Samba 3.0.0 Released

Matt writes "As posted on Samba.org the fine folks at Samba.org released their newest version of the popular free Windows File- and Print Server. Most famous additions are Active Directory integration and possibilities to form NT4 trust relationships. Release notes are online." See also their press release.

wohoo

wohooo! first poooost!

Samba?!

Da da da da da, da! Da da da da, da!

How low can you go?

patch?

When will the first patch be released?

First Post :o)

[ericisbananaman]

yeah

Here we go...

[c_oflynn]

Commence posts referencing pr0n storing/bewolf clusters.

trust no one...

[maharg]

especially not NT4 ;o)

Top ten is fine with me.

[elanoz]

SAAAAAAAMMMMBAAAAAA!!

Becareful about using this

[Sonnenschein]

as we've seen so many times this week,

opensource != secure

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

Re:Becareful about using this

[classic66coupe]

oh, but windows is much more secure. Are you sure you are on the right website ?

Re:Becareful about using this

[Brahmastra]

There are exploits in every product, opensource or not. It's just a matter of you taking necessary precautions like using a decent firewall and patching regularly.

Re:Becareful about using this

Stretched holes? You sick fuck. I bet you fiddle ten year old boys, too. You should be castrated, you fucking pervert.

Re:Becareful about using this

[Jugalator]

as we've seen so many times this week,

opensource != secure

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

Yeah, so let's use the alternative.

Windows servers.

Those are more secure I heard. :-P

Re:Becareful about using this

[davejenkins]

opensource != secure

Thanks Egan, good safety tip.

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

And let`s also remember that _because_ it is open source, we now have thousands of developers who can view the code, find potential exploits, and then propose patches, QUICKLY and WITHOUT BIAS. Unfortunately, for patches to the same styled exploits that would exist in a closed source networking protocol, we would need to depend on a small team of developers under a common management structure (one pointy haired boss = single point of failure).

Open Source != secure
Open Source == better method toward security

Re:Becareful about using this

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.


I can tell you that here in corperate, a linux box can be put on the network without question. a windows box requires certification by the NOC as all windows version are deemed unsafe by the NOC.

so windows = unsafe and they are 20 times the exploits in windows than the worst version of sendmail and bind put together..

Re:Becareful about using this

You mean like the OpenSSH bug that was around longer than Win32 operating systems have existed being found and patched quickly?

Re:Becareful about using this

[weave]

in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

Didn't quite a few of the Microsoft hotfixes credit the Samba team for finding the weaknesses and bringing it to Microsoft's attention?

Re:Becareful about using this

There is truth in that open source does not neccessarily mean secure.

But with open source it is openly reviewed for such nasty exploits. Can one imagine how bad it would get if Microsoft source were released!

Microsoft is anti-open source as they still believe in security by obscurity and FUD. People find their vulnerabilities through normal coding .. so the obscurity breaks with time.

They will find new vulnerabilities in Windows for many years to come. Those who use Microsoft products aught to just get used to it.

Re:Becareful about using this

Holy shit. A piece of software that's older than another!

Whodathunkit?

Let's count up security holes found in both:

OpenSSH: Not a billion

Windows: A billion

Yeah, great lil' comparison you got going there, bro. Asshat.

Re:Becareful about using this

[RevMike]

opensource != secure

Very true.

The advantage of opensource is that you can examine the internals yourself, and fix it yourself.

The more sophisticated the user, the more valuable opensource is. If you're a low level admin who can't do anything more than apply pre-canned patches, opensource may be cheaper but it isn't defacto better. If you can participate in the patch process by either writing your own patches or applying patches from the developers directly or from other users, rather than waiting for a vendor, you can be way ahead of the game.

Re:Becareful about using this

Just like in the movies: secure and securerer

Re:Becareful about using this

HEY BUTTMONKEY!!!! Who's posting pictures of naked men stretching their assholes beyond all beleivable boundaries? Me? NOOO!!! It's you, you sick fuck! How did you find a link like that anyways?! I would imagine one of your ass pounding buddies told you about it when he was giving you the moby from behind. Now STFU and go away.

Re:Becareful about using this

[Trolling4Dollars]

The real key is that where there is money involved (ie. a company stands to lose money on good bug hunting and peer review) security is always going to come second to last. With Microsoft, here's the hierarchy:

1. Profit!
2. PR/Spin
3. ???
4. Satisfy customers just enough to keep them
5. Everything else (ie. security, stability, etc...)

Since a lot of OSS projects aren't made in the name of profit, the hierarchy is more like this:

1. Write something useful/cool
2. Share it with everyone and get peer review
3. Patch holes and bugs
4. Wind up with excellent quality software (Emacs, GNU, etc..)
5. Rinse and repeat

With either approach, you have to keep in mind that the cycles are unending because the bars are always being raised. But, which bar is payed more attention varies based on the end goal. For proprietary/non-free software, the only goal is to write software to make money. For free software, the primary goal is to write good software for the sake of writing good software. This approach angers the capitalists because it potentially threatens their system. And in the long run, Emacs is still going to be around long after MS Notepad is gone. Just like classical music has more lasting value than Eminem or Kidd Rock. Someday 25 years from now you can ask a 10 year old who Kidd Rock is, and they'll say, "Who"? But if you ask the same 10 year old who Beethoven is, they'll probably have heard of him.

Re:Becareful about using this

[Cable_Monkey]

What I think

Sorry guys, couldn't resist. Posts like the one I'm replying to drive me insane.

Re:Becareful about using this

[lobsterGun]

thats not what he was talking about ya' big gorilla.

The original poster made the ridiculios claim that in open source projects bugs are fixed quickly and efficiently by an army of programmers. The response about the OpenSSH bug was pointing out that not all bugs are fixed quickly. He wasn't making a comparison about the relative security of either product.

Re:Becareful about using this

Me? I only view quality Japanese, heterosexual porn thank you very much. How come they're allowing you to use a computer anyway? I thought they were banned on the nonce wing, in case one of you sick fucks logs onto MSN and starts trying to get a 5 year old child to wave his penis on a webcam. Oh yeah, I hope you're proud of yourself, forcing MSN to shut their pedophile infested chatrooms. Cunt!

Re:Becareful about using this

[TedCheshireAcad]

Wow. I wish I had mod points. Bravo.

Re:Becareful about using this

[xchino]

"Its just a matter of time, as with any opensource product."

It's just a matter of time, as with any product, regardless of whether it is open or closed. Windows is closed source, but we see exploits for it every single day, now don't we? qmail is open source, but to this day not a single remote hole has been found, even with the author offering a substantial chunk of change for anyone who finds one.

Re:Becareful about using this

[William+Baric]

Without proper documentation, the idea of inspecting and fixing an open source project is only wishful thinking. Reading thousands of pages of code (written by someone else) is fun but it takes far to much time to consider this option seriously. It's like searching for a specific information in a reference book without an index. Now I'd like to know... How many times have you seen a simple design specification for an open source project?

So here's the problem : because there's no documentation, a "regular" user (like a network administrator) cannot look at the internals of a program as it would take to much time but, on the other hand, a good cracker who target a specific program can scrutinize a project to find a flaw somewhere. Do the math.

Re:Becareful about using this

[RevMike]

I think your point is a good one, but it is a little more broad than it needs to be. Certain fixes are relatively easy, others are not. For instance, many of the buffer-overflow security holes that always pop up can be fixed pretty easily. They are isolated to small segments of code and a sophisticated techie should be able to handle them no problem, especially if the exploit has already been identified.

If there is a fundamental architectural problem with the code then, yeah, it will be a cold day in hell before a network/system admin can do anything about it.

For the medium scale bugs, the admin has the ability to take any "early" patch from an untrusted source, inspect the patch, and apply it instead of waiting for his vendor to produce an approved patch. With closed software, he might find an "early" patch, but will have no way of seeing whether it contains a trojan. His only option is to wait until his vendor provides him a patch, assuming the vendor is interested.

And now ...

Profit ?

Will it run under Ninnle Linux?

Stupid question! Of course it will!

Get the doc!

[Karamchand]

..at O'Reilly's Safari Bookshelf!

Congrats to the Samba Team!

Re:Get the doc!

[Rudeboy777]

Is anyone here privy to any insider O'Reilly information regarding a release date of Using Samba, 3rd ed.? I was hoping it would follow closely on the tails of Samba 3.0.0's release, and I'm sure many of the other geeks here are interested in buying it as well.

Re:Get the doc!

[Eil]

If you download Samba 3, (or any of the rc's, like I did), then you don't need to "get" it, it's already there.

You Know

I really don't care about this. Why am I posting?

Re:You Know

[Trolling4Dollars]

Off-topic, but... You post because you can't resist the Pavlovian response that most Slashdotters seem to be slave to. Of course, what fun would Slashdot be if we didn't all have trigger fingers from time to time? :)

I did not have relations with that server

now my linux box has to deny having a relationship the that windows server next door.

Re:I did not have relations with that server

[lanswitch]

or try to build a relationship that benefits you...
pubstro anyone?

Re:I did not have relations with that server

[IAR80]

Your linux server is in denial. ;)

Re:I did not have relations with that server

Did you establish a relationship with that server's directory?

"That depends on what the meaning of the word ls ls."

morons re-release pateNTdead eyecon0meter 1.won

it works in/on several dimensions (more than 3) & is available for use immediately.

consult with/trust in yOUR creator. vote with yOUR wallet. that's the spirit.

lookout bullow. the daze of the phonIE payper liesense softwar gangsters/corepirate nazis/unprecedented evile is WANing into coolapps/the abyss.

Re:morons re-release pateNTdead eyecon0meter 1.won

Dude, you keep posting this stuff. What exactly are you on about ?

wonderful!

[borgdows]

...and possibilities to form NT4 trust relationships.

but is it wise to trust a NT4 server?

Re:wonderful!

It isn't really wise to trust any Windows server. But it allows people to start replacing them with Linux/UNIX systems.

Samab also allows authentication with UNIX. This is the way I prefer to run it. You can make it act just like a Windows server but without the crashes. And unlike windows, file distribution (rsync versus sms), secure shell, samba and others don't come with the nickle and dime pricing.

Re:wonderful!

[Large+Green+Mallard]

We decided it wasn't.. we had the option of trusting an NT4 server at work, but it kept timeing out on trust exchanges due to a firewall change.

Re:wonderful!

[ToterSan]

Actually the proper configuration is for the NT server to implicitly trust the Linux box....

Bill we own you now! }:>

That's nothing !!

We've had Samba in Brazil for centuries...

Amazing how the USA thinks they are ahead of everyone else... ;)

Re:That's nothing !!

[penguinsula]

We've had Samba in Brazil for centuries...

Amazing how the USA thinks they are ahead of everyone else... ;)

Strange indeed...with Andrew Tridgell being Australian and all...;)

Re:That's nothing !!

[bhsx]

Yeah, but your money is so gay. Plus, kids in flamingo costumes make more than Malcolm in the Middle.

Re:That's nothing !!

[glgraca]

But it's your money that has
men with wigs on it.

Re:That's nothing !!

[ivanmarsh]

Wow! Did you totally miss the joke there.

Samba, you know, the dance... Brazil???

Re:That's nothing !!

[Deep+Esophagus]

Don't forget the US is also ahead of Brazil in coffee - after all, we invented Java!

Re:That's nothing !!

[MegaHamsterX]

No, that would be Columbia, their other product is quite successful here in Florida as well, I'm not speaking of SUN either ;-)

Re:That's nothing !!

[KingAdrock]

Who cares about the samba. is Brazil's truly great export.

Re:That's nothing !!

OK, I'm obviously an idiot.

Re:That's nothing !!

[zumajim]

Yep. The USA can still lay claim to having the ugliest money in the world! And you ain't seen nothing yet... wait until our new peach-hued $20 bills hit the streets.

Re:That's nothing !!

Columbia, eh? The river?

Or did you mean Colombia?

Re:That's nothing !!

[jelle]

Well,

"Amazing how the USA thinks they are ahead of everyone else... ;)"

M'kay I'll bite...

The last time I checked, the Samba team was in Australia (see whois samba.org ). And I challenge you to prove that Australia is part of the USA...

Hmm. Maybe it's not about what the USA thinks, but about what people outside the USA think?

Yummy. Brainfood!

Re:That's nothing !!

[bill_mcgonigle]

And I challenge you to prove that Australia is part of the USA...

Actually, it's just the opposite: aUStrAlia.

Sorry.

Re:That's nothing !!

[jelle]

;-)

But... But... But... That changes everything ;-)

Does this ver. solve the WinXP security "features"

[HiroProtagonist]

I was recently banging my head against the wall when attempting to use a Samba share on an XP box that had worked fine on all my Win2K boxes.

Days & days of hacking the config and attempting to get it to work to no avail. Finally I find that it appears that WinXP has some security "features" added into it that break the use of samaba shares.

This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen.

Best new features

[linuxkrn]

The author missed one of the bigger points that they have working now. BDC! You can finally, if it works - I haven't tried it, have automated fail over without hacking some scripts and running a few PDCs. Very COOL!

That and it says it will work "out of the box" with Windows Server 2003. I wonder if that means they fixed the "trust" issue with Windows XP trying to auth with it for login without reg hacks....

Re:Best new features

[gregarican]

The BDC functionality has been in Samba for awhile now. I recall working with a beta test of that back before the Y2K. There's a decent amount of tweaking and fine-tuning to be done to get it to work, but once it works it usually works well. Companies who still think they have to run Windoze on the client end due to the application suite folks are supposedly so used to can still migrate the server end to Linux, potentially without anyone noticing any difference.

Re:Best new features

People are still running NT4 domains? Without security patch support from Microsoft? Smart move there.

Re:Best new features

[SushiFugu]

Finally! I was talking with a friend about this just the other day -- the only big thing that Samba is lacking is a working Bullet Drop Compensator!

It really helps when aiming files across long distances :)

Re:Best new features

The author missed one of the bigger points that they have working now. BDC!

So this means I can use Samba now as my Brimary Domain Controller?

Re:Best new features

[XSforMe]

Actually, I think the most important feature is this:
10) Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs.
Why? NT Server is coming to the end of support period (Dec 2003). There are still LOTS of NT4 server out there. Last time I checked, you had to recreate ALL of the groups and users whenever you migrated them from NT4 to any other PDC (there is a little support for automating this activity, but it just saves you from retyping the users and groups names).

Re:Best new features

[hawkbug]

As other posters have pointed out, from what I understand, there is still support until December for NT4. Not that anyone should still be running it...

Re:Best new features

[jerkyjunkmail]

Security patch support is until December of next year. I couldn't find the the link to the actually EOL roadmap but this is just a good.

ZDNET atticle

I know this because I'm in the process of figuring out what to do. I'm checking out how well samba can replace the file servers. I have a test print spooler setup and it kicks ass.

Re:Best new features

[Jeremy+Allison+-+Sam]

It means we do SMB signing by default now :-).

Jeremy Allison,
Samba Team.

Re:Best new features

[Flopper]

Now linux's really getting into business. I mean you could for no license cost setup a backup server in your domain at a company.
Wait some time and the BDC would replace the PDC and so here we are.
Samba is for cooperation, right currently. But migration would be a nice target aswell.

Re:Best new features

[propellor_head]

It is relatively easy to migrate from NT4 to an AD domaing using ADMT.

Re:Best new features

[XSforMe]

Thanks for the tip, Prop. Last time I did a migration was from an NT4 to another NT4. All the passwords and ACLs where lost. Seems this new tool would have comed handy then.

Re:Best new features

[XSforMe]

Hey, good to see I am not the only one in this position.
I also have an NT4 based domain which I am trying to figure out what to do with, though, my solution is a little bit more complex than just a PDC, it is an SBS server (Exchange, SQL-Server, Proxy, Fax server, print server) among other stuff.
Im considering Linux too, but my current worry is Exchange, most of my users are too used to it. Any ideas on how to replace Exchange?

Vulnerable?

[gregarican]

Serious question here, not flamebait. Does Samba use similar RPC methods to thje Windoze NT family? If so are there potential exploits? I'm not sure. I've used Samba and Mars_NWE (a Linux emulator of a Novell Netware server) for years now but never thought of potential parallel security holes. I doubt that the code could be that similar, but am curious. I recall back in the day where anonymous RPC sessions on Windoze NT could totally give admin access through that simple sechole.exe exploit.

Aside from that concern I can personally say that Samba rules. I have benchmarked it as being a faster file/print server compared to Windoze on identical hardware. A Linux box that can act as a domain controller, and now participate in cross-domain trust relationships and use AD is a helpful tool for weaning folks away from Micro$loth.

Re:Vulnerable?

[gregarican]

Here is a footnote of the other side of the coin. I recall back around 1999 working with Samba 2.0.something-or-other. Our company had many sites but centralized Windoze NT domain administration at CHQ. I was interested in trying to sneak a Samba server onto the domain.

Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary. It was funny when an NT admin from CHQ called me to ask me why our site had this new server showing up. He couldn't browse any of the shares (only local Linux accounts were defined in the Samba user file and /etc/passwd file) and was pissed.

I apologized and proceeded to take the box off the network, but found it funny that no authentication was necessary. With all of the inherent flaws in Microsoft's security models I would bet that a Samba box could potentially wreak havok on a pre-Windows 2003 network!

Re:Vulnerable?

[davecb]

Yes, the SMB protocol does use all the NT RPCs, and the Samba team usually find and fix numerous security holes in it with each new release. And report them to MS, and code Samba so it doesn't accidentally trigger NT security problems.

They're really very professional, and a pleasure to work with.

--dave (the Using Samba 3rd author) c-b

Re:Vulnerable?

[Large+Green+Mallard]

It's a fair enough question.. one that someone asked Tridge at LCA2003.

Basically no.

Buffer overflows in RPC are due to server programming, and since both are entirely different server codebases, they don't share vulnerabilities. But the Samba team have found many of these RPC bugs with windows ;)

Re:Vulnerable?

[beady]

Time to bust out the old cartoon!
Penny Arcade goodness

Re:Vulnerable?

[requim]

Sounds to me like what you are describing is just the SAMBA server showing up in the browse list either via a WINS or NETBIOS name resolution. You cannot in fact join an NT domain without administrative rights to grant the machine an account in the domain, whether it be created on the server prior to joining the machine, or in the process of joing the machine to the domain from the joining machine.

This isn't to say that there are not other ways in which a unix box can wreak havoc on an NT/200x network...

Re:Vulnerable?

[gregarican]

I hear what you are saying, but I mean that the Samba box was on the Server Manager list as a member server. If I would've tried to add an NT Workstation or Server to the domain in this capacity the action wouldn't failed because I wouldn't have known the admin logon to authenticate. AFAIK you can't add another node to the domain in this manner without admin rights. But the Linux box popped right in without a problem.

Re:Vulnerable?

[Skweetis]

This reminds me of one of the first times I experimented with Samba. I was using 2.0.something as well. We had a Win9x network at the time. I configured Samba as a client without really reading much of the documentation, and installed one of the GUI clients to play (tksamba, maybe? I don't really remember). I was browsing randomly around the network to test, and discovered I could connect to all the shares on the network without authentication (and there were passwords on most of those shares).

It's amazing how much of the Windows "security" model depends on the client behaving exactly as expected!

Re:Vulnerable?

[gregarican]

Exactly. Combining NT security from 5+ years ago with a misbehaving client and things weren't as they should've been. Some other guy on this thread posted that it just *cannot* happen, but I can tell you it did back then. Our CHQ NT "gurus" were going out of their skulls trying to figure out what was happening.

Keeping in mind that back then you could just connect through to the RPC$ share anonymously or attach to the debugger process and immediately get admin rights using a sechole.exe program freely available on the Internet. You could also perform an Internet search for "Microsoft Windows NT 4.0 Option Pack provides enhanced Web, application, and communication" and immediately come up with hundreds of newly-installed (read not locked down) IIS boxes. I just found one right now.

You hit the nail on the head. Combine a misbehaving client with a poor security model and the results could be interesting.

Re:Vulnerable?

[requim]

I would like to test the scenario for the answer I am about to give just to validate my thinking, but I will give it to you anyway. My understanding of how the Server Manager lists the machines is by how the machine is configured, not necessarily as a member of any particular domain/workgroup/etc. It would appear that it lists the machines that are configured to set their domain/workgroup name via netbios in the same groupings (ie if you have a workgroup named SERVERS and and a domain named SERVERS) machines from both the workgroup and domain will appear in the same listing (if using Explorer or some other tree listing. The NETBIOS protocol uses/stores the machine type used for Domain Master Browser functions for election purposes in specific packets. These packets use a code to determine what type of function/server the machine is setup, so in the Browser elections that take place in each subnet, the machine with the highest setting wins (ie PDC > BDC > Member Server > Workstation (it's really a little bit more complicated, but this should suffice.)).

This being the case, I would have to interpret the samba server appearing in the Server Manager as a result of the code passed in the netbios protocol and it being used to determine machine times when listing the (PDC, BDC, Member Server, etc) I would also imagine that if you were to setup a second NT/200x server as a PDC using the same Domain Name, that that machine would also appear in the Browse List and have a similar effect, though in reality the two domains would not be related except by name (the SID's would be different which would cause many problems that I would rather not go into.).

This is BS

[keester]

I want to talk about Prevayler -- which is due to replace Samba in 2005. Anyway, noone uses Samba.

SMB/OSX question

Does anyone know why Mac OS X (10.2) hangs when mounted Windows-share suddently disapears from the network?

Re:SMB/OSX question

File Locking. You can tune Samba to fix this.

Re:SMB/OSX question

Because Mac OS X (10.2) blows goat balls and should never be used by anyone other than special needs children. Wait, I guess that includes you, then...

Re:SMB/OSX question

[fluor2]

how do you tune samba to fix this?

Re:SMB/OSX question

[diamondc]

Nah.. it's a Mac OS X problem. Sometimes I forget to unmount samba shares when I leave the office and I have to wait about 10 minutes for OS X to time out connecting to the share. During this, the whole UI hangs. This is somewhat fixed in Panther (it prompts you to disconnect from missing shares).

Re:SMB/OSX question

[Morky]

I have given up on OS X's Samba implementation. Panther (10.3) will be using Samba 3.0, so I'm hoping my problems will be resolved and that they've improved the Finder's interface to Samba. Samba is awesome, so I'm sure most of the problems are OS X's interface to it. In the meantime, Thursby software's Dave is nice piece of software that can make OSX a rubust member of a Windows network. Our Mac users are very happy with it.

Re:SMB/OSX question

[Dougie]

Unfortunately I can't remember the exact methods (and i am suffering the same problems as your self).

I am not entirly sure it is tied down to file locking either.

I would advise investigating time out options in both the smb client and the server.

NFS suffers similar problems unless you "soft mount" the partition.

Doug

Re:SMB/OSX question

Mommy? Is that you?

i liek buttholez i liek poopie

i leik puttin my ween in womens!

Re:Does this ver. solve the WinXP security "featur

[Second+Vampyre]

Works fine for me, with Windows XP Pro and Home (and Debian of course). Don't blame the software for user errors. Linux software takes more time to learn, but it will be worth it in the end, because you will have a much more intimate knowledge of the software and how it works.

Re:Does this ver. solve the WinXP security "featur

[Jellybob]

I'm not entirely sure what you're talking about. I'm running Samba at home, and my XP boxes can pick up the shares on it just fine.

You may need to add smbpasswd entries for the machines users, but other than that, it should be ok.

Too late!

Version 3.0 - HA! I got Windows version 3.1 many many many years ago! loosers...

well

[Tirel]

now that konqueror can do thumbs over ftp, who needs samba for porn???

Re:well

[Andrewkov]

Only on Slashdot would that be moderated as "Interesting"! :-)

Re:well

[MrPink2U]

That's only because there wasn't a "Very Intersting" selection...

Re:well

[1010011010]

It would be nice if there wasn't a "KDE VFS" and a "Gnome VFS" on top of the kernel VFS... it'd be nicer if there was, perhaps, a LibC VFS, or kernel-mountable userspace filesystems.

Re:well

[Jaysyn]

Have you noticed? The Mods are on crack again.

Jaysyn

Re:well

portalfs

Re:Does this ver. solve the WinXP security "featur

[elanoz]

I do not want to express my negative feelings for the XP OS, for I feel I may ramble much too long. However if a situation presents it self that pushes you away from XP towards Linux then that "feature" is a cloaked blessing!

This doc is for 2.2.

"...covers all versions of Samba from 2.0 to 2.2, including selected features from an alpha version of 3.0"
I'd rather wait a bit.

Re:Does this ver. solve the WinXP security "featur

why the hell do you have XP anywhere?

XP does nothing that windows 2000 does.

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

That's one of the issues. Some boxes didn't have the problem, some boxes did.

I went so far as to fdisk the XP box, reformat and do a complete reinstall just to have the same problem after I reinstalled. All of that while other boxes _just_worked_. BTW, in my setup the Samba box was acting as the PDC for the Wintel boxes.

Oh, and we're talking XP Pro not Home.

Re:Does this ver. solve the WinXP security "featur

Have you considered that it is far more likely that the problem is with Samba than XP.

If MS were going to make XP not work with Samba, they would have made ALL XP not work, rather than just a few XP installs and at random.

Not everything is a conspiricy you know...

quite impressive

[Dreadlord]

I quite happy with this new release, what I like the most about it is the new Active Directory support, I have been waiting for it since I started to use it in my homenetwork. Another impressive feature is UNICODE support (isn't mentioned in the post), one of my family members needed it badly to deal with non-latin charsets.
And the new "get" command which is similar to windows "net" is useful too.
Keep up the great work SAMBA team!

Re:quite impressive

[Dreadlord]

grr, a typo in my parent post, SAMBA new command is "net" too not "get"

Re:quite impressive

[DrPascal]

Active Directory in your home network? Why would you ever want/need that? I'm not flaming you, I'm genuinely curious.

Re:quite impressive

[Dreadlord]

it started as a test to see how active directory works, I liked it and continued to use it, that's all.

Re:quite impressive

[VivianC]

Active Directory in your home network? Why would you ever want/need that? I'm not flaming you, I'm genuinely curious.

Because they won't let me tinker with 'rouge servers' at the office, so I have to learn the ins and outs on my own time and dime. My wife's one desk home office tax practice is seriously overpowered because I use it as a learning tool (and she is a typical end-user).

Re:quite impressive

i've seen your wife before. quite the ugly bitch, if you ask me.

Re:quite impressive

[brettper]

Because they won't let me tinker with 'rouge servers' at the office
That's easily fixed, just paint the box blue instead

Please ....from this point on ....

only refer to your computer as 'boxen' .. it's hella-cool!!!

Ben

Re:Does this ver. solve the WinXP security "featur

[Large+Green+Mallard]

Samba 2.2.x + XP + SP1 requires some tweaking to do domain logons for XP clients.

Basic file sharing is fine, but if you're using Samba as a domain controller, you need to set a SignOrSeal reg value off to allow domain logons and also unset a "check profile ownership acls" setting which was introduced by SP1.

-- Someone who uses Samba 2.2.x as domain controller for several hundred XP boxes :)

Nah...

[zonix]

If so are there potential exploits?

I'd say no - the RPC vulnerabilities you mention are buffer overrun errors, which lie with the (somewhat braindamaged) implementation of the protocol. As long as there are no flaws discovered in the actual protocols, you won't see the same exploits unless the source code is copied directly between implementations.

z

Re:Nah...

[EastCoastSurfer]

Except when the buffer overflow is a "feature" and it must be duplicated in order to work with properly with the windows version of the SMB protocol :)

Re:Nah...

Umm, no.
Buffer overrun errors have nothing to do with protocol. They have to do with poorly written code.

Re:Does this ver. solve the WinXP security "featur

[myz24]

Sounds to me like signorseal. You want to edit the following entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serv ic es\Netlogon\Parameters\requiresignorseal and set it to 0. Reboot and your XP machines will now be able to logon to your samba domain.

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

Hahahaha.

Nobody said it was a conspiracy. It's not like I was stumbling around in the dark here. I read the docs for Samba, I read the man pages of Samba, I googled for the problem.

It appears to be some DNS-like issue that XP _sometimes_ does, and samba 2.8 didn't support. My bet is that 3.0 probably takes care of this issue, or at least addresses it in the readme or docs.

Trust relationships

[myz24]

The change log mentions creating trust relationships with NT4 machines, can I create trust relationships between two samba machines. I would assume so but I'm for a definite yes.

Re:Trust relationships

[Jeremy+Allison+-+Sam]

Yes it works.

Jeremy Allison,
Samba Team.

Do you mean 'oplocks'?

I read a few years ago that Microsoft deliberatly broke the way they handle oplocks in such a way that it looked like a Samba problem.

If you Google "Microsoft SAMBA oplock" you'll see a lot of hits, some of which went away when oplocks were turned off in Samba.

Re:Do you mean 'oplocks'?

[Jeremy+Allison+-+Sam]

No, they never did this. Oplocks are problematic in that
Windows boxes tend not to respond to oplock break requests
if there are *any* network problems. Most people have cheap
switches/hubs etc. For instance on my home network I can
only reliably ssh transfer a 100mb file over one of my
switches (the gigabit one), the 100Mbit switch will
consistantly corrupt the tcp stream causing ssh to abort.

oplocks need *reliable* networking hardware.

Jeremy Allison,
Samba Team.

Re:Do you mean 'oplocks'?

I don't get it why we nee reliable networking hardware. That is exactly why TCP/IP is here for and I bet samba runs above TCP/IP

So I believe this is not the real problem

rh9 samba lockup

I've experienced numerous random lockups using samba v3. The mount point would just hang requiring a samba restart.

After searching for a while, I found that there's a bug in Redhat 9's new thread library which samba somehow triggers. There's a workaround on the net, look for it and avoid hassling the samba team - they're not at fault here!

Re:rh9 samba lockup

[NiteHaqr]

You stated that you had to search for a while to find this bug.

You managed to find the workaround.

Why not post the link instead of saying look for it ??????

Re:rh9 samba lockup

[Znonymous+Coward]

NTPL is backported from 2.6. Like it or not, it's youre getting it.

Re:rh9 samba lockup

[Dougie]

I can't remember where the link is, however here are the solutions that I know "work".

If you only have one or two SMB entries, edit the /etc/init.d/netfs script and comment out the options for mounting SMB shares.

it will look some thing like -a -t smbfs

Then edit /etc/rc.local and add some thing like this.

mount /mnt/ &
mount /mnt/ &

etc.

i know this is a REAL pain, but any other method I have seen has lead to a real mess.

When doing that, if you run ps -aux | grep mount you will see some mount's sitting around. These have not caused me any problems that i am aware of.

All other work arounds I have seen related to this, have never worked for every one.

Doug

Re:rh9 samba lockup

[lkaos]

Samba doesn't use threads and shouldn't link to any thread libraries.

I have no idea how there could possibly be such a problem. If you can recreate this, it'd be a good idea to submit such a bug to BugZilla.

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

We did this. It's the reg entry that's in the docs. Every machine that we attempted to connect has it. Thanks for trying though. Originally I found that information here:

The Samba unofficial HOWTO - 5.3. Joining your Samba Domain

How many hidden root exploits in this version?

For those bots who have blocked it out from their memory, Samba is the Open-Source product that had a root level exploit in its code that went undetected(?) for eight years.

Open-Source secure...lol.

Re:How many hidden root exploits in this version?

[Tenareth]

I'm sure a lot less than in W2K3.

2 so far?

Slightly OT - Samba Clustering

[jACL]

We've been waiting for this release as the version to start replacing Windows servers with. We'd like to build the farm clustered, however. From our research, it looks like clustering Samba can only be done with Mission Critical Linux' products. Anyone seen anything else out there that can also do the job?

Re:Slightly OT - Samba Clustering

Maybe this helps you, look at the first talk on tuesday.

Re:Slightly OT - Samba Clustering

[christophersaul]

Sun's Sun Cluster can do it, on Solaris of course. There's a supported agent. The new cheapo V440 and V250 would be ideal for this, although they won't be certified for Sun Cluster for a bit. The V240 is certified though.

Re:Slightly OT - Samba Clustering

[ckaminski]

What type of cluster? A shared-nothing failover cluster, or a shared-everything load-balancing cluster? Makes a difference.

In the first case, just about ANY piece of software can be clustered. In the second, I'm not at all sure.

Re:Slightly OT - Samba Clustering

[ckaminski]

Well, looking at the Mission Critical Linux pages, it seems their product is an Active-active failover clustering product. It might have shared-everything features and a lock manager to manage resource contention.

http://linux-ha.org/ - has quite a bit of info on this, including the software and OpenGFS for managing shared resources across machines.

Re:Slightly OT - Samba Clustering

[johnnyb]

It's pretty easy to do this just scripted. The main part of MCL is the process, not the technology. What you need is

* Computers w/ shared SCSI RAID array
* Each computer has a serial connection that can terminate the power of the other (VERY IMPORTANT)
* Server A is master, Server B monitors server A
* When Server A goes down, Server B turns off the power to A, takes over the IP address, and mounts the volume from the SCSI array.
* When Server A comes back up, you manually switch it back over.

The part where B turns off A's power is critically important, because if A isn't fully dead and tries to write to the SCSI array after B mounts it, you have data loss.

Re:Slightly OT - Samba Clustering

[NeonSpirit]

steeleye lists samba as a supported appliaction for failover clustering. I haven't used it myself but have heard good things.

Re:Slightly OT - Samba Clustering

[plsuh]

You might want to look into Mac OS X Server. It ships with Samba 2.x right now, and the new version (MOSXS 10.3) will ship RSN with Samba 3.0. It does active/passive clustering out of the box, and comes with a very nice toolset beyond just Samba. Apple's XServe Raid unit just about owns the storage market in terms of price/performance/capacity.

--Paul

Re:Slightly OT - Samba Clustering

[illumin8]

I would highly recommend the V240 as a great Samba box. Dual UltraSparc IIIi procs up to 1050 mhz.; 4 gigabit ether on copper interfaces should be enough to direct connect it to three segments, plus have one interface free for your heartbeat between nodes on the cluster.

Couldn't resist.

[Bill,+Shooter+of+Bul]

I, for one, welcome our new brazillian overloards.

Re:Couldn't resist.

[Bill,+Shooter+of+Bul]

Someone please explain why my post was moderated as redundant. I looked at all previous posts and did not see a single overlord comment. If the joke isn't funny then it should be rated offtopic, or overated, but not redundant. Unless, maybe the moderators were saying that the joke was getting redundant. I think moderators should provide an explanation for their decisions. That way posters would learn what makes a good post good and a bad post bad.

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

Now that's something I haven't seen before.

"unset a 'check profile ownership acls'"

I'll have to look into that.

Thanks!

Flamebait?

[HiroProtagonist]

I imagine the flamebait was for:

"This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen"

It's not flamebait people, it's actualy how I feel. Other nice /.'s have been attempting to help me solve the problem instead of modding me out of existence. :(

Re:Flamebait?

[dotgain]

I think maybe somebody that shouldn't have got mod points, I've seen plenty of posts modded down flamebait or offtopic which were neither. Don't worry, you might get pushed back up.

Re:Flamebait?

[Daniel+Phillips]

It's not flamebait people, it's actualy how I feel. Other nice /.'s have been attempting to help me solve the problem instead of modding me out of existence

It seems that any Slashdot article containing the words "Microsoft" or "Windows" triggers a script somewhere deep in the Redmond campus that calls out the volunteer MS astroturfer fire brigade. Outraged Slashdotters quickly respond, and in the end this mainly achieves the unintended effect of boosting Slashdot traffic.

Re:Does this ver. solve the WinXP security "featur

[Large+Green+Mallard]

It's accessable from the MMC on each client machine, or alternatively if you have a recent enough samba, there's a "profile acls = yes" option you can set in the smb.conf

Open source top 5 best contributions

[MagicMerlin]

Linux/FreeBSD
Apache
Gcc
PostgreSQL
Samba

In that order. Thank you.

Merlin

Re:Open source top 5 best contributions

Indeed, it is common knowledge that *BSD is dying. Yes, ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

Fact: *BSD is dying

Re:Open source top 5 best contributions

[ari_j]

That's not a list of 5 at all. Linux and FreeBSD couldn't be much less similar. Linux is just a kernel, using other projects to fill in the gaps, whereas FreeBSD is an operating system, using only minimal contributed code (see /usr/src/contrib; gcc is about it for major items). Putting them together there indicates that you're not qualified to make such a list.

Re:Open source top 5 best contributions

[EvilTwinSkippy]

I'd replace postgres with MySQL, Apache with either Python/Tcl/Perl.

Scripting language power a lot more under the hood of your Linux box than Apache.

Re:Open source top 5 best contributions

You have a typo in your list.

Change Linux/FreeBSD to:
Linux

Thanks, and please try to remember:

*BSD is DYING!

Re:Open source top 5 best contributions

[dang-a-pin]

You would have replaced the last 4 with Chromium, if you had any sense about you. :>}

Re:Open source top 5 best contributions

[CausticWindow]

Troll.

Postgres is miles ahead of MySQL (which still has it's uses, mind you). And Apache is one of the most successful Open Source projects, no matter how you see it (I don't use Apache and I love Python, but Apache is a much bigger and more important project).

Re:Open source top 5 best contributions

[StrawberryFrog]

I'd replace postgres with MySQL,

You're a sick sick man.

Serously though, PostgreSQL's feature set (i.e. real sql) shows up MySQL for the toy that it is.

Re:Open source top 5 best contributions

[ckaminski]

Chromium?? Please excuse the ignorant sack of flesh (me).

-Chris

Re:Open source top 5 best contributions

[EvilTwinSkippy]

(Cough) replication (Cough)

Re:Open source top 5 best contributions

Postgres is SO reliable, you don't NEED replication! C'mon guys, who really uses it? Honestly.

Re:Open source top 5 best contributions

[EvilTwinSkippy]

Postgres is SO reliable, you don't NEED replication!

Sure. As if postgres can mystically operate over multiple servers at once, and makes a server immune to hardware failure.

That's as bad as the MySQL guys saying "You don't NEED server-side includes or foriegn keys."

Re:Open source top 5 best contributions

NEXT!

Re:Open source top 5 best contributions

[xchino]

How are you going to compile apache without GCC? I think you should reverse that order..

Re:Open source top 5 best contributions

[Webmoth]

How are you going to compile a Linux kernel without GCC? And how are you going to compile GCC without a Linux kernel?

Re:Open source top 5 best contributions

You can easily compile GCC w/o a Linux kernel. GCC works under pretty much any *nix.

question

[Twister002]

(kind of a newbie question, but other people might want to know)

I'm running Red Hat 7.1 on my file server. The only binaries I can find at the site even close to that say they are for RH 7.3.(http://us3.samba.org/samba/ftp/Binary_Package s/RedHat/RPMS/i386/) Can I use these on my RH 7.1 system?

Re:question

[Chuck+Milam]

No problem: Get the source RPM and build it yourself. Go here, get the Samba 3.0 source RPM (SRPM) and build it using:

rpmbuild --rebuild

And it should compile you some nice RPMS to install (hint: look under /usr/src/redhat/RPMS).

Single Sign-On

[CromeDome]

The promise of single sign-on for the various servers I have around here seems great :) While I know how to get Windows clients to authenticate against a Samba server, and also how to get *nix boxes to connect to a Samba server, is there a way to replace the traditional *nix login/authentication methods and replace it with Samba? Our domain is predominantly NT/2k, with a small scattering of Linux and FreeBSD boxes. Would be great if users could change their NT password and still be able to log in to our *nix boxes for e-mail and such.

Re:Single Sign-On

[fodder69]

Yes, use pam and the winbind. I can ssh to my samba box and authenticate against Active Directory. There are how tos out there, here are a few links I used. http://www.netadmintools.com/part172.html http://www.flatmtn.com/computer/Linux-Samba3.html http://us1.samba.org/samba/docs/man/winbind.html

Re:Single Sign-On

[pirhana]

Why dont you configure samba as PDC and use LDAP for all the authentication purpose?. I found it a robust solution. The beuty is that you can use it as a back end for any services/servers which requires authentication and can act as a truly single source of authentication. All the requirements you mentioned is possible with this.

Re:Single Sign-On

[datalife]

you don't need samba for single-sign on .. you need kerberos.

There are still issues with the interaction between samba in ADS-mode and kerberized tools on the same host.

I had set up SSH with GSSAPI-Authentifiaction. after installing samba3.0rc4 it didn't work anymore.

the
net ads join -Command
wiped out my existing Kerberos-Principal on Windows2000-Server

and samba doesn't propagate its machineaccount-password to /etc/krb5.keytab.

Re:Single Sign-On

[Jeremy+Allison+-+Sam]

Known bug - we intend to fix this for 3.0.1. We intend to
be able to export the Samba smbd keytab entry in the next
release (this is a request I've had inside HP as well).
Sorry for the problem you had.

Jeremy Allison,
Samba Team.

From the release notes

[watzinaneihm]

5) A new "net" command has been added. It is somewhat similar to the "net" command in windows. Eventually we plan to replace numerous other utilities (such as smbpasswd) with subcommands in "net".
Now making it more useful for windows users might be a good idea, but is'nt replacing the older commands with windows style commands a bad idea? the "net" command does not take a standard "-" or "--" for parameters, also we now have to worry about our "/"s and "\"es. With everything in the GUI already looking like windows , why do we want our CLI to be spoiled too? Are we more worried about existing linux users or the people who probably might migrate from windows?

Re:From the release notes

[fodder69]

Similar != exactly the same Usage: net time to view or set time information net lookup to lookup host name or ip address net user to manage users net group to manage groups net groupmap to manage group mappings net join to join a domain net cache to operate on cache tdb file net getlocalsid [NAME] to get the SID for local name net setlocalsid SID to set the local domain SID net ads to run ADS commands net rap to run RAP (pre-RPC) commands net rpc to run RPC commands Type "net help " to get more information on that option Valid targets: choose one (none defaults to localhost) -S or --server= server name -I or --ipaddress= address of target server -w or --workgroup= target workgroup or domain Valid miscellaneous options are: -p or --port= connection port on target -W or --myworkgroup= client workgroup -d or --debuglevel= debug level (0-10) -n or --myname= client name -U or --user= user name -s or --configfile= pathname of smb.conf file -l or --long Display full information -V or --version Print samba version information -P or --machine-pass Authenticate as machine account

Re:From the release notes

[atomicdoggy]

The net command isn't replacing an older command, Samba did not have a siminlar command, it is all new functionality for Samba.

Re:From the release notes

[hey]

I hope the new command is called "smbnet".
Just "net" seems a bit presumptuous.
After all this "net" refers to you local LAN
and there is after all the interNET.

Re:From the release notes

[lkaos]

The net command does not behave like the windows version and it does support GNU style options.

The idea behind net was to have a single point of administrator for all things Samba instead of having multiple different utilities.

The CLI has remained unspoiled.

Multiple workgroups?

[sjbe]

Can anyone tell me if 3.0 includes an easier way to get computers in more than one workgroup to connect? I know you can do it with by running an extra instance of samba but it's awkward. Any better ideas?

I've got a bunch of laptops that have to connect to different workgroups but I'd like to have them all connect to my samba server. But they have different workgroups and that cannot easily be changed. Samba doesn't deal well with this out of the box, though it works pretty well under Windows proper.

Samba is great!

[ErisCalmsme]

I'm not an admin but I still need samba in order to get work done at the office... I have been using it to send people files from my laptop, and just yesterday I figured out how to get printing to work with samba+cups+foomatic+hpijs(finally). Thanks to the samba team I can have the only linux box (my laptop) in the office (or quite possibly entire company) and still get things done, without having to reboot or use the slow computer that's under my desk...

I just compiled and installed samba-3.0.0 over the existing install and everything still works great too...

Production environment

[gsparrow]

I think I need to look into using this, but I need to learn more.

Re:Does this ver. solve the WinXP security "featur

I had a lot of trouble getting xp to read a public samba share with no password - 2k worked fine, but for xp I needed to do (in the command prompt):

net use t: \\linux-box\samba-share * /USER:

(and just press enter for the password)

This maps it to drive t:

Re:Does this ver. solve the WinXP security "featur

[FyRE666]

I call bullshit here. I regularly set up Linux Samba servers (file and print) that work fine with Win98, NT, 2K and XP machines. Both standalone and as domain members. I've used both the normal smb password file and LDAP passwords for authentication, and it all works faultlessly.

In fact I'm sitting at an XP machine right now that's mounting from 3 different Samba servers...

It's called winbind

[buchanmilne]

You could do this with 2.2.8a if your AD server allowed anonymous authentication. If not, you need 3.0.0.

See how we do it on Mandrake (since 9.0).

I run a Mandrake 8.2 box in production as a mail server in an AD domain, all authentication is via winbind.

It's because I love him.

And he won't requite me, the fool.

Huh?

[buchanmilne]

Unless you are talking about domains, no, there is no reason you should be having any trouble to connect (besides the usual windows browsing problems, but you should use WINS to prevent that).

Re:Huh?

[sjbe]

I should clarify. It connects fine but accounts that are in a workgroup that does not match the samba server can only log in as guest. So for example I have two workgroups GROUPA and GROUPB, and the samba server is in GROUPA. One laptop in each workgroup. The GROUPA laptop can share the printer and copy files to the samba server, but the GROUPB laptop can only do so as Guest. The accounts are properly defined and if I switch the workgroup name for the samba server, the problem reverses itself.

What little documentation I've found (samba documentation is rather poor IMO) indicates that multiple workgroups is difficult at best. It worked fine with a Windows 2000 box but perhaps I'm taking a too simple approach.

NT4 support? Err , what about 2000, XP?

[Viol8]

I'm not a windows admin so I may have got the wrong end of the stick here , but I can't see
too many people getting excited over support for NT4 trust relationships just as MS is phasing NT4 out. Isn't this a classic example of
too little too late since anyone who wanted NT with this functionality would have long ago gone the all MS route and is unlikely to suddenly
want to zap their legacy NT4 servers and replace them with *nix and samba. Are they?

Re:NT4 support? Err , what about 2000, XP?

[fgb]

2000, XP & 2003 Server all support NT trust relationships.

Re:NT4 support? Err , what about 2000, XP?

[EvilTwinSkippy]

In a word yes.

That's exactly what I did 3 years ago when M$ started playing games with Active Directory, and I still had a network full of 98 and NT boxes. We set up a new domain, and moved all the file and print services to it.

Now that we have aged out all of the decrepid hardware and standardized on 2k, ActiveDirectory is a good idea. But that is 3 years, and a $100,000 in hardware later.

Having trust support would have saved me from having to hike to all the machines and add them to the new domain. I can imagine with NT entering M$'s discard pile, there are quite a few NT shops that are looking for a drop in replacement.

Enter the dragon...

Re:NT4 support? Err , what about 2000, XP?

[smcavoy]

There is still plenty of NT 4 out there.
For some it's all they need.

Samba 3, Squid and NTLM Authentication - a change!

[OneNonly]

One thing that does change with Samba 3 is the way that you need to configure Squid to use NTLM authentication...

If you upgrade and try using the old authenticators built with squid, you'll be stuck. Samba 3 comes with it's own helper utility (ntlm_auth) to work with other applications such as Squid.

I have written a Samba 3 / Squid Walkthrough that takes users step by step through getting this going.

Find out about it here:
http://itmanagers.net/article-4--0-0.html

Re:Does this ver. solve the WinXP security "featur

That's nice, you still don't know what you're talking about though.

So Am I Nuts

...to put a Samba server exposed to the internet?

Seriously, I'd like to know if people do it and if it is secure.

Re:So Am I Nuts

[Abalamahalamatandra]

Security concerns notwithstanding, I'm not sure I'd want the attention that comes these days with having a port 135 RPC server out on the net.

As someone who runs several IDS systems, I can tell you that there's active scanning for these systems going on, and it isn't from worms.

I'd put a VPN in front of it if I were you.

Re:So Am I Nuts

[Jeremy+Allison+-+Sam]

I wouldn't do it. And I write lots of the Samba code :-).
The protocol is just too complex to be sure any implementation
is safe.

Hopefully that should tell you something. It should also
tell you why we don't want it in the Linux kernel. Microsoft
put it in their kernel - I think that's a mistake.

Jeremy Allison,
Samba Team.

Re:Does this ver. solve the WinXP security "featur

Does this work for XP Home Edition as well as Professional Edition?

You troll...

[ckaminski]

I seriously doubt that OpenSSH is 10 years old.

YOU FAIL IT!

[YOU+FAIL+IT!]

ericisbananaman .. when he eats a banana, he becomes a FAILURE! This is not the first post! You are a FAILURE, bananaman!!

YOU FAIL IT!

Samba 3.0

[Lost+Penguin]

SCO will be happy to have a new item included in Unixware to crow about.

It is time they ate their crow.

Re:Does this ver. solve the WinXP security "featur

[smooc]

nope, SignOrSeal is supported now!

Re:Does this ver. solve the WinXP security "featur

[caseih]

This is a well-documented problem with XP and 2000 when service pack 4 is installed. Besides setting the registry entry "RequireSignOrSeal" to "0," you must run the "mmc" program, add a "Group Policy" Snap-in, then in there find and option that says something about ignore permissions on roaming profile. Set that to "enabled." I'm not yet at work, but when I get there, I'll get the exact key name and post it here. A quick search of google reveals it's not terribly obvious, although I found this before.

Re:Does this ver. solve the WinXP security "featur

[EvilTwinSkippy]

It does a hell of a lot more. I have more software that doesn't work under XP than I ever did under 2000.

And hey, who can't love the fisher-price dialog system. You have no need to go in and change a setting that you know where it goes. There is a ritual now by which you painstaking step through a set of droolproof dialogs, enter the setting you wanted 4 steps in, and then have step 7 negate them.

Re:Does this ver. solve the WinXP security "featur

[TheMayor]

There is an easy fix to this for XP:

Settings -> Control Panel -> Admin Tools -> Local Security Policy

Look under Local Policies, then Security Options.

Look for "Domain Member: Digitally encrypt or sign secured channel (always)" and set it to DISABLED.

That should solve some of your problems.

XP only wants to trust other Windows machines when working in a domain environment.

Building RPMS

[Cable_Monkey]

Upon trying to build my own RPMs (mainly as a learning exercise), I get this:

[root@dhogan root]# rpmbuild -ta samba-latest.tar.gz
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.44093
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ cd /usr/src/redhat/BUILD
+ rm -rf smbldap-tools-0.8
+ /bin/mkdir -p smbldap-tools-0.8
+ cd smbldap-tools-0.8
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.65514
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd smbldap-tools-0.8
+ LANG=C
+ export LANG
+ tar zxvf /root/mkntpwd.tar.gz
tar (child): /root/mkntpwd.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now tar: Child returned status 2
tar: Error exit delayed from previous errors
error: Bad exit status from /var/tmp/rpm-tmp.65514 (%build)

What is this mkntpwd.tar.gz and why is it missing?
NOTE: This is on a RedHat 9 system.

Re:Building RPMS

[Spruce+Moose]

Is this even supposed to work? Try rebuilding from the Samba src rpm instead of the tar file. i.e rpmbuild --rebuild samba-3.0.0-1.src.rpm

Re:Does this ver. solve the WinXP security "featur

[batkiwi]

XP Home does not allow logon to domains, so there's no problem to fix.

Stop stealing my bandwith

[arabagast]

...You bandwith whores, I only get 2 KB/s on my norwegian mirror - you`r NOT living in Norway, are you ? Goddamn outlanders :)

-Wants it, me wants it so bad.

Bill Clinton spoke the truth when he said...

...he did not have sexual relations with that woman.

It was the cigar that had the sex!! Bwuh huh huh :-)

What I want to know is did Bill smoke the cigar afterwards?

you're worried about migrating users, of course

[flicman]

Of course you're worried about migrating users. If Samba gets easier to use, you'll find people migrating from the biggest user base on the planet - Windows.

And worry about alienating Linux users? Please, where are you going to go to get something better? On a Mac? I know you're not going to stop using Linux (maybe Samba, but who cares, I guess) and go to Windows because your system is operating more and more like Windows.

Unless you're losing functionality, cheer the changes. As more users (like me) migrate to open source, your exclusive club will get better and better. I'll tell you one thing - if Samba gets easier to figure out, I'll certainly start using it to get my systems connected to a single file server.

Thanks all!

[jACL]

All of your contributions have given some good leads. I'm out digging into them now.

No.

[abulafia]

It means samba can function as your Bondage and Discipline Cop.

What happens is that if you fail to listen to your Primary Domain Controller, the Bondage and Discipline Cop steps in to beat and humiliate you until you submit creditentials to the proper authorities. Usually, this happens when you're standing in front of many people and attempting to get at Powerpoint slides you left on your client machine.

WATCH OUT WHO YOU TALK TO LIKE THAT YOU TWAT

I'm going to find you and slay you. Don't believe me? Just wait until you're asleep and we'll see how you survive the heart attack I'm going to induce. I don't take kindly to people calling the pot black.

Egads a new holy war...

[EvilTwinSkippy]

First it was VI vs. Emacs

Then, Gnome Vs. KDE

Now its MySQL Vs. Postgres

At least we are evolving from text editors and eye-candy to relational databases.

Auto workstation add via LDAP? LDAP in general?

[otis+wildflower]

How's support for LDAP in 3?

Last time I touched samba, there were issues joining machines to a domain where I had to manually add LDAP entries for machines, then join them.. Kinda tedious..

Also, passwd sync was hell, I ended up writing a password change web CGI that fed values into ldapmodify and smbpasswd to keep passwds in sync, since samba used LM and NT passwd fields within the samba ldap schema. Has this been addressed? It made using standard LDAP GUI utils rather painful..

Looks like a great leap in the right direction...

[NtroP]

But...

One of the stumbling blocks I've run into in the past (I am no Samba guru) is dealing with the occasionally complex, nested groupings, permisions, and far more detailed ACLs than the ext2-3 filesystems provide. I know that there are some filesystems (and what? overlays?) that can be applied to ext3 which allow more than OWNER-GROUP-WORLD permissions.

How does this improved AD integration tie in with the various exended-ACL solutions?

I would LOVE to yank most or all of our windows fileservers and replace them with Linux boxes. The increased security and protection from viruses, etc. would be great. But with thousands of users in hundreds of departments in our domain(s) needing to access some of the same resources with different permissions - I've not found a satisfactory Linux solution.

Obviously, I'm missing something. But it would be great to have an out-of-the-box solution that takes the best of NTFS (for what it's worth) and the best of journaled Linux FSs to provide a truly stable, yet flexible fileserver.

Any /.'ers have a solution that's worked for them which you'd be willing to share?

Re:Does this ver. solve the WinXP security "featur

[xanadu-xtroot.com]

It's accessable from the MMC on each client machine

Cool, I actually have to visit each and everyone of my clients, personally?

Works for me

[buchanmilne]

Our home network ran a samba-2.2.8a+LDAP domain controller (for me to test), but some of the machines are in their own workgroup, and can access the samba server (which is in another workgroup) with no problems.

On our business network (running samba-2.2.8a on LDAP etc), we often have consultants bring their own machines, some of which are joined to their own Windows domains, and they have no problems accessing our samba boxes.

Of course, it would help if you gave more detail, but it would be more appropriate for the samba list.

But, I don't think the problems you were seeing are common.

BTW, we have been running samba as a production DC since 2.0.7 ...

Re:Works for me

[sjbe]

You're right, it's not really appropriate for /. Thanks though. It's nice to know that I may not be experiencing technical limitations after all.

Re:Does this ver. solve the WinXP security "featur

[Moridineas]

Well given that you have to visit them to join a machine to a domain in the first place, I don't see how this is a problem?

Works fine in 2.2.8a

[buchanmilne]

Last time I touched samba, there were issues joining machines to a domain where I had to manually add LDAP entries for machines, then join them.. Kinda tedious..

<plug>
Implementing a Samba LDAP PDC Setup
and
Implementing Disconnected Authentication and PDC/BDC Relationships Using Samba and OpenLDAP
</plug>

Those two documents cover a setup which will give you a PDC-BDC setup where any member of the right group (adm by default) will be able join machines to the domain without having to pre-make machine accounts.

Also, passwd sync was hell, I ended up writing a password change web CGI that fed values into ldapmodify and smbpasswd to keep passwds in sync, since samba used LM and NT passwd fields within the samba ldap schema.

This can be addressed by using 'pam password change' and ensuring your pam_ldap setup is correct.

The biggest issue that samba-3.0.0 addresses (IMHO) is password expiry, which could be hacked onto 2.2.8a, but not easily ...

Since 1997

[marcomuskus]

I start using samba from 1997 starting with version 2.0.7 on a DX2 486 33Mhz with 16MB RAM and 500MB HD for 20 PC running WfWG 3.11 & W95, today running 2.2.8a on a PIII 800Mhz with 512MB RAM and 200GB for +180 PC running W2K Professional.

Thanx to the samba team for this spectacular piece of software.

Re:Does this ver. solve the WinXP security "featur

[MCZapf]

Did you also set sealsecurechannel=1 and signsecurechannel=1? I found I had to do this with my Win2k SP3 box. For your convenience (remove the Slashdot-added spaces):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ces\Netlogon\Parameters]
"requiresignorseal"=dwor d:00000000
"requirestrongkey"=dword:00000000
"se alsecurechannel"=dword:00000001
"signsecurechanne l"=dword:00000001

Re:Does this ver. solve the WinXP security "featur

[Scooter]

Hmm same here - one XP box quite happily connecting to Samba shares on my 2 Linux servers.

Re:Does this ver. solve the WinXP security "featur

[Jeremy+Allison+-+Sam]

Not any more. We implemented sign&seal for Samba 3.0.

If it doesn't work when you remove this please log
a bug at bugzilla.samba.org.

Thanks,

Jeremy Allison,
Samba Team.

Re:Does this ver. solve the WinXP security "featur

[Jeremy+Allison+-+Sam]

It's probably the Web sharing service. Turn off the client
side on the XP box. It tries to contact a port on the Samba
server that isn't open and times out. Sorry, I can't remember
the exact instructions to turn this off (I only use Windows
under VMware to test Samba :-).

Jeremy Allison,
Samba Team.

Uh, no.

[SuperBanana]

Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary.

Your machine may have -appeared- on the network, but it wasn't part of the domain, unless the admin password was blank. You simply -cannot- join the domain without domain admin rights. Period.

Re:Uh, no.

[gregarican]

I can tell you for a fact that the Samba box appeared in Server Manager as a member server. And the admin password for our 5,000 person nationwide company wasn't blank. I had attempted to add NT Workstations to the domain so they appeared under Server Manager in the past and sure enough the NTLM authetnication popped up and since I couldn't exercise admin rights I couldn't add them to the domain.

But the Samba box dropped right in *without* admin authentication. I am not talking about just appearing in a SMB browse list or having its name resolved via WINS/NetBIOS. I am not talking about just appearing under 'Network Neighborhood.' Don't think that I just fell off a turnip truck. Thinking back I believe it was Samba 2.0.3 or so(?) and under an NT 4.0 domain security model.

Re:Does this ver. solve the WinXP security "featur

[elanoz]

a hell of a lot more. Please site examples other than the obvious software limitations of 2K. I have twice as many problems with XP than I have with 2K, and yes my XP is patched like an old quilt. Although, I do appreciate the "Send Error Report" dialog that rears it's ugly head every few hours or so.

Re:Does this ver. solve the WinXP security "featur

[MCZapf]

So should I just remove these entries completely, or change them to certain values? What are the correct values?

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

I'm talkin' XP Pro, not Home.

Use XFS as your filesystem

[MCZapf]

XFS supports ACLs (specifically, some withdrawn POSIX ACL draft standard, IIRC). Samba (2.2 and up) supports the XFS ACLs. The mapping from NTFS-style ACLs to XFS-style ACLs works well enough for my home use - can't really comment on large-scale use or AD, though.

Oh, XFS is also journaled.

To anyone who has tried XFS/Samba on a large scale, would you care to comment?

Re:Use XFS as your filesystem

[ocelotbob]

ACLs aren't just limited to XFS. ext2/3 has had ACLs for years, with support being rolled into the kernel proper with 2.6.

Re:Does this ver. solve the WinXP security "featur

well, that's super, but I have XP Home and he was replying to my question.

AD Dynamic DNS

What about using Active Directory's dynamic DNS features for member servers? 3.0alpha didn't assign a fully qualified domain name to the member server after a "net join." Any fix here?

Re:Single Sign-On - Winbind now Kerberized

Winbind is the logon utility (pam/nss modules) that provides the broadest interoperability and now can use Kerberos/LDAP if in an ActiveDirectory like environment or use DCE/RPC if in a Samba 2.2 or Windows NT environment. It also has a flexible backend with function pointers that can be mapped with little code to other authentication and user/group models. Its dual daemon and caching support are much better than the alternatives.

Winbind is less known than it should be, probably because it is included in the Samba tree, and not immediately obvious to some is that is useful on clients whether or not Samba is present.

Re:Does this ver. solve the WinXP security "featur

[xanadu-xtroot.com]

Even better! I get to spend a few hours downloading things AND configuration on ach machine, just to make basic Networking Things (tm) up-to-date and possible. This is so cool!

I love being an NT admin...
I love being an NT admin...
I love being an NT admin...
I love being an NT admin...
I love being an NT admin...
I love being an NT admin...

Re:Single Sign-On - Winbind does use LDAP

Winbind already does use LDAP, if available, and is faster and more tolerant of different LDAP schema.

"Can not view list of users"

[MrJones]

Is this problem in Win98 fixed?
The problem is that you get this error:
"You can not view the list of users. Try again later" on Win98 clients.

If it is solved, it will be really great.

Congrats for the 3.0 to the Samba Team! :-)

Re:Does this ver. solve the WinXP security "featur

[HiroProtagonist]

Lol, sorry, I surf at +2 & didn't see you.

Boy do I feel dumb...

I'm looking at your page and I can't find the actual walkthrough.

Is the user interface that bad or am I blind?

Re:Does this ver. solve the WinXP security "featur

[Minna+Kirai]

If MS were going to make XP not work with Samba, they would have made ALL XP not work, rather than just a few XP installs and at random.

But if it was a conspiracy, and MS really was secretly, intentionally breaking compatibility with Samba, then they'd want to do it on just a few random installs.

That way they deflect attention from themselves, making everyone assume (as you did) that the problem is in Samba, not XP. And when the Samba team goes to try reproducing the user's bug report, chances are it works fine.

Whereas if it were broken all the time, they'd be more quickly able to reverse engineer whatever's needed to achieve compatibility again.

Re:Building RPMS (offtopic???)

Would someone mind explaining to me why the parent post is offtopic? He is talking about Samba 3.0.0.

Re:Does this ver. solve the WinXP security "featur

[Moridineas]

If you really WERE an admin and not just some disgruntled linux user, you would possibly know about ways to automate software rollouts and patches such as this one. Guess you don't though.

Re:Does this ver. solve the WinXP security "featur

[Large+Green+Mallard]

No, it's probably just a whole lot easier to set the "profile acls = yes" option in the smb.conf ;p

SMB, PAM, and Apache

So, anyone here developed a intranet hosted on a Linux server w/ Apache that authenticates to an NT domain? I've googled and read a lot about winbind, pam_auth modules, etc. but, not being a domain administrator, have not yet truly understood. Pointers?

Re:SMB, PAM, and Apache

[arkane1234]

So, anyone here developed a intranet hosted on a Linux server w/ Apache that authenticates to an NT domain?

You could set the local system to use pam_smb... that's one way.

I did a lookup on google for "nt auth apache" and ran across this: http://www.linuxmanagers.org/pipermail/linuxmanage rs/2002-December/000864.html

I really think using pam_smb is the best way, IMHO.

Well, that made sence!

[Bill,+Shooter+of+Bul]

My request for an explanation gets modded funny? I just don't understand it. I think I'm turning into Charlie Brown.

wha wa whawha wa wha wawawaw wha wha wha.

You say charlie brown was funnier than me?

wa wha wha whana wha wawa wa.

Arrrghh!. And better looking? Unbelievable. I just don't understand! I just don't Understand.

Re:Well, that made sence!

And I, for one, welcome our new moderation overlords. I'd like to remind them that, as a poster with excellent Karma, I could be helpful in rounding up others to toil in their underground Karma caves.

Re:Building RPMS (offtopic???)

Because he's asking a question that's better suited to a Samba mailing list than a general discussion board such as slashdot, and he's boring the snot out of people.

/., you did it again!

Why the fuck is Ninnle offtopic?
It couldn't be more ON topic!