Hello all.

AIX 4.3.3 / Samba 2.0.6 / Production NT4.0 domain

  Security = DOMAIN
  encrypt passwords = yes
  update encrypted = yes

Action: Moving from NT4.0 domain called nt40 to AD 2000 Domain called ad-domain

Problem: Users that have been migrated to ad-domain cannot authenticate to AIX SAMBA shares . . . the AIX SAMBA server is still part of the nt40 domain.

Explanation: I can however, map / access share if I use the "administrator" login of the ad-domain. We have a two way trust between the nt40 domain and the 2000 ad-domain.

This particular share configuration is:

  guest account = guest
  guest = okay
  read only = no
  create mask = 0777
  force create mode = 0777
  directory mask = 0777
  force directory mode = 0777
  browseable = yes

I don't want to move the AIX SAMBA server into the new 2000 ad-domain yet because I don't want to risk the production nt40 domain losing this share. I'm in testing mode yet with 2 live users logging into the 2000 ad-domain. Everything else (printer and folder shares and even proxy) from a PC world works.

Please ask any further questions that you need answers to, to clarify the issue at hand. And of course any solutions.
Hi Kirk,

Don't know if this is your problem or not, but when working with 2.0.7 on HP-UX 11.0, we found this irregularity (only for NT users that had been moved from an NT 4.0 domain to a Win2k domain):

When Windows users are migrated from Windows NT to Windows 2000 domains, to maintain backward access permissions, the migration tools add what's called SID history to the user accounts. When the Samba server is used in domain authentication mode with migrated users, the authentication fails. The problem is that due to the addition of old security IDs (called SIDHistory) to the user accounts, when Samba authenticates a user against a Windows 2000 server, if the user is authenticated properly, Win2k returns more information than Samba expects. Consequently Samba fails with a buffer overflow error.

You should be able to determine if this is happening to you by turning up your log level and reproducing the failure, then looking through the log file for a buffer overflow...

When a user is migrated from Windows NT to Windows 2000 running in native mode, Win2K preserves the user's old SID information in a Win2K native attribute called SID History. When Samba authenticates such a user successfully against the Windows 2000 server (giving the right username and password), Windows 2K appends the SID history to the response. Samba isn't ready (not coded) to handle the extra SID information returned by Win2K servers, so it fails. The workaround is to use Samba in server security mode.

We (HP) have coded a fix for this for the 2.0.7 version we ship as part of the HP-UX 11.0 operating system.

Jeremy, et al. - could this still be an issue with the 2.2 code? I can submit a patch for this as soon as I can find the lab guy who actually coded the fix, if you like.
Hope this helps,
Don

-----Original Message-----
From: Kirk Shimek [mailto:Kirk.Shimek@trw.com]
Sent: Wednesday, April 11, 2001 4:46 PM
To: samba@lists.samba.org
Subject: Changing Domains from NT4 / AD 2000
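The failure Don describes above is a fixed-size array meeting a count that the domain controller, not the Samba server, gets to choose. The following example was written for this page to illustrate that; it is not Samba code and not Jeremy's patch. It models the "other SIDs" trailer of NET_USER_INFO_3 with a simplified layout (a 32-bit count, count (rid, attr) pairs, then count entries of num_auths plus a SID), parses it with the count checked against a limit before any array is touched, and shows the same constructed 40-SID reply failing cleanly against the old limit of 32 and succeeding against 128. The layout, the S-1-5-21-1000-2000-3000-<rid> SIDs and the function names are this example's assumptions, not the exact wire format.

```c
/* Added example written for this page; it is not Samba code nor Jeremy's
 * patch. It models the failure Don describes: a Win2k DC appends a migrated
 * user's SIDHistory to the "other SIDs" trailer of NET_USER_INFO_3, and a
 * parser sized for 32 entries falls over. The layout used here (count,
 * DOM_GID-style pairs, DOM_SID2-style entries) is a simplified stand-in for
 * Samba 2.0's structures, not the exact wire format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OLD_MAX_SIDS 32        /* LSA_MAX_SIDS before the 2.0.7 patch */
#define NEW_MAX_SIDS 128       /* LSA_MAX_SIDS after it */
#define MAX_SUBAUTHS 15        /* a Windows SID has at most 15 sub-authorities */
#define TRAILER_BYTES(n) (4 + 40 * (size_t)(n))  /* size of a constructed trailer */

enum { PARSE_TRUNC = -1, PARSE_TOO_MANY = -2, PARSE_BAD_SID = -3 };

typedef struct { uint8_t rev, nauth, idauth[6]; uint32_t sub[MAX_SUBAUTHS]; } dom_sid;

static int rd_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (len - *off < 4) return 0;                   /* *off never exceeds len */
    *v = (uint32_t)b[*off] | (uint32_t)b[*off + 1] << 8 |
         (uint32_t)b[*off + 2] << 16 | (uint32_t)b[*off + 3] << 24;
    *off += 4;
    return 1;
}

static void wr_u32(uint8_t *b, size_t *off, uint32_t v)
{
    for (int i = 0; i < 4; i++) b[(*off)++] = (uint8_t)(v >> (8 * i));
}

/* Parse the trailer into out[] (capacity max_sids). Returns the number of SIDs
 * parsed or a negative PARSE_* code. The count comes from the DC, so it is
 * checked before any fixed array is touched; an excess fails this logon rather
 * than asserting, which is what took smbd down before the patch. */
int parse_other_sids(const uint8_t *buf, size_t len, size_t max_sids, dom_sid *out)
{
    size_t off = 0, i, k;
    uint32_t count, nauth, rid, attr;

    if (!rd_u32(buf, len, &off, &count)) return PARSE_TRUNC;
    if (count > max_sids) return PARSE_TOO_MANY;

    for (i = 0; i < count; i++)                     /* (rid, attr) pairs */
        if (!rd_u32(buf, len, &off, &rid) || !rd_u32(buf, len, &off, &attr))
            return PARSE_TRUNC;

    for (i = 0; i < count; i++) {                   /* num_auths + SID body */
        if (!rd_u32(buf, len, &off, &nauth)) return PARSE_TRUNC;
        if (nauth > MAX_SUBAUTHS) return PARSE_BAD_SID;
        if (len - off < 8) return PARSE_TRUNC;
        out[i].rev = buf[off];
        out[i].nauth = buf[off + 1];
        if (out[i].nauth != nauth) return PARSE_BAD_SID;  /* both counts must agree */
        memcpy(out[i].idauth, buf + off + 2, 6);
        off += 8;
        for (k = 0; k < nauth; k++)
            if (!rd_u32(buf, len, &off, &out[i].sub[k])) return PARSE_TRUNC;
    }
    return (int)count;
}

/* Constructed DC reply: nsids SIDs of the form S-1-5-21-1000-2000-3000-<1000+i>,
 * standing in for the old-domain SIDs a migrated user's SIDHistory carries.
 * buf must hold TRAILER_BYTES(nsids). */
size_t build_trailer(uint8_t *buf, uint32_t nsids)
{
    static const uint8_t nt_authority[6] = { 0, 0, 0, 0, 0, 5 };
    static const uint32_t domain[4] = { 21, 1000, 2000, 3000 };
    size_t off = 0;

    wr_u32(buf, &off, nsids);
    for (uint32_t i = 0; i < nsids; i++) { wr_u32(buf, &off, 1000 + i); wr_u32(buf, &off, 7); }
    for (uint32_t i = 0; i < nsids; i++) {
        wr_u32(buf, &off, 5);                       /* num_auths */
        buf[off] = 1; buf[off + 1] = 5;             /* revision, num_auths again */
        memcpy(buf + off + 2, nt_authority, 6);
        off += 8;
        for (int k = 0; k < 4; k++) wr_u32(buf, &off, domain[k]);
        wr_u32(buf, &off, 1000 + i);                /* RID */
    }
    return off;
}

/* Build a reply with nsids entries and parse it against max_sids. */
int demo(uint32_t nsids, size_t max_sids, dom_sid *sids)
{
    uint8_t buf[TRAILER_BYTES(NEW_MAX_SIDS)];
    if (nsids > NEW_MAX_SIDS) return PARSE_TOO_MANY;   /* keep the constructed reply in bounds */
    return parse_other_sids(buf, build_trailer(buf, nsids), max_sids, sids);
}

int demo_count(uint32_t nsids, size_t max_sids)     /* result code only */
{
    dom_sid sids[NEW_MAX_SIDS];
    return demo(nsids, max_sids, sids);
}

uint32_t demo_last_rid(uint32_t nsids)             /* RID of the last parsed SID, 0 on failure */
{
    dom_sid sids[NEW_MAX_SIDS];
    int n = demo(nsids, NEW_MAX_SIDS, sids);
    return n > 0 ? sids[n - 1].sub[4] : 0;
}

int demo_bogus_count(void)                         /* count field claims ~4 billion SIDs */
{
    uint8_t buf[4]; dom_sid sids[1]; size_t off = 0;
    wr_u32(buf, &off, 0xffffffffu);
    return parse_other_sids(buf, sizeof buf, NEW_MAX_SIDS, sids);
}

int main(void)
{
    printf("40 SIDs, limit %d: %d\n", OLD_MAX_SIDS, demo_count(40, OLD_MAX_SIDS));
    printf("40 SIDs, limit %d: %d, last RID %u\n", NEW_MAX_SIDS,
           demo_count(40, NEW_MAX_SIDS), demo_last_rid(40));
    return 0;
}
```

The point of the model is the order of operations: the count is compared with the array capacity before the first element is read, and a reply that claims more entries than fit (or claims billions) is reported as a protocol error for that one logon. Raising the constant, as the patch later in this thread does, only moves the threshold; the graceful failure is what keeps a misbehaving or hostile DC from turning a logon into a crash.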
Jeremy, I should have known you had your hand in there someplace! Thanks! Don -----Original Message----- From: Jeremy Allison [mailto:jeremy@valinux.com] Sent: Wednesday, April 11, 2001 16:40 To: MCCALL,DON (HP-USA,ex1) Cc: 'Kirk Shimek'; samba@lists.samba.org; 'samba-technical@lists.samba.org' Subject: Re: Changing Domains from NT4 / AD 2000 "MCCALL,DON (HP-USA,ex1)" wrote:> > We (hp) have coded a fix for this for the 2.0.7 version we ship as part of > the > HP-UX 11.0 operating system. > > Jeremy, et all - could this still be an issue with > the 2.2 code? I can submit a patch for this as soon as I can find thelab> guy > who actually coded the fix, if you like.Actually, I was the person who coded the fix for Agilent :-). I don't know if the CIFS/9000 people got it from me :-). I fixed it at the same time in the 2.2 code so it's not an issue there. I've attached the fix for 2.0.7 to this email. Cheers, Jeremy. Index: include/rpc_lsa.h ==================================================================RCS file: /data/cvs/samba/source/include/rpc_lsa.h,v retrieving revision 1.8.2.2 diff -u -r1.8.2.2 rpc_lsa.h --- include/rpc_lsa.h 1999/04/06 00:39:45 1.8.2.2 +++ include/rpc_lsa.h 2001/04/11 22:37:01 @@ -52,7 +52,7 @@ #define LSA_LOOKUPRIDS 0xFD #define LSA_MAX_GROUPS 96 -#define LSA_MAX_SIDS 32 +#define LSA_MAX_SIDS 128 /* DOM_QUERY - info class 3 and 5 LSA Query response */ typedef struct dom_query_info Index: include/rpc_netlogon.h ==================================================================RCS file: /data/cvs/samba/source/include/rpc_netlogon.h,v retrieving revision 1.4.4.2 diff -u -r1.4.4.2 rpc_netlogon.h --- include/rpc_netlogon.h 1999/04/20 01:01:43 1.4.4.2 +++ include/rpc_netlogon.h 2001/04/11 22:37:01 
@@ -120,6 +120,10 @@ UNISTR2 uni_logon_dom; /* logon domain unicode string */ DOM_SID2 dom_sid; /* domain SID */ + + uint32 num_other_groups; /* other groups */ + DOM_GID other_gids[LSA_MAX_GROUPS]; /* group info */ + DOM_SID2 other_sids[LSA_MAX_SIDS]; /* undocumented - domain SIDs */ } NET_USER_INFO_3; Index: rpc_parse/parse_net.c ==================================================================RCS file: /data/cvs/samba/source/rpc_parse/parse_net.c,v retrieving revision 1.17.2.6 diff -u -r1.17.2.6 parse_net.c --- rpc_parse/parse_net.c 1999/04/20 01:01:44 1.17.2.6 +++ rpc_parse/parse_net.c 2001/04/11 22:37:01 @@ -1080,6 +1080,8 @@ init_unistr2(&usr->uni_logon_dom, logon_dom, len_logon_dom); init_dom_sid2(&usr->dom_sid, dom_sid); + + usr->num_other_groups = num_other_sids; /* "other" sids are set up above */ } 
@@ -1198,11 +1200,22 @@ if(!smb_io_dom_sid2("", &usr->dom_sid, ps, depth)) /* domain SID */ return False; - SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids); + if (usr->num_other_sids) { + SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids); - for (i = 0; i < usr->num_other_sids; i++) { - if(!smb_io_dom_sid2("", &usr->other_sids[i], ps, depth)) /* other domain SIDs */ + if(!prs_uint32("num_other_groups", ps, depth, &usr->num_other_groups)) return False; + + SMB_ASSERT_ARRAY(usr->other_gids, usr->num_other_groups); + + for (i = 0; i < usr->num_other_groups; i++) { + if(!smb_io_gid("", &usr->other_gids[i], ps, depth)) /* other GIDs */ + return False; + } + for (i = 0; i < usr->num_other_sids; i++) { + if(!smb_io_dom_sid2("", &usr->other_sids[i], ps, depth)) /* other domain SIDs */ + return False; + } } return True; -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
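Review bot: raising LSA_MAX_SIDS from 32 to 128 in the rpc_lsa.h hunk buys headroom, but the count is still enforced only by SMB_ASSERT_ARRAY in the second parse_net.c hunk, so a DC that returns more than 128 entries trips the same assertion that 33 entries tripped before. Consider `if (usr->num_other_sids > LSA_MAX_SIDS) return False;` ahead of the loop so an oversized reply fails that logon rather than the parse as a whole, and record in the header comment where 128 comes from.

Review bot: in the rpc_netlogon.h hunk `DOM_SID2 other_sids[LSA_MAX_SIDS];` appears as an added line, yet the removed line in the parse_net.c hunk (`SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids);`) already referenced usr->other_sids before this patch; either NET_USER_INFO_3 ends up with that member declared twice or the `+` on that line is a copy artefact, so check the header against a clean 2.0.7 tree before applying. The "undocumented - domain SIDs" comment could now say that these are the SIDHistory entries this thread is about.

Review bot: in the first parse_net.c hunk `usr->num_other_groups = num_other_sids;` sets the new group count from the SID count while other_gids is never filled in, so if this structure is ever marshalled outbound the gid loop in the second hunk will emit num_other_groups entries of uninitialised memory. Populate other_gids here (or zero the structure) and say in the comment why the two counts are expected to be equal.

Review bot: in the second parse_net.c hunk the new `prs_uint32("num_other_groups", ...)` is followed by `SMB_ASSERT_ARRAY(usr->other_gids, usr->num_other_groups);`, an assertion on a value just read from the network; prefer `if (usr->num_other_groups > LSA_MAX_GROUPS) return False;`. Also, because the whole block sits inside `if (usr->num_other_sids)`, num_other_groups is left unset when no other SIDs are present; zero it on that path so callers cannot read stale data.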
Thanks Don,

A follow on config question. I understand the work around . . . how do I handle the fact that my users' NT account names are not the same as the UNIX account names? i.e. NT uses shimekk / whereas UNIX uses kshimek, AND ALL the accounts already exist. Does the user-name-map option work here? I'm already using it. But before I affect ~300 users, I would like to know the effects, if any.

Also, I suppose to make the change to security = server I need to modify the smb.conf file and shutdown and restart smbd and nmbd . . . correct?

Again, thanks for the quick response. You guys rock at SAMBA!

Kirk Shimek
Information Systems
Systems Engineer - UNIX Administrator
TRW Automotive Electronics
Body Control Systems
507-457-3750 ext.8241
WINONA MN
" . . . for it is in one's speech, that the bent of one's mind is revealed." Book of Sirach
Okay - this is my fault - not enough information.

I cannot change the UNIX logins. We have a CAD system here that uses the UNIX login names as the project names. Cannot easily / readily make project name changes because of all the security and links the CAD system uses.

So the only solution is to use a user-name-map (which I believe I can) or if this won't work, tell all my SAMBA users that we'd have to install an NFS client for the interim of transition between NT4.0 and AD-2000, OR finally . . . nobody can use SAMBA until the entire environment has been converted.

All ideas and solutions are welcome. Thanks again for all the responses.

Kirk Shimek
Hi Kirk,

Yes, the username map works the same in security = server as in security = domain. So if security = domain and your username map have been working for you so far, modifying security = domain to security = server should be pretty transparent to your users. Of course, security = domain IS the preferred method.

I remember you mentioned that you are using 2.0.6; Jeremy posted a patch to 2.0.7 last night (he was the one that originally wrote it!) that fixes the problem I mentioned. And 2.0.7 plays better with Win2k clients. So at some point you might consider moving up to 2.0.7 & this patch and going back into domain mode, OR go up to 2.2.x (which has this problem fixed as well) when it becomes released/stable. (Thanks again, Jeremy, for posting that patch...)

BTW, both Richard Sharpe's "Special Edition Using Samba" and the O'Reilly "Using Samba" have nice sections describing the differences between domain and server level security, and why you would prefer one to the other, if you're interested. I personally couldn't live without either one of these books...

Hope this helps,
Don

-----Original Message-----
From: Kirk Shimek [mailto:Kirk.Shimek@trw.com]
Sent: Thursday, April 12, 2001 9:10 AM
To: don_mccall@hp.com; samba@lists.samba.org; samba-technical@lists.samba.org
Subject: RE: Changing Domains from NT4 / AD 2000
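Kirk asks what effect the username map will have before it touches ~300 users, and Don confirms it behaves the same under security = server as under security = domain. The example below was written for this page to make that behaviour concrete; it is not smbd's code. It models the lookup as the username map documentation describes it: "unix = nt1 nt2" lines, `#`/`;` comments, `*` matching any name, a leading `!` stopping processing once that line has matched, and each later line compared against the name as mapped so far. It then shows the one effect worth checking for in a large map: a catch-all `guest = *` placed after the per-user lines also remaps users who were already mapped, unless those lines carry the `!` marker. The two map files, the names kshimek/shimekk and jdoe/doej, and case-insensitive matching are assumptions of this example; `@group` entries are not modelled.

```c
/* Added example written for this page; not Samba code. A model of how an
 * smb.conf "username map" file is applied, following the documented rules:
 * "unix = nt1 nt2 ..." lines, '#'/';' comments, '*' matching any name, a
 * leading '!' that stops processing once that line matched, and each later
 * line compared against the name as mapped so far. "@group" entries are not
 * modelled; case-insensitive matching is an assumption of this model. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

#define NAME_LEN 64

/* Map files constructed for the example; the names are illustrative.
 * The only difference between them is the '!' guard on per-user lines. */
const char *MAP_SAFE =
    "# UNIX name on the left, NT names on the right\n"
    "!kshimek = shimekk\n"
    "!jdoe    = doej JDOE\n"
    "guest    = *\n";

const char *MAP_RISKY =
    "kshimek = shimekk\n"
    "jdoe    = doej JDOE\n"
    "guest   = *\n";

/* Resolve nt_user through map_text; unix_user (NAME_LEN bytes) receives the
 * result. Returns how many lines rewrote the name: 0 means it passed through
 * unchanged, 2 or more means a later line remapped an already-mapped name,
 * which is rarely what the administrator intended. */
int map_username(const char *map_text, const char *nt_user, char *unix_user)
{
    char line[256], lhs[NAME_LEN], *s, *eq, *tok, *save;
    const char *p = map_text;
    int hits = 0;

    snprintf(unix_user, NAME_LEN, "%s", nt_user);

    while (*p) {
        size_t n = strcspn(p, "\n");
        size_t m = n > sizeof line - 1 ? sizeof line - 1 : n;
        memcpy(line, p, m);
        line[m] = '\0';
        p += n;
        if (*p == '\n') p++;

        s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#' || *s == ';') continue;   /* blank or comment */
        int stop = (*s == '!');
        if (stop) s++;
        eq = strchr(s, '=');
        if (!eq || sscanf(s, "%63[^= \t]", lhs) != 1) continue; /* malformed line */

        /* Right-hand side: whitespace-separated NT names; '*' matches everyone. */
        int matched = 0;
        for (tok = strtok_r(eq + 1, " \t", &save); tok && !matched;
             tok = strtok_r(NULL, " \t", &save))
            matched = (strcmp(tok, "*") == 0 || strcasecmp(tok, unix_user) == 0);
        if (!matched) continue;

        snprintf(unix_user, NAME_LEN, "%s", lhs);
        hits++;
        if (stop) break;                        /* '!' line: stop after a match */
    }
    return hits;
}

/* Convenience wrappers: the mapped name (static buffer) and the hit count. */
const char *resolve(const char *map_text, const char *nt_user)
{
    static char out[NAME_LEN];
    map_username(map_text, nt_user, out);
    return out;
}

int map_hits(const char *map_text, const char *nt_user)
{
    char out[NAME_LEN];
    return map_username(map_text, nt_user, out);
}

int main(void)
{
    const char *users[] = { "shimekk", "SHIMEKK", "doej", "stranger" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        printf("%-9s -> safe map:  %s\n", users[i], resolve(MAP_SAFE, users[i]));
        printf("%-9s -> risky map: %s (%d rewrites)\n", users[i],
               resolve(MAP_RISKY, users[i]), map_hits(MAP_RISKY, users[i]));
    }
    return 0;
}
```

Running the two maps side by side shows the difference: with the `!` guards, shimekk becomes kshimek and unknown names fall through to guest; without them, every per-user mapping is followed by a second rewrite to guest, so all 300 users would silently land in the guest account. A hit count above 1 for any real user is the thing to look for when reviewing a large map before the switch.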
YEAH !!!! It all works as Don has stated.

Yes, I will move when the AD2000 project is finished. I'm the lead in the 2000 project as well. So for now . . . status quo with as few changes as possible.

Thanks AGAIN SAMBA team. That comment is for all board readers and responders.

Kirk Shimek