samba - Dec 2016 - ntvfs file server and selftest background

On Mon, 05 Dec 2016 07:50:23 +1300
Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2016-12-04 at 11:43 +0000, Rowland Penny via samba wrote:
> > On Sun, 4 Dec 2016 12:11:17 +0100
> > Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> > 
> > > 
> > > Hi Scott,
> > > 
> > > Am 02.12.2016 um 06:55 schrieb Scott Mattan via samba:
> > > > 
> > > > I am currently trying to get a Samba 4.5.1 environment set
up
> > > > for testing and I am unable to get samba to request a new
> > > > password from
> > > > a windows user.  The error that I get, is in Japanese, so I
> > > > don't have the exact translation, however it is along
the lines
> > > > of...
> > > > 
> > > > Your user password must be changed before logging in for the
> > > > first
> > > > time.
> > > > 
> > > > I am currently using SambaDC (although my computer is not
> > > > connected
> > > > to the samba domain).
> > > 
> > > As far as I know, Windows only prompts for password changes when
a
> > > domain user logs into a domain workstation. If a domain user just
> > > access a share from a none-domain-member machine only an error is
> > > shown and access is denied.
> 
> This is correct.  There isn't a way to forward on the password
> changes, nor clearly know which DC the file server was using, so no
> password change prompt can be offered.
> 
> > > 
> > > 
> > > Am 03.12.2016 um 18:53 schrieb Rowland Penny via samba:
> > > > 
> > > > You also seem to have built the deprecated 'ntvfs'
filesystem.
> > > 
> > > Yes, but he's not using it:
> > > > 
> > > > server services = s3fs,...
> > > 
> > > If he would, Samba 4.5 would fail to start:
> > >
https://wiki.samba.org/index.php/Updating_Samba#The_ntvfs_File_Serv
> > > er_Back_End_Has_Been_Disabled
> > > 
> > > 
> > 
> > Yes, I noticed, but everything the OP posted seemed to be just
> > wrong. He appears to be running Samba as an AD DC, but isn't
joining
> > anything
> > to it, he has built the 'ntvfs' filesystem but isn't using
it.
> 
> That's just because he built with --enable-selftest.  That turns on
> the ntvfs file server as the selftest relies on it.
> 
Again I knew this, but why does selftest rely on something that isn't
used anymore, just what does get tested ? and how does using ntvfs
help ?

Rowland

On Sun, 2016-12-04 at 19:05 +0000, Rowland Penny via samba
wrote:
> On Mon, 05 Dec 2016 07:50:23 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > 
> > On Sun, 2016-12-04 at 11:43 +0000, Rowland Penny via samba wrote:
> > > 
> > > On Sun, 4 Dec 2016 12:11:17 +0100
> > > Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> > > 
> > > > 
> > > > 
> > > > Hi Scott,
> > > > 
> > > > Am 02.12.2016 um 06:55 schrieb Scott Mattan via samba:
> > > > > 
> > > > > 
> > > > > I am currently trying to get a Samba 4.5.1 environment
set up
> > > > > for testing and I am unable to get samba to request a
new
> > > > > password from
> > > > > a windows user.  The error that I get, is in Japanese,
so I
> > > > > don't have the exact translation, however it is
along the
> > > > > lines
> > > > > of...
> > > > > 
> > > > > Your user password must be changed before logging in
for the
> > > > > first
> > > > > time.
> > > > > 
> > > > > I am currently using SambaDC (although my computer is
not
> > > > > connected
> > > > > to the samba domain).
> > > > 
> > > > As far as I know, Windows only prompts for password changes
> > > > when a
> > > > domain user logs into a domain workstation. If a domain user
> > > > just
> > > > access a share from a none-domain-member machine only an
error
> > > > is
> > > > shown and access is denied.
> > 
> > This is correct.  There isn't a way to forward on the password
> > changes, nor clearly know which DC the file server was using, so no
> > password change prompt can be offered.
> > 
> > > 
> > > > 
> > > > 
> > > > 
> > > > Am 03.12.2016 um 18:53 schrieb Rowland Penny via samba:
> > > > > 
> > > > > 
> > > > > You also seem to have built the deprecated
'ntvfs'
> > > > > filesystem.
> > > > 
> > > > Yes, but he's not using it:
> > > > > 
> > > > > 
> > > > > server services = s3fs,...
> > > > 
> > > > If he would, Samba 4.5 would fail to start:
> > > >
https://wiki.samba.org/index.php/Updating_Samba#The_ntvfs_File_
> > > > Serv
> > > > er_Back_End_Has_Been_Disabled
> > > > 
> > > > 
> > > 
> > > Yes, I noticed, but everything the OP posted seemed to be just
> > > wrong. He appears to be running Samba as an AD DC, but isn't
> > > joining
> > > anything
> > > to it, he has built the 'ntvfs' filesystem but isn't
using it.
> > 
> > That's just because he built with --enable-selftest.  That turns
on
> > the ntvfs file server as the selftest relies on it.
> > 
> 
> Again I knew this, but why does selftest rely on something that isn't
> used anymore, just what does get tested ? and how does using ntvfs
> help ?
It is a lot of work to change the situation, even more so without loss
of important tests.  A number of tests, particularly for spoolss but
also of the cifs proxy (which in turn tests kerberos delegation), use
the ntvfs file server. 

The next step is to have it build with ntvfs only during the main make,
but re-link without it for the install.  That is still non-trivial
however.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, 05 Dec 2016 21:07:48 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> 
> It is a lot of work to change the situation, even more so without loss
> of important tests.  A number of tests, particularly for spoolss but
> also of the cifs proxy (which in turn tests kerberos delegation), use
> the ntvfs file server.
OK, but how can you be sure that something you are testing against
ntvfs actually works with s3fs ? 

Rowland