TEST:
Add
echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername
echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername
-> https://gitlab.com/samba-team/samba/-/merge_requests/1271
Migrate s3 client code to cli_credentials
-> https://gitlab.com/samba-team/samba/-/merge_requests/1362
SMB.CONF:
SMB_SIGNING_VALS="default|off|if_required|desired|required"
Create one function translating signing state string to enum
see set_cmdline_auth_info_signing_state and enum_smb_signing_vals
Add 'server smb encrypt' (done)
-> smb encrypt as alias
Add 'client smb encrypt' (done)
smbclient -e => getop => lp_do_param(client smb encrypt) =>
cli_creds reads lp_client_smb_encrypt()
Add cli_credentials_set_smb_signing(),
cli_credentials_set_smb_ipc_signing(),
cli_credentials_set_smb_encryption(). - DONE
Use cli_creds smb encryption:
tig -7 b06e7ea5cbc0e46c0c42d6cdeb3a14f3cf21f1c6 - DONE
Check do_connect() in client.c
CMDLINE CLI:
-> parse popts
-> set password callback, if not --use-krb5-ccache and not
--use-ccache and not --no-pass and not auth-file
--use-kerberos=yes|auto|no|default
default only if we add 'client use kerberos' as smb.conf option
--use-krb5-ccache
imply --use-kerberos=yes
--krb5-cache=$PATH - DONE
'-U... -k' =>
--use-kerberos=yes
'-k' without -U =>
--use-krb5-ccache
--use-krb5-ccache and --use-ccache
=> not supported,
TODO: --use-winbind-ccache that provides
generic support for krb5 and ntlm
Rename --use-ccache to --use-winbind-ccache (removes --use-ccache?) - DONE
Add --smb-signing=$SMB_SIGNING_VALS
also set GENSEC_FEATURE_SIGN for desired/required
--signing=$SMB_SIGNING_VALS (as legacy)
'-S $SMB_SIGNING_VALS' ??? (only smbclient?)
'-S' check what smbtorture is actually using
Remove -S for signing and use only long option
Add --smb-encryption=$SMB_SIGNING_VALS
-e => --smb-encryption=required
also set GENSEC_FEATURE_SEAL??? => defer to --gensec-protection
Remove -e and use only long option
Implemented --client-protection=off|sign|encrypt
TODO: what about 'net'...
break it and use options as above
Add the following???
--gensec-client-protection=[default,seal,sign,plain]
=> see also "ldap client sasl wrapping"
=> default from "gensec client protection"
LATER:
TODO: --use-pkinit
popt pw-nt-hash
Remove smb_encrypt from client.c
Remove smb_encrypt from cli_cm_connect()
Add smb_cmdline_sanity(long_options)
POPT_COMMON_LEGACY_S3
POPT_COMMON_LEGACY_S4
client ldap sasl wrapping -> directly use gensec
add support for client-protection
Remove cli_credentials_set_machine_account_pending()
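
A sketch of the "one function translating signing state string to enum" item together with the legacy option mappings from the CMDLINE CLI notes. This is an added example, not Samba's code: every `ex_`/`EX_` name is hypothetical, and case-insensitive matching is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for this sketch, not Samba's own identifiers. */
enum ex_smb_state {
	EX_DEFAULT = -1, EX_OFF, EX_IF_REQUIRED, EX_DESIRED, EX_REQUIRED
};

static const struct { const char *name; enum ex_smb_state state; } ex_vals[] = {
	{ "default", EX_DEFAULT }, { "off", EX_OFF },
	{ "if_required", EX_IF_REQUIRED }, { "desired", EX_DESIRED },
	{ "required", EX_REQUIRED },
};

/* One translator for every option that takes $SMB_SIGNING_VALS.
 * Unknown or NULL input fails and leaves *out untouched, so a typo
 * can never silently weaken signing or encryption. */
bool ex_parse_state(const char *s, enum ex_smb_state *out)
{
	if (s == NULL || out == NULL) return false;
	for (size_t i = 0; i < sizeof(ex_vals) / sizeof(ex_vals[0]); i++) {
		if (strcasecmp(s, ex_vals[i].name) == 0) { /* assumption: ignore case */
			*out = ex_vals[i].state;
			return true;
		}
	}
	return false;
}

/* From the notes: desired/required also set GENSEC_FEATURE_SIGN. */
bool ex_wants_gensec_sign(enum ex_smb_state st)
{
	return st == EX_DESIRED || st == EX_REQUIRED;
}

struct ex_settings { enum ex_smb_state signing, encryption; };

/* Apply one option; the legacy spellings map as the notes describe. */
bool ex_apply(struct ex_settings *cfg, const char *opt, const char *arg)
{
	if (strcmp(opt, "-e") == 0) { /* -e => --smb-encryption=required */
		cfg->encryption = EX_REQUIRED;
		return true;
	}
	if (strcmp(opt, "--smb-signing") == 0 || strcmp(opt, "--signing") == 0)
		return ex_parse_state(arg, &cfg->signing);
	if (strcmp(opt, "--smb-encryption") == 0)
		return ex_parse_state(arg, &cfg->encryption);
	return false; /* unknown option */
}
```

A caller should treat a `false` return as a hard usage error rather than continuing with the previous setting.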