RichardSharpe.com

Generously hosted by FreeBSD Systems
Samba Stuff
Here you can find some info about Samba as well as some problem resolution hints.

Much of this material is from my 3-day Samba course. If you have an interest in the course materials, please feel free to contact me to discuss purchasing the course.

Function of Samba

Structure of Samba
The following diagram shows the structure of Samba.

Samba consists of the following daemons:

  • nmbd—The NetBIOS name service daemon. It handles WINS and server broadcasts, some parts of Logons, etc. There will be one nmbd in a properly functioning Samba server, and there can be more. If you are operating as a WINS server, a second copy of nmbd will run.

    Clients talk to nmbd via UDP ports 137 and 138.

  • smbd—The SMB Server daemon. This process handles all file and print requests. When a client connects, it forks a new copy of itself to handle the client, and goes back to listening for new connections.

    Clients talk to smbd via TCP on port 139. However, newer Windows clients (Windows 2000 and Windows XP) want to talk NetBIOS-less SMB over port 445. They will fall back to port 139 if port 445 is not available.

  • winbindd—The winbind daemon. This daemon handles lookups of account and other information against a domain controller in much the same way that NIS can be used.

Network name cannot be found
This is perhaps one of the most frequent problems encountered by Samba users. You try to browse a recently created share, and get the following message:

It can occur for the following reasons:

  • You have misspelled the path provided for the share in your smb.conf or the path does not exist.
  • The path exists, but the user logged onto the Windows system from which you are trying to access the share does not have access to the share. Samba checks UNIX permissions when providing access. Please note, as pointed out by DSRC (whose email account does not exist), if the requesting user does not have X access to one of the directories on the path to the directory that is shared, they will get this message as well.
  • In some circumstances, like when you have used net use g: \\server\share from a DOS box, you might have used a share name that does not exist.

Unable to browse the network
This problem occurs all too frequently. You are trying to browse the network, and the following warning is displayed.

There can be several reasons for this problem:

  • nmbd is not running on your network, so there is no browsing service.
  • You have not configured a local master browser.
  • You cannot log onto the machine that is the local master browser.
  • IP connectivity problems.

Inconsistent SID
You might have seen the following error when trying to log onto a Samba-based domain from one of your Windows NT or Windows 2000/XP clients.

This is invariably caused by changing the name of your Samba server, which changes the SID of your Samba PDC. Since its SID has changed, clients can no longer log into the domain controller.

You can fix the problem in a number of ways:

  1. Change the name of your server back to what it was in the smb.conf file and restart Samba.
     
  2. Use the new net getlocalsid [NAME] and net setlocalsid S-1-5-21-x-y-z commands to change the SID of your Samba server back to what it used to be.

    For example, if samba1 is the old NetBIOS name of your PDC, you can retrieve its SID with the following command, as the SID is still available:

         net getlocalsid samba1
         SID for domain samba1 is: S-1-5-21-3349071909-1695333706-3939217754
         

    Then you can set your SID correctly with:

         net setlocalsid S-1-5-21-3349071909-1695333706-3939217754
         

    Of course, a quick way to achieve all that is:

         net setlocalsid `net getlocalsid samba1 | cut -f2 -d:`
         

    These commands are only available in Samba-3.0alpha20 and beyond.

  3. When Samba 2.2.8 ships, you should also be able to recover your previous SID and replace the existing one with the old one. You do this with the commands smbpasswd -X <SERVER> and smbpasswd -W <SID>

    For example, if samba1 is the old NetBIOS name of your Samba 2.2.8 server, you can retrieve its SID with:

          smbpasswd -X samba1
          SID for domain samba1 is: S-1-5-21-3349071909-1695333706-3939217754
          

    And you can change the SID of your server with:

          smbpasswd -W S-1-5-21-3349071909-1695333706-3939217754
          

It turns out that Samba still has the SID in its secrets.tdb file. If you can't remember your server's old name, you can most likely figure it out with the aid of tdbdump.

Firstly, you will need to build tdbdump. You can do this from the Samba source tree:

     cd tdb
     make tdbdump
   

Then you simply dump your secrets file with tdbdump. The following shows an example.

   ./tdb/tdbdump /usr/local/samba/private/secrets.tdb 
   {
   key = "SECRETS/SID/CRAPTESTER"
   data = "\01\04\00\00\00\00\00\05\15\00\00\00\0D\949?\A6Z\8A\7F\C88\B2\88
   \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
   \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
   }
   {
   key = "SECRETS/SID/INTRESTING"
   data = "\01\04\00\00\00\00\00\05\15\00\00\00|\0Ex\04v\E8\F5\19\0Ag,\FF\00
   \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
   \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
   }
   

You might find your data formatted a little differently to that above.

In any case, you can see the server names that are likely to have been used. They are the last component of the keys starting with SECRETS.

You should note that there will be one entry in your secrets.tdb file of the form SECRETS/SID/<DOMAIN> for your domain SID, and one entry of the form SECRETS/SID/<SERVER> for your server SID. They should be the same.
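If the old name is known but `net` or `smbpasswd` is not at hand, the SID can also be read straight out of the dump. The following is an added example, not part of Samba or of the original page: it decodes the two records shown above, assuming the standard binary SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) and assuming that tdbdump writes non-printable bytes as a backslash followed by two hex digits, as the sample suggests. The function names are hypothetical.

```python
"""Decode SECRETS/SID/<NAME> records from tdbdump text (added example)."""
import re
import struct

# The two records from the tdbdump output shown above, wrapped as on the page.
SAMPLE = r'''
{
key = "SECRETS/SID/CRAPTESTER"
data = "\01\04\00\00\00\00\00\05\15\00\00\00\0D\949?\A6Z\8A\7F\C88\B2\88
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key = "SECRETS/SID/INTRESTING"
data = "\01\04\00\00\00\00\00\05\15\00\00\00|\0Ex\04v\E8\F5\19\0Ag,\FF\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
'''

# Newer tdbdump builds print "key(22) = ..."; the length suffix is optional here.
RECORD = re.compile(
    r'key(?:\(\d+\))?\s*=\s*"(.*?)"\s*data(?:\(\d+\))?\s*=\s*"(.*?)"\s*\}', re.S)


def unescape(text):
    """Turn tdbdump's printable/escaped rendering back into raw bytes.

    Assumption: an escape is a backslash plus two hex digits. A literal
    backslash followed by two hex-looking characters would be ambiguous.
    """
    text = re.sub(r"\n[ \t]*", "", text)          # undo page line wrapping
    return re.sub(rb"\\([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode("latin-1"))


def decode_sid(blob):
    """Binary SID -> 'S-1-5-21-...' string, with bounds checks."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) < 8 + 4 * count:
        raise ValueError("not a valid binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_records(dump):
    """Map the last key component (server or domain name) to its SID string."""
    found = {}
    for key, data in RECORD.findall(dump):
        if key.startswith("SECRETS/SID/"):
            found[key.rsplit("/", 1)[1]] = decode_sid(unescape(data))
    return found


def same_sid(sids, domain, server):
    """True only if both names are present and carry the same SID."""
    d, s = sids.get(domain.upper()), sids.get(server.upper())
    return d is not None and d == s


if __name__ == "__main__":
    for name, sid in sid_records(SAMPLE).items():
        print(name, sid)
```

The string printed for the old server name is the value to hand to `net setlocalsid` or `smbpasswd -W`.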

Some musings on GSSAPI, SPNEGO, NTLMSSP in Windows
Here are some observations gleaned while working with Jim McDonough and Steve French of IBM to figure out how to decode the authentication protocols used by MS.

Of course, much of it was already decoded by others, and was in Samba and so on, but there were some mistakes here and there.

I will add pretty pictures and clean this up as time permits. And references.

Things all start with the NegProt request a client sends to a server.

If the Extended Security Negotiation Flag is set in the flags2 field of the SMB header, a server capable of handling extended security will return a NegProt response that is formatted differently from the normal one. This NegProt Response contains a Server GUID, and, in most cases, a GSSAPI encoded security blob. If Windows omits the security blob, but includes the GUID, this is a signal that it supports raw NTLMSSP.

We don't yet know what Windows uses to determine whether to use raw NTLMSSP.

If the NegProt response contains a security blob, it will consist of an ASN.1 encoded RFC2078 (GSS-API) token. That token will consist of an OID specifying that SPNEGO is in use, followed by an SPNEGO token as specified by RFC2478. The OID is 1.3.6.1.5.5.2. An Ethereal breakout of the security blob is shown below.

SPNEGO consists of a series of Token exchanges to allow a client to authenticate with a server, and vice versa, if needed. The first token sent by a Windows server when contacted by a client is a negTokenInit. This consists of a list of OIDs of the authentication protocols it supports, followed by mechListMIC.

RFC2478 specifies that the negTokenInit should consist of:

      NegTokenInit ::= SEQUENCE {
        mechTypes       [0] MechTypeList  OPTIONAL,
        reqFlags        [1] ContextFlags  OPTIONAL,
        mechToken       [2] OCTET STRING  OPTIONAL,
        mechListMIC     [3] OCTET STRING  OPTIONAL
                                }

      ContextFlags ::= BIT STRING {

        delegFlag       (0),
        mutualFlag      (1),
        replayFlag      (2),
        sequenceFlag    (3),
        anonFlag        (4),
        confFlag        (5),
        integFlag       (6)
     }

The mechListMIC in the figure above seems wrong. That is, it is not a MIC; rather, it is some information to be used by the server. Indeed, later on, in the negTokenTarg, MS servers (and Samba) return a blob of data in the mechListMIC field as well.

In the diagram above, the Windows server specified that it understands MS Kerberos 5 (a small mistake in their OID, it seems) and NTLMSSP.

With respect to the incorrect OID value, Jean-Baptiste Marchand pointed out an email from the <ietf-krb-wg@anl.gov> mailing list which contains the following info from a Microsoft person:
First, the oid for kerberos (your issue #2 below). The previous library had a limit of 16 bits on any value in the oid. We had some code that was working around that, and that did not get updated at the same time (the correct OID for kerberos is 1.2.840.113554.1.2.2, and 113554 == 0x1bb92; the incorrect OID that is sent around is 1.2.840.48018.1.2.2, with 48018 == 0xbb92). Since at the time there were no other implementations of SPNEGO to test against, and we were self-consistent, this was not detected until after Windows 2000 shipped. This was fixed in Windows XP and was fixed in a service pack for Windows 2000 (at least SP2 and later), as is evidenced by the correct OIDs showing up in the init message.
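The effect of that 16-bit limit on the wire encoding can be reproduced directly. The following is an added example, not code from Samba, Ethereal or the original page: it DER-encodes the OIDs, models the truncation, and lists the mechTypes of a negTokenInit wrapped in a GSS-API token. The blob is constructed by the example itself and carries only mechTypes; the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10 and all function names are supplied here, not taken from the page.

```python
"""List the mechTypes in a GSS-API/SPNEGO negTokenInit blob (added example)."""

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (16-bit truncated arc)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def encode_oid(dotted):
    """DER content bytes for an OID whose first arc is 0 or 1."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Inverse of encode_oid (same first-arc restriction)."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def truncate_arcs_16bit(dotted):
    """Model the bug quoted above: every arc limited to 16 bits."""
    return ".".join(str(int(a) & 0xFFFF) for a in dotted.split("."))


def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def read_tlv(buf, pos, tag):
    """Return (content, next_pos) for the TLV at pos, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def build_neg_token_init(mechs):
    """Constructed sample blob holding only the mechTypes field."""
    mech_list = b"".join(tlv(0x06, encode_oid(m)) for m in mechs)
    init = tlv(0x30, tlv(0xA0, tlv(0x30, mech_list)))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, init))


def mech_types(blob):
    token, _ = read_tlv(blob, 0, 0x60)        # [APPLICATION 0] GSS-API wrapper
    oid, pos = read_tlv(token, 0, 0x06)
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not an SPNEGO token")
    choice, _ = read_tlv(token, pos, 0xA0)    # negTokenInit
    fields, _ = read_tlv(choice, 0, 0x30)
    wrapped, _ = read_tlv(fields, 0, 0xA0)    # mechTypes [0]; absent -> ValueError
    mech_list, _ = read_tlv(wrapped, 0, 0x30)
    mechs, pos = [], 0
    while pos < len(mech_list):
        oid, pos = read_tlv(mech_list, pos, 0x06)
        mechs.append(decode_oid(oid))
    return mechs


if __name__ == "__main__":
    win2k = [truncate_arcs_16bit("1.2.840.113554.1.2.2"), "1.3.6.1.4.1.311.2.2.10"]
    for oid in mech_types(build_neg_token_init(win2k)):
        print(oid, "->", MECH_NAMES.get(oid, "unknown mechanism"))
```

A parser that has to interoperate with the affected Windows 2000 builds needs both Kerberos OIDs in its table, since the two encodings differ by a single byte (`86 f7 12` versus `82 f7 12`).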

The next step is that the client responds with a SessionSetup&X request, and guess what, that also includes a security blob, as shown below.

The following shows what the security blob contained in the SessionSetup&X request contains.

This time around, the client sends another NegTokenInit in the security blob in the SessionSetup&X request; however, this one contains a mechToken. The mechToken actually contains a Kerberos 5 ticket and authenticator for the user who wants to authenticate.

As an aside, the security blob contained in the mechToken above is for Kerberos 5 as used by Microsoft's Active Directory authentication protocols. The following shows what it looks like.

The response to the negTokenInit in the SessionSetup&X request is a negTokenTarg in the SessionSetup&X response. In addition, if the underlying security protocol requires more transactions to complete the authentication process, this will be indicated by a status code of STATUS_MORE_PROCESSING_REQUIRED, and will require at least another SessionSetup&X request and response pair.

SPNEGO (RFC2478) defines the negTokenTarg as:

      NegTokenTarg ::= SEQUENCE {
          negResult      [0] ENUMERATED {
                                  accept_completed    (0),
                                  accept_incomplete   (1),
                                  reject              (2) }   OPTIONAL,
          supportedMech  [1] MechType                         OPTIONAL,
          responseToken  [2] OCTET STRING                     OPTIONAL,
          mechListMIC    [3] OCTET STRING                     OPTIONAL
      }

The following shows the details of a negTokenTarg from a SessionSetup&X response with a Win2K AD domain controller.

More discussion here on the format of the GSSAPI/SPNEGO blobs.

Windows cannot copy \\...\SendTo\3
Sometimes when you are logging onto a workstation and your profiles are on your Samba server, you can get the following error message:

This has been reported to occur if you have copied your profiles from a Windows system.

However, in my experience, it occurs when you convert from Samba 2.2.x to Samba 3.0.x and your users were already using profiles. The problem is that files with names like 3½ Floppy ... where the 1/2 is one of those Windows funny characters are converted to UNIX names in different ways by these two different versions of Samba.

For the moment, simply delete the file and log off and on again. The file will show up under some versions of UNIX as 3« Floppy ....

Once your user has logged back on again, simply recreate the file by copying it from the My Computer folder.

Profiles and NTUSER.DAT
Profiles can be very useful, but sometimes they get messed up, and you get messages like that shown below:

Profiles not accessible
One of the reasons that this can occur is that the SID of your Samba server has changed (perhaps because you changed its name). While this can be fixed, thanks to other information on this site, it would be neat to be able to go through NTUSER.DAT and change the SIDs and/or permissions associated with them.

Recently I figured out enough of the format of NTUSER.DAT that anyone could print out the SIDs and modify them. The format seems to be:

      <A 'regf' block>
      <A 'hbin' block>
      <A 'sk' block, containing, eventually,
        A SECDESC consisting of {
           USHORT version
           USHORT Flags
           ULONG Offset to Owner SID
           ULONG Offset to Group SID
           ULONG Offset to SACL
           ULONG Offset to DACL 
           Then the DACL, usually no SACL, then Owner and Group SIDs
        }
      >
      <The rest of the registry>
     

Actually, it is more complex than what I have indicated above. There are multiple SK records, one for each SEC DESC that the NTUSER.DAT file contains. You can find more information about this at: WinReg.txt

I have found plenty of code that understands the format, so we can possibly fix the SIDs in the case that you have copied profiles from an NT server and did not set your Server's SID correctly.

I have now implemented a program called profiles that can, at a minimum, list all the SEC DESCs, including ACLs, in NTUSER.DAT. This program is part of Samba-head, and can be built using:

     make bin/profiles
     

You might be able to do the following to fix the SIDs:

     profiles -c S-1-5-21-x-y-z-oldrid -n S-1-5-21-a-b-c-newrid /path/to/profile
     

You will have to do that twice, once for the owner SID and once for the group SID.

You can use net getlocalsid to find the SID of your server. Don't forget to add the RID of the user on the end. Actually, you might be better off to use rpcclient to find the user's SID. For example:

     rpcclient -Uroot%pass  -c 'lookupnames '
     

Here is an example of using profiles:

Registry file size: 524288
First Key Off: 32, Data Block Size: 266240
Next Off: 0, Prev Off: 4096
Type: 2c
SK Off    : 10204
Off: 00000080, Refs: 312, Size: 256
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 80000000, SID: S-1-5-12
Off: 00006E28, Refs: 245, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00008750, Refs: 3, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00006968, Refs: 2, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00005E08, Refs: 5, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00002DF8, Refs: 5, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00002188, Refs: 9, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00001838, Refs: 5, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00000C28, Refs: 6, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00000980, Refs: 5, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00000608, Refs: 6, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 000002D8, Refs: 9, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00000020, Refs: 4, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000D958, Refs: 22, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000D768, Refs: 39, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000D108, Refs: 3, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000C980, Refs: 20, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000C408, Refs: 2, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000C2F0, Refs: 7, Size: 256
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 00000DC0, Refs: 9, Size: 76
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 1
      Perms: 000F003F, SID: S-1-5-18
Off: 0000C1D8, Refs: 1, Size: 256
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000C0A0, Refs: 8, Size: 284
  Owner SID: S-1-5-21-129735678-430395340-1080627117-2002
  Group SID: S-1-5-21-129735678-430395340-1080627117-2003
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 000F003F, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-12
Off: 0000BCF8, Refs: 1, Size: 216
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 6
      Perms: 00020019, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 80000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-32-544
Off: 0000BE10, Refs: 1, Size: 216
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 6
      Perms: 00020019, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 80000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 10000000, SID: S-1-5-32-544
Off: 0000B6B8, Refs: 11, Size: 256
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 00020019, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 80000000, SID: S-1-5-12
Off: 00000218, Refs: 2, Size: 256
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 8
      Perms: 00020019, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 000F003F, SID: S-1-5-18
      Perms: 000F003F, SID: S-1-5-32-544
      Perms: 00020019, SID: S-1-5-12
      Perms: 80000000, SID: S-1-5-21-129735678-430395340-1080627117-2002
      Perms: 10000000, SID: S-1-5-18
      Perms: 10000000, SID: S-1-5-32-544
      Perms: 80000000, SID: S-1-5-12
Off: 00005020, Refs: 1, Size: 96
  Owner SID: S-1-5-32-544
  Group SID: S-1-5-18
  SACL: NONE
  DACL:     ACEs: 2
      Perms: 000F003F, SID: S-1-5-18
      Perms: 00020019, SID: S-1-1-0
     

Editing registry files under UNIX
Following on from the profiles utility, I worked on a tool to allow people to edit Windows registry files from UNIX. Here is an example of listing the contents of NTUSER.DAT from a Windows user's profile:
# ./bin/editreg -p /root/profile/NTUSER.DAT  | more
  Migrated Schemes = REG_SZ : 1
[$$$PROTO.HIV\AppEvents\EventLabels\.Default]
   = REG_SZ : Default Beep
  DispFileName = REG_SZ : @mmsys.cpl,-5824
[$$$PROTO.HIV\AppEvents\EventLabels\ActivatingDocument]
   = REG_SZ : Complete Navigation
[$$$PROTO.HIV\AppEvents\EventLabels\AppGPFault]
   = REG_SZ : Program error
  DispFileName = REG_SZ : @mmsys.cpl,-5825
[$$$PROTO.HIV\AppEvents\EventLabels\CCSelect]
   = REG_SZ : Select
[$$$PROTO.HIV\AppEvents\EventLabels\Close]
   = REG_SZ : Close program
  DispFileName = REG_SZ : @mmsys.cpl,-5826
[$$$PROTO.HIV\AppEvents\EventLabels\CriticalBatteryAlarm]
   = REG_SZ : Critical Battery Alarm
  DispFileName = REG_SZ : @mmsys.cpl,-5827
[$$$PROTO.HIV\AppEvents\EventLabels\DeviceConnect]
   = REG_SZ : Device Connect
  DispFileName = REG_SZ : @mmsys.cpl,-5828
[$$$PROTO.HIV\AppEvents\EventLabels\DeviceDisconnect]
   = REG_SZ : Device Disconnect
    

As you can see, all the keys in NTUSER.DAT start with $$$PROTO.HIV.

This tool is also expected to be able to add and delete keys, add and delete values, and change ACLs on keys.

There is also a graphical tool being developed using the code I have written, as well as a library. You can find out more about the graphical tool at kregedit.

For corrections/additions/suggestions for this page, please send email to: rsharpe[AT]richardsharpe[dot]com
Last modified: Tue, June 24 2003.