The branch, master has been updated via 1e52bb9 krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5 via 6308671 auth/credentials: Add missing error code check for MIT Kerberos via fd98174 auth/gensec: Fix typo in log message via 99d8788 auth/gensec: Remove unneeded cli_credentials_set_conf() call via 5aa00d9 WHATSNEW: Add text for AD DC changes from 77b51ba ldb_tdb: avoid erroneous error messages
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1e52bb9c34a77c8c79f0bfc81317aded183ada59 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Dec 23 07:22:27 2016 +0100 krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5 krb5_cc_copy_creds() expects an already initialized output cache. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Sat Dec 24 21:04:23 CET 2016 on sn-devel-144 commit 630867196b9e9d1096443f979b32957c5a0d2be2 Author: Andreas Schneider <a...@samba.org> Date: Thu Dec 22 17:01:35 2016 +0100 auth/credentials: Add missing error code check for MIT Kerberos Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit fd98174443543ee3a150a10b056b45c4663bd7f7 Author: Andreas Schneider <a...@samba.org> Date: Tue Dec 13 11:33:06 2016 +0100 auth/gensec: Fix typo in log message Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 99d87880282dad4f9a5a6d9f1018329bb00e5112 Author: David Mulder <dmul...@suse.com> Date: Wed Dec 21 21:49:36 2016 +0100 auth/gensec: Remove unneeded cli_credentials_set_conf() call The cli_credentials_set_client_gss_creds() will set the correct realm from the gss creds. Pair-Programmed-With: Andreas Schneider <a...@samba.org> Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: David Mulder <dmul...@suse.com> Signed-off-by: Andreas Schneider <a...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 5aa00d92ad31a241376263029318182165ee6707 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Dec 23 13:55:30 2016 +1300 WHATSNEW: Add text for AD DC changes Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 44 +++++++++++++++++++++++++++++++++++++ auth/credentials/credentials_krb5.c | 6 ++++- lib/krb5_wrap/krb5_samba.c | 12 ++++++++++ source4/auth/gensec/gensec_gssapi.c | 16 ++++++++------ 4 files changed, 70 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f542a5b..b512796 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -81,6 +81,48 @@ A new option, "unix only", enables this feature only for the UNIX owner of the file, not affecting the SID owner in the Windows NT ACL of the file. This can be used to emulate something very similar to folder quotas. +Multi-process Netlogon support +------------------------------ + +The Netlogon server in the Samba AD DC can now run as multiple +processes. The Netlogon server is a part of the AD DC that handles +NTLM authentication on behalf of domain members, including file +servers, NTLM-authenticated web servers and 802.1x gateways. The +previous restriction to running as a single process has been removed, +and it will now run in the same process model as the rest of the +'samba' binary. + +As part of this change, the NETLOGON service will now run on a distinct +TCP port, rather than being shared with all other RPC services (LSA, +SAMR, DRSUAPI etc). + +new options for controlling TCP ports used for RPC services +----------------------------------------------------------- + +The new 'rpc server port' option controls the default port used for +RPC services other than Netlogon. The Netlogon server honours instead +the 'rpc server port:netlogon' option. The default value for both +these options is the first available port including or after 1024. + +Improve AD performance and replication improvements +--------------------------------------------------- + +Samba's LDB and replication code continues to improve, particularly in +respect to the handling of large numbers of linked attributes. We now +respect an 'uptodateness vector' which will dramatically reduce the +over-replication of links from new DCs. We have also made the parsing +of on-disk linked attributes much more efficient. + +DNS improvements +--------------------------- + +The samba-tool dns subcommand is now much more robust and can delete +records in a number of situations where it was not possible to do so +in the past. + +On the server side, DNS names are now more strictly validated. + + CTDB changes ------------ @@ -145,6 +187,8 @@ smb.conf changes kerberos encryption types New all inherit owner New option fruit:resource Spelling correction + lsa over netlogon New (deprecated) no + rpc server port New 0 KNOWN ISSUES diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index ca62e30..e974df9 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -581,7 +581,11 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, &gcc->creds); - if ((maj_stat == GSS_S_FAILURE) && (min_stat == (OM_uint32)KRB5_CC_END || min_stat == (OM_uint32) KRB5_CC_NOTFOUND)) { + if ((maj_stat == GSS_S_FAILURE) && + (min_stat == (OM_uint32)KRB5_CC_END || + min_stat == (OM_uint32)KRB5_CC_NOTFOUND || + min_stat == (OM_uint32)KRB5_FCC_NOFILE)) + { /* This CCACHE is no good. Ensure we don't use it again */ cli_credentials_unconditionally_invalidate_ccache(cred); diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index a8eafcd..307be93 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -2899,6 +2899,18 @@ krb5_error_code smb_krb5_cc_copy_creds(krb5_context context, #ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */ return krb5_cc_copy_cache(context, incc, outcc); #elif defined(HAVE_KRB5_CC_COPY_CREDS) + krb5_error_code ret; + krb5_principal princ = NULL; + + ret = krb5_cc_get_principal(context, incc, &princ); + if (ret != 0) { + return ret; + } + ret = krb5_cc_initialize(context, outcc, princ); + krb5_free_principal(context, princ); + if (ret != 0) { + return ret; + } return krb5_cc_copy_creds(context, incc, outcc); #else #error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index a37a0a9..a6c4019 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -221,7 +221,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->settings->lp_ctx, &gcc); if (ret) { - DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", + DEBUG(1, ("Acquiring acceptor credentials failed: %s\n", error_message(ret))); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -1311,16 +1311,18 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi const char *error_string; DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n")); - session_info->credentials = cli_credentials_init(session_info); - if (!session_info->credentials) { + + /* + * Create anonymous credentials for now. + * + * We will update them with the provided client gss creds. + */ + session_info->credentials = cli_credentials_init_anon(session_info); + if (session_info->credentials == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx); - /* Just so we don't segfault trying to get at a username */ - cli_credentials_set_anonymous(session_info->credentials); - ret = cli_credentials_set_client_gss_creds(session_info->credentials, gensec_security->settings->lp_ctx, gensec_gssapi_state->delegated_cred_handle, -- Samba Shared Repository