[Samba] Problem with Windows Vista IE7-8
This happens when I try to download files to XLS or XLSX corresponding to MS Office 2003 Excel from Internet Explorer 7 or 8: I am denied access to the download and it tells me I have no permissions.

Best Regards
Claudio

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem with Windows Vista IE7-8
> This happens when I try to download files to XLS or XLSX corresponding to MS Office 2003 Excel from Internet Explorer 7 or 8: I am denied access to the download and it tells me I have no permissions.

Please better describe what you are doing. You have no permission to save the .xls file? You have no permission to open it? You have no permission to write to it? Who owns the folder? ls -al on your *nix filesystem can help.

John
[Samba] net rpc join failed ?
Hi,

I am using samba-3.4.5. I am trying to join a domain controller, with security=domain in smb.conf, but it fails with the following debug messages:

    rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED) !
    rpc command function failed ! (NT_STATUS_ACCESS_DENIED)
    ..
    get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'
    net_rpc_join_ok: failed to get schannel session key for server MYSERVER for domain MYDOMAIN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    unable to join domain MYDOMAIN
    return code = -1.

Can you please help: where is the problem?

Thanks
Annada
[Samba] Howto determine flags like readonly and readwrite.
Hello,

I'm writing a fuse module (fuse-workspace-union) which makes local (USB) and remote (FTP, SMB, and SSH and maybe IPX (netware)) resources available in a map in the homedirectory of the user. Look for more information on my website:

http://linux.bononline.nl/linux/create_workspace/index.php
http://linux.bononline.nl/linux/mount.md5key/index.php
http://linux.bononline.nl/linux/fuse-workspace/index.php

The fuse module creates a bridge between the actual mountpoints (which are managed by autofs, this does the actual mounting) and the special connections map in the user's homedirectory.

I've also made an entry at KDE Brainstorm:

http://forum.kde.org/brainstorm.php#idea84975

and added a question about it at the developers site:

http://forum.kde.org/viewtopic.php?f=18t=85148

You may ask: it's all about tools for the workstation, and we are here at the samba maillist, which is for servers. You're right about that, but let me explain.

First, it's maybe interesting for anyone to see that you can access samba shares this way, and I think it's very user-friendly. (If it's technically optimal I do not know yet..)

Second, I've been working on a tool which shows information about resources used, apps using them and files and locks, just like smbstatus, and I've a question about it. It works like:

    root [ ~/bin ]# ./mount.md5.status
    Service User Security
    smb://LFS20060812/sbon/ sbon private
    /home/sbon/Workspace/Network/Windows\ Network/BONONLINE/LFS20060812/sbon
    /test.odt /opt/openoffice-3.1.1/program/soffice.bin-writer - 3492

I'm working on the format, maybe multiple sections like smbstatus would be nicer.

Smbstatus on the target machine gives:

    smbstatus
    Samba version 3.4.4
    PID Username Group Machine
    ---
    7330 sbon netgroup 192.168.0.11 (192.168.0.11)

    Service pid machine Connected at
    ---
    sbon 7330 192.168.0.11 Tue Jan 26 21:24:17 2010

    Locked files:
    Pid Uid DenyMode Access R/W Oplock SharePath Name Time
    --
    7330 4000 DENY_NONE 0x83 RDWR NONE /home/sbon test.odt Tue Jan 26 21:24:23 2010

My question is now, how can I determine the flags in human readable form, just like smbstatus. The pid of the application (here openoffice writer) is known, as well as the file/path to it. I know where to look for info, /proc/pidnr/fdinfo/flags, but this gives a (hex?) number. Is this the lock I'm looking for, and how can I translate it into terms like readonly, readwrite and exclusive?

Stef Bon
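Added example, not part of the original post: the "flags:" line in /proc/<pid>/fdinfo/<fd> is the octal open(2) flag word, so the access mode that smbstatus prints as RDWR comes from its low two bits, while locks are listed separately in /proc/locks. The sample fdinfo and /proc/locks text and the inode numbers below are constructed, and the flag table holds the x86/x86-64 values.

```python
# Added example: decode /proc/<pid>/fdinfo/<fd> flags and match /proc/locks
# entries to a process. Sample inputs are constructed, not captured output.
O_ACCMODE = 0o3
ACCESS = {0o0: "readonly", 0o1: "writeonly", 0o2: "readwrite"}
# x86 / x86-64 values; several other architectures number some of these
# bits differently, so check <fcntl.h> for the machine being inspected.
STATUS = {
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o40000: "O_DIRECT", 0o100000: "O_LARGEFILE", 0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW", 0o1000000: "O_NOATIME", 0o2000000: "O_CLOEXEC",
}

SAMPLE_FDINFO = "pos:\t0\nflags:\t0100002\n"          # constructed
SAMPLE_LOCKS = """\
1: POSIX  ADVISORY  WRITE 3492 08:03:1442 0 EOF
1: -> POSIX  ADVISORY  WRITE 4000 08:03:1442 0 EOF
2: FLOCK  ADVISORY  WRITE 2001 08:03:9981 0 EOF
3: POSIX  ADVISORY  READ  3492 08:03:1500 100 199
"""                                                   # constructed


def decode_open_flags(flags):
    """Split the flag word into an access mode and a list of status flags."""
    access = ACCESS.get(flags & O_ACCMODE, "invalid")
    status = [name for bit, name in STATUS.items() if flags & bit]
    return access, status


def parse_fdinfo(text):
    """Parse the text of one fdinfo file; the flags field is octal."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    flags = int(fields["flags"].strip(), 8)
    access, status = decode_open_flags(flags)
    return {"pos": int(fields["pos"].strip()), "flags": flags,
            "access": access, "status": status}


def locks_for_pid(locks_text, pid):
    """Return the locks held by pid according to /proc/locks text."""
    held = []
    for line in locks_text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[1] == "->":
            continue  # malformed line, or a waiter blocked on another lock
        _, lock_class, kind, mode, owner, dev_inode, start, end = parts[:8]
        if int(owner) != pid:
            continue
        held.append({"class": lock_class, "kind": kind, "mode": mode,
                     "inode": int(dev_inode.split(":")[2]),
                     "start": int(start), "end": end})
    return held


def summarize(fdinfo_text, locks_text, pid, inode):
    """One line per open file: access mode plus any locks on that inode."""
    info = parse_fdinfo(fdinfo_text)
    locks = [l for l in locks_for_pid(locks_text, pid) if l["inode"] == inode]
    if not locks:
        return info["access"] + "; no lock"
    described = ["%s %s %s %s-%s" % (l["class"], l["kind"], l["mode"],
                                     l["start"], l["end"]) for l in locks]
    return "; ".join([info["access"]] + described)


if __name__ == "__main__":
    print(summarize(SAMPLE_FDINFO, SAMPLE_LOCKS, 3492, 1442))
```

On a live system the inode to pass in comes from os.stat() on the file's path, and the two texts are read from /proc/<pid>/fdinfo/<fd> and /proc/locks.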
Re: [Samba] You do not have permission to change password issue with XP clients
On Wed, 3 Feb 2010, Gaiseric Vandal wrote:

GV On 02/02/10 18:07, Brett Charbeneau wrote:
GV Greetings all
GV
GV I'm running Samba 3.0 on an Ubuntu box as a PDC and I'm having trouble
GV changing passwords with XP clients - here's my smb.conf
GV http://pastebin.com/m1bb6d4a6
GV
GV I've played with a variety of passwd chat settings but no joy. I am
GV trying to use pam_cracklib.so - here's my /etc/pam.d/common-password file:
GV http://pastebin.com/m1a1d5f89
GV
GV I've tried the suggestions in this thread, but no luck:
GV http://www.mail-archive.com/samba@lists.samba.org/msg104476.html
GV
GV Any hints? I'd be very grateful for any suggestions anyone has the time to
GV offer!
GV
GV
GV
GV Are you using an LDAP backend?
GV
GV I am not sure the samba password chat scripts can pass the old
GV password back to unix. My experience with ldap (Sun LDAP server not
GV OpenLDAP) is that password change either requires the user's old
GV password or the LDAP admin pw. The local root account does not have
GV privileges to change ldap passwords. (Local or NIS passwords weren't a
GV problem.)

I appreciate the response! No, I'm using tdbsam as the back end...

--
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) br...@wrl.org
Re: [Samba] can't locate samba server in windows network/ can't add domain
On 02/05/10 09:36, Thijs Hakkenberg wrote:
> On 4-2-2010 19:19, Gaiseric Vandal wrote:
>> On 02/04/10 12:07, Thijs Hakkenberg wrote:
>>> List,
>>>
>>> I've installed a samba server as PDC next to another samba server. The DHCP/DNS is handled by a router (vigor 2110). For the first domain (DOMAIN1) I can join computers or leave the domain. However - I can't join the other domain - because no DNS entry exists. The strange thing is they both broadcast their NETBIOS name (it's present in the ARP table of the router) but on a windows host I can see the first server but not the second one.
>>>
>>> How can I get the second server to also broadcast its netbios name to the windows hosts? Or can I bypass the whole thing by modifying the HOSTS file on the win XP hosts?
>>>
>>> Cheers,
>>> Thijs
>>
>> Presumably you do have DNS entries in the DNS server for both machines.
>>
>> Are you using WINS? Are both PDC's WINS servers? You should only have one WINS server on the network. And make sure only one is configured as the preferred master in smb.conf. I find using WINS makes a lot of network browsing issues go away.
>>
>> Can you use net use \\thenewserver command to find the machine?
>
> Well, the problem is that I can't edit the DNS server because the router takes care of the DNS. The problem is that they both are a PDC, because I am migrating to a new domain. And I think they are both the WINS server - but I can't set up the WINS allocation in the DHCP server. But maybe I can try setting the WINS server manually on the XP host?

I don't think it really is a DNS issue since Windows clients in an NT4-type/Samba domain don't use DNS to locate a domain controller. But I can't think of any good reason that you should not have your DNS server configured with records for your key servers. The DNS functionality on smaller routers is usually geared to proxying (actually NAT) DNS requests to the ISP's DNS servers. It may not be appropriate for maintaining internal DNS records.

If you were to update local files on the XP machines it is probably the lmhosts file, not the hosts file, you want to update (I would only do this as a last resort - it defeats the purpose of DNS/WINS/DHCP and you are likely to lose track of changes.)

How big is the network? If it is pretty small you should have been able to get by without configuring WINS servers at all. You can manually set the WINS server parameter on the client. Just make sure that this machine and the new PDC are both using the 1st PDC as the WINS server.

Also, when you try to join a machine to DOMAIN2, did you try changing the machine to workgroup DOMAIN2, rebooting, verifying that you can find the new server in network neighborhood, and then try joining the domain?

If the net use \\thenewserver_name command doesn't work, does net use \\thenewserver_ip_address work? The net command will probably try to look up the host name via DNS 1st. If I have a work laptop at home it will be in a different workgroup than my home PC and this is sometimes the only way to make the machines see each other quickly.
[Samba] Windows 7 samba domain trust relationship
I have upgraded both my PDC and BDC to samba-3.4.5 and restarted samba. Then I applied the registry changes to windows 7 as listed in the wiki. Anyways I joined the domain without problems but when I go to login I get a trust relationship error. In my eventlog I see the following:

    The session setup to the Windows NT or Windows 2000 Domain Controller \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not support signing or sealing the Netlogon session. Either upgrade the Domain controller or set the RequireSignOrSeal registry entry on this machine to 0.

\\VS_LDAP1 is the BDC if that matters. I am using a ldap domain with ssl off.

I tried against the wiki advice to set the RequireSignOrSeal to 0 but that gave me a different error:

    This computer could not authenticate with \\VS_LDAP1, a Windows domain controller for domain RADIMG, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

Any ideas where to start?

--
John M. Drescher
Re: [Samba] Windows 7 samba domain trust relationship
On Fri, Feb 5, 2010 at 11:56 AM, John Drescher dresche...@gmail.com wrote:
> I have upgraded both my PDC and BDC to samba-3.4.5 and restarted samba. Then I applied the registry changes to windows 7 as listed in the wiki. Anyways I joined the domain without problems but when I go to login I get a trust relationship error. In my eventlog I see the following:
>
>     The session setup to the Windows NT or Windows 2000 Domain Controller \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not support signing or sealing the Netlogon session. Either upgrade the Domain controller or set the RequireSignOrSeal registry entry on this machine to 0.
>
> \\VS_LDAP1 is the BDC if that matters. I am using a ldap domain with ssl off.
>
> I tried against the wiki advice to set the RequireSignOrSeal to 0 but that gave me a different error:
>
>     This computer could not authenticate with \\VS_LDAP1, a Windows domain controller for domain RADIMG, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
>
> Any ideas where to start?

Cancel that. User error. I forgot to restart samba on the BDC so it was still running the old version..

--
John M. Drescher
Re: [Samba] windows 7 machine account fails to authenticate against samba PDC
a slight change in the log entries now, as below. I don't know why (I don't think I've changed anything), but there is an extra log entry showing the host is in the passdb, but getpwnam() is failing. However, the machine name is definitely in /etc/passwd.

Can anyone cast any light on this apparent inconsistency, or what I might do to diagnose the problem further?

    [2010/02/05 17:19:16, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
    *[2010/02/05 17:19:23, 1] auth/auth_util.c:577(make_server_info_sam)
      User WIN7HOST$ in passdb, but getpwnam() fails!*
    [2010/02/05 17:19:23, 0] auth/auth_sam.c:355(check_sam_security)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

graham wrote on 03/02/2010 17:09:
> Hello all,
>
> I've added my windows7 client to the domain (samba running as pdc), having applied the registry changes identified here (http://wiki.samba.org/index.php/Windows7).
>
> Partial success - domain users can login and see shares etc, BUT:
>
> 1 - the registry settings in ntlogon/NTConfig.POL are not applied. Am I right in thinking that windows 7 ignores this policy? And if so I therefore need to put the appropriate registry settings into a logon script?
>
> 2 - every time a domain user logs in to the windows7 host smbd reports an error:
>
>     [2010/02/02 19:07:51, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
>     [2010/02/02 19:07:52, 0] auth/auth_sam.c:355(check_sam_security)
>       check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
> This only occurs for the windows7 client (not XP clients). What does this mean, is it a problem, and how do I fix it?!
>
> 3 - periodic errors reported by nmbd:
>
>     Packet send failed to 192.168.10.8(138) ERRNO=Operation not permitted
>
> That's the ipaddress of the windows7 client. Actually, looking back in the logs I see this has occasionally happened for all but one of the xp clients too. Again, what does this error mean, is it a problem, how would I fix it?
>
> 4 - windows7 client bombards the server on port 389 (ldap). No idea why, no other (xp) clients do this. I'm guessing it /might/ be part of question 2 above, ie. maybe the win7 client is trying to authenticate against ldap??
>
> rgds all,
> graham.
[Samba] Domain account policies
Hi.

I'm using samba 3.4.3. If I set my domain account policies with pdbedit (for example: min password length 8, password history 4 and maximum password age 90 days), is it possible to change these default policies for some users?

Thanks,

Marcelo H. Terres
mhter...@gmail.com
ICQ: 6649932
MSN: mhter...@hotmail.com
Jabber: mhter...@jabber.org
http://twitter.com/mhterres
http://identi.ca/mhterres
http://mundoopensource.blogspot.com/
http://www.propus.com.br
Sent from Porto Alegre, RS, Brazil
[Samba] Claimed Zero Day exploit in Samba.
Claimed Zero Day exploit in Samba.

A user named kcopedarookie posted what they claim to be a video of a zero-day exploit in Samba on youtube yesterday here:

http://www.youtube.com/watch?v=NN50RtZ2N74aia=true

The video shows modifications to smbclient allowing /etc/passwd to be downloaded from a remote server.

The issue is actually a default insecure configuration in Samba.

Quick FAQ: What do I do !
-------------------------

Set:

    wide links = no

in the [global] section of your smb.conf and restart smbd to eliminate this problem.

Longer FAQ: The real issue
--------------------------

The problem comes from a combination of two features in Samba, each of which on their own are useful to Administrators, but in combination allow users to access any file on the system that their logged in username has permissions to read (this is not a privilege escalation problem).

By default Samba ships with the parameter wide links = yes, which allows Administrators to locally (on the server) add a symbolic link inside an exported share which SMB/CIFS clients will follow.

As an example, given a share definition:

    [tmp]
    path = /tmp
    read only = no
    guest ok = yes

The administrator could add a symlink:

    $ ln -s /etc/passwd /tmp/passwd

and SMB/CIFS clients would then see a file called passwd within the [tmp] share that could be read and would allow clients to read /etc/passwd.

If the wide links parameter is set to no, any attempt to read this file will fail with an access denied error.

The problem occurs as Samba allows clients using the UNIX extensions (which are also turned on by default) to create symlinks on remotely mounted shares on which they have write access that point to any path on the file system.

This is by design, as applications running on UNIX clients may have good reasons to create symlinks anywhere on the filesystem they have write access that point to local files (such as /etc/passwd).

UNIX clients will resolve these links locally, but Windows clients will resolve them on the server. It is this combination that causes the problem.

All future versions of Samba will have the parameter wide links set to no by default, and the manual pages will be updated to explain this issue.
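One way to check a server for the combination described in the advisory above (an added example, not part of the original message or of Samba): it parses smb.conf text and reports every share where wide links and UNIX extensions are both in effect and clients can write. The sample configuration, the function names and the share names other than [tmp] are constructed; the defaults for wide links and unix extensions are the ones the advisory states.

```python
# Added example: audit smb.conf text for the combination the advisory describes.
# Defaults are the ones stated in the advisory (wide links and UNIX extensions
# both on), plus Samba's "read only = yes" and "guest ok = no".
DEFAULTS = {"widelinks": "yes", "unixextensions": "yes",
            "readonly": "yes", "guestok": "no", "writelist": ""}
# smb.conf synonyms: name -> (canonical name, True if the meaning is inverted)
SYNONYMS = {"writeable": ("readonly", True), "writable": ("readonly", True),
            "writeok": ("readonly", True), "public": ("guestok", False)}
TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   ; wide links and unix extensions are left at their defaults
[tmp]
   path = /tmp
   read only = no
   guest ok = yes
[docs]
   path = /srv/docs
   read only = yes
[scratch]
   path = /srv/scratch
   Writeable = Yes
   Wide Links = no
[staff]
   path = /srv/staff
   write list = @staff
"""  # constructed sample; [tmp] is the share from the advisory
FIXED_CONF = SAMPLE_CONF.replace("workgroup = EXAMPLE",
                                 "workgroup = EXAMPLE\n   wide links = no")


def as_bool(value):
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("not an smb.conf boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {param: value}}; names ignore case and spaces."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key, value = "".join(name.lower().split()), value.strip()
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted:
                value = "no" if as_bool(value) else "yes"
        current[key] = value
    return sections


def effective(key, share, global_params):
    """Share setting, else the [global] value, else the default."""
    return share.get(key, global_params.get(key, DEFAULTS[key]))


def audit(text):
    """List shares where clients can create symlinks the server will follow."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # unix extensions is a global-only parameter
    unix_ext = as_bool(glob.get("unixextensions", DEFAULTS["unixextensions"]))
    findings = []
    for name, share in conf.items():
        if name == "global":
            continue
        wide = as_bool(effective("widelinks", share, glob))
        writable = (not as_bool(effective("readonly", share, glob))
                    or bool(effective("writelist", share, glob).strip()))
        if wide and unix_ext and writable:
            findings.append({"share": name,
                             "guest_ok": as_bool(effective("guestok", share, glob))})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("exposed share:", finding)
```

A share with read only = yes is still reported when it has a write list, because the users named there can write; against a real server, feed the function the contents of the active smb.conf.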
Re: [Samba] smbpasswd issue in a migration.
Hi,

thank you for the answer. On the new server (8.04) it tells:

    r...@server:~# which -a smbpasswd
    /usr/bin/smbpasswd
    r...@server:~# ls -l /usr/bin/smbpasswd
    -rwxr-xr-x 1 root root 1307112 2007-02-05 22:14 /usr/bin/smbpasswd

On the ubuntu 5.10 (original server):

    r...@sever:~# which -a smbpasswd
    /usr/bin/smbpasswd
    /usr/bin/X11/smbpasswd
    r...@sever:~# ls -l /usr/bin/smbpasswd
    -rwxr-xr-x 1 root root 1307112 2007-02-05 22:15 /usr/bin/smbpasswd

Thanks,
g.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Helmut Hullen
Sent: Friday, 05 February 2010 04:10 a.m.
To: samba@lists.samba.org
Subject: Re: [Samba] smbpasswd issue in a migration.

Hello, Gabriel,

You wrote on 04.02.10:

> My problem is when I try to change a user's password. To change a password from the original server I use the command smbpasswd "user" and it works; but when I try to do the same in the new server I get this error: bash: /usr/bin/smbpasswd no such file or directory exist.

What tells

    which -a smbpasswd
    ls -l /usr/bin/smbpasswd

> I try to change the password with passwd but then it doesn't allow me to log on a windows terminal with the new password.

That's simple: passwd changes (only) the Linux password, and smbpasswd only changes the Samba password.

Best regards!
Helmut
[Samba] using RPCS printer driver for a PP printer
Hi,

I'm wondering if anyone has had experience with using RPCS printer drivers in a PP printer share.

Installing the driver onto samba went without a problem (followed the Samba howto chapter 21: Add Printer Wizard Driver Installation) but after that, every time I try to access the printer properties it takes sometimes minutes to open or just doesn't come up at all (same behavior when I open the properties locally on the installed printer or directly on the server as a printer admin). So I either can't set up any default printer properties or it takes so long that it's not worth the waiting time (if the properties window shows up, every action I do in there will also have such a long delay).

I can't find any error/denied or similar messages (or simply something that would stand out of the usual) in the log files (loglevel 3).

I can install the drivers on the WS by hand and use samba just for the printer queue fine (per-machine printer). But since I will have to install more printers I wanted to use the pointprint method since it saves a lot of hassle.

The printer is a NRG DSc424 and I'm using Windows XP. The same thing works fine with the official PCL6 drivers and I might have to settle for that in the end but the RPCS drivers give a better quality.

It's not a permission problem either, using either root or a user with the SePrintOperatorPrivilege right (also it would probably show up in the log files otherwise).

If anyone knows what the cause for those delays might be (even if it's just that RPCS is simply slow in combination with samba) I'd be really happy to know. :)

Thanks
Richard
[Samba] winbind: only domains option/patch
Hi.

In January 2009 a patch was sent to this list that introduced the winbind: only domains option to smb.conf (http://lists.samba.org/archive/samba-technical/2009-January/062706.html).

This provides the inverse of winbind: ignore domains and the creator of the patch explained that this was more useful (to him) than having to explicitly exclude domains.

Can anyone confirm if this patch was accepted, and if so, what version of Samba supports winbind: only domains?

If the patch has not been accepted, is there a particular reason why not?

Thanks
JR
[Samba] IPv6 name resolution problem
Hi,

I'm trying to set up a small network over IPv6. It will have IPv4 too but the dhcp server may not work and Ubuntu (9.04) automatically configures .local domain IPv6 addresses, so I must run the samba server and clients over IPv6.

Only one machine will act as a server, but samba is up and running in all of them.

The problem is that smbclient can't resolve the server's name. My probes from the client follow:

    ping6 -Ieth0 ipv6_server_address    works fine
    smbclient -L ::1                    works fine
    smbclient -L ipv6_client_address    works fine
    smbclient -L client_name.local      fails with NT_STATUS_BAD_NETWORK_NAME
    smbclient -L ipv6_server_address    fails with NT_STATUS_INVALID_HANDLE
    smbclient -L server_name.local      fails with NT_STATUS_BAD_NETWORK_NAME

As I mentioned, both client and server IPv6 addresses are in local scope: fe80:0:0:0:x:x:x:x/64

I'm also using avahi-daemon with IPv6 enabled and my nsswitch.conf hosts line is:

    hosts: files mdns_minimal [NOTFOUND=return] mdns dns

An strace reveals this: RESOLVE-HOSTNAME-IPV4, but not IPV6 apparently.

Any ideas?

Best regards,
Ernesto.
Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
On 2/5/10 6:23 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
> I also have problems using this gcc bundled with the Sun freeware tools (/usr/sfw/bin/gcc.) I had more luck with using gcc from sunfreeware.com. In hindsight I think it may have just been a matter of setting CPPFLAGS and LDFLAGS correctly. You may also find that the samba build on sunfreeware meets your needs. (zfs support seems lacking - which shouldn't matter for solaris 9, and you may still need to compile the nss_winbind modules.)
>
> I also installed OpenLDAP from Sunfreeware.com. The Solaris native ldap client does not seem to have full functionality for Active Directory support (may not be an issue for you.) I think Sun compiles Samba using a Mozilla LDAP SDK.
>
> This is how I ended up compiling Samba using Sunfreeware GCC.
>
>     #PATH=/usr/sfw/bin:/usr/ccs/bin:$PATH
>     #PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
>     #LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
>     #LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH
>     #export LD_LIBRARY_PATH
>     #export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include"
>     #export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
>     #./configure --prefix=/usr/local/samba-3.4.5 --with-shared-modules=vfs_zfsacl --with-privatedir=/etc/samba/private --with-lockdir=/var/samba/locks --with-configdir=/etc/samba --enable-nss-wrapper
>     #make
>     #make install
>
> I think I may need to have manually copied nss_winbind.so.1 file to /usr/local/samba-3.4.5/lib
>
> On 02/04/10 17:51, Jeff Block wrote:
>> I'm having problems compiling a newer version of samba (3.3.x or 3.4.x) on solaris 9. We are currently running 3.0.23d and have been putting off upgrading for far too long. I've tried gcc and sun studio 12 cc with the same issues when it comes to compiling dbwrap.c. I can't seem to find anything on google that's related to my issue.
>>
>> Here's my configure line when using gcc:
>>
>>     ./configure --prefix=/netopt --with-automount \
>>       --with-configdir=/usr/local/samba --localstatedir=/var/log/samba \
>>       --infodir=/netopt/share/info --mandir=/netopt/share/man \
>>       --with-privatedir=/usr/local/samba/private --with-krb5=/netopt \
>>       --with-libiconv=/netopt --with-utmp --with-winbind CC=gcc \
>>       CFLAGS='-I/netopt/include' LD=gcc LDFLAGS='-L/netopt/lib -R/netopt/lib' \
>>       --with-syslog-facility=local7
>>
>> When it finally gets to compiling dbwrap.c, here's what I see:
>>
>>     Compiling lib/dbwrap.c
>>     lib/dbwrap.c:58:46: macro fetch passed 4 arguments, but takes just 1
>>     lib/dbwrap.c: In function `dbwrap_fallback_parse_record':
>>     lib/dbwrap.c:58: warning: assignment makes integer from pointer without a cast
>>     lib/dbwrap.c:186:38: macro store passed 3 arguments, but takes just 2
>>     lib/dbwrap.c: In function `dbwrap_store':
>>     lib/dbwrap.c:186: error: incompatible types in assignment
>>     lib/dbwrap.c:196:41: macro fetch passed 4 arguments, but takes just 1
>>     lib/dbwrap.c: In function `dbwrap_fetch':
>>     lib/dbwrap.c:196: warning: comparison between pointer and integer
>>     The following command failed:
>>     gcc -I../lib/zlib -I/netopt/include -I/netopt/include -I. -I/opt/src/freeware/samba-3.4.5/source3 -I/opt/src/freeware/samba-3.4.5/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H -I/netopt/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -I/netopt/include -DLDAP_DEPRECATED -DSUNOS5 -I/opt/src/freeware/samba-3.4.5/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/dbwrap.c -o lib/dbwrap.o
>>     make: *** [lib/dbwrap.o] Error 1

Thanks for the advice, but unfortunately I'm still having problems. I am using a compiled version of gcc (3.4.3).

My LDFLAGS and CFLAGS are:

    CFLAGS='-I/netopt/include'
    LDFLAGS='-L/netopt/lib -R/netopt/lib'

This is generally what I use as /netopt is basically our /usr/local. I'm not sure why /usr/lib would need to be added here. Isn't that just implied?

I added --enable-nss-wrapper and made sure that ssl libs could be found (which you specifically added to your FLAGS) but I'm still getting a failure on dbwrap.c.

I'm wondering if there is some lib or something that needs to be updated on my end. But, I'm not sure how to determine what that is.

Thanks for any further help on this.

Jeff
Re: [Samba] winbind: only domains option/patch
On Fri, Feb 05, 2010 at 09:26:20AM -0800, Julian Regel wrote:
> In January 2009 a patch was sent to this list that introduced the winbind: only domains option to smb.conf (http://lists.samba.org/archive/samba-technical/2009-January/062706.html).
>
> This provides the inverse of winbind: ignore domains and the creator of the patch explained that this was more useful (to him) than having to explicitly exclude domains.
>
> Can anyone confirm if this patch was accepted, and if so, what version of Samba supports winbind: only domains?
>
> If the patch has not been accepted, is there a particular reason why not?

Nobody so far has asked loudly enough, that's probably the only real reason. It's in my inbox now again. I had to do a similar patch for an ancient Samba version for a customer recently, but did not get around to putting this upstream. So there seems to be real need for it :-)

Volker
[Samba] Issues with latest build 3.4.5
Same share that works fine with older version 3.0.27 as guest does not work with latest 3.4.5. For anyone (guest) while version 3.0.27 maps fine w/o any password, server with 3.4.5 errors out. Has something changed on newer releases that checks group membership before mapping, even as a guest?

    force group = agroup
    guest ok = Yes

Thanks.
Re: [Samba] IPv6 name resolution problem
On 2/5/2010 1:50 PM, Ernesto Silva wrote:
> Hi,
>
> I'm trying to set up a small network over IPv6. It will have IPv4 too but the dhcp server may not work and Ubuntu (9.04) automatically configures .local domain IPv6 addresses, so I must run the samba server and clients over IPv6.
>
> --snip--
>
>     ping6 -Ieth0 ipv6_server_address    works fine
>     smbclient -L ::1                    works fine
>     smbclient -L ipv6_client_address    works fine
>     smbclient -L client_name.local      fails with NT_STATUS_BAD_NETWORK_NAME
>     smbclient -L ipv6_server_address    fails with NT_STATUS_INVALID_HANDLE
>     smbclient -L server_name.local      fails with NT_STATUS_BAD_NETWORK_NAME
>
> As I mentioned, both client and server IPv6 addresses are in local scope: fe80:0:0:0:x:x:x:x/64
>
> I'm also using avahi-daemon with IPv6 enabled and my nsswitch.conf hosts line is:
>
>     hosts: files mdns_minimal [NOTFOUND=return] mdns dns
>
> An strace reveals this: RESOLVE-HOSTNAME-IPV4, but not IPV6 apparently.
>
> Any ideas?
>
> Best regards,
> Ernesto.

Check your /etc/hosts file. You may have an old IPv4 dotted address there.

James
Re: [Samba] samba Digest, Vol 86, Issue 6
Hi.

Reading the docs I found THIS:

    pdbedit -P "minimum password age" -C 5184000
    (limit for validity of the password set for 60 days)

    pdbedit -P "maximum password age" -C 7776000
    (maximum period for validity of the password set for 90 days)

After you set your policies, restart samba and confirm the policies/information made to the user:

    pdbedit -L -v samba_user

AND THIS:

    -P account-policy
        Display an account policy. Valid policies are: minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt.

I hope that helps you!

Regards,
Losnak, André.

---------- Forwarded message ----------
From: Marcelo Terres mhter...@gmail.com
To: samba@lists.samba.org
Date: Fri, 5 Feb 2010 16:02:24 -0200
Subject: [Samba] Domain account policies

> Hi.
>
> I'm using samba 3.4.3. If I set my domain account policies with pdbedit (for example: min password length 8, password history 4 and maximum password age 90 days), is it possible to change these default policies for some users?
>
> Thanks,
>
> Marcelo H. Terres
> mhter...@gmail.com
Re: windows 7 machine account fails to authenticate against samba PDC (graham) 4. Domain account policies (Marcelo Terres) 5. Claimed Zero Day exploit in Samba. (Jeremy Allison) 6. Re: smbpasswd issue in a migration. (=?us-ascii?Q?Gabriel_Burgos_Informatica?=) 7. using RPCS printer driver for a PP printer (Richard Gansterer) 8. winbind: only domains option/patch (Julian Regel) 9. IPv6 name resolution problem (Ernesto Silva) 10. Re: 3.3 and 3.4 compile failure on dbwrap (Jeff Block) -- Mensagem encaminhada -- From: John Drescher dresche...@gmail.com To: samba samba@lists.samba.org Date: Fri, 5 Feb 2010 11:56:47 -0500 Subject: [Samba] Windows 7 samba domain trust relatioshiop I have upgraded both my PDC and BDC to samba-3.4.5 and restarted samba. Then I applied the registry changes to windows 7 aslisted in the wiki. Anyways I joind the domain without problems but when I go to login I get a trust relationship error. In my eventlog I see the following: The session setup to the Windows NT or Windows 2000 Domain Controller \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not support signing or sealing the Netlogon session. Either upgrade the Domain controller or set the RequireSignOrSeal registry entry on this machine to 0. \\VS_LDAP1 is the BDC if that matters. I am using a ldap domain with ssl off. I tried against the wiki advice to set the RequireSignOrSeal to 0 but that gave me a different error: This computer could not authenticate with \\VS_LDAP1, a Windows domain controller for domain RADIMG, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator. Any ideas where to start. -- John M. 
Drescher -- Mensagem encaminhada -- From: John Drescher dresche...@gmail.com To: samba samba@lists.samba.org Date: Fri, 5 Feb 2010 12:24:48 -0500 Subject: Re: [Samba] Windows 7 samba domain trust relatioshiop On Fri, Feb 5, 2010 at 11:56 AM, John Drescher dresche...@gmail.com wrote: I have upgraded both my PDC and BDC to samba-3.4.5 and restarted samba. Then I applied the registry changes to windows 7 aslisted in the wiki. Anyways I joind the domain without problems but when I go to login I get a trust relationship error. In my eventlog I see the following: The session setup to the Windows NT or Windows 2000 Domain Controller \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not support signing or sealing the Netlogon session. Either upgrade the Domain controller or set the RequireSignOrSeal registry entry on this machine to 0. \\VS_LDAP1 is the BDC if
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via 4de319a... s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() from 4879e70... Add cross option to samba_cv_linux_getgrouplist_ok http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 4de319afb5dd520b0a72fadeabf70d2aafe262d5 Author: Stefan Metzmacher me...@samba.org Date: Thu Feb 4 14:03:20 2010 +0100 s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() When we need to do more than one network operation to get the browse list we need to use the same 'stype' value each time. metze Signed-off-by: Stefan Metzmacher me...@samba.org (cherry picked from commit c2e4746fa9d68e7601e8e90cc0144d2e65a695b6) Fix bug #7098 (smbclient -L gives wrong results with a large browse list). --- Summary of changes: source3/libsmb/clirap.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c index c3ec82b..3f77378 100644 --- a/source3/libsmb/clirap.c +++ b/source3/libsmb/clirap.c @@ -342,6 +342,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, const char *p1; char *s1, *s2; TALLOC_CTX *frame = talloc_stackframe(); + uint32_t entry_stype; if (p + 26 rdata_end) { TALLOC_FREE(frame); @@ -365,7 +366,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, len++; } - stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; + entry_stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; pull_string_talloc(frame,rdata,0, s1,sname,16,STR_ASCII); @@ -377,7 +378,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, continue; } - fn(s1, stype, s2, state); + fn(s1, entry_stype, s2, state); TALLOC_FREE(frame); } -- Samba Shared Repository
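Review bot: the local added in the first hunk is declared as uint32_t entry_stype while the function signature shown in the hunk header still takes uint32 stype; use one type name for both so it stays obvious that fn() in the last hunk receives the same type it did before the change. The value is assigned from IVAL(p,18) before the only use, so leaving it uninitialised at the declaration is fine.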
[SCM] Samba Shared Repository - branch v3-4-test updated
The branch, v3-4-test has been updated via 49ed8e5... s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() from 050f86f... Add cross option to samba_cv_linux_getgrouplist_ok http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test - Log - commit 49ed8e5ef079edf42bbe5325a46547ecfdff8a7d Author: Stefan Metzmacher me...@samba.org Date: Thu Feb 4 14:03:20 2010 +0100 s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() When we need to do more than one network operation to get the browse list we need to use the same 'stype' value each time. metze Signed-off-by: Stefan Metzmacher me...@samba.org (cherry picked from commit c2e4746fa9d68e7601e8e90cc0144d2e65a695b6) Fix bug #7098 (smbclient -L gives wrong results with a large browse list). --- Summary of changes: source3/libsmb/clirap.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c index 3f95e77..9705cac 100644 --- a/source3/libsmb/clirap.c +++ b/source3/libsmb/clirap.c @@ -341,6 +341,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, const char *p1; char *s1, *s2; TALLOC_CTX *frame = talloc_stackframe(); + uint32_t entry_stype; if (p + 26 rdata_end) { TALLOC_FREE(frame); @@ -364,7 +365,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, len++; } - stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; + entry_stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; pull_string_talloc(frame,rdata,0, s1,sname,16,STR_ASCII); @@ -376,7 +377,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, continue; } - fn(s1, stype, s2, state); + fn(s1, entry_stype, s2, state); TALLOC_FREE(frame); } -- Samba Shared Repository
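Review bot: the declaration added in the first hunk (uint32_t entry_stype;) needs a one-line comment saying that stype is the caller's request filter and has to keep its value across loop iterations and repeated network operations. Without that, a later cleanup can merge the two variables again and reintroduce bug #7098, since the assignment in the second hunk looks like a harmless reuse.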
[SCM] Samba Shared Repository - branch v3-3-test updated
The branch, v3-3-test has been updated via f6484f7... s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() from 0b36486... Fix bug #7072 - Accounts can't be unlocked from ldap. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit f6484f7febd853122d4b91e52ee896d70686d9d2 Author: Stefan Metzmacher me...@samba.org Date: Thu Feb 4 14:03:20 2010 +0100 s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum() When we need to do more than one network operation to get the browse list we need to use the same 'stype' value each time. metze (cherry picked from commit c2e4746fa9d68e7601e8e90cc0144d2e65a695b6) Signed-off-by: Stefan Metzmacher me...@samba.org Fix bug #7098 (smbclient -L gives wrong results with a large browse list). --- Summary of changes: source/libsmb/clirap.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source/libsmb/clirap.c b/source/libsmb/clirap.c index 61e2fb7..d248d0c 100644 --- a/source/libsmb/clirap.c +++ b/source/libsmb/clirap.c @@ -364,6 +364,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, const char *p1; char *s1, *s2; TALLOC_CTX *frame = talloc_stackframe(); + uint32_t entry_stype; if (p + 26 rdata_end) { TALLOC_FREE(frame); @@ -387,7 +388,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, len++; } - stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; + entry_stype = IVAL(p,18) ~SV_TYPE_LOCAL_LIST_ONLY; pull_string_talloc(frame,rdata,0, s1,sname,16,STR_ASCII); @@ -399,7 +400,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, continue; } - fn(s1, stype, s2, state); + fn(s1, entry_stype, s2, state); TALLOC_FREE(frame); } -- Samba Shared Repository
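Review bot: no regression test comes with the fix; the summary lists only source/libsmb/clirap.c. A test that enumerates a browse list large enough to need more than one network operation, and checks that the stype sent with each request is unchanged while fn() still sees the per-entry value from the second and third hunks, would pin the behaviour down on all three branches.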
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8823a54... s4/drs: propagate DRS_ extension flags in code base via f9d820e... s4/idl: Regenerate IDL for DRSUAPI interface via 5c7f55b... s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_RECYCLE_BIN ext. flag for DRSUAPI via 386f2c3... s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10 flag for DRSUAPI via d8a7718... s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5 flag for DRSUAPI via 6687c6e... s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY flag for DRSUAPI from d899032... Fix bug 7075 - bug in vfs_scannedonly rmdir implementation. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8823a549ca6102e9bf6710361eedc832d4317926 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 14:28:57 2010 +0200 s4/drs: propagate DRS_ extension flags in code base commit f9d820ed52274806202da0f44ddc7d2555131b38 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 14:27:46 2010 +0200 s4/idl: Regenerate IDL for DRSUAPI interface commit 5c7f55ba26504d48bdf08031bb5f80a1e6639362 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 13:48:01 2010 +0200 s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_RECYCLE_BIN ext. flag for DRSUAPI This flag corresponds to DRS_EXT_RECYCLE_BIN extended flag in [MS-DRSR] documentation. Reference: [MS-DRSR] - 5.37 Description: If present, signifies that the DC has enabled the Recycle Binoptional feature. commit 386f2c3d128878434813d5fdcc4923c56866c793 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 13:46:20 2010 +0200 s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10 flag for DRSUAPI This flag corresponds to DRS_EXT_GETCHGREQ_V10 flag in [MS-DRSR] documentation. Reference: [MS-DRSR] - 5.37 Description: If present, signifies that the DC supports DRS_MSG_GETCHGREQ_V10. 
commit d8a7718b9e73df1f0ddf1d78a6d07de395460101 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 13:44:49 2010 +0200 s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5 flag for DRSUAPI This flag corresponds to DRS_EXT_GETCHGREQ_V5 flag in [MS-DRSR] documentation. Reference: [MS-DRSR] - 5.37 Description: If present, signifies that the DC supports DRS_MSG_GETCHGREQ_V5. commit 6687c6e1826588e64ca2bbbc10251a17c6e6b179 Author: Kamen Mazdrashki kamen.mazdras...@postpath.com Date: Tue Feb 2 13:34:55 2010 +0200 s4/idl: add DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY flag for DRSUAPI This flag corresponds to DRS_EXT_ADDENTRY flag in [MS-DRSR] documentation. Reference: [MS-DRSR] - 5.37 Description: If present, signifies that the DC supports IDL_DRSAddEntry. --- Summary of changes: librpc/gen_ndr/drsuapi.h|7 --- librpc/gen_ndr/ndr_drsuapi.c|7 --- librpc/idl/drsuapi.idl |9 + source4/dsdb/repl/drepl_service.c |2 +- source4/libnet/libnet_become_dc.c |2 +- source4/rpc_server/drsuapi/dcesrv_drsuapi.c |2 +- 6 files changed, 16 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/gen_ndr/drsuapi.h b/librpc/gen_ndr/drsuapi.h index 5bcbf00..4717753 100644 --- a/librpc/gen_ndr/drsuapi.h +++ b/librpc/gen_ndr/drsuapi.h @@ -63,7 +63,7 @@ #define DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS ( 0x0010 ) #define DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1 ( 0x0020 ) #define DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION ( 0x0040 ) -#define DRSUAPI_SUPPORTED_EXTENSION_0080 ( 0x0080 ) +#define DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY ( 0x0080 ) #define DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE ( 0x0100 ) #define DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2 ( 0x0200 ) #define DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION ( 0x0400 ) 
@@ -76,7 +76,7 @@ #define DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP ( 0x0002 ) #define DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY ( 0x0004 ) #define DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3 ( 0x0008 ) -#define DRSUAPI_SUPPORTED_EXTENSION_0010 ( 0x0010 ) +#define DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5 ( 0x0010 ) #define DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2 ( 0x0020 ) #define DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6 ( 0x0040 ) #define DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS ( 0x0080 ) @@ -87,13 +87,14 @@ #define DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7 ( 0x0800 ) #define DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT ( 0x0800 ) #define DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS ( 0x1000 ) -#define DRSUAPI_SUPPORTED_EXTENSION_2000
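Review bot: librpc/gen_ndr/drsuapi.h is regenerated output, so the renames in the first two hunks (DRSUAPI_SUPPORTED_EXTENSION_0080 to _ADDENTRY, _0010 to _GETCHGREQ_V5) carry no trace of where the names come from. Put the [MS-DRSR] 5.37 reference from the commit messages as a comment beside each flag in librpc/idl/drsuapi.idl so it survives the next regeneration. The placeholder names disappear outright, so any user outside the three source4 files in the summary stops compiling; grep for the old names before pushing.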
[SCM] CTDB repository - branch 112-patches created - 64fb20dcfcff5bc067d97bff39e491e40ca45a3f
The branch, 112-patches has been created
        at  64fb20dcfcff5bc067d97bff39e491e40ca45a3f (commit)

- Log -

commit 64fb20dcfcff5bc067d97bff39e491e40ca45a3f
Author: Andrew Tridgell tri...@samba.org
Date: Fri Feb 5 17:11:29 2010 +1100

    fixed printing of high latency

commit 82f2ed827caab8999cb3f958c70821a23490fdde
Author: Andrew Tridgell tri...@samba.org
Date: Thu Feb 4 14:36:14 2010 +1100

    ctdb: when we fill the client packet queue we need to drop the client

    We can't just drop packets to the list, as those packets could be part of the core protocol the client is using. This happens (for example) when Samba is doing a traverse. If we drop a traverse packet then Samba hangs indefinitely. We are better off dropping the ctdb socket to Samba.

commit ac885788678255f0c8a091f88ee4d440edf818a9
Author: Andrew Tridgell tri...@samba.org
Date: Thu Feb 4 14:14:18 2010 +1100

    ctdb: move ctdb_io.c to use TLIST_*() macros

    This will make large packet queues much more efficient

commit a781f05f9b80e288ae43ca16f109890942937e62
Author: Andrew Tridgell tri...@samba.org
Date: Thu Feb 4 14:13:49 2010 +1100

    util: added TLIST_*() macros

    The TLIST_*() macros are like the DLIST_*() macros, but take both a head and tail pointer for the list. This means that adding an element to the end of the list is efficient (it doesn't need to walk the list). We should move all uses of the DLIST_*() macros which use DLIST_ADD_END() to use the TLIST_*() macros instead.

commit 3ec469339e56f5221960ac5b3a69bf8fb553b8f5
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date: Thu Feb 4 09:54:06 2010 +1100

    We only queued up to 1000 packets per queue before we start dropping packets, to avoid the queue to grow excessively if smbd has blocked.

    This could cause traverse packets to become discarded in case the main smbd daemon does a traverse of a database while there is a recovery (sending a reconfigured message to smbd, causing an avalanche of unlock messages to be sent across the cluster.)

    This avalanche of messages could cause also the traversal message to be discarded causing the main smbd process to hang indefinitely waiting for the traversal message that will never arrive.

    Bump the maximum queue length before starting to discard messages from 1000 to 100 and at the same time rework the queueing slightly so we can append messages cheaply to the queue instead of walking the list from head to tail every time.

commit 4af34ca1bdb4895c2dd1ec280ef14cffab7fc815
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date: Thu Feb 4 06:37:41 2010 +1100

    Drop the debug level for logging fd creation to DEBUG_DEBUG

commit 04e40deac8d0c7edf907135ae81ac961c23135c3
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date: Tue Feb 2 08:03:37 2010 +1100

    Version 1.0.112-5

commit 72d6ae64ab5ece7645b02054d617b71e231d4741
Author: Volker Lendecke v...@samba.org
Date: Fri Jan 29 18:21:09 2010 +0100

    tdb: fix an early release of the global lock that can cause data corruption

    There was a bug in tdb where the

        tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1);

    (ending the transaction-mutex) was done before the

        /* remove the recovery marker */

    This means that when a transaction is committed there is a window where another opener of the file sees the transaction marker while the transaction committer is still fully functional and working on it. This led to transaction being rolled back by that second opener of the file while transaction_commit() gave no error to the caller.

    This patch moves the F_UNLCK to after the recovery marker was removed, closing this window.

commit 3e2b1839a9f8419eeeb7f22ea5925f6c42f32a65
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date: Thu Jan 21 18:51:54 2010 +1100

    version 1.0.112-4

commit eb68bc6f27f9b10abbd5bc4e4fd62b7af54c9abb
Author: Martin Schwenke mar...@meltin.net
Date: Thu Jan 21 13:40:03 2010 +1100

    onnode: update algorithm for finding nodes file.

    2 changes:

    * If a relative nodes file is specified via -f or $CTDB_NODES_FILE but this file does not exist then try looking for the file in /etc/ctdb (or $CTDB_BASE if set).

    * If a nodes file is specified via -f or $CTDB_NODES_FILE but this file does not exist (even when checked as per above) then do not fall back to /etc/ctdb/nodes (or $CTDB_BASE if set). The old behaviour was surprising and hid errors.

    Signed-off-by: Martin Schwenke mar...@meltin.net

commit cd8b1eb75f430c589e71b2837dab9d83a12bb43e
Author: Martin Schwenke mar...@meltin.net
Date: Thu Jan 21 13:16:18 2010 +1100

    onnode - respect $CTDB_BASE rather than hard-coding /etc/ctdb.
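The two queue changes described in the log above (a list with both head and tail pointers, and disconnecting the client when its queue fills instead of discarding single packets), as an added C example. This is not CTDB's ctdb_io.c or its TLIST_*() macros; every name and the tiny queue limit are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names and limits; not CTDB's code or its TLIST_*() macros. */
#define QUEUE_MAX_PKTS 4   /* constructed, tiny so the overflow path is easy to hit */
#define PKT_MAX_LEN    32

struct pkt {
    struct pkt *next;
    size_t len;
    unsigned char data[PKT_MAX_LEN];
};

struct client_queue {
    struct pkt *head;      /* next packet to write to the client */
    struct pkt *tail;      /* last packet queued; makes append O(1) */
    size_t count;
    int disconnected;      /* set once the client has been dropped */
};

enum q_status { Q_OK = 0, Q_CLIENT_DROPPED = -1, Q_BAD_PACKET = -2, Q_NOMEM = -3 };

/* Free every queued packet and reset both ends of the list. */
void queue_clear(struct client_queue *q)
{
    struct pkt *p = q->head;
    while (p != NULL) {
        struct pkt *next = p->next;
        free(p);
        p = next;
    }
    q->head = q->tail = NULL;
    q->count = 0;
}

/* Tear down the whole client rather than lose one packet of its stream. */
void queue_drop_client(struct client_queue *q)
{
    queue_clear(q);
    q->disconnected = 1;
}

/* Append in constant time through the tail pointer. */
enum q_status queue_append(struct client_queue *q, const void *buf, size_t len)
{
    struct pkt *p;

    if (q->disconnected)
        return Q_CLIENT_DROPPED;
    if (buf == NULL || len == 0 || len > PKT_MAX_LEN)
        return Q_BAD_PACKET;
    if (q->count >= QUEUE_MAX_PKTS) {
        /* Full: a silent discard could remove the one reply the peer waits for. */
        queue_drop_client(q);
        return Q_CLIENT_DROPPED;
    }
    p = calloc(1, sizeof(*p));
    if (p == NULL)
        return Q_NOMEM;
    memcpy(p->data, buf, len);
    p->len = len;
    if (q->tail == NULL)
        q->head = p;
    else
        q->tail->next = p;
    q->tail = p;
    q->count++;
    return Q_OK;
}

/* Copy the oldest packet into out and unlink it; returns its length, 0 if none. */
size_t queue_pop(struct client_queue *q, unsigned char *out, size_t out_len)
{
    struct pkt *p = q->head;
    size_t len;

    if (p == NULL || out_len < p->len)
        return 0;
    len = p->len;
    memcpy(out, p->data, len);
    q->head = p->next;
    if (q->head == NULL)
        q->tail = NULL;    /* list emptied: the tail must not dangle */
    q->count--;
    free(p);
    return len;
}

/* What a head-only list pays per append: nodes walked to find the end. */
size_t steps_to_reach_end(const struct client_queue *q)
{
    size_t steps = 0;
    const struct pkt *p;
    for (p = q->head; p != NULL && p->next != NULL; p = p->next)
        steps++;
    return steps;
}

int main(void)
{
    struct client_queue q = {0};
    int i;

    for (i = 1; i <= QUEUE_MAX_PKTS + 1; i++) {
        enum q_status st = queue_append(&q, "traverse-reply", 14);
        printf("append %d -> %d (queued=%zu, walk cost without tail=%zu)\n",
               i, (int)st, q.count, steps_to_reach_end(&q));
    }
    printf("client disconnected: %d\n", q.disconnected);
    return 0;
}
```
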
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f9f1db1... s3: normalize Changing password for msg IDs and STRs from 8823a54... s4/drs: propagate DRS_ extension flags in code base http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f9f1db18834648da73b7b1f6d9472523941e8277 Author: Lars Müller l...@samba.org Date: Fri Feb 5 17:38:04 2010 +0100 s3: normalize Changing password for msg IDs and STRs An additional space at the end of the Changing password for msgid lead to untranslated pam_winnind messages. --- Summary of changes: source3/locale/pam_winbind/ar.po|4 ++-- source3/locale/pam_winbind/cs.po|2 +- source3/locale/pam_winbind/da.po|2 +- source3/locale/pam_winbind/es.po|4 ++-- source3/locale/pam_winbind/fi.po|4 ++-- source3/locale/pam_winbind/fr.po|4 ++-- source3/locale/pam_winbind/hu.po|2 +- source3/locale/pam_winbind/it.po|4 ++-- source3/locale/pam_winbind/ja.po|4 ++-- source3/locale/pam_winbind/ko.po|2 +- source3/locale/pam_winbind/nb.po|4 ++-- source3/locale/pam_winbind/nl.po|4 ++-- source3/locale/pam_winbind/pl.po|4 ++-- source3/locale/pam_winbind/pt_BR.po |2 +- source3/locale/pam_winbind/ru.po|4 ++-- source3/locale/pam_winbind/sv.po|4 ++-- source3/locale/pam_winbind/zh_CN.po |4 ++-- source3/locale/pam_winbind/zh_TW.po |2 +- 18 files changed, 30 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/locale/pam_winbind/ar.po b/source3/locale/pam_winbind/ar.po index 1cd622b..d50aae3 100644 --- a/source3/locale/pam_winbind/ar.po +++ b/source3/locale/pam_winbind/ar.po @@ -136,8 +136,8 @@ msgid Password: msgstr ÙÙÙ Ø© اÙسر: #: pam_winbind.c:2013 -msgid Changing password for -msgstr تغÙÙر ÙÙÙ Ø© اÙسر ÙÙ +msgid Changing password for +msgstr تغÙÙر ÙÙÙ Ø© اÙسر ÙÙ #: pam_winbind.c:2027 msgid (current) NT password: diff --git a/source3/locale/pam_winbind/cs.po b/source3/locale/pam_winbind/cs.po index cffdf2b..3fe4d61 100644 --- a/source3/locale/pam_winbind/cs.po +++ b/source3/locale/pam_winbind/cs.po 
@@ -136,7 +136,7 @@ msgid Password: msgstr Heslo: #: pam_winbind.c:2013 -msgid Changing password for +msgid Changing password for msgstr MÄnÃm heslo pro #: pam_winbind.c:2027 diff --git a/source3/locale/pam_winbind/da.po b/source3/locale/pam_winbind/da.po index a2e3ad9..ddd46a6 100644 --- a/source3/locale/pam_winbind/da.po +++ b/source3/locale/pam_winbind/da.po @@ -153,7 +153,7 @@ msgstr Brugernavn: #. instruct user what is happening #: ../../nsswitch/pam_winbind.c:2589 -msgid Changing password for +msgid Changing password for msgstr Ãndrer adgangskode for #: ../../nsswitch/pam_winbind.c:2604 diff --git a/source3/locale/pam_winbind/es.po b/source3/locale/pam_winbind/es.po index 28fa2e8..f0ce376 100644 --- a/source3/locale/pam_winbind/es.po +++ b/source3/locale/pam_winbind/es.po @@ -136,8 +136,8 @@ msgid Password: msgstr Contraseña: #: pam_winbind.c:2013 -msgid Changing password for -msgstr Cambiando la contraseña para +msgid Changing password for +msgstr Cambiando la contraseña para #: pam_winbind.c:2027 msgid (current) NT password: diff --git a/source3/locale/pam_winbind/fi.po b/source3/locale/pam_winbind/fi.po index d7006a4..3ba7a3b 100644 --- a/source3/locale/pam_winbind/fi.po +++ b/source3/locale/pam_winbind/fi.po @@ -156,8 +156,8 @@ msgstr Käyttäjänimi: #. instruct user what is happening #: ../../nsswitch/pam_winbind.c:2589 -msgid Changing password for -msgstr Vaihdetaan salasana käyttäjälle +msgid Changing password for +msgstr Vaihdetaan salasana käyttäjälle #: ../../nsswitch/pam_winbind.c:2604 msgid (current) NT password: diff --git a/source3/locale/pam_winbind/fr.po b/source3/locale/pam_winbind/fr.po index 2b185fd..6f81c37 100644 --- a/source3/locale/pam_winbind/fr.po +++ b/source3/locale/pam_winbind/fr.po 
@@ -136,8 +136,8 @@ msgid Password: msgstr Mot de passe : #: pam_winbind.c:2013 -msgid Changing password for -msgstr Changement du mot de passe pour +msgid Changing password for +msgstr Changement du mot de passe pour #: pam_winbind.c:2027 msgid (current) NT password: diff --git a/source3/locale/pam_winbind/hu.po b/source3/locale/pam_winbind/hu.po index 08e96a3..b09d5f3 100644 --- a/source3/locale/pam_winbind/hu.po +++ b/source3/locale/pam_winbind/hu.po @@ -150,7 +150,7 @@ msgid Password: msgstr Jelszó: #: pam_winbind.c:2013 -msgid Changing password for +msgid Changing password for msgstr JelszómódosÃtás #: pam_winbind.c:2027 diff --git a/source3/locale/pam_winbind/it.po b/source3/locale/pam_winbind/it.po index c7d7463..ddb70e2 100644 --- a/source3/locale/pam_winbind/it.po +++ b/source3/locale/pam_winbind/it.po
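Review bot: the hunks are inconsistent about msgstr: in ar.po, es.po, fi.po and fr.po both the msgid and the msgstr line change, while in cs.po, da.po and hu.po only the msgid does. Confirm for each catalogue that the translation's trailing whitespace matches the new msgid, otherwise the prompt runs into the user name in some languages. Hand-editing 18 .po files is also how the msgid drifted from pam_winbind.c in the first place; regenerating them from the template with msgmerge would keep them in step. The commit message spells the module pam_winnind.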
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e4d29bb... s4:UID wrapper - Make it work on older distributions via 16aa074... s4:UID wrapper - Fix includes via a51d750... NSS wrapper - add dependency to nsstest via 44b95bc... s4:Heimdal build - never require the NSS wrapper for Heimdal Kerberos from f9f1db1... s3: normalize Changing password for msg IDs and STRs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e4d29bb4fd0564c39863b56c1a285d6e23e257ab Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Sat Jan 30 14:25:51 2010 +0100 s4:UID wrapper - Make it work on older distributions On my older CentOS 4 installation I had the problem with the missing substitution prototypes (uwrap_*). So I added them to uid_wrapper.h. Also, I made the head of the uid_wrapper.c file more like the one of nss_wrapper.c - it shouldn't change that much, I did it only to be consistent. This patch should fix the build on older distributions while keep it running on newer ones. commit 16aa0744c6820c5400b73fd4889608c38fc55b39 Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Sat Jan 30 14:25:51 2010 +0100 s4:UID wrapper - Fix includes The includes of the UID wrapper headers werent't really efficient according to metze's post on the technical mailing list (http://lists.samba.org/archive/samba-technical/2010-February/069165.html). To achieve this move the uid_wrapper.h includes into lib/util/unix_privs.c, lib/util/util.c, ntvfs/posix/pvfs_acl.c and ntvfs/unixuid/vfs_unixuid.c. commit a51d750652671a41a2828b80feaa9e4d81219002 Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Sat Jan 30 14:18:57 2010 +0100 NSS wrapper - add dependency to nsstest The code part makes use of the NSS wrapper if it is enabled. Surprisingly the build process doesn't break with the missing dependency on more recent systems. But with an older CentOS 4 installation it has been broken. 
This patch should fix the problem on older distributions while keep the build running on newer ones. commit 44b95bc72777ab42f2b089f37b0b84b3b4c0736c Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Fri Feb 5 16:58:32 2010 +0100 s4:Heimdal build - never require the NSS wrapper for Heimdal Kerberos Disable the use of it in the heimdal code. Notice: This doesn't need to be ported upstream since it only affects the build in conjunction with s4. --- Summary of changes: lib/uid_wrapper/uid_wrapper.c | 12 ++-- lib/uid_wrapper/uid_wrapper.h | 12 ++-- lib/util/unix_privs.c | 11 ++- lib/util/util.c |9 + nsswitch/config.mk |3 ++- source4/heimdal_build/config.h |9 - source4/heimdal_build/internal.mk | 10 +- source4/include/includes.h |9 - source4/ntvfs/posix/pvfs_acl.c |8 source4/ntvfs/unixuid/vfs_unixuid.c | 10 ++ 10 files changed, 64 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/uid_wrapper/uid_wrapper.c b/lib/uid_wrapper/uid_wrapper.c index f7f0431..93ebb7c 100644 --- a/lib/uid_wrapper/uid_wrapper.c +++ b/lib/uid_wrapper/uid_wrapper.c @@ -15,10 +15,18 @@ along with this program. If not, see http://www.gnu.org/licenses/. */ +#ifdef _SAMBA_BUILD_ + #define UID_WRAPPER_NOT_REPLACE -#include includes.h +#include ../replace/replace.h +#include talloc.h #include system/passwd.h -#include system/filesys.h + +#else /* _SAMBA_BUILD_ */ + +#error uid_wrapper_only_supported_in_samba_yet + +#endif #ifndef _PUBLIC_ #define _PUBLIC_ diff --git a/lib/uid_wrapper/uid_wrapper.h b/lib/uid_wrapper/uid_wrapper.h index 5d7c99d..3d42223 100644 --- a/lib/uid_wrapper/uid_wrapper.h +++ b/lib/uid_wrapper/uid_wrapper.h 
@@ -18,6 +18,16 @@ #ifndef __UID_WRAPPER_H__ #define __UID_WRAPPER_H__ +int uwrap_enabled(void); +int uwrap_seteuid(uid_t euid); +uid_t uwrap_geteuid(void); +int uwrap_setegid(gid_t egid); +uid_t uwrap_getegid(void); +int uwrap_setgroups(size_t size, const gid_t *list); +int uwrap_getgroups(int size, gid_t *list); +uid_t uwrap_getuid(void); +gid_t uwrap_getgid(void); + #ifdef seteuid #undef seteuid #endif @@ -58,6 +68,4 @@ #endif #define getgid uwrap_getgid -int uwrap_enabled(void); - #endif /* __UID_WRAPPER_H__ */ diff --git a/lib/util/unix_privs.c b/lib/util/unix_privs.c index f55e739..b30b2f5 100644 --- a/lib/util/unix_privs.c +++ b/lib/util/unix_privs.c @@ -20,9 +20,18 @@ */ #include includes.h -#include system/filesys.h +#include system/passwd.h #include ../lib/util/unix_privs.h +#if defined(UID_WRAPPER) +#if !defined(UID_WRAPPER_REPLACE)
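Review bot: in the uid_wrapper.h hunk the new prototype uid_t uwrap_getegid(void); returns uid_t, but an effective group id is a gid_t (compare gid_t uwrap_getgid(void); three lines below it). Change the return type to gid_t and check that the definition in uid_wrapper.c agrees, since the #define macros further down route every getegid() call in the tree through this prototype.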
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via abbd0f9... s3: Make use of ZERO_STRUCTP via 3ea602a... s3: Remove a pointless if-statement via dcc850e... s3: Make guest_user_info() static via 004e3e4... s3: Hide some uses of pdb_get_init_flags (which I would love to remove...) via 1cd7223... s3: Fix some nonempty blank lines from e4d29bb... s4:UID wrapper - Make it work on older distributions http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit abbd0f9195fe9b4feb29b86a04c88be001e2737a Author: Volker Lendecke v...@samba.org Date: Fri Feb 5 15:55:14 2010 +0100 s3: Make use of ZERO_STRUCTP commit 3ea602a7c3f71a5cc1b2f867d86d8baa24bfe661 Author: Volker Lendecke v...@samba.org Date: Fri Feb 5 15:53:19 2010 +0100 s3: Remove a pointless if-statement commit dcc850e3b30f84513c4b38dac88dffa19aac53cd Author: Volker Lendecke v...@samba.org Date: Fri Feb 5 15:50:11 2010 +0100 s3: Make guest_user_info() static commit 004e3e400d0f404ffd9515c1f502c5287a4bff1c Author: Volker Lendecke v...@samba.org Date: Fri Feb 5 15:40:12 2010 +0100 s3: Hide some uses of pdb_get_init_flags (which I would love to remove...) commit 1cd7223b8e380813b5324eb903e980c6eeefda5f Author: Volker Lendecke v...@samba.org Date: Fri Feb 5 15:43:26 2010 +0100 s3: Fix some nonempty blank lines --- Summary of changes: source3/include/proto.h|1 - source3/passdb/machine_sid.c | 20 +++--- source3/passdb/pdb_get_set.c |2 +- source3/passdb/pdb_interface.c |2 +- source3/passdb/pdb_ldap.c |2 +- source3/passdb/pdb_smbpasswd.c | 54 6 files changed, 40 insertions(+), 41 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index 8a17039..177c333 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
@@ -4575,7 +4575,6 @@ struct event_context *pdb_get_event_context(void); NTSTATUS make_pdb_method_name(struct pdb_methods **methods, const char *selected); struct pdb_domain_info *pdb_get_domain_info(TALLOC_CTX *mem_ctx); bool pdb_getsampwnam(struct samu *sam_acct, const char *username) ; -bool guest_user_info( struct samu *user ); bool pdb_getsampwsid(struct samu *sam_acct, const DOM_SID *sid) ; NTSTATUS pdb_create_user(TALLOC_CTX *mem_ctx, const char *name, uint32 flags, uint32 *rid); diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index c7c3cc4..d70e7c4 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -5,17 +5,17 @@ Copyright (C) Andrew Tridgell 2002 Copyright (C) Gerald (Jerry) Carter 2000 Copyright (C) Stefan (metze) Metzmacher 2002 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ @@ -42,12 +42,12 @@ static bool read_sid_from_file(const char *fname, DOM_SID *sid) bool ret; lines = file_lines_load(fname, numlines,0, NULL); - + if (!lines || numlines 1) { - if (lines) TALLOC_FREE(lines); + TALLOC_FREE(lines); return False; } - + ret = string_to_sid(sid, lines[0]); TALLOC_FREE(lines); return ret; @@ -61,7 +61,8 @@ static void generate_random_sid(DOM_SID *sid) int i; uchar raw_sid_data[12]; - memset((char *)sid, '\0', sizeof(*sid)); + ZERO_STRUCTP(sid); + sid-sid_rev_num = 1; sid-id_auth[5] = 5; sid-num_auths = 0; 
@@ -81,7 +82,7 @@ static DOM_SID *pdb_generate_sam_sid(void) DOM_SID domain_sid; char *fname = NULL; DOM_SID *sam_sid; - + if(!(sam_sid=SMB_MALLOC_P(DOM_SID))) return NULL; @@ -124,7 +125,6 @@ static DOM_SID *pdb_generate_sam_sid(void) } return sam_sid; - } /* check for an old MACHINE.SID file for backwards compatibility */ @@ -185,7 +185,7 @@ DOM_SID *get_global_sam_sid(void) if (global_sam_sid != NULL) return global_sam_sid; - + /* * memory for global_sam_sid is allocated in *
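Review bot: the proto.h hunk deletes the guest_user_info() prototype, which is only safe if every caller lives in the file where the function becomes static; the changeset is truncated before that definition, so confirm with a grep over source3 that nothing else references it. In read_sid_from_file() the removed if (lines) guard now relies on TALLOC_FREE() accepting NULL, which deserves a word in the commit message of "Remove a pointless if-statement".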
svn commit: samba-web r1363 - in trunk: . news
Author: tridge Date: 2010-02-05 14:48:36 -0700 (Fri, 05 Feb 2010) New Revision: 1363 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1363 Log: add response to symlink attack Added: trunk/news/symlink_attack.html Modified: trunk/index.html Changeset: Modified: trunk/index.html === --- trunk/index.html2010-02-01 18:57:40 UTC (rev 1362) +++ trunk/index.html2010-02-05 21:48:36 UTC (rev 1363) @@ -24,6 +24,12 @@ h2Latest News/h2 !--#include virtual=/samba/news/headlines.html -- +h45 February 2010/h4 +p class=headlineSamba response to reported security hole/p + +pThe Samba Team has a href=news/symlink_attack.htmlposted a +response/a to the widely reported symlink attack./p + h426 January 2010/h4 p class=headlineSamba 3.5.0rc2 Available for Download/p Added: trunk/news/symlink_attack.html === --- trunk/news/symlink_attack.html (rev 0) +++ trunk/news/symlink_attack.html 2010-02-05 21:48:36 UTC (rev 1363) 
@@ -0,0 +1,79 @@ +!--#include virtual=/samba/header.html -- + titleSymlink attack/title +!--#include virtual=/samba/header_columns.html -- + + +h45 February 2010/h4 +p class=headlineClaimed Zero Day exploit in Samba/p + +pA user named kcopedarookie posted what they claim to be a video +of a +zero-day a href=http://www.youtube.com/watch?v=NN50RtZ2N74aia=true;exploit +in Samba/a on youtube yesterday./p + +pThe video shows modifications to smbclient allowing +/etc/passwd to be downloaded from a remote server./p + +pThe issue is actually a default insecure configuration +in Samba./p + +h5Quick FAQ: What do I do !/h5 + +pSet: +pre + wide links = no +/pre +in the [global] section of your smb.conf and restart +smbd to eliminate this problem./p + +h5Longer FAQ: The real issue/h5 + +pThe problem comes from a combination of two features in Samba, each +of which on their own are useful to Administrators, but in combination +allow users to access any file on the system that their logged in +username has permissions to read (this is not a privilege escalation +problem)./p + +pBy default Samba ships with the parameter wide links = yes, which +allows Administrators to locally (on the server) add a symbolic link +inside an exported share which SMB/CIFS clients will follow./p + +pAs an example, given a share definition: +pre + [tmp] + path = /tmp + read only = no + guest ok = yes +/pre/p + +pThe administrator could add a symlink: + +pre + $ ln -s /etc/passwd /tmp/passwd +/pre + +and SMB/CIFS clients would then see a file called passwd within +the [tmp] share that could be read and would allow clients to read +/etc/passwd./p + +pIf the wide links parameter is set to no, any attempt +to read this file will fail with an access denied error./p + +pThe problem occurs as Samba allows clients using the UNIX +extensions (which are also turned on by default) to create +symlinks on remotely mounted shares on which they have write +access that point to any path on the file system./p + +pThis 
is by design, as applications running on UNIX clients may have +good reasons to create symlinks anywhere on the filesystem they have +write access that point to local files (such as /etc/passwd)./p + +pUNIX clients will resolve these links locally, but Windows +clients will resolve them on the server. It is this combination +that causes the problem./p + +pAll future versions of Samba will have the parameter wide links +set to no by default, and the manual pages will be updated to +explain this issue./p + +!--#include virtual=/samba/footer.html --
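Review bot: In the "Longer FAQ" text, the paragraph beginning "This is by design" says UNIX clients create symlinks "that point to local files (such as /etc/passwd)" without saying which machine "local" refers to, and the advisory turns on exactly that distinction: a link a UNIX client means for its own filesystem is resolved on the server for Windows clients. Suggest "files local to the client". Separately, the "Set:", "As an example, given a share definition:" and "The administrator could add a symlink:" paragraphs each wrap a pre block inside a p element; close the paragraph before each pre.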
svn commit: samba-web r1364 - in trunk: .
Author: tridge Date: 2010-02-05 14:49:33 -0700 (Fri, 05 Feb 2010) New Revision: 1364 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1364 Log: fixed link Modified: trunk/index.html Changeset: Modified: trunk/index.html === --- trunk/index.html2010-02-05 21:48:36 UTC (rev 1363) +++ trunk/index.html2010-02-05 21:49:33 UTC (rev 1364) @@ -27,7 +27,7 @@ h45 February 2010/h4 p class=headlineSamba response to reported security hole/p -pThe Samba Team has a href=news/symlink_attack.htmlposted a +pThe Samba Team has a href=/samba/news/symlink_attack.htmlposted a response/a to the widely reported symlink attack./p h426 January 2010/h4
svn commit: samba-web r1365 - in trunk/news: .
Author: tridge Date: 2010-02-05 14:54:11 -0700 (Fri, 05 Feb 2010) New Revision: 1365 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1365 Log: improve layout Modified: trunk/news/symlink_attack.html Changeset: Modified: trunk/news/symlink_attack.html === --- trunk/news/symlink_attack.html 2010-02-05 21:49:33 UTC (rev 1364) +++ trunk/news/symlink_attack.html 2010-02-05 21:54:11 UTC (rev 1365) @@ -8,7 +8,7 @@ pA user named kcopedarookie posted what they claim to be a video of a -zero-day a href=http://www.youtube.com/watch?v=NN50RtZ2N74aia=true;exploit +zero-day a href=http://www.youtube.com/watch?v=NN50RtZ2N74amp;aia=true;exploit in Samba/a on youtube yesterday./p pThe video shows modifications to smbclient allowing @@ -25,6 +25,7 @@ /pre in the [global] section of your smb.conf and restart smbd to eliminate this problem./p +p/p h5Longer FAQ: The real issue/h5 @@ -38,21 +39,21 @@ allows Administrators to locally (on the server) add a symbolic link inside an exported share which SMB/CIFS clients will follow./p -pAs an example, given a share definition: +pAs an example, given a share definition:/p pre [tmp] path = /tmp read only = no guest ok = yes -/pre/p +/pre -pThe administrator could add a symlink: +pThe administrator could add a symlink:/p pre $ ln -s /etc/passwd /tmp/passwd /pre -and SMB/CIFS clients would then see a file called passwd within +pand SMB/CIFS clients would then see a file called passwd within the [tmp] share that could be read and would allow clients to read /etc/passwd./p
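Review bot: The second hunk adds an empty p element after the Quick FAQ paragraph purely as a spacer; it carries no content and may render as no space at all, so the spacing before the h5 belongs in the stylesheet. In the third hunk, closing the paragraph before each pre leaves "and SMB/CIFS clients would then see a file called passwd" as a new paragraph that starts mid-sentence; reword it to stand alone, for example "SMB/CIFS clients would then see a file called passwd".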
svn commit: samba-web r1366 - in trunk/news: .
Author: tridge Date: 2010-02-05 14:56:08 -0700 (Fri, 05 Feb 2010) New Revision: 1366 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1366 Log: improve layout2 Modified: trunk/news/symlink_attack.html Changeset: Modified: trunk/news/symlink_attack.html === --- trunk/news/symlink_attack.html 2010-02-05 21:54:11 UTC (rev 1365) +++ trunk/news/symlink_attack.html 2010-02-05 21:56:08 UTC (rev 1366) @@ -19,11 +19,11 @@ h5Quick FAQ: What do I do !/h5 -pSet: +pSet:/p pre wide links = no /pre -in the [global] section of your smb.conf and restart +pin the [global] section of your smb.conf and restart smbd to eliminate this problem./p p/p
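Review bot: Closing the paragraph after "Set:" leaves "in the [global] section of your smb.conf and restart smbd to eliminate this problem." as its own paragraph starting with a lowercase fragment. This is the instruction most readers will act on, so make it a full sentence, for example "Set this in the [global] section of your smb.conf and restart smbd to eliminate this problem."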
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bd26944... Fix bug 7104 - wide links and unix extensions are incompatible. from abbd0f9... s3: Make use of ZERO_STRUCTP http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bd269443e311d96ef495a9db47d1b95eb83bb8f4 Author: Jeremy Allison j...@samba.org Date: Fri Feb 5 15:20:18 2010 -0800 Fix bug 7104 - wide links and unix extensions are incompatible. Change parameter wide links to default to no. Ensure wide links = no if unix extensions = yes on a share. Fix man pages to reflect this. Remove within share checks for a UNIX symlink set - even if widelinks = no. The server will not follow that link anyway. Correct DEBUG message in check_reduced_name() to add missing \n so it's really clear when a path is being denied as it's outside the enclosing share path. Jeremy. --- Summary of changes: docs-xml/smbdotconf/misc/widelinks.xml | 13 ++-- docs-xml/smbdotconf/protocol/unixextensions.xml |3 ++ source3/param/loadparm.c|2 +- source3/smbd/service.c |8 + source3/smbd/trans2.c | 36 --- source3/smbd/vfs.c |2 +- 6 files changed, 22 insertions(+), 42 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml index fb707c1..1c30bb7 100644 --- a/docs-xml/smbdotconf/misc/widelinks.xml +++ b/docs-xml/smbdotconf/misc/widelinks.xml 
@@ -9,10 +9,15 @@ server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported./para - paraNote that setting this parameter can have a negative - effect on your server performance due to the extra system calls - that Samba has to do in order to perform the link checks./para + paraNote: Turning this parameter on when UNIX extensions are enabled + will allow UNIX clients to create symbolic links on the share that + can point to files or directories outside restricted path exported + by the share definition. This can cause access to areas outside of + the share. Due to this problem, this parameter will be automatically + disabled (with a message in the log file) if the + smbconfoption name=unix extensions/ option is on. + /para /description -value type=defaultyes/value +value type=defaultno/value /samba:parameter diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml index da9ad10..36e72d2 100644 --- a/docs-xml/smbdotconf/protocol/unixextensions.xml +++ b/docs-xml/smbdotconf/protocol/unixextensions.xml @@ -10,6 +10,9 @@ by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients./para +para +Note if this parameter is turned on, the smbconfoption name=wide links/ +parameter will automatically be disabled. /description value type=defaultyes/value diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index bd70ee1..5bac25c 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -606,7 +606,7 @@ static struct service sDefault = { True, /* bLevel2OpLocks */ False, /* bOnlyUser */ True, /* bMangledNames */ - True, /* bWidelinks */ + false, /* bWidelinks */ True, /* bSymlinks */ False, /* bSyncAlways */ False, /* bStrictAllocate */ diff --git a/source3/smbd/service.c b/source3/smbd/service.c index e8775ff..8039d16 100644 
--- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -1039,6 +1039,14 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, } #endif + if (lp_unix_extensions() lp_widelinks(snum)) { + DEBUG(0,(Share '%s' has wide links and unix extensions enabled. + These parameters are incompatible. + Disabling wide links for this share.\n, + lp_servicename(snum) )); + lp_do_parameter(snum, wide links, False); + } + /* Figure out the characteristics of the underlying filesystem. This * assumes that all the filesystem mounted withing a share path have * the same characteristics, which is likely but not guaranteed. diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index df61167..28862d1 100644 --- a/source3/smbd/trans2.c +++
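Review bot: In the docs-xml/smbdotconf/protocol/unixextensions.xml hunk, the added para element is never closed: the new text runs straight into the existing /description line. Add the closing /para after "will automatically be disabled." so the manpage source stays well-formed. The sentence would also read better as "Note that if this parameter is turned on, ...".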
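Review bot: In the source3/param/loadparm.c hunk, the new bWidelinks default is written as lowercase false while every neighbouring entry in sDefault uses True or False; use False to match the rest of the table.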
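Review bot: In the source3/smbd/service.c hunk, the incompatibility check sits in make_connection_snum(), so the override and its DEBUG(0) message are applied when a connection to the share is made rather than when smb.conf is loaded. An administrator who set wide links = yes explicitly learns that it was ignored only from the log, and the level 0 message can repeat for each connection. Consider doing the check where the parameters are loaded so it is reported once, and say in the message that the smb.conf setting is being overridden. The trans2.c part of the change is cut off by the changeset truncation, so the removal of the within-share symlink checks described in the log cannot be reviewed here.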
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fac6d52... Remove now unused variable. Jeremy. from bd26944... Fix bug 7104 - wide links and unix extensions are incompatible. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fac6d5212be3e7159896a9c67e15faa4a557c213 Author: Jeremy Allison j...@samba.org Date: Fri Feb 5 16:20:34 2010 -0800 Remove now unused variable. Jeremy. --- Summary of changes: source3/smbd/trans2.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 28862d1..073bee6 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -5815,7 +5815,6 @@ static NTSTATUS smb_set_file_unix_link(connection_struct *conn, { char *link_target = NULL; const char *newname = smb_fname-base_name; - NTSTATUS status = NT_STATUS_OK; TALLOC_CTX *ctx = talloc_tos(); /* Set a symbolic link. */ -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5bb89bc... s4-ldb: fixed api.py selftest from fac6d52... Remove now unused variable. Jeremy. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5bb89bc47cbba73c732ea6873b72849e9f239503 Author: Andrew Tridgell tri...@samba.org Date: Sat Feb 6 14:26:22 2010 +1100 s4-ldb: fixed api.py selftest subunitrun seemed to be calling a test from its own source, instead of the samba test. Fix this by calling the test directly. --- Summary of changes: source4/selftest/tests.sh |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh index dd5ffe2..904f148 100755 --- a/source4/selftest/tests.sh +++ b/source4/selftest/tests.sh @@ -436,7 +436,7 @@ then fi SUBUNITRUN=$VALGRIND $PYTHON $samba4srcdir/scripting/bin/subunitrun -plantest ldb.python none PYTHONPATH=$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python/ $SUBUNITRUN api +plantest ldb.python none PYTHONPATH=$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python/ $PYTHON $samba4srcdir/lib/ldb/tests/python/api.py plantest credentials.python none PYTHONPATH=$PYTHONPATH:$samba4srcdir/auth/credentials/tests $SUBUNITRUN bindings plantest gensec.python none PYTHONPATH=$PYTHONPATH:$samba4srcdir/auth/gensec/tests $SUBUNITRUN bindings plantest registry.python none PYTHONPATH=$PYTHONPATH:$samba4srcdir/lib/registry/tests/ $SUBUNITRUN bindings -- Samba Shared Repository
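Review bot: The replacement plantest line for ldb.python calls $PYTHON directly instead of $SUBUNITRUN, and SUBUNITRUN is defined just above as "$VALGRIND $PYTHON $samba4srcdir/scripting/bin/subunitrun", so this test no longer picks up $VALGRIND when it is set. If that is not intended, prefix the new command with $VALGRIND. The neighbouring credentials, gensec and registry tests still go through $SUBUNITRUN, so a short comment on why ldb.python is the exception would help the next reader.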
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5dbf175... s3-events: make the old timed events compatible with tevent via dd498d2... s3-smbd: add a rate limited cleanup of brl, connections and locking db via 74267d6... s3-brlock: we don't need these MSG_SMB_UNLOCK calls now via 5b398ed... s3-brlock: add a minimim retry time for pending blocking locks from 5bb89bc... s4-ldb: fixed api.py selftest http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5dbf175c75bd6139f3238f36665000641f7f7f79 Author: Andrew Tridgell tri...@samba.org Date: Fri Feb 5 19:14:45 2010 -0800 s3-events: make the old timed events compatible with tevent tevent ensures that a timed event is only called once. The old events code relied on the called handler removing the event itself. If the handler removed the event after calling a function which invoked the event loop then the timed event could loop forever. This change makes the two timed event systems more compatible, by allowing the handler to free the te if it wants to, but ensuring it is off the linked list of events before the handler is called, and ensuring it is freed even if the handler doesn't free it. commit dd498d2eecf124a03b6117ddab892a1112f9e9db Author: Andrew Tridgell tri...@samba.org Date: Fri Feb 5 21:08:56 2010 -0800 s3-smbd: add a rate limited cleanup of brl, connections and locking db On unclean shutdown we can end up with stale entries in the brlock, connections and locking db. Previously we would do the cleanup on every unclean exit, but that can cause smbd to be completely unavailable for several minutes when a large number of child smbd processes exit. 
This adds a rate limited cleanup of the databases, with the default that cleanup happens at most every 20s commit 74267d652485cdcb711f734f0d80da0fb1495867 Author: Andrew Tridgell tri...@samba.org Date: Fri Feb 5 21:02:24 2010 -0800 s3-brlock: we don't need these MSG_SMB_UNLOCK calls now These have been replaced with the min timeout in blocking.c commit 5b398edbee672392f2cea260ab17445ecca927d7 Author: Andrew Tridgell tri...@samba.org Date: Fri Feb 5 20:59:43 2010 -0800 s3-brlock: add a minimim retry time for pending blocking locks When we are waiting on a pending byte range lock, another smbd might exit uncleanly, and therefore not notify us of the removal of the lock, and thus not trigger the lock to be retried. We coped with this up to now by adding a message_send_all() in the SIGCHLD and cluster reconfigure handlers to send a MSG_SMB_UNLOCK to all smbd processes. That would generate O(N^2) work when a large number of clients disconnected at once (such as on a network outage), which could leave the whole system unusable for a very long time (many minutes, or even longer). By adding a minimum re-check time for pending byte range locks we avoid this problem by ensuring that pending locks are retried at a more regular interval. --- Summary of changes: source3/lib/ctdbd_conn.c |8 --- source3/lib/events.c | 21 +- source3/smbd/blocking.c | 20 ++ source3/smbd/server.c| 50 ++--- 4 files changed, 81 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c index 84bba3b..8ddb12a 100644 --- a/source3/lib/ctdbd_conn.c +++ b/source3/lib/ctdbd_conn.c 
@@ -542,15 +542,7 @@ static NTSTATUS ctdb_handle_message(uint8_t *buf, size_t length, messaging_send(conn-msg_ctx, procid_self(), MSG_SMB_BRL_VALIDATE, data_blob_null); - /* -* it's possible that we have just rejoined the cluster after -* an outage. In that case our pending locks could have been -* removed from the lockdb, so retry them once more -*/ - message_send_all(conn-msg_ctx, MSG_SMB_UNLOCK, NULL, 0, NULL); - TALLOC_FREE(buf); - return NT_STATUS_OK; } diff --git a/source3/lib/events.c b/source3/lib/events.c index 7a06ad0..75aa250 100644 --- a/source3/lib/events.c +++ b/source3/lib/events.c @@ -105,12 +105,29 @@ bool run_events(struct tevent_context *ev, if ((ev-timer_events != NULL) (timeval_compare(now, ev-timer_events-next_event) = 0)) { + /* this older events system did not auto-free timed + events on running them, and had a race condition + where the event could be called twice if the + talloc_free of the te happened after the callback + made a call
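Review bot: In the source3/lib/ctdbd_conn.c hunk, the removed comment was the only explanation of why pending locks need a retry after rejoining the cluster, and the case it describes (pending locks removed from the lockdb during an outage) still exists. With the message_send_all() call gone, that recovery depends on the minimum retry time the log says was added in blocking.c; leave a one-line comment here pointing at it so the dependency stays visible. The blocking.c and server.c hunks are cut off by the changeset truncation, so the retry timer and the 20s cleanup default cannot be checked against this removal.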
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 913a9f4... s3: Fix malformed require_membership_of_sid. from 5dbf175... s3-events: make the old timed events compatible with tevent http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 913a9f4e420c7a4177e6a7874e8ec2703f447918 Author: Bo Yang boy...@samba.org Date: Sun Feb 7 14:45:42 2010 +0800 s3: Fix malformed require_membership_of_sid. Signed-off-by: Bo Yang boy...@samba.org --- Summary of changes: nsswitch/pam_winbind.c | 12 1 files changed, 12 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 51346a8..52a8daa 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -1137,6 +1137,7 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx, char *current_name = NULL; const char *search_location; const char *comma; + int len; if (sid_list_buffer_size 0) { sid_list_buffer[0] = 0; @@ -1192,6 +1193,17 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx, _make_remark_format(ctx, PAM_TEXT_INFO, _(Cannot convert group %s to sid, please contact your administrator to see if group %s is valid.), search_location, search_location); + /* +* The lookup of the last name failed.. +* It results in require_member_of_sid ends with ',' +* It is malformated parameter here, overwrite the last ','. +*/ + len = strlen(sid_list_buffer); + if (len) { + if (sid_list_buffer[len - 1] == ',') { + sid_list_buffer[len - 1] = '\0'; + } + } } result = true; -- Samba Shared Repository
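Review bot: In the second hunk, len is declared int but receives the result of strlen(), which returns size_t; declare it size_t to avoid the implicit narrowing. The two nested ifs can be a single condition (len is non-zero and sid_list_buffer[len - 1] is ','), and the added comment needs a pass for wording ("malformated", "It results in require_member_of_sid ends with ','").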
Build status as of Sat Feb 6 07:00:07 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-02-05 00:00:06.0 -0700 +++ /home/build/master/cache/broken_results.txt 2010-02-06 00:00:14.0 -0700 @@ -1,4 +1,4 @@ -Build status as of Fri Feb 5 07:00:05 2010 +Build status as of Sat Feb 6 07:00:07 2010 Build counts: Tree Total Broken Panic @@ -14,8 +14,8 @@ samba-web0 0 0 samba_3_current 33 32 1 samba_3_master 33 31 5 -samba_3_next 29 28 4 -samba_4_0_test 35 34 1 +samba_3_next 29 29 4 +samba_4_0_test 35 33 1 talloc 35 12 0 tdb 33 21 0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b93f07e... Fix trailing whitespace errors I added (sorry). from 913a9f4... s3: Fix malformed require_membership_of_sid. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b93f07ef41fedf9cdb3f48fe77ed070c69ec3608 Author: Jeremy Allison j...@samba.org Date: Fri Feb 5 22:51:11 2010 -0800 Fix trailing whitespace errors I added (sorry). Jeremy. --- Summary of changes: source3/smbd/blocking.c |4 ++-- source3/smbd/server.c |6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c index 6c7c167..04e28a9 100644 --- a/source3/smbd/blocking.c +++ b/source3/smbd/blocking.c @@ -76,7 +76,7 @@ static bool recalc_brl_timeout(void) TALLOC_FREE(brl_timeout); - next_timeout = timeval_zero(); + next_timeout = timeval_zero(); for (blr = blocking_lock_queue; blr; blr = blr-next) { if (timeval_is_zero(blr-expire_time)) { @@ -117,7 +117,7 @@ static bool recalc_brl_timeout(void) if (max_brl_timeout 0) { struct timeval min_to = timeval_current_ofs(max_brl_timeout, 0); - next_timeout = timeval_min(next_timeout, min_to); + next_timeout = timeval_min(next_timeout, min_to); } if (DEBUGLVL(10)) { diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 37716c4..ea1ef2e 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -239,7 +239,7 @@ static void cleanup_timeout_fn(struct event_context *event_ctx, DEBUG(1,(Cleaning up brl and lock database after unclean shutdown\n)); message_send_all(smbd_messaging_context(), MSG_SMB_UNLOCK, NULL, 0, NULL); - messaging_send_buf(smbd_messaging_context(), procid_self(), + messaging_send_buf(smbd_messaging_context(), procid_self(), MSG_SMB_BRL_VALIDATE, NULL, 0); /* mark the cleanup as having been done */ (*cleanup_te) = NULL; 
@@ -255,14 +255,14 @@ static void remove_child_pid(pid_t pid, bool unclean_shutdown) processes to see if they can grab any of the pending locks */ - DEBUG(3,(__location__ Unclean shutdown of pid %u\n, + DEBUG(3,(__location__ Unclean shutdown of pid %u\n, (unsigned int)pid)); if (!cleanup_te) { /* call the cleanup timer, but not too often */ int cleanup_time = lp_parm_int(-1, smbd, cleanuptime, 20); cleanup_te = event_add_timed(smbd_event_context(), NULL, timeval_current_ofs(cleanup_time, 0), - cleanup_timeout_fn, + cleanup_timeout_fn, cleanup_te); DEBUG(1,(Scheduled cleanup of brl and lock database after unclean shutdown\n)); } -- Samba Shared Repository