Re: [Samba] Samba4 + Kerberos cross-realms + ldap
On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:

> Quick and easy question: I have a network which already has its own kerberos + ldap servers running and I want to setup a samba4 box as AD. So, from conversations here and on irc, the best thing to do is to setup the samba4's built-in kerberos to do cross-realm authentication with the other kerberos server. Now, how would those crossed users look like in samba? Or, how would they be created in the samba4 ldap so they would have, among other things, a local home directory (or wherever the homedir; it just has to be in a place samba can find, know what to do with it, and do it) which would then be exported?

I realise it's not a great answer, but currently we don't support cross-realm trusts. We have some of the parts (they are being used for IPA), but I would not make any assumptions about it being fully working for what you need.

In particular, for the Microsoft model, we should find the 'local' account for the principal and make up a PAC, none of which we do.

As to extending the Samba4 schema, this is a great option, except that a number of users have reported various issues here, which we are yet to resolve.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba and .NET FileSystemWatcher
On Thu, Jun 16, 2011 at 02:59:20PM +0100, Keith Douglas wrote:

> I've been looking into a problem using the .NET FileSystemWatcher class in a VB application. The application is only receiving notifications for events in the root of the directory it is watching.
>
> E.g. When monitoring \\SambaServer\Files, \\SambaServer\Files\file.txt will give notifications but not \\SambaServer\Files\Folder\file2.txt via Samba.
>
> The same application works fine using a windows CIFS/SMB share or a local drive. The FileSystemWatcher.IncludeSubdirectories option is set to True in the application.
>
> The issue appears to be that Samba does not monitor file events recursively, because inotify in the linux kernel does not monitor directories recursively. From man inotify:
>
> Inotify monitoring of directories is not recursive: to monitor subdirectories under a directory, additional watches must be created.
>
> I was wondering if there is any method by which Samba can notify for recursive events? I am aware that this could also be achieved by adding individual watches within the afore-mentioned VB application, however this is not an option for me at present.

For events that are generated locally on the Linux box or via other protocols like NFS we have to rely on the functionality provided by Linux as such, so we are limited by inotify. Imagine a huge directory tree with thousands of subdirectories. We just can't put inotify listeners on all of those. However, recursive notifies should work for all events that come in via other cifs clients.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
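The inotify limitation quoted in this thread, as an added example that is not part of the original messages: a single watch on the top directory misses a file created in a subdirectory, and covering the tree takes one watch per directory. The function names and the temporary directory layout are assumptions made for the demonstration.

```c
/* Added example: recursive monitoring built from per-directory inotify watches.
 * All paths and file names are constructed for the demonstration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define WATCH_MASK (IN_CREATE | IN_DELETE | IN_MODIFY)

struct demo_result {
    int root_only_saw_nested; /* 1 if a watch on the root alone reported a nested create */
    int watches_needed;       /* watches it took to cover the whole tree */
    int tree_saw_nested;      /* 1 if the per-directory watches reported a nested create */
};

/* Add a watch on dir and on every directory below it (symlinks are not followed).
 * Returns the number of watches added, or -1 on error, for example ENOSPC once
 * fs.inotify.max_user_watches is exhausted. */
int watch_tree(int ifd, const char *dir)
{
    struct dirent *de;
    int count = 1;
    DIR *d;

    if (inotify_add_watch(ifd, dir, WATCH_MASK) < 0)
        return -1;
    if ((d = opendir(dir)) == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        int n;

        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;
        snprintf(path, sizeof(path), "%s/%s", dir, de->d_name);
        if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;
        if ((n = watch_tree(ifd, path)) < 0) {
            closedir(d);
            return -1;
        }
        count += n;
    }
    closedir(d);
    return count;
}

/* Return 1 if at least one event is queued within timeout_ms, else 0. */
int event_pending(int ifd, int timeout_ms)
{
    char buf[4096] __attribute__((aligned(8)));
    struct pollfd p = { .fd = ifd, .events = POLLIN };

    if (poll(&p, 1, timeout_ms) <= 0)
        return 0;
    return read(ifd, buf, sizeof(buf)) > 0;
}

/* Build root/rel in a static buffer (single-threaded demo helper). */
static const char *at(const char *root, const char *rel)
{
    static char path[PATH_MAX];
    snprintf(path, sizeof(path), "%s/%s", root, rel);
    return path;
}

static void touch(const char *path)
{
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0)
        close(fd);
}

struct demo_result run_demo(void)
{
    struct demo_result r = { -1, -1, -1 };
    char root[] = "/tmp/inotify-demo-XXXXXX";
    int ifd;

    if (mkdtemp(root) == NULL)
        return r;
    mkdir(at(root, "Folder"), 0700);
    mkdir(at(root, "Folder/Sub"), 0700);

    /* Case 1: a single watch on the top directory only. */
    if ((ifd = inotify_init1(IN_NONBLOCK)) >= 0) {
        inotify_add_watch(ifd, root, WATCH_MASK);
        touch(at(root, "Folder/file2.txt"));
        r.root_only_saw_nested = event_pending(ifd, 100);
        close(ifd);
    }
    /* Case 2: one watch per directory, as inotify(7) requires. */
    if ((ifd = inotify_init1(IN_NONBLOCK)) >= 0) {
        r.watches_needed = watch_tree(ifd, root);
        touch(at(root, "Folder/Sub/file3.txt"));
        r.tree_saw_nested = event_pending(ifd, 100);
        close(ifd);
    }
    unlink(at(root, "Folder/Sub/file3.txt"));
    unlink(at(root, "Folder/file2.txt"));
    rmdir(at(root, "Folder/Sub"));
    rmdir(at(root, "Folder"));
    rmdir(root);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("root-only watch saw nested create: %d\n", r.root_only_saw_nested);
    printf("watches needed for the tree:       %d\n", r.watches_needed);
    printf("per-directory watches saw create:  %d\n", r.tree_saw_nested);
    return r.tree_saw_nested == 1 ? 0 : 1;
}
```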
[Samba] Samba process throttled back?
Hello,

We are running Samba 3.0.33 on a 2-node Linux cluster running RedHat 5.6 ES. Its primary application is to serve out a single network drive to support our business (about 350GB in size). For several years, this solution has been running flawlessly. File access was almost as fast as a local disk, so putting files on the server was never a problem. Our clients are running mostly Windows XP Pro. We have a few Windows 7 clients.

Almost a year ago, that changed. Applications written in VB 6.0 that read files from the server started showing *significant* performance problems. What used to take seconds now takes more than a minute to finish. Moving the file to a local disk brought the speed back up to where it should be. Moving the file to a Windows 2003 or 2008 server also provided good throughput. All clients experience this same problem.

I ran strace -f against the smbd process that is assigned to my desktop and then ran the VB application to see what the daemon was up to. I discovered that it went through a process of opening the file several times and reading data from it, using progressively smaller buffer sizes until it settled on using a buffer size of 1, which it used for the remainder of the file I/O session.

I've attached the smb.conf file for your reading pleasure. I can attach the strace output file if that would be helpful. I suspect that something changed on the Windows desktop side to bring this about, since we made no changes to our VB code at all.

Richard G. Lang
Sr. Software Engineer
la...@specsensors.com
(330) 659-3312
Re: [Samba] Samba process throttled back?
> I've attached the smb.conf file for your reading pleasure. I can attach the strace output file if that would be helpful.

The list automatically throws away all attachments. Can you post that inline or on pastebin.com and link here or something similar?

John
[Samba] Samba process throttled back?
Sorry - I didn't realize the list wouldn't accept attachments. Here is the smb.conf file:

#Backup Domain Controller
## Global parameters
[global]
unix charset = LOCALE
workgroup = IBMPEERS
netbios name = mustang1
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
passdb backend = ldapsam:ldap://mustang1.si.lan ldap://mustang2.si.lan;
# passdb backend = ldapsam:ldap://mustang1.si.lan;
username map = /etc/samba/smbusers
# interfaces = 192.168.2.242/32
# bind interfaces only = yes
log level = 0
syslog = 1
log file = /var/log/samba/%m
max log size = 1024
name resolve order = wins bcast hosts
guest account = nobody
# printcap name = CUPS
# show add printer wizard = No
logon script = logon.bat
logon path =
logon drive = C:
domain logons = Yes
domain master = No
local master = no
preferred master = no
os level = 0
wins server = mustang2.si.lan
ldap suffix = dc=IBMPEERS,dc=lan
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=IBMPEERS,dc=lan
utmp = no
idmap backend = ldap://mustang2.si.lan
idmap uid = 1-2
idmap gid = 1-2
# printing = cups
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/*.pdf/

#Share Definitions=
[si]
comment = Shared disk service on SI Cluster
veto files = /.clumanager/.rgmanager/
browsable = yes
writable = yes
public = yes
path = /mnt/share/si
#
#- Force all files/dirs to be create group-writeable and world-readable.
#
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

#[test]
# comment = TEST
# browseable = yes
# writable = yes
# public = yes
# path = /tmp/data1
#
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[cdrom]
oplocks = False
level2 oplocks = False
comment = CD-ROM/DVD
path = /mnt/cdrom
read only = Yes
guest ok = Yes
public = Yes
browsable = Yes

Richard G. Lang
Sr. Software Engineer
la...@specsensors.com
(330) 659-3312
Re: [Samba] help - user password expiration in loop
Thanks a lot Christ, I managed using pdbedit.

In fact, many accounts were carrying only the [U], no X (but I clearly remember I changed every user's setting with password never expires from the srvtool graphical tool :s )

Now the only thing I have to do is wait.

Thanks a lot for your time, hoping this will permanently do the job.

Best Regards
Fabio

On Thu, 2011-06-16 at 06:52 -0700, Christ Schlacta wrote:

> use pdbedit or your web-based ldap manager to update the account flags to [UX]. document the previous value before changing the flags. Use smbldap tools to update the expire time. if none of this fixes it, post an ldif of an affected user account, as well as all the info from smbldap-tools about said user.
>
> On 6/16/2011 06:39, Fabio Pardi wrote:
>
> > Hi everybody,
> >
> > I think I need a samba guru to solve this issue, because googling for months did not help and the problem is becoming pressing.
> >
> > I'm facing an annoying problem with samba. In detail, there is something wrong with the password handling. It happens from windows, mac or linux clients.
> >
> > Randomly (probably after $num days), the system asks the user to change the password. After the user did it, the system keeps asking the same, in a sort of loop. The only option to change it is to manually go on the console and issue the command smbldap-passwd username.
> >
> > My system: ubuntu lucid 32 bit
> >
> > smb.conf
> > cut---
> > [global]
> > idmap uid = 1000-15000
> > idmap gid = 1000-15000
> > workgroup = PORTAVITA
> > netbios name = PSAMBA
> > domain logons = Yes
> > domain master = Yes
> > wins support = true
> > obey pam restrictions = Yes
> > dns proxy = No
> > log level = 2
> > os level = 35
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > syslog = 0
> > panic action = /usr/share/samba/panic-action %d
> > pam password change = Yes
> > # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
> > unix password sync = no
> > ldap passwd sync = yes
> > passdb backend = ldapsam:ldap://localhost
> > ldap suffix = dc=pdc
> > ldap admin dn = cn=admin,dc=pdc
> > ldap machine suffix = ou=Computers
> > ldap user suffix = ou=Users
> > ldap group suffix = ou=Groups
> > ldap idmap suffix = ou=Idmap
> > ldap ssl = no
> > add user script = /usr/sbin/smbldap-useradd -m '%u'
> > delete user script = /usr/sbin/smbldap-userdel %u
> > #those scripts are modified so we can create groups also on the system
> > add group script = /usr/sbin/addgroupldap-system '%g'
> > delete group script = /usr/sbin/delgroupldap-system '%g'
> > add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
> > add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
> > delete user from group script = /usr/sbin/del-user-to-group-ldap-system -x '%u' '%g'
> > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '% u'
> > add machine script = /usr/sbin/smbldap-useradd -w '%u'
> > logon drive =
> > logon home =
> > logon path =
> > logon script = users/login.bat
> > server signing = auto
> > server schannel = Auto
> > nt acl support = yes
> >
> > [homes]
> > comment = Home Directories
> > valid users = %S
> > read only = No
> > browseable = No
> >
> > [netlogon]
> > comment = Network Logon Service
> > path = /var/lib/samba/netlogon
> > admin users = root
> > guest ok = Yes
> > browseable = No
> > logon script = login.bat
> >
> > [Software]
> > comment = Software Folder
> > path = /share/software
> > create mask = 0777
> > directory mask = 0777
> > read only = no
> > writable = yes
> > browsable = yes
> > invalid users =guest123
> >
> > [progr]
> > comment = Prog Folder
> > path = /share/prog
> > create mask = 0777
> > directory mask = 0777
> > read only = no
> > writable = yes
> > browsable = yes
> > invalid users =guest123
> > cut
> >
> > samba version from package is 3.4.7
> >
> > ldapadd -V
> > ldapadd: @(#) $OpenLDAP: ldapmodify 2.4.21 (Aug 10 2010 17:07:36) $
> > buildd@rothera:/build/buildd/openldap-2.4.21/debian/build/clients/tools
> > (LDAP library: OpenLDAP 20421)
> > SASL/DIGEST-MD5 authentication started
> >
> > Any help or suggestion is strongly appreciated.
> >
> > Regards,
> > Fabio
Re: [Samba] known incompatibility with msdfs and vfs full_audit combination?
Thanks for the quick response.

> It is supposed to work. It's probably to do with a bad interaction between the faked up connection struct inside the msdfs code and the vfs object. Can you reproduce with either 3.5.8 or 3.6.0rc2 ?

I've just upgraded to 3.5.8 from squeeze backports, upgrade went super smooth, and the problem seems to be gone. :-)

Thanks!
[Samba] Restricting logins using pam_winbind require_membership_of ?
Hi.

I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add require_membership_of to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well?

Regards,
John
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
In the samba share definition you could add

valid users = +group

this should have the effect you're looking for if I understand you correctly. If not my apologies..

On 06/17/2011 12:28 PM, John McNulty wrote:

> Hi.
>
> I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add require_membership_of to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well?
>
> Regards,
> John
[Samba] Windows XP suddenly loses access to servers
Hi, All.

I hope everyone's enjoying the nice weather. I am called the system admin here, but really I just fell into the job over the past 25 years. Is there a way to search the archives?

My problem is that I've suddenly got 6 WinXP desktops that can access only 1 of my 5 smb servers, 4 of which run on Linux and 1 on SCO Unix. The 1 they can access runs Linux with Samba version 3.0.26a and is also my DHCP server and WINS server. SCO Unix runs 2.2.5. Others are versions 3.4.0, 3.5.4, and 3.0.28a. All servers are setup with security = share. I use file permissions to control access.

I have had SCO and 1 Linux running in virtual machines via vmware and virtualbox for about 9 months. In general, I have been running Linux with Samba this way for 8 years and SCO with Samba for 10.

Everything was fine on Wednesday, 6/17 and on Thursday morning WinXP had no access. It reports error 58. I have 5 Linux desktops that report no problems and have access to all servers via smb. No WinXP updates had been installed that I know of and none on Linux, either.

My initial feeling was to blame my switch, but my laptop, running WinXP, can access all servers plugged into the same cat5 cable as any desktop. This one's got me stumped and is stalling my operation.

Thanks for any help,

--
Alex P Janssen Jr
Charlottesville, Virginia
Re: [Samba] Windows XP suddenly loses access to servers
On Fri, Jun 17, 2011 at 03:31:37PM -0400, Alex wrote:

> I hope everyone's enjoying the nice weather. I am called the system admin here, but really I just fell into the job over the past 25 years. Is there a way to search the archives?
>
> My problem is that I've suddenly got 6 WinXP desktops that can access only 1 of my 5 smb servers, 4 of which run on Linux and 1 on SCO Unix. The 1 they can access runs Linux with Samba version 3.0.26a and is also my DHCP server and WINS server. SCO Unix runs 2.2.5. Others are versions 3.4.0, 3.5.4, and 3.0.28a. All servers are setup with security = share. I use file permissions to control access.
>
> I have had SCO and 1 Linux running in virtual machines via vmware and virtualbox for about 9 months. In general, I have been running Linux with Samba this way for 8 years and SCO with Samba for 10.
>
> Everything was fine on Wednesday, 6/17 and on Thursday morning WinXP had no access. It reports error 58. I have 5 Linux desktops that report no problems and have access to all servers via smb. No WinXP updates had been installed that I know of and none on Linux, either.
>
> My initial feeling was to blame my switch, but my laptop, running WinXP, can access all servers plugged into the same cat5 cable as any desktop.

Take a look at https://bugzilla.samba.org/show_bug.cgi?id=8238

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Re: [Samba] Windows XP suddenly loses access to servers
Alex said the following on 06/17/2011 03:31 PM:

> No WinXP updates had been installed that I know of and none on Linux, either.

Ok. I spoke too soon. I just found out that on Thursday morning at 3am my WinXP desktops downloaded and installed Software Distribution Service 3.0 from Microsoft. That broke the connectivity. As soon as I restored WinXP to the day before that update, all was well again.

Sorry for jumping to the list before completing a thorough investigation at my site.

Thanks for your offers of help,
Alex

--
Alex P Janssen Jr
3350 Watts Station Drive
Charlottesville, VA 22911
434-973-8712
a...@ourwoods.org
Re: [Samba] Samba process throttled back?
Lang, Rich wrote:

> Hello,
>
> We are running Samba 3.0.33 on a 2-node Linux cluster running RedHat 5.6 ES. Its primary application is to serve out a single network drive to support our business (about 350GB in size). For several years, this solution has been running flawlessly. File access was almost as fast as a local disk, so putting files on the server was never a problem. Our clients are running mostly Windows XP Pro. We have a few Windows 7 clients.

Any difference in performance between the client types? Did the problems coincide with adding win7 machines to the network?

Any new software on the clients (antivirus, firewall...etc?) Is something using up more memory on them?

On your sockets, I up the SO_RCVBUF and SO_SNDBUF to at least 65536 each (more won't help until full smb2 support is in samba)

Did you get any new windows servers on your network around the time of the problem? I notice that you have your 'os level = 0', that means for things like name resolution, your smb server will have lowest priority -- even below a win98 client, as I understand it.

You mention you ran an 'strace -f' on smbd. Have you looked at a wireshark trace? That would tell you more -- like when negotiating a TCP session, if your windows client keeps reducing the RCV buffer size that would have told you why the reads were getting smaller.

Maybe you are getting packet drops, or similar -- Reminds me, do you have switches or hubs, what type of ethernet speed...I take it nothing in the hardware on the clients or the server has changed?

You say you are using RH. Has the SW remained static since installation and through this problem increase (I.e. an auto-update of SW might have changed some setting in the kernel, or some firewall might have been added, modified, etc...)...

Are the windows clients 'paging' more? I.e. was there any change in the VB script or the SW it's using such that now there could be a memory leak, thus increased paging?

Have you set/optimized your TCP/IP params on XP? (and what little you can do on Win7... which is less configurable than XP)

Have you added more clients (significant?)...

On the Win clients...what SP are the XP clients running at? Many people complained when SP2 came out -- especially affected were network applications. SP3 has the best performance of the XP series (even better than the original), while SP1 was slower than 'SP0' (original), and SP2 was slower still...

I don't have any specific theories...just asking for more data at this point, since there are so many possible variables...and just having the information out there would help anyone investigate the problem...

Good luck!
Linda
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  d2bc45e build: only use the git version on install, not in the build tree
       via  0b3b7e3 samba-tool: exit with non-zero status on dbcheck failure
       via  b07e493 talloc: added talloc_stackframe_exists()
       via  e080ae0 s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST'
       via  705ed1c samba-tool: show success message on group operations
      from  0c3075c s4-pysamdb: fixed the normalisation of grouptype in group add

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit d2bc45e7ffb4e8d47878a6fc53c5f5c90dfd2114
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 15:21:39 2011 +1000

    build: only use the git version on install, not in the build tree

    having the git version in our version.h in the build tree is annoying for developers, as every time you commit or rebase you need to spend several minutes re-linking. This changes it to use the git version only on install, which is much more useful as when you actually install the binaries you may be using them in a way that reporting the version is useful

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org
    Autobuild-User: Andrew Tridgell tri...@samba.org
    Autobuild-Date: Fri Jun 17 08:37:06 CEST 2011 on sn-devel-104

commit 0b3b7e3797a9aa0dc8f0922c8cd873b0f0b3231e
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 14:40:48 2011 +1000

    samba-tool: exit with non-zero status on dbcheck failure

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit b07e4933b7ed4b2452cfdd9d223eecb8c0b74fec
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 14:22:28 2011 +1000

    talloc: added talloc_stackframe_exists()

    This can be used to tell if a talloc stackframe is currently available. Callers can use this to decide if they will use talloc_tos() or instead use an alternative strategy.

    This gives us a way to safely have calls to talloc_tos() in common code that may end up in external libraries, as long as all talloc_tos() calls in these pieces of common code check first that a stackframe is available.

commit e080ae0faa2556825189f82fa61a7ff5f249dbc5
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 13:47:14 2011 +1000

    s4-auth: quiet down the krb5 warnings when kerberos is not set to 'MUST'

    this prevents spurious error messages on client commands when we will fallback to NTLM authentication

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 705ed1c4921a1456ebcf80ac352567679ab7dfa9
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 13:35:52 2011 +1000

    samba-tool: show success message on group operations

---

Summary of changes:
 buildtools/wafsamba/samba_patterns.py | 3 ++-
 buildtools/wafsamba/samba_version.py | 15 +--
 lib/util/talloc_stack.c | 17 +
 lib/util/talloc_stack.h | 8
 source4/auth/credentials/credentials_krb5.c | 6 +-
 source4/auth/gensec/gensec.c | 2 +-
 source4/scripting/python/samba/netcmd/dbcheck.py | 4 +++-
 source4/scripting/python/samba/netcmd/group.py | 4
 wscript | 2 +-
 wscript_build | 2 +-
 10 files changed, 51 insertions(+), 12 deletions(-)

Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_patterns.py b/buildtools/wafsamba/samba_patterns.py index 37ef419..f064608 100644 --- a/buildtools/wafsamba/samba_patterns.py +++ b/buildtools/wafsamba/samba_patterns.py @@ -10,7 +10,7 @@ def write_version_header(task): src = task.inputs[0].srcpath(task.env) tgt = task.outputs[0].bldpath(task.env) -version = samba_version_file(src, task.env.srcdir, env=task.env) +version = samba_version_file(src, task.env.srcdir, env=task.env, is_install=task.env.is_install) string = str(version) f = open(tgt, 'w') @@ -26,4 +26,5 @@ def SAMBA_MKVERSION(bld, target): source= 'VERSION', target=target, always=True) +t.env.is_install = bld.is_install Build.BuildContext.SAMBA_MKVERSION = SAMBA_MKVERSION 
diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py index 0b0c159..0c39ed4 100644 --- a/buildtools/wafsamba/samba_version.py +++ b/buildtools/wafsamba/samba_version.py @@ -90,7 +90,7 @@ def git_version_summary(path, env=None): class SambaVersion(object): -def __init__(self, version_dict, path, env=None): +def __init__(self, version_dict, path, env=None, is_install=True): '''Determine the version
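Review bot: in samba_version.py the new `is_install` argument of `SambaVersion.__init__` defaults to `True`, so any caller that does not pass it still gets the install behaviour, which is the opposite of what the commit wants for the build tree. Defaulting to `False`, or making the argument required, would make install the explicit case; `write_version_header()` already passes `is_install=task.env.is_install`, so that call site is unaffected. The docstring that starts at "Determine the version" should also say what the flag changes.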
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  acc9535 s4-errors: Import error maps from the source3/ unix - ntstatus mapping
       via  4162c7b errors: reorder error codes for easier s3/s4 comparison
       via  e645675 s4-util: removed the s4 nterr.c
       via  2644097 s3-util: remove the s3 nterr.c
       via  b341979 util: moved nt_errstr() into common code
       via  1233ba7 libclu/util: Move get_friendly_nt_error_msg() in common.
      from  d2bc45e build: only use the git version on install, not in the build tree

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit acc95354008ff11be5e59f74481228f04869095c
Author: Andrew Bartlett abart...@samba.org
Date: Fri Jun 17 17:07:26 2011 +1000

    s4-errors: Import error maps from the source3/ unix - ntstatus mapping

    We need to synchronise these mappings, as the duplication of this symbol in the build means that either may be called based only on library link orders.

    Andrew Bartlett

    Autobuild-User: Andrew Bartlett abart...@samba.org
    Autobuild-Date: Fri Jun 17 10:22:07 CEST 2011 on sn-devel-104

commit 4162c7b74aa94ee77ef47f0abae058b80eca6e38
Author: Andrew Bartlett abart...@samba.org
Date: Fri Jun 17 16:06:34 2011 +1000

    errors: reorder error codes for easier s3/s4 comparison

commit e645675aa46e945da5293b54a1bd368599b7b5a7
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 14:40:26 2011 +1000

    s4-util: removed the s4 nterr.c

    this is now in common code

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 264409750a569b632576e8cd6fddd72fc29e9660
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 14:40:07 2011 +1000

    s3-util: remove the s3 nterr.c

    this is now in common code

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit b341979adb950ae6abd518df3a170db9e9708797
Author: Andrew Tridgell tri...@samba.org
Date: Fri Jun 17 14:39:37 2011 +1000

    util: moved nt_errstr() into common code

    this brings nt_errstr() into common code, using the new talloc_stackframe_exists() to ensure that we only allocate an error string using talloc_tos() if a talloc stackframe does currently exist. This makes it safe to use in external libraries

    Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 1233ba7bf3d2dfd9a84eb52d601e589411c55185
Author: Andrew Bartlett abart...@samba.org
Date: Thu Jun 16 13:00:09 2011 +1000

    libclu/util: Move get_friendly_nt_error_msg() in common.

    Andrew Bartlett

    Signed-off-by: Andrew Tridgell tri...@samba.org

---

Summary of changes:
 libcli/util/nterr.c | 58 ++
 libcli/util/ntstatus.h | 9 +
 libcli/util/wscript_build | 2 +-
 source3/Makefile.in | 2 +-
 source3/include/proto.h | 7
 source3/lib/errmap_unix.c | 22 ++--
 source3/libsmb/nterr.c | 77
 source3/wscript_build | 2 +-
 source4/libcli/util/errormap.c | 17 +++--
 source4/libcli/util/nterr.c | 74 --
 source4/libcli/wscript_build | 2 +-
 11 files changed, 96 insertions(+), 176 deletions(-)
 delete mode 100644 source3/libsmb/nterr.c
 delete mode 100644 source4/libcli/util/nterr.c

Changeset truncated at 500 lines:

diff --git a/libcli/util/nterr.c b/libcli/util/nterr.c index 5f31c3c..1158fdd 100644 --- a/libcli/util/nterr.c +++ b/libcli/util/nterr.c @@ -1,7 +1,10 @@ /* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines + * * Copyright (C) Luke Kenneth Casson Leighton 1997-2001. + * Copyright (C) Andrew Bartlett + * Copyright (C) Andrew Tridgell * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -906,3 +909,58 @@ NTSTATUS nt_status_squash(NTSTATUS nt_status) return nt_status; } } + +/* + Returns an NT error message. not amazingly helpful, but better than a number. + */ + +const char *nt_errstr(NTSTATUS nt_code) +{ + int idx = 0; + char *result; + + while (nt_errs[idx].nt_errstr != NULL) { + if (NT_STATUS_V(nt_errs[idx].nt_errcode) == + NT_STATUS_V(nt_code)) { + return nt_errs[idx].nt_errstr; + } + idx++; + } + + if (!talloc_stackframe_exists()) { + /* prevent memory leaks from talloc_tos() by using a +* static area. This means the caller will overwrite +* the string
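Review bot: in the new nt_errstr() in libcli/util/nterr.c, the branch taken when talloc_stackframe_exists() returns false hands back a pointer into a static area, so the string is only valid until the next call and the function is not safe to call from two threads at once. That lifetime rule is currently only a comment inside the branch; it belongs in the comment above the function, since callers in external libraries are the ones that reach this path and they need to know to copy the string before calling again. A smaller style point on the first hunk: the two added copyright lines carry no years, unlike the existing "1997-2001" line.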
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated
       via  4a9a11c s3:libsmb/clireadwrite: calculate cli_write_max_bufsize() correct based on max_xmit
       via  0144836 s3:libsmb/clireadwrite: calculate cli_read_max_bufsize() correct based on max_xmit
       via  ed31c08 s3:libsmb/clitrans: correctly transfer the seqnum between secondary and primary requests
       via  fa1ff15 s3:libsmb/clitrans: fix handling of multi pdu [nt]trans[s][2] calls
       via  09da3b1 s3:libsmb/clitrans: use subreq2 as variable for the secondary requests
       via  036c8b7 s3:libsmb/clitrans: move MID handling to the end of cli_trans_send() and add a comment
       via  da5870b s3:libsmb/clitrans: correctly marshall [nt]trans[s][2] requests
       via  6e3eefa s3:libsmb/clitrans: marshall SMBnttrans[2] as the others
       via  0440d3c s3:libsmb/clitrans: use uint32_t for param and data variables
       via  c5434b5 s3:libsmb/clitrans: remove unused secondary_request_ctx
       via  bad85df s3:libsmb/async_smb: add helpers to get and set the seqnum for signing
       via  60932bc s3:libsmb/async_smb: don't remove pending requests if the mid is set
       via  43f383b s3:libsmb/async_smb: call cli_smb_req_unset_pending() instead of destructor directly
       via  956bbf7 s3:libsmb/async_smb: let cli_smb_recv() initialize output values for one way requests
      from  2dec07d s3:libsmb/cli_np_tstream: s/TSTREAM_CLI_NP_BUF_SIZE/TSTREAM_CLI_NP_MAX_BUF_SIZE

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test

- Log -
commit 4a9a11c0398692fe103597c8694867d6b6184134
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 19:01:13 2011 +0200

    s3:libsmb/clireadwrite: calculate cli_write_max_bufsize() correct based on max_xmit

    This is important in order to support DCERPC over ncacn_np against NT4 servers, where max_xmit is just 4356.

    metze
    (cherry picked from commit f0ba1afe5f7dbafaf22c3028864de0f3910f675f)

    The last 14 patches address the generic part of bug #8195 (rpc client code doesn't work against NT4, when we need to fragment requests).

commit 01448363c55ea890c7c6733213681cb3c4165fc3
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 18:59:39 2011 +0200

    s3:libsmb/clireadwrite: calculate cli_read_max_bufsize() correct based on max_xmit

    This is important in order to support DCERPC over ncacn_np against NT4 servers, where max_xmit is just 4356.

    metze
    (cherry picked from commit 73128b7cc7f536f80072a19cb69527c53d9a6c2f)

commit ed31c08d2aa59ec81dbcc747cfe7f0d42f9d9e3b
Author: Stefan Metzmacher me...@samba.org
Date: Thu Jun 9 11:57:55 2011 +0200

    s3:libsmb/clitrans: correctly transfer the seqnum between secondary and primary requests

    This is needed to implement SMB signing correct.

    metze
    (cherry picked from commit 5d06b2197b5fd95aaf0394d1bdba957bac6c3570)

commit fa1ff15b19df1e0cf2a2616bdcb28554a8e2458b
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 10:31:23 2011 +0200

    s3:libsmb/clitrans: fix handling of multi pdu [nt]trans[s][2] calls

    We now keep the primary request open for the whole logical request. The primary request is the one that gets all incoming replies. While secondary requests are handled as separate one-way requests.

    metze
    (cherry picked from commit 1dd24ac06a7472f53b06bc0aaa54cb22c8da0f78)

commit 09da3b1fa685973619c833cc14e375abf859b5c1
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 16:41:11 2011 +0200

    s3:libsmb/clitrans: use subreq2 as variable for the secondary requests

    metze
    (cherry picked from commit 10bb088cf1e005fd047c09afcf6b5b8999d416fe)

commit 036c8b736852d002e0806f5c36b698c19b42ec98
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 16:11:00 2011 +0200

    s3:libsmb/clitrans: move MID handling to the end of cli_trans_send() and add a comment

    metze
    (cherry picked from commit 5146c9ba9df063d6611abe356f9262adb027b091)

commit da5870b0073ad2a8b3f1bd3957551283a5f0da33
Author: Stefan Metzmacher me...@samba.org
Date: Wed Jun 8 00:44:34 2011 +0200

    s3:libsmb/clitrans: correctly marshall [nt]trans[s][2] requests

    We need to align params and data to 4 byte offsets. This also correctly recalculates the useable space after each step.

    metze
    (cherry picked from commit 0a8fd50bd806e925a915c74cb86733481b2144f6)

commit 6e3eefad3a265e7417ab9393fe8fc276523efd8a
Author: Stefan Metzmacher me...@samba.org
Date: Thu Jun 9 12:22:59 2011 +0200

    s3:libsmb/clitrans: marshall SMBnttrans[2] as the others

    This is just to make the code more readable and easier to notice how many words we're using in vwv.

    metze
    (cherry picked from commit 6f7af1b0388d30c8a06c495713066b90ded00780)

commit 0440d3cb3585ceb636d7945c10d1a2b269401312
Author: Stefan Metzmacher me...@samba.org
Date:
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via a33b603 libreplace: include sys/file.h only when available from 4829da5 s3-docs Add documentation for 'client use spnego principal' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit a33b6032beb45f7ba07432899236fccb133a6dfc Author: Björn Jacke b...@sernet.de Date: Sun May 30 21:52:39 2010 +0200 libreplace: include sys/file.h only when available thanks to Joachim Schmitz schm...@hp.com. This fixes #7460. --- Summary of changes: lib/replace/system/config.m4 |2 +- lib/replace/system/filesys.h |2 ++ 2 files changed, 3 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/replace/system/config.m4 b/lib/replace/system/config.m4 index 39c2f58..b8568a5 100644 --- a/lib/replace/system/config.m4 +++ b/lib/replace/system/config.m4 @@ -1,7 +1,7 @@ # filesys AC_HEADER_DIRENT AC_CHECK_HEADERS(fcntl.h sys/fcntl.h sys/resource.h sys/ioctl.h sys/mode.h sys/filio.h sys/fs/s5param.h sys/filsys.h) -AC_CHECK_HEADERS(sys/acl.h acl/libacl.h) +AC_CHECK_HEADERS(sys/acl.h acl/libacl.h sys/file.h) # select AC_CHECK_HEADERS(sys/select.h) diff --git a/lib/replace/system/filesys.h b/lib/replace/system/filesys.h index 22e3d23..6cf2dd2 100644 --- a/lib/replace/system/filesys.h +++ b/lib/replace/system/filesys.h @@ -77,7 +77,9 @@ #include sys/filio.h #endif +#ifdef HAVE_SYS_FILE_H #include sys/file.h +#endif #ifdef HAVE_FCNTL_H #include fcntl.h -- Samba Shared Repository
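Review bot: in the lib/replace/system/config.m4 hunk, sys/file.h is appended to the AC_CHECK_HEADERS(sys/acl.h acl/libacl.h) line, which otherwise probes only ACL headers. It would sit more naturally on the preceding AC_CHECK_HEADERS(fcntl.h sys/fcntl.h ...) line with the other filesystem headers; the HAVE_SYS_FILE_H define that filesys.h tests is produced either way, so this is purely about keeping the check where the next reader will look for it.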
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via df22e63 s3:utils/net_*registry: use c99 initializers which are supported by old gcc 2.95 compilers (bug #8226) from 4a9a11c s3:libsmb/clireadwrite: calculate cli_write_max_bufsize() correct based on max_xmit http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit df22e635f51d3423e8e8a810de57270b3c13edd3 Author: Stefan Metzmacher me...@samba.org Date: Wed Jun 15 02:34:53 2011 +0200 s3:utils/net_*registry: use c99 initializers which are supported by old gcc 2.95 compilers (bug #8226) metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 15 03:48:41 CEST 2011 on sn-devel-104 (cherry picked from commit 5d736d87778754de7043d902c7d1d5db1c46cb02) --- Summary of changes: source3/utils/net_registry.c |8 +--- source3/utils/net_rpc_registry.c |4 +++- 2 files changed, 8 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c index 19405e2..dcc88a9 100644 --- a/source3/utils/net_registry.c +++ b/source3/utils/net_registry.c @@ -958,9 +958,11 @@ static int net_registry_import(struct net_context *c, int argc, .createkey = (reg_import_callback_createkey_t)import_create_key, .deletekey = (reg_import_callback_deletekey_t)import_delete_key, .deleteval = (reg_import_callback_deleteval_t)import_delete_val, - .setval.registry_value = (reg_import_callback_setval_registry_value_t) - import_create_val, - .setval_type = REGISTRY_VALUE, + .setval = { + .registry_value = (reg_import_callback_setval_registry_value_t) + import_create_val, + }, + .setval_type = REGISTRY_VALUE, .data= import_ctx }; diff --git a/source3/utils/net_rpc_registry.c b/source3/utils/net_rpc_registry.c index 20a6bda..dde129f 100644 --- a/source3/utils/net_rpc_registry.c +++ b/source3/utils/net_rpc_registry.c 
@@ -1959,7 +1959,9 @@ static NTSTATUS rpc_registry_import_internal(struct net_context *c, .createkey = (reg_import_callback_createkey_t)import_create_key, .deletekey = (reg_import_callback_deletekey_t)import_delete_key, .deleteval = (reg_import_callback_deleteval_t)import_delete_val, - .setval.blob = (reg_import_callback_setval_blob_t)import_create_val, + .setval = { + .blob = (reg_import_callback_setval_blob_t)import_create_val, + }, .setval_type = BLOB, .data = import_ctx }; -- Samba Shared Repository
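Review bot: in the source3/utils/net_registry.c hunk the ".setval_type = REGISTRY_VALUE," line is removed and re-added with the same text as shown here, so it appears to be a whitespace-only change riding along with the initializer fix. Leaving that line untouched would keep the diff to the lines that matter for bug #8226 and make the cherry-pick easier to audit.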
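Review bot: the reason for writing ".setval = { .blob = ... }," instead of ".setval.blob = ..." in the source3/utils/net_rpc_registry.c hunk is recorded only in the commit subject. A one-line comment above the initializer saying that the nested designator form is avoided for gcc 2.95 would stop a later cleanup from reintroducing exactly what this patch removes; the same comment belongs next to the .registry_value initializer in net_registry.c.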
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via df0a827 s3:wb_lookupsids: add some paranoia checks to wb_lookupsids_recv() via e26fb59 s3:wb_lookupsids: don't ignore 'result' and check if we got useable values via 1269dec Revert s3-winbind: Fix paranoia checks in winbindd_samr.c. from df22e63 s3:utils/net_*registry: use c99 initializers which are supported by old gcc 2.95 compilers (bug #8226) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit df0a827e74096b295c7624278ca5f0b7b7e8d6e5 Author: Stefan Metzmacher me...@samba.org Date: Thu Jun 16 18:25:15 2011 +0200 s3:wb_lookupsids: add some paranoia checks to wb_lookupsids_recv() This hopefully catches future bugs. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jun 16 19:50:16 CEST 2011 on sn-devel-104 (cherry picked from commit 5961852d9c0e5cf64cea988586d610af9d63d487) commit e26fb591060b10880b25f6b0a4437f9c9052dab4 Author: Stefan Metzmacher me...@samba.org Date: Thu Jun 16 18:16:15 2011 +0200 s3:wb_lookupsids: don't ignore 'result' and check if we got useable values The wrong fix for bug #8215 discovered this bug, as it caused sam_rids_to_names() to always return NT_STATUS_NONE_MAPPED. metze (cherry picked from commit 85809ccbe3a79f307af1fdd227f33b899d8db1b4) commit 1269dec1b0121fcbf6dda36a385a4a510232124e Author: Stefan Metzmacher me...@samba.org Date: Thu Jun 16 18:40:04 2011 +0200 Revert s3-winbind: Fix paranoia checks in winbindd_samr.c. This reverts commit 207a84d725b905c2b119d2ef0f4f4d4eb391140d. This is the wrong fix for the problem, see bug #8215. metze (cherry picked from commit 283f8a7fb5089a7126f07e26315fd06ab59997d8) --- Summary of changes: source3/winbindd/wb_lookupsids.c | 70 +++-- source3/winbindd/winbindd_samr.c |4 +- 2 files changed, 68 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c index 05601ad..bf2ddb3 100644 --- a/source3/winbindd/wb_lookupsids.c 
+++ b/source3/winbindd/wb_lookupsids.c @@ -428,6 +428,7 @@ static void wb_lookupsids_done(struct tevent_req *subreq) req, struct wb_lookupsids_state); struct wb_lookupsids_domain *d; uint32_t i; + bool fallback = false; NTSTATUS status, result; @@ -437,13 +438,31 @@ static void wb_lookupsids_done(struct tevent_req *subreq) return; } + d = state-domains[state-domains_done]; + + if (NT_STATUS_IS_ERR(result)) { + fallback = true; + } else if (state-tmp_names.count != d-sids.num_sids) { + fallback = true; + } + + if (fallback) { + for (i=0; i d-sids.num_sids; i++) { + uint32_t res_sid_index = d-sid_indexes[i]; + + state-single_sids[state-num_single_sids] = + res_sid_index; + state-num_single_sids += 1; + } + state-domains_done += 1; + wb_lookupsids_next(req, state); + return; + } + /* -* Ignore result here. We depend on the individual states in -* the translated names. +* Look at the individual states in the translated names. */ - d = state-domains[state-domains_done]; - for (i=0; istate-tmp_names.count; i++) { uint32_t res_sid_index = d-sid_indexes[i]; @@ -544,6 +563,7 @@ static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq) NTSTATUS status, result; struct wb_lookupsids_domain *d; uint32_t i; + bool fallback = false; status = dcerpc_wbint_LookupRids_recv(subreq, state, result); TALLOC_FREE(subreq); @@ -552,6 +572,30 @@ static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq) } d = state-domains[state-domains_done]; + + if (NT_STATUS_IS_ERR(result)) { + fallback = true; + } else if (state-rid_names.num_principals != d-sids.num_sids) { + fallback = true; + } + + if (fallback) { + for (i=0; i d-sids.num_sids; i++) { + uint32_t res_sid_index = d-sid_indexes[i]; + + state-single_sids[state-num_single_sids] = + res_sid_index; + state-num_single_sids += 1; + } + state-domains_done += 1; + wb_lookupsids_next(req, state); + return; + } + + /* +* Look at the individual states in the translated names. +*/ +
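Review bot: the fallback loop added to wb_lookupsids_done() stores every index of the current domain into single_sids and increments num_single_sids with no bound check visible in the hunk. This path runs precisely when the reply is an error or its count disagrees with the number of SIDs asked for, so it is worth checking num_single_sids against the allocated size of single_sids before each store, or adding a comment that states why the array can always hold all of a domain's SIDs.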
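Review bot: the fallback block in wb_lookupsids_lookuprids_done() is a copy of the one added to wb_lookupsids_done(); only the count being compared differs (rid_names.num_principals versus tmp_names.count). A small static helper that moves the current domain's sid_indexes to single_sids, advances domains_done and calls wb_lookupsids_next() would keep the two paths from drifting apart. It is also the natural place for a DEBUG message recording that a reply was rejected, which neither copy logs, so a server returning inconsistent results currently leaves no trace.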
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via b08149c s3: improve WHATSNEW around kerberos changes from df0a827 s3:wb_lookupsids: add some paranoia checks to wb_lookupsids_recv() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit b08149c6b8ddcac1399808b1b96e1fc08d382318 Author: Andrew Bartlett abart...@samba.org Date: Tue Jun 14 21:51:36 2011 +1000 s3: improve WHATSNEW around kerberos changes --- Summary of changes: WHATSNEW.txt | 19 ++- 1 files changed, 10 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c3c514c..813d5b3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -30,15 +30,16 @@ released in-kernel CIFS client. To re-enable the poorer NTLM encryption set '--option=clientusentlmv2auth=no' on your smbclient command line, or set 'client ntlmv2 auth = no' in your smb.conf -The impact of 'client use spnego principal = no' is that we may be able -to use Kerberos to communicate with a server less often in smbclient, -winbind and other Samba client tools. We may fall back to NTLMSSP in -more situations where we would previously rely on the insecure -indication from the 'NegProt' CIFS packet. This mostly occursed when -connecting to a name alias not recorded as a servicePrincipalName for -the server. This indication is not available from Windows 2008 or later -in any case, and is not used by modern Windows clients, so this makes -Samba's behaviour consistent with other clients and against all servers. +The impact of 'client use spnego principal = no' is that Samba will +use CIFS/hostname to obtain a kerberos ticket, acting more like +Windows when using Kerberos against a CIFS server in smbclient, +winbind and other Samba client tools. This will change which servers +we will successfully negotiate kerberos connections to. This is due +to Samba no longer trusting a server-provided hint which is not +available from Windows 2008 or later. For correct operation with all +clients, all aliases for a server should be recorded as a as a +servicePrincipalName on the server's record in AD. (For this reason, +this behavior change and parameter was also made in Samba 3.5.9) The impact of 'send spnego principal = no' is to match Windows 2008 and not to send this principal, making existing clients give more consistent -- Samba Shared Repository
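Review bot: the rewritten paragraph drops the statement from the removed text that Samba "may fall back to NTLMSSP in more situations", and now says only that the change affects "which servers we will successfully negotiate kerberos connections to". What happens when Kerberos is not negotiated is the part an administrator needs in order to judge the impact, so the fallback should stay in the text. In the same hunk, "should be recorded as a as a servicePrincipalName" has a doubled "as a", the closing parenthetical lacks a full stop and pairs a plural subject with "was", and "kerberos" is lower-case in two places while "Kerberos" is used elsewhere in the paragraph.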
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8925b0c [PATCH] s3-WHATSNEW 3.5.9 Add information on kerberos change from ec99588 Update latest stable release. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 8925b0ceed6bfb6109a5283ce040fd705421a427 Author: Andrew Bartlett abart...@samba.org Date: Fri Jun 17 22:06:10 2011 +0200 [PATCH] s3-WHATSNEW 3.5.9 Add information on kerberos change This patch modifies the release notes after the release, so the hints are not included in the 3.5.9 tarball. --- Summary of changes: history/samba-3.5.9.html | 15 +++ 1 files changed, 15 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/history/samba-3.5.9.html b/history/samba-3.5.9.html index 8450077..feb9b58 100755 --- a/history/samba-3.5.9.html +++ b/history/samba-3.5.9.html @@ -25,6 +25,21 @@ Major enhancements in Samba 3.5.9 include: o Sgid bit lost on folder rename (bug #7996). o ACL can get lost when files are being renamed (bug #7987). o Respect allow trusted domains = no in Winbind (bug #6966). +o Samba now follows Windows behaviour as a kerberos client, + requesting a CIFS/ ticket (bug #7893). + +New Kerberos behaviour +-- + +A new parameter 'client use spnego principal' defaults to 'no' and +means Samba will use CIFS/hostname to obtain a kerberos ticket, acting +more like Windows when using Kerberos against a CIFS server in +smbclient, Winbind and other Samba client tools. This will change +which servers we will successfully negotiate Kerberos connections to. +This is due to Samba no longer trusting a server-provided hint which +is not available from Windows 2008 or later. For correct operation +with all clients, all aliases for a server should be recorded as a as +a servicePrincipalName on the server's record in AD. Changes since 3.5.8: -- Samba Website Repository
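Review bot: the added bullet in history/samba-3.5.9.html reads "requesting a CIFS/ ticket (bug #7893)" with nothing after the slash as shown here, while the paragraph below it says "CIFS/hostname". If a placeholder was written in angle brackets it needs escaping in this HTML file, otherwise the bullet should spell out CIFS/hostname to match. The new paragraph also repeats the "recorded as a as a servicePrincipalName" slip from WHATSNEW.txt.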
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bb66504 s3:modules fix Bug 8244 - Cannot copy files larger than 2 GB to Samba share from acc9535 s4-errors: Import error maps from the source3/ unix - ntstatus mapping http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bb66504dadf56366ea30697ae73673de3df08132 Author: Christian Ambach a...@samba.org Date: Fri Jun 17 21:54:30 2011 +0200 s3:modules fix Bug 8244 - Cannot copy files larger than 2 GB to Samba share the time_audit module uses int instead of uint64 as return value in get_alloc_size so that sizes of files larger than 2 GB are cut of leading to wrong replies to NtCreateAndX and Windows clients giving up While checking the types of all functions, I found two more wrong return value types that needed correction Autobuild-User: Christian Ambach a...@samba.org Autobuild-Date: Fri Jun 17 23:11:10 CEST 2011 on sn-devel-104 --- Summary of changes: source3/modules/vfs_time_audit.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_time_audit.c b/source3/modules/vfs_time_audit.c index 0f32619..25332e4 100644 --- a/source3/modules/vfs_time_audit.c +++ b/source3/modules/vfs_time_audit.c @@ -564,7 +564,7 @@ static SMB_OFF_T smb_time_audit_lseek(vfs_handle_struct *handle, files_struct *fsp, SMB_OFF_T offset, int whence) { - ssize_t result; + SMB_OFF_T result; struct timespec ts1,ts2; double timediff; @@ -721,7 +721,7 @@ static uint64_t smb_time_audit_get_alloc_size(vfs_handle_struct *handle, files_struct *fsp, const SMB_STRUCT_STAT *sbuf) { - int result; + uint64_t result; struct timespec ts1,ts2; double timediff; @@ -2216,7 +2216,7 @@ static ssize_t smb_time_audit_aio_return(struct vfs_handle_struct *handle, struct files_struct *fsp, SMB_STRUCT_AIOCB *aiocb) { - int result; + ssize_t result; struct timespec ts1,ts2; double timediff; -- Samba Shared Repository
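Review bot: nothing in the patch guards the change of "int result" to "uint64_t result" in smb_time_audit_get_alloc_size() against regression. A test that writes a file larger than 2 GB to a share with the time_audit module loaded would cover bug 8244 directly. Since the defect is a local variable narrower than the function's declared return type, building the VFS modules with conversion warnings enabled would also catch further instances of the same pattern.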
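Review bot: the hunks for smb_time_audit_lseek() (ssize_t to SMB_OFF_T) and smb_time_audit_aio_return() (int to ssize_t) appear in the commit message only as "two more wrong return value types". Naming both functions in the log would let someone tracking a large-file seek or AIO return-value problem find this commit, and would make it clear that the lseek change is a correctness fix wherever ssize_t is narrower than SMB_OFF_T rather than a cosmetic one.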