Re: [Samba] tkey-gssapi-credential and bind (Samba4)

2011-06-22 Thread Marcel Ritter
Hi Mauricio,

the easiest way to find out where named fails may be to
do an strace -f /usr/sbin/named ... (don't forget to set/export
the keytab environment variables before doing so).

Check the output of strace for accesses to the keytab file and
you will get some hints about what's wrong. You may also want
to check for the files mentioned below in the apparmor list.

In my apparmor config (Ubuntu 10.04) I had to add some more
entries (the list is far from optimized, but it works for me).

/opt/samba4/private/dns.keytab kr,
/opt/samba4/private/named.conf.update kr,
/opt/samba4/private/named.conf kr,
/opt/samba4/private/dns/* krw,
/var/tmp/krb5_* rw,
/var/tmp/DNS_* rw,

If you like you can send me the strace log in private, I'll have a look.
(AFAIK the allowed size of attachments on the list is quite small).

Bye,
Marcel

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Mauricio Tavares
Sent: Tuesday, 21 June 2011 21:23
To: samba@lists.samba.org
Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)

On Tue, Jun 21, 2011 at 1:14 PM, Aaron E. ssures...@gmail.com wrote:
 In my experience this is due to gssapi not being compiled to the 
 correct directory for bind.. I also used 11.04 and my compile path was 
 --with-gssapi=/usr/include/gssapi,, instead of /usr

  Aaron, in my case it seems to be pointing to /usr:

root@sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root@sambabox:~#



 On 06/21/2011 10:45 AM, Marcel Ritter wrote:

 Hi Mauricio,

 this is usually caused by one of 3 things:

 1) bind is started without KRB5_KTNAME being set, and
      therefore doesn't know where to look for its keytab

   Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE=/var/lib/samba/private/dns.keytab
KRB5_KTNAME=/var/lib/samba/private/dns.keytab
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

 2) the bind user does not have access permission to the
     keytab (or any directory in its path)

  As user bind (I edited /etc/passwd temporarily) I was able to reach that 
file:

bind@sambabox:~$ cat /var/lib/samba/private/dns.keytab 
HTEST.DOMAIN.COMDNStest.domain.com
[...]

 3) I also had problems related to apparmor (on Ubuntu 10.04)
     where the apparmor security framework prevented bind
     from accessing the keytab, even if file permissions were ok

  I edited # /etc/apparmor.d/usr.sbin.named per 
http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html
, adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

 Hope this helps,
     Marcel

 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org]
 On behalf of Mauricio Tavares
 Sent: Tuesday, 21 June 2011 16:11
 To: samba@lists.samba.org
 Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

       So I am in step 10 of the samba4 howto
 (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
 my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add

    tkey-gssapi-credential DNS/samdom.example.com;
    tkey-domain SAMDOM.EXAMPLE.COM;

 to /etc/bind/named.conf.options. Since my test domain is 
 test.domain.com, I changed the above to

    tkey-gssapi-credential DNS/test.domain.com;
    tkey-domain TEST.DOMAIN.COM;

 In the log file I have:

 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
 Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
 Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
 Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
 Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
 Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
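The three causes Marcel lists (KRB5_KTNAME not set, the bind user unable to reach the keytab, AppArmor denying the open) can be checked in that order before reaching for strace. The script below is an added example, not code from this thread, Samba or BIND; it assumes a `stat -c` that understands `%U %G %a` (GNU coreutils or busybox), that named runs as the user you name on the command line, and the Debian/Ubuntu profile path `/etc/apparmor.d/usr.sbin.named`, which a third argument overrides.

```shell
#!/bin/sh
# Added example: diagnose "configuring TKEY: failure" by walking the three
# causes in order.  Assumes stat -c '%U %G %a' (GNU/busybox) and that named
# drops to the service user given as $2 before it opens the keytab.

# mode_allows FILE USER r|x
# Decide from the permission bits alone whether USER may read (r) or
# traverse (x) FILE.  root's override is deliberately ignored: a root shell
# would pass "test -r" even though named runs as the bind user.
mode_allows() {
    file=$1; user=$2; want=$3
    out=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 2
    set -- $out
    owner=$1; group=$2
    mode=$(printf '%04d' "$3" | tail -c 3)      # drop setuid/setgid/sticky
    case $want in r) bit=4 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$owner" = "$user" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        digit=$(printf '%s' "$mode" | cut -c2)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
    fi
    [ $((digit & bit)) -ne 0 ]
}

# keytab_check KEYTAB USER [APPARMOR_PROFILE]
# Prints the first failing cause and returns its number (1, 2 or 3); 0 when
# every check passes.
keytab_check() {
    keytab=$1; user=$2; profile=${3:-/etc/apparmor.d/usr.sbin.named}

    # cause 1: the environment named is started with
    if [ -z "${KRB5_KTNAME:-}" ]; then
        echo "cause 1: KRB5_KTNAME is not set in named's environment"; return 1
    fi
    if [ "$KRB5_KTNAME" != "$keytab" ]; then
        echo "cause 1: KRB5_KTNAME=$KRB5_KTNAME does not point at $keytab"; return 1
    fi

    # cause 2: every directory on the path must be traversable and the file readable
    dir=$(dirname "$keytab")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        mode_allows "$dir" "$user" x || { echo "cause 2: $user cannot traverse $dir"; return 2; }
        dir=$(dirname "$dir")
    done
    mode_allows "$keytab" "$user" r || { echo "cause 2: $user cannot read $keytab"; return 2; }

    # cause 3: if an AppArmor profile for named exists it needs a read rule
    # for the keytab itself or a glob over its directory
    if [ -f "$profile" ]; then
        ktdir=$(dirname "$keytab")
        if ! grep -Eq "^[[:space:]]*($keytab|$ktdir/\*)[[:space:]]+[a-z]*r" "$profile"; then
            echo "cause 3: $profile has no read rule covering $keytab"; return 3
        fi
    fi
    echo "ok: $user can read $keytab and KRB5_KTNAME points at it"
}
```

Run it as root from the same environment that starts named, for example `. /etc/default/bind9; keytab_check "$KRB5_KTNAME" bind`. Permissions are judged from the mode bits rather than with `test -r` on purpose: a root shell would pass that test even though named has already switched to the bind user by the time it opens the keytab, which is exactly the case the second cause describes.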
 

Re: [Samba] Lost performance between Samba 3.0.24 and 3.5.8 with high number of concurrent connections

2011-06-22 Thread juan david
2011/6/13 juan david jd.alar...@gmail.com

 Hi,

 We are trying to upgrade our roaming profile server from Debian Etch to Debian
 Squeeze. That means an upgrade from Samba 3.0.24 to Samba 3.5.8. Our
 production environment has over 600 concurrent users without problems. After
 the upgrade to Samba 3.5.8, the server can't manage more than 200 users. With
 'smbclient', the output is:

 Error [user] session setup failed: Call timed out: server did not respond
 after 2 milliseconds

 We use Samba+Winbind+kerberos to validate users. After the upgrade I have
 tried all configurations that I could imagine without luck.

 After that I tried to simplify the problem. I made a test environment
 with the following smb.conf:

 [global]
netbios name = yela
security = share
guest account = nobody

 [mdrive]
path = /home/HUGU-Profiles/WinXP/enfgen.man
browseable = yes
public = yes
guest ok = yes

 Trivial, isn't it? The server is a Debian Squeeze with Linux Kernel
 2.6.32-5 and Samba 3.5.8. From one client I ran the following script:

  #!/bin/bash

  # connect to the share, list it, and log every attempt that fails
  connectAndList ()
  {
      for i in $( seq 1 1000 )
      do
          fechaInicio=$( date )
          salida=$( smbclient //yela/mdrive -U nobody% -c ls 2> /dev/null )
          retorno=$?
          fechaFin=$( date )
          if [ $retorno -ne 0 ]
          then
              echo "$fechaInicio - Error $1 $salida - $fechaFin"
              sleep 1
          fi
      done
  }

  # 5 x 100 instances are started in the background, i.e. 500 clients at once
  for j in $( seq 1 5 )
  do
      for i in $( seq 1 100 )
      do
          connectAndList $i $j &
      done
  done

 To summarize, this script does 500 concurrent connections, lists the directory
 and repeats. If one connection fails, it sleeps 1 second and tries again.

 Samba 3.0.24 runs the script with 1 or 2 failed connections per second. In Samba
 3.5.8 we need to fall back to 200 concurrent connections; otherwise the
 server freezes and the load rises over 20. There isn't any error in the log. The
 server doesn't fail; it is the client which returns a timeout.

 Maybe the problem is in the connection reply, because once you have
 connected with 'smbclient', the following commands work without problem.

 Has someone Samba with over 300 concurrent users in a production
 environment? Does someone know something about this performance loss in
 connection time?



In your production environment, how many users are there? Where is the limit?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] net ads user info .vs. wbinfo -g ?

2011-06-22 Thread John McNulty
That's really useful thanks.

John

On 21 June 2011 12:25, Robert Freeman-Day pres...@gmail.com wrote:


 On 06/20/2011 12:44 PM, John McNulty wrote:
  The group names from these two commands display differently.   For
 example:
 
  $  net ads user info my-name -U my-name
   .
   .
  Systems Engineering EU
 
 
  $ wbinfo -g
   .
   .
  systemsengineeringeu.write
 
 
  Why is this different?
 
  Regards,
 
  John

 John,

 The net command is a close relative to the net command for windows.
  It will display information in a format more like windows or ldap-like
 output.

 If you do this type of net command on your samba install:

 net ads search '(sAMAccountName=adusername)' -P

 you will get all the entries from active directory, similar to the
 output from ADSIedit.  The -P allows you to use your samba machine's
 credentials (if it is joined to the domain).

 net ads search '(&(objectCategory=computer)(name=*rhel*))' -P

 Allows ldap-like searching.

 wbinfo and winbindd allow translation from windows account formats
 to unix-like account formats.  This is why the outputs are different.

 If you were to do a getent passwd aduser you will get a direct entry
 that is as if it was from /etc/passwd.  It is actually getting info from
 winbindd and translating it on the fly.

 Hope that helps differentiate them.

 Robert
 - --
 

 Robert Freeman-Day

 https://launchpad.net/~presgas
 GPG Public Key:

 http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36



Re: [Samba] Restricting logins using pam_winbind require_membership_of ?

2011-06-22 Thread John McNulty
pam_access actually worked very well and is the most powerful / flexible of
all the choices, so that's the one I'm going with.

Thanks to everyone who replied.

John


On 20 June 2011 18:35, TAKAHASHI Motonobu mo...@monyo.com wrote:

 On 06/17/2011 12:28 PM, John McNulty wrote:
  Hi.
 
  I have some shares on a server that are offered to specific Active
 Directory
  user groups, but the business doesn't want those users to be able to
 login
  to the server.  If I were to add require_membership_of  to pam_winbind
 to
  limit logins and shut out the users I don't want, would it also have the
  side effect of denying those users access to the shares as well?

 From: John McNulty johnm...@gmail.com
 Date: Mon, 20 Jun 2011 10:50:45 +0100

  The user accounts exist in Active Directory and we're using the rfc2307
  schema.  So the shell is set in AD.  I cannot change the shell to
 /bin/false
  or that would affect all the other servers they login to.

 I see. You may manage local login with the facility of PAM, for
 example pam_access, pam_listfile or others...

 ---
 TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
  http://damedame.monyo.com/ / http://facebook.com/monyot
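pam_access decides from the first line of access.conf whose user/group field matches, and a file with no matching line allows the login, so the order of the rules and the closing deny line are what make it restrictive. The snippet below is an added example, not part of this thread; the group name `linux-admins` is invented, group names are written in the `(group)` form, origins are treated as ALL and the `ALL EXCEPT` syntax is not handled. The small evaluator lets you check the rule order before the file is installed.

```shell
#!/bin/sh
# Added example: an access.conf that admits root on the console and one AD
# group from anywhere, and refuses every other account, plus an emulation of
# pam_access's first-match walk so the order can be tested offline.
# Assumptions: (group) syntax, origins not evaluated, no "ALL EXCEPT".

ACCESS_CONF='
# permission : users/groups : origins
+ : root : LOCAL
+ : (linux-admins) : ALL
- : ALL : ALL
'

# access_decision USER "GROUP ..." CONF
# Prints allow or deny and returns 0 or 1.  Like pam_access, the first line
# whose users/groups field matches decides; when nothing matches the login
# is allowed, which is why the final "- : ALL : ALL" line matters.
access_decision() {
    user=$1; groups=$2; conf=$3
    printf '%s\n' "$conf" | {
        while IFS= read -r line; do
            line=${line%%#*}                               # strip comments
            perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t')
            [ -n "$perm" ] || continue                     # blank line
            who=$(printf '%s' "$line" | cut -d: -f2)
            for item in $who; do
                hit=0
                case $item in
                    ALL)      hit=1 ;;
                    "$user")  hit=1 ;;
                    "("*")")  g=${item#\(}; g=${g%\)}      # (group) entry
                              for m in $groups; do [ "$m" = "$g" ] && hit=1; done ;;
                esac
                if [ $hit -eq 1 ]; then
                    if [ "$perm" = "+" ]; then echo allow; exit 0; else echo deny; exit 1; fi
                fi
            done
        done
        echo allow; exit 0                                 # no rule matched
    }
}
```

Feed it the user and the group list you get from `id -Gn user` on the server: `access_decision alice "$(id -Gn alice)" "$(cat /etc/security/access.conf)"`. Dropping the final deny line is the classic mistake; with it gone, every account that is not explicitly listed is let in.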



[Samba] Different permissions displayed in security tab and advanced tab

2011-06-22 Thread David Roid
Hello everyone,

Got a weird ACL issue:

First of all, my Linux host is fully ACL enabled (kernel support, file
system support, mount with xattr, library support, samba compilation
support, all set).

Then a share is created with vfs acl_xattr and ea support on, got mounted on
a Windows client as administrator, and a directory created right under the
drive. The issue is when I was checking out the security tab, as can be seen
from attached screenshot, the administrator is displayed with no permission
at all (nothing ticked) in the basic security tab, whereas the advanced tab
shows the administrator with full control, which is self-contradictory and
confusing. I then try to grant some permission to administrator by ticking
and clicking apply, failed with the error can't save the changes... the
parameter is invalid.

I do suppose full control is correct because I can read, write and
everything under the directory, plus getfacl from Linux side demonstrated
that administrator is actually with rwx on the newly created directory.

Any idea why is this? Thanks in advance.

p.s. I have no problem adding/granting additional ACLs for users other than
administrator.

Regards
-David

[Samba] getent group fails

2011-06-22 Thread Dermot
Hi,

I've been debugging this for a day now and I am on the edge of my
understanding and could use some help.

I have a smbd 3.5.6 running as a PDC (smb.conf below) with an openldap
backend. If I run `getent passwd` I get all the users (local and
Domain) and computer accounts that I've imported into the ldap tree.
If I run `getent group`, I only see local groups:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:

powerdev:x:115:
ntpd:x:116:
winbindd_priv:x:117: (don't know where winbind comes from. It's not in
/etc/passwd)

I can see the imported groups in the ldap tree via phpLDAPadmin.


I have cranked up the logging in slapd.conf and watched as I did both queries:
getent passwd
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 ACCEPT from IP=127.0.0.1:39071 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH base=dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixAccount)
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 closed (connection lost)

nentries=115

getent group
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 ACCEPT from IP=127.0.0.1:39072 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH base=ou=group,dc=example,dc=co,dc=uk scope=1 deref=0 filter=(&(objectClass=posixGroup))
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 closed (connection lost)

nentries=0 and err=32

I tried to replicate the query using ldapsearch. I am not very
familiar with ldapsearch. This was the best I could muster:
ldapsearch -x -b 'dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

This returned the groups from the ldap tree correctly:
...
...
# Backup Operators, Groups, example.co.uk
dn: cn=Backup Operators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, example.co.uk
dn: cn=Replicators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9



The difference as far as I can tell is between the two searches

SRCH base=ou=group,dc=example,dc=co,dc=uk scope=1 deref=0 filter=(&(objectClass=posixGroup))   # Failed lookup

and

SRCH base=dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixGroup)   # Working lookup


The first one confines itself to the base 'group' ou, whereas the
working search starts at the root and does not restrict itself. If
I do (notice ou=groups)
ldapsearch -x -b 'ou=groups,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see this:
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 ACCEPT from IP=127.0.0.1:51550 (IP=0.0.0.0:389)
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 BIND dn= method=128
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH base=ou=groups,dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixGroup)
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=9 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=2 UNBIND
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 closed

and get this by way of response:
# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9 # CORRECT!

If I do the search as it looks like it's being sent to ldap, e.g.
ou=group NOT ou=groups:
ldapsearch -x -b 'ou=group,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see:
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 ACCEPT from IP=127.0.0.1:42136 (IP=0.0.0.0:389)
Jun 22 13:36:07 rigel
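The slapd log already contains the answer to this kind of problem: the search for groups goes to base `ou=group` with scope one and gets `err=32` (noSuchObject, the base DN does not exist), while the working searches use `ou=groups` or the root and get `err=0`, so the client's group search base is what needs to match the tree. The script below is an added example and not part of this thread or of OpenLDAP; it pairs each SRCH line with its SEARCH RESULT and reports the ones that failed with the name of the LDAP result code. The log lines in it are constructed after the ones in the message, kept one entry per line and with the quotes slapd writes, rather than wrapped as they appear above.

```shell
#!/bin/sh
# Added example: find failed LDAP searches in a slapd "stats" log and name
# the result code, so a base DN that does not exist (err=32) is not confused
# with a filter that merely matched nothing (err=0, nentries=0).
# Constructed sample modelled on the log excerpts in the message above.
SAMPLE_SLAPD_LOG='Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH base="ou=groups,dc=example,dc=co,dc=uk" scope=2 deref=0 filter="(objectClass=posixGroup)"
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=9 text='

# failed_searches LOGTEXT
# Prints one line per search whose SEARCH RESULT carried a non-zero err,
# in the form: conn=N op=M base="..." scope=S err=E (name)
failed_searches() {
    printf '%s\n' "$1" | awk '
        # remember base and scope of every search, keyed by connection and operation
        / SRCH base=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/)  conn  = $i
                if ($i ~ /^op=/)    op    = $i
                if ($i ~ /^base=/)  base  = $i
                if ($i ~ /^scope=/) scope = $i
            }
            bases[conn " " op] = base
            scopes[conn " " op] = scope
        }
        # the result line carries the LDAP result code of that same operation
        / SEARCH RESULT / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i ~ /^op=/)   op   = $i
                if ($i ~ /^err=/)  err  = substr($i, 5) + 0
            }
            k = conn " " op
            if (err != 0 && (k in bases)) {
                # the three codes an NSS/PAM client most often trips over
                name = (err == 32) ? "noSuchObject" : \
                       ((err == 49) ? "invalidCredentials" : \
                       ((err == 50) ? "insufficientAccessRights" : "see RFC 4511"))
                print conn, op, bases[k], scopes[k], "err=" err, "(" name ")"
            }
        }'
}
```

Against a real log, `failed_searches "$(grep slapd /var/log/syslog)"` is enough; each reported line shows the base DN the client actually asked for, which is the value to compare with the tree (here `ou=group` versus `ou=Groups`). Searches that return `err=0` with `nentries=0` are deliberately not listed: those reach an existing base and simply match nothing, a different problem.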

Re: [Samba] Samba 3.3.15 Ignoring Logon Path and Logon Home to Disable Roaming Profiles

2011-06-22 Thread TAKAHASHI Motonobu
From: Charles Kozler char...@fixflyer.com
Date: Mon, 20 Jun 2011 13:53:40 -0400

 I had tried that already and it still did not work.  I tried creating 
 new users after setting the aforementioned configuration settings to 
 Samba but it still did not work.

You are using smbldap-tools, so you have to unset userProfile in
smbldap.conf.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
  http://damedame.monyo.com/ / http://facebook.com/monyot


Re: [Samba] Different permissions displayed in security tab andadvanced tab

2011-06-22 Thread Dale Schroeder

David,

Samba does not have the ability to change the permissions of directories 
on the security tab, and many times they will not be displayed either.  
As you have already discovered, permissions on directories are changed 
in Advanced.  The permissions of files can be manipulated on the 
security tab.


Dale




Re: [Samba] Samba 3.3.15 Ignoring Logon Path and Logon Home to Disable Roaming Profiles

2011-06-22 Thread TAKAHASHI Motonobu
From: Charles Kozler char...@fixflyer.com
Date: Wed, 22 Jun 2011 12:52:35 -0400

 As I had previously noted, if there is an LDAP entry for a profile path 
 specified, will Windows try to force load a roaming profile and Samba 
 options ignored?

In modern passdb such as ldapsam and tdbsam (not smbpasswd), Samba
parameters such as logon path and logon home are only defined as the
default value. After a user is created and the default value is set,
these parameters are ignored.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
  http://damedame.monyo.com/ / http://facebook.com/monyot


[Samba] getting winbindd errors on OS X Server 10.6.6

2011-06-22 Thread Michael Porter
All,

I am attempting to  resolve an issue that our OS X Server is having. It's 
running 10.6.6 and samba 3.0.28a-apple. In the last two weeks we've been 
rebooting this server multiple times a day because it stops responding to smb 
requests. A look at the logs reveal the following two error messages repeated 
hundreds of times:

6/17/11 6:18:00 PM /usr/sbin/winbindd[231] dnssd_clientstub deliver_request: 
socketpair failed 24 (Too many open files)
6/17/11 6:18:00 PM /usr/sbin/winbindd[13089] dnssd_clientstub deliver_request: 
socketpair failed 24 (Too many open files)

The messages stop on the reboot and don't come back for a period of time.

We typically have 60-75 clients connected to the system, which hosts files for 
a software build system. We don't think there's been a significant change in 
the way the clients interact with the server, nor have any software changes 
been made on the server.

Any help figuring out what to do next is appreciated!


--
Michael Porter
Senior Desktop Admin and Project Lead
650-357-3415
michael.por...@efi.com




[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andrew Tridgell
The branch, master has been updated
   via  9e766f0 samba-tool: added missing GUID component checks to dbcheck
   via  505dce2 pyldb: added methods to get/set extended components on DNs
   via  202f0a4 pydsdb: added get_syntax_oid_from_lDAPDisplayName()
   via  341884c ldb: added extended_str() method to pyldb
   via  dd5350b ldb: expose syntax oids to python
   via  c4a7908 samba-tool: try to keep dbcheck.py in a logical ordering
   via  c46f808 s4-dsdb: don't add zero GUID to BINARY_DN
  from  c173e6e s3-spoolss: Fix some valgrind warnings.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9e766f019bff74ec9c1d5df326cdea2c7fe05e2a
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:44:36 2011 +1000

samba-tool: added missing GUID component checks to dbcheck

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104

commit 505dce2d3aa95d475e12c4e5e4e2b3f1907bdd84
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:44:12 2011 +1000

pyldb: added methods to get/set extended components on DNs

this will be used by the dbcheck code

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 202f0a4b576d78928a403b68f3e057d3a425bddf
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:41:50 2011 +1000

pydsdb: added get_syntax_oid_from_lDAPDisplayName()

this gives you access to the syntax oid of an attribute

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 341884c835b9c5785794cba562c2a21939eb4bce
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 13:49:37 2011 +1000

ldb: added extended_str() method to pyldb

this gives access to ldb_dn_get_extended_linearized() from python

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit dd5350b0a87c82be7d0b0d124885ecfd73bb1b5b
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 12:34:32 2011 +1000

ldb: expose syntax oids to python

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit c4a7908f46e7005f323eeca5fd38ec9e88a54aa9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 12:23:05 2011 +1000

samba-tool: try to keep dbcheck.py in a logical ordering

keep individual error handlers together and separate from driver code

commit c46f80824b649647b5a61364a1b8fe26267bbdd9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 11:56:40 2011 +1000

s4-dsdb: don't add zero GUID to BINARY_DN

When converting from DRS to ldb format for a BINARY_DN, don't add the
GUID extended DN element if the GUID is all zeros.

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source4/dsdb/pydsdb.c|   40 ++
 source4/dsdb/schema/schema_syntax.c  |   20 ++--
 source4/lib/ldb/pyldb.c  |   77 +++
 source4/scripting/python/samba/netcmd/dbcheck.py |  160 +
 source4/scripting/python/samba/samdb.py  |5 +
 5 files changed, 262 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 62f33bb..5ca6b02 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -331,6 +331,38 @@ static PyObject 
*py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject
 }
 
 /*
+  return the attribute syntax oid as a string from the attribute name
+ */
+static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, 
PyObject *args)
+{
+   PyObject *py_ldb;
+   struct ldb_context *ldb;
+   struct dsdb_schema *schema;
+   const char *ldap_display_name;
+   const struct dsdb_attribute *attribute;
+
+   if (!PyArg_ParseTuple(args, Os, py_ldb, ldap_display_name))
+   return NULL;
+
+   PyErr_LDB_OR_RAISE(py_ldb, ldb);
+
+   schema = dsdb_get_schema(ldb, NULL);
+
+   if (!schema) {
+   PyErr_SetString(PyExc_RuntimeError, Failed to find a schema 
from ldb);
+   return NULL;
+   }
+
+   attribute = dsdb_attribute_by_lDAPDisplayName(schema, 
ldap_display_name);
+   if (attribute == NULL) {
+   PyErr_Format(PyExc_RuntimeError, Failed to find attribute 
'%s', ldap_display_name);
+   return NULL;
+   }
+
+   return PyString_FromString(attribute-syntax-ldap_oid);
+}
+
+/*
   convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute
  */
 static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args)
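Review bot: in the new py_dsdb_get_syntax_oid_from_lDAPDisplayName() the return statement dereferences `attribute->syntax->ldap_oid` straight after the `attribute == NULL` check, with no guard on `attribute->syntax`; if a schema attribute can ever be loaded without a resolved syntax, that is an interpreter crash rather than a Python exception. A second guard in the same style as the one above it, `if (attribute->syntax == NULL) { PyErr_Format(PyExc_RuntimeError, ...); return NULL; }`, keeps the failure mode consistent with the 'Failed to find attribute' path. (The format string in `PyArg_ParseTuple(args, Os, ...)` and the error strings appear without their double quotes in this rendering of the mail; that is an artefact of the archive, not a point against the hunk.)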
@@ -802,6 +834,8 @@ static PyMethodDef py_dsdb_methods[] = {
METH_VARARGS, NULL },
{ 

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs
   via  e5378e6 s4:auth/kerberos: remove one indentation level in 
kerberos_kinit_password_cc()
   via  b98428e s4:auth/kerberos: reformat kerberos_kinit_password_cc()
   via  9c56303 s4:auth/kerberos: don't mix s4u2self creds with machine 
account creds
   via  b3d4962 s4:auth/kerberos: use better variable names in 
kerberos_kinit_password_cc()
   via  7cf3842 s4:auth/kerberos: don't ignore return code in 
kerberos_kinit_password_cc()
  from  9e766f0 samba-tool: added missing GUID component checks to dbcheck

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ede3046b8b9b0576a35626026cb28c31b42da46d
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jun 21 01:39:58 2011 +0200

s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs

Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104

commit e5378e600e507241dd64c1ea7345676076dc8755
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 21:23:45 2011 +0200

s4:auth/kerberos: remove one indentation level in 
kerberos_kinit_password_cc()

This will make the following changes easier to review.

metze

commit b98428e630cc5a1bbc18bf4260030a24322fdf9e
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 21:09:13 2011 +0200

s4:auth/kerberos: reformat kerberos_kinit_password_cc()

In order to make the following changes easier to review.

metze

commit 9c56303f5a56697470ea9f2ee1a428aed2367d75
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 15:27:58 2011 +0200

s4:auth/kerberos: don't mix s4u2self creds with machine account creds

It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.

We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.

metze

commit b3d49620875d878e2ad39896a6fe9fddb039253e
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 18:01:49 2011 +0200

s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()

This will make the following changes easier to review.

metze

commit 7cf38425b274c43144a2216accf5330d8ef1fe36
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 17:41:52 2011 +0200

s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc()

metze

---

Summary of changes:
 source4/auth/kerberos/kerberos.c |  228 +
 1 files changed, 178 insertions(+), 50 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 0db0dd3..fa8c64b 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -84,82 +84,210 @@
   The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or the local service (if we are doing s4u2self)
 
 */
- krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, 
-   krb5_principal principal, const 
char *password,
-   krb5_principal 
impersonate_principal, const char *target_service,
+ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache 
store_cc,
+   krb5_principal init_principal,
+   const char *init_password,
+   krb5_principal 
impersonate_principal,
+   const char *target_service,
krb5_get_init_creds_opt 
*krb_options,
time_t *expire_time, time_t 
*kdc_time)
 {
krb5_error_code code = 0;
-   krb5_creds my_creds;
-   krb5_creds *impersonate_creds;
krb5_get_creds_opt options;
+   krb5_principal store_principal;
+   krb5_creds store_creds;
+   const char *self_service = target_service;
+   krb5_creds *s4u2self_creds;
+   krb5_principal self_princ;
+   krb5_ccache tmp_cc;
+   const char *self_realm;
+   krb5_principal blacklist_principal = NULL;
 
-   /* If we are not impersonating, then get this ticket for the
+   /*
+* If we are not impersonating, then get this ticket for the
 * target service, otherwise a krbtgt, and get the next 
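Review bot: the block comment above the prototype (starting 'The target_service defaults to the krbtgt if NULL') is left untouched while the signature changes `cc` to `store_cc` and introduces `tmp_cc`, `s4u2self_creds` and `blacklist_principal`; since the point of the 'don't mix s4u2self creds with machine account creds' commit is that the machine-account TGT and the impersonated ticket must not share a krb5_ccache, the comment should say which ccache receives which credential and that only the final ticket ends up in `store_cc`. The hunk is cut at the 500-line limit, so the body that uses `tmp_cc` is not visible here; the full change should be checked for `tmp_cc` being destroyed on every return path, including the error returns, as a leaked temporary ccache would keep the machine-account TGT around.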

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andreas Schneider
The branch, master has been updated
   via  21af0af s3: Added missing includes to .clang_complete.
  from  ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 21af0af4e4a498bc676125507fdb96fa5b0e5cd5
Author: Andreas Schneider a...@samba.org
Date:   Tue Jun 21 15:09:28 2011 +0200

s3: Added missing includes to .clang_complete.

Autobuild-User: Andreas Schneider a...@cryptomilk.org
Autobuild-Date: Wed Jun 22 11:15:56 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/.clang_complete |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/.clang_complete b/source3/.clang_complete
index 52de1ac..46925f9 100644
--- a/source3/.clang_complete
+++ b/source3/.clang_complete
@@ -1,5 +1,6 @@
 -I.
 -I./..
+-I./../lib
 -I./../lib/replace
 -I./../lib/talloc
 -I./../lib/tevent
@@ -7,6 +8,7 @@
 -I./../lib/iniparser/src
 -I./../lib/popt
 -I./../lib/tdb/include
+-I./../lib/tdb_compat
 -I./include/autoconf
 -I./include
 -I./librpc


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andrew Tridgell
The branch, master has been updated
   via  a353b49 s4-dsdb: bypass validation when relax set
   via  6d1fe05 samba-tool: allow for running dbcheck against a remote ldap 
server
   via  ff8cdee samba-tool: expanded dbcheck DN checking
   via  c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in
   via  d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in
  from  21af0af s3: Added missing includes to .clang_complete.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 18:14:14 2011 +1000

s4-dsdb: bypass validation when relax set

this allows dbcheck to fix bad attributes

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104

commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:38:19 2011 +1000

samba-tool: allow for running dbcheck against a remote ldap server

this is useful for running it against a Windows server

commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:08:28 2011 +1000

samba-tool: expanded dbcheck DN checking

this now checks for bad GUID elements in DN links, and offers to fix
them when possible

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:07:39 2011 +1000

s4-dsdb: prioritise GUID in extended_dn_in

if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:05:08 2011 +1000

s4-dsdb: catch duplicate matches in extended_dn_in

When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c|   31 +++-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |3 +-
 source4/scripting/python/samba/netcmd/dbcheck.py   |  144 
 3 files changed, 143 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c 
b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 3e2004d..9a70d9a 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, 
struct ldb_reply *are
 
switch (ares-type) {
case LDB_REPLY_ENTRY:
+   if (ac-basedn) {
+   /* we have more than one match! This can
+  happen as S-1-5-17 appears twice in a
+  normal provision. We need to return
+  NO_SUCH_OBJECT */
+   const char *str = talloc_asprintf(req, Duplicate 
base-DN matches found for '%s',
+ 
ldb_dn_get_extended_linearized(req, ac-req-op.search.base, 1));
+   ldb_set_errstring(ldb_module_get_ctx(ac-module), str);
+   return ldb_module_done(ac-req, NULL, NULL,
+  LDB_ERR_NO_SUCH_OBJECT);
+   }
+
if (!ac-wellknown_object) {
ac-basedn = talloc_steal(ac, ares-message-dn);
break;
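Review bot: the talloc_asprintf result assigned to str in the new duplicate-match block is handed to ldb_set_errstring without a NULL check; on allocation failure this should return ldb_module_oom(ac-module) rather than set a NULL error string. Failing closed with LDB_ERR_NO_SUCH_OBJECT when the base DN matches twice is the right behaviour (an S-1-5-17 lookup must not resolve to whichever of the two entries arrives first), but since most callers treat NO_SUCH_OBJECT as routine, a DEBUG line naming the duplicate DN would help operators notice the provisioning error instead of only seeing a missing-object failure.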
@@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, 
struct ldb_request *req
guid_val = ldb_dn_get_extended_component(dn, GUID);
wkguid_val = ldb_dn_get_extended_component(dn, WKGUID);
 
-   if (sid_val) {
+   /*
+ prioritise the GUID - we have had instances of
+ duplicate SIDs in the database in the
+ ForeignSecurityPrinciples due to provision errors
+*/
+   if (guid_val) {
all_partitions = true;
base_dn = 
ldb_get_default_basedn(ldb_module_get_ctx(module));
-   base_dn_filter = talloc_asprintf(req, (objectSid=%s), 
-ldb_binary_encode(req, 
*sid_val));
+   base_dn_filter = talloc_asprintf(req, (objectGUID=%s),
+  
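Review bot: with "if (guid_val)" now taking precedence, a DN that carries both a GUID and a SID is resolved by GUID alone and the SID component is never compared with the object found, so a mismatched GUID/SID pair resolves silently to the GUID's object; when sid_val is also present, verify it against objectSid on the result (or include both in the filter). The rest of the hunk is cut off here; the old "if (sid_val)" branch needs to become an else branch so the objectSid filter (with ldb_binary_encode, as before) is not built on top of the objectGUID one. Typo in the new comment: ForeignSecurityPrinciples should be ForeignSecurityPrincipals.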
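To make the GUID-before-SID ordering and the fail-closed duplicate handling from the two extended_dn_in commits above concrete, here is an added Python example. It is not Samba code: the toy DIRECTORY table, the NoSuchObject exception and the plain string matching (instead of ldb's binary-encoded filters) are all constructed for this illustration.

```python
"""Resolve an LDAP extended DN the way the extended_dn_in commits describe:
prefer the <GUID=...> component over <SID=...>, and fail closed with
NO_SUCH_OBJECT when a lookup matches more than one object.

Added example, not Samba code. DIRECTORY, NoSuchObject and the string-based
matching are constructed for illustration only.
"""
import re

# Constructed toy directory: (dn, objectGUID, objectSid). S-1-5-17 appears
# twice on purpose, mirroring the duplicate the commit message describes.
DIRECTORY = [
    ("CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=example,DC=com",
     "11111111-1111-1111-1111-111111111111", "S-1-5-17"),
    ("CN=S-1-5-17,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=com",
     "22222222-2222-2222-2222-222222222222", "S-1-5-17"),
    ("CN=alice,CN=Users,DC=example,DC=com",
     "33333333-3333-3333-3333-333333333333", "S-1-5-21-1-2-3-1105"),
]


class NoSuchObject(LookupError):
    """Stands in for LDB_ERR_NO_SUCH_OBJECT."""


# One leading extended component such as <GUID=...>; the optional ';' is the
# separator before the next component or the plain DN.
_COMPONENT = re.compile(r"<(GUID|SID|WKGUID)=([^>]*)>;?")


def parse_extended_dn(dn):
    """Split '<GUID=g>;<SID=s>;CN=x,...' into ({'GUID': g, 'SID': s}, 'CN=x,...')."""
    components = {}
    pos = 0
    while True:
        m = _COMPONENT.match(dn, pos)
        if m is None:
            break
        components[m.group(1)] = m.group(2)
        pos = m.end()
    return components, dn[pos:]


def choose_lookup(components):
    """Pick the attribute to search by: GUID first, then SID (the new ordering)."""
    if "GUID" in components:
        return "objectGUID", components["GUID"]
    if "SID" in components:
        return "objectSid", components["SID"]
    return None


def resolve(dn, directory=DIRECTORY):
    """Return the plain DN of the object an extended DN refers to."""
    components, plain = parse_extended_dn(dn)
    lookup = choose_lookup(components)
    if lookup is None:
        # No extended component: the DN is already a plain DN.
        return plain
    attr, value = lookup
    column = 1 if attr == "objectGUID" else 2
    matches = [entry for entry in directory
               if entry[column].lower() == value.lower()]
    if len(matches) == 0:
        raise NoSuchObject("no object with %s=%s" % (attr, value))
    if len(matches) > 1:
        # Ambiguity must not resolve to whichever entry came back first.
        raise NoSuchObject("duplicate base-DN matches found for %s=%s" % (attr, value))
    return matches[0][0]
```

With the GUID present the duplicate SID is never consulted, so the ForeignSecurityPrincipals entry is found; with only the SID the lookup is ambiguous and is refused rather than guessed.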

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Jim McDonough
The branch, master has been updated
   via  d4c30a5 Update eDirectory schema
  from  a353b49 s4-dsdb: bypass validation when relax set

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c
Author: Jim McDonough j...@samba.org
Date:   Wed Jun 22 07:36:20 2011 -0400

Update eDirectory schema

Autobuild-User: Jim McDonough j...@samba.org
Autobuild-Date: Wed Jun 22 14:48:09 CEST 2011 on sn-devel-104

---

Summary of changes:
 examples/LDAP/samba-nds.schema |   69 +++
 1 files changed, 20 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema
index 0b3cf66..369670b 100644
--- a/examples/LDAP/samba-nds.schema
+++ b/examples/LDAP/samba-nds.schema
@@ -35,7 +35,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 
'sambaNTPassword' DESC 'MD4 hash
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account 
Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account 
Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} 
SINGLE-VALUE )
 
 ##
 ## Password timestamps  policies
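Review bot: dropping "SUBSTR caseIgnoreSubstringsMatch" from sambaAcctFlags means a substring filter such as (sambaAcctFlags=*D*), a common way to find disabled accounts in the flag string, evaluates as Undefined on eDirectory and matches nothing instead of returning the disabled accounts. If that is intended (eDirectory may not accept that rule on an IA5 string), the commit message should say so, because audit and provisioning scripts that rely on substring matching of the flags will silently start reporting zero results.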
@@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 
'sambaMungedDial' DESC 'Base64 en
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 
'Concatenated MD4 hashes of the unicode passwords used on this account' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 
'Concatenated MD5 hashes of the salted NT passwords used on this account' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )
 
 ##
 ## SID, of any type
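Review bot: the new DESC ("Concatenated MD5 hashes of the salted NT passwords") describes the stored format more honestly than "MD4 hashes of the unicode passwords", but if the OpenLDAP schema in examples/LDAP still carries the old wording it should be updated in the same commit so the two schemata agree. The DESC should also flag the attribute as sensitive: a history entry is a salt plus an MD5 over the salt and the NT hash, so a password guess can be checked against it as cheaply as against sambaNTPassword, and it needs the same read ACL.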
@@ -137,7 +137,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 
'sambaPasswordHistory' DESC 'Conc
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' 
EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' 
EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 
 ##
 ## Primary group SID, compatible with ntSid
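Review bot: sambaSID now has EQUALITY caseIgnoreIA5Match but SUBSTR caseExactIA5SubstringsMatch, so (sambaSID=s-1-5-21-*) will not match a value stored as S-1-5-21-... while the exact lowercase value will; a lookup by prefix and a lookup by full value can then disagree on the same entry. SIDs have one canonical spelling, so use the same case rule for both (caseExactIA5Match for EQUALITY would be consistent with the new SUBSTR rule).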
@@ -287,47 +287,13 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 
'sambaRefuseMachinePwdChange' DES
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of 
trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 
'Clear text password (used for trusted domain passwords)' EQUALITY 
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 
'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 
'Direction of a trust' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully 
qualified name of the domain with which a trust exists' EQUALITY 
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS 
name of a domain' EQUALITY caseIgnoreMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 
'Authentication information for the outgoing portion of a trust' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 
'Authentication information for the incoming portion of a trust' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 
'SID of a trusted 
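Review bot: this hunk (@@ -287,47 +287,13 @@) deletes the trust attribute definitions sambaTrustType, sambaTrustAttributes, sambaTrustDirection, sambaTrustPartner, sambaFlatName, sambaTrustAuthOutgoing, sambaTrustAuthIncoming and sambaSecurityIdentifier and adds sambaClearTextPassword in their place, but the commit message "Update eDirectory schema" gives no reason; removing attribute definitions from a published schema breaks any entry that still carries them, so the message should say why they go. sambaClearTextPassword stores trust passwords in the clear (octetString syntax, multi-valued), and its DESC or a comment above it should state that it must be protected by a read ACL at least as strict as the one on sambaNTPassword.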
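As an added example of what the new sambaPasswordHistory DESC describes (MD5 hashes of salted NT hashes), not Samba's own code: the entry layout below, a 16-byte salt followed by MD5(salt || NT hash), both hex-encoded and concatenated newest first, is my assumption rather than something this schema states, and the 16-byte NT hash (MD4 of the UTF-16LE password) is taken as input rather than computed.

```python
"""Build and check password-history entries of the shape the new
sambaPasswordHistory DESC describes: MD5 hashes of salted NT hashes.

Added example, not Samba code. Assumed layout (not stated by the schema):
each entry is a 16-byte salt followed by MD5(salt || nt_hash), hex-encoded;
entries are concatenated newest first. The NT hash itself is an input here.
"""
import hashlib
import hmac
import os

SALT_LEN = 16
DIGEST_LEN = 16
ENTRY_HEX_LEN = 2 * (SALT_LEN + DIGEST_LEN)   # 64 hex characters per entry


def salted_entry(nt_hash, salt):
    """One history entry: hex(salt) + hex(MD5(salt || nt_hash))."""
    if len(nt_hash) != 16 or len(salt) != SALT_LEN:
        raise ValueError("nt_hash and salt must be 16 bytes each")
    return (salt + hashlib.md5(salt + nt_hash).digest()).hex().upper()


def split_history(history):
    """Cut the attribute value into 64-character entries; reject truncated values."""
    if len(history) % ENTRY_HEX_LEN:
        raise ValueError("history length is not a multiple of one entry")
    return [history[i:i + ENTRY_HEX_LEN]
            for i in range(0, len(history), ENTRY_HEX_LEN)]


def nt_hash_in_history(history, nt_hash):
    """True if nt_hash matches any stored entry (constant-time digest compare)."""
    for entry in split_history(history):
        raw = bytes.fromhex(entry)
        salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
        if hmac.compare_digest(hashlib.md5(salt + nt_hash).digest(), stored):
            return True
    return False


def push_history(history, nt_hash, max_entries, salt=None):
    """Prepend a new entry and drop the oldest beyond max_entries (the policy length)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    entries = [salted_entry(nt_hash, salt)] + split_history(history)
    return "".join(entries[:max_entries])
```

The check costs one MD5 per stored entry on top of the NT hash, which is exactly why the attribute deserves the same protection as sambaNTPassword: an attacker who reads it can test password guesses against every historical password at once.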

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy
   via  033f337 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs
   via  b9e095f s4:auth/kerberos: add S4U2Proxy support to 
kerberos_kinit_password_cc()
  from  d4c30a5 Update eDirectory schema

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5a8ac842701b65c0abd9731545792c2a0fd2aa79
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Mar 11 08:32:22 2011 +0100

s4:ntvfs/cifs: add option to use S4U2Proxy

Note: this doesn't work against a Samba4 KDC yet.

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104

commit 033f3376a834c1078b377647069b7e30aef59667
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jun 21 11:05:15 2011 +0200

s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs

If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.

metze

commit b9e095fdfb684005f9bb5c1d943b2a0705308500
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 20:28:44 2011 +0200

s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()

For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.

metze

---

Summary of changes:
 source4/auth/kerberos/kerberos.c  |  181 -
 source4/auth/kerberos/kerberos.h  |4 +-
 source4/auth/kerberos/kerberos_util.c |1 +
 source4/ntvfs/cifs/vfs_cifs.c |   49 +
 4 files changed, 230 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index fa8c64b..0fc9d14 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -81,13 +81,16 @@
 
   The impersonate_principal is the principal if NULL, or the principal to 
impersonate
 
-  The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or the local service (if we are doing s4u2self)
+  The self_service, should be the local service (for S4U2Self if 
impersonate_principal is given).
+
+  The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or a remote service (for S4U2Proxy)
 
 */
  krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache 
store_cc,
krb5_principal init_principal,
const char *init_password,
krb5_principal 
impersonate_principal,
+   const char *self_service,
const char *target_service,
krb5_get_init_creds_opt 
*krb_options,
time_t *expire_time, time_t 
*kdc_time)
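Review bot: the doc comment should state which argument combinations are valid: self_service is mandatory whenever impersonate_principal is given (the next hunk rejects the combination with EINVAL), target_service equal to self_service means S4U2Self only, and a different target_service triggers S4U2Proxy; as written it says what each argument could be but not how they interact. The sentence "The impersonate_principal is the principal if NULL, or the principal to impersonate" reads as if it describes the NULL case twice; "NULL when not impersonating, otherwise the principal to impersonate" is clearer. Since this is a non-static function whose signature changes, every caller must move in the same commit; the summary lists kerberos_util.c and vfs_cifs.c, which covers that.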
@@ -96,12 +99,21 @@
krb5_get_creds_opt options;
krb5_principal store_principal;
krb5_creds store_creds;
-   const char *self_service = target_service;
krb5_creds *s4u2self_creds;
+   Ticket s4u2self_ticket;
+   size_t s4u2self_ticketlen;
+   krb5_creds *s4u2proxy_creds;
krb5_principal self_princ;
+   bool s4u2proxy;
+   krb5_principal target_princ;
krb5_ccache tmp_cc;
const char *self_realm;
krb5_principal blacklist_principal = NULL;
+   krb5_principal whitelist_principal = NULL;
+
+   if (impersonate_principal  self_service == NULL) {
+   return EINVAL;
+   }
 
/*
 * If we are not impersonating, then get this ticket for the
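Review bot: "Ticket s4u2self_ticket;" uses Heimdal's ASN.1 Ticket type directly, which ties this file to the Heimdal build; a short comment noting that dependency (or an ifdef) would save the next person who tries an MIT build. The "return EINVAL;" check only covers impersonate_principal set with self_service NULL; the reverse case, self_service given without impersonate_principal, is accepted and the argument silently ignored, which should either be documented in the comment above or rejected the same way.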
@@ -168,6 +180,18 @@
krb5_free_cred_contents(ctx, store_creds);
 
/*
+* Check if we also need S4U2Proxy or if S4U2Self is
+* enough in order to get a ticket for the target.
+*/
+   if (target_service == NULL) {
+   s4u2proxy = false;
+   } else if (strcmp(target_service, self_service) == 0) {
+   s4u2proxy = false;
+   } else {
+   s4u2proxy = true;
+   }
+
+   /*
 * For S4U2Self we need our own service principal,
 * which belongs to our own realm (available on
 * our client principal).
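Review bot: "strcmp(target_service, self_service) == 0" compares the two service names as raw strings, so "cifs/host.example.com" and "cifs/HOST.example.com", or the same name with and without a realm suffix, are treated as different services and an unnecessary S4U2Proxy round trip is issued, which then fails unless the account is allowed to delegate to itself; parse both with krb5_parse_name and compare with krb5_principal_compare instead. If this block can be reached with impersonate_principal NULL (in which case self_service may be NULL, since the EINVAL check above does not cover it), the strcmp dereferences NULL; if the non-impersonating path has already returned by this point, a comment saying so would make that clear.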
@@ -197,6 +221,14 @@
return code;
}
 
+   if (s4u2proxy) {
+   /*
+* If we want S4U2Proxy, we need the forwardable flag
+* on the S4U2Self ticket.
+*/
+   krb5_get_creds_opt_set_options(ctx, options, 
KRB5_GC_FORWARDABLE);
+   }
+
code = krb5_get_creds_opt_set_impersonate(ctx, 
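Review bot: setting KRB5_GC_FORWARDABLE on the S4U2Self request does not guarantee a forwardable ticket: the KDC only sets the flag when the service account is trusted for delegation with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl), otherwise it returns a non-forwardable ticket and the later S4U2Proxy exchange fails with a less obvious KDC error. After the S4U2Self creds come back, check the forwardable flag on s4u2self_creds and fail here with a clear message when s4u2proxy is set and the flag is missing.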

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order 
to work against w2k8r2
  from  5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ae6a7f945f8a48a2b4b2c6cc43a0efee4f134a8b
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Jun 22 18:25:30 2011 +0200

s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against 
w2k8r2

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104

---

Summary of changes:
 source4/winbind/wb_init_domain.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 50a6af0..9847afb 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -154,7 +154,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX 
*mem_ctx,
 (lpcfg_server_role(service-task-lp_ctx) == 
ROLE_DOMAIN_CONTROLLER)) 
(dom_sid_equal(state-domain-info-sid,
   state-service-primary_sid))) {
-   state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL;
+   state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL | 
DCERPC_SCHANNEL_128;
 
/* For debugging, it can be a real pain if all the traffic is 
encrypted */
if (lpcfg_winbind_sealed_pipes(service-task-lp_ctx)) {
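Review bot: OR-ing DCERPC_SCHANNEL_128 unconditionally is the right direction for Windows 2008 R2, whose default policy rejects the older weak NetLogon session keys, but it also turns every netlogon binding to a DC that cannot do 128-bit schannel into a hard failure; if pre-2008 or non-Windows DCs are still expected as trust partners, gate the flag behind a config option or retry without it when schannel setup fails, and log the downgrade when that happens.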


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Matthieu Patou
The branch, master has been updated
   via  a9e4592 s4-dbcheck: fix uninitialized errstr in 
err_dn_target_mismatch
   via  ef7940f s4-dbcheck: remove unused include
   via  4d51ddb s4-schema: avoid segfaulting if id3.guid is NULL
   via  249fbd8 s4-samba_dnsupdate: set environment via the env parameter
   via  c2dfaa2 s4-upgradeprovision: Don't forget to populate the non 
replicated objects, and don't touch rIDPreviousAllocationPool
   via  2f4251c dbchecker: cope with a broken link to Deleted Objects
   via  4fe9ebc dbchecker: fixed argument error for -H and DN
   via  6b939f4 dbchecker: when fixing a bad GUID in a DN, search by the 
string DN
   via  9676c26 samba-tool: added --attrs option to dbcheck
   via  7fff636 samba-tool: make the dbcheck class available outside of 
samba-tool
   via  9be9f0e samba-tool: added --quiet option to dbcheck
  from  ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order 
to work against w2k8r2

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a9e45923369e3171cb7f42284f52ce3c4c8b0a4b
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 21:28:25 2011 +0400

s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch

Autobuild-User: Matthieu Patou m...@samba.org
Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104

commit ef7940f7be7de238a693cfba649faf8b67b7da3a
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 21:28:00 2011 +0400

s4-dbcheck: remove unused include

commit 4d51ddbb5c9e4465887d9fcd2c10de3f46c6a12a
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 20:54:37 2011 +0400

s4-schema: avoid segfaulting if id3.guid is NULL

commit 249fbd8a334b4d19f9148e07449fec3f26b8267d
Author: Matthieu Patou m...@matws.net
Date:   Tue Jun 21 13:39:28 2011 +0400

s4-samba_dnsupdate: set environment via the env parameter

I faced a situation where the os.environ(KRB5CCNAME) = ... didn't
seem to be effective

commit c2dfaa2580918cf31069c1063ff07a819ca0554a
Author: Matthieu Patou m...@matws.net
Date:   Tue Jun 21 13:37:26 2011 +0400

s4-upgradeprovision: Don't forget to populate the non replicated objects, 
and don't touch rIDPreviousAllocationPool

commit 2f4251c389f5fa92bfba10739677a760f0bdf198
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 22:06:18 2011 +1000

dbchecker: cope with a broken link to Deleted Objects

if a DN link to Deleted Objects has a bad GUID, we need to use
show_deleted

commit 4fe9ebc2e3e09befe8d7a2ce577336eefd9b9694
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 21:22:39 2011 +1000

dbchecker: fixed argument error for -H and DN

commit 6b939f4a9c19cd868ac1b6d77cc26662e2726e8c
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:53:44 2011 +1000

dbchecker: when fixing a bad GUID in a DN, search by the string DN

commit 9676c26fdd7ca53405abd06f58ae40d39d818e4d
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:44:35 2011 +1000

samba-tool: added --attrs option to dbcheck

this allows checking of a specific list of attributes

commit 7fff636bce2576a63170bf3cc555eb85b8fefd67
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:01:58 2011 +1000

samba-tool: make the dbcheck class available outside of samba-tool

this will be used in provision, and probably in upgradeprovision as
well

commit 9be9f0e43c9312094a42efa236791dfcd95dc9f9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 19:32:45 2011 +1000

samba-tool: added --quiet option to dbcheck

this will be used to allow for other tools (such as provision) to call
into dbcheck without generating a lot of noise

---

Summary of changes:
 source4/dsdb/schema/schema_syntax.c|3 +-
 source4/scripting/bin/samba_dnsupdate  |2 +-
 source4/scripting/bin/upgradeprovision |6 +-
 .../samba/{netcmd/dbcheck.py => dbchecker.py}  |  182 +---
 source4/scripting/python/samba/netcmd/dbcheck.py   |  307 ++--
 5 files changed, 102 insertions(+), 398 deletions(-)
 copy source4/scripting/python/samba/{netcmd/dbcheck.py => dbchecker.py} (61%)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/schema/schema_syntax.c 
b/source4/dsdb/schema/schema_syntax.c
index f542f67..a93cdfa 100644
--- a/source4/dsdb/schema/schema_syntax.c
+++ b/source4/dsdb/schema/schema_syntax.c
@@ -1995,10 +1995,9 @@ static WERROR dsdb_syntax_DN_BINARY_drsuapi_to_ldb(const 
struct dsdb_syntax_ctx
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
+   talloc_free(guid_blob.data);
}
 
-   talloc_free(guid_blob.data);
-
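Review bot: moving talloc_free(guid_blob.data) inside the if block removes the crash when id3.guid is NULL, but the root cause is that guid_blob is freed on a path where it was never assigned; initialising guid_blob to data_blob_null at its declaration makes every path safe (talloc_free on NULL is harmless) and protects against the next early return that forgets the free. The "return WERR_FOOBAR;" path just above frees tmp_ctx but not guid_blob.data, so that blob must be allocated on tmp_ctx for that exit not to leak.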
   

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Matthieu Patou
The branch, master has been updated
   via  4f7f143 dfsreferral: search client's site and use it
  from  a9e4592 s4-dbcheck: fix uninitialized errstr in 
err_dn_target_mismatch

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4f7f1430268f0ab5447fe189da6435bdd8e0614e
Author: Matthieu Patou m...@matws.net
Date:   Thu Jun 23 02:35:50 2011 +0400

dfsreferral: search client's site and use it

Autobuild-User: Matthieu Patou m...@samba.org
Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104

---

Summary of changes:
 source4/smb_server/smb/trans2.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/smb_server/smb/trans2.c b/source4/smb_server/smb/trans2.c
index b3aa690..72babd5 100644
--- a/source4/smb_server/smb/trans2.c
+++ b/source4/smb_server/smb/trans2.c
@@ -1107,7 +1107,7 @@ static NTSTATUS get_dcs(TALLOC_CTX *ctx, struct 
ldb_context *ldb,
}
talloc_free(r);
 
-   if (searched_site != NULL) {
+   if (searched_site != NULL  searched_site[0] != '\0') {
ret = ldb_search(ldb, subctx, r, configdn, LDB_SCOPE_SUBTREE,
 attrs_none, ((name=%s)(objectClass=site)), 
searched_site);
if (ret != LDB_SUCCESS) {
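Review bot: searched_site is interpolated into the (name=%s) filter without ldb_binary_encode, so any "(", ")", "*" or "\" in the site name changes the filter; the value comes from the directory's own subnet-to-site mapping rather than straight from the client, so the exposure is small, but filter values should be escaped as a rule (the extended_dn_in code in this same tree wraps objectSid in ldb_binary_encode). The added empty-string check implies samdb_client_site_name can return "" for "no site"; returning NULL in that case would make the contract cleaner than checking both.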
@@ -1461,7 +1461,7 @@ static NTSTATUS dodc_or_sysvol_referral(TALLOC_CTX *ctx,
client_addr = tsocket_address_inet_addr_string(remote_address, 
context);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(client_addr, context);
}
-
+   site_name = samdb_client_site_name(ldb, context, client_addr, NULL);
status = get_dcs(context, ldb, site_name, need_fqdn, set, 0);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,(Unable to get list of DCs\n));
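Review bot: client_addr is only assigned inside the preceding if block (the tsocket_address_inet_addr_string call guarded by NT_STATUS_HAVE_NO_MEMORY_AND_FREE), so when that block is skipped samdb_client_site_name(ldb, context, client_addr, NULL) is called with whatever client_addr held before; make sure it is initialised to NULL at declaration and that samdb_client_site_name tolerates NULL. The returned site_name is used unchecked, which is acceptable because get_dcs now handles NULL and empty names by listing DCs without a site preference, but a DEBUG line when no site matches the client would make "clients get referred to far-away DCs" diagnosable.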


-- 
Samba Shared Repository