Re: [Samba] tkey-gssapi-credential and bind (Samba4)
Hi Mauricio,

the easiest way to find out where named fails may be to do an

    strace -f /usr/sbin/named ...

(don't forget to set/export the keytab environment variables before doing so). Check the output of strace for accesses to the keytab file and you will get some hints about what's wrong. You may also want to check for the files mentioned below in the apparmor list.

In my apparmor config (Ubuntu 10.04) I had to add some more entries (the list is far from optimized, but it works for me).

    /opt/samba4/private/dns.keytab kr,
    /opt/samba4/private/named.conf.update kr,
    /opt/samba4/private/named.conf kr,
    /opt/samba4/private/dns/* krw,
    /var/tmp/krb5_* rw,
    /var/tmp/DNS_* rw,

If you like you can send me the strace log in private, I'll have a look. (AFAIK the allowed size of attachments on the list is quite small).

Bye,
Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Mauricio Tavares
Sent: Tuesday, 21 June 2011 21:23
To: samba@lists.samba.org
Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)

On Tue, Jun 21, 2011 at 1:14 PM, Aaron E. ssures...@gmail.com wrote:
> In my experience this is due to gssapi not being compiled to the correct directory for bind.. I also used 11.04 and my compile path was --with-gssapi=/usr/include/gssapi,, instead of /usr

Aaron, in my case it seems to be pointing to /usr:

    root@sambabox:~# named -V
    BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
    root@sambabox:~#

On 06/21/2011 10:45 AM, Marcel Ritter wrote:
> Hi Mauricio,
> this is usually caused by one of 3 things:
> 1) bind is started without KRB5_KTNAME being set, and therefore doesn't know where to look for its keytab

Marcel, what I have in /etc/default/bind9 is

    # Samba-related stuff
    KEYTAB_FILE=/var/lib/samba/private/dns.keytab
    KRB5_KTNAME=/var/lib/samba/private/dns.keytab
    export KEYTAB_FILE
    export KRB5_KTNAME

And here is what dns.keytab looks like:

    -rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

> 2) the bind user does not have access permission to the keytab (or any directory in its path)

As user bind (I edited /etc/passwd temporarily) I was able to reach that file:

    bind@sambabox:~$ cat /var/lib/samba/private/dns.keytab
    HTEST.DOMAIN.COMDNStest.domain.com [...]

> 3) I also had problems related to apparmor (on Ubuntu 10.04) where the apparmor security framework prevented bind from accessing the keytab, even if file permissions were ok

I edited /etc/apparmor.d/usr.sbin.named per http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html , adding the following lines:

    /var/lib/samba/private/* rw,
    /var/lib/samba/private/dns/* rw,

> Hope this helps,
> Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Mauricio Tavares
Sent: Tuesday, 21 June 2011 16:11
To: samba@lists.samba.org
Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

So I am in step 10 of the samba4 howto (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates); my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add

    tkey-gssapi-credential DNS/samdom.example.com;
    tkey-domain SAMDOM.EXAMPLE.COM;

to /etc/bind/named.conf.options. Since my test domain is test.domain.com, I changed the above to

    tkey-gssapi-credential DNS/test.domain.com;
    tkey-domain TEST.DOMAIN.COM;

In the log file I have:

    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
    Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
    Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
    Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
    Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
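The first two causes named in this thread (KRB5_KTNAME not set, and the bind user lacking access to the keytab or to a directory on its path) can be checked mechanically. The following is an added example, not code from the thread or from Samba or BIND; the function name `audit_keytab` and its uid/gid arguments are assumptions. It evaluates classic mode bits only, so AppArmor rules and POSIX ACLs still need the separate check discussed above.

```python
import os
import stat
import tempfile
from pathlib import Path


def _allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check; `want` is 0o4 (read) or 0o1 (search)."""
    if uid == 0:
        return True  # root bypasses mode bits for read and directory search
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & want)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & want)
    return bool(st.st_mode & want)


def audit_keytab(env, uid, gids):
    """Return a list of findings for the daemon identity (uid, gids).

    `env` is the environment the daemon is started with, for example the
    variables exported from /etc/default/bind9. An empty list means the
    mode-bit checks pass.
    """
    keytab = env.get("KRB5_KTNAME")
    if not keytab:
        return ["KRB5_KTNAME is not set in the daemon's environment"]
    if keytab.startswith("FILE:"):          # Kerberos keytab type prefix
        keytab = keytab[len("FILE:"):]
    path = Path(keytab)
    if not path.is_absolute():
        return [f"KRB5_KTNAME is not an absolute path: {keytab}"]

    findings = []
    # Every directory from / down to the keytab's parent must be searchable.
    for parent in reversed(path.parents):
        try:
            st = os.stat(parent)
        except OSError as exc:
            findings.append(f"cannot stat {parent}: {exc.strerror}")
            return findings
        if not _allowed(st, uid, gids, 0o1):
            findings.append(f"no search (x) permission on directory {parent}")

    try:
        st = os.stat(path)
    except OSError as exc:
        findings.append(f"cannot stat {path}: {exc.strerror}")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path} is not a regular file")
    if not _allowed(st, uid, gids, 0o4):
        findings.append(f"no read permission on {path}")
    # A keytab holds long-term keys; it should never be open to 'other'.
    if st.st_mode & 0o007:
        findings.append(
            f"{path} is accessible to 'other' (mode {stat.S_IMODE(st.st_mode):04o})"
        )
    return findings


if __name__ == "__main__":
    # Constructed tree standing in for /var/lib/samba/private/dns.keytab.
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    os.mkdir(private)
    os.chmod(private, 0o750)
    keytab = os.path.join(private, "dns.keytab")
    open(keytab, "wb").close()
    os.chmod(keytab, 0o640)
    # Hypothetical daemon identity that is neither owner nor group member.
    for finding in audit_keytab({"KRB5_KTNAME": keytab},
                                os.getuid() + 12345, {os.getgid() + 54321}):
        print(finding)
```

Run it as root with the uid and group ids of the bind account (for example from `pwd.getpwnam("bind")` and `os.getgrouplist`) so that every path component can be stat'ed.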
Re: [Samba] Lost performance between Samba 3.0.24 and 3.5.8 with high number of concurrent connections
2011/6/13 juan david jd.alar...@gmail.com

Hi,

We are trying to upgrade our roaming profile server from Debian Etch to Debian Squeeze. That means an upgrade from Samba 3.0.24 to Samba 3.5.8. Our production environment has above 600 concurrent users without problem. After the upgrade to Samba 3.5.8, the server can't manage above 200 users. With 'smbclient', the output is:

    Error [user] session setup failed: Call timed out: server did not respond after 2 milliseconds

We use Samba+Winbind+kerberos to validate users. After the upgrade I have tried all the configurations that I could imagine, without luck. After that I tried to simplify the problem; I made a test environment with the following smb.conf:

    [global]
    netbios name = yela
    security = share
    guest account = nobody

    [mdrive]
    path = /home/HUGU-Profiles/WinXP/enfgen.man
    browseable = yes
    public = yes
    guest ok = yes

Trivial, isn't it? The server is a Debian Squeeze with Linux Kernel 2.6.32-5 and Samba 3.5.8. From one client I ran the following script:

    #!/bin/bash
    # Connect to the share and list it 1000 times; report every failed attempt.
    connectAndList () {
        for i in $( seq 1 1000 )
        do
            fechaInicio=$( date )    # start time
            salida=$( smbclient //yela/mdrive -U nobody% -c ls 2> /dev/null )
            retorno=$?
            fechaFin=$( date )       # end time
            if [ ! $retorno -eq 0 ]
            then
                echo "$fechaInicio - Error $1 $salida - $fechaFin"
                sleep 1
            fi
        done
    }

    for j in $( seq 1 5 )
    do
        for i in $( seq 1 100 )
        do
            # Background each worker so the connections run concurrently.
            connectAndList $i $j &
        done
    done
    wait

To summarize, this script does 500 concurrent connections, lists the directory and repeats it. If one connection fails then it sleeps 1 second and tries again. Samba 3.0.24 runs the script with 1 or 2 failed connections per second. In Samba 3.5.8 we need to fall back to 200 concurrent connections; otherwise the server freezes and the load rises over 20. There isn't any error in the log. The server doesn't fail; it is the client which returns a timeout. Maybe the problem is in the connection reply, because once you have connected with 'smbclient' the following commands work without problem.

Does someone have Samba with above 300 concurrent users in a production environment? Does someone know something about this performance loss in connection time? In your production environment, how many users are there? Where is the limit?

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads user info .vs. wbinfo -g ?
That's really useful thanks.

John

On 21 June 2011 12:25, Robert Freeman-Day pres...@gmail.com wrote:
> On 06/20/2011 12:44 PM, John McNulty wrote:
>> The group names from these two commands display differently. For example:
>>
>> $ net ads user info my-name -U my-name
>> . .
>> Systems Engineering EU
>>
>> $ wbinfo -g
>> . .
>> systemsengineeringeu.write
>>
>> Why is this different?
>>
>> Regards, John
>
> John,
>
> The net command is a close relative to the net command for windows. It will display information in a format more like windows or ldap-like output. If you do this type of net command on your samba install:
>
>     net ads search "(SAMAccountName=adusername)" -P
>
> you will get all the entries from active directory, similar to the output from ADSIedit. The -P allows you to use your samba machine's credentials (if it is joined to the domain).
>
>     net ads search "(&(objectCategory=computer)(name=*rhel*))" -P
>
> Allows ldap-like searching.
>
> wbinfo and winbindd allow translation from windows account formats to unix-like account formats. This is why the outputs are different. If you were to do a
>
>     getent passwd aduser
>
> you will get a direct entry that is as if it was from /etc/passwd. It is actually getting info from winbindd and translating it on the fly.
>
> Hope that helps differentiate them.
>
> Robert
>
> --
> Robert Freeman-Day https://launchpad.net/~presgas
> GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
pam_access actually worked very well and is the most powerful / flexible of all the choices, so that's the one I'm going with. Thanks to everyone who replied.

John

On 20 June 2011 18:35, TAKAHASHI Motonobu mo...@monyo.com wrote:
> On 06/17/2011 12:28 PM, John McNulty wrote:
>> Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add require_membership_of to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well?
>
> From: John McNulty johnm...@gmail.com
> Date: Mon, 20 Jun 2011 10:50:45 +0100
>> The user accounts exist in Active Directory and we're using the rfc2307 schema. So the shell is set in AD. I cannot change the shell to /bin/false or that would affect all the other servers they login to.
>
> I see. You may manage local login with the facility of PAM, for example pam_access, pam_listfile or others...
>
> ---
> TAKAHASHI Motonobu mo...@monyo.com / @damemonyo http://damedame.monyo.com/ / http://facebook.com/monyot
[Samba] Different permissions displayed in security tab and advanced tab
Hello everyone,

Got a weird ACL issue:

First of all, my Linux host is fully ACL enabled (kernel support, file system support, mount with xattr, library support, samba compilation support, all set). Then a share is created with vfs acl_xattr and ea support on, got mounted on a Windows client as administrator, and a directory created right under the drive.

The issue is when I was checking out the security tab, as can be seen from attached screenshot, the administrator is displayed with no permission at all (nothing ticked) in the basic security tab, whereas the advanced tab shows the administrator with full control, which is self-contradictory and confusing. I then try to grant some permission to administrator by ticking and clicking apply, failed with the error "can't save the changes... the parameter is invalid".

I do suppose full control is correct because I can read, write and everything under the directory, plus getfacl from Linux side demonstrated that administrator is actually with rwx on the newly created directory.

Any idea why is this? Thanks in advance.

p.s. I have no problem adding/granting additional ACLs for users other than administrator.

Regards
-David
[Samba] getent group fails
Hi,

I've been debugging this for a day now and I am on the edge of my understanding and could use some help.

I have a smbd 3.5.6 running as a PDC (smb.conf below) with an openldap backend. If I run `getent passwd` I get all the users (local and Domain) and computer accounts that I've imported into the ldap tree. If I run `getent group`, I only see local groups:

    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
    disk:x:6:
    lp:x:7:
    powerdev:x:115:
    ntpd:x:116:
    winbindd_priv:x:117:

(don't know where winbind comes from. It's not in /etc/passwd)

I can see the imported groups in the ldap tree via phpLDAPadmin. I have cranked up the logging in slapd.conf and watched as I did both queries:

getent passwd

    Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 ACCEPT from IP=127.0.0.1:39071 (IP=0.0.0.0:389)
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk method=128
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk mech=SIMPLE ssf=0
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 RESULT tag=97 err=0 text=
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH base=dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixAccount)
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=115 text=
    Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 closed (connection lost)

nentries=115

getent group

    Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 ACCEPT from IP=127.0.0.1:39072 (IP=0.0.0.0:389)
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk method=128
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND dn=cn=admin,dc=example,dc=co,dc=uk mech=SIMPLE ssf=0
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 RESULT tag=97 err=0 text=
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH base=ou=group,dc=example,dc=co,dc=uk scope=1 deref=0 filter=((objectClass=posixGroup))
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 closed (connection lost)

nentries=0 and err=32

I tried to replicate the query using ldapsearch. I am not very familiar with ldapsearch. This was the best I could muster:

    ldapsearch -x -b 'dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'

This returned the groups from the ldap tree correctly:

    ...
    ...
    # Backup Operators, Groups, example.co.uk
    dn: cn=Backup Operators,ou=Groups,dc=example,dc=co,dc=uk
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 551
    cn: Backup Operators
    description: Netbios Domain Members can bypass file security to back up files
    sambaSID: S-1-5-32-551
    sambaGroupType: 5
    displayName: Backup Operators

    # Replicators, Groups, example.co.uk
    dn: cn=Replicators,ou=Groups,dc=example,dc=co,dc=uk
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 552
    cn: Replicators
    description: Netbios Domain Supports file replication in a sambaDomainName
    sambaSID: S-1-5-32-552
    sambaGroupType: 5
    displayName: Replicators

    # search result
    search: 2
    result: 0 Success

    # numResponses: 10
    # numEntries: 9

The difference as far as I can tell is between the two searches

    SRCH base=ou=group,dc=example,dc=co,dc=uk scope=1 deref=0 filter=((objectClass=posixGroup)) # Failed lookup

and

    SRCH base=dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixGroup) # Working lookup

The first one confines itself to the base 'group' ou, whereas the working search starts at the root and does not restrict itself.

If I do (notice ou=groups)

    ldapsearch -x -b 'ou=groups,dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'

I see this:

    Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 ACCEPT from IP=127.0.0.1:51550 (IP=0.0.0.0:389)
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 BIND dn= method=128
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 RESULT tag=97 err=0 text=
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH base=ou=groups,dc=example,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixGroup)
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=9 text=
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=2 UNBIND
    Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 closed

and get this by way of response:

    # search result
    search: 2
    result: 0 Success

    # numResponses: 10
    # numEntries: 9

    # CORRECT!

If I do the search as it looks like it's being sent to ldap, EG: ou=group NOT ou=groups

    ldapsearch -x -b 'ou=group,dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'

I see:

    Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 ACCEPT from IP=127.0.0.1:42136 (IP=0.0.0.0:389)
    Jun 22 13:36:07 rigel
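The manual comparison in this post (pair each SRCH line with its SEARCH RESULT, then look at the base of the one that returned err=32) can be automated. The following is an added example, not part of the original post or of OpenLDAP; the function names and the sample log, which is constructed on the model of the lines above, are assumptions. LDAP result code 32 is noSuchObject, meaning the search base itself was not found.

```python
import re
from difflib import get_close_matches

# slapd normally quotes the base DN; the regex accepts quoted and bare forms.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base=(?:"([^"]*)"|(\S*)) scope=(\d)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')
SCOPES = {"0": "base", "1": "one", "2": "sub"}

# Constructed sample modelled on the log lines in the post.
SAMPLE_LOG = '''\
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid userPassword uidNumber gidNumber
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH base="ou=groups,dc=example,dc=co,dc=uk" scope=2 deref=0 filter="(objectClass=posixGroup)"
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=9 text=
'''


def correlate(lines):
    """Pair every SRCH request with its SEARCH RESULT using (conn, op)."""
    pending, searches = {}, []
    for line in lines:
        m = SRCH.search(line)
        if m:
            base = m.group(3) if m.group(3) is not None else m.group(4)
            pending[(m.group(1), m.group(2))] = {
                "base": base,
                "scope": SCOPES.get(m.group(5), m.group(5)),
            }
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            entry = pending.pop((m.group(1), m.group(2)))
            entry.update(conn=int(m.group(1)), op=int(m.group(2)),
                         err=int(m.group(3)), nentries=int(m.group(4)))
            searches.append(entry)
    return searches


def diagnose(lines):
    """Report searches that failed with err=32 and the nearest base that worked."""
    searches = correlate(lines)
    # Bases that returned entries, keyed case-insensitively as DNs compare.
    working = {s["base"].lower(): s["base"]
               for s in searches if s["err"] == 0 and s["nentries"] > 0}
    report = []
    for s in searches:
        if s["err"] != 32:
            continue
        near = get_close_matches(s["base"].lower(), list(working), n=1, cutoff=0.8)
        report.append({**s,
                       "meaning": "noSuchObject: the search base does not exist",
                       "closest_working_base": working[near[0]] if near else None})
    return report


if __name__ == "__main__":
    for item in diagnose(SAMPLE_LOG.splitlines()):
        print(f"conn={item['conn']} base={item['base']!r} scope={item['scope']}: "
              f"{item['meaning']}; closest working base: "
              f"{item['closest_working_base']!r}")
```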
Re: [Samba] Samba 3.3.15 Ignoring Logon Path and Logon Home to Disable Roaming Profiles
From: Charles Kozler char...@fixflyer.com
Date: Mon, 20 Jun 2011 13:53:40 -0400
> I had tried that already and it still did not work. I tried creating new users after setting the aforementioned configuration settings to Samba but it still did not work.

You are using smbldap-tools, so you have to unset userProfile in smbldap.conf.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo http://damedame.monyo.com/ / http://facebook.com/monyot
Re: [Samba] Different permissions displayed in security tab and advanced tab
David,

Samba does not have the ability to change the permissions of directories on the security tab, and many times they will not be displayed either. As you have already discovered, permissions on directories are changed in Advanced. The permissions of files can be manipulated on the security tab.

Dale

On 06/22/2011 4:28 AM, David Roid wrote:
> Hello everyone,
>
> Got a weird ACL issue:
>
> First of all, my Linux host is fully ACL enabled (kernel support, file system support, mount with xattr, library support, samba compilation support, all set). Then a share is created with vfs acl_xattr and ea support on, got mounted on a Windows client as administrator, and a directory created right under the drive.
>
> The issue is when I was checking out the security tab, as can be seen from attached screenshot, the administrator is displayed with no permission at all (nothing ticked) in the basic security tab, whereas the advanced tab shows the administrator with full control, which is self-contradictory and confusing. I then try to grant some permission to administrator by ticking and clicking apply, failed with the error "can't save the changes... the parameter is invalid".
>
> I do suppose full control is correct because I can read, write and everything under the directory, plus getfacl from Linux side demonstrated that administrator is actually with rwx on the newly created directory.
>
> Any idea why is this? Thanks in advance.
>
> p.s. I have no problem adding/granting additional ACLs for users other than administrator.
>
> Regards
> -David
Re: [Samba] Samba 3.3.15 Ignoring Logon Path and Logon Home to Disable Roaming Profiles
From: Charles Kozler char...@fixflyer.com
Date: Wed, 22 Jun 2011 12:52:35 -0400
> As I had previously noted, if there is an LDAP entry for a profile path specified, will Windows try to force load a roaming profile and Samba options ignored?

In modern passdb such as ldapsam and tdbsam (not smbpasswd), Samba parameters such as logon path, logon home are only defined as the default value. After a user is created and the default value is set, these parameters are ignored.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo http://damedame.monyo.com/ / http://facebook.com/monyot
[Samba] getting winbindd errors on OS X Server 10.6.6
All,

I am attempting to resolve an issue that our OS X Server is having. It's running 10.6.6 and samba 3.0.28a-apple. In the last two weeks we've been rebooting this server multiple times a day because it stops responding to smb requests. A look at the logs reveals the following two error messages repeated hundreds of times:

    6/17/11 6:18:00 PM /usr/sbin/winbindd[231] dnssd_clientstub deliver_request: socketpair failed 24 (Too many open files)
    6/17/11 6:18:00 PM /usr/sbin/winbindd[13089] dnssd_clientstub deliver_request: socketpair failed 24 (Too many open files)

The messages stop on the reboot and don't come back for a period of time. We typically have 60-75 clients connected to the system, which hosts files for a software build system. We don't think there's been a significant change in the way the clients interact with the server, nor have any software changes been made on the server.

Any help figuring out what to do next is appreciated!

--
Michael Porter
Senior Desktop Admin and Project Lead
650-357-3415
michael.por...@efi.com
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9e766f0 samba-tool: added missing GUID component checks to dbcheck via 505dce2 pyldb: added methods to get/set extended components on DNs via 202f0a4 pydsdb: added get_syntax_oid_from_lDAPDisplayName() via 341884c ldb: added extended_str() method to pyldb via dd5350b ldb: expose syntax oids to python via c4a7908 samba-tool: try to keep dbcheck.py in a logical ordering via c46f808 s4-dsdb: don't add zero GUID to BINARY_DN from c173e6e s3-spoolss: Fix some valgrind warnings. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9e766f019bff74ec9c1d5df326cdea2c7fe05e2a Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:44:36 2011 +1000 samba-tool: added missing GUID component checks to dbcheck Pair-Programmed-With: Andrew Bartlett abart...@samba.org Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104 commit 505dce2d3aa95d475e12c4e5e4e2b3f1907bdd84 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:44:12 2011 +1000 pyldb: added methods to get/set extended components on DNs this will be used by the dbcheck code Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 202f0a4b576d78928a403b68f3e057d3a425bddf Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:41:50 2011 +1000 pydsdb: added get_syntax_oid_from_lDAPDisplayName() this gives you access to the syntax oid of an attribute Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 341884c835b9c5785794cba562c2a21939eb4bce Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 13:49:37 2011 +1000 ldb: added extended_str() method to pyldb this gives access to ldb_dn_get_extended_linearized() from python Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit dd5350b0a87c82be7d0b0d124885ecfd73bb1b5b Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 12:34:32 2011 +1000 ldb: expose syntax oids to python Pair-Programmed-With: Andrew Bartlett 
abart...@samba.org commit c4a7908f46e7005f323eeca5fd38ec9e88a54aa9 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 12:23:05 2011 +1000 samba-tool: try to keep dbcheck.py in a logical ordering keep individual error handlers together and separate from driver code commit c46f80824b649647b5a61364a1b8fe26267bbdd9 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 11:56:40 2011 +1000 s4-dsdb: don't add zero GUID to BINARY_DN When converting from DRS to ldb format for a BINARY_DN, don't add the GUID extended DN element if the GUID is all zeros. Pair-Programmed-With: Andrew Bartlett abart...@samba.org --- Summary of changes: source4/dsdb/pydsdb.c| 40 ++ source4/dsdb/schema/schema_syntax.c | 20 ++-- source4/lib/ldb/pyldb.c | 77 +++ source4/scripting/python/samba/netcmd/dbcheck.py | 160 + source4/scripting/python/samba/samdb.py |5 + 5 files changed, 262 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index 62f33bb..5ca6b02 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c 
@@ -331,6 +331,38 @@ static PyObject *py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject } /* + return the attribute syntax oid as a string from the attribute name + */ +static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, PyObject *args) +{ + PyObject *py_ldb; + struct ldb_context *ldb; + struct dsdb_schema *schema; + const char *ldap_display_name; + const struct dsdb_attribute *attribute; + + if (!PyArg_ParseTuple(args, Os, py_ldb, ldap_display_name)) + return NULL; + + PyErr_LDB_OR_RAISE(py_ldb, ldb); + + schema = dsdb_get_schema(ldb, NULL); + + if (!schema) { + PyErr_SetString(PyExc_RuntimeError, Failed to find a schema from ldb); + return NULL; + } + + attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); + if (attribute == NULL) { + PyErr_Format(PyExc_RuntimeError, Failed to find attribute '%s', ldap_display_name); + return NULL; + } + + return PyString_FromString(attribute-syntax-ldap_oid); +} + +/* convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute */ static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args) @@ -802,6 +834,8 @@ static PyMethodDef py_dsdb_methods[] = { METH_VARARGS, NULL }, {
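Review bot: The final return in py_dsdb_get_syntax_oid_from_lDAPDisplayName() dereferences attribute->syntax->ldap_oid after only attribute itself has been checked for NULL. If the schema can hold an attribute whose syntax was not resolved, that is a NULL dereference inside the Python interpreter process, so add a test for attribute->syntax beside the attribute == NULL test and raise an error the same way. A lookup miss on the attribute name would also be easier for callers to handle as KeyError than as the generic RuntimeError used here.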
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs via e5378e6 s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() via b98428e s4:auth/kerberos: reformat kerberos_kinit_password_cc() via 9c56303 s4:auth/kerberos: don't mix s4u2self creds with machine account creds via b3d4962 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() via 7cf3842 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() from 9e766f0 samba-tool: added missing GUID component checks to dbcheck http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ede3046b8b9b0576a35626026cb28c31b42da46d Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 21 01:39:58 2011 +0200 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belongs to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104 commit e5378e600e507241dd64c1ea7345676076dc8755 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 21:23:45 2011 +0200 s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() This will make the following changes easier to review. metze commit b98428e630cc5a1bbc18bf4260030a24322fdf9e Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 21:09:13 2011 +0200 s4:auth/kerberos: reformat kerberos_kinit_password_cc() In order to make the following changes easier to review. metze commit 9c56303f5a56697470ea9f2ee1a428aed2367d75 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 15:27:58 2011 +0200 s4:auth/kerberos: don't mix s4u2self creds with machine account creds It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. 
We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze commit b3d49620875d878e2ad39896a6fe9fddb039253e Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 18:01:49 2011 +0200 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() This will make the following changes easier to review. metze commit 7cf38425b274c43144a2216accf5330d8ef1fe36 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 17:41:52 2011 +0200 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() metze --- Summary of changes: source4/auth/kerberos/kerberos.c | 228 + 1 files changed, 178 insertions(+), 50 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 0db0dd3..fa8c64b 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c 
@@ -84,82 +84,210 @@ The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) */ - krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - krb5_principal principal, const char *password, - krb5_principal impersonate_principal, const char *target_service, + krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache store_cc, + krb5_principal init_principal, + const char *init_password, + krb5_principal impersonate_principal, + const char *target_service, krb5_get_init_creds_opt *krb_options, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_creds my_creds; - krb5_creds *impersonate_creds; krb5_get_creds_opt options; + krb5_principal store_principal; + krb5_creds store_creds; + const char *self_service = target_service; + krb5_creds *s4u2self_creds; + krb5_principal self_princ; + krb5_ccache tmp_cc; + const char *self_realm; + krb5_principal blacklist_principal = NULL; - /* If we are not impersonating, then get this ticket for the + /* +* If we are not impersonating, then get this ticket for the * target service, otherwise a krbtgt, and get the next
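Review bot: In the new declaration block of kerberos_kinit_password_cc(), store_principal, self_princ, tmp_cc and s4u2self_creds are declared without initializers while blacklist_principal is set to NULL. With the function now acting on return codes and growing several exit paths, initialize the handles to NULL and zero store_creds, so that one cleanup path can release exactly what was acquired. Given the commit message about not keeping the machine account TGT in the same krb5_ccache as the impersonated principal's ticket, it would also help to state in the comment which cache holds which credentials and to confirm that tmp_cc is destroyed on every return, error paths included.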
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 21af0af s3: Added missing includes to .clang_complete. from ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 21af0af4e4a498bc676125507fdb96fa5b0e5cd5 Author: Andreas Schneider a...@samba.org Date: Tue Jun 21 15:09:28 2011 +0200 s3: Added missing includes to .clang_complete. Autobuild-User: Andreas Schneider a...@cryptomilk.org Autobuild-Date: Wed Jun 22 11:15:56 CEST 2011 on sn-devel-104 --- Summary of changes: source3/.clang_complete |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/.clang_complete b/source3/.clang_complete index 52de1ac..46925f9 100644 --- a/source3/.clang_complete +++ b/source3/.clang_complete @@ -1,5 +1,6 @@ -I. -I./.. +-I./../lib -I./../lib/replace -I./../lib/talloc -I./../lib/tevent @@ -7,6 +8,7 @@ -I./../lib/iniparser/src -I./../lib/popt -I./../lib/tdb/include +-I./../lib/tdb_compat -I./include/autoconf -I./include -I./librpc -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a353b49 s4-dsdb: bypass validation when relax set via 6d1fe05 samba-tool: allow for running dbcheck against a remove ldap server via ff8cdee samba-tool: expanded dbcheck DN checking via c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in via d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in from 21af0af s3: Added missing includes to .clang_complete. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 18:14:14 2011 +1000 s4-dsdb: bypass validation when relax set this allows dbcheck to fix bad attributes Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104 commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:38:19 2011 +1000 samba-tool: allow for running dbcheck against a remove ldap server this is useful for running it against a Windows server commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:08:28 2011 +1000 samba-tool: expanded dbcheck DN checking this now checks for bad GUID elements in DN links, and offers to fix them when possible Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:07:39 2011 +1000 s4-dsdb: prioritise GUID in extended_dn_in if we search with a base DN that has both a GUID and a SID, then use the GUID first. This matters for the S-1-5-17 SID. Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:05:08 2011 +1000 s4-dsdb: catch duplicate matches in extended_dn_in When searching using extended DNs, if there are multiple matches then return an object not found error. 
This is needed for the case of a duplicate objectSid, which happens for S-1-5-17 Pair-Programmed-With: Andrew Bartlett abart...@samba.org --- Summary of changes: source4/dsdb/samdb/ldb_modules/extended_dn_in.c| 31 +++- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |3 +- source4/scripting/python/samba/netcmd/dbcheck.py | 144 3 files changed, 143 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 3e2004d..9a70d9a 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are switch (ares-type) { case LDB_REPLY_ENTRY: + if (ac-basedn) { + /* we have more than one match! This can + happen as S-1-5-17 appears twice in a + normal provision. We need to return + NO_SUCH_OBJECT */ + const char *str = talloc_asprintf(req, Duplicate base-DN matches found for '%s', + ldb_dn_get_extended_linearized(req, ac-req-op.search.base, 1)); + ldb_set_errstring(ldb_module_get_ctx(ac-module), str); + return ldb_module_done(ac-req, NULL, NULL, + LDB_ERR_NO_SUCH_OBJECT); + } + if (!ac-wellknown_object) { ac-basedn = talloc_steal(ac, ares-message-dn); break; @@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req guid_val = ldb_dn_get_extended_component(dn, GUID); wkguid_val = ldb_dn_get_extended_component(dn, WKGUID); - if (sid_val) { + /* + prioritise the GUID - we have had instances of + duplicate SIDs in the database in the + ForeignSecurityPrinciples due to provision errors +*/ + if (guid_val) { all_partitions = true; base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module)); - base_dn_filter = talloc_asprintf(req, (objectSid=%s), -ldb_binary_encode(req, *sid_val)); + base_dn_filter = talloc_asprintf(req, (objectGUID=%s), +
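Review bot: In the extended_base_callback hunk (@@ -103), the result of talloc_asprintf() is handed to ldb_set_errstring() without a NULL check, so an allocation failure on this error path silently loses the duplicate-match diagnostic. ldb_asprintf_errstring() formats directly into the ldb context and avoids the temporary string hung off req. The comment could also state that LDB_ERR_NO_SUCH_OBJECT is chosen deliberately so that an ambiguous SID never resolves to an arbitrary one of the matching objects.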
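Review bot: In the extended_dn_in_fix hunk (@@ -303), the new comment misspells the container as "ForeignSecurityPrinciples" (ForeignSecurityPrincipals) and attributes duplicate SIDs to provision errors, while the comment added in the @@ -103 hunk says S-1-5-17 appears twice in a normal provision. Align the two comments so a reader can tell whether duplicate SIDs are an expected state or a fault that dbcheck should repair.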
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d4c30a5 Update eDirectory schema from a353b49 s4-dsdb: bypass validation when relax set http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c Author: Jim McDonough j...@samba.org Date: Wed Jun 22 07:36:20 2011 -0400 Update eDirectory schema Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Wed Jun 22 14:48:09 CEST 2011 on sn-devel-104 --- Summary of changes: examples/LDAP/samba-nds.schema | 69 +++ 1 files changed, 20 insertions(+), 49 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 0b3cf66..369670b 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema @@ -35,7 +35,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) ## ## Password timestamps policies @@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 en dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) ## ## SID, of any type 
@@ -137,7 +137,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Conc dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) ## ## Primary group SID, compatible with ntSid 
@@ -287,47 +287,13 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DES dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted
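Review bot: In the sambaSID hunk (@@ -137), SUBSTR changes to caseExactIA5SubstringsMatch while EQUALITY stays caseIgnoreIA5Match, so equality and substring filters on the same attribute now disagree about case. Either keep both rules on the same case behaviour or record why eDirectory needs the exact-match substring rule; the sambaAcctFlags hunk (@@ -35) drops SUBSTR altogether, and the commit message "Update eDirectory schema" explains neither change.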
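Review bot: The @@ -287 hunk adds sambaClearTextPassword, described as "Clear text password (used for trusted domain passwords)", with nothing in the schema file or the commit message about who may read it. Add a comment next to the definition saying the attribute has to be protected by directory ACLs so that only the Samba service identity can read or write it. The visible lines of the same hunk also remove the sambaTrustType through sambaTrustAuthIncoming definitions; because the changeset is truncated it is not clear whether they are re-added further down, so the commit message should say whether directories that already use those attributes are affected.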
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy via 033f337 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs via b9e095f s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() from d4c30a5 Update eDirectory schema http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a8ac842701b65c0abd9731545792c2a0fd2aa79 Author: Stefan Metzmacher me...@samba.org Date: Fri Mar 11 08:32:22 2011 +0100 s4:ntvfs/cifs: add option to use S4U2Proxy Note: this doesn't work against a Samba4 KDC yet. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104 commit 033f3376a834c1078b377647069b7e30aef59667 Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 21 11:05:15 2011 +0200 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze commit b9e095fdfb684005f9bb5c1d943b2a0705308500 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 20:28:44 2011 +0200 s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze --- Summary of changes: source4/auth/kerberos/kerberos.c | 181 - source4/auth/kerberos/kerberos.h |4 +- source4/auth/kerberos/kerberos_util.c |1 + source4/ntvfs/cifs/vfs_cifs.c | 49 + 4 files changed, 230 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index fa8c64b..0fc9d14 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c 
@@ -81,13 +81,16 @@ The impersonate_principal is the principal if NULL, or the principal to impersonate - The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) + The self_service, should be the local service (for S4U2Self if impersonate_principal is given). + + The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or a remote service (for S4U2Proxy) */ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache store_cc, krb5_principal init_principal, const char *init_password, krb5_principal impersonate_principal, + const char *self_service, const char *target_service, krb5_get_init_creds_opt *krb_options, time_t *expire_time, time_t *kdc_time) @@ -96,12 +99,21 @@ krb5_get_creds_opt options; krb5_principal store_principal; krb5_creds store_creds; - const char *self_service = target_service; krb5_creds *s4u2self_creds; + Ticket s4u2self_ticket; + size_t s4u2self_ticketlen; + krb5_creds *s4u2proxy_creds; krb5_principal self_princ; + bool s4u2proxy; + krb5_principal target_princ; krb5_ccache tmp_cc; const char *self_realm; krb5_principal blacklist_principal = NULL; + krb5_principal whitelist_principal = NULL; + + if (impersonate_principal self_service == NULL) { + return EINVAL; + } /* * If we are not impersonating, then get this ticket for the @@ -168,6 +180,18 @@ krb5_free_cred_contents(ctx, store_creds); /* +* Check if we also need S4U2Proxy or if S4U2Self is +* enough in order to get a ticket for the target. +*/ + if (target_service == NULL) { + s4u2proxy = false; + } else if (strcmp(target_service, self_service) == 0) { + s4u2proxy = false; + } else { + s4u2proxy = true; + } + + /* * For S4U2Self we need our own service principal, * which belongs to our own realm (available on * our client principal). 
@@ -197,6 +221,14 @@ return code; } + if (s4u2proxy) { + /* +* If we want S4U2Proxy, we need the forwardable flag +* on the S4U2Self ticket. +*/ + krb5_get_creds_opt_set_options(ctx, options, KRB5_GC_FORWARDABLE); + } + code = krb5_get_creds_opt_set_impersonate(ctx,
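Review bot: In the @@ -81 hunk, the comment says self_service "should be the local service", but the @@ -96 hunk returns EINVAL when it is NULL and impersonate_principal is given, so for impersonation it is mandatory. Say so in the comment, and note there that self_service and target_service are adjacent parameters of the same type, so a caller that swaps them compiles cleanly and requests a ticket for the wrong service.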
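Review bot: In the @@ -168 hunk, strcmp(target_service, self_service) dereferences self_service, yet the guard added in the @@ -96 hunk only rejects a NULL self_service when impersonate_principal is set. If this block can be reached without impersonation, a NULL self_service crashes here; confirm the non-impersonating path returns before this point or test self_service for NULL before the comparison. The test is also a byte-wise comparison of service strings, so two spellings of the same service name would be treated as different and select S4U2Proxy; a comment stating that callers must pass identically formatted names would make that requirement explicit.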
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 from 5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ae6a7f945f8a48a2b4b2c6cc43a0efee4f134a8b Author: Stefan Metzmacher me...@samba.org Date: Wed Jun 22 18:25:30 2011 +0200 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104 --- Summary of changes: source4/winbind/wb_init_domain.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index 50a6af0..9847afb 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -154,7 +154,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx, (lpcfg_server_role(service-task-lp_ctx) == ROLE_DOMAIN_CONTROLLER)) (dom_sid_equal(state-domain-info-sid, state-service-primary_sid))) { - state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL; + state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_128; /* For debugging, it can be a real pain if all the traffic is encrypted */ if (lpcfg_winbind_sealed_pipes(service-task-lp_ctx)) { -- Samba Shared Repository
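Review bot: The changed line ORs DCERPC_SCHANNEL_128 into the netlogon binding flags unconditionally, and neither the hunk nor the commit message says what happens against a DC that does not offer 128-bit schannel. Add a comment stating whether the flag is a requirement or an offer, and confirm that a connection to an older DC either negotiates down explicitly or fails, rather than continuing without schannel protection.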
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via a9e4592 s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch
  via ef7940f s4-dbcheck: remove unused include
  via 4d51ddb s4-schema: avoid segfaulting if id3.guid is NULL
  via 249fbd8 s4-samba_dnsupdate: set environment via the env parameter
  via c2dfaa2 s4-upgradeprovision: Don't forget to populate the non replicated objects, and don't touch rIDPreviousAllocationPool
  via 2f4251c dbchecker: cope with a broken link to Deleted Objects
  via 4fe9ebc dbchecker: fixed argument error for -H and DN
  via 6b939f4 dbchecker: when fixing a bad GUID in a DN, search by the string DN
  via 9676c26 samba-tool: added --attrs option to dbcheck
  via 7fff636 samba-tool: make the dbcheck class available outside of samba-tool
  via 9be9f0e samba-tool: added --quiet option to dbcheck
  from ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit a9e45923369e3171cb7f42284f52ce3c4c8b0a4b
Author: Matthieu Patou m...@matws.net
Date: Wed Jun 22 21:28:25 2011 +0400

s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch

Autobuild-User: Matthieu Patou m...@samba.org
Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104

commit ef7940f7be7de238a693cfba649faf8b67b7da3a
Author: Matthieu Patou m...@matws.net
Date: Wed Jun 22 21:28:00 2011 +0400

s4-dbcheck: remove unused include

commit 4d51ddbb5c9e4465887d9fcd2c10de3f46c6a12a
Author: Matthieu Patou m...@matws.net
Date: Wed Jun 22 20:54:37 2011 +0400

s4-schema: avoid segfaulting if id3.guid is NULL

commit 249fbd8a334b4d19f9148e07449fec3f26b8267d
Author: Matthieu Patou m...@matws.net
Date: Tue Jun 21 13:39:28 2011 +0400

s4-samba_dnsupdate: set environment via the env parameter

I faced a situation where the os.environ(KRB5CCNAME) = ... didn't seem to be effective

commit c2dfaa2580918cf31069c1063ff07a819ca0554a
Author: Matthieu Patou m...@matws.net
Date: Tue Jun 21 13:37:26 2011 +0400

s4-upgradeprovision: Don't forget to populate the non replicated objects, and don't touch rIDPreviousAllocationPool

commit 2f4251c389f5fa92bfba10739677a760f0bdf198
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 22:06:18 2011 +1000

dbchecker: cope with a broken link to Deleted Objects

if a DN link to Deleted Objects has a bad GUID, we need to use show_deleted

commit 4fe9ebc2e3e09befe8d7a2ce577336eefd9b9694
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 21:22:39 2011 +1000

dbchecker: fixed argument error for -H and DN

commit 6b939f4a9c19cd868ac1b6d77cc26662e2726e8c
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 20:53:44 2011 +1000

dbchecker: when fixing a bad GUID in a DN, search by the string DN

commit 9676c26fdd7ca53405abd06f58ae40d39d818e4d
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 20:44:35 2011 +1000

samba-tool: added --attrs option to dbcheck

this allows checking of a specific list of attributes

commit 7fff636bce2576a63170bf3cc555eb85b8fefd67
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 20:01:58 2011 +1000

samba-tool: make the dbcheck class available outside of samba-tool

this will be used in provision, and probably in upgradeprovision as well

commit 9be9f0e43c9312094a42efa236791dfcd95dc9f9
Author: Andrew Tridgell tri...@samba.org
Date: Wed Jun 22 19:32:45 2011 +1000

samba-tool: added --quiet option to dbcheck

this will be used to allow for other tools (such as provision) to call into dbcheck without generating a lot of noise

---

Summary of changes:
source4/dsdb/schema/schema_syntax.c | 3 +-
source4/scripting/bin/samba_dnsupdate | 2 +-
source4/scripting/bin/upgradeprovision | 6 +-
.../samba/{netcmd/dbcheck.py = dbchecker.py} | 182 +---
source4/scripting/python/samba/netcmd/dbcheck.py | 307 ++--
5 files changed, 102 insertions(+), 398 deletions(-)
copy
source4/scripting/python/samba/{netcmd/dbcheck.py = dbchecker.py} (61%) Changeset truncated at 500 lines: diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c index f542f67..a93cdfa 100644 --- a/source4/dsdb/schema/schema_syntax.c +++ b/source4/dsdb/schema/schema_syntax.c @@ -1995,10 +1995,9 @@ static WERROR dsdb_syntax_DN_BINARY_drsuapi_to_ldb(const struct dsdb_syntax_ctx talloc_free(tmp_ctx); return WERR_FOOBAR; } + talloc_free(guid_blob.data); } - talloc_free(guid_blob.data); -
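Review bot: In the dsdb_syntax_DN_BINARY_drsuapi_to_ldb hunk (@@ -1995), talloc_free(guid_blob.data) moves inside the block, but the WERR_FOOBAR return visible just above it frees only tmp_ctx. If guid_blob.data is not allocated under tmp_ctx, that early return leaks the blob; parenting it to tmp_ctx would clean up every exit path and make the explicit free unnecessary. The commit message ("avoid segfaulting if id3.guid is NULL") should also name the call that faulted, since the visible lines do not show the NULL test that now guards the free.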
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4f7f143 dfsreferral: search client's site and use it from a9e4592 s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4f7f1430268f0ab5447fe189da6435bdd8e0614e Author: Matthieu Patou m...@matws.net Date: Thu Jun 23 02:35:50 2011 +0400 dfsreferral: search client's site and use it Autobuild-User: Matthieu Patou m...@samba.org Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104 --- Summary of changes: source4/smb_server/smb/trans2.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/smb_server/smb/trans2.c b/source4/smb_server/smb/trans2.c index b3aa690..72babd5 100644 --- a/source4/smb_server/smb/trans2.c +++ b/source4/smb_server/smb/trans2.c @@ -1107,7 +1107,7 @@ static NTSTATUS get_dcs(TALLOC_CTX *ctx, struct ldb_context *ldb, } talloc_free(r); - if (searched_site != NULL) { + if (searched_site != NULL searched_site[0] != '\0') { ret = ldb_search(ldb, subctx, r, configdn, LDB_SCOPE_SUBTREE, attrs_none, ((name=%s)(objectClass=site)), searched_site); if (ret != LDB_SUCCESS) { @@ -1461,7 +1461,7 @@ static NTSTATUS dodc_or_sysvol_referral(TALLOC_CTX *ctx, client_addr = tsocket_address_inet_addr_string(remote_address, context); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(client_addr, context); } - + site_name = samdb_client_site_name(ldb, context, client_addr, NULL); status = get_dcs(context, ldb, site_name, need_fqdn, set, 0); if (!NT_STATUS_IS_OK(status)) { DEBUG(3,(Unable to get list of DCs\n)); -- Samba Shared Repository
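Review bot: In the get_dcs hunk (@@ -1107), searched_site is formatted into the LDAP filter through a bare %s. The added empty-string test removes the degenerate empty name match, but a site name containing filter metacharacters such as "*", "(" or ")" would still change the query; pass it through ldb_binary_encode_string() before building the filter, as the ldb modules do for other filter values.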
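Review bot: In the dodc_or_sysvol_referral hunk (@@ -1461), samdb_client_site_name() is called after the closing brace of the block that assigns client_addr, so when that block is skipped client_addr carries only its initial value. Confirm it is initialised to NULL and that samdb_client_site_name() accepts a NULL address. The returned site_name also goes to get_dcs() unchecked; the first hunk makes NULL and empty strings fall through to the unfiltered search, which means an allocation failure here is indistinguishable from a client with no site.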