Re: [Samba] Interdomain Trusts winbind
Quoting j...@hytronix.com (j...@hytronix.com):
> Suggestions anyone? I can post whatever portions of an smb.conf that might be helpful of course.

Upgrade samba? 3.0.29 is really old and issues with supplemental groups are maybe not surprising. I doubt that anyone can really bring some support for versions below latest 3.4 or 3.5, now.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] basic LDAP authentication to Samba share from existing directory
We use pGINA (www.pgina.org) to authenticate windows user logins via ldaps:// against the university directory. Don't know if that will fit your model, but it works for us.

--
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660
Don't Blend in...

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brent Busby
Sent: Wednesday, June 29, 2011 4:59 PM
To: samba@lists.samba.org
Subject: [Samba] basic LDAP authentication to Samba share from existing directory

We have an existing LDAP directory in which users have UNIX passwords that are used for a variety of different services. We'd like to keep as close to having a single synchronized password service as possible, but we've run into an issue. There seem to be two ways of doing this, neither of which seem helpful:

(1) ldapsam

From looking at the Samba documentation that's available, it looks like there is no possibility of true password synchronization between NT passwords and UNIX. (Please correct me if that's not so -- I'd really like to be wrong!) You setup the samba.schema on the LDAP server, which gives you the sambaNTPassword objectClass (among others), and that stores the clients' Windows password. They still have regular UNIX password capability from the inetorgperson.schema. These are two separate password fields, provided by two different schemas, both belonging to the same user's LDAP account. Basically, you've got two account systems in the same user's LDAP data, completely separate. (Is all this true so far?)

You use the ldapsam passdb backend to connect Samba to your LDAP server, and when a Windows machine wants to change its NT password, it can use that backend to do it.

None of this seems to be helping get any closer to allowing Windows clients to authenticate off of the same password database as our UNIX services. There's a utility called smbldap-populate, but all this seems to do is go through an existing user database and give the users the new Samba object classes if they don't have them. It doesn't really translate their UNIX passwords into NT passwords and fill them in, does it?

(2) pam_unix

On the other hand, there is a more apocryphal (and dangerous) way to do this, which does what we want, but is completely insecure: You can setup Samba to use pam_unix to authenticate, so that it is using the local UNIX security stack rather than its own ldapsam passdb, and then setup PAM to do LDAP auth at the UNIX level (the same way you would if you were setting the machine up to allow LDAP login for SSH or some other such UNIX service).

The reason that's insecure is because since PAM doesn't know what to do with an encrypted NT password, it is necessary to setup both the Windows clients and the smb.conf on the Samba server for encrypted passwords = no, which then makes it so that even if you're doing secure LDAP over SSL/TLS, you're still screwed because your passwords get sent from the Windows clients in cleartext. So you get:

    WINDOWS --cleartext--> SAMBA --ldap ssl/tls encrypted--> LDAP

It's only encrypted for part of the trip, which isn't good enough at all. This method does however let you authenticate Windows clients directly off of an existing UNIX password database in LDAP, and works perfectly if you don't mind having passwords flying around in the clear on your LAN.

Does anyone have any suggestions on this? I've pored over literally reams of Samba and LDAP documentation in the past week or so, looking for an answer to this. It hasn't helped that most of the documentation seems to be aimed at setting up Samba as a full scale NT Primary Domain Controller, with domain membership for machines and the whole nine yards.

Many of these documents are much more elaborate than is (hopefully!) necessary for just doing LDAP password auth, and it's not clear from reading them how much of what is being described is required for basic authentication, and how much is just the writer taking advantage of everything Samba can do in one configuration. (Some of these howtos are thirty or forty pages long.) Also, many of them presume that you're starting from scratch, and that you don't have any existing users, and you're free to implement an LDAP namespace from an empty tree.

Is there any way to LDAP-authenticate Samba from an existing user database with their existing UNIX passwords, without resorting to implementing a full PDC setup, or requiring that the Windows side use cleartext passwords, or ending up with two separate password fields (UNIX and NT)? (The latter option almost seems to remove some of the motivation for using LDAP at all, since you end up with double-signon.)

Help and comments appreciated!

-- + Brent A. Busby + The New JFI Computing Web Site: + Sr.
[Samba] Printer Migration and configuration script
Hi All... We're in the process of moving our printing from multiple servers to a single dedicated Samba/CUPS server... Wondering if anyone is aware of tools that can assist automating this process from the command line. Trying to avoid re-inventing the wheel. So far I'm able to automatically download all associated windows driver files from a named printer on a named host. If anyone's interested I'd be happy to share. -Jeff -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ext 120 (office) 661.392.0681 (fax) http://district.standard.k12.ca.us
Re: [Samba] dns.keytab for Samba4 and Bind9
On Wed, 2011-06-29 at 18:55 +0100, Adam Thorn wrote:
> Hi,
>
> When provisioning a new domain, samba4 creates /usr/local/samba/private/dns.keytab. What's the best way to create that file manually, when not provisioning a new domain?
>
> My use case is how one migrates from a Windows AD+DNS to samba4+bind9. I begin by joining a new samba4 instance as a DC to an existing Windows domain (so no /source4/setup/provision), then getting rid of the Windows DC and pointing my DNS clients to a bind9 server - which I'd like to be dynamically updated by samba.

We've figured out how to do this, so here's how we did it, given that we couldn't find instructions elsewhere on the web. Let's say we have a server called smbserver in the ad.example.com domain.

First create a base64-encoded password for an AD service account which will do the DDNS updates; for example, we did this via a python command-line:

    from base64 import b64encode
    b64encode('myRandomPassword'.encode('utf-16-le'))

which will output an encoded password - copy that string, without the quote marks which surround it. (If you'd prefer a different base64 encoder, make sure to set the character encoding correctly.)

Create dns.ldif with the following contents:

    dn: CN=dns-smbserver,CN=Users,DC=ad,DC=example,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    description: DNS Service Account for smbserver
    userAccountControl: 512
    accountExpires: 9223372036854775807
    sAMAccountName: dns-smbserver
    servicePrincipalName: DNS/smbserver.ad.example.com
    servicePrincipalName: DNS/ad.example.com
    clearTextPassword:: base64encodedpassword

except in place of base64encodedpassword for the clearTextPassword, paste the base64-encoded password from earlier. We based this ldif on source4/setup/provision_dns_add.ldif, with the modification that we didn't set the isCriticalSystemObject attribute to TRUE, otherwise you get an error when importing the ldif.

We'll do that next; first get a kerberos ticket (kinit domainAdminAccountName) then run

    ldbadd -H ldap://smbserver -v -k yes dns.ldif

Next, cd to source4/scripting/bin/ and run

    ./ktpass.sh --out dns.keytab --pass myRandomPassword --princ DNS/ad.example.com

Depending on your setup, you may also need to set the --path-to-ldbsearch option.

Move dns.keytab to /usr/local/samba/private/, and also chown dns.keytab to bind.bind (or named.named, or whatever's appropriate for the user which runs your bind daemon). Also, mkdir /usr/local/samba/private/dns and chown that directory to bind.bind.

Now that the dns.keytab is in place, follow the instructions for setting up DNS at http://wiki.samba.org/index.php/Samba4/HOWTO.

Hopefully this'll be of use to someone else!

Adam
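The password-encoding and dns.ldif steps of the post above, as an added example that is not part of the original message: it renders the same entry for a given host and domain, decodes clearTextPassword again to catch a wrong character encoding, and creates the file with mode 0600. The function names and the temporary output location are assumptions made for the example; host, domain and attributes are the ones from the post.

```python
import base64
import os
import secrets
import tempfile


def base_dn(dns_domain: str) -> str:
    """Turn ad.example.com into DC=ad,DC=example,DC=com."""
    return ",".join("DC=" + label for label in dns_domain.split("."))


def encode_password(password: str) -> str:
    """Base64 of the UTF-16-LE bytes, the form that follows 'clearTextPassword::'."""
    return base64.b64encode(password.encode("utf-16-le")).decode("ascii")


def build_dns_ldif(host: str, dns_domain: str, password: str) -> str:
    """Render the DNS service-account entry from the post for one DC."""
    account = "dns-" + host
    lines = [
        f"dn: CN={account},CN=Users,{base_dn(dns_domain)}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        f"description: DNS Service Account for {host}",
        "userAccountControl: 512",
        "accountExpires: 9223372036854775807",
        f"sAMAccountName: {account}",
        f"servicePrincipalName: DNS/{host}.{dns_domain}",
        f"servicePrincipalName: DNS/{dns_domain}",
        f"clearTextPassword:: {encode_password(password)}",
    ]
    return "\n".join(lines) + "\n"


def read_back_password(ldif: str) -> str:
    """Decode clearTextPassword again; fails loudly if the encoding is not UTF-16-LE."""
    for line in ldif.splitlines():
        if line.startswith("clearTextPassword:: "):
            raw = base64.b64decode(line.split(":: ", 1)[1])
            return raw.decode("utf-16-le")
    raise ValueError("no clearTextPassword attribute in LDIF")


def write_private(path: str, text: str) -> int:
    """Create the file owner-only (0600): base64 is an encoding, not protection."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    return os.stat(path).st_mode & 0o777


def demo():
    """Build the LDIF for the post's smbserver / ad.example.com with a fresh password."""
    password = secrets.token_urlsafe(24)  # constructed sample, new on every run
    ldif = build_dns_ldif("smbserver", "ad.example.com", password)
    if read_back_password(ldif) != password:
        raise RuntimeError("password does not survive the round trip")
    with tempfile.TemporaryDirectory() as workdir:
        mode = write_private(os.path.join(workdir, "dns.ldif"), ldif)
    return ldif, mode


if __name__ == "__main__":
    ldif_text, file_mode = demo()
    print(ldif_text, end="")
    print("# dns.ldif created with mode %o" % file_mode)
```

Anyone who can read dns.ldif can recover the service-account password, so remove the file once ldbadd has imported it and the keytab exists.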
Re: [Samba] basic LDAP authentication to Samba share from existing directory
Hi,

Would it be thinkable that users change their password(s) via web interface, such as *phpldapadmin*? The Windows tool LdapAdmin can change both passwords at once, but it's not suitable for end users. Newer versions of phpldapadmin do it too, but I've not yet checked to see if the GUI is usable for end users.

Sean Boran

On 30 June 2011 15:50, Hoover, Tony hoo...@sal.ksu.edu wrote:
> We use pGINA (www.pgina.org) to authenticate windows user logins via ldaps:// against the university directory. Don't know if that will fit your model, but it works for us.
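The two password fields discussed in this thread, as an added example that is not part of any poster's message: it shows why a stored UNIX password cannot be translated into sambaNTPassword, and why tools that keep them in step write both from the one cleartext at password-change time. The {SSHA} scheme for userPassword and all function names are assumptions; sambaNTPassword holds the MD4 digest of the UTF-16-LE password, computed here in pure Python because hashlib frequently lacks MD4.

```python
import base64
import hashlib
import hmac
import struct

# MD4 schedule (RFC 1320): message word order, rotate amounts, additive constant
_ROUNDS = (
    (tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def _rol(value: int, bits: int) -> int:
    """Rotate a 32-bit value left."""
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest of data."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for offset in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[offset:offset + 64])
        a, b, c, d = state
        for rnd, (order, shifts, const) in enumerate(_ROUNDS):
            for i, k in enumerate(order):
                if rnd == 0:
                    f = (b & c) | (~b & d)
                elif rnd == 1:
                    f = (b & c) | (b & d) | (c & d)
                else:
                    f = b ^ c ^ d
                t = (a + f + x[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: unsalted MD4 of the UTF-16-LE password, as hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes) -> str:
    """{SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SSHA} value (all the value allows)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def password_change(cleartext: str, salt: bytes) -> dict:
    """Both attributes must be written together, from the same cleartext."""
    return {
        "userPassword": ssha(cleartext, salt),
        "sambaNTPassword": nt_hash(cleartext),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    entry = password_change("password", b"\x01\x02\x03\x04")
    for attr, value in entry.items():
        print(f"{attr}: {value}")
    # The stored userPassword can confirm a guess but carries nothing that
    # MD4 could be computed from, so existing users only gain a
    # sambaNTPassword at their next password change.
    print("verifies:", verify_ssha(entry["userPassword"], "password"))
```

Because sambaNTPassword is unsalted and is what NTLM authentication is checked against, restrict read access to that attribute in the directory ACLs.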
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c9e3f6a s3-printing: skip migration of non-existent printers via a36ce07 s3-printing: fill devicemode size in migrate_printer() from 44a434a s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c9e3f6ab02bdc354a9b656f62744ee66fe9e9e67 Author: David Disseldorp dd...@suse.de Date: Wed Jun 15 14:59:49 2011 +0200 s3-printing: skip migration of non-existent printers Skip tdb migration of printer and security descriptor entries which refer to non-existent printers. Signed-off-by: Günther Deschner g...@samba.org Autobuild-User: Günther Deschner g...@samba.org Autobuild-Date: Thu Jun 30 10:54:23 CEST 2011 on sn-devel-104 commit a36ce0735ff6cad8124bd63a056a71d9495b238c Author: David Disseldorp dd...@suse.de Date: Wed Jun 15 12:46:55 2011 +0200 s3-printing: fill devicemode size in migrate_printer() Signed-off-by: Günther Deschner g...@samba.org --- Summary of changes: source3/printing/nt_printing_migrate.c | 27 +++ source3/utils/net_printing.c |1 + 2 files changed, 20 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/nt_printing_migrate.c b/source3/printing/nt_printing_migrate.c index ec66dfe..7914585 100644 --- a/source3/printing/nt_printing_migrate.c +++ b/source3/printing/nt_printing_migrate.c @@ -318,6 +318,7 @@ static NTSTATUS migrate_printer(TALLOC_CTX *mem_ctx, dm.pelsheight = r.devmode-pelsheight; dm.pelswidth = r.devmode-pelswidth; dm.printquality= r.devmode-printquality; + dm.size= r.devmode-size; dm.scale = r.devmode-scale; dm.specversion = r.devmode-specversion; dm.ttoption= r.devmode-ttoption; 
@@ -458,10 +459,6 @@ static NTSTATUS migrate_secdesc(TALLOC_CTX *mem_ctx, key_name, nt_errstr(status))); return status; } - if (W_ERROR_EQUAL(WERR_INVALID_PRINTER_NAME, result)) { - DEBUG(3, (Ignoring missing printer %s\n, key_name)); - return NT_STATUS_OK; - } if (!W_ERROR_IS_OK(result)) { DEBUG(2, (OpenPrinter(%s) failed: %s\n, key_name, win_errstr(result))); @@ -587,13 +584,20 @@ static NTSTATUS migrate_internal(TALLOC_CTX *mem_ctx, } if (strncmp((const char *) kbuf.dptr, PRINTERS_PREFIX, strlen(PRINTERS_PREFIX)) == 0) { + const char *printer_name = (const char *)(kbuf.dptr + + strlen(PRINTERS_PREFIX)); status = migrate_printer(mem_ctx, pipe_hnd, -(const char *) kbuf.dptr + strlen(PRINTERS_PREFIX), +printer_name, dbuf.dptr, dbuf.dsize); SAFE_FREE(dbuf.dptr); - if (!NT_STATUS_IS_OK(status)) { + /* currently no WERR_INVALID_PRINTER_NAME equivalent */ + if (NT_STATUS_EQUAL(status, + werror_to_ntstatus(WERR_INVALID_PRINTER_NAME))) { + DEBUG(2, (Skipping migration for non-existent + printer: %s\n, printer_name)); + } else if (!NT_STATUS_IS_OK(status)) { tdb_close(tdb); return status; } @@ -601,13 +605,20 @@ static NTSTATUS migrate_internal(TALLOC_CTX *mem_ctx, } if (strncmp((const char *) kbuf.dptr, SECDESC_PREFIX, strlen(SECDESC_PREFIX)) == 0) { + const char *secdesc_name = (const char *)(kbuf.dptr + + strlen(SECDESC_PREFIX)); status = migrate_secdesc(mem_ctx, pipe_hnd, -(const char *) kbuf.dptr + strlen(SECDESC_PREFIX), +secdesc_name, dbuf.dptr, dbuf.dsize); SAFE_FREE(dbuf.dptr); - if (!NT_STATUS_IS_OK(status)) { + /* currently no
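Review bot: In the @@ -587 hunk of migrate_internal(), the skip test compares status against werror_to_ntstatus(WERR_INVALID_PRINTER_NAME) while the comment directly above it says there is currently no NT status equivalent for that error. If werror_to_ntstatus() returns a generic fallback for unmapped codes, any other unmapped failure from migrate_printer() would also be logged as a non-existent printer and skipped instead of closing the tdb and aborting. Consider having migrate_printer() report the missing-printer case explicitly (for example by handing back the WERROR as well), so the skip matches only that case.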
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a611769 rebuildexetendeddn: PEP8: Use spaces rather than tabs. via 6dbe3e3 rpcclient: PEP8: Use spaces rather than tabs. via a67683e smbstatus: PEP8: Use spaces rather than tabs. via e4e9c5d mischema: Remove unused import. via ac28c82 enablerecyclebin: Remove unused imports, fix formatting. from c9e3f6a s3-printing: skip migration of non-existent printers http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a61176900fc16b6ad3dab330bf6465f35e891ea6 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jun 30 10:33:05 2011 +0200 rebuildexetendeddn: PEP8: Use spaces rather than tabs. Autobuild-User: Jelmer Vernooij jel...@samba.org Autobuild-Date: Thu Jun 30 12:07:32 CEST 2011 on sn-devel-104 commit 6dbe3e36009707b88d1517aab2a47fbaefca4050 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jun 30 10:32:35 2011 +0200 rpcclient: PEP8: Use spaces rather than tabs. commit a67683eb6d2ee340bd81a8c756e000954552ed38 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jun 30 10:31:59 2011 +0200 smbstatus: PEP8: Use spaces rather than tabs. commit e4e9c5d140dd73f3a09fa9b04c0699f1d253eb38 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jun 30 10:30:43 2011 +0200 mischema: Remove unused import. commit ac28c8216f3230bf647bc95f582a0d45e81fe33c Author: Jelmer Vernooij jel...@samba.org Date: Thu Jun 30 10:29:23 2011 +0200 enablerecyclebin: Remove unused imports, fix formatting. --- Summary of changes: source4/scripting/bin/enablerecyclebin |8 +- source4/scripting/bin/minschema |1 - source4/scripting/bin/rebuildextendeddn | 127 +++ source4/scripting/bin/rpcclient | 90 +++--- source4/scripting/bin/smbstatus | 76 +- 5 files changed, 147 insertions(+), 155 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/bin/enablerecyclebin b/source4/scripting/bin/enablerecyclebin index 61ad32c..ab36ead 100755 --- a/source4/scripting/bin/enablerecyclebin +++ b/source4/scripting/bin/enablerecyclebin 
@@ -2,9 +2,7 @@ # # enabled the Recycle Bin optional feature # -import base64 import optparse -import os import sys # Find right directory when running from source tree @@ -12,7 +10,7 @@ sys.path.insert(0, bin/python) import samba from samba import getopt as options, Ldb -from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError +from ldb import SCOPE_BASE import sys import ldb from samba.auth import system_session @@ -48,8 +46,8 @@ configbase=rootDse[configurationNamingContext] msg = ldb.Message() msg.dn = ldb.Dn(sam_ldb, ) msg[enableOptionalFeature] = ldb.MessageElement( -CN=Partitions, + str(configbase) + :766ddcd8-acd0-445e-f3b9-a7f9b6744f2a, -ldb.FLAG_MOD_ADD, enableOptionalFeature) + CN=Partitions, + str(configbase) + :766ddcd8-acd0-445e-f3b9-a7f9b6744f2a, + ldb.FLAG_MOD_ADD, enableOptionalFeature) res = sam_ldb.modify(msg) print Recycle Bin feature enabled diff --git a/source4/scripting/bin/minschema b/source4/scripting/bin/minschema index 6fca074..1744f6c 100755 --- a/source4/scripting/bin/minschema +++ b/source4/scripting/bin/minschema @@ -5,7 +5,6 @@ import base64 import optparse -import os import sys # Find right directory when running from source tree diff --git a/source4/scripting/bin/rebuildextendeddn b/source4/scripting/bin/rebuildextendeddn index 1154b7c..5ab90c9 100755 --- a/source4/scripting/bin/rebuildextendeddn +++ b/source4/scripting/bin/rebuildextendeddn 
@@ -8,17 +8,16 @@ # Copyright (C) Jelmer Vernooij jel...@samba.org 2007-2008 # Copyright (C) Andrew Bartlett abart...@samba.org 2008 # -# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. # @@ -47,17 +46,17 @@ parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option(--targetdir, type=string, metavar=DIR, - help=Set target directory) + help=Set target directory) opts = parser.parse_args()[0] def message(text): -
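Review bot: In enablerecyclebin, the context of the @@ -12,7 hunk still shows a second "import sys" after the ldb import, while the first one is kept next to "import optparse" in the @@ -2,9 hunk. Since this commit is about removing unused imports from the file, drop the duplicate in the same change.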
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 847ca0a s3:smbd do not panic when CTDB is unhealthy (Bug #8278) via d2adf96 docs: fix some whitespace via 1ae9a71 docs: fix a typo from a611769 rebuildexetendeddn: PEP8: Use spaces rather than tabs. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 847ca0a5d791d881be8d9a0721bf30399c80013b Author: Christian Ambach a...@samba.org Date: Wed Jun 29 15:01:16 2011 +0200 s3:smbd do not panic when CTDB is unhealthy (Bug #8278) when CTDB is unhealthy, log a message and exit cleanly instead of creating a core file Autobuild-User: Christian Ambach a...@samba.org Autobuild-Date: Thu Jun 30 13:18:12 CEST 2011 on sn-devel-104 commit d2adf96402a0ee3454778c8ffee970720def66a7 Author: Christian Ambach a...@samba.org Date: Wed Jun 29 09:24:44 2011 +0200 docs: fix some whitespace replace spaces with tabs, removing whitespaces at end of lines commit 1ae9a7160c49b3afc401f219a25f721daa2835fd Author: Christian Ambach a...@samba.org Date: Tue Jun 28 23:17:35 2011 +0200 docs: fix a typo --- Summary of changes: docs-xml/smbdotconf/protocol/enableasusupport.xml | 12 ++-- source3/smbd/server.c |9 + 2 files changed, 15 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/protocol/enableasusupport.xml b/docs-xml/smbdotconf/protocol/enableasusupport.xml index bb56b5a..8f25103 100644 --- a/docs-xml/smbdotconf/protocol/enableasusupport.xml +++ b/docs-xml/smbdotconf/protocol/enableasusupport.xml 
@@ -1,15 +1,15 @@ samba:parameter name=enable asu support - context=G - advanced=1 developer=1 +context=G +advanced=1 developer=1 type=boolean - xmlns:samba=http://www.samba.org/samba/DTD/samba-doc; +xmlns:samba=http://www.samba.org/samba/DTD/samba-doc; description -paraHosts running the Advanced Server for Unix (ASU) product -require some special accomodations such as creating a builtin [ADMIN$] +paraHosts running the Advanced Server for Unix (ASU) product +require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections. The has been the default behavior in smbd for many years. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support -an [ADMIN$} file share. Disabling this parameter allows for creating +an [ADMIN$] file share. Disabling this parameter allows for creating an [ADMIN$] file share in smb.conf./para /description diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 5aa3ddb..03d971b 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -443,6 +443,15 @@ static void smbd_accept_connection(struct tevent_context *ev, because too many files are open\n)); goto exit; } + if (lp_clustering() + NT_STATUS_EQUAL(status, + NT_STATUS_INTERNAL_DB_ERROR)) { + DEBUG(1,(child process cannot initialize +because connection to CTDB +has failed\n)); + goto exit; + } + DEBUG(0,(reinit_after_fork() failed\n)); smb_panic(reinit_after_fork() failed); } -- Samba Shared Repository
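Review bot: The enableasusupport.xml hunk fixes the "[ADMIN$}" bracket, but the rewritten line still carries "accomodations" (should be "accommodations"), and the unchanged sentence "The has been the default behavior" probably wants "This has been". Worth folding both into the same typo fix.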
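Review bot: In the smbd_accept_connection() hunk of server.c, the new CTDB branch logs at DEBUG(1), while the reinit_after_fork() failure just below it logs at level 0. A child exiting because the CTDB connection failed is something an administrator should see at low log levels too; consider DEBUG(0) here and say in the message that the child process is exiting.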
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c234b4b lib/util/string_wrappers: move everything into one HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS block via 75e9f21 s3:nmbd_subnetdb: close all sockets attached to a subnet in close_subnet() (bug #8276) from 847ca0a s3:smbd do not panic when CTDB is unhealthy (Bug #8278) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c234b4b0c0c59c4e972d0832aefc6a94f41f4e1f Author: Stefan Metzmacher me...@samba.org Date: Fri Jun 24 21:49:16 2011 +0200 lib/util/string_wrappers: move everything into one HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS block metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jun 30 14:29:41 CEST 2011 on sn-devel-104 commit 75e9f2110876137a57632d223248ac51dbfc4569 Author: Stefan Metzmacher me...@samba.org Date: Thu Jun 30 10:09:56 2011 +0200 s3:nmbd_subnetdb: close all sockets attached to a subnet in close_subnet() (bug #8276) metze --- Summary of changes: lib/util/string_wrappers.h | 26 -- source3/nmbd/nmbd_subnetdb.c | 14 +++--- 2 files changed, 19 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/string_wrappers.h b/lib/util/string_wrappers.h index 37384fc..6f2d6e9 100644 --- a/lib/util/string_wrappers.h +++ b/lib/util/string_wrappers.h 
@@ -23,24 +23,6 @@ #ifndef _STRING_WRAPPERS_H #define _STRING_WRAPPERS_H -/* We need a number of different prototypes for our - non-existant fuctions */ -char * __unsafe_string_function_usage_here__(void); - -size_t __unsafe_string_function_usage_here_size_t__(void); - -#ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS - -/* if the compiler will optimize out function calls, then use this to tell if we are - have the correct types (this works only where sizeof() returns the size of the buffer, not - the size of the pointer). */ - -#define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) sizeof(d) != sizeof(char *)) - -#else /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */ - -#endif /* HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS */ - #define strlcpy_base(dest, src, base, size) \ do { \ const char *_strlcpy_base_src = (const char *)src; \ @@ -74,6 +56,14 @@ do { \ #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS +/* We need a number of different prototypes for our + non-existant fuctions */ +char * __unsafe_string_function_usage_here__(void); + +size_t __unsafe_string_function_usage_here_size_t__(void); + +#define CHECK_STRING_SIZE(d, len) (sizeof(d) != (len) sizeof(d) != sizeof(char *)) + /* if the compiler will optimize out function calls, then use this to tell if we are have the correct types (this works only where sizeof() returns the size of the buffer, not the size of the pointer). */ diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c index 79a..311a240 100644 --- a/source3/nmbd/nmbd_subnetdb.c +++ b/source3/nmbd/nmbd_subnetdb.c 
@@ -56,13 +56,21 @@ yet and it may be in use by a response record void close_subnet(struct subnet_record *subrec) { + if (subrec-nmb_sock != -1) { + close(subrec-nmb_sock); + subrec-nmb_sock = -1; + } + if (subrec-nmb_bcast != -1) { + close(subrec-nmb_bcast); + subrec-nmb_bcast = -1; + } if (subrec-dgram_sock != -1) { close(subrec-dgram_sock); subrec-dgram_sock = -1; } - if (subrec-nmb_sock != -1) { - close(subrec-nmb_sock); - subrec-nmb_sock = -1; + if (subrec-dgram_bcast != -1) { + close(subrec-dgram_bcast); + subrec-dgram_bcast = -1; } DLIST_REMOVE(subnetlist, subrec); -- Samba Shared Repository
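Review bot: In the @@ -74 hunk of string_wrappers.h, the moved comment keeps the typos "non-existant fuctions", and CHECK_STRING_SIZE now sits above the comment that explains it ("if the compiler will optimize out function calls ..."). Since the block is being moved anyway, fix the spelling and place the define after its comment.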
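Review bot: close_subnet() in nmbd_subnetdb.c now repeats the same close-and-reset-to--1 pattern four times (nmb_sock, nmb_bcast, dgram_sock, dgram_bcast). A small static helper taking an int * would keep the four fields handled identically and make it harder to miss one when another socket is added to struct subnet_record.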
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 76467dc s3:build: add vfs_examples to the everything target via c2e8832 s3:build: add a vfs_examples target. via 197df81 examples/VFS: add include path for s3's autoconf config.h via 576cb57 examples/VFS: fix skel_transparent.c in reference to shadow_copy changes via 7766728 examples/VFS: fix skel_opaque.c in reference to shadow_copy changes via 6930afc examples/VFS: fix shadow_copy_test.c in reference to shadow_copy changes via 1f72088 s3:registry: when deleting the records for a key, also delete the sorted subkeys cache via 2b162db s3:registry: add helper function regdb_delete_sorted_subkeys() from c234b4b lib/util/string_wrappers: move everything into one HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS block http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 76467dc4064572fdf7ddea067b0f23ff082aebfe Author: Michael Adam ob...@samba.org Date: Thu Jun 30 15:15:22 2011 +0200 s3:build: add vfs_examples to the everything target So that one can not pass autobuild without keeping the vfs examples intact. Autobuild-User: Michael Adam ob...@samba.org Autobuild-Date: Thu Jun 30 16:52:48 CEST 2011 on sn-devel-104 commit c2e88320a0952a7ee53c398b1533fb184a3ec0ae Author: Michael Adam ob...@samba.org Date: Thu Jun 30 13:54:52 2011 +0200 s3:build: add a vfs_examples target. commit 197df817a3f70707715e784a9330017c74ccb547 Author: Michael Adam ob...@samba.org Date: Thu Jun 30 13:53:54 2011 +0200 examples/VFS: add include path for s3's autoconf config.h commit 576cb574a15158a33feab48be3c5ed05721f28fc Author: Björn Baumbach b...@sernet.de Date: Wed Jun 29 16:57:27 2011 +0200 examples/VFS: fix skel_transparent.c in reference to shadow_copy changes Signed-off-by: Michael Adam ob...@samba.org commit 776672805c35bb2db760194730c46b96019e0da1 Author: Björn Baumbach b...@sernet.de Date: Wed Jun 29 16:56:45 2011 +0200 examples/VFS: fix skel_opaque.c in reference to shadow_copy changes 
Signed-off-by: Michael Adam ob...@samba.org commit 6930afc9f4e613a660bbe716e849f5db7276491c Author: Björn Baumbach b...@sernet.de Date: Wed Jun 29 16:53:57 2011 +0200 examples/VFS: fix shadow_copy_test.c in reference to shadow_copy changes Signed-off-by: Michael Adam ob...@samba.org commit 1f72088633c2215a23e086c8627f35621b47ffec Author: Michael Adam ob...@samba.org Date: Thu Jun 30 14:37:49 2011 +0200 s3:registry: when deleting the records for a key, also delete the sorted subkeys cache This prevents orphaned empty sorted subkeys cache records from filling the database. Pair-Programmed-With: Gregor Beck gb...@sernet.de Signed-off-by: Michael Adam ob...@samba.org commit 2b162db6e9cc3e098f339516bbda719618664a83 Author: Michael Adam ob...@samba.org Date: Thu Jun 30 14:36:35 2011 +0200 s3:registry: add helper function regdb_delete_sorted_subkeys() Pair-Programmed-With: Gregor Beck gb...@sernet.de Signed-off-by: Michael Adam ob...@samba.org --- Summary of changes: examples/VFS/Makefile.in |1 + examples/VFS/shadow_copy_test.c | 13 ++--- examples/VFS/skel_opaque.c|3 ++- examples/VFS/skel_transparent.c |3 ++- source3/Makefile.in | 14 +- source3/registry/reg_backend_db.c | 15 +++ 6 files changed, 43 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/VFS/Makefile.in b/examples/VFS/Makefile.in index 8fe414a..9591186 100644 --- a/examples/VFS/Makefile.in +++ b/examples/VFS/Makefile.in @@ -9,6 +9,7 @@ SHLIBEXT= @SHLIBEXT@ OBJEXT = @OBJEXT@ FLAGS = $(CFLAGS) $(CPPFLAGS) -fPIC \ -Iinclude -I$(SAMBA_SOURCE)/include \ + -I$(SAMBA_SOURCE)/include/autoconf \ -I$(SAMBA_SOURCE)/../popt \ -I$(SAMBA_SOURCE)/../lib/replace \ -I$(SAMBA_SOURCE)/../lib/talloc \ diff --git a/examples/VFS/shadow_copy_test.c b/examples/VFS/shadow_copy_test.c index d4da238..a47d2ee 100644 --- a/examples/VFS/shadow_copy_test.c +++ b/examples/VFS/shadow_copy_test.c 
@@ -19,6 +19,8 @@ */ #include includes.h +#include ntioctl.h +#include smbd/proto.h #undef DBGC_CLASS #define DBGC_CLASS DBGC_VFS @@ -50,7 +52,10 @@ Directories are always displayed... */ -static int test_get_shadow_copy_data(vfs_handle_struct *handle, files_struct *fsp, SHADOW_COPY_DATA *shadow_copy_data, bool labels) +static int test_get_shadow_copy_data(vfs_handle_struct *handle, + files_struct *fsp, + struct shadow_copy_data *shadow_copy_data, + bool labels)
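Review bot: the test_get_shadow_copy_data hunk in shadow_copy_test.c switches the parameter from SHADOW_COPY_DATA to struct shadow_copy_data and pulls in ntioctl.h and smbd/proto.h, but the three "fix ... in reference to shadow_copy changes" commit messages never name the commit that changed the type. Authors of out-of-tree VFS modules will hit the same build break, so the messages should reference that commit. A short comment next to the two new includes should say which declaration each one supplies, since skel_opaque.c and skel_transparent.c are the files people copy from.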
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4804013 script/librelease.sh: keep dots in the release tag via 84d9cdb release-scripts/create-tarball: always create a tag in form of samba-${version} from 76467dc s3:build: add vfs_examples to the everything target http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4804013210ba620a6d20fd813017ac383cc3b946 Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 28 12:55:47 2011 +0200 script/librelease.sh: keep dots in the release tag metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jun 30 18:52:06 CEST 2011 on sn-devel-104 commit 84d9cdb5112e55ae8a1e525ca2b8cef2ae606f22 Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 28 12:52:37 2011 +0200 release-scripts/create-tarball: always create a tag in form of samba-${version} metze --- Summary of changes: release-scripts/create-tarball | 26 ++ script/librelease.sh |2 +- 2 files changed, 7 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/release-scripts/create-tarball b/release-scripts/create-tarball index 213e35e..e6a515f 100755 --- a/release-scripts/create-tarball +++ b/release-scripts/create-tarball @@ -3,7 +3,6 @@ ## option defaults OPT_BRANCH= OPT_DOCSDIR= -OPT_TAG= OPT_KEYID= TOPDIR=`dirname $0`/.. @@ -32,7 +31,6 @@ function printUsage echo --help Print command usage echo --branch nameSpecify the branch to to create the archive file from echo --copy-docs dir Copy documentation from dir rather than building -echo --tag name Tag name for release echo --keyid emailThe GnuPG key ID used to sign the release tag echo } @@ -67,15 +65,6 @@ function parseOptions OPT_DOCSDIR=$1 shift ;; - --tag) - shift - if [ -z $1 ]; then - printUsage - return 1 - fi - OPT_TAG=$1 - shift - ;; --keyid) shift if [ -z $1 ]; then 
@@ -145,13 +134,10 @@ function buildDocs ## function createReleaseTag { -if [ -z ${OPT_TAG} ]; then - echo Tagging disabled - return 0 -fi +tagname=$1 -if [ x`git tag -l ${OPT_TAG}` != x ]; then - echo -n Tag exists. Do you wish to overwrite? (y/N): +if [ x`git tag -l ${tagname}` != x ]; then + echo -n Tag '${tagname}' exists. Do you wish to overwrite? (y/N): read answer if [ x$answer != xy ]; then @@ -168,8 +154,8 @@ function createReleaseTag fi fi -git tag -u ${OPT_KEYID} ${OPT_TAG} -exitOnError $? Failed to create tag +git tag -u ${OPT_KEYID} ${tagname} +exitOnError $? Failed to create tag '${tagname}' return 0 } @@ -239,7 +225,7 @@ function main popd -createReleaseTag +createReleaseTag samba-${version} exitOnError $? Failed to create release tag return 0 diff --git a/script/librelease.sh b/script/librelease.sh index 7fbca88..6125236 100755 --- a/script/librelease.sh +++ b/script/librelease.sh @@ -39,7 +39,7 @@ release_lib() { exit 1 } -tagname=$(basename $tarname .tar | sed s/[\.]/-/g) +tagname=$(basename $tarname .tar) echo tagging as $tagname git tag -u $GPG_KEYID -s $tagname -m $lib: tag release $tagname || { exit 1 -- Samba Shared Repository
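Review bot: createReleaseTag in release-scripts/create-tarball now reads tagname=$1 with no check that an argument was passed, and the old early return ("Tagging disabled") is gone, so every run reaches git tag -u. Suggest failing with return 1 when $1 is empty, the same way parseOptions rejects a missing value for --keyid, and declaring tagname local so it does not leak into the rest of the script. The usage text should also say that a signed tag samba-${version} is now always created, since --tag was removed without a replacement line.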
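Review bot: the release_lib hunk in script/librelease.sh drops the sed that turned dots into dashes, so library release tags change format from this commit on, and the commit message gives no reason beyond its subject. Anything that locates or verifies signed release tags by name will see two naming schemes in the same repository. Suggest stating in the commit message why the dots are kept and noting that older tags keep the dashed form.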
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 4b094c2 Second part of fix for bug #8219 - SMB Panic from Windows 7 Client. via 501969a Fix bug #8219 - SMB Panic from Windows 7 Client from 44cfdd9 s3: explicitly pass domain_sid to wbint_LookupRids() (bug #7841) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 4b094c2acdfe93fdce80adc6dc3df73cf2d3fae1 Author: Jeremy Allison j...@samba.org Date: Wed Jun 29 09:56:47 2011 -0700 Second part of fix for bug #8219 - SMB Panic from Windows 7 Client. Pass in the correct vector to the signing algorithm in an async response - we must start with vector[1] which has the SMB2_HDR_BODY length, not vector[0] which is the 4 byte packet length. Also note we're passing in 2 vectors not 3. Metze please review. commit 501969a2b95b15fd9f8602b14a391e5096b17183 Author: Jeremy Allison j...@samba.org Date: Tue Jun 28 17:45:49 2011 -0700 Fix bug #8219 - SMB Panic from Windows 7 Client Caused by referencing an uninitialized variable in the duplicated struct smbd_smb2_request when sending a signed intermediate reply. --- Summary of changes: source3/smbd/smb2_server.c | 10 +- 1 files changed, 9 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 7cbe90a..0944e57 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -665,10 +665,18 @@ static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *re } newreq-sconn = req-sconn; + newreq-session = req-session; newreq-do_signing = req-do_signing; newreq-current_idx = req-current_idx; newreq-async = false; newreq-cancelled = false; + /* Note we are leaving: + -tcon + -smb1req + -compat_chain_fsp + uninitialized as NULL here as + they're not used in the interim + response code. JRA. */ outvec = talloc_zero_array(newreq, struct iovec, count); if (!outvec) { 
@@ -915,7 +923,7 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, if (req-do_signing) { status = smb2_signing_sign_pdu(req-session-session_key, - state-vector, 3); + state-vector[1], 2); if (!NT_STATUS_IS_OK(status)) { return status; } -- Samba Shared Repository
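Review bot: the new comment in dup_smb2_req says tcon, smb1req and compat_chain_fsp are left "uninitialized as NULL", which only holds if newreq comes from a zeroing allocator, and that allocation is not part of the hunk. The original crash was an uninitialized member in exactly this duplicated struct, so it would be safer to assign the three members NULL explicitly next to the new session assignment, or to reword the comment to name the zeroing allocation it relies on.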
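Review bot: in smbd_smb2_request_pending_queue the call to smb2_signing_sign_pdu changes from state vector, 3 to vector[1], 2, and the reason (vector[0] is the 4 byte packet length and must not be signed) is recorded only in the commit message. A wrong start index or count here produces a bad signature or a read outside the intended buffers, so please put a comment at the call site stating which iovec holds what, and consider named constants instead of the bare 1 and 2.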
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 97055ce s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs from 4b094c2 Second part of fix for bug #8219 - SMB Panic from Windows 7 Client. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 97055cee026b4f1b0e2730786a94390f6515593e Author: Günther Deschner g...@samba.org Date: Tue Jun 28 23:59:11 2011 +0200 s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs Guenther Autobuild-User: Günther Deschner g...@samba.org Autobuild-Date: Thu Jun 30 00:42:23 CEST 2011 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_pam.c | 26 +++--- 1 files changed, 19 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 6b87482..29add8c 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1250,18 +1250,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, info3); } - if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) -domain-can_do_samlogon_ex) { - DEBUG(3, (Got a DC that can not do NetSamLogonEx, - retrying with NetSamLogon\n)); - domain-can_do_samlogon_ex = false; + if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { + /* * It's likely that the server also does not support * validation level 6 */ domain-can_do_validation6 = false; - retry = true; - continue; + + if (domain-can_do_samlogon_ex) { + DEBUG(3, (Got a DC that can not do NetSamLogonEx, + retrying with NetSamLogon\n)); + domain-can_do_samlogon_ex = false; + retry = true; + continue; + } + + + /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon +* (no Ex). This happens against old Samba +* DCs. Drop the connection. +*/ + invalidate_cm_connection(domain-conn); + result = NT_STATUS_LOGON_FAILURE; + break; } if (domain-can_do_validation6 -- Samba Shared Repository
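Review bot: in winbind_samlogon_retry_loop, the new path taken when NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE arrives and can_do_samlogon_ex is already false drops the connection and sets NT_STATUS_LOGON_FAILURE without a DEBUG line, while the NetSamLogonEx fallback just above it logs at level 3. An administrator then cannot tell a DC that faulted on the operation number from a wrong password. Suggest a DEBUG message before invalidate_cm_connection() that names the domain, and a sentence in the comment on why NT_STATUS_LOGON_FAILURE was chosen over passing the RPC status through.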
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1053a24 Part of fix for bug 8276 - FD_SET out of bounds access crash. from 4804013 script/librelease.sh: keep dots in the release tag http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1053a24a87f341fcd5578db56bc8b3962e63bb98 Author: Jeremy Allison j...@samba.org Date: Thu Jun 30 11:01:40 2011 -0700 Part of fix for bug 8276 - FD_SET out of bounds access crash. Ensure we never add fd's set to -1 to the pollfd set. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Thu Jun 30 21:15:25 CEST 2011 on sn-devel-104 --- Summary of changes: source3/nmbd/nmbd_packets.c | 27 ++- 1 files changed, 18 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c index a89f49c..0324c9d 100644 --- a/source3/nmbd/nmbd_packets.c +++ b/source3/nmbd/nmbd_packets.c @@ -1698,7 +1698,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, for (subrec = FIRST_SUBNET; subrec != NULL; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { - count += 2; /* nmb_sock and dgram_sock */ + if (subrec-nmb_sock != -1) { + count += 1; + } + if (subrec-dgram_sock != -1) { + count += 1; + } if (subrec-nmb_bcast != -1) { count += 1; } @@ -1736,10 +1741,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { - fds[num].fd = subrec-nmb_sock; - attrs[num].type = NMB_PACKET; - attrs[num].broadcast = false; - num += 1; + if (subrec-nmb_sock != -1) { + fds[num].fd = subrec-nmb_sock; + attrs[num].type = NMB_PACKET; + attrs[num].broadcast = false; + num += 1; + } if (subrec-nmb_bcast != -1) { fds[num].fd = subrec-nmb_bcast; 
@@ -1748,10 +1755,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, num += 1; } - fds[num].fd = subrec-dgram_sock; - attrs[num].type = DGRAM_PACKET; - attrs[num].broadcast = false; - num += 1; + if (subrec-dgram_sock != -1) { + fds[num].fd = subrec-dgram_sock; + attrs[num].type = DGRAM_PACKET; + attrs[num].broadcast = false; + num += 1; + } if (subrec-dgram_bcast != -1) { fds[num].fd = subrec-dgram_bcast; -- Samba Shared Repository
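Review bot: create_listen_pollfds now repeats the same four "!= -1" tests in the counting loop and again in the fill loop, and the array size depends on the two staying identical. Nothing in the visible hunks checks that num ends equal to count, so a later edit to only one loop would write past the allocated fds and attrs arrays. Suggest a single helper that both loops call for each subnet record, or at least a check of num against count after the fill loop that fails the function on mismatch.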
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f3c3768 s4-dsdb guard principalName parse for invalid inputs via f1b1a66 s4-dsdb Allow a servicePrincipalName of machine$ from 1053a24 Part of fix for bug 8276 - FD_SET out of bounds access crash. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f3c3768d30410de8b0cc8b2ef078640bdc0864d4 Author: Andrew Bartlett abart...@samba.org Date: Thu Jun 30 14:21:51 2011 +1000 s4-dsdb guard principalName parse for invalid inputs We need to ensure that if this parses name.name_string as just one val, then we don't read uninitialised and possibly unallocated memory. Found by Adam Thorn al...@cam.ac.uk While we are checking that, we need to fix the strncasecmp() check to first check if the string is the expected length, then check for a match against sAMAccountName-without-dollar, as otherwise we will permit a string such as machinefoo to match a sAMAccountName of machine. Andrew Bartlett Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104 commit f1b1a66615bfceb4d53c11140aceba2412d0ec37 Author: Andrew Bartlett abart...@samba.org Date: Thu Jun 30 14:20:22 2011 +1000 s4-dsdb Allow a servicePrincipalName of machine$ This is pointless, but MacOS X (version 10.6.8 was tested) apparently sets machine$ into this field. Andrew Bartlett --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl.c | 13 - 1 files changed, 12 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index b6eb563..49152d4 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c 
@@ -457,6 +457,12 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, bool is_dc = (userAccountControl UF_SERVER_TRUST_ACCOUNT) || (userAccountControl UF_PARTIAL_SECRETS_ACCOUNT); + if (strcasecmp_m(spn_value, samAccountName) == 0) { + /* MacOS X sets this value, and setting an SPN of your +* own samAccountName is both pointless and safe */ + return LDB_SUCCESS; + } + kerr = smb_krb5_init_context_basic(mem_ctx, lp_ctx, krb_ctx); @@ -471,6 +477,10 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, return LDB_ERR_CONSTRAINT_VIOLATION; } + if (principal-name.name_string.len 2) { + goto fail; + } + instanceName = principal-name.name_string.val[1]; serviceType = principal-name.name_string.val[0]; realm = krb5_principal_get_realm(krb_ctx, principal); @@ -503,7 +513,8 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx, } /* instanceName can be samAccountName without $ or dnsHostName * or ntds_guid._msdcs.forest_domain for DC objects */ - if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) { + if (strlen(instanceName) == (strlen(samAccountName) - 1) +strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) { goto success; } else if (strcasecmp(instanceName, dnsHostName) == 0) { goto success; -- Samba Shared Repository
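Review bot: in the last hunk of acl_validate_spn_value, both the new length test and the strncasecmp() use strlen(samAccountName) - 1, which assumes the final character of samAccountName is '$'. Nothing in the visible lines checks that, so for an account name without a trailing '$' the comparison would ignore its last real character, and an instanceName of machin would match a samAccountName of machine. Suggest verifying that samAccountName is non-empty and ends in '$' before using the shortened length, and failing the SPN check otherwise.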