[Samba] getent group not listing domain groups / wbinfo -r not working
I know, I know, this again :)

The company I work for would like to use squid for proxy authentication purposes using NTLM, using a Windows 2008 R2 server as a DC. I've managed to setup samba/winbind to use ads and successfully joined the domain. Configured nsswitch.conf to lookup winbind entities (however I didn't touch PAM configuration, as I don't actually want the users to be able to login to the linux machine).

wbinfo -t reports a successful check of trust. wbinfo -u / wbinfo -g work as intended, e.g. dump a list of domain users / groups. I can authenticate using wbinfo -a (both plaintext and challenge-response) and wbinfo -K.

nsswitch.conf:

    passwd: compat winbind
    group: compat winbind

As far as I can tell, nsswitch.conf is also configured properly, since `getent passwd` dumps local users, waits about .2 seconds, and dumps domain users:

    sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
    adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false

(All domain users are members of group '10001', is this normal?)

However, `getent group` lists only local groups. No waiting time, it just dumps local groups and exits. Likewise, when attempting to `wbinfo -r domainuser`, the command fails with 'Could not get groups for domainuser'.

I've run strace on `getent group` (which, incidentally, shows a timeout, but none is perceived), the result can hopefully be viewed here: http://halka.yw.sk/ext/strace_getent_group.txt

A widely suggested fix for this was to delete /var/lib/samba/winbindd_idmap.tdb (for Samba versions up to 3.2.x?), but the problems persist even after clearing the cache. This is the point at which I'm stumped, since management wants to apply different squid ACLs based on domain user's group.

The funny (or not) thing is, when authenticating using domain group restriction, e.g.:

    /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\it

...works as intended (allows only member of the group 'it' to authenticate successfully), but that's about as far as I can get.

I'm using samba 3.5.8 as provided by, cough, Ubuntu (10.08) packages. I've previously tried a similar solution on Debian lenny. Now, this is a virtual server which only holds samba and squid, so I have no qualms about reinstalling, using various pre-alpha versions or anything, so wild ideas like this are not unwelcome.

I've linked my configuration files below, since I'm not yet sure about proper attachment etiquette in mailing lists:

    http://halka.yw.sk/ext/krb5.conf
    http://halka.yw.sk/ext/smb.conf
    http://halka.yw.sk/ext/nsswitch.conf

Any help is of course greatly appreciated.

--
Ľubomír Brindza
xmpp: lubomir.brin...@gmail.com

Your eyes are weary from staring at the CRT. You feel sleepy. Notice how restful it is to watch the cursor blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
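A check for the symptom described in the message above, added here as an example and not part of the original post: it resolves each primary GID found in passwd-format input by key, which is a separate NSS call from the enumeration that `getent group` without arguments performs. The function names and the GROUP_DB variable are hypothetical, and the sample data is constructed from the two passwd entries quoted in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the
# GROUP_DB variable are hypothetical; the sample data in demo() is constructed.

# lookup_group GID
# Resolve one GID by key. With GROUP_DB set, search that group(5)-format
# file (offline testing); otherwise ask NSS through getent.
lookup_group() {
    if [ -n "${GROUP_DB:-}" ]; then
        awk -F: -v gid="$1" '$3 == gid { found = 1 } END { exit !found }' "$GROUP_DB"
    else
        getent group "$1" >/dev/null 2>&1
    fi
}

# unresolved_primary_gids
# Read passwd(5)-format lines on stdin. For every distinct primary GID
# (field 4) that lookup_group cannot resolve, print "GID USERCOUNT".
unresolved_primary_gids() {
    cut -s -d: -f4 | sort -n | uniq -c | while read -r count gid; do
        [ -n "$gid" ] || continue          # malformed line without a GID field
        lookup_group "$gid" || echo "$gid $count"
    done
}

# demo: run the check over constructed data that mirrors the post, with
# two domain users in GID 10001 and a group database holding local groups only.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false
EOF
    cat > "$tmp/group" <<'EOF'
root:x:0:
users:x:100:
EOF
    GROUP_DB="$tmp/group"
    unresolved_primary_gids < "$tmp/passwd"
    rm -rf "$tmp"
    unset GROUP_DB
}

demo
```

On a live host, run `getent passwd | unresolved_primary_gids` with GROUP_DB unset. An empty result means by-key lookups succeed and only enumeration is missing; a reported GID means the lookup itself fails.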
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Hi,

I've seen many people complain about this error message by Googling around, but I've never found a satisfactory explanation as to the cause and resolution. I'm hoping someone on the list will be able to point me in the right direction?

I'm attempting to get a RHEL 5.5 client configured to use winbind auth against Windows 2003 R2 AD (in fact my end game is to get all NIS maps served from AD, but one step at a time). I've been following these steps: http://wiki.samba.org/index.php/Samba__Active_Directory

But when I come to issue the 'net ads join' command:

    # net ads join -U administrator
    administrator's password:
    [2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
      kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials

So having manually configured it, I decided maybe 'authconfig' could help. I have no graphics here, so tried a command-line approach:

    # authconfig --enablecache --enablewinbind --enablewinbindauth --smbsecurity ads --smbrealm FMTEST.NET --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294 --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=Administrator --update

This made no difference (same error when trying to join). Apart from adding the 'winbind offline logon' option which I omitted from my manual approach, using the old idmap features instead of the new ones, and setting up PAM for winbind (which I hadn't got around to yet) there was no difference in config.

Debug modes, RHEL logs, Windows event logs, network traces - I've looked at them all and can't find anything that points to the exact problem.

Some pertinent info:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 5.5 (Tikanga)

    # rpm -qa | egrep 'samba|libsmb'
    libsmbclient-3.0.33-3.29.el5_5.1
    samba-client-3.0.33-3.29.el5_5.1
    samba-3.0.33-3.29.el5_5.1
    samba-common-3.0.33-3.29.el5_5.1

    # testparm
    Load smb config files from /etc/samba/smb.conf
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
        workgroup = FMTEST
        realm = FMTEST.NET
        server string = Linux Test Machine
        security = ADS
        passdb backend = tdbsam
        log file = /var/log/samba/%m.log
        preferred master = No
        idmap domains = ALLDOMAINS
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        idmap config ALLDOMAINS:default = yes
        idmap config ALLDOMAINS:backend = ad
        idmap config ALLDOMAINS:range = 100-4294967294
        idmap config ALLDOMAINS:schema_mode = rfc2307

    # cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = FMTEST.NET
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     FMTEST.NET = {
      default_domain = fmtest.net
     }

    [domain_realm]
     .fmtest.net = FMTEST.NET
     fmtest.net = FMTEST.NET

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

Can you advise?

Thanks,
Mark.
Re: [Samba] Samba for Mac OS X
Samba is not a protocol. SMB is the protocol, and the protocol is owned by Microsoft. Samba is an open source package that implements a SMB server. It doesn't matter what kernel, or OS you are using, you can build Samba from the source code to run on your platform.

As for the front-end... have you ever thought of learning about text config files? (seriously, there are some other front-ends such as SWAT and webmin. They, however, don't integrate with Aqua, but they should be usable)

Of course, those steps are only necessary if you want to share resources from your Mac with the rest of your network. I don't believe the existing CIFS (SMB client in the kernel) client has gone away in OSX 10.7.

--
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660
Don't Blend in...
--

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniel Sutton
Sent: Monday, September 19, 2011 8:03 PM
To: samba@lists.samba.org
Subject: [Samba] Samba for Mac OS X

Dear Samba Community,

Because Apple has transitioned away from the open-source SAMBA protocol for their new 10.7 release of Mac OS X, I was wondering if there is a third-party solution to fill this void. Because OS X is based on Darwin, and Darwin is an open-source free version of UNIX, I thought there might be a solution with an Aqua front-end that would make it easier for Mac machines to connect to Windows networks.

If you are able to answer my question, I would be very happy! Thank you so much, and have a great week,

--Daniel
---
Daniel Sutton
danielsut...@gmail.com
Re: [Samba] Samba for Mac OS X
On 20.09.2011 15:39, Hoover, Tony wrote:

Of course, those steps are only necessary if you want to share resources from your Mac with the rest of your network. I don't believe the existing CIFS (SMB client in the kernel) client has gone away in OSX 10.7.

OSX 10.7 still has an SMB/CIFS client, although the current beta (10.7.2) isn't able to connect to a Samba-Share due to authentication problems, but I don't know if this will affect the final version. To have a SMB/CIFS-Share shown up in Finder you'll have to announce the Service via Bonjour using port 445.

Samba3 itself is available as MacPorts Portfile: http://www.macports.org/ports.php?by=librarysubstr=samba3

Of course you will not have a posh GUI, and you don't need Samba to connect to an SMB/CIFS-Share.

Bye for now.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniel Sutton
Sent: Monday, September 19, 2011 8:03 PM
To: samba@lists.samba.org
Subject: [Samba] Samba for Mac OS X

Dear Samba Community,

Because Apple has transitioned away from the open-source SAMBA protocol for their new 10.7 release of Mac OS X, I was wondering if there is a third-party solution to fill this void. Because OS X is based on Darwin, and Darwin is an open-source free version of UNIX, I thought there might be a solution with an Aqua front-end that would make it easier for Mac machines to connect to Windows networks.

If you are able to answer my question, I would be very happy! Thank you so much, and have a great week,

--Daniel
---
Daniel Sutton
danielsut...@gmail.com
[Samba] Samba fails
We are running Samba 3.5.8 on a Solaris 10 box and created several shares on our server so that people can access certain files/folders via the Active Directory (so we are also using winbindd). This worked well for a couple of years until recently - now, we are not able to access any of our shares. When we try, samba crashes (though nmbd winbind do not).

I've gone through several tests:

testparm - everything is fine here
wbinfo -u, wbinfo -g, getent passwd USERID, getent group GROUPID - all are successful

When I try smbclient, connecting to the server itself, I get tree connect failed: NT_STATUS_CONNECTION_INVALID. On the Samba listserv, there was a post just like this on 8/3/2011, but no solution was offered (other than please send a debug level 10 log - don't know if this ever happened). I tried the recommendation on this page - http://www.unixresources.net/linux/lf/56/archive/00/00/05/78/57864.html - changing valid users to just users, and got the same result.

I'm not really sure what else to try, but I sure would appreciate any suggestions or recommendations. Thank you!

Jamen McGranahan
Systems Services Librarian
Vanderbilt University Library

    # smbclient //acorn6/test -U mcgranj -d=3
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    Processing section [global]
    added interface e1000g1265000 ip=10.2.187.238 bcast=10.2.187.255 netmask=255.255.254.0
    added interface e1000g0 ip=129.59.95.30 bcast=129.59.95.255 netmask=255.255.255.0
    Client started (version 3.5.8).
    Enter mcgranj's password:
    resolve_wins: Attempting wins lookup for name acorn60x20
    resolve_wins: using WINS server 129.59.1.15 and tag '*'
    Got a positive name query response from 129.59.1.15 ( 129.59.95.30 )
    Connecting to 129.59.95.30 at port 445
    Doing spnego session setup (blob length=128)
    got OID=1.2.840.113554.1.2.2
    got OID=1.2.840.48018.1.2.2
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=cifs/acorn6.library.vanderbilt@ds.vanderbilt.edu
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    Domain=[VANDERBILT] OS=[Unix] Server=[Samba 3.5.8]
    tree connect failed: NT_STATUS_CONNECTION_INVALID
    #
[Samba] Group access control under LDAP.
Hi.

I would like to know if there is a way to restrict access to computer under LDAP. In the SambaSamAccount I have a SambaUserWorkstation that allows me to set the workstation a user could logon. I'm looking for something like this, but under computer account, I would like to set a list of users group that is allowed to logon on this computer.

Thanks
Daniel
Re: [Samba] Samba fails
On Tue, Sep 20, 2011 at 12:59:18PM -0500, McGranahan, Jamen wrote:

We are running Samba 3.5.8 on a Solaris 10 box and created several shares on our server so that people can access certain files/folders via the Active Directory (so we are also using winbindd). This worked well for a couple of years until recently - now, we are not able to access any of our shares. When we try, samba crashes (though nmbd winbind do not). I've gone through several tests:

Can you get a stack backtrace ? Samba should never crash.

Jeremy.
Re: [Samba] Recommended configuration for AD forest with childdomains
Greetings,

I have had Samba/Winbind/Kerberos single-sign-on authentication working for a few years now, for a single domain, and it works great. It pulls the RFC2307 populated attributes just like you'd expect, and people get the IDs mapped according to their attributes in AD. This works for version 3.2.7 and 3.4.3. I had to give the domain's Domain Users group a gid in the range of the idmap config range in order for it to work in 3.4.3 because for some unexplained reason, you have to be a member of domain users in order for winbind to even look at your rfc2307 attributes, but that's another complaint/bug/feature.

I have tried it with 3.5x and 3.6.0, and can't get it to work no matter how I tweak smb.conf.

I am in a multi-domain AD forest, in a child domain. I need to be able to give the same single sign-on access to people that live in the parent domain as well as the peer domain, and since AD has the whole transitive trust thing, there should be no trust issues.

I can list all of the users in each domain and all of the groups in each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through whatever mechanism it uses, can see all of them. However, to look at the RFC2307 attributes to determine whether or not they should be enumerated with getent group or getent passwd, it appears the idmap_ad process uses LDAP lookup on the authentication server to find whether the rfc2307 attributes have been populated.

I don't know if this is the problem or not, but some observations:

LDAP access to AD, when done on the LDAP port 389, will automatically set the search base to the domain. This precludes any lookup of people not in that domain.

The lookup that is done is done against whatever AD server answers the knock on the door, whether it has a replica of the Global Catalog or not, so if by luck of the draw your domain's Infrastructure master is used as the authentication server, there's no GC to look against, even if Winbind didn't default to port 389 and looked at port 3268 (the GC port) to do its idmap lookup.

So, given those observations, exactly how would someone configure Samba/Winbind to do SSO authentication using AD RFC2307 in a multi-domain parent/child domain AD forest such that you could have people authenticating from the Samba server's domain as well as the other trusted domains in the forest?

I have made sure that the GC included attributes have the necessary RFC2307 attributes included. They're not by default so you have to make sure they do get populated into the GC (at least according to the idmap_adex man page)

Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but although the users/groups enumerate just fine with wbinfo, I am not getting any idmapping through NSS. I have seen comments that idmap_adex' features were being rolled into idmap_ad (no need to have more than one idmap for a given infrastructure) but no word as to when that will happen for Samba 3, if at all, or what us poor multi-domain-forest suckers like me are supposed to do in the meantime.

Thanks,
Jim.

You could try to switch to idmap_adex which was created explicitly to answer the multidomain forest problem. Please read http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html before trying to deploy as it needs schema modifications for AD:

Note that you must add the uidNumber, gidNumber, and uid attributes to the partial attribute set of the forest global catalog servers. This can be done using the Active Directory Schema Management MMC plugin (schmmgmt.dll).

Good Luck!
Geza

Geza,

Thanks for the quick response, but I have already tried idmap_adex, and as I stated already, we have already added the rfc2307 attributes to the GC partial attribute set per the idmap_adex man page.

It's not a schema change, by the way - the Windows 2003R2 AD schema already has the RFC2307 attributes. What has to change is that those attributes have to be included in the Global Catalog, as they are not included there by default. The Partial Attribute Set is the subset of the full set of attributes defined in the AD schema, which are populated into the GC, to reduce the sheer size and volume of data the GC holds.

Anyway... That doesn't seem to help any when the LDAP lookup is using port 389 and not port 3268, and the lookup is done against the DC that has the Infrastructure role (because Winbind decided to use that DC as the auth server), and therefore no copy of the GC would be available for the IDMAP_AD or IDMAP_ADEX lookup, even if the GC port were to be used.

Can anyone recommend a specific way to configure a multi-domain parent-child-domain forest using idmap_ad, where the RFC2307 attributes will be used to IDMAP the UID/GID to the user/group?

I'd try
Re: [Samba] Recommended configuration for AD forest with childdomains
On 2011-09-20 23:16, Jim Stalewski wrote:

Greetings,

I have had Samba/Winbind/Kerberos single-sign-on authentication working for a few years now, for a single domain, and it works great. It pulls the RFC2307 populated attributes just like you'd expect, and people get the IDs mapped according to their attributes in AD. This works for version 3.2.7 and 3.4.3. I had to give the domain's Domain Users group a gid in the range of the idmap config range in order for it to work in 3.4.3 because for some unexplained reason, you have to be a member of domain users in order for winbind to even look at your rfc2307 attributes, but that's another complaint/bug/feature.

I have tried it with 3.5x and 3.6.0, and can't get it to work no matter how I tweak smb.conf.

I am in a multi-domain AD forest, in a child domain. I need to be able to give the same single sign-on access to people that live in the parent domain as well as the peer domain, and since AD has the whole transitive trust thing, there should be no trust issues.

I can list all of the users in each domain and all of the groups in each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through whatever mechanism it uses, can see all of them. However, to look at the RFC2307 attributes to determine whether or not they should be enumerated with getent group or getent passwd, it appears the idmap_ad process uses LDAP lookup on the authentication server to find whether the rfc2307 attributes have been populated.

I don't know if this is the problem or not, but some observations:

LDAP access to AD, when done on the LDAP port 389, will automatically set the search base to the domain. This precludes any lookup of people not in that domain.

The lookup that is done is done against whatever AD server answers the knock on the door, whether it has a replica of the Global Catalog or not, so if by luck of the draw your domain's Infrastructure master is used as the authentication server, there's no GC to look against, even if Winbind didn't default to port 389 and looked at port 3268 (the GC port) to do its idmap lookup.

So, given those observations, exactly how would someone configure Samba/Winbind to do SSO authentication using AD RFC2307 in a multi-domain parent/child domain AD forest such that you could have people authenticating from the Samba server's domain as well as the other trusted domains in the forest?

I have made sure that the GC included attributes have the necessary RFC2307 attributes included. They're not by default so you have to make sure they do get populated into the GC (at least according to the idmap_adex man page)

Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but although the users/groups enumerate just fine with wbinfo, I am not getting any idmapping through NSS. I have seen comments that idmap_adex' features were being rolled into idmap_ad (no need to have more than one idmap for a given infrastructure) but no word as to when that will happen for Samba 3, if at all, or what us poor multi-domain-forest suckers like me are supposed to do in the meantime.

Thanks,
Jim.

You could try to switch to idmap_adex which was created explicitly to answer the multidomain forest problem. Please read http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html before trying to deploy as it needs schema modifications for AD:

Note that you must add the uidNumber, gidNumber, and uid attributes to the partial attribute set of the forest global catalog servers. This can be done using the Active Directory Schema Management MMC plugin (schmmgmt.dll).

Good Luck!
Geza

Geza,

Thanks for the quick response, but I have already tried idmap_adex, and as I stated already, we have already added the rfc2307 attributes to the GC partial attribute set per the idmap_adex man page.

It's not a schema change, by the way - the Windows 2003R2 AD schema already has the RFC2307 attributes. What has to change is that those attributes have to be included in the Global Catalog, as they are not included there by default. The Partial Attribute Set is the subset of the full set of attributes defined in the AD schema, which are populated into the GC, to reduce the sheer size and volume of data the GC holds.

Anyway... That doesn't seem to help any when the LDAP lookup is using port 389 and not port 3268, and the lookup is done against the DC that has the Infrastructure role (because Winbind decided to use that DC as the auth server), and therefore no copy of the GC would be available for the IDMAP_AD or IDMAP_ADEX lookup, even if the GC port were to be used.

Can anyone recommend a specific way to configure a multi-domain parent-child-domain forest using idmap_ad, where the RFC2307 attributes will be used to IDMAP the UID/GID to the user/group?

I'd try idmap_adex
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 92c022f tdb2: allow readonly changes even while holding locks. from da5224a s3:dbwrap_ctdb: skip the internal __db_sequence_number__ key from (persistent) traverse and traverse_read http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 92c022f04392e731ee1e5389ed021b54317da141 Author: Rusty Russell ru...@rustcorp.com.au Date: Tue Sep 20 12:02:43 2011 +0930 tdb2: allow readonly changes even while holding locks. This happens in SAMBA with the TDB_VERSION1, presumably due to a read-only traverse nested inside a normal traverse (since it doesn't occur without TDB_VERSION1). Signed-off-by: Rusty Russell ru...@rustcorp.com.au Signed-off-by: Rusty Russell ru...@rustcorp.com.au (Imported from CCAN commit 24e5ddb143fb5e79112649472258f5da67cc7362) Autobuild-User: Rusty Russell ru...@rustcorp.com.au Autobuild-Date: Tue Sep 20 09:35:10 CEST 2011 on sn-devel-104 --- Summary of changes: lib/tdb2/tdb.c | 10 -- 1 files changed, 0 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/tdb2/tdb.c b/lib/tdb2/tdb.c index 9447816..6f38244 100644 --- a/lib/tdb2/tdb.c +++ b/lib/tdb2/tdb.c @@ -369,16 +369,6 @@ static bool readonly_changable(struct tdb_context *tdb, const char *caller) caller); return false; } - - if (tdb-file-allrecord_lock.count != 0 - || tdb-file-num_lockrecs != 0) { - tdb-last_error = tdb_logerr(tdb, TDB_ERR_EINVAL, -TDB_LOG_USE_ERROR, -%s: can't change - TDB_RDONLY holding locks, -caller); - return false; - } return true; } -- Samba Shared Repository
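Review bot: In readonly_changable() the guard that refused to change TDB_RDONLY while allrecord_lock.count or num_lockrecs is non-zero is deleted outright, yet the commit message only says the failure is "presumably" due to a read-only traverse nested inside a normal traverse. With the guard gone, every caller can toggle the read-only flag while record or all-record locks are held, and nothing in the function says why that is safe. Suggest confirming the nested-traverse cause and relaxing the check for that case only, or keeping the removal but adding a comment on readonly_changable() that states the locking invariant the remaining check relies on, together with a test that nests a read-only traverse inside a normal one under TDB_VERSION1.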
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

    http://git.samba.org/autobuild.flakey/2011-09-20-1247/flakey.log

The samba3 build logs are available here:

    http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba3.stderr
    http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba3.stdout

The source4 build logs are available here:

    http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba4.stderr
    http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba4.stdout

The top commit at the time of the failure was:

commit 92c022f04392e731ee1e5389ed021b54317da141
Author: Rusty Russell ru...@rustcorp.com.au
Date: Tue Sep 20 12:02:43 2011 +0930

    tdb2: allow readonly changes even while holding locks.

    This happens in SAMBA with the TDB_VERSION1, presumably due to a read-only traverse nested inside a normal traverse (since it doesn't occur without TDB_VERSION1).

    Signed-off-by: Rusty Russell ru...@rustcorp.com.au
    Signed-off-by: Rusty Russell ru...@rustcorp.com.au
    (Imported from CCAN commit 24e5ddb143fb5e79112649472258f5da67cc7362)

    Autobuild-User: Rusty Russell ru...@rustcorp.com.au
    Autobuild-Date: Tue Sep 20 09:35:10 CEST 2011 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0167b04 s4-drs: allow replication of the GC partial attribute set from 92c022f tdb2: allow readonly changes even while holding locks. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0167b0447fa679ceaf322633e3170f43fde4b740 Author: Andrew Tridgell tri...@samba.org Date: Tue Sep 20 15:15:36 2011 +1000 s4-drs: allow replication of the GC partial attribute set when a DC has the GUID_DRS_GET_FILTERED_ATTRIBUTES right on a NC, we need to allow it to replicate if all the attributes it is asking for are in the GC partial attribute set Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Tue Sep 20 13:47:38 CEST 2011 on sn-devel-104 --- Summary of changes: source4/rpc_server/drsuapi/getncchanges.c | 100 +++-- 1 files changed, 95 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index ca24b3d..61a6002 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c 
@@ -1162,20 +1162,90 @@ static WERROR dcesrv_drsuapi_is_reveal_secrets_request(struct drsuapi_bind_state } } + if (req10-partial_attribute_set_ex) { + /* check the extended attributes they asked for */ + for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) { + const struct dsdb_attribute *sa; + sa = dsdb_attribute_by_attributeID_id(schema, req10-partial_attribute_set_ex-attids[i]); + if (sa == NULL) { + return WERR_DS_DRA_SCHEMA_MISMATCH; + } + if (!dsdb_attr_in_rodc_fas(sa)) { + *is_secret_request = true; + return WERR_OK; + } + } + } + + *is_secret_request = false; + return WERR_OK; +} + +/* + see if this getncchanges request is only for attributes in the GC + partial attribute set + */ +static WERROR dcesrv_drsuapi_is_gc_pas_request(struct drsuapi_bind_state *b_state, + struct drsuapi_DsGetNCChangesRequest10 *req10, + bool *is_gc_pas_request) +{ + enum drsuapi_DsExtendedOperation exop; + uint32_t i; + struct dsdb_schema *schema; + + exop = req10-extended_op; + + switch (exop) { + case DRSUAPI_EXOP_FSMO_REQ_ROLE: + case DRSUAPI_EXOP_FSMO_RID_ALLOC: + case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE: + case DRSUAPI_EXOP_FSMO_REQ_PDC: + case DRSUAPI_EXOP_FSMO_ABANDON_ROLE: + case DRSUAPI_EXOP_REPL_SECRET: + *is_gc_pas_request = false; + return WERR_OK; + case DRSUAPI_EXOP_REPL_OBJ: + case DRSUAPI_EXOP_NONE: + break; + } + + if (req10-partial_attribute_set == NULL) { + /* they want it all */ + *is_gc_pas_request = false; + return WERR_OK; + } + + schema = dsdb_get_schema(b_state-sam_ctx, NULL); + /* check the attributes they asked for */ - for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) { + for (i=0; ireq10-partial_attribute_set-num_attids; i++) { const struct dsdb_attribute *sa; - sa = dsdb_attribute_by_attributeID_id(schema, req10-partial_attribute_set_ex-attids[i]); + sa = dsdb_attribute_by_attributeID_id(schema, req10-partial_attribute_set-attids[i]); if (sa == NULL) { return WERR_DS_DRA_SCHEMA_MISMATCH; } - if (!dsdb_attr_in_rodc_fas(sa)) { - 
*is_secret_request = true; + if (!sa-isMemberOfPartialAttributeSet) { + *is_gc_pas_request = false; return WERR_OK; } } - *is_secret_request = false; + if (req10-partial_attribute_set_ex) { + /* check the extended attributes they asked for */ + for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) { + const struct dsdb_attribute *sa; + sa = dsdb_attribute_by_attributeID_id(schema, req10-partial_attribute_set_ex-attids[i]); + if (sa == NULL) { + return WERR_DS_DRA_SCHEMA_MISMATCH; + } + if (!sa-isMemberOfPartialAttributeSet) { + *is_gc_pas_request = false; + return WERR_OK; + } +
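Review bot: In the new dcesrv_drsuapi_is_gc_pas_request(), the value returned by dsdb_get_schema() is handed to dsdb_attribute_by_attributeID_id() in both attid loops without being checked for NULL in the lines shown. Per the commit message this function decides whether a DC holding only GUID_DRS_GET_FILTERED_ATTRIBUTES may replicate, so it should fail closed: test schema right after the call and return an error, or set *is_gc_pas_request = false, before either loop runs. The switch on exop also has no default arm, so an extended operation outside the listed values falls through to the attribute checks; a default that sets *is_gc_pas_request = false would keep unknown operations on the restricted path. The loops over partial_attribute_set and partial_attribute_set_ex are identical apart from the set they walk and could share one helper.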
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8dda773 s3-docs: document -k switch in net manpage. from 0167b04 s4-drs: allow replication of the GC partial attribute set http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8dda773bd7eea1d163282b1f3c5e90cbff8a1003 Author: Günther Deschner g...@samba.org Date: Tue Sep 20 14:13:36 2011 +0200 s3-docs: document -k switch in net manpage. Guenther Autobuild-User: Günther Deschner g...@samba.org Autobuild-Date: Tue Sep 20 15:47:00 CEST 2011 on sn-devel-104 --- Summary of changes: docs-xml/manpages-3/net.8.xml |1 + 1 files changed, 1 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/net.8.xml b/docs-xml/manpages-3/net.8.xml index 6e6b7e3..754fd43 100644 --- a/docs-xml/manpages-3/net.8.xml +++ b/docs-xml/manpages-3/net.8.xml @@ -61,6 +61,7 @@ variablelist stdarg.help; + stdarg.kerberos; varlistentry term-w target-workgroup/term -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 02a08d5 s4:ntvfs common - remove two outdated function prototypes via 7c44039 s4:ntvfs common - add UTIL_TDB and tdb-wrap as internal build dependency via 5347074 s4:param/pyparam.c - suppress P_SEP compilation warning from 8dda773 s3-docs: document -k switch in net manpage. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 02a08d5cd5f2a57e51fffd2a10b6ee8f797df9e0 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Tue Sep 20 18:38:54 2011 +0200 s4:ntvfs common - remove two outdated function prototypes The two functions don't exist anymore. Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Tue Sep 20 20:16:29 CEST 2011 on sn-devel-104 commit 7c44039f483802c04611abaf11e0b421716e632b Author: Matthias Dieter Wallnöfer m...@samba.org Date: Tue Sep 20 15:04:54 2011 +0200 s4:ntvfs common - add UTIL_TDB and tdb-wrap as internal build dependency These modules are required for both header and source code files (see bug #8468). Reviewed-by: Jelmer commit 5347074c4e458e077e2833170e2b122494037552 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Tue Sep 20 14:32:52 2011 +0200 s4:param/pyparam.c - suppress P_SEP compilation warning Reviewed-by: Jelmer --- Summary of changes: source4/ntvfs/common/brlock.h |3 --- source4/ntvfs/common/opendb.h |1 - source4/ntvfs/common/wscript_build |1 + source4/param/pyparam.c|4 ++-- 4 files changed, 3 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/ntvfs/common/brlock.h b/source4/ntvfs/common/brlock.h index 703538f..650136b 100644 --- a/source4/ntvfs/common/brlock.h +++ b/source4/ntvfs/common/brlock.h @@ -51,8 +51,5 @@ struct brlock_ops { int *count); }; - void brlock_set_ops(const struct brlock_ops *new_ops); void brl_tdb_init_ops(void); -void brl_ctdb_init_ops(void); - diff --git a/source4/ntvfs/common/opendb.h b/source4/ntvfs/common/opendb.h index 446df17..1bfc6aa 100644 
--- a/source4/ntvfs/common/opendb.h +++ b/source4/ntvfs/common/opendb.h @@ -57,4 +57,3 @@ struct opendb_oplock_break { void odb_set_ops(const struct opendb_ops *new_ops); void odb_tdb_init_ops(void); -void odb_ctdb_init_ops(void); diff --git a/source4/ntvfs/common/wscript_build b/source4/ntvfs/common/wscript_build index 4977b70..b16f8fa 100644 --- a/source4/ntvfs/common/wscript_build +++ b/source4/ntvfs/common/wscript_build @@ -3,6 +3,7 @@ bld.SAMBA_SUBSYSTEM('ntvfs_common', source='init.c brlock.c brlock_tdb.c opendb.c opendb_tdb.c notify.c', autoproto='proto.h', + deps='UTIL_TDB tdb-wrap', public_deps='NDR_OPENDB NDR_NOTIFY sys_notify sys_lease share' ) diff --git a/source4/param/pyparam.c b/source4/param/pyparam.c index 663ed84..d5049d7 100644 --- a/source4/param/pyparam.c +++ b/source4/param/pyparam.c @@ -143,8 +143,8 @@ static PyObject *py_lp_ctx_get_helper(struct loadparm_context *lp_ctx, const cha PyString_FromString(strlist[j])); return pylist; } - - break; +case P_SEP: + return NULL; /* this stands for a separator, can be ignored */ } return NULL; -- Samba Shared Repository
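Review bot: in the pyparam.c hunk, the new `case P_SEP:` returns NULL exactly as the `return NULL;` after the switch already does, so a `break;` carrying the same comment would silence the warning while keeping a single exit path. Removing the old `break;` also means the preceding case now relies on its `return pylist;` to avoid falling through into `case P_SEP:`. That holds in the lines shown, but it is worth confirming that every path through that block returns.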
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9881712 s3: Further fix for bug 8338 via 37b9753 Fix some typos via cb2fe8b s3: Fix typos from 02a08d5 s4:ntvfs common - remove two outdated function prototypes http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9881712a09b2579047dcca6c22f9e919029455d4 Author: Volker Lendecke v...@samba.org Date: Tue Sep 20 22:45:52 2011 +0200 s3: Further fix for bug 8338 OS/X can not deal with a 10-vwv read on normal files. Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Wed Sep 21 00:51:08 CEST 2011 on sn-devel-104 commit 37b9753096f20087bf3bf9f8454b99302eebdfd2 Author: Volker Lendecke v...@samba.org Date: Mon Sep 19 01:41:27 2011 +0200 Fix some typos commit cb2fe8bafc738acdec35d4061a94c9767847e9ae Author: Volker Lendecke v...@samba.org Date: Mon Sep 19 00:02:55 2011 +0200 s3: Fix typos --- Summary of changes: docs-xml/smbdotconf/misc/rpcserver.xml | 11 --- source3/libsmb/clireadwrite.c | 11 +-- 2 files changed, 13 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/misc/rpcserver.xml b/docs-xml/smbdotconf/misc/rpcserver.xml index 6984668..fcc63fe 100644 --- a/docs-xml/smbdotconf/misc/rpcserver.xml +++ b/docs-xml/smbdotconf/misc/rpcserver.xml @@ -15,7 +15,7 @@ para This option can be set for each available rpc service in Samba. The following list shows all available pipe names services you - can modify with this options. + can modify with this option. /para itemizedlist 
@@ -50,19 +50,16 @@ para Choosing the emphasisexternal/emphasis option allows to run - separate daemon or even a completely independent (3rd party) + a separate daemon or even a completely independent (3rd party) server capable of interfacing with samba via the MS-RPC interface over named pipes. /para para - Currently in Samba3 we support thre daemons, spoolssd, epmd and + Currently in Samba3 we support three daemons, spoolssd, epmd and lsasd. These daemons can be enabled using the emphasisrpc_daemon/emphasis option. For spoolssd you have - to to enable the deamon and proxy the named pipe with: - Currently in Samba3 we support thre daemons, spoolssd, epmd and - lsasd. These daemons can be enabled using the - emphasisrpc_daemon/emphasis option. + to to enable the daemon and proxy the named pipe with: /para para diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c index 1ee2196..e8c9017 100644 --- a/source3/libsmb/clireadwrite.c +++ b/source3/libsmb/clireadwrite.c @@ -155,10 +155,17 @@ struct tevent_req *cli_read_andx_create(TALLOC_CTX *mem_ctx, SSVAL(state-vwv + 8, 0, 0); SSVAL(state-vwv + 9, 0, 0); - if ((uint64_t)offset 32) { + if (cli_state_capabilities(cli) CAP_LARGE_FILES) { SIVAL(state-vwv + 10, 0, (((uint64_t)offset)32) 0x); - wct += 2; + wct = 12; + } else { + if uint64_t)offset) 0xLL) != 0) { + DEBUG(10, (cli_read_andx_send got large offset where + the server does not support it\n)); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } } subreq = cli_smb_req_create(state, ev, cli, SMBreadX, 0, wct, -- Samba Shared Repository
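Review bot: in the second rpcserver.xml hunk, the corrected line still reads "to to enable the daemon", so the doubled "to" survives a commit whose purpose is fixing typos. Drop one "to" in the same change. The removal of the duplicated "Currently in Samba3 we support ..." sentence looks right.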
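Review bot: in the clireadwrite.c hunk, the new DEBUG message names cli_read_andx_send, while the hunk header places this code in cli_read_andx_create; the message should name the function that actually emits it, or it will mislead whoever reads the log. Separately, `wct = 12;` replaces `wct += 2;` with a bare constant. A short comment that 12 is the large-offset form of the request (the 10-word form plus the two words for the high offset) would document why the value is fixed once the server advertises CAP_LARGE_FILES, which is the behaviour the commit message is after.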
[SCM] CTDB repository - branch master updated - ctdb-1.11-63-g3d37be3
The branch, master has been updated via 3d37be3e2bfb61ede824028aeebaa18ba304faae (commit) from 8a86ac72088ad9f64ca83218c704f84c9abe00b6 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 3d37be3e2bfb61ede824028aeebaa18ba304faae Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Sep 21 11:42:19 2011 +1000 when checking that the interfaces exist in ctdb_add_public_address() cant talloc off vnn since it is not yet initialized and might not always be NULL --- Summary of changes: server/ctdb_takeover.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c index 4114b40..29f7acd 100644 --- a/server/ctdb_takeover.c +++ b/server/ctdb_takeover.c @@ -880,15 +880,15 @@ static int ctdb_add_public_address(struct ctdb_context *ctdb, int i; int ret; - tmp = talloc_strdup(vnn, ifaces); + tmp = strdup(ifaces); for (iface = strtok(tmp, ,); iface; iface = strtok(NULL, ,)) { if (!ctdb_sys_check_iface_exists(iface)) { DEBUG(DEBUG_CRIT,(Interface %s does not exist. Can not add public-address : %s\n, iface, ctdb_addr_to_str(addr))); - talloc_free(tmp); + free(tmp); return -1; } } - talloc_free(tmp); + free(tmp); /* Verify that we dont have an entry for this ip yet */ for (vnn=ctdb-vnn;vnn;vnn=vnn-next) { -- CTDB repository
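Review bot: in the ctdb_takeover.c hunk, the result of `tmp = strdup(ifaces);` is passed to `strtok(tmp, ...)` without a NULL check, so an allocation failure is not handled; check `tmp` and return -1 with a DEBUG_CRIT message before the loop. Since the problem described in the commit message is only that `vnn` is uninitialized at this point, `talloc_strdup(ctdb, ifaces)` on the `ctdb` context from the function signature would also fix it and keep the allocation inside talloc like the rest of the function, with the existing talloc_free() calls unchanged.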
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ad3ac7e Try and fix bug #8472 - Crash in asn.1 parsing code. from 9881712 s3: Further fix for bug 8338 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ad3ac7e3c0bdf9b93c6b831f29452fd63fe0818b Author: Jeremy Allison j...@samba.org Date: Tue Sep 20 18:50:00 2011 -0700 Try and fix bug #8472 - Crash in asn.1 parsing code. Found by Codenomicon at the SNIA plugfest. Don't keep going in the loop when reading the OIDs fail. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Wed Sep 21 05:24:59 CEST 2011 on sn-devel-104 --- Summary of changes: source3/libsmb/clispnego.c |7 ++- 1 files changed, 6 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 4581ce4..d584f9f 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -126,7 +126,12 @@ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, asn1_start_tag(data,ASN1_CONTEXT(0)); asn1_start_tag(data,ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(data) 0 i ASN1_MAX_OIDS-1; i++) { - asn1_read_OID(data,ctx, OIDs[i]); + if (!asn1_read_OID(data,ctx, OIDs[i])) { + break; + } + if (data-has_error) { + break; + } } OIDs[i] = NULL; asn1_end_tag(data); -- Samba Shared Repository
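Review bot: in the clispnego.c hunk, breaking out of the loop on a failed asn1_read_OID() stops the parse, but the visible code then continues with `OIDs[i] = NULL;` and `asn1_end_tag(data);` as if the sequence had been read successfully. Confirm that the rest of spnego_parse_negTokenInit() checks data->has_error and returns false, and that the OIDs already stored in slots 0..i-1 are released on that path. The two new checks can also be folded into one condition, since both lead to the same `break;`.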
[SCM] CTDB repository - branch master updated - ctdb-1.11-64-gb963f5e
The branch, master has been updated via b963f5e40b1e73a60363568da88557cad9e58a28 (commit) from 3d37be3e2bfb61ede824028aeebaa18ba304faae (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit b963f5e40b1e73a60363568da88557cad9e58a28 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Sep 21 15:41:28 2011 +1000 Change the 'This Node' column of the machinereadable output for 'ctdb status -Y' to Y/N instead of 1/0 1/0 is unsuitable since it can be useful to check 'if a column is 1 there is something wrong with that node' --- Summary of changes: tools/ctdb.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/tools/ctdb.c b/tools/ctdb.c index fc281e4..876521a 100644 --- a/tools/ctdb.c +++ b/tools/ctdb.c @@ -651,7 +651,7 @@ static int control_status(struct ctdb_context *ctdb, int argc, const char **argv talloc_free(ifaces); } } - printf(:%d:%s:%d:%d:%d:%d:%d:%d:%d:%d:\n, nodemap-nodes[i].pnn, + printf(:%d:%s:%d:%d:%d:%d:%d:%d:%d:%c:\n, nodemap-nodes[i].pnn, ctdb_addr_to_str(nodemap-nodes[i].addr), !!(nodemap-nodes[i].flagsNODE_FLAGS_DISCONNECTED), !!(nodemap-nodes[i].flagsNODE_FLAGS_BANNED), @@ -660,7 +660,7 @@ static int control_status(struct ctdb_context *ctdb, int argc, const char **argv !!(nodemap-nodes[i].flagsNODE_FLAGS_STOPPED), !!(nodemap-nodes[i].flagsNODE_FLAGS_INACTIVE), partially_online, - (nodemap-nodes[i].pnn == mypnn)); + (nodemap-nodes[i].pnn == mypnn)?'Y':'N'); } return 0; } -- CTDB repository
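Review bot: switching the last field of the `ctdb status -Y` line from `%d` to `%c` with `'Y':'N'` changes a machine-readable format that existing scripts may parse as 1/0, and the summary shows only tools/ctdb.c touched. Any column header printed for the -Y output and the documentation of this field should be updated in the same commit, and the format change should be called out for users who consume this output.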