[Samba] getent group not listing domain groups / wbinfo -r not working

2011-09-20 Thread Ľubomír Brindza
I know, I know, this again :)


The company I work for would like to use squid for proxy authentication
purposes using NTLM, using a Windows 2008 R2 server as a DC. I've
managed to set up samba/winbind to use ads and successfully joined the
domain. Configured nsswitch.conf to lookup winbind entities (however I
didn't touch PAM configuration, as I don't actually want the users to be
able to login to the linux machine).

wbinfo -t reports a successful check of trust.
wbinfo -u / wbinfo -g work as intended, e.g. dump a list of domain users
/ groups.
I can authenticate using wbinfo -a (both plaintext and
challenge-response) and wbinfo -K.

nsswitch.conf:
 passwd: compat winbind
 group:  compat winbind

As far as I can tell, nsswitch.conf is also configured properly, since
`getent passwd` dumps local users, waits about .2 seconds, and dumps
domain users:
 sasa.sokolova:*:10283:10001:Sasa
 Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
 adam.szabados:*:10284:10001:Adam
 Szabados:/home/LIONSK/adam.szabados:/bin/false

(All domain users are members of group '10001', is this normal?)

However, `getent group` lists only local groups. No waiting time, it
just dumps local groups and exits. Likewise, when attempting to `wbinfo
-r domainuser`, the command fails with 'Could not get groups for
domainuser'. I've run strace on `getent group` (which, incidentally,
shows a timeout, but none is perceived), the result can hopefully be
viewed here: http://halka.yw.sk/ext/strace_getent_group.txt

A widely suggested fix for this was to delete
/var/lib/samba/winbindd_idmap.tdb (for Samba versions up to 3.2.x?), but
the problems persist even after clearing the cache.


This is the point at which I'm stumped, since management wants to apply
different squid ACLs based on domain user's group. The funny (or not)
thing is, when authenticating using domain group restriction, e.g.:
 /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 --require-membership-of=DOMAIN\\it
...works as intended (allows only member of the group 'it' to
authenticate successfully), but that's about as far as I can get.

I'm using samba 3.5.8 as provided by, cough, Ubuntu (10.08) packages.
I've previously tried a similar solution on Debian lenny. Now, this is a
virtual server which only holds samba and squid, so I have no qualms
about reinstalling, using various pre-alpha versions or anything, so
wild ideas like this are not unwelcome.


I've linked my configuration files below, since I'm not yet sure about
proper attachment etiquette in mailing lists:
http://halka.yw.sk/ext/krb5.conf
http://halka.yw.sk/ext/smb.conf
http://halka.yw.sk/ext/nsswitch.conf

Any help is of course greatly appreciated.

-- 
Ľubomír Brindza
xmpp: lubomir.brin...@gmail.com

Your eyes are weary from staring at the CRT. You feel sleepy. 
Notice how restful it is to watch the cursor blink. Close your 
eyes. The opinions stated above are yours. You cannot imagine 
why you ever felt otherwise.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed

2011-09-20 Thread Mark R Bannister
 Hi,
 I've seen many people complain about this error message by Googling
around, but I've never found a satisfactory explanation as to the
cause and resolution.  I'm hoping someone on the list will be able to
point me in the right direction?
 I'm attempting to get a RHEL 5.5 client configured to use winbind
auth against Windows 2003 R2 AD (in fact my end game is to get all
NIS maps served from AD, but one step at a time).
 I've been following these steps:
 http://wiki.samba.org/index.php/Samba__Active_Directory
 But when I come to issue the 'net ads join' command:
 # net ads join -U administrator
 administrator's password:
 [2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials
 Failed to join domain: Invalid credentials
 So having manually configured it, I decided maybe 'authconfig' could
help.  I have no graphics here, so tried a command-line approach:
 # authconfig --enablecache --enablewinbind --enablewinbindauth
--smbsecurity ads --smbrealm FMTEST.NET 
 --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294
--enablewinbindusedefaultdomain 
 --enablewinbindoffline --winbindjoin=Administrator --update
 This made no difference (same error when trying to join).  Apart
from adding the 'winbind offline logon' option which I omitted from
my manual approach, using the old idmap features instead of the new
ones, and setting up PAM for winbind (which I hadn't got around to
yet) there was no difference in config.
 Debug modes, RHEL logs, Windows event logs, network traces - I've
looked at them all and can't find anything that points to the exact
problem.
 Some pertinent info:
 # cat /etc/redhat-release
 Red Hat Enterprise Linux Server release 5.5 (Tikanga)
 # rpm -qa | egrep 'samba|libsmb'
 libsmbclient-3.0.33-3.29.el5_5.1
 samba-client-3.0.33-3.29.el5_5.1
 samba-3.0.33-3.29.el5_5.1
 samba-common-3.0.33-3.29.el5_5.1
 # testparm
 Load smb config files from /etc/samba/smb.conf
 Loaded services file OK.
 Server role: ROLE_DOMAIN_MEMBER
 Press enter to see a dump of your service definitions
 [global]
 workgroup = FMTEST
 realm = FMTEST.NET
 server string = Linux Test Machine
 security = ADS
 passdb backend = tdbsam
 log file = /var/log/samba/%m.log
 preferred master = No
 idmap domains = ALLDOMAINS
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nss info = rfc2307
 winbind offline logon = Yes
 idmap config ALLDOMAINS:default = yes
 idmap config ALLDOMAINS:backend = ad
 idmap config ALLDOMAINS:range = 100-4294967294
 idmap config ALLDOMAINS:schema_mode = rfc2307
 # cat /etc/krb5.conf
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = FMTEST.NET
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
 [realms]
  FMTEST.NET = {
   default_domain = fmtest.net
  }
 [domain_realm]
  .fmtest.net = FMTEST.NET
  fmtest.net = FMTEST.NET
 [appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }
 Can you advise?
 Thanks,
 Mark.


Re: [Samba] Samba for Mac OS X

2011-09-20 Thread Hoover, Tony
Samba is not a protocol.  SMB is the protocol, and the protocol is owned
by Microsoft.  Samba is an open source package that implements an SMB server.

It doesn't matter what kernel, or OS you are using, you can build Samba from
the source code to run on your platform.  As for the front-end... have you
ever thought of learning about text config files?  (seriously, there are
some other front-ends such as SWAT and webmin.  They, however, don't
integrate with Aqua, but they should be usable)
Of course, those steps are only necessary if you want to share resources
from your Mac with the rest of your network.  I don't believe the existing
CIFS (SMB client in the kernel) client has gone away in OSX 10.7. 


--
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

Don't Blend in...
--
 
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Daniel Sutton
Sent: Monday, September 19, 2011 8:03 PM
To: samba@lists.samba.org
Subject: [Samba] Samba for Mac OS X

Dear Samba Community,

Because Apple has transitioned away from the open-source SAMBA protocol for
their new 10.7 release of Mac OS X, I was wondering if there is a
third-party solution to fill this void.  Because OS X is based on Darwin,
and Darwin is an open-source free version of UNIX, I thought there might
be a solution with an Aqua front-end that would make it easier for Mac
machines to connect to Windows networks.  If you are able to answer my
question, I would be very happy!

Thank you so much, and have a great week,

--Daniel

---
Daniel Sutton
danielsut...@gmail.com


Re: [Samba] Samba for Mac OS X

2011-09-20 Thread Denis Witt

On 20.09.2011 15:39, Hoover, Tony wrote:


> Of course, those steps are only necessary if you want to share resources
> from your Mac with the rest of your network.  I don't believe the existing
> CIFS (SMB client in the kernel) client has gone away in OSX 10.7.


OSX 10.7 still has an SMB/CIFS client, although the current beta 
(10.7.2) isn't able to connect to a Samba-Share due to authentication 
problems, but I don't know if this will affect the final version.


To have a SMB/CIFS-Share shown up in Finder you'll have to announce the 
Service via Bonjour using port 445.


Samba3 itself is available as MacPorts Portfile:
http://www.macports.org/ports.php?by=librarysubstr=samba3

Of course you will not have a posh GUI, and you don't need Samba to 
connect to an SMB/CIFS-Share.


Bye for now.


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Daniel Sutton
Sent: Monday, September 19, 2011 8:03 PM
To: samba@lists.samba.org
Subject: [Samba] Samba for Mac OS X

Dear Samba Community,

Because Apple has transitioned away from the open-source SAMBA protocol for
their new 10.7 release of Mac OS X, I was wondering if there is a
third-party solution to fill this void.  Because OS X is based on Darwin,
and Darwin is an open-source free version of UNIX, I thought there might
be a solution with an Aqua front-end that would make it easier for Mac
machines to connect to Windows networks.  If you are able to answer my
question, I would be very happy!

Thank you so much, and have a great week,

--Daniel

---
Daniel Sutton
danielsut...@gmail.com



[Samba] Samba fails

2011-09-20 Thread McGranahan, Jamen
We are running Samba 3.5.8 on a Solaris 10 box and created several shares on 
our server so that people can access certain files/folders via the Active 
Directory (so we are also using winbindd). This worked well for a couple of 
years until recently - now, we are not able to access any of our shares. When 
we try, samba crashes (though nmbd & winbind do not). I've gone through several 
tests:

testparm - everything is fine here

wbinfo -u, wbinfo -g, getent passwd USERID, getent group GROUPID - all are 
successful

When I try smbclient, connecting to the server itself, I get tree connect 
failed: NT_STATUS_CONNECTION_INVALID. On the Samba listserv, there was a post 
just like this on 8/3/2011, but no solution was offered (other than please send 
a debug level 10 log - don't know if this ever happened). I tried the 
recommendation on this page - 
http://www.unixresources.net/linux/lf/56/archive/00/00/05/78/57864.html - 
changing valid users to just users, and got the same result. I'm not really 
sure what else to try, but I sure would appreciate any suggestions or 
recommendations. Thank you!

Jamen McGranahan
Systems Services Librarian
Vanderbilt University Library


# smbclient //acorn6/test -U mcgranj -d=3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
added interface e1000g1265000 ip=10.2.187.238 bcast=10.2.187.255 
netmask=255.255.254.0
added interface e1000g0 ip=129.59.95.30 bcast=129.59.95.255 
netmask=255.255.255.0
Client started (version 3.5.8).
Enter mcgranj's password:
resolve_wins: Attempting wins lookup for name acorn6<0x20>
resolve_wins: using WINS server 129.59.1.15 and tag '*'
Got a positive name query response from 129.59.1.15 ( 129.59.95.30 )
Connecting to 129.59.95.30 at port 445
Doing spnego session setup (blob length=128)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/acorn6.library.vanderbilt@ds.vanderbilt.edu
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[VANDERBILT] OS=[Unix] Server=[Samba 3.5.8]
tree connect failed: NT_STATUS_CONNECTION_INVALID
#





[Samba] Group access control under LDAP.

2011-09-20 Thread Daniel Lopes de Carvalho
Hi.

I would like to know if there is a way to restrict access to computer under
LDAP.

In the SambaSamAccount I have a SambaUserWorkstation that allow me to set
the workstation a user could logon.

I'm looking for something like this, but under computer account, I would
like to set a list of users group that is allowed to logon on this computer.

Thanks

Daniel


Re: [Samba] Samba fails

2011-09-20 Thread Jeremy Allison
On Tue, Sep 20, 2011 at 12:59:18PM -0500, McGranahan, Jamen wrote:
> We are running Samba 3.5.8 on a Solaris 10 box and created several shares on
> our server so that people can access certain files/folders via the Active
> Directory (so we are also using winbindd). This worked well for a couple of
> years until recently - now, we are not able to access any of our shares. When
> we try, samba crashes (though nmbd & winbind do not). I've gone through
> several tests:

Can you get a stack backtrace ? Samba should never crash.

Jeremy.


Re: [Samba] Recommended configuration for AD forest with childdomains

2011-09-20 Thread Jim Stalewski
> > Greetings,
> >
> > I have had Samba/Winbind/Kerberos single-sign-on authentication
> > working for a few years now, for a single domain, and it works great.
> > It pulls the RFC2307 populated attributes just like you'd expect, and
> > people get the IDs mapped according to their attributes in AD.
> >
> > This works for version 3.2.7 and 3.4.3.  I had to give the domain's
> > Domain Users group a gid in the range of the idmap config range in
> > order for it to work in 3.4.3 because for some unexplained reason, you
> > have to be a member of domain users in order for winbind to even look
> > at your rfc2307 attributes, but that's another complaint/bug/feature.
> >
> > I have tried it with 3.5x and 3.6.0, and can't get it to work no
> > matter how I tweak smb.conf.
> >
> > I am in a multi-domain AD forest, in a child domain.  I need to be
> > able to give the same single sign-on access to people that live in the
> > parent domain as well as the peer domain, and since AD has the whole
> > transitive trust thing, there should be no trust issues.
> >
> > I can list all of the users in each domain and all of the groups in
> > each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through
> > whatever mechanism it uses, can see all of them.
> >
> > However, to look at the RFC2307 attributes to determine whether or not
> > they should be enumerated with getent group or getent passwd, it
> > appears the idmap_ad process uses LDAP lookup on the authentication
> > server to find whether the rfc2307 attributes have been populated.  I
> > don't know if this is the problem or not, but some observations:
> >
> > LDAP access to AD, when done on the LDAP port 389, will automatically
> > set the search base to the domain.  This precludes any lookup of
> > people not in that domain.
> >
> > The lookup that is done is done against whatever AD server answers the
> > knock on the door, whether it has a replica of the Global Catalog or
> > not, so if by luck of the draw your domain's Infrastructure master is
> > used as the authentication server, there's no GC to look against, even
> > if Winbind didn't default to port 389 and looked at port 3268 (the GC
> > port) to do its idmap lookup.
> >
> > So, given those observations, exactly how would someone configure
> > Samba/Winbind to do SSO authentication using AD RFC2307 in a
> > multi-domain parent/child domain AD forest such that you could have
> > people authenticating from the Samba server's domain as well as the
> > other trusted domains in the forest?
> >
> > I have made sure that the GC included attributes have the necessary
> > RFC2307 attributes included.  They're not by default so you have to
> > make sure they do get populated into the GC (at least according to the
> > idmap_adex man page)
> >
> > Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but
> > although the users/groups enumerate just fine with wbinfo, I am not
> > getting any idmapping through NSS.  I have seen comments that
> > idmap_adex' features were being rolled into idmap_ad (no need to have
> > more than one idmap for a given infrastructure) but no word as to when
> > that will happen for Samba 3, if at all, or what us poor
> > multi-domain-forest suckers like me are supposed to do in the meantime.
> >
> > Thanks,
> >
> > Jim.
>
> You could try to switch to idmap_adex which was created explicitly to
> answer the multidomain forest problem. Please read
> http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html
> before trying to deploy as it needs schema modifications for AD: Note
> that you must add the uidNumber, gidNumber, and uid attributes to the
> partial attribute set of the forest global catalog servers. This can
> be done using the Active Directory Schema Management MMC plugin
> (schmmgmt.dll)..
>
> Good Luck!
>
> Geza
 

Geza,

Thanks for the quick response, but I have already tried idmap_adex, and as I 
stated already, we have already added the rfc2307 attributes to the GC partial 
attribute set per the idmap_adex man page.  

It's not a schema change, by the way - the Windows 2003R2 AD schema already has 
the RFC2307 attributes.  What has to change is that those attributes have to be 
included in the Global Catalog, as they are not included there by default.  The 
Partial Attribute Set is the subset of the full set of attributes defined in 
the AD schema, which are populated into the GC, to reduce the sheer size and 
volume of data the GC holds.  Anyway...

That doesn't seem to help any when the LDAP lookup is using port 389 and not 
port 3268, and the lookup is done against the DC that has the Infrastructure 
role (because Winbind decided to use that DC as the auth server), and therefore 
no copy of the GC would be available for the IDMAP_AD or IDMAP_ADEX lookup, 
even if the GC port were to be used. 

Can anyone recommend a specific way to configure a multi-domain 
parent-child-domain forest using idmap_ad, where the RFC2307 attributes will be 
used to IDMAP the UID/GID to the user/group?  I'd try 

Re: [Samba] Recommended configuration for AD forest with childdomains

2011-09-20 Thread Gémes Géza
On 2011-09-20 23:16, Jim Stalewski wrote:
> > > Greetings,
> > >
> > > I have had Samba/Winbind/Kerberos single-sign-on authentication
> > > working for a few years now, for a single domain, and it works great.
> > > It pulls the RFC2307 populated attributes just like you'd expect, and
> > > people get the IDs mapped according to their attributes in AD.
> > >
> > > This works for version 3.2.7 and 3.4.3.  I had to give the domain's
> > > Domain Users group a gid in the range of the idmap config range in
> > > order for it to work in 3.4.3 because for some unexplained reason, you
> > > have to be a member of domain users in order for winbind to even look
> > > at your rfc2307 attributes, but that's another complaint/bug/feature.
> > >
> > > I have tried it with 3.5x and 3.6.0, and can't get it to work no
> > > matter how I tweak smb.conf.
> > >
> > > I am in a multi-domain AD forest, in a child domain.  I need to be
> > > able to give the same single sign-on access to people that live in the
> > > parent domain as well as the peer domain, and since AD has the whole
> > > transitive trust thing, there should be no trust issues.
> > >
> > > I can list all of the users in each domain and all of the groups in
> > > each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through
> > > whatever mechanism it uses, can see all of them.
> > >
> > > However, to look at the RFC2307 attributes to determine whether or not
> > > they should be enumerated with getent group or getent passwd, it
> > > appears the idmap_ad process uses LDAP lookup on the authentication
> > > server to find whether the rfc2307 attributes have been populated.  I
> > > don't know if this is the problem or not, but some observations:
> > >
> > > LDAP access to AD, when done on the LDAP port 389, will automatically
> > > set the search base to the domain.  This precludes any lookup of
> > > people not in that domain.
> > >
> > > The lookup that is done is done against whatever AD server answers the
> > > knock on the door, whether it has a replica of the Global Catalog or
> > > not, so if by luck of the draw your domain's Infrastructure master is
> > > used as the authentication server, there's no GC to look against, even
> > > if Winbind didn't default to port 389 and looked at port 3268 (the GC
> > > port) to do its idmap lookup.
> > >
> > > So, given those observations, exactly how would someone configure
> > > Samba/Winbind to do SSO authentication using AD RFC2307 in a
> > > multi-domain parent/child domain AD forest such that you could have
> > > people authenticating from the Samba server's domain as well as the
> > > other trusted domains in the forest?
> > >
> > > I have made sure that the GC included attributes have the necessary
> > > RFC2307 attributes included.  They're not by default so you have to
> > > make sure they do get populated into the GC (at least according to the
> > > idmap_adex man page)
> > >
> > > Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but
> > > although the users/groups enumerate just fine with wbinfo, I am not
> > > getting any idmapping through NSS.  I have seen comments that
> > > idmap_adex' features were being rolled into idmap_ad (no need to have
> > > more than one idmap for a given infrastructure) but no word as to when
> > > that will happen for Samba 3, if at all, or what us poor
> > > multi-domain-forest suckers like me are supposed to do in the meantime.
> > > Thanks,
> > >
> > > Jim.
> >
> > You could try to switch to idmap_adex which was created explicitly to
> > answer the multidomain forest problem. Please read
> > http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html
> > before trying to deploy as it needs schema modifications for AD: Note
> > that you must add the uidNumber, gidNumber, and uid attributes to the
> > partial attribute set of the forest global catalog servers. This can
> > be done using the Active Directory Schema Management MMC plugin
> > (schmmgmt.dll)..
> >
> > Good Luck!
> >
> > Geza
>
> Geza,
>
> Thanks for the quick response, but I have already tried idmap_adex, and as I
> stated already, we have already added the rfc2307 attributes to the GC
> partial attribute set per the idmap_adex man page.
>
> It's not a schema change, by the way - the Windows 2003R2 AD schema already
> has the RFC2307 attributes.  What has to change is that those attributes have
> to be included in the Global Catalog, as they are not included there by
> default.  The Partial Attribute Set is the subset of the full set of
> attributes defined in the AD schema, which are populated into the GC, to
> reduce the sheer size and volume of data the GC holds.  Anyway...
>
> That doesn't seem to help any when the LDAP lookup is using port 389 and not
> port 3268, and the lookup is done against the DC that has the Infrastructure
> role (because Winbind decided to use that DC as the auth server), and
> therefore no copy of the GC would be available for the IDMAP_AD or IDMAP_ADEX
> lookup, even if the GC port were to be used.
>
> Can anyone recommend a specific way to configure a multi-domain
> parent-child-domain forest using idmap_ad, where the RFC2307 attributes will
> be used to IDMAP the UID/GID to the user/group?  I'd try idmap_adex 

[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Rusty Russell
The branch, master has been updated
   via  92c022f tdb2: allow readonly changes even while holding locks.
  from  da5224a s3:dbwrap_ctdb: skip the internal __db_sequence_number__ 
key from (persistent) traverse and traverse_read

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 92c022f04392e731ee1e5389ed021b54317da141
Author: Rusty Russell ru...@rustcorp.com.au
Date:   Tue Sep 20 12:02:43 2011 +0930

tdb2: allow readonly changes even while holding locks.

This happens in SAMBA with the TDB_VERSION1, presumably due to a
read-only traverse nested inside a normal traverse (since it doesn't
occur without TDB_VERSION1).

Signed-off-by: Rusty Russell ru...@rustcorp.com.au

Signed-off-by: Rusty Russell ru...@rustcorp.com.au
(Imported from CCAN commit 24e5ddb143fb5e79112649472258f5da67cc7362)

Autobuild-User: Rusty Russell ru...@rustcorp.com.au
Autobuild-Date: Tue Sep 20 09:35:10 CEST 2011 on sn-devel-104

---

Summary of changes:
 lib/tdb2/tdb.c |   10 --
 1 files changed, 0 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tdb2/tdb.c b/lib/tdb2/tdb.c
index 9447816..6f38244 100644
--- a/lib/tdb2/tdb.c
+++ b/lib/tdb2/tdb.c
@@ -369,16 +369,6 @@ static bool readonly_changable(struct tdb_context *tdb, 
const char *caller)
 caller);
return false;
}
-
-   if (tdb-file-allrecord_lock.count != 0
-   || tdb-file-num_lockrecs != 0) {
-   tdb-last_error = tdb_logerr(tdb, TDB_ERR_EINVAL,
-TDB_LOG_USE_ERROR,
-%s: can't change
- TDB_RDONLY holding locks,
-caller);
-   return false;
-   }
return true;
 }
 
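Review bot: The check dropped from readonly_changable() refused a TDB_RDONLY change whenever allrecord_lock.count or num_lockrecs was non-zero, and the hunk removes it for every caller, while the commit message only says the failure is "presumably" caused by a read-only traverse nested inside a normal traverse under TDB_VERSION1. Before relaxing this globally I would like the cause confirmed and a comment left in readonly_changable() stating why flipping the read-only state is safe while locks are held. If only the nested-traverse case needs it, narrow the exemption to that case rather than deleting the guard.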


-- 
Samba Shared Repository


autobuild: intermittent test failure detected

2011-09-20 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2011-09-20-1247/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba3.stderr
   http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba4.stderr
   http://git.samba.org/autobuild.flakey/2011-09-20-1247/samba4.stdout
  
The top commit at the time of the failure was:

commit 92c022f04392e731ee1e5389ed021b54317da141
Author: Rusty Russell ru...@rustcorp.com.au
Date:   Tue Sep 20 12:02:43 2011 +0930

tdb2: allow readonly changes even while holding locks.

This happens in SAMBA with the TDB_VERSION1, presumably due to a
read-only traverse nested inside a normal traverse (since it doesn't
occur without TDB_VERSION1).

Signed-off-by: Rusty Russell ru...@rustcorp.com.au

Signed-off-by: Rusty Russell ru...@rustcorp.com.au
(Imported from CCAN commit 24e5ddb143fb5e79112649472258f5da67cc7362)

Autobuild-User: Rusty Russell ru...@rustcorp.com.au
Autobuild-Date: Tue Sep 20 09:35:10 CEST 2011 on sn-devel-104


[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Andrew Tridgell
The branch, master has been updated
   via  0167b04 s4-drs: allow replication of the GC partial attribute set
  from  92c022f tdb2: allow readonly changes even while holding locks.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0167b0447fa679ceaf322633e3170f43fde4b740
Author: Andrew Tridgell tri...@samba.org
Date:   Tue Sep 20 15:15:36 2011 +1000

s4-drs: allow replication of the GC partial attribute set

when a DC has the GUID_DRS_GET_FILTERED_ATTRIBUTES right on a NC, we
need to allow it to replicate if all the attributes it is asking for
are in the GC partial attribute set

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Tue Sep 20 13:47:38 CEST 2011 on sn-devel-104

---

Summary of changes:
 source4/rpc_server/drsuapi/getncchanges.c |  100 +++--
 1 files changed, 95 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/rpc_server/drsuapi/getncchanges.c 
b/source4/rpc_server/drsuapi/getncchanges.c
index ca24b3d..61a6002 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1162,20 +1162,90 @@ static WERROR 
dcesrv_drsuapi_is_reveal_secrets_request(struct drsuapi_bind_state
}
}
 
+   if (req10-partial_attribute_set_ex) {
+   /* check the extended attributes they asked for */
+   for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) {
+   const struct dsdb_attribute *sa;
+   sa = dsdb_attribute_by_attributeID_id(schema, 
req10-partial_attribute_set_ex-attids[i]);
+   if (sa == NULL) {
+   return WERR_DS_DRA_SCHEMA_MISMATCH;
+   }
+   if (!dsdb_attr_in_rodc_fas(sa)) {
+   *is_secret_request = true;
+   return WERR_OK;
+   }
+   }
+   }
+
+   *is_secret_request = false;
+   return WERR_OK;
+}
+
+/*
+  see if this getncchanges request is only for attributes in the GC
+  partial attribute set
+ */
+static WERROR dcesrv_drsuapi_is_gc_pas_request(struct drsuapi_bind_state 
*b_state,
+  struct 
drsuapi_DsGetNCChangesRequest10 *req10,
+  bool *is_gc_pas_request)
+{
+   enum drsuapi_DsExtendedOperation exop;
+   uint32_t i;
+   struct dsdb_schema *schema;
+
+   exop = req10-extended_op;
+
+   switch (exop) {
+   case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+   case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+   case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+   case DRSUAPI_EXOP_FSMO_REQ_PDC:
+   case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+   case DRSUAPI_EXOP_REPL_SECRET:
+   *is_gc_pas_request = false;
+   return WERR_OK;
+   case DRSUAPI_EXOP_REPL_OBJ:
+   case DRSUAPI_EXOP_NONE:
+   break;
+   }
+
+   if (req10-partial_attribute_set == NULL) {
+   /* they want it all */
+   *is_gc_pas_request = false;
+   return WERR_OK;
+   }
+
+   schema = dsdb_get_schema(b_state-sam_ctx, NULL);
+
/* check the attributes they asked for */
-   for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) {
+   for (i=0; ireq10-partial_attribute_set-num_attids; i++) {
const struct dsdb_attribute *sa;
-   sa = dsdb_attribute_by_attributeID_id(schema, 
req10-partial_attribute_set_ex-attids[i]);
+   sa = dsdb_attribute_by_attributeID_id(schema, 
req10-partial_attribute_set-attids[i]);
if (sa == NULL) {
return WERR_DS_DRA_SCHEMA_MISMATCH;
}
-   if (!dsdb_attr_in_rodc_fas(sa)) {
-   *is_secret_request = true;
+   if (!sa-isMemberOfPartialAttributeSet) {
+   *is_gc_pas_request = false;
return WERR_OK;
}
}
 
-   *is_secret_request = false;
+   if (req10-partial_attribute_set_ex) {
+   /* check the extended attributes they asked for */
+   for (i=0; ireq10-partial_attribute_set_ex-num_attids; i++) {
+   const struct dsdb_attribute *sa;
+   sa = dsdb_attribute_by_attributeID_id(schema, 
req10-partial_attribute_set_ex-attids[i]);
+   if (sa == NULL) {
+   return WERR_DS_DRA_SCHEMA_MISMATCH;
+   }
+   if (!sa-isMemberOfPartialAttributeSet) {
+   *is_gc_pas_request = false;
+   return WERR_OK;
+   }
+  
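Review bot: In dcesrv_drsuapi_is_gc_pas_request() the early returns with WERR_DS_DRA_SCHEMA_MISMATCH leave *is_gc_pas_request unwritten, and since this flag feeds the decision to allow replication it should fail closed: set *is_gc_pas_request = false at the top of the function so a caller that reads it after an error never sees an uninitialised value. The result of dsdb_get_schema() is also passed straight to dsdb_attribute_by_attributeID_id() with no check visible in this hunk. The loops over partial_attribute_set and partial_attribute_set_ex are the same apart from the set they walk, so a small helper taking the attid array and count would remove the duplication. The changeset is truncated at this point, so the caller of the new function is not visible for review.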

[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Günther Deschner
The branch, master has been updated
   via  8dda773 s3-docs: document -k switch in net manpage.
  from  0167b04 s4-drs: allow replication of the GC partial attribute set

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8dda773bd7eea1d163282b1f3c5e90cbff8a1003
Author: Günther Deschner g...@samba.org
Date:   Tue Sep 20 14:13:36 2011 +0200

s3-docs: document -k switch in net manpage.

Guenther

Autobuild-User: Günther Deschner g...@samba.org
Autobuild-Date: Tue Sep 20 15:47:00 CEST 2011 on sn-devel-104

---

Summary of changes:
 docs-xml/manpages-3/net.8.xml |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages-3/net.8.xml b/docs-xml/manpages-3/net.8.xml
index 6e6b7e3..754fd43 100644
--- a/docs-xml/manpages-3/net.8.xml
+++ b/docs-xml/manpages-3/net.8.xml
@@ -61,6 +61,7 @@
 
variablelist
stdarg.help;
+   stdarg.kerberos;

varlistentry
term-w target-workgroup/term


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  02a08d5 s4:ntvfs common - remove two outdated function prototypes
   via  7c44039 s4:ntvfs common - add UTIL_TDB and tdb-wrap as internal 
build dependency
   via  5347074 s4:param/pyparam.c - suppress P_SEP compilation warning
  from  8dda773 s3-docs: document -k switch in net manpage.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 02a08d5cd5f2a57e51fffd2a10b6ee8f797df9e0
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Tue Sep 20 18:38:54 2011 +0200

s4:ntvfs common - remove two outdated function prototypes

The two functions don't exist anymore.

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org
Autobuild-Date: Tue Sep 20 20:16:29 CEST 2011 on sn-devel-104

commit 7c44039f483802c04611abaf11e0b421716e632b
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Tue Sep 20 15:04:54 2011 +0200

s4:ntvfs common - add UTIL_TDB and tdb-wrap as internal build dependency

These modules are required for both header and source code files (see
bug #8468).

Reviewed-by: Jelmer

commit 5347074c4e458e077e2833170e2b122494037552
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Tue Sep 20 14:32:52 2011 +0200

s4:param/pyparam.c - suppress P_SEP compilation warning

Reviewed-by: Jelmer

---

Summary of changes:
 source4/ntvfs/common/brlock.h  |3 ---
 source4/ntvfs/common/opendb.h  |1 -
 source4/ntvfs/common/wscript_build |1 +
 source4/param/pyparam.c|4 ++--
 4 files changed, 3 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/ntvfs/common/brlock.h b/source4/ntvfs/common/brlock.h
index 703538f..650136b 100644
--- a/source4/ntvfs/common/brlock.h
+++ b/source4/ntvfs/common/brlock.h
@@ -51,8 +51,5 @@ struct brlock_ops {
  int *count);
 };
 
-
 void brlock_set_ops(const struct brlock_ops *new_ops);
 void brl_tdb_init_ops(void);
-void brl_ctdb_init_ops(void);
-
diff --git a/source4/ntvfs/common/opendb.h b/source4/ntvfs/common/opendb.h
index 446df17..1bfc6aa 100644
--- a/source4/ntvfs/common/opendb.h
+++ b/source4/ntvfs/common/opendb.h
@@ -57,4 +57,3 @@ struct opendb_oplock_break {
 
 void odb_set_ops(const struct opendb_ops *new_ops);
 void odb_tdb_init_ops(void);
-void odb_ctdb_init_ops(void);
diff --git a/source4/ntvfs/common/wscript_build 
b/source4/ntvfs/common/wscript_build
index 4977b70..b16f8fa 100644
--- a/source4/ntvfs/common/wscript_build
+++ b/source4/ntvfs/common/wscript_build
@@ -3,6 +3,7 @@
 bld.SAMBA_SUBSYSTEM('ntvfs_common',
source='init.c brlock.c brlock_tdb.c opendb.c opendb_tdb.c notify.c',
autoproto='proto.h',
+   deps='UTIL_TDB tdb-wrap',
public_deps='NDR_OPENDB NDR_NOTIFY sys_notify sys_lease share'
)
 
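Review bot: the commit message says UTIL_TDB and tdb-wrap are needed by the header files as well as the sources, yet they are added as `deps=` rather than to `public_deps=` on the following line; if any of those headers is included by code outside `ntvfs_common`, the dependency should be public so that consumers pick it up as well.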
diff --git a/source4/param/pyparam.c b/source4/param/pyparam.c
index 663ed84..d5049d7 100644
--- a/source4/param/pyparam.c
+++ b/source4/param/pyparam.c
@@ -143,8 +143,8 @@ static PyObject *py_lp_ctx_get_helper(struct 
loadparm_context *lp_ctx, const cha
   PyString_FromString(strlist[j]));
return pylist;
}
-
-   break;
+case P_SEP:
+   return NULL; /* this stands for a separator, can be ignored */
 }
 return NULL;
 
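Review bot: the new `case P_SEP:` returns NULL, which is exactly what the `return NULL;` directly after the switch already does, so `case P_SEP: break;` with the same comment would silence the warning without adding a second exit path for the same result.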


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Volker Lendecke
The branch, master has been updated
   via  9881712 s3: Further fix for bug 8338
   via  37b9753 Fix some typos
   via  cb2fe8b s3: Fix typos
  from  02a08d5 s4:ntvfs common - remove two outdated function prototypes

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9881712a09b2579047dcca6c22f9e919029455d4
Author: Volker Lendecke v...@samba.org
Date:   Tue Sep 20 22:45:52 2011 +0200

s3: Further fix for bug 8338

OS/X can not deal with a 10-vwv read on normal files.

Autobuild-User: Volker Lendecke vlen...@samba.org
Autobuild-Date: Wed Sep 21 00:51:08 CEST 2011 on sn-devel-104

commit 37b9753096f20087bf3bf9f8454b99302eebdfd2
Author: Volker Lendecke v...@samba.org
Date:   Mon Sep 19 01:41:27 2011 +0200

Fix some typos

commit cb2fe8bafc738acdec35d4061a94c9767847e9ae
Author: Volker Lendecke v...@samba.org
Date:   Mon Sep 19 00:02:55 2011 +0200

s3: Fix typos

---

Summary of changes:
 docs-xml/smbdotconf/misc/rpcserver.xml |   11 ---
 source3/libsmb/clireadwrite.c  |   11 +--
 2 files changed, 13 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/misc/rpcserver.xml 
b/docs-xml/smbdotconf/misc/rpcserver.xml
index 6984668..fcc63fe 100644
--- a/docs-xml/smbdotconf/misc/rpcserver.xml
+++ b/docs-xml/smbdotconf/misc/rpcserver.xml
@@ -15,7 +15,7 @@
para
This option can be set for each available rpc service in Samba.
The following list shows all available pipe names services you
-   can modify with this options.
+   can modify with this option.
/para
 
itemizedlist
@@ -50,19 +50,16 @@
 
para
Choosing the emphasisexternal/emphasis option allows to run
-   separate daemon or even a completely independent (3rd party)
+   a separate daemon or even a completely independent (3rd party)
server capable of interfacing with samba via the MS-RPC
interface over named pipes.
/para
 
para
-   Currently in Samba3 we support thre daemons, spoolssd, epmd and
+   Currently in Samba3 we support three daemons, spoolssd, epmd and
lsasd. These daemons can be enabled using the
emphasisrpc_daemon/emphasis option. For spoolssd you have
-   to to enable the deamon and proxy the named pipe with:
-   Currently in Samba3 we support thre daemons, spoolssd, epmd and
-   lsasd. These daemons can be enabled using the
-   emphasisrpc_daemon/emphasis option.
+   to to enable the daemon and proxy the named pipe with:
/para
 
para
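Review bot: the replacement line `to to enable the daemon and proxy the named pipe with:` fixes "deamon" but keeps the doubled "to"; drop one while the line is being touched. In the paragraph above, "allows to run a separate daemon" would also read better as "allows you to run a separate daemon".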
diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index 1ee2196..e8c9017 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -155,10 +155,17 @@ struct tevent_req *cli_read_andx_create(TALLOC_CTX 
*mem_ctx,
SSVAL(state-vwv + 8, 0, 0);
SSVAL(state-vwv + 9, 0, 0);
 
-   if ((uint64_t)offset  32) {
+   if (cli_state_capabilities(cli)  CAP_LARGE_FILES) {
SIVAL(state-vwv + 10, 0,
  (((uint64_t)offset)32)  0x);
-   wct += 2;
+   wct = 12;
+   } else {
+   if uint64_t)offset)  0xLL) != 0) {
+   DEBUG(10, (cli_read_andx_send got large offset where 
+  the server does not support it\n));
+   tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+   return tevent_req_post(req, ev);
+   }
}
 
subreq = cli_smb_req_create(state, ev, cli, SMBreadX, 0, wct,
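Review bot: the branch that sets `wct = 12` whenever `CAP_LARGE_FILES` is negotiated has no comment saying why the 12-word form is now sent even for offsets that fit in 32 bits; the reason exists only in the commit message (OS/X can not deal with a 10-vwv read on normal files) and belongs next to the code. The new DEBUG text names `cli_read_andx_send`, while the hunk header shows this is `cli_read_andx_create`; use the actual function name or `__func__` so the log line points at the right place.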


-- 
Samba Shared Repository


[SCM] CTDB repository - branch master updated - ctdb-1.11-63-g3d37be3

2011-09-20 Thread Ronnie Sahlberg
The branch, master has been updated
   via  3d37be3e2bfb61ede824028aeebaa18ba304faae (commit)
  from  8a86ac72088ad9f64ca83218c704f84c9abe00b6 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master


- Log -
commit 3d37be3e2bfb61ede824028aeebaa18ba304faae
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Wed Sep 21 11:42:19 2011 +1000

when checking that the interfaces exist in ctdb_add_public_address()
can't talloc off vnn since it is not yet initialized and might not always be 
NULL

---

Summary of changes:
 server/ctdb_takeover.c |6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c
index 4114b40..29f7acd 100644
--- a/server/ctdb_takeover.c
+++ b/server/ctdb_takeover.c
@@ -880,15 +880,15 @@ static int ctdb_add_public_address(struct ctdb_context 
*ctdb,
int i;
int ret;
 
-   tmp = talloc_strdup(vnn, ifaces);
+   tmp = strdup(ifaces);
for (iface = strtok(tmp, ,); iface; iface = strtok(NULL, ,)) {
if (!ctdb_sys_check_iface_exists(iface)) {
DEBUG(DEBUG_CRIT,(Interface %s does not exist. Can not 
add public-address : %s\n, iface, ctdb_addr_to_str(addr)));
-   talloc_free(tmp);
+   free(tmp);
return -1;
}
}
-   talloc_free(tmp);
+   free(tmp);
 
/* Verify that we dont have an entry for this ip yet */
for (vnn=ctdb-vnn;vnn;vnn=vnn-next) {
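Review bot: `tmp = strdup(ifaces);` is handed to `strtok()` without a NULL check; if the allocation fails, `strtok(NULL, ",")` works on stale or undefined tokeniser state instead of the interface list. Check `tmp` and return -1 with a DEBUG message before entering the loop.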


-- 
CTDB repository


[SCM] Samba Shared Repository - branch master updated

2011-09-20 Thread Jeremy Allison
The branch, master has been updated
   via  ad3ac7e Try and fix bug #8472 - Crash in asn.1 parsing code.
  from  9881712 s3: Further fix for bug 8338

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ad3ac7e3c0bdf9b93c6b831f29452fd63fe0818b
Author: Jeremy Allison j...@samba.org
Date:   Tue Sep 20 18:50:00 2011 -0700

Try and fix bug #8472 - Crash in asn.1 parsing code.

Found by Codenomicon at the SNIA plugfest. Don't keep going
in the loop when reading the OIDs fails.

Autobuild-User: Jeremy Allison j...@samba.org
Autobuild-Date: Wed Sep 21 05:24:59 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/libsmb/clispnego.c |7 ++-
 1 files changed, 6 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 4581ce4..d584f9f 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -126,7 +126,12 @@ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
asn1_start_tag(data,ASN1_CONTEXT(0));
asn1_start_tag(data,ASN1_SEQUENCE(0));
for (i=0; asn1_tag_remaining(data)  0  i  ASN1_MAX_OIDS-1; i++) {
-   asn1_read_OID(data,ctx, OIDs[i]);
+   if (!asn1_read_OID(data,ctx, OIDs[i])) {
+   break;
+   }
+   if (data-has_error) {
+   break;
+   }
}
OIDs[i] = NULL;
asn1_end_tag(data);
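Review bot: after either `break` the code falls through to `OIDs[i] = NULL;` and `asn1_end_tag(data);` with the parser already in an error state, and nothing in the visible lines makes `spnego_parse_negTokenInit()` return false for that case; please confirm that `data->has_error` is checked after the loop and that the OIDs read so far are freed on that path. The second test is redundant if `asn1_read_OID()` returns false whenever it sets `has_error`, so one of the two checks could be dropped or given a comment explaining why both are needed.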


-- 
Samba Shared Repository


[SCM] CTDB repository - branch master updated - ctdb-1.11-64-gb963f5e

2011-09-20 Thread Ronnie Sahlberg
The branch, master has been updated
   via  b963f5e40b1e73a60363568da88557cad9e58a28 (commit)
  from  3d37be3e2bfb61ede824028aeebaa18ba304faae (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master


- Log -
commit b963f5e40b1e73a60363568da88557cad9e58a28
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Wed Sep 21 15:41:28 2011 +1000

Change the 'This Node' column of the machinereadable output for 'ctdb 
status -Y' to Y/N instead of 1/0

1/0 is unsuitable since it can be useful to check 'if a column is 1 there 
is something wrong with that node'

---

Summary of changes:
 tools/ctdb.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/tools/ctdb.c b/tools/ctdb.c
index fc281e4..876521a 100644
--- a/tools/ctdb.c
+++ b/tools/ctdb.c
@@ -651,7 +651,7 @@ static int control_status(struct ctdb_context *ctdb, int 
argc, const char **argv
talloc_free(ifaces);
}
}
-   printf(:%d:%s:%d:%d:%d:%d:%d:%d:%d:%d:\n, 
nodemap-nodes[i].pnn,
+   printf(:%d:%s:%d:%d:%d:%d:%d:%d:%d:%c:\n, 
nodemap-nodes[i].pnn,
ctdb_addr_to_str(nodemap-nodes[i].addr),
   
!!(nodemap-nodes[i].flagsNODE_FLAGS_DISCONNECTED),
   !!(nodemap-nodes[i].flagsNODE_FLAGS_BANNED),
@@ -660,7 +660,7 @@ static int control_status(struct ctdb_context *ctdb, int 
argc, const char **argv
   !!(nodemap-nodes[i].flagsNODE_FLAGS_STOPPED),
   !!(nodemap-nodes[i].flagsNODE_FLAGS_INACTIVE),
   partially_online,
-  (nodemap-nodes[i].pnn == mypnn));
+  (nodemap-nodes[i].pnn == mypnn)?'Y':'N');
}
return 0;
}
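Review bot: switching the last field from `%d` to `%c` with `'Y'`/`'N'` changes the machine-readable format of `ctdb status -Y`, so any script that tests the 'This Node' column for 1 or 0 will stop matching; the change needs a matching update to the documentation of the -Y output and to any in-tree scripts that parse it. The format string and its argument are edited in two separate hunks, so double-check that the `%c` conversion lines up with the `?'Y':'N'` argument that follows `partially_online`.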


-- 
CTDB repository