Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

2012-03-19 Thread Andreas Oster
On 18.03.2012 16:19, steve wrote:
 On 17/03/12 18:00, Andreas Oster wrote:
 I want to achieve the following:

 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
 2) allow Windows machines (joined to AD) to update their own entries

 2 - already works with the configuration from samba wiki

 Thank you for your kind help

 best regards

 Andreas

 Hi
 I'm not sure if this is what you mean but we have a lan of windows and
 linux clients under s4. Both win and Linux clients get their IP via
 dhcp. You can see the Kerberos dialogue reveal the IP when the box first
 connects. It is a different IP after each boot. So, if Linux counts as
 non windows, then yes, it works. We did nothing apart from adding the
 dlz stuff to bind.
 Cheers,
 Steve
 
Hi all,

does nobody have the same requirements regarding the dynamic DNS updates ?

I know this setup would somehow circumvent the security efforts behind
the kerberos stuff, but I personally prefer to have security at L2, with
for example 802.1X, and allow the DHCP server to update name records in
the DNS database.

kind regards

Andreas

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] max path length - ExcludeProfileDirs not sufficient - temporary profile

2012-03-19 Thread L . P . H . van Belle
 
Hi, 

Did you try, 

1) login on the pc.
2) remove the profile from the network. 
3) logout and reboot the computer.
4) and login again.

Does this work ? 


-Original message-
From: stefan.ba...@cubewerk.de 
[mailto:samba-boun...@lists.samba.org] On behalf of Stefan Bauer
Sent: 2012-03-14 19:20
To: samba@lists.samba.org
Subject: [Samba] max path length - ExcludeProfileDirs not 
sufficient - temporary profile

Good evening dear users and developers,

I'm using samba 3.5.6 on Debian Squeeze as Domain-Controller 
for several Windows XP clients. Config below.

One user installed a software with settings in
C:\documents and settings\martin\.vkbstandalone/.metadata/.plugins/de.vkb.standalone.tomcat/work/catalina/localhost/eba_standalone_web/org/apache/jsp/jsp/composite/angebot/angebot zum versicherungsnehmer/html/angaben zum versicherungsn
Indeed quite a long path so i expected problems and used a 
patch to not sync this specific folder .vkbstandalone to the server ...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
ParseAutoexec=1
ExcludeProfileDirs=Lokale Einstellungen;Temporary Internet Files;Verlauf;Temp;.vkbstandalone
BuildNumber=dword:0a28

That works - this path is not synced. Now the strange part:

Even though this path is not synced, windows complains about 
it cannot find the path and serves a temporary profile - WHY?!

This path is locally available.

snippets from config:

domain logons = Yes
workgroup = FSH

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
browseable = No

[profiles]
comment = Users profiles
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
browseable = No

I would really appreciate any hints and ideas.

Regards

Stefan


[Samba] Cifs mount in samba

2012-03-19 Thread Андрей Гребенников

Hi people!
Help me please with a cifs mount in samba. When I mount a cifs resource 
to a folder which is a part of samba share, users get all folders in it 
as zero files. They press F5 or refresh, and folders become ordinary 
ones. The issue repeats with all folders inside it. How to resolve this 
issue?


--
Faithfully,

Andrey Grebennikov



Re: [Samba] Cifs mount in samba

2012-03-19 Thread Nico Kadel-Garcia
2012/3/19 Андрей Гребенников grebenni...@sarenergo.ru

 Hi people!
 Help me please with a cifs mount in samba. When I mount a cifs resource to
 a folder which is a part of samba share, users get all folders in it as
 zero files. They press F5 or refresh, and folders become ordinary ones. The
 issue repeats with all folders inside it. How to resolve this issue?


My car makes a funny noise: what's wrong with it?

Seriously, you're missing a lot of information. What version of Samba are
you using? What CIFS client, Windows, Linux, or something else? And what
you mean by mount a CIFS resource to a folder which is a part of a samba
share is a bit unclear. Describe the exact process.




Re: [Samba] Cifs mount in samba

2012-03-19 Thread John Drescher
 Hi people!
 Help me please with a cifs mount in samba. When I mount a cifs resource to a
 folder which is a part of samba share, users get all folders in it as zero
 files. They press F5 or refresh, and folders become ordinary ones. The issue
 repeats with all folders inside it. How to resolve this issue?


I would use a dfs link inside your share instead.

John


[Samba] samba over nfs mount and free space problem

2012-03-19 Thread Alex Mestiashvili
Hi All,

I see a strange behavior with samba server and nfs mounts.

We have a number of shares mounted via nfs on the samba server.

When I connect from apple mac computers to a samba share which is an nfs
mountpoint, the free space of the share is reported as zero.
And obviously Finder is not able to copy anything to the share because
it thinks that there is no free space left.
But copy from the terminal works fine!

In case when samba share is a local filesystem everything works just fine.

I tried max disk size option, but it didn't work for NFS, but worked
for a local filesystem.
Didn't work means that available space was reported as zero and I
couldn't copy file to the share.
That's why I think that the problem is somehow samba related and not the
apple software.

dfree command also didn't help.

Why there is a difference between the way free space is calculated
between nfs and local filesystems ?
And what else can I try to workaround this problem ?

here is the output of smbd -b
http://www.biotec.tu-dresden.de/~alex/smb_build_options.txt

Thank you in advance,
Alex






Re: [Samba] samba over nfs mount and free space problem

2012-03-19 Thread Volker Lendecke
On Mon, Mar 19, 2012 at 03:55:44PM +0100, Alex Mestiashvili wrote:
 dfree command also didn't help.

The dfree command should always help. You could fake 100GB
free space always.

Volker


Re: [Samba] some questions about CTDB

2012-03-19 Thread Michael Adam
jintao chen wrote:
 Hello, Michael

Hi, and sorry for the delay...

 I deployed two nodes with ctdb for HA solution, and I used smbpasswd
 -a ctdbuser01 to create a new user in node1, it was shown correctly
 in node1:
 # pdbedit -L
 ctdbuser01:501:
 
 but it was showing something wrong through node2:
 # pdbedit -L
 ctdbuser01:4294967295:
 
 # pdbedit -Lv
 ---
 Unix username:ctdbuser01
 NT username:
 Account Flags:[U  ]
 User SID: S-1-5-21-3030760710-2492829195-736885294-1000
 pdb_get_group_sid: Failed to find Unix account for ctdbuser01
 Primary Group SID:(NULL SID)
 
 what can I do for this?

Well, for a samba user in passdb.tdb, you still need the unix
user underneath. For a normal (non-clustered) samba server you
can create the unix users automatically when adding the samba
user with the help of a add user script configured in smb.conf.

I assume that in your case you either had a unix user pre-created
or used a add user script - right?

In a ctdb-cluster, the passdb.tdb is automatically synchronized
in the cluster, but the unix users aren't. This is the reason
why you have the proper user on one node, and the same user
does not exist (uid = -1) on the other node.

Now you have three options in principle to fix that:

1. use a domain and make your samba server a member.
   this removes the need of maintaining local users in the
   cluster.
   This is the most common mode by far.

2. use an external user database: ldap
   this can definitely be done. Setup is like for a
   non-clustered server.

3. establish a mechanism that keeps the unix users and
   groups in sync on the nodes. (i.e. including uids/gids).
   This needs to be done on creation time. So concurrent
   creations on different nodes don't create conflicts.
   I have never set up something like that and I have never
   heard of such a setup either.

I hope this helps.

Cheers - Michael




Re: [Samba] samba over nfs mount and free space problem

2012-03-19 Thread Alex Mestiashvili

On 03/19/2012 08:35 PM, Volker Lendecke wrote:

On Mon, Mar 19, 2012 at 03:55:44PM +0100, Alex Mestiashvili wrote:

dfree command also didn't help.

The dfree command should always help. You could fake 100GB
free space always.

Volker

Hi,

that is my dfree command ( I added simple logging )

#!/bin/sh
# print total and available 1K blocks for the directory smbd passes as $1
/usr/sbin/df -k "$1" | /usr/bin/tail -1 | /opt/csw/bin/gawk '{print $2" "$4}'
/bin/echo "$1" | /usr/bin/logger -t smbd_dfree_args -p local7.notice
/bin/echo `pwd` | /usr/bin/logger -t smbd_dfree_cwd -p local7.notice

the output is like that :
$/usr/local/bin/dfree
629145600 354102404

df output for nfs share looks like that:

df -k | head -1
Filesystem            kbytes    used   avail capacity  Mounted on

cd /home/mygroup/myuser
df -k .
nfsserver:/users/myuser
 629145600 275043196 354102404 44%
/home/mygroup/myuser



df -k for local fs:

localzfs/users/myuser
 1948778496 42750990 914183310 5%
/home/mygroup/myuser


nevertheless when I access nfs share via samba I get no free space .
with local fs it is ok .
The same happens in windows when one maps a network drive.

I will check again tomorrow, but maybe I am missing something simple 
and obvious?


Thank you,
Alex

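As an added example (not part of the thread and not Samba's own code): a dfree script of the kind discussed above, which finds the total and available columns relative to the capacity field so that a df line wrapped after a long NFS device name still parses. smbd expects the total and available block counts on stdout, in 1024-byte blocks unless a third number gives another block size; the names parse_df and dfree and the logger tag are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a dfree helper for the smb.conf
# "dfree command" option. smbd reads "<total> <available>" from stdout,
# counted in 1024-byte blocks unless a third number gives another block size.

# parse_df: read `df -k` output on stdin, print "<total_kb> <avail_kb>".
# Fields are located relative to the "NN%" capacity column instead of by
# fixed position, so a long device name that df puts on a line of its own
# (common for NFS sources) does not shift the columns.
parse_df() {
    awk '
        NR > 1 { for (i = 1; i <= NF; i++) f[++n] = $i }   # skip header row
        END {
            for (i = n; i >= 4; i--)
                if (f[i] ~ /^[0-9]+%$/) { c = i; break }
            if (!c || f[c-3] !~ /^[0-9]+$/ || f[c-1] !~ /^[0-9]+$/)
                exit 1                                     # unparseable
            print f[c-3], f[c-1]                           # kbytes, avail
        }'
}

# dfree: what smbd would call; $1 is the directory being queried.
dfree() {
    dir=${1:-.}
    out=$(df -k "$dir" 2>/dev/null | parse_df) || {
        # Log the failure instead of handing smbd an empty answer.
        logger -t smbd_dfree -p local7.notice "df parse failed for $dir" 2>/dev/null
        return 1
    }
    printf '%s\n' "$out"
}

# Run only when installed under a name starting with "dfree"
# (for example /usr/local/bin/dfree, the path used in the thread).
case "${0##*/}" in
    dfree*) dfree "$@" ;;
esac
```
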

Re: [Samba] Cifs mount in samba

2012-03-19 Thread Андрей Гребенников

I'm sorry, I understand that I didn't describe the process.

Well, I have a windows file server which shares its resources, for 
example \\windowsserver\share. This folder includes others like 
share\folders\1\ and share\folders\2\. Windows users can see them correctly.
I have a remote linux server, which is a file server too, and it shares 
its resource, which looks like \\linuxserver\Everyone.
I try to mount the \\windowsserver\share\folders to one folder which is 
inside the Everyone, for example /mnt/Everyone/Remote, as cifs. At the 
end of these steps the user lists the share \\linuxserver\Everyone\Remote 
and sees two zero files 1 and 2. Then he refreshes the folder by F5 and 
these files transform to folders. This issue happens with all folders 
inside the Remote folder. Afterwards users see these folders correctly until I 
restart the samba service.



19.03.2012 16:09, Nico Kadel-Garcia wrote:
2012/3/19 Андрей Гребенников grebenni...@sarenergo.ru


Hi people!
Help me please with a cifs mount in samba. When I mount a cifs
resource to a folder which is a part of samba share, users get all
folders in it as zero files. They press F5 or refresh, and folders
become ordinary ones. The issue repeats with all folders inside
it. How to resolve this issue?

My car makes a funny noise: what's wrong with it?
Seriously, you're missing a lot of information. What version of Samba 
are you using? What CIFS client, Windows, Linux, or something else? 
And what you mean by mount a CIFS resource to a folder which is a 
part of a samba share is a bit unclear. Describe the exact process.





--
Faithfully,
Andrey Grebennikov


[SCM] Samba Shared Repository - branch v3-6-test updated

2012-03-19 Thread Karolin Seeger
The branch, v3-6-test has been updated
   via  8c4491c Fix bug #8807 - dcerpc_lsa_lookup_sids_noalloc() crashes 
when groups has more than 1000 groups
  from  14fe979 Revert s3: Add sys_statvfs() wrapper support for 
OpenBSD/FreeBSD/DragonFly.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -
commit 8c4491c6ad126771eafa8ea0f54f733f52437a10
Author: Christian Ambach a...@samba.org
Date:   Tue Mar 13 10:07:11 2012 -0700

Fix bug #8807 - dcerpc_lsa_lookup_sids_noalloc() crashes when groups has 
more than 1000 groups

Use correct talloc hierarchy.

Signed-off-by: Jeremy Allison j...@samba.org
(cherry picked from commit 7936fb0ab8c3413768e83975c9d8544d653ee13c)

---

Summary of changes:
 source3/rpc_client/cli_lsarpc.c |   10 +++---
 1 files changed, 7 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index e599571..99e0262 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -166,6 +166,8 @@ NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client 
*cli,
 
 static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
   TALLOC_CTX *mem_ctx,
+  TALLOC_CTX *domains_ctx,
+  TALLOC_CTX *names_ctx,
   struct policy_handle *pol,
   int num_sids,
   const struct dom_sid *sids,
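Review bot: the new domains_ctx and names_ctx parameters in the dcerpc_lsa_lookup_sids_noalloc() signature are undocumented and sit directly after mem_ctx with the same type, so a caller cannot tell which context owns what. Add a short comment above the function stating that domains_ctx and names_ctx are the talloc parents for the strings stored in domains[] and names[], and what mem_ctx is still used for.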
@@ -287,7 +289,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct 
dcerpc_binding_handle *h,
name = lsa_names.names[i].name.string;
 
if (name) {
-   (names)[i] = talloc_strdup(names, name);
+   (names)[i] = talloc_strdup(names_ctx, name);
if ((names)[i] == NULL) {
DEBUG(0, 
(cli_lsa_lookup_sids_noalloc(): out of memory\n));
*presult = NT_STATUS_UNSUCCESSFUL;
@@ -296,7 +298,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct 
dcerpc_binding_handle *h,
} else {
(names)[i] = NULL;
}
-   domains[i] = talloc_strdup(domains,
+   domains[i] = talloc_strdup(domains_ctx,
   dom_name ? dom_name : );
(types)[i] = lsa_names.names[i].sid_type;
if (((domains)[i] == NULL)) {
@@ -394,6 +396,8 @@ static NTSTATUS dcerpc_lsa_lookup_sids_generic(struct 
dcerpc_binding_handle *h,
 
status = dcerpc_lsa_lookup_sids_noalloc(h,
mem_ctx,
+   (TALLOC_CTX *)domains,
+   (TALLOC_CTX *)names,
pol,
hunk_num_sids,
hunk_sids,
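Review bot: the casts in (TALLOC_CTX *)domains and (TALLOC_CTX *)names at this call site are unnecessary, because TALLOC_CTX is a typedef for void and any object pointer converts implicitly; drop them. A one-line comment here would also help, saying that the array bases are passed as talloc parents because hunk_domains and hunk_names are advanced by hunk_num_sids on every pass of the loop and therefore stop pointing at the start of the allocation after the first hunk.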
@@ -433,7 +437,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_generic(struct 
dcerpc_binding_handle *h,
}
 
sids_left -= hunk_num_sids;
-   sids_processed += hunk_num_sids; /* only used in DEBUG */
+   sids_processed += hunk_num_sids;
hunk_sids += hunk_num_sids;
hunk_domains += hunk_num_sids;
hunk_names += hunk_num_sids;
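Review bot: removing the /* only used in DEBUG */ comment on the sids_processed line is unrelated to the talloc parent fix and is not mentioned in the commit message. Either leave the comment alone in this commit or say where sids_processed is now read, since none of the visible hunks uses it.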


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-6-test updated

2012-03-19 Thread Karolin Seeger
The branch, v3-6-test has been updated
   via  5ca1ff3 v3-6-test: Further fix for bug 8338
  from  8c4491c Fix bug #8807 - dcerpc_lsa_lookup_sids_noalloc() crashes 
when groups has more than 1000 groups

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -
commit 5ca1ff390843e2a0c217a3627297d7af4eadd50d
Author: Volker Lendecke v...@samba.org
Date:   Tue Sep 20 22:45:52 2011 +0200

v3-6-test: Further fix for bug 8338

OS/X can not deal with a 10-vwv read on normal files.

Autobuild-User: Volker Lendecke vlen...@samba.org
Autobuild-Date: Wed Sep 21 00:51:08 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/libsmb/clireadwrite.c |   11 +--
 1 files changed, 9 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index 83531a5..a32f078 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -133,10 +133,17 @@ struct tevent_req *cli_read_andx_create(TALLOC_CTX 
*mem_ctx,
SSVAL(state-vwv + 8, 0, 0);
SSVAL(state-vwv + 9, 0, 0);
 
-   if ((uint64_t)offset  32) {
+   if (cli-capabilities  CAP_LARGE_FILES) {
SIVAL(state-vwv + 10, 0,
  (((uint64_t)offset)32)  0x);
-   wct += 2;
+   wct = 12;
+   } else {
+   if uint64_t)offset)  0xLL) != 0) {
+   DEBUG(10, (cli_read_andx_send got large offset where 
+  the server does not support it\n));
+   tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+   return tevent_req_post(req, ev);
+   }
}
 
subreq = cli_smb_req_create(state, ev, cli, SMBreadX, 0, wct,
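Review bot: the new CAP_LARGE_FILES branch sets wct = 12 for every read, including offsets that fit in 32 bits, and nothing in the code says why; the reason exists only in the commit message (OS/X can not deal with a 10-vwv read on normal files). Put that in a comment above the branch so the unconditional 12-word form is not changed back to wct += 2 later. The nested if inside the else block can also be flattened to a single else if.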




[SCM] Samba Shared Repository - branch v3-5-test updated

2012-03-19 Thread Karolin Seeger
The branch, v3-5-test has been updated
   via  81703ab v3-6-test: Further fix for bug 8338
  from  38bfe91 WHATSNEW: Update 3.5.13 release notes.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit 81703ab7528055bbae8306d2c9a8314316107f85
Author: Volker Lendecke v...@samba.org
Date:   Tue Sep 20 22:45:52 2011 +0200

v3-6-test: Further fix for bug 8338

OS/X can not deal with a 10-vwv read on normal files.

Autobuild-User: Volker Lendecke vlen...@samba.org
Autobuild-Date: Wed Sep 21 00:51:08 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/libsmb/clireadwrite.c |   13 +
 1 files changed, 9 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index 724c846..b80151e 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -88,7 +88,6 @@ struct tevent_req *cli_read_andx_create(TALLOC_CTX *mem_ctx,
 {
struct tevent_req *req, *subreq;
struct cli_read_andx_state *state;
-   bool bigoffset = False;
uint8_t wct = 10;
 
if (size  cli_read_max_bufsize(cli)) {
@@ -115,11 +114,17 @@ struct tevent_req *cli_read_andx_create(TALLOC_CTX 
*mem_ctx,
SSVAL(state-vwv + 8, 0, 0);
SSVAL(state-vwv + 9, 0, 0);
 
-   if ((uint64_t)offset  32) {
-   bigoffset = true;
+   if (cli-capabilities  CAP_LARGE_FILES) {
SIVAL(state-vwv + 10, 0,
  (((uint64_t)offset)32)  0x);
-   wct += 2;
+   wct = 12;
+   } else {
+   if uint64_t)offset)  0xLL) != 0) {
+   DEBUG(10, (cli_read_andx_send got large offset where 
+  the server does not support it\n));
+   tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+   return tevent_req_post(req, ev);
+   }
}
 
subreq = cli_smb_req_create(state, ev, cli, SMBreadX, 0, wct,
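Review bot: the DEBUG text in the new else branch names cli_read_andx_send, but the hunk header shows this code is in cli_read_andx_create(); use the real function name (or __func__) so the level 10 log line points at the right place. The subject also still reads "v3-6-test: Further fix for bug 8338" although this commit is on the v3-5-test branch, which is worth correcting when backporting.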




[SCM] Samba Shared Repository - branch v3-6-test updated

2012-03-19 Thread Karolin Seeger
The branch, v3-6-test has been updated
   via  2815036 Fix bug #8797 - Samba does not correctly handle DENY ACEs 
when privileges apply. Signed-off-by: Jeremy Allison j...@samba.org (cherry 
picked from commit 9aafc490db58017133bbd7a7f49264ee0d48f0ff)
  from  5ca1ff3 v3-6-test: Further fix for bug 8338

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -
commit 28150366a958a3133dc8e418695b914f2ff3f472
Author: Richard Sharpe realrichardsha...@gmail.com
Date:   Fri Mar 9 14:54:38 2012 -0800

Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges 
apply. Signed-off-by: Jeremy Allison j...@samba.org (cherry picked from 
commit 9aafc490db58017133bbd7a7f49264ee0d48f0ff)

---

Summary of changes:
 libcli/security/access_check.c |   54 ---
 1 files changed, 28 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index a9b618f..d9f6293 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -178,38 +178,12 @@ NTSTATUS se_access_check(const struct security_descriptor 
*sd,
bits_remaining));
}
 
-   /* s3 had this with #if 0 previously. To be sure the merge
-  doesn't change any behaviour, we have the above #if check
-  on _SAMBA_BUILD_. */
-   if (access_desired  SEC_FLAG_SYSTEM_SECURITY) {
-   if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
-   bits_remaining = ~SEC_FLAG_SYSTEM_SECURITY;
-   } else {
-   return NT_STATUS_PRIVILEGE_NOT_HELD;
-   }
-   }
-
/* the owner always gets SEC_STD_WRITE_DAC and SEC_STD_READ_CONTROL */
if ((bits_remaining  (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL)) 
security_token_has_sid(token, sd-owner_sid)) {
bits_remaining = ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL);
}
 
-   /* TODO: remove this, as it is file server specific */
-   if ((bits_remaining  SEC_RIGHTS_PRIV_RESTORE) 
-   security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-   bits_remaining = ~(SEC_RIGHTS_PRIV_RESTORE);
-   }
-   if ((bits_remaining  SEC_RIGHTS_PRIV_BACKUP) 
-   security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-   bits_remaining = ~(SEC_RIGHTS_PRIV_BACKUP);
-   }
-
-   if ((bits_remaining  SEC_STD_WRITE_OWNER) 
-security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
-   bits_remaining = ~(SEC_STD_WRITE_OWNER);
-   }
-
/* a NULL dacl allows access */
if ((sd-type  SEC_DESC_DACL_PRESENT)  sd-dacl == NULL) {
*access_granted = access_desired;
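Review bot: the SEC_FLAG_SYSTEM_SECURITY block removed here ran before the "a NULL dacl allows access" branch, which sets *access_granted = access_desired. With the check moved below the DACL walk, please confirm that a request for SEC_FLAG_SYSTEM_SECURITY against a descriptor with a NULL DACL still ends in NT_STATUS_PRIVILEGE_NOT_HELD when the token lacks SEC_PRIV_SECURITY; if that branch returns early, the privilege test is now skipped. A test case for exactly that combination would settle it.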
@@ -247,6 +221,34 @@ NTSTATUS se_access_check(const struct security_descriptor 
*sd,
 
bits_remaining |= explicitly_denied_bits;
 
+   /*
+* We check privileges here because they override even DENY entries.
+*/
+
+   /* Does the user have the privilege to gain SEC_PRIV_SECURITY? */
+   if (bits_remaining  SEC_FLAG_SYSTEM_SECURITY) {
+   if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
+   bits_remaining = ~SEC_FLAG_SYSTEM_SECURITY;
+   } else {
+   return NT_STATUS_PRIVILEGE_NOT_HELD;
+   }
+   }
+
+   /* TODO: remove this, as it is file server specific */
+   if ((bits_remaining  SEC_RIGHTS_PRIV_RESTORE) 
+   security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+   bits_remaining = ~(SEC_RIGHTS_PRIV_RESTORE);
+   }
+   if ((bits_remaining  SEC_RIGHTS_PRIV_BACKUP) 
+   security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+   bits_remaining = ~(SEC_RIGHTS_PRIV_BACKUP);
+   }
+
+   if ((bits_remaining  SEC_STD_WRITE_OWNER) 
+security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
+   bits_remaining = ~(SEC_STD_WRITE_OWNER);
+   }
+
 done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
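Review bot: the comment "Does the user have the privilege to gain SEC_PRIV_SECURITY?" names the privilege where it means the access bit; the question is whether SEC_PRIV_SECURITY grants SEC_FLAG_SYSTEM_SECURITY. The block also sits directly above the done: label, so any goto done taken earlier in se_access_check() bypasses the privilege override; say in the new comment which exits are meant to skip it. Note there as well that the test changed from access_desired to bits_remaining, since that changes when NT_STATUS_PRIVILEGE_NOT_HELD is returned.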




[SCM] Samba Shared Repository - branch master updated

2012-03-19 Thread Jeremy Allison
The branch, master has been updated
   via  0902392 s3-winbindd Only use SamLogonEx when we can get unencrypted 
session keys
  from  ee0e1ca s4:selftest: add test for samba-tool group list

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0902392413dcbd8bedcb7c42d86497d671ba1e0f
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Dec 15 10:00:36 2011 +1100

s3-winbindd Only use SamLogonEx when we can get unencrypted session keys

This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksummed.

The check comes from the fact that the credentials chain is tied to
the session key, and so if the credentials check passes then the
netlogon session key will be correct, and so the user session key
will be correctly decrypted.

Andrew Bartlett

Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User: Jeremy Allison j...@samba.org
Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104

---

Summary of changes:
 source3/winbindd/winbindd_pam.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b7aec20..6757f36 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1246,7 +1246,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct 
winbindd_domain *domain,
domain-can_do_validation6 = false;
}
 
-   if (domain-can_do_samlogon_ex) {
+   if (domain-can_do_samlogon_ex  domain-can_do_validation6) {
result = rpccli_netlogon_sam_network_logon_ex(
netlogon_pipe,
mem_ctx,
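Review bot: the added can_do_validation6 test on the SamLogonEx condition has no comment, and the reasoning is only in the commit message (the RC4 cipher is not checksummed, so the credentials chain is the only check on the returned session keys). Add that as a comment above the if: the context line just before it shows can_do_validation6 being set to false inside this retry loop, and a reader needs to know that this deliberately stops the loop from using SamLogonEx.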
@@ -1256,7 +1256,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct 
winbindd_domain *domain,
domainname, /* target domain */
workstation,/* workstation */
chal,
-   domain-can_do_validation6 ? 6 : 3,
+   6,
lm_response,
nt_response,
info3);
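Review bot: the literal 6 that replaces the ternary is the validation level and is only correct together with the can_do_validation6 test a few lines up. A named constant or a trailing comment such as /* validation level */ would keep the two from drifting apart if the condition is edited again.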

