[Samba] Server authentication
Hello, I can't find any precise technical information about how the client computer in Windows domain (NT,AD) verifies the identity of the PDC. Can you please point me to any source of relevant information or give me a brief explanation? Situation: I'm going to replace a Windows Server 2003 PDC with samba. I've successfully extracted the PDC's ldap contents (with ldifde tool) and account passwords (ntds.dit and system hive copied, data extracted, all password hashes cracked). Problem description: If I install samba3 as PDC, populate LDAP with the data dumped from WS, copy the users' data and shut down the old PDC, would the client computers notice the change? Would I have to re-add all the computers to the new PDC or not? i.e. would the users notice the server change or not? I'm interested in behavior of Win XP, Vista, 7 and I can't install samba4. Thank you for any suggestions and pointing to further reading. M. Prymek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Server authentication
Hi

On 19 August 2013 09:58, Miroslav Prýmek m.pry...@gmail.com wrote:

> Hello, I can't find any precise technical information about how the client computer in Windows domain (NT,AD) verifies the identity of the PDC. Can you please point me to any source of relevant information or give me a brief explanation?
>
> Situation: I'm going to replace a Windows Server 2003 PDC with samba. I've successfully extracted the PDC's ldap contents (with ldifde tool) and account passwords (ntds.dit and system hive copied, data extracted, all password hashes cracked).
>
> Problem description: If I install samba3 as PDC, populate LDAP with the data dumped from WS, copy the users' data and shut down the old PDC, would the client computers notice the change? Would I have to re-add all the computers to the new PDC or not? i.e. would the users notice the server change or not?

I believe that once a Windows client has been joined to an AD domain it will not work with that domain converted to an NT-style domain. (e.g. if you had upgraded a Samba 3 PDC to a Samba 4 AD DC and your clients interacted with the new DC, you would no longer be able to shut down the Samba 4 DC and boot up the Samba 3 PDC and still have the clients working properly without rejoining them to the domain.) At least that's the impression I got from previous discussions on the Samba lists.

So I think you would have to rejoin all the machines to the domain.

> I'm interested in behavior of Win XP, Vista, 7 and I can't install samba4. Thank you for any suggestions and pointing to further reading.
>
> M. Prymek

--
Michael Wood esiot...@gmail.com
Re: [Samba] /var/lock/samba filling up /run/lock
Thanks Achim, especially for pointing out where we can set the size of /run/lock and have it stick after a reboot. We hadn't gotten that far yet, but we did expand the size of /run/lock on Friday by hand and do some testing. We ended up chasing an unrelated wild goose, but realized this morning that simply expanding /run/lock does look like a viable workaround.

Also, in exploring the problem, we're seeing about 300KB being chewed up in /run/lock with every new user that logs in. To be clear, this only seems to happen the first time a user logs in. I'm not sure if that is a symptom of a problem, or just normal operation.

We've also noticed that a version of Samba 4 built from source taken from the Git repository puts its lock files under /usr/local/samba, completely avoiding the problem. Since the Sernet packages use /run/lock, I imagine this will be a problem for anyone with more than about a dozen users. They might want to point Samba somewhere else to store its locks.

Mark A. Fox, M.Sc.
Director of Technology
East Central Alberta Catholic Schools
Cell: 403-740-6101
Office: 780-842-3992

On Fri, Aug 16, 2013 at 6:28 PM, Achim Gottinger ac...@ag-web.biz wrote:

> On 16.08.2013 17:49, Mark Fox wrote:
>
> > A couple of days ago, we noticed the following message appearing in syslog:
> >
> > Aug 14 15:09:35 zadok smbd[16067]: tdb(/var/lock/samba/locking.tdb): expand_file write of 8192 bytes failed (No space left on device)
>
> Had this issue on my debian setup. /run/lock is a tmpfs volume. Its size is defined in /etc/defaults/tmpfs on debian. I increased it from 5 to 50Mib (LOCK_SIZE=52428800) and had no issues since.
>
> achim+
>
> > Mark
[Samba] Samba 4.0.8 on RHEL 6.2 how to grant permissions via Windows to unix users/groups?
I have built from source Samba 4.0.8 on RHEL 6.2. I want users to be able to change permissions via Windows, but I don't see how to do that for the unix users and groups in the Windows permission screens.

When I create a folder, for example, and right-click to get properties and click on the security tab I can see under Group or user names: Everyone, kallbac (Unix User\kallbac) and blah (Unix Group \blah)

However, when I click edit and try to add additional permissions I have our ADS server as the default "from this location" option and can change that to the server running Samba. However, I cannot select any groups using this option -- none are returned and I get "An object named blah cannot be found…" even though the group is returned with getent group.

I am wondering if there is a problem between the usern...@ads.iu.edu returned from getent vs. the unix username that appears in the Windows permission, but I don't know how to resolve that. Any ideas? Additional info below, let me know if something else is useful.

Thanks,
Kristy

I have a GPFS share with the following smb.conf settings:

    [gpfs_export]
        comment = gpfs export
        path = /gpfs/gpfs_export
        public = yes
        writable = yes
        printable = no
        vfs objects = gpfs fileid
        idmap backend = tdb2
        fileid:mapping = fsname
        gpfs:sharemodes = No
        force unknown acl user = yes
        nfs4: mode = special
        nfs4: chown = yes
        nfs4: acedup = merge

I am using Kerberos/AD to authenticate and can connect to the share. Relevant settings are:

    workgroup = ADS
    security = ADS
    realm = ADS.IU.EDU
    password server = ads.iu.edu

passwd and groups should be coming from files and ldap per nsswitch.conf:

    passwd: files ldap
    group: files ldap

For my own account I see:

    getent passwd | grep kallbac
    kallbac:{KERBEROS}kall...@ads.iu.edu:12108:236:Kristy Kallback-Rose:/N/u/kallbac:
Re: [Samba] Samba4 + Winbind + PAM Installation/Configuration
I am just starting on samba too, but I think it is normal to have lots of "not found". You have to pay attention to the features you want, though. You might need the libpam0g-dev package for PAM support (at least that is the one for Debian) and you can also consider libacl-dev for ACL support (changing permissions for a share on windows, for example).

On Sun, Aug 18, 2013 at 11:38 AM, Andreas Krupp andreaskr...@akrupp.ch wrote:

> Hi,
>
> I have not set any home var yet in my smb.conf. If you're asking for that, I am probably missing a lot of important parameters. Below my smb.conf for the moment:
>
>     # Global parameters
>     [global]
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.HOME
>         netbios name = DC
>         server role = active directory domain controller
>         dns forwarder = 10.33.66.99
>         template shell = /bin/bash
>         wins support = yes
>
>     [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/mydomain.home/scripts
>         read only = No
>
>     [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> Otherwise I checked for all the lines during ./configure that mention "not found"... I have more than 100 of these. Is that normal? Among the things missing are e.g. ldap, pam_start, NFS QUOTAS, and lots of other stuff...
>
> I tried to follow the list of packages to install on the Samba4 Wiki for CentOS but it seems, that is not really enough, is it?
>
> Cheers best,
> Andreas
>
> On 16 August 2013 08:37, Daniel Müller has written:

--
Thiago Fernandes Crepaldi (aka Crepaldi)
Re: [Samba] Windows 7 on startup always loads temporary profiles samba 3.4.8
I think it's not a samba problem. After a long search and trying, thank god, I found the solution: the client can't write to its home profile and read it, so you just give it permission for the profile directory:

    chmod 777 -R /home

Best regards
[Samba] samba-tool classicupgrade throws uncaught exception
I have a new server running CentOS 6.4 x64, which will serve as our new Samba4 server. It is set up in a test environment, and I've copied over the tdb files and the smb.conf file from our samba3 server (Same OS and version). I'm trying to do an in-place upgrade on the copied files, but keep hitting an assert / uncaught exception during the upgrade: # /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf Reading smb.conf Provisioning Exporting account policy Exporting groups Exporting users Ignoring group memberships of 'testuser' S-1-5-21-XX-1065: Unable to enumerate group memberships, (-1073741724,No such user) Skipping wellknown rid=501 (for username=nobody) Ignoring group memberships of 'TEST-PC$' S-1-5-21-XX-1097: Unable to enumerate group memberships, (-1073741724,No such user) Ignoring group memberships of 'testuser2' S-1-5-21-XX-1075: Unable to enumerate group memberships, (-1073741724,No such user) Next rid = 9001 Exporting posix attributes Reading WINS database Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=mydomain,DC=com Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Setting acl on sysvol skipped Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com Creating DomainDnsZones and ForestDnsZones partitions Populating 
DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Setting up fake yp server settings Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: myserver NetBIOS Domain:MYDOMAIN DNS Domain:mydomain.com DOMAIN SID:S-1-5-21-XX Importing WINS database Importing Account policy Importing idmap database ERROR(assert): uncaught exception File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run return self.run(*args, **kwargs) File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 868, in upgrade_from_samba3 import_idmap(result.idmap, samba3, logger) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 214, in import_idmap samba3_idmap = samba3.get_idmap_db() File /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py, line 402, in get_idmap_db return IdmapDatabase(self.statedir_path(winbindd_idmap.tdb)) File /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py, line 59, in __init__ self._check_version() File /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py, line 142, in _check_version assert fetch_int32(self.tdb, IDMAP_VERSION\0) == IDMAP_VERSION_V2 The error indicates an idmap problem, so on advise of another poster, I renamed my winbindd_idmap.tdb file, then tried again (after deleting the generated tdb files and smb.conf). This, however, caused another error: ... ... 
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory Importing groups Could not add group name=Domain Admins ((68, samldb: Account name (sAMAccountName) 'Domain Admins' already in use!)) Could not modify AD idmap entry for sid=S-1-5-21-XX-1057, id=502, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-XX-1057' not found)) Could not add posix attrs for AD entry for sid=S-1-5-21-XX-1057, ((32, Base-DN 'SID=S-1-5-21-XX-1057' not found)) Could not add group name=Domain Users ((68, samldb: Account name (sAMAccountName) 'Domain Users' already in use!)) Could not modify AD idmap entry for sid=S-1-5-21-XX-1066, id=100, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-XX-1066' not found)) Could not add posix attrs for AD entry for sid=S-1-5-21-XX-1066, ((32, Base-DN 'SID=S-1-5-21-XX-1066' not found)) Importing users User root has been kept in the directory, it should
[Samba] Is kerberos authentication against AD possible without joining the domain?
On CentOS (and presumably RHEL), the authconfig tool can set up kerberos authentication via PAM so that locally added users can be authenticated at the shell/ssh level if the password they use succeeds for the matching user name in Active Directory - and this works without joining the linux box to the domain.

Now I'd like those linux users to be able to map their home directories from a windows box using that same password. Is this possible without joining the linux host to the active directory domain? I don't care if they have to re-enter the password instead of using their domain credentials directly, I just don't want to have to maintain a local password on the linux side for people who already exist in AD. And I don't want to join the domain.

--
Les Mikesell lesmikes...@gmail.com
[Samba] rpcclient netshareenum 502 causes SEGV
Hello:

I have a Windows 2003 Server that is causing rpcclient to SEGV via the following command:

    $ rpcclient -U Administrator%foobar -c 'netshareenum 502' server
    ...
    type: 0x6269: SEC_DESC_OWNER_DEFAULTED SEC_DESC_DACL_DEFAULTED SEC_DESC_SACL_DEFAULTED SEC_DESC_DACL_TRUSTED SEC_DESC_SACL_AUTO_INHERIT_REQ SEC_DESC_SACL_PROTECTED SEC_DESC_RM_CONTROL_VALID SACL
    Segmentation fault (core dumped)

I did a little poking and it seems that the issue is here:

source3/rpcclient/cmd_srvsvc.c (lines 384-387):

    case 502:
        for (i = 0; i < totalentries; i++)
            display_share_info_502(&info_ctr.ctr.ctr502->array[i]);
        break;

Sorry for the formatting.

But the NDR code yanks out 35 SHARE_INFO_502 entries but the array size NDR code calculates only 34. Since totalentries is one entry too big, it causes rpcclient to go past the end of the ctr502 array and SEGV. See here:

    (gdb) p *info_ctr.ctr.ctr502
    $9 = { count = 34, array = 0x67a140 }
    (gdb) p totalentries
    $10 = 35

Commit history shows that when the specific enum shares got unionized this loop changed to use totalentries instead of ctr.num_entries, which without looking into it might have been equivalent to count.

It would seem to me that totalentries really has to be bounds checked here else you can fall into this trap. I know this is ugly, but couldn't something be done like offsetof(ctr.share.infoXX, count) to verify that the array size and total entries match. Or perhaps even better check this bounds condition during the NDR pull out unmarshalling code? (that is what I would vote for since it puts less of a burden on the callee but there may be cases where knowing the total entries vs what is in the array is useful, not sure...).

I am by no means a Samba expert but any insight into this issue would be greatly appreciated.

Cheers!

-aps
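Added example (not part of the original post and not Samba's code): the mismatch reported above, reduced to a self-contained C program that bounds the loop by the count stored with the array and treats the separately reported total as a diagnostic only. The struct, enum and function names are hypothetical stand-ins, and the reply data is constructed to match the gdb values (count = 34, totalentries = 35).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the unmarshalled reply; NOT Samba's real types. */
struct share_info_502 {
    const char *name;
};

struct share_ctr_502 {
    uint32_t count;                /* elements actually present in array */
    struct share_info_502 *array;  /* may be NULL when count == 0 */
};

enum ctr_check {
    CTR_OK = 0,
    CTR_TOTAL_MISMATCH,  /* totalentries != count: usable, worth reporting */
    CTR_INVALID          /* no container, or count > 0 with no array */
};

/* Validate the container against the separately reported total. */
enum ctr_check check_share_ctr(const struct share_ctr_502 *ctr,
                               uint32_t totalentries)
{
    if (ctr == NULL)
        return CTR_INVALID;
    if (ctr->count > 0 && ctr->array == NULL)
        return CTR_INVALID;
    if (totalentries != ctr->count)
        return CTR_TOTAL_MISMATCH;
    return CTR_OK;
}

/*
 * Print every entry the reply really contains and return how many were
 * printed. The loop bound is ctr->count, the length that travels with the
 * array; totalentries is used only for the diagnostic line.
 */
size_t display_shares_checked(const struct share_ctr_502 *ctr,
                              uint32_t totalentries, FILE *out)
{
    enum ctr_check rc = check_share_ctr(ctr, totalentries);
    uint32_t i;

    if (rc == CTR_INVALID)
        return 0;
    if (rc == CTR_TOTAL_MISMATCH)
        fprintf(out, "note: totalentries=%u but reply holds %u entries\n",
                (unsigned)totalentries, (unsigned)ctr->count);
    for (i = 0; i < ctr->count; i++)
        fprintf(out, "netname: %s\n", ctr->array[i].name);
    return ctr->count;
}

/* Constructed reply with the values from the gdb session: 34 vs 35. */
size_t demo_mismatched_reply(void)
{
    static char names[34][16];
    static struct share_info_502 shares[34];
    struct share_ctr_502 ctr = { 34, shares };
    uint32_t i;

    for (i = 0; i < 34; i++) {
        snprintf(names[i], sizeof(names[i]), "share%02u", (unsigned)i);
        shares[i].name = names[i];
    }
    /* The original loop would have read shares[34] here. */
    return display_shares_checked(&ctr, 35, stdout);
}

/* Constructed malformed reply: claims one entry but carries no array. */
size_t demo_missing_array(void)
{
    struct share_ctr_502 ctr = { 1, NULL };
    return display_shares_checked(&ctr, 1, stdout);
}

int main(void)
{
    printf("displayed %zu entries\n", demo_mismatched_reply());
    printf("displayed %zu entries\n", demo_missing_array());
    return 0;
}
```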
Re: [Samba] rpcclient netshareenum 502 causes SEGV
On Mon, Aug 19, 2013 at 6:21 PM, pisymbol . pisym...@gmail.com wrote:

> Hello:
>
> I have a Windows 2003 Server that is causing rpcclient to SEGV via the following command:
>
>     $ rpcclient -U Administrator%foobar -c 'netshareenum 502' server
>     ...
>     type: 0x6269: SEC_DESC_OWNER_DEFAULTED SEC_DESC_DACL_DEFAULTED SEC_DESC_SACL_DEFAULTED SEC_DESC_DACL_TRUSTED SEC_DESC_SACL_AUTO_INHERIT_REQ SEC_DESC_SACL_PROTECTED SEC_DESC_RM_CONTROL_VALID SACL
>     Segmentation fault (core dumped)
>
> I did a little poking and it seems that the issue is here:
>
> source3/rpcclient/cmd_srvsvc.c (lines 384-387):
>
>     case 502:
>         for (i = 0; i < totalentries; i++)
>             display_share_info_502(&info_ctr.ctr.ctr502->array[i]);
>         break;
>
> Sorry for the formatting.
>
> But the NDR code yanks out 35 SHARE_INFO_502 entries but the array size NDR code calculates only 34. Since totalentries is one entry too big, it causes rpcclient to go past the end of the ctr502 array and SEGV. See here:
>
>     (gdb) p *info_ctr.ctr.ctr502
>     $9 = { count = 34, array = 0x67a140 }
>     (gdb) p totalentries
>     $10 = 35
>
> Commit history shows that when the specific enum shares got unionized this loop changed to use totalentries instead of ctr.num_entries, which without looking into it might have been equivalent to count.
>
> It would seem to me that totalentries really has to be bounds checked here else you can fall into this trap. I know this is ugly, but couldn't something be done like offsetof(ctr.share.infoXX, count) to verify that the array size and total entries match. Or perhaps even better check this bounds condition during the NDR pull out unmarshalling code? (that is what I would vote for since it puts less of a burden on the callee but there may be cases where knowing the total entries vs what is in the array is useful, not sure...).
>
> I am by no means a Samba expert but any insight into this issue would be greatly appreciated.

Uh crap my bad, this is Fedora 13 x86-64, 3.6 stable.

-aps
Re: [Samba] Is kerberos authentication against AD possible without joining the domain?
On Mon, 2013-08-19 at 17:17 -0500, Les Mikesell wrote:

> On CentOS (and presumably RHEL), the authconfig tool can set up kerberos authentication via PAM so that locally added users can be authenticated at the shell/ssh level if the password they use succeeds for the matching user name in Active Directory - and this works without joining the linux box to the domain.
>
> Now I'd like those linux users to be able to map their home directories from a windows box using that same password. Is this possible without joining the linux host to the active directory domain? I don't care if they have to re-enter the password instead of using their domain credentials directly, I just don't want to have to maintain a local password on the linux side for people who already exist in AD. And I don't want to join the domain.

As you have found out, you can do this with pam_krb5 but you have no assurance that the AD DC is indeed the AD DC, as there is no local cryptographic material (the machine account password) with which to verify the ticket. If 'something' issues a ticket, then the user will be authenticated. This is not secure.

That is why windows workstations and linux workstations should both be joined to the domain.

As to, one way or other using this password to map a directory, look into things like pam_mount. The login will have generated a kerberos credentials cache. This doesn't change on being part of the domain or not.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
[Samba] Samba 4.0.5 User who has same password then Administrator authenticated as Administrator.
Hi list!

I use samba 4.0.5 as ADDC and I have more shares. Everything is great but I have a share permission problem. There are some users who have the same password as Administrator; they are authenticated as Administrator on shares. These users don't have permission to these shares.

For example:

    Administrator's pass is 123uberpass
    user1's pass is 123uberpass too

I log on to win2k8r2 (simple domain member client) (with RDP) as user1, and I try to open a share which has permission only for Administrator; it SUCCEEDS. And syslog shows:

    mydc smbd_audit: MYDOMAIN\Administrator|192.168.1.249|open|ok|r|.

(Administrator instead of user1!)

Then I change the password for user1 to 123otherpass, and I try to open a share which has permission only for Administrator; it is DENIED. (this is good)

When I change user1's password back to the same as Admin's pass, share access SUCCEEDS again. And so on...

What could be the problem? Thanks for replies, and excuse me for my bad English.

Regards.
Re: [Samba] Is kerberos authentication against AD possible without joining the domain?
On Mon, Aug 19, 2013 at 5:40 PM, Andrew Bartlett abart...@samba.org wrote:

> > On CentOS (and presumably RHEL), the authconfig tool can set up kerberos authentication via PAM so that locally added users can be authenticated at the shell/ssh level if the password they use succeeds for the matching user name in Active Directory - and this works without joining the linux box to the domain.
> >
> > Now I'd like those linux users to be able to map their home directories from a windows box using that same password. Is this possible without joining the linux host to the active directory domain? I don't care if they have to re-enter the password instead of using their domain credentials directly, I just don't want to have to maintain a local password on the linux side for people who already exist in AD. And I don't want to join the domain.
>
> As you have found out, you can do this with pam_krb5 but you have no assurance that the AD DC is indeed the AD DC, as there is no local cryptographic material (the machine account password) with which to verify the ticket. If 'something' issues a ticket, then the user will be authenticated. This is not secure.

All I want is a check that the password the user gave is correct. If it is good enough for ssh it should be good enough for samba service. (And it's all on a firewalled private network so not particularly exposed).

> That is why windows workstations and linux workstations should both be joined to the domain.

You need admin credentials for that - and the people managing the AD are all in a different group in a different office.

> As to, one way or other using this password to map a directory, look into things like pam_mount. The login will have generated a kerberos credentials cache. This doesn't change on being part of the domain or not.

I want to go the other direction - that is to have the samba server on the linux box serving the user's home directories to their windows desktop boxes using the same credentials as they'd use for shell logins. Most (maybe not all) of the windows boxes are already logged into the domain as the appropriate user, but I don't care if those domain credentials are used or not.

--
Les Mikesell lesmikes...@gmail.com
[Samba] Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE
Hi.

We are migrating from domain ad.adc.com to ad.xyz.com; there is a trust between the two domains. Before the move the file server was working perfectly. Post migration I get the following in the samba logs:

    [2013/08/19 08:07:15.961679, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 08:07:25.983662, 1] smbd/process.c:457(receive_smb_talloc)
      receive_smb_raw_talloc failed for client 192.168.01.168 read error = NT_STATUS_CONNECTION_RESET.
    [2013/08/19 11:19:26.308406, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 11:19:26.355646, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 11:19:39.835641, 1] smbd/process.c:457(receive_smb_talloc)
      receive_smb_raw_talloc failed for client 192.168.01.168 read error = NT_STATUS_CONNECTION_RESET.

And on the windows client I get prompted for username and password. It won't accept any of the ones I have provided. My workstation and the others that can't access it are all on the new domain as the file server (ad.xyz.com). I have a number of other file servers migrated to ad.xyz.com and they are fine.

I have googled and found the issue is related to Kerberos. I have updated the DNS to ensure that the server's hostname resolves correctly in both forward and reverse lookups. I have noted that /etc/krb5.conf is very different between the working servers and the broken one, but I don't know much about Kerberos so I'm lost.

I have updated to:

    pbis : 7.0.918
    samba : 3.6.6-0.129.el5
    krb5 : 1.6.1-70.el5_9.2

OS is CentOS 5.3. Clients are windows 7.

Any suggestions on how to resolve this?

Thanks
Re: [Samba] samba-tool classicupgrade throws uncaught exception
Update: I realized shortly after I sent the email that because I don't use winbind, I can (and should) delete the file winbindd_idmap.tdb. So, the second error is now the stopper. In essence, it's complaining that it can't find the user or group with sid ending in 1057. Adding users to groups ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-XXX-1002' to group 'S-1-5-21-XXX-1057' as either group or user record doesn't exist: Base-DN 'SID=S-1-5-21-XXX-1057' not found File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run return self.run(*args, **kwargs) File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 913, in upgrade_from_samba3 add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 316, in add_users_to_group raise ProvisioningError(Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s % (member_sid, group.sid, emsg)) *Scott Goodwin* IT Lead Mimic Technologies, Inc 811 First Avenue, Suite 408 | Seattle, WA 98104 phone: 1.800.918.1670 | direct: 206.456.9180 fax: 206.623.3491 | cell: 206.355.7767 On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin sc...@mimicsimulation.comwrote: I have a new server running CentOS 6.4 x64, which will serve as our new Samba4 server. It is set up in a test environment, and I've copied over the tdb files and the smb.conf file from our samba3 server (Same OS and version). 
I'm trying to do an in-place upgrade on the copied files, but keep hitting an assert / uncaught exception during the upgrade: # /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf Reading smb.conf Provisioning Exporting account policy Exporting groups Exporting users Ignoring group memberships of 'testuser' S-1-5-21-XX-1065: Unable to enumerate group memberships, (-1073741724,No such user) Skipping wellknown rid=501 (for username=nobody) Ignoring group memberships of 'TEST-PC$' S-1-5-21-XX-1097: Unable to enumerate group memberships, (-1073741724,No such user) Ignoring group memberships of 'testuser2' S-1-5-21-XX-1075: Unable to enumerate group memberships, (-1073741724,No such user) Next rid = 9001 Exporting posix attributes Reading WINS database Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=mydomain,DC=com Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Setting acl on sysvol skipped Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Setting 
up fake yp server settings Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: myserver NetBIOS Domain:MYDOMAIN DNS Domain:mydomain.com DOMAIN SID:S-1-5-21-XX Importing WINS database Importing Account policy Importing idmap database ERROR(assert): uncaught exception File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run return self.run(*args, **kwargs) File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 868, in upgrade_from_samba3 import_idmap(result.idmap, samba3, logger) File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 214, in import_idmap samba3_idmap = samba3.get_idmap_db() File
Re: [Samba] rpcclient netshareenum 502 causes SEGV
On Mon, Aug 19, 2013 at 06:21:02PM -0400, pisymbol . wrote:

Hello: I have a Windows 2003 Server that is causing rpcclient to SEGV via the following command:

    $ rpcclient -U Administrator%foobar -c 'netshareenum 502' server
    ...
    type: 0x6269: SEC_DESC_OWNER_DEFAULTED SEC_DESC_DACL_DEFAULTED SEC_DESC_SACL_DEFAULTED SEC_DESC_DACL_TRUSTED SEC_DESC_SACL_AUTO_INHERIT_REQ SEC_DESC_SACL_PROTECTED SEC_DESC_RM_CONTROL_VALID SACL
    Segmentation fault (core dumped)

I did a little poking and it seems that the issue is here:

source3/rpcclient/cmd_srvsvc.c:

    case 502:
        for (i = 0; i < totalentries;i++)
            display_share_info_502(info_ctr.ctr.ctr502->array[i]);
        break;

Sorry for the formatting. But the NDR code yanks out 35 SHARE_INFO_502 entries but the array size NDR code calculates only 34. Since totalentries is one entry too big, it causes rpcclient to go past the end of the ctr502 array and SEGV. See here:

    (gdb) p *info_ctr.ctr.ctr502
    $9 = { count = 34, array = 0x67a140 }
    (gdb) p totalentries
    $10 = 35

Commit history shows that when the specific enum shares got unionized this loop changed to use totalentries instead of ctr.num_entries, which without looking into it might have been equivalent to count.

It would seem to me that totalentries really has to be bounds checked here else you can fall into this trap. I know this is ugly, but couldn't something be done like offsetof(ctr.share.infoXX, count) to verify that the array size and total entries match. Or perhaps even better check this bounds condition during the NDR pull out unmarshalling code? (that is what I would vote for since it puts less of a burden on the callee but there may be cases where knowing the total entries vs what is in the array is useful, not sure...).

I am by no means a Samba expert but any insight into this issue would be greatly appreciated.

Can you log a bug and attach the specific packet trace that shows this problem. I'd really like to look at this in more detail.

Also, exactly what version of Samba are you running?

Jeremy.
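The mismatch discussed in this thread, reduced to a stand-alone C model (an added example, not Samba code and not part of either post). It shows both options raised above: a pull-side check that the declared count matches the bytes received, and a caller loop bounded by the container's own count. The structs, the wire layout and all function names are assumptions made for the illustration; only the values 34 and 35 come from the gdb output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the share container; NOT Samba's real types. */
#define NAME_LEN   16u
#define MAX_SHARES 64u
struct share_info { char name[NAME_LEN]; };
struct share_ctr  { uint32_t count; struct share_info *array; };
struct enum_reply { struct share_ctr ctr; uint32_t totalentries; };

/* Constructed wire layout (host-endian, not real NDR):
 *   u32 declared count | entries * NAME_LEN name bytes | u32 totalentries
 * `declared` may differ from `entries` to model a header that lies. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t entries,
                    uint32_t declared, uint32_t totalentries)
{
    size_t need;
    if (entries > MAX_SHARES) return 0;
    need = 8 + (size_t)entries * NAME_LEN;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, &declared, 4);
    for (uint32_t i = 0; i < entries; i++)
        snprintf((char *)buf + 4 + (size_t)i * NAME_LEN, NAME_LEN,
                 "share%02u", (unsigned)i);
    memcpy(buf + need - 4, &totalentries, 4);
    return need;
}

/* Pull-side check: the declared count must fit the sanity cap and must
 * account for exactly the bytes received. On success the caller owns
 * out->ctr.array and must free() it. */
int pull_reply(const uint8_t *buf, size_t len, struct enum_reply *out)
{
    uint32_t count;
    if (len < 8) return -1;
    memcpy(&count, buf, 4);
    if (count > MAX_SHARES || len != 8 + (size_t)count * NAME_LEN) return -1;
    out->ctr.array = calloc(count ? count : 1, sizeof(*out->ctr.array));
    if (out->ctr.array == NULL) return -1;
    out->ctr.count = count;
    for (uint32_t i = 0; i < count; i++)   /* copy 15 bytes, keep the NUL */
        memcpy(out->ctr.array[i].name, buf + 4 + (size_t)i * NAME_LEN,
               NAME_LEN - 1);
    memcpy(&out->totalentries, buf + len - 4, 4);
    return 0;
}

/* Elements the old loop bound (totalentries) would index past the array. */
uint32_t overrun_with_totalentries(const struct enum_reply *r)
{
    return r->totalentries > r->ctr.count ? r->totalentries - r->ctr.count : 0;
}

/* Loop bounded by the container's own count, as in the proposed fix. */
uint32_t walk_shares(const struct enum_reply *r, size_t *name_bytes)
{
    uint32_t i;
    *name_bytes = 0;
    for (i = 0; i < r->ctr.count; i++)
        *name_bytes += strlen(r->ctr.array[i].name);
    return i;
}

int main(void)
{
    uint8_t buf[8 + MAX_SHARES * NAME_LEN];
    struct enum_reply r;
    /* 34 entries unmarshalled, server total of 35: values from the thread */
    size_t bytes, n = build_sample(buf, sizeof(buf), 34, 34, 35);
    if (pull_reply(buf, n, &r) != 0) return 1;
    printf("count=%u totalentries=%u old-loop overrun=%u visited=%u\n",
           (unsigned)r.ctr.count, (unsigned)r.totalentries,
           (unsigned)overrun_with_totalentries(&r),
           (unsigned)walk_shares(&r, &bytes));
    free(r.ctr.array);
    return 0;
}
```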
Re: [Samba] rpcclient netshareenum 502 causes SEGV
On Mon, Aug 19, 2013 at 06:21:02PM -0400, pisymbol . wrote:

Hello: I have a Windows 2003 Server that is causing rpcclient to SEGV via the following command:

    $ rpcclient -U Administrator%foobar -c 'netshareenum 502' server
    ...
    type: 0x6269: SEC_DESC_OWNER_DEFAULTED SEC_DESC_DACL_DEFAULTED SEC_DESC_SACL_DEFAULTED SEC_DESC_DACL_TRUSTED SEC_DESC_SACL_AUTO_INHERIT_REQ SEC_DESC_SACL_PROTECTED SEC_DESC_RM_CONTROL_VALID SACL
    Segmentation fault (core dumped)

I did a little poking and it seems that the issue is here:

source3/rpcclient/cmd_srvsvc.c:

    case 502:
        for (i = 0; i < totalentries;i++)
            display_share_info_502(info_ctr.ctr.ctr502->array[i]);
        break;

Sorry for the formatting. But the NDR code yanks out 35 SHARE_INFO_502 entries but the array size NDR code calculates only 34. Since totalentries is one entry too big, it causes rpcclient to go past the end of the ctr502 array and SEGV. See here:

    (gdb) p *info_ctr.ctr.ctr502
    $9 = { count = 34, array = 0x67a140 }
    (gdb) p totalentries
    $10 = 35

Commit history shows that when the specific enum shares got unionized this loop changed to use totalentries instead of ctr.num_entries, which without looking into it might have been equivalent to count.

It would seem to me that totalentries really has to be bounds checked here else you can fall into this trap. I know this is ugly, but couldn't something be done like offsetof(ctr.share.infoXX, count) to verify that the array size and total entries match. Or perhaps even better check this bounds condition during the NDR pull out unmarshalling code? (that is what I would vote for since it puts less of a burden on the callee but there may be cases where knowing the total entries vs what is in the array is useful, not sure...).

I am by no means a Samba expert but any insight into this issue would be greatly appreciated.

Actually I think that totalentries is just the wrong thing to use here. Can you try the following patch to see if it fixes the problem?

Jeremy.

diff --git a/source3/rpcclient/cmd_srvsvc.c b/source3/rpcclient/cmd_srvsvc.c index 0d67639..e5fa065 100644 --- a/source3/rpcclient/cmd_srvsvc.c +++ b/source3/rpcclient/cmd_srvsvc.c @@ -273,6 +273,7 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli, WERROR result; NTSTATUS status; uint32_t totalentries = 0; + uint32_t count = 0; uint32_t resume_handle = 0; uint32_t *resume_handle_p = NULL; uint32 preferred_len = 0x, i; @@ -374,15 +375,18 @@ static WERROR cmd_srvsvc_net_share_enum_int(struct rpc_pipe_client *cli, switch (info_level) { case 1: - for (i = 0; i totalentries; i++) + count = info_ctr.ctr.ctr1-count; + for (i = 0; i count; i++) display_share_info_1(info_ctr.ctr.ctr1-array[i]); break; case 2: - for (i = 0; i totalentries; i++) + count = info_ctr.ctr.ctr2-count; + for (i = 0; i count; i++) display_share_info_2(info_ctr.ctr.ctr2-array[i]); break; case 502: - for (i = 0; i totalentries; i++) + count = info_ctr.ctr.ctr502-count; + for (i = 0; i count; i++) display_share_info_502(info_ctr.ctr.ctr502-array[i]); break; default: -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
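Review bot: In the info_level switch of cmd_srvsvc_net_share_enum_int(), each case now reads info_ctr.ctr.ctrN->count before its loop, so the container pointer is dereferenced even when the server reports nothing, whereas the old loop only touched it when totalentries was non-zero. If a reply can leave ctr1, ctr2 or ctr502 NULL, add a guard before the read, for example `if (info_ctr.ctr.ctr502 == NULL) break;`. A one-line comment stating that totalentries is the server's total and not the number of unmarshalled entries would also keep the old loop bound from creeping back in.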
Re: [Samba] Is kerberos authentication against AD possible without joining the domain?
On Mon, 2013-08-19 at 18:22 -0500, Les Mikesell wrote:

On Mon, Aug 19, 2013 at 5:40 PM, Andrew Bartlett abart...@samba.org wrote:

On CentOS (and presumably RHEL), the authconfig tool can set up kerberos authentication via PAM so that locally added users can be authenticated at the shell/ssh level if the password they use succeeds for the matching user name in Active Directory - and this works without joining the linux box to the domain. Now I'd like those linux users to be able to map their home directories from a windows box using that same password. Is this possible without joining the linux host to the active directory domain? I don't care if they have to re-enter the password instead of using their domain credentials directly, I just don't want to have to maintain a local password on the linux side for people who already exist in AD. And I don't want to join the domain.

As you have found out, you can do this with pam_krb5 but you have no assurance that the AD DC is indeed the AD DC, as there is no local cryptographic material (the machine account password) with which to verify the ticket. If 'something' issues a ticket, then the user will be authenticated. This is not secure.

All I want is a check that the password the user gave is correct. If it is good enough for ssh it should be good enough for samba service. (And it's all on a firewalled private network so not particularly exposed).

That is why windows workstations and linux workstations should both be joined to the domain.

You need admin credentials for that - and the people managing the AD are all in a different group in a different office.

As to, one way or other using this password to map a directory, look into things like pam_mount. The login will have generated a kerberos credentials cache. This doesn't change on being part of the domain or not.

I want to go the other direction - that is to have the samba server on the linux box serving the user's home directories to their windows desktop boxes using the same credentials as they'd use for shell logins.

OK.

Most (maybe not all) of the windows boxes are already logged into the domain as the appropriate user, but I don't care if those domain credentials are used or not.

You need to join the domain to do this reliably. In the past we would suggest folks use 'security=server' for this situation, where you want to 'pass through' authentication to another server, but it is not only insecure (again total trust), but is now much less reliable with modern clients, due to NTLMv2. We removed security=server in Samba 4.0.

You cannot accept a kerberos ticket without joining the domain, as you can't decrypt it, even if you wanted to just trust it, it is an opaque blob until decrypted.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
[SCM] CTDB repository - branch master updated - ctdb-2.3-60-g7b7aa7b
The branch, master has been updated
  via 7b7aa7b599536cd60ebb84d363607bb4e953248a (commit)
  via 1c9025fdd08d1cea342af7487d0123015e08831b (commit)
  via f0853013655ac3bedf1b793de128fb679c6db6c6 (commit)
  via a610bc351f0754c84c78c27d02f9a695e60c5b0f (commit)
  via 60cb40d090e45ff6134c098a238fac7ad854f134 (commit)
  from e9ef93f7b6dad59eabaa32124df81f3e74c651ef (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master

- Log -

commit 7b7aa7b599536cd60ebb84d363607bb4e953248a
Author: Amitay Isaacs ami...@gmail.com
Date: Wed Aug 14 11:44:12 2013 +1000

    recoverd: Improve log message when nodes disagree on recmaster

    Signed-off-by: Amitay Isaacs ami...@gmail.com

commit 1c9025fdd08d1cea342af7487d0123015e08831b
Author: Amitay Isaacs ami...@gmail.com
Date: Fri Aug 2 11:05:08 2013 +1000

    common: Null terminate process name string so valgrind doesn't complain

    Signed-off-by: Amitay Isaacs ami...@gmail.com

commit f0853013655ac3bedf1b793de128fb679c6db6c6
Author: Amitay Isaacs ami...@gmail.com
Date: Mon Aug 12 15:50:30 2013 +1000

    vacuuming: Fix vacuuming bug where requests keep bouncing between nodes (part 2)

    This is caused by corruption of a record header such that the records on two nodes point to each other as dmaster. This makes a request for that record bounce between nodes endlessly.

    Signed-off-by: Amitay Isaacs ami...@gmail.com

commit a610bc351f0754c84c78c27d02f9a695e60c5b0f
Author: Amitay Isaacs ami...@gmail.com
Date: Mon Aug 12 15:51:00 2013 +1000

    vacuuming: Fix vacuuming bug where requests keep bouncing between nodes (part 1)

    This is caused by corruption of a record header such that the records on two nodes point to each other as dmaster. This makes a request for that record bounce between nodes endlessly.

    Signed-off-by: Amitay Isaacs ami...@gmail.com

commit 60cb40d090e45ff6134c098a238fac7ad854f134
Author: Amitay Isaacs ami...@gmail.com
Date: Tue Aug 6 14:37:13 2013 +1000

    db_wrap: Make sure tdb messages are logged correctly
Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: common/system_linux.c |1 + lib/util/db_wrap.c |1 + server/ctdb_recover.c | 42 +- server/ctdb_recoverd.c |2 +- 4 files changed, 24 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/common/system_linux.c b/common/system_linux.c index ab232f0..84daba4 100644 --- a/common/system_linux.c +++ b/common/system_linux.c @@ -606,6 +606,7 @@ int ctdb_set_process_name(const char *name) char procname[16]; strncpy(procname, name, 15); + procname[15] = '\0'; return prctl(PR_SET_NAME, (unsigned long)procname, 0, 0, 0); } diff --git a/lib/util/db_wrap.c b/lib/util/db_wrap.c index 07b066c..1b2bf7e 100644 --- a/lib/util/db_wrap.c +++ b/lib/util/db_wrap.c @@ -47,6 +47,7 @@ static void log_fn(struct tdb_context *tdb, enum tdb_debug_level level, const ch { if (level = TDB_DEBUG_ERROR) { va_list ap; + this_log_level = level; char newfmt[strlen(tdb_name(tdb)) + 1 + strlen(fmt) + 1]; sprintf(newfmt, %s:%s, tdb_name(tdb), fmt); va_start(ap, fmt); diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c index 0bec03e..1cbcc59 100644 --- a/server/ctdb_recover.c +++ b/server/ctdb_recover.c @@ -785,7 +785,7 @@ bool ctdb_recovery_lock(struct ctdb_context *ctdb, bool keep) */ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context *ctdb_db, struct ctdb_rec_data *rec) { - TDB_DATA key, data; + TDB_DATA key, data, data2; struct ctdb_ltdb_header *hdr, *hdr2; /* these are really internal tdb functions - but we need them here for 
@@ -816,13 +816,13 @@ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context * return -1; } - data = tdb_fetch(ctdb_db-ltdb-tdb, key); - if (data.dptr == NULL) { + data2 = tdb_fetch(ctdb_db-ltdb-tdb, key); + if (data2.dptr == NULL) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); return 0; } - if (data.dsize sizeof(struct ctdb_ltdb_header)) { + if (data2.dsize sizeof(struct ctdb_ltdb_header)) { if (tdb_lock_nonblock(ctdb_db-ltdb-tdb, -1, F_WRLCK) == 0) { if (tdb_delete(ctdb_db-ltdb-tdb, key) != 0) { DEBUG(DEBUG_CRIT,(__location__ Failed to delete corrupt record\n)); @@ -831,59 +831,59 @@ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context * DEBUG(DEBUG_CRIT,(__location__ Deleted corrupt record\n));
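Review bot: In ctdb_set_process_name() the new terminator index and the strncpy() length are both the literal 15, derived by hand from `char procname[16];`. Writing them as `sizeof(procname) - 1` keeps all three in step if the buffer is ever resized, and a short comment that longer names are silently truncated would document the behaviour the fix settles on.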
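Review bot: In log_fn() the added `this_log_level = level;` sits between the `va_list ap;` and `char newfmt[...]` declarations, so a statement now precedes a declaration inside the block. Moving the assignment below newfmt keeps the declarations grouped, and a comment naming what consumes this_log_level would help, since nothing in the hunk shows where it is read.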
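Review bot: In delete_tdb_record() the locally fetched record moves into data2 next to the existing data, hdr and hdr2, and none of the names say which is the record passed in and which is the copy read back from the local tdb. Names along the lines of local_data, or a comment at the declaration, would make it clear why the fetch must not overwrite data. Since tdb_fetch() returns allocated memory, every return path after the fetch needs `free(data2.dptr);`; the changeset is truncated before those paths, so that is worth checking in the full diff.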
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

  http://git.samba.org/autobuild.flakey/2013-08-19-0935/flakey.log

The samba3 build logs are available here:

  http://git.samba.org/autobuild.flakey/2013-08-19-0935/samba3.stderr
  http://git.samba.org/autobuild.flakey/2013-08-19-0935/samba3.stdout

The source4 build logs are available here:

  http://git.samba.org/autobuild.flakey/2013-08-19-0935/samba.stderr
  http://git.samba.org/autobuild.flakey/2013-08-19-0935/samba.stdout

The top commit at the time of the failure was:

commit 02618cc58a49864bd0bf280d9f13a7f39fcf9658
Author: Volker Lendecke v...@samba.org
Date: Sun Aug 18 20:41:51 2013 +

    rpc_server: Fix CID 1063255 Resource leak

    We would leak a socket 0 here

    Signed-off-by: Volker Lendecke v...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Mon Aug 19 03:10:51 CEST 2013 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 74829fe Fix bug #10097 - MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba. from 02618cc rpc_server: Fix CID 1063255 Resource leak http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 74829fecd7a4e806ee441cd75141bede2eefef1a Author: Richard Sharpe realrichardsha...@gmail.com Date: Sun Aug 18 07:34:31 2013 -0700 Fix bug #10097 - MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba. Windows overloads the EA Length field in the DIRECTORY INFO leves of FIND FIRST/FIND NEXT. This field indicates either the REPARSE_TAG if the file/folder has a reparse proint or the EA Length if it has EAs, and is the fundamental reason you cannot have both on a file or folder. Signed-off-by: Richard Sharpe rsha...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Mon Aug 19 22:21:34 CEST 2013 on sn-devel-104 --- Summary of changes: source3/include/ntioctl.h |1 + source3/smbd/dosmode.c|5 + source3/smbd/trans2.c | 19 +-- 3 files changed, 19 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/ntioctl.h b/source3/include/ntioctl.h index e09e1c8..65bed64 100644 --- a/source3/include/ntioctl.h +++ b/source3/include/ntioctl.h @@ -26,6 +26,7 @@ #define IO_REPARSE_TAG_MOUNT_POINT 0xA003 #define IO_REPARSE_TAG_HSM 0xC004 #define IO_REPARSE_TAG_SIS 0x8007 +#define IO_REPARSE_TAG_DFS 0x800A /* For FSCTL_GET_SHADOW_COPY_DATA ...*/ diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index a6ad107..2d07dd9 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -489,6 +489,11 @@ uint32 dos_mode_msdfs(connection_struct *conn, result = filter_mode_by_protocol(result); + /* +* Add in that it is a reparse point +*/ + result |= FILE_ATTRIBUTE_REPARSE_POINT; + DEBUG(8,(dos_mode_msdfs returning )); if (result FILE_ATTRIBUTE_HIDDEN) DEBUG(8, (h)); 
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 2bff483..81f80c3 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -24,6 +24,7 @@ */ #include includes.h +#include ntioctl.h #include system/filesys.h #include version.h #include smbd/smbd.h @@ -1817,12 +1818,14 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx, SOFF_T(p,0,allocation_size); p += 8; SIVAL(p,0,mode); p += 4; q = p; p += 4; /* q is placeholder for name length. */ - { + if (mode FILE_ATTRIBUTE_REPARSE_POINT) { + SIVAL(p, 0, IO_REPARSE_TAG_DFS); + } else { unsigned int ea_size = estimate_ea_size(conn, NULL, smb_fname); SIVAL(p,0,ea_size); /* Extended attributes */ - p += 4; } + p += 4; /* Clear the short name buffer. This is * IMPORTANT as not doing so will trigger * a Win2k client bug. JRA. @@ -1994,12 +1997,14 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx, SOFF_T(p,0,allocation_size); p += 8; SIVAL(p,0,mode); p += 4; q = p; p += 4; /* q is placeholder for name length. */ - { + if (mode FILE_ATTRIBUTE_REPARSE_POINT) { + SIVAL(p, 0, IO_REPARSE_TAG_DFS); + } else { unsigned int ea_size = estimate_ea_size(conn, NULL, smb_fname); SIVAL(p,0,ea_size); /* Extended attributes */ - p +=4; } + p += 4; SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */ SBVAL(p,0,file_index); p += 8; len = srvstr_push(base_data, flags2, p, @@ -2040,12 +2045,14 @@ static bool smbd_marshall_dir_entry(TALLOC_CTX *ctx, SOFF_T(p,0,allocation_size); p += 8; SIVAL(p,0,mode); p += 4; q = p; p += 4; /* q is placeholder for name length */ - { + if (mode FILE_ATTRIBUTE_REPARSE_POINT) { + SIVAL(p, 0, IO_REPARSE_TAG_DFS); + } else { unsigned int ea_size = estimate_ea_size(conn, NULL, smb_fname); SIVAL(p,0,ea_size); /* Extended attributes */ - p
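Review bot: In dos_mode_msdfs() the new `result |= FILE_ATTRIBUTE_REPARSE_POINT;` runs after `result = filter_mode_by_protocol(result);`, so the bit is returned whatever that filter would have done for the negotiated protocol. If the ordering is deliberate the comment should say so; otherwise set the bit before the filter call. The DEBUG(8, ...) dump that follows prints a letter for FILE_ATTRIBUTE_HIDDEN and could print one for the reparse bit as well.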
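Review bot: In smbd_marshall_dir_entry(), each changed info-level block writes IO_REPARSE_TAG_DFS whenever mode has FILE_ATTRIBUTE_REPARSE_POINT set, which assumes the bit can only have come from an msdfs link. If mode can carry that bit from any other source the client is handed the wrong tag, so either test that the entry really is a DFS link or add a comment stating the invariant. The same if/else is pasted into every block; a small helper returning the value for the EA-length field would stop the copies drifting apart.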
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4f96d57 libsmb: Fix a bunch of Coverity IDs from 74829fe Fix bug #10097 - MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4f96d5753ffe6c446c46676ba31cd2a3722890a0 Author: Volker Lendecke v...@samba.org Date: Mon Aug 19 22:36:02 2013 +0200 libsmb: Fix a bunch of Coverity IDs (fnum != -1) is always true, even if fnum=-1 was initialized. fnum is a uint16, and the comparison first casts this to 65535, which is always != -1. Also change the initialization to make it clearer what is happening here. Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Tue Aug 20 00:52:36 CEST 2013 on sn-devel-104 --- Summary of changes: source3/libsmb/cli_smb2_fnum.c | 40 1 files changed, 20 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index d0b744b..18b03f3 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -493,7 +493,7 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, void *state) { NTSTATUS status; - uint16_t fnum = -1; + uint16_t fnum = 0x; char *parent_dir = NULL; const char *mask = NULL; struct smb2_hnd *ph = NULL; @@ -618,7 +618,7 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } TALLOC_FREE(subframe); @@ -638,7 +638,7 @@ NTSTATUS cli_smb2_qpathinfo_basic(struct cli_state *cli, { NTSTATUS status; struct smb2_create_returns cr; - uint16_t fnum = -1; + uint16_t fnum = 0x; size_t namelen = strlen(name); if (smbXcli_conn_has_async_calls(cli-conn)) { 
@@ -772,7 +772,7 @@ NTSTATUS cli_smb2_qpathinfo_alt_name(struct cli_state *cli, { NTSTATUS status; DATA_BLOB outbuf = data_blob_null; - uint16_t fnum = -1; + uint16_t fnum = 0x; struct smb2_hnd *ph = NULL; uint32_t altnamelen = 0; TALLOC_CTX *frame = talloc_stackframe(); @@ -865,7 +865,7 @@ NTSTATUS cli_smb2_qpathinfo_alt_name(struct cli_state *cli, fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } TALLOC_FREE(frame); @@ -1026,7 +1026,7 @@ NTSTATUS cli_smb2_getatr(struct cli_state *cli, time_t *write_time) { NTSTATUS status; - uint16_t fnum = -1; + uint16_t fnum = 0x; struct smb2_hnd *ph = NULL; TALLOC_CTX *frame = talloc_stackframe(); @@ -1071,7 +1071,7 @@ NTSTATUS cli_smb2_getatr(struct cli_state *cli, fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } @@ -1097,7 +1097,7 @@ NTSTATUS cli_smb2_qpathinfo2(struct cli_state *cli, { NTSTATUS status; struct smb2_hnd *ph = NULL; - uint16_t fnum = -1; + uint16_t fnum = 0x; TALLOC_CTX *frame = talloc_stackframe(); if (smbXcli_conn_has_async_calls(cli-conn)) { @@ -1141,7 +1141,7 @@ NTSTATUS cli_smb2_qpathinfo2(struct cli_state *cli, fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } @@ -1162,7 +1162,7 @@ NTSTATUS cli_smb2_qpathinfo_streams(struct cli_state *cli, { NTSTATUS status; struct smb2_hnd *ph = NULL; - uint16_t fnum = -1; + uint16_t fnum = 0x; DATA_BLOB outbuf = data_blob_null; TALLOC_CTX *frame = talloc_stackframe(); @@ -1229,7 +1229,7 @@ NTSTATUS cli_smb2_qpathinfo_streams(struct cli_state *cli, fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } @@ -1248,7 +1248,7 @@ NTSTATUS cli_smb2_setatr(struct cli_state *cli, time_t mtime) { NTSTATUS status; - uint16_t fnum = -1; + uint16_t fnum = 0x; struct smb2_hnd *ph = NULL; uint8_t inbuf_store[40]; DATA_BLOB inbuf = data_blob_null; 
@@ -1311,7 +1311,7 @@ NTSTATUS cli_smb2_setatr(struct cli_state *cli, ph-fid_volatile); fail: - if (fnum != -1) { + if (fnum != 0x) { cli_smb2_close_fnum(cli, fnum); } @@ -1391,7 +1391,7 @@ NTSTATUS cli_smb2_setattrE(struct cli_state *cli, NTSTATUS cli_smb2_dskattr(struct cli_state *cli, int
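Review bot: The "no handle" sentinel is written as a bare literal in both the initializer and the `fail:` check of every function touched (cli_smb2_list, cli_smb2_qpathinfo_basic, cli_smb2_getatr and the rest), so the two sites in each function have to be kept in agreement by hand. A single named constant for the invalid fnum would document the value and remove that risk. It is also worth a comment confirming that this value can never be handed back as a valid fnum, since the cleanup path now depends on it.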
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 1808316 docs: Fix variable list in man vfs_crossrename.
  via 3e11421 Man pages for ntdb tools missing
  from 4f96d57 libsmb: Fix a bunch of Coverity IDs

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 1808316b1245290fd4a4aa87a801410899e4c1e3
Author: Karolin Seeger ksee...@samba.org
Date: Tue Aug 13 11:04:50 2013 +0200

    docs: Fix variable list in man vfs_crossrename.

    The varlist entries need a paragraph, otherwise the list is broken and the list entries end with .RE.

    Fix bug #10076 - varlist in man vfs_crossrename broken.

    Signed-off-by: Karolin Seeger ksee...@samba.org
    Reviewed-by: Jeremy Allison j...@samba.org

    Autobuild-User(master): Jeremy Allison j...@samba.org
    Autobuild-Date(master): Tue Aug 20 04:19:42 CEST 2013 on sn-devel-104

commit 3e11421e7476d968a3d550491279d0ad6b6c398f
Author: Rusty Russell ru...@rustcorp.com.au
Date: Thu Aug 15 12:32:06 2013 +0930

    Man pages for ntdb tools missing

    Copied and modified from tdb man pages. Avoided reproducing API documentation which is extensively documented in the ntdb.h header already.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=1

    Signed-off-by: Rusty Russell ru...@rustcorp.com.au
    Reviewed-by: Jeremy Allison j...@samba.org

---

Summary of changes:

  docs-xml/manpages/vfs_crossrename.8.xml            |  20 ++--
  lib/ntdb/man/ntdb.3.xml                            | 132
  .../tdbbackup.8.xml => ntdb/man/ntdbbackup.8.xml}  |  55 +
  .../man/tdbdump.8.xml => ntdb/man/ntdbdump.8.xml}  |  37 +++---
  .../man/ntdbrestore.8.xml}                         |  38 ---
  .../man/tdbtool.8.xml => ntdb/man/ntdbtool.8.xml}  |  46 ---
  lib/ntdb/wscript                                   |  13 ++-
  7 files changed, 252 insertions(+), 89 deletions(-)
  create mode 100644 lib/ntdb/man/ntdb.3.xml
  copy lib/{tdb/man/tdbbackup.8.xml => ntdb/man/ntdbbackup.8.xml} (64%)
  copy lib/{tdb/man/tdbdump.8.xml => ntdb/man/ntdbdump.8.xml} (67%)
  copy lib/{tdb/man/tdbrestore.8.xml => ntdb/man/ntdbrestore.8.xml} (50%)
  copy lib/{tdb/man/tdbtool.8.xml => ntdb/man/ntdbtool.8.xml} (83%)

Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/vfs_crossrename.8.xml b/docs-xml/manpages/vfs_crossrename.8.xml index 409a34f..b8f7faa 100644 --- a/docs-xml/manpages/vfs_crossrename.8.xml +++ b/docs-xml/manpages/vfs_crossrename.8.xml @@ -37,28 +37,30 @@ NT_STATUS_NOT_SAME_DEVICE and the client has to move the file by manual copy and delete operations. If the rename by copy is done by the server this can be much more efficient. vfs_crossrename tries to do - this server-side cross-device rename operation. There are however - limitations that this module currently does not solve: + this server-side cross-device rename operation. + /para + + paraThere are however limitations that this module currently does not + solve:/para variablelist varlistentry - the ACLs of files are not preserved + paraThe ACLs of files are not preserved,/para /varlistentry varlistentry - meta data in EAs are not preserved + parameta data in EAs are not preserved,/para /varlistentry varlistentry - renames of whole subdirectories cannot be done recursively, + pararenames of whole subdirectories cannot be done recursively, in that case we still return STATUS_NOT_SAME_DEVICE and - let the client decide what to do + let the client decide what to do,/para /varlistentry varlistentry - rename operations of huge files can cause hangs on the + pararename operations of huge files can cause hangs on the client because clients expect a rename operation to - return fast + return fast./para /varlistentry /variablelist - /para paraThis module is stackable./para diff --git a/lib/ntdb/man/ntdb.3.xml b/lib/ntdb/man/ntdb.3.xml new file mode 100644 index 000..79f8937 --- /dev/null +++ b/lib/ntdb/man/ntdb.3.xml 
@@ -0,0 +1,132 @@ +?xml version=1.0? +!DOCTYPE refentry PUBLIC -//OASIS//DTD DocBook XML V4.2//EN http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd; +refentry + refmeta +refentrytitlentdb/refentrytitle +manvolnum3/manvolnum +refmiscinfo class=sourceSamba/refmiscinfo +refmiscinfo class=manualSystem Administration tools/refmiscinfo +refmiscinfo class=version4.0/refmiscinfo + /refmeta + refnamediv +refnamentdb/refname +refpurposeA not-so
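Review bot: In the vfs_crossrename.8.xml hunk each varlistentry now holds a bare para, but a DocBook varlistentry is defined as one or more term elements followed by a listitem, so the list is still not schema-valid even if it renders. Since these four limitations have no terms, an itemizedlist with listitem/para children is the better fit. The entries are also inconsistently cased: the first now starts "The ACLs" while the other three start in lower case.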