Build status as of Wed Jan 27 07:00:05 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-01-26 00:00:07.0 -0700 +++ /home/build/master/cache/broken_results.txt 2010-01-27 00:00:05.0 -0700 @@ -1,22 +1,22 @@ -Build status as of Tue Jan 26 07:00:07 2010 +Build status as of Wed Jan 27 07:00:05 2010 Build counts: Tree Total Broken Panic build_farm 0 0 0 -ccache 1 0 0 +ccache 19 13 0 distcc 0 0 0 -ldb 27 27 0 -libreplace 27 12 0 +ldb 28 28 0 +libreplace 29 12 0 lorikeet 0 0 0 pidl 0 0 0 -ppp 0 0 0 +ppp 1 0 0 rsync0 0 0 samba-docs 0 0 0 samba-web0 0 0 -samba_3_current 26 26 0 -samba_3_master 26 25 3 -samba_3_next 26 25 3 +samba_3_current 27 26 0 +samba_3_master 27 26 3 +samba_3_next 27 25 3 samba_4_0_test 28 27 0 -talloc 27 10 0 -tdb 25 17 0 +talloc 29 10 0 +tdb 26 17 0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 899bd00... Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write. from 2dd301e... Add dependency of bin/smbfilter to libwbclient. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 899bd0005f56dcc1e95c3988d41ab3f628bb15db Author: Jeremy Allison Date: Tue Jan 26 16:51:57 2010 -0800 Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write. Only works on Linux kernels 2.6.26 and above. Grants CAP_KILL capability to allow Linux threads under different euids to send signals to each other. Jeremy. --- Summary of changes: source3/include/smb.h |3 +- source3/lib/system.c | 65 ++--- source3/smbd/server.c |8 ++ 3 files changed, 71 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smb.h b/source3/include/smb.h index bc7a90d..041c96b 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1723,7 +1723,8 @@ minimum length == 24. enum smbd_capability { KERNEL_OPLOCK_CAPABILITY, DMAPI_ACCESS_CAPABILITY, -LEASE_CAPABILITY +LEASE_CAPABILITY, +KILL_CAPABILITY }; /* diff --git a/source3/lib/system.c b/source3/lib/system.c index a58d903..9c1da3a 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -883,6 +883,11 @@ char *sys_getwd(char *s) #if defined(HAVE_POSIX_CAPABILITIES) +/* This define hasn't made it into the glibc capabilities header yet. */ +#ifndef SECURE_NO_SETUID_FIXUP +#define SECURE_NO_SETUID_FIXUP 2 +#endif + /** Try and abstract process capabilities (for systems that have them). / 
@@ -913,6 +918,32 @@ static bool set_process_capability(enum smbd_capability capability,
 }
 #endif
+#if defined(HAVE_PRCTL) && defined(PR_SET_SECUREBITS) && defined(SECURE_NO_SETUID_FIXUP)
+/* New way of setting capabilities as "sticky". */
+
+ /*
+* Use PR_SET_SECUREBITS to prevent setresuid()
+* atomically dropping effective capabilities on
+* uid change. Only available in Linux kernels
+* 2.6.26 and above.
+*
+* See here:
+* http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
+* for details.
+*
+* Specifically the CAP_KILL capability we need
+* to allow Linux threads under different euids
+* to send signals to each other.
+*/
+
+ if (prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)) {
+ DEBUG(0,("set_process_capability: "
+ "prctl PR_SET_SECUREBITS failed with error %s\n",
+ strerror(errno) ));
+ return false;
+ }
+#endif
+
 cap = cap_get_proc();
 if (cap == NULL) {
 DEBUG(0,("set_process_capability: cap_get_proc failed: %s\n",
@@ -941,6 +972,11 @@ static bool set_process_capability(enum smbd_capability capability,
 cap_vals[num_cap_vals++] = CAP_LEASE;
 #endif
 break;
+ case KILL_CAPABILITY:
+#ifdef CAP_KILL
+ cap_vals[num_cap_vals++] = CAP_KILL;
+#endif
+ break;
 }
 SMB_ASSERT(num_cap_vals <= ARRAY_SIZE(cap_vals));
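Review bot: The added `prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)` block sits before `cap_get_proc()` and the `switch` on `capability`, so it runs for every caller of set_process_capability() whatever capability is requested and whatever `enable` is, not only for KILL_CAPABILITY. Once that bit is set the kernel no longer adjusts the capability sets on a uid change, so anything still in the effective set survives the switch to an unprivileged euid; this hunk does not show the other capabilities being cleared first, and that should be confirmed before relying on it. The call also overwrites the securebits word instead of preserving the current value, and when it fails (for example on a kernel older than the 2.6.26 the comment names) the `return false` aborts requests for the pre-existing capabilities as well. I would move the call under `case KILL_CAPABILITY:`, keep the existing bits with `int sb = prctl(PR_GET_SECUREBITS);` followed by `prctl(PR_SET_SECUREBITS, sb | (1 << SECURE_NO_SETUID_FIXUP))`, and log rather than fail when the kernel rejects it. The function body starts and ends outside this hunk.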
@@ -950,16 +986,37 @@ static bool set_process_capability(enum smbd_capability capability, return True; } - cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals, - enable ? CAP_SET : CAP_CLEAR); + /* +* Ensure the capability is effective. We assume that as a root +* process it's always permitted. +*/ + + if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals, + enable ? CAP_SET : CAP_CLEAR) == -1) { + DEBUG(0, ("set_process_capability: cap_set_flag effective " + "failed (%d): %s\n", + (int)capability, + strerror(errno))); + cap_free(cap); + return false; + } /* We never want to pass capabilities down to our children, so make * sure they are not inherited. */ - cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR); + if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, + cap_vals, CAP_CLEAR) == -1) { + DEBUG(0, ("set_process_capability: cap_set_flag inheritable " + "failed (%d): %s\n", + (int)capability, + strerror(errn
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 137fd79... s4:winsrepl.idl: add random interface uuid via 601642d... s4:smbtorture: add BASE-BENCH-HOLDOPEN from a0c31ec... mount.cifs: don't allow it to be run as setuid root program http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 137fd79f445c30b04d443288c03db2b1cc5dcba3 Author: Stefan Metzmacher Date: Tue Jan 26 15:22:09 2010 +0100 s4:winsrepl.idl: add random interface uuid This is needed to include the wrepl interface into ndrdump. metze commit 601642d92369ca9c572e40aa32b5b3b53eeb8dbf Author: Stefan Metzmacher Date: Tue Jan 26 15:20:57 2010 +0100 s4:smbtorture: add BASE-BENCH-HOLDOPEN This is useful for manual performance testing with a large number of share mode entries. metze --- Summary of changes: source4/librpc/idl/winsrepl.idl |5 ++- source4/torture/basic/base.c|1 + source4/torture/basic/misc.c| 63 +++ 3 files changed, 68 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/librpc/idl/winsrepl.idl b/source4/librpc/idl/winsrepl.idl index 0ec05e8..cedc70b 100644 --- a/source4/librpc/idl/winsrepl.idl +++ b/source4/librpc/idl/winsrepl.idl @@ -11,7 +11,10 @@ import "nbt.idl"; -interface wrepl +[ + uuid("915f5653-bac1-431c-97ee-9ffb34526921"), + helpstring("WINS Replication PDUs") +] interface wrepl { const int WINS_REPLICATION_PORT = 42; diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c index 2c72257..ed389fb 100644 --- a/source4/torture/basic/base.c +++ b/source4/torture/basic/base.c 
@@ -1771,6 +1771,7 @@ NTSTATUS torture_base_init(void) torture_suite_add_1smb_test(suite, "MAXIMUM_ALLOWED", torture_maximum_allowed); torture_suite_add_simple_test(suite, "BENCH-HOLDCON", torture_holdcon); + torture_suite_add_1smb_test(suite, "BENCH-HOLDOPEN", torture_holdopen); torture_suite_add_simple_test(suite, "BENCH-READWRITE", run_benchrw); torture_suite_add_smb_multi_test(suite, "BENCH-TORTURE", run_torture); torture_suite_add_1smb_test(suite, "SCAN-PIPE_NUMBER", run_pipe_number); diff --git a/source4/torture/basic/misc.c b/source4/torture/basic/misc.c index a8ea88f..ab79d79 100644 --- a/source4/torture/basic/misc.c +++ b/source4/torture/basic/misc.c @@ -231,6 +231,69 @@ bool torture_holdcon(struct torture_context *tctx) } /* + open a file N times on the server and just hold them open + used for testing performance when there are N file handles + alopenn + */ +bool torture_holdopen(struct torture_context *tctx, + struct smbcli_state *cli) +{ + int i, fnum; + const char *fname = "\\holdopen.dat"; + NTSTATUS status; + + smbcli_unlink(cli->tree, fname); + + fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT|O_EXCL, DENY_NONE); + if (fnum == -1) { + torture_comment(tctx, "open of %s failed (%s)\n", fname, smbcli_errstr(cli->tree)); + return false; + } + + smbcli_close(cli->tree, fnum); + + for (i=0;itree, tctx, &op); + if (!NT_STATUS_IS_OK(status)) { + torture_warning(tctx, "open %d failed\n", i); + continue; + } + + if (torture_setting_bool(tctx, "progress", true)) { + torture_comment(tctx, "opened %d file\r", i); + fflush(stdout); + } + } + + torture_comment(tctx, "\nStarting pings\n"); + + while (1) { + struct smb_echo ec; + + status = smb_raw_echo(cli->transport, &ec); + torture_comment(tctx, "."); + fflush(stdout); + sleep(15); + } + + return true; +} + +/* test how many open files this server supports on the one socket */ bool run_maxfidtest(struct torture_context *tctx, struct smbcli_state *cli, int dummy) -- Samba Shared Repository
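Review bot: In the `while (1)` ping loop at the end of torture_holdopen(), `struct smb_echo ec;` is handed to `smb_raw_echo()` with no field set, so the request is presumably built from indeterminate stack contents. The returned `status` is assigned but never examined, so the loop keeps printing dots after the connection has gone away and the `return true;` beneath it is unreachable. Zero-initialise and fill the request before the loop, and leave the loop on failure with `if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "echo failed\n"); return false; }`. The open loop above it is garbled on this page, so this note covers only the ping loop.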
svn commit: samba-web r1361 - in trunk: .
Author: kseeger Date: 2010-01-26 08:10:26 -0700 (Tue, 26 Jan 2010) New Revision: 1361 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1361 Log: Announce Samba 3.5.0rc2 Karolin Modified: trunk/index.html Changeset: Modified: trunk/index.html === --- trunk/index.html2010-01-19 11:08:25 UTC (rev 1360) +++ trunk/index.html2010-01-26 15:10:26 UTC (rev 1361) @@ -24,6 +24,38 @@ Latest News +26 January 2010 +Samba 3.5.0rc2 Available for Download + +Samba 3.5.0rc2 is now available for download. This the second +release candidate of the next upgrade production release version of Samba. +It is intended for testing purposes only. Please test and +https://bugzilla.samba.org/";>report any bugs that you +find. Please read the changes in the +Release Notes +for details on new features and difference in behavior from +previous releases. + +Plans are to ship the final 3.5.0 release on February 16 if there +are no major issues with 3.5.0rc2. Please see +http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.5";> +Samba 3.5 Release Planning for more information on the current release +schedule. + +The Samba 3.5.0rc2 +source code can be downloaded now. The GnuPG +signature is for the for the uncompressed tarball. +If you prefer, the patch +file against Samba 3.5.0rc1 +(GnuPG +signature) is also available for download. +Please read these instructions on +how to verify the gpg signature. Precompiled packages will +be made available on a volunteer basis and can be found in the +Binary_Packages download area. + 19 January 2010 Samba 3.4.5 Available for Download @@ -68,7 +100,7 @@ signature is for the for the uncompressed tarball. If you prefer, the patch -file against Samba 3.3.0pre2 +file against Samba 3.5.0pre2 (GnuPG signature) is also available for download. Please read these instructions on
[SCM] Samba Shared Repository - branch v3-5-stable updated
The branch, v3-5-stable has been updated via 6e42522... WHATSNEW: Update changes. via ff7027a... s3-docs: Fix version in man ldbrename. via a4e7412... s3: Enable use of ccache by default for libsmbclient via b244e3e... s3-libsmbclient: Add smbc_setOptionUseCCache() via ce033a7... s3: Add --use-ccache to net (cherry picked from commit af32a49c7d8803f597e184f1361e795f179b809f) via b2c393a... s3: add libnetapi_set_use_ccache() (cherry picked from commit b99ab82ebab598b45eb6729498c9e67b195e698d) via e2e48df... s3: Fix a bug in net's use of popt via a97d76b... s3: Enable -C in rpcclient (cherry picked from commit 2aca69ef0df02e655125d9db31e1f0144d21a144) via a361992... s3: Add CLI_FULL_CONNECTION_USE_CCACHE (cherry picked from commit 36854ea0aa260dfe23f77825e942f5b3905d396d) via f3428ec... s3: Use -C in smbclient via 1fcfa0b... s3: Add -C (--use-ccache) to popt_common_credentials (cherry picked from commit 58ebc50663a299e16684aa24cfae95954d5a14f0) via bef877a... s3: Add ccache use to cli_session_setup_ntlmssp (cherry picked from commit e06abe412f78b58f36998037637d1b3478fdc477) via 7928241... s3: Add NTLMSSP_FEATURE_CCACHE via dc3e7f7... libwbclient: Actually implement wbcCredentialCache() (cherry picked from commit 7ab798d141bf715808fa0941f19422069e65fa0e) via 2643ff4... s3: Add the session key to the ccache_ntlm_auth response (cherry picked from commit 99f6f322ae5aa13596c5b0f1a6e600b6fec48896) via b444541... s3: Add wbinfo --ccache-save from 43c03a6... lib/popt: Fix typo in README. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable - Log - commit 6e4252217a6f239a64afc5103d6416c402e5e10f Author: Karolin Seeger Date: Tue Jan 26 14:58:45 2010 +0100 WHATSNEW: Update changes. Karolin (cherry picked from commit 048adb50d83a3928820e6607451d582696cd7cc7) commit ff7027abcba3bfc69f068da2a8c3b0792c72e870 Author: Karolin Seeger Date: Tue Jan 26 14:19:31 2010 +0100 s3-docs: Fix version in man ldbrename. 
Karolin (cherry picked from commit 77bb3f2a5596c84e99b9006d2a31a752c68ab34a) commit a4e7412578752a03a10d5c6a95221cba8c7bb077 Author: Volker Lendecke Date: Tue Jan 26 10:51:32 2010 +0100 s3: Enable use of ccache by default for libsmbclient Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, which has the advantage over an smb.conf option to be easily settable per application. (cherry picked from commit 0e8552abc1b48e62aaac3cab7c13c8dea60c9f9b) commit b244e3ec83d508c4515dd0987c2880117ae9119f Author: Volker Lendecke Date: Sun Jan 24 19:24:10 2010 +0100 s3-libsmbclient: Add smbc_setOptionUseCCache() Can we enable this by default? This would be a change in behaviour, but this feature is just too cool for everyone to catch up in the apps. The patch would be (cherry picked from commit 9698c214624678125551f2d65b95deb29ea72b64) commit ce033a724aff9bf587e8b3ba02e3010b565f3912 Author: Volker Lendecke Date: Sun Jan 24 18:50:48 2010 +0100 s3: Add --use-ccache to net (cherry picked from commit af32a49c7d8803f597e184f1361e795f179b809f) commit b2c393a4bd4c9d8a8c2f5007fa287ca0a97a0919 Author: Volker Lendecke Date: Sun Jan 24 18:50:31 2010 +0100 s3: add libnetapi_set_use_ccache() (cherry picked from commit b99ab82ebab598b45eb6729498c9e67b195e698d) commit e2e48df6dc9efb245f4c16d46f487a065d806d99 Author: Volker Lendecke Date: Sun Jan 24 18:51:58 2010 +0100 s3: Fix a bug in net's use of popt In order to add --use-ccache to net, I added another "bool opt_ccache;" to struct net_context. popt did not like this, it took a while to figure out why. Popt has the lines /* XXX Check alignment, may fail on funky platforms. */ if (arg == NULL || (((unsigned long)arg) & (sizeof(*arg)-1))) return POPT_ERROR_NULLARG; The "bool opt_ccache;" was not aligned anymore... 
(cherry picked from commit 340277382518c62e23faae4af69a9c5c32b96af2) commit a97d76b1515be57746b22413ec4bc1533feee71d Author: Volker Lendecke Date: Sun Jan 24 17:35:04 2010 +0100 s3: Enable -C in rpcclient (cherry picked from commit 2aca69ef0df02e655125d9db31e1f0144d21a144) commit a3619926795f2bb139e9b9a3c9c4ceb40858d38e Author: Volker Lendecke Date: Sun Jan 24 17:34:13 2010 +0100 s3: Add CLI_FULL_CONNECTION_USE_CCACHE (cherry picked from commit 36854ea0aa260dfe23f77825e942f5b3905d396d) commit f3428ecb6b3c640e703822592cb369c4bbe4d8fa Author: Volker Lendecke Date: Sun Jan 24 17:08:56 2010 +0100 s3: Use -C in smbclient $ bin/wbinfo --ccache-save=w2k3ad\\vl%Password saving creds succeeded $ bin/smbclient //192.168.42.160/tmp -Uvl -N -C -W w2k3ad OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Win
[SCM] Samba Shared Repository - annotated tag release-3-5-0rc2 created
The annotated tag, release-3-5-0rc2 has been created at 94bf3471d9196f3bf070d73ef2fa804f09c106b2 (tag) tagging 6e4252217a6f239a64afc5103d6416c402e5e10f (commit) replaces release-3-5-0rc1 tagged by Karolin Seeger on Tue Jan 26 15:11:54 2010 +0100 - Log - tag release-3-5-0rc2 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.12 (GNU/Linux) iD8DBQBLXvhGbzORW2Vot+oRAhbcAKCMxgBPqfsN5HvWo7Uy4apLyvuyQACgoqqJ c3EZUrn5lamOPpPunOw4CoI= =tT+U -END PGP SIGNATURE- André Hentschel (1): net: Add German translation, specially for the command listing Björn Jacke (3): s3/i18n/de: improve some German translations Ñ3/i18n/de: fix typo s3/net: split up some printable stings to ease i18n Giovanni Bajo (1): s3-lanman: Allow a level2 descriptor for a level1 NetShareGetInfo Günther Deschner (2): s3-docs: mention -K option in pdbedit manpage. s3-libsmbclient: Fix crash bug in SMBC_parse_path(). Jeremy Allison (7): Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes" Fix bug #7033 - SMBrmdir call always returns true, even on failure to delete a directory. Fix two uses of strncat -> strlcat. Ensure proper use of strncpy when setting socket name. Fix bug #7036 - net rpc getsid fails in hardened windows environments. Fix bug #6876 - Delete of an object whose parent folder does not have delete rights fails even if the delete right is set on the object. Modification of fix for bug 6876 - Delete of an object whose parent folder does not have delete rights fails even if the delete right is set on the object Fix bug 7045 - Bad (non memory copying) interfaces in smbc_set calls. Kai Blin (5): s3 net: Fix compile error with WITH_DNS_UPDATES s3 net/i18n: Use only one spelling for "Usage:" s3 net/i18n: update .po files s3 net: Fix compile warnings s3 net/i18n: Update .po files Karolin Seeger (11): VERSION: Raise version number up to 3.5.0rc2. WHATSNEW: Start 3.5.0rc2 release notes. s3-docs: Adapt version number in man vfs_scannedonly. WHATSNEW: Update release notes. s3-docs: Fix typos. 
WHATSNEW: Update changes since 3.5.0rc1. WHATSNEW: Update changes. s3/docs: Fix typo. lib/popt: Fix typo in README. s3-docs: Fix version in man ldbrename. WHATSNEW: Update changes. Michael Adam (15): docs: fix xml tag in the pdbedit manpage s3:check_sam_security: untangle assignment from statement s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers s3:auth:sam_password_ok: fix allocation of a data blob. s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok() s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass s3:auth:check_sam_security: null out sampass after it has been stolen. s3:auth:check_sam_security: create (and use) a common exit point s3:auth:check_sam_security: fix a leading tab/ws mixup s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash s3:passdb: store the plain nt passwords hashes in history, not salted md5 s3:auth:check_sam_security: introduce a bool var to control pad_pw_count incrementation s3:auth: don't update the bad pw count if pw is among last 2 history entries s3:auth: fix account unlock regression introduced with fix for bug #4347 Olivier Sessink (3): Bug #7028 part1 Part 4 of bug #7028 - include scannedonly VFS module s3-docs: Add man page for vfs_scannedonly. SASAJIMA Toshihiro (1): Fix bug #7034 - vfs_cap causes signal 11 (SIGSEGV) (cherry picked from commit ca847952054f5bbde1d40ad4260589b6fcc9721d) Stefan Metzmacher (2): s3:smbldap: add smbldap_talloc_first_attribute() s3:pdb_ldap: restore Samba 3.0.x behavior and use the first "uid" value. 
Volker Lendecke (33): s3: Lock down some srvsvc calls according to what w2k3 seems to do s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth() s3: Fix a winbind segfault in "trusted_domains" s3: Lift the version of the scannedonly VFS module (cherry picked from commit 2d4dda0688d5c88fb73ae17db970afe9d0f77f6a) s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server s3:pdb_ldap: Fix large paged search. s3: Avoid a memset(, 0, ) call s3: Fix a typo s3: Simplify pdb_set_plaintext_passwd() slightly s3: Simplify pdb_set_plaintext_passwd() a bit s3: Make use of talloc_array in pdb_set_plaintext_passwd() s3: Simplify pdb_set_plaintext_passwd by using talloc_zero_array s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes s3: Simplify pdb_set_plaintext_passwd()
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via 048adb5... WHATSNEW: Update changes. from 77bb3f2... s3-docs: Fix version in man ldbrename. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 048adb50d83a3928820e6607451d582696cd7cc7 Author: Karolin Seeger Date: Tue Jan 26 14:58:45 2010 +0100 WHATSNEW: Update changes. Karolin --- Summary of changes: WHATSNEW.txt | 11 +++ 1 files changed, 11 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ac82c51..1a30e15 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -13,6 +13,7 @@ Major enhancements in Samba 3.5.0 include: General changes: o Add support for full Windows timestamp resolution o The Using Samba HTML book has been removed. +o 'net', 'smbclient' and libsmbclient can use credentials cached by Winbind. Protocol changes: o Experimental implementation of SMB2 @@ -38,6 +39,12 @@ kernel (2.6.22 and higher) and the glibc (2.6 and higher). The Using Samba HTML book has been removed from the Samba tarball. It is still available at http://www.samba.org/samba/docs/using_samba/toc.html. +Samba client tools like 'net', 'smbclient' and libsmbclient can use the user +credentials cached by Winbind at logon time. This is very useful e.g. when +connecting to a Samba server using Nautilus without re-entering username and +password. This feature is enabled by default and can be disabled per application +by setting the LIBSMBCLIENT_NO_CCACHE environment variable. + Protocol changes @@ -105,6 +112,8 @@ o Björn Jacke o Volker Lendecke * Major internal refactoring of the Winbind daemon. * Make Winbind asynchronous. +* Make 'net', 'smbclient' and libsmbclient use the logon credentials cached + by Winbind. o Stefan Metzmacher 
@@ -159,6 +168,8 @@ o Volker Lendecke * BUG 7027: Fix a segfault in winbindd_dual_ccache_ntlm_auth(). * BUG 7037: Fix a Winbind segfault in "trusted_domains". * BUG 7046: Fix libsmbclient crash against OpenSolaris CIFS server. +* BUG 7062: Make 'net', 'smbclient' and libsmbclient use the logon + credentials cached by Winbind. * Lock down some srvsvc calls according to what w2k3 seems to do. -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v3-4-test updated
The branch, v3-4-test has been updated via 69100db... s3-docs: Adapt version in man ldbrename. via ba665a5... s3/docs: Add missing meta data to man ldbrename. from 28b3cf3... s3: Fix bug 7052: "DFS broken on AIX (maybe others)" (cherry picked from commit c531d00abdb19ff6ba4c60ebdcc8319949c6) (cherry picked from commit f21796955e7aa2e84a1c810612f2fdee2bde611c) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test - Log - commit 69100db8c331ed15651ae52b88632d047f148ae4 Author: Karolin Seeger Date: Tue Jan 26 14:28:12 2010 +0100 s3-docs: Adapt version in man ldbrename. Karolin commit ba665a53b3a86a56b1cf3adeccf6764291dc264b Author: Karolin Seeger Date: Thu Oct 15 12:27:24 2009 +0200 s3/docs: Add missing meta data to man ldbrename. Avoid warnings. Karolin (cherry picked from commit 6a9e88e08bfa4463ce5bdc57183f6518b524c98c) (cherry picked from commit 1a25ef232bacb59aa753fbe21fed53a996d2e6b3) --- Summary of changes: docs-xml/manpages-3/ldbrename.1.xml |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/ldbrename.1.xml b/docs-xml/manpages-3/ldbrename.1.xml index 391ec84..8567cd4 100644 --- a/docs-xml/manpages-3/ldbrename.1.xml +++ b/docs-xml/manpages-3/ldbrename.1.xml @@ -5,6 +5,9 @@ ldbrename 1 +Samba +User Commands +3.4 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via 77bb3f2... s3-docs: Fix version in man ldbrename. via 0e8552a... s3: Enable use of ccache by default for libsmbclient via 9698c21... s3-libsmbclient: Add smbc_setOptionUseCCache() via af32a49... s3: Add --use-ccache to net via b99ab82... s3: add libnetapi_set_use_ccache() via 3402773... s3: Fix a bug in net's use of popt via 2aca69e... s3: Enable -C in rpcclient via 36854ea... s3: Add CLI_FULL_CONNECTION_USE_CCACHE via 5e91f9e... s3: Use -C in smbclient via 58ebc50... s3: Add -C (--use-ccache) to popt_common_credentials via e06abe4... s3: Add ccache use to cli_session_setup_ntlmssp via 8e96e1f... s3: Add NTLMSSP_FEATURE_CCACHE via 7ab798d... libwbclient: Actually implement wbcCredentialCache() via 99f6f32... s3: Add the session key to the ccache_ntlm_auth response via 1ae7b07... s3: Add wbinfo --ccache-save from 007dbc5... lib/popt: Fix typo in README. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 77bb3f2a5596c84e99b9006d2a31a752c68ab34a Author: Karolin Seeger Date: Tue Jan 26 14:19:31 2010 +0100 s3-docs: Fix version in man ldbrename. Karolin commit 0e8552abc1b48e62aaac3cab7c13c8dea60c9f9b Author: Volker Lendecke Date: Tue Jan 26 10:51:32 2010 +0100 s3: Enable use of ccache by default for libsmbclient Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, which has the advantage over an smb.conf option to be easily settable per application. commit 9698c214624678125551f2d65b95deb29ea72b64 Author: Volker Lendecke Date: Sun Jan 24 19:24:10 2010 +0100 s3-libsmbclient: Add smbc_setOptionUseCCache() Can we enable this by default? This would be a change in behaviour, but this feature is just too cool for everyone to catch up in the apps. 
The patch would be commit af32a49c7d8803f597e184f1361e795f179b809f Author: Volker Lendecke Date: Sun Jan 24 18:50:48 2010 +0100 s3: Add --use-ccache to net commit b99ab82ebab598b45eb6729498c9e67b195e698d Author: Volker Lendecke Date: Sun Jan 24 18:50:31 2010 +0100 s3: add libnetapi_set_use_ccache() commit 340277382518c62e23faae4af69a9c5c32b96af2 Author: Volker Lendecke Date: Sun Jan 24 18:51:58 2010 +0100 s3: Fix a bug in net's use of popt In order to add --use-ccache to net, I added another "bool opt_ccache;" to struct net_context. popt did not like this, it took a while to figure out why. Popt has the lines /* XXX Check alignment, may fail on funky platforms. */ if (arg == NULL || (((unsigned long)arg) & (sizeof(*arg)-1))) return POPT_ERROR_NULLARG; The "bool opt_ccache;" was not aligned anymore... commit 2aca69ef0df02e655125d9db31e1f0144d21a144 Author: Volker Lendecke Date: Sun Jan 24 17:35:04 2010 +0100 s3: Enable -C in rpcclient commit 36854ea0aa260dfe23f77825e942f5b3905d396d Author: Volker Lendecke Date: Sun Jan 24 17:34:13 2010 +0100 s3: Add CLI_FULL_CONNECTION_USE_CCACHE commit 5e91f9eb10404a1df470fd87fc8c1cae5ea7b70c Author: Volker Lendecke Date: Sun Jan 24 17:08:56 2010 +0100 s3: Use -C in smbclient $ bin/wbinfo --ccache-save=w2k3ad\\vl%Password saving creds succeeded $ bin/smbclient //192.168.42.160/tmp -Uvl -N -C -W w2k3ad OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2] smb: \> $ bin/wbinfo --ccache-save=w2k3ad\\vl%WrongPassword saving creds succeeded $ bin/smbclient //192.168.42.160/tmp -Uvl -N -C -W w2k3ad Anonymous login successful Domain=[W2K3AD] OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2] tree connect failed: NT_STATUS_ACCESS_DENIED $ commit 58ebc50663a299e16684aa24cfae95954d5a14f0 Author: Volker Lendecke Date: Sun Jan 24 17:07:24 2010 +0100 s3: Add -C (--use-ccache) to popt_common_credentials commit e06abe412f78b58f36998037637d1b3478fdc477 Author: Volker Lendecke Date: Sun 
Jan 24 16:50:46 2010 +0100 s3: Add ccache use to cli_session_setup_ntlmssp commit 8e96e1f49867d1260aa291b688fbb58e01ef2009 Author: Volker Lendecke Date: Sun Jan 24 16:47:24 2010 +0100 s3: Add NTLMSSP_FEATURE_CCACHE Uses the winbind ccache to do authentication if asked to do so commit 7ab798d141bf715808fa0941f19422069e65fa0e Author: Volker Lendecke Date: Sun Jan 24 16:44:15 2010 +0100 libwbclient: Actually implement wbcCredentialCache() commit 99f6f322ae5aa13596c5b0f1a6e600b6fec48896 Author: Volker Lendecke Date: Sun Jan 24 16:41:30 2010 +0100 s3: Add the session key to the ccache_ntlm_auth response commit 1ae7b074113497342f0b85223df270bdee0b07a0 Author: Volker Lendecke Date: Sat Jan 9 20:20:36 2010 +0100 s3: Add wbinfo --ccache-save
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a0c31ec... mount.cifs: don't allow it to be run as setuid root program via a065c17... mount.cifs: check for invalid characters in device name and mountpoint via 3ae5dac... mount.cifs: take extra care that mountpoint isn't changed during mount from 7148eff... s4-smbtorture: also test smbc_getOptionUseCCache http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5 Author: Jeff Layton Date: Tue Jan 26 08:15:41 2010 -0500 mount.cifs: don't allow it to be run as setuid root program mount.cifs has been the subject of several "security" fire drills due to distributions installing it as a setuid root program. This program has not been properly audited for security and the Samba team highly recommends that it not be installed as a setuid root program at this time. To make that abundantly clear, this patch forcibly disables the ability for mount.cifs to run as a setuid root program. People are welcome to trivially patch this out, but they do so at their own peril. A security audit and redesign of this program is in progress and we hope that we'll be able to remove this in the near future. Signed-off-by: Jeff Layton commit a065c177dfc8f968775593ba00dffafeebb2e054 Author: Jeff Layton Date: Tue Jan 26 08:15:41 2010 -0500 mount.cifs: check for invalid characters in device name and mountpoint It's apparently possible to corrupt the mtab if you pass embedded newlines to addmntent. Apparently tabs are also a problem with certain earlier glibc versions. Backslashes are also a minor issue apparently, but we can't reasonably filter those. Make sure that neither the devname or mountpoint contain any problematic characters before allowing the mount to proceed. 
Signed-off-by: Jeff Layton commit 3ae5dac462c4ed0fb2cd94553583c56fce2f9d80 Author: Jeff Layton Date: Tue Jan 26 08:15:41 2010 -0500 mount.cifs: take extra care that mountpoint isn't changed during mount It's possible to trick mount.cifs into mounting onto the wrong directory by replacing the mountpoint with a symlink to a directory. mount.cifs attempts to check the validity of the mountpoint, but there's still a possible race between those checks and the mount(2) syscall. To guard against this, chdir to the mountpoint very early, and only deal with it as "." from then on out. Signed-off-by: Jeff Layton --- Summary of changes: client/mount.cifs.c | 107 ++ 1 files changed, 98 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/client/mount.cifs.c b/client/mount.cifs.c index 459a9f3..9044184 100644 --- a/client/mount.cifs.c +++ b/client/mount.cifs.c @@ -43,7 +43,7 @@ #include "mount.h" #define MOUNT_CIFS_VERSION_MAJOR "1" -#define MOUNT_CIFS_VERSION_MINOR "13" +#define MOUNT_CIFS_VERSION_MINOR "14" #ifndef MOUNT_CIFS_VENDOR_SUFFIX #ifdef _SAMBA_BUILD_ @@ -87,6 +87,17 @@ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN /* + * mount.cifs has been the subject of many "security" bugs that have arisen + * because of users and distributions installing it as a setuid root program. + * mount.cifs has not been audited for security. Thus, we strongly recommend + * that it not be installed setuid root. To make that abundantly clear, + * mount.cifs now check whether it's running setuid root and exit with an + * error if it is. If you wish to disable this check, then set the following + * #define to 1, but please realize that you do so at your own peril. + */ +#define CIFS_DISABLE_SETUID_CHECK 0 + +/* * By default, mount.cifs follows the conventions set forth by /bin/mount * for user mounts. That is, it requires that the mount be listed in * /etc/fstab with the "user" option when run as an unprivileged user and 
@@ -178,7 +189,7 @@ check_mountpoint(const char *progname, char *mountpoint) struct stat statbuf; /* does mountpoint exist and is it a directory? */ - err = stat(mountpoint, &statbuf); + err = stat(".", &statbuf); if (err) { fprintf(stderr, "%s: failed to stat %s: %s\n", progname, mountpoint, strerror(errno)); @@ -212,6 +223,29 @@ check_mountpoint(const char *progname, char *mountpoint) return 0; } +#if CIFS_DISABLE_SETUID_CHECK +static int +check_setuid(void) +{ + return 0; +} +#else /* CIFS_DISABLE_SETUID_CHECK */ +static int +check_setuid(void) +{ + if (getuid() && !geteuid()) { + printf("This mount.cifs program has been built with the " + "ability to run as a setuid root program disabled.\n" +
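Review bot: In the first hunk, `stat(".", &statbuf)` makes check_mountpoint() validate the current working directory while the `mountpoint` argument is still what the error message prints, so the function is only correct if the caller has already changed into the mountpoint; that call is not visible in this hunk. State the precondition at the top of the function, e.g. `/* caller must chdir() to the mountpoint first; "." is checked so that swapping the path for a symlink afterwards cannot change the directory being validated */`. Every later use of the directory has to keep referring to "." for the check to hold. The function starts and ends outside the hunk.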
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 08fa573... s3: Enable use of ccache by default for libsmbclient from 1e2e92f... Correct fix for unused variable return from ndr_decode. Use it :-). Jeremy. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 08fa57335a2e1ac44764330c0d95aaf099aa0c15 Author: Volker Lendecke Date: Tue Jan 26 10:51:32 2010 +0100 s3: Enable use of ccache by default for libsmbclient Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, which has the advantage over an smb.conf option to be easily settable per application. --- Summary of changes: source3/libsmb/libsmb_context.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index 2e56911..c44d92c 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -173,6 +173,9 @@ smbc_new_context(void)
 smbc_setOptionBrowseMaxLmbCount(context, 3);/* # LMBs to query */
 smbc_setOptionUrlEncodeReaddirEntries(context, False);
 smbc_setOptionOneSharePerServer(context, False);
+ if (getenv("LIBSMBCLIENT_NO_CCACHE") == NULL) {
+ smbc_setOptionUseCCache(context, true);
+ }
 smbc_setFunctionAuthData(context, SMBC_get_auth_data);
 smbc_setFunctionCheckServer(context, SMBC_check_server);
-- Samba Shared Repository
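Review bot: With the added `if (getenv("LIBSMBCLIENT_NO_CCACHE") == NULL)` block, every context returned by smbc_new_context() has the credential-cache option switched on unless the process environment opts out, so applications that never asked for it begin using the user's Winbind-cached logon credentials; to which servers, and in what order relative to explicitly supplied credentials, is decided outside this hunk. The test is presence-only, so `LIBSMBCLIENT_NO_CCACHE=0` or an empty value also disables the feature, and it is evaluated once per context. A comment above the block should record that, e.g. `/* ccache auth is on by default; any value of LIBSMBCLIENT_NO_CCACHE, even empty, turns it off, and callers may override with smbc_setOptionUseCCache() */`. The function body continues outside the hunk.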