[Samba] Need connection log

2010-03-08 Thread Stéphane PURNELLE
Hi all,

I need to have a connection log.
A file which will contain all connection information: user/date/IP and a 
status FAIL or OK.

What is the better way: utmp/wtmp or VFS object audit on the IPC$ share?

I would like to log ALL connections.

thanks for your help

Stephane

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Using Samba NTLM authentication

2010-03-08 Thread Arkady

Hi,
I apologize for bothering you, but I don't really understand what I 
should do when my proxy gets this one:


*:* C  --> S   GET ...
               Authorization: NTLM <base64-encoded type-1-message>

How should I call ntlm_auth? And what then? I am just a novice in this 
area, so I am a little confused  :-[ ...


Thanks in advance ,Arkady


   NTLM Handshake

When a client needs to authenticate itself to a proxy or server using 
the NTLM scheme then the following 4-way handshake takes place (only 
parts of the request and status line and the relevant headers are shown 
here; C is the client, S the server):


   1: C  --> S   GET ...

   2: C <--  S   401 Unauthorized
                 WWW-Authenticate: NTLM

   *3:* C  --> S   GET ...
                 Authorization: NTLM <base64-encoded type-1-message>

   4: C <--  S   401 Unauthorized
                 WWW-Authenticate: NTLM <base64-encoded type-2-message>

   5: C  --> S   GET ...
                 Authorization: NTLM <base64-encoded type-3-message>

   6: C <--  S   200 Ok




Bjoern Meier wrote:

2010/3/7, Arkady arka...@pineapp.com:
  

Hi, guys.
I am implementing an HTTP proxy running in a Linux environment, and my proxy has
to support NTLM authentication.
My proxy is written in C++.

I want to use the Samba API, but I don't know how and what API can be used
exactly.
I would very much appreciate it if you could advise me with some example code
and any advice which can help me in my task.

Thanks in advance, Arkady



hi,

I don't think there is a need to use an API. We use Squid3 with NTLM
authentication over an external tool which samba provides.

Just a hint: man ntlm_auth

Greetings,
Björn


[Samba] Error 49152

2010-03-08 Thread Joerg Thuemmler
Hi,

connecting to an XP box and trying to read the printer queue I get an smb_err:
49152. Printing to this share works without errors, accessing another
(disk) share with the same user too. Only the queue and cancel commands are
erroneous.

Could there be some windows rights problems? Firewalls were disabled
for the tests and the user has a pw.

What gives me some headaches is that the user in the windows security
event log is named as guest although I even tested to re-login with
logon user but this doesn't change anything. Could there be a registry
entry or anything else redirecting all smb access to guest?

any help is thankfully accepted

cu jth



Re: [Samba] Using Samba NTLM authentication

2010-03-08 Thread Bjoern Meier
2010/3/8 Arkady arka...@pineapp.com:
> Hi,
> I apologize for bothering you, but I don't really understand what I should do
> when my proxy gets this one:
>
> : C  --> S   GET ...
>              Authorization: NTLM <base64-encoded type-1-message>
>
> How should I call ntlm_auth? And what then? I am just a novice in this area,
> so I am a little confused  :-[ ...
>
> Thanks in advance, Arkady
>
> NTLM Handshake
>
> When a client needs to authenticate itself to a proxy or server using the
> NTLM scheme then the following 4-way handshake takes place (only parts of
> the request and status line and the relevant headers are shown here; C is
> the client, S the server):
>
> 1: C  --> S   GET ...
>
> 2: C <--  S   401 Unauthorized
>               WWW-Authenticate: NTLM
>
> 3: C  --> S   GET ...
>               Authorization: NTLM <base64-encoded type-1-message>
>
> 4: C <--  S   401 Unauthorized
>               WWW-Authenticate: NTLM <base64-encoded type-2-message>
>
> 5: C  --> S   GET ...
>               Authorization: NTLM <base64-encoded type-3-message>
>
> 6: C <--  S   200 Ok

hi,

you need to specify the helper protocol.
http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html

man ntlm_auth provides all the info you need.

Greetings,
Björn
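
One way to drive the handshake above through ntlm_auth's squid-2.5-ntlmssp helper protocol, as an added example that is not code from this thread or from Samba. It assumes the helper's line-based YR/KK requests and TT/AF/NA/BH replies; `handle_authorization`, `SubprocessHelper` and `FakeHelper` are hypothetical names, and `FakeHelper` with its tokens is a constructed stand-in so the flow runs without a domain.

```python
import base64
import binascii
import subprocess

NTLMSSP_SIG = b"NTLMSSP\x00"


def challenge():
    # Step 2 of the handshake. A forwarding proxy would normally answer
    # 407 with Proxy-Authenticate instead of 401 with WWW-Authenticate.
    return (401, {"WWW-Authenticate": "NTLM"}, None)


def ntlm_message_type(b64_token):
    """Return the NTLM message type (1, 2 or 3), or None if malformed."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except (binascii.Error, ValueError):
        # validate=True also rejects CR/LF and spaces, so a crafted header
        # cannot smuggle extra request lines into the helper's stdin.
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    return int.from_bytes(raw[8:12], "little")


class SubprocessHelper:
    """One ntlm_auth process. The helper keeps the challenge it issued, so
    the same process must see both the type-1 and the type-3 message of a
    client connection."""

    def __init__(self, argv=("ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp")):
        self.proc = subprocess.Popen(list(argv), stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def exchange(self, line):
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().rstrip("\n")


def constructed_message(msg_type):
    """Constructed token: signature + type field + zero padding only."""
    body = NTLMSSP_SIG + msg_type.to_bytes(4, "little") + bytes(8)
    return base64.b64encode(body).decode()


class FakeHelper:
    """Constructed stand-in that answers like the helper protocol does."""

    def __init__(self):
        self.lines = []

    def exchange(self, line):
        self.lines.append(line)
        if line.startswith("YR "):
            return "TT " + constructed_message(2)
        if line.startswith("KK "):
            return "AF EXAMPLE\\alice"
        return "BH unexpected request"


def handle_authorization(header_value, helper):
    """Map one Authorization header value to (status, headers, username)."""
    if not header_value:
        return challenge()                      # steps 1 -> 2
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return challenge()
    msg_type = ntlm_message_type(token)
    if msg_type == 1:
        verb = "YR"                             # step 3: ask for a challenge
    elif msg_type == 3:
        verb = "KK"                             # step 5: verify the response
    else:
        return challenge()
    code, _, rest = helper.exchange(f"{verb} {token}").partition(" ")
    if verb == "YR" and code == "TT":
        return (401, {"WWW-Authenticate": "NTLM " + rest}, None)   # step 4
    if verb == "KK" and code == "AF":
        return (200, {}, rest)                  # step 6, rest is the user
    return challenge()                          # NA (denied) or BH (helper error)


def run_demo():
    helper = FakeHelper()
    return [
        handle_authorization(None, helper),
        handle_authorization("NTLM " + constructed_message(1), helper),
        handle_authorization("NTLM " + constructed_message(3), helper),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

With a real helper, pass `SubprocessHelper()` in place of `FakeHelper()` and keep that process tied to the client connection until the type-3 message has been answered.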


[Samba] nss_winbind.so delivers first group only on Solaris 10

2010-03-08 Thread Preller, Markus
Hello,


I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD 
running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running 
including winbind in nsswitch.conf
for users and groups and PAM for authentication.

The problem is that winbind only reports the primary group of an AD user. 
'wbinfo -r aduser' only reports  the GID of 
the primary group the user is in. When I do a 'su aduser' and then 'id -a' I 
also get just the primary group information.
But the user is a member of several AD groups. 

I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine 
with 3.0.37 and 3.2.15.

Can anybody help ?

My setup:
Solaris 10 10/09  X86 - latest patches installed.
 
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler 
from SunStudio 12 
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I 
tried to compile
samba 3.4.6 with the following configure options / ENV variables set:

$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads 
--with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap 
--with-shared-modules=idmap_ad --disable-cups 

CC=cc
LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib 
-R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include 
-I/usr/include

The build was successful but joining the domain failed with various errors. I 
kicked the Sun c-compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I built samba 3.4.6 again and all seemed to be 
fine now. Except for the fact that I get no secondary group
information from AD.

My smb.conf:

[global]
workgroup = XX
realm = XX.YY.ZZ
security = ADS
map to guest = Bad User
lanman auth = Yes
client NTLMv2 auth = Yes
kerberos method = system keytab
log level = 3
log file = /var/samba/log/%m
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
load printers = No
domain master = No
wins server = wins04.xx.yy.zz
idmap uid = 600-10
idmap gid = 600-10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config XX : range = 1-19000
idmap config XX : backend = ad



Re: [Samba] samba file locking

2010-03-08 Thread Janez Kosmrlj
On Mon, Mar 1, 2010 at 4:03 PM, Janez Kosmrlj postnali...@googlemail.com wrote:



 On Mon, Feb 22, 2010 at 10:18 AM, Janez Kosmrlj 
 postnali...@googlemail.com wrote:



 On Sun, Feb 21, 2010 at 8:46 PM, Janez Kosmrlj 
 postnali...@googlemail.com wrote:



 On Fri, Feb 19, 2010 at 9:23 PM, Ernesto Silva erniesi...@gmail.com wrote:

 Can you try to mount with -o directio? Not sure this will
 help, but it might be worth a try.

 Volker


 Hi, there is also another parameter similar to directio, I don't know
 the difference but seems more radical, it's forcedirectio. I have been
 using it on linux clients which mounts a samba share or a w2k share.

 Best regards,
 Ernesto.



 I think we tried -o, but I will check it again. I will also give
 forcedirectio a try.

 Any other ideas?

 It looks like forcedirectio is the right way to go. I tried it with the
 text file tests that I mentioned before, and for now it looks OK. All I have
 to do now is to test it with real life jar files and java.

 I will report to this list as soon as I get any results.


 Hi,
 Unfortunately forcedirectio is not the solution I hoped it would be. When I
 perform the above mentioned text file test everything looks OK, but when we
 try to work with real life .jar files then we get mmap failed for CEN and
 END part of zip file from the Java application.

 Is there someone with a better solution? Thanks anyway to Ernesto and Volker
 for the help.

update.

For now it looks like fakeoplocks=yes in smb.conf is the solution. Also the
audit service on the client has to be turned off. We have to do some further
testing, but this looks like it is it for now.


Re: [Samba] samba file locking

2010-03-08 Thread Volker Lendecke
On Mon, Mar 08, 2010 at 01:42:16PM +0100, Janez Kosmrlj wrote:
> update.
>
> For now it looks like fakeoplocks=yes in smb.conf is the solution. Also the
> audit service on the client has to be turned off. We have to do some further
> testing, but this looks like it is it for now.

NEVER use fake oplocks.

Volker



Re: [Samba] Not another SAMBA through a firewall post

2010-03-08 Thread Brother Railgun of Reason
On Fri, Mar 05, 2010 at 08:44:00PM -0800, randa...@bioinfo.wsu.edu wrote:
> Kevin,
>
> Thanks for the response. I was kind of thinking along the same lines 
> as what you described.  I disabled the second NIC and every samba 
> started working through the firewall.  I even wrote a simple perl 
> socket server and made the same observations as I did with Samba.
>
> Thanks,
>
> Randall Svancara

It's always been a pretty good rule of thumb that you should not have 
two active interfaces on the same subnet in the same machine unless 
either they're bonded together on a single IP, or one is a listen-only 
monitoring interface.  It will almost invariably cause problems.  Even a 
machine dual-homed on two different but connected subnets will sometimes 
create issues.



-- 
  Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
 Renaissance Man, Unix ronin, Perl hacker, Free Stater
 It's not the years, it's the mileage.


Re: [Samba] nss_winbind.so delivers first group only on Solaris 10

2010-03-08 Thread Preller, Markus
Hello,


sometimes it's so easy ...

Having a look at the GIDs in their numeric form I saw that using the following 
line in smb.conf

---
idmap config XX : range = 1-19000
---

excluded all my groups I'm interested in. So I changed my smb.conf to

---
idmap config XX : range = 1000-19000
---

and I feel fine.

best regards,
Markus


-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Preller, Markus
Sent: Monday, 8 March 2010 12:54
To: samba@lists.samba.org
Subject: [Samba] nss_winbind.so delivers first group only on Solaris 10

Hello,


I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD 
running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running 
including winbind in nsswitch.conf
for users and groups and PAM for authentication.

The problem is that winbind only reports the primary group of an AD user. 
'wbinfo -r aduser' only reports  the GID of 
the primary group the user is in. When I do a 'su aduser' and then 'id -a' I 
also get just the primary group information.
But the user is a member of several AD groups. 

I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine 
with 3.0.37 and 3.2.15.

Can anybody help ?

My setup:
Solaris 10 10/09  X86 - latest patches installed.
 
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler 
from SunStudio 12 
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I 
tried to compile
samba 3.4.6 with the following configure options / ENV variables set:

$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads 
--with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap 
--with-shared-modules=idmap_ad --disable-cups 

CC=cc
LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib 
-R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include 
-I/usr/include

The build was successful but joining the domain failed with various errors. I 
kicked the Sun c-compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I built samba 3.4.6 again and all seemed to be 
fine now. Except for the fact that I get no secondary group
information from AD.

My smb.conf:

[global]
workgroup = XX
realm = XX.YY.ZZ
security = ADS
map to guest = Bad User
lanman auth = Yes
client NTLMv2 auth = Yes
kerberos method = system keytab
log level = 3
log file = /var/samba/log/%m
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
load printers = No
domain master = No
wins server = wins04.xx.yy.zz
idmap uid = 600-10
idmap gid = 600-10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config XX : range = 1-19000
idmap config XX : backend = ad



[Samba] Setting up LDAP Authentification - Tree design/search scope

2010-03-08 Thread Götz Reinicke - IT-Koordinator
Hi,

recently I started to evaluate and think about setting up a central LDAP
system for authentication and phonebook. I'm also new to LDAP.

There is a lot of documentation and well documented how-tos, and I came across the
following question:

Where is the search scope for samba defined? Or is the LDAP server's
setting defining the scope?

All docs talk about putting all people under one branch, e.g.

ou=People,dc=example,dc=com for the samba setting I'd have

ldap user suffix = ou=People

But with this setting I don't see how I may restrict the search for the
phonebook lookup. (e.g. I do have students, employees and other.
Students may look up students and employees, but not the other group.)

For me it would make more sense to subgroup the people like this:

ou=students,ou=People,dc=example,dc=com
ou=employees,ou=People,dc=example,dc=com
ou=other,ou=People,dc=example,dc=com

Maybe I'm mistaken.

Thanks for any comment and best regards!

Götz
-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
State Councillor for Demographic Change and for Senior Citizens in the State Ministry

Managing Director:
Prof. Thomas Schadt


Re: [Samba] Not another SAMBA through a firewall post

2010-03-08 Thread randalls
Thanks, I will look into the bonding approach. 

Randall Svancara
Systems Administrator/DBA/Developer
Main Bioinformatics Laboratory



- Original Message -
From: Brother Railgun of Reason ala...@caerllewys.net
To: randa...@bioinfo.wsu.edu
Cc: Kevin Keane subscript...@kkeane.com, samba@lists.samba.org
Sent: Monday, March 8, 2010 4:49:02 AM
Subject: Re: [Samba] Not another SAMBA through a firewall post

On Fri, Mar 05, 2010 at 08:44:00PM -0800, randa...@bioinfo.wsu.edu wrote:
> Kevin,
>
> Thanks for the response. I was kind of thinking along the same lines 
> as what you described.  I disabled the second NIC and every samba 
> started working through the firewall.  I even wrote a simple perl 
> socket server and made the same observations as I did with Samba.
>
> Thanks,
>
> Randall Svancara

It's always been a pretty good rule of thumb that you should not have 
two active interfaces on the same subnet in the same machine unless 
either they're bonded together on a single IP, or one is a listen-only 
monitoring interface.  It will almost invariably cause problems.  Even a 
machine dual-homed on two different but connected subnets will sometimes 
create issues.



-- 
  Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
 Renaissance Man, Unix ronin, Perl hacker, Free Stater
 It's not the years, it's the mileage.


[Samba] Upgrading our domain to Windows 2008 AD DS

2010-03-08 Thread Vaudo, David
Hi,

This is my first post.  Please let me know if I do something that doesn't 
conform to the rules.

We are in the process of upgrading our Active Directory to Windows 2008.  We 
have many systems running Samba.  I've been reading posts all morning about 
problems joining boxes running Samba to a Windows 2008 domain, but what if they 
are already joined?  Will I be looking at authentication failures once the 
first domain controller is promoted?  Do I really have to upgrade Samba to 
3.2.1?

Thanks
David




[Samba] Win7: Older user accounts works (fwd)

2010-03-08 Thread Jori Mantysalo

I have still no idea about what to do with problem described below.

I have confirmed this with another Fedora 12 installation. It was new 
clean system and I only yum-installed samba and set up remote password 
server.


Is there any easy way to see from the Windows side what information the system 
gets from a user account? Some kind of full-dump or query-all utility, 
something a little easier than tcpdumping whole net traffic.


--
Jori Mäntysalo

-- Forwarded message --
Subject: Win7: Older user accounts works

I got very strange behavior:

Server A has local passwords (made with smbpasswd -a) and it also uses passwords 
from another server:


security = server
password server = b.domain.example
passdb backend = tdbsam

With OLDER user accounts everything works. With WIN-XP everything works. With 
CMD-PROMPT everything works. With LOCAL PASSWORDS everything works. With 
PERMISSIONS TO GROUP everything works.


I can map home directory to drive letter (say, O:). When I doubleclick it, it 
says access denied, if I use newer user account, use Win7, use passwords from 
remote server, and home directory has permissions only for user. At same time I 
can open cmd-prompt and say dir o: and it works.


If permissions are like this

drwx------ 8 majahu majahu 4096 2010-02-18 13:06 /home/majahu

I got access denied, but it works if they are

drwxrwx--- 8 majahu majahu 4096 2010-02-18 13:06 /home/majahu

So what is going on? There is exact combination of 5 things that makes this bug 
visible.


There must be something wrong with newer user accounts. I have confirmed 3 
working account and 3 not working; it might be that older accounts have been 
made with older smbpasswd-file and later converted to .tdb. I have tdbdumped 
passwords.tdb, but have no idea what to look for.


--
Jori Mäntysalo


[Samba] error today

2010-03-08 Thread Mike Eggleston
Morning,

I have a user that keeps getting a temporary profile. The user is
logging into the machine so the authentication through samba to ldap
is working. The only item that looks odd to me in the machine log
(/var/log/samba/$MACHINE.log) is 'Re-using invalid record'. I've had the
user boot the machine and I've restarted samba (# service smb restart)
and the user is still getting the same temporary profile.

The user was able to log in to this machine without error on Friday
before the weekend.

Any ideas what to check next?

Mike

samba 3.3.3
samba machine is fedora core 5
client machine is vista, fully patched


Re: [Samba] error today

2010-03-08 Thread John Drescher
On Mon, Mar 8, 2010 at 9:57 AM, Mike Eggleston mikee...@mac.com wrote:
> Morning,
>
> I have a user that keeps getting a temporary profile. The user is
> logging into the machine so the authentication through samba to ldap
> is working. The only item that looks odd to me in the machine log
> (/var/log/samba/$MACHINE.log) is 'Re-using invalid record'. I've had the
> user boot the machine and I've restarted samba (# service smb restart)
> and the user is still getting the same temporary profile.
>
> The user was able to log in to this machine without error on Friday
> before the weekend.
>
> Any ideas what to check next?


Look at the windows machine event viewer.

John


Re: [Samba] print jobs 4GB

2010-03-08 Thread Oncaphillis

thanks for the fast reply

I've stumbled over a problem with large print jobs coming from windows vista
clients. Jobs above 4GB fail to be printed. The file in the spool
directory grows to
a size a little above 4GB and then printing is aborted. Transfer via
smbclient -c print
works fine and printing from the same windows client to a windows server
also succeeds,
so it seems both server and client basically can handle jobs above 4GB.

Is this a known issue ?
 

No. Although you should try 3.4.6 to see if this changes
anything (64-bit print fixes are in there).

   

I've tried 3.4.6 to no avail, but found out that the bug is more subtle.
It fails if the windows client is 64bit and works fine if it is 32bit.
If the client is 32bit even an old samba 3.0.25c seems to work fine.

Is there a fix ?
 

Can you get a log with the client writing around the 4gb mark ?
I'd be interested to see what error messages the server is
generating when it fails.

  

which debug level would be fine ?

Raise a bug in bugzilla.samba.org and add the traces
there.

Thanks,

Jeremy.
   




Re: [Samba] Why isn't Samba honouring UNIX permissions? [NOT PROTECTIVELY MARKED]

2010-03-08 Thread Nigel.Pain
Classification: NOT PROTECTIVELY MARKED

I recompiled and it now appears to be working. The things that were
different in the compile were:

The previous compile was done with ADS, Kerberos and LDAP whereas I
didn't add any switches this time (not using ADS security).
The person who compiled it last time did so as root. I'm not clear that
this would make a difference but then I'm a complete novice when it
comes to compiling software. I've previously just installed packages
from the SunFreeWare site.

Any thoughts?


Nigel Pain





Re: [Samba] Setting up LDAP Authentification - Tree design/search scope

2010-03-08 Thread Gaiseric Vandal

smb.conf will list where samba searches in ldap.

e.g.

ldap suffix=o=abc.com
ldap user suffix=ou=employees,ou=people
ldap group suffix = ou=groups
ldap machine suffix=ou=machines,ou=people


I think the main challenge will be configuring access control lists.   
If you have a server you only want accessed by employees, you would set 
the ldap user suffix parameter in smb.conf appropriately.



But in terms of an address book, if someone has an LDAP address book 
client (e.g. thunderbird) you can't prevent them from trying to 
recursively query ou=people,) vs ou=students. You can advise 
end users whether they should set up two LDAP address books (students 
vs employees) rather than one top level people one. From the end 
user perspective, a single LDAP directory will probably be simpler.



So you would need to set ACLs to restrict access to ou=other OR to 
restrict access to ou=people and then grant it back to ou=employees 
and ou=students.  You also want to make sure that certain fields 
(passwd) are restricted so that only administrator accounts can access 
them.  You can also configure whether anonymous users can access certain 
information or not (e.g. names and phone numbers.)


I use Sun's directory server as an LDAP backend.   I suspect most samba 
users are using OpenLDAP. I also suspect that LDAP attributes may 
not be restricted by default as much as they should be.














On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:

Hi,

recently I started to evaluate and think about setting up a central LDAP
system for authentication and phonebook. I'm also new to LDAP.

There is a lot of documentation and well documented how-tos, and I came across the
following question:

Where is the search scope for samba defined? Or is the LDAP server's
setting defining the scope?

All docs talk about putting all people under one branch, e.g.

ou=People,dc=example,dc=com for the samba setting I'd have

ldap user suffix = ou=People

But with this setting I don't see how I may restrict the search for the
phonebook lookup. (e.g. I do have students, employees and other.
Students may look up students and employees, but not the other group.)

For me it would make more sense to subgroup the people like this:

ou=students,ou=People,dc=example,dc=com
ou=employees,ou=People,dc=example,dc=com
ou=other,ou=People,dc=example,dc=com

Maybe I'm mistaken.

Thanks for any comment and best regards!

Götz
   




Re: [Samba] error today

2010-03-08 Thread Mike Eggleston
On Mon, 08 Mar 2010, John Drescher might have said:

> On Mon, Mar 8, 2010 at 9:57 AM, Mike Eggleston mikee...@mac.com wrote:
> > Morning,
> >
> > I have a user that keeps getting a temporary profile. The user is
> > logging into the machine so the authentication through samba to ldap
> > is working. The only item that looks odd to me in the machine log
> > (/var/log/samba/$MACHINE.log) is 'Re-using invalid record'. I've had the
> > user boot the machine and I've restarted samba (# service smb restart)
> > and the user is still getting the same temporary profile.
> >
> > The user was able to log in to this machine without error on Friday
> > before the weekend.
> >
> > Any ideas what to check next?
> >
>
> Look at the windows machine event viewer.
>
> John

The event viewer says the box could not find a server capable of netlogon. I 
updated the network driver and the WINS server IP address was missing (I don't 
know if because of the update or if it was just missing) so I entered the WINS IP 
address (the samba server) and tried again. This box is still not finding the 
roaming profile.

I didn't see anything else in the client event viewer. In the server logs I do 
see messages of:

[2010/03/08 09:45:24,  1] smbd/session.c:session_claim(112)
  Re-using invalid record
[2010/03/08 09:45:25,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service Pointwise initially as user wxh 
(uid=11001, gid=513) (pid 6557)
[2010/03/08 09:45:25,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service tmp initially as user wxh 
(uid=11001, gid=513) (pid 6557)
[2010/03/08 09:45:43,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service profiles
[2010/03/08 09:46:00,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service netlogon
[2010/03/08 09:46:38,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for plato$
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service Pointwise
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service wxh
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service tmp
[2010/03/08 09:50:49,  1] smbd/session.c:session_claim(112)
  Re-using invalid record
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service profiles initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service netlogon initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service wxh initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:51,  1] smbd/session.c:session_claim(112)
  Re-using invalid record
[2010/03/08 09:50:51,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service Pointwise initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:51,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service tmp initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:51:11,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service profiles
[2010/03/08 09:51:28,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service netlogon
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service Pointwise
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service wxh
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service tmp
[2010/03/08 09:52:56,  1] smbd/session.c:session_claim(112)
  Re-using invalid record

That is repeated often.

Mike
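
An added example, not part of the original message: a parser that turns level-1 smbd log lines like the ones quoted above into connection records (time, host, address, service, user, duration). The sample is a subset of those lines, kept with their mail-wrapped continuation lines; the function names are illustrative, and the sample holds only successful connects, so the FAIL status asked about in the first thread is not covered.

```python
import re
from datetime import datetime

# "[2010/03/08 09:45:25,  1] smbd/service.c:make_connection_snum()"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)")
CONNECT = re.compile(
    r"^(\S+) \((\S+)\) connect to service (.+?) initially as user (\S+)")
CLOSE = re.compile(r"^(\S+) \((\S+)\) closed connection to service (.+)$")

# Subset of the log lines from the message above, wrapping preserved.
SAMPLE_LOG = """\
[2010/03/08 09:46:38,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for plato$
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service tmp
[2010/03/08 09:50:49,  1] smbd/session.c:session_claim(112)
  Re-using invalid record
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service profiles initially as user wxh
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
  plato (:::10.1.2.200) connect to service netlogon initially as user wxh
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:51:11,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service profiles
[2010/03/08 09:51:28,  1] smbd/service.c:close_cnum(1323)
  plato (:::10.1.2.200) closed connection to service netlogon
"""


def parse_smbd_log(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "source": m.group(3),
                "msg": "",
            })
        elif entries and line.strip():
            # Continuation (including lines wrapped by the mail client).
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def connection_events(entries):
    """Emit connect/close records; a close inherits the user of its connect."""
    open_conns = {}          # (host, ip, service) -> (user, connect time)
    events = []
    for e in entries:
        m = CONNECT.match(e["msg"])
        if m:
            host, ip, service, user = m.groups()
            open_conns[(host, ip, service)] = (user, e["time"])
            events.append({"time": e["time"], "event": "connect", "host": host,
                           "ip": ip, "service": service, "user": user,
                           "duration": None})
            continue
        m = CLOSE.match(e["msg"])
        if m:
            host, ip, service = m.groups()
            # The close line carries no user; the log may also start mid-session,
            # in which case user and duration stay unknown.
            user, opened = open_conns.pop((host, ip, service), (None, None))
            duration = (e["time"] - opened).total_seconds() if opened else None
            events.append({"time": e["time"], "event": "close", "host": host,
                           "ip": ip, "service": service, "user": user,
                           "duration": duration})
    return events


if __name__ == "__main__":
    for ev in connection_events(parse_smbd_log(SAMPLE_LOG)):
        print(ev["time"], ev["event"], ev["host"], ev["ip"],
              ev["service"], ev["user"], ev["duration"])
```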


Re: [Samba] error today

2010-03-08 Thread Gaiseric Vandal

On 03/08/2010 10:37 AM, John Drescher wrote:

On Mon, Mar 8, 2010 at 9:57 AM, Mike Eggleston mikee...@mac.com wrote:
   

Morning,

I have a user that keeps getting a temporary profile. The user is
logging into the machine so the authentication through samba to ldap
is working. The only item that looks odd to me in the machine log
(/var/log/samba/$MACHINE.log) is 'Re-using invalid record'. I've had the
user boot the machine and I've restarted samba (# service smb restart)
and the user is still getting the same temporary profile.

The user was able to log in to this machine without error on Friday
before the weekend.

Any ideas what to check next?

 

Look at the windows machine event viewer.

John
   


You may want to right-click on My Computer and check out the user profile
entries.  I ran into this last week.  Typically, the johnsmith
user has a local profile also called johnsmith.  In this case the user
was linked to a small profile johnsmith.somethingelse and the original
larger johnsmith profile was marked as type backup.  I deleted
the johnsmith.somethingelse profile and on the next logon the
computer correctly mapped the profile to the user.  My guess is that
some file was not properly closed when he had last shut down so that
Windows was unable to read/write where it needed.


The PC in question was a laptop.  He may have unplugged his network 
cable before logging out and shutting down.


We are not using roaming profiles.



[Samba] Time stamps

2010-03-08 Thread Richard Hillis
I am new to SAMBA and I have what I'm not even sure is an issue. I am 
aware of the difference in time stamps between *nix and Windows. What I 
don't understand is this: I used touch to modify the time stamps of a 
large number of files on the file server from the server side to match 
the time in the file name. They were video files from my Digital Video 
Cam and the import program used the time stamp of the video as part of 
the file name when importing. It was easy to do with a little command 
line script, so I updated all the time stamps to match. However, when I 
look at the files from my Windows laptop, I noticed some of the time 
stamps are off by one hour. I double checked the times on the server and 
they are correct. I also noticed that the files that are off by an hour 
appear to fall within daylight savings time. Is this a common problem 
with SAMBA and Windows, or is there something I have configured incorrectly?

--
Richard Hillis
23 Walnut Knls
Canton, MA 02021
/phone/ 781-562-1374
/fax/ 781-562-1374


Re: [Samba] Time stamps

2010-03-08 Thread Felix Miata
On 2010/03/08 11:39 (GMT-0500) Richard Hillis composed:

 I am new to SAMBA and I have what I'm not even sure is an issue. I am 
 aware of the difference in time stamps between *nix and Windows. What I 
 don't understand is this: I used touch to modify the time stamps of a 
 large number of files on the file server from the server side to match 
 the time in the file name. They were video files from my Digital Video 
 Cam and the import program used the time stamp of the video as part of 
 the file name when importing. It was easy to do with a little command 
 line script, so I updated all the time stamps to match. However, when I 
 look at the files from my Windows laptop, I noticed some of the time 
 stamps are off by one hour. I double checked the times on the server and 
 they are correct. I also noticed that the files that are off by an hour 
 appear to fall within daylight savings time. Is this a common problem 
 with SAMBA and Windows, or is there something I have configured incorrectly?

I too wonder if this is something that needs fixing and as a practical matter
can be fixed. I use both Linux and OS/2 24/7, and Samba as both client and
server on Linux, while ancient LANMAN on OS/2. After each switch to/from DST,
Linux and OS/2 timestamps get out of sync by one hour, until I reboot OS/2,
which brings sync back.
-- 
Our Constitution was made only for a moral and religious
people. It is wholly inadequate to the government of any
other.  John Adams, 2nd US President

 Team OS/2 ** Reg. Linux User #211409

Felix Miata  ***  http://fm.no-ip.com/


Re: [Samba] smbget returns wrong exit code

2010-03-08 Thread Jason Schaefer
 found the same behavior using smbget with erroneous parameters. Maybe it
 should do so: return not the error code but the count of files it got?
 Although that would be really strange...

 cu jth

No, it's just that the exit status is reversed from the standard.
Successful completion should return 0 and unsuccessful should return
1. I see it as a bug. Exit status only has values of 0-255. So file
count is out :-)


Re: [Samba] Setting up LDAP Authentification - Tree design/search scope

2010-03-08 Thread Brother Railgun of Reason
On Mon, Mar 08, 2010 at 11:04:42AM -0500, Gaiseric Vandal wrote:
 But in terms of an address book, if someone has an LDAP address book 
 client (e.g. thunderbird) you can't prevent them from trying to 
 recursively query ou=people,) vs ou=students.  You can advise 
 end users whether they should set up two LDAP address books (students 
 vs employees) rather than one top level people one.  From the end 
 user perspective, a single LDAP directory will probably be simpler.
 
 
 So you would need to set ACL's to restrict access to ou=other OR to 
 restrict access to ou=people and then grant it back to ou=employees 
 and ou=students.  You also want to make sure that certain fields 
 (passwd) are restricted so that only administrator accounts can access 
 them.  You can also configure whether anonymous users can access certain 
 information or not (e.g. names and phone numbers.)
 
 I use Sun's directory server as an LDAP backend.   I suspect most samba 
 users are using OpenLDAP. I also suspect that LDAP attributes may 
 not be restricted by default as much as they should be.


I've never gotten around to actually setting up LDAP anywhere, though 
I've looked at it several times.  Each time I do, I come away from it 
feeling that LDAP suffers badly from "The wonderful thing about 
standards is that there's so many to choose from."  It seems it's so 
open-ended, and there are so many possible ways to set up a directory, 
that it becomes difficult to find any two LDAP-aware applications that 
actually use (and expect to see) the same LDAP schema.

How does one overcome this?


-- 
  Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
 Renaissance Man, Unix ronin, Perl hacker, Free Stater
 It's not the years, it's the mileage.


Re: [Samba] Time stamps

2010-03-08 Thread Gary Wardell
Hi,

My guess is that it's your setup.

I just checked some files on my systems (openSUSE 11.1, SAMBA 3.2.7; and
Windows 2000 with Active Directory) and the dates and times match.

Check that all systems are using the same time source and that all systems
are set to the same time offset (time zone) and that the windows system has
had any needed time zone patches applied (there were some issued for
Windows 2000 and XP, not sure about Vista and 7; the Windows 2000 one had
to be manually applied, although I found a third party utility online that
would do the trick.)  The time offset/zone setting is important, not just
the time displayed on the clock, as time calculations are based on the
offset.

Gary


 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org]on Behalf Of Felix Miata
 Sent: Monday, March 08, 2010 11:46 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Time stamps


 On 2010/03/08 11:39 (GMT-0500) Richard Hillis composed:

  I am new to SAMBA and I have what I'm not even sure is an issue. I am
  aware of the difference in time stamps between *nix and Windows. What I
  don't understand is this: I used touch to modify the time stamps of a
  large number of files on the file server from the server side to match
  the time in the file name. They were video files from my Digital Video
  Cam and the import program used the time stamp of the video as part of
  the file name when importing. It was easy to do with a little command
  line script, so I updated all the time stamps to match. However, when I
  look at the files from my Windows laptop, I noticed some of the time
  stamps are off by one hour. I double checked the times on the server and
  they are correct. I also noticed that the files that are off by an hour
  appear to fall within daylight savings time. Is this a common problem
  with SAMBA and Windows, or is there something I have configured incorrectly?

 I too wonder if this is something that needs fixing and as a practical matter
 can be fixed. I use both Linux and OS/2 24/7, and Samba as both client and
 server on Linux, while ancient LANMAN on OS/2. After each switch to/from DST,
 Linux and OS/2 timestamps get out of sync by one hour, until I reboot OS/2,
 which brings sync back.
 --
 Our Constitution was made only for a moral and religious
 people. It is wholly inadequate to the government of any
 other.  John Adams, 2nd US President

  Team OS/2 ** Reg. Linux User #211409

 Felix Miata  ***  http://fm.no-ip.com/
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba



Re: [Samba] error today

2010-03-08 Thread Gaiseric Vandal

On 03/08/2010 11:05 AM, Mike Eggleston wrote:

On Mon, 08 Mar 2010, John Drescher might have said:

   

On Mon, Mar 8, 2010 at 9:57 AM, Mike Eggleston mikee...@mac.com wrote:
 

Morning,

I have a user that keeps getting a temporary profile. The user is
logging into the machine so the authentication through samba to ldap
is working. The only item that looks odd to me in the machine log
(/var/log/samba/$MACHINE.log) is 'Re-using invalid record'. I've had the
user boot the machine and I've restarted samba (# service smb restart)
and the user is still getting the same temporary profile.

The user was able to log in to this machine without error on Friday
before the weekend.

Any ideas what to check next?

   

Look at the windows machine event viewer.

John
 

The event viewer says the box could not find a server capable of netlogon. I 
updated the network driver and the WINS server IP address was missing (I don't 
know if because the update or was just missing) so I entered the WINS IP 
address (the samba server) and tried again. This box is still not finding the 
roaming profile.

I didn't see anything else in the client event viewer. In the server logs I do 
see messages of:

[2010/03/08 09:45:24,  1] smbd/session.c:session_claim(112)
   Re-using invalid record
[2010/03/08 09:45:25,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service Pointwise initially as user wxh 
(uid=11001, gid=513) (pid 6557)
[2010/03/08 09:45:25,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service tmp initially as user wxh 
(uid=11001, gid=513) (pid 6557)
[2010/03/08 09:45:43,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service profiles
[2010/03/08 09:46:00,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service netlogon
[2010/03/08 09:46:38,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
   pdb_get_group_sid: Failed to find Unix account for plato$
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service Pointwise
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service wxh
[2010/03/08 09:46:46,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service tmp
[2010/03/08 09:50:49,  1] smbd/session.c:session_claim(112)
   Re-using invalid record
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service profiles initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service netlogon initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:49,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service wxh initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:51,  1] smbd/session.c:session_claim(112)
   Re-using invalid record
[2010/03/08 09:50:51,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service Pointwise initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:50:51,  1] smbd/service.c:make_connection_snum()
   plato (:::10.1.2.200) connect to service tmp initially as user wxh 
(uid=11001, gid=513) (pid 9655)
[2010/03/08 09:51:11,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service profiles
[2010/03/08 09:51:28,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service netlogon
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service Pointwise
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service wxh
[2010/03/08 09:52:15,  1] smbd/service.c:close_cnum(1323)
   plato (:::10.1.2.200) closed connection to service tmp
[2010/03/08 09:52:56,  1] smbd/session.c:session_claim(112)
   Re-using invalid record

That is repeated often.

Mike
   
Looks like the problem is somehow with the machine account (failed to 
find Unix account for plato$)


Does pdbedit plato$ show info on the machine account?  Does the user 
have same problem on other machines?  Can you remove the machine from 
the domain and rejoin?



Re: [Samba] error today

2010-03-08 Thread Mike Eggleston
On Mon, 08 Mar 2010, Gaiseric Vandal might have said:

 Looks like the problem is somehow with the machine account (failed to 
 find Unix account for plato$)
 
 Does pdbedit plato$ show info on the machine account?  Does the user 
 have same problem on other machines?  Can you remove the machine from 
 the domain and rejoin?

I guess this is moot for now. I've just been told to reload that machine
and make it a dual boot windows/ubuntu box. I'll try removing and adding
the other machine the user complained about.

Thanks for noticing the error. I hope that's all it is.

Mike


Re: [Samba] error today [SOLVED]

2010-03-08 Thread Mike Eggleston
On Mon, 08 Mar 2010, Mike Eggleston might have said:

 On Mon, 08 Mar 2010, Gaiseric Vandal might have said:
 
  Looks like the problem is somehow with the machine account (failed to 
  find Unix account for plato$)
  
  Does pdbedit plato$ show info on the machine account?  Does the user 
  have same problem on other machines?  Can you remove the machine from 
  the domain and rejoin?
 
 I guess this is moot for now. I've just been told to reload that machine
 and make it a dual boot windows/ubuntu box. I'll try removing and adding
 the other machine the user complained about.
 
 Thanks for noticing the error. I hope that's all it is.
 
 Mike

Just a follow up. The machine I originally reported is already wiped and
being rebuilt. I tried the removing and adding from/to the domain on the
other machine the user complained about and the removing/adding worked.

Thanks for everyone's help.

Mike


[Samba] Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11

2010-03-08 Thread Jeremy Allison
Security problem with Samba on Linux


In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
was added to fix a problem with Linux asynchronous IO handling.

This code introduced a severe security flaw which was undetected until
now.

We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.

The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.

Please note this security problem does not affect any platform that does
not support capabilities and platforms where binaries were built without
libcap support.

Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x
versions are NOT affected.

How did this happen ?
---------------------

Our testing procedures failed. Errors in code always happen,
and we guard against them by writing tests which we run against
the code continuously.

As Samba runs as a root process, many of our test environments
run under a build farm shim that allows people to test Samba
without granting it root privilege. Unfortunately, this means that
some of the tests cannot be run correctly. This is the "make test"
that developers run frequently.

Extra tests are run as root to detect these areas, but are
not run as often as the normal "make test" that the developers
run.

This problem affects only binaries compiled with capabilities support.
The libcap development packages need to be installed at build time for
samba to be vulnerable. Unfortunately, although most developers do have
the package, it was absent on the machines used to do pre-release
validation, causing the flawed code not to be compiled into the tested
binary.

None of our third party testers or partners discovered this
flaw before release.

How are we intending to fix this ?
----------------------------------

We will be fixing "make test" so it can be run as root for
all the developers to regularly test with elevated privilege.

In addition we will be adding extra tests to check for this
specific issue, to ensure we do not ever release with such
a regression again.

As this was such a serious flaw, we will not be doing any
further Samba 3.x releases other than the security fix
until these tests are in place.

Please accept our apologies for such a serious error, and
our assurances that we will do everything within our power
to ensure this will not happen again.



With our most sincere regrets,
The Samba Team
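
One way to check a running smbd for the condition the advisory above describes, shown as an added example that is not Samba's own test code. It parses the Uid and Cap* lines of /proc/<pid>/status and reports which capability sets still carry CAP_DAC_OVERRIDE when the effective uid is not root; the function names and the sample status text are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_DAC_OVERRIDE_BIT 1   /* value of CAP_DAC_OVERRIDE in <linux/capability.h> */
#define IN_EFFECTIVE   0x1
#define IN_PERMITTED   0x2
#define IN_INHERITABLE 0x4

/* Constructed samples of /proc/<pid>/status for an smbd serving uid 11001. */
static const char SAMPLE_FLAWED[] =
    "Name:\tsmbd\nUid:\t0\t11001\t0\t11001\nGid:\t0\t513\t0\t513\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000002\n"
    "CapEff:\t0000000000000002\n";
static const char SAMPLE_FIXED[] =
    "Name:\tsmbd\nUid:\t0\t11001\t0\t11001\nGid:\t0\t513\t0\t513\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n";

/* Return a pointer just past "key:" where key starts a line, or NULL. */
static const char *field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *p = text;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return p + klen + 1;
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Parse a hex capability mask such as "CapEff:\t0000000000000002". */
static int cap_mask(const char *text, const char *key, uint64_t *out)
{
    const char *v = field(text, key);
    char *end;

    if (v == NULL)
        return -1;
    *out = strtoull(v, &end, 16);
    return end == v ? -1 : 0;
}

/* The effective uid is the second number on the "Uid:" line. */
static int effective_uid(const char *text, unsigned long *euid)
{
    const char *v = field(text, "Uid");
    char *end;

    if (v == NULL)
        return -1;
    (void)strtoul(v, &end, 10);          /* real uid, not needed here */
    if (end == v)
        return -1;
    v = end;
    *euid = strtoul(v, &end, 10);
    return end == v ? -1 : 0;
}

/* Returns -1 on a parse error, 0 if nothing is wrong, otherwise a mask of
 * IN_* flags naming the sets in which a non-root process holds the bit. */
int dac_override_sets(const char *status_text)
{
    unsigned long euid;
    uint64_t inh, prm, eff, bit = (uint64_t)1 << CAP_DAC_OVERRIDE_BIT;
    int sets = 0;

    if (effective_uid(status_text, &euid) != 0 ||
        cap_mask(status_text, "CapInh", &inh) != 0 ||
        cap_mask(status_text, "CapPrm", &prm) != 0 ||
        cap_mask(status_text, "CapEff", &eff) != 0)
        return -1;
    if (euid == 0)
        return 0;                        /* root holding it is expected */
    if (eff & bit) sets |= IN_EFFECTIVE;
    if (prm & bit) sets |= IN_PERMITTED;
    if (inh & bit) sets |= IN_INHERITABLE;
    return sets;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    int i;

    for (i = 1; i < argc; i++) {         /* arguments are smbd pids */
        FILE *f;
        size_t n;

        snprintf(path, sizeof path, "/proc/%s/status", argv[i]);
        if ((f = fopen(path, "r")) == NULL)
            continue;
        n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("%s: %d\n", argv[i], dac_override_sets(buf));
    }
    if (argc == 1)
        printf("flawed sample: %d, fixed sample: %d\n",
               dac_override_sets(SAMPLE_FLAWED), dac_override_sets(SAMPLE_FIXED));
    return 0;
}
```

Run it with the pids of the per-connection smbd children as arguments; any non-zero result on a build with libcap support means the process can still bypass file permission checks.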


[Samba] about samba user issue

2010-03-08 Thread 严力
Hi,
Recently I downloaded Samba version 3.6.0-GIT-9ddeac1-devel, cross-compiled
it and ran it on an ARM board. When I set the share level = share,
it's OK, but when I set the share level = user, it does not work. My
smb.conf is as follows:



[global]
log file = /var/log/samba/log.%m
max log size = 50
security = user
guest ok = yes
guest account = root
load printers = yes
cups options = raw
printcap name = /etc/printcap
printing = cups

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = yes
printable = yes

[public]
comment = public
path = /data/datadisk/public
writeable = yes
printable = no
public = yes

[JyanShare]
path = /data/datadisk/JyanShare
;public = yes
valid users = jyan
printable = no
writeable = yes


The user 'jyan' is a system user, and I used pdbedit to add it as an
smbuser. But when I access the share
directory /data/datadisk/JyanShare and input the right user name and
password, it cannot be accessed. I tried many times, but it always
failed. Please help me analyse this issue; if you have a good
suggestion, please email me. Thank you very much!

james


Re: [Samba] Setting up LDAP Authentification - Tree design/search scope

2010-03-08 Thread Götz Reinicke - IT-Koordinator
Hi,

the ACLs are indeed one of the important topics. Therefore I was hoping
that samba searches sub-trees for the login and auth information.

Then I could set up LDAP ACLs so samba looks up all information in the
tree for all groups (we do have only one fileserver for all user groups
together) and other ACLs handle the access for phonebook lookups from
the mailclients.

That is what I was thinking of.

But if samba only browses one tree level and not the sub levels, then I
do have to think in another direction.

Or what do you think?


Thanks and best regards,

Götz


Gaiseric Vandal wrote:
 smb.conf will list where samba searches in ldap.
 
 e.g.
 
 ldap suffix=o=abc.com
 ldap user suffix=ou=employees,ou=people
 ldap group suffix = ou=groups
 ldap machine suffix=ou=machines,ou=people
 
 
 I think the main challenge will be configuring access control lists.  
 If you have a server you only want accessed by employees, you would set
 the ldap user suffix parameter in smb.conf appropriately.
 
 
 But in terms of an address book, if someone has an LDAP address book
 client (e.g. thunderbird) you can't prevent them from trying to
 recursively query ou=people,) vs ou=students.  You can advise
 end users whether they should set up two LDAP address books (students
 vs employees) rather than one top level people one.  From the end
 user perspective, a single LDAP directory will probably be simpler.
 
 
 So you would need to set ACL's to restrict access to ou=other OR to
 restrict access to ou=people and then grant it back to ou=employees
 and ou=students.  You also want to make sure that certain fields
 (passwd) are restricted so that only administrator accounts can access
 them.  You can also configure whether anonymous users can access certain
 information or not (e.g. names and phone numbers.)
 
 I use Sun's directory server as an LDAP backend.   I suspect most samba
 users are using OpenLDAP. I also suspect that LDAP attributes may
 not be restricted by default as much as they should be.
 
 
 
 
 On 03/08/2010 08:49 AM, Götz Reinicke - IT-Koordinator wrote:
 Hi,

 recently I started to evaluate and think about setting up a central LDAP
 system for authentication and phonebook. I'm also new to LDAP.

 There is a lot of doc and well documented how tos, and I came across the
 following question:

 Where is the search scope for samba defined? Or is the LDAP servers
 setting defining the scope?

 All docs talk about putting all people under one branch, e.g.

 ou=People,dc=example,dc=com for the samba setting I'd have

 ldap user suffix = ou=People

 But with this setting I don't see how I may restrict the search for the
 phonebook look up. (e.g. I do have students, employees and other.
 Students may look up students and employees, but not the other group.)

 For me it would make more sense to subgroup the people like this:

 ou=students,ou=People,dc=example,dc=com
 ou=employees,ou=People,dc=example,dc=com
 ou=other,ou=People,dc=example,dc=com

 May be I'm mistaken.

 Thanks for any comment and best regards!

 Götz

 


-- 
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
State Councillor for Demographic Change and for Senior Citizens in the State Ministry

Managing Director:
Prof. Thomas Schadt


[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Stefan Metzmacher
The branch, master has been updated
   via  818d518... s4-gensec: Fixed wrong usage of error_string.
  from  85598be... s4:extended_dn_out LDB module - change counter variables 
to unsigned where appropriate

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 818d51862c6234d0ffb08fcae6e8425907facde4
Author: Andreas Schneider a...@redhat.com
Date:   Wed Mar 3 15:15:03 2010 +0100

s4-gensec: Fixed wrong usage of error_string.

Signed-off-by: Stefan Metzmacher me...@samba.org

---

Summary of changes:
 source4/auth/gensec/gensec_krb5.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_krb5.c 
b/source4/auth/gensec/gensec_krb5.c
index 3d74477..e8beb4c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -489,7 +489,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security 
*gensec_security,
/* This ensures we lookup the correct entry in that keytab */
ret = principal_from_credentials(out_mem_ctx, 
gensec_get_credentials(gensec_security), 
 
gensec_krb5_state-smb_krb5_context, 
-server_in_keytab, 
error_string);
+server_in_keytab, 
error_string);
 
if (ret) {
DEBUG(2,(Failed to make credentials from principal: 
%s\n, error_string));
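
Review bot: in the principal_from_credentials() call, the removed and added lines both read "server_in_keytab, error_string);" as shown here, so the correction to how error_string is passed cannot be confirmed from this hunk, and the commit message only says "Fixed wrong usage" without naming it. State in the message what the wrong usage was, and confirm that error_string is set on every path where ret is non-zero, since the DEBUG(2, ...) that follows prints it with %s.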


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-4-test updated

2010-03-08 Thread Karolin Seeger
The branch, v3-4-test has been updated
   via  f94a377... mount.cifs: don't allow it to be run as setuid root 
program
   via  5532a5d... mount.cifs: check for invalid characters in device name 
and mountpoint
   via  c4a342c... mount.cifs: take extra care that mountpoint isn't 
changed during mount
   via  396eb03... mount.cifs: properly check for mount being in fstab when 
running setuid root (try#3)
   via  fa722e2... mount.cifs: directly include sys/stat.h in mtab.c
  from  a0254fa... Fix one of the valgrind warnings from bug #6814 - Fixes 
for problems reported by valgrind

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -
commit f94a377fb58f7b104aa633236f3391c9af6a7b12
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:45:58 2010 -0500

mount.cifs: don't allow it to be run as setuid root program

mount.cifs has been the subject of several security fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.

To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.

A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.

Signed-off-by: Jeff Layton jlay...@redhat.com

The last 5 patches address bug #6853 (mount.cifs race that allows user to
replace mountpoint with a symlink).

commit 5532a5d5cf7cec0bb758a80e9ee74b5807088661
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:45:58 2010 -0500

mount.cifs: check for invalid characters in device name and mountpoint

It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.

Make sure that neither the devname nor mountpoint contain any problematic
characters before allowing the mount to proceed.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit c4a342cec1ced80128f82758c7a2192b23f4017a
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:45:58 2010 -0500

mount.cifs: take extra care that mountpoint isn't changed during mount

It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.

To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 396eb03109400fe603c57a0a0d4bdc37c7131cf5
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:45:57 2010 -0500

mount.cifs: properly check for mount being in fstab when running setuid 
root (try#3)

This is the third attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch from the last one is that it fixes a bug where the mount might
have failed unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.

When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.

These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the user option set, etc.

This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.

Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.

Since some users may be depending on the legacy behavior, this patch
also adds the ability to build mount.cifs with the older behavior.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit fa722e20c9f5712571f9009afed8c4e44ac11cdc
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:45:53 2010 -0500

mount.cifs: 
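
The two mitigations described in the commit messages above (rejecting newlines and tabs in the device name and mountpoint, and chdir-ing into the mountpoint early so that only "." is used afterwards), as an added example that is not the mount.cifs source. The helper names and the scratch directory under /tmp are assumptions made for the illustration; the last function shows that "." keeps naming the checked directory after the path has been re-pointed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: refuse names that would break an mtab line.
 * Newline always, tab for older glibc; backslash is let through,
 * as the commit message says it cannot reasonably be filtered. */
int name_is_safe(const char *name)
{
    return name != NULL && *name != '\0' && strpbrk(name, "\n\t") == NULL;
}

/* Hypothetical helper: enter the mountpoint once, then validate "." only.
 * After this returns 0, every later check and the mount(2) call itself
 * would use "." so they all act on the same directory. */
int pin_mountpoint(const char *mountpoint, struct stat *st)
{
    if (!name_is_safe(mountpoint) || chdir(mountpoint) != 0)
        return -1;
    if (stat(".", st) != 0 || !S_ISDIR(st->st_mode))
        return -1;
    return 0;
}

static int same_dir(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Constructed demonstration in a scratch directory: pin <base>/mnt, then
 * re-point that name at another directory. Returns 1 when "." still is
 * the pinned directory while the path now resolves elsewhere, -1 on a
 * setup error. */
int pinned_dir_survives_swap(void)
{
    char base[] = "/tmp/pin-demo-XXXXXX";
    char home[PATH_MAX], mnt[PATH_MAX], moved[PATH_MAX], other[PATH_MAX];
    struct stat pinned, dot, by_name;
    int ok = -1;

    if (getcwd(home, sizeof home) == NULL || mkdtemp(base) == NULL)
        return -1;
    snprintf(mnt, sizeof mnt, "%s/mnt", base);
    snprintf(moved, sizeof moved, "%s/moved", base);
    snprintf(other, sizeof other, "%s/other", base);

    if (mkdir(mnt, 0700) == 0 && mkdir(other, 0700) == 0 &&
        pin_mountpoint(mnt, &pinned) == 0 &&
        /* the name changes after the checks have already run */
        rename(mnt, moved) == 0 && symlink(other, mnt) == 0 &&
        stat(".", &dot) == 0 && stat(mnt, &by_name) == 0)
        ok = same_dir(&dot, &pinned) && !same_dir(&by_name, &pinned);

    if (chdir(home) != 0)
        ok = -1;
    unlink(mnt);                         /* symlink, if the swap happened */
    rmdir(mnt);                          /* directory, if it did not */
    rmdir(moved);
    rmdir(other);
    rmdir(base);
    return ok;
}

int main(int argc, char **argv)
{
    struct stat st;

    if (argc == 2) {
        if (pin_mountpoint(argv[1], &st) != 0) {
            fprintf(stderr, "refusing mountpoint\n");
            return 1;
        }
        printf("pinned inode %lu; the mount target from here on is \".\"\n",
               (unsigned long)st.st_ino);
        return 0;
    }
    printf("pinned directory survives swap: %d\n", pinned_dir_survives_swap());
    return 0;
}
```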

[SCM] Samba Shared Repository - branch v3-5-test updated

2010-03-08 Thread Karolin Seeger
The branch, v3-5-test has been updated
   via  e6c856a... mount.cifs: don't allow it to be run as setuid root 
program
   via  ae24005... mount.cifs: check for invalid characters in device name 
and mountpoint
   via  a60afce... mount.cifs: take extra care that mountpoint isn't 
changed during mount
  from  cc5e6e6... s3: net_share.c: fix argc handling

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit e6c856ac84ee18a192edc3e8a6547e2e9387a1b5
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:36:11 2010 -0500

mount.cifs: don't allow it to be run as setuid root program

mount.cifs has been the subject of several security fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.

To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.

A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.

Signed-off-by: Jeff Layton jlay...@redhat.com

The last 3 patches address bug #6853 (mount.cifs race that allows user to
replace mountpoint with a symlink).

commit ae24005a5a2c165dfd9b859bf1c02b5f7e967be5
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:36:03 2010 -0500

mount.cifs: check for invalid characters in device name and mountpoint

It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.

Make sure that neither the devname nor mountpoint contain any problematic
characters before allowing the mount to proceed.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit a60afceaa71c0c9b53b2ec1014db5d09d777803d
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:35:35 2010 -0500

mount.cifs: take extra care that mountpoint isn't changed during mount

It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.

To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 client/mount.cifs.c |  107 ++
 1 files changed, 98 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/client/mount.cifs.c b/client/mount.cifs.c
index 3baaad7..0b8d5b4 100644
--- a/client/mount.cifs.c
+++ b/client/mount.cifs.c
@@ -43,7 +43,7 @@
 #include mount.h
 
 #define MOUNT_CIFS_VERSION_MAJOR 1
-#define MOUNT_CIFS_VERSION_MINOR 13
+#define MOUNT_CIFS_VERSION_MINOR 14
 
 #ifndef MOUNT_CIFS_VENDOR_SUFFIX
  #ifdef _SAMBA_BUILD_
@@ -89,6 +89,17 @@
 #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
 
 /*
+ * mount.cifs has been the subject of many security bugs that have arisen
+ * because of users and distributions installing it as a setuid root program.
+ * mount.cifs has not been audited for security. Thus, we strongly recommend
+ * that it not be installed setuid root. To make that abundantly clear,
+ * mount.cifs now check whether it's running setuid root and exit with an
+ * error if it is. If you wish to disable this check, then set the following
+ * #define to 1, but please realize that you do so at your own peril.
+ */
+#define CIFS_DISABLE_SETUID_CHECK 0
+
+/*
  * By default, mount.cifs follows the conventions set forth by /bin/mount
  * for user mounts. That is, it requires that the mount be listed in
  * /etc/fstab with the user option when run as an unprivileged user and
@@ -179,7 +190,7 @@ check_mountpoint(const char *progname, char *mountpoint)
struct stat statbuf;
 
/* does mountpoint exist and is it a directory? */
-   err = stat(mountpoint, statbuf);
+   err = stat(., statbuf);
if (err) {
fprintf(stderr, %s: failed to stat %s: %s\n, progname,
mountpoint, strerror(errno));
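Review bot: in check_mountpoint(), stat(".") is only correct if the caller has already chdir'ed into the mountpoint, and nothing in this function states or enforces that. Add a comment on the function documenting the precondition, because a later caller that skips the chdir would validate its own working directory while the error message still names `mountpoint`.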
@@ -213,6 +224,29 @@ check_mountpoint(const char *progname, char *mountpoint)
return 0;
 }
 
+#if CIFS_DISABLE_SETUID_CHECK
+static int
+check_setuid(void)
+{
+   return 0;
+}
+#else /* CIFS_DISABLE_SETUID_CHECK */
+static int
+check_setuid(void)
+{
+ 
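Review bot: the CIFS_DISABLE_SETUID_CHECK variant of check_setuid() returns 0 without any output, so a binary built with the check turned off and then installed setuid root is indistinguishable at run time from a checked one. Have that stub print a one-line warning to stderr so the override shows up in logs and bug reports. The enabled variant is cut off in this truncated changeset and is not reviewed here.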

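The two mountpoint safeguards described in the commit messages above (rejecting newlines and tabs before a name reaches the mtab, and chdir-ing into the mountpoint so that later checks use "." only), as an added C example that is not the mount.cifs code. The function names and the temporary-directory scenario are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: refuse names that would split an mtab record. */
static int check_mtab_field(const char *s)
{
    if (s == NULL)
        return -EINVAL;
    for (; *s != '\0'; s++) {
        if (*s == '\n' || *s == '\t')
            return -EINVAL;
    }
    return 0;
}

/* Hypothetical helper: chdir in once, then check "." and nothing else. */
static int enter_mountpoint(const char *mountpoint, struct stat *st)
{
    if (check_mtab_field(mountpoint) != 0)
        return -EINVAL;
    if (chdir(mountpoint) != 0)
        return -errno;
    if (stat(".", st) != 0)
        return -errno;
    return S_ISDIR(st->st_mode) ? 0 : -ENOTDIR;
}

static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/*
 * Constructed scenario in a private temp directory: enter "mnt", then
 * replace the name "mnt" with a symlink to "other". Returns 1 when "."
 * is still the directory that was checked while the path name now
 * resolves elsewhere, 0 when not, negative errno if setup fails.
 */
static int dot_survives_symlink_swap(void)
{
    char base[] = "/tmp/mntdemo.XXXXXX";
    char mnt[64], moved[64], other[64];
    struct stat entered, by_dot, by_name;
    int saved_cwd, ret;

    saved_cwd = open(".", O_RDONLY);
    if (saved_cwd < 0)
        return -errno;
    if (mkdtemp(base) == NULL) {
        ret = -errno;
        close(saved_cwd);
        return ret;
    }
    snprintf(mnt, sizeof(mnt), "%s/mnt", base);
    snprintf(moved, sizeof(moved), "%s/mnt.orig", base);
    snprintf(other, sizeof(other), "%s/other", base);

    ret = -EIO;
    if (mkdir(mnt, 0700) != 0 || mkdir(other, 0700) != 0)
        goto out;
    if (enter_mountpoint(mnt, &entered) != 0)
        goto out;
    /* The swap the commit message describes, done after the check. */
    if (rename(mnt, moved) != 0 || symlink(other, mnt) != 0)
        goto out;
    if (stat(".", &by_dot) != 0 || stat(mnt, &by_name) != 0)
        goto out;
    ret = same_file(&entered, &by_dot) && !same_file(&entered, &by_name);
out:
    /* Leave the temp tree before removing it. */
    if (fchdir(saved_cwd) != 0)
        ret = -errno;
    close(saved_cwd);
    unlink(mnt);  /* the symlink, if it was created */
    rmdir(mnt);   /* the directory, if the swap never happened */
    rmdir(moved);
    rmdir(other);
    rmdir(base);
    return ret;
}

int main(void)
{
    printf("newline in name: %d\n", check_mtab_field("/mnt/a\nb"));
    printf("\".\" survives swap: %d\n", dot_survives_symlink_swap());
    return 0;
}
```

After the swap, a check that re-resolves the path name sees the other directory, while a process that stays on "." keeps operating on the directory it validated.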
[SCM] Samba Shared Repository - branch v3-5-test updated

2010-03-08 Thread Karolin Seeger
The branch, v3-5-test has been updated
   via  cb627d3... s3: Fix the build of net_afs.c with --fake-kaserver=yes, 
bug 7216
  from  e6c856a... mount.cifs: don't allow it to be run as setuid root 
program

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit cb627d3628da1da3c167de3b319cd92948e862eb
Author: Volker Lendecke v...@samba.org
Date:   Sat Mar 6 12:57:35 2010 +0100

s3: Fix the build of net_afs.c with --fake-kaserver=yes, bug 7216

Thanks to Geza Gemes g...@kzsdabas.hu for filing this bug
(cherry picked from commit 5a3633faf12cdec41dc18064d5364a3fd067a22d)

---

Summary of changes:
 source3/utils/net_afs.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 6aea513..26259c1 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -45,7 +45,7 @@ int net_afs_key(struct net_context *c, int argc, const char 
**argv)
}
 
if ((fd = open(argv[0], O_RDONLY, 0))  0) {
-   d_fprintf(stderr, _(Could not open %s\n, argv[0]));
+   d_fprintf(stderr, _(Could not open %s\n), argv[0]);
return -1;
}
 
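Review bot: the error path after open() in net_afs_key() still reports only the file name, not why the open failed. Append strerror(errno) to the message so a permissions problem on the file can be told apart from a wrong path.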


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  f8dba77... s4:ldb_ldap.c - fix indentation
   via  2d03011... LDB:TDB backend - change counter variables to unsigned 
where appropriate
   via  4a2b78a... LDB:SQLITE3 backend - change counter variables to 
unsigned where appropriate
   via  95d726f... LDB:LDAP backend - change a counter variable to 
unsigned
   via  b33a340... LDB:map - make LDB signed-safe on counter variables 
where appropriate
   via  7a7cb5e... s4:ldif_handlers - Change unsigned int to uint32_t 
which fits better here
  from  818d518... s4-gensec: Fixed wrong usage of error_string.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f8dba773a5174055e3c206d006317b5275481636
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 09:58:28 2010 +0100

s4:ldb_ldap.c - fix indentation

commit 2d03011858ca33ee56b4c36ac6a901850ff69864
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Fri Nov 6 18:35:17 2009 +0100

LDB:TDB backend - change counter variables to unsigned where appropriate

commit 4a2b78a6f36d4eb2a8763464f33720936921650c
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Fri Nov 6 18:35:17 2009 +0100

LDB:SQLITE3 backend - change counter variables to unsigned where appropriate

commit 95d726f3018ef5d249f89d56bde24b7ee0c24ecf
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Fri Nov 6 18:35:17 2009 +0100

LDB:LDAP backend - change a counter variable to unsigned

commit b33a340e0a2dcf972f0e53d3ff28a17eb42e4582
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Fri Nov 6 18:35:17 2009 +0100

LDB:map - make LDB signed-safe on counter variables where appropriate

commit 7a7cb5e9c25131e6eadc24f2e5a5a020e015731d
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 08:02:32 2010 +0100

s4:ldif_handlers - Change unsigned int to uint32_t which fits better here

---

Summary of changes:
 source4/lib/ldb-samba/ldif_handlers.c  |2 +-
 source4/lib/ldb/ldb_ldap/ldb_ldap.c|4 ++--
 source4/lib/ldb/ldb_map/ldb_map.c  |   16 
 source4/lib/ldb/ldb_map/ldb_map_inbound.c  |7 ---
 source4/lib/ldb/ldb_map/ldb_map_outbound.c |   26 --
 source4/lib/ldb/ldb_sqlite3/ldb_sqlite3.c  |   18 ++
 source4/lib/ldb/ldb_tdb/ldb_cache.c|   11 ++-
 source4/lib/ldb/ldb_tdb/ldb_index.c|   12 ++--
 source4/lib/ldb/ldb_tdb/ldb_search.c   |5 +++--
 source4/lib/ldb/ldb_tdb/ldb_tdb.c  |5 +++--
 source4/lib/ldb/ldb_tdb/ldb_tdb.h  |2 +-
 11 files changed, 60 insertions(+), 48 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/ldb-samba/ldif_handlers.c 
b/source4/lib/ldb-samba/ldif_handlers.c
index b5a6630..4d7d5db 100644
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -594,7 +594,7 @@ static int ldif_write_prefixMap(struct ldb_context *ldb, 
void *mem_ctx,
struct prefixMapBlob *blob;
enum ndr_err_code ndr_err;
char *string;
-   unsigned int i;
+   uint32_t i;
 
if (ldb_get_flags(ldb)  LDB_FLG_SHOW_BINARY) {
int err;
diff --git a/source4/lib/ldb/ldb_ldap/ldb_ldap.c 
b/source4/lib/ldb/ldb_ldap/ldb_ldap.c
index 4e88cc4..11edd34 100644
--- a/source4/lib/ldb/ldb_ldap/ldb_ldap.c
+++ b/source4/lib/ldb/ldb_ldap/ldb_ldap.c
@@ -387,7 +387,7 @@ static int lldb_rename(struct lldb_context *lldb_ac)
struct ldb_module *module = lldb_ac-module;
struct ldb_request *req = lldb_ac-req;
char *old_dn;
-   char *newrdn;
+   char *newrdn;
char *parentdn;
int ret;
 
@@ -483,8 +483,8 @@ static bool lldb_parse_result(struct lldb_context *ac, 
LDAPMessage *result)
bool callback_failed;
bool request_done;
bool lret;
+   unsigned int i;
int ret;
-   int i;
 
ldb = ldb_module_get_ctx(ac-module);
 
diff --git a/source4/lib/ldb/ldb_map/ldb_map.c 
b/source4/lib/ldb/ldb_map/ldb_map.c
index ab9578b..483222e 100644
--- a/source4/lib/ldb/ldb_map/ldb_map.c
+++ b/source4/lib/ldb/ldb_map/ldb_map.c
@@ -256,7 +256,7 @@ int ldb_next_remote_request(struct ldb_module *module, 
struct ldb_request *reque
 /* Find an objectClass mapping by the local name. */
 static const struct ldb_map_objectclass *map_objectclass_find_local(const 
struct ldb_map_context *data, const char *name)
 {
-   int i;
+   unsigned int i;
 
for (i = 0; data-objectclass_maps  
data-objectclass_maps[i].local_name; i++) {
if (ldb_attr_cmp(data-objectclass_maps[i].local_name, name) == 
0) {
@@ -270,7 +270,7 @@ static const struct ldb_map_objectclass 
*map_objectclass_find_local(const struct
 /* Find an 

[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  30ff229... s4:LDB TDB index code - reintroduce accidentally removed 
code part
  from  f8dba77... s4:ldb_ldap.c - fix indentation

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 30ff229a3e32549073424b423302e976c988d563
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 11:43:40 2010 +0100

s4:LDB TDB index code - reintroduce accidentally removed code part

This was removed by 95d726f3018ef5d249f89d56bde24b7ee0c24ecf. Sorry.

---

Summary of changes:
 source4/lib/ldb/ldb_tdb/ldb_index.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/ldb/ldb_tdb/ldb_index.c 
b/source4/lib/ldb/ldb_tdb/ldb_index.c
index c9c3e0c..828dca1 100644
--- a/source4/lib/ldb/ldb_tdb/ldb_index.c
+++ b/source4/lib/ldb/ldb_tdb/ldb_index.c
@@ -1331,7 +1331,9 @@ int ltdb_index_del_value(struct ldb_module *module, 
struct ldb_dn *dn,
}
 
j = (unsigned int) i;
-   memmove(list-dn[j], list-dn[j+1], sizeof(list-dn[0])*(list-count 
- (i+1)));
+   if (j != list-count - 1) {
+   memmove(list-dn[j], list-dn[j+1], 
sizeof(list-dn[0])*(list-count - (j+1)));
+   }
list-count--;
list-dn = talloc_realloc(list, list-dn, struct ldb_val, list-count);
 
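Review bot: the restored guard `if (j != list->count - 1)` in ltdb_index_del_value() does not cover list->count == 0 or a j past the end: the test is true in both cases and the memmove length `list->count - (j+1)` underflows. `if (j + 1 < list->count)` expresses the real condition (there is something after j to shift down) and is false in both bad cases. The commit message should also say what broke when 95d726f dropped the guard, so the next counter-type cleanup does not remove it again.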




[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  4e16a28... LDB:common - Change counters to unsigned where 
appropriate
  from  30ff229... s4:LDB TDB index code - reintroduce accidentally removed 
code part

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4e16a285c7c34732ba95fb5ec201e6f11cf88bef
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Fri Nov 6 18:35:17 2009 +0100

LDB:common - Change counters to unsigned where appropriate

To count LDB objects use variables of type unsigned (int) or long long int
on binary or downto searches.

To count characters in strings use size_t.

To calculate differences between pointers use ptrdiff_t.

---

Summary of changes:
 source4/lib/ldb/common/attrib_handlers.c |4 +-
 source4/lib/ldb/common/ldb.c |4 +-
 source4/lib/ldb/common/ldb_attributes.c  |   15 +
 source4/lib/ldb/common/ldb_controls.c|   14 
 source4/lib/ldb/common/ldb_dn.c  |   46 +-
 source4/lib/ldb/common/ldb_ldif.c|2 +-
 source4/lib/ldb/common/ldb_match.c   |4 +-
 source4/lib/ldb/common/ldb_modules.c |   12 
 source4/lib/ldb/common/ldb_msg.c |   20 +++--
 source4/lib/ldb/common/ldb_parse.c   |   16 +-
 source4/lib/ldb/common/ldb_utf8.c|6 ++--
 11 files changed, 76 insertions(+), 67 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/ldb/common/attrib_handlers.c 
b/source4/lib/ldb/common/attrib_handlers.c
index 4647075..2a2bd08 100644
--- a/source4/lib/ldb/common/attrib_handlers.c
+++ b/source4/lib/ldb/common/attrib_handlers.c
@@ -55,7 +55,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
 {
char *s, *t;
-   int l;
+   size_t l;
 
if (!in || !out || !(in-data)) {
return -1;
@@ -456,7 +456,7 @@ static const struct ldb_schema_syntax 
ldb_standard_syntaxes[] = {
 const struct ldb_schema_syntax *ldb_standard_syntax_by_name(struct ldb_context 
*ldb,
const char *syntax)
 {
-   int i;
+   unsigned int i;
unsigned num_handlers = 
sizeof(ldb_standard_syntaxes)/sizeof(ldb_standard_syntaxes[0]);
/* TODO: should be replaced with a binary search */
for (i=0;inum_handlers;i++) {
diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c
index 94fd6cd..bbb3b79 100644
--- a/source4/lib/ldb/common/ldb.c
+++ b/source4/lib/ldb/common/ldb.c
@@ -665,7 +665,7 @@ int ldb_request_get_status(struct ldb_request *req)
 static void ldb_trace_request(struct ldb_context *ldb, struct ldb_request *req)
 {
TALLOC_CTX *tmp_ctx = talloc_new(req);
-   int i;
+   unsigned int i;
 
switch (req-operation) {
case LDB_SEARCH:
@@ -845,7 +845,7 @@ int ldb_search_default_callback(struct ldb_request *req,
struct ldb_reply *ares)
 {
struct ldb_result *res;
-   int n;
+   unsigned int n;
 
res = talloc_get_type(req-context, struct ldb_result);
 
diff --git a/source4/lib/ldb/common/ldb_attributes.c 
b/source4/lib/ldb/common/ldb_attributes.c
index 79c5dd6..13f4d32 100644
--- a/source4/lib/ldb/common/ldb_attributes.c
+++ b/source4/lib/ldb/common/ldb_attributes.c
@@ -49,7 +49,7 @@ int ldb_schema_attribute_add_with_syntax(struct ldb_context 
*ldb,
 unsigned flags,
 const struct ldb_schema_syntax *syntax)
 {
-   int i, n;
+   unsigned int i, n;
struct ldb_schema_attribute *a;
 
if (!syntax) {
@@ -122,7 +122,9 @@ static const struct ldb_schema_attribute 
*ldb_schema_attribute_by_name_internal(
struct ldb_context *ldb,
const char *name)
 {
-   int i, e, b = 0, r;
+   /* for binary search we need signed variables */
+   long long int i, e, b = 0;
+   int r;
const struct ldb_schema_attribute *def = ldb_attribute_default;
 
/* as handlers are sorted, '*' must be the first if present */
@@ -135,7 +137,6 @@ static const struct ldb_schema_attribute 
*ldb_schema_attribute_by_name_internal(
e = ldb-schema.num_attributes - 1;
 
while (b = e) {
-
i = (b + e) / 2;
 
r = ldb_attr_cmp(name, ldb-schema.attributes[i].name);
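Review bot: the context line `e = ldb->schema.num_attributes - 1;` may no longer be safe for an empty attribute table now that e is long long (previous hunk). If num_attributes is an unsigned int (its declaration is not visible here) and is 0, the subtraction wraps in unsigned arithmetic before the widening, e becomes UINT_MAX instead of -1, and `while (b <= e)` indexes far outside attributes[]; with the old int e the same value converted back to -1 and the loop was skipped. Unless an earlier check not shown here returns for an empty table, cast before subtracting, e.g. `e = (long long)ldb->schema.num_attributes - 1;`.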
@@ -179,7 +180,7 @@ const struct ldb_schema_attribute 
*ldb_schema_attribute_by_name(struct ldb_conte
 void ldb_schema_attribute_remove(struct ldb_context *ldb, const char *name)
 {
const struct ldb_schema_attribute *a;
-   int i;
+   ptrdiff_t i;
 
a = ldb_schema_attribute_by_name_internal(ldb, name);
if (a == NULL || a-name == NULL) 

[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Jeff Layton
The branch, master has been updated
   via  f4cb528... samba: remove cifs-utils tools from build systems
  from  4e16a28... LDB:common - Change counters to unsigned where 
appropriate

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f4cb528ac510d3381a92a303e858edaf9e3d908a
Author: Jeff Layton jlay...@redhat.com
Date:   Mon Mar 8 09:06:40 2010 -0500

samba: remove cifs-utils tools from build systems

Now that cifs-utils are their own project, we need to go ahead and pull
them out of the samba tree. This patch represents the first step toward
that end.

Remove the cifs-utilities from the source3 and source4 builds. Please
pay particular attention to the source4 piece. I'm not at all familiar
with the build system there, and would appreciate someone sanity
checking my changes.

It also adds a small README.cifs-utils file in the topdir. This is
optional, but I think it's a good idea to carry this for a release or
two.

Once this patch looks ok, I'll plan to do another patch to actually
remove the client dir and the relevant docs-xml files from the tree
altogether.

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 source3/Makefile.in  |   54 ++--
 source3/configure.in |  124 --
 source4/client/config.m4 |   13 -
 source4/client/config.mk |   16 --
 source4/configure.ac |1 -
 5 files changed, 5 insertions(+), 203 deletions(-)
 delete mode 100644 source4/client/config.m4


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index de70c27..739eeda 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -208,8 +208,6 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\$(SMB_PASSWD_FILE)\ \
 
 SBIN_PROGS = bin/s...@exeext@ bin/n...@exeext@ @SWAT_SBIN_TARGETS@ 
@EXTRA_SBIN_PROGS@
 
-ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@ @CIFSUMOUNT_PROGS@
-
 BIN_PROGS1 = bin/smbcli...@exeext@ bin/n...@exeext@ bin/smbsp...@exeext@ \
bin/testp...@exeext@ bin/smbsta...@exeext@ bin/smb...@exeext@
 BIN_PROGS2 = bin/smbcont...@exeext@ bin/smbt...@exeext@ $(TDBBACKUP) \
@@ -1039,12 +1037,6 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) 
$(LDB_OBJ) \
  $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
  $(LIBNDR_GEN_OBJ0)
 
-CIFS_MOUNT_OBJ = ../client/mount.cifs.o ../client/mtab.o
-
-CIFS_UMOUNT_OBJ = ../client/umount.cifs.o ../client/mtab.o
-
-CIFS_UPCALL_OBJ = ../client/cifs.upcall.o
-
 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
$(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
 
@@ -1358,8 +1350,8 @@ SPLIT_TOKENS_OBJ = utils/split_tokens.o \
 ##
 # now the rules...
 ##
-all:: SHOWFLAGS basics libs $(SBIN_PROGS) $(BIN_PROGS) $(ROOT_SBIN_PROGS) \
-   $(MODULES) $(NSS_MODULES) $(PAM_MODULES) @CIFSUPCALL_PROGS@ \
+all:: SHOWFLAGS basics libs $(SBIN_PROGS) $(BIN_PROGS) \
+   $(MODULES) $(NSS_MODULES) $(PAM_MODULES) \
$(EXTRA_ALL_TARGETS)
 
 basics::
@@ -1620,21 +1612,6 @@ bin/smbsp...@exeext@: $(BINARY_PREREQS) $(CUPS_OBJ) 
@BUILD_POPT@ $(LIBTALLOC) $(
@LIBWBCLIENT_STATIC@ $(LIBWBCLIENT_LIBS) \
$(KRB5LIBS) $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) 
$(LIBTDB_LIBS) $(ZLIB_LIBS)
 
-bin/mount.c...@exeext@: $(BINARY_PREREQS) $(CIFS_MOUNT_OBJ)
-   @echo Linking $@
-   @$(CC) -o $@ $(CIFS_MOUNT_OBJ) $(DYNEXP) $(LDFLAGS)
-
-bin/umount.c...@exeext@: $(BINARY_PREREQS) $(CIFS_UMOUNT_OBJ)
-   @echo Linking $@
-   @$(CC) -o $@ $(CIFS_UMOUNT_OBJ) $(DYNEXP) $(LDFLAGS)
-
-bin/cifs.upc...@exeext@: $(BINARY_PREREQS) $(CIFS_UPCALL_OBJ) 
$(LIBSMBCLIENT_OBJ1) $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT)
-   @echo Linking $@
-   @$(CC) -o $@ $(CIFS_UPCALL_OBJ) $(DYNEXP) $(LDFLAGS) \
-   $(LIBSMBCLIENT_OBJ1) $(LIBS) -lkeyutils $(KRB5LIBS) \
-   $(LDAP_LIBS) $(LIBTALLOC_LIBS) $(LIBWBCLIENT_LIBS) \
-   $(LIBTDB_LIBS) $(NSCD_LIBS) $(ZLIB_LIBS)
-
 bin/testp...@exeext@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@ 
$(LIBTALLOC) $(LIBTDB)
@echo Linking $@
@$(CC) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
@@ -2973,7 +2950,7 @@ bin/split_tok...@exeext@: $(BINARY_PREREQS) 
$(SPLIT_TOKENS_OBJ) @BUILD_POPT@ $(L
$(LDAP_LIBS) \
$(LIBTALLOC_LIBS) $(LIBTDB_LIBS)
 
-install:: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSUMOUNT@ 
@INSTALL_CIFSUPCALL@ installman \
+install:: installservers installbin installman \
installscripts installdat installmodules @SWAT_INSTALL_TARGETS@ 
\

[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Björn Jacke
The branch, master has been updated
   via  2f1fa4f... s3: add man page for vfs_crossrename
   via  0769a18... s3: add vfs_crossrename
   via  583de7b... s3: remove cross-device rename support from vfs_default
  from  f4cb528... samba: remove cifs-utils tools from build systems

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2f1fa4f8ca020c5d96bd3ac8706c54cd881aaa03
Author: Björn Jacke b...@sernet.de
Date:   Mon Mar 8 12:38:38 2010 +0100

s3: add man page for vfs_crossrename

commit 0769a1833aff2057e7f6ab05713d7fd6886d6040
Author: Björn Jacke b...@sernet.de
Date:   Mon Mar 8 12:59:40 2010 +0100

s3: add vfs_crossrename

this module adds optional server-side support for limited rename operations
beyond filesystem boundaries, which was previously the default.

commit 583de7b582956d3bec7e875d88ef16b3b8ac6e53
Author: Björn Jacke b...@sernet.de
Date:   Mon Mar 8 12:52:13 2010 +0100

s3: remove cross-device rename support from vfs_default

cross-device rename support has some major limitations:

- on huge files clients will timeout or hang
- ACLs and EA information is not retained

Usually a client will have to handle this. A Windows Server with a reparse
point will also just return NT_STATUS_NOT_SAME_DEVICE. We will now by default
do the same.

I will add a vfs module which will restore the old cross-device renames.

---

Summary of changes:
 docs-xml/manpages-3/vfs_crossrename.8.xml |  115 +
 source3/configure.in  |2 +
 source3/modules/vfs_crossrename.c |  200 +
 source3/modules/vfs_default.c |  116 -
 4 files changed, 317 insertions(+), 116 deletions(-)
 create mode 100644 docs-xml/manpages-3/vfs_crossrename.8.xml
 create mode 100644 source3/modules/vfs_crossrename.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages-3/vfs_crossrename.8.xml 
b/docs-xml/manpages-3/vfs_crossrename.8.xml
new file mode 100644
index 000..675c92e
--- /dev/null
+++ b/docs-xml/manpages-3/vfs_crossrename.8.xml
@@ -0,0 +1,115 @@
+?xml version=1.0 encoding=iso-8859-1?
+!DOCTYPE refentry PUBLIC -//Samba-Team//DTD DocBook V4.2-Based Variant 
V1.0//EN http://www.samba.org/samba/DTD/samba-doc;
+refentry id=vfs_crossrename.8
+
+refmeta
+   refentrytitlevfs_crossrename/refentrytitle
+   manvolnum8/manvolnum
+   refmiscinfo class=sourceSamba/refmiscinfo
+   refmiscinfo class=manualSystem Administration tools/refmiscinfo
+   refmiscinfo class=version3.6/refmiscinfo
+/refmeta
+
+
+refnamediv
+   refnamevfs_crossrename/refname
+   refpurposeserver side rename files across filesystem 
boundaries/refpurpose
+/refnamediv
+
+refsynopsisdiv
+   cmdsynopsis
+   commandvfs objects = crossrename/command
+   /cmdsynopsis
+/refsynopsisdiv
+
+refsect1
+   titleDESCRIPTION/title
+
+   paraThis VFS module is part of the
+   citerefentryrefentrytitlesamba/refentrytitle
+   manvolnum7/manvolnum/citerefentry suite./para
+
+   paraThe commandvfs_crossrename/command VFS module allows
+   server side rename operations even if source and target are on
+   differen physical devices. A move in Explorer is usually a
+   rename operation if it is inside of a single share or device.
+   Usually such a rename operation returns
+   NT_STATUS_NOT_SAME_DEVICE and the client has to move the file by
+   manual copy and delete operations. If the rename by copy is done by the
+   server this can be much more efficient. vfs_crossrename tries to do
+   this server-side cross-device rename operation. There are however
+   limitations that this module currently does not solve:
+
+   variablelist
+   varlistentry
+   the ACLs of files are not preserved
+   /varlistentry
+   varlistentry
+   meta data in EAs are not preserved
+   /varlistentry
+   varlistentry
+   renames of whole subdirectories cannot be done recursively,
+   in that case we still return STATUS_NOT_SAME_DEVICE and
+   let the client decide what to do
+   /varlistentry
+   varlistentry
+   rename operations of huge files can cause hangs on the
+   client because clients expect a rename operation to
+   return fast
+   /varlistentry
+   /variablelist
+   /para
+
+   paraThis module is stackable./para
+
+/refsect1
+
+
+refsect1
+   titleOPTIONS/title
+
+   variablelist
+
+   varlistentry
+   termcrossrename:sizelimit = BYTES/term
+   listitem
+   paraserver-side cross-device-renames are 
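Review bot: the limitations list in DESCRIPTION is not valid DocBook, because each varlistentry holds bare text where the element requires a term followed by a listitem. These items have no terms, so an itemizedlist with listitem/para children is the fitting structure. While there: "differen physical devices" is missing a t, and the text uses both NT_STATUS_NOT_SAME_DEVICE and STATUS_NOT_SAME_DEVICE for what reads as the same status.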

[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Björn Jacke
The branch, master has been updated
   via  a4dc50e... s3: add missing Makefile.in changes for vfs_crossrename
  from  2f1fa4f... s3: add man page for vfs_crossrename

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a4dc50ef1273259c53f96ee4aaaef917e8daeffe
Author: Björn Jacke b...@sernet.de
Date:   Mon Mar 8 17:53:18 2010 +0100

s3: add missing Makefile.in changes for vfs_crossrename

---

Summary of changes:
 source3/Makefile.in |5 +
 1 files changed, 5 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 739eeda..925f0be 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -743,6 +743,7 @@ PERFCOUNT_ONEFS_OBJ = modules/perfcount_onefs.o
 PERFCOUNT_TEST_OBJ = modules/perfcount_test.o
 VFS_DIRSORT_OBJ = modules/vfs_dirsort.o
 VFS_SCANNEDONLY_OBJ = modules/vfs_scannedonly.o
+VFS_CROSSRENAME_OBJ = modules/vfs_crossrename.o
 
 PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o
 
@@ -2842,6 +2843,10 @@ bin/scannedon...@shlibext@: $(BINARY_PREREQS) 
$(VFS_SCANNEDONLY_OBJ)
@echo Building plugin $@
@$(SHLD_MODULE) $(VFS_SCANNEDONLY_OBJ)
 
+bin/crossrena...@shlibext@: $(BINARY_PREREQS) $(VFS_CROSSRENAME_OBJ)
+   @echo Building plugin $@
+   @$(SHLD_MODULE) $(VFS_CROSSRENAME_OBJ)
+
 #
 ## IdMap NSS plugins
 




[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  8d3b7d4... LDB:asq module - change counters to unsigned where 
appropriate
   via  df17e1b... LDB:sort module - change counters to unsigned where 
appropriate
   via  8248069... LDB:rdn name module - change counters to unsigned 
where appropriate
   via  681c887... LDB:paged searches module - change counters to 
unsigned where appropriate
   via  7e7d9a8... LDB:paged results module - change counters to unsigned 
where appropriate
  from  a4dc50e... s3: add missing Makefile.in changes for vfs_crossrename

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8d3b7d418edc6955271d262bbdbf307a45b7fb7f
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 18:01:32 2010 +0100

LDB:asq module - change counters to unsigned where appropriate

commit df17e1b962d084315ebcba78a7ebe1d659781dbf
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 18:01:32 2010 +0100

LDB:sort module - change counters to unsigned where appropriate

commit 8248069c91922c93bf9020cc1f94b8cf59c43e28
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 18:01:32 2010 +0100

LDB:rdn name module - change counters to unsigned where appropriate

commit 681c88798a1e16da9dc13688c1ed18659127684b
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 18:01:32 2010 +0100

LDB:paged searches module - change counters to unsigned where appropriate

commit 7e7d9a8a4827f283d13f393404da978130baaa93
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 18:01:32 2010 +0100

LDB:paged results module - change counters to unsigned where appropriate

---

Summary of changes:
 source4/lib/ldb/modules/asq.c|9 +
 source4/lib/ldb/modules/paged_results.c  |8 
 source4/lib/ldb/modules/paged_searches.c |4 ++--
 source4/lib/ldb/modules/rdn_name.c   |5 +++--
 source4/lib/ldb/modules/sort.c   |9 +
 5 files changed, 19 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/ldb/modules/asq.c b/source4/lib/ldb/modules/asq.c
index 4918683..6d1e88b 100644
--- a/source4/lib/ldb/modules/asq.c
+++ b/source4/lib/ldb/modules/asq.c
@@ -55,8 +55,8 @@ struct asq_context {
struct ldb_reply *base_res;
 
struct ldb_request **reqs;
-   int num_reqs;
-   int cur_req;
+   unsigned int num_reqs;
+   unsigned int cur_req;
 
struct ldb_control **controls;
 };
@@ -85,7 +85,7 @@ static int asq_search_continue(struct asq_context *ac);
 static int asq_search_terminate(struct asq_context *ac)
 {
struct ldb_asq_control *asq;
-   int i;
+   unsigned int i;
 
if (ac-controls) {
for (i = 0; ac-controls[i]; i++) /* count em */ ;
@@ -250,7 +250,8 @@ static int asq_build_multiple_requests(struct asq_context 
*ac, bool *terminated)
struct ldb_control *control;
struct ldb_dn *dn;
struct ldb_message_element *el;
-   int ret, i;
+   unsigned int i;
+   int ret;
 
if (ac-base_res == NULL) {
return LDB_ERR_NO_SUCH_OBJECT;
diff --git a/source4/lib/ldb/modules/paged_results.c 
b/source4/lib/ldb/modules/paged_results.c
index ff1b92f..25b7532 100644
--- a/source4/lib/ldb/modules/paged_results.c
+++ b/source4/lib/ldb/modules/paged_results.c
@@ -65,8 +65,7 @@ struct results_store {
 };
 
 struct private_data {
-
-   int next_free_id;
+   unsigned int next_free_id;
struct results_store *store;

 };
@@ -95,7 +94,7 @@ static int store_destructor(struct results_store *del)
 static struct results_store *new_store(struct private_data *priv)
 {
struct results_store *newr;
-   int new_id = priv-next_free_id++;
+   unsigned int new_id = priv-next_free_id++;
 
/* TODO: we should have a limit on the number of
 * outstanding paged searches
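Review bot: `priv->next_free_id++` in new_store() can hand out an id that is still in use once the unsigned counter wraps. The wrap itself is now well defined, but nothing visible here checks the new id against live stores, and the TODO in the context lines confirms there is no limit on outstanding paged searches. Either cap the number of stores or skip ids that are still taken.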
@@ -140,7 +139,8 @@ static int paged_results(struct paged_context *ac)
 {
struct ldb_paged_control *paged;
struct message_store *msg;
-   int i, num_ctrls, ret;
+   unsigned int i, num_ctrls;
+   int ret;
 
if (ac-store == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
diff --git a/source4/lib/ldb/modules/paged_searches.c 
b/source4/lib/ldb/modules/paged_searches.c
index 09786c3..39780cb 100644
--- a/source4/lib/ldb/modules/paged_searches.c
+++ b/source4/lib/ldb/modules/paged_searches.c
@@ -52,7 +52,7 @@ struct ps_context {
bool pending;
 
char **saved_referrals;
-   int num_referrals;
+   unsigned int num_referrals;
 
struct ldb_request *down_req;
 };
@@ -132,7 +132,7 @@ static int send_referrals(struct ps_context *ac)
 {
struct ldb_reply *ares;
int ret;
-   int i;
+ 

[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  fde707a... s4:dns_update_list file: install it properly into the 
private directory
   via  a34eafc... Revert s4:script/installmisc.sh - install 
dns_update_list to target setup folder
  from  8d3b7d4... LDB:asq module - change counters to unsigned where 
appropriate

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fde707aa0c563d239c2f8c442cddfee0b6ff057f
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 20:36:16 2010 +0100

s4:dns_update_list file: install it properly into the private directory

This is what the samba_dnsupdate script requests (line 220).

commit a34eafc693d8750c0883823068e5c6f7355efa04
Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de
Date:   Mon Mar 8 20:30:06 2010 +0100

Revert s4:script/installmisc.sh - install dns_update_list to target 
setup folder

This reverts commit b49276e291274652d46eed39249c07531e32b591.

---

Summary of changes:
 source4/Makefile  |2 +-
 source4/script/installmisc.sh |   16 +---
 2 files changed, 10 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/Makefile b/source4/Makefile
index 0da1ee2..dd9376b 100644
--- a/source4/Makefile
+++ b/source4/Makefile
@@ -243,7 +243,7 @@ installman:: manpages installdirs
@$(SHELL) $(srcdir)/script/installman.sh $(DESTDIR)$(mandir) $(MANPAGES)
 
 installmisc:: installdirs
-   @$(SHELL) $(srcdir)/script/installmisc.sh $(DESTDIR) $(srcdir) 
$(DESTDIR)$(setupdir) $(DESTDIR)$(bindir) $(DESTDIR)$(sbindir) $(pythondir) 
$(PYTHON)
+   @$(SHELL) $(srcdir)/script/installmisc.sh $(DESTDIR) $(srcdir) 
$(DESTDIR)$(setupdir) $(DESTDIR)$(privatedir) $(DESTDIR)$(bindir) 
$(DESTDIR)$(sbindir) $(pythondir) $(PYTHON)
 
 installpc:: installdirs
@$(SHELL) $(srcdir)/script/installpc.sh $(builddir) 
$(DESTDIR)$(pkgconfigdir) $(PC_FILES)
diff --git a/source4/script/installmisc.sh b/source4/script/installmisc.sh
index 6aaf6be..5c7d76d 100755
--- a/source4/script/installmisc.sh
+++ b/source4/script/installmisc.sh
@@ -1,18 +1,19 @@
 #!/bin/sh
 # install miscellaneous files
 
-[ $# -eq 7 ] || {
-echo Usage: installmisc.sh DESTDIR SRCDIR SETUPDIR BINDDIR SBINDDIR 
PYTHONDIR PYTHON
+[ $# -eq 8 ] || {
+echo Usage: installmisc.sh DESTDIR SRCDIR SETUPDIR PRIVATEDIR BINDDIR 
SBINDDIR PYTHONDIR PYTHON
 exit 1
 }
 
 DESTDIR=$1
 SRCDIR=$2
 SETUPDIR=$3
-BINDIR=$4
-SBINDIR=$5
-PYTHONDIR=$6
-PYTHON=$7
+PRIVATEDIR=$4
+BINDIR=$5
+SBINDIR=$6
+PYTHONDIR=$7
+PYTHON=$8
 
 cd $SRCDIR || exit 1
 
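Review bot: the rewritten usage line still spells two arguments BINDDIR and SBINDDIR, while the variables assigned a few lines below are BINDIR and SBINDIR. Since the line is being changed anyway to add PRIVATEDIR, correct the spelling so the usage text matches the variable names. The argument count check is correctly raised to 8 in step with the new positional parameter.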
@@ -79,7 +80,6 @@ cp setup/named.conf.update $SETUPDIR || exit 1
 cp setup/provision.smb.conf.dc $SETUPDIR || exit 1
 cp setup/provision.smb.conf.member $SETUPDIR || exit 1
 cp setup/provision.smb.conf.standalone $SETUPDIR || exit 1
-cp setup/dns_update_list $SETUPDIR || exit 1
 
 echo Installing external python libraries
 mkdir -p $PYTHONDIR/samba_external || exit 1
@@ -90,5 +90,7 @@ do
   cp -r scripting/python/samba_external/$p/* $PYTHONDIR/samba_external/$p/ || 
exit 1
 done
 
+echo Installing stuff in $PRIVATEDIR
+cp setup/dns_update_list $PRIVATEDIR || exit 1
 
 exit 0
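Review bot: the added "cp setup/dns_update_list $PRIVATEDIR" assumes the private directory already exists. If it does not, cp creates a regular file with the directory's name and the script still exits 0. The python section just above runs mkdir -p before copying, so do the same here (mkdir -p $PRIVATEDIR || exit 1), or copy to $PRIVATEDIR/ with a trailing slash so a missing directory becomes an error. The message "Installing stuff in $PRIVATEDIR" would also be more useful if it named the file being installed.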


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Jeff Layton
The branch, master has been updated
   via  8a76352... samba: remove Linux cifs-utils files from samba master 
branch
  from  fde707a... s4:dns_update_list file: install it properly into the 
private directory

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8a76352544ccbac7e9aca2c3357256a01493cc7b
Author: Jeff Layton jlay...@redhat.com
Date:   Mon Mar 8 15:05:05 2010 -0500

samba: remove Linux cifs-utils files from samba master branch

This patch removes all of the files from the samba tree that should now
be provided by the cifs-utils package. It also drops a
README.cifs-utils into the topdir with a URL to the main cifs-utils
webpage. This is for people who don't want the lists and might be taken
by surprise by the change. That's optional, but I think it's a good idea
for at least a release or two.

Signed-off-by: Jeff Layton jlay...@samba.org

---

Summary of changes:
 README.cifs-utils |7 +
 client/cifs.upcall.c  |  656 
 client/cifs_spnego.h  |   46 -
 client/mount.cifs.c   | 1779 -
 client/mount.h|   38 -
 client/mtab.c |  220 ---
 client/umount.cifs.c  |  406 -
 docs-xml/Samba3-HOWTO/manpages.xml|2 -
 docs-xml/linux-client/linux-cifs-client-guide.odt |  Bin 126569 - 0 bytes
 docs-xml/manpages-3/cifs.upcall.8.xml |  124 --
 docs-xml/manpages-3/mount.cifs.8.xml  |  732 -
 docs-xml/manpages-3/umount.cifs.8.xml |  179 ---
 12 files changed, 7 insertions(+), 4182 deletions(-)
 create mode 100644 README.cifs-utils
 delete mode 100644 client/cifs.upcall.c
 delete mode 100644 client/cifs_spnego.h
 delete mode 100644 client/mount.cifs.c
 delete mode 100644 client/mount.h
 delete mode 100644 client/mtab.c
 delete mode 100644 client/umount.cifs.c
 delete mode 100644 docs-xml/linux-client/linux-cifs-client-guide.odt
 delete mode 100644 docs-xml/manpages-3/cifs.upcall.8.xml
 delete mode 100644 docs-xml/manpages-3/mount.cifs.8.xml
 delete mode 100644 docs-xml/manpages-3/umount.cifs.8.xml


Changeset truncated at 500 lines:

diff --git a/README.cifs-utils b/README.cifs-utils
new file mode 100644
index 000..2ea6a38
--- /dev/null
+++ b/README.cifs-utils
@@ -0,0 +1,7 @@
+As of Sunday March 7th, 2010, the Linux CIFS utilities are no longer
+part of the samba suite of tools and have been split off into their own
+project. Please see this webpage for information on how to acquire and
+build them:
+
+http://www.samba.org/linux-cifs/cifs-utils/
+
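Review bot: the README gives only a calendar date for the split and does not say that mount.cifs, umount.cifs and cifs.upcall are the tools that moved, which is what someone surprised by the missing binaries will be searching for. Listing those names in the first sentence would make the file findable. The new file also ends with an empty line (the last + line), which can be dropped.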
diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
deleted file mode 100644
index 42632a0..000
--- a/client/cifs.upcall.c
+++ /dev/null
@@ -1,656 +0,0 @@
-/*
-* CIFS user-space helper.
-* Copyright (C) Igor Mammedov (niall...@gmail.com) 2007
-* Copyright (C) Jeff Layton (jlay...@redhat.com) 2009
-*
-* Used by /sbin/request-key for handling
-* cifs upcall for kerberos authorization of access to share and
-* cifs upcall for DFS srver name resolving (IPv4/IPv6 aware).
-* You should have keyutils installed and add something like the
-* following lines to /etc/request-key.conf file:
-
-create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
-create dns_resolver * * /usr/local/sbin/cifs.upcall %k
-
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*/
-
-#include includes.h
-#include ../libcli/auth/spnego.h
-#include smb_krb5.h
-#include keyutils.h
-#include getopt.h
-
-#include cifs_spnego.h
-
-#defineCIFS_DEFAULT_KRB5_DIR   /tmp
-#defineCIFS_DEFAULT_KRB5_PREFIXkrb5cc_
-
-#defineMAX_CCNAME_LEN  PATH_MAX + 5
-
-const char *CIFSSPNEGO_VERSION = 1.3;
-static const char *prog = cifs.upcall;
-typedef enum _sectype {
-   NONE = 0,
-   KRB5,
-   MS_KRB5
-} sectype_t;
-
-/* does the ccache have a valid TGT? */
-static time_t
-get_tgt_time(const char *ccname) {
-   krb5_context context;
-   krb5_ccache ccache;
-   krb5_cc_cursor cur;
-   

[SCM] Samba Shared Repository - branch v3-5-stable updated

2010-03-08 Thread Karolin Seeger
The branch, v3-5-stable has been updated
   via  1c9494c... Revert Fix bug #7067 - Linux asynchronous IO (aio) can 
cause smbd to fail to respond to a read or write.
   via  cd499ea... WHATSNEW: Prepare release notes for Samba 3.5.1.
   via  ab98964... VERSION: Raise version number up to 3.5.1.
  from  d82b72a... WHATSNEW: Update changes since 3.5.0rc3.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -
commit 1c9494c76cc9686c61e0966f38528d3318f3176f
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 20:34:39 2010 +0100

Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail 
to respond to a read or write.

This reverts commit a6ae7a552f851a31262377cc0e062e40ac20.

This fixes bug #7222 (All users have full rights on all shares) 
(CVE-2010-0728).

commit cd499eaf0418fa0a3034c5ba4709278a302ea980
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 20:32:49 2010 +0100

WHATSNEW: Prepare release notes for Samba 3.5.1.

Karolin

commit ab98964115b56306b82f38aa2f65757dc2917ffe
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 1 15:03:03 2010 +0100

VERSION: Raise version number up to 3.5.1.

Karolin
(cherry picked from commit 0410c8bca22c61318bf71c845fca523614bef73a)

---

Summary of changes:
 WHATSNEW.txt  |   52 ++-
 source3/VERSION   |2 +-
 source3/include/smb.h |3 +-
 source3/lib/system.c  |   65 +++--
 source3/smbd/server.c |8 --
 5 files changed, 57 insertions(+), 73 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index caad89d..12c12d5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,55 @@
=
+   Release Notes for Samba 3.5.1
+   March 8, 2010
+   =
+
+
+This is a security release in order to address CVE-2010-0728.
+
+
+o  CVE-2010-0728:
+   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
+   was added to fix a problem with Linux asynchronous IO handling.
+   This code introduced a bad security flaw on Linux platforms if the
+   binaries were built on Linux platforms with libcap support.
+   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+   capabilities, allowing all file system access to be allowed
+   even when permissions should have denied access.
+
+
+Changes since 3.5.0
+---
+
+
+o   Jeremy Allison j...@samba.org
+* BUG 7222: Fix for CVE-2010-0728.
+
+
+##
+Reporting bugs  Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
+   =
Release Notes for Samba 3.5.0
March 1, 2010
===
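Review bot: in the CVE-2010-0728 paragraph, "allowing all file system access to be allowed" is circular and does not say who gains the access. The commit message describes the effect as all users having full rights on all shares; wording along those lines (file permission checks no longer applied to connected users) would tell an administrator what the exposure is.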
@@ -479,4 +530,3 @@ database (https://bugzilla.samba.org/).
 == Our Code, Our Bugs, Our Responsibility.
 == The Samba Team
 ==
-
diff --git a/source3/VERSION b/source3/VERSION
index 13358fe..35c8256 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 
 # Bug fix releases use a letter for the patch revision #
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 041c96b..bc7a90d 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1723,8 +1723,7 @@ minimum length == 24.
 enum smbd_capability {
 KERNEL_OPLOCK_CAPABILITY,
 DMAPI_ACCESS_CAPABILITY,
-LEASE_CAPABILITY,
-KILL_CAPABILITY
+LEASE_CAPABILITY
 };
 
 /*
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 9c1da3a..a58d903 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ 

[SCM] Samba Shared Repository - annotated tag release-3-5-1 created

2010-03-08 Thread Karolin Seeger
The annotated tag, release-3-5-1 has been created
at  e70dd664c57a77822f845ac8ec987ad9ebd86cc1 (tag)
   tagging  1c9494c76cc9686c61e0966f38528d3318f3176f (commit)
  replaces  release-3-5-0
 tagged by  Karolin Seeger
on  Mon Mar 8 20:40:09 2010 +0100

- Log -
tag release-3-5-1

Karolin Seeger (3):
  VERSION: Raise version number up to 3.5.1.
  WHATSNEW: Prepare release notes for Samba 3.5.1.
  Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to 
fail to respond to a read or write.

---


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-4-stable updated

2010-03-08 Thread Karolin Seeger
The branch, v3-4-stable has been updated
   via  49fc62c... Revert Fix bug #7067 - Linux asynchronous IO (aio) can 
cause smbd to fail to respond to a read or write.
   via  bdad635... WHATSNEW: Prepare release notes for Samba 3.4.7.
   via  df5a563... WHATSNEW: Start release notes for Samba 3.4.7.
   via  d811847... VERSION: Raise version number up to 3.4.7.
  from  d0e7cc3... WHATSNEW: Fix typo.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-stable


- Log -
commit 49fc62cc5d8bcb2ef246fa6505c99071b406c413
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 20:53:38 2010 +0100

Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail 
to respond to a read or write.

This reverts commit c81c109a6ce83741bb5149a51ceb4ab30855e9f9.

This fixes bug #7222 (All users have full rights on all 
shares)(CVE-2010-0728).

commit bdad63514f345a10774dade1746072312ed140c1
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 20:52:56 2010 +0100

WHATSNEW: Prepare release notes for Samba 3.4.7.

Karolin

commit df5a5630a795f57a71d3b9e0f68ba104bc289982
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Feb 24 16:08:26 2010 +0100

WHATSNEW: Start release notes for Samba 3.4.7.

Karolin
(cherry picked from commit c8f888a6cc67e603ba04510f5504596b67d8)

commit d811847bbd8badf5c343417b453a527de3f06bbe
Author: Karolin Seeger ksee...@samba.org
Date:   Wed Feb 24 16:06:32 2010 +0100

VERSION: Raise version number up to 3.4.7.

Karolin
(cherry picked from commit b280381ed338920b1746d0b2b7cd6ea6eb1f92b9)

---

Summary of changes:
 WHATSNEW.txt  |   54 +++-
 source3/VERSION   |2 +-
 source3/include/smb.h |3 +-
 source3/lib/system.c  |   65 +++--
 source3/smbd/server.c |8 --
 5 files changed, 58 insertions(+), 74 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 42341d0..80589c7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,54 @@
=
+   Release Notes for Samba 3.4.7
+   March 8, 2010
+   =
+
+
+This is a security release in order to address CVE-2010-0728.
+
+
+o  CVE-2010-0728:
+   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
+   was added to fix a problem with Linux asynchronous IO handling.
+   This code introduced a bad security flaw on Linux platforms if the
+   binaries were built on Linux platforms with libcap support.
+   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+   capabilities, allowing all file system access to be allowed
+   even when permissions should have denied access.
+
+
+Changes since 3.5.0
+---
+
+
+o   Jeremy Allison j...@samba.org
+* BUG 7222: Fix for CVE-2010-0728.
+
+
+##
+Reporting bugs  Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older versions follow:
+
+
+   =
Release Notes for Samba 3.4.6
 February 24, 2010
=
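Review bot: the heading "Changes since 3.5.0" in these 3.4.7 notes looks copied from the 3.5.1 release notes. The previous release on this branch is 3.4.6 (the VERSION hunk below raises SAMBA_VERSION_RELEASE from 6 to 7), so the heading should read "Changes since 3.4.6".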
@@ -109,8 +159,8 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older versions follow:
-
+--
+
 
=
Release Notes for Samba 3.4.5
diff --git a/source3/VERSION b/source3/VERSION
index 7133dfb..f40ac81 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 
 # Bug fix releases use a letter for the 

[SCM] Samba Shared Repository - annotated tag release-3-4-7 created

2010-03-08 Thread Karolin Seeger
The annotated tag, release-3-4-7 has been created
at  574d9ad7b6c795cfcdd8bb53456f656908c29bc9 (tag)
   tagging  49fc62cc5d8bcb2ef246fa6505c99071b406c413 (commit)
  replaces  release-3-4-6
 tagged by  Karolin Seeger
on  Mon Mar 8 20:54:29 2010 +0100

- Log -
tag release-3-4-7

Karolin Seeger (4):
  VERSION: Raise version number up to 3.4.7.
  WHATSNEW: Start release notes for Samba 3.4.7.
  WHATSNEW: Prepare release notes for Samba 3.4.7.
  Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to 
fail to respond to a read or write.

---


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-3-stable updated

2010-03-08 Thread Karolin Seeger
The branch, v3-3-stable has been updated
   via  007f9c9... Revert Fix bug #7067 - Linux asynchronous IO (aio) can 
cause smbd to fail to respond to a read or write.
   via  cb608fe... WHATSNEW: Prepare release notes for Samba 3.3.12.
   via  689fd1b... VERSION: Raise version number up to 3.3.12.
  from  adc7b06... WHATSNEW: Update changes since 3.3.10.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -
commit 007f9c90e952aeea2d8f73cff3ccd0f747a9c06e
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 21:08:36 2010 +0100

Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail 
to respond to a read or write.

This reverts commit 153357b9bb4d70a168c81cb9ff2da437eae823fc.

This fixes bug #7222 (All users have full rights on all shares) 
(CVE-2010-0728).

commit cb608fef71f9da629a1858cd1d6c8b19e27e6655
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 21:08:01 2010 +0100

WHATSNEW: Prepare release notes for Samba 3.3.12.

Karolin

commit 689fd1bd11806f92e9f5acbc634e27f7b197ee23
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 21:05:40 2010 +0100

VERSION: Raise version number up to 3.3.12.

Karolin

---

Summary of changes:
 WHATSNEW.txt |   54 -
 source/VERSION   |2 +-
 source/include/smb.h |3 +-
 source/lib/system.c  |   65 +++--
 source/smbd/server.c |8 --
 5 files changed, 58 insertions(+), 74 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0d5d5f0..90a1960 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,54 @@
==
+   Release Notes for Samba 3.3.12
+   March 8, 2010
+   ==
+
+
+This is a security release in order to address CVE-2010-0728.
+
+
+o  CVE-2010-0728:
+   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
+   was added to fix a problem with Linux asynchronous IO handling.
+   This code introduced a bad security flaw on Linux platforms if the
+   binaries were built on Linux platforms with libcap support.
+   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+   capabilities, allowing all file system access to be allowed
+   even when permissions should have denied access.
+
+
+Changes since 3.5.0
+---
+
+
+o   Jeremy Allison j...@samba.org
+* BUG 7222: Fix for CVE-2010-0728.
+
+
+##
+Reporting bugs  Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+   ==
Release Notes for Samba 3.3.11
 February 26, 2010
==
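Review bot: "Changes since 3.5.0" is the wrong baseline for the 3.3 branch. These notes are for 3.3.12 and the entry directly beneath them is 3.3.11, so the heading should be "Changes since 3.3.11".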
@@ -79,8 +129,8 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
+
 
==
Release Notes for Samba 3.3.10
diff --git a/source/VERSION b/source/VERSION
index 29efdb3..01fc3b8 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
 
 
 # Bug fix releases use a letter for the patch revision #
diff --git a/source/include/smb.h b/source/include/smb.h
index 3825c63..327f212 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -1684,8 +1684,7 @@ minimum length == 18.
 enum smbd_capability {
 KERNEL_OPLOCK_CAPABILITY,
 DMAPI_ACCESS_CAPABILITY,
-LEASE_CAPABILITY,
-KILL_CAPABILITY
+LEASE_CAPABILITY
 };
 
 /* if a kernel does support 

[SCM] Samba Shared Repository - annotated tag release-3-3-12 created

2010-03-08 Thread Karolin Seeger
The annotated tag, release-3-3-12 has been created
at  cf4bfa915b638bce6ad9433328a8a4a7d6ba562d (tag)
   tagging  007f9c90e952aeea2d8f73cff3ccd0f747a9c06e (commit)
  replaces  release-3-3-11
 tagged by  Karolin Seeger
on  Mon Mar 8 21:09:38 2010 +0100

- Log -
tag release-3-3-12

Karolin Seeger (3):
  VERSION: Raise version number up to 3.3.12.
  WHATSNEW: Prepare release notes for Samba 3.3.12.
  Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to 
fail to respond to a read or write.

---


-- 
Samba Shared Repository


svn commit: samba-web r1407 - in trunk: . devel history

2010-03-08 Thread kseeger
Author: kseeger
Date: 2010-03-08 14:06:10 -0700 (Mon, 08 Mar 2010)
New Revision: 1407

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1407

Log:
Announce Samba 3.5.1, 3.4.7 and 3.3.12
Karolin
Added:
   trunk/history/samba-3.3.12.html
   trunk/history/samba-3.4.7.html
   trunk/history/samba-3.5.1.html
Modified:
   trunk/devel/index.html
   trunk/header_columns.html
   trunk/history/header_history.html
   trunk/index.html


Changeset:
Modified: trunk/devel/index.html
===
--- trunk/devel/index.html  2010-03-02 06:05:57 UTC (rev 1406)
+++ trunk/devel/index.html  2010-03-08 21:06:10 UTC (rev 1407)
@@ -20,8 +20,8 @@
 3.0.x and 2.2.x versions of Samba, which are no longer in active development.
 /p
 
-pThe latest production release is emSamba 3.5.0/em (a
-href=/samba/history/samba-3.5.0.htmlrelease notes/a and a
+pThe latest production release is emSamba 3.5.1/em (a
+href=/samba/history/samba-3.5.1.htmlrelease notes/a and a
 href=/samba/download/download/a)./p
 
 pWith the release of Samba 3.5.0, the 3.4 series has been turned into

Modified: trunk/header_columns.html
===
--- trunk/header_columns.html   2010-03-02 06:05:57 UTC (rev 1406)
+++ trunk/header_columns.html   2010-03-08 21:06:10 UTC (rev 1407)
@@ -120,20 +120,20 @@
   div class=releases
 h4Current Stable Release/h4
 ul
-lia href=/samba/ftp/stable/samba-3.5.0.tar.gzSamba 3.5.0 
(gzipped)/a/li
-lia href=/samba/history/samba-3.5.0.htmlRelease Notes/a/li
-lia href=/samba/ftp/stable/samba-3.5.0.tar.ascSignature/a/li
+lia href=/samba/ftp/stable/samba-3.5.1.tar.gzSamba 3.5.1 
(gzipped)/a/li
+lia href=/samba/history/samba-3.5.1.htmlRelease Notes/a/li
+lia href=/samba/ftp/stable/samba-3.5.1.tar.ascSignature/a/li
 /ul
 
 h4Historical/h4
 ul
-lia href=/samba/ftp/stable/samba-3.4.6.tar.gzSamba 3.4.6 
(gzipped)/a/li
-lia href=/samba/history/samba-3.4.6.htmlRelease Notes/a/li
-lia href=/samba/ftp/stable/samba-3.4.6.tar.ascSignature/a/li
+lia href=/samba/ftp/stable/samba-3.4.7.tar.gzSamba 3.4.7 
(gzipped)/a/li
+lia href=/samba/history/samba-3.4.7.htmlRelease Notes/a/li
+lia href=/samba/ftp/stable/samba-3.4.7.tar.ascSignature/a/li
 
-lia href=/samba/ftp/stable/samba-3.3.11.tar.gzSamba 3.3.11 
(gzipped)/a/li
-lia href=/samba/history/samba-3.3.11.htmlRelease Notes 
3.3.11/a/li
-lia href=/samba/ftp/stable/samba-3.3.11.tar.ascSignature 
3.3.11/a/li
+lia href=/samba/ftp/stable/samba-3.3.12.tar.gzSamba 3.3.12 
(gzipped)/a/li
+lia href=/samba/history/samba-3.3.12.htmlRelease Notes 
3.3.12/a/li
+lia href=/samba/ftp/stable/samba-3.3.12.tar.ascSignature 
3.3.12/a/li
 
 lia href=/samba/ftp/stable/samba-3.2.15.tar.gzSamba 3.2.15 
(gzipped)/a/li
 lia href=/samba/history/samba-3.2.15.htmlRelease Notes 
3.2.15/a/li

Modified: trunk/history/header_history.html
===
--- trunk/history/header_history.html   2010-03-02 06:05:57 UTC (rev 1406)
+++ trunk/history/header_history.html   2010-03-08 21:06:10 UTC (rev 1407)
@@ -77,7 +77,9 @@
   div class=notes
 h6Release Notes/h6
 ul
+lia href=samba-3.5.1.htmlsamba-3.5.1/a/li
 lia href=samba-3.5.0.htmlsamba-3.5.0/a/li
+lia href=samba-3.4.7.htmlsamba-3.4.7/a/li
 lia href=samba-3.4.6.htmlsamba-3.4.6/a/li
 lia href=samba-3.4.5.htmlsamba-3.4.5/a/li
 lia href=samba-3.4.4.htmlsamba-3.4.4/a/li
@@ -85,6 +87,7 @@
 lia href=samba-3.4.2.htmlsamba-3.4.2/a/li
 lia href=samba-3.4.1.htmlsamba-3.4.1/a/li
 lia href=samba-3.4.0.htmlsamba-3.4.0/a/li
+lia href=samba-3.3.12.htmlsamba-3.3.12/a/li
 lia href=samba-3.3.11.htmlsamba-3.3.11/a/li
 lia href=samba-3.3.10.htmlsamba-3.3.10/a/li
 lia href=samba-3.3.9.htmlsamba-3.3.9/a/li

Added: trunk/history/samba-3.3.12.html
===
--- trunk/history/samba-3.3.12.html (rev 0)
+++ trunk/history/samba-3.3.12.html 2010-03-08 21:06:10 UTC (rev 1407)
@@ -0,0 +1,43 @@
+!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
+html xmlns=http://www.w3.org/1999/xhtml;
+
+head
+titleSamba - Release Notes Archive/title
+/head
+
+body
+
+   H2Samba 3.3.12 Available for Download/H2
+
+p
+pre
+   ==
+   Release Notes for Samba 3.3.12
+   March 8, 2010
+   ==
+
+
+This is a security release in order to address CVE-2010-0728.
+
+
+o  CVE-2010-0728:
+   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
+   was added to fix a problem with Linux asynchronous IO handling.
+   This code introduced a bad security flaw on Linux platforms if the
+   binaries were built on Linux 

svn commit: samba-web r1408 - in trunk/security: .

2010-03-08 Thread kseeger
Author: kseeger
Date: 2010-03-08 14:36:30 -0700 (Mon, 08 Mar 2010)
New Revision: 1408

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1408

Log:
Add security advisory
Karolin
Added:
   trunk/security/CVE-2010-0728.html


Changeset:
Added: trunk/security/CVE-2010-0728.html
===
--- trunk/security/CVE-2010-0728.html   (rev 0)
+++ trunk/security/CVE-2010-0728.html   2010-03-08 21:36:30 UTC (rev 1408)
@@ -0,0 +1,69 @@
+!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
+html xmlns=http://www.w3.org/1999/xhtml;
+
+head
+titleSamba - Security Announcement Archive/title
+/head
+
+body
+
+   H2CVE-2010-0728: /H2
+
+p
+pre
+===
+== Subject: Allowing all file system access even when
+== permissions should have denied access.
+==
+== CVE ID#: CVE-2010-0728
+==
+== Versions:3.3.11, 3.4.6 and 3.5.0
+==
+== Summary: This flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+== capabilities, allowing all file system access to be allowed
+== even when permissions should have denied access.
+===
+
+===
+Description
+===
+
+This flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+capabilities, allowing all file system access to be allowed
+even when permissions should have denied access.
+
+Please note this security problem does not affect any platform that does
+not support capabilities and platforms where binaries were built without
+libcap support.
+Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x
+versions are NOT affected.
+
+
+==
+Patch Availability
+==
+
+A Patch addressing this issue has been posted to:
+
+http://www.samba.org/samba/security/
+
+Additionally, Samba 3.3.12, 3.4.7 and 3.5.1 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==
+Workaround
+==
+
+None available
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+/pre
+/body
+/html
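Review bot: the H2 heading reads "CVE-2010-0728:" with nothing after the colon, so the visible page heading carries no description; put the Subject text from the header block there. The p element opened before pre is not closed before /body. On content, the Description names libcap support as the condition for being affected, but the page gives administrators no way to tell whether their binaries were built with it, and the Workaround section says only "None available"; a sentence on how to check the build would make the advisory actionable for people who cannot upgrade immediately.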



svn commit: samba-web r1409 - in trunk/security: .

2010-03-08 Thread vlendec
Author: vlendec
Date: 2010-03-08 15:00:48 -0700 (Mon, 08 Mar 2010)
New Revision: 1409

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1409

Log:
Mention the bug reporter

Modified:
   trunk/security/CVE-2010-0728.html


Changeset:
Modified: trunk/security/CVE-2010-0728.html
===
--- trunk/security/CVE-2010-0728.html   2010-03-08 21:36:30 UTC (rev 1408)
+++ trunk/security/CVE-2010-0728.html   2010-03-08 22:00:48 UTC (rev 1409)
@@ -59,7 +59,14 @@
 
 None available
 
+===
+Credits
+===
 
+The problem was was reported as
+https://bugzilla.samba.org/show_bug.cgi?id=7222
+by Andreas Matthus andreas.matt...@tu-dresden.de.
+
 ==
 == Our Code, Our Bugs, Our Responsibility.
 == The Samba Team
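Review bot: the first line of the new Credits text has a doubled word, "The problem was was reported as"; drop one "was". The block also publishes the reporter's e-mail address in plain text on a public web page, so confirm the reporter agreed to that or credit by name only.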



[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Michael Adam
The branch, master has been updated
   via  b845025... s3:release-scripts: fix create-tarball to treat vendor 
patch level correctly
  from  8a76352... samba: remove Linux cifs-utils files from samba master 
branch

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b845025daf2da85eb1af6cbfa7878cf59a32f2a6
Author: Michael Adam ob...@samba.org
Date:   Mon Mar 8 23:37:21 2010 +0100

s3:release-scripts: fix create-tarball to treat vendor patch level correctly

---

Summary of changes:
 release-scripts/create-tarball |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/release-scripts/create-tarball b/release-scripts/create-tarball
index 9e6b8fe..94525e0 100755
--- a/release-scripts/create-tarball
+++ b/release-scripts/create-tarball
@@ -196,7 +196,7 @@ function main
 if [ -n $vendor_version ]; then
version=$version-$vendor_version
 fi
-vendor_patch=`grep define SAMBA_VERSION_VENDOR_PATCH $VER_H | awk 
'{print $3}'`
+vendor_patch=`grep define SAMBA_VERSION_VENDOR_PATCH_STRING $VER_H | awk 
'{print $3}'`
 if [ -n $vendor_patch ]; then
version=$version-$vendor_patch
 fi
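Review bot: the changed vendor_patch line still selects the define with an unanchored grep pattern, so any other line in $VER_H that contains SAMBA_VERSION_VENDOR_PATCH_STRING as a substring would also match and put more than one word into vendor_patch, which then ends up in the tarball version string. Matching the macro name exactly on the second field in awk (and dropping the grep) would make the lookup unambiguous.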


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Michael Adam
The branch, master has been updated
   via  9113e14... s3:build: Fix automatic building of vfs_tsmsm if gpfs 
and dmapi are present.
  from  b845025... s3:release-scripts: fix create-tarball to treat vendor 
patch level correctly

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9113e14b291c10c824d2d8ea5cb28ffc0adcb63b
Author: Michael Adam ob...@samba.org
Date:   Mon Mar 8 22:32:41 2010 +0100

s3:build: Fix automatic building of vfs_tsmsm if gpfs and dmapi are present.

Michael

---

Summary of changes:
 source3/configure.in |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/configure.in b/source3/configure.in
index 436f708..f0dabbf 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -2700,7 +2700,7 @@ fi
 
 # Add TSM SM VFS module only if there are both GPFS and DMAPI support
 # Theoretically it should work with AIX JFS2 too but this needs testing
-if test x$samba_cv_HAVE_GPFS = xyes  test x$samba_dmapi_libs != x ; 
then
+if test x$ac_cv_header_gpfs_gpl_h = xyes  test x$samba_dmapi_libs != 
x ; then
 default_shared_modules=$default_shared_modules vfs_tsmsm
 fi
 
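Review bot: the condition now keys on ac_cv_header_gpfs_gpl_h, so vfs_tsmsm is enabled whenever the gpfs_gpl.h header is found, while the comment two lines above still says the module is added only if there is GPFS support. Update the comment to say the test is header presence, and make sure the header check that sets this cache variable runs earlier in configure.in; if it does not, the variable is empty at this point and the module is silently never built.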


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-03-08 Thread Jeremy Allison
The branch, master has been updated
   via  56b13ee... Revert Fix bug #7067 - Linux asynchronous IO (aio) can 
cause smbd to fail to respond to a read or write.
  from  9113e14... s3:build: Fix automatic building of vfs_tsmsm if gpfs 
and dmapi are present.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 56b13ee8edfa434cbca69af17aeea58cc5502b40
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Mar 8 20:34:39 2010 +0100

Revert Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail 
to respond to a read or write.

This reverts commit a6ae7a552f851a31262377cc0e062e40ac20.

This fixes bug #7222 (All users have full rights on all shares) 
(CVE-2010-0728).
(cherry picked from commit 1c9494c76cc9686c61e0966f38528d3318f3176f)

---

Summary of changes:
 source3/include/smb.h |3 +-
 source3/lib/system.c  |   65 +++--
 source3/smbd/server.c |8 --
 3 files changed, 5 insertions(+), 71 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 8d1e148..8674629 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1724,8 +1724,7 @@ minimum length == 24.
 enum smbd_capability {
 KERNEL_OPLOCK_CAPABILITY,
 DMAPI_ACCESS_CAPABILITY,
-LEASE_CAPABILITY,
-KILL_CAPABILITY
+LEASE_CAPABILITY
 };
 
 /*
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 58240a3..5aab441 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -908,11 +908,6 @@ char *sys_getwd(char *s)
 
 #if defined(HAVE_POSIX_CAPABILITIES)
 
-/* This define hasn't made it into the glibc capabilities header yet. */
-#ifndef SECURE_NO_SETUID_FIXUP
-#define SECURE_NO_SETUID_FIXUP  2
-#endif
-
 /**
  Try and abstract process capabilities (for systems that have them).
 /
@@ -943,32 +938,6 @@ static bool set_process_capability(enum smbd_capability 
capability,
}
 #endif
 
-#if defined(HAVE_PRCTL)  defined(PR_SET_SECUREBITS)  
defined(SECURE_NO_SETUID_FIXUP)
-/* New way of setting capabilities as sticky. */
-
-   /*
-* Use PR_SET_SECUREBITS to prevent setresuid()
-* atomically dropping effective capabilities on
-* uid change. Only available in Linux kernels
-* 2.6.26 and above.
-*
-* See here:
-* 
http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
-* for details.
-*
-* Specifically the CAP_KILL capability we need
-* to allow Linux threads under different euids
-* to send signals to each other.
-*/
-
-   if (prctl(PR_SET_SECUREBITS, 1  SECURE_NO_SETUID_FIXUP)) {
-   DEBUG(0,(set_process_capability: 
-   prctl PR_SET_SECUREBITS failed with error %s\n,
-   strerror(errno) ));
-   return false;
-   }
-#endif
-
cap = cap_get_proc();
if (cap == NULL) {
DEBUG(0,(set_process_capability: cap_get_proc failed: %s\n,
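
Review bot: Missing documentation where the PR_SET_SECUREBITS block is removed: nothing left in set_process_capability() records why this securebit must not be set. The deleted comment says the bit stops setresuid() from dropping effective capabilities on uid change, and the commit message ties the revert to CVE-2010-0728 (bug #7222), so a short comment here saying that capabilities have to be dropped on uid change would keep the prctl() call from being reintroduced later.
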
@@ -997,11 +966,6 @@ static bool set_process_capability(enum smbd_capability 
capability,
cap_vals[num_cap_vals++] = CAP_LEASE;
 #endif
break;
-   case KILL_CAPABILITY:
-#ifdef CAP_KILL
-   cap_vals[num_cap_vals++] = CAP_KILL;
-#endif
-   break;
}
 
SMB_ASSERT(num_cap_vals = ARRAY_SIZE(cap_vals));
@@ -1011,37 +975,16 @@ static bool set_process_capability(enum smbd_capability 
capability,
return True;
}
 
-   /*
-* Ensure the capability is effective. We assume that as a root
-* process it's always permitted.
-*/
-
-   if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-   enable ? CAP_SET : CAP_CLEAR) == -1) {
-   DEBUG(0, (set_process_capability: cap_set_flag effective 
-   failed (%d): %s\n,
-   (int)capability,
-   strerror(errno)));
-   cap_free(cap);
-   return false;
-   }
+   cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+   enable ? CAP_SET : CAP_CLEAR);
 
/* We never want to pass capabilities down to our children, so make
 * sure they are not inherited.
 */
-   if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals,
-   cap_vals, CAP_CLEAR) == -1) {
-   DEBUG(0, (set_process_capability: cap_set_flag inheritable 
-   failed (%d): %s\n,
-   (int)capability,
- 
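
Review bot: Missing error check on the restored cap_set_flag(cap, CAP_EFFECTIVE, ...) call: its return value is now ignored, where the removed lines logged the failure, called cap_free(cap) and returned false. That check does not depend on the securebits change being reverted, so consider restoring it in a follow-up (together with the matching check on the CAP_INHERITABLE call, whose replacement is cut off by the truncation) instead of losing it with the revert.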

Build status as of Tue Mar 9 07:00:06 2010

2010-03-08 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2010-03-08 
00:00:20.0 -0700
+++ /home/build/master/cache/broken_results.txt 2010-03-09 00:00:06.0 
-0700
@@ -0,0 +1,21 @@
+Build status as of Tue Mar  9 07:00:06 2010
+
+Build counts:
+Tree Total  Broken Panic 
+build_farm   0  0  0 
+ccache   34 12 0 
+ldb  34 34 0 
+libreplace   33 12 0 
+lorikeet 0  0  0 
+pidl 24 23 0 
+ppp  17 0  0 
+rsync34 13 0 
+samba-docs   0  0  0 
+samba-web0  0  0 
+samba_3_current 32 32 2 
+samba_3_master 32 32 7 
+samba_3_next 29 28 4 
+samba_4_0_test 34 32 1 
+talloc   34 11 0 
+tdb  32 22 0 
+