The branch, master has been updated
       via  7dbfeb0 s4-auth: fixed the SID list for DCs in the PAC
       via  65fc066e autobuild: fixed detection of master changes
       via  c0a1cbd s3-selftest: added samba3.posix_s3.rap.printing as a 
knownfail
       via  f1c2702 idl-pac: add a decoder for the pac info ctr
       via  f33fc39 s4-drs: use the system sam_ctx for updaterefs
       via  f3ceec9 s4-spn: don't try to do SPN updates as a RODC
      from  95b56aa libcli/ldap: let ldap_full_packet() use 
asn1_peek_tag_needed_size()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7dbfeb0dc040889244a1110940af2d070f823374
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 19:14:42 2010 -0700

    s4-auth: fixed the SID list for DCs in the PAC
    
    the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
    receives the PAC
    
    Pair-Programmed-With: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    
    Autobuild-User: Andrew Tridgell <[email protected]>
    Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104

commit 65fc066ef43786faae9d4adf8f0941d86315f398
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 19:43:13 2010 -0700

    autobuild: fixed detection of master changes

commit c0a1cbda5d70d2a6e0ffedb07cfaaadc01b0fc8d
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 19:23:02 2010 -0700

    s3-selftest: added samba3.posix_s3.rap.printing as a knownfail
    
    this fails intermittently on sn-devel, Günther suggests adding this to
    knownfail for now

commit f1c2702b268ce2f48cab793422b3c0b7954e9a38
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 19:13:28 2010 -0700

    idl-pac: add a decoder for the pac info ctr
    
    Pair-Programmed-With: Stefan Metzmacher <[email protected]>
    Pair-Programmed-With: Andrew Bartlett <[email protected]>

commit f33fc39f37c21e0d1d5cf926db1a742395f25ea7
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 17:53:14 2010 -0700

    s4-drs: use the system sam_ctx for updaterefs
    
    this is needed for RODC clients calling updaterefs

commit f3ceec9b1b9e0f2a4a40cf25cacbd157fb690de4
Author: Andrew Tridgell <[email protected]>
Date:   Sat Sep 25 17:52:43 2010 -0700

    s4-spn: don't try to do SPN updates as a RODC
    
    we don't have the permissions to do it

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/krb5pac.idl                  |    4 ++++
 script/autobuild.py                     |    7 ++++---
 source3/selftest/knownfail              |    1 +
 source4/auth/auth.h                     |    1 -
 source4/auth/sam.c                      |   16 ++++++++++++++++
 source4/auth/session.c                  |   18 ------------------
 source4/dsdb/samdb/samdb.c              |   10 ----------
 source4/rpc_server/drsuapi/updaterefs.c |   17 +++++++++--------
 source4/scripting/bin/samba_spnupdate   |    4 ++++
 9 files changed, 38 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 24c55b8..d7a99c9 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -122,6 +122,10 @@ interface krb5pac
                [in] PAC_LOGON_INFO logon_info
                );
 
+       void decode_login_info_ctr(
+               [in] PAC_LOGON_INFO_CTR logon_info_ctr
+               );
+
        void decode_pac_validate(
                [in] PAC_Validate pac_validate
                );
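Review bot: The new entry point is named `decode_login_info_ctr`, but its argument type and parameter are spelled `PAC_LOGON_INFO_CTR logon_info_ctr`, and the preceding declaration (whose name is outside this hunk) also takes a `logon_info`. The generated ndrdump function name will carry the "login" spelling, so anyone searching for the decoder by its type name will miss it. Consider `void decode_logon_info_ctr(` so that the function, type and parameter agree.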
diff --git a/script/autobuild.py b/script/autobuild.py
index 4941562..f75ccd7 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -62,12 +62,13 @@ tasks = {
 
 retry_task = [ '''set -e
                 git remote add -t master master %s
+                git fetch master
                 while :; do
                   sleep 60
+                  git describe master/master > old_master.desc
                   git fetch master
-                  git describe > HEAD.desc
-                  git describe > master.desc
-                  diff HEAD.desc master.desc
+                  git describe master/master > master.desc
+                  diff old_master.desc master.desc
                 done
                ''' % samba_master]
 
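Review bot: Because the script runs under `set -e`, a failing `git fetch master` or `git describe master/master` inside the loop ends the task exactly as a non-empty `diff old_master.desc master.desc` does. A transient network error therefore cannot be told apart from a real change on master. `git describe` also fails when no annotated tag is reachable, so comparing `git rev-parse master/master` output would be the more direct test of whether the ref moved. If a fetch failure should not count as a change, the in-loop fetch could be written as `git fetch master || continue`.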
diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
index 4e9906d..da38f88 100644
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -1 +1,2 @@
 .*printer.*print_test_extended # fails on some hosts due to timing issues ?
+samba3.posix_s3.rap.printing # fails sometimes on sn-devel
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ce583c8..2f0af02 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -46,7 +46,6 @@ struct loadparm_context;
 
 #define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default 
world and network groups */
 #define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 
'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC  0x04 /* Add the user to the 
'enterprise DC' group */
 
 struct auth_serversupplied_info
 {
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f..bdbf690 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX 
*mem_ctx,
                                                  server_info);
        }
 
+       if (server_info->acct_flags & ACB_SVRTRUST) {
+               /* the SID_NT_ENTERPRISE_DCS SID gets added into the
+                  PAC */
+               server_info->domain_groups = talloc_realloc(server_info,
+                                                           
server_info->domain_groups,
+                                                           struct dom_sid *,
+                                                           
server_info->n_domain_groups+1);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, 
server_info);
+               server_info->domain_groups[server_info->n_domain_groups] =
+                       dom_sid_parse_talloc(server_info->domain_groups,
+                                            SID_NT_ENTERPRISE_DCS);
+               
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+                                                 server_info);
+               server_info->n_domain_groups++;
+       }
+
        server_info->authenticated = true;
 
        talloc_free(tmp_ctx);
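Review bot: The new `if (server_info->acct_flags & ACB_SVRTRUST)` block adds SID_NT_ENTERPRISE_DCS without a comment explaining why no domain-membership test is needed here, while the same commit removes the `dom_sid_in_domain()` check from auth_generate_session_info in source4/auth/session.c. Presumably accounts reaching authsam_make_server_info always come from the local SAM, and a server receiving a PAC now takes S-1-5-9 from whatever group list the PAC carries. If so the comment should say it, e.g. `/* account is from our own SAM, so a DC here is a DC of this domain; servers accepting a PAC rely on the issuing KDC for S-1-5-9 */`. It is also worth confirming that PACs arriving over a trust are filtered for this SID, since nothing visible in this change re-checks it on the accepting side. The enclosing function starts and ends outside the hunk.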
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bd1be8e..68d03ae 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX 
*mem_ctx,
        } else if (dom_sid_equal(system_sid, server_info->account_sid)) {
                /* Don't expand nested groups of system, anonymous etc*/
        } else if (auth_context) {
-               if (server_info->acct_flags & ACB_SVRTRUST) {
-                       dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-                       if (dom_sid) {
-                               if (dom_sid_in_domain(dom_sid, 
server_info->account_sid)) {
-                               session_info_flags |= 
AUTH_SESSION_INFO_ENTERPRISE_DC;
-                               } else {
-                                       DEBUG(2, ("DC %s is not in our domain.  
"
-                                                 "It will not have Enterprise 
Domain Controllers membership on this server",
-                                                 server_info->account_name));
-                               }
-                       } else {
-                               DEBUG(2, ("Could not obtain local domain SID, "
-                                         "so can not determine if DC %s is a 
DC of this domain.  "
-                                         "It will not have Enterprise Domain 
Controllers membership",
-                                         server_info->account_name));
-                       }
-               }
-               
                groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, 
server_info->n_domain_groups);
                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
                if (!groupSIDs) {
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 32698ea..637da4f 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -202,16 +202,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
                ptoken->num_sids++;
        }
 
-       if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
-               ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct 
dom_sid, ptoken->num_sids + 1);
-               NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-               if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, 
&ptoken->sids[ptoken->num_sids])) {
-                       return NT_STATUS_INTERNAL_ERROR;
-               }
-               ptoken->num_sids++;
-       }
-
        for (i = 0; i < n_groupSIDs; i++) {
                size_t check_sid_idx;
                for (check_sid_idx = 1; 
diff --git a/source4/rpc_server/drsuapi/updaterefs.c 
b/source4/rpc_server/drsuapi/updaterefs.c
index a41eec8..3863ac7 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -125,25 +125,26 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state 
*b_state, TALLOC_CTX *mem_ct
 {
        WERROR werr;
        struct ldb_dn *dn;
+       struct ldb_context *sam_ctx = 
b_state->sam_ctx_system?b_state->sam_ctx_system:b_state->sam_ctx;
 
        DEBUG(4,("DsReplicaUpdateRefs for host '%s' with GUID %s options 0x%08x 
nc=%s\n",
                 req->dest_dsa_dns_name, GUID_string(mem_ctx, 
&req->dest_dsa_guid),
                 req->options,
                 drs_ObjectIdentifier_to_string(mem_ctx, req->naming_context)));
 
-       dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, req->naming_context->dn);
+       dn = ldb_dn_new(mem_ctx, sam_ctx, req->naming_context->dn);
        if (dn == NULL) {
                return WERR_DS_INVALID_DN_SYNTAX;
        }
 
-       if (ldb_transaction_start(b_state->sam_ctx) != LDB_SUCCESS) {
+       if (ldb_transaction_start(sam_ctx) != LDB_SUCCESS) {
                DEBUG(0,(__location__ ": Failed to start transaction on samdb: 
%s\n",
-                        ldb_errstring(b_state->sam_ctx)));
+                        ldb_errstring(sam_ctx)));
                return WERR_DS_DRA_INTERNAL_ERROR;              
        }
 
        if (req->options & DRSUAPI_DRS_DEL_REF) {
-               werr = uref_del_dest(b_state->sam_ctx, mem_ctx, dn, 
&req->dest_dsa_guid, req->options);
+               werr = uref_del_dest(sam_ctx, mem_ctx, dn, &req->dest_dsa_guid, 
req->options);
                if (!W_ERROR_IS_OK(werr)) {
                        DEBUG(0,("Failed to delete repsTo for %s: %s\n",
                                 GUID_string(mem_ctx, &req->dest_dsa_guid),
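Review bot: With every ldb call in drsuapi_UpdateRefs moved to `b_state->sam_ctx_system`, the repsTo writes in `uref_del_dest()` and `uref_add_dest()` (this hunk and the two that follow) presumably no longer depend on the caller's own database access, and no authorization check is visible in the function before the transaction starts. If that check lives in the RPC entry point, which is outside this diff, the `sam_ctx` declaration should carry a comment saying so, e.g. `/* system ctx: caller must already be authorized; an RODC cannot write repsTo with its own token */`. It is also worth verifying that `req->dest_dsa_guid` belongs to the authenticated caller before acting on it, so that one client cannot add or delete references on behalf of another DSA. The function body continues past this hunk.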
@@ -164,7 +165,7 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state 
*b_state, TALLOC_CTX *mem_ct
                dest.source_dsa_obj_guid = req->dest_dsa_guid;
                dest.replica_flags       = req->options;
 
-               werr = uref_add_dest(b_state->sam_ctx, mem_ctx, dn, &dest, 
req->options);
+               werr = uref_add_dest(sam_ctx, mem_ctx, dn, &dest, req->options);
                if (!W_ERROR_IS_OK(werr)) {
                        DEBUG(0,("Failed to add repsTo for %s: %s\n",
                                 GUID_string(mem_ctx, 
&dest.source_dsa_obj_guid),
@@ -173,16 +174,16 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state 
*b_state, TALLOC_CTX *mem_ct
                }
        }
 
-       if (ldb_transaction_commit(b_state->sam_ctx) != LDB_SUCCESS) {
+       if (ldb_transaction_commit(sam_ctx) != LDB_SUCCESS) {
                DEBUG(0,(__location__ ": Failed to commit transaction on samdb: 
%s\n",
-                        ldb_errstring(b_state->sam_ctx)));
+                        ldb_errstring(sam_ctx)));
                return WERR_DS_DRA_INTERNAL_ERROR;              
        }
 
        return WERR_OK;
 
 failed:
-       ldb_transaction_cancel(b_state->sam_ctx);
+       ldb_transaction_cancel(sam_ctx);
        return werr;
 }
 
diff --git a/source4/scripting/bin/samba_spnupdate 
b/source4/scripting/bin/samba_spnupdate
index c675a54..7c9ed4f 100755
--- a/source4/scripting/bin/samba_spnupdate
+++ b/source4/scripting/bin/samba_spnupdate
@@ -102,6 +102,10 @@ except ldb.LdbError, (num, msg):
     print("Unable to open sam database %s : %s" % (lp.get("sam database"), 
msg))
     sys.exit(1)
 
+if samdb.am_rodc():
+    # don't try and update SPNs on RODC
+    exit(0)
+
 # get the substitution dictionary
 sub_vars = get_subst_vars(samdb)
 
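Review bot: The added RODC guard calls the bare `exit(0)`, while the error path two lines above uses `sys.exit(1)`. The bare `exit` is injected by the `site` module and is not guaranteed to exist in every interpreter setup, so `sys.exit(0)` is the consistent and safer form. The comment could also state the reason given in the commit message, e.g. `# an RODC has no permission to update SPNs; nothing to do`, so the silent success is understandable to whoever reads the script later.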


-- 
Samba Shared Repository
