The branch, v4-1-test has been updated
       via  af95423 s3: client - "client use spnego principal = yes" code checks wrong name.
       via  2f46746 docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
       via  c9a9483 s3:winbind:grent: don't stop group enumeration when a group has no gid
      from  f5e3b94 s3: lib: libsmbclient: If reusing a server struct, check every cli->timout milliseconds if it's still valid before use.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit af954230197daf391c71c521268f17e30610bd7e
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Mar 19 13:10:33 2015 -0700

    s3: client - "client use spnego principal = yes" code checks wrong name.

    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178@please_ignore"

    https://bugzilla.samba.org/show_bug.cgi?id=10888

    Code patch from <martin.wi...@ts.fujitsu.com>

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <me...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Mar 26 00:56:25 CET 2015 on sn-devel-104

    (cherry picked from commit e8932b92016fc7ece3169635fbe3d98cb0caa36b)

    Autobuild-User(v4-1-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-1-test): Sat Mar 28 01:22:31 CET 2015 on sn-devel-104

commit 2f46746071dbea6cdd30d3629899bb473db08afb
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Mar 19 13:09:21 2015 -0700

    docs: Mark 'client use spnego principal' as deprecated and also a bad idea.

    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178@please_ignore"

    https://bugzilla.samba.org/show_bug.cgi?id=10888

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <me...@samba.org>
    (cherry picked from commit c9299bd6a4e86dbec10ab7741056f331a18c44a0)

commit c9a9483aed2056be37f827989ab0fa74970c9fb1
Author: Michael Adam <ob...@samba.org>
Date:   Mon Jan 19 13:51:55 2015 +0100

    s3:winbind:grent: don't stop group enumeration when a group has no gid

    simply continue with the next group

    Note: this patch introduces some code duplication to make it easier
    to create minimal backport patch. Subsequent patches will provide
    some refactoring to reduce the duplication.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=8905
Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 24015224da1f363019d9d2da81ce533463a16abb) ----------------------------------------------------------------------- Summary of changes: .../security/clientusepsnegoprincipal.xml | 7 +++ lib/param/param_table.c | 2 +- source3/libsmb/cliconnect.c | 2 +- source3/winbindd/wb_next_grent.c | 51 +++++++++++++++++++++- 4 files changed, 59 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml index 6ec1eb1..792a738 100644 --- a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml +++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml @@ -14,6 +14,10 @@ servers known only by IP address. Kerberos relies on names, so ordinarily cannot function in this situation. </para> + <para>This is a VERY BAD IDEA for security reasons, and so this + parameter SHOULD NOT BE USED. It will be removed in a future + version of Samba.</para> + <para>If disabled, Samba will use the name used to look up the server when asking the KDC for a ticket. This avoids situations where a server may impersonate another, soliciting authentication @@ -23,6 +27,9 @@ <para>Note that Windows XP SP2 and later versions already follow this behaviour, and Windows Vista and later servers no longer supply this 'rfc4178 hint' principal on the server side.</para> + + <para>This parameter is deprecated in Samba 4.2.1 and will be removed + (along with the functionality) in a later release of Samba.</para> </description> <value type="default">no</value> </samba:parameter> diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 8e3f952..d590bd1 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c 
@@ -739,7 +739,7 @@ static struct parm_struct parm_table[] = { .offset = GLOBAL_VAR(client_use_spnego_principal), .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED, + .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { .label = "username", diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 5255e8a..b545cd9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1670,7 +1670,7 @@ static char *cli_session_setup_get_principal( char *principal = NULL; if (!lp_client_use_spnego_principal() || - strequal(principal, ADS_IGNORE_PRINCIPAL)) { + strequal(spnego_principal, ADS_IGNORE_PRINCIPAL)) { spnego_principal = NULL; } if (spnego_principal != NULL) { diff --git a/source3/winbindd/wb_next_grent.c b/source3/winbindd/wb_next_grent.c index d3b0333..d932384 100644 --- a/source3/winbindd/wb_next_grent.c +++ b/source3/winbindd/wb_next_grent.c 
@@ -168,9 +168,58 @@ static void wb_next_grent_getgrsid_done(struct tevent_req *subreq) status = wb_getgrsid_recv(subreq, talloc_tos(), &domname, &name, &state->gr->gr_gid, &state->members); TALLOC_FREE(subreq); - if (tevent_req_nterror(req, status)) { + + if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { + state->gstate->next_group += 1; + + if (state->gstate->next_group >= state->gstate->num_groups) { + TALLOC_FREE(state->gstate->groups); + + if (state->gstate->domain == NULL) { + state->gstate->domain = domain_list(); + } else { + state->gstate->domain = state->gstate->domain->next; + } + + if ((state->gstate->domain != NULL) && + sid_check_is_our_sam(&state->gstate->domain->sid)) + { + state->gstate->domain = state->gstate->domain->next; + } + + if (state->gstate->domain == NULL) { + tevent_req_nterror(req, + NT_STATUS_NO_MORE_ENTRIES); + return; + } + + subreq = dcerpc_wbint_QueryGroupList_send( + state, state->ev, + dom_child_handle(state->gstate->domain), + &state->next_groups); + if (tevent_req_nomem(subreq, req)) { + return; + } + + tevent_req_set_callback(subreq, + wb_next_grent_fetch_done, req); + return; + } + + subreq = wb_getgrsid_send( + state, state->ev, + &state->gstate->groups[state->gstate->next_group].sid, + state->max_nesting); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, wb_next_grent_getgrsid_done, + req); + return; + } else if (tevent_req_nterror(req, status)) { return; } + if (!fill_grent(talloc_tos(), state->gr, domname, name, state->gr->gr_gid)) { DEBUG(5, ("fill_grent failed\n")); -- Samba Shared Repository
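
Review bot: In docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml, hunk @@ -14,6 +14,10, the new warning says the parameter is a bad idea "for security reasons" but does not name the reason. The risk itself (a server may impersonate another and solicit authentication) is only described in the following "If disabled" paragraph, so a reader skimming the warning has to infer it. Suggest stating in the warning that with the option enabled the client asks the KDC for a ticket using the principal hint the server supplied, rather than the name used to look up the server.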
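
Review bot: In the same file, hunk @@ -23,6 +27,9, the added text says the parameter "is deprecated in Samba 4.2.1", yet this cherry-pick lands on v4-1-test. The version in the paragraph should match the 4.1 release that will carry it, or be worded without a release number. The paragraph also repeats the removal notice already added by the first hunk ("It will be removed in a future version of Samba"); one statement of it is enough.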
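
Review bot: In lib/param/param_table.c, hunk @@ -739,7 +739,7, FLAG_DEPRECATED is set in the table while the documentation change marks deprecation only in prose. The opening samba:parameter tag is outside the context shown for the XML file, so it is not possible to tell from this changeset whether the element also carries a deprecation marker; please confirm the two stay in step so generated documentation and the runtime deprecation warning agree.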
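
Review bot: In source3/libsmb/cliconnect.c, hunk @@ -1670,7 +1670,7, the corrected comparison now passes spnego_principal to strequal() before the `if (spnego_principal != NULL)` test two lines further down, so the function is evidently reachable with a NULL spnego_principal; please confirm strequal() tolerates a NULL argument or add the NULL check to the condition. The old line compared `principal`, which is initialised to NULL immediately above, so the ADS_IGNORE_PRINCIPAL check could never match. A regression test that offers "not_defined_in_RFC4178@please_ignore" as the hint with "client use spnego principal = yes" would keep this from recurring, since the branch is only exercised when that deprecated option is on.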
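
Review bot: In source3/winbindd/wb_next_grent.c, hunk @@ -168,9 +168,58, the NT_STATUS_NONE_MAPPED branch skips the group without logging anything, so an administrator cannot tell which SID was dropped from the enumeration; a DEBUG line naming `state->gstate->groups[state->gstate->next_group].sid` before `next_group += 1` would help. Also, after `TALLOC_FREE(state->gstate->groups)` the branch returns with next_group and num_groups unchanged and relies on wb_next_grent_fetch_done to reset them; that callback is not in the shown context, so please confirm it does. The commit message already acknowledges the duplicated domain-advance block; the `sid_check_is_our_sam` step skips at most one domain per pass, which is worth keeping in mind when the refactoring lands.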