[Samba] slow perf without winbind nested groups = no and ldap backend

2007-11-26 Thread jean-marc pouchoulon

Hello samba list,

We are using a Samba (3.0.25b-1.el5_1.2) PDC (users are in an LDAP
backend).
Performance was bad and there were errors until I set winbind nested
groups = no in smb.conf.

I saw this post
http://lists.samba.org/archive/samba-technical/2005-May/040946.html
saying

> What I would like to do is to make clear that people should always use
> idmap_ldap when they use ldapsam.

I have no need for winbind and no idmap backend is set.

Am I wrong?
What is the link with the winbind nested groups option?

Thanks in advance for your answers.


jmp


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] useradd scripts

2007-11-26 Thread Dimitris Theoharis
Hi
Can someone please explain to me exactly how these scripts work? How can
I have them automatically add users etc.?
If I use them like this I get the NT STATUS CONNECTION REFUSED errors

   # Useradd scripts
   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos  %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usernod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
   idmap uid = 15000-2
   dmap gid = 15000-2
   template shell = /bin/bash



The Samba server is a standalone server. This is my conf. Please advise:


[global]
log file = /var/log/samba/log.%m
template homedir = //192.168.10.198/home/%U
hide unreadable = yes
logon drive = H:
hide dot files = yes
null passwords = no
hosts allow = ALL
netbios name = Master
server string = %h server (Samba, Debian)
logon script = \\192.168.10.198\netlogon\%U.bat
workgroup = OCR
logon path = \\192.168.10.198\%U
security = user
domain logons = yes
log level = 3
winbind cache time = 10
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
 comment = Homes
 browseable = yes
 writable = yes
 valid users = %S
 read only = no
 create mode = 0600
 directory mode = 0700
 path = /home/%U


[Samba] NTConfig.POL

2007-11-26 Thread Dimitris Theoharis
Hi
Where do I find the above script, so I can place it in my netlogon folder?
Thanks


[Samba] samba profiles

2007-11-26 Thread Sven Buchstaller
Hi list

I've got a small problem: I use ATM 3x Samba servers

1x PDC
1x BDC
1x Fileserver

ATM I have all profiles/homes on the PDC, but I need them on the BDC too.

I think the best way is to move the /homes to the Fileserver.

And now comes my problem: what must I change in the smb.conf?

Logon path = \\fileserver\profiles\.msprofiles
Logon home =\\fileserver\profiles\%U\9xprofile

And on the share:

[profiles]
comment = Network Profiles Service
path =  /Data/samba/home  ---that's my DIR where the files are

Is this OK?

[global]
workgroup = Domain
server string = Samba
map to guest = Bad User
passdb backend = ldapsam:ldap://server.intern
log level = 3
log file = /var/log/samba/%U.log
debug uid = Yes
smb ports = 139
deadtime = 120
printcap name = /etc/printcap
logon script = logon.bat
logon path = \\%L\profiles\.msprofile
logon drive = H:
logon home = \\%L\%U\.9xprofile

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = %H
read only = No
acl check permissions = No
create mask = 0600
directory mask = 0700
profile acls = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes

THX for support/help



Re: [Samba] NTConfig.POL

2007-11-26 Thread Adam Tauno Williams

> Where do I find the above script, so I can place it in my netlogon folder?

Above?  I assume you mean NTConfig.pol from the subject.  

(a) it isn't a script
(b) YOU create it with the policy editor (poledit.exe)
(c) Not a Samba question,  policies are a Windows domain administration
issue, entirely, 110%.  In an NT4 domain (which is what Samba 3
provides) the DC doesn't actually do anything in relation to policies
other than serve the file at a prescribed location.

http://www.microsoft.com/technet/archive/winntas/maintain/featusability/prof_pol.mspx?pf=true

-- 
Adam Tauno Williams, Network  Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



Re: [Samba] NTConfig.POL

2007-11-26 Thread Oscar Mas

Dimitris Theoharis wrote:

> Hi
> Where do I find the above script, so I can place it in my netlogon folder?
> Thanks

The script is netlogon.bat, but it is not part of Samba; it is registry
(regedit) keys of W$. Example:


server:~# vi netlogon.bat

@echo off
title Policy My Enterprise
rem Home Page Internet Explorer
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.fiac.es" /f

rem Start Classic
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSimpleStartMenu /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSimpleStartMenu /t REG_DWORD /d 1 /f

rem Synchronize time with the server
net time \\192.168.30.11 /set /yes


--
ilimit...


*Oscar Mas*
[EMAIL PROTECTED]

SYSTEMS AREA
0034 937 333 375
VOLTA 1, PIS 5
08224 TERRASSA.BCN

This message is confidential and is intended solely for the person to whom it
was sent.
It may contain private information subject to professional secrecy, the
distribution of which is prohibited by current legislation.




[Samba] DFS enumeration on a Samba hosted DFS tree.

2007-11-26 Thread Sean
I've translated a Windows based DFS tree to a Samba based (3.0.23c)
one and it seems to work quite well from Windows Explorer and cmd.exe.
First off, I have a relatively big tree.

grep dfscmd /root/dfs.cmd | wc -l
1614

One issue I've noticed is that tree enumeration and manipulation from a
Windows machine to a Samba based DFS root just doesn't work at all.

For instance dfscmd.exe (a long time friend):
dfscmd /view \\SERVER\dfs
\\SERVER\array
\\SERVER\dfs\ROOT_LINK
\\SERVER\\
\\SERVER\\

This is pretty interesting since first item is the 'other share' on
the machine (not the DFS share) which shouldn't be enumerated in the
output at all (AFAIK).
The second is the only link in the root of the dfs tree.
Not sure what to make of the tail two entries here.

As well I've written up a small tool to check each link in the DFS
tree (to detect broken links) using the Win32 API function NetDfsEnum.
Basically (this is going to get pretty mangled):

result = NetDfsEnum(argv[1], 3, MAX_PREFERRED_LENGTH, (LPBYTE *)&root, &numEntries, &hResume);
while (result == ERROR_SUCCESS) {
    for (iterator = 1; iterator <= numEntries; iterator++) {
        info = dfsEntry->Storage;
        for (numStorage = dfsEntry->NumberOfStorages; numStorage > 0; numStorage--) {
            swprintf_s(buffer, MAX_PATH, L"%s\\%s\\*", info->ServerName, info->ShareName);
            // If you can list the contents of a UNC, odds are it isn't broken.
            hFind = FindFirstFile(buffer, &FindFileData);
        }
    }
    result = NetDfsEnum(argv[1], 3, MAX_PREFERRED_LENGTH, (LPBYTE *)&root, &numEntries, &hResume);
}

This obviously is not complete but basically this will run infinitely
because it will resolve the same output as dfscmd but if you noticed
the last two links are self referential so we've got a recursive
infinite loop going on.  Taking out the while loop obviously fixes the
problem (and assuming NetDfsEnum will always return the entire tree on
the first invocation [not a valid assumption]) but still I can't
resolve the tree properly programmatically since I get the same output
as dfscmd.exe.

Now I've figured out that the NetDfsEnum RPC call is returning this
stuff because most of my links are pretty deep.  Meaning I have a
large tree of folders with DFS links being the leafs of the tree.
When Samba lists the dfs root it sees the 'root' folders and the one
DFS link (which could account for the trailing '\\SERVER\\' links
though there are more than 2 folders in the root).

ssh [EMAIL PROTECTED] ls -l /home/dfs
total 20
drwxr-xr-x  10 nobody  nogroup   512 Nov 26 09:52 .
drwxr-xr-x   5 root    wheel     512 Nov 26 08:46 ..
drwxr-xr-x   5 root    nogroup   512 Nov 26 09:52 A
drwxr-xr-x   5 root    nogroup   512 Nov 26 09:52 B
drwxr-xr-x   4 root    nogroup   512 Nov 26 09:52 C
drwxr-xr-x   4 root    nogroup   512 Nov 26 09:52 D
lrwxr-xr-x   1 root    nogroup    25 Nov 26 09:52 ROOT_LINK -> msdfs:serverb\array

So it looks like the Samba NetDfsEnum handler doesn't recurse into
directories (understandable though annoying for me) nor results in any
usable enumeration of a hosted dfs tree.

So my question here is how do you suggest I enumerate the Samba hosted
DFS tree from a Windows machine reliably?
There doesn't seem to be a deterministic way of enumerating the leaf
nodes of the tree, which if there was then I can just make new or
update the tools I have to use that (ie. traverse the share tree
looking for DFS leaf nodes and return filtered result links).

As well I'm going to assume that NetDfsAdd* NetDfsMove* and
NetDfsRemove* will also not work as I can't use dfscmd.exe to map or
unmap anything in the Samba hosted tree (response is always 'Access is
denied', yet the DFS root folder and sub-folders are all owned by the
guest user).

-- 
Sean
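
An added example, not part of Sean's post and not Samba code: a server-side way to list every DFS link in a tree like the one above, run on the Samba host itself. It relies on Samba storing each link as a symlink whose target starts with msdfs: (as the ls output shows), with several referrals separated by commas. The function names, the sample tree and the \\SERVER\dfs prefix are assumptions.

```python
import os
import tempfile

MSDFS_PREFIX = "msdfs:"


def parse_msdfs_target(target):
    """Split an msdfs symlink target into (server, share_path) referrals.

    Returns None when the symlink is an ordinary one, not a DFS link.
    """
    if not target.startswith(MSDFS_PREFIX):
        return None
    referrals = []
    for alternative in target[len(MSDFS_PREFIX):].split(","):
        # Accept either slash direction and drop any leading separators.
        alternative = alternative.strip().replace("/", "\\").lstrip("\\")
        if alternative:
            server, _, share_path = alternative.partition("\\")
            referrals.append((server, share_path))
    return referrals


def enumerate_dfs_links(dfs_root, unc_prefix):
    """Walk the whole directory tree and return every DFS link, however deep.

    Result: sorted list of (client-visible UNC path, [(server, share), ...]).
    Symlinks are never followed, so the walk cannot loop.
    """
    links = []
    for dirpath, dirnames, filenames in os.walk(dfs_root, followlinks=False):
        # msdfs targets do not exist locally, so os.walk reports them as files;
        # checking both lists also catches targets that happen to resolve.
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            referrals = parse_msdfs_target(os.readlink(full))
            if referrals is None:
                continue
            relative = os.path.relpath(full, dfs_root).replace(os.sep, "\\")
            links.append((unc_prefix + "\\" + relative, referrals))
    return sorted(links)


def incomplete_links(links):
    """UNC paths of links with a referral that lacks a server or a share."""
    return [unc for unc, referrals in links
            if not referrals or any(not srv or not share for srv, share in referrals)]


if __name__ == "__main__":
    # Constructed sample tree: one root link and one leaf link two levels down.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "A", "dept"))
        os.symlink("msdfs:serverb\\array", os.path.join(root, "ROOT_LINK"))
        os.symlink("msdfs:srv1\\data,srv2\\data",
                   os.path.join(root, "A", "dept", "LEAF"))
        found = enumerate_dfs_links(root, "\\\\SERVER\\dfs")
        for unc, referrals in found:
            targets = ", ".join("\\\\" + s + "\\" + p for s, p in referrals)
            print(unc, "->", targets)
        print("incomplete:", incomplete_links(found))
```

The resulting list of UNC paths can be handed to a Windows-side checker so that it tests each leaf directly instead of depending on NetDfsEnum.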


[Samba] Winbind / AIX 5.3 returns incomplete user information

2007-11-26 Thread Jérôme Oufella
Hi,

We are facing a problem on AIX 5.3 (latest patch) where the following
behavior happens. Reproduced with versions of samba from 3.0.23 to
3.0.26a.


# Normal behavior :
# id and id username should return the same info
#
[EMAIL PROTECTED]:/# id
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

[EMAIL PROTECTED]:/# id root
uid=0(root) gid=0(system)
groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)



# Now let's su to a winbind user :
[EMAIL PROTECTED]:/# su winuser1

# Running id only returns the user's principal group.
# This also affects file ownership checks in smbd, which is our main problem.
[EMAIL PROTECTED]:/# id
uid=10013(winuser1) gid=10002(domain users)


# while id user returns the full list :

[EMAIL PROTECTED]:/$ id winuser1
uid=10013(winuser1) gid=10002(domain users)
groups=10283(lint-lecsysteme-gpic-inventaire),10277(lint-lecsysteme),10224(lint-lec
ysteme-imax),10186(lint-lecsysteme-gpic),10162(lint-lecsysteme-txtele),10132(gint-app-lecinstructdocfisc),10119(gint-prd-lecs
steme-txtele),10118(gint-dev-lecconstatsinfractions),10819(gsamba),10106(gint-prd-lecsysteme),10101(gint-prd-lecresshum-abonn
bus),10094(gint-prd-lecsysteme-gpic),10090(gint-prd-lecsysteme-imax),10084(gint-prd-lecdgpar-interne),10083(gint-app-lecproji
pact),10077(gint-app-lecdgpar-bd),10063(gint-prd-lecdgpar),10050(gint-prd-lecsysteme-gpic-inventaire),10048(gint-prd-lecsonda
e-rev_loi-reg),10047(gint-prd-lecdgppb),10046(gint-app-lecdgpar),10039(rdgppb-utilisateursbd),10037(gint-prd-lecdgppb-bd),100
8(gint-prd-lectelecommunication),10016(gint-prd-lecinfojuridique),10006(gint-prd-lecdgpar-bd),10001(BUILTIN\users)

# lsuser also returns the normal/full list, as the previous command.

Is there anyone having success with winbind on this system /release ?

Regards,

Jerome



[Samba] Query a Windows 2003 AD server for specific information

2007-11-26 Thread Rondall Stewart
The Question:  What command do I use to query a Windows 2003 AD server to 
return the Organizational Unit of a specific user? Also, what would be the 
command that would return the “Home Directory” path as specified in the Account 
Properties of the Windows 2003 account?

The Environment: Windows 2003 Domain with 1 plus users
8000 Windows 2k/XP workstations
1100 Terminal Clients connecting to SuSE Linux Enterprise Server 10
Authentication between Linux and Windows using Samba Version 
3.0.24-2.28-1354-SUSE-CODE10
Winbind Version 3.0.24-2.28-1354-SUSE-CODE10

All users have a “home directory”  located on a Windows server.  The path is 
set in their AD account and  mapped to H: When they login to a XP or 2000 
workstation.  This is setup in a school district.  Users can be either logged 
into windows or into Linux.   

The path to the home directory is ODD at best.  I didn't set it up, nor can I 
change it.

For teachers they are mapped to \\server\teachers\”username”
For students it is a little more complicated.  Each school has its own OU.  
Therefore, the Windows admins created a path that is similar to this 
\\server\”OUname”\”username”  The problem is there are 1 students divided 
between 30 OUs.

Thanks in advance.





[Samba] Pls delete this off the internet IMMEDIATELY

2007-11-26 Thread patrick . r . bussey
http://groups.google.com/group/linux.samba/browse_thread/thread/d669e5e24f24e1f6/236c73e8a362b5e6?hl=enq=jpmchase.com#236c73e8a362b5e6

-
This communication is for informational purposes only. It is not
intended as an offer or solicitation for the purchase or sale of
any financial instrument or as an official confirmation of any
transaction. All market prices, data and other information are not
warranted as to completeness or accuracy and are subject to change
without notice. Any comments or statements made herein do not
necessarily reflect those of JPMorgan Chase & Co., its subsidiaries
and affiliates.

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and any
attachments are believed to be free of any virus or other defect
that might affect any computer system into which it is received and
opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by JPMorgan Chase &
Co., its subsidiaries and affiliates, as applicable, for any loss
or damage arising in any way from its use. If you received this
transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard
copy format. Thank you.

Please refer to http://www.jpmorgan.com/pages/disclosures for
disclosures relating to UK legal entities.


Re: [Samba] Pls delete this off the internet IMMEDIATELY

2007-11-26 Thread Ryan Novosielski
You've got to be kidding.

If it was something you sent to a mailing list, forget it, it's
hopeless. You may get it removed from one place, but there are so many
places that archive mailing lists that when it leaves your machine, it's
out there.

=R

[EMAIL PROTECTED] wrote:
> http://groups.google.com/group/linux.samba/browse_thread/thread/d669e5e24f24e1f6/236c73e8a362b5e6?hl=enq=jpmchase.com#236c73e8a362b5e6
 
- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

Re: [Samba] Strange file permissions

2007-11-26 Thread Mark Adams

Is sgid on the top level dir?

Also have you tried force group samba option?

Mark.


On 24 Nov 2007, at 13:13, DNL [EMAIL PROTECTED] wrote:


Hi
I have a samba server with tdbsam passwords, and a share, PROJECTS,
which is accessed by various XP home clients, the usernames and passwords
being manually synced to the samba ones (less than 10 users, and only 4
workstations). There is one win2K machine, which is a domain member.
Subdirectories on PROJECTS have g+s set, so only users
who are members of specific Linux groups have access to the files in them.
Recently, a laptop with XP professional has been connected, and the user
on it can access the correct directories, but when he edits or creates a
file, the group owner and file permissions are wrong:

/home/projects/cp/CP 2007# ls -alt
total 2932
drwxrwsrw-  4 daniel  cp  4096 2007-11-24 12:35 .
-r  1 haffers BUILTIN\users 197120 2007-11-24 12:34 CP 11 Nova.xls
-rw-rw-rw-  1 haffers BUILTIN\users 199168 2007-11-23 19:47 CP 10 Octa.xls
drwxrwsrwx  2 daniel  cp  4096 2007-11-23 19:34 FORMS 2007
-rw-rw-rw-  1 haffers BUILTIN\users 299520 2007-11-23 19:20 2007 ANALYSIS.xls
drwxrws--- 26 dnl cp  4096 2007-11-23 15:37 ..
-r  1 haffers BUILTIN\users 197120 2007-11-23 14:40 CP 10 Oct.xls
-rwxrwx---  1 haffers cp196608 2007-11-18 18:51 CP 11 Nov.xls
-rwxrwx---  1 haffers cp192512 2007-11-18 17:47 CP 09 Sep.xls


The files he creates are therefore unusable until permissions are changed.
Various searches on the internet and reading of the Samba documentation
have failed to give me any idea on why this is happening, or how to put it
right. How is Samba managing to not respect the Linux g+s bit?
How do I make this system work correctly? Can you assist?


Background information:
The log-on of the user on the XP professional machine:

# tail -14 andylap.old
[2007/11/24 01:32:01, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] - [haffers]
- [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

# head -24 andylap
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] - [haffers]
- [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:14:36, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:14:36, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root

The most recent problem file in that log:
/var/log/samba# grep Nova andylap
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11 Nova.xls read=Yes write=No  
(numopen=3)

 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11 Nova.xls read=No write=No  
(numopen=4)

 haffers closed file cp/CP 2007/CP 11 Nova.xls (numopen=3)
 haffers closed file cp/CP 2007/CP 11 Nova.xls (numopen=2)
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting from cp/CP 2007
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inherit mode 42776
 haffers opened file cp/CP 2007/CP 11 
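
An added example, not part of this thread and not Samba code: a check to run on the server that answers the sgid question above for a whole project tree at once. It reports directories without the setgid bit, entries whose group differs from their setgid parent, and files the group cannot read and write. The function name, the finding labels and the sample tree are assumptions.

```python
import os
import stat
import tempfile

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP


def audit_group_inheritance(root):
    """Return a sorted list of (path relative to root, issue) findings.

    Issues reported:
      "directory lacks setgid"           - new files here will not inherit the group
      "group differs from setgid parent" - entry escaped the intended group
      "group lacks read/write"           - file unusable for other group members
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath)
        parent_setgid = bool(parent.st_mode & stat.S_ISGID)
        if not parent_setgid:
            findings.append((os.path.relpath(dirpath, root),
                             "directory lacks setgid"))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            child = os.lstat(full)
            if stat.S_ISLNK(child.st_mode):
                continue  # a symlink's own owner and mode are not meaningful here
            relative = os.path.relpath(full, root)
            if parent_setgid and child.st_gid != parent.st_gid:
                findings.append((relative, "group differs from setgid parent"))
            if stat.S_ISREG(child.st_mode) and (child.st_mode & GROUP_RW) != GROUP_RW:
                findings.append((relative, "group lacks read/write"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for a project share.
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "projects")
        os.mkdir(share)
        os.chmod(share, 0o2770)              # g+s, as intended for the share
        plain = os.path.join(share, "FORMS")
        os.mkdir(plain)
        os.chmod(plain, 0o770)               # setgid missing on a subdirectory
        report = os.path.join(share, "report.xls")
        open(report, "w").close()
        os.chmod(report, 0o400)              # readable by the owner only
        for path, issue in audit_group_inheritance(share):
            print(path + ": " + issue)
```

Run it as a user that can read the whole tree; the group comparison uses numeric gids, so it does not depend on how winbind renders names such as BUILTIN\users.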

Re: [Samba] Share root directory appears in subdirectories. (Well, can't actually see it but can cd into it, even if its not there.) (Serious bug?)

2007-11-26 Thread Mark Adams

Check your filesystem.

Reminder, unmount then fsck.ext3 /my/dev/path

Mark.


On 24 Nov 2007, at 14:58, Wiesner Thomas [EMAIL PROTECTED]  
wrote:


Additionally to the problems I reported earlier, I've discovered
another problem with my server/client setup.


find reports

find: WARNING: Hard link count is wrong for ./foo: this may be a bug in your filesystem driver.
Automatically turning on find's -noleaf option.  Earlier results may have failed to include directories that should have been searched.


in one directory and if I browse this directory I see
completely wrong files in it (actually, I seem to see the contents
of the upper level directory). This problem doesn't appear with
Win2K clients and the filesystem itself is OK.

Samba version 3.0.24 on the server (Debian Etch), according to smbd -V.

As mount helper I use mount.cifs, compiled from samba-3.0.26a.
The kernels on the server and client are the Debian default kernels (2.6.18-5-486
and 2.6.18-5-686).


The directory structure looks like:
/dir1/dir2/dir3

where dir2 is the mountpoint.

If I 'cd' into dir4 from dir3, I see the contents of dir2. It may
have to do with the fact that the name of dir4 is the
same as dir2 ...

Example:
/coffee/cup$ ls
 Dir contents of cup
/coffee/cup$ cd foo
/coffee/cup/foo$ ls
 cup, water
/coffee/cup/foo$ cd cup
/coffee/cup/foo/cup$ ls
 The contents of /coffee/cup and not of /coffee/cup/foo/cup are shown and I can even access those wrong files!


This seems to be a definite bug in either Samba or the filesystem
driver. This may even be a security hole in some way.
(Can't think of any now, but who knows.)

I played around a bit and found out the following: the problem
appears when a directory has the same name as the mount point.

I can even 'cd' into a directory which isn't there:

(Mount point is gstorage, share name is gstorage too, don't know if
this matters, I haven't investigated it)

/cifsmounts/gstorage$ cd anydir
/cifsmounts/gstorage/anydir$ cd gstorage
/cifsmounts/gstorage/anydir/gstorage$
Crazy. I seem to be in the root of the share again(!), even if the
directory gstorage doesn't exist in 'anydir'.
I called it anydir, because it works from any directory (but it must
be one level below the share root).
In /cifsmounts/gstorage/anydir/gstorage I can see the contents of
the root of the share, again. If there is a dir with the share name
the contents are overridden, like described above.

I've tried this on a client running 2.6.22.10. Same problem from
this one too. Seems to be either an undiscovered kernel or Samba bug.



 Kind regards, Wiesner Thomas


RE: [Samba] Access control question.

2007-11-26 Thread Matt Lozier
Hi Andrew,

Thanks for this.  I did think about using ACLs, but even if I set this up
(for *every* directory that our users need access to) won't they still be
able to *see* those directories even if they don't have r/w/x permission?

I'm looking for a way to setup user permissions so that they can only see
that which they have access to.

Thanks again for the pointer, and if any thoughts come to mind, please do
share!

---
Matt Lozier
IT Analyst
972.644.2581, ext. 248
972.661.2701  fax
 

 
The information contained in this message or any attached document is
confidential and intended only for the individual(s) or entity to which it
is addressed.   The information should be considered privileged and
confidential.  If you are not the intended recipient, you are hereby
notified that any unauthorized use of the information contained in or
transmitted with the communication, or dissemination, distribution, or
copying of this communication is strictly prohibited by law.  If you have
received this communication in error, please inform the sender by
immediately returning this communication to the sender and then deleting the
original message and any copy of it in your possession.
-Original Message-
From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 22, 2007 8:34 AM
To: Matt Lozier; samba@lists.samba.org
Subject: RE: [Samba] Access control question.

Hi Matt,

You may wish to look into the 'setfacl' command.

http://bama.ua.edu/cgi-bin/man-cgi?setfacl+1

Hope this helps!

--- 

 -Original Message-
 From: Matt Lozier [mailto:[EMAIL PROTECTED] 
 Sent: 21 November 2007 17:39
 To: Andrew Sherlock-CF; samba@lists.samba.org
 Subject: RE: [Samba] Access control question.
 
 Hi Andrew,
 
 Thank you for your response.  The only problem with going 
 this route is that
 I really need to have finer grain control over what the users 
 are able to
 access.
 
 I have situations where user1 needs to have access to 
 /smbshare/dir1 and
 dir3 then user2 needs to have access to /smbshare/dir1/subdir1 and
 /smbshare/dir3, but *no* access to /smbshare/dir1.  I suppose 
 that the real
 problem lies in the poor setup of the root /smbshare.  
 However, any changes
 to this configuration are out of the question because too 
 many people who
 are resistant to change already understand things the way they are ;-)
 
 If I understand LDAP properly (I'm new to this technology) 
 then I should be
 able to store user permissions in the LDAP database, no?
 
 Thanks,
 Matt
 
 
 -Original Message-
 From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, November 21, 2007 11:07 AM
 To: Matt Lozier; samba@lists.samba.org
 Subject: RE: [Samba] Access control question.
 
 Is it out of the question to create many different shares and then
 secure the system on a per-share basis?
 
 I'm securing shares individually using Active Directory.
 In each share config I have:
 valid [EMAIL PROTECTED] @MR_ADGROUP_FOR_READING
 write [EMAIL PROTECTED]
 read [EMAIL PROTECTED]
 
 Create different groups for each share and you're golden.
 
 Of course, this model can be followed without AD.
 
 --- 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
  g] On Behalf Of Matt Lozier
  Sent: 21 November 2007 15:58
  To: samba@lists.samba.org
  Subject: [Samba] Access control question.
  
  Hello,
  
  I have a general administrative question concerning Samba shares.
  
  I have a large amount of data that about 25 users have limited access to.  I
  only want these users to have access to a sub-set of this data, but I also
  only want the users to see that which they have access to.
  
  So, for example, suppose that the share looks like thus:
  
  /smbshare
  /smbshare/dir1
  /smbshare/dir2
  /smbshare/dir3
  
  And I only want the users to see that they have access to /smbshare/dir1 and
  /smbshare/dir3.  The way that this is currently setup is that I have
  symlinks from the user's home directory to /smbshare/dir1 and
  /smbshare/dir3.  That way then the user maps their home share, they only see
  dir1 and dir3 - dir2 is out of sight, and thus (hopefully) out of mind.
  
  Is there a better way to implement what I'm trying to do?  I'm currently
  looking into setting up permissions as an LDAP directory and using this as
  the means to control access to the data - have also considered using ACLs -
  not sure which way to go!
  
  Any and all help / input is appreciated.
  
  Thank you,
  
  Matt
  
  
 
 http://www.bbc.co.uk/
 This e-mail (and any attachments) is confidential and may 
 contain personal
 views which are not the views of the BBC unless specifically stated.
 If you have received it in error, please delete it from 

[Samba] [samba pdc] serverbased profiles doesn't load at winxp login

2007-11-26 Thread Christian
I've installed Samba 3 on Debian 4; the Samba server should act as a PDC.

At the moment it works that users can log in on my clients (all Windows XP Pro
SP2), the home drive is mapped correctly; the only thing that doesn't work is
that the server-based profile is saved automatically on the server, so that
the user can download the profile at login.

Here is my smb.conf:

[global]
 workgroup = lecture
 server string = %h server
 netbios name = samba_pdc
 interfaces = 127.0.0.1, 192.168.10.0/24
 hosts allow = 127.0.0.1, 192.168.10.0/24
 hosts deny = all
 map to guest = Bad User
 passwd program = /usr/bin/passwd %u
 passwd chat = *password* %n\n *password* %n\n *changed*
 passwd chat debug = yes
#username map = /etc/samba/smbusers
 unix password sync = yes
 log level = 2
 passdb backend = smbpasswd
 encrypt passwords = yes
 log file = /var/log.%m

#Samba as PDC

 domain logons = yes
 preferred master = Yes
 domain master = Yes
 os level = 65
#netbios name = samba_pdc
 logon path = \\%L\home\samba\profiles\%U
 logon drive = Z:
 logon script = logon.bat
 wins support = yes
 name resolve order = wins lmhosts host bcast
 admin users = root
 security = user
#guest ok = no
 encrypt passwords = yes
 null passwords = no

[homes]
 comment = Home Directories
 valid users = %S
 read only = no
 inherit acls = yes
 browseable = no

[profiles]
 comment = Network Profiles Service
 path = /home/samba/profiles
 read only = no
 create mask = 0600
 directory mask = 0700
 store dos attributes = yes
 browsable = no
 guest ok = no
 printable = no
#hide files = /desktop.ini/outlook*.Ink/*Briefcase*/

[public]
 comment = Public
 path = /home/samba/public
 browseable = yes
 create mask = 0777
 directory mask = 0777
 guest ok = yes
 writeable = yes
 share modes = yes

[netlogon]
 comment = Network Logon Service
 path = /home/samba/netlogon
 writeable = no
 browseable = no

 

i created the directories of the profiles manually, and give the rights 0777
(for testing). i assigned the profiles to their owners.

here is the log (with an error!):


[2007/11/13 15:52:15, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:15, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain LECTURE - S-1-5-21-1599594011-1679142555-2671711842
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/13 15:52:18, 0] smbd/service.c:make_connection()
  x20 (192.168.10.2) couldn't find service home
[2007/11/13 15:52:18, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.10.2)
[2007/11/13 15:52:18, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root

 

(x20 is the netbios name of a client)

The Server is pingable from the clients with ip and the netbios name! for
tests i also set the smb-server as wins and dns on the clients - with the
same error on login.

when a user logs in onto a client the user profile doesnt load, and a error
message pop up, for about 30 seconds, with the circa message: the
networkname cant be found.

the profiles are set to serverbased on the clients (its the standard).

i dont know if its important, but: the clients login through vpn (the vpn
server is the same machine as the samba server), vpn seems to work
correctly.

sorry for my bad english. hope someone can help.

chris

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
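
The `couldn't find service home` line in the log above is smbd reporting the share component of a UNC path it was asked for, and the posted `logon path` names a share called `home`. The following added example (not from the original post or from Samba; the function names and the trimmed configuration excerpt are constructed here) checks that every share named in `logon path` or `logon home` has a matching section:

```python
import re

# Constructed excerpt: only the parameters and section names from the posted
# smb.conf that matter for profile loading; every other line is omitted.
POSTED_CONF = r"""
[global]
 workgroup = lecture
 netbios name = samba_pdc
 domain logons = yes
 logon path = \\%L\home\samba\profiles\%U
 logon drive = Z:
#guest ok = no

[homes]
 valid users = %S
 browseable = no

[profiles]
 path = /home/samba/profiles
 read only = no

[public]
 path = /home/samba/public

[netlogon]
 path = /home/samba/netlogon
"""

# Global parameters whose value is a UNC path that clients resolve at logon.
UNC_PARAMS = ("logon path", "logon home")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and repeated spaces in parameter names.
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def unc_share(value):
    # UNC layout: two backslashes, server, one backslash, share, optional path.
    match = re.match(r"^\\\\[^\\]+\\([^\\]+)", value)
    return match.group(1) if match else None


def unresolved_logon_shares(text):
    """Return (parameter, share) pairs whose share has no section in the file."""
    conf = parse_smb_conf(text)
    defined = set(conf) - {"global"}
    findings = []
    for param in UNC_PARAMS:
        value = conf.get("global", {}).get(param)
        share = unc_share(value) if value else None
        if share is None:
            continue
        name = share.lower()
        if name == "%u" and "homes" in defined:
            continue  # [homes] publishes a share named after each user
        if name not in defined:
            findings.append((param, share))
    return findings


if __name__ == "__main__":
    for param, share in unresolved_logon_shares(POSTED_CONF):
        print(f"{param}: share '{share}' is not defined in this smb.conf")
```

Run against the excerpt, it reports `logon path` pointing at the undefined share `home`; a value that starts at a defined share, such as `\\%L\profiles\%U`, passes the check.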


Re: [Samba] [samba pdc] serverbased profiles doesnt load at winxp login

2007-11-26 Thread John Drescher
 You did not mention what the exact problem is. My guess is you need
 profile acls = yes in your profiles share.

Sorry that is at the end of your email. Possibly this is a nmbd problem.

John


Re: [Samba] [samba pdc] serverbased profiles doesnt load at winxp login

2007-11-26 Thread John Drescher
 at the moment it work that user can login on my clients (all windows xp pro
 sp2), the homedrive is mapped correctly, the only thing that doesn't work, is
 that the serverbased profile is saved automatically on the server, so that
 the user can download the profile at login.


You did not mention what the exact problem is. My guess is you need
profile acls = yes in your profiles share.

John


[Samba] Upgraded from 3.0.24 to 3.0.27a now no admin permissions

2007-11-26 Thread Gary MacKay
I have verified all of the net groupmap list groups are still mapped 
right. The net rpc  commands show the proper SID's and users that are 
members of the adm (unix) and Domain Admins groups. Everything seems 
correct, except that now there are no admin privileges. All users can 
log in to the server and their workstations fine. The problem is that all of 
the users who are members of the Domain Admins group do not have admin 
rights now. What changed?? All I did was download the tarball for 
3.0.27a and run the RHEL/makerpms.sh script. After that I just did a rpm 
-Uvh samba*.rpm and it upgraded with no errors.





[Samba] Point-and-Print driver problems with unprivileged users on XP

2007-11-26 Thread Marcus Sobchak [EMAIL PROTECTED]
Hi,

I've problems to install printer drivers as a normal user with
unprivileged rights on WinXP in a samba 3.0.24 domain (debian etch)
using the Point-and-Print mechanism. I've read Volker Lendecke's Samba
book on page 131 footnote 1, which mentions enabling point and print.
Which reg keys do I have to set to install drivers by Point and Print?
I've set keys like described in

  http://support.microsoft.com/kb/319939/en

but this does not work? Installing the drivers from the print$ share
working as domain admin works fine. Therefore I think I've
forgotten to set some rights on the local XP machine.

smb.conf:

[global]

load printers = yes
printing = cups
printcap name = cups



[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700

[print$]
comment = Drucker Treiber
path = /var/lib/samba/printers
browseable = yes
read only = yes 
guest ok = no
write list = root, ntadmin

Cheers,
Marcus



Re: [Samba] Strange file permissions

2007-11-26 Thread DNL



Mark Adams wrote:

Is sgid on the top level dir?

Set for subdirectory cp, but not for projects as different directories at that 
level require no access control
/projects/cp# ls -al
total 164
drwxrws--- 26 dnl     cp   4096 2007-11-23 15:37 .
drwxr-xr-x 17 root    root 4096 2007-11-16 22:35 ..
drwxrws---  2 daniel  cp   4096 2007-06-18 11:52 4 Spencer Close
drwxrws---  2 daniel  cp   4096 2007-09-01 19:20 Addresses



Also have you tried force group samba option?
My understanding is that this would force the same group for all the PROJECT share, but I only want it for a subdirectory. Am I forced into 
making projects/cp a separate share and using this samba option?


Mark.

Thanks for your response.
Dave.



On 24 Nov 2007, at 13:13, DNL [EMAIL PROTECTED] wrote:


Hi
I have a samba server with tdbsam passwords, and a share, PROJECTS,
which is accessed by various XP home clients, the usernames and passwords
being manually synced to the samba ones (less than 10 users, and only 4
workstations). There is one win2K machine, which is a domain member. 
Subdirectories on PROJECTS have g+s set, so only users,
who are members of specific Linux groups, have access to the files in 
them.

Recently, a laptop with XP professional has been connected, and the user
on it can access the correct directories, but when he edits or creates a
file, the group owner and file permissions are wrong:

/home/projects/cp/CP 2007# ls -alt
total 2932
drwxrwsrw-  4 daniel  cp  4096 2007-11-24 12:35 .
-r  1 haffers BUILTIN\users 197120 2007-11-24 12:34 CP 11 Nova.xls
-rw-rw-rw-  1 haffers BUILTIN\users 199168 2007-11-23 19:47 CP 10 Octa.xls
drwxrwsrwx  2 daniel  cp  4096 2007-11-23 19:34 FORMS 2007
-rw-rw-rw-  1 haffers BUILTIN\users 299520 2007-11-23 19:20 2007 ANALYSIS.xls
drwxrws--- 26 dnl cp  4096 2007-11-23 15:37 ..
-r  1 haffers BUILTIN\users 197120 2007-11-23 14:40 CP 10 Oct.xls
-rwxrwx---  1 haffers cp 196608 2007-11-18 18:51 CP 11 Nov.xls
-rwxrwx---  1 haffers cp 192512 2007-11-18 17:47 CP 09 Sep.xls

The files he creates are therefore unusable until permissions are 
changed.

Various searches on the internet and reading of the Samba documentation
have failed to give me any idea on why this is happening, or how to put it
right. How is Samba managing to not respect the Linux g+s bit? How 
do I make this system work correctly? Can you assist?


Background information:
The log-on of the user on the XP professional machine:

# tail -14 andylap.old
[2007/11/24 01:32:01, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] - [haffers]
- [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

# head -24 andylap
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 1] smbd/service.c:close_cnum(1150)
andylap (192.168.0.168) closed connection to service projects
[2007/11/24 11:13:20, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [haffers] - [haffers]
- [haffers] succeeded
[2007/11/24 11:13:20, 2] smbd/utmp.c:sys_utmp_update(419)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2007/11/24 11:13:20, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:13:20, 1] smbd/service.c:make_connection_snum(950)
andylap (192.168.0.168) connect to service projects initially as user
haffers (uid=529, gid=502) (pid 17358)
[2007/11/24 11:13:20, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving projects as a Dfs root
[2007/11/24 11:14:36, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.168)
[2007/11/24 11:14:36, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root

The most recent problem file in that log:
/var/log/samba# grep Nova andylap
 unix_mode(cp/CP 2007/CP 11 Nova.xls) inheriting 

Re: [Samba] Wondering if there is an option like banner

2007-11-26 Thread Michael Heydon
I'm not 100% sure (I've only ever used security = user), but I believe 
you can still have map to guest = bad user, they may still be prompted 
for a username and password but they could put in almost anything 
(except a valid username) and they would be granted access.


The man page only says that map to guest isn't valid with security =
share, which suggests that it should work when you are authing against
another server.


*Michael Heydon - IT Administrator *



Max León wrote:

Well while the global option security is still set as server, it will prompt
for a user and a password, I do have it set to a guest account, which I
designated to nobody but the user must know this and this is why I'm looking
for an easy embedded way to let them be aware of it.


On 11/23/07, Koenraad Lelong [EMAIL PROTECTED] wrote:

Max León wrote:

Hi everyone,
I have been googling quite a bit and going through the samba documentation
looking for something like a banner for a share and nothing came up.
I need to setup a public share on a server that is currently running with
server security, so I added the nobody account to the smbpasswd with null
password, but I want to set a banner on the share that let people know
this.  Is this possible?
Running samba 3.0.26a on slackware 12.0


Thanks so much.

There is a comment field for the share.

Regards,
Koenraad Lelong.


Re: [Samba] smb.conf question. multiple /home/shares

2007-11-26 Thread Michael Heydon
Have a look at the section of the man page regarding  the [homes] share. 
It will do all this automatically.


In its simplest form

[homes]
read only = no

will share everyone's home directory read write as \\server\username.


*Michael Heydon - IT Administrator *


Dimitris Theoharis wrote:

Hi

This is what i want to do :
each windows pc will have its own /home/username on this samba server.
for example i have added 3 users so far and my .conf is like this :
[george]
   comment = Home
   path = /home/george
   #valid users = %S
   read only = no
   browsable = yes
[trandism]
   comment = Home
   path = /home/trandism
   read only = no
   browsable = yes
[xristoforos]
   comment = Home
   path = /home/xristoforos
   read only = no
   browsable = yes


now , when each user logs in will he get a \\serverip\username on his
explorer window?

i will include here my smb.conf too . make any suggestions you want ;)


cat /etc/samba/smb.conf
[global]
log file = /var/log/samba/log.%m
hide unreadable = yes
logon drive = H:
hide dot files = yes
null passwords = no
hosts allow = ALL
netbios name = Master
server string = %h server (Samba, Debian)
logon script = \\192.168.10.198\netlogon\%U.bat
workgroup = OCR
logon path = \\192.168.10.198\%U
security = user
domain logons = yes
log level = 3
winbind cache time = 10

   #passdb backend = tdbsam
   #username map = /etc/samba/smbusers
   #name resolve order = lmhosts bcast hosts
   #preferred master = yes
   #os level = 65

   # Default logon


   # Useradd scripts
   #add user script = /usr/sbin/adduser --quiet --disabled-password --gecos  %u
   #delete user script = /usr/sbin/userdel -r %u
   #add group script = /usr/sbin/groupadd %g
   #delete group script = /usr/sbin/groupdel %g
   #add user to group script = /usr/sbin/usernod -G %g %u
   #add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
   #idmap uid = 15000-2
   #idmap gid = 15000-2
   #template shell = /bin/bash

   # set the loglevel

  #[public]
   #path = /home/shares
   #browseable = yes
   #public = yes
   #write list = @users


[george]
   comment = Home
   path = /home/george
   #valid users = %S
   read only = no
   browsable = yes
[trandism]
   comment = Home
   path = /home/trandism
   read only = no
   browsable = yes
[xristoforos]
   comment = Home
   path = /home/xristoforos
   read only = no
   browsable = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   read only = no
   guest ok = yes
   writable = no
   #share modes = no

[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mode = 0600
   directory mode = 0700
   writable = yes
   browsable = no
   guest ok = no

[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes
  



[Samba] LDAP logonHours problem

2007-11-26 Thread Peter Molnar
Hi!

I have a problem according to the logonHours setting in my Samba Domain.

Users are in LDAP, and everyone has a logonHours attribute, which could be:

- login is possible at any time
- login is only possible between 7AM and 12PM (midnight), 7h-24h in 24
hours format, I'm going to use 24h format here in this post.

Samba manual states that logonHours is a 168 bit mask, starting with
Sunday 0h-1h, each bit represents an hour of the week, converted into
Hex.

Therefore:

For 'any time' login, I'm using
FF This works, users who
have this in logonHours, can log in at any time.

For logins limited to 7h-24h, I'm using:
01010101010101

Here comes the problem, the limited users cannot log in before 10h,
they get the error out of login time. Samba log says the same, and
the timestamp there is correct.

Saturday in the morning, I've tried setting different logonHours
attributes on my own account, to see which one should be 1 to let me
log in at that time (between 7h and 8h)

Surprisingly, I got this: 40

Well, it's 6 hours earlier than I expected, but OK, let's try this
mask: 7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0

It worked in the morning but in the afternoon, it didn't.

What could be the problem? My calculations are bad, or timezone
problem (Hungary, central european time, UTC+1)? Can anyone please
send me a working logonHours string, or calculate the correct string
for logins 7h-24h.

Until we figure out what's wrong, can I override the LDAP logonHours
attributes from smb.conf, to allow everyone to log in, at any time?

Regards,
Peter


Re: [Samba] Re: XFS and inherit permissions bug?

2007-11-26 Thread David Disseldorp
Hi

On Fri, 09 Nov 2007 15:05:22 +0100
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hello
 
 Here are some more informations.
 
 General infos on my Samba configuration
 ###
 
 The server is a Debian Etch with distro kernel & Samba package
 (2.6.18-5-686 & 3.0.24-6etch4).
 Users shell is set to /bin/false, they are only accessing this server
 through Samba.
 
 All files are owned by user root (Administrator) and group
 smb-Administrators (Domain Admins). The basic rights are rwx for root
 and smb-Administrators and nothing for other.
 The inherit permissions parameter is set in smb.conf for Administrator
 user and Domain Admins group to have access to all the files, the
 inherit owner is set to have all files owned by user root, and all
 folders are setgid to have all files owned by group smb-Administrators.
 
 The users get their access rights using acls and the inherit acls
 parameter is set in smb.conf.
 
 The windows attributes (archive, hidden and system) are stored in
 extended attributes.

Finally got to the bottom of this one. To sum it up, the setgid bit is lost
by XFS under certain circumstances when performing acl_set_file() as non 
root during inherit_access_acl().

This is different to how EXT3 behaves in this case - setgid remains.

Samba 3.0.24 source/smbd/vfs.c:
370 int vfs_MkDir(connection_struct *conn, const char *name, mode_t mode)
371 {
372 int ret;
373 SMB_STRUCT_STAT sbuf;
374
375 if(!(ret=SMB_VFS_MKDIR(conn, name, mode))) {
376
377 inherit_access_acl(conn, name, mode);

After this there is a check whether any high mode bits are lost (setgid):

384 if(mode & ~(S_IRWXU|S_IRWXG|S_IRWXO) &&
385 !SMB_VFS_STAT(conn,name,&sbuf) && (mode & ~sbuf.st_mode))
386 SMB_VFS_CHMOD(conn,name,sbuf.st_mode | (mode & ~sbuf.st_mode));

Only problem is the SMB_VFS_CHMOD does a chmod_acl() which eventually ends up
calling acl_set_file(), and we're back to where we started ;)

Anyhow this patch for 3.0.24 should fix the setgid inheritance problem:

- start patch -
Index: samba-3.0.24.vanilla/source/smbd/posix_acls.c
===
--- samba-3.0.24.vanilla.orig/source/smbd/posix_acls.c  2007-11-02 
11:12:05.338179162 +1100
+++ samba-3.0.24.vanilla/source/smbd/posix_acls.c   2007-11-22 
17:09:31.351873317 +1100
@@ -3450,7 +3450,12 @@
if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
goto done;

+   /*
+* high mode bits (SGID) may be lost if acl_set_file is not run as root
+*/
+   become_root();
ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, 
posix_acl);
+   unbecome_root();

  done:
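
Review bot: the become_root()/unbecome_root() pair added around SMB_VFS_SYS_ACL_SET_FILE means the ACL on `to` is now written with root credentials, so the filesystem no longer checks that the connected user may change that file, and nothing in the visible lines establishes that the caller has already verified this. Please state in the new comment (or assert in the code) which earlier check the call relies on. The elevated section is rightly limited to the single call, with chmod_acl_internals still run as the user, but because the call is path-based it is worth confirming that `to` cannot be replaced by a symlink between that earlier check and the privileged call. The comment would also be more useful if it named XFS and the setgid-on-mkdir case it works around, so the elevation can be dropped once the filesystem behaviour is fixed.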
- end patch -

The XFS team are looking into the issue. Thanks again for your bug report.

Cheers, Dave

 
 
 Reproducing the problem
 ###
 
 In the base dir of one of my shares I have:
 
 [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/
 total 436
 drwxrws---+  7 root smb-Administrators .
 drwxr-xr-x  16 root root   ..
 drwxrws---+ 11 root smb-Administrators ARCHIVES_INF
 drwxrws---+  5 root smb-Administrators BROUILLON_INF
 -rw-rwx---+  1 root smb-Administrators DCI-INF-L-001-F.xls
 drwxrws---+ 10 root smb-Administrators ESPACE_INF
 drwxrws---+  6 root smb-Administrators ESPACE_INF_PUBLIC
 drwxrws---+  2 root smb-Administrators MODELES_INF
 [EMAIL PROTECTED]:~ # getfacl /srv/samba/data_inf/
 getfacl: Removing leading '/' from absolute path names
 # file: srv/samba/data_inf
 # owner: root
 # group: smb-Administrators
 user::rwx
 group::rwx
 group:smb-Inf:rwx
 group:smb-Bme-Fr:r-x
 mask::rwx
 other::---
 
 From a Windows client I create a new dir test1:
 
 [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/
 total 440
 drwxrws---+  8 root smb-Administrators .
 drwxr-xr-x  16 root root   ..
 drwxrws---+ 11 root smb-Administrators ARCHIVES_INF
 drwxrws---+  5 root smb-Administrators BROUILLON_INF
 -rw-rwx---+  1 root smb-Administrators DCI-INF-L-001-F.xls
 drwxrws---+ 10 root smb-Administrators ESPACE_INF
 drwxrws---+  6 root smb-Administrators ESPACE_INF_PUBLIC
 drwxrws---+  2 root smb-Administrators MODELES_INF
 drwxrwx---+  2 root smb-Administrators test1
 [EMAIL PROTECTED]:~ # getfacl /srv/samba/data_inf/test1/
 getfacl: Removing leading '/' from absolute path names
 # file: srv/samba/data_inf/test1
 # owner: root
 # group: smb-Administrators
 user::rwx
 group::rwx
 group:smb-Inf:rwx
 group:smb-Bme-Fr:r-x
 mask::rwx
 other::---
 
 The test1 dir is owned by the group smb-Administrators because the . dir
 is setgid, but it is not setgid.
 From a Windows client I create a new dir test2 in dir test1:
 
 [EMAIL PROTECTED]:~ # ll /srv/samba/data_inf/test1/
 total 16
 drwxrwx---+ 3 root smb-Administrators   18 2007-11-09 14:37 .
 drwxrws---+ 8 root smb-Administrators 4096 2007-11-09 14:33 ..
 drwxrwx---+ 2 root 

Re: [Samba] Installation problem of SAMBA 3.0.23a on HP-UX 11.23

2007-11-26 Thread Eric Roseme
Ryan is correct for both topics.  Go here to get the correct compiler 
(4.2.2):


http://hpux.cs.utah.edu/hppd/hpux/Gnu/gcc-4.2.2/

Also, if you are attempting to compile and install 3.0.23a, you should 
consider using HP CIFS Server 3.0h, which is Samba 3.0.22 plus fixes 
from each release through 3.0.25.  It's free for HP-UX:


http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

This is an easy download, install and configure.

Eric Roseme
Hewlett-Packard

Ryan Novosielski wrote:


A compile of Samba requires HP's AnsiC (non-bundled) compiler, or GCC.
At least, I'm pretty sure that's the case.

Anyhow, CIFS/9000 is pretty up-to-date these days. You might consider
not bothering and just installing that from HP.

=R

Béland wrote:

To whom it may concern,
 
 
There was no problem at all with the installation of the Depot.
 
Before running the ./configure command I'm setting the following variables like this (as it's mentioned in the README file) :
 
export CFLAGS=-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\\\smbnull\\\

export CPPFLAGS=-I/opt/iexpress/openldap/include
export LDFLAGS=-L/opt/iexpress/openldap/lib
 
Here is the 'configure' command that I'm using (as it's mentioned in the README file) 
 
./configure \

--sbindir=\${BINDIR} \
--with-krb5  \
--with-ldap \
--with-ldapsam \
--with-ads \
--with-libiconv=/usr/local \
--with-quotas   \
--prefix=/usr/local/samba \
--with-acl-support \
--with-winbind \
--with-pam \
--with-sendfile-support \
--with-shared-modules=idmap_rid \
--disable-pie \
--with-aio-support

And here is the output of that command :
 
SAMBA VERSION: 3.0.23a

checking for gcc... no
checking for cc... cc
checking for C compiler default output file name... configure: error: C compiler
 cannot create executables
See `config.log' for more details.
 
 
And here is the output of the config.log :
 
This file contains any messages produced by compilers while

running configure, to aid debugging if configure makes a mistake.
 
It was created by configure, which was

generated by GNU Autoconf 2.59.  Invocation command line was
 
  $ ./configure --sbindir=${BINDIR} --with-krb5 --with-ldap --with-ldapsam --wit

h-ads --with-libiconv=/usr/local --with-quotas --prefix=/usr/local/samba --with-
acl-support --with-winbind --with-pam --with-sendfile-support --with-shared-modu
les=idmap_rid --disable-pie --with-aio-support
 
## - ##

## Platform. ##
## - ##
 
hostname = trsoracle01

uname -m = ia64
uname -r = B.11.23
uname -s = HP-UX
uname -v = U
 
/usr/bin/uname -p = unknown

/bin/uname -X = unknown
 
/bin/arch  = unknown

/usr/bin/arch -k   = unknown
/usr/convex/getsysinfo = unknown
hostinfo   = unknown
/bin/machine   = unknown
/usr/bin/oslevel   = unknown
/bin/universe  = unknown
 
PATH: /usr/bin

PATH: /usr/sbin
PATH: /sbin
 


## --- ##
## Core tests. ##
## --- ##
 
configure:1901: checking for gcc

configure:1930: result: no
configure:1981: checking for cc
configure:1997: found /usr/bin/cc
configure:2007: result: cc
configure:2171: checking for C compiler version
configure:2174: cc --version /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2177: $? = 0
configure:2179: cc -v /dev/null 5
configure:2182: $? = 0
configure:2184: cc -V /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2187: $? = 0
configure:2210: checking for C compiler default output file name
configure:2213: cc -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\ -D_SAMBA_BUILD_
-I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c  5
(Bundled) cc: warning 922: -O is unsupported in the bundled compiler, ignored.
Error 100: command line, line 0 # String and character constants cannot span
 lines.
configure:2216: $? = 2
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME 
| #define PACKAGE_TARNAME 
| #define PACKAGE_VERSION 
| #define PACKAGE_STRING 
| #define PACKAGE_BUGREPORT 
| /* end confdefs.h.  */
|
| int
| main ()
| {
|
|   ;
|   return 0;
| }
configure:2254: error: C compiler cannot create executables
See `config.log' for more details.
 
##  ##

## Cache variables. ##
##  ##
 
ac_cv_env_CC_set=''

ac_cv_env_CC_value=''
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=-I/opt/iexpress/openldap/include
ac_cv_env_CPP_set=''
ac_cv_env_CPP_value=''
ac_cv_env_LDFLAGS_set=set
ac_cv_env_LDFLAGS_value=-L/opt/iexpress/openldap/lib
ac_cv_env_build_alias_set=''
ac_cv_env_build_alias_value=''
ac_cv_env_host_alias_set=''
ac_cv_env_host_alias_value=''
ac_cv_env_target_alias_set=''
ac_cv_env_target_alias_value=''
ac_cv_prog_ac_ct_CC=cc
libc_cv_fpie=no
 
## - ##

## Output variables. ##
## - ##
 
ACL_LIBS=''

AR=''
AUTH_LIBS=''
AUTH_MODULES=''

Re: [Samba] Access control question.

2007-11-26 Thread Josh Kelley
On Nov 26, 2007 3:13 PM, Matt Lozier [EMAIL PROTECTED] wrote:
 Thanks for this.  I did think about using ACLs, but even if I set this up
 (for *every* directory that our users need access to) won't they still be
 able to *see* those directories even if they don't have r/w/x permission?

Add hide unreadable = yes to your smb.conf.

Josh Kelley


[Samba] map to guest in share definition?

2007-11-26 Thread Tim Bates

Is it possible to use map to guest in a single share?
We have 2 or 3 shares where I want this behavior, but for most I would 
like to not use it due to issues with home directories with bad users.


I would simply try moving that line to a share definition to see what 
happens, but I don't want to break a live server to test (and have no 
spare Samba boxes right now).


Tim B



Re: [Samba] map to guest in share definition?

2007-11-26 Thread Michael Heydon
As I understand it, the client is authenticated before it specifies 
which share it wants (except under share level security) so having map 
to guest as a per share setting isn't possible.


Couldn't you just specify guest ok = no on the other shares? what issues 
with home directories?


We have several shares with guest access, several without and a homes 
share and haven't had any problems.


*Michael Heydon - IT Administrator *



Tim Bates wrote:

Is it possible to use map to guest in a single share?
We have 2 or 3 shares where I want this behavior, but for most I would 
like to not use it due to issues with home directories with bad users.


I would simply try moving that line to a share definition to see what 
happens, but I don't want to break a live server to test (and have no 
spare Samba boxes right now).


Tim B



Re: ***SPAM*** [Samba] LDAP logonHours problem

2007-11-26 Thread Peter Eser
Some time ago I fiddled a lot with sambaLogonHours. The 2 main problems I can
think of were:

Sunday is the first 6 FF, but the first hour is the most RIGHT bit
of this FF

sambaLogonHours is in UTC so you have to calc with your timezone (and that
is weird with daylight saving times, because I believe the bits must be
shuffled when daylight saving time changes)

This was all trial and error, I did not find documentation which was precise
enough. No warranties.



- Original Message -
From: Peter Molnar [EMAIL PROTECTED]
To: samba@lists.samba.org
Sent: Tuesday, November 27, 2007 12:18 AM
Subject: ***SPAM*** [Samba] LDAP logonHours problem


 Hi!

 I have a problem according to the logonHours setting in my Samba Domain.

 Users are in LDAP, and everyone has a logonHours attribute, which could
be:

 - login is possible at any time
 - login is only possible between 7AM and 12PM (midnight), 7h-24h in 24
 hours format, I'm going to use 24h format here in this post.

 Samba manual states that logonHours is a 168 bit mask, starting with
 Sunday 0h-1h, each bit represents an hour of the week, converted into
 Hex.

 Therefore:

 For 'any time' login, I'm using
 FF This works, users who
 have this in logonHours, can log in at any time.

 For logins limited to 7h-24h, I'm using:
 01010101010101

 Here comes the problem, the limited users cannot log in before 10h,
 they get the error out of login time. Samba log says the same, and
 the timestamp there is correct.

 Saturday in the morning, I've tried setting different logonHours
 attributes on my own account, to see which one should be 1 to let me
 log in at that time (between 7h and 8h)

 Surprisingly, I got this: 40

 Well, it's 6 hours earlier than I expected, but OK, let's try this
 mask: 7FFFC07FFFC07FFFC07FFFC07FFFC07FFFC07FFFC0

 It worked in the morning but in the afternoon, it didn't.

 What could be the problem? My calculations are bad, or timezone
 problem (Hungary, central european time, UTC+1)? Can anyone please
 send me a working logonHours string, or calculate the correct string
 for logins 7h-24h.

 Until we figure out what's wrong, can I override the LDAP logonHours
 attributes from smb.conf, to allow everyone to log in, at any time?

 Regards,
 Peter
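The bit layout described in the reply above (Sunday first, lowest bit of each byte is the earliest hour, everything in UTC), worked through in Python as an added example that is not part of the original thread or of Samba's code. The function names and the whole-hour `utc_offset_hours` parameter are assumptions made for illustration; the `7FFFC0...` mask is the one quoted in the original question.

```python
from datetime import datetime, timedelta, timezone

WEEK_HOURS = 7 * 24           # 168 one-hour slots
MASK_BYTES = WEEK_HOURS // 8  # 21 bytes, written as 42 hex digits


def _check_offset(utc_offset_hours):
    # One bit per whole hour: only whole-hour UTC offsets map exactly.
    if not isinstance(utc_offset_hours, int):
        raise ValueError("UTC offset must be a whole number of hours")


def _parse(hex_mask):
    raw = bytes.fromhex(hex_mask)
    if len(raw) != MASK_BYTES:
        raise ValueError("expected 42 hex digits (168 bits)")
    return raw


def daily_window(start_hour, end_hour):
    """Local (weekday, hour) slots for the same window on all seven days.

    Weekday 0 is Sunday; end_hour is exclusive, so 7h-24h is daily_window(7, 24).
    """
    return [(day, hour) for day in range(7) for hour in range(start_hour, end_hour)]


def encode_logon_hours(local_slots, utc_offset_hours):
    """Build the hex mask for slots given in local time."""
    _check_offset(utc_offset_hours)
    mask = bytearray(MASK_BYTES)
    for day, hour in local_slots:
        if not (0 <= day <= 6 and 0 <= hour <= 23):
            raise ValueError(f"bad slot {(day, hour)}")
        # Shift local time to UTC; the modulo wraps Sunday 00h back to Saturday.
        pos = (day * 24 + hour - utc_offset_hours) % WEEK_HOURS
        mask[pos // 8] |= 1 << (pos % 8)  # lowest bit = earliest hour in the byte
    return mask.hex().upper()


def decode_logon_hours(hex_mask, utc_offset_hours):
    """Return the set of local (weekday, hour) slots a mask allows."""
    _check_offset(utc_offset_hours)
    raw = _parse(hex_mask)
    slots = set()
    for pos in range(WEEK_HOURS):
        if raw[pos // 8] & (1 << (pos % 8)):
            local = (pos + utc_offset_hours) % WEEK_HOURS
            slots.add((local // 24, local % 24))
    return slots


def is_allowed(hex_mask, when):
    """Check one timezone-aware datetime against the mask."""
    if when.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    raw = _parse(hex_mask)
    utc = when.astimezone(timezone.utc)
    day = (utc.weekday() + 1) % 7  # datetime counts Monday=0, the mask counts Sunday=0
    pos = day * 24 + utc.hour
    return bool(raw[pos // 8] & (1 << (pos % 8)))


if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))   # UTC+1, as in the question
    asked = "7FFFC0" * 7                 # mask quoted in the question
    fixed = encode_logon_hours(daily_window(7, 24), 1)
    summer = encode_logon_hours(daily_window(7, 24), 2)  # same window at UTC+2
    print("quoted mask :", asked)
    print("7h-24h UTC+1:", fixed)
    print("7h-24h UTC+2:", summer)
    for hh in (6, 7, 17, 23):
        t = datetime(2007, 11, 24, hh, 30, tzinfo=cet)  # a Saturday
        print(f"{hh:02d}:30 local  quoted={is_allowed(asked, t)}  fixed={is_allowed(fixed, t)}")
```

Because the mask is stored in UTC, a window defined in local time needs a different string whenever the local UTC offset changes, which is the daylight saving effect the reply mentions.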


[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-371-g5b4ba4b

2007-11-26 Thread Volker Lendecke
The branch, v3-2-test has been updated
   via  5b4ba4bfc54e2fa468abe15383e5b33eb5bd1324 (commit)
   via  9bf5ead4b2be57fa84e5b3137bfa0305a916f10f (commit)
  from  102a247df99967f25dbaf40c9be2d48a8e15c64c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 5b4ba4bfc54e2fa468abe15383e5b33eb5bd1324
Author: Volker Lendecke [EMAIL PROTECTED]
Date:   Mon Nov 26 14:30:50 2007 +0100

Improve debug message

Fix bug 5056, thanks to debian package maintainer

commit 9bf5ead4b2be57fa84e5b3137bfa0305a916f10f
Author: Volker Lendecke [EMAIL PROTECTED]
Date:   Mon Nov 26 11:55:55 2007 +0100

Fix a C++ warning

---

Summary of changes:
 source/lib/debug.c   |2 +-
 source/passdb/pdb_ldap.c |3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/lib/debug.c b/source/lib/debug.c
index 49ec40a..4afc953 100644
--- a/source/lib/debug.c
+++ b/source/lib/debug.c
@@ -537,7 +537,7 @@ void debug_init(void)
for(p = default_classname_table; *p; p++) {
debug_add_class(*p);
}
-   format_bufr = SMB_MALLOC(FORMAT_BUFR_SIZE);
+   format_bufr = (char *)SMB_MALLOC(FORMAT_BUFR_SIZE);
if (!format_bufr) {
smb_panic(debug_init: unable to create buffer);
}
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index a3637bf..215cd3c 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -2536,7 +2536,8 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods 
*methods,
count = ldap_count_entries(priv2ld(ldap_state), result);
 
if (count  1) {
-   DEBUG(4, (ldapsam_getgroup: Did not find group\n));
+   DEBUG(4, (ldapsam_getgroup: Did not find group, filter was 
+ %s\n, filter));
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_GROUP;
}
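Review bot: the new DEBUG line in ldapsam_getgroup prints filter verbatim with %s. If the filter is assembled from a client-supplied group name or SID, the log line carries that input unmodified, so confirm the value is already escaped where the filter is built and that filter cannot be NULL on this path. Keeping it at level 4 is sensible for a string that exposes directory attribute names.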


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-372-g8bcd2df

2007-11-26 Thread Volker Lendecke
The branch, v3-2-test has been updated
   via  8bcd2df841bae63e7d58c35d4728b7d853471697 (commit)
  from  5b4ba4bfc54e2fa468abe15383e5b33eb5bd1324 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 8bcd2df841bae63e7d58c35d4728b7d853471697
Author: Volker Lendecke [EMAIL PROTECTED]
Date:   Mon Nov 26 15:28:13 2007 +0100

Fix bug 5055

---

Summary of changes:
 source/lib/ldb/common/ldb_dn.c |2 +-
 source/lib/replace/replace.c   |2 +-
 source/passdb/pdb_ldap.c   |2 +-
 source/smbd/lanman.c   |2 +-
 source/smbd/trans2.c   |2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/lib/ldb/common/ldb_dn.c b/source/lib/ldb/common/ldb_dn.c
index 155c485..7ef3c38 100644
--- a/source/lib/ldb/common/ldb_dn.c
+++ b/source/lib/ldb/common/ldb_dn.c
@@ -26,7 +26,7 @@
  *
  *  Component: ldb dn explode and utility functions
  *
- *  Description: - explode a dn into it's own basic elements
+ *  Description: - explode a dn into its own basic elements
  * and put them in a structure
  *   - manipulate ldb_dn structures
  *
diff --git a/source/lib/replace/replace.c b/source/lib/replace/replace.c
index cec158b..b2a240e 100644
--- a/source/lib/replace/replace.c
+++ b/source/lib/replace/replace.c
@@ -218,7 +218,7 @@ long nap(long milliseconds) {
 #ifndef HAVE_MEMMOVE
 /***
 safely copies memory, ensuring no overlap problems.
-this is only used if the machine does not have it's own memmove().
+this is only used if the machine does not have its own memmove().
 this is not the fastest algorithm in town, but it will do for our
 needs.
 /
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index 215cd3c..707e3f3 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -5623,7 +5623,7 @@ static NTSTATUS ldapsam_change_groupmem(struct 
pdb_methods *my_methods,
}
 
if (user_gid == group_gid) {
-   DEBUG (3, (ldapsam_change_groupmem: can't remove user 
from it's own primary group!\n));
+   DEBUG (3, (ldapsam_change_groupmem: can't remove user 
from its own primary group!\n));
return NT_STATUS_MEMBERS_PRIMARY_GROUP;
}
}
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index b2e435e..17ab891 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -1380,7 +1380,7 @@ static bool api_RNetServerEnum(connection_struct *conn, 
uint16 vuid,
}
 
/* If someone sets SV_TYPE_LOCAL_LIST_ONLY but hasn't set
-  any other bit (they may just set this bit on it's own) they 
+  any other bit (they may just set this bit on its own) they 
   want all the locally seen servers. However this bit can be 
   set on its own so set the requested servers to be 
   ALL - DOMAIN_ENUM. */
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 323d78c..e37f6ff 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -3279,7 +3279,7 @@ static char *store_file_unix_basic(connection_struct 
*conn,
  *
  * XXX: this really should be behind the VFS interface. To do this, we would
  * need to alter SMB_STRUCT_STAT so that it included a flags and a mask field.
- * Each VFS module could then implement it's own mapping as appropriate for the
+ * Each VFS module could then implement its own mapping as appropriate for the
  * platform. We would then pass the SMB flags into SMB_VFS_CHFLAGS.
  */
 static const struct {unsigned stat_fflag; unsigned smb_fflag;}




[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-373-g3088bc7

2007-11-26 Thread Volker Lendecke
The branch, v3-2-test has been updated
   via  3088bc76f1ceffecaa5aea039be79973c9876f0c (commit)
  from  8bcd2df841bae63e7d58c35d4728b7d853471697 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 3088bc76f1ceffecaa5aea039be79973c9876f0c
Author: Volker Lendecke [EMAIL PROTECTED]
Date:   Sat Nov 24 17:27:19 2007 +0100

Remove a global

---

Summary of changes:
 source/libads/ads_status.c |9 -
 1 files changed, 4 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/libads/ads_status.c b/source/libads/ads_status.c
index 3f0ab57..ecef9d2 100644
--- a/source/libads/ads_status.c
+++ b/source/libads/ads_status.c
@@ -99,10 +99,6 @@ NTSTATUS ads_ntstatus(ADS_STATUS status)
 */
 const char *ads_errstr(ADS_STATUS status)
 {
-   static char *ret;
-
-   SAFE_FREE(ret);
-
switch (status.error_type) {
case ENUM_ADS_ERROR_SYSTEM:
return strerror(status.err.rc);
@@ -117,6 +113,7 @@ const char *ads_errstr(ADS_STATUS status)
 #ifdef HAVE_GSSAPI
case ENUM_ADS_ERROR_GSS:
{
+   char *ret;
uint32 msg_ctx;
uint32 minor;
gss_buffer_desc msg1, msg2;
@@ -129,7 +126,9 @@ const char *ads_errstr(ADS_STATUS status)
   GSS_C_NULL_OID, msg_ctx, msg1);
gss_display_status(minor, status.minor_status, GSS_C_MECH_CODE,
   GSS_C_NULL_OID, msg_ctx, msg2);
-   asprintf(ret, %s : %s, (char *)msg1.value, (char 
*)msg2.value);
+   ret = talloc_asprintf(talloc_tos(), %s : %s,
+ (char *)msg1.value, (char *)msg2.value);
+   SMB_ASSERT(ret != NULL);
gss_release_buffer(minor, msg1);
gss_release_buffer(minor, msg2);
return ret;
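Review bot: in the ENUM_ADS_ERROR_GSS branch the returned string now comes from talloc_tos(), so its lifetime is tied to the current talloc stackframe instead of lasting until the next ads_errstr() call as the removed static did; a caller that keeps the pointer past that frame would read freed memory, and the function comment should say so. Two smaller points on the same lines: SMB_ASSERT(ret != NULL) turns an allocation failure inside an error-reporting helper into a panic, where returning a fixed string would be gentler, and msg1.value and msg2.value are formatted with %s although a gss_buffer_desc carries an explicit length, so %.*s with the buffer lengths would avoid relying on NUL termination.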




svn commit: samba r26132 - in branches/SAMBA_4_0/source/lib: crypto nss_wrapper

2007-11-26 Thread jelmer
Author: jelmer
Date: 2007-11-26 21:12:01 + (Mon, 26 Nov 2007)
New Revision: 26132

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26132

Log:
Update ignores.
Modified:
   branches/SAMBA_4_0/source/lib/crypto/
   branches/SAMBA_4_0/source/lib/nss_wrapper/


Changeset:

Property changes on: branches/SAMBA_4_0/source/lib/crypto
___
Name: svn:ignore
   - .sconsign
*.d
*.po

   + test_proto.h
.sconsign
*.d
*.po



Property changes on: branches/SAMBA_4_0/source/lib/nss_wrapper
___
Name: svn:ignore
   + *.pc




svn commit: samba r26133 - in branches/SAMBA_4_0/source/libcli/util: .

2007-11-26 Thread gd
Author: gd
Date: 2007-11-26 23:58:39 + (Mon, 26 Nov 2007)
New Revision: 26133

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26133

Log:
Add some more error codes from wkssvc testing.

Guenther

Modified:
   branches/SAMBA_4_0/source/libcli/util/doserr.c
   branches/SAMBA_4_0/source/libcli/util/werror.h


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/util/doserr.c
===
--- branches/SAMBA_4_0/source/libcli/util/doserr.c  2007-11-26 21:12:01 UTC 
(rev 26132)
+++ branches/SAMBA_4_0/source/libcli/util/doserr.c  2007-11-26 23:58:39 UTC 
(rev 26133)
@@ -41,6 +41,7 @@
{ WERR_FILE_EXISTS, WERR_FILE_EXISTS },
{ WERR_INVALID_PARAM, WERR_INVALID_PARAM },
{ WERR_NOT_SUPPORTED, WERR_NOT_SUPPORTED },
+   { WERR_DUP_NAME, WERR_DUP_NAME },
{ WERR_BAD_PASSWORD, WERR_BAD_PASSWORD },
{ WERR_NOMEM, WERR_NOMEM },
{ WERR_INVALID_NAME, WERR_INVALID_NAME },
@@ -62,6 +63,7 @@
{ WERR_DEST_NOT_FOUND, WERR_DEST_NOT_FOUND },
{ WERR_NOT_LOCAL_DOMAIN, WERR_NOT_LOCAL_DOMAIN },
{ WERR_DOMAIN_CONTROLLER_NOT_FOUND, WERR_DOMAIN_CONTROLLER_NOT_FOUND 
},
+   { WERR_TIME_DIFF_AT_DC, WERR_TIME_DIFF_AT_DC },
{ WERR_SETUP_NOT_JOINED, WERR_SETUP_NOT_JOINED },
{ WERR_SETUP_ALREADY_JOINED, WERR_SETUP_ALREADY_JOINED },
{ WERR_SETUP_DOMAIN_CONTROLLER, WERR_SETUP_DOMAIN_CONTROLLER },
@@ -84,6 +86,7 @@
{ WERR_INVALID_COMPUTERNAME, WERR_INVALID_COMPUTERNAME },
{ WERR_INVALID_DOMAINNAME, WERR_INVALID_DOMAINNAME },
{ WERR_NO_LOGON_SERVERS, WERR_NO_LOGON_SERVERS },
+   { WERR_NO_SUCH_LOGON_SESSION, WERR_NO_SUCH_LOGON_SESSION },
{ WERR_NO_SUCH_PRIVILEGE, WERR_NO_SUCH_PRIVILEGE },
{ WERR_PRIVILEGE_NOT_HELD, WERR_PRIVILEGE_NOT_HELD },
{ WERR_NO_SUCH_USER, WERR_NO_SUCH_USER },
@@ -128,6 +131,8 @@
{ WERR_FRS_INVALID_SERVICE_PARAMETER, 
WERR_FRS_INVALID_SERVICE_PARAMETER },
{ WERR_FRS_SYSVOL_IS_BUSY, WERR_FRS_SYSVOL_IS_BUSY },
{ WERR_FRS_INSUFFICIENT_PRIV, WERR_FRS_INSUFFICIENT_PRIV },
+   { WERR_RPC_E_REMOTE_DISABLED, WERR_RPC_E_REMOTE_DISABLED },
+   { WERR_NOT_CONNECTED, WERR_NOT_CONNECTED },
{ NULL, W_ERROR(0) }
 };
 

Modified: branches/SAMBA_4_0/source/libcli/util/werror.h
===
--- branches/SAMBA_4_0/source/libcli/util/werror.h  2007-11-26 21:12:01 UTC 
(rev 26132)
+++ branches/SAMBA_4_0/source/libcli/util/werror.h  2007-11-26 23:58:39 UTC 
(rev 26133)
@@ -70,6 +70,7 @@
 #define WERR_NOMEM W_ERROR(8)
 #define WERR_GENERAL_FAILURE W_ERROR(31)
 #define WERR_NOT_SUPPORTED W_ERROR(50)
+#define WERR_DUP_NAME W_ERROR(52)
 #define WERR_BAD_NETPATH W_ERROR(53)
 #define WERR_BAD_NET_RESP W_ERROR(58)
 #define WERR_UNEXP_NET_ERR W_ERROR(59)
@@ -97,6 +98,7 @@
 #define WERR_REVISION_MISMATCH W_ERROR(1306)
 #define WERR_INVALID_OWNER W_ERROR(1307)
 #define WERR_NO_LOGON_SERVERS W_ERROR(1311)
+#define WERR_NO_SUCH_LOGON_SESSION W_ERROR(1312)
 #define WERR_NO_SUCH_PRIVILEGE W_ERROR(1313)
 #define WERR_PRIVILEGE_NOT_HELD W_ERROR(1314)
 #define WERR_NO_SUCH_USER W_ERROR(1317)
@@ -112,10 +114,12 @@
 #define WERR_BUF_TOO_SMALL W_ERROR(2123)
 #define WERR_JOB_NOT_FOUND W_ERROR(2151)
 #define WERR_DEST_NOT_FOUND W_ERROR(2152)
+#define WERR_NOT_CONNECTED W_ERROR(2250)
 #define WERR_SESSION_NOT_FOUND W_ERROR(2312)
 #define WERR_FID_NOT_FOUND W_ERROR(2314)
 #define WERR_NOT_LOCAL_DOMAIN W_ERROR(2320)
 #define WERR_DOMAIN_CONTROLLER_NOT_FOUND W_ERROR(2453)
+#define WERR_TIME_DIFF_AT_DC W_ERROR(2457)
 
 #define WERR_SETUP_ALREADY_JOINED W_ERROR(2691)
 #define WERR_SETUP_NOT_JOINED W_ERROR(2692)
@@ -189,6 +193,10 @@
 #define WERR_FRS_SYSVOL_IS_BUSY W_ERROR(FRS_ERR_BASE+15)
 #define WERR_FRS_INVALID_SERVICE_PARAMETER W_ERROR(FRS_ERR_BASE+17)
 
+/* RPC errors */
+#define WERR_RPC_E_INVALID_HEADER  W_ERROR(0x80010111)
+#define WERR_RPC_E_REMOTE_DISABLED W_ERROR(0x8001011c)
+
 /* SEC errors */
 #define WERR_SEC_E_ENCRYPT_FAILURE W_ERROR(0x80090329)
 #define WERR_SEC_E_DECRYPT_FAILURE W_ERROR(0x80090330)
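Review bot: the new RPC errors block in werror.h defines WERR_RPC_E_INVALID_HEADER as well as WERR_RPC_E_REMOTE_DISABLED, but the doserr.c hunks above only add a table entry for WERR_RPC_E_REMOTE_DISABLED. Unless WERR_RPC_E_INVALID_HEADER is already listed in a part of the table not shown here, it has no string mapping and will not be reported by name; add a matching table entry next to the other new ones.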



Build status as of Tue Nov 27 00:00:01 2007

2007-11-26 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2007-11-26 
00:00:58.0 +
+++ /home/build/master/cache/broken_results.txt 2007-11-27 00:00:40.0 
+
@@ -1,4 +1,4 @@
-Build status as of Mon Nov 26 00:00:01 2007
+Build status as of Tue Nov 27 00:00:01 2007
 
 Build counts:
 Tree Total  Broken Panic 
@@ -16,10 +16,10 @@
 rsync28 12 0 
 samba-docs   0  0  0 
 samba-gtk4  4  0 
-samba4   25 22 0 
+samba4   25 16 0 
 samba_3_20  0  0 
 samba_3_2_test 28 17 0 
 smb-build27 26 0 
 talloc   28 7  0 
-tdb  28 5  0 
+tdb  27 5  0 
 


svn commit: samba r26134 - in branches/SAMBA_4_0/source/auth: .

2007-11-26 Thread jelmer
Author: jelmer
Date: 2007-11-27 01:14:54 + (Tue, 27 Nov 2007)
New Revision: 26134

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26134

Log:
Avoid using samdb-dependent functions in auth_system_session.
Modified:
   branches/SAMBA_4_0/source/auth/config.mk
   branches/SAMBA_4_0/source/auth/system_session.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/config.mk
===
--- branches/SAMBA_4_0/source/auth/config.mk2007-11-26 23:58:39 UTC (rev 
26133)
+++ branches/SAMBA_4_0/source/auth/config.mk2007-11-27 01:14:54 UTC (rev 
26134)
@@ -11,6 +11,7 @@
 [SUBSYSTEM::auth_system_session]
 OBJ_FILES = system_session.o
 PUBLIC_PROTO_HEADER = system_session_proto.h
+PRIVATE_DEPENDENCIES = auth_session
 
 [SUBSYSTEM::auth_sam]
 PRIVATE_PROTO_HEADER = auth_sam.h

Modified: branches/SAMBA_4_0/source/auth/system_session.c
===
--- branches/SAMBA_4_0/source/auth/system_session.c 2007-11-26 23:58:39 UTC 
(rev 26133)
+++ branches/SAMBA_4_0/source/auth/system_session.c 2007-11-27 01:14:54 UTC 
(rev 26134)
@@ -24,7 +24,6 @@
 #include includes.h
 #include libcli/security/security.h
 #include libcli/auth/libcli_auth.h
-#include dsdb/samdb/samdb.h
 #include auth/credentials/credentials.h
 #include param/param.h
 #include auth/auth.h /* for auth_serversupplied_info */
@@ -32,6 +31,123 @@
 #include auth/system_session_proto.h
 
 /**
+ * Create the SID list for this user. 
+ *
+ * @note Specialised version for system sessions that doesn't use the SAM.
+ */
+static NTSTATUS create_token(TALLOC_CTX *mem_ctx, 
+  struct dom_sid *user_sid,
+  struct dom_sid *group_sid, 
+  int n_groupSIDs,
+  struct dom_sid **groupSIDs, 
+  bool is_authenticated,
+  struct security_token **token)
+{
+   struct security_token *ptoken;
+   int i;
+
+   ptoken = security_token_initialise(mem_ctx);
+   NT_STATUS_HAVE_NO_MEMORY(ptoken);
+
+   ptoken-sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
+   NT_STATUS_HAVE_NO_MEMORY(ptoken-sids);
+
+   ptoken-user_sid = talloc_reference(ptoken, user_sid);
+   ptoken-group_sid = talloc_reference(ptoken, group_sid);
+   ptoken-privilege_mask = 0;
+
+   ptoken-sids[0] = ptoken-user_sid;
+   ptoken-sids[1] = ptoken-group_sid;
+
+   /*
+* Finally add the standard SIDs.
+* The only difference between guest and anonymous
+* is the addition of Authenticated_Users.
+*/
+   ptoken-sids[2] = dom_sid_parse_talloc(ptoken-sids, SID_WORLD);
+   NT_STATUS_HAVE_NO_MEMORY(ptoken-sids[2]);
+   ptoken-sids[3] = dom_sid_parse_talloc(ptoken-sids, SID_NT_NETWORK);
+   NT_STATUS_HAVE_NO_MEMORY(ptoken-sids[3]);
+   ptoken-num_sids = 4;
+
+   if (is_authenticated) {
+   ptoken-sids[4] = dom_sid_parse_talloc(ptoken-sids, 
SID_NT_AUTHENTICATED_USERS);
+   NT_STATUS_HAVE_NO_MEMORY(ptoken-sids[4]);
+   ptoken-num_sids++;
+   }
+
+   for (i = 0; i  n_groupSIDs; i++) {
+   size_t check_sid_idx;
+   for (check_sid_idx = 1; 
+check_sid_idx  ptoken-num_sids; 
+check_sid_idx++) {
+   if (dom_sid_equal(ptoken-sids[check_sid_idx], 
groupSIDs[i])) {
+   break;
+   }
+   }
+
+   if (check_sid_idx == ptoken-num_sids) {
+   ptoken-sids[ptoken-num_sids++] = 
talloc_reference(ptoken-sids, groupSIDs[i]);
+   }
+   }
+
+   *token = ptoken;
+
+   /* Shortcuts to prevent recursion and avoid lookups */
+   if (ptoken-user_sid == NULL) {
+   ptoken-privilege_mask = 0;
+   return NT_STATUS_OK;
+   } 
+   
+   if (security_token_is_system(ptoken)) {
+   ptoken-privilege_mask = ~0;
+   return NT_STATUS_OK;
+   } 
+   
+   if (security_token_is_anonymous(ptoken)) {
+   ptoken-privilege_mask = 0;
+   return NT_STATUS_OK;
+   }
+
+   DEBUG(0, (Created token was not system or anonymous token!));
+   *token = NULL;
+   return NT_STATUS_INTERNAL_ERROR;
+}
+
+static NTSTATUS generate_session_info(TALLOC_CTX *mem_ctx, 
+   struct auth_serversupplied_info 
*server_info, 
+   struct auth_session_info **_session_info) 
+{
+   struct auth_session_info *session_info;
+   NTSTATUS nt_status;
+
+   session_info = talloc(mem_ctx, struct auth_session_info);
+   NT_STATUS_HAVE_NO_MEMORY(session_info);
+
+   session_info-server_info = talloc_reference(session_info, server_info);
+
+   /* 
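Review bot: create_token() stores ptoken in *token before the system/anonymous check and, on the final NT_STATUS_INTERNAL_ERROR path, sets *token = NULL without talloc_free(ptoken), so the rejected token stays attached to mem_ctx; the NT_STATUS_HAVE_NO_MEMORY early returns leave it behind the same way. Free ptoken on every failure path and assign *token only once the token has been accepted. The talloc_reference() results for user_sid and group_sid are also used unchecked (sids[0] is filled before the user_sid == NULL test), and the DEBUG(0, ...) message has no trailing \n.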

[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-374-g331c0d6

2007-11-26 Thread Jeremy Allison
The branch, v3-2-test has been updated
   via  331c0d6216e1a1607a49ed7eb4078e10138ec16a (commit)
  from  3088bc76f1ceffecaa5aea039be79973c9876f0c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -
commit 331c0d6216e1a1607a49ed7eb4078e10138ec16a
Author: Jeremy Allison [EMAIL PROTECTED]
Date:   Mon Nov 26 17:24:56 2007 -0800

Remove pstrings from nsswitch/ and registry/
Jeremy.

---

Summary of changes:
 source/nsswitch/wb_common.c |   41 ++--
 source/registry/reg_cachehook.c |   26 ++-
 source/registry/reg_db.c|  443 ++
 source/registry/reg_dynamic.c   |   43 +++--
 source/registry/reg_eventlog.c  |  151 --
 source/registry/reg_objects.c   |   10 +-
 source/registry/reg_perfcount.c |   50 +++--
 source/registry/reg_printing.c  |  393 ++
 source/registry/reg_util.c  |  138 +++--
 9 files changed, 723 insertions(+), 572 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
index 2ae85dc..49a2935 100644
--- a/source/nsswitch/wb_common.c
+++ b/source/nsswitch/wb_common.c
@@ -168,54 +168,51 @@ static int winbind_named_pipe_sock(const char *dir)
 {
struct sockaddr_un sunaddr;
struct stat st;
-   pstring path;
+   char *path = NULL;
int fd;
int wait_time;
int slept;
-   
+
/* Check permissions on unix socket directory */
-   
+
if (lstat(dir, st) == -1) {
return -1;
}
-   
-   if (!S_ISDIR(st.st_mode) || 
+
+   if (!S_ISDIR(st.st_mode) ||
(st.st_uid != 0  st.st_uid != geteuid())) {
return -1;
}
-   
+
/* Connect to socket */
-   
-   strncpy(path, dir, sizeof(path) - 1);
-   path[sizeof(path) - 1] = '\0';
-   
-   strncat(path, /, sizeof(path) - 1 - strlen(path));
-   path[sizeof(path) - 1] = '\0';
-   
-   strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1 - strlen(path));
-   path[sizeof(path) - 1] = '\0';
-   
+
+   if (asprintf(path, %s/%s, dir, WINBINDD_SOCKET_NAME)  0) {
+   return -1;
+   }
+
ZERO_STRUCT(sunaddr);
sunaddr.sun_family = AF_UNIX;
strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
-   
+
/* If socket file doesn't exist, don't bother trying to connect
   with retry.  This is an attempt to make the system usable when
   the winbindd daemon is not running. */
 
if (lstat(path, st) == -1) {
+   SAFE_FREE(path);
return -1;
}
-   
+
+   SAFE_FREE(path);
/* Check permissions on unix socket file */
-   
-   if (!S_ISSOCK(st.st_mode) || 
+
+   if (!S_ISSOCK(st.st_mode) ||
(st.st_uid != 0  st.st_uid != geteuid())) {
return -1;
}
-   
+
/* Connect to socket */
-   
+
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
return -1;
}
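Review bot: path is now built with asprintf and can be any length, but it is still copied into sunaddr.sun_path with strncpy(..., sizeof(sunaddr.sun_path) - 1), which truncates silently. The lstat() ownership and S_ISSOCK checks run against the full path while the socket address holds the truncated one, so a long dir makes the check and the connection refer to different names; return -1 when strlen(path) >= sizeof(sunaddr.sun_path) before the copy. The SAFE_FREE(path) calls do cover both visible exits after the allocation.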
diff --git a/source/registry/reg_cachehook.c b/source/registry/reg_cachehook.c
index 739faca..289d4e5 100644
--- a/source/registry/reg_cachehook.c
+++ b/source/registry/reg_cachehook.c
@@ -47,18 +47,24 @@ bool reghook_cache_init( void )
 
 bool reghook_cache_add( REGISTRY_HOOK *hook )
 {
-   pstring key;
-   
-   if ( !hook )
-   return False;
-   
-   pstrcpy( key, \\);
-   pstrcat( key, hook-keyname );  
-   
-   pstring_sub( key, \\, / );
+   TALLOC_CTX *ctx = talloc_tos();
+   char *key = NULL;
+
+   if (!hook) {
+   return false;
+   }
+
+   key = talloc_asprintf(ctx, //%s, hook-keyname);
+   if (!key) {
+   return false;
+   }
+   key = talloc_string_sub(ctx, key, \\, /);
+   if (!key) {
+   return false;
+   }
 
DEBUG(10,(reghook_cache_add: Adding key [%s]\n, key));
-   
+
return pathtree_add( cache_tree, key, hook );
 }
 
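Review bot: the removed code started the key with a single separator (pstrcpy of one backslash, which pstring_sub then turned into "/"), while the new format string "//%s" puts two forward slashes in front of hook->keyname, so the key handed to pathtree_add() changes. If that is not intended, the format should produce one leading separator, for example by keeping the backslash and letting talloc_string_sub() convert it as before.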
diff --git a/source/registry/reg_db.c b/source/registry/reg_db.c
index 4947b2a..7c4ea18 100644
--- a/source/registry/reg_db.c
+++ b/source/registry/reg_db.c
@@ -82,10 +82,13 @@ static struct builtin_regkey_value 
builtin_registry_values[] = {
 /***
  Open the registry data in the tdb
  ***/
- 
+
 static bool init_registry_data( void )
 {
-   pstring path, base, remaining;
+   char *path = NULL;
+   char *base = NULL;
+   char *remaining = NULL;
+   TALLOC_CTX *ctx = talloc_tos();
fstring keyname, subkeyname;
REGSUBKEY_CTR *subkeys;
REGVAL_CTR *values;

svn commit: samba r26135 - in branches/SAMBA_4_0/source: dsdb/samdb libnet ntptr/simple_ldb rpc_server/drsuapi rpc_server/lsa rpc_server/samr

2007-11-26 Thread abartlet
Author: abartlet
Date: 2007-11-27 01:25:11 + (Tue, 27 Nov 2007)
New Revision: 26135

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26135

Log:
Remove samdb_add(), samdb_delete() and samdb_modify(), which were just
wrappers to ldb_add() etc.  samdb_replace() remains, as it sets flags on
all entries as 'replace'.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/samdb.c
   branches/SAMBA_4_0/source/libnet/libnet_join.c
   branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
   branches/SAMBA_4_0/source/ntptr/simple_ldb/ntptr_simple_ldb.c
   branches/SAMBA_4_0/source/rpc_server/drsuapi/dcesrv_drsuapi.c
   branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c
   branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/samdb.c
===
--- branches/SAMBA_4_0/source/dsdb/samdb/samdb.c2007-11-27 01:14:54 UTC 
(rev 26134)
+++ branches/SAMBA_4_0/source/dsdb/samdb/samdb.c2007-11-27 01:25:11 UTC 
(rev 26135)
@@ -1022,30 +1022,6 @@
 }
 
 /*
-  add a record
-*/
-int samdb_add(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct 
ldb_message *msg)
-{
-   return ldb_add(sam_ldb, msg);
-}
-
-/*
-  delete a record
-*/
-int samdb_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct 
ldb_dn *dn)
-{
-   return ldb_delete(sam_ldb, dn);
-}
-
-/*
-  modify a record
-*/
-int samdb_modify(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct 
ldb_message *msg)
-{
-   return ldb_modify(sam_ldb, msg);
-}
-
-/*
   replace elements in a record
 */
 int samdb_replace(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct 
ldb_message *msg)
@@ -1058,7 +1034,7 @@
}
 
/* modify the samdb record */
-   return samdb_modify(sam_ldb, mem_ctx, msg);
+   return ldb_modify(sam_ldb, msg);
 }
 
 /*
@@ -1992,7 +1968,7 @@
 foreignSecurityPrincipal);

/* create the alias */
-   ret = samdb_add(sam_ctx, mem_ctx, msg);
+   ret = ldb_add(sam_ctx, msg);
if (ret != 0) {
DEBUG(0,(Failed to create foreignSecurityPrincipal 
 record %s: %s\n, 

Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2007-11-27 01:14:54 UTC 
(rev 26134)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2007-11-27 01:25:11 UTC 
(rev 26135)
@@ -1136,7 +1136,7 @@
}
 
/* create the secret */
-   ret = samdb_add(ldb, tmp_mem, msg);
+   ret = ldb_add(ldb, msg);
if (ret != 0) {
r-out.error_string = talloc_asprintf(mem_ctx, Failed to 
create secret record %s, 
  
ldb_dn_get_linearized(msg-dn));

Modified: branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c   2007-11-27 
01:14:54 UTC (rev 26134)
+++ branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c   2007-11-27 
01:25:11 UTC (rev 26135)
@@ -101,7 +101,7 @@
*fsp_dn = msg-dn;
 
/* create the alias */
-   ret = samdb_add(state-sam_ldb, mem_ctx, msg);
+   ret = ldb_add(state-sam_ldb, msg);
if (ret != 0) {
*error_string = talloc_asprintf(mem_ctx, Failed to create 
foreignSecurityPrincipal 
record %s: %s,
@@ -429,7 +429,7 @@
}
}
 
-   ret = samdb_add(state-sam_ldb, mem_ctx, msg);
+   ret = ldb_add(state-sam_ldb, msg);
if (ret != 0) {
struct ldb_dn *first_try_dn = msg-dn;
/* Try again with the default DN */
@@ -440,7 +440,7 @@
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg-dn = talloc_steal(msg, remote_msgs[0]-dn);
-   ret = samdb_add(state-sam_ldb, mem_ctx, msg);
+   ret = ldb_add(state-sam_ldb, msg);
if (ret != 0) {
*error_string = 
talloc_asprintf(mem_ctx, Failed to create user record.  Tried both %s and %s: 
%s,

ldb_dn_get_linearized(first_try_dn),
@@ -493,7 +493,7 @@
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
 
-   ret = samdb_delete(state-sam_ldb, mem_ctx, msgs[0]-dn);
+   ret = ldb_delete(state-sam_ldb, msgs[0]-dn);
if (ret != 0) {
*error_string = talloc_asprintf(mem_ctx, Failed to delete user 
record %s: %s,


svn commit: samba r26136 - in branches/SAMBA_4_0/source: auth auth/gensec auth/ntlmssp dsdb ldap_server libcli libcli/ldap ntvfs

2007-11-26 Thread jelmer
Author: jelmer
Date: 2007-11-27 02:04:38 + (Tue, 27 Nov 2007)
New Revision: 26136

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26136

Log:
Attempt to fix dependencies for auth.
Modified:
   branches/SAMBA_4_0/source/auth/config.mk
   branches/SAMBA_4_0/source/auth/gensec/config.mk
   branches/SAMBA_4_0/source/auth/ntlmssp/config.mk
   branches/SAMBA_4_0/source/dsdb/config.mk
   branches/SAMBA_4_0/source/ldap_server/config.mk
   branches/SAMBA_4_0/source/libcli/config.mk
   branches/SAMBA_4_0/source/libcli/ldap/config.mk
   branches/SAMBA_4_0/source/ntvfs/config.mk


Changeset:
Modified: branches/SAMBA_4_0/source/auth/config.mk
===
--- branches/SAMBA_4_0/source/auth/config.mk2007-11-27 01:25:11 UTC (rev 
26135)
+++ branches/SAMBA_4_0/source/auth/config.mk2007-11-27 02:04:38 UTC (rev 
26136)
@@ -80,7 +80,6 @@
auth_util.o \
auth_simple.o
 PUBLIC_DEPENDENCIES = LIBSECURITY SAMDB CREDENTIALS
-PRIVATE_DEPENDENCIES = auth_session auth_system_session
 # End SUBSYSTEM auth
 ###
 

Modified: branches/SAMBA_4_0/source/auth/gensec/config.mk
===
--- branches/SAMBA_4_0/source/auth/gensec/config.mk 2007-11-27 01:25:11 UTC 
(rev 26135)
+++ branches/SAMBA_4_0/source/auth/gensec/config.mk 2007-11-27 02:04:38 UTC 
(rev 26136)
@@ -28,7 +28,7 @@
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_gssapi_init
 OBJ_FILES = gensec_gssapi.o 
-PRIVATE_DEPENDENCIES = HEIMDAL_GSSAPI CREDENTIALS_KRB5 KERBEROS auth
+PRIVATE_DEPENDENCIES = HEIMDAL_GSSAPI CREDENTIALS_KRB5 KERBEROS 
 # End MODULE gensec_gssapi
 
 
@@ -38,7 +38,7 @@
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_sasl_init
 OBJ_FILES = cyrus_sasl.o 
-PRIVATE_DEPENDENCIES = CREDENTIALS SASL auth
+PRIVATE_DEPENDENCIES = CREDENTIALS SASL 
 # End MODULE cyrus_sasl
 
 
@@ -61,7 +61,7 @@
 INIT_FUNCTION = gensec_schannel_init
 OBJ_FILES = schannel.o \
schannel_sign.o
-PRIVATE_DEPENDENCIES = auth SCHANNELDB NDR_SCHANNEL CREDENTIALS
+PRIVATE_DEPENDENCIES = SCHANNELDB NDR_SCHANNEL CREDENTIALS
 OUTPUT_TYPE = INTEGRATED
 # End MODULE gensec_schannel
 

Modified: branches/SAMBA_4_0/source/auth/ntlmssp/config.mk
===
--- branches/SAMBA_4_0/source/auth/ntlmssp/config.mk2007-11-27 01:25:11 UTC 
(rev 26135)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/config.mk2007-11-27 02:04:38 UTC 
(rev 26136)
@@ -12,7 +12,7 @@
ntlmssp_sign.o \
ntlmssp_client.o \
ntlmssp_server.o
-PRIVATE_DEPENDENCIES = auth MSRPC_PARSE
+PRIVATE_DEPENDENCIES = MSRPC_PARSE
 OUTPUT_TYPE = INTEGRATED
 # End MODULE gensec_ntlmssp
 

Modified: branches/SAMBA_4_0/source/dsdb/config.mk
===
--- branches/SAMBA_4_0/source/dsdb/config.mk2007-11-27 01:25:11 UTC (rev 
26135)
+++ branches/SAMBA_4_0/source/dsdb/config.mk2007-11-27 02:04:38 UTC (rev 
26136)
@@ -8,7 +8,8 @@
 PUBLIC_PROTO_HEADER = samdb/samdb_proto.h
 PUBLIC_HEADERS = samdb/samdb.h
 PUBLIC_DEPENDENCIES = LIBCLI_LDAP HEIMDAL_KRB5 
-PRIVATE_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI NDR_DRSBLOBS NSS_WRAPPER
+PRIVATE_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI NDR_DRSBLOBS NSS_WRAPPER \
+  auth_system_session
 OBJ_FILES = \
samdb/samdb.o \
samdb/samdb_privilege.o \

Modified: branches/SAMBA_4_0/source/ldap_server/config.mk
===
--- branches/SAMBA_4_0/source/ldap_server/config.mk 2007-11-27 01:25:11 UTC 
(rev 26135)
+++ branches/SAMBA_4_0/source/ldap_server/config.mk 2007-11-27 02:04:38 UTC 
(rev 26136)
@@ -13,7 +13,7 @@
ldap_extended.o
 PRIVATE_DEPENDENCIES = CREDENTIALS \
LIBCLI_LDAP SAMDB \
-   process_model auth \
+   process_model \
GENSEC_SOCKET
 # End SUBSYSTEM SMB
 ###

Modified: branches/SAMBA_4_0/source/libcli/config.mk
===
--- branches/SAMBA_4_0/source/libcli/config.mk  2007-11-27 01:25:11 UTC (rev 
26135)
+++ branches/SAMBA_4_0/source/libcli/config.mk  2007-11-27 02:04:38 UTC (rev 
26136)
@@ -34,7 +34,7 @@
smb_composite/fetchfile.o \
smb_composite/appendacl.o \
smb_composite/fsinfo.o 
-PUBLIC_DEPENDENCIES = LIBCLI_COMPOSITE CREDENTIALS
+PUBLIC_DEPENDENCIES = LIBCLI_COMPOSITE CREDENTIALS gensec
 
 [SUBSYSTEM::NDR_NBT_BUF]
 PRIVATE_PROTO_HEADER = nbt/nbtname.h

Modified: branches/SAMBA_4_0/source/libcli/ldap/config.mk

svn commit: samba r26137 - in branches/SAMBA_4_0/source: dsdb/samdb/ldb_modules selftest/env setup

2007-11-26 Thread abartlet
Author: abartlet
Date: 2007-11-27 02:26:47 + (Tue, 27 Nov 2007)
New Revision: 26137

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26137

Log:
Rename the entryUUID module to better match its purpose: being a
simple ldap mapping (a complex mapping will follow).

Fix the module to handle 'name' better, rather than using the 'name'
attribute built into OpenLDAP, rename to samba4RDN.  We need to see if
this can be handled in the backend.

Also rename the functions and internal module name to entryuuid for
consistency.

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/simple_ldap_map.c
Removed:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/entryUUID.c
Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/config.mk
   branches/SAMBA_4_0/source/selftest/env/Samba4.pm
   branches/SAMBA_4_0/source/setup/provision
   branches/SAMBA_4_0/source/setup/schema-map-openldap-2.3


Changeset:
Sorry, the patch is too large (1750 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26137


svn commit: samba r26138 - in branches/SAMBA_4_0/source/dsdb/samdb: .

2007-11-26 Thread abartlet
Author: abartlet
Date: 2007-11-27 02:47:57 + (Tue, 27 Nov 2007)
New Revision: 26138

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26138

Log:
Don't talloc_free() res if an error occurred.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/cracknames.c


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/cracknames.c
===
--- branches/SAMBA_4_0/source/dsdb/samdb/cracknames.c   2007-11-27 02:26:47 UTC 
(rev 26137)
+++ branches/SAMBA_4_0/source/dsdb/samdb/cracknames.c   2007-11-27 02:47:57 UTC 
(rev 26138)
@@ -110,7 +110,10 @@
if (ret != LDB_SUCCESS  ret != LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(1, (ldb_search: dn: %s not found: %s, service_dn_str, 
ldb_errstring(ldb_ctx)));
return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
-   } else if (ret == LDB_ERR_NO_SUCH_OBJECT || res-count != 1) {
+   } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+   DEBUG(1, (ldb_search: dn: %s not found, service_dn_str));
+   return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
+   } else if (res-count != 1) {
talloc_free(res);
DEBUG(1, (ldb_search: dn: %s not found, service_dn_str));
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
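Review bot: The new LDB_ERR_NO_SUCH_OBJECT branch and the remaining res->count != 1 branch log the same "dn: %s not found" text, so a log reader cannot tell a missing object from a search that returned an unexpected number of entries; give the count branch its own message that includes res->count. The new branch, like the error branch above it, returns without touching res, which relies on ldb_search leaving nothing allocated there on failure; a short comment saying so, or initialising res to NULL before the search, would make the ownership explicit.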



svn commit: samba r26139 - in branches/SAMBA_4_0/source/scripting/libjs: .

2007-11-26 Thread abartlet
Author: abartlet
Date: 2007-11-27 02:49:37 + (Tue, 27 Nov 2007)
New Revision: 26139

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26139

Log:
Based on a report by Theodor Chirana, don't assert() on invalid
netbios names at this point, the calling order has changed, and we
have a more informative place to do it.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/scripting/libjs/provision.js


Changeset:
Modified: branches/SAMBA_4_0/source/scripting/libjs/provision.js
===
--- branches/SAMBA_4_0/source/scripting/libjs/provision.js  2007-11-27 
02:47:57 UTC (rev 26138)
+++ branches/SAMBA_4_0/source/scripting/libjs/provision.js  2007-11-27 
02:49:37 UTC (rev 26139)
@@ -464,9 +464,7 @@
subobj.REALM   = strupper(subobj.REALM);
subobj.HOSTNAME= strlower(subobj.HOSTNAME);
subobj.DOMAIN  = strupper(subobj.DOMAIN);
-   assert(valid_netbios_name(subobj.DOMAIN));
subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
-   assert(valid_netbios_name(subobj.NETBIOSNAME));
subobj.DNSDOMAIN= strlower(subobj.REALM);
subobj.DNSNAME  = sprintf(%s.%s, 
  strlower(subobj.HOSTNAME), 
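Review bot: With both assert(valid_netbios_name(...)) calls removed, subobj.DOMAIN and subobj.NETBIOSNAME are assigned here with no validation, and the check the log message says now happens elsewhere is not part of this diff. Please leave a comment at this spot naming where the validation is done, and confirm that every path through this function reaches it before DOMAIN or NETBIOSNAME is used, since NETBIOSNAME is derived directly from the caller-supplied HOSTNAME.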



svn commit: samba r26140 - in branches/SAMBA_4_0: source/dsdb/samdb/ldb_modules testprogs/ejs

2007-11-26 Thread abartlet
Author: abartlet
Date: 2007-11-27 04:43:20 + (Tue, 27 Nov 2007)
New Revision: 26140

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=26140

Log:
Add a new test for searches by distinguishedName and dn, and
implement these in the simple ldap mapping module.

We still don't pass this test, because we must get linked attributes
into OpenLDAP.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/simple_ldap_map.c
   branches/SAMBA_4_0/testprogs/ejs/ldap.js


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/simple_ldap_map.c
===
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/simple_ldap_map.c  
2007-11-27 02:49:37 UTC (rev 26139)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/simple_ldap_map.c  
2007-11-27 04:43:20 UTC (rev 26140)
@@ -376,6 +376,15 @@
}
},
{
+   .local_name = dn,
+   .type = MAP_RENAME,
+   .u = {
+   .rename = {
+.remote_name = entryDN
+}
+   }
+   },
+   {
.local_name = groupType,
.type = MAP_CONVERT,
.u = {
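Review bot: Only dn is mapped to entryDN in the added entry, while the log message says searches by both distinguishedName and dn are implemented. If distinguishedName is covered by an entry outside this hunk, a one-line comment above the new entry saying so would help; otherwise it needs its own mapping.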
@@ -525,6 +534,15 @@
}
},
{
+   .local_name = dn,
+   .type = MAP_RENAME,
+   .u = {
+   .rename = {
+.remote_name = entryDN
+}
+   }
+   },
+   {
.local_name = groupType,
.type = MAP_CONVERT,
.u = {
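Review bot: The dn to entryDN entry added at -525 is a verbatim copy of the one added at -376, so the two attribute tables now have to be kept in step by hand. Consider defining the shared entries once (for example through a macro used by both tables), or at least add a comment in each table pointing at the other.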

Modified: branches/SAMBA_4_0/testprogs/ejs/ldap.js
===
--- branches/SAMBA_4_0/testprogs/ejs/ldap.js2007-11-27 02:49:37 UTC (rev 
26139)
+++ branches/SAMBA_4_0/testprogs/ejs/ldap.js2007-11-27 04:43:20 UTC (rev 
26140)
@@ -230,6 +230,28 @@
assert(res.msgs[0].cn == ldaptestUSER3);
assert(res.msgs[0].name == ldaptestUSER3);
 
+   println(Testing ldb.search for (dn=CN=ldaptestUSER3,CN=Users, + 
base_dn + ));
+   var res = ldb.search((dn=CN=ldaptestUSER3,CN=Users, + base_dn + ));
+   if (res.error != 0 || res.msgs.length != 1) {
+   println(Could not find (dn=CN=ldaptestUSER3,CN=Users, + 
base_dn + ));
+   assert(res.error == 0);
+   assert(res.msgs.length == 1);
+   }
+   assert(res.msgs[0].dn == (CN=ldaptestUSER3,CN=Users, + base_dn));
+   assert(res.msgs[0].cn == ldaptestUSER3);
+   assert(res.msgs[0].name == ldaptestUSER3);
+
+   println(Testing ldb.search for 
(distinguishedName=CN=ldaptestUSER3,CN=Users, + base_dn + ));
+   var res = ldb.search((distinguishedName=CN=ldaptestUSER3,CN=Users, + 
base_dn + ));
+   if (res.error != 0 || res.msgs.length != 1) {
+   println(Could not find (dn=CN=ldaptestUSER3,CN=Users, + 
base_dn + ));
+   assert(res.error == 0);
+   assert(res.msgs.length == 1);
+   }
+   assert(res.msgs[0].dn == (CN=ldaptestUSER3,CN=Users, + base_dn));
+   assert(res.msgs[0].cn == ldaptestUSER3);
+   assert(res.msgs[0].name == ldaptestUSER3);
+
// ensure we cannot add it again
ok = ldb.add(
 dn: cn=ldaptestuser3,cn=userS, + base_dn +
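Review bot: In the second added block the search filter is distinguishedName=CN=ldaptestUSER3,... but the failure message still prints "Could not find (dn=CN=ldaptestUSER3,...", so a failing run would point at the wrong test; change that println to say distinguishedName. Both added blocks also re-declare res with var; plain assignment to the existing variable would be cleaner.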