Re: [Samba] Need suggestion for domain controller
Why don't try samba4:
My thread on this list: HOWTO samba4 centos5.5 named dnsupdate drbd simple failover

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Jack Downes
Sent: Monday, 9 August 2010 20:48
To: samba@lists.samba.org
Subject: Re: [Samba] Need suggestion for domain controller

The quick solution here is to head over to turnkeylinux.org and use their prebuilt setup to handle this. I've not used it (yet), but if it's as good as their other stuff, it's probably quite nice.

Jack

On 07/31/10 07:34 AM, masatheesh wrote:

Hi, I wish to establish domain controller based on Centos 5.x. I am considering below setups.

1) Samba PDC
2) OpenLDAP
3) Combination of Samba PDC + LDAP

I am confused to select one among above. Can anyone please suggest me?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] samba and ms server 2008
Look at my thread: HOWTO samba4 centos5.5 named dnsupdate drbd simple failover

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Rob Townley
Sent: Tuesday, 10 August 2010 02:59
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba and ms server 2008

On Mon, Aug 9, 2010 at 2:07 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

http://wiki.samba.org/index.php/Windows7

I would be pretty sure that if Windows 7 doesn't work with Samba 3.0.x that Windows 2008 won't either.

Rather than compiling samba 3.4 or 3.5 from source I would go with Fedora Core 11 (samba 3.3.x) or some other more up-to-date linux distro that has a newer version of samba included. I wouldn't start anything with 3.0.xx. I would (maybe stating the obvious) set up a test environment 1st.

I did start playing with FC13 (samba 3.5)- not sure it behaved properly. I personally would stick with FC12 which I think had samba 3.4.x included- since I am pretty familiar with 3.4.x but not 3.5.x. There were definitely some config changes between 3.0.x and 3.4.x (group mapping, domain trusts.)

On 08/09/2010 02:56 PM, Peter Lawrie wrote:

Hi
I am about to set up a Centos server with samba and an MS server 2008 for a new customer. The MS server is required because he has an MSSQL application. The samba shares will be for everything else. I've previously set up centos and redhat servers as domain members with a 2003 pdc before I get stuck, are there any issues I should worry about with server 2008? What release of samba should I run? Are there any differences in configuration compared with samba3.0.33 which comes with centos5.5

Peter

If you want to use CentOS, then your best bet would probably be : http://enterprisesamba.com/index.php?id=123

They do have a 64 bit packages, but you have to click on the 386 packages and navigate up and down to see the x86_64 packages.

Better yet, simply add this repo file as /etc/yum.repos.d/sernet-samba.repo and then yum install samba3*. Not samba, but samba3 as they name packages differently.

http://ftp.sernet.de/pub/samba/3.5/rhel/5/sernet-samba.repo

    [sernet-samba]
    name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
    type=rpm-md
    baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
    enabled=1
    gpgcheck=0

Let us know how it goes. Are you using 2008 or 2008R2?

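The repo stanza quoted in this message sets gpgcheck=0 with a plain http baseurl, so yum installs those packages without signature verification over an unauthenticated transport. The shell check below is an added example, not part of the thread and not SerNet's: it flags such stanzas. The function names, the "hardened" stanza's URL and key path (placeholders), and treating no/false like 0 are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit yum .repo stanzas for unsigned-package installs
# (gpgcheck=0) and cleartext transports (http:// or ftp:// baseurl).

audit_repo_file() {
    # $1: path to a .repo file. Prints one finding per line.
    awk -v file="$1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function report() {
            if (section == "" || section == "main") return
            if (enabled ~ /^(0|no|false)$/) return      # repo is switched off
            if (gpgcheck ~ /^(0|no|false)$/)
                print file ": [" section "] gpgcheck disabled, packages are installed unverified"
            else if (gpgcheck == "")
                print file ": [" section "] gpgcheck unset, inherits [main] from yum.conf"
            if (baseurl ~ /^(http|ftp):\/\//)
                print file ": [" section "] cleartext baseurl " baseurl
        }
        /^[ \t]*([#;]|$)/ { next }                       # comments and blank lines
        /^[ \t]*\[/ {                                    # start of a new [section]
            report()
            section = trim($0); sub(/^\[/, "", section); sub(/\].*$/, "", section)
            enabled = gpgcheck = baseurl = ""
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = trim(substr($0, eq + 1))
            if (key == "enabled")  enabled  = tolower(val)
            if (key == "gpgcheck") gpgcheck = tolower(val)
            if (key == "baseurl")  baseurl  = val
        }
        END { report() }
    ' "$1"
}

audit_repo_dir() {
    # $1: directory to scan (on a real host: /etc/yum.repos.d)
    for f in "$1"/*.repo; do
        if [ -f "$f" ]; then audit_repo_file "$f"; fi
    done
}

# Constructed sample input: the stanza quoted in the thread, then a
# hardened variant with a placeholder URL and key path.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sernet-samba.repo" <<'EOF'
[sernet-samba]
name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
enabled=1
gpgcheck=0
EOF
cat > "$demo_dir/hardened.repo" <<'EOF'
# Placeholder values: substitute the URL and key the vendor publishes.
[example-signed]
name=Constructed example of a verified repository
baseurl=https://repo.example.invalid/rhel/5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER
EOF
audit_repo_dir "$demo_dir"
rm -rf "$demo_dir"
```

Only the first sample file produces findings; point audit_repo_dir at /etc/yum.repos.d to check a real host.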
[Samba] home share issue: //server/homes errs, while //server/username works
Hello list,

I'm running a samba server in AD domain, with some AD users explicitly mapped into local users by username map = sambauser.map, which is a text file.

Problem is found with explicitly mapped user, I can only access home share by //server/ADusername, not //server/homes (using windows explorer). This feels wrong because I also tried those AD users not listed in the map file, they could access home share either way.

So it's bothering me, any idea what did I miss out anything or it's a samba bug?

Bests
David

Re: [Samba] home share issue: //server/homes errs, while //server/username works
Forgot to mention that mapped AD user can login with smbclient (huh, better than with windows explorer), but any further operation will hit the error below.

    # smbclient //localhost/homes -U ADusername
    Enter cifs5's password:
    Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3-1.1-2362-SUSE-CODE10]
    smb: \> ls
    do_list: [\*] NT_STATUS_OBJECT_PATH_NOT_FOUND
    Error in dskattr: NT_STATUS_OBJECT_PATH_NOT_FOUND

smbclient //localhost/ADusername -U works just fine, again.

Samba ver = 3.5.3 and the homes share is a msdfs root.

2010/8/10 David Roid datar...@gmail.com

Hello list,

I'm running a samba server in AD domain, with some AD users explicitly mapped into local users by username map = sambauser.map, which is a text file.

Problem is found with explicitly mapped user, I can only access home share by //server/ADusername, not //server/homes (using windows explorer). This feels wrong because I also tried those AD users not listed in the map file, they could access home share either way.

So it's bothering me, any idea what did I miss out anything or it's a samba bug?

Bests
David

Re: [Samba] Import samba 3 to samba 4
On 08/08/2010 12:44 AM, Michael Wood wrote:

On 7 August 2010 19:11, Nico Kadel-Garcia nka...@gmail.com wrote:

On Mon, Aug 2, 2010 at 10:06 AM, Dave Thurston dthurs...@comcast.net wrote:

I have searched but I have yet to find a method to import users and passwords from a samba3/ldap system to samba4. Is there available a method of doing this?

Why do you need to import? Isn't the backend Kerberos and the account informat sufficiently similar that you can simply switch over? (I ask as someone using Samba 3, eyeing Samba 4 with interest to get LDAP out of the hands of Active Directory.)

By default Samba 4 uses its own built in LDAP server and the OpenLDAP backend is currently not working properly.

I have managed to migrate users from an Apple Open Directory server (which is based on MIT Kerberos and OpenLDAP) to Samba 4, but I was only using Open Directory for authentication of one service. No machines joined to OD or anything like that.

All I needed to do was dump the kerberos database, import it to Heimdal, dump it from Heimdal again and then use the password hashes from the Heimdal dump to create the necessary unicodePwd attributes in Samba's directory. After that I used ldapsearch to get hold of the groups each user was a member of and then used ldbmodify (or perhaps ldapmodify. I can't remember now) to migrate them to Samba.

I've never used Samba 3 as a PDC, so I'm not sure what the LDAP schema looks like and how it differs from what Samba 4 uses, but as long as the password hashes are in a compatible format, I imagine it's just a matter of slapcat or ldapsearch, munging the results and then ldbmodify to add the users to Samba 4. I don't know of an existing script to do this.

I have started writing a script that will pull account information (Users, Groups and Computers) from s3's ldap backend and import it to s4. its still early days though. I'm pretty sure that there will be loads of hurdles to jump before is in any usable state

Regards
Luk

Cc: samba-technical

Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
Hi Peter,

thanks for your detailed instructions for a workaround!

Just to get you right: Your proposals include changes for the win7-clients _and_ the samba domain itself, correct?

If it is possible, I would like to change only settings within the win7-clients (or server 2008 R2 systems) and not the domain itself, because all other systems (XP, 2003, 2008) operate quite well for over one year now.

Besides, I also see the DisablePasswordChange-Option on Windows server-systems (2003, 2008, 2008 R2) but I do not see a RefusePasswordChange-Option. According to MS knowledgebase (http://support.microsoft.com/?scid=kb%3Ben-us%3B154501x=7y=6) it seems to me, that the RefusePasswordChange-Option was only intended to be used on older systems (NT4, 2000). Thus, I think it will be ineffective on modern systems.

I would like to hear your comments.

Greetings,
Stefan

Peter Rindfuss rindf...@wzb.eu wrote in news:4c600628.2010...@wzb.eu:

On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:

We are observing the following phenomenon: After 30 days our Windows 7 clients lose their trust relationship with the samba domain. We think, that the automatic machine password change on these clients fails.

I posted a message about the very same problem on July 15. I think it does not always happen after 30 days (or whatever the change interval is set to), but only occurs when the machine password change time has arrived and the computer is on, but no one is logged on (i.e. the login box is shown).

Since we are only starting to deploy Windows 7, we simply turned the machine password change off in the registry of our imaged installation and the few real installations. We had no more problems afterwards.

There are three ways to change the machine password behavior:

    Client-Registry:
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    DisablePasswordChange = dword:1

or

    Client-Registry:
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    MaximumPasswordAge = dword:100

or

    Server-Registry (if you have a Windows server)
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    RefusePasswordChange = dword:1

With Samba + OpenLDAP, set sambaRefuseMachinePwdChange = 1 in the sambaDomainName= entry.

Peter

Re: [Samba] Import samba 3 to samba 4
On 10.08.2010 11:39, Lukasz Zalewski wrote:

On 08/08/2010 12:44 AM, Michael Wood wrote:

On 7 August 2010 19:11, Nico Kadel-Garcia nka...@gmail.com wrote:

On Mon, Aug 2, 2010 at 10:06 AM, Dave Thurston dthurs...@comcast.net wrote:

I have searched but I have yet to find a method to import users and passwords from a samba3/ldap system to samba4. Is there available a method of doing this?

Why do you need to import? Isn't the backend Kerberos and the account informat sufficiently similar that you can simply switch over? (I ask as someone using Samba 3, eyeing Samba 4 with interest to get LDAP out of the hands of Active Directory.)

By default Samba 4 uses its own built in LDAP server and the OpenLDAP backend is currently not working properly.

I have managed to migrate users from an Apple Open Directory server (which is based on MIT Kerberos and OpenLDAP) to Samba 4, but I was only using Open Directory for authentication of one service. No machines joined to OD or anything like that.

All I needed to do was dump the kerberos database, import it to Heimdal, dump it from Heimdal again and then use the password hashes from the Heimdal dump to create the necessary unicodePwd attributes in Samba's directory. After that I used ldapsearch to get hold of the groups each user was a member of and then used ldbmodify (or perhaps ldapmodify. I can't remember now) to migrate them to Samba.

I've never used Samba 3 as a PDC, so I'm not sure what the LDAP schema looks like and how it differs from what Samba 4 uses, but as long as the password hashes are in a compatible format, I imagine it's just a matter of slapcat or ldapsearch, munging the results and then ldbmodify to add the users to Samba 4. I don't know of an existing script to do this.

I have started writing a script that will pull account information (Users, Groups and Computers) from s3's ldap backend and import it to s4. its still early days though. I'm pretty sure that there will be loads of hurdles to jump before is in any usable state

I've something that's almost done for users, groups and computers. It needs a lot of cleanup, then I'll commit it to master/example/*.

Currently the script 'myldap-pub.py' expects input.ldif hardcoded (later we can also support ldap urls)

metze

Re: [Samba] Question re kerberos and plain password login
Anyone got any thoughts about this?

On Sun, Aug 08, 2010 at 12:32:28AM +0100, Mark Adams wrote:

Hi There,

I've just upgraded to 2 new 2008 R2 domain controllers, and had been using 2003 integration with samba successfully.

After hitting this issue https://bugzilla.samba.org/show_bug.cgi?id=6700 I upgraded my samba to 3.4.8, which seems to be working OK for pc hosts.

However, I used to also log in some OSX 10.5 clients in using smb, and now these clients are getting password failed issues. I also allow AFP access using netatalk, and this is working correctly, which indicates winbind is checking things correctly.

Is there any option needed to allow password login AND kerberos? On 3.2.4 with 2003 my config was working ok.

There is no log created when the mac attempts to auth (unlike the log for each windows client) so I'm not sure where it's going wrong.

Any help appreciated!

Cheers,
Mark

[Samba] samba pdc for samba clients - job
Hi All,

this is a samba related job request. Sorry if this is not the correct mailing list, feel free to point me toward a better place.

I'm looking for an how-to style documentation to configure Debian 5 (Lenny) as a PDC and file server for Debian 5 (Lenny) clients. Would prefer to use Samba (and Kerberos if needed) as the PDC and file server and would prefer to avoid ldap integration.

The documentation must describe how to configure the server to provide the authentication facility (PDC), and how to configure the client to authenticate (would prefer with GDM (gnome display manager) and mount the file share accordingly. No printer handling is needed. The clients are using the desktop manager xfce4.

I am a linux sysadmin myself so you will not be alone. Please bid only if you have experience with this setup because this is urgent (2-3 days). Budget is negotiable but I'm looking to spend around 100 USD.

Thanks for your attention, have a nice day.

Mike

[Samba] samba posix_acls.c file and dir permissions
Dear samba team,

please help me in understanding these.

1) in samba posix_acls.c why samba always setting the READ access for the file and READ and WRITE access for directory ?

--
    case S_IRUSR:
        /* Ensure owner has read access. */
        pace->perms |= S_IRUSR;
        if (is_directory)
            pace->perms |= (S_IWUSR|S_IXUSR);
        and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
        or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
---

2) I have connected a samba share from the device onto my windows xp machine.. when I tried modify subfolder owner write permissions , it is simply ignoring that and setting the write permission again.

Thanks
Suresh

Re: [Samba] SAMBA4 DDNS update samba_dnsupdate issues
On Fri, 30 Jul 2010, Daniel A. Creed wrote:

The weird thing is I know that TSIG transfers are working because I can use nsupdate with the key set and it updates the records fine... So what TKEY is this looking for and whats the issue with it?

Sorry to barge in, but did you use the nsupdate from bind? And if so, how did you use it? I'm struggling with samba3 which is unable to update dns for me, but the nsupdate-gss script by tridge works otherwise but doesn't know how to update the PTR record..

t

[Samba] Windows 7 connect to FreeBSD samba
I'm having trouble connecting my windows 7 machine to my Samba server that i set up on a FreeBSD VM. The FreeBSD version is 7.2 and the samba version is 3.

I followed the directions here http://www.mrp3.com/windows-to-unix-samba.html to set it up as a domain controller exactly.. except for adding the samba_dns_update script because i didn't find it being asked for in the config file.

The name of my Windows computer is Pushkin-PC so like it says in the script I added it using adduser and put it under the machines group. I added it as Pushkin-PC$ though.. as the site showed. then I did smbpasswd -a Pushkin-PC$ which also made me make a password. Then the script said to finalize it by doing the command smbpasswd -m Pushkin-PC$ .. but when I executed that command i got the errors:

    Failed to set password for user Pushkin-PC$.
    Failed to modify password entry for user Pushkin-PC$.

I couldn't figure out why... Here's my config file.. all the uncommented parts:

    server string = WORKGROUP
    server string = Samba Server
    security = user
    hosts allow = 192.168.1 192.168.2 127.
    load printers = yes
    printing = cups
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = tdbsam
    include = /usr/local/etc/smb.conf.%m
    local master = yes
    os level = 33
    domain master = yes
    preferred master = auto
    domain logons = yes
    logon path = \\%L\Profiles\%U
    wins support = yes
    dns proxy = no
    add user script = /usr/local/sbin/smb-add-user %u
    add group script = /usr/local/sbin/smb-add-group %g
    add machine script = /usr/local/sbin/smb-add-machine %u
    add user to group script = /usr/local/sbin/smb-add-user-group %u %g
    delete user script = /usr/local/sbin/smb-rm-user %u
    delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
    delete group script = /usr/local/sbin/smb-rm-group %g

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

    [netlogon]
    comment = Network Logon Service
    path = /usr/local/lib/samba/netlogon
    guest ok = yes
    writeable = no
    share modes = no

    [profiles]
    path = /usr/local/lib/samba/profiles
    browseable = no
    guest ok = yes

    [printers]
    comment =All Pringers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writeable = no
    printable = yes

anyways, when try to connect my windows pc (Pushin-PC) to samba.. i do the following command:

    \\192.168.198.137\Pushkin-PC$

the ip is the freebsd's ip running samba. and I get the following error: The network path was not found.

Help?

Re: [Samba] Windows 7 connect to FreeBSD samba
I'm having trouble connecting my windows 7 machine to my Samba server that i set up on a FreeBSD VM. The FreeBSD version is 7.2 and the samba version is 3.

3 is not a descriptive samba version. It must be 3.3 or greater.

John

Re: [Samba] Windows 7 connect to FreeBSD samba
On Tuesday 10/08/2010 at 1:54 pm, dan dylan wrote:

I'm having trouble connecting my windows 7 machine to my Samba server that i set up on a FreeBSD VM. The FreeBSD version is 7.2 and the samba version is 3.

I followed the directions here http://www.mrp3.com/windows-to-unix-samba.html to set it up as a domain controller exactly.. except for adding the samba_dns_update script because i didn't find it being asked for in the config file.

The name of my Windows computer is Pushkin-PC so like it says in the script I added it using adduser and put it under the machines group. I added it as Pushkin-PC$ though.. as the site showed. then I did smbpasswd -a Pushkin-PC$ which also made me make a password. Then the script said to finalize it by doing the command smbpasswd -m Pushkin-PC$ .. but when I executed that command i got the errors:

    Failed to set password for user Pushkin-PC$.
    Failed to modify password entry for user Pushkin-PC$.

I couldn't figure out why... Here's my config file.. all the uncommented parts:

    server string = WORKGROUP
    server string = Samba Server
    security = user
    hosts allow = 192.168.1 192.168.2 127.
    load printers = yes
    printing = cups
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = tdbsam
    include = /usr/local/etc/smb.conf.%m
    local master = yes
    os level = 33
    domain master = yes
    preferred master = auto
    domain logons = yes
    logon path = \\%L\Profiles\%U
    wins support = yes
    dns proxy = no
    add user script = /usr/local/sbin/smb-add-user %u
    add group script = /usr/local/sbin/smb-add-group %g
    add machine script = /usr/local/sbin/smb-add-machine %u
    add user to group script = /usr/local/sbin/smb-add-user-group %u %g
    delete user script = /usr/local/sbin/smb-rm-user %u
    delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
    delete group script = /usr/local/sbin/smb-rm-group %g

Where did these scripts come from?

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

    [netlogon]
    comment = Network Logon Service
    path = /usr/local/lib/samba/netlogon
    guest ok = yes
    writeable = no
    share modes = no

    [profiles]
    path = /usr/local/lib/samba/profiles
    browseable = no
    guest ok = yes

    [printers]
    comment =All Pringers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writeable = no
    printable = yes

anyways, when try to connect my windows pc (Pushin-PC) to samba.. i do the following command:

    \\192.168.198.137\Pushkin-PC$

the ip is the freebsd's ip running samba. and I get the following error: The network path was not found.

Help?

[Samba] Dumb questions
Hi,

I've followed Muller's HOWTO thread and it worked like a charm, except for these errors when starting samba on node2

    mba,DC=dghvoip,DC=com using filter (uSNChanged=3524)
    DsGetNCChanges with uSNChanged = 3524 flags 0x0070 on CN=Configuration,DC=samba,DC=dghvoip,DC=com gave 0 objects (done 0/0) 0 links (done 0/0)
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
    /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED

I think I'll have to manually add a line to named.conf to allow this host to update DDNS records, might help.

Other question is: I have a share I want to be viewable as with Samba3, but whenever I browse NetHood, I don't see my Samba4 Servers, I _do_ see them if I do \\server\share at the command prompt or Run... window. Is there anyway to make Samba4 shares viewable?.

Thanks.

---
David Gonzalez H.
DGHVoIP - OPEN SOURCE TELEPHONY SOLUTIONS
Phone Bogotá: +(57-1)289-1168
Phone Medellin: +(57-4)247-0985
Mobile: +(57)315-838-8326
MSN: da...@planetaradio.net
Skype: davidgonzalezh
WEB: http://www.dghvoip.com/
Proud Linux User #294661

[Samba] samba posix_acls.c file and dir permissions
I did not get any response . pinging it again.

Dear samba team,

please help me in understanding these.

1) in samba posix_acls.c why samba always setting the READ access for the file and READ and WRITE access for directory ?

--
    case S_IRUSR:
        /* Ensure owner has read access. */
        pace->perms |= S_IRUSR;
        if (is_directory)
            pace->perms |= (S_IWUSR|S_IXUSR);
        and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
        or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
---

2) I have connected a samba share from the device onto my windows xp machine.. when I tried modify subfolder owner write permissions , it is simply ignoring that and setting the write permission again. ofcourse acl are enabled on that share.

Thanks
Suresh

Re: [Samba] samba posix_acls.c file and dir permissions
On Tue, Aug 10, 2010 at 07:50:47PM -0400, suresh.kanduk...@emc.com wrote:

I did not get any response . pinging it again.

Dear samba team,

please help me in understanding these.

1) in samba posix_acls.c why samba always setting the READ access for the file and READ and WRITE access for directory ?

--
    case S_IRUSR:
        /* Ensure owner has read access. */
        pace->perms |= S_IRUSR;
        if (is_directory)
            pace->perms |= (S_IWUSR|S_IXUSR);
        and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
        or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
---

2) I have connected a samba share from the device onto my windows xp machine.. when I tried modify subfolder owner write permissions , it is simply ignoring that and setting the write permission again. ofcourse acl are enabled on that share.

That's simply the way the POSIX ACL mapping is designed. Owners are given read (and for a directory) write access by default. This maps what users expect, that the owner of a file/directory always has access to it.

If you want more precise Windows ACL mapping, layer the acl_xattr module on top of the default POSIX ACL mapping, which will present a Windows view of the underlying ACL mapping.

Jeremy.

Re: [Samba] HOWTO samba4 centos5.5 named dnsupdate drbd simple failover
On Mon, Aug 9, 2010 at 10:10 AM, Daniel Müller muel...@tropenklinik.de wrote:

centOs5.5/samba4/named here is a short guide setting it up to work.

First of all do not install the bind package coming with centos 5.5!!

Install needs for samba

    yum install libacl* gnutls* readline* python* gdb* autoconf*

Named installation: Here is a description on what to do:
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

The steps,

Thanks for the pointer. I do have some strong suggestions for you.

* Never build RPM's as root. Always do them as a user. This takes setting up your $HOME/.rpmmacros, but it's far safer and helps prevent badly written or erroneous .spec files from accidentally doing rm -rf / or modifying your installed system files. (I just published patches to an upstream package maintainer to prevent exactly this sort of accidental local modification in the build process.) I'd be happy to publish notes for it.

* If possible, build RPM's with the mock tool. This assures that you're building them with a clean build environment, rather than with locally modified libraries, or if you need local modifications you've identified them all. Again, I'd be happy to publish notes.

    yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto

Simply doing yum -y install rpmbuild, then rpmbuild --rebuild samba-*.src.rpm should identify the dependencies for the existing samba packages or any *.src.rpm you work with.

For named to compile correctly you need this 2 packages too:

    yum -y install curl* download.fedora.redhat.com/pub/fedora/epel/5/i386/python-dns-1.7.1-1.el5.noarch.rpm

EPEL is great, and also available at ftp://mirrors.kernel.org/fedora-epel/5/. And whether to use i386 or x86_64 depends on your architecture. And EPEL changes versions and discards old ones without announcements, so your needed tool may change behind your back.. Better to install the 'epel-release' RPM from the same repository, and disable the /etc/yum.repos.d/epel.repo if you don't want it on by default, but use it as needed to more gracefully install and update such packages.

Also, dnssec-conf has been obsoleted in the EPEL repository by unbound, which I assume will also work.

    cd /usr/src/redhat/SRPMS
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/bind-9.6.*.src.rpm
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/dnssec-conf-*.src.rpm

    cd /usr/src/redhat/SRPMS
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/12/SRPMS/bind-9.6.*.src.rpm
    wget -c ftp://mirrors.kernel.org/pub/fedora/releases/12/Fedora/source/SRPMS/dnssec-conf-*.src.rpm

    rpm -ivh --nomd5 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm

Fedora 13 is out. But this doesn't work with either Fedora 12 or 13 packages, unless you've separately updated your RPM to be compatible with current Fedora releases. That's fairly awkward to do. To work around that, you need to extract the files and drop them in place manually. If you use .rpmmacros, it looks like this:

    cd $HOME/rpm/SOURCES
    for name in ../SRPMS/bind-9.6.*.src.rpm; do
        rpm2cpio $name | cpio -i
        mv bind.spec ../SPECS/bind.spec
        rpmbuild -bs --nodeps ../SPECS/bind.spec
    done
    rpmbuild -bs --nodeps
    rpmbuild --rebuild ../SRPMS/bind-9.6-[whatever].el5.src.rpm

    cd /usr/src/redhat/SPECS
    rpmbuild -ba ./bind.spec

The built bind RPM is now in /usr/src/redhat/RPMS/i386/ or /usr/src/redhat/RPMS/x86_64/ depending on your Arch.

    rpmbuild --ba ./dnssec-conf.spec

The built dnssec-conf RPM is now in /usr/src/redhat/RPMS/noarch/

Which is now unnecessary, due to the availability of dnssec-conf's successor in EPEL.

    cd /usr/src/redhat/RPMS/*86*
    rpm -Uvh bind-9.6.*.rpm bind-utils-9.6.*.rpm bind-libs-9.6.*.rpm ../noarch/dnssec-conf-1.21-*.noarch.rpm

Now bind is installed

Config-File in /etc/named.conf

I disabled in options:

    //dnssec-enable yes;
    //dnssec-validation yes;
    //dnssec-lookaside . trust-anchor dlv.isc.org.;

To make bind work you have to add user named to the group named.

Set the rights to make named work correctly

    chmod 770 /etc/named.conf
    chmod 770 /etc/named.rfc1912.zones
    chown root:named /etc/named.conf
    chown named:named /etc/named.rfc1912.zones
    chmod -R 770 /var/named
    chown -R named:named /var/named
    chown named:named /etc/rndc.key
    chown named:named /var/run/named/

named is already there from your installations of the bind RPM. Look in the '%post' commands.

I'm going to take a break here, before getting into building Samba 4 itself. While your guidelines are helpful, I'm afraid they're off the beaten path for RPM based installations, and I'd like to encourage you to update them.

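The first suggestion in this reply (build as an ordinary user with a $HOME/.rpmmacros, using the $HOME/rpm layout the reply's commands assume) can be set up as below. This is an added example, not part of the thread: the function names and the --apply switch are the example's own, and %_topdir is the rpm macro that relocates the build tree.

```shell
#!/bin/sh
# Added example: per-user rpmbuild tree so that spec files are never
# executed with root privileges.

setup_rpm_tree() {
    # $1: home directory of the build user
    # $2: numeric uid of the caller (defaults to the real uid)
    home=$1
    uid=${2:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing to set up an rpmbuild tree for uid 0" >&2
        return 1
    fi
    topdir=$home/rpm
    # Same layout the reply uses: $HOME/rpm/SOURCES, ../SPECS, ../SRPMS.
    # umask 077 keeps the tree private to the build user.
    ( umask 077
      mkdir -p "$topdir/BUILD" "$topdir/RPMS" "$topdir/SOURCES" \
               "$topdir/SPECS" "$topdir/SRPMS" ) || return 1
    macros=$home/.rpmmacros
    # Idempotent: append %_topdir only if no definition exists yet.
    if ! grep -q '^%_topdir[[:space:]]' "$macros" 2>/dev/null; then
        printf '%s\n' '%_topdir %(echo $HOME)/rpm' >> "$macros" || return 1
    fi
    echo "$topdir"
}

unpack_srpm() {
    # $1: topdir, $2: absolute path to a .src.rpm.
    # Mirrors the rpm2cpio | cpio step from the reply: sources land in
    # SOURCES and the spec file moves to SPECS, all as the build user.
    ( cd "$1/SOURCES" && rpm2cpio "$2" | cpio -i && mv ./*.spec ../SPECS/ )
}

# Nothing is touched unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    setup_rpm_tree "$HOME"
fi
```

After this, rpmbuild run by that user writes under $HOME/rpm instead of /usr/src/redhat.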
Re: [Samba] Are acl_xattr and admin users option incompatible?
On Wed, Jul 21, 2010 at 08:15:35AM -0400, John Mulligan wrote:

Hello List,

I've run into an interesting situation and am wondering if this is by design or just an interesting side effect: using both acl_xattr and a user in the admin users list at the same time seems to conflict.

I have a tool that is running on a windows box that needs full access to files on a given share while ignoring individual file and folder permissions. We were able to make that tool run as an admin user in smb.conf. When I run the tool with the vfs xattr_acl module turned on (for best compatibility with nt acls), the tests fail but when using only straight POSIX acls the test works.

Running things manually, it appears that running with only POSIX acls the root user on the samba side is able to read/write any file as expected, but with acl_xattr turned on samba is doing some internal checking of the xattr acls and blocking access to the files.

So my question is, is this by design or is this something that the samba team would consider as a bug/feature request? Also feel free to tell me you're doing it wrong if there is a better way to provide read/write access to the windows side regardless of the acls on the files. None of my searches turned up anything relevant, but it's always possible that I was looking in the wrong direction.

Ok, is this with 3.5.x ? If so, it's a bug - one that has been fixed in the 3.6.0 code tree.

The function smb1_file_se_access_check() in 3.5.x is directly called from the acl_xattr module, and this code doesn't take into account the admin_user status of the calling user. In 3.6.0 and above, the admin_user status check has been moved directly into the smb1_file_se_access_check() function so that it's consistent with all calls for access checking.

Let me know if you want this fix back-porting to 3.5.x, if so, log a bug at bugzilla.samba.org and I'll create the patch (it's a reasonably simple fix).

Jeremy.
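The inconsistency Jeremy describes, reduced to a small C model (an added example, not Samba code and not part of the thread): when the admin override lives outside the shared access check, a module that calls the check directly never applies it, and moving the override inside the check makes every caller agree. All type and function names are hypothetical, the ACL is constructed sample data, and the "before" open path carrying its own override is an assumption made for contrast.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration. Every type and function name here is
 * hypothetical; none of this is Samba source. */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace    { enum ace_type type; uint32_t uid; uint32_t mask; };
struct caller { uint32_t uid; bool admin_user; };

/* Pure ACL evaluation: a matching deny ends the walk, allows accumulate. */
static bool acl_grants(const struct ace *acl, size_t n,
                       const struct caller *who, uint32_t wanted)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].uid != who->uid)
            continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & wanted))
            return false;
        if (acl[i].type == ACE_ALLOW)
            granted |= acl[i].mask;
    }
    return (granted & wanted) == wanted;
}

/* "Before" layout (assumed): the admin override sits in one caller, outside
 * the shared check, so any other caller of the check never applies it. */
bool main_open_path_before(const struct ace *acl, size_t n,
                           const struct caller *who, uint32_t wanted)
{
    return who->admin_user || acl_grants(acl, n, who, wanted);
}

bool acl_module_path_before(const struct ace *acl, size_t n,
                            const struct caller *who, uint32_t wanted)
{
    return acl_grants(acl, n, who, wanted); /* calls the check directly */
}

/* "After" layout: the override is part of the shared check itself, so there
 * is exactly one place to audit and every caller gets the same answer. */
static bool access_check_after(const struct ace *acl, size_t n,
                               const struct caller *who, uint32_t wanted)
{
    if (who->admin_user)
        return true;
    return acl_grants(acl, n, who, wanted);
}

bool main_open_path_after(const struct ace *acl, size_t n,
                          const struct caller *who, uint32_t wanted)
{
    return access_check_after(acl, n, who, wanted);
}

bool acl_module_path_after(const struct ace *acl, size_t n,
                           const struct caller *who, uint32_t wanted)
{
    return access_check_after(acl, n, who, wanted);
}

/* Constructed sample data: the stored ACL names uid 1000 and 1001 only. */
static const struct ace sample_acl[] = {
    { ACE_ALLOW, 1000, ACC_READ | ACC_WRITE },
    { ACE_DENY,  1001, ACC_WRITE },
    { ACE_ALLOW, 1001, ACC_READ },
};
#define SAMPLE_ACL_LEN (sizeof(sample_acl) / sizeof(sample_acl[0]))

static const struct caller admin = { 0,    true  }; /* listed as admin user */
static const struct caller owner = { 1000, false };
static const struct caller other = { 1001, false };

int main(void)
{
    const uint32_t rw = ACC_READ | ACC_WRITE;
    printf("before: open path=%d, ACL module path=%d (admin, read/write)\n",
           main_open_path_before(sample_acl, SAMPLE_ACL_LEN, &admin, rw),
           acl_module_path_before(sample_acl, SAMPLE_ACL_LEN, &admin, rw));
    printf("after:  open path=%d, ACL module path=%d (admin, read/write)\n",
           main_open_path_after(sample_acl, SAMPLE_ACL_LEN, &admin, rw),
           acl_module_path_after(sample_acl, SAMPLE_ACL_LEN, &admin, rw));
    printf("after:  non-admin uid 1001 write=%d, owner read/write=%d\n",
           acl_module_path_after(sample_acl, SAMPLE_ACL_LEN, &other, ACC_WRITE),
           acl_module_path_after(sample_acl, SAMPLE_ACL_LEN, &owner, rw));
    return 0;
}
```

The non-admin results are identical in both layouts; only the admin caller's outcome depends on where the override is evaluated.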
Re: [Samba] Dumb questions
Hey there,

Following up on my own problem with DDNS updates, I went on and changed these on file: /usr/local/samba/private/named.conf

cat /usr/local/samba/private/named.conf

    # This file should be included in your main BIND configuration file
    #
    # For example with
    # include /usr/local/samba/private/named.conf;

    zone samba.dghvoip.com. IN {
        type master;
        file /usr/local/samba/private/dns/samba.dghvoip.com.zone;
        # include /usr/local/samba/private/named.conf.update; ##Commented out
        update-policy {
            grant SAMBA.DGHVOIP.COM ms-self * A ;
            grant administra...@samba.dghvoip.com wildcard * A SRV CNAME TXT;
            grant vpnserv...@samba.dghvoip.com wildcard * A SRV CNAME;
            grant vo...@samba.dghvoip.com wildcard * A SRV CNAME;
            grant 192.168.254.130 wildcard * A SRV CNAME; ### Added manually
            grant 192.168.254.100 wildcard * A SRV CNAME; ### Added manually
        };

        /* we need to use check-names ignore so _msdcs A records can be created */
        check-names ignore;
    };

As you see I added the hosts that could update the zone, but after that I now get this error; although there're tons of messages on the net regarding this, none helped me.

    Aug 10 21:30:13 voip named[2167]: client 192.168.254.160#51038: updating zone 'samba.dghvoip.com/IN': update unsuccessful: samba.dghvoip.com: 'name not in use' prerequisite not satisfied (YXDOMAIN)

Strange thing, I try to ping samba.dghvoip.com from the same machine where Samba is installed, and I get:

    # ping samaba.dghvoip.com
    ping: unknown host samaba.dghvoip.com

And my zone file looks like:

    ]# dig axfr samba.dghvoip.com
    ; DiG 9.6.2-P2-RedHat-9.6.2-5.P2 axfr samba.dghvoip.com
    ;; global options: +cmd
    samba.dghvoip.com. 604800 IN SOA samba.dghvoip.com. hostmaster.samba.dghvoip.com. 2010081022 172800 14400 3628800 604800
    samba.dghvoip.com. 604800 IN NS voip.samba.dghvoip.com.
    samba.dghvoip.com. 900 IN A 192.168.254.100
    samba.dghvoip.com. 900 IN A 192.168.254.130
    _kerberos.samba.dghvoip.com. 604800 IN TXT SAMBA.DGHVOIP.COM
    w2k8._mscds.samba.dghvoip.com. 604800 IN CNAME w2k8.samba.dghvoip.com.
    a51a03b2-f191-4d24-adb8-c4fb594d8de4._msdcs.samba.dghvoip.com. 604800 IN CNAME vpnserver.samba.dghvoip.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 88 voip.samba.dghvoip.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 88 vpnserver.samba.dghvoip.com.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 voip.samba.dghvoip.com.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 vpnserver.samba.dghvoip.com.
    _kerberos._tcp.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 88 voip.samba.dghvoip.com.
    _kerberos._tcp.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 88 vpnserver.samba.dghvoip.com.
    _ldap._tcp.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 voip.samba.dghvoip.com.
    _ldap._tcp.dc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 vpnserver.samba.dghvoip.com.
    _ldap._tcp.7620096c-a269-4881-99e1-149da78a4a36.domains._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 voip.samba.dghvoip.com.
    _ldap._tcp.7620096c-a269-4881-99e1-149da78a4a36.domains._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 vpnserver.samba.dghvoip.com.
    ebb75fa1-e4ac-443c-ad9d-9878e1ff3f0d._msdcs.samba.dghvoip.com. 604800 IN CNAME voip.samba.dghvoip.com.
    gc._msdcs.samba.dghvoip.com. 604800 IN A 192.168.254.100
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 3268 voip.samba.dghvoip.com.
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 3268 vpnserver.samba.dghvoip.com.
    _ldap._tcp.gc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 3268 voip.samba.dghvoip.com.
    _ldap._tcp.gc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 3268 vpnserver.samba.dghvoip.com.
    _ldap._tcp.pdc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 voip.samba.dghvoip.com.
    _ldap._tcp.pdc._msdcs.samba.dghvoip.com. 900 IN SRV 0 100 389 vpnserver.samba.dghvoip.com.
    _gc._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 3268 voip.samba.dghvoip.com.
    _gc._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 3268 vpnserver.samba.dghvoip.com.
    _kerberos._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 88 voip.samba.dghvoip.com.
    _kerberos._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 88 vpnserver.samba.dghvoip.com.
    _ldap._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 389 voip.samba.dghvoip.com.
    _ldap._tcp.Default-First-Site-Name._sites.samba.dghvoip.com. 900 IN SRV 0 100 389 vpnserver.samba.dghvoip.com.
    _gc._tcp.samba.dghvoip.com. 900 IN SRV 0 100 3268 voip.samba.dghvoip.com.
[Samba] Samba 3.0.37 with Windows Server 2008
I'm running Windows Server 2008 and trying to connect to Samba 3.0.37 on Opensolaris. The Samba system is a member of a Windows Server 2008-based Active Directory domain - it was able to join the domain just fine - and Windows XP, Windows 2000, Windows Vista, and Windows 7 can connect, but Windows Server 2008 SP2 cannot connect.

The log file is posted below - I'm guessing the key is the message about krb5_rd_req with auth failed (Bad encryption type), but none of the solutions out there that I've looked at seem to apply - it doesn't seem to be the same bug as was in Windows Server 2003, and I'm not sure what kerberos keytab has to do with remote connections to the machine.

Any hints would be greatly appreciated.

Thanks,
Nick

    [2010/08/10 20:05:22, 5] smbd/uid.c:(338) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [PC NETWORK PROGRAM 1.0]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [LANMAN1.0]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [Windows for Workgroups 3.1a]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [LM1.2X002]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [LANMAN2.1]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [NT LM 0.12]
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(505) Requested protocol [SMB 2.002]
    [2010/08/10 20:05:22, 5] smbd/connection.c:(182) claiming 0
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(364) using SPNEGO
    [2010/08/10 20:05:22, 3] smbd/negprot.c:(606) Selected protocol NT LM 0.12
    [2010/08/10 20:05:22, 5] smbd/negprot.c:(612) negprot index=5
    [2010/08/10 20:05:22, 5] lib/util.c:(484)
    [2010/08/10 20:05:22, 5] lib/util.c:(494) size=173 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=65535 smb_pid=65279 smb_uid=0 smb_mid=0 smt_wct=17
      smb_vwv[ 0]=5 (0x5) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]=0 (0x0)
      smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]=24832 (0x6100) smb_vwv[ 8]= 82 (0x52) smb_vwv[ 9]=64512 (0xFC00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]= 128 (0x80)
      smb_vwv[12]=39069 (0x989D) smb_vwv[13]=63911 (0xF9A7) smb_vwv[14]=52024 (0xCB38) smb_vwv[15]=26625 (0x6801) smb_vwv[16]=1 (0x1) smb_bcc=104
    [2010/08/10 20:05:22, 3] smbd/process.c:(1083) Transaction 1 of length 1640
    [2010/08/10 20:05:22, 5] lib/util.c:(484)
    [2010/08/10 20:05:22, 5] lib/util.c:(494) size=1636 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207 smb_tid=65535 smb_pid=65279 smb_uid=0 smb_mid=64 smt_wct=12
      smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=0 (0x0) smb_vwv[ 2]=16644 (0x4104) smb_vwv[ 3]= 50 (0x32) smb_vwv[ 4]=0 (0x0) smb_vwv[ 5]=0 (0x0)
      smb_vwv[ 6]=0 (0x0) smb_vwv[ 7]= 1573 (0x625) smb_vwv[ 8]=0 (0x0) smb_vwv[ 9]=0 (0x0) smb_vwv[10]= 212 (0xD4) smb_vwv[11]=40960 (0xA000) smb_bcc=1577
    [2010/08/10 20:05:22, 3] smbd/process.c:(932) switch message SMBsesssetupX (pid 21089) conn 0x0
    [2010/08/10 20:05:22, 3] smbd/sec_ctx.c:(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2010/08/10 20:05:22, 5] auth/auth_util.c:(448) NT user token: (NULL)
    [2010/08/10 20:05:22, 5] auth/auth_util.c:(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2010/08/10 20:05:22, 5] smbd/uid.c:(338) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1258) wct=12 flg2=0xc807
    [2010/08/10 20:05:22, 2] smbd/sesssetup.c:(1214) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1040) Doing spnego session setup
    [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1071) NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669) parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
    [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669) parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
    [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669) parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
    [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(699) reply_spnego_negotiate: Got secblob of size 1507
    [2010/08/10 20:05:22, 3] libads/kerberos_verify.c:(427) ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2010/08/10 20:05:22, 1] smbd/sesssetup.c:(316) Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2010/08/10 20:05:22, 3] smbd/error.c:(106) error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2010/08/10 20:05:22, 5] lib/util.c:(484)
Build status as of Tue Aug 10 06:00:01 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-08-09 00:00:04.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-08-10 00:00:04.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Mon Aug 9 06:00:02 2010 +Build status as of Tue Aug 10 06:00:01 2010 Build counts: Tree Total Broken Panic @@ -17,7 +17,7 @@ samba_3_master 32 31 1 samba_3_next 32 32 6 samba_4_0_test 32 32 0 -samba_4_0_waf 36 34 0 +samba_4_0_waf 36 33 0 talloc 32 7 0 tdb 30 8 0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 78fa58f... libcli/auth/ntlmssp: remove outdated comment. The version flag is well understood now. via d84a2ae... s3: fix the waf build. via 1e83b36... libcli/auth Move some source3/ NTLMSSP functions to the common code. libcli/auth Use true and false rather than True and False in common code from e0f79da... Fix bug #7608 - Win7 SMB2 authentication causes smbd panic http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 78fa58f8c36a111b5231a979aaa8b89a29ec815f Author: Günther Deschner g...@samba.org Date: Tue Aug 10 11:51:01 2010 +0200 libcli/auth/ntlmssp: remove outdated comment. The version flag is well understood now. Guenther commit d84a2aeb6405f37d485a2108c05c932518dcd272 Author: Günther Deschner g...@samba.org Date: Tue Aug 10 11:39:04 2010 +0200 s3: fix the waf build. Guenther commit 1e83b36afb67c43d99c4fdd2a8eba0da5da5b95e Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 18:16:32 2010 +1000 libcli/auth Move some source3/ NTLMSSP functions to the common code. libcli/auth Use true and false rather than True and False in common code Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org --- Summary of changes: libcli/auth/ntlmssp.c | 58 + libcli/auth/ntlmssp_private.h |7 ++ libcli/auth/ntlmssp_server.c | 53 source3/Makefile.in |3 +- source3/libsmb/ntlmssp.c | 87 -- source3/wscript_build |3 +- source4/auth/ntlmssp/ntlmssp.c| 110 - source4/auth/ntlmssp/ntlmssp_server.c | 30 - source4/auth/ntlmssp/wscript_build|7 ++- 9 files changed, 128 insertions(+), 230 deletions(-) create mode 100644 libcli/auth/ntlmssp_server.c Changeset truncated at 500 lines: diff --git a/libcli/auth/ntlmssp.c b/libcli/auth/ntlmssp.c index 1be764e..b7f14c1 100644 --- a/libcli/auth/ntlmssp.c +++ b/libcli/auth/ntlmssp.c 
@@ -74,3 +74,61 @@ void debug_ntlmssp_flags(uint32_t neg_flags) if (neg_flags NTLMSSP_NEGOTIATE_56) DEBUGADD(4, ( NTLMSSP_NEGOTIATE_56\n)); } + +void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, + uint32_t neg_flags, bool allow_lm) +{ + if (neg_flags NTLMSSP_NEGOTIATE_UNICODE) { + ntlmssp_state-neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_OEM; + ntlmssp_state-unicode = true; + } else { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_UNICODE; + ntlmssp_state-neg_flags |= NTLMSSP_NEGOTIATE_OEM; + ntlmssp_state-unicode = false; + } + + if ((neg_flags NTLMSSP_NEGOTIATE_LM_KEY) allow_lm) { + /* other end forcing us to use LM */ + ntlmssp_state-neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; + ntlmssp_state-use_ntlmv2 = false; + } else { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_LM_KEY; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_NTLM2)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_NTLM2; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_128)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_128; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_56)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_56; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_KEY_EXCH)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_KEY_EXCH; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_SIGN)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_SIGN; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_SEAL)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_SEAL; + } + + if (!(neg_flags NTLMSSP_NEGOTIATE_VERSION)) { + ntlmssp_state-neg_flags = ~NTLMSSP_NEGOTIATE_VERSION; + } + + if ((neg_flags NTLMSSP_REQUEST_TARGET)) { + ntlmssp_state-neg_flags |= NTLMSSP_REQUEST_TARGET; + } +} diff --git a/libcli/auth/ntlmssp_private.h b/libcli/auth/ntlmssp_private.h index e2044ee..cb91987 100644 --- a/libcli/auth/ntlmssp_private.h +++ b/libcli/auth/ntlmssp_private.h 
@@ -42,3 +42,10 @@ union ntlmssp_crypt_state { /* The following definitions come from libcli/auth/ntlmssp.c */ void debug_ntlmssp_flags(uint32_t neg_flags); +void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, + uint32_t
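Review bot: In ntlmssp_handle_neg_flags(), the LM_KEY branch sets use_ntlmv2 = false whenever the peer's flags carry NTLMSSP_NEGOTIATE_LM_KEY and allow_lm is true, so a flag chosen by the remote end is enough to switch NTLMv2 off. Now that the function is exported from common code through ntlmssp_private.h, it should carry a doc comment saying what callers are expected to pass as allow_lm and that passing true permits this downgrade; the prototype is added with no comment at all. Minor style point in the same function: the NTLMSSP_REQUEST_TARGET test is wrapped in doubled parentheses, unlike the other single-flag tests.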
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4969b3d... s3:ntlmssp Always call ntlmssp_sign_init() via 617ec07... s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now via d112557... s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2 via f6cc686... s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available via 3c0a17a... s3:ntlmssp Don't use the lm key if the user didn't supply one. via f744e42... s3:ntlmssp Add extra DEBUG() message for auth system failures via e0c94d1... s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key' from 78fa58f... libcli/auth/ntlmssp: remove outdated comment. The version flag is well understood now. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4969b3de632c1545d7ea5997c52b85aa4baaf4d8 Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 20:48:17 2010 +1000 s3:ntlmssp Always call ntlmssp_sign_init() There is no code path that sets nt_status before this point, without a return. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit 617ec0733dad40c9441b1e1533fb3d99bf22c24f Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 20:41:54 2010 +1000 s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now This code will, I hope, soon be merged in common, and the Samba4 use case does not currently support talloc_tos() properly. Use another context for now. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit d112557a05b23480abd3f2f52c1c7b8ded2b4f66 Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 20:24:35 2010 +1000 s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2 This is another 'belts and braces' check to avoid the use of the weak 'LM_KEY' encryption when the client has chosen NTLMv2. Andrew Bartlett 
Signed-off-by: Günther Deschner g...@samba.org commit f6cc686036281ee9b467ba18e96ee5086b89bef7 Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 19:43:06 2010 +1000 s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available This ensures the client isn't confused and we don't enter this weaker authentication scheme when we don't really, really need to. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit 3c0a17a1274df1b38b3acd9335192cd78730b01c Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 19:01:34 2010 +1000 s3:ntlmssp Don't use the lm key if the user didn't supply one. This may help to avoid a number of possible MITM attacks where LM_KEY is spoofed into the session. If the login wasn't with lanman (and so the user chose to disclose their lanman response), don't disclose back anything based on their lanman password. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit f744e42bd08cd724da09b5b04bafb68de07888cc Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 18:35:25 2010 +1000 s3:ntlmssp Add extra DEBUG() message for auth system failures Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit e0c94d14b3ddc6f20e8f37b2a01b045ca2ad7375 Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 18:18:51 2010 +1000 s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key' This will allow this to be handled via common code in the future Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org --- Summary of changes: source3/libsmb/ntlmssp.c | 42 +++--- 1 files changed, 31 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index 784a347..6815358 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c 
@@ -325,11 +325,13 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, } } - ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth()); + ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state-allow_lm_key); /* Ask our caller what challenge they would like in the packet */ status = ntlmssp_state-get_challenge(ntlmssp_state, cryptkey); if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, (ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n, + nt_errstr(status))); return status; } @@ -414,7 +416,7 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, if (DEBUGLEVEL = 10) { struct CHALLENGE_MESSAGE *challenge = talloc( -
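Review bot: The call in ntlmssp_server_negotiate() now reads ntlmssp_state->allow_lm_key where it used to call lp_lanman_auth(), but nothing in the visible part of this changeset shows where that field is assigned. Please confirm that every path creating an ntlmssp_state sets it explicitly, because this value alone now decides whether ntlmssp_handle_neg_flags() will accept LM_KEY from the peer, and a missed initialisation would change the negotiated strength without any build or runtime error. The added DEBUG(1) on a failed get_challenge() is a useful addition.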
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 75adca6... libcli/auth Make the source3/ implementation of the NTLMSSP server common via 979b672... s3:ntlmssp Split the NTLMSSP server into before and after authentication from 4969b3d... s3:ntlmssp Always call ntlmssp_sign_init() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 75adca63f21ab4b415e0f909a54972d8dd57a153 Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 21:31:21 2010 +1000 libcli/auth Make the source3/ implementation of the NTLMSSP server common This means that the core logic (but not the initialisation) of the NTLMSSP server is in common, but uses different authentication backends. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org commit 979b672dcb013ed38a312b280fa6c0642469649b Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 6 20:53:39 2010 +1000 s3:ntlmssp Split the NTLMSSP server into before and after authentication This allows for a future where the auth subsystem is async, and the session key generation needs to happen in a callback. This code is originally reworked into this style by metze for the source4/ implementation. The other change here is to introduce an 'out_mem_ctx', which makes the API match that used in source4. Andrew Bartlett Signed-off-by: Günther Deschner g...@samba.org --- Summary of changes: libcli/auth/ntlmssp_private.h |6 + libcli/auth/ntlmssp_server.c | 524 + source3/libsmb/ntlmssp.c | 457 + source4/auth/ntlmssp/ntlmssp_server.c | 521 + 4 files changed, 539 insertions(+), 969 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/auth/ntlmssp_private.h b/libcli/auth/ntlmssp_private.h index cb91987..ff7b285 100644 --- a/libcli/auth/ntlmssp_private.h +++ b/libcli/auth/ntlmssp_private.h 
@@ -49,3 +49,9 @@ void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state, uint32_t neg_flags, uint32_t *chal_flags); +NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out); +NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state, +TALLOC_CTX *out_mem_ctx, +const DATA_BLOB request, DATA_BLOB *reply); diff --git a/libcli/auth/ntlmssp_server.c b/libcli/auth/ntlmssp_server.c index 30b5541..844a0b4 100644 --- a/libcli/auth/ntlmssp_server.c +++ b/libcli/auth/ntlmssp_server.c @@ -23,6 +23,10 @@ #include includes.h #include ../libcli/auth/ntlmssp.h #include ../libcli/auth/ntlmssp_private.h +#include ../librpc/gen_ndr/ndr_ntlmssp.h +#include ../libcli/auth/ntlmssp_ndr.h +#include ../libcli/auth/libcli_auth.h +#include ../lib/crypto/crypto.h /** * Determine correct target name flags for reply, given server role 
@@ -51,3 +55,523 @@ const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state, return ; } } + +/** + * Next state function for the Negotiate packet + * + * @param ntlmssp_state NTLMSSP state + * @param out_mem_ctx Memory context for *out + * @param in The request, as a DATA_BLOB. reply.data must be NULL + * @param out The reply, as an allocated DATA_BLOB, caller to free. + * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required. + */ + +NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *out_mem_ctx, + const DATA_BLOB request, DATA_BLOB *reply) +{ + DATA_BLOB struct_blob; + uint32_t neg_flags = 0; + uint32_t ntlmssp_command, chal_flags; + uint8_t cryptkey[8]; + const char *target_name; + NTSTATUS status; + + /* parse the NTLMSSP packet */ +#if 0 + file_save(ntlmssp_negotiate.dat, request.data, request.length); +#endif + + if (request.length) { + if ((request.length 16) || !msrpc_parse(ntlmssp_state, request, Cdd, + NTLMSSP, + ntlmssp_command, + neg_flags)) { + DEBUG(1, (ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n, + (unsigned int)request.length)); + dump_data(2, request.data, request.length); + return NT_STATUS_INVALID_PARAMETER; +
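Review bot: The doc comment on ntlmssp_server_negotiate() documents "@param in" and "@param out", and the prototype added to ntlmssp_private.h also uses in/out, but the definition names the parameters request and reply (and the comment text itself refers to reply.data). Use one pair of names in the comment, the prototype and the definition. The "#if 0" file_save() debugging block at the top of the function could be dropped rather than carried into common code; if it is ever enabled it writes the raw request to disk.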
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 9673c7f... cleanups: Trailing spaces, line length, etc... (cherry picked from commit 28c74564c5bd3c972745deaa904ec8695f21ea1f) via 398020f... s3-dcerpc: Use dcerpc_guess_sizes in the server code too. (cherry picked from commit 57bd974e5865212641f6941dd875bc1bc4967ed9) via c12e4f2... s3-dceprc: Improve dcerpc_guess_sizes() interface via da1b08d... s3-dcerpc: rationalize packet creation in the server code via 191f069... s3-dcerpc: Make function to guess pdu sizes common. (cherry picked from commit a9d3a596a7c4d7e5775751cbce74e2fb07ce2192) via 3a8a549... s3-dceprc: consolidate use of dcerpc_push_dcerpc_auth() (cherry picked from commit 9329a9fe848761e2835ff58123d8f64d8bab35b2) via 6d550ef... s3-dcerpc: Remove unused functions (cherry picked from commit da6c246aacc298ec0c7536289afbd9e0d99ea130) via 88cf1c1... s3-dcerpc: use common spengo wrapper code for client SPNEGO/NTLMSSP (cherry picked from commit 186f93633b4890c444115ac4eed109aa24f20b44) via 04f397f... s3-dcerpc: add sign/seal support when using SPNEGO/KRB5 (cherry picked from commit 984438ca1522bfc2d882b2e3e7e8db187577e05a) via 3bf1347... s3-dcerpc: Add SPNEGO incapsulation for KRB5 auth via 9132f34... rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for ntlmssp (cherry picked from commit e286b9c0bd7bf553f216d7c8288bb75a6b3dde95) via db8bd28... s3-dcerpc: Try to fix build when gssapi_ext.h is not available (cherry picked from commit e8ac4a8b82798ef0691d384f59d880dc38b56592) via 24b0188... Do not refernece pipe_auth_data directly in dcerpc_gssapi.c (cherry picked from commit 7c9c075987e7cdb2d5cb6311876f088f907e46f2) via 0ce9b97... s3-dcerpc: Avoid ifdef, it is handled within dcerpc_gssapi.c already (cherry picked from commit d17abc69f690ccc845a0a1d6d291b6e21ce86b3d) via bcb5b48... smbd: Fix build warning (cherry picked from commit c4b3c9ec0f2efa937529160999f7e44bcad3591f) via b8979bb... 
s3-dcerpc: Add sign/seal with gssapi (cherry picked from commit 7eaa15af2c5b544946bfb2b8c522ba9677527972) via 6841746... s3-dcerpc: Add next authentication step with gssapi (cherry picked from commit 1abcbd70aed327ae5233423ce74662241fa9d21a) via c09e659... s3-decrpc: Introduce gssapi support for dcerpc krb5 auth via acd1abe... rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for krb5 auth (cherry picked from commit 72088096af8dbf57cbc85c71cd0eef4447e7560d) via be1c095... s3-dcerpc: Refactor calculate_data_len_tosend() (cherry picked from commit 183e0a0d9f87bc619cd832decf5745be1d28f598) via a448126... s3-dcerpc: Add auth trailer only when appropriate. (cherry picked from commit c08d684f4ef679831e8fed69cd87e4d9b06cb3e0) via 42eb8ca... s3-dcerpc: consolidate unmarshalling of dcerpc_auth (cherry picked from commit 866f85e31973de356c3843836d5cacdbdf245e32) via 268df6f... s3-dcerpc: revive cli_rpc_pipe_open_krb5() (cherry picked from commit 146af48d4887e8fa0c66bf53aa5f204366648478) via d92aab4... misc: Remove unused structure elements (cherry picked from commit 250e341e0aad67c2f70fea597f34deadea1d2ccc) via 881236a... s3-rpcclient: Allow choosing spnego mech: (ntlm/krb5) (cherry picked from commit b00f9a0a2d3b692dd12e182a2a4a7979c626dec7) via 05dc21c... s3-dcerpc: Use dcerpc_AuthType in pipe_auth_data (cherry picked from commit 2463a871776bb4de8653d6a44469d2adb3ec9418) via 810c4a6... s3-dcerpc: Cleanup and refactor create_rpc_bind_req() (cherry picked from commit 1e915d231d4191bf3a0bb54ba99a31ad6b2afd3b) via fda83be... s3-auth: Remove unimplemented functions (cherry picked from commit 3c3237dd0afa37ba0e545424f5008973b645cf96) via 304081a... s3-dcerpc: Set flags directly instead of calling unimplemented functions. (cherry picked from commit bfe53d414548cd8a0226136b73cf2b766b6a61ef) via fecb756... s3-dcerpc: Use dcerpc_check_auth in client code too (cherry picked from commit 7407c979a1469997c9277c501787b5f16aac) via 4c5995b... 
s3-dcerpc: Make dcerpc_check_auth() common code (cherry picked from commit 9565e3f6a7ef2fb590558eb7b29c6c2fc657fca9) via b0363df... s3-dcerpc: Add the same paranoia checks we have in the client code (cherry picked from commit 5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611) via 63ada38... s3-dcerpc: Split auth checking into a generic function. (cherry picked from commit 49a8c2965d2982e6510609fa9772a56597494641) via d923df6... s3-dcerpc do not pass pipes_struct to dcesrv_auth_request() (cherry picked from commit 1fc71c9c6ff26f2d49f314b8425c6cd4c91683f3) via 6850e68... s3-dcerpc: Make dcesrv_auth_request() return NTSTATUS codes (cherry picked from commit 2ce169ce187cc7229aecdc3e5cd889c5194956aa) via d586cdb... s3-dcerpc: Use the common dcerpc_add_auth_footer() in the
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 1b58b1e... s3-waf: fix the build. via 163cd49... s3-dcerpc: fix some uninitialized variables build warnings. via dcc0314... s3-build: fix some c++ build warnings. from 9673c7f... cleanups: Trailing spaces, line length, etc... (cherry picked from commit 28c74564c5bd3c972745deaa904ec8695f21ea1f) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 1b58b1ecd0fc920e3433c2f67b3b88be81b226fe Author: Günther Deschner g...@samba.org Date: Wed Aug 4 14:55:10 2010 +0200 s3-waf: fix the build. Guenther (cherry picked from commit 4b17ff4a9088860646e127b17df18d415dbdc97d) commit 163cd49b09102976036b9425043d921bbcb851f8 Author: Günther Deschner g...@samba.org Date: Tue Aug 3 15:55:20 2010 +0200 s3-dcerpc: fix some uninitialized variables build warnings. Guenther (cherry picked from commit 64b26affe0afa2999130cdd4f1d521dccd877c9c) commit dcc0314f06bd607757ae534f0626f016c521ca90 Author: Günther Deschner g...@samba.org Date: Sun Aug 1 15:34:52 2010 +0200 s3-build: fix some c++ build warnings. Guenther (cherry picked from commit 322b52419485b882658c53c21f86e5bdfa82b71f) --- Summary of changes: source3/librpc/rpc/dcerpc_gssapi.c |4 ++-- source3/librpc/rpc/dcerpc_spnego.c |4 ++-- source3/rpc_client/cli_pipe.c |2 +- source3/rpc_server/srv_pipe.c |2 +- source3/wscript_build |6 +- 5 files changed, 11 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/librpc/rpc/dcerpc_gssapi.c b/source3/librpc/rpc/dcerpc_gssapi.c index c9496ab..2de46b5 100644 --- a/source3/librpc/rpc/dcerpc_gssapi.c +++ b/source3/librpc/rpc/dcerpc_gssapi.c @@ -310,7 +310,7 @@ static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min) goto done; } gss_maj = gss_display_status(gss_min, min, GSS_C_MECH_CODE, -discard_const(gss_mech_krb5), +(gss_OID)discard_const(gss_mech_krb5), msg_ctx, msg_min); if (gss_maj) { goto done; 
@@ -394,7 +394,7 @@ NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx, if (!signature-length) { return NT_STATUS_INTERNAL_ERROR; } - signature-data = talloc_size(mem_ctx, signature-length); + signature-data = (uint8_t *)talloc_size(mem_ctx, signature-length); if (!signature-data) { return NT_STATUS_NO_MEMORY; } diff --git a/source3/librpc/rpc/dcerpc_spnego.c b/source3/librpc/rpc/dcerpc_spnego.c index a0832ce..5627a0d 100644 --- a/source3/librpc/rpc/dcerpc_spnego.c +++ b/source3/librpc/rpc/dcerpc_spnego.c @@ -68,7 +68,7 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, uint32_t add_gss_c_flags, struct spnego_context **spnego_ctx) { - struct spnego_context *sp_ctx; + struct spnego_context *sp_ctx = NULL; NTSTATUS status; status = spnego_context_init(mem_ctx, @@ -97,7 +97,7 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, const char *password, struct spnego_context **spnego_ctx) { - struct spnego_context *sp_ctx; + struct spnego_context *sp_ctx = NULL; NTSTATUS status; status = spnego_context_init(mem_ctx, diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index dcbb816..87575cb 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2747,7 +2747,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; - struct pipe_auth_data *auth; + struct pipe_auth_data *auth = NULL; enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP; NTSTATUS status; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 899073b..436e5be 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -205,7 +205,7 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx, bool create_next_pdu(struct pipes_struct *p) { - size_t pdu_size; + size_t pdu_size = 0; NTSTATUS status; /* diff --git a/source3/wscript_build b/source3/wscript_build index 9d33fd1..1babb54 100644 
--- a/source3/wscript_build +++ b/source3/wscript_build @@ -241,6 +241,7 @@ LIBSMB_ERR_SRC = '${LIBSMB_ERR_SRC0} ${LIBSMB_ERR_SRC1} ${REG_PARSE_PRS_SRC}' LIBSMB_SRC0 = ''' ../libcli/auth/ntlm_check.c libsmb/ntlmssp.c +
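Review bot: in the gse_seal() hunk of source3/librpc/rpc/dcerpc_gssapi.c, the added (uint8_t *) cast on talloc_size() is there only to satisfy a C++ compiler. talloc_array(mem_ctx, uint8_t, len) with the same length argument returns the typed pointer directly, needs no cast, and keeps the element type next to the length.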
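Review bot: the "= NULL" and "= 0" initialisers added for sp_ctx (dcerpc_spnego.c), auth (cli_pipe.c) and pdu_size (srv_pipe.c) silence the uninitialized-variable warning, but they also stop the compiler from flagging a real use-before-set introduced later. For pdu_size in create_next_pdu() in particular, confirm that the NTSTATUS of the call that fills it is checked before pdu_size is used, so the 0 default can never be taken as a valid PDU length. A short comment saying the initialiser exists only for the warning would help the next reader.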
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 303089f... s4:dsdb/common/util.c - provide a call which returns the forest function level via 3b1d74f... libds/common/flags.h - fix a comment's typo via e53fc12... s4:dsdb/common/util.c - use LDB constants whenever possible from 75adca6... libcli/auth Make the source3/ implementation of the NTLMSSP server common http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 303089f5b8ced9fb80ed76cb0205f0cdf11fc530 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Aug 9 19:52:00 2010 +0200 s4:dsdb/common/util.c - provide a call which returns the forest function level Sooner or later we'll need this too since not all operations depend only on the current's domain function level (see the MS-ADTS docs). commit 3b1d74f4b677842a0cbe16ba29be7d672c07b87c Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Aug 9 19:48:03 2010 +0200 libds/common/flags.h - fix a comment's typo commit e53fc1228f12ff2ce2c84936e38fef3b5ae311c4 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Aug 9 19:45:45 2010 +0200 s4:dsdb/common/util.c - use LDB constants whenever possible --- Summary of changes: libds/common/flags.h |2 +- source4/dsdb/common/util.c | 33 +++-- 2 files changed, 24 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/libds/common/flags.h b/libds/common/flags.h index be1e839..021db2a 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -172,7 +172,7 @@ /* domainFunctionality, forestFunctionality and domainControllerFunctionality in the rootDSE */ #define DS_DOMAIN_FUNCTION_20000 -#define DS_DOMAIN_FUNCTION_2003_MIXED 1 /* Not a valid/meaningfulxs +#define DS_DOMAIN_FUNCTION_2003_MIXED 1 /* Not a valid/meaningful * domainControllerFunctionality * Level */ #define DS_DOMAIN_FUNCTION_20032 diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 52ba81d..7c5fd8a 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c 
@@ -1831,7 +1831,7 @@ bool samdb_is_pdc(struct ldb_context *ldb) } ret = ldb_search(ldb, tmp_ctx, dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL); - if (ret) { + if (ret != LDB_SUCCESS) { DEBUG(1,(Searching for fSMORoleOwner in %s failed: %s\n, ldb_dn_get_linearized(ldb_get_default_basedn(ldb)), ldb_errstring(ldb))); @@ -1877,7 +1877,7 @@ bool samdb_is_gc(struct ldb_context *ldb) /* Query cn=ntds settings, */ ret = ldb_search(ldb, tmp_ctx, res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL); - if (ret) { + if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return false; } @@ -1903,7 +1903,7 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, TALLOC_CTX *local_ctx; struct ldb_dn *sdn = dn; struct ldb_result *res = NULL; - int ret = 0; + int ret = LDB_SUCCESS; const char *attrs[] = { NULL }; local_ctx = talloc_new(mem_ctx); @@ -2350,7 +2350,7 @@ struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, domain_ref_attrs, ((nETBIOSName=%s)(objectclass=crossRef)), escaped_domain); - if (ret_domain != 0) { + if (ret_domain != LDB_SUCCESS) { return NULL; } @@ -2361,7 +2361,7 @@ struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, LDB_SCOPE_BASE, domain_ref2_attrs, (objectclass=domain)); - if (ret_domain != 0) { + if (ret_domain != LDB_SUCCESS) { return NULL; } @@ -2895,7 +2895,7 @@ int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options) } ret = ldb_search(ldb, tmp_ctx, res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL); - if (ret) { + if (ret != LDB_SUCCESS) { goto failed; } @@ -2922,7 +2922,7 @@ const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context * struct ldb_result *res; ret = ldb_search(ldb, tmp_ctx, res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL); - if (ret) { + if (ret != LDB_SUCCESS) { goto failed; }
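Review bot: in the samdb_is_gc() hunk of source4/dsdb/common/util.c, the failure branch still does only talloc_free(tmp_ctx); return false;, so a failed ldb_search on the NTDS settings object cannot be told apart from "this DC is not a GC". samdb_is_pdc() in the first hunk logs the DN and ldb_errstring(ldb) at DEBUG(1) on the same condition. Since the comparison is being touched anyway, log here as well, and check that the "goto failed" paths in samdb_ntds_options() and samdb_ntds_object_category() report the LDB error too.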
Re: s4:objectclass LDB module - implement additional delete constraint checks
Hi ekacnet,

Matthieu Patou wrote: Could it be possible to be a bit less violent here ? This change breaks upgradeprovision in full mode when upgrading at least alpha10 but I'm pretty sure that alpha8,9 and 11 are broken too ... The thing is that old provision do not have the rid_set ... it seems : everything what I implement is stated in MS-ADTS and is tested by me against Windows Server as far as possible. If you need weaker checks (e.g. in the objectclass LDB module) then please use the RELAX control - this should bypass them.

Matthias
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 4acb48e... librpc/idl/mgmt.idl: add missing size_is() via 31bc9ad... pidl:NDR: correctly handle bracket arrays with 'string' via 7853a6d... s3:smbd: fix valgrind warning, sizeof(16) != 16... via 6af4ce4... s3:rpc_server: fix valgrind warning via bc64c9a... s3:rpc_server: fix memory leaks in rpc_pipe_internal_dispatch() from 1b58b1e... s3-waf: fix the build. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 4acb48edc00c0b82d3c6e63128f147bf8188a5b5 Author: Stefan Metzmacher me...@samba.org Date: Thu Aug 5 17:19:16 2010 +0200 librpc/idl/mgmt.idl: add missing size_is() metze (cherry picked from commit ad94ae980462dc4c581a2fa1d7e927c2ae625c19) commit 31bc9ad0c08eba2b79b09ce0a9c0f2a2e98a9646 Author: Stefan Metzmacher me...@samba.org Date: Thu Aug 5 16:10:37 2010 +0200 pidl:NDR: correctly handle bracket arrays with 'string' metze (cherry picked from commit 0a7f749bc80d9846b97cd22cd503473a205aaafd) commit 7853a6d4bbb9c2f0dcacb950fe353ff77701d227 Author: Stefan Metzmacher me...@samba.org Date: Sun Aug 8 09:21:57 2010 +0200 s3:smbd: fix valgrind warning, sizeof(16) != 16... 
metze (cherry picked from commit ac9f06c9b93ada5d0e8331a122e199a8f69049a3) commit 6af4ce44d0c2d75652a8cad99eae9071595fe19f Author: Stefan Metzmacher me...@samba.org Date: Sun Aug 8 09:23:00 2010 +0200 s3:rpc_server: fix valgrind warning metze (cherry picked from commit cc6951243d5641e2185ed9dee3b6ee4de07d217b) commit bc64c9ab1b4e58ad1475c82e8f97c9ad9f50a9c5 Author: Stefan Metzmacher me...@samba.org Date: Sat Aug 7 14:27:27 2010 +0200 s3:rpc_server: fix memory leaks in rpc_pipe_internal_dispatch() metze (cherry picked from commit 66412bfc76dc8b7337f3690ec75b14542a3df11e) --- Summary of changes: librpc/idl/mgmt.idl|2 +- pidl/lib/Parse/Pidl/NDR.pm |4 source3/rpc_server/rpc_ncacn_np_internal.c |7 +++ source3/rpc_server/srv_pipe.c |1 + source3/smbd/negprot.c |2 +- 5 files changed, 14 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/mgmt.idl b/librpc/idl/mgmt.idl index 35857f2..17c8cc4 100644 --- a/librpc/idl/mgmt.idl +++ b/librpc/idl/mgmt.idl @@ -70,6 +70,6 @@ interface mgmt WERROR mgmt_inq_princ_name ( [in]uint32 authn_proto, [in]uint32 princ_name_size, - [out] [string,charset(DOS)] uint8 princ_name[] + [out] [string,size_is(princ_name_size),charset(DOS)] uint8 princ_name[] ); } diff --git a/pidl/lib/Parse/Pidl/NDR.pm b/pidl/lib/Parse/Pidl/NDR.pm index a875ec8..1b45010 100644 --- a/pidl/lib/Parse/Pidl/NDR.pm +++ b/pidl/lib/Parse/Pidl/NDR.pm @@ -124,6 +124,10 @@ sub GetElementLevelTable($$) if ($d eq *) { $is_conformant = 1; if ($size = shift @size_is) { + if (has_property($e, string)) { + $is_string = 1; + delete($e-{PROPERTIES}-{string}); + } } elsif ((scalar(@size_is) == 0) and has_property($e, string)) { $is_string = 1; delete($e-{PROPERTIES}-{string}); diff --git a/source3/rpc_server/rpc_ncacn_np_internal.c b/source3/rpc_server/rpc_ncacn_np_internal.c index 9bb5428..2393f94 100644 --- a/source3/rpc_server/rpc_ncacn_np_internal.c +++ b/source3/rpc_server/rpc_ncacn_np_internal.c 
@@ -291,16 +291,23 @@ static NTSTATUS rpc_pipe_internal_dispatch(struct rpc_pipe_client *cli, } if (!cmds[i].fn(cli-pipes_struct)) { + data_blob_free(cli-pipes_struct-in_data.data); + data_blob_free(cli-pipes_struct-out_data.rdata); + talloc_free_children(cli-pipes_struct-mem_ctx); return NT_STATUS_UNSUCCESSFUL; } status = internal_ndr_pull(mem_ctx, cli, table, opnum, r); if (!NT_STATUS_IS_OK(status)) { + data_blob_free(cli-pipes_struct-in_data.data); + data_blob_free(cli-pipes_struct-out_data.rdata); + talloc_free_children(cli-pipes_struct-mem_ctx); return status; } data_blob_free(cli-pipes_struct-in_data.data); data_blob_free(cli-pipes_struct-out_data.rdata); + talloc_free_children(cli-pipes_struct-mem_ctx); return NT_STATUS_OK; } diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 436e5be..e704d75 100644 ---
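Review bot: in rpc_pipe_internal_dispatch() (source3/rpc_server/rpc_ncacn_np_internal.c) the same three cleanup calls, data_blob_free() on in_data.data and out_data.rdata plus talloc_free_children() on mem_ctx, are now repeated on all three return paths. The leak being fixed came from exits that skipped cleanup, so route every exit through a single "done:" label that sets status and frees once. The next early return added to this function then cannot miss it.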
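Review bot: in librpc/idl/mgmt.idl, size_is(princ_name_size) bounds the [out] princ_name array by a uint32 that the caller supplies as an [in] parameter, and nothing in the visible declaration limits that value. Consider a range() attribute on princ_name_size, or state in a comment where the server caps it, so the size of the reply buffer is not purely client-chosen.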
Re: s4:objectclass LDB module - implement additional delete constraint checks
Matthias,

Hi ekacnet, Matthieu Patou wrote: Could it be possible to be a bit less violent here ? This change breaks upgradeprovision in full mode when upgrading at least alpha10 but I'm pretty sure that alpha8,9 and 11 are broken too ... The thing is that old provision do not have the rid_set ... it seems : everything what I implement is stated in MS-ADTS and is tested by me against Windows Server as far as possible. If you need weaker checks (e.g. in the objectclass LDB module) then please use the RELAX control - this should bypass them.

No pb to test it again a windows server but you have not to forget that some people (and they are more and more numerous) do not have always a provision with the state of art objects in it (otherwise I won't spend my time on upgradeprovision). In this particular case you could have made the test a bit different as if the attribute do not exists we are not removing it so it won't hit the test, using the relax control is not the best solution as it is a kind of sledgehammer. Also you can ask yourself and the list of the effect of what you are adding to the samdb code with existing provision.

Matthieu.

--
Matthieu Patou Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 067b572... s4:objectclass LDB module - weak the check for the rIDSet delete constraint from 303089f... s4:dsdb/common/util.c - provide a call which returns the forest function level http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 067b5721c71cbc0004ea59d357e79cd4fc8d8954 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Tue Aug 10 21:01:11 2010 +0200 s4:objectclass LDB module - weak the check for the rIDSet delete constraint Perform it only when a rIDSet does exist. Requested by ekacnet for upgradeprovision. --- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass.c | 18 ++ 1 files changed, 10 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 9c2e416..548d51e 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c 
@@ -1366,20 +1366,22 @@ static int objectclass_do_delete(struct oc_context *ac) } /* DC's rIDSet object */ + /* Perform this check only when it does exist - this is needed in order +* to don't let existing provisions break. */ ret = samdb_rid_set_dn(ldb, ac, dn); - if (ret != LDB_SUCCESS) { + if ((ret != LDB_SUCCESS) (ret != LDB_ERR_NO_SUCH_OBJECT)) { return ret; } - - if (ldb_dn_compare(ac-req-op.del.dn, dn) == 0) { + if (ret == LDB_SUCCESS) { + if (ldb_dn_compare(ac-req-op.del.dn, dn) == 0) { + talloc_free(dn); + ldb_asprintf_errstring(ldb, objectclass: Cannot delete %s, it's the DC's rIDSet object!, + ldb_dn_get_linearized(ac-req-op.del.dn)); + return LDB_ERR_UNWILLING_TO_PERFORM; + } talloc_free(dn); - ldb_asprintf_errstring(ldb, objectclass: Cannot delete %s, it's the DC's rIDSet object!, - ldb_dn_get_linearized(ac-req-op.del.dn)); - return LDB_ERR_UNWILLING_TO_PERFORM; } - talloc_free(dn); - /* crossRef objects regarding config, schema and default domain NCs */ if (samdb_find_attribute(ldb, ac-search_res-message, objectClass, crossRef) != NULL) { -- Samba Shared Repository
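Review bot: in objectclass_do_delete(), LDB_ERR_NO_SUCH_OBJECT from samdb_rid_set_dn() now skips the rIDSet delete protection without leaving any trace. Two things to check: dn is freed only inside the ret == LDB_SUCCESS branch, which relies on samdb_rid_set_dn() not having allocated dn when it returns LDB_ERR_NO_SUCH_OBJECT; and a DEBUG line on the skipped path would let an administrator see that the provision has no rIDSet and that this constraint is therefore not being enforced. The added comment would read better as "so that existing provisions do not break".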
Re: s4:objectclass LDB module - implement additional delete constraint checks
Hi ekacnet,

no I've understood what you mean - and yes, I can bypass the check when the rIDSet doesn't exist. I will push a patch.

Matthias

Matthieu Patou wrote: Matthias, Hi ekacnet, Matthieu Patou wrote: Could it be possible to be a bit less violent here ? This change breaks upgradeprovision in full mode when upgrading at least alpha10 but I'm pretty sure that alpha8,9 and 11 are broken too ... The thing is that old provision do not have the rid_set ... it seems : everything what I implement is stated in MS-ADTS and is tested by me against Windows Server as far as possible. If you need weaker checks (e.g. in the objectclass LDB module) then please use the RELAX control - this should bypass them. No pb to test it again a windows server but you have not to forget that some people (and they are more and more numerous) do not have always a provision with the state of art objects in it (otherwise I won't spend my time on upgradeprovision). In this particular case you could have made the test a bit different as if the attribute do not exists we are not removing it so it won't hit the test, using the relax control is not the best solution as it is a kind of sledgehammer. Also you can ask yourself and the list of the effect of what you are adding to the samdb code with existing provision. Matthieu.
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 7651996... s3:utils/net_rpc_service.c: we also need some ndr_pull functions via dba6d93... s3:libnet/libnet_samsync.c: we also need some ndr_pull functions via 46be277... s3:rpcclient: we also need some ndr_pull functions from 4acb48e... librpc/idl/mgmt.idl: add missing size_is() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 765199607a07dfff1e37da9e897ca89fbe72f5ad Author: Stefan Metzmacher me...@samba.org Date: Fri Aug 6 14:50:31 2010 +0200 s3:utils/net_rpc_service.c: we also need some ndr_pull functions metze (cherry picked from commit 1c515fb94b9bc4d432aa6435e352cb8294f436e2) commit dba6d936ccea25800ab278d5b506049f590b57df Author: Stefan Metzmacher me...@samba.org Date: Fri Aug 6 14:51:54 2010 +0200 s3:libnet/libnet_samsync.c: we also need some ndr_pull functions metze (cherry picked from commit 08cf7ac7a0d885ca4bf733c7f7f705b3f2a30e92) commit 46be277ad6e707d03739541d07ebf6ae05b58293 Author: Stefan Metzmacher me...@samba.org Date: Fri Aug 6 14:52:58 2010 +0200 s3:rpcclient: we also need some ndr_pull functions metze (cherry picked from commit d6eb42cc619206c280edd732b1b56563a21e8f4d) --- Summary of changes: source3/libnet/libnet_samsync.c |1 + source3/rpcclient/cmd_eventlog.c |1 + source3/rpcclient/cmd_lsarpc.c |1 + source3/rpcclient/cmd_netlogon.c |1 + source3/rpcclient/cmd_samr.c |1 + source3/rpcclient/cmd_srvsvc.c |1 + source3/utils/net_rpc_service.c |1 + 7 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c index 5c42aca..6668be2 100644 --- a/source3/libnet/libnet_samsync.c +++ b/source3/libnet/libnet_samsync.c @@ -26,6 +26,7 @@ #include ../lib/crypto/crypto.h #include ../libcli/samsync/samsync.h #include ../libcli/auth/libcli_auth.h +#include ../librpc/gen_ndr/ndr_netlogon.h #include ../librpc/gen_ndr/cli_netlogon.h /** 
diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c index 941909e..8c4ed49 100644 --- a/source3/rpcclient/cmd_eventlog.c +++ b/source3/rpcclient/cmd_eventlog.c @@ -20,6 +20,7 @@ #include includes.h #include rpcclient.h +#include ../librpc/gen_ndr/ndr_eventlog.h #include ../librpc/gen_ndr/cli_eventlog.h static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli, diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index 1cc16fb..9db316f 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -23,6 +23,7 @@ #include includes.h #include rpcclient.h #include ../libcli/auth/libcli_auth.h +#include ../librpc/gen_ndr/ndr_lsa.h #include ../librpc/gen_ndr/cli_lsa.h #include rpc_client/cli_lsarpc.h diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index 0917bad..4419485 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -22,6 +22,7 @@ #include includes.h #include rpcclient.h #include ../libcli/auth/libcli_auth.h +#include ../librpc/gen_ndr/ndr_netlogon.h #include ../librpc/gen_ndr/cli_netlogon.h #include rpc_client/cli_netlogon.h #include secrets.h diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 367c3b8..37c63ae 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -25,6 +25,7 @@ #include includes.h #include rpcclient.h #include ../libcli/auth/libcli_auth.h +#include ../librpc/gen_ndr/ndr_samr.h #include ../librpc/gen_ndr/cli_samr.h #include rpc_client/cli_samr.h #include rpc_client/init_samr.h diff --git a/source3/rpcclient/cmd_srvsvc.c b/source3/rpcclient/cmd_srvsvc.c index 890151e..91e9404 100644 --- a/source3/rpcclient/cmd_srvsvc.c +++ b/source3/rpcclient/cmd_srvsvc.c @@ -22,6 +22,7 @@ #include includes.h #include rpcclient.h +#include ../librpc/gen_ndr/ndr_srvsvc.h #include ../librpc/gen_ndr/cli_srvsvc.h /* Display server query info */ 
diff --git a/source3/utils/net_rpc_service.c b/source3/utils/net_rpc_service.c index 9ab82b5..631a5a1 100644 --- a/source3/utils/net_rpc_service.c +++ b/source3/utils/net_rpc_service.c @@ -18,6 +18,7 @@ #include includes.h #include utils/net.h +#include ../librpc/gen_ndr/ndr_svcctl.h #include ../librpc/gen_ndr/cli_svcctl.h struct svc_state_msg { -- Samba Shared Repository
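Review bot: all seven hunks add an ndr_*.h include directly above the matching cli_*.h, but the three commit messages ("we also need some ndr_pull functions") do not say which ndr_pull functions these files call or what change stopped them from being declared. Name the functions in the message. If the prototypes used to arrive through the cli_*.h headers, say so, so that other consumers of those headers can be checked for the same missing include.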
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via dfc1cf9... pidl:NDR: correctly handle no pointer bracket arrays with 'string' from 7651996... s3:utils/net_rpc_service.c: we also need some ndr_pull functions http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit dfc1cf9e57b5cbdf924287d7b2f9c3c8284a54cf Author: Stefan Metzmacher me...@samba.org Date: Mon Aug 9 19:38:30 2010 +0200 pidl:NDR: correctly handle no pointer bracket arrays with 'string' metze (cherry picked from commit a22989a54afd411a8d038110c7df2c545b4121b7) --- Summary of changes: pidl/lib/Parse/Pidl/NDR.pm |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/pidl/lib/Parse/Pidl/NDR.pm b/pidl/lib/Parse/Pidl/NDR.pm index 1b45010..4c327a3 100644 --- a/pidl/lib/Parse/Pidl/NDR.pm +++ b/pidl/lib/Parse/Pidl/NDR.pm @@ -124,7 +124,7 @@ sub GetElementLevelTable($$) if ($d eq *) { $is_conformant = 1; if ($size = shift @size_is) { - if (has_property($e, string)) { + if ($e-{POINTERS} 1 and has_property($e, string)) { $is_string = 1; delete($e-{PROPERTIES}-{string}); } -- Samba Shared Repository
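Review bot: in GetElementLevelTable() the added POINTERS test changes, for the second time, which bracket arrays carrying both size_is and "string" are parsed as strings (the branch itself was introduced by the Aug 5 commit), yet the summary shows only pidl/lib/Parse/Pidl/NDR.pm changed. Add a pidl test that covers both the pointer and the no-pointer form, and a one-line comment on why the pointer count matters here, since this condition decides how a length-bearing string is marshalled.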
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 03bfd42... s4-test: Implement DRS-RPC-msDSIntId test case via d595f07... s4-dsdb: fix attributes_by_msDS_IntId index sorting via 06f5985... s4-test: Move dsdb_schema loading into public function via c30f9bd... s4-test: Move RPC-DSSYNC test in DRS-RPC test suite via da074f1... s4-test: Move dssync.c to torture/drs/rpc via f3c0689... s4-test: strip trailing white-spaces from 067b572... s4:objectclass LDB module - weak the check for the rIDSet delete constraint http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 03bfd4290f70ab2de46ccd82a429fda57c8c6bb9 Author: Kamen Mazdrashki kame...@samba.org Date: Tue Aug 10 01:08:19 2010 +0300 s4-test: Implement DRS-RPC-msDSIntId test case commit d595f070f6ab7c6c8732c3c3a4ca39d37bcca3b4 Author: Kamen Mazdrashki kame...@samba.org Date: Tue Aug 10 21:05:47 2010 +0300 s4-dsdb: fix attributes_by_msDS_IntId index sorting commit 06f59855a7b4fcc6f4957d9e1a8e29e387397b50 Author: Kamen Mazdrashki kame...@samba.org Date: Sat Aug 7 12:52:07 2010 +0300 s4-test: Move dsdb_schema loading into public function I will use this function for tests implementation later commit c30f9bd7345cddd85502eb9d099279606959f447 Author: Kamen Mazdrashki kame...@samba.org Date: Thu Aug 5 04:55:04 2010 +0300 s4-test: Move RPC-DSSYNC test in DRS-RPC test suite commit da074f10e3900413a134ee8143c68f05563da13f Author: Kamen Mazdrashki kame...@samba.org Date: Thu Aug 5 18:37:24 2010 +0300 s4-test: Move dssync.c to torture/drs/rpc commit f3c06892eccac1169a73615637bf82bf956ce523 Author: Kamen Mazdrashki kame...@samba.org Date: Thu Aug 5 18:35:35 2010 +0300 s4-test: strip trailing white-spaces --- Summary of changes: source4/dsdb/schema/schema_set.c |6 +- source4/selftest/tests.sh|2 +- source4/torture/drs/drs_init.c |3 + source4/torture/drs/drs_util.c | 94 +++ source4/torture/drs/rpc/dssync.c | 1064 source4/torture/drs/rpc/msds_intid.c | 643 +++ source4/torture/drs/wscript_build|2 +- source4/torture/rpc/dssync.c | 
1120 -- source4/torture/rpc/rpc.c|1 - source4/torture/wscript_build|2 +- 10 files changed, 1812 insertions(+), 1125 deletions(-) create mode 100644 source4/torture/drs/rpc/dssync.c create mode 100644 source4/torture/drs/rpc/msds_intid.c delete mode 100644 source4/torture/rpc/dssync.c Changeset truncated at 500 lines: diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c index b8ed7ca..344e9bb 100644 --- a/source4/dsdb/schema/schema_set.c +++ b/source4/dsdb/schema/schema_set.c @@ -230,6 +230,10 @@ static int dsdb_compare_attribute_by_attributeID_id(struct dsdb_attribute **a1, { return uint32_cmp((*a1)-attributeID_id, (*a2)-attributeID_id); } +static int dsdb_compare_attribute_by_msDS_IntId(struct dsdb_attribute **a1, struct dsdb_attribute **a2) +{ + return uint32_cmp((*a1)-msDS_IntId, (*a2)-msDS_IntId); +} static int dsdb_compare_attribute_by_attributeID_oid(struct dsdb_attribute **a1, struct dsdb_attribute **a2) { return strcasecmp((*a1)-attributeID_oid, (*a2)-attributeID_oid); @@ -345,7 +349,7 @@ static int dsdb_setup_sorted_accessors(struct ldb_context *ldb, /* sort the arrays */ TYPESAFE_QSORT(schema-attributes_by_lDAPDisplayName, schema-num_attributes, dsdb_compare_attribute_by_lDAPDisplayName); TYPESAFE_QSORT(schema-attributes_by_attributeID_id, schema-num_attributes, dsdb_compare_attribute_by_attributeID_id); - TYPESAFE_QSORT(schema-attributes_by_msDS_IntId, schema-num_int_id_attr, dsdb_compare_attribute_by_attributeID_id); + TYPESAFE_QSORT(schema-attributes_by_msDS_IntId, schema-num_int_id_attr, dsdb_compare_attribute_by_msDS_IntId); TYPESAFE_QSORT(schema-attributes_by_attributeID_oid, schema-num_attributes, dsdb_compare_attribute_by_attributeID_oid); TYPESAFE_QSORT(schema-attributes_by_linkID, schema-num_attributes, dsdb_compare_attribute_by_linkID); diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh index 1dd507e..bc4543c 100755 --- a/source4/selftest/tests.sh +++ b/source4/selftest/tests.sh 
@@ -166,7 +166,7 @@ fi # that they stay passing ncacn_np_tests=RPC-SCHANNEL RPC-JOIN RPC-LSA RPC-DSSETUP RPC-ALTERCONTEXT RPC-MULTIBIND RPC-NETLOGON RPC-HANDLES RPC-SAMSYNC RPC-SAMBA3-SESSIONKEY RPC-SAMBA3-GETUSERNAME RPC-SAMBA3-LSA RPC-SAMBA3-BIND RPC-SAMBA3-NETLOGON RPC-ASYNCBIND RPC-LSALOOKUP RPC-LSA-GETUSER RPC-SCHANNEL2 RPC-AUTHCONTEXT ncalrpc_tests=RPC-SCHANNEL RPC-JOIN RPC-LSA RPC-DSSETUP RPC-ALTERCONTEXT RPC-MULTIBIND RPC-NETLOGON RPC-DRSUAPI RPC-ASYNCBIND RPC-LSALOOKUP
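Review bot: the commit message for the source4/dsdb/schema/schema_set.c change ("fix attributes_by_msDS_IntId index sorting") should state the symptom: before this change the attributes_by_msDS_IntId array was ordered by attributeID_id, so any lookup that assumes msDS_IntId order could miss an attribute. The TYPESAFE_QSORT lines in dsdb_setup_sorted_accessors() pair each array with its comparator by hand; a debug-build check after sorting that each array is ordered by its own key would catch the next mismatch.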
[SCM] CTDB repository - branch 1.0.112 updated - ctdb-1.0.111-136-g83fcabe
The branch, 1.0.112 has been updated via 83fcabed2d3014df4112f9644c3186e205b28ad6 (commit) via 1a595bad79aa2b6994c9098b86f06bf38444e23c (commit) from e19ef366984223fe94f878aecb50d05990f1ced7 (commit) http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=1.0.112 - Log - commit 83fcabed2d3014df4112f9644c3186e205b28ad6 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Aug 11 12:46:33 2010 +1000 New version 1.0.112-33 commit 1a595bad79aa2b6994c9098b86f06bf38444e23c Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Aug 11 12:37:51 2010 +1000 Add a new event :ipreallocated This is called everytime a reallocation is performed. While STARTRECOVERY/RECOVERED events are only called when we do ipreallocation as part of a full database/cluster recovery, this new event can be used to trigger on when we just do a light failover due to a node becomming unhealthy. I.e. situations where we do a failover but we do not perform a full cluster recovery. Use this to trigger for natgw so we select a new natgw master node when failover happens and not just when cluster rebuilds happen. --- Summary of changes: common/ctdb_util.c |3 ++- config/events.d/11.natgw |2 +- include/ctdb.h |1 + packaging/RPM/ctdb.spec.in |7 ++- server/ctdb_takeover.c | 19 --- server/eventscript.c |1 + 6 files changed, 27 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/common/ctdb_util.c b/common/ctdb_util.c index 9dc6d7a..835bbfd 100644 --- a/common/ctdb_util.c +++ b/common/ctdb_util.c @@ -664,5 +664,6 @@ const char *ctdb_eventscript_call_names[] = { monitor, status, shutdown, - reload + reload, + ipreallocated }; diff --git a/config/events.d/11.natgw b/config/events.d/11.natgw index c872837..2fc232a 100755 --- a/config/events.d/11.natgw +++ b/config/events.d/11.natgw 
@@ -45,7 +45,7 @@ case $1 in ctdb setnatgwstate on ;; -recovered|updatenatgw) +recovered|updatenatgw|ipreallocated) MYPNN=`ctdb pnn | cut -d: -f2` NATGWMASTER=`ctdb natgwlist | head -1 | sed -e s/ .*//` NATGWIP=`ctdb natgwlist | head -1 | sed -e s/^[^ ]* *//` diff --git a/include/ctdb.h b/include/ctdb.h index cc83495..294fe01 100644 --- a/include/ctdb.h +++ b/include/ctdb.h @@ -695,6 +695,7 @@ enum ctdb_eventscript_call { CTDB_EVENT_STATUS, /* Report service status: no args. */ CTDB_EVENT_SHUTDOWN,/* CTDB shutting down: no args. */ CTDB_EVENT_RELOAD, /* magic */ + CTDB_EVENT_IPREALLOCATED, /* when a takeover_run() completes */ CTDB_EVENT_MAX }; diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in index 7a09368..a71cacf 100644 --- a/packaging/RPM/ctdb.spec.in +++ b/packaging/RPM/ctdb.spec.in @@ -5,7 +5,7 @@ Vendor: Samba Team Packager: Samba Team sa...@samba.org Name: ctdb Version: 1.0.112 -Release: 32 +Release: 33 Epoch: 0 License: GNU GPL version 3 Group: System Environment/Daemons @@ -125,6 +125,11 @@ rm -rf $RPM_BUILD_ROOT %{_docdir}/ctdb/tests/bin/ctdb_transaction %changelog +* Tue Aug 11 2010 : Version 1.0.112-33 + - CQ : S1019290 + Add a new event ipreallocated so that we can update the natgw + configuration also when normal/light failovers occur and not just when + heavy/full database recoveries/cluster rebuilds trigger. * Tue Aug 10 2010 : Version 1.0.112-32 - Dont check if natgw is enabled or not in the natgw script - disable the check if winbind is ok diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c index cb65f29..208a6c6 100644 --- a/server/ctdb_takeover.c +++ b/server/ctdb_takeover.c 
@@ -737,10 +737,10 @@ create_merged_ip_list(struct ctdb_context *ctdb) */ int ctdb_takeover_run(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap) { - int i, num_healthy, retries, num_ips; + int i, num_healthy, retries, num_ips; struct ctdb_public_ip ip; struct ctdb_public_ipv4 ipv4; - uint32_t mask; + uint32_t mask, *nodes; struct ctdb_public_ip_list *all_ips, *tmp_ip; int maxnode, maxnum=0, minnode, minnum=0, num; TDB_DATA data; @@ -749,7 +749,6 @@ int ctdb_takeover_run(struct ctdb_context *ctdb, struct ctdb_node_map *nodemap) struct ctdb_client_control_state *state; TALLOC_CTX *tmp_ctx = talloc_new(ctdb); - ZERO_STRUCT(ip); /* Count how many completely healthy nodes we have */ @@ -1057,6 +1056,20 @@ finished: return -1; } + + /* tell all nodes to update natwg */ + /* send the flags update natgw on all connected nodes */ + data.dptr = discard_const(ipreallocated); +
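Review bot: ctdb_eventscript_call_names[] in common/ctdb_util.c and enum ctdb_eventscript_call in include/ctdb.h are kept in step by hand. This change appends "ipreallocated" to one and CTDB_EVENT_IPREALLOCATED to the other, and a future event added to only one of them would make the name lookup read past the array or report the wrong event. Add a compile-time check that the array has exactly CTDB_EVENT_MAX entries.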
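Review bot: in packaging/RPM/ctdb.spec.in the new %changelog entry is dated "Tue Aug 11 2010", but the commit itself is dated Wed Aug 11 2010 and the entry directly below it is already "Tue Aug 10 2010". Change the weekday to Wed. In the comment added to server/ctdb_takeover.c, "natwg" should read "natgw".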
[SCM] CTDB repository - branch 1.0.112 updated - ctdb-1.0.111-137-g1d1d475
The branch, 1.0.112 has been updated via 1d1d475d7e18620330aaee95038c40b27e5496d4 (commit) from 83fcabed2d3014df4112f9644c3186e205b28ad6 (commit) http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=1.0.112 - Log - commit 1d1d475d7e18620330aaee95038c40b27e5496d4 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Aug 11 14:42:44 2010 +1000 add some extra debugging statements to the client side code sending controls and failing. in particular the GETRECMASTER control --- Summary of changes: client/ctdb_client.c | 24 +++- 1 files changed, 19 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/client/ctdb_client.c b/client/ctdb_client.c index 7caa5cb..0b65466 100644 --- a/client/ctdb_client.c +++ b/client/ctdb_client.c @@ -282,6 +282,11 @@ int ctdb_socket_connect(struct ctdb_context *ctdb) ctdb-daemon.queue = ctdb_queue_setup(ctdb, ctdb, ctdb-daemon.sd, CTDB_DS_ALIGNMENT, ctdb_client_read_cb, ctdb); + if (ctdb-daemon.queue == NULL) { + DEBUG(DEBUG_ERR,(__location__ Failed to setup queue to daemon\n)); + return -1; + } + return 0; } @@ -835,6 +840,7 @@ struct ctdb_client_control_state *ctdb_control_send(struct ctdb_context *ctdb, ret = ctdb_client_queue_pkt(ctdb, (c-hdr)); if (ret != 0) { + DEBUG(DEBUG_ERR,(__location__ Failed to queue packet to ctdb daemon\n)); talloc_free(state); return NULL; } @@ -864,6 +870,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, } if (state == NULL) { + DEBUG(DEBUG_ERR,(__location__ ctdb_control_recv called with state==NULL\n)); return -1; } @@ -879,12 +886,12 @@ int ctdb_control_recv(struct ctdb_context *ctdb, } if (state-state != CTDB_CONTROL_DONE) { - DEBUG(DEBUG_ERR,(__location__ ctdb_control_recv failed\n)); + DEBUG(DEBUG_ERR,(__location__ ctdb_control_recv failed with state:%d\n, state-state)); if (state-async.fn) { state-async.fn(state); } talloc_free(tmp_ctx); - return -1; + return -2; } if (state-errormsg) { 
@@ -896,7 +903,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, state-async.fn(state); } talloc_free(tmp_ctx); - return -1; + return -3; } if (outdata) { @@ -1122,9 +1129,16 @@ struct ctdb_client_control_state * ctdb_ctrl_getrecmaster_send(struct ctdb_context *ctdb, TALLOC_CTX *mem_ctx, struct timeval timeout, uint32_t destnode) { - return ctdb_control_send(ctdb, destnode, 0, + struct ctdb_client_control_state *state; + + state = ctdb_control_send(ctdb, destnode, 0, CTDB_CONTROL_GET_RECMASTER, 0, tdb_null, mem_ctx, timeout, NULL); + if (state == NULL) { + DEBUG(DEBUG_ERR,(__location__ Failed to send getrecmaster control to node %u\n, destnode)); + } + + return state; } int ctdb_ctrl_getrecmaster_recv(struct ctdb_context *ctdb, TALLOC_CTX *mem_ctx, struct ctdb_client_control_state *state, uint32_t *recmaster) @@ -1134,7 +1148,7 @@ int ctdb_ctrl_getrecmaster_recv(struct ctdb_context *ctdb, TALLOC_CTX *mem_ctx, ret = ctdb_control_recv(ctdb, state, mem_ctx, NULL, res, NULL); if (ret != 0) { - DEBUG(DEBUG_ERR,(__location__ ctdb_ctrl_getrecmaster_recv failed\n)); + DEBUG(DEBUG_ERR,(__location__ ctdb_ctrl_getrecmaster_recv failed with error:%d\n, ret)); return -1; } -- CTDB repository
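Review bot: ctdb_control_recv() now returns -2 when the control did not reach CTDB_CONTROL_DONE and -3 when an error message is set, where both paths used to return -1. ctdb_ctrl_getrecmaster_recv() in this patch tests ret != 0 and is unaffected, but any caller that compares the result against -1 will now treat these failures as success. Audit the callers, and give the codes names or document them in the function comment rather than leaving bare -2 and -3.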
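Review bot: in ctdb_socket_connect(), the new early return taken when ctdb_queue_setup() yields NULL leaves daemon.sd as it was; the hunk does not show the descriptor being closed or reset on this path. If the socket is already connected at that point, close it and set it back to -1 before returning, so that a retry does not leak the descriptor.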