Re: [Samba] VPN/WAN Domain members

2010-11-25 Thread Christian Rost
Hi,

the problem you're describing is common to such setups. IMHO the following will 
help you in your setup:

1. raise the VPN timeouts
This should prevent your VPN from going offline.

2. install a PDC/BDC in each location
Distribute domain-specific information to all locations, so you 
don't rely so heavily on your VPN. The samba-howto gives you information about 
the setup (Chapter 5. Backup Domain Control - LDAP Configuration Notes). 

For this setup you need a Linux-box in each location. Depending on the needed 
performance/ size of your locations/ ... , it can range from something like a 
Buffalo WZR-HP-G300NH with OpenWRT  up to a small server.


Cheers,

Christian
===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



ray klassen julius_ahenobar...@yahoo.co.uk wrote
Subject: [Samba] VPN/WAN Domain members
Date: 24.11.2010 18:15

I have about 60 PC's running windows XP behind vpn routers in different 
locations. I find that they lose connection or sync (or whatever the right 
word is) to the domain periodically, probably when the vpn shuts down due to 
low demand. The result is that any domain user not already in the local 
password hash cache cannot log in and any local share with domain permissions 
on it will not allow a domain account access if the pc is not rebooted. Is 
there any way to force windows to resync without a reboot or to make XP more 
fault tolerant to slower connections to the samba domain?

Thanks in advance. etc...



  
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



[Samba] group names with longer names than 30 chars [winbind 3.4.7]

2010-11-25 Thread Assarsson, Emil
Hi All,

I'm unable to do lookups on groups that have a longer name than 30 characters.
Is this a known problem and does it help to upgrade?

Is there any workaround for this?

Best regards

Emil Assarsson
Sony Ericsson Mobile Communications AB



[Samba] Samba slow with some files.

2010-11-25 Thread Esteban Torres Rodríguez
In my samba server (3.2.5-4lenny13) I have problems with slowness on some
files.
Let me explain:

A word file of 155Mb takes about 7 seconds when the user is the owner, but
about 40 seconds if the user is not the owner (WAN).

I have monitored with wireshark: when the user is the owner it is
4096 bytes/frame, and when the user is not the owner it is 512 bytes/frame.

I have worked with this option: kernel oplocks = no

Why does this occur?

My smb.conf

[Global]
   workgroup = domain
   realm = domain.com
   preferred master = no
   server string = Samba
   security = ADS
   encrypt passwords = yes
   password server = activedirectory.domain.com
   domain master = no
   encrypt passwords = yes
   socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = yes
   log level = 3
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 50
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   idmap uid = 600-2
   idmap gid = 600-2
   read raw = yes
   write raw = yes
   oplocks = yes
   max xmit = 65535
   getwd cache = yes
   kernel oplocks = no

[share]
   comment = myshare
   path = /opt/data/
   public = no
   writable = yes
   browseable = yes
   create mask = 770
   directory mask = 770
   force create mode = 0770
   force group = group_quota


Re: [Samba] windows 7

2010-11-25 Thread Todd E Thomas
Jonathan, thank you for taking an interest in this. I did have this 
directive in smb.conf file.


To reiterate, the users logon, seemingly without fail. The work stations 
add to ldap without error, they only have a problem when trying to auth 
after the add to ldap. These are the relevant bits of the log:


Adding workstation to the domain:
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]:   init_ldap_from_sam: Setting entry for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database


After adding the workstation to the domain, reboot, login user:
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$

...
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication for user [7TEST1] - [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER

...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00,  2] auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password:  authentication for user [thomas] - [thomas] - [thomas] succeeded




For some reason my attachments were stripped out on the last send. For 
posterity, this is the smb.conf file.



# smb.conf from the book:
# Using Samba, Third Edition; January 2007
# Server role: ROLE_DOMAIN_PDC

# --- Browser Control Options 


[global]
workgroup = OFFICE
netbios name = SERVER
server string = Server %v
encrypt passwords = yes
security = user
domain master = yes
domain logons = yes
os level = 35
preferred master = yes
local master = yes
;   max smbd processes = 0
# - LDAP Authentication --

ldap passwd sync = yes
ldap ssl = off
ldap timeout = 60
ldap connection timeout = 2
passdb backend = ldapsam:ldap://mail.domain.tld:389
ldap admin dn = uid=zmposixroot,cn=appaccts,cn=zimbra
ldap suffix = dc=domain,dc=tld
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
# -- Universal Options ---

dos charset = ASCII
unix charset = UTF-8
time server = yes
ntlm auth = yes
client lanman auth = yes
lanman auth = no
client plaintext auth = no
pam password change = yes
obey pam restrictions = yes
server signing = Disabled
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n Retype*new*password* %n\n *updated*

username map = /etc/samba/smbusers
wins support = yes
name resolve order = wins bcast hosts
logon script = %G.vbs
logon path =
logon drive = H:
logon home =
interfaces = lo eth0
bind interfaces only = yes
hosts deny = ALL
hosts allow = 127. 10.0.0.0/24
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768

enable privileges = yes
dns proxy = no
create mask = 0777
directory mask = 0777
panic action = /usr/share/samba/panic-action %d
# --- Printing ---

load printers = no
show add printer wizard = no
printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   show add printer wizard = no
;   use sendfile = yes
# --- Logging Options 


log file = /var/log/samba/%m.log
syslog = 3
log level = 3
max log size = 1000
syslog only = no
# --- Samba Scripting 

add machine script = /usr/sbin/useradd -n -g 100 -c "Workstation (%u)" -M -d /nohome -s /sbin/nologin %u
add user script = /usr/sbin/useradd -n -g 100 -d /export/homes/%u -s /sbin/nologin %u

delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g %g %u




Todd E Thomas
It's a frail music knits the world together.
-Robert Dana




[Samba] Samba print fix utility?

2010-11-25 Thread Ryan Suarez

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/print_utility/troubleshooting/guide/PrntUtil.html#wp39367

It's saved me numerous times.  Other people have asked for a copy.  But 
you need a valid contract to use it.  Does anyone know of a similar 
open/free utility?


Apparently the product this utility supports is end of life:
http://www.cisco.com/en/US/products/ps6469/index.html

I wish they'd just open this up for everyone.


Re: [Samba] windows 7

2010-11-25 Thread Pascal Legrand
I made some tests without LDAP, only with a new machine with Samba 3.5.6 
and the tdb backend.

On the Windows 7 station I modified the registry as described on the Samba 
wiki and I applied the Microsoft patch.

The Windows 7 machine joins the Samba domain without problems, 
users can log in without problems, 
and then everything works fine.

It's only in the log that there are error messages.

server signing = disabled is like that by default

-- 

---
Pascal
---



[Samba] ADS auth client disconnects when ads_cleanup_expired_creds runs

2010-11-25 Thread Mark Adams
Hi All,

Debian Lenny, with Samba 3.4.8~dfsg-2~bpo50+1 (backports)

I'm having an issue where 1 or 2 random clients out of 100 seem to be
disconnected from a samba print server and not allowed to reconnect
until they log off and back on to their machines. It is not always the
same clients. I have a Samba fileserver running on another machine with
virtually identical config that does not have this issue. 

This happens pretty quickly after the ads_cleanup_expired creds log:

---

[2010/11/25 15:15:01,  3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 26 Nov 2010 01:14:44 GMT

---

In the specific client logs after this occurs I get the following:

---

[2010/11/25 15:17:15,  0] lib/util_sock.c:738(write_data)
[2010/11/25 15:17:15,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/11/25 15:17:15,  0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/11/25 15:17:15,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/11/25 15:17:15,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/11/25 15:17:15,  3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2010/11/25 15:17:15,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
[2010/11/25 15:18:35,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/11/25 15:18:35,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/11/25 15:18:35,  3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2010/11/25 15:18:35,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)

---

It doesn't occur every time the cleanup is run (which seems to be every
15 minutes), but does happen once or twice a day.

It doesn't seem to be something wrong with my samba config, because it
works 99% of the time. But please find it below and advise if anything
might be causing this.

---

[global]

security = ads
workgroup = DOMAIN
realm = DOMAIN.LOCAL
password server = dc1.domain.local, dc2.domain.local
encrypt passwords = yes
server string = domainprint
netbios name = domainprint
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind offline logon = yes
enhanced browsing = no
template shell = /bin/false
veto files = /TheVolumeSettingsFolder/, /Temporary Items/, /*DS_Store*/,
/*AppleDB/, /*AppleDesktop/, /*AppleDouble/, /Network Trash Folder/,
 * /*Trashes/, /*TemporaryItems/, /*FBCLockFolder/, /*FBCIndex/
delete veto files = yes
create mask = 0775
directory mask = 2775
invalid users = root
panic action = /usr/share/samba/panic-action %d
log file = /var/log/samba/log.%m
log level = 3
socket options = TCP_NODELAY
printing = cups
printcap = cups
#load printers = yes
printer admin = @DOMAIN\itdept
follow symlinks=yes

-

Is it possible to change the ticket expiration time? Or is there a
Windows setting on the Domain controller that needs to be changed?
(Windows server standard 2008 R2).

Any help appreciated, Please advise if I need to post any other details.

Thanks,
Mark
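
Added example (not part of any post in this digest, and not Samba code): a log-triage sketch for the two symptoms reported here, the `_netr_ServerAuthenticate2` machine-account rejection in the Windows 7 thread and the client exits that follow `ads_cleanup_expired_creds` in the post above. It goes slightly beyond the posts by accepting both smbd header layouts seen on this page; the sample lines are constructed from the excerpts, and the function names and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Optional syslog prefix, e.g. "Nov 22 10:07:37 mail smbd[28796]: "
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smbd\[\d+\]: ?")
# Record header. Both "file:function(line)" and "file:line(function)" occur
# in the excerpts on this page, so accept either order.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"[\w./-]+:(?:(?P<func_a>[A-Za-z_]\w*)\(\d+\)|\d+\((?P<func_b>\w+)\))"
)
REJECT = re.compile(
    r"Rejecting auth request from client (\S+) machine account (\S+)")


def parse_records(lines):
    """Group each header line with its continuation lines into one record."""
    records, current = [], None
    for raw in lines:
        line = SYSLOG.sub("", raw).strip()
        match = HEADER.match(line)
        if match:
            current = {
                "time": datetime.strptime(match["ts"], "%Y/%m/%d %H:%M:%S"),
                "level": int(match["level"]),
                "func": match["func_a"] or match["func_b"],
                "text": "",
            }
            records.append(current)
        elif current is not None and line:
            current["text"] = (current["text"] + " " + line).strip()
    return records


def machine_auth_rejections(records):
    """(time, client, account) for each rejected NETLOGON machine auth."""
    hits = []
    for rec in records:
        found = REJECT.search(rec["text"])
        if rec["func"] == "_netr_ServerAuthenticate2" and found:
            hits.append((rec["time"], found.group(1), found.group(2)))
    return hits


def exits_after_cleanup(records, window=timedelta(minutes=5)):
    """(exit_time, cleanup_time) for exits within `window` after a cleanup."""
    cleanups = [r["time"] for r in records
                if r["func"] == "ads_cleanup_expired_creds"]
    hits = []
    for rec in records:
        if rec["func"] != "exit_server_common":
            continue
        if "failed to receive smb request" not in rec["text"]:
            continue
        prior = [c for c in cleanups
                 if timedelta(0) <= rec["time"] - c <= window]
        if prior:
            hits.append((rec["time"], max(prior)))
    return hits


# Constructed sample, modelled on the excerpts in this digest. The last
# record (16:40:00) is invented to show an exit outside the window.
SAMPLE = """\
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$
[2010/11/25 15:15:01,  3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 26 Nov 2010 01:14:44 GMT
[2010/11/25 15:17:15,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
[2010/11/25 15:18:35,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
[2010/11/25 16:40:00,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE.splitlines())
    for when, client, account in machine_auth_rejections(recs):
        print(f"{when} machine auth rejected: {client} ({account})")
    for exit_time, cleanup_time in exits_after_cleanup(recs):
        print(f"{exit_time} client exit after cleanup at {cleanup_time}")
```

Records from several log files (for example the per-client `log.%m` files) can be concatenated before parsing, since the correlation compares timestamps rather than relying on line order.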


[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  ae61408 s4:lsa RPC server / objectclass LDB module - fix the 
creation of trusted domain objects
  from  fc1da86 s4-tests: Modified speedtest.py to use 
samba.tests.delete_force

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ae61408e2f198ada294a826e375f0f4a1e7da3d6
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Nov 25 09:33:47 2010 +0100

s4:lsa RPC server / objectclass LDB module - fix the creation of trusted 
domain objects

Tridge pointed out that it is too dangerous to allow them to be created
with SYSTEM permissions. The solution using the untrusted flag should
be much more viable.

Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org
Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c |8 +---
 source4/rpc_server/lsa/dcesrv_lsa.c  |4 ++--
 2 files changed, 3 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c 
b/source4/dsdb/samdb/ldb_modules/objectclass.c
index d69c3f4..21f3164 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -467,8 +467,6 @@ static int objectclass_do_add(struct oc_context *ac)
struct ldb_request *add_req;
struct ldb_message_element *objectclass_element, *el;
struct ldb_message *msg;
-   struct ldb_control *as_system = ldb_request_get_control(ac-req,
-   
LDB_CONTROL_AS_SYSTEM_OID);
TALLOC_CTX *mem_ctx;
struct class_list *sorted, *current;
const char *rdn_name = NULL;
@@ -480,10 +478,6 @@ static int objectclass_do_add(struct oc_context *ac)
bool found;
int ret;
 
-   if (as_system != NULL) {
-   as_system-critical = 0;
-   }
-
msg = ldb_msg_copy_shallow(ac, ac-req-op.add.message);
if (msg == NULL) {
return ldb_module_oom(ac-module);
@@ -581,7 +575,7 @@ static int objectclass_do_add(struct oc_context *ac)
/* LSA-specific objectclasses per default not allowed */
if (((strcmp(value, secret) == 0) ||
 (strcmp(value, trustedDomain) == 0)) 
-   !(dsdb_module_am_system(ac-module) || as_system)) {
+   ldb_req_is_untrusted(ac-req)) {
ldb_asprintf_errstring(ldb,
   objectclass: object 
class '%s' is LSA-specific, rejecting creation of '%s'!,
   value,
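Review bot: the new condition in the LSA-specific objectclass check rejects only when ldb_req_is_untrusted() is true, where the old one rejected unless the caller was system or carried the AS_SYSTEM control, so the default has flipped from deny to allow for any request that is not explicitly marked untrusted. Extend the comment above the check to say which entry points are expected to set the untrusted flag, and add a test that an add of a secret or trustedDomain object over an ordinary LDAP connection is still refused.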
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c 
b/source4/rpc_server/lsa/dcesrv_lsa.c
index 1b55824..4cb5da2 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1056,7 +1056,7 @@ static NTSTATUS 
dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc
trusted_domain_state-trusted_domain_dn = 
talloc_reference(trusted_domain_state, msg-dn);
 
/* create the trusted_domain */
-   ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
+   ret = ldb_add(sam_ldb, msg);
switch (ret) {
case  LDB_SUCCESS:
break;
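Review bot: with DSDB_FLAG_AS_SYSTEM dropped from the add in dcesrv_lsa_CreateTrustedDomain_base, the call is accepted only as long as requests on sam_ldb are not marked untrusted, and nothing at the call site says so. Add a short comment next to "ret = ldb_add(sam_ldb, msg);" naming that dependency on the objectclass module check; the same applies to the ldb_add in dcesrv_lsa_CreateSecret.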
@@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct 
dcesrv_call_state *dce_call, TALL
secret_state-secret_dn = talloc_reference(secret_state, msg-dn);
 
/* create the secret */
-   ret = dsdb_add(secret_state-sam_ldb, msg, DSDB_FLAG_AS_SYSTEM);
+   ret = ldb_add(secret_state-sam_ldb, msg);
if (ret != LDB_SUCCESS) {
DEBUG(0,(Failed to create secret record %s: %s\n,
 ldb_dn_get_linearized(msg-dn), 


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Nadezhda Ivanova
The branch, master has been updated
   via  db403ac s4-dsdb: Switched to using a dictionary in create_ou for 
consistency.
   via  05b8e07 s4-dsdb: Fixed wrong assignment of name attribute to 
description atribute in create_ou.
  from  ae61408 s4:lsa RPC server / objectclass LDB module - fix the 
creation of trusted domain objects

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit db403ac35dde415231498aee41b2306dfbe6a983
Author: Nadezhda Ivanova nivan...@samba.org
Date:   Thu Nov 25 14:25:28 2010 +0200

s4-dsdb: Switched to using a dictionary in create_ou for consistency.

Autobuild-User: Nadezhda Ivanova nivan...@samba.org
Autobuild-Date: Thu Nov 25 14:12:52 CET 2010 on sn-devel-104

commit 05b8e078f4649239bda42c66966dfa5567485b6d
Author: Nadezhda Ivanova nivan...@samba.org
Date:   Thu Nov 25 14:02:51 2010 +0200

s4-dsdb: Fixed wrong assignment of name attribute to description atribute 
in create_ou.

---

Summary of changes:
 source4/scripting/python/samba/samdb.py |8 +++-
 1 files changed, 3 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/samdb.py 
b/source4/scripting/python/samba/samdb.py
index a59494f..109e948 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -659,15 +659,13 @@ accountExpires: %u
 :param sd: security descriptor of the object, can be
 an SDDL string or security.descriptor type
 
-m = ldb.Message()
-m.dn = ldb.Dn(self, ou_dn)
-m[ou] = ou_dn.split(,)[0][3:]
-m[objectClass] = organizationalUnit
+m = {dn: ou_dn,
+ objectClass: organizationalUnit}
 
 if description:
  m[description] = description
 if name:
- m[description] = name
+ m[name] = name
 
 if sd:
 assert(isinstance(sd, str) or isinstance(sd, security.descriptor))
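Review bot: the dictionary form drops the explicit ou attribute that the old code derived from the first RDN of ou_dn, and neither commit message mentions it. Either state that the attribute is filled in from the DN when the object is added, or keep it in the dictionary, so a reader does not take the removal for an accident.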


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Nadezhda Ivanova
The branch, master has been updated
   via  1e9a788 s4-tests: Modified create_ou to only accept 
security.descriptor type for sd to avoid confusion
  from  db403ac s4-dsdb: Switched to using a dictionary in create_ou for 
consistency.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1e9a7882bead2a87eedcd5ddfe2b4df6a2b57306
Author: Nadezhda Ivanova nivan...@samba.org
Date:   Thu Nov 25 19:57:51 2010 +0200

s4-tests: Modified create_ou to only accept security.descriptor type for sd 
to avoid confusion

It used to work with sddl as well, but this is confusing and could lead to 
errors. It also caused a message about tallocing a security descriptor to 
appear.

Autobuild-User: Nadezhda Ivanova nivan...@samba.org
Autobuild-Date: Thu Nov 25 19:46:42 CET 2010 on sn-devel-104

---

Summary of changes:
 source4/dsdb/tests/python/acl.py|   64 +-
 source4/scripting/python/samba/samdb.py |   12 +
 2 files changed, 31 insertions(+), 45 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 691f358..fb66766 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -736,16 +736,13 @@ class AclSearchTests(AclTests):
 self.create_clean_ou(OU=ou1, + self.base_dn)
 mod = (A;;LC;;;%s)(A;;LC;;;%s) % (str(self.user_sid), 
str(self.group_sid))
 self.dacl_add_ace(OU=ou1, + self.base_dn, mod)
-self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + 
mod)
-self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + 
mod)
-self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + 
mod)
-self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + 
mod)
-self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + 
mod)
+tmp_desc = 
security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod,
+ self.domain_sid)
+self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, 
sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, 
sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + 
self.base_dn, sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + 
self.base_dn, sd=tmp_desc)
 
 #regular users must see only ou1 and ou2
 res = self.ldb_user3.search(OU=ou1, + self.base_dn, 
expression=(objectClass=*),
@@ -807,16 +804,13 @@ class AclSearchTests(AclTests):
 self.create_clean_ou(OU=ou1, + self.base_dn)
 mod = (A;CI;LC;;;%s)(A;CI;LC;;;%s) % (str(self.user_sid), 
str(self.group_sid))
 self.dacl_add_ace(OU=ou1, + self.base_dn, mod)
-self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA))
-self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA))
-self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA))
-self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA))
-self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn,
- D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA))
+tmp_desc = 
security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod,
+ self.domain_sid)
+self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, 
sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, 
sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + 
self.base_dn, sd=tmp_desc)
+self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + 
self.base_dn, sd=tmp_desc)
 
 print Testing correct behavior on nonaccessible search base
 try:
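Review bot: in this second test the removed create_ou calls passed only the D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) descriptor, but the new tmp_desc is built from that string + mod, so every child OU now carries the (A;CI;LC;;;...) ACEs explicitly. The CI flag in mod suggests the test is meant to exercise inheritance from ou1; if so, build tmp_desc without mod here, otherwise the test can pass even when inheritance is broken.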
@@ -861,16 +855,13 @@ class AclSearchTests(AclTests):
 self.create_clean_ou(OU=ou1, + self.base_dn)
 mod = (A;CI;CC;;;%s) % 

[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Nadezhda Ivanova
The branch, master has been updated
   via  fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is 
being manipulated
  from  1e9a788 s4-tests: Modified create_ou to only accept 
security.descriptor type for sd to avoid confusion

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fad57d8ad05cf6175c87db33a404aff205adddaf
Author: Nadezhda Ivanova nivan...@samba.org
Date:   Thu Nov 25 21:01:05 2010 +0200

s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated

Also made password tests set dSHeuristics only once rather than once per 
test.

Autobuild-User: Nadezhda Ivanova nivan...@samba.org
Autobuild-Date: Thu Nov 25 20:48:38 CET 2010 on sn-devel-104

---

Summary of changes:
 source4/dsdb/tests/python/acl.py |   53 ++
 1 files changed, 25 insertions(+), 28 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index fb66766..9a0e754 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -614,8 +614,6 @@ class AclSearchTests(AclTests):
 self.creds_tmp.set_domain(creds.get_domain())
 self.creds_tmp.set_realm(creds.get_realm())
 self.creds_tmp.set_workstation(creds.get_workstation())
-self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
-self.dsheuristics = self.ldb_admin.get_dsheuristics()
 self.ldb_admin.newuser(self.u1, self.user_pass)
 self.ldb_admin.newuser(self.u2, self.user_pass)
 self.ldb_admin.newuser(self.u3, self.user_pass)
@@ -676,7 +674,8 @@ class AclSearchTests(AclTests):
 
 def test_search_anonymous1(self):
 Verify access of rootDSE with the correct request
-res = self.anonymous.search(, expression=(objectClass=*), 
scope=SCOPE_BASE)
+anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+res = anonymous.search(, expression=(objectClass=*), 
scope=SCOPE_BASE)
 self.assertEquals(len(res), 1)
 #verify some of the attributes
 #dont care about values
@@ -691,20 +690,21 @@ class AclSearchTests(AclTests):
 
 def test_search_anonymous2(self):
 Make sure we cannot access anything else
+anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
 try:
-res = self.anonymous.search(, expression=(objectClass=*), 
scope=SCOPE_SUBTREE)
+res = anonymous.search(, expression=(objectClass=*), 
scope=SCOPE_SUBTREE)
 except LdbError, (num, _):
 self.assertEquals(num, ERR_OPERATIONS_ERROR)
 else:
 self.fail()
 try:
-res = self.anonymous.search(self.base_dn, 
expression=(objectClass=*), scope=SCOPE_SUBTREE)
+res = anonymous.search(self.base_dn, expression=(objectClass=*), 
scope=SCOPE_SUBTREE)
 except LdbError, (num, _):
 self.assertEquals(num, ERR_OPERATIONS_ERROR)
 else:
 self.fail()
 try:
-res = self.anonymous.search(CN=Configuration, + self.base_dn, 
expression=(objectClass=*),
+res = anonymous.search(CN=Configuration, + self.base_dn, 
expression=(objectClass=*),
 scope=SCOPE_SUBTREE)
 except LdbError, (num, _):
 self.assertEquals(num, ERR_OPERATIONS_ERROR)
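Review bot: the line "anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)" is now repeated in each anonymous test without saying why a fresh connection is needed. Move it into a small helper on the test class with a comment that the connection must be opened after dSHeuristics is changed, as the commit message explains, so a later refactor does not hoist it back into setUp. The res assignments inside the try blocks are also never read and can be dropped.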
@@ -718,18 +718,18 @@ class AclSearchTests(AclTests):
 mod = (A;CI;LC;;;AN)
 self.dacl_add_ace(OU=test_search_ou1, + self.base_dn, mod)
 self.ldb_admin.create_ou(OU=test_search_ou2,OU=test_search_ou1, + 
self.base_dn)
-res = self.anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + 
self.base_dn,
-expression=(objectClass=*), 
scope=SCOPE_SUBTREE)
+anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+res = anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + 
self.base_dn,
+   expression=(objectClass=*), 
scope=SCOPE_SUBTREE)
 self.assertEquals(len(res), 1)
 self.assertTrue(dn in res[0])
 self.assertTrue(res[0][dn] == Dn(self.ldb_admin,

OU=test_search_ou2,OU=test_search_ou1, + self.base_dn))
-res = self.anonymous.search(CN=Configuration, + self.base_dn, 
expression=(objectClass=*),
-scope=SCOPE_SUBTREE)
+res = anonymous.search(CN=Configuration, + self.base_dn, 
expression=(objectClass=*),
+   scope=SCOPE_SUBTREE)
 self.assertEquals(len(res), 1)
 self.assertTrue(dn in res[0])
 self.assertTrue(res[0][dn] == Dn(self.ldb_admin, 
self.configuration_dn))
-

[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Andrew Bartlett
The branch, master has been updated
   via  fab9d94 s4-dsdb Remove rootDSE and anonymous checks from acl_read
   via  d184da8 s4-dsdb Add 'block anonymous' checks to the rootdse module
   via  885ecd7 s4-dsdb Remove mem_ctx argument from 
dsdb_module_find_dsheuristics().
  from  fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is 
being manipulated

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fab9d94006351793fddd7f06eef7a05c62f8817c
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 25 16:17:10 2010 +1100

s4-dsdb Remove rootDSE and anonymous checks from acl_read

The rootdse module handles rootDSE requests, and blocks anonymous
access, so we don't need to do it again here.

Andrew Bartlett

Autobuild-User: Andrew Bartlett abart...@samba.org
Autobuild-Date: Fri Nov 26 00:36:19 CET 2010 on sn-devel-104

commit d184da806550c2edb6113206048ea78c3d2d27a0
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 25 16:13:17 2010 +1100

s4-dsdb Add 'block anonymous' checks to the rootdse module

This ensures that one single point checks for and blocks anonymous
read access to the database over LDAP.

Andrew Bartlett

commit 885ecd7b6b567a50067c9d3298e67c6e0f85b82a
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 25 16:12:39 2010 +1100

s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics().

A function that does not return memory should not take a memory context.

Andrew Bartlett

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl_read.c |   15 
 source4/dsdb/samdb/ldb_modules/rootdse.c  |  100 +
 source4/dsdb/samdb/ldb_modules/util.c |5 +-
 3 files changed, 102 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c 
b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 401e0dc..81f9bf6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -191,11 +191,9 @@ static int aclread_search(struct ldb_module *module, 
struct ldb_request *req)
 {
struct ldb_context *ldb;
int ret;
-   bool block_anonymous;
struct aclread_context *ac;
struct ldb_request *down_req;
struct ldb_control *as_system = ldb_request_get_control(req, 
LDB_CONTROL_AS_SYSTEM_OID);
-   struct auth_session_info *session_info;
struct ldb_result *res;
struct ldb_message_element *parent;
struct aclread_private *p;
@@ -219,19 +217,6 @@ static int aclread_search(struct ldb_module *module, 
struct ldb_request *req)
if (ldb_dn_is_special(req-op.search.base)) {
return ldb_next_request(module, req);
}
-   /* allow all access to rootDSE */
-   if (req-op.search.scope == LDB_SCOPE_BASE  
ldb_dn_is_null(req-op.search.base)) {
-   return ldb_next_request(module, req);
-   }
-
-   session_info = (struct auth_session_info *)ldb_get_opaque(ldb, 
sessionInfo);
-   if (session_info  
security_token_is_anonymous(session_info-security_token)) {
-   block_anonymous = dsdb_block_anonymous_ops(module, req);
-   if (block_anonymous) {
-   return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
-This request is not allowed to an 
anonymous connection.);
-   }
-   }
 
/* check accessibility of base */
if (!ldb_dn_is_null(req-op.search.base)) {
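Review bot: once the anonymous check is removed from aclread_search, nothing in this function refuses an anonymous subtree search, so correctness now depends on the rootdse module seeing the request first. Leave a one-line comment where the block was, saying that anonymous blocking is done in rootdse, and make sure a test fails if the two modules are ever reordered.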
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c 
b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 8a3f0cf..263c6f5 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -40,6 +40,7 @@ struct private_data {
char **controls;
unsigned int num_partitions;
struct ldb_dn **partitions;
+   bool block_anonymous;
 };
 
 /*
@@ -613,6 +614,35 @@ static int rootdse_filter_controls(struct ldb_module 
*module, struct ldb_request
return LDB_SUCCESS;
 }
 
+/* Ensure that anonymous users are not allowed to make anything other than 
rootDSE search operations */
+
+static int rootdse_filter_operations(struct ldb_module *module, struct 
ldb_request *req)
+{
+   struct auth_session_info *session_info;
+   struct private_data *priv = 
talloc_get_type(ldb_module_get_private(module), struct private_data);
+   bool is_untrusted = ldb_req_is_untrusted(req);
+   bool is_anonymous = true;
+   if (is_untrusted == false) {
+   return LDB_SUCCESS;
+   }
+
+   session_info = (struct auth_session_info 
*)ldb_get_opaque(ldb_module_get_ctx(module), sessionInfo);
+   if (session_info) {
+   is_anonymous = 
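Review bot: In rootdse_filter_operations(), is_anonymous is initialised to true and only reassigned when sessionInfo is present, so an untrusted request with no session info is treated as anonymous. That fail-closed default is the right one, but it is implicit; state it in a comment so nobody later flips the initialiser to false. Two smaller points: priv is fetched with talloc_get_type() while session_info is a plain cast of the ldb_get_opaque() result, so use the type-checked form for both, and `if (is_untrusted == false)` reads better as `if (!is_untrusted)`.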

[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Björn Jacke
The branch, master has been updated
   via  e52ba1f librpc: fix builds without IPv6 suport (HP-UX 11.00)
   via  4f27a64 s3/smbtorture: use $MAKE to build to make sure we use the 
make that makes our build
   via  dbcf73c ѕ3/configue: set Tru64 cc's PIC switch right (none)
  from  fab9d94 s4-dsdb Remove rootDSE and anonymous checks from acl_read

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e52ba1fb87ff57052f460246c2026604a8f63bf2
Author: Björn Jacke b...@sernet.de
Date:   Fri Nov 26 02:17:14 2010 +0100

librpc: fix builds without IPv6 suport (HP-UX 11.00)

Kai, please check.

Autobuild-User: Björn Jacke b...@sernet.de
Autobuild-Date: Fri Nov 26 03:07:21 CET 2010 on sn-devel-104

commit 4f27a644070ebfc5c6dcc177047eff0e492103cf
Author: Björn Jacke b...@sernet.de
Date:   Fri Nov 26 02:14:09 2010 +0100

s3/smbtorture: use $MAKE to build to make sure we use the make that makes 
our build

commit dbcf73c45782c310cb7ff1f2177d410399e2f06d
Author: Björn Jacke b...@sernet.de
Date:   Fri Nov 26 01:32:53 2010 +0100

ѕ3/configue: set Tru64 cc's PIC switch right (none)

-fPIC made shared library builds fail there

---

Summary of changes:
 librpc/ndr/ndr_basic.c |    2 ++
 source3/Makefile.in    |    4 ++--
 source3/configure.in   |    4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c
index 31a8b9d..96f7323 100644
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -848,6 +848,7 @@ _PUBLIC_ void ndr_print_ipv4address(struct ndr_print *ndr, 
const char *name,
ndr-print(ndr, %-25s: %s, name, address);
 }
 
+#ifdef AF_INET6
 /*
   pull a ipv6address
 */
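Review bot: The #ifdef AF_INET6 opened above the ipv6address pull routine removes _PUBLIC_ symbols from the library on platforms that lack the macro, so every caller of the ipv6address functions between here and the matching #endif, including generated NDR code, needs the same guard or a stub that returns an error. Otherwise the build failure only moves from compile time to link time. The guard also works only if the header that defines AF_INET6 is included before this point in ndr_basic.c, which the hunk does not show and is worth checking.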
@@ -903,6 +904,7 @@ _PUBLIC_ void ndr_print_ipv6address(struct ndr_print *ndr, 
const char *name,
ndr-print(ndr, %-25s: %s, name, address);
 }
 #undef IPV6_BYTES
+#endif
 
 _PUBLIC_ void ndr_print_struct(struct ndr_print *ndr, const char *name, const 
char *type)
 {
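Review bot: The #endif added after #undef IPV6_BYTES closes a conditional opened more than fifty lines earlier (the opening hunk is at line 848, this one at 903). Add a trailing comment such as /* AF_INET6 */ so the pairing stays visible when the block between them grows.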
diff --git a/source3/Makefile.in b/source3/Makefile.in
index da531d8..61ec157 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -3478,11 +3478,11 @@ samba4-configure: ../source4/configure
 .PHONY: samba4-configure
 
 bin/smbtorture4: $(BINARY_PREREQS) samba4-configure
-   cd ../source4  make bin/smbtorture
+   cd ../source4  $(MAKE) bin/smbtorture
cp ../source4/bin/smbtorture bin/smbtorture4
 
 bin/ndrdump4: $(BINARY_PREREQS) samba4-configure
-   cd ../source4  make bin/ndrdump
+   cd ../source4  $(MAKE) bin/ndrdump
cp ../source4/bin/ndrdump bin/ndrdump4
 
 .PHONY: bin/smbtorture4
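Review bot: The commit subject names only smbtorture, but this hunk changes the bin/ndrdump4 recipe as well; mention both in the message. The switch to $(MAKE) is right for both recipes. Please also check whether any other recipe in source3/Makefile.in that descends into ../source4 still calls a bare make, since only these two are visible here.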
diff --git a/source3/configure.in b/source3/configure.in
index 011bd1a..17b5470 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -1736,7 +1736,9 @@ DSO_EXPORTS=
BLDSHARED=true
LDSHFLAGS=-shared
SONAMEFLAG=-Wl,-soname,
-   PICFLAG=-fPIC
+   if test ${GCC} = yes; then
+   PICFLAG=-fPIC
+   fi
AC_DEFINE(STAT_ST_BLOCKSIZE,512)
AC_DEFINE(BROKEN_GETGRNAM,1,[Does getgrnam work 
correctly])
for flags in -expect_unresolved '*' 
-Wl,-expect_unresolved,'*' ; do
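Review bot: PICFLAG is now assigned only inside the `test ${GCC} = yes` branch, so for the native compiler it keeps whatever value it had before this case arm rather than being set to empty, which is what the "(none)" in the subject intends. Add an else branch that sets PICFLAG to the empty string explicitly, plus a one-line comment recording that -fPIC made shared library builds fail with the Tru64 cc, so the result does not depend on an earlier default.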


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-11-25 Thread Andrew Tridgell
The branch, master has been updated
   via  bf52cff s4-kcc: fixed valgrind errors in drs replicaInfo server side
   via  5e8cb67 s4-provision: fixed eadb automatic and manual setting in 
provision
   via  cfa7510 wintest: do an initial replication of CN=Configuration to 
transfer dnsHostname
   via  23b wintest: fixed rndc command option in provision
   via  9409b73 wintest: make IPv6 optional in wintest
   via  eeb29b5 s4-provision: don't try to look for an IPv6 address when 
not specified
  from  e52ba1f librpc: fix builds without IPv6 suport (HP-UX 11.00)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bf52cffd2587615243a7101868a9038d9aa1b0c2
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 12:38:06 2010 +1100

s4-kcc: fixed valgrind errors in drs replicaInfo server side

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Fri Nov 26 03:52:30 CET 2010 on sn-devel-104

commit 5e8cb67605367ffd9dd2a8624df90f2ca5e77fc4
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 12:10:55 2010 +1100

s4-provision: fixed eadb automatic and manual setting in provision

we should not set posix:eadb in lp in the acl native test code

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit cfa7510e19b5e593af8c4da6e89b6a99adfe8b2b
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 11:36:29 2010 +1100

wintest: do an initial replication of CN=Configuration to transfer 
dnsHostname

this fixes the drs replication in the dcpromo test

commit 23b98c7d1bd700509bb3fa6eaca3e1524096
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 11:33:49 2010 +1100

wintest: fixed rndc command option in provision

we need to point at the generated rndc.conf

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 9409b73290bdbfc82b75c4af8a22ca1ed6165e2a
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 11:33:10 2010 +1100

wintest: make IPv6 optional in wintest

we need some more work on IPv6 support in s4 before this works

commit eeb29b593a671e16f87e64f01abea47ec898ba77
Author: Andrew Tridgell tri...@samba.org
Date:   Fri Nov 26 10:20:03 2010 +1100

s4-provision: don't try to look for an IPv6 address when not specified

the getaddrinfo() method of finding an IPv6 address is incorrect. We
could do it via the Samba interfaces code, but until we have that it
is better to not try to auto-detect IPv6

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source4/dsdb/kcc/kcc_drs_replica_info.c     |   12 +++-
 source4/scripting/python/samba/ntacls.py    |   31 ++---
 source4/scripting/python/samba/provision.py |   13 +
 source4/setup/provision                     |    6 +---
 wintest/conf/abartlet.conf                  |    1 -
 wintest/conf/tridge.conf                    |    1 -
 wintest/test-s4-howto.py                    |   40 ---
 7 files changed, 53 insertions(+), 51 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/kcc/kcc_drs_replica_info.c 
b/source4/dsdb/kcc/kcc_drs_replica_info.c
index e2e49b8..1da3ecd 100644
--- a/source4/dsdb/kcc/kcc_drs_replica_info.c
+++ b/source4/dsdb/kcc/kcc_drs_replica_info.c
@@ -418,13 +418,9 @@ static WERROR get_master_ncs(TALLOC_CTX *mem_ctx, struct 
ldb_context *samdb,
}
 
for (k = 0; k  msg_elem-num_values; k++) {
-   int len = msg_elem-values[k].length;
-
/* copy the string on msg_elem-values[k]-data to 
nc_str */
-   nc_str = talloc_array(mem_ctx, char, len);
+   nc_str = talloc_strndup(mem_ctx, (char 
*)msg_elem-values[k].data, msg_elem-values[k].length);
W_ERROR_HAVE_NO_MEMORY(nc_str);
-   memcpy(nc_str, msg_elem-values[k].data, len);
-   nc_str[len] = '\0';
 
nc_list_elem = talloc_zero(mem_ctx, struct ncList);
W_ERROR_HAVE_NO_MEMORY(nc_list_elem);
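Review bot: The commit message understates what is fixed in the get_master_ncs() loop: the removed lines allocate len bytes with talloc_array() and then store to nc_str[len], which is a one-byte write past the end of the heap allocation for every value processed. The message should say that rather than only "valgrind errors", and other code that copies msg_elem values with the same talloc_array/memcpy/terminate pattern should be checked for the same off-by-one. The talloc_strndup() replacement is correct; the comment kept above it can be shortened now that the call itself says what is copied.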
@@ -584,7 +580,6 @@ static WERROR kccdrs_replica_get_info_neighbours(TALLOC_CTX 
*mem_ctx,
struct repsFromTo2 *reps_from = NULL;
uint32_t c_reps_from;
uint32_t i_rep;
-   struct drsuapi_DsReplicaNeighbour neigh;
struct ncList *nc_list = NULL;
 
status = get_ncs_list(mem_ctx, samdb, service, object_dn_str, nc_list);
@@ -624,6 +619,8 @@ static WERROR kccdrs_replica_get_info_neighbours(TALLOC_CTX 
*mem_ctx,
{
 
if (i = base_index) {
+   struct