Re: [Samba] VPN/WAN Domain members
Hi,

the problem you're describing is common to such setups. IMHO the following will help you in your setup:

1. Raise the VPN timeouts
   This should prevent your VPN from going offline.

2. Install a PDC/BDC in each location
   Distribute domain-specific information to all locations, so you don't rely so heavily on your VPN. The samba-howto gives you information about the setup (Chapter 5. Backup Domain Control - LDAP Configuration Notes). For this setup you need a Linux box in each location. Depending on the needed performance/size of your locations/..., it can range from something like a Buffalo WZR-HP-G300NH with OpenWRT up to a small server.

Cheers,
Christian

===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

ray klassen julius_ahenobar...@yahoo.co.uk wrote
Subject: [Samba] VPN/WAN Domain members
Date: 24.11.2010 18:15

I have about 60 PCs running Windows XP behind VPN routers in different locations. I find that they lose connection or sync (or whatever the right word is) to the domain periodically, probably when the VPN shuts down due to low demand. The result is that any domain user not already in the local password hash cache cannot log in, and any local share with domain permissions on it will not allow a domain account access if the PC is not rebooted. Is there any way to force Windows to resync without a reboot, or to make XP more fault tolerant to slower connections to the samba domain? Thanks in advance.

etc...

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] group names with longer names than 30 chars [winbind 3.4.7]
Hi All,

I'm unable to do lookups on groups that have a longer name than 30 characters. Is this a known problem, and does it help to upgrade? Are there any workarounds for this?

Best regards
Emil Assarsson
Sony Ericsson Mobile Communications AB
[Samba] Samba slow with some files.
In my samba server (3.2.5-4lenny13) I have problems of slowness with some files. Let me explain: a Word file of 155Mb, when the user is the owner, takes about 7 seconds, but if the user is not the owner it takes about 40 seconds (WAN). I have monitored with Wireshark, and when the user owns the file it is 4096 bytes/frame, and when the user does not own it, it is 512 bytes/frame. I have worked with this option: kernel oplocks = no

Why does this occur?

My smb.conf

[Global]
workgroup = domain
realm = domain.com
preferred master = no
server string = Samba
security = ADS
encrypt passwords = yes
password server = activedirectory.domain.com
domain master = no
encrypt passwords = yes
socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = yes
log level = 3
syslog = 0
log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
idmap uid = 600-2
idmap gid = 600-2
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
getwd cache = yes
kernel oplocks = no

[share]
comment = myshare
path = /opt/data/
public = no
writable = yes
browseable = yes
create mask = 770
directory mask = 770
force create mode = 0770
force group = group_quota
Re: [Samba] windows 7
Jonathan, thank you for taking an interest in this. I did have this directive in the smb.conf file.

To reiterate, the users log on, seemingly without fail. The workstations add to LDAP without error; they only have a problem when trying to auth after the add to LDAP. These are the relevant bits of the log:

Adding workstation to the domain:

Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]:   init_ldap_from_sam: Setting entry for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database

After adding the workstation to the domain, reboot, login user:

Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$
...
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45, 2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password: Authentication for user [7TEST1] - [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00, 2] auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password: authentication for user [thomas] - [thomas] - [thomas] succeeded

For some reason my attachments were stripped out on the last send. For posterity, this is the smb.conf file.

# smb.conf from the book:
# Using Samba, Third Edition; January 2007
# Server role: ROLE_DOMAIN_PDC

# --- Browser Control Options
[global]
workgroup = OFFICE
netbios name = SERVER
server string = Server %v
encrypt passwords = yes
security = user
domain master = yes
domain logons = yes
os level = 35
preferred master = yes
local master = yes
; max smbd processes = 0

# - LDAP Authentication --
ldap passwd sync = yes
ldap ssl = off
ldap timeout = 60
ldap connection timeout = 2
passdb backend = ldapsam:ldap://mail.domain.tld:389
ldap admin dn = uid=zmposixroot,cn=appaccts,cn=zimbra
ldap suffix = dc=domain,dc=tld
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines

# -- Universal Options ---
dos charset = ASCII
unix charset = UTF-8
time server = yes
ntlm auth = yes
client lanman auth = yes
lanman auth = no
client plaintext auth = no
pam password change = yes
obey pam restrictions = yes
server signing = Disabled
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n Retype*new*password* %n\n *updated*
username map = /etc/samba/smbusers
wins support = yes
name resolve order = wins bcast hosts
logon script = %G.vbs
logon path =
logon drive = H:
logon home =
interfaces = lo eth0
bind interfaces only = yes
hosts deny = ALL
hosts allow = 127. 10.0.0.0/24
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
enable privileges = yes
dns proxy = no
create mask = 0777
directory mask = 0777
panic action = /usr/share/samba/panic-action %d

# --- Printing ---
load printers = no
show add printer wizard = no
printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; show add printer wizard = no
; use sendfile = yes

# --- Logging Options
log file = /var/log/samba/%m.log
syslog = 3
log level = 3
max log size = 1000
syslog only = no

# --- Samba Scripting
add machine script = /usr/sbin/useradd -n -g 100 -c Workstation (%u) -M -d /nohome -s /sbin/nologin %u
add user script = /usr/sbin/useradd -n -g 100 -d /export/homes/%u -s /sbin/nologin %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g %g %u

Todd E Thomas

It's a frail music knits the world together.
-Robert Dana
[Samba] Samba print fix utility?
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/print_utility/troubleshooting/guide/PrntUtil.html#wp39367

It's saved me numerous times. Other people have asked for a copy. But you need a valid contract to use it. Does anyone know of a similar open/free utility?

Apparently the product this utility supports is end of life:
http://www.cisco.com/en/US/products/ps6469/index.html

I wish they'd just open this up for everyone.
Re: [Samba] windows 7
I made some tests without LDAP, only with a new machine with samba 3.5.6 tdb backend.

On the Windows 7 station I modified the registry as said on the samba wiki and applied the Microsoft patch.

Windows 7 joins the samba domain without problem, users can log on without problem, then everything works fine. It's only in the log that there are the error messages.

server signing = disabled is like that by default.

--
--- Pascal ---
[Samba] ADS auth client disconnects when ads_cleanup_expired_creds runs
Hi All,

Debian Lenny, with Samba 3.4.8~dfsg-2~bpo50+1 (backports)

I'm having an issue where 1 or 2 random clients out of 100 seem to be disconnected from a samba print server and not allowed to reconnect until they log off and back on to their machines. It is not always the same clients. I have a Samba fileserver running on another machine with virtually identical config that does not have this issue.

This happens pretty quickly after the ads_cleanup_expired_creds log:

---
[2010/11/25 15:15:01, 3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 26 Nov 2010 01:14:44 GMT
---

In the specific client logs after this occurs I get the following:

---
[2010/11/25 15:17:15, 0] lib/util_sock.c:738(write_data)
[2010/11/25 15:17:15, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/11/25 15:17:15, 0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/11/25 15:17:15, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/11/25 15:17:15, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/11/25 15:17:15, 3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2010/11/25 15:17:15, 3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
[2010/11/25 15:18:35, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/11/25 15:18:35, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/11/25 15:18:35, 3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2010/11/25 15:18:35, 3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
---

It doesn't occur every time the cleanup is run (which seems to be every 15 minutes), but does happen once or twice a day. It doesn't seem to be something wrong with my samba config, because it works 99% of the time. But please find it below and advise if anything might be causing this.

---
[global]
security = ads
workgroup = DOMAIN
realm = DOMAIN.LOCAL
password server = dc1.domain.local, dc2.domain.local
encrypt passwords = yes
server string = domainprint
netbios name = domainprint
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind offline logon = yes
enhanced browsing = no
template shell = /bin/false
veto files = /TheVolumeSettingsFolder/, /Temporary Items/, /*DS_Store*/, /*AppleDB/, /*AppleDesktop/, /*AppleDouble/, /Network Trash Folder/, * /*Trashes/, /*TemporaryItems/, /*FBCLockFolder/, /*FBCIndex/
delete veto files = yes
create mask = 0775
directory mask = 2775
invalid users = root
panic action = /usr/share/samba/panic-action %d
log file = /var/log/samba/log.%m
log level = 3
socket options = TCP_NODELAY
printing = cups
printcap = cups
#load printers = yes
printer admin = @DOMAIN\itdept
follow symlinks=yes
---

- Is it possible to change the ticket expiration time? Or is there a Windows setting on the domain controller that needs to be changed? (Windows Server Standard 2008 R2)

Any help appreciated. Please advise if I need to post any other details.

Thanks,
Mark
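As an added example (not code from either post, nor from Samba itself), the following Python triage script parses smbd log excerpts of the shape quoted in the Windows 7 thread and in this one: it pairs each header line with its message lines and flags the two patterns discussed, netlogon credential-check rejections for machine accounts and client resets that follow an ads_cleanup_expired_creds entry. It assumes only the record layouts visible in those excerpts; the sample log is constructed from them.

```python
"""Triage helper for the two smbd log patterns quoted in the threads above.

Assumes only the record layout visible there: a header
"[YYYY/MM/DD HH:MM:SS, level] file:func(line)" (older smbd) or
"file:line(func)" (Samba 3.4), followed by indented message lines, each
optionally prefixed by a syslog stamp like "Nov 22 10:07:37 mail smbd[28796]: ".
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the log lines quoted in the two posts above.
SAMPLE_LOG = """\
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45, 2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password: Authentication for user [7TEST1] - [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/11/25 15:15:01, 3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 26 Nov 2010 01:14:44 GMT
[2010/11/25 15:17:15, 0] lib/util_sock.c:738(write_data)
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/11/25 15:17:15, 0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/11/25 15:18:35, 3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
"""

SYSLOG_PREFIX_RE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ smbd\[\d+\]: ")
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<a>\w+)\((?P<b>\w+)\)\s*$"
)
NETLOGON_FAIL_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+)"
)
RESET_MARKERS = ("Connection reset by peer", "Transport endpoint is not connected")


def parse_records(text):
    """Group header + message lines into records: {ts, level, file, func, msg}."""
    records = []
    for raw in text.splitlines():
        line = SYSLOG_PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            a, b = m.group("a"), m.group("b")
            records.append({
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                # Samba 3.4 writes file:LINE(func); older smbd writes file:func(LINE)
                "func": b if a.isdigit() else a,
                "msg": "",
            })
        elif records:
            # continuation line belongs to the most recent header
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def machine_account_failures(records):
    """Secure-channel rejections (netlogon credential chain) per machine account.
    This is the Windows 7 symptom: the account exists in LDAP, the credential
    check fails, and the following NTLM logon reports NO_SUCH_USER."""
    hits = []
    for r in records:
        m = NETLOGON_FAIL_RE.search(r["msg"])
        if m:
            hits.append((r["ts"].isoformat(), m.group("client"), m.group("account")))
    return hits


def resets_after_ticket_expiry(records, window=timedelta(minutes=15)):
    """Client resets that follow an ads_cleanup_expired_creds entry within `window`.
    One pair per reset timestamp, so the several lines smbd logs for one dropped
    socket are not counted as separate events."""
    expiries = sorted(r["ts"] for r in records if r["func"] == "ads_cleanup_expired_creds")
    reset_times = sorted({r["ts"] for r in records
                          if any(k in r["msg"] for k in RESET_MARKERS)})
    pairs = []
    for t in reset_times:
        recent = [e for e in expiries if timedelta(0) <= t - e <= window]
        if recent:
            pairs.append((recent[-1].isoformat(), t.isoformat()))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("machine account failures:", machine_account_failures(recs))
    print("resets after ticket expiry:", resets_after_ticket_expiry(recs))
```

Run it against a real /var/log/samba/log.* file by replacing SAMPLE_LOG with the file contents; the pairing window is only a heuristic and should be tuned to the cleanup interval seen in your own logs.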
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ae61408 s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects from fc1da86 s4-tests: Modified speedtest.py to use samba.tests.delete_force http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ae61408e2f198ada294a826e375f0f4a1e7da3d6 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Thu Nov 25 09:33:47 2010 +0100 s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects Tridge pointed out that it is to dangerous to allow them to be created with SYSTEM permissions. The solution using the untrusted flag should be much more viable. Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass.c |8 +--- source4/rpc_server/lsa/dcesrv_lsa.c |4 ++-- 2 files changed, 3 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index d69c3f4..21f3164 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -467,8 +467,6 @@ static int objectclass_do_add(struct oc_context *ac) struct ldb_request *add_req; struct ldb_message_element *objectclass_element, *el; struct ldb_message *msg; - struct ldb_control *as_system = ldb_request_get_control(ac-req, - LDB_CONTROL_AS_SYSTEM_OID); TALLOC_CTX *mem_ctx; struct class_list *sorted, *current; const char *rdn_name = NULL; @@ -480,10 +478,6 @@ static int objectclass_do_add(struct oc_context *ac) bool found; int ret; - if (as_system != NULL) { - as_system-critical = 0; - } - msg = ldb_msg_copy_shallow(ac, ac-req-op.add.message); if (msg == NULL) { return ldb_module_oom(ac-module); 
@@ -581,7 +575,7 @@ static int objectclass_do_add(struct oc_context *ac) /* LSA-specific objectclasses per default not allowed */ if (((strcmp(value, secret) == 0) || (strcmp(value, trustedDomain) == 0)) - !(dsdb_module_am_system(ac-module) || as_system)) { + ldb_req_is_untrusted(ac-req)) { ldb_asprintf_errstring(ldb, objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!, value, diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 1b55824..4cb5da2 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -1056,7 +1056,7 @@ static NTSTATUS dcesrv_lsa_CreateTrustedDomain_base(struct dcesrv_call_state *dc trusted_domain_state-trusted_domain_dn = talloc_reference(trusted_domain_state, msg-dn); /* create the trusted_domain */ - ret = dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM); + ret = ldb_add(sam_ldb, msg); switch (ret) { case LDB_SUCCESS: break; @@ -2949,7 +2949,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL secret_state-secret_dn = talloc_reference(secret_state, msg-dn); /* create the secret */ - ret = dsdb_add(secret_state-sam_ldb, msg, DSDB_FLAG_AS_SYSTEM); + ret = ldb_add(secret_state-sam_ldb, msg); if (ret != LDB_SUCCESS) { DEBUG(0,(Failed to create secret record %s: %s\n, ldb_dn_get_linearized(msg-dn), -- Samba Shared Repository
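Review bot: in the two objectclass_do_add hunks, dropping the `as_system->critical = 0` downgrade means a caller that still attaches LDB_CONTROL_AS_SYSTEM_OID as a critical control now has it passed further down the stack unhandled; confirm a lower module clears or rejects it, otherwise those adds fail on an unsupported critical control rather than on the new rule. The replacement gate `ldb_req_is_untrusted(ac->req)` only does what the commit message claims if every request arriving over LDAP is flagged untrusted before it reaches this module, so a python test that an authenticated domain admin is refused when adding a `trustedDomain` or `secret` object over LDAP would pin that down.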
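Review bot: in both dcesrv_lsa.c hunks, replacing `dsdb_add(sam_ldb, msg, DSDB_FLAG_AS_SYSTEM)` with `ldb_add(sam_ldb, msg)` moves the decision from a SYSTEM bypass to the ACL modules evaluating the RPC caller's own session, so an LSA caller who passed the RPC-level check but lacks directory create rights will now get an ldb error where it previously succeeded. The `switch (ret)` in the CreateTrustedDomain hunk only shows the `LDB_SUCCESS` arm, so make sure LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS is mapped to NT_STATUS_ACCESS_DENIED rather than falling through to a generic failure, and say in the commit message that the ACL module is now the deciding check.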
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via db403ac s4-dsdb: Switched to using a dictionary in create_ou for consistency. via 05b8e07 s4-dsdb: Fixed wrong assignment of name attribute to description atribute in create_ou. from ae61408 s4:lsa RPC server / objectclass LDB module - fix the creation of trusted domain objects http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit db403ac35dde415231498aee41b2306dfbe6a983 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 14:25:28 2010 +0200 s4-dsdb: Switched to using a dictionary in create_ou for consistency. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 14:12:52 CET 2010 on sn-devel-104 commit 05b8e078f4649239bda42c66966dfa5567485b6d Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 14:02:51 2010 +0200 s4-dsdb: Fixed wrong assignment of name attribute to description atribute in create_ou. --- Summary of changes: source4/scripting/python/samba/samdb.py |8 +++- 1 files changed, 3 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index a59494f..109e948 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -659,15 +659,13 @@ accountExpires: %u :param sd: security descriptor of the object, can be an SDDL string or security.descriptor type -m = ldb.Message() -m.dn = ldb.Dn(self, ou_dn) -m[ou] = ou_dn.split(,)[0][3:] -m[objectClass] = organizationalUnit +m = {dn: ou_dn, + objectClass: organizationalUnit} if description: m[description] = description if name: - m[description] = name + m[name] = name if sd: assert(isinstance(sd, str) or isinstance(sd, security.descriptor)) -- Samba Shared Repository
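Review bot: in the create_ou hunk, switching to a dict drops the `m["ou"] = ou_dn.split(",")[0][3:]` line, so the RDN attribute is no longer set explicitly; that is only correct if the server's rdn_name module fills it in on add, which deserves a one-line comment since the old code went out of its way to set it. The `m["description"] = name` to `m["name"] = name` change fixes the bug named in the commit message; because `name` normally mirrors the RDN, a test that passes a `name` different from the OU's RDN would show whether the server accepts, overrides or rejects it.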
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1e9a788 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion from db403ac s4-dsdb: Switched to using a dictionary in create_ou for consistency. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1e9a7882bead2a87eedcd5ddfe2b4df6a2b57306 Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 19:57:51 2010 +0200 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion It used to work with sddl as well, but this is confusing and could lead to errors. It also caused a message about tallocing a security descriptor to appear. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 19:46:42 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/tests/python/acl.py| 64 +- source4/scripting/python/samba/samdb.py | 12 + 2 files changed, 31 insertions(+), 45 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 691f358..fb66766 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py 
@@ -736,16 +736,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;;LC;;;%s)(A;;LC;;;%s) % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace(OU=ou1, + self.base_dn, mod) -self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) -self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod) +tmp_desc = security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod, + self.domain_sid) +self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) #regular users must see only ou1 and ou2 res = self.ldb_user3.search(OU=ou1, + self.base_dn, expression=(objectClass=*), 
@@ -807,16 +804,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;CI;LC;;;%s)(A;CI;LC;;;%s) % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace(OU=ou1, + self.base_dn, mod) -self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) -self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, - D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)) +tmp_desc = security.descriptor.from_sddl(D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) + mod, + self.domain_sid) +self.ldb_admin.create_ou(OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou5,OU=ou3,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) +self.ldb_admin.create_ou(OU=ou6,OU=ou4,OU=ou2,OU=ou1, + self.base_dn, sd=tmp_desc) print Testing correct behavior on nonaccessible search base try: @@ -861,16 +855,13 @@ class AclSearchTests(AclTests): self.create_clean_ou(OU=ou1, + self.base_dn) mod = (A;CI;CC;;;%s) %
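Review bot: the second acl.py hunk (the test starting at line 804 in the new file) changes the test's premise, not just the descriptor type: the removed `create_ou` calls passed `"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"` alone, but the replacement `tmp_desc` is built with `+ mod` appended, so ou2 to ou6 now carry explicit LC grants for the user and group. That test puts `(A;CI;LC;;;...)` on ou1 precisely to exercise container inheritance, and granting the same right directly on every child could hide an inheritance bug; either drop `+ mod` in that hunk or say in the commit message why the expectation changed. The first hunk (line 733) is fine, since `mod` was already appended there.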
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated from 1e9a788 s4-tests: Modified create_ou to only accept security.descriptor type for sd to avoid confusion http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fad57d8ad05cf6175c87db33a404aff205adddaf Author: Nadezhda Ivanova nivan...@samba.org Date: Thu Nov 25 21:01:05 2010 +0200 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated Also made password tests set dSHeuristics only once rather that once per test. Autobuild-User: Nadezhda Ivanova nivan...@samba.org Autobuild-Date: Thu Nov 25 20:48:38 CET 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/tests/python/acl.py | 53 ++ 1 files changed, 25 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index fb66766..9a0e754 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -614,8 +614,6 @@ class AclSearchTests(AclTests): self.creds_tmp.set_domain(creds.get_domain()) self.creds_tmp.set_realm(creds.get_realm()) self.creds_tmp.set_workstation(creds.get_workstation()) -self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) -self.dsheuristics = self.ldb_admin.get_dsheuristics() self.ldb_admin.newuser(self.u1, self.user_pass) self.ldb_admin.newuser(self.u2, self.user_pass) self.ldb_admin.newuser(self.u3, self.user_pass) @@ -676,7 +674,8 @@ class AclSearchTests(AclTests): def test_search_anonymous1(self): Verify access of rootDSE with the correct request -res = self.anonymous.search(, expression=(objectClass=*), scope=SCOPE_BASE) +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +res = anonymous.search(, expression=(objectClass=*), scope=SCOPE_BASE) self.assertEquals(len(res), 1) #verify some of the attributes #dont care about values 
@@ -691,20 +690,21 @@ class AclSearchTests(AclTests): def test_search_anonymous2(self): Make sure we cannot access anything else +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) try: -res = self.anonymous.search(, expression=(objectClass=*), scope=SCOPE_SUBTREE) +res = anonymous.search(, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) else: self.fail() try: -res = self.anonymous.search(self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) +res = anonymous.search(self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) else: self.fail() try: -res = self.anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), +res = anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), scope=SCOPE_SUBTREE) except LdbError, (num, _): self.assertEquals(num, ERR_OPERATIONS_ERROR) 
@@ -718,18 +718,18 @@ class AclSearchTests(AclTests): mod = (A;CI;LC;;;AN) self.dacl_add_ace(OU=test_search_ou1, + self.base_dn, mod) self.ldb_admin.create_ou(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn) -res = self.anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn, -expression=(objectClass=*), scope=SCOPE_SUBTREE) +anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) +res = anonymous.search(OU=test_search_ou2,OU=test_search_ou1, + self.base_dn, + expression=(objectClass=*), scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) self.assertTrue(dn in res[0]) self.assertTrue(res[0][dn] == Dn(self.ldb_admin, OU=test_search_ou2,OU=test_search_ou1, + self.base_dn)) -res = self.anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), -scope=SCOPE_SUBTREE) +res = anonymous.search(CN=Configuration, + self.base_dn, expression=(objectClass=*), + scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) self.assertTrue(dn in res[0]) self.assertTrue(res[0][dn] == Dn(self.ldb_admin, self.configuration_dn)) -
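Review bot: the setUp hunk removes `self.dsheuristics = self.ldb_admin.get_dsheuristics()` together with `self.anonymous`, but the commit message only describes reconnecting around dSHeuristics changes; tearDown is outside the visible hunks, so please confirm nothing still reads self.dsheuristics to restore the original value, or the suite will fail with an AttributeError and leave dSHeuristics modified.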
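Review bot: test_search_anonymous1, test_search_anonymous2 and the test at line 718 now each repeat `anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)` verbatim; a small helper on the test class (say `self.anonymous_connection()`, a hypothetical name) would keep the reconnect-per-test intent in one place and make it obvious to the next reader that the fresh connection is deliberate rather than a leftover.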
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fab9d94 s4-dsdb Remove rootDSE and anonymous checks from acl_read via d184da8 s4-dsdb Add 'block anonymous' checks to the rootdse module via 885ecd7 s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics(). from fad57d8 s4-tests: Made acl tests to reconnect if dSHeuristics is being manipulated http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fab9d94006351793fddd7f06eef7a05c62f8817c Author: Andrew Bartlett abart...@samba.org Date: Thu Nov 25 16:17:10 2010 +1100 s4-dsdb Remove rootDSE and anonymous checks from acl_read The rootdse module handles rootDSE requests, and blocks anonymous access, so we on't need to do it again here. Andrew Bartlett Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Fri Nov 26 00:36:19 CET 2010 on sn-devel-104 commit d184da806550c2edb6113206048ea78c3d2d27a0 Author: Andrew Bartlett abart...@samba.org Date: Thu Nov 25 16:13:17 2010 +1100 s4-dsdb Add 'block anonymous' checks to the rootdse module This ensures that one single point checks for and blocks anonymous read access to the database over LDAP. Andrew Bartlett commit 885ecd7b6b567a50067c9d3298e67c6e0f85b82a Author: Andrew Bartlett abart...@samba.org Date: Thu Nov 25 16:12:39 2010 +1100 s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics(). A function that does not return memory should not take a memory context. Andrew Bartlett --- Summary of changes: source4/dsdb/samdb/ldb_modules/acl_read.c | 15 source4/dsdb/samdb/ldb_modules/rootdse.c | 100 + source4/dsdb/samdb/ldb_modules/util.c |5 +- 3 files changed, 102 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 401e0dc..81f9bf6 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c 
@@ -191,11 +191,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; int ret; - bool block_anonymous; struct aclread_context *ac; struct ldb_request *down_req; struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID); - struct auth_session_info *session_info; struct ldb_result *res; struct ldb_message_element *parent; struct aclread_private *p; @@ -219,19 +217,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) if (ldb_dn_is_special(req-op.search.base)) { return ldb_next_request(module, req); } - /* allow all access to rootDSE */ - if (req-op.search.scope == LDB_SCOPE_BASE ldb_dn_is_null(req-op.search.base)) { - return ldb_next_request(module, req); - } - - session_info = (struct auth_session_info *)ldb_get_opaque(ldb, sessionInfo); - if (session_info security_token_is_anonymous(session_info-security_token)) { - block_anonymous = dsdb_block_anonymous_ops(module, req); - if (block_anonymous) { - return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, -This request is not allowed to an anonymous connection.); - } - } /* check accessibility of base */ if (!ldb_dn_is_null(req-op.search.base)) { diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index 8a3f0cf..263c6f5 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -40,6 +40,7 @@ struct private_data { char **controls; unsigned int num_partitions; struct ldb_dn **partitions; + bool block_anonymous; }; /* 
@@ -613,6 +614,35 @@ static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request return LDB_SUCCESS; } +/* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */ + +static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req) +{ + struct auth_session_info *session_info; + struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data); + bool is_untrusted = ldb_req_is_untrusted(req); + bool is_anonymous = true; + if (is_untrusted == false) { + return LDB_SUCCESS; + } + + session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), sessionInfo); + if (session_info) { + is_anonymous =
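Review bot: in rootdse_filter_operations, `bool is_anonymous = true` is only overridden when `session_info` is present, so a request with no session info is treated as anonymous; that is the right fail-closed default but it deserves a comment, because the check this replaces in acl_read.c did the opposite and skipped the block when session_info was NULL.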
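Review bot: the acl_read.c hunk removes the rootDSE bypass and the anonymous block from aclread_search only, whereas the replacement lives in the rootdse module; the rootdse.c hunk is truncated before the point where rootdse_filter_operations is called, so please make sure it is wired into every operation handler (add, modify, delete and rename as well as search) and that rootdse sits above acl_read in the module chain, otherwise this is a widening of anonymous access rather than a relocation of the check.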
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e52ba1f librpc: fix builds without IPv6 suport (HP-UX 11.00) via 4f27a64 s3/smbtorture: use $MAKE to build to make sure we use the make that makes our build via dbcf73c Ñ3/configue: set Tru64 cc's PIC switch right (none) from fab9d94 s4-dsdb Remove rootDSE and anonymous checks from acl_read http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e52ba1fb87ff57052f460246c2026604a8f63bf2 Author: Björn Jacke b...@sernet.de Date: Fri Nov 26 02:17:14 2010 +0100 librpc: fix builds without IPv6 suport (HP-UX 11.00) Kai, please check. Autobuild-User: Björn Jacke b...@sernet.de Autobuild-Date: Fri Nov 26 03:07:21 CET 2010 on sn-devel-104 commit 4f27a644070ebfc5c6dcc177047eff0e492103cf Author: Björn Jacke b...@sernet.de Date: Fri Nov 26 02:14:09 2010 +0100 s3/smbtorture: use $MAKE to build to make sure we use the make that makes our build commit dbcf73c45782c310cb7ff1f2177d410399e2f06d Author: Björn Jacke b...@sernet.de Date: Fri Nov 26 01:32:53 2010 +0100 Ñ3/configue: set Tru64 cc's PIC switch right (none) -fPIC made shared library builds fail there --- Summary of changes: librpc/ndr/ndr_basic.c |2 ++ source3/Makefile.in|4 ++-- source3/configure.in |4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c index 31a8b9d..96f7323 100644 --- a/librpc/ndr/ndr_basic.c +++ b/librpc/ndr/ndr_basic.c @@ -848,6 +848,7 @@ _PUBLIC_ void ndr_print_ipv4address(struct ndr_print *ndr, const char *name, ndr-print(ndr, %-25s: %s, name, address); } +#ifdef AF_INET6 /* pull a ipv6address */ @@ -903,6 +904,7 @@ _PUBLIC_ void ndr_print_ipv6address(struct ndr_print *ndr, const char *name, ndr-print(ndr, %-25s: %s, name, address); } #undef IPV6_BYTES +#endif _PUBLIC_ void ndr_print_struct(struct ndr_print *ndr, const char *name, const char *type) { diff --git a/source3/Makefile.in b/source3/Makefile.in index da531d8..61ec157 100644 
--- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -3478,11 +3478,11 @@ samba4-configure: ../source4/configure .PHONY: samba4-configure bin/smbtorture4: $(BINARY_PREREQS) samba4-configure - cd ../source4 make bin/smbtorture + cd ../source4 $(MAKE) bin/smbtorture cp ../source4/bin/smbtorture bin/smbtorture4 bin/ndrdump4: $(BINARY_PREREQS) samba4-configure - cd ../source4 make bin/ndrdump + cd ../source4 $(MAKE) bin/ndrdump cp ../source4/bin/ndrdump bin/ndrdump4 .PHONY: bin/smbtorture4 diff --git a/source3/configure.in b/source3/configure.in index 011bd1a..17b5470 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -1736,7 +1736,9 @@ DSO_EXPORTS= BLDSHARED=true LDSHFLAGS=-shared SONAMEFLAG=-Wl,-soname, - PICFLAG=-fPIC + if test ${GCC} = yes; then + PICFLAG=-fPIC + fi AC_DEFINE(STAT_ST_BLOCKSIZE,512) AC_DEFINE(BROKEN_GETGRNAM,1,[Does getgrnam work correctly]) for flags in -expect_unresolved '*' -Wl,-expect_unresolved,'*' ; do -- Samba Shared Repository
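Review bot: the `+#ifdef AF_INET6` opened before `/* pull a ipv6address */` at @@ -848,6 +848,7 @@ in librpc/ndr/ndr_basic.c compiles out every ipv6address helper between it and the matching `#endif` (the pull routine that comment announces through the tail of ndr_print_ipv6address visible at @@ -903), but nothing else in this patch guards the callers of those helpers; any generated NDR code that references an ipv6address field will then fail to link on exactly the HP-UX 11.00 builds the commit is meant to repair. Either keep the functions and have the pull/push paths return an NDR error when AF_INET6 is absent, or confirm (the "Kai, please check" in the commit message suggests this is still open) that no compiled IDL uses the type on such platforms.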
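Review bot: the bare `+#endif` after `#undef IPV6_BYTES` at @@ -903,6 +904,7 @@ closes a conditional that was opened about fifty lines earlier in a different hunk, and the next thing the reader sees is the unrelated ndr_print_struct; label it `#endif /* AF_INET6 */` so the pairing is obvious without scrolling back.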
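Review bot: replacing the literal `make` with `$(MAKE)` in the bin/smbtorture4 and bin/ndrdump4 recipes at @@ -3478,11 +3478,11 @@ in source3/Makefile.in is the correct fix, since only `$(MAKE)` carries the parent's make program and MAKEFLAGS (including any parallel-job settings) into a recursive build; the hunk touches just these two targets, so please check source3/Makefile.in for any other `cd ../source4` recipe that still spells out `make` and convert it in the same commit.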
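Review bot: `+ if test ${GCC} = yes; then` at @@ -1736,7 +1736,9 @@ in source3/configure.in leaves `${GCC}` unquoted, so in the non-gcc Tru64 case this hunk exists for (GCC unset or empty) the shell evaluates `test = yes` and reports an operator error rather than a clean false; write it as `if test "x${GCC}" = "xyes"; then`. Also, the removed line assigned PICFLAG unconditionally, while the new form leaves it untouched for non-gcc compilers; unless PICFLAG is known to be empty when this branch is reached, add `else PICFLAG=` so the "(none)" in the commit title is what the build actually gets.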
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf52cff s4-kcc: fixed valgrind errors in drs replicaInfo server side via 5e8cb67 s4-provision: fixed eadb automatic and manual setting in provision via cfa7510 wintest: do an initial replication of CN=Configuration to transfer dnsHostname via 23b wintest: fixed rndc command option in provision via 9409b73 wintest: make IPv6 optional in wintest via eeb29b5 s4-provision: don't try to look for an IPv6 address when not specified from e52ba1f librpc: fix builds without IPv6 suport (HP-UX 11.00) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf52cffd2587615243a7101868a9038d9aa1b0c2 Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 12:38:06 2010 +1100 s4-kcc: fixed valgrind errors in drs replicaInfo server side Pair-Programmed-With: Andrew Bartlett abart...@samba.org Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Fri Nov 26 03:52:30 CET 2010 on sn-devel-104 commit 5e8cb67605367ffd9dd2a8624df90f2ca5e77fc4 Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 12:10:55 2010 +1100 s4-provision: fixed eadb automatic and manual setting in provision we should not set posix:eadb in lp in the acl native test code Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit cfa7510e19b5e593af8c4da6e89b6a99adfe8b2b Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 11:36:29 2010 +1100 wintest: do an initial replication of CN=Configuration to transfer dnsHostname this fixes the drs replication in the dcpromo test commit 23b98c7d1bd700509bb3fa6eaca3e1524096 Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 11:33:49 2010 +1100 wintest: fixed rndc command option in provision we need to point at the generated rndc.conf Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 9409b73290bdbfc82b75c4af8a22ca1ed6165e2a Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 11:33:10 2010 +1100 wintest: make IPv6 optional in wintest we need some more work on IPv6 support 
in s4 before this works commit eeb29b593a671e16f87e64f01abea47ec898ba77 Author: Andrew Tridgell tri...@samba.org Date: Fri Nov 26 10:20:03 2010 +1100 s4-provision: don't try to look for an IPv6 address when not specified the getaddrinfo() method of finding an IPv6 address is incorrect. We could do it via the Samba interfaces code, but until we have that it is better to not try to auto-detect IPv6 Pair-Programmed-With: Andrew Bartlett abart...@samba.org --- Summary of changes: source4/dsdb/kcc/kcc_drs_replica_info.c | 12 +++- source4/scripting/python/samba/ntacls.py| 31 ++--- source4/scripting/python/samba/provision.py | 13 + source4/setup/provision |6 +--- wintest/conf/abartlet.conf |1 - wintest/conf/tridge.conf|1 - wintest/test-s4-howto.py| 40 --- 7 files changed, 53 insertions(+), 51 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/kcc/kcc_drs_replica_info.c b/source4/dsdb/kcc/kcc_drs_replica_info.c index e2e49b8..1da3ecd 100644 --- a/source4/dsdb/kcc/kcc_drs_replica_info.c +++ b/source4/dsdb/kcc/kcc_drs_replica_info.c @@ -418,13 +418,9 @@ static WERROR get_master_ncs(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, } for (k = 0; k msg_elem-num_values; k++) { - int len = msg_elem-values[k].length; - /* copy the string on msg_elem-values[k]-data to nc_str */ - nc_str = talloc_array(mem_ctx, char, len); + nc_str = talloc_strndup(mem_ctx, (char *)msg_elem-values[k].data, msg_elem-values[k].length); W_ERROR_HAVE_NO_MEMORY(nc_str); - memcpy(nc_str, msg_elem-values[k].data, len); - nc_str[len] = '\0'; nc_list_elem = talloc_zero(mem_ctx, struct ncList); W_ERROR_HAVE_NO_MEMORY(nc_list_elem); @@ -584,7 +580,6 @@ static WERROR kccdrs_replica_get_info_neighbours(TALLOC_CTX *mem_ctx, struct repsFromTo2 *reps_from = NULL; uint32_t c_reps_from; uint32_t i_rep; - struct drsuapi_DsReplicaNeighbour neigh; struct ncList *nc_list = NULL; status = get_ncs_list(mem_ctx, samdb, service, object_dn_str, nc_list); 
@@ -624,6 +619,8 @@ static WERROR kccdrs_replica_get_info_neighbours(TALLOC_CTX *mem_ctx, { if (i = base_index) { + struct
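Review bot: the removed lines at @@ -418,13 +418,9 @@ in source4/dsdb/kcc/kcc_drs_replica_info.c allocated exactly `len` chars with talloc_array and then wrote `nc_str[len] = '\0'`, one byte past the end of the allocation, which is the invalid write valgrind reported; the `+ nc_str = talloc_strndup(mem_ctx, (char *)msg_elem-values[k].data, msg_elem-values[k].length);` replacement allocates length+1 and terminates the copy itself, and the following W_ERROR_HAVE_NO_MEMORY check is rightly kept. The one behavioural difference to be aware of is that talloc_strndup stops at the first NUL inside the value, which is fine for the naming-context DN strings this loop collects into nc_list.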
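Review bot: dropping `struct drsuapi_DsReplicaNeighbour neigh;` from function scope at @@ -584,7 +580,6 @@ and re-declaring it inside the per-replica block at @@ -624,6 +619,8 @@ narrows its lifetime, but the changeset is truncated right at `+ struct`, so it is not visible whether the new declaration is zero-initialised (`= {0}` or ZERO_STRUCT); without that, the uninitialised-field reports the commit title says it fixes will return for every member not explicitly assigned on each iteration. Please confirm in the full diff, or state in the commit message which fields are now set per pass.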