Re: [Samba] AD / new auxiliary class / vb script

2012-05-24 Thread Hervé Hénoch

Hello Matthieu,

1) Yes, it is a typo, sorry.

2) ldbsearch -H ldap://dc_ip --cross-ncs '(ldapdisplayname=iscA)' -U admin%password
gives (have to authenticate, otherwise it does not work):

# record 1
dn: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: iscA
instanceType: 4
whenCreated: 20120523130147.0Z
whenChanged: 20120523130147.0Z
uSNCreated: 5642
subClassOf: top
governsID: 1.2.840.113556.1.8000.2554.99.1
mayContain: iscA1
rDNAttID: cn
showInAdvancedViewOnly: TRUE
objectClassCategory: 3
lDAPDisplayName: iscA
name: iscA
objectGUID: 39a53446-19e6-4f67-a280-14fce546e475
schemaIDGUID: f0a54822-d855-40b1-8afd-421933f5824d
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
defaultObjectCategory: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
uSNChanged: 5643
distinguishedName: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org

# returned 1 records
# 1 entries
# 0 referrals

3) ldbsearch -H ldap://dc_ip --cross-ncs '(auxiliaryClass=iscA)' -U admin%password
gives:

# record 1
dn: CN=User,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: User
instanceType: 4
whenCreated: 20120523124800.0Z
uSNCreated: 1787
subClassOf: organizationalPerson
governsID: 1.2.840.113556.1.5.9
mayContain: msSFU30NisDomain
mayContain: msSFU30Name
mayContain: msDS-SourceObjectDN
mayContain: x500uniqueIdentifier
mayContain: userSMIMECertificate
mayContain: userPKCS12
mayContain: uid
mayContain: secretary
mayContain: roomNumber
mayContain: preferredLanguage
mayContain: photo
mayContain: labeledURI
mayContain: jpegPhoto
mayContain: homePostalAddress
mayContain: givenName
mayContain: employeeType
mayContain: employeeNumber
mayContain: displayName
mayContain: departmentNumber
mayContain: carLicense
mayContain: audio
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: User
adminDescription: User
objectClassCategory: 1
lDAPDisplayName: user
name: User
objectGUID: 399ff624-5ec8-4379-8f6a-09cdf0bd0594
schemaIDGUID: bf967aba-0de6-11d0-a285-00aa003049e2
systemOnly: FALSE
systemPossSuperiors: builtinDomain
systemPossSuperiors: organizationalUnit
systemPossSuperiors: domainDNS
systemMayContain: msTSPrimaryDesktop
systemMayContain: msTSSecondaryDesktops
systemMayContain: msPKI-CredentialRoamingTokens
systemMayContain: msDS-ResultantPSO
systemMayContain: msTSLSProperty01
systemMayContain: msTSLSProperty02
systemMayContain: msTSManagingLS2
systemMayContain: msTSManagingLS3
systemMayContain: msTSManagingLS4
systemMayContain: msTSLicenseVersion2
systemMayContain: msTSLicenseVersion3
systemMayContain: msTSLicenseVersion4
systemMayContain: msTSExpireDate2
systemMayContain: msTSExpireDate3
systemMayContain: msTSExpireDate4
systemMayContain: msDS-AuthenticatedAtDC
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: msTSManagingLS
systemMayContain: msTSLicenseVersion
systemMayContain: msTSExpireDate
systemMayContain: msTSProperty02
systemMayContain: msTSProperty01
systemMayContain: msTSInitialProgram
systemMayContain: msTSWorkDirectory
systemMayContain: msTSDefaultToMainPrinter
systemMayContain: msTSConnectPrinterDrives
systemMayContain: msTSConnectClientDrives
systemMayContain: msTSBrokenConnectionAction
systemMayContain: msTSReconnectionAction
systemMayContain: msTSMaxIdleTime
systemMayContain: msTSMaxConnectionTime
systemMayContain: msTSMaxDisconnectionTime
systemMayContain: msTSRemoteControl
systemMayContain: msTSAllowLogon
systemMayContain: msTSHomeDrive
systemMayContain: msTSHomeDirectory
systemMayContain: msTSProfilePath
systemMayContain: msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
systemMayContain: msDS-FailedInteractiveLogonCount
systemMayContain: msDS-LastFailedInteractiveLogonTime
systemMayContain: msDS-LastSuccessfulInteractiveLogonTime
systemMayContain: msRADIUS-SavedFramedIpv6Route
systemMayContain: msRADIUS-FramedIpv6Route
systemMayContain: msRADIUS-SavedFramedIpv6Prefix
systemMayContain: msRADIUS-FramedIpv6Prefix
systemMayContain: msRADIUS-SavedFramedInterfaceId
systemMayContain: msRADIUS-FramedInterfaceId
systemMayContain: msPKIAccountCredentials
systemMayContain: msPKIDPAPIMasterKeys
systemMayContain: msPKIRoamingTimeStamp
systemMayContain: msDS-SupportedEncryptionTypes
systemMayContain: msDS-SecondaryKrbTgtNumber
systemMayContain: pager
systemMayContain: o
systemMayContain: mobile
systemMayContain: manager
systemMayContain: mail
systemMayContain: initials
systemMayContain: homePhone
systemMayContain: businessCategory
systemMayContain: userCertificate
systemMayContain: userWorkstations
systemMayContain: userSharedFolderOther
systemMayContain: userSharedFolder
systemMayContain: userPrincipalName
systemMayContain: userParameters
systemMayContain: userAccountControl
systemMayContain: unicodePwd
systemMayContain: terminalServer

Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?

2012-05-24 Thread Pacher Dragos
Then POSIX ACLs are still the way to go for the moment, though ZFS ACLs
seem pretty robust.

Volker, may I ask what the trend is now: are people switching to ACEs now or
still sticking with POSIX?

Dragos

On Tue, May 22, 2012 at 2:16 PM, Volker Lendecke
volker.lende...@sernet.de wrote:

> On Tue, May 22, 2012 at 02:12:02PM +0300, Pacher Dragos wrote:
>> Seems reasonable, zfsacl stores the ACE's natively compared to acl_xattr
>> that makes use of extended attributes.
>>
>> It seems that the big players (Oracle, IBM) made their own tools.
>>
>> Any idea of the strict mapping completeness among zfsacl and acl_xattr ?
>
> Closer than posix acls, but depending on your requirements
> still pretty bad for some aspects of ACLs. In particular
> inheritance based things are not covered properly, and chown
> operations have very different semantics.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-37-0, fax: +49-551-37-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kont...@sernet.de

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Samba4 : Problem setting folder and file permissions from windows box

2012-05-24 Thread micmac
Hi, this is my first message here. I need help, the reason is in the title.
The version running is SAMBA_4.0.0ALPHA18_DEVELOPERBUILD

It was running just fine until I had (for some reason) to transfer the
whole system (ubuntu 11.10 server) to another clean hard drive. I used
rsync -rltgoHDv /olddriveroot /newdriveroot to copy the files, and
installed grub on the new disk.

Now the problem is that samba4 works, domain users can log on and access
files, but the permissions have been reset to some basic values (different
from all the ones I had set before), and I can not change them at all from
a windows7 box as I could before. When I apply the changes, it takes a
while to process the files, then the basic permissions are set again (my
changes lost).

Here is my /usr/local/samba/etc/smb.conf :


[global]
interfaces = 127.0.0.1/8 192.168.1.0/24
server role = domain controller
workgroup = ACEIUBUNTU
realm = ACEI2
netbios name = ubuntuserveur
passdb backend = samba4
security = ADS
domain master = yes
local master = yes
wins support = yes
browseable = yes
log file = /var/log/samba/smbd.log
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096

[netlogon]
path = /usr/local/samba/var/locks/sysvol/acei2/scripts
read only = no

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = no

[profiles]
path = /usr/local/samba/var/profiles
read only = no

[homes]
path = /home/windows
read only = no


The AD database is readable, since I can edit users and computers with the
administration toolkit from windows7 box.

/usr/local/samba/bin/testparm gives the following result :

Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Processing section [profiles]
Processing section [homes]
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions

[global]
workgroup = ACEIUBUNTU
realm = ACEI2
interfaces = 127.0.0.1/8, 192.168.1.0/24
server role = domain controller
security = ADS
passdb backend = samba4
log file = /var/log/samba/smbd.log
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096
domain master = Yes
wins support = Yes
idmap config * : backend = tdb

[netlogon]
path = /usr/local/samba/var/locks/sysvol/acei2/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No

[homes]
path = /home/windows
read only = No


Also, user_xattr and acl are enabled on the ext4 file system, and the home
folder on which I can not set permission has root:users ownership with rwx
rights (which was working before).

Since it is a recopy from a working system, maybe there is a problem with
some file permission on the linux system, but I have searched a lot without
finding any solution. Any help would be greatly appreciated.

Regards,
micmac




--
View this message in context: 
http://samba.2283325.n4.nabble.com/Samba4-Problem-setting-folder-and-file-permissions-from-windows-box-tp4632038.html
Sent from the Samba - General mailing list archive at Nabble.com.


[Samba] Samba as member of multi domain AD (nss/pam)

2012-05-24 Thread Marcel Ritter
Hi list,

I'm looking for someone out there, using samba as a member
server in a multi-domain Active Directory forest (maybe even
with nss_/pam_winbind for unix users/groups).

It took quite a long time to get things working at all here, and we're
still not really comfortable with our current solution (especially
the unix nss/pam part).

I'd be glad if someone out there was interested in exchanging
information on that topic.
So please don't hesitate to contact me, if you are :)

Bye,
   Marcel


Re: [Samba] Samba as member of multi domain AD (nss/pam)

2012-05-24 Thread steve

On 24/05/12 10:06, Marcel Ritter wrote:

> Hi list,
>
> I'm looking for someone out there, using samba as a member
> server in a multi-domain Active Directory forest (maybe even
> with nss_/pam_winbind for unix users/groups).
>
> It took quite a long time to get things working at all here, and we're
> still not really comfortable with our current solution (especially
> the unix nss/pam part).
>
> I'd be glad if someone out there was interested in exchanging
> information on that topic.
> So please don't hesitate to contact me, if you are :)
>
> Bye,
> Marcel

Hi Marcel
Not as part of a multi domain no but we have bypassed winbind in favour 
of storing attributes in the directory instead of an external winbind 
mapping. It works fine using nss-pam-ldapd (I think this is libnss-ldapd 
and libpam-ldapd on Debian).


It's not officially supported but it works a treat.
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers and hth a bit with your nss qn.
Steve


Re: [Samba] multi home dir locations

2012-05-24 Thread Collen


On 23-5-2012 19:50, steve wrote:

> On 05/23/2012 07:22 PM, Muhammad Yousuf Khan wrote:
>
>> check this.
>>
>> [ProfileShare]
>> comment = Roaming Profile Share
>> path = /nas/users/%D/%U
>> valid users = %U
>> read only = No
>> guest ok = No
>> browseable = yes
>> root preexec = /scripts/smbmkdir.sh %D %U
>> create mask = 4770
>> directory mask = 4770
>> store dos attributes = Yes
>> map archive = No
>> map system = No
>> map hidden = No
>> map readonly = no
>>
>> smbmkdir.sh
>> #!/bin/bash
>> # Run as root by "root preexec": $1 is the domain (%D), $2 the user (%U).
>> # Both are quoted so that a value containing spaces or shell
>> # metacharacters stays a single argument.
>>
>> if [ ! -e "/nas/users/$1/$2" ]; then
>>     mkdir -p "/nas/users/$1/$2"
>>     chown "$2":admin-grp "/nas/users/$1/$2"
>>     chmod 4770 "/nas/users/$1/$2"
>> fi
>> exit 0
>>
>> On Wed, May 23, 2012 at 8:28 PM, steve st...@steve-ss.com wrote:
>>
>>> On 05/23/2012 03:56 PM, Collen wrote:
>>>
>>>> Hi all,
>>>>
>>>> i've got samba 3.6 joined to a ad domain (s4 in this case)
>>>> running winbind
>>>> all looks ok, but i ran into a problem (for us that is)
>>>>
>>>> i've got 2 groups (students and employees)
>>>> who have their home dirs in 2 different places.
>>>>
>>>> /home/students/user
>>>> /home/employ/user
>>>
>>> +1
>>> It's not just you:
>>> we have s3 connected to an s4 domain and we want e.g.
>>>
>>> /home2/students/year7
>>> /home2/students/year7/year7a/student
>>> /home2/students/year7/year7b/student
>>> /home2/staff
>>> /home2/staffteacher
>>>
>>> Under winbind we cannot see how to do it. So we have used the new
>>> nss-pam-ldapd instead and store the unixHomeDirectory in the
>>> directory. As it's available in both the 2008 and s4 schema it works
>>> quickly and efficiently. With the homeDirectory [share] and
>>> unixHomeDirectory being mapped by ldapd it works fine. Just like under
>>> 2008r2. I really do think we should look into this being standard.
>>>
>>> Winbind has done a good job since 2000 but unless it can cope with new
>>> ideas. . . I'm sure it can. It's just not as easy.
>>> Please contact us personally for full details.
>>> Cheers,
>>> Steve.
>>> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> Thanks that's a good idea, but nope. It doesn't work in winbind:
>
> I want a student who has a home directory in
> /home2/DOMAIN/students/year7/student-name
>
> and a teacher who has a home directory in:
> path = /home2/DOMAIN/staffstaff name
>
> I can't do that with winbind.
>
> As both unixHomeDirectory and the homeDirectory attributes are available
> in the 2008r2 and Samba4 schemas, why not simply write the values _you_
> want into the directory and map it using nss-ldapd? As m$ make it
> available, surely this is what they intend us to do.
> Cheers,
> Steve

Thx that was indeed the way I was looking for.
but how can i make it default ?
that when i add a user it also has the objectclass - posixaccount ??

in the user manager from windows ad, i see the unix attributes, but
can't alter them
also when I look at the users with ldap, i have to add the posixaccount
objectclass before i can enter a unixhomedir

can i add a default objectclass to the users layer ??

anyway, thx for putting me on the right track...

Cheers, Collen





Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box

2012-05-24 Thread François Moyson
I have just tried to set permissions on folders present inside the
profiles share, and there it works! I can add users, change permissions
and so on.

The ownership of /usr/local/samba/var/profiles is also root:users with 
same rights as my /home/windows folder (which is homes share).
So I don't get why I can set permissions and edit users in the profiles 
share, and not in the homes share.


/home is not on a separate partition, everything is on the same 
partition, so not a filesystem issue.

hope it can help to pinpoint the issue...

micmac



Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box

2012-05-24 Thread micmac
Ok it seems I have to also copy the extended attributes from the original
folders.

Does anybody know how to copy xattr from some file/folder to another ? (I
think it's still in the subject and could be useful to anyone wanting to
move files to another drive, right ?)...

The ideal would be knowing how to copy a file or a folder, together with
its extended attributes, and also how to copy extended attributes from
existing files/folders to other files/folders.

micmac


--
View this message in context: 
http://samba.2283325.n4.nabble.com/Samba4-Problem-setting-folder-and-file-permissions-from-windows-box-tp4632038p4632045.html
Sent from the Samba - General mailing list archive at Nabble.com.
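
An added example, not part of the original post and not the script linked later in the thread: the rsync options quoted in the first message (-rltgoHDv) include neither -X (extended attributes) nor -A (ACLs), so a copy made that way arrives without them. The Python below re-applies every xattr from the old tree onto the same relative paths in the new one; it assumes both trees are still mounted, and that it runs as root when the attributes to restore are in the security.* or trusted.* namespaces (the script name in the usage line is a placeholder).

```python
#!/usr/bin/env python3
"""Re-apply extended attributes from an original tree onto a copy of it."""
import errno
import os
import sys


def read_xattrs(path):
    """Return {name: value} for the xattrs readable on path (symlinks not followed)."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:  # filesystem without xattr support
            return {}
        raise
    attrs = {}
    for name in names:
        try:
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError as exc:
            # Vanished meanwhile, or not readable at this privilege level.
            if exc.errno not in (errno.ENODATA, errno.EPERM, errno.EACCES):
                raise
    return attrs


def plan_copy(src_attrs, dst_attrs):
    """Return sorted (name, value) pairs that are missing or different on the copy."""
    return sorted((n, v) for n, v in src_attrs.items() if dst_attrs.get(n) != v)


def copy_xattrs(src, dst):
    """Copy missing or different xattrs from src to dst.

    Returns (applied, failed): two lists of attribute names.
    """
    applied, failed = [], []
    for name, value in plan_copy(read_xattrs(src), read_xattrs(dst)):
        try:
            os.setxattr(dst, name, value, follow_symlinks=False)
            applied.append(name)
        except OSError:
            # Typically security.* or trusted.* without root, or a
            # destination filesystem mounted without xattr support.
            failed.append(name)
    return applied, failed


def sync_tree(src_root, dst_root):
    """Walk src_root and re-apply xattrs on the same relative paths in dst_root.

    Returns {relative_path: (applied, failed)} for every path that needed a
    change. A path that does not exist in the copy is reported with
    failed == ["<missing>"] so an incomplete copy is visible in the report.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in [""] + files:  # "" stands for the directory itself
            rel = os.path.normpath(os.path.join(rel_dir, name))
            src = os.path.join(src_root, rel)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                report[rel] = ([], ["<missing>"])
                continue
            applied, failed = copy_xattrs(src, dst)
            if applied or failed:
                report[rel] = (applied, failed)
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: copy_xattrs.py OLD_ROOT NEW_ROOT")
    result = sync_tree(sys.argv[1], sys.argv[2])
    for rel, (applied, failed) in sorted(result.items()):
        print(f"{rel}: applied={applied} failed={failed}")
    # Non-zero exit when anything could not be restored.
    sys.exit(1 if any(failed for _a, failed in result.values()) else 0)
```

Any name listed under failed in the report was not restored on that path; a second run that prints nothing means the two trees carry the same attributes.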


Re: [Samba] Restricting access to [homes]

2012-05-24 Thread steve

On 05/23/2012 09:39 PM, NdK wrote:

> On 23/05/2012 15:30, steve wrote:
>
>> If the gidNumber for the gid is stored in AD (as the 2008 and samba4
>> schema allow) then there can be no clash. It is then no problem in
>> extracting it and applying it using normal /etc/nsswitch.conf format.
>
> The AD schema is still 2003. And who manages it thinks the world is
> Win-only :( It's easier to talk a mountain into moving itself than
> making 'em change a single bit in the schema...
>
> [...]

snip

Hi Diego

I think the schema we use (Samba4)  is m$ supplied. Our devs fought to 
get it out of them a few months ago. It is 2008 and/or 2008r2. It 
certainly has all the rfc2307 stuff that Linux needs out of the box. It 
has objectClasses posixGroup and posixAccount and all the attributes 
that go with them.


We tried winbind, but the mappings uid:gid just don't work for us. It 
seems a pity to have this all available in the schema but still 
recommend external winbind mappings. But we are very novice in all this.

Cheers,
Steve


Re: [Samba] Restricting access to [homes]

2012-05-24 Thread steve

On 05/23/2012 11:46 PM, Jonathan Buzzard wrote:

> NdK wrote:
>
>> On 23/05/2012 15:30, steve wrote:
>>
>>> If the gidNumber for the gid is stored in AD (as the 2008 and samba4
>>> schema allow) then there can be no clash. It is then no problem in
>>> extracting it and applying it using normal /etc/nsswitch.conf format.
>>
>> The AD schema is still 2003. And who manages it thinks the world is
>> Win-only :( It's easier to talk a mountain into moving itself than
>> making 'em change a single bit in the schema...
>
> Surely it is at least 2003 R2, in which case the schema has been
> extended (the update to R2 does it whether you want it or not) and all
> the fields are waiting to be populated :-)
>
> JAB.

It is 2008r2. We have the rfc2307 objectClasses and attributes built in. 
Let's use them!

Cheers,
Steve


[Samba] Samba 4 Re-provisioning

2012-05-24 Thread Mike Howard
What's best practice when it comes to changing a samba4 provision, 
without screwing current domain objects (users, computers, policy etc)? 
If, for example, I wanted to change the DNS from internal to external 
bind9, is it just a case of re-running 'provision' with the different 
command line option or will that mangle the domain sid etc?


Cheers,
Mike.
--
Any question is easy if you know the answer!


Re: [Samba] mount.cifs Is it possible to have a file owned by the user who creates the file?

2012-05-24 Thread Jeff Layton
On Thu, 17 May 2012 14:37:00 +0200
steve st...@steve-ss.com wrote:

> On 05/17/2012 02:34 AM, Jeff Layton wrote:
>> On Wed, 16 May 2012 17:30:23 +0200
>> steve st...@steve-ss.com wrote:
>>
>> On 05/16/2012 02:56 PM, steve wrote:
>> Hi
>> e.g.
>> mount.cifs //192.168.1.6/reports /mnt -o rw,setuids,nodev,user=steve2
>>
>> Any file created in the share is always owned by steve2 (or the person
>> who mounted the share).
>>
>> According to man cifs(8), the setuids overrides this but doesn't seem
>> to work for us. We'd like it to be the same behavior as nfs if that's
>> possible.
>>
>> Version 4.0.0alpha21-GIT-46a41d0 with s3fs
>>
>> Cheers,
>> Steve
>>
>>
>> CORRECTION:
>> It _looks_ as though it's owned by the person specified as user _when in
>> the share_ but the actual file (the unmounted file) is always owned by
>> root.
>> Steve
>> Sadly, permissions enforcement and handling in cifs.ko are badly
>> broken by default.
>>
>> The only way to do this properly is to switch to using multiuser
>> mounts. Have a look at the multiuser option in mount.cifs(8) and
>> cifscreds(1).
>>
>> Cheers,
> Hi Jeff
> Thanks for the confirmation. Strangely, I found by accident that using
> the .gvfs smb:// mount in Nautilus does actually create user owned
> files. I'm sure that there must be a catch there somewhere though:
>

AFAIK, the .gvfs stuff uses a libsmbclient fuse-based fs. Apples and
oranges here...

> kinit Administrator
> mount.cifs -o rw,uid=308,sec=krb5 //server/share /somewhere
>

Calling mount.cifs directly isn't recommended. It's a mount helper
that's intended to only be called from /bin/mount.

> produces uid 308 files no matter who accesses the share. Leaving off
> the uid= creates files as uid=root. Maybe the .gvfs is doing what you
> described on a who-ever-is-logged-in-and-access's-it basis?
>

That's correct behavior. You've specified uid=, which tells the
client to forcibly override all of the uids in the inodes with the
value you provided.

It can't do that on the server however. All the server sees is a call
to create a file that came from the client by Administrator. That
probably doesn't match up to uid 308 on the server, which is why
you see the mismatch.

What you may want to do is to instead use -o sec=krb5,multiuser,
which will make cifs.ko switch to multiuser mode. In that mode, each
uid on the client that accesses the mount will do so using their own
credentials and (most importantly) the client won't try to enforce
permissions locally.

It does mean that every user who accesses the mount will need a krb5
ticket however instead of every user sharing the same set of
credentials.

-- 
Jeff Layton jlay...@samba.org


[Samba] Linux to Windows Interoperability

2012-05-24 Thread Knecht, Matthew J (AS)
Hello,

Currently using a freely available MS Windows file system driver, Ext2Fsd, to 
communicate (read/write) with external media formatted EXT3 (Linux volume) from 
within MS Windows.

Curious to know if Samba is able to support communication (read/write) with 
external media formatted EXT3 (Linux volume) from within the MS Windows 
environment?

Looking forward to your reply.

Thanks.

Best,

Matthew Knecht
516-346-7264


Re: [Samba] Linux to Windows Interoperability

2012-05-24 Thread John Drescher
> Curious to know if Samba is able to support communication (read/write) with
> external media formatted EXT3 (Linux volume) from within the MS Windows
> environment?


I am not sure samba works on a windows machine. I mean you would have
to disable the Server service and probably a few more since Samba
replaces these.

John


Re: [Samba] Linux to Windows Interoperability

2012-05-24 Thread Gala Dragos
If you are thinking about storing the files on a linux ext3 partition, then it
is possible, but the access will be case sensitive.

> From: John Drescher dresche...@gmail.com
> To: Knecht, Matthew J (AS) matthew.kne...@ngc.com
> Cc: samba@lists.samba.org samba@lists.samba.org;
> samba-techni...@lists.samba.org samba-techni...@lists.samba.org;
> mail...@lists.samba.org mail...@lists.samba.org
> Sent: Thursday, May 24, 2012 3:32 PM
> Subject: Re: [Samba] Linux to Windows Interoperability
>
>> Curious to know if Samba is able to support communication (read/write) with
>> external media formatted EXT3 (Linux volume) from within the MS Windows
>> environment?
>
> I am not sure samba works on a windows machine. I mean you would have
> to disable the Server service and probably a few more since Samba
> replaces these.
>
> John


Re: [Samba] Samba compilation issue - trick

2012-05-24 Thread Gaiseric Vandal
In fact, that makes sense - why recompile multiple times if you don't
need to.


It should be fine as long as the dependent libraries versions  (e.g.
glibc, openldap, kerberos etc)  are the same or at least close enough.
If you had a library mismatch you would probably find that out as soon
as you ran it.  It is odd though-  if your environments are the same
then the compilation should not have been an issue.






On 05/24/12 01:20, prabu.muru...@emc.com wrote:
> Hi,
>
> I have just copied the compiled samba directory from other machine :).
> 3.4.17 is working now and it joined to AD domain too.
>
> I know it is not the correct procedure. Do you think it will create any issue
> in future?
>
> -Prabu





[Samba] cannot execute .exe files from a share

2012-05-24 Thread BeavieS
Hello, I've seen this error on the mailing list but no solutions.

Problem: No user can execute an .exe file from a group share under any
windows version (wXP till Windows 7).

Permissions: Every user can read, write, delete, etc in that share.
I've chmoded 777 the file but for nothing. The user can copy the .exe
file to another location like desktop and then can execute it (it is a
portable application) with no problems.

Strange behaviour: The most strange is that if a user copies the .exe
file to their 'home' (their private share on the samba server) then they
CAN run it!

Another clue: the admin users of the share CAN execute the .exe file

CONFIGURATION
It's a standalone server joined on a Windows 2003 domain

[global]
workgroup = HCG
realm = SOME.ACTIVEDIRECTORY.DOMAIN
server string = Servidor de Datos
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
printcap name = /dev/null
disable spoolss = Yes
domain master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1-2
idmap config * : backend = tdb
printing = bsd

[homes]
comment = Directorio personal
path = /home/%S
valid users = %S
force group = users
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[administracio]
path = /home/administracio
valid users = @administracio
admin users = ds
read only = No
create mask = 0660
directory mask = 0770
inherit acls = Yes
inherit owner = Yes
vfs objects = acl_xattr, full_audit
full_audit:priority = notice
full_audit:facility = local7
full_audit:failure = connect
full_audit:success = rmdir rename unlink
full_audit:prefix = Administracio|%u|%m

So a user of the @administracio group can execute .exe files in their home
share but NOT the same .exe file in the [administracio] share. Except user
'ds', who is an admin user of the share.

ls -l /home/administracio/program.exe
-rwxrwxrwx 1 administrador administracio 582656 may 23 13:26 /home/administracio/program.exe

ls -l /home
drwxrws--- 56 administrador administracio  4096 may 24 15:01 administracio

(although chmoding 777 /home/administracio doesn't work).

Samba version 3.6.3

Thank you!

-- 
beavies at gmail dot com


Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box

2012-05-24 Thread micmac
I found a Python script that can copy the xattr from one file to another,
sadly it didn't help at all...

I'm completely desperate about a solution... and apparently people don't
care at all about what I'm saying on this list.

Here is the script, if it can be of use to some:

http://game-sat.com/~brian/xattr.copy

micmac




[Samba] Samba / LDAP : map uid to another field ?

2012-05-24 Thread Sylvain
Hi !

I have an OpenLDAP where user DNs are in the form «
uid=P1234,ou=people,dc=example,dc=com » and where the login is in the «
eduPersonPrincipalName » attribute (ex : jdoe).
I have configured my system (Debian Squeeze) to authenticate against LDAP
(libpam-ldapd + libnss-ldapd with a mapping uid-eduPersonPrincipalName);
if I do « ssh jdoe@server », it works great.
Now I want to give a Samba share to these users, so I configured Samba
(3.5.6) to connect to LDAP, but I cannot authenticate with
eduPersonPrincipalName; if I use the « uid », it works.
I have searched for a mapping option in Samba but I didn't find one...
Is it possible to map the « uid » attribute to another attribute? If yes, how?

Here is the smb.conf:

[global]
server string = %h server
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://192.168.102.153;
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain logons = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=example,dc=fr
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap suffix = dc=example,dc=fr
ldap ssl = no
ldap user suffix = ou=people
ldap debug level = 1
ldap debug threshold = 1
panic action = /usr/share/samba/panic-action %d

[netlogon]
path = /srv/samba/netlogon
write list = P1234
browseable = No

[profiles]
path = /srv/samba/export/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

Here is the slapd log, which shows the use of uid:

May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 ACCEPT from IP=192.168.102.153:55825 (IP=0.0.0.0:389)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base= scope=0 deref=0 filter=(objectClass=*)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH attr=supportedControl
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base=dc=example,dc=fr scope=2 deref=0 filter=((uid=sderosiaux)(objectClass=sambaSamAccount))
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 closed (connection lost)

Thanks for advice,
Sylvain
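
A way to confirm from the slapd side which attribute Samba uses as the login name, as the log in the message above does by hand. This is an added example, not part of the original post: the sample log lines are constructed, the function names are hypothetical, and the parser tolerates records that a mail client has hard-wrapped.

```python
import re

# Constructed sample in the same slapd syslog format as the log above; the
# second and third records are hard-wrapped the way mail clients wrap lines.
SAMPLE_LOG = """\
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn="cn=admin,dc=example,dc=fr" method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH
base="dc=example,dc=fr" scope=2 deref=0
filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text=
May 24 15:34:09 docs-test slapd[623]: conn=1150 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(&(uid=P1234)(objectClass=sambaSamAccount))"
May 24 15:34:09 docs-test slapd[623]: conn=1150 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

RECORD_START = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ slapd\[\d+\]: ")
CONN_OP = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
# One "(attr=value)" item of an LDAP search filter.
ASSERTION = re.compile(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)")


def unwrap(text):
    """Rejoin hard-wrapped records: a line without a syslog prefix is a
    continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def searches(text):
    """Pair each SRCH request with its SEARCH RESULT, keyed by (conn, op)."""
    ops = {}
    for record in unwrap(text):
        m = CONN_OP.search(record)
        if not m:
            continue
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        if rest.startswith("SRCH ") and "filter=" in rest:
            flt = rest.split("filter=", 1)[1].strip().strip('"')
            ops.setdefault(key, {})["filter"] = flt
            ops[key]["assertions"] = {
                attr.lower(): value for attr, value in ASSERTION.findall(flt)}
        elif rest.startswith("SEARCH RESULT"):
            n = re.search(r"nentries=(\d+)", rest)
            if n:
                ops.setdefault(key, {})["nentries"] = int(n.group(1))
    return ops


def failed_account_lookups(text):
    """Samba account searches (objectClass=sambaSamAccount) that matched no
    entry, with the attribute and value used as the login name."""
    out = []
    for (conn, op), info in sorted(searches(text).items()):
        a = info.get("assertions", {})
        if a.get("objectclass", "").lower() != "sambasamaccount":
            continue
        if info.get("nentries") != 0:
            continue
        for attr, value in a.items():
            if attr != "objectclass":
                out.append((conn, op, attr, value))
    return out


if __name__ == "__main__":
    for conn, op, attr, value in failed_account_lookups(SAMPLE_LOG):
        print("conn=%d op=%d: no sambaSamAccount with %s=%s"
              % (conn, op, attr, value))
```
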


Re: [Samba] cannot execute .exe files from a share

2012-05-24 Thread Daniel Müller
Try to set the sticky bit for the group on this share.

Good Luck
Daniel

---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---



Re: [Samba] Linux to Windows Interoperability

2012-05-24 Thread Chris Weiss
On Wed, May 23, 2012 at 9:13 AM, Knecht, Matthew J (AS)
matthew.kne...@ngc.com wrote:
> Hello,
>
> Currently using a freely available MS Windows file system driver, Ext2Fsd, to
> communicate (read/write) with external media formatted EXT3 (Linux volume)
> from within MS Windows.
>
> Curious to know if Samba is able to support communication (read/write) with
> external media formatted EXT3 (Linux volume) from within the MS Windows
> environment?


That's not really how smb/cifs works.  Samba is a network server
process that (among other things) translates whatever local
filesystems your operating system supports into a network filesystem
that OSes that have a smb/cifs client can use. It does not directly
support any filesystems itself; that's your OS's job.  Even if somehow
one were to make Samba work on Windows, which is pointless since
Windows already has a smb/cifs server built in, it would NOT add ext3
support to Windows.


Re: [Samba] Samba / LDAP : map uid to another field ?

2012-05-24 Thread miguelmedalha


I am not sure if you can act on the samba side. Maybe you should think
the other way around. You can map one attribute to another inside the
LDAP server.

You would use the map attribute directive to map
eduPersonPrincipalName to uid. Both logins would then authenticate
against uid.




Re: [Samba] cannot execute .exe files from a share

2012-05-24 Thread Moray Henderson
> -Original Message-
> From: BeavieS [mailto:beav...@gmail.com]
> Sent: 24 May 2012 14:31
>
> Hello, I've seen this error on the mailing list but no solutions.
>
> Problem: No user can execute an .exe file from a group share under any
> windows version (wXP til Windows 7).
>
> Permissions: Every user can read, write, delete, etc in that share.
> I've chmoded 777 the file but for nothing. The user can copy the .exe
> file to another location like desktop and then can execute it (is a
> portable application) with no problems.
>
> Strange behaviour: The most strange is that if a user copies the .exe
> file to their 'home' (his private share on the samba server) then they
> CAN run it!.
>
> Another clue: the admin users of the share CAN execute the .exe file
>
> CONFIGURATION
> It's a standalone server joined on a Windows 2003 domain
>
> [global]
> workgroup = HCG
> realm = SOME.ACTIVEDIRECTORY.DOMAIN
> server string = Servidor de Datos
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> domain master = No
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> template shell = /bin/bash
> winbind separator = /
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 1-2
> idmap config * : backend = tdb
> printing = bsd
>
> [homes]
> comment = Directorio personal
> path = /home/%S
> valid users = %S
> force group = users
> read only = No
> create mask = 0600
> directory mask = 0700
> browseable = No
>
> [administracio]
> path = /home/administracio
> valid users = @administracio
> admin users = ds
> read only = No
> create mask = 0660
> directory mask = 0770
> inherit acls = Yes
> inherit owner = Yes
> vfs objects = acl_xattr, full_audit
> full_audit:priority = notice
> full_audit:facility = local7
> full_audit:failure = connect
> full_audit:success = rmdir rename unlink
> full_audit:prefix = Administracio|%u|%m
>
> So a user of the @administracio group can execute .exe files in their home
> share but NOT the same .exe file in the [administracio] share, except user
> 'ds', who is an admin user of the share.
>
> ls -l /home/administracio/program.exe
> -rwxrwxrwx 1 administrador administracio 582656 may 23 13:26 /home/administracio/program.exe
>
> ls -l /home
> drwxrws--- 56 administrador administracio  4096 may 24 15:01 administracio
>
> (although chmoding 777 /home/administracio doesn't work).
>
> Samba version 3.6.3

I'm sure I saw this problem a long time ago - now to see if I can remember
the solution...

Windows security settings?  It identifies the file as being remote (or
possibly Local-intranet) and Windows is set to not trust remote files.


Moray.
To err is human; to purr, feline.







Re: [Samba] Samba 3.5 to 3.6

2012-05-24 Thread manfred
Same problem here with a PC not in the same workgroup/domain.

We had no problems accessing the server with user/password from another workgroup.
Since the update to 3.6.3 the user now can't access it, and Samba logs the error:

[2012/05/24 15:54:12.124757,  1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-133745353-162177866-37141012-513) does not match the domain sid(S-1-5-21-71619937-141952100-153857936) for bgsystem(S-1-5-21-71619937-141951100-153857936-4306)

With the correct user/password, access to the share should always be granted!
With two Windows PCs this would work too.

Is there a way to turn the consistency off or switch to the old behavior?
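
To see which side of the check in a log entry like the one above fails, each SID can be split into its domain part and RID and compared with the server's domain SID. This is an added example, not part of the original post: the sample entry, its SIDs, the account name and the function names are constructed for it.

```python
import re

# Constructed log entry in the format of the samu_to_SamInfo3 message above,
# hard-wrapped as mail clients do. SIDs and the account name are made up.
SAMPLE_ENTRY = """\
[2012/05/24 15:54:12.124757,  1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-1111111111-2222222222-3333333333-513) does
not match the domain sid(S-1-5-21-1234567890-2345678901-3456789012) for
alice(S-1-5-21-1234567890-2345678901-3456789012-4306)
"""

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MISMATCH_RE = re.compile(
    r"primary group domain sid\((S-[\d-]+)\) does not match "
    r"the domain sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)"
)
# Well-known relative identifiers of built-in domain accounts and groups.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers"}


def parse_sid(sid):
    """Return (revision, authority, sub-authorities) or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = tuple(int(s) for s in m.group(3)[1:].split("-"))
    # A SID holds at most 15 sub-authorities, each an unsigned 32-bit value.
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return int(m.group(1)), int(m.group(2)), subs


def split_account_sid(sid):
    """Split S-1-5-21-a-b-c-RID into (domain SID string, RID)."""
    rev, auth, subs = parse_sid(sid)
    if (rev, auth) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not an NT domain account SID: %r" % sid)
    domain = "S-1-5-" + "-".join(str(s) for s in subs[:4])
    return domain, subs[4]


def diagnose(entry):
    """Report which SID in a samu_to_SamInfo3 mismatch entry is foreign to
    the server's domain. Returns None if the entry is a different message."""
    m = MISMATCH_RE.search(" ".join(entry.split()))  # undo hard wrapping
    if not m:
        return None
    group_sid, domain_sid, account, user_sid = m.groups()
    parse_sid(domain_sid)  # validate only; a domain SID carries no RID
    group_domain, group_rid = split_account_sid(group_sid)
    user_domain, user_rid = split_account_sid(user_sid)
    return {
        "account": account,
        "user_rid": user_rid,
        "user_in_domain": user_domain == domain_sid,
        "group_rid": group_rid,
        "group_name": WELL_KNOWN_RIDS.get(group_rid, "unknown"),
        "group_domain": group_domain,
        "group_in_domain": group_domain == domain_sid,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ENTRY).items():
        print("%-16s %s" % (key, value))
```
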



Re: [Samba] cannot execute .exe files from a share

2012-05-24 Thread Denis Witt

On 24.05.2012 15:30, BeavieS wrote:

> Problem: No user can execute an .exe file from a group share under any
> windows version (wXP til Windows 7).

Check your Internet Explorer (yes, IE) Security-Settings and if you are 
connecting to the share via the server IP add the IP to the IE trusted 
sites.


Some time ago my users had problems opening Office Files. This was 
caused by the IE-Security settings. The users were connected to the 
share via IP instead of the server's netbios name, so Windows thought 
the file was downloaded from the Internet and blocked it.


Best regards
Denis


Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box

2012-05-24 Thread steve

On 05/24/2012 03:39 PM, micmac wrote:

> I found a Python script that can copy the xattr from one file to another,
> sadly it didn't help at all...
>
> I'm completely desperate about a solution... and apparently people don't
> care at all about what I'm saying on this list.
>
> Here is the script, if it can be of use to some:
>
> http://game-sat.com/~brian/xattr.copy
>
> micmac



Hi
I think you may be looking at the same bug as us:
https://bugzilla.samba.org/show_bug.cgi?id=8938

Briefly: posix to windows and windows to posix doesn't work at the 
moment. I feel sure we are on the edge of an imminent fix. Please add 
your test-case to 3938 if you think it relevant.


Cheers,
Steve



Re: [Samba] Samba / LDAP : map uid to another field ?

2012-05-24 Thread Sylvain
Unfortunately, I cannot do this since the two attributes have different
meanings and are used in other applications, so maybe a local LDAP
replica and use of your trick will work. I will try that if there is no
Samba solution.

Thanks :)

2012/5/24 miguelmeda...@sapo.pt


> I am not sure if you can act on the samba side. Maybe you should think the
> other way around. You can map one attribute to another inside the LDAP
> server.
>
> You would use the map attribute directive to map
> eduPersonPrincipalName to uid. Both logins would then authenticate
> against uid.




[Samba] Lots of NT_STATUS_OBJECT_NAME_COLLISION errors, harmless?

2012-05-24 Thread Paul Elliott

Hello all,

I'm attempting to set up a small Windows network using Samba as the PDC
(and the only server involved). Clients are running Windows 7 (x86_64)
and the server is running Debian Squeeze with samba 3.5.6. For now I'm
just using tdbsam as the passwd backend.


The problem I have is that I see lots of errors involving 
NT_STATUS_OBJECT_NAME_COLLISION, here's an example at login time for 
user pre500 with roaming profiles enabled:


[2012/05/24 15:36:15.038884,  3] smbd/dosmode.c:166(unix_mode)
  unix_mode(pre500.V2) returning 0700
[2012/05/24 15:36:15.038902,  2] smbd/open.c:2505(open_directory)
  open_directory: unable to create pre500.V2. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2012/05/24 15:36:15.038925,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(153) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_COLLISION


And similar errors at logout for every directory within the profile:

[2012/05/24 15:36:15.975852,  3] smbd/dosmode.c:166(unix_mode)
  unix_mode(pre500.V2/AppData/Roaming/Microsoft/Windows/Start Menu) returning 0700
[2012/05/24 15:36:15.975870,  2] smbd/open.c:2505(open_directory)
  open_directory: unable to create pre500.V2/AppData/Roaming/Microsoft/Windows/Start Menu. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2012/05/24 15:36:15.975888,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(153) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_COLLISION


The unix user can access, create and delete files/directories within the 
profiles directory without issue directly on the samba server itself and 
the directories quoted in the error messages already exist with the 
correct owner.


Here's my global and profile share config in case it shows any obvious 
errors:


[global]
security = user
workgroup = YNIC
netbios name = SAMBA
os level = 99
preferred master = yes
domain master = yes
domain logons = Yes
wins support = yes
name resolve order = wins hosts bcast
interfaces = 144.32.169.120
bind interfaces only = true
encrypt passwords = yes
username map = /etc/samba/smbusers
# management scripts pruned
passdb backend = tdbsam
logon path = \\%L\profiles\%U
log level = 4
[profiles]
path = /srv/samba/profiles
comment = roaming profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
printable = no
profile acls = yes
csc policy = disable

So far, even with these errors, I haven't observed any failures from the 
client although my testing so far has been severely limited. Would 
anyone be able to confirm if these errors are something I should be 
concerned about or if they are purely cosmetic and can be safely ignored?


Much appreciated, Paul.

--
Paul Elliott, UNIX Systems Administrator
York Neuroimaging Centre, University of York


Re: [Samba] Samba 4 Re-provisioning

2012-05-24 Thread Charles Tryon
If all you are trying to do is rebuild (or migrate) your DNS without
boffing the rest of your current domain, you should be able to use:

/usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ --verbose

I just used this to convert my flat-file back-end over to DLZ.  I DON'T
know if it understands pulling your zone out of the internal server and
converting it to bind9.



On Thu, May 24, 2012 at 6:30 AM, Mike Howard m...@dewberryfields.co.uk wrote:

> What's best practice when it comes to changing a samba4 provision, without
> screwing current domain objects (users, computers, policy etc)? If, for
> example, I wanted to change the DNS from internal to external bind9, is it
> just a case of re-running 'provision' with the different command line
> option or will that mangle the domain sid etc?
>
> Cheers,
> Mike.
> --
> Any question is easy if you know the answer!




-- 
Charles Tryon
_
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
- Ralph D. Winter


[Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread aurfalien
Hi all,

I am using OpenLDAP and have over ~800 users in its DB.

I would like to simply use Samba as a file server, no PDC.

I have been able to export my LDAP DB to a file containing hashes of users'
passwords.

Is there a way I can import this file to smbpasswd or other file that Samba
understands so that my 800 some odd users won't have to re-register their
passwords?

I would really love to avoid having 800 annoyed users retyping their passwords
for accessing shares.

I have them currently authenticating on Windows via an LDAP client (pGina).

- aurf


Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread Gaiseric Vandal
Presumably with the PGINA/LDAP solution, the hash method is something
unix-compatible  (e.g. unix crypt+md5, or SSHA) that is hard to break
with a password cracking program? Are the LDAP transmissions done in
the clear?  If so, you could sniff the traffic and capture the
passwords.   (You may not consider this ethical.)  Either way, if you
had a database of plain text passwords you could then create the NTLM
passwords for each user.

You could try configuring samba to permit plain text passwords for
authentication.  I think (but not sure) that you could then configure samba
to use pam authentication (the same way a unix login would.)  But you
would then need to configure all the Windows PCs to support plain text
passwords.

On 05/24/12 16:25, aurfalien wrote:
> Hi all,
>
> I am using OpenLDAP and have over ~800 users in its DB.
>
> I would like to simply use Samba as a file server, no PDC.
>
> I have been able to export my LDAP DB to a file containing hashes of users'
> passwords.
>
> Is there a way I can import this file to smbpasswd or other file that Samba
> understands so that my 800 some odd users won't have to re-register their
> passwords?
>
> I would really love to avoid having 800 annoyed users retyping their
> passwords for accessing shares.
>
> I have them currently authenticating on Windows via an LDAP client (pGina).
>
> - aurf



Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread aurfalien
Hi Gaiseric,

I tried w/o success in configuring Samba + PAM last night.

Do you know of any documentation that would help?

- aurf




Re: [Samba] exported LDAP DB file smbpasswd?

2012-05-24 Thread Gaiseric Vandal
Just what is in the documentation on samba.org.

Anything involving plain-text authentication seems to be discouraged.





[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Andrew Bartlett
The branch, master has been updated
   via  e33bf32 selftest: Run only the samba3 tests on builds without the AD DC
   via  9633ec0 WHATSNEW: Move to document changes for beta1
   via  abb2c7f s4-provision: Make s3fs the default way to install a new Samba4 DC
   via  22cd4bc s4-selftest: Always delete the user at the end of test_passwords.sh
  from  f52afa9 dlz_bind9: Make the talloc destructor static and return 0.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e33bf32ba3538032f95afbcd4b7e11c6ec6cb226
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 16:53:34 2012 +1000

selftest: Run only the samba3 tests on builds without the AD DC

Autobuild-User: Andrew Bartlett abart...@samba.org
Autobuild-Date: Thu May 24 11:51:40 CEST 2012 on sn-devel-104

commit 9633ec0c8605d6cfa43cc4a688f2ce9195f99bf1
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 16:30:00 2012 +1000

WHATSNEW: Move to document changes for beta1

This is not the beta1 release, but this is the preparation for such a
release.

Andrew Bartlett

commit abb2c7fef466f973a871661a3a96c75f8c3afc0d
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 14:56:27 2012 +1000

s4-provision: Make s3fs the default way to install a new Samba4 DC

With s3fs now well settled into master, we now throw the switch and make
it the default.

There is still much to do, but we need to be using s3fs by default to
find out exactly what that is.

Andrew Bartlett

commit 22cd4bcc9e8367c6871512f4c96033c7836e2c41
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 13:37:09 2012 +1000

s4-selftest: Always delete the user at the end of test_passwords.sh

If this test is run in the dc environment (rather than dc:local) it
would not delete the test user.

Andrew Bartlett

---

Summary of changes:
 WHATSNEW.txt |  108 --
 selftest/target/Samba4.pm|1 +
 selftest/wscript |7 ++-
 source4/setup/provision  |4 +-
 testprogs/blackbox/test_passwords.sh |2 +-
 5 files changed, 61 insertions(+), 61 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8798a87..41e6055 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,4 @@
-What's new in Samba 4 alpha20
+What's new in Samba 4 beta1
 =
 
 Samba 4.0 will be the next version of the Samba suite and incorporates
@@ -7,48 +7,36 @@ stable 3.x series. The primary additional features over Samba 
3.6 are
 support for the Active Directory logon protocols used by Windows 2000
 and above.
 
-SECURITY RELEASE
-
-
-This is a security release in order to address CVE-2012-2111
-(Incorrect permission checks when granting/removing privileges can
-compromise file server security).
-
-o  CVE-2012-2111:
-   Samba 3.4.x to 3.6.4 are affected by a
-   vulnerability that allows arbitrary users
-   to modify privileges on a file server.
-
-This is in regards to the smbd file server, which is shipped in Samba
-4.0 alpha.  The AD DC is not directly impacted, as the LSA
-implementation differs.
 
 WARNINGS
 
 
-Samba4 alpha20 is not a final Samba release, however we are now making
+Samba4 beta1 is not a final Samba release, however we are now making
 good progress towards a Samba 4.0 release, of which this is a preview.
-Be aware the this release contains both the technology of Samba 3.6
-(that you can reasonably expect to upgrade existing Samba 3.x releases
-to) and the AD domain controller work previously known as 'samba4'.
-
-While binaries for the stable file server are provided in this
-release, for a stable, supported file server, Samba3 domain or AD
-domain member installation, please run a Samba 3.x release, as we are
-still bedding down the new single build system.
+Be aware the this release contains the best of all of Samba's
+technology parts, both a file server (that you can reasonably expect
+to upgrade existing Samba 3.x releases to) and the AD domain
+controller work previously known as 'samba4'.
 
 Samba4 is subjected to an awesome battery of tests on an automated
 basis, we have found Samba 4.0 to be very stable in it's behavior.
 However, we still recommend against upgrading production servers from
 Samba 3.x release to Samba 4.0 alpha at this stage.
 
+In particular note that the new default configuration 's3fs' may have
+different stability characteristics compared with our previous default
+file server.  We are making this release so that we can find and fix
+any of these issues that arise in the real world.  AD DC installations
+can provision with --use-ntvfs to obtain the previous default file
+server.
+
 If you are 
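
Review bot: the WARNINGS text is only partly moved to beta1. The unchanged context line "Samba 3.x release to Samba 4.0 alpha at this stage" still says alpha, and the rewritten paragraph carries over the typo "Be aware the this release"; both are worth fixing in this commit ("Samba 4.0 beta" and "Be aware that this release"). The hunk also deletes the CVE-2012-2111 notice outright, although the removed text says the affected smbd file server ships in Samba 4.0 alpha, so the commit message should say why the notice no longer applies to beta1, or the fix should stay listed among the changes.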

[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Stefan Metzmacher
The branch, master has been updated
   via  a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()
   via  758d612 s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()
   via  a92f717 s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'
   via  0733183 s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1
   via  768004b s3:smbd/files: fix error path and correctly cleanup
  from  e33bf32 selftest: Run only the samba3 tests on builds without the AD DC

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a95b2ba043ce843149fef4821cc25823c53cf994
Author: Stefan Metzmacher me...@samba.org
Date:   Wed May 23 13:22:47 2012 +0200

s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Thu May 24 16:14:01 CEST 2012 on sn-devel-104

commit 758d61201f7b51da6ce74aee2d18c5125d72522e
Author: Stefan Metzmacher me...@samba.org
Date:   Wed May 23 13:09:40 2012 +0200

s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()

Note the DCERPC code should not be smb2 specific!

I wonder why this is at all smb2 specific...

metze

commit a92f7176bd7f198a547952142b7d361a9b4e9146
Author: Stefan Metzmacher me...@samba.org
Date:   Wed May 23 13:06:55 2012 +0200

s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'

metze

commit 0733183594dbd3ce07ddaf9e1fcf8102b80fc605
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 10:43:56 2012 +0200

s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1

For faked connection_structs we do not need valid fnum values,
e.g. in the dfs and printing code.

metze

commit 768004b11d396edfafaee90c7c710722376ff2e6
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 11:22:11 2012 +0200

s3:smbd/files: fix error path and correctly cleanup

metze

---

Summary of changes:
 source3/modules/vfs_default.c |4 +-
 source3/printing/nt_printing.c|   15 +-
 source3/rpc_server/dfs/srv_dfs_nt.c   |   11 +++--
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c |   10 +++-
 source3/smbd/filename.c   |2 +
 source3/smbd/files.c  |   76 +---
 source3/smbd/msdfs.c  |   55 +++--
 source3/smbd/proto.h  |   16 +++---
 source3/smbd/trans2.c |1 +
 9 files changed, 128 insertions(+), 62 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 887dbcb..8908508 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -22,6 +22,7 @@
 #include system/time.h
 #include system/filesys.h
 #include smbd/smbd.h
+#include smbd/globals.h
 #include ntioctl.h
 #include smbprofile.h
 #include ../libcli/security/security.h
@@ -209,7 +210,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct 
vfs_handle_struct *handle,
}
 
/* The following call can change cwd. */
-   status = get_referred_path(r, pathnamep, handle-conn-sconn,
+   status = get_referred_path(r, pathnamep,
+  !handle-conn-sconn-using_smb2,
   junction, consumedcnt, self_referral);
if (!NT_STATUS_IS_OK(status)) {
vfs_ChDir(handle-conn, handle-conn-connectpath);
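Review bot: In the get_referred_path() call the new third argument is a negated using_smb2 expression passed inline, so nothing at the call site says that it is the allow_broken_path flag or why SMB1 connections get the lenient path handling. Suggest a named local (bool allow_broken_path) with a one-line comment. That would also give the "why is this smb2 specific" question from the commit message a place to be answered.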
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 96947f1..f52b6ae 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -616,7 +616,10 @@ static uint32 get_correct_cversion(struct 
auth_session_info *session_info,
return -1;
}
 
-   nt_status = create_conn_struct(talloc_tos(), smbd_server_conn, conn,
+   nt_status = create_conn_struct(talloc_tos(),
+  server_event_context(),
+  server_messaging_context(),
+  conn,
   printdollar_snum,
   lp_pathname(printdollar_snum),
   session_info, oldcwd);
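Review bot: The create_conn_struct() call in get_correct_cversion() now spells out server_event_context() and server_messaging_context() by hand, and the next hunk repeats the same two arguments in move_driver_to_download_area(). Neither return value is checked before it is passed on. If create_conn_struct() does not tolerate NULL contexts, add a check, or a small wrapper for these internal callers so the call sites cannot drift apart.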
@@ -1000,7 +1003,10 @@ WERROR move_driver_to_download_area(struct 
auth_session_info *session_info,
return WERR_NO_SUCH_SHARE;
}
 
-   nt_status = create_conn_struct(talloc_tos(), smbd_server_conn, conn,
+   nt_status = create_conn_struct(talloc_tos(),
+  server_event_context(),
+  server_messaging_context(),
+  conn,
   

[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Alexander Bokovoy
The branch, master has been updated
   via  b452fb3 waf: for MIT krb5 build require kerberos version above 1.9
   via  72029d5 s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
   via  838435ab3 s4/scripting: in MIT build do not install samba-tool, it is not usable yet
   via  ca2b625 s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache
   via  dc3f74a auth/credentials: 'workgroup' set via command line will not drop existing ccache
  from  a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b452fb30f79c5effa508b891bcb453de8f452286
Author: Alexander Bokovoy a...@samba.org
Date:   Thu May 24 16:28:31 2012 +0300

waf: for MIT krb5 build require kerberos version above 1.9

MIT krb5 implementation provides sufficient support for features
used in Samba 4 starting with 1.9. Require version above when using
system MIT krb5 build.

Autobuild-User: Alexander Bokovoy a...@samba.org
Autobuild-Date: Thu May 24 18:15:36 CEST 2012 on sn-devel-104

commit 72029d5547766787afb0a76c3959d1820388e28e
Author: Alexander Bokovoy a...@samba.org
Date:   Thu May 24 15:38:41 2012 +0300

s3-smbldap: Add API for external callback to perform LDAP bind in smbldap

In order to support other bind methods, introduce a generic bind callback.
When smbldap_state.bind_callback is set, it means there is an alternative
way to perform LDAP bind to ldap_simple_bind_s() so call it instead.
The call is wrapped in become_root()/unbecome_root() to allow proper permissions
in smbd to access needed resources in the callback, for example, credential caches.
When run outside smbd, become_root()/unbecome_root() are no-op.

The API expectation is similar to ldap_simple_bind_s().

A caller of smbldap API can pass additional information to the callback by setting
smbldap_state.bind_callback_data pointer.

Both callback and the data pointer elements of smbldap_state structure get
cleaned up if someone sets proper credentials on smbldap_state with
smbldap_set_creds() so if you are interested in using smbldap_state.bind_dn
with the callback, make sure to set callback after credentials are set.

commit 838435ab30c03e5db7eb1e80f486528231dffdfc
Author: Alexander Bokovoy a...@samba.org
Date:   Thu May 24 15:24:12 2012 +0300

s4/scripting: in MIT build do not install samba-tool, it is not usable yet

commit ca2b6259b7f0787eb372b56076e63413f530ec12
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 13:36:20 2012 +1000

s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache

This shows that a username/password on the command line must always
override any credentials cache in the environment.

Andrew Bartlett

commit dc3f74a953de0fcf9b3f693efe2ba8dea7b93da9
Author: Alexander Bokovoy a...@samba.org
Date:   Thu May 24 15:17:40 2012 +0300

auth/credentials: 'workgroup' set via command line will not drop existing ccache

The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

The commit also reverts previous fix now that root cause is clear.

---

Summary of changes:
 auth/credentials/credentials.c   |6 +-
 auth/credentials/credentials_krb5.c  |   14 ++
 source3/include/smbldap.h|2 ++
 source3/lib/smbldap.c|   20 +++-
 source4/scripting/bin/wscript_build  |4 +---
 source4/scripting/wscript_build  |7 +++
 testprogs/blackbox/test_kinit.sh |1 -
 testprogs/blackbox/test_passwords.sh |8 
 wscript_configure_system_mitkrb5 |9 -
 9 files changed, 48 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3eaccde..05f0a62 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct 
cli_credentials *cred,
 * calculations */
cred-domain = strupper_talloc(cred, val);
cred-domain_obtained = obtained;
-   cli_credentials_invalidate_ccache(cred, cred-domain_obtained);
+   /* setting domain does not mean we have to invalidate ccache 
+* because domain in not used for 
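Review bot: The comment added in cli_credentials_set_domain() has a typo, "because domain in not used", which should be "is not used". Since this hunk removes the ccache invalidation from this setter, the comment should also state what invalidation does depend on (the commit message says a password given with -U forces it), so a reader can tell that a cached ticket is not silently kept for a different identity.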

[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Stefan Metzmacher
The branch, master has been updated
   via  b5e9ece s3:smbd: remove global 'smbd_server_conn' !!!
   via  288a75d s3:smbd: only call file_init_global() in the parent smbd
   via  9e45885 s3:smbd/files: split file_init_global() out of file_init()
   via  48e62f2 s3:smbd: remove unused var in smbXsrv_connection_init_tables()
   via  0beede3 s4:smb_server/smb: fix talloc_free() bug
  from  b452fb3 waf: for MIT krb5 build require kerberos version above 1.9

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b5e9ece1f3936d2221480169713042019e34a276
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 13:46:11 2012 +0200

s3:smbd: remove global 'smbd_server_conn' !!!

For now we still use a global 'global_smbXsrv_connection'
in order to pass the connection state to exit_server*().

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Thu May 24 20:07:20 CEST 2012 on sn-devel-104

commit 288a75d8dc4b17c92da22e0e04f622c593bd5df7
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 12:26:46 2012 +0200

s3:smbd: only call file_init_global() in the parent smbd

metze

commit 9e45885fcc54fa16e947b5b6370f171c2c7bfaf2
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 12:20:30 2012 +0200

s3:smbd/files: split file_init_global() out of file_init()

metze

commit 48e62f2d46a39b09ac0bcad84493b12381bb5a05
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 12:41:20 2012 +0200

s3:smbd: remove unused var in smbXsrv_connection_init_tables()

metze

commit 0beede33a7034d63912bed301e3e7340f8d2ea86
Author: Stefan Metzmacher me...@samba.org
Date:   Thu May 24 11:57:02 2012 +0200

s4:smb_server/smb: fix talloc_free() bug

ERROR: talloc_free with references at ../source4/smb_server/smb/receive.c:637
reference at ../source4/ntvfs/posix/pvfs_wait.c:86

metze

---

Summary of changes:
 source3/smbd/files.c |   47 +++-
 source3/smbd/globals.c   |   11 +---
 source3/smbd/globals.h   |2 +-
 source3/smbd/process.c   |   55 -
 source3/smbd/proto.h |5 +++-
 source3/smbd/server.c|   33 ++
 source3/smbd/server_exit.c   |   10 +-
 source4/smb_server/smb/receive.c |2 +-
 8 files changed, 105 insertions(+), 60 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index ae34006..fcdd740 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -189,38 +189,59 @@ void file_close_pid(struct smbd_server_connection *sconn, 
uint16 smbpid,
  Initialise file structures.
 /
 
-bool file_init(struct smbd_server_connection *sconn)
+static int files_max_open_fds;
+
+bool file_init_global(void)
 {
-   int request_max_open_files = lp_max_open_files();
+   int request_max = lp_max_open_files();
int real_lim;
+   int real_max;
+
+   if (files_max_open_fds != 0) {
+   return true;
+   }
 
/*
 * Set the max_open files to be the requested
 * max plus a fudgefactor to allow for the extra
 * fd's we need such as log files etc...
 */
-   real_lim = set_maxfiles(request_max_open_files + MAX_OPEN_FUDGEFACTOR);
+   real_lim = set_maxfiles(request_max + MAX_OPEN_FUDGEFACTOR);
 
-   sconn-real_max_open_files = real_lim - MAX_OPEN_FUDGEFACTOR;
+   real_max = real_lim - MAX_OPEN_FUDGEFACTOR;
 
-   if (sconn-real_max_open_files + FILE_HANDLE_OFFSET + MAX_OPEN_PIPES
-65536)
-   sconn-real_max_open_files =
-   65536 - FILE_HANDLE_OFFSET - MAX_OPEN_PIPES;
+   if (real_max + FILE_HANDLE_OFFSET + MAX_OPEN_PIPES  65536) {
+   real_max = 65536 - FILE_HANDLE_OFFSET - MAX_OPEN_PIPES;
+   }
 
-   if(sconn-real_max_open_files != request_max_open_files) {
-   DEBUG(1, (file_init: Information only: requested %d 
+   if (real_max != request_max) {
+   DEBUG(1, (file_init_global: Information only: requested %d 
  open files, %d are available.\n,
- request_max_open_files, sconn-real_max_open_files));
+ request_max, real_max));
}
 
-   SMB_ASSERT(sconn-real_max_open_files  100);
+   SMB_ASSERT(real_max  100);
 
-   sconn-file_bmap = bitmap_talloc(sconn, sconn-real_max_open_files);
+   files_max_open_fds = real_max;
+   return true;
+}
 
+bool file_init(struct smbd_server_connection *sconn)
+{
+   bool ok;
+
+   ok = file_init_global();
+   if (!ok) {
+  
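Review bot: file_init_global() returns true on every path visible in this hunk, so its bool return type and the new ok check in file_init() can never fail. Either make it void, or turn the SMB_ASSERT on real_max into a logged "return false" so the caller's error path means something. The files_max_open_fds != 0 guard also deserves a short comment saying it is the already-initialised marker and that the value is expected to be set once, in the parent smbd.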

[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Stefan Metzmacher
The branch, master has been updated
   via  64ddb66 s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state
   via  074991c s3-passdb: Fix negative SID-uid/gid/both cache handling
  from  b5e9ece s3:smbd: remove global 'smbd_server_conn' !!!

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 64ddb668843554725eb7cddc862c8e906f1bbe63
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Dec 12 13:50:04 2011 +0100

s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Fri May 25 00:23:53 CEST 2012 on sn-devel-104

commit 074991cefe2b8bb58de869e099379e182fab28b7
Author: Ira Cooper i...@samba.org
Date:   Wed May 23 21:42:26 2012 -0400

s3-passdb: Fix negative SID-uid/gid/both cache handling

-1 uid/gid/both signals a non existent uid/gid/both.

Signed-off-by: Stefan Metzmacher me...@samba.org

---

Summary of changes:
 source3/passdb/lookup_sid.c |   14 ++
 source3/smbd/signing.c  |4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 4ceba3c..3f8b06d 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1347,6 +1347,20 @@ bool sids_to_unixids(const struct dom_sid *sids, 
uint32_t num_sids,
}
}
 done:
+   for (i=0; inum_sids; i++) {
+   switch(ids[i].type) {
+   case WBC_ID_TYPE_GID:
+   case WBC_ID_TYPE_UID:
+   case WBC_ID_TYPE_BOTH:
+   if (ids[i].id == -1) {
+   ids[i].type = ID_TYPE_NOT_SPECIFIED;
+   }
+   break;
+   case WBC_ID_TYPE_NOT_SPECIFIED:
+   break;
+   }
+   }
+
ret = true;
 fail:
TALLOC_FREE(wbc_ids);
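Review bot: In the loop added after the done: label, the switch cases use the WBC_ID_TYPE_* names but the assignment inside writes ID_TYPE_NOT_SPECIFIED, mixing two enum namespaces on the same ids[i].type field. Use the constant that matches the declared type of that field, so the code does not depend on the two enums sharing values. The ids[i].id == -1 test should likewise be written against the id field's actual type (a cast or a named constant), so a signed/unsigned mismatch cannot hide the sentinel.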
diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c
index 8e4c50f..f4a8d2a 100644
--- a/source3/smbd/signing.c
+++ b/source3/smbd/signing.c
@@ -186,7 +186,7 @@ bool srv_init_signing(struct smbd_server_connection *conn)
struct smbd_shm_signing *s;
 
/* setup the signing state in shared memory */
-   s = talloc_zero(server_event_context(), struct 
smbd_shm_signing);
+   s = talloc_zero(conn, struct smbd_shm_signing);
if (s == NULL) {
return false;
}
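Review bot: The comment directly above the changed talloc_zero() still reads "setup the signing state in shared memory", but the allocation is an ordinary talloc child, now of conn. Reword the comment so it is clear which object lives in shared memory and which one is freed together with the connection.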
@@ -208,7 +208,7 @@ bool srv_init_signing(struct smbd_server_connection *conn)
return true;
}
 
-   conn-smb1.signing_state = smb_signing_init(server_event_context(),
+   conn-smb1.signing_state = smb_signing_init(conn,
allowed, desired, 
mandatory);
if (!conn-smb1.signing_state) {
return false;
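Review bot: The smb_signing_init() call now parents the SMB1 signing state on conn, which ties its lifetime to the connection, but the commit message gives no reason for the change. Please state in the message or in a comment that the state is meant to be freed with the connection, and confirm that nothing keeps a pointer to it past that point.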


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2012-05-24 Thread Andrew Bartlett
The branch, master has been updated
   via  eec4f80 move VERSION to alpha22
   via  9ccbe16 WHATSNEW: update for alpha21, and mark as release
   via  7891ad4 wintest: s3fs is now the default in provision
   via  1876d63 doc: Explain our build systems for Samba 4.0
  from  64ddb66 s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit eec4f80d613c2c725194a23d208d51a616c3156e
Author: Andrew Bartlett abart...@samba.org
Date:   Fri May 25 10:20:46 2012 +1000

move VERSION to alpha22

We will change this to beta once we both fix the VERSION parsing scripts
and we agree that the next release will indeed be the beta.

Andrew Bartlett

Autobuild-User: Andrew Bartlett abart...@samba.org
Autobuild-Date: Fri May 25 04:19:30 CEST 2012 on sn-devel-104

commit 9ccbe1660c466f6c45f6b61a32f6ec5813ccf380
Author: Andrew Bartlett abart...@samba.org
Date:   Fri May 25 10:17:34 2012 +1000

WHATSNEW: update for alpha21, and mark as release

The plan has changed.  This will, we hope, be the last alpha.

Andrew Bartlett

commit 7891ad478b46d756a6ff402f62bd529f5520434f
Author: Andrew Bartlett abart...@samba.org
Date:   Fri May 25 08:52:47 2012 +1000

wintest: s3fs is now the default in provision

commit 1876d63083e3c4c9a4f6112cca423dcf9b00acfe
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 24 20:31:37 2012 +1000

doc: Explain our build systems for Samba 4.0

---

Summary of changes:
 BUILD_SYSTEMS.txt|   97 ++
 VERSION  |2 +-
 WHATSNEW.txt |   16 
 wintest/test-s4-howto.py |3 +-
 4 files changed, 107 insertions(+), 11 deletions(-)
 create mode 100644 BUILD_SYSTEMS.txt


Changeset truncated at 500 lines:

diff --git a/BUILD_SYSTEMS.txt b/BUILD_SYSTEMS.txt
new file mode 100644
index 000..2aff56d
--- /dev/null
+++ b/BUILD_SYSTEMS.txt
@@ -0,0 +1,97 @@
+BUILDING SAMBA 4.0
+(which build system to use and why)
+===
+
+The waf build
+-
+
+Samba 4.0 ships with a new build system, based on waf.  A background to
+this build system can be found at https://wiki.samba.org/index.php/Waf
+
+This is the build system that is used when you run ./configure  make
+in the top level of a Samba 4.0 release tree.
+
+For the vast majority of our users, this is the build system you should
+use.  It supports parallel and incremental builds, and builds the whole
+Samba suite, the file server, the print server, the NT4 domain
+controller, winbind, the AD Domain Controller, the client libraries and
+the python libraries.  
+
+A key feature for many of our distributors and OEMs is that despite the
+range of additional features, the resulting binaries and libraries are
+substantially smaller, because we use shared libraries extensively. 
+
+For distributions that have a requirement to use the system-supplied
+Kerberos library, we support building against a Heimdal or system MIT
+Kerberos library, provided the version is recent enough (otherwise we
+will use our internal version of Heimdal).  Please note that builds
+with MIT krb5 support will not have AD DC features.
+
+By the time of the first release candidate, we will finish renaming
+the binaries that we ship so that where we provide a tool under a name
+that was used in Samba 3.x, it continues to behave in the same way it
+always has.  This will ensure that our change in build system does not
+impact on our user's ability to use Samba as they always have.
+
+For developers, this build system backs a comprehensive 'make test',
+which provides code coverage of around 48% of our code by line:
+https://build.samba.org/lcov/data/coverage/samba_4_0_test/
+
+This build system also implements important features such as ABI
+checking (which protects you as users from accidental changes to our
+published libraries), symbol versions and dependency checked incremental
+rebuilds after header-file changes. 
+
+The waf build also assists developers by providing fully-linked binaries
+that run from bin/ without needing to set LD_LIBRARY_PATH. 
+
+For users who do not have python installed on their systems, we provide
+a install_with_python.sh script, which will install a local copy of
+python sufficient to run the build system, without impacting on the rest
+of the system.  
+
+Within this requirement, we expect that this build will run on all our
+supported platforms, and will actively deal with any portability issues
+that users can bring to our attention. 
+
+For all these reasons, we highly recommend this new build system to all
+our users, for whatever purpose you want to put Samba to.
+
+The autoconf build
+--
+
+For a small number 
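Review bot: The line that tells users how to invoke the build reads "./configure  make" in this text, with nothing between the two commands; it should show the exact command line users are meant to type. Smaller wording points in the same file: "a install_with_python.sh script" should be "an", and "our user's ability" should be "our users' ability". The 48% coverage figure will go stale, so pointing only at the lcov URL may age better.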

[SCM] CTDB repository - branch 1.13 updated - ctdb-1.43-5-gc8886ad

2012-05-24 Thread Ronnie Sahlberg
The branch, 1.13 has been updated
   via  c8886ad41c80c45619d5eb6e2f95d652b171ca1e (commit)
   via  ea073ef2f73343247e653c7c39f2e0f5e34a0c39 (commit)
  from  b8260448c192c3866bffb99b475a4b3de57f38b3 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.13


- Log -
commit c8886ad41c80c45619d5eb6e2f95d652b171ca1e
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Fri May 25 12:31:11 2012 +1000

RECOVERY: Increase the time we allow before timing out recovery related tasks.

If the system is temporarily taking unusually long to perform these tasks it is better to wait a lot longer and allow the tasks to complete than timing out repeatedly and then becoming banned.

commit ea073ef2f73343247e653c7c39f2e0f5e34a0c39
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Fri May 25 12:27:59 2012 +1000

RECOVER: When we pull databases during recovery, we used to reallocate the databuffer for each entry added. This would normally not be an issue, but for cases where memory is fragmented, this could start to cost significant cpu if we need to reallocate and move to a different region.

Change this to instead preallocate, by default, 10MByte chunks to the data buffer.
This significantly reduces the number of potential reallocate and move operations that may be required.

Create a tunable to override/change how much preallocation should be used.

---

Summary of changes:
 include/ctdb_private.h |1 +
 server/ctdb_recover.c  |7 ++-
 server/ctdb_recoverd.c |7 ++-
 server/ctdb_tunables.c |5 +++--
 4 files changed, 16 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/include/ctdb_private.h b/include/ctdb_private.h
index 0f494b4..7c3fdf0 100644
--- a/include/ctdb_private.h
+++ b/include/ctdb_private.h
@@ -134,6 +134,7 @@ struct ctdb_tunable {
uint32_t db_record_count_warn;
uint32_t db_record_size_warn;
uint32_t db_size_warn;
+   uint32_t pulldb_preallocation_size;
 };
 
 /*
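Review bot: The new pulldb_preallocation_size field in struct ctdb_tunable carries no comment giving its unit or default. The commit message speaks of 10MByte chunks, so say here that the value is in bytes, and make sure the tunable is described wherever the other tunables are documented.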
diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c
index 05f72f9..e54312f 100644
--- a/server/ctdb_recover.c
+++ b/server/ctdb_recover.c
@@ -348,6 +348,7 @@ struct pulldb_data {
struct ctdb_db_context *ctdb_db;
struct ctdb_marshall_buffer *pulldata;
uint32_t len;
+   uint32_t allocated_len;
bool failed;
 };
 
@@ -364,7 +365,10 @@ static int traverse_pulldb(struct tdb_context *tdb, 
TDB_DATA key, TDB_DATA data,
params-failed = true;
return -1;
}
-   params-pulldata = talloc_realloc_size(NULL, params-pulldata, 
rec-length + params-len);
+   if (params-len + rec-length = params-allocated_len) {
+   params-allocated_len = rec-length + params-len + 
ctdb-tunable.pulldb_preallocation_size;
+   params-pulldata = talloc_realloc_size(NULL, params-pulldata, 
params-allocated_len);
+   }
if (params-pulldata == NULL) {
DEBUG(DEBUG_CRIT,(__location__  Failed to expand pulldb_data 
to %u\n, rec-length + params-len));
ctdb_fatal(params-ctdb, failed to allocate memory for 
recovery. shutting down\n);
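Review bot: In traverse_pulldb() the new allocated_len is computed as rec->length + params->len + pulldb_preallocation_size in uint32_t with no check that the sum does not wrap. With a large database or a large tunable value, the buffer could end up reallocated smaller than the data written into it. Suggest checking the additions before calling talloc_realloc_size() and failing the traverse (params->failed = true) on overflow. The failure DEBUG below also prints rec->length + params->len rather than the allocated_len that was actually requested.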
@@ -414,6 +418,7 @@ int32_t ctdb_control_pull_db(struct ctdb_context *ctdb, 
TDB_DATA indata, TDB_DAT
params.ctdb_db = ctdb_db;
params.pulldata = reply;
params.len = offsetof(struct ctdb_marshall_buffer, data);
+   params.allocated_len = params.len;
params.failed = false;
 
if (ctdb_db-unhealthy_reason) {
diff --git a/server/ctdb_recoverd.c b/server/ctdb_recoverd.c
index f739900..b380746 100644
--- a/server/ctdb_recoverd.c
+++ b/server/ctdb_recoverd.c
@@ -1178,6 +1178,7 @@ struct recdb_data {
struct ctdb_context *ctdb;
struct ctdb_marshall_buffer *recdata;
uint32_t len;
+   uint32_t allocated_len;
bool failed;
bool persistent;
 };
@@ -1206,7 +1207,10 @@ static int traverse_recdb(struct tdb_context *tdb, 
TDB_DATA key, TDB_DATA data,
params-failed = true;
return -1;
}
-   params-recdata = talloc_realloc_size(NULL, params-recdata, 
rec-length + params-len);
+   if (params-len + rec-length = params-allocated_len) {
+   params-allocated_len = rec-length + params-len + 
params-ctdb-tunable.pulldb_preallocation_size;
+   params-recdata = talloc_realloc_size(NULL, params-recdata, 
params-allocated_len);
+   }
if (params-recdata == NULL) {
DEBUG(DEBUG_CRIT,(__location__  Failed to expand recdata to %u 
(%u records)\n, 
 rec-length + params-len, params-recdata-count));
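Review bot: In traverse_recdb() the params->recdata == NULL branch that follows the new realloc logs params->recdata->count, which dereferences the pointer that was just found to be NULL. Since this hunk touches the allocation, fix the message to take the count from a value saved before the realloc. Assigning the result of talloc_realloc_size() straight back to params->recdata also loses the old buffer on failure; use a temporary.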
@@ -1245,6 +1249,7 @@ static int push_recdb_database(struct ctdb_context *ctdb, 
uint32_t dbid,
params.ctdb = ctdb;
params.recdata = recdata;

[SCM] CTDB repository - branch master updated - ctdb-1.13-183-g03fa2a5

2012-05-24 Thread Ronnie Sahlberg
The branch, master has been updated
   via  03fa2a517247eb2adfba67248e2466f17ea14418 (commit)
   via  1f262deaad0818f159f9c68330f7fec121679023 (commit)
  from  6cf6a9b071bd8dd730717ca07ff73bf247bb (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master


- Log -
commit 03fa2a517247eb2adfba67248e2466f17ea14418
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Fri May 25 12:31:11 2012 +1000

RECOVERY: Increase the time we allow before timing out recovery related tasks.

If the system is temporarily taking unusually long to perform these tasks it is better to wait a lot longer and allow the tasks to complete than timing out repeatedly and then becoming banned.

commit 1f262deaad0818f159f9c68330f7fec121679023
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Fri May 25 12:27:59 2012 +1000

RECOVER: When we pull databases during recovery, we used to reallocate the databuffer for each entry added. This would normally not be an issue, but for cases where memory is fragmented, this could start to cost significant cpu if we need to reallocate and move to a different region.

Change this to instead preallocate, by default, 10MByte chunks to the data buffer.
This significantly reduces the number of potential reallocate and move operations that may be required.

Create a tunable to override/change how much preallocation should be used.

---

Summary of changes:
 include/ctdb_private.h |1 +
 server/ctdb_recover.c  |7 ++-
 server/ctdb_recoverd.c |7 ++-
 server/ctdb_tunables.c |5 +++--
 4 files changed, 16 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/include/ctdb_private.h b/include/ctdb_private.h
index 0f494b4..7c3fdf0 100644
--- a/include/ctdb_private.h
+++ b/include/ctdb_private.h
@@ -134,6 +134,7 @@ struct ctdb_tunable {
uint32_t db_record_count_warn;
uint32_t db_record_size_warn;
uint32_t db_size_warn;
+   uint32_t pulldb_preallocation_size;
 };
 
 /*
diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c
index 05f72f9..e54312f 100644
--- a/server/ctdb_recover.c
+++ b/server/ctdb_recover.c
@@ -348,6 +348,7 @@ struct pulldb_data {
struct ctdb_db_context *ctdb_db;
struct ctdb_marshall_buffer *pulldata;
uint32_t len;
+   uint32_t allocated_len;
bool failed;
 };
 
@@ -364,7 +365,10 @@ static int traverse_pulldb(struct tdb_context *tdb, 
TDB_DATA key, TDB_DATA data,
params-failed = true;
return -1;
}
-   params-pulldata = talloc_realloc_size(NULL, params-pulldata, 
rec-length + params-len);
+   if (params-len + rec-length = params-allocated_len) {
+   params-allocated_len = rec-length + params-len + 
ctdb-tunable.pulldb_preallocation_size;
+   params-pulldata = talloc_realloc_size(NULL, params-pulldata, 
params-allocated_len);
+   }
if (params-pulldata == NULL) {
DEBUG(DEBUG_CRIT,(__location__  Failed to expand pulldb_data 
to %u\n, rec-length + params-len));
ctdb_fatal(params-ctdb, failed to allocate memory for 
recovery. shutting down\n);
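Review bot: The block added in traverse_pulldb() reads the tunable through a bare ctdb pointer, while the unchanged ctdb_fatal() call a few lines below and the matching block in traverse_recdb() both go through params->ctdb. Use params->ctdb->tunable here as well, so the function does not depend on a second route to the same context.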
@@ -414,6 +418,7 @@ int32_t ctdb_control_pull_db(struct ctdb_context *ctdb, 
TDB_DATA indata, TDB_DAT
params.ctdb_db = ctdb_db;
params.pulldata = reply;
params.len = offsetof(struct ctdb_marshall_buffer, data);
+   params.allocated_len = params.len;
params.failed = false;
 
if (ctdb_db-unhealthy_reason) {
diff --git a/server/ctdb_recoverd.c b/server/ctdb_recoverd.c
index f739900..b380746 100644
--- a/server/ctdb_recoverd.c
+++ b/server/ctdb_recoverd.c
@@ -1178,6 +1178,7 @@ struct recdb_data {
struct ctdb_context *ctdb;
struct ctdb_marshall_buffer *recdata;
uint32_t len;
+   uint32_t allocated_len;
bool failed;
bool persistent;
 };
@@ -1206,7 +1207,10 @@ static int traverse_recdb(struct tdb_context *tdb, 
TDB_DATA key, TDB_DATA data,
params-failed = true;
return -1;
}
-   params-recdata = talloc_realloc_size(NULL, params-recdata, 
rec-length + params-len);
+   if (params-len + rec-length = params-allocated_len) {
+   params-allocated_len = rec-length + params-len + 
params-ctdb-tunable.pulldb_preallocation_size;
+   params-recdata = talloc_realloc_size(NULL, params-recdata, 
params-allocated_len);
+   }
if (params-recdata == NULL) {
DEBUG(DEBUG_CRIT,(__location__  Failed to expand recdata to %u 
(%u records)\n, 
 rec-length + params-len, params-recdata-count));
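Review bot: The grow-by-chunk logic added here in traverse_recdb() is a copy of the block added to traverse_pulldb() in ctdb_recover.c, differing only in the field name. A shared helper taking the buffer pointer, len and allocated_len would keep the two from diverging and give one place for an overflow check on the size arithmetic.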
@@ -1245,6 +1249,7 @@ static int push_recdb_database(struct ctdb_context *ctdb, 
uint32_t dbid,
params.ctdb = ctdb;
params.recdata = recdata;
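
The chunked preallocation described in the RECOVER commit message, as an added example that is not CTDB code: a buffer that grows by a fixed extra amount only when the next record does not fit, with the 32-bit size arithmetic checked for wrap-around. struct grow_buf, grow_buf_append(), count_reallocs(), append_rejects_wrap() and the 64-byte records are hypothetical names and constructed inputs, and plain realloc() stands in for talloc_realloc_size().

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the marshall buffer state kept in the patch. */
struct grow_buf {
	uint8_t *data;
	uint32_t len;           /* bytes in use */
	uint32_t allocated_len; /* bytes reserved */
	uint32_t prealloc;      /* extra bytes reserved on each growth */
	unsigned reallocs;      /* realloc() calls so far, for illustration */
};

/* Add two uint32_t values, refusing to wrap. */
static bool add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
	if (a > UINT32_MAX - b) {
		return false;
	}
	*out = a + b;
	return true;
}

/* Append one record; grow by (needed + prealloc) only when it does not fit. */
bool grow_buf_append(struct grow_buf *b, const void *rec, uint32_t rec_len)
{
	uint32_t needed, want;

	if (!add_u32(b->len, rec_len, &needed)) {
		return false; /* total size would exceed 32 bits */
	}
	if (needed > b->allocated_len) {
		uint8_t *p;

		/* If the extra chunk would wrap, fall back to the exact size. */
		if (!add_u32(needed, b->prealloc, &want)) {
			want = needed;
		}
		p = realloc(b->data, want);
		if (p == NULL) {
			return false; /* b->data is still valid and owned by b */
		}
		b->data = p;
		b->allocated_len = want;
		b->reallocs++;
	}
	if (rec_len > 0) {
		memcpy(b->data + b->len, rec, rec_len);
	}
	b->len = needed;
	return true;
}

/* Append nrec constructed records and report how many reallocs it took. */
unsigned count_reallocs(uint32_t prealloc, uint32_t nrec, uint32_t rec_len)
{
	struct grow_buf b = { NULL, 0, 0, prealloc, 0 };
	uint8_t rec[256] = { 0 }; /* constructed sample record */
	unsigned result;
	uint32_t i;

	if (rec_len > sizeof(rec)) {
		return UINT_MAX;
	}
	for (i = 0; i < nrec; i++) {
		if (!grow_buf_append(&b, rec, rec_len)) {
			free(b.data);
			return UINT_MAX;
		}
	}
	result = b.reallocs;
	free(b.data);
	return result;
}

/* A length close to UINT32_MAX must be rejected before memory is touched. */
bool append_rejects_wrap(void)
{
	struct grow_buf b = { NULL, UINT32_MAX - 4, UINT32_MAX - 4, 4096, 0 };
	uint8_t rec[8] = { 0 };

	return !grow_buf_append(&b, rec, sizeof(rec)) &&
	       b.len == UINT32_MAX - 4 && b.reallocs == 0;
}

int main(void)
{
	printf("no preallocation:   %u reallocs\n", count_reallocs(0, 1000, 64));
	printf("4096-byte prealloc: %u reallocs\n", count_reallocs(4096, 1000, 64));
	printf("wrap rejected:      %s\n", append_rejects_wrap() ? "yes" : "no");
	return 0;
}
```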

[SCM] Samba Shared Repository - annotated tag samba-4.0.0alpha21 created

2012-05-24 Thread Andrew Bartlett
The annotated tag, samba-4.0.0alpha21 has been created
at  881090d61f3d6ffe3fc6be0ee716affa3db5e21d (tag)
   tagging  9ccbe1660c466f6c45f6b61a32f6ec5813ccf380 (commit)
  replaces  samba-4.0.0alpha20
 tagged by  Andrew Bartlett
on  Fri May 25 14:53:57 2012 +1000

- Log -
samba4: tag release samba-4.0.0alpha21

Alejandro Escanero Blanco (1):
  s3:auth/server_info: the primary rid should be in the groups rid array (bug #8798)

Alexander Bokovoy (18):
  s4:ntvfs: add missing headers to vfs_ipc
  Avoid using Heimdal-specific tests in MIT build
  s4:torture: auth/pac.c: use Kerberos wrapper for krb5_keyblock_init
  s4:auth/kerberos: don't do tracing in MIT build
  lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
  dns: fix comments and make s4/libcli/resolve dns resolver working
  s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
  auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
  s4: samba-tool is usable without export-keytab command, make sure it does not break
  Introduce system MIT krb5 build with --with-system-mitkrb5 option.
  libcli/dns: make 'clidns' private library out of DNS code in WAF build
  wafsamba: ensure TO_LIST does not fail with empty string
  s3-autoconf: fix typo after migrating DNS resolver code to lib/addns
  blackbox: fix samba4.blackbox.kinit test
  auth/credentials: 'workgroup' set via command line will not drop existing ccache
  s4/scripting: in MIT build do not install samba-tool, it is not usable yet
  s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
  waf: for MIT krb5 build require kerberos version above 1.9

Alexander Werth (1):
  s3:vfs/gpfs: Have inherited deny ACE's show up in ACLs

Amitay Isaacs (4):
  s4-dns: Build BIND DLZ modules with correct private library
  samba-upgradedns: Use the correct magic incantation of sys.path.insert()
  dlz_bind9: Fix the named crash on reloading named
  dlz_bind9: Make the talloc destructor static and return 0.

Andreas Schneider (18):
  krb5samba: Add a smb_krb5_cc_get_lifetime() function.
  s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
  waf: Fix com_err detection with MIT krb5.
  doc: Fixes for the talloc context tutorial.
  doc: Fixes for the talloc stealing tutorial.
  doc: Fixes for the talloc dynamic type system tutorial.
  doc: Fixes for the talloc destructor tutorial.
  doc: Fixes for the talloc pool tutorial.
  doc: Fixes for the talloc debugging tutorial.
  doc: Fixes for the talloc best practices tutorial.
  talloc: Update doxygen config.
  s4-auth: Use smb_krb5_make_pac_checksum.
  krb5samba: Add smb_krb5_make_pac_checksum.
  s3-spoolss: Set DWORD values correctly.
  s3-auth: Don't lookup the system user in pdb.
  s3-auth: Rename to init_system_session_info().
  krb5samba: Add smb_gss_oid_equal wrapper.
  gse: Use the smb_gss_oid_equal wrapper.

Andrew Bartlett (78):
  move VERSION to alpha21
  s3-smbd: Use security_session_user_level() rather than nt_token_check_sid()
  selftest: Enable ACL testing against the s3dc environment
  selftest: attempt to test samba3hide in a different environment
  selftest: prepare to run smbtorture tests against plugin_s4_dc
  selftest: run plugin_s4_dc with 'acl_xattr xattr_tdb streams_depot' VFS modules
  selftest: Add hideunread share to plugin_s4_dc
  selftest: Use same pattern for path to share as Samba3.pm
  file_server: forward dssetup, but use embedded svcctl for s3fs
  file_server: use embedded eventlog server
  file_server: use embedded ntsvcs server
  file_server: Use the embedded winreg server
  file_server: use embedded srvsvc
  selftest: change knownfail to cope with running plugin_s4_dc as well
  selftest: add knownfail entries for plugin_s4_dc tests
  selftest: mark samba3.raw.acls.inheritance(plugin_s4_dc) as flapping
  selftest: mark samba3.raw.samba3checkfsp as flapping on plugin_s4_dc
  selftest: add hooks required for printing to Samba4.pm
  selftest: Do not start samba4 srvsvc in plugin_s4_dc mode
  selftest: Run smbtorture tests being run against s3dc against plugin_s4_dc as well
  selftest: run more raw.samba3 against secshare simple file server
  file_server: set 'store dos attributes = yes'
  s4-provision: set 'dcerpc endpoint servers' but not 'vfs objects'
  selftest: 'store dos attributes = yes' is now set in fileserver.conf
  testsuite/libsmbclient: Remove unused and expensive-to-link testsuite
  s4-provision: Fix --use-s3fs to parse