Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 23:25 -0700, Kyle Brantley wrote:
> On 1/21/2013 9:14 PM, Kyle Brantley wrote:
>> On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
>>> On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
>>>> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
>>>>> On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
>>>>>> Hello --
>>>>>>
>>>>>> I'm trying to run a samba4 server (note: Fedora packaged version, samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
>>>>>>
>>>>>> This is a summation of the config that I'm using (works under samba 3.6):
>>>>>>
>>>>>>     security = ADS
>>>>>>     passdb backend = tdbsam
>>>>>>     restrict anonymous = yes
>>>>>>     server signing = auto
>>>>>>     client signing = auto
>>>>>>     smb encrypt = auto
>>>>>>     realm = MYREALM.COM
>>>>>>     kerberos method = system keytab
>>>>>>
>>>>>> However, whenever I try to access the samba server, the client fails to connect. I can see that a ticket has been issued for cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
>>>>>>
>>>>>>     Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>>>     Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
>>>>>>     Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>>>     Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
>>>>>>     Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>>>     Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
>>>>>>
>>>>>> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
>>>>>>
>>>>>> Does anyone know what I need to be doing to get this working again?
>>>>>
>>>>> It is probably a bug in the reworked krb5 code.
>>>>>
>>>>> The code paths to support this are still there, but clearly something doesn't trigger correctly. The first thing to do would be to turn up the log level, to see what the real failure is (the mentioned message shouldn't actually be fatal).
>>>>>
>>>>> Then, once we rule out it being something else, it probably just needs a new test environment to be created in our 'make test' that tells our AD server to not send the PAC. This will allow this code path to be covered, and prevent regressions.
>>>>>
>>>>> Andrew Bartlett
>>>>
>>>> As far as I can tell, prior to accepting a connection:
>>>>
>>>> Full logs:
>>>> http://averageurl.com/samba/samba-log.gz
>>>> http://averageurl.com/samba/samba-strace-log.gz
>>>>
>>>> I've already changed the keys out, so I'm not too worried about what key data is actually in those logs.
>>>
>>> The logs were very helpful. The attached patch should fix it, or at least move the failure to somewhere else :-).
>>>
>>> Please file the bug, so we can get this into 4.0.2
>>>
>>> Andrew Bartlett
>>
>> Thanks. I've filed the bug (https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently rebuilding samba with the patch applied. I'll let you know how it goes...
>>
>> --Kyle
>
> That worked great. I've been able to enumerate the shares and connect to them now. I validated with wireshark that the kerberos authentication was occurring, and it looks like everything functions now thanks to your previously attached patch.

Metze,

Can you get this into master? I'll try and follow-up with a testcase (setting the UF_NO_AUTH_DATA_REQUIRED on an account and doing a kerberos login) soon, but this much needs to get to 4.0.2

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { + if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n, principal_string));
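Review bot: The flipped condition on the require_pac lookup inside the `if (!pac_blob)` block changes the default outcome of a security decision, and the patch adds no test for either setting. With the fallback value `false` in gensec_setting_bool(), a ticket without a PAC now skips the "failing to allow access" branch unless the administrator sets gensec:require_pac=true, which is what the commit message intends. Please add a selftest case for a PAC-less Kerberos login with the option unset, and a second one with require_pac=true that expects the ACCESS_DENIED result, so the sense of this test cannot silently invert again. It would also help to name the option in the documentation, so that sites which depend on the PAC know they have to enable it.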
[Samba] problem joining AD domain
Hi

I'm trying to make a Linux server (RHEL 5.3) join my company's ADS domain. The company's domain is built from several kerberos realms and Windows domain. The Linux FQDN resolves to the name of one of the kerberos realms we have, but I was asked to have the linux server join a different kerberos realm and windows Domain.

When I attempt to run the command 'net ads join -U [account] -w [domain]', I get the following error:

    Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.

I know it's possible because it was done in the company in the past (unfortunately) the sysadmin that did it no longer works here and no one else knows how to reproduce how he did it.

I know this email is scarce on helpful information. I simply don't know what information to supply (I have the output of join with -d 4 and -d 10 debug levels).

TIA
Paolo

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Mapping SIDUID (and reverse)
Hi

Further to my previous mail on this problem, I've found that when I connect to the Samba server from a Windows 7 PC, the log.winbindd-idmap file reports the following messages:

On opening the file share: \\fs01:

    [2013/01/21 11:18:42.474060, 1] winbindd/idmap.c:288(idmap_init_named_domain)
      no backend defined for idmap config CSS
    [2013/01/21 11:18:42.722730, 1] winbindd/idmap.c:288(idmap_init_named_domain)
      no backend defined for idmap config NT AUTHORITY
    [2013/01/21 11:18:42.726528, 1] winbindd/idmap.c:288(idmap_init_named_domain)
      no backend defined for idmap config AD
    [2013/01/21 11:18:42.736245, 1] winbindd/idmap.c:288(idmap_init_named_domain)
      no backend defined for idmap config CSS

(CSS and AD are both Active Directory domains in the same forest).

When I open the contents of the share and mouse-over a file, the following is logged:

    [2013/01/21 11:20:20.821208, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
      child daemon request 59
    [2013/01/21 11:20:20.823030, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
      pdb_getsampwnam (TDB): error fetching database. Key: USER_jsmith
    [2013/01/21 11:20:20.823250, 5] passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
      pdb_default_uid_to_sid: Did not find user jsmith (4510)
    [2013/01/21 11:20:21.279879, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
      Finished processing child request 59

The user jsmith is both a NIS Unix user and a Windows AD user in the CSS domain.

When I right-click on the file and select Properties, then select the Security tab, I see the list of ACLs listed by SID before they are resolved. In the above instance, the user jsmith SID is S-1-22-1-4510. A couple of seconds later this is resolved to Unix User\jsmith. I've checked that the 4510 in the SID is the same as the Unix UID stored in NIS.

If I open the properties of another file and add an ACL entry for user CSS\jsmith, the following is logged:

    [2013/01/22 11:17:27.030191, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
      child daemon request 59
    [2013/01/22 11:17:27.031587, 5] lib/username.c:171(Get_Pwnam_alloc)
      Finding user jsmith
    [2013/01/22 11:17:27.031765, 5] lib/username.c:116(Get_Pwnam_internals)
      Trying _Get_Pwnam(), username as lowercase is jsmith
    [2013/01/22 11:17:27.034069, 5] lib/username.c:149(Get_Pwnam_internals)
      Get_Pwnam_internals did find user [jsmith]!
    [2013/01/22 11:17:27.034825, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
      Finished processing child request 59

The entry appears in the file properties box correctly (as CSS\jsmith) and when I now open the properties of the original file, the file is now owned by CSS\jsmith and not Unix User\jsmith.

I would like it so that it always maps the Unix UID to the CSS domain SID. Is this possible? Please can someone advise what I'm doing wrong?

Thanks!!!
JR

This is the output of testparm:

    [global]
        workgroup = CSS
        realm = CSS.AD.COMPANYNAME.CO.UK
        server string = Samba %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/smbd.log
        max log size = 50
        max protocol = SMB2
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        template shell = /bin/bash
        idmap config * : range = 500-99
        idmap config * : backend = nss
        ea support = Yes
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        dfree command = /usr/local/bin/dfree

    [zfsshare]
        comment = ZFS share
        path = /testpool/samba
        read only = No
        inherit permissions = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        wide links = Yes
        vfs objects = shadow_copy2, streams_xattr, zfsacl
        zfsacl:acesort = dontcare
        nfs4:mode = special
        nfs4:chown = yes
        nfs4:acedup = merge
        shadow:format = GMT-%Y.%m.%d-%H.%M.%S
        shadow:snapdir = .zfs/snapshot
        shadow:basedir = /testpool/samba
[Samba] Use backends
Hi, Can I have two passdb backend in my smb.conf ? Thanks ! Rodrigo Faria
[Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
Hi,

I am still experimenting with Samba 4 and I'd like to serve both Windows and Linux clients with Samba (standalone AD server). The Windows-side is already working well. For serving Linux-clients I need to store the users' uidNumber and gidNumber in the Active Directory. This is how I do that:

1. Create a user test with samba-tool
2. Get the internal UID which was assigned to this user by Samba through wbinfo
3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN

With the correct nss_ldap setup (mainly attribute mappings) the Linux boxes can now get their passwd/shadow/group information directly from AD. The Linux user now has the exact same attributes and groups as the Windows user.

Now the issue is that Samba needs a group with the same gidNumber as the uidNumber for each user to work correctly in this setup (see why in #9521 [1]). The only logical way of doing that is storing this gidNumber as the user's primary group in the AD. This way the user loses the membership in the group Domain Users (gidNumber 100), though - at least on the Linux side.

Are there any thoughts on how to solve this? Is this maybe a Samba issue or is my setup just wrong?

Regards,
Frederik

[1] https://bugzilla.samba.org/show_bug.cgi?id=9521
Re: [Samba] Use backends
From: rodrigo tavares rodrigofar...@yahoo.com.br
Date: Tue, 22 Jan 2013 05:08:40 -0800 (PST)

> Can I have two passdb backend in my smb.conf ?
>
> Thanks !

After Samba 3.0.23, only one passdb backend is allowed.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
facebook.com/takahashi.motonobu
Re: [Samba] Posted this question once already -- no response. Password expiry problem
On Tue, 2013-01-15 at 17:53 +, ray klassen wrote:

Solved this problem

<gentle rant> This is precisely the sort of question that should be answerable on this list. Has no one run into this before? I've brought it up twice here and several times on the irc channel with no response, but the solution was simple enough </gentle rant>

anyway here it is. So that it goes in the mailing list and others can find it.

/etc/smbldap-tools/smbldap.conf includes a line that says defaultMaxPasswordAge=45

FYI, I've never used smbldap-tools.

This affects the sambaPwdMustChange date stamp attribute in the ldap user record at the time smbldap-passwd is run. sambaPwdMustChange appears to trump the user X flag and the maximum password age system policy

Maybe that's the nature of the samba 3.x beast.

Yes, that matches my recollection [I could be wrong]. The password policy just controlled the calculation of sambaPwdMustChange. I recall just going in sometimes and manually setting sambaPwdMustChange to some value like 12 in order to force a user to change their password on their next logon, and moving the value way up to avoid expiration.

The precedent of one value over the other was never expressly documented AFAIK. I *assumed*, and it seemed to be true, that the more specific value [sambaPwdMustChange] would win.

Maybe it has to be that way if you are using LDAP.

Now that Samba 4 is out probably no one will want to comment on that. :)

I suggest you upgrade yesterday. Samba4 is a much better PDC than Samba3 ever thought about being on the brightest most optimistic spring day.

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Re: [Samba] ldap users with users samba
From: rodrigo tavares rodrigofar...@yahoo.com.br
Date: Tue, 22 Jan 2013 03:17:44 -0800 (PST)

> Hello,
>
> I create one user, with the command.
>
> smbldap-useradd -a -P user
>
> The option -a (attributes samba) and -P call smbldap-passwd.
> This command make attributes.
>
> Then, i try to login in domain, but some error.
>
> root@replica:~# smbclient -L localhost -U user
> Enter user's password:
> session setup failed: NT_STATUS_LOGON_FAILURE

Because you set:

-
passdb backend = ldapsam:ldap://10.65.8.95
passdb backend = tdbsam
-

in your smb.conf.

If you set a parameter twice in smb.conf, the latter one is enabled. So you use tdbsam now.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
facebook.com/takahashi.motonobu
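The override behaviour described in the reply above, turned into a check (an added example, not part of the original post and not Samba code): it reports every parameter that is assigned more than once within a section of an smb.conf and which assignment takes effect. The sample file is constructed; only the two `passdb backend` values are taken from the thread, and the function names are hypothetical.

```python
"""Flag smb.conf parameters that are set more than once in one section."""
import re

# Constructed sample; only the two "passdb backend" values come from the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://10.65.8.95
    ; the next line silently replaces the one above
    Passdb Backend = tdbsam
    log file = /var/log/samba/smbd.log

[share]
    path = /srv/share
    read only = yes
    read only = no
"""


def normalize(name):
    # smb.conf(5): case and whitespace are not significant in section
    # and parameter names, so "Passdb Backend" equals "passdb backend".
    return re.sub(r"\s+", "", name).lower()


def logical_lines(text):
    """Yield (first_line_number, text), joining lines that end in a backslash."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf


def find_overrides(text):
    """Return one finding per parameter that is assigned more than once."""
    section = "global"  # assumption: lines before any header count as [global]
    seen = {}
    for number, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.*)\]", stripped)
        if header:
            section = normalize(header.group(1))
            continue
        # Only the first "=" separates name and value.
        name, sep, value = stripped.partition("=")
        if not sep:
            continue
        seen.setdefault((section, normalize(name)), []).append((number, value.strip()))
    findings = []
    for (sect, param), hits in seen.items():
        if len(hits) > 1:
            # The last assignment is the one in force; earlier ones are dead.
            findings.append({"section": sect, "parameter": param,
                             "ignored": hits[:-1], "effective": hits[-1]})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_SMB_CONF):
        line, value = f["effective"]
        print(f"[{f['section']}] {f['parameter']}: line {line} wins ({value!r})")
        for old_line, old_value in f["ignored"]:
            print(f"    ignored: line {old_line} ({old_value!r})")
```

The check does not follow `include` directives or resolve parameter synonyms, so two spellings that Samba treats as the same option are reported only when their names match after normalisation.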
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On 2013-01-22 at 15:52, Fred F wrote:
> Hi,
>
> I am still experimenting with Samba 4 and I'd like to serve both Windows and Linux clients with Samba (standalone AD server). The Windows-side is already working well. For serving Linux-clients I need to store the users' uidNumber and gidNumber in the Active Directory. This is how I do that:
>
> 1. Create a user test with samba-tool
> 2. Get the internal UID which was assigned to this user by Samba through wbinfo
> 3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
> 4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN
>
> With the correct nss_ldap setup (mainly attribute mappings) the Linux boxes can now get their passwd/shadow/group information directly from AD. The Linux user now has the exact same attributes and groups as the Windows user.
>
> Now the issue is that Samba needs a group with the same gidNumber as the uidNumber for each user to work correctly in this setup (see why in #9521 [1]). The only logical way of doing that is storing this gidNumber as the user's primary group in the AD. This way the user loses the membership in the group Domain Users (gidNumber 100), though - at least on the Linux side.
>
> Are there any thoughts on how to solve this? Is this maybe a Samba issue or is my setup just wrong?
>
> Regards,
> Frederik
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9521

I don't agree, because users can be members of multiple groups, not just the group identified as their primary group

Regards

Geza Gemes
[Samba] fail-over, redundancy, bdc, multi-dc-domain
I'm aware of, at least generally, how one would have done a BDC/Redundant server under OpenLDAP Samba3. However, rolling your own multi-domain-controller was fairly daunting [for me] under Samba3 / OpenLDAP.

I've been very interested in Samba4 for the more integrated nature of having LDAP/DNS/Samba all under one roof. [i.e. Fewer places where I can screw it up horribly.]

However I'm also interested in how one can handle fail-over. I don't need something totally seamless and big-iron style. A backup box that would need some manual intervention would be fine. So, something like an rsync'd backup box where the shared files/accounts/etc are perhaps an hour out of date, and that would require 15 minutes to bring up as a primary would be an acceptable solution.

That's not to say I wouldn't want something better, but that's kind of the low end of the acceptable scale.

I've done some searches on the list and spent a while looking for examples but I don't easily find any. [Using searches with: samba4 bdc, redundant, backup, etc. There are a ton of very old articles on the list, but almost nothing I could find specifically on Samba4.]

Could some kind soul point me either to:
1) Search terms more likely to produce results, or some discussion threads or
2) wiki/how-to's on how to accomplish something in the neighborhood on this subject?
[Option #2 preferred.]

As a note, I'd be glad to help document this/provide a here's what I did and how, provided it's something reasonable for me to apply to the situation I'm referring to - so I'm more than glad to contribute back where I can.

TIA
-Greg
Re: [Samba] fail-over, redundancy, bdc, multi-dc-domain
On Tue, 2013-01-22 at 10:53 -0800, Gregory Sloop wrote:
> I'm aware of, at least generally, how one would have done a BDC/Redundant server under OpenLDAP Samba3. However, rolling your own multi-domain-controller was fairly daunting [for me] under Samba3 / OpenLDAP.

Yea... that is an understatement. Replication... OpenLDAP... <shivers/>. It was rough, and then they switched to cn=config. Never bothered to make a single administrative tool worth @^@*@ and that-one-developer harassed and insulted and was a general @*%^@*$ to anyone who tried [including me] - tools are for wimps! [and, you know, people who have stuff to do, those wimps!]. Sad, OpenLDAP is a really great project/product.

> I've been very interested in Samba4 for the more integrated nature of having LDAP/DNS/Samba all under one roof. [i.e. Fewer places where I can screw it up horribly.]

Yep, it does that. Yay! Or you can look at it as one-stop horrible screw up; kill it, and you kill everything.

> However I'm also interested in how one can handle fail-over. I don't need something totally seamless and big-iron style. A backup box that would need some manual intervention would be fine. So, something like an rsync'd backup box where the shared files/accounts/etc are perhaps an hour out of date, and that would require 15 minutes to bring up as a primary would be an acceptable solution.

It does hot-replication of the SAM (at least). In theory it does replication of DNS [if you are using internal DNS] but there might be some bugs there. It doesn't replicate the sysvol [yet], you gotta do that yourself, old-school.

> That's not to say I wouldn't want something better, but that's kind of the low end of the acceptable scale.

It is above your acceptable out-of-the-box.

> I've done some searches on the list and spent a while looking for examples but I don't easily find any. [Using searches with: samba4 bdc, redundant, backup, etc. There are a ton of very old articles on the list, but almost nothing I could find specifically on Samba4.]

Create a DC, add another DC, done. Move on.

> Could some kind soul point me either to:
> 1) Search terms more likely to produce results, or some discussion threads or
> 2) wiki/how-to's on how to accomplish something in the neighborhood on this subject?
> [Option #2 preferred.]

The Samba4 wiki! http://wiki.samba.org/index.php/Samba4

And you need to read up on Active Directory.

> As a note, I'd be glad to help document this/provide a here's what I did and how, provided it's something reasonable for me to apply to the situation I'm referring to - so I'm more than glad to contribute back where I can.

Create an account on the wiki.

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
[Samba] I have a problem with printing on samba4
I have a problem with printing on samba4. Every time I try to connect to my printer or even try to change its properties or anything it won't let me connect and do anything with the printer and when I do this the smbd log says:

    [2013/01/22 19:07:25.991058, 0] ../source3/rpc_server/spoolss/srv_spoolss_nt.c:1736(_spoolss_OpenPrinterEx)
      _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\ samba4server.samba4.keyedinsoft.com
    [2013/01/22 19:07:26.097079, 0] ../source3/rpc_server/spoolss/srv_spoolss_nt.c:1736(_spoolss_OpenPrinterEx)
      _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\ samba4server.samba4.keyedinsoft.com
    [2013/01/22 19:07:26.222868, 0] ../source3/rpc_server/spoolss/srv_spoolss_nt.c:1736(_spoolss_OpenPrinterEx)
      _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\ samba4server.samba4.keyedinsoft.com
    [2013/01/22 19:07:26.331781, 0] ../source3/rpc_server/spoolss/srv_spoolss_nt.c:1736(_spoolss_OpenPrinterEx)
      _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\ samba4server.samba4.keyedinsoft.com
    [2013/01/22 19:07:26.455268, 0] ../source3/rpc_server/spoolss/srv_spoolss_nt.c:1736(_spoolss_OpenPrinterEx)
      _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\ samba4server.samba4.keyedinsoft.com

Could someone please help me with this error?
Re: [Samba] problem joining AD domain
On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino paolo.sup...@gmail.com wrote:
> Hi
>
> I'm trying to make a Linux server (RHEL 5.3) join my company's ADS domain. The company's domain is built from several kerberos realms

Stop *right* there. If you have RHEL, and you've been regularly applying updates, you've automatically updated to RHEL 5.9 since its release a few weeks ago. RHEL 5.3 is now 4 years old and you should *not* use it for any security sensitive functions like the critical Kerberos authentication in an ADS domain, without the Red Hat published system updates.

So do the system updates first.

> and Windows domain. the Linux FQDN resolves to the name of one of the kerberos realms we have, but I was asked to have the linux server join a different kerberos realm and windows Domain.
>
> When I attempt to run the command 'net ads join -U [account] -w [domain]', I get the following error:
>
>     Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
>
> I know it's possible because it was done in the company in the past (unfortunately) the sysadmin that did it no longer works here and no one else knows how to reproduce how he did it.

Are you using the built-in Samba 3.0.33, the available samba3x tool that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If you're using the built-in Samba 3.0.33 or the samba3x package, you should be able to use authconfig to set all of this in PAM, and only need net ads to register the particular host with AD credentials.

And are you making sure to use net ads join -U 'admin@remotedomain' -w 'remotedomain', if the DNS domain does not match the AD domain? You might also install, and try working with, the X-based version of the system-config-authentication command which provides reasonable GUI options for most of this.

> I know this email is scarce on helpful information. I simply don't know what information to supply (I have the output of join with -d 4 and -d 10 debug levels).
[Samba] Windows 8 and roaming profiles hosted on Samba - NO ONE does this?
On 20.12.2012 20:59, Nick wrote:
> Windows XP and Windows 7 work fine. Clean profile, imported profiles, etc. With Windows 8, there seems to be some sort of profile corruption when the profile syncs. It always seems to trip up on files related to Internet Explorer. \Favorites, \Links, \IECompatCache, .url files, etc.

I am experiencing exactly the same issues. I've checked the security rights and the problem cannot be from them. What could be the problem?
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via a2d6884 BUG 9574: Fix a possible null pointer dereference in spoolss. via 43810c8 s3-rpc_server: Fix a possible null pointer dereference. from cd9c1a0 samr: Make use of posix_openpt http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit a2d68842ea33733fa7900831ed10e73f820afcf7 Author: Andreas Schneider a...@samba.org Date: Fri Jan 18 18:04:17 2013 +0100 BUG 9574: Fix a possible null pointer dereference in spoolss. If the the client enumerates the printers and didn't specify a servername we have a null pointer dereference, so the process serving the connection crashes. Reviewed-by: David Disseldorp dd...@samba.org Autobuild-User(master): David Disseldorp dd...@samba.org Autobuild-Date(master): Mon Jan 21 13:30:11 CET 2013 on sn-devel-104 (cherry picked from commit c38fb0b106b62e42a5b75b1c78386bb8912c7d7e) commit 43810c80936c8f509cc2adba6193dd4c55325875 Author: Andreas Schneider a...@samba.org Date: Mon Dec 17 15:31:21 2012 +0100 s3-rpc_server: Fix a possible null pointer dereference. This variable can be set to NULL in an earlier function call. Found by Coverity. Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Günther Deschner g...@samba.org (cherry picked from commit 72e02c73b64f1ff56b2d53ec63d68486a4f1ff90) --- Summary of changes: source3/rpc_server/spoolss/srv_spoolss_nt.c |6 -- 1 files changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index b5949e4..a5579c2 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -4442,7 +4442,8 @@ static WERROR enum_all_printers_info_1_name(TALLOC_CTX *mem_ctx, DEBUG(4,(enum_all_printers_info_1_name\n)); - if ((servername[0] == '\\') (servername[1] == '\\')) { + if (servername != NULL + (servername[0] == '\\') (servername[1] == '\\')) { s = servername + 2; } 
@@ -4477,7 +4478,8 @@ static WERROR enum_all_printers_info_1_network(TALLOC_CTX *mem_ctx, listed. Windows responds to this call with a WERR_CAN_NOT_COMPLETE so we should do the same. */ - if (servername[0] == '\\' servername[1] == '\\') { + if (servername != NULL + (servername[0] == '\\') (servername[1] == '\\')) { s = servername + 2; } -- Samba Shared Repository
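Review bot: Both hunks put a `servername != NULL` guard in front of the `\\` prefix test, but neither shows what `s` holds when that guard fails. If `s` is initialised from `servername`, it is still NULL after the `if` in enum_all_printers_info_1_name() and enum_all_printers_info_1_network(), so every later use of `s` has to tolerate NULL too; please confirm that, or assign an explicit default in an `else`. The same prefix-stripping check now exists verbatim in two functions and would be easier to keep correct as one small helper. A regression test that enumerates printers without a servername, the crash the commit message describes, would pin the fix.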
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 069f102 BUG 9378: Add extra attributes for AD printer publishing. via 31d61ad printing: Remove invalid free from error path. from a2d6884 BUG 9574: Fix a possible null pointer dereference in spoolss. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 069f1029a76c9b9c0a48ac7cb3d2c5f45c3a231c Author: David Disseldorp dd...@samba.org Date: Thu Jan 17 13:21:25 2013 +0100 BUG 9378: Add extra attributes for AD printer publishing. Currently attempting to publish a printer in AD fails with Object class violation, due to a number of missing attributes in the LDAP request. Reviewed-by: Andreas Schneider a...@samba.org commit 31d61ad8f9c850c302c83a65af8474545723ea1c Author: David Disseldorp dd...@samba.org Date: Fri Jan 18 11:48:20 2013 +0100 printing: Remove invalid free from error path. Reviewed-by: Andreas Schneider a...@samba.org --- Summary of changes: source3/printing/nt_printing_ads.c | 87 +++- 1 files changed, 85 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c index 67046bc..5a0cd24 100644 --- a/source3/printing/nt_printing_ads.c +++ b/source3/printing/nt_printing_ads.c 
@@ -87,6 +87,86 @@ done: talloc_free(tmp_ctx); } +static WERROR nt_printer_info_to_mods(TALLOC_CTX *ctx, + struct spoolss_PrinterInfo2 *info2, + ADS_MODLIST *mods) +{ + char *info_str; + + ads_mod_str(ctx, mods, SPOOL_REG_PRINTERNAME, info2-sharename); + ads_mod_str(ctx, mods, SPOOL_REG_SHORTSERVERNAME, global_myname()); + ads_mod_str(ctx, mods, SPOOL_REG_SERVERNAME, get_mydnsfullname()); + + info_str = talloc_asprintf(ctx, %s\\%s, + get_mydnsfullname(), info2-sharename); + if (info_str == NULL) { + return WERR_NOMEM; + } + ads_mod_str(ctx, mods, SPOOL_REG_UNCNAME, info_str); + + info_str = talloc_asprintf(ctx, %d, 4); + if (info_str == NULL) { + return WERR_NOMEM; + } + ads_mod_str(ctx, mods, SPOOL_REG_VERSIONNUMBER, info_str); + + /* empty strings in the mods list result in an attrubute error */ + if (strlen(info2-drivername) != 0) + ads_mod_str(ctx, mods, SPOOL_REG_DRIVERNAME, info2-drivername); + if (strlen(info2-location) != 0) + ads_mod_str(ctx, mods, SPOOL_REG_LOCATION, info2-location); + if (strlen(info2-comment) != 0) + ads_mod_str(ctx, mods, SPOOL_REG_DESCRIPTION, info2-comment); + if (strlen(info2-portname) != 0) + ads_mod_str(ctx, mods, SPOOL_REG_PORTNAME, info2-portname); + if (strlen(info2-sepfile) != 0) + ads_mod_str(ctx, mods, SPOOL_REG_PRINTSEPARATORFILE, info2-sepfile); + + info_str = talloc_asprintf(ctx, %u, info2-starttime); + if (info_str == NULL) { + return WERR_NOMEM; + } + ads_mod_str(ctx, mods, SPOOL_REG_PRINTSTARTTIME, info_str); + + info_str = talloc_asprintf(ctx, %u, info2-untiltime); + if (info_str == NULL) { + return WERR_NOMEM; + } + ads_mod_str(ctx, mods, SPOOL_REG_PRINTENDTIME, info_str); + + info_str = talloc_asprintf(ctx, %u, info2-priority); + if (info_str == NULL) { + return WERR_NOMEM; + } + ads_mod_str(ctx, mods, SPOOL_REG_PRIORITY, info_str); + + if (info2-attributes PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS) { + ads_mod_str(ctx, mods, SPOOL_REG_PRINTKEEPPRINTEDJOBS, TRUE); + } else { + ads_mod_str(ctx, mods, 
SPOOL_REG_PRINTKEEPPRINTEDJOBS, FALSE); + } + + switch (info2-attributes 0x3) { + case 0: + ads_mod_str(ctx, mods, SPOOL_REG_PRINTSPOOLING, + SPOOL_REGVAL_PRINTWHILESPOOLING); + break; + case 1: + ads_mod_str(ctx, mods, SPOOL_REG_PRINTSPOOLING, + SPOOL_REGVAL_PRINTAFTERSPOOLED); + break; + case 2: + ads_mod_str(ctx, mods, SPOOL_REG_PRINTSPOOLING, + SPOOL_REGVAL_PRINTDIRECT); + break; + default: + DEBUG(3, (unsupported printer attributes %x\n, + info2-attributes)); + } + + return WERR_OK; +} + static WERROR nt_printer_publish_ads(struct messaging_context *msg_ctx, ADS_STRUCT *ads, struct spoolss_PrinterInfo2 *pinfo2) @@ -167,12 +247,15 @@ static WERROR nt_printer_publish_ads(struct messaging_context *msg_ctx,
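Review bot: In nt_printer_info_to_mods() the strlen() tests on info2->drivername, info2->location, info2->comment, info2->portname and info2->sepfile dereference each field with no NULL check, so if any of them can be unset the function crashes instead of skipping the attribute; test the pointer before calling strlen(). The result of every ads_mod_str() call is also discarded, so a failed modification would go unnoticed and the function would still return WERR_OK; check it and propagate an error. Smaller points: the literal 4 passed for SPOOL_REG_VERSIONNUMBER needs a named constant or a comment saying what it stands for, the `default:` branch of the switch only logs at level 3 and then returns WERR_OK, and the comment above the strlen() checks has a typo ("attrubute").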
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9aca528 Tests: Fix the display of test vars in screen --testenv via b1e2313 libcli-acl: add documentation via 65396ad drsuapi: Add documentation via d7bbd18 drepl-notify: change misleading message from 0a4a4ba devel-script: add options for RODC and partial replica for replicate flags http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9aca52877a3f6f59887098ebb8e664922c8c7aad Author: Matthieu Patou m...@matws.net Date: Thu Jan 3 14:33:45 2013 -0800 Tests: Fix the display of test vars in screen --testenv The form bash -c echo important stuff blabla bla LD_LIBARY_PATH bash is not working in screen when it's working in xterm and the in_screen script already wrap all the command within a bash shell so there is no need to re-force bash as the echo will execute in a bash shell Signed-off-by: Matthieu Patou m...@matws.net Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Tue Jan 22 13:03:52 CET 2013 on sn-devel-104 commit b1e231384a9245a191ef5e004544d7cafe17e036 Author: Matthieu Patou m...@matws.net Date: Sun Oct 14 01:01:08 2012 -0700 libcli-acl: add documentation Reviewed-by: Andrew Bartlett abart...@samba.org commit 65396adaad18821568f727a223c38c36a2b16291 Author: Matthieu Patou m...@matws.net Date: Sun Oct 14 01:04:51 2012 -0700 drsuapi: Add documentation Reviewed-by: Andrew Bartlett abart...@samba.org commit d7bbd182b33441a0a4e91c00a31de29b2b09f59a Author: Matthieu Patou m...@matws.net Date: Mon Oct 15 22:15:17 2012 -0700 drepl-notify: change misleading message Reviewed-by: Andrew Bartlett abart...@samba.org --- Summary of changes: libcli/security/access_check.c | 20 +++- selftest/selftest.pl| 15 --- source4/dsdb/repl/drepl_notify.c|2 +- source4/rpc_server/drsuapi/updaterefs.c | 21 ++--- 4 files changed, 46 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: 
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index f0a7b66..936ffca 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -374,7 +374,25 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) return NULL; } -/* modified access check for the purposes of DS security +/** + * @brief Perform directoryservice (DS) related access checks for a given user + * + * Perform DS access checks for the user represented by its security_token, on + * the provided security descriptor. If an tree associating GUID and access + * required is provided then object access (OA) are checked as well. * + * @param[in] sd The security descritor against which the required + * access are requested + * + * @param[in] token The security_token associated with the user to + * test + * + * @param[in] access_desired A bitfield of rights that must be granted for the + * given user in the specified SD. + * + * If one + * of the entry in the tree grants all the requested rights for the given GUID + * FIXME + * tree can be null if not null it's the * Lots of code duplication, it will ve united in just one * function eventually */ diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 4ac5aeb..639c8a2 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -849,13 +849,7 @@ if ($opt_testenv) { my $envvarstr = exported_envvars_str($testenv_vars); - my @term = (); - if ($ENV{TERMINAL}) { - @term = ($ENV{TERMINAL}); - } else { - @term = (xterm, -e); - } - my @term_args = (bash, -c, echo -e \ + my @term_args = (echo -e \ Welcome to the Samba4 Test environment '$testenv_name' This matches the client environment used in make test @@ -867,6 +861,13 @@ SMB_CONF_PATH=\$SMB_CONF_PATH $envvarstr \ LD_LIBRARY_PATH=$ENV{LD_LIBRARY_PATH} bash); + my @term = (); + if ($ENV{TERMINAL}) { + @term = ($ENV{TERMINAL}); + } else { + @term = (xterm, -e); + unshift(@term_args, (bash, -c)); + } system(@term, @term_args); 
diff --git a/source4/dsdb/repl/drepl_notify.c b/source4/dsdb/repl/drepl_notify.c index cd248d5..905fe5f 100644 --- a/source4/dsdb/repl/drepl_notify.c +++ b/source4/dsdb/repl/drepl_notify.c @@ -195,7 +195,7 @@ static void dreplsrv_notify_op_callback(struct tevent_req *subreq) ldb_dn_get_linearized(op-source_dsa-partition-dn), nt_errstr(status),
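Review bot: the new doc comment in libcli/security/access_check.c stops mid-sentence after the access_desired parameter ("If one of the entry in the tree grants all the requested rights for the given GUID", then "FIXME", then "tree can be null if not null it's the"), and it has no @param entry for the tree it mentions and no @return. Since this commit is documentation only, finish or drop those fragments and document the tree argument and the return value before merging. "descritor" and "ve united" are typos.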
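Review bot: in selftest/selftest.pl the bash -c prefix is now added only in the xterm fallback, so when $ENV{TERMINAL} is set the echo command string is handed to that program as is. That matches the in_screen wrapper the commit message names, but any other TERMINAL value that does not run its arguments through a shell will no longer get the banner or the trailing bash. A comment beside the unshift stating that TERMINAL is expected to wrap its command in a shell would make the assumption visible.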
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d56b456 s3-winbind: fix the build of idmap_ldap. from 9aca528 Tests: Fix the display of test vars in screen --testenv http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d56b4560b585c613b65b05a9224c9e11f5038318 Author: Günther Deschner g...@samba.org Date: Tue Jan 22 11:54:19 2013 +0100 s3-winbind: fix the build of idmap_ldap. Guenther Signed-off-by: Günther Deschner g...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Tue Jan 22 14:43:40 CET 2013 on sn-devel-104 --- Summary of changes: source3/winbindd/wscript_build |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wscript_build b/source3/winbindd/wscript_build index 0d826f0..7e80727 100644 --- a/source3/winbindd/wscript_build +++ b/source3/winbindd/wscript_build @@ -65,7 +65,8 @@ bld.SAMBA3_MODULE('idmap_ldap', deps='smbldap smbldaphelper pdb', init_function='', internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ldap'), - enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ldap') and bld.CONFIG_SET(HAVE_LDAP)) + enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ldap') and bld.CONFIG_SET(HAVE_LDAP), + allow_undefined_symbols=True) bld.SAMBA3_MODULE('idmap_nss', subsystem='idmap', -- Samba Shared Repository
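Review bot: allow_undefined_symbols=True on the idmap_ldap module makes the link succeed without saying which symbols are unresolved or where they are expected to come from at load time, and the commit message does not say either. If they belong to a library that can be listed, adding it to deps (currently 'smbldap smbldaphelper pdb') would keep link-time checking for this module; otherwise a short comment naming the provider of the symbols would help the next person who touches this block.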
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 988350c libcli/auth: fix void function cannot return value error from d56b456 s3-winbind: fix the build of idmap_ldap. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 988350ccefbe8f22eb1814e071386ef2dfe6d6dd Author: Andrew Bartlett abart...@samba.org Date: Mon Jan 21 10:45:10 2013 +1100 libcli/auth: fix void function cannot return value error Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Tue Jan 22 22:32:31 CET 2013 on sn-devel-104 --- Summary of changes: libcli/auth/credentials.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 9d3df9f..2f14374 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -583,7 +583,7 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential uint16_t validation_level, union netr_Validation *validation) { - return netlogon_creds_crypt_samlogon_validation(creds, validation_level, + netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, false); } @@ -591,7 +591,7 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential uint16_t validation_level, union netr_Validation *validation) { - return netlogon_creds_crypt_samlogon_validation(creds, validation_level, + netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, true); } -- Samba Shared Repository
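Review bot: style point on both hunks in libcli/auth/credentials.c: dropping the return keyword moves the call left, but the continuation lines (validation, false); and validation, true);) are unchanged context, so they no longer line up with the opening parenthesis of the call. Re-indent the continuation lines in the same commit. The change itself is right, since both wrappers are declared void.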
[SCM] CTDB repository - branch master updated - ctdb-2.1-8-gb054193
The branch, master has been updated
  via b054193d1d19a8eef998fa690899501f79badb8a (commit)
  via 109f428aa34f8f4cc0329880d2f4a5593a6cc6f3 (commit)
  via 258092aaf6b7a9bdc14f0fb35e8bd7f7dc742b3f (commit)
  via d202b2fdd4fd70172e5e44583627b57a1b7ad2ed (commit)
  via 3c6a9b73364c9543366fa033c778145dc7a152a9 (commit)
  via 95fc493a7d4145f976cb3fe928d9e92faec4dd71 (commit)
  via 506ecd186759675a1cf50a0a05a285fee03fc51e (commit)
  from 0e651e9da0f1f3c836b4474612ab13d0ccd272d9 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master

- Log -
commit b054193d1d19a8eef998fa690899501f79badb8a
Author: Mathieu Parent math.par...@gmail.com
Date: Mon Jan 14 17:48:01 2013 +0100

common: Don't lie on unimplemented gratuitous arp

Signed-off-by: Mathieu Parent math.par...@gmail.com

commit 109f428aa34f8f4cc0329880d2f4a5593a6cc6f3
Author: Mathieu Parent math.par...@gmail.com
Date: Mon Jan 14 17:21:01 2013 +0100

tests: Test portability

Curiously test_ctdb_sys_check_iface_exists fails on Linux

Signed-off-by: Mathieu Parent math.par...@gmail.com

commit 258092aaf6b7a9bdc14f0fb35e8bd7f7dc742b3f
Author: Mathieu Parent math.par...@gmail.com
Date: Mon Jan 14 12:13:24 2013 +0100

common: FreeBSD+kFreeBSD: Implement get_process_name (same as in Linux)

Signed-off-by: Mathieu Parent math.par...@gmail.com

commit d202b2fdd4fd70172e5e44583627b57a1b7ad2ed
Author: Mathieu Parent math.par...@gmail.com
Date: Mon Jan 14 11:23:46 2013 +0100

common: Detailed platform-specific FIXME

Signed-off-by: Mathieu Parent math.par...@gmail.com

commit 3c6a9b73364c9543366fa033c778145dc7a152a9
Author: Mathieu Parent math.par...@gmail.com
Date: Sun Jan 13 14:15:20 2013 +0100

build: Update config.guess 2012-12-30 and config.sub to 2013-01-11

Signed-off-by: Mathieu Parent math.par...@gmail.com

commit 95fc493a7d4145f976cb3fe928d9e92faec4dd71
Author: Mathieu Parent math.par...@gmail.com
Date: Sat Jan 12 16:43:03 2013 +0100

doc: allows to - allows one to
Signed-off-by: Mathieu Parent math.par...@gmail.com commit 506ecd186759675a1cf50a0a05a285fee03fc51e Author: Mathieu Parent math.par...@gmail.com Date: Sat Jan 12 15:14:48 2013 +0100 build: Add missing LDFLAGS Original Author: Simon Ruderich si...@ruderich.org Signed-off-by: Mathieu Parent math.par...@gmail.com --- Summary of changes: Makefile.in|9 +- common/system_aix.c| 11 +- common/system_freebsd.c| 27 ++- common/system_gnu.c| 13 +- common/system_kfreebsd.c | 28 ++- config.guess | 426 config.sub | 274 +- config/ctdb.sysconfig |2 +- doc/ctdbd.1.xml|2 +- tests/src/ctdb_porting_tests.c | 305 10 files changed, 768 insertions(+), 329 deletions(-) mode change 100755 = 100644 config.guess mode change 100755 = 100644 config.sub create mode 100644 tests/src/ctdb_porting_tests.c Changeset truncated at 500 lines: diff --git a/Makefile.in b/Makefile.in index fef2e45..e704d63 100755 --- a/Makefile.in +++ b/Makefile.in @@ -104,6 +104,7 @@ TEST_BINS=tests/bin/ctdb_bench tests/bin/ctdb_fetch tests/bin/ctdb_fetch_one \ tests/bin/ctdb_takeover_tests tests/bin/ctdb_update_record \ tests/bin/ctdb_update_record_persistent \ tests/bin/ctdb_tool_libctdb tests/bin/ctdb_tool_stubby \ + tests/bin/ctdb_porting_tests \ @INFINIBAND_BINS@ BINS = bin/ctdb @CTDB_SCSI_IO@ bin/smnotify bin/ping_pong bin/ltdbtool @CTDB_PMDA@ @@ -173,7 +174,7 @@ bin/ctdb: $(CTDB_CLIENT_OBJ) tools/ctdb.o tools/ctdb_vacuum.o libctdb/libctdb.a bin/ltdbtool: tools/ltdbtool.o $(TDB_OBJ) @echo Linking $@ - @$(CC) $(CFLAGS) -o $@ $+ $(TDB_LIBS) + @$(CC) $(CFLAGS) -o $@ $+ $(TDB_LIBS) $(LIB_FLAGS) bin/smnotify: utils/smnotify/gen_xdr.o utils/smnotify/gen_smnotify.o utils/smnotify/smnotify.o $(POPT_OBJ) @echo Linking $@ 
@@ -195,7 +196,7 @@ utils/smnotify/gen_smnotify.c: utils/smnotify/smnotify.x utils/smnotify/smnotify bin/ping_pong: utils/ping_pong/ping_pong.o @echo Linking $@ - @$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o + @$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o $(LIB_FLAGS) bin/pmdactdb: $(CTDB_CLIENT_OBJ) utils/pmda/pmda_ctdb.o @echo Linking $@ @@ -257,6 +258,10 @@ tests/bin/ctdb_persistent: $(CTDB_CLIENT_OBJ) tests/src/ctdb_persistent.o @echo Linking $@ @$(CC) $(CFLAGS) -o $@ tests/src/ctdb_persistent.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS) +tests/bin/ctdb_porting_tests: $(CTDB_CLIENT_OBJ) tests/src/ctdb_porting_tests.o + @echo Linking $@ + $(CC)
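Review bot: in the new tests/bin/ctdb_porting_tests rule the link command starts with a bare $(CC), while every other link recipe visible in this patch uses @$(CC) after the @echo Linking $@ line, so this target will print its full command line during the build. Use @$(CC) for consistency with the neighbouring rules.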
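Review bot: the commit subject says "Add missing LDFLAGS", but the bin/ltdbtool and bin/ping_pong hunks append $(LIB_FLAGS), and nothing in the visible lines shows how LIB_FLAGS relates to LDFLAGS. A sentence in the commit message saying that LIB_FLAGS is the variable carrying the linker flags for these targets would make the change easier to verify.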
[SCM] CTDB repository - branch master updated - ctdb-2.1-9-g124e2a4
The branch, master has been updated via 124e2a471aeda9c900fd898178a30522d7d74221 (commit) from b054193d1d19a8eef998fa690899501f79badb8a (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 124e2a471aeda9c900fd898178a30522d7d74221 Author: Amitay Isaacs ami...@gmail.com Date: Wed Jan 23 14:35:47 2013 +1100 recoverd: Fix printing of node flags from local information Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: server/ctdb_recoverd.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_recoverd.c b/server/ctdb_recoverd.c index 0f8aa91..bffe2be 100644 --- a/server/ctdb_recoverd.c +++ b/server/ctdb_recoverd.c @@ -3699,7 +3699,7 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, nodemap-nodes[j].pnn, nodemap-nodes[i].pnn, remote_nodemaps[j]-nodes[i].flags, - nodemap-nodes[j].flags)); + nodemap-nodes[i].flags)); if (i == j) { DEBUG(DEBUG_ERR,(Use flags 0x%02x from remote node %d for cluster update of its own flags\n, remote_nodemaps[j]-nodes[i].flags, j)); update_flags_on_all_nodes(ctdb, nodemap, nodemap-nodes[i].pnn, remote_nodemaps[j]-nodes[i].flags); -- CTDB repository
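Review bot: the corrected argument now reports nodemap->nodes[i].flags, matching the remote_nodemaps[j]->nodes[i].flags printed just before it, but the hunk shows only the DEBUG arguments. Please confirm that the comparison guarding this message already uses index i on the local side, since the same i/j slip there would decide whether update_flags_on_all_nodes is reached in the i == j branch and would not be limited to the log line.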