Re: [Samba] Samba + ACLs: Can’t add group write permissions
On Tue, 26 Mar 2013 19:38:48 +0100, steve st...@steve-ss.com wrote:

WTF? Where did the write access for the group go?

Hi Marvin

Hi Steve,

Just a thought but I found out the hard way that when there are acl's set, e.g. in your file called test2, the -rw-r- bit of the listing bit bears little resemblance to what the actual permissions are. Have you actually checked to see that the file test2 really isn't group writeable? Maybe worth a quick test.

I just tested it with another user and no, the file is really not group-writable. But I found another really mysterious behaviour... This time I’ve connected as user steffi who is in the share group as well:

% sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt

I tried to create a file now as this user:

(1067) [9:28:47 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 rootquintus0 Mar 28 09:28 .
drwxr-xr-x 20 rootroot4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus0 Mar 26 15:04 test2
(1068) [9:29:29 quintus@hades] /mnt % touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 rootquintus0 Mar 28 09:29 .
drwxr-xr-x 20 rootroot4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus0 Mar 26 15:04 test2
-rw-r-+ 11002 quintus0 Mar 28 09:29 test3

That is, I get a permission denied on the touch command, but the file is there nevertheless...? How is this possible at all? Even worse, I cannot write to the file I just created:

(1070) [9:29:35 quintus@hades] /mnt % echo foo test3
zsh: permission denied: test3

And no, the file is really empty (I’ve checked it on the server via SSH). Writing to the files owned by someone else, but still in the share group doesn’t work either:

(1071) [9:31:19 quintus@hades] /mnt % echo foo test2
zsh: permission denied: test2

And again, this file really is empty.

On the server, the permissions are reported like this:

(433) [9:33:34 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share0 28. Mär 09:29 test3
(434) [9:33:41 quintus@avalon] /srv/cifs/share % getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---

And I cannot write to the test3 as user quintus on the server, but as user steffi it works (again, through SSH):

(436) [9:35:32 quintus@avalon] /srv/cifs/share % echo foo test3
zsh: permission denied: test3
(437) [9:36:55 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share0 28. Mär 09:29 test3
(438) [9:36:57 quintus@avalon] /srv/cifs/share % sudo su -s /bin/zsh - steffi
[sudo] password for quintus:
(1) [9:37:31 steffi@avalon] / % cd /srv/cifs/share
(2) [9:37:35 steffi@avalon] /srv/cifs/share % echo foo test3
(3) [9:37:38 steffi@avalon] /srv/cifs/share % ls -ahl
insgesamt 12K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share4 28. Mär 09:37 test3
(4) [9:37:39 steffi@avalon] /srv/cifs/share % cat test3
foo

Cheers,
Steve

Any idea?

Vale,
Marvin

--
Blog: http://pegasus-alpha.eu/blog
ASCII Ribbon Campaign - Against HTML E-Mail - Against proprietary attachments
www.asciiribbon.org/index-de.html | www.asciiribbon.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Unable to connect from Windows 7 on samba server 3.4.7 running on ubuntu 10.04
Hi,

I cannot connect from W7 on my server Samba 3.4.7 on ubuntu 10.04. I have tested the share on an other Linux machine, it is working fine. The command to test is: smbclient -U me //ipserver/me

On windows 7 I am logged as me, with the samba password. When I create a network drive (Z: connected to //ipserver/me), it says that it cannot connect. Access denied, but the icon become green (not red crossed). But, surprisingly, in a console (cmd.exe), I can access to the content of Z:, read, write, creating directory, ...

I have made many changes in smb.conf without any result. Tested in an other windows 7: same error. The directory has access only for the user. If I give access to the group, I can access to it by the network drive.

Any idea? Of course I cannot update Samba to 3.6, because it needs to upgrade all the system, and I cannot stop the server for several hours.

Thank you,
Francis

My configuration (The problem is with [homes], the others shares are working well):

/etc/samba/smb.conf

[global]
log level = 3
workgroup = MYWORKGROUP
netbios name = GARGANTUA
public = Yes
server string = serveur %h (Samba %v, Ubuntu)
encrypt passwords = Yes
passdb backend = tdbsam
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
time server = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
security = user
logon drive = V:
logon script = STARTUP.BAT
logon path =
dns proxy = No
wins support = No
dos charset = 850
oplocks = no
level2 oplocks = no
kernel oplocks = no
lock directory = /var/lock/samba
locking = Yes
strict locking = no
posix locking = No

[echanges]
comment = Repertoire d'echanges
path = /home/echanges
writeable = Yes
read only = No
create mask = 0666
directory mask = 0777
inherit permissions = Yes
guest ok = No
follow symlinks = Yes
browsable = Yes

[logiciels]
comment = Applications
path = /home/logiciels
writeable = Yes
browseable = Yes
create mask = 0644
directory mask = 0755
inherit permissions = Yes
guest ok = No
follow symlinks = no

[publis]
comment = Publications
path = /home/publis
writeable = Yes
browseable = Yes
create mask = 0644
directory mask = 0755
inherit permissions = Yes
guest ok = No
follow symlinks = no

[homes]
comment = Repertoire personnel
browseable = No
writeable = Yes
read only = No
preserve case = Yes
short preserve case = Yes
create mask = 0644
directory mask = 0755
inherit permissions = Yes
guest ok = No
path = /home/users/%S
follow symlinks = No

testparm

Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [echanges]
Processing section [logiciels]
Processing section [publis]
Processing section [homes]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = LIVIC
server string = serveur %h (Samba %v, Ubuntu)
log level = 3
log file = /var/log/samba/log.%m
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = STARTUP.BAT
logon path =
logon drive = V:
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
dns proxy = No
kernel oplocks = No
lock directory = /var/lock/samba
guest ok = Yes
oplocks = No
level2 oplocks = No
posix locking = No
strict locking = No

[echanges]
comment = Repertoire d'echanges
path = /home/echanges
read only = No
create mask = 0666
directory mask = 0777
inherit permissions = Yes
guest ok = No

[logiciels]
comment = Applications
path = /home/logiciels
read only = No
create mask = 0644
inherit permissions = Yes
guest ok = No
follow symlinks = No

[publis]
comment = Publications
path = /home/publis
read only = No
create mask = 0644
inherit permissions = Yes
guest ok = No
follow symlinks = No

[homes]
comment = Repertoire personnel
path = /home/users/%S
read only = No
create mask = 0644
inherit permissions = Yes
guest ok = No
browseable = No
browsable = No
follow symlinks = No
Re: [Samba] Samba + ACLs: Can’t add group write permissions
On 28.03.2013 09:40, Quintus wrote:

On Tue, 26 Mar 2013 19:38:48 +0100, steve st...@steve-ss.com wrote:

WTF? Where did the write access for the group go?

Hi Marvin

Hi Steve,

Just a thought but I found out the hard way that when there are acl's set, e.g. in your file called test2, the -rw-r- bit of the listing bit bears little resemblance to what the actual permissions are. Have you actually checked to see that the file test2 really isn't group writeable? Maybe worth a quick test.

I just tested it with another user and no, the file is really not group-writable. But I found another really mysterious behaviour... This time I’ve connected as user steffi who is in the share group as well:

% sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt

I tried to create a file now as this user:

(1067) [9:28:47 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 rootquintus0 Mar 28 09:28 .
drwxr-xr-x 20 rootroot4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus0 Mar 26 15:04 test2
(1068) [9:29:29 quintus@hades] /mnt % touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 rootquintus0 Mar 28 09:29 .
drwxr-xr-x 20 rootroot4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus0 Mar 26 15:04 test2
-rw-r-+ 11002 quintus0 Mar 28 09:29 test3

That is, I get a permission denied on the touch command, but the file is there nevertheless...? How is this possible at all? Even worse, I cannot write to the file I just created:

(1070) [9:29:35 quintus@hades] /mnt % echo foo test3
zsh: permission denied: test3

And no, the file is really empty (I’ve checked it on the server via SSH). Writing to the files owned by someone else, but still in the share group doesn’t work either:

(1071) [9:31:19 quintus@hades] /mnt % echo foo test2
zsh: permission denied: test2

And again, this file really is empty.

On the server, the permissions are reported like this:

(433) [9:33:34 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share0 28. Mär 09:29 test3
(434) [9:33:41 quintus@avalon] /srv/cifs/share % getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---

And I cannot write to the test3 as user quintus on the server, but as user steffi it works (again, through SSH):

(436) [9:35:32 quintus@avalon] /srv/cifs/share % echo foo test3
zsh: permission denied: test3
(437) [9:36:55 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share0 28. Mär 09:29 test3
(438) [9:36:57 quintus@avalon] /srv/cifs/share % sudo su -s /bin/zsh - steffi
[sudo] password for quintus:
(1) [9:37:31 steffi@avalon] / % cd /srv/cifs/share
(2) [9:37:35 steffi@avalon] /srv/cifs/share % echo foo test3
(3) [9:37:38 steffi@avalon] /srv/cifs/share % ls -ahl
insgesamt 12K
drwxrws---+ 2 rootshare 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 rootroot 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share0 26. Mär 14:54 test
-rw-r-+ 1 quintus share0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share4 28. Mär 09:37 test3
(4) [9:37:39 steffi@avalon] /srv/cifs/share % cat test3
foo

Cheers,
Steve

Any idea?

Vale,
Marvin

Hi Marvin,

Just an idea: I remember having an issue with testing permissions on cifs mounted filesystems. I was using touch to create files and kept failing. It turned out I had to make sure the file size exceeded 0 for the test to succeed. Mind you this was a couple of years ago and is possibly not relevant any more.

Greetings,
Jochen
[Samba] Connect printer fails with W2K8R2 error 6d1
I've samba 3.6.6 with cups 1.4.4 running. Printing from XP and 2003 works, by just browsing to the printers folder on the samba server, connecting with automatic download of the printer driver. I also succeeded uploading a 64bit driver using the 2003 server. So 32 bit world works smoothly.

When I try to connect from a 2008R2 server, I get could not connect, error 06d1. Displaying the printer with remote printers, I can see all properties, but printing a testpage fails with the same 6d1, no errors logged by smbd. Local port using the samba printer works, but that's quite unfortunate because I'd like to have the department printer managed centrally.

I've found an older message stating that spoolss-rpc had been changed after samba 3.3 with patches in 3.4 which enabled printing on 32 bit windows, but not 64 bit. I'm using 3.6.6 so I assumed this would be fixed. As a sidenote, printing to http://server-ip/printers/PrinterName doesn't work on the 2008R2 machine either (2003 does work). So I wonder if 64 bit is still broken?

Regards
Andreas
[Samba] [4.0] Inter-realm trust
Hello

I know that inter-domain trust is not supported in Samba, but is it possible to create an inter-realm trust on Kerberos level? I have a kerberized service in realm X (Samba 4.0 as DC) and I want to allow users from realm Y (also Samba 4.0, but different domain) to access it using SPNEGO GSSAPI. If it is possible, how can I accomplish this?

Regards
Re: [Samba] Clients no longer updating DNS unable to delete MX records
On Thu, Mar 21, 2013 at 2:21 PM, Thomas Simmons twsn...@gmail.com wrote:
On Wed, Mar 20, 2013 at 3:29 PM, Thomas Simmons twsn...@gmail.com wrote:
On Wed, Mar 20, 2013 at 9:05 AM, Thomas Simmons twsn...@gmail.com wrote:

Hello,

After noticing some odd behavior on my domain, I realized that many of my DNS records are incorrect and that clients are no longer properly updating DNS. While looking into this, I also discovered that I am unable to delete MX records via AD DNS Manager or samba-tool. Both tools see the record but report it does not exist when I attempt to delete it. I can create new MX records, but cannot delete them. I can create and delete both A and CNAME records. The same behavior occurs under all zones. I can create and delete new forward lookup zones.

[root@ADC1 log]# samba-tool dns query adc1 internal.testdom.com mailsrv MX
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adc1[,sign]
Name=, Records=3, Children=0
MX: mailsrv.internal.testdom.com. (10) (flags=f0, serial=4, ttl=900)

[root@ADC1 log]# samba-tool dns delete adc1 internal.testdom.com mailsrv MX 'mailsrv.internal.testdom.com 10'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adc1[,sign]
ERROR(runtime): uncaught exception - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py, line 1169, in run
del_rec_buf)

With log level = 10, when attempting to delete the record, it appears to find it, but reports it doesn't exist anyway. Has anyone seen this behavior before? The last DNS update was nearly 2 weeks ago and I am not aware of anything that happened around that time that would have triggered this. I don't know if this MX problem and the clients being unable to update DNS are related.

[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
dn: DC=internal.testdom.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
scope: one
expr: ((objectClass=dnsNode)(name=mailsrv))
attr: dnsRecord
control: NONE
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
ldb: ldb_trace_request: (resolve_oids)-search
...
...
...
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn: DC=mailsrv,DC=internal.testdom.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
dnsRecord:: IgAPAAXwAAAEAAADhAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX lzZXMDY29tAA==
dnsRecord:: EAAPAAXwAAA+AADcIjcAAAoMAgZnb29nbGUDY29tAA==
dnsRecord:: IgAPAAXwAAAEAAADhAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX lzZXMDY29tAA==
[2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
ldb: ldb_trace_response: DONE
error: 0
[2013/03/20 13:52:20, 1, pid=2064, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
DnssrvUpdateRecord2: struct DnssrvUpdateRecord2
out: struct DnssrvUpdateRecord2
result : WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST

It looks like the last DNS update occurred on March 7th. I restored a backup from March 5th to a sandbox environment and it's displaying the same behavior. I then restored a December backup (taken just after performing the classicupgrade) and do not have the problem. I'm not sure what would be the best way to recover from this. Is there any way to reset DNS? Apart from that, all I can think to do is start at March 4th and restore each backup until the problem goes away. Would it be possible to restore AD (minus DNS) once this is done?

The last time a client successfully updated DNS was Mar 7 17:58:08:

Mar 7 17:58:08 ADC1 named[977]: samba_dlz: starting transaction on zone internal.testdom.com
Mar 7 17:58:08 ADC1 named[977]: samba_dlz: allowing update of signer=aspire\$\@INTERNAL.TESTDOM.COM name=ASPIRE.internal.testdom.com
[Samba] Samba4: File ownership for Domain Admins members
Hi

I've just installed Samba 4.0.4 on FreeBSD to test for the moment. Everything so far has gone very well: joining the domain, GPO's etc.

However one thing that is happening which I find unusual, is the owner of files created by a user who is a member of the Domain Admins group as well as Domain Users. All files created by the user are owned by id 300 (which I believe S4 maps to BUILTIN/Administrators) and not the actual user. If they are then removed from the Domain Admins groups (and so left only in Domain Users) and the file created, the owner is the actual user. I presumed a file would be owned by the user regardless of what group they were in.

These file tests were carried out on each user's home directory, which was also owned by the user. The question is: is that the way it's supposed to be?

Regards
Daren
Re: [Samba] Samba + ACLs: Can’t add group write permissions
Hi Marvin

I just tested it like this:

- Made a domain group called staff. getent group gives:
staff:*:21114:lynn2,steve2

- Domain users steve2 and lynn2 are members of staff

- Made a share in smb.conf:
[shared]
path = /home/shared
read only = No

- Set the ACL on /home/shared:
chown root:staff /home/shared
chmod g+s /home/shared
setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

drwxrws---+ 2 root staff 4096 Mar 28 09:58 shared

which gives:
# file: home/shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---

- Mounted the share:
mount -t cifs //hh1/shared /mnt -osec=krb5,multiuser

Here is a session with the 2 users:

steve@hh1:/mnt su steve2
Password:
steve2@hh1:/mnt touch hola.txt
steve2@hh1:/mnt ls -l
total 1024
-rwxrwx---+ 1 steve2 Domain Users 0 Mar 28 10:29 hola.txt
steve2@hh1:/mnt getfacl hola.txt
# file: hola.txt
# owner: steve2
# group: Domain40Users
user::rwx
user:steve2:rwx
group::rwx
group:Domain40Users:rwx
group:staff:rw-
mask::rwx
other::---
steve2@hh1:/mnt su lynn2
Password:
lynn2@hh1:/mnt echo foo hola.txt
lynn2@hh1:/mnt cat hola.txt
foo
lynn2@hh1:/mnt touch hola2.txt
lynn2@hh1:/mnt ls -l
total 2048
-rwxrwx---+ 1 lynn2 Domain Users 0 Mar 28 10:30 hola2.txt
-rwxrwx---+ 1 steve2 Domain Users 4 Mar 28 10:30 hola.txt
lynn2@hh1:/mnt

Notes:
- I set the ACL as group rw but it appears as rwx
- the sticky bit g+s is not working for file creation on the cifs mount
- the sticky bit only works on the unmounted share

lynn2@hh1:/home/shared touch hola3.txt
lynn2@hh1:/home/shared ls -l hola3.txt
-rw-rw+ 1 lynn2 staff 0 Mar 28 10:36 hola3.txt
lynn2@hh1:/home/shared getfacl hola3.txt
# file: hola3.txt
# owner: lynn2
# group: staff
user::rw-
group::rwx #effective:rw-
group:staff:rw-
mask::rw-
other:: - -

So, a bit of a mess. OK, so the group rw is working on this install but not for you. How about setting the ACL's as I have them and give it another try? Maybe mounting as multiuser also has something to do with it?

HTH to clear the confusion a bit. It's certainly got me even more ACL'd out than ever before :(

Cheers,
Steve

On Thu 28/03/13 9:40 AM, Quintus wrote:

On Tue, 26 Mar 2013 19:38:48 +0100, steve wrote:

WTF? Where did the write access for the group go?

Hi Marvin

Hi Steve,

Just a thought but I found out the hard way that when there are acl's set, e.g. in your file called test2, the -rw-r- bit of the listing bit bears little resemblance to what the actual permissions are. Have you actually checked to see that the file test2 really isn't group writeable? Maybe worth a quick test.

I just tested it with another user and no, the file is really not group-writable. But I found another really mysterious behaviour... This time I’ve connected as user steffi who is in the share group as well:

% sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt

I tried to create a file now as this user:

(1067) [9:28:47 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:28 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus 0 Mar 26 15:04 test2
(1068) [9:29:29 quintus@hades] /mnt % touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:29 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-+ 1 quintus quintus 0 Mar 26 15:04 test2
-rw-r-+ 1 1002 quintus 0 Mar 28 09:29 test3

That is, I get a permission denied on the touch command, but the file is there nevertheless...? How is this possible at all? Even worse, I cannot write to the file I just created:

(1070) [9:29:35 quintus@hades] /mnt % echo foo test3
zsh: permission denied: test3

And no, the file is really empty (I’ve checked it on the server via SSH). Writing to the files owned by someone else, but still in the share group doesn’t work either:

(1071) [9:31:19 quintus@hades] /mnt % echo foo test2
zsh: permission denied: test2

And again, this file really is empty.

On the server, the permissions are reported like this:

(433) [9:33:34 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-+ 1 steffi share 0 28. Mär 09:29 test3
(434) [9:33:41 quintus@avalon] /srv/cifs/share % getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---
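The getfacl output for test3 quoted in this thread can be evaluated mechanically. The Python below is an added example, not part of any post and not Samba code: it parses that output, applies the POSIX ACL mask rule, and reproduces both the access results reported for quintus and steffi and the mode string that ls prints. Function names are constructed, the users' primary group names are assumed, and `with_mask` models what `setfacl -m m::rw- test3` would change.

```python
# Added example (not from the thread): evaluate a POSIX ACL from getfacl output.
# Function names are constructed for this illustration.

# getfacl output for test3 as posted in the thread, one entry per line.
GETFACL_TEST3 = """\
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx      #effective:r--
group:share:rwx #effective:r--
mask::r--
other::---
"""


def parse_getfacl(text):
    """Parse getfacl text into owner, owning group and access entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop the trailing "#effective:" comment; it is recomputed below.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            acl["entries"].append((tag, qualifier, frozenset(perms) - {"-"}))
    return acl


def mask_of(acl):
    """Return the mask permissions, or None when the ACL has no mask entry."""
    for tag, _, perms in acl["entries"]:
        if tag == "mask":
            return perms
    return None


def effective_entries(acl):
    """Map (tag, qualifier) to effective permissions.

    The mask limits named users, the owning group and named groups.
    It never limits the file owner (user::) or other::.
    """
    mask = mask_of(acl)
    out = {}
    for tag, qualifier, perms in acl["entries"]:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        out[(tag, qualifier)] = perms & mask if masked and mask is not None else perms
    return out


def access(acl, user, groups, want):
    """POSIX ACL check order: owner, named user, any matching group, other."""
    eff = effective_entries(acl)
    if user == acl["owner"]:
        return want in eff[("user", "")]
    if ("user", user) in eff:
        return want in eff[("user", user)]
    matching = [perms for (tag, qualifier), perms in eff.items()
                if tag == "group" and (qualifier or acl["group"]) in groups]
    if matching:
        # A matching group entry that lacks the permission ends the search:
        # the check does not fall through to other::.
        return any(want in perms for perms in matching)
    return want in eff[("other", "")]


def ls_mode(acl):
    """Mode string ls -l shows for a regular file (special bits ignored).

    With a mask present, the group column displays the mask, not group::.
    """
    raw = {(tag, qualifier): perms for tag, qualifier, perms in acl["entries"]}
    mask = mask_of(acl)
    group_bits = mask if mask is not None else raw[("group", "")]

    def rwx(perms):
        return "".join(c if c in perms else "-" for c in "rwx")

    return ("-" + rwx(raw[("user", "")]) + rwx(group_bits)
            + rwx(raw[("other", "")]) + ("+" if mask is not None else ""))


def with_mask(acl, perms):
    """Copy of the ACL with its existing mask entry replaced by perms."""
    new_mask = frozenset(perms) - {"-"}
    entries = [(t, q, new_mask if t == "mask" else p) for t, q, p in acl["entries"]]
    return {**acl, "entries": entries}


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_TEST3)
    # Primary group names below are assumptions; "share" membership is from the thread.
    for who, groups in (("steffi", {"steffi", "share"}), ("quintus", {"quintus", "share"})):
        print(who, "may write:", access(acl, who, groups, "w"))
    print("ls shows:", ls_mode(acl))
    fixed = with_mask(acl, "rw-")
    print("mask rw-:", access(fixed, "quintus", {"quintus", "share"}, "w"), ls_mode(fixed))
```

On a file with an extended ACL, the group column of ls -l shows the mask, and chmod on the group bits rewrites the mask, so the listing and the individual group entries can disagree.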
Re: [Samba] samba-tool classicupgrade (from v3 to v4) aborts with Unable to get id for sid
- Original Message -
From: Jon Detert jdet...@infinityhealthcare.com
To: Andrew Bartlett abart...@samba.org
Cc: samba@lists.samba.org
Sent: Wednesday, March 27, 2013 4:37:59 PM
Subject: Re: [Samba] samba-tool classicupgrade (from v3 to v4) aborts with Unable to get id for sid

- Original Message -
From: Andrew Bartlett abart...@samba.org
To: Max Olivas moli...@northglenn.org
Cc: Jon Detert jdet...@infinityhealthcare.com, samba@lists.samba.org
Sent: Friday, March 22, 2013 7:01:34 AM
Subject: Re: [Samba] samba-tool classicupgrade (from v3 to v4) aborts with Unable to get id for sid

On Thu, 2013-03-21 at 10:15 -0600, Max Olivas wrote:

On 3/19/2013 at 8:28 AM, in message 2119021439.23770729.1363703293922.javamail.r...@infinityhealthcare.com, Jon Detert jdet...@infinityhealthcare.com wrote:

I'm trying to upgrade from samba3 - 4. I ran this command:

WORKDIR=/usr/local/mobius /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=$WORKDIR/var --use-xattrs=yes --realm=infinityhealthcare.com $WORKDIR/smb.conf

but it failed with the error given in this email's subject. What does it mean, and how do I fix it?

-- snip --

The big issue here is that passdb has never had a 'fsck', and Samba operates quite well as a 'classic' DC with an almost totally invalid database!

--snip --

As to what has happened in your particular instance, could you please post me the output of ldbdump private/idmap.ldb?

I'd be happy to, but I can't find ldbdump. I have tdbdump and

never mind. I found it. As to posting the dump for you - I'm not sure it's wise to post it to this list.

never mind. I was confused again. Here's the requested dump:

# /home/jdetert/samba4-master/bin/ldbdump /usr/local/samba/private/idmap.ldb
dn: CN=CONFIG
cn: CONFIG
upperBound: 400
lowerBound: None
xidNumber: None

dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534

dn: CN=S-1-5-21-4219228698-1431711829-1578001372-500
cn: S-1-5-21-4219228698-1431711829-1578001372-500
objectClass: sidMap
objectSid: S-1-5-21-4219228698-1431711829-1578001372-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-4219228698-1431711829-1578001372-513
cn: S-1-5-21-4219228698-1431711829-1578001372-513
objectClass: sidMap
objectSid: S-1-5-21-4219228698-1431711829-1578001372-513
type: ID_TYPE_GID
xidNumber: 100

dn: @INDEXLIST
@IDXATTR: xidNumber
@IDXATTR: objectSid

#
[Samba] (no subject)
Hello list,

I am adding a server as BDC with samba4; my PDC is samba 4 too. I read the how-to and everything was OK, but it gives me this error:

Partition[DC=eccmg,DC=cupet,DC=cu] objects[11735/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[12137/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[12539/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[12941/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[13343/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[13745/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[14147/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[14549/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[14951/15277] linked_values[0/0]
Partition[DC=eccmg,DC=cupet,DC=cu] objects[15353/15277] linked_values[255/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=eccmg,DC=cupet,DC=cu
Partition[DC=DomainDnsZones,DC=eccmg,DC=cupet,DC=cu] objects[399/399] linked_values[0/0]
Refusing to replicate DC=4\0ADEL:169f9b66-aeb6-4753-bba7-e27a96f0c3f5,CN=Deleted Objects,DC=DomainDnsZones,DC=eccmg,DC=cupet,DC=cu from a read-only repilca into a read-write replica!
Failed to convert object DC=4\0ADEL:169f9b66-aeb6-4753-bba7-e27a96f0c3f5,CN=Deleted Objects,DC=DomainDnsZones,DC=eccmg,DC=cupet,DC=cu: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
checking sAMAccountName
Deleted CN=OKA,OU=Domain Controllers,DC=eccmg,DC=cupet,DC=cu
Deleted CN=NTDS Settings,CN=OKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=eccmg,DC=cupet,DC=cu
Deleted CN=OKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=eccmg,DC=cupet,DC=cu
ERROR(type 'exceptions.TypeError'): uncaught exception - Failed to process chunk: NT code 0xc0002111
  File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /usr/local/samba/lib/python2.6/site-packages/samba/join.py, line 1104, in join_DC
    ctx.do_join()
  File /usr/local/samba/lib/python2.6/site-packages/samba/join.py, line 1009, in do_join
    ctx.join_replicate()
  File /usr/local/samba/lib/python2.6/site-packages/samba/join.py, line 756, in join_replicate
    replica_flags=ctx.replica_flags)
  File /usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py, line 252, in replicate
    schema=schema, req_level=req_level, req=req)

Can somebody help me?
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

Would this work:

###
def HexToByte( hexStr ):
    ##
    ## Taken from ActiveState Code recipes:
    ## http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
s4_passdb = passdb.PDB("samba4")

# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
admin_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(admin_userdata)
###

I'm trying to figure out how to connect to the local Samba4 database... What I have above 's4_passdb = passdb.PDB("samba4")' doesn't work. I tried 'ldb', 'samba_dsdb', and 'samba4' without success.

Any hints please?

Thanks!

- Original Message -
From: Andrew Bartlett abart...@samba.org
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org
Sent: Wednesday, March 27, 2013 6:18:15 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:

Hello Andrew,

I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best. Here we go anyway...

I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:

###
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?

Once that's done, from what I understand, I should be able to change the passwords directly:

###
# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
s4_passdb.update_sam_account(admin_userdata)
###

Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-
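The point made in the reply above (the hash attributes take raw bytes, not base16 strings), as an added example that is not part of the thread or of Samba's code: it validates each 32-digit hex hash and returns the 16 raw bytes, and it calls no Samba API. The names hash_hex_to_raw and prepare_updates and the bar-user record are hypothetical; the sample records are constructed, the first from the values in the post.

```python
import re

# A 16-byte NT or LM hash written as base16 is exactly 32 hex digits.
HASH_HEX = re.compile(r"[0-9A-Fa-f]{32}")


def hash_hex_to_raw(hex_str):
    """Return the 16 raw bytes for a 32-digit base16 NT or LM hash."""
    cleaned = hex_str.strip()
    # Validate first: bytes.fromhex() alone would accept embedded spaces
    # and any even number of digits.
    if not HASH_HEX.fullmatch(cleaned):
        raise ValueError("expected exactly 32 hex digits, got %r" % hex_str)
    return bytes.fromhex(cleaned)


def prepare_updates(records):
    """Split (user, nt_hex, lm_hex) records into usable and rejected ones.

    Returns ({user: (nt_raw, lm_raw)}, [(user, reason), ...]) so that a
    nightly job can log and skip bad entries instead of writing a
    malformed hash into the account database.
    """
    ready, rejected = {}, []
    for user, nt_hex, lm_hex in records:
        try:
            ready[user] = (hash_hex_to_raw(nt_hex), hash_hex_to_raw(lm_hex))
        except ValueError as exc:
            rejected.append((user, str(exc)))
    return ready, rejected


# Constructed input: the first record uses the hash strings from the post,
# the second has a deliberately truncated NT hash to show the rejection path.
SAMPLE = [
    ("foo-user", "878D8014606CDA29677A44EFA1353FC7",
     "552902031BEDE9EFAAD3B435B51404EE"),
    ("bar-user", "878D8014606CDA29", "552902031BEDE9EFAAD3B435B51404EE"),
]

if __name__ == "__main__":
    ready, rejected = prepare_updates(SAMPLE)
    for user, (nt_raw, lm_raw) in ready.items():
        print(user, len(nt_raw), len(lm_raw))
    for user, reason in rejected:
        print("skipped", user, reason)
```

Assigning the 32-character string directly, as in the quoted first attempt, would hand the API 32 bytes of ASCII instead of the 16-byte hash.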
[Samba] Internal DNS CNAME not working
Samba 4.0.0

I am running all of these commands from the PDC DC1.

/etc/resolv.conf
domain mydomain.com
nameserver 127.0.0.1

smb.conf does have a dns forwarder = 192.168.1.2

samba-001 the actual host name, and also a PDC, in the same domain. I would like to have the alias my-server point to samba-001.

I added a CNAME record:
bin/samba-tool dns add 127.0.0.1 mydomain.com my-server CNAME samba-001 -Uadministrator

I can query it.
bin/samba-tool dns query 127.0.0.1 mydomain.com my-server CNAME
Password for [administra...@mydomain.com]:
Name=, Records=1, Children=0
CNAME: samba-001. (flags=f0, serial=6, ttl=900)

Host finds it.
host -t CNAME my-server.mydomain.com
my-server.mydomain.com is an alias for samba-001.

I cannot ping it, it is not resolving properly.
ping samba-001, resolves to the proper IP
ping samba-001.mydomain.com, resolves to the proper IP
ping my-server, ping: unknown host
ping my-server.mydomain.com, ping: unknown host

--
Wayne Andersen
System Administrator
Clima-Tech Corporation
208-947-1849
Re: [Samba] Internal DNS CNAME not working
On Thursday, 28 March 2013, 23:42:50, Wayne Andersen wrote:

Samba 4.0.0

I am running all of these commands from the PDC DC1.

/etc/resolv.conf
domain mydomain.com
nameserver 127.0.0.1

smb.conf does have a dns forwarder = 192.168.1.2

samba-001 the actual host name, and also a PDC, in the same domain. I would like to have the alias my-server point to samba-001.

I added a CNAME record:
bin/samba-tool dns add 127.0.0.1 mydomain.com my-server CNAME samba-001 -Uadministrator

I can query it.
bin/samba-tool dns query 127.0.0.1 mydomain.com my-server CNAME
Password for [administra...@mydomain.com]:
Name=, Records=1, Children=0
CNAME: samba-001. (flags=f0, serial=6, ttl=900)

Host finds it.
host -t CNAME my-server.mydomain.com
my-server.mydomain.com is an alias for samba-001.

I cannot ping it, it is not resolving properly.
ping samba-001, resolves to the proper IP
ping samba-001.mydomain.com, resolves to the proper IP
ping my-server, ping: unknown host
, ping: unknown host

Which unix/linux distro and version are you running?

Try
strace ping -c1 my-server.mydomain.com
and look for errors.

I did the same tests here on opensuse (samba git master) and don't see that failure.

What do you get with:
dig @localhost my-server.mydomain.com
?

Cheers,
Günter
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via adbe6cb libcli/auth: avoid using transactions a chainlock is enough from 40d783c Call smb_panic when we try to exit the server uncleanly. This gives us the normal traceback and memory dump, but also runs the normal panic action. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit adbe6cba005a2060b0f641e91b500574f4637a36 Author: Stefan Metzmacher me...@samba.org Date: Wed Mar 27 08:43:18 2013 +0100 libcli/auth: avoid using transactions a chainlock is enough We're just writting a single record into a CLEAR_IF_FIRST|TDB_NOSYNC tdb. We just need to make sure we lock the record between reading and writting. Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Volker Lendecke v...@samba.org Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Thu Mar 28 14:52:14 CET 2013 on sn-devel-104 --- Summary of changes: libcli/auth/schannel_state_tdb.c | 36 ++-- 1 files changed, 26 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index bc91104..eecd00e 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c 
@@ -285,19 +285,41 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState *creds; NTSTATUS status; int ret; + char *name_upper = NULL; + char *keystr = NULL; + TDB_DATA key; + + if (creds_out != NULL) { + *creds_out = NULL; + } tmpctx = talloc_named(mem_ctx, 0, schannel_check_creds_state); if (!tmpctx) { return NT_STATUS_NO_MEMORY; } + name_upper = strupper_talloc(tmpctx, computer_name); + if (!name_upper) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + keystr = talloc_asprintf(tmpctx, %s/%s, +SECRETS_SCHANNEL_STATE, name_upper); + if (!keystr) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + key = string_term_tdb_data(keystr); + tdb_sc = open_schannel_session_store(tmpctx, lp_ctx); if (!tdb_sc) { status = NT_STATUS_ACCESS_DENIED; goto done; } - ret = tdb_transaction_start(tdb_sc-tdb); + ret = tdb_chainlock(tdb_sc-tdb, key); if (ret != 0) { status = NT_STATUS_INTERNAL_DB_CORRUPTION; goto done; @@ -310,7 +332,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, status = schannel_fetch_session_key_tdb(tdb_sc, tmpctx, computer_name, creds); if (!NT_STATUS_IS_OK(status)) { - tdb_transaction_cancel(tdb_sc-tdb); + tdb_chainunlock(tdb_sc-tdb, key); goto done; } @@ -318,19 +340,13 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, received_authenticator, return_authenticator); if (!NT_STATUS_IS_OK(status)) { - tdb_transaction_cancel(tdb_sc-tdb); + tdb_chainunlock(tdb_sc-tdb, key); goto done; } status = schannel_store_session_key_tdb(tdb_sc, tmpctx, creds); + tdb_chainunlock(tdb_sc-tdb, key); if (!NT_STATUS_IS_OK(status)) { - tdb_transaction_cancel(tdb_sc-tdb); - goto done; - } - - ret = tdb_transaction_commit(tdb_sc-tdb); - if (ret != 0) { - status = NT_STATUS_INTERNAL_DB_CORRUPTION; goto done; } -- Samba Shared Repository
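Review bot: in the first hunk (@@ -285) the lock key is rebuilt locally from strupper_talloc(computer_name) and SECRETS_SCHANNEL_STATE, while schannel_fetch_session_key_tdb() is still passed computer_name and schannel_store_session_key_tdb() is passed creds, so each of them has to arrive at its record key on its own. The chainlock only serializes the read-check-write of the credential state if all three produce the identical key. A shared helper that returns the TDB_DATA key, or at least a comment tying the three derivations together, would keep a later change to the key format from silently locking a different chain. Separately, a tdb_chainlock() failure still maps to NT_STATUS_INTERNAL_DB_CORRUPTION, carried over from the tdb_transaction_start() call it replaces; a failed lock is not necessarily corruption, and a more specific status would make the resulting log less misleading.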
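Review bot: in the second and third hunks (@@ -310 and @@ -318) tdb_chainunlock() is now called by hand on three paths: after the fetch failure, after the failed check that takes received_authenticator and return_authenticator, and after schannel_store_session_key_tdb(), each followed by goto done. Any error path added later between tdb_chainlock() and the store that forgets the unlock leaves the record locked. A dedicated label ahead of done that unlocks once, or a flag that done checks, would make that impossible to miss. The return value of tdb_chainunlock() is also dropped on all three paths; logging a failure there would help when debugging a stuck netlogon session.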
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ffe14d9 Optimization suggested by Volker. Don't do a stat system call on normal read path. from adbe6cb libcli/auth: avoid using transactions a chainlock is enough http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ffe14d99083fe5344fa7678e7ad780d930398427 Author: Jeremy Allison j...@samba.org Date: Mon Mar 25 09:54:50 2013 -0700 Optimization suggested by Volker. Don't do a stat system call on normal read path. Only do it if we need it in the sendfile() path. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Volker Lendecke v...@samba.org Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Thu Mar 28 17:51:22 CET 2013 on sn-devel-104 --- Summary of changes: source3/smbd/reply.c | 30 +++--- 1 files changed, 15 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 8b500c5..0d9f415 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -3666,11 +3666,6 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req, struct lock_struct lock; int saved_errno = 0; - if(fsp_stat(fsp) == -1) { - reply_nterror(req, map_nt_error_from_unix(errno)); - return; - } - init_strict_lock_struct(fsp, (uint64_t)req-smbpid, (uint64_t)startpos, (uint64_t)smb_maxcnt, READ_LOCK, lock); @@ -3680,16 +3675,6 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req, return; } - if (!S_ISREG(fsp-fsp_name-st.st_ex_mode) || - (startpos fsp-fsp_name-st.st_ex_size) - || (smb_maxcnt (fsp-fsp_name-st.st_ex_size - startpos))) { - /* -* We already know that we would do a short read, so don't -* try the sendfile() path. -*/ - goto nosendfile_read; - } - /* * We can only use sendfile on a non-chained packet * but we can use on a non-oplocked file. tridge proved this 
@@ -3704,6 +3689,21 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req, uint8 headerbuf[smb_size + 12 * 2]; DATA_BLOB header; + if(fsp_stat(fsp) == -1) { + reply_nterror(req, map_nt_error_from_unix(errno)); + goto strict_unlock; + } + + if (!S_ISREG(fsp-fsp_name-st.st_ex_mode) || + (startpos fsp-fsp_name-st.st_ex_size) || + (smb_maxcnt (fsp-fsp_name-st.st_ex_size - startpos))) { + /* +* We already know that we would do a short read, so don't +* try the sendfile() path. +*/ + goto nosendfile_read; + } + /* * Set up the packet header before send. We * assume here the sendfile will work (get the -- Samba Shared Repository
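Review bot: with the fsp_stat() call and the S_ISREG/size check removed from the top of send_file_readX() (hunks @@ -3666 and @@ -3680), fsp->fsp_name->st is no longer refreshed on the normal read path. Please confirm that nothing reached through nosendfile_read, or after the sendfile block, still reads st.st_ex_size or st.st_ex_mode and would now see stale values; a one-line comment at the label saying the stat data may be stale there would document the assumption.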
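Review bot: in the last hunk (@@ -3704) the fsp_stat() failure path changes from return to goto strict_unlock, which is needed now that the call sits after the strict lock check, but the commit message only describes the optimization. A sentence there noting the changed error path would help anyone bisecting a lock leak later. Minor style point in the same hunk: if(fsp_stat(fsp) == -1) is missing the space after if, which is worth fixing while the lines are being moved.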
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7fd926f Make sure that we only propogate the INHERITED flag when we are allowed to. from ffe14d9 Optimization suggested by Volker. Don't do a stat system call on normal read path. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7fd926fcdcb92a8e1e2b0c29371f2eb2ae4057df Author: Richard Sharpe realrichardsha...@gmail.com Date: Wed Mar 27 19:36:43 2013 -0700 Make sure that we only propogate the INHERITED flag when we are allowed to. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Richard Sharpe realrichardsha...@gmail.com Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Mar 28 19:43:41 CET 2013 on sn-devel-104 --- Summary of changes: libcli/security/secdesc.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c index d2c5833..a7e9900 100644 --- a/libcli/security/secdesc.c +++ b/libcli/security/secdesc.c @@ -614,7 +614,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, if (!container) { new_flags = 0; } else { - new_flags = ~SEC_ACE_FLAG_INHERIT_ONLY; + new_flags = ~(SEC_ACE_FLAG_INHERIT_ONLY + | SEC_ACE_FLAG_INHERITED_ACE); if (!(new_flags SEC_ACE_FLAG_CONTAINER_INHERIT)) { new_flags |= SEC_ACE_FLAG_INHERIT_ONLY; -- Samba Shared Repository
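Review bot: the new mask in se_create_child_secdesc() clears SEC_ACE_FLAG_INHERITED_ACE unconditionally in the container branch, while the commit message says the flag is propagated only "when we are allowed to". The hunk does not show where the flag is set again for the child ACE, so a short comment above the new_flags assignment stating which condition permits it, and where that is applied, would make the intent checkable. The summary lists only libcli/security/secdesc.c, so no test accompanies a change to how inherited ACE flags are computed; a case covering a parent ACE that already carries the inherited flag would pin the behaviour.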