[Samba] Samba 3.0.23d + winbind
Hello,

I have AIX 5.2.0.0; this server has (Samba 3.0.23d + winbind) installed. Users of the NT domain are working OK; these users are authenticated OK (see smb.conf).

    [global]
    workgroup = Mydomain
    server string = My server samba
    security = DOMAIN
    auth methods = guest, winbind, sam
    map to guest = Bad User
    passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
    guest account = guest
    username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
    log level = 0
    name resolve order = wins lmhosts host bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    machine password timeout = 86400
    preferred master = No
    local master = No
    dns proxy = No
    wins server = Myserver WINS
    ldap ssl = no
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

NOW, I need to change NT for Active Directory WIN2003 Server, and SMB.CONF is not working properly (see smb.conf).

    workgroup = Mydomain
    server string = Myserver samba
    security = SERVER
    password server = my server AD
    auth methods = guest, winbind, sam
    map to guest = Bad User
    passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
    guest account = guest
    username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
    log level = 0
    name resolve order = wins lmhosts host bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    machine password timeout = 86400
    preferred master = No
    local master = No
    dns proxy = No
    wins server = My wins server
    ldap ssl = no
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

This smb.conf redirects all incoming connections to the AD server for authentication, but it is not working.

This command works OK:

    ./net rpc join -S ADSERV -U wbinfo -u winfo -g

Please help me

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: slow logon with many ldap groups
> > Dear all,
> >
> > I'm having some problems with my samba-ldap configuration. The server is a domain controller. Most of the time there is no problem. But when some users try to logon, the workstation gets very slow. After some testing I found the cause. When a user is a member of many ldap groups (more than 64), I get the following error:
> >
> > smbd[32384]: nss_ldap: could not get LDAP result - Decoding error
>
> 99% that's a nss_ldap bug. Can you try to upgrade that and the openldap libs?

Thanks Volker,

After the update of nss_ldap the logon problem is solved. All works fine. Only when I reboot my server it takes very long (about 5 min) to start the named service and another 5 mins to start ldap. Any idea?
Re: [Samba] Re: slow logon with many ldap groups
Are you now timing out on dns during boot? Check your /etc/nsswitch.conf and /etc/resolv.conf

As this is an old Centos, maybe the startup scripts are not ordered well - is the network interface up correctly when named and ldap start?

2009/1/22 Robin Harteveld robinhartev...@gmail.com

> > > Dear all,
> > >
> > > I'm having some problems with my samba-ldap configuration. The server is a domain controller. Most of the time there is no problem. But when some users try to logon, the workstation gets very slow. After some testing I found the cause. When a user is a member of many ldap groups (more than 64), I get the following error:
> > >
> > > smbd[32384]: nss_ldap: could not get LDAP result - Decoding error
> >
> > 99% that's a nss_ldap bug. Can you try to upgrade that and the openldap libs?
>
> Thanks Volker,
>
> After the update of nss_ldap the logon problem is solved. All works fine. Only when I reboot my server it takes very long (about 5 min) to start the named service and another 5 mins to start ldap. Any idea?

--
Q
[Samba] Question regarding permission bits for a share
Hi,

Relative Samba newbie here. I have a laptop which has to remain set to a Windows NT Domain instead of a workgroup. I found that even from this laptop I can still map a network drive to my Samba server. However, when I drag and drop files the permission bits for group are not set the way I want them to be; there remain no permissions for the group. Now I would like the group to have read/write permissions set automatically.

Another computer I have on my network is set to the Samba workgroup and dragging/dropping from this computer sets the permissions for group properly. The only problem I have is setting permissions for group properly when I drag and drop from a laptop set to a Windows NT Domain.

Here is my share definition...

    [ABCDEFGHIJK]
    comment = ABCDEFGHIJK
    path = /path/to/the/directory
    guest account = ours
    read only = no
    create mask = 0760
    guest ok = yes
    browseable = yes
    writable = yes
    directory mask = 0770
    volume = ABCDEFGHIJK
    force create mode = 775
    force directory mode = 775

Any suggestions for me to get this working the way I want? Again, what I want is to get the group bits set to read/write when I drag/drop files from a laptop set to a Windows NT Domain and not a workgroup.

Thanks!
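How the mask and force parameters in the share definition above combine can be worked through with a short model. This is an added example, not part of the original post and not Samba's code: it assumes the smb.conf(5) rules (the mask is ANDed with the mode mapped from the DOS attributes, then the force mode is ORed in) and ignores inherit permissions, ACLs and anything the filesystem applies afterwards; load_share, new_mode, forced_past_mask and describe are names chosen here.

```python
"""Model of the mode bits smbd gives new files and directories on a share.

Added example, not Samba source: mask is ANDed, force mode is then ORed,
as smb.conf(5) describes. Inherit permissions and ACLs are not modelled.
"""
import configparser
import stat

# Share definition as posted in the message above.
SHARE = """\
[ABCDEFGHIJK]
comment = ABCDEFGHIJK
path = /path/to/the/directory
guest account = ours
read only = no
create mask = 0760
guest ok = yes
browseable = yes
writable = yes
directory mask = 0770
volume = ABCDEFGHIJK
force create mode = 775
force directory mode = 775
"""

# Values used when a parameter is absent (Samba 3.x defaults per smb.conf(5)).
DEFAULTS = {
    "create mask": "0744",
    "force create mode": "000",
    "directory mask": "0755",
    "force directory mode": "000",
}


def load_share(text, name):
    """Parse one share stanza; '=' is the only delimiter and '%' stays literal."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return dict(parser[name])


def octal(share, key):
    """Mode parameters are octal with or without a leading zero (775 == 0775)."""
    return int(share.get(key, DEFAULTS[key]), 8)


def new_mode(share, is_dir=False, dos_readonly=False, dos_archive=True):
    """Permission bits for a newly created file or directory."""
    mode = 0o666                  # rw for user, group and other before masking
    if dos_readonly:
        mode &= ~0o222            # DOS read-only clears every write bit
    if is_dir:
        mode |= 0o200 | 0o111     # owner write is kept, search bits are added
        mask, force = "directory mask", "force directory mode"
    else:
        if dos_archive:
            mode |= 0o100         # default "map archive": archive -> owner x
        mask, force = "create mask", "force create mode"
    return (mode & octal(share, mask)) | octal(share, force)


def forced_past_mask(share, is_dir=False):
    """Bits the force parameter grants although the mask had removed them."""
    if is_dir:
        mask, force = "directory mask", "force directory mode"
    else:
        mask, force = "create mask", "force create mode"
    return octal(share, force) & ~octal(share, mask) & 0o777


def describe(mode, is_dir=False):
    """Render permission bits the way ls -l does."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)


if __name__ == "__main__":
    share = load_share(SHARE, "ABCDEFGHIJK")
    for is_dir in (False, True):
        kind = "directory" if is_dir else "file"
        mode = new_mode(share, is_dir=is_dir)
        extra = forced_past_mask(share, is_dir=is_dir)
        print(f"{kind:9} {describe(mode, is_dir)}  forced past mask: {extra:04o}")
```

Under this model the posted settings give new files and directories the same mode, and the force parameters put back group execute and other read/execute bits that the masks had removed, which is worth knowing on a share with guest ok = yes.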
[Samba] Log partition fills, process hangs... Need help debugging
Greetings List,

I've had a persistent problem that's been going on for a couple years, through several Samba and Linux upgrades, and I need some ideas on how to debug this and provide enough useful information to solve the issue.

Here are the symptoms:

1) An instance of smbd spins one CPU up to 100% utilization, and can only be kill -9'ed.

2) Either because of #1, or causing #1 (hard to tell which) the partition that the samba log files are on fills completely. The sum of all file sizes of all log files does not equal the amount of space on the partition - it *should* be less than 25% full. Simply deleting the log files out from under the running smbd processes does not reduce the amount of used blocks on the filesystem. Only killing the smbd process discussed above returns the used space.

3) Most other processes continue to function normally, except for a few profile loading errors, or delayed write failed errors, since the log filesystem (which also has the locks directory and tdbs on it) is full. These errors disappear after killing the aforementioned process.

4) The log files say nothing out of the ordinary when this occurs

5) I can make this occur every day or two if I turn the logging level up, and/or set the max log file size to anything over 5k.

6) With the logging turned down to the lowest level, and the log files set to turn over at 5k, the system will go for months without issue.

Currently, this system is Fedora 9, Samba 3.0.29 (compiled from source). Although, I've had this error occur across several distributions and samba versions over the past couple years.

I'd love to post log file entries, but they never contain anything unusual, even if I turn them way up, and cause the error to happen quickly.

I'm stumped. Any ideas on what to try?

Thanks,
-John
Re: [Samba] Re: slow logon with many ldap groups
Hi

can you try

    nss_initgroups_ignoreusers ldap

in /etc/ldap.conf

regards
Hansjörg

Robin Harteveld wrote:

> > > Dear all,
> > >
> > > I'm having some problems with my samba-ldap configuration. The server is a domain controller. Most of the time there is no problem. But when some users try to logon, the workstation gets very slow. After some testing I found the cause. When a user is a member of many ldap groups (more than 64), I get the following error:
> > >
> > > smbd[32384]: nss_ldap: could not get LDAP result - Decoding error
> >
> > 99% that's a nss_ldap bug. Can you try to upgrade that and the openldap libs?
>
> Thanks Volker,
>
> After the update of nss_ldap the logon problem is solved. All works fine. Only when I reboot my server it takes very long (about 5 min) to start the named service and another 5 mins to start ldap. Any idea?

--
Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft
Institut fuer Robotik und Mechatronik
Dr. Hansjörg Maurer
LAN- und Systemmanager
Münchner Strasse 20
82234 Wessling
Germany
Telefon: 08153/28-2431
Telefax: 08153/28-1134
E-Mail: hansjoerg.mau...@dlr.de
Internet: http://www.robotic.dlr.de/

There are 10 types of people in this world, those who understand binary and those who don't.
[Samba] Samba LDAP PDC not working together
Hi,

I have configured my machine to run samba and LDAP as the PDC. But whenever I enter the passdb backend: ldapsam:ldap://localhost/ on my smb.conf, I see from my SWAT that smbd is not running and I cannot join the domain. Below are my smb.conf and slapd.conf files

smb.conf

    # Samba config file created using SWAT
    # from 0.0.0.0 (0.0.0.0)
    # Date: 2009/01/22 16:01:58

    [global]
    workgroup = LONDIANI
    server string = Samba Server Version %v
    map to guest = Bad User
    passdb backend = ldapsam:ldap://localhost/
    printcap name = /etc/printcap
    logon path = \\%L\profiles\%U
    logon drive = M:
    logon home = \\%L\%U\.profiles
    domain logons = Yes
    os level = 50
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = uid=root,dc=kefri,dc=org
    ldap group suffix = ou=group,dc=kefri,dc=org
    ldap machine suffix = ou=machines,dc=kefri,dc=org
    ldap passwd sync = Yes
    ldap suffix = dc=kefri,dc=org
    ldap user suffix = ou=people,dc=kefri,dc=org
    printing = cups
    cups options = raw
    print command =
    lpq command = %p
    lprm command =

    [netlogon]
    path = /etc/samba/netlogon
    write list = admin
    read only = No
    guest ok = Yes

    [profiles]
    path = /etc/samba/profiles
    read only = No
    create mask = 0600

    [homes]
    comment = Linux Home org space
    path = %H
    valid users = %S
    read only = No
    create mask = 0600
    locking = No

    [share]
    path = /etc/samba/share
    read only = No

    [cdrom]
    comment = Linux CD-ROM
    path = /media/cdrom
    locking = No
    root preexec = /bin/mount /dev/cdrom /media/cdrom
    root postexec = /bin/umount /media/cdrom

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

slapd.conf

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_anon_dn

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    # Load dynamic backend modules:
    # modulepath /usr/lib64/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la

    # The next three lines allow use of TLS for encrypting connections using a
    # dummy test certificate which you can generate by changing to
    # /etc/pki/tls/certs, running make slapd.pem, and fixing permissions on
    # slapd.pem so that the ldap user or group can read it. Your client software
    # may balk at self-signed certificates, however.
    # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

    # Sample security restrictions
    #Require integrity protection (prevent hijacking)
    #Require 112-bit (3DES or better) encryption for updates
    #Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    #Root DSE: allow anyone to read it
    #Subschema (sub)entry DSE: allow anyone to read it
    #Other DSEs:
    #Allow self write access
    #Allow authenticated users read access
    #Allow anonymous users to authenticate
    #Directives needed to implement policy:
    # access to dn.base= by * read
    # access to dn.base=cn=Subschema by * read
    # access to *
    #by self write
    #by users read
    #by anonymous auth
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., access to * by * read)
    #
    # rootdn can always read and write EVERYTHING!

    ###
    # ldbm and/or bdb database definitions
    ###

    database bdb
    suffix dc=kefri,dc=org
    rootdn uid=root,dc=kefri,dc=org
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    #rootpw secret
    # rootpw {crypt}ijFYNcSNctBYg
    rootpw {SSHA}+KMNtuLOV40UQ1HzHiXzi9KgalThtC0w
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap
    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index
Re: [Samba] Samba 3.0.23d + winbind
Hi,

Does your Active Directory use Kerberos or LDAP to authenticate the users?

If Kerberos, use:

    security = ads

plus other configurations for Kerberos support.

If LDAP, use:

    security = domain
    password server = netbiosName or dnsName or hosts

No IP address; that is not resolved here.

Check this link. It is in Spanish, but it's an example; in the samba.org how-to, something like that appears in English:
http://proyectofedora.org/wiki/index.php/Proxies/Squid/Squid_en_dominios_Windows#Archivos_de_configuraci.C3.B3n

Ariel Llauger Rabaza wrote:

> Hello,
>
> I have AIX 5.2.0.0; this server has (Samba 3.0.23d + winbind) installed. Users of the NT domain are working OK; these users are authenticated OK (see smb.conf).
>
>     [global]
>     workgroup = Mydomain
>     server string = My server samba
>     security = DOMAIN
>     auth methods = guest, winbind, sam
>     map to guest = Bad User
>     passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
>     guest account = guest
>     username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
>     log level = 0
>     name resolve order = wins lmhosts host bcast
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     load printers = No
>     machine password timeout = 86400
>     preferred master = No
>     local master = No
>     dns proxy = No
>     wins server = Myserver WINS
>     ldap ssl = no
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>
> NOW, I need to change NT for Active Directory WIN2003 Server, and SMB.CONF is not working properly (see smb.conf).
>
>     workgroup = Mydomain
>     server string = Myserver samba
>     security = SERVER
>     password server = my server AD
>     auth methods = guest, winbind, sam
>     map to guest = Bad User
>     passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
>     guest account = guest
>     username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
>     log level = 0
>     name resolve order = wins lmhosts host bcast
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     load printers = No
>     machine password timeout = 86400
>     preferred master = No
>     local master = No
>     dns proxy = No
>     wins server = My wins server
>     ldap ssl = no
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>
> This smb.conf redirects all incoming connections to the AD server for authentication, but it is not working.
>
> This command works OK:
>
>     ./net rpc join -S ADSERV -U wbinfo -u winfo -g
>
> Please help me
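The advice in the reply above can be turned into a small check over the [global] section. This is an added example, not part of the thread and not a Samba tool: it flags security = server (pass-through logons to another SMB server, a mode later Samba releases removed), security = ads without a realm, and IP addresses in password server as the reply advises against. The realm and host name in SUGGESTED are placeholders, and load_global, is_ip and review are names chosen here.

```python
"""Review the [global] authentication settings discussed in this thread.

Added example, not part of Samba: three checks drawn from the reply above.
"""
import configparser
import ipaddress

# Settings from the second smb.conf in the thread, values as posted.
POSTED = """\
[global]
workgroup = Mydomain
security = SERVER
password server = my server AD
auth methods = guest, winbind, sam
map to guest = Bad User
ldap ssl = no
winbind use default domain = Yes
"""

# Constructed variant following the reply's Kerberos advice; the realm and
# host name are placeholders, not values from the thread.
SUGGESTED = """\
[global]
workgroup = Mydomain
security = ads
realm = EXAMPLE.INVALID
password server = dc1.example.invalid
winbind use default domain = Yes
"""


def load_global(text):
    """Return the [global] parameters; '=' is the only delimiter."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return dict(parser["global"])


def is_ip(token):
    """True when the token is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def review(settings):
    """Return (code, message) findings for the authentication settings."""
    findings = []
    security = settings.get("security", "user").strip().lower()
    if security == "server":
        findings.append((
            "SEC_SERVER",
            "security = server hands each logon to another SMB server; "
            "join the domain and use security = ads or domain instead",
        ))
    if security == "ads" and not settings.get("realm", "").strip():
        findings.append((
            "ADS_NO_REALM",
            "security = ads needs realm set to the Kerberos realm",
        ))
    if security in ("ads", "domain", "server"):
        servers = settings.get("password server", "").replace(",", " ").split()
        literal = [s for s in servers if is_ip(s)]
        if literal:
            findings.append((
                "PWSERVER_IP",
                "password server lists IP addresses (%s); use NetBIOS or "
                "DNS names as the reply advises" % ", ".join(literal),
            ))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        results = review(load_global(text))
        print(label, "->", [code for code, _ in results] or "no findings")
```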
Re: [Samba] Samba 3.0.23d + winbind
Another test you may do is:

    wbinfo -a username%password

Another test is to debug the winbindd service, using --debuglevel=3 or another number; this output should be written to a log file on your Linux system. With the parameters -Si --debuglevel=3, it prints debug output to stdout.

orlandox wrote:

> Hi,
>
> Does your Active Directory use Kerberos or LDAP to authenticate the users?
>
> If Kerberos, use:
>
>     security = ads
>
> plus other configurations for Kerberos support.
>
> If LDAP, use:
>
>     security = domain
>     password server = netbiosName or dnsName or hosts
>
> No IP address; that is not resolved here.
>
> Check this link. It is in Spanish, but it's an example; in the samba.org how-to, something like that appears in English:
> http://proyectofedora.org/wiki/index.php/Proxies/Squid/Squid_en_dominios_Windows#Archivos_de_configuraci.C3.B3n
>
> Ariel Llauger Rabaza wrote:
>
> > Hello,
> >
> > I have AIX 5.2.0.0; this server has (Samba 3.0.23d + winbind) installed. Users of the NT domain are working OK; these users are authenticated OK (see smb.conf).
> >
> >     [global]
> >     workgroup = Mydomain
> >     server string = My server samba
> >     security = DOMAIN
> >     auth methods = guest, winbind, sam
> >     map to guest = Bad User
> >     passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
> >     guest account = guest
> >     username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
> >     log level = 0
> >     name resolve order = wins lmhosts host bcast
> >     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >     load printers = No
> >     machine password timeout = 86400
> >     preferred master = No
> >     local master = No
> >     dns proxy = No
> >     wins server = Myserver WINS
> >     ldap ssl = no
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     winbind use default domain = Yes
> >
> > NOW, I need to change NT for Active Directory WIN2003 Server, and SMB.CONF is not working properly (see smb.conf).
> >
> >     workgroup = Mydomain
> >     server string = Myserver samba
> >     security = SERVER
> >     password server = my server AD
> >     auth methods = guest, winbind, sam
> >     map to guest = Bad User
> >     passdb backend = tdbsam:/opt/pware/samba/3.0.23d/private/passdb.tdb
> >     guest account = guest
> >     username map = /opt/pware/samba/3.0.23d/lib/smb_users.map
> >     log level = 0
> >     name resolve order = wins lmhosts host bcast
> >     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >     load printers = No
> >     machine password timeout = 86400
> >     preferred master = No
> >     local master = No
> >     dns proxy = No
> >     wins server = My wins server
> >     ldap ssl = no
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     winbind use default domain = Yes
> >
> > This smb.conf redirects all incoming connections to the AD server for authentication, but it is not working.
> >
> > This command works OK:
> >
> >     ./net rpc join -S ADSERV -U wbinfo -u winfo -g
> >
> > Please help me
Re: [Samba] Samba 3.2.7 server loses printer - driver assignment - aditional info
Jeremy Allison wrote: On Wed, Jan 21, 2009 at 09:54:03AM +0100, Remy Zandwijk wrote: OK, we have a backtrace (using dbx from Sun Studio): /opt/SUNWspro/bin/dbx -I /var/tmp/source -S /opt/samba/sbin/smbd 24586 Reading smbd Reading ld.so.1 Reading libthread.so.1 Reading libldap.so.5 Reading libcups.so.2 Reading libz.so.1 Reading libpthread.so.1 Reading libresolv.so.2 Reading libnsl.so.1 Reading libsocket.so.1 Reading libm.so.1 Reading libsec.so.1 Reading libsendfile.so.1 Reading libdl.so.1 Reading libtalloc.so.1 Reading libtdb.so.1 Reading libwbclient.so.0 Reading libc.so.1 Reading librt.so.1 Reading libmd5.so.1 Reading libmp.so.2 Reading libaio.so.1 Reading libc_psr.so.1 Reading UTF-16LE%CP850.so Reading CP850%UTF-16LE.so Reading nss_files.so.1 Reading nss_ldap.so.1 Reading libsldap.so.1 Reading libdoor.so.1 Attached to process 24586 t...@1 (l...@1) stopped in _waitid at 0x7d1a8788 0x7d1a8788: _waitid+0x0008: ta %icc,0x0040 Current function is smb_panic (optimized) dbx: warning: File `util.c' has been modified more recently than `smbd' 1669 result = system(cmd); (dbx) where current thread: t...@1 [1] _waitid(0x0, 0x600b, 0x7fffee40, 0x103, 0x0, 0x0), at 0x7d1a8788 [2] _libc_waitpid(0x600b, 0x7000, 0x100, 0xfff8, 0x0, 0x7071), at 0x7d1603a0 [3] system(0x100862200, 0x100862200, 0x10060f770, 0x1, 0x684, 0x1007b43d0), at 0x7d19e744 =[4] smb_panic(why = ???) (optimized), at 0x100318de4 (line ~1669) in util.c [5] cups_pcap_load_async(pfd = ???) (optimized), at 0x1002d26e4 (line ~393) in print_cups.c [6] cups_cache_reload() (optimized), at 0x1002d2e24 (line ~522) in print_cups.c [7] pcap_cache_reload() (optimized), at 0x1002d0e4c (line ~149) in pcap.c [8] reload_printers() (optimized), at 0x10058dbb8 (line ~799) in server.c [9] check_reload(t = ???) (optimized), at 0x100100b98 (line ~1887) in process.c [10] timeout_processing(select_timeout = ???, last_timeout_processing_time = ???) 
(optimized), at 0x100100c00 (line ~1908) in process.c [11] smbd_process() (optimized), at 0x1001010b0 (line ~2078) in process.c [12] main(argc = ???, argv = ???) (optimized), at 0x10058f180 (line ~1450) in server.c (dbx) From the logfile: [2009/01/21 08:57:01, 0] lib/util_tdb.c:(682) tdb(/var/opt/samba/locks/printing/st-compacta.tdb): tdb_reopen: file dev/inode has changed! Ok, you're hitting a strange panic I've only ever heard of on CentOS before. It's caused by too strict checking in the reinit_after_fork code. Here is the patch that has gone in for 3.2.8. Jeremy. -- next part -- diff --git a/source/Makefile.in b/source/Makefile.in index 730e130..a4944b1 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -693,7 +693,7 @@ NMBD_OBJ = $(NMBD_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \ web/swat.o web/neg_lang.o -SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(LIBSMB_OBJ) \ +SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(PRINTBASE_OBJ) $(LIBSMB_OBJ) \ $(LOCKING_OBJ) $(PASSDB_OBJ) @LIBWBCLIENT_STATIC@ $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) $(GROUPDB_OBJ) $(PLAINTEXT_AUTH_OBJ) \ $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) $(RPC_PARSE_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBMSRPC_OBJ) \ diff --git a/source/printing/print_cups.c b/source/printing/print_cups.c index 1bb149c..f3eb73c 100644 --- a/source/printing/print_cups.c +++ b/source/printing/print_cups.c 
@@ -388,6 +388,8 @@ static bool cups_pcap_load_async(int *pfd) } /* Child. */ + close_all_print_db(); + if (!reinit_after_fork(smbd_messaging_context(), true)) { DEBUG(0,(cups_pcap_load_async: reinit_after_fork() failed\n)); smb_panic(cups_pcap_load_async: reinit_after_fork() failed); I got the same crash and then applied your patch. commit 101ef64e3181335b66524296af08f7df04391b9a . The panics stopped, but we I still have user who lose their printing settings/ driver assignment. And if one loses it its a short while till people start reporting that they are unable to print. From what i can figure out its seems to relate to the amount of clients that are connected to the server. I currently have 2 servers on the 3.2. (3.2.7 + the above patch). With one server that has about 35 clients at any time the drivers get unset about 2-3 times a day. My second server that is in a now almost empty branch office has about 5 clients and there the driver unset about once per 3 days. The machines are almost identical and both run gentoo. I hope this info helps. -Martijn -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
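Review bot: the SWAT_OBJ hunk in source/Makefile.in adds $(PRINTBASE_OBJ) with nothing in the patch saying why swat now needs it. If it is there to resolve close_all_print_db(), which the print_cups.c hunk starts calling and which swat pulls in through $(PRINTING_OBJ), the commit message should say so, and any other target that links $(PRINTING_OBJ) without $(PRINTBASE_OBJ) should be checked for the same unresolved symbol.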
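Review bot: in the child branch of cups_pcap_load_async(), close_all_print_db() is placed directly before reinit_after_fork() but no comment records that the order matters. The log quoted in this thread shows tdb_reopen failing on a printing tdb with "file dev/inode has changed", so a one-line comment above the call stating that the printing tdbs are closed first so that reinit_after_fork() does not attempt to reopen them would keep a later cleanup from moving or dropping it. The unchanged context still calls smb_panic() when reinit_after_fork() fails, so it is worth confirming no other tdb handle open in the child can trip the same check.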
[Samba] getent group shows AD groups; getent passwd only shows local users
I had winbind configured so that it could fetch users from AD. Everything was working properly, but something happened in the past couple of days (no change in the Samba config) I'm not able to diagnose.

getent group enumerates groups, getent passwd doesn't.

wbinfo -g returns groups, whereas I get this error when trying to get users:

    # wbinfo -u
    Error looking up domain users

    # net rpc join -S GNCNET -U user_linux
    Password:
    Joined domain NUT.

    # net ads join -S GNCNET -U user_linux
    user_linux's password:
    [2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286)
      ads_connect: No logon servers
    Failed to join domain: No logon servers

I see the Samba machine sends and receives packets on port 389 when I do getent passwd, but just no users are returned. Ideas?

This is my smb.conf:

    workgroup = NUT
    password server = GNCNET
    realm = GNCNET.GEORGIANUT.COM
    security = ads
    idmap uid = 1-2
    idmap gid = 1-2
    winbind separator = +
    template homedir = /home/%D/cbl
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    server string = Samba Server %v
    encrypt passwords = Yes
    log file = /var/log/samba/log.%m
    max log size = 100
    log level = 8
    os level = 18
    local master = No
    dns proxy = No
    winbind enum users = yes
    winbind enum groups = yes

In log.winbindd I can see errors like:

    [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
      ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) - Operations error
    [2009/01/22 10:44:55, 3] libads/ldap_utils.c:ads_do_search_retry_internal(76)
      Reopening ads connection to realm 'GEORGIANUT.COM' after error Operations error
    [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
      sitename_fetch: Returning sitename for georgianut.com: Default-First-Site-Name
    [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
      ads_find_dc: looking for realm 'georgianut.com'
    [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
      get_sorted_dc_list: attempting lookup for name georgianut.com (sitename Default-First-Site-Name) using [ads]

--
Tomasz Chmielewski
http://wpkg.org
[Samba] List search question
Hello everyone,

I'm a new member here at Samba lists. I've been a lightweight Samba user for several years, but now I am investigating replacing our Active Directory domain with a pure Samba domain.

I already have a few questions, but before I start posting them I thought I'd ask about searching the list archives. I might be missing something here, but I haven't found a way to do it? I found the list archives, but it would be impractical to browse through all the historical postings to find an answer. Surely there is a way to search that I haven't found? If so, I'd love some pointers. Then I can search for answers to my questions before I begin posting them here. I don't want to rehash old topics if it's not necessary.

Thanks in advance for your help!

Troy
Re: [Samba] List search question
On Thu, Jan 22, 2009 at 11:52:13AM -0600, Troy Heidner wrote:

> I'm a new member here at Samba lists. I've been a lightweight Samba user for several years, but now I am investigating replacing our Active Directory domain with a pure Samba domain.
>
> I already have a few questions, but before I start posting them I thought I'd ask about searching the list archives. I might be missing something here, but I haven't found a way to do it? I found the list archives, but it would be impractical to browse through all the historical postings to find an answer. Surely there is a way to search that I haven't found? If so, I'd love some pointers. Then I can search for answers to my questions before I begin posting them here. I don't want to rehash old topics if it's not necessary.

Hi Troy,

I would recommend searching from Google, and after the keywords you want to search for, append site:lists.samba.org/archive/samba/. For example, here's the URL for the search 'active directory replacement':

http://www.google.com/search?hl=enq=active+directory+replacement+site%3Alists.samba.org%2Farchive%2Fsamba%2FbtnG=Search

It won't include messages posted since the last time Google indexed the site, but otherwise it works pretty well.

Dan
Re: [Samba] LDAP Account Manager 2.5.0 released
Just going to be direct, not to insult or disparage. First thoughts were:

Cool, an LDAP browser/interface.

Ugh, it's in PHP.

Hmm, it seems to be specific to a fixed set of schemas, seems like a limiting feature.

What's the reason for limiting its use with certain schemas? Will it work when pointed at any LDAP db? Does it scale for 10.000, 50., 250.000 entries and beyond? Do you have data to support its scalability?

On Wed, 21 Jan 2009 20:16:37 +0100 Roland Gruber p...@rolandgruber.de wrote:

> LDAP Account Manager (LAM) 2.5.0 - January 21th, 2009
>
> LAM is a web frontend for managing accounts stored in an LDAP directory.
>
> Announcement:
>
> LAM Pro now allows you to manage groups with the rfc2307bis schema and aliases (object class alias). The Samba module is able to manage more password options and the DHCP extension was enhanced for better stability.
>
> Full changelog: http://lam.sourceforge.net/changelog/index.htm
>
> Features:
>
> * management of Unix user and group accounts (posixAccount/posixGroup)
> * management of Samba 2.x/3 user and host accounts (sambaAccount/sambaSamAccount)
> * management of Kolab 2 accounts (kolabInetorgPerson)
> * profiles for account creation
> * account creation via file upload
> * automatic creation/deletion of home directories
> * setting quotas
> * PDF output for all accounts
> * editor for organizational units (OU)
> * schema browser
> * tree view
> * multiple configuration files
> * multi-language support: Catalan, Chinese (Traditional + Simplified), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Polish, Portuguese, Russian and Spanish
> * support for LDAP+SSL/TLS
>
> Availability:
>
> This software is available under the GNU General Public License V2.0. You can get the newest version at http://lam.sf.net.
>
> File formats: DEB, RPM, tar.gz
>
> There is also a FreeBSD port. Debian users may use the packages in unstable.
>
> Demo installation:
>
> You can try our demo installation online. http://lam.sf.net/live-demo/index.htm
>
> Support:
>
> If you find a bug please file a bug report. For questions or implementing new features please use the forum and feature request tracker at our Sourceforge homepage http://www.sf.net/projects/lam.
>
> Authors Copyright:
>
> Copyright (C) 2003 - 2009:
> Michael Duergner mich...@duergner.com
> Roland Gruber p...@rolandgruber.de
> Tilo Lutz tilol...@gmx.de
>
> LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.
Re: [Samba] List search question
Troy Heidner wrote:

> Hello everyone,
>
> I'm a new member here at Samba lists. I've been a lightweight Samba user for several years, but now I am investigating replacing our Active Directory domain with a pure Samba domain.
>
> I already have a few questions, but before I start posting them I thought I'd ask about searching the list archives. I might be missing something here, but I haven't found a way to do it?

http://marc.info/

cheers, jerry
[Samba] OT? File order on CentOS/Samba server
I hope someone familiar with the way Linux processes files can enlighten me on the following:

I recently replaced an old Windows 2000 server with a new machine running CentOS 5.2. It uses Samba 3.2.7 to serve a network of Windows XP clients.

We are a newspaper. We use Acrobat Distiller to batch-convert a folder of single-page PostScript files (for print) to a multipage PDF file (for electronic distribution). Running on a workstation, Distiller watches the folder on a Samba share and does the conversion, automatically creating bookmarks, indexes and other information.

On the Windows server, Distiller processes the files by filename order:

    M09010901A001C.ps
    M09010901A002C.ps
    M09010901A003C.ps
    ... and so on.

On the Linux server, Distiller processes the files in an order that seems arbitrary, for example:

    M09010901A021C.ps
    M09010901A005C.ps
    M09010901A015C.ps
    ... and so on.

The order Distiller uses is NOT related to the time stamp of the files. I tried to copy the files to the watched folder one by one in the correct order; the result is the same.

This creates the need to open the final PDF and reshuffle the pages by hand, which is very time consuming and prone to error.

There is a workaround to this: use the runfilex script that comes with Acrobat: it can contain a list of files to convert, in the order you want. Unfortunately, this is not acceptable for us since the process then takes about 40 minutes (irrespective of platform or filesystem), instead of 3 or 4 minutes.

My question is: how is the order of files determined by Linux when a particular order is not explicitly required by a program?

I noted the following: I have 4 files in a folder: file1.ps, file2.ps, file3.ps, file4.ps. When I order them by date, they appear in Windows Explorer in, say, the following order: 3, 4, 1, 2. If I copy them to a new folder one by one in the order 1, 2, 3, 4, they will still appear in the order 3, 4, 1, 2 when ordered by date.

So, what information is transported with the files that makes the Linux server present them to the world in this order? Does someone know a workaround to this situation or can someone point me to information about file ordering with Linux?

By the way, I am using the EXT3 file system. I tried the same on a VFAT file system and the result is the same. It seems to be a Linux thing, not a file system thing.

Thank you for your patience.
[Samba] Re: [CentOS] OT? File order on CentOS/Samba server
> If you are processing on the linux side and not via samba, and your program will take a list of files on the command line instead of groveling through the directory itself, you might simply start it with a wild-card filename on the command line. The shell will sort the list as it expands it so programs see the sorted list.

The processing is done via Samba. Acrobat Distiller is not simply processing a list of files, it is consolidating a group of files onto a single file, discarding repeated graphic objects and creating a single subset of fonts from the various font subsets present on the original pages.

> > There is a workaround to this: use the runfilex script that comes with Acrobat: it can contain a list of files to convert, in the order you want. Unfortunately, this is not acceptable for us since the process then takes about 40 minutes (irrespective of platform or filesystem), instead of 3 or 4 minutes.
>
> That's very strange. Maybe you should look for a different tool. Won't ghostscript/psutils or OOo do this?

The tools you quote do not apply in this case. I am not talking about office style PDFs, I am talking about full professional PDFs for printing presses, with embedded color profiles such as ISO Newspaper, JPEG2000 compression, bicubic resampling, etc. Not even Ghostscript does that kind of thing. I wish it did, but it doesn't.
Re: [Samba] getent group shows AD groups; getent passwd only shows local users
Tomasz Chmielewski wrote:
> I had winbind configured so that it could fetch users from AD. Everything was working properly, but something happened in the past couple of days (no change in the Samba config) I'm not able to diagnose.
>
> getent group enumerates groups, getent passwd doesn't. wbinfo -g returns groups, whereas I get this error when trying to get users:
>
> # wbinfo -u
> Error looking up domain users
>
> # net rpc join -S GNCNET -U user_linux
> Password:
> Joined domain NUT.
>
> # net ads join -S GNCNET -U user_linux
> user_linux's password:
> [2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286)
>   ads_connect: No logon servers
> Failed to join domain: No logon servers
>
> I see the Samba machine sends and receives packets on port 389 when I do getent passwd, but just no users are returned. Ideas?
>
> This is my smb.conf:
>
> workgroup = NUT
> password server = GNCNET
> realm = GNCNET.GEORGIANUT.COM
> security = ads
> idmap uid = 1-2
> idmap gid = 1-2
> winbind separator = +
> template homedir = /home/%D/cbl
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> server string = Samba Server %v
> encrypt passwords = Yes
> log file = /var/log/samba/log.%m
> max log size = 100
> log level = 8
> os level = 18
> local master = No
> dns proxy = No
> winbind enum users = yes
> winbind enum groups = yes
>
> In log.winbindd I can see errors like:
>
> [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
>   ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) - Operations error
> [2009/01/22 10:44:55, 3] libads/ldap_utils.c:ads_do_search_retry_internal(76)
>   Reopening ads connection to realm 'GEORGIANUT.COM' after error Operations error
> [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
>   sitename_fetch: Returning sitename for georgianut.com: Default-First-Site-Name
> [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
>   ads_find_dc: looking for realm 'georgianut.com'
> [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
>   get_sorted_dc_list: attempting lookup for name georgianut.com (sitename Default-First-Site-Name) using [ads]

check that your clock on the linux box matches the clock on the DC.

--Brian
Re: [Samba] OT? File order on CentOS/Samba server
On Thu, Jan 22, 2009 at 08:28:41PM +, Miguel Medalha wrote:
> My question is: how is the order of files determined by Linux when a particular order is not explicitly required by a program?

There is no ordering in POSIX filesystems. If you want an ordered list you must sort them yourself. This isn't guaranteed in Windows either btw.

Someone has posted a Samba VFS that will sort directory output in alphabetical order (but only for the current locale). You could examine that.

Jeremy.
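The point made in the reply above, that a directory listing has no defined order and a program that needs one must sort the names itself, as an added example (not code from this thread or from Samba). It reads a directory with scandir() and sorts byte-wise, so the result does not follow the locale; the sample file names are constructed from the pattern in the question, and all function names are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* scandir(), mkdtemp(), strdup() on glibc */
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample names, created in a deliberately scrambled order. */
static const char *SAMPLE[] = {
    "M09010901A021C.ps", "M09010901A005C.ps", "notes.txt",
    "M09010901A015C.ps", "M09010901A001C.ps",
};
#define NSAMPLE (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Create a scratch directory from a mkdtemp() template and fill it. */
int make_sample_dir(char *tmpl) {
    char path[512];
    if (mkdtemp(tmpl) == NULL)
        return -1;
    for (size_t i = 0; i < NSAMPLE; i++) {
        snprintf(path, sizeof(path), "%s/%s", tmpl, SAMPLE[i]);
        FILE *f = fopen(path, "w");
        if (f == NULL)
            return -1;
        fclose(f);
    }
    return 0;
}

/* Delete the sample files and the scratch directory. */
void remove_sample_dir(const char *dir) {
    char path[512];
    for (size_t i = 0; i < NSAMPLE; i++) {
        snprintf(path, sizeof(path), "%s/%s", dir, SAMPLE[i]);
        unlink(path);
    }
    rmdir(dir);
}

/* scandir() filter: keep names ending in ".ps" (drops "." and ".." too). */
static int is_ps_file(const struct dirent *e) {
    size_t n = strlen(e->d_name);
    return n > 3 && strcmp(e->d_name + n - 3, ".ps") == 0;
}

/* Byte-wise order, same in every locale; alphasort() uses strcoll(). */
static int by_bytes(const struct dirent **a, const struct dirent **b) {
    return strcmp((*a)->d_name, (*b)->d_name);
}

void free_names(char **names, int n) {
    for (int i = 0; i < n; i++)
        free(names[i]);
}

/* Store up to max sorted .ps names from dir in names[].
 * Returns the number stored, or -1 on error; release with free_names(). */
int list_ps_sorted(const char *dir, char **names, int max) {
    struct dirent **ents = NULL;
    int kept = 0, failed = 0;
    int n = scandir(dir, &ents, is_ps_file, by_bytes);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (!failed && kept < max) {
            names[kept] = strdup(ents[i]->d_name);
            failed = (names[kept] == NULL);
            kept += !failed;
        }
        free(ents[i]);
    }
    free(ents);
    if (failed) {
        free_names(names, kept);
        return -1;
    }
    return kept;
}

int main(void) {
    char tmpl[] = "/tmp/psorderXXXXXX";
    char *names[16];
    if (make_sample_dir(tmpl) != 0)
        return 1;
    /* Raw readdir() order: whatever the filesystem returns. */
    DIR *d = opendir(tmpl);
    for (struct dirent *e; d != NULL && (e = readdir(d)) != NULL;)
        printf("readdir: %s\n", e->d_name);
    if (d != NULL)
        closedir(d);
    int n = list_ps_sorted(tmpl, names, 16);
    for (int i = 0; i < n; i++)
        printf("sorted:  %s\n", names[i]);
    free_names(names, n);
    remove_sample_dir(tmpl);
    return n == 4 ? 0 : 1;
}
```

The readdir lines printed by main() may come out in any order on a given filesystem; only the sorted lines are stable.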
Re: [Samba] OT? File order on CentOS/Samba server
> Someone has posted a Samba VFS that will sort directory output in alphabetical order (but only for the current locale). You could examine that.

http://www.mail-archive.com/samba@lists.samba.org/msg98048.html
[Samba] Re: [cups.general] slow printing from cups
Hello Samba,

I have a samba/cups problem I need help with. I'd appreciate any advice you can offer. Please see my thread with cups below:

Ryan Suarez wrote:
> Ryan Suarez wrote:
> > Michael R Sweet wrote:
> > > Ryan Suarez wrote:
> > > > Greetings,
> > > >
> > > > We're running samba v3.2.4 cups v1.3.7. The problem queue (oa-e202-e1) is printing to the lpd port Lexmark T644 printer. I'm trying to print from Windows Vista 32bit client using the 'Lexmark T644 PS (MS)' driver installed from the clients local driver repository.
> > > >
> > > > The problem is that it takes a *minute* to print a simple test notepad file. The job hits the printer immediately since the roller on the printer starts spinning (slowly). But the roller keeps spinning (slowly) for a while and the job eventually prints (slowly) after a minute of waiting.
> > > >
> > > > If I print directly to the IP of the printer, using the same driver on the client, the job prints *right away*.
> > > >
> > > > I have cups job files and error_log here: http://it.sheridanc.on.ca/cups
> > > >
> > > > Any advice? We're getting a lot of complaints with this.
> > >
> > > More than likely the issue is that the print file probably gets spooled 4 times - first as a metafile for the printer driver, then from the driver to disk, then over to Samba (which puts a copy on disk), and then finally to CUPS which puts a copy on disk before running the backend which sends it to the printer.
> > >
> > > You can use IPP (URL = http://cupsserver:631/printers/cupsqueue) to print directly from the Windows system through CUPS to eliminate two of those copies.
> >
> > Hi Michael,
> >
> > I'll confirm if bypassing samba and mapping directly to cups IPP speeds up the print. Unfortunately, that's probably not an option for us. We take advantage of Samba's point and print tech to support the students here. They simply map the server on their laptops and double-click on the queue they want to connect to. Having to train students to manually map each printer they need and choose the correct driver, as they roam to different locations, would prove too cumbersome.
> >
> > Are there any workarounds I can pursue?
> >
> > thanks and much appreciated,
> > Ryan
>
> yup, printing to cups directly is also fast, arghh... what do I do now?
Re: [Samba] OT? File order on CentOS/Samba server
On Thu, Jan 22, 2009 at 09:20:42PM -0500, John Drescher wrote:
> > Someone has posted a Samba VFS that will sort directory output in alphabetical order (but only for the current locale). You could examine that.
>
> http://www.mail-archive.com/samba@lists.samba.org/msg98048.html

FYI: This is still in my inbox to get into upstream :-)

Volker
[SCM] Samba Shared Repository - branch v3-3-stable updated - release-3-3-0rc2-162-g5739cc5
The branch, v3-3-stable has been updated via 5739cc5eb4d222b435a3cc32c1733288bf3d5635 (commit) via 73b8c4f330de5cd839c17e20194fa73bac77c8e7 (commit) via 22661691f8b3954bc00ccbfffc536fdf6add9825 (commit) via 5ba5772f15b07bec765585327b455d8cdd8d (commit) via 6778099259661a65337a66282db6d0228e453545 (commit) via 340931bd335e9906cc72e7d4f7f1ae15d2906dcd (commit) via dc13349f46a6cd8a0428df083a47c40e3b32ac2f (commit) via 73444ccb1e3ecf25d9ae0616cf83534781de94a7 (commit) via 0e9a11c95786cbdc828cf964550ffdca8d0e6d6e (commit) via ea1c6bf5b3d7a122f6d7f07342e50504aa3d76dd (commit) via a22441750b2f696713c5b39633ae7a2b1a407096 (commit) via 522f80f42723c5b0b9be43315008203324a07e2a (commit) via eb462e71913d4ba83afaed7007545239cdafd2b0 (commit) via bd414008b921f3277c6df8a8f0e86676c4bdd102 (commit) from 5a882d8b5801f1d7c8a70d1a50b474066b1bf0fb (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable - Log - commit 5739cc5eb4d222b435a3cc32c1733288bf3d5635 Author: Michael Adam ob...@samba.org Date: Wed Jan 21 15:10:10 2009 +0100 build-docs: cleanup exit of the script exit in the directory where it was called using pushd/popd. 
Michael (cherry picked from commit b319549f129b1c79afc9bfd4a84f2730b96d69a3) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit b7d6536b323df9c5503b6a225e03a47ae2112e5c) commit 73b8c4f330de5cd839c17e20194fa73bac77c8e7 Author: Michael Adam ob...@samba.org Date: Wed Jan 21 15:09:46 2009 +0100 s3:docs: clean build/catalog.xml in make clean Michael (cherry picked from commit 5e21fc3506f2ba7b1135b1acad2697dfb86b5df0) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit a33ec84ef7c64bf94526383340fb446e86d919e0) commit 22661691f8b3954bc00ccbfffc536fdf6add9825 Author: Michael Adam ob...@samba.org Date: Wed Jan 21 15:09:12 2009 +0100 s3:docs: clean generated .png images in make clean Michael (cherry picked from commit 9b32e839bec8611c30745607a3a6b124d5b34c01) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit 6a9346f0c2f900d95d0ba3ae0bdb22a6e88a7916) commit 5ba5772f15b07bec765585327b455d8cdd8d Author: Michael Adam ob...@samba.org Date: Wed Jan 21 10:56:34 2009 +0100 s3:docs: clarify explanation of the allocator in the idmap_ldap manpage Michael (cherry picked from commit 816934faa8bbe53dd299bc5e39f471eafdddefa8) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit 0b1036d5d6e06e2fa14dab163d51a902ca63fc0a) commit 6778099259661a65337a66282db6d0228e453545 Author: Michael Adam ob...@samba.org Date: Wed Jan 21 10:55:19 2009 +0100 s3:docs: clarify explanation of the allocator in the idmap_tdb manpage Michael (cherry picked from commit 665b5dc70333ca36129a6fe06645bd9faa4f2350) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit 83a03a3ced255f0a64935fe788ac3b0ddf669ca5) commit 340931bd335e9906cc72e7d4f7f1ae15d2906dcd Author: Michael Adam ob...@samba.org Date: Wed Jan 21 10:49:48 2009 +0100 s3:docs: clarify explanation of allocator in the idmap_tdb2 manpage Michael (cherry picked from commit 65b79200e46751278c125ad260d899d10d6466a2) Signed-off-by: Michael Adam ob...@samba.org (cherry 
picked from commit 73a835335e329f0aaa0b72ebfd538b8c2b813812) commit dc13349f46a6cd8a0428df083a47c40e3b32ac2f Author: Michael Adam ob...@samba.org Date: Wed Jan 21 10:38:49 2009 +0100 s3:docs: fix copy and paste error in the idmap_tdb2 manpage Michael (cherry picked from commit bd252ad665547d2ad012725ccb18720e160d221f) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit ea5be10d0656d4f7edec43a4cb926573050823aa) commit 73444ccb1e3ecf25d9ae0616cf83534781de94a7 Author: Michael Adam ob...@samba.org Date: Wed Jan 21 00:56:03 2009 +0100 s3:docs: add a manpage for idmap_tdb2 Michael (cherry picked from commit 84f2b2d731fb7d97c98414196bf96ee94ea88bb3) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit c52948a2b019bb1620ffa69605673d88bfa34bb4) commit 0e9a11c95786cbdc828cf964550ffdca8d0e6d6e Author: Michael Adam ob...@samba.org Date: Wed Jan 21 00:13:29 2009 +0100 s3:docs: update the idmap_ldap manpage to reflect current facts. Michael (cherry picked from commit 7c5621b6e09d9ae3fe936a86e46d1b0f35906e6d) Signed-off-by: Michael Adam ob...@samba.org (cherry picked from commit 1bbc5f228b8b73a623f7afc5eb79c08757366029) commit ea1c6bf5b3d7a122f6d7f07342e50504aa3d76dd Author: Michael Adam ob...@samba.org Date: Wed Jan 21 00:06:10 2009 +0100 s3:docs: update the idmap_tdb manpage to reflect current facts.
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-74-g3662c2b
The branch, master has been updated via 3662c2b0f648d1719cbb26f9abfc61dbe03f8a2a (commit) from 63e23a7d648cb608a9834b4397c0aed765a1d459 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3662c2b0f648d1719cbb26f9abfc61dbe03f8a2a Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 11:36:16 2009 +0100 cli_get_pipe_name_from_iface does not need the cli_state I leave the TALLOC_CTX in, we might have to allocate it in the future --- Summary of changes: source3/include/proto.h |1 - source3/rpc_client/cli_pipe.c |5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index 1445b10..632f820 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5771,7 +5771,6 @@ bool prs_data_blob(prs_struct *prs, DATA_BLOB *blob, TALLOC_CTX *mem_ctx); /* The following definitions come from rpc_parse/parse_rpc.c */ const char *cli_get_pipe_name_from_iface(TALLOC_CTX *mem_ctx, -struct cli_state *cli, const struct ndr_syntax_id *interface); void init_rpc_hdr(RPC_HDR *hdr, enum RPC_PKT_TYPE pkt_type, uint8 flags, uint32 call_id, int data_len, int auth_len); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 6e2ffc9..bf19160 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -82,7 +82,6 @@ static const struct pipe_id_info { / const char *cli_get_pipe_name_from_iface(TALLOC_CTX *mem_ctx, -struct cli_state *cli, const struct ndr_syntax_id *interface) { int i; @@ -3594,7 +3593,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, result-transport_type = NCACN_NP; result-trans.np.pipe_name = cli_get_pipe_name_from_iface( - result, cli, abstract_syntax); + result, abstract_syntax); if (result-trans.np.pipe_name == NULL) { DEBUG(1, (Could not find pipe for interface\n)); TALLOC_FREE(result); 
@@ -3713,7 +3712,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, } DEBUG(lvl, (cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n, - cli_get_pipe_name_from_iface(debug_ctx(), cli, + cli_get_pipe_name_from_iface(debug_ctx(), interface), nt_errstr(status) )); TALLOC_FREE(result); -- Samba Shared Repository
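Review bot: the prototype in source3/include/proto.h loses its `struct cli_state *cli` argument, but the only call sites converted in this commit are the two in source3/rpc_client/cli_pipe.c (rpc_pipe_open_np and cli_rpc_pipe_open_noauth), so any other caller still passing three arguments stops compiling here; the follow-up 3b34486 has to touch source3/lib/netapi/cm.c, source3/rpcclient/rpcclient.c and source3/utils/net_rpc.c for that reason. Converting every caller in the same commit keeps the history bisectable. Since mem_ctx is kept although, per the commit message, nothing is allocated from it yet, a one-line comment at the prototype saying it is currently unused would help: rpc_pipe_open_np passes `result` as the context and stores the returned pointer in result-trans.np.pipe_name, which reads as if the string's lifetime were tied to `result`.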
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-75-g3b34486
The branch, master has been updated via 3b34486f6aaeb81376d9522a01bc6b69d34b4572 (commit) from 3662c2b0f648d1719cbb26f9abfc61dbe03f8a2a (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3b34486f6aaeb81376d9522a01bc6b69d34b4572 Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 12:13:29 2009 +0100 Actually complete 3662c2b... --- Summary of changes: source3/lib/netapi/cm.c |3 +-- source3/rpcclient/rpcclient.c |6 +++--- source3/utils/net_rpc.c |2 +- 3 files changed, 5 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c index e616a25..d5ef09d 100644 --- a/source3/lib/netapi/cm.c +++ b/source3/lib/netapi/cm.c @@ -184,8 +184,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx, status = pipe_cm_open(ctx, cli, interface, result); if (!NT_STATUS_IS_OK(status)) { libnetapi_set_error_string(ctx, failed to open PIPE %s: %s, - cli_get_pipe_name_from_iface(debug_ctx(), cli, -interface), + cli_get_pipe_name_from_iface(debug_ctx(), interface), get_friendly_nt_error_msg(status)); return WERR_DEST_NOT_FOUND; } diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 7e31862..050e78d 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -620,7 +620,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, DEBUG(0, (Could not initialise %s. Invalid auth type %u\n, cli_get_pipe_name_from_iface( - debug_ctx(), cli, + debug_ctx(), cmd_entry-interface), pipe_default_auth_type )); return NT_STATUS_UNSUCCESSFUL; @@ -628,7 +628,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, if (!NT_STATUS_IS_OK(ntresult)) { DEBUG(0, (Could not initialise %s. Error was %s\n, cli_get_pipe_name_from_iface( - debug_ctx(), cli, + debug_ctx(), cmd_entry-interface), nt_errstr(ntresult) )); return ntresult; 
@@ -658,7 +658,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, if (!NT_STATUS_IS_OK(ntresult)) { DEBUG(0, (Could not initialise credentials for %s.\n, cli_get_pipe_name_from_iface( - debug_ctx(), cli, + debug_ctx(), cmd_entry-interface))); return ntresult; } diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index c000b58..0f59f02 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -182,7 +182,7 @@ int run_rpc_command(struct net_context *c, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, (Could not initialise pipe %s. Error was %s\n, cli_get_pipe_name_from_iface( - debug_ctx(), cli, interface), + debug_ctx(), interface), nt_errstr(nt_status) )); cli_shutdown(cli); return -1; -- Samba Shared Repository
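Review bot: every call converted here (libnetapi_open_pipe, the three DEBUG calls in do_cmd, and run_rpc_command) feeds the result of cli_get_pipe_name_from_iface() straight into a %s format, while rpc_pipe_open_np in the previous commit checks the same return value against NULL, so these error paths can hand a NULL pointer to the formatter exactly when the interface lookup is what failed. Since the lines are being touched anyway, substituting a fixed placeholder string when the lookup returns NULL would make the diagnostics safe. The subject "Actually complete 3662c2b..." also says neither which function is affected nor what was left incomplete; naming cli_get_pipe_name_from_iface and the dropped `cli` argument would let the commit be read without chasing the hash.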
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-87-gc5e242b
The branch, master has been updated via c5e242b1a39f0bb26c8c922f25cf7b072e5e834c (commit) via 240762aefe1af16d56a0a1bc4880702a006fe050 (commit) via 7a07fcdc1e1f01483ae9d509a9d42eea4d454529 (commit) via cf53e48fecf2a4410ff641eb6e0edd8578cccb15 (commit) via 4d413381a2496a4d73e4d406efbfd68c28fee3b4 (commit) via 830b31a41aeadf6b688c5f60f114f6137ea13afb (commit) via a4d605344bcd16d01b7049c477d99f8d9841f13c (commit) via c44a0ae87aef333570ce588fc9b46392dd528030 (commit) via f029b2b05872f6cfe214241a614081f81c43c7bd (commit) via 196028ab7b578526179d4fcff42a5d73ba07ccbb (commit) via 048f8dba141c2f9898aad67e09925f03394a946e (commit) via f9dcd3d2b79e4c1e19ac1c81e3e75370c8716586 (commit) from 3b34486f6aaeb81376d9522a01bc6b69d34b4572 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c5e242b1a39f0bb26c8c922f25cf7b072e5e834c Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:39:28 2009 +0100 s3:printing: make some functions static and use tevent functions metze commit 240762aefe1af16d56a0a1bc4880702a006fe050 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:39:56 2009 +0100 s3:messages: finally make message_dispatch() static metze commit 7a07fcdc1e1f01483ae9d509a9d42eea4d454529 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:37:07 2009 +0100 s3:printing: handle tevent_context events in the sys_select() call metze commit cf53e48fecf2a4410ff641eb6e0edd8578cccb15 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:35:07 2009 +0100 s3:winbindd: we don't need to call message_dispatch() anymore it's event triggered now metze commit 4d413381a2496a4d73e4d406efbfd68c28fee3b4 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:34:49 2009 +0100 s3:nmbd: we don't need to call message_dispatch() anymore it's event triggered now metze commit 830b31a41aeadf6b688c5f60f114f6137ea13afb Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:33:19 2009 +0100 s3:smbd: we don't need to call message_dispatch() 
anymore it's event triggered now metze commit a4d605344bcd16d01b7049c477d99f8d9841f13c Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:31:33 2009 +0100 s3:msgtest: don't call message_dispatch() anymore, use tevent_loop_once() instead metze commit c44a0ae87aef333570ce588fc9b46392dd528030 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 21 07:30:13 2009 +0100 s3:smbcontrol: don't call message_dispatch() anymore, it's triggered by tevent_loop_once() metze commit f029b2b05872f6cfe214241a614081f81c43c7bd Author: Stefan Metzmacher me...@samba.org Date: Mon Jan 12 18:14:04 2009 +0100 s3:messaging: start with to use signal events instead of the raw signal interfaces metze commit 196028ab7b578526179d4fcff42a5d73ba07ccbb Author: Stefan Metzmacher me...@samba.org Date: Fri Jan 9 14:02:18 2009 +0100 s3:smbd: restructure kernel oplocks code This converts the irix oplocks code to use a fd event and removes the last special case for file descriptors for the main sys_select(). metze commit 048f8dba141c2f9898aad67e09925f03394a946e Author: Stefan Metzmacher me...@samba.org Date: Tue Jan 20 04:14:20 2009 +0100 s3: always call run_events() before and after sys_select() And always setup the fd events. metze commit f9dcd3d2b79e4c1e19ac1c81e3e75370c8716586 Author: Stefan Metzmacher me...@samba.org Date: Tue Jan 20 01:58:04 2009 +0100 s3:events: always run_events() before sys_select() We might have pending signal events not only timed events. 
metze --- Summary of changes: source3/include/messages.h |1 - source3/include/proto.h | 10 +-- source3/include/smb.h| 19 -- source3/lib/events.c |9 +-- source3/lib/messages_local.c | 105 + source3/nmbd/nmbd.c |4 - source3/nmbd/nmbd_packets.c | 16 ++--- source3/printing/notify.c| 20 --- source3/printing/printing.c | 58 +- source3/smbd/globals.c | 13 + source3/smbd/globals.h |9 +--- source3/smbd/oplock.c| 33 +++--- source3/smbd/oplock_irix.c | 118 -- source3/smbd/oplock_linux.c | 36 source3/smbd/process.c | 79 - source3/smbd/server.c| 15 +++-- source3/torture/msgtest.c| 27 ++--- source3/utils/smbcontrol.c | 29 + source3/winbindd/winbindd.c |8 +--
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-88-g7fc7ee9
The branch, master has been updated via 7fc7ee9331d0539359ad88c527f59d5fdf212209 (commit) from c5e242b1a39f0bb26c8c922f25cf7b072e5e834c (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7fc7ee9331d0539359ad88c527f59d5fdf212209 Author: Stefan Metzmacher me...@samba.org Date: Thu Jan 22 11:52:54 2009 +0100 lib/replace: add defines to let the callers find out if pwrite and pread are thread/fork safe metze --- Summary of changes: lib/replace/replace.h |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/replace/replace.h b/lib/replace/replace.h index c3b0604..688a746 100644 --- a/lib/replace/replace.h +++ b/lib/replace/replace.h @@ -434,11 +434,17 @@ char *rep_mkdtemp(char *template); #ifndef HAVE_PREAD #define pread rep_pread ssize_t rep_pread(int __fd, void *__buf, size_t __nbytes, off_t __offset); +#define LIBREPLACE_PREAD_REPLACED 1 +#else +#define LIBREPLACE_PREAD_NOT_REPLACED 1 #endif #ifndef HAVE_PWRITE #define pwrite rep_pwrite ssize_t rep_pwrite(int __fd, const void *__buf, size_t __nbytes, off_t __offset); +#define LIBREPLACE_PWRITE_REPLACED 1 +#else +#define LIBREPLACE_PWRITE_NOT_REPLACED 1 #endif #if !defined(HAVE_INET_NTOA) || defined(REPLACE_INET_NTOA) -- Samba Shared Repository
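Review bot: the four macros added in lib/replace/replace.h carry no comment saying what a caller should conclude from them; the commit message says they let callers find out whether pread and pwrite are thread/fork safe, but nothing at the definition states that the rep_pread/rep_pwrite fallbacks are the case to treat as unsafe, or why. A short comment above each `#ifndef HAVE_PREAD` and `#ifndef HAVE_PWRITE` block would cover it. Defining both a _REPLACED and a _NOT_REPLACED macro per function also gives callers two spellings of one fact, and a caller that tests neither gets no diagnostic; a single macro per function, tested with #ifdef, is harder to misuse.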
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-89-g031f246
The branch, master has been updated via 031f24694197ab2c90418c5a5285a2932b71e998 (commit) from 7fc7ee9331d0539359ad88c527f59d5fdf212209 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 031f24694197ab2c90418c5a5285a2932b71e998 Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 17:53:22 2009 +0100 Fix a segfault: rpccli_* expect the reply_pdu to always be initialized --- Summary of changes: source3/rpc_client/cli_pipe.c |5 + 1 files changed, 5 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index bf19160..cf2c833 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2367,6 +2367,11 @@ NTSTATUS rpc_api_pipe_req_recv(struct async_req *req, TALLOC_CTX *mem_ctx, NTSTATUS status; if (async_req_is_error(req, status)) { + /* +* We always have to initialize to reply pdu, even if there is +* none. The rpccli_* caller routines expect this. +*/ + prs_init_empty(reply_pdu, mem_ctx, UNMARSHALL); return status; } -- Samba Shared Repository
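Review bot: in rpc_api_pipe_req_recv the new prs_init_empty(reply_pdu, mem_ctx, UNMARSHALL) sits only inside the async_req_is_error() branch, so the rule that reply_pdu is always initialised, which the comment says the rpccli_* callers rely on, is enforced per return path rather than stated once; putting that contract in the function's header comment would make it visible to whoever adds the next early return. The added comment reads "initialize to reply pdu" and should read "initialize the reply pdu". Because this fixes a segfault, the commit message would be more useful to anyone auditing the other receive functions if it named the caller that touched the uninitialised structure.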
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-90-g3942e53
The branch, master has been updated via 3942e53357146c9c5419313efc4c91b85f7e508b (commit) from 031f24694197ab2c90418c5a5285a2932b71e998 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3942e53357146c9c5419313efc4c91b85f7e508b Author: Simo Sorce i...@samba.org Date: Thu Jan 22 11:51:37 2009 -0500 Do not start a transaction this way. Because we still want to commit any changes that successfully apply we never want to do a global cancel, and because of how transaction nesting works that means we never cancel any transaction at the single modify operation level. Let each operation start its own transaction so that the transaction is properly canceled if any error is returned and half committed operations (though plugins failing) are properly reverted on a per operation basis. --- Summary of changes: source4/lib/ldb/tools/ldbmodify.c | 10 -- 1 files changed, 0 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/ldb/tools/ldbmodify.c b/source4/lib/ldb/tools/ldbmodify.c index d73937c..6e355a1 100644 --- a/source4/lib/ldb/tools/ldbmodify.c +++ b/source4/lib/ldb/tools/ldbmodify.c @@ -93,11 +93,6 @@ int main(int argc, const char **argv) options = ldb_cmdline_process(ldb, argc, argv, usage); - if (ldb_transaction_start(ldb) != 0) { - printf(Failed to start transaction: %s\n, ldb_errstring(ldb)); - exit(1); - } - if (options-argc == 0) { ret = process_file(ldb, stdin, count); } else { @@ -113,11 +108,6 @@ int main(int argc, const char **argv) } } - if (count != 0 ldb_transaction_commit(ldb) != 0) { - printf(Failed to commit transaction: %s\n, ldb_errstring(ldb)); - exit(1); - } - talloc_free(ldb); printf(Modified %d records with %d failures\n, count, failures); -- Samba Shared Repository
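Review bot: with the ldb_transaction_start() before process_file() and the ldb_transaction_commit() after it both removed from main(), nothing spans the whole input any more, so a run that is interrupted part-way through a multi-record file leaves the earlier records committed, where previously the single commit happened only at the end. The commit message says per-operation transactions are the intent, so the tool's usage text should say so too. The visible context ends at the printf of "Modified %d records with %d failures"; if the exit status does not already reflect a non-zero failure count, scripts calling ldbmodify cannot tell a partial apply from a clean one.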
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4855-gba576ef
The branch, v3-3-test has been updated via ba576efa8f884f3dd37bb5035fbb47ae0305c0b0 (commit) from b7d6536b323df9c5503b6a225e03a47ae2112e5c (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit ba576efa8f884f3dd37bb5035fbb47ae0305c0b0 Author: todd stecher todd.stec...@gmail.com Date: Thu Jan 22 10:17:37 2009 -0800 Memory leaks and other fixes found by Coverity --- Summary of changes: source/auth/pampass.c |4 ++- source/include/proto.h |2 +- source/lib/dprintf.c| 26 -- source/libsmb/clikrb5.c | 10 +++--- source/nmbd/nmbd_incomingrequests.c |4 +- source/nmbd/nmbd_serverlistdb.c |2 +- source/passdb/pdb_interface.c |6 +++ source/passdb/pdb_ldap.c|1 + source/rpc_client/cli_spoolss.c | 66 +++--- source/rpc_parse/parse_buffer.c | 11 +++--- source/rpc_server/srv_pipe.c|4 ++- source/rpc_server/srv_spoolss_nt.c |3 +- source/rpc_server/srv_svcctl_nt.c |1 - source/utils/net_rpc.c | 12 +- source/winbindd/winbindd_group.c|8 - source/winbindd/winbindd_user.c |8 - source/winbindd/winbindd_util.c | 12 +- source/winbindd/winbindd_wins.c | 10 - 18 files changed, 131 insertions(+), 59 deletions(-) Changeset truncated at 500 lines: diff --git a/source/auth/pampass.c b/source/auth/pampass.c index 9345eed..4312b77 100644 --- a/source/auth/pampass.c +++ b/source/auth/pampass.c @@ -462,7 +462,9 @@ static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) { int pam_error; +#ifdef PAM_RHOST const char *our_rhost; +#endif char addr[INET6_ADDRSTRLEN]; *pamh = (pam_handle_t *)NULL; @@ -475,6 +477,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho return False; } +#ifdef PAM_RHOST if (rhost == NULL) { our_rhost = client_name(get_client_fd()); if (strequal(our_rhost,UNKNOWN)) 
@@ -483,7 +486,6 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho our_rhost = rhost; } -#ifdef PAM_RHOST DEBUG(4,(smb_pam_start: PAM: setting rhost to: %s\n, our_rhost)); pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost); if(!smb_pam_error_handler(*pamh, pam_error, set rhost failed, 0)) { diff --git a/source/include/proto.h b/source/include/proto.h index 6b7291f..b1e3a08 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -7632,7 +7632,7 @@ NTSTATUS cli_do_rpc_ndr(struct rpc_pipe_client *cli, /* The following definitions come from rpc_parse/parse_buffer.c */ -void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx); +bool rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx); bool prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buffer); bool prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **buffer); bool rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size); diff --git a/source/lib/dprintf.c b/source/lib/dprintf.c index a3bb5be..34cc92a 100644 --- a/source/lib/dprintf.c +++ b/source/lib/dprintf.c @@ -32,24 +32,27 @@ int d_vfprintf(FILE *f, const char *format, va_list ap) { - char *p, *p2; + char *p = NULL, *p2 = NULL; int ret, maxlen, clen; const char *msgstr; va_list ap2; + VA_COPY(ap2, ap); + /* do any message translations */ msgstr = lang_msg(format); - if (!msgstr) return -1; - - VA_COPY(ap2, ap); + if (!msgstr) { + ret = -1; + goto out; + } ret = vasprintf(p, msgstr, ap2); lang_msg_free(msgstr); if (ret = 0) { - va_end(ap2); - return ret; + ret = -1; + goto out; } /* now we have the string in unix format, convert it to the display @@ -58,10 +61,10 @@ again: p2 = (char *)SMB_MALLOC(maxlen); if (!p2) { - SAFE_FREE(p); - va_end(ap2); - return -1; + ret = -1; + goto out; } + clen = convert_string(CH_UNIX, CH_DISPLAY, p, ret, p2, maxlen, True); if (clen = maxlen) { 
@@ -72,10 +75,11 @@ again: } /* good, its converted OK */ - SAFE_FREE(p); ret = fwrite(p2, 1, clen, f); - SAFE_FREE(p2); +out: + SAFE_FREE(p); + SAFE_FREE(p2); va_end(ap2); return ret; diff --git a/source/libsmb/clikrb5.c
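Review bot: in source/lib/dprintf.c, the check on the vasprintf() result in d_vfprintf used to `return ret` and now forces `ret = -1` before `goto out`; the condition appears here as `if (ret = 0)`, where a comparison character looks lost in extraction, and if it also covers ret == 0 then a format that expands to an empty string now returns -1 where it returned 0 before. Leaving ret unchanged on that path keeps the old return value while still reaching the cleanup. Initialising p and p2 to NULL, moving VA_COPY above the lang_msg() call and sending every exit through the out: label does pair each VA_COPY with a va_end and frees both buffers on all paths; the early exit when msgstr is NULL is the path worth a test.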
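Review bot: in source/include/proto.h, rpcbuf_init() changes from void to bool, which only helps if every caller tests the result; the changeset is truncated before source/rpc_client/cli_spoolss.c and source/rpc_parse/parse_buffer.c, so the callers are not visible here, and any that still ignore the return value carry on with a buffer that was never set up. A comment at the prototype saying what a False return means, plus a grep for unchecked calls, belongs with this change.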
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-91-g2d81c9e
The branch, master has been updated via 2d81c9e957a21191c5b4e2b28a4599052c1357a1 (commit) from 3942e53357146c9c5419313efc4c91b85f7e508b (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2d81c9e957a21191c5b4e2b28a4599052c1357a1 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 10:57:10 2009 -0800 Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs. Simo is completely correct. We should be doing the chown *first*, and fail the ACL set if this fails. The long standing assumption I made when writing the initial POSIX ACL code was that Windows didn't control who could chown a file in the same was as POSIX. In POSIX only root can do this whereas I wasn't sure who could do this in Windows at the time (I didn't understand the privilege model). So the assumption was that setting the ACL was more important (early tests showed many failed ACL set's due to inability to chown). But now we have privileges in smbd, and we must always fail an ACL set when we can't chown first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL incoming are relative to the *new* owner, not the old one. This is why the old user owner disappears on ACL set - their access was set via the USER_OBJ in the creator POSIX ACL and when the ownership changes they lose their access. Patch is simple - just ensure we do the chown first before evaluating the incoming ACL re-read the owners. We already have code to do this it just wasn't rigorously being applied. Jeremy. --- Summary of changes: source3/smbd/posix_acls.c | 29 - 1 files changed, 4 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 8fe7a9a..951046c 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c 
@@ -3428,7 +3428,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC NTSTATUS status; uid_t orig_uid; gid_t orig_gid; - bool need_chown = False; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3464,14 +3463,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } /* -* Do we need to chown ? +* Do we need to chown ? If so this must be done first as the incoming +* CREATOR_OWNER acl will be relative to the *new* owner, not the old. +* Noticed by Simo. */ if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { - need_chown = True; - } - - if (need_chown (user == (uid_t)-1 || user == current_user.ut.uid)) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); @@ -3511,9 +3508,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC orig_mode = sbuf.st_mode; orig_uid = sbuf.st_uid; orig_gid = sbuf.st_gid; - - /* We did chown already, drop the flag */ - need_chown = False; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); @@ -3664,24 +3658,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } free_canon_ace_list(file_ace_list); - free_canon_ace_list(dir_ace_list); + free_canon_ace_list(dir_ace_list); } - /* Any chown pending? */ - if (need_chown) { - DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); - - if(try_chown( fsp-conn, fsp-fsp_name, user, grp) == -1) { - DEBUG(3,(set_nt_acl: chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) )); - if (errno == EPERM) { - return NT_STATUS_INVALID_OWNER; - } - return map_nt_error_from_unix(errno); - } - } - return NT_STATUS_OK; } -- Samba Shared Repository
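Review bot: in the `@@ -3464,14 +3463,12 @@` hunk of `set_nt_acl()`, dropping the `user == (uid_t)-1 || user == current_user.ut.uid` guard means a give-away chown is now attempted up front, and its error handling is the block that was already there rather than the one deleted at the end of the function. The deleted tail mapped `EPERM` to `NT_STATUS_INVALID_OWNER`; the error path of the early `try_chown()` is outside the visible context, so please check that it returns the same status, otherwise clients that used to see INVALID_OWNER for a refused ownership change will get a different error.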
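Review bot: the `@@ -3664,24 +3658,9 @@` hunk carries a whitespace-only rewrite of `free_canon_ace_list(dir_ace_list);` alongside the removal of the deferred chown. This fix is being applied to several branches, so keep the whitespace change out of it; the functional diff stays minimal and the backports apply more cleanly.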
[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-121-g9a95b6c
The branch, v3-0-test has been updated via 9a95b6cac2dea88cb9e9b428292dfca9d1e3e801 (commit) from 0098eb45d99373a4d1945e61dda24ea282c377e7 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log - commit 9a95b6cac2dea88cb9e9b428292dfca9d1e3e801 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 10:58:38 2009 -0800 Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs. Simo is completely correct. We should be doing the chown *first*, and fail the ACL set if this fails. The long standing assumption I made when writing the initial POSIX ACL code was that Windows didn't control who could chown a file in the same way as POSIX. In POSIX only root can do this whereas I wasn't sure who could do this in Windows at the time (I didn't understand the privilege model). So the assumption was that setting the ACL was more important (early tests showed many failed ACL sets due to inability to chown). But now we have privileges in smbd, and we must always fail an ACL set when we can't chown first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL incoming are relative to the *new* owner, not the old one. This is why the old user owner disappears on ACL set - their access was set via the USER_OBJ in the creator POSIX ACL and when the ownership changes they lose their access. Patch is simple - just ensure we do the chown first before evaluating the incoming ACL re-read the owners. We already have code to do this it just wasn't rigorously being applied. Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 27 --- 1 files changed, 0 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 33cba6a..23bf40f 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c
@@ -3338,7 +3338,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) mode_t orig_mode = (mode_t)0; uid_t orig_uid; gid_t orig_gid; - BOOL need_chown = False; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3377,16 +3376,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) */ if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { - need_chown = True; - } - - /* -* Chown before setting ACL only if we don't change the user, or -* if we change to the current user, but not if we want to give away -* the file. -*/ - - if (need_chown (user == (uid_t)-1 || user == current_user.ut.uid)) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); @@ -3423,9 +3412,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) orig_mode = sbuf.st_mode; orig_uid = sbuf.st_uid; orig_gid = sbuf.st_gid; - - /* We did it, don't try again */ - need_chown = False; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); @@ -3577,19 +3563,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) free_canon_ace_list(dir_ace_list); } - /* Any chown pending? */ - if (need_chown) { - - DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, - fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); - - if(try_chown( fsp-conn, fsp-fsp_name, user, grp) == -1) { - DEBUG(3,(set_nt_acl: chown %s, %u, %u failed. Error = %s.\n, - fsp-fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) )); - return False; - } - } - return True; } -- Samba Shared Repository
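Review bot: the `@@ -3377,16 +3376,6 @@` hunk deletes the comment that explained the old ordering ("Chown before setting ACL only if we don't change the user ...") and adds nothing in its place; the summary shows 0 insertions. The reason the chown must now come first, that the incoming CREATOR_OWNER entries are relative to the new owner, is only in the commit message on this branch. Add a short comment above the `if` stating it, so the ordering is not reversed again by a later cleanup.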
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4856-g96b819e
The branch, v3-3-test has been updated via 96b819e04cd71a6c899801ae68031bf55b54ea46 (commit) from ba576efa8f884f3dd37bb5035fbb47ae0305c0b0 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit 96b819e04cd71a6c899801ae68031bf55b54ea46 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 10:59:14 2009 -0800 Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs. Simo is completely correct. We should be doing the chown *first*, and fail the ACL set if this fails. The long standing assumption I made when writing the initial POSIX ACL code was that Windows didn't control who could chown a file in the same way as POSIX. In POSIX only root can do this whereas I wasn't sure who could do this in Windows at the time (I didn't understand the privilege model). So the assumption was that setting the ACL was more important (early tests showed many failed ACL sets due to inability to chown). But now we have privileges in smbd, and we must always fail an ACL set when we can't chown first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL incoming are relative to the *new* owner, not the old one. This is why the old user owner disappears on ACL set - their access was set via the USER_OBJ in the creator POSIX ACL and when the ownership changes they lose their access. Patch is simple - just ensure we do the chown first before evaluating the incoming ACL re-read the owners. We already have code to do this it just wasn't rigorously being applied. Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 29 - 1 files changed, 4 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 75cca51..5ccfb26 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c
@@ -3424,7 +3424,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC NTSTATUS status; uid_t orig_uid; gid_t orig_gid; - bool need_chown = False; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3460,14 +3459,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } /* -* Do we need to chown ? +* Do we need to chown ? If so this must be done first as the incoming +* CREATOR_OWNER acl will be relative to the *new* owner, not the old. +* Noticed by Simo. */ if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { - need_chown = True; - } - - if (need_chown (user == (uid_t)-1 || user == current_user.ut.uid)) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); @@ -3507,9 +3504,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC orig_mode = sbuf.st_mode; orig_uid = sbuf.st_uid; orig_gid = sbuf.st_gid; - - /* We did chown already, drop the flag */ - need_chown = False; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); @@ -3660,24 +3654,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } free_canon_ace_list(file_ace_list); - free_canon_ace_list(dir_ace_list); + free_canon_ace_list(dir_ace_list); } - /* Any chown pending? */ - if (need_chown) { - DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); - - if(try_chown( fsp-conn, fsp-fsp_name, user, grp) == -1) { - DEBUG(3,(set_nt_acl: chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) )); - if (errno == EPERM) { - return NT_STATUS_INVALID_OWNER; - } - return map_nt_error_from_unix(errno); - } - } - return NT_STATUS_OK; } -- Samba Shared Repository
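Review bot: with the deferred chown removed in the `@@ -3660,24 +3654,9 @@` hunk, ownership is always changed before the ACL is evaluated and written, so any failure later in `set_nt_acl()` now leaves the file with the new owner and the old ACL. Either make sure the ACL write cannot fail once the chown has succeeded, or restore the original owner on the error paths; as posted the function can return an error after a change it does not undo.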
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3390-g9c3da89
The branch, v3-2-test has been updated via 9c3da895e6dd5df2f4e3377e1bf562b376436081 (commit) from 0ee05c012e5f58c9132549c59cfd1ed74dd27759 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 9c3da895e6dd5df2f4e3377e1bf562b376436081 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 10:59:47 2009 -0800 Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs. Simo is completely correct. We should be doing the chown *first*, and fail the ACL set if this fails. The long standing assumption I made when writing the initial POSIX ACL code was that Windows didn't control who could chown a file in the same way as POSIX. In POSIX only root can do this whereas I wasn't sure who could do this in Windows at the time (I didn't understand the privilege model). So the assumption was that setting the ACL was more important (early tests showed many failed ACL sets due to inability to chown). But now we have privileges in smbd, and we must always fail an ACL set when we can't chown first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL incoming are relative to the *new* owner, not the old one. This is why the old user owner disappears on ACL set - their access was set via the USER_OBJ in the creator POSIX ACL and when the ownership changes they lose their access. Patch is simple - just ensure we do the chown first before evaluating the incoming ACL re-read the owners. We already have code to do this it just wasn't rigorously being applied. Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 29 - 1 files changed, 4 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 09165e7..534c2b9 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c
@@ -3439,7 +3439,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) NTSTATUS status; uid_t orig_uid; gid_t orig_gid; - bool need_chown = False; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3475,14 +3474,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) } /* -* Do we need to chown ? +* Do we need to chown ? If so this must be done first as the incoming +* CREATOR_OWNER acl will be relative to the *new* owner, not the old. +* Noticed by Simo. */ if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { - need_chown = True; - } - - if (need_chown (user == (uid_t)-1 || user == current_user.ut.uid)) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); @@ -3522,9 +3519,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) orig_mode = sbuf.st_mode; orig_uid = sbuf.st_uid; orig_gid = sbuf.st_gid; - - /* We did chown already, drop the flag */ - need_chown = False; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); @@ -3673,24 +3667,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) } free_canon_ace_list(file_ace_list); - free_canon_ace_list(dir_ace_list); + free_canon_ace_list(dir_ace_list); } - /* Any chown pending? */ - if (need_chown) { - DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); - - if(try_chown( fsp-conn, fsp-fsp_name, user, grp) == -1) { - DEBUG(3,(set_nt_acl: chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) )); - if (errno == EPERM) { - return NT_STATUS_INVALID_OWNER; - } - return map_nt_error_from_unix(errno); - } - } - return NT_STATUS_OK; } -- Samba Shared Repository
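Review bot: once the `@@ -3439,7 +3439,6 @@` hunk removes `need_chown`, the only uses of `orig_uid` and `orig_gid` in the visible lines are the comparison in the chown test and the refresh from `sbuf` in the `@@ -3522,9 +3519,6 @@` context. Comparing against `sbuf.st_uid` and `sbuf.st_gid` directly would let both locals go as well and remove the chance of them going stale after the re-stat.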
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-92-g8e2b48e
The branch, master has been updated via 8e2b48e1b7c7fd6b6080f2e56f654b682c6426a3 (commit) from 2d81c9e957a21191c5b4e2b28a4599052c1357a1 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8e2b48e1b7c7fd6b6080f2e56f654b682c6426a3 Author: Tim Prouty tpro...@samba.org Date: Thu Jan 22 13:14:04 2009 -0800 s3: Fix warning --- Summary of changes: source3/include/proto.h |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index 40ced54..d55546f 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -7024,7 +7024,7 @@ NTSTATUS get_relative_fid_filename(connection_struct *conn, /* The following definitions come from smbd/oplock.c */ int32 get_number_of_exclusive_open_oplocks(void); -bool oplock_message_waiting(); +bool oplock_message_waiting(void); void process_kernel_oplocks(struct messaging_context *msg_ctx); bool set_file_oplock(files_struct *fsp, int oplock_type); void release_file_oplock(files_struct *fsp); -- Samba Shared Repository
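Review bot: the one-line change to `oplock_message_waiting(void)` in the `@@ -7024,7 +7024,7 @@` hunk fixes the declaration only. The comment in the context says these prototypes come from smbd/oplock.c; check that the definition there is also written with `(void)`, because an empty parameter list in a C declaration leaves the arguments unchecked and the warning will otherwise move to the definition.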
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-98-g1fcd85e
The branch, master has been updated via 1fcd85e8b9235301c7bc6c4c0878e73ddcbd4b16 (commit) via ebb929779bf9f4aa0cb9695a3ee5ce5d550bcecc (commit) via a4afed1e9a28498885382daf96ab7b8997821dca (commit) via fc50f7ecbab4bf273697f2114a723eae917251bb (commit) via 8f68a716fdefb153811d7d930fdd73df9963246a (commit) via e490c1b8c858ea42e31ae1a6504c4788e0fb1545 (commit) from 8e2b48e1b7c7fd6b6080f2e56f654b682c6426a3 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1fcd85e8b9235301c7bc6c4c0878e73ddcbd4b16 Merge: ebb929779bf9f4aa0cb9695a3ee5ce5d550bcecc 8e2b48e1b7c7fd6b6080f2e56f654b682c6426a3 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 22:49:30 2009 +0100 Merge branch 'master' of ssh://git.samba.org/data/git/samba commit ebb929779bf9f4aa0cb9695a3ee5ce5d550bcecc Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 15:23:32 2009 +0100 Remove obsolete samr Python module - use samba.dcerpc.samr instead. commit a4afed1e9a28498885382daf96ab7b8997821dca Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 14:49:51 2009 +0100 Implement as_sddl. commit fc50f7ecbab4bf273697f2114a723eae917251bb Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 14:37:59 2009 +0100 Support parsing sddl for security descriptors. commit 8f68a716fdefb153811d7d930fdd73df9963246a Merge: e490c1b8c858ea42e31ae1a6504c4788e0fb1545 3662c2b0f648d1719cbb26f9abfc61dbe03f8a2a Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 11:37:27 2009 +0100 Merge branch 'master' of ssh://git.samba.org/data/git/samba commit e490c1b8c858ea42e31ae1a6504c4788e0fb1545 Author: Jelmer Vernooij jel...@samba.org Date: Thu Jan 22 11:35:28 2009 +0100 Move configure test files to the top-level and share them between s3 and s4. 
--- Summary of changes: source3/configure.in | 22 +- source3/tests/trivial.c|4 - source4/build/m4/check_cc.m4 |2 +- source4/build/m4/check_ld.m4 |6 +- source4/build/m4/public.m4 |2 +- source4/build/tests/README | 10 - source4/build/tests/crypttest.c| 851 source4/build/tests/fcntl_lock.c | 112 --- source4/build/tests/fcntl_lock64.c | 87 -- source4/build/tests/shlib.c|6 - source4/build/tests/summary.c | 22 - source4/configure.ac |2 +- source4/libcli/security/tests/bindings.py | 18 + source4/librpc/ndr/py_security.c | 49 ++- source4/scripting/python/samba/samr.py | 759 - {source3/tests = tests}/README|0 {source3/tests = tests}/crypttest.c |0 {source3/tests = tests}/fcntl_lock.c |0 {source3/tests = tests}/fcntl_lock64.c|0 {source4/build/tests = tests}/fcntl_lock_thread.c |0 {source3/tests = tests}/ftruncate.c |0 {source3/tests = tests}/getgroups.c |0 {source4/build/tests = tests}/shared_mmap.c |0 {source3/tests = tests}/shlib.c |0 {source3/tests = tests}/summary.c |2 + {source4/build/tests = tests}/trivial.c |0 26 files changed, 84 insertions(+), 1870 deletions(-) delete mode 100644 source3/tests/trivial.c delete mode 100644 source4/build/tests/README delete mode 100644 source4/build/tests/crypttest.c delete mode 100644 source4/build/tests/fcntl_lock.c delete mode 100644 source4/build/tests/fcntl_lock64.c delete mode 100644 source4/build/tests/shlib.c delete mode 100644 source4/build/tests/summary.c delete mode 100644 source4/scripting/python/samba/samr.py rename {source3/tests = tests}/README (100%) rename {source3/tests = tests}/crypttest.c (100%) rename {source3/tests = tests}/fcntl_lock.c (100%) rename {source3/tests = tests}/fcntl_lock64.c (100%) rename {source4/build/tests = tests}/fcntl_lock_thread.c (100%) rename {source3/tests = tests}/ftruncate.c (100%) rename {source3/tests = tests}/getgroups.c (100%) rename {source4/build/tests = tests}/shared_mmap.c (100%) rename {source3/tests = tests}/shlib.c (100%) rename {source3/tests = tests}/summary.c (98%) rename 
{source4/build/tests = tests}/trivial.c (100%) Changeset truncated at 500 lines: diff --git a/source3/configure.in b/source3/configure.in index 87b4c33..44a932c 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -1916,7 +1916,7 @@ AC_CACHE_CHECK([whether building shared libraries actually works], # The $SHLD and $LDSHFLAGS variables may contain references
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-103-gb7094c0
The branch, master has been updated via b7094c0b804984de8e0b50c17e7908a2685df557 (commit) via b7bd71b34969927e39d5d24c766efeda262ee5bd (commit) via c5b43710543a83e25c387566691031a357f5a1da (commit) via 9b140c7c81c87c229fb7b95cf817bafb0da7fae0 (commit) via 42fa1441bf17ae486ebca5553e503242a653c92c (commit) from 1fcd85e8b9235301c7bc6c4c0878e73ddcbd4b16 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b7094c0b804984de8e0b50c17e7908a2685df557 Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 18:52:15 2009 +0100 Abstract away the transport in cli_pipe.c Sorry for the monster checkin, I could not really find a way to do this in steps. commit b7bd71b34969927e39d5d24c766efeda262ee5bd Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 18:39:29 2009 +0100 Add the socket rpc client transport commit c5b43710543a83e25c387566691031a357f5a1da Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 18:34:06 2009 +0100 Add the named pipe rpc client transport commit 9b140c7c81c87c229fb7b95cf817bafb0da7fae0 Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 22:04:55 2009 +0100 RPC_CLIENT_OBJ is the right variable for cli_pipe.o commit 42fa1441bf17ae486ebca5553e503242a653c92c Author: Volker Lendecke v...@samba.org Date: Thu Jan 22 18:50:37 2009 +0100 Add struct rpc_cli_transport --- Summary of changes: source3/Makefile.in |7 +- source3/include/client.h| 63 - source3/include/proto.h | 12 +- source3/rpc_client/cli_pipe.c | 477 +++ source3/rpc_client/rpc_transport_np.c | 329 + source3/rpc_client/rpc_transport_sock.c | 116 6 files changed, 684 insertions(+), 320 deletions(-) create mode 100644 source3/rpc_client/rpc_transport_np.c create mode 100644 source3/rpc_client/rpc_transport_sock.c Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 1924ade..3cbefc8 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in 
@@ -576,7 +576,8 @@ RPC_PARSE_OBJ = $(RPC_PARSE_OBJ2) \ rpc_parse/parse_spoolss.o \ rpc_parse/parse_eventlog.o rpc_parse/parse_buffer.o -RPC_CLIENT_OBJ = rpc_client/cli_pipe.o +RPC_CLIENT_OBJ = rpc_client/cli_pipe.o rpc_client/rpc_transport_np.o \ + rpc_client/rpc_transport_sock.o LOCKING_OBJ = locking/locking.o locking/brlock.o locking/posix.o @@ -761,7 +762,7 @@ SMBCONTROL_OBJ = utils/smbcontrol.o $(LOCKING_OBJ) $(PARAM_OBJ) \ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \ $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \ - rpc_client/cli_pipe.o ../librpc/rpc/binding.o $(RPC_PARSE_OBJ2) \ + $(RPC_CLIENT_OBJ) ../librpc/rpc/binding.o $(RPC_PARSE_OBJ2) \ $(RPC_CLIENT_OBJ1) \ $(PASSDB_OBJ) @LIBWBCLIENT_STATIC@ $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \ $(LIBMSRPC_GEN_OBJ) @@ -844,7 +845,7 @@ LIBBIGBALLOFMUD_OBJ = $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_OBJ) @LIBWBCLIENT_STATIC@ \ $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) -CLIENT_OBJ1 = client/client.o client/clitar.o rpc_client/cli_pipe.o \ +CLIENT_OBJ1 = client/client.o client/clitar.o $(RPC_CLIENT_OBJ) \ ../librpc/rpc/binding.o \ client/dnsbrowse.o \ $(RPC_CLIENT_OBJ1) \ diff --git a/source3/include/client.h b/source3/include/client.h index 09fdb81..d62d1c0 100644 --- a/source3/include/client.h +++ b/source3/include/client.h 
@@ -61,21 +61,60 @@ struct cli_pipe_auth_data { } a_u; }; +/** + * rpc_cli_transport defines a transport mechanism to ship rpc requests + * asynchronously to a server and receive replies + */ + +struct rpc_cli_transport { + + /** +* Trigger an async read from the server. May return a short read. +*/ + struct async_req *(*read_send)(TALLOC_CTX *mem_ctx, + struct event_context *ev, + uint8_t *data, size_t size, + void *priv); + /** +* Get the result from the read_send operation. +*/ + NTSTATUS (*read_recv)(struct async_req *req, ssize_t *preceived); + + /** +* Trigger an async write to the server. May return a short write. +*/ + struct async_req *(*write_send)(TALLOC_CTX *mem_ctx, + struct event_context *ev, + const uint8_t *data, size_t size, + void
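Review bot: the Makefile.in hunks replace the literal `rpc_client/cli_pipe.o` with `$(RPC_CLIENT_OBJ)` in `SMBTREE_OBJ` and `CLIENT_OBJ1`, but any other object list that still names `rpc_client/cli_pipe.o` directly will fail to link if `cli_pipe.o` now references the two new transport objects. Grep Makefile.in for remaining literal references and switch them to the variable in the same commit.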
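Review bot: the doc comments on `struct rpc_cli_transport` in the client.h hunk say that `read_send` and `write_send` may return a short read or write, but they do not document the `priv` argument or how long the `data` buffer must stay valid while the request is in flight. For an asynchronous interface that is the contract a transport implementer most needs; state who owns `data` until the matching `_recv` call completes and what `priv` points at.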
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4857-g90b660e
The branch, v3-3-test has been updated via 90b660e2382711d005e8c4c4ae1c6adbd5e5b687 (commit) from 96b819e04cd71a6c899801ae68031bf55b54ea46 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit 90b660e2382711d005e8c4c4ae1c6adbd5e5b687 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 14:32:32 2009 -0800 Second part of the attempt to fix #4308 - Excel save operation corrupts file ACLs. If the chown succeeds then the ACL set should also. Ensure this is the case (refactor some of this code to make it simpler to read also). Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 273 -- 1 files changed, 143 insertions(+), 130 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 5ccfb26..0882cb5 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3422,8 +3422,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC bool acl_perms = False; mode_t orig_mode = (mode_t)0; NTSTATUS status; - uid_t orig_uid; - gid_t orig_gid; + bool set_acl_as_root = false; + bool acl_set_support = false; + bool ret = false; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3444,10 +3445,8 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; /* * Unpack the user/group/world id's. 
@@ -3464,7 +3463,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC * Noticed by Simo. */ - if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { + if (((user != (uid_t)-1) (sbuf.st_uid != user)) || (( grp != (gid_t)-1) (sbuf.st_gid != grp))) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); 
@@ -3489,174 +3488,188 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } } else { - int ret; + int sret; if(fsp-fh-fd == -1) - ret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); + sret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); else - ret = SMB_VFS_FSTAT(fsp, sbuf); + sret = SMB_VFS_FSTAT(fsp, sbuf); - if(ret != 0) + if(sret != 0) return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. +*/ + set_acl_as_root = true; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); -#if 0 - /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ - - /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx -* for details and also the log trace in bug #4308. JRA. -*/ - - if ((security_info_sent DACL_SECURITY_INFORMATION) - psd-dacl != NULL - (psd-type (SE_DESC_DACL_AUTO_INHERITED| - SE_DESC_DACL_AUTO_INHERIT_REQ))== - (SE_DESC_DACL_AUTO_INHERITED| -SE_DESC_DACL_AUTO_INHERIT_REQ) ) { - SEC_DESC *new_sd = NULL; - status = append_parent_acl(fsp, psd, new_sd); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - psd = new_sd; - } -#endif - acl_perms = unpack_canon_ace( fsp, sbuf, file_owner_sid, file_grp_sid, file_ace_list, dir_ace_list, security_info_sent, psd); /* Ignore W2K traverse DACL set. */ - if (file_ace_list || dir_ace_list) { + if (!file_ace_list !dir_ace_list) { + return NT_STATUS_OK; + } - if (!acl_perms) { -
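Review bot: the `@@ -3489,174 +3488,188 @@` hunk sets `set_acl_as_root = true` on the strength of a successful chown, so the ACL write that follows runs with root privilege. The code that consumes the flag is past the truncation point; when reviewing the full patch, check that root is taken only around the ACL set calls themselves and that every return between gaining and dropping root drops it first, including the `!acl_perms` error path.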
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3391-g7e38054
The branch, v3-2-test has been updated via 7e38054a94d3feacda9c249549d2721a4ee0b261 (commit) from 9c3da895e6dd5df2f4e3377e1bf562b376436081 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 7e38054a94d3feacda9c249549d2721a4ee0b261 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 14:32:44 2009 -0800 Second part of the attempt to fix #4308 - Excel save operation corrupts file ACLs. If the chown succeeds then the ACL set should also. Ensure this is the case (refactor some of this code to make it simpler to read also). Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 270 -- 1 files changed, 142 insertions(+), 128 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 534c2b9..0598384 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3437,8 +3437,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) bool acl_perms = False; mode_t orig_mode = (mode_t)0; NTSTATUS status; - uid_t orig_uid; - gid_t orig_gid; + bool set_acl_as_root = false; + bool acl_set_support = false; + bool ret = false; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3459,10 +3460,8 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; /* * Unpack the user/group/world id's. 
@@ -3479,7 +3478,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) * Noticed by Simo. */ - if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { + if (((user != (uid_t)-1) (sbuf.st_uid != user)) || (( grp != (gid_t)-1) (sbuf.st_gid != grp))) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); 
@@ -3504,172 +3503,187 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) } } else { - int ret; + int sret; if(fsp-fh-fd == -1) - ret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); + sret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); else - ret = SMB_VFS_FSTAT(fsp, sbuf); + sret = SMB_VFS_FSTAT(fsp, sbuf); - if(ret != 0) + if(sret != 0) return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. +*/ + set_acl_as_root = true; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); -#if 0 - /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ - - /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx -* for details and also the log trace in bug #4308. JRA. -*/ - - if ((security_info_sent DACL_SECURITY_INFORMATION) - psd-dacl != NULL - (psd-type (SE_DESC_DACL_AUTO_INHERITED| - SE_DESC_DACL_AUTO_INHERIT_REQ))== - (SE_DESC_DACL_AUTO_INHERITED| -SE_DESC_DACL_AUTO_INHERIT_REQ) ) { - status = append_parent_acl(fsp, sbuf, psd, psd); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } -#endif - acl_perms = unpack_canon_ace( fsp, sbuf, file_owner_sid, file_grp_sid, file_ace_list, dir_ace_list, security_info_sent, psd); /* Ignore W2K traverse DACL set. */ - if (file_ace_list || dir_ace_list) { + if (!file_ace_list !dir_ace_list) { + return NT_STATUS_OK; + } - if (!acl_perms) { - DEBUG(3,(set_nt_acl: cannot set permissions\n)); -
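Review bot: the `@@ -3504,172 +3503,187 @@` hunk mixes the functional change (`set_acl_as_root`) with a restructuring of the function: the `#if 0` `append_parent_acl` block is deleted and the `if (file_ace_list || dir_ace_list) {` test is inverted into an early return, for 142 insertions and 128 deletions in total. On a maintenance branch, split the refactor into its own commit so the behaviour change can be reviewed and, if needed, reverted on its own.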
[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-122-g0883672
The branch, v3-0-test has been updated via 08836722e63cfd6cfd88059dd3f10d98474f49cb (commit) from 9a95b6cac2dea88cb9e9b428292dfca9d1e3e801 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log - commit 08836722e63cfd6cfd88059dd3f10d98474f49cb Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 14:31:27 2009 -0800 Second part of the attempt to fix #4308 - Excel save operation corrupts file ACLs. If the chown succeeds then the ACL set should also. Ensure this is the case (refactor some of this code to make it simpler to read also). Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 264 -- 1 files changed, 140 insertions(+), 124 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 23bf40f..945dc99 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3336,8 +3336,9 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) canon_ace *dir_ace_list = NULL; BOOL acl_perms = False; mode_t orig_mode = (mode_t)0; - uid_t orig_uid; - gid_t orig_gid; + BOOL set_acl_as_root = false; + BOOL acl_set_support = false; + BOOL ret = false; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3360,8 +3361,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) /* Save the original elements we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; /* * Unpack the user/group/world id's. @@ -3375,7 +3374,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) * Do we need to chown ? */ - if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { + if (((user != (uid_t)-1) (sbuf.st_uid != user)) || (( grp != (gid_t)-1) (sbuf.st_gid != grp))) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); 
@@ -3397,172 +3396,189 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) } } else { - int ret; + int sret; if(fsp-fh-fd == -1) - ret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); + sret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); else - ret = SMB_VFS_FSTAT(fsp,fsp-fh-fd,sbuf); + sret = SMB_VFS_FSTAT(fsp,fsp-fh-fd,sbuf); - if(ret != 0) + if(sret != 0) return False; } /* Save the original elements we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. +*/ +set_acl_as_root = true; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); -#if 0 - /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ + acl_perms = unpack_canon_ace( fsp, sbuf, file_owner_sid, file_grp_sid, + file_ace_list, dir_ace_list, security_info_sent, psd); - /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx -* for details and also the log trace in bug #4308. JRA. - */ + /* Ignore W2K traverse DACL set. */ + if (!file_ace_list !dir_ace_list) { + return True; + } - if ((security_info_sent DACL_SECURITY_INFORMATION) - psd-dacl != NULL - (psd-type (SE_DESC_DACL_AUTO_INHERITED| - SE_DESC_DACL_AUTO_INHERIT_REQ))== - (SE_DESC_DACL_AUTO_INHERITED| -SE_DESC_DACL_AUTO_INHERIT_REQ) ) { - NTSTATUS status = append_parent_acl(fsp, sbuf, psd, psd); - if (!NT_STATUS_IS_OK(status)) { - return False; - } + if (!acl_perms) { + DEBUG(3,(set_nt_acl: cannot set permissions\n)); + free_canon_ace_list(file_ace_list); + free_canon_ace_list(dir_ace_list); + return False; } -#endif - acl_perms = unpack_canon_ace( fsp, sbuf, file_owner_sid, file_grp_sid, -
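Review bot: In the first hunk the new locals are written `BOOL set_acl_as_root = false;`, `BOOL acl_set_support = false;` and `BOOL ret = false;`, and the last hunk assigns `set_acl_as_root = true;`, while the declaration directly above them is `BOOL acl_perms = False;` and the function itself returns `True` and `False`. On this branch please use the `False`/`True` spellings, so the new code matches the rest of set_nt_acl and does not depend on lowercase `true`/`false` being defined for a `BOOL`.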
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-104-g81533e2
The branch, master has been updated via 81533e2d39cae11b7ea06f289a7c398ed3c51da9 (commit) from b7094c0b804984de8e0b50c17e7908a2685df557 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 81533e2d39cae11b7ea06f289a7c398ed3c51da9 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 14:38:57 2009 -0800 Second part of the attemt to fix #4308 - Excel save operation corrupts file ACLs. If the chown succeeds then the ACL set should also. Ensure this is the case (refactor some of this code to make it simpler to read also). Jeremy. --- Summary of changes: source3/smbd/posix_acls.c | 273 +++- 1 files changed, 143 insertions(+), 130 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 951046c..627bfb4 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3426,8 +3426,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC bool acl_perms = False; mode_t orig_mode = (mode_t)0; NTSTATUS status; - uid_t orig_uid; - gid_t orig_gid; + bool set_acl_as_root = false; + bool acl_set_support = false; + bool ret = false; DEBUG(10,(set_nt_acl: called for file %s\n, fsp-fsp_name )); @@ -3448,10 +3449,8 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; /* * Unpack the user/group/world id's. 
@@ -3468,7 +3467,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC * Noticed by Simo. */ - if (((user != (uid_t)-1) (orig_uid != user)) || (( grp != (gid_t)-1) (orig_gid != grp))) { + if (((user != (uid_t)-1) (sbuf.st_uid != user)) || (( grp != (gid_t)-1) (sbuf.st_gid != grp))) { DEBUG(3,(set_nt_acl: chown %s. uid = %u, gid = %u.\n, fsp-fsp_name, (unsigned int)user, (unsigned int)grp )); 
@@ -3493,174 +3492,188 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC } } else { - int ret; + int sret; if(fsp-fh-fd == -1) - ret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); + sret = SMB_VFS_STAT(fsp-conn, fsp-fsp_name, sbuf); else - ret = SMB_VFS_FSTAT(fsp, sbuf); + sret = SMB_VFS_FSTAT(fsp, sbuf); - if(ret != 0) + if(sret != 0) return map_nt_error_from_unix(errno); } - /* Save the original elements we check against. */ + /* Save the original element we check against. */ orig_mode = sbuf.st_mode; - orig_uid = sbuf.st_uid; - orig_gid = sbuf.st_gid; + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. +*/ + set_acl_as_root = true; } create_file_sids(sbuf, file_owner_sid, file_grp_sid); -#if 0 - /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */ - - /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx -* for details and also the log trace in bug #4308. JRA. -*/ - - if ((security_info_sent DACL_SECURITY_INFORMATION) - psd-dacl != NULL - (psd-type (SE_DESC_DACL_AUTO_INHERITED| - SE_DESC_DACL_AUTO_INHERIT_REQ))== - (SE_DESC_DACL_AUTO_INHERITED| -SE_DESC_DACL_AUTO_INHERIT_REQ) ) { - SEC_DESC *new_sd = NULL; - status = append_parent_acl(fsp, psd, new_sd); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - psd = new_sd; - } -#endif - acl_perms = unpack_canon_ace( fsp, sbuf, file_owner_sid, file_grp_sid, file_ace_list, dir_ace_list, security_info_sent, psd); /* Ignore W2K traverse DACL set. */ - if (file_ace_list || dir_ace_list) { + if (!file_ace_list !dir_ace_list) { + return NT_STATUS_OK; + } - if (!acl_perms) { -
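Review bot: The comment added before `set_acl_as_root = true;` in the last hunk gives the conclusion ("we know we must be able to set the acl") but not the premise, and the flag is set on the shared chown path that the condition in the @@ -3468 hunk enters for an owner change and for a group-only change alike. Because the flag moves the ACL write outside the filesystem's own permission check, the comment should name the check in try_chown that makes a successful chown sufficient authorisation. The code that consumes the flag is cut off in this truncated changeset; it should keep the root section to the single ACL set call.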
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-105-g634cc6b
The branch, master has been updated via 634cc6b64ad7e840a26400b0ee9c075176d2db3a (commit) from 81533e2d39cae11b7ea06f289a7c398ed3c51da9 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 634cc6b64ad7e840a26400b0ee9c075176d2db3a Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 15:57:41 2009 -0800 Fix logic error in try_chown - we shouldn't arbitrarily chown to ourselves unless that was passed in. Jeremy. --- Summary of changes: source3/modules/vfs_aixacl2.c |2 -- source3/smbd/posix_acls.c | 15 +-- 2 files changed, 9 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_aixacl2.c b/source3/modules/vfs_aixacl2.c index a078b9f..5ebc3a1 100644 --- a/source3/modules/vfs_aixacl2.c +++ b/source3/modules/vfs_aixacl2.c @@ -25,8 +25,6 @@ #define AIXACL2_MODULE_NAME aixacl2 -extern int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid); - extern SMB_ACL_T aixacl_to_smbacl( struct acl *file_acl); extern struct acl *aixacl_smb_to_aixacl(SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl); diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 627bfb4..72f5c94 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3187,6 +3187,15 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } + /* only allow chown to the current user. This is more secure, + and also copes with the case where the SID in a take ownership ACL is + a local SID on the users workstation + */ + if (uid != current_user.ut.uid) { + errno = EPERM; + return -1; + } + if (SMB_VFS_STAT(conn,fname,st)) { return -1; } 
@@ -3195,12 +3204,6 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } - /* only allow chown to the current user. This is more secure, - and also copes with the case where the SID in a take ownership ACL is - a local SID on the users workstation - */ - uid = current_user.ut.uid; - become_root(); /* Keep the current file gid the same. */ ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); -- Samba Shared Repository
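Review bot: The new guard `if (uid != current_user.ut.uid)` in the @@ -3187 hunk also rejects a uid of (uid_t)-1, so a call that reaches this point with no owner change requested now returns EPERM, where the removed `uid = current_user.ut.uid;` turned it into a chown to the caller. Stopping that substitution is what the commit message asks for, but the comment should say explicitly that a (uid_t)-1 request is refused here: the gid argument is not applied on this path (`SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1)`), so a caller asking only for a group change gets a permission error from this branch rather than a group change.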
Build status as of Fri Jan 23 00:00:02 2009
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2009-01-22 00:00:36.0 + +++ /home/build/master/cache/broken_results.txt 2009-01-23 00:00:32.0 + @@ -1,23 +1,23 @@ -Build status as of Thu Jan 22 00:00:02 2009 +Build status as of Fri Jan 23 00:00:02 2009 Build counts: Tree Total Broken Panic build_farm 0 0 0 -ccache 28 6 0 +ccache 29 6 0 ctdb 0 0 0 distcc 1 0 0 -ldb 27 28 0 -libreplace 27 10 0 -lorikeet-heimdal 24 16 0 -pidl 17 15 0 -ppp 10 0 0 -rsync28 9 0 +ldb 29 29 0 +libreplace 28 10 0 +lorikeet-heimdal 25 16 0 +pidl 18 17 0 +ppp 11 0 0 +rsync29 9 0 samba-docs 0 0 0 samba-gtk4 4 0 -samba_3_X_devel 26 26 0 -samba_3_X_test 26 21 0 -samba_4_0_test 28 26 1 -smb-build26 5 0 -talloc 28 28 0 -tdb 25 9 0 +samba_3_X_devel 27 26 1 +samba_3_X_test 27 22 0 +samba_4_0_test 29 24 1 +smb-build27 6 0 +talloc 29 29 0 +tdb 27 8 0
[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-123-g6028918
The branch, v3-0-test has been updated via 60289187a91e23787be581b824076651230245b2 (commit) from 08836722e63cfd6cfd88059dd3f10d98474f49cb (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log - commit 60289187a91e23787be581b824076651230245b2 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:04:36 2009 -0800 Fix logic error in try_chown - we shouldn't arbitrarily chown to ourselves unless that was passed in. Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 945dc99..2fd047b 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3095,6 +3095,15 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } + /* only allow chown to the current user. This is more secure, + and also copes with the case where the SID in a take ownership ACL is + a local SID on the users workstation + */ + if (uid != current_user.ut.uid) { + errno = EPERM; + return -1; + } + if (SMB_VFS_STAT(conn,fname,st)) { return -1; } @@ -3103,12 +3112,6 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } - /* only allow chown to the current user. This is more secure, - and also copes with the case where the SID in a take ownership ACL is - a local SID on the users workstation - */ - uid = current_user.ut.uid; - become_root(); /* Keep the current file gid the same. */ ret = SMB_VFS_FCHOWN(fsp, fsp-fh-fd, uid, (gid_t)-1); -- Samba Shared Repository
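Review bot: The refusal path added in the @@ -3095 hunk sets `errno = EPERM` and returns without logging, so an administrator investigating a failed take-ownership request sees only a generic permission error. A DEBUG line at this return that prints the requested uid and `current_user.ut.uid` would make the policy denial distinguishable from an EPERM raised by the filesystem. The placement ahead of the SMB_VFS_STAT call and `become_root()` is right: a request that is going to be refused never reaches the privileged section.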
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4858-gdb2d564
The branch, v3-3-test has been updated via db2d56484e21daeb91df4b5e2286d242910336e8 (commit) from 90b660e2382711d005e8c4c4ae1c6adbd5e5b687 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit db2d56484e21daeb91df4b5e2286d242910336e8 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:09:26 2009 -0800 Fix logic error in try_chown - we shouldn't arbitrarily chown to ourselves unless that was passed in. Jeremy. --- Summary of changes: source/modules/vfs_aixacl2.c |2 -- source/smbd/posix_acls.c | 15 +-- 2 files changed, 9 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source/modules/vfs_aixacl2.c b/source/modules/vfs_aixacl2.c index a078b9f..5ebc3a1 100644 --- a/source/modules/vfs_aixacl2.c +++ b/source/modules/vfs_aixacl2.c @@ -25,8 +25,6 @@ #define AIXACL2_MODULE_NAME aixacl2 -extern int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid); - extern SMB_ACL_T aixacl_to_smbacl( struct acl *file_acl); extern struct acl *aixacl_smb_to_aixacl(SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl); diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 0882cb5..b862699 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3187,6 +3187,15 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } + /* only allow chown to the current user. This is more secure, + and also copes with the case where the SID in a take ownership ACL is + a local SID on the users workstation + */ + if (uid != current_user.ut.uid) { + errno = EPERM; + return -1; + } + if (SMB_VFS_STAT(conn,fname,st)) { return -1; } 
@@ -3195,12 +3204,6 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } - /* only allow chown to the current user. This is more secure, - and also copes with the case where the SID in a take ownership ACL is - a local SID on the users workstation - */ - uid = current_user.ut.uid; - become_root(); /* Keep the current file gid the same. */ ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); -- Samba Shared Repository
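Review bot: The vfs_aixacl2.c hunk drops the file-local `extern int try_chown(...)` declaration without adding an include in its place. Please confirm that the module either no longer calls try_chown or picks up its prototype from a shared header, and say which in the commit message; the message describes only the posix_acls.c logic fix, so this removal reads as an unrelated change riding along in a backport.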
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3392-gd04d93f
The branch, v3-2-test has been updated via d04d93f783533612e20326b7b6ea5958eb5fcdc6 (commit) from 7e38054a94d3feacda9c249549d2721a4ee0b261 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit d04d93f783533612e20326b7b6ea5958eb5fcdc6 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:10:36 2009 -0800 Fix logic error in try_chown - we shouldn't arbitrarily chown to ourselves unless that was passed in. Jeremy. --- Summary of changes: source/smbd/posix_acls.c | 15 +-- 1 files changed, 9 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 0598384..97c3f82 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -3197,6 +3197,15 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } + /* only allow chown to the current user. This is more secure, + and also copes with the case where the SID in a take ownership ACL is + a local SID on the users workstation + */ + if (uid != current_user.ut.uid) { + errno = EPERM; + return -1; + } + if (SMB_VFS_STAT(conn,fname,st)) { return -1; } @@ -3205,12 +3214,6 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } - /* only allow chown to the current user. This is more secure, - and also copes with the case where the SID in a take ownership ACL is - a local SID on the users workstation - */ - uid = current_user.ut.uid; - become_root(); /* Keep the current file gid the same. */ ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); -- Samba Shared Repository
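Review bot: The comment moved into the @@ -3197 hunk still says the code "copes with the case where the SID in a take ownership ACL is a local SID on the users workstation", but that sentence described the removed `uid = current_user.ut.uid;` substitution. With the new `if (uid != current_user.ut.uid)` test, a uid that is not the caller's is refused with EPERM rather than redirected to the caller, so the comment should be reworded to say that only a chown to the calling user is permitted and anything else is rejected. "users workstation" should also read "user's workstation".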
[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-106-gb30b1cf
The branch, master has been updated via b30b1cfcaf81bfe091893f51ce6a33fdf9a6dbc6 (commit) from 634cc6b64ad7e840a26400b0ee9c075176d2db3a (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b30b1cfcaf81bfe091893f51ce6a33fdf9a6dbc6 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:21:02 2009 -0800 Apply same logic fix for #4308 Excel save operation corrupts file ACLs to NFSv4 ACL code as this uses the same flawed logic as posix_acls.c. Jeremy. --- Summary of changes: source3/modules/nfs4_acls.c | 84 +++ 1 files changed, 37 insertions(+), 47 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index f411176..556dad6 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -698,9 +698,10 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, boolresult; SMB_STRUCT_STAT sbuf; - bool need_chown = False; + bool set_acl_as_root = false; uid_t newUID = (uid_t)-1; gid_t newGID = (gid_t)-1; + int saved_errno; DEBUG(10, (smb_set_nt_acl_nfs4 invoked for %s\n, fsp-fsp_name)); 
@@ -728,59 +729,48 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } if (((newUID != (uid_t)-1) (sbuf.st_uid != newUID)) || ((newGID != (gid_t)-1) (sbuf.st_gid != newGID))) { - need_chown = True; - } - if (need_chown) { - if ((newUID == (uid_t)-1 -|| newUID == fsp-conn-server_info-utok.uid)) { - if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { - DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, -strerror(errno))); - return map_nt_error_from_unix(errno); - } - - DEBUG(10,(chown %s, %u, %u succeeded.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); - if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) - return map_nt_error_from_unix(errno); - need_chown = False; - } else { /* chown is needed, but _after_ changing acl */ - sbuf.st_uid = newUID; /* OWNER@ in case of e_special */ - sbuf.st_gid = newGID; /* GROUP@ in case of e_special */ + if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { + DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, +fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, +strerror(errno))); + return map_nt_error_from_unix(errno); } + + DEBUG(10,(chown %s, %u, %u succeeded.\n, + fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); + if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) + return map_nt_error_from_unix(errno); + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. 
+*/ + set_acl_as_root = true; } } - if ((security_info_sent DACL_SECURITY_INFORMATION)!=0 psd-dacl!=NULL) - { - acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); - if (!acl) - return map_nt_error_from_unix(errno); + if (!(security_info_sent DACL_SECURITY_INFORMATION) || psd-dacl ==NULL) { + DEBUG(10, (no dacl found; security_info_sent = 0x%x\n, security_info_sent)); + return NT_STATUS_OK; + } - smbacl4_dump_nfs4acl(10, acl); + acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); + if (!acl) + return map_nt_error_from_unix(errno); - result = set_nfs4_native(fsp, acl); - if (result!=True) - { - DEBUG(10, (set_nfs4_native failed with %s\n, strerror(errno))); - return map_nt_error_from_unix(errno); - } - } else - DEBUG(10, (no dacl found;
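Review bot: The @@ -728 hunk deletes the caller-side test that compared newUID with (uid_t)-1 and with the connection's utok.uid before calling try_chown, so smb_set_nt_acl_nfs4 now calls try_chown for every owner or group mismatch and relies entirely on try_chown to refuse a chown to another user. Please add a comment at the call site saying so, and note the dependency on the try_chown change in the commit message, because the root ACL set enabled by `set_acl_as_root = true;` trusts that result.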
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4859-gcad872f
The branch, v3-3-test has been updated via cad872fc385ba30fb72baab25ee6341a41396e39 (commit) from db2d56484e21daeb91df4b5e2286d242910336e8 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit cad872fc385ba30fb72baab25ee6341a41396e39 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:22:04 2009 -0800 Apply same logic fix for #4308 Excel save operation corrupts file ACLs to NFSv4 ACL code as this uses the same flawed logic as posix_acls.c. Jeremy. --- Summary of changes: source/modules/nfs4_acls.c | 84 +++ 1 files changed, 37 insertions(+), 47 deletions(-) Changeset truncated at 500 lines: diff --git a/source/modules/nfs4_acls.c b/source/modules/nfs4_acls.c index f411176..556dad6 100644 --- a/source/modules/nfs4_acls.c +++ b/source/modules/nfs4_acls.c @@ -698,9 +698,10 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, boolresult; SMB_STRUCT_STAT sbuf; - bool need_chown = False; + bool set_acl_as_root = false; uid_t newUID = (uid_t)-1; gid_t newGID = (gid_t)-1; + int saved_errno; DEBUG(10, (smb_set_nt_acl_nfs4 invoked for %s\n, fsp-fsp_name)); 
@@ -728,59 +729,48 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } if (((newUID != (uid_t)-1) (sbuf.st_uid != newUID)) || ((newGID != (gid_t)-1) (sbuf.st_gid != newGID))) { - need_chown = True; - } - if (need_chown) { - if ((newUID == (uid_t)-1 -|| newUID == fsp-conn-server_info-utok.uid)) { - if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { - DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, -strerror(errno))); - return map_nt_error_from_unix(errno); - } - - DEBUG(10,(chown %s, %u, %u succeeded.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); - if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) - return map_nt_error_from_unix(errno); - need_chown = False; - } else { /* chown is needed, but _after_ changing acl */ - sbuf.st_uid = newUID; /* OWNER@ in case of e_special */ - sbuf.st_gid = newGID; /* GROUP@ in case of e_special */ + if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { + DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, +fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, +strerror(errno))); + return map_nt_error_from_unix(errno); } + + DEBUG(10,(chown %s, %u, %u succeeded.\n, + fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); + if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) + return map_nt_error_from_unix(errno); + + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. 
+*/ + set_acl_as_root = true; } } - if ((security_info_sent DACL_SECURITY_INFORMATION)!=0 psd-dacl!=NULL) - { - acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); - if (!acl) - return map_nt_error_from_unix(errno); + if (!(security_info_sent DACL_SECURITY_INFORMATION) || psd-dacl ==NULL) { + DEBUG(10, (no dacl found; security_info_sent = 0x%x\n, security_info_sent)); + return NT_STATUS_OK; + } - smbacl4_dump_nfs4acl(10, acl); + acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); + if (!acl) + return map_nt_error_from_unix(errno); - result = set_nfs4_native(fsp, acl); - if (result!=True) - { - DEBUG(10, (set_nfs4_native failed with %s\n, strerror(errno))); - return map_nt_error_from_unix(errno); - } - } else - DEBUG(10, (no dacl found;
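Review bot: The removed else branch in the @@ -728 hunk ("chown is needed, but _after_ changing acl") let a request whose new owner was not the caller continue to the ACL set with sbuf.st_uid and sbuf.st_gid preloaded; the replacement returns the mapped errno as soon as try_chown fails, so such a request now fails before the DACL is looked at. That is a client-visible behaviour change on a release branch and the commit message does not mention it. Please state it there, and say in the new comment that the ACL is deliberately not applied when the ownership change is refused.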
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3393-g7b994fc
The branch, v3-2-test has been updated via 7b994fc658ad175bc40af9e38a8f1b870276d980 (commit) from d04d93f783533612e20326b7b6ea5958eb5fcdc6 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 7b994fc658ad175bc40af9e38a8f1b870276d980 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:25:30 2009 -0800 Apply same logic fix for #4308 Excel save operation corrupts file ACLs to NFSv4 ACL code as this uses the same flawed logic as posix_acls.c. Jeremy. --- Summary of changes: source/modules/nfs4_acls.c | 82 +++ 1 files changed, 36 insertions(+), 46 deletions(-) Changeset truncated at 500 lines: diff --git a/source/modules/nfs4_acls.c b/source/modules/nfs4_acls.c index 5e90afa..bf25c45 100644 --- a/source/modules/nfs4_acls.c +++ b/source/modules/nfs4_acls.c @@ -703,9 +703,10 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, boolresult; SMB_STRUCT_STAT sbuf; - bool need_chown = False; + bool set_acl_as_root = false; uid_t newUID = (uid_t)-1; gid_t newGID = (gid_t)-1; + int saved_errno; DEBUG(10, (smb_set_nt_acl_nfs4 invoked for %s\n, fsp-fsp_name)); 
@@ -733,58 +734,47 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } if (((newUID != (uid_t)-1) (sbuf.st_uid != newUID)) || ((newGID != (gid_t)-1) (sbuf.st_gid != newGID))) { - need_chown = True; - } - if (need_chown) { - if ((newUID == (uid_t)-1 || newUID == current_user.ut.uid)) { - if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { - DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, -fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, -strerror(errno))); - return map_nt_error_from_unix(errno); - } - - DEBUG(10,(chown %s, %u, %u succeeded.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); - if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) - return map_nt_error_from_unix(errno); - need_chown = False; - } else { /* chown is needed, but _after_ changing acl */ - sbuf.st_uid = newUID; /* OWNER@ in case of e_special */ - sbuf.st_gid = newGID; /* GROUP@ in case of e_special */ + if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { + DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, +fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, +strerror(errno))); + return map_nt_error_from_unix(errno); } + + DEBUG(10,(chown %s, %u, %u succeeded.\n, + fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); + if (smbacl4_GetFileOwner(fsp-conn, fsp-fsp_name, sbuf)) + return map_nt_error_from_unix(errno); + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. 
+*/ + set_acl_as_root = true; } } - if ((security_info_sent DACL_SECURITY_INFORMATION)!=0 psd-dacl!=NULL) - { - acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); - if (!acl) - return map_nt_error_from_unix(errno); + if (!(security_info_sent DACL_SECURITY_INFORMATION) || psd-dacl ==NULL) { + DEBUG(10, (no dacl found; security_info_sent = 0x%x\n, security_info_sent)); + return NT_STATUS_OK; + } - smbacl4_dump_nfs4acl(10, acl); + acl = smbacl4_win2nfs4(fsp-fsp_name, psd-dacl, params, sbuf.st_uid, sbuf.st_gid); + if (!acl) + return map_nt_error_from_unix(errno); - result = set_nfs4_native(fsp, acl); - if (result!=True) - { - DEBUG(10, (set_nfs4_native failed with %s\n, strerror(errno))); - return map_nt_error_from_unix(errno); - } - } else - DEBUG(10, (no dacl found; security_info_sent = 0x%x\n, security_info_sent)); +
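Review bot: `int saved_errno;` is declared in the first hunk, but the code that uses it lies past the point where this changeset is truncated, so the errno handling around the root section cannot be reviewed from what is shown. When checking the rest, make sure errno is copied into it directly after the ACL set call and restored once root has been dropped, since the error paths in this function return `map_nt_error_from_unix(errno)` and the privilege switch can overwrite errno.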
[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-124-g11fbc11
The branch, v3-0-test has been updated via 11fbc11e396a300aed04a37d44411d287d4c17d3 (commit) from 60289187a91e23787be581b824076651230245b2 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log - commit 11fbc11e396a300aed04a37d44411d287d4c17d3 Author: Jeremy Allison j...@samba.org Date: Thu Jan 22 16:29:46 2009 -0800 Apply same logic fix for #4308 Excel save operation corrupts file ACLs to NFSv4 ACL code as this uses the same flawed logic as posix_acls.c. Jeremy. --- Summary of changes: source/modules/nfs4_acls.c | 79 +++- 1 files changed, 34 insertions(+), 45 deletions(-) Changeset truncated at 500 lines: diff --git a/source/modules/nfs4_acls.c b/source/modules/nfs4_acls.c index 8530a5d..b203828 100644 --- a/source/modules/nfs4_acls.c +++ b/source/modules/nfs4_acls.c @@ -587,9 +587,10 @@ BOOL smb_set_nt_acl_nfs4(files_struct *fsp, BOOLresult; SMB_STRUCT_STAT sbuf; - BOOL need_chown = False; + BOOL set_acl_as_root = False; uid_t newUID = (uid_t)-1; gid_t newGID = (gid_t)-1; + int saved_errno; DEBUG(10, (smb_set_nt_acl_nfs4 invoked for %s\n, fsp-fsp_name)); 
@@ -617,56 +618,44 @@ BOOL smb_set_nt_acl_nfs4(files_struct *fsp, } if (((newUID != (uid_t)-1) (sbuf.st_uid != newUID)) || ((newGID != (gid_t)-1) (sbuf.st_gid != newGID))) { - need_chown = True; - } - if (need_chown) { - if ((newUID == (uid_t)-1 || newUID == current_user.ut.uid)) { - if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { - DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, strerror(errno) )); - return False; - } - DEBUG(10,(chown %s, %u, %u succeeded.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); - if (smbacl4_GetFileOwner(fsp, sbuf)) - return False; - need_chown = False; - } else { /* chown is needed, but _after_ changing acl */ - sbuf.st_uid = newUID; /* OWNER@ in case of e_special */ - sbuf.st_gid = newGID; /* GROUP@ in case of e_special */ + if(try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { + DEBUG(3,(chown %s, %u, %u failed. Error = %s.\n, + fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, strerror(errno) )); + return False; } + DEBUG(10,(chown %s, %u, %u succeeded.\n, + fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); + if (smbacl4_GetFileOwner(fsp, sbuf)) + return False; + /* If we successfully chowned, we know we must +* be able to set the acl, so do it as root. 
+*/ + set_acl_as_root = True; } } - if ((security_info_sent DACL_SECURITY_INFORMATION)!=0 psd-dacl!=NULL) - { - acl = smbacl4_win2nfs4(psd-dacl, params, sbuf.st_uid, sbuf.st_gid); - if (!acl) - return False; - - smbacl4_dump_nfs4acl(10, acl); - - result = set_nfs4_native(fsp, acl); - if (result!=True) - { - DEBUG(10, (set_nfs4_native failed with %s\n, strerror(errno))); - return False; - } - } else + if (!(security_info_sent DACL_SECURITY_INFORMATION) || psd-dacl ==NULL) { DEBUG(10, (no dacl found; security_info_sent = 0x%x\n, security_info_sent)); + return True; + } + acl = smbacl4_win2nfs4(psd-dacl, params, sbuf.st_uid, sbuf.st_gid); + if (!acl) + return False; - /* Any chown pending? */ - if (need_chown) { - DEBUG(3,(chown#2 %s. uid = %u, gid = %u.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID)); - if (try_chown(fsp-conn, fsp-fsp_name, newUID, newGID)) { - DEBUG(2,(chown#2 %s, %u, %u failed. Error = %s.\n, - fsp-fsp_name, (unsigned int)newUID, (unsigned int)newGID, -
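Review bot: In the @@ -617 hunk the chown now always runs before the DACL is converted, and the later `if (!acl)` check returns False with no message, leaving the file with its new owner already applied and its old ACL still in place. The removed "Any chown pending?" block shows the old code could apply the ACL first and chown afterwards for a foreign owner. Please add a DEBUG at that return, at a level an administrator will actually see, so a file left in this half-updated state can be found.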