[SCM] Samba Shared Repository - branch master updated

[Volker Lendecke]

The branch, master has been updated
   via  08fa573... s3: Enable use of ccache by default for libsmbclient
  from  1e2e92f... Correct fix for unused variable return from ndr_decode. 
Use it :-). Jeremy.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 08fa57335a2e1ac44764330c0d95aaf099aa0c15
Author: Volker Lendecke v...@samba.org
Date:   Tue Jan 26 10:51:32 2010 +0100

s3: Enable use of ccache by default for libsmbclient

Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, 
which
has the advantage over an smb.conf option to be easily settable per
application.

---

Summary of changes:
 source3/libsmb/libsmb_context.c |3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index 2e56911..c44d92c 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -173,6 +173,9 @@ smbc_new_context(void)
 smbc_setOptionBrowseMaxLmbCount(context, 3);/* # LMBs to query */
 smbc_setOptionUrlEncodeReaddirEntries(context, False);
 smbc_setOptionOneSharePerServer(context, False);
+   if (getenv(LIBSMBCLIENT_NO_CCACHE) == NULL) {
+   smbc_setOptionUseCCache(context, true);
+   }
 
 smbc_setFunctionAuthData(context, SMBC_get_auth_data);
 smbc_setFunctionCheckServer(context, SMBC_check_server);


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

[Jeff Layton]

The branch, master has been updated
   via  a0c31ec... mount.cifs: don't allow it to be run as setuid root 
program
   via  a065c17... mount.cifs: check for invalid characters in device name 
and mountpoint
   via  3ae5dac... mount.cifs: take extra care that mountpoint isn't 
changed during mount
  from  7148eff... s4-smbtorture: also test smbc_getOptionUseCCache

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:15:41 2010 -0500

mount.cifs: don't allow it to be run as setuid root program

mount.cifs has been the subject of several security fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.

To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.

A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit a065c177dfc8f968775593ba00dffafeebb2e054
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:15:41 2010 -0500

mount.cifs: check for invalid characters in device name and mountpoint

It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.

Make sure that neither the devname or mountpoint contain any problematic
characters before allowing the mount to proceed.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
Author: Jeff Layton jlay...@redhat.com
Date:   Tue Jan 26 08:15:41 2010 -0500

mount.cifs: take extra care that mountpoint isn't changed during mount

It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.

To guard against this, chdir to the mountpoint very early, and only deal
with it as . from then on out.

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 client/mount.cifs.c |  107 ++
 1 files changed, 98 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/client/mount.cifs.c b/client/mount.cifs.c
index 459a9f3..9044184 100644
--- a/client/mount.cifs.c
+++ b/client/mount.cifs.c
@@ -43,7 +43,7 @@
 #include mount.h
 
 #define MOUNT_CIFS_VERSION_MAJOR 1
-#define MOUNT_CIFS_VERSION_MINOR 13
+#define MOUNT_CIFS_VERSION_MINOR 14
 
 #ifndef MOUNT_CIFS_VENDOR_SUFFIX
  #ifdef _SAMBA_BUILD_
@@ -87,6 +87,17 @@
 #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
 
 /*
+ * mount.cifs has been the subject of many security bugs that have arisen
+ * because of users and distributions installing it as a setuid root program.
+ * mount.cifs has not been audited for security. Thus, we strongly recommend
+ * that it not be installed setuid root. To make that abundantly clear,
+ * mount.cifs now check whether it's running setuid root and exit with an
+ * error if it is. If you wish to disable this check, then set the following
+ * #define to 1, but please realize that you do so at your own peril.
+ */
+#define CIFS_DISABLE_SETUID_CHECK 0
+
+/*
  * By default, mount.cifs follows the conventions set forth by /bin/mount
  * for user mounts. That is, it requires that the mount be listed in
  * /etc/fstab with the user option when run as an unprivileged user and
@@ -178,7 +189,7 @@ check_mountpoint(const char *progname, char *mountpoint)
struct stat statbuf;
 
/* does mountpoint exist and is it a directory? */
-   err = stat(mountpoint, statbuf);
+   err = stat(., statbuf);
if (err) {
fprintf(stderr, %s: failed to stat %s: %s\n, progname,
mountpoint, strerror(errno));
@@ -212,6 +223,29 @@ check_mountpoint(const char *progname, char *mountpoint)
return 0;
 }
 
+#if CIFS_DISABLE_SETUID_CHECK
+static int
+check_setuid(void)
+{
+   return 0;
+}
+#else /* CIFS_DISABLE_SETUID_CHECK */
+static int
+check_setuid(void)
+{
+   if (getuid()  !geteuid()) {
+   printf(This mount.cifs program has been built with the 
+

[SCM] Samba Shared Repository - branch v3-5-test updated

[Karolin Seeger]

The branch, v3-5-test has been updated
   via  77bb3f2... s3-docs: Fix version in man ldbrename.
   via  0e8552a... s3: Enable use of ccache by default for libsmbclient
   via  9698c21... s3-libsmbclient: Add smbc_setOptionUseCCache()
   via  af32a49... s3: Add --use-ccache to net
   via  b99ab82... s3: add libnetapi_set_use_ccache()
   via  3402773... s3: Fix a bug in net's use of popt
   via  2aca69e... s3: Enable -C in rpcclient
   via  36854ea... s3: Add CLI_FULL_CONNECTION_USE_CCACHE
   via  5e91f9e... s3: Use -C in smbclient
   via  58ebc50... s3: Add -C (--use-ccache) to popt_common_credentials
   via  e06abe4... s3: Add ccache use to cli_session_setup_ntlmssp
   via  8e96e1f... s3: Add NTLMSSP_FEATURE_CCACHE
   via  7ab798d... libwbclient: Actually implement wbcCredentialCache()
   via  99f6f32... s3: Add the session key to the ccache_ntlm_auth response
   via  1ae7b07... s3: Add wbinfo --ccache-save
  from  007dbc5... lib/popt: Fix typo in README.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit 77bb3f2a5596c84e99b9006d2a31a752c68ab34a
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 26 14:19:31 2010 +0100

s3-docs: Fix version in man ldbrename.

Karolin

commit 0e8552abc1b48e62aaac3cab7c13c8dea60c9f9b
Author: Volker Lendecke v...@samba.org
Date:   Tue Jan 26 10:51:32 2010 +0100

s3: Enable use of ccache by default for libsmbclient

Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, 
which
has the advantage over an smb.conf option to be easily settable per
application.

commit 9698c214624678125551f2d65b95deb29ea72b64
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 19:24:10 2010 +0100

s3-libsmbclient: Add smbc_setOptionUseCCache()

Can we enable this by default? This would be a change in behaviour, but this
feature is just too cool for everyone to catch up in the apps.

The patch would be

commit af32a49c7d8803f597e184f1361e795f179b809f
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:50:48 2010 +0100

s3: Add --use-ccache to net

commit b99ab82ebab598b45eb6729498c9e67b195e698d
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:50:31 2010 +0100

s3: add libnetapi_set_use_ccache()

commit 340277382518c62e23faae4af69a9c5c32b96af2
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:51:58 2010 +0100

s3: Fix a bug in net's use of popt

In order to add --use-ccache to net, I added another bool opt_ccache; to
struct net_context. popt did not like this, it took a while to figure out 
why.
Popt has the lines

/* XXX Check alignment, may fail on funky platforms. */
if (arg == NULL || (((unsigned long)arg)  (sizeof(*arg)-1)))
return POPT_ERROR_NULLARG;

The bool opt_ccache; was not aligned anymore...

commit 2aca69ef0df02e655125d9db31e1f0144d21a144
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:35:04 2010 +0100

s3: Enable -C in rpcclient

commit 36854ea0aa260dfe23f77825e942f5b3905d396d
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:34:13 2010 +0100

s3: Add CLI_FULL_CONNECTION_USE_CCACHE

commit 5e91f9eb10404a1df470fd87fc8c1cae5ea7b70c
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:08:56 2010 +0100

s3: Use -C in smbclient

$ bin/wbinfo --ccache-save=w2k3ad\\vl%Password
saving creds succeeded
$ bin/smbclient //192.168.42.160/tmp -Uvl -N -C -W w2k3ad
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 
R2 5.2]
smb: \
$ bin/wbinfo --ccache-save=w2k3ad\\vl%WrongPassword
saving creds succeeded
$ bin/smbclient //192.168.42.160/tmp -Uvl -N -C -W w2k3ad
Anonymous login successful
Domain=[W2K3AD] OS=[Windows Server 2003 R2 3790 Service Pack 2] 
Server=[Windows Server 2003 R2 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
$

commit 58ebc50663a299e16684aa24cfae95954d5a14f0
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:07:24 2010 +0100

s3: Add -C (--use-ccache) to popt_common_credentials

commit e06abe412f78b58f36998037637d1b3478fdc477
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 16:50:46 2010 +0100

s3: Add ccache use to cli_session_setup_ntlmssp

commit 8e96e1f49867d1260aa291b688fbb58e01ef2009
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 16:47:24 2010 +0100

s3: Add NTLMSSP_FEATURE_CCACHE

Uses the winbind ccache to do authentication if asked to do so

commit 7ab798d141bf715808fa0941f19422069e65fa0e
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 16:44:15 2010 +0100

libwbclient: Actually implement wbcCredentialCache()

commit 99f6f322ae5aa13596c5b0f1a6e600b6fec48896
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 16:41:30 2010 +0100

s3: Add the 

[SCM] Samba Shared Repository - branch v3-4-test updated

[Karolin Seeger]

The branch, v3-4-test has been updated
   via  69100db... s3-docs: Adapt version in man ldbrename.
   via  ba665a5... s3/docs: Add missing meta data to man ldbrename.
  from  28b3cf3... s3: Fix bug 7052: DFS broken on AIX (maybe others) 
(cherry picked from commit c531d00abdb19ff6ba4c60ebdcc8319949c6) (cherry 
picked from commit f21796955e7aa2e84a1c810612f2fdee2bde611c)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -
commit 69100db8c331ed15651ae52b88632d047f148ae4
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 26 14:28:12 2010 +0100

s3-docs: Adapt version in man ldbrename.

Karolin

commit ba665a53b3a86a56b1cf3adeccf6764291dc264b
Author: Karolin Seeger ksee...@samba.org
Date:   Thu Oct 15 12:27:24 2009 +0200

s3/docs: Add missing meta data to man ldbrename.

Avoid warnings.

Karolin
(cherry picked from commit 6a9e88e08bfa4463ce5bdc57183f6518b524c98c)
(cherry picked from commit 1a25ef232bacb59aa753fbe21fed53a996d2e6b3)

---

Summary of changes:
 docs-xml/manpages-3/ldbrename.1.xml |3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages-3/ldbrename.1.xml 
b/docs-xml/manpages-3/ldbrename.1.xml
index 391ec84..8567cd4 100644
--- a/docs-xml/manpages-3/ldbrename.1.xml
+++ b/docs-xml/manpages-3/ldbrename.1.xml
@@ -5,6 +5,9 @@
 refmeta
refentrytitleldbrename/refentrytitle
manvolnum1/manvolnum
+refmiscinfo class=sourceSamba/refmiscinfo
+refmiscinfo class=manualUser Commands/refmiscinfo
+refmiscinfo class=version3.4/refmiscinfo
 /refmeta
 
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v3-5-test updated

[Karolin Seeger]

The branch, v3-5-test has been updated
   via  048adb5... WHATSNEW: Update changes.
  from  77bb3f2... s3-docs: Fix version in man ldbrename.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit 048adb50d83a3928820e6607451d582696cd7cc7
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 26 14:58:45 2010 +0100

WHATSNEW: Update changes.

Karolin

---

Summary of changes:
 WHATSNEW.txt |   11 +++
 1 files changed, 11 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ac82c51..1a30e15 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -13,6 +13,7 @@ Major enhancements in Samba 3.5.0 include:
 General changes:
 o Add support for full Windows timestamp resolution
 o The Using Samba HTML book has been removed.
+o 'net', 'smbclient' and libsmbclient can use credentials cached by Winbind.
 
 Protocol changes:
 o Experimental implementation of SMB2
@@ -38,6 +39,12 @@ kernel (2.6.22 and higher) and the glibc (2.6 and higher).
 The Using Samba HTML book has been removed from the Samba tarball.
 It is still available at http://www.samba.org/samba/docs/using_samba/toc.html.
 
+Samba client tools like 'net', 'smbclient' and libsmbclient can use the user
+credentials cached by Winbind at logon time. This is very useful e.g. when
+connecting to a Samba server using Nautilus without re-entering username and
+password. This feature is enabled by default and can be disabled per 
application
+by setting the LIBSMBCLIENT_NO_CCACHE environment variable.
+
 Protocol changes
 
 
@@ -105,6 +112,8 @@ o   Björn Jacke b...@sernet.de
 o   Volker Lendecke v...@samba.org
 * Major internal refactoring of the Winbind daemon.
 * Make Winbind asynchronous.
+* Make 'net', 'smbclient' and libsmbclient use the logon credentials cached
+  by Winbind.
 
 
 o   Stefan Metzmacher me...@samba.org
@@ -159,6 +168,8 @@ o   Volker Lendecke v...@samba.org
 * BUG 7027: Fix a segfault in winbindd_dual_ccache_ntlm_auth().
 * BUG 7037: Fix a Winbind segfault in trusted_domains.
 * BUG 7046: Fix libsmbclient crash against OpenSolaris CIFS server.
+* BUG 7062: Make 'net', 'smbclient' and libsmbclient use the logon
+  credentials cached by Winbind.
 * Lock down some srvsvc calls according to what w2k3 seems to do.
 
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - annotated tag release-3-5-0rc2 created

[Karolin Seeger]

The annotated tag, release-3-5-0rc2 has been created
at  94bf3471d9196f3bf070d73ef2fa804f09c106b2 (tag)
   tagging  6e4252217a6f239a64afc5103d6416c402e5e10f (commit)
  replaces  release-3-5-0rc1
 tagged by  Karolin Seeger
on  Tue Jan 26 15:11:54 2010 +0100

- Log -
tag release-3-5-0rc2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.12 (GNU/Linux)

iD8DBQBLXvhGbzORW2Vot+oRAhbcAKCMxgBPqfsN5HvWo7Uy4apLyvuyQACgoqqJ
c3EZUrn5lamOPpPunOw4CoI=
=tT+U
-END PGP SIGNATURE-

André Hentschel (1):
  net: Add German translation, specially for the command listing

Björn Jacke (3):
  s3/i18n/de: improve some German translations
  ѕ3/i18n/de: fix typo
  s3/net: split up some printable stings to ease i18n

Giovanni Bajo (1):
  s3-lanman: Allow a level2 descriptor for a level1 NetShareGetInfo

Günther Deschner (2):
  s3-docs: mention -K option in pdbedit manpage.
  s3-libsmbclient: Fix crash bug in SMBC_parse_path().

Jeremy Allison (7):
  Re-fix bug 5202 - cannot change ACLs on writable file with dos 
filemode=yes
  Fix bug #7033 - SMBrmdir call always returns true, even on failure to 
delete a directory.
  Fix two uses of strncat - strlcat. Ensure proper use of strncpy when 
setting socket name.
  Fix bug #7036 - net rpc getsid fails in hardened windows environments.
  Fix bug #6876 - Delete of an object whose parent folder does not have 
delete rights fails even if the delete right is set on the object.
  Modification of fix for bug 6876 - Delete of an object whose parent 
folder does not have delete rights fails even if the delete right is set on the 
object
  Fix bug 7045 - Bad (non memory copying) interfaces in smbc_set calls.

Kai Blin (5):
  s3 net: Fix compile error with WITH_DNS_UPDATES
  s3 net/i18n: Use only one spelling for Usage:
  s3 net/i18n: update .po files
  s3 net: Fix compile warnings
  s3 net/i18n: Update .po files

Karolin Seeger (11):
  VERSION: Raise version number up to 3.5.0rc2.
  WHATSNEW: Start 3.5.0rc2 release notes.
  s3-docs: Adapt version number in man vfs_scannedonly.
  WHATSNEW: Update release notes.
  s3-docs: Fix typos.
  WHATSNEW: Update changes since 3.5.0rc1.
  WHATSNEW: Update changes.
  s3/docs: Fix typo.
  lib/popt: Fix typo in README.
  s3-docs: Fix version in man ldbrename.
  WHATSNEW: Update changes.

Michael Adam (15):
  docs: fix xml tag in the pdbedit manpage
  s3:check_sam_security: untangle assignment from statement
  s3:auth:sam_password_ok: enhance readability (imho) by adding some 
pointers
  s3:auth:sam_password_ok: fix allocation of a data blob.
  s3:auth: use data_blob_null instead of data_blob(NULL, 0) in 
sam_password_ok()
  s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not 
sampass
  s3:auth:check_sam_security: null out sampass after it has been stolen.
  s3:auth:check_sam_security: create (and use) a common exit point
  s3:auth:check_sam_security: fix a leading tab/ws mixup
  s3:auth:check_sam_security: improve calling and logging of 
pdb_update_sam_account
  s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash
  s3:passdb: store the plain nt passwords hashes in history, not salted md5
  s3:auth:check_sam_security: introduce a bool var to control pad_pw_count 
incrementation
  s3:auth: don't update the bad pw count if pw is among last 2 history 
entries
  s3:auth: fix account unlock regression introduced with fix for bug #4347

Olivier Sessink (3):
  Bug #7028 part1
  Part 4 of bug #7028 - include scannedonly VFS module
  s3-docs: Add man page for vfs_scannedonly.

SASAJIMA Toshihiro (1):
  Fix bug #7034 - vfs_cap causes signal 11 (SIGSEGV) (cherry picked from 
commit ca847952054f5bbde1d40ad4260589b6fcc9721d)

Stefan Metzmacher (2):
  s3:smbldap: add smbldap_talloc_first_attribute()
  s3:pdb_ldap: restore Samba 3.0.x behavior and use the first uid value.

Volker Lendecke (33):
  s3: Lock down some srvsvc calls according to what w2k3 seems to do
  s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()
  s3: Fix a winbind segfault in trusted_domains
  s3: Lift the version of the scannedonly VFS module (cherry picked from 
commit 2d4dda0688d5c88fb73ae17db970afe9d0f77f6a)
  s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server
  s3:pdb_ldap: Fix large paged search.
  s3: Avoid a memset(, 0, ) call
  s3: Fix a typo
  s3: Simplify pdb_set_plaintext_passwd() slightly
  s3: Simplify pdb_set_plaintext_passwd() a bit
  s3: Make use of talloc_array in pdb_set_plaintext_passwd()
  s3: Simplify pdb_set_plaintext_passwd by using talloc_zero_array
  s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes
  s3: Simplify pdb_set_plaintext_passwd() by 

[SCM] Samba Shared Repository - branch v3-5-stable updated

[Karolin Seeger]

The branch, v3-5-stable has been updated
   via  6e42522... WHATSNEW: Update changes.
   via  ff7027a... s3-docs: Fix version in man ldbrename.
   via  a4e7412... s3: Enable use of ccache by default for libsmbclient
   via  b244e3e... s3-libsmbclient: Add smbc_setOptionUseCCache()
   via  ce033a7... s3: Add --use-ccache to net (cherry picked from commit 
af32a49c7d8803f597e184f1361e795f179b809f)
   via  b2c393a... s3: add libnetapi_set_use_ccache() (cherry picked from 
commit b99ab82ebab598b45eb6729498c9e67b195e698d)
   via  e2e48df... s3: Fix a bug in net's use of popt
   via  a97d76b... s3: Enable -C in rpcclient (cherry picked from commit 
2aca69ef0df02e655125d9db31e1f0144d21a144)
   via  a361992... s3: Add CLI_FULL_CONNECTION_USE_CCACHE (cherry picked 
from commit 36854ea0aa260dfe23f77825e942f5b3905d396d)
   via  f3428ec... s3: Use -C in smbclient
   via  1fcfa0b... s3: Add -C (--use-ccache) to popt_common_credentials 
(cherry picked from commit 58ebc50663a299e16684aa24cfae95954d5a14f0)
   via  bef877a... s3: Add ccache use to cli_session_setup_ntlmssp (cherry 
picked from commit e06abe412f78b58f36998037637d1b3478fdc477)
   via  7928241... s3: Add NTLMSSP_FEATURE_CCACHE
   via  dc3e7f7... libwbclient: Actually implement wbcCredentialCache() 
(cherry picked from commit 7ab798d141bf715808fa0941f19422069e65fa0e)
   via  2643ff4... s3: Add the session key to the ccache_ntlm_auth response 
(cherry picked from commit 99f6f322ae5aa13596c5b0f1a6e600b6fec48896)
   via  b444541... s3: Add wbinfo --ccache-save
  from  43c03a6... lib/popt: Fix typo in README.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -
commit 6e4252217a6f239a64afc5103d6416c402e5e10f
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 26 14:58:45 2010 +0100

WHATSNEW: Update changes.

Karolin
(cherry picked from commit 048adb50d83a3928820e6607451d582696cd7cc7)

commit ff7027abcba3bfc69f068da2a8c3b0792c72e870
Author: Karolin Seeger ksee...@samba.org
Date:   Tue Jan 26 14:19:31 2010 +0100

s3-docs: Fix version in man ldbrename.

Karolin
(cherry picked from commit 77bb3f2a5596c84e99b9006d2a31a752c68ab34a)

commit a4e7412578752a03a10d5c6a95221cba8c7bb077
Author: Volker Lendecke v...@samba.org
Date:   Tue Jan 26 10:51:32 2010 +0100

s3: Enable use of ccache by default for libsmbclient

Disable this by setting the environment variable LIBSMBCLIENT_NO_CCACHE, 
which
has the advantage over an smb.conf option to be easily settable per
application.
(cherry picked from commit 0e8552abc1b48e62aaac3cab7c13c8dea60c9f9b)

commit b244e3ec83d508c4515dd0987c2880117ae9119f
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 19:24:10 2010 +0100

s3-libsmbclient: Add smbc_setOptionUseCCache()

Can we enable this by default? This would be a change in behaviour, but this
feature is just too cool for everyone to catch up in the apps.

The patch would be
(cherry picked from commit 9698c214624678125551f2d65b95deb29ea72b64)

commit ce033a724aff9bf587e8b3ba02e3010b565f3912
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:50:48 2010 +0100

s3: Add --use-ccache to net
(cherry picked from commit af32a49c7d8803f597e184f1361e795f179b809f)

commit b2c393a4bd4c9d8a8c2f5007fa287ca0a97a0919
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:50:31 2010 +0100

s3: add libnetapi_set_use_ccache()
(cherry picked from commit b99ab82ebab598b45eb6729498c9e67b195e698d)

commit e2e48df6dc9efb245f4c16d46f487a065d806d99
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 18:51:58 2010 +0100

s3: Fix a bug in net's use of popt

In order to add --use-ccache to net, I added another bool opt_ccache; to
struct net_context. popt did not like this, it took a while to figure out 
why.
Popt has the lines

/* XXX Check alignment, may fail on funky platforms. */
if (arg == NULL || (((unsigned long)arg)  (sizeof(*arg)-1)))
return POPT_ERROR_NULLARG;

The bool opt_ccache; was not aligned anymore...
(cherry picked from commit 340277382518c62e23faae4af69a9c5c32b96af2)

commit a97d76b1515be57746b22413ec4bc1533feee71d
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:35:04 2010 +0100

s3: Enable -C in rpcclient
(cherry picked from commit 2aca69ef0df02e655125d9db31e1f0144d21a144)

commit a3619926795f2bb139e9b9a3c9c4ceb40858d38e
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:34:13 2010 +0100

s3: Add CLI_FULL_CONNECTION_USE_CCACHE
(cherry picked from commit 36854ea0aa260dfe23f77825e942f5b3905d396d)

commit f3428ecb6b3c640e703822592cb369c4bbe4d8fa
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 24 17:08:56 2010 +0100

s3: Use -C in smbclient

$ bin/wbinfo --ccache-save=w2k3ad\\vl%Password
saving 

svn commit: samba-web r1361 - in trunk: .

[kseeger]

Author: kseeger
Date: 2010-01-26 08:10:26 -0700 (Tue, 26 Jan 2010)
New Revision: 1361

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=samba-webrev=1361

Log:
Announce Samba 3.5.0rc2
Karolin
Modified:
   trunk/index.html


Changeset:
Modified: trunk/index.html
===
--- trunk/index.html2010-01-19 11:08:25 UTC (rev 1360)
+++ trunk/index.html2010-01-26 15:10:26 UTC (rev 1361)
@@ -24,6 +24,38 @@
 h2Latest News/h2
 !--#include virtual=/samba/news/headlines.html --
 
+h426 January 2010/h4
+p class=headlineSamba 3.5.0rc2 Available for Download/p
+
+pSamba 3.5.0rc2 is now available for download.  This the second
+release candidate of the next upgrade production release version of Samba.
+It is intended for testing purposes only.  Please test and
+a href=https://bugzilla.samba.org/;report any bugs that you
+find/a. Please read the changes in the
+a href=/samba/ftp/rc/WHATSNEW-3-5-0rc2.txtRelease Notes/a
+for details on new features and difference in behavior from
+previous releases./p
+
+pPlans are to ship the final 3.5.0 release on February 16 if there
+are no major issues with 3.5.0rc2. Please see
+a href=http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.5;
+Samba 3.5 Release Planning/a for more information on the current release
+schedule./p
+
+pThe a href=/samba/ftp/rc/samba-3.5.0rc2.tar.gzSamba 3.5.0rc2
+source code/a can be downloaded now.  The a
+href=/samba/ftp/rc/samba-3.5.0rc2.tar.ascGnuPG
+signature is for the for the emun/emcompressed tarball/a.
+If you prefer, the a
+href=/samba/ftp/rc/patch-3.5.0rc1-3.5.0rc2.diffs.gzpatch
+file against Samba 3.5.0rc1/a
+(a href=/samba/ftp/rc/patch-3.5.0rc1-3.5.0rc2.diffs.ascGnuPG
+signature/a) is also available for download.
+Please read these a href=/samba/download/instructions on
+how to verify the gpg signature/a.  Precompiled packages will
+be made available on a volunteer basis and can be found in the
+a href=/samba/ftp/Binary_Packages/Binary_Packages download 
area/a./p
+
 h4a name=latest19 January 2010/a/h4
 p class=headlineSamba 3.4.5 Available for Download/p
 
@@ -68,7 +100,7 @@
 signature is for the for the emun/emcompressed tarball/a.
 If you prefer, the a
 href=/samba/ftp/rc/patch-3.5.0pre2-3.5.0rc1.diffs.gzpatch
-file against Samba 3.3.0pre2/a
+file against Samba 3.5.0pre2/a
 (a href=/samba/ftp/rc/patch-3.5.0pre2-3.5.0rc1.diffs.ascGnuPG
 signature/a) is also available for download.
 Please read these a href=/samba/download/instructions on

[SCM] Samba Shared Repository - branch master updated

[Stefan Metzmacher]

The branch, master has been updated
   via  137fd79... s4:winsrepl.idl: add random interface uuid
   via  601642d... s4:smbtorture: add BASE-BENCH-HOLDOPEN
  from  a0c31ec... mount.cifs: don't allow it to be run as setuid root 
program

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 137fd79f445c30b04d443288c03db2b1cc5dcba3
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jan 26 15:22:09 2010 +0100

s4:winsrepl.idl: add random interface uuid

This is needed to include the wrepl interface into
ndrdump.

metze

commit 601642d92369ca9c572e40aa32b5b3b53eeb8dbf
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jan 26 15:20:57 2010 +0100

s4:smbtorture: add BASE-BENCH-HOLDOPEN

This is useful for manual performance testing with a large
number of share mode entries.

metze

---

Summary of changes:
 source4/librpc/idl/winsrepl.idl |5 ++-
 source4/torture/basic/base.c|1 +
 source4/torture/basic/misc.c|   63 +++
 3 files changed, 68 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/librpc/idl/winsrepl.idl b/source4/librpc/idl/winsrepl.idl
index 0ec05e8..cedc70b 100644
--- a/source4/librpc/idl/winsrepl.idl
+++ b/source4/librpc/idl/winsrepl.idl
@@ -11,7 +11,10 @@
 
 import nbt.idl;
 
-interface wrepl
+[
+   uuid(915f5653-bac1-431c-97ee-9ffb34526921),
+   helpstring(WINS Replication PDUs)
+] interface wrepl
 {
const int WINS_REPLICATION_PORT = 42;
 
diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c
index 2c72257..ed389fb 100644
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -1771,6 +1771,7 @@ NTSTATUS torture_base_init(void)
torture_suite_add_1smb_test(suite, MAXIMUM_ALLOWED, 
torture_maximum_allowed);
 
torture_suite_add_simple_test(suite, BENCH-HOLDCON, torture_holdcon);
+   torture_suite_add_1smb_test(suite, BENCH-HOLDOPEN, torture_holdopen);
torture_suite_add_simple_test(suite, BENCH-READWRITE, run_benchrw);
torture_suite_add_smb_multi_test(suite, BENCH-TORTURE, run_torture);
torture_suite_add_1smb_test(suite, SCAN-PIPE_NUMBER, run_pipe_number);
diff --git a/source4/torture/basic/misc.c b/source4/torture/basic/misc.c
index a8ea88f..ab79d79 100644
--- a/source4/torture/basic/misc.c
+++ b/source4/torture/basic/misc.c
@@ -231,6 +231,69 @@ bool torture_holdcon(struct torture_context *tctx)
 }
 
 /*
+  open a file N times on the server and just hold them open
+  used for testing performance when there are N file handles
+  alopenn
+ */
+bool torture_holdopen(struct torture_context *tctx,
+ struct smbcli_state *cli)
+{
+   int i, fnum;
+   const char *fname = \\holdopen.dat;
+   NTSTATUS status;
+
+   smbcli_unlink(cli-tree, fname);
+
+   fnum = smbcli_open(cli-tree, fname, O_RDWR|O_CREAT|O_EXCL, DENY_NONE);
+   if (fnum == -1) {
+   torture_comment(tctx, open of %s failed (%s)\n, fname, 
smbcli_errstr(cli-tree));
+   return false;
+   }
+
+   smbcli_close(cli-tree, fnum);
+
+   for (i=0;itorture_numops;i++) {
+   union smb_open op;
+
+   op.generic.level = RAW_OPEN_NTCREATEX;
+   op.ntcreatex.in.root_fid.fnum = 0;
+   op.ntcreatex.in.flags = 0;
+   op.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
+   op.ntcreatex.in.create_options = 0;
+   op.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+   op.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_MASK;
+   op.ntcreatex.in.alloc_size = 0;
+   op.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+   op.ntcreatex.in.impersonation = 
NTCREATEX_IMPERSONATION_ANONYMOUS;
+   op.ntcreatex.in.security_flags = 0;
+   op.ntcreatex.in.fname = fname;
+   status = smb_raw_open(cli-tree, tctx, op);
+   if (!NT_STATUS_IS_OK(status)) {
+   torture_warning(tctx, open %d failed\n, i);
+   continue;
+   }
+
+   if (torture_setting_bool(tctx, progress, true)) {
+   torture_comment(tctx, opened %d file\r, i);
+   fflush(stdout);
+   }
+   }
+
+   torture_comment(tctx, \nStarting pings\n);
+
+   while (1) {
+   struct smb_echo ec;
+
+   status = smb_raw_echo(cli-transport, ec);
+   torture_comment(tctx, .);
+   fflush(stdout);
+   sleep(15);
+   }
+
+   return true;
+}
+
+/*
 test how many open files this server supports on the one socket
 */
 bool run_maxfidtest(struct torture_context *tctx, struct smbcli_state *cli, 

[SCM] Samba Shared Repository - branch master updated

[Jeremy Allison]

The branch, master has been updated
   via  899bd00... Fix bug #7067 - Linux asynchronous IO (aio) can cause 
smbd to fail to respond to a read or write.
  from  2dd301e... Add dependency of bin/smbfilter to libwbclient.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 899bd0005f56dcc1e95c3988d41ab3f628bb15db
Author: Jeremy Allison j...@samba.org
Date:   Tue Jan 26 16:51:57 2010 -0800

Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to 
respond to a read or write.

Only works on Linux kernels 2.6.26 and above. Grants CAP_KILL capability
to allow Linux threads under different euids to send signals to each other.

Jeremy.

---

Summary of changes:
 source3/include/smb.h |3 +-
 source3/lib/system.c  |   65 ++---
 source3/smbd/server.c |8 ++
 3 files changed, 71 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index bc7a90d..041c96b 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1723,7 +1723,8 @@ minimum length == 24.
 enum smbd_capability {
 KERNEL_OPLOCK_CAPABILITY,
 DMAPI_ACCESS_CAPABILITY,
-LEASE_CAPABILITY
+LEASE_CAPABILITY,
+KILL_CAPABILITY
 };
 
 /*
diff --git a/source3/lib/system.c b/source3/lib/system.c
index a58d903..9c1da3a 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -883,6 +883,11 @@ char *sys_getwd(char *s)
 
 #if defined(HAVE_POSIX_CAPABILITIES)
 
+/* This define hasn't made it into the glibc capabilities header yet. */
+#ifndef SECURE_NO_SETUID_FIXUP
+#define SECURE_NO_SETUID_FIXUP  2
+#endif
+
 /**
  Try and abstract process capabilities (for systems that have them).
 /
@@ -913,6 +918,32 @@ static bool set_process_capability(enum smbd_capability 
capability,
}
 #endif
 
+#if defined(HAVE_PRCTL)  defined(PR_SET_SECUREBITS)  
defined(SECURE_NO_SETUID_FIXUP)
+/* New way of setting capabilities as sticky. */
+
+   /*
+* Use PR_SET_SECUREBITS to prevent setresuid()
+* atomically dropping effective capabilities on
+* uid change. Only available in Linux kernels
+* 2.6.26 and above.
+*
+* See here:
+* 
http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
+* for details.
+*
+* Specifically the CAP_KILL capability we need
+* to allow Linux threads under different euids
+* to send signals to each other.
+*/
+
+   if (prctl(PR_SET_SECUREBITS, 1  SECURE_NO_SETUID_FIXUP)) {
+   DEBUG(0,(set_process_capability: 
+   prctl PR_SET_SECUREBITS failed with error %s\n,
+   strerror(errno) ));
+   return false;
+   }
+#endif
+
cap = cap_get_proc();
if (cap == NULL) {
DEBUG(0,(set_process_capability: cap_get_proc failed: %s\n,
@@ -941,6 +972,11 @@ static bool set_process_capability(enum smbd_capability 
capability,
cap_vals[num_cap_vals++] = CAP_LEASE;
 #endif
break;
+   case KILL_CAPABILITY:
+#ifdef CAP_KILL
+   cap_vals[num_cap_vals++] = CAP_KILL;
+#endif
+   break;
}
 
SMB_ASSERT(num_cap_vals = ARRAY_SIZE(cap_vals));
@@ -950,16 +986,37 @@ static bool set_process_capability(enum smbd_capability 
capability,
return True;
}
 
-   cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-   enable ? CAP_SET : CAP_CLEAR);
+   /*
+* Ensure the capability is effective. We assume that as a root
+* process it's always permitted.
+*/
+
+   if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+   enable ? CAP_SET : CAP_CLEAR) == -1) {
+   DEBUG(0, (set_process_capability: cap_set_flag effective 
+   failed (%d): %s\n,
+   (int)capability,
+   strerror(errno)));
+   cap_free(cap);
+   return false;
+   }
 
/* We never want to pass capabilities down to our children, so make
 * sure they are not inherited.
 */
-   cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
+   if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals,
+   cap_vals, CAP_CLEAR) == -1) {
+   DEBUG(0, (set_process_capability: cap_set_flag inheritable 
+   failed (%d): %s\n,
+   (int)capability,
+   strerror(errno)));
+  

Build status as of Wed Jan 27 07:00:05 2010

[build]

URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2010-01-26 
00:00:07.0 -0700
+++ /home/build/master/cache/broken_results.txt 2010-01-27 00:00:05.0 
-0700
@@ -1,22 +1,22 @@
-Build status as of Tue Jan 26 07:00:07 2010
+Build status as of Wed Jan 27 07:00:05 2010
 
 Build counts:
 Tree Total  Broken Panic 
 build_farm   0  0  0 
-ccache   1  0  0 
+ccache   19 13 0 
 distcc   0  0  0 
-ldb  27 27 0 
-libreplace   27 12 0 
+ldb  28 28 0 
+libreplace   29 12 0 
 lorikeet 0  0  0 
 pidl 0  0  0 
-ppp  0  0  0 
+ppp  1  0  0 
 rsync0  0  0 
 samba-docs   0  0  0 
 samba-web0  0  0 
-samba_3_current 26 26 0 
-samba_3_master 26 25 3 
-samba_3_next 26 25 3 
+samba_3_current 27 26 0 
+samba_3_master 27 26 3 
+samba_3_next 27 25 3 
 samba_4_0_test 28 27 0 
-talloc   27 10 0 
-tdb  25 17 0 
+talloc   29 10 0 
+tdb  26 17 0