[Samba] Anything like nss_updatedb for ldapsam account information backend?
Is there anything like nss_updatedb [1] for ldapsam account information backend? nss_updatedb caches unix account information, so it is available even when the LDAP directory isn't available. But ldapsam stores additional account information. How can I cache this additional account information, so it is also available even when the LDAP directory isn't available?

[1] http://www.padl.com/OSS/nss_updatedb.html

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] New Windows 7 PC in samba network sees itself as logonserver respectively can not access subdirectories
Hello,

we are preparing a new image for our windows 7 computers. We can connect to the domain, we also see all of our samba servers. On one server we can logon, see also the directories in the share, but when we try to open subdirectories explorer hangs for a long time and then a dialog appears telling me that I probably don't have the rights on this directory.

The only strange thing I see in this PC is that the environment variable LOGONSERVER is set to the name of the PC itself.

On this server on the share we want to access we have set

force user = wwwrun
force group = nogroup

I tried via ssh to cd to the directories I want to go via samba and I have enough rights as wwwrun.

All works well from all our XP and also older Win 7 computers.

Can anyone please help me.

Thanks
Andreas
Re: [Samba] Samba4 xidNumber and idmap.ldb
On 2012-02-26 18:15, steve wrote:

Hi Steve,

> Sorry. Just one more thing. Could you point me at the code which finds the next free xid when e.g. you create a new user?

That's not how samba4 id mapping works at the moment I'm afraid. It will ignore the Posix attributes that might exist in the AD. It's non-trivial to manage the mappings across servers.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
Re: [Samba] Anything like nss_updatedb for ldapsam account information backend?
On Tue, 2012-02-28 at 00:31 -0800, Jack Bates wrote:
> Is there anything like nss_updatedb [1] for ldapsam account information backend? nss_updatedb caches unix account information, so it is available even when the LDAP directory isn't available. But ldapsam stores additional account information. How can I cache this additional account information, so it is also available even when the LDAP directory isn't available?

I don't believe this is possible; and a DC always requires write access to the backend, so it probably just isn't feasible.

You can configure a local slapd and use OpenLDAP's very fine replication technology to just have a DSA on every DC; which is pretty much what multiple PDC/BDCs would have accomplished in a pure Microsoft solution.

> [1] http://www.padl.com/OSS/nss_updatedb.html
Re: [Samba] Samba domain member server using only nss ldap
On Sat, 2012-02-25 at 19:49 +0100, steve wrote:
>> one little problem. When I execute ls -la in the directory there is a delay about 1-2 seconds. Is it normal? nscd daemon solves this problem, there is no delay. Is there any solution without using nscd?
> nss-ldapd with nslcd. Much quicker mappings.
> http://arthurdejong.org/nss-pam-ldapd/

+1 Use nslcd, not nscd. It also reduces the number of separate connections to the DSA.
Re: [Samba] Proposal to change security=share in Samba 4.0
Andrew Bartlett wrote:
> On Mon, 2012-02-27 at 19:45 -0500, simo wrote:
>> On Tue, 2012-02-28 at 10:16 +1100, Andrew Bartlett wrote:
>>> On Mon, 2012-02-27 at 17:53 -0500, David Collier-Brown wrote:
>>>> Am I correct in thinking this would make all shares have the same password as the guest user, or do you mean there really is no password at all, or alternatively that one would specify the share, provide its password and be logged on as guest???
>>>>
>>>> It's been a while since I had a security=share setup, but I remember WfW clients thinking that they had per-share passwords...
>>>
>>> In the past, Samba tried to match the 'per share' password provided by the client against a list of users, falling back to guest if 'guest ok = yes' was set on the share.
>>>
>>> What will happen now is that the password will be ignored, and only the 'guest ok' will be checked, and access will be as guest.
>>
>> This in effect means dropping security = share, can't we just effectively drop it instead of deceiving our users and making them believe they are using it ?
>
> I am fully in support of dropping it. Kai asked that we still have a way to 'simply' configure the system for trivial file access. These semantics (guest only) broadly matches the default file sharing access on WinXP. (Windows 7 instead wants you to use a HomeGroup, and makes just sharing a folder with no pw substantially more difficult).
>
> If the consensus of the list is to drop it outright, and simply error on parsing security=share, I will prepare a patch to do that.
>
> The recommended simple sharing option of 'map to guest = bad user' naturally remains.
>
> Thanks,
> Andrew Bartlett

FWIW. It's interesting that this comes up now. We (a school district in MI US) are now part way through the process of deploying about 25 boxes in our various buildings one of the purposes for which will be a simple sharing of public access space for users within a given building.

Our goal was to have no user/password overhead and security (with the term applied loosely) is merely to limit access to the share to the network subnet the building lives in (all of our buildings have individual subnets). These shares are publicized as basically temporary scratch pads which are not backed up or supported in any way other than simply being there. In spite of that potentially transient nature they are still used heavily.

From what I saw in the rest of the thread it looks like there will still be a way to do this but I thought I'd chime in since the subject has come up and we do use security=share to accomplish this at present.

Regards,
--
Mike Rambo
Re: [Samba] Samba4 xidNumber and idmap.ldb
On 28/02/12 11:14, Kai Blin wrote:
> On 2012-02-26 18:15, steve wrote:
>
> Hi Steve,
>
>> Sorry. Just one more thing. Could you point me at the code which finds the next free xid when e.g. you create a new user?
>
> That's not how samba4 id mapping works at the moment I'm afraid. It will ignore the Posix attributes that might exist in the AD. It's non-trivial to manage the mappings across servers.
>
> Cheers,
> Kai

Hi Kai

It seems to be working for us at least. We've added the posix attrs and classes as defined in the ms schema to our s4 domain users and groups:
http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html

The mapping works fine over nfs4 for our Linux clients:-)

I was just wondering how s4 decides what the next xid will be before it writes a sid and xid entry to idmap.ldb. This was mainly to ease the readability of our posix scripts and tidy up idmap.ldb when e.g. a user is deleted. Do you know where I could find that bit in the source?

Cheers,
Steve
[Samba] Samba4 error? A global catalog (GC) cannot be contacted
Hi everyone

Every so often we get this error: http://dl.dropbox.com/u/45150875/samba-list.png

The error disappears around 5 minutes after Admin has logged in. Meanwhile the user can logon and none of his group acls seem to be affected. Nothing unusual appears at d3 level either.

Anyone else? Slow network (It's supermarket-sourced-adsl-router wifi)?

Cheers,
Steve
Re: [Samba] windows and nfs4 acls
On 2012-02-28 08:27, steve wrote:
> Hi everyone
>
> We're really struggling with nfs4 -- windows acls.
>
> Scenario
> Samba4 share -- cifs -- win7. No problem
> Samba4 share -- nfs4 -- Linux. acls not inherited
>
> Neither is there inheritance vice versa. e.g. It is not possible to create files with group rw on a umask 0022 nfs4 share. nfs4_setfacl cannot override umask. Using POSIX or windows acls this works fine.
>
> I've approached the nfs4 devs and they've said that they'll look into it, but so far. Exporting nfs4 with -o noacl (in the hope that the windows acl would take effect) has no effect.
>
> 1. Is it possible to get Samba to override the nfs4 acl and use whatever I've set on windows security acl instead?
> 2. Is there a way to export a single directory with a umask of my choice?
> 3. Would it be reasonable to ask my distro (openSUSE) to consider this problem as a feature request? Perhaps as a patch over nfs4_setfacl?
>
> Thanks,
> L S at lcb

IMHO Samba4 sets the windows (non posix) acls as extended attributes. In order to get them applied on the Linux (or NFS4) side there should be a Linux kernel security module (LSM) which would override the posix acls.

Regards
Geza
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote: On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote: -- Forwarded message -- From: Tom Lee tlee2...@gmail.com Date: Mon, Feb 27, 2012 at 3:10 PM Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set To: Jeremy Allison j...@samba.org Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64 . I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks. Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ? Actually, ignore that previous patch (breaks other tests). Try this one instead - I think this fixes the problem in the right place. Jeremy. diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 34b24f3..f57e57f 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c 
@@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } / + Setup the share access mask for a connection. +/ + +static void create_share_access_mask(connection_struct *conn, int snum) +{ + const struct security_token *token = conn-session_info-security_token; + + share_access_check(token, + lp_servicename(snum), + MAXIMUM_ALLOWED_ACCESS, + conn-share_access); + + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + conn-share_access |= SEC_FLAG_SYSTEM_SECURITY; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + conn-share_access |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + conn-share_access |= (SEC_RIGHTS_PRIV_BACKUP); + } + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + conn-share_access |= (SEC_STD_WRITE_OWNER); + } +} + +/ Make a connection, given the snum to connect to, and the vuser of the connecting user if appropriate. / @@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc * */ - share_access_check(conn-session_info-security_token, - lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS, - conn-share_access); + create_share_access_mask(conn, snum); if ((conn-share_access FILE_WRITE_DATA) == 0) { if ((conn-share_access FILE_READ_DATA) == 0) { -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
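Review bot: In create_share_access_mask() the four privilege checks OR their bits into conn->share_access after share_access_check() has run, so SEC_FLAG_SYSTEM_SECURITY, SEC_RIGHTS_PRIV_RESTORE, SEC_RIGHTS_PRIV_BACKUP and SEC_STD_WRITE_OWNER are granted on the share whatever the share ACL returned. The caller in make_connection_snum() goes straight on to test share_access for FILE_WRITE_DATA and FILE_READ_DATA, so please confirm that the two SEC_RIGHTS_PRIV_* masks cannot satisfy those tests for a token to which the share ACL gave nothing, and state in the function comment that privileges are meant to widen the share mask.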
Re: [Samba] windows and nfs4 acls
On Tue, Feb 28, 2012 at 06:37:21PM +0100, Gémes Géza wrote:
> On 2012-02-28 08:27, steve wrote:
>> Hi everyone
>>
>> We're really struggling with nfs4 -- windows acls.
>>
>> Scenario
>> Samba4 share -- cifs -- win7. No problem
>> Samba4 share -- nfs4 -- Linux. acls not inherited
>>
>> Neither is there inheritance vice versa. e.g. It is not possible to create files with group rw on a umask 0022 nfs4 share. nfs4_setfacl cannot override umask. Using POSIX or windows acls this works fine.
>>
>> I've approached the nfs4 devs and they've said that they'll look into it, but so far. Exporting nfs4 with -o noacl (in the hope that the windows acl would take effect) has no effect.
>>
>> 1. Is it possible to get Samba to override the nfs4 acl and use whatever I've set on windows security acl instead?
>> 2. Is there a way to export a single directory with a umask of my choice?
>> 3. Would it be reasonable to ask my distro (openSUSE) to consider this problem as a feature request? Perhaps as a patch over nfs4_setfacl?
>>
>> Thanks,
>> L S at lcb
>
> IMHO Samba4 sets the windows (non posix) acls as extended attributes. In order to get them applied on the Linux (or NFS4) side there should be a Linux kernel security module (LSM) which would override the posix acls.

If RichACLs gets adopted (I'm assuming this will be the same model as NFSv4) then we'll just add a Samba VFS module to map incoming Windows ACLs to RichACLs.

Jeremy.
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
I have tested with this fix and it looks like it does take care of the problem. We'll look forward to seeing this update in the latest 3.6.x codebase. Thanks a lot.

On Tue, Feb 28, 2012 at 10:42 AM, Jeremy Allison j...@samba.org wrote:
> On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
>> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
>>> -- Forwarded message --
>>> From: Tom Lee tlee2...@gmail.com
>>> Date: Mon, Feb 27, 2012 at 3:10 PM
>>> Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
>>> To: Jeremy Allison j...@samba.org
>>>
>>> Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64 . I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.
>>
>> Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ?
>
> Actually, ignore that previous patch (breaks other tests). Try this one instead - I think this fixes the problem in the right place.
>
> Jeremy.
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Tue, Feb 28, 2012 at 01:22:38PM -0700, Tom Lee wrote:
> I have tested with this fix and it looks like it does take care of the problem. We'll look forward to seeing this update in the latest 3.6.x codebase. Thanks a lot.

Thanks ! It's tracked as bug #8784

https://bugzilla.samba.org/show_bug.cgi?id=8784
Re: [Samba] Proposal to change security=share in Samba 4.0
On Tue, 2012-02-28 at 07:30 -0500, Mike Rambo wrote:
> From what I saw in the rest of the thread it looks like there will still be a way to do this but I thought I'd chime in since the subject has come up and we do use security=share to accomplish this at present.

There will always be a way to allow guest access to a Samba server. We may change the smb.conf option, but this facility will always remain.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Proposal to change security=share in Samba 4.0
Andrew,

On Wed, Feb 29, 2012 at 10:53:47AM +1100, Andrew Bartlett wrote:
> On Tue, 2012-02-28 at 07:30 -0500, Mike Rambo wrote:
>> From what I saw in the rest of the thread it looks like there will still be a way to do this but I thought I'd chime in since the subject has come up and we do use security=share to accomplish this at present.
>
> There will always be a way to allow guest access to a Samba server. We may change the smb.conf option, but this facility will always remain.

to support your proposal, could you start documentation on wiki.samba.org (if it's not already there) how to do the closest possible equivalent to the public security=share server using alternatives? I think we need a precise to-the-point reference we can reply with when confused users enter the mailing lists that is very available to everyone.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Proposal to change security=share in Samba 4.0
On Wed, Feb 29, 2012 at 01:00:00AM +0100, Volker Lendecke wrote:
> Andrew,
>
> On Wed, Feb 29, 2012 at 10:53:47AM +1100, Andrew Bartlett wrote:
>> On Tue, 2012-02-28 at 07:30 -0500, Mike Rambo wrote:
>>> From what I saw in the rest of the thread it looks like there will still be a way to do this but I thought I'd chime in since the subject has come up and we do use security=share to accomplish this at present.
>>
>> There will always be a way to allow guest access to a Samba server. We may change the smb.conf option, but this facility will always remain.
>
> to support your proposal, could you start documentation on wiki.samba.org (if it's not already there) how to do the closest possible equivalent to the public security=share server using alternatives? I think we need a precise to-the-point reference we can reply with when confused users enter the mailing lists that is very available to everyone.

+1 for that. We need to make it *really obvious* how people can do the transition..
Re: [Samba] Proposal to change security=share in Samba 4.0
On Tue, 2012-02-28 at 16:34 -0800, Jeremy Allison wrote:
> On Wed, Feb 29, 2012 at 01:00:00AM +0100, Volker Lendecke wrote:
>> Andrew,
>>
>> On Wed, Feb 29, 2012 at 10:53:47AM +1100, Andrew Bartlett wrote:
>>> On Tue, 2012-02-28 at 07:30 -0500, Mike Rambo wrote:
>>>> From what I saw in the rest of the thread it looks like there will still be a way to do this but I thought I'd chime in since the subject has come up and we do use security=share to accomplish this at present.
>>>
>>> There will always be a way to allow guest access to a Samba server. We may change the smb.conf option, but this facility will always remain.
>>
>> to support your proposal, could you start documentation on wiki.samba.org (if it's not already there) how to do the closest possible equivalent to the public security=share server using alternatives? I think we need a precise to-the-point reference we can reply with when confused users enter the mailing lists that is very available to everyone.
>
> +1 for that. We need to make it *really obvious* how people can do the transition..

I'm about to write that up. For the original proposal, public smb servers would be unchanged (as guest access was to be retained). However, the view of the list seems to be to remove security=share entirely, so I'm about to write up test such a page.

(The change boils down to 'map to guest = bad user', but I'll fully explain it, including the 'guest ok = yes' on each share, required unix permission etc).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
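An added example, not part of the thread and not Samba project code: a small Python check for the transition described in the message above, flagging `security = share` and guest shares that lack the pieces named there. The two sample configurations, the share name, the subnet and the helper names are constructed; pairing the change with `security = user`, and using `hosts allow` for the per-building subnet limit mentioned earlier in the thread, are assumptions.

```python
"""Check an smb.conf for the security=share -> guest-mapping transition."""
import re

# Constructed sample: a legacy password-less scratch server.
LEGACY_CONF = """\
[global]
   workgroup = BUILDING1
   security = share

[scratch]
   path = /srv/scratch
   public = yes
   writable = yes
"""

# Constructed sample: the same server after the change named in the thread.
MIGRATED_CONF = """\
[global]
   workgroup = BUILDING1
   security = user
   map to guest = Bad User
   hosts allow = 10.20.30.0/255.255.255.0 127.0.0.1

[scratch]
   path = /srv/scratch
   guest ok = yes
   read only = no
"""

TRUE_VALUES = {"yes", "true", "on", "1"}
# Synonyms documented in smb.conf(5), folded onto one key.
SYNONYMS = {"public": "guestok", "allowhosts": "hostsallow"}


def norm(name):
    """Parameter names ignore case and embedded whitespace."""
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[norm(name)] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, finding) tuples; empty means nothing to fix."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    security = glob.get("security", "").lower()
    if security == "share":
        findings.append(("global", "security = share: replace with security = "
                         "user plus 'map to guest = Bad User'"))
    guest_shares = []
    for name, params in conf.items():
        if name == "global":
            continue
        # A share inherits the [global] value when it sets none itself.
        guest_ok = params.get("guestok", glob.get("guestok", "no")).lower()
        if guest_ok not in TRUE_VALUES:
            continue
        guest_shares.append(name)
        if "hostsallow" not in params and "hostsallow" not in glob:
            findings.append((name, "guest share with no 'hosts allow' restriction"))
    map_to_guest = " ".join(glob.get("maptoguest", "never").lower().split())
    if guest_shares and security != "share" and map_to_guest == "never":
        findings.append(("global", "guest shares exist but 'map to guest' is "
                         "unset or Never, so unknown users are rejected"))
    return findings


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_CONF), ("migrated", MIGRATED_CONF)):
        print(label)
        for section, finding in audit(text) or [("-", "no findings")]:
            print(f"  [{section}] {finding}")
```

The check does not look at the Unix permissions of the share path, which the guest account also needs.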
Re: [Samba] samba 4 how to enable winbindd
On 2012-02-27 14:13, Alain Toussaint wrote:

Hi Alain,

> I configured a domain controller on a ubuntu server using samba 4 alpha 15 using ubuntu's distribution packages and followed this howto: https://wiki.samba.org/index.php/Samba4/Winbind to have unix account for domain users but winbindd is not running; these two commands from the howto does not work:
>
> Wbinfo -p
> Wbinfo -u

Are you running a version of wbinfo that was compiled with your Samba4 install, or is this one your package manager installed at some point? The winbind named pipe wbinfo uses for communication changed location at some point, and your wbinfo might be looking at the wrong place.

HTH,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0c4d1d6 upgradedns: Missing rename from upgradedns to samba_upgradedns from d92b955 s4:torture:smb2:durable-open: fix a silly access-after-free panic http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0c4d1d6b19891f7a6446e7d265800c686f78e32a Author: Amitay Isaacs ami...@gmail.com Date: Tue Feb 28 18:26:28 2012 +1100 upgradedns: Missing rename from upgradedns to samba_upgradedns Autobuild-User: Amitay Isaacs ami...@samba.org Autobuild-Date: Tue Feb 28 10:06:03 CET 2012 on sn-devel-104 --- Summary of changes: source4/scripting/bin/wscript_build |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build index 71be328..459b917 100644 --- a/source4/scripting/bin/wscript_build +++ b/source4/scripting/bin/wscript_build @@ -5,4 +5,4 @@ bld.SAMBA_SCRIPT('samba_spnupdate', pattern='samba_spnupdate', installdir='.') bld.SAMBA_SCRIPT('samba_kcc', pattern='samba_kcc', installdir='.') bld.SAMBA_SCRIPT('upgradeprovision', pattern='upgradeprovision', installdir='.') bld.SAMBA_SCRIPT('samba-tool', pattern='samba-tool', installdir='.') -bld.SAMBA_SCRIPT('samba_upgradedns', pattern='upgradedns', installdir='.') +bld.SAMBA_SCRIPT('samba_upgradedns', pattern='samba_upgradedns', installdir='.') -- Samba Shared Repository
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2012-02-28-1127/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2012-02-28-1127/samba3.stderr http://git.samba.org/autobuild.flakey/2012-02-28-1127/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2012-02-28-1127/samba4.stderr http://git.samba.org/autobuild.flakey/2012-02-28-1127/samba4.stdout The top commit at the time of the failure was: commit d92b955cca3adf25de7d58cf7c0b8ff110eb736c Author: Michael Adam ob...@samba.org Date: Tue Feb 28 05:33:23 2012 +0100 s4:torture:smb2:durable-open: fix a silly access-after-free panic Autobuild-User: Michael Adam ob...@samba.org Autobuild-Date: Tue Feb 28 08:33:44 CET 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d12bad7 torture: added samba4-ntvfs target via e2e2e60 s3fs: when samba is logging to stdout, ask smbd to also do so via 1da318d smbd: detect EOF on stdin in --foreground mode via 645fcc5 selftest: added a pipe on stdin in s3 child processes via 8db121b s3fs: added file_server directory via 63c96b3 s4-smb_server Remove inetd-mode samba3 hook from 0c4d1d6 upgradedns: Missing rename from upgradedns to samba_upgradedns http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d12bad72ba4c6492b137fb6fa04b595e64e6d993 Author: Andrew Tridgell tri...@samba.org Date: Thu Feb 9 14:33:09 2012 +1100 torture: added samba4-ntvfs target this will be used for the samba4 server with the ntvfs backend Pair-Programmed-With: Andrew Bartlett abart...@samba.org Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Tue Feb 28 13:34:44 CET 2012 on sn-devel-104 commit e2e2e60b619f1df8beccbe27cf40b4dcbd82ff57 Author: Andrew Tridgell tri...@samba.org Date: Thu Feb 9 14:07:00 2012 +1100 s3fs: when samba is logging to stdout, ask smbd to also do so this prevents make test getting spurious errors about opening log files in the install prefix commit 1da318d97da6c7f9e8d5d389fc06619b423fcda0 Author: Andrew Tridgell tri...@samba.org Date: Wed Nov 30 14:08:28 2011 +1100 smbd: detect EOF on stdin in --foreground mode if EOF is detected on stdin then exit commit 645fcc5375325b700ac58cb25c498f6f7b91421b Author: Andrew Tridgell tri...@samba.org Date: Tue Jan 3 16:48:29 2012 +1100 selftest: added a pipe on stdin in s3 child processes this adds a pipe for STDIN in smbd, nmbd and winbindd when run in selftest. This allows those processes to detect when they should exit by looking for EOF on stdin. 
commit 8db121be4265bc4de3b34c6eab1b5ae2fd882957 Author: Andrew Tridgell tri...@samba.org Date: Tue May 3 09:35:07 2011 +1000 s3fs: added file_server directory this contains a file server backend that forks and starts smbd Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 63c96b3a58accffba21981563b8b53c33f8b8f37 Author: Andrew Bartlett abart...@samba.org Date: Tue Sep 6 11:34:35 2011 +1000 s4-smb_server Remove inetd-mode samba3 hook --- Summary of changes: file_server/file_server.c | 126 ++ .../dns_update.h = file_server/file_server.h | 14 +- file_server/wscript_build | 10 + selftest/target/Samba3.pm | 17 ++ source3/smbd/server.c | 25 +++ source4/smb_server/service_smb.c |1 + source4/smb_server/smb_samba3.c| 181 source4/smb_server/wscript_build | 10 - source4/torture/smbtorture.c |3 + wscript_build |1 + 10 files changed, 190 insertions(+), 198 deletions(-) create mode 100644 file_server/file_server.c copy source4/dns_server/dns_update.h = file_server/file_server.h (80%) create mode 100644 file_server/wscript_build delete mode 100644 source4/smb_server/smb_samba3.c Changeset truncated at 500 lines: diff --git a/file_server/file_server.c b/file_server/file_server.c new file mode 100644 index 000..3f5ca77 --- /dev/null +++ b/file_server/file_server.c 
@@ -0,0 +1,126 @@ +/* + Unix SMB/CIFS implementation. + + run s3 file server within Samba4 + + Copyright (C) Andrew Tridgell 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include includes.h +#include talloc.h +#include tevent.h +#include system/filesys.h +#include lib/param/param.h +#include source4/smbd/service.h +#include source4/smbd/process_model.h +#include file_server/file_server.h +#include dynconfig.h + +/* + generate a smbd config file for the file server + */ +static const char *generate_smb_conf(struct task_server *task) +{ + int fd; + struct loadparm_context *lp_ctx = task-lp_ctx; + const char *path = smbd_tmp_path(task, lp_ctx, fileserver.conf); + + if
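Review bot: generate_smb_conf() is documented only as "generate a smbd config file for the file server"; since it returns a const char * taken from smbd_tmp_path(task, lp_ctx, ...) and declares an fd for writing the file, the comment should say what the caller gets on failure and which context owns the returned path. As this file is the configuration handed to the smbd that the backend forks, the comment should also state the mode the file is created with.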
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 9902744 s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path from 4d60392 Honor SeTakeOwnershiPrivilege when client asks for SEC_STD_WRITE_OWNER but has no permission for that, but token has SeTakeOwnershipPrivilege http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 990274481795a47376cdbc95d5f80d830079d702 Author: Matthieu Patou m...@matws.net Date: Fri Feb 24 16:13:10 2012 -0800 s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path If not the child process would hang for quite a long time up to the moment when the connection is cleaned by the kernel (took ~ 20 minutes) in my tests. Fix bug #8771 (Winbind takes up to 20 minutes to change from DC 1 to DC 2 and keeps in the meantime to respond NT_STATUS_IO_TIMEOUT). --- Summary of changes: source3/winbindd/winbindd_pam.c | 21 - 1 files changed, 20 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 79189ba..9801f53 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1166,6 +1166,18 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) { DEBUG(3,(could not open handle to NETLOGON pipe (error: %s)\n, nt_errstr(result))); + if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) { + if (attempts 0) { + DEBUG(3, (This is the second problem for this + particular call, forcing the close of + this connection\n)); + invalidate_cm_connection(domain-conn); + } else { + DEBUG(3, (First call to cm_connect_netlogon + has timed out, retrying\n)); + continue; + } + } return result; } auth = netlogon_pipe-auth; 
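Review bot: In the new NT_STATUS_IO_TIMEOUT branch the first-timeout path issues a bare continue, which in this do/while jumps to the loop condition at the bottom (the one testing attempts and retry), and nothing visible in the hunk sets retry or increments attempts before it. If retry is false at that point the loop exits instead of retrying, and if attempts is not bumped the "second problem" branch cannot be reached from here. Suggest setting retry and incrementing attempts explicitly before the continue so the "retrying" log message matches the behaviour.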
@@ -1309,7 +1321,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, rpc changetrustpw' */ if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) { - DEBUG(3,(winbindd_pam_auth: sam_logon returned + DEBUG(3,(winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain %s\n, @@ -1320,6 +1332,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, } while ( (attempts 2) retry ); + if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) { + DEBUG(3,(winbind_samlogon_retry_loop: sam_network_logon(ex) + returned NT_STATUS_IO_TIMEOUT after the retry. + Killing connections to domain %s\n, + domainname)); + invalidate_cm_connection(domain-conn); + } return result; } -- Samba Shared Repository
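Review bot: The post-loop NT_STATUS_IO_TIMEOUT block logs "sam_network_logon(ex) returned NT_STATUS_IO_TIMEOUT after the retry", but it runs for any timeout result that leaves the loop, including one set by cm_connect_netlogon() when the earlier hunk's continue falls out through the loop condition. Either word the message so it covers both sources or record which call timed out, otherwise the level 3 log will point at the wrong RPC when someone is chasing a DC failover delay.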
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6081fab Fix problem reported by Tom Lee tlee2...@gmail.com - when calculating the share security mask, take priviliges into account for the connecting user. from d12bad7 torture: added samba4-ntvfs target http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6081fabe7e0f461ea7d288c40727d4fb5defce5d Author: Jeremy Allison j...@samba.org Date: Tue Feb 28 09:47:50 2012 -0800 Fix problem reported by Tom Lee tlee2...@gmail.com - when calculating the share security mask, take priviliges into account for the connecting user. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Tue Feb 28 20:21:26 CET 2012 on sn-devel-104 --- Summary of changes: source3/smbd/service.c | 31 --- 1 files changed, 28 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/service.c b/source3/smbd/service.c index b08811b..8436fbe 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -523,6 +523,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } / + Setup the share access mask for a connection. +/ + +static void create_share_access_mask(connection_struct *conn, int snum) +{ + const struct security_token *token = conn-session_info-security_token; + + share_access_check(token, + lp_servicename(snum), + MAXIMUM_ALLOWED_ACCESS, + conn-share_access); + + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + conn-share_access |= SEC_FLAG_SYSTEM_SECURITY; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + conn-share_access |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + conn-share_access |= (SEC_RIGHTS_PRIV_BACKUP); + } + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + conn-share_access |= (SEC_STD_WRITE_OWNER); + } +} + +/ Make a connection, given the snum to connect to, and the vuser of the connecting user if appropriate. / 
@@ -636,9 +663,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, * */ - share_access_check(conn-session_info-security_token, - lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS, - conn-share_access); + create_share_access_mask(conn, snum); if ((conn-share_access FILE_WRITE_DATA) == 0) { if ((conn-share_access FILE_READ_DATA) == 0) { -- Samba Shared Repository
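Review bot: create_share_access_mask() ORs the privilege-derived bits into conn->share_access after share_access_check() without looking at what the share security descriptor granted, so a token holding SEC_PRIV_BACKUP or SEC_PRIV_RESTORE receives SEC_RIGHTS_PRIV_BACKUP or SEC_RIGHTS_PRIV_RESTORE even on a share that gave it nothing. The FILE_WRITE_DATA and FILE_READ_DATA tests in make_connection_snum() then run on the widened mask. If that is intended, say so in the function comment, which currently reads only "Setup the share access mask for a connection", and name the check that is meant to refuse such a connection. If it is not intended, apply the privilege bits only when share_access_check() granted some access.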
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via a0d5194 s3: Add sys_statvfs() wrapper support for OpenBSD/FreeBSD/DragonFly. from 9902744 s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit a0d51949abde68134eb35150d797387a1fb57ab7 Author: Brad Smith b...@comstyle.com Date: Tue Feb 28 20:45:41 2012 +0100 s3: Add sys_statvfs() wrapper support for OpenBSD/FreeBSD/DragonFly. Fix bug #8777. --- Summary of changes: source3/configure.in | 10 - source3/modules/vfs_default.c |2 +- source3/smbd/statvfs.c| 43 ++-- 3 files changed, 50 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/configure.in b/source3/configure.in index d8d3a1f..67e08c1 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -6754,13 +6754,21 @@ CFLAGS=$CFLAGS_SAVE # Start AC_CHECK_FUNC(getmntent) -AC_CHECK_HEADERS(sys/statfs.h) +AC_CHECK_HEADERS(sys/param.h sys/statfs.h sys/mount.h) AC_MSG_CHECKING([vfs_fileid: checking for statfs() and struct statfs.f_fsid)]) AC_CACHE_VAL(vfsfileid_cv_statfs,[ AC_TRY_RUN([ #include sys/types.h + #ifdef HAVE_SYS_PARAM_H + #include sys/param.h + #endif + #ifdef HAVE_SYS_MOUNT_H + #include sys/mount.h + #endif + #ifdef HAVE_SYS_STATFS_H #include sys/statfs.h + #endif int main(void) { struct statfs fsd; diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 27e9b9b..8a31d23 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -107,7 +107,7 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle, NTSTATUS status; int ret = -1; -#if defined(DARWINOS) +#if defined(DARWINOS) || (defined(BSD) defined(MNT_RDONLY)) struct vfs_statvfs_struct statbuf; ZERO_STRUCT(statbuf); sys_statvfs(conn-connectpath, statbuf); diff --git a/source3/smbd/statvfs.c b/source3/smbd/statvfs.c index 2de015a..bcdcd91 100644 
--- a/source3/smbd/statvfs.c +++ b/source3/smbd/statvfs.c @@ -49,9 +49,7 @@ static int linux_statvfs(const char *path, vfs_statvfs_struct *statbuf) } return result; } -#endif - -#if defined(DARWINOS) +#elif defined(DARWINOS) #include sys/attr.h @@ -125,6 +123,43 @@ static int darwin_statvfs(const char *path, vfs_statvfs_struct *statbuf) return 0; } +#elif defined(BSD) defined(MNT_RDONLY) +static int bsd_statvfs(const char *path, vfs_statvfs_struct *statbuf) +{ + struct statfs statfs_buf; + int result; + + result = statfs(path, statfs_buf); + if (result != 0) { + return result; + } + + statbuf-OptimalTransferSize = statfs_buf.f_iosize; + statbuf-BlockSize = statfs_buf.f_bsize; + statbuf-TotalBlocks = statfs_buf.f_blocks; + statbuf-BlocksAvail = statfs_buf.f_bfree; + statbuf-UserBlocksAvail = statfs_buf.f_bavail; + statbuf-TotalFileNodes = statfs_buf.f_files; + statbuf-FreeFileNodes = statfs_buf.f_ffree; + statbuf-FsIdentifier = + (((uint64_t) statfs_buf.f_fsid.val[0] 32) 0xLL) | + (uint64_t) statfs_buf.f_fsid.val[1]; + /* Try to extrapolate some of the fs flags into the +* capabilities +*/ + statbuf-FsCapabilities = + FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES; +#ifdef MNT_ACLS + if (statfs_buf.f_flags MNT_ACLS) + statbuf-FsCapabilities |= FILE_PERSISTENT_ACLS; +#endif + if (statfs_buf.f_flags MNT_QUOTA) + statbuf-FsCapabilities |= FILE_VOLUME_QUOTAS; + if (statfs_buf.f_flags MNT_RDONLY) + statbuf-FsCapabilities |= FILE_READ_ONLY_VOLUME; + + return 0; +} #endif /* @@ -139,6 +174,8 @@ int sys_statvfs(const char *path, vfs_statvfs_struct *statbuf) return linux_statvfs(path, statbuf); #elif defined(DARWINOS) return darwin_statvfs(path, statbuf); +#elif defined(BSD) defined(MNT_RDONLY) + return bsd_statvfs(path, statbuf); #else /* BB change this to return invalid level */ #ifdef EOPNOTSUPP -- Samba Shared Repository
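Review bot: In bsd_statvfs(), FsIdentifier is built with `(uint64_t) statfs_buf.f_fsid.val[1]` cast directly. The val[] members of fsid_t are signed 32-bit on the BSDs, so a negative val[1] sign-extends and sets the upper 32 bits, overwriting the half that comes from val[0]. Cast each half through uint32_t before widening. Separately, the `defined(BSD)` guard added in vfs_default.c and statvfs.c only works if sys/param.h has been included before the guard is evaluated; the configure.in hunk adds the header check, but neither C hunk shows the include.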
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 01747a5 s3-winbindd: set the can_do_validation6 also for trusted domain from a0d5194 s3: Add sys_statvfs() wrapper support for OpenBSD/FreeBSD/DragonFly. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 01747a5554839f21992b8845328c4b08c3dd8ff8 Author: Matthieu Patou m...@matws.net Date: Fri Feb 10 11:45:21 2012 -0800 s3-winbindd: set the can_do_validation6 also for trusted domain The flag can_do_validation6 was only set for the domain to which winbindd is the member. Setting this flag in other domains (trusted domain) if it's active directory domain is a good idea as it allow to do level 6 validation also when winbindd is querying them directly. (cherry picked from commit 05036fab0a9847219c73c0abd931a39fba0bccfd) Address bug #8599 (WINBINDD_PAM_AUTH_CRAP returns invalid user session key). --- Summary of changes: source3/winbindd/winbindd_cm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index e208f88..062714b 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1926,6 +1926,8 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) running active directory.\n, domain-name, domain-active_directory ? : NOT )); + domain-can_do_ncacn_ip_tcp = domain-active_directory; + domain-can_do_validation6 = domain-active_directory; domain-initialized = True; -- Samba Shared Repository
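Review bot: The hunk in set_dc_type_and_flags_trustinfo() also sets domain->can_do_ncacn_ip_tcp, which the commit message never mentions; it discusses only can_do_validation6. Judging by the flag name this affects which transport winbindd will use against trusted Active Directory domains, so either explain it in the message or split it into its own commit, so that the backports to the release branches carry a visible rationale for both assignments.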
[SCM] Samba Shared Repository - branch v3-5-test updated
The branch, v3-5-test has been updated via 6c1501a s3-winbindd: set the can_do_validation6 also for trusted domain from 12b60f9 s3:loadparm: fix the reload of the configuration: also reload activated registry shares http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 6c1501a8efd49efb7b9f5c75963c2f1124e7e258 Author: Matthieu Patou m...@matws.net Date: Fri Feb 10 11:45:21 2012 -0800 s3-winbindd: set the can_do_validation6 also for trusted domain The flag can_do_validation6 was only set for the domain to which winbindd is the member. Setting this flag in other domains (trusted domain) if it's active directory domain is a good idea as it allow to do level 6 validation also when winbindd is querying them directly. (cherry picked from commit 05036fab0a9847219c73c0abd931a39fba0bccfd) Address bug #8599 (WINBINDD_PAM_AUTH_CRAP returns invalid user session key). (cherry picked from commit 01747a5554839f21992b8845328c4b08c3dd8ff8) --- Summary of changes: source3/winbindd/winbindd_cm.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index cc3e3ed..a63c3f5 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1766,6 +1766,8 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) running active directory.\n, domain-name, domain-active_directory ? : NOT )); + domain-can_do_ncacn_ip_tcp = domain-active_directory; + domain-can_do_validation6 = domain-active_directory; domain-initialized = True; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c5c67ca s3: Add a test that makes a chained open break an oplock via e916778 s3: More fix for smbd -i from 6081fab Fix problem reported by Tom Lee tlee2...@gmail.com - when calculating the share security mask, take priviliges into account for the connecting user. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c5c67cacd979c5ea6a9ca9acdac104212556ec62 Author: Volker Lendecke v...@samba.org Date: Tue Feb 28 20:28:55 2012 +0100 s3: Add a test that makes a chained open break an oplock Autobuild-User: Volker Lendecke v...@samba.org Autobuild-Date: Wed Feb 29 01:13:03 CET 2012 on sn-devel-104 commit e916778e6eb34c956c5e6559bbf3f6dfd17a8ba1 Author: Volker Lendecke v...@samba.org Date: Tue Feb 28 22:36:06 2012 +0100 s3: More fix for smbd -i We need a full re-initialize, otherwise we don't re-init the USR1 signal handler --- Summary of changes: source3/Makefile.in |1 + source3/selftest/tests.py |1 + source3/smbd/server.c |2 +- source3/torture/proto.h |1 + source3/torture/test_chain3.c | 294 + source3/torture/torture.c |1 + source3/wscript_build |1 + 7 files changed, 300 insertions(+), 1 deletions(-) create mode 100644 source3/torture/test_chain3.c Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 0a189b5..71a18d6 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1266,6 +1266,7 @@ SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/uta torture/test_case_insensitive.o \ torture/test_posix_append.o \ torture/test_smb2.o \ + torture/test_chain3.o \ torture/test_authinfo_structs.o \ torture/test_cleanup.o \ torture/t_strappend.o diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 163cfb4..eab1356 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -69,6 +69,7 @@ tests=[ FDPASS, LOCK1, LOCK2, LOCK3, LOCK4, LOCK5, LOCK6, LOCK7, DIR, DIR1, DIR-CREATETIME, TCON, TCONDEV, RW1, RW2, RW3, RW-SIGNING, OPEN, XCOPY, RENAME, DELETE, DELETE-LN, PROPERTIES, W2K, TCON2, IOCTL, CHKPATH, FDSESS, CHAIN1, CHAIN2, +CHAIN3, GETADDRINFO, POSIX, UID-REGRESSION-TEST, SHORTNAME-TEST, POSIX-APPEND, CASE-INSENSITIVE-CREATE, SMB2-BASIC, NTTRANS-FSCTL, SMB2-NEGPROT, diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 986eb21..0fb7d16 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -466,7 +466,7 @@ static void smbd_accept_connection(struct tevent_context *ev, } if (s-parent-interactive) { - tevent_re_initialise(ev); + reinit_after_fork(msg_ctx, sconn-ev_ctx, true); smbd_process(ev, sconn); exit_server_cleanly(end of interactive mode); return; diff --git a/source3/torture/proto.h b/source3/torture/proto.h index 8d661aa..e65b272 100644 --- a/source3/torture/proto.h +++ b/source3/torture/proto.h @@ -99,6 +99,7 @@ bool run_smb2_session_reconnect(int dummy); bool run_smb2_tcon_dependence(int dummy); bool run_smb2_multi_channel(int dummy); bool run_smb2_session_reauth(int dummy); +bool run_chain3(int dummy); bool run_local_conv_auth_info(int dummy); bool run_local_sprintf_append(int dummy); bool run_cleanup1(int dummy); diff --git a/source3/torture/test_chain3.c b/source3/torture/test_chain3.c new file mode 100644 index 000..7b9eeb0 --- /dev/null +++ b/source3/torture/test_chain3.c 
@@ -0,0 +1,294 @@ +/* + Unix SMB/CIFS implementation. + Test smbd chain routines + + Copyright (C) Volker Lendecke 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include includes.h +#include torture/proto.h +#include libsmb/libsmb.h +#include system/filesys.h +#include async_smb.h +#include lib/util/tevent_ntstatus.h +#include libcli/security/security.h + +struct chain3_andx_state { + uint16_t fnum; + size_t written; + char str[6]; +}; +
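Review bot: In the server.c hunk, smbd_accept_connection() discards the return value of reinit_after_fork() on the interactive path, so a failed re-initialisation goes straight into smbd_process(). Check the result and exit with a level 0 DEBUG message on failure. The call also passes sconn->ev_ctx while the next line still uses ev; if they are the same context use one name for both, and if they are not, add a comment saying why the reinit targets a different one.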
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via de870e9 s3: Introduce req helper var in reply_lockingX_success via adac885 s3: Fix a const warning from c5c67ca s3: Add a test that makes a chained open break an oplock http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit de870e979b1082ffd4d88350dfd4e073bd5d0789 Author: Volker Lendecke v...@samba.org Date: Tue Feb 28 02:47:46 2012 +0100 s3: Introduce req helper var in reply_lockingX_success Autobuild-User: Volker Lendecke v...@samba.org Autobuild-Date: Wed Feb 29 03:08:53 CET 2012 on sn-devel-104 commit adac8858817c1a153fecb3b02b59cbffc23ec1cb Author: Volker Lendecke v...@samba.org Date: Tue Feb 28 03:14:37 2012 +0100 s3: Fix a const warning --- Summary of changes: source3/smbd/blocking.c |8 +--- source3/smbd/process.c |2 +- 2 files changed, 6 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c index 028adce..6496e43 100644 --- a/source3/smbd/blocking.c +++ b/source3/smbd/blocking.c @@ -268,7 +268,9 @@ bool push_blocking_lock_request( struct byte_range_lock *br_lck, static void reply_lockingX_success(struct blocking_lock_record *blr) { - reply_outbuf(blr-req, 2, 0); + struct smb_request *req = blr-req; + + reply_outbuf(req, 2, 0); /* * As this message is a lockingX call we must handle @@ -278,8 +280,8 @@ static void reply_lockingX_success(struct blocking_lock_record *blr) * that here and must set up the chain info manually. */ - chain_reply(blr-req); - TALLOC_FREE(blr-req-outbuf); + chain_reply(req); + TALLOC_FREE(req-outbuf); } / diff --git a/source3/smbd/process.c b/source3/smbd/process.c index ba6314c..fc18f5e 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c 
@@ -1784,7 +1784,7 @@ static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf) uint8_t wct = CVAL(andx_buf, smb_wct); const uint16_t *vwv = (const uint16_t *)(andx_buf + smb_vwv); uint32_t num_bytes = smb_buflen(andx_buf); - const uint8_t *bytes= (const uint8_t *)smb_buf(andx_buf); + const uint8_t *bytes= (const uint8_t *)smb_buf_const(andx_buf); uint8_t *outbuf; size_t old_size, new_size; -- Samba Shared Repository
[SCM] CTDB repository - branch 1.2.39 updated - ctdb-1.9.1-499-gf053a6d
The branch, 1.2.39 has been updated via f053a6d2948a1933d38d6cdd4cae55349e71b7d4 (commit) from 6f6dac21f93c38c3abcbebc1b786b4da2ef9f563 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.39 - Log - commit f053a6d2948a1933d38d6cdd4cae55349e71b7d4 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Feb 29 12:25:41 2012 +1100 Vacuuming: change default timeout to 120 seconds S1035431 --- Summary of changes: server/ctdb_tunables.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_tunables.c b/server/ctdb_tunables.c index eb90f51..62a4dd4 100644 --- a/server/ctdb_tunables.c +++ b/server/ctdb_tunables.c @@ -58,7 +58,7 @@ static const struct { { RecoveryDropAllIPs, 120, offsetof(struct ctdb_tunable, recovery_drop_all_ips) }, { VerifyRecoveryLock, 1, offsetof(struct ctdb_tunable, verify_recovery_lock) }, { VacuumDefaultInterval, 10, offsetof(struct ctdb_tunable, vacuum_default_interval) }, - { VacuumMaxRunTime, 30, offsetof(struct ctdb_tunable, vacuum_max_run_time) }, + { VacuumMaxRunTime, 120, offsetof(struct ctdb_tunable, vacuum_max_run_time) }, { RepackLimit, 1, offsetof(struct ctdb_tunable, repack_limit) }, { VacuumLimit, 5000, offsetof(struct ctdb_tunable, vacuum_limit) }, { VacuumMinInterval, 10, offsetof(struct ctdb_tunable, vacuum_min_interval) }, -- CTDB repository
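Review bot: The VacuumMaxRunTime default goes from 30 to 120 with no rationale: the commit message gives only the subject line and the reference S1035431, which readers outside that tracker cannot resolve. Add a sentence on what failed at 30 seconds, and update any documentation that lists this tunable's default, since the hunk touches only server/ctdb_tunables.c.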
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.9.1-542-gfd33e6f
The branch, 1.2.40 has been updated via fd33e6ff1e349e3d6d1d2e78ab14942c97aba731 (commit) from a02fa85678cc5061042ab6d448b8a3f5993f2d70 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40 - Log - commit fd33e6ff1e349e3d6d1d2e78ab14942c97aba731 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Feb 29 12:25:41 2012 +1100 Vacuuming: change default timeout to 120 seconds S1035431 --- Summary of changes: server/ctdb_tunables.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_tunables.c b/server/ctdb_tunables.c index eb90f51..62a4dd4 100644 --- a/server/ctdb_tunables.c +++ b/server/ctdb_tunables.c @@ -58,7 +58,7 @@ static const struct { { RecoveryDropAllIPs, 120, offsetof(struct ctdb_tunable, recovery_drop_all_ips) }, { VerifyRecoveryLock, 1, offsetof(struct ctdb_tunable, verify_recovery_lock) }, { VacuumDefaultInterval, 10, offsetof(struct ctdb_tunable, vacuum_default_interval) }, - { VacuumMaxRunTime, 30, offsetof(struct ctdb_tunable, vacuum_max_run_time) }, + { VacuumMaxRunTime, 120, offsetof(struct ctdb_tunable, vacuum_max_run_time) }, { RepackLimit, 1, offsetof(struct ctdb_tunable, repack_limit) }, { VacuumLimit, 5000, offsetof(struct ctdb_tunable, vacuum_limit) }, { VacuumMinInterval, 10, offsetof(struct ctdb_tunable, vacuum_min_interval) }, -- CTDB repository
[SCM] CTDB repository - branch master updated - ctdb-1.12-223-g5ae94c6
The branch, master has been updated via 5ae94c6b9b3000a6c79fccaaea1e007ebd5be1a9 (commit) from 49791db7dc74cffd7e88bd73091590cdc1909328 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 5ae94c6b9b3000a6c79fccaaea1e007ebd5be1a9 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Feb 29 12:29:22 2012 +1100 Vacuuming: change default timeout to 120 seconds --- Summary of changes: server/ctdb_tunables.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_tunables.c b/server/ctdb_tunables.c index c5e15c1..76af85d 100644 --- a/server/ctdb_tunables.c +++ b/server/ctdb_tunables.c @@ -60,7 +60,7 @@ static const struct { { VerifyRecoveryLock, 1, offsetof(struct ctdb_tunable, verify_recovery_lock), false }, { VacuumInterval, 10, offsetof(struct ctdb_tunable, vacuum_interval), false }, { VacuumDefaultInterval, 10, offsetof(struct ctdb_tunable, vacuum_default_interval), true }, - { VacuumMaxRunTime, 30, offsetof(struct ctdb_tunable, vacuum_max_run_time), false }, + { VacuumMaxRunTime, 120, offsetof(struct ctdb_tunable, vacuum_max_run_time), false }, { RepackLimit, 1, offsetof(struct ctdb_tunable, repack_limit), false }, { VacuumLimit, 5000, offsetof(struct ctdb_tunable, vacuum_limit), false }, { VacuumMinInterval, 10, offsetof(struct ctdb_tunable, vacuum_min_interval), true }, -- CTDB repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c9219fe libcli/smb/smbXcli: use smb2_key_deviration() to setup SMB 2.24 keys via 39ae473 libcli/smb/smb2_signing: implement aes_cmac_128 based signing for SMB 2.24 via 7f5e569 libcli/smb/smb2_signing: add smb2_key_deviration() via 7102eaf lib/crypto: add aes_cmac_128_test.c as local.crypto.aes_cmac_128 test via 062d1a0 lib/crypto: add aes_cmac_128* (rfc 4493) from de870e9 s3: Introduce req helper var in reply_lockingX_success http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c9219fe5859957589570ff0deeaccd17125d347e Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 09:33:46 2012 +0100 libcli/smb/smbXcli: use smb2_key_deviration() to setup SMB 2.24 keys This uses the key diveration function from NIST Special Publication 800-108 in counter mode (section 5.1). Thanks to Jeremy, Michael and Volker for the debugging! metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Feb 29 04:54:48 CET 2012 on sn-devel-104 commit 39ae4737e0fbf8db348db76f7a534a55304918f0 Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 09:32:33 2012 +0100 libcli/smb/smb2_signing: implement aes_cmac_128 based signing for SMB 2.24 metze commit 7f5e56971f617fd71ec47a54866577d08dabd1d7 Author: Stefan Metzmacher me...@samba.org Date: Wed Feb 22 13:13:47 2012 +0100 libcli/smb/smb2_signing: add smb2_key_deviration() This implements a simplified version of NIST Special Publication 800-108 section 5.1 using hmac-sha256. Thanks to Jeremy, Michael and Volker for the debugging! metze commit 7102eafc266e82121b1a267991584885ebfa9a65 Author: Stefan Metzmacher me...@samba.org Date: Wed Feb 29 01:39:31 2012 +0100 lib/crypto: add aes_cmac_128_test.c as local.crypto.aes_cmac_128 test metze commit 062d1a09c2ef5efcdb85c77d7d27109b1317b46c Author: Stefan Metzmacher me...@samba.org Date: Sat Feb 18 11:47:31 2012 +0100 lib/crypto: add aes_cmac_128* (rfc 4493) Thanks to Jeremy, Michael and Volker for the debugging! 
metze --- Summary of changes: lib/crypto/aes_cmac_128.c | 184 .../netlogon.h = lib/crypto/aes_cmac_128.h| 40 ++-- lib/crypto/aes_cmac_128_test.c | 92 ++ lib/crypto/crypto.h|1 + lib/crypto/wscript_build | 11 +- libcli/smb/smb2_signing.c | 108 ++-- libcli/smb/smb2_signing.h |5 + libcli/smb/smbXcli_base.c | 43 +- source3/Makefile.in|3 +- source4/torture/local/local.c |2 + 10 files changed, 443 insertions(+), 46 deletions(-) create mode 100644 lib/crypto/aes_cmac_128.c copy libcli/netlogon/netlogon.h = lib/crypto/aes_cmac_128.h (50%) create mode 100644 lib/crypto/aes_cmac_128_test.c Changeset truncated at 500 lines: diff --git a/lib/crypto/aes_cmac_128.c b/lib/crypto/aes_cmac_128.c new file mode 100644 index 000..b630eea --- /dev/null +++ b/lib/crypto/aes_cmac_128.c 
@@ -0,0 +1,184 @@ +/* + AES-CMAC-128 (rfc 4493) + Copyright (C) Stefan Metzmacher 2012 + Copyright (C) Jeremy Allison 2012 + Copyright (C) Michael Adam 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include replace.h +#include ../lib/crypto/crypto.h + +static const uint8_t const_Zero[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +static const uint8_t const_Rb[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 +}; + +#define _MSB(x) (((x)[0] 0x80)?1:0) + +static inline void aes_cmac_128_left_shift_1(const uint8_t in[AES_BLOCK_SIZE], +uint8_t out[AES_BLOCK_SIZE]) +{ + uint8_t overflow = 0; + int8_t i; + + for (i = AES_BLOCK_SIZE - 1; i = 0; i--) { + out[i] = in[i] 1; + + out[i] |= overflow; + +
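Review bot: aes_cmac_128_left_shift_1() stores `out[i] = in[i] << 1` before the rest of the loop body (cut off in this excerpt) runs, so if the carry for the next byte is read from in[i] after that store, a call with in == out computes the carry from the already shifted byte and produces a wrong subkey. Either read the carry into a local before writing out[i], or add a comment that the two buffers must not alias. The loop index is also declared int8_t; a plain int is the usual choice and does not rely on AES_BLOCK_SIZE staying below 128.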
[SCM] CTDB repository - branch master updated - ctdb-1.12-224-g7417d99
The branch, master has been updated via 7417d994c2a159f71d27d4bcd2f53684862eece3 (commit) from 5ae94c6b9b3000a6c79fccaaea1e007ebd5be1a9 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 7417d994c2a159f71d27d4bcd2f53684862eece3 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Feb 29 16:09:24 2012 +1100 READONLY: skip vacuuming or deleting records with readonly delegations. they are hot. wait until they have been revoked before we recall them. --- Summary of changes: server/ctdb_recover.c | 14 ++ server/ctdb_vacuum.c |6 ++ 2 files changed, 20 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c index 3d56f77..06b5ed1 100644 --- a/server/ctdb_recover.c +++ b/server/ctdb_recover.c @@ -954,6 +954,20 @@ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context * return -1; } + /* do not allow deleting record that have readonly flags set. */ + if (hdr-flags (CTDB_REC_RO_HAVE_DELEGATIONS|CTDB_REC_RO_HAVE_READONLY|CTDB_REC_RO_REVOKING_READONLY|CTDB_REC_RO_REVOKE_COMPLETE)) { + tdb_chainunlock(ctdb_db-ltdb-tdb, key); + DEBUG(DEBUG_INFO,(__location__ Skipping record with readonly flags set\n)); + free(data.dptr); + return -1; + } + if (hdr2-flags (CTDB_REC_RO_HAVE_DELEGATIONS|CTDB_REC_RO_HAVE_READONLY|CTDB_REC_RO_REVOKING_READONLY|CTDB_REC_RO_REVOKE_COMPLETE)) { + tdb_chainunlock(ctdb_db-ltdb-tdb, key); + DEBUG(DEBUG_INFO,(__location__ Skipping record with readonly flags set\n)); + free(data.dptr); + return -1; + } + if (hdr2-dmaster == ctdb-pnn) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); DEBUG(DEBUG_INFO,(__location__ Attempted delete record where we are the dmaster\n)); diff --git a/server/ctdb_vacuum.c b/server/ctdb_vacuum.c index e0e1e3b..b492f9b 100644 --- a/server/ctdb_vacuum.c +++ b/server/ctdb_vacuum.c 
@@ -491,6 +491,12 @@ static int delete_record_traverse(void *param, void *data) header = (struct ctdb_ltdb_header *)tdb_data.dptr; + if (header-flags (CTDB_REC_RO_HAVE_DELEGATIONS|CTDB_REC_RO_HAVE_READONLY|CTDB_REC_RO_REVOKING_READONLY|CTDB_REC_RO_REVOKE_COMPLETE)) { + /* The record has readonly flags set. skip deleting */ + vdata-delete_skipped++; + goto done; + } + if (header-dmaster != ctdb-pnn) { /* The record has been migrated off the node. Skip. */ vdata-delete_skipped++; -- CTDB repository
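Review bot: The four-flag mask CTDB_REC_RO_HAVE_DELEGATIONS|CTDB_REC_RO_HAVE_READONLY|CTDB_REC_RO_REVOKING_READONLY|CTDB_REC_RO_REVOKE_COMPLETE is spelled out three times (twice in delete_tdb_record(), once in delete_record_traverse()), so a later change that misses one copy would let a record with a live read-only delegation be deleted or vacuumed. Define the mask once as a macro in a shared header and use it in all three tests. In delete_tdb_record() the hdr and hdr2 branches also log the identical "Skipping record with readonly flags set" message, so the log cannot tell which of the two headers carried the flags.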
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 65d42ab s3:torture/test_smb2: test path based calls during reauth in SMB2-MULTI-CHANNEL via 300ab04 s3:torture/test_smb2: test handle based calls during reauth in SMB2-MULTI-CHANNEL via 2fced53 s3:torture/test_smb2: do a reauth over multiple channels in SMB2-MULTI-CHANNEL via 670ea3e s3:torture/test_smb2: add a 3rd channel to SMB2-MULTI-CHANNEL via c0dac92 s3:torture/test_smb2: expect FILE_CLOSED on invalid handles in SMB2-MULTI-CHANNEL via 51a15e9 s4:torture/smb2: remove unused var from c9219fe libcli/smb/smbXcli: use smb2_key_deviration() to setup SMB 2.24 keys http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 65d42ab727d4a335ef4265030d16d31aae015371 Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 13:27:38 2012 +0100 s3:torture/test_smb2: test path based calls during reauth in SMB2-MULTI-CHANNEL metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Feb 29 07:23:14 CET 2012 on sn-devel-104 commit 300ab04a07b1de2674528474dba55726c3a3bef1 Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 13:27:38 2012 +0100 s3:torture/test_smb2: test handle based calls during reauth in SMB2-MULTI-CHANNEL metze commit 2fced53cfe768b15791208331dea5a9e91ac9567 Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 11:19:22 2012 +0100 s3:torture/test_smb2: do a reauth over multiple channels in SMB2-MULTI-CHANNEL metze commit 670ea3e3a35e97ce34f60b6a1f0aff8bfede5353 Author: Stefan Metzmacher me...@samba.org Date: Mon Feb 27 11:50:40 2012 +0100 s3:torture/test_smb2: add a 3rd channel to SMB2-MULTI-CHANNEL metze commit c0dac92b429b014c4c3d0778800d2baaf2610892 Author: Stefan Metzmacher me...@samba.org Date: Wed Feb 29 03:57:34 2012 +0100 s3:torture/test_smb2: expect FILE_CLOSED on invalid handles in SMB2-MULTI-CHANNEL metze commit 51a15e9d312f7e73b708f6e63452809c100fbd7a Author: Stefan Metzmacher me...@samba.org Date: Wed Feb 29 03:42:52 2012 +0100 s4:torture/smb2: remove unused var 
metze --- Summary of changes: source3/torture/test_smb2.c| 327 +++- source4/torture/smb2/session.c |1 - 2 files changed, 324 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c index 83d59ff..7ad8f96 100644 --- a/source3/torture/test_smb2.c +++ b/source3/torture/test_smb2.c @@ -767,6 +767,7 @@ bool run_smb2_multi_channel(int dummy) { struct cli_state *cli1; struct cli_state *cli2; + struct cli_state *cli3; NTSTATUS status; bool ok; uint64_t fid_persistent, fid_volatile; @@ -793,6 +794,11 @@ bool run_smb2_multi_channel(int dummy) } cli2-smb2.pid = 0xFEFF; + if (!torture_init_connection(cli3)) { + return false; + } + cli3-smb2.pid = 0xFEFF; + status = smbXcli_negprot(cli1-conn, cli1-timeout, PROTOCOL_SMB2_22, PROTOCOL_SMB2_24); if (!NT_STATUS_IS_OK(status)) { @@ -807,6 +813,13 @@ bool run_smb2_multi_channel(int dummy) return false; } + status = smbXcli_negprot(cli3-conn, cli3-timeout, +PROTOCOL_SMB2_22, PROTOCOL_SMB2_24); + if (!NT_STATUS_IS_OK(status)) { + printf(smbXcli_negprot returned %s\n, nt_errstr(status)); + return false; + } + status = cli_session_setup(cli1, username, password, strlen(password), password, strlen(password), @@ -956,6 +969,134 @@ bool run_smb2_multi_channel(int dummy) cli2-smb2.tid = cli1-smb2.tid; + status = smb2cli_session_create_channel(cli3, + cli2-smb2.session, + cli3-conn, + cli3-smb2.session); + if (!NT_STATUS_IS_OK(status)) { + printf(smb2cli_session_create_channel returned %s\n, + nt_errstr(status)); + return false; + } + + status = auth_generic_client_prepare(talloc_tos(), auth_generic_state); + if (!NT_STATUS_IS_OK(status)) { + printf(auth_generic_client_prepare returned %s\n, nt_errstr(status)); + return false; + } + + gensec_want_feature(auth_generic_state-gensec_security, + GENSEC_FEATURE_SESSION_KEY); + status = auth_generic_set_username(auth_generic_state, username); + if (!NT_STATUS_IS_OK(status)) { +
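Review bot: The cli3 setup added to run_smb2_multi_channel() prints "smbXcli_negprot returned %s" and "smb2cli_session_create_channel returned %s" with no channel identifier, so a failure in the test log does not say which of the three connections broke. Include the channel name (for example cli3) in the added printf calls. cli3->smb2.pid is also set to the same 0xFEFF as cli2; a short comment on whether the channels are meant to share a pid would help the next reader.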