Re: [Samba] LDAP access to Samba 4
On 29 August 2012 21:48, Kristofer kristo...@cybernetik.net wrote: Hello, I am currently migrating from OpenLDAP to a Samba 4 PDC, and I have a webpage (PHP/Apache) available for users so that they can change their password on the existing LDAP server. I attempted to adjust that script to change the password on the Samba 4 AD controller, but I get a "cannot connect" error from LDAP. The web server the password script is running on is not on the same machine as the Samba 4 controller, and is not joined to the AD domain. What is the best way to connect to the LDAP server from PHP to make this happen? Is there something with Kerberos I need to do? Or am I going to have to fully join the machine to the domain before it can connect to LDAP?

You basically need to do whatever would be needed with a Windows AD server. You'll need to do it over TLS (on port 636. Make sure you compiled with GnuTLS support if you do this.) or using GSSAPI (Kerberos). It goes something like this (pseudocode), I believe:

    # Bind to the directory
    ldap_simple_bind_s(userdn, oldpass)
    # or:
    tokens = ldap.sasl.gssapi()
    ldap_sasl_interactive_bind_s("", tokens)

    oldencoded = encode_pass(oldpass)
    newencoded = encode_pass(newpass)
    modlist = make_modlist(oldencoded, newencoded)
    ldap_modify_s(userdn, modlist)

The encoding works like this:
* First wrap the password in double quotes.
* Then encode it using UTF-16-LE format.

So the string 'PASSWORD' would be encoded as '"\0P\0A\0S\0S\0W\0O\0R\0D\0"\0'

In Python this would be done like this:

    encodedpass = ('"%s"' % password).encode("utf-16-le")

The modlist is basically a delete of the unicodePwd attribute followed by an add with the new encoded password.

-- Michael Wood esiot...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
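A worked version of the encoding and modlist that the reply above describes, added here as an example; it is not code from the original post or from Samba. It builds exactly what python-ldap's `modify_s(dn, modlist)` consumes (the MOD_* constants are reproduced locally with python-ldap's values so the module runs without the library), distinguishes the self-service delete+add change from an administrative replace, and adds a guard for the "must be TLS or GSSAPI" requirement. Host names are placeholders.

```python
"""Password change against an AD / Samba 4 DC via the unicodePwd attribute.

Added example, not from the mailing-list post. Builds the value encoding and
the LDAP modify list; sending them needs an LDAP library such as python-ldap,
whose MOD_* constants are reproduced here so this module runs offline.
"""

# Values of ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE in python-ldap (assumed
# here so the example has no external dependency).
MOD_ADD = 0
MOD_DELETE = 1
MOD_REPLACE = 2

ATTR = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """AD stores the password as the UTF-16-LE encoding of the quoted string.

    '"' + password + '"' -> "PASSWORD" becomes
    b'"\\x00P\\x00A\\x00S\\x00S\\x00W\\x00O\\x00R\\x00D\\x00"\\x00'
    (no BOM: 'utf-16-le', not 'utf-16').
    """
    return ('"%s"' % password).encode("utf-16-le")


def decode_unicode_pwd(blob: bytes) -> str:
    """Inverse of encode_unicode_pwd; handy for checking what a script sends."""
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def password_change_modlist(old_password: str, new_password: str):
    """Self-service change: delete the old value, add the new one.

    The DC verifies that the deleted value matches the current password, so
    a user bound with their own credentials (holding only the 'Change
    Password' right on their object) can perform it.
    """
    return [
        (MOD_DELETE, ATTR, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, ATTR, [encode_unicode_pwd(new_password)]),
    ]


def password_reset_modlist(new_password: str):
    """Administrative reset: a single replace. Needs the 'Reset Password'
    right on the target object and does not require the old password."""
    return [(MOD_REPLACE, ATTR, [encode_unicode_pwd(new_password)])]


def require_encrypted_uri(uri: str, sasl_sealed: bool = False) -> str:
    """AD DCs reject unicodePwd modifications on an unencrypted connection.

    Accept LDAPS (636) outright; a plain ldap:// URI is only acceptable when
    the caller promises a sealed SASL (GSSAPI/Kerberos) bind. (StartTLS on
    389 would also satisfy the DC but is not modelled here.)
    """
    scheme = uri.split("://", 1)[0].lower()
    if scheme == "ldaps" or (scheme == "ldap" and sasl_sealed):
        return uri
    raise ValueError(
        "unicodePwd changes must use LDAPS or a sealed GSSAPI bind, got %r" % uri
    )


if __name__ == "__main__":
    # How the pieces fit together with python-ldap (shown, not executed here):
    #   import ldap
    #   conn = ldap.initialize(require_encrypted_uri("ldaps://dc1.example.com"))
    #   conn.simple_bind_s(user_dn, old_password)
    #   conn.modify_s(user_dn, password_change_modlist(old_password, new_password))
    for op, attr, values in password_change_modlist("OldPass1", "NewPass2"):
        print(op, attr, values[0])
```

Two practical consequences of the encoding: the value is binary, so it must be passed as bytes (not a str) to the LDAP library, and a web front end should never log the modlist, since both the old and the new password are trivially recoverable from it with `decode_unicode_pwd`.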
Re: [Samba] Samba3 and Office 2010
Besides what Jeremy suggested, I think it can be solved on the client side with: Word Options - Trust Center - Trust Center Settings -
1. Trusted locations: check "Allow trusted locations..."
2. Trusted documents: check "Allow documents on a network to be trusted"
3. Protected view: uncheck the first 2.
These should do it. PS: At point 1 you might need to define your network location, though it should work since point 2. Dragos

On Fri, Aug 31, 2012 at 12:16 AM, Jeremy Allison j...@samba.org wrote: On Thu, Aug 30, 2012 at 11:46:55AM +0400, Андрей Гребенников wrote: Hi there people! I'd like someone to help me with Samba shares and Office 2010. When a user opens a file from a share, MS Word or Excel tells him that the file was obtained from the internet and that if he wants to edit it he should push the "allow" button. How could I solve the issue from the Samba side?

It's almost certainly the alternate data stream with Internet Zone being required. Try using the streams_xattr module on the share.
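Jeremy's suggestion as an smb.conf fragment, added here as an example and not taken from the thread; the share name and path are placeholders. streams_xattr stores each NTFS alternate data stream (the Zone.Identifier stream that Office inspects among them) as a user extended attribute on the Linux file, so the underlying filesystem must be mounted with user xattrs enabled.

```ini
; Example share (hypothetical name and path): alternate data streams are
; stored as xattrs, so Windows clients can read, write and clear the
; Zone.Identifier stream that triggers Office's "from the internet" notice.
[docs]
    path = /srv/samba/docs
    read only = no
    ; without this module Samba has nowhere to keep the stream and the
    ; client's attempt to set or remove it fails
    vfs objects = streams_xattr
```

On the server, `getfattr -d -m - /srv/samba/docs/<file>` shows which files carry a stream; by default streams_xattr names them `user.DosStream.<stream name>`. A file that arrives on the share with a Zone.Identifier stream from a browser download will still be flagged by Office until a user "unblocks" it, which is now possible because the delete of the stream succeeds.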
[Samba] A conceptual question - a special samba-solution in a cluster
Hi SambaGurus!! I have a question regarding samba+winbind in a cluster - but it is a bit tricky - any pointers would be very much appreciated: Got a two-node cluster, using pacemaker/corosync/openais/whatever, with a resource group which includes an IP and a shared disk, which is only active on one node at a time (failover, no ocfs2, as I don't have that much faith in it - sorry). I have smb+winbind running on both nodes, for normal Linux-login user integration with a Windows AD. What I need in the cluster resource group is a Samba share (local users, not AD integrated), which can move with the IP and shared disk (aka the resource group). How do I get there? What concepts should I think of? Thanks in advance. Greetings from Danny Petterson
Re: [Samba] replication error?
On Fri, 31 Aug 2012, Andrew Bartlett wrote: On Thu, 2012-08-30 at 09:33 -0400, Steve Thompson wrote: On Wed, 29 Aug 2012, Steve Thompson wrote: On Wed, 29 Aug 2012, Steve Thompson wrote: More information. If I have two DC's, dc1 and dc2, and I point ldap_uri and krb5_server in sssd.conf directly at dc1, it always works. If I point either of those parameters at dc2, it always fails. Well, this was a red herring. Wait long enough (overnight) and it turns out that dc1 stops working as well (dc2 never works). This stuff is unusable. Does this configuration of SSSD work any differently against a windows domain? (Trial versions of windows server can be downloaded). I do not have the resources available to try this against a windows domain, and I don't care very much for Windows in any event, but as I mentioned before, it works perfectly against a single samba4 DC. It is only when I add a second DC that problems occur. BTW, a samba-tool demote does not work to reduce to one DC; I've tried it many times (but of course this is probably a separate issue). These issues appear to be client-side (using the wrong ticket, or attempting to do krb5 against a name mapping to more than one server), but with so little detail it is hard to say with clarity. I included plenty of detail in my earlier messages on the subject, and while I can see why it looks client-side, I note that I can successfully do a GSSAPI bind and a kinit with /etc/krb5.keytab when getent is failing. I've tried several different configurations with different clients and servers, and they all work with one DC and they all fail when there is more than one DC, all with no changes on the client side. A windows PC that is bound to the samba4 domain does not work either when getent fails, so I don't think that it is sssd. I appreciate your input. I like what I've seen of samba4 so far, except possibly the diddling with DNS, but this has me stumped. 
Steve -- Steve Thompson E-mail: smt AT vgersoft DOT com Voyager Software LLC Web: http://www DOT vgersoft DOT com 39 Smugglers Path VSW Support: support AT vgersoft DOT com Ithaca, NY 14850 186,282 miles per second: it's not just a good idea, it's the law
[Samba] Does samba-3.6.7's libsmbclient support the SMB2 protocol?
Hi, I'm using the libsmbclient library built from the source3 directory of samba-3.6.7. When I connect to a Vista/2008 server using this libsmbclient library, communication happens in the SMB1 protocol and NOT in SMB2. Please note that I've enabled SMB2 by adding the following line to smb.conf: max protocol = SMB2. Does the libsmbclient library built from the source3 directory of samba-3.6.7 support SMB2? thanks, -Kishore
Re: [Samba] Does samba-3.6.7's libsmbclient support the SMB2 protocol?
On Fri, Aug 31, 2012 at 06:56:04AM -0700, naga_kishore_komm...@yahoo.com wrote: Hi, I'm using the libsmbclient library built from the source3 directory of samba-3.6.7. When I connect to a Vista/2008 server using this libsmbclient library, communication happens in the SMB1 protocol and NOT in SMB2. Please note that I've enabled SMB2 by adding the following line to smb.conf: max protocol = SMB2. Does the libsmbclient library built from the source3 directory of samba-3.6.7 support SMB2?

No, it does not yet. Volker -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Samba compile problem
Well, managed to fix it, it was openldap. Now I have a problem with make:

SONAMEFLAG = -Wl,-soname=
Linking shared library bin/libtalloc.so.2
/usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld: anonymous version tag cannot be combined with other version tags
collect2: ld returned 1 exit status
*** Error code 1
The following command caused the error:
gcc -I/opt/local/samba/include -I/opt/local/samba/include -I. -I/opt/local/samba-3.6.7/source3 -I/opt/local/samba-3.6.7/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc -I./.. -I./../lib/talloc -I../lib/tdb/include -DHAVE_CONFIG_H -I/opt/local/samba/include -I/opt/local/samba/include -I/usr/local/inclue -I/usr/sfw/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLDAP_DEPRECATED -DSUNOS5 -I/opt/local/samba-3.6.7/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -shared -Wl,-z,relro -L/opt/local/samba/lib -R/opt/local/samba/lib -L/opt/local/samba/lib -R/opt/local/samba/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/lib -R/usr/sfw/lib -R/usr/lib -lthread -L./bin -lc -Wl,-z,defs -Wl,--version-script,/opt/local/samba-3.6.7/source3/exports/`basename bin/libtalloc.so.2 | sed 's:\.so[\.0-9]*$:.syms:'` -o bin/libtalloc.so.2 ../lib/talloc/talloc.o ./../lib/replace/replace.o ./../lib/replace/snprintf.o ./../lib/replace/getpass.o ./../lib/replace/strptime.o ./../lib/replace/timegm.o ./../lib/replace/getifaddrs.o -lnsl -lsocket -Wl,-soname=`basename bin/libtalloc.so.2`
make: Fatal error: Command failed for target `bin/libtalloc.so.2'

Any idea? Thanks Nitin

From: nitintha...@hotmail.com To: samba@lists.samba.org Date: Thu, 30 Aug 2012 18:49:50 + Subject: Samba compile problem

hi all, Samba build problem when compiling with --with-ads. I have compiled kerberos and openldap in /opt/local/samba and I am using gcc with gnu binutils. It's a Solaris 10 sparc.

Configure gives me the following error:

checking for LDAP support... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... yes
checking for ber_sockbuf_add_io... yes
checking for LDAP_OPT_SOCKBUF... yes
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... no
checking for ldap_set_rebind_proc... no
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
configure: error: libldap is needed for LDAP support

Config.log output:

configure:25335: gcc -o conftest -I/opt/local/samba/include -I/opt/local/samba/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include -L/opt/local/samba/lib -R/opt/local/samba/lib -lthread -L./bin -L/usr/lib conftest.c -lldap -llber -lresolv -lrt -lnsl -lsocket -lmd5 -lrt -liconv >&5
/usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld: /opt/local/samba/lib/libldap.so: dladdr: invalid version 12 (max 0)
/opt/local/samba/lib/libldap.so: could not read symbols: Bad value

I installed openldap in /opt/local/samba.

# find /opt/local/samba -name libldap\*
/opt/local/samba/lib/libldap_r.a
/opt/local/samba/lib/libldap.so
/opt/local/samba/lib/libldap.la
/opt/local/samba/lib/libldap-2.4.so.2
/opt/local/samba/lib/libldap.a
/opt/local/samba/lib/libldap_r.so
/opt/local/samba/lib/libldap_r-2.4.so.2
/opt/local/samba/lib/libldap-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r.la

Thanks Nitin
Re: [Samba] Samba compile problem
Compiling Samba on Solaris 10 can be a real challenge. A lot of the issues seem to be related to the old version of ld. I would expect that you would have more luck on Solaris 11, but I have not tried it yet. I ended up using Sun Studio and dmake. If you look for older posts from me there should be notes on what I did. Solaris 10 (with the latest updates) should include Samba 3.5.x. A lot less aggravation than compiling IF it meets your needs.

On 08/31/12 12:16, Nitin Thakur wrote:
[Nitin's message, quoted in full above]
[Samba] samba share an NFS import?
Is it a problem to share a folder via Samba that is actually an NFS import from another machine? Looking at the Samba documentation, it seems it shouldn't be. But I find only this one reference to re-exporting an NFS import via Samba (this is under Samba 3.6 Features added/changed): http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#NFS_quota_backend_on_Linux which says "A new nfs quota backend for Linux has been added that is based on the existing Solaris/FreeBSD implementation. This allows samba to communicate correct diskfree information for nfs imports that are re-exported as samba shares."

But googling the problem, I find numerous discussions, where most contain something along the lines of this: http://serverfault.com/questions/68330/samba-sharing-an-nfs-mount-point which says, "The Samba manual mentions that re-exporting a NFS mountpoint over Samba does not work correctly. NFS is not 100% POSIX compatible, so some things work differently than what Samba expects. I.e. you should run Samba on the same server where you run the NFS service, exporting the local disks directly." I also came across various folks claiming one needs to play with the timing parameters in smb.conf.

We're currently running Samba 3.5.10, under RHEL 6.2 (3.5.10 is the version currently supplied with RHEL 6.2). Machine Q nfs-mounts machine M's data disks, and re-exports them via Samba for users to access. We are experiencing problems with the NFS share occasionally becoming very slow (both for machine Q and the machines that mount them via Samba), and I'm wondering if the re-export is the problem.

Question 1: When was Samba re-export of an NFS import considered stable? I.e., do I need to update to 3.6 (move ahead of the RHEL distribution) for this to be OK?
Question 2: Can someone point me to more official Samba documentation on exporting?
Re: [Samba] samba share an NFS import?
On Fri, Aug 31, 2012 at 08:45:28PM +, Scott-Fleming, Ian wrote:
[question quoted in full above]

Bottom line - it'll mostly work. Caveat. Don't come complaining here when the locking doesn't work :-). Jeremy.
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d2c0387 s4-kdc: Give information on how long the password history is via efec5a9 s4-libnet: Fix memory leak of lsa_RefDomainList and lsa_String onto libnet_ctx via a5d57a0 auth/credentials: Do not print passwords in a talloc memory dump from a3b67e5 VERSION: Move on to beta9 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d2c0387d66038fb474daa1507923c2138a6e584f Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 31 14:02:28 2012 +1000 s4-kdc: Give information on how long the password history is Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Aug 31 08:06:17 CEST 2012 on sn-devel-104 commit efec5a9299455bd53cc770f2bc364f9a6f4f8def Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 31 12:38:41 2012 +1000 s4-libnet: Fix memory leak of lsa_RefDomainList and lsa_String onto libnet_ctx These are only needed for as long as the call, and should be children of the private context. This was found based on a log provided by Ricky Nance ricky.na...@weaubleau.k12.mo.us. Thanks Ricky! Andrew Bartlett commit a5d57a04c2e515212cc1f2b51c9a02acb33a79ba Author: Andrew Bartlett abart...@samba.org Date: Fri Aug 31 11:19:54 2012 +1000 auth/credentials: Do not print passwords in a talloc memory dump The fact that a password was created here is enough information, so overwrite with the function name and line. Andrew Bartlett --- Summary of changes: auth/credentials/credentials.c |8 source4/kdc/kpasswdd.c |3 ++- source4/libnet/libnet_lookup.c |4 ++-- 3 files changed, 12 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 05f0a62..e636123 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c 
@@ -371,6 +371,10 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, { if (obtained = cred-password_obtained) { cred-password = talloc_strdup(cred, val); + if (cred-password) { + /* Don't print the actual password in talloc memory dumps */ + talloc_set_name_const(cred-password, password set via cli_credentials_set_password); + } cred-password_obtained = obtained; cli_credentials_invalidate_ccache(cred, cred-password_obtained); @@ -416,6 +420,10 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred, enum credentials_obtained obtained) { cred-old_password = talloc_strdup(cred, val); + if (cred-old_password) { + /* Don't print the actual password in talloc memory dumps */ + talloc_set_name_const(cred-old_password, password set via cli_credentials_set_old_password); + } return true; } diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 8bed20e..c05ea82 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -119,7 +119,8 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, reject_string = Password does not meet complexity requirements; break; case SAM_PWD_CHANGE_PWD_IN_HISTORY: - reject_string = Password is already in password history; + reject_string = talloc_asprintf(mem_ctx, Password is already in password history, cannot match any of your %d passwords, + dominfo-password_history_length); break; default: reject_string = talloc_asprintf(mem_ctx, Password must be at least %d characters long, and cannot match any of your %d previous passwords, diff --git a/source4/libnet/libnet_lookup.c b/source4/libnet/libnet_lookup.c index 31ac6e4..cf2d70c 100644 --- a/source4/libnet/libnet_lookup.c +++ b/source4/libnet/libnet_lookup.c 
@@ -308,7 +308,7 @@ static bool prepare_lookup_params(struct libnet_context *ctx, s-sids.count = 0; s-sids.sids = NULL; - s-names = talloc_array(ctx, struct lsa_String, single_name); + s-names = talloc_array(s, struct lsa_String, single_name); if (composite_nomem(s-names, c)) return false; s-names[0].string = s-name; @@ -320,7 +320,7 @@ static bool prepare_lookup_params(struct libnet_context *ctx, s-lookup.in.count = s-count; s-lookup.out.count= s-count; s-lookup.out.sids = s-sids; - s-lookup.out.domains = talloc_zero(ctx, struct lsa_RefDomainList
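Review bot: in the cli_credentials_set_old_password hunk the function still returns true when the copy fails: the new `if (cred-old_password) { ... }` guards only the talloc_set_name_const() call, and the unconditional `return true;` that follows reports an allocation failure as success to the caller of a bool setter. Return false when talloc_strdup() yields NULL, as cli_credentials_set_password's `if (cred-password)` path should too. Separately, renaming the talloc chunk keeps the secret out of talloc_report_full() output but the plaintext still lives in the heap until freed; if the goal is to keep passwords out of dumps, a talloc destructor that zeroes the buffer would also cover core files.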
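Review bot: in the kpasswdd.c hunk the SAM_PWD_CHANGE_PWD_IN_HISTORY case now assigns `reject_string = talloc_asprintf(mem_ctx, ...)` without checking for NULL; the value it replaces was a string literal that could never be NULL, so whatever consumes reject_string after the switch may now see NULL on allocation failure. The default case uses the same pattern, so either both are guarded after the switch or both need a check. The wording "cannot match any of your %d passwords" also reads as if the user owns exactly that many passwords; "any of your %d previous passwords", as in the default case, says what is meant.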
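Review bot: in the libnet_lookup.c hunk reparenting `s-names = talloc_array(s, ...)` from ctx to s fixes the per-call leak but also shortens the lifetime of the output: s-names and (per the `- s-lookup.out.domains = talloc_zero(ctx, ...` line, whose replacement is cut off here) the domain list now die with the composite state rather than with libnet_ctx, so a caller that copied a pointer out of lookup.out without talloc_steal()/talloc_reference() would hold a dangling pointer once s is freed. The commit message should state the ownership change and the callers of the lookup result should be checked.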
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 1bb5d20 Fix bug #9124 - Samba fails to set inherited bit on inherited ACE's. via c36e78f Windows does canonicalization of inheritance bits. Do the same. via 7e03ebf Change the other two places where we set a security descriptor given by the client to go through set_sd(), the canonicalize sd function. via 67f82b4 Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL canonicalization. (cherry picked from commit 05734b67b8ed5516d81000eac48acd0915567629) via b6791f4 Rename set_sd() to set_sd_blob() - this describes what it does. (cherry picked from commit 61957ff9f6124eabae050f5425d7d0597ae6a127) from 4f4a972 s3-smbd: Fix flooding the logs with records we don't find in pcap. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 1bb5d205ecc071a98ce5717e2e009fb1875aeae2 Author: Jeremy Allison j...@samba.org Date: Wed Aug 29 16:55:21 2012 -0700 Fix bug #9124 - Samba fails to set inherited bit on inherited ACE's. Change se_create_child_secdesc() to handle inheritance correctly. commit c36e78f98f45b51a2d1fba6bedb5e4d39c0f4bbe Author: Jeremy Allison j...@samba.org Date: Wed Aug 29 13:40:29 2012 -0700 Windows does canonicalization of inheritance bits. Do the same. We need to filter out the SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set when an ACE is inherited. Otherwise we zero these bits out. See: http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531 for details. (cherry picked from commit d02f39f97624260bd226977b30c80974d0ce0fe0) commit 7e03ebf094a98c572816cb81ef3cf4c02aaafcfd Author: Jeremy Allison j...@samba.org Date: Wed Aug 29 16:52:02 2012 -0700 Change the other two places where we set a security descriptor given by the client to go through set_sd(), the canonicalize sd function. 
commit 67f82b4cb65294dc2e3c3a144d91df9bbfdaa90c Author: Jeremy Allison j...@samba.org Date: Wed Aug 29 13:29:34 2012 -0700 Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL canonicalization. (cherry picked from commit 05734b67b8ed5516d81000eac48acd0915567629) commit b6791f4878bfdd2266f27b1e962324966ef03e31 Author: Jeremy Allison j...@samba.org Date: Wed Aug 29 13:23:06 2012 -0700 Rename set_sd() to set_sd_blob() - this describes what it does. (cherry picked from commit 61957ff9f6124eabae050f5425d7d0597ae6a127) --- Summary of changes: source3/lib/secdesc.c | 10 +++- source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 21 + source3/smbd/nttrans.c| 73 +++- source3/smbd/open.c |6 +-- source3/smbd/proto.h |4 +- source3/smbd/smb2_setinfo.c |2 +- 6 files changed, 73 insertions(+), 43 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c index 007e097..b7c9fc5 100644 --- a/source3/lib/secdesc.c +++ b/source3/lib/secdesc.c @@ -563,6 +563,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, struct security_acl *new_dacl = NULL, *the_acl = NULL; struct security_ace *new_ace_list = NULL; unsigned int new_ace_list_ndx = 0, i; + bool set_inherited_flags = (parent_ctr-type SEC_DESC_DACL_AUTO_INHERITED); *ppsd = NULL; *psize = 0; @@ -625,7 +626,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, /* First add the regular ACE entry. */ init_sec_ace(new_ace, ptrustee, ace-type, - ace-access_mask, 0); + ace-access_mask, + set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0); DEBUG(5,(se_create_child_secdesc(): %s:%d/0x%02x/0x%08x inherited as %s:%d/0x%02x/0x%08x\n, @@ -648,7 +650,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, } init_sec_ace(new_ace, ptrustee, ace-type, -ace-access_mask, new_flags); + ace-access_mask, new_flags | + (set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0)); DEBUG(5, (se_create_child_secdesc(): %s:%d/0x%02x/0x%08x inherited as %s:%d/0x%02x/0x%08x\n, 
@@ -675,7 +678,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, *ppsd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, -
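Review bot: the first secdesc.c hunk's `bool set_inherited_flags = (parent_ctr-type SEC_DESC_DACL_AUTO_INHERITED);` is only correct because commit c36e78f now canonicalizes the AUTO_INHERITED / AUTO_INHERIT_REQ bits in set_sd() before the parent descriptor is stored. Descriptors written to disk before this fix were never canonicalized, so children created under them keep being stamped without SEC_ACE_FLAG_INHERITED_ACE until the parent ACL is rewritten; that migration caveat belongs in the bug #9124 release note so administrators know why some trees still misreport inheritance after upgrading.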
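Review bot: the expression `set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0` is written out twice, in the init_sec_ace() call for the regular ACE (@@ -625) and again, OR'ed into new_flags, for the inheritable copy (@@ -648). Computing it once into a local next to the existing bool (`uint8_t inherited = set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0;`) keeps the two paths from drifting apart and turns the second call into the easier-to-read `new_flags | inherited`; the precedence in `new_flags | (cond ? X : 0)` is right as written but invites a misread.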
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2eb606b s3:build fix autoconf build on RHEL5 via 3dfd179 s3:doc Fix name of timeout parameter in documentation via 424492a s3:dbwrap_ctdb: Add DB name and key to warning message from 7204dc9 s4 dns: Negotiate GSSAPI-based TKEYs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2eb606bfa907aea0a93f3eef550316fb1d663084 Author: Christian Ambach a...@samba.org Date: Fri Aug 31 11:00:23 2012 +0200 s3:build fix autoconf build on RHEL5 RHEL5 only has autoconf 2.59, so autogen.sh still needs to find autoconf-2.60.m4 somewhere, but it was removed with 5f58359 Autobuild-User(master): Christian Ambach a...@samba.org Autobuild-Date(master): Fri Aug 31 12:50:03 CEST 2012 on sn-devel-104 commit 3dfd179638a821e83a18476dc607fe34e7e5ec57 Author: Christof Schmitt christof.schm...@us.ibm.com Date: Thu Aug 30 15:42:51 2012 -0700 s3:doc Fix name of timeout parameter in documentation The name is time_audit:timeout, not time_audit:audit_timeout. Signed-off-by: Christian Ambach a...@samba.org commit 424492a96358dd52b8cc48ec26b25b97ae809e57 Author: Christof Schmitt christof.schm...@us.ibm.com Date: Thu Aug 30 13:16:24 2012 -0700 s3:dbwrap_ctdb: Add DB name and key to warning message When an operation takes too long, it is useful for debugging to know the DB and the key. Signed-off-by: Christian Ambach a...@samba.org --- Summary of changes: docs-xml/manpages-3/vfs_time_audit.8.xml |6 +- source3/lib/dbwrap/dbwrap_ctdb.c |9 +- source3/m4/autoconf-2.60.m4 | 236 ++ 3 files changed, 247 insertions(+), 4 deletions(-) create mode 100644 source3/m4/autoconf-2.60.m4 Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/vfs_time_audit.8.xml b/docs-xml/manpages-3/vfs_time_audit.8.xml index fc71e28..d79acc8 100644 --- a/docs-xml/manpages-3/vfs_time_audit.8.xml +++ b/docs-xml/manpages-3/vfs_time_audit.8.xml 
@@ -31,7 +31,7 @@ paraThe commandtime_audit/command VFS module logs system calls that take longer than the number of milliseconds defined by the variable - commandtime_audit:audit_timeout/command. It will log the calls and + commandtime_audit:timeout/command. It will log the calls and the time spent in it. /para @@ -51,7 +51,7 @@ varlistentry - termtime_audit:audit_timeout = number of milliseconds/term + termtime_audit:timeout = number of milliseconds/term listitem paraVFS calls that take longer than the defined number of milliseconds that should be logged. The default is 1 (10s). @@ -74,7 +74,7 @@ smbconfsection name=[sample_share]/ smbconfoption name=path/test/sample_share/smbconfoption smbconfoption name=vfs objectstime_audit/smbconfoption - smbconfoption name=time_audit: audit_timeout3000/smbconfoption + smbconfoption name=time_audit:timeout3000/smbconfoption /programlisting /refsect1 diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c index 0a57997..6d46586 100644 --- a/source3/lib/dbwrap/dbwrap_ctdb.c +++ b/source3/lib/dbwrap/dbwrap_ctdb.c @@ -996,7 +996,14 @@ static int db_ctdb_record_destr(struct db_record* data) if (threshold != 0) { double timediff = timeval_elapsed(crec-lock_time); if ((timediff * 1000) threshold) { - DEBUG(0, (Held tdb lock %f seconds\n, timediff)); + const char *key; + + key = hex_encode_talloc(data, + (unsigned char *)data-key.dptr, + data-key.dsize); + DEBUG(0, (Held tdb lock on db %s, key %s %f seconds\n, + tdb_name(crec-ctdb_ctx-wtdb-tdb), key, + timediff)); } } diff --git a/source3/m4/autoconf-2.60.m4 b/source3/m4/autoconf-2.60.m4 new file mode 100644 index 000..b2694fd --- /dev/null +++ b/source3/m4/autoconf-2.60.m4 
@@ -0,0 +1,236 @@ +# AC_GNU_SOURCE +# -- +AC_DEFUN([AC_GNU_SOURCE], +[AH_VERBATIM([_GNU_SOURCE], +[/* Enable GNU extensions on systems that have them. */ +#ifndef _GNU_SOURCE +# undef _GNU_SOURCE +#endif])dnl +AC_BEFORE([$0], [AC_COMPILE_IFELSE])dnl +AC_BEFORE([$0], [AC_RUN_IFELSE])dnl +AC_DEFINE([_GNU_SOURCE]) +]) + +# _AC_C_STD_TRY(STANDARD, TEST-PROLOGUE, TEST-BODY, OPTION-LIST, +# ACTION-IF-AVAILABLE, ACTION-IF-UNAVAILABLE) +# -- +# Check whether the C compiler accepts features of STANDARD
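Review bot: in the second vfs_time_audit.8.xml hunk, the unchanged context line "The default is 1 (10s)." is inconsistent now that the parameter is documented in milliseconds, since a default of 1 ms is not 10 s. While this paragraph is being touched for the rename, state the real default with its unit (whichever millisecond value corresponds to the 10 s in parentheses) after checking it against the module's code, so the rename does not leave a second documentation error beside the one it fixes.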
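Review bot: the dbwrap_ctdb.c hunk passes `key` to DEBUG as a %s argument without checking the return value of hex_encode_talloc(), which returns NULL on allocation failure; a NULL %s argument is undefined behaviour in the printf family, and this path fires exactly when the server is already under lock pressure, so it is not a theoretical case. Use a fallback such as `key ? key : "<unknown>"` or skip the hex dump when key is NULL. Parenting the hex string on `data` is fine because the record is being destroyed, but it stays allocated until the destructor returns; a talloc_free(key) after the DEBUG is cheap if keys can be large.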
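Review bot: the new source3/m4/autoconf-2.60.m4 carries macros copied from autoconf, but the visible header gives neither their origin nor the licence under which they are redistributed. Add a short comment at the top naming the autoconf version they were taken from and the licence, and stating that the file exists only so autogen.sh works with the autoconf 2.59 shipped on RHEL5 (as the commit message explains), so the next tree cleanup does not remove it again as 5f58359 did.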
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e4505fc tdb: return unpack error on strdup failure from 85706c4 s3: Fix a few warning: ISO C90 forbids mixed declarations and code http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e4505fc27bf31dbf922635fac19ea52a2a002bd4 Author: David Disseldorp dd...@samba.org Date: Fri Aug 31 17:41:31 2012 +0200 tdb: return unpack error on strdup failure Signed-off-by: Lars Müller l...@samba.org Autobuild-User(master): David Disseldorp dd...@samba.org Autobuild-Date(master): Fri Aug 31 21:05:21 CEST 2012 on sn-devel-104 --- Summary of changes: source3/lib/util_tdb.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c index c6c6d26..8bfc75f 100644 --- a/source3/lib/util_tdb.c +++ b/source3/lib/util_tdb.c @@ -237,6 +237,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...) if (bufsize len) goto no_space; *ps = SMB_STRDUP((const char *)buf); + if (*ps == NULL) { + goto no_space; + } break; case 'f': /* null-terminated string */ s = va_arg(ap,char *); -- Samba Shared Repository
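Review bot: the tdb_unpack() hunk routes an SMB_STRDUP() failure through the existing `no_space` label, so callers cannot distinguish an out-of-memory condition from a truncated input buffer, and any diagnostics attached to no_space will blame the input rather than the allocator. If the function has only one error return this is acceptable, but a DEBUG line on the new path saying that the strdup failed would save confusion later; also confirm that strings allocated for earlier format characters in the same call are released on this path, since the hunk shows only the case preceding 'f' breaking out.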
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c256566 s4 dns: Store TKEYs in a ringbuffer from e4505fc tdb: return unpack error on strdup failure http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c256566aa97e040a9b3007c779b1006d20462ccb Author: Kai Blin k...@samba.org Date: Fri Aug 31 13:41:19 2012 +0200 s4 dns: Store TKEYs in a ringbuffer This stops us from potentially being DoSed by tons of TKEYs Autobuild-User(master): Kai Blin k...@samba.org Autobuild-Date(master): Fri Aug 31 22:46:01 CEST 2012 on sn-devel-104 --- Summary of changes: source4/dns_server/dns_query.c | 125 ++- source4/dns_server/dns_server.c | 27 source4/dns_server/dns_server.h | 11 +++- 3 files changed, 106 insertions(+), 57 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index e9c3a24..530b7b2 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -36,7 +36,6 @@ #include auth/auth.h #include auth/credentials/credentials.h #include auth/gensec/gensec.h -#include lib/util/dlinklist.h static WERROR create_response_rr(const struct dns_name_question *question, const struct dnsp_DnssrvRpcRecord *rec, 
@@ -321,19 +320,73 @@ static WERROR handle_question(struct dns_server *dns, return WERR_OK; } -static NTSTATUS create_new_tkey(TALLOC_CTX *mem_ctx, - struct dns_server *dns, - struct dns_server_tkey **tkey, - const char* name) +static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, + struct dns_server *dns, + struct dns_server_tkey *tkey, + const DATA_BLOB *key, + DATA_BLOB *reply, + uint16_t *dns_auth_error) +{ + NTSTATUS status; + + status = gensec_update(tkey-gensec, mem_ctx, dns-task-event_ctx, + *key, reply); + + if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { + *dns_auth_error = DNS_RCODE_OK; + return status; + } + + if (NT_STATUS_IS_OK(status)) { + + status = gensec_session_info(tkey-gensec, tkey, tkey-session_info); + if (!NT_STATUS_IS_OK(status)) { + *dns_auth_error = DNS_RCODE_BADKEY; + return status; + } + *dns_auth_error = DNS_RCODE_OK; + } + + return status; +} + +static struct dns_server_tkey *find_tkey(struct dns_server_tkey_store *store, +const char *name) +{ + struct dns_server_tkey *tkey = NULL; + uint16_t i = 0; + + do { + struct dns_server_tkey *tmp_key = store-tkeys[i]; + + i++; + i %= TKEY_BUFFER_SIZE; + + if (tmp_key == NULL) { + continue; + } + if (dns_name_equal(name, tmp_key-name)) { + tkey = tmp_key; + break; + } + } while (i != 0); + + return tkey; +} + +static NTSTATUS create_tkey(struct dns_server *dns, + const char* name, + struct dns_server_tkey **tkey) { NTSTATUS status; - struct dns_server_tkey *k = talloc_zero(mem_ctx, struct dns_server_tkey); + struct dns_server_tkey_store *store = dns-tkeys; + struct dns_server_tkey *k = talloc_zero(store, struct dns_server_tkey); if (k == NULL) { return NT_STATUS_NO_MEMORY; } - k-name = talloc_strdup(mem_ctx, name); + k-name = talloc_strdup(k, name); if (k-name == NULL) { return NT_STATUS_NO_MEMORY; 
@@ -363,52 +416,16 @@ static NTSTATUS create_new_tkey(TALLOC_CTX *mem_ctx, return status; } - *tkey = k; - return NT_STATUS_OK; -} - -static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, - struct dns_server *dns, - struct dns_server_tkey *tkey, - const DATA_BLOB *key, - DATA_BLOB *reply, - uint16_t *dns_auth_error) -{ - NTSTATUS status; - - status = gensec_update(tkey-gensec, mem_ctx, dns-task-event_ctx, - *key, reply); - - if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { - *dns_auth_error = DNS_RCODE_OK; - return status; + if
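Review bot: in accept_gss_ticket() the generic failure path leaves *dns_auth_error unset: only NT_STATUS_MORE_PROCESSING_REQUIRED, the gensec_session_info() failure and the success case assign it, so when gensec_update() itself fails the caller reads whatever dns_auth_error held before the call. Assign it explicitly before `return status;` (DNS_RCODE_BADKEY fits, as it is already used for the session_info failure). Two smaller points in the same hunk: find_tkey() returns the first slot whose name matches, but in a ring buffer an older entry can coexist with a newer one of the same name after a client renegotiates, so create_tkey() should reuse or free an existing same-name entry, or find_tkey() should prefer the most recently written slot; and since create_tkey() now parents each tkey on `store`, whichever code overwrites a ring slot must talloc_free() the displaced entry, otherwise the DoS the commit message addresses becomes a slow leak.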
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4d7dad1 s4-dsdb: Remove unused variables via 8557c69 s4-kdc: Improve grammer and clarity of password change failure messages. via f0a9180 s3: Fix warnings in aio_fork.c via 2ffe690 s3: Remove a shadowing variable declaration via 01ade93 s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context from c256566 s4 dns: Store TKEYs in a ringbuffer http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4d7dad13158fe6d998d7f63ed0f4ac7935a29bf8 Author: Andrew Bartlett abart...@samba.org Date: Sat Sep 1 11:36:36 2012 +1000 s4-dsdb: Remove unused variables Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104 commit 8557c692f613847d190891b6d79498f4e8fb9096 Author: Andrew Bartlett abart...@samba.org Date: Sat Sep 1 11:34:33 2012 +1000 s4-kdc: Improve grammer and clarity of password change failure messages. This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case. Andrew Bartlett commit f0a9180ae9dd565e4772ba9027ade0edfe1fc8d8 Author: Volker Lendecke v...@samba.org Date: Fri Aug 31 14:45:08 2012 +0200 s3: Fix warnings in aio_fork.c commit 2ffe69082e23675a96e59eea0954a6b17530e82c Author: Volker Lendecke v...@samba.org Date: Fri Aug 31 14:17:49 2012 +0200 s3: Remove a shadowing variable declaration commit 01ade93c7c0c2f2e992f5295976bbfc20429023a Author: Andrew Bartlett abart...@samba.org Date: Sat Sep 1 11:29:46 2012 +1000 s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context This was found based on a log provided by Ricky Nance ricky.na...@weaubleau.k12.mo.us. Thanks Ricky! Andrew Bartlett --- Summary of changes: source3/modules/vfs_aio_fork.c |6 -- source3/passdb/lookup_sid.c|2 -- source4/dsdb/common/util.c |5 - source4/kdc/kpasswdd.c |7 +++ 4 files changed, 7 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: 
diff --git a/source3/modules/vfs_aio_fork.c b/source3/modules/vfs_aio_fork.c index 2ec3d3d..3db336f 100644 --- a/source3/modules/vfs_aio_fork.c +++ b/source3/modules/vfs_aio_fork.c @@ -590,9 +590,10 @@ static struct tevent_req *aio_fork_pread_send(struct vfs_handle_struct *handle, ssize_t written; int err; struct aio_fork_config *config; + SMB_VFS_HANDLE_GET_DATA(handle, config, struct aio_fork_config, - return -1); + return NULL); req = tevent_req_create(mem_ctx, state, struct aio_fork_pread_state); if (req == NULL) { @@ -821,9 +822,10 @@ static struct tevent_req *aio_fork_fsync_send( ssize_t written; int err; struct aio_fork_config *config; + SMB_VFS_HANDLE_GET_DATA(handle, config, struct aio_fork_config, - return -1); + return NULL); req = tevent_req_create(mem_ctx, state, struct aio_fork_fsync_state); if (req == NULL) { diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 530fa6b..76a454c 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -1096,8 +1096,6 @@ static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) if ((sid_check_is_in_builtin(psid) || sid_check_is_in_wellknown_domain(psid))) { - bool ret; - map = talloc_zero(NULL, GROUP_MAP); if (!map) { return false; diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 5d73df2..086f2a5 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1618,12 +1618,10 @@ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_ int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa) { NTSTATUS status; - TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct GUID dn_guid; const struct GUID *our_ntds_guid; status = dsdb_get_extended_dn_guid(dn, dn_guid, GUID); if (!NT_STATUS_IS_OK(status)) { - talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } 
@@ -1645,10 +1643,7 @@ int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base { int ret; struct ldb_dn *referenced_dn; - NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_new(ldb); - struct GUID referenced_guid; - const struct GUID *our_ntds_guid; if (tmp_ctx == NULL) { return
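Review bot: both vfs_aio_fork.c hunks correct the SMB_VFS_HANDLE_GET_DATA() failure action from `return -1` to `return NULL`, which is what a function returning `struct tevent_req *` needs; the previous integer-to-pointer conversion would not have been recognised as a failure by tevent callers checking for NULL. The same macro is probably used in the remaining _send functions of this module, so a grep is worthwhile to apply the fix uniformly rather than only to the two that happened to warn.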
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d5f845c s3: Make an if statement a bit easier to read via 5e0365d Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges. via 6550bc0 Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing. via 64e57a1 Add a comment showing where to set log level in tests. via 4645564 Change the S3 fileserver over to se_file_access_check(). via 2b89e1a Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter. via 69d925d SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed). from 4d7dad1 s4-dsdb: Remove unused variables http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d5f845c0d3ca185181760bce3731d31a71db4f32 Author: Volker Lendecke v...@samba.org Date: Fri Aug 31 14:11:45 2012 +0200 s3: Make an if statement a bit easier to read Fix indentation a bit 
Signed-off-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Sat Sep 1 07:07:12 CEST 2012 on sn-devel-104 commit 5e0365dfe891f556eed180bc44ac7120c37141fb Author: Jeremy Allison j...@samba.org Date: Fri Aug 31 14:42:21 2012 -0700 Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges. Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT. commit 6550bc0d26278ce96a2a752231efef274c0dcf12 Author: Jeremy Allison j...@samba.org Date: Fri Aug 31 12:42:16 2012 -0700 Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing. commit 64e57a1770b61593082ddd1191f26fa314ddafcd Author: Jeremy Allison j...@samba.org Date: Fri Aug 31 12:41:48 2012 -0700 Add a comment showing where to set log level in tests. commit 46455642a78f7a1c60f56dec8ad907d0cfd326ea Author: Jeremy Allison j...@samba.org Date: Mon Aug 27 16:07:32 2012 -0700 Change the S3 fileserver over to se_file_access_check(). Don't set the priv_open_requested yet until the open-for-backup request is correctly passed in. commit 2b89e1a20a6c726e5c3219a944143f0beb7c5920 Author: Jeremy Allison j...@samba.org Date: Mon Aug 27 15:41:18 2012 -0700 Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter. commit 69d925d110a23e9f1cf9e6013729eb611b8ab58a Author: Jeremy Allison j...@samba.org Date: Mon Aug 27 14:15:35 2012 -0700 SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed). Ensure the privilege rights are always specific rights, not generic. By the time the privilege rights are examined, we've already mapped from generic to specific in the access_mask. 
--- Summary of changes: libcli/security/access_check.c | 86 +++--- libcli/security/access_check.h | 11 librpc/idl/security.idl | 15 ++--- selftest/knownfail |1 + selftest/target/Samba4.pm|3 + source3/lib/sharesec.c |2 +- source3/smbd/open.c | 20 --- source4/torture/basic/denytest.c | 31 - source4/torture/rpc/samba3rpc.c | 123 +- source4/torture/rpc/testjoin.c | 74 +++ 10 files changed, 320 insertions(+), 46 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index 7f08cb5..9153dad 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -274,16 +274,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } - /* TODO: remove this, as it is file server specific */ - if ((bits_remaining SEC_RIGHTS_PRIV_RESTORE) - security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining = ~(SEC_RIGHTS_PRIV_RESTORE); - } - if ((bits_remaining SEC_RIGHTS_PRIV_BACKUP) - security_token_has_privilege(token, SEC_PRIV_BACKUP)) { - bits_remaining = ~(SEC_RIGHTS_PRIV_BACKUP); - } - if ((bits_remaining SEC_STD_WRITE_OWNER)
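Review bot: the access_check.c hunk removes the SEC_PRIV_RESTORE/SEC_PRIV_BACKUP handling from the generic se_access_check(), while the commit messages only account for the S3 fileserver being switched to se_file_access_check(). Any other caller of se_access_check() that previously had backup or restore privileges satisfy the remaining bits will now be denied, so the series needs an audit of se_access_check() callers (the diffstat shows source3/lib/sharesec.c changing, but the other callers are not visible here) and the commit message should list which ones were considered. The knownfail entry for samba4.base.maximum_allowed also deserves an inline comment naming NTCREATEX_OPTIONS_BACKUP_INTENT as the blocker so it is not mistaken for a permanent skip.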