[SCM] Samba Shared Repository - branch v3-4-stable updated - release-3-4-0pre2-42-g3c6d8df
Karolin Seeger
kseeger at samba.org
Fri Jun 19 06:47:57 GMT 2009
The branch, v3-4-stable has been updated
via 3c6d8df7f6cb7cbc806218fc24f9dee069c63d18 (commit)
via 09393cc0c3deaeda8eb86827ebec9171cffdc5a2 (commit)
via ffe520aab3191929816f9c5724d3b9e3da5a5e86 (commit)
via 778c2ba4fa6e6541b8973dcd4bcbd91c8de1700a (commit)
via 2241690802b995ae71dc6c28df786dd0da4e2e3a (commit)
from 119ba61a75a4da6066b4f62d9b4fb444aa37c38b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-stable
- Log -----------------------------------------------------------------
commit 3c6d8df7f6cb7cbc806218fc24f9dee069c63d18
Author: Günther Deschner <gd at samba.org>
Date: Fri Jun 19 01:52:11 2009 +0200
s3-pam_winbind: Fix Bug 6253: Use correct value for password expiry calculation.
Based on patch from Blindauer Emmanuel <samba at mooby.net>.
Guenther
(cherry picked from commit e77355fec0f3b30cadcefc106c4f7957bf763c6b)
commit 09393cc0c3deaeda8eb86827ebec9171cffdc5a2
Author: Kai Blin <kai at samba.org>
Date: Wed Jun 10 13:08:40 2009 +0200
Revert "net: Use samba default command line arguments."
This reverts commit c039bc15ba597d955d0ccbf5642388b0a03ba40b and dependent
commits 33c6ba805756739b7b4395bedb66ae00797cbcb1 and
ce18ba7e24b5578672d2f2ffaab97ef708421067.
While it certainly would be a nice to have feature, this has caused more
hassle than reasonable, e.g. in net commands that need to use the machine
account like net (ads|rpc) testjoin.
This un-fixes bug #6305.
(cherry picked from commit eadbd85b2797683b3a17a1919c4aea28d6519a01)
commit ffe520aab3191929816f9c5724d3b9e3da5a5e86
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jun 17 13:56:21 2009 -0700
Fix bug #6476 - more then 3000 smbd-zombies in memory
We weren't reaping children in the [x]inetd case.
Jeremy.
(cherry picked from commit 7d20e8f7f4d3d1a17b3817cea370304f2f437809)
(cherry picked from commit ec18e0f11eda8d25feb14c92cf7d90bda8d79269)
commit 778c2ba4fa6e6541b8973dcd4bcbd91c8de1700a
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Jun 18 09:32:10 2009 +0200
s3/docs: Add documentation for 'net sam rights'.
This is part of a fix for bug #6328.
Karolin
(cherry picked from commit e912764a5e0c1f05f921667eb56ef58552de454b)
(cherry picked from commit a291e88019771bb2703bf9854483404a6ee8d622)
commit 2241690802b995ae71dc6c28df786dd0da4e2e3a
Author: David Markey <admin at dmarkey.com>
Date: Wed Jun 17 18:29:20 2009 +0200
s3-net: Fix Bug #6328: support "net sam rights grant/revoke" with multiple rights.
David
Signed-off-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4d189ed0be01d71689731d315b53d8ba1d158be3)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 39 --------------
docs-xml/manpages-3/net.8.xml | 27 ++++++++++
nsswitch/pam_winbind.c | 3 +-
source3/smbd/server.c | 12 ++++
source3/utils/net.c | 43 ++++++++++++----
source3/utils/net.h | 9 +++-
source3/utils/net_ads.c | 82 +++++++++++++++---------------
source3/utils/net_dom.c | 8 +--
source3/utils/net_help.c | 1 -
source3/utils/net_proto.h | 3 +
source3/utils/net_rpc.c | 74 +++++++++-----------------
source3/utils/net_rpc_join.c | 3 +-
source3/utils/net_rpc_samsync.c | 4 +-
source3/utils/net_rpc_shell.c | 9 +--
source3/utils/net_sam.c | 64 +++++++++++++----------
source3/utils/net_util.c | 109 ++++++++++++++++++++++++++++++++------
16 files changed, 287 insertions(+), 203 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a8c4afe..108945a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -35,9 +35,6 @@ o The code has been cleaned up and the major basic interfaces are shared with
Samba4 now.
o An asynchronous API has been added.
-net Command Changes:
-o Parameter syntax made more consistent.
-
Configuration changes
=====================
@@ -120,38 +117,6 @@ these two versions.
An asynchronous API has been added.
-net Command Changes
-===================
-
-The net command now accepts the common command line parameters most other Samba
-command line utilities use, with a couple of remaining differences:
-
--l still gives long output for net commands supporting the --long flag. This was
-more useful than the common --log-base parameter.
-
--i still tells net to read data from stdin (like --stdin) instead of toggling
-the common --scope flag.
-
--S still tells net the server to connect to (like --server) instead of
-negotiating the common --signing flag. As -S is probably used by most scripts
-doing net rpc commands, this would have been a high-impact change for little
-gain.
-
-This change was mainly done to unify the authentification options. Here, one
-flag changed it's meaning and one useful flag was added.
-
--N used to be the short version of --ntname. It now matches the Samba default of
---no-pass. Use this to stop net from prompting for a password if you want
-anonymous authentication.
-
--A --authentication-file now takes an authentication file with the username and
-password you want net to use, avoiding a password prompt as with plain -U user
-or having to give a password on the command line as in -U user%pass.
-
-Last but not least net now always falls back to your local unix username if no
--U is specified and a username is needed. net rpc commands will now prompt for a
-password unless one is specified using either -U user%pass or -A auth_file
-
######################################################################
Changes
#######
@@ -302,10 +267,6 @@ o Michael Adam <obnox at samba.org>
* Fix linking with --disable-shared-libs.
-o Kai Blin <kai at samba.org>
- * BUG #6357: Use Samba default command line arguments in 'net'.
-
-
o Steven Danneman <steven.danneman at isilon.com>
* Fix issue with missing entries when enumerating directories.
* Map NULL domains to our global sam name.
diff --git a/docs-xml/manpages-3/net.8.xml b/docs-xml/manpages-3/net.8.xml
index b6e7042..a0cba83 100644
--- a/docs-xml/manpages-3/net.8.xml
+++ b/docs-xml/manpages-3/net.8.xml
@@ -1056,6 +1056,33 @@ the rid and description is also provided for each account.
</refsect2>
<refsect2>
+<title>SAM RIGHTS LIST</title>
+
+<para>
+List all available privileges.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>SAM RIGHTS GRANT <NAME> <PRIVILEGE></title>
+
+<para>
+Grant one or more privileges to a user.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>SAM RIGHTS REVOKE <NAME> <PRIVILEGE></title>
+
+<para>
+Revoke one or more privileges from a user.
+</para>
+
+</refsect2>
+
+<refsect2>
<title>SAM SHOW <NAME></title>
<para>
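Review bot: the new titles "SAM RIGHTS GRANT <NAME> <PRIVILEGE>" and "SAM RIGHTS REVOKE <NAME> <PRIVILEGE>" show a single privilege argument, while the paragraphs under them say "one or more privileges", so the synopsis does not tell the reader how additional rights are passed. Suggest showing the repetition in the title (for example <PRIVILEGE> [<PRIVILEGE> ...], if they are separate arguments) and pointing to SAM RIGHTS LIST as the source of valid privilege names.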
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 545c87d..e90f1b7 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -914,7 +914,8 @@ static void _pam_warn_password_expiry(struct pwb_context *ctx,
/* now check for the global password policy */
/* good catch from Ralf Haferkamp: an expiry of "never" is translated
* to -1 */
- if (policy->expire == -1) {
+ if ((policy->expire == (int64_t)-1) ||
+ (policy->expire == 0)) {
return;
}
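Review bot: the added policy->expire == 0 test in _pam_warn_password_expiry is not covered by the comment above it, which still only explains that an expiry of "never" is translated to -1. Please extend the comment to say what an expiry of 0 means and why it also skips the warning, so the second condition is not mistaken for a leftover. A word on the type of policy->expire would also explain the new (int64_t) cast.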
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 685b26f..30addaf 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1045,6 +1045,11 @@ extern void build_options(bool screen);
BlockSignals(False, SIGUSR1);
BlockSignals(False, SIGTERM);
+ /* Ensure we leave no zombies until we
+ * correctly set up child handling below. */
+
+ CatchChild();
+
/* we want total control over the permissions on created files,
so set our umask to 0 */
umask(0);
@@ -1211,6 +1216,13 @@ extern void build_options(bool screen);
/* close our standard file descriptors */
close_low_fds(False); /* Don't close stderr */
+#ifdef HAVE_ATEXIT
+ atexit(killkids);
+#endif
+
+ /* Stop zombies */
+ smbd_setup_sig_chld_handler();
+
smbd_process();
exit_server_cleanly(NULL);
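Review bot: atexit(killkids) is registered only under #ifdef HAVE_ATEXIT and its return value is ignored, so on a build without atexit, or if registration fails, this path exits without killing its children and nothing is logged. Consider a DEBUG message when registration fails, and expand the "Stop zombies" comment to say that smbd_setup_sig_chld_handler() takes over from the CatchChild() call added in the earlier hunk, whose comment refers to the child handling set up "below".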
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 2033082..d58858c 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -618,6 +618,7 @@ static struct functable net_func[] = {
int main(int argc, const char **argv)
{
int opt,i;
+ char *p;
int rc = 0;
int argc_new = 0;
const char ** argv_new;
@@ -628,10 +629,12 @@ static struct functable net_func[] = {
struct poptOption long_options[] = {
{"help", 'h', POPT_ARG_NONE, 0, 'h'},
{"workgroup", 'w', POPT_ARG_STRING, &c->opt_target_workgroup},
+ {"user", 'U', POPT_ARG_STRING, &c->opt_user_name, 'U'},
{"ipaddress", 'I', POPT_ARG_STRING, 0,'I'},
{"port", 'p', POPT_ARG_INT, &c->opt_port},
{"myname", 'n', POPT_ARG_STRING, &c->opt_requester_name},
{"server", 'S', POPT_ARG_STRING, &c->opt_host},
+ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },
{"container", 'c', POPT_ARG_STRING, &c->opt_container},
{"comment", 'C', POPT_ARG_STRING, &c->opt_comment},
{"maxusers", 'M', POPT_ARG_INT, &c->opt_maxusers},
@@ -642,13 +645,15 @@ static struct functable net_func[] = {
{"stdin", 'i', POPT_ARG_NONE, &c->opt_stdin},
{"timeout", 't', POPT_ARG_INT, &c->opt_timeout},
{"request-timeout",0,POPT_ARG_INT, &c->opt_request_timeout},
+ {"machine-pass",'P', POPT_ARG_NONE, &c->opt_machine_pass},
+ {"kerberos", 'k', POPT_ARG_NONE, &c->opt_kerberos},
{"myworkgroup", 'W', POPT_ARG_STRING, &c->opt_workgroup},
{"verbose", 'v', POPT_ARG_NONE, &c->opt_verbose},
{"test", 'T', POPT_ARG_NONE, &c->opt_testmode},
/* Options for 'net groupmap set' */
{"local", 'L', POPT_ARG_NONE, &c->opt_localgroup},
{"domain", 'D', POPT_ARG_NONE, &c->opt_domaingroup},
- {"ntname", 0, POPT_ARG_STRING, &c->opt_newntname},
+ {"ntname", 'N', POPT_ARG_STRING, &c->opt_newntname},
{"rid", 'R', POPT_ARG_INT, &c->opt_rid},
/* Options for 'net rpc share migrate' */
{"acls", 0, POPT_ARG_NONE, &c->opt_acls},
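Review bot: changing the "ntname" entry back to short option 'N' with POPT_ARG_STRING means -N again consumes the following argument, the opposite of the --no-pass meaning described in the WHATSNEW.txt text that this commit removes. A one-line release note for anyone who scripted against the pre-release behaviour would help. The new "machine-pass" and "kerberos" entries also carry no description string, unlike the "encrypt" entry added in the previous hunk.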
@@ -663,7 +668,6 @@ static struct functable net_func[] = {
{"clean-old-entries", 0, POPT_ARG_NONE, &c->opt_clean_old_entries},
POPT_COMMON_SAMBA
- POPT_COMMON_CREDENTIALS
{ 0, 0, 0, 0}
};
@@ -677,13 +681,6 @@ static struct functable net_func[] = {
dbf = x_stderr;
c->private_data = net_func;
- c->auth_info = user_auth_info_init(frame);
- if (c->auth_info == NULL) {
- d_fprintf(stderr, "\nOut of memory!\n");
- exit(1);
- }
- popt_common_set_auth_info(c->auth_info);
-
pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
POPT_CONTEXT_KEEP_FIRST);
@@ -691,7 +688,9 @@ static struct functable net_func[] = {
switch (opt) {
case 'h':
c->display_usage = true;
- set_cmdline_auth_info_password(c->auth_info, "");
+ break;
+ case 'e':
+ c->smb_encrypt = true;
break;
case 'I':
if (!interpret_string_addr(&c->opt_dest_ip,
@@ -701,6 +700,15 @@ static struct functable net_func[] = {
c->opt_have_ip = true;
}
break;
+ case 'U':
+ c->opt_user_specified = true;
+ c->opt_user_name = SMB_STRDUP(c->opt_user_name);
+ p = strchr(c->opt_user_name,'%');
+ if (p) {
+ *p = 0;
+ c->opt_password = p+1;
+ }
+ break;
default:
d_fprintf(stderr, "\nInvalid option %s: %s\n",
poptBadOption(pc, 0), poptStrerror(opt));
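Review bot: in the new case 'U', the result of SMB_STRDUP(c->opt_user_name) is passed straight to strchr() with no NULL check, so an allocation failure becomes a NULL dereference; check it, or use smb_xstrdup as the workgroup handling further down does. Note also that only the duplicate is split at '%': the user%pass string in argv is left intact, so the password stays readable in the process listing for the life of the command. That deserves at least a comment, and ideally the original argument is overwritten once it has been copied.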
@@ -734,6 +742,10 @@ static struct functable net_func[] = {
set_global_myname(c->opt_requester_name);
}
+ if (!c->opt_user_name && getenv("LOGNAME")) {
+ c->opt_user_name = getenv("LOGNAME");
+ }
+
if (!c->opt_workgroup) {
c->opt_workgroup = smb_xstrdup(lp_workgroup());
}
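Review bot: with the LOGNAME fallback, c->opt_user_name can now point at three kinds of storage: the SMB_STRDUP copy from case 'U', the pointer returned by getenv("LOGNAME") here, and (in net_ads.c) the string literal "administrator". The field cannot be freed uniformly, and the getenv() pointer can be invalidated by a later setenv/putenv. Suggest duplicating the LOGNAME value so the field always owns its string, and adding a comment that LOGNAME is trusted as the default account name.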
@@ -751,6 +763,17 @@ static struct functable net_func[] = {
that it won't assert becouse we are not root */
sec_init();
+ if (c->opt_machine_pass) {
+ /* it is very useful to be able to make ads queries as the
+ machine account for testing purposes and for domain leave */
+
+ net_use_krb_machine_account(c);
+ }
+
+ if (!c->opt_password) {
+ c->opt_password = getenv("PASSWD");
+ }
+
rc = net_run_function(c, argc_new-1, argv_new+1, "net", net_func);
DEBUG(2,("return code = %d\n", rc));
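Review bot: the PASSWD fallback at the end of this hunk stores the getenv() pointer directly in c->opt_password and is not documented anywhere in this change, neither in a comment nor in net.8.xml. Please document the variable and its precedence (it is only consulted when c->opt_password is still NULL after the -U and -P handling), and copy the value rather than aliasing the environment.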
diff --git a/source3/utils/net.h b/source3/utils/net.h
index f604d96..d88f962 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -28,8 +28,11 @@
struct net_context {
const char *opt_requester_name;
const char *opt_host;
- int opt_long_list_entries;
+ const char *opt_password;
+ const char *opt_user_name;
+ bool opt_user_specified;
const char *opt_workgroup;
+ int opt_long_list_entries;
int opt_reboot;
int opt_force;
int opt_stdin;
@@ -42,6 +45,7 @@ struct net_context {
int opt_timeout;
int opt_request_timeout;
const char *opt_target_workgroup;
+ int opt_machine_pass;
int opt_localgroup;
int opt_domaingroup;
int do_talloc_report;
@@ -53,14 +57,15 @@ struct net_context {
const char *opt_exclude;
const char *opt_destination;
int opt_testmode;
+ bool opt_kerberos;
int opt_force_full_repl;
int opt_single_obj_repl;
int opt_clean_old_entries;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
+ bool smb_encrypt;
struct libnetapi_ctx *netapi_ctx;
- struct user_auth_info *auth_info;
bool display_usage;
void *private_data;
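Review bot: opt_kerberos is declared bool here, but net.c passes &c->opt_kerberos to a POPT_ARG_NONE table entry, and popt stores an int through that pointer. Where bool is smaller than int the store is wider than the field: it spills into whatever follows it in the struct, and on a big-endian host the 1 can land outside the bool so that -k is silently ignored. opt_machine_pass, added in the same commit for the same kind of entry, is int; declare opt_kerberos as int too, or set it from a case in the option switch as 'e' does for smb_encrypt.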
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 588f57f..8e927be 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -231,22 +231,32 @@ retry_connect:
ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
+ if (!c->opt_user_name) {
+ c->opt_user_name = "administrator";
+ }
+
+ if (c->opt_user_specified) {
+ need_password = true;
+ }
+
retry:
- if (need_password) {
- set_cmdline_auth_info_getpass(c->auth_info);
+ if (!c->opt_password && need_password && !c->opt_machine_pass) {
+ c->opt_password = net_prompt_pass(c, c->opt_user_name);
+ if (!c->opt_password) {
+ ads_destroy(&ads);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
}
- if (get_cmdline_auth_info_got_pass(c->auth_info)) {
+ if (c->opt_password) {
use_in_memory_ccache();
SAFE_FREE(ads->auth.password);
- ads->auth.password = smb_xstrdup(
- get_cmdline_auth_info_password(c->auth_info));
+ ads->auth.password = smb_xstrdup(c->opt_password);
}
ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
- ads->auth.user_name = smb_xstrdup(
- get_cmdline_auth_info_username(c->auth_info));
+ ads->auth.user_name = smb_xstrdup(c->opt_user_name);
/*
* If the username is of the form "name at realm",
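Review bot: when net_prompt_pass() returns NULL, the new block after retry: reports ADS_ERROR(LDAP_NO_MEMORY) whatever the reason for the failure, which will send anyone debugging a failed prompt looking for an allocation problem. Use a more specific error, or at least print a message to stderr before returning. Separately, the "administrator" default set before retry: is only reached when LOGNAME is unset, because net.c now fills opt_user_name from the environment first; a comment saying so would save the cross-reference.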
@@ -865,7 +875,6 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
TALLOC_CTX *ctx;
struct libnet_UnjoinCtx *r = NULL;
WERROR werr;
- struct user_auth_info *ai = c->auth_info;
if (c->display_usage) {
d_printf("Usage:\n"
@@ -884,7 +893,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
return -1;
}
- if (!get_cmdline_auth_info_use_kerberos(ai)) {
+ if (!c->opt_kerberos) {
use_in_memory_ccache();
}
@@ -894,14 +903,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
return -1;
}
- set_cmdline_auth_info_getpass(ai);
-
r->in.debug = true;
- r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai);
+ r->in.use_kerberos = c->opt_kerberos;
r->in.dc_name = c->opt_host;
r->in.domain_name = lp_realm();
- r->in.admin_account = get_cmdline_auth_info_username(ai);
- r->in.admin_password = get_cmdline_auth_info_password(ai);
+ r->in.admin_account = c->opt_user_name;
+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
r->in.modify_config = lp_config_backend_is_registry();
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
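Review bot: r->in.admin_password is assigned the result of net_prompt_pass() without the NULL check that ads_startup applies to the same call earlier in this file, so a failed prompt is carried into the unjoin request as a NULL password (the same pattern appears in the net_ads_join hunk below). Check the return value and fail the command here. If net_prompt_pass() allocates, this hunk also does not show who frees the password afterwards; a comment on ownership would settle that.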
@@ -952,8 +959,7 @@ static NTSTATUS net_ads_join_ok(struct net_context *c)
return NT_STATUS_ACCESS_DENIED;
}
- set_cmdline_auth_info_use_machine_account(c->auth_info);
- set_cmdline_auth_info_machine_account_creds(c->auth_info);
+ net_use_krb_machine_account(c);
status = ads_startup(c, true, &ads);
if (!ADS_ERR_OK(status)) {
@@ -1184,7 +1190,6 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
const char *os_name = NULL;
const char *os_version = NULL;
bool modify_config = lp_config_backend_is_registry();
- struct user_auth_info *ai = c->auth_info;;
if (c->display_usage)
return net_ads_join_usage(c, argc, argv);
@@ -1204,7 +1209,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
goto fail;
}
- if (!get_cmdline_auth_info_use_kerberos(ai)) {
+ if (!c->opt_kerberos) {
use_in_memory_ccache();
}
@@ -1254,8 +1259,6 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
/* Do the domain join here */
- set_cmdline_auth_info_getpass(ai);
-
r->in.domain_name = domain;
r->in.create_upn = createupn;
r->in.upn = machineupn;
@@ -1263,10 +1266,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
r->in.os_name = os_name;
r->in.os_version = os_version;
r->in.dc_name = c->opt_host;
- r->in.admin_account = get_cmdline_auth_info_username(ai);
- r->in.admin_password = get_cmdline_auth_info_password(ai);
+ r->in.admin_account = c->opt_user_name;
+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
r->in.debug = true;
- r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai);
+ r->in.use_kerberos = c->opt_kerberos;
r->in.modify_config = modify_config;
r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
@@ -1577,7 +1580,6 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
char *prt_dn, *srv_dn, **srv_cn;
char *srv_cn_escaped = NULL, *printername_escaped = NULL;
LDAPMessage *res = NULL;
- struct user_auth_info *ai = c->auth_info;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
@@ -1609,9 +1611,8 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
nt_status = cli_full_connection(&cli, global_myname(), servername,
&server_ss, 0,
"IPC$", "IPC",
- get_cmdline_auth_info_username(ai),
- c->opt_workgroup,
- get_cmdline_auth_info_password(ai),
+ c->opt_user_name, c->opt_workgroup,
+ c->opt_password ? c->opt_password : "",
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
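Review bot: c->opt_password ? c->opt_password : "" quietly substitutes an empty password in the cli_full_connection() call when none was supplied, where the removed lines took the password from the shared auth_info. With CLI_FULL_CONNECTION_USE_KERBEROS that may be intended, but it should be stated in a comment; otherwise prompt with net_prompt_pass() as ads_startup does.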
@@ -1799,8 +1800,8 @@ static int net_ads_printer(struct net_context *c, int argc, const char **argv)
static int net_ads_password(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
- const char *auth_principal;
- const char *auth_password;
+ const char *auth_principal = c->opt_user_name;
+ const char *auth_password = c->opt_password;
char *realm = NULL;
char *new_password = NULL;
char *chr, *prompt;
@@ -1815,9 +1816,10 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
return 0;
}
- auth_principal = get_cmdline_auth_info_username(c->auth_info);
- set_cmdline_auth_info_getpass(c->auth_info);
- auth_password = get_cmdline_auth_info_password(c->auth_info);
+ if (c->opt_user_name == NULL || c->opt_password == NULL) {
+ d_fprintf(stderr, "You must supply an administrator username/password\n");
+ return -1;
+ }
if (argc < 1) {
d_fprintf(stderr, "ERROR: You must say which username to change password for\n");
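Review bot: the new check returns -1 with "You must supply an administrator username/password" whenever c->opt_password is NULL, so net ads password no longer prompts, and the password has to arrive through -U user%pass or the PASSWD environment variable, both of which expose it more widely than a terminal prompt. Suggest calling net_prompt_pass(c, c->opt_user_name) when only the password is missing, as the ads_startup hunk does, and keeping the error for the case where the prompt itself fails.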
@@ -1899,7 +1901,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
return -1;
}
- set_cmdline_auth_info_use_machine_account(c->auth_info);
+ net_use_krb_machine_account(c);
use_in_memory_ccache();
@@ -2281,7 +2283,6 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
int ret = -1;
- struct user_auth_info *ai = c->auth_info;
if (c->display_usage) {
d_printf("Usage:\n"
@@ -2295,11 +2296,11 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
--
Samba Shared Repository