[SCM] Samba Shared Repository - branch v3-5-stable updated

Karolin Seeger kseeger at samba.org
Fri Feb 19 05:50:24 MST 2010


The branch, v3-5-stable has been updated
       via  8096297... Fix bug #6557 - Do not work VFS full_audit
       via  f79c8cf... s3: Fix bug 7139 owner of file not available with kerberos.
       via  d4d84f4... WHATSNEW: Update changes.
       via  7363b08... cifs.upcall: allocate a talloc context for smb_krb5_unparse_name
      from  01c21d7... s3-docs: Document 'smbclient -C'. (cherry picked from commit f6c39cec27eea2522c62e6f1ff85efdafde351ac) (cherry picked from commit f6a7e9eadf85b19ec0ccca513a261bcad0bcf048)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -----------------------------------------------------------------
commit 8096297973d911f9736646a31773e38f79deadae
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Feb 17 10:11:57 2010 -0800

    Fix bug #6557 - Do not work VFS full_audit
    
    Re-arrange the operations order so SMB_VFS_CONNECT is done
    first as root (to allow modules to correctly initialize themselves).
    
    Reviewed modules to check if they needed CONNECT invoked as
    a user (which we previously did) and it turns out any of them
    that cared needed root permissions anyway.
    
    Jeremy.
    (cherry picked from commit 1d71d4b6b5f5fdf5caf9fed861c2032bb307a32f)

commit f79c8cff1494e9c6b5d02773727e735eed528bfb
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 16 23:29:48 2010 +0100

    s3: Fix bug 7139 owner of file not available with kerberos.
    
    To provide the user with the same SID when doing Kerberos logins, attempt to do
    a make_server_info_sam instead of a make_server_info_pw.
    (cherry picked from commit 45c634eafa2f398827f16345b56603b969964527)

commit d4d84f47fc26b564bcab00bbe1d2e68004fbade1
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 17 14:51:03 2010 +0100

    WHATSNEW: Update changes.
    
    Karolin
    (cherry picked from commit 3bb72e7f3e6be64011cabfd37866b29ffb0e18a4)

commit 7363b088c5bd41f6d3502c154ab45d87197f6943
Author: Jeff Layton <jlayton at redhat.com>
Date:   Tue Feb 16 09:16:42 2010 -0500

    cifs.upcall: allocate a talloc context for smb_krb5_unparse_name
    
    cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context.
    Older versions of this function though will conditionally use
    SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed
    in. To make it more consistent, just spawn a talloc context that
    we can pass into this function.
    
    Resolves:
    https://bugzilla.redhat.com/show_bug.cgi?id=565446
    https://bugzilla.samba.org/show_bug.cgi?id=6868
    
    Reported-by: Ludek Finstrle <luf at seznam.cz>
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Signed-off-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit a8cc2fa09ed43a167f62711bef363a5ac335dc78)
    
    Fix bug #6868 (make bin/cifs.upcall fails).
    (cherry picked from commit 01750852c1e9983b9d59a73d412101b4e0eb81a1)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |    4 ++++
 client/cifs.upcall.c     |    5 ++++-
 source3/smbd/service.c   |   35 ++++++++++++++++-------------------
 source3/smbd/sesssetup.c |   34 ++++++++++++++++++++++++++++++++--
 4 files changed, 56 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4c14ea2..8951071 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -163,6 +163,10 @@ o   Björn Jacke <bj at sernet.de>
     * Fix some wrong newlines in de translation strings.
 
 
+o   Jeff Layton <jlayton at redhat.com>
+    * BUG 6868: Fix crash bug in 'cifs.upcall'.
+
+
 o   Volker Lendecke <vl at samba.org>
     * BUG 7085: Fix an early release of the global lock that can cause data
       corruption in libtdb.
diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
index bfc70d1..42632a0 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -56,6 +56,7 @@ get_tgt_time(const char *ccname) {
 	krb5_principal principal;
 	time_t credtime = 0;
 	char *realm = NULL;
+	TALLOC_CTX *mem_ctx;
 
 	if (krb5_init_context(&context)) {
 		syslog(LOG_DEBUG, "%s: unable to init krb5 context", __func__);
@@ -87,9 +88,10 @@ get_tgt_time(const char *ccname) {
 		goto err_ccstart;
 	}
 
+	mem_ctx = talloc_init("cifs.upcall");
 	while (!credtime && !krb5_cc_next_cred(context, ccache, &cur, &creds)) {
 		char *name;
-		if (smb_krb5_unparse_name(NULL, context, creds.server, &name)) {
+		if (smb_krb5_unparse_name(mem_ctx, context, creds.server, &name)) {
 			syslog(LOG_DEBUG, "%s: unable to unparse name", __func__);
 			goto err_endseq;
 		}
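Review bot: The result of `talloc_init("cifs.upcall")` is used without a NULL check, so on allocation failure `smb_krb5_unparse_name` is again handed a NULL context, which is the case the commit message says older versions handle with SMB_REALLOC and which this change sets out to avoid. Add `if (mem_ctx == NULL) { syslog(LOG_DEBUG, "%s: unable to allocate talloc context", __func__); goto err_endseq; }` directly after the call; this assumes the credential-cache sequence is already open at that point, as the preceding `goto err_ccstart` suggests. Initialising the declaration in the first hunk as `TALLOC_CTX *mem_ctx = NULL;` would also keep the later `TALLOC_FREE(mem_ctx)` well defined if a jump to `err_endseq` is ever added ahead of the allocation. The body of get_tgt_time starts and ends outside this hunk.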
@@ -102,6 +104,7 @@ get_tgt_time(const char *ccname) {
 		TALLOC_FREE(name);
         }
 err_endseq:
+	TALLOC_FREE(mem_ctx);
         krb5_cc_end_seq_get(context, ccache, &cur);
 err_ccstart:
 	krb5_free_principal(context, principal);
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index d8ba4fe..572861a 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -652,7 +652,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 	fstring dev;
 	int ret;
 	char addr[INET6_ADDRSTRLEN];
-	bool on_err_call_dis_hook = false;
 	NTSTATUS status;
 
 	fstrcpy(dev, pdev);
@@ -887,6 +886,18 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 		return NULL;
 	}  
 
+	/* Invoke VFS make connection hook - must be the first
+	   VFS operation we do. */
+
+	if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+			    conn->server_info->unix_name) < 0) {
+		DEBUG(0,("make_connection: VFS make connection failed!\n"));
+		yield_connection(conn, lp_servicename(snum));
+		conn_free(conn);
+		*pstatus = NT_STATUS_UNSUCCESSFUL;
+		return NULL;
+	}
+
 	/*
 	 * Fix compatibility issue pointed out by Volker.
 	 * We pass the conn->connectpath to the preexec
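Review bot: The new comment says only that this must be the first VFS operation; it does not record that the connect hook now runs with root credentials, ahead of `change_to_user()`, which the commit message gives as the reason for the move. That contract matters to module authors, because a connect hook that opens or creates paths derived from the service or user name will now do so as root rather than as the connecting user. Suggest extending the comment to `/* Invoke VFS make connection hook as root - must be the first VFS operation we do. Modules must not assume the connecting user's credentials here. */`. make_connection_snum starts and ends outside this hunk.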
@@ -917,6 +928,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 		if (ret != 0 && lp_rootpreexec_close(snum)) {
 			DEBUG(1,("root preexec gave %d - failing "
 				 "connection\n", ret));
+			SMB_VFS_DISCONNECT(conn);
 			yield_connection(conn, lp_servicename(snum));
 			conn_free(conn);
 			*pstatus = NT_STATUS_ACCESS_DENIED;
@@ -928,6 +940,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 	if (!change_to_user(conn, conn->vuid)) {
 		/* No point continuing if they fail the basic checks */
 		DEBUG(0,("Can't become connected user!\n"));
+		SMB_VFS_DISCONNECT(conn);
 		yield_connection(conn, lp_servicename(snum));
 		conn_free(conn);
 		*pstatus = NT_STATUS_LOGON_FAILURE;
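Review bot: The added `SMB_VFS_DISCONNECT(conn);` runs straight after a failed `change_to_user()`, whereas the `err_root_exit` path in a later hunk calls `change_to_root_user()` before the disconnect hook. Whether the process is guaranteed to still be root when `change_to_user()` returns false is not visible here; if it can fail part-way, the disconnect hook would run under different credentials from the connect hook. Consider adding `change_to_root_user();` immediately before the new line, or a comment stating that a failed `change_to_user()` leaves credentials unchanged. The enclosing function continues outside this hunk.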
@@ -993,20 +1006,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 				lp_aio_write_behind(snum));
 	}
 	
-	/* Invoke VFS make connection hook - do this before the VFS_STAT call
-	   to allow any filesystems needing user credentials to initialize
-	   themselves. */
-
-	if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
-			    conn->server_info->unix_name) < 0) {
-		DEBUG(0,("make_connection: VFS make connection failed!\n"));
-		*pstatus = NT_STATUS_UNSUCCESSFUL;
-		goto err_root_exit;
-	}
-
-	/* Any error exit after here needs to call the disconnect hook. */
-	on_err_call_dis_hook = true;
-
 	status = create_synthetic_smb_fname(talloc_tos(), conn->connectpath,
 					    NULL, NULL, &smb_fname_cpath);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -1085,10 +1084,8 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
   err_root_exit:
 	TALLOC_FREE(smb_fname_cpath);
 	change_to_root_user();
-	if (on_err_call_dis_hook) {
-		/* Call VFS disconnect hook */
-		SMB_VFS_DISCONNECT(conn);
-	}
+	/* Call VFS disconnect hook */
+	SMB_VFS_DISCONNECT(conn);
 	yield_connection(conn, lp_servicename(snum));
 	conn_free(conn);
 	return NULL;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index addd386..1529166 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -485,10 +485,40 @@ static void reply_spnego_kerberos(struct smb_request *req,
 		}
 
 	} else {
-		ret = make_server_info_pw(&server_info, real_username, pw);
+		/*
+		 * We didn't get a PAC, we have to make up the user
+		 * ourselves. Try to ask the pdb backend to provide
+		 * SID consistency with ntlmssp session setup
+		 */
+		struct samu *sampass;
+
+		sampass = samu_new(talloc_tos());
+		if (sampass == NULL) {
+			ret = NT_STATUS_NO_MEMORY;
+			data_blob_free(&ap_rep);
+			data_blob_free(&session_key);
+			TALLOC_FREE(mem_ctx);
+			reply_nterror(req, nt_status_squash(ret));
+			return;
+		}
+
+		if (pdb_getsampwnam(sampass, real_username)) {
+			DEBUG(10, ("found user %s in passdb, calling "
+				   "make_server_info_sam\n", real_username));
+			ret = make_server_info_sam(&server_info, sampass);
+		} else {
+			/*
+			 * User not in passdb, make it up artificially
+			 */
+			TALLOC_FREE(sampass);
+			DEBUG(10, ("didn't find user %s in passdb, calling "
+				   "make_server_info_pw\n", real_username));
+			ret = make_server_info_pw(&server_info, real_username,
+						  pw);
+		}
 
 		if ( !NT_STATUS_IS_OK(ret) ) {
-			DEBUG(1,("make_server_info_pw failed: %s!\n",
+			DEBUG(1,("make_server_info_[sam|pw] failed: %s!\n",
 				 nt_errstr(ret)));
 			data_blob_free(&ap_rep);
 			data_blob_free(&session_key);
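Review bot: When `pdb_getsampwnam()` finds the user, the session identity is built from the passdb entry, but nothing in this hunk looks at that entry's account state, so it is unclear whether a passdb account marked disabled still gets a session once the Kerberos ticket has been accepted. If the KDC is meant to be the only authority, say so in the block comment, e.g. `/* passdb is consulted for SID/group consistency only; account state is decided by the KDC */`; otherwise check the account control flags before calling `make_server_info_sam()`. Which branch was taken is logged only at debug level 10, so normal logs will not show whether a session's SID came from passdb or from the `pw` fallback. reply_spnego_kerberos starts and ends outside this hunk.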


-- 
Samba Shared Repository

