[SCM] Samba Shared Repository - branch v3-3-stable updated

Karolin Seeger kseeger at samba.org
Wed Jan 13 06:02:40 MST 2010


The branch, v3-3-stable has been updated
       via  354e810... s3:pdb_ldap: restore Samba 3.0.x behavior and use the first "uid" value.
       via  a1c58a8... s3:smbldap: add smbldap_talloc_first_attribute()
       via  2dbe990... smbd: Fix opening the quota magic file
       via  191b247... s3:smbd: Fix bug 6696
       via  5f0f1ff... Second part of fix for bug 6696 - smbd 3.3.7 crashes (signal 11) in dns_register_smbd_reply. Restore the code from 3.2 that actually initializes the struct dns_reg_state handle. Jeremy. (cherry picked from commit b87c794f99d7909e907b1d115c317bebd55984ed)
       via  31d45ea... Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes"
       via  26bb48e... Prevent NULL dereference if group has no members
       via  ff8ab11... Fix bug 7005 - mangle method = hash truncates files with dot '. ' character
       via  9aab74e... Fix bug #6939 - mangling method = hash breaks long filenames.
       via  9eabcc6... Second part of fix for 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> File Attributes are returned as 0x220 for LANMAN2.1 dial
       via  a7b8557... s3 aclocal.m4: Fix iconv checks, clean up m4 code
       via  00b4f8e... s3: Fix a segfault in "net" version 3.3
       via  3a102a7... s3-kerberos: fix the build on Mac OS X 10.6.2.
       via  3fe9cd3... s3-kerberos: add a missing reference to authdata headers.
       via  88c822d... s3-kerberos: do not include authdata headers before including krb5 headers.
       via  d68c0dd... s3-kerberos: only use krb5 headers where required.
       via  e9d8462... s3-kerberos: Fix Bug #6929: build with recent heimdal.
       via  1114a6f... s3-kerberos: next step to resolve Bug #6929: build with recent heimdal.
       via  38454d8... s3-kerberos: add check for prerequisite krb5/krb5.h header while checking for krb5/locate_plugin.h.
       via  6e0d2b6... nsswitch: fix compile of winbind_krb5_locator with recent Heimdal versions.
       via  94eb5db... cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal as well as with MIT.
       via  d26bf9d... s3-build: really fix build of winbind_krb5_locator.
       via  794e898... nsswitch: fix the build of the winbind krb5 locator plugin.
       via  55bd846... cifs.upcall: Fix Bug #6868: support building with Heimdal as well as with MIT.
       via  31fd5b4... s3-kerberos: add smb_krb5_principal_get_realm().
       via  ff544dc... s3-kerberos: fix some build warnings when building against heimdal.
       via  749762a... kerberos: fix some heimdal build warnings.
       via  3a8c26e... s3: Fix shadow copy display on Windows 7
       via  db9df98... s3:docs: Fix typo in man mount.cifs.
       via  ef74f0f... s3:docs: Document "aio write behind".
       via  c343816... s3:docs: Document "ldap page size".
       via  1202fa7... s3:docs: Document "enable core files".
       via  0adc4fe... s3: Fix bug 6338 -- net rpc trustdom list always display "none" (cherry picked from commit ff9d20909cdce671d92f1d5cee1249db465efa9b)
       via  deec7b8... docs: Fix Bug 6922: Add Registry patchfile for Win7 domain join.
       via  93909d8... clikrb5: Prefer krb5_free_keytab_entry_contents to krb5_kt_free_entry.
       via  a52476b... s3:idmap_ldap: trim the " chars from the location string in idmap_ldap_db_init
       via  3e5e42d... s3: fixed krb5 build problem on ubuntu karmic
       via  00e8942... s3-rpc_client: make sure cli_rpc_pipe_open_schannel() does not always return NT_STATUS_OK.
       via  d38e82f... s3-rpc_client: protect rpc_pipe_np_smb_conn against a NULL struct rpc_pipe_client.
       via  40dfe4d... Second part of the fix for bug 6828 - infinite timeout occurs when byte lock held outside of samba. Fixes case where a connection with a pending lock can be marked "idle", and ensures that the lock queue timeout is always recalculated. Jeremy. (cherry picked from commit 31bb625273aac6e3e19f95465580b3bcb1885549)
       via  b16230c... Fix bug 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> File Attributes are returned as 0x220 for LANMAN2.1 dialect Jeremy. (cherry picked from commit f871ff6367b7bd1b49e8aab649f614fd511bfa6a)
       via  a3f264f... Fix bug 6880 - cannot list workgroup servers reported by Alban Browaeys <prahal at yahoo.com> with fix. Revert 2e989bab0764c298a2530a2d4c8690258eba210c with extra comments - this broke workgroup enumeration. Jeremy. (cherry picked from commit ed99189208b65bcc1a108c4f1a60c0535e75022c)
       via  835e7aa... Fix bug 6867 - trans2findnext returns reply_nterror(req, ntstatus) In a directory with a lot of files. Jeremy. (cherry picked from commit 92c618cf167b3e9b18db986b05b2c4188b57f882)
       via  f98f6d2... s3: Fix crash in pam_winbind, another reference to freed memory.
       via  26cc033... Fix bug 6829 - smbclient does not show special characters properly. All successful calls to cli_session_setup() *must* be followed by calls to cli_init_creds() to stash the credentials we successfully connected with. There were 2 codepaths where this was missing. This caused smbclient to be unable to open the \srvsvc pipe to do an RPC netserverenum, and cause it to fall back to a RAP netserverenum, which uses DOS codepage conversion rather than the full UCS2 of RPC, so the returned characters were not correct (unless the DOS codepage was set correctly). Phew. That was fun to track down :-). Includes logic simplification in libsmb_server.c Jeremy. (cherry picked from commit bbeda1398687b79596769a5d046e1e0f249bd382)
       via  b516f88... Fix bug 6828 - infinite timeout occurs when byte lock held outside of samba Jeremy. (cherry picked from commit 4fce98ce2578f4bc5063a766fdacbdd5f840e446)
       via  d935ac9... s3: Don't fail authentication when one or some group of require-membership-of is invalid.
       via  5df02f6... s3:packaging: Adapt directory name.
       via  835906f... cifs.upcall: do a brute-force search for KRB5 credcache
       via  3d9e22f... cifs.upcall: make using ip address conditional on new option
       via  157cc06... cifs.upcall: switch to getopt_long
       via  6472943... cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters
       via  ddbd5be... cifs.upcall: use ip address passed by kernel to get server's hostname
       via  4d2e71c... cifs.upcall: clean up flag handling
       via  41f47df... cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
       via  2f4d681... cifs.upcall: declare a structure for holding decoded args
       via  1876763... cifs.upcall: formatting cleanup
       via  7ec21d5... cifs.upcall: clean up logging and add debug messages
       via  098781a... Attempt to fix the build -- jlayton, please check! (cherry picked from commit 223bee1fc5f655adb61db603a5423c8bf4a5f582)
       via  b681b97... cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
       via  62a1d91... s3:winbind: Fix bug 6793 -- segfault in winbindd_pam_auth (cherry picked from commit 96b600d429561f3ea155ffcb51a87c0d74151f52)
       via  d36b9ec... s3/aio: Correctly handle aio_error() and errno.
       via  ba50cbc... Fix bug 6811 - pam_winbind references freed memory. s3: Fix reference to freed memory in pam_winbind. (cherry picked from commit 80c18ba49f4751dc104062de6a438f00a7afc39d)
       via  a2f126f... WHATSNEW: Start WHATSNEW for 3.3.10.
       via  53e2bb6... VERSION: Raise version number up to 3.3.10.
      from  bb9f768... WHATSNEW: Update changes.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -----------------------------------------------------------------
commit 354e8104e5d0beb1eea2883d7b010d168d55ada5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 5 13:30:42 2010 +0100

    s3:pdb_ldap: restore Samba 3.0.x behavior and use the first "uid" value.
    
    See bug #6157 for more details.
    
    metze
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 25806f43ddee7e2653e907eea2c6fcc075960fa1)

commit a1c58a8f96f0c5ede36e25a1c6aced175bec6a9d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 5 13:30:19 2010 +0100

    s3:smbldap: add smbldap_talloc_first_attribute()
    
    metze
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit c992127f8a96c37940a6d298c7c6859c47f83d9b)

commit 2dbe990fe492872d3a9e63cc1115e6f8b363faa1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 21 16:26:34 2009 +0100

    smbd: Fix opening the quota magic file
    
    This fixes bug #6642 and bug #6919.
    
    metze
    (cherry picked from commit c30bd2f2ac1c79a4c3893b2c28e0ba7997685c01)

commit 191b247bd3fc2c8644cbf7c36c7c5e9465674ada
Author: Timothy Miller <theosib at gmail.com>
Date:   Mon Sep 7 12:01:58 2009 +0200

    s3:smbd: Fix bug 6696
    
    smbd crashes when using mdns (not avahi) support
    (cherry picked from commit b6ce8928e88d92c5a5d703b52e6dc95a5c79d732)

commit 5f0f1fff7552254023a712daacd40faacb35130e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 8 17:22:39 2009 -0700

    Second part of fix for bug 6696 - smbd 3.3.7 crashes (signal 11) in dns_register_smbd_reply. Restore the code from 3.2 that actually initializes the struct dns_reg_state handle. Jeremy.
    (cherry picked from commit b87c794f99d7909e907b1d115c317bebd55984ed)

commit 31d45ea2091222fac27b82df7e69fdd5bbe375d6
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 8 10:24:34 2010 -0800

    Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes"
    
    This bug re-occurred for 3.3.x and above.
    
    The reason is that to change a NT ACL we now have to open the file requesting
    WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
    in posix_acls doesn't add these bits when "dos filemode = yes", so even though
    the permission or owner change would be allowed by the POSIX ACL code, the
    NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
    first.
    
    Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.
    
    Jeremy.
    (cherry picked from commit 9bd957580360ed7a0f98b02d1e03d7fcaf8a878e)

commit 26bb48ec4d14addbf915d80bbec5656dc0fff155
Author: Jim McDonough <jmcd at samba.org>
Date:   Wed Dec 30 18:19:46 2009 -0800

    Prevent NULL dereference if group has no members
    
    Fix bug #7014 (domain mode winbind crashes retrieving empty group members).
    (cherry picked from commit 5fd32614f147a045aaee30ed9cf62e42ac6e30d8)

commit ff8ab11dacb7e4f4c2cba76af46de88f24336309
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 21 21:16:15 2009 -0800

    Fix bug 7005 - mangle method = hash truncates files with dot '. ' character
    
    Don't change the contents of a const string via a pointer
    alias (or if you do, change it back.....).
    
    Jeremy.
    (cherry picked from commit e3be5ddae764fae7ff4a3ef502e8461d0535bdc5)

commit 9aab74eaca37b49ad9453d64ede85651f56280b6
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 17 16:36:53 2009 -0800

    Fix bug #6939 - mangling method = hash breaks long filenames.
    
    We were returning the wrong sense of the bool. must_mangle()
    has to return !NT_STATUS_IS_OK, not NT_STATUS_IS_OK.
    
    Jeremy.
    (cherry picked from commit f249d2d5893a3f8494e43fd1a805c78cee8eeec5)

commit 9eabcc653730418c9910635218c93b7fad1ecd3a
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 15 18:38:06 2009 -0800

    Second part of fix for 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> File Attributes are returned as 0x220 for LANMAN2.1 dial
    
    Ensure dos_mode can return FILE_ATTRIBUTE_NORMAL, then filter the returned attributes by protocol level.
    This makes us consistent in returning DOS attrs across all replies. Tested on OS/2 by Günter Kukkukk.
    Jeremy.
    (cherry picked from commit b53ee9ffe9d265e254a2c0b11bfcd7e6314ab13f)

commit a7b85574f8558f8da438afc0a6f6a369deddb97a
Author: Kai Blin <kai at samba.org>
Date:   Fri Dec 4 09:47:25 2009 +0100

    s3 aclocal.m4: Fix iconv checks, clean up m4 code
    
    The check for iconv requiring giconv.h and libgiconv as well as
    the check for iconv requiring biconv.h and libbiconv were using the wrong
    variable to check for previous successful test results. This caused the checks
    to always fall back to libbiconv on systems where that library was available.
    
    In the course of fixing this, I had to clean up the indentation in that piece of
    code, and I also rewrote/added some comments.
    
    Many thanks to Tsurutani Naoki <turutani at scphys.kyoto-u.ac.jp> for the initial
    patch and diagnosis.
    (cherry picked from commit f5aff324cb9d965bbc75634596c3c40ffc588183)
    
    Fix bug #4832 (iconv library is not used).
    (cherry picked from commit a706038680ffcc3124b5e476810bffb1f7578c06)

commit 00b4f8eb86ede7728fc6f1c20d89de08f6b98f0c
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 7 22:35:35 2009 +0100

    s3: Fix a segfault in "net" version 3.3
    
    When neither LOGNAME nor -U is set, "net" and probably other client utils
    segfault. Reported by "vinnix" on irc.
    
    Volker
    
    Fix bug #6973 (segfault in client tools).
    (cherry picked from commit 6aa17a7b82333de674274045f574bf6c0ce72638)

commit 3a102a75700c26c54ccf7801ef91d0db47550ae8
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 27 20:08:44 2009 +0100

    s3-kerberos: fix the build on Mac OS X 10.6.2.
    
    Guenther
    (cherry picked from commit 51328a7056918bc75a7c1c442f47cf0271075542)
    (cherry picked from commit 0a165844459eb0e04fa14a33f338c80669e3a92c)

commit 3fe9cd3829532734c2cdaf8edd717acba1e8fa8c
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 27 18:51:56 2009 +0100

    s3-kerberos: add a missing reference to authdata headers.
    
    Guenther
    (cherry picked from commit da79cbb0800dd647be864e8bbb5fe1132708174b)
    (cherry picked from commit 9acd2394edf2504df23d0ce93f4bafc88c83323b)

commit 88c822d56294c49859d8858075273de60729f7ed
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 27 18:30:18 2009 +0100

    s3-kerberos: do not include authdata headers before including krb5 headers.
    
    Guenther
    (cherry picked from commit 9329564e44a1432251acb7f0afaf1bd04b8cb957)

commit d68c0ddaa442ec9e40a192d0b399109fc9b2d511
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 27 15:52:57 2009 +0100

    s3-kerberos: only use krb5 headers where required.
    
    This seems to be the only way to deal with mixed heimdal/MIT setups during
    merged build.
    
    Guenther
    (cherry picked from commit 60262369fc2ae19f6d9263e35b5db9b09b603a1b)

commit e9d846263b692c47550fc0ae0dbdf073886934bf
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 27 01:06:36 2009 +0100

    s3-kerberos: Fix Bug #6929: build with recent heimdal.
    
    Heimdal changed the KRB5_DEPRECATED define (which now may not take an identifier
    for activation) in new releases (like 1.3.1).
    
    Guenther
    (cherry picked from commit 1a8f8382740e352a83133b8c49aaedd4716210cd)
    (cherry picked from commit a6572bb03fcd323ce03b22ccd713181235f3b0e6)

commit 1114a6f46d645e674ea362a771beb8498ba79855
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 26 10:15:45 2009 +0100

    s3-kerberos: next step to resolve Bug #6929: build with recent heimdal.
    
    Based on patch from Allan <allan at archlinux.org>.
    
    Also should fix the FreeBSD build on the buildfarm.
    
    Guenther
    (cherry picked from commit 5b3a32be97a37c119e837bdee8f049684565458c)
    (cherry picked from commit d89231e76c618c5d10244ed4bec68dac8fa9cb3c)

commit 38454d893f5b96880168c4040539fa25db334a3f
Author: Günther Deschner <gd at samba.org>
Date:   Wed Nov 25 21:33:48 2009 +0100

    s3-kerberos: add check for prerequisite krb5/krb5.h header while checking for krb5/locate_plugin.h.
    
    (Needed for new Heimdal versions).
    
    Guenther
    (cherry picked from commit c438b2b3923db66672ec82e795eef543de5fcb8a)
    (cherry picked from commit e5592560bb8f90446bd8cbe8019663cbf00e22ab)

commit 6e0d2b6110f8bc9ccf1175b19cecff7c597e169b
Author: Günther Deschner <gd at samba.org>
Date:   Wed Nov 25 15:21:54 2009 +0100

    nsswitch: fix compile of winbind_krb5_locator with recent Heimdal versions.
    
    Guenther
    (cherry picked from commit 51864219cc12ceb66c281355f3e1191d5e32842d)
    (cherry picked from commit dff3d01119c91fbdac613508c64f3f8fc0b8a413)

commit 94eb5db77ff9a94b4899a056278309d42797de6d
Author: Günther Deschner <gd at samba.org>
Date:   Wed Nov 25 15:06:19 2009 +0100

    cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal as well as with MIT.
    
    Guenther
    (cherry picked from commit 660ee2e74523194e5f6b2b6428d76628beb74717)
    (cherry picked from commit 1d5af511dd6f88d211b6c63b1e2d9d7ec97b03ad)

commit d26bf9d27fc485a5c6835db86d815725b2aaa49e
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 19 13:44:33 2009 +0100

    s3-build: really fix build of winbind_krb5_locator.
    
    Guenther
    (cherry picked from commit fc9f199f2619635f73e8ee7f3b5359521d63f325)
    (cherry picked from commit 3aaec6a346a88b732e66796514bc21e47c23e850)

commit 794e8985f38f218fc81540de87a84ea2c74696d6
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:44:44 2009 +0200

    nsswitch: fix the build of the winbind krb5 locator plugin.
    
    Guenther
    (cherry picked from commit b9d9353b548d9b2ab684aa171f511174e6414762)
    (cherry picked from commit 087c41e390b8be513016ca29a96d1702b0d03587)

commit 55bd846f208c536cf8bbe7e0da27558147e60364
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 12 00:52:38 2009 +0100

    cifs.upcall: Fix Bug #6868: support building with Heimdal as well as with MIT.
    
    Guenther
    (cherry picked from commit b29eed492f1c056adb0b53510be10e738276ca11)
    (cherry picked from commit cca1f7a80317e09208a9e56ff2744b113e0dfbc5)

commit 31fd5b4df941ab43067f8251c05a93153e866365
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 12 00:51:46 2009 +0100

    s3-kerberos: add smb_krb5_principal_get_realm().
    
    Guenther
    (cherry picked from commit bddafc6de8e37e014d7f074b6107dda6f76ebdc5)

commit ff544dc50d132eebb5e7e7d58285a7bd297decae
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 6 10:25:53 2009 +0100

    s3-kerberos: fix some build warnings when building against heimdal.
    
    Guenther
    (cherry picked from commit 6664d015c986946c509f4f8d3524f84fb2f34ff1)

commit 749762a7f809cac50c01a922b58289dee6a7279e
Author: Günther Deschner <gd at samba.org>
Date:   Thu Oct 9 11:05:42 2008 +0200

    kerberos: fix some heimdal build warnings.
    
    Guenther
    (cherry picked from commit ce1bea7d692dcf09faafa0941c15313d0d75a9c8)

commit 3a8c26e832057486f923c1d1f1bfd6da71559dd4
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Oct 8 14:02:39 2009 +0200

    s3: Fix shadow copy display on Windows 7
    
    Windows 7 is a bit more picky on our NT_STATUS_BUFFER_TOO_SMALL. Announce the
    right buffer size, the same amount we later check for.
    
    Fix bug #6850 (Shadow Copy Support for VISTA / Windows 7).
    (cherry picked from commit dc3d1f2f073f135bf48a08163010465ba88b9d37)

commit db9df986d4603a2e034625be3ed9720df6843c0a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 30 14:53:23 2009 +0100

    s3:docs: Fix typo in man mount.cifs.
    
    Fix bug #6844 (wrong credential file format in mount.cifs manpage).
    Thanks to the Debian Samba package maintainers for reporting!
    
    Karolin
    (cherry picked from commit 3b7f8a759f57f32a8c1bc2db85236e88f616ffd9)
    (cherry picked from commit 54e2e0ae51e2e126696570104ed64d0458beb4ce)
    (cherry picked from commit dbe41dce7491df93a26bb0f4bd2a33b53fe90188)
    (cherry picked from commit 04fa292f6e7948c10da378ca4b8a741324478008)

commit ef74f0f9b14736d9c134a0bb54f2e1ae91c4d616
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 30 13:34:34 2009 +0100

    s3:docs: Document "aio write behind".
    
    Part of a fix for bug #6890 (Some smb.conf parameters are undocumented).
    
    Karolin
    (cherry picked from commit fde7c2ab19bc7442d8ee9d85ab2fe54e0cfb4782)
    (cherry picked from commit 267ebc03b43dd8c11f5aebf341620b0d94d95135)
    (cherry picked from commit 93bbbd3cc776e4aa69239cb086067ec953fc8c8e)
    (cherry picked from commit 65a3f18ccd9aa8b4ec31e9e7e5465631ee53afca)

commit c3438160e758f5c1fc3c8b4e33aeccb99e825ffa
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 30 12:29:27 2009 +0100

    s3:docs: Document "ldap page size".
    
    Part of a fix for bug #6890 (Some smb.conf parameters are undocumented).
    
    Karolin
    (cherry picked from commit 9478ec35b5349f50a61bbe2aa88af88577918e91)
    (cherry picked from commit 940121d666b9e0645584c93db178b763ac5c8c04)
    (cherry picked from commit a1d8a6127448fbdc25d1d87a2541a2ea8e430e17)
    (cherry picked from commit eeea76ff150964c7b6db87fb670dbfd1ae68608e)

commit 1202fa7d999616ce041b9f14a982602d67328d60
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 30 11:40:06 2009 +0100

    s3:docs: Document "enable core files".
    
    Part of a fix for bug #6890 (Some smb.conf parameters are undocumented).
    
    Karolin
    (cherry picked from commit b03ad70848e6ea889f382c0cb9f21057370f1ab6)
    (cherry picked from commit 15f7b70b0e6b6bd2604255cff1c351bb0425e9f3)
    (cherry picked from commit 5832bc1c5896b391131952a06013154cbdafe3f9)
    (cherry picked from commit f83733838bf94348c98dbc724d86c9021053639b)

commit 0adc4feb774eb6df0608a8bbb1f57eef5d55a0b4
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Nov 22 22:38:45 2009 +0100

    s3: Fix bug 6338 -- net rpc trustdom list always display "none"
    (cherry picked from commit ff9d20909cdce671d92f1d5cee1249db465efa9b)

commit deec7b8d777ebcfdda5ed84bbdd522fca02633c1
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 24 11:36:14 2009 +0100

    docs: Fix Bug 6922: Add Registry patchfile for Win7 domain join.
    
    Patchfile from SATOH Fumiyasu <fumiyas at osstech.co.jp>.
    
    Thanks!
    
    Guenther
    (cherry picked from commit 95d0f0aab01fdd751841d57cebe6150cd6fdf80c)
    (cherry picked from commit 91deb46d6a4dc1e5290e816c40925598e2c6ded9)

commit 93909d8a4e517a779ea73d9102a3b34e7202d6b5
Author: Jelmer Vernooij <jelmer at samba.org>
Date:   Thu Jun 4 23:43:31 2009 +0200

    clikrb5: Prefer krb5_free_keytab_entry_contents to krb5_kt_free_entry.
    
    Both functions exist in MIT Kerberos >= 1.7, but only
    krb5_free_keytab_entry_contents has a prototype.
    
    Part of a fix for bug #6918 (Build breaks with krb5-client-1.7-6.1.i586).
    (cherry picked from commit f7f183aba2c53426620bab7e934ce79b516dc4fc)

commit a52476b2beb464ccb33f4ce263ab061885bcc5f4
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 20 12:44:43 2009 +0100

    s3:idmap_ldap: trim the " chars from the location string in idmap_ldap_db_init
    
    Fix bug #6910 (idmap_ldap stumbles over idmap backend = ldap:"ldap://ldap1
    ldap://ldap2").
    
    When idmap backend is specified as
    idmap backend = ldap:"ldap://server1 ldap://server2"
    then currently "ldap://server1 ldap://server2" was passed to
    ldap_initialize including the quotes, leading to an ldap error.
    
    Michael
    (cherry picked from commit 67f1d0ac6edecec4efb100ae61bc23bd321f518f)

commit 3e5e42dd3fcefb481fc2d3fd71f9ca5fd0b1aa03
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Oct 16 10:40:50 2009 +1100

    s3: fixed krb5 build problem on ubuntu karmic
    
    Karmic has MIT krb5 1.7-beta3, which has the symbol
    krb5_auth_con_set_req_cksumtype but no prototype for it.
    
    See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531635
    (cherry picked from commit a6e4cb500b4162cae1d906a1762507370b4ee89e)
    
    Part of a fix for bug #6918.
    (cherry picked from commit fbaed41c8f583f633673aca2f600c517744d28b5)

commit 00e8942b330972bcf2e611571b3ad0cbdd6c8191
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 10 13:10:12 2009 +0100

    s3-rpc_client: make sure cli_rpc_pipe_open_schannel() does not always return NT_STATUS_OK.
    
    Guenther
    
    Part of a fix for bug #6697.
    And hopefully a fix for bug #6889.
    (cherry picked from commit b6f1eced1f88b747c4cc8077ebf6bf4370100e09)

commit d38e82fc78d6008a4c0ee7407296494d3fc5098b
Author: Günther Deschner <gd at samba.org>
Date:   Tue Nov 10 11:04:08 2009 +0100

    s3-rpc_client: protect rpc_pipe_np_smb_conn against a NULL struct rpc_pipe_client.
    
    Guenther
    
    Part of a fix for bug #6697.
    (cherry picked from commit 1fe281e25708b999a3e9ef1d5808a79995fbb438)

commit 40dfe4df2002d9d852dcb3a3dfe7c719336ea7bd
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 27 11:55:34 2009 -0700

    Second part of the fix for bug 6828 - infinite timeout occurs when byte lock held outside of samba. Fixes case where a connection with a pending lock can be marked "idle", and ensures that the lock queue timeout is always recalculated. Jeremy.
    (cherry picked from commit 31bb625273aac6e3e19f95465580b3bcb1885549)

commit b16230c603cb21d24e150ac04f868def227bc934
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 6 14:10:49 2009 -0800

    Fix bug 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> File Attributes are returned as 0x220 for LANMAN2.1 dialect Jeremy.
    (cherry picked from commit f871ff6367b7bd1b49e8aab649f614fd511bfa6a)

commit a3f264ffd954e596c7bb732341435729735f50ab
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Nov 9 12:41:13 2009 -0800

    Fix bug 6880 - cannot list workgroup servers reported by Alban Browaeys <prahal at yahoo.com> with fix. Revert 2e989bab0764c298a2530a2d4c8690258eba210c with extra comments - this broke workgroup enumeration. Jeremy.
    (cherry picked from commit ed99189208b65bcc1a108c4f1a60c0535e75022c)

commit 835e7aac96eec5e9d8d6b58ece7687f5fa73e3c5
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Nov 2 13:51:27 2009 -0800

    Fix bug 6867 - trans2findnext returns reply_nterror(req, ntstatus) In a directory with a lot of files. Jeremy.
    (cherry picked from commit 92c618cf167b3e9b18db986b05b2c4188b57f882)

commit f98f6d210acc552ac35598950c250e8b87c7cc76
Author: Bo Yang <boyang at samba.org>
Date:   Sat Oct 24 10:55:36 2009 +0800

    s3: Fix crash in pam_winbind, another reference to freed memory.
    
    Fix bug #6840.
    
    Signed-off-by: Bo Yang <boyang at samba.org>
    (cherry picked from commit 1791b1cc43ce744c73b473aff0e311acbdf0ee4e)

commit 26cc0331a3776d5b4ec9e4e5a65211968d3598b7
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 22 15:35:59 2009 -0700

    Fix bug 6829 - smbclient does not show special characters properly. All successful calls to cli_session_setup() *must* be followed by calls to cli_init_creds() to stash the credentials we successfully connected with. There were 2 codepaths where this was missing. This caused smbclient to be unable to open the \srvsvc pipe to do an RPC netserverenum, and cause it to fall back to a RAP netserverenum, which uses DOS codepage conversion rather than the full UCS2 of RPC, so the returned characters were not correct (unless the DOS codepage was set correctly). Phew. That was fun to track down :-). Includes logic simplification in libsmb_server.c Jeremy.
    (cherry picked from commit bbeda1398687b79596769a5d046e1e0f249bd382)

commit b516f88218b83f3ed222ae78f6546aeab0960ea5
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 20 18:17:19 2009 -0700

    Fix bug 6828 - infinite timeout occurs when byte lock held outside of samba Jeremy.
    (cherry picked from commit 4fce98ce2578f4bc5063a766fdacbdd5f840e446)

commit d935ac91bce2d46f3dd9f9297e1fa1045d5b4b79
Author: Bo Yang <boyang at samba.org>
Date:   Tue Oct 20 02:23:36 2009 +0800

    s3: Don't fail authentication when one or some group of require-membership-of is invalid.
    
    Signed-off-by: Bo Yang <boyang at samba.org>
    
    Fix bug #6826.
    (cherry picked from commit 74b861908edc427d57928a7af0aa7ffd5fdb8d5a)

commit 5df02f641b011c8bf35ea456e154ec6965e4dbff
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Oct 16 16:06:17 2009 +0200

    s3:packaging: Adapt directory name.
    
    Karolin
    (cherry picked from commit 606ec3a311067377ec3d633ee23155f6800dc73f)

commit 835906f3985cd9ea5f63d23e284b88a05145d9b5
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:06:23 2009 -0400

    cifs.upcall: do a brute-force search for KRB5 credcache
    
    A few weeks ago, I added some code to cifs.upcall to take the pid sent
    by the kernel and use that to get the value of the $KRB5CCNAME
    environment var for the process. That works fine on the initial mount,
    but could be problematic on reconnect.
    
    There's no guarantee on a reconnect that the process that initiates the
    upcall will have $KRB5CCNAME pointed at the correct credcache. Because
    of this, the current scheme isn't going to be reliable enough and we
    need to use something different.
    
    This patch replaces that scheme with one very similar to the one used by
    rpc.gssd in nfs-utils. It searches the credcache dir (currently
    hardcoded to /tmp) for a valid credcache for the given uid. If it finds
    one then it uses that as the credentials cache. If it finds more than
    one, it uses the one with the latest TGT expiration.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    
    Addresses bug #6810.
    (cherry picked from commit 6eacb25d736d47e1b4572aec5a143b15fbed619e)

commit 3d9e22f284e2988c6ba78b11dac02d208baf2d00
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:06:21 2009 -0400

    cifs.upcall: make using ip address conditional on new option
    
    Igor Mammedov pointed out that reverse resolving an IP address to get
    the hostname portion of a principal could open a possible attack
    vector. If an attacker were to gain control of DNS, then he could
    redirect the mount to a server of his choosing, and fix the reverse
    resolution to point to a hostname of his choosing (one where he has
    the key for the corresponding cifs/ or host/ principal).
    
    That said, we often trust DNS for other reasons and it can be useful
    to do so. Make the code that allows trusting DNS to be enabled by
    adding --trust-dns to the cifs.upcall invocation.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 6aa0f05509ec1b8578021051f83627f4ca296ef8)

commit 157cc06bbdcfca861e2bf30a0532d6060cd82265
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:06:20 2009 -0400

    cifs.upcall: switch to getopt_long
    
    ...to allow long option names.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 8fed5de25979654baf1c62b0346c725b9c6b6866)

commit 6472943d242ad347ce48ec69d838606c3d759e42
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:06:19 2009 -0400

    cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters
    
    Current kernels don't send IPv6 addresses with the colon delimiters, add
    a routine to add them when they're not present.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 177e5437a75267fdfce8ba693f039a10344e5974)

commit ddbd5be71987a446a24c49f68075b6c645539e4f
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:06:18 2009 -0400

    cifs.upcall: use ip address passed by kernel to get server's hostname
    
    Instead of using the hostname given by the upcall to get the server's
    principal, take the IP address given in the upcall and reverse resolve
    it to a hostname.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit ff1b2c8725e21ed7fc944020a1c1cc12a80a9bec)

commit 4d2e71c4f6d31c0032b39b92d814ec4dfe074db3
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:58 2009 -0400

    cifs.upcall: clean up flag handling
    
    Add a new stack var to hold the flags returned by the decoder routine
    so that we don't need to worry so much about preserving "rc".
    
    With this, we can drop privs before trying to find the location of
    the credcache.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit fe57399ac4ddbdc601871579478b996cfc85fcee)

commit 41f47df8c811b04657b20a75e5d6868e92b7632b
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:56 2009 -0400

    cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
    
    cifs.upcall takes a "-c" flag that tells the upcall to get a principal
    in the form of "cifs/hostname.example.com at REALM" instead of
    "host/hostname.example.com at REALM". This has turned out to be a source of
    great confusion for users.
    
    Instead of requiring this flag, have the upcall try to get a "cifs/"
    principal first. If that fails, fall back to getting a "host/"
    principal.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit e919c3ac1229eae35614b92a9daebc71e770ca1b)

commit 2f4d681e867e4ee1a3f9d0357045eb4f0e0ae686
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:55 2009 -0400

    cifs.upcall: declare a structure for holding decoded args
    
    The argument list for the decoder is becoming rather long. Declare an
    args structure and use that for holding the args. This also simplifies
    pointer handling a bit.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 0b516e8e9e5b1c4b2ab32b27c37ec708d6afd5d2)

commit 1876763728a74f98033be32d439b09ad22a25dbf
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:54 2009 -0400

    cifs.upcall: formatting cleanup
    
    Clean up some unneeded curly braces, and fix some indentation.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 56de963329bed9a06d27d70dad1d6a21f5f9213a)

commit 7ec21d593518b0116a7674a217ac9d119a9bf05e
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:53 2009 -0400

    cifs.upcall: clean up logging and add debug messages
    
    Change the log levels to be more appropriate to the messages being
    logged. Error messages should be LOG_ERR and not LOG_WARNING, for
    instance.
    
    Add some LOG_DEBUG messages that we can use to diagnose problems with
    krb5 upcalls. With these, someone can set up syslog to log daemon.debug
    and should be able to get more info when things aren't working.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit e9b932b242cac1061a19da9421b515cacf6c631b)

commit 098781a405af31e4bd8a6fc3ffaebc652f075f98
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Oct 14 11:04:52 2009 -0400

    Attempt to fix the build -- jlayton, please check!
    (cherry picked from commit 223bee1fc5f655adb61db603a5423c8bf4a5f582)

commit b681b97e7182dcfe6a6dc13271ccfec6e5d1a493
Author: Jeff Layton <jlayton at redhat.com>
Date:   Wed Oct 14 11:04:50 2009 -0400

    cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
    
    If the kernel sends the upcall a pid of the requesting process, we can
    open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME
    value out of it.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 9ecd9e7dbd6f5f6a07614084207b4891a93ca79b)

commit 62a1d9101cf0c2d45f81ba703cfdef5f42006b3f
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Oct 14 11:37:10 2009 -0700

    s3:winbind: Fix bug 6793 -- segfault in winbindd_pam_auth
    (cherry picked from commit 96b600d429561f3ea155ffcb51a87c0d74151f52)

commit d36b9ecc4a7f354a00a6c26eeeb3c0eaf0aefccb
Author: Olaf Flebbe <o.flebbe at science-computing.de>
Date:   Tue Oct 13 16:49:21 2009 -0700

    s3/aio: Correctly handle aio_error() and errno.
    
    Fix bug #6805.
    (cherry picked from commit 4a6a623affe9e055340fee51d10bc321e175a31b)

commit ba50cbc623153911d374695613c5c6d6fba6bf17
Author: Bo Yang <boyang at samba.org>
Date:   Wed Oct 14 12:47:49 2009 -0700

    Fix bug 6811 - pam_winbind references freed memory. s3: Fix reference to freed memory in pam_winbind.
    (cherry picked from commit 80c18ba49f4751dc104062de6a438f00a7afc39d)

commit a2f126feb1d2c262826fcf9c97810d5eed9aaba8
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Oct 15 12:43:47 2009 +0200

    WHATSNEW: Start WHATSNEW for 3.3.10.
    
    Karolin
    (cherry picked from commit 1b2536765b8678ac27c213244b4b301b142a17bd)

commit 53e2bb6e18b2a11b70b87c5750c6e5ee651a380a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Oct 15 12:40:37 2009 +0200

    VERSION: Raise version number up to 3.3.10.
    
    Karolin
    (cherry picked from commit 6147260f3d258d58f71f3bf32717d50419c68a9e)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                  |   48 +++-
 docs-xml/manpages-3/cifs.upcall.8.xml         |   19 +-
 docs-xml/manpages-3/mount.cifs.8.xml          |    2 +-
 docs-xml/registry/Win7_Samba3DomainMember.reg |  Bin 0 -> 424 bytes
 docs-xml/smbdotconf/base/enablecorefiles.xml  |   15 +
 docs-xml/smbdotconf/ldap/ldappagesize.xml     |   18 +
 docs-xml/smbdotconf/tuning/aiowritebehind.xml |   23 ++
 packaging/RHEL/makerpms.sh.tmpl               |    4 +-
 source/Makefile.in                            |    2 +-
 source/VERSION                                |    2 +-
 source/client/cifs.upcall.c                   |  489 +++++++++++++++++++------
 source/configure.in                           |   27 ++-
 source/include/ads.h                          |   59 ---
 source/include/includes.h                     |  138 +-------
 source/include/krb5_protos.h                  |  146 ++++++++
 source/include/smb_krb5.h                     |   78 ++++
 source/include/smbldap.h                      |    3 +
 source/lib/smbldap.c                          |   34 ++
 source/libads/ads_status.c                    |    1 +
 source/libads/authdata.c                      |    3 +
 source/libads/kerberos.c                      |    5 +-
 source/libads/kerberos_keytab.c               |    1 +
 source/libads/kerberos_verify.c               |    1 +
 source/libads/krb5_errs.c                     |    1 +
 source/libads/krb5_setpw.c                    |    9 +-
 source/libnet/libnet_keytab.h                 |    2 +
 source/libsmb/cliconnect.c                    |    1 +
 source/libsmb/clidfs.c                        |    3 +
 source/libsmb/clientgen.c                     |    2 +-
 source/libsmb/clikrb5.c                       |   50 +++-
 source/libsmb/libsmb_dir.c                    |   19 +-
 source/libsmb/libsmb_server.c                 |    2 +
 source/m4/aclocal.m4                          |   57 ++--
 source/nsswitch/pam_winbind.c                 |   42 ++-
 source/nsswitch/winbind_krb5_locator.c        |    5 +
 source/passdb/pdb_ldap.c                      |    2 +-
 source/rpc_client/cli_pipe.c                  |    8 +-
 source/smbd/aio.c                             |   61 ++--
 source/smbd/blocking.c                        |   35 +-
 source/smbd/dnsregister.c                     |    2 +-
 source/smbd/dosmode.c                         |   26 ++
 source/smbd/mangle_hash.c                     |   14 +-
 source/smbd/nttrans.c                         |    2 +-
 source/smbd/posix_acls.c                      |    3 +
 source/smbd/reply.c                           |   15 +-
 source/smbd/server.c                          |    6 +
 source/smbd/trans2.c                          |   43 +--
 source/utils/net_rpc.c                        |   28 +-
 source/utils/ntlm_auth.c                      |    1 +
 source/winbindd/idmap_ldap.c                  |    2 +
 source/winbindd/winbindd_cred_cache.c         |    2 +
 source/winbindd/winbindd_pam.c                |   17 +-
 source/winbindd/winbindd_rpc.c                |    8 +-
 53 files changed, 1106 insertions(+), 480 deletions(-)
 create mode 100644 docs-xml/registry/Win7_Samba3DomainMember.reg
 create mode 100644 docs-xml/smbdotconf/base/enablecorefiles.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldappagesize.xml
 create mode 100644 docs-xml/smbdotconf/tuning/aiowritebehind.xml
 create mode 100644 source/include/krb5_protos.h
 create mode 100644 source/include/smb_krb5.h


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2d4262c..0285af8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,47 @@
+                   ==============================
+                   Release Notes for Samba 3.3.10
+		          2009
+                   ==============================
+
+
+This is the latest bugfix release of the Samba 3.3 series.
+
+Major enhancements in Samba 3.3.10 include:
+
+   o
+
+######################################################################
+Changes
+#######
+
+Changes since 3.3.9
+-------------------
+
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 3.3.9
 		         October, 15  2009
@@ -108,8 +152,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 3.3.8
diff --git a/docs-xml/manpages-3/cifs.upcall.8.xml b/docs-xml/manpages-3/cifs.upcall.8.xml
index 9782987..a60dd9d 100644
--- a/docs-xml/manpages-3/cifs.upcall.8.xml
+++ b/docs-xml/manpages-3/cifs.upcall.8.xml
@@ -19,8 +19,8 @@
 <refsynopsisdiv>
         <cmdsynopsis>
                 <command>cifs.upcall</command>
-                <arg choice="opt">-c</arg>
-                <arg choice="opt">-v</arg>
+                <arg choice="opt">--trust-dns|-t</arg>
+                <arg choice="opt">--version|-v</arg>
                 <arg choice="req">keyid</arg>
         </cmdsynopsis>
 </refsynopsisdiv>
@@ -48,12 +48,17 @@ to be run that way.</para>
 	<variablelist>
 		<varlistentry>
 		<term>-c</term>
-		<listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal.
+		<listitem><para>This option is deprecated and is currently ignored.
+		</para></listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>--trust-dns|-t</term>
+		<listitem><para>With krb5 upcalls, the name used as the host portion of the service principal defaults to the hostname portion of the UNC. This option allows the upcall program to reverse resolve the network address of the server in order to get the hostname.</para>
+		<para>This is less secure than not trusting DNS. When using this option, it's possible that an attacker could get control of DNS and trick the client into mounting a different server altogether. It's preferable to instead add server principals to the KDC for every possible hostname, but this option exists for cases where that isn't possible. The default is to not trust reverse hostname lookups in this fashion.
 		</para></listitem>
 		</varlistentry>
-
 		<varlistentry>
-		<term>-v</term>
+		<term>--version|-v</term>
 		<listitem><para>Print version number and exit.
 		</para></listitem>
 		</varlistentry>
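Review bot: the --trust-dns paragraph gives the risk only as "an attacker could get control of DNS", which omits the second precondition an admin needs in order to judge exposure. The commit message is more exact: the attacker must also hold the key for the cifs/ or host/ principal of the hostname that the reverse lookup returns. Suggest stating that here. Since -c is kept as a deprecated entry while the synopsis no longer lists it, the -c entry could also say what replaced it (cifs/ is tried first, with a fallback to host/), so readers of old request-key.conf lines know why the flag is ignored.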
@@ -85,8 +90,8 @@ to be run that way.</para>
 	<para>To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf<manvolnum>5</manvolnum>. Here's an example of an entry for each key type:</para>
 <programlisting>
 #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
-#=========  =============  = = ==========================================
-create	    cifs.spnego    * * /usr/local/sbin/cifs.upcall -c %k
+#=========  =============  = = ================================
+create      cifs.spnego    * * /usr/local/sbin/cifs.upcall %k
 create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k
 </programlisting>
 <para>
diff --git a/docs-xml/manpages-3/mount.cifs.8.xml b/docs-xml/manpages-3/mount.cifs.8.xml
index dae54e1..9e856ca 100644
--- a/docs-xml/manpages-3/mount.cifs.8.xml
+++ b/docs-xml/manpages-3/mount.cifs.8.xml
@@ -116,7 +116,7 @@ below) or entered at the password prompt will be read correctly.
 <programlisting>
 		username=<replaceable>value</replaceable>
 		password=<replaceable>value</replaceable>
-		workgroup=<replaceable>value</replaceable>
+		domain=<replaceable>value</replaceable>
 </programlisting>
 
 		<para>
diff --git a/docs-xml/registry/Win7_Samba3DomainMember.reg b/docs-xml/registry/Win7_Samba3DomainMember.reg
new file mode 100644
index 0000000..b5de9e2
Binary files /dev/null and b/docs-xml/registry/Win7_Samba3DomainMember.reg differ
diff --git a/docs-xml/smbdotconf/base/enablecorefiles.xml b/docs-xml/smbdotconf/base/enablecorefiles.xml
new file mode 100644
index 0000000..8c8bacf
--- /dev/null
+++ b/docs-xml/smbdotconf/base/enablecorefiles.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="enable core files"
+                 context="G"
+                 basic="1" advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+        <para>This parameter specifies whether core dumps should be written
+	on internal exits. Normally set to <constant>yes</constant>.
+	You should never need to change this.
+	</para>
+</description>
+
+	<value type="default">yes</value>
+	<value type="example">no</value>
+</samba:parameter>
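Review bot: "You should never need to change this" in the description is too strong for a parameter that defaults to yes. A core file is a copy of the process's memory, which for a Samba daemon can include credentials and session keys, so sites that restrict where such data lands do have a reason to set it to no. Suggest replacing that sentence with one that says when disabling is appropriate and where the core files are written. The hunk also mixes tabs and spaces for indentation.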
diff --git a/docs-xml/smbdotconf/ldap/ldappagesize.xml b/docs-xml/smbdotconf/ldap/ldappagesize.xml
new file mode 100644
index 0000000..bc09b98
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappagesize.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap page size"
+	context="G"
+	type="integer"
+	advanced="1" developer="1"
+        xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter specifies the number of entries per page.
+	</para>
+
+	<para>If the LDAP server supports paged results, clients can
+	request	subsets of search results (pages) instead of the entire list.
+	This parameter specifies the size of these pages.
+	</para>
+</description>
+<value type="default">1024</value>
+<value type="example">512</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/tuning/aiowritebehind.xml b/docs-xml/smbdotconf/tuning/aiowritebehind.xml
new file mode 100644
index 0000000..c88cd97
--- /dev/null
+++ b/docs-xml/smbdotconf/tuning/aiowritebehind.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="aio write behind"
+                 context="S"
+		 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>If Samba has been built with asynchronous I/O support,
+	Samba will not wait until write requests are finished before returning
+	the result to the client for files listed in this parameter.
+	Instead, Samba will immediately return that the write
+	request has been finished successfully, no matter if the
+	operation will succeed or not. This might speed up clients without
+	aio support, but is really dangerous, because data could be lost
+	and files could be damaged.
+	</para>
+	<para>
+	The syntax is identical to the <smbconfoption name="veto files"/>
+	parameter.
+	</para>
+</description>
+
+<value type="default"/>
+<value type="example">/*.tmp/</value>
+</samba:parameter>
diff --git a/packaging/RHEL/makerpms.sh.tmpl b/packaging/RHEL/makerpms.sh.tmpl
index 5b377bd..93d2d82 100644
--- a/packaging/RHEL/makerpms.sh.tmpl
+++ b/packaging/RHEL/makerpms.sh.tmpl
@@ -40,8 +40,8 @@ case $RPMVER in
 esac
 
 pushd .
-cd ../../source
-if [ -f Makefile ]; then 
+cd ../../source3
+if [ -f Makefile ]; then
 	make distclean
 fi
 popd
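Review bot: `cd ../../source3` points at a directory this branch does not appear to have; every path in the change summary is under source/, so the cd would fail and the `[ -f Makefile ]` test would then run in the directory the script started from. Presumably the path came across from a branch where the tree is named source3. Suggest keeping `cd ../../source` on v3-3-stable and making the cd fatal (`cd ../../source || exit 1`) so that a wrong path cannot lead to `make distclean` running somewhere else. The trailing-whitespace fix on the `if` line is fine.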
diff --git a/source/Makefile.in b/source/Makefile.in
index 474bc1e..8b364e3 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -2207,7 +2207,7 @@ bin/vlp at EXEEXT@: $(BINARY_PREREQS) $(VLP_OBJ) @LIBTALLOC_SHARED@ @LIBTDB_SHARED@
 
 bin/winbind_krb5_locator. at SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) @LIBWBCLIENT_SHARED@
 	@echo "Linking $@"
-	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(WINBIND_LIBS) \
+	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(WINBIND_LIBS) $(KRB5LIBS) \
 		@SONAMEFLAG@`basename $@`
 
 bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_SHARED@ @LIBWBCLIENT_SHARED@
diff --git a/source/VERSION b/source/VERSION
index 863ef6c..9b13830 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c
index 4110de3..7bc370c 100644
--- a/source/client/cifs.upcall.c
+++ b/source/client/cifs.upcall.c
@@ -1,6 +1,7 @@
 /*
 * CIFS user-space helper.
 * Copyright (C) Igor Mammedov (niallain at gmail.com) 2007
+* Copyright (C) Jeff Layton (jlayton at redhat.com) 2009
 *
 * Used by /sbin/request-key for handling
 * cifs upcall for kerberos authorization of access to share and
@@ -25,17 +26,168 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 #include <keyutils.h>
+#include <getopt.h>
 
 #include "cifs_spnego.h"
 
-const char *CIFSSPNEGO_VERSION = "1.2";
+#define	CIFS_DEFAULT_KRB5_DIR		"/tmp"
+#define	CIFS_DEFAULT_KRB5_PREFIX	"krb5cc_"
+
+#define	MAX_CCNAME_LEN			PATH_MAX + 5
+
+const char *CIFSSPNEGO_VERSION = "1.3";
 static const char *prog = "cifs.upcall";
-typedef enum _secType {
+typedef enum _sectype {
 	NONE = 0,
 	KRB5,
 	MS_KRB5
-} secType_t;
+} sectype_t;
+
+/* does the ccache have a valid TGT? */
+static time_t
+get_tgt_time(const char *ccname) {
+	krb5_context context;
+	krb5_ccache ccache;
+	krb5_cc_cursor cur;
+	krb5_creds creds;
+	krb5_principal principal;
+	time_t credtime = 0;
+	char *realm = NULL;
+
+	if (krb5_init_context(&context)) {
+		syslog(LOG_DEBUG, "%s: unable to init krb5 context", __func__);
+		return 0;
+	}
+
+	if (krb5_cc_resolve(context, ccname, &ccache)) {
+		syslog(LOG_DEBUG, "%s: unable to resolve krb5 cache", __func__);
+		goto err_cache;
+	}
+
+	if (krb5_cc_set_flags(context, ccache, 0)) {
+		syslog(LOG_DEBUG, "%s: unable to set flags", __func__);
+		goto err_cache;
+	}
+
+	if (krb5_cc_get_principal(context, ccache, &principal)) {
+		syslog(LOG_DEBUG, "%s: unable to get principal", __func__);
+		goto err_princ;
+	}
+
+	if (krb5_cc_start_seq_get(context, ccache, &cur)) {
+		syslog(LOG_DEBUG, "%s: unable to seq start", __func__);
+		goto err_ccstart;
+	}
+
+	if ((realm = smb_krb5_principal_get_realm(context, principal)) == NULL) {
+		syslog(LOG_DEBUG, "%s: unable to get realm", __func__);
+		goto err_ccstart;
+	}
+
+	while (!credtime && !krb5_cc_next_cred(context, ccache, &cur, &creds)) {
+		char *name;
+		if (smb_krb5_unparse_name(context, creds.server, &name)) {
+			syslog(LOG_DEBUG, "%s: unable to unparse name", __func__);
+			goto err_endseq;
+		}
+		if (krb5_realm_compare(context, creds.server, principal) &&
+		    strnequal(name, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE) &&
+		    strnequal(name+KRB5_TGS_NAME_SIZE+1, realm, strlen(realm)) &&
+		    creds.times.endtime > time(NULL))
+			credtime = creds.times.endtime;
+                krb5_free_cred_contents(context, &creds);
+		SAFE_FREE(name);
+        }
+err_endseq:
+        krb5_cc_end_seq_get(context, ccache, &cur);
+err_ccstart:
+	krb5_free_principal(context, principal);
+err_princ:
+#if defined(KRB5_TC_OPENCLOSE)
+	krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
+#endif
+	krb5_cc_close(context, ccache);
+err_cache:
+	krb5_free_context(context);
+	return credtime;
+}
+
+static int
+krb5cc_filter(const struct dirent *dirent)
+{
+	if (strstr(dirent->d_name, CIFS_DEFAULT_KRB5_PREFIX))
+		return 1;
+	else
+		return 0;
+}
+
+/* search for a credcache that looks like a likely candidate */
+static char *
+find_krb5_cc(const char *dirname, uid_t uid)
+{
+	struct dirent **namelist;
+	struct stat sbuf;
+	char ccname[MAX_CCNAME_LEN], *credpath, *best_cache = NULL;
+	int i, n;
+	time_t cred_time, best_time = 0;
+
+	n = scandir(dirname, &namelist, krb5cc_filter, NULL);
+	if (n < 0) {
+		syslog(LOG_DEBUG, "%s: scandir error on directory '%s': %s",
+				  __func__, dirname, strerror(errno));
+		return NULL;
+	}
+
+	for (i = 0; i < n; i++) {
+		snprintf(ccname, sizeof(ccname), "FILE:%s/%s", dirname,
+			 namelist[i]->d_name);
+		credpath = ccname + 5;
+		syslog(LOG_DEBUG, "%s: considering %s", __func__, credpath);
+
+		if (lstat(credpath, &sbuf)) {
+			syslog(LOG_DEBUG, "%s: stat error on '%s': %s",
+					  __func__, credpath, strerror(errno));
+			free(namelist[i]);
+			continue;
+		}
+		if (sbuf.st_uid != uid) {
+			syslog(LOG_DEBUG, "%s: %s is owned by %u, not %u",
+					__func__, credpath, sbuf.st_uid, uid);
+			free(namelist[i]);
+			continue;
+		}
+		if (!S_ISREG(sbuf.st_mode)) {
+			syslog(LOG_DEBUG, "%s: %s is not a regular file",
+					__func__, credpath);
+			free(namelist[i]);
+			continue;
+		}
+		if (!(cred_time = get_tgt_time(ccname))) {
+			syslog(LOG_DEBUG, "%s: %s is not a valid credcache.",
+					__func__, ccname);
+			free(namelist[i]);
+			continue;
+		}
+
+		if (cred_time <= best_time) {
+			syslog(LOG_DEBUG, "%s: %s expires sooner than current "
+					  "best.", __func__, ccname);
+			free(namelist[i]);
+			continue;
+		}
+
+		syslog(LOG_DEBUG, "%s: %s is valid ccache", __func__, ccname);
+		free(best_cache);
+		best_cache = SMB_STRNDUP(ccname, MAX_CCNAME_LEN);
+		best_time = cred_time;
+		free(namelist[i]);
+	}
+	free(namelist);
+
+	return best_cache;
+}
 
 /*
  * Prepares AP-REQ data for mechToken and gets session key
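Review bot: find_krb5_cc() validates each candidate with lstat() (owner, regular file) and then get_tgt_time() reopens it by name through krb5_cc_resolve(), so in the world-writable CIFS_DEFAULT_KRB5_DIR (/tmp) the file can be replaced between the check and the use. The commit message for the flag cleanup says privileges are dropped before the credcache search; that is not visible in this hunk, so please confirm the search always runs as the target uid, otherwise a privileged process ends up parsing a file chosen by another user. Smaller points in the same hunk: krb5cc_filter() uses strstr(), which accepts "krb5cc_" anywhere in the name rather than only as a prefix (strncmp against the start of d_name would match the intent); in get_tgt_time() a krb5_cc_set_flags() failure jumps to err_cache without krb5_cc_close(), a failed realm lookup jumps to err_ccstart after the sequence was started and so skips krb5_cc_end_seq_get(), and the unparse failure path leaves the loop without krb5_free_cred_contents(); and MAX_CCNAME_LEN should be parenthesised as (PATH_MAX + 5).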
@@ -56,20 +208,28 @@ typedef enum _secType {
  * 	sess_key-	pointer for SessionKey data to be stored
  *
  * ret: 0 - success, others - failure
-*/
+ */
 static int
-handle_krb5_mech(const char *oid, const char *principal,
-		     DATA_BLOB * secblob, DATA_BLOB * sess_key)
+handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB *secblob,
+		 DATA_BLOB *sess_key, const char *ccname)
 {
 	int retval;
 	DATA_BLOB tkt, tkt_wrapped;
 
+	syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__,
+			  principal);
+
 	/* get a kerberos ticket for the service and extract the session key */
-	retval = cli_krb5_get_ticket(principal, 0,
-				     &tkt, sess_key, 0, NULL, NULL);
+	retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, ccname,
+				     NULL);
 
-	if (retval)
+	if (retval) {
+		syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
+				  __func__, retval);
 		return retval;
+	}
+
+	syslog(LOG_DEBUG, "%s: obtained service ticket", __func__);
 
 	/* wrap that up in a nice GSS-API wrapping */
 	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
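Review bot: the new ccname parameter of handle_krb5_mech() is not described in the parameter list of the comment block above the function; the hunk only re-indents the closing `*/`. Add a line for it saying that it names the credential cache to use and what passing NULL means, since the old call passed NULL in that position of cli_krb5_get_ticket() and the value now goes straight through. The new LOG_DEBUG messages are fine; the failure message would be more useful with the principal in it as well as the numeric code.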
@@ -82,18 +242,27 @@ handle_krb5_mech(const char *oid, const char *principal,
 	return retval;
 }
 
-#define DKD_HAVE_HOSTNAME	1
-#define DKD_HAVE_VERSION	2
-#define DKD_HAVE_SEC		4
-#define DKD_HAVE_IPV4		8
-#define DKD_HAVE_IPV6		16
-#define DKD_HAVE_UID		32
+#define DKD_HAVE_HOSTNAME	0x1
+#define DKD_HAVE_VERSION	0x2
+#define DKD_HAVE_SEC		0x4
+#define DKD_HAVE_IP		0x8
+#define DKD_HAVE_UID		0x10
+#define DKD_HAVE_PID		0x20
 #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
 
-static int
-decode_key_description(const char *desc, int *ver, secType_t * sec,
-			   char **hostname, uid_t * uid)
+struct decoded_args {
+	int		ver;
+	char		*hostname;
+	char		*ip;
+	uid_t		uid;
+	pid_t		pid;
+	sectype_t	sec;
+};
+
+static unsigned int
+decode_key_description(const char *desc, struct decoded_args *arg)
 {
+	int len;
 	int retval = 0;
 	char *pos;
 	const char *tkn = desc;
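Review bot: decode_key_description() now returns unsigned int, but the accumulator left in context is still `int retval = 0;`, so the flag mask is built in a signed variable and converted on return. Declare it unsigned int to match, and add a comment on how a decode failure is reported now that the return value is a bitmask of DKD_HAVE_* flags. struct decoded_args also carries two char pointers (hostname, ip); a comment on the struct should say who owns and frees them.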
@@ -101,35 +270,52 @@ decode_key_description(const char *desc, int *ver, secType_t * sec,
 	do {


-- 
Samba Shared Repository

