[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Sun Sep 26 01:10:01 MDT 2010


The branch, master has been updated
       via  7dbfeb0 s4-auth: fixed the SID list for DCs in the PAC
       via  65fc066e autobuild: fixed detection of master changes
       via  c0a1cbd s3-selftest: added samba3.posix_s3.rap.printing as a knownfail
       via  f1c2702 idl-pac: add a decoder for the pac info ctr
       via  f33fc39 s4-drs: use the system sam_ctx for updaterefs
       via  f3ceec9 s4-spn: don't try to do SPN updates as a RODC
      from  95b56aa libcli/ldap: let ldap_full_packet() use asn1_peek_tag_needed_size()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7dbfeb0dc040889244a1110940af2d070f823374
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 19:14:42 2010 -0700

    s4-auth: fixed the SID list for DCs in the PAC
    
    the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
    receives the PAC
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User: Andrew Tridgell <tridge at samba.org>
    Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104

commit 65fc066ef43786faae9d4adf8f0941d86315f398
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 19:43:13 2010 -0700

    autobuild: fixed detection of master changes

commit c0a1cbda5d70d2a6e0ffedb07cfaaadc01b0fc8d
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 19:23:02 2010 -0700

    s3-selftest: added samba3.posix_s3.rap.printing as a knownfail
    
    this fails intermittently on sn-devel, Günther suggests adding this to
    knownfail for now

commit f1c2702b268ce2f48cab793422b3c0b7954e9a38
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 19:13:28 2010 -0700

    idl-pac: add a decoder for the pac info ctr
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit f33fc39f37c21e0d1d5cf926db1a742395f25ea7
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 17:53:14 2010 -0700

    s4-drs: use the system sam_ctx for updaterefs
    
    this is needed for RODC clients calling updaterefs

commit f3ceec9b1b9e0f2a4a40cf25cacbd157fb690de4
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 25 17:52:43 2010 -0700

    s4-spn: don't try to do SPN updates as a RODC
    
    we don't have the permissions to do it

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/krb5pac.idl                  |    4 ++++
 script/autobuild.py                     |    7 ++++---
 source3/selftest/knownfail              |    1 +
 source4/auth/auth.h                     |    1 -
 source4/auth/sam.c                      |   16 ++++++++++++++++
 source4/auth/session.c                  |   18 ------------------
 source4/dsdb/samdb/samdb.c              |   10 ----------
 source4/rpc_server/drsuapi/updaterefs.c |   17 +++++++++--------
 source4/scripting/bin/samba_spnupdate   |    4 ++++
 9 files changed, 38 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 24c55b8..d7a99c9 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -122,6 +122,10 @@ interface krb5pac
 		[in] PAC_LOGON_INFO logon_info
 		);
 
+	void decode_login_info_ctr(
+		[in] PAC_LOGON_INFO_CTR logon_info_ctr
+		);
+
 	void decode_pac_validate(
 		[in] PAC_Validate pac_validate
 		);
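Review bot: The new decoder is spelled `decode_login_info_ctr`, while its argument type and name both use "logon" (`PAC_LOGON_INFO_CTR logon_info_ctr`), so the generated function name will not match a search for the type's spelling. Renaming it to `decode_logon_info_ctr` keeps the decoder names consistent with the structures they decode. A one-line comment saying that this decodes the container around the logon info, not the bare structure, would help anyone choosing a decoder for a captured PAC buffer.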
diff --git a/script/autobuild.py b/script/autobuild.py
index 4941562..f75ccd7 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -62,12 +62,13 @@ tasks = {
 
 retry_task = [ '''set -e
                 git remote add -t master master %s
+                git fetch master
                 while :; do
                   sleep 60
+                  git describe master/master > old_master.desc
                   git fetch master
-                  git describe > HEAD.desc
-                  git describe > master.desc
-                  diff HEAD.desc master.desc
+                  git describe master/master > master.desc
+                  diff old_master.desc master.desc
                 done
                ''' % samba_master]
 
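Review bot: Under `set -e` any failing command ends this script, so a transient failure of `git fetch master` or `git describe master/master` exits the loop the same way as `diff old_master.desc master.desc` reporting a real change. If the caller reads this task's exit as "master moved" (not visible in this hunk), a network error would trigger the same reaction. A comment such as `# loop ends non-zero when diff sees master/master move; set -e makes fetch errors end it too` would record the intent. Alternatively the fetch inside the loop could tolerate errors with `git fetch master || continue`.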
diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
index 4e9906d..da38f88 100644
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -1 +1,2 @@
 .*printer.*print_test_extended # fails on some hosts due to timing issues ?
+samba3.posix_s3.rap.printing # fails sometimes on sn-devel
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ce583c8..2f0af02 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -46,7 +46,6 @@ struct loadparm_context;
 
 #define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
 #define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC  0x04 /* Add the user to the 'enterprise DC' group */
 
 struct auth_serversupplied_info
 {
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f..bdbf690 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 						  server_info);
 	}
 
+	if (server_info->acct_flags & ACB_SVRTRUST) {
+		/* the SID_NT_ENTERPRISE_DCS SID gets added into the
+		   PAC */
+		server_info->domain_groups = talloc_realloc(server_info,
+							    server_info->domain_groups,
+							    struct dom_sid *,
+							    server_info->n_domain_groups+1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+		server_info->domain_groups[server_info->n_domain_groups] =
+			dom_sid_parse_talloc(server_info->domain_groups,
+					     SID_NT_ENTERPRISE_DCS);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+						  server_info);
+		server_info->n_domain_groups++;
+	}
+
 	server_info->authenticated = true;
 
 	talloc_free(tmp_ctx);
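Review bot: The new block keys only on `server_info->acct_flags & ACB_SVRTRUST`, whereas the code this commit removes from auth_generate_session_info also required `dom_sid_in_domain(dom_sid, server_info->account_sid)` before granting Enterprise Domain Controllers membership. That is presumably safe here because the account is looked up in the local SAM, but the hunk does not show it, and the receiving server now takes S-1-5-9 from whatever group list the PAC carries. I would state the assumption above the `if`, e.g. `/* account comes from our own SAM, so it is a DC of this domain; servers rely on the PAC for this SID */`. It is also worth confirming that PACs from trusted domains are filtered for this SID elsewhere. The function body starts and ends outside the hunk.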
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bd1be8e..68d03ae 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (auth_context) {
-		if (server_info->acct_flags & ACB_SVRTRUST) {
-			dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-			if (dom_sid) {
-				if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
-				session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
-				} else {
-					DEBUG(2, ("DC %s is not in our domain.  "
-						  "It will not have Enterprise Domain Controllers membership on this server",
-						  server_info->account_name));
-				}
-			} else {
-				DEBUG(2, ("Could not obtain local domain SID, "
-					  "so can not determine if DC %s is a DC of this domain.  "
-					  "It will not have Enterprise Domain Controllers membership",
-					  server_info->account_name));
-			}
-		}
-		
 		groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 		if (!groupSIDs) {
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 32698ea..637da4f 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -202,16 +202,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		ptoken->num_sids++;
 	}
 
-	if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
-		ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-		NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-		if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, &ptoken->sids[ptoken->num_sids])) {
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-		ptoken->num_sids++;
-	}
-
 	for (i = 0; i < n_groupSIDs; i++) {
 		size_t check_sid_idx;
 		for (check_sid_idx = 1; 
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index a41eec8..3863ac7 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -125,25 +125,26 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ct
 {
 	WERROR werr;
 	struct ldb_dn *dn;
+	struct ldb_context *sam_ctx = b_state->sam_ctx_system?b_state->sam_ctx_system:b_state->sam_ctx;
 
 	DEBUG(4,("DsReplicaUpdateRefs for host '%s' with GUID %s options 0x%08x nc=%s\n",
 		 req->dest_dsa_dns_name, GUID_string(mem_ctx, &req->dest_dsa_guid),
 		 req->options,
 		 drs_ObjectIdentifier_to_string(mem_ctx, req->naming_context)));
 
-	dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, req->naming_context->dn);
+	dn = ldb_dn_new(mem_ctx, sam_ctx, req->naming_context->dn);
 	if (dn == NULL) {
 		return WERR_DS_INVALID_DN_SYNTAX;
 	}
 
-	if (ldb_transaction_start(b_state->sam_ctx) != LDB_SUCCESS) {
+	if (ldb_transaction_start(sam_ctx) != LDB_SUCCESS) {
 		DEBUG(0,(__location__ ": Failed to start transaction on samdb: %s\n",
-			 ldb_errstring(b_state->sam_ctx)));
+			 ldb_errstring(sam_ctx)));
 		return WERR_DS_DRA_INTERNAL_ERROR;		
 	}
 
 	if (req->options & DRSUAPI_DRS_DEL_REF) {
-		werr = uref_del_dest(b_state->sam_ctx, mem_ctx, dn, &req->dest_dsa_guid, req->options);
+		werr = uref_del_dest(sam_ctx, mem_ctx, dn, &req->dest_dsa_guid, req->options);
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("Failed to delete repsTo for %s: %s\n",
 				 GUID_string(mem_ctx, &req->dest_dsa_guid),
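Review bot: `sam_ctx` now prefers `b_state->sam_ctx_system`, so the repsTo add/delete and the surrounding transaction run with system privileges instead of the caller's session, and no authorisation check on the caller is visible in this hunk. If the RPC entry point does not already verify that the bound client may manage replication references, the database ACLs no longer provide that check on this path. I would document the requirement at the declaration, e.g. `/* system ldb bypasses the caller's ACLs: caller must already be authorised for replication */`, and consider a debug message when the fallback to `b_state->sam_ctx` is taken. The later hunks in this file only continue the same substitution, and the function body extends past this hunk.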
@@ -164,7 +165,7 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ct
 		dest.source_dsa_obj_guid = req->dest_dsa_guid;
 		dest.replica_flags       = req->options;
 
-		werr = uref_add_dest(b_state->sam_ctx, mem_ctx, dn, &dest, req->options);
+		werr = uref_add_dest(sam_ctx, mem_ctx, dn, &dest, req->options);
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,("Failed to add repsTo for %s: %s\n",
 				 GUID_string(mem_ctx, &dest.source_dsa_obj_guid),
@@ -173,16 +174,16 @@ WERROR drsuapi_UpdateRefs(struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ct
 		}
 	}
 
-	if (ldb_transaction_commit(b_state->sam_ctx) != LDB_SUCCESS) {
+	if (ldb_transaction_commit(sam_ctx) != LDB_SUCCESS) {
 		DEBUG(0,(__location__ ": Failed to commit transaction on samdb: %s\n",
-			 ldb_errstring(b_state->sam_ctx)));
+			 ldb_errstring(sam_ctx)));
 		return WERR_DS_DRA_INTERNAL_ERROR;		
 	}
 
 	return WERR_OK;
 
 failed:
-	ldb_transaction_cancel(b_state->sam_ctx);
+	ldb_transaction_cancel(sam_ctx);
 	return werr;
 }
 
diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate
index c675a54..7c9ed4f 100755
--- a/source4/scripting/bin/samba_spnupdate
+++ b/source4/scripting/bin/samba_spnupdate
@@ -102,6 +102,10 @@ except ldb.LdbError, (num, msg):
     print("Unable to open sam database %s : %s" % (lp.get("sam database"), msg))
     sys.exit(1)
 
+if samdb.am_rodc():
+    # don't try and update SPNs on RODC
+    exit(0)
+
 # get the substitution dictionary
 sub_vars = get_subst_vars(samdb)
 
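Review bot: The RODC early-out calls the bare `exit(0)`, which is the helper injected by the `site` module, while the error path just above uses `sys.exit(1)`; `sys.exit(0)` is the consistent and dependable form. The script also exits silently, so an administrator running it by hand on an RODC gets no indication that SPN updates were skipped. A short message before exiting would make that visible in logs.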


-- 
Samba Shared Repository

