[SCM] Samba Shared Repository - branch v4-0-test updated
Andrew Bartlett
abartlet at samba.org
Thu Aug 30 19:43:11 MDT 2012
The branch, v4-0-test has been updated
via 524876a VERSION: Mark as the beta8 release
via 757df37 WHATSNEW: prepare for 4.0 beta8
via 4ff4466 The NTVFS server doesn't pass the SMB1 INHERITFLAGS test.
via 7c4ae72 Now ACL inheritance flags are working, add test_inheritance_flags() back into raw.acls to ensure we don't regress.
via da670e4 With the inheritance ACL changes we now pass samba3.smb2.acls.INHERITFLAGS.
via cf29863 Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
via 3d34406 Windows does canonicalization of inheritance bits. Do the same.
via 795920c Change the other two places where we set a security descriptor given by the client to got through set_sd(), the canonicalize sd function.
via 70ebf1d Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL canonicalization.
via 8c84ece Rename set_sd() to set_sd_blob() - this describes what it does.
via 02aacb1 s3:libsmb correctly set isFsctl for snapshot list
via 4612092 selftest: Remove spoolss tests from knownfail.
via 20cfa38 selftest: Add missing printing options for plugin_s4_dc.
via fb917eb file_server: Fix spoolss support with s3fs.
via bf36462 selftest: Define the log directory for s3fs.
via 5131359 auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
via a58bf44 s4-torture: Add start of a test to confirm winbindd PAC parsing
via fe36bb4 lib/krb4_wrap: Add const to kt_copy_one_principal
via 6678907 s3:vfs_gpfs: Use directory not file to get fileset id
via f31d0d0 vfs_media_harmony: fix some compile warnings with llvm
via fb15e5a s3-printing: fix bug 9123 lprng job tracking errors
via 24356f3 libkrb5: Fix build with MIT Kerberos.
via e39cce4 s4-libnet: Fix passing samba_all_enctypes as a fn rather than the encrypt array it returns
via 5d96498 s4-dsdb: Avoid printing secret attributes in ldb trace logs
via 395b8e4 lib/ldb: Avoid printing secret attributes in ldb trace logs
via 17337cf auth/credentials: Remove unused, and un-declared cli_credentials_set_krbtgt()
via beafdd6 auth/credentials: Better integrate fetch of secrets.tdb and secrets.ldb records
via a0e4bdc auth/credentials: Improve memory handling in cli_credentials_set_machine_account
via 3a303ae5 selftest: Add a test for smbclient --machine-pass without secrets.tdb
via bcc29f9 auth/credentials: Avoid double-free in the failure case
via ba862f4 s3-smbd: Fix flooding the logs with records we don't find in pcap.
via 9e441c4 s3-classicupgrade: Fix import from ldap
via dd21bb0 lib/ldb: Bump ldb version to 1.1.11
via dc8d29c s3-vfs: Indicate the symlink destination when failing check_reduced_name
via f2ccff7 s3-vfs: Try to be consistent about localtime vs GMT handling in vfs_shadow_copy2
via de20958 s3-vfs_shadow_copy2: Also accept a sscanf result
via 11a5646 VERSION: Move on to beta8
from c41894c VERSION: Mark as the beta7 release
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 65 ++++----
auth/credentials/credentials_krb5.c | 11 +-
auth/credentials/credentials_secrets.c | 168 ++++++++++----------
file_server/file_server.c | 2 +-
lib/krb5_wrap/enctype_convert.c | 12 +-
lib/krb5_wrap/keytab_util.c | 2 +-
lib/krb5_wrap/krb5_samba.h | 2 +-
lib/ldb-samba/ldif_handlers.c | 8 +
lib/ldb/ABI/{ldb-1.1.10.sigs => ldb-1.1.11.sigs} | 0
lib/ldb/ABI/{ldb-1.1.10.sigs => ldb-1.1.12.sigs} | 1 +
...ldb-util-1.1.10.sigs => pyldb-util-1.1.11.sigs} | 0
...ldb-util-1.1.10.sigs => pyldb-util-1.1.12.sigs} | 0
lib/ldb/common/ldb.c | 31 +++-
lib/ldb/common/ldb_ldif.c | 47 +++++-
lib/ldb/common/ldb_modules.c | 15 ++-
lib/ldb/include/ldb_module.h | 4 +
lib/ldb/include/ldb_private.h | 5 +
lib/ldb/wscript | 2 +-
libcli/security/secdesc.c | 10 +-
selftest/knownfail | 68 +--------
selftest/target/Samba4.pm | 36 ++++
source3/libsmb/clifile.c | 2 +-
source3/modules/gpfs.c | 16 ++-
source3/modules/vfs_gpfs.c | 24 +++-
source3/modules/vfs_media_harmony.c | 132 ++++++++--------
source3/modules/vfs_shadow_copy2.c | 87 +++++++---
source3/printing/print_generic.c | 2 +-
source3/printing/printing.c | 4 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 21 +---
source3/selftest/tests.py | 4 +-
source3/smbd/nttrans.c | 73 +++++++--
source3/smbd/open.c | 6 +-
source3/smbd/proto.h | 4 +-
source3/smbd/server_reload.c | 2 +-
source3/smbd/smb2_setinfo.c | 2 +-
source3/smbd/vfs.c | 4 +-
source4/auth/kerberos/kerberos.h | 1 +
source4/auth/kerberos/kerberos_util.c | 1 +
source4/libnet/libnet_export_keytab.c | 2 +-
source4/scripting/python/samba/upgrade.py | 4 +-
source4/selftest/tests.py | 2 +-
source4/torture/raw/acls.c | 15 ++-
source4/torture/rpc/remote_pac.c | 2 +-
source4/torture/winbind/winbind.c | 153 ++++++++++++++++++
45 files changed, 683 insertions(+), 371 deletions(-)
copy lib/ldb/ABI/{ldb-1.1.10.sigs => ldb-1.1.11.sigs} (100%)
copy lib/ldb/ABI/{ldb-1.1.10.sigs => ldb-1.1.12.sigs} (99%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.11.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.12.sigs} (100%)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index b9b3e8c..8dbd87b 100644
--- a/VERSION
+++ b/VERSION
@@ -67,7 +67,7 @@ SAMBA_VERSION_ALPHA_RELEASE=
# e.g. SAMBA_VERSION_BETA_RELEASE=1 #
# -> "4.0.0beta1" #
########################################################
-SAMBA_VERSION_BETA_RELEASE=7
+SAMBA_VERSION_BETA_RELEASE=8
########################################################
# For 'pre' releases the version will be #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d9f2333..4b1f0fe 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,4 @@
-What's new in Samba 4.0 beta7
+What's new in Samba 4.0 beta8
=============================
Samba 4.0 will be the next version of the Samba suite and incorporates
@@ -11,7 +11,7 @@ and above.
WARNINGS
========
-Samba 4.0 beta7 is not a final Samba release, however we are now making
+Samba 4.0 beta8 is not a final Samba release, however we are now making
good progress towards a Samba 4.0 release. However, this is expected to be the
last beta release before we start on our release candidate series.
@@ -77,7 +77,7 @@ the longer term.
For pure file server work, the binaries users would expect from that
series (nmbd, winbindd, smbpasswd) continue to be available. When
running an AD DC, you only need to run 'samba' (not
-nmbd/smbd/winbind), as the required services are co-ordinated by this
+nmbd/smbd/winbind), as the required services are co-coordinated by this
master binary.
As DNS is an integral part of Active Directory, we also provide a DNS
@@ -98,56 +98,51 @@ Python programs to interface to Samba's internals, and many tools and
internal workings of the DC code is now implemented in python.
-CHANGES SINCE beta6
+CHANGES SINCE beta7
=====================
-For a list of changes since beta6, please see the git log.
+For a list of changes since beta7, please see the git log.
$ git clone git://git.samba.org/samba.git
$ cd samba.git
-$ git log samba-4.0.0beta6..samba-4.0.0beta7
+$ git log samba-4.0.0beta7..samba-4.0.0beta8
Some major user-visible changes include:
-- ACLs are now set during provision at the POSIX layer for the sysvol
- share. This allows group policies to be modified by Domain
- Administrators (Policy Administrators) that are not the actual
- Administrator user.
+- A fix for a segfault/abort on startup of the 'samba' binary in the
+ credentials_secrets code.
-- A number of verified fixes for expanding memory use across the AD
- domain controller, including in the Bind9 DLZ module.
+- A fix for samba-tool classicupgrade of pdb_ldap-based domains
-- A fix for bug #9097 (the winbind in the AD DC would lock up under
- parallel requests).
+- A fix for samba-tool domain exportkeyab only exporting DES keys
-- wbinfo --ping-dc now returns helpful information on what failed and
- against which DC it failed
+- Printing is now enabled on the AD DC
-- SMB3 encryption support
+- Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
-- New 'samba-tool ntacl' commands:
- - samba-tool ntacl sysvolreset
- - samba-tool ntacl sysvolcheck
+- We now avoid printing secret attributes (such as unicodePwd and
+ suppliementalCredentials) in ldb trace logs
-Less visible, but important changes under the hood include:
+- s3-printing: fix bug 9123 lprng job tracking errors
-- Continued work to support SMB2 and SMB3
-
-- Continued work to use async IO to improve file server performance.
-
-- Patches to ensure that talloc_tos() and talloc_stackframe() are
- always used correctly.
-
-- We can now test the implementation of NT -> POSIX ACL mapping in a
- unit test with VFS bindings exposing both to python. We also store
- the posix ACL in a tdb during make test, allowing testing of this
- feature on all platforms, regardless of local FS settings.
-
-- Python bindings for the source3 async libsmb library (for use in testing)
+- A fix for building with MIT Kerberos
KNOWN ISSUES
============
+- 'samba-tool domain classicupgrade' will fail when setting ACLs on
+ the GPO folders with NT_STATUS_INVALID_ONWER in the default
+ configuration. This happens if, as is typical a 'domain admins'
+ group (-512) is mapped in the passdb backend being upgraded. This
+ is because the group mapping to a GID only prevents Samba from
+ allocating a uid for that group. The uid is needed so the 'domain
+ admins' group can own the GPO file objects.
+
+ To work around this issue, remove the 'domain admins' group before
+ upgrade, as it will be re-created automatically. You will
+ of course need to fill in the group membership again. A future release
+ will make this automatic, or find some other workaround.
+
- This release makes the s3fs file server the default, as this is the
file server combination we will use for the Samba 4.0 release.
@@ -161,7 +156,7 @@ KNOWN ISSUES
this partition is not yet reliable.
- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
- containing _. A workaround will be in a future next beta.
+ containing _. A workaround will be in a future beta.
- upgradeprovision should not be run when upgrading to this release
from a recent release. No important database format changes have
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2a23688..459e948 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -717,6 +717,11 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
+ /* We make this keytab up based on a password. Therefore
+ * match-by-key is acceptable, we can't match on the wrong
+ * principal */
+ ktc->password_based = true;
+
talloc_steal(cred, ktc);
cred->keytab = ktc;
*_ktc = cred->keytab;
@@ -818,12 +823,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- if (obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
&gcc->creds);
} else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
&gcc->creds);
}
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 3304200..a44fe1c 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -46,12 +46,14 @@
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
-_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
- struct loadparm_context *lp_ctx,
- struct ldb_context *ldb,
- const char *base,
- const char *filter,
- char **error_string)
+static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct ldb_context *ldb,
+ const char *base,
+ const char *filter,
+ time_t secrets_tdb_last_change_time,
+ const char *secrets_tdb_password,
+ char **error_string)
{
TALLOC_CTX *mem_ctx;
@@ -66,6 +68,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
const char *salt_principal;
char *keytab;
const struct ldb_val *whenChanged;
+ time_t lct;
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = false;
@@ -73,14 +76,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* some other parts of the system will key off this */
cred->machine_account = true;
- mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
+ mem_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
if (!ldb) {
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx, lp_ctx);
if (!ldb) {
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
*error_string = talloc_strdup(cred, "Could not open secrets.ldb");
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
@@ -96,14 +97,32 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
*error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s",
filter, base ? base : "",
ldb_strerror(ldb_ret), ldb_errstring(ldb));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
password = ldb_msg_find_attr_as_string(msg, "secret", NULL);
+ whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
+ if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) {
+ /* This attribute is mandetory */
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ /* Don't set secrets.ldb info if the secrets.tdb entry was more recent */
+ if (lct < secrets_tdb_last_change_time) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ if (lct == secrets_tdb_last_change_time && secrets_tdb_password && strcmp(password, secrets_tdb_password) != 0) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ cli_credentials_set_password_last_changed_time(cred, lct);
+
machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
if (!machine_account) {
@@ -117,8 +136,6 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
"'servicePrincipalName' or "
"'ldapBindDn' in secrets record: %s",
ldb_dn_get_linearized(msg->dn));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
@@ -169,14 +186,6 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0));
- whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
- if (whenChanged) {
- time_t lct;
- if (ldb_val_to_time(whenChanged, &lct) == LDB_SUCCESS) {
- cli_credentials_set_password_last_changed_time(cred, lct);
- }
- }
-
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
@@ -190,6 +199,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
return NT_STATUS_OK;
}
+
+/**
+ * Fill in credentials for the machine trust account, from the secrets database.
+ *
+ * @param cred Credentials structure to fill in
+ * @retval NTSTATUS error detailing any failure
+ */
+_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct ldb_context *ldb,
+ const char *base,
+ const char *filter,
+ char **error_string)
+{
+ NTSTATUS status = cli_credentials_set_secrets_lct(cred, lp_ctx, ldb, base, filter, 0, NULL, error_string);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ }
+ return status;
+}
+
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
@@ -203,16 +234,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
char *filter;
char *error_string;
const char *domain;
- const char *realm;
bool secrets_tdb_password_more_recent;
time_t secrets_tdb_lct = 0;
char *secrets_tdb_password = NULL;
char *keystr;
char *keystr_upper = NULL;
- char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
- struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
- TDB_DEFAULT, O_RDWR, 0600,
- DBWRAP_LOCK_ORDER_1);
+ char *secrets_tdb;
+ struct db_context *db_ctx;
+ TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+ if (!secrets_tdb) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
+ TDB_DEFAULT, O_RDWR, 0600,
+ DBWRAP_LOCK_ORDER_1);
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
@@ -221,29 +262,24 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
/* We have to do this, as the fallback in
* cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
domain = cli_credentials_get_domain(cred);
- realm = cli_credentials_get_realm(cred);
if (db_ctx) {
TDB_DATA dbuf;
- keystr = talloc_asprintf(cred, "%s/%s",
+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_LAST_CHANGE_TIME,
domain);
- keystr_upper = strupper_talloc(cred, keystr);
- TALLOC_FREE(keystr);
- status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
- TALLOC_FREE(keystr_upper);
if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
secrets_tdb_lct = IVAL(dbuf.dptr,0);
}
- TALLOC_FREE(dbuf.dptr);
- keystr = talloc_asprintf(cred, "%s/%s",
+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_PASSWORD,
domain);
- keystr_upper = strupper_talloc(cred, keystr);
- TALLOC_FREE(keystr);
- status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status)) {
secrets_tdb_password = (char *)dbuf.dptr;
@@ -252,9 +288,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
domain);
- status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
- SECRETS_PRIMARY_DOMAIN_DN,
- filter, &error_string);
+ status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
+ SECRETS_PRIMARY_DOMAIN_DN,
+ filter, secrets_tdb_lct, secrets_tdb_password, &error_string);
if (secrets_tdb_password == NULL) {
secrets_tdb_password_more_recent = false;
} else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
@@ -269,15 +305,11 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
}
if (secrets_tdb_password_more_recent) {
- char *machine_account = talloc_asprintf(cred, "%s$", lpcfg_netbios_name(lp_ctx));
+ char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
- cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
- cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED);
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- TALLOC_FREE(machine_account);
- } else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
- || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
+ } else if (!NT_STATUS_IS_OK(status)) {
if (db_ctx) {
error_string = talloc_asprintf(cred,
"Failed to fetch machine account password from "
@@ -289,45 +321,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
"secrets.ldb: %s and failed to open %s",
error_string, secrets_tdb);
}
- }
-
- TALLOC_FREE(secrets_tdb_password);
- TALLOC_FREE(secrets_tdb);
- TALLOC_FREE(db_ctx);
- if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n",
error_string, nt_errstr(status)));
- talloc_free(error_string);
- }
- return status;
-}
-
-/**
- * Fill in credentials for the machine trust account, from the secrets database.
- *
- * @param cred Credentials structure to fill in
- * @retval NTSTATUS error detailing any failure
- */
-NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
- struct loadparm_context *lp_ctx)
-{
- NTSTATUS status;
- char *filter;
- char *error_string;
- /* Bleh, nasty recursion issues: We are setting a machine
- * account here, so we don't want the 'pending' flag around
- * any more */
- cred->machine_account_pending = false;
- filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
- cli_credentials_get_realm(cred),
- cli_credentials_get_domain(cred));
- status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
- SECRETS_PRINCIPALS_DN,
- filter, &error_string);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s: %s\n", nt_errstr(status), error_string));
- talloc_free(error_string);
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
}
+
+ TALLOC_FREE(tmp_ctx);
return status;
}
@@ -352,9 +352,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
+ status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter,
- &error_string);
+ 0, NULL, &error_string);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find %s principal in secrets database: %s: %s\n", serviceprincipal, nt_errstr(status), error_string));
}
diff --git a/file_server/file_server.c b/file_server/file_server.c
index b6f7382..a3efcb2 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -59,7 +59,7 @@ static const char *generate_smb_conf(struct task_server *task)
fdprintf(fd, "rpc_server:ntsvcs = embedded\n");
fdprintf(fd, "rpc_server:winreg = embedded\n");
fdprintf(fd, "rpc_server:spoolss = embedded\n");
- fdprintf(fd, "rpc_daemon:spoolssd = disabled\n");
+ fdprintf(fd, "rpc_daemon:spoolssd = embedded\n");
fdprintf(fd, "rpc_server:tcpip = no\n");
fdprintf(fd, "map hidden = no\n");
diff --git a/lib/krb5_wrap/enctype_convert.c b/lib/krb5_wrap/enctype_convert.c
index 446384e..b78304f 100644
--- a/lib/krb5_wrap/enctype_convert.c
+++ b/lib/krb5_wrap/enctype_convert.c
@@ -28,11 +28,11 @@ const krb5_enctype *samba_all_enctypes(void)
{
/* TODO: Find a way not to have to use a fixed list */
static const krb5_enctype enctypes[] = {
- KRB5_ENCTYPE_DES_CBC_CRC,
- KRB5_ENCTYPE_DES_CBC_MD5,
- KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC,
0
};
return enctypes;
@@ -47,7 +47,7 @@ uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum)
return ENC_CRC32;
case ENCTYPE_DES_CBC_MD5:
--
Samba Shared Repository
More information about the samba-cvs
mailing list