[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Fri Nov 9 10:22:01 MST 2012


The branch, master has been updated
       via  5205747 doc: list arguments for rpcclient FSRVP commands
       via  c70ffac doc: describe samlogon cache caveat for winbindd -n
       via  9195792 Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
      from  ec0104b Makefile: Allow specifying PYTHON environment variable.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 52057477ee0642af4d6e9c220195c0933de7ba2e
Author: David Disseldorp <ddiss at samba.org>
Date:   Wed Nov 7 13:06:54 2012 +0100

    doc: list arguments for rpcclient FSRVP commands
    
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Nov  9 18:21:39 CET 2012 on sn-devel-104

commit c70ffacf9406aa0c5aa417046aaa8f9c319fc8c2
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Nov 6 12:49:42 2012 +0100

    doc: describe samlogon cache caveat for winbindd -n
    
    The samlogon cache is never bypassed, even when winbindd is run with the
    -n argument.
    See https://bugzilla.samba.org/show_bug.cgi?id=9125
    
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 9195792a38027eb30b6ac36a134d52be4db0087c
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Nov 6 12:29:24 2012 +0100

    Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
    
    This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
    
    Bug 9125 analysis from Volker:
    
    The problem is that there are no network calls possible at all that
    would do what the samlogon cache does for us. There is just no way to
    retrieve the group membership in a complex trusted environment. If you
    have just a single domain with Samba as domain controller it might be
    possible, but even within a single domain it is not possible to
    correctly retrieve all group memberships using LDAP calls due to ACLs on
    directory objects. The call to get that is called NetSamLogon on the
    NETLOGON pipe. But this call requires user credentials and might trigger
    updating counts on the server. So to correctly implement wbinfo -r after
    a user has logged in, you have two alternatives: Save the info3 struct
    or the PAC in the netsamlogon cache. If you insist on doing network
    calls, you need to cache the user credentials somewhere to re-do the
    NetSamLogon call every time the wbinfo -r is requested.
    
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/rpcclient.1.xml |   23 +++++++++++++++--------
 docs-xml/manpages/winbindd.8.xml  |    6 ++++--
 source3/winbindd/winbindd_ads.c   |    2 +-
 source3/winbindd/winbindd_cache.c |    4 ----
 source3/winbindd/winbindd_creds.c |    4 ----
 source3/winbindd/winbindd_msrpc.c |    6 ++----
 6 files changed, 22 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
index f50e4fa..8d08d27 100644
--- a/docs-xml/manpages/rpcclient.1.xml
+++ b/docs-xml/manpages/rpcclient.1.xml
@@ -430,7 +430,7 @@ Comma Separated list of Files
 	<title>FSRVP</title>
 	<variablelist>
 
-	<varlistentry><term>fss_is_path_sup</term>
+	<varlistentry><term>fss_is_path_sup <share></term>
 		<listitem>
 			<para>Check whether a share supports shadow-copy
 			requests</para>
@@ -441,29 +441,36 @@ Comma Separated list of Files
 			<para>Get supported FSRVP version from server</para>
 		</listitem>
 	</varlistentry>
-	<varlistentry><term>fss_create_expose</term>
+	<varlistentry><term>fss_create_expose <context> <[ro|rw]>
+					      <share1>
+					      [share2] ... [shareN]</term>
 		<listitem>
-			<para>Request shadow-copy creation and exposure</para>
+			<para>Request shadow-copy creation and exposure as a
+			new share</para>
 		</listitem>
 	</varlistentry>
-	<varlistentry><term>fss_delete</term>
+	<varlistentry><term>fss_delete <base_share>
+				       <shadow_copy_set_id>
+				       <shadow_copy_id></term>
 		<listitem>
 			<para>Request shadow-copy share deletion</para>
 	</listitem>
 	</varlistentry>
-	<varlistentry><term>fss_has_shadow_copy</term>
+	<varlistentry><term>fss_has_shadow_copy <base_share></term>
 		<listitem>
 			<para>Check for an associated share shadow-copy</para>
 		</listitem>
 	</varlistentry>
-	<varlistentry><term>fss_get_mapping</term>
+	<varlistentry><term>fss_get_mapping <base_share>
+					    <shadow_copy_set_id>
+					    <shadow_copy_id></term>
 		<listitem>
 			<para>Get shadow-copy share mapping information</para>
 		</listitem>
 	</varlistentry>
-	<varlistentry><term>fss_recovery_complete</term>
+	<varlistentry><term>fss_recovery_complete <shadow_copy_set_id></term>
 		<listitem>
-			<para>Flag read-write snapshot as recovery complete,
+			<para>Flag read-write shadow-copy as recovery complete,
 			allowing further shadow-copy requests</para>
 		</listitem>
 	</varlistentry>
diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
index acde022..e224620 100644
--- a/docs-xml/manpages/winbindd.8.xml
+++ b/docs-xml/manpages/winbindd.8.xml
@@ -183,12 +183,14 @@ hosts:		files wins
 
 		<varlistentry>
 		<term>-n</term>
-		<listitem><para>Disable caching. This means winbindd will
-		always have to wait for a response from the domain controller
+		<listitem><para>Disable some caching. This means winbindd will
+		often have to wait for a response from the domain controller
 		before it can respond to a client and this thus makes things
 		slower. The results will however be more accurate, since
 		results from the cache might not be up-to-date. This
 		might also temporarily hang winbindd if the DC doesn't respond.
+		This does not disable the samlogon cache, which is required for
+		group membership tracking in trusted environments.
 		</para></listitem>
 		</varlistentry>
 
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 628fd1c..921d408 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -503,7 +503,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 
 	/* try netsamlogon cache first */
 
-	if (winbindd_use_cache() && (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
+	if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
 	{
 		DEBUG(5,("query_user: Cache lookup succeeded for %s\n", 
 			 sid_string_dbg(sid)));
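Review bot: The comment `/* try netsamlogon cache first */` above the lookup in query_user does not record that the cache is now consulted even when winbindd runs with -n, so the `winbindd_use_cache()` guard is likely to be re-added later, as it was in the commit being reverted. I would extend it to `/* try netsamlogon cache first; deliberately not gated on winbindd_use_cache(), see bug 9125 */`. The same applies to the identical comment in msrpc_query_user in winbindd_msrpc.c. It is also worth stating there that the user data returned on this path can come from the cached info3 rather than from the DC, since operators may assume -n yields fresh data. query_user's body continues outside the hunk.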
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index c79d3b6..517a302 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1302,10 +1302,6 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
 	uint32 rid;
 	fstring tmp;
 
-	if (!winbindd_use_cache()) {
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-	}
-
 	if (!cache->tdb) {
 		return NT_STATUS_INTERNAL_DB_ERROR;
 	}
diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c
index a160f7a..6bbd0ff 100644
--- a/source3/winbindd/winbindd_creds.c
+++ b/source3/winbindd/winbindd_creds.c
@@ -38,10 +38,6 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
 	struct netr_SamInfo3 *info;
 	NTSTATUS status;
 
-	if (!winbindd_use_cache()) {
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-	}
-
 	status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 455de3d..39186f8 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -407,7 +407,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 {
 	struct rpc_pipe_client *samr_pipe;
 	struct policy_handle dom_pol;
-	struct netr_SamInfo3 *user = NULL;
+	struct netr_SamInfo3 *user;
 	TALLOC_CTX *tmp_ctx;
 	NTSTATUS status;
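Review bot: Dropping the `= NULL` initializer on `user` leaves the pointer indeterminate until the `netsamlogon_cache_get()` assignment in the next hunk. The statements between the declaration and that call are outside the hunk, so it cannot be confirmed from here that no early-exit path touches it. Keeping `struct netr_SamInfo3 *user = NULL;` costs nothing and keeps the later `if (user != NULL)` test well-defined if the lookup is ever made conditional again. msrpc_query_user's body starts and continues outside the hunk.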
 
@@ -425,9 +425,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 	}
 
 	/* try netsamlogon cache first */
-	if (winbindd_use_cache()) {
-		user = netsamlogon_cache_get(tmp_ctx, user_sid);
-	}
+	user = netsamlogon_cache_get(tmp_ctx, user_sid);
 	if (user != NULL) {
 		DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
 			sid_string_dbg(user_sid)));


-- 
Samba Shared Repository

