[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Wed Jul 24 14:38:03 MDT 2013


The branch, v4-1-test has been updated
       via  f65b92c pam_winbind: update documentation for "DIR" krb5ccname pragma.
       via  2978a06 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
       via  60be5a7 wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
       via  eb3b931 s3-waf: Rename regedit to samba-regedit.
       via  2e6fdd7 lib/param: sync debug related options with source3/param
       via  348cb51 lib/ldb-samba: only debug LDB_DEBUG_TRACE at level 10
       via  e92be34 lib/ldb-samba: make use of DBGC_LDB
       via  65fadd4 lib/util: add 'ldb' debug class
      from  2c8bd5b s3-winbind: Do not delete an existing valid credential cache.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit f65b92c0837d0ad0fe930a6755105e6663edb6b6
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:09:14 2013 +0200

    pam_winbind: update documentation for "DIR" krb5ccname pragma.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
    
    (cherry picked from commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb)
    
    The last 3 patches address bug #10043 - Allow to change the default location for
    Kerberos credential caches.
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Wed Jul 24 22:37:49 CEST 2013 on sn-devel-104

commit 2978a06c7773704552c351ac3bd011f4bf5a6a75
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:05:51 2013 +0200

    s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
    
    It is currently only available in MIT. In addition, allow to define custom
    filepaths for FILE, WRFILE and DIR pragmas and substitute one occurrence of the
    %u pattern.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit 7ad3a367d52b1f123c318946d654e95639202130)

commit 60be5a7710a204a685ae8edaab29f665d1285aa6
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:04:29 2013 +0200

    wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95)

commit eb3b931b97201a9455c8da4a2029a51c4580343b
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 19 16:08:39 2013 +0200

    s3-waf: Rename regedit to samba-regedit.
    
    This is needed cause wine already provides a binary with the name
    regedit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10040
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Kai Blin <kai at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Jul 22 14:12:38 CEST 2013 on sn-devel-104
    
    (cherry picked from commit b5051111d2fd3a9ae3b3aa028ccf013a98c20b38)

commit 2e6fdd7e0d109223502618c32c945dc80f401761
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 4 18:11:02 2013 +0200

    lib/param: sync debug related options with source3/param
    
    The most important change is "debug hires timestamp = Yes"
    and "syslog = 1".
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bj at sernet.de>
    
    Autobuild-User(master): Björn Jacke <bj at sernet.de>
    Autobuild-Date(master): Tue Jul  9 17:15:15 CEST 2013 on sn-devel-104
    (cherry picked from commit cd36a3e902813c065e14059d325f7628b06595aa)
    
    The last 4 patches fix bug #10015 - Fix/Improve debug options.

commit 348cb5137a9fd0c8db948ea90d5a92bad9c6cc76
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 9 13:56:35 2013 +0200

    lib/ldb-samba: only debug LDB_DEBUG_TRACE at level 10
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bj at sernet.de>
    (cherry picked from commit 5f93822ede7ec3dc79a8057174342b2c6bb94a3b)

commit e92be34b6df53da3f8c5a1f230bba1db130124d9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 9 13:56:08 2013 +0200

    lib/ldb-samba: make use of DBGC_LDB
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bj at sernet.de>
    (cherry picked from commit 8e0752f4d6feea35304377222d3dd487355e4120)

commit 65fadd46e49f8f8b21f0f2e094805a4bded9e914
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 9 13:55:44 2013 +0200

    lib/util: add 'ldb' debug class
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bj at sernet.de>
    (cherry picked from commit baecc863de0ceb64187c6eb3545bf28706bd84fc)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.conf.5.xml |   39 ++++++++++++++++++++++-------
 examples/pam_winbind/pam_winbind.conf    |    3 +-
 lib/ldb-samba/ldb_wrap.c                 |    4 ++-
 lib/param/loadparm.c                     |   18 +++++++++++++-
 lib/util/debug.c                         |    1 +
 lib/util/debug.h                         |    3 +-
 nsswitch/wbinfo.c                        |    6 +++-
 source3/winbindd/winbindd_pam.c          |   23 +++++++++++++++++
 source3/wscript_build                    |    2 +-
 9 files changed, 82 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 7098ff4..be7f684 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
 		<term>krb5_ccache_type = [type]</term>
 		<listitem><para>
 
-		When pam_winbind is configured to try kerberos authentication
-		by enabling the <parameter>krb5_auth</parameter> option, it can
-		store the retrieved Ticket Granting Ticket (TGT) in a
-		credential cache. The type of credential cache can be set with
-		this option. Currently the only supported value is:
-		<parameter>FILE</parameter>. In that case a credential cache in
-		the form of /tmp/krb5cc_UID will be created, where UID is
-		replaced with the numeric user id.  Leave empty to just do
-		kerberos authentication without having a ticket cache after the
-		logon has succeeded. This setting is empty by default.
+		When pam_winbind is configured to try kerberos authentication by
+		enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a credential
+		cache. The type of credential cache can be controlled with this
+		option.  The supported values are: <parameter>FILE</parameter>
+		and <parameter>DIR</parameter> (when the DIR type is supported
+		by the system's Kerberos library). In case of FILE a credential
+		cache in the form of /tmp/krb5cc_UID will be created -  in case
+		of DIR it will be located under the /run/user/UID/krb5cc
+		directory.  UID is replaced with the numeric user id.</para>
+
+		<para>It is also possible to define custom filepaths and use the "%u"
+		pattern in order to substitue the numeric user id.
+		Examples:</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+					<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+					<listitem><para>This will create a credential cache file.</para></listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para> Leave empty to just do kerberos authentication without
+			having a ticket cache after the logon has succeeded.
+			This setting is empty by default.
 
 		</para></listitem>
 		</varlistentry>
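
Review bot: in the added paragraph on custom filepaths, "substitue" should read "substitute", and the text lists only FILE and DIR as supported values while the winbindd_pam.c change in this same push also accepts a "WRFILE:/" prefix. Either document WRFILE here or note why it is deliberately left out of the man page.
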
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112..87bc388 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
 #
 # /etc/security/pam_winbind.conf
 #
+# For more details see man pam_winbind.conf(5)
 
 [global]
 
@@ -19,7 +20,7 @@
 # authenticate using kerberos
 ;krb5_auth = no
 
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
 # (leave empty to just do krb5 authentication but not have a ticket
 # afterwards)
 ;krb5_ccache_type =
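
Review bot: the updated comment above krb5_ccache_type names only the bare "FILE" and "DIR" types, so the custom path form with %u that the man page change describes (for example FILE:/tmp/krb5cc_%u) is missing from the example file. A commented-out sample line using that form would keep the example in step with pam_winbind.conf(5).
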
diff --git a/lib/ldb-samba/ldb_wrap.c b/lib/ldb-samba/ldb_wrap.c
index 028bd6f..65956ef 100644
--- a/lib/ldb-samba/ldb_wrap.c
+++ b/lib/ldb-samba/ldb_wrap.c
@@ -37,6 +37,8 @@
 #include "../lib/util/dlinklist.h"
 #include <tdb.h>
 
+#define DBGC_CLASS DBGC_LDB
+
 /*
   this is used to catch debug messages from ldb
 */
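
Review bot: the new "#define DBGC_CLASS DBGC_LDB" sits after the include block, but debug.h (see its "#ifndef DBGC_CLASS" guard further down in this push) expects the class to be defined before it is included. If any header above already pulled in debug.h, this line redefines the macro without an #undef. Put "#undef DBGC_CLASS" immediately before the define, or move the define above the includes.
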
@@ -58,7 +60,7 @@ static void ldb_wrap_debug(void *context, enum ldb_debug_level level,
 		samba_level = 2;
 		break;
 	case LDB_DEBUG_TRACE:
-		samba_level = 5;
+		samba_level = 10;
 		break;
 
 	};
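
Review bot: moving LDB_DEBUG_TRACE from samba_level 5 to 10 changes what an administrator sees at "log level = 5", and the commit message gives only the subject line. Add a sentence to the commit message or release notes saying that ldb trace output now needs level 10, so people debugging ldb know why the messages disappeared.
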
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 310f95a..455c5e6 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2083,6 +2083,15 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "log level", "0");
 
+	lpcfg_do_global_parameter(lp_ctx, "syslog", "1");
+	lpcfg_do_global_parameter(lp_ctx, "syslog only", "No");
+	lpcfg_do_global_parameter(lp_ctx, "debug timestamp", "Yes");
+	lpcfg_do_global_parameter(lp_ctx, "debug prefix timestamp", "No");
+	lpcfg_do_global_parameter(lp_ctx, "debug hires timestamp", "Yes");
+	lpcfg_do_global_parameter(lp_ctx, "debug pid", "No");
+	lpcfg_do_global_parameter(lp_ctx, "debug uid", "No");
+	lpcfg_do_global_parameter(lp_ctx, "debug class", "No");
+
 	lpcfg_do_global_parameter(lp_ctx, "share backend", "classic");
 
 	lpcfg_do_global_parameter(lp_ctx, "server role", "auto");
@@ -2302,7 +2311,14 @@ static bool lpcfg_update(struct loadparm_context *lp_ctx)
 	ZERO_STRUCT(settings);
 	/* Add any more debug-related smb.conf parameters created in
 	 * future here */
-	settings.timestamp_logs = true;
+	settings.syslog = lp_ctx->globals->syslog;
+	settings.syslog_only = lp_ctx->globals->bSyslogOnly;
+	settings.timestamp_logs = lp_ctx->globals->bTimestampLogs;
+	settings.debug_prefix_timestamp = lp_ctx->globals->bDebugPrefixTimestamp;
+	settings.debug_hires_timestamp = lp_ctx->globals->bDebugHiresTimestamp;
+	settings.debug_pid = lp_ctx->globals->bDebugPid;
+	settings.debug_uid = lp_ctx->globals->bDebugUid;
+	settings.debug_class = lp_ctx->globals->bDebugClass;
 	debug_set_settings(&settings);
 
 	/* FIXME: This is a bit of a hack, but we can't use a global, since 
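
Review bot: settings.timestamp_logs was hard-coded to true and now follows lp_ctx->globals->bTimestampLogs, so "debug timestamp = No" takes effect on this code path for the first time. The commit message calls out only "debug hires timestamp" and "syslog"; mention this one as well, and consider a test that loads a config with each of the eight options flipped, since the field-by-field copy here has to stay in sync with the defaults added in loadparm_init().
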
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 34aa76f..a46b275 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -178,6 +178,7 @@ static const char *default_classname_table[] = {
 	"registry",          /* DBGC_REGISTRY     */
 	"scavenger",         /* DBGC_SCAVENGER    */
 	"dns",               /* DBGC_DNS          */
+	"ldb",               /* DBGC_LDB          */
 	NULL
 };
 
diff --git a/lib/util/debug.h b/lib/util/debug.h
index 30df787..f7ebfc0 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -81,9 +81,10 @@ bool dbghdr( int level, const char *location, const char *func);
 #define DBGC_REGISTRY		19
 #define DBGC_SCAVENGER		20
 #define DBGC_DNS		21
+#define DBGC_LDB		22
 
 /* Always ensure this is updated when new fixed classes area added, to ensure the array in debug.c is the right size */
-#define DBGC_MAX_FIXED		21
+#define DBGC_MAX_FIXED		22
 
 /* So you can define DBGC_CLASS before including debug.h */
 #ifndef DBGC_CLASS
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 1d1557d..cfb430b 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2083,6 +2083,7 @@ int main(int argc, char **argv, char **envp)
 	bool use_lanman = false;
 	char *logoff_user = getenv("USER");
 	int logoff_uid = geteuid();
+	const char *opt_krb5ccname = "FILE";
 
 	struct poptOption long_options[] = {
 		POPT_AUTOHELP
@@ -2164,6 +2165,7 @@ int main(int argc, char **argv, char **envp)
 		{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
 			/* destroys wbinfo --help output */
 			/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
+		{ "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
 #endif
 		{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
 		{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
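
Review bot: the new "krb5ccname" entry uses the character literal '0' as its popt val, where the neighbouring long-only options use OPT_ constants (OPT_SEPARATOR, OPT_VERBOSE). A non-zero val is returned from poptGetNextOpt(), so the option loop has to handle '0' explicitly; use 0 if popt should only store the string, or add an OPT_KRB5CCNAME constant with a matching case. The help text also reads as if the option performs authentication by itself; something like "credential cache type to use with --krb5auth" would describe it more accurately.
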
@@ -2533,13 +2535,13 @@ int main(int argc, char **argv, char **envp)
 						 WBFLAG_PAM_INFO3_TEXT |
 						 WBFLAG_PAM_CONTACT_TRUSTDOM;
 
-				if (!wbinfo_auth_krb5(string_arg, "FILE",
+				if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
 						      flags)) {
 					d_fprintf(stderr,
 						"Could not authenticate user "
 						"[%s] with Kerberos "
 						"(ccache: %s)\n", string_arg,
-						"FILE");
+						opt_krb5ccname);
 					goto done;
 				}
 				break;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index aed4741..7b67154 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
 		}
+		if (strequal(type, "DIR")) {
+			gen_cc = talloc_asprintf(
+				mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+		}
+
+		if (strnequal(type, "FILE:/", 6) ||
+		    strnequal(type, "WRFILE:/", 8) ||
+		    strnequal(type, "DIR:/", 5)) {
+
+			/* we allow only one "%u" substitution */
+
+			char *p;
+
+			p = strchr(type, '%');
+			if (p != NULL) {
+
+				p++;
+
+				if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+					gen_cc = talloc_asprintf(mem_ctx, type, uid);
+				}
+			}
+		}
 	}
 
 	*user_ccache_file = gen_cc;
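
Review bot: in the custom-path branch the configured string is handed to talloc_asprintf() as the format string (talloc_asprintf(mem_ctx, type, uid)). The guard does limit it to a single "%u", but the safety of the call then depends entirely on that check staying correct; substitute explicitly instead (split the string at "%u" and print prefix, uid and suffix through a fixed format) so configured text is never interpreted as a format. Two smaller points in the same block: "p != NULL" after "p++" is always true and can go, and a path with no "%" at all, or with a rejected pattern, leaves gen_cc unassigned by this branch without any DEBUG message, so a misconfigured value is silently not applied here. A DEBUG line on the reject path would make that visible.
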
diff --git a/source3/wscript_build b/source3/wscript_build
index 19c6d08..a8bdaf0 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1615,7 +1615,7 @@ bld.SAMBA3_PYTHON('pylibsmb',
                   realname='samba/samba3/libsmb_samba_internal.so'
                   )
 
-bld.SAMBA3_BINARY('regedit',
+bld.SAMBA3_BINARY('samba-regedit',
                   source="""utils/regedit.c utils/regedit_samba3.c
                             utils/regedit_wrap.c utils/regedit_treeview.c
                             utils/regedit_valuelist.c utils/regedit_dialog.c
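
Review bot: the binary is renamed to 'samba-regedit' in bld.SAMBA3_BINARY(), and the diffstat shows wscript_build as the only file touched for this commit. Check whether any documentation, packaging file or test still refers to the old "regedit" name and update it in the same change, and add a release-note line since the installed command name changes for users.
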


-- 
Samba Shared Repository

