[SCM] Samba Shared Repository - branch v4-1-stable updated

Karolin Seeger kseeger at samba.org
Fri Oct 11 01:50:35 MDT 2013


The branch, v4-1-stable has been updated
       via  a6fb418 VERSION: Bump version number up to 4.1.0...
       via  13b7959 WHATSNEW: Add release notes for Samba 4.1.0.
       via  82d6a43 doc: Update documentation of pam_winbind krb5 support.
       via  5a55cb6 s3-winbind: Add support for the kernel krb5 keyring buffer.
       via  58038f6 s3-winbind: Don't set a default directory for DIR.
       via  996415f Revert "Support UPN_DNS_INFO in the PAC"
       via  76c4a51 Merge tag 'samba-4.1.0rc4' into v4-1-test
       via  7160446 VERSION: Bump version up to 4.1.0rc5...
      from  fcf3fd6 VERSION: Disable git snapshots for the 4.1.0rc4 release.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                  |    2 +-
 WHATSNEW.txt                             |   34 +++++++++++++++++++----------
 docs-xml/manpages/pam_winbind.conf.5.xml |   26 +++++++++++++++--------
 librpc/idl/krb5pac.idl                   |   16 ++++++--------
 source3/winbindd/winbindd_pam.c          |    4 +-
 5 files changed, 49 insertions(+), 33 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 74fa8d6..9576855 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c01cb70..857a7ce 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,10 +1,10 @@
-Release Announcements
-=====================
+                   =============================
+                   Release Notes for Samba 4.1.0
+                         October 11, 2013
+                   =============================
 
-This is the fourth release candidate of Samba 4.1.  This is *not*
-intended for production environments and is designed for testing
-purposes only.  Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
+
+This is is the first stable release of Samba 4.1.
 
 Samba 4.1 will be the next version of the Samba suite and includes
 all the technology found in both the Samba4 series and the stable 3.x
@@ -12,12 +12,7 @@ series. The primary additional features over Samba 3.6 are
 support for the Active Directory logon protocols used by Windows 2000
 and above.
 
-If you are upgrading, or looking to develop, test or deploy Samba 4.1
-releases candidates, you should backup all configuration and data.
-
-
-NEW FEATURES
-============
+Major enhancements in Samba 4.1.0 include:
 
 Client tools support SMB2/3
 ===========================
@@ -126,6 +121,10 @@ REMOVED COMPONENTS
 ==================
 
 The Samba Web Administration Tool (SWAT) has been removed.
+Details why SWAT has been removed can be found on the samba-technical mailing
+list:
+
+https://lists.samba.org/archive/samba-technical/2013-February/090572.html
 
 
 ######################################################################
@@ -166,6 +165,17 @@ o   David Disseldorp <ddiss at samba.org>
       SMB2 FSCTL_SRV_COPYCHUNK request.
 
 
+CHANGES SINCE 4.1.0rc4
+======================
+
+o   Stefan Metzmacher <metze at samba.org>
+    * BUG 10178: Fix PAC parsing failure.
+
+
+o   Andreas Schneider <asn at samba.org>
+    * BUG 10132: pam_winbindd: Support the KEYRING ccache type.
+
+
 CHANGES SINCE 4.1.0rc3
 ======================
 
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684..725e809 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
 		<term>krb5_ccache_type = [type]</term>
 		<listitem><para>
 
-		When pam_winbind is configured to try kerberos authentication by
-		enabling the <parameter>krb5_auth</parameter> option, it can
-		store the retrieved Ticket Granting Ticket (TGT) in a credential
-		cache. The type of credential cache can be controlled with this
-		option.  The supported values are: <parameter>FILE</parameter>
-		and <parameter>DIR</parameter> (when the DIR type is supported
-		by the system's Kerberos library). In case of FILE a credential
+		When pam_winbind is configured to try kerberos authentication
+		by enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a
+		credential cache. The type of credential cache can be
+		controlled with this option.  The supported values are:
+		<parameter>KEYRING</parameter> (when supported by the system's
+		Kerberos library and Kernel), <parameter>FILE</parameter> and
+		<parameter>DIR</parameter> (when the DIR type is supported by
+		the system's Kerberos library). In case of FILE a credential
 		cache in the form of /tmp/krb5cc_UID will be created -  in case
-		of DIR it will be located under the /run/user/UID/krb5cc
-		directory.  UID is replaced with the numeric user id.</para>
+		of DIR you NEED to specify a directory. UID is replaced with
+		the numeric user id.</para>
+
+		<para>When using the KEYRING type, the supported mechanism is
+		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
+		kernel keyring to store credentials on a per-UID basis. This is
+		the recommended choice on latest Linux distributions, as it is
+		the most secure and predictable method.</para>
 
 		<para>It is also possible to define custom filepaths and use the "%u"
 		pattern in order to substitue the numeric user id.
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 0fce16b..8a6540c 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -37,20 +37,18 @@ interface krb5pac
 		[size_is(num_transited_services)] lsa_String *transited_services;
 	} PAC_CONSTRAINED_DELEGATION;
 
-	typedef [public,bitmap32bit] bitmap {
-		UDI_ACCT_HAS_NO_UPN	= 0x00000001 /* 1= User account has no UPN */
-	} upn_dns_info_flags;
-
 	typedef struct {
 		[value(2*strlen_m(upn_name))] uint16 upn_size;
 		uint16 upn_offset;
 		[value(2*strlen_m(domain_name))] uint16 domain_size;
 		uint16 domain_offset;
-		upn_dns_info_flags flags;
-		uint32 padding;
+		uint16 unknown3; /* 0x01 */
+		uint16 unknown4;
+		uint32 unknown5;
 		[charset(UTF16)] uint8 upn_name[upn_size+2];
 		[charset(UTF16)] uint8 domain_name[domain_size+2];
-	} PAC_UPN_DNS_INFO;
+		uint32 unknown6; /* padding */
+	} PAC_UNKNOWN_12;
 
 	typedef [public] struct {
 		PAC_LOGON_INFO *info;
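Review bot: `PAC_UNKNOWN_12` lays out `upn_name` and `domain_name` as if they followed `unknown5` directly and never consults `upn_offset` or `domain_offset`, yet nothing on the typedef says this layout is unconfirmed. The only arm that would use it is commented out in the last hunk of this file, so a comment above the struct would keep it from being wired back in unchecked, for example `/* Layout not confirmed; not used for parsing. The size and offset fields come from the PAC buffer and must be checked against its length before this is enabled. */`. The `unknown3` to `unknown6` members would also benefit from a word on what has been observed in them, beyond the existing `0x01` and `padding` remarks.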
@@ -66,7 +64,7 @@ interface krb5pac
 		PAC_TYPE_KDC_CHECKSUM = 7,
 		PAC_TYPE_LOGON_NAME = 10,
 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
-		PAC_TYPE_UPN_DNS_INFO = 12
+		PAC_TYPE_UNKNOWN_12 = 12
 	} PAC_TYPE;
 
 	typedef struct {
@@ -80,12 +78,12 @@ interface krb5pac
 		[case(PAC_TYPE_LOGON_NAME)]	PAC_LOGON_NAME logon_name;
 		[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
-		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
 		/* when new PAC info types are added they are supposed to be done
 		   in such a way that they are backwards compatible with existing
 		   servers. This makes it safe to just use a [default] for
 		   unknown types, which lets us ignore the data */
 		[default]	[subcontext(0)] DATA_BLOB_REM unknown;
+		/* [case(PAC_TYPE_UNKNOWN_12)]	PAC_UNKNOWN_12 unknown; */
 	} PAC_INFO;
 
 	typedef [public,nopush,nopull,noprint] struct {
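Review bot: The commented-out arm on the added line reuses the member name `unknown`, which the `[default]` arm directly above it already declares, so it could not be re-enabled as written, and it gives no reason for being disabled. A short explanatory comment would serve better than dead code, e.g. `/* PAC_TYPE_UNKNOWN_12 is intentionally left to [default] and kept as an opaque blob */`. The WHATSNEW hunk in this changeset lists a PAC parsing failure (BUG 10178), which is presumably the reason; if so, the comment should name it.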
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7b67154..c356686 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,9 +492,9 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
 		}
-		if (strequal(type, "DIR")) {
+		if (strequal(type, "KEYRING")) {
 			gen_cc = talloc_asprintf(
-				mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+				mem_ctx, "KEYRING:persistent:%d", uid);
 		}
 
 		if (strnequal(type, "FILE:/", 6) ||
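Review bot: The added `"KEYRING:persistent:%d"` format prints `uid` with a signed conversion. If `uid` is a `uid_t` (inferred, since the parameter list is cut off in the hunk header), a UID above INT_MAX would be rendered as a negative number, and the generated name would not refer to that user's persistent keyring. Formatting it as unsigned avoids that: `mem_ctx, "KEYRING:persistent:%u", (unsigned int)uid);`. The unchanged `WRFILE:/tmp/krb5cc_%d` line above has the same pattern. The body of generate_krb5_ccache starts and ends outside the hunk, so whether `gen_cc` is checked for NULL after these branches is not visible here.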


-- 
Samba Shared Repository

