[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Jan 14 17:38:03 MST 2014
The branch, master has been updated
via 2c2f175 Revert "pam_winbind: fix segfault in pam_sm_authenticate()"
via 3a814e3 pam_winbind: Do not honour require_membership_of in the acct module parameters
via 6f4ec0c pam_winbind: Fix segfault caused by invalid configuration options
via e586e4b lib/param: fix unix extensions setting to be consistent with s3 and docs
via bd0f9f4 ntvfs: Remove CAP_UNIX from the ntvfs file server as it was never finished
from 24a6876 dfs: always call create_conn_struct with root privileges
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2c2f175b0d34b30813595a5c34290e325f775687
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Dec 16 16:51:10 2013 +1300
Revert "pam_winbind: fix segfault in pam_sm_authenticate()"
This reverts commit ec0f51b200d6e5b99bbd872e169621c17f33524c.
A more generic fix is now in use.
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jan 15 01:37:38 CET 2014 on sn-devel-104
commit 3a814e329bf5cf62a3d7c309b568b6dff5118960
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Dec 16 16:51:04 2013 +1300
pam_winbind: Do not honour require_membership_of in the acct module parameters
This needs a password to work, and it confuses users for it to appear to be valid here.
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss at samba.org>
commit 6f4ec0c0416772040903c4c236fb14384c1ded6f
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Dec 16 16:50:37 2013 +1300
pam_winbind: Fix segfault caused by invalid configuration options
This is a better fix for 8564 and will allow ec0f51b200d6e5b99bbd872e169621c17f33524c to be reverted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8564
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss at samba.org>
commit e586e4b50f3b2056abc81f62b8887a88036efd05
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jan 8 13:28:23 2014 +1300
lib/param: fix unix extensions setting to be consistent with s3 and docs
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>
commit bd0f9f4dec4151b6ab062711a4fcd3c296069c31
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 10 14:19:38 2014 +1300
ntvfs: Remove CAP_UNIX from the ntvfs file server as it was never finished
Only some of the unix extensions were implemented, but this was enough
to cause the samba3.smbtorture_s3.plain(dc).LARGE_READX to fail when they
are enabled (as is the default in source3/param).
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/pam_winbind.8.xml | 9 +++-
docs-xml/manpages/pam_winbind.conf.5.xml | 4 +-
lib/param/loadparm.c | 2 +-
nsswitch/pam_winbind.c | 70 ++++++++++++++++++++----------
source4/smb_server/smb/negprot.c | 4 --
5 files changed, 59 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index 4192130..08a8637 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -87,7 +87,14 @@
<parameter>MYDOMAIN\\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
user is a member of with <command>wbinfo --user-sids=SID</command>.
- </para></listitem>
+ </para>
+
+ <para>
+ This option must only be specified on a auth
+ module declaration, as it only operates in conjunction
+ with password authentication.
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
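Review bot: typo in the added paragraph, "on a auth module declaration" should read "on an auth module declaration". It would also help the reader to state what happens when the option is placed on an account line instead (the pam_winbind.c change makes it an error rather than silently ignoring it), so that administrators understand why an existing account entry can start failing after this update.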
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index b318a3b..bef9421 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -72,7 +72,9 @@
<parameter>MYDOMAIN\\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default.
- </para></listitem>
+ </para>
+ <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
+ </listitem>
</varlistentry>
<varlistentry>
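Review bot: the wording here differs from the one added to pam_winbind.8.xml in the previous hunk. This page says the option "only operates during password authentication", the other says it "must only be specified on a auth module declaration". The two statements are complementary (one describes the behaviour, the other the placement rule), so consider using the same two sentences in both manpages so a reader of either page learns both the restriction and the SSH-key caveat.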
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0e41aec..47acb04 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2174,7 +2174,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
- lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "False");
+ lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
lpcfg_do_global_parameter(lp_ctx, "PreferredMaster", "Auto");
lpcfg_do_global_parameter(lp_ctx, "LocalMaster", "True");
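Review bot: flipping the built-in default of "UnixExtensions" from False to True is a behaviour change for every source4 deployment that does not set the parameter explicitly, and the commit message only says it aligns with s3 and the docs. Please add a line to the release notes or WHATSNEW, and note that with the negprot.c hunk below removing CAP_UNIX the new default has no effect on the ntvfs file server itself.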
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index cd5e7ba..258e5ac 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -14,6 +14,17 @@
#include "pam_winbind.h"
+enum pam_winbind_request_type
+{
+ PAM_WINBIND_AUTHENTICATE,
+ PAM_WINBIND_SETCRED,
+ PAM_WINBIND_ACCT_MGMT,
+ PAM_WINBIND_OPEN_SESSION,
+ PAM_WINBIND_CLOSE_SESSION,
+ PAM_WINBIND_CHAUTHTOK,
+ PAM_WINBIND_CLEANUP
+};
+
static int wbc_error_to_pam_error(wbcErr status)
{
switch (status) {
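Review bot: the new enum pam_winbind_request_type has no comment explaining its purpose. A one-line comment saying it identifies which pam_sm_* entry point is running so that _pam_parse can accept or reject options depending on the module type would make the later "type ==" checks self-explanatory.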
@@ -140,7 +151,7 @@ static const char *_pam_error_code_str(int err)
#define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
do { \
_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
- function " returning %d (%s)", ctx->pamh, retval, \
+ function " returning %d (%s)", ctx ? ctx->pamh : NULL, retval, \
_pam_error_code_str(retval)); \
_pam_log_state(ctx); \
} while (0)
@@ -261,7 +272,7 @@ static void _pam_log_debug(struct pwb_context *r, int err, const char *format, .
{
va_list args;
- if (!_pam_log_is_debug_enabled(r->ctrl)) {
+ if (!r || !_pam_log_is_debug_enabled(r->ctrl)) {
return;
}
@@ -348,7 +359,7 @@ static char *iniparser_getstring_nonempty(dictionary *d, char *key, char *def)
static void _pam_log_state(struct pwb_context *ctx)
{
- if (!_pam_log_is_debug_state_enabled(ctx->ctrl)) {
+ if (!ctx || !_pam_log_is_debug_state_enabled(ctx->ctrl)) {
return;
}
@@ -384,6 +395,7 @@ static int _pam_parse(const pam_handle_t *pamh,
int flags,
int argc,
const char **argv,
+ enum pam_winbind_request_type type,
dictionary **result_d)
{
int ctrl = 0;
@@ -475,11 +487,15 @@ config_from_pam:
ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
else if (!strcasecmp(*v, "unknown_ok"))
ctrl |= WINBIND_UNKNOWN_OK_ARG;
- else if (!strncasecmp(*v, "require_membership_of",
- strlen("require_membership_of")))
+ else if ((type == PAM_WINBIND_AUTHENTICATE
+ || type == PAM_WINBIND_SETCRED)
+ && !strncasecmp(*v, "require_membership_of",
+ strlen("require_membership_of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
- else if (!strncasecmp(*v, "require-membership-of",
- strlen("require-membership-of")))
+ else if ((type == PAM_WINBIND_AUTHENTICATE
+ || type == PAM_WINBIND_SETCRED)
+ && !strncasecmp(*v, "require-membership-of",
+ strlen("require-membership-of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
else if (!strcasecmp(*v, "krb5_auth"))
ctrl |= WINBIND_KRB5_AUTH;
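Review bot: when type is not AUTHENTICATE or SETCRED, a "require_membership_of=" option no longer matches these two branches and falls through to the final "unknown option" branch, so the error logged for an account or session line reads "pam_parse: unknown option: require_membership_of=...", which is misleading and will send administrators looking for a spelling mistake. Suggest a dedicated branch for the other types that logs something like "require_membership_of is only valid on auth and setcred module declarations" before returning -1. Also note that this gate only covers options given on the PAM line under config_from_pam; whether the same setting read from pam_winbind.conf through the dictionary is gated the same way is not visible in this hunk and should be checked.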
@@ -490,7 +506,7 @@ config_from_pam:
ctrl |= WINBIND_CACHED_LOGIN;
else if (!strcasecmp(*v, "mkhomedir"))
ctrl |= WINBIND_MKHOMEDIR;
- else {
+ else if (type != PAM_WINBIND_CLEANUP) {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
return -1;
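Review bot: the new "type != PAM_WINBIND_CLEANUP" guard looks unreachable: the only CLEANUP caller passes argc 0 and argv NULL (see the _pam_winbind_cleanup_func hunk), so this option loop never executes for cleanup. Either drop the condition or add a comment explaining which path it is meant to protect, otherwise a later reader will assume cleanup can reach here with real options.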
@@ -526,6 +542,7 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
int flags,
int argc,
const char **argv,
+ enum pam_winbind_request_type type,
struct pwb_context **ctx_p)
{
struct pwb_context *r = NULL;
@@ -545,7 +562,7 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
r->flags = flags;
r->argc = argc;
r->argv = argv;
- r->ctrl = _pam_parse(pamh, flags, argc, argv, &r->dict);
+ r->ctrl = _pam_parse(pamh, flags, argc, argv, type, &r->dict);
if (r->ctrl == -1) {
TALLOC_FREE(r);
return PAM_SYSTEM_ERR;
@@ -560,7 +577,7 @@ static void _pam_winbind_cleanup_func(pam_handle_t *pamh,
void *data,
int error_status)
{
- int ctrl = _pam_parse(pamh, 0, 0, NULL, NULL);
+ int ctrl = _pam_parse(pamh, 0, 0, NULL, PAM_WINBIND_CLEANUP, NULL);
if (_pam_log_is_debug_state_enabled(ctrl)) {
__pam_log_debug(pamh, ctrl, LOG_DEBUG,
"[pamh: %p] CLEAN: cleaning up PAM data %p "
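Review bot: the -1 that _pam_parse returns on failure is not checked here before ctrl is handed to _pam_log_is_debug_state_enabled. Since -1 has every bit set, a parse failure would make every ctrl flag test succeed, including debug state logging. This predates the patch, but since the call is being touched anyway, a "if (ctrl == -1) ctrl = 0;" (or an early return) after the call would close it.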
@@ -2449,7 +2466,8 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
}
static int _pam_delete_cred(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
+ int argc, enum pam_winbind_request_type type,
+ const char **argv)
{
int retval = PAM_SUCCESS;
struct pwb_context *ctx = NULL;
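Review bot: style point on the new signature: inserting type between argc and argv splits the argc/argv pair, and is inconsistent with _pam_winbind_init_context in the earlier hunk, which takes type after argv. Suggest "int argc, const char **argv, enum pam_winbind_request_type type" here and in the pam_sm_setcred call site so the two helpers take the same argument order.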
@@ -2460,7 +2478,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
ZERO_STRUCT(logoff);
- retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ retval = _pam_winbind_init_context(pamh, flags, argc, argv, type, &ctx);
if (retval) {
goto out;
}
@@ -2595,7 +2613,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
char *real_username = NULL;
struct pwb_context *ctx = NULL;
- retval = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ retval = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_AUTHENTICATE, &ctx);
if (retval) {
goto out;
}
@@ -2732,10 +2751,9 @@ out:
_pam_free_data_info3(pamh);
}
- if (ctx != NULL) {
- _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
- TALLOC_FREE(ctx);
- }
+ _PAM_LOG_FUNCTION_LEAVE("pam_sm_authenticate", ctx, retval);
+
+ TALLOC_FREE(ctx);
return retval;
}
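Review bot: removing the "if (ctx != NULL)" guard is only safe because the _PAM_LOG_FUNCTION_LEAVE macro, _pam_log_debug and _pam_log_state were all made NULL-tolerant earlier in this patch, and TALLOC_FREE(NULL) is a no-op. Please add a short comment here saying that ctx may be NULL when _pam_winbind_init_context failed and that the logging helpers handle it, so a future refactor of the logging code does not quietly reintroduce the crash from bug 8564.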
@@ -2747,7 +2765,8 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
int ret = PAM_SYSTEM_ERR;
struct pwb_context *ctx = NULL;
- ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_SETCRED, &ctx);
if (ret) {
goto out;
}
@@ -2757,7 +2776,8 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
switch (flags & ~PAM_SILENT) {
case PAM_DELETE_CRED:
- ret = _pam_delete_cred(pamh, flags, argc, argv);
+ ret = _pam_delete_cred(pamh, flags, argc,
+ PAM_WINBIND_SETCRED, argv);
break;
case PAM_REFRESH_CRED:
_pam_log_debug(ctx, LOG_WARNING,
@@ -2801,7 +2821,8 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
const char *tmp = NULL;
struct pwb_context *ctx = NULL;
- ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_ACCT_MGMT, &ctx);
if (ret) {
goto out;
}
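Review bot: with the new type gate in _pam_parse, an "account" line that carries require_membership_of now makes _pam_parse return -1, _pam_winbind_init_context return PAM_SYSTEM_ERR, and pam_sm_acct_mgmt fail, where previously the option was accepted. Failing closed is the right direction, but configurations that list the option on both the auth and account lines (a common copy-and-paste pattern) will stop working after upgrade, so this deserves an explicit mention in the commit message and release notes rather than only in the manpage.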
@@ -2896,7 +2917,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
int ret = PAM_SUCCESS;
struct pwb_context *ctx = NULL;
- ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_OPEN_SESSION, &ctx);
if (ret) {
goto out;
}
@@ -2922,7 +2944,8 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
int ret = PAM_SUCCESS;
struct pwb_context *ctx = NULL;
- ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_CLOSE_SESSION, &ctx);
if (ret) {
goto out;
}
@@ -3008,7 +3031,8 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
struct wbcAuthErrorInfo *error = NULL;
struct pwb_context *ctx = NULL;
- ret = _pam_winbind_init_context(pamh, flags, argc, argv, &ctx);
+ ret = _pam_winbind_init_context(pamh, flags, argc, argv,
+ PAM_WINBIND_CHAUTHTOK, &ctx);
if (ret) {
goto out;
}
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index 8621666..7c1d3a7 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -263,10 +263,6 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
capabilities |= CAP_EXTENDED_SECURITY;
}
- if (lpcfg_unix_extensions(req->smb_conn->lp_ctx)) {
- capabilities |= CAP_UNIX;
- }
-
if (lpcfg_large_readwrite(req->smb_conn->lp_ctx)) {
capabilities |= CAP_LARGE_READX | CAP_LARGE_WRITEX | CAP_W2K_SMBS;
}
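Review bot: after this removal the ntvfs server never advertises CAP_UNIX regardless of the "unix extensions" setting, while the loadparm.c hunk in the same series turns that setting on by default. Consider documenting in the smb.conf manpage that the parameter is ignored by the source4 ntvfs file server, so administrators do not expect unix extensions to be negotiated there.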
--
Samba Shared Repository