[SCM] Samba Shared Repository - branch v4-2-test updated

Karolin Seeger kseeger at samba.org
Mon Oct 13 15:46:03 MDT 2014


The branch, v4-2-test has been updated
       via  2cd5450 libcli/smb: fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02
       via  066fb45 [PATCH] WHATSNEW: Added information about the VFS WORM module that is
       via  4cc2dda WHATSNEW: Fix typo.
       via  721033d WHATSNEW: Fix typos.
       via  63017ac [PATCH] WHATSNEW: Add more features for Samba 4.2
       via  25d26f4 WHATSNEW: Add samba-regedit.
       via  3430afa idmap_rfc2307: Fix a crash after connection problem to DC
      from  02e1c6b SO_PROTOCOL is platform-dependent

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit 2cd5450a4ee8b46cac18db17a0ac53d8178d0d34
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 6 14:19:39 2014 +0200

    libcli/smb: fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02
    
    If the connection starts with a SMB Negprot, the server only implies the
    selected dialect, but not the client's security mode.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10866
    (cherry picked from commit 3eef853f741d9349e45a1a87e453c52bf56c4774)
    
    Autobuild-User(v4-2-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-2-test): Mon Oct 13 23:45:08 CEST 2014 on sn-devel-104

commit 066fb45c848b2fd3c37849740d25d671f0d9e9ac
Author: Marc Muehlfeld <mmuehlfeld at samba.org>
Date:   Mon Oct 13 20:50:02 2014 +0200

    [PATCH] WHATSNEW: Added information about the VFS WORM module that is
    
     new in 4.2.

commit 4cc2ddac01c4dd023408145c5ee7b0377f9397ac
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Oct 13 20:48:00 2014 +0200

    WHATSNEW: Fix typo.
    
    Thanks to Rowland Penny <repenny241155 at gmail.com> for reporting.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 721033d3c63f3a495e667b6e336de27031b266c5
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Oct 13 20:44:33 2014 +0200

    WHATSNEW: Fix typos.
    
    Thanks to Michael Wood <esiotrot at gmail.com> for reporting.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 63017ac86332d5383a245c29be4f98d03fff469b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 13 20:36:21 2014 +0200

    [PATCH] WHATSNEW: Add more features for Samba 4.2
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 25d26f433c5b67eb8e3b97f922170d7d33c5d888
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Oct 10 09:43:04 2014 +0200

    WHATSNEW: Add samba-regedit.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 3430afabf1120a885a803859bb88245469478953
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Sep 17 13:23:11 2014 -0700

    idmap_rfc2307: Fix a crash after connection problem to DC
    
    When the connection to the DC has a problem, the code behind
    ads_do_search_retry closes the current connection and opens a new one.
    The new connection has a new struct LDAP to represent the connection. In
    this case, the LDAP pointer in the idmap_rfc2307_context becomes
    invalid.
    
    Fix this problem by updating the local pointer after calling
    ads_do_search_retry.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10837
    winbind crash in idmap_rfc2307 module

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                     |   80 ++++++++++++++++++++++++++++++++++++++
 libcli/smb/smbXcli_base.c        |    6 ++-
 source3/winbindd/idmap_rfc2307.c |    1 +
 3 files changed, 86 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index aaf17d9..bd11ce7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -170,6 +170,14 @@ use the following steps:
   $ make
   # make install
 
+Samba Registry Editor
+=====================
+
+The utitlity to browse the samba registry has been overhauled by our Google
+Summer of Code student Chris Davis. Now samba-regedit has a
+Midnight-Commander-like theme and UI experience. You can browse keys and edit
+the diffent value types. For a data value type a hexeditor has been
+implemented.
 
 ######################################################################
 Changes
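Review bot: the added "Samba Registry Editor" paragraph has spelling errors that will ship in the release notes: "utitlity" should be "utility" and "diffent" should be "different"; "hexeditor" would also read better as "hex editor". The tool is called "samba-regedit" in the second sentence but the first sentence only says "the samba registry", so naming the binary up front and capitalising "Samba" would make it easier to find.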
@@ -194,6 +202,54 @@ smb.conf changes
 KNOWN ISSUES
 ============
 
+Bad Password Lockout in the AD DC
+=================================
+
+Samba's AD DC now implements bad password lockout (on a per-DC basis).
+
+That is, incorrect password attempts are tracked, and accounts locked
+out if too many bad passwords are submitted.  There is also a grace
+period of 60 minutes on the previous password when used for NTLM
+authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).
+
+The relevant settings can be seen using 'samba-tool domain
+passwordsettings show' (the new settings being highlighted):
+
+Password informations for domain 'DC=samba,DC=example,DC=com'
+
+Password complexity: on
+Store plaintext passwords: off
+Password history length: 24
+Minimum password length: 7
+Minimum password age (days): 1
+Maximum password age (days): 42
+* Account lockout duration (mins): 30     *
+* Account lockout threshold (attempts): 0 *
+* Reset account lockout after (mins): 30  *
+
+These values can be set using 'samba-tool domain passwordsettings set'.
+
+Correct defaults in the smb.conf manpages
+=========================================
+
+The default values for smb.conf parameters are now correctly specified
+in the smb.conf manpage, even when they refer to build-time specified
+paths.  Provided Samba is built on a system with the right tools
+(xsltproc in particular) required to generate our man pages, then
+these will be built with the exact same embedded paths as used by the
+configuration parser at runtime.  Additionally, the default values
+read from the smb.conf manpage are checked by our test suite to match
+the values seen in testparm and used by the running binaries.
+
+Consistent behaviour between samba-tool testparm and testparm
+=============================================================
+
+With the exception of the registry backend, which remains only
+available in the file server, the behaviour of the smb.conf parser and
+the tools 'samba-tool testparm' and 'testparm' is now consistent,
+particularly with regard to default values.  Except with regard to
+registry shares, it is no longer needed to use one tool on the AD
+DC, and another on the file server.
 
 #######################################
 Reporting bugs & Development Discussion
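Review bot: the three new sections ("Bad Password Lockout in the AD DC", "Correct defaults in the smb.conf manpages", "Consistent behaviour between samba-tool testparm and testparm") are inserted directly below the "KNOWN ISSUES" heading shown in the context lines, so new features will be read as known issues; they belong with the other new-feature sections earlier in the file. In the lockout text, the sample output shows "Account lockout threshold (attempts): 0" while the paragraph above says accounts are locked out after too many bad passwords, so the note should state what a threshold of 0 means and that an administrator has to set it with 'samba-tool domain passwordsettings set' to get the described behaviour. The "(on a per-DC basis)" remark also deserves one sentence on what that implies for a domain with several DCs.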
@@ -208,6 +264,30 @@ the problem then you will probably be ignored.  All bug reports should
 be filed under the Samba 4.2 product in the project's Bugzilla
 database (https://bugzilla.samba.org/).
 
+VFS WORM module
+===============
+
+A VFS module for basic WORM (Write once read many) support has been
+added. It allows an additional layer on top of a Samba share, that provides
+a basic set of WORM functionality on the client side, to control the
+writeability of files and folders.
+
+As the module is simply an additional layer, share access and permissions
+work like expected - only WORM functionality is added on top. Removing the
+module from the share configuration, removes this layer again. The
+filesystem ACLs are not affected in any way from the module and treated
+as usual.
+
+The module does not provide complete WORM functions, like some archiving
+products do! It is not audit-proof, because the WORM function is only
+available on the client side, when accessing a share through SMB! If
+the same folder is shared by other services like NFS, the access only
+depents on the underlaying filesystem ACLs. Equally if you access the
+content directly on the server.
+
+For additional information, see
+https://wiki.samba.org/index.php/VFS/vfs_worm
+
 
 ======================================================================
 == Our Code, Our Bugs, Our Responsibility.
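Review bot: the "VFS WORM module" section is added after the paragraph that ends "database (https://bugzilla.samba.org/)", that is, inside the bug-reporting part of the file and just above the closing banner, where readers looking for new features will not find it; move it to the new-features part of WHATSNEW. The third paragraph carries the important limitation (enforcement applies only to SMB access, not to NFS or local access on the server) but has typos that weaken it: "depents" should be "depends" and "underlaying" should be "underlying". "work like expected" in the second paragraph would read better as "work as expected".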
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index ac81f7a..8a8bbd0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4649,7 +4649,11 @@ struct tevent_req *smb2cli_validate_negotiate_info_send(TALLOC_CTX *mem_ctx,
 	} else {
 		memset(buf+4, 0, 16);	/* ClientGuid */
 	}
-	SCVAL(buf, 20, conn->smb2.client.security_mode);
+	if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
+		SCVAL(buf, 20, conn->smb2.client.security_mode);
+	} else {
+		SCVAL(buf, 20, 0);
+	}
 	SCVAL(buf, 21, 0); /* reserved */
 
 	for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
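Review bot: the new condition reads state->conn->min_protocol while the SCVAL line inside the same branch uses conn->smb2.client.security_mode; use one pointer consistently so it is clear both refer to the same connection. The else branch that writes 0 at offset 20 needs a short comment giving the reason from the commit message (when the connection starts with an SMB Negprot the server only implies the selected dialect, not the client's security mode), because a zeroed security mode in a negotiate-validation request otherwise looks like a mistake. The comment should also say that min_protocol < PROTOCOL_SMB2_02 is being used as the indicator for "started with an SMB Negprot", since the visible condition does not test how the negotiation was actually performed.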
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 2b7a593..db8bab6 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -103,6 +103,7 @@ static NTSTATUS idmap_rfc2307_ads_search(struct idmap_rfc2307_context *ctx,
 
 	status = ads_do_search_retry(ctx->ads, bind_path,
 				     LDAP_SCOPE_SUBTREE, expr, attrs, result);
+	ctx->ldap = ctx->ads->ldap.ld;
 	return ads_ntstatus(status);
 }
 
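Review bot: the added "ctx->ldap = ctx->ads->ldap.ld;" runs unconditionally, before status is examined, so it also executes when ads_do_search_retry has failed; please confirm what ctx->ads->ldap.ld holds on the failure path and that later users of ctx->ldap cope with that value. A one-line comment above the assignment explaining that the retry may have replaced the underlying LDAP handle would stop a later cleanup from removing it as redundant. Since the cached ctx->ldap copy is what went stale, it is worth checking whether any other code path in this module can trigger a reconnect and needs the same refresh, or whether the cached pointer can be dropped in favour of reading ctx->ads->ldap.ld at the point of use.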


-- 
Samba Shared Repository

