[SCM] Samba Shared Repository - branch v4-1-test updated
Karolin Seeger
kseeger at samba.org
Sat Sep 27 15:13:03 MDT 2014
The branch, v4-1-test has been updated
via 7bbf54d nsswitch: Skip groups we were not able to map.
via bcc8912 s3: smbd - open logic fix.
via ad70de6 s3:smbd:open_file: use a more natural check.
via 4b3c8ad s3:smbd: fix a race in open code
via 6b1091dc s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs.
via 632e0bc s3-winbindd: Use correct realm for trusted domains in idmap child
via 5cf0aa0 libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL.
via 52b876a media_harmony: Fix a crash bug
from 62513b7 docs: mention incompatibility between kernel oplocks and streams_xattr
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test
- Log -----------------------------------------------------------------
commit 7bbf54d232e7a43833520a3eebda05fcdf8dca27
Author: Andreas Schneider <asn at samba.org>
Date: Fri Sep 19 13:33:10 2014 +0200
nsswitch: Skip groups we were not able to map.
If we have configured the idmap_ad backend it is possible that the user
is in a group without a gid set. This will result in (uid_t)-1 as the
gid. We return this invalid gid to NSS which is wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
Signed-off-by: Andreas Schneider <asn at samba.org>
Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-1-test): Sat Sep 27 23:12:49 CEST 2014 on sn-devel-104
commit bcc891287b9bde839af8514062360afc0bbcca81
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 11 10:03:01 2014 -0700
s3: smbd - open logic fix.
As we atomically create using O_CREAT|O_EXCL,
then if new_file_created is true, then
file_existed *MUST* have been false (even
if the file was previously detected as being
there).
We use the variable file_existed again in logic
below this statement, so we must set file_existed = false,
if new_file_created returns are true from open_file().
Based on a fix from Michael Adam.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10809
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Thu Sep 11 22:29:22 CEST 2014 on sn-devel-104
(cherry picked from commit 518247bf80372eb003cb67036b9d9e7fe8aac303)
commit ad70de6a07ee9e66727df55a6506e8911cf27a0c
Author: Michael Adam <obnox at samba.org>
Date: Wed Sep 10 21:58:04 2014 +0200
s3:smbd:open_file: use a more natural check.
As suggested by Jeremy Allison <jra at samba.org>.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9da09b52e8cc0453e694d85fc2bd82994138e20b)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10809
commit 4b3c8ad314a95bfc265b8d3ef7f6241c25f9f526
Author: Michael Adam <obnox at samba.org>
Date: Wed Sep 10 00:31:25 2014 +0200
s3:smbd: fix a race in open code
The race is when a file vanishes between
existence check and acl check.
In this case, open_file_ncreate() returns
OBJECT_NAME_NOT_FOUND even if the create
was called with disposition OPEN_IF.
But in this case, the file should be created.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8ae8c63da19459fd4f1166e11406da2c919b7ed0)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10809
commit 6b1091dcd9a32977542692e78cfa2c930a691404
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jul 16 12:41:55 2014 -0700
s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs.
There are places in the code where we're not checking that alt_name is NULL
and then calling into the DC lookup code with a NULL name request. This can
happen in offline mode.
Fixes bug #10717 - Winbind crash on losing VPN connection
https://bugzilla.samba.org/show_bug.cgi?id=10717
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
(cherry picked from commit 92da0b243c18546275c4736507188eba425a0732)
commit 632e0bc215abaec2a3e3a3f0e889c481ddb0ee42
Author: Christof Schmitt <cs at samba.org>
Date: Fri Aug 22 09:15:59 2014 -0700
s3-winbindd: Use correct realm for trusted domains in idmap child
When authenticating users in a trusted domain, the idmap_ad module
always connects to a local DC instead of one in the trusted domain.
Fix this by passing the correct realm to connect to.
Also Comment parameters passed to ads_cached_connection_connect
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10826
Using SFU id mapping fails for users from a trusted domain
commit 5cf0aa0601fca88b8de23053ce38e6194ded3caa
Author: Andreas Schneider <asn at samba.org>
Date: Wed Sep 17 15:17:50 2014 +0200
libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
Signed-off-by: Andreas Schneider <asn at samba.org>
commit 52b876a4e23b26fc1eaa120f462f3d642b5e7ff2
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 11 11:33:42 2014 +0000
media_harmony: Fix a crash bug
Now that the dust has settled, fix a crash bug that was hidden behind
the warnings...
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10813
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Fri Sep 12 02:45:40 CEST 2014 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb1cli_echo.c | 1 -
nsswitch/winbind_nss_linux.c | 5 ++
source3/modules/vfs_media_harmony.c | 4 +-
source3/smbd/open.c | 72 ++++++++++++++++++++++++++--------
source3/winbindd/winbindd_ads.c | 14 +++++-
source3/winbindd/winbindd_cm.c | 8 +++-
6 files changed, 79 insertions(+), 25 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
index 4fb7c60..10dff2d 100644
--- a/libcli/smb/smb1cli_echo.c
+++ b/libcli/smb/smb1cli_echo.c
@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
NULL, /* pbytes_offset */
NULL, /* pinbuf */
expected, ARRAY_SIZE(expected));
- TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
return;
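Review bot: Nothing in this hunk or in the commit message says who releases subreq now that TALLOC_FREE(subreq) is gone from smb1cli_echo_done(). The commit subject names a segfault in smbXcli_req_set_pending() on NULL but gives no body, so a reader cannot tell from here whether the free was a double free or whether the request is now owned elsewhere. A one-line comment at the removal site, or a sentence in the commit message naming the owner of subreq after the receive call, would make the lifetime rule checkable.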
diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
index 8d66a74..70ede3e 100644
--- a/nsswitch/winbind_nss_linux.c
+++ b/nsswitch/winbind_nss_linux.c
@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
continue;
}
+ /* Skip groups without a mapping */
+ if (gid_list[i] == (uid_t)-1) {
+ continue;
+ }
+
/* Filled buffer ? If so, resize. */
if (*start == *size) {
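Review bot: The sentinel in `if (gid_list[i] == (uid_t)-1)` is cast to uid_t although the value being tested is a group id and the function itself takes `gid_t group`. The comparison works where the two types have the same width and signedness, but (gid_t)-1 states the intent and stays correct if they ever differ. The comment could also say where the unmapped value comes from (the commit message attributes it to idmap_ad groups without a gid), since "without a mapping" alone does not explain why -1 can reach NSS.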
diff --git a/source3/modules/vfs_media_harmony.c b/source3/modules/vfs_media_harmony.c
index ce981e8..eedbc95 100644
--- a/source3/modules/vfs_media_harmony.c
+++ b/source3/modules/vfs_media_harmony.c
@@ -492,8 +492,8 @@ static int alloc_get_client_smb_fname(struct vfs_handle_struct *handle,
DEBUG(MH_INFO_DEBUG, ("Entering with smb_fname->base_name '%s'\n",
smb_fname->base_name));
- clientFname = cp_smb_filename(ctx, smb_fname);
- if (clientFname == NULL) {
+ *clientFname = cp_smb_filename(ctx, smb_fname);
+ if ((*clientFname) == NULL) {
DEBUG(MH_ERR_DEBUG, ("alloc_get_client_smb_fname "
"NTERR\n"));
errno = ENOMEM;
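Review bot: The commit message does not name the defect that `*clientFname = cp_smb_filename(ctx, smb_fname);` corrects, which is that the old line assigned the copy to the parameter itself, so the caller's pointer was never set and the NULL check tested the wrong object. Stating that in the message would help anyone backporting or auditing similar out-parameter code in this module. It is also worth confirming that the caller's pointer is set to NULL before this point, so that the ENOMEM path hands back a defined value; the visible lines do not show that.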
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 16d4307..6bb37e9 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -818,24 +818,51 @@ static NTSTATUS open_file(files_struct *fsp,
smb_fname,
false,
access_mask);
- } else if (local_flags & O_CREAT){
- status = check_parent_access(conn,
- smb_fname,
- SEC_DIR_ADD_FILE);
- } else {
- /* File didn't exist and no O_CREAT. */
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_file: "
+ "smbd_check_access_rights "
+ "on file %s returned %s\n",
+ smb_fname_str_dbg(smb_fname),
+ nt_errstr(status)));
+ }
+
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status,
+ NT_STATUS_OBJECT_NAME_NOT_FOUND))
+ {
+ return status;
+ }
+
+ if (NT_STATUS_EQUAL(status,
+ NT_STATUS_OBJECT_NAME_NOT_FOUND))
+ {
+ DEBUG(10, ("open_file: "
+ "file %s vanished since we "
+ "checked for existence.\n",
+ smb_fname_str_dbg(smb_fname)));
+ file_existed = false;
+ SET_STAT_INVALID(fsp->fsp_name->st);
+ }
}
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("open_file: "
- "%s on file "
- "%s returned %s\n",
- file_existed ?
- "smbd_check_access_rights" :
- "check_parent_access",
- smb_fname_str_dbg(smb_fname),
- nt_errstr(status) ));
- return status;
+
+ if (!file_existed) {
+ if (!(local_flags & O_CREAT)) {
+ /* File didn't exist and no O_CREAT. */
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ status = check_parent_access(conn,
+ smb_fname,
+ SEC_DIR_ADD_FILE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("open_file: "
+ "check_parent_access on "
+ "file %s returned %s\n",
+ smb_fname_str_dbg(smb_fname),
+ nt_errstr(status) ));
+ return status;
+ }
}
}
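Review bot: In the file_existed branch, status is tested three times in a row: once to log, once to return on anything other than NT_STATUS_OBJECT_NAME_NOT_FOUND, and once more to handle NT_STATUS_OBJECT_NAME_NOT_FOUND. A single if / else-if chain would read more directly, and it would avoid emitting two level-10 messages for the race case, where "smbd_check_access_rights ... returned" is followed immediately by "vanished since we checked for existence". The restructured `if (!file_existed)` block is a good change because the vanished-file path now goes through check_parent_access() with SEC_DIR_ADD_FILE before any create; a short comment saying that this ordering is deliberate would keep a later cleanup from folding the two blocks back together.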
@@ -2417,6 +2444,17 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
return fsp_open;
}
+ if (new_file_created) {
+ /*
+ * As we atomically create using O_CREAT|O_EXCL,
+ * then if new_file_created is true, then
+ * file_existed *MUST* have been false (even
+ * if the file was previously detected as being
+ * there).
+ */
+ file_existed = false;
+ }
+
if (file_existed && !check_same_dev_ino(&saved_stat, &smb_fname->st)) {
/*
* The file did exist, but some other (local or NFS)
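Review bot: Forcing `file_existed = false;` inside `if (new_file_created)` silently discards the earlier observation that the file was present, which is exactly the case that indicates the race occurred. A DEBUG line when file_existed was true at this point would make the event visible in logs instead of only correcting the flag. The comment relies on the create being done with O_CREAT|O_EXCL, but that is not visible in this hunk, so naming the place where those flags are set would let a reader verify the "MUST have been false" claim. saved_stat is left holding the pre-race value; if anything after the check_same_dev_ino() test reads it, it should be invalidated here too.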
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 4c26389..fb0bc26 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -169,6 +169,7 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
}
if (IS_DC) {
+ SMB_ASSERT(wb_dom->alt_name != NULL);
realm = SMB_STRDUP(wb_dom->alt_name);
} else {
struct winbindd_domain *our_domain = wb_dom;
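Review bot: `SMB_ASSERT(wb_dom->alt_name != NULL);` in the IS_DC branch replaces a NULL dereference in SMB_STRDUP with a deliberate panic, so the process still goes down if the condition is ever met. The commit message says alt_name can be NULL in offline mode, and the same commit returns an error status for that condition in get_trust_creds(). Unless the DC role guarantees a non-NULL alt_name, returning an ADS_STATUS error here would be the more defensive choice; if the guarantee does hold, a comment stating why would justify the assert.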
@@ -187,8 +188,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
}
}
- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
- password, realm, 0);
+ status = ads_cached_connection_connect(
+ adsp, /* Returns ads struct. */
+ wb_dom->alt_name, /* realm to connect to. */
+ dom_name, /* 'workgroup' name for ads_init */
+ ldap_server, /* DNS name to connect to. */
+ password, /* password for auth realm. */
+ realm, /* realm used for krb5 ticket. */
+ 0); /* renewable ticket time. */
+
SAFE_FREE(realm);
return status;
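Review bot: `wb_dom->alt_name` is now passed as the realm to connect to without any NULL check on the non-DC path; the only guard added in this function is the assert inside the IS_DC branch. Given that another commit in this same push exists because alt_name can be NULL, the call should either be preceded by a check that returns an error status or carry a comment explaining why alt_name cannot be NULL for a domain that reaches the idmap child. The per-argument comments are a clear improvement; "realm to connect to" versus "realm used for krb5 ticket" is the distinction that was previously lost by passing realm twice.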
@@ -217,7 +225,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
}
if ( IS_DC ) {
-
+ SMB_ASSERT(domain->alt_name != NULL);
realm = SMB_STRDUP(domain->alt_name);
}
else {
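Review bot: ads_cached_connection() returns an ADS_STRUCT pointer, so a NULL return is available as a non-fatal failure path, yet `SMB_ASSERT(domain->alt_name != NULL);` aborts instead. For a condition the commit message ties to losing connectivity, a logged `return NULL` would let the caller retry or go offline rather than restart the daemon. If the assert is kept, a comment noting that a DC always has a realm name would document the invariant it depends on.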
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 61917db..8bbc886 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -833,6 +833,10 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (our_domain->alt_name == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
if (asprintf(machine_krb5_principal, "%s$@%s",
account_name, our_domain->alt_name) == -1)
{
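Review bot: The new early return for `our_domain->alt_name == NULL` produces NT_STATUS_INVALID_PARAMETER with no log message, while the return just above it uses NT_STATUS_CANT_ACCESS_DOMAIN_INFO. A NULL alt_name here describes the state of the domain entry rather than a bad argument from the caller, so the status code may mislead whoever reads it in a trace. Adding a DEBUG line that names the domain, and considering a status that reflects missing domain information, would make this failure diagnosable.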
@@ -1199,7 +1203,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
/* For active directory servers, try to get the ldap server name.
None of these failures should be considered critical for now */
- if (lp_security() == SEC_ADS) {
+ if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
ADS_STRUCT *ads;
ADS_STATUS ads_status;
char addr[INET6_ADDRSTRLEN];
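Review bot: With `(lp_security() == SEC_ADS) && (domain->alt_name != NULL)` the LDAP server name lookup in dcip_to_name() is skipped silently when alt_name is NULL, which is indistinguishable in logs from running without ADS security. The existing comment says these failures are not critical, so skipping is reasonable, but a low-level DEBUG in the NULL case would show that the lookup was bypassed rather than attempted and failed.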
@@ -1327,7 +1331,7 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
return True;
}
- if (sec == SEC_ADS) {
+ if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
char *sitename = NULL;
/* We need to make sure we know the local site before
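Review bot: The new condition `(sec == SEC_ADS) && (domain->alt_name != NULL)` in get_dcs() sends an ADS-mode domain with a NULL alt_name down whatever path follows this block, and the changeset is truncated before that path is visible. A comment at the condition should say which lookup is expected to handle that case and that falling through is intended, so the behaviour for old NT-style domain entries is documented rather than implied.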
--
Samba Shared Repository