[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Fri Mar 27 18:23:03 MDT 2015


The branch, v4-1-test has been updated
       via  af95423 s3: client - "client use spnego principal = yes" code checks wrong name.
       via  2f46746 docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
       via  c9a9483 s3:winbind:grent: don't stop group enumeration when a group has no gid
      from  f5e3b94 s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit af954230197daf391c71c521268f17e30610bd7e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 19 13:10:33 2015 -0700

    s3: client - "client use spnego principal = yes" code checks wrong name.
    
    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
    
    https://bugzilla.samba.org/show_bug.cgi?id=10888
    
    Code patch from <martin.wilck at ts.fujitsu.com>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Mar 26 00:56:25 CET 2015 on sn-devel-104
    
    (cherry picked from commit e8932b92016fc7ece3169635fbe3d98cb0caa36b)
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Sat Mar 28 01:22:31 CET 2015 on sn-devel-104

commit 2f46746071dbea6cdd30d3629899bb473db08afb
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 19 13:09:21 2015 -0700

    docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
    
    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
    
    https://bugzilla.samba.org/show_bug.cgi?id=10888
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
    (cherry picked from commit c9299bd6a4e86dbec10ab7741056f331a18c44a0)

commit c9a9483aed2056be37f827989ab0fa74970c9fb1
Author: Michael Adam <obnox at samba.org>
Date:   Mon Jan 19 13:51:55 2015 +0100

    s3:winbind:grent: don't stop group enumeration when a group has no gid
    
    simply continue with the next group
    
    Note: this patch introduces some code duplication to make it
    easier to create minimal backport patch. Subsequent patches
    will provide some refactoring to reduce the duplication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=8905
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 24015224da1f363019d9d2da81ce533463a16abb)

-----------------------------------------------------------------------

Summary of changes:
 .../security/clientusepsnegoprincipal.xml          |  7 +++
 lib/param/param_table.c                            |  2 +-
 source3/libsmb/cliconnect.c                        |  2 +-
 source3/winbindd/wb_next_grent.c                   | 51 +++++++++++++++++++++-
 4 files changed, 59 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
index 6ec1eb1..792a738 100644
--- a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -14,6 +14,10 @@
     servers known only by IP address.  Kerberos relies on names, so
     ordinarily cannot function in this situation. </para>
 
+    <para>This is a VERY BAD IDEA for security reasons, and so this
+    parameter SHOULD NOT BE USED. It will be removed in a future
+    version of Samba.</para>
+
     <para>If disabled, Samba will use the name used to look up the
     server when asking the KDC for a ticket.  This avoids situations
     where a server may impersonate another, soliciting authentication
@@ -23,6 +27,9 @@
     <para>Note that Windows XP SP2 and later versions already follow
     this behaviour, and Windows Vista and later servers no longer
     supply this 'rfc4178 hint' principal on the server side.</para>
+
+    <para>This parameter is deprecated in Samba 4.2.1 and will be removed
+    (along with the functionality) in a later release of Samba.</para>
 </description>
 <value type="default">no</value>
 </samba:parameter>
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 8e3f952..d590bd1 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -739,7 +739,7 @@ static struct parm_struct parm_table[] = {
 		.offset		= GLOBAL_VAR(client_use_spnego_principal),
 		.special	= NULL,
 		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED,
+		.flags		= FLAG_ADVANCED | FLAG_DEPRECATED,
 	},
 	{
 		.label		= "username",
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 5255e8a..b545cd9 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1670,7 +1670,7 @@ static char *cli_session_setup_get_principal(
 	char *principal = NULL;
 
 	if (!lp_client_use_spnego_principal() ||
-	    strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+	    strequal(spnego_principal, ADS_IGNORE_PRINCIPAL)) {
 		spnego_principal = NULL;
 	}
 	if (spnego_principal != NULL) {
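Review bot: The check on `spnego_principal` has no comment saying that this value is the hint supplied by the server, or what `ADS_IGNORE_PRINCIPAL` stands for. That makes a mix-up like the old one easy to miss, since `principal` is still NULL from its initializer when this condition runs. I would add above the `if`: `/* spnego_principal is the unauthenticated hint from the server; drop it unless "client use spnego principal" is set, and always drop the RFC 4178 "please ignore" placeholder. */`. The body of cli_session_setup_get_principal continues outside the hunk, so how a retained hint is used afterwards cannot be judged from here.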
diff --git a/source3/winbindd/wb_next_grent.c b/source3/winbindd/wb_next_grent.c
index d3b0333..d932384 100644
--- a/source3/winbindd/wb_next_grent.c
+++ b/source3/winbindd/wb_next_grent.c
@@ -168,9 +168,58 @@ static void wb_next_grent_getgrsid_done(struct tevent_req *subreq)
 	status = wb_getgrsid_recv(subreq, talloc_tos(), &domname, &name,
 				  &state->gr->gr_gid, &state->members);
 	TALLOC_FREE(subreq);
-	if (tevent_req_nterror(req, status)) {
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+		state->gstate->next_group += 1;
+
+		if (state->gstate->next_group >= state->gstate->num_groups) {
+			TALLOC_FREE(state->gstate->groups);
+
+			if (state->gstate->domain == NULL) {
+				state->gstate->domain = domain_list();
+			} else {
+				state->gstate->domain = state->gstate->domain->next;
+			}
+
+			if ((state->gstate->domain != NULL) &&
+			    sid_check_is_our_sam(&state->gstate->domain->sid))
+			{
+				state->gstate->domain = state->gstate->domain->next;
+			}
+
+			if (state->gstate->domain == NULL) {
+				tevent_req_nterror(req,
+						   NT_STATUS_NO_MORE_ENTRIES);
+				return;
+			}
+
+			subreq = dcerpc_wbint_QueryGroupList_send(
+				state, state->ev,
+				dom_child_handle(state->gstate->domain),
+				&state->next_groups);
+			if (tevent_req_nomem(subreq, req)) {
+				return;
+			}
+
+			tevent_req_set_callback(subreq,
+						wb_next_grent_fetch_done, req);
+			return;
+		}
+
+		subreq = wb_getgrsid_send(
+			state, state->ev,
+			&state->gstate->groups[state->gstate->next_group].sid,
+			state->max_nesting);
+		if (tevent_req_nomem(subreq, req)) {
+			return;
+		}
+		tevent_req_set_callback(subreq, wb_next_grent_getgrsid_done,
+					req);
+		return;
+	} else if (tevent_req_nterror(req, status)) {
 		return;
 	}
+
 	if (!fill_grent(talloc_tos(), state->gr, domname, name,
 			state->gr->gr_gid)) {
 		DEBUG(5, ("fill_grent failed\n"));
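Review bot: The `NT_STATUS_NONE_MAPPED` branch skips the group without logging which SID had no gid, so an administrator looking at an incomplete group enumeration has nothing in the winbindd log to correlate it with. I would add a debug line before `state->gstate->next_group += 1;`, for example `DEBUG(10, ("skipping group %s: no gid mapped\n", sid_string_dbg(&state->gstate->groups[state->gstate->next_group].sid)));`. Separately, when the branch advances to the next domain it frees `state->gstate->groups` but leaves `next_group` and `num_groups` at their old values. Presumably `wb_next_grent_fetch_done` resets them, but that callback is not visible here and is worth confirming. wb_next_grent_getgrsid_done starts and ends outside the hunk.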


-- 
Samba Shared Repository

