[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Sat Dec 24 20:05:03 UTC 2016
The branch, master has been updated
via 1e52bb9 krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5
via 6308671 auth/credentials: Add missing error code check for MIT Kerberos
via fd98174 auth/gensec: Fix typo in log message
via 99d8788 auth/gensec: Remove unneeded cli_credentials_set_conf() call
via 5aa00d9 WHATSNEW: Add text for AD DC changes
from 77b51ba ldb_tdb: avoid erroneous error messages
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1e52bb9c34a77c8c79f0bfc81317aded183ada59
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 23 07:22:27 2016 +0100
krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5
krb5_cc_copy_creds() expects an already initialized output cache.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Dec 24 21:04:23 CET 2016 on sn-devel-144
commit 630867196b9e9d1096443f979b32957c5a0d2be2
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 22 17:01:35 2016 +0100
auth/credentials: Add missing error code check for MIT Kerberos
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fd98174443543ee3a150a10b056b45c4663bd7f7
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 13 11:33:06 2016 +0100
auth/gensec: Fix typo in log message
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 99d87880282dad4f9a5a6d9f1018329bb00e5112
Author: David Mulder <dmulder at suse.com>
Date: Wed Dec 21 21:49:36 2016 +0100
auth/gensec: Remove unneeded cli_credentials_set_conf() call
The cli_credentials_set_client_gss_creds() will set the correct realm
from the gss creds.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: David Mulder <dmulder at suse.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 5aa00d92ad31a241376263029318182165ee6707
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 23 13:55:30 2016 +1300
WHATSNEW: Add text for AD DC changes
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 44 +++++++++++++++++++++++++++++++++++++
auth/credentials/credentials_krb5.c | 6 ++++-
lib/krb5_wrap/krb5_samba.c | 12 ++++++++++
source4/auth/gensec/gensec_gssapi.c | 16 ++++++++------
4 files changed, 70 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f542a5b..b512796 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -81,6 +81,48 @@ A new option, "unix only", enables this feature only for the UNIX owner
of the file, not affecting the SID owner in the Windows NT ACL of the
file. This can be used to emulate something very similar to folder quotas.
+Multi-process Netlogon support
+------------------------------
+
+The Netlogon server in the Samba AD DC can now run as multiple
+processes. The Netlogon server is a part of the AD DC that handles
+NTLM authentication on behalf of domain members, including file
+servers, NTLM-authenticated web servers and 802.1x gateways. The
+previous restriction to running as a single process has been removed,
+and it will now run in the same process model as the rest of the
+'samba' binary.
+
+As part of this change, the NETLOGON service will now run on a distinct
+TCP port, rather than being shared with all other RPC services (LSA,
+SAMR, DRSUAPI etc).
+
+new options for controlling TCP ports used for RPC services
+-----------------------------------------------------------
+
+The new 'rpc server port' option controls the default port used for
+RPC services other than Netlogon. The Netlogon server honours instead
+the 'rpc server port:netlogon' option. The default value for both
+these options is the first available port including or after 1024.
+
+Improve AD performance and replication improvements
+---------------------------------------------------
+
+Samba's LDB and replication code continues to improve, particularly in
+respect to the handling of large numbers of linked attributes. We now
+respect an 'uptodateness vector' which will dramatically reduce the
+over-replication of links from new DCs. We have also made the parsing
+of on-disk linked attributes much more efficient.
+
+DNS improvements
+---------------------------
+
+The samba-tool dns subcommand is now much more robust and can delete
+records in a number of situations where it was not possible to do so
+in the past.
+
+On the server side, DNS names are now more strictly validated.
+
+
CTDB changes
------------
@@ -145,6 +187,8 @@ smb.conf changes
kerberos encryption types New all
inherit owner New option
fruit:resource Spelling correction
+ lsa over netlogon New (deprecated) no
+ rpc server port New 0
KNOWN ISSUES
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index ca62e30..e974df9 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -581,7 +581,11 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
- if ((maj_stat == GSS_S_FAILURE) && (min_stat == (OM_uint32)KRB5_CC_END || min_stat == (OM_uint32) KRB5_CC_NOTFOUND)) {
+ if ((maj_stat == GSS_S_FAILURE) &&
+ (min_stat == (OM_uint32)KRB5_CC_END ||
+ min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
+ min_stat == (OM_uint32)KRB5_FCC_NOFILE))
+ {
/* This CCACHE is no good. Ensure we don't use it again */
cli_credentials_unconditionally_invalidate_ccache(cred);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a8eafcd..307be93 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2899,6 +2899,18 @@ krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
return krb5_cc_copy_cache(context, incc, outcc);
#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+ krb5_error_code ret;
+ krb5_principal princ = NULL;
+
+ ret = krb5_cc_get_principal(context, incc, &princ);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = krb5_cc_initialize(context, outcc, princ);
+ krb5_free_principal(context, princ);
+ if (ret != 0) {
+ return ret;
+ }
return krb5_cc_copy_creds(context, incc, outcc);
#else
#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a37a0a9..a6c4019 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -221,7 +221,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
ret = cli_credentials_get_server_gss_creds(machine_account,
gensec_security->settings->lp_ctx, &gcc);
if (ret) {
- DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
+ DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
error_message(ret)));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -1311,16 +1311,18 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
const char *error_string;
DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
- session_info->credentials = cli_credentials_init(session_info);
- if (!session_info->credentials) {
+
+ /*
+ * Create anonymous credentials for now.
+ *
+ * We will update them with the provided client gss creds.
+ */
+ session_info->credentials = cli_credentials_init_anon(session_info);
+ if (session_info->credentials == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(session_info->credentials);
-
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
--
Samba Shared Repository
More information about the samba-cvs
mailing list