[SCM] Samba Shared Repository - branch v4-6-stable updated
Karolin Seeger
kseeger at samba.org
Tue Mar 7 09:27:16 UTC 2017
The branch, v4-6-stable has been updated
via f17816a VERSION: Disable GIT_SNAPSHOTS for the 4.6.0 release.
via 93e804a WHATSNEW: Update release notes for Samba 4.6.0.
via 5fe0984 Re-enable token groups fallback
via 501d5d9 winbindd: find the domain based on the sid within wb_lookupusergroups_send()
via d08929e Revert "winbind: Remove wb_lookupusergroups"
via 86c025f Revert "winbind: Remove wbint_LookupUserGroups"
via 0c68d73 Revert "winbind: Remove wb_cache_lookup_usergroups"
via 06f5398 Revert "winbind: Remove wcache_lookup_usergroups"
via 3e6f1d5 Revert "winbind: Remove validate_ug"
via f4d5d16 Revert "winbind: Remove "lookup_usergroups" winbind method"
via d7b5e92 Revert "winbind: Remove rpc_lookup_usergroups"
via 76e643c WHATSNEW: Add release notes for Samba 4.6.0.
via 53b73f1 s4:ldap_server: match windows in the error messages of failing LDAP Bind requests
via 00e45e9 ldb-samba: remember the error string of a failing bind in ildb_connect()
via 632c6b5 s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained.
via 525752e0 s3:winbindd: fix endless forest trust scan
via 605e069 vfs_fruit: enabling AAPL extensions must be a global switch
via f9755bf ctdb-logging: CID 1396883 Dereference null return value (NULL_RETURNS)
via 888f433 WHATSNEW: Add idmap_hash deprecation warning
via 824faf6 idmap_hash: Add a deprecation message
via fdb1522 docs: Improve the idmap_hash manpage
via 145e98c s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
via f43ff04 gensec:spnego: Add debug message for the failed principal
via 83628b4 vfs_fruit: only veto AppleDouble files with fruit:resource=file
via f355f68 s4/torture: vfs_fruit: add stream with illegal ntfs characters to copyile test
via 9b9e88b vfs_fruit: use stat info from base_fsp
via d35e6f6 s4/torture: vfs_fruit: test invalid AFPINFO_STREAM_NAME
via 05d0b6d vfs_fruit: ignore or delete invalid AFP_AfpInfo streams
via aad3ccc selftest: add shares without vfs_fruit for the vfs_fruit tests
via 0631c0e s4/torture: change shares in used torture_suite_add_2ns_smb2_test()
via 8478500 docs/vfs_fruit: document known limitations with fruit:encoding=native
via 5f1284e s4/torture: add test for AAPL find with name with illegal NTFS characters
via 7f3c130 lib/torture: add torture_assert_mem_equal_goto
via 72031de s4/torture: add a vfs_fruit renaming test with open rsrc fork
via 81c8fd4 s4/torture: vfs_fruit: test deleting a file with resource fork
via 3d5674d s4/torture: vfs_fruit: add test_null_afpinfo test
via 64feccf selftest: add description to vfs_fruit testsuites
via 82b2bb2 selftest: also run vfs_fruit tests with streams_depot
via d6197d6 selftest: run vfs_fruit tests against share with fruit:metadata=stream
via b98e7ac selftest: move vfs_fruit tests that require "fruit:metadata=netatalk" to vfs.fruit_netatalk
via 7fb2f57 selftest: reenable vfs_fruit tests
via 31f7562 vfs_fruit: refactor fruit_ftruncate and use new adouble API
via 94616d1 vfs_fruit: use fio in fruit_fallocate
via 3e1a5bb vfs_fruit: refactor fruit_fstat and use new adouble API
via 408d21f vfs_fruit: refactor fruit_pread and fruit_pwrite and use new adouble API
via 96b51a4 vfs_fruit: refactor fruit_open and use new adouble API
via a55528b vfs_fruit: rework struct adouble API
via db79f89 selftest: disable vfs_fruit tests
via a6a0583 vfs_fruit: fix fruit_check_access()
via abf4ab6 vfs_fruit: remove base_fsp name translation
via d8d8360 vfs_fruit: use SMB_VFS_NEXT_OPEN in two places
via 3c7331a vfs_fruit: refactor readdir_attr_macmeta() resource fork size
via 9870810 vfs_fruit: refactor fruit_ftruncate() and fix stream case
via 744a042 vfs_fruit: fix fruit_ntimes() for the fruit:metadata!=netatalk case
via 41407c6 vfs_fruit: refactor fruit_streaminfo()
via ad59cbc vfs_fruit: add fruit_stat_rsrc_xattr() implementation
via 39c321f vfs_fruit: add fruit_stat_rsrc_stream() implementation
via 2a76f87 vfs_fruit: refactor fruit_stat_rsrc()
via 70842a8 vfs_fruit: refactor fruit_open_rsrc()
via 5a54bed vfs_fruit: in fruit_rmdir() check ._ files before deleting them
via a3c2db7 vfs_fruit: fix fruit_rmdir() for the fruit:resource!=file case
via e59e603 vfs_fruit: fix fruit_chown() for the fruit:resource!=file case
via 66c0572 vfs_fruit: fix fruit_chmod() for the fruit:resource!=file case
via 0ee7ebd vfs_fruit: refactor fruit_unlink()
via 6f43b66 vfs_fruit: fix fruit_rename() for the fruit:resource!=file case
via a72ad4f vfs_fruit: correct readdir_attr_meta_finderi_stream() implementation
via 5f568b9 vfs_fruit: refactor readdir_attr_meta()
via e074745 vfs_fruit: update_btime() is only needed for metadata=netatalk
via 8c32b40 vfs_fruit: correct fruit_stat_meta_stream() implementation
via 3365eca vfs_fruit: refactor fruit_stat_meta()
via b78855d vfs_fruit: correct fruit_open_meta_stream() implementation
via ebaecdb vfs_fruit: refactor fruit_open_meta()
via 159b2cc vfs_fruit: replace unsafe ad_entry macro with a function
via 3629253 vfs_fruit: fix fruit_pwrite() with metadata=stream
via 63a5419 vfs_fruit: rename empty_finderinfo() and make it more robust
via 1b04a91 vfs_fruit: fix fruit_ftruncate with metadata=stream
via 295f1c7 vfs_fruit: fix fruit_pread with metadata=stream
via 1b2b24d vfs_catia: add catia_(g|s)et_dos_attributes
via b13942e vfs_catia: add catia_readdir_attr
via af24b2f vfs_catia: run translation on all handle based VFS functions
via 26c4b5e vfs_streams_xattr: use SMB_VFS_NEXT_OPEN and CLOSE
via 6ceb756 vfs_streams_xattr: call SMB_VFS_OPEN with smb_fname_base
via 4a85fd6 s3/includes: add FinderInfo offset define to MacExtensions.h
via 30e2bff selftest: don't run vfs_fruit tests against ad_dc env
via 7a29fe4 s3:winbind: work around coverity false positive.
via d4ac505 ctdb: Fix posible NULL deref in logging_init()
via 002bfb9 s3:librpc: Fix OM_uint32 comparsion in if-clause
via 7dddc61 s3:librpc: Make sure kt_curser and kt_entry are initialized
via 3e5207d pam_winbind: Return if we do not have a domain
via efeb8b3 s3:lib: Do not segfault if username is NULL
via 17463ee s3:torture: Fix uint64_t comparsion in if-clause
via f34ff6a s4:torture: Make sure handles are initialized
via 33fdd9f ndrdump: Fix a possible NULL pointer dereference
via c240402 s3-vfs: Do not deref a NULL pointer in shadow_copy2_snapshot_to_gmt()
via c563d22 s4-kcc: Do not dereference a NULL pointer
via 2281afd s4-torture: Use the correct variable type in torture_smb2_maxfid()
via f50fa9f VERSION: Bump version up to 4.6.0rc5...
from 7600d32 VERSION: Disable git snapshots for the 4.6.0rc4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 117 +-
auth/gensec/spnego.c | 58 +-
ctdb/common/logging.c | 8 +
docs-xml/manpages/idmap_hash.8.xml | 24 +-
docs-xml/manpages/vfs_fruit.8.xml | 20 +-
lib/ldb-samba/ldb_ildap.c | 1 +
lib/torture/torture.h | 10 +
librpc/idl/winbind.idl | 5 +
librpc/tools/ndrdump.c | 4 +
nsswitch/pam_winbind.c | 10 +-
selftest/target/Samba3.pm | 24 +
source3/include/MacExtensions.h | 3 +
source3/lib/util_cmdline.c | 5 +-
source3/librpc/crypto/gse.c | 46 +-
source3/librpc/crypto/gse_krb5.c | 7 +-
source3/modules/vfs_catia.c | 1355 +++++++++-
source3/modules/vfs_fruit.c | 3525 ++++++++++++++++++-------
source3/modules/vfs_shadow_copy2.c | 3 +
source3/modules/vfs_streams_xattr.c | 14 +-
source3/selftest/tests.py | 7 +-
source3/smbd/smb2_server.c | 14 +-
source3/torture/torture.c | 4 +-
source3/winbindd/idmap_hash/idmap_hash.c | 4 +
source3/winbindd/wb_gettoken.c | 28 +-
source3/winbindd/wb_lookupusergroups.c | 106 +
source3/winbindd/winbindd.h | 8 +
source3/winbindd/winbindd_ads.c | 385 +++
source3/winbindd/winbindd_cache.c | 162 ++
source3/winbindd/winbindd_dual_srv.c | 17 +
source3/winbindd/winbindd_list_users.c | 2 +-
source3/winbindd/winbindd_msrpc.c | 72 +
source3/winbindd/winbindd_proto.h | 15 +
source3/winbindd/winbindd_reconnect.c | 21 +
source3/winbindd/winbindd_reconnect_ads.c | 22 +
source3/winbindd/winbindd_rpc.c | 74 +
source3/winbindd/winbindd_rpc.h | 9 +
source3/winbindd/winbindd_samr.c | 65 +
source3/winbindd/winbindd_util.c | 22 +
source3/winbindd/wscript_build | 1 +
source4/dsdb/kcc/garbage_collect_tombstones.c | 4 +-
source4/ldap_server/ldap_bind.c | 37 +-
source4/torture/smb2/maxfid.c | 8 +-
source4/torture/smb2/rename.c | 24 +
source4/torture/vfs/fruit.c | 409 ++-
source4/torture/vfs/vfs.c | 37 +-
46 files changed, 5625 insertions(+), 1173 deletions(-)
create mode 100644 source3/winbindd/wb_lookupusergroups.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index ba5e85f..28167de 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a2f647a..66597bf 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,17 +1,27 @@
Release Announcements
=====================
-This is the fourth release candidate of Samba 4.6. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-
-Samba 4.6 will be the next version of the Samba suite.
+This is the first stable release of Samba 4.6.
+Please read the release notes carefully before upgrading.
UPGRADING
=========
+ID Mapping
+----------
+We discovered that the majority of users have an invalid or incorrect
+ID mapping configuration. We implemented checks in the 'testparm' tool to
+validate the ID mapping configuration. You should run it and check if it prints
+any warnings or errors after upgrading! If it does you should fix them. See the
+'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
+There are some ID mapping backends which are not allowed to be used for the
+default backend. Winbind will no longer start if an invalid backend is
+configured as the default backend.
+
+To avoid problems in future we advise all users to run 'testparm' after
+changing the smb.conf file!
+
vfs_fruit option "fruit:resource" spelling correction
-----------------------------------------------------
@@ -30,20 +40,6 @@ next Samba version 4.7 will not accept the wrong spelling.
Users who were using the wrong spelling "ressource" with two "s" can keep the
setting, but are advised to switch to the correct spelling.
-ID Mapping
-----------
-We discovered that the majority of users have an invalid or incorrect
-ID mapping configuration. We implemented checks in the 'testparm' tool to
-validate the ID mapping configuration. You should run it and check if it prints
-any warnings or errors after upgrading! If it does you should fix them. See the
-'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
-There are some ID mapping backends which are not allowed to be used for the
-default backend. Winbind will no longer start if an invalid backend is
-configured as the default backend.
-
-To avoid problems in future we advise all users to run 'testparm' after
-changing the smb.conf file!
-
vfs_fruit Netatalk metadata xattr name on *BSD
----------------------------------------------
@@ -93,7 +89,7 @@ The OS Version for the printing server has been increased to announce
Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
check the smb.conf manpage for details.
-new option for owner inheritance
+New option for owner inheritance
--------------------------------
The "inherit owner" smb.conf parameter instructs smbd to set the
owner of files to be the same as the parent directory's owner.
@@ -189,9 +185,9 @@ CTDB changes
Symbolic debug levels are recommended. See the DEBUG LEVEL section
of ctdb(7) for details.
-* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
+* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
- See ctdb-tunables(7) for details
+ See ctdb-tunables(7) for details.
* CTDB's configuration tunables should be consistently set across a cluster
@@ -200,16 +196,14 @@ CTDB changes
* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
- To build/install these, use the --enable-etcd-reclock and
- --enable-ceph-reclock configure options.
+ To build/install these, use the "--enable-etcd-reclock" and
+ "--enable-ceph-reclock" configure options.
winbind changes
---------------
-4.6 winbind simplifies the calculation of supplementary groups to make
-it more reliable and predictable. Before 4.6, winbind contained code
-that tried to emulate the group membership calculation that domain
-controllers do when a user logs in. This group membership calculation
+winbind contains code that tries to emulate the group membership calculation
+that domain controllers do when a user logs in. This group membership calculation
is a very complex process, in particular for domain trust relationship
situations. Also, in many scenarios it is impossible for winbind to
correctly do this calculation due to access restrictions in the
@@ -221,14 +215,21 @@ calculates the user's group memberships authoritatively and makes the
information available to the Samba server. This is the only reliable
way Samba can get informed about the groups a user is member of.
-Because of its flakiness, the fallback group membership code was
-removed.
+Because of its flakiness, the fallback group membership code is unwished,
+and our code pathes try hard to only use of the group memberships
+calculated by the domain controller.
+
+However, a lot of admins rely on the fallback behavior in order to support
+access for nfs access, ssh public key authentication and passwordless sudo.
+
+That's the reason for changing this back between 4.6.0rc4 and 4.6.0
+(See BUG 12612).
+
+The winbind change to simplify the calculation of supplementary groups to make
+it more reliable and predictable has been deferred to 4.7 or later.
-This means that "id <username>" without the user having logged in
-previously stops showing any supplementary groups. Also, it will show
-"DOMAIN\Domain Users" as the primary group. Once the user has logged
-in, "id <username>" will correctly show the primary group and
-supplementary group list.
+This means that 'id <username>' without the user having logged in
+previously works similar to 4.5.
winbind primary group and nss info
----------------------------------
@@ -268,6 +269,12 @@ files and directories in a directory tree.
-?, --help Show this help message
--usage Display brief usage message
+idmap_hash
+----------
+
+The idmap_hash module is marked as deprecated with this release and will be
+removed in a future version. See the manpage of the module for details.
+
smb.conf changes
================
@@ -287,6 +294,42 @@ KNOWN ISSUES
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.6#Release_blocking_bugs
+CHANGES SINCE 4.6.0rc4
+======================
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 12592: Fix several issues found by covscan.
+ * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send
+ queue is drained.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream.
+ * BUG 12526: vfs_fruit: Only veto AppleDouble files if "fruit:resource" is
+ set to "file".
+ * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12612: Re-enable token groups fallback.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 9048: Samba4 ldap error codes.
+ * BUG 12557: gensec:spnego: Add debug message for the failed principal.
+ * BUG 12605: s3:winbindd: Fix endless forest trust scan.
+ * BUG 12612: winbindd: Find the domain based on the sid within
+ wb_lookupusergroups_send().
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token()
+ correctly.
+ * BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash
+ manpage.
+ * BUG 12592: Fix several issues found by covscan.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 12592: ctdb-logging: CID 1396883 Dereference null return value
+ (NULL_RETURNS).
+
+
CHANGES SINCE 4.6.0rc3
======================
@@ -415,7 +458,7 @@ o Martin Schwenke <martin at meltin.net>
* BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to
send.
* BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp".
- * BUG 12516: /etc/iproute2/rt_tables gets populated with multiple
+ * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple
'default' entries.
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 4787892..f063f7b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
- /* Pretend we never started it (lets the first run find some incompatible demand) */
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+
+ if (all_sec[i+1].op != NULL) {
+ next = all_sec[i+1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal,
+ next, nt_errstr(nt_status)));
- DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
continue;
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+
+ if (all_sec[i+1].op != NULL) {
+ next = all_sec[i+1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal,
+ next, nt_errstr(nt_status)));
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
/* Pretend we never started it (lets the first run find some incompatible demand) */
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index 3d586bf..8e547c9 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -521,7 +521,15 @@ int logging_init(TALLOC_CTX *mem_ctx, const char *logging,
}
name = strtok(str, ":");
+ if (name == NULL) {
+ talloc_free(str);
+ return EINVAL;
+ }
option = strtok(NULL, ":");
+ /*
+ * option can be NULL here, both setup()
+ * backends handle this.
+ */
for (i=0; i<ARRAY_SIZE(log_backend); i++) {
if (strcmp(log_backend[i].name, name) == 0) {
diff --git a/docs-xml/manpages/idmap_hash.8.xml b/docs-xml/manpages/idmap_hash.8.xml
index 6e876e6..9a56519 100644
--- a/docs-xml/manpages/idmap_hash.8.xml
+++ b/docs-xml/manpages/idmap_hash.8.xml
@@ -13,17 +13,35 @@
<refnamediv>
<refname>idmap_hash</refname>
- <refpurpose>Samba's idmap_hash Backend for Winbind</refpurpose>
+ <refpurpose>DO NOT USE THIS BACKEND</refpurpose>
</refnamediv>
<refsynopsisdiv>
<title>DESCRIPTION</title>
- <para>The idmap_hash plugin implements a hashing algorithm used to map
+ <para>DO NOT USE THIS PLUGIN
+
+ The idmap_hash plugin implements a hashing algorithm used to map
SIDs for domain users and groups to 31-bit uids and gids, respectively.
This plugin also implements the nss_info API and can be used
to support a local name mapping files if enabled via the
"winbind normalize names" and "winbind nss info"
parameters in smb.conf.
+ The module divides the range into subranges for each domain that is being
+ handled by the idmap config.
+
+ The module needs the complete UID and GID range to be able to map all
+ SIDs. The lowest value for the range should be the smallest ID
+ available in the system. This is normally 1000. The highest ID should
+ be set to 2147483647.
+
+ A smaller range will lead to issues because of the hashing algorithm
+ used. The overall range to map all SIDs is 0 - 2147483647. Any range
+ smaller than 0 - 2147483647 will filter some SIDs. As we can normally
+ only start with 1000, we are not able to map 1000 SIDs. This already
+ can lead to issues. The smaller the range the less SIDs can be mapped.
+
+ We do not recommend to use this plugin. It will be removed in a future
+ release of Samba.
</para>
</refsynopsisdiv>
@@ -53,7 +71,7 @@
<programlisting>
[global]
idmap config * : backend = hash
- idmap config * : range = 1000-4000000000
+ idmap config * : range = 1000-2147483647
winbind nss info = hash
winbind normalize names = yes
diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index fe0cd3c..fa86b6f 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -154,9 +154,13 @@
<para>Controls how the set of illegal NTFS ASCII
character, commonly used by OS X clients, are stored in
- the filesystem:</para>
+ the filesystem.</para>
- <itemizedlist>
+ <para><emphasis>Important:</emphasis> this is known to not fully
+ work with <emphasis>fruit:metadata=stream</emphasis> or
+ <emphasis>fruit:resource=stream</emphasis>.</para>
+
+ <itemizedlist>
<listitem><para><command>private (default)</command> -
store characters as encoded by the OS X client: mapped
@@ -220,10 +224,14 @@
<varlistentry>
<term>fruit:veto_appledouble = yes | no</term>
<listitem>
- <para>Whether ._ AppleDouble files are vetoed which
- prevents the client from seing and accessing internal
- AppleDouble files created by vfs_fruit itself for the
- purpose of storing a Mac resource fork.</para>
+ <para><emphasis>Note:</emphasis> this option only applies when
+ <parameter>fruit:resource</parameter> is set to
+ <parameter>file</parameter> (the default).</para>
+
+ <para>When <parameter>fruit:resource</parameter> is set to
+ <parameter>file</parameter>, vfs_fruit may create ._ AppleDouble
+ files. This options controls whether these ._ AppleDouble files
+ are vetoed which prevents the client from accessing them.</para>
<para>Vetoing ._ files may break some applications, eg
extracting Mac ZIP archives from Mac clients failes,
because they contain ._ files. Setting this option to
diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index 65f11db..541971f 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -863,6 +863,7 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
return LDB_SUCCESS;
failed:
+ ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status));
talloc_free(module);
if (NT_STATUS_IS_LDAP(status)) {
return NT_STATUS_LDAP_CODE(status);
diff --git a/lib/torture/torture.h b/lib/torture/torture.h
index 45332b2..b6d1301 100644
--- a/lib/torture/torture.h
+++ b/lib/torture/torture.h
@@ -357,6 +357,16 @@ void torture_result(struct torture_context *test,
} \
} while(0)
+#define torture_assert_mem_equal_goto(torture_ctx,got,expected,len,ret,label,cmt) \
+ do { const void *__got = (got), *__expected = (expected); \
+ if (memcmp(__got, __expected, len) != 0) { \
+ torture_result(torture_ctx, TORTURE_FAIL, \
+ __location__": "#got" of len %d did not match "#expected": %s", (int)len, cmt); \
+ ret = false; \
+ goto label; \
+ } \
+ } while(0)
+
static inline void torture_dump_data_str_cb(const char *buf, void *private_data)
{
char **dump = (char **)private_data;
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 6245e13..05db6b9 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -103,6 +103,11 @@ interface winbind
[out] wbint_RidArray *rids
);
+ NTSTATUS wbint_LookupUserGroups(
+ [in] dom_sid *sid,
+ [out] wbint_SidArray *sids
+ );
+
NTSTATUS wbint_QuerySequenceNumber(
[out] uint32 *sequence
);
diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
index d534e3c..d8b9916 100644
--- a/librpc/tools/ndrdump.c
+++ b/librpc/tools/ndrdump.c
@@ -493,6 +493,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...)
bool differ;
ndr_v_push = ndr_push_init_ctx(mem_ctx);
+ if (ndr_v_push == NULL) {
+ printf("No memory\n");
+ exit(1);
+ }
if (assume_ndr64) {
ndr_v_push->flags |= LIBNDR_FLAG_NDR64;
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index b78c6bd..dca2c29 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -2479,10 +2479,14 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
if (!name) {
return NULL;
}
- if ((p = strchr(name, '@')) != NULL) {
- *p = 0;
- domain = p + 1;
+
+ p = strchr(name, '@');
+ if (p == NULL) {
+ TALLOC_FREE(name);
+ return NULL;
}
+ *p = '\0';
+ domain = p + 1;
/* Convert the UPN to a SID */
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f05eb16..013e8d5 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1661,6 +1661,30 @@ sub provision($$$$$$$$)
fruit:locking = netatalk
fruit:encoding = native
+[vfs_fruit_metadata_stream]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr
+ ea support = yes
+ fruit:resource = file
+ fruit:metadata = stream
+
+[vfs_fruit_stream_depot]
+ path = $shrdir
+ vfs objects = fruit streams_depot acl_xattr
+ ea support = yes
--
Samba Shared Repository
More information about the samba-cvs
mailing list