[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Wed Jan 10 04:20:03 UTC 2018
The branch, master has been updated
via a078042 selftest: split a large system invocation line
via ee6e0b1 selftest: split a large system invocation line
via 584a8ac selftest: split a large system invocation line
via 686fc41 selftest: set wrapper env variables when running net groupmap
via 53f709d selftest: remove second loop waiting for winbindd from wait_for_start()
via 0f5b1bd selftest: fix creation of builtin users in wait_for_start
via a206cf2 s4:dns_server: avoid debug noise on successful updates
via 09da62f s4:lib/tls: fix the developer build without gnutls support
via b1c88c0 WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'
via 0341e83 docs-xml: deprecate "server schannel" and change the default to "yes"
via 3a7d931 selftest: explicitly configure some dcs with 'server schannel = auto'
via c7acae9 docs-xml: deprecate "client schannel" and change the default to "yes"
via 1f91cdc WHATSNEW: document removal of 'use spnego" option
via cb5e192 docs-xml: remove deprecated 'use spnego" option
via 343b0e0 s4:smb_server: remove deprecated 'use spnego = no" handling
via 502aa78 s3:smbd: remove deprecated 'use spnego = no" handling
via b6d55ee s4:selftest: replace --option=usespnego= with --option=clientusespnego=
via bb3944c WHATSNEW: document removal 'winbind trusted domains only' option
via c465990 docs-xml: remove deprecated of 'winbind trusted domains only' option
via 6d339b4 winbindd: remove 'winbind trusted domains only' handling
via 22e309e s3:g_lock: keep old mylock on error and don't store new mylock on error
via da3f60b winbindd: use setproctitle
via 502ab53 vfs_fruit: initialise bandsize to please a compiler
from 977b3f6 python: Print the finddcs error message
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a07804278533e8e6d946c51447d940a8d0ed9e4d
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jan 9 10:46:40 2018 +0100
selftest: split a large system invocation line
Small cleanup for better code readability, no change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jan 10 05:19:26 CET 2018 on sn-devel-144
commit ee6e0b19f670f370b5643699a194dec774494f74
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jan 9 10:45:59 2018 +0100
selftest: split a large system invocation line
Small cleanup for better code readability, no change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 584a8ac4aa90707cf353975be0f2ddfe65fb065a
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jan 9 10:40:41 2018 +0100
selftest: split a large system invocation line
Small cleanup for better code readability, no change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 686fc4126dc5b69d34e71f7d014c3c17ba0f649e
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 8 14:28:40 2018 +0100
selftest: set wrapper env variables when running net groupmap
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 53f709d6e0c9370eaf97554a9377e6d51a3b0e6b
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 8 18:45:01 2018 +0100
selftest: remove second loop waiting for winbindd from wait_for_start()
A few lines above we already checked that winbindd is running.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0f5b1bd9e2d16702a7be674fcd4ba4328d6befc1
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 8 18:38:08 2018 +0100
selftest: fix creation of builtin users in wait_for_start
If "BUILTIN\Users" already exists, attempting to create it would fail,
so we should check for the existence prior to the creation.
It is unclear *why* the mapping sometimes already exists and sometimes
not. There are two places where they would have been created:
1. libnet_join_add_dom_rids_to_builtins tries to add the mapping when
joining a domain, but at that point winbindd isn't running
2. when a user is authenticated in smbd, which clearly can't have
happened when in the function wait_for_start
Go figure...
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a206cf2dc11159b0e9ebe4d1d1d23e4365bd2a8c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 11 08:48:04 2016 +0100
s4:dns_server: avoid debug noise on successful updates
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 09da62f1a34b85f2cbd1d6a95ec1a04d4d7e389e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 14 17:11:19 2017 +0100
s4:lib/tls: fix the developer build without gnutls support
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b1c88c01a6138bf29104facc960798f3c1e6b0ee
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 13:42:06 2017 +0100
WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0341e83d40dc42fbb1f1e467626418a9e4dedf40
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100
docs-xml: deprecate "server schannel" and change the default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers, which require this.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3a7d931127a8c739208ae6ca8124cd18fec6b7bb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 13 13:09:47 2017 +0100
selftest: explicitly configure some dcs with 'server schannel = auto'
This is required for some tests.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c7acae904301cfc6a281d63f4e7d3cc6f4fff938
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100
docs-xml: deprecate "client schannel" and change the default to "yes"
This is already the default, because "require strong key = yes" is
the default.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1f91cdc8bd2a50498a9e0293a75d4e41a3618f64
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100
WHATSNEW: document removal of 'use spnego" option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit cb5e19271db1967ed28e08e8969fc438f5942995
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100
docs-xml: remove deprecated 'use spnego" option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 343b0e0af9f336233650c34cc1e4baf62c04989c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100
s4:smb_server: remove deprecated 'use spnego = no" handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 502aa787044d7215c4c509ee6305931a6eedcc44
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100
s3:smbd: remove deprecated 'use spnego = no" handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b6d55eefa21c548f962a0c5f290eb23c219f3bff
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 13:00:10 2017 +0100
s4:selftest: replace --option=usespnego= with --option=clientusespnego=
I guess that's what we try to test here, as 'use spnego' was only evaluated
in the smb server part.
This basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit bb3944c6083456b1de4fd88fda8b8186106687d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:17:20 2017 +0100
WHATSNEW: document removal 'winbind trusted domains only' option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c4659908abf01941148682eaa55b01cfa8c3f290
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 11:10:42 2017 +0100
docs-xml: remove deprecated of 'winbind trusted domains only' option
This parameter is already deprecated in favor of the newer idmap_nss backend.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6d339b480051b5efc80b895e97c2eaaf8dea6893
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 7 10:54:21 2017 +0100
winbindd: remove 'winbind trusted domains only' handling
This parameter is already deprecated in favor of the newer idmap_nss backend.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 22e309e541a1352a2a250d92a72434bb71c2bf45
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 20 08:41:09 2017 +0100
s3:g_lock: keep old mylock on error and don't store new mylock on error
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit da3f60b1e5c6420210d14c9924b3551d83e2f70c
Author: Ralph Boehme <slow at samba.org>
Date: Wed Dec 20 17:42:45 2017 +0100
winbindd: use setproctitle
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 502ab53d4a543c0d12072727fbfe7313e0acb26e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jan 10 00:08:01 2018 +1300
vfs_fruit: initialise bandsize to please a compiler
GCC on a Ubuntu 16.04 instance said:
[3174/4240] Compiling source3/modules/vfs_cap.c
In file included from ../source3/include/includes.h:301:0,
from ../source3/modules/vfs_fruit.c:20:
../source3/modules/vfs_fruit.c: In function
‘fruit_disk_free’:
../source3/../lib/util/debug.h:217:7: error: ‘bandsize’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
&& (dbgtext body) )
^
../source3/modules/vfs_fruit.c:6302:9: note: ‘bandsize’ was
declared here
size_t bandsize;
^
[3175/4240] Compiling source3/modules/vfs_expand_msdfs.c
[3176/4240] Compiling source3/modules/vfs_shadow_copy.c
[3177/4240] Compiling source3/modules/vfs_shadow_copy2.c
cc1: all warnings being treated as errors
Waf: Leaving directory
/home/ubuntu/autobuild/b17854/samba-o3/bin'
Build failed: -> task failed (err #1):
{task: cc vfs_fruit.c -> vfs_fruit_25.o}
make: *** [all] Error 1
As far as I can tell, it is wrong, and the bandsize variable never
gets passed uninitialised to DEBUG.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 6 ++
docs-xml/manpages/idmap_nss.8.xml | 3 +-
docs-xml/smbdotconf/protocol/usespnego.xml | 19 -----
docs-xml/smbdotconf/security/clientschannel.xml | 11 ++-
docs-xml/smbdotconf/security/serverschannel.xml | 13 +++-
.../winbind/winbindtrusteddomainsonly.xml | 22 ------
lib/param/loadparm.c | 6 +-
selftest/knownfail.d/ntlmv2-restrictions | 2 +
selftest/target/Samba3.pm | 80 ++++++++++++++++------
selftest/target/Samba4.pm | 4 ++
source3/lib/g_lock.c | 19 ++++-
source3/modules/vfs_fruit.c | 2 +-
source3/param/loadparm.c | 6 +-
source3/smbd/negprot.c | 1 -
source3/winbindd/wb_getgrsid.c | 11 ---
source3/winbindd/wb_queryuser.c | 12 ----
source3/winbindd/winbindd.c | 4 ++
source3/winbindd/winbindd_cm.c | 2 +
source3/winbindd/winbindd_dual.c | 6 ++
source3/winbindd/winbindd_getpwnam.c | 9 ---
source3/winbindd/winbindd_util.c | 5 +-
source4/dns_server/dns_query.c | 2 +-
source4/dns_server/dns_update.c | 2 +-
source4/lib/tls/tlscert.c | 1 +
source4/selftest/tests.py | 28 ++++----
source4/smb_server/smb/negprot.c | 1 -
26 files changed, 143 insertions(+), 134 deletions(-)
delete mode 100644 docs-xml/smbdotconf/protocol/usespnego.xml
delete mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
create mode 100644 selftest/knownfail.d/ntlmv2-restrictions
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9bcd03c..94278b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -92,6 +92,8 @@ smb.conf changes
-------------- ----------- -------
auth methods Removed
binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
gpo update command New
map untrusted to domain Removed
oplock contention limit Removed
@@ -99,6 +101,10 @@ smb.conf changes
mdns name Added netbios
fruit:time machine Added false
profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ winbind trusted domains only Removed
NT4-style replication based net commands removed
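Review bot: The new table rows list 'use spnego' and 'winbind trusted domains only' as Removed and both schannel options as Default changed/Deprecated, but give no migration hint. The idmap_nss.8.xml hunk in this same push drops the sentence saying idmap_nss obsoletes 'winbind trusted domains only', so WHATSNEW is now the natural place to name idmap_nss as the replacement. It would also help to state that 'server schannel = auto' has to be set explicitly where the old default is still needed.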
diff --git a/docs-xml/manpages/idmap_nss.8.xml b/docs-xml/manpages/idmap_nss.8.xml
index b7c5977..fa8a208 100644
--- a/docs-xml/manpages/idmap_nss.8.xml
+++ b/docs-xml/manpages/idmap_nss.8.xml
@@ -20,8 +20,7 @@
<title>DESCRIPTION</title>
<para>The idmap_nss plugin provides a means to map Unix users and groups
- to Windows accounts and obsoletes the "winbind trusted domains only"
- smb.conf option. This provides a simple means of ensuring that the SID
+ to Windows accounts. This provides a simple means of ensuring that the SID
for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
stored on a Samba member server.
diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml
deleted file mode 100644
index 0c9ffbf..0000000
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<samba:parameter name="use spnego"
- context="G"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This deprecated variable controls whether samba will try
- to use Simple and Protected NEGOciation (as specified by rfc2478) with
- WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
-</para>
-
-<para>
- Unless further issues are discovered with our SPNEGO
- implementation, there is no reason this should ever be
- disabled.</para>
-</description>
-
-<value type="default">yes</value>
-</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future.
+ </para>
+
+ <para>
This controls whether the client offers or even demands the use of the netlogon schannel.
<smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel,
<smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
@@ -18,6 +25,6 @@
<para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+
+ <para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future. If you have the need for the behavior of "auto"
+ to be kept, please file a bug at https://bugzilla.samba.org.
+ </para>
+
<para>
This controls whether the server offers or even demands the use of the netlogon schannel.
<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
@@ -18,6 +27,6 @@
</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
deleted file mode 100644
index 3d420c7..0000000
--- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="winbind trusted domains only"
- context="G"
- type="boolean"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- This parameter is designed to allow Samba servers that are members
- of a Samba controlled domain to use UNIX accounts distributed via NIS,
- rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
- Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
- the account user1 in /etc/passwd instead of allocating a new uid for him or her.
- </para>
-
- <para>
- This parameter is now deprecated in favor of the newer idmap_nss backend.
- Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> man page for more information.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index ddb4507..a18407d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2749,8 +2749,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
lpcfg_do_global_parameter(lp_ctx, "server signing", "default");
- lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
-
lpcfg_do_global_parameter(lp_ctx, "use mmap", "True");
lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
@@ -2786,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
- lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
@@ -2840,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
- lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+ lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
diff --git a/selftest/knownfail.d/ntlmv2-restrictions b/selftest/knownfail.d/ntlmv2-restrictions
new file mode 100644
index 0000000..eb50b13
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv2-restrictions
@@ -0,0 +1,2 @@
+# 'raw NTLMv2 auth' is not enabled on ad_member
+^samba4.smb.signing.disabled.on.with.-k.no.--option=clientusespnego=no.--signing=off.domain-creds.xcopy\(ad_member\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5e6472..f4ae0f3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -216,6 +216,7 @@ sub setup_nt4_dc($$)
lanman auth = yes
ntlm auth = yes
raw NTLMv2 auth = yes
+ server schannel = auto
rpc_server:epmapper = external
rpc_server:spoolss = external
@@ -2332,6 +2333,8 @@ force_user:x:$gid_force_user:
sub wait_for_start($$$$$)
{
my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+ my $cmd;
+ my $netcmd;
my $ret;
if ($nmbd eq "yes") {
@@ -2365,8 +2368,7 @@ sub wait_for_start($$$$$)
if ($winbindd eq "yes") {
print "checking for winbindd\n";
my $count = 0;
- my $cmd = "";
- $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
$cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
$cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
$cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
@@ -2405,38 +2407,72 @@ sub wait_for_start($$$$$)
}
# Ensure we have domain users mapped.
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
+ $netcmd = "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} ";
+
+ $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=512 unixgroup=domadmins type=domain");
+
+ $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
+
+ $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
+ # note: creating builtin groups requires winbindd for the
+ # unix id allocator
+ my $create_builtin_users = "no";
if ($winbindd eq "yes") {
- # note: creating builtin groups requires winbindd for the
- # unix id allocator
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} sam createbuiltingroup Users");
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ my $wbinfo_out = qx($cmd 2>&1);
+ if ($? != 0) {
+ # wbinfo doesn't give us a better error code then
+ # WBC_ERR_DOMAIN_NOT_FOUND, but at least that's
+ # different then WBC_ERR_WINBIND_NOT_AVAILABLE
+ if ($wbinfo_out !~ /WBC_ERR_DOMAIN_NOT_FOUND/) {
+ print("Failed to run \"wbinfo --sid-to-gid=S-1-5-32-545\": $wbinfo_out");
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ $create_builtin_users = "yes";
+ }
+ }
+ if ($create_builtin_users eq "yes") {
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "sam createbuiltingroup Users";
+ $ret = system($cmd);
if ($ret != 0) {
print "Failed to create BUILTIN\\Users group\n";
+ teardown_env($self, $envvars);
return 0;
}
- my $count = 0;
- do {
- system(Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} cache del IDMAP/SID2XID/S-1-5-32-545");
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545");
- if ($ret != 0) {
- sleep(2);
- }
- $count++;
- } while ($ret != 0 && $count < 10);
- if ($count == 10) {
- print "WINBINDD not reachable after 20 seconds\n";
+
+ $cmd = Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "cache del IDMAP/SID2XID/S-1-5-32-545";
+ system($cmd);
+
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print "Missing \"BUILTIN\\Users\", did net sam createbuiltingroup Users fail?\n";
teardown_env($self, $envvars);
return 0;
}
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e2e78ab..e6bc3bb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1031,6 +1031,7 @@ winbindd:use external pipes = true
# the source4 smb server doesn't allow signing by default
server signing = enabled
+raw NTLMv2 auth = yes
rpc_server:default = external
rpc_server:svcctl = embedded
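Review bot: 'raw NTLMv2 auth = yes' lands directly under the comment about server signing with no explanation of its own. Since it relaxes an authentication setting for this test environment, a one-line comment naming the test that needs it would keep it from being copied into other environments without thought. The same applies to the 'server schannel = auto' lines added in the two provisioning hunks that follow, where the commit message only says it is required for some tests.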
@@ -1461,9 +1462,11 @@ sub provision_ad_dc_ntvfs($$)
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
+ raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
+ server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
@@ -1831,6 +1834,7 @@ sub provision_ad_dc($$$$$$)
lpq cache time = 0
print notify backchannel = yes
+ server schannel = auto
auth event notification = true
$smbconf_args
";
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 68a9ab3..4c42fb0 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -200,6 +200,8 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
TDB_DATA data;
size_t i;
struct g_lock lck;
+ struct g_lock_rec _mylock;
+ struct g_lock_rec *mylock = NULL;
NTSTATUS status;
bool modified = false;
bool ok;
@@ -242,11 +244,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
status = NT_STATUS_WAS_LOCKED;
goto done;
}
+ if (mylock != NULL) {
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ goto done;
+ }
+ _mylock = lock;
+ mylock = &_mylock;
/*
* Remove "our" lock entry. Re-add it later
* with our new lock type.
*/
g_lock_rec_del(&lck, i);
+ modified = true;
continue;
}
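Review bot: The new 'if (mylock != NULL)' branch sets NT_STATUS_INTERNAL_DB_CORRUPTION and jumps to done without logging anything, so a record that holds a second entry for our own pid will be hard to diagnose from the logs. A DBG_WARNING naming the condition before the 'goto done' would help.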
@@ -278,12 +287,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
modified = true;
+ _mylock = (struct g_lock_rec) {
+ .pid = self,
+ .lock_type = type
+ };
+ mylock = &_mylock;
+
status = NT_STATUS_OK;
done:
if (modified) {
- struct g_lock_rec mylock = { .pid = self, .lock_type = type };
NTSTATUS store_status;
- store_status = g_lock_store(rec, &lck, &mylock);
+
+ store_status = g_lock_store(rec, &lck, mylock);
if (!NT_STATUS_IS_OK(store_status)) {
DBG_WARNING("g_lock_record_store failed: %s\n",
nt_errstr(store_status));
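Review bot: At 'done:', g_lock_store(rec, &lck, mylock) now receives a pointer that starts as NULL and is only set where our old entry is found or just before 'status = NT_STATUS_OK'. If any path sets 'modified = true' without reaching one of those assignments, the store is called with NULL. Please confirm that g_lock_store() accepts a NULL third argument, or add a comment here saying so.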
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 9533da4..40ee255 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -6392,7 +6392,7 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct *handle,
bool ok;
char *p = NULL;
size_t sparsebundle_strlen = strlen("sparsebundle");
- size_t bandsize;
+ size_t bandsize = 0;
size_t nbands;
double tm_size;
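Review bot: 'size_t bandsize = 0;' carries no comment saying the initialiser exists only to silence -Werror=maybe-uninitialized, so a later reader may take 0 for a meaningful default; a short comment next to the declaration would help. The GCC note quoted in the commit message points at a declaration on line 6302 in fruit_disk_free, while this hunk sits at 6392 in fruit_tmsize_do_dirent, so it is worth confirming this is the declaration the warning refers to.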
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a2fcc42..582c875 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,10 +651,10 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
- Globals.server_schannel = Auto;
+ Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
@@ -817,7 +817,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_enum_users = false;
Globals.winbind_enum_groups = false;
Globals.winbind_use_default_domain = false;
- Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
@@ -831,7 +830,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.name_cache_timeout = 660; /* In seconds */
- Globals.use_spnego = true;
Globals.client_use_spnego = true;
Globals.client_signing = SMB_SIGNING_DEFAULT;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cdbc2c4..3a9363d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -282,7 +282,6 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
supports it and we can do encrypted passwords */
if (xconn->smb1.negprot.encrypted_passwords &&
- lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;
capabilities |= CAP_EXTENDED_SECURITY;
diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index b210645..fa26ea8 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -60,17 +60,6 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
- DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
- "getgrsid() for %s\n", sid_string_tos(group_sid)));
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
- return tevent_req_post(req, ev);
- }
- }
-
subreq = wb_lookupsid_send(state, ev, &state->sid);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 1c91949..17170c3 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -50,18 +50,6 @@ struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
}
state->ev = ev;
- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(user_sid, &our_domain->sid) == 0) {
- char buf[DOM_SID_STR_BUFLEN];
- dom_sid_string_buf(user_sid, buf, sizeof(buf));
- DBG_NOTICE("My domain -- rejecting %s\n", buf);
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return tevent_req_post(req, ev);
- }
- }
--
Samba Shared Repository