[SCM] Samba Shared Repository - branch v4-11-stable updated
Karolin Seeger
kseeger at samba.org
Fri Oct 18 09:21:38 UTC 2019
The branch, v4-11-stable has been updated
via be4cb417135 VERSION: Disable GIT_SNAPSHOT for Samba 4.11.1.
via ad617f2f294 WHATSNEW: Add release notes for Samba 4.11.1.
via 7f5334a92c4 s3:libsmb: Link libsmb against pthread
via 6902275b6f3 nsswitch: Link stress-nss-libwbclient against pthread
via 41e658f446a s3:libads: Do not turn on canonicalization flag for MIT Kerberos
via c191a37848b lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
via 0d292ca72a3 spnego: fix server handling of no optimistic exchange
via f3a02fdf780 python/tests/gensec: add spnego downgrade python tests
via 9c4cb9ba956 python/tests/gensec: make it possible to add knownfail tests for gensec.update()
via 425ac58f58c selftest: add tests for no optimistic spnego exchange
via 27982255d64 spnego: add client option to omit sending an optimistic token
via 7e40d859283 selftest: s3: add a test for spnego downgrade from krb5 to ntlm
via 5a6fed646c6 s3:libsmb: Do not check the SPNEGO neg token for KRB5
via 88abbea5065 spnego: ignore server mech_types list
via c79e3957191 s3:smbd: add a comment explaining the File-ID semantics when a file is created
via f9803360061 s3:smbd: ensure a created stream picks up the File-ID from the basefile
via 8f44a25e2a6 s3:lib: add is_named_stream()
via c48a5c6b8c9 s3:lib: use strequal_m() in is_ntfs_default_stream_smb_fname()
via 42bc7f28e1a s3:lib: implement logic directly in is_ntfs_default_stream_smb_fname()
via 23b4938c18a s3:lib: expand a comment with the function doc for is_ntfs_stream_smb_fname
via d7a2e7c3390 s3:lib: factor out stream name asserts to helper function
via 2ef4d9883f4 s3:lib: assert stream_name is NULL for POSIX paths
via 2da0f65cd91 s3:lib: rework a return expression into an if block
via 2d62bd58db9 s3:smbd: when storing DOS attribute call dos_mode() beforehand
via 459acf2728a s3:smbd: change the place where we call dos_mode() when processing SMB2_CREATE
via 2204788e596 torture:smb2: add a File-ID test on directories
via f5c8dea0ae7 torture:smb2: extend test for File-IDs
via fc0efd56d05 auth/gensec: fix non-AES schannel seal
via 8f4603fdc4e libcli/auth: add test for gensec_schannel code
via 8d426b146e7 testprogs: Add test for 'net ads join createcomputer='
via 440c8890798 s3:libads: Just change the machine password if account already exists
via 8fa84176dbc s3:libnet: Improve debug messages
via 86e86cddcb5 s3:libads: Fix creating machine account using LDAP
via e0be43a863b s3:libads: Don't set supported encryption types during account creation
via 8cc6e035b6e s3:libads: Fix detection if acount already exists in ads_find_machine_count()
via 023a59d4262 s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
via 96ee2408f5c s3:libads: Cleanup error code paths in ads_create_machine_acct()
via 2fa6dc27f37 s3:libnet: Require sealed LDAP SASL connections for joining
via 90566a8ef44 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
via adfcddc6815 testprogs: Fix failure count in test_net_ads.sh
via 2ce14ef46a5 s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
via e8cba5a8a88 ctdb-vacuum: Process all records not deleted on a remote node
via 42d530b0dbc winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
via 4a43d8b996b selftest: Test ID_TYPE_BOTH with idmap_rid module
via 0182ccfd22b waf:replace: Do not link against libpthread if not necessary
via b5dfe882ecb third_party: Link uid_wrapper against pthread
via 48cd645d1d8 third_party: Link nss_wrapper against pthread
via 62f0ce14a1b third_party: Only link cmocka against librt if really needed
via 82c9a6c4b0a pthreadpool: Only link pthreadpool against librt if we have to
via 7ec980b991f replace: Only link against librt if really needed
via 4709a848c55 s3:waf: Do not check for nanosleep() as we don't use it anywhere
via a89e8588449 s3-winbindd: fix forest trusts with additional trust attributes.
via 75702977dde fault.c: improve fault_report message text pointing to our wiki
via fcb247f4147 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
via f836385629c selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
via f0f2ce68e45 selftest/tests.py: test pam_winbind for trusts domains
via e3760d6e3a3 selftest: Export TRUST information in the ad_member target environment
via 2290dfe49bf selftest/tests.py: test pam_winbind with a lot of username variations
via e7b84754510 selftest/tests.py: test pam_winbind with krb5_auth
via cfee9031720 selftest/tests.py: prepare looping over pam_winbindd tests
via 8aae6dd753b test_pam_winbind.sh: allow different pam_winbindd config options to be specified
via 913c79d2e06 tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
via 5583d045a25 tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
via e8c701673a8 s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
via 82fb0291f1f docs-xml: add "winbind use krb5 enterprise principals" option
via 9de64feb1ec krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
via 2fd31d85701 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
via 5d9961e6454 s4:auth: kinit_to_ccache() should always use the canonicalized principal
via d3d951f4240 krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
via 35e3f1a4054 s3:libads/kerberos: always use the canonicalized principal after kinit
via 5628c4ffd32 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
via 7ed22554470 s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
via f5ea5a5e2a5 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
via 2ba8997d006 s4:auth: use the correct client realm in gensec_gssapi_update_internal()
via ed3ac77dc22 nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
via fa63860f7b1 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
via 18963e909d7 classicupgrade: fix a a bytes-like object is required, not 'str' error
via d42c7ffa6cb pod2man is no longer needed
via 361f4f5d247 ctdb-tools: Stop deleted nodes from influencing ctdb nodestatus exit code
via 4d41dc32653 s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
via d702f662901 s3/4: libsmbclient test. Test using smbc_telldir/smbc_lseekdir with smbc_readdir/smbc_readdirplus/smbc_getdents.
via 411eb45f2c9 s3: libsmbclient: Fix smbc_lseekdir() to work with smbc_readdirplus().
via a70eee31213 s3: libsmbclient: Ensure SMBC_getdents_ctx() also updates the readdirplus pointers.
via 0fbd2c08b54 s3: libsmbclient: Ensure SMBC_readdirplus_ctx() also updates the readdir pointers.
via a0342e92f3a s3: libsmbclient: Ensure SMBC_readdir_ctx() also updates the readdirplus pointers.
via 872e03c2dc8 VERSION: Bump version up to 4.11.1...
from d60cf580825 VERSION: Bump version up to 4.11.0...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 +++
auth/gensec/schannel.c | 9 +
auth/gensec/spnego.c | 55 +-
ctdb/server/ctdb_vacuum.c | 2 +-
ctdb/tools/ctdb.c | 8 +-
.../winbind/winbindusekrb5enterpriseprincipals.xml | 34 ++
lib/krb5_wrap/krb5_samba.c | 26 +-
lib/pthreadpool/wscript_build | 7 +-
lib/replace/wscript | 34 +-
lib/util/fault.c | 6 +-
libcli/auth/tests/test_schannel.c | 305 ++++++++++
libcli/auth/wscript_build | 8 +
libgpo/pygpo.c | 2 +-
nsswitch/pam_winbind.c | 4 +
nsswitch/tests/test_idmap_rid.sh | 132 +++++
nsswitch/wscript_build | 2 +-
pidl/wscript | 1 -
python/samba/tests/gensec.py | 34 +-
python/samba/tests/pam_winbind.py | 25 +-
python/samba/tests/pam_winbind_chauthtok.py | 10 +-
python/samba/tests/pam_winbind_warn_pwd_expire.py | 10 +-
python/samba/tests/test_pam_winbind.sh | 12 +-
python/samba/tests/test_pam_winbind_chauthtok.sh | 4 +-
.../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +-
python/samba/upgrade.py | 2 +-
selftest/target/Samba.pm | 22 +
selftest/target/Samba3.pm | 35 +-
selftest/tests.py | 173 +++++-
source3/client/client.c | 4 +
source3/client/smbspool.c | 16 +-
source3/include/proto.h | 1 +
source3/lib/filename_util.c | 53 +-
source3/lib/netapi/joindomain.c | 5 +-
source3/libads/ads_proto.h | 13 +-
source3/libads/ads_struct.c | 14 +-
source3/libads/authdata.c | 1 +
source3/libads/kerberos.c | 54 +-
source3/libads/kerberos_proto.h | 5 +-
source3/libads/kerberos_util.c | 3 +-
source3/libads/krb5_setpw.c | 21 +
source3/libads/ldap.c | 339 ++++++++++--
source3/libnet/libnet_join.c | 31 +-
source3/libsmb/cliconnect.c | 91 ++-
source3/libsmb/libsmb_dir.c | 102 +++-
source3/libsmb/namequery_dc.c | 2 +-
source3/libsmb/wscript | 1 +
source3/printing/nt_printing_ads.c | 6 +-
source3/script/tests/test_smbd_no_krb5.sh | 46 ++
source3/selftest/tests.py | 7 +-
source3/smbd/open.c | 12 +-
source3/smbd/smb2_create.c | 5 +-
source3/utils/net_ads.c | 16 +-
source3/winbindd/wb_queryuser.c | 18 +-
source3/winbindd/winbindd_ads.c | 7 +-
source3/winbindd/winbindd_cm.c | 5 +-
source3/winbindd/winbindd_cred_cache.c | 6 +
source3/winbindd/winbindd_pam.c | 57 +-
source3/winbindd/winbindd_util.c | 2 +-
source3/wscript | 1 -
source4/auth/gensec/gensec_gssapi.c | 6 +-
source4/auth/kerberos/kerberos_util.c | 2 +
source4/selftest/tests.py | 4 +
source4/torture/libsmbclient/libsmbclient.c | 340 ++++++++++++
source4/torture/smb2/create.c | 613 +++++++++++++++++++--
testprogs/blackbox/test_net_ads.sh | 36 +-
third_party/cmocka/wscript | 7 +-
third_party/nss_wrapper/wscript | 2 +-
third_party/uid_wrapper/wscript | 2 +-
69 files changed, 2683 insertions(+), 343 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
create mode 100644 libcli/auth/tests/test_schannel.c
create mode 100755 source3/script/tests/test_smbd_no_krb5.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 29a4ca4e959..61c76acaef7 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d573bb65819..2e61702b71b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,89 @@
+ ==============================
+ Release Notes for Samba 4.11.1
+ October 18, 2019
+ ==============================
+
+
+This is the latest stable release of the Samba 4.11 release series.
+
+
+Changes since 4.11.0:
+---------------------
+
+o Michael Adam <obnox at samba.org>
+ * BUG 14141: getpwnam and getpwuid need to return data for ID_TYPE_BOTH
+ group.
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and
+ smbc_lseekdir().
+ * BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into
+ SMB1-specific calls.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14137: Fix stale file handle error when using mkstemp on a share.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server.
+ * BUG 14140: Overlinking libreplace against librt and pthread against every
+ binary or library causes issues.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 14130: s3-winbindd: Fix forest trusts with additional trust attributes.
+ * BUG 14134: auth/gensec: Fix non-AES schannel seal.
+
+o Amitay Isaacs <amitay at gmail.com>
+ * BUG 14147: Deleted records can be resurrected during recovery.
+
+o Björn Jacke <bj at sernet.de>
+ * BUG 14136: Fix uncaught exception in classicupgrade.
+ * BUG 14139: fault.c: Improve fault_report message text pointing to our wiki.
+
+o Bryan Mason <bmason at redhat.com>
+ * BUG 14128: s3:client: Use DEVICE_URI, instead of argv[0], for Device URI.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14124: pam_winbind with krb5_auth or wbinfo -K doesn't work for users
+ of trusted domains/forests.
+
+o Mathieu Parent <math.parent at gmail.com>
+ * BUG 14131: Remove 'pod2man' as it is no longer needed.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 13884: Joining Active Directory should not use SAMR to set the
+ password.
+ * BUG 14140: Overlinking libreplace against librt and pthread against every
+ binary or library causes issues.
+ * BUG 14155: 'kpasswd' fails when built with MIT Kerberos.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14129: Exit code of ctdb nodestatus should not be influenced by deleted
+ nodes.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
==============================
Release Notes for Samba 4.11.0
September 17, 2019
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8ba1eafc76d..74a3eb5c690 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -296,6 +296,15 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
ZERO_ARRAY(_sealing_key);
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
+ gnutls_cipher_deinit(cipher_hnd);
+ rc = gnutls_cipher_init(&cipher_hnd,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &sealing_key,
+ NULL);
+ if (rc < 0) {
+ ZERO_ARRAY(_sealing_key);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
rc = gnutls_cipher_encrypt(cipher_hnd,
data,
length);
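Review bot: The added `gnutls_cipher_deinit()` / `gnutls_cipher_init()` pair ahead of the data `gnutls_cipher_encrypt()` call has no comment, so it reads like redundant setup that a later cleanup could remove. ARCFOUR is a stream cipher, so re-initialising presumably restarts the keystream for the data instead of continuing from wherever the preceding encrypt call left it. A comment such as `/* Re-init so the data is encrypted from the start of the RC4 keystream */` would record that intent; confirm the wording against the protocol specification. netsec_do_seal() starts and ends outside this hunk, so the final deinit and the zeroing of `_sealing_key` on the success path are not visible here.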
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0b3fbdce7ac..ddbe03c5d6b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -136,6 +136,7 @@ struct spnego_state {
bool done_mic_check;
bool simulate_w2k;
+ bool no_optimistic;
/*
* The following is used to implement
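Review bot: `no_optimistic` is added without a comment although the later hunks give it two different roles. On the client it is a configuration value read from `spnego:client_no_optimistic` in gensec_spnego_client_start(). On the server it is transient state, set in gensec_spnego_server_negTokenInit_step() when `sub_in.length == 0` and cleared again in gensec_spnego_update_pre(). A field comment such as `/* client: option to omit the optimistic token; server: set when no optimistic token is passed to the sub mechanism, cleared once handled */` would stop a reader from assuming it is configuration only. If the dual use is accidental, two separate fields would be clearer.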
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
+ "spnego",
+ "client_no_optimistic",
+ false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
@@ -511,7 +516,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
}
n->mech_idx = 0;
- n->mech_types = spnego_in->negTokenInit.mechTypes;
+
+ /* Do not use server mech list as it isn't protected. Instead, get all
+ * supported mechs (excluding SPNEGO). */
+ n->mech_types = gensec_security_oids(gensec_security, n,
+ GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
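Review bot: The unchanged `if (n->mech_types == NULL)` check still returns `NT_STATUS_INVALID_PARAMETER`, but the list now comes from the local `gensec_security_oids()` call, not from the peer's token. If that helper returns NULL on allocation failure (its body is not visible here), `return NT_STATUS_NO_MEMORY;` would describe the failure more accurately and would not suggest that the server sent bad input. The new comment could also use the block style of the surrounding file (`/*` on its own line), and could say that the server list is unprotected at this point because no mechListMIC has been verified yet.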
@@ -658,13 +667,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
DATA_BLOB *out)
{
struct spnego_data spnego_out;
- const char *my_mechs[] = {NULL, NULL};
+ const char * const *mech_types = NULL;
bool ok;
- my_mechs[0] = spnego_state->neg_oid;
+ if (n->mech_types == NULL) {
+ DBG_WARNING("No mech_types list\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
+ int cmp = strcmp(*mech_types, spnego_state->neg_oid);
+
+ if (cmp == 0) {
+ break;
+ }
+ }
+
+ if (*mech_types == NULL) {
+ DBG_ERR("Can't find selected sub mechanism in mech_types\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
- spnego_out.negTokenInit.mechTypes = my_mechs;
+ spnego_out.negTokenInit.mechTypes = mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
spnego_out.negTokenInit.mechListMIC = data_blob_null;
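Review bot: `strcmp(*mech_types, spnego_state->neg_oid)` dereferences `neg_oid` without a NULL check, whereas the removed code only stored that pointer in `my_mechs[0]`. If `neg_oid` can be unset on this path (not visible in the hunk), add `if (spnego_state->neg_oid == NULL) { return NT_STATUS_INTERNAL_ERROR; }` before the loop. A comment is also worth adding after the loop: `mech_types` now points into `n->mech_types` at the selected mechanism, so the token advertises that mechanism and every entry after it, not the single-element list sent before. The same pointer is passed to spnego_write_mech_types() in the next hunk, so it determines which mechTypes bytes are recorded in `spnego_state->mech_types`.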
@@ -676,7 +702,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
}
ok = spnego_write_mech_types(spnego_state,
- my_mechs,
+ mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
@@ -1295,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
spnego_state->mic_requested = true;
}
+ if (sub_in.length == 0) {
+ spnego_state->no_optimistic = true;
+ }
+
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
@@ -1923,6 +1953,21 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+ spnego_state->no_optimistic) {
+ /*
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
+ /*
+ * If we didn't like the mechanism for which the client sent us
+ * an optimistic token, or if he didn't send any, don't call
+ * the sub mechanism just yet.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->no_optimistic = false;
} else {
/*
* MORE_PROCESSING_REQUIRED =>
diff --git a/ctdb/server/ctdb_vacuum.c b/ctdb/server/ctdb_vacuum.c
index 0c3770267bc..4fd11e3738c 100644
--- a/ctdb/server/ctdb_vacuum.c
+++ b/ctdb/server/ctdb_vacuum.c
@@ -814,7 +814,7 @@ static void ctdb_process_delete_list(struct ctdb_db_context *ctdb_db,
*/
records = (struct ctdb_marshall_buffer *)outdata.dptr;
rec = (struct ctdb_rec_data_old *)&records->data[0];
- while (records->count-- > 1) {
+ while (records->count-- > 0) {
TDB_DATA reckey, recdata;
struct ctdb_ltdb_header *rechdr;
struct delete_record_data *dd;
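Review bot: The loop bound `records->count` is read from `outdata.dptr`, which judging by the commit title holds records returned by a remote node, and nothing in this hunk checks that `count` records fit inside `outdata.dsize`. Raising the bound from `> 1` to `> 0` means every advertised record is now walked, so either check the length of each `rec` before dereferencing it or confirm that the buffer is validated before this point. Separately, `records->count-- > 0` consumes the count in place and, if the field is unsigned, leaves it wrapped after the final test. A local index, `for (i = 0; i < records->count; i++)`, keeps the marshalled header intact. The loop body continues outside the hunk.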
diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c
index 2cc72eedc76..6a15b61ccd1 100644
--- a/ctdb/tools/ctdb.c
+++ b/ctdb/tools/ctdb.c
@@ -5611,7 +5611,13 @@ static int control_nodestatus(TALLOC_CTX *mem_ctx, struct ctdb_context *ctdb,
ret = 0;
for (i=0; i<nodemap->num; i++) {
- ret |= nodemap->node[i].flags;
+ uint32_t flags = nodemap->node[i].flags;
+
+ if ((flags & NODE_FLAGS_DELETED) != 0) {
+ continue;
+ }
+
+ ret |= flags;
}
return ret;
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
new file mode 100644
index 00000000000..bfc11c8636c
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -0,0 +1,34 @@
+<samba:parameter name="winbind use krb5 enterprise principals"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>winbindd is able to get kerberos tickets for
+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
+ </para>
+
+ <para>winbindd (at least on a domain member) is never be able
+ to have a complete picture of the trust topology (which is managed by the DCs).
+ There might be uPNSuffixes and msDS-SPNSuffixes values,
+ which don't belong to any AD domain at all.
+ </para>
+
+ <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
+ winbindd don't even get an incomplete picture of the topology.
+ </para>
+
+ <para>It is not really required to know about the trust topology.
+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
+ and use enterprise principals e.g. upnfromB at B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
+ and follow the WRONG_REALM referrals in order to find the correct DC.
+ The final principal might be userfromB at INTERNALB.EXAMPLE.PRIVATE.
+ </para>
+
+ <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
+ winbindd enterprise principals will be used.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..5aceae44eec 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
}
ret = krb5_parse_name(context, utf8_name, principal);
+ if (ret == KRB5_PARSE_MALFORMED) {
+ ret = krb5_parse_name_flags(context, utf8_name,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+ principal);
+ }
TALLOC_FREE(frame);
return ret;
}
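Review bot: The enterprise-principal retry applies to every caller of smb_krb5_parse_name(), not only to code paths that opted in through the new winbind option. A name that previously failed with `KRB5_PARSE_MALFORMED` may now be accepted silently. The function's doc comment (outside this hunk) should state the fallback, for example `On KRB5_PARSE_MALFORMED the name is re-parsed with KRB5_PRINCIPAL_PARSE_ENTERPRISE`. A `DBG_DEBUG` on the retry branch would also make it visible in logs when unexpected input takes that path. Whether any caller relies on the old rejection is not visible here and is worth checking.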
@@ -1997,26 +2002,23 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
krb_options);
#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
{
-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
- char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
+ char tmp_name[64] = {0};
krb5_keytab_entry entry;
krb5_keytab keytab;
- int tmpfd;
- mode_t mask;
+ int rc;
memset(&entry, 0, sizeof(entry));
entry.principal = principal;
*(KRB5_KT_KEY(&entry)) = *keyblock;
- memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
- mask = umask(S_IRWXO | S_IRWXG);
- tmpfd = mkstemp(tmp_name);
- umask(mask);
- if (tmpfd == -1) {
- DBG_ERR("Failed to mkstemp %s\n", tmp_name);
+ rc = snprintf(tmp_name, sizeof(tmp_name),
+ "%s-%p",
+ SMB_CREDS_KEYTAB,
+ &my_creds);
+ if (rc < 0) {
return KRB5_KT_BADNAME;
}
- close(tmpfd);
code = krb5_kt_resolve(ctx, tmp_name, &keytab);
if (code) {
return code;
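Review bot: The `snprintf()` result is only checked for `rc < 0`, so a truncated name would reach `krb5_kt_resolve()` unnoticed; the guard should be `if (rc < 0 || (size_t)rc >= sizeof(tmp_name)) {`. The name is also derived from the address of `my_creds`, which is distinct among frames that are live at the same time but repeats across successive calls. If any error path after `krb5_kt_resolve()` skips removing the entry and closing the keytab (that cleanup is outside this hunk), a later call could resolve a MEMORY keytab that still holds the previous key. A comment next to `SMB_CREDS_KEYTAB` stating that uniqueness assumption would help.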
@@ -2114,14 +2116,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
return code;
}
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
/*
* We need to store the principal as returned from the KDC to the
* credentials cache. If we don't do that the KRB5 library is not
* able to find the tickets it is looking for
*/
principal = my_creds.client;
-#endif
code = krb5_cc_initialize(ctx, cc, principal);
if (code) {
goto done;
diff --git a/lib/pthreadpool/wscript_build b/lib/pthreadpool/wscript_build
index 57df25548b1..70aa7cbf041 100644
--- a/lib/pthreadpool/wscript_build
+++ b/lib/pthreadpool/wscript_build
@@ -1,12 +1,17 @@
#!/usr/bin/env python
if bld.env.WITH_PTHREADPOOL:
+ extra_libs=''
+
+ # Link to librt if needed for clock_gettime()
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
+
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool.c
pthreadpool_pipe.c
pthreadpool_tevent.c
''',
- deps='pthread rt replace tevent-util')
+ deps='pthread replace tevent-util' + extra_libs)
else:
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool_sync.c
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 4df1b4d77c4..240d730cbee 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -458,11 +458,28 @@ def configure(conf):
conf.CHECK_C_PROTOTYPE('dlopen', 'void *dlopen(const char* filename, unsigned int flags)',
define='DLOPEN_TAKES_UNSIGNED_FLAGS', headers='dlfcn.h dl.h')
- if conf.CHECK_FUNCS_IN('fdatasync', 'rt', checklibc=True):
+ #
+ # Check for clock_gettime and fdatasync
+ #
+ # First check libc to avoid linking libreplace against librt.
+ #
+ if conf.CHECK_FUNCS('fdatasync'):
# some systems are missing the declaration
conf.CHECK_DECLS('fdatasync')
+ else:
+ if conf.CHECK_FUNCS_IN('fdatasync', 'rt'):
+ # some systems are missing the declaration
+ conf.CHECK_DECLS('fdatasync')
+
+ has_clock_gettime = False
+ if conf.CHECK_FUNCS('clock_gettime'):
+ has_clock_gettime = True
- if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ if not has_clock_gettime:
+ if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ has_clock_gettime = True
+
+ if has_clock_gettime:
for c in ['CLOCK_MONOTONIC', 'CLOCK_PROCESS_CPUTIME_ID', 'CLOCK_REALTIME']:
conf.CHECK_CODE('''
#if TIME_WITH_SYS_TIME
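Review bot: The `clock_gettime` fallback still passes `checklibc=True` to `CHECK_FUNCS_IN(...)` although libc has just been probed with `conf.CHECK_FUNCS('clock_gettime')`, while the `fdatasync` fallback above drops that argument. If the flag is redundant after the explicit libc probe, `conf.CHECK_FUNCS_IN('clock_gettime', 'rt')` would match the other branch; if it is kept on purpose, a comment should say why. Both probes follow the same "libc first, then librt" logic, so writing them in the same shape would make the block easier to audit. At present one uses an `else:` nest and the other a `has_clock_gettime` flag.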
@@ -535,6 +552,11 @@ def configure(conf):
PTHREAD_CFLAGS='error'
PTHREAD_LDFLAGS='error'
+ if PTHREAD_LDFLAGS == 'error':
+ # Check if pthread_attr_init() is provided by libc first!
+ if conf.CHECK_FUNCS('pthread_attr_init'):
+ PTHREAD_CFLAGS='-D_REENTRANT'
+ PTHREAD_LDFLAGS=''
if PTHREAD_LDFLAGS == 'error':
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'pthread'):
PTHREAD_CFLAGS='-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS'
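Review bot: Probing `pthread_attr_init` in libc first leaves `PTHREAD_LDFLAGS` empty on any platform whose libc exports that one symbol, even if the functions needed to create threads still live in a separate libpthread there. The new comment should spell out the consequence, for example `# libc may export only part of the pthread API; targets that use threads must list 'pthread' in deps`. The libsmb, nss_wrapper and uid_wrapper commits in this push appear to do exactly that. Probing a function that thread creation actually needs would make the result depend less on which symbols a given libc happens to export. The configure() body continues outside the hunk.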
@@ -547,10 +569,7 @@ def configure(conf):
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'c_r'):
PTHREAD_CFLAGS='-D_THREAD_SAFE -pthread'
PTHREAD_LDFLAGS='-pthread'
- if PTHREAD_LDFLAGS == 'error':
- if conf.CHECK_FUNCS('pthread_attr_init'):
- PTHREAD_CFLAGS='-D_REENTRANT'
- PTHREAD_LDFLAGS='-lpthread'
+
# especially for HP-UX, where the CHECK_FUNC macro fails to test for
# pthread_attr_init. On pthread_mutex_lock it works there...
if PTHREAD_LDFLAGS == 'error':
@@ -816,6 +835,7 @@ def build(bld):
extra_libs = ''
if bld.CONFIG_SET('HAVE_LIBBSD'): extra_libs += ' bsd'
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC',
REPLACE_HOSTCC_SOURCE,
@@ -856,7 +876,7 @@ def build(bld):
# at the moment:
# hide_symbols=bld.BUILTIN_LIBRARY('replace'),
private_library=True,
- deps='crypt dl nsl socket rt attr' + extra_libs)
+ deps='crypt dl nsl socket attr' + extra_libs)
replace_test_cflags = ''
if bld.CONFIG_SET('HAVE_WNO_FORMAT_TRUNCATION'):
diff --git a/lib/util/fault.c b/lib/util/fault.c
index 5be9162679e..c42bc51789a 100644
--- a/lib/util/fault.c
+++ b/lib/util/fault.c
@@ -78,7 +78,11 @@ static void fault_report(int sig)
DEBUGSEP(0);
DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d (%s)",sig,(int)getpid(),SAMBA_VERSION_STRING));
- DEBUG(0,("\nPlease read the Trouble-Shooting section of the Samba HOWTO\n"));
+ DEBUG(0,("\nIf you are running a recent Samba version, and "
+ "if you think this problem is not yet fixed in the "
+ "latest versions, please consider reporting this "
+ "bug, see "
+ "https://wiki.samba.org/index.php/Bug_Reporting\n"));
DEBUGSEP(0);
smb_panic("internal error");
diff --git a/libcli/auth/tests/test_schannel.c b/libcli/auth/tests/test_schannel.c
new file mode 100644
index 00000000000..b1c88fdf667
--- /dev/null
+++ b/libcli/auth/tests/test_schannel.c
@@ -0,0 +1,305 @@
+/*
--