[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Sep 12 03:28:01 UTC 2022


The branch, master has been updated
       via  66289ab678e s4:kdc: Set Kerberos debug class for all KDC files
       via  534b88dea21 docs-xml: some fixes and updates for ea and acl docs in smb.conf
      from  3ce1d2fde5d Fix spelling mistakes.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 66289ab678ebe998673e7cec510702ef40bbcd79
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Sep 9 12:32:57 2022 +0200

    s4:kdc: Set Kerberos debug class for all KDC files
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184

commit 534b88dea210f5a35c16031d1c3a97bf182dd5a8
Author: Björn Jacke <bj at sernet.de>
Date:   Sun Sep 11 21:35:07 2022 +0200

    docs-xml: some fixes and updates for ea and acl docs in smb.conf
    
    Signed-off-by: Bjoern Jacke <bjacke at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/protocol/easupport.xml     |  9 +++------
 docs-xml/smbdotconf/protocol/mapaclinherit.xml | 18 +++++++++++-------
 docs-xml/smbdotconf/security/inheritacls.xml   |  7 +++++--
 source4/kdc/db-glue.c                          |  3 +++
 source4/kdc/hdb-samba4.c                       |  3 +++
 source4/kdc/kdc-glue.c                         |  3 +++
 source4/kdc/kdc-heimdal.c                      |  3 +++
 source4/kdc/kdc-proxy.c                        |  2 ++
 source4/kdc/kdc-server.c                       |  3 +++
 source4/kdc/kpasswd-helper.c                   |  3 +++
 source4/kdc/kpasswd-service-heimdal.c          |  3 +++
 source4/kdc/kpasswd-service-mit.c              |  3 +++
 source4/kdc/kpasswd-service.c                  |  3 +++
 source4/kdc/kpasswd_glue.c                     |  3 +++
 source4/kdc/mit_kdc_irpc.c                     |  3 +++
 source4/kdc/sdb.c                              |  3 +++
 source4/kdc/sdb_to_hdb.c                       |  3 +++
 source4/kdc/sdb_to_kdb.c                       |  3 +++
 source4/kdc/wdc-samba4.c                       |  3 +++
 19 files changed, 66 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/easupport.xml b/docs-xml/smbdotconf/protocol/easupport.xml
index 403e48f5a89..fd425e8b514 100644
--- a/docs-xml/smbdotconf/protocol/easupport.xml
+++ b/docs-xml/smbdotconf/protocol/easupport.xml
@@ -18,12 +18,9 @@
     <para>
     Note that the SMB protocol allows setting attributes whose value is 64K bytes long,
     and that on NTFS, the maximum storage space for extended attributes per file is 64K.
-    On most UNIX systems (Solaris and ZFS file system being the exception), the limits
-    are much lower - typically 4K. Worse, the same 4K space is often used to store
-    system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving clients
-    access to this tight space via extended attribute support could consume all
-    of it by unsuspecting client applications, which would prevent changing
-    system metadata due to lack of space.
+    On some filesystem the limits may be lower. Filesystems with too limited EA
+    space may experience unexpected weird effects.
+
 
     The default has changed to yes in Samba release 4.9.0 and above to allow better Windows
     fileserver compatibility in a default install.
diff --git a/docs-xml/smbdotconf/protocol/mapaclinherit.xml b/docs-xml/smbdotconf/protocol/mapaclinherit.xml
index 28271f9d66b..c248a333b5c 100644
--- a/docs-xml/smbdotconf/protocol/mapaclinherit.xml
+++ b/docs-xml/smbdotconf/protocol/mapaclinherit.xml
@@ -3,13 +3,17 @@
                  type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
-    <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
-    access control entry flags stored in Windows ACLs into an extended attribute
-    called user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires
-    supports for extended attributes on the filesystem and
-    allows the Windows ACL editor to store inheritance information while
-    NT ACLs are mapped best-effort to the POSIX ACLs.
+    <para>This boolean parameter is only relevant for systems that do not support
+    standardized NFS4 ACLs but only a POSIX draft implementation of ACLs. Linux
+    is the only common UNIX system which does still not offer standardized NFS4
+    ACLs actually. On such systems this parameter controls whether
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'protected'
+    (don't inherit) flags of the Windows ACLs into an extended attribute called
+    user.SAMBA_PAI (POSIX draft ACL Inheritance). This parameter requires
+    support for extended attributes on the filesystem and allows the Windows
+    ACL editor to store (non-)inheritance information while NT ACLs are mapped
+    best-effort to the POSIX draft ACLs that the OS and filesystem implements.
     </para>
 </description>
 <value type="default">no</value>
diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml
index 4c6caefc920..4f1bf995d7a 100644
--- a/docs-xml/smbdotconf/security/inheritacls.xml
+++ b/docs-xml/smbdotconf/security/inheritacls.xml
@@ -3,12 +3,15 @@
                  type="boolean"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter can be used to ensure that if default acls
+    <para>This parameter is only relevant for filesystems that
+    do not support standardized NFS4 ACLs but only a POSIX draft ACL
+    implementation and which implements default ACLs like most filesystems
+    on Linux. It can be used to ensure that if default ACLs
     exist on parent directories, they are always honored when creating a
     new file or subdirectory in these parent directories. The default 
     behavior is to use the unix mode specified when creating the directory. 
     Enabling this option sets the unix mode to 0777, thus guaranteeing that 
-    default directory acls are propagated.
+    the default directory ACLs are propagated.
 
     Note that using the VFS modules acl_xattr or acl_tdb which store native
     Windows as meta-data will automatically turn this option on for any
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 024073eb5bd..0e12dc429c0 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -41,6 +41,9 @@
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "lib/messaging/irpc.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 #undef strcasecmp
 #undef strncasecmp
 
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 13c3a8bd265..f4f97a60233 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -48,6 +48,9 @@
 #include "hdb.h"
 #include <kdc-audit.h>
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
 	if (db->hdb_master_key_set) {
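Review bot: The operator-visible effect of the two added lines is not documented anywhere in the commit: the message has no body and the diffstat lists no release-note change. After `#define DBGC_CLASS DBGC_KERBEROS`, debug output from this file, and from the other source4/kdc files that receive the same two lines in this commit (db-glue.c onwards), is presumably governed by the `kerberos` class of `log level` instead of the default class. A site that sets `kerberos` lower than its global level would then stop seeing these KDC and kpasswd messages, and log parsers that read the class from `debug class = yes` headers would see a different class name. I would add a short comment above the define, e.g. `/* KDC code logs under the "kerberos" debug class; tune with "log level = N kerberos:M" */`, and state the same in the commit message. The body of hdb_samba4_open continues outside the hunk.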
diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index 671e506b8cc..86c1eb5395f 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
@@ -31,6 +31,9 @@
 #include "auth/kerberos/pac_utils.h"
 #include "kdc/kdc-glue.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 int kdc_check_pac(krb5_context context,
 		  DATA_BLOB srv_sig,
 		  struct PAC_SIGNATURE_DATA *kdc_sig,
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index 5b2b3e36652..de32f062310 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -40,6 +40,9 @@
 #include <kdc.h>
 #include <hdb.h>
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 NTSTATUS server_service_kdc_init(TALLOC_CTX *);
 
 extern struct krb5plugin_kdc_ftable kdc_plugin_table;
diff --git a/source4/kdc/kdc-proxy.c b/source4/kdc/kdc-proxy.c
index 64160b3434d..bf14ccbb8b4 100644
--- a/source4/kdc/kdc-proxy.c
+++ b/source4/kdc/kdc-proxy.c
@@ -33,6 +33,8 @@
 #include "libcli/composite/composite.h"
 #include "libcli/resolve/resolve.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
 
 /*
   get a list of our replication partners from repsFrom, returning it in *proxy_list
diff --git a/source4/kdc/kdc-server.c b/source4/kdc/kdc-server.c
index de0ae8d1a72..c662c699ee7 100644
--- a/source4/kdc/kdc-server.c
+++ b/source4/kdc/kdc-server.c
@@ -30,6 +30,9 @@
 #include "kdc/kdc-proxy.h"
 #include "lib/stream/packet.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 /*
  * State of an open tcp connection
  */
diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c
index 645f9c96989..3e4ea36dfff 100644
--- a/source4/kdc/kpasswd-helper.c
+++ b/source4/kdc/kpasswd-helper.c
@@ -27,6 +27,9 @@
 #include "auth/auth.h"
 #include "kdc/kpasswd-helper.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
 			      krb5_error_code error_code,
 			      const char *error_string,
diff --git a/source4/kdc/kpasswd-service-heimdal.c b/source4/kdc/kpasswd-service-heimdal.c
index c92b13def93..340bc67fd8a 100644
--- a/source4/kdc/kpasswd-service-heimdal.c
+++ b/source4/kdc/kpasswd-service-heimdal.c
@@ -30,6 +30,9 @@
 #include "kdc/kpasswd-service.h"
 #include "kdc/kpasswd-helper.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 					       TALLOC_CTX *mem_ctx,
 					       const struct gensec_security *gensec_security,
diff --git a/source4/kdc/kpasswd-service-mit.c b/source4/kdc/kpasswd-service-mit.c
index 053b1f2bb6f..528141640ee 100644
--- a/source4/kdc/kpasswd-service-mit.c
+++ b/source4/kdc/kpasswd-service-mit.c
@@ -31,6 +31,9 @@
 #include "kdc/kpasswd-helper.h"
 #include "../lib/util/asn1.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 #define RFC3244_VERSION 0xff80
 
 krb5_error_code decode_krb5_setpw_req(const krb5_data *code,
diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index d2f1bb02906..c20919b0799 100644
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -31,6 +31,9 @@
 #include "kdc/kpasswd-helper.h"
 #include "param/param.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 #define HEADER_LEN 6
 #ifndef RFC3244_VERSION
 #define RFC3244_VERSION 0xff80
diff --git a/source4/kdc/kpasswd_glue.c b/source4/kdc/kpasswd_glue.c
index 68f347c60bd..b8ae40029b7 100644
--- a/source4/kdc/kpasswd_glue.c
+++ b/source4/kdc/kpasswd_glue.c
@@ -28,6 +28,9 @@
 #include "auth/auth.h"
 #include "kdc/kpasswd_glue.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 /*
    A user password change
 
diff --git a/source4/kdc/mit_kdc_irpc.c b/source4/kdc/mit_kdc_irpc.c
index 9113cf8a603..677e3ab6a23 100644
--- a/source4/kdc/mit_kdc_irpc.c
+++ b/source4/kdc/mit_kdc_irpc.c
@@ -37,6 +37,9 @@
 #include "sdb.h"
 #include "mit_kdc_irpc.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 struct mit_kdc_irpc_context {
 	struct task_server *task;
 	krb5_context krb5_context;
diff --git a/source4/kdc/sdb.c b/source4/kdc/sdb.c
index 0b8065b4934..43f0eb33c13 100644
--- a/source4/kdc/sdb.c
+++ b/source4/kdc/sdb.c
@@ -27,6 +27,9 @@
 #include "samba_kdc.h"
 #include "lib/krb5_wrap/krb5_samba.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 void sdb_key_free(struct sdb_key *k)
 {
 	if (k == NULL) {
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index d93309ac3bb..f1976573d0b 100644
--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -28,6 +28,9 @@
 #include "lib/krb5_wrap/krb5_samba.h"
 #include "kdc/samba_kdc.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
 				   HDBFlags *h)
 {
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index c24fd738ad3..466e53921cd 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -28,6 +28,9 @@
 #include "kdc/samba_kdc.h"
 #include "lib/krb5_wrap/krb5_samba.h"
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 static int SDBFlags_to_kflags(const struct SDBFlags *s,
 			      krb5_flags *k)
 {
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index a3f33f5d64f..2c9b81e0add 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -30,6 +30,9 @@
 #include "librpc/gen_ndr/auth.h"
 #include <krb5_locl.h>
 
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
 static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
 {
 	krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);


-- 
Samba Shared Repository


