Patches to head (become_root and some RPC stuff)

Michael Stockman pgmtekn-micke at algonet.se
Tue Aug 24 20:15:42 GMT 1999


> > lib/util_status.c <fixed a bug, added pid_to_uid(pid_t, uid_t *)>
> >
>
> Samba 2.1 Head branch CVS with LDAP
> Redhat 5.2, kernel 2.0.36, gcc 2.7.2.3-14
>
> lib/util_status.patch (pid_to_uid) was corrupted at the final return.
> All I got was "retu".
> I assumed it was "return False".

The assumption is correct. I have included the patch again in this
message if that would be convenient.

> I checked out a fresh copy of samba Head branch & applied the patches.
>
> 1. The "nobody" home share is still there.

This could be some NT thing. Do you know if NT tries to open some
connection (RPC?) that fails or if NT usually opens some anonymous
connection that for some reason hangs on?

It would be good if you could either send logs or extract what is
different between now and before in the logs (which api calls are
made).

> 2. I haven't used server admin much so I can't say about that. But I
> have complete lists of users, shares & connections.
>
> 3. Logged in as any member (member of "Domain Admins" or not):
> What functionality/bugs I had from usrmgr.exe I had before, I seem to
> still have:
>     I can't add a domain group to a user using usrmgr.exe even when
> logged on as a "Domain Admin" (LDAP objectclass: sambaGroup), however I
> can add/delete local groups (LDAP objectclass: sambaBuiltin).
>     Pedestal Software's ntuser.exe can add a user to "Domain Admins"
> while logged on as a common user.
>     I also can do these things when logged on as a common user on a
> different MS domain PDC.
>     These characteristics are pre & post patch.
>
> I feel I should point out normal NT operations don't allow a non
> "Domain Admins" user to even -look- at their own account much less add
> another user to the "Domain Admins" group.

You are using LDAP, right? The patches rely on trying to do something
and failing. If the ldap server gives out the information to a process
with user privileges, then you should get it. The idea is that smbd
acts with your privileges and smbd thus cannot do anything you
couldn't do anyway.

I don't know LDAP, so please, could you tell me how the LDAP server is
secured, because that is the key to what smbd is doing wrong.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se


