[PATCH] Some ADS fixes + pam_limits problem workaround

Antti Andreimann Antti.Andreimann at mail.ee
Sun Jul 20 02:24:44 GMT 2003


I have prepared a number of patches for consideration to be included in the
main tree. They are against 3.0.0beta3 and apply cleanly to CVS as well (as
of 20.07.2003 01:00 GMT).

Fixes the trust account automatic "demoting" to an NT4.0 in AD server.
Please see my previous posts in "authentication through transitive trusts"

The Problem:
When the realm in smb.conf differs from the AD's realm where samba is a member
server, NegProt returns the wrong principal to the client.
W2k clients seem to ignore this, but smbclient will be confused.

Proposed solution:
To overcome this, the realm of the current AD server is determined and used
in negotiation.
A side effect of this patch is that the realm does not have to be specified
in smb.conf anymore if it does not differ from the AD server's.

The problem:
It is impossible to remap Kerberos authenticated users via username map.

Proposed solution:
Included patch to add this functionality.

The problem:
An old bug that has been unanswered since 2001 (or maybe even earlier, at
least this was the earliest post I could find).
If You have:
        obey pam restrictions = yes AND
        You are using pam_limits module AND
        You have set users' max processes to a relatively low value (e.g. 40),
then samba is unable to print. You'll see fork failed errors in Your log.

The reason for this is that the pam_limits module will set resource limits of the
calling process, but since real uid == "root" the system takes the resource
usage of the root user into account instead of the incoming user.

Proposed solution:
Save the resource limits before calling pam modules and restore them

Testing status:
All the changes have been tested on alpha24 and they also compile cleanly on

 Antti Andreimann - Security Expert
      Using Linux since 1993
  Member of ELUG since 29.01.2000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-ADdemotefix.patch
Type: text/x-diff
Size: 683 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-ADdemotefix.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-adsrealm.patch
Type: text/x-diff
Size: 3774 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-adsrealm.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-krb-smbusers.patch
Type: text/x-diff
Size: 1463 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-krb-smbusers.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-limits.patch
Type: text/x-diff
Size: 2917 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-limits.bin
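
The save-and-restore idea described for the pam_limits problem, as an added example that is not the scrubbed samba-3.0.0beta3-limits.patch and not Samba code. All function names are hypothetical, fake_pam_session() is a constructed stand-in for a PAM session call with pam_limits in the stack, and RLIMIT_NPROC assumes Linux or BSD.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Limits pam_limits may change; extend to match the limits.conf in use. */
static const int tracked[] = { RLIMIT_NPROC, RLIMIT_NOFILE, RLIMIT_CORE };
#define NTRACKED (sizeof(tracked) / sizeof(tracked[0]))
struct saved_limits { struct rlimit lim[NTRACKED]; };

/* Snapshot the daemon's own limits before the PAM stack runs. */
int save_limits(struct saved_limits *s)
{
    for (size_t i = 0; i < NTRACKED; i++)
        if (getrlimit(tracked[i], &s->lim[i]) != 0)
            return -1;
    return 0;
}

/* Put the snapshot back. Raising a lowered hard limit needs root
 * (CAP_SYS_RESOURCE on Linux), which a root-owned daemon still has here. */
int restore_limits(const struct saved_limits *s)
{
    int rc = 0;
    for (size_t i = 0; i < NTRACKED; i++)
        if (setrlimit(tracked[i], &s->lim[i]) != 0)
            rc = -1;
    return rc;
}

/* Constructed stand-in for pam_limits: halves only the soft NPROC limit,
 * so the demo can also be run without privileges. */
int fake_pam_session(void)
{
    struct rlimit r;
    if (getrlimit(RLIMIT_NPROC, &r) != 0) return -1;
    r.rlim_cur /= 2;
    return setrlimit(RLIMIT_NPROC, &r);
}

/* 1 = limit changed during the "PAM" call and was restored, -1 = error. */
int demo(void)
{
    struct saved_limits s; struct rlimit during, after;
    if (save_limits(&s) != 0 || fake_pam_session() != 0) return -1;
    getrlimit(RLIMIT_NPROC, &during);
    if (restore_limits(&s) != 0) return -1;
    getrlimit(RLIMIT_NPROC, &after);
    return during.rlim_cur != s.lim[0].rlim_cur &&
           after.rlim_cur == s.lim[0].rlim_cur && after.rlim_max == s.lim[0].rlim_max;
}
int main(void) { printf("restored: %d\n", demo()); return 0; }
```

Restoring in the parent means the per-user limits no longer constrain that process, so any limits that should bind the user's work have to be applied again in the child after it has switched to the user's uid.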
