[PATCH] Some ADS fixes + pam_limits problem workaround
Antti Andreimann
Antti.Andreimann at mail.ee
Sun Jul 20 02:24:44 GMT 2003
Hi!
I have prepared a number of patches for consideration to be included in the
main tree. They are against 3.0.0beta3 and apply cleanly to CVS as well (as
of 20.07.2003 01:00 GMT).
samba-3.0.0beta3-ADdemotefix.patch:
---------------------------------------------------
Fixes the automatic "demoting" of the trust account to an NT4.0 account in the AD server.
Please see my previous posts in "authentication through transitive trusts"
thread.
samba-3.0.0beta-adsrealm.patch:
--------------------------------------------
The Problem:
When the realm in smb.conf differs from the AD's realm where samba is a member
server, NegProt returns the wrong principal to the client.
W2k clients seem to ignore this, but smbclient will be confused.
Proposed solution:
To overcome this, the realm of the current AD server is determined and used
in negotiation.
A side effect of this patch is that the realm does not have to be specified
in smb.conf anymore if it does not differ from the AD server's.
samba-3.0.0beta3-krb-smbusers.patch:
----------------------------------------------------
The problem:
It is impossible to remap Kerberos authenticated users via username map
(smbusers).
Proposed solution:
Included patch to add this functionality.
samba-3.0.0beta3-limits.patch:
-----------------------------------------
The problem:
An old bug that has been unanswered since 2001 (or maybe even earlier, at
least this was the earliest post I could find).
If You have:
obey pam restrictions = yes AND
You are using pam_limits module AND
You have set users' max processes to a relatively low value (eg 40),
then samba is unable to print. You'll see fork failed errors in Your log.
The reason for this is that the pam_limits module will set resource limits of the
calling process, but since real uid == "root" the system takes the resource
usage of the root user into account instead of the incoming user.
Proposed solution:
Save the resource limits before calling pam modules and restore them
afterwards.
Testing status:
All the changes have been tested on alpha24 and they also compile cleanly on
beta3.
--
Antti Andreimann - Security Expert
Using Linux since 1993
Member of ELUG since 29.01.2000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-ADdemotefix.patch
Type: text/x-diff
Size: 683 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-ADdemotefix.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-adsrealm.patch
Type: text/x-diff
Size: 3774 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-adsrealm.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-krb-smbusers.patch
Type: text/x-diff
Size: 1463 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-krb-smbusers.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.0beta3-limits.patch
Type: text/x-diff
Size: 2917 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030720/129ad8ac/samba-3.0.0beta3-limits.bin
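The save-and-restore approach proposed for the pam_limits problem, as an added example. It is not the contents of samba-3.0.0beta3-limits.patch (the attachment is not reproduced on this page) and not Samba code. All function names are hypothetical, and fake_pam_limits() is a constructed stand-in for the PAM call that lowers only the soft limit, so the example also runs unprivileged.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/resource.h>
/* Limits to snapshot; the choice of resources is this example's assumption. */
static const int saved_res[] = { RLIMIT_NPROC, RLIMIT_NOFILE, RLIMIT_CORE, RLIMIT_STACK };
#define NRES (sizeof(saved_res) / sizeof(saved_res[0]))
struct rlimit_snapshot { struct rlimit lim[NRES]; int valid[NRES]; };

static void rlimits_save(struct rlimit_snapshot *s) {
    for (size_t i = 0; i < NRES; i++)
        s->valid[i] = (getrlimit(saved_res[i], &s->lim[i]) == 0);
}

/* Returns how many saved limits could not be put back. */
static int rlimits_restore(const struct rlimit_snapshot *s) {
    int failed = 0;
    for (size_t i = 0; i < NRES; i++)
        if (s->valid[i] && setrlimit(saved_res[i], &s->lim[i]) != 0)
            failed++;
    return failed;
}

/* Constructed stand-in for a PAM call that runs pam_limits with max
 * processes set to 40. A root daemon could also restore a lowered hard limit. */
int fake_pam_limits(void) {
    struct rlimit r;
    if (getrlimit(RLIMIT_NPROC, &r) != 0) return -1;
    if (r.rlim_cur > 40) r.rlim_cur = 40;
    return setrlimit(RLIMIT_NPROC, &r);
}

rlim_t soft_nproc(void) {
    struct rlimit r;
    return getrlimit(RLIMIT_NPROC, &r) == 0 ? r.rlim_cur : 0;
}

/* Returns -1 if pam_call failed, otherwise the number of restore failures. */
int call_with_saved_rlimits(int (*pam_call)(void)) {
    struct rlimit_snapshot snap;
    rlimits_save(&snap);
    int rc = pam_call();
    int failed = rlimits_restore(&snap);  /* restore even if the call failed */
    return rc != 0 ? -1 : failed;
}

int main(void) {
    int rc = call_with_saved_rlimits(fake_pam_limits);
    printf("result %d, soft NPROC now %llu\n", rc, (unsigned long long)soft_nproc());
    return rc != 0;
}
```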