[PATCH] Some ADS fixes + pam_limits problem workaround

Andrew Bartlett abartlet at samba.org
Wed Jul 23 12:40:06 GMT 2003

On Sun, 2003-07-20 at 12:24, Antti Andreimann wrote:
> Hi!
> I have prepared a number of patches for consideration to be included in the
> main tree. They are against 3.0.0beta3 and apply cleanly to CVS as well (as
> of 20.07.2003 01:00 GMT).

> samba-3.0.0beta-adsrealm.patch:
> --------------------------------------------
> The Problem:
> When realm in smb.conf differs from the AD's realm where samba is a member
> server, NegProt returns wrong principal to the client.
> W2k clients seem to ignore this, but smbclient will be confused.
> Proposed solution:
> To overcome this, the realm of the current AD server is determined and used
> in negotiation.
> A side effect of this patch is that the realm does not have to be specified
> in smb.conf anymore if it does not differ from the AD server's.

This patch has nasty performance implications.  A better way to work
would be to save the full principal name when we join.  Even better
would be to use this as an indication that we have joined an ADS domain,
removing the last references to 'security=ads' in our codebase...

(note:  removing 'security=ads' has already been vetoed by jerry, but I
still think it's a good idea).

> samba-3.0.0beta3-limits.patch:
> -----------------------------------------
> The problem:
> An old bug that has been unanswered since 2001 (or maybe even earlier, at
> least this was the earliest post I could find).
> If You have:
>         obey pam restrictions = yes AND
>         You are using pam_limits module AND
>         You have set users' max processes to a relatively low value (eg 40),
> then samba is unable to print. You'll see fork failed errors in Your log.
> The reason for this is that pam_limits module will set resource limits of the
> calling process, but since real uid == "root" the system takes the resource
> usage of the root user into account instead of the incoming user.
> Proposed solution:
> Save the resource limits before calling pam modules and restore them
> afterwards.

Should we then re-apply them every time we change user?

> Testing status:
> All the changes have been tested on alpha24 and they also compile cleanly on
> beta3.

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
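
The save-and-restore approach proposed for the pam_limits problem in the quoted text, as an added example that is not code from the patch or from Samba. The names with_saved_limits(), fake_pam_session() and soft_nproc() are hypothetical, the set of limits saved is an assumption, and the stand-in only lowers a soft limit so the example runs without root.

```c
#include <stddef.h>
#include <sys/resource.h>

/* Limits to snapshot (a subset assumed for this example). */
static const int saved_res[] = { RLIMIT_NPROC, RLIMIT_NOFILE, RLIMIT_CORE };
#define NRES (sizeof(saved_res) / sizeof(saved_res[0]))

/* Run fn() with the current limits snapshotted, then put them back.
 * Returns fn()'s result, or -1 if the snapshot or the restore failed. */
int with_saved_limits(int (*fn)(void))
{
    struct rlimit saved[NRES];
    size_t i;
    int rc, failed = 0;

    for (i = 0; i < NRES; i++)
        if (getrlimit(saved_res[i], &saved[i]) != 0)
            return -1;          /* do not call fn() without a snapshot */

    rc = fn();                  /* stands in for the PAM session call */

    /* Restore even when fn() failed: limits may already have been changed.
     * Raising a hard limit that was lowered requires privilege. */
    for (i = 0; i < NRES; i++)
        if (setrlimit(saved_res[i], &saved[i]) != 0)
            failed = 1;

    return failed ? -1 : rc;
}

/* Constructed stand-in for pam_limits: cap soft max processes at 40. */
int fake_pam_session(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max < 40 ? rl.rlim_max : 40;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Current soft RLIMIT_NPROC, for checking the effect of the calls above. */
rlim_t soft_nproc(void)
{
    struct rlimit rl;

    return getrlimit(RLIMIT_NPROC, &rl) == 0 ? rl.rlim_cur : 0;
}
```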