[PATCH] Patches come from Centrify Corp.

Andrew Bartlett abartlet at samba.org
Tue May 12 13:48:03 GMT 2009

On Tue, 2009-05-12 at 18:16 +0800, Zhou Weikuan wrote:
> Hello all,
> I'm working for Centrify Corp. My company is going to open our patches to samba source code. The base samba version is 3.0.32, and the patches can also be applied for later versions with some modifications manually:
> The patches are for the purposes listed as below:

Per the mail Kai sent 3 weeks ago, detailing the team's changed branch
policy at SambaXP 2009, we are no longer maintaining the 3.0 version for
anything other than serious security patches.  

We do appreciate vendor patches, provided under personal copyrights, but
we do need them against the current development version.

Please rebase your patches against 'master'. 

> 1)  cliconnect.c.patch
> If we want to do NTLM authentication, NTLM authentication requires the user's samAccountName. So we added get_sid and get_sam_account functions for getting
> the sam account by uid first. 

NTLM authentication should not require that.  Did you try logging in
with the exact same principal name as Kerberos used?

> 2) clikrb5.c.patch, sasl.c.patch
> Win2k8 encryption support, add AES into encryption list. Win2k8 uses AES as the preferred encryption if it runs in win2k8 function level.  If we use `kinit administrator` to create kerberos cache first, and then run `net ads user` without specifying the account explicitly,  net doesn't work. This patch resolves this.

I would rather see us remove this entirely, and use the defaults.  Since
we needed this, the Kerberos libs have improved their defaults, and
hopefully there are not too many brain-dead config files left around.

> 3) smbpasswd.c.patch
> Put smb-name in front of the local user when changing the password via smbpasswd, so that the local unix user will not be regarded as an AD user and fail to smbpasswd again.
> 4) srv_srvsvc_nt.c.patch 
> Added a lp_pathexist array to save the path status. If the path of the share resource does not exist, don't show it on the client. A typical example is that some users' home directories will not be created until the users log in for the first time. But the home directory is displayed if we visit it from Windows even if it is not there.

This seems a very reasonable idea, but I'm not sure about having yet
more options, and is this the right place to do it?

> 5) testparm.c.patch 
> Check for invalid uid/gid. 
> Samba is sensitive to negative uid/gid pairs; the default guest account for samba is nobody, which is typically assigned -1/-2 on HP-UX.  A workaround is to create an smbnull user in file /etc/passwd with a positive uid/gid pair and add the global parameter guest account = smbnull. We patch samba to make this explicit. 

It is interesting to note the original issue with negative UID and GID
pairs and setreuid() (I think).  I wonder if it even applies to
HP/UX :-)

Anyway, it seems reasonable to check for an account - but is -2 a
problem, or just -1?

Regardless of my criticisms, thanks for posting the patches - we really
appreciate working with vendors.  I hope some of the folks who work more
closely with this code can provide a more useful comment when you see
which still apply to 'master'.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
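The point raised about item 5 (a guest account resolving to uid -1 and setreuid()) is worth making concrete. The following is an added example, not Samba's testparm code and not Centrify's patch: a small check of the kind testparm could run on whatever `guest account =` resolves to. The account entries are constructed inline rather than read from a real /etc/passwd, and the function and enum names are assumptions for illustration. It flags only the (uid_t)-1 / (gid_t)-1 case, which POSIX setreuid()/setregid() define as "leave unchanged", and does not take a position on whether -2 is also a problem, which the mail leaves open.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Result of validating the account that "guest account =" resolves to. */
enum guest_check {
    GUEST_OK = 0,
    GUEST_UID_SENTINEL,   /* pw_uid is (uid_t)-1 */
    GUEST_GID_SENTINEL    /* pw_gid is (gid_t)-1 */
};

/*
 * POSIX setreuid()/setregid() treat an argument equal to (uid_t)-1 /
 * (gid_t)-1 as "do not change this id".  uid_t is unsigned on common
 * platforms, so an /etc/passwd entry written as "-1" becomes that exact
 * sentinel value.  A daemon that drops to the guest account with
 * setreuid(pw->pw_uid, pw->pw_uid) would then silently keep its current
 * identity, typically root.  This check rejects such an account up front.
 * (Hypothetical helper, not part of Samba.)
 */
enum guest_check check_guest_account(const struct passwd *pw)
{
    if (pw->pw_uid == (uid_t)-1)
        return GUEST_UID_SENTINEL;
    if (pw->pw_gid == (gid_t)-1)
        return GUEST_GID_SENTINEL;
    return GUEST_OK;
}

const char *guest_check_str(enum guest_check rc)
{
    switch (rc) {
    case GUEST_OK:           return "ok";
    case GUEST_UID_SENTINEL: return "uid is (uid_t)-1: setreuid() would not change identity";
    case GUEST_GID_SENTINEL: return "gid is (gid_t)-1: setregid() would not change identity";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample entries (not read from any real passwd database). */
    struct passwd nobody_neg = { .pw_name = "nobody",  .pw_uid = (uid_t)-1, .pw_gid = (gid_t)-2 };
    struct passwd smbnull    = { .pw_name = "smbnull", .pw_uid = 65534,     .pw_gid = 65534 };
    const struct passwd *accounts[] = { &nobody_neg, &smbnull };

    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++) {
        const struct passwd *pw = accounts[i];
        printf("guest account = %s (uid %lu, gid %lu): %s\n",
               pw->pw_name, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid,
               guest_check_str(check_guest_account(pw)));
    }
    return 0;
}
```

The printed uid for the "-1" entry shows why the symptom is confusing on a real box: the value appears as a very large positive number, not as -1, so the sentinel is easy to miss when reading logs.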