Karolin Seeger [Wed, 17 Dec 2008 14:53:51 +0000 (15:53 +0100)]
s3/loadparm.c: Change default value for "ldap ssl".
LDAP_SSL_ON is not defined at all. That's why the actual default value
was "" for a long time. Set a more sensible default value without chnging the
default behaviour.
Jeremy Allison [Thu, 4 Dec 2008 19:07:53 +0000 (11:07 -0800)]
Fix bug #1254 - write list not working under share-level security
(mtab.c, fix build).
Jeremy.
(cherry picked from commit 680e4c398c79867f8a7ad40e9c2cd9c401922edd)
Jeremy Allison [Mon, 24 Nov 2008 23:40:50 +0000 (15:40 -0800)]
Fix bug #5873 - ACL inheritance cannot be broken. This regresses #4308, but that will have to
be fixed another way.
Jeremy.
(cherry picked from commit 649572c454328b81714b86d3f99f730bf61625e0)
Michael Adam [Fri, 21 Nov 2008 23:42:54 +0000 (00:42 +0100)]
winbindd_ads: use the reconnect methods instead of the rpc methods directly
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Carsten Dumke [Thu, 13 Nov 2008 18:05:00 +0000 (12:05 -0600)]
net: Fix documentation of net rap printq info (bug #5892)
The man-page (see net(8)) and the usage-info (call "net help rap printq") of
'net rap printq' do contain an option "list" but in net_rap.c
the option is named "info".
Rename the option "list" in the documentation (man-pages + usage) to "info" to
match the code.
Jeff Layton [Thu, 6 Nov 2008 20:20:55 +0000 (15:20 -0500)]
mount.cifs: use lock/unlock_mtab scheme from util-linux-ng mount prog
The util-linux-ng sources have a good, but rather complex scheme for
locking the mtab before updating it. Mount helpers need to follow the
same scheme. Advisory locking only works if everyone is using the same
locking scheme.
Copy the routines we need from util-linux-ng into a separate source file
and then have mount.cifs and umount.cifs link in this object.
The long term goal is to have these routines in a separate helper
library (libmount). Mount helpers can then dynamically link in that lib.
Until that happens, this should serve as a suitable stopgap solution.
saf_join_store() should be called after a successful
domain join, the affinity to the dc used at join time
has a larger ttl, to avoid problems with delayed replication.
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 80e74a27c55c01221091e3eec930c2ac4433c22c)
Michael Adam [Mon, 27 Oct 2008 13:28:44 +0000 (14:28 +0100)]
winbind: fix smbd hanging on Solaris when winbindd closes socket.
On some versions of Solaris, we observed a strange effect of close(2)
on a socket: After the server (here winbindd) called close, the client fd
was not marked as readable for select. And a write call to the fd did
not produce an error EPIPE but just returned as if successful.
So while winbindd had called remove_client(), the corresponding smbd
still thought that it was connected, but failed to retrieve answers
for its queries.
This patch works around the problem by forcing the client fd to
the readable state: Just write one byte into the socket before
closing.
Jeremy Allison [Fri, 17 Oct 2008 04:01:56 +0000 (21:01 -0700)]
Cope with bad trans2mkdir requests from System i QNTC IBM SMB client.
If total_data == 4 Windows doesn't care what values
are placed in that field, it just ignores them.
The System i QNTC IBM SMB client puts bad values here,
so ignore them.
Jeremy.
(cherry picked from commit cfdbe8a1f2057ad1a8886ca7445a812219648d19)
Jeff Layton [Thu, 9 Oct 2008 14:51:33 +0000 (10:51 -0400)]
mount.cifs: make return codes match the return codes for /bin/mount (try #3)
The manpage for /bin/mount specifies that the return code should be a
positive integer (actually, it's a bitfield). Clean up the return
codes from mount.cifs to make them match the expected return values
from /bin/mount. This necessary for proper integration with autofs.
This is the third attempt at this patch. The changes here are minor,
just changing some return's from main() into exit() calls for
consistency's sake.
Jeff Layton [Thu, 9 Oct 2008 14:47:45 +0000 (10:47 -0400)]
mount.cifs: have uppercase_string return success on NULL pointer
We currently don't attempt to uppercase the device portion of the mount
string if there isn't a prefixpath. Fix that by making uppercase_string
return success without doing anything on a NULL pointer.
Jeremy Allison [Wed, 8 Oct 2008 18:37:43 +0000 (11:37 -0700)]
Fix bug #5814 - Winbindd dumping core in a strange manner while doing "rescan_trusted_domain".
From analysis by hargagan <shargagan@novell.com> :
"The winbindd_child_died() is also getting called from process_loop() in case of
SIGCHLD signal. In this case it doesn't make the timeout_handler to NULL for
the first request. It then initiate a new request using
schedule_async_request() which installs a new timeout handler for the same
request. In such a case, for a badly unresponsive system both the timeout
handler can be called. For the first call the "private_data" will be cleared
and for another call the timeout handler will be detecting the double free. So,
for such a case as well, the winbindd_child_died() should make the
timeout_handler to NULL."
Jeremy.
(cherry picked from commit cfa9d20db78875969ea8065161f8efdf5281d003)
Jeremy Allison [Wed, 1 Oct 2008 20:23:36 +0000 (13:23 -0700)]
Fix use of DLIST_REMOVE as spotted by Constantine Vetoshev <gepardcv@gmail.com>.
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
(cherry picked from commit 45514fc5d85221339a4ee55b9f9f78c917b2fd19)
Jeremy Allison [Sat, 27 Sep 2008 01:41:05 +0000 (18:41 -0700)]
Fix for bug #5790 - samba returns STATUS_OBJECT_NAME_NOT_FOUND on set file disposition call.
This was my fault. I use a singleton cache (positive and negative) to speed up pathname based
qfileinfo/setfileinfo lookups for alternate fsp's open on the same path. I only invalidated the
negative cache on adding a new file fsp, as I incorrectly imagined the new fsp was put at the *end* of
the open files list. DLIST_ADD puts it at the start, meaning any subsequent open wasn't seen once the
cache was set. Doh !
Jeremy.
(cherry picked from commit 3d10c237a9b71d269d7936d58c2f8c0172165cbe)
Jeremy Allison [Tue, 23 Sep 2008 23:47:21 +0000 (16:47 -0700)]
Fix winbindd crash in an unusual failure mode. Bug #5737. Based on original patch from shargagan@novell.com
Jeremy.
(cherry picked from commit 2f230176a19788e659522c7ccccb19b289412166)
Jeff Layton [Fri, 12 Sep 2008 20:58:00 +0000 (16:58 -0400)]
mount.cifs: fix several problems when mounting subdirectories of shares (try 2)
This patch is the second patch to attempt to fix up some of the problems
with mounting subdirectories of shares. The earlier patch didn't handle
this correctly when POSIX extensions were enabled. This one does.
This is a bit of a confusing area since the different components of
a service string have different rules:
1) hostname: no '/' (slash) or '\' (backslash) is allowed to be
embedded within the string
2) sharename: same rules as hostname
3) prefixpath: '\' *is* allowed to be embedded in a path component,
iff POSIX extensions are enabled. Otherwise, neither
character is allowed.
The idea here is to allow either character to act as a delimiter when we
know that the character can't be anything but a delimiter (namely
everywhere up to the start of the prefixpath). The patch will convert
any '\' unconditionally to '/' in the UNC portion of the string.
However, inside the prefixpath, we can't make assumptions about what
constitutes a delimiter because POSIX allows for embedded '\'
characters. So there we don't attempt to do any conversion, and pass the
prefixpath to the kernel as is. Once the kernel determines whether POSIX
extensions are enabled, it can then convert the path if needed and it's
able to do so. A patch to handle this has already been committed to the
cifs-2.6 git tree.
This patch also fixes an annoyance. When you mount a subdir of a share,
mount.cifs munges the device string so that you can't tell what the
prefixpath is. So if I mount:
//server/share/p1/p2/p3
..then /proc/mounts and mtab will show only:
//server/share
Finally, it also tries to apply some consistent rules to the uppercasing
of strings.
Jeff Layton [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
cifs.upcall: bump SPNEGO msg version number and don't reject old versions
When we added the ability for the kernel to send sec=mskrb5 to the
upcall, we subtly broke old cifs.upcall versions that don't understand
it. Bump the spnego message version to 2 to make this clear. Also,
change cifs.upcall to not reject requests with a version that's lower
than the current one, and to send the reply with the same version that
the request sent. The idea is to try and keep cifs.upcall backward
compatible with old kernels.
Jeff Layton [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
cifs.upcall: handle MSKRB5 OID properly
When the kernel sends the upcall a sec=mskrb5 parameter, that means
the the MSKRB5 OID is preferred by the server. This patch fixes the
upcall to use that OID in place of the "normal" krb5 OID when it
gets a sec=mskrb5 parameter.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <smfrench@gmail.com>
(cherry picked from commit 340fdd5fed64ec4a8d7fc937956c722d59a73ba8)
Jeff Layton [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
cifs.upcall: negatively instantiate keys on error
When a request-key upcall exits without instantiating a key, the kernel
will negatively instantiate the key with a 60s timeout. Older kernels,
however seem to also link that key into the session keyring. This
behavior can interefere with subsequent mount attempts until the
key times out. The next request_key() call will get this negative key
even if the upcall would have worked the second time.
Fix this by having cifs.upcall negatively instantiate the key itself
with a 1s timeout and don't attach it to the session keyring.
Steve French [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
Building cifs.upcall is giving this build warning:
client/cifs.upcall.c:205: warning: function declaration isn’t a prototype
This patch fixes this by properly declaring usage() args as void.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@samba.org>
(cherry picked from commit 186eb5b26e29b687e9eab981a0ef673462f68f78)
Steve French [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
cifs.upcall was not recognizing the newer name "dns_resolver" key type
(as a synonym for the older "cifs.resolver" name) when resolving host
names to ip addresses for the kernel.
Steve French [Fri, 12 Sep 2008 20:57:59 +0000 (16:57 -0400)]
cifs.upcall: fix compile warning
Steve French noticed these warnings when building cifs.upcall:
Compiling client/cifs.upcall.c
client/cifs.upcall.c: In function 'usage':
client/cifs.upcall.c:204: warning: declaration of 'prog' shadows a global declaration
client/cifs.upcall.c:33: warning: shadowed declaration is here
Change the usage function to not take and arg and have it just use the global
"prog" variable. Fix a typo in the log message generated when an unknown
option is specified. Also getopt() always returns '?' when it sees an unknown
option so there's no point in printing it out.
Jeff Layton [Fri, 12 Sep 2008 20:57:58 +0000 (16:57 -0400)]
cifs.upcall: move default install location to EPREFIX/sbin
cifs.upcall links to libraries that live under /usr, so installing it
in /sbin doesn't seem appropriate. Move it to EPREFIX/sbin instead
(i.e. /usr/sbin).
Jeremy Allison [Fri, 12 Sep 2008 20:57:58 +0000 (16:57 -0400)]
This patchset comprises a number of cleanups for the cifs upcall
binary. The biggest change is that it renames it from cifs.spnego
to cifs.upcall since the cifs.spnego name really isn't applicable
anymore.
It also fixes a segfault when the program is run without any args
and adds a manpage. Comments and/or suggestions appreciated.
This set should apply cleanly to the 3.3 test branch.
Igor Mammedov [Fri, 12 Sep 2008 20:57:58 +0000 (16:57 -0400)]
* helper source for handling cifs kernel module upcall for kerberos
authorization
* Added -c option to set service prefix to "cifs" in service principal by
default service prefix "host" is used
* replaced malloc/free/srtncpy with replacements from samba project
Jeremy Allison [Fri, 12 Sep 2008 18:16:03 +0000 (11:16 -0700)]
Backport of bugfix for #5751, smbclient: cannot show ACLs on DFS, done by
SATOH Fumiyasu <fumiyas@osstech.co.jp>.
Jeremy.
(cherry picked from commit 5e73ddba11cbf9ea2d6ca63be098720ff0d5a0d1)
Jeremy Allison [Thu, 11 Sep 2008 19:16:31 +0000 (12:16 -0700)]
Here's the fix for bug #5750. Note this bug does *NOT* affect
3.2.x (code is different there).
Jeremy.
(cherry picked from commit d3e790fa70d083a53de221907c951580ce2537a4)
Jeremy Allison [Wed, 10 Sep 2008 23:23:54 +0000 (16:23 -0700)]
Fix bug #5052 - not work cancel inheritance on share. We were
using the parent security descriptor type and flags instead
of using the passed in SD.
Jeremy.
(cherry picked from commit 78941c166debc8315516d895b2ef77e52417f067)
Qiao Yang [Fri, 5 Sep 2008 12:17:04 +0000 (14:17 +0200)]
Fix a memleak
request.extra_data is not freed if there is no extra_data in response or when
there is some error happens in processing. This patch will free the buffer
right after processing a request before sending back a response.
(cherry picked from commit 05a80132ea95f40fdc8d4cfa6f90d8ba472a0272)
Simo Sorce [Wed, 3 Sep 2008 14:44:09 +0000 (10:44 -0400)]
The msync manpage reports that msync *must* be called before munmap. Failure to do so may result in lost data. Fix an ifdef check, I really think we meant to check HAVE_MMAP here.
(cherry picked from commit 0b39c04fed2720aad07544c65a57b6580ae322a0)
Günther Deschner [Thu, 28 Aug 2008 22:05:32 +0000 (00:05 +0200)]
Backport bugfix for bug #5710.
In order to successfully update a machine account password we need to use
Netlogon ServerPasswordSet2 when NETLOGON_NEG_PASSWORD_SET2 has been negotiated.
Andrew Tridgell [Tue, 26 Aug 2008 16:59:54 +0000 (09:59 -0700)]
become root for AIO operations
We need to become root for AIO read and write to allow the AIO thread
to send a completion signal to the parent process when the IO
completes
(cherry picked from commit 91dcce0e4deb87c6d5e491eb9dbb09fd04981d28)
Andrew Tridgell [Tue, 26 Aug 2008 16:59:20 +0000 (09:59 -0700)]
EINVAL is also a valid error return, meaning "this filesystem
cannot do sendfile for this file"
(cherry picked from commit 5f30f87dcbeaf30713fadeb130193cb86021e87f)
Andrew Tridgell [Sun, 24 Aug 2008 03:56:59 +0000 (13:56 +1000)]
Avoid a race condition in glibc between AIO and setresuid().
See this test: http://samba.org/~tridge/junkcode/aio_uid.c
The problem is that setresuid() tries to be clever about threads, and
tries to change the euid of any threads that are running. If a AIO read
or write completes while this is going on then the signal from the thread
where the IO completed is lost, as it gets -1/EPERM from rt_sigqueueinfo()
The simplest fix is to try to use setreuid() instead of setresuid(),
as setreuid() doesn't try to be clever. Unfortunately this also means
we must use become_root()/unbecome_root() in the aio code.
(cherry picked from commit 5e3b978c51e741d413b856adafa1b1090ed8dd7b)
Jeremy Allison [Fri, 22 Aug 2008 20:54:22 +0000 (13:54 -0700)]
Don't re-initialize a token when we already have one. This fixes the build farm failures when winbindd connects as guest.
This one took a *lot* of tracking down :-).
Jeremy.
At least the MQ Series message queing service that runs
on WebSphere will fail if you return any other errno in this case.
(cherry picked from commit ee26664602445fa7798e2061f6bcbef0756d6528)
projects / thirdparty / samba.git / log
