Jeremy Allison [Wed, 25 Apr 2012 22:17:09 +0000 (15:17 -0700)]
Fix bug #8897 - winbind_krb5_locator only returns one IP address.
Reported by Dina_Fine@Dell.com.
Don't ask the DC for an IP list when locating kdc's. Ask for the
name and use getaddrinfo to get all possible addresses instead.
(cherry picked from commit 56b0ec0e91f9af0eb6c109fc1cc300ad5fee3fe6)
The last 10 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 566295fa13ff4a848fea517d41bc08aee87966ac)
Jeremy Allison [Fri, 22 Jul 2011 23:40:54 +0000 (16:40 -0700)]
Fix bug 8314 - smbd crash with unknown user.
All other auth modules cope with being called with
auth_method->private_data being NULL, make the auth_server
module cope with this too.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Jul 23 02:55:01 CEST 2011 on sn-devel-104
(cherry picked from commit 1832c9591099be941ef3afe7b0381c4af61f4728)
Andrew Bartlett [Wed, 14 Dec 2011 22:57:56 +0000 (09:57 +1100)]
s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksummed.
The check comes from the fact that the credentials chain is tied to
the netlogon session key, and so if the credentials check passes then
the netlogon session key will be correct, and so the user session key
will be correctly decrypted.
Andrew Bartlett
Signed-off-by: Matthieu Patou <mat@matws.net>
s3: If we can't do validation 6 or sam_logon_ex use sam_logon only
Matthieu Patou [Fri, 24 Feb 2012 22:06:02 +0000 (14:06 -0800)]
s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path
If not, the child process would hang for quite a long time up to the
moment when the connection is cleaned by the kernel (took ~ 20 minutes)
in my tests.
Fix bug #8771 (Winbind takes up to 20 minutes to change from DC 1 to DC 2 and
in the meantime to respond NT_STATUS_IO_TIMEOUT).
Matthieu Patou [Fri, 10 Feb 2012 19:45:21 +0000 (11:45 -0800)]
s3-winbindd: set the can_do_validation6 also for trusted domain
The flag can_do_validation6 was only set for the domain to which
winbindd is the member. Setting this flag in other domains (trusted
domain) if it's an active directory domain is a good idea as it allows doing
level 6 validation also when winbindd is querying them directly.
(cherry picked from commit 05036fab0a9847219c73c0abd931a39fba0bccfd)
Michael Adam [Fri, 22 Jul 2011 08:11:52 +0000 (10:11 +0200)]
s3:loadparm: fix the reload of the configuration: also reload activated registry shares
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Fri Jul 22 16:53:49 CEST 2011 on sn-devel-104
(cherry picked from commit efbe1602bd014eada4811f336bdccbf4692d3807)
The last 2 patches address bug 8327 (config reload fails to reload shares from
registry).
s3:client: ignore SMBecho errors (the server may not support it) (bug #8139)
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit bb28a9387d3c76f6f8c7f79ec61d37a499d6c8f6)
Andrew Bartlett [Fri, 27 Jan 2012 02:53:34 +0000 (13:53 +1100)]
s3-libsmb Do not limit read replies to NBT packet sizes
With the posix extensions, we can read 16MB at a time, so we need to
check the full size of the packet, not the size rounded down to the
old NBT limit.
Andrew Bartlett
Fix bug #8727 (smbclient fails with posix large reads).
Jeremy Allison [Tue, 10 Jan 2012 22:43:04 +0000 (14:43 -0800)]
Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
Jeremy Allison [Fri, 16 Dec 2011 23:43:21 +0000 (15:43 -0800)]
Third part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share.
can_access_file_acl() - we can always delete a symlink.
can_delete_file_in_directory() - We don't need to do another STAT call
here, we know smb_fname->st is in a valid state.
smbd_check_open_rights() - we can always delete a symlink.
libcli/cldap: fix a crash bug in cldap_socket_recv_dgram() (bug #8593)
After calling any wrapper of tevent_req_notify_callback(),
e.g. tevent_req_nterror(), tevent_req_done(), tevent_req_nomem(),
a function has to return immediately, otherwise it is very likely to
crash.
s3:lib/ctdbd_conn: try ctdbd_init_connection() as root (bug #8684)
ctdbd_traverse is only called if the main db_context is already
open. So if we could get to information via dbwrap_fetch,
we should also be able to traverse.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Dec 23 18:19:14 CET 2011 on sn-devel-104
(cherry picked from commit 4a1895eb9921ad533910d08823c2814c470875fd)
Jeremy Allison [Thu, 5 Jan 2012 21:54:29 +0000 (13:54 -0800)]
Fix bug #8687 - net memberships usage info is wrong
Typo in usage.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jan 6 00:30:20 CET 2012 on sn-devel-104
(cherry picked from commit 0453544900ef2ebff7a3c677d4048ef530713b64)
s3-libsmb: Don't duplicate kerberos service tickets.
This fixes bug #8628.
Each time we do a client connection, each time we call the function to
get the service ticket from the cache we duplicate it. So with each
connection we end up with one or three duplicated tickets.
Jeremy Allison [Sat, 31 Dec 2011 05:19:08 +0000 (21:19 -0800)]
Final part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.
The code to set a DOS error on short writeX return is amazingly
legacy code, and also breaks the reply as fixup_chain_error_packet()
enforces a 2-byte wct on any reply where smb_rcls != 0.
Found in testing by Andrew Bartlett. Thanks Andrew!
Jeremy Allison [Fri, 2 Dec 2011 18:55:40 +0000 (10:55 -0800)]
Fix bug #8644 - vfs_acl_xattr and vfs_acl_tdb modules can fail to add inheritable entries on a directory with no stored ACL.
If referring to an fsp, sbuf can be left as an uninitialized variable,
causing the 'is_directory' variable to be false when it should be true.
(cherry picked from commit 16c0d52842386fc2ebf975166b57b888d36796c5)
s3-winbind: Add an update function for winbind cache.
With 57b3d32 we changed the format for the winbind cache database and
the code deleted the database for the upgrade. As this database holds
also cached credentials, removing it is not an option. We need to update
from version 1 to version 2.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Dec 3 03:47:58 CET 2011 on sn-devel-104
(cherry picked from commit a3f600521122d1a6d74d16668bd1ea4447c5c867)
The last 3 patches address bug #8658 (Negative / positive winbind cache won't
expire till opposite type of query is made).
This adds a timeout value to cache entries and the NDR records
in the winbind cache.
The previous approach of just comparing the sequence number has some issues,
e.g. when retrying a wbinfo -n operation for a user in a not yet trusted
domain was always failing even after the trusted domain was added.
The new approach compares sequence number and timeout value to
determine if a cache entry is still valid or not.
I increased the cache version number so an old cache will be wiped
automatically after upgrade.
(cherry picked from commit 57b3d32c8d87c4273d30d73fe2bfd3de0178945d)
Björn Jacke [Sat, 10 Dec 2011 12:53:42 +0000 (13:53 +0100)]
s3/doc: document the ignore system acls option of vfs_acl_xattr and vfs_acl_tdb
Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Sat Dec 10 15:30:46 CET 2011 on sn-devel-104
(cherry picked from commit f452add2231906742c9fd119371cd4fd81a1bdd6)
Richard Sharpe [Mon, 14 Nov 2011 15:47:38 +0000 (07:47 -0800)]
Improve configure.in so it can be used outside the Samba source tree.
Autobuild-User: Richard Sharpe <sharpe@samba.org>
Autobuild-Date: Thu Nov 17 07:00:38 CET 2011 on sn-devel-104
(cherry picked from commit f50aa988c201c2fe78e467f1a419bedc741e1d31)
Fix bug #8607 (The configure.in in examples/VFS does not easily allow building
modules outside the Samba source tree).
(cherry picked from commit 7db7ea684a17b70ecae31c70c1b2e647ea0fafa1)
If you join Samba with the idmap_ad backend to an AD, when you try to
enumerate users with 'getent passwd' and the user doesn't have a uid
set, then getent is aborted because of NT_STATUS_NONE_MAPPED. If we can't
map a user we should not stop but continue enumerating users.
This normally happens with the default user 'krbtgt' with idmap_ad but
could also happen with other backends.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Nov 15 16:52:04 CET 2011 on sn-devel-104
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 9 10:13:32 CET 2011 on sn-devel-104
(cherry picked from commit 4b31c4273c45faa639445614061f3da548eb8505)
s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326)
Print shares don't support CAP_LARGE_WRITEX, while it's negotiated
by the file server part.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Nov 8 17:01:36 CET 2011 on sn-devel-104
(cherry picked from commit 95595dd93fd04999fcf56ecaab7c29b064d021f8)
Jeremy Allison [Sat, 22 Oct 2011 01:35:15 +0000 (18:35 -0700)]
Third part of fix for bug #8541 - readlink() on Linux clients fails if the symlink target is outside of the share.
Missed passing ucf_flags instead of hard coded flags in findfirst call.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Oct 22 06:30:16 CEST 2011 on sn-devel-104
(cherry picked from commit f4593181876f7a9ef55ceee8d1a20369197a63ba)
Jeremy Allison [Mon, 25 Jul 2011 23:12:45 +0000 (16:12 -0700)]
Use existing ISDOT and ISDOTDOT macros.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Jul 28 02:09:20 CEST 2011 on sn-devel-104
(cherry picked from commit d82256ca119eb8315cc69ba725ba71c386caa901)
Björn Jacke [Thu, 20 Oct 2011 19:39:38 +0000 (21:39 +0200)]
s3:Makefile: make DSO_EXPORTS_CMD more portable (#8531)
It seems like every not completely trivial sed expression should be tested with
Solaris' sed. Its regexp engine is way more limited than the one of GNU
sed. Thanks to Michael Pelletier for finding this! This fixes bug #8531.
Fix bug #8515 - Empty CIFS share can be blocked for other clients by deleting it via empty path (DELETE_PENDING until the last client)
Disallow "." in can_set_delete_on_close().
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 12 21:07:27 CEST 2011 on sn-devel-104
(cherry picked from commit bd260f03ab492d03c2890db47dc6fb4f1b824a1a)
Bug 7551: Return error of cli_push when 'put - /some/file' is used
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Sep 29 23:47:02 CEST 2011 on sn-devel-104
(cherry picked from commit d883cc664cac81633a60e5b04f99f23a3577ae65)
Jeremy Allison [Fri, 2 Sep 2011 22:08:42 +0000 (15:08 -0700)]
Part 3 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument)
Don't call check_owning_objs() to convert ACL_USER->ACL_USER_OBJ and
ACL_GROUP->ACL_GROUP_OBJ for default (directory) ACLs, we do this separately
inside ensure_canon_entry_valid().
Jeremy Allison [Fri, 30 Sep 2011 20:35:59 +0000 (13:35 -0700)]
Fix bug #8493 - DFS breaks zip file extracting unless "follow symlinks = no" set
If a client sends a mangled name as part of a DFS path, use the
post-mangled name for the pathname walk, not the mangled name.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Oct 1 00:45:59 CEST 2011 on sn-devel-104
(cherry picked from commit 149875f887287dbbf016d2252962b023b0bae967)