Björn Jacke [Thu, 12 Aug 2010 14:18:45 +0000 (16:18 +0200)]
s3: fall back to cups-config for underlinked libs
some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzila #7244)
(cherry picked from commit 616e187d68e3e7b202413a96518b31d029e9563a)
Jeremy Allison [Thu, 29 Jul 2010 20:44:35 +0000 (13:44 -0700)]
Fix bug #7589 - ntlm_auth fails to use cached credentials.
In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
of the mapped username, but fails to canonicalize the actual username
sent to the backend domain process. When "winbind default domain"
is set this can lead to credentials being cached with an index of
user: user, not DOMAIN\user. All other code paths that use
canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
correctly canonicalize the data sent to the backend. All calls
the can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
correctly call canonicalize_username() to create the credential
lookup key.
Jeremy Allison [Tue, 27 Jul 2010 08:54:01 +0000 (01:54 -0700)]
Fix bug 7590 - offline login fails because winbind deletes cache on every startup.
Sync lib/tdb_validate.c with the change in current master.
Change tdb_validate_open() to always use O_RDWR instead of O_RDONLY,
as (from the bug report): "db_check() will always return failure for a read-only database.
Silently, without any log output, when _tdb_lockall() fails."
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
s3-librpc: Fixed GUID_from_data_blob() with length of 32.
If we hit the case that the blob length is 32. The code goes to the end
of the function and generates a GUID with garbage.
So try to convert the blob to the GUID and return.
Fix bug #7538 (Backport fixes for GUID_from_data_blob).
Björn Jacke [Fri, 28 May 2010 23:40:21 +0000 (01:40 +0200)]
s3: fix check for pie compiler flags
some compilers (HP and Sun e.g.) output warning messages on stderr for unknown
options and we ended up partly using some unwanted random compile flags we
did't intend to use.
Björn Jacke [Mon, 24 May 2010 21:34:00 +0000 (23:34 +0200)]
s3:configure: turn "error warnings" into errors
By default "Missing argument(s)" is just an "error warning" for xlc :-)
The change to turn "error warnings" into errors should fix bug #7427.
(cherry picked from commit ff0872d59d78ad42212c88313ef924ea4eb7a8a1)
Fix bug #7427 (Using IBM xl_C compiler produces wrong results in configure).
Matthieu Patou [Fri, 21 May 2010 07:57:29 +0000 (11:57 +0400)]
s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
previous password key when the password is changed. It also check the
user ticket against previous password.
Signed-off-by: Günther Deschner <gd@samba.org>
Fix bug #7099 (Every Thursday at 11:08-11:15am Windows Client
Connections break with Kerberos errors).
Jeremy Allison [Thu, 20 May 2010 21:30:44 +0000 (14:30 -0700)]
Fix what looks like a cut-and-paste error in our read_negTokenInit() function.
We should never be calling asn1_push_XXX functions inside an asn1
reading function. Change asn1_push_tag() -> asn1_start_tag() and
asn1_pop_tag() -> asn1_end_tag(). This allows us to connect to a
NetApp filer at the Microsoft plugfest.
Jeremy Allison [Thu, 20 May 2010 18:36:47 +0000 (11:36 -0700)]
Fix bug #7410 - samba sends "raw" inode number as uniqueid with unix extensions.
Move to a consistent get_FileIndex() function for all inode returns,
that checks if st_dev on the file is identical to the top directory
dev_t of the exported share, and if so uses the raw 64-bit inode
number. If it isn't (we've traversed a mount point) - return what
we used to do for Windows which is the concatination of the bottom
32-bits of the inode with the 32-bit device number. We can get more
creative with this over time (hashing?) if we want as now all inode returns go
through this single function.
Günther Deschner [Fri, 14 May 2010 22:34:35 +0000 (00:34 +0200)]
s3-kerberos: temporary fix for ipv6 in print_kdc_line().
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
in just the kdc_name if we have it and let the krb5 lib figure out the
appropriate ipv6 address
Karolin Seeger [Wed, 12 May 2010 09:24:57 +0000 (11:24 +0200)]
s3-docs: Move -D option to the right paragraph in man winbindd.
Fix bug #7260 (Command line option documentation in wrong place in winbindd man
page.). Thanks to Ged Haywood <samba@jubileegroup.co.uk> for reporting!
Björn Jacke [Wed, 5 May 2010 18:17:39 +0000 (20:17 +0200)]
s3:configure: not simply check for "ld" but for the linker used by $CC
this hopefully fixes Solaris' gcc build which uses the system ld by default.
All in all we should clean up most of the compiler and linker flags depending
on the actual compilers and linkers we use. Only some tweaks are OS-specific.
A cleanup in this area should be done along with the move to a new build
system (whensoever that will be ...).
(cherry picked from commit 1969b4acc3fd7c124e288d0495b9b4665d4b42db)
Fix bug #7385 (Can't compile. Undefined symbol 'main').
Luca Olivetti [Tue, 4 May 2010 22:07:57 +0000 (15:07 -0700)]
Fix bug #7263 - Unable to print using Samba 3.5.1 and cups-1.1.23-40.46 on SLES10.
Fix cups encryption setting
I had the same problem and it's due to the fact that samba doesn't respect the
"cups encryption" setting since lp_cups_encrypt changes the value: if you set
"cups encryption=no", the first call will change it to HTTP_ENCRYPT_NEVER,
since that is 1 (i.e. true), the next call will change it to
HTTP_ENCRYPT_ALWAYS and after that it'll remain set as HTTP_ENCRYPT_ALWAYS.
This patch fixes this problem.
Don't mix up the HTTP_ENCRYPT_XXX constants up with the
enumeration constants (True, False, Auto) used in the
loadparm code.
(cherry picked from commit a9e008ee36c8fd9ca79b3bdfdc78111939c3e539)
add_trusted_domain() for a new domain always needs to be followed by a
setup_domain_child(). This was not always done, in particular not when walking
to the forest root for additional trusts.
This is a minimal patch, we need to fix add_trusted_domain().
Fix bug #7389 (Fix a winbind crash when scanning trusted domains).
Ira Cooper [Fri, 23 Apr 2010 17:55:46 +0000 (10:55 -0700)]
Fix bug #7384 - dptr_Close has a bitmap leak.
s3: Fix to dptr_Close
This fixes a bitmap "leak" in dptr_Close by making it use the same internal
routines the rest of the code does.
(cherry picked from commit dd2025947136f28b22b70de59309e149a1f45f3d)
Based on a patch from Michael Karcher <samba@mkarcher.dialup.fu-berlin.de>.
I think this is the correct fix. It causes cups_job_submit to use
print_parse_jobid(), which I've moved into printing/lpq_parse.c (to allow the
link to work).
It turns out the old print_parse_jobid() was *broken*, in that the pjob
filename was set as an absolute path - not relative to the sharename (due to it
not going through the VFS calls).
This meant that the original code doing a strncmp on the first part of the
filename would always fail - it starts with a "/", not the relative pathname of
PRINT_SPOOL_PREFIX ("smbprn.").
This fix could fix some other mysterious printing bugs - probably the ones
Guenther noticed where job control fails on non-cups backends.
libwbclient: Re-Fix a bug that was fixed with e5741e27c4c
> r21878: Fix a bug with smbd serving a windows terminal server: If winbind
> decides smbd to be idle it might happen that smbd needs to do a winbind
> operation (for example sid2name) as non-root. This then fails to get the
> privileged pipe. When later on on the same connection another authentication
> request comes in, we try to do the CRAP auth via the non-privileged pipe.
>
> This adds a winbindd_priv_request_response() request that kills the existing
> winbind pipe connection if it's not privileged.
The fix for this was lost during the conversion to libwbclient.
Thanks to Ira Cooper <samba@ira.wakeful.net> for pointing this out!
s3:winbindd: fix problems with SIGCHLD handling (bug #7317)
The main problem is that we call CatchChild() within the
parent winbindd, which overwrites the signal handler
that was registered by winbindd_setup_sig_chld_handler().
That means winbindd_sig_chld_handler() and winbind_child_died()
are never triggered when a winbindd domain child dies.
As a result will get "broken pipe" for all requests to that domain.
To reduce the risk of similar bugs in future we call
CatchChild() in winbindd_reinit_after_fork() now.
We also use a full winbindd_reinit_after_fork() in the
cache validation child now instead instead of just resetting
the SIGCHLD handler by hand. This will also fix possible
tdb problems on systems without pread/pwrite and disabled mmap
as we now correctly reopen the tdb handle for the child.
projects / thirdparty / samba.git / log
