Jeremy Allison [Wed, 6 Sep 2006 21:43:31 +0000 (21:43 +0000)]
r18191: Fix the online/offline state handling of winbindd.
Instead of trying to do this in the winbindd_cache
entries, add a timed event handler to probe every
5 mins when disconnected.
Fix events to run all pending events, rather than
only one.
Jeremy.
(This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
Jeremy Allison [Wed, 6 Sep 2006 19:02:39 +0000 (19:02 +0000)]
r18189: When tearing down a connection we can be harsher
with timeouts. Also, wait for 5 seconds not 10
on connecting to a DC.
Jeremy.
(This used to be commit 6792460ba6a198646404abae10979489ca03ca5c)
Gerald Carter [Wed, 6 Sep 2006 18:13:16 +0000 (18:13 +0000)]
r18187: Replace copy of idl files with a svn:externals link.
Will fix the build_idl.sh script to only process the files
we are concerned with in this branch.
(This used to be commit 647ed21b098e8fe6513040de7a540fe77fa0b37e)
Gerald Carter [Wed, 6 Sep 2006 15:17:25 +0000 (15:17 +0000)]
r18182: only grant privs to Administrators if privileges are enabled to avoid bogus error messages
(This used to be commit 7d5356fd5db6ece2504c9c140d1f454056be7164)
Jeremy Allison [Wed, 6 Sep 2006 00:35:27 +0000 (00:35 +0000)]
r18116: Make max usershares an advisory limit, pointed out
by Cybionet <cybionet@videotron.ca>.
Jeremy.
(This used to be commit fb755e83ee98fb830fb2340f175e8ca8d89c84d5)
Jeremy Allison [Tue, 5 Sep 2006 06:32:46 +0000 (06:32 +0000)]
r18063: When we get a successful connection using ADS,
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb46698b3834c7caf5ee0cfe628086b5)
Jeremy Allison [Tue, 5 Sep 2006 05:28:31 +0000 (05:28 +0000)]
r18062: Fix to ensure the name used by pam matches the
name that will be returned by winbindd. This
(should) fix the bug where the user logs in
with DOMAIN\user but winbindd returns only
"user" for the username due to 'winbind use
default domain' being set.
Jeremy.
(This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
r18030: When compiling with C++, nested structs lead to nested class definitions which
are not compatible. I am aware that this would be a huge change in Samba4, but
I would like to see it in the code that is shared.
Stefan, when you do merge work, can you get this across to Samba4?
Jeremy Allison [Sun, 3 Sep 2006 03:46:07 +0000 (03:46 +0000)]
r18015: Try and detect network failures immediately in
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8)
NetApp filers expect paths in Open AndX Request to have a leading slash.
Windows clients send the leading slash, so we should too.
(This used to be commit fc5b6e4bd8a67994b0c56d1223c74d064164420f)
If the remote connection timed out while cli_list() was retrieving its list of
files, the error was not returned to the user, e.g. via smbc_opendir(), so the
user didn't have a way to know to set the timeout longer and try again. This
problem would occur when a very large directory is being read with a too-small
timeout on the cli.
Jeremy, although there were a couple of areas that needed to be handled, I
needed to make one change that you should bless, in libsmb/clientgen.c. It
was setting
cli->smb_rw_error = smb_read_error;
but smb_read_error is zero, so this had no effect. I'm now doing
cli->smb_rw_error = READ_TIMEOUT;
instead, and according to the OP, these (cumulative) changes (in a slightly
different form) solve the problem.
Please confirm this smb_rw_error change will have no other adverse effects
that you can see.
Jeremy Allison [Sat, 2 Sep 2006 23:06:21 +0000 (23:06 +0000)]
r18010: Ensure we don't timeout twice to the same
server in winbindd when it's down and listed
in the -ve connection cache. Fix memory leak,
reduce timeout for cldap calls - minimum 3 secs.
Jeremy.
(This used to be commit 10b32cb6de234fa17fdd691bb294864d4d40f782)
This completes the work Jeremy began last week, disambiguating the meaning of
c_time. (In POSIX terminology, c_time means "status Change time", not "create
time".) All uses of c_time, a_time and m_time have now been replaced with
change_time, access_time, and write_time, and when creation time is intended,
create_time is used.
Additionally, the capability of setting and retrieving the create time has
been added to the smbc_setxattr() and smbc_getxattr() functions. An example
of setting all four times can be seen with the program
The -f option turns on the new mode which uses full time names in the
attribute specification (e.g. ACCESS_TIME vs A_TIME).
(This used to be commit 8e119b64f1d92026dda855d904be09912a40601c)
r18008: Ok, same fix as before. But this time also allocate the session key. This had
worked in one test, no idea what memory I've overwritten that time. This time
it survives the unpatched w2k password change.
Jeremy Allison [Sat, 2 Sep 2006 20:17:05 +0000 (20:17 +0000)]
r18007: Ensure we don't namecache KDC entries with port 88
as a generic DC (that should be the LDAP port).
Jeremy.
(This used to be commit f16b41c3c92b1af5cf25d8d244b1f551573cb076)
Jeremy Allison [Sat, 2 Sep 2006 19:27:44 +0000 (19:27 +0000)]
r18006: Actually a smaller change than it looks. Leverage
the get_dc_list code to get the _kerberos. names
for site support. This way we don't depend on one
KDC to do ticket refresh. Even though we know it's
up when we add it, it may go down when we're trying
to refresh.
Jeremy.
(This used to be commit 77fe2a3d7418012a8dbfb6aaeb2a8dd57c6e1a5d)
Jeremy Allison [Sat, 2 Sep 2006 03:42:55 +0000 (03:42 +0000)]
r17999: No need to prevent others from reading. Use 755 instead
of 700, and 644 instead of 600. Reading might help
debugging.
Jeremy.
(This used to be commit 99f100cfecb53e00d17f7426251a3d4022db791a)
Jeremy Allison [Sat, 2 Sep 2006 02:04:41 +0000 (02:04 +0000)]
r17997: Ensure lockdir exists for winbindd. Store tmp
krb5.conf files under lockdir, not privatedir.
Jeremy.
(This used to be commit c59eff3e53f5bfae3a9fb136e8566628339863ad)
Jeremy Allison [Sat, 2 Sep 2006 01:23:08 +0000 (01:23 +0000)]
r17994: Add debugs that showed me why my site code wasn't
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
Jeremy Allison [Fri, 1 Sep 2006 04:33:33 +0000 (04:33 +0000)]
r17981: Hmmm. Don't break helper functions that don't need
the username by forcing it to be specified. Still
split out domain \ user for the ones that do use
it.
Jeremy.
(This used to be commit c097e107391cd97dd829c19b672b6a7adece504f)
Jeremy Allison [Fri, 1 Sep 2006 04:15:04 +0000 (04:15 +0000)]
r17979: Make ntlm_auth more intelligent about figuring out its
domain and user args if only given a parameter of the
form --username DOMAIN\user. When called by firefox
or other user apps they may not know what the domain
is (and they don't care). They just want to pass the
contents of $USERNAME without having to parse it
or guess a domain.
Jeremy.
(This used to be commit 5f51417916ed8bfc0dd08f44e669cb044fc83d01)
Volker Lendecke [Thu, 31 Aug 2006 20:45:29 +0000 (20:45 +0000)]
r17977: To be honest, I have NO idea whatsoever what this does, but it fixes what I
have been able to reproduce with smbtorture4 for bug number 4059. It's too
late here now to check with W2k native, I'll do that tomorrow or over the
weekend. I'll then also check in a samba4 torture test to walk this from now
on.
Abartlet, can you do me a favor and look over this? It is a 1:1 copy of the
corresponding Samba4 code.
Gerald Carter [Thu, 31 Aug 2006 18:32:23 +0000 (18:32 +0000)]
r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid/gid cache. Fixes a bug in token creation
(This used to be commit fa05708789654a8a34cb4a4068514a0b3d950653)
Jeremy Allison [Thu, 31 Aug 2006 16:26:32 +0000 (16:26 +0000)]
r17970: Add missing include-guards around ads.h and ads_cldap.h.
Remove all reference to "Default-First-Site-Name" and
treat it like any other site.
Jeremy.
(This used to be commit 5ae3564d6844f44a6943b2028917bd457371af1e)
Jeremy Allison [Thu, 31 Aug 2006 04:14:08 +0000 (04:14 +0000)]
r17945: Store the server and client sitenames in the ADS
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
Jeremy Allison [Thu, 31 Aug 2006 01:20:21 +0000 (01:20 +0000)]
r17943: The horror, the horror. Add KDC site support by
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
Jeremy Allison [Thu, 31 Aug 2006 00:07:24 +0000 (00:07 +0000)]
r17942: Jerry is right - when no site support is enabled
the client sitename is "Default-First-Site-Name".
Treat this as a blank site (no site configured).
Jeremy.
(This used to be commit 5c46381bd7dd1b3f11f427d111ded0b76fc1bec8)
Jeremy Allison [Wed, 30 Aug 2006 18:48:49 +0000 (18:48 +0000)]
r17937: Move the saf_ cache into the tcp ad connection code.
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
Jeremy Allison [Wed, 30 Aug 2006 05:52:31 +0000 (05:52 +0000)]
r17929: Ok, I think I finally figured out where to put
the code to redo the CLDAP query to restrict DC
DNS lookups to the sitename. Jerry, please check
to stop me going insane :-).
Jeremy.
(This used to be commit 8d22cc111579c57aec65be8884b41564b79b133a)
Jeremy Allison [Wed, 30 Aug 2006 04:40:03 +0000 (04:40 +0000)]
r17928: Implement the basic store for CLDAP sitename
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinite timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e9c5fd192c5514cbe9451b938f9cd5d)
Jeremy Allison [Tue, 29 Aug 2006 01:25:57 +0000 (01:25 +0000)]
r17903: Fix null deref caught by Stanford checker. Don't
call ntlmssp_end on a null pointer ! (Doh !).
Jeremy.
(This used to be commit 7b53932b5190c78b2b483f36af95174fe38ed45e)
Jeremy Allison [Tue, 29 Aug 2006 01:04:25 +0000 (01:04 +0000)]
r17901: Stanford checker fix. cookie here can't be null or we'd
deref null. Make interface explicit.
Jeremy.
(This used to be commit 4e99606ec16b978a76219b5362a23a7b06ee5468)
Jeremy Allison [Tue, 29 Aug 2006 00:56:08 +0000 (00:56 +0000)]
r17900: Fix from Michael Adam <ma@sernet.de> - make internal_resolve_name
do what it's supposed to.
Jeremy.
(This used to be commit 4b7387a054bfc1587e0b9b7088f420a5bcf0bad9)
Jeremy Allison [Mon, 28 Aug 2006 23:01:30 +0000 (23:01 +0000)]
r17897: Store the uid in the memory creds. Don't request the
krb5 refresh creds when doing cached NTLM auth, request
the memory creds instead.
Jeremy.
(This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
Volker Lendecke [Mon, 28 Aug 2006 09:19:30 +0000 (09:19 +0000)]
r17881: Another microstep towards better error reporting: Make get_sorted_dc_list
return NTSTATUS.
If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.
Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?
Volker Lendecke [Mon, 28 Aug 2006 07:56:15 +0000 (07:56 +0000)]
r17880: On host "tridge" in the build farm the tests fail because smbd hangs in
'connecting to cups server on localhost'. There is no cups on that host, but
the TCP connection hangs in SYN_SENT. Probably some firewall rule.
Jeremy Allison [Mon, 28 Aug 2006 05:41:32 +0000 (05:41 +0000)]
r17879: Make it explicit that we can never pass NULL for buflen or stringlen.
Stanford Checker fix.
Jeremy.
(This used to be commit 2d8bdd2dce633253780a5b0378f229893d049666)
Jeremy Allison [Mon, 28 Aug 2006 05:27:30 +0000 (05:27 +0000)]
r17877: Make it explicit to the checker that we can never pass
in NULL as ctr to a void returning fn.
Jeremy.
(This used to be commit 397ab2b1ab72093ba0572493b2e97a93dfc75478)