Gerald Carter [Wed, 30 May 2007 19:47:35 +0000 (19:47 +0000)]
r23244: Fix loop with nscd and NSS recusive calls.
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
Volker Lendecke [Tue, 29 May 2007 19:54:26 +0000 (19:54 +0000)]
r23228: Merge cleanup to the gpfs module from Tridge. Also potentially disable
gpfs share modes in special situations. This might be split up in
several modules later.
Volker Lendecke [Tue, 29 May 2007 19:31:57 +0000 (19:31 +0000)]
r23225: Attached find a patch that makes use of NetSamLogonEx in
winbind. With this and W2k3 DCs around it is possible to use
more than one winbind on the same machine account, because
NetSamLogonEx does not use the credentials chain.
I added the flag domain->can_do_samlogon_ex because this
only works against W2k3 and with schannel. The theory is to
try if we're AD and have schannel, and fall back to
NetSamLogon if this fails. can_do_samlogon_ex is thus a
protection against multiple failures.
Only checking into 3_0, this needs more review before going
into a production release.
Günther Deschner [Tue, 29 May 2007 15:27:13 +0000 (15:27 +0000)]
r23210: Very funny, we thought to use netr_GetDcName (e.g. in winbind) but were using
netr_GetDcAnyName all the time (which is the correct thing to do).
Volker Lendecke [Tue, 29 May 2007 09:30:34 +0000 (09:30 +0000)]
r23183: Check in a change made by Tridge:
This replaces the internal explicit dev/ino file id representation by a
"struct file_id". This is necessary as cluster file systems and NFS
don't necessarily assign the same device number to the shared file
system. With this structure in place we can now easily add different
schemes to map a file to a unique 64-bit device node.
Jeremy, you might note that I did not change the external interface of
smb_share_modes.c.
Jeremy Allison [Sat, 26 May 2007 01:26:09 +0000 (01:26 +0000)]
r23151: Re-arrange the logic so it looks identical to the
"file existed" case above. This has no functional
change but is easier to see that it's doing the
same thing.
Jeremy.
Jeremy Allison [Sat, 26 May 2007 01:19:51 +0000 (01:19 +0000)]
r23150: Fix Samba3 in the build farm again. In the case where the
file was being created and we go into the race condition check,
we were testing for compatible open modes, but were not breaking
oplocks in the same way as if the file existed. This meant that
we weren't going into the code path that sets fsp->oplock = FAKE_LEVEL_II_OPLOCK
if the client didn't ask for an oplock on file create. We need
to do this as internally it's what Windows does.
Jeremy.
Günther Deschner [Thu, 24 May 2007 23:11:11 +0000 (23:11 +0000)]
r23127: Fill in some more netlogon dsgetdcname flavours (netr_DsRGetDCNameEx,
netr_DsRGetDCNameEx2) and add new ds request and reply flags, also add some
more WERROR codes.
Jeremy Allison [Thu, 24 May 2007 20:40:46 +0000 (20:40 +0000)]
r23122: Fix bug #4655. We marshall the enumdataex correctly,
but W2K3 doesn't follow our rules when sending data to
us. Ensure we look for the data at the correct offsets
when reading the data.
Too late for 3.0.25a - don't merge.
Jeremy.
Volker Lendecke [Thu, 24 May 2007 14:47:24 +0000 (14:47 +0000)]
r23117: Factor out local messaging.
This removes message_block / message_unblock. I've talked to Jeremy and
Günther, giving them my reasons why I believe they have no effect.
Neither could come up with a counter-argument, so they go :-)
Volker Lendecke [Thu, 24 May 2007 11:09:37 +0000 (11:09 +0000)]
r23112: Trim down the message.c API slightly: The messages_pending_for_pid is now
replaced by MSG_FLAG_LOWPRIORITY or'ed into the msg_type. To enable this,
changed the msg_type definitions to hexadecimal.
This way we could theoretically add the MSG_FLAG_NODUPLICATES again, but I
would rather not do this, because that one is racy and can't be guaranteed at
all.
Jeremy Allison [Wed, 23 May 2007 21:32:10 +0000 (21:32 +0000)]
r23100: Implement the delete on close semantics I've just tested for
in Samba4 smbtorture. Fix rename on an open file handle.
Needed for 3.0.25a.
Jeremy.
James Peach [Wed, 23 May 2007 19:57:13 +0000 (19:57 +0000)]
r23094: Update the iconv detection to handle cross-compiles better. If we are
cross-compiling, we accept the first iconv library that we find (with a
warning).
Volker Lendecke [Wed, 23 May 2007 15:17:49 +0000 (15:17 +0000)]
r23091: Add rpccli_netlogon_sam_network_logon_ex, fix its parsing. This does not
use the credential chain and only works over netlogon, but it would
allow multiple outstanding auth requests for a single workstation
account.
Jeremy Allison [Tue, 22 May 2007 22:35:13 +0000 (22:35 +0000)]
r23087: Fix POSIX setfilepathinfo to use lstat, not stat.
Still missing lchown (will add this for 3.0.26).
Don't merge for 3.0.25a - possibly 3.0.25b (if it
exists).
Jeremy.
Michael Adam [Tue, 22 May 2007 15:13:32 +0000 (15:13 +0000)]
r23078: Don't handle return code NT_STATUS_NONE_MAPPED from lookup sids
as an error. (This is purely cosmetic here, issuing a success
message at the end.)
Michael Adam [Tue, 22 May 2007 13:40:01 +0000 (13:40 +0000)]
r23073: In the internal rpccli_lsa_lookup_sids_noalloc(), use a temporary
talloc context for use with the actual rpc query and response.
So the the parent context does not get flooded by the posslibly
large amount of response data (when looking up a lot of sids).
Note: It not possible, to simply use the names and domains arrays
as talloc contexts for the talloc_strdup calls, because from
rpccli_lsa_lookup_sids_all, this is called with names + offset
and domains + offset where names and domains are talloced
arraye for the complete response.
Michael Adam [Tue, 22 May 2007 12:49:41 +0000 (12:49 +0000)]
r23072: In winbindd_ads.c:lookup_groupmem, replace the bottleneck
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070)
call. This replaces one ldap search per member sid by one
rpc call per 1000 sids. This greatly speeds up groupmem
lookups for groups with lots of users.
Since the loop in lookup_groupmem was the only use of dn_lookup,
the function is removed.
Michael Adam [Tue, 22 May 2007 11:30:35 +0000 (11:30 +0000)]
r23070: The lsa rpc lookup sids call has a maximum number of SIDS to be
looked up at one time. This limit is at 20480 for w2k3.
Our rpccli_lsa_lookup_sids function ignores this limit, so when
we give the server too long a list of SIDs, then we will get
nothing back. Since typically rpccli_lsa_lookup_sids is given
one SID (or a small number of SIDS), this did not do harm
up to now. But since I want to use lsa_lookup_sids in a subsequent
modification to winbindd_ads.c:lookup_groupmem to get rid of
a vast number of dn_lookup calls to the server, I had to make
sure we do it correctly.
I have added a function rpccli_lsa_lookup_sids_all function
that has the same prototype but internally splits the list
of SIDs up into hunks of a (conservative, hard coded) 1000
SIDs each for a first go.
If this approach is agreed upon, the new function could replace
the original rpccli_lsa_lookup_sids function.
Volker Lendecke [Mon, 21 May 2007 22:17:13 +0000 (22:17 +0000)]
r23055: Rewrite messages.c to use auto-generated marshalling in the tdb. I'm
doing this because for the clustering the marshalling is needed in more
than one place, so I wanted a decent routine to marshall a message_rec
struct which was not there before.
Tridge, this seems about the same speed as it used to be before, the
librpc/ndr overhead in my tests was under the noise.
Gerald Carter [Mon, 21 May 2007 21:33:51 +0000 (21:33 +0000)]
r23054: Move the check for the lookup_domain of S-1-22-{1,2} before the
check for IS_DC. Otherwise we will for example fail to lookup a
sid of S-1-22-1-780 because it has no valid struct winbindd_domain*
in the list. Thanks to Simo for the catch.
Gerald Carter [Mon, 21 May 2007 20:36:22 +0000 (20:36 +0000)]
r23048: Simo is correct in that winbind_lookup{sid,name}_async() needs
to be able to handle SIDs in the S-1-22-{1,2} domain in order
for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a,
we will short circuit in the sid_to_uid() family of functions
so that smbd is ok.
For 3.0.26, we need to allow winbindd to handle all types of SIDs.
Volker Lendecke [Sun, 20 May 2007 20:11:23 +0000 (20:11 +0000)]
r23024: Ok, neither the duplicates_allowed nor the timeout argument to
message_send_pid is used anymore. Two users of duplicates_allowed: winbind and
the printer notify system.
I don't thing this really changes semantics: duplicates_allowed is hell racy
anyway, we can't guarantee that we don't send the same message in sequence
twice, and I think the only thing we can harm with the print notify is
performance.
For winbind I talked to Günther, and he did not seem too worried.
Volker Lendecke [Sun, 20 May 2007 19:43:49 +0000 (19:43 +0000)]
r23023: Get rid of the only caller of message_send_pid_with_timeout(). This replaces
the timeouts on the individual message send calls with an overall timeout on
all the calls.
The timeout in message_send_pid_with_timeout() did not make much sense IMO
anyway, because the tdb_fetch() for the messages_pending_for_pid was blocking
in a readlock anyway, we "just" did the timeout for the write lock.
This new code goes through the full wait for the write lock once and then
breaks out of sending the notifies instead of running into the timeout per
target.
Jeremy Allison [Sat, 19 May 2007 20:57:12 +0000 (20:57 +0000)]
r23014: For all branches, ensure that if we're blocked on a POSIX
lock we know nothing about that we retry the lock every
10 seconds instead of waiting for the standard select
timeout. This is how we used to (and are supposed to)
work.
Jeremy.
Jeremy Allison [Fri, 18 May 2007 23:38:56 +0000 (23:38 +0000)]
r23005: If we're running on a system where time_t is 8 bytes
we have to take care to preserve the "special" values
for Windows of 0x80000000 and 0x7FFFFFFF when casting
between time_t and uint32. Add conversion functions
(and use them).
Jeremy.
projects / thirdparty / samba.git / log
