- WHATS NEW IN Samba 3.0.1pre1
- October 10, 2003
+ WHATS NEW IN Samba 3.0.1pre2
+ November 7, 2003
==============================
This is a preview release of the Samba 3.0.1 code base and is
######################################################################
Changes
#######
-
-Changes since 3.0.0
--------------------
+Changes since 3.0.1pre1
+-----------------------
Please refer to the CVS log for the SAMBA_3_0 branch for complete
details:
+1) Match Samba 2.2 behavior; make ACB_NORMAL the default ACB value.
+2) Updated Japanese welcome file in SWAT.
+3) Fix to nt-time <-> unix-time functions reversible.
+4) Ensure that winbindd uses the the escaped DN when querying
+ an AD ldap server.
+5) Fix portability issues when compiling (bug 505, 550)
+6) Compile fix for tdbbackup when Samba needs to override
+ non-C99 compliant implementations of snprintf().
+7) Use @PICSUFFIX@ instead of .po in Makefile.in (bug 574).
+8) Make sure we break out of samsync loop on error.
+9) Ensure error code path doesn't free unmalloc()'d memory
+ (bug 628).
+10) Add configure test for krb5_keytab_entry keyblock vs key
+ member (bug 636).
+11) Fixed spinlocks.
+12) Modified testparm so that all output so all debug output goes
+ to stderr, and all file processing goes to stdout.
+13) Fix error return code for BUFFER_TOO_SMALL in smbcacls
+ and smbcquotas.
+14) Fix "NULL dest in safe_strcpy()" log message by ensuring that
+ we have a devmode before copying a string to the devicename.
+15) Support mapping REALM.COM\user to a local user account (without
+ running winbindd) for compatibility with 2.2.x release.
+16) Ensure we don't use mmap() on blacklisted systems.
+17) fixed a number of bugs and memory leaks in the AIX
+ winbindd shim
+18) Call initgroups() in SWAT before becomming the user so that
+ secondary group permissions can be used when writing to
+ smb.conf.
+19) Fix signing problems when reverse connecting back to a
+ client for printer notify
+20) Fix signing problems caused by a miss-sequence bug.
+21) Missing map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
+ Fixes NEXUS tools running on Win9x clients (bug 64).
+22) Don't leave the domain field uninitialized in cli_lsa.c if some
+ SID could not be mapped.
+23) Fix segfault in mount.cifs helper when there is no options
+ specified during mount.
+24) Change the \n after the password prompt to go to tty instead
+ of stdout (bug 668).
+25) Stop net -P from prompting for machine account password (bug 451).
+26) Change in behavior to Not only change the effective uid but also
+ the real uid when becoming unprivileged.
+27) Cope with Exchange 5.5 cleartext pop password auth.
+28) New files for support of initshutdown pipe. Win2k doesn't
+ respond properly to all requests on the winreg pipe, so we need
+ to handle this new pipe (bug 534).
+29) Added more va_copy() checks in configure.in.
+30) Include fixes for libsmbclient build problems.
+31) Missing UNIX -> DOS codepage conversion in lanman.c.
+32) Allow DFMS-S filenames can now have arbitrary case (bug 667).
+33) Parameterize the listen backlog in smbd and make it larger by
+ default. A backlog of 5 is way too small these days.
+34) Check for an invalid fid before dereferencing the fsp pointer
+ (bug 696).
+35) Remove invalid memory frees and return codes in pdb_ldap.c.
+36) Prompt for password when invoking --set-auth-user and no
+ password is given.
+37) Bind the nmbd sending socket to the 'socket address'.
+38) Re-order link command for smbd, rpcclient and smbpasswd to ensure
+ $LDFLAGS occurs before any library specification (bug 661).
+39) Fix large number of printf() calls for 64-bit size_t.
+40) Fix AC_CHECK_MEMBER so that SLES8 does correctly finds the
+ keyblock in the krb5 structs.
+41) Remove #include <compat.h> in hopes to avoid problems with
+ apache header files.
+42) COrrect winbindd build problems on HP-UX 11
+43) Lowercase netgroups lookups (bug 703).
+44) Use the actual size of the buffer in strftime instead of a made
+ up value which just happens to be less than sizeof(fstring).
+ (bug 713).
+45) Add ldaplibs to pdbedit link line (bug 651).
+46) Fix crash bug in smbclient completion (bug 659).
+47) Fix packet length for browse list reply (bug 771).
+48) Fix coredump in cli_get_backup_list().
+49) Make sure that we expand %N (bug 612).
+50) Allow rpcclient adddriver command to specify printer driver
+ version (bug 514).
+51) Compile tdbdump by default.
+52) Apply patches to fix iconv detection for FreeBSD.
+53) Do not allow the 'guest account' to be added to a passdb backend
+ using smbpasswd or pdbedit (bug 624).
+54) Save LDFLAGS during iconv detection (bug 57).
+55) Run krb5 logins through the username map if the winbindd
+ lookup fails (bug 698).
+56) Add const for lp_set_name_resolve_order() to avoid compiler warnings
+ (bug 471).
+57) Add support for the %i macro in smb.conf to stand in for the for
+ the local IP address to which a client connected.
+58) Allow winbindd to match local accounts to domain SID when
+ 'winbind trusted domains only = yes' (bug 680).
+59) Remove code in idmap_ldap that searches the user suffix and group
+ suffix. It's not needed and provides inconsistent functionality
+ from the tdb backend.
+
+
+Changes since 3.0.0
+-------------------
Modified parameters
* mangled map (deprecated)
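Review bot: several of the new entries carry typos that will ship verbatim in the release notes and should be fixed before tagging: item 4 "the the escaped DN", item 18 "becomming", item 20 "miss-sequence", item 32 "so that all output so all debug output goes", item 40 "does correctly finds", item 42 "COrrect", item 57 "for the for the local IP address", and item 32 reads as "Allow DFMS-S filenames can now have arbitrary case". Items 4, 20, 26 and 53 also change security-relevant behaviour (escaping of the DN in winbindd's AD queries, SMB signing sequence handling, dropping the real uid as well as the effective uid when becoming unprivileged, and refusing to add the 'guest account' to a passdb backend); consider grouping or flagging those so administrators upgrading from 3.0.0 know to retest authentication and privilege drop paths.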
-/*
+/*
Unix SMB/CIFS implementation.
idmap LDAP backend
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) Simo Sorce 2003
Copyright (C) Gerald Carter 2003
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#include "smbldap.h"
-#define IDMAP_GROUP_SUFFIX "ou=idmap group"
-#define IDMAP_USER_SUFFIX "ou=idmap people"
-
-
struct ldap_idmap_state {
struct smbldap_state *smbldap_state;
TALLOC_CTX *mem_ctx;
};
-#define LDAP_MAX_ALLOC_ID 128 /* number tries while allocating
- new id */
-
static struct ldap_idmap_state ldap_state;
-static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type);
-static NTSTATUS ldap_set_mapping_internals(const DOM_SID *sid, unid_t id, int id_type,
- const char *ldap_dn, LDAPMessage *entry);
-static NTSTATUS ldap_idmap_close(void);
+/* number tries while allocating new id */
+#define LDAP_MAX_ALLOC_ID 128
+
+
+/***********************************************************************
+ This function cannot be called to modify a mapping, only set a new one
+***********************************************************************/
+
+static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
+{
+ pstring dn;
+ pstring id_str;
+ fstring type;
+ LDAPMod **mods = NULL;
+ int rc = -1;
+ int ldap_op;
+ fstring sid_string;
+ LDAPMessage *entry = NULL;
+
+ sid_to_string( sid_string, sid );
+
+ ldap_op = LDAP_MOD_ADD;
+ pstr_sprintf(dn, "%s=%s,%s", get_attr_key2string( sidmap_attr_list, LDAP_ATTR_SID),
+ sid_string, lp_ldap_idmap_suffix());
+
+ if ( id_type & ID_USERID )
+ fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER ) );
+ else
+ fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER ) );
+
+ pstr_sprintf(id_str, "%lu", ((id_type & ID_USERID) ? (unsigned long)id.uid :
+ (unsigned long)id.gid));
+
+ smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY );
+
+ smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
+ entry, &mods, type, id_str );
+
+ smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
+ entry, &mods,
+ get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
+ sid_string );
+
+ /* There may well be nothing at all to do */
+
+ if (mods) {
+ smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY );
+ rc = smbldap_add(ldap_state.smbldap_state, dn, mods);
+ ldap_mods_free( mods, True );
+ } else {
+ rc = LDAP_SUCCESS;
+ }
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state.smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(0,("ldap_set_mapping_internals: Failed to %s mapping from %s to %lu [%s]\n",
+ (ldap_op == LDAP_MOD_ADD) ? "add" : "replace",
+ sid_string, (unsigned long)((id_type & ID_USERID) ? id.uid : id.gid), type));
+ DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
+ ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
+ sid_string, ((id_type & ID_USERID) ? (unsigned long)id.uid :
+ (unsigned long)id.gid), type));
+ return NT_STATUS_OK;
+}
/**********************************************************************
Even if the sambaDomain attribute in LDAP tells us that this RID is
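Review bot: in the relocated ldap_set_mapping, `ldap_op` is assigned LDAP_MOD_ADD once and never changed, so the `(ldap_op == LDAP_MOD_ADD) ? "add" : "replace"` selector in the error DEBUG is dead, and `entry` is always NULL when passed to smbldap_make_mod; both are leftovers from the removed ldap_set_mapping_internals, and the two DEBUG(0) messages still name that function. The `ld_error` buffer returned by ldap_get_option(..., LDAP_OPT_ERROR_STRING, &ld_error) is never released on the error path; the sid-in-use hunk further down calls `SAFE_FREE(ld_error);` after logging and this function should do the same. The forward declaration `static NTSTATUS ldap_idmap_close(void);` is dropped together with the two set_mapping prototypes; please confirm nothing above its definition still calls it.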
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
ldap_get_option(state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(2, ("Failed to check if sid %s is alredy in use: %s\n",
+ DEBUG(2, ("Failed to check if sid %s is alredy in use: %s\n",
sid_string, ld_error));
SAFE_FREE(ld_error);
}
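Review bot: the only change to the DEBUG(2) line is indentation, so fix the "alredy" spelling in the message while the line is being touched; these strings are what operators grep for in the winbindd log when SID allocation misbehaves.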
/* yes, we keep 3 seperate counters, one for rids between 1000 (BASE_RID) and
- algorithmic_rid_base. The other two are to avoid stomping on the
+ algorithmic_rid_base. The other two are to avoid stomping on the
different sets of algorithmic RIDs */
if (smbldap_get_single_attribute(state->smbldap_state->ldap_struct, entry,
pstr_sprintf(filter, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
attr_list = get_attr_list( idpool_attr_list );
-
+
rc = smbldap_search(ldap_state.smbldap_state, lp_ldap_idmap_suffix(),
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &result);
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
char **attr_list;
+ if ( id_type & ID_USERID )
+ type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
+ else
+ type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
+
pstrcpy( suffix, lp_ldap_idmap_suffix() );
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
LDAP_OBJ_IDMAP_ENTRY, type,
((id_type & ID_USERID) ? (unsigned long)id.uid : (unsigned long)id.gid));
- if ( id_type & ID_USERID ) {
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
- }
- else {
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
- }
DEBUG(5,("ldap_get_sid_from_id: Searching \"%s\"\n", filter ));
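Review bot: this is a use-before-assignment fix rather than a cosmetic reorder and deserves a sentence in the commit message: the removed block assigned `type` only after the `pstr_sprintf(filter, ...)` call that already formats it with `%s`, so ldap_get_sid_from_id built its search filter from whatever `type` happened to hold. Moving the `if ( id_type & ID_USERID )` selection above the sprintf is the right fix; consider also initialising `type` to NULL at its declaration so a compiler warning would catch a future regression.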
if ( !smbldap_get_single_attribute(ldap_state.smbldap_state->ldap_struct, entry, LDAP_ATTRIBUTE_SID, sid_str) )
goto out;
- if (!string_to_sid(sid, sid_str))
+ if (!string_to_sid(sid, sid_str))
goto out;
ret = NT_STATUS_OK;
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_SID, sid_str);
- if ( *id_type & ID_GROUPID ) {
+ if ( *id_type & ID_GROUPID )
type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER );
- }
- else {
+ else
type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER );
- }
DEBUG(10,("ldap_get_id_from_sid: Searching for \"%s\"\n", filter));
goto out;
}
-
/* try to allocate a new id if we still haven't found one */
- if ( (count==0) && !(*id_type & ID_QUERY_ONLY) ) {
+ if ( !count ) {
int i;
+ if (*id_type & ID_QUERY_ONLY) {
+ DEBUG(5,("ldap_get_id_from_sid: No matching entry found and QUERY_ONLY flag set\n"));
+ goto out;
+ }
+
DEBUG(8,("ldap_get_id_from_sid: Allocating new id\n"));
for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
return ret;
}
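Review bot: the rewritten `if ( !count )` block changes control flow for ID_QUERY_ONLY: the old condition skipped the allocation block and fell through to whatever follows it, whereas the new code jumps straight to `out`. Please confirm that `ret` holds the intended status on that path (the value at `out` is set outside this hunk) and that nothing between the end of this block and `out` was needed for a query-only lookup. The added DEBUG(5) message is a useful breadcrumb when a client sees an unexpected "no mapping" result.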
-/***********************************************************************
- This function cannot be called to modify a mapping, only set a new one
-
- This takes a possible pointer to the existing entry for the UID or SID
- involved.
-***********************************************************************/
-
-static NTSTATUS ldap_set_mapping_internals(const DOM_SID *sid, unid_t id,
- int id_type, const char *ldap_dn,
- LDAPMessage *entry)
-{
- pstring dn;
- pstring id_str;
- fstring type;
- LDAPMod **mods = NULL;
- int rc = -1;
- int ldap_op;
- fstring sid_string;
- char **values = NULL;
- int i;
-
- sid_to_string( sid_string, sid );
-
- if (ldap_dn) {
- DEBUG(10, ("Adding new IDMAP mapping on DN: %s", ldap_dn));
- ldap_op = LDAP_MOD_REPLACE;
- pstrcpy( dn, ldap_dn );
- } else {
- ldap_op = LDAP_MOD_ADD;
- pstr_sprintf(dn, "%s=%s,%s", get_attr_key2string( sidmap_attr_list, LDAP_ATTR_SID),
- sid_string, lp_ldap_idmap_suffix());
- }
-
- if ( id_type & ID_USERID )
- fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER ) );
- else
- fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER ) );
-
- pstr_sprintf(id_str, "%lu", ((id_type & ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid));
-
- if (entry)
- values = ldap_get_values(ldap_state.smbldap_state->ldap_struct, entry, "objectClass");
-
- if (values) {
- BOOL found_idmap = False;
- for (i=0; values[i]; i++) {
- if (StrCaseCmp(values[i], LDAP_OBJ_IDMAP_ENTRY) == 0) {
- found_idmap = True;
- break;
- }
- }
- if (!found_idmap)
- smbldap_set_mod( &mods, LDAP_MOD_ADD,
- "objectClass", LDAP_OBJ_IDMAP_ENTRY );
- } else {
- smbldap_set_mod( &mods, LDAP_MOD_ADD,
- "objectClass", LDAP_OBJ_IDMAP_ENTRY );
- }
-
- smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
- entry, &mods, type, id_str );
-
- smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
- entry, &mods,
- get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
- sid_string );
-
- /* There may well be nothing at all to do */
- if (mods) {
- switch(ldap_op)
- {
- case LDAP_MOD_ADD:
- smbldap_set_mod( &mods, LDAP_MOD_ADD,
- "objectClass", LDAP_OBJ_SID_ENTRY );
- rc = smbldap_add(ldap_state.smbldap_state, dn, mods);
- break;
- case LDAP_MOD_REPLACE:
- rc = smbldap_modify(ldap_state.smbldap_state, dn, mods);
- break;
- }
-
- ldap_mods_free( mods, True );
- } else {
- rc = LDAP_SUCCESS;
- }
-
- if (rc != LDAP_SUCCESS) {
- char *ld_error = NULL;
- ldap_get_option(ldap_state.smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
- &ld_error);
- DEBUG(0,("ldap_set_mapping_internals: Failed to %s mapping from %s to %lu [%s]\n",
- (ldap_op == LDAP_MOD_ADD) ? "add" : "replace",
- sid_string, (unsigned long)((id_type & ID_USERID) ? id.uid : id.gid), type));
- DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n", ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
- sid_string, ((id_type & ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid), type));
-
- return NT_STATUS_OK;
-}
-
-/***********************************************************************
- This function cannot be called to modify a mapping, only set a new one
-***********************************************************************/
-
-static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- char *dn = NULL;
- LDAPMessage *result = NULL;
- LDAPMessage *entry = NULL;
- const char *type;
- const char *obj_class;
- const char *posix_obj_class;
- const char *suffix;
- fstring sid_str;
- fstring id_str;
- pstring filter;
- char **attr_list;
- int rc;
- int count;
-
- /* try for a samba user or group mapping (looking for an entry with a SID) */
- if ( id_type & ID_USERID ) {
- obj_class = LDAP_OBJ_SAMBASAMACCOUNT;
- suffix = lp_ldap_suffix();
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
- posix_obj_class = LDAP_OBJ_POSIXACCOUNT;
- fstr_sprintf(id_str, "%lu", (unsigned long)id.uid );
- }
- else {
- obj_class = LDAP_OBJ_GROUPMAP;
- suffix = lp_ldap_group_suffix();
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
- posix_obj_class = LDAP_OBJ_POSIXGROUP;
- fstr_sprintf(id_str, "%lu", (unsigned long)id.gid );
- }
-
- sid_to_string(sid_str, sid);
- pstr_sprintf(filter,
- "(|"
- "(&(|(objectClass=%s)(|(objectClass=%s)(objectClass=%s)))(%s=%s))"
- "(&(objectClass=%s)(%s=%s))"
- ")",
- /* objectClasses that might contain a SID */
- LDAP_OBJ_SID_ENTRY, LDAP_OBJ_IDMAP_ENTRY, obj_class,
- get_attr_key2string( sidmap_attr_list, LDAP_ATTR_SID ),
- sid_str,
-
- /* objectClasses that might contain a Unix UID/GID */
- posix_obj_class,
- /* Unix UID/GID specifier*/
- type,
- /* actual ID */
- id_str);
-
- attr_list = get_attr_list( sidmap_attr_list );
- rc = smbldap_search(ldap_state.smbldap_state, suffix, LDAP_SCOPE_SUBTREE,
- filter, attr_list, 0, &result);
- free_attr_list( attr_list );
-
- if (rc != LDAP_SUCCESS)
- goto out;
-
- count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
-
- /* fall back to looking up an idmap entry if we didn't find anything under the idmap
- user or group suffix */
-
- if (count == 1) {
- entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
-
- dn = smbldap_get_dn(ldap_state.smbldap_state->ldap_struct, result);
- if (!dn)
- goto out;
- DEBUG(10, ("Found partial mapping entry at dn=%s, looking for %s\n", dn, type));
-
- ret = ldap_set_mapping_internals(sid, id, id_type, dn, entry);
-
- goto out;
- } else if (count > 1) {
- DEBUG(0, ("Too many entries trying to find DN to attach ldap \n"));
- goto out;
- }
-
- ret = ldap_set_mapping_internals(sid, id, id_type, NULL, NULL);
-
-out:
- if (result)
- ldap_msgfree(result);
- SAFE_FREE(dn);
-
- return ret;
-}
-
-
/**********************************************************************
Verify the sambaUnixIdPool entry in the directiry.
**********************************************************************/
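Review bot: deleting ldap_set_mapping_internals and the suffix search (changelog item 59) is a behavioural change that should be spelled out for existing deployments. The old path searched lp_ldap_suffix() or lp_ldap_group_suffix() for an LDAP_OBJ_SID_ENTRY, LDAP_OBJ_IDMAP_ENTRY, LDAP_OBJ_SAMBASAMACCOUNT/LDAP_OBJ_GROUPMAP or LDAP_OBJ_POSIXACCOUNT/LDAP_OBJ_POSIXGROUP entry matching the SID or the uidNumber/gidNumber and, on exactly one hit, attached the mapping to that DN with LDAP_MOD_REPLACE; the new ldap_set_mapping always does smbldap_add under lp_ldap_idmap_suffix(), so a SID that already has an entry there now fails at smbldap_add instead of being updated in place, and mappings stored on user or group entries are no longer written to. From a least-privilege standpoint the removal is welcome, since the old filter let the idmap code modify any posixAccount whose uidNumber happened to match the id being allocated, but the upgrade notes should tell administrators using the old layout how to migrate.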