Jeremy Allison [Fri, 12 Jun 2009 08:27:07 +0000 (10:27 +0200)]
Revert the extra SAMR and LSA checks.
These were added between 3.2.4 and 3.2.5 and have caused users problems.
This fixes among others bug #6089 and #6112.
(cherry picked from commit f2a29585123e6072a75eb9abdd202f99f5a01e1e)
Karolin Seeger [Sat, 6 Jun 2009 13:56:47 +0000 (15:56 +0200)]
s3/docs: Fix example.
The 'ldap suffix' is not added automatically to the 'ldap admin dn'.
This fixes bug #5584.
Thanks to Stefan Bauer <stefan.bauer [at] plzk.de> for reporting!
Volker Lendecke [Sun, 24 May 2009 16:57:13 +0000 (18:57 +0200)]
Fix a race condition in winbind leading to a panic
In winbind, we do multiple events in one select round. This needs fixing, but
as long as we're still using it, for efficiency reasons we need to do that.
What can happen is the following: We have outgoing data pending for a client,
thus
state->fd_event.flags == EVENT_FD_WRITE
Now a new client comes in, we go through the list of clients to find an idle
one. The detection for idle clients in remove_idle_client does not take the
pending data into account. We close the socket that has pending outgoing data,
the accept(2) one syscall later gives us the same socket.
In new_connection(), we do a setup_async_read, setting up a read fde. The
select from before however had found the socket (that we had already closed!!)
to be writable. In rw_callback we only want to see a readable flag, and we
panic in the SMB_ASSERT(flags == EVENT_FD_READ).
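The descriptor-reuse sequence from the commit message above, replayed as an added example (not part of the commit or of Samba's code). `EV_READ`/`EV_WRITE`, `regs`, `dispatch` and `replay` are hypothetical names, `dup()` stands in for `accept(2)`, and the generation check is a generic guard against stale readiness results, not the fix Samba applied.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-ins for the event flags named in the commit message. */
#define EV_READ  1
#define EV_WRITE 2
#define MAX_FD   1024

/* What the current owner of each fd number asked for, plus a generation
 * that is bumped every time that number is registered again. */
static struct { int want; unsigned gen; } regs[MAX_FD];
struct ready { int fd; int flags; unsigned gen; };  /* one select() result */

static void reg_set(int fd, int want) { regs[fd].want = want; regs[fd].gen++; }

/* Returns 1 if the callback would receive a flag it never asked for. */
static int dispatch(struct ready r, bool guarded)
{
    if (guarded && r.gen != regs[r.fd].gen)
        return 0;                      /* stale result for a reused fd: drop */
    return (r.flags & ~regs[r.fd].want) != 0;
}

/* Replays the sequence: 1 = wrong flag reaches callback, 0 = not, -1 = setup error. */
int replay(bool guarded)
{
    int sp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0 || sp[0] >= MAX_FD)
        return -1;
    int old_fd = sp[0];
    reg_set(old_fd, EV_WRITE);         /* client with pending outgoing data */
    struct ready r = { old_fd, EV_WRITE, regs[old_fd].gen };  /* select result */

    close(old_fd);                     /* reaped as "idle" in the same round */
    int new_fd = dup(sp[1]);           /* like accept(2): lowest free fd number */
    if (new_fd != old_fd) { close(new_fd); close(sp[1]); return -1; }
    reg_set(new_fd, EV_READ);          /* new connection only wants to read */

    int bad = dispatch(r, guarded);    /* the stale "writable" result arrives */
    close(new_fd);
    close(sp[1]);
    return bad;
}

int main(void)
{
    printf("naive: %d, guarded: %d\n", replay(false), replay(true));
    return 0;
}
```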
Simo Sorce [Fri, 22 May 2009 01:32:17 +0000 (21:32 -0400)]
Ensure we always return NULL on error.
It is not technically an ldb bug, but apparently some callers try to access
res before checking the ldb_search() return code.
So make their attempt very evident (a NULL dereference will make it crystal
clear where the bug is).
(cherry picked from commit c60539f31f63bd65e5b0e3ee16365f036bef3d5b)
Jeremy Allison [Mon, 11 May 2009 18:17:56 +0000 (11:17 -0700)]
After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns inaccurate capabilities list.
1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags.
2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it.
3). Clean up the error exits so we always return the same way.
Signed off by Guenther. Jeremy.
(cherry picked from commit 59ee131464636d3363bc7ee398ba6390a6333558)
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug#2346)
The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.
Simo Sorce [Wed, 22 Apr 2009 13:12:58 +0000 (09:12 -0400)]
Fix profile acls in some corner cases
Always add back the real original owner of the directory in the ACE List after
we steal its ACE for the Administrators group.
(cherry picked from commit 8e438431a1447fd482c107fbe0aee3af49afe068)
Simo Sorce [Wed, 22 Apr 2009 10:15:21 +0000 (06:15 -0400)]
Avoid duplicate aces
When adding arbitrary aces to an nt_ace_list we need to make sure we
are not actually adding a duplicate.
add_or_replace_ace() takes care of doing the right thing.
(cherry picked from commit 958207e321f330426536bf7e936b30fa2efffddc)
Jeremy Allison [Wed, 22 Apr 2009 09:24:27 +0000 (02:24 -0700)]
Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning LDAP_SUCCESS but not returning a result.
Jeremy
(cherry picked from commit e7687dd9ca244a53fdf2312a78cdb028dd8971d5)
Michael Adam [Fri, 17 Apr 2009 09:40:17 +0000 (11:40 +0200)]
s3:registry: Prevent creation of keys containing the '/' character.
Even though "net conf setparm abc/def comment xyz" does not
create a broken registry we do not want such keys to be created,
since we get problems accessing these with "net registry":
the registry code treats the '/' sign as a separator at a lower
level.
This makes e.g. "net conf setparm abc/def comment xyz" fail with
WERR_INVALID_PARAM, which is much more desirable than a broken
registry.tdb.
Jeremy Allison [Wed, 15 Apr 2009 21:09:32 +0000 (14:09 -0700)]
Fix bug #6089 - Winbind samr_OpenDomain not possible with Samba 3.2.6+
What a difference a name makes... :-). Just because something is misnamed
SA_RIGHT_SAM_OPEN_DOMAIN, when it should actually be SA_RIGHT_SAM_LOOKUP_DOMAIN,
don't automatically use it for a security check in _samr_OpenDomain().
Jeremy.
(cherry picked from commit 3591c95beaed3abfa10b1579e377b0103647a177)
Jeremy Allison [Fri, 10 Apr 2009 05:46:31 +0000 (22:46 -0700)]
Fix bug #6254 - PUT/GET produces an error in IPv6 to a smb-server(3.3)
has parameter "msdfs root = yes"
This was broken by the refactoring around create_file().
MSDFS pathname processing must be done FIRST.
MSDFS pathnames containing IPv6 addresses can
be confused with NTFS stream names (they contain
":" characters).
Jeremy.
(cherry picked from commit eb29aa406f14397e3c55e559e2c02da6eb6c4cbd)
Volker Lendecke [Sat, 28 Mar 2009 18:58:45 +0000 (19:58 +0100)]
Fix smbd crash for close_on_completion
handle_trans() can talloc_free "conn" if the client requests
close_on_completion. "state" is a talloc_child of conn, so it will be gone when
we later free state->data et al.
(cherry picked from commit 51ecc77eeabe5fc89e4d1b1fb8a15c71614d4049)
Jeremy Allison [Thu, 2 Apr 2009 03:14:35 +0000 (20:14 -0700)]
Allow pdbedit to change a user rid/sid. Based on a fix from Alexander
Zagrebin <alexz@visp.ru>.
Jeremy.
(cherry picked from commit 5b43fff78081541f642b07a70b03c6d5902e42dd)
Michael Adam [Wed, 1 Apr 2009 10:23:07 +0000 (12:23 +0200)]
s3: fix the fix for bug #6195 - don't let smbd child processes panic
This patch makes sure the original and temporary TDBs are closed
_before_ the rename. Originally, the open TDB was renamed, and so
the name passdb.tdb.tmp stayed around in the db context. Hence
upon client connect, the smbd children died because reinit_after_fork()
calling tdb_reopen_all() would try to reopen passdb.tdb.tmp which
existed no longer...
Jeremy Allison [Mon, 30 Mar 2009 22:09:10 +0000 (15:09 -0700)]
Ensure files starting with multiple dots are hidden
if "hide dot files" is set. Thanks to Barry Kelly <bkelly.ie@gmail.com>
for pointing this one out.
Jeremy.
(cherry picked from commit 5bdc16a867b9c14682b327c79f79834edcd6842d)
Jeremy Allison [Sat, 28 Mar 2009 04:26:56 +0000 (21:26 -0700)]
Fix the problem of 3.0.x passdb databases being version
3 but using a different hash calculation than 3.2.x passwd
databases (also version 3). Introduces a minor version
number.
Jeremy.
(cherry picked from commit 10b518592e616ecfaadd829ecd0674a04510b422)
Derrell Lipman [Fri, 27 Mar 2009 21:10:04 +0000 (17:10 -0400)]
[Bug 6228] SMBC_open_ctx failure due to path resolve failure doesn't set errno
Fixed.
It turns out there were a number of places where cli_resolve_path() was called
and the error path upon that function failing did not set errno. There were a
couple of places the failure handling code did set errno to ENOENT, so I made
them all consistent, although I think better errno choices for this condition
exist, e.g. EHOSTUNREACH.
Jeremy Allison [Fri, 27 Mar 2009 19:09:51 +0000 (12:09 -0700)]
Fix bug #6195 - Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly. For the clustering case.
Clustered setups should have only ever used
the unsigned version of TDB_DATA in the
first place so they can't be in this mess :-).
Just do the normal upgrade in the clustered case.
Jeremy.
(cherry picked from commit 52fe104996439db24a7e6b17baa7fec47ba230bb)
Jeremy Allison [Thu, 26 Mar 2009 22:33:39 +0000 (15:33 -0700)]
Try and fix the build farm RAW-STREAMS errors. Ordering of
modules shouldn't matter, so as vfs_streams_depot doesn't
implement get/setxattrs then call into the full VFS stack
at the top.
Jeremy
(cherry picked from commit a1d9b31a0c8a38dbfa94f578830d5d35695aff3b)
Jeremy Allison [Thu, 26 Mar 2009 19:13:28 +0000 (12:13 -0700)]
Fix bug #6224 - nmbd waits 5 minutes at startup before checking if it needs to run elections
Fix logic bug that causes nmbd to wait 5 minutes before
looking for a master browser. This one is *old* :-). Thanks
to Simo for bugging me on this.
Jeremy.
(cherry picked from commit 857c2e4407a0f4fcee721372ffed5366bc3051f9)
Günther Deschner [Wed, 25 Mar 2009 16:06:57 +0000 (17:06 +0100)]
s3-net: Fix Bug #6193: avoid messing with sync_context in fetch_database_to_ldif().
We absolutely need to avoid messing with the sync_context as that breaks the
stream of replication data coming from the DC (only replicates ~350 instead of
~4000 groups).