Matthieu Patou [Sat, 23 Oct 2010 18:01:30 +0000 (22:01 +0400)]
upgradeprovision: use the relax/(upgrade)provision when modifying object
For certain attributes we use the relax/provision control so that we
try to respect checks as this is not a good idea to always force
unwanted behavior.
Andrew Tridgell [Fri, 12 Nov 2010 06:23:34 +0000 (17:23 +1100)]
s4-kdc: added proxying of kdc requests for RODCs
when we are an RODC and we get a request for a principal that we don't
have the right secrets for, we need to proxy the request to a
writeable DC. This happens for both TCP and UDP requests, for both
krb5 and kpasswd
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
Andrew Bartlett [Fri, 12 Nov 2010 01:32:50 +0000 (12:32 +1100)]
s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.
Andrew Bartlett [Fri, 12 Nov 2010 01:31:33 +0000 (12:31 +1100)]
heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett [Thu, 11 Nov 2010 07:36:06 +0000 (18:36 +1100)]
s4-dsdb Remove incorrectly declared ** variable used as *.
The cleartext_utf16_str variable was declared char **, but due to the
cast on convert_string_talloc() and the lack of type checking here and
on data_blob_const (due to void *) it was able to be used as if it was
a char *.
The simple solution seems to be to fill in cleartext_utf16 blob directly.
Andrew Bartlett [Thu, 11 Nov 2010 06:59:16 +0000 (17:59 +1100)]
s4-dsdb Return an error if we can't convert UTF16MUNGED -> UTF8
The UTF16MUNGED helper will map all invalid sequences (except odd
input length) to valid input sequences, per the rules. Therefore if
it fails, we need to bail out, something serious is wrong.
Zahari Zahariev [Tue, 9 Nov 2010 12:55:32 +0000 (14:55 +0200)]
Cannot create OU using custom Schema class
If we define our own child class 'subClassOf' system Schema class
e.g. organizationalUnit then we cannot create OU in the Default
Naming Context that has this custom Schema class in the objectClass
attribute.
s4:password_hash LDB module - move "samdb_msg_find_old_and_new_ldb_val" into the password_hash LDB module
It's only used there and so I think it doesn't really belong in
"dsdb/common/util.c" (I first thought that it could be useful for ACL checking
but obviously it wasn't).
s4:selftest/tests.py - skip the "passwords.py" suite on Windows 2000 domain function level
The "userPassword" password change functionality isn't available and so it
causes big parts of the testsuite to fail. On the other hand we've basic tests
in "acl.py" and indirectly also over SAMR and kpasswd so I propose to simply
skip it.
Andrew Tridgell [Thu, 11 Nov 2010 02:09:29 +0000 (13:09 +1100)]
s4-provision: include command line provision options in the generated smb.conf
this saves the smb.conf using lp.dump_globals() to ensure that any
command line options (for example directory overrides) are saved in
the generated smb.conf
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Andrew Tridgell [Wed, 10 Nov 2010 23:39:19 +0000 (10:39 +1100)]
s4-loadparm: fixed dumping of non-default parms with testparm
when using testparm without -v we should only dump non-default
parameters. This patch fixes up the handling of the FLAG_DEFAULT flag
in loadparm to correctly mark parameters as default or not, including
parametric options
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Andrew Tridgell [Wed, 10 Nov 2010 23:35:38 +0000 (10:35 +1100)]
s4-server: move the creation of the IPC$ share into ntvfs
the IPC$ share is only used by the ntvfs backends, and doesn't need to
be created on every load of smb.conf. This fixes a problem with
testparm showing the ipc$ share when it isn't defined in smb.conf.
This also removes the admin$ share, which really shouldn't be on by
default. The admin$ share is used for remote software installation,
and normally exposes the c:\windows directory on a windows
server. That makes no sense on Samba. If for some reason an admin$
share is needed, then the admin can create one as usual. Exposing /tmp
via admin$ by default seems like a bad idea.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Thu, 11 Nov 2010 01:59:05 +0000 (17:59 -0800)]
Fix bug #7791 - gvfsd-smb (Gnome vfs) fails to copy files from a SMB share using SMB signing.
The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine work correctly. Just
deleting this code fixes the problem.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Nov 11 02:50:08 UTC 2010 on sn-devel-104
Jeremy Allison [Thu, 11 Nov 2010 01:54:57 +0000 (17:54 -0800)]
Add test that detects problems in the SMB signing code when run through cli_write() (which doesn't use the new async methods).
Unfortunately, and I think due to the socket wrapper code, this doesn't
detect the failure on the build farm, but running the RW-SIGNING test
separately against a Samba or Windows server using signing does.
Björn JACKE [Wed, 10 Nov 2010 23:12:07 +0000 (10:12 +1100)]
autobuild: prefer to use git mail address in autobuild comment
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Nov 10 23:56:37 UTC 2010 on sn-devel-104
Windows sends spoolss GetPrinterData requests with an offered buffer
size of zero, Model and TrayFormTable data is commonly requested in
this way.
Samba's GetPrinterData response for the above case includes the correct
error code (WERR_MORE_DATA), however the type field is set to REG_NONE.
This causes Windows (seen on XP and 2k3) to give up on the request.
If the type field is retained (not set to REG_NONE) when responding with
WERR_MORE_DATA, Windows reissues the GetPrinterData request with an
increased offered buffer size.