git.samba.org - samba.git/log

Fix inode generation so nautilus can count total dir size correctly

Fix bug #8010 (str_checksum often returns same value for different strings
[Patch]).
(cherry picked from commit e47dd1ed1a59d9fc721eeae0a9bb0f80e33be4c8)

s3: Attempt to fix bug 8016 -- gpfs_get_xattr broken
(cherry picked from commit 820628a6d06c715273ae221c926e1c1e7d7e8385)

Fix bug #8005 - smbtorture4 BASE-TCONDEV fails when tested on Samba

When pulling non-aligned ucs2 strings, we neglected to add in the
pad byte to the buffer length we've eaten. This caused the device
string in TCONX (which seems to be one of the few places that uses
non-aligned ucs2 strings) to be incorrectly read.

Volker please check.

Jeremy.
(cherry picked from commit e59a950c049679f0394ea41b463dbb9837eb5e63)
(cherry picked from commit 9cddb8e6df6cc47e22a572af164deaffc6e1a774)

nsswitch: fix a segfault in the krb5 locator plugin

after the number of retries was exceeded, the loop did not
bail out correctly with an error and went on using a null pointer

Fix bug #8008 (winbind krb5 locator crash).
(cherry picked from commit f5eba15db82ed679d72dc8b13912d54919343314)

s3: Fix bug 8009 - net rap session cannot get username

Looking in [MS-RAP].pdf - these strings are always 4 bytes as an
offset in the rparam area, the string length is the size in the rdata area.
Se we must always return we have consumed 4 param bytes.
(cherry picked from commit dd2e6fde0ab2e929b108c22244aac746e036a22c)

s3: Fix the talloc hierarchy in shadow_copy2_connectpath

We have to return on talloc_tos() because we don't have a mem_ctx given to us.
So we have to create a separate temporary talloc context.

Fix bug #8011 (memory corruption in shadow_copy2).

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Mar 14 19:21:11 CET 2011 on sn-devel-104
(cherry picked from commit 746b299ec1b11ea1e70c130b69a9a379ec478750)
(cherry picked from commit 5d734a32d9719d05f1dc53b3f61535778a7cdbf3)

WHATSNEW: Start release notes for 3.5.9.

Karolin
(cherry picked from commit e75afeb933931839b855da7700f5089551ae3551)

VERSION: Bump version number up to 3.5.9.

Karolin
(cherry picked from commit 0e2d341c28878fa6c0b369c494f75ddbc8a0a9e5)

WHATSNEW: Update release notes for 3.5.8.

Karolin
(cherry picked from commit fca681fede6d4b8b28490f58b5c3727f6c699e1a)

WHATSNEW: Start to list changes since 3.5.7.

Karolin
(cherry picked from commit 7c7742e589c7ed0f618eb8a1ad64e26715da34b4)

rerun 'make samba3-idl'

metze

The last 10 patches address bug #7567 (printing from Windows 7 fails with
0x000003e6 (in AD w2k8r2 controlled domain)).
(cherry picked from commit c81256b04ead01f0d44c8a235d2ac793b7a51364)

librpc/ndr: handle NOALIGN flag for relative pointers and alignment DATA_BLOBs

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Mar 1 17:11:03 CET 2011 on sn-devel-104
(cherry picked from commit ef224aa004d5f1726d8dca020e0ef96d8c58565e)
(cherry picked from commit 1ea17bacdb09d28a12a8b6ddeba3ac285cd9f905)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7c6bc031b3af3643027865e444fb16f7bb7c7152)

spoolss.idl: align spoolss_DriverFileInfo relative pointer to 4 byte

metze
(cherry picked from commit b6ece01c7922adeb3c9e718bc8cc610cae7c543c)
(cherry picked from commit ba1a72cb153892e491af91a6bb61e1820135fa12)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25f93fe17a396f9c0372dd5d1f4210ecfce7ded9)

spoolss.idl: align spoolss_PrinterEnumValues 'data' based on the type

metze
(cherry picked from commit 341330600aebcec92fba64ea343888c15a0c3d44)
(cherry picked from commit 757471a5fcd4f95da28402bae6c9ceccff7d6548)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3cb71012a2cf26037323cded8cfd9ec5d12223c6)

librpc/ndr: remove align2 hack for relative pointers

metze
(cherry picked from commit 23f6f449792d889538e0d0028bb8fbd5c807b0da)
(cherry picked from commit 9313b5d1da24406dd7d26afb2488fee0cbea44a9)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1757dee05942add03edb51163bead807d839fcf6)

librpc: align nstring and nstring_array to 2 byte

metze
(cherry picked from commit 712ef2590d0ee59a4a659926cdf8aac6e968dfa8)
(cherry picked from commit 0fb64a26b3b35b75f2f548d882bed41aa0386c6b)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c26be77576e13582c7d51fe84f4c69f1c1abf28d)

librpc/ndr: ndr align relative pointers based on the given flags

We used to do this only for the reverse relative pointers
and now we always do it.

metze
(cherry picked from commit 84b884eb4bec38b721d6c38704f12d1d2c601bcb)
(cherry picked from commit 6648ce8990a97da739d4be69657e9ace6198068c)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 490d1553714ffc5afe0e49c3473e19697bdfbd53)

librpc/ndr: let ndr_push/pull_DATA_BLOB() look at LIBNDR_FLAG_REMAINING before LIBNDR_ALIGN_FLAGS

metze
(cherry picked from commit 6c3a49ced333988b21d86e47b2b1dd1a5957e15c)
(cherry picked from commit 5f8b7f95e9ce5946f048b242dbbaa14897aea919)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eab30c15b2528d92e09b774be453e657020e5aa7)

spoolss: pretty-print a struct spoolss_Time.

Guenther
(cherry picked from commit 440075247d11a7852d8567753f426fa67f41d875)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0396087c36652b6c3d2bf4206212c2823352f9e0)

spoolss: fix potential crash bug in spoolss_PrinterEnumValues push path.

Guenther
(cherry picked from commit 45952b56797982d27731b20d97f5648c9414814a)
(cherry picked from commit ad68e45b505331683a2510de20f113a7c20e68e1)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a660f3f15e1e04d556b34b9e49e7177193df026)

s3-param: Make "rlimit_max below minimum Windows limit" notification less scary

The fix to bug #6837 results in messages from testparm that look
like a misconfiguration even though they aren't:

rlimit_max: rlimit_max (8192) below minimum Windows limit (16384)

Apply a slight change in wording ("increasing rlimit_max to minimum
Windows limit") to make it clearer that the user has done nothing
wrong. (Similarly for sysctl_max.)

Reported-by: Miguel Medalha <miguelmedalha@sapo.pt>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
(cherry picked from commit 5d525ea0ed937e4146dee0859d0218ef730bfa27)

s3:vfs:gpfs: fix logic when gpfs:winattr is false (the default!)

On my autocluster setup, it's not set.  Maybe it should be?  Otherwise
smbclient and some Windows client programs will get errors like:

        # smbclient //localhost/data -Uadministrator%XXX
        Domain=[VSOFS1] OS=[Unix] Server=[Samba 3.4.2-ctdb-10]
        smb: \> put /etc/resolv.conf resolv.conf
        NT_STATUS_ACCESS_DENIED closing remote file \resolv.conf
        smb: \>

Caused by attempting to update the time on close.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 385d925f7e0fedca7d480e4f25d89e3194433b88)

Fix bug #7498 (robocopy fails to a GPFS share when setting the date).
(cherry picked from commit fd6af89cb86c7ffb99ba4de986d932ec58182c81)

Fix bug 7950 - Samba 3.5.x fails BASE-CREATEX_SHAREMODES_DIR smbtorture4 test
We need to revalidate the pathname once re-constructed from a root fsp.

Jeremy.
(cherry picked from commit 916e82823b56a70d7761644b38a250ea8c38e204)
(cherry picked from commit 203b4aa318ce2aa64812006ed94a1e4e1becf66f)

s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945)

The benefit of this that it makes us more robust to secure channel resets
triggered from tools outside the winbind process. Long term we need to have a
shared tdb secure channel store though as well.

Guenther

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit f60398d7b20869d7b09d81854f3727fdcd897430)
(similar to commit 7add712498fe93603b1bffff2c633e097ce8fbdf)
(cherry picked from commit a5b388fc5ea81868f09590e8b7674826315c348c)

s3: Prune the printername cache when a printer is deleted.

Signed-off-by: Andreas Schneider <asn@samba.org>
Fix bug #7656 (Scalability problem with hundreds of printers).
(cherry picked from commit f0e39788d88c4e29d9724288565241c71b860bb2)

s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)

If winbindd connects to a domain controller it doesn't establish the lsa
connection over ncacn_ip_tcp direct. This happens only on demand.

If someone does a 'net rpc testjoin' and then a
wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with
ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy
of the schannel session key is invalidated.

This problem can also happen on other calls, but the
lookup_names/sids calls on thet lsa ncacn_ip_tcp connection
are the most important ones.

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.

The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a)
made this worse, as it assumes winbindd's in memory session key is
always the current one.

metze
(cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d)
(cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f)
(cherry picked from commit b40ce0559c6da04f269cb9ac4d4a215ea8e9f925)

librpc/rpc: display DCERPC_FAULT_SEC_PKG_ERROR nicely in dcerpc_errstr()

metze
(cherry picked from commit ab492152e86220600429d0bc85a3783463889cee)

rerun 'make samba3-idl'

metze
(cherry picked from commit 782726a5161da3ad1369dc63e13956a3faad4980)

dcerpc.idl: add DCERPC_FAULT_SEC_PKG_ERROR

metze
(cherry picked from commit 8d07deaeaacbd376f9824ac350c01510e05a76ca)
(cherry picked from commit 85358c0534472fde71e304ddada678b61637ba40)
(cherry picked from commit 80b95a13dd7c0ef57e079b370b80993326bc616d)

s3:lib/events: use DLIST_DEMOTE() for fd events

This makes sure that fd events doesn't dry out,
because a fd with a lower number is busy.

metze

The last 3 patches address bug #7942 (inotify can somehow cause endless loops in
with select()).

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jan 31 16:59:44 CET 2011 on sn-devel-104
(cherry picked from commit ad10289ebcc78ab62ec86abb29f81eb769d17f4e)
(cherry picked from commit 3d2f72844a221dbdfe94fbf6e2b45c98ee158a9b)
(cherry picked from commit 44a2e73cf07110e463f2262c50a377bdf17253d6)

s3:smbd: let smbd_server_connection_loop_once() check for select errors

metze
(cherry picked from commit 0bbe7334d69bcaa476f0741e0bd9685b023a4208)
(cherry picked from commit d677921237c66e6cdf83de04e16c576a101d6493)
(cherry picked from commit 8a82e65f711e2f4ac893bd7e2365b305e1b088b8)

s3:lib/events: don't loop over fd events is select gave -1

metze
(cherry picked from commit 1f2be10ebf4cc06e3b7aac41ea35bfc4a41ce828)
(cherry picked from commit d506b574bb94fdc23c5a62c5326cd478b5b63a11)
(cherry picked from commit 6647d687654aff806dfa8d797634b47ede36bf9c)

s3: Fix bug 7940 -- fall back for utimes calls

There are systems where ./configure has detected advanced utimes calls which
are then not available on other kernels. We should do a proper fallback.
(cherry picked from commit a50a0f438a928db9c2f25c779186611e40b2a960)

s3: Fix connecting to port-139 only servers

When the TCP RST came before the 5 msecs timeout kicked in, we
viewed this as final, as state->req_139 was not set yet.

Fix bug introduced by a fix for bug #7881 (winbind flaky against w2k8).
(cherry picked from commit f2a19b87725f9318e983dff6358a3eee721bff08)

Revert "s3-printing: update parent smbd pcap cache"

This reverts commit 5a2b2d4aeb6fe4af13aa0c92d22ba5bc9b7f7e13.
(cherry picked from commit b6268f507fa3276c2ef22c58bad400a3fed48cd9)

Revert "s3-printing: reload shares after pcap cache fill"

This reverts commit a8a01e4a3dcafd97372021d0d6f859fd3a69235f.

This commit seems to break 'make test'.
(cherry picked from commit e4579eab7fe3eab7a5209e6de74e6fd2f53099d0)

s3: Fix bug 7917: Yet another bug in chain_reply

Found by Michael Hanscho <samba@micha.priv.at> with a WinCE client.
(cherry picked from commit 8917d84130991ed24767f21876b18ac82b246d87)

s3-rpcclient: Fix bug #7880: cmd_spoolss_deletedriver() returned without checking all architectures.

Continues now with next architecture if no driver is available.

Because of the broken behavior of the rpccli_*() functions,
we need special error code handling.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f5af66e67d7c6d62315671c0cf57f47973316226)
(cherry picked from commit dc63f45b523deb5c3d0c4be4239507e5fc4f6a40)

s3-printing: update parent smbd pcap cache

If a client connects to a samba share and while connected a printer is
added, the client will see the new printer share after a maximum of
'printcap cache time' seconds.

smbd's forked for new client connections inherit printcap information
from the parent (listener) smbd, which does not perform updates on
printcap cache time expiry. Therefore newly connected clients may
initially be presented with stale printer shares.

Add a housekeeping function to the parent smbd to ensure newly connected
clients see up to date printer shares.

The last 2 patches address bug #7836 (A newly added printer isn't visbile to
clients).
(cherry picked from commit 5a2b2d4aeb6fe4af13aa0c92d22ba5bc9b7f7e13)

s3-printing: reload shares after pcap cache fill

Since commit eada8f8a, updates to the cups pcap cache are performed
asynchronously - cups_cache_reload() forks a child process to request
cups printer information and notify the parent smbd on completion.

Currently printer shares are reloaded immediately following the call to
cups_cache_reload(), this occurs prior to smbd receiving new cups pcap
information from the child process. Such behaviour can result in stale
print shares as outlined in bug 7836.

This fix ensures print shares are only reloaded after new pcap data has
been received.

Pair-Programmed-With: Lars Müller <lars@samba.org>
(cherry picked from commit a8a01e4a3dcafd97372021d0d6f859fd3a69235f)

s3-spoolss: Fix Bug #7641: handle win9x adddriver calls w/o config file.

This turned cupsaddsmb to run into an infinite loop.

Guenther
(cherry picked from commit c62509c8f2589e7b952517626d61ee34b83e96b3)
(cherry picked from commit 0a0f3b4947689ca4ab7015e9a1ace8d204bab9f3)
(cherry picked from commit b57378b3663fb796ed07c2a8c30f9bda27d3aa9c)

s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it (cherry picked from commit 280caa6b3bb1199939f9349ea5a436a491c81791)

The last 2 patches address bug #7356 (net ads dns register fails in 2008 R2
domain).
(cherry picked from commit 6857b749229cc72c604ab5646a4bae5f09b72e11)

s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it

Andrew Bartlett
(cherry picked from commit 0f1cc889a26477e9a98629f120fe5890b2e106fa)
(cherry picked from commit 2b463484cc7bb80cdfb6727ab9e5a873faff5ec8)

s3:net_rpc_vampire_keytab: don't return -1 on success (bug #7899)

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jan 3 19:05:11 CET 2011 on sn-devel-104
(cherry picked from commit ddbbc7b12ae8e51bc9658e3356bbeefe314f55bb)
(cherry picked from commit 32d111bef6d38bc3f946e68f133d37e1f1cc25bc)
(cherry picked from commit 86e72cb783fe74fd1504b111f615b71d4260e74e)

s3-nmbd: Fix bug #7875

nmbd --port didn't work
(cherry picked from commit 79280c99f67c3a3bfb1873b373ec181fa402f18c)

s3:lib/netapi: don't set SAMR_FIELD_FULL_NAME if we just want to set the account name (bug #7896)

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 30 18:09:13 CET 2010 on sn-devel-104
(cherry picked from commit f1d15ea54c313e71fc032b2ed191bdecad868858)
(cherry picked from commit c6a0971b3790253a906b370562237479d273bb94)

s3:libsmb: use 16 zero bytes as channel binding checksum in the gssapi checksum (bug #7883)

This fixes SMB session setups with kerberos against some closed
source SMB servers.

The new behavior matches heimdal and mit.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
(cherry picked from commit e9dddc55e324c62973e6a561477b532cf9ed79af)
(cherry picked from commit 3356192af5d36fbe986c4728162d10fe883ba2fd)
(cherry picked from commit 3d9dd75e811eb251002b7c1b958f58790a089086)

s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs

The idea of this patch is: Don't support a mix of different kerberos
features.

Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).

Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.

Andrew Bartlett
(cherry picked from commit 3b4db34011f06fb785153fa9070fb1da9d8f5c78)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b31c9cf18a5bd592912bd300e028d0798e93978d)

s3: Fix a memleak in receive_getdc_response

The last 2 patches addresbug #7879 (Memory problems in winbind).
(cherry picked from commit bba197b7ee6efbb6d271e6e60e53ae1632330086)

Fix a valgrind error

Thanks to Tridge for the hint.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Jan 2 10:58:51 CET 2011 on sn-devel-104
(cherry picked from commit 23693fe3c51ac89db64fefed292f7e4ff38e00e8)

s3: Fix bug 7066 -- wbcAuthenticateEx gives unix times

We might eventually want to change this, but right now we get unix times
out of the winbind pipe struct
(cherry picked from commit 993923880e213136de89b5b8d59f6f32a51b94b7)

s3: Fix another aspect of bug 7262

(Unable to maintain users' groups via UsrMgr)
(cherry picked from commit 9b1d0d409824cff275aaf9563eaa3ed77ccf8466)

ѕ3/configue: set Tru64 cc's PIC switch right (none)

-fPIC made shared library builds fail there

Fixes #7821

(cherry picked from commit dbcf73c45782c310cb7ff1f2177d410399e2f06d)
(cherry picked from commit 83eb2e9aef40e5e838d2654298e281ad3ec98af3)

s3:winbind: fix bug #7894 - sporadic winbind panic in rpc query_user_list

correctly evaluate return code of rpccli_samr_QueryDisplayInfo()
before accessing results.
(cherry picked from commit bdebae14aa646dd9f969db5b3d1aa25c971c9381)

Fix bug #7892 - open_file_fchmod() leaves a stale lock.
(cherry picked from commit 8d9ef26538a29ab9f5b0a3179c28beecab1a099a)

s3: Use smbsock_any_connect in winbind

The last 7 patches address bug #7881 (winbind flaky against w2k8).
(cherry picked from commit 969f452de253cd8dbe6f4448168eaa11baed1fbc)

s3: Retry *SMBSERVER in nb_connect
(cherry picked from commit 6e9e567dfeb860c8b9a342bf46765f8c9b8ea7db)

s3: Add smbsock_any_connect
(cherry picked from commit b289052828eb03b8c353b85691ce6af6aef6bf41)

s3: Add an async smbsock_connect

This connects to 445 and after 5 milliseconds also to 139. It treats a netbios
session setup failure as equivalent as a TCP connect failure. So if 139 is
faster but fails the nb session setup, the 445 still has the chance to succeed.
(cherry picked from commit 8b6b80ef591031ea6e394cebd6e0fdf8c7b8485a)

v3-5-test: Pull in tevent_req_poll_ntstatus from master
(cherry picked from commit 0b13028cb4d6fc2ff267df477b5c2c4291286a43)

s3: Add async cli_session_request

This does not do the redirects, but I think that might be obsolete anyway
(cherry picked from commit a30258cf98ff334a786ea1566b607208d82617a0)

s3: Add some const to name_mangle()
(cherry picked from commit 1552acea9a55dd6bc5f386a5f424e09875ed463c)

s3:net ads dns register: use "cluster addresses" option if configured (bug #7871)

metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Dec 17 16:49:14 CET 2010 on sn-devel-104
(cherry picked from commit 1dc2fa7616207a2d3a9f1cbe69b2ec1fc61634fd)
(cherry picked from commit 9a40e5f6a500571cc752383ca7fa27347e4efa45)
(cherry picked from commit 53f163bbc2e5722a46eeb55d15cca2c23994e71b)

s3:net ads dns register: add support for specifying addresse on the commandline (bug #7871)

In the clustering case, this is also made the only possiblity to do dns updates,
since the list addresses on the local interfaces is not suitable in that case.

This fixes the "net ads dns register" part of bug #7871.
It might be extended by a parsing of the "cluster addresses" setting.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5e83a05009787d8a2086db1adc1ed58d61b3725d)
(cherry picked from commit 9ed3d33fb3d7365a127ea2752032840272697902)
(cherry picked from commit 5e708489d56bc7a2b0a033a38e62bed519249b33)

s3:net: add net_update_dns_ext() that accepts a list of addresses as parameter (bug# 7871)

This generalized form of net_update_dns() will be used to
add support for specifying a list of addresses on the commandline
of "net ads dns register".

This prepares the "net ads dns register" part of the fix for bug #7871.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4d91f98b433e07922373bf4e3ba9668b7af71a00)
(cherry picked from commit 4b7775500b1055acf62decbc0fc8283b088da452)
(cherry picked from commit ed914296df896a3805c8c6b74ad8bd9e1dcac35b)

s3:net: disable dynamic dns updates at the end of "net ads join" in a cluster (bug #7871)

In a clustered environment, registering the set of ip addresses that are
assigned to the interfaces of the node that performs the join does usually
not have the desired effect, since the local interfaces do not carry
complete set of the cluster's public IP addresses. And it can also contain
internal addresses that should not be visible to the outside at all.
In order to do dns updates in a clustererd setup, use net ads dns register.

This fixes the net ads join part of bug #7871.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b8f19df53e66bf0260b4ae6c49acea87ac379deb)
(cherry picked from commit 1c73d52ddddfcec25cf079da4a0d6bf81fb030da)
(cherry picked from commit ae5ba417d3599cf6ad81a9612e7998a30d8a4061)

s3-net Allow 'net ads dns register' to take an optional hostname argument

This allows the administrator to more carefully chose what name to register.

Andrew Bartlett
(cherry picked from commit c2a1ad9047508cf2745a9019e6783c8b8f7ef475)
(cherry picked from commit 10c5a59315ef69eeb4d8bc19237de9787284a63d)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bce7e8c8e11321d98a30a8b6bb79a392a5e644ba)

s3:ntlm_auth: support clients which offer a spnego mechs we don't support (bug #7855)

Before we rejected the authentication if we don't support the
first spnego mech the client offered.

We now negotiate the first mech we support.

This fix works arround problems, when a client
sends the NEGOEX (1.3.6.1.4.1.311.2.2.30) oid,
which we don't support.

metze
(cherry picked from commit f802075f08fe0d86f3d176f2302236aeb5834f3d)
Modified to work in the v3-5-test branch, e.g. use ntlmssp_end()

The last 9 patches address bug #7855 (ntlm_auth only handles the first spnego
mech).
(cherry picked from commit ab69b55011eea73d7c8827fc339feb905474f201)

s3:ntlm_auth: free session key, as we don't use it (at least for now)

metze
(cherry picked from commit ee4f5ac6182969bcab91955e6d6581e408d222f1)
(cherry picked from commit e00cb883107753380272e128955ae5ad3057fd40)

s3:ntlm_auth: fix memory leak in the raw ntlmssp code path

metze
(cherry picked from commit 9a56ade6b1d627126418c75de4602610b4482503)
(cherry picked from commit 7c3bb9af54b40dbd24b781186607339c76a25a85)

s3: Correctly unwrap the krb ticket in gss-spnego (cherry picked from commit 547b268cfaa2e791bf92e8804bfa504c4e37050b)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
renamed to _spnego_parse_krb5_wrap()

metze
(cherry picked from commit 7cb3d84fc11490c97d7d84a3231e2d9f6b2d69fe)

s3: Fall back to raw NTLMSSP for the gss-spnego protocol

This is to handle the mod_auth_ntlm_winbind protocol
sending "Negotiate" to IE, which sends raw NTLMSSP
instead of a SPNEGO wrapped NTLMSSP blob.
(cherry picked from commit 70ab7eb5303a5ff058939541dd5bc1f81113a48e)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7652f2a782559bb0346b0976929b5b5b5377dcbc)

s3: Split off output generation from manage_squid_ntlmssp_request (cherry picked from commit de2c143f4d540f695db5c7fe8685614c03977365)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8443abede7c3f6deb7a7c584937d9e28eb9274da)

s3: Wrap the ntlm_auth loop with a talloc_stackframe (cherry picked from commit ae483bbe9af526623189cefe7735f3f2813da6d7)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0d9b2e954d61c9f6211c867348a817e42bd4b12f)

s3: Fix some debug msgs in ntlm_auth (cherry picked from commit 6400f3ee62108e3dd1e6c1013ccea9fb4b08d562)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 498f1c87e6c9bc136da696bae5e9a71df9b8233e)

ntlm_auth: Fix a valgrind error (cherry picked from commit 69db4b4ccf051b05517e6eb9039ab48f90608075)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 63fa349916d72c158b1fc4ab7a60b9a909a15131)

Fix bso#3185, return false when EOF is encountered in param name.
(cherry picked from commit a9664633c667f6d02f33b951805882258604ff1c)

s3: Fix bug 7843: Expand the local SAMs aliases
(cherry picked from commit 50c8b426385df953d2e3748a39041d4b92cd7ed9)

s3: Fix bug 7842: WINBINDD_LOOKUPRIDS does not return the domain name
(cherry picked from commit 0737a34a12e46d53e4332ea06eac0ba948608fff)

s3: Fix bug 7841: WINBINDD_LOOKUPRIDS asks the wrong domain
(cherry picked from commit a257253f8f82bcab52508273b12cd92fadd3ba1a)

Fix bug #7835 - vfs_fill_sparse() doesn't use posix_fallocate when strict allocate is on

Tries posix_fallocate() and then falls back to old code.

Jeremy.
(cherry picked from commit 0c45b32bc7d93b03838405a97b054cb414267892)

s3: Fix "force group" with ntlmssp guest session setup

This one is subtle: Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with

make_connection: connection to share denied due to security descriptor

although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.

What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".

Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.

This seems not to happen to 3.6.

Volker

Fix bug #7817 ("force group" broken).
(cherry picked from commit 56b1082fe436e1f99a87d3e37d9ea8b017353b39)

s3: Make winbind recover from a signing error

When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detect that we need to
reconnect.

Fix bug #7800 (winbind does not recover from smb signing errors).
(cherry picked from commit 49632d414e13ecd2f17362869c5dc1cceb47862b)

switch from mtime to ctime which is more reliable if files can be accessed outside samba as well

Fix bug #7789 (change vfs_scannedonly from mtime to ctime).
(cherry picked from commit 2d24c4a056e5c54b5ef4c9112cec076ac7c08d6f)

Fix bug #7812 - vfs_acl_xattr/vfs_acl_tdb: ACL inheritance cannot be disabled

We were losing the incoming security descriptor revision number and
most importantly the "type" field as sent by the client. Ensure we
correctly store these in the xattr object.

Jeremy.
(cherry picked from commit 67235a5532a00e6ccb41748dc9a8c3e9159ba79e)

Fix our privileges code to display privileges with the "high" 32-bit value set.

SeSecurityPrivilege is the first LUID we have added that has a non-zero
"high" value, ensure our LUID code correctly supports it.

Jeremy.

The last 14 patches address bug #7716 (acl_xattr and acl_tdb modules don't store
unmodified copies of security descriptors).
(cherry picked from commit 941129fb70261d4871de4804a81ce82e23d9d0f7)

Add SeSecurityPrivilige.

Jeremy.
(cherry picked from commit f11da60f3189bc70eb82259435e108f40b2bb333)

Ensure we have correct parameters to use Windows ACL modules.
(cherry picked from commit 117d14f108cded28ac2868d5040f633856cca923)

Add acl_xattr:ignore system acls boolean (normally false) to allow Samba ACL module to ignore mapping to lower POSIX layer. With this fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters set).

Jeremy.
(cherry picked from commit 7c892ed58f816985e58b9cef2ff4cd2a81d16995)

Add make_default_filesystem_acl() function to be used in following change to acl_xattr and acl_tdb module.
(cherry picked from commit 2d84fce8f20c4eac70b02f0fc4333b15e278edfc)

Fix handling of "NULL" DACL. Map to u/g/w - rwx.
(cherry picked from commit 84b2a3d013390c01ef27d10085a0bf10137c857f)

Fix "force unknown ACL user" to strip out foreign SIDs from POSIX ACLs if they can't be mapped.
(cherry picked from commit 3fcceb6c5ae55f5e3a66f71e44b5caa665596832)

Add debug message to get_nt_acl_internal() to see what we got.
(cherry picked from commit 514e3e786f999979f9fd85a9c08de9e06e50938b)

Fix valgrind "uninitialized read" error on "info" when returning !NT_STATUS_OK.
(cherry picked from commit 9b615ce8706f4f4c59055fe155446f1fdac36323)

Fix bug #7734 - When creating files with "inherit ACLs" set to true, we neglect to apply appropriate create masks.

Jeremy.
(cherry picked from commit 8cad5e23b6e2440a566def6fb138d484e3b47643)
(cherry picked from commit e675462b3cfc53d7fe0c6e07c13a386599c5afd9)

Fix bug #7733 - Invalid client DOS attributes on create can cause incorrect unix mode_t to be generated.

It turns out a client can send an NTCreateX call for a new file, but specify
FILE_ATTRIBUTE_DIRECTORY in the attribute list. Windows silently strips this,
but we don't - causing the unix_mode() function to go through the "mode bits
for new directory" codepath, instead of the "mode bits for new file" codepath.

Jeremy.
(cherry picked from commit 92adb686372a9b67e47efb5b051bc351212f1780)
(cherry picked from commit 6b4141e92151adaa0d2ef036657783a99ef517c6)

Make the vfs_acl_xattr and other modules work with NULL SD's. Fix the "protected" inheritance problem (bleeding up from the POSIX layer).

Jeremy
(cherry picked from commit fe5b8a9dc994d3020537f4e68f2105c806cd103b)

Canonicalize incoming and outgoing ACLs.

Jeremy.
(cherry picked from commit b01501af60d364ce7e7c96b7e4b93502c453ac6d)

Make the posix ACL module cope with a NULL incoming DACL and a missing owner/group.

Jeremy.
(cherry picked from commit 09ee42d774c0b0f8cf9a67feb80426c19b4ce24c)

Fix bug #7785 - atime limit.

On a 64-bit time_t system make MAX_TIME_T the max value that
can be represented in a struct tm. This allows applications to
set times in the future beyond the 32-bit time_t limit (2037).

This is only in source3/configure.in, needs adding to the waf
configure/build system (but I'll need help with that).

Jeremy.
(cherry picked from commit ff6c598f7f18e6ba945a3fe082b01255a0a42325)