Karolin Seeger [Thu, 29 Oct 2009 07:45:36 +0000 (08:45 +0100)]
WHATSNEW: Complete release notes.
Karolin
(cherry picked from commit
508ef0261c56a6d93257d4e2b4cb917cb8bd10bb)
Karolin Seeger [Mon, 26 Oct 2009 11:02:40 +0000 (12:02 +0100)]
WHATSNEW: Update release notes.
Karolin
(cherry picked from commit
5158bdcc222cb38b7cf4939e09f6d0fbb7868de2)
Karolin Seeger [Mon, 26 Oct 2009 09:14:51 +0000 (10:14 +0100)]
s3:docs: Public is not a synonym for access based shareenum.
Fix build warning.
Karolin
(cherry picked from commit
35dc481289c28a77f354dd76193d6298de32c66d)
(cherry picked from commit
7601427a2db1263b0192c1a78d8bacb7eb0b74da)
(cherry picked from commit
d6ecfb23cfc841ad0bfe8ae677ddbbba7fd36f31)
Bo Yang [Sat, 24 Oct 2009 01:20:00 +0000 (09:20 +0800)]
s3: Fix crash in pam_winbind, another reference to freed memory.
Fix bug #6840.
Signed-off-by: Bo Yang <boyang@samba.org>
(cherry picked from commit
b9a3f1dd85d168c15df846dba525f4f882d1acf8)
(cherry picked from commit
a0fbf067011ae50d63c6ed2a79f1ff00c2ce2d11)
Jeremy Allison [Thu, 22 Oct 2009 22:30:47 +0000 (15:30 -0700)]
Fix bug 6829 - smbclient does not show special characters properly. All successful calls to cli_session_setup() *must* be followed by calls to cli_init_creds() to stash the credentials we successfully connected with. There were 2 codepaths where this was missing. This caused smbclient to be unable to open the \srvsvc pipe to do an RPC netserverenum, and cause it to fall back to a RAP netserverenum, which uses DOS codepage conversion rather than the full UCS2 of RPC, so the returned characters were not correct (unless the DOS codepage was set correctly). Phew. That was fun to track down :-). Includes logic simplification in libsmb_server.c Jeremy.
(cherry picked from commit
587ca743bf1491e97c984ce4bec5a9bd0a1ae69a)
Jeremy Allison [Wed, 21 Oct 2009 01:10:30 +0000 (18:10 -0700)]
Fix bug 6828 - infinite timeout occurs when byte lock held outside of samba Jeremy.
(cherry picked from commit
a572c28ca3daa199d78fc340819c5c9ff53a3ed6)
Bo Yang [Wed, 14 Oct 2009 22:23:48 +0000 (06:23 +0800)]
s3: Don't fail authentication when one or some group of require-membership-of is invalid.
Signed-off-by: Bo Yang <boyang@samba.org>
(cherry picked from commit
31f1a36901b5b8959dc51401c09c114829b50392)
Fix bug #6826.
(cherry picked from commit
f383e5f549f9f2075a064ba3d88fa9b34c5e3389)
Karolin Seeger [Thu, 22 Oct 2009 14:22:10 +0000 (16:22 +0200)]
WHATSNEW: Update changes since 3.4.2.
Karolin
(cherry picked from commit
8e55d149ab4de1a769a8a720e6f432476e719055)
Volker Lendecke [Wed, 9 Sep 2009 21:08:28 +0000 (23:08 +0200)]
s3:docs: Add info about how to obtain cifs module in cifs mount helper manpage
(cherry picked from commit
a224392649ffb81dc1d67f41a01dd983b76d513b)
Fixes bug #5129.
(cherry picked from commit
646f0534acf0c480a61e0a02d1d815347b5e6d52)
Günther Deschner [Thu, 15 Oct 2009 14:01:36 +0000 (16:01 +0200)]
s3-spnego: Fix Bug #6815. Windows 2008 R2 SPNEGO negTokenTarg parsing failure.
When parsing a SPNEGO session setup retry (falling back from KRB5 to NTLMSSP),
we failed to parse the ASN1_ENUMERATED negResult in the negTokenTarg, thus
failing spnego_parse_auth() completely.
Guenther
(cherry picked from commit
78ba2e1b9e5a63443f4cd51d34c16bc7cc9c6941)
Günther Deschner [Thu, 15 Oct 2009 14:00:57 +0000 (16:00 +0200)]
s3-spnego: avoid NULL talloc context in read_spnego_data().
Guenther
(cherry picked from commit
a830aa269f44e28a2390e162adbb2e26092f179b)
Karolin Seeger [Mon, 19 Oct 2009 12:56:44 +0000 (14:56 +0200)]
WHATSNEW: Start release notes for Samba 3.4.3.
Karolin
(cherry picked from commit
e97037236fb82bd990382301fbab20e8d44e9371)
Karolin Seeger [Mon, 19 Oct 2009 12:54:37 +0000 (14:54 +0200)]
VERSION: Raise version number up to 3.4.3.
Karolin
(cherry picked from commit
de5151e59f2e060938b957b074e3d0dabd60161c)
Björn Jacke [Sun, 18 Oct 2009 15:01:57 +0000 (17:01 +0200)]
s3:configure: fix avahi activation
Avahi was correctly found but not activated since
e4a26c942.
(cherry picked from commit
718d2801d6bafedfe91d7b475294d69e2d6a77a4)
Fix bug #6824.
(cherry picked from commit
f1023e5f6252bc8efa732f519ec9588deed6c774)
Jeremy Allison [Mon, 19 Oct 2009 06:39:23 +0000 (08:39 +0200)]
Fix symlink calls in all vfs modules.
Additional patch to fix bug #6769.
(cherry picked from commit
d8c7a5aafe0c17c69013766022418edcec481f8c)
Karolin Seeger [Fri, 16 Oct 2009 14:00:26 +0000 (16:00 +0200)]
s3:packaging: Fix building RHEL packages.
Fix bug #6721.
Thanks to Eero Volotinen <eero.volotinen@medicel.com> for providing the patch!
Karolin
(cherry picked from commit
79c2c61b99eb7c47c8bfbbb479d9d2197d1ad1fb)
(cherry picked from commit
11a6d88ea387fa50690880561f0ffffefbeb8956)
(cherry picked from commit
ece84bf7a8066999ac7198e7625a4d1a8fddb91b)
Jeff Layton [Wed, 14 Oct 2009 14:59:00 +0000 (10:59 -0400)]
cifs.upcall: do a brute-force search for KRB5 credcache
A few weeks ago, I added some code to cifs.upcall to take the pid sent
by the kernel and use that to get the value of the $KRB5CCNAME
environment var for the process. That works fine on the initial mount,
but could be problematic on reconnect.
There's no guarantee on a reconnect that the process that initiates the
upcall will have $KRB5CCNAME pointed at the correct credcache. Because
of this, the current scheme isn't going to be reliable enough and we
need to use something different.
This patch replaces that scheme with one very similar to the one used by
rpc.gssd in nfs-utils. It searches the credcache dir (currently
hardcoded to /tmp) for a valid credcache for the given uid. If it finds
one then it uses that as the credentials cache. If it finds more than
one, it uses the one with the latest TGT expiration.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Addresses bug #6810.
(cherry picked from commit
5df191a5fdad480d00d278c7f5046c6f0b80e386)
Jeff Layton [Wed, 14 Oct 2009 14:58:56 +0000 (10:58 -0400)]
cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).
That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
f3b2402a737ff0a7e80a03ade9f57d65dabdc7eb)
Jeff Layton [Wed, 14 Oct 2009 14:58:48 +0000 (10:58 -0400)]
cifs.upcall: switch to getopt_long
...to allow long option names.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
d95570b60832e980f0ff6bad96a3a45a7ba9789a)
Jeff Layton [Wed, 14 Oct 2009 14:58:48 +0000 (10:58 -0400)]
cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters
Current kernels don't send IPv6 addresses with the colon delimiters, add
a routine to add them when they're not present.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
00f298804be8f561e6ed584fcd516634ec74c4d7)
Jeff Layton [Wed, 14 Oct 2009 14:58:48 +0000 (10:58 -0400)]
cifs.upcall: use ip address passed by kernel to get server's hostname
Instead of using the hostname given by the upcall to get the server's
principal, take the IP address given in the upcall and reverse resolve
it to a hostname.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
95d7a6d7699604ec1b5b0e90b341c57c2d3c55c2)
Jeff Layton [Wed, 14 Oct 2009 14:58:47 +0000 (10:58 -0400)]
cifs.upcall: clean up flag handling
Add a new stack var to hold the flags returned by the decoder routine
so that we don't need to worry so much about preserving "rc".
With this, we can drop privs before trying to find the location of
the credcache.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
531a2f482d7519122f79d9d8049a96f63d361a2f)
Jeff Layton [Wed, 14 Oct 2009 14:58:20 +0000 (10:58 -0400)]
cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.
Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
edca7df0dd43ee1d7ae2fc4954470efdf64a4d8e)
Jeff Layton [Wed, 14 Oct 2009 14:44:40 +0000 (10:44 -0400)]
cifs.upcall: declare a structure for holding decoded args
The argument list for the decoder is becoming rather long. Declare an
args structure and use that for holding the args. This also simplifies
pointer handling a bit.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
3eac202b211b382ebe299538647cbbd7d0c803b1)
Jeff Layton [Wed, 14 Oct 2009 14:44:22 +0000 (10:44 -0400)]
cifs.upcall: formatting cleanup
Clean up some unneeded curly braces, and fix some indentation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
8bf083788bed03fdc7b535595eea8ce83a6f15f9)
Jeff Layton [Wed, 14 Oct 2009 14:43:18 +0000 (10:43 -0400)]
cifs.upcall: clean up logging and add debug messages
Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.
Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
7c7bb1572c86767658852426e6eb7de901b1cab2)
Volker Lendecke [Wed, 14 Oct 2009 14:42:46 +0000 (10:42 -0400)]
Attempt to fix the build -- jlayton, please check!
(cherry picked from commit
78b53b878a7871ea0ef311317da561008ad07e08)
Jeff Layton [Wed, 14 Oct 2009 14:42:28 +0000 (10:42 -0400)]
cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
If the kernel sends the upcall a pid of the requesting process, we can
open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME
value out of it.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
(cherry picked from commit
416f92e3ae739d6ba6593c8e9c43192e4671fc77)
Jeremy Allison [Wed, 14 Oct 2009 18:11:26 +0000 (11:11 -0700)]
Final part of fix for bug 6793 - winbindd crash with "INTERNAL ERROR: Signal 6" Don't use mapped_user uninitialized. Jeremy.
(cherry picked from commit
85ee2971db36455d908066eae2630925081792c9)
Olaf Flebbe [Tue, 6 Oct 2009 09:09:28 +0000 (11:09 +0200)]
s3/aio: Correctly handle aio_error() and errno.
Fix bug #6805.
(cherry picked from commit
dd28b7850c7ace008558571caee9679ff97a5e91)
Bo Yang [Wed, 14 Oct 2009 19:45:16 +0000 (12:45 -0700)]
Fix bug 6811 - pam_winbind references freed memory. s3: Fix reference to freed memory in pam_winbind.
(cherry picked from commit
106e3d5bdb1683d53b5525e3fe2e9e2d9de27e2c)
Volker Lendecke [Sat, 10 Oct 2009 09:15:42 +0000 (11:15 +0200)]
s3: Fix bug 6606
This is a port of
1f34ffa0caae5 and
24309bdb2efc to 3.4.
Fix file corruption using smbclient with NT4 server.
(cherry picked from commit
c685beb091cb0fedfb3f64bcc2ec2beb00fc9328)
Volker Lendecke [Tue, 13 Oct 2009 18:56:28 +0000 (20:56 +0200)]
s3:winbind: Fix a double-free
Part of a fix for bug #6793.
(cherry picked from commit
0fc64947526f4eea896fd83b01194e40416d15f4)
Volker Lendecke [Fri, 9 Oct 2009 20:05:37 +0000 (22:05 +0200)]
s3:winbind: Fix bug 6793 -- segfault in winbindd_pam_auth
(cherry picked from commit
2e478cc8c31bc60325a8e01885222d1db29ca21c)
Volker Lendecke [Tue, 13 Oct 2009 13:56:00 +0000 (15:56 +0200)]
s3:net: Fix a segfault in "net rpc trustdom list" for overlong domain names
That was a complicated way to say "%-20.s"... But that code was from 2002 ...
(cherry picked from commit
8a27fdea89bc54aa35e363a376836662103c7cb7)
Fix Bug #6807.
(cherry picked from commit
aa5a43143f26dee14dc1efe2a979a6701ddc650b)
Olaf Flebbe [Tue, 13 Oct 2009 09:39:49 +0000 (11:39 +0200)]
s3/loadparm: Fix hpux compiler issue.
Fixes bug #6804.
(cherry picked from commit
bf64668cb114ca7afdc81545d229bcb73b59c8f6)
Volker Lendecke [Fri, 9 Oct 2009 20:58:14 +0000 (22:58 +0200)]
s3: Fix a memleak reported by dmarkey
(cherry picked from commit
5aeb954ba9382e1975c64ac96f1e377ed6af3ae0)
Fix bug #6797.
(cherry picked from commit
a5e71f765927de5aa2a8e6a21cc297d274e8a1c2)
Jeremy Allison [Fri, 9 Oct 2009 19:50:26 +0000 (12:50 -0700)]
Fix bug 6796 - Deleting an event context on shutdown can cause smbd to crash.
Sync's tevent signal code with 3.5.x tree.
Protects against ev pointer being NULL.
Jeremy
(cherry picked from commit
56290654c0c2056c31e0b348ba0d01e5c28ba89b)
Jeremy Allison [Fri, 9 Oct 2009 17:01:29 +0000 (10:01 -0700)]
Fix bug 6774 - smbd crashes if "aio write behind" is set.
Don't dereference a talloc_move'd pointer.
Jeremy.
(cherry picked from commit
951991df2976b5f8f57c0418257d9d817ebda661)
Olaf Flebbe [Wed, 30 Sep 2009 12:55:58 +0000 (14:55 +0200)]
s3/aio: allow for outstanding_aio_calls to be decremented.
Fixes bug #6772.
(cherry picked from commit
a13f8bf949300079419cd86982012212323fcb65)
Karolin Seeger [Fri, 9 Oct 2009 06:58:55 +0000 (08:58 +0200)]
s3/Makefile: BUG 6791: Fix link order for libwbclient.
Patch was provided by Buchan Milne <bgmilne@mandriva.org>.
Signed-off-by: Björn Jacke <bj@sernet.de>
(cherry picked from commit
c0cbfdef387bf70e589dec6a3bbd434d12cacc34)
Karolin Seeger [Fri, 9 Oct 2009 06:55:53 +0000 (08:55 +0200)]
s3/Makefile: BUG 6791: Fix linking order in cifs.upcall.
Patch was originally provided by Buchan Milne <bgmilne@mandriva.org>.
Signed-off-by: Björn Jacke <bj@sernet.de>
(cherry picked from commit
7aea6adcede87a2389d933eedc50f836ba161f95)
Jeremy Allison [Wed, 7 Oct 2009 22:46:57 +0000 (15:46 -0700)]
Correct fix for bug 6781 - Cannot rename subfolders in Explorer view with recent versions of Samba. Without this fix, renaming a directory ./a to ./b, whilst a directory ./aa was already open would fail. Simplifies logic of earlier code. Jeremy.
(cherry picked from commit
37f42ad6a1fff1e43bfd6dcaa8244b738ea37363)
Jeremy Allison [Thu, 8 Oct 2009 23:40:26 +0000 (16:40 -0700)]
Fix bug 6769 - symlink unlink does nothing. Jeremy.
(cherry picked from commit
9f7d155001bc4c2808b6d17e9cb5ce87173b6061)
Volker Lendecke [Wed, 7 Oct 2009 12:06:53 +0000 (14:06 +0200)]
s3:winbind: Only ever handle one event after a select call
While handling an fd event, the situation with other fds can change. I've just
seen a winbind stuck in the accept() call on the privileged pipe. I can only
imagine this happen because under high load we first handled other requests and
meanwhile the client on the privileged pipe went away.
(cherry picked from commit
8ef4a183da8bdc9997c198678a931b111396c104)
Jeremy Allison [Mon, 5 Oct 2009 21:22:05 +0000 (14:22 -0700)]
Fix bug 6776 - Running overlapping Byte Lock test will core dump Samba daemon. Re-write core of POSIX locking logic. Jeremy.
(cherry picked from commit
e3a41dd3167df58990d4b0f1f2ea6b6583826cf9)
Andrew Klosterman [Tue, 8 Sep 2009 15:38:37 +0000 (17:38 +0200)]
s3:smbd: Fix bug 6690, wrong error check
(cherry picked from commit
f1f6df1747164f3f57adc9c6912b27592baa0802)
Stefan Metzmacher [Fri, 25 Sep 2009 04:20:33 +0000 (06:20 +0200)]
s3:winbindd: only notify the client when we exist, if the connection isn't dead already
This is similar to commit
83edf3e43e86781872a07d8eb53084f59ad7384c.
metze
(cherry picked from commit
722ba568d79451a527976181b360de82b87b68e8)
Stefan Metzmacher [Thu, 24 Sep 2009 19:35:38 +0000 (21:35 +0200)]
s3:winbindd_cm: don't invalidate the whole connection when just samr gave ACCCESS_DENIED
metze
(cherry picked from commit
bfd3a6f13aa935950142a24bf331feb98f987bde)
(cherry picked from commit
53a426986a0ead7903ff6cf576b3d5501210e379)
Stefan Metzmacher [Sun, 20 Sep 2009 21:29:11 +0000 (23:29 +0200)]
s3:rpc_client: don't randomly fragment rpc pdu's in developer mode
This is really confusing and also breaks against windows,
as it doesn't accept fragmented bind requests.
metze
(cherry picked from commit
68b8149d1fb26b2fe1138c99d971754b0a30378b)
(cherry picked from commit
10ff61b24f0604c9686e728ac92c1a2987a31aed)
Stefan Metzmacher [Sun, 20 Sep 2009 21:29:34 +0000 (23:29 +0200)]
s3:lib/select: don't overwrite errno in the signal handler
metze
(cherry picked from commit
00e378f17c39c52689601bc622b9cd78a0cdce12)
(cherry picked from commit
8d8bcfbfbe95f1623870b54cfc9329187a06d526)
Stefan Metzmacher [Mon, 21 Sep 2009 01:16:18 +0000 (03:16 +0200)]
tevent: make sure we don't set errno within the signal handler function.
metze
(cherry picked from commit
d13dfbeb6c6ab5b20277439da5b95f1a7f2850eb)
(cherry picked from commit
017586bb84a073f03a04ade6fb0bbe26af4112c1)
Stefan Metzmacher [Thu, 24 Sep 2009 04:38:08 +0000 (06:38 +0200)]
s3:rpc_server: we need to make a copy of my_name in serverinfo_to_SamInfo_base()
This is important for the case the server_info already contains a logon_server.
metze
(This is similar to commit
9ef39406d8072a1a102813fb4448af76e9020fcd)
(cherry picked from commit
dd5519d926ecdccc38f488d9a6d5138bfd871aa0)
Volker Lendecke [Wed, 23 Sep 2009 04:23:50 +0000 (06:23 +0200)]
s3:winbind: Fix an uninitialized variable (cherry picked from commit
0724649a8a7c04d015317d9dc2ae43ee87c1bd25)
(cherry picked from commit
d6af2a5ff4e4f723e521a3f708751b3155f870fc)
Günther Deschner [Thu, 17 Sep 2009 07:43:36 +0000 (09:43 +0200)]
s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.
Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp
connection when talking to AD for LSA lookup calls.
In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an
schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve
sids and names.
Guenther
(cherry picked from commit
6a8ef6c424c52be861ed2a9806f917a64ec892a6)
(cherry picked from commit
3bd36630e402b6215a46f8b0ba98e9e2b18b44eb)
Günther Deschner [Sat, 12 Sep 2009 21:30:39 +0000 (23:30 +0200)]
s3-winbindd: add cm_connect_lsa_tcp().
Guenther
(cherry picked from commit
58f2deb94024f002e3c3df47f45454edc97f47e1)
(cherry picked from commit
b35d5cf97fd610874583f0d03c6cda4def0cf0f5)
Günther Deschner [Thu, 17 Sep 2009 07:42:49 +0000 (09:42 +0200)]
s3-rpc_client: fix non initialized structure in rpccli_lsa_lookup_sids_noalloc.
Guenther
(cherry picked from commit
a4b5c792c55ef90648a528d279beec32f86a9b22)
(cherry picked from commit
27219ada4ec86544ceb8488850293b07f1ea7a10)
Günther Deschner [Sat, 12 Sep 2009 22:28:49 +0000 (00:28 +0200)]
s3-rpc_client: add rpccli_lsa_lookup_sids3 wrapper.
Guenther
(cherry picked from commit
2f9adf04e4b3e16c046cb371a428a8a70d5de041)
(cherry picked from commit
e867d3d9bb6494cde621f8f951f7aece5798f5fe)
Günther Deschner [Fri, 11 Sep 2009 17:35:14 +0000 (19:35 +0200)]
s3-rpc_client: add rpccli_lsa_lookup_names4 wrapper.
Guenther
(cherry picked from commit
ff968712bab6c2635ef74723c6f52b0fdac4b424)
(cherry picked from commit
99627d8e38a28759095b6704e8314c931ca638a0)
Günther Deschner [Thu, 17 Sep 2009 06:06:34 +0000 (08:06 +0200)]
s3-winbindd: add and use winbindd_lookup_names().
Guenther
(cherry picked from commit
99c3fc19587431efda1ae6161453d84673b32071)
(cherry picked from commit
6bcf24a2affb4798840e5cc49aeeb6c78d0265d0)
Günther Deschner [Thu, 17 Sep 2009 05:59:25 +0000 (07:59 +0200)]
s3-winbindd: add and use winbindd_lookup_sids().
Guenther
(cherry picked from commit
f0b52b8c3133e3696db361d9d0e7d1fff0fab991)
(cherry picked from commit
faa6a8de595ea38d3291dc7fb80d314a3b3f05cc)
Günther Deschner [Thu, 10 Sep 2009 20:23:21 +0000 (22:23 +0200)]
s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel().
Guenther
(cherry picked from commit
bea8e5fa6038d5abd2ec1e12f9005c4a04abb79f)
(cherry picked from commit
5b44f54a18b60fe3814623f351025335a0273916)
Günther Deschner [Thu, 10 Sep 2009 20:23:21 +0000 (22:23 +0200)]
s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp.
Guenther
(cherry picked from commit
032e01e7c13724d057b5744d7d79613449c2f24f)
(cherry picked from commit
cd8874214dba810e60faca155611dbcf2f1351f7)
Günther Deschner [Tue, 4 Nov 2008 17:40:24 +0000 (18:40 +0100)]
s3-rpc_client: add cli_rpc_pipe_open_noauth_transport.
Guenther
(cherry picked from commit
87f61a144b8d25c90b847940ca03ced1f77b036c)
(cherry picked from commit
18b8928c8cb12d2f56efcc61df5b74db3caec29c)
Günther Deschner [Thu, 10 Sep 2009 17:59:37 +0000 (19:59 +0200)]
s3-rpc_client: add enum dcerpc_transport_t to rpc_cli_transport struct.
Guenther
(cherry picked from commit
393a1f594d5f03a51448cdc465f92c599a93904c)
(cherry picked from commit
ef11ccb47db899603a100e67c3ca9ecd3298e347)
Jeremy Allison [Fri, 2 Oct 2009 10:23:32 +0000 (12:23 +0200)]
Second part of a fix for bug #6235.
Domain enumeration breaks if master browser has space in name.
(cherry picked from commit
f3f9dfd667526611b1fed3d47dc60eb45932eee0)
Derrell Lipman [Fri, 2 Oct 2009 10:22:25 +0000 (12:22 +0200)]
Fix bug #6532.
Domain enumeration breaks if master browser has space in name.
(cherry picked from commit
6b4b66c0cbf6147c693a84e6aec0b5cd07fd2e54)
Simo Sorce [Fri, 25 Sep 2009 14:59:04 +0000 (10:59 -0400)]
Fixing timeval calculation
The code was always doubling microseconds when attempting to round up.
Fix bug #6764.
(cherry picked from commit
7f8e6b98822df2ea813e6a7da6a8f14c503935d9)
Volker Lendecke [Tue, 29 Sep 2009 12:34:16 +0000 (14:34 +0200)]
s3: Document the "share:fake_fscaps" parameter, fix bug 6765
(cherry picked from commit
21794b0dd28a80b149342b3218d7ebb4c8791e09)
(cherry picked from commit
d046ab32094caa9511862144df1c00e64c234487)
Volker Lendecke [Wed, 9 Sep 2009 19:58:47 +0000 (21:58 +0200)]
s3:smbd: Add a "hidden" parameter "share:fake_fscaps"
This is needed to support some special app I've just come across where I had to
set the SPARSE_FILES bit (0x40) to make it work against Samba at all. There
might be others to fake. This is definitely a "Don't touch if you don't know
what you're doing" thing, so I decided to make this an undocumented parametric
parameter.
I know this sucks, so feel free to beat me up on this. But I don't think it
will hurt.
(cherry picked from commit
a5cace128d1dcabd6cc90dda71a09dfa8ee8c6f6)
Fix bug #6765.
(cherry picked from commit
af0c2b78f7b697fae0fae6f88a5c9922abc7c514)
Lars Müller [Mon, 2 Feb 2009 20:38:38 +0000 (21:38 +0100)]
Adjust regex to match variable names including underscores
This is required to get the CIFSUPCALL_PROGS setting extracted from
config.log.
(cherry picked from commit
5148eefe1ea6e215dcbf4ffaa642860bd8dab45f)
Fix for bug #6710.
(cherry picked from commit
f142ae80e344f098fb01a4c154a9fe46ed9a4eae)
Bo Yang [Wed, 16 Sep 2009 15:57:01 +0000 (23:57 +0800)]
s3: Don't overwrite password in pam_winbind, subsequent pam modules might use the old password and new password.
Signed-off-by: Bo Yang <boyang@samba.org>
Fix bug #6735.
(cherry picked from commit
2a2779bb752d83ff51161a7e5d62ca21c4e6c909)
Volker Lendecke [Wed, 16 Sep 2009 01:20:49 +0000 (03:20 +0200)]
s3: Fix reading beyond the end of a named stream in xattr_streams
This was found thanks to a test by Sivani from Microsoft against Samba at the
SDC plugfest
(cherry picked from commit
444a05c28df693a745809fef73ae583a78be7c8f)
Fix bug #6731.
(cherry picked from commit
ff9355149c9af7ca0e31b36690b270a03cb787fc)
Björn Jacke [Tue, 15 Sep 2009 04:48:49 +0000 (06:48 +0200)]
s3: BSD needs sys/sysctl.h included to build properly
FreeBSD (and other BSDs, too) need sys/sysctl.h inclueded to use sysctlbyname().
Thanks to Timur Bakeyev for that.
Fix bug #6728.
(cherry picked from commit
9c86a96af381f2826456f91eb99073c9fca633de)
Volker Lendecke [Fri, 18 Sep 2009 16:27:16 +0000 (18:27 +0200)]
s3:smbstatus: Fix bug 6703, allow smbstatus as non-root
We only require a ctdb connection when clustering is enabled. This limits the
restriction for only-root smbstatus to the clustering case.
(cherry picked from commit
b22713717422b822c3b8fcba611fc01e262d52c9)
Björn Jacke [Tue, 7 Jul 2009 20:11:50 +0000 (22:11 +0200)]
s3: QNX doesn't know uint - replace with uint_t
(cherry picked from commit
a28596964b44f20d794999541d38fe4bae64b56b)
(cherry picked from commit
47c2dc4eee5f7644601db0c24dca0ca30b482940)
Jeremy Allison [Tue, 15 Sep 2009 07:40:48 +0000 (09:40 +0200)]
s3/libsmb: SIVAL should have been an SVAL.
Fix bug #6726.
(cherry picked from commit
7ec7440fc2f78ef49cebdc819ff81db5ce9d143c)
Marc Aurele La France [Thu, 10 Sep 2009 16:52:11 +0000 (09:52 -0700)]
Fix bug 6707 - 3.4.1 segfault in parsing configs.
Fixes an occasional segfault caused by an out-of-bounds reference in config file parsing.
(cherry picked from commit
7c00227f00a83345035c4c0a6716b46864f2da8d)
(cherry picked from commit
0241ba8ce2b6da049fb3cc512508a9e9c5732781)
Jeremy Allison [Wed, 9 Sep 2009 21:39:17 +0000 (14:39 -0700)]
Fix bug 6529 - Offline files conflict with Vista and Office 2003. Jeremy.
(cherry picked from commit
e971428f137dcb42e8b735386d79f1b3a6effe34)
Lars Müller [Mon, 2 Feb 2009 20:12:52 +0000 (21:12 +0100)]
Conditional install of the cifs.upcall man page
Only install the cifs.upcall man page if CIFSUPCALL_PROGS was set while
configure.
(cherry picked from commit
e9e2414e798a2eb447de45803e61cc0a49752f11)
(cherry picked from commit
5cd771b964aa36082716352522a68c962e1aaba8)
Björn Jacke [Fri, 3 Jul 2009 12:25:06 +0000 (14:25 +0200)]
s3:configure: fix syntax error in avahi configure test
(cherry picked from commit
b54e48b830dbc3d66f9de5d2711a57a1630809e2)
Should fix bug #6704.
(cherry picked from commit
686439599ad78c6f4d5609129113e6da51fb4a57)
Shirish Pargaonkar [Mon, 27 Jul 2009 16:02:35 +0000 (12:02 -0400)]
umount.cifs: do not attempt to update /etc/mtab if it is symbolic link
If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it.
This is a fix for a bug reported in 4675 on samba bugzilla
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
(cherry picked from commit
a869e4253a87f9a5e13dbe87b2799f8683d238d7)
Fixes bug #4675.
(cherry picked from commit
f710535e947008a083b49d8a3faa117208616d7f)
Jeremy Allison [Wed, 30 Sep 2009 12:17:40 +0000 (14:17 +0200)]
Fix for CVE-2009-2906.
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
Karolin Seeger [Wed, 30 Sep 2009 11:54:22 +0000 (13:54 +0200)]
WHATSNEW: Update release notes.
Karolin
Karolin Seeger [Mon, 28 Sep 2009 11:38:32 +0000 (13:38 +0200)]
WHATSNEW: Update release date.
Karolin
Jeremy Allison [Mon, 28 Sep 2009 11:26:37 +0000 (13:26 +0200)]
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
Jeff Layton [Fri, 25 Sep 2009 11:03:07 +0000 (07:03 -0400)]
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
Jeff Layton [Fri, 25 Sep 2009 10:51:01 +0000 (06:51 -0400)]
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
Karolin Seeger [Mon, 28 Sep 2009 11:21:07 +0000 (13:21 +0200)]
WHATSNEW: Prepare release notes for 3.4.2.
Karolin
Karolin Seeger [Thu, 24 Sep 2009 12:29:43 +0000 (14:29 +0200)]
Raise version number up to 3.4.2.
Karolin
Karolin Seeger [Wed, 9 Sep 2009 12:24:08 +0000 (14:24 +0200)]
WHATSNEW: Update changes.
Karolin
(cherry picked from commit
a87116873bdbb4301f35b1d3f6bc8596f96be975)
Volker Lendecke [Wed, 9 Sep 2009 10:24:08 +0000 (12:24 +0200)]
s3:libsmb: Correctly chew keepalive packets
Thanks a *lot* to Günther to send me the relevant traces!
Volker
Signed-off-by: Günther Deschner <gd@samba.org>
Fixes bug #6646 (Winbind authentication issue on 3.2.13/14 and 3.4.0 (was:
[Samba] Crazied NTLM_AUTH on samba 3.4.0)).
(cherry picked from commit
a4f9583ce364fad963cc154f0229cb57ec0043d2)
Karolin Seeger [Wed, 9 Sep 2009 10:53:36 +0000 (12:53 +0200)]
WHATSNEW: Update changes since 3.4.0.
Karolin
(cherry picked from commit
abc676bcd5eec40946c2e851345a6e973bf2cbea)
SATOH Fumiyasu [Tue, 8 Sep 2009 23:07:17 +0000 (16:07 -0700)]
Fix bug 6496 - libsmbclient: MS-DFS: cannot follow multibyte char link name. A server returns a byte of consumed path in UCS2, not UNIX charset.
(cherry picked from commit
ee70079d08acf23cf7c342f09a7db4f5fc7ca95e)
Jeremy Allison [Tue, 8 Sep 2009 23:22:46 +0000 (16:22 -0700)]
Fix bug 6673 - smbpasswd does not work with "unix password sync = yes". Revert change from 3.3 -> 3.4 with read_socket_with_timeout changed from sys_read() to sys_recv(). read_socket_with_timeout() is called with non-fd's (with a pty in chgpasswd.c and with a disk file in lib/dbwrap_file.c via read_data()). recv works for the disk file, but not the pty. Change the name of read_socket_with_timeout() to read_fd_with_timeout() to make this clear (and add comments). Jeremy.
(cherry picked from commit
91a5b8561e2f13f77fa5648f7cc373aff1701954)
Jeremy Allison [Thu, 3 Sep 2009 14:40:48 +0000 (07:40 -0700)]
Hopefully last part of the fix for bug 6651 - smbd SIGSEGV when breaking oplocks. This one is subtle. There is a race condition where a signal can be queued for oplock break, and then the file can be closed by the client before the signal can be processed. Currently if this occurs we panic (we can't match an incoming signal fd with a fsp pointer). Simply log the error (at debug level 10 right now, might be too much) and then return without processing the break request. It looks like there is another race condition with this fix, but here's why it won't happen. If the signal was pending (caused by a kernel oplock break from a local file open), and the client closed the file and then re-opened another file which happened to use the same file descriptor as the file just closed, then theoretically the oplock break requests could be processed on the wrong fd. Here's why this should be very rare.. Processing a pending signal always take precedence over an incoming network request, so as long as the client close request is non-chained then the break signal should always be harmlessly processed *before* the open can be called. If the open is chained onto the close, and the fd on the new open is the same as the old closed fd, then it's possible this race will occur. However, all that will happen is that we'll lose the oplock on this file. A shame, but not a fatal event. Jeremy. (cherry picked from commit
bdc7bdb0d3e02d04477906dbda8995bc5789ce22)
(cherry picked from commit
95cc5af5fd6150f3c54cd344b66393dbc186c2df)
Jeremy Allison [Tue, 25 Aug 2009 04:14:52 +0000 (21:14 -0700)]
Help debug for bug 6651 - smbd SIGSEGV when breaking oplocks. Should help track if we get invoked with an invalid fd from the signal handler. Jeremy. (cherry picked from commit
213546103749c30dbb3ad8472872b9a8fad34205)
(cherry picked from commit
6b9d518b9f1244c99fbaa2812886d02635caff14)
Stefan Metzmacher [Fri, 4 Sep 2009 10:56:39 +0000 (12:56 +0200)]
tevent: change version to 0.9.8 after some critical bugs have been fixed
metze
(cherry picked from commit
1bb68402a2e37f39118eaaaa039ac69e03ba66f2)
(cherry picked from commit
a9890fb49d2372edbf2050134bb21450d98ff7f6)
Jeremy Allison [Thu, 3 Sep 2009 14:38:21 +0000 (07:38 -0700)]
Another part of the fix for bug 6651 - smbd SIGSEGV when breaking oplocks. SA_INFO_QUEUE_COUNT *MUST* be a power of 2, in order for the ring buffer wrap to work correctly at the 32 bit boundary. Thanks to Petr Vandrovec <petr@vandrovec.name> for this. (cherry picked from commit
c97698e762b1ea8d7133f04ae822225676a6f135)
(cherry picked from commit
161e20843054ecc5745e967da2a9d08ed09229d0)
Volker Lendecke [Sat, 29 Aug 2009 07:41:32 +0000 (09:41 +0200)]
tevent: Fix a segfault upon the first signal
When the first signal arrives, tevent_common_signal_handler() crashed: "ev" is
initialized to NULL, so the first "write(ev->pipe_fds[1], &c, 1);" dereferences
NULL.
Rusty, Tridge, please check. Also, can you tell me a bit more about the
environment you tested this in? I'd be curious to see where this survived.
Thanks,
Volker
(cherry picked from commit
23abcd2318c69753aa2a144e1dc0f9cf9efdb705)
(cherry picked from commit
1108225c1316521bf2bb59c9b99b030440af0002)