Changeset 335 for branches/samba-3.2.x/source

Timestamp:

Sep 24, 2009, 9:15:13 AM (16 years ago)

Author:

Herwig Bauernfeind

Message:

Update 3.2 to 3.2.14 (final)

Location:

branches/samba-3.2.x/source

Files:

• VERSION (modified) (1 diff)
• include/version.h (modified) (1 diff)
• lib/netapi/joindomain.c (modified) (1 diff)
• lib/smbldap.c (modified) (1 diff)
• lib/util.c (modified) (1 diff)
• libnet/libnet_join.c (modified) (3 diffs)
• librpc/gen_ndr/libnet_join.h (modified) (1 diff)
• librpc/gen_ndr/ndr_libnet_join.c (modified) (1 diff)
• librpc/idl/libnet_join.idl (modified) (1 diff)
• libsmb/passchange.c (modified) (1 diff)
• nsswitch/pam_winbind.c (modified) (4 diffs)
• passdb/lookup_sid.c (modified) (1 diff)
• passdb/passdb.c (modified) (1 diff)
• rpc_server/srv_lsa_nt.c (modified) (1 diff)
• rpc_server/srv_samr_nt.c (modified) (1 diff)
• script/tests/test_posix_s3.sh (modified) (1 diff)
• smbd/lanman.c (modified) (1 diff)
• smbd/open.c (modified) (2 diffs)
• smbd/server.c (modified) (3 diffs)
• smbd/trans2.c (modified) (5 diffs)
• utils/net_ads.c (modified) (3 diffs)
• utils/net_rpc.c (modified) (1 diff)
• winbindd/idmap_ldap.c (modified) (2 diffs)
• winbindd/winbindd_ads.c (modified) (5 diffs)
• winbindd/winbindd_rpc.c (modified) (6 diffs)
• winbindd/winbindd_sid.c (modified) (1 diff)
• winbindd/winbindd_util.c (modified) (1 diff)

branches/samba-3.2.x/source/VERSION

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 ########################################################

branches/samba-3.2.x/source/include/version.h

@@ -2 +2 @@
 #define SAMBA_VERSION_MAJOR 3
 #define SAMBA_VERSION_MINOR 2
-#define SAMBA_VERSION_RELEASE 13
-#define SAMBA_VERSION_OFFICIAL_STRING "3.2.13"
+#define SAMBA_VERSION_RELEASE 14
+#define SAMBA_VERSION_OFFICIAL_STRING "3.2.14"
 #define SAMBA_VERSION_STRING samba_version_string()

branches/samba-3.2.x/source/lib/netapi/joindomain.c

@@ -210 +210 @@
         u->in.domain_name = domain;
         u->in.unjoin_flags = r->in.unjoin_flags;
+        u->in.delete_machine_account = false;
         u->in.modify_config = true;
         u->in.debug = true;

branches/samba-3.2.x/source/lib/smbldap.c

@@ -1349 +1349 @@
         }
 
-        DEBUG(3,("smbldap_search_paged: search was successfull\n"));
+        DEBUG(3,("smbldap_search_paged: search was successful\n"));
 
         rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL, 

branches/samba-3.2.x/source/lib/util.c

@@ -2703 +2703 @@
                 }
                 if (name) {
-                        *name = "";
+                        *name = dir;
                 }
                 return True;

branches/samba-3.2.x/source/libnet/libnet_join.c

@@ -1836 +1836 @@
         }
 
+        if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
+            !r->in.delete_machine_account) {
+                libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+                return WERR_OK;
+        }
+
         if (!r->in.dc_name) {
                 struct netr_DsRGetDCNameInfo *info;
@@ -1861 +1867 @@
         }
 
-        status = libnet_join_unjoindomain_rpc(mem_ctx, r);
-        if (!NT_STATUS_IS_OK(status)) {
-                libnet_unjoin_set_error_string(mem_ctx, r,
-                        "failed to disable machine account via rpc: %s",
-                        get_friendly_nt_error_msg(status));
-                if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-                        return WERR_SETUP_NOT_JOINED;
-                }
-                return ntstatus_to_werror(status);
-        }
-
-        r->out.disabled_machine_account = true;
-
 #ifdef WITH_ADS
-        if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+        /* for net ads leave, try to delete the account.  If it works,
+           no sense in disabling.  If it fails, we can still try to
+           disable it. jmcd */
+
+        if (r->in.delete_machine_account) {
                 ADS_STATUS ads_status;
-                libnet_unjoin_connect_ads(mem_ctx, r);
-                ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
+                ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
+                if (ADS_ERR_OK(ads_status)) {
+                        /* dirty hack */
+                        r->out.dns_domain_name =
+                                talloc_strdup(mem_ctx,
+                                              r->in.ads->server.realm);
+                        ads_status =
+                                libnet_unjoin_remove_machine_acct(mem_ctx, r);
+                }
                 if (!ADS_ERR_OK(ads_status)) {
                         libnet_unjoin_set_error_string(mem_ctx, r,
@@ -1885 +1889 @@
                 } else {
                         r->out.deleted_machine_account = true;
-                        /* dirty hack */
-                        r->out.dns_domain_name = talloc_strdup(mem_ctx,
-                                                               r->in.ads->server.realm);
                         W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+                        libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
+                        return WERR_OK;
                 }
         }
 #endif /* WITH_ADS */
+
+        /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
+           "disable".  */
+        if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
+                status = libnet_join_unjoindomain_rpc(mem_ctx, r);
+                if (!NT_STATUS_IS_OK(status)) {
+                        libnet_unjoin_set_error_string(mem_ctx, r,
+                                "failed to disable machine account via rpc: %s",
+                                get_friendly_nt_error_msg(status));
+                        if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+                                return WERR_SETUP_NOT_JOINED;
+                        }
+                        return ntstatus_to_werror(status);
+                }
+
+                r->out.disabled_machine_account = true;
+        }
+
+        /* If disable succeeded or was not requested at all, we
+           should be getting rid of our end of things */
 
         libnet_join_unjoindomain_remove_secrets(mem_ctx, r);

branches/samba-3.2.x/source/librpc/gen_ndr/libnet_join.h

@@ -57 +57 @@
                 const char * machine_password;
                 uint32_t unjoin_flags;
+                uint8_t delete_machine_account;
                 uint8_t modify_config;
                 struct dom_sid *domain_sid;/* [ref] */

branches/samba-3.2.x/source/librpc/gen_ndr/ndr_libnet_join.c

@@ -88 +88 @@
 #endif
                 ndr_print_wkssvc_joinflags(ndr, "unjoin_flags", r->in.unjoin_flags);
+                ndr_print_uint8(ndr, "delete_machine_account", r->in.delete_machine_account);
                 ndr_print_uint8(ndr, "modify_config", r->in.modify_config);
                 ndr_print_ptr(ndr, "domain_sid", r->in.domain_sid);

branches/samba-3.2.x/source/librpc/idl/libnet_join.idl

@@ -52 +52 @@
                 [in] string machine_password,
                 [in] wkssvc_joinflags unjoin_flags,
+                [in] boolean8 delete_machine_account,
                 [in] boolean8 modify_config,
                 [in] dom_sid *domain_sid,

branches/samba-3.2.x/source/libsmb/passchange.c

@@ -170 +170 @@
                         asprintf(err_str, "SAMR connection to machine %s "
                                  "failed. Error was %s, but LANMAN password "
-                                 "changed are disabled\n",
+                                 "changes are disabled\n",
                                  nt_errstr(result), remote_machine);
                         result = cli_nt_error(cli);

branches/samba-3.2.x/source/nsswitch/pam_winbind.c

@@ -1911 +1911 @@
         int account_name_len;
         char sep;
+        char *p;
+        char *name;
+        char *domain;
 
         /* This cannot work when the winbind separator = @ */
@@ -1919 +1922 @@
         }
 
+        name = strdup(upn);
+        if (!name) {
+                return NULL;
+        }
+        if ((p = strchr(name, '@')) != NULL) {
+                *p = 0;
+                domain = p + 1;
+        }
+
         /* Convert the UPN to a SID */
 
@@ -1924 +1936 @@
         ZERO_STRUCT(resp);
 
-        strncpy(req.data.name.dom_name, "",
+        strncpy(req.data.name.dom_name, domain,
                 sizeof(req.data.name.dom_name) - 1);
-        strncpy(req.data.name.name, upn,
+        strncpy(req.data.name.name, name,
                 sizeof(req.data.name.name) - 1);
         retval = pam_winbind_request_log(ctx, WINBINDD_LOOKUPNAME,
@@ -1948 +1960 @@
                                     resp.data.name.dom_name,
                                     resp.data.name.name);
+        SAFE_FREE(name);
 
         return account_name;

branches/samba-3.2.x/source/passdb/lookup_sid.c

@@ -1086 +1086 @@
         DATA_BLOB cache_value;
 
-        if (!memcache_lookup(NULL, SID_UID_CACHE,
+        if (!memcache_lookup(NULL, SID_GID_CACHE,
                              data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
                              &cache_value)) {

branches/samba-3.2.x/source/passdb/passdb.c

@@ -676 +676 @@
                         }
 
-                        result = samu_set_unix( sam_pass, pwd );
+                        result = samu_alloc_rid_unix( sam_pass, pwd );
 
                         DEBUGLEVEL = tmp_debug;

branches/samba-3.2.x/source/rpc_server/srv_lsa_nt.c

@@ -1093 +1093 @@
         status = _lsa_LookupNames(p, &q);
 
+        sid_array2->count = sid_array->count;
         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
         if (!sid_array2->sids) {

branches/samba-3.2.x/source/rpc_server/srv_samr_nt.c

@@ -261 +261 @@
         *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
 
-        /* At least try for generic read. */
-        *pacc_requested = GENERIC_READ_ACCESS;
+        /* At least try for generic read|execute - Everyone gets that. */
+        *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
 
         /* root gets anything. */

branches/samba-3.2.x/source/script/tests/test_posix_s3.sh

@@ -39 +39 @@
 rpc="$rpc RPC-SAMBA3-SPOOLSS RPC-SAMBA3-WKSSVC"
 rpc="$rpc RPC-NETLOGSAMBA3 RPC-SAMBA3SESSIONKEY RPC-SAMBA3-GETUSERNAME"
+rpc="$rpc RPC-LSA-LOOKUPSIDS RPC-JOIN RPC-SAMR-MACHINE-AUTH"
+
 
 # NOTE: to enable the UNIX-WHOAMI test, we need to change the default share

branches/samba-3.2.x/source/smbd/lanman.c

@@ -1218 +1218 @@
                 }
                 fstrcpy(s->comment, p);
+                string_truncate(s->comment, MAX_SERVER_STRING_LENGTH);
 
                 s->domain[0] = '\0';

branches/samba-3.2.x/source/smbd/open.c

@@ -251 +251 @@
         if (!CAN_WRITE(conn)) {
                 /* It's a read-only share - fail if we wanted to write. */
-                if(accmode != O_RDONLY) {
+                if(accmode != O_RDONLY || (flags & O_TRUNC) || (flags & O_APPEND)) {
                         DEBUG(3,("Permission denied opening %s\n", path));
                         return NT_STATUS_ACCESS_DENIED;
@@ -259 +259 @@
                            access into the directory.
                         */
-                        flags &= ~O_CREAT;
-                        local_flags &= ~O_CREAT;
+                        flags &= ~(O_CREAT|O_EXCL);
+                        local_flags &= ~(O_CREAT|O_EXCL);
                 }
         }

branches/samba-3.2.x/source/smbd/server.c

@@ -349 +349 @@
         unsigned dns_port = 0;
 
-        if (!is_daemon) {
-                return open_sockets_inetd();
-        }
-
 #ifdef HAVE_ATEXIT
         {
@@ -362 +358 @@
         }
 #endif
+
+        if (!is_daemon) {
+                /*
+                 * Stop zombies the old way.
+                 * We aren't forking any new
+                 * 'normal' connections when
+                 * run from [x]inetd.
+                 */
+                CatchChild();
+                return open_sockets_inetd();
+        }
 
         /* Stop zombies */
@@ -1207 +1214 @@
         BlockSignals(False, SIGTERM);
 
+        /* Ensure we leave no zombies until we
+         * correctly set up child handling below. */
+        CatchChild();
+
         /* we want total control over the permissions on created files,
            so set our umask to 0 */

branches/samba-3.2.x/source/smbd/trans2.c

@@ -4920 +4920 @@
         if (setting_write_time) {
                 /*
-                 * This was a setfileinfo on an open file.
+                 * This was a Windows setfileinfo on an open file.
                  * NT does this a lot. We also need to 
                  * set the time here, as it can be read by 
@@ -5997 +5997 @@
         bool delete_on_fail = False;
         enum perm_type ptype;
+        files_struct *all_fsps = NULL;
+        bool modify_mtime = true;
+        struct file_id id;
 
         if (total_data < 100) {
@@ -6143 +6146 @@
 
         /* Deal with any time changes. */
-
-        return smb_set_file_time(conn,
+        id = vfs_file_id_from_sbuf(conn, psbuf);
+        for(all_fsps = file_find_di_first(id); all_fsps;
+                        all_fsps = file_find_di_next(all_fsps)) {
+                /*
+                 * We're setting the time explicitly for UNIX.
+                 * Cancel any pending changes over all handles.
+                 */
+                all_fsps->update_write_time_on_close = false;
+                TALLOC_FREE(all_fsps->update_write_time_event);
+        }
+
+        /*
+         * Override the "setting_write_time"
+         * parameter here as it almost does what
+         * we need. Just remember if we modified
+         * mtime and send the notify ourselves.
+         */
+        if (null_timespec(ts[1])) {
+                modify_mtime = false;
+        }
+
+        status = smb_set_file_time(conn,
                                 fsp,
                                 fname,
                                 psbuf,
                                 ts,
-                                true);
+                                false);
+
+        if (modify_mtime) {
+                notify_fname(conn, NOTIFY_ACTION_MODIFIED,
+                        FILE_NOTIFY_CHANGE_LAST_WRITE, fname);
+        }
+        return status;
 }
 
@@ -6776 +6805 @@
         }
 
-        if (!CAN_WRITE(conn)) {
-                reply_doserror(req, ERRSRV, ERRaccess);
-                return;
-        }
-
         if (INFO_LEVEL_IS_UNIX(info_level) && !lp_unix_extensions()) {
                 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
                 return;
+        }
+
+        if (!CAN_WRITE(conn)) {
+                /* Allow POSIX opens. The open path will deny
+                 * any non-readonly opens. */
+                if (info_level != SMB_POSIX_PATH_OPEN) {
+                        reply_doserror(req, ERRSRV, ERRaccess);
+                        return;
+                }
         }
 
@@ -7090 +7123 @@
 
         DEBUG(3,("call_trans2mkdir : name = %s\n", directory));
+
+        status = resolve_dfspath(ctx,
+                                conn,
+                                req->flags2 & FLAGS2_DFS_PATHNAMES,
+                                directory,
+                                &directory);
+        if (!NT_STATUS_IS_OK(status)) {
+                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
+                        reply_botherror(req,
+                                        NT_STATUS_PATH_NOT_COVERED,
+                                        ERRSRV, ERRbadpath);
+                }
+                reply_nterror(req, status);
+                return;
+        }
 
         status = unix_convert(ctx, conn, directory, False, &directory, NULL, &sbuf);

branches/samba-3.2.x/source/utils/net_ads.c

@@ -836 +836 @@
         r->in.admin_password    = net_prompt_pass(opt_user_name);
         r->in.modify_config     = lp_config_backend_is_registry();
+
+        /* Try to delete it, but if that fails, disable it.  The
+           WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
         r->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
                                   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+        r->in.delete_machine_account = true;
 
         werr = libnet_Unjoin(ctx, r);
@@ -847 +851 @@
         }
 
-        if (W_ERROR_IS_OK(werr)) {
+        if (r->out.deleted_machine_account) {
                 d_printf("Deleted account for '%s' in realm '%s'\n",
                         r->in.machine_name, r->out.dns_domain_name);
@@ -861 +865 @@
         }
 
-        d_fprintf(stderr, "Failed to disable machine account for '%s' in realm '%s'\n",
+        /* Based on what we requseted, we shouldn't get here, but if
+           we did, it means the secrets were removed, and therefore
+           we have left the domain */
+        d_fprintf(stderr, "Machine '%s' Left domain '%s'\n",
                   r->in.machine_name, r->out.dns_domain_name);
 

branches/samba-3.2.x/source/utils/net_rpc.c

@@ -5939 +5939 @@
         union lsa_TrustedDomainInfo *info = NULL;
         char *cleartextpwd = NULL;
-        DATA_BLOB data;
+        DATA_BLOB data = data_blob_null;
 
         nt_status = rpccli_lsa_QueryTrustedDomainInfoBySid(pipe_hnd, mem_ctx,

branches/samba-3.2.x/source/winbindd/idmap_ldap.c

@@ -894 +894 @@
         struct idmap_ldap_context *ctx;
         LDAPMessage *result = NULL;
+        LDAPMessage *entry = NULL;
         const char *uidNumber;
         const char *gidNumber;
@@ -989 +990 @@
 
         for (i = 0; i < count; i++) {
-                LDAPMessage *entry = NULL;
                 char *sidstr = NULL;
                 char *tmp = NULL;

branches/samba-3.2.x/source/winbindd/winbindd_ads.c

@@ -1120 +1120 @@
         /* handle sids not resolved from cache by lsa_lookup_sids */
         if (num_nocache > 0) {
+                unsigned int orig_timeout;
 
                 status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy);
@@ -1126 +1127 @@
                         goto done;
                 }
+
+                /*
+                 * This call can take a long time
+                 * allow the server to time out.
+                 * 35 seconds should do it.
+                 */
+                orig_timeout = cli_set_timeout(cli->cli, 35000);
 
                 status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
@@ -1135 +1143 @@
                                                 &name_types_nocache);
 
+                /* And restore our original timeout. */
+                cli_set_timeout(cli->cli, orig_timeout);
+
                 if (!(NT_STATUS_IS_OK(status) ||
                       NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
@@ -1148 +1159 @@
                                 goto done;
                         }
+
+                        /*
+                         * This call can take a long time
+                         * allow the server to time out.
+                         * 35 seconds should do it.
+                         */
+                        orig_timeout = cli_set_timeout(cli->cli, 35000);
 
                         status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
@@ -1156 +1174 @@
                                                         &names_nocache,
                                                         &name_types_nocache);
+
+                        /* And restore our original timeout. */
+                        cli_set_timeout(cli->cli, orig_timeout);
                 }
 

branches/samba-3.2.x/source/winbindd/winbindd_rpc.c

@@ -280 +280 @@
         struct rpc_pipe_client *cli;
         POLICY_HND lsa_policy;
+        unsigned int orig_timeout;
 
         if (name == NULL || *name=='\0') {
@@ -303 +304 @@
                 return result;
 
+        /*
+         * This call can take a long time
+         * allow the server to time out.
+         * 35 seconds should do it.
+         */
+        orig_timeout = cli_set_timeout(cli->cli, 35000);
+
         result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1, 
                                          (const char**) &full_name, NULL, 1, &sids, &types);
-        
+
+        /* And restore our original timeout. */
+        cli_set_timeout(cli->cli, orig_timeout);
+
         if (!NT_STATUS_IS_OK(result))
                 return result;
@@ -333 +344 @@
         struct rpc_pipe_client *cli;
         POLICY_HND lsa_policy;
+        unsigned int orig_timeout;
 
         DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid),
@@ -345 +357 @@
         
 
+        /*
+         * This call can take a long time
+         * allow the server to time out.
+         * 35 seconds should do it.
+         */
+        orig_timeout = cli_set_timeout(cli->cli, 35000);
+
         result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
                                         1, sid, &domains, &names, &types);
+
+        /* And restore our original timeout. */
+        cli_set_timeout(cli->cli, orig_timeout);
+
         if (!NT_STATUS_IS_OK(result)) {         
                 DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids()  failed (%s)\n",
@@ -379 +402 @@
         size_t i;
         char **ret_names;
+        unsigned int orig_timeout;
 
         DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
@@ -402 +426 @@
         }
 
+        /*
+         * This call can take a long time
+         * allow the server to time out.
+         * 35 seconds should do it.
+         */
+        orig_timeout = cli_set_timeout(cli->cli, 35000);
+
         result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
                                         num_rids, sids, &domains,
                                         names, types);
+
+        /* And restore our original timeout. */
+        cli_set_timeout(cli->cli, orig_timeout);
+
         if (!NT_STATUS_IS_OK(result) &&
             !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {

branches/samba-3.2.x/source/winbindd/winbindd_sid.c

@@ -94 +94 @@
                 name_domain = state->request.data.name.name;
                 name_user = p+1;
+        } else if ((p = strchr(state->request.data.name.name, '@')) != NULL) {
+                name_domain = p + 1;
+                *p = 0;
+                name_user = state->request.data.name.name;
         } else {
                 name_domain = state->request.data.name.dom_name;

branches/samba-3.2.x/source/winbindd/winbindd_util.c

@@ -1103 +1103 @@
                         fstrcpy(domain, lp_workgroup());
                 } else if ((p = strchr(domuser, '@')) != NULL) {
-                        fstrcpy(domain, "");                    
+                        fstrcpy(domain, p + 1);
+                        user[PTR_DIFF(p, domuser)] = 0;
                 } else {
                         return False;