diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Fedora/makerpms.sh samba-3.0.8/packaging/Fedora/makerpms.sh --- samba-3.0.8pre2/packaging/Fedora/makerpms.sh 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/Fedora/makerpms.sh 2004-11-07 22:07:57.114740000 -0600 @@ -18,7 +18,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.8pre2' +VERSION='3.0.8' SPECFILE="samba.spec" RPMVER=`rpm --version | awk '{print $3}'` RPM="rpmbuild" diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Fedora/samba.spec samba-3.0.8/packaging/Fedora/samba.spec --- samba-3.0.8pre2/packaging/Fedora/samba.spec 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/Fedora/samba.spec 2004-11-07 22:07:57.152734000 -0600 @@ -3,7 +3,7 @@ Summary: The Samba SMB server. Name: samba -Version: 3.0.8pre2 +Version: 3.0.8 Release: 1 License: GNU GPL Version 2 Group: System Environment/Daemons @@ -273,6 +273,7 @@ %{_bindir}/smbstatus # %{_bindir}/smbadduser %{_bindir}/tdbbackup +%{_bindir}/tdbtool %config(noreplace) %{_sysconfdir}/sysconfig/samba %config(noreplace) %{_sysconfdir}/samba/smbusers %attr(755,root,root) %config %{initdir}/smb diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Fedora/samba.spec.tmpl samba-3.0.8/packaging/Fedora/samba.spec.tmpl --- samba-3.0.8pre2/packaging/Fedora/samba.spec.tmpl 2004-08-16 07:52:04.000000000 -0500 +++ samba-3.0.8/packaging/Fedora/samba.spec.tmpl 2004-11-07 14:43:24.000000000 -0600 
@@ -273,6 +273,7 @@ %{_bindir}/smbstatus # %{_bindir}/smbadduser %{_bindir}/tdbbackup +%{_bindir}/tdbtool %config(noreplace) %{_sysconfdir}/sysconfig/samba %config(noreplace) %{_sysconfdir}/samba/smbusers %attr(755,root,root) %config %{initdir}/smb diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Mandrake/makerpms.sh samba-3.0.8/packaging/Mandrake/makerpms.sh --- samba-3.0.8pre2/packaging/Mandrake/makerpms.sh 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/Mandrake/makerpms.sh 2004-11-07 22:07:57.187728000 -0600 @@ -20,7 +20,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.8pre2' +VERSION='3.0.8' RPMVER=`rpm --version | awk '{print $3}'` echo The RPM Version on this machine is: $RPMVER diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Mandrake/samba2.spec samba-3.0.8/packaging/Mandrake/samba2.spec --- samba-3.0.8pre2/packaging/Mandrake/samba2.spec 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/Mandrake/samba2.spec 2004-11-07 22:07:57.246719000 -0600 @@ -24,7 +24,7 @@ %define libname %mklibname smbclient %libsmbmajor # Version and release replaced by samba-team at release from samba cvs -%define pversion 3.0.8pre2 +%define pversion 3.0.8 %define prelease 1 #Check to see if p(version|release) has been replaced (1 if replaced) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/RedHat/makerpms.sh samba-3.0.8/packaging/RedHat/makerpms.sh --- samba-3.0.8pre2/packaging/RedHat/makerpms.sh 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/RedHat/makerpms.sh 2004-11-07 22:07:57.269716000 -0600 
@@ -20,7 +20,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.8pre2' +VERSION='3.0.8' SPECFILE="samba3.spec" RPMVER=`rpm --version | awk '{print $3}'` RPM="rpm" diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/RedHat/samba.spec samba-3.0.8/packaging/RedHat/samba.spec --- samba-3.0.8pre2/packaging/RedHat/samba.spec 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/RedHat/samba.spec 2004-11-07 22:07:57.291712000 -0600 @@ -4,7 +4,7 @@ Summary: Samba SMB client and server Vendor: Samba Team Name: samba -Version: 3.0.8pre2 +Version: 3.0.8 Release: 1 License: GNU GPL version 2 Group: Networking diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/makepkg.sh samba-3.0.8/packaging/Solaris/makepkg.sh --- samba-3.0.8pre2/packaging/Solaris/makepkg.sh 2004-10-26 09:25:00.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/makepkg.sh 2004-11-07 14:43:38.000000000 -0600 
@@ -1,182 +1,226 @@ #!/bin/sh # # Copyright (C) Shirish A Kalele 2000 +# Copyright (C) Gerald Carter 2004 # -# Builds a Samba package from the samba distribution. -# By default, the package will be built to install samba in /usr/local -# Change the INSTALL_BASE variable to change this: will modify the pkginfo -# and samba.server files to point to the new INSTALL_BASE +# script for build solaris Samba package # -INSTALL_BASE=/usr/local + +INSTALL_BASE=/opt/samba + +SBINPROS="smbd nmbd winbindd swat" +BINPROGS="findsmb nmblookup pdbedit rpcclient smbclient smbcquotas smbspool smbtar tdbbackup testparm wbinfo net ntlm_auth profiles smbcacls smbcontrol smbpasswd smbstatus smbtree tdbdump testprns" +MSGFILES="de.msg en.msg fr.msg it.msg ja.msg nl.msg pl.msg tr.msg" +VFSLIBS="audit.so default_quota.so extd_audit.so full_audit.so readonly.so shadow_copy.so cap.so expand_msdfs.so fake_perms.so netatalk.so recycle.so" +DATFILES="lowcase.dat upcase.dat valid.dat" +CHARSETLIBS="CP437.so CP850.so" add_dynamic_entries() { - # Add the binaries, docs and SWAT files + # Add the binaries, docs and SWAT files + cd $TMPINSTALLDIR/$INSTALL_BASE - echo "#\n# Binaries \n#" - cd $DISTR_BASE/source/bin - for binfile in * - do - if [ -f $binfile ]; then - case $file in - CP*.so) - echo echo f none samba/lib/charset/$binfile=source/bin/$binfile 0755 root other - ;; - *) - echo f none samba/bin/$binfile=source/bin/$binfile 0755 root other - ;; - esac - fi - done - - # Add the scripts to bin/ - echo "#\n# Scripts \n#" - cd $DISTR_BASE/source/script - for shfile in * - do - if [ -f $shfile ]; then - echo f none samba/bin/$shfile=source/script/$shfile 0755 root other - fi - done - - # add libraries to /lib for winbind - echo "#\n# Libraries \n#" - if [ -f $DISTR_BASE/source/nsswitch/libnss_winbind.so ] ; then - echo f none /usr/lib/libnss_winbind.so=source/nsswitch/libnss_winbind.so 0755 root other - echo s none /usr/lib/libnss_winbind.so.1=/usr/lib/libnss_winbind.so 0755 root other - echo s 
none /usr/lib/libnss_winbind.so.2=/usr/lib/libnss_winbind.so 0755 root other - echo s none /usr/lib/nss_winbind.so.1=/usr/lib/libnss_winbind.so 0755 root other - echo s none /usr/lib/nss_winbind.so.2=/usr/lib/libnss_winbind.so 0755 root other - fi - - # add pam_winbind module to /usr/lib/security - if [ -f $DISTR_BASE/source/nsswitch/pam_winbind.so ] ; then - echo f none /usr/lib/security/pam_winbind.so.1=source/nsswitch/pam_winbind.so 0755 root bin - echo s none /usr/lib/security/pam_winbind.so=/usr/lib/security/pam_winbind.so.1 0777 root root - fi - - # add the .dat codepages - echo "#\n# Codepages \n#" - for file in $DISTR_BASE/source/codepages/*.dat ; do - bfile=`basename $file` - echo f none /usr/local/samba/lib/$bfile=source/codepages/$bfile - done - - # Add the manpages - echo "#\n# man pages \n#" - echo d none /usr ? ? ? - echo d none /usr/share ? ? ? - echo d none /usr/share/man ? ? ? - - # Create directories for man page sections if nonexistent - cd $DISTR_BASE/docs/manpages - for i in 1 2 3 4 5 6 7 8 9 - do - manpages=`ls *.$i 2>/dev/null` - if [ $? -eq 0 ] - then - echo d none /usr/share/man/man$i ? ? ? 
- for manpage in $manpages - do - echo f none /usr/share/man/man${i}/${manpage}=docs/manpages/$manpage 0644 root other - done - fi - done - - echo "#\n# HTML documentation \n#" - cd $DISTR_BASE - list=`find docs/htmldocs -type d | grep -v "/CVS$"` - for docdir in $list - do - if [ -d $docdir ]; then - echo d none samba/$docdir 0755 root other - fi - done - - list=`find docs/htmldocs -type f | grep -v /CVS/` - for htmldoc in $list - do - if [ -f $htmldoc ]; then - echo f none samba/$htmldoc=$htmldoc 0644 root other - fi - done - - # Create a symbolic link to the Samba book in docs/ for beginners - echo 's none samba/docs/samba_book=htmldocs/using_samba' - - echo "#\n# SWAT \n#" - cd $DISTR_BASE - list=`find swat -type d | grep -v "/CVS$"` - for i in $list - do - echo "d none samba/$i 0755 root other" - done - list=`find swat -type f | grep -v /CVS/` - for i in $list - do - echo "f none samba/$i=$i 0644 root other" - done - # add the .msg files for SWAT - echo "#\n# msg files \n#" - for file in $DISTR_BASE/source/po/*.msg ; do - bfile=`basename $file` - echo f none /usr/local/samba/lib/$bfile=source/po/$bfile - done - - echo "#\n# HTML documentation for SWAT\n#" - cd $DISTR_BASE/docs/htmldocs - for htmldoc in * - do - if [ -f $htmldoc ]; then - echo f none samba/swat/help/$htmldoc=docs/htmldocs/$htmldoc 0644 root other - fi - done + echo "#\n# Server Binaries \n#" + for file in $SBINPROGS; do + echo f none sbin/$file 0755 root other + done - echo "#\n# Using Samba Book files for SWAT\n#" - cd $DISTR_BASE/docs/htmldocs + echo "#\n# User Binaries \n#" + for file in $BINPROGS; do + echo f none bin/$file 0755 root other + done + + echo "#\n# Libraries\n#" + for file in $MSGFILES; do + echo f none lib/$file 0644 root other + done + for file in $VFSLIBS; do + echo f none lib/vfs/$file 0755 root other + done + for file in $DATFILES; do + echo f none lib/$file 0644 root other + done + for file in $CHARSETLIBS; do + echo f none lib/charset/$file 0755 root other + done + + 
echo "#\n# libsmbclient\n#" + echo f none lib/libsmbclient.so 0755 root other + echo f none include/libsmbclient.h 0644 root other + + echo "#\n# smbwrapper\n#" + echo f none lib/smbwrapper.so 0755 root other + echo f none bin/smbsh 0755 root other + + echo "#\n# nss_winbind.so\n#" + echo f none /usr/lib/nss_winbind.so.1=lib/libnss_winbind.so 0755 root other + echo s none /lib/nss_winbind.so.1=../usr/lib/nss_winbind.so.1 0755 root other + if [ -f lib/pam_winbind.so ]; then + echo f none /usr/lib/security/pam_winbind.so=lib/pam_winbind.so 0755 root other + fi + + # Add the manpages + echo "#\n# man pages \n#" + echo d none /usr ? ? ? + echo d none /usr/share ? ? ? + echo d none /usr/share/man ? ? ? + + # Create directories for man page sections if nonexistent + cd man + for i in 1 2 3 4 5 6 7 8 9; do + manpages=`ls *.$i 2>/dev/null` + if [ $? -eq 0 ]; then + echo d none /usr/share/man/man$i ? ? ? + for manpage in $manpages; do + echo f none /usr/share/man/man${i}/${manpage}=docs/manpages/$manpage 0644 root other + done + fi + done + cd .. -# set up a symbolic link instead of duplicating the book tree - echo 's none samba/swat/using_samba=../docs/htmldocs/using_samba' + echo "#\n# SWAT \n#" + list=`find swat -type d | grep -v "/.svn$"` + for dir in $list; do + if [ -d $dir ]; then + echo d none $dir 0755 root other + fi + done + list=`find swat -type f | grep -v /.svn/` + for file in $list; do + if [ -f $file ]; then + echo f none $file 0644 root other + fi + done + + # Create entries for docs for the beginner + echo s none docs/using_samba=$BASEDIR/swat/help/using_samba + for file in docs/*pdf; do + echo f none $file 0644 root other + done } -if [ $# = 0 ] -then - # Try to guess the distribution base.. - CURR_DIR=`pwd` - DISTR_BASE=`echo $CURR_DIR | sed 's|\(.*\)/packaging.*|\1|'` - echo "Assuming Samba distribution is rooted at $DISTR_BASE.." 
-else - DISTR_BASE=$1 +##################################################################### +## BEGIN MAIN +##################################################################### + +TMPINSTALLDIR=$HOME/build + +# Try to guess the distribution base.. +CURR_DIR=`pwd` +DISTR_BASE=`echo $CURR_DIR | sed 's|\(.*\)/packaging.*|\1|'` +echo "Assuming Samba distribution is rooted at $DISTR_BASE.." + +## +## first build the source +## + +cd $DISTR_BASE/source + +if [ "x$1" != "xnobuild" ]; then + ./configure --prefix=$INSTALL_DIR \ + --with-acl-support \ + --with-included-popt \ + --localstatedir=/var/lib/samba \ + --with-piddir=/var/run \ + --with-logfilebase=/var/log/samba \ + --with-privatedir=/etc/samba/private \ + --with-configdir=/etc/samba \ + && make + + if [ $? -ne 0 ]; then + echo "Build failed! Exiting...." + exit 1 + fi fi + +make DESTDIR=$TMPINSTALLDIR install -# -if [ ! -d $DISTR_BASE ]; then - echo "Source build directory $DISTR_BASE does not exist." - exit 1 -fi +## clear out *.old +( cd $TMPINSTALLDIR; du -a | grep \.old$ | awk '{print "rm -rf "$2}' | sh ) -# Set up the prototype file from prototype.master -if [ -f prototype ]; then - rm prototype + +## +## Now get the install locations +## +SBINDIR=`bin/smbd -b | grep SBINDIR | awk '{print $2}'` +BINDIR=`bin/smbd -b | grep BINDIR | grep -v SBINDIR | awk '{print $2}'` +SWATDIR=`bin/smbd -b | grep SWATDIR | awk '{print $2}'` +CONFIGFILE=`bin/smbd -b | grep CONFIGFILE | awk '{print $2}'` +CONFIGDIR=`dirname $CONFIGFILE` +LOGFILEBASE=`bin/smbd -b | grep LOGFILEBASE | awk '{print $2}'` +LIBDIR=`bin/smbd -b | grep LIBDIR | awk '{print $2}'` +PIDDIR=`bin/smbd -b | grep PIDDIR | awk '{print $2}'` +PRIVATE_DIR=`bin/smbd -b | grep PRIVATE_DIR | awk '{print $2}'` +DOCDIR=$INSTALL_BASE/docs + +## +## copy some misc files that are ont done as part of 'make install' +## +cp -fp nsswitch/libnss_winbind.so $TMPINSTALLDIR/$LIBDIR/libnss_winbind.so +if [ -f nsswitch/pam_winbind.so ]; then + cp -fp nsswitch/pam_winbind.so 
$TMPINSTALLDIR/$LIBDIR/pam_winbind.so fi -# Setup version from version.h -VERSION=3.0.8pre2 -sed -e "s|__VERSION__|$VERSION|" -e "s|__ARCH__|`uname -p`|" -e "s|__BASEDIR__|$INSTALL_BASE|g" pkginfo.master >pkginfo +cp -p bin/smbwrapper.so $TMPINSTALLDIR/$INSTALL_BASE/lib +cp -p bin/smbsh $TMPINSTALLDIR/$INSTALL_BASE/bin + +mkdir -p $TMPINSTALLDIR/$INSTALL_BASE/docs +cp -p ../docs/*pdf $TMPINSTALLDIR/$INSTALL_BASE/docs -sed -e "s|__BASEDIR__|$INSTALL_BASE|g" inetd.conf.master >inetd.conf -sed -e "s|__BASEDIR__|$INSTALL_BASE|g" samba.server.master >samba.server + +cd $DISTR_BASE/packaging/Solaris + +## +## Main driver +## + +# Setup version from smbd -V + +VERSION=`$TMPINSTALLDIR/$SBINDIR/smbd -V | awk '{print $2}'` +sed -e "s|__VERSION__|$VERSION|" -e "s|__ARCH__|`uname -p`|" -e "s|__BASEDIR__|$INSTALL_BASE|g" pkginfo.master > pkginfo + +sed -e "s|__BASEDIR__|$INSTALL_BASE|g" inetd.conf.master > inetd.conf +sed -e "s|__BASEDIR__|$INSTALL_BASE|g" samba.init.master > samba.init + +## +## copy over some scripts need for packagaing +## +mkdir -p $TMPINSTALLDIR/$INSTALL_BASE/scripts +for i in inetd.conf samba.init smb.conf.default services; do + cp -fp $i $TMPINSTALLDIR/$INSTALL_BASE/scripts +done + +## +## Start building the prototype file +## +echo "SBINDIR=sbin" >> pkginfo +echo "BINDIR=bin" >> pkginfo +echo "SWATDIR=swat" >> pkginfo +echo "CONFIGDIR=$CONFIGDIR" >> pkginfo +echo "LOGFILEBASE=$LOGFILEBASE" >> pkginfo +echo "LIBDIR=lib" >> pkginfo +echo "PIDDIR=$PIDDIR" >> pkginfo +echo "DOCDIR=docs" >> pkginfo +echo "PRIVATE_DIR=$PRIVATE_DIR" >> pkginfo cp prototype.master prototype # Add the dynamic part to the prototype file (add_dynamic_entries >> prototype) +## +## copy packaging files +## +for i in prototype pkginfo copyright preremove postinstall request i.swat r.swat; do + cp $i $TMPINSTALLDIR/$INSTALL_BASE +done + # Create the package -pkgmk -o -d /tmp -b $DISTR_BASE -f prototype -if [ $? 
= 0 ] -then +pkgmk -o -d /tmp -b $TMPINSTALLDIR/$INSTALL_BASE -f prototype + +if [ $? = 0 ]; then pkgtrans /tmp samba.pkg samba fi + echo The samba package is in /tmp diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/makepkg.sh.tmpl samba-3.0.8/packaging/Solaris/makepkg.sh.tmpl --- samba-3.0.8pre2/packaging/Solaris/makepkg.sh.tmpl 2004-10-25 16:05:11.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/makepkg.sh.tmpl 1969-12-31 18:00:00.000000000 -0600 
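Review bot: Two variable names in the new makepkg.sh do not match their definitions: the list is assigned to `SBINPROS` but the server-binary loop in add_dynamic_entries reads `$SBINPROGS`, and `./configure --prefix=$INSTALL_DIR` uses a name that is never set, while the script defines `INSTALL_BASE`. As written, the prototype gets no `sbin/` entries and configure receives an empty prefix, so the staged tree may not match the `$INSTALL_BASE` paths the later `cp` steps write into; the fixes are `SBINPROGS="smbd nmbd winbindd swat"` and `--prefix=$INSTALL_BASE`. The `*.old` cleanup builds `rm -rf` commands from file names and pipes them to `sh`, which mis-handles names containing spaces or shell metacharacters, leaves `\.old$` unquoted so the shell strips the backslash, and runs in the current directory if the `cd` fails; `find "$TMPINSTALLDIR" -name '*.old' -prune -exec rm -rf {} \;` does the same job without re-parsing names. `TMPINSTALLDIR` is derived from `$HOME` and should be checked as non-empty before the install and cleanup steps use it.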
@@ -1,182 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Shirish A Kalele 2000 -# -# Builds a Samba package from the samba distribution. -# By default, the package will be built to install samba in /usr/local -# Change the INSTALL_BASE variable to change this: will modify the pkginfo -# and samba.server files to point to the new INSTALL_BASE -# -INSTALL_BASE=/usr/local - -add_dynamic_entries() -{ - # Add the binaries, docs and SWAT files - - echo "#\n# Binaries \n#" - cd $DISTR_BASE/source/bin - for binfile in * - do - if [ -f $binfile ]; then - case $file in - CP*.so) - echo echo f none samba/lib/charset/$binfile=source/bin/$binfile 0755 root other - ;; - *) - echo f none samba/bin/$binfile=source/bin/$binfile 0755 root other - ;; - esac - fi - done - - # Add the scripts to bin/ - echo "#\n# Scripts \n#" - cd $DISTR_BASE/source/script - for shfile in * - do - if [ -f $shfile ]; then - echo f none samba/bin/$shfile=source/script/$shfile 0755 root other - fi - done - - # add libraries to /lib for winbind - echo "#\n# Libraries \n#" - if [ -f $DISTR_BASE/source/nsswitch/libnss_winbind.so ] ; then - echo f none /usr/lib/libnss_winbind.so=source/nsswitch/libnss_winbind.so 0755 root other - echo s none /usr/lib/libnss_winbind.so.1=/usr/lib/libnss_winbind.so 0755 root other - echo s none /usr/lib/libnss_winbind.so.2=/usr/lib/libnss_winbind.so 0755 root other - echo s none /usr/lib/nss_winbind.so.1=/usr/lib/libnss_winbind.so 0755 root other - echo s none /usr/lib/nss_winbind.so.2=/usr/lib/libnss_winbind.so 0755 root other - fi - - # add pam_winbind module to /usr/lib/security - if [ -f $DISTR_BASE/source/nsswitch/pam_winbind.so ] ; then - echo f none /usr/lib/security/pam_winbind.so.1=source/nsswitch/pam_winbind.so 0755 root bin - echo s none /usr/lib/security/pam_winbind.so=/usr/lib/security/pam_winbind.so.1 0777 root root - fi - - # add the .dat codepages - echo "#\n# Codepages \n#" - for file in $DISTR_BASE/source/codepages/*.dat ; do - bfile=`basename $file` - echo f none 
/usr/local/samba/lib/$bfile=source/codepages/$bfile - done - - # Add the manpages - echo "#\n# man pages \n#" - echo d none /usr ? ? ? - echo d none /usr/share ? ? ? - echo d none /usr/share/man ? ? ? - - # Create directories for man page sections if nonexistent - cd $DISTR_BASE/docs/manpages - for i in 1 2 3 4 5 6 7 8 9 - do - manpages=`ls *.$i 2>/dev/null` - if [ $? -eq 0 ] - then - echo d none /usr/share/man/man$i ? ? ? - for manpage in $manpages - do - echo f none /usr/share/man/man${i}/${manpage}=docs/manpages/$manpage 0644 root other - done - fi - done - - echo "#\n# HTML documentation \n#" - cd $DISTR_BASE - list=`find docs/htmldocs -type d | grep -v "/CVS$"` - for docdir in $list - do - if [ -d $docdir ]; then - echo d none samba/$docdir 0755 root other - fi - done - - list=`find docs/htmldocs -type f | grep -v /CVS/` - for htmldoc in $list - do - if [ -f $htmldoc ]; then - echo f none samba/$htmldoc=$htmldoc 0644 root other - fi - done - - # Create a symbolic link to the Samba book in docs/ for beginners - echo 's none samba/docs/samba_book=htmldocs/using_samba' - - echo "#\n# SWAT \n#" - cd $DISTR_BASE - list=`find swat -type d | grep -v "/CVS$"` - for i in $list - do - echo "d none samba/$i 0755 root other" - done - list=`find swat -type f | grep -v /CVS/` - for i in $list - do - echo "f none samba/$i=$i 0644 root other" - done - # add the .msg files for SWAT - echo "#\n# msg files \n#" - for file in $DISTR_BASE/source/po/*.msg ; do - bfile=`basename $file` - echo f none /usr/local/samba/lib/$bfile=source/po/$bfile - done - - echo "#\n# HTML documentation for SWAT\n#" - cd $DISTR_BASE/docs/htmldocs - for htmldoc in * - do - if [ -f $htmldoc ]; then - echo f none samba/swat/help/$htmldoc=docs/htmldocs/$htmldoc 0644 root other - fi - done - - echo "#\n# Using Samba Book files for SWAT\n#" - cd $DISTR_BASE/docs/htmldocs - -# set up a symbolic link instead of duplicating the book tree - echo 's none samba/swat/using_samba=../docs/htmldocs/using_samba' - -} - 
-if [ $# = 0 ] -then - # Try to guess the distribution base.. - CURR_DIR=`pwd` - DISTR_BASE=`echo $CURR_DIR | sed 's|\(.*\)/packaging.*|\1|'` - echo "Assuming Samba distribution is rooted at $DISTR_BASE.." -else - DISTR_BASE=$1 -fi - -# -if [ ! -d $DISTR_BASE ]; then - echo "Source build directory $DISTR_BASE does not exist." - exit 1 -fi - -# Set up the prototype file from prototype.master -if [ -f prototype ]; then - rm prototype -fi - -# Setup version from version.h -VERSION=PVERSION -sed -e "s|__VERSION__|$VERSION|" -e "s|__ARCH__|`uname -p`|" -e "s|__BASEDIR__|$INSTALL_BASE|g" pkginfo.master >pkginfo - -sed -e "s|__BASEDIR__|$INSTALL_BASE|g" inetd.conf.master >inetd.conf -sed -e "s|__BASEDIR__|$INSTALL_BASE|g" samba.server.master >samba.server - -cp prototype.master prototype - -# Add the dynamic part to the prototype file -(add_dynamic_entries >> prototype) - -# Create the package -pkgmk -o -d /tmp -b $DISTR_BASE -f prototype -if [ $? = 0 ] -then - pkgtrans /tmp samba.pkg samba -fi -echo The samba package is in /tmp diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/pkginfo.master samba-3.0.8/packaging/Solaris/pkginfo.master --- samba-3.0.8pre2/packaging/Solaris/pkginfo.master 2004-04-09 14:03:17.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/pkginfo.master 2004-11-07 14:43:25.000000000 -0600 
@@ -1,12 +1,12 @@ PKG=samba -NAME=SMB based file/printer sharing +NAME=CIFS File and Print server ARCH=__ARCH__ VERSION=__VERSION__ CATEGORY=system -VENDOR=Samba Team +VENDOR=Gerald (Jerry) Carter, Samba Team DESC=File and printer sharing for Windows workstations HOTLINE=Please contact your local UNIX support group -EMAIL=samba@samba.org +EMAIL=jerry@samba.org CLASSES=none BASEDIR=__BASEDIR__ INTONLY=1 diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/postinstall samba-3.0.8/packaging/Solaris/postinstall --- samba-3.0.8pre2/packaging/Solaris/postinstall 2004-04-09 14:03:18.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/postinstall 2004-11-07 14:43:38.000000000 -0600 @@ -9,12 +9,6 @@ ${BASEDIR}/samba/lib/smb.conf. For details on configuration, refer to the Samba man pages under ${PKG_INSTALL_ROOT}/usr/share/man and the documentation at ${BASEDIR}/samba/docs. - -BEGINNERS: -Beginners can also refer to the excellent "Using Samba" book published -by O'Reilly and Associates and officially supported by the Samba Team. -This book is supplied with this package and can be accessed at -${BASEDIR}/samba/docs/samba_book/index.html ___________________________________________________________________________ EOF diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/preremove samba-3.0.8/packaging/Solaris/preremove --- samba-3.0.8pre2/packaging/Solaris/preremove 2004-04-09 14:03:17.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/preremove 2004-11-07 14:43:24.000000000 -0600 
@@ -5,8 +5,8 @@ then SMBD=`ps -e -o pid,comm | grep smbd | awk '{print $1}'` NMBD=`ps -e -o pid,comm | grep nmbd | awk '{print $1}'` - [ ! -z "$SMBD" ] && kill $SMBD - [ ! -z "$NMBD" ] && kill $NMBD + [ ! -z "$SMBD" ] && kill -TERM $SMBD + [ ! -z "$NMBD" ] && kill -TERM $NMBD sleep 2 fi diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/packaging/Solaris/prototype.master samba-3.0.8/packaging/Solaris/prototype.master --- samba-3.0.8pre2/packaging/Solaris/prototype.master 2004-10-25 16:05:11.000000000 -0500 +++ samba-3.0.8/packaging/Solaris/prototype.master 2004-11-07 14:43:24.000000000 -0600 @@ -1,13 +1,9 @@ # -# The static master prototype file for the Samba package. -# For files that can't be dynamically added to the prototype file at -# package build time -# # Information files. # i pkginfo=./pkginfo i copyright=./copyright -i request=./request +# i request=./request i preremove=./preremove i postinstall=./postinstall i i.swat=./i.swat 
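Review bot: The PID lists passed to the changed `kill -TERM` lines in preremove come from `ps -e -o pid,comm | grep smbd` (and `grep nmbd`), a substring match, so at package removal the signal can reach any process whose command name merely contains that string. An exact-name lookup such as `SMBD=`pgrep -x smbd`` (where pgrep is available) keeps the kill scoped to the daemons. `-TERM` is already the default signal, so the edit itself changes no behaviour. The rebuilt makepkg.sh in this same diff lists winbindd among the server binaries, but nothing here stops it, and the fixed `sleep 2` does not confirm the daemons have exited before files are removed. The enclosing `if` starts outside this hunk.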
@@ -15,40 +11,33 @@ # # Stuff that goes into the system areas of the filesystem. # -d none /etc ? ? ? +d none $CONFIGDIR ? ? ? d initscript /etc/init.d ? ? ? -f initscript /etc/init.d/samba.server=packaging/Solaris/samba.server 0744 root sys +f initscript /etc/init.d/samba=scripts/samba.init 0744 root sys d initscript /etc/rc3.d ? ? ? -s initscript /etc/rc3.d/S99samba.server=../init.d/samba.server # # Stuff to set up SWAT # d swat /etc/inet ? ? ? -e swat /etc/inet/services=packaging/Solaris/services ? ? ? -e swat /etc/inet/inetd.conf=packaging/Solaris/inetd.conf ? ? ? +e swat /etc/inet/services=scripts/services ? ? ? +e swat /etc/inet/inetd.conf=scripts/inetd.conf ? ? ? +# +# Create the samba subtree. # -# Create the samba subtree. (Usually /usr/local/samba ) +d none $DOCDIR 755 root other +d none $CONFIGDIR 755 root sys +d none $PRIVATE_DIR 700 root sys +d none $SBINDIR 0755 root other +d none $BINDIR 0755 root other +d none $LIBDIR 0755 root other +d none $LIBDIR/charset 0755 root other +d none $LIBDIR/vfs 0755 root other +d none include 0755 root other +d none $SWATDIR 0755 root other +d none $LOGFILEBASE 0755 root other +d none $PIDDIR 0755 root other # -d none samba 0755 root other -d none samba/var 0755 root other -d none samba/bin 0755 root other -d none samba/lib 0755 root other -d none samba/docs 0755 root other -# -# Stuff that goes into lib -# -d none samba/lib/charset 0755 root other -f none samba/lib/smb.conf.example=examples/smb.conf.default 0644 root other -d none samba/lib/regeditscripts 0755 root other -f none samba/lib/regeditscripts/NT4_PlainPassword.reg=docs/registry/NT4_PlainPassword.reg 0444 root other -f none samba/lib/regeditscripts/Win95_PlainPassword.reg=docs/registry/Win95_PlainPassword.reg 0444 root other -f none samba/lib/regeditscripts/Win98_PlainPassword.reg=docs/registry/Win98_PlainPassword.reg 0444 root other -f none samba/lib/regeditscripts/WinME_PlainPassword.reg=docs/registry/WinME_PlainPassword.reg 0444 root other -f none 
samba/lib/regeditscripts/Win2000_PlainPassword.reg=docs/registry/Win2000_PlainPassword.reg 0444 root other -f none samba/lib/regeditscripts/WinXP_PlainPassword.reg=docs/registry/WinXP_PlainPassword.reg 0444 root other # -# Random files -f none samba/docs/Samba-HOWTO-Collection.pdf=docs/Samba-HOWTO-Collection.pdf 0644 root other +f none $CONFIGDIR/smb.conf.default=scripts/smb.conf.default 0644 root other # -# Static part of prototype file ends. # diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/REVISION samba-3.0.8/REVISION --- samba-3.0.8pre2/REVISION 2004-10-26 09:25:03.000000000 -0500 +++ samba-3.0.8/REVISION 2004-11-07 22:08:12.736335000 -0600 @@ -1,11 +1,11 @@ Path: . URL: svn+ssh://svn.samba.org/home/svn/samba/branches/SAMBA_3_0_RELEASE Repository UUID: 0c0555d6-39d7-0310-84fc-f1cc0bd64818 -Revision: 3265 +Revision: 3615 Node Kind: directory Schedule: normal Last Changed Author: jerry -Last Changed Rev: 3265 -Last Changed Date: 2004-10-26 09:23:39 -0500 (Tue, 26 Oct 2004) -Properties Last Updated: 2004-10-25 16:05:12 -0500 (Mon, 25 Oct 2004) +Last Changed Rev: 3614 +Last Changed Date: 2004-11-07 21:44:13 -0600 (Sun, 07 Nov 2004) +Properties Last Updated: 2004-11-07 14:43:38 -0600 (Sun, 07 Nov 2004) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/client/client.c samba-3.0.8/source/client/client.c --- samba-3.0.8pre2/source/client/client.c 2004-10-25 16:05:11.000000000 -0500 +++ samba-3.0.8/source/client/client.c 2004-11-07 14:43:24.000000000 -0600 @@ -701,7 +701,7 @@ return 1; } - DEBUG(2,("getting file %s of size %.0f as %s ", + DEBUG(1,("getting file %s of size %.0f as %s ", rname, (double)size, lname)); if(!(data = (char *)malloc(read_size))) { 
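Review bot: The new directory entries in prototype.master give explicit mode and ownership to paths that may be shared system directories: `d none $PIDDIR 0755 root other` and `d none $LOGFILEBASE 0755 root other` are filled from `smbd -b`, and with the configure flags in makepkg.sh `$PIDDIR` presumably resolves to /var/run. For directories the package does not own, the `? ? ?` form already used for /etc/init.d leaves existing attributes alone, e.g. `d none $PIDDIR ? ? ?`. `$CONFIGDIR` is also declared twice with conflicting attributes (`? ? ?` near the top and `755 root sys` in the subtree list), so one of the two should be dropped. The `S99samba.server` rc3.d link is removed without a replacement for the renamed `/etc/init.d/samba`; if that is deliberate, a comment saying so would help.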
@@ -758,7 +758,7 @@ get_total_time_ms += this_time; get_total_size += nread; - DEBUG(2,("(%3.1f kb/s) (average %3.1f kb/s)\n", + DEBUG(1,("(%3.1f kb/s) (average %3.1f kb/s)\n", nread / (1.024*this_time + 1.0e-4), get_total_size / (1.024*get_total_time_ms))); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/client/smbspool.c samba-3.0.8/source/client/smbspool.c --- samba-3.0.8pre2/source/client/smbspool.c 2004-10-25 16:05:11.000000000 -0500 +++ samba-3.0.8/source/client/smbspool.c 2004-11-07 14:43:24.000000000 -0600 @@ -118,13 +118,13 @@ * Find the URI... */ - if (strncmp(argv[0], "smb://", 6) == 0) - strncpy(uri, argv[0], sizeof(uri) - 1); - else if (getenv("DEVICE_URI") != NULL) + if (getenv("DEVICE_URI") != NULL) strncpy(uri, getenv("DEVICE_URI"), sizeof(uri) - 1); + else if (strncmp(argv[0], "smb://", 6) == 0) + strncpy(uri, argv[0], sizeof(uri) - 1); else { - fputs("ERROR: No device URI found in argv[0] or DEVICE_URI environment variable!\n", stderr); + fputs("ERROR: No device URI found in DEVICE_URI environment variable or argv[0] !\n", stderr); return (1); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/configure samba-3.0.8/source/configure --- samba-3.0.8pre2/source/configure 2004-10-26 09:26:28.000000000 -0500 +++ samba-3.0.8/source/configure 2004-11-07 22:09:03.714488210 -0600 @@ -3907,7 +3907,7 @@ _ACEOF case `uname -r` in - 5.0*|5.1*|5.2*|5.3*|5.5*) + 5.0|5.0.*|5.1|5.1.*|5.2|5.2.*|5.3|5.3.*|5.5|5.5.*) echo "$as_me:$LINENO: result: no large file support" >&5 echo "${ECHO_T}no large file support" >&6 ;; @@ -5389,8 +5389,7 @@ - -for ac_header in unistd.h utime.h grp.h sys/id.h limits.h memory.h net/if.h +for ac_header in unistd.h utime.h grp.h sys/id.h limits.h memory.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if eval "test \"\${$as_ac_Header+set}\" = set"; then 
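Review bot: Both `strncpy(uri, ..., sizeof(uri) - 1)` calls in the reordered smbspool.c URI lookup leave `uri` without a terminating NUL when the source is that long or longer, unless the buffer was zeroed earlier, which this hunk does not show. Since `DEVICE_URI` is now the preferred source and comes from the environment, add `uri[sizeof(uri) - 1] = '\0';` after the copy, or reject an over-long value instead of parsing a silently truncated URI. `getenv("DEVICE_URI")` is also evaluated twice; storing the result in a local would make the test and the copy use the same pointer. The enclosing function begins and ends outside the hunk.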
@@ -6318,8 +6317,7 @@ - -for ac_header in sys/sysmacros.h security/pam_modules.h security/_pam_macros.h dlfcn.h +for ac_header in sys/sysmacros.h security/_pam_macros.h dlfcn.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if eval "test \"\${$as_ac_Header+set}\" = set"; then @@ -7297,8 +7295,7 @@ - -for ac_header in shadow.h netinet/ip.h netinet/tcp.h netinet/in_systm.h netinet/in_ip.h +for ac_header in shadow.h netinet/tcp.h netinet/in_systm.h netinet/in_ip.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if eval "test \"\${$as_ac_Header+set}\" = set"; then @@ -7453,8 +7450,7 @@ - -for ac_header in nss.h nss_common.h nsswitch.h ns_api.h sys/security.h security/pam_appl.h security/pam_modules.h +for ac_header in nss.h nss_common.h nsswitch.h ns_api.h sys/security.h security/pam_appl.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if eval "test \"\${$as_ac_Header+set}\" = set"; then 
@@ -8061,6 +8057,64 @@ done +# These faile to compile on Solaris so just check for their presence + + + +for ac_header in security/pam_modules.h net/if.h netinet/ip.h +do +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 +if eval "test \"\${$as_ac_Header+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + ac_cpp_err=$ac_cpp_err$ac_c_werror_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + eval "$as_ac_Header=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi +rm -f conftest.err conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +if test `eval echo '${'$as_ac_Header'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + # For experimental utmp support (lastlog on some BSD-like systems) 
@@ -28021,6 +28075,44 @@ # Do no harm to the values of CFLAGS and LIBS while testing for # Kerberos support. + if test x$FOUND_KRB5 = x"no"; then + ################################################# + # check for location of Kerberos 5 install + echo "$as_me:$LINENO: checking for kerberos 5 install path" >&5 +echo $ECHO_N "checking for kerberos 5 install path... $ECHO_C" >&6 + +# Check whether --with-krb5 or --without-krb5 was given. +if test "${with_krb5+set}" = set; then + withval="$with_krb5" + case "$withval" in + no) + echo "$as_me:$LINENO: result: no krb5-path given" >&5 +echo "${ECHO_T}no krb5-path given" >&6 + ;; + yes) + echo "$as_me:$LINENO: result: /usr" >&5 +echo "${ECHO_T}/usr" >&6 + FOUND_KRB5=yes + ;; + *) + echo "$as_me:$LINENO: result: $withval" >&5 +echo "${ECHO_T}$withval" >&6 + KRB5_CFLAGS="-I$withval/include" + KRB5_CPPFLAGS="-I$withval/include" + KRB5_LDFLAGS="-L$withval/lib" + FOUND_KRB5=yes + if test -x "$withval/bin/krb5-config"; then + KRB5_CONFIG=$withval/bin/krb5-config + fi + ;; + esac +else + echo "$as_me:$LINENO: result: no krb5-path given" >&5 +echo "${ECHO_T}no krb5-path given" >&6 + +fi; + fi + ################################################# # check for krb5-config from recent MIT and Heimdal kerberos 5 # Extract the first word of "krb5-config", so it can be a program name with args. @@ -28070,6 +28162,7 @@ ac_save_LDFLAGS=$LDFLAGS LDFLAGS="";export LDFLAGS KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`" + KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`" KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" CFLAGS=$ac_save_CFLAGS;export CFLAGS 
@@ -28084,41 +28177,6 @@ if test x$FOUND_KRB5 = x"no"; then ################################################# - # check for location of Kerberos 5 install - echo "$as_me:$LINENO: checking for kerberos 5 install path" >&5 -echo $ECHO_N "checking for kerberos 5 install path... $ECHO_C" >&6 - -# Check whether --with-krb5 or --without-krb5 was given. -if test "${with_krb5+set}" = set; then - withval="$with_krb5" - case "$withval" in - no) - echo "$as_me:$LINENO: result: no krb5-path given" >&5 -echo "${ECHO_T}no krb5-path given" >&6 - ;; - yes) - echo "$as_me:$LINENO: result: /usr" >&5 -echo "${ECHO_T}/usr" >&6 - FOUND_KRB5=yes - ;; - *) - echo "$as_me:$LINENO: result: $withval" >&5 -echo "${ECHO_T}$withval" >&6 - KRB5_CFLAGS="-I$withval/include" - KRB5_CPPFLAGS="-I$withval/include" - KRB5_LDFLAGS="-L$withval/lib" - FOUND_KRB5=yes - ;; - esac -else - echo "$as_me:$LINENO: result: no krb5-path given" >&5 -echo "${ECHO_T}no krb5-path given" >&6 - -fi; - fi - - if test x$FOUND_KRB5 = x"no"; then - ################################################# # see if this box has the SuSE location for the heimdal krb implementation echo "$as_me:$LINENO: checking for /usr/include/heimdal" >&5 echo $ECHO_N "checking for /usr/include/heimdal... $ECHO_C" >&6 @@ -28162,9 +28220,9 @@ ac_save_CPPFLAGS=$CPPFLAGS ac_save_LDFLAGS=$LDFLAGS - CFLAGS="$CFLAGS $KRB5_CFLAGS" - CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS" - LDFLAGS="$LDFLAGS $KRB5_LDFLAGS" + CFLAGS="$KRB5_CFLAGS $CFLAGS" + CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS" + LDFLAGS="$KRB5_LDFLAGS $LDFLAGS" KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS" 
@@ -31472,7 +31530,276 @@ fi - LIBS="$LIBS $KRB5_LIBS" + + + ac_check_func_ext_save_LIBS=$LIBS + LIBS="$KRB5_LIBS $LIBS" + echo "$as_me:$LINENO: checking for krb5_c_enctype_compare" >&5 +echo $ECHO_N "checking for krb5_c_enctype_compare... $ECHO_C" >&6 +if test "${ac_cv_func_ext_krb5_c_enctype_compare+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define krb5_c_enctype_compare to an innocuous variant, in case declares krb5_c_enctype_compare. + For example, HP-UX 11i declares gettimeofday. */ +#define krb5_c_enctype_compare innocuous_krb5_c_enctype_compare + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char krb5_c_enctype_compare (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef krb5_c_enctype_compare + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_c_enctype_compare (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_krb5_c_enctype_compare) || defined (__stub___krb5_c_enctype_compare) +choke me +#else +char (*f) () = krb5_c_enctype_compare; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != krb5_c_enctype_compare; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_ext_krb5_c_enctype_compare=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_ext_krb5_c_enctype_compare=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_ext_krb5_c_enctype_compare" >&5 +echo "${ECHO_T}$ac_cv_func_ext_krb5_c_enctype_compare" >&6 + LIBS=$ac_check_func_ext_save_LIBS + if test $ac_cv_func_ext_krb5_c_enctype_compare = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_C_ENCTYPE_COMPARE 1 +_ACEOF + +fi + + + + + ac_check_func_ext_save_LIBS=$LIBS + LIBS="$KRB5_LIBS $LIBS" + echo "$as_me:$LINENO: checking for krb5_enctypes_compatible_keys" >&5 +echo $ECHO_N "checking for krb5_enctypes_compatible_keys... $ECHO_C" >&6 +if test "${ac_cv_func_ext_krb5_enctypes_compatible_keys+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define krb5_enctypes_compatible_keys to an innocuous variant, in case declares krb5_enctypes_compatible_keys. + For example, HP-UX 11i declares gettimeofday. 
*/ +#define krb5_enctypes_compatible_keys innocuous_krb5_enctypes_compatible_keys + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char krb5_enctypes_compatible_keys (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef krb5_enctypes_compatible_keys + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_enctypes_compatible_keys (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_krb5_enctypes_compatible_keys) || defined (__stub___krb5_enctypes_compatible_keys) +choke me +#else +char (*f) () = krb5_enctypes_compatible_keys; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != krb5_enctypes_compatible_keys; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_ext_krb5_enctypes_compatible_keys=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_func_ext_krb5_enctypes_compatible_keys=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_ext_krb5_enctypes_compatible_keys" >&5 +echo "${ECHO_T}$ac_cv_func_ext_krb5_enctypes_compatible_keys" >&6 + LIBS=$ac_check_func_ext_save_LIBS + if test $ac_cv_func_ext_krb5_enctypes_compatible_keys = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS 1 +_ACEOF + +fi + + + LIBS="$KRB5_LIBS $LIBS" + + echo "$as_me:$LINENO: checking for krb5_encrypt_block type" >&5 +echo $ECHO_N "checking for krb5_encrypt_block type... $ECHO_C" >&6 +if test "${samba_cv_HAVE_KRB5_ENCRYPT_BLOCK+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +krb5_encrypt_block block; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $samba_cv_HAVE_KRB5_ENCRYPT_BLOCK" >&5 +echo "${ECHO_T}$samba_cv_HAVE_KRB5_ENCRYPT_BLOCK" >&6 + + if test x"$samba_cv_HAVE_KRB5_ENCRYPT_BLOCK" = x"yes"; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_ENCRYPT_BLOCK 1 +_ACEOF + + fi echo "$as_me:$LINENO: checking for addrtype in krb5_address" >&5 echo $ECHO_N "checking for addrtype in krb5_address... $ECHO_C" >&6 
@@ -31662,6 +31989,132 @@ fi + echo "$as_me:$LINENO: checking for keyblock in krb5_creds" >&5 +echo $ECHO_N "checking for keyblock in krb5_creds... $ECHO_C" >&6 +if test "${samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +krb5_creds creds; krb5_keyblock kb; creds.keyblock = kb; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS" >&5 +echo "${ECHO_T}$samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS" >&6 + + if test x"$samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS" = x"yes"; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_KEYBLOCK_IN_CREDS 1 +_ACEOF + + fi + + echo "$as_me:$LINENO: checking for session in krb5_creds" >&5 +echo $ECHO_N "checking for session in krb5_creds... 
$ECHO_C" >&6 +if test "${samba_cv_HAVE_KRB5_SESSION_IN_CREDS+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ +krb5_creds creds; krb5_keyblock kb; creds.session = kb; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + samba_cv_HAVE_KRB5_SESSION_IN_CREDS=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +samba_cv_HAVE_KRB5_SESSION_IN_CREDS=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $samba_cv_HAVE_KRB5_SESSION_IN_CREDS" >&5 +echo "${ECHO_T}$samba_cv_HAVE_KRB5_SESSION_IN_CREDS" >&6 + + if test x"$samba_cv_HAVE_KRB5_SESSION_IN_CREDS" = x"yes"; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_SESSION_IN_CREDS 1 +_ACEOF + + fi + echo "$as_me:$LINENO: checking for keyvalue in krb5_keyblock" >&5 echo $ECHO_N "checking for keyvalue in krb5_keyblock... 
$ECHO_C" >&6 if test "${samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE+set}" = set; then diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/configure.in samba-3.0.8/source/configure.in --- samba-3.0.8pre2/source/configure.in 2004-10-25 16:05:07.000000000 -0500 +++ samba-3.0.8/source/configure.in 2004-11-07 14:43:24.000000000 -0600 @@ -460,7 +460,7 @@ *solaris*) AC_DEFINE(SYSV, 1, [Whether to enable System V compatibility]) case `uname -r` in - 5.0*|5.1*|5.2*|5.3*|5.5*) + 5.0|5.0.*|5.1|5.1.*|5.2|5.2.*|5.3|5.3.*|5.5|5.5.*) AC_MSG_RESULT([no large file support]) ;; 5.*) @@ -654,13 +654,13 @@ AC_HEADER_TIME AC_HEADER_SYS_WAIT AC_CHECK_HEADERS(arpa/inet.h sys/fcntl.h sys/select.h fcntl.h sys/time.h sys/unistd.h) -AC_CHECK_HEADERS(unistd.h utime.h grp.h sys/id.h limits.h memory.h net/if.h) +AC_CHECK_HEADERS(unistd.h utime.h grp.h sys/id.h limits.h memory.h) AC_CHECK_HEADERS(rpc/rpc.h rpcsvc/nis.h rpcsvc/yp_prot.h rpcsvc/ypclnt.h) AC_CHECK_HEADERS(sys/param.h ctype.h sys/wait.h sys/resource.h sys/ioctl.h sys/ipc.h sys/mode.h) AC_CHECK_HEADERS(sys/mman.h sys/filio.h sys/priv.h sys/shm.h string.h strings.h stdlib.h sys/socket.h) AC_CHECK_HEADERS(sys/mount.h sys/vfs.h sys/fs/s5param.h sys/filsys.h termios.h termio.h) AC_CHECK_HEADERS(sys/termio.h sys/statfs.h sys/dustat.h sys/statvfs.h stdarg.h sys/sockio.h) -AC_CHECK_HEADERS(sys/sysmacros.h security/pam_modules.h security/_pam_macros.h dlfcn.h) +AC_CHECK_HEADERS(sys/sysmacros.h security/_pam_macros.h dlfcn.h) AC_CHECK_HEADERS(sys/syslog.h syslog.h execinfo.h) AC_CHECK_HEADERS(langinfo.h locale.h) 
@@ -687,11 +687,13 @@ fi ;; esac -AC_CHECK_HEADERS(shadow.h netinet/ip.h netinet/tcp.h netinet/in_systm.h netinet/in_ip.h) -AC_CHECK_HEADERS(nss.h nss_common.h nsswitch.h ns_api.h sys/security.h security/pam_appl.h security/pam_modules.h) +AC_CHECK_HEADERS(shadow.h netinet/tcp.h netinet/in_systm.h netinet/in_ip.h) +AC_CHECK_HEADERS(nss.h nss_common.h nsswitch.h ns_api.h sys/security.h security/pam_appl.h) AC_CHECK_HEADERS(stropts.h poll.h) AC_CHECK_HEADERS(sys/capability.h syscall.h sys/syscall.h) AC_CHECK_HEADERS(sys/acl.h sys/attributes.h attr/xattr.h sys/xattr.h sys/cdefs.h glob.h) +# These faile to compile on Solaris so just check for their presence +AC_CHECK_HEADERS(security/pam_modules.h net/if.h netinet/ip.h, [], [], -) # For experimental utmp support (lastlog on some BSD-like systems) AC_CHECK_HEADERS(utmp.h utmpx.h lastlog.h) @@ -2613,27 +2615,7 @@ # Do no harm to the values of CFLAGS and LIBS while testing for # Kerberos support. - - ################################################# - # check for krb5-config from recent MIT and Heimdal kerberos 5 - AC_PATH_PROG(KRB5_CONFIG, krb5-config) - AC_MSG_CHECKING(for working krb5-config) - if test -x "$KRB5_CONFIG"; then - ac_save_CFLAGS=$CFLAGS - CFLAGS="";export CFLAGS - ac_save_LDFLAGS=$LDFLAGS - LDFLAGS="";export LDFLAGS - KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`" - KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" - KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" - CFLAGS=$ac_save_CFLAGS;export CFLAGS - LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS - FOUND_KRB5=yes - AC_MSG_RESULT(yes) - else - AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy) - fi - + if test x$FOUND_KRB5 = x"no"; then ################################################# # check for location of Kerberos 5 install 
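Review bot: The comment added above `AC_CHECK_HEADERS(security/pam_modules.h net/if.h netinet/ip.h, [], [], -)` has a typo ("faile") and does not explain the trailing `-`. Suggested wording: `# These fail to compile on their own on Solaris; the "-" includes argument makes autoconf test for presence with the preprocessor only`. A `HAVE_*` macro set this way only says the header exists, so code that includes these headers presumably still has to pull in their prerequisites first.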
@@ -2654,12 +2636,36 @@ KRB5_CPPFLAGS="-I$withval/include" KRB5_LDFLAGS="-L$withval/lib" FOUND_KRB5=yes + if test -x "$withval/bin/krb5-config"; then + KRB5_CONFIG=$withval/bin/krb5-config + fi ;; esac ], AC_MSG_RESULT(no krb5-path given) ) fi + ################################################# + # check for krb5-config from recent MIT and Heimdal kerberos 5 + AC_PATH_PROG(KRB5_CONFIG, krb5-config) + AC_MSG_CHECKING(for working krb5-config) + if test -x "$KRB5_CONFIG"; then + ac_save_CFLAGS=$CFLAGS + CFLAGS="";export CFLAGS + ac_save_LDFLAGS=$LDFLAGS + LDFLAGS="";export LDFLAGS + KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`" + KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`" + KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" + KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" + CFLAGS=$ac_save_CFLAGS;export CFLAGS + LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS + FOUND_KRB5=yes + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy) + fi + if test x$FOUND_KRB5 = x"no"; then ################################################# # see if this box has the SuSE location for the heimdal krb implementation @@ -2698,9 +2704,9 @@ ac_save_CPPFLAGS=$CPPFLAGS ac_save_LDFLAGS=$LDFLAGS - CFLAGS="$CFLAGS $KRB5_CFLAGS" - CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS" - LDFLAGS="$LDFLAGS $KRB5_LDFLAGS" + CFLAGS="$KRB5_CFLAGS $CFLAGS" + CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS" + LDFLAGS="$KRB5_LDFLAGS $LDFLAGS" KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS" 
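Review bot: The krb5-config block that now follows the `--with-krb5` handling is not guarded by `FOUND_KRB5`. When `--with-krb5=DIR` is given and `DIR/bin/krb5-config` is missing, `AC_PATH_PROG(KRB5_CONFIG, krb5-config)` can still find a krb5-config on PATH and overwrite the `KRB5_CFLAGS`, `KRB5_CPPFLAGS` and `KRB5_LDFLAGS` just derived from DIR. The build would then quietly use a different Kerberos installation than the one requested. Consider doing the PATH lookup only when nothing was selected, for example `if test x"$FOUND_KRB5" = x"no"; then AC_PATH_PROG(KRB5_CONFIG, krb5-config) fi`, and quoting `"$KRB5_CONFIG"` where it is executed. The `--with-krb5` case statement begins outside this hunk.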
@@ -2784,9 +2790,23 @@ AC_CHECK_FUNC_EXT(krb5_free_keytab_entry_contents, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_kt_free_entry, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS) - LIBS="$LIBS $KRB5_LIBS" + LIBS="$KRB5_LIBS $LIBS" + AC_CACHE_CHECK([for krb5_encrypt_block type], + samba_cv_HAVE_KRB5_ENCRYPT_BLOCK,[ + AC_TRY_COMPILE([#include ], + [krb5_encrypt_block block;], + samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=yes, + samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=no)]) + + if test x"$samba_cv_HAVE_KRB5_ENCRYPT_BLOCK" = x"yes"; then + AC_DEFINE(HAVE_KRB5_ENCRYPT_BLOCK,1, + [Whether the type krb5_encrypt_block exists]) + fi + AC_CACHE_CHECK([for addrtype in krb5_address], samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[ AC_TRY_COMPILE([#include ], 
@@ -2822,6 +2842,30 @@ [Whether the krb5_ticket struct has a enc_part2 property]) fi + AC_CACHE_CHECK([for keyblock in krb5_creds], + samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS,[ + AC_TRY_COMPILE([#include ], + [krb5_creds creds; krb5_keyblock kb; creds.keyblock = kb;], + samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=yes, + samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=no)]) + + if test x"$samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS" = x"yes"; then + AC_DEFINE(HAVE_KRB5_KEYBLOCK_IN_CREDS,1, + [Whether the krb5_creds struct has a keyblock property]) + fi + + AC_CACHE_CHECK([for session in krb5_creds], + samba_cv_HAVE_KRB5_SESSION_IN_CREDS,[ + AC_TRY_COMPILE([#include ], + [krb5_creds creds; krb5_keyblock kb; creds.session = kb;], + samba_cv_HAVE_KRB5_SESSION_IN_CREDS=yes, + samba_cv_HAVE_KRB5_SESSION_IN_CREDS=no)]) + + if test x"$samba_cv_HAVE_KRB5_SESSION_IN_CREDS" = x"yes"; then + AC_DEFINE(HAVE_KRB5_SESSION_IN_CREDS,1, + [Whether the krb5_creds struct has a session property]) + fi + AC_CACHE_CHECK([for keyvalue in krb5_keyblock], samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE,[ AC_TRY_COMPILE([#include ], diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/groupdb/mapping.c samba-3.0.8/source/groupdb/mapping.c --- samba-3.0.8pre2/source/groupdb/mapping.c 2004-10-25 16:04:58.000000000 -0500 +++ samba-3.0.8/source/groupdb/mapping.c 2004-11-07 14:43:23.000000000 -0600 @@ -135,11 +135,10 @@ static BOOL init_group_mapping(void) { - static pid_t local_pid; const char *vstring = "INFO/version"; int32 vers_id; - if (tdb && local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { 
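Review bot: With the `local_pid == sys_getpid()` test removed in init_group_mapping(), `if (tdb) return True;` lets a process that inherited `tdb` across fork() keep using the parent's open handle instead of reopening group_mapping.tdb. That is only safe if child processes reopen their tdb handles somewhere else, which this hunk does not show. A comment stating the assumption would help, e.g. `/* no per-pid check: tdb handles are expected to be reopened after fork elsewhere */`. The same removal is made in init_account_policy() in source/lib/account_pol.c, and init_group_mapping() continues past this hunk.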
@@ -147,8 +146,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring, 0); diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/include/config.h.in samba-3.0.8/source/include/config.h.in --- samba-3.0.8pre2/source/include/config.h.in 2004-10-26 09:26:24.000000000 -0500 +++ samba-3.0.8/source/include/config.h.in 2004-11-07 22:08:59.467142004 -0600 @@ -461,9 +461,18 @@ /* Define to 1 if you have the `krb5_auth_con_setuseruserkey' function. */ #undef HAVE_KRB5_AUTH_CON_SETUSERUSERKEY +/* Define to 1 if you have the `krb5_c_enctype_compare' function. */ +#undef HAVE_KRB5_C_ENCTYPE_COMPARE + +/* Whether the type krb5_encrypt_block exists */ +#undef HAVE_KRB5_ENCRYPT_BLOCK + /* Define to 1 if you have the `krb5_encrypt_data' function. */ #undef HAVE_KRB5_ENCRYPT_DATA +/* Define to 1 if you have the `krb5_enctypes_compatible_keys' function. */ +#undef HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS + /* Define to 1 if you have the `krb5_free_data_contents' function. */ #undef HAVE_KRB5_FREE_DATA_CONTENTS @@ -488,6 +497,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_KRB5_H +/* Whether the krb5_creds struct has a keyblock property */ +#undef HAVE_KRB5_KEYBLOCK_IN_CREDS + /* Whether the krb5_keyblock struct has a keyvalue property */ #undef HAVE_KRB5_KEYBLOCK_KEYVALUE @@ -521,6 +533,9 @@ /* Whether krb5_princ_component is available */ #undef HAVE_KRB5_PRINC_COMPONENT +/* Whether the krb5_creds struct has a session property */ +#undef HAVE_KRB5_SESSION_IN_CREDS + /* Define to 1 if you have the `krb5_set_default_in_tkt_etypes' function. */ #undef HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/include/includes.h samba-3.0.8/source/include/includes.h --- samba-3.0.8pre2/source/include/includes.h 2004-10-25 16:05:06.000000000 -0500 +++ samba-3.0.8/source/include/includes.h 2004-11-07 14:43:23.000000000 -0600 
@@ -455,13 +455,9 @@ #if HAVE_GSSAPI_H #include -#endif - -#if HAVE_GSSAPI_GSSAPI_H +#elif HAVE_GSSAPI_GSSAPI_H #include -#endif - -#if HAVE_GSSAPI_GSSAPI_GENERIC_H +#elif HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif @@ -1340,6 +1336,7 @@ /* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); +int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); @@ -1347,6 +1344,10 @@ void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes); BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote); krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); +krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); +void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); +BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); +void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); #endif /* HAVE_KRB5 */ diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/include/secrets.h samba-3.0.8/source/include/secrets.h --- samba-3.0.8pre2/source/include/secrets.h 2004-10-25 16:05:07.000000000 -0500 +++ samba-3.0.8/source/include/secrets.h 2004-11-07 14:43:23.000000000 -0600 
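Review bot: In the last includes.h hunk, `kerberos_fetch_salt_princ_for_host_princ()` and `kerberos_set_creds_enctype()` declare `int enctype`, while `kerberos_compatible_enctypes()` beside them and the `create_kerberos_key_from_string*()` prototypes use `krb5_enctype`. Declaring `krb5_enctype enctype` throughout keeps the wrapper API consistent and avoids implicit conversions at call sites. The salt lookup prototype could also carry a one-line comment that the caller frees the returned principal, as the comment on its definition in libads/kerberos.c says.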
@@ -32,6 +32,9 @@ /* this one is for storing trusted domain account password */ #define SECRETS_DOMTRUST_ACCT_PASS "SECRETS/$DOMTRUST.ACC" +/* Store the principal name used for Kerberos DES key salt under this key name. */ +#define SECRETS_SALTING_PRINCIPAL "SECRETS/SALTING_PRINCIPAL" + /* The domain sid and our sid are stored here even though they aren't really secret. */ #define SECRETS_DOMAIN_SID "SECRETS/SID" diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/include/version.h samba-3.0.8/source/include/version.h --- samba-3.0.8pre2/source/include/version.h 2004-10-26 09:26:06.000000000 -0500 +++ samba-3.0.8/source/include/version.h 2004-11-07 22:08:41.502907266 -0600 @@ -2,6 +2,5 @@ #define SAMBA_VERSION_MAJOR 3 #define SAMBA_VERSION_MINOR 0 #define SAMBA_VERSION_RELEASE 8 -#define SAMBA_VERSION_PRE_RELEASE 2 -#define SAMBA_VERSION_OFFICIAL_STRING "3.0.8pre2" +#define SAMBA_VERSION_OFFICIAL_STRING "3.0.8" #define SAMBA_VERSION_STRING samba_version_string() diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/lib/account_pol.c samba-3.0.8/source/lib/account_pol.c --- samba-3.0.8pre2/source/lib/account_pol.c 2004-10-25 16:04:59.000000000 -0500 +++ samba-3.0.8/source/lib/account_pol.c 2004-11-07 14:43:23.000000000 -0600 @@ -30,11 +30,10 @@ BOOL init_account_policy(void) { - static pid_t local_pid; const char *vstring = "INFO/version"; uint32 version; - if (tdb && local_pid == sys_getpid()) + if (tdb) return True; tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { 
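Review bot: The comment on `SECRETS_SALTING_PRINCIPAL` in secrets.h describes it as the key name for the "Kerberos DES key salt", but the lookup added in libads/kerberos.c builds the key as `"%s/%s/enctype=%d"`, so the macro is a prefix and the entry is per service and per enctype. A more accurate comment would be `/* Prefix for the stored Kerberos salting principal; full key is PREFIX/<service>/enctype=<n>. */`. Anyone auditing or cleaning up secrets.tdb entries needs to know the real key shape.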
@@ -42,8 +41,6 @@ return False; } - local_pid = sys_getpid(); - /* handle a Samba upgrade */ tdb_lock_bystring(tdb, vstring,0); if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) { diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/kerberos.c samba-3.0.8/source/libads/kerberos.c --- samba-3.0.8pre2/source/libads/kerberos.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/kerberos.c 2004-11-07 14:43:24.000000000 -0600 @@ -3,8 +3,9 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - - + Copyright (C) Nalin Dahyabhai 2004. + Copyright (C) Jeremy Allison 2004. + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -24,6 +25,8 @@ #ifdef HAVE_KRB5 +#define LIBADS_CCACHE_NAME "MEMORY:libads" + /* we use a prompter to avoid a crash bug in the kerberos libs when dealing with empty passwords @@ -38,7 +41,7 @@ { if (num_prompts == 0) return 0; - memset(prompts[0].reply->data, 0, prompts[0].reply->length); + memset(prompts[0].reply->data, '\0', prompts[0].reply->length); if (prompts[0].reply->length > 0) { if (data) { strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1); @@ -51,10 +54,15 @@ } /* - simulate a kinit, putting the tgt in the default cache location + simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL + place in default cache location. remus@snapserver.com */ -int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time) +int kerberos_kinit_password(const char *principal, + const char *password, + int time_offset, + time_t *expire_time, + const char *cache_name) { krb5_context ctx = NULL; krb5_error_code code = 0; 
@@ -69,7 +77,8 @@ krb5_set_real_time(ctx, time(NULL) + time_offset, 0); } - if ((code = krb5_cc_default(ctx, &cc))) { + if ((code = krb5_cc_resolve(ctx, cache_name ? + cache_name : krb5_cc_default_name(ctx), &cc))) { krb5_free_context(ctx); return code; } @@ -129,7 +138,8 @@ return KRB5_LIBOS_CANTREADPWD; } - ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire); + ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, + &ads->auth.expire, NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
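Review bot: The replacement for `krb5_cc_default()` passes the result of `krb5_cc_default_name(ctx)` straight into `krb5_cc_resolve()` when `cache_name` is NULL, and `krb5_cc_default_name()` can return NULL on failure. The old call reported that case through its error code. Keeping the library's own default path avoids the unchecked pointer: `if ((code = cache_name ? krb5_cc_resolve(ctx, cache_name, &cc) : krb5_cc_default(ctx, &cc))) {`. kerberos_kinit_password() starts and ends outside this hunk.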
@@ -174,4 +184,580 @@ return code; } +/************************************************************************ + Routine to fetch the salting principal for a service. Active + Directory may use a non-obvious principal name to generate the salt + when it determines the key to use for encrypting tickets for a service, + and hopefully we detected that when we joined the domain. + ************************************************************************/ + +static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype) +{ + char *key = NULL; + char *ret = NULL; + + asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, service, enctype); + if (!key) { + return NULL; + } + ret = (char *)secrets_fetch(key, NULL); + SAFE_FREE(key); + return ret; +} + +/************************************************************************ + Routine to get the salting principal for this service. Active + Directory may use a non-obvious principal name to generate the salt + when it determines the key to use for encrypting tickets for a service, + and hopefully we detected that when we joined the domain. + Caller must free if return is not null. 
+ ************************************************************************/ + +krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, + krb5_principal host_princ, + int enctype) +{ + char *unparsed_name = NULL, *salt_princ_s = NULL; + krb5_principal ret_princ = NULL; + + if (krb5_unparse_name(context, host_princ, &unparsed_name) != 0) { + return (krb5_principal)NULL; + } + + if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) { + krb5_free_unparsed_name(context, unparsed_name); + return (krb5_principal)NULL; + } + + if (krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) { + krb5_free_unparsed_name(context, unparsed_name); + SAFE_FREE(salt_princ_s); + return (krb5_principal)NULL; + } + krb5_free_unparsed_name(context, unparsed_name); + SAFE_FREE(salt_princ_s); + return ret_princ; +} + +/************************************************************************ + Routine to set the salting principal for this service. Active + Directory may use a non-obvious principal name to generate the salt + when it determines the key to use for encrypting tickets for a service, + and hopefully we detected that when we joined the domain. + Setting principal to NULL deletes this entry. 
+ ************************************************************************/ + + BOOL kerberos_secrets_store_salting_principal(const char *service, + int enctype, + const char *principal) +{ + char *key = NULL; + BOOL ret = False; + krb5_context context = NULL; + krb5_principal princ = NULL; + char *princ_s = NULL; + char *unparsed_name = NULL; + + krb5_init_context(&context); + if (!context) { + return False; + } + if (strchr_m(service, '@')) { + asprintf(&princ_s, "%s", service); + } else { + asprintf(&princ_s, "%s@%s", service, lp_realm()); + } + + if (krb5_parse_name(context, princ_s, &princ) != 0) { + goto out; + + } + if (krb5_unparse_name(context, princ, &unparsed_name) != 0) { + goto out; + } + + asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype); + if (!key) { + goto out; + } + + if ((principal != NULL) && (strlen(principal) > 0)) { + ret = secrets_store(key, principal, strlen(principal) + 1); + } else { + ret = secrets_delete(key); + } + + out: + + SAFE_FREE(key); + SAFE_FREE(princ_s); + + if (unparsed_name) { + krb5_free_unparsed_name(context, unparsed_name); + } + if (context) { + krb5_free_context(context); + } + + return ret; +} + +/************************************************************************ + Routine to get initial credentials as a service ticket for the local machine. + Returns a buffer initialized with krb5_mk_req_extended. 
+ ************************************************************************/ + +static krb5_error_code get_service_ticket(krb5_context ctx, + krb5_ccache ccache, + const char *service_principal, + int enctype, + krb5_data *p_outbuf) +{ + krb5_creds creds, *new_creds = NULL; + char *service_s = NULL; + char *machine_account = NULL, *password = NULL; + krb5_data in_data; + krb5_auth_context auth_context = NULL; + krb5_error_code err = 0; + + asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm()); + if (machine_account == NULL) { + goto out; + } + password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (password == NULL) { + goto out; + } + if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) { + DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n", + machine_account, + lp_realm(), + error_message(err))); + goto out; + } + + /* Ok - the above call has gotten a TGT. Now we need to get a service + ticket to ourselves. */ + + /* Set up the enctype and client and server principal fields for krb5_get_credentials. 
*/ + memset(&creds, '\0', sizeof(creds)); + kerberos_set_creds_enctype(&creds, enctype); + + if ((err = krb5_cc_get_principal(ctx, ccache, &creds.client))) { + DEBUG(3, ("get_service_ticket: krb5_cc_get_principal failed: %s\n", + error_message(err))); + goto out; + } + + if (strchr_m(service_principal, '@')) { + asprintf(&service_s, "%s", service_principal); + } else { + asprintf(&service_s, "%s@%s", service_principal, lp_realm()); + } + + if ((err = krb5_parse_name(ctx, service_s, &creds.server))) { + DEBUG(0,("get_service_ticket: krb5_parse_name %s failed: %s\n", + service_s, error_message(err))); + goto out; + } + + if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) { + DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n", + service_s, enctype, error_message(err))); + goto out; + } + + memset(&in_data, '\0', sizeof(in_data)); + if ((err = krb5_mk_req_extended(ctx, &auth_context, 0, &in_data, + new_creds, p_outbuf)) != 0) { + DEBUG(0,("get_service_ticket: krb5_mk_req_extended failed: %s\n", + error_message(err))); + goto out; + } + + out: + + if (auth_context) { + krb5_auth_con_free(ctx, auth_context); + } + if (new_creds) { + krb5_free_creds(ctx, new_creds); + } + if (creds.server) { + krb5_free_principal(ctx, creds.server); + } + if (creds.client) { + krb5_free_principal(ctx, creds.client); + } + + SAFE_FREE(service_s); + SAFE_FREE(password); + SAFE_FREE(machine_account); + return err; +} + +/************************************************************************ + Check if the machine password can be used in conjunction with the salting_principal + to generate a key which will successfully decrypt the AP_REQ already + gotten as a message to the local machine. 
+ ************************************************************************/ + +static BOOL verify_service_password(krb5_context ctx, + int enctype, + const char *salting_principal, + krb5_data *in_data) +{ + BOOL ret = False; + krb5_principal salting_kprinc = NULL; + krb5_ticket *ticket = NULL; + krb5_keyblock key; + krb5_data passdata; + char *salting_s = NULL; + char *machine_account = NULL, *password = NULL; + krb5_auth_context auth_context = NULL; + krb5_error_code err; + + memset(&passdata, '\0', sizeof(passdata)); + memset(&key, '\0', sizeof(key)); + + asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm()); + if (machine_account == NULL) { + goto out; + } + password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (password == NULL) { + goto out; + } + + if (strchr_m(salting_principal, '@')) { + asprintf(&salting_s, "%s", salting_principal); + } else { + asprintf(&salting_s, "%s@%s", salting_principal, lp_realm()); + } + + if ((err = krb5_parse_name(ctx, salting_s, &salting_kprinc))) { + DEBUG(0,("verify_service_password: krb5_parse_name %s failed: %s\n", + salting_s, error_message(err))); + goto out; + } + + passdata.length = strlen(password); + passdata.data = (char*)password; + if ((err = create_kerberos_key_from_string_direct(ctx, salting_kprinc, &passdata, &key, enctype))) { + DEBUG(0,("verify_service_password: create_kerberos_key_from_string %d failed: %s\n", + enctype, error_message(err))); + goto out; + } + + if ((err = krb5_auth_con_init(ctx, &auth_context)) != 0) { + DEBUG(0,("verify_service_password: krb5_auth_con_init failed %s\n", error_message(err))); + goto out; + } + + if ((err = krb5_auth_con_setuseruserkey(ctx, auth_context, &key)) != 0) { + DEBUG(0,("verify_service_password: krb5_auth_con_setuseruserkey failed %s\n", error_message(err))); + goto out; + } + + if (!(err = krb5_rd_req(ctx, &auth_context, in_data, NULL, NULL, NULL, &ticket))) { + DEBUG(10,("verify_service_password: decrypted message with enctype %u 
salt %s!\n", + (unsigned int)enctype, salting_s)); + ret = True; + } + + out: + + memset(&passdata, 0, sizeof(passdata)); + krb5_free_keyblock_contents(ctx, &key); + if (ticket != NULL) { + krb5_free_ticket(ctx, ticket); + } + if (salting_kprinc) { + krb5_free_principal(ctx, salting_kprinc); + } + SAFE_FREE(salting_s); + SAFE_FREE(password); + SAFE_FREE(machine_account); + return ret; +} + +/************************************************************************ + * + * From the current draft of kerberos-clarifications: + * + * It is not possible to reliably generate a user's key given a pass + * phrase without contacting the KDC, since it will not be known + * whether alternate salt or parameter values are required. + * + * And because our server has a password, we have this exact problem. We + * make multiple guesses as to which principal name provides the salt which + * the KDC is using. + * + ************************************************************************/ + +static void kerberos_derive_salting_principal_for_enctype(const char *service_principal, + krb5_context ctx, + krb5_ccache ccache, + krb5_enctype enctype, + krb5_enctype *enctypes) +{ + char *salting_principals[3] = {NULL, NULL, NULL}, *second_principal = NULL; + krb5_error_code err = 0; + krb5_data outbuf; + int i, j; + + memset(&outbuf, '\0', sizeof(outbuf)); + + /* Check that the service_principal is useful. */ + if ((service_principal == NULL) || (strlen(service_principal) == 0)) { + return; + } + + /* Generate our first guess -- the principal as-given. */ + asprintf(&salting_principals[0], "%s", service_principal); + if ((salting_principals[0] == NULL) || (strlen(salting_principals[0]) == 0)) { + return; + } + + /* Generate our second guess -- the computer's principal, as Win2k3. 
*/ + asprintf(&second_principal, "host/%s.%s", global_myname(), lp_realm()); + if (second_principal != NULL) { + strlower_m(second_principal); + asprintf(&salting_principals[1], "%s@%s", second_principal, lp_realm()); + SAFE_FREE(second_principal); + } + if ((salting_principals[1] == NULL) || (strlen(salting_principals[1]) == 0)) { + goto out; + } + + /* Generate our third guess -- the computer's principal, as Win2k. */ + asprintf(&second_principal, "HOST/%s", global_myname()); + if (second_principal != NULL) { + strlower_m(second_principal + 5); + asprintf(&salting_principals[2], "%s@%s", + second_principal, lp_realm()); + SAFE_FREE(second_principal); + } + if ((salting_principals[2] == NULL) || (strlen(salting_principals[2]) == 0)) { + goto out; + } + + /* Get a service ticket for ourselves into our memory ccache. */ + /* This will commonly fail if there is no principal by that name (and we're trying + many names). So don't print a debug 0 error. */ + + if ((err = get_service_ticket(ctx, ccache, service_principal, enctype, &outbuf)) != 0) { + DEBUG(3, ("verify_service_password: get_service_ticket failed: %s\n", + error_message(err))); + goto out; + } + + /* At this point we have a message to ourselves, salted only the KDC knows how. We + have to work out what that salting is. */ + + /* Try and find the correct salting principal. */ + for (i = 0; i < sizeof(salting_principals) / sizeof(salting_principals[i]); i++) { + if (verify_service_password(ctx, enctype, salting_principals[i], &outbuf)) { + break; + } + } + + /* If we failed to get a match, return. */ + if (i >= sizeof(salting_principals) / sizeof(salting_principals[i])) { + goto out; + } + + /* If we succeeded, store the principal for use for all enctypes which + * share the same cipher and string-to-key function. Doing this here + * allows servers which just pass a keytab to krb5_rd_req() to work + * correctly. 
*/ + for (j = 0; enctypes[j] != 0; j++) { + if (enctype != enctypes[j]) { + /* If this enctype isn't compatible with the one which + * we used, skip it. */ + + if (!kerberos_compatible_enctypes(ctx, enctypes[j], enctype)) + continue; + } + /* If the principal which gives us the proper salt is the one + * which we would normally guess, don't bother noting anything + * in the secrets tdb. */ + if (strcmp(service_principal, salting_principals[i]) != 0) { + kerberos_secrets_store_salting_principal(service_principal, + enctypes[j], + salting_principals[i]); + } + } + + out : + + kerberos_free_data_contents(ctx, &outbuf); + SAFE_FREE(salting_principals[0]); + SAFE_FREE(salting_principals[1]); + SAFE_FREE(salting_principals[2]); + SAFE_FREE(second_principal); +} + +/************************************************************************ + Go through all the possible enctypes for this principal. + ************************************************************************/ + +static void kerberos_derive_salting_principal_direct(krb5_context context, + krb5_ccache ccache, + krb5_enctype *enctypes, + char *service_principal) +{ + int i; + + /* Try for each enctype separately, because the rules are + * different for different enctypes. */ + for (i = 0; enctypes[i] != 0; i++) { + /* Delete secrets entry first. */ + kerberos_secrets_store_salting_principal(service_principal, 0, NULL); +#ifdef ENCTYPE_ARCFOUR_HMAC + if (enctypes[i] == ENCTYPE_ARCFOUR_HMAC) { + /* Of course this'll always work, so just save + * ourselves the effort. */ + continue; + } +#endif + /* Try to figure out what's going on with this + * principal. */ + kerberos_derive_salting_principal_for_enctype(service_principal, + context, + ccache, + enctypes[i], + enctypes); + } +} + +/************************************************************************ + Wrapper function for the above. 
+ ************************************************************************/ + +BOOL kerberos_derive_salting_principal(char *service_principal) +{ + krb5_context context = NULL; + krb5_enctype *enctypes = NULL; + krb5_ccache ccache = NULL; + krb5_error_code ret = 0; + + initialize_krb5_error_table(); + if ((ret = krb5_init_context(&context)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n", + error_message(ret))); + return False; + } + if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n", + error_message(ret))); + goto out; + } + + if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) { + DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n", + LIBADS_CCACHE_NAME, error_message(ret))); + goto out; + } + + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal); + + out: + if (enctypes) { + free_kerberos_etypes(context, enctypes); + } + if (ccache) { + krb5_cc_destroy(context, ccache); + } + if (context) { + krb5_free_context(context); + } + + return ret ? False : True; +} + +/************************************************************************ + Core function to try and determine what salt is being used for any keytab + keys. + ************************************************************************/ + +BOOL kerberos_derive_cifs_salting_principals(void) +{ + fstring my_fqdn; + char *service = NULL; + krb5_context context = NULL; + krb5_enctype *enctypes = NULL; + krb5_ccache ccache = NULL; + krb5_error_code ret = 0; + BOOL retval = False; + + initialize_krb5_error_table(); + if ((ret = krb5_init_context(&context)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. 
%s\n", + error_message(ret))); + return False; + } + if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n", + error_message(ret))); + goto out; + } + + if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) { + DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n", + LIBADS_CCACHE_NAME, error_message(ret))); + goto out; + } + + if (asprintf(&service, "%s$", global_myname()) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + if (asprintf(&service, "cifs/%s", global_myname()) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + if (asprintf(&service, "host/%s", global_myname()) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + name_to_fqdn(my_fqdn, global_myname()); + if (asprintf(&service, "cifs/%s", my_fqdn) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + if (asprintf(&service, "host/%s", my_fqdn) != -1) { + strlower_m(service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); + SAFE_FREE(service); + } + + retval = True; + + out: + if (enctypes) { + free_kerberos_etypes(context, enctypes); + } + if (ccache) { + krb5_cc_destroy(context, 
ccache); + } + if (context) { + krb5_free_context(context); + } + return retval; +} #endif diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/kerberos_keytab.c samba-3.0.8/source/libads/kerberos_keytab.c --- samba-3.0.8pre2/source/libads/kerberos_keytab.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/kerberos_keytab.c 2004-11-07 14:43:24.000000000 -0600 @@ -101,7 +101,34 @@ /* Construct our principal */ name_to_fqdn(my_fqdn, global_myname()); strlower_m(my_fqdn); - asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()); + + if (strchr_m(srvPrinc, '@')) { + /* It's a fully-named principal. */ + asprintf(&princ_s, "%s", srvPrinc); + } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { + /* It's the machine account, as used by smbclient clients. */ + asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()); + } else { + /* It's a normal service principal. Add the SPN now so that we + * can obtain credentials for it and double-check the salt value + * used to generate the service's keys. */ + asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()); + /* Update the directory with the SPN */ + DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s)); + if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), srvPrinc))) { + DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n")); + goto out; + } + } + + ret = get_kerberos_allowed_etypes(context,&enctypes); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret))); + goto out; + } + + /* Guess at how the KDC is salting keys for this principal. */ + kerberos_derive_salting_principal(princ_s); ret = krb5_parse_name(context, princ_s, &princ); if (ret) { 
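Review bot: In get_service_ticket the cleanup at `out:` reads `creds.server` and `creds.client`, but `creds` is only zeroed after kerberos_kinit_password() has returned, so the three earlier `goto out` paths (asprintf failure, no machine password, kinit failure) hand uninitialised pointers to krb5_free_principal(). Move `memset(&creds, '\0', sizeof(creds));` to the top of the function, before the first `goto out`. The first two of those paths also leave `err` at 0, so the caller treats an unfilled `p_outbuf` as a ticket; setting `err = ENOMEM;` and `err = KRB5_LIBOS_CANTREADPWD;` before jumping would make the failure visible. Separately, verify_service_password never calls krb5_auth_con_free() on the `auth_context` it initialises, and kerberos_secrets_store_salting_principal never frees `princ`.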
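Review bot: `srvPrinc[strlen(srvPrinc)-1] == '$'` reads one byte before the string when srvPrinc is empty; guard it with `} else if (srvPrinc[0] != '\0' && srvPrinc[strlen(srvPrinc)-1] == '$') {`, or reject an empty name before the branch. Whether an empty srvPrinc can reach this point depends on callers outside the hunk, and the function (ads_keytab_add_entry, going by its DEBUG strings) starts and ends outside it. princ_s is also passed to kerberos_derive_salting_principal() and krb5_parse_name() without checking that asprintf() succeeded.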
@@ -121,7 +148,7 @@ if (ret != KRB5_KT_END && ret != ENOENT ) { DEBUG(3,("ads_keytab_add_entry: Will try to delete old keytab entries\n")); while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) { - BOOL compare_ok = False; + BOOL compare_name_ok = False; ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc); if (ret) { 
@@ -139,43 +166,59 @@ */ #ifdef HAVE_KRB5_KT_COMPARE - compare_ok = ((krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True) && (kt_entry.vno != kvno - 1)); + compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True); #else - compare_ok = ((strcmp(ktprinc, princ_s) == 0) && (kt_entry.vno != kvno - 1)); + compare_name_ok = (strcmp(ktprinc, princ_s) == 0); #endif + + if (!compare_name_ok) { + DEBUG(10,("ads_keytab_add_entry: ignoring keytab entry principal %s, kvno = %d\n", + ktprinc, kt_entry.vno)); + } + krb5_free_unparsed_name(context, ktprinc); ktprinc = NULL; - if (compare_ok) { - DEBUG(3,("ads_keytab_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n", - princ_s, kt_entry.vno)); - ret = krb5_kt_end_seq_get(context, keytab, &cursor); - ZERO_STRUCT(cursor); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get() failed (%s)\n", - error_message(ret))); - goto out; - } - ret = krb5_kt_remove_entry(context, keytab, &kt_entry); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n", - error_message(ret))); - goto out; - } - ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_start_seq failed (%s)\n", - error_message(ret))); - goto out; - } - ret = smb_krb5_kt_free_entry(context, &kt_entry); - ZERO_STRUCT(kt_entry); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n", - error_message(ret))); - goto out; + if (compare_name_ok) { + if (kt_entry.vno == kvno - 1) { + DEBUG(5,("ads_keytab_add_entry: Saving previous (kvno %d) entry for principal: %s.\n", + kvno - 1, princ_s)); + } else { + + DEBUG(5,("ads_keytab_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n", + princ_s, kt_entry.vno)); + ret = krb5_kt_end_seq_get(context, keytab, &cursor); + ZERO_STRUCT(cursor); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get() failed (%s)\n", + 
error_message(ret))); + goto out; + } + ret = krb5_kt_remove_entry(context, keytab, &kt_entry); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n", + error_message(ret))); + goto out; + } + + DEBUG(5,("ads_keytab_add_entry: removed old entry for principal: %s (kvno %d).\n", + princ_s, kt_entry.vno)); + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_start_seq failed (%s)\n", + error_message(ret))); + goto out; + } + ret = smb_krb5_kt_free_entry(context, &kt_entry); + ZERO_STRUCT(kt_entry); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n", + error_message(ret))); + goto out; + } + continue; } - continue; } /* Not a match, just free this entry and continue. */ @@ -201,12 +244,6 @@ /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */ - ret = get_kerberos_allowed_etypes(context,&enctypes); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret))); - goto out; - } - /* Now add keytab entries for all encryption types */ for (i = 0; enctypes[i]; i++) { krb5_keyblock *keyp; @@ -241,13 +278,6 @@ krb5_kt_close(context, keytab); keytab = NULL; /* Done with keytab now. No double free. */ - /* Update the LDAP with the SPN */ - DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s)); - if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), srvPrinc))) { - DEBUG(1,("ads_keytab_add_entry: ads_add_service_principcal_name failed.\n")); - goto out; - } - out: SAFE_FREE(principal); @@ -410,8 +440,10 @@ krb5_kt_cursor cursor; krb5_keytab_entry kt_entry; krb5_kvno kvno; + fstring my_fqdn, my_Fqdn, my_name, my_NAME; + char *p_fqdn; int i, found = 0; - char **oldEntries = NULL; + char **oldEntries = NULL, *princ_s[18];; ret = ads_keytab_add_entry(ads, "host"); if (ret) { 
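Review bot: The DEBUG(1) after `smb_krb5_kt_free_entry()` in the removal branch still reports `krb5_kt_remove_entry failed`, so a failure to free the entry is logged as a failure to remove it. Since these lines are being re-indented anyway, name the call that actually failed: `DEBUG(1,("ads_keytab_add_entry: smb_krb5_kt_free_entry failed (%s)\n",`. The `/* Not a match, just free this entry and continue. */` comment below the block now also covers the kept kvno-1 entry and could say so. The enclosing while loop starts outside the hunk.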
@@ -424,6 +456,51 @@ return ret; } + fstrcpy(my_name, global_myname()); + strlower_m(my_name); + + fstrcpy(my_NAME, global_myname()); + strupper_m(my_NAME); + + my_fqdn[0] = '\0'; + name_to_fqdn(my_fqdn, global_myname()); + strlower_m(my_fqdn); + + p_fqdn = strchr_m(my_fqdn, '.'); + fstrcpy(my_Fqdn, my_NAME); + if (p_fqdn) { + fstrcat(my_Fqdn, p_fqdn); + } + + asprintf(&princ_s[0], "%s$@%s", my_name, lp_realm()); + asprintf(&princ_s[1], "%s$@%s", my_NAME, lp_realm()); + asprintf(&princ_s[2], "host/%s@%s", my_name, lp_realm()); + asprintf(&princ_s[3], "host/%s@%s", my_NAME, lp_realm()); + asprintf(&princ_s[4], "host/%s@%s", my_fqdn, lp_realm()); + asprintf(&princ_s[5], "host/%s@%s", my_Fqdn, lp_realm()); + asprintf(&princ_s[6], "HOST/%s@%s", my_name, lp_realm()); + asprintf(&princ_s[7], "HOST/%s@%s", my_NAME, lp_realm()); + asprintf(&princ_s[8], "HOST/%s@%s", my_fqdn, lp_realm()); + asprintf(&princ_s[9], "HOST/%s@%s", my_Fqdn, lp_realm()); + asprintf(&princ_s[10], "cifs/%s@%s", my_name, lp_realm()); + asprintf(&princ_s[11], "cifs/%s@%s", my_NAME, lp_realm()); + asprintf(&princ_s[12], "cifs/%s@%s", my_fqdn, lp_realm()); + asprintf(&princ_s[13], "cifs/%s@%s", my_Fqdn, lp_realm()); + asprintf(&princ_s[14], "CIFS/%s@%s", my_name, lp_realm()); + asprintf(&princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm()); + asprintf(&princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm()); + asprintf(&princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm()); + + for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) { + if (princ_s[i] != NULL) { + ret = ads_keytab_add_entry(ads, princ_s[i]); + if (ret != 0) { + DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s[i])); + } + SAFE_FREE(princ_s[i]); + } + } + kvno = (krb5_kvno) ads_get_kvno(ads, global_myname()); if (kvno == -1) { DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n")); 
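Review bot: `princ_s[18]` is never initialised and none of the eighteen asprintf() return values is checked, so the `princ_s[i] != NULL` test in the loop cannot reliably detect a failed allocation, because asprintf() leaves the pointer undefined on failure on some C libraries. Check the return value, as kerberos_derive_cifs_salting_principals does with `asprintf(&service, ...) != -1`, and clear the slot on failure, e.g. `if (asprintf(&princ_s[0], "%s$@%s", my_name, lp_realm()) == -1) princ_s[0] = NULL;`. The same eighteen-entry list in kerberos_verify.c passes `host_princ_s[i]` to krb5_parse_name() with no check at all, and the later hunk there calls `strlower_m(host_princ_s)` straight after an unchecked asprintf(). The function (ads_keytab_create_default, going by its DEBUG strings) starts and ends outside this hunk.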
@@ -495,6 +572,11 @@ * or mb strings into account. Maybe this is because they assume utf8 ? * In this case we may need to convert from utf8 to mb charset here ? JRA. */ + p = strchr_m(ktprinc, '@'); + if (p) { + *p = '\0'; + } + p = strchr_m(ktprinc, '/'); if (p) { *p = '\0'; diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/kerberos_verify.c samba-3.0.8/source/libads/kerberos_verify.c --- samba-3.0.8pre2/source/libads/kerberos_verify.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/kerberos_verify.c 2004-11-07 14:43:24.000000000 -0600 @@ -41,14 +41,13 @@ { krb5_error_code ret = 0; BOOL auth_ok = False; - krb5_keytab keytab = NULL; - krb5_kt_cursor cursor; - krb5_keytab_entry kt_entry; - char *princ_name = NULL; - - ZERO_STRUCT(kt_entry); - ZERO_STRUCT(cursor); + fstring my_fqdn, my_name; + fstring my_Fqdn, my_NAME; + char *p_fqdn; + char *host_princ_s[18]; + krb5_principal host_princ; + int i; ret = krb5_kt_default(context, &keytab); if (ret) { 
@@ -56,69 +55,78 @@ goto out; } - ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret))); - goto out; - } + /* Generate the list of principal names which we expect clients might + * want to use for authenticating to the file service. */ - while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) { - ret = krb5_unparse_name(context, kt_entry.principal, &princ_name); - if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); - goto out; - } - /* Look for a CIFS ticket */ - if (!StrnCaseCmp(princ_name, "cifs/", 5)) { -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK - krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock); -#else - krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.key); -#endif + fstrcpy(my_name, global_myname()); + strlower_m(my_name); - p_packet->length = ticket->length; - p_packet->data = (krb5_pointer)ticket->data; + fstrcpy(my_NAME, global_myname()); + strupper_m(my_NAME); - if (!(ret = krb5_rd_req(context, &auth_context, p_packet, NULL, NULL, NULL, pp_tkt))) { - unsigned int keytype; - krb5_free_unparsed_name(context, princ_name); - princ_name = NULL; -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK - keytype = (unsigned int) kt_entry.keyblock.keytype; -#else - keytype = (unsigned int) kt_entry.key.enctype; -#endif - DEBUG(10,("ads_keytab_verify_ticket: enc type [%u] decrypted message !\n", - keytype)); - auth_ok = True; - break; - } + my_fqdn[0] = '\0'; + name_to_fqdn(my_fqdn, global_myname()); + strlower_m(my_fqdn); + + p_fqdn = strchr_m(my_fqdn, '.'); + fstrcpy(my_Fqdn, my_NAME); + if (p_fqdn) { + fstrcat(my_Fqdn, p_fqdn); + } + + asprintf(&host_princ_s[0], "%s$@%s", my_name, lp_realm()); + asprintf(&host_princ_s[1], "%s$@%s", my_NAME, lp_realm()); + asprintf(&host_princ_s[2], "host/%s@%s", my_name, lp_realm()); + asprintf(&host_princ_s[3], "host/%s@%s", my_NAME, 
lp_realm()); + asprintf(&host_princ_s[4], "host/%s@%s", my_fqdn, lp_realm()); + asprintf(&host_princ_s[5], "host/%s@%s", my_Fqdn, lp_realm()); + asprintf(&host_princ_s[6], "HOST/%s@%s", my_name, lp_realm()); + asprintf(&host_princ_s[7], "HOST/%s@%s", my_NAME, lp_realm()); + asprintf(&host_princ_s[8], "HOST/%s@%s", my_fqdn, lp_realm()); + asprintf(&host_princ_s[9], "HOST/%s@%s", my_Fqdn, lp_realm()); + asprintf(&host_princ_s[10], "cifs/%s@%s", my_name, lp_realm()); + asprintf(&host_princ_s[11], "cifs/%s@%s", my_NAME, lp_realm()); + asprintf(&host_princ_s[12], "cifs/%s@%s", my_fqdn, lp_realm()); + asprintf(&host_princ_s[13], "cifs/%s@%s", my_Fqdn, lp_realm()); + asprintf(&host_princ_s[14], "CIFS/%s@%s", my_name, lp_realm()); + asprintf(&host_princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm()); + asprintf(&host_princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm()); + asprintf(&host_princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm()); + + /* Now try to verify the ticket using the key associated with each of + * the principals which we think clients will expect us to be + * participating as. 
*/ + for (i = 0; i < sizeof(host_princ_s) / sizeof(host_princ_s[0]); i++) { + host_princ = NULL; + ret = krb5_parse_name(context, host_princ_s[i], &host_princ); + if (ret) { + DEBUG(1, ("ads_keytab_verify_ticket: krb5_parse_name(%s) failed (%s)\n", + host_princ_s[i], error_message(ret))); + goto out; } - krb5_free_unparsed_name(context, princ_name); - princ_name = NULL; + p_packet->length = ticket->length; + p_packet->data = (krb5_pointer)ticket->data; + *pp_tkt = NULL; + ret = krb5_rd_req(context, &auth_context, p_packet, host_princ, keytab, NULL, pp_tkt); + krb5_free_principal(context, host_princ); + if (ret) { + DEBUG(0, ("krb5_rd_req(%s) failed: %s\n", host_princ_s[i], error_message(ret))); + } else { + DEBUG(10,("krb5_rd_req succeeded for principal %s\n", host_princ_s[i])); + auth_ok = True; + break; + } } - if (ret && ret != KRB5_KT_END) { - /* This failed because something went wrong, not because the keytab file was empty. */ - DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_next_entry failed (%s)\n", error_message(ret))); - goto out; + + for (i = 0; i < sizeof(host_princ_s) / sizeof(host_princ_s[0]); i++) { + SAFE_FREE(host_princ_s[i]); } out: - if (princ_name) { - krb5_free_unparsed_name(context, princ_name); - } - { - krb5_kt_cursor zero_csr; - ZERO_STRUCT(zero_csr); - if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) { - krb5_kt_end_seq_get(context, keytab, &cursor); - } - } if (keytab) { krb5_kt_close(context, keytab); } - return auth_ok; } @@ -223,7 +231,6 @@ char *host_princ_s = NULL; BOOL got_replay_mutex = False; - fstring myname; BOOL auth_ok = False; ZERO_STRUCT(packet); 
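Review bot: The `goto out` taken when krb5_parse_name() fails jumps over the SAFE_FREE loop that sits just above the `out:` label, so all eighteen host_princ_s strings leak on that path; `break;` in place of `goto out;` keeps the same control flow and still reaches the loop. Each non-matching principal is also reported with `DEBUG(0, ("krb5_rd_req(%s) failed: %s\n", ...`, so a single ticket presented by a client can produce up to seventeen level-0 log lines before a match. A higher debug level for the per-principal message, with one summary line when nothing matches, would keep the log usable. The function starts outside the hunk.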
@@ -254,9 +261,8 @@ goto out; } - name_to_fqdn(myname, global_myname()); - strlower_m(myname); - asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm()); + asprintf(&host_princ_s, "%s$", global_myname()); + strlower_m(host_princ_s); ret = krb5_parse_name(context, host_princ_s, &host_princ); if (ret) { DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n", diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/krb5_setpw.c samba-3.0.8/source/libads/krb5_setpw.c --- samba-3.0.8pre2/source/libads/krb5_setpw.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/krb5_setpw.c 2004-11-07 14:43:24.000000000 -0600 @@ -25,7 +25,9 @@ #define DEFAULT_KPASSWD_PORT 464 #define KRB5_KPASSWD_VERS_CHANGEPW 1 +#ifndef KRB5_KPASSWD_VERS_SETPW #define KRB5_KPASSWD_VERS_SETPW 2 +#endif #define KRB5_KPASSWD_VERS_SETPW_MS 0xff80 #define KRB5_KPASSWD_ACCESSDENIED 5 #define KRB5_KPASSWD_BAD_VERSION 6 @@ -667,7 +669,7 @@ { int ret; - if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) { + if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) { DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret))); return ADS_ERROR_KRB5(ret); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/ldap.c samba-3.0.8/source/libads/ldap.c --- samba-3.0.8pre2/source/libads/ldap.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/ldap.c 2004-11-07 14:43:24.000000000 -0600 
@@ -1228,11 +1228,11 @@ ADS_STATUS ret; TALLOC_CTX *ctx; LDAPMessage *res = NULL; - char *host_spn, *host_upn, *psp1, *psp2; + char *host_spn, *host_upn, *psp1, *psp2, *psp3; ADS_MODLIST mods; fstring my_fqdn; char *dn_string = NULL; - const char *servicePrincipalName[3] = {NULL, NULL, NULL}; + const char *servicePrincipalName[4] = {NULL, NULL, NULL, NULL}; ret = ads_find_machine_acct(ads, (void **)&res, machine_name); if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { @@ -1251,6 +1251,8 @@ } name_to_fqdn(my_fqdn, machine_name); + strlower_m(my_fqdn); + if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", my_fqdn))) { talloc_destroy(ctx); ads_msgfree(ads, res); @@ -1274,6 +1276,17 @@ DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp2, machine_name)); servicePrincipalName[1] = psp2; + /* Add another principal in case the realm != the DNS domain, so that + * the KDC doesn't send "server principal unknown" errors to clients + * which use the DNS name in determining service principal names. */ + psp3 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn); + strupper_m(psp3); + strlower_m(&psp3[strlen(spn)]); + if (strcmp(psp2, psp3) != 0) { + DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp3, machine_name)); + servicePrincipalName[2] = psp3; + } + if (!(mods = ads_init_mods(ctx))) { talloc_destroy(ctx); ads_msgfree(ads, res); @@ -1325,12 +1338,13 @@ ADS_MODLIST mods; const char *objectClass[] = {"top", "person", "organizationalPerson", "user", "computer", NULL}; - const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL}; - char *psp, *psp2; + const char *servicePrincipalName[7] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL}; + char *psp, *psp2, *psp3, *psp4; unsigned acct_control; unsigned exists=0; fstring my_fqdn; LDAPMessage *res = NULL; + int i, next_spn; if (!(ctx = talloc_init("ads_add_machine_acct"))) return ADS_ERROR(LDAP_NO_MEMORY); 
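Review bot: In the `@@ -1274,6 +1276,17 @@` hunk `psp3` is passed to `strupper_m()` and indexed as `&psp3[strlen(spn)]` without a NULL check, although `host_spn` a few lines earlier is checked after the same kind of `talloc_asprintf` call. Guard it the same way, `if (!(psp3 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn))) {`, followed by the cleanup and error return the function already uses for `host_spn`. The `psp3` and `psp4` allocations in the `@@ -1384,6 +1398,30 @@` hunk are unchecked in the same way. The function body continues outside the hunk.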
@@ -1384,6 +1398,30 @@ strlower_m(&psp2[5]); servicePrincipalName[3] = psp2; + /* Ensure servicePrincipalName[4] and [5] are unique. */ + strlower_m(my_fqdn); + psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn); + strlower_m(&psp3[5]); + + next_spn = 4; + for (i = 0; i < next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp3; + } + + psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn); + strlower_m(&psp4[5]); + for (i = 0; i < next_spn; i++) { + if (strequal(servicePrincipalName[i], psp3)) + break; + } + if (i == next_spn) { + servicePrincipalName[next_spn++] = psp4; + } + if (!(samAccountName = talloc_asprintf(ctx, "%s$", machine_name))) { goto done; } @@ -1683,14 +1721,14 @@ status = ads_add_machine_acct(ads, machine, account_type, org_unit); if (!ADS_ERR_OK(status)) { - DEBUG(0, ("ads_add_machine_acct (%s): %s\n", machine, ads_errstr(status))); + DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status))); SAFE_FREE(machine); return status; } status = ads_find_machine_acct(ads, (void **)&res, machine); if (!ADS_ERR_OK(status)) { - DEBUG(0, ("Host account test failed for machine %s\n", machine)); + DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine)); SAFE_FREE(machine); return status; } @@ -2261,7 +2299,7 @@ breaks winbindd_getpwnam() */ ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName"); - if (ret && (p = strchr(ret, '@'))) { + if (ret && (p = strchr_m(ret, '@'))) { *p = 0; return ret; } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libads/util.c samba-3.0.8/source/libads/util.c --- samba-3.0.8pre2/source/libads/util.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/libads/util.c 2004-11-07 14:43:24.000000000 -0600 
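Review bot: The second uniqueness loop in the `@@ -1384,6 +1398,30 @@` hunk compares against `psp3` again instead of `psp4`, which looks like a copy-paste slip. By that point `psp3` is either already in the array or was just appended, so as far as the hunk shows the loop always breaks early and the lowercased `HOST/` name held in `psp4` is never stored. The comparison should read `if (strequal(servicePrincipalName[i], psp4))`. The function starts and ends outside the hunk.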
@@ -24,39 +24,45 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) { - char *tmp_password; - char *password; - char *new_password; - char *service_principal; - ADS_STATUS ret; - uint32 sec_channel_type; + char *password; + char *new_password; + char *service_principal; + ADS_STATUS ret; + uint32 sec_channel_type; - if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { - DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); - return ADS_ERROR_SYSTEM(ENOENT); - } + if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { + DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); + return ADS_ERROR_SYSTEM(ENOENT); + } - tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - new_password = strdup(tmp_password); + new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - asprintf(&service_principal, "HOST/%s", host_principal); + asprintf(&service_principal, "HOST/%s", host_principal); - ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); + ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); - if (!ADS_ERR_OK(ret)) goto failed; - - if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { - DEBUG(1,("Failed to save machine password\n")); - return ADS_ERROR_SYSTEM(EACCES); - } + if (!ADS_ERR_OK(ret)) { + goto failed; + } + + if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { + DEBUG(1,("Failed to save machine password\n")); + ret = ADS_ERROR_SYSTEM(EACCES); + goto failed; + } + + /* Determine if the KDC is salting keys for this principal in a + * non-obvious way. 
*/ + if (!kerberos_derive_salting_principal(service_principal)) { + DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal)); + ret = ADS_ERROR_SYSTEM(EACCES); + goto failed; + } failed: - SAFE_FREE(service_principal); - SAFE_FREE(new_password); - - return ret; + SAFE_FREE(service_principal); + SAFE_FREE(password); + SAFE_FREE(new_password); + return ret; } - - - #endif diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libsmb/cliconnect.c samba-3.0.8/source/libsmb/cliconnect.c --- samba-3.0.8pre2/source/libsmb/cliconnect.c 2004-10-25 16:05:01.000000000 -0500 +++ samba-3.0.8/source/libsmb/cliconnect.c 2004-11-07 14:43:23.000000000 -0600 @@ -757,7 +757,7 @@ int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL); if (ret){ SAFE_FREE(principal); diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libsmb/clikrb5.c samba-3.0.8/source/libsmb/clikrb5.c --- samba-3.0.8pre2/source/libsmb/clikrb5.c 2004-10-25 16:05:00.000000000 -0500 +++ samba-3.0.8/source/libsmb/clikrb5.c 2004-11-07 14:43:23.000000000 -0600 @@ -77,11 +77,11 @@ pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr); } #else - __ERROR__XX__UNKNOWN_ADDRTYPE +#error UNKNOWN_ADDRTYPE #endif -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) - int create_kerberos_key_from_string(krb5_context context, +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK) + int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, 
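Review bot: `new_password` now holds the pointer returned by `generate_random_str()` directly, yet the `failed:` label still runs `SAFE_FREE(new_password)`. The removed lines took a `strdup()` copy first, which suggests the generator does not return memory the caller owns; if that is so, this frees a pointer that never came from malloc. Either keep the copy, `new_password = strdup(generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));` with a NULL check, or drop the `SAFE_FREE(new_password)` line. Separately, `password` is released without being overwritten first; clearing it before the free would keep the machine account secret from lingering in freed heap memory.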
@@ -102,7 +102,7 @@ return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string(krb5_context context, + int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, @@ -120,9 +120,30 @@ salt, key); } #else - __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#error UNKNOWN_CREATE_KEY_FUNCTIONS #endif + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype) +{ + krb5_principal salt_princ = NULL; + int ret; + /* + * Check if we've determined that the KDC is salting keys for this + * principal/enctype in a non-obvious way. If it is, try to match + * its behavior. + */ + salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); + if (salt_princ) { + krb5_free_principal(context, salt_princ); + } + return ret; +} + #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes) 
@@ -251,6 +272,42 @@ } #endif + void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) +{ +#if defined(HAVE_KRB5_FREE_DATA_CONTENTS) + if (pdata->data) { + krb5_free_data_contents(context, pdata); + } +#else + SAFE_FREE(pdata->data); +#endif +} + + void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) +{ +#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS) + KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype; +#elif defined(HAVE_KRB5_SESSION_IN_CREDS) + KRB5_KEY_TYPE((&pcreds->session)) = enctype; +#else +#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT +#endif +} + + BOOL kerberos_compatible_enctypes(krb5_context context, + krb5_enctype enctype1, + krb5_enctype enctype2) +{ +#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE) + krb5_boolean similar = 0; + + krb5_c_enctype_compare(context, enctype1, enctype2, &similar); + return similar ? True : False; +#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS) + return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False; +#endif +} + static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_ccache ccache, krb5_creds *credsp) @@ -273,13 +330,13 @@ we're using creds obtained outside of our exectuable */ if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) { - DEBUG(5, ("We do not remove creds from a FILE ccache\n")); + DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n")); return False; } retval = krb5_cc_remove_cred(context, ccache, 0, credsp); if (retval) { - DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n", + DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n", error_message(retval))); /* If we have an error in this, we want to display it, but continue as though we deleted it */ @@ -306,7 +363,7 @@ retval = krb5_parse_name(context, principal, &server); if (retval) { - DEBUG(1,("Failed to parse principal %s\n", principal)); + DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); return retval; } 
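Review bot: `kerberos_compatible_enctypes()` has no `#else` branch, so a build where neither `HAVE_KRB5_C_ENCTYPE_COMPARE` nor `HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS` is defined compiles a BOOL function that returns nothing. `kerberos_set_creds_enctype()` in the same hunk already stops the build with `#error` in that situation; do the same here by adding `#else` and `#error UNKNOWN_KRB5_ENCTYPE_COMPARE_FUNCTION` before the `#endif`. The return value of `krb5_c_enctype_compare()` is also ignored, which is harmless only because `similar` starts at 0; a one-line comment saying so would help the next reader.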
@@ -319,7 +376,9 @@ } if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) { - DEBUG(1,("krb5_cc_get_principal failed (%s)\n", + /* This can commonly fail on smbd startup with no ticket in the cache. + * Report at higher level than 1. */ + DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n", error_message(retval))); goto cleanup_creds; } @@ -327,7 +386,7 @@ while(!creds_ready) { if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { - DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", principal, error_message(retval))); goto cleanup_creds; } @@ -336,7 +395,7 @@ if ((unsigned)credsp->times.starttime > time(NULL)) { time_t t = time(NULL); int time_offset =(unsigned)credsp->times.starttime-t; - DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); + DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset)); krb5_set_real_time(context, t + time_offset + 1, 0); } @@ -344,7 +403,7 @@ creds_ready = True; } - DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", + DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", principal, krb5_cc_default_name(context), http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); @@ -353,7 +412,7 @@ retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); if (retval) { - DEBUG(1,("krb5_mk_req_extended failed (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", error_message(retval))); } @@ -389,7 +448,7 @@ retval = krb5_init_context(&context); if (retval) { - DEBUG(1,("krb5_init_context failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n", error_message(retval))); goto failed; } 
@@ -399,13 +458,13 @@ } if ((retval = krb5_cc_default(context, &ccdef))) { - DEBUG(1,("krb5_cc_default failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n", error_message(retval))); goto failed; } if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { - DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n", error_message(retval))); goto failed; } @@ -422,10 +481,7 @@ *ticket = data_blob(packet.data, packet.length); -/* Hmm, heimdal dooesn't have this - what's the correct call? */ -#ifdef HAVE_KRB5_FREE_DATA_CONTENTS - krb5_free_data_contents(context, &packet); -#endif + kerberos_free_data_contents(context, &packet); failed: diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libsmb/ntlm_check.c samba-3.0.8/source/libsmb/ntlm_check.c --- samba-3.0.8pre2/source/libsmb/ntlm_check.c 2004-10-25 16:05:00.000000000 -0500 +++ samba-3.0.8/source/libsmb/ntlm_check.c 2004-11-07 14:43:23.000000000 -0600 @@ -93,6 +93,7 @@ uchar value_from_encryption[16]; uchar client_response[16]; DATA_BLOB client_key_data; + BOOL res; if (part_passwd == NULL) { DEBUG(10,("No password set - DISALLOWING access\n")); @@ -146,7 +147,10 @@ dump_data(100, value_from_encryption, 16); #endif data_blob_clear_free(&client_key_data); - return (memcmp(value_from_encryption, client_response, 16) == 0); + res = (memcmp(value_from_encryption, client_response, 16) == 0); + if ((!res) && (user_sess_key != NULL)) + data_blob_clear_free(user_sess_key); + return res; } /** diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/libsmb/smb_signing.c samba-3.0.8/source/libsmb/smb_signing.c --- samba-3.0.8pre2/source/libsmb/smb_signing.c 2004-10-25 16:05:00.000000000 -0500 +++ samba-3.0.8/source/libsmb/smb_signing.c 2004-11-07 14:43:23.000000000 -0600 
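Review bot: The new failure branch in the ntlm_check.c `@@ -146,7 +147,10 @@` hunk has no comment saying why the session key is wiped, and the reason is security-relevant. I would add `/* Response did not match: do not leave a session key derived from the wrong password in the caller's blob. */` above the `if ((!res) && (user_sess_key != NULL))` line. Where `user_sess_key` is filled in lies outside the hunk, so this wording assumes it is populated before the comparison; adjust it if that is not the case.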
@@ -255,6 +255,7 @@ const size_t offset_end_of_sig = (smb_ss_field + 8); unsigned char sequence_buf[8]; struct MD5Context md5_ctx; + unsigned char key_buf[16]; /* * Firstly put the sequence number into the first 4 bytes. @@ -276,8 +277,14 @@ MD5Init(&md5_ctx); /* intialise with the key */ - MD5Update(&md5_ctx, data->mac_key.data, - data->mac_key.length); + /* NB. When making and verifying SMB signatures, Windows apparently + zero-pads the key to 128 bits if it isn't long enough. + From Nalin Dahyabhai */ + MD5Update(&md5_ctx, data->mac_key.data, data->mac_key.length); + if (data->mac_key.length < sizeof(key_buf)) { + memset(key_buf, 0, sizeof(key_buf)); + MD5Update(&md5_ctx, key_buf, sizeof(key_buf) - data->mac_key.length); + } /* copy in the first bit of the SMB header */ MD5Update(&md5_ctx, buf + 4, smb_ss_field - 4); diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/Makefile.in samba-3.0.8/source/Makefile.in --- samba-3.0.8pre2/source/Makefile.in 2004-10-25 16:04:53.000000000 -0500 +++ samba-3.0.8/source/Makefile.in 2004-11-07 14:43:23.000000000 -0600 @@ -124,7 +124,8 @@ BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \ bin/testparm@EXEEXT@ bin/testprns@EXEEXT@ bin/smbstatus@EXEEXT@ BIN_PROGS2 = bin/smbcontrol@EXEEXT@ bin/smbtree@EXEEXT@ bin/tdbbackup@EXEEXT@ \ - bin/nmblookup@EXEEXT@ bin/pdbedit@EXEEXT@ bin/tdbdump@EXEEXT@ + bin/nmblookup@EXEEXT@ bin/pdbedit@EXEEXT@ bin/tdbdump@EXEEXT@ \ + bin/tdbtool@EXEEXT@ BIN_PROGS3 = bin/smbpasswd@EXEEXT@ bin/rpcclient@EXEEXT@ bin/smbcacls@EXEEXT@ \ bin/profiles@EXEEXT@ bin/ntlm_auth@EXEEXT@ \ bin/smbcquotas@EXEEXT@ @@ -545,7 +546,7 @@ $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ) MOUNT_OBJ = client/smbmount.o \ - $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) + $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(SECRETS_OBJ) MNT_OBJ = client/smbmnt.o $(VERSION_OBJ) $(SNPRINTF_OBJ) 
@@ -564,13 +565,13 @@ $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ - $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) + $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(SECRETS_OBJ) LOCKTEST_OBJ = torture/locktest.o $(PARAM_OBJ) $(LOCKING_OBJ) $(KRBCLIENT_OBJ) \ - $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(DUMMYROOT_OBJ) + $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(DUMMYROOT_OBJ) $(SECRETS_OBJ) NSSTEST_OBJ = torture/nsstest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ - $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) + $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(SECRETS_OBJ) VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ) @@ -579,7 +580,7 @@ LOG2PCAP_OBJ = utils/log2pcaphex.o LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \ - $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(DUMMYROOT_OBJ) + $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(DUMMYROOT_OBJ) $(SECRETS_OBJ) SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \ @@ -605,7 +606,7 @@ DEBUG2HTML_OBJ = utils/debug2html.o ubiqx/debugparse.o -SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ +SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(SECRETS_OBJ) \ $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) PROTO_OBJ = $(SMBD_OBJ_MAIN) \ @@ -677,6 +678,8 @@ TDBBACKUP_OBJ = tdb/tdbbackup.o tdb/tdbback.o $(SNPRINTF_OBJ) $(TDBBASE_OBJ) +TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ) + TDBDUMP_OBJ = tdb/tdbdump.o $(TDBBASE_OBJ) NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o 
@@ -1249,6 +1252,10 @@ @echo Linking $@ @$(CC) $(FLAGS) -o $@ $(DYNEXP) $(TDBBACKUP_OBJ) +bin/tdbtool@EXEEXT@: $(TDBTOOL_OBJ) bin/.dummy + @echo Linking $@ + @$(CC) $(FLAGS) -o $@ $(DYNEXP) $(TDBTOOL_OBJ) + bin/tdbdump@EXEEXT@: $(TDBDUMP_OBJ) bin/.dummy @echo Linking $@ @$(CC) $(FLAGS) -o $@ $(DYNEXP) $(TDBDUMP_OBJ) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/param/loadparm.c samba-3.0.8/source/param/loadparm.c --- samba-3.0.8pre2/source/param/loadparm.c 2004-10-25 16:04:57.000000000 -0500 +++ samba-3.0.8/source/param/loadparm.c 2004-11-07 14:43:23.000000000 -0600 @@ -541,7 +541,7 @@ False, /* bForcePrintername */ True, /* bNTAclSupport */ False, /* bForceUnknownAclUser */ - True, /* bUseSendfile */ + False, /* bUseSendfile */ False, /* bProfileAcls */ False, /* bMap_acl_inherit */ False, /* bAfs_Share */ @@ -794,8 +794,8 @@ {"server schannel", P_ENUM, P_GLOBAL, &Globals.serverSchannel, NULL, enum_bool_auto, FLAG_BASIC | FLAG_ADVANCED}, {"allow trusted domains", P_BOOL, P_GLOBAL, &Globals.bAllowTrustedDomains, NULL, NULL, FLAG_ADVANCED}, {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL, NULL, FLAG_ADVANCED}, - {"min passwd length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED}, {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED}, + {"min passwd length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED}, {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, FLAG_ADVANCED}, {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, FLAG_ADVANCED}, {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, FLAG_ADVANCED}, 
@@ -881,8 +881,8 @@ {"log file", P_STRING, P_GLOBAL, &Globals.szLogFile, NULL, NULL, FLAG_ADVANCED}, {"max log size", P_INTEGER, P_GLOBAL, &Globals.max_log_size, NULL, NULL, FLAG_ADVANCED}, - {"timestamp logs", P_BOOL, P_GLOBAL, &Globals.bTimestampLogs, NULL, NULL, FLAG_ADVANCED}, {"debug timestamp", P_BOOL, P_GLOBAL, &Globals.bTimestampLogs, NULL, NULL, FLAG_ADVANCED}, + {"timestamp logs", P_BOOL, P_GLOBAL, &Globals.bTimestampLogs, NULL, NULL, FLAG_ADVANCED}, {"debug hires timestamp", P_BOOL, P_GLOBAL, &Globals.bDebugHiresTimestamp, NULL, NULL, FLAG_ADVANCED}, {"debug pid", P_BOOL, P_GLOBAL, &Globals.bDebugPid, NULL, NULL, FLAG_ADVANCED}, {"debug uid", P_BOOL, P_GLOBAL, &Globals.bDebugUid, NULL, NULL, FLAG_ADVANCED}, @@ -890,9 +890,9 @@ {N_("Protocol Options"), P_SEP, P_SEPARATOR}, {"smb ports", P_STRING, P_GLOBAL, &Globals.smb_ports, NULL, NULL, FLAG_ADVANCED}, - {"protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, FLAG_ADVANCED}, {"large readwrite", P_BOOL, P_GLOBAL, &Globals.bLargeReadwrite, NULL, NULL, FLAG_ADVANCED}, {"max protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, FLAG_ADVANCED}, + {"protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, FLAG_ADVANCED}, {"min protocol", P_ENUM, P_GLOBAL, &Globals.minprotocol, NULL, enum_protocol, FLAG_ADVANCED}, {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, FLAG_ADVANCED}, {"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, FLAG_ADVANCED}, 
@@ -1131,8 +1131,8 @@ {"copy", P_STRING, P_LOCAL, &sDefault.szCopy, handle_copy, NULL, FLAG_HIDE}, {"include", P_STRING, P_LOCAL, &sDefault.szInclude, handle_include, NULL, FLAG_HIDE}, - {"exec", P_STRING, P_LOCAL, &sDefault.szPreExec, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT}, - {"preexec", P_STRING, P_LOCAL, &sDefault.szPreExec, NULL, NULL, FLAG_ADVANCED}, + {"preexec", P_STRING, P_LOCAL, &sDefault.szPreExec, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT}, + {"exec", P_STRING, P_LOCAL, &sDefault.szPreExec, NULL, NULL, FLAG_ADVANCED}, {"preexec close", P_BOOL, P_LOCAL, &sDefault.bPreexecClose, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, {"postexec", P_STRING, P_LOCAL, &sDefault.szPostExec, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT}, diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/python/py_lsa.c samba-3.0.8/source/python/py_lsa.c --- samba-3.0.8pre2/source/python/py_lsa.c 2004-10-25 16:04:52.000000000 -0500 +++ samba-3.0.8/source/python/py_lsa.c 2004-11-07 14:43:22.000000000 -0600 @@ -55,7 +55,7 @@ static char *kwlist[] = { "servername", "creds", "access", NULL }; char *server, *errstr; PyObject *creds = NULL, *result = NULL; - uint32 desired_access = MAXIMUM_ALLOWED_ACCESS; + uint32 desired_access = GENERIC_EXECUTE_ACCESS; struct cli_state *cli = NULL; NTSTATUS ntstatus; TALLOC_CTX *mem_ctx = NULL; @@ -90,7 +90,7 @@ } ntstatus = cli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, &hnd); + desired_access, &hnd); if (!NT_STATUS_IS_OK(ntstatus)) { PyErr_SetObject(lsa_ntstatus, py_ntstatus_tuple(ntstatus)); diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/python/samba/printerdata.py samba-3.0.8/source/python/samba/printerdata.py --- samba-3.0.8pre2/source/python/samba/printerdata.py 2004-10-25 16:04:52.000000000 -0500 +++ samba-3.0.8/source/python/samba/printerdata.py 2004-11-07 14:43:22.000000000 -0600 
@@ -62,4 +62,5 @@ return self.hnd.getprinterdataex(self.key, key)['data'] def __getitem__(self, key): - return self.printerdata_ex_subkey(self.host, key, self.creds, access) + return self.printerdata_ex_subkey( + self.host, key, self.creds, self.access) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/sam/idmap_rid.c samba-3.0.8/source/sam/idmap_rid.c --- samba-3.0.8pre2/source/sam/idmap_rid.c 2004-10-25 16:05:05.000000000 -0500 +++ samba-3.0.8/source/sam/idmap_rid.c 2004-11-07 14:43:23.000000000 -0600 @@ -152,13 +152,32 @@ char *domain = NULL; uint32 info_class = 5; char *domain_name = NULL; - DOM_SID *domain_sid; + DOM_SID *domain_sid, sid; fstring sid_str; int i; uint32 trusted_num_domains = 0; char **trusted_domain_names; DOM_SID *trusted_domain_sids; - + uint32 enum_ctx = 0; + + /* put the results together */ + *num_domains = 1; + *domain_names = (fstring *) malloc(sizeof(fstring) * *num_domains); + *domain_sids = (DOM_SID *) malloc(sizeof(DOM_SID) * *num_domains); + + /* avoid calling a DC when trusted domains are not allowed anyway */ + if (!lp_allow_trusted_domains()) { + + fstrcpy((*domain_names)[0], lp_workgroup()); + if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) { + DEBUG(0,("rid_idmap_get_domains: failed to retrieve domain sid\n")); + return status; + } + sid_copy(&(*domain_sids)[0], &sid); + + return NT_STATUS_OK; + } + /* create mem_ctx */ if (!(mem_ctx = talloc_init("rid_idmap_get_trusted_domains"))) { DEBUG(0, ("rid_idmap_get_domains: talloc_init() failed\n")); 
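Review bot: The two `malloc()` results in the idmap_rid.c `@@ -152,13 +152,32 @@` hunk are used without a NULL check, so `fstrcpy((*domain_names)[0], ...)` and `sid_copy(&(*domain_sids)[0], ...)` dereference NULL when allocation fails. The early `return status` taken when `secrets_fetch_domain_sid()` fails also leaves both buffers allocated with `*num_domains` still 1, and `status` is assigned outside the hunk, so it is worth confirming it holds an error value at that point. A check right after the allocations that frees both buffers and returns an out-of-memory status covers the first case, and the same release belongs in front of the early return. The function continues outside the hunk.

```c
	*domain_sids = (DOM_SID *) malloc(sizeof(DOM_SID) * *num_domains);
	if (*domain_names == NULL || *domain_sids == NULL) {
		SAFE_FREE(*domain_names);
		SAFE_FREE(*domain_sids);
		*num_domains = 0;
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: lp_allow_trusted_domains() shortcut … */
```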
@@ -229,37 +248,32 @@ sid_to_string(sid_str, domain_sid); DEBUG(10,("rid_idmap_get_domains: my domain: [%s], sid: [%s]\n", domain_name, sid_str)); - if (lp_allow_trusted_domains()) { - - uint32 enum_ctx = 0; - - /* scan trusted domains */ - DEBUG(10, ("rid_idmap_get_domains: enumerating trusted domains\n")); - status = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, - &trusted_num_domains, - &trusted_domain_names, - &trusted_domain_sids); - - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) && - !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { - DEBUG(1, ("rid_idmap_get_domains: could not enumerate trusted domains\n")); - goto out; - } + /* scan trusted domains */ + DEBUG(10, ("rid_idmap_get_domains: enumerating trusted domains\n")); + status = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, + &trusted_num_domains, + &trusted_domain_names, + &trusted_domain_sids); + + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) && + !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { + DEBUG(1, ("rid_idmap_get_domains: could not enumerate trusted domains\n")); + goto out; + } - /* show trusted domains */ - DEBUG(10,("rid_idmap_get_domains: scan for trusted domains gave %d results:\n", trusted_num_domains)); - for (i=0; ist_mode); + if (!get_acl_group_bits(conn, fname, &st->st_mode)) { + return(-1); + } if (S_ISDIR(st->st_mode)) dosmode |= aDIR; diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/smbd/posix_acls.c samba-3.0.8/source/smbd/posix_acls.c --- samba-3.0.8pre2/source/smbd/posix_acls.c 2004-10-25 16:04:54.000000000 -0500 +++ samba-3.0.8/source/smbd/posix_acls.c 2004-11-07 14:43:23.000000000 -0600 
@@ -180,7 +180,7 @@ entry_offset = pai_buf + PAI_ENTRIES_BASE; - for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) { + for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) { if (ace_list->inherited) { uint8 type_val = (unsigned char)ace_list->owner_type; uint32 entry_val = get_entry_val(ace_list); @@ -191,7 +191,7 @@ } } - for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) { + for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) { if (ace_list->inherited) { uint8 type_val = (unsigned char)ace_list->owner_type; uint32 entry_val = get_entry_val(ace_list); @@ -3226,7 +3226,7 @@ } } SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl); - return -1; + return result; } /**************************************************************************** diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/smbd/server.c samba-3.0.8/source/smbd/server.c --- samba-3.0.8pre2/source/smbd/server.c 2004-10-25 16:04:54.000000000 -0500 +++ samba-3.0.8/source/smbd/server.c 2004-11-07 14:43:23.000000000 -0600 @@ -910,6 +910,15 @@ smbd_process(); namecache_shutdown(); + + if (interactive) { + TALLOC_CTX *mem_ctx = talloc_init("end_description"); + char *description = talloc_describe_all(mem_ctx); + + DEBUG(3, ("tallocs left:\n%s\n", description)); + talloc_destroy(mem_ctx); + } + exit_server("normal exit"); return(0); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/smbd/trans2.c samba-3.0.8/source/smbd/trans2.c --- samba-3.0.8pre2/source/smbd/trans2.c 2004-10-25 16:04:55.000000000 -0500 +++ samba-3.0.8/source/smbd/trans2.c 2004-11-07 14:43:23.000000000 -0600 @@ -1662,7 +1662,7 @@ * depend on the last file name instead. */ - if(requires_resume_key && *resume_name && !continue_bit) { + if(*resume_name && !continue_bit) { /* * Fix for NT redirector problem triggered by resume key indexes 
@@ -1714,7 +1714,7 @@ if(current_pos < 0) { DEBUG(7,("call_trans2findnext: notfound: seeking to pos %d\n", start_pos)); SeekDir(dirptr, start_pos); - for(current_pos = start_pos; (dname = ReadDirName(dirptr)) != NULL; SeekDir(dirptr,++current_pos)) { + for(current_pos = start_pos; (dname = ReadDirName(dirptr)) != NULL; ++current_pos) { /* * Remember, mangle_map is called by @@ -1737,7 +1737,11 @@ } } /* end for */ } /* end if current_pos */ - } /* end if requires_resume_key && !continue_bit */ + /* Can't find the name. Just resume from where we were... */ + if (dname == 0) { + SeekDir(dirptr, start_pos); + } + } /* end if resume_name && !continue_bit */ for (i=0;(i<(int)maxentries) && !finished && !out_of_space ;i++) { BOOL got_exact_match = False; diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/utils/net_ads.c samba-3.0.8/source/utils/net_ads.c --- samba-3.0.8pre2/source/utils/net_ads.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/utils/net_ads.c 2004-11-07 14:43:24.000000000 -0600 @@ -169,7 +169,7 @@ * extract the realm and convert to upper case. * This is only used to establish the connection. */ - if ((cp = strchr(ads->auth.user_name, '@'))!=0) { + if ((cp = strchr_m(ads->auth.user_name, '@'))!=0) { *cp++ = '\0'; ads->auth.realm = smb_xstrdup(cp); strupper_m(ads->auth.realm); @@ -823,6 +823,20 @@ return -1; } +#ifdef HAVE_KRB5 + if (!kerberos_derive_salting_principal(machine_account)) { + DEBUG(1,("Failed to determine salting principal\n")); + ads_destroy(&ads); + return -1; + } + + if (!kerberos_derive_cifs_salting_principals()) { + DEBUG(1,("Failed to determine salting principals\n")); + ads_destroy(&ads); + return -1; + } +#endif + if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) { DEBUG(1,("Failed to save domain sid\n")); ads_destroy(&ads); 
@@ -1126,7 +1140,7 @@ } use_in_memory_ccache(); - c = strchr(auth_principal, '@'); + c = strchr_m(auth_principal, '@'); if (c) { realm = ++c; } else { diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/utils/ntlm_auth.c samba-3.0.8/source/utils/ntlm_auth.c --- samba-3.0.8pre2/source/utils/ntlm_auth.c 2004-10-25 16:05:09.000000000 -0500 +++ samba-3.0.8/source/utils/ntlm_auth.c 2004-11-07 14:43:24.000000000 -0600 @@ -920,7 +920,7 @@ if (NT_STATUS_IS_OK(status)) { - domain = strchr(principal, '@'); + domain = strchr_m(principal, '@'); if (domain == NULL) { DEBUG(1, ("Did not get a valid principal " @@ -1184,7 +1184,7 @@ pstr_sprintf(user, "%s@%s", opt_username, opt_domain); if ((retval = kerberos_kinit_password(user, opt_password, - 0, NULL))) { + 0, NULL, NULL))) { DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); return False; } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/source/VERSION samba-3.0.8/source/VERSION --- samba-3.0.8pre2/source/VERSION 2004-10-25 16:04:55.000000000 -0500 +++ samba-3.0.8/source/VERSION 2004-11-07 14:43:23.000000000 -0600 @@ -29,7 +29,7 @@ # e.g. SAMBA_VERSION_PRE_RELEASE=1 # # -> "2.2.9pre1" # ######################################################## -SAMBA_VERSION_PRE_RELEASE=2 +SAMBA_VERSION_PRE_RELEASE= ######################################################## # For 'rc' releases the version will be # diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8pre2/WHATSNEW.txt samba-3.0.8/WHATSNEW.txt --- samba-3.0.8pre2/WHATSNEW.txt 2004-10-25 21:39:34.000000000 -0500 +++ samba-3.0.8/WHATSNEW.txt 2004-11-07 21:45:46.294534000 -0600 
@@ -1,29 +1,52 @@ - ================================= - Release Notes for Samba 3.0.8pre2 - Oct 25, 2004 - ================================= - -This is a preview release of the Samba 3.0.8 code base. -It is *not* intended for production use but rather is -provided to allow people to test the bug fixes and new -features in the upcoming 3.0.8 release. Use at your own -risk. - -Common bugs fixed in 3.0.8pre2 include: - - o Several bugs in the spoolss printing code. - o Inconsistencies in the username map functionality - when configured on domain member servers. + ============================= + Release Notes for Samba 3.0.8 + Nov 7, 2004 + ============================= + +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all +current bug-fixes. There have been several important issues +fixes since the 3.0.7 release. See the "Changes" section for +details on exact updates. + +Common bugs fixed in 3.0.8 include: + + o Compile fixes for HP-UX + o Fixes for the printer publishing code used when joined to + an AD domain. + o Incompatibilities with file system quotas. + o Several bugs in the spoolss printing code and print system + backends. + o Inconsistencies in the username map functionality when + configured on domain member servers. o Various compile warnings and errors on various platforms. + o Fixes for kerberos interoperability with Windows 200x + domains when using DES keys. + o Fix for CAN-2004-0930 -- smbd remote DoS vulnerability. + -New features included in the 3.0.8pre1 release are: +New features included in the 3.0.8 release are: + o New migration functionality added the the net tool + for files/directories, printers, and shares. o New experimental idmap backend for assigning uids/gids directly based on the user/group RID when acting as a member of single domain without any trusts. o Additional printer migration support for XP/2003 platforms. 
- - + + +Change in Winbindd Behavior +--------------------------- + +All usernames returned by winbindd are now converted to lower +case for better consistency. This means any winbind installation +relying on the winbind username will need to rename existing +directories and/or files based on the username (%u and %U) to lower +case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may +include mail spool files, home directories, valid user lines in +smb.conf, etc.... + + Change in Username Map ---------------------- @@ -34,7 +57,7 @@ used for matches. This resulted in inconsistent behavior sometimes even on the same server. -Samba 3.0.8pre2 obeys the following rules when applying the username +Samba 3.0.8 obeys the following rules when applying the username map functionality: * When performing local authentication, the username map is 
@@ -46,13 +69,84 @@ after the user has been successfully authenticated. - ###################################################################### Changes ####### -Changes since 3.0.8pre1 +Changes since 3.0.8pre2 ----------------------- + Parameter Name Action + -------------- ------ + sendfile disabled by default + + +commits +------- + +o Jeremy Allison + * BUG 1651: Adapted patch from Nalin Dahyabhai for ensuring + that all of the appropriate service principal names are set + upon joining an AD domain. + * Fix the correct use of resume name in the trans2 code. + * BUG 1717: Adapted patch from Nalin Dahyabhai to detect the + correct salt used when generated the DES key after joining an + AD domain. + * Enhanced krb5 detection routines in the autoconf scripts. + + +o Gerald Carter + * Packaging fixes for Solaris, Redhat, & Fedora. + + +o Nalin Dahyabhai + * SMB signing fix for 56-bit DES session keys. + + +o Guenther Deschner + * BUG 1661: Fix build with recent heimdal releases. + * Prevent idmap_rid from making unnecessary calls to domain + controllers for trusted domains. + + +o SATOH Fumiyasu + * BUG 1498: Ensure that acl entries are stored in the correct + order. + + +o Brett Funderburg + * BUG 1884: Fixes for the Python bindings to use the value + of the desired_access filed passed into the lsa_open_policy() + routines. + + +o Volker Lendecke + * Memory leak fixes. + * Fix checks for the local pid of an smbd process after + reopening tdbs. + +o Herb Lewis + * Added tdbtool to be built by default. + + +o Luke Mewburn + * BUG 1782: Prevent testparm from displaying parameter synonyms. + + +o Narayana Pattipati + * Solaris autoconf detection fixes. + + +o Matt Selsky + * BUG 350: use autoconf 2.57 feature for checking header file + preprocessing (fixes configure warnings on Solaris). + + +o Michael Sweet + * BUG 1892: Updated smbspool for use with newer CUPS libraries. + + +Changes since 3.0.7 +------------------- smb.conf changes ---------------- 
@@ -65,6 +159,24 @@ ------- o Jeremy Allison + * Ensure extended security bit is on only if we negotiated + extended security. + * Simplify statcache to use an in-memory tdb. + * If you're selecting a hash algorithm for tdb, you need + to do it at open time. + * Removed old dir caching code - not being used now we + have the statcache anyway. + * Simplify the mangle hash code to use an in-memory tdb. + * Merge iconv changes from Samba 4 branch. + * Fix parsing of names ending in dot and a few other error + returns. + * BUG 1667: Smbpasswd file could be left locked on some + error exits. + * Fixes for smbclient tar functionality. + * BUG 1743: Fix logic bug the deferred open code. + * Don't try to set security descriptors on shares where + this has been turned off. + * Return correct error codes on old SEARCH call. * Ensure we set errno = E2BIG when we overflow in the fast-path character conversion code. * Fix the roundup problem (returning 1mb roundup) for @@ -84,6 +196,12 @@ o Andrew Bartlett + * Avoid changing the machine account password in the passdb + backend, when it has 'already been changed'. This occurs + in situations where the secure channel between the workstation + and the DC breaks down, such as occurred in the MS04-11 + security patch. + * Fix utility name in error message in ntlm_auth. * Fix NTLMv2 for use with pam_winbind. * Remove conversion to and from UTF8 on the winbind pipe. * Allow 'require_membership_of' and 'require-membership-of'. 
@@ -93,7 +211,22 @@ when generating SAMR replies. +o Igor Belyi + * Ensure pdb user is deleted first before deleting UNIX + user (LDAP backend needs this ordering). + + +o Cornelio Bondad Jr + * Fix core dump in 'net rpc vampire'. + + +o Vince Brimhall + * Make ldapsam_compat robust against NULL attributes. + + o Gerald Carter + * Don't limit the number of groups returned by winbindd_getgroups() + by NGROUPS_MAX. * BUG 1519: Match Windows 2000 behavior when opening a printer using a servername in the form of an IP address or DNS name. @@ -111,11 +244,32 @@ and not the complete domain\username string. +o Sean Chandler + * Fix memlieak in cliconnect.c. + + o Darren Chew * Solaris packaging fixes. o Guenther Deschner + * add IA64 to the architecture table of printer-drivers. + * Add file/share/printer migration functionality to + the net command. + * Show correct help for net groupmap commands. + * Fix deadlock loop in winbind's required_membership_sid + verification. + * Bring the same level of "required_membership"-functionality + that ntlm_auth uses, to pam_winbindd as well. + * Prevent "net lookup kdc" from seg-faulting when + using our own implementation of krb5_lookup_kdc with + heimdal. + * Adding getprinter level 7 to rpcclient. + * Support migrating printers|shares|files from Server A + to Server B while running the net-command on client C. + * Fixed krb5_krbhost_get_addrinfo()-parameters and make + failure of this call non-critical (Thanks to Love @ Heimdal + for the explanation and patch). * Fix typos in net's usage-output. * Fix the paranoia-check to ensure the ldap-attribute and the smb.conf-parameter for samba's "algorithmic rid base" in ldapsam 
@@ -139,6 +293,22 @@ Sumit Bose ). +o Arthur van Dongen + * Fix typos in pam_winbind log messages and SuSE + packaging files. + + +o Rob Foehl + * Typo fixes for log messages in printer publishing code. + * Fix memory leak in printer publishing code. + * Ensure print_backend_init() only gets called once. + * Have smbd check the published status of all printers + at startup. + * Cleanup up the XXX_a_printer() API for consistency. + * Refactored the printer publishing code and include better + error handling. + + o Steve French * Fix IP address override in mount.cifs mount helper and clean up warning messages from the sparse tool and expand syntax help. @@ -151,7 +321,7 @@ character width, not unix character width. -o Brett Funderburg +o Brett Funderburg * Pass create options parameter to nt_create_andx() function from the python bindings. * BUG 1864: Add sd->type field to security descriptor Python @@ -167,6 +337,8 @@ o Chris Hertel + * Fix logic bug in splay tree data structure when finding + a leaf node. * Fix bug where an invalid MAC address would be printed by a node status lookup from nmblookup. 
@@ -184,11 +356,26 @@ * Convert files from status page from unix charset to UTF-8. +o Guenter Kukkukk + * BUG 1590: Fix for talking to OS/2 clients (max_mux ignored). + + o Tom Lackemann - BUG 1954: Fix memory leak in posix acl code. + * BUG 1954: Fix memory leak in posix acl code. o Volker Lendecke + * Robustnss fix for winbindd when sending multiple requests + at a high rate for a slow operation. + * Solve the problem of user sids ending up with gid's + and vice versa. + * Use sys_fork instead of fork for the dual daemon so that + we get the correct debug pid in the logfiles. + * Based on patch from jmcd, implement special lists for the LDAP + user attributes to delete. + * Fix creation of aliases via usrmgr. Winbind was too strict + checking the type of sids. + * Lowercase all usernames returned by winbind. * BUG 1545, 1823: Only issue the ldap extended password change operation if the ldap server supports it. Also ignore object class violation errors from the extended operation. @@ -210,8 +397,15 @@ * Memory leak fix. +o Jim McDonough + * Allow 'net ads lookup' to rely on command line arguments + if contacting an ADS server fails; utilize cldap for lookups. + * Fixup formatting errors in TDB_LOG calls; add printf attribute + support to tdb log functions. + + o Bill McGonigle - BUG 1926: Type in debug message. + * BUG 1926: Type in debug message. o Sean McGrath 
@@ -219,199 +413,16 @@ for libsmbclient. -o Tim Potter - * Fix bug in Python printerdata wrapper. - * BUG 1762: nss_winbind fixes on AIX 5.x (patch from - ). - * Fix parameter confusion in priming of name-to-sid cache - (Found by Qiao Yang). - * BUG 1888: Remove '..' from all pre-processor commands. - * BUG 1903: Change some #if DEBUG_PASSWORD's to #ifdef - DEBUG_PASSWORD. - - -o Richard Sharpe - * Ensure cli_write() can support writes >= 65536 bytes. - - -o Simo Sorce - * Fix memory corruption bug caused in freeing static memory. - - -o Andrew Tridgell - * Reduces the number of tdb locking calls made on file IO. - - -o Jelmer Vernooij - * Complain if 'password chat' doesn't contain the %u variable - (based on a patch by Ronan Waide). - - -Changes for older versions follow below: - - -------------------------------------------------- - ================================= - Release Notes for Samba 3.0.8pre1 - Sept 24, 2004 - ================================= - -Common bugs fixed in 3.0.8pre1 include: - - o Compile fixes for HP-UX - o Fixes for the printer publishing code used when - joined to an AD domain. - o Incompatibilities with file system quotas. - -New features included in the 3.0.8pre1 release are: - - o New migration functionality added the the net tool - for files/directories, printers, and shares. - - -Change in Winbindd Behavior ---------------------------- - -All usernames returned by winbindd are now converted to lower -case for better consistency. This means any winbind installation -relying on the winbind username will need to rename existing -directories and/or files based on the username (%u and %U) to lower -case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may -include mail spool files, home directories, valid user lines in -smb.conf, etc.... - -Changes since 3.0.7 -------------------- - -commits -------- -o Jeremy Allison - * Ensure extended security bit is on only if we negotiated - extended security. 
- * Simplify statcache to use an in-memory tdb. - * If you're selecting a hash algorithm for tdb, you need - to do it at open time. - * Removed old dir caching code - not being used now we - have the statcache anyway. - * Simplify the mangle hash code to use an in-memory tdb. - * Merge iconv changes from Samba 4 branch. - * Fix parsing of names ending in dot and a few other error - returns. - * BUG 1667: Smbpasswd file could be left locked on some - error exits. - * Fixes for smbclient tar functionality. - * BUG 1743: Fix logic bug the deferred open code. - * Don't try to set security descriptors on shares where - this has been turned off. - * Return correct error codes on old SEARCH call. - - -o Andrew Bartlett - * Avoid changing the machine account password in the passdb - backend, when it has 'already been changed'. This occurs - in situations where the secure channel between the workstation - and the DC breaks down, such as occurred in the MS04-11 - security patch. - * Fix utility name in error message in ntlm_auth. - - -o Igor Belyi - * Ensure pdb user is deleted first before deleting UNIX - user (LDAP backend needs this ordering). - - -o Cornelio Bondad Jr - * Fix core dump in 'net rpc vampire'. - - -o Vince Brimhall - * Make ldapsam_compat robust against NULL attributes. - - -o Gerald Carter - * Don't limit the number of groups returned by winbindd_getgroups() - by NGROUPS_MAX. - - -o Sean Chandler - * Fix memlieak in cliconnect.c. - - -o Guenther Deschner - * add IA64 to the architecture table of printer-drivers. - * Add file/share/printer migration functionality to - the net command. - * Show correct help for net groupmap commands. - * Fix deadlock loop in winbind's required_membership_sid - verification. - * Bring the same level of "required_membership"-functionality - that ntlm_auth uses, to pam_winbindd as well. - * Prevent "net lookup kdc" from seg-faulting when - using our own implementation of krb5_lookup_kdc with - heimdal. 
- * Adding getprinter level 7 to rpcclient. - * Support migrating printers|shares|files from Server A - to Server B while running the net-command on client C. - * Fixed krb5_krbhost_get_addrinfo()-parameters and make - failure of this call non-critical (Thanks to Love @ Heimdal - for the explanation and patch). - - -o Arthur van Dongen - * Fix typos in pam_winbind log messages and SuSE - packaging files. - - -o Rob Foehl - * Typo fixes for log messages in printer publishing code. - * Fix memory leak in printer publishing code. - * Ensure print_backend_init() only gets called once. - * Have smbd check the published status of all printers - at startup. - * Cleanup up the XXX_a_printer() API for consistency. - * Refactored the printer publishing code and include better - error handling. - - -o Chris Hertel - * Fix logic bug in splay tree data structure when finding - a leaf node. - - -o Guenter Kukkukk - * BUG 1590: Fix for talking to OS/2 clients (max_mux ignored). - - -o Volker Lendecke - * Robustnss fix for winbindd when sending multiple requests - at a high rate for a slow operation. - * Solve the problem of user sids ending up with gid's - and vice versa. - * Use sys_fork instead of fork for the dual daemon so that - we get the correct debug pid in the logfiles. - * Based on patch from jmcd, implement special lists for the LDAP - user attributes to delete. - * Fix creation of aliases via usrmgr. Winbind was too strict - checking the type of sids. - * Lowercase all usernames returned by winbind. - - -o Jim McDonough - * Allow 'net ads lookup' to rely on command line arguments - if contacting an ADS server fails; utilize cldap for lookups. - * Fixup formatting errors in TDB_LOG calls; add printf attribute - support to tdb log functions. +o Stefan Metzmacher + * Fix crash in smbcquotas and smbcacls caused by setup_logging(). + * Fix client quota support. + * Fix opening of system quota file. 
o Lars Mueller * Small fixes for autogen.sh to deal with version detection of autoconf and autoheader; fixes for examples using libtool to adhere to stricter syntax of newer version. - - -o Stefan Metzmacher - * Fix crash in smbcquotas and smbcacls caused by setup_logging(). - * Fix client quota support. - * Fix opening of system quota file. o Henrik Nordstrom @@ -426,6 +437,14 @@ * BUG 1731: More HP-UX compiles fixes. * BUG 1778: Include yp_prot.h before ypclnt.h as AIX 5.2 spits the dummy otherwise. + * Fix bug in Python printerdata wrapper. + * BUG 1762: nss_winbind fixes on AIX 5.x (patch from + ). + * Fix parameter confusion in priming of name-to-sid cache + (Found by Qiao Yang). + * BUG 1888: Remove '..' from all pre-processor commands. + * BUG 1903: Change some #if DEBUG_PASSWORD's to #ifdef + DEBUG_PASSWORD. o Richard Renard @@ -437,8 +456,13 @@ truncation as create_workgroup. +o Richard Sharpe + * Ensure cli_write() can support writes >= 65536 bytes. + + o Simo Sorce * Added check password script code in examples/auth/crackcheck/ + * Fix memory corruption bug caused in freeing static memory. o Andrew Tridgell @@ -450,10 +474,13 @@ code. * Changed iconv to recognise UCS-2LE and UTF-16LE as synonyms. * Ensure configure only uses '=' instead of the bashism '=='. - + * Reduces the number of tdb locking calls made on file IO. + o Jelmer Vernooij * Convert internal data to UTF-8 before calling libxml2. + * Complain if 'password chat' doesn't contain the %u variable + (based on a patch by Ronan Waide). o Josef Zlomek @@ -465,6 +492,8 @@ option. +Changes for older versions follow below: + -------------------------------------------------- ============================= Release Notes for Samba 3.0.7