IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
to break. The Solaris CC put the static char InBuffer[TOTAL_BUFFER_SIZE] on an
odd address, the malloc'ed one is always aligned. The problem showed up in
pull_ucs2, ucs2_align uses the address of InBuffer as an indication whether to
bump up the src of the string by one. Unfortunately in the trans calls the
data portion is malloced and thus has different alignment guarantees than a
static variable. This one is bigger....
Volker
(This used to be commit 6affd7818f6981be2a9f44fcf302e7fddb468347)
In make_server_info_pw() we assign a user SID in our
authoritative SAM, even though this may be from a
pure "Unix User" that doesn't exist in the SAM.
This causes lookups on "[in]valid users" to fail as they
will lookup this name as a "Unix User" SID to check against
the user token. Fix this by adding the "Unix User"\unix_username
SID to the sid array. The correct fix should probably be
changing the server_info->sam_account user SID to be a
S-1-22 Unix SID, but this might break old configs where
plaintext passwords were used with no SAM backend.
Jeremy
(This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db)
Remove the allocated inbuf/output. In async I/O we copy the buffers
explicitly now, so NewInBuffer is called exactly once. This does not
reduce memory footprint, but removes one of the larger chunks that
clobber the rest of the massif output
In getgroups_unix_user on Linux 2.6 we allocated 64k groups x 4 bytes
per group x 2 (once in the routine itself and once in libc) = 512k just
to throw it away directly again. This reduces it do a more typical limit
of 32 groups per user. We certainly cope with overflow fine if 32 is not
enough. Not 100% sure about this one, a DEVELOPER only thing?
(This used to be commit 009af0909944e0f303c5d496b56fb65ca40a41d5)
Got report this is all ok form a tester. Close a loong
standing bug preventing people to freely use any character
in their password when printing via cups were involved.
(This used to be commit 54ca011212982cf1d94a76ca9d39c391783da04f)
why check_path_syntax should not be able to run in-line. The destination
pointer either walks side by side with the source pointer or is
decremented. So as far as I can see s>=d is true throughout the whole
routine.
Jeremy, I'm checking this only into 3_0 for now. Please review and ack
or directly merge this to 3_0_26.
Thanks,
Volker
(This used to be commit 34a13c82a3b72d6900614b57c58fbaefeeca8fa7)
Jeremy, I am always very confused about the different length arguments
in convert_string and friends. Can you take a look at the change in
string_replace and verify it's ok? Thanks!
While at it, remove the pstring limit for strhasupper and strhaslower.
(This used to be commit e6e5703658aeaeb0cca5d7281095e17553001d4b)
Change rename_internals to open the file/directory and then call
rename_internals_fsp. Two reasons: Remove code duplication and remove a
race condition. The race condition was due to the fact that in
can_rename the share mode check closed the file and then after that did
the rename.
(This used to be commit aa16d8a649d1a38593edd5ca94ed2c7d4291911b)
- when cleaning up invalid locks make sure we mark the lck
struct as modified so it'll get saved back correctly (that
was the original intent).
Jeremy.
(This used to be commit cbf0829abcc3689edd7ab225054dfc79d43c6309)
reg #defines use "REG_" prefix. Michael - please check
gcc warnings on compiles.
Jeremy.
(This used to be commit 7885b68bb5df0ebe290feca0e74b4a20ef59e718)
The global options are stored as values in the subkey "global"
of the SMBCONF registry key.
The activation is accomplished in smb.conf though a new special
semantic of the "include" parameter: "include = registry" triggers
the processing of the registry global options exactly at the
position of the include statement. Options read from the registry
take the same precedence as parameters loaded from a file via
include. Need to reload the registry globals is detected by
watching the tdb sequence number.
Registry shares are automatically activated when the registry
globals are processed.
So a "registry only" configuration can be realized by an
smb.conf that looks as follows:
================================
[global]
include = registry
================================
The global options and registry shares can be conveniently
edited with the "net conf" utility.
Caveat:
A possible pitfall consists in using "include = registry"
together with the "lock directory" directive in the registry.
This problem will be addressed in the next time.
Note on the code:
Processing of the registry options is accomplished by a function
process_registry_globals() in loadparm.c The current version is
only an interim solution: It is handcoded instead of using the
infrastructure of reg_api.c. The reason for this is that using
reg_api still has too large linker dependencies, bloating virtually
all targets by PASSDB_OBJ, SMBLDAP_OBJ, GROUPDB_OBJ and LDB stuff.
A version of process_registry_globals that uses reg_api is
included but commented out. The goal is to eventually refactor
and restructure the registry code so that one can use the reg_api
to access only the registry tdb and not link all the dynamic
backends with all their linking implications.
(This used to be commit 24b0cbcb3741dd14b04728448a85cc04a057e7d0)
This eliminates the need of maintaining reg_db's own
reference counter for the tdb. Maybe as a next step...
Michael
(This used to be commit 31d64767fc8a73be1f6b81e2712d687897f812a0)
With the target being open we have to return NT_STATUS_ACCESS_DENIED and
root_fid != 0 leads to NT_STATUS_INVALID_PARAMETER
(This used to be commit b599e5b1e10bdf825b2ce53de4a6ec35726d00f6)
Further reduce the diff between 3_0 and 3_0_26 by some reformatting
and rearrangements.
Michael
(This used to be commit 02685358d104775e6b8cad156aa70458ab3a55f6)
activation of global registry options in loadparm.c, mainly to
extract functionality from net_conf.c to be made availabel elsewhere
and to minimize linker dependencies.
In detail:
* move functions registry_push/pull_value from lib/util_reg.c to new file
lib/util_reg_api.c
* create a fake user token consisting of builtin administrators sid and
se_disk_operators privilege by hand instead of using get_root_nt_token()
to minimize linker deps for bin/net.
+ new function registry_create_admin_token() in new lib/util_reg_smbconf.c
+ move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c
+ adapt net_conf.c and Makefile.in accordingly.
* split lib/profiles.c into two parts: new file lib/profiles_basic.c
takes all the low level mask manipulation and format conversion functions
(se_priv, privset, luid). the privs array is completely hidden from
profiles.c by adding some access-functions. some mask-functions are not
static anymore.
Generally, SID- and LUID-related stuff that has more dependencies
is kept in lib/profiles.c
* Move initialization of regdb from net_conf.c into a function
registry_init_regdb() in lib/util_reg_smbconf.c.
Michael
(This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
emited to the Makefile in the DEVELOPER_CFLAGS variable. This makes
it easy to turn developer mode on and off without waiting for
configure to run. The developer flags are only added to CFLAGS for
the --enable-developer and --enable-krb5developer cases.
(This used to be commit 4b392a76eb392375f369c8c64fccd138833dcb52)
when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.
There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator. Checked against MIT 1.5.1. Have not
researched how Heimdal does it.
My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the
max depth winbindd will expand group members. The default
is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async. I
haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
its own function.
(This used to be commit 3d3a8130351753dc5caa2a270d130e2150da6b54)
Add a function to retrieve the registry db sequence number.
This is in preparation of loadparm integration of registry global
smb.conf options: this will allow to detect changes in order to trigger reload.
Michael
(This used to be commit ebe2ea8f22bfe0855beee087af771c690db443c1)
