IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We use cli_state.smb_rw_error to pass this specific case into cli_close_connection()
from smbmount as smb_rw_error can have only selected number of states and
it is ignored in cli_close_connection().
Compiled and tested by Lars Mueller from SuSE on x86, x86_64, ppc, ppc64, s390 and
s390x.
New protocol option "ea support" to turn them on (off by default). Conrad
at Apple may like this as it allows MacOS resource forks to be stored on
a file. Passes valgrind. Documentation to follow.
Jeremy.
ago.
This patch re-adds support for 'optional' SMB signing. It also ensures that
we are much more careful about when we enable signing, particularly with
on-the-fly smb.conf reloads.
The client code will now attempt to use smb signing by default, and disable
it if the server doesn't correctly support it.
Andrew Bartlett
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
converted to pull/push_ascii. This will not work right at the moment for non
English codepages, but compiles - I will finish the work over the weekend.
Then nmbd should be completely codepage correct.
Jeremy.
Ensure a server can't do a downgrade attack if client signing is mandatory.
Add a lp_server_signing() function and a 'server signing' parameter that
will act as the client one does.
Jeremy
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(to match win2003 behaviour)
- added the STR_TERMINATE_ASCII flag from samba4 so we can get the
string termination right for the case where it is supposed to be
non-terminated for UCS2 and terminated when ASCII
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab
2. Disabled by default and when requested, will be probed and enabled only on Linux where it works
3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far
Documentation to follow
1. Finally work with cascaded modules with private data storage per module
2. Convert VFS API to macro calls to simplify cascading
3. Add quota support to VFS layer (prepare to NT quota support)
Patch by Stefan (metze) Metzemacher, with review of Jelmer and me
Tested in past few weeks. Documentation to new VFS API for third-party developers to follow
-------------------------------------------------------------------------
I think there are basically two problem:
1. Windows clients do not always send ACEs for SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ,
and SMB_ACL_OTHER.
The function ensure_canon_entry_valid() is prepared for that, but tries
to "guess" values from group or other permissions, respectively, otherwise
falling back to minimum r-- for the owner. Even if the owner had full
permissions before setting ACL. This is the problem with W2k clients.
2. Function set_nt_acl() always chowns *before* attempting to set POSIX ACLs.
This is ok in a take-ownership situation, but must fail if the file is
to be given away. This is the problem with XP clients, trying to transfer
ownership of the original file to the temp file.
The problem with NT4 clients (no ACEs are transferred to the temp file, thus
are lost after moving the temp file to the original name) is a client problem.
It simply doesn't attempt to.
I have played around with that using posic_acls.c from 3.0 merged into 2.2.
As a result I can now present two patches, one for each branch. They
basically modify:
1. Interpret missing SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, or SMB_ACL_OTHER
as "preserve current value" instead of attempting to build one ourself.
The original code is still in, but only as fallback in case current values
can't be retrieved.
2. Rearrange set_nt_acl() such that chown is only done before setting
ACLs if there is either no change of owning user, or change of owning
user is towards the current user. Otherwise chown is done after setting
ACLs.
It now seems to produce reasonable results. (Well, as far as it can. If
NT4 doesn't even try to transfer ACEs, only deliberate use of named default
ACEs and/or "force group" or the crystal ball can help :)
-------------------------------------------------------------------------
Jeremy.
