This makes it clear that they cannot be a DC until they are upgraded with
samba-tool domain dcpromo.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 6 09:59:13 CEST 2012 on sn-devel-104
This command is like dcpromo in that it upgrades the existing workstation account
to be a domain controller.
The SID (and therefore any file ownerships) is preserved.
Andrew Bartlett
This allows the parent to be renamed while a new object is added on another replica.
This rename may also be a delete, in which case we must move it to lostandfound.
Andrew Bartlett
Thanks to Torsten Kurbad. This fixes #9025.
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Wed Jul 4 13:51:07 CEST 2012 on sn-devel-104
In create and fetch subcommands, we also need to know DC hostname. So first
find a DC and use DC hostname to construct connection url. If ldap:// url is
specified with -H, then use that to construct DC hostname.
This version of BIND only ever caused pain when trying to do dynamic DNS.
If users are using this version, simply treat it as a static server.
Andrew Bartlett
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionality, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
Will allow thread-specific credentials to be added by modifying
the central definitions. Deliberately left the setXX[ug]id()
call in popt as this is not used in Samba.
This validates the password expiry, account disable in the s3 auth code
and the save/restore of values in tdbsam.
It also provides the first test of some net sam set subcommands.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 28 20:39:38 CEST 2012 on sn-devel-104
In particular, on a virtual machine after a forced reboot, it
contained "Ille" instead of a valid PID. Given it was the right
length, I'm assuming it was filesystem corruption.
process_exists_by_pid() then panics, when given a pid < 1.
Reported-by: lostogre on #samba-technical
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Thu Jun 28 05:19:24 CEST 2012 on sn-devel-104
This was an interesting hack, and the local_password module still exists, but
until it has a use case and a test case, remove the bypass of password_hash.
Andrew Bartlett
This means we do not need to run samba_upgradedns any more.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 24 18:10:10 CEST 2012 on sn-devel-104
This also tests the comparison with LDAP on anonymous connections
and marks this as knownfail, while we investigate the correct
behaviour here.
Andrew Bartlett
We need to have the struct dreplsrv_partition_source_dsa around until the end of the
async op, so we use talloc_reference after carefully checking the callers and
making the modifications required.
This prevents a crash when replicating partitions in the vampire_dc test after
adding DNS replication at join time.
Andrew Bartlett
modifyTimeStamp is a generated attribute, for most objects it's generated
directly from the whenChanged attribute. But for the CN=aggregate object
in the schema we have to handle it in a different way, that's because
for this object whenChanged!=modifyTimeStamp (as checked against Windows
2003R2 DCs) instead the modifyTimeStamp reflects the timestamp of the
most recently modified and loaded schema object (that is to the one with
the highest USN before the schema was reloaded due to timeout or by the
reloadSchemaNow command).
Some third parties are using this information to know if they have to
update their schema cache and also to check that schema updates have
been correctly reloaded by the DC, a good example of this behavior is
Exchange 2010.
If the value has changed then reload the schema, this means that now the
schema is only reloaded on a periodical basis or if we have been asked
explicitly to do it and not necessarily if the schema partition has
changed.
In theory when presented this control and not a GC we should use the
specified name as the DC to contact for cross-domain link verification.
But for the moment we don't support this so we just fail when we have
this control and are not a GC.
We search in the schema if we have already this intid (using dsdb_attribute_by_attributeID_id because
in the range 0x80000000 0xBFFFFFFFF, attributeID is a DSDB_ATTID_TYPE_INTID).
If so generate another random value.
If not check if the highest USN in the database for the schema partition is the
one that we know.
If so it means that only this ldb context is touching the schema in the database.
If not it means that someone else has modified the database while we are doing our changes too
(this case should be very very rare) in order to be sure do the search in the database.
Samba 4 used to try to reload the schema every time dsdb_get_schema was
called (which could be 20+ times per ldb request). Now we only reload at
most every xx seconds (xx being the value of dsdb:"schema_reload_interval"
or 120). The timestamp of the last reloaded schema is kept in the
dsdb_schema object. There is also a timestamp in the ldb_context, that
is used by the LDAP server to know if it has to reload the schema after
handling the request. This is used to allow that the schema will be
immediately reloaded after a schemaUpdateNow request has been issued, the
reload can't occur in the handling of the LDAP request itself because
we have a transaction autostarted.
This way we can give anonymous full access to the directory.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jun 22 11:30:06 CEST 2012 on sn-devel-104
This uses the tokenGroups attribute on LDAP and the posix whoami call
to confirm that user token matches between LDAP and CIFS.
I have a separate patch for the anonymous case, because this isn't
consistent at this stage, and we need to study and fix that.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 20 18:43:43 CEST 2012 on sn-devel-104
This just leaves a default enough for the test code to still check the start
of the provision. This may well be removed in future, and we wish to reduce
the extra options to provision.
Andrew Bartlett
This reverts commit 06c90cb6f5.
There is genuine interest in using this currently unused code, so put
it back into the tree to avoid folks having to rewrite it.
It should be carefully hooked back into libnet at some point, and
possibly told how to talk to the s3 nmbd socket if nbt_server isn't
running.
The wscript patches are skipped, due to the way the extra
dep interacted with the build system. When used, this will be resolved.
Andrew Bartlett
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
This makes sure config.h gets included first.
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 17 16:16:24 CEST 2012 on sn-devel-104
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 23:59:07 CEST 2012 on sn-devel-104
This is a static const struct and the name is never used,
so just make it an anonymous struct.
This hopefully fixes the build on AIX:
"../source4/heimdal/lib/roken/roken-common.h", line 276.9: 1506-236 (W) Macro name __attribute__ has been redefined.
"../source4/heimdal/lib/roken/roken-common.h", line 276.9: 1506-358 (I) "__attribute__" is defined on line 45 of ../source4/heimdal/lib/com_err/com_err.h.
"../source4/heimdal/lib/krb5/expand_path.c", line 331.21: 1506-334 (S) Identifier token has already been defined on line 98 of "/usr/include/net/if_arp.h".
"../source4/heimdal/lib/krb5/expand_path.c", line 390.43: 1506-019 (S) Expecting an array or a pointer to object type.
"../source4/heimdal/lib/krb5/expand_path.c", line 391.31: 1506-019 (S) Expecting an array or a pointer to object type.
"../source4/heimdal/lib/krb5/expand_path.c", line 392.20: 1506-019 (S) Expecting an array or a pointer to object type.
"../source4/heimdal/lib/krb5/expand_path.c", line 392.48: 1506-019 (S) Expecting an array or a pointer to object type.
"../source4/heimdal/lib/krb5/expand_path.c", line 393.39: 1506-019 (S) Expecting an array or a pointer to object type.
Waf: Leaving directory `/opt/home/build/build_farm/samba_4_0_test/bin'
Build failed: -> task failed (err #1):
{task: cc expand_path.c -> expand_path_52.o}
gmake: *** [all] Error 1
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 15:20:59 CEST 2012 on sn-devel-104
This commit changes the default file server to be s3fs. Existing
installs wishing to keep the ntvfs file server need to set this in
their smb.conf:
server services = +smb -s3fs
dcerpc endpoint services = +winreg +srvsvc
Andrew Bartlett
This is a solution for users who are upgrading from Samba 3.x in
particular, or have clients that will be using idmap_ad. This avoids
needing to have duplicate values in idmap.ldb and in the directory.
No check for conflicts is made with the idmap.ldb - the AD store always wins.
Andrew Bartlett
We changed a lot since alpha13, so there are lots of legitimate errors to fix.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 16 05:44:15 CEST 2012 on sn-devel-104
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentally
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
This hopefully fixes the build on systems where _LARGE_FILES
triggers defines of syscalls e.g. '#define lseek lseek64'
on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 13 11:03:15 CEST 2012 on sn-devel-104
cc-1028 cc: ERROR File = ../source4/heimdal/lib/asn1/gen_template.c, Line = 548
The expression used must have a constant value.
struct templatehead template = { 0L, &(template). tqh_first };
^
If this really fixes the IRIX build, we'll propose this for heimdal upstream.
metze
--without-ad-dc was hardwired to mean --with-system-mitkrb5. With this change
it is also possible to build source3/ code and source4/ client side without
building AD DC functionality using Heimdal (embedded or system).
This would only do the NBT getdc lookup for a single DC (but would
find multiple DCs at first stage), but more particular it of course
uses Netbios rather than DNS names.
In any case it was also unused, as we use CLDAP for reliable DC
location these days.
Found by callcatcher
Andrew Bartlett
To remove finddcs_nbt these missing deps need to be added. These
subsystems linked to implicit dependencies provided by finddcs.
Due to the new arrangement of subsystems, MESSAGING needs to be a
private library to avoid being a source of duplicate symbols.
Andrew Bartlett
When an A/AAAA lookup is made for a name that actually is a CNAME
record, we need to return the CNAME record, and then do the A/AAAA
lookup for the name the CNAME points at.
This still fails for CNAMEs pointing at records for domains we need to
ask our forwarders for.
Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Wed Jun 6 15:23:55 CEST 2012 on sn-devel-104
This avoids issues in the previous location where lp may not be initialised at this point
and instead simply waits until we have a known sysvol path, and test for ACL support
there.
Andrew Bartlett
This patch does two things: it fixes up the spelling of "state dir" to
"state directory" so that we actually find the smb.conf parameter, and
we move it to after we process the global settings in case this is
changed in the future.
Andrew Bartlett
This reverts commit f8c447b1a4.
After discussing with Julien (Openchange) and Metze, I decided to revert this code.
Instead I made a patch to Openchange which allows to build client side only.
Openchange server code requires working s4 member DC and --without-ad-dc build
does not provide working provisioning even if we enable dcerpc_server and end point mapper.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Fri Jun 1 16:46:08 CEST 2012 on sn-devel-104
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Fri Jun 1 11:23:21 CEST 2012 on sn-devel-104
Thanks to Matthieu Patou <mat@matws.net> for pointing it out.
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed May 30 17:00:01 CEST 2012 on sn-devel-104
This covers both migrations from s3 and joining a domain as a new DC.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed May 30 14:57:22 CEST 2012 on sn-devel-104
This is also where the related krb5_princ_component is declared.
Also fix the configure check to use the correct name
This helps the autoconf build on Heimdal.
Andrew Bartlett
This means that *no* fixing will be done, also the first possible one
will be omitted as well.
Reviewed-by: abartlet
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue May 29 21:36:25 CEST 2012 on sn-devel-104
to make smbtorture report the error instead of complaining about missing torture_ call
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue May 29 13:57:42 CEST 2012 on sn-devel-104
With s3fs now well settled into master, we now throw the switch and make
it the default.
There is still much to do, but we need to be using s3fs by default to
find out exactly what that is.
Andrew Bartlett
When reloading zones, named first creates new zone instance and then shuts down
the old instance. Since ldb layer, keeps the same LDB open, talloc_free() on samdb
handle, causes talloc "access after use" error.
This patch keeps only single context (dlz_bind9_data) and uses reference counting
to decide when to actually free the context. Since samdb handle is reused, use
talloc_unlink() instead of talloc_free() on samdb handle.
After consolidating DNS resolver code to lib/addns, there is one piece
that still needs to be moved into a common DNS resolver library: DNS_HOSTS_FILE
subsystem. Unfortunately, direct move would require lib/addns to depend on
libcli/util/{ntstatus.h,werror.h} (provided by errors subsystem).
In addition, moving libcli/dns/* code to lib/addns/ would make conflicting
the dns_tkey_record struct. The conflict comes from source4/dns_server/ and is due
to use of IDL to define the struct. lib/addns/ library also provides its own definition
so we either need to keep them in sync (rewrite code in lib/addns/ a bit) or
depend on generated IDL headers.
Thus, making a private library and subsystem clidns is an intermediate step
that allows to buy some time for refactoring.
System MIT krb5 build also enabled by specifying --without-ad-dc
When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
When export_keytab is not compiled in (pure client-side Samba 4 build as with
system MIT krb5), export-keytab command of samba-tool will not be available.
Make sure it is not provided but its absence does not break the Python tool.
After migrating to use libaddns, reply_to_addrs() needed to change the
way answers are iterated through. Originally libroken implementation
gave all answers as separate records with last one being explicitly NULL.
libaddns unmarshalling code gives all non-NULL answers and should be
iterated with explicit reply->num_answers in use.
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri May 18 18:25:42 CEST 2012 on sn-devel-104
This ensures that if this fails, it is reported as a subunit error correctly.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri May 18 09:35:13 CEST 2012 on sn-devel-104
Thanks to Wolfgang Sourdeau for reporting this.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8946
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri May 18 04:50:17 CEST 2012 on sn-devel-104
This replaces "bin/python" with the correct path for python libraries. The
pattern requires double quotes (") instead of single quotes (').
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Tue May 15 05:19:46 CEST 2012 on sn-devel-104
On a session setup with EXTENDED_SECURITY we'll get ERRSRV:ERRbaduid,
while a session setup without EXTENDED_SECURITY ignores the given vuid.
Before this test was doing a reauth of a given vuid, which works for newer
Windows versions, but Windows 2000 gives INVALID_PARAMETER.
metze
TODO: add test_session with 'use spnego = false'.
We need a way to set an option just for one test case.
Note: the 'use spnego = false' was ignored before as it's
only used on the first session setup on a connection.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue May 8 04:50:39 CEST 2012 on sn-devel-104
If we try a session setup without EXTENDED_SECURITY after
one with EXTENDED_SECURITY Windows 2008 R2 returns INVALID_PARAMETER,
while Windows 2000 sp4 returns LOGON_FAILURE...
metze
This fixes rpath for samdb-common private library after make install.
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Mon May 7 07:40:29 CEST 2012 on sn-devel-104
This causes upgraded domains to have a too-long password expiry, which in extreme
cases can cause the KDC to misfunction.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun May 6 14:49:39 CEST 2012 on sn-devel-104
For now let's just lose this functionality with the MIT build.
gss_import/export_cred should be available when MIT 1.11 is released and this
code is used only in some proxy scenario. Not normally needed for common
configurations.
Unfortunately these functions are not available in MIT and there is no easy
workaround or compat function I can see at this stage. Will fix properly once
MIT gets the necessary functions or if another workaround can be found.
Make it clearly a gensec_krb5 accessory file.
This function should never be used anywhere else.
This function was copied out from the Heimdal tree and is kept in a separate
file for clarity and to keep the original license boilerplate.
This makes it simpler to slowly integrate MIT support and also makes it
somewhat clearer what operation is really requested.
The 24u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.
The service principal names need to be case-insensitively unique, otherwise we
end up in a LDB ERR_ATTRIBUTE_OR_VALUE_EXISTS error.
This issue has been discovered on the technical mailing list (thread:
cannot rename windows xp machine in samba4) when trying to rename a AD
client workstation.
This is the unique username value.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu May 3 01:57:41 CEST 2012 on sn-devel-104
While this setting is not the default in Samba3, any domain that is
in a suitable condition to upgrade to Samba4 should already be in the
layout that ldapsam:trusted uses. It can be turned off by setting
ldapsam:trusted=false in the smb.conf.
Many upgrades to Samba4 happen on a different host to the old Samba3 domain
and this avoids the need to configure nss_ldap only for the duration of
the upgrade.
Andrew Bartlett
This fixes an issue where some group types were not upgraded, as we
did not upgrade alias memberships.
It also uses enum_group_memberships() to try and find the memberships
from the other direction, by asking which groups a user is a member
of. As Samba3 (and NT4) does not implement nested groups, this should
be safe.
Andrew Bartlett
- open a pipe via smb2
- trigger a read which hangs since there is nothing to read
- do a logoff
- wait for the read to return and check the status
(STATUS_PIPE_BROKEN)
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Wed May 2 19:57:45 CEST 2012 on sn-devel-104
- open a pipe via smb2
- trigger a read which hangs since there is nothing to read
- do a tree disconnect
- wait for the read to return and check the status
(STATUS_PIPE_BROKEN)
* open a pipe via smb2
* trigger a read which hangs since there is nothing to read
* close the pipe file handle
* wait for the read to return and check the status
(NT_STATUS_PIPE_BROKEN)
The VFS objects are now set in the fileserver.conf, but this is only read by smbd, so
the provision-time smb.conf needs to turn off the extra Samba4 DCE/RPC services.
Andrew Bartlett
This fixes the issue of ldb 'Operations Error' when trying to modify
hasPartialReplicaNCs attribute.
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Tue May 1 05:28:04 CEST 2012 on sn-devel-104
First they do not need to be "static" any longer since we have abandoned
asynchronous result handling (where global variables have been important).
In addition add some "const" in order to protect us from unwanted writes.
Reviewed-by: Andrew Bartlett
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Apr 30 16:46:20 CEST 2012 on sn-devel-104
This started per https://bugzilla.samba.org/show_bug.cgi?id=8872#c4
and avoids any possible collision with a different process.
We also need to ensure that across a Samba installation on a single
node that id.vnn is the same. Samba4 previously used 0, while Samba3
used NONCLUSTER_VNN. When a message is sent between these 'different'
nodes, the error NT_STATUS_INVALID_DEVICE_REQUEST is raised.
Andrew Bartlett
This helps us when these tests fail, as subunit-formatted failures can
be declared as knownfail entries, and show up correctly in the make
test output.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Apr 30 08:34:52 CEST 2012 on sn-devel-104
This is a very essential attribute since it references to various domain
master roles (PDC emulator, schema...) depending on which entry it has
been set. Incautious modifications can cause severe problems.
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Apr 30 02:04:24 CEST 2012 on sn-devel-104