IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The global options are stored as values in the subkey "global"
of the SMBCONF registry key.
The activation is accomplished in smb.conf though a new special
semantic of the "include" parameter: "include = registry" triggers
the processing of the registry global options exactly at the
position of the include statement. Options read from the registry
take the same precedence as parameters loaded from a file via
include. Need to reload the registry globals is detected by
watching the tdb sequence number.
Registry shares are automatically activated when the registry
globals are processed.
So a "registry only" configuration can be realized by an
smb.conf that looks as follows:
================================
[global]
include = registry
================================
The global options and registry shares can be conveniently
edited with the "net conf" utility.
Caveat:
A possible pitfall consists in using "include = registry"
together with the "lock directory" directive in the registry.
This problem will be addressed in the next time.
Note on the code:
Processing of the registry options is accomplished by a function
process_registry_globals() in loadparm.c The current version is
only an interim solution: It is handcoded instead of using the
infrastructure of reg_api.c. The reason for this is that using
reg_api still has too large linker dependencies, bloating virtually
all targets by PASSDB_OBJ, SMBLDAP_OBJ, GROUPDB_OBJ and LDB stuff.
A version of process_registry_globals that uses reg_api is
included but commented out. The goal is to eventually refactor
and restructure the registry code so that one can use the reg_api
to access only the registry tdb and not link all the dynamic
backends with all their linking implications.
activation of global registry options in loadparm.c, mainly to
extract functionality from net_conf.c to be made availabel elsewhere
and to minimize linker dependencies.
In detail:
* move functions registry_push/pull_value from lib/util_reg.c to new file
lib/util_reg_api.c
* create a fake user token consisting of builtin administrators sid and
se_disk_operators privilege by hand instead of using get_root_nt_token()
to minimize linker deps for bin/net.
+ new function registry_create_admin_token() in new lib/util_reg_smbconf.c
+ move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c
+ adapt net_conf.c and Makefile.in accordingly.
* split lib/profiles.c into two parts: new file lib/profiles_basic.c
takes all the low level mask manipulation and format conversion functions
(se_priv, privset, luid). the privs array is completely hidden from
profiles.c by adding some access-functions. some mask-functions are not
static anymore.
Generally, SID- and LUID-related stuff that has more dependencies
is kept in lib/profiles.c
* Move initialization of regdb from net_conf.c into a function
registry_init_regdb() in lib/util_reg_smbconf.c.
Michael
I'm 100% certain I've forgotten to merge something, but the main code
should be in. It's mainly in dbwrap_ctdb.c, ctdbd_conn.c and
messages_ctdbd.c.
There should be no changes to the non-cluster case, it does survive make
test on my laptop.
It survives some very basic tests with ctdbd enables, I did not do the
full test suite for clusters yet.
Phew...
Volker
in a lookup_sidX reply isn't optional - like the
lookup_sidX query it needs to be defined in the
struct.
All this will go away with PIDL (thank goodness....).
Jerry - I think this is a showstopper to be merged
for 3.0.25b.
I'll be watching the build farm to see if anything broke.
Jeremy.
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
branch, please check if it fulfils your needs.
Two changes: The validation is not done inside the brlock.c traverse_fn,
it's done as a separate routine.
Secondly, this patch does not call the checker routines in smbcontrol
directly but depends on a running smbd.
This replaces the internal explicit dev/ino file id representation by a
"struct file_id". This is necessary as cluster file systems and NFS
don't necessarily assign the same device number to the shared file
system. With this structure in place we can now easily add different
schemes to map a file to a unique 64-bit device node.
Jeremy, you might note that I did not change the external interface of
smb_share_modes.c.
Volker
This removes message_block / message_unblock. I've talked to Jeremy and
Günther, giving them my reasons why I believe they have no effect.
Neither could come up with a counter-argument, so they go :-)
replaced by MSG_FLAG_LOWPRIORITY or'ed into the msg_type. To enable this,
changed the msg_type definitions to hexadecimal.
This way we could theoretically add the MSG_FLAG_NODUPLICATES again, but I
would rather not do this, because that one is racy and can't be guaranteed at
all.
doing this because for the clustering the marshalling is needed in more
than one place, so I wanted a decent routine to marshall a message_rec
struct which was not there before.
Tridge, this seems about the same speed as it used to be before, the
librpc/ndr overhead in my tests was under the noise.
Volker
database backends in place dynamically.
The main abstractions are db_context and db_record, it should be mainly
self-describing, see include/dbwrap.h. You open the db just as you would open
a tdb, this time with db_open(). If you want to fetch a record, just do the
db->fetch() call, if you want to do operations on it, you need to get it with
fetch_locked().
I added dbwrap_file.c (not heavily tested lately) as an example for what can
be done with that abstraction, uses a file per key. So if anybody is willing
to shape that up, we might have a chance on reiserfs again.... :-)
This abstraction works fine for brlock.tdb, locking.tdb, connections.tdb and
sessionid.tdb. It should work fine for the others as well, I just did not yet
get around to convert them.
If nobody loudly screams NO, then I will import the code that uses this soon.
Volker
lib/util_tdb.c exactly match the definitions. (There were
some [u]int_32_t instead of [u]int32, which made a gcc 2.95
on an old AIX without system [u]int32[_t] types complain...)
Vista. Vista provides a plethora of kludges to simulate older versions of
Windows. The kludges are in the form of shortcuts (or more likely symbolic
links, but I don't know enough about Vista to determine that definitively)
and in most cases, attempts to access them get back an "access denied"
error. On one particular folder, however, "<share>/Users/All Users", it
returns an unknown (to ethereal and the Samba3 code) NT status code:
0x8000002d. Although this code does not have a high byte of 0xc0 indicating
that it is an error, it appears to be an alternate form of "access denied".
Without this patch, libsmbclient times out on an attempt to enumerate that
folder rather than returning an error to the caller. This patch corrects
that problem.
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including
domains via transitive Krb5 trusts. We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.
"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
sockets to listen on a little, because in the launchd case these
are provided for us. We also add an idle timeout so that a daemon
can exit after a period of inactivity.
loop when allocating a new id for a SID:
auth_util.patch Revert create_local_token() to
the 3.0.24 codebase
idmap_type.patch Have the caller fillin the
id_map.xid.type field when
resolving a SID so that if we allocate
a new id, we know what type to use
winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls
from the public winbindd interface
for the 3.0.25 release
idmap_rid.patch Cleanup the idmap_rid backend to not
call back into winbindd to resolve
the SID in order to verify it's type.
talloc_free()'ed at the end of a session.
Rework the passwd cache code to use talloc_unlink and
talloc_reference, to more carefully manage the cache.
Andrew Bartlett
for the server side enc. (doesn't break anything).
I'll keep updating this until I've got NTLM seal working
on both client and server, then add in the gss level
seal.
Jeremy.
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
works from smbclient and Windows, and I am promising to
support and fix both client and server code moving forward.
Still need to test the RPC admin support but I haven't
changed that code.
Jeremy.
from POSIX_OPEN and POSIX_MKDIR as specified
by Stevef in the wikki (extra 4 byte field).
Also fix horrible bug in James's code (James
you should review this for your Apple patch
tree) where he failed to allocate the correct
return memory size when returning a INFO2
struct. Added #define for the size of the
INFO2 struct and made sure we allocate the
correct size for return.
Jeremy.
process deep dfs links (ie. links that go to non root
parts of a share). Make the directory handling conanonical
in POSIX and Windows pathname processing.
dfs should not be fully working in client tools. Please
bug me if not.
Jeremy.
for utimes - change the call to ntimes. This preserves
nsec timestamps we get from stat (if the system supports
it) and only maps back down to usec or sec resolution
on time set. Looks bigger than it is as I had to move
lots of internal code from using time_t and struct utimebuf
to struct timespec.
Jeremy.
others don't get stuck with the winbindd hang.
Still waiting on additional confirmation from Guenther
that this fixes thes issues he was observing as well.
But it's been running in my local tree for a day without
problems.
it should be abstracted a little higher up so other os'es can have an
entry, but it will take a bit more work. Thanks to Chetan Shringarpure
and Mathias Dietz.
I didn't increment the vfs number again because the kernel change notify
stuff hasn't been released yet anyway.
based on the flags2 values in the negprot request.
This also includes some code for testing the dialect
strings for "SMB 2.001" but this is unreliable as Vista
only sends that in the 1st negprot and caches the fact
that we don't support it. Restartnig the WOrkstation
service on the client clears the cache.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
- Should fix bug 4115 (but needs confirmation from OP). If the kerberos use
flag is set in the context, then also pass it to smbc_attr_server for use by
cli_full_connection()
- Should fix bug 4309 (but needs confirmation from OP). We no longer send a
keepalive packet unconditionally. Instead, we assume (yes, possibly
incorrectly, but it's the best guess we can make) that if the connection is
on port 139, it's netbios and otherwise, it isn't. If netbios is in use, we
send a keepalive packet. Otherwise, we check that the connection is alive
using getpeername().
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
domain SID lookups through the struct winbindd_domain *domain_list
by searching by name.
Refactor the order lookup when searching for the correct idmap_domain
to a single function and remove the requirement that the default
domain be listed first in the config file.
I would still like to make the idmap_domain array a linked list and
remove the existing code which makes use of indexes into the list.
Basic testing with tdb pans out ok.
based approach. The only remaining hook into the backend is now
void *(*notify_add)(TALLOC_CTX *mem_ctx,
struct event_context *event_ctx,
files_struct *fsp, uint32 *filter);
(Should we put this through the VFS, so that others can more easily plug in?)
The trick here is that the backend can pick filter bits that the main smbd
should not handle anymore. Thanks to tridge for this idea.
The backend can notify the main smbd process via
void notify_fsp(files_struct *fsp, uint32 action, char *name);
The core patch is not big, what makes this more than 1800 lines are the
individual backends that are considerably changed but can be reviewed
one by one.
Based on this I'll continue with inotify now.
Volker
works - even with the strange "initial delete on close"
semantics. The "initial delete on close" flag isn't
committed to the share mode db until the handle is
closed, and is discarded if any real "delete on close"
was set. This allows me to remove the "initial_delete_on_close"
flag from the share db, and move it into a BOOL in files_struct.
Warning ! You must do a make clean after this. Cope with
the wrinkle in directory delete on close which is done
differently from files. We now pass all Samba4 smbtortute
BASE-DELETE tests except for the one checking that files
can't be created in a directory which has the delete on
close set (possibly expensive to fix).
Jeremy.
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
This add a struct event_context and infrastructure for fd events to smbd. This
is step zero to import lib/events.
Jeremy, I rely on you to watch the change in receive_message_or_smb()
closely. For the normal code path this should be the only relevant change. The
rest is either not yet used or is cosmetic.
Volker
