Matthias Dieter Wallnöfer | 30 Aug 19:13 2015

s4 with older GNUTLS

I need the attached patch to make s4 work with an older GNUTLS library,
which does not provide any gnutls_priority...() calls.

Cheers,
Matthias
commit 6ef5a0514a7a4713edaae2c13c2fb5576e15893f
Author: Matthias Dieter Wallnöfer <mdw <at> samba.org>
Date:   Sat Aug 8 21:26:51 2015 +0200

    s4:lib/tls - fix it on older GNUTLS libraries

    GNUTLS < 3 does not provide gnutls_priority_set_direct(). The only workaround is
    the fallback to gnutls_set_default_priority(), which existed since the beginning.

    GNUTLS documentation: http://gnutls.org/manual/html_node/Core-TLS-API.html#Core-TLS-API
    Similar situation in the IM client Pidgin: https://developer.pidgin.im/ticket/14365

diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 2fe4ff7..23dc119 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
 <at>  <at>  -597,7 +597,10  <at>  <at>  struct socket_context *tls_init_client(struct socket_context *socket_ctx,
 	gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, GNUTLS_X509_FMT_PEM);
 	TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT));
 	TLSCHECK(gnutls_set_default_priority(tls->session));
+#if GNUTLS_VERSION_MAJOR >= 3
 	gnutls_priority_set_direct(tls->session, "NORMAL:+CTYPE-OPENPGP", NULL);
+#endif
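Review bot: The gnutls_priority_set_direct() call that the new #if GNUTLS_VERSION_MAJOR >= 3 guard wraps still discards its return value, while the gnutls_init() and gnutls_set_default_priority() calls just above it go through TLSCHECK. Either wrap it the same way or add a comment saying why a rejected priority string is deliberately ignored. A short comment at the guard would also help, stating that builds against older GnuTLS run with the library's default priorities only, so "+CTYPE-OPENPGP" is not applied there. A configure-time check for the function would be more precise than a major-version test.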

Stefan Metzmacher | 29 Aug 11:10 2015

Re: Patches for bug #11458

Hi Jelmer,

> On Thu, Aug 27, 2015 at 08:53:58PM +0200, Stefan Metzmacher wrote:
>> From 550eb499fddbf4846277cf51ea9c28f167c64ad0 Mon Sep 17 00:00:00 2001
>> From: Stefan Metzmacher <metze <at> samba.org>
>> Date: Thu, 27 Aug 2015 11:14:51 +0200
>> Subject: [PATCH 1/5] ldb:wscript: make it possible to build samba with a
>>  system ldb again
>>
>> This fixes a regression in commit fcf4a891945b22dc6eccdc71fd441f1a879f556a.
>>
>> If we check for 'ldb' later the 'pyldb-util' can't depend on the 'ldb' check.
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11458
>>
>> Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
>> ---
>>  lib/ldb/wscript | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lib/ldb/wscript b/lib/ldb/wscript
>> index 0e81932..0996f51 100755
>> --- a/lib/ldb/wscript
>> +++ b/lib/ldb/wscript
>>  <at>  <at>  -56,11 +56,11  <at>  <at>  def configure(conf):
>>  
>>      if not conf.env.standalone_ldb:
>>          if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
>> -                                     onlyif='talloc tdb tevent ldb',
>> +                                     onlyif='talloc tdb tevent',
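Review bot: With 'ldb' dropped from the onlyif list of the CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', ...) call, nothing in the visible lines keeps the pyldb-util and ldb decisions consistent, so a system pyldb-util could be selected while ldb ends up bundled. Since the commit message says the 'ldb' check now runs later, consider an explicit test after that later check that both are system or both are bundled, plus a comment at this call explaining why 'ldb' cannot appear in onlyif.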

Need help on "net ads join" fails when we have "%" in the username

Hi All

I am working on a critical bug and I need your help with the query below.

We are unable to join the domain and create computer account when username contains % in it.

I found this bug in samba website.  I believe this is the issue that we are seeing now https://bugzilla.samba.org/show_bug.cgi?id=8758

I believe the issue could be that we use "%" as the delimiter between username and password

net ads join -s XYZ.conf -U "username%"%"password" createcomputer= XXXXXXXX hostnames=XXXXXXX

If you have seen this issue earlier, please let me know how to overcome it or any available workaround for it.

Is there a way to change the delimiter from % to any other character?

Thanks,
Lokesh

Volker Lendecke | 28 Aug 15:53 2015

[Volker.Lendecke <at> SerNet.DE: [PATCH] fix spinning winbind]

Hi!

Forgot to mention: MANY thanks to "L.P.H. van Belle" <belle <at> bazuin.nl>
for giving me root access to a box where this happens!

Volker

----- Forwarded message from Volker Lendecke <Volker.Lendecke <at> SerNet.DE> -----

Date: Fri, 28 Aug 2015 15:51:20 +0200
From: Volker Lendecke <Volker.Lendecke <at> SerNet.DE>
To: samba-technical <at> lists.samba.org
Subject: [PATCH] fix spinning winbind

Hi!

For everyone who has not followed samba <at> samba.org: Attached
find a patch that fixes the spinning winbind when a user's
password has expired.

I'm sure this needs a ton of #ifdefs, so I'd like to ask the
Kerberos interop people (gd, asn, obnox?) to take a look.

Nevertheless, please review!

Thanks,

Volker

--

-- 

Volker Lendecke | 28 Aug 15:51 2015

[PATCH] fix spinning winbind

Hi!

For everyone who has not followed samba <at> samba.org: Attached
find a patch that fixes the spinning winbind when a user's
password has expired.

I'm sure this needs a ton of #ifdefs, so I'd like to ask the
Kerberos interop people (gd, asn, obnox?) to take a look.

Nevertheless, please review!

Thanks,

Volker

--

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt <at> sernet.de
From 20b4ad857bcc0b382f856150afa3b305c2b2a61e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl <at> samba.org>
Date: Fri, 28 Aug 2015 12:33:13 +0200
Subject: [PATCH] winbind: Fix 100% loop

Signed-off-by: Volker Lendecke <vl <at> samba.org>
---
 source3/libads/kerberos.c | 16 ++++++++++++++++

Ralph Wuerthner | 28 Aug 15:36 2015

[PATCH] add support for SMB3_10 and SMB3_11 protocols in smbstatus

Hi!

I noticed the following bug in smbstatus in 4.3.0rc3:

clients connected via SMB3_10 or SMB3_11 are not correctly listed via
smbstatus:

$ smbstatus

Samba version 4.3.0rc3
PID     Username      Group         Machine            Protocol Version

------------------------------------------------------------------------------
0:22008   VIRTUAL1\administrator  VIRTUAL1\domain users  127.0.0.1
(ipv4:127.0.0.1:47531) Unknown (0x0311)

Service      pid     machine       Connected at
-------------------------------------------------------
share        0:22008   127.0.0.1     Fri Aug 28 14:38:18 2015

Please see my proposed fix in attached patch.

See also https://bugzilla.samba.org/show_bug.cgi?id=11472

paul.a.bolton | 28 Aug 14:28 2015

Samba winbind authentication for login and sudo

Hi Samba Developers,

I've been asked by my employer to look at a PoC using Samba as an
authentication client among other things such as GPO enforcement.

Whilst I've managed to get this working, when we scale to the requirements
of (at least some) large organisations there seem to be a few features that
would be nice to add. Some I have already coded into my demo but there are a
few more in-depth things to do - in terms of scale think an AD domain with
200K users and 100K machines as a ballpark measure for the order of
magnitude.

In any case I would be keen to feed back such potential enhancements into the
Samba codebase should you feel it is of benefit, and would be interested in
receiving advice on the best approach to modifying Samba.

The key one I'm looking at now is being able to authenticate the user via
winbind using non-Unix enabled groups, both for login and for 'sudo'
commands yet still map the user's profile to an rfc2307 compliant (and
consistent) mapping of UIDs and GIDs for those groups that are so enabled.

The rationale here is that, given the size of the environment, users may have many
groups, but only need some UNIX aware groups. Having unix-enabled
authentication groups would easily push some users into over 50 groups and
with certain OS's having a constraint of no-more-than 16 supplemental
groups, this represents a problem.

My initial thoughts are to get the idmap_ad part of winbind to capture all
group membership and then for both winbind and a sudo plugin wrapper to use
that as well for the authentication phase.

Petr Viktorin | 28 Aug 12:57 2015

Porting Samba's CPython extensions to Python 3

Hello,
Sorry for this long mail: a lot has happened since the last discussions,
and I need to refresh some points buried in the e-mail thread here:
https://lists.samba.org/archive/samba-technical/2015-March/106177.html

In previous discussions, we agreed on a strategy for porting Samba to
Python 3. The stand-alone libraries would get a supported Python 3 port.
Patches for the rest of Samba would be tolerated if they do not
inconvenience other developers, and they would be unsupported (if it
breaks, it's on whoever cares about Python 3 to fix it).

With the patches for the last stand-alone library reviewed, I think it's
time to revive that discussion, to get a better idea of how porting
Samba to Python 3 should work.
Specifically, I'd like to come to understand what would least
inconvenience you, while allowing some kind of progress on this front.

In the mentioned thread, there is an idea that there is no rush to port
– Python 2 will be around for another five years.
But, while five years is a lot of time, if we spend time waiting there
*will* be a rush later. I'm trying to avoid that. If five years is an
absolute deadline for porting to py3, testing, and removing support for
py2, I think it does make sense to start.
In particular, waiting until enterprise Linux distributions switch to
Python 3 creates a Catch-22 that would most likely result in everyone
waiting till the last possible moment, and then rushing wildly. Like
Samba, a distribution wants to switch all at once; but to do that the
code must be ready.

Moving from the "when" to the "how":

Garming Sam | 28 Aug 04:06 2015

[PATCH] Renaming a printer fails in Printer Management Console

Hi,

This is a patch (with some additional allocation checks) I wrote late last
year that was somewhat forgotten about. It fixes bug 10770, which 
explains that Samba doesn't allow renaming of a printer using the F2 key.

What was missing was the info level 4 call of _spoolss_SetPrinter, and 
here I've just retrieved the old printer, filled it in and used the 
update_printer_call which takes struct info level 2. I previously tried 
removing some of the additional talloc calls, but it seemed more trouble 
than it was worth at the time with some parts freeing somewhat unexpectedly.

Please review and push.

https://bugzilla.samba.org/show_bug.cgi?id=10770

Cheers.

Stefan Metzmacher | 27 Aug 20:53 2015

Patches for bug #11458

Hi,

here's some patches related to
https://bugzilla.samba.org/show_bug.cgi?id=11458

Samba 4.3.0rcX doesn't build with a system libldb.

Please review and push.

Thanks!
metze
From 550eb499fddbf4846277cf51ea9c28f167c64ad0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Thu, 27 Aug 2015 11:14:51 +0200
Subject: [PATCH 1/5] ldb:wscript: make it possible to build samba with a
 system ldb again

This fixes a regression in commit fcf4a891945b22dc6eccdc71fd441f1a879f556a.

If we check for 'ldb' later the 'pyldb-util' can't depend on the 'ldb' check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11458

Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
---
 lib/ldb/wscript | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Oliver Liebel | 27 Aug 16:54 2015

Re: s4 ldb tdb limits

As I wrote earlier to this list and to Jakub,
this is not an emergency / Rescue Job. No existing S4 Environment.
Customers with (big) existing MS-AD, who would like to switch to S4.
Extensive Pre-Testing is possible and necessary.

Am 27.08.2015 um 16:23 schrieb Jakub Hrozek:
> (Top posting; travelling with only mobile)
>
> As I wrote to oliver earlier while I think using lmdb as ldb back end is eventually a good idea it should be done together with refactoring the tdb back end and should not be done in haste. There is also no guarantee it would help the particular customer..
>
> For problems with existing environments Matthieu's unpack patches (he also had some other about reallocs..) or maybe even using the nosync ldb option might be less risky..
>
> On Aug 27, 2015 12:31 PM, Nadezhda Ivanova <nivanova <at> samba.org> wrote:
>> Hi Oliver,
>> I don't think I can be particularly helpful in this matter - the scope
>> and goal of our project is quite different - we seek to replace the
>> Samba LDAP service with OpenLDAP, rather than just write a new ldb
>> backend. If Jakub or you have any specific questions, I'll see if I can
>> be of assistance.
>>
>> Best Regards,
>> Nadya
>>
>> On 08/27/2015 03:23 PM, Oliver Liebel wrote:
>>>
>>> Am 27.08.2015 um 00:21 schrieb Oliver Liebel:
>>>> Am 26.08.2015 um 18:02 schrieb Jeremy Allison: