Christof Schmitt | 19 Dec 23:16 2014

[PATCHES] Retry ping-dc when session expires

The call to wbinfo --ping-dc can return an error when the underlying SMB
connection expires. Since the goal of --ping-dc is to test whether the
DC is available, temporary session status changes should not be returned
to the caller.

In a test, I have seen two instances where the call to ping-dc fails:

1) The RPC call LogonControl returns NT_STATUS_IO_DEVICE_ERROR when the session expires:

[2014/12/19 19:21:30.712908,  5, pid=2611671, effective(0, 0), real(0, 0), class=rpc_cli] rpc_client/cli_pipe.c:759(rpc_api_pipe_send)
  rpc_api_pipe: host 2k12r2.virtual2.com
[2014/12/19 19:21:30.712966,  5, pid=2611671, effective(0, 0), real(0, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message
[2014/12/19 19:21:30.713688,  5, pid=2611671, effective(0, 0), real(0, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message
[2014/12/19 19:21:30.714281,  5, pid=2611671, effective(0, 0), real(0, 0), class=rpc_cli] rpc_client/cli_pipe.c:821(rpc_api_pipe_trans_done)
  cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
[2014/12/19 19:21:30.714337,  2, pid=2611671, effective(0, 0), real(0, 0), class=winbind] winbindd/winbindd_dual_srv.c:723(_wbint_PingDc)
  dcerpc_netr_LogonControl failed: NT_STATUS_IO_DEVICE_ERROR
[2014/12/19 19:21:30.714370,  1, pid=2611671, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_PingDc: struct wbint_PingDc
          out: struct wbint_PingDc
              dcname                   : *
                  dcname                   : *
                      dcname                   : '2k12r2.virtual2.com'
              result                   : NT_STATUS_IO_DEVICE_ERROR

2) Opening the netlogon pipe can fail with NT_STATUS_NETWORK_SESSION_EXPIRED:

[2014/12/19 19:21:46.798170,  5, pid=2611671, effective(0, 0), real(0, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)

David Disseldorp | 19 Dec 18:08 2014

[PATCH 0/3] drop the SPOOLSS_BUFFER_OK macro

#define SPOOLSS_BUFFER_OK(val_true,val_false) ((r->in.offered >= *r->out.needed)?val_true:val_false)

This macro has a couple of issues:
- It assumes the existence of the r->in.offered and r->out.needed local
  variables.
- In most cases it is called two or three times successively, meaning
  that the bounds check expression is unnecessarily evaluated multiple
  times.

These patches are based atop the 10984 fixes, which just went into
master.

Cheers, David

--

 source3/rpc_server/spoolss/srv_spoolss_nt.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------
 1 file changed, 88 insertions(+), 45 deletions(-)

Shekhar Amlekar | 19 Dec 08:13 2014

[PATCH] Statlite - without VFS changes

Hi,

A few days back I submitted a stat-lite patch that proposed a
new samba VFS call and hence needed changes to a few
VFS modules. Here's an attempt to implement the functionality
without making changes to Samba VFS. The interface is as
follows:

The statlite mask (in stat structure) is always populated by
Samba before making a stat call and entering the VFS. For
normal stat calls, all the bits are set and for partial stats, only
the select bits are set. Samba also updates the mask after
the call. (1)

The opaque VFS modules that support statlite functionality
(currently vfs_gpfs) read the mask and retrieve requested
attribs. If all the requested attribs can't be retrieved, an error
is returned. (2)

Because of (1) and (2), no changes are required to the
opaque modules that do not support statlite functionality.
Their overwriting the mask field would cause no harm
(vfs_ceph and vfs_glusterfs zero out the stat structure).

Request your kind review.

Thanks,
shekhar.


Richard Sharpe | 19 Dec 00:05 2014

What formats does the createcomputer accept in the net ads join command?

Hi folks,

I have seen documentation that suggests that both

createcomputer="/USA/CA/SANJOSE/Department/Servers" and

createcomputer="OU=Servers,OU=Department,..."

Are they both acceptable?

--

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Stefan (metze) Metzmacher | 18 Dec 21:12 2014

[PATCH] s4:kdc: add aes key support for trusted domains

Hi,

here's a patch to add support to provide aes key for cross-forest
kerberos tickets.

Please review and push.

Thanks!
metze
From c21c1e9331adebea3a92b94390f718ce5e25c386 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Mon, 15 Dec 2014 16:48:27 +0100
Subject: [PATCH] s4:kdc: add aes key support for trusted domains

We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008

Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
---
 source4/kdc/db-glue.c | 185 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 148 insertions(+), 37 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 00b58fd..68380f3 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
 <at>  <at>  -858,17 +858,27  <at>  <at>  static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	const char *dnsdomain;

Stefan (metze) Metzmacher | 18 Dec 21:07 2014

[PATCHES] s4:rpc_server/lsa: bugs...

Hi,

here're some fixes for bugs triggered by FreeIPA trying to establish a
forest trust against a Samba4 AD domain.

Please review and push.

Thanks!
metze
From 78a3a4908de68b75bc800149925e701f707ce6f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Mon, 15 Dec 2014 16:03:49 +0100
Subject: [PATCH 1/4] s4:rpc_server/lsa: pass the correct variable to
 setInfoTrustedDomain_base()

This requires 'struct lsa_policy_state', we now pass this directly
instead of an opaque 'struct dcesrv_handle'.

dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle'
with 'struct lsa_trusted_domain_state' before, which results in segfaults.

Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 6c09649..40867dd 100644

Stefan (metze) Metzmacher | 18 Dec 20:52 2014

[PATCHES] handle random UTF16MUNGED passwords and use SEC_CHAN_DNS_DOMAIN

Hi,

here're patches for https://bugzilla.samba.org/show_bug.cgi?id=11016
and more.

Please review and push.

Thanks!
metze
From 739c6b2635ce2ac972b29364a915ddf397d394a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Wed, 17 Dec 2014 18:42:55 +0000
Subject: [PATCH 01/11] auth/gensec: make sure we keep a
 DCERPC_AUTH_TYPE_SCHANNEL backend if required

Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend around, this can only be specified explicitly by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domain we can reliably use kerberos and netlogon
secure channel for authentication.
---
 auth/gensec/gensec_start.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a..955cc36 100644

Stefan (metze) Metzmacher | 18 Dec 20:39 2014

[PATCHES] allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'

Hi,

here're some patches to allow 'wbinfo --ping-dc --domain=SOMEDOMAIN',
this is very useful to test trusted domains on a DC.

Please review and push.

Thanks!
metze
From 86aa0cefeb1cddc216a041357776df45e8673efd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Wed, 10 Dec 2014 12:25:55 +0000
Subject: [PATCH 1/4] s3:winbindd: report our own name for PING_DC and internal
 domains

This means "wbinfo --ping-dc" works fine on a DC.
---
 source3/winbindd/winbindd_ping_dc.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/source3/winbindd/winbindd_ping_dc.c b/source3/winbindd/winbindd_ping_dc.c
index 0a767d9..b5a6977 100644
--- a/source3/winbindd/winbindd_ping_dc.c
+++ b/source3/winbindd/winbindd_ping_dc.c
 <at>  <at>  -54,10 +54,32  <at>  <at>  struct tevent_req *winbindd_ping_dc_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 	if (domain->internal) {

Stefan (metze) Metzmacher | 18 Dec 20:36 2014

[PATCHES] wafsamba: fix ordering problems with lib-provided and internal RPATHs

Hi Michael,

here's a better fix for https://bugzilla.samba.org/show_bug.cgi?id=10548,
which avoids modifying wafadmin.

Something like this can later also be used to remove well-known
library path names.

Please review and push.

Thanks!
metze
From 12010105b4394ae7fbc1c80e1275c7cac046e23c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Thu, 18 Dec 2014 18:09:15 +0100
Subject: [PATCH 1/2] wafsamba: fix ordering problems with lib-provided and
 internal RPATHs

When a library or system (like cups) provides an RPATH,
e.g. with -Wl,-R or -Wl,-rpath, this was added by waf
to the LINKFLAGS, which was later prepended to our RPATH.
But if the path by chance contains an older version of
one of our internal libraries like talloc, this would lead
to linking the too old talloc into our binaries.

This has been observed on, e.g., FreeBSD, but it is a general
problem.


Stefan (metze) Metzmacher | 18 Dec 11:18 2014

[PATCHES] lib/texpect: prefer bsd/libutil.h if available

Hi Günther,

can you please review and push the following patches.

They avoid a compiler warning on ubuntu 12.04, where libutil.h is
deprecated.

Thanks!
metze
From 093f8f40127ee1e99119d7db0193bfdc67961f40 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Thu, 18 Dec 2014 02:05:28 +0000
Subject: [PATCH 1/2] s4:heimdal_build: remove unused openpty check

commit 638a8edd7ce708cf550c054ac16dade795b6448b removed
HEIMDAL_BINARY('rkpty', 'lib/roken/rkpty.c',...)
(the only heimdal user of openpty()).

Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
---
 source4/heimdal_build/wscript_configure | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 5b7109e..9a68656 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
 <at>  <at>  -64,7 +64,6  <at>  <at>  conf.CHECK_FUNCS_IN('res_search res_nsearch res_ndestroy dns_search dn_expand',

Stefan (metze) Metzmacher | 18 Dec 11:15 2014

[PATCHES] fix soname of linux nss_*.so.2 modules

Hi Andreas,

as discussed yesterday, here're better fixes for
https://bugzilla.samba.org/show_bug.cgi?id=9299

Please review and push.

Thanks!
metze
From 18c2e7a8f13ecb2d00dedc95e6fa280e7aca54de Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Thu, 18 Dec 2014 10:21:30 +0100
Subject: [PATCH 1/2] wafsamba: add optional keep_underscore=True to
 SAMBA_LIBRARY()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze <at> samba.org>
---
 buildtools/wafsamba/wafsamba.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 020516b..bd2ca89 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
 <at>  <at>  -110,6 +110,7  <at>  <at>  def SAMBA_LIBRARY(bld, libname, source,
                   ldflags='',

