Jeremy Allison | 1 Sep 2006 02:33

Re: svn commit: samba r17943 - in branches/SAMBA_3_0/source: include libads libsmb nsswitch

On Fri, Sep 01, 2006 at 08:39:19AM +1000, Andrew Bartlett wrote:
> On Thu, 2006-08-31 at 01:20 +0000, jra <at> samba.org wrote:
> > Author: jra
> > Date: 2006-08-31 01:20:21 +0000 (Thu, 31 Aug 2006)
> > New Revision: 17943
> > 
> > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17943
> > 
> > Log:
> > The horror, the horror. Add KDC site support by
> > writing out a custom krb5.conf file containing
> > the KDC I need. This may suck.... Needs some
> > testing :-).
> > Jeremy.
> 
> I'll note that this is much the same as what Snap did (and may still
> do).  (They were trying to avoid needing to do TCP lookups, so they
> wrote out what winbindd thought the KDC list was for each realm).

So at least we have company in purgatory :-).

Jeremy.

Andrew Bartlett | 1 Sep 2006 02:55

Re: svn commit: samba r17977 - in branches/SAMBA_3_0/source/libsmb: .

On Thu, 2006-08-31 at 20:45 +0000, vlendec <at> samba.org wrote:
> Author: vlendec
> Date: 2006-08-31 20:45:29 +0000 (Thu, 31 Aug 2006)
> New Revision: 17977
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17977
> 
> Log:
> To be honest, I have NO idea whatsoever what this does, but it fixes what I
> have been able to reproduce with smbtorture4 for bug number 4059. It's too
> late here now to check with W2k native, I'll do that tomorrow or over the
> weekend. I'll then also check in a samba4 torture test to walk this from now
> on.
> 
> Abartlet, can you do me a favor and look over this? It is a 1:1 copy of the
> corresponding Samba4 code.

This looks entirely reasonable:  The input session key for a 'there is
no session key' case should be all zeros, and if 'LM key' is selected,
this should then be forced past the LM key weakening algorithm. 

I agree we need more tests on this: copying in the sample values from
the updated davenport docs would do a lot of good.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

Andrew Bartlett | 1 Sep 2006 02:59

Re: [SAMBA4] Make paged results the default in ldb_ildap

On Tue, 2006-08-15 at 07:46 +1000, Andrew Bartlett wrote:
> On Mon, 2006-08-14 at 12:20 -0400, simo wrote:
> 
> > > I'm happy to have a 'no surprises' flag, to turn this off, or an
> > > 'automagic' flag to turn this on, or a module that sets this, or
> > > something.  But it would be pointless if the ldb_request interface,
> > > which is what an async winbind would use doesn't do the 'right thing' by
> > > default.
> > 
> > Ok, I think this is a perfect match for our first "client side" module.
> > I can make it up if you want.
> 
> That would be great.

Now that we have this module, what would be a good way to ensure that
client tools use it, when talking to an LDAP server?

That would avoid needing to remember to add the right magic to the
ldbsearch/ad2oLschema etc command line.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

Andrew Bartlett | 1 Sep 2006 06:39

Re: svn commit: samba r17979 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils

On Fri, 2006-09-01 at 04:15 +0000, jra <at> samba.org wrote:
> Author: jra
> Date: 2006-09-01 04:15:04 +0000 (Fri, 01 Sep 2006)
> New Revision: 17979
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17979
> 
> Log:
> Make ntlm_auth more intelligent about figuring out its
> domain and user args if only given a parameter of the
> form --username DOMAIN\user. When called by firefox
> or other user apps they may not know what the domain
> is (and they don't care). They just want to pass the
> contents of $USERNAME without having to parse it
> or guess a domain.
> Jeremy.

Why not just add a '--full-username' option? 

This is how I tried to avoid this kind of problem in the ntlm-server-1
server protocol.  

But I fail to see why firefox needs to specify this:  Winbindd should
fill in the username, from the session (Even if checked, I would be
worried if the user could specify it, given we are returning cached
credentials).

Andrew Bartlett


Jeremy Allison | 1 Sep 2006 06:39

Re: svn commit: samba r17979 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils

On Fri, Sep 01, 2006 at 02:39:41PM +1000, Andrew Bartlett wrote:
> Why not just add a '--full-username' option? 

I'm trying not to add any more command line options. That
way lies madness, looking at the complexity of this code.

> But I fail to see why firefox needs to specify this:  Winbindd should
> fill in the username, from the session (Even if checked, I would be
> worried if the user could specify it, given we are returning cached
> credentials).

Don't worry, it's checking the user on the other end of the pipe
using the kernel peercred function - the given username is a sanity
check that who winbindd thinks it is matches who the client claims
to be.

Jeremy.

tridge | 1 Sep 2006 07:16

Re: NTVFS disconnect

Murali,

 > The NTVFS disconnect operation in the CIFS back-end (vfs_cifs.c) does not
 > seem to disconnect from the corresponding back-end share on the server, is
 > there any reason why this is so? If it doesn't disconnect the back-end
 > share, then it is leaving a dangling share, isn't it?

It should be disconnecting, are you sure it isn't?

It does this:

	/* first cleanup pending requests */
	for (a=private->pending; a; a = an) {
		an = a->next;
		smbcli_request_destroy(a->c_req);
		talloc_free(a);
	}

	talloc_free(private);

the first part ensures that any async outstanding requests are
destroyed. 

The 2nd part (the talloc_free() of private) destroys the private
context, which should be a parent of everything related to the
connection to the server. That talloc_free() call should be
disconnecting the connection, unless that connection is in use by some
other part of smbd. See the cvfs_connect() code, which sets up the
whole connection as a child of that pointer.


tridge | 1 Sep 2006 07:23

Re: View on project leadership and failures....

Jerry,

 > True.  I'll admit it. I learned that from Jeremy btw... :-)
 > but the fact is that very little code that comes in
 > from external sources takes everything into account.
 > If anything our major fault is fixing things when we
 > should push back and say "fix this and that....
 > then we'll accept it into the tree".  And I think this goes
 > back to (a) not wanting to risk losing a needed feature,
 > and (b) checking in incomplete things ourselves.

This is a key point I think. I remember Linus pointing out that one of
the things he liked about bk (and now git), is that it doesn't
encourage (or even allow?) for pulls where you edit the code the
person supplies. You can pull and then do your own commit to cleanup
the code, but the tools really encourage rejecting code if you don't
like it, and waiting for the submitter to fix it to the point you are
happy with it.

It would be a huge change for us to work like this though. It is
arguably a worthwhile change, as it would strongly push us into a
system where we train up submitters to produce code that we find
acceptable, but it would (at least in the short term) increase our
workload, as it's so often easier to just fix code than to explain in
sufficient detail why it isn't acceptable as-is.

Cheers, Tridge

tridge | 1 Sep 2006 08:17

Re: svn commit: samba r17842 - in branches/SAMBA_4_0/source/lib: ldb/replace replace

Volker,

 > After talking to Simo, apply the next attempt to resolve the strnlen
 > problem. Timegm is the same. Simo says this is just a workaround, but it helps
 > for now. Feel free to revert.

timegm.c was in a separate file as the copyright notice and license
must be different. It is a breach of the license to integrate it into
replace.c like has been done now.

Any idea why the timegm.c in lib/ldb/replace/ isn't being used? What
platform and problem were you trying to solve?

Cheers, Tridge

Murali Bashyam | 1 Sep 2006 08:23

Re: NTVFS disconnect

Tridge,

You are right, this is happening, I missed the implicit TCP connection
teardown under the talloc_free.

Is there any reason why we are not doing an explicit raw tree disconnect as
part of the ntvfs disconnect? Is there any reason it may not work correctly?
I guess that was the question on my mind.

Murali

On 8/31/06, tridge <at> samba.org <tridge <at> samba.org> wrote:
>
> Murali,
>
> > The NTVFS disconnect operation in the CIFS back-end (vfs_cifs.c) does
> not
> > seem to disconnect from the corresponding back-end share on the server,
> is
> > there any reason why this is so? If it doesn't disconnect the back-end
> > share, then it is leaving a dangling share, isn't it?
>
> It should be disconnecting, are you sure it isn't?
>
> It does this:
>
>         /* first cleanup pending requests */
>         for (a=private->pending; a; a = an) {
>                 an = a->next;
>                 smbcli_request_destroy(a->c_req);

Andrew Bartlett | 1 Sep 2006 08:57

Re: svn commit: samba r17979 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils

On Thu, 2006-08-31 at 21:39 -0700, Jeremy Allison wrote:
> On Fri, Sep 01, 2006 at 02:39:41PM +1000, Andrew Bartlett wrote:
> > Why not just add a '--full-username' option? 
> 
> I'm trying not to add any more command line options. That
> way lies madness, looking at the complexity of this code.

I realise this has gone through a couple of revisions.  I'll need to look
over the final code I suppose...

> > But I fail to see why firefox needs to specify this:  Winbindd should
> > fill in the username, from the session (Even if checked, I would be
> > worried if the user could specify it, given we are returning cached
> > credentials).
> 
> Don't worry, it's checking the user on the other end of the pipe
> using the kernel peercred function - the given username is a sanity
> check that who winbindd thinks it is matches who the client claims
> to be.

My thought is that some applications of this would prefer not to have to
specify a username, and would prefer to 'hope for the best', if cached
credentials are called for.  Allowing an additional assert isn't too
harmful I suppose...  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org