Volker Lendecke | 1 Jan 12:13 2009

Re: [SCM] Samba Shared Repository - branch master updated - 4d82f69f884c0c9105d7c1cc53a1235e26222fbc

On Wed, Dec 31, 2008 at 11:27:04PM -0600, Tim Prouty wrote:
> The branch, master has been updated
>        via  4d82f69f884c0c9105d7c1cc53a1235e26222fbc (commit)
>       from  9c92cb763653644e129b0777b3f8fc2f333bb7c6 (commit)
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 4d82f69f884c0c9105d7c1cc53a1235e26222fbc
> Author: Tim Prouty <tprouty <at> samba.org>
> Date:   Wed Dec 31 21:24:25 2008 -0800
> 
>     s3: Fix caller of print_fsp_open

Thanks :-)

Volker

Commit 07e0094365e8dc360a83eec2e7cf9b1d5d8d6d00

Hi guys,
This doesn't seem right; isn't the sense of the test wrong? Seems to me we are printing and freeing the string if we failed.

Best regards

Andrew

diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c
 index 1d2b47c..921af15 100644 (file)

--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
 <at>  <at>  -757,8 +757,7  <at>  <at>  _PUBLIC_ void ndr_print_array_uint8(struct ndr_print *ndr, 
const char *name,
        ndr->depth++;
        for (i=0;i<count;i++) {
                char *idx=NULL;
-               asprintf(&idx, "[%d]", i);
-               if (idx) {
+               if (asprintf(&idx, "[%d]", i) == -1) {
                        ndr_print_uint8(ndr, idx, data[i]);
                        free(idx);
                }
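Review bot: the new condition inverts the check: asprintf() returns -1 on failure, so `if (asprintf(&idx, "[%d]", i) == -1)` enters the print-and-free branch exactly when no string was allocated (idx is undefined after a failed asprintf in glibc) and skips it on success. The condition should be `!= -1` (or `< 0` with an else branch for the failure), keeping ndr_print_uint8() and free() inside the success branch as the removed `if (idx)` did.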

Volker Lendecke | 1 Jan 13:56 2009

Re: Commit 07e0094365e8dc360a83eec2e7cf9b1d5d8d6d00

On Thu, Jan 01, 2009 at 12:27:49PM +0000, Andrew Bird (Sphere Systems) wrote:
> Hi guys,
> This doesn't seem right; isn't the sense of the test wrong? Seems to me we are printing and freeing the string if we failed.

Hey, people are watching :-)

Already fixed in 9c92cb763653644e129b0777b3f8fc2f333bb7c6

Thanks for the review!

Volker
Sassy Natan | 1 Jan 14:08 2009

Re: [openchange]Thanks to Andrew(s), OpenChange Schema works again

Hi All
 
Does this mean that the openchange provision script now works?
 
I'm in the middle of a process to rewrite the Windows 2008 Schema Files located in the Samba4 head version, so I hope this will not impact my work.
 
Why not combine the Exchange schema and the Windows 2008 schema together?
 
Thanks all for the great work!
Sassy

On Tue, Dec 30, 2008 at 6:11 PM, Julien Kerihuel <j.kerihuel <at> openchange.org> wrote:
Hi Lists,

I just wanted to thank Andrew Tridgell and Andrew Bartlett for the very
good work on LDB and how they fixed the "excessive LDB schema file size"
issue OpenChange encountered a while ago.

I've just been testing the whole thing and schema file only takes 5MB
while it used to be ~700MB.

Similarly, opening schema.ldb with ldbedit and quitting without saving
used to add 200MB more to the file while it now remains identical.

So we now have a very acceptable 7.6MB schema file and OpenChange schema
provisioning and user attributes extension still work properly.

I'll be working for the next day on EMSABP integration within mapiproxy
+ some kind of modular server system so we can choose between "real
providers" and "fake ones" only intended to torture libmapi/Outlook.

Once again, thanks for all the good work!

Cheers,
Julien.


Julien Kerihuel
j.kerihuel <at> openchange.org
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79




_______________________________________________
devel mailing list
devel <at> openchange.org
http://mailman.openchange.org/listinfo/devel
Julien Kerihuel | 1 Jan 15:11 2009

Re: [openchange]Thanks to Andrew(s), OpenChange Schema works again

On Thu, 2009-01-01 at 15:08 +0200, Sassy Natan wrote:
> Hi All
>  
> Does this mean that the openchange provision script now works?

Hi Sassy,

I've been testing both schema provisioning and extending users and it
works fine for me so far - at least it is sufficient for me to work on
fixing the EMSABP provider.

e.g.: the newuser script extends user attributes properly,
enable/disable modify mandatory attributes properly, etc.

In the meantime, I have not been doing extensive tests such as testing
all the script options I had implemented, so there may be remaining bugs
which I'll deal with later (when I have done good progress with
openchange server implementation).

> I'm in the middle of a process to rewrite the Windows 2008 Schema Files
> located in the Samba4 head version, so I hope this will not impact my
> work.

At the moment, the openchange_provision script performs the following
steps:
        1. Register Exchange OIDs
        2. Add new Exchange classes and attributes to Samba schema
        3. Add missing ADSC classes to Samba schema
        4. Extend existing Samba classes and attributes
        5. Exchange Samba with Exchange configuration objects

I have not been looking at Windows 2008 schemas, so I'm not sure whether
this may have any impact on your work.

> Why not combine the Exchange schema and the Windows 2008 schema
> together?

For the same reasons why Windows AD doesn't come with Exchange schemas
and requires Exchange to be installed to extend AD.

I don't see good reasons why someone would need Exchange schemas if he
only intends to run Samba4. It would IMHO be pointless to add Exchange
complexity while it is not needed.

Maybe one good example would be that someone needs to create a windows
account, but doesn't want to create an Exchange mailbox which would turn
into:
        1. run samba ./setup/newuser to create user account in Samba4 AD
        2. run openchange ./setup/openchange_newuser to extend
        attributes and create the mailbox.

Cheers,
Julien.

-- 
Julien Kerihuel
j.kerihuel <at> openchange.org
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79

Sassy Natan | 1 Jan 16:07 2009

Re: [openchange]Thanks to Andrew(s), OpenChange Schema works again

OK,
 
Cool.
 
I will check them out, and also see if I could provide a provision script to extend the AD schema to support RFC 2307.
 
It could basically provide SSO integration for Unix machines, using the same user name and password within the AD.
Same as you can find in Windows 2003 R2, which includes Unix attributes in the AD.
 
Thanks for all
 
OpenChange is cooooool
 
Sassy

On Thu, Jan 1, 2009 at 4:11 PM, Julien Kerihuel <j.kerihuel <at> openchange.org> wrote:
On Thu, 2009-01-01 at 15:08 +0200, Sassy Natan wrote:
> Hi All
>
> Does this mean that the openchange provision script now works?

Hi Sassy,

I've been testing both schema provisioning and extending users and it
works fine for me so far - at least it is sufficient for me to work on
fixing the EMSABP provider.

e.g.: the newuser script extends user attributes properly,
enable/disable modify mandatory attributes properly, etc.

In the meantime, I have not been doing extensive tests such as testing
all the script options I had implemented, so there may be remaining bugs
which I'll deal with later (when I have done good progress with
openchange server implementation).

> I'm in the middle of a process to rewrite the Windows 2008 Schema Files
> located in the Samba4 head version, so I hope this will not impact my
> work.

At the moment, the openchange_provision script performs the following
steps:
       1. Register Exchange OIDs
       2. Add new Exchange classes and attributes to Samba schema
       3. Add missing ADSC classes to Samba schema
       4. Extend existing Samba classes and attributes
       5. Exchange Samba with Exchange configuration objects

I have not been looking at Windows 2008 schemas, so I'm not sure whether
this may have any impact on your work.

> Why not combine the Exchange schema and the Windows 2008 schema
> together?

For the same reasons why Windows AD doesn't come with Exchange schemas
and requires Exchange to be installed to extend AD.

I don't see good reasons why someone would need Exchange schemas if he
only intends to run Samba4. It would IMHO be pointless to add Exchange
complexity while it is not needed.

Maybe one good example would be that someone needs to create a windows
account, but doesn't want to create an Exchange mailbox which would turn
into:
       1. run samba ./setup/newuser to create user account in Samba4 AD
       2. run openchange ./setup/openchange_newuser to extend
       attributes and create the mailbox.

Cheers,
Julien.

--
Julien Kerihuel
j.kerihuel <at> openchange.org
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79


Nika Gerson Lohman | 2 Jan 09:04 2009

Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic
to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to
debug, here's the one we see most:

KDC has no support for encryption type (14)

But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.

We've tried following some of the instructions on the BEA website (which contain several errors).

One of them was also adding a host/ SPN (in krb5login.conf) but then, when using HTTP/ SPN we get the
following error (it seems with multiple SPN's it only takes the first or last SPN that was set):

Client not found in Kerberos database (6)

Next try was using the host/ SPN but that results in the following error:

Integrity check on decrypted field failed (31)

We've tried changing the default_*_enctypes in KRB5.INI (We've removed the entries, and also tried only
DES_CBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.

We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either.

We are not sure what details you need for this to debug, so here's what we've done to install the environment
(please note that ip-addresses, domain, client and server names are made up and are different in real-life),

We have two domains:

Domain1 (DOMAIN1.COM) contains:

Domain Controller    "AD1"       with IP 192.168.0.1
Domain Controller    "AD2"       with IP 192.168.1.1
Client               "Client1"   with IP 192.168.2.1

Domain2 (DOMAIN2.COM) contains:

Domain Controller    "AD3"       with IP 10.0.0.1
Server (WebLogic)    "Server1"   with IP 10.0.1.2

Between Domain1 and Domain2 a firewall exists in which we've opened the relevant ports like LDAP (TCP 389),
Kerberos (UDP 88) and WebLogic (7001/7002). We do not see any firewall blocks on other ports...

We've configured AD1 (Microsoft AD with KDC) as follows:

 1.  Account "SSOAccountAD" created
 2.  Password never expires
 3.  DES encryption on
 4.  Do not require Kerberos preauthentication off
 5.  Password "Password" was reset several times
 6.  ServicePrincipalName was set using this command:
setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD

 7.  ServicePrincipalName on AD1 was checked (and found to be ok) using this command:
setspn -L SSOAccountAD

 8.  KTPass was executed:
ktpass -princ HTTP/Server1@DOMAIN1.COM -mapuser SSOAccountAD -pass Password

 9.  User Logon name was checked:
HTTP/Server1

 10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:
setspn -L SSOAccountAD

We've configured the WebLogic Server (Server1) as follows:

 1.  LDAP authentication was activated and test ok
 2.  Single Pass Negotiate Identity Asserter was created with Chosen Type "Authorization"
 3.  KRB5.INI file was created and added to %windir% (and C:\WINNT folder to be able to test with Java ktab and
kinit which do not look in the %windir% folder):
[libdefaults]
default_realm = DOMAIN1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes=DES-CBC-CRC
default_tgs_enctypes=DES-CBC-CRC

[realms]
DOMAIN1.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
default_domain = DOMAIN1.COM
}

[domain_realm]
.domain1.com = DOMAIN1.COM
domain1.com = DOMAIN1.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

 4.  We've installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
 5.  Keytab File was created (with password "Password"):
ktab -k SSOKeyTabFile -a HTTP/Server1@DOMAIN1.COM

 6.  Keytab File and Kerberos communication was tested using:
kinit -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM

 7.  Keytab File and Kerberos communication was tested using Java (incl. debugging):
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM

 8.  Keytab was listed:
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Klist

 9.  SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
 10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:
com.sun.security.jgss.initiate {

     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/Server1 <at> DOMAIN1.COM" useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};

com.sun.security.jgss.accept {

     com.sun.security.auth.module.Krb5LoginModule required
     principal=" HTTP/Server1 <at> DOMAIN1.COM " useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};

 11. WebLogic service and startWeblogic.cmd were modified with the following parameters:
-Djava.security.krb5.realm=DOMAIN1.COM
-Djava.security.krb5.kdc=192.168.0.1
-Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true
-DDebugSecurityAdjudicator=true
-Dweblogic.debug.DebugSecurityAtn=true
-Dweblogic.debug.DebugSecurityAtz=true
-Dweblogic.Debug.DebugSecurityATN=true
-Dweblogic.StdoutSeverityLevel=64
-Dweblogic.StdoutDebugEnabled=true

For the client pc (Client1) we've checked the browser settings:

Automatic Logon only in Intranet Zone
Enable Integrated Windows Authentication

On the client we've used "kerbtray.exe" to see whether a kerberos token is created, and it is (although with
the full domain name, HTTP/Server1.domain1.com).

We've checked for Kerberos communication with Wireshark and see that the client does communicate, and
passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the
WebLogic server. The server simply requests Authorisation again...

If required we have the full wireshark traces of the WebLogic Server and the Client. We also have very
detailed WebLogic tracing which I can provide.

Kind Regards,

Nika.

Nika Gerson Lohman
Senior Software Engineer

Tele'Train Software BV, http://www.teletrain.nl
Paasheuvelweg 1
1105 BE Amsterdam

Telephone: +31 (0)20 379 03 52
Fax: +31 (0)20 379 03 53
Private Fax: +31 (0)84 222 49 06
Mobile: +31 (0)62 040 13 50
E-Mail: nika <at> teletrain.nl
MSN: nika <at> teletrain.nl
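Added example, not part of the thread: a small Python decoder for the token a browser places in the Authorization: Negotiate header, enough to answer from a Wireshark capture what this report leaves open: whether the client actually sent Kerberos (MS KRB5 or KRB5) or fell back to NTLMSSP, which SPN and realm the ticket was issued for, and which enctype the KDC used for it. The DER helpers and sample_token() are constructed here; the sample is not a real capture.

```python
import base64
SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2, as a DER-encoded OID TLV
KRB5 = bytes.fromhex("06092a864886f712010202")         # 1.2.840.113554.1.2.2
MSKRB5 = bytes.fromhex("06092a864882f712010202")       # 1.2.840.48018.1.2.2 (what Windows clients usually send)
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def tlv(tag, body):          # DER tag/length/value; short form or 1-/2-byte long-form lengths
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + ln + body

def read(buf, pos=0):        # one DER element at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:            # long form: the low 7 bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7f)], "big"), pos + (ln & 0x7f)
    return tag, buf[pos:pos + ln], pos + ln

def fields(body):            # children of a constructed element as (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def decode_negotiate(b64):   # mech, realm, SPN and ticket etype from an 'Authorization: Negotiate' value
    inner = lambda b: read(b)[1]                             # strip one DER layer
    tag, gss, _ = read(base64.b64decode(b64))                # [APPLICATION 0] InitialContextToken
    if tag != 0x60 or not gss.startswith(SPNEGO):
        raise ValueError("not a SPNEGO token")
    init = dict(fields(inner(read(gss, len(SPNEGO))[1])))    # [0] NegTokenInit ::= SEQUENCE
    token = inner(init[0xa2])                                # [2] mechToken OCTET STRING contents
    if token.startswith(b"NTLMSSP\x00"):
        return {"mech": "NTLMSSP"}                           # client fell back to NTLM: no ticket to inspect
    krb = inner(token)                                       # [APPLICATION 0] of the Kerberos mech
    if not (krb.startswith(MSKRB5) or krb.startswith(KRB5)):
        raise ValueError("unknown inner mech")
    ap_req = dict(fields(inner(read(krb, len(KRB5) + 2)[1])))   # past the OID and TOK_ID 01 00: AP-REQ
    ticket = dict(fields(inner(inner(ap_req[0xa3]))))        # [3] Ticket [APPLICATION 1] ::= SEQUENCE
    names = fields(inner(dict(fields(inner(ticket[0xa2])))[0xa1]))             # sname.name-string
    etype = int.from_bytes(inner(dict(fields(inner(ticket[0xa3])))[0xa0]), "big")  # enc-part.etype
    return {"mech": "MS KRB5" if krb.startswith(MSKRB5) else "KRB5", "etype": etype,
            "realm": inner(ticket[0xa1]).decode(), "spn": "/".join(b.decode() for _, b in names)}

def sample_token(ntlm=False):   # constructed sample, not a real capture: MS KRB5 AP-REQ with an RC4 ticket
    ctx = lambda n, body: tlv(0xa0 | n, body)                # [n] context-specific, constructed
    gstr = lambda s: tlv(0x1b, s.encode())                   # GeneralString
    integer = lambda v: tlv(0x02, bytes([v]))                # INTEGER, values below 128 only
    enc = lambda etype, blob: tlv(0x30, ctx(0, integer(etype)) + ctx(2, tlv(0x04, blob)))  # EncryptedData
    sname = tlv(0x30, ctx(0, integer(2)) + ctx(1, tlv(0x30, gstr("HTTP") + gstr("Server1.domain1.com"))))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gstr("DOMAIN1.COM")) + ctx(2, sname) + ctx(3, enc(23, b"\xaa" * 40))))
    ap_req = tlv(0x6e, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) + ctx(2, tlv(0x03, b"\x00\x20\x00\x00\x00")) + ctx(3, ticket) + ctx(4, enc(23, b"\xbb" * 24))))
    token = b"NTLMSSP\x00\x01\x00\x00\x00" if ntlm else tlv(0x60, MSKRB5 + b"\x01\x00" + ap_req)
    init = tlv(0x30, ctx(0, tlv(0x30, MSKRB5 + KRB5 + NTLMSSP)) + ctx(2, tlv(0x04, token)))   # NegTokenInit
    return base64.b64encode(tlv(0x60, SPNEGO + ctx(0, init))).decode()
```

The bracketed numbers in the errors quoted above are Kerberos error codes from RFC 4120, not enctypes: 14 is KDC_ERR_ETYPE_NOSUPP, 6 is KDC_ERR_C_PRINCIPAL_UNKNOWN and 31 is KRB_AP_ERR_BAD_INTEGRITY. Comparing the decoded SPN and etype with the keytab entry (HTTP/Server1 versus the HTTP/Server1.domain1.com that kerbtray shows, DES-CBC-CRC versus whatever the KDC actually issued) is the quickest way to tell which of the three applies.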

Karolin Seeger | 2 Jan 10:23 2009

Re: [SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4737-g3d22b77

Hi Michael,

On Wed, Dec 31, 2008 at 04:13:38PM -0500, simo wrote:
> On Thu, 2008-12-25 at 23:45 +0100, Michael Adam wrote:
> > Hi Karo,
> > 
> > please pick this important idmapping fix (2 commits) for 3.3.0 final.
> > I originally missed these when synchronizing fixes from v3-2-ctdb.
> > 
> > Thanks - Michael
> 
> Michael,
> I have given just a quick look to the patch, but it seems to me the right
> fix would be to fix the return error of the passdb backend rather than
> removing the code to call it. The reason why the passdb backend is
> called first (IIRC) is because passdb always takes precedence and may
> contain group mappings for example.

do you agree?

As 3.3.0 is planned for Tuesday we should decide/fix that soon.

Karo

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info  <at>  SerNet.DE

scudette | 2 Jan 12:39 2009

[PATCH] Fixes uninitialised access as reported by valgrind.

---
 source4/lib/registry/regf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source4/lib/registry/regf.c b/source4/lib/registry/regf.c
index a869ed4..d6fb413 100644
--- a/source4/lib/registry/regf.c
+++ b/source4/lib/registry/regf.c
 <at>  <at>  -543,7 +543,7  <at>  <at>  static WERROR regf_get_value(TALLOC_CTX *ctx, struct hive_key *key,

 	if (vk->data_length & 0x80000000) {
 		vk->data_length &=~0x80000000;
-		data->data = (uint8_t *)&vk->data_offset;
+		data->data = talloc_memdup(ctx, (uint8_t *)&vk->data_offset, vk->data_length);
 		data->length = vk->data_length;
 	} else {
 		*data = hbin_get(regf, vk->data_offset);
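Review bot: the talloc_memdup() result on the `+` line is not checked; in a WERROR-returning function a NULL here should become an error return (Samba has WERR_NOMEM for this) rather than a NULL data pointer paired with a non-zero data->length. While touching this line it is also worth bounding the copy: the inline case reads vk->data_length bytes starting at &vk->data_offset, so a hive with the inline bit set and a data_length larger than sizeof(vk->data_offset) would read past that field; clamping or rejecting such a length before the memdup keeps a malformed file from turning into an out-of-bounds read.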
-- 
1.5.4.3

scudette | 2 Jan 12:41 2009

[PATCH] Changed code to use proper talloc context instead of NULL to control memory leak.

---
 source4/lib/registry/regf.c         |    2 +-
 source4/lib/registry/tools/common.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/lib/registry/regf.c b/source4/lib/registry/regf.c
index d6fb413..4cbcb09 100644
--- a/source4/lib/registry/regf.c
+++ b/source4/lib/registry/regf.c
 <at>  <at>  -2045,7 +2045,7  <at>  <at>  WERROR reg_open_regf_file(TALLOC_CTX *parent_ctx, const char *location,
 	struct tdr_pull *pull;
 	int i;

-	regf = (struct regf_data *)talloc_zero(NULL, struct regf_data);
+	regf = (struct regf_data *)talloc_zero(parent_ctx, struct regf_data);

 	regf->iconv_convenience = iconv_convenience;
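Review bot: regf is dereferenced on the next line (`regf->iconv_convenience = iconv_convenience;`) without checking the talloc_zero() result; supplying parent_ctx fixes the leak but the allocation can still fail, so add a NULL check that returns WERR_NOMEM before the assignment. The `(struct regf_data *)` cast is also redundant, since talloc_zero() already returns a pointer of the requested type.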

diff --git a/source4/lib/registry/tools/common.c b/source4/lib/registry/tools/common.c
index c9f1248..d997cb0 100644
--- a/source4/lib/registry/tools/common.c
+++ b/source4/lib/registry/tools/common.c
 <at>  <at>  -51,7 +51,7  <at>  <at>  struct registry_key *reg_common_open_file(const char *path,
 	struct registry_context *h = NULL;
 	WERROR error;

-	error = reg_open_hive(NULL, path, NULL, creds, ev_ctx, lp_ctx, &hive_root);
+	error = reg_open_hive(ev_ctx, path, NULL, creds, ev_ctx, lp_ctx, &hive_root);

 	if(!W_ERROR_IS_OK(error)) {
 		fprintf(stderr, "Unable to open '%s': %s \n",
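Review bot: parenting the hive on ev_ctx ties its lifetime to the event context rather than to the caller, which is a change in ownership semantics that the commit message should state explicitly; if reg_common_open_file() has no caller-supplied TALLOC_CTX to use instead, a short comment next to the reg_open_hive() call saying why ev_ctx is the chosen owner would stop a later reader from mistaking it for an accident.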
-- 
1.5.4.3

