Richard Sharpe | 1 May 2010 01:06

Allowing veto files = /blah-blah-blah/ to contain \3 ...

Hi,

In mixed environments (Mac and Windows) you don't want to veto /Icon?/
because iTunes needs to create files like Icon1 Icon2 etc.

However, if Mac users copy folders onto a Samba server that have
customized icons in them, they end up with a file called Icon\r.

We wanted to veto just these files.

The following patch allows you to do: veto files = /Icon\r/

--- ../rootfs-components/samba-3.4.4/source3/lib/util.c 2010-04-30
11:24:04.000000000 -0700
+++ samba-3.4.4/source3/lib/util.c      2010-04-30 16:02:44.000000000 -0700
 <at>  <at>  -1708,6 +1708,36  <at>  <at>  bool is_in_path(const char *name, name_c
        return False;
 }

+/*
+ * This does an inplace conversion of \\ and \r to \ and 0x0D. Yes, it is
+ * O(n^2) but where it is used we don't care.
+ */
+static void convert_non_print(char * str)
+{
+        int i = 0;
+
+        if (str == NULL || strlen(str) == 0)
+                return;
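Review bot: the comment above convert_non_print() says `\\` now collapses to `\` and `\r` becomes 0x0D, which changes how any existing entry containing a backslash is read if this runs on every veto files value; that needs a line in the veto files documentation, and the function name promises more than the two escapes it handles. In the visible body, `int i` should be `size_t` for a string index, `strlen(str) == 0` can be `str[0] == '\0'`, and the O(n^2) cost the comment admits to is avoidable with one pass using separate read and write indexes.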
+

Jeremy Allison | 1 May 2010 02:21

Re: Allowing veto files = /blah-blah-blah/ to contain \3 ...

On Fri, Apr 30, 2010 at 04:06:28PM -0700, Richard Sharpe wrote:
> Hi,
> 
> In mixed environments (Mac and Windows) you don't want to veto /Icon?/
> because iTunes needs to create files like Icon1 Icon2 etc.
> 
> However, if Mac users copy folders onto a Samba server that have
> customized icons in them, they end up with a file called Icon\r.
> 
> We wanted to veto just these files.
> 
> The following patch allows you to do: veto files = /Icon\r/

Hmmm. This is horrid, but I'm sure it works. Can't you
use talloc_all_string_sub(ctx, buf, "\\r", "\r", 0);
to do the same (look at the use in smbd/chgpasswd.c).

Jeremy.
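An added example, not code from this thread or from Samba: a single-pass, in-place unescape of one veto files entry that handles the two escapes named in the patch comment (`\r` to 0x0D, `\\` to a literal backslash), so that `\\r` stays a backslash followed by `r` instead of turning into a carriage return as it can with back-to-back substring substitutions. The function name `unescape_veto_entry` and the sample entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not Samba code): unescape one veto-files entry in
 * place. Recognised escapes are the two named in the thread:
 *   \r  -> 0x0D (carriage return)
 *   \\  -> one literal backslash
 * Any other backslash sequence, and a trailing lone backslash, is copied
 * through unchanged. The string is consumed left to right exactly once,
 * so the output of one escape is never re-read as the start of another.
 * Returns the new length of the string.
 */
size_t unescape_veto_entry(char *s)
{
    size_t r = 0, w = 0;   /* read and write positions */

    if (s == NULL)
        return 0;

    while (s[r] != '\0') {
        if (s[r] == '\\' && s[r + 1] == 'r') {
            s[w++] = '\r';
            r += 2;
        } else if (s[r] == '\\' && s[r + 1] == '\\') {
            s[w++] = '\\';
            r += 2;
        } else {
            s[w++] = s[r++];
        }
    }
    s[w] = '\0';
    return w;
}

int main(void)
{
    /* Constructed sample entries, as they would be typed in smb.conf. */
    char icon[] = "Icon\\r";       /* I c o n \ r   */
    char literal[] = "log\\\\r";   /* l o g \ \ r   */

    unescape_veto_entry(icon);
    unescape_veto_entry(literal);
    printf("CR at end: %d, literal entry: %s\n", icon[4] == '\r', literal);
    return 0;
}
```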

Richard Sharpe | 1 May 2010 03:02

Re: Allowing veto files = /blah-blah-blah/ to contain \3 ...

On Fri, Apr 30, 2010 at 5:21 PM, Jeremy Allison <jra <at> samba.org> wrote:
> On Fri, Apr 30, 2010 at 04:06:28PM -0700, Richard Sharpe wrote:
>> Hi,
>>
>> In mixed environments (Mac and Windows) you don't want to veto /Icon?/
>> because iTunes needs to create files like Icon1 Icon2 etc.
>>
>> However, if Mac users copy folders onto a Samba server that have
>> customized icons in them, they end up with a file called Icon\r.
>>
>> We wanted to veto just these files.
>>
>> The following patch allows you to do: veto files = /Icon\r/
>
> Hmmm. This is horrid, but I'm sure it works. Can't you
> use talloc_all_string_sub(ctx, buf, "\\r", "\r", 0);
> to do the same (look at the use in smbd/chgpasswd.c).

Don't have a talloc context laying around, so I did this:

--- ../rootfs-components/samba-3.4.4/source3/lib/util.c 2010-04-30
11:24:04.000000000 -0700
+++ samba-3.4.4/source3/lib/util.c      2010-04-30 17:40:25.000000000 -0700
 <at>  <at>  -1787,6 +1787,9  <at>  <at>  void set_namearray(name_compare_entry **
                        return;
                }

+                /* DRI mod ... transform \r and \\ into 0x0D and \. RJS */
+                all_string_sub((*ppname_array)[i].name, "\\r", "\r", 0);
+
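Review bot: the comment on the added lines says both `\r` and `\\` are transformed, but the single all_string_sub() call only replaces backslash-r with 0x0D, so `\\` is never handled and a name that really contains a backslash followed by `r` can no longer be expressed. Either add the `\\` case (in one pass, so the result of one substitution is not re-read by the next) or correct the comment. The "DRI mod ... RJS" marker is a local tag and should come out before this goes upstream, and since the call sits in set_namearray() it applies to every list parsed there, which the documentation should say.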

tridge | 1 May 2010 03:34

Videos of Samba4 capabilities

I've put together a few more videos showing the capabilities of Samba4
as an AD domain controller. These videos are intended to complement
the Samba4 HOWTO on the wiki.

  http://wiki.samba.org/index.php/Samba4/videos

Currently there are 4 videos, with more planned in the future.

 1) joining a Samba4 domain
 2) group policy management
 3) roaming profiles
 4) dcpromo

I've tried to keep the videos a bit shorter than the previous videos
I've done. The idea is to build up a set of videos that covers the
main features of Samba4 with each feature in a separate video, rather
than a single video that tries to cover all features.

If anyone wants to work on making these videos more accessible to
people running Windows desktops that would be most welcome.

Metze has also asked me to add a video on the details of dynamic DNS
setup. I'll work on that when I have the time. If there are any other
requests please let me know.

Cheers, Tridge

Holger Hans Peter Freyther | 1 May 2010 13:43

[PATCH] Documentation fix for talloc

Hi all,

I am not sure if that list is appropriate for sending patches, if not
please point me to the right place. We are using talloc in OpenBSC and I
was going through the documentation yesterday and think I found a small
issue.

I think the author of the documentation meant to write existing instead
of exiting. Please consider applying the patch.

thanks
	z.
Index: talloc/talloc.3.xml
===================================================================
--- talloc.orig/talloc.3.xml
+++ talloc/talloc.3.xml
 <at>  <at>  -362,7 +362,7  <at>  <at>  talloc_set_name_const(ptr, name);</progr
     <refsect2><title>void *talloc_new(void *<emphasis role="italic">ctx</emphasis>);</title>
         <para>
 	  This is a utility macro that creates a new memory context hanging
-	  off an exiting context, automatically naming it "talloc_new:
+	  off an existing context, automatically naming it "talloc_new:
 	  __location__" where __location__ is the source line it is called
 	  from.  It is particularly useful for creating a new temporary
 	  working context.
Index: talloc/talloc.h
===================================================================
--- talloc.orig/talloc.h

Volker Lendecke | 1 May 2010 15:21

Re: [PATCH] Documentation fix for talloc

On Sat, May 01, 2010 at 07:43:59PM +0800, Holger Hans Peter Freyther wrote:
> I am not sure if that list is appropriate for sending patches, if not
> please point me to the right place. We are using talloc in OpenBSC and I
> was going through the documentation yesterday and think I found a small
> issue.

This is exactly the right list. Pushed to samba master,
thanks.

Volker

Matthieu Patou | 2 May 2010 11:27

domain dfs implementation for s4

Hello,
you can find here: 
http://repo.or.cz/w/Samba/ekacnet.git/shortlog/refs/heads/dfs, two 
patches for dfs implementation on s4.

With those patches + host msdfs =yes, I am able to correctly answer
requests for sysvol and netlogon domain dfs (it has been tested with
windows 7 and windows xp sp2).

Most of the infrastructure for domain DFS is implemented; I have to decide
where we will keep parameters like reply only for same site referral or
least-expensive referral, or replying with the DCs of your site first.

Implementing other domain DFS is a bit more tricky because they are
stored as blobs in the AD and in order to create these blobs we have to
implement more RPC so I didn't plan in the short term to implement them.
Non domain DFS are not implemented as well although it shouldn't be to
"front" port the s3 code (I'm not sure that there is much interest in
doing so although s3 code seems not to care about site proximity).

What is left?

* Randomize DCs within a set of equal cost (i.e. all the DCs in the
client site or all the DCs that are in sites distant from 50 cost of the
client's site)
* Get list of sites sorted by cost and put DCs in sets according to costs
* pidl for the moment generates two additional null bytes at the end of
the DC lists although the idl states this:
[relative_short] [flag(STR_NOTERM|NDR_REMAINING)] nstring_array *expanded_names;

Volker Lendecke | 2 May 2010 12:19

Re: Max connections vulnerability?

On Tue, Mar 30, 2010 at 10:14:27PM -0400, Mike Gagnon wrote:
> Prior to Samba 3.0.23, Samba was vulnerable to a DOS because an
> unbounded number of connections could be opened (see reference below).
>  This vulnerability was fixed in 3.0.23 by limiting the maximum number
> of connections to 2047.  However, in modern versions of Samba the
> maximum number of connections is user-configurable--and defaults to
> infinity.  Is the default configuration of modern Samba versions
> vulnerable to this attack? Or, is the system invulnerable to this
> attack via some other mechanism?
> 
> Reference: http://www.derkeiler.com/Mailing-Lists/Securiteam/2006-07/msg00023.html

Those two are slightly different things. Prior versions had
been vulnerable to an attack where you could very easily
make a single smbd use arbitrary amounts of memory by
issuing so-called Tree Connect requests. This has been
fixed. The "max connections" parameter controls how many
overall smbds can connect to a share. This is indeed
unlimited by default, but you need to use multiple smbds to
exploit this. If you want to limit the overall resource
usage, you need to put the "max connections" and "max smbd
processes" to low values. However, probably with
well-crafted requests it will still be possible to make smbd
use lots of RAM. You might want to look at the system
ulimits if you want to confine this.

Volker

Volker Lendecke | 2 May 2010 12:44

Re: [PATCH] smbcacls added support for a -I flag

On Wed, Apr 28, 2010 at 01:20:15AM -0700, matthew <at> mcgillis.org wrote:
> This message should include an attachment of the patch.
> This used MacOS X Mail.
> 
> Let me know if you're still running into problems.

Ok, this works fine, thanks!

Some comments on the patch: It still compiles with warnings
about unused variables and declarations after statements.
Those are easy to fix. I always compile with

-g -Wall -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -DDEBUG_PASSWORD -DDEVELOPER
-Wdeclaration-after-statement -Werror-implicit-function-declaration -Wc++-compat -pipe -g -O3
-D_FORTIFY_SOURCE=2 -Wshadow -Wpointer-arith -Wcast-align -Wfloat-equal -Wstrict-aliasing=2
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wnested-externs

which catches many of these problems for me.

One real question though: Your patch contains changes to
for example cacl_dump, to owner_set etc. Some of those seem
to be pure reformattings, but to me that seems a bit
difficult to really review for the real changes. For example
there's a hunk in your patch that says

 static int owner_set(struct cli_state *cli, enum chown_mode change_mode, 
-                       const char *filename, const char *new_username)
+                    char *filename, const char *new_username)
 {
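Review bot: the `filename` parameter of owner_set() loses its const (`const char *filename` becomes `char *filename`) with nothing in the visible hunk that writes through it. Keep it const unless the function really modifies the string, otherwise callers passing a `const char *` or a string literal trip the -Wwrite-strings and discarded-qualifier warnings from the flag set quoted above. If re-indenting the continuation line was the only intent, send the whitespace change as its own patch so the functional changes stay reviewable.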


Matthieu Patou | 2 May 2010 13:31

Re: Patches for dealing a bit more cleanly with NTTIME

Hello all,

Any news on this patch? It seems that it's not in master.

On 20/04/2010 11:25, Matthias Dieter Wallnöfer wrote:
> Hi Jelmer,
>
> this is the thread where ekacnet posted his NTTIME patch (I think you 
> haven't noticed it).
>
> Matthias
>
> Matthieu Patou wrote:
>> Hi jelmer,
>>
>> Find attached the new version without any cast + assignment in SamDB.
>>
>> On 15/04/2010 00:47, Jelmer Vernooij wrote:
>>> Hi Matthieu,
>>>
>>> On Thu, 2010-04-15 at 00:37 +0400, Matthieu Patou wrote:
>>>> Hello jelmer,
>>>>
>>>> This patch is for dealing correctly with NTTIME (64bits) + allowing to
>>>> print a NTTIME object in a string.
>>> You're using PyInt_FromLong((uint64_t)t). That seems wrong because
>>> sizeof(uint64_t) > sizeof(long) and t is a time_t. Perhaps you just
>>> don't want to cast at all?
>>>
>>> Cheers,

