Update to Samba 4.1.0rc2.

related: #985609
Andreas Schneider 2013-08-12 10:30:14 +02:00
parent 0fe8d6657b
commit 9220df7904
7 changed files with 12 additions and 715 deletions

1
.gitignore vendored

@ -27,3 +27,4 @@ samba-3.6.0pre1.tar.gz
/samba-4.0.6.tar.bz2
/samba-4.0.7.tar.xz
/samba-4.1.0rc1.tar.xz
/samba-4.1.0rc2.tar.xz


@ -1,406 +0,0 @@
From bc7060261e5ad4db03d49414f8d3910ae231b79f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 3 Apr 2013 15:52:06 +0300
Subject: [PATCH 1/4] wafsamba: fix samba_abi for default catch-all case
Only filter out the symbol when positive match was not found and there is
negative match.
ABI signature file generator worked incorrectly for cases when mixture of
positive and negative matches were provided. This resulted in generating empty
signature file for libpdb since there was no catch-all positive match anymore.
Commit 9ba44cc610426fb558b49aa9680b5bdf55c29082 removed explicit '*' positive
match and corresponding vscript generator adds '*' by default if global match
list is empty, so this commit introduces feature parity into signature
generator.
Reviewed-by: Andreas Schneider <asn@samba.org>
---
buildtools/wafsamba/samba_abi.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index 488dab8..76acd00 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -50,13 +50,15 @@ def parse_sigs(sigs, abi_match):
sa = s.split(':')
if abi_match:
matched = False
+ negative = False
for p in abi_match:
if p[0] == '!' and fnmatch.fnmatch(sa[0], p[1:]):
+ negative = True
break
elif fnmatch.fnmatch(sa[0], p):
matched = True
break
- if not matched:
+ if (not matched) and negative:
continue
Logs.debug("%s -> %s" % (sa[1], normalise_signature(sa[1])))
ret[sa[0]] = normalise_signature(sa[1])
--
1.8.1.4
From ff9cbe37219a41ceb0c624a995f12692f6634760 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 3 Apr 2013 16:01:34 +0300
Subject: [PATCH 2/4] s3-waf: filter out ldapsam internal init functions
pdb_ldapsam_init* functions (init and init_common) are used in
pdb_ipa.c and pdb_nds.c which are always linked together with
pdb_ldap.c where pdb_ldapsam_init* functions reside.
Tested with both ldapsam integrated (into libpdb) and as
a separate module.
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/wscript_build | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/wscript_build b/source3/wscript_build
index 02040bf..fd20b81 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -716,6 +716,7 @@ ldapsam_pdb_match = ['!priv2ld', '!smbldap_search_domain_info',
'!get_attr_list']
private_pdb_match.append('!pdb_nds_*')
private_pdb_match.append('!pdb_init_ldapsam')
+private_pdb_match.append('!pdb_ldapsam_init*')
private_pdb_match = private_pdb_match + ldapsam_pdb_match
private_pdb_match = private_pdb_match + map(lambda x: '!pdb_%s_init' % x, static_pdb_match)
--
1.8.1.4
From 67e4a28c0b14259f0f25a292f91924f82c84bae1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 3 Apr 2013 16:37:00 +0300
Subject: [PATCH 3/4] PASSDB: add support to set and enumerate UPN suffixes
associated with our forest
Samba PDC may manage a forest containing DNS domains in addition to the primary one.
Information about them is advertised via netr_DsRGetForestTrustInformation when
trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and
via netr_GetForestTrustInformation.
This changeset only expands PASSDB API; how suffixes are maintained is left
to specific PDB modules. Set function is added so that suffixes could be
managed through 'net' and other Samba utilities, if possible.
One possible implementation is available for ipasam module in FreeIPA:
http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/include/passdb.h | 18 +++++++++++++++++-
source3/passdb/ABI/pdb-0.sigs | 2 ++
source3/passdb/pdb_interface.c | 36 ++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 908631d..5e5a7bf 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -412,9 +412,10 @@ enum pdb_policy_type {
* Changed to 18, pdb_rid_algorithm -> pdb_capabilities
* Changed to 19, removed uid_to_rid
* Changed to 20, pdb_secret calls
+ * Changed to 21, set/enum_upn_suffixes. AB.
*/
-#define PASSDB_INTERFACE_VERSION 20
+#define PASSDB_INTERFACE_VERSION 21
struct pdb_methods
{
@@ -614,6 +615,15 @@ struct pdb_methods
NTSTATUS (*delete_secret)(struct pdb_methods *methods,
const char *secret_name);
+ NTSTATUS (*enum_upn_suffixes)(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes);
+
+ NTSTATUS (*set_upn_suffixes)(struct pdb_methods *methods,
+ uint32_t num_suffixes,
+ const char **suffixes);
+
void *private_data; /* Private data of some kind */
void (*free_private_data)(void **);
@@ -911,6 +921,12 @@ NTSTATUS pdb_delete_secret(const char *secret_name);
bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
struct unixid *id);
+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes);
+
+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
+ const char **suffixes);
/* The following definitions come from passdb/pdb_util.c */
diff --git a/source3/passdb/ABI/pdb-0.sigs b/source3/passdb/ABI/pdb-0.sigs
index 4108b9a..51810ef 100644
--- a/source3/passdb/ABI/pdb-0.sigs
+++ b/source3/passdb/ABI/pdb-0.sigs
@@ -112,6 +112,7 @@ pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t
pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
pdb_get_acct_ctrl: uint32_t (const struct samu *)
@@ -230,6 +231,7 @@ pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain
pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 775f8a3..36dde6f 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -2340,6 +2340,39 @@ static struct pdb_domain_info *pdb_default_get_domain_info(
return NULL;
}
+/*****************************************************************
+ UPN suffixes
+ *****************************************************************/
+static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
+ uint32_t num_suffixes,
+ const char **suffixes)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
+ uint32_t *num_suffixes,
+ char ***suffixes)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
+}
+
+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
+ const char **suffixes)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
+}
+
/*******************************************************************
secret methods
*******************************************************************/
@@ -2487,5 +2520,8 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
(*methods)->set_secret = pdb_default_set_secret;
(*methods)->delete_secret = pdb_default_delete_secret;
+ (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
+ (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
+
return NT_STATUS_OK;
}
--
1.8.1.4
From 801d299067c1ad8e9e63e0c675a4d1284de2f85c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 3 Apr 2013 16:52:45 +0300
Subject: [PATCH 4/4] s3-netlogon: enumerate UPN suffixes from PASSDB when
available
Optionally append list of UPN suffixes if PDB module returns non-empty one.
Refactor fill_forest_trust_array() in source3 to allow reuse of the code between
_netr_DsRGetForestTrustInformation() and _netr_GetForestTrustInformation()
Implement a special case of _netr_DsRGetForestTrustInformation in smbd
when trusted_domain_name is NULL (covered by test_DsrEnumerateDomainTrusts()
in rpc.netlogon torture tests, see comment in source4/torture/rpc/netlogon.c).
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 9 22:19:34 CEST 2013 on sn-devel-104
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 106 ++++++++++++++++++++++++----
1 file changed, 94 insertions(+), 12 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 9b50655..c45f33f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2309,22 +2309,16 @@ NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
/****************************************************************
****************************************************************/
-WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
- struct netr_DsRGetForestTrustInformation *r)
-{
- p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
- return WERR_NOT_SUPPORTED;
-}
-
-/****************************************************************
-****************************************************************/
-
static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
struct lsa_ForestTrustInformation *info)
{
struct lsa_ForestTrustRecord *e;
struct pdb_domain_info *dom_info;
struct lsa_ForestTrustDomainInfo *domain_info;
+ char **upn_suffixes = NULL;
+ uint32_t num_suffixes = 0;
+ uint32_t i = 0;
+ NTSTATUS status;
dom_info = pdb_get_domain_info(mem_ctx);
if (dom_info == NULL) {
@@ -2332,7 +2326,15 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
}
info->count = 2;
- info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, 2);
+
+ become_root();
+ status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
+ unbecome_root();
+ if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) {
+ info->count += num_suffixes;
+ }
+
+ info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
if (info->entries == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -2350,6 +2352,21 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
info->entries[0] = e;
+ if (num_suffixes > 0) {
+ for (i = 0; i < num_suffixes ; i++) {
+ e = talloc(info, struct lsa_ForestTrustRecord);
+ if (e == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ e->flags = 0;
+ e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
+ e->time = 0; /* so far always 0 in traces. */
+ e->forest_trust_data.top_level_name.string = upn_suffixes[i];
+ info->entries[1 + i] = e;
+ }
+ }
+
e = talloc(info, struct lsa_ForestTrustRecord);
if (e == NULL) {
return NT_STATUS_NO_MEMORY;
@@ -2368,12 +2385,76 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
domain_info->netbios_domain_name.string = talloc_steal(info,
dom_info->name);
- info->entries[1] = e;
+ info->entries[info->count - 1] = e;
return NT_STATUS_OK;
}
/****************************************************************
+****************************************************************/
+
+WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ struct netr_DsRGetForestTrustInformation *r)
+{
+ NTSTATUS status;
+ struct lsa_ForestTrustInformation *info, **info_ptr;
+
+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return WERR_ACCESS_DENIED;
+ }
+
+ if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_INVALID_FLAGS;
+ }
+
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_NERR_NOTPRIMARY;
+ }
+
+ if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_INVALID_PARAMETER;
+ }
+
+ /* retrieve forest trust information and stop further processing */
+ if (r->in.trusted_domain_name == NULL) {
+ info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
+ if (info_ptr == NULL) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOMEM;
+ }
+ info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
+ if (info == NULL) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOMEM;
+ }
+
+ /* Fill forest trust information and expand UPN suffixes list */
+ status = fill_forest_trust_array(p->mem_ctx, info);
+ if (!NT_STATUS_IS_OK(status)) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOMEM;
+ }
+
+ *info_ptr = info;
+ r->out.forest_trust_info = info_ptr;
+
+ return WERR_OK;
+
+ }
+
+ /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43)
+ * when trusted_domain_name is not NULL */
+
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_NOT_SUPPORTED;
+}
+
+/****************************************************************
_netr_GetForestTrustInformation
****************************************************************/
@@ -2417,6 +2498,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
return NT_STATUS_NO_MEMORY;
}
+ /* Fill forest trust information, do expand UPN suffixes list */
status = fill_forest_trust_array(p->mem_ctx, info);
if (!NT_STATUS_IS_OK(status)) {
return status;
--
1.8.1.4


@ -1,44 +0,0 @@
From 91300255f4b93dad920af2399a6cd64720d47e4f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 11 Jul 2013 13:44:53 +0200
Subject: [PATCH] s3-winbind: Do not delete an existing valid credential cache.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994
Thanks to David Woodhouse <dwmw2@infradead.org>.
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
(cherry picked from commit 0529b59fbe3f96509893fc4e93a75d6928b5a532)
---
source3/winbindd/winbindd_pam.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b23d421..99794e6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -677,6 +677,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
failed:
+ /*
+ * Do not delete an existing valid credential cache, if the user
+ * e.g. enters a wrong password
+ */
+ if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
+ && user_ccache_file != NULL) {
+ return result;
+ }
/* we could have created a new credential cache with a valid tgt in it
* but we werent able to get or verify the service ticket for this
--
1.8.3.1


@ -1,217 +0,0 @@
From bfbf322626965100a72eeaed31573a36a61b33d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 18 Jul 2013 19:04:29 +0200
Subject: [PATCH 1/3] wbinfo: allow to define a custom krb5ccname for
kerberized pam auth.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95)
---
nsswitch/wbinfo.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 1d1557d..cfb430b 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2083,6 +2083,7 @@ int main(int argc, char **argv, char **envp)
bool use_lanman = false;
char *logoff_user = getenv("USER");
int logoff_uid = geteuid();
+ const char *opt_krb5ccname = "FILE";
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -2164,6 +2165,7 @@ int main(int argc, char **argv, char **envp)
{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
/* destroys wbinfo --help output */
/* "user%password,DOM\\user%password,user@EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
+ { "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
#endif
{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
@@ -2533,13 +2535,13 @@ int main(int argc, char **argv, char **envp)
WBFLAG_PAM_INFO3_TEXT |
WBFLAG_PAM_CONTACT_TRUSTDOM;
- if (!wbinfo_auth_krb5(string_arg, "FILE",
+ if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
flags)) {
d_fprintf(stderr,
"Could not authenticate user "
"[%s] with Kerberos "
"(ccache: %s)\n", string_arg,
- "FILE");
+ opt_krb5ccname);
goto done;
}
break;
--
1.8.3.1
From b9c191e3cde6aa5d726f3bea46d853441bf7daf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 18 Jul 2013 19:05:51 +0200
Subject: [PATCH 2/3] s3-winbindd: support the DIR pragma for raw kerberos user
pam authentication.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It is currently only available in MIT. In addition, allow to define custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
%u pattern.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7ad3a367d52b1f123c318946d654e95639202130)
---
source3/winbindd/winbindd_pam.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index aed4741..7b67154 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
gen_cc = talloc_asprintf(
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
}
+ if (strequal(type, "DIR")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+ }
+
+ if (strnequal(type, "FILE:/", 6) ||
+ strnequal(type, "WRFILE:/", 8) ||
+ strnequal(type, "DIR:/", 5)) {
+
+ /* we allow only one "%u" substitution */
+
+ char *p;
+
+ p = strchr(type, '%');
+ if (p != NULL) {
+
+ p++;
+
+ if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+ gen_cc = talloc_asprintf(mem_ctx, type, uid);
+ }
+ }
+ }
}
*user_ccache_file = gen_cc;
--
1.8.3.1
From c488253925831a3683446e93bd79d9593c4f9295 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 18 Jul 2013 19:09:14 +0200
Subject: [PATCH 3/3] pam_winbind: update documentation for "DIR" krb5ccname
pragma.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
(cherry picked from commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb)
---
docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++++++++++--------
examples/pam_winbind/pam_winbind.conf | 3 ++-
2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 7098ff4..be7f684 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication
- by enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a
- credential cache. The type of credential cache can be set with
- this option. Currently the only supported value is:
- <parameter>FILE</parameter>. In that case a credential cache in
- the form of /tmp/krb5cc_UID will be created, where UID is
- replaced with the numeric user id. Leave empty to just do
- kerberos authentication without having a ticket cache after the
- logon has succeeded. This setting is empty by default.
+ When pam_winbind is configured to try kerberos authentication by
+ enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a credential
+ cache. The type of credential cache can be controlled with this
+ option. The supported values are: <parameter>FILE</parameter>
+ and <parameter>DIR</parameter> (when the DIR type is supported
+ by the system's Kerberos library). In case of FILE a credential
+ cache in the form of /tmp/krb5cc_UID will be created - in case
+ of DIR it will be located under the /run/user/UID/krb5cc
+ directory. UID is replaced with the numeric user id.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitue the numeric user id.
+ Examples:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para> Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.
</para></listitem>
</varlistentry>
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112..87bc388 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
#
# /etc/security/pam_winbind.conf
#
+# For more details see man pam_winbind.conf(5)
[global]
@@ -19,7 +20,7 @@
# authenticate using kerberos
;krb5_auth = no
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
--
1.8.3.1


@ -1,36 +0,0 @@
From f0ff2d8ee925921c70f2b9149316f123402ab81b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 19 Jul 2013 16:08:39 +0200
Subject: [PATCH] s3-waf: Rename regedit to samba-regedit.
This is needed cause wine already provides a binary with the name
regedit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10040
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 22 14:12:38 CEST 2013 on sn-devel-104
(cherry picked from commit b5051111d2fd3a9ae3b3aa028ccf013a98c20b38)
---
source3/wscript_build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/wscript_build b/source3/wscript_build
index 19c6d08..a8bdaf0 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1615,7 +1615,7 @@ bld.SAMBA3_PYTHON('pylibsmb',
realname='samba/samba3/libsmb_samba_internal.so'
)
-bld.SAMBA3_BINARY('regedit',
+bld.SAMBA3_BINARY('samba-regedit',
source="""utils/regedit.c utils/regedit_samba3.c
utils/regedit_wrap.c utils/regedit_treeview.c
utils/regedit_valuelist.c utils/regedit_dialog.c
--
1.8.3.1


@ -1,7 +1,7 @@
# Set --with testsuite or %bcond_without to run the Samba torture testsuite.
%bcond_with testsuite
%define main_release 2
%define main_release 3
%define samba_version 4.1.0
%define talloc_version 2.0.8
@ -10,7 +10,7 @@
%define tevent_version 0.9.18
%define ldb_version 1.1.16
# This should be rc1 or nil
%define pre_release rc1
%define pre_release rc2
%if "x%{?pre_release}" != "x"
%define samba_release 0.%{main_release}.%{pre_release}%{?dist}
@ -44,7 +44,7 @@
Name: samba
Version: %{samba_version}
Release: %{samba_release}.1
Release: %{samba_release}
%if 0%{?rhel}
Epoch: 0
@ -75,10 +75,6 @@ Source6: samba.pamd
Source200: README.dc
Source201: README.downgrade
Patch0: samba-4.0.8-fix_winbind_ccache_cleanup.patch
Patch1: samba-4.1.0rc1-fix_regedit_name.patch
Patch2: samba-4.1.0rc1-add_support_for_cc_type_dir.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires(pre): /usr/sbin/groupadd
@ -435,9 +431,6 @@ the local kerberos library to use the same KDC as samba and winbind use
%prep
%setup -q -n samba-%{version}%{pre_release}
%patch0 -p1 -b .samba-4.0.8-fix_winbind_ccache_cleanup.patch
%patch1 -p1 -b .samba-4.1.0rc1-fix_regedit_name.patch
%patch2 -p1 -b .samba-4.1.0rc1-add_support_for_cc_type_dir.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -708,7 +701,10 @@ rm -rf %{buildroot}
%{_bindir}/eventlogadm
%{_sbindir}/nmbd
%{_sbindir}/smbd
%{_libdir}/samba/auth
%dir %{_libdir}/samba/auth
%{_libdir}/samba/auth/script.so
%{_libdir}/samba/auth/unix.so
%{_libdir}/samba/auth/wbc.so
%dir %{_libdir}/samba/vfs
%{_libdir}/samba/vfs/acl_tdb.so
%{_libdir}/samba/vfs/acl_xattr.so
@ -1463,6 +1459,9 @@ rm -rf %{buildroot}
%{_mandir}/man7/winbind_krb5_locator.7*
%changelog
* Mon Aug 12 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.3
- related: #985609 - Update to Samba 4.1.0rc2.
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 2:4.1.0-0.2.rc1.1
- Perl 5.18 rebuild
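Review bot: The new %changelog header records `2:4.1.0-0.3`, but with `main_release 3` and `pre_release rc2` the `samba_release` macro expands to `0.3.rc2%{?dist}`, so the entry does not match the release this spec actually builds (the previous entry did carry its `rc1` tag). I would write it as `* Mon Aug 12 2013 Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.3.rc2`, which also drops the stray ` - ` after the date. The entry is also silent about Patch0–Patch2 being removed; since Patch0 is the winbind credential-cache fix, a line such as `- Drop patches now included upstream (presumably part of rc2, to be confirmed against the tarball)` would let a later auditor check that the fix was not lost with the rebase.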


@ -1 +1 @@
0ce7a9ca50e4cca0c6d5da4a4e0e03c1 samba-4.1.0rc1.tar.xz
ee14addf3363d93ce8c62dcc5d6dc94b samba-4.1.0rc2.tar.xz