Update to Samba 4.0.0rc6.

* Add /etc/pam.d/samba for swat to work correctly. * resolves #882700
2012-12-04 15:34:18 +01:00 · 2012-12-04 15:34:18 +01:00 · ea0b80fa78
parent a4ad4da48e
commit ea0b80fa78
7 changed files with 29 additions and 218 deletions
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.0.0rc3.tar.bz2
 /samba-4.0.0rc4.tar.bz2
 /samba-4.0.0rc5.tar.bz2
+/samba-4.0.0rc6.tar.bz2
--- a/samba-4.0.0rc6-LogonSamLogon_failover.patch
+++ b/samba-4.0.0rc6-LogonSamLogon_failover.patch
@ -1,95 +0,0 @@
-commit 3b01dd5f59841b11e9906b8c23345946e0d0ea8c
-Author:     Andreas Schneider <asn@samba.org>
-AuthorDate: Fri Nov 9 15:33:09 2012 +0100
-Commit:     Stefan Metzmacher <metze@samba.org>
-CommitDate: Mon Nov 12 18:57:18 2012 +0100
-
-    s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
-    
-    Samba continues to query a broken DC while the DC did not finish to
-    rebuild Sysvol (after a Windows crash, for example). It causes end users
-    to received strange codes while trying to authenticate, even if there is
-    a secondary DC available.
-    
-    Signed-off-by: Andreas Schneider <asn@samba.org>
-    Reviewed-by: Stefan Metzmacher <metze@samba.org>
-    
-    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-    Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
---
- source3/winbindd/winbindd_pam.c | 52 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 39 insertions(+), 13 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 5b6b77b..b23d421 100644
--- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1175,6 +1175,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- 					    struct netr_SamInfo3 **info3)
- {
- 	int attempts = 0;
-+	int netr_attempts = 0;
- 	bool retry = false;
- 	NTSTATUS result;
- 
-@@ -1189,22 +1190,47 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- 		result = cm_connect_netlogon(domain, &netlogon_pipe);
- 
- 		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
-				  nt_errstr(result)));
-			if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
-				if (attempts > 0) {
-					DEBUG(3, ("This is the second problem for this "
-						"particular call, forcing the close of "
-						"this connection\n"));
-					invalidate_cm_connection(&domain->conn);
-				} else {
-					DEBUG(3, ("First call to cm_connect_netlogon "
-						"has timed out, retrying\n"));
-					continue;
-				}
-+			DEBUG(3,("Could not open handle to NETLOGON pipe "
-+				 "(error: %s, attempts: %d)\n",
-+				  nt_errstr(result), netr_attempts));
-+
-+			/* After the first retry always close the connection */
-+			if (netr_attempts > 0) {
-+				DEBUG(3, ("This is again a problem for this "
-+					  "particular call, forcing the close "
-+					  "of this connection\n"));
-+				invalidate_cm_connection(&domain->conn);
-+			}
-+
-+			/* After the second retry failover to the next DC */
-+			if (netr_attempts > 1) {
-+				/*
-+				 * If the netlogon server is not reachable then
-+				 * it is possible that the DC is rebuilding
-+				 * sysvol and shutdown netlogon for that time.
-+				 * We should failover to the next dc.
-+				 */
-+				DEBUG(3, ("This is the third problem for this "
-+					  "particular call, adding DC to the "
-+					  "negative cache list\n"));
-+				add_failed_connection_entry(domain->name,
-+							    domain->dcname,
-+							    result);
-+				saf_delete(domain->name);
-+			}
-+
-+			/* Only allow 3 retries */
-+			if (netr_attempts < 3) {
-+				DEBUG(3, ("The connection to netlogon "
-+					  "failed, retrying\n"));
-+				netr_attempts++;
-+				retry = true;
-+				continue;
- 			}
- 			return result;
- 		}
-+		netr_attempts = 0;
-+
- 		auth = netlogon_pipe->auth;
- 		if (netlogon_pipe->dc) {
- 			neg_flags = netlogon_pipe->dc->negotiate_flags;
--- a/samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch
+++ b/samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch
@ -1,40 +0,0 @@
-From 2032f2746d70bbebd1af26a7a046eb1cc61ac175 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 23 Nov 2012 13:19:53 +0100
-Subject: [PATCH] s3-rpc_client: lookup nametype 0x20 in
- rpc_pipe_open_tcp_port(). (bug #9426)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The server name type (0x20) is much more likely to be available in the name cache, as
-this type gets stored by winbind itself - the primary user of the ncacn_ip_tcp
-code currently.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Fri Nov 23 16:30:57 CET 2012 on sn-devel-104
---
- source3/rpc_client/cli_pipe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index edb3876..f8c7b24 100644
--- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2448,7 +2448,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
- 	result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
- 	result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
- 
-	if (!resolve_name(host, &addr, 0, false)) {
-+	if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) {
- 		status = NT_STATUS_NOT_FOUND;
- 		goto fail;
- 	}
-- 
-1.7.11.7
-
--- a/samba-4.0.0rc6-winbind_default_domain_workaround.patch
+++ b/samba-4.0.0rc6-winbind_default_domain_workaround.patch
@ -1,48 +0,0 @@
-commit 3bbe690c50a5d4e2ff81ff1eeeaa728990b73637
-Author:     Sumit Bose <sbose@redhat.com>
-AuthorDate: Mon Oct 29 12:09:22 2012 +0100
-Commit:     Andreas Schneider <asn@cryptomilk.org>
-CommitDate: Mon Nov 12 15:54:15 2012 +0100
-
-    Use work around for 'winbind use default domain' only if it is set
-    
-    Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator
-    character is always added to the user name returned by Get_Pwnam_alloc() if it
-    does not contain the winbind separator character. As comments in the code
-    indicates this is done as a work around if 'winbind use default domain' is set
-    to yes in the samba configuration.
-    
-    This make sense if the option is set because otherwise the domain information is
-    lost from the user name. But it causes errors if other services than winbind are
-    used for user lookup, e.g. sssd. sssd can handle different kind of fully
-    qualified user names as input, e.g. user@domain.name or DOM\user, but returns a
-    canonical name, by default user@domain.name.
-    
-    While it would be possible to get around this issue with a special configuration
-    either on the sssd or samba side I think the cleaner solution is to use the work
-    around only if 'winbind use default domain' is set to yes which is what this
-    patch does.
-    
-    Reviewed-by: Andreas Schneider <asn@samba.org>
-    Reviewed-by: Alexander Bokovoy <ab@samba.org>
-    
-    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-    Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
---
- source3/auth/auth_util.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index a08d094..83c95a9 100644
--- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -1331,7 +1331,8 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
- 			/* make sure we get the case of the username correct */
- 			/* work around 'winbind use default domain = yes' */
- 
-			if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
-+			if ( lp_winbind_use_default_domain() &&
-+			     !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
- 				char *domain;
- 
- 				/* split the domain and username into 2 strings */
--- a/samba.pamd
+++ b/samba.pamd
@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required	pam_nologin.so
+auth       include	password-auth
+account    include	password-auth
+session    include	password-auth
+password   include	password-auth
--- a/samba.spec
+++ b/samba.spec
@ -1,4 +1,4 @@
-%define main_release 169
+%define main_release 170

 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@ -6,7 +6,7 @@
 %define tdb_version 1.2.10
 %define tevent_version 0.9.17
 %define ldb_version 1.1.12
-%define pre_release rc5
+%define pre_release rc6

 %define samba_release %{main_release}%{?dist}.%{pre_release}

@ -57,14 +57,11 @@ Source2: samba.xinetd
 Source3: swat.desktop
 Source4: smb.conf.default
 Source5: pam_winbind.conf
+Source6: samba.pamd

 Source200: README.dc
 Source201: README.downgrade

-Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch
-Patch1: samba-4.0.0rc6-winbind_default_domain_workaround.patch
-Patch2: samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch
-
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 Requires(pre): /usr/sbin/groupadd
@ -415,10 +412,6 @@ the local kerberos library to use the same KDC as samba and winbind use
 %prep
 %setup -q -n samba-%{version}%{pre_release}

-%patch0 -p1 -b .samlogon_failover
-%patch1 -p1 -b .winbind_default_domain_workaround
-%patch2 -p1 -b .ncacn_ip_tcp_resolve_name
-
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
@ -506,7 +499,6 @@ rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}

 install -d -m 0755 %{buildroot}/usr/{sbin,bin}
-install -d -m 0755 %{buildroot}%{_sysconfdir}/{logrotate.d,security}
 install -d -m 0755 %{buildroot}%{_libdir}/security
 install -d -m 0755 %{buildroot}/var/lib/samba
 install -d -m 0755 %{buildroot}/var/lib/samba/private
@ -529,10 +521,18 @@ rm -rf %{buildroot}/%{_datadir}/perl5
 ( cd pidl && make install PERL_INSTALL_ROOT=%{buildroot} )

 # Install other stuff
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba
+
 install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/security
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf

+# Install pam file for swat
+install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/samba
+
 echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts

 install -d -m 0755 %{buildroot}%{_sysconfdir}/openldap/schema
@ -691,8 +691,6 @@ rm -rf %{buildroot}
 %defattr(-,root,root)
 %{_bindir}/cifsdd
 %{_bindir}/dbwrap_tool
-%{_bindir}/debug2html
-%{_bindir}/log2pcap
 %{_bindir}/nmblookup
 %{_bindir}/nmblookup4
 %{_bindir}/oLschema2ldif
@ -706,7 +704,6 @@ rm -rf %{buildroot}
 %{_bindir}/smbclient
 %{_bindir}/smbclient4
 %{_bindir}/smbcquotas
-%{_bindir}/smbfilter
 %{_bindir}/smbget
 #%{_bindir}/smbiconv
 %{_bindir}/smbpasswd
@ -714,7 +711,6 @@ rm -rf %{buildroot}
 %{_bindir}/smbspool
 %{_bindir}/smbta-util
 %{_bindir}/smbtree
-%{_bindir}/split_tokens
 %{_libdir}/samba/libldb-cmdline.so
 %{_mandir}/man1/nmblookup.1*
 %{_mandir}/man1/oLschema2ldif.1*
@ -814,7 +810,6 @@ rm -rf %{buildroot}
 ### DC
 %files dc
 %defattr(-,root,root)
-%{_bindir}/samba-dig
 %{_libdir}/samba/ldb
 %{_libdir}/samba/libdfs_server_ad.so
 %{_libdir}/samba/libdsdb-module.so
@ -838,8 +833,11 @@ rm -rf %{buildroot}
 %dir /var/lib/samba/sysvol
 %{_datadir}/samba/setup
 %{_mandir}/man8/samba.8.gz
+%{_mandir}/man8/samba-tool.8.gz
 %else # with_dc
 %doc %{_defaultdocdir}/%{name}/README.dc
+%exclude %{_mandir}/man8/samba.8.gz
+%exclude %{_mandir}/man8/samba-tool.8.gz
 %endif # with_dc

 ### DC-LIBS
@ -1229,6 +1227,7 @@ rm -rf %{buildroot}
 %files swat
 %defattr(-,root,root)
 %config(noreplace) %{_sysconfdir}/xinetd.d/swat
+%config(noreplace) %{_sysconfdir}/pam.d/samba
 %{_datadir}/samba/swat
 %{_sbindir}/swat
 %{_mandir}/man8/swat.8*
@ -1237,28 +1236,11 @@ rm -rf %{buildroot}
 ### TEST
 %files test
 %defattr(-,root,root)
-%{_bindir}/asystest
-%{_bindir}/dbwrap_torture
 %{_bindir}/gentest
 %{_bindir}/locktest
-%{_bindir}/locktest2
-%{_bindir}/locktest3
 %{_bindir}/masktest
-%{_bindir}/masktest3
-%{_bindir}/msgtest
 %{_bindir}/ndrdump
-%{_bindir}/nsstest
-%{_bindir}/pdbtest
-%{_bindir}/pthreadpooltest
-%{_bindir}/rpc_open_tcp
-%{_bindir}/smbconftort
 %{_bindir}/smbtorture
-%{_bindir}/smbtorture3
-%{_bindir}/test_lp_load
-%{_bindir}/timelimit
-%{_bindir}/versiontest
-%{_bindir}/vfstest
-%{_bindir}/vlp
 %{_libdir}/libtorture.so.*
 %{_libdir}/samba/libsubunit.so
 %if %with_dc
@ -1297,13 +1279,13 @@ rm -rf %{buildroot}
 %files winbind-clients
 %defattr(-,root,root)
 %{_bindir}/ntlm_auth
-%{_bindir}/ntlm_auth3
 %{_bindir}/wbinfo
 %{_libdir}/libnss_winbind.so*
 %{_libdir}/libnss_wins.so*
 %{_libdir}/security/pam_winbind.so
 %config(noreplace) %{_sysconfdir}/security/pam_winbind.conf
 %{_mandir}/man1/ntlm_auth.1.gz
+%exclude %{_mandir}/man1/ntlm_auth4.1.gz
 %{_mandir}/man1/wbinfo.1*
 %{_mandir}/man5/pam_winbind.conf.5*
 %{_mandir}/man8/pam_winbind.8*
@ -1316,6 +1298,11 @@ rm -rf %{buildroot}
 %{_mandir}/man7/winbind_krb5_locator.7*

 %changelog
+* Tue Dec 04 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-170.rc6
+- Update to Samba 4.0.0rc6.
+- Add /etc/pam.d/samba for swat to work correctly.
+- resolves #882700
+
 * Fri Nov 23 2012 Guenther Deschner <gdeschner@redhat.com> - 2:4.0.0-169.rc5
 - Make sure ncacn_ip_tcp client code looks for NBT_NAME_SERVER name types.

--- a/2
+++ b/2
@ -1 +1 @@
-08f81845ddafe76440b095279aa8b034  samba-4.0.0rc5.tar.bz2
+6618ea8ff7f587ed3f7c024849163695  samba-4.0.0rc6.tar.bz2