diff --git a/.gitignore b/.gitignore
index b700901..02f00dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.0.0rc3.tar.bz2
 /samba-4.0.0rc4.tar.bz2
 /samba-4.0.0rc5.tar.bz2
+/samba-4.0.0rc6.tar.bz2
diff --git a/samba-4.0.0rc6-LogonSamLogon_failover.patch b/samba-4.0.0rc6-LogonSamLogon_failover.patch
deleted file mode 100644
index e4aa594..0000000
--- a/samba-4.0.0rc6-LogonSamLogon_failover.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-commit 3b01dd5f59841b11e9906b8c23345946e0d0ea8c
-Author: Andreas Schneider
-AuthorDate: Fri Nov 9 15:33:09 2012 +0100
-Commit: Stefan Metzmacher
-CommitDate: Mon Nov 12 18:57:18 2012 +0100
-
- s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
-
- Samba continues to query a broken DC while the DC did not finish to
- rebuild Sysvol (after a Windows crash, for example). It causes end users
- to received strange codes while trying to authenticate, even if there is
- a secondary DC available.
-
-
Signed-off-by: Andreas Schneider
- Reviewed-by: Stefan Metzmacher
-
- Autobuild-User(master): Stefan Metzmacher
- Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
----
- source3/winbindd/winbindd_pam.c | 52 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 39 insertions(+), 13 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 5b6b77b..b23d421 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -1175,6 +1175,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- struct netr_SamInfo3 **info3)
- {
- int attempts = 0;
-+ int netr_attempts = 0;
- bool retry = false;
- NTSTATUS result;
-
-@@ -1189,22 +1190,47 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
- result = cm_connect_netlogon(domain, &netlogon_pipe);
-
- if (!NT_STATUS_IS_OK(result)) {
-- DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
-- nt_errstr(result)));
-- if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
-- if (attempts > 0) {
-- DEBUG(3, ("This is the second problem for this "
-- "particular call, forcing the close of "
-- "this connection\n"));
-- invalidate_cm_connection(&domain->conn);
-- } else {
-- DEBUG(3, ("First call to cm_connect_netlogon "
-- "has timed out, retrying\n"));
-- continue;
-- }
-+ DEBUG(3,("Could not open handle to NETLOGON pipe "
-+ "(error: %s, attempts: %d)\n",
-+ nt_errstr(result), netr_attempts));
-+
-+ /* After the first retry always close the connection */
-+ if (netr_attempts > 0) {
-+ DEBUG(3, ("This is again a problem for this "
-+ "particular call, forcing the close "
-+ "of this connection\n"));
-+ invalidate_cm_connection(&domain->conn);
-+ }
-+
-+ /* After the second retry failover to the next DC */
-+ if (netr_attempts > 1) {
-+ /*
-+ * If the netlogon server is not reachable then
-+ * it is possible that the DC is rebuilding
-+ * sysvol and shutdown netlogon for that
time.
-+ * We should failover to the next dc.
-+ */
-+ DEBUG(3, ("This is the third problem for this "
-+ "particular call, adding DC to the "
-+ "negative cache list\n"));
-+ add_failed_connection_entry(domain->name,
-+ domain->dcname,
-+ result);
-+ saf_delete(domain->name);
-+ }
-+
-+ /* Only allow 3 retries */
-+ if (netr_attempts < 3) {
-+ DEBUG(3, ("The connection to netlogon "
-+ "failed, retrying\n"));
-+ netr_attempts++;
-+ retry = true;
-+ continue;
- }
- return result;
- }
-+ netr_attempts = 0;
-+
- auth = netlogon_pipe->auth;
- if (netlogon_pipe->dc) {
- neg_flags = netlogon_pipe->dc->negotiate_flags;
diff --git a/samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch b/samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch
deleted file mode 100644
index 6c374c1..0000000
--- a/samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2032f2746d70bbebd1af26a7a046eb1cc61ac175 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
-Date: Fri, 23 Nov 2012 13:19:53 +0100
-Subject: [PATCH] s3-rpc_client: lookup nametype 0x20 in
- rpc_pipe_open_tcp_port(). (bug #9426)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The server name type (0x20) is much more likely to be available in the name cache, as
-this type gets stored by winbind itself - the primary user of the ncacn_ip_tcp
-code currently.
-
-Guenther
-
-Signed-off-by: Günther Deschner
-Reviewed-by: Stefan Metzmacher
-
-Autobuild-User(master): Stefan Metzmacher
-Autobuild-Date(master): Fri Nov 23 16:30:57 CET 2012 on sn-devel-104
----
- source3/rpc_client/cli_pipe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index edb3876..f8c7b24 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2448,7 +2448,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
- result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
- result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
-
-- if (!resolve_name(host, &addr, 0, false)) {
-+ if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) {
- status = NT_STATUS_NOT_FOUND;
- goto fail;
- }
---
-1.7.11.7
-
diff --git a/samba-4.0.0rc6-winbind_default_domain_workaround.patch b/samba-4.0.0rc6-winbind_default_domain_workaround.patch
deleted file mode 100644
index 68ea6c7..0000000
--- a/samba-4.0.0rc6-winbind_default_domain_workaround.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit 3bbe690c50a5d4e2ff81ff1eeeaa728990b73637
-Author: Sumit Bose
-AuthorDate: Mon Oct 29 12:09:22 2012 +0100
-Commit: Andreas Schneider
-CommitDate: Mon Nov 12 15:54:15 2012 +0100
-
- Use work around for 'winbind use default domain' only if it is set
-
- Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator
- character is always added to the user name returned by Get_Pwnam_alloc() if it
- does not contain the winbind separator character. As comments in the code
- indicates this is done as a work around if 'winbind use default domain' is set
- to yes in the samba configuration.
-
- This make sense if the option is set because otherwise the domain information is
- lost from the user name. But it causes errors if other services than winbind are
- used for user lookup, e.g. sssd. sssd can handle different kind of fully
- qualified user names as input, e.g. user@domain.name or DOM\user, but returns a
- canonical name, by default user@domain.name.
-
- While it would be possible to get around this issue with a special configuration
- either on the sssd or samba side I think the cleaner solution is to use the work
- around only if 'winbind use default domain' is set to yes which is what this
- patch does.
- - Reviewed-by: Andreas Schneider - Reviewed-by: Alexander Bokovoy - - Autobuild-User(master): Andreas Schneider - Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104 ---- - source3/auth/auth_util.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index a08d094..83c95a9 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1331,7 +1331,8 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, - /* make sure we get the case of the username correct */ - /* work around 'winbind use default domain = yes' */ - -- if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { -+ if ( lp_winbind_use_default_domain() && -+ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { - char *domain; - - /* split the domain and username into 2 strings */ diff --git a/samba.pamd b/samba.pamd new file mode 100644 index 0000000..66cd2a9 --- /dev/null +++ b/samba.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_nologin.so +auth include password-auth +account include password-auth +session include password-auth +password include password-auth diff --git a/samba.spec b/samba.spec index ce4f189..a396231 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 169 +%define main_release 170 %define samba_version 4.0.0 %define talloc_version 2.0.7 @@ -6,7 +6,7 @@ %define tdb_version 1.2.10 %define tevent_version 0.9.17 %define ldb_version 1.1.12 -%define pre_release rc5 +%define pre_release rc6 %define samba_release %{main_release}%{?dist}.%{pre_release} 
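Review bot: In the new samba.pamd the `pam_nologin.so` check sits only in the `auth` stack, so a caller that skips PAM authentication and runs only account and session management would never evaluate it. Samba's smbd is documented to ignore PAM for authentication when encrypted passwords are in use, so if this service file is also picked up by smbd (presumably it is, given the service name `samba`), /etc/nologin would not be honoured on that path. Consider adding `account required pam_nologin.so` ahead of the `account include password-auth` line. A leading comment such as `# PAM service used by SWAT; all stacks defer to password-auth` would also tell an administrator which daemon this file governs.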
@@ -57,14 +57,11 @@ Source2: samba.xinetd Source3: swat.desktop Source4: smb.conf.default Source5: pam_winbind.conf +Source6: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch -Patch1: samba-4.0.0rc6-winbind_default_domain_workaround.patch -Patch2: samba-4.0.0rc6-ncacn_ip_tcp_resolve_name.patch - BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires(pre): /usr/sbin/groupadd @@ -415,10 +412,6 @@ the local kerberos library to use the same KDC as samba and winbind use %prep %setup -q -n samba-%{version}%{pre_release} -%patch0 -p1 -b .samlogon_failover -%patch1 -p1 -b .winbind_default_domain_workaround -%patch2 -p1 -b .ncacn_ip_tcp_resolve_name - %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent @@ -506,7 +499,6 @@ rm -rf %{buildroot} make install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} -install -d -m 0755 %{buildroot}%{_sysconfdir}/{logrotate.d,security} install -d -m 0755 %{buildroot}%{_libdir}/security install -d -m 0755 %{buildroot}/var/lib/samba install -d -m 0755 %{buildroot}/var/lib/samba/private @@ -529,10 +521,18 @@ rm -rf %{buildroot}/%{_datadir}/perl5 ( cd pidl && make install PERL_INSTALL_ROOT=%{buildroot} ) # Install other stuff +install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba + install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf + +install -d -m 0755 %{buildroot}%{_sysconfdir}/security install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf +# Install pam file for swat +install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d +install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/samba + echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts install -d -m 0755 %{buildroot}%{_sysconfdir}/openldap/schema 
@@ -691,8 +691,6 @@ rm -rf %{buildroot} %defattr(-,root,root) %{_bindir}/cifsdd %{_bindir}/dbwrap_tool -%{_bindir}/debug2html -%{_bindir}/log2pcap %{_bindir}/nmblookup %{_bindir}/nmblookup4 %{_bindir}/oLschema2ldif @@ -706,7 +704,6 @@ rm -rf %{buildroot} %{_bindir}/smbclient %{_bindir}/smbclient4 %{_bindir}/smbcquotas -%{_bindir}/smbfilter %{_bindir}/smbget #%{_bindir}/smbiconv %{_bindir}/smbpasswd @@ -714,7 +711,6 @@ rm -rf %{buildroot} %{_bindir}/smbspool %{_bindir}/smbta-util %{_bindir}/smbtree -%{_bindir}/split_tokens %{_libdir}/samba/libldb-cmdline.so %{_mandir}/man1/nmblookup.1* %{_mandir}/man1/oLschema2ldif.1* @@ -814,7 +810,6 @@ rm -rf %{buildroot} ### DC %files dc %defattr(-,root,root) -%{_bindir}/samba-dig %{_libdir}/samba/ldb %{_libdir}/samba/libdfs_server_ad.so %{_libdir}/samba/libdsdb-module.so @@ -838,8 +833,11 @@ rm -rf %{buildroot} %dir /var/lib/samba/sysvol %{_datadir}/samba/setup %{_mandir}/man8/samba.8.gz +%{_mandir}/man8/samba-tool.8.gz %else # with_dc %doc %{_defaultdocdir}/%{name}/README.dc +%exclude %{_mandir}/man8/samba.8.gz +%exclude %{_mandir}/man8/samba-tool.8.gz %endif # with_dc ### DC-LIBS @@ -1229,6 +1227,7 @@ rm -rf %{buildroot} %files swat %defattr(-,root,root) %config(noreplace) %{_sysconfdir}/xinetd.d/swat +%config(noreplace) %{_sysconfdir}/pam.d/samba %{_datadir}/samba/swat %{_sbindir}/swat %{_mandir}/man8/swat.8* 
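Review bot: `%config(noreplace) %{_sysconfdir}/pam.d/samba` is listed only under `%files swat`, so the PAM policy exists only on hosts that install the swat subpackage. As far as I know the service name `samba` is also the one smbd hands to PAM when `obey pam restrictions` or PAM password change is enabled; if so, an smbd-only install would fall through to whatever `/etc/pam.d/other` says instead of this file. If that holds, the entry would be better owned by the main or common package, with swat depending on it. The `%files swat` section begins before this hunk and continues past it, so other ownership lines may exist that are not visible here.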
@@ -1237,28 +1236,11 @@ rm -rf %{buildroot} ### TEST %files test %defattr(-,root,root) -%{_bindir}/asystest -%{_bindir}/dbwrap_torture %{_bindir}/gentest %{_bindir}/locktest -%{_bindir}/locktest2 -%{_bindir}/locktest3 %{_bindir}/masktest -%{_bindir}/masktest3 -%{_bindir}/msgtest %{_bindir}/ndrdump -%{_bindir}/nsstest -%{_bindir}/pdbtest -%{_bindir}/pthreadpooltest -%{_bindir}/rpc_open_tcp -%{_bindir}/smbconftort %{_bindir}/smbtorture -%{_bindir}/smbtorture3 -%{_bindir}/test_lp_load -%{_bindir}/timelimit -%{_bindir}/versiontest -%{_bindir}/vfstest -%{_bindir}/vlp %{_libdir}/libtorture.so.* %{_libdir}/samba/libsubunit.so %if %with_dc @@ -1297,13 +1279,13 @@ rm -rf %{buildroot} %files winbind-clients %defattr(-,root,root) %{_bindir}/ntlm_auth -%{_bindir}/ntlm_auth3 %{_bindir}/wbinfo %{_libdir}/libnss_winbind.so* %{_libdir}/libnss_wins.so* %{_libdir}/security/pam_winbind.so %config(noreplace) %{_sysconfdir}/security/pam_winbind.conf %{_mandir}/man1/ntlm_auth.1.gz +%exclude %{_mandir}/man1/ntlm_auth4.1.gz %{_mandir}/man1/wbinfo.1* %{_mandir}/man5/pam_winbind.conf.5* %{_mandir}/man8/pam_winbind.8* @@ -1316,6 +1298,11 @@ rm -rf %{buildroot} %{_mandir}/man7/winbind_krb5_locator.7* %changelog +* Tue Dec 04 2012 - Andreas Schneider - 2:4.0.0-170.rc6 +- Update to Samba 4.0.0rc6. +- Add /etc/pam.d/samba for swat to work correctly. +- resolves #882700 + * Fri Nov 23 2012 Guenther Deschner - 2:4.0.0-169.rc5 - Make sure ncacn_ip_tcp client code looks for NBT_NAME_SERVER name types. diff --git a/sources b/sources index 2004749..14b91fd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -08f81845ddafe76440b095279aa8b034 samba-4.0.0rc5.tar.bz2 +6618ea8ff7f587ed3f7c024849163695 samba-4.0.0rc6.tar.bz2