r16119: pulling changes from 3_0 up to r16117

9 files changed, 149 insertions, 35 deletions

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2bdf2ea6da8..e65dbfa75eb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -42,6 +42,7 @@ o   Jeremy Allison <jra@samba.org>
     * Fix bug in OS/2 Warp - it doesn't set the ff_last offset 
       correctly when doing info level 1 directory scans.
     * Add Samba4 replacement for timegm() to work on Solaris.
+    * Remove extra add-byte in the trans2 UNIX_BASIC infolevel.
 
 
 o   Gerald (Jerry) Carter <jerry@samba.org>
@@ -60,6 +61,10 @@ o   Guenther Deschner <gd@samba.org>
     * Adding "own-domain" switch to wbinfo which is handy from time 
       to time.
     * BUG 3823: Fix in-forest domain trust enumeration in winbindd.
+    * Fix winbindd group enumeration for groups with no members.
+    * Correct "net ads changetrustpw" to use the sAMAccountName.
+    * Fix winbindd in ADS domains by removing code using the 
+      UPN and rely upon the sAMAccountName.
 
 
 o   Aleksey Fedoseev <fedoseev@ru.ibm.com>
@@ -70,6 +75,11 @@ o   Paul Green <paulg@samba.org>
     * Properly rebuild time limit on systems with executable extensions.
 
 
+o   Björn Jacke <samba@j3e.de>
+    * Fall back to less-preferred clocks until we find one that we 
+      can use if clock_gmtime() is not available at run-time.
+
+
 o   Volker Lendecke <vl@samba.org>
     * Fix more potential seg-faults when something on our way to a 
       DC connection fails.
@@ -110,6 +120,7 @@ o   James Peach <jpeach@sgi.com>
       parameters in dynconfig.c.
     * Avoid pulling in -lpthreads caused by -lrt.
     * Fix build failures on IRIX 6.4 due to DMAPI support.
+    * Isolate the slow CLOCK_REALTIME message in the profiling code.
 
 
 o   Aruna Prabakar <aruna.prabakar@hp.com>
diff --git a/source/aclocal.m4 b/source/aclocal.m4
index 8abecd216f0..59bd26bd245 100644
--- a/source/aclocal.m4
+++ b/source/aclocal.m4
@@ -839,10 +839,17 @@ dnl Test whether the current LIBS results in libpthread being present.
 dnl Execute the corresponding user action list.
 AC_DEFUN([SMB_IS_LIBPTHREAD_LINKED],
 [
+    AC_MSG_CHECKING(if libpthread is linked)
     AC_TRY_LINK([],
 	[return pthread_create(0, 0, 0, 0);],
-	[$1],
-	[$2])
+	[
+	    AC_MSG_RESULT(yes)
+	    $1
+	],
+	[
+	    AC_MSG_RESULT(no)
+	    $2
+	])
 ])
 
 dnl SMB_REMOVE_LIB(lib)
@@ -943,3 +950,34 @@ void main(void) {
     fi
 
 ])
+
+dnl SMB_CHECK_CLOCK_ID(clockid)
+dnl Test whether the specified clock_gettime clock ID is available. If it
+dnl is, we define HAVE_clockid
+AC_DEFUN([SMB_CHECK_CLOCK_ID],
+[
+    AC_MSG_CHECKING(for $1)
+    AC_TRY_LINK([
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+    ],
+    [
+clockid_t clk = $1;
+    ],
+    [
+	AC_MSG_RESULT(yes)
+	AC_DEFINE(HAVE_$1, 1,
+	    [Whether the clock_gettime clock ID $1 is available])
+    ],
+    [
+	AC_MSG_RESULT(no)
+    ])
+])
diff --git a/source/configure.in b/source/configure.in
index f8eba2349f9..799441ed950 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -2053,8 +2053,13 @@ if test x"$samba_cv_WITH_PROFILE" = x"yes"; then
 	    [
 		SMB_IS_LIBPTHREAD_LINKED(
 			[ SMB_REMOVELIB(rt) ],
-			[ AC_DEFINE(HAVE_CLOCK_GETTIME, 1,
-			    [Whether clock_gettime is available]) ])
+			[
+			    AC_DEFINE(HAVE_CLOCK_GETTIME, 1,
+				[Whether clock_gettime is available])
+			    SMB_CHECK_CLOCK_ID(CLOCK_MONOTONIC)
+			    SMB_CHECK_CLOCK_ID(CLOCK_PROCESS_CPUTIME_ID)
+			    SMB_CHECK_CLOCK_ID(CLOCK_REALTIME)
+			])
 	    ])
 
 fi
diff --git a/source/libads/ldap.c b/source/libads/ldap.c
index bac85f3222b..7b8b41b10a8 100644
--- a/source/libads/ldap.c
+++ b/source/libads/ldap.c
@@ -287,9 +287,13 @@ got_connection:
 		   not servicePrincipalName; found by Guenther Deschner @ Sernet.
 
 		   Is this still correct?  The comment does not match
-		   the code.   --jerry */
+		   the code.   --jerry 
+		   
+		   Yes it is :) 
+		   - Guenther
+		   */
 
-		asprintf(&ads->auth.user_name, "host/%s", global_myname() );
+		asprintf(&ads->auth.user_name, "%s$", global_myname() );
 	}
 
 	if (!ads->auth.realm) {
diff --git a/source/libads/util.c b/source/libads/util.c
index 4a4d90d7fbc..8e3001ccb04 100644
--- a/source/libads/util.c
+++ b/source/libads/util.c
@@ -26,7 +26,6 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
 {
 	char *password;
 	char *new_password;
-	char *service_principal;
 	ADS_STATUS ret;
 	uint32 sec_channel_type;
     
@@ -37,9 +36,7 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
 
 	new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
     
-	asprintf(&service_principal, "HOST/%s", host_principal);
-
-	ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
+	ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
 
 	if (!ADS_ERR_OK(ret)) {
 		goto failed;
@@ -53,14 +50,13 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
 
 	/* Determine if the KDC is salting keys for this principal in a
 	 * non-obvious way. */
-	if (!kerberos_derive_salting_principal(service_principal)) {
-		DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
+	if (!kerberos_derive_salting_principal(host_principal)) {
+		DEBUG(1,("Failed to determine correct salting principal for %s\n", host_principal));
 		ret = ADS_ERROR_SYSTEM(EACCES);
 		goto failed;
 	}
 
 failed:
-	SAFE_FREE(service_principal);
 	SAFE_FREE(password);
 	return ret;
 }
diff --git a/source/nsswitch/winbindd_group.c b/source/nsswitch/winbindd_group.c
index 7219292724b..5caaa7aa3ad 100644
--- a/source/nsswitch/winbindd_group.c
+++ b/source/nsswitch/winbindd_group.c
@@ -789,7 +789,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
 			/* Append to group membership list */
 			gr_mem_list = SMB_REALLOC( gr_mem_list, gr_mem_list_len + gr_mem_len);
 
-			if (!gr_mem_list) {
+			if (!gr_mem_list && (group_list[group_list_ndx].num_gr_mem != 0)) {
 				DEBUG(0, ("out of memory\n"));
 				gr_mem_list_len = 0;
 				break;
diff --git a/source/profile/profile.c b/source/profile/profile.c
index ba9596301c6..c3512ec01d8 100644
--- a/source/profile/profile.c
+++ b/source/profile/profile.c
@@ -30,6 +30,7 @@ static int shm_id;
 static BOOL read_only;
 #if defined(HAVE_CLOCK_GETTIME)
 clockid_t __profile_clock;
+BOOL have_profiling_clock = False;
 #endif
 #endif
 
@@ -62,6 +63,19 @@ void profile_message(int msg_type, struct process_id src, void *buf, size_t len)
 			 (int)procid_to_pid(&src)));
 		break;
 	case 2:		/* turn on complete profiling */
+
+#if defined(HAVE_CLOCK_GETTIME)
+		if (!have_profiling_clock) {
+			do_profile_flag = True;
+			do_profile_times = False;
+			DEBUG(1,("INFO: Profiling counts turned ON from "
+				"pid %d\n", (int)procid_to_pid(&src)));
+			DEBUGADD(1,("INFO: Profiling times disabled "
+				"due to lack of a suitable clock\n"));
+			break;
+		}
+#endif
+
 		do_profile_flag = True;
 		do_profile_times = True;
 		DEBUG(1,("INFO: Full profiling turned ON from pid %d\n",
@@ -100,28 +114,74 @@ void reqprofile_message(int msg_type, struct process_id src,
   open the profiling shared memory area
   ******************************************************************/
 #ifdef WITH_PROFILE
+
+#ifdef HAVE_CLOCK_GETTIME
+
+/* Find a clock. Just because the definition for a particular clock ID is
+ * present doesn't mean the system actually supports it.
+ */
+static void init_clock_gettime(void)
+{
+	struct timespec ts;
+
+	have_profiling_clock = False;
+
+#ifdef HAVE_CLOCK_PROCESS_CPUTIME_ID
+	/* CLOCK_PROCESS_CPUTIME_ID is sufficiently fast that the
+	 * always profiling times is plausible. Unfortunately on Linux
+	 * it is only accurate if we can guarantee we will not be scheduled
+	 * scheduled onto a different CPU between samples. Until there is
+	 * some way to set processor affinity, we can only use this on
+	 * uniprocessors.
+	 */
+	if (!this_is_smp()) {
+	    if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts) == 0) {
+		    DEBUG(10, ("Using CLOCK_PROCESS_CPUTIME_ID "
+				"for profile_clock\n"));
+		    __profile_clock = CLOCK_PROCESS_CPUTIME_ID;
+		    have_profiling_clock = True;
+	    }
+	}
+#endif
+
+#ifdef HAVE_CLOCK_MONOTONIC
+	if (!have_profiling_clock &&
+	    clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
+		DEBUG(10, ("Using CLOCK_MONOTONIC for profile_clock\n"));
+		__profile_clock = CLOCK_MONOTONIC;
+		have_profiling_clock = True;
+	}
+#endif
+
+#ifdef HAVE_CLOCK_REALTIME
+	/* POSIX says that CLOCK_REALTIME should be defined everywhere
+	 * where we have clock_gettime...
+	 */
+	if (!have_profiling_clock &&
+	    clock_gettime(CLOCK_REALTIME, &ts) == 0) {
+		__profile_clock = CLOCK_REALTIME;
+		have_profiling_clock = True;
+
+		SMB_WARN(__profile_clock != CLOCK_REALTIME,
+			("forced to use a slow profiling clock"));
+	}
+
+#endif
+
+	SMB_WARN(have_profiling_clock == True,
+		("could not find a working clock for profiling"));
+	return;
+}
+#endif
+
 BOOL profile_setup(BOOL rdonly)
 {
 	struct shmid_ds shm_ds;
 
 	read_only = rdonly;
 
-#if defined(HAVE_CLOCK_GETTIME)
-	if (this_is_smp()) {
-		/* This is faster that gettimeofday, but not fast enough to
-		 * leave it enabled in production.
-		 */
-		__profile_clock = CLOCK_MONOTONIC;
-	} else {
-		/* CLOCK_PROCESS_CPUTIME_ID is sufficiently fast that the
-		 * always profiling times is plausible. Unfortunately it is
-		 * only accurate if we can guarantee we will not be scheduled
-		 * onto a different CPU between samples. Until there is some
-		 * way to set processor affinity, we can only use this on
-		 * uniprocessors.
-		 */
-		__profile_clock = CLOCK_PROCESS_CPUTIME_ID;
-	}
+#ifdef HAVE_CLOCK_GETTIME
+	init_clock_gettime();
 #endif
 
  again:
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index eda4837ba4b..71ff79081de 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -3431,7 +3431,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 
 			SIVAL(pdata,0,sbuf.st_nlink);             /* number of hard links */
 			SIVAL(pdata,4,0);
-			pdata += 8+1;
+			pdata += 8;
 			data_size = PTR_DIFF(pdata,(*ppdata));
 
 			{
diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c
index e701803d17e..e82eece0f96 100644
--- a/source/utils/net_ads.c
+++ b/source/utils/net_ads.c
@@ -1529,19 +1529,19 @@ int net_ads_changetrustpw(int argc, const char **argv)
 
 	fstrcpy(my_name, global_myname());
 	strlower_m(my_name);
-	asprintf(&host_principal, "%s@%s", my_name, ads->config.realm);
-	d_printf("Changing password for principal: HOST/%s\n", host_principal);
+	asprintf(&host_principal, "%s$@%s", my_name, ads->config.realm);
+	d_printf("Changing password for principal: %s\n", host_principal);
 
 	ret = ads_change_trust_account_password(ads, host_principal);
 
 	if (!ADS_ERR_OK(ret)) {
-		d_fprintf(stderr, "Password change failed :-( ...\n");
+		d_fprintf(stderr, "Password change failed: %s\n", ads_errstr(ret));
 		ads_destroy(&ads);
 		SAFE_FREE(host_principal);
 		return -1;
 	}
     
-	d_printf("Password change for principal HOST/%s succeeded.\n", host_principal);
+	d_printf("Password change for principal %s succeeded.\n", host_principal);
 
 	if (lp_use_kerberos_keytab()) {
 		d_printf("Attempting to update system keytab with new password.\n");