-rw-r--r--packaging/Fedora/samba.spec.tmpl1
-rw-r--r--source/VERSION2
-rw-r--r--source/auth/auth_sam.c42
-rw-r--r--source/include/includes.h1
-rw-r--r--source/lib/charcnv.c31
-rw-r--r--source/libads/kerberos_verify.c4
-rw-r--r--source/param/loadparm.c12
-rw-r--r--source/passdb/pdb_ldap.c36
-rw-r--r--source/python/py_spoolss_drivers.c4
-rw-r--r--source/smbd/posix_acls.c2
-rw-r--r--source/smbd/reply.c8
11 files changed, 115 insertions, 28 deletions
diff --git a/packaging/Fedora/samba.spec.tmpl b/packaging/Fedora/samba.spec.tmpl
index 8255f4793b8..f3fae29a5ee 100644
--- a/packaging/Fedora/samba.spec.tmpl
+++ b/packaging/Fedora/samba.spec.tmpl
@@ -186,6 +186,7 @@ mkdir -p $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_includedir}
install -m 755 source/bin/libsmbclient.so $RPM_BUILD_ROOT%{_libdir}/libsmbclient.so
install -m 755 source/bin/libsmbclient.a $RPM_BUILD_ROOT%{_libdir}/libsmbclient.a
install -m 644 source/include/libsmbclient.h $RPM_BUILD_ROOT%{_includedir}
+rm -f $RPM_BUILD_ROOT%{_libdir}/samba/libsmbclient.*
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/xinetd.d
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/xinetd.d/swat
diff --git a/source/VERSION b/source/VERSION
index 6a3dd5010f9..6f2624f0460 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -39,7 +39,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/source/auth/auth_sam.c b/source/auth/auth_sam.c
index 44e0a1810fe..4d2fb230027 100644
--- a/source/auth/auth_sam.c
+++ b/source/auth/auth_sam.c
@@ -65,6 +65,43 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
lm_pw, nt_pw, user_sess_key, lm_sess_key);
}
+/****************************************************************************
+ Check if a user is allowed to logon at this time. Note this is the
+ servers local time, as logon hours are just specified as a weekly
+ bitmask.
+****************************************************************************/
+
+static BOOL logon_hours_ok(SAM_ACCOUNT *sampass)
+{
+ /* In logon hours first bit is Sunday from 12AM to 1AM */
+ extern struct timeval smb_last_time;
+ const uint8 *hours;
+ struct tm *utctime;
+ uint8 bitmask, bitpos;
+
+ hours = pdb_get_hours(sampass);
+ if (!hours) {
+ DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",pdb_get_username(sampass)));
+ return True;
+ }
+
+ utctime = localtime(&smb_last_time.tv_sec);
+
+ /* find the corresponding byte and bit */
+ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
+ bitmask = 1 << (bitpos % 8);
+
+ if (! (hours[bitpos/8] & bitmask)) {
+ DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (%s).\n",
+ pdb_get_username(sampass), asctime(utctime) ));
+ return False;
+ }
+
+ DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n",
+ pdb_get_username(sampass), asctime(utctime) ));
+
+ return True;
+}
/****************************************************************************
Do a specific test for a SAM_ACCOUNT being vaild for this connection
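Review bot: `utctime = localtime(&smb_last_time.tv_sec);` is dereferenced two lines later without a NULL check, and localtime() can return NULL; since this is an access-control decision it should fail closed, e.g. `if (!utctime) { DEBUG(1,("logon_hours_ok: localtime failed for user %s\n", pdb_get_username(sampass))); return False; }`. The variable is called utctime but, as the header comment admits, it holds server-local time; as far as I recall Windows stores and evaluates the logonHours bitmask in UTC, so on a server not running in UTC the permitted window would be shifted by the zone offset unless the bitmask is converted on the way in, which is worth confirming before this ships (gmtime() would match the UTC interpretation). Two smaller points: `% 168` is a no-op because tm_wday*24+tm_hour never exceeds 167, and asctime() returns a string that already ends in a newline, so both DEBUG lines print a blank line after the closing parenthesis. sam_account_ok, whose header is the last context line, continues outside the hunk.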
@@ -93,6 +130,11 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
+ /* Quit if the account is not allowed to logon at this time. */
+ if (! logon_hours_ok(sampass)) {
+ return NT_STATUS_INVALID_LOGON_HOURS;
+ }
+
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
diff --git a/source/include/includes.h b/source/include/includes.h
index 2664cad098f..09731a56653 100644
--- a/source/include/includes.h
+++ b/source/include/includes.h
@@ -1307,6 +1307,7 @@ krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes);
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
#endif /* HAVE_KRB5 */
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 3d7678c34cb..6cbf7562b06 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -23,6 +23,13 @@
*/
#include "includes.h"
+/* We can parameterize this if someone complains.... JRA. */
+
+char lp_failed_convert_char(void)
+{
+ return '_';
+}
+
/**
* @file
*
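Review bot: lp_failed_convert_char() carries no comment saying that the substitution it feeds is lossy: every character the target charset cannot represent becomes `_`, so two distinct client-supplied names can collapse onto the same unix name and the converted form can never be mapped back. A header such as `/* Byte substituted when iconv cannot represent a character. The mapping is many-to-one and irreversible, so converted names must not be assumed unique or round-trippable. */` would warn callers that compare or store the converted string. The lp_ prefix implies a loadparm option, but the value is a constant defined in charcnv.c; if it is not going to become an smb.conf parameter, a name without the prefix (or a static const) is less misleading. The function is not marked static and no prototype appears in this diff, so presumably it is picked up by the generated proto.h.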
@@ -259,11 +266,11 @@ static size_t convert_string_internal(charset_t from, charset_t to,
return destlen - o_len;
if (from == CH_UCS2 && to != CH_UCS2) {
- /* Can't convert from ucs2 to multibyte. Just truncate this char to ascii. */
+ /* Can't convert from ucs2 to multibyte. Replace with the default fail char. */
if (i_len < 2)
return destlen - o_len;
if (i_len >= 2) {
- *outbuf = inbuf[0];
+ *outbuf = lp_failed_convert_char();
outbuf++;
o_len--;
@@ -279,11 +286,11 @@ static size_t convert_string_internal(charset_t from, charset_t to,
goto again;
} else if (from != CH_UCS2 && to == CH_UCS2) {
- /* Can't convert to ucs2 - just widen by adding zero. */
+ /* Can't convert to ucs2 - just widen by adding the default fail char then zero. */
if (o_len < 2)
return destlen - o_len;
- outbuf[0] = inbuf[0];
+ outbuf[0] = lp_failed_convert_char();
outbuf[1] = '\0';
inbuf++;
@@ -299,9 +306,9 @@ static size_t convert_string_internal(charset_t from, charset_t to,
goto again;
} else if (from != CH_UCS2 && to != CH_UCS2) {
- /* Failed multibyte to multibyte. Just copy 1 char and
+ /* Failed multibyte to multibyte. Just copy the default fail char and
try again. */
- outbuf[0] = inbuf[0];
+ outbuf[0] = lp_failed_convert_char();
inbuf++;
i_len--;
@@ -581,12 +588,12 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
goto out;
if (from == CH_UCS2 && to != CH_UCS2) {
- /* Can't convert from ucs2 to multibyte. Just truncate this char to ascii. */
+ /* Can't convert from ucs2 to multibyte. Just use the default fail char. */
if (i_len < 2)
goto out;
if (i_len >= 2) {
- *outbuf = inbuf[0];
+ *outbuf = lp_failed_convert_char();
outbuf++;
o_len--;
@@ -602,11 +609,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
goto again;
} else if (from != CH_UCS2 && to == CH_UCS2) {
- /* Can't convert to ucs2 - just widen by adding zero. */
+ /* Can't convert to ucs2 - just widen by adding the default fail char then zero. */
if (o_len < 2)
goto out;
- outbuf[0] = inbuf[0];
+ outbuf[0] = lp_failed_convert_char();
outbuf[1] = '\0';
inbuf++;
@@ -622,9 +629,9 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
goto again;
} else if (from != CH_UCS2 && to != CH_UCS2) {
- /* Failed multibyte to multibyte. Just copy 1 char and
+ /* Failed multibyte to multibyte. Just copy the default fail char and
try again. */
- outbuf[0] = inbuf[0];
+ outbuf[0] = lp_failed_convert_char();
inbuf++;
i_len--;
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index bdac22a9022..961b92ccc61 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -26,6 +26,10 @@
#ifdef HAVE_KRB5
+#if !defined(HAVE_KRB5_PRINC_COMPONENT)
+const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
+#endif
+
/**********************************************************************************
Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
it's more like what microsoft does... see comment in utils/net_ads.c in the
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 549e232fe07..4150f57e55d 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -4324,6 +4324,18 @@ BOOL lp_use_sendfile(int snum)
}
/*******************************************************************
+ Turn off sendfile if we find the underlying OS doesn't support it.
+********************************************************************/
+
+void set_use_sendfile(int snum, BOOL val)
+{
+ if (LP_SNUM_OK(snum))
+ ServicePtrs[snum]->bUseSendfile = val;
+ else
+ sDefault.bUseSendfile = val;
+}
+
+/*******************************************************************
Turn off storing DOS attributes if this share doesn't support it.
********************************************************************/
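Review bot: The header comment on set_use_sendfile says "Turn off sendfile", but the function takes a BOOL and sets the flag either way, and when snum is not a valid service number it writes sDefault, which changes the default for every share this process defines afterwards. A comment such as `/* Set the per-share 'use sendfile' flag; an invalid snum updates the global default instead. Called from the read paths when sendfile() returns ENOSYS. */` would make both facts visible at the call sites. Whether ServicePtrs is per-smbd-process or shared state is not visible from this hunk; the comment should say which, since it decides whether one connection's failure affects others.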
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index fed92cea568..37cc0c79029 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -701,23 +701,34 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
uint8 *pwhist = NULL;
int i;
- if ((pwhist = malloc(NT_HASH_LEN * pwHistLen)) == NULL){
+ if ((pwhist = malloc(pwHistLen * PW_HISTORY_ENTRY_LEN)) == NULL){
DEBUG(0, ("init_sam_from_ldap: malloc failed!\n"));
return False;
}
- memset(pwhist, '\0', NT_HASH_LEN * pwHistLen);
+ memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), temp)) {
/* leave as default - zeros */
} else {
+ BOOL hex_failed = False;
for (i = 0; i < pwHistLen; i++){
- if (!pdb_gethexpwd(&temp[i*32], smbntpwd)) {
+ /* Get the 16 byte salt. */
+ if (!pdb_gethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
+ hex_failed = True;
break;
}
- memset(&temp[i*32], '\0', 32);
- memcpy(&pwhist[i*NT_HASH_LEN], smbntpwd, NT_HASH_LEN);
- ZERO_STRUCT(smbntpwd);
+ /* Get the 16 byte MD5 hash of salt+passwd. */
+ if (!pdb_gethexpwd(&temp[(i*64)+32],
+ &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN])) {
+ hex_failed = True;
+ break;
+ }
+ }
+ if (hex_failed) {
+ DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
+ username));
+ memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
}
}
if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
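Review bot: The decode loop at `for (i = 0; i < pwHistLen; i++)` indexes temp at `i*64` and `(i*64)+32` with no bound on pwHistLen, whereas the write side in the same file clamps it to `(sizeof(temp)-1)/64`; unless pwHistLen is clamped above this hunk (its assignment is outside the view), a large password-history policy makes pdb_gethexpwd read past the end of the pstring, so add `pwHistLen = MIN(pwHistLen, (sizeof(temp)-1)/64);` before the loop or stop when `(i+1)*64 > sizeof(temp)-1`. The removed `memset(&temp[i*32], '\0', 32);` was the only thing scrubbing the hex-encoded history from the stack buffer, and the new code never wipes temp after decoding (nor on the hex_failed path); a `memset(temp, '\0', sizeof(temp));` after the loop should be restored, since salted MD5s of NT hashes are still offline-crackable material. On hex_failed the whole pwhist is zeroed, so a user whose stored attribute holds fewer entries than the current policy (e.g. after the admin raised it) loses the entries that did decode rather than keeping them; breaking out of the loop without the memset would preserve the valid prefix, which is already zero-padded. init_sam_from_ldap begins and ends outside the hunk.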
@@ -1023,15 +1034,20 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
if (pwHistLen == 0) {
/* Remove any password history from the LDAP store. */
- pstrcpy(temp, "00000000000000000000000000000000");
+ memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
+ temp[64] = '\0';
} else {
int i, currHistLen = 0;
const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
if (pwhist != NULL) {
- /* We can only store (sizeof(pstring)-1)/32 password history entries. */
- pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/32));
+ /* We can only store (sizeof(pstring)-1)/64 password history entries. */
+ pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
for (i=0; i< pwHistLen && i < currHistLen; i++) {
- pdb_sethexpwd (&temp[i*32], &pwhist[i*NT_HASH_LEN], 0);
+ /* Store the salt. */
+ pdb_sethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
+ /* Followed by the md5 hash of salt + md4 hash */
+ pdb_sethexpwd(&temp[(i*64)+32],
+ &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
DEBUG(100, ("temp=%s\n", temp));
}
}
diff --git a/source/python/py_spoolss_drivers.c b/source/python/py_spoolss_drivers.c
index 12190519ecc..9424fe1527d 100644
--- a/source/python/py_spoolss_drivers.c
+++ b/source/python/py_spoolss_drivers.c
@@ -190,12 +190,12 @@ PyObject *spoolss_hnd_getprinterdriver(PyObject *self, PyObject *args,
werror = cli_spoolss_getprinterdriver(
hnd->cli, hnd->mem_ctx, 0, &needed, &hnd->pol, level,
- version, arch, &ctr);
+ arch, version, &ctr);
if (W_ERROR_V(werror) == ERRinsufficientbuffer)
werror = cli_spoolss_getprinterdriver(
hnd->cli, hnd->mem_ctx, needed, NULL, &hnd->pol,
- level, version, arch, &ctr);
+ level, arch, version, &ctr);
if (!W_ERROR_IS_OK(werror)) {
PyErr_SetObject(spoolss_werror, py_werror_tuple(werror));
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index 2d9591e6baa..95938b1e15c 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2863,7 +2863,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
}
if (num_aces) {
- if((psa = make_sec_acl( main_loop_talloc_get(), ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
+ if((psa = make_sec_acl( main_loop_talloc_get(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
goto done;
}
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index f3ab709df48..4125d71b840 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -1748,8 +1748,10 @@ void send_file_readbraw(connection_struct *conn, files_struct *fsp, SMB_OFF_T st
* Special hack for broken Linux with no 64 bit clean sendfile. If we
* return ENOSYS then pretend we just got a normal read.
*/
- if (errno == ENOSYS)
+ if (errno == ENOSYS) {
+ set_use_sendfile(SNUM(conn), False);
goto normal_read;
+ }
DEBUG(0,("send_file_readbraw: sendfile failed for file %s (%s). Terminating\n",
fsp->fsp_name, strerror(errno) ));
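Review bot: The comment above the new block, "Special hack for broken Linux ... pretend we just got a normal read", now describes only half of what happens: the added `set_use_sendfile(SNUM(conn), False);` disables sendfile for this share for the rest of the process, not just this read. Updating it to `/* sendfile() is not implemented here (ENOSYS): fall back to a normal read and stop trying sendfile on this share for the rest of this process. */` keeps the comment honest; the same applies to the identical block in send_file_readX. Relying on ENOSYS meaning "nothing was written" is correct for that errno but is the assumption the fallback depends on, which the comment could also state. send_file_readbraw begins and ends outside the hunk.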
@@ -2111,8 +2113,10 @@ int send_file_readX(connection_struct *conn, char *inbuf,char *outbuf,int length
* Special hack for broken Linux with no 64 bit clean sendfile. If we
* return ENOSYS then pretend we just got a normal read.
*/
- if (errno == ENOSYS)
+ if (errno == ENOSYS) {
+ set_use_sendfile(SNUM(conn), False);
goto normal_read;
+ }
DEBUG(0,("send_file_readX: sendfile failed for file %s (%s). Terminating\n",
fsp->fsp_name, strerror(errno) ));