| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.
There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator. Checked against MIT 1.5.1. Have not
researched how Heimdal does it.
My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the
max depth winbindd will expand group members. The default
is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async. I
haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
its own function.
|
| |
|
|
|
| |
the correct group list length and only truncate to NGROUPS_MAX if
it is too long.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add a function to retrieve the registry db sequence number.
This is in preparation of loadparm integration of registry global
smb.conf options: this will allow to detect changes in order to trigger reload.
Michael
|
| |
|
|
|
|
| |
first ask for existence of a file when we do the open_file_ntcreate in
can_rename later on anyway. That also gets us the right error message in
case the file is not there automatically.
|
| |
|
|
| |
inside close_file() already.
|
| |
|
|
|
|
|
|
|
|
|
| |
before writing to secdesc_buf->sd,
3_0 checked secdesc_buf->sd while 3_0_26 checked secdesc_buf->sd_size.
This patch makes both revisions check _both_ befor writing.
Jerry / Jeremy : please check if this is correct!
Michael
|
| |
|
|
|
|
| |
Sorry for the noise...
Michael
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The attached patch removes a little race condition for
people with real kernel oplock support, and reduces some
code paths. It changes reply_unlink to open_file_ntcreate,
set_delete_on_close and close_file.
The race condition happens if we break the oplock in
can_delete via open_file_ntcreate, we close the file,
someone else gets a batch oplock and we try to unlink.
It reduces code paths by calling SMB_VFS_UNLINK in 2 fewer
places.
|
| |
|
|
|
|
| |
request. Ignore it. Should fix bug #4689 but more tests and
valgrinding will follow.
Jeremy.
|
| |
|
|
|
| |
kill call as that sets pid = 0 ! :-).
Jeremy.
|
| |
|
|
|
| |
to Jerry add to 3.0.25b.
Jeremy.
|
| | |
|
| |
|
|
|
| |
if the name wasn't changed.
Jeremy.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
(A relict from regkey_open_internal days.)
Michael
|
| |
|
|
|
|
| |
Revert an accidential checkin of r23410.
Volker
|
| |
|
|
|
|
|
|
| |
there, do some reformatting.
Jeremy, I think we should also kill the child. It might hang in
something (an fcntl lock for example) that the next child might run into
immediately again.
|
| |
|
|
|
| |
code :-). Thanks Volker !
Jeremy.
|
| |
|
|
|
|
| |
winbindd: Exceeding 200 client connections, no idle connection found"
bug #3204. This fixes it in Jerry's testing !
Jeremy.
|
| |
|
|
|
| |
clear to my why the catia module feels it's necessary to implement
these operations, but at least they're now the right type.
|
| |
|
|
|
|
|
|
| |
from successfully deleting an entry when "account" is
the STRUCTURAL objectclass used for users and machines.
"account" is used each time the user entry is in /etc/passwd
and we have only the samba attributes in ldap, as well
as for rfc2307(bis) standard based directories.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I'm 100% certain I've forgotten to merge something, but the main code
should be in. It's mainly in dbwrap_ctdb.c, ctdbd_conn.c and
messages_ctdbd.c.
There should be no changes to the non-cluster case, it does survive make
test on my laptop.
It survives some very basic tests with ctdbd enables, I did not do the
full test suite for clusters yet.
Phew...
Volker
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
the code to add a machine was different then the one used
to add a user, the old code led to the machine SID not being
built out correctly allocationg a new RID out of the passdb
but instead by using the old algorithmic method.
This may easily end up in creating duplicated SID when the
RID counter get close to the values built by the algorithmic method.
Simo.
|
| |
|
|
|
|
| |
init also in idmap_nss and idmap_passdb for coherency and to
prevent errors in future if we change the init functions to
actually do something and not just return NT_STATUS_OK
|
| |
|
|
|
|
| |
evaluation loop
Fixes one of the segfaults in bug #4667
|
| |
|
|
|
|
| |
off the pipe ctx now ->names is part of the containing
struct.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
| |
in a lookup_sidX reply isn't optional - like the
lookup_sidX query it needs to be defined in the
struct.
All this will go away with PIDL (thank goodness....).
Jerry - I think this is a showstopper to be merged
for 3.0.25b.
I'll be watching the build farm to see if anything broke.
Jeremy.
|
| |
|
|
|
|
| |
to the
dynamic group resolution mechanism when switching UNIX credentials.
|
| |
|
|
| |
do not pass through.
|
| |
|
|
|
|
| |
always
passed as the first GID when calling setgroups(2).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the sequence :
gain_root();
sys_setgroups(ngroups, groups);
become_id(uid, gid);
to a function call :
set_unix_security_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups)
James - should be safe for you to create a Darwin-specific
version of this function now.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Doing this in two stages to make it very easy to
review. Context switching must look like :
gain_root();
sys_setgroups(ngroups, groups);
become_id(uid, gid);
Re-arrange order so these three calls are always
seen together.
Next will be to turn these into a function.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Current configure check detects posix ACL support
but compile of modules/vfs_posixacl.c fails due
to missing defines in sys/acl.h:
ACL_USER, ACL_USER_OBJ, ACL_GROUP, ACL_GROUP_OBJ, ACL_OTHER,
ACL_MASK, ACL_WRITE, ACL_READ
It has to be investigated, if this can be fixed within
the posixacl vfs module or if we need a darwinacl module.
Michael
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux, FreeBSD and other (which?) ACL implementations
are now checked in the same block instead of in three
separate blocks. This was inspired by Timur Bakeyev
in Bug #4543. Since bugzilla is currently unavailable
this patch is probably slightly different from Timurs
original patch. This should finally fix Bug #4543.
2. The default of the --with-acl-support configure
option is changed to "auto" (which is actually the
same as "yes"). So configure tries to detect acl
support by default. This had been discussed with
Metze and others.
Michael
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Michael
|
| |
|
|
| |
with non-GNU implementations of tr in autogen.sh
|
| | |
|
| | |
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
| |
say "locks chain and returned record", not
"and returns record"
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
travlocks.lock_rw for lock read/write types, it
was sometimes using it (tdb_next_lock) and
sometimes explicitly using F_WRLCK instead.
Change this to consistently use travlocks.lock_rw
only.
I'm pretty sure about this fix (else I woudn't
be checking this in :-) but tridge and Volker
please review.
Jeremy.
|
| |
|
|
| |
the patch :-)
|
