| Commit message | Author | Age | Files | Lines |
| |
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
(cherry picked from commit c1a4a99f8cc5803682a94060efee1adf330c4f02)
| |
LDAP_SSL_ON is not defined at all. That's why the actual default value
was "" for a long time. Set a more sensible default value without changing the
default behaviour.
-----8<------------------snip--------------8<--------------
user@host:/data/git/samba/v3-0-test/source> git grep LDAP_SSL_ON | cat
include/smb.h:enum ldap_ssl_types {LDAP_SSL_ON, LDAP_SSL_OFF,
LDAP_SSL_START_TLS};
param/loadparm.c: Globals.ldap_ssl = LDAP_SSL_ON;
----->8------------------snap-------------->8--------------
It's the same in 3.2 and 3.3 series.
Karolin
(cherry picked from commit e6d883e003d4560c55259ae1cfdf7319602f76e3)
(cherry picked from commit 5c686419096362176d80f3d05339b8836d0178a4)
| |
Jeremy
| |
"acl group control"
parameter and make it only apply to owning group. Also added man page fix.
Jeremy.
| |
If you create a share on a Windows machine called foo$ then this share is
of the type STYPE_DISKTREE. So it is possible to administrate this kind of
share. Tested on Windows NT and 2003.
In samba we assume that a share with a $ at the end must be of the type
STYPE_DISKTREE_HIDDEN. This is wrong, so we need a variable in the config
to define if the share should be hidden or not.
| |
Logging of the ldap libraries appears with a [LDAP] prefix
inside the samba logs. This is controlled by two new parameters:
* "ldap debug level" sets the debug level of the ldap libraries.
It is the bit-field as understood by the openldap server.
* "ldap debug threshold" is the samba debug level at which ldap
logging appears inside the samba logs.
This probably needs some configure tests since it makes
use of the LBER_OPT_LOG_PRINT_FN option to redirect the
debug output of the ldap libraries.
Michael
| |
Michael
| |
in "net conf setparm".
Michael
| |
given to "net conf setparm". Add a utility function
lp_parameter_valid() for this to loadparm.c.
Michael
| |
(This will be used in a next step to prevent storing these
values in reg_smbconf.c.)
Michael
| |
net as a non-root user, e.g.
Michael
| |
not effective for the global section (snum < 0). This checkin
makes it effective for the global section, too.
This does not produce changes in the results of the present calls of
lp_next_parameter: Beside the new use in utils/net_conf.c (which is
hereby fixed), the only calls of lp_next_parameter are in web/swat.c,
where it is effectively always called with allparameters == 1.
Michael
| |
Michael
| |
Michael
| |
Michael
| |
Michael
| |
Michael
| |
Jeremy.
| |
failed expression in SMB_ASSERT.
| |
The global options are stored as values in the subkey "global"
of the SMBCONF registry key.
The activation is accomplished in smb.conf through a new special
semantic of the "include" parameter: "include = registry" triggers
the processing of the registry global options exactly at the
position of the include statement. Options read from the registry
take the same precedence as parameters loaded from a file via
include. Need to reload the registry globals is detected by
watching the tdb sequence number.
Registry shares are automatically activated when the registry
globals are processed.
So a "registry only" configuration can be realized by an
smb.conf that looks as follows:
================================
[global]
include = registry
================================
The global options and registry shares can be conveniently
edited with the "net conf" utility.
Caveat:
A possible pitfall consists in using "include = registry"
together with the "lock directory" directive in the registry.
This problem will be addressed in the next time.
Note on the code:
Processing of the registry options is accomplished by a function
process_registry_globals() in loadparm.c. The current version is
only an interim solution: It is handcoded instead of using the
infrastructure of reg_api.c. The reason for this is that using
reg_api still has too large linker dependencies, bloating virtually
all targets by PASSDB_OBJ, SMBLDAP_OBJ, GROUPDB_OBJ and LDB stuff.
A version of process_registry_globals that uses reg_api is
included but commented out. The goal is to eventually refactor
and restructure the registry code so that one can use the reg_api
to access only the registry tdb and not link all the dynamic
backends with all their linking implications.
| |
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the
max depth winbindd will expand group members. The default
is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async. I
haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
its own function.
| |
I'm 100% certain I've forgotten to merge something, but the main code
should be in. It's mainly in dbwrap_ctdb.c, ctdbd_conn.c and
messages_ctdbd.c.
There should be no changes to the non-cluster case, it does survive make
test on my laptop.
It survives some very basic tests with ctdbd enabled, I did not do the
full test suite for clusters yet.
Phew...
Volker
| |
the patch :-)
| |
Jeremy.
| |
32 unicode chars. Windows XP doesn't like that :-).
Jeremy
| |
idmap expire time -> idmap cache time
idmap negative time -> idmap negative cache time
| |
idmap domains as these should only be handled by the
winbindd_passdb.c backend
* Allow the alloc init to fail for backwards compatible
configurations like
idmap backend = ad
idmap uid = 1000-100000
....
* Remove the deprecated flags from idmap backend, et al.
These are mutually exclusive with the new configuration
options (idmap domains). Logging annoying messages
about deprecated parameters is confusing. So we'll try
this approach for now.
| |
On the way, make lp_keepalive() a proper parameter.
Volker
| |
added to debug messages
| |
path.
Thanks,
Volker
| |
Guenther
| |
Slightly change the DEBUG 0 message as suggested by Volker on
samba-technical.
| |
post 3.0.23.
This implementation considers spaces in ldapsam configs. Such configs
are truncated after the closing quote.
| |
Change
back the 'msdfs root = yes' default to 'no'.
Volker
| |
It should probably better be integrated with our write cache.
Volker
| |
Move more error code returns to NTSTATUS.
Client test code to follow... See if this
passes the build-farm before I add it into
3.0.25.
Jeremy.
| |
parameters
change notify = [yes]/no # do we do it at all
kernel change notify = [yes]/no # enable/disable inotify
Those who want FAM need to say
change notify = yes
vfs objects = notify_fam
Volker
| |
on the samba-technical ml. The replacement character is hardcoded
as a '_' for now.
| |
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
| |
clean up a bunch of no previous prototype warnings
| |
Simo.