Hello community,
here is the log from the commit of package samba
checked in at Tue May 9 00:49:45 CEST 2006.
--------
--- samba/samba.changes 2006-04-20 15:02:14.000000000 +0200
+++ STABLE/samba/samba.changes 2006-05-08 17:46:39.000000000 +0200
@@ -2 +2 @@
-Thu Apr 20 14:06:37 CEST 2006 - gd@suse.de
+Mon May 8 17:37:28 CEST 2006 - lmuelle@suse.de
@@ -3,0 +4,21 @@
+- Added "usershare allow guests" global parameter; [#144787].
+
+-------------------------------------------------------------------
+Thu May 4 19:52:01 CEST 2006 - gd@suse.de
+
+- Return domain name in samrquerydominfo 5; [#172756].
+
+-------------------------------------------------------------------
+Tue May 2 11:58:34 CEST 2006 - gd@suse.de
+
+- Fix unauthorized access when logging in with pam_winbind; [#156385].
+
+-------------------------------------------------------------------
+Thu Apr 27 17:40:34 CEST 2006 - lmuelle@suse.de
+
+- Don't ever set O_SYNC on open unless "strict sync = yes"; [#165431].
+
+-------------------------------------------------------------------
+Mon Apr 24 12:23:29 CEST 2006 - gd@suse.de
+
+- Correct fix to exit from "net" with an inproper configuration; [#163227].
@@ -30,0 +52,5 @@
+Fri Mar 31 13:20:05 CEST 2006 - gd@suse.de
+
+- Don't assume account objectclass for eDir; [#160169].
+
+-------------------------------------------------------------------
@@ -34 +59,0 @@
-- Don't assume account objectclass for eDir; [#160169].
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ samba-doc.spec ++++++
--- /var/tmp/diff_new_pack.YwBw35/_old 2006-05-09 00:49:26.000000000 +0200
+++ /var/tmp/diff_new_pack.YwBw35/_new 2006-05-09 00:49:26.000000000 +0200
@@ -16,7 +16,7 @@
License: GPL
URL: http://www.samba.org/
Version: 3.0.22
-Release: 10
+Release: 18
Summary: Samba Documentation
Group: Documentation/Other
Autoreqprov: on
++++++ samba.spec ++++++
--- /var/tmp/diff_new_pack.YwBw35/_old 2006-05-09 00:49:26.000000000 +0200
+++ /var/tmp/diff_new_pack.YwBw35/_new 2006-05-09 00:49:26.000000000 +0200
@@ -20,7 +20,7 @@
URL: http://www.samba.org/
Autoreqprov: on
Version: 3.0.22
-Release: 7
+Release: 12
Provides: sambaxp = %{version}-%{release} samba3 = %{version}-%{release}
Obsoletes: samba-classic samba-ldap sambaxp samba3 < %{version}
Requires: samba-client >= %{version}
@@ -165,7 +165,7 @@
Group: Productivity/Networking/Samba
Autoreqprov: on
Version: 1.34a
-Release: 12
+Release: 17
Requires: perl-ldap
%endif
%if %{suse_version} > 920
@@ -180,7 +180,7 @@
Group: Productivity/Networking/Samba
Autoreqprov: on
Version: 0.3.6b
-Release: 36
+Release: 41
Provides: samba3-vscan = 0.3.6b
Obsoletes: samba3-vscan
Requires: samba = %{samba_ver}
@@ -1216,7 +1216,16 @@
%endif
%changelog -n samba
-* Thu Apr 20 2006 - gd@suse.de
+* Mon May 08 2006 - lmuelle@suse.de
+- Added "usershare allow guests" global parameter; [#144787].
+* Thu May 04 2006 - gd@suse.de
+- Return domain name in samrquerydominfo 5; [#172756].
+* Tue May 02 2006 - gd@suse.de
+- Fix unauthorized access when logging in with pam_winbind; [#156385].
+* Thu Apr 27 2006 - lmuelle@suse.de
+- Don't ever set O_SYNC on open unless "strict sync = yes"; [#165431].
+* Mon Apr 24 2006 - gd@suse.de
+- Correct fix to exit from "net" with an inproper configuration; [#163227].
- Robustness fixes for winbind; [#167952].
- Fix build of own iniparser copy.
* Sat Apr 15 2006 - lmuelle@suse.de
@@ -1233,9 +1242,10 @@
* Mon Apr 03 2006 - lmuelle@suse.de
- Allow testparm to dump a paramatrical option.
- Update to 3.0.22; CVE-2006-1059; [#161778].
+* Fri Mar 31 2006 - gd@suse.de
+- Don't assume account objectclass for eDir; [#160169].
* Wed Mar 29 2006 - gd@suse.de
- Only send CLDAP request to an connect AD DC; [#159684].
-- Don't assume account objectclass for eDir; [#160169].
- Invalidate krb5 credential cache when pam_auth has failed; [#161018].
* Tue Mar 28 2006 - lmuelle@suse.de
- Enhance comment for the 'cups options = raw' line; [#160720].
++++++ patches.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15194 new/patches/samba.org/15194
--- old/patches/samba.org/15194 1970-01-01 01:00:00.000000000 +0100
+++ new/patches/samba.org/15194 2006-04-27 11:27:52.000000000 +0200
@@ -0,0 +1,40 @@
+------------------------------------------------------------------------
+r15194 | gd | 2006-04-24 12:09:45 +0200 (Mon, 24 Apr 2006) | 4 lines
+
+We need to be able to join as PDC as well. Thanks to Andrew Bartlett.
+
+Guenther
+
+------------------------------------------------------------------------
+Index: source/utils/net_ads.c
+===================================================================
+--- source/utils/net_ads.c (revision 15193)
++++ source/utils/net_ads.c (revision 15194)
+@@ -721,9 +721,8 @@
+ const char *short_domain_name = NULL;
+ TALLOC_CTX *ctx = NULL;
+
+- if ((lp_server_role() != ROLE_DOMAIN_MEMBER) &&
+- (lp_server_role() != ROLE_DOMAIN_BDC)) {
+- d_printf("can only join as domain member or as BDC\n");
++ if (lp_server_role() == ROLE_STANDALONE) {
++ d_printf("cannot join as standalone machine\n");
+ return -1;
+ }
+
+Index: source/utils/net_rpc.c
+===================================================================
+--- source/utils/net_rpc.c (revision 15193)
++++ source/utils/net_rpc.c (revision 15194)
+@@ -389,9 +389,8 @@
+
+ int net_rpc_join(int argc, const char **argv)
+ {
+- if ((lp_server_role() != ROLE_DOMAIN_MEMBER) &&
+- (lp_server_role() != ROLE_DOMAIN_BDC)) {
+- d_printf("can only join as domain member or as BDC\n");
++ if (lp_server_role() == ROLE_STANDALONE) {
++ d_printf("cannot join as standalone machine\n");
+ return -1;
+ }
+
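Review bot: The new guard `if (lp_server_role() == ROLE_STANDALONE)` in both net_ads.c and net_rpc.c is a deny-list, so every role other than standalone may now join, including any role value added later. The old code named the permitted roles explicitly. If the intent is only to admit PDCs, as the commit message says, an explicit list keeps that visible: `if ((lp_server_role() != ROLE_DOMAIN_MEMBER) && (lp_server_role() != ROLE_DOMAIN_BDC) && (lp_server_role() != ROLE_DOMAIN_PDC)) {`, with a message to match. Both function bodies continue outside the hunks.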
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15293 new/patches/samba.org/15293
--- old/patches/samba.org/15293 1970-01-01 01:00:00.000000000 +0100
+++ new/patches/samba.org/15293 2006-04-27 17:46:42.000000000 +0200
@@ -0,0 +1,23 @@
+------------------------------------------------------------------------
+r15293 | jra | 2006-04-27 15:42:18 +0200 (Do, 27 Apr 2006) | 6 lines
+
+Don't ever set O_SYNC on open unless "strict sync = yes".
+This could be the cause of the perf. problem reported
+between 3.0.14a and 3.0.2x. Lufthansa has *wireless*
+on their flights to the USA now... (I'm in heaven ! :-).
+Jeremy.
+
+------------------------------------------------------------------------
+Index: source/smbd/open.c
+===================================================================
+--- source/smbd/open.c (Revision 15292)
++++ source/smbd/open.c (Revision 15293)
+@@ -1273,7 +1273,7 @@
+ */
+
+ #if defined(O_SYNC)
+- if (create_options & FILE_WRITE_THROUGH) {
++ if (lp_strict_sync(SNUM(conn)) && (create_options & FILE_WRITE_THROUGH)) {
+ flags2 |= O_SYNC;
+ }
+ #endif /* O_SYNC */
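Review bot: A client's FILE_WRITE_THROUGH request is now dropped silently whenever "strict sync" is off, and the new condition `lp_strict_sync(SNUM(conn)) && (create_options & FILE_WRITE_THROUGH)` carries no comment saying so. This trades the durability the client asked for against throughput, which the next maintainer should see at the call site. I would add `/* Honour FILE_WRITE_THROUGH only when "strict sync = yes"; otherwise the file is not opened O_SYNC and written data may still be cached when the write returns. */` above the `if`, and describe the same behaviour in the "strict sync" parameter documentation. The enclosing function and the comment block that ends just above start outside the hunk.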
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15438 new/patches/samba.org/15438
--- old/patches/samba.org/15438 1970-01-01 01:00:00.000000000 +0100
+++ new/patches/samba.org/15438 2006-05-08 13:33:47.000000000 +0200
@@ -0,0 +1,79 @@
+------------------------------------------------------------------------
+r15438 | gd | 2006-05-04 19:28:05 +0200 (Thu, 04 May 2006) | 7 lines
+
+Fix samrQueryDomainInfo level 5 where we returned our netbios
+name eversince instead of the domain name when we are a DC.
+
+Yes, there are applications relying on this call to be correct.
+
+Guenther
+
+------------------------------------------------------------------------
+Index: source/rpc_server/srv_samr_nt.c
+===================================================================
+--- source/rpc_server/srv_samr_nt.c (revision 15437)
++++ source/rpc_server/srv_samr_nt.c (revision 15438)
+@@ -2301,7 +2301,7 @@
+ init_unk_info3(&ctr->info.inf3, nt_logout);
+ break;
+ case 0x05:
+- init_unk_info5(&ctr->info.inf5, global_myname());
++ init_unk_info5(&ctr->info.inf5, get_global_sam_name());
+ break;
+ case 0x06:
+ init_unk_info6(&ctr->info.inf6);
+@@ -4802,7 +4802,7 @@
+ init_unk_info3(&ctr->info.inf3, nt_logout);
+ break;
+ case 0x05:
+- init_unk_info5(&ctr->info.inf5, global_myname());
++ init_unk_info5(&ctr->info.inf5, get_global_sam_name());
+ break;
+ case 0x06:
+ init_unk_info6(&ctr->info.inf6);
+Index: source/rpc_parse/parse_samr.c
+===================================================================
+--- source/rpc_parse/parse_samr.c (revision 15437)
++++ source/rpc_parse/parse_samr.c (revision 15438)
+@@ -662,10 +662,10 @@
+ inits a structure.
+ ********************************************************************/
+
+-void init_unk_info5(SAM_UNK_INFO_5 * u_5,const char *server)
++void init_unk_info5(SAM_UNK_INFO_5 * u_5,const char *domain)
+ {
+- init_unistr2(&u_5->uni_server, server, UNI_FLAGS_NONE);
+- init_uni_hdr(&u_5->hdr_server, &u_5->uni_server);
++ init_unistr2(&u_5->uni_domain, domain, UNI_FLAGS_NONE);
++ init_uni_hdr(&u_5->hdr_domain, &u_5->uni_domain);
+ }
+
+ /*******************************************************************
+@@ -681,10 +681,10 @@
+ prs_debug(ps, depth, desc, "sam_io_unk_info5");
+ depth++;
+
+- if(!smb_io_unihdr("hdr_server", &u_5->hdr_server, ps, depth))
++ if(!smb_io_unihdr("hdr_domain", &u_5->hdr_domain, ps, depth))
+ return False;
+
+- if(!smb_io_unistr2("uni_server", &u_5->uni_server, u_5->hdr_server.buffer, ps, depth))
++ if(!smb_io_unistr2("uni_domain", &u_5->uni_domain, u_5->hdr_domain.buffer, ps, depth))
+ return False;
+
+ return True;
+Index: source/include/rpc_samr.h
+===================================================================
+--- source/include/rpc_samr.h (revision 15437)
++++ source/include/rpc_samr.h (revision 15438)
+@@ -572,8 +572,8 @@
+
+ typedef struct sam_unknown_info_5_inf
+ {
+- UNIHDR hdr_server; /* server name unicode header */
+- UNISTR2 uni_server; /* server name unicode string */
++ UNIHDR hdr_domain; /* domain name unicode header */
++ UNISTR2 uni_domain; /* domain name unicode string */
+
+ } SAM_UNK_INFO_5;
+
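Review bot: Both `case 0x05:` branches in srv_samr_nt.c now call `get_global_sam_name()` unconditionally, while the commit message describes the fix only for the DC case. What that helper returns on a member server or standalone host is not visible here, so a short comment at the call would help, e.g. `/* domain name when we are a DC; see get_global_sam_name() for other roles */`. The rename of `hdr_server`/`uni_server` in rpc_samr.h will also break any user of the old member names outside the three files touched, so the tree should be grepped for them. The two switch statements are identical and sit in functions whose bodies lie outside the hunks.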
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/series new/patches/series
--- old/patches/series 2006-04-20 14:37:50.000000000 +0200
+++ new/patches/series 2006-05-08 13:33:47.000000000 +0200
@@ -37,6 +37,9 @@
samba.org/15093 -p0
samba.org/15123 -p0
samba.org/15136 -p0
+samba.org/15194 -p0
+samba.org/15293 -p0
+samba.org/15438 -p0
# SuSE specific changes
# disabled -> WIP lmuelle
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/suse/netusershare.diff new/patches/suse/netusershare.diff
--- old/patches/suse/netusershare.diff 2006-03-15 15:43:53.000000000 +0100
+++ new/patches/suse/netusershare.diff 2006-05-08 17:36:23.000000000 +0200
@@ -570,7 +570,7 @@
SMBPASSWD_OBJ = utils/smbpasswd.o utils/passwd_util.o $(PASSCHANGE_OBJ) \
$(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
-@@ -573,7 +574,8 @@ NET_OBJ1 = utils/net.o utils/net_ads.o u
+@@ -572,7 +573,8 @@ NET_OBJ1 = utils/net.o utils/net_ads.o u
utils/net_rpc_join.o utils/net_time.o utils/net_lookup.o \
utils/net_cache.o utils/net_groupmap.o utils/net_idmap.o \
utils/net_status.o utils/net_rpc_printer.o utils/net_rpc_rights.o \
@@ -580,7 +580,7 @@
NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
-@@ -597,7 +599,7 @@ CIFS_MOUNT_OBJ = client/mount.cifs.o
+@@ -596,7 +598,7 @@ CIFS_MOUNT_OBJ = client/mount.cifs.o
CIFS_UMOUNT_OBJ = client/umount.cifs.o
@@ -589,7 +589,7 @@
$(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
-@@ -641,11 +643,12 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
+@@ -640,11 +642,12 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
EVTLOGADM_OBJ0 = utils/eventlogadm.o
EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(REGOBJS_OBJ) \
@@ -604,7 +604,7 @@
RPCTORTURE_OBJ = torture/rpctorture.o \
rpcclient/display.o \
-@@ -731,7 +734,7 @@ WINBINDD_OBJ = \
+@@ -730,7 +733,7 @@ WINBINDD_OBJ = \
$(LIBADS_SERVER_OBJ) $(SERVER_MUTEX_OBJ)
WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -613,13 +613,13 @@
WINBIND_NSS_OBJ = $(WBCOMMON_OBJ) lib/replace1.o @WINBIND_NSS_EXTRA_OBJS@
-@@ -751,7 +754,7 @@ NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils
+@@ -753,7 +756,7 @@ NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils
NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
libsmb/asn1.o libsmb/spnego.o libsmb/clikrb5.o libads/kerberos.o \
libads/kerberos_verify.o $(SECRETS_OBJ) $(SERVER_MUTEX_OBJ) \
- libads/authdata.o $(RPC_PARSE_OBJ0) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
+ libads/authdata.o $(RPC_PARSE_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
- $(SMBLDAP_OBJ) $(DOSERR_OBJ) rpc_parse/parse_net.o
+ $(SMBLDAP_OBJ) $(DOSERR_OBJ) rpc_parse/parse_net.o $(LIBNMB_OBJ)
######################################################################
Index: source/param/loadparm.c
@@ -657,11 +657,12 @@
int mangle_prefix;
int max_log_size;
char *szLogLevel;
-@@ -300,24 +306,27 @@ typedef struct
+@@ -300,24 +306,28 @@ typedef struct
BOOL bDeferSharingViolations;
BOOL bEnablePrivileges;
BOOL bASUSupport;
+ BOOL bUsershareOwnerOnly;
++ BOOL bUsershareAllowGuests;
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
@@ -689,7 +690,7 @@
char *szService;
char *szPath;
char *szUsername;
-@@ -446,14 +455,15 @@ typedef struct
+@@ -446,14 +456,15 @@ typedef struct
param_opt_struct *param_opt;
char dummy[3]; /* for alignment */
@@ -707,10 +708,11 @@
NULL, /* szService */
NULL, /* szPath */
NULL, /* szUsername */
-@@ -1214,6 +1224,12 @@ static struct parm_struct parm_table[] =
+@@ -1214,6 +1225,13 @@ static struct parm_struct parm_table[] =
{"root preexec close", P_BOOL, P_LOCAL, &sDefault.bRootpreexecClose, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE},
{"root postexec", P_STRING, P_LOCAL, &sDefault.szRootPostExec, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT},
{"available", P_BOOL, P_LOCAL, &sDefault.bAvailable, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT},
++ {"usershare allow guests", P_BOOL, P_GLOBAL, &Globals.bUsershareAllowGuests, NULL, NULL, FLAG_ADVANCED},
+ {"usershare max shares", P_INTEGER, P_GLOBAL, &Globals.iUsershareMaxShares, NULL, NULL, FLAG_ADVANCED},
+ {"usershare owner only", P_BOOL, P_GLOBAL, &Globals.bUsershareOwnerOnly, NULL, NULL, FLAG_ADVANCED},
+ {"usershare path", P_STRING, P_GLOBAL, &Globals.szUsersharePath, NULL, NULL, FLAG_ADVANCED},
@@ -720,7 +722,7 @@
{"volume", P_STRING, P_LOCAL, &sDefault.volume, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE },
{"fstype", P_STRING, P_LOCAL, &sDefault.fstype, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE},
{"set directory", P_BOOLREV, P_LOCAL, &sDefault.bNo_set_dir, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE},
-@@ -1636,6 +1652,15 @@ static void init_globals(BOOL first_time
+@@ -1636,6 +1654,17 @@ static void init_globals(BOOL first_time
Globals.bEnablePrivileges = False;
Globals.bASUSupport = True;
@@ -733,10 +735,12 @@
+ Globals.iUsershareMaxShares = 0;
+ /* By default disallow sharing of directories not owned by the sharer. */
+ Globals.bUsershareOwnerOnly = True;
++ /* By default disallow guest access to usershares. */
++ Globals.bUsershareAllowGuests = False;
}
static TALLOC_CTX *lp_talloc;
-@@ -1823,9 +1848,13 @@ FN_GLOBAL_INTEGER(lp_ldap_page_size, &Gl
+@@ -1823,9 +1852,14 @@ FN_GLOBAL_INTEGER(lp_ldap_page_size, &Gl
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
@@ -746,11 +750,12 @@
FN_GLOBAL_LIST(lp_eventlog_list, &Globals.szEventLogs)
++FN_GLOBAL_BOOL(lp_usershare_allow_guests, &Globals.bUsershareAllowGuests)
+FN_GLOBAL_BOOL(lp_usershare_owner_only, &Globals.bUsershareOwnerOnly)
FN_GLOBAL_BOOL(lp_disable_netbios, &Globals.bDisableNetbios)
FN_GLOBAL_BOOL(lp_reset_on_zero_vc, &Globals.bResetOnZeroVC)
FN_GLOBAL_BOOL(lp_ms_add_printer_wizard, &Globals.bMsAddPrinterWizard)
-@@ -1913,6 +1942,8 @@ FN_GLOBAL_INTEGER(lp_map_to_guest, &Glob
+@@ -1913,6 +1947,8 @@ FN_GLOBAL_INTEGER(lp_map_to_guest, &Glob
FN_GLOBAL_INTEGER(lp_oplock_break_wait_time, &Globals.oplock_break_wait_time)
FN_GLOBAL_INTEGER(lp_lock_spin_count, &Globals.iLockSpinCount)
FN_GLOBAL_INTEGER(lp_lock_sleep_time, &Globals.iLockSpinTime)
@@ -759,7 +764,7 @@
FN_LOCAL_STRING(lp_preexec, szPreExec)
FN_LOCAL_STRING(lp_postexec, szPostExec)
FN_LOCAL_STRING(lp_rootpreexec, szRootPreExec)
-@@ -2480,7 +2511,7 @@ static char *canonicalize_servicename(co
+@@ -2480,7 +2516,7 @@ static char *canonicalize_servicename(co
}
fstrcpy( canon, src );
@@ -768,7 +773,7 @@
return canon;
}
-@@ -2617,7 +2648,7 @@ BOOL lp_add_printer(const char *pszPrint
+@@ -2617,7 +2653,7 @@ BOOL lp_add_printer(const char *pszPrint
string_set(&ServicePtrs[i]->szPrintername, pszPrintername);
string_set(&ServicePtrs[i]->comment, comment);
@@ -777,7 +782,7 @@
ServicePtrs[i]->bBrowseable = sDefault.bBrowseable;
/* Printers cannot be read_only. */
-@@ -4029,9 +4060,11 @@ void lp_killunused(BOOL (*snumused) (int
+@@ -4052,9 +4088,11 @@ void lp_killunused(BOOL (*snumused) (int
if (!VALID(i))
continue;
@@ -791,7 +796,7 @@
if (!snumused || !snumused(i)) {
free_service_byindex(i);
-@@ -4191,6 +4224,612 @@ static void set_allowed_client_auth(void
+@@ -4214,6 +4252,640 @@ static void set_allowed_client_auth(void
}
/***************************************************************************
@@ -854,29 +859,40 @@
+ int numlines,
+ pstring sharepath,
+ pstring comment,
-+ SEC_DESC **ppsd)
++ SEC_DESC **ppsd,
++ BOOL *pallow_guest)
+{
+ const char **prefixallowlist = lp_usershare_prefix_allow_list();
+ const char **prefixdenylist = lp_usershare_prefix_deny_list();
++ int us_vers;
+ SMB_STRUCT_DIR *dp;
+ SMB_STRUCT_STAT sbuf;
+
++ *pallow_guest = False;
++
+ if (numlines < 4) {
+ return USERSHARE_MALFORMED_FILE;
+ }
+
-+ if (!strequal(lines[0], "#VERSION 1")) {
++ if (strcmp(lines[0], "#VERSION 1") == 0) {
++ us_vers = 1;
++ } else if (strcmp(lines[0], "#VERSION 2") == 0) {
++ us_vers = 2;
++ if (numlines < 5) {
++ return USERSHARE_MALFORMED_FILE;
++ }
++ } else {
+ return USERSHARE_BAD_VERSION;
+ }
+
-+ if (!strnequal(lines[1], "path=", 5)) {
++ if (strncmp(lines[1], "path=", 5) != 0) {
+ return USERSHARE_MALFORMED_PATH;
+ }
+
+ pstrcpy(sharepath, &lines[1][5]);
+ trim_string(sharepath, " ", " ");
+
-+ if (!strnequal(lines[2], "comment=", 8)) {
++ if (strncmp(lines[2], "comment=", 8) != 0) {
+ return USERSHARE_MALFORMED_COMMENT_DEF;
+ }
+
@@ -884,7 +900,7 @@
+ trim_string(comment, " ", " ");
+ trim_char(comment, '"', '"');
+
-+ if (!strnequal(lines[3], "usershare_acl=", 14)) {
++ if (strncmp(lines[3], "usershare_acl=", 14) != 0) {
+ return USERSHARE_MALFORMED_ACL_DEF;
+ }
+
@@ -892,7 +908,16 @@
+ return USERSHARE_ACL_ERR;
+ }
+
-+ if (snum != -1 && strequal(sharepath, ServicePtrs[snum]->szPath)) {
++ if (us_vers == 2) {
++ if (strncmp(lines[4], "guest_ok=", 9) != 0) {
++ return USERSHARE_MALFORMED_ACL_DEF;
++ }
++ if (lines[4][9] == 'y') {
++ *pallow_guest = True;
++ }
++ }
++
++ if (snum != -1 && (strcmp(sharepath, ServicePtrs[snum]->szPath) == 0)) {
+ /* Path didn't change, no checks needed. */
+ return USERSHARE_OK;
+ }
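Review bot: Only the first character after `guest_ok=` is inspected at `lines[4][9] == 'y'`, so `Y`, a typo or an empty value is silently read as "no", and anything starting with `y` is read as "yes" whatever follows. A missing `guest_ok=` line is reported as USERSHARE_MALFORMED_ACL_DEF, which points the administrator at the wrong line. Failing closed is the right default, but a strict parse would reject a damaged file instead of accepting it: `if (strcmp(&lines[4][9], "y") == 0) *pallow_guest = True; else if (strcmp(&lines[4][9], "n") != 0) return USERSHARE_MALFORMED_ACL_DEF;`. This assumes the lines carry no trailing whitespace, which is not visible here. The same first-character-only check appears in the `case 5:` hunk of net_usershare.c (`switch (argv[4][9])`). The function continues outside this hunk.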
@@ -1004,6 +1029,7 @@
+ int iService = -1;
+ TALLOC_CTX *ctx = NULL;
+ SEC_DESC *psd = NULL;
++ BOOL guest_ok = False;
+
+ /* Ensure share name doesn't contain invalid characters. */
+ if (!validate_net_name(file_name, INVALID_SHARENAME_CHARS, strlen(file_name))) {
@@ -1097,7 +1123,9 @@
+ return 1;
+ }
+
-+ if (parse_usershare_file(ctx, &sbuf, service_name, iService, lines, numlines, sharepath, comment, &psd) != USERSHARE_OK) {
++ if (parse_usershare_file(ctx, &sbuf, service_name,
++ iService, lines, numlines, sharepath,
++ comment, &psd, &guest_ok) != USERSHARE_OK) {
+ talloc_destroy(ctx);
+ SAFE_FREE(lines);
+ return -1;
@@ -1141,6 +1169,11 @@
+ /* Set the service as a valid usershare. */
+ ServicePtrs[iService]->usershare = USERSHARE_VALID;
+
++ /* Set guest access. */
++ if (lp_usershare_allow_guests()) {
++ ServicePtrs[iService]->bGuest_ok = guest_ok;
++ }
++
+ /* And note when it was loaded. */
+ ServicePtrs[iService]->usershare_last_mod = sbuf.st_mtime;
+ string_set(&ServicePtrs[iService]->szPath, sharepath);
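Review bot: When "usershare allow guests" is off, the added block leaves `ServicePtrs[iService]->bGuest_ok` untouched instead of clearing it, so the usershare keeps whatever value the service was created with or previously loaded with. That value is set outside this hunk and may already be False, but it should be confirmed for a service copied from a template or default that has guest access enabled, and for a share reloaded after the parameter was switched off. Assigning unconditionally makes the global parameter authoritative: `ServicePtrs[iService]->bGuest_ok = lp_usershare_allow_guests() ? guest_ok : False;`. The enclosing function begins and ends outside the hunk.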
@@ -1404,7 +1437,7 @@
Load the services array from the services file. Return True on success,
False on failure.
***************************************************************************/
-@@ -4340,8 +4979,9 @@ int lp_servicenumber(const char *pszServ
+@@ -4363,8 +5035,9 @@ int lp_servicenumber(const char *pszServ
int iService;
fstring serviceName;
@@ -1415,7 +1448,7 @@
for (iService = iNumServices - 1; iService >= 0; iService--) {
if (VALID(iService) && ServicePtrs[iService]->szService) {
-@@ -4351,8 +4991,30 @@ int lp_servicenumber(const char *pszServ
+@@ -4374,8 +5047,30 @@ int lp_servicenumber(const char *pszServ
*/
fstrcpy(serviceName, ServicePtrs[iService]->szService);
standard_sub_basic(get_current_username(), serviceName,sizeof(serviceName));
@@ -2039,7 +2072,7 @@
===================================================================
--- /dev/null
+++ source/utils/net_usershare.c
-@@ -0,0 +1,840 @@
+@@ -0,0 +1,876 @@
+/*
+ Samba Unix/Linux SMB client library
+ Distributed SMB/CIFS Server Management Utility
@@ -2104,12 +2137,13 @@
+{
+ char c = *lp_winbind_separator();
+ d_printf(
-+ "net usershare add [-l|--long] <sharename> <path> [<comment>] [<acl>]\n"
++ "net usershare add [-l|--long] <sharename> <path> [<comment>] [<acl>] []\n"
+ "\tAdds the specified share name for this user.\n"
+ "\t<sharename> is the new share name.\n"
+ "\t<path> is the path on the filesystem to export.\n"
+ "\t<comment> is the optional comment for the new share.\n"
+ "\t<acl> is an optional share acl in the format \"DOMAIN%cname:X,DOMAIN%cname:X,....\"\n"
++ "\t if present sets \"guest ok = yes\" on this usershare.\n"
+ "\t\t\"X\" represents a permission and can be any one of the characters f, r or d\n"
+ "\t\twhere \"f\" means full control, \"r\" means read-only, \"d\" means deny access.\n"
+ "\t\tname may be a domain user or group. For local users use the local server name "
@@ -2152,7 +2186,8 @@
+
+int net_usershare_usage(int argc, const char **argv)
+{
-+ d_printf("net usershare add <sharename> <path> [<comment>] [<acl>] to add or change a user defined share.\n"
++ d_printf("net usershare add <sharename> <path> [<comment>] [<acl>] [] to "
++ "add or change a user defined share.\n"
+ "net usershare delete <sharename> to delete a user defined share.\n"
+ "net usershare info [-l|--long] [wildcard sharename] to print info about a user defined share.\n"
+ "net usershare list [-l|--long] [wildcard sharename] to list user defined shares.\n"
@@ -2342,6 +2377,7 @@
+ int num_aces;
+ char sep_str[2];
+ enum usershare_err us_err;
++ BOOL guest_ok = False;
+
+ sep_str[0] = *lp_winbind_separator();
+ sep_str[1] = '\0';
@@ -2388,7 +2424,8 @@
+ us_err = parse_usershare_file(ctx, &sbuf, fl->pathname, -1, lines, numlines,
+ sharepath,
+ comment,
-+ &psd);
++ &psd,
++ &guest_ok);
+
+ if (us_err != USERSHARE_OK) {
+ d_fprintf(stderr, "info_fn: file %s is not a well formed usershare file.\n",
@@ -2440,7 +2477,8 @@
+ d_printf("[%s]\n", fl->pathname );
+ d_printf("path=%s\n", sharepath );
+ d_printf("comment=%s\n", comment);
-+ d_printf("%s\n\n", acl_str);
++ d_printf("%s\n", acl_str);
++ d_printf("guest_ok=%c\n\n", guest_ok ? 'y' : 'n');
+ } else if (pi->op == US_LIST_OP) {
+ d_printf("%s\n", fl->pathname);
+ }
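Review bot: The `guest_ok=%c` line prints the value stored in the usershare file, not the effective setting, because the server applies it only when "usershare allow guests" is enabled. An administrator reading `net usershare info` output could take `guest_ok=y` to mean guests can actually connect. A comment at the print would record this, `/* value from the file; smbd honours it only if "usershare allow guests" is set */`, and the usage text could say the same. The enclosing function starts outside the hunk.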
@@ -2515,6 +2553,7 @@
+ const char *pacl;
+ size_t to_write;
+ uid_t myeuid = geteuid();
++ BOOL guest_ok = False;
+
+ us_comment = "";
+ arg_acl = "S-1-1-0:R";
@@ -2539,6 +2578,27 @@
+ us_comment = argv[2];
+ arg_acl = argv[3];
+ break;
++ case 5:
++ sharename = strdup_lower(argv[0]);
++ us_path = argv[1];
++ us_comment = argv[2];
++ arg_acl = argv[3];
++ if (!strnequal(argv[4], "guest_ok=", 9)) {
++ return net_usershare_add_usage(argc, argv);
++ }
++ switch (argv[4][9]) {
++ case 'y':
++ case 'Y':
++ guest_ok = True;
++ break;
++ case 'n':
++ case 'N':
++ guest_ok = False;
++ break;
++ default:
++ return net_usershare_add_usage(argc, argv);
++ }
++ break;
+ }
+
+ if (!validate_net_name(sharename, INVALID_SHARENAME_CHARS, strlen(sharename))) {
@@ -2682,6 +2742,15 @@
+ /* Remove the last ',' */
+ us_acl[strlen(us_acl)-1] = '\0';
+
++ if (guest_ok && !lp_usershare_allow_guests()) {
++ d_fprintf(stderr, "net usershare add: guest_ok=y requested "
++ "but the \"usershare allow guests\" parameter is not enabled "
++ "by this server.\n");
++ talloc_destroy(ctx);
++ SAFE_FREE(sharename);
++ return -1;
++ }
++
+ /* Create a temporary filename for this share. */
+ tmpfd = smb_mkstemp(full_path_tmp);
+
@@ -2728,9 +2797,9 @@
+ }
+
+ /* Create the in-memory image of the file. */
-+ file_img = talloc_strdup(ctx, "#VERSION 1\npath=");
-+ file_img = talloc_asprintf_append(file_img, "%s\ncomment=%s\nusershare_acl=%s\n",
-+ us_path, us_comment, us_acl );
++ file_img = talloc_strdup(ctx, "#VERSION 2\npath=");
++ file_img = talloc_asprintf_append(file_img, "%s\ncomment=%s\nusershare_acl=%s\nguest_ok=%c\n",
++ us_path, us_comment, us_acl, guest_ok ? 'y' : 'n');
+
+ to_write = strlen(file_img);
+
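Review bot: `us_path` and `us_comment` are formatted straight into a line-oriented file by `talloc_asprintf_append(...)`, and parse_usershare_file reads each field by line position, so a value containing a newline would shift every later field, including the new `guest_ok=` line. Whether earlier code in this function rejects control characters is not visible in this hunk. If it does not, a check such as `strchr(us_comment, '\n') != NULL` (and the same for `us_path`) before building the image, failing through the existing cleanup path, keeps the file as written and as parsed in agreement. The result of `talloc_strdup` is also passed to the append call without a NULL check in the lines shown.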
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/suse/samba3-pam_winbind.diff new/patches/suse/samba3-pam_winbind.diff
--- old/patches/suse/samba3-pam_winbind.diff 2006-04-20 16:13:55.000000000 +0200
+++ new/patches/suse/samba3-pam_winbind.diff 2006-05-02 16:23:49.000000000 +0200
@@ -15,7 +15,41 @@
LIBS="$KRB5_LIBS $LIBS"
-@@ -3445,6 +3448,29 @@ if test x"$with_ads_support" != x"no"; t
+@@ -3392,6 +3395,18 @@ if test x"$with_ads_support" != x"no"; t
+ [Whether krb5_keytab_entry has keyblock member])
+ fi
+
++ AC_CACHE_CHECK([for magic in krb5_address],
++ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS,[
++ AC_TRY_COMPILE([#include ],
++ [krb5_address addr; addr.magic = 0;],
++ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS=yes,
++ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS=no)])
++
++ if test x"$samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS" = x"yes"; then
++ AC_DEFINE(HAVE_MAGIC_IN_KRB5_ADDRESS,1,
++ [Whether the krb5_address struct has a magic property])
++ fi
++
+ if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
+ AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
+@@ -3442,9 +3457,44 @@ if test x"$with_ads_support" != x"no"; t
+ [Whether krb5_princ_realm returns krb5_realm or krb5_data])
+ fi
+
++ AC_CACHE_CHECK([for krb5_addresses type],
++ samba_cv_HAVE_KRB5_ADDRESSES,[
++ AC_TRY_COMPILE([#include ],
++ [krb5_addresses addr;],
++ samba_cv_HAVE_KRB5_ADDRESSES=yes,
++ samba_cv_HAVE_KRB5_ADDRESSES=no)])
++
++ if test x"$samba_cv_HAVE_KRB5_ADDRESSES" = x"yes"; then
++ AC_DEFINE(HAVE_KRB5_ADDRESSES,1,
++ [Whether the type krb5_addresses type exists])
++ fi
++
LIBS="$ac_save_LIBS"
fi
@@ -45,7 +79,7 @@
########################################################
# Compile experimental passdb backends?
# (pdb_xml, pdb_mysql, pdb_pgsql)
-@@ -5121,6 +5147,43 @@ AC_SUBST(POPTLIBS)
+@@ -5121,6 +5171,43 @@ AC_SUBST(POPTLIBS)
AC_SUBST(FLAGS1)
#################################################
@@ -109,6 +143,26 @@
/* ldap attribute oids (Services for Unix) */
#define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310"
+@@ -264,3 +266,19 @@ typedef void **ADS_MODLIST;
+
+ #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD"
+ #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD"
++
++#ifndef KRB5_ADDR_NETBIOS
++#define KRB5_ADDR_NETBIOS 0x14
++#endif
++
++#ifdef HAVE_KRB5
++typedef struct {
++#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
++ krb5_address **addrs;
++#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
++ krb5_addresses *addrs;
++#else
++#error UNKNOWN_KRB5_ADDRESS_TYPE
++#endif
++} smb_krb5_addresses;
++#endif
Index: source/include/doserr.h
===================================================================
--- source/include/doserr.h.orig
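Review bot: The MIT branch of the `smb_krb5_addresses` typedef requires `HAVE_ADDRTYPE_IN_KRB5_ADDRESS`, but the configure checks added in this patch define only `HAVE_MAGIC_IN_KRB5_ADDRESS` and `HAVE_KRB5_ADDRESSES`. The other macro presumably comes from an existing configure test, which should be confirmed, because without it an MIT build falls through to `#error UNKNOWN_KRB5_ADDRESS_TYPE`. The `#error` also stops the whole build on any Kerberos library that matches neither branch, even where the NetBIOS address is never requested. A comment above the typedef naming the configure test each macro comes from would make this easier to diagnose.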
@@ -134,7 +188,7 @@
/*
* Type for wide character dirent structure.
* Only d_name is defined by POSIX.
-@@ -1534,8 +1536,9 @@ BOOL smb_krb5_principal_compare_any_real
+@@ -1534,8 +1536,15 @@ BOOL smb_krb5_principal_compare_any_real
krb5_const_principal princ1,
krb5_const_principal princ2);
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
@@ -142,6 +196,12 @@
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname);
PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *new_start_time);
++krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
++krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
++krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
++NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
++krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
++
#endif /* HAVE_KRB5 */
@@ -329,7 +389,12 @@
===================================================================
--- source/libads/kerberos.c.orig
+++ source/libads/kerberos.c
-@@ -62,13 +62,17 @@ int kerberos_kinit_password(const char *
+@@ -58,17 +58,23 @@ kerb_prompter(krb5_context ctx, void *da
+ place in default cache location.
+ remus@snapserver.com
+ */
+-int kerberos_kinit_password(const char *principal,
++int kerberos_kinit_password_ext(const char *principal,
const char *password,
int time_offset,
time_t *expire_time,
@@ -337,6 +402,7 @@
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
++ BOOL add_netbios_addr,
+ time_t renewable_time)
{
krb5_context ctx = NULL;
@@ -345,10 +411,11 @@
krb5_principal me;
krb5_creds my_creds;
+ krb5_get_init_creds_opt opt;
++ smb_krb5_addresses *addr = NULL;
initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
-@@ -77,9 +81,11 @@ int kerberos_kinit_password(const char *
+@@ -77,9 +83,11 @@ int kerberos_kinit_password(const char *
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
@@ -363,7 +430,7 @@
krb5_free_context(ctx);
return code;
}
-@@ -88,10 +94,20 @@ int kerberos_kinit_password(const char *
+@@ -88,16 +96,43 @@ int kerberos_kinit_password(const char *
krb5_free_context(ctx);
return code;
}
@@ -374,18 +441,47 @@
+ if (request_pac) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
-+ krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
++ code = krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
++ if (code) {
++ krb5_free_principal(ctx, me);
++ krb5_free_context(ctx);
++ return code;
++ }
+#endif
+ }
+
++ if (add_netbios_addr) {
++ code = smb_krb5_gen_netbios_krb5_address(&addr);
++ if (code) {
++ krb5_free_principal(ctx, me);
++ krb5_free_context(ctx);
++ return code;
++ }
++ krb5_get_init_creds_opt_set_address_list(&opt, addr->addrs);
++ }
++
if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
kerb_prompter,
- NULL, 0, NULL, NULL))) {
+ NULL, 0, NULL, &opt))) {
++ smb_krb5_free_addresses(ctx, addr);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
-@@ -111,9 +127,14 @@ int kerberos_kinit_password(const char *
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, me))) {
++ smb_krb5_free_addresses(ctx, addr);
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+@@ -106,16 +141,23 @@ int kerberos_kinit_password(const char *
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ krb5_cc_close(ctx, cc);
++ smb_krb5_free_addresses(ctx, addr);
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
}
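Review bot: Every cleanup path now calls `smb_krb5_free_addresses(ctx, addr)` even when `add_netbios_addr` is False and `addr` is still NULL. Whether that helper tolerates a NULL argument is not visible in this hunk. Either state that contract at its declaration or guard the calls with `if (addr) smb_krb5_free_addresses(ctx, addr);`. The same free sequence is also repeated in each error branch, so a single cleanup label would make it harder to miss one when the next resource is added. The function starts and ends outside the hunk.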
@@ -401,26 +497,53 @@
+ }
krb5_cc_close(ctx, cc);
++ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
-@@ -157,7 +178,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+@@ -156,8 +198,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
+ return KRB5_LIBOS_CANTREADPWD;
}
- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
+- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
- &ads->auth.expire, NULL);
-+ &ads->auth.expire, NULL, NULL, False, ads->auth.renewable);
++ ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
++ &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
-@@ -349,7 +370,8 @@ static krb5_error_code get_service_ticke
+@@ -349,7 +391,8 @@ static krb5_error_code get_service_ticke
if (password == NULL) {
goto out;
}
- if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
-+ if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, NULL,
-+ LIBADS_CCACHE_NAME, False, 0)) != 0) {
++ if ((err = kerberos_kinit_password(machine_account, password,
++ 0, LIBADS_CCACHE_NAME)) != 0) {
DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
machine_account,
lp_realm(),
+@@ -780,4 +823,21 @@ BOOL kerberos_derive_cifs_salting_princi
+ }
+ return retval;
+ }
++
++int kerberos_kinit_password(const char *principal,
++ const char *password,
++ int time_offset,
++ const char *cache_name)
++{
++ return kerberos_kinit_password_ext(principal,
++ password,
++ time_offset,
++ 0,
++ 0,
++ cache_name,
++ False,
++ False,
++ 0);
++}
++
+ #endif
Index: source/libads/krb5_setpw.c
===================================================================
--- source/libads/krb5_setpw.c.orig
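Review bot: The new `kerberos_kinit_password()` wrapper passes `0, 0` in the fourth and fifth argument slots, which the other `kerberos_kinit_password_ext()` callers in this patch fill with pointers (`&ads->auth.expire, NULL`). Writing `NULL, NULL` there would make it clear these are unused output pointers and not numeric options. The wrapper also has no comment; something like `/* Plain kinit: no expiry or renewal times returned, no PAC request, no NetBIOS address, not renewable. */` above it would spare readers from decoding nine positional arguments.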
@@ -447,7 +570,7 @@
return (0);
}
-+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
++ krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
+{
+ switch(res_code) {
+ case KRB5_KPASSWD_ACCESSDENIED:
@@ -500,7 +623,7 @@
int ret;
- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) {
-+ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL, NULL, False, 0))) {
++ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
@@ -561,7 +684,7 @@
use_in_memory_ccache();
- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
-+ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0);
++ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL);
if (ret){
SAFE_FREE(principal);
@@ -646,7 +769,7 @@
DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
error_message(retval)));
goto failed;
-@@ -991,10 +994,154 @@ out:
+@@ -991,10 +994,261 @@ out:
#endif
}
@@ -793,6 +916,113 @@
+
+}
+
++ krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
++{
++ krb5_error_code ret = 0;
++ if (addr == NULL) {
++ return ret;
++ }
++#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
++ krb5_free_addresses(context, addr->addrs);
++#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
++ ret = krb5_free_addresses(context, addr->addrs);
++ SAFE_FREE(addr->addrs);
++#endif
++ SAFE_FREE(addr);
++ addr = NULL;
++ return ret;
++}
++
++ krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
++{
++ krb5_error_code ret = 0;
++ nstring buf;
++#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
++ krb5_address **addrs = NULL;
++#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
++ krb5_addresses *addrs = NULL;
++#endif
++
++ *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses));
++ if (*kerb_addr == NULL) {
++ return ENOMEM;
++ }
++
++ put_name(buf, global_myname(), ' ', 0x20);
++
++#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
++ {
++ int num_addr = 2;
++
++ addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr);
++ if (addrs == NULL) {
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ memset(addrs, 0, sizeof(krb5_address *) * num_addr);
++
++ addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
++ if (addrs[0] == NULL) {
++ SAFE_FREE(addrs);
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ addrs[0]->magic = KV5M_ADDRESS;
++ addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
++ addrs[0]->length = MAX_NETBIOSNAME_LEN;
++ addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
++ if (addrs[0]->contents == NULL) {
++ SAFE_FREE(addrs[0]);
++ SAFE_FREE(addrs);
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ memcpy(addrs[0]->contents, buf, addrs[0]->length);
++
++ addrs[1] = NULL;
++ }
++#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
++ {
++ addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
++ if (addrs == NULL) {
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ memset(addrs, 0, sizeof(krb5_addresses));
++
++ addrs->len = 1;
++ addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
++ if (addrs->val == NULL) {
++ SAFE_FREE(addrs);
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
++ addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
++ addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
++ if (addrs->val[0].address.data == NULL) {
++ SAFE_FREE(addrs->val);
++ SAFE_FREE(addrs);
++ SAFE_FREE(kerb_addr);
++ return ENOMEM;
++ }
++
++ memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
++ }
++#else
++#error UNKNOWN_KRB5_ADDRESS_FORMAT
++#endif
++ (*kerb_addr)->addrs = addrs;
++
++ return ret;
++}
++
++
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
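Review bot: Every ENOMEM path in `smb_krb5_gen_netbios_krb5_address()` calls `SAFE_FREE(kerb_addr)`, which releases the caller's out-parameter slot instead of the struct just allocated into `*kerb_addr`. The caller in kerberos.c passes `&addr`, the address of a local, so (assuming SAFE_FREE frees its argument and then NULLs it) these paths hand a stack address to free() and leak the struct. Each of the six sites, three in the MIT branch and three in the Heimdal branch, should read `SAFE_FREE(*kerb_addr);`. In `smb_krb5_free_addresses()` the trailing `addr = NULL;` only clears the by-value parameter, so callers still hold the freed pointer and must not reuse it.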
@@ -877,6 +1107,15 @@
TDBBACKUP_OBJ = tdb/tdbbackup.o tdb/tdbback.o $(SNPRINTF_OBJ) $(TDBBASE_OBJ)
TDBTOOL_OBJ = tdb/tdbtool.o $(TDBBASE_OBJ) $(SNPRINTF_OBJ)
+@@ -745,7 +754,7 @@ NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBS
+ libsmb/asn1.o libsmb/spnego.o libsmb/clikrb5.o libads/kerberos.o \
+ libads/kerberos_verify.o $(SECRETS_OBJ) $(SERVER_MUTEX_OBJ) \
+ libads/authdata.o $(RPC_PARSE_OBJ0) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
+- $(SMBLDAP_OBJ) $(DOSERR_OBJ) rpc_parse/parse_net.o
++ $(SMBLDAP_OBJ) $(DOSERR_OBJ) rpc_parse/parse_net.o $(LIBNMB_OBJ)
+
+ ######################################################################
+ # now the rules...
@@ -1211,7 +1220,7 @@ bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @B
nsswitch/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy
@echo "Linking $@"
@@ -4101,7 +4340,7 @@
return find_our_domain();
}
-@@ -181,9 +259,388 @@ static void set_auth_errors(struct winbi
+@@ -181,9 +259,389 @@ static void set_auth_errors(struct winbi
resp->data.auth.pam_error = nt_status_to_pam(result);
}
@@ -4339,14 +4578,15 @@
+ DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
+ }
+
-+ krb5_ret = kerberos_kinit_password(principal_s,
-+ state->request.data.auth.pass,
-+ time_offset,
-+ &ticket_lifetime,
-+ &renewal_until,
-+ cc,
-+ True,
-+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
++ krb5_ret = kerberos_kinit_password_ext(principal_s,
++ state->request.data.auth.pass,
++ time_offset,
++ &ticket_lifetime,
++ &renewal_until,
++ cc,
++ True,
++ True,
++ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+
+ if (krb5_ret) {
+ DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
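Review bot: The two adjacent `True, True` arguments in the `kerberos_kinit_password_ext()` call are indistinguishable at the call site, and swapping them would still compile. Labelling them the way the credential-cache caller labels its PAC flag would help, e.g. `True, /* request_pac */` and `True, /* add_netbios_addr */`. This matters here because the second flag decides whether the workstation's NetBIOS address is sent to the KDC in the login request.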
@@ -4492,7 +4732,7 @@
void winbindd_pam_auth(struct winbindd_cli_state *state)
{
-@@ -203,10 +660,19 @@ void winbindd_pam_auth(struct winbindd_c
+@@ -203,10 +661,19 @@ void winbindd_pam_auth(struct winbindd_c
/* Parse domain and username */
@@ -4515,7 +4755,7 @@
if (domain == NULL) {
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
-@@ -222,12 +688,226 @@ void winbindd_pam_auth(struct winbindd_c
+@@ -222,12 +689,226 @@ void winbindd_pam_auth(struct winbindd_c
sendto_domain(state, domain);
}
@@ -4746,7 +4986,7 @@
struct rpc_pipe_client *netlogon_pipe;
uchar chal[8];
DATA_BLOB lm_resp;
-@@ -236,17 +916,23 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -236,17 +917,23 @@ enum winbindd_result winbindd_dual_pam_a
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
struct winbindd_domain *contact_domain;
@@ -4776,7 +5016,7 @@
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
-@@ -332,7 +1018,7 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -332,7 +1019,7 @@ enum winbindd_result winbindd_dual_pam_a
do {
@@ -4785,7 +5025,7 @@
retry = False;
result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
-@@ -352,7 +1038,7 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -352,7 +1039,7 @@ enum winbindd_result winbindd_dual_pam_a
chal,
lm_resp,
nt_resp,
@@ -4794,7 +5034,7 @@
attempts += 1;
/* We have to try a second time as cm_connect_netlogon
-@@ -381,25 +1067,184 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -381,25 +1068,184 @@ enum winbindd_result winbindd_dual_pam_a
} while ( (attempts < 2) && retry );
@@ -4985,7 +5225,7 @@
result = NT_STATUS_NO_LOGON_SERVERS;
}
-@@ -439,8 +1284,8 @@ done:
+@@ -439,8 +1285,8 @@ done:
DOM_SID user_sid;
fstring sidstr;
@@ -4996,7 +5236,7 @@
sid_to_string(sidstr, &user_sid);
afsname = talloc_string_sub(state->mem_ctx, afsname,
"%s", sidstr);
-@@ -525,7 +1370,7 @@ void winbindd_pam_auth_crap(struct winbi
+@@ -525,7 +1371,7 @@ void winbindd_pam_auth_crap(struct winbi
}
if (domain_name != NULL)
@@ -5005,7 +5245,7 @@
if (domain != NULL) {
sendto_domain(state, domain);
-@@ -626,6 +1471,7 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -626,6 +1472,7 @@ enum winbindd_result winbindd_dual_pam_a
ZERO_STRUCT(info3);
retry = False;
@@ -5013,7 +5253,7 @@
result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
-@@ -675,6 +1521,7 @@ enum winbindd_result winbindd_dual_pam_a
+@@ -675,6 +1522,7 @@ enum winbindd_result winbindd_dual_pam_a
} while ( (attempts < 2) && retry );
if (NT_STATUS_IS_OK(result)) {
@@ -5021,7 +5261,7 @@
netsamlogon_cache_store(name_user, &info3);
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
-@@ -732,7 +1579,7 @@ done:
+@@ -732,7 +1580,7 @@ done:
/* give us a more useful (more correct?) error code */
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
@@ -5030,7 +5270,7 @@
result = NT_STATUS_NO_LOGON_SERVERS;
}
-@@ -763,12 +1610,16 @@ done:
+@@ -763,12 +1611,16 @@ done:
void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
{
@@ -5049,7 +5289,7 @@
DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
state->request.data.chauthtok.user));
-@@ -777,7 +1628,8 @@ void winbindd_pam_chauthtok(struct winbi
+@@ -777,7 +1629,8 @@ void winbindd_pam_chauthtok(struct winbi
parse_domain_user(state->request.data.chauthtok.user, domain, user);
@@ -5059,7 +5299,7 @@
DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
state->request.data.chauthtok.user, domain, user, domain));
result = NT_STATUS_NO_SUCH_USER;
-@@ -798,10 +1650,70 @@ void winbindd_pam_chauthtok(struct winbi
+@@ -798,10 +1651,70 @@ void winbindd_pam_chauthtok(struct winbi
goto done;
}
@@ -5133,7 +5373,7 @@
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
-@@ -814,8 +1726,114 @@ done:
+@@ -814,8 +1727,114 @@ done:
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
@@ -5695,7 +5935,7 @@
/* Only get a new TGT if username/password are given. */
if (username && password) {
- int ret = kerberos_kinit_password(username, password, 0, NULL, NULL);
-+ int ret = kerberos_kinit_password(username, password, 0, NULL, NULL, NULL, False, 0);
++ int ret = kerberos_kinit_password(username, password, 0, NULL);
if (ret) {
cli_rpc_pipe_close(result);
return NULL;
@@ -6130,12 +6370,13 @@
if (retval) {
-@@ -1191,12 +1191,12 @@ static BOOL manage_client_krb5_init(SPNE
+@@ -1190,13 +1190,12 @@ static BOOL manage_client_krb5_init(SPNE
+
pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
- if ((retval = kerberos_kinit_password(user, opt_password,
+- if ((retval = kerberos_kinit_password(user, opt_password,
- 0, NULL, NULL))) {
-+ 0, NULL, NULL, NULL, False, 0))) {
++ if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
return False;
}
@@ -6315,7 +6556,7 @@
===================================================================
--- /dev/null
+++ source/libads/krb5_errs.c
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,107 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Kerberos error mapping functions
@@ -6341,7 +6582,7 @@
+#ifdef HAVE_KRB5
+
+static const struct {
-+ long krb5_code;
++ krb5_error_code krb5_code;
+ NTSTATUS ntstatus;
+} krb5_to_nt_status_map[] = {
+ {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR},
@@ -6358,7 +6599,7 @@
+#endif
+ {25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */
+ {KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE},
-+ {KRB5KDC_ERR_POLICY, NT_STATUS_PASSWORD_RESTRICTION},
++ {KRB5KDC_ERR_POLICY, NT_STATUS_INVALID_WORKSTATION},
+ {KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE},
+ {KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED},
+ {KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
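Review bot: The new `KRB5KDC_ERR_POLICY` to `NT_STATUS_INVALID_WORKSTATION` entry has no comment saying why a generic KDC policy rejection is reported as a workstation restriction. Presumably it goes with the NetBIOS address that this patch now adds to the AS request, letting the KDC enforce logon-workstation limits. If so, the table should say it, e.g. `/* assumed: with a NetBIOS address in the request, KDC_ERR_POLICY means the workstation is not allowed */`. Any other policy rejection would then reach PAM as a workstation error too, which is worth confirming against the KDCs in use.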
@@ -6376,7 +6617,7 @@
+
+static const struct {
+ NTSTATUS ntstatus;
-+ long krb5_code;
++ krb5_error_code krb5_code;
+} nt_status_to_krb5_map[] = {
+ {NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED},
+ {NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH},
@@ -6386,7 +6627,7 @@
+/*****************************************************************************
+convert a KRB5 error to a NT status32 code
+ *****************************************************************************/
-+NTSTATUS krb5_to_nt_status(int kerberos_error)
++ NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error)
+{
+ int i;
+
@@ -6405,7 +6646,7 @@
+/*****************************************************************************
+convert an NT status32 code to a KRB5 error
+ *****************************************************************************/
-+int nt_status_to_krb5(NTSTATUS nt_status)
++ krb5_error_code nt_status_to_krb5(NTSTATUS nt_status)
+{
+ int i;
+
@@ -6421,38 +6662,13 @@
+ return KRB5KRB_ERR_GENERIC;
+}
+
-+#else
-+
-+/*****************************************************************************
-+convert a KRB5 error to a NT status32 code
-+ *****************************************************************************/
-+NTSTATUS krb5_to_nt_status(int kerberos_error)
-+{
-+ if (kerberos_error == 0) {
-+ return NT_STATUS_OK;
-+ }
-+
-+ return NT_STATUS_UNSUCCESSFUL;
-+}
-+
-+/*****************************************************************************
-+convert an NT status32 code to a KRB5 error
-+ *****************************************************************************/
-+int nt_status_to_krb5(NTSTATUS nt_status)
-+{
-+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) {
-+ return 0;
-+ }
-+ return -1; /* FIXME: what to return here ? */
-+}
-+
+#endif
+
Index: source/nsswitch/winbindd_cred_cache.c
===================================================================
--- /dev/null
+++ source/nsswitch/winbindd_cred_cache.c
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,271 @@
+/*
+ Unix SMB/CIFS implementation.
+
@@ -6560,14 +6776,15 @@
+
+ seteuid(entry->uid);
+
-+ ret = kerberos_kinit_password(entry->principal_name,
-+ entry->pass,
-+ 0, /* hm, can we do time correction here ? */
-+ &entry->refresh_time,
-+ &entry->renew_until,
-+ entry->ccname,
-+ False, /* no PAC required anymore */
-+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
++ ret = kerberos_kinit_password_ext(entry->principal_name,
++ entry->pass,
++ 0, /* hm, can we do time correction here ? */
++ &entry->refresh_time,
++ &entry->renew_until,
++ entry->ccname,
++ False, /* no PAC required anymore */
++ True,
++ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+ seteuid(0);
+
+ if (ret) {
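Review bot: The `seteuid(entry->uid)` before this call and the `seteuid(0)` after it are both unchecked. If the first fails, the kinit and the write to `entry->ccname` run with the effective uid the process already had, and if the second fails the process keeps running as the user. Guard the refresh with `if (seteuid(entry->uid) != 0)` and skip it on failure, and treat a failed `seteuid(0)` as fatal. The enclosing function starts and ends outside this hunk, so the right way to bail out is not visible here. The new `True` argument would also be easier to check with a trailing comment like the `False` above it, e.g. `True, /* add_netbios_addr */`.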
@@ -6976,3 +7193,16 @@
state->request.data.username));
request_error(state);
return;
+Index: source/libsmb/nmblib.c
+===================================================================
+--- source/libsmb/nmblib.c.orig
++++ source/libsmb/nmblib.c
+@@ -265,7 +265,7 @@ static int parse_nmb_name(char *inbuf,in
+ [15 bytes name + padding][1 byte name type].
+ ****************************************************************************/
+
+-static void put_name(char *dest, const char *name, int pad, unsigned int name_type)
++void put_name(char *dest, const char *name, int pad, unsigned int name_type)
+ {
+ size_t len = strlen(name);
+
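Review bot: Making `put_name()` non-static exposes a writer into `dest` that takes no length parameter, and the comment above it only describes the encoded layout. Now that there is a caller outside nmblib.c (the new clikrb5.c code passes an `nstring`), the comment should state the buffer contract, e.g. `/* dest must have room for the full 16-byte encoded name: 15 name bytes padded with 'pad', then name_type */`. The body continues outside this hunk, so whether an over-long `name` is truncated cannot be confirmed from here.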
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/suse/winbind-offline.diff new/patches/suse/winbind-offline.diff
--- old/patches/suse/winbind-offline.diff 2006-04-12 15:29:34.000000000 +0200
+++ new/patches/suse/winbind-offline.diff 2006-05-02 15:05:39.000000000 +0200
@@ -291,7 +291,7 @@
+ * This deals with transient offline states... */
+
if ( !domain->online &&
- ( !NT_STATUS_IS_OK(check_negative_conn_cache(domain->name, domain->dcname)) || wcache_server_down(domain) ) ) {
+ ( !NT_STATUS_IS_OK(check_negative_conn_cache(domain->name, domain->dcname))) ) {
DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
@@ -1830,8 +1845,9 @@ static BOOL init_wcache(void)
return True;
++++++ vendor-files.tar.bz2 ++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...