Hello community, here is the log from the commit of package samba checked in at Tue May 23 01:32:55 CEST 2006. -------- --- samba/samba.changes 2006-05-21 14:21:16.000000000 +0200 +++ samba/samba.changes 2006-05-22 23:54:26.000000000 +0200 @@ -2,6 +2 @@ -Sun May 21 14:13:44 CEST 2006 - lmuelle@suse.de - -- Set the groups membership first whilst we're still root; [#177114]. - -------------------------------------------------------------------- -Fri May 19 20:23:46 CEST 2006 - lmuelle@suse.de +Mon May 22 20:14:38 CEST 2006 - lmuelle@suse.de @@ -8,0 +4,5 @@ +- Optimize lookup of user's group memberships via ExtendedDn LDAP control; + [#168100]. +- Restart winbind if the hostname is modified by the DHCP client; [#169260]. +- Set the groups membership first whilst we're still root and use execve() + instead of execv() in get_printing_ticket; [#177114]. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ samba-doc.spec ++++++ --- /var/tmp/diff_new_pack.CCQsqz/_old 2006-05-23 01:23:49.000000000 +0200 +++ /var/tmp/diff_new_pack.CCQsqz/_new 2006-05-23 01:23:49.000000000 +0200 @@ -16,7 +16,7 @@ License: GPL URL: http://www.samba.org/ Version: 3.0.22 -Release: 22 +Release: 24 Summary: Samba Documentation Group: Documentation/Other Autoreqprov: on ++++++ samba.spec ++++++ --- /var/tmp/diff_new_pack.CCQsqz/_old 2006-05-23 01:23:49.000000000 +0200 +++ /var/tmp/diff_new_pack.CCQsqz/_new 2006-05-23 01:23:49.000000000 +0200 @@ -20,7 +20,7 @@ URL: http://www.samba.org/ Autoreqprov: on Version: 3.0.22 -Release: 14 +Release: 15 Provides: sambaxp = %{version}-%{release} samba3 = %{version}-%{release} Obsoletes: samba-classic samba-ldap sambaxp samba3 < %{version} Requires: samba-client >= %{version} @@ -165,7 +165,7 @@ Group: Productivity/Networking/Samba Autoreqprov: on Version: 1.34a -Release: 19 +Release: 20 Requires: perl-ldap %endif %if %{suse_version} > 920 
@@ -180,7 +180,7 @@ Group: Productivity/Networking/Samba Autoreqprov: on Version: 0.3.6b -Release: 43 +Release: 44 Provides: samba3-vscan = 0.3.6b Obsoletes: samba3-vscan Requires: samba = %{samba_ver} @@ -1229,9 +1229,12 @@ %endif %changelog -n samba -* Sun May 21 2006 - lmuelle@suse.de -- Set the groups membership first whilst we're still root; [#177114]. -* Fri May 19 2006 - lmuelle@suse.de +* Mon May 22 2006 - lmuelle@suse.de +- Optimize lookup of user's group memberships via ExtendedDn LDAP control; + [#168100]. +- Restart winbind if the hostname is modified by the DHCP client; [#169260]. +- Set the groups membership first whilst we're still root and use execve() + instead of execv() in get_printing_ticket; [#177114]. - Add samba-krb-printing sub package with get_printing_ticket wrapper binary; [#149698]. * Tue May 16 2006 - gd@suse.de ++++++ patches.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15306 new/patches/samba.org/15306 --- old/patches/samba.org/15306 1970-01-01 01:00:00.000000000 +0100 +++ new/patches/samba.org/15306 2006-05-22 17:31:03.000000000 +0200 
@@ -0,0 +1,135 @@ +------------------------------------------------------------------------ +r15306 | gd | 2006-04-28 16:48:22 +0200 (Fr, 28 Apr 2006) | 5 lines + +Be consistent between rpc and ads winbind backend: let the ads backend +query the samlogon cache first as well. + +Guenther + +------------------------------------------------------------------------ +Index: source/nsswitch/winbindd_ads.c +=================================================================== +--- source/nsswitch/winbindd_ads.c.orig ++++ source/nsswitch/winbindd_ads.c +@@ -624,6 +624,12 @@ static NTSTATUS lookup_usergroups(struct + DEBUG(3,("ads: lookup_usergroups\n")); + *p_num_groups = 0; + ++ status = lookup_usergroups_cached(domain, mem_ctx, sid, ++ p_num_groups, user_sids); ++ if (NT_STATUS_IS_OK(status)) { ++ return NT_STATUS_OK; ++ } ++ + ads = ads_cached_connection(domain); + + if (!ads) { +@@ -669,10 +675,12 @@ static NTSTATUS lookup_usergroups(struct + + /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ ++ + if (count == 0) { ++ + status = lookup_usergroups_alt(domain, mem_ctx, user_dn, +- &primary_group, +- &num_groups, user_sids); ++ &primary_group, ++ &num_groups, user_sids); + *p_num_groups = (uint32)num_groups; + return status; + } +Index: source/nsswitch/winbindd_util.c +=================================================================== +--- source/nsswitch/winbindd_util.c.orig ++++ source/nsswitch/winbindd_util.c +@@ -1211,3 +1211,49 @@ BOOL winbindd_upgrade_idmap(void) + + return idmap_convert(idmap_name); + } ++NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, ++ TALLOC_CTX *mem_ctx, ++ const DOM_SID *user_sid, ++ uint32 *p_num_groups, DOM_SID **user_sids) ++{ ++ NET_USER_INFO_3 *info3 = NULL; ++ NTSTATUS status = NT_STATUS_NO_MEMORY; ++ int i; ++ size_t num_groups = 0; ++ DOM_SID group_sid, primary_group; ++ ++ DEBUG(3,(": lookup_usergroups_cached\n")); ++ ++ *user_sids = NULL; ++ num_groups = 0; 
++ ++ info3 = netsamlogon_cache_get(mem_ctx, user_sid); ++ ++ if (info3 == NULL) { ++ return NT_STATUS_OBJECT_NAME_NOT_FOUND; ++ } ++ ++ if (info3->num_groups == 0) { ++ SAFE_FREE(info3); ++ return NT_STATUS_UNSUCCESSFUL; ++ } ++ ++ /* always add the primary group to the sid array */ ++ sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid); ++ ++ add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups); ++ ++ for (i=0; i<info3->num_groups; i++) { ++ sid_copy(&group_sid, &info3->dom_sid.sid); ++ sid_append_rid(&group_sid, info3->gids[i].g_rid); ++ ++ add_sid_to_array(mem_ctx, &group_sid, user_sids, ++ &num_groups); ++ } ++ ++ SAFE_FREE(info3); ++ *p_num_groups = num_groups; ++ status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; ++ ++ return status; ++} +Index: source/nsswitch/winbindd_rpc.c +=================================================================== +--- source/nsswitch/winbindd_rpc.c.orig ++++ source/nsswitch/winbindd_rpc.c +@@ -412,7 +412,6 @@ static NTSTATUS lookup_usergroups(struct + unsigned int i; + fstring sid_string; + uint32 user_rid; +- NET_USER_INFO_3 *user; + struct rpc_pipe_client *cli; + + DEBUG(3,("rpc: lookup_usergroups sid=%s\n", +@@ -425,23 +424,10 @@ static NTSTATUS lookup_usergroups(struct + *user_grpsids = NULL; + + /* so lets see if we have a cached user_info_3 */ +- +- if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) +- { +- DEBUG(5,("query_user: Cache lookup succeeded for %s\n", +- sid_string_static(user_sid))); +- +- *num_groups = user->num_groups; +- +- (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups); +- for (i=0;i<(*num_groups);i++) { +- sid_copy(&((*user_grpsids)[i]), &domain->sid); +- sid_append_rid(&((*user_grpsids)[i]), +- user->gids[i].g_rid); +- } +- +- SAFE_FREE(user); +- ++ result = lookup_usergroups_cached(domain, mem_ctx, user_sid, ++ num_groups, user_grpsids); ++ ++ if (NT_STATUS_IS_OK(result)) { + return NT_STATUS_OK; + } + diff -urN --exclude=CVS 
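Review bot: In the new lookup_usergroups_cached the SID that the comment calls the primary group is composed from `info3->user_rid`, which produces the user's own SID rather than the primary group; the info3 structure of this era carries a separate primary-group rid (`group_rid`), so confirm that `sid_compose(&primary_group, &info3->dom_sid.sid, info3->group_rid);` is what is intended, because this entry goes straight into the user's group token. The success test `status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;` checks the output-pointer parameter, which a caller never passes as NULL, rather than the array the add_sid_to_array calls allocate; `*user_sids != NULL` is the check that actually reports an allocation failure, and the same idiom is copied into lookup_usergroups_memberof in the 15698 patch further down. The loop index `int i` is compared with `info3->num_groups`, which is presumably unsigned; an unsigned or `size_t` index avoids the signed/unsigned comparison. The rpc-side hunk keeps `unsigned int i;` after removing the only loop visible here that used it; if nothing outside the hunk uses it any more it should go too.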
--exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15492 new/patches/samba.org/15492 --- old/patches/samba.org/15492 1970-01-01 01:00:00.000000000 +0100 +++ new/patches/samba.org/15492 2006-05-22 17:24:32.000000000 +0200 
@@ -0,0 +1,61 @@ +------------------------------------------------------------------------ +r15492 | abartlet | 2006-05-07 17:05:32 +0200 (So, 07 Mai 2006) | 10 lines + +Without this patch, the LDAP client libs will call abort() in +ldap_get_values_len, because they were handed a NULL msgs pointer, for +example in ads_pull_sid(). + +This occurs when the AD server fails at the connect stage. (The +toubled AD server is actually Samba4 in my example). + +Andrew Bartlett + + +------------------------------------------------------------------------ +Index: source/libads/ldap_utils.c +=================================================================== +--- source/libads/ldap_utils.c (Revision 15491) ++++ source/libads/ldap_utils.c (Revision 15492) +@@ -48,16 +48,17 @@ + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + +- while (count--) { +- *res = NULL; +- status = ads_do_search_all(ads, bp, scope, expr, attrs, res); +- if (ADS_ERR_OK(status)) { +- DEBUG(5,("Search for %s gave %d replies\n", +- expr, ads_count_replies(ads, *res))); +- SAFE_FREE(bp); +- return status; +- } ++ *res = NULL; ++ status = ads_do_search_all(ads, bp, scope, expr, attrs, res); ++ if (ADS_ERR_OK(status)) { ++ DEBUG(5,("Search for %s gave %d replies\n", ++ expr, ads_count_replies(ads, *res))); ++ SAFE_FREE(bp); ++ return status; ++ } + ++ while (--count) { ++ + if (*res) + ads_msgfree(ads, *res); + *res = NULL; +@@ -79,6 +80,15 @@ + SAFE_FREE(bp); + return status; + } ++ ++ *res = NULL; ++ status = ads_do_search_all(ads, bp, scope, expr, attrs, res); ++ if (ADS_ERR_OK(status)) { ++ DEBUG(5,("Search for %s gave %d replies\n", ++ expr, ads_count_replies(ads, *res))); ++ SAFE_FREE(bp); ++ return status; ++ } + } + SAFE_FREE(bp); + diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15698 new/patches/samba.org/15698 --- old/patches/samba.org/15698 1970-01-01 01:00:00.000000000 +0100 +++ new/patches/samba.org/15698 2006-05-22 17:48:50.000000000 +0200 
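Review bot: The search attempt (`*res = NULL;`, the ads_do_search_all call, the DEBUG and the `SAFE_FREE(bp); return status;` on success) now appears verbatim both before and at the bottom of the `while (--count)` loop; a small static helper that performs one attempt and reports success would keep the two copies from drifting apart. Because the `if (*res) ads_msgfree(ads, *res); *res = NULL;` cleanup sits at the top of the loop body, whatever the final failed attempt leaves in `*res` is neither released nor cleared when the loop exits on the count, so callers must decide on the returned status and not on `*res` being NULL; clearing it after the loop, `if (*res) { ads_msgfree(ads, *res); *res = NULL; }`, would make the failure contract uniform. The enclosing ads_do_search_retry begins and ends outside the quoted hunks.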
@@ -0,0 +1,639 @@ +------------------------------------------------------------------------ +r15698 | gd | 2006-05-18 21:34:25 +0200 (Do, 18 Mai 2006) | 24 lines + +An attempt to make the winbind lookup_usergroups() call in security=ads +more scalable: + +The most efficient way is to use the "tokenGroups" attribute which gives +the nested group membership. As this attribute can not always be +retrieved when binding with the machine account (the only garanteed way +to get the tokenGroups I could find is when the machine account is a +member of the "Pre Win2k Access" builtin group). + +Our current fallback when "tokenGroups" failed is looking for all groups +where the userdn was in the "member" attribute. This behaves not very +well in very large AD domains. + +The patch first tries the "memberOf" attribute on the user's dn in that +case and directly retrieves the group's sids by using the LDAP Extended +DN control from the user's object. + +The way to pass down the control to the ldap search call is rather +painfull and probably will be rearranged later on. + +Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. + +Guenther + +------------------------------------------------------------------------ +Index: source/nsswitch/winbindd_ads.c +=================================================================== +--- source/nsswitch/winbindd_ads.c.orig ++++ source/nsswitch/winbindd_ads.c +@@ -516,11 +516,11 @@ done: + + /* Lookup groups a user is a member of - alternate method, for when + tokenGroups are not available. 
*/ +-static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain, +- TALLOC_CTX *mem_ctx, +- const char *user_dn, +- DOM_SID *primary_group, +- size_t *p_num_groups, DOM_SID **user_sids) ++static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, ++ TALLOC_CTX *mem_ctx, ++ const char *user_dn, ++ DOM_SID *primary_group, ++ size_t *p_num_groups, DOM_SID **user_sids) + { + ADS_STATUS rc; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; +@@ -533,7 +533,7 @@ static NTSTATUS lookup_usergroups_alt(st + char *escaped_dn; + size_t num_groups = 0; + +- DEBUG(3,("ads: lookup_usergroups_alt\n")); ++ DEBUG(3,("ads: lookup_usergroups_member\n")); + + ads = ads_cached_connection(domain); + +@@ -547,9 +547,6 @@ static NTSTATUS lookup_usergroups_alt(st + goto done; + } + +- /* buggy server, no tokenGroups. Instead lookup what groups this user +- is a member of by DN search on member*/ +- + if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) { + DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn)); + SAFE_FREE(escaped_dn); +@@ -593,7 +590,7 @@ static NTSTATUS lookup_usergroups_alt(st + *p_num_groups = num_groups; + status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; + +- DEBUG(3,("ads lookup_usergroups (alt) for dn=%s\n", user_dn)); ++ DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); + done: + if (res) + ads_msgfree(ads, res); +@@ -601,6 +598,89 @@ done: + return status; + } + ++/* Lookup groups a user is a member of - alternate method, for when ++ tokenGroups are not available. 
*/ ++static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, ++ TALLOC_CTX *mem_ctx, ++ const char *user_dn, ++ DOM_SID *primary_group, ++ size_t *p_num_groups, DOM_SID **user_sids) ++{ ++ ADS_STATUS rc; ++ NTSTATUS status = NT_STATUS_UNSUCCESSFUL; ++ int count; ++ void *res = NULL; ++ ADS_STRUCT *ads; ++ const char *attrs[] = {"memberOf", NULL}; ++ size_t num_groups = 0; ++ DOM_SID *group_sids = NULL; ++ int i; ++ ++ DEBUG(3,("ads: lookup_usergroups_memberof\n")); ++ ++ ads = ads_cached_connection(domain); ++ ++ if (!ads) { ++ domain->last_status = NT_STATUS_SERVER_DISABLED; ++ goto done; ++ } ++ ++ rc = ads_search_retry_extended_dn(ads, &res, user_dn, attrs, ++ ADS_EXTENDED_DN_HEX_STRING); ++ ++ if (!ADS_ERR_OK(rc) || !res) { ++ DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n", ++ user_dn, ads_errstr(rc))); ++ return ads_ntstatus(rc); ++ } ++ ++ count = ads_count_replies(ads, res); ++ ++ if (count == 0) { ++ status = NT_STATUS_NO_SUCH_USER; ++ goto done; ++ } ++ ++ *user_sids = NULL; ++ num_groups = 0; ++ ++ /* always add the primary group to the sid array */ ++ add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups); ++ ++ count = ads_pull_sids_from_extendeddn(ads, mem_ctx, res, "memberOf", ++ ADS_EXTENDED_DN_HEX_STRING, ++ &group_sids); ++ if (count == 0) { ++ DEBUG(1,("No memberOf for this user?!?\n")); ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ for (i=0; i<count; i++) { ++ ++ /* ignore Builtin groups from ADS - Guenther */ ++ if (sid_check_is_in_builtin(&group_sids[i])) { ++ continue; ++ } ++ ++ add_sid_to_array(mem_ctx, &group_sids[i], user_sids, ++ &num_groups); ++ ++ } ++ ++ *p_num_groups = num_groups; ++ status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; ++ ++ DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn)); ++done: ++ TALLOC_FREE(group_sids); ++ if (res) ++ ads_msgfree(ads, res); ++ ++ return status; ++} ++ ++ + /* Lookup groups a user is a member of. 
*/ + static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, +@@ -676,13 +756,29 @@ static NTSTATUS lookup_usergroups(struct + /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ + ++ /* actually this only happens when the machine account has no read ++ * permissions on the tokenGroup attribute - gd */ ++ + if (count == 0) { + +- status = lookup_usergroups_alt(domain, mem_ctx, user_dn, +- &primary_group, +- &num_groups, user_sids); +- *p_num_groups = (uint32)num_groups; +- return status; ++ /* no tokenGroups */ ++ ++ /* lookup what groups this user is a member of by DN search on ++ * "memberOf" */ ++ ++ status = lookup_usergroups_memberof(domain, mem_ctx, user_dn, ++ &primary_group, ++ p_num_groups, user_sids); ++ if (NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ /* lookup what groups this user is a member of by DN search on ++ * "member" */ ++ ++ return lookup_usergroups_member(domain, mem_ctx, user_dn, ++ &primary_group, ++ p_num_groups, user_sids); + } + + *user_sids = NULL; +@@ -704,7 +800,7 @@ static NTSTATUS lookup_usergroups(struct + *p_num_groups = (uint32)num_groups; + status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; + +- DEBUG(3,("ads lookup_usergroups for sid=%s\n", ++ DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n", + sid_to_string(sid_string, sid))); + done: + return status; +Index: source/nsswitch/winbindd_util.c +=================================================================== +--- source/nsswitch/winbindd_util.c.orig ++++ source/nsswitch/winbindd_util.c +@@ -1226,6 +1226,7 @@ NTSTATUS lookup_usergroups_cached(struct + + *user_sids = NULL; + num_groups = 0; ++ *p_num_groups = 0; + + info3 = netsamlogon_cache_get(mem_ctx, user_sid); + +@@ -1254,6 +1255,8 @@ NTSTATUS lookup_usergroups_cached(struct + SAFE_FREE(info3); + *p_num_groups = num_groups; + status = (user_sids != NULL) ? 
NT_STATUS_OK : NT_STATUS_NO_MEMORY; +- ++ ++ DEBUG(3,(": lookup_usergroups_cached succeeded\n")); ++ + return status; + } +Index: source/include/ads.h +=================================================================== +--- source/include/ads.h.orig ++++ source/include/ads.h +@@ -92,6 +92,7 @@ typedef void **ADS_MODLIST; + #define ADS_NO_REFERRALS_OID "1.2.840.113556.1.4.1339" + #define ADS_SERVER_SORT_OID "1.2.840.113556.1.4.473" + #define ADS_PERMIT_MODIFY_OID "1.2.840.113556.1.4.1413" ++#define ADS_EXTENDED_DN_OID "1.2.840.113556.1.4.529" + + /* ldap attribute oids (Services for Unix) */ + #define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310" +@@ -264,3 +265,17 @@ typedef void **ADS_MODLIST; + + #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD" + #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD" ++ ++enum ads_extended_dn_flags { ++ ADS_EXTENDED_DN_HEX_STRING = 0, ++ ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */ ++}; ++ ++/* this is probably not very well suited to pass other controls generically but ++ * is good enough for the extended dn control where it is only used for atm */ ++ ++typedef struct { ++ const char *control; ++ int val; ++ int critical; ++} ads_control; +Index: source/libads/ldap_utils.c +=================================================================== +--- source/libads/ldap_utils.c.orig ++++ source/libads/ldap_utils.c +@@ -27,9 +27,9 @@ + a wrapper around ldap_search_s that retries depending on the error code + this is supposed to catch dropped connections and auto-reconnect + */ +-ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, +- const char *expr, +- const char **attrs, void **res) ++static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind_path, int scope, ++ const char *expr, ++ const char **attrs, void *args, void **res) + { + ADS_STATUS status = ADS_SUCCESS; + int count = 3; +@@ -49,7 +49,7 @@ ADS_STATUS 
ads_do_search_retry(ADS_STRUC + } + + *res = NULL; +- status = ads_do_search_all(ads, bp, scope, expr, attrs, res); ++ status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); + if (ADS_ERR_OK(status)) { + DEBUG(5,("Search for %s gave %d replies\n", + expr, ads_count_replies(ads, *res))); +@@ -82,7 +82,7 @@ ADS_STATUS ads_do_search_retry(ADS_STRUC + } + + *res = NULL; +- status = ads_do_search_all(ads, bp, scope, expr, attrs, res); ++ status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); + if (ADS_ERR_OK(status)) { + DEBUG(5,("Search for %s gave %d replies\n", + expr, ads_count_replies(ads, *res))); +@@ -99,6 +99,20 @@ ADS_STATUS ads_do_search_retry(ADS_STRUC + return status; + } + ++ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, ++ const char *expr, ++ const char **attrs, void **res) ++{ ++ return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, NULL, res); ++} ++ ++ADS_STATUS ads_do_search_retry_args(ADS_STRUCT *ads, const char *bind_path, int scope, ++ const char *expr, ++ const char **attrs, void *args, void **res) ++{ ++ return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, args, res); ++} ++ + + ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res, + const char *expr, +@@ -115,4 +129,19 @@ ADS_STATUS ads_search_retry_dn(ADS_STRUC + return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, res); + } ++ ++ADS_STATUS ads_search_retry_extended_dn(ADS_STRUCT *ads, void **res, ++ const char *dn, ++ const char **attrs, ++ enum ads_extended_dn_flags flags) ++{ ++ ads_control args; ++ ++ args.control = ADS_EXTENDED_DN_OID; ++ args.val = flags; ++ args.critical = True; ++ ++ return ads_do_search_retry_args(ads, dn, LDAP_SCOPE_BASE, ++ "(objectclass=*)", attrs, &args, res); ++} + #endif +Index: source/libads/ldap.c +=================================================================== +--- source/libads/ldap.c.orig ++++ source/libads/ldap.c +@@ 
-435,21 +435,25 @@ static char **ads_pull_strvals(TALLOC_CT + * @param cookie The paged results cookie to be returned on subsequent calls + * @return status of search + **/ +-ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path, +- int scope, const char *expr, +- const char **attrs, void **res, +- int *count, void **cookie) ++ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads, const char *bind_path, ++ int scope, const char *expr, ++ const char **attrs, void *args, void **res, ++ int *count, void **cookie) + { + int rc, i, version; + char *utf8_expr, *utf8_path, **search_attrs; +- LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols; ++ LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols; + BerElement *cookie_be = NULL; + struct berval *cookie_bv= NULL; ++ BerElement *extdn_be = NULL; ++ struct berval *extdn_bv= NULL; ++ + TALLOC_CTX *ctx; ++ ads_control *external_control = (ads_control *) args; + + *res = NULL; + +- if (!(ctx = talloc_init("ads_do_paged_search"))) ++ if (!(ctx = talloc_init("ads_do_paged_search_args"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + /* 0 means the conversion worked but the result was empty +@@ -499,10 +503,47 @@ ADS_STATUS ads_do_paged_search(ADS_STRUC + NoReferrals.ldctl_value.bv_len = 0; + NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, ""); + ++ if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) { ++ ++ ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control); ++ ExtendedDn.ldctl_iscritical = (char) external_control->critical; ++ ++ /* win2k does not accept a ldctl_value beeing passed in */ ++ ++ if (external_control->val != 0) { ++ ++ if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) { ++ rc = LDAP_NO_MEMORY; ++ goto done; ++ } ++ ++ if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) { ++ rc = LDAP_NO_MEMORY; ++ goto done; ++ } ++ if ((ber_flatten(extdn_be, &extdn_bv)) == -1) { ++ rc = 
LDAP_NO_MEMORY; ++ goto done; ++ } ++ ++ ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len; ++ ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val; ++ ++ } else { ++ ExtendedDn.ldctl_value.bv_len = 0; ++ ExtendedDn.ldctl_value.bv_val = CONST_DISCARD(char *, ""); ++ } + +- controls[0] = &NoReferrals; +- controls[1] = &PagedResults; +- controls[2] = NULL; ++ controls[0] = &NoReferrals; ++ controls[1] = &PagedResults; ++ controls[2] = &ExtendedDn; ++ controls[3] = NULL; ++ ++ } else { ++ controls[0] = &NoReferrals; ++ controls[1] = &PagedResults; ++ controls[2] = NULL; ++ } + + /* we need to disable referrals as the openldap libs don't + handle them and paged results at the same time. Using them +@@ -523,7 +564,7 @@ ADS_STATUS ads_do_paged_search(ADS_STRUC + ber_bvfree(cookie_bv); + + if (rc) { +- DEBUG(3,("ads_do_paged_search: ldap_search_with_timeout(%s) -> %s\n", expr, ++ DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr, + ldap_err2string(rc))); + goto done; + } +@@ -555,12 +596,29 @@ ADS_STATUS ads_do_paged_search(ADS_STRUC + + done: + talloc_destroy(ctx); ++ ++ if (extdn_be) { ++ ber_free(extdn_be, 1); ++ } ++ ++ if (extdn_bv) { ++ ber_bvfree(extdn_bv); ++ } ++ + /* if/when we decide to utf8-encode attrs, take out this next line */ + str_list_free(&search_attrs); + + return ADS_ERROR(rc); + } + ++ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path, ++ int scope, const char *expr, ++ const char **attrs, void **res, ++ int *count, void **cookie) ++{ ++ return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie); ++} ++ + + /** + * Get all results for a search. 
This uses ads_do_paged_search() to return +@@ -573,16 +631,16 @@ done: + * @param res ** which will contain results - free res* with ads_msgfree() + * @return status of search + **/ +-ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, +- int scope, const char *expr, +- const char **attrs, void **res) ++ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path, ++ int scope, const char *expr, ++ const char **attrs, void *args, void **res) + { + void *cookie = NULL; + int count = 0; + ADS_STATUS status; + + *res = NULL; +- status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res, ++ status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res, + &count, &cookie); + + if (!ADS_ERR_OK(status)) +@@ -594,8 +652,8 @@ ADS_STATUS ads_do_search_all(ADS_STRUCT + ADS_STATUS status2; + LDAPMessage *msg, *next; + +- status2 = ads_do_paged_search(ads, bind_path, scope, expr, +- attrs, &res2, &count, &cookie); ++ status2 = ads_do_paged_search_args(ads, bind_path, scope, expr, ++ attrs, args, &res2, &count, &cookie); + + if (!ADS_ERR_OK(status2)) break; + +@@ -616,6 +674,13 @@ ADS_STATUS ads_do_search_all(ADS_STRUCT + return status; + } + ++ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, ++ int scope, const char *expr, ++ const char **attrs, void **res) ++{ ++ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res); ++} ++ + /** + * Run a function on all results for a search. 
Uses ads_do_paged_search() and + * runs the function as each page is returned, using ads_process_results() +@@ -2701,4 +2766,127 @@ ADS_STATUS ads_workgroup_name(ADS_STRUCT + return ADS_SUCCESS; + } + ++/** ++ * pull a DOM_SID from an extended dn string ++ * @param mem_ctx TALLOC_CTX ++ * @param flags string type of extended_dn ++ * @param sid pointer to a DOM_SID ++ * @return boolean inidicating success ++ **/ ++BOOL ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, ++ const char *dn, ++ enum ads_extended_dn_flags flags, ++ DOM_SID *sid) ++{ ++ char *p, *q; ++ ++ if (!dn) { ++ return False; ++ } ++ ++ /* ++ * ADS_EXTENDED_DN_HEX_STRING: ++ * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de ++ * ++ * ADS_EXTENDED_DN_STRING (only with w2k3): ++ <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de ++ */ ++ ++ p = strchr(dn, ';'); ++ if (!p) { ++ return False; ++ } ++ ++ if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) { ++ return False; ++ } ++ ++ p += strlen(";<SID="); ++ ++ q = strchr(p, '>'); ++ if (!q) { ++ return False; ++ } ++ ++ *q = '\0'; ++ ++ DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p)); ++ ++ switch (flags) { ++ ++ case ADS_EXTENDED_DN_STRING: ++ if (!string_to_sid(sid, p)) { ++ return False; ++ } ++ break; ++ case ADS_EXTENDED_DN_HEX_STRING: { ++ pstring buf; ++ size_t buf_len; ++ ++ buf_len = strhex_to_str(buf, strlen(p), p); ++ if (buf_len == 0) { ++ return False; ++ } ++ ++ if (!sid_parse(buf, buf_len, sid)) { ++ DEBUG(10,("failed to parse sid\n")); ++ return False; ++ } ++ break; ++ } ++ default: ++ DEBUG(10,("unknown extended dn format\n")); ++ return False; ++ } ++ ++ return True; ++} ++ ++/** ++ * pull an array of DOM_SIDs from a ADS result ++ * @param ads connection to ads server ++ * @param mem_ctx TALLOC_CTX for allocating sid array ++ * 
@param msg Results of search ++ * @param field Attribute to retrieve ++ * @param flags string type of extended_dn ++ * @param sids pointer to sid array to allocate ++ * @return the count of SIDs pulled ++ **/ ++int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads, ++ TALLOC_CTX *mem_ctx, ++ void *msg, ++ const char *field, ++ enum ads_extended_dn_flags flags, ++ DOM_SID **sids) ++{ ++ int i; ++ size_t dn_count; ++ char **dn_strings; ++ ++ if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field, ++ &dn_count)) == NULL) { ++ return 0; ++ } ++ ++ (*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1); ++ if (!(*sids)) { ++ TALLOC_FREE(dn_strings); ++ return 0; ++ } ++ ++ for (i=0; i<dn_count; i++) { ++ ++ if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i], ++ flags, &(*sids)[i])) { ++ TALLOC_FREE(*sids); ++ TALLOC_FREE(dn_strings); ++ return 0; ++ } ++ } ++ ++ TALLOC_FREE(dn_strings); ++ ++ return dn_count; ++} ++ + #endif diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/samba.org/15822 new/patches/samba.org/15822 --- old/patches/samba.org/15822 1970-01-01 01:00:00.000000000 +0100 +++ new/patches/samba.org/15822 2006-05-22 22:44:16.000000000 +0200 
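Review bot: In the lookup_usergroups hunk of winbindd_ads.c the fallback now passes `p_num_groups` straight to lookup_usergroups_memberof and lookup_usergroups_member, which declare that parameter as `size_t *`, while the removed `*p_num_groups = (uint32)num_groups;` indicates lookup_usergroups itself receives a `uint32 *`; unless that parameter was widened somewhere not shown, this is an incompatible-pointer store that writes 8 bytes into a 4-byte object on LP64 builds, and the compiler should be warning about it. Keeping the local `size_t num_groups`, passing `&num_groups` to both helpers and assigning `*p_num_groups = (uint32)num_groups;` afterwards preserves the previous contract, as below. In ads_get_sid_from_extended_dn, `*q = '\0'` writes through a pointer derived from the `const char *dn` parameter and truncates the caller's string in place; copying the `<SID=…>` component, or restoring the byte before returning, would honour the declared const, and the doxygen block should gain `@param dn the extended dn string` since the `mem_ctx` it documents is not used. The same function hands `strlen(p)` of a server-supplied value together with a fixed `pstring buf` to strhex_to_str without checking that the hex string fits, so a guard such as `if (strlen(p) > 2 * sizeof(buf)) { return False; }` before the conversion is needed unless strhex_to_str bounds its output by the destination (not visible here). Finally, lookup_usergroups_memberof leaves with `return ads_ntstatus(rc);` when the search fails instead of `goto done`, so a non-NULL `res` from that failed search is never handed to ads_msgfree.
```c
	if (count == 0) {

		/* no tokenGroups: try "memberOf" on the user's dn first,
		 * then fall back to the "member" search */

		status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
						    &primary_group,
						    &num_groups, user_sids);
		if (!NT_STATUS_IS_OK(status)) {
			status = lookup_usergroups_member(domain, mem_ctx, user_dn,
							  &primary_group,
							  &num_groups, user_sids);
		}
		*p_num_groups = (uint32)num_groups;
		return status;
	}
	/* … unchanged: tokenGroups path … */
```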
@@ -0,0 +1,19 @@ +------------------------------------------------------------------------ +r15822 | lmuelle | 2006-05-22 22:35:55 +0200 (Mo, 22 Mai 2006) | 2 lines + +Add suggestion made by Ralf Haferkamp. + +------------------------------------------------------------------------ +Index: source/libads/ldap.c +=================================================================== +--- source/libads/ldap.c (Revision 15821) ++++ source/libads/ldap.c (Revision 15822) +@@ -531,7 +531,7 @@ + + } else { + ExtendedDn.ldctl_value.bv_len = 0; +- ExtendedDn.ldctl_value.bv_val = CONST_DISCARD(char *, ""); ++ ExtendedDn.ldctl_value.bv_val = NULL; + } + + controls[0] = &NoReferrals; diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/series new/patches/series --- old/patches/series 2006-05-19 21:06:17.000000000 +0200 +++ new/patches/series 2006-05-22 22:44:59.000000000 +0200 @@ -39,9 +39,13 @@ samba.org/15136 -p0 samba.org/15194 -p0 samba.org/15293 -p0 +samba.org/15306 -p0 samba.org/15438 -p0 samba.org/15460 -p0 +samba.org/15492 -p0 samba.org/15542 -p0 +samba.org/15698 -p0 +samba.org/15822 -p0 # SuSE specific changes # disabled -> WIP lmuelle diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/suse/samba3-pam_winbind.diff new/patches/suse/samba3-pam_winbind.diff --- old/patches/suse/samba3-pam_winbind.diff 2006-05-16 16:53:35.000000000 +0200 +++ new/patches/suse/samba3-pam_winbind.diff 2006-05-22 17:55:27.000000000 +0200 
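Review bot: Setting `bv_val = NULL` for the empty extended DN control value is now inconsistent with the neighbouring NoReferrals control, which still uses `CONST_DISCARD(char *, "")` with `bv_len = 0` for the same empty-value case a few lines above in ads_do_paged_search_args; either both should take the same form or a one-line comment should record why this control differs, e.g. `/* encode the control without a value: win2k rejects a present-but-empty one */` if that is the rationale behind the suggestion. The enclosing function begins and ends outside the hunk.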
@@ -123,14 +123,13 @@ #define ADS_SERVER_SORT_OID "1.2.840.113556.1.4.473" #define ADS_PERMIT_MODIFY_OID "1.2.840.113556.1.4.1413" +#define ADS_ASQ_OID "1.2.840.113556.1.4.1504" + #define ADS_EXTENDED_DN_OID "1.2.840.113556.1.4.529" /* ldap attribute oids (Services for Unix) */ - #define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310" -@@ -264,3 +266,19 @@ typedef void **ADS_MODLIST; - +@@ -266,6 +268,22 @@ typedef void **ADS_MODLIST; #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD" #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD" -+ + +#ifndef KRB5_ADDR_NETBIOS +#define KRB5_ADDR_NETBIOS 0x14 +#endif @@ -146,6 +145,10 @@ +#endif +} smb_krb5_addresses; +#endif ++ + enum ads_extended_dn_flags { + ADS_EXTENDED_DN_HEX_STRING = 0, + ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */ Index: source/include/doserr.h =================================================================== --- source/include/doserr.h.orig @@ -2840,7 +2843,7 @@ status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { extern struct winbindd_methods msrpc_methods, cache_methods; -@@ -889,8 +891,7 @@ static NTSTATUS trusted_domains(struct w +@@ -993,8 +995,7 @@ static NTSTATUS trusted_domains(struct w struct ds_domain_trust *domains = NULL; int count = 0; int i; @@ -2850,7 +2853,7 @@ struct rpc_pipe_client *cli; DEBUG(3,("ads: trusted_domains\n")); -@@ -963,6 +964,8 @@ struct winbindd_methods ads_methods = { +@@ -1067,6 +1068,8 @@ struct winbindd_methods ads_methods = { msrpc_lookup_useraliases, lookup_groupmem, sequence_number, @@ -5639,7 +5642,7 @@ =================================================================== --- source/nsswitch/winbindd_rpc.c.orig +++ source/nsswitch/winbindd_rpc.c -@@ -883,6 +883,71 @@ static NTSTATUS trusted_domains(struct w +@@ -869,6 +869,71 @@ static NTSTATUS trusted_domains(struct w return result; } 
@@ -5711,7 +5714,7 @@ /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { False, -@@ -896,5 +961,7 @@ struct winbindd_methods msrpc_methods = +@@ -882,5 +947,7 @@ struct winbindd_methods msrpc_methods = msrpc_lookup_useraliases, lookup_groupmem, sequence_number, diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/patches/suse/winbind-offline.diff new/patches/suse/winbind-offline.diff --- old/patches/suse/winbind-offline.diff 2006-05-02 15:05:39.000000000 +0200 +++ new/patches/suse/winbind-offline.diff 2006-05-22 17:56:01.000000000 +0200 @@ -293,7 +293,7 @@ if ( !domain->online && ( !NT_STATUS_IS_OK(check_negative_conn_cache(domain->name, domain->dcname))) ) { DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n", -@@ -1830,8 +1845,9 @@ static BOOL init_wcache(void) +@@ -1870,8 +1885,9 @@ static BOOL init_wcache(void) return True; /* when working offline we must not clear the cache on restart */ @@ -305,7 +305,7 @@ if (wcache->tdb == NULL) { DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); -@@ -2078,8 +2094,9 @@ void wcache_flush_cache(void) +@@ -2113,8 +2129,9 @@ void wcache_flush_cache(void) return; /* when working offline we must not clear the cache on restart */ @@ -317,7 +317,7 @@ if (!wcache->tdb) { DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); -@@ -2230,6 +2247,74 @@ done: +@@ -2265,6 +2282,74 @@ done: return status; } @@ -690,7 +690,7 @@ INSTALLCMD=@INSTALL@ INSTALLLIBCMD_SH=@INSTALLLIBCMD_SH@ -@@ -1202,7 +1203,7 @@ bin/librpc_echo.@SHLIBEXT@: $(RPC_ECHO_O +@@ -1204,7 +1205,7 @@ bin/librpc_echo.@SHLIBEXT@: $(RPC_ECHO_O bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @BUILD_POPT@ bin/.dummy @echo "Linking $@" @$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(WINBINDD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ @@ -711,7 +711,7 @@ # Set defaults PIE_CFLAGS="" -@@ -3529,6 +3530,8 @@ AC_ARG_WITH(automount, +@@ -3533,6 +3534,8 @@ AC_ARG_WITH(automount, AC_MSG_RESULT(no) ) 
@@ -724,9 +724,9 @@ =================================================================== --- source/nsswitch/winbindd.h.orig +++ source/nsswitch/winbindd.h -@@ -29,6 +29,10 @@ - - #include "winbindd_nss.h" +@@ -33,6 +33,10 @@ + #include <sys/mman.h> + #endif +#ifdef HAVE_LIBNSCD +#include "libnscd.h"
@@ -739,9 +739,9 @@ =================================================================== --- source/nsswitch/winbindd_util.c.orig +++ source/nsswitch/winbindd_util.c -@@ -1217,3 +1217,25 @@ BOOL winbindd_upgrade_idmap(void) +@@ -1266,3 +1266,25 @@ NTSTATUS lookup_usergroups_cached(struct - return idmap_convert(idmap_name); + return status; } + +void winbindd_flush_nscd_cache(void)
++++++ vendor-files.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/vendor-files/tools/get_printing_ticket.c new/vendor-files/tools/get_printing_ticket.c
--- old/vendor-files/tools/get_printing_ticket.c	2006-05-21 14:11:50.000000000 +0200
+++ new/vendor-files/tools/get_printing_ticket.c	2006-05-22 22:31:02.000000000 +0200
@@ -56,12 +56,14 @@
 	}
 #endif
+char *null_envp[] = { NULL };
+
 int main (int argc, char **argv)
 {
 	uid_t uid, LP_UID;
 	gid_t gid, LP_GID;
 	struct passwd *pw;
-	
+
 	/* Get uid and gid of user lp */
 	pw = getpwnam( "lp");
 	if (!pw) {
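Review bot: `char *null_envp[] = { NULL };` is a writable, externally visible global although only `main` in this file uses it (for the `execve` call in the following hunk); declare it `static char *const null_envp[] = { NULL };` so it matches `execve`'s `char *const envp[]` parameter, cannot be modified before the exec, and does not leak into the link namespace. The rest of this hunk is a whitespace-only line change. `main` continues beyond the hunk.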
@@ -136,10 +138,15 @@
 		return 1;
 	}
+	/* Clear the environment to ensure nothing can
+	   be loaded via LD_PRELOAD. Thanks to Sebastian Krahmer
+	   from the SuSE security Team for reviewing this. */
+	clearenv();
+
 	/*
 	 * We are now the requested user.
 	 * From cups arg[0] is the smb:// uri and smbspool expects this
 	 */
-	return execv ("/usr/bin/smbspool", argv);
+	return execve ("/usr/bin/smbspool", argv, null_envp);
 }
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/vendor-files/tools/samba-winbindd new/vendor-files/tools/samba-winbindd
--- old/vendor-files/tools/samba-winbindd	2006-04-23 13:39:15.000000000 +0200
+++ new/vendor-files/tools/samba-winbindd	2006-05-22 20:26:00.000000000 +0200
@@ -14,7 +14,7 @@
 # this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 # Place, Suite 330, Boston, MA 02111-1307 USA
 #
-# Author: Lars Mueller <lmuelle at samba dot org>
+# Author: Lars Mueller <lars at samba dot org>
 #
 # samba-winbindd
 #
@@ -59,6 +59,15 @@
 		log_msg=$( rcnmb start 2>&1)
 		log_dbg "${log_msg}"
 	fi
+	for configfile in dhcp "ifcfg-${configname}"; do
+		test -f "/etc/sysconfig/network/${configfile}" && \
+			. "/etc/sysconfig/network/${configfile}"
+	done
+	DHCLIENT_SET_HOSTNAME=$( echo "${DHCLIENT_SET_HOSTNAME}" | tr '[:upper:]' '[:lower:]')
+	if test "${DHCLIENT_SET_HOSTNAME}" != "no" && chkconfig -c winbind; then
+		log_msg=$( rcwinbind restart 2>&1)
+		log_dbg "${log_msg}"
+	fi
 	log_msg=$( smbcontrol winbindd online 2>&1)
 	log_dbg "${log_msg}"
 	;;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
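Review bot: `return execve ("/usr/bin/smbspool", argv, null_envp);` only returns when the exec has failed, so a missing or non-executable smbspool makes the wrapper exit with status 255 (the -1 return) and no diagnostic; replace the line with `execve ("/usr/bin/smbspool", argv, null_envp);` / `perror("execve");` / `return 1;`. The `clearenv()` call above adds nothing to the LD_PRELOAD guarantee, because the new image's environment comes solely from the `envp` argument of `execve`, so the comment crediting `clearenv()` with that protection is misleading; reword it, e.g. `/* execve() with null_envp starts smbspool with an empty environment, so LD_PRELOAD and friends cannot be inherited */`, and if `clearenv()` is kept as belt-and-braces note that it is a glibc extension rather than POSIX. `main` begins outside the hunk.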
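Review bot: `test "${DHCLIENT_SET_HOSTNAME}" != "no"` treats an unset or empty variable as "restart winbind", so if neither sysconfig file defines it the daemon is restarted on every interface event; if that default is intended, document it with `# unset DHCLIENT_SET_HOSTNAME is treated as "yes"` above the `if`, otherwise compare against `"yes"` instead. `${configname}` is not assigned within the hunk, so which `ifcfg-` file gets sourced depends on code outside it. Sourcing those files with `.` also imports every variable they define into this script's scope, which is presumably acceptable for root-owned sysconfig files but is worth a one-line comment.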