Age | Commit message (Collapse) | Author | Files | Lines |
|
lp_use_kerberos_keytab parameter.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
|
|
This is a sample for other accesses to pdb to go via samr. The goal is to
access passdb only via srv_samr_nt.c. If that is done, then we can easily swap
in another samr implementation like for example samba4's via a unix domain
socket.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
the Windows ACL type and flags if "map acl inherit" is set.
Jeremy.
|
|
This allows module implementors to customize what allocation size is
returned to the client.
|
|
Michael
|
|
This restores the pre e0232934fbf69a9e72de1d9844b14d70b34a2d6a
behavior.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
And use signal events for Linux oplocks.
metze
|
|
This the process_kernel_oplock() function never response to messages,
it only generates messages to ourself.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
We should behave the same in inetd, interactive and deamon modes.
metze
|
|
metze
|
|
The caller might have over-allocated reply->outbuf. Deal with that.
Sorry, Günther, for giving you so much pain ...
Volker
|
|
1) Add in smb_file_time struct to clarify code and make room for createtime.
2) Get and set create time from SMB messages.
3) Fixup existing VFS modules + examples Some OS'es allow for the
setting of the birthtime through kernel interfaces. This value is
generically used for Windows createtime, but is not settable in the
code today.
|
|
to ourselves unless that was passed in.
Jeremy.
|
|
ACLs.
If the chown succeeds then the ACL set should also. Ensure this is the case
(refactor some of this code to make it simpler to read also).
Jeremy.
|
|
Simo is completely correct. We should be doing the chown *first*, and fail the
ACL set if this fails. The long standing assumption I made when writing the
initial POSIX ACL code was that Windows didn't control who could chown a file
in the same was as POSIX. In POSIX only root can do this whereas I wasn't sure
who could do this in Windows at the time (I didn't understand the privilege
model). So the assumption was that setting the ACL was more important (early
tests showed many failed ACL set's due to inability to chown). But now we have
privileges in smbd, and we must always fail an ACL set when we can't chown
first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL
incoming are relative to the *new* owner, not the old one. This is why the old
user owner disappears on ACL set - their access was set via the USER_OBJ in the
creator POSIX ACL and when the ownership changes they lose their access.
Patch is simple - just ensure we do the chown first before evaluating the
incoming ACL re-read the owners. We already have code to do this it just wasn't
rigorously being applied.
Jeremy.
|
|
triggered now
metze
|
|
This converts the irix oplocks code to use a fd event
and removes the last special case for file descriptors
for the main sys_select().
metze
|
|
And always setup the fd events.
metze
|
|
|
|
|
|
np_open/read/write don't have to know about files_struct
|
|
This is a hack to fix races which happen with the RAW-RENAME and RAW-OPLOCK
tests. We should try to remove it later.
metze
|
|
We need to use CTDB_CONTROL_TCP_CLIENT instead of CTDB_CONTROL_TCP_ADD.
CTDB_CONTROL_TCP_CLIENT has support for 2 modes in newer ctdb versions:
- with struct ctdb_control_tcp it only supports ipv4.
- with struct ctdb_control_tcp_addr it supports ipv4 and ipv6.
You need new header files which defines struct ctdb_control_tcp_addr,
but at runtime it should be fine to work against older
ctdb versions (<= 1.0.68).
metze
|
|
|
|
|
|
This the global variable "orig_inbuf" in the old chain_reply code. This global
variable was one of the reasons why we had the silly restriction to not allow
async requests within a request chain.
|
|
Michael
|
|
version.h changes rather frequently. Since it is included via includes.h,
this means each C file will be a cache miss. This applies to the following
situations:
* When building a new package with a new Samba version
* building in a git branch after calling mkversion.sh
after a new commit (i.e. virtually always)
This patch improves the situation in the following way:
* remove inlude "version.h" from includes.h
* Use samba_version_string() instead of SAMBA_VERSION_STRING
in files that use no other macro from version.h instead of
SAMBA_VERSION_STRING.
* explicitly include "version.h" in those files that use more
macros from "version.h" than just SAMBA_VERSION_STRING.
Michael
|
|
Jeremy.
|
|
we might have to handle a short send by filling with zeros.
Jeremy.
|
|
Jeremy.
|
|
It is possible for a posix file created locally or over nfs to have a
":" in the name. Since ":" is a reserved character in windows,
filenames containing a colon must be mangled in a directory listing.
Right now files containing colons will not even be displayed in
directory listings if streams modules are in use. During the
directory listing the file will be detected as a stream because of the
colon, but the streams module will fail to find the stream since it
doesn't exist. This fix adds a step to is_ntfs_stream_name that stats
the filename to differentiate between actual streams and files
containing colons.
While this is an improvement, it isn't perfect. Consider the case
where there is a file on disk called "a.txt:s1" and also a file called
"a.txt" that has a stream called "s1". This patch will always
preference "a.txt:s1" over a.txt's s1 stream.
The real issue is that at the vfs level, the vfs modules have no way
to tell between a demangled name with a colon and an actual stream. A
more invasive, but better, long-term fix would be to add all paths
that come over the wire into a struct containing metadata about the
path. This metadata could include a flag to indicate whether the path
came over the wire with a colon ":" (guaranteeing that the client is
requesting a stream). Passing this struct down to the lower levels,
including all path-based vfs calls, would allow the above case to be
handled correctly in all cases.
|
|
|
|
|
|
The new create disposition test in smbtorture RAW-STREAMS verifies
this fix.
|