Index: head/net/samba34/Makefile =================================================================== --- head/net/samba34/Makefile (revision 256430) +++ head/net/samba34/Makefile (revision 256431) @@ -1,520 +1,520 @@ # New ports collection makefile for: samba34 # Date created: 1 May 2009 # Whom: timur@FreeBSD.org # # $FreeBSD$ # PORTNAME= samba34 -PORTVERSION= 3.4.5 -PORTREVISION?= 1 +PORTVERSION= 3.4.8 +PORTREVISION?= 0 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} MASTER_SITE_SUBDIR= . old-versions rc pre DISTNAME= ${PORTNAME:S|34$||}-${PORTVERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} MAINTAINER?= timur@FreeBSD.org COMMENT?= A free SMB and CIFS client and server for UNIX -CONFLICTS?= ja-samba-[23].* samba-[23].* sharity-light-1.* tdb-1.* +CONFLICTS?= ja-samba-[235].* samba-[235].* sharity-light-1.* tdb-1.* # Additional patches from Sernet.de PATCH_STRIP= -p1 EXTRA_PATCHES= ${PATCHDIR}/sernet.patch LATEST_LINK= ${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} EXAMPLESDIR= ${PREFIX}/share/examples/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX} PATCH_WRKSRC= ${WRKDIR}/${DISTNAME} WRKSRC= ${WRKDIR}/${DISTNAME}/source3 IPATHS= -I${WRKDIR}/${DISTNAME}/source3/m4 -I${WRKDIR}/${DISTNAME}/m4 -I${WRKDIR}/${DISTNAME}/lib/replace -I${WRKDIR}/${DISTNAME}/source4 AUTOHEADER_ARGS= ${IPATHS} AUTOCONF_ARGS= ${IPATHS} USE_GMAKE= yes USE_ICONV= yes GNU_CONFIGURE= yes USE_AUTOTOOLS= autoconf:262 autoheader:262 # directories VARDIR?= /var SAMBA_SPOOL?= ${VARDIR}/spool/${PORTNAME} SAMBA_LOGDIR= ${VARDIR}/log/${PORTNAME} SAMBA_RUNDIR= ${VARDIR}/run/${PORTNAME} SAMBA_LOCKDIR?= ${VARDIR}/db/${PORTNAME} SAMBA_CONFIG?= smb.conf SAMBA_CONFDIR?= ${PREFIX}/etc RC_DIR= ${PREFIX}/etc/rc.d SAMBA_SWATDIR= ${PREFIX}/share/swat SAMBA_LIBDIR= ${PREFIX}/lib SAMBA_MODULEDIR= ${SAMBA_LIBDIR}/${PORTNAME} SAMBA_INCLUDEDIR= ${PREFIX}/include/${PORTNAME} SAMBA_PRIVATEDIR?= ${SAMBA_CONFDIR}/${PORTNAME} CONFIGURE_ARGS+= --exec-prefix="${PREFIX}" \ --sysconfdir="${SAMBA_CONFDIR}" \ --with-configdir="${SAMBA_CONFDIR}" \ --includedir="${SAMBA_INCLUDEDIR}" \ --datadir="${DATADIR}" \ --with-swatdir="${SAMBA_SWATDIR}" \ --libdir="${SAMBA_LIBDIR}" \ --with-modulesdir="${SAMBA_MODULEDIR}" \ --with-pammodulesdir="${SAMBA_LIBDIR}" \ --localstatedir="${VARDIR}" \ --with-piddir="${SAMBA_RUNDIR}" \ --with-ncalrpcdir="${SAMBA_RUNDIR}/ncalrpc" \ --with-lockdir="${SAMBA_LOCKDIR}" \ --with-statedir="${SAMBA_LOCKDIR}" \ --with-cachedir="${SAMBA_LOCKDIR}" \ --with-privatedir="${SAMBA_PRIVATEDIR}" \ --with-logfilebase="${SAMBA_LOGDIR}" CPPFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib CONFIGURE_ENV+= CPPFLAGS="${CPPFLAGS}" LDFLAGS="${LDFLAGS}" # pkg-config is used to find talloc PKGCONFIGDIR?= ${PREFIX}/libdata/pkgconfig PKGCONFIGDIR_REL?= ${PKGCONFIGDIR:S|^${PREFIX}/||} PKG_CONFIG?= ${LOCALBASE}/bin/pkg-config CONFIGURE_ENV+= PKG_CONFIG="${PKG_CONFIG}" BUILD_DEPENDS+= ${PKG_CONFIG}:${PORTSDIR}/devel/pkg-config # Let process generate meaningful backtrace on a core dump LIB_DEPENDS+= execinfo.1:${PORTSDIR}/devel/libexecinfo # Always use external libtalloc LIB_DEPENDS+= talloc.2:${PORTSDIR}/devel/talloc CONFIGURE_ARGS+= --without-libtalloc --enable-external-libtalloc # These options are common for all (sub)ports CONFIGURE_ARGS+= --without-libtdb --with-libiconv="${LOCALBASE}" .if !defined(SAMBA_SUBPORT) OPTIONS= LDAP "With LDAP support" on \ ADS "With Active Directory support" off \ CUPS "With CUPS printing support" on \ WINBIND "With WinBIND support" on \ SWAT "With SWAT WebGUI" off \ ACL_SUPPORT "With ACL support" off \ AIO_SUPPORT "With Asyncronous IO support" off \ FAM_SUPPORT "With File Alteration Monitor" off \ SYSLOG "With Syslog support" off \ QUOTAS "With Disk quota support" off \ UTMP "With UTMP accounting support" off \ PAM_SMBPASS "With PAM authentication vs passdb backends" off \ DNSUPDATE "With dynamic DNS update(require ADS)" off \ AVAHI "With Bonjour service discovery support" off \ EXP_MODULES "With experimental modules" off \ POPT "With system-wide POPT library" on \ MAX_DEBUG "With maximum debugging" off \ SMBTORTURE "With smbtorture" off # !SAMBA_SUBPORT .endif .include # XXX .if ${OSVERSION} >= 701000 && ${OSVERSION} < 702000 IGNORE= databases/tdb crashes on FreeBSD 7.1. Please, consider upgrading to 7.2 or higher .endif .if defined(SAMBA_SUBPORT) # Switch off all extra functionality CONFIGURE_ARGS+= --disable-cups --disable-fam --without-winbind \ --without-syslog --without-quotas --without-utmp \ --without-pam --without-pam_smbpass \ --without-aio-support # Dirty hack to work around usage of OPTIONS in slave ports . if exists(${.CURDIR}/Makefile.inc) . include "${.CURDIR}/Makefile.inc" . endif .else # Samba server itself USE_RC_SUBR= samba SUB_FILES= pkg-install pkg-message pkg-deinstall smb.conf.sample PLIST= ${WRKDIR}/.PLIST # We don't (yet) have clustered FS for cluster support CONFIGURE_ARGS+= --with-pam --with-readline=/usr \ --with-included-iniparser \ --with-sendfile-support \ --enable-largefile \ --without-cluster-support \ --without-libsmbclient \ --without-libaddns \ --without-libnetapi \ --without-libsmbsharemodes .if !defined(WITHOUT_LDAP) SAMBA_WANT_LDAP= yes .endif .if !defined(WITHOUT_CUPS) LIB_DEPENDS+= cups.2:${PORTSDIR}/print/cups-client CONFIGURE_ARGS+= --enable-cups --enable-iprint SUB_LIST+= CUPS="" .else CONFIGURE_ARGS+= --disable-cups --disable-iprint SUB_LIST+= CUPS="@comment " .endif .if defined(WITH_MAX_DEBUG) CPPFLAGS+= -g LDFLAGS+= -g LIB_DEPENDS+= dmalloc.1:${PORTSDIR}/devel/dmalloc CONFIGURE_ARGS+= --enable-debug \ --enable-socket-wrapper --enable-nss-wrapper \ --enable-developer --enable-krb5developer \ --enable-dmalloc --with-profiling-data CONFIGURE_ARGS+= --with-smbtorture4-path=${WRKDIR}/${DISTNAME}/source4/torture .else CONFIGURE_ARGS+= --disable-debug \ --disable-socket-wrapper --disable-nss-wrapper \ --disable-developer --disable-krb5developer \ --disable-dmalloc --without-profiling-data .endif .if defined(WITH_SYSLOG) CONFIGURE_ARGS+= --with-syslog .else CONFIGURE_ARGS+= --without-syslog .endif .if defined(WITH_QUOTAS) CONFIGURE_ARGS+= --with-quotas .else CONFIGURE_ARGS+= --without-quotas .endif .if !defined(WITHOUT_UTMP) CONFIGURE_ARGS+= --with-utmp .else CONFIGURE_ARGS+= --without-utmp .endif .if !defined(WITHOUT_WINBIND) CONFIGURE_ARGS+= --with-winbind PLIST_SUB+= WINBIND="" SUB_LIST+= WINBIND="" .else CONFIGURE_ARGS+= --without-winbind PLIST_SUB+= WINBIND="@comment " SUB_LIST+= WINBIND="@comment " .endif .if !defined(WITHOUT_SWAT) CONFIGURE_ARGS+= --enable-swat PLIST_SUB+= SWAT="" .else CONFIGURE_ARGS+= --disable-swat PLIST_SUB+= SWAT="@comment " .endif # Add some shared modules .if defined(WITH_EXP_MODULES) . if !defined(WANT_EXP_MODULES) || empty(WANT_EXP_MODULES) WANT_EXP_MODULES= idmap_tdb2 idmap_ad idmap_adex idmap_hash idmap_rid \ charset_weird . if !defined(WITH_MAX_DEBUG) WANT_EXP_MODULES+= rpc_echo . endif WANT_EXP_MODULES+= vfs_cacheprime vfs_catia vfs_commit vfs_dirsort \ vfs_readahead vfs_streams_depot vfs_syncops . endif .endif .if defined(WITH_FAM_SUPPORT) USE_FAM= yes WANT_EXP_MODULES+= vfs_notify_fam CONFIGURE_ARGS+= --enable-fam .else CONFIGURE_ARGS+= --disable-fam .endif .if defined(WITH_ACL_SUPPORT) CONFIGURE_ARGS+= --with-acl-support .else CONFIGURE_ARGS+= --without-acl-support .endif .if defined(WITH_AIO_SUPPORT) .if ${OSVERSION} < 700055 IGNORE= an AIO support requires 7.0-RELEASE or later. Disable AIO support .endif CONFIGURE_ARGS+= --with-aio-support .else CONFIGURE_ARGS+= --without-aio-support .endif .if defined(WITH_PAM_SMBPASS) CONFIGURE_ARGS+= --with-pam_smbpass PLIST_SUB+= SMBPASS="" .else CONFIGURE_ARGS+= --without-pam_smbpass PLIST_SUB+= SMBPASS="@comment " .endif .if defined(WITH_DNSUPDATE) . if !defined(WITH_ADS) IGNORE= dynamic DNS updates require ADS support. Disable DNSUPDATE support . endif LIB_DEPENDS+= uuid.1:${PORTSDIR}/misc/e2fsprogs-libuuid CONFIGURE_ARGS+= --with-dnsupdate .else CONFIGURE_ARGS+= --without-dnsupdate .endif .if defined(WITH_AVAHI) CPPFLAGS+= `${PKG_CONFIG} --cflags avahi-client` DNSSD_LIBS= `${PKG_CONFIG} --libs avahi-client` LIB_DEPENDS+= avahi-client.3:${PORTSDIR}/net/avahi-app CONFIGURE_ARGS+= --enable-avahi .else CONFIGURE_ARGS+= --disable-avahi .endif .if !defined(WITHOUT_POPT) LIB_DEPENDS+= popt.0:${PORTSDIR}/devel/popt CONFIGURE_ARGS+= --without-included-popt .else CONFIGURE_ARGS+= --with-included-popt .endif .if defined(WITH_SMBTORTURE) PLIST_SUB+= SMBTORTURE="" .else PLIST_SUB+= SMBTORTURE="@comment " .endif # !SAMBA_SUBPORT .endif ### ### Common part for port and it's subports ### .if defined(WITH_ADS) SAMBA_WANT_LDAP= yes SAMBA_WANT_KRB5= yes CONFIGURE_ARGS+= --with-ads .else CONFIGURE_ARGS+= --without-ads .endif # Kerberos5 is necessary for ADS .if defined(SAMBA_WANT_KRB5) .if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.so) CONFIGURE_ARGS+= --with-krb5="${KRB5_HOME}" .elif defined(HEIMDAL_HOME) && exists(${HEIMDAL_HOME}/lib/libgssapi.so) CONFIGURE_ARGS+= --with-krb5="${HEIMDAL_HOME}" .elif exists(/usr/lib/libkrb5.so) && exists(/usr/bin/krb5-config) CONFIGURE_ARGS+= --with-krb5="/usr" .else LIB_DEPENDS+= krb5:${PORTSDIR}/security/heimdal CONFIGURE_ARGS+= --with-krb5="${LOCALBASE}" .endif .else CONFIGURE_ARGS+= --without-krb5 .endif .if defined(SAMBA_WANT_LDAP) USE_OPENLDAP= yes CONFIGURE_ARGS+= --with-ldap .else CONFIGURE_ARGS+= --without-ldap .endif .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES) CONFIGURE_ARGS+= --with-shared-modules="${WANT_EXP_MODULES:Q:C/(\\\\ )+/,/g}" .endif .include post-patch: @${REINPLACE_CMD} -e 's|%%SAMBA_CONFIG%%|${SAMBA_CONFIG}|g' \ ${WRKSRC}/Makefile.in ### ### end of common part ### .if !defined(SAMBA_SUBPORT) # Samba server only MAN1= findsmb.1 \ ldbadd.1 ldbdel.1 ldbedit.1 ldbmodify.1 ldbrename.1 ldbsearch.1 \ log2pcap.1 nmblookup.1 ntlm_auth.1 profiles.1 rpcclient.1 \ sharesec.1 smbcacls.1 smbclient.1 smbcontrol.1 smbcquotas.1 \ smbget.1 smbstatus.1 smbtar.1 smbtree.1 testparm.1 vfstest.1 MAN3= ldb.3 MAN5= lmhosts.5 smb.conf.5 smbgetrc.5 smbpasswd.5 MAN7= samba.7 MAN8= eventlogadm.8 net.8 nmbd.8 pdbedit.8 smbd.8 smbpasswd.8 \ smbspool.8 tdbbackup.8 tdbdump.8 tdbtool.8 \ idmap_nss.8 idmap_tdb.8 idmap_tdb2.8 \ vfs_acl_tdb.8 vfs_acl_xattr.8 \ vfs_audit.8 vfs_cap.8 vfs_default_quota.8 vfs_extd_audit.8 \ vfs_fake_perms.8 vfs_full_audit.8 vfs_netatalk.8 \ vfs_preopen.8 \ vfs_readahead.8 vfs_readonly.8 vfs_recycle.8 vfs_shadow_copy.8 \ vfs_shadow_copy2.8 vfs_smb_traffic_analyzer.8 \ vfs_streams_xattr.8 vfs_xattr_tdb.8 .if !defined(WITHOUT_WINBIND) MAN1+= wbinfo.1 MAN7+= winbind_krb5_locator.7 MAN8+= pam_winbind.8 winbindd.8 .endif .if !defined(WITHOUT_SWAT) MAN8+= swat.8 .endif .if defined(WITH_FAM_SUPPORT) MAN8+= vfs_notify_fam.8 .endif .if defined(SAMBA_WANT_LDAP) MAN8+= idmap_ldap.8 .endif .if !empty(WANT_EXP_MODULES:Midmap_ad) MAN8+= idmap_ad.8 .endif .if !empty(WANT_EXP_MODULES:Midmap_adex) MAN8+= idmap_adex.8 .endif .if !empty(WANT_EXP_MODULES:Midmap_hash) MAN8+= idmap_hash.8 .endif .if !empty(WANT_EXP_MODULES:Midmap_rid) MAN8+= idmap_rid.8 .endif .if !empty(WANT_EXP_MODULES:Mvfs_cacheprime) MAN8+= vfs_cacheprime.8 .endif .if !empty(WANT_EXP_MODULES:Mvfs_catia) MAN8+= vfs_catia.8 .endif .if !empty(WANT_EXP_MODULES:Mvfs_commit) MAN8+= vfs_commit.8 .endif .if !empty(WANT_EXP_MODULES:Mvfs_dirsort) MAN8+= vfs_dirsort.8 .endif .if !empty(WANT_EXP_MODULES:Mvfs_streams_depot) MAN8+= vfs_streams_depot.8 .endif SAMBA_SUB= SAMBA_LOGDIR="${SAMBA_LOGDIR}" \ SAMBA_LOCKDIR="${SAMBA_LOCKDIR}" \ SAMBA_CONFDIR="${SAMBA_CONFDIR}" \ SAMBA_CONFIG="${SAMBA_CONFIG}" \ SAMBA_RUNDIR="${SAMBA_RUNDIR}" \ SAMBA_SWATDIR="${SAMBA_SWATDIR}" \ SAMBA_SPOOL="${SAMBA_SPOOL}" \ SAMBA_PRIVATEDIR="${SAMBA_PRIVATEDIR}" \ PKGCONFIGDIR="${PKGCONFIGDIR_REL}" PLIST_SUB+= ${SAMBA_SUB} SUB_LIST+= ${SAMBA_SUB} ALL_TARGET= all .if defined(WITH_SMBTORTURE) ALL_TARGET+= smbtorture .endif # What will be installed INSTALL_TARGET= installservers installbin installscripts installdat \ installmodules installlibs .if !defined(WITHOUT_SWAT) INSTALL_TARGET+=installswat .endif .if defined(OPTIONS) pre-fetch: @${ECHO_MSG} "===> -------------------------------------------" @${ECHO_MSG} "===> Run 'make config' to (re)configure the port" @${ECHO_MSG} "===> -------------------------------------------" .endif pre-configure: @${FIND} ${WRKDIR}/${DISTNAME} -type d | ${XARGS} ${CHMOD} u+w,a+rx @${FIND} ${WRKDIR}/${DISTNAME} -type f | ${XARGS} ${CHMOD} u+w,a+r post-configure: # It's in another port @${RM} -f ${WRKDIR}/${DISTNAME}/docs/htmldocs/manpages/libsmbclient.7.html @${RM} -rf ${WRKDIR}/${DISTNAME}/examples/libsmbclient # This would speedup compilation .if !defined(WITHOUT_PCH) pre-build: cd ${WRKSRC} && ${MAKE} pch .endif pre-install: -@${FIND} "${SAMBA_MODULEDIR}" -type f -o -type l 2>/dev/null | ${SORT} | ${SED} -E 's|^${PREFIX}/?||;' > ${WRKDIR}/.PLIST.exclude @${CAT} ${PKGDIR}/pkg-plist > ${PLIST} .if !defined(WITHOUT_SWAT) @${CAT} ${PKGDIR}/pkg-plist.swat >> ${PLIST} .endif post-install: .for sect in 1 3 5 7 8 @${MKDIR} ${MAN${sect}PREFIX}/man/man${sect} . for man in ${MAN${sect}} @${INSTALL_MAN} "${WRKDIR}/${DISTNAME}/docs/manpages/${man}" "${MAN${sect}PREFIX}/man/man${sect}" . endfor .endfor # Put examples in place @${MKDIR} "${EXAMPLESDIR}" @${CP} -Rp ${WRKDIR}/${DISTNAME}/examples/* "${EXAMPLESDIR}" .if defined(WITH_PAM_SMBPASS) @${MKDIR} "${EXAMPLESDIR}/pam_smbpass" @${CP} -Rp ${WRKSRC}/pam_smbpass/samples/* "${EXAMPLESDIR}/pam_smbpass" .endif ${INSTALL_DATA} "${WRKDIR}/smb.conf.sample" "${EXAMPLESDIR}/${SAMBA_CONFIG}.sample" ${INSTALL_SCRIPT} "${WRKSRC}/script/mksmbpasswd.sh" "${PREFIX}/bin/make_smbpasswd" # Winbind .if !defined(WITHOUT_WINBIND) ${INSTALL_PROGRAM} "${WRKDIR}/${DISTNAME}/nsswitch/nss_winbind.so" "${SAMBA_LIBDIR}/nss_winbind.so.1" ${INSTALL_PROGRAM} "${WRKDIR}/${DISTNAME}/nsswitch/nss_wins.so" "${SAMBA_LIBDIR}/nss_wins.so.1" ${INSTALL_PROGRAM} "${WRKSRC}/bin/pam_winbind.so" "${SAMBA_LIBDIR}" .endif .if defined(WITH_PAM_SMBPASS) ${INSTALL_PROGRAM} "${WRKSRC}/bin/pam_smbpass.so" "${SAMBA_LIBDIR}" .endif # smbtorture .if defined(WITH_SMBTORTURE) ${INSTALL_PROGRAM} "${WRKSRC}/bin/smbtorture" "${PREFIX}/bin" .endif # Lib @${FIND} "${SAMBA_MODULEDIR}" -type f -o -type l | ${SED} -E 's|^${PREFIX}/?||;' | ${EGREP} -F -v -f ${WRKDIR}/.PLIST.exclude | ${SORT} >> ${TMPPLIST} @for d in `${FIND} "${SAMBA_MODULEDIR}" -type d | ${SORT} -r`; do \ ${ECHO_CMD} "@unexec ${RMDIR} \"$$d\" 2>/dev/null || true" >> ${TMPPLIST}; \ done # Documentation .if !defined(NOPORTDOCS) @${MKDIR} ${DOCSDIR} @${CP} -Rp "${WRKDIR}/${DISTNAME}/docs/registry" "${DOCSDIR}" . for f in Samba3-ByExample.pdf Samba3-HOWTO.pdf Samba3-Developers-Guide.pdf @${INSTALL_DATA} "${WRKDIR}/${DISTNAME}/docs/${f}" "${DOCSDIR}" . endfor . for f in README COPYING MAINTAINERS PFIF.txt Manifest Roadmap \ WHATSNEW.txt docs/THANKS docs/history @${INSTALL_DATA} "${WRKDIR}/${DISTNAME}/${f}" "${DOCSDIR}" . endfor @${INSTALL_DATA} "${FILESDIR}/README.FreeBSD" "${DOCSDIR}" # !NOPORTDOCS .endif # Run post-install script @${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL @${CAT} ${PKGMESSAGE} .if defined(WITH_MAX_DEBUG) test: (cd ${WRKSRC} && ${GMAKE} test_nss_modules test_pam_modules && ${GMAKE} test) .endif # !SAMBA_SUBPORT .endif .include Property changes on: head/net/samba34/Makefile ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/net/samba34/distinfo =================================================================== --- head/net/samba34/distinfo (revision 256430) +++ head/net/samba34/distinfo (revision 256431) @@ -1,3 +1,3 @@ -MD5 (samba-3.4.5.tar.gz) = 8e8a484782f2b7716b6c6bd9a7d2bf71 -SHA256 (samba-3.4.5.tar.gz) = 7e4ead58a7c1c0dd1811d6f1df22c6ecf7a1dabf0e46ea7f20a6da9cd457d1ca -SIZE (samba-3.4.5.tar.gz) = 35377777 +MD5 (samba-3.4.8.tar.gz) = fe1f6c77be289fd65e19419c1bcaa42c +SHA256 (samba-3.4.8.tar.gz) = 5237bc7a32e0eafd70b78c9cd6735e46dbad0c6f9794f50476b50dd1b43752d6 +SIZE (samba-3.4.8.tar.gz) = 34851288 Property changes on: head/net/samba34/distinfo ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.1 \ No newline at end of property +1.2 \ No newline at end of property Index: head/net/samba34/files/patch-source3__Makefile.in =================================================================== --- head/net/samba34/files/patch-source3__Makefile.in (revision 256430) +++ head/net/samba34/files/patch-source3__Makefile.in (revision 256431) @@ -1,56 +1,113 @@ ---- ./source3/Makefile.in.orig 2010-01-18 12:38:09.000000000 +0100 -+++ ./source3/Makefile.in 2010-01-22 02:42:51.000000000 +0100 -@@ -851,6 +851,7 @@ - PAM_WINBIND_OBJ = ../nsswitch/pam_winbind.o localedir.o $(WBCOMMON_OBJ) \ +--- ./source3/Makefile.in.orig 2010-05-10 14:58:53.000000000 +0200 ++++ ./source3/Makefile.in 2010-06-10 17:59:21.000000000 +0200 +@@ -132,7 +132,7 @@ + # These can be overridden by command line switches (see smbd(8)) + # or in smb.conf (see smb.conf(5)) + LOGFILEBASE = @logfilebase@ +-CONFIGFILE = $(CONFIGDIR)/smb.conf ++CONFIGFILE = $(CONFIGDIR)/%%SAMBA_CONFIG%% + LMHOSTSFILE = $(CONFIGDIR)/lmhosts + NCALRPCDIR = @ncalrpcdir@ + +@@ -848,9 +848,11 @@ + $(LIBADS_OBJ) $(POPT_LIB_OBJ) \ + $(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(LDB_OBJ) + +-PAM_WINBIND_OBJ = ../nsswitch/pam_winbind.o localedir.o $(WBCOMMON_OBJ) \ ++PAM_WINBIND_OBJ = ../nsswitch/pam_winbind.o localedir.o \ ++ @LIBTALLOC_STATIC@ @LIBWBCLIENT_STATIC@ \ $(LIBREPLACE_OBJ) @BUILD_INIPARSER@ + LIBSMBCLIENT_OBJ0 = \ libsmb/libsmb_cache.o \ libsmb/libsmb_compat.o \ -@@ -1028,7 +1029,7 @@ +@@ -1028,7 +1030,7 @@ $(LIBSAMBA_OBJ) \ $(POPT_LIB_OBJ) -TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \ +TALLOCTORT_OBJ = ../lib/talloc/testsuite.o ../lib/talloc/testsuite_main.o \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSAMBA_OBJ) REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \ -@@ -1281,6 +1282,7 @@ +@@ -1044,9 +1046,9 @@ + $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \ + $(LIBNDR_GEN_OBJ0) +-WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \ +- $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) $(NSSWINS_OBJ) $(KRBCLIENT_OBJ) \ +- $(LIBNDR_GEN_OBJ0) $(LDB_OBJ) ++WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o @WINBIND_WINS_NSS_EXTRA_OBJS@ \ ++ $(PARAM_OBJ) $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) $(NSSWINS_OBJ) \ ++ $(KRBCLIENT_OBJ) $(LIBNDR_GEN_OBJ0) $(LDB_OBJ) + + PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \ + pam_smbpass/pam_smb_acct.o pam_smbpass/support.o +@@ -1281,6 +1283,7 @@ + .SUFFIXES: .SUFFIXES: .c .o .lo +.SUFFIXES: .h .h.gch .PHONY: showflags SHOWFLAGS -@@ -1342,6 +1344,9 @@ +@@ -1342,6 +1345,12 @@ $(COMPILE_CC) >/dev/null 2>&1 @BROKEN_CC@ -mv `echo $@ | sed 's%^.*/%%g'` $@ +.h.h.gch: + @echo Compiling $*.h + ++.h.h.gch: ++ @echo Compiling $*.h ++ PRECOMPILED_HEADER = $(builddir)/include/includes.h.gch # this adds support for precompiled headers. To use it, install a snapshot -@@ -2705,7 +2710,8 @@ +@@ -2388,14 +2397,15 @@ + $(LDAP_LIBS) $(KRB5LIBS) $(LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) \ + $(ZLIB_LIBS) @SONAMEFLAG@`basename $@`@NSSSONAMEVERSIONSUFFIX@ + +-bin/winbind_krb5_locator.@SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) @LIBWBCLIENT_TARGET@ ++bin/winbind_krb5_locator.@SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) @LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ + @echo "Linking $@" +- @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) $(KRB5LIBS) \ ++ @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBTALLOC_LIBS) $(LIBWBCLIENT_LIBS) $(KRB5LIBS) \ + @SONAMEFLAG@`basename $@` + + bin/pam_winbind.@SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ @echo "Linking shared library $@" + @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -lpam @INIPARSERLIBS@ \ ++ $(LIBS) $(LDAP_LIBS) $(KRB5LIBS) $(NSCD_LIBS) \ + $(PAM_WINBIND_EXTRA_LIBS) $(LIBTALLOC_LIBS) $(LIBWBCLIENT_LIBS) @SONAMEFLAG@`basename $@` + + bin/builtin.@SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_BUILTIN_OBJ) +@@ -2571,7 +2581,7 @@ + + bin/zfsacl.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_ZFSACL_OBJ) + @echo "Building plugin $@" +- @$(SHLD_MODULE) $(VFS_ZFSACL_OBJ) ++ @$(SHLD_MODULE) $(VFS_ZFSACL_OBJ) $(ACL_LIBS) + + bin/irixacl.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_IRIXACL_OBJ) + @echo "Building plugin $@" +@@ -2705,7 +2715,8 @@ + @echo "Linking shared library $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_OBJ) -lpam $(DYNEXP) \ $(LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \ - $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) + $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) \ + @SONAMEFLAG@`basename $@` bin/tdbbackup@EXEEXT@: $(BINARY_PREREQS) $(TDBBACKUP_OBJ) @LIBTALLOC_TARGET@ @LIBTDB_TARGET@ @echo Linking $@ -@@ -3028,7 +3034,7 @@ +@@ -3028,7 +3039,7 @@ @$(LIB_PATH_VAR)=./bin && \ export $(LIB_PATH_VAR) && \ for module in $(PAM_MODULES); do \ - ./script/tests/dlopen.sh -lpam -ldl bin/$${module}.@SHLIBEXT@ \ + ./script/tests/dlopen.sh -lpam bin/$${module}.@SHLIBEXT@ \ || exit 1; \ done Property changes on: head/net/samba34/files/patch-source3__Makefile.in ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.1 \ No newline at end of property +1.2 \ No newline at end of property Index: head/net/samba34/files/patch-source3__configure.in =================================================================== --- head/net/samba34/files/patch-source3__configure.in (revision 256430) +++ head/net/samba34/files/patch-source3__configure.in (revision 256431) @@ -1,239 +1,259 @@ ---- ./source3/configure.in.orig 2010-01-18 11:38:09.000000000 +0000 -+++ ./source3/configure.in 2010-02-06 12:37:49.000000000 +0000 +--- ./source3/configure.in.orig 2010-05-10 14:58:53.000000000 +0200 ++++ ./source3/configure.in 2010-06-10 17:50:46.000000000 +0200 @@ -210,16 +210,6 @@ fi fi -AC_ARG_ENABLE(dmalloc, [AS_HELP_STRING([--enable-dmalloc], [Enable heap debugging [default=no]])]) - -if test "x$enable_dmalloc" = xyes -then - AC_DEFINE(ENABLE_DMALLOC, 1, [Define to turn on dmalloc debugging]) - AC_DEFINE(DMALLOC_FUNC_CHECK, 1, - [Define to check invariants around some common functions]) - LIBS="$LIBS -ldmalloc" -fi - ################################################# # check for a shared memory profiling support AC_MSG_CHECKING(whether to use profiling) @@ -781,10 +771,10 @@ if test "x$CUPS_CONFIG" != x; then - ac_save_CFLAGS=$CFLAGS - ac_save_LDFLAGS=$LDFLAGS + ac_save_PRINT_CPPFLAGS=$CPPFLAGS + ac_save_PRINT_LDFLAGS=$LDFLAGS ac_save_PRINT_LIBS=$PRINT_LIBS - CFLAGS="$CFLAGS `$CUPS_CONFIG --cflags`" + CPPFLAGS="$CPPFLAGS `$CUPS_CONFIG --cflags`" LDFLAGS="$LDFLAGS `$CUPS_CONFIG --ldflags`" PRINT_LIBS="$PRINT_LIBS `$CUPS_CONFIG --libs`" AC_CHECK_HEADERS(cups/cups.h cups/language.h) @@ -794,8 +784,8 @@ samba_cv_HAVE_CUPS=yes else AC_MSG_WARN([cups-config around but cups-devel not installed]) - CFLAGS=$ac_save_CFLAGS - LDFLAGS=$ac_save_LDFLAGS + CPPFLAGS=$ac_save_PRINT_CPPFLAGS + LDFLAGS=$ac_save_PRINT_LDFLAGS PRINT_LIBS=$ac_save_PRINT_LIBS fi -@@ -1747,9 +1737,6 @@ +@@ -1749,9 +1739,6 @@ AC_MSG_CHECKING([PICFLAG]) AC_MSG_RESULT([$PICFLAG]) -AC_MSG_CHECKING([NSSSONAMEVERSIONSUFFIX]) -AC_MSG_RESULT([$NSSSONAMEVERSIONSUFFIX]) - AC_CACHE_CHECK([whether building shared libraries actually works], [ac_cv_shlib_works],[ # try building a trivial shared library -@@ -3959,10 +3946,10 @@ +@@ -3961,10 +3948,10 @@ ################################################################ # first test for Active Directory support being enabled - #if test x"$with_ads_support" = x"no"; then - # AC_MSG_ERROR(Active Directory support is required to enable DNS Update support) - # with_dnsupdate_support=no - #fi + if test x"$with_ads_support" = x"no"; then + AC_MSG_ERROR(Active Directory support is required to enable DNS Update support) + with_dnsupdate_support=no + fi ################################################################## # then test for uuid.h (necessary to generate unique DNS keynames # (uuid.h is required for this test) -@@ -4179,15 +4166,51 @@ +@@ -4181,15 +4168,51 @@ x"$ac_cv_header_pam_pam_modules_h" = x"no" ; then if test x"${try_pam}" = x"yes";then AC_MSG_ERROR([--with-pam=yes but pam_modules.h not found]) - fi + fi create_pam_modules=no - fi + fi if test x"$use_pam" = x"yes"; then - AC_DEFINE(WITH_PAM,1,[Whether to include PAM support]) + AC_DEFINE(WITH_PAM,1,[Whether to include PAM support]) AC_DEFINE(HAVE_LIBPAM,1,[Whether libpam is available]) AUTH_LIBS="$AUTH_LIBS $PAM_LIBS" - with_pam_for_crypt=yes + with_pam_for_crypt=yes + + AC_VERIFY_C_PROTOTYPE( + [int pam_get_data(const pam_handle_t *pamh, const char *module_data_name, const void **data)], + [return 0;], + [AC_DEFINE(PAM_GET_DATA_ARG3_CONST_VOID_PP, 1, [Whether pam_get_data 3 argument is a const pointer to pointer])], + [ + dnl Old OpenPAM declaration + AC_VERIFY_C_PROTOTYPE( + [int pam_get_data(pam_handle_t *pamh, const char *module_data_name, void **data)], + [return 0;], + [AC_DEFINE(PAM_GET_DATA_ARG3_VOID_PP, 1, [Whether pam_get_data 3 argument is a void pointer to pointer])], + [], [ + #include + #if HAVE_SECURITY_PAM_APPL_H + #include + #endif + #if HAVE_PAM_PAM_APPL_H + #include + #endif + #if HAVE_SECURITY_PAM_MODULES_H + #include + #endif + ] + )],[ + #include + #if HAVE_SECURITY_PAM_APPL_H + #include + #endif + #if HAVE_PAM_PAM_APPL_H + #include + #endif + #if HAVE_SECURITY_PAM_MODULES_H + #include + #endif + ] + ) if test x"$create_pam_modules" = x"yes"; then AC_DEFINE(WITH_PAM_MODULES,1,[Whether to include PAM MODULES support]) -@@ -4197,7 +4220,7 @@ +@@ -4199,7 +4222,7 @@ AC_CHECK_HEADERS(pam/pam_ext.h pam/_pam_macros.h) AC_CHECK_FUNC_EXT(pam_vsyslog,$PAM_LIBS) else - AC_MSG_WARN([PAM support detected but PAM MODULES support is missing]) + AC_MSG_WARN([PAM support detected but PAM MODULES support is missing]) fi fi AC_MSG_CHECKING(whether to use PAM support) -@@ -5794,6 +5817,7 @@ +@@ -5254,7 +5277,8 @@ + esac + fi # with_acl_support + +- ++# check for NFSv4 acl ++AC_CHECK_LIB(sunacl, acl, [ACL_LIBS="$ACL_LIBS -lsunacl"]) + + ################################################# + # check for AIO support +@@ -5796,6 +5820,7 @@ NSSSONAMEVERSIONSUFFIX=".1" WINBIND_NSS_EXTRA_OBJS="../nsswitch/winbind_nss_freebsd.o \ ../nsswitch/winbind_nss_linux.o" -+ WINBIND_WINS_NSS_EXTRA_OBJS="nsswitch/wins_freebsd.o" ++ WINBIND_WINS_NSS_EXTRA_OBJS="../nsswitch/wins_freebsd.o" WINBIND_NSS="../nsswitch/nss_winbind.$SHLIBEXT" WINBIND_WINS_NSS="../nsswitch/nss_wins.$SHLIBEXT" ;; -@@ -5886,17 +5910,10 @@ +@@ -5888,17 +5913,10 @@ AC_DEFINE(WITH_WINBIND,1,[Whether to link to wbclient]) EXTRA_BIN_PROGS="$EXTRA_BIN_PROGS bin/wbinfo\$(EXEEXT)" else - if test x"$enable_developer" = x"yes" -a x"$LINK_LIBWBCLIENT" = x"STATIC" ; then - BUILD_LIBWBCLIENT_SHARED=no - else - BUILD_LIBWBCLIENT_SHARED=yes - fi - LIBWBCLIENT_SHARED_TARGET=bin/libwbclient.$SHLIBEXT LIBWBCLIENT_STATIC_TARGET=bin/libwbclient.a LIBWBCLIENT_SOVER=0 if test $BLDSHARED = true -a x"$HAVE_WINBIND" = x"yes" -a x"$BUILD_LIBWBCLIENT_SHARED" = x"yes"; then - NSS_MODULES="${WINBIND_NSS} ${WINBIND_WINS_NSS}" ## Only worry about libwbclient if we have shared # library support LIBWBCLIENT_SHARED=$LIBWBCLIENT_SHARED_TARGET -@@ -5918,26 +5935,34 @@ +@@ -5920,26 +5938,34 @@ EXTRA_BIN_PROGS="$EXTRA_BIN_PROGS bin/wbinfo\$(EXEEXT)" EXTRA_SBIN_PROGS="$EXTRA_SBIN_PROGS bin/winbindd\$(EXEEXT)" - if test $BLDSHARED = true -a x"$create_pam_modules" = x"yes"; then + if test $BLDSHARED = true; then + NSS_MODULES="${WINBIND_NSS} ${WINBIND_WINS_NSS}" + if test x"$create_pam_modules" = x"yes"; then PAM_MODULES="$PAM_MODULES pam_winbind" INSTALL_PAM_MODULES="installpammodules" UNINSTALL_PAM_MODULES="uninstallpammodules" + fi fi else AC_MSG_RESULT(no$winbind_no_reason) fi -AC_CHECK_LIB(pthread, pthread_mutex_lock, [WINBIND_NSS_PTHREAD="-lpthread" +AC_MSG_CHECKING([NSSSONAMEVERSIONSUFFIX]) +AC_MSG_RESULT([$NSSSONAMEVERSIONSUFFIX]) + +AC_CHECK_LIB(pthread, pthread_mutex_lock, [WINBIND_NSS_PTHREAD="${PTHREAD_LIBS}" AC_DEFINE(HAVE_PTHREAD, 1, [whether pthread exists])]) AC_SUBST(WINBIND_NSS_PTHREAD) AC_SUBST(WINBIND_NSS) -AC_SUBST(WINBIND_WINS_NSS) AC_SUBST(WINBIND_NSS_LDSHFLAGS) AC_SUBST(WINBIND_NSS_EXTRA_OBJS) AC_SUBST(WINBIND_NSS_EXTRA_LIBS) -AC_SUBST(NSSSONAMEVERSIONSUFFIX) AC_SUBST(PAM_WINBIND_EXTRA_LIBS) +AC_SUBST(WINBIND_WINS_NSS) +AC_SUBST(WINBIND_WINS_NSS_EXTRA_OBJS) +AC_SUBST(WINBIND_WINS_NSS_EXTRA_LIBS) +AC_SUBST(NSSSONAMEVERSIONSUFFIX) AC_SUBST(WINBIND_KRB5_LOCATOR) -@@ -6129,13 +6154,21 @@ +@@ -6131,13 +6157,21 @@ # Start AC_CHECK_FUNC(getmntent) -AC_CHECK_HEADERS(sys/statfs.h) +AC_CHECK_HEADERS(sys/statfs.h sys/mount.h) AC_MSG_CHECKING([vfs_fileid: checking for statfs() and struct statfs.f_fsid)]) AC_CACHE_VAL(vfsfileid_cv_statfs,[ AC_TRY_RUN([ #include + #ifdef HAVE_SYS_PARAM_H + #include + #endif + #ifdef HAVE_SYS_MOUNT_H + #include + #endif + #ifdef HAVE_SYS_STATFS_H #include + #endif int main(void) { struct statfs fsd; -@@ -6447,6 +6480,16 @@ +@@ -6449,6 +6483,26 @@ CFLAGS="-I../lib/zlib $CFLAGS" ]) ++AC_ARG_ENABLE(dmalloc, [AS_HELP_STRING([--enable-dmalloc], [Enable heap debugging [default=no]])]) ++ ++if test "x$enable_dmalloc" = xyes ++then ++ AC_DEFINE(ENABLE_DMALLOC, 1, [Define to turn on dmalloc debugging]) ++ AC_DEFINE(DMALLOC_FUNC_CHECK, 1, ++ [Define to check invariants around some common functions]) ++ LIBS="$LIBS -ldmalloc" ++fi ++ +AC_ARG_ENABLE(dmalloc, [AS_HELP_STRING([--enable-dmalloc], [Enable heap debugging [default=no]])]) + +if test "x$enable_dmalloc" = xyes +then + AC_DEFINE(ENABLE_DMALLOC, 1, [Define to turn on dmalloc debugging]) + AC_DEFINE(DMALLOC_FUNC_CHECK, 1, + [Define to check invariants around some common functions]) + LIBS="$LIBS -ldmalloc" +fi + dnl Remove -L/usr/lib/? from LDFLAGS and LIBS LIB_REMOVE_USR_LIB(LDFLAGS) LIB_REMOVE_USR_LIB(LIBS) Property changes on: head/net/samba34/files/patch-source3__configure.in ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.2 \ No newline at end of property +1.3 \ No newline at end of property Index: head/net/samba34/files/sernet.patch =================================================================== --- head/net/samba34/files/sernet.patch (revision 256430) +++ head/net/samba34/files/sernet.patch (revision 256431) @@ -1,1027 +1,1563 @@ samba-3.4-check-bad-password-count.patch -samba-3.4-dont-search-for-empty-values.patch samba-3.4-net-trustdom-list-tidyup.patch -samba-3.4-search-accpolicies-in-sambaDomain.patch samba3-3.4-honor-all-loopback-ips.patch -samba3-3.4-skip-useless-ldap-queries-in-is_trusted_domain.patch -samba3-3.4.3-make-idmap-cache-persistent-ldapsam-trusted.patch -samba3-3.4.3-shortcut-uid_to_sid-when-ldapsam-trusted-yes.patch samba3-3.4.4-fix-account-unlock.patch +samba3-3.4.6-nmbd-bind-explicit.patch source3/auth/auth_sam.c | 159 +++++++++++++++++++++++++++++++++--------- source3/include/proto.h | 3 + source3/passdb/pdb_get_set.c | 132 +++++++++++++++++++---------------- source3/smbd/chgpasswd.c | 87 ++++++++++++++++------- 4 files changed, 262 insertions(+), 119 deletions(-) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fdfa292..24e7898 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -32,16 +32,14 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, TALLOC_CTX *mem_ctx, - struct samu *sampass, + const char *username, + uint32_t acct_ctrl, + const uint8_t *lm_pw, + const uint8_t *nt_pw, const auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) { - uint32 acct_ctrl; - const uint8 *lm_pw, *nt_pw; - const char *username = pdb_get_username(sampass); - - acct_ctrl = pdb_get_acct_ctrl(sampass); if (acct_ctrl & ACB_PWNOTREQ) { if (lp_null_passwords()) { DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username)); @@ -52,9 +50,6 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } - lm_pw = pdb_get_lanman_passwd(sampass); - nt_pw = pdb_get_nt_passwd(sampass); - return ntlm_password_check(mem_ctx, &auth_context->challenge, &user_info->lm_resp, &user_info->nt_resp, &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd, @@ -240,6 +235,75 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +/** + * Check whether the given password is one of the last two + * password history entries. If so, the bad pwcount should + * not be incremented even thought the actual password check + * failed. + */ +static bool need_to_increment_bad_pw_count( + const struct auth_context *auth_context, + struct samu* sampass, + const auth_usersupplied_info *user_info) +{ + uint8_t i; + const uint8_t *pwhistory; + uint32_t pwhistory_len; + uint32_t policy_pwhistory_len; + uint32_t acct_ctrl; + const char *username; + TALLOC_CTX *mem_ctx = talloc_stackframe(); + bool result = true; + + pdb_get_account_policy(AP_PASSWORD_HISTORY, + &policy_pwhistory_len); + if (policy_pwhistory_len == 0) { + goto done; + } + + pwhistory = pdb_get_pw_history(sampass, &pwhistory_len); + if (!pwhistory || pwhistory_len == 0) { + goto done; + } + + acct_ctrl = pdb_get_acct_ctrl(sampass); + username = pdb_get_username(sampass); + + for (i=1; i < MIN(MIN(3, policy_pwhistory_len), pwhistory_len); i++) { + static const uint8_t zero16[SALTED_MD5_HASH_LEN]; + const uint8_t *salt; + const uint8_t *nt_pw; + NTSTATUS status; + DATA_BLOB user_sess_key = data_blob_null; + DATA_BLOB lm_sess_key = data_blob_null; + + salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN]; + nt_pw = salt + PW_HISTORY_SALT_LEN; + + if (memcmp(zero16, nt_pw, NT_HASH_LEN) == 0) { + /* skip zero password hash */ + continue; + } + + if (memcmp(zero16, salt, PW_HISTORY_SALT_LEN) != 0) { + /* skip nonzero salt (old format entry) */ + continue; + } + + status = sam_password_ok(auth_context, mem_ctx, + username, acct_ctrl, NULL, nt_pw, + user_info, &user_sess_key, &lm_sess_key); + if (NT_STATUS_IS_OK(status)) { + result = false; + break; + } + } + +done: + TALLOC_FREE(mem_ctx); + return result; +} + /**************************************************************************** check if a username/password is OK assuming the password is a 24 byte SMB hash supplied in the user_info structure @@ -259,6 +323,10 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, DATA_BLOB user_sess_key = data_blob_null; DATA_BLOB lm_sess_key = data_blob_null; bool updated_autolock = False, updated_badpw = False; + uint32_t acct_ctrl; + const char *username; + const uint8_t *nt_pw; + const uint8_t *lm_pw; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -267,7 +335,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, /* the returned struct gets kept on the server_info, by means of a steal further down */ - if ( !(sampass = samu_new( mem_ctx )) ) { + sampass = samu_new(mem_ctx); + if (sampass == NULL) { return NT_STATUS_NO_MEMORY; } @@ -284,16 +353,22 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } + acct_ctrl = pdb_get_acct_ctrl(sampass); + username = pdb_get_username(sampass); + nt_pw = pdb_get_nt_passwd(sampass); + lm_pw = pdb_get_lanman_passwd(sampass); + /* see if autolock flag needs to be updated */ - if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) + if (acct_ctrl & ACB_NORMAL) pdb_update_autolock_flag(sampass, &updated_autolock); /* Quit if the account was locked out. */ - if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { - DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass))); + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); return NT_STATUS_ACCOUNT_LOCKED_OUT; } - nt_status = sam_password_ok(auth_context, mem_ctx, sampass, + nt_status = sam_password_ok(auth_context, mem_ctx, + username, acct_ctrl, lm_pw, nt_pw, user_info, &user_sess_key, &lm_sess_key); /* Notify passdb backend of login success/failure. If not @@ -302,10 +377,19 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, update_login_attempts_status = pdb_update_login_attempts(sampass, NT_STATUS_IS_OK(nt_status)); if (!NT_STATUS_IS_OK(nt_status)) { + bool increment_bad_pw_count = false; + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && - pdb_get_acct_ctrl(sampass) &ACB_NORMAL && + acct_ctrl & ACB_NORMAL && NT_STATUS_IS_OK(update_login_attempts_status)) - { + { + increment_bad_pw_count = + need_to_increment_bad_pw_count(auth_context, + sampass, + user_info); + } + + if (increment_bad_pw_count) { pdb_increment_bad_password_count(sampass); updated_badpw = True; } else { @@ -313,18 +397,21 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, &updated_badpw); } if (updated_autolock || updated_badpw){ + NTSTATUS status; + become_root(); - if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass))) - DEBUG(1, ("Failed to modify entry.\n")); + status = pdb_update_sam_account(sampass); unbecome_root(); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to modify entry: %s\n", + nt_errstr(status))); + } } - data_blob_free(&user_sess_key); - data_blob_free(&lm_sess_key); - TALLOC_FREE(sampass); - return nt_status; + goto done; } - if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && + if ((acct_ctrl & ACB_NORMAL) && (pdb_get_bad_password_count(sampass) > 0)){ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); @@ -332,30 +419,32 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } if (updated_autolock || updated_badpw){ + NTSTATUS status; + become_root(); - if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass))) - DEBUG(1, ("Failed to modify entry.\n")); + status = pdb_update_sam_account(sampass); unbecome_root(); - } + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to modify entry: %s\n", + nt_errstr(status))); + } + } nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(sampass); - data_blob_free(&user_sess_key); - data_blob_free(&lm_sess_key); - return nt_status; + goto done; } become_root(); nt_status = make_server_info_sam(server_info, sampass); unbecome_root(); + sampass = NULL; if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); - data_blob_free(&user_sess_key); - data_blob_free(&lm_sess_key); - return nt_status; + goto done; } (*server_info)->user_session_key = @@ -370,6 +459,10 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, (*server_info)->nss_token |= user_info->was_mapped; +done: + TALLOC_FREE(sampass); + data_blob_free(&user_sess_key); + data_blob_free(&lm_sess_key); return nt_status; } diff --git a/source3/include/proto.h b/source3/include/proto.h index d2ae62c..2c72bc6 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -6179,6 +6179,9 @@ NTSTATUS pass_oem_change(char *user, uchar password_encrypted_with_nt_hash[516], const uchar old_nt_hash_encrypted[16], uint32 *reject_reason); +bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], + uint32_t pw_history_len, + const uint8_t *pw_history); NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, bool as_root, uint32 *samr_reject_reason); /* The following definitions come from smbd/close.c */ diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index c79caf2..6e6b82b 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -979,6 +979,9 @@ bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) { uchar new_lanman_p16[LM_HASH_LEN]; uchar new_nt_p16[NT_HASH_LEN]; + uchar *pwhistory; + uint32 pwHistLen; + uint32 current_history_len; if (!plaintext) return False; @@ -1008,68 +1011,79 @@ bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; - /* Store the password history. */ - if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) { - uchar *pwhistory; - uint32 pwHistLen; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); - if (pwHistLen != 0){ - uint32 current_history_len; - /* We need to make sure we don't have a race condition here - the - account policy history length can change between when the pw_history - was first loaded into the struct samu struct and now.... JRA. */ - pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len); - - if (current_history_len != pwHistLen) { - /* After closing and reopening struct samu the history - values will sync up. We can't do this here. */ - - /* current_history_len > pwHistLen is not a problem - we - have more history than we need. */ - - if (current_history_len < pwHistLen) { - /* Ensure we have space for the needed history. */ - uchar *new_history = (uchar *)TALLOC(sampass, - pwHistLen*PW_HISTORY_ENTRY_LEN); - if (!new_history) { - return False; - } - - /* And copy it into the new buffer. */ - if (current_history_len) { - memcpy(new_history, pwhistory, - current_history_len*PW_HISTORY_ENTRY_LEN); - } - /* Clearing out any extra space. */ - memset(&new_history[current_history_len*PW_HISTORY_ENTRY_LEN], - '\0', (pwHistLen-current_history_len)*PW_HISTORY_ENTRY_LEN); - /* Finally replace it. */ - pwhistory = new_history; - } - } - if (pwhistory && pwHistLen){ - /* Make room for the new password in the history list. */ - if (pwHistLen > 1) { - memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], - pwhistory, (pwHistLen -1)*PW_HISTORY_ENTRY_LEN ); - } - /* Create the new salt as the first part of the history entry. */ - generate_random_buffer(pwhistory, PW_HISTORY_SALT_LEN); - - /* Generate the md5 hash of the salt+new password as the second - part of the history entry. */ - - E_md5hash(pwhistory, new_nt_p16, &pwhistory[PW_HISTORY_SALT_LEN]); - pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED); - } else { - DEBUG (10,("pdb_get_set.c: pdb_set_plaintext_passwd: pwhistory was NULL!\n")); - } - } else { - /* Set the history length to zero. */ - pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED); + if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) { + /* + * No password history for non-user accounts + */ + return true; + } + + pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); + + if (pwHistLen == 0) { + /* Set the history length to zero. */ + pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED); + return true; + } + + /* + * We need to make sure we don't have a race condition here - + * the account policy history length can change between when + * the pw_history was first loaded into the struct samu struct + * and now.... JRA. + */ + pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len); + + if ((current_history_len != 0) && (pwhistory == NULL)) { + DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n")); + return false; + } + + if (current_history_len < pwHistLen) { + /* + * Ensure we have space for the needed history. This + * also takes care of an account which did not have + * any history at all so far, i.e. pwhistory==NULL + */ + uchar *new_history = talloc_zero_array( + sampass, uchar, + pwHistLen*PW_HISTORY_ENTRY_LEN); + + if (!new_history) { + return False; } + + memcpy(new_history, pwhistory, + current_history_len*PW_HISTORY_ENTRY_LEN); + + pwhistory = new_history; } + /* + * Make room for the new password in the history list. + */ + if (pwHistLen > 1) { + memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory, + (pwHistLen-1)*PW_HISTORY_ENTRY_LEN ); + } + + /* + * Fill the salt area with 0-s: this indicates that + * a plain nt has is stored in the has area. + * The old format was to store a 16 byte salt and + * then an md5hash of the nt_hash concatenated with + * the salt. + */ + memset(pwhistory, 0, PW_HISTORY_SALT_LEN); + + /* + * Generate the md5 hash of the salt+new password as the + * second part of the history entry. + */ + memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN); + + pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED); + return True; } diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 61c3afb..046cc2c 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -1007,6 +1007,59 @@ static NTSTATUS check_oem_password(const char *user, return NT_STATUS_WRONG_PASSWORD; } +bool password_in_history(uint8_t nt_pw[NT_HASH_LEN], + uint32_t pw_history_len, + const uint8_t *pw_history) +{ + static const uint8_t zero_md5_nt_pw[SALTED_MD5_HASH_LEN] = { 0, }; + int i; + + dump_data(100, nt_pw, NT_HASH_LEN); + dump_data(100, pw_history, PW_HISTORY_ENTRY_LEN * pw_history_len); + + for (i=0; i -Date: Sat Oct 31 00:45:09 2009 +0100 - - s3:ldap: don't search when no values where found - -diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c -index 54cb03d..87df75e 100644 ---- a/source3/passdb/pdb_ldap.c -+++ b/source3/passdb/pdb_ldap.c -@@ -2683,7 +2683,7 @@ static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods, - - values = ldap_get_values(conn->ldap_struct, entry, "memberUid"); - -- if (values) { -+ if ((values != NULL) && (values[0] != NULL)) { - - filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT); - if (filter == NULL) { --- a/source3/utils/net_rpc.c 2009-10-28 11:37:35.336126630 +0100 +++ b/source3/utils/net_rpc.c 2009-10-28 14:18:50.555361309 +0100 @@ -5709,7 +5709,9 @@ const char **argv) { fstring str_sid; - sid_to_fstring(str_sid, domain_sid); + if (!sid_to_fstring(str_sid, domain_sid)) { + return NT_STATUS_UNSUCCESSFUL; + } d_printf("%s\n", str_sid); return NT_STATUS_OK; } @@ -6182,14 +6184,14 @@ &ndr_table_lsarpc.syntax_id, 0, rpc_query_domain_sid, argc, argv)) - d_fprintf(stderr, "couldn't get domain's sid\n"); + d_printf("strange - couldn't get domain's sid\n"); cli_shutdown(remote_cli); - } else { d_fprintf(stderr, "domain controller is not " "responding: %s\n", nt_errstr(nt_status)); + d_printf("couldn't get domain's sid\n"); }; }; -commit 72cec4a03145e11d299a5b679bb4a7ed6818032b -Author: Björn Jacke -Date: Fri Oct 30 21:50:41 2009 +0100 - - ѕ3:ldap: search for account policies in objectclass sambaDomain, not * - -diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c -index c464a88..54cb03d 100644 ---- a/source3/passdb/pdb_ldap.c -+++ b/source3/passdb/pdb_ldap.c -@@ -3864,6 +3864,7 @@ static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods - int count; - int rc; - char **vals = NULL; -+ char *filter; - const char *policy_attr = NULL; - - struct ldapsam_privates *ldap_state = -@@ -3887,8 +3888,12 @@ static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods - attrs[0] = policy_attr; - attrs[1] = NULL; - -+ filter = talloc_asprintf(NULL, "(objectClass=%s)", LDAP_OBJ_DOMINFO); -+ if (filter == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } - rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn, -- LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, -+ LDAP_SCOPE_BASE, filter, attrs, 0, - &result); - - if (rc != LDAP_SUCCESS) { commit b6afe7ef236a454d8a6abf104b8846f817378f73 Author: Björn Jacke Date: Thu Oct 15 02:02:30 2009 +0200 util: cope the all loopback addresses IPv4 knows The fact that we just recogniced 127.0.0.1 as loopback IP address and not the rest of the 127.0.0.0/8 IP address range we used the lo interface for sending packages even though we should send them to some more physical interface. This way we ended up with failing WINS registration and so on like in #6348. On the lo interface sendto() returned "Invalid Argument" (EINVAL). diff --git a/lib/util/util_net.c b/lib/util/util_net.c index 0ce495e..0511a28 100644 --- a/lib/util/util_net.c +++ b/lib/util/util_net.c @@ -351,13 +351,11 @@ bool is_broadcast_addr(const struct sockaddr *pss) } /** - * Check if an IPv7 is 127.0.0.1 + * Check if an IPv4 is in IN_LOOPBACKNET (127.0.0.0/8) */ bool is_loopback_ip_v4(struct in_addr ip) { - struct in_addr a; - a.s_addr = htonl(INADDR_LOOPBACK); - return(ip.s_addr == a.s_addr); + return ((ntohl(ip.s_addr) & IN_CLASSA_NET) == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT)); } /** -From 144c23893ec580eed1a38b2fd577b4bd4ebf491d Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Sat, 14 Nov 2009 01:12:22 +0100 -Subject: [PATCH] s3:is_trusted_domain: shortcut if domain name is NULL or empty - -This saves some roundtrips to LDAP in an ldapsm setup. - -Michael ---- - source3/auth/auth_util.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 1d25e22..512cae0 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -2181,6 +2181,10 @@ bool is_trusted_domain(const char* dom_name) - if ( lp_server_role() == ROLE_STANDALONE ) - return False; - -+ if (dom_name == NULL || dom_name[0] == '\0') { -+ return false; -+ } -+ - /* if we are a DC, then check for a direct trust relationships */ - - if ( IS_DC ) { --- -1.6.0.4 - - -From 2e3d9abeafebffa6ff1c7b3de80525cd5f6deb49 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Sat, 14 Nov 2009 01:21:42 +0100 -Subject: [PATCH] s3:is_trusted_domain: shortcut if domain name == global_sam_name - -A domain can't have a trust with itself. -This saves some roundtrips to the ldap server for ldapsam. - -Michael ---- - source3/auth/auth_util.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 512cae0..118f41c 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -2185,6 +2185,10 @@ bool is_trusted_domain(const char* dom_name) - return false; - } - -+ if (strequal(dom_name, get_global_sam_name())) { -+ return false; -+ } -+ - /* if we are a DC, then check for a direct trust relationships */ - - if ( IS_DC ) { --- -1.6.0.4 - -From 1f88d2b729a273b0d10e3b57695037dede290baf Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Fri, 13 Nov 2009 15:51:33 +0100 -Subject: [PATCH] s3:smbd: make idmap cache persistent for "ldapsam:trusted". - -This stores the mappings found in the idmap cache (which lives -inside gencache). This cache is already read in sid_to_Xid() -and Xid_to_sid() for ldapsam:trusted, this fills the opposite -direction, massively reducing the number of ldap roundtrips -across smbd restarts. - -Michael ---- - source3/passdb/pdb_ldap.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c -index d4a2fbe..7fda72e 100644 ---- a/source3/passdb/pdb_ldap.c -+++ b/source3/passdb/pdb_ldap.c -@@ -1038,6 +1038,7 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - /* We've got a uid, feed the cache */ - uid_t uid = strtoul(temp, NULL, 10); - store_uid_sid_cache(pdb_get_user_sid(sampass), uid); -+ idmap_cache_set_sid2uid(pdb_get_user_sid(sampass), uid); - } - } - -@@ -2449,6 +2450,7 @@ for gidNumber(%lu)\n",(unsigned long)map->gid)); - - if (lp_parm_bool(-1, "ldapsam", "trusted", false)) { - store_gid_sid_cache(&map->sid, map->gid); -+ idmap_cache_set_sid2gid(&map->sid, map->gid); - } - - TALLOC_FREE(ctx); -@@ -4967,6 +4969,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - - id->gid = strtoul(gid_str, NULL, 10); - *type = (enum lsa_SidType)strtoul(value, NULL, 10); -+ idmap_cache_set_sid2gid(sid, id->gid); - ret = True; - goto done; - } -@@ -4983,6 +4986,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - - id->uid = strtoul(value, NULL, 10); - *type = SID_NAME_USER; -+ idmap_cache_set_sid2uid(sid, id->uid); - - ret = True; - done: --- -1.6.0.4 - - -From a582d52c6180d334d42f4e3d27a455e5fce53d53 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Fri, 13 Nov 2009 16:16:50 +0100 -Subject: [PATCH] s3:smbd: also fill the memcache with sid<->id mappings in ldapsam_sid_to_id() - -not only the persistent idmap cache. - -Michael ---- - source3/passdb/pdb_ldap.c | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c -index 7fda72e..cce2cf1 100644 ---- a/source3/passdb/pdb_ldap.c -+++ b/source3/passdb/pdb_ldap.c -@@ -4969,6 +4969,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - - id->gid = strtoul(gid_str, NULL, 10); - *type = (enum lsa_SidType)strtoul(value, NULL, 10); -+ store_gid_sid_cache(sid, id->gid); - idmap_cache_set_sid2gid(sid, id->gid); - ret = True; - goto done; -@@ -4986,6 +4987,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - - id->uid = strtoul(value, NULL, 10); - *type = SID_NAME_USER; -+ store_uid_sid_cache(sid, id->uid); - idmap_cache_set_sid2uid(sid, id->uid); - - ret = True; --- -1.6.0.4 - -From d90798e8fa1f56a60cf0260dd8679bc11c41603b Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Mon, 16 Nov 2009 11:37:18 +0100 -Subject: [PATCH] s3: shortcut uid_to_sid when "ldapsam:trusted = yes" - -The normal uid_to_sid behaviour is to call sys_getpwuid() -to get the name for the given uid and then call the -getsampwnam passdb method for the resulting name. - -In the ldapsam:trusted case we can reduce the uid_to_sid -operation to one simple search for the uidNumber attribute -and only get the sambaSID attribute from the correspoinding -LDAP object. This reduces the number of ldap roundtrips -for this operation. - -Michael ---- - source3/passdb/pdb_ldap.c | 75 +++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 75 insertions(+), 0 deletions(-) - -diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c -index cce2cf1..401bf95 100644 ---- a/source3/passdb/pdb_ldap.c -+++ b/source3/passdb/pdb_ldap.c -@@ -4996,6 +4996,80 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - return ret; - } - -+/** -+ * Find the SID for a uid. -+ * This is shortcut is only used if ldapsam:trusted is set to true. -+ */ -+static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, -+ DOM_SID *sid) -+{ -+ struct ldapsam_privates *priv = -+ (struct ldapsam_privates *)methods->private_data; -+ char *filter; -+ const char *attrs[] = { "sambaSID", NULL }; -+ LDAPMessage *result = NULL; -+ LDAPMessage *entry = NULL; -+ bool ret = false; -+ char *user_sid_string; -+ DOM_SID *user_sid; -+ int rc; -+ TALLOC_CTX *tmp_ctx = talloc_stackframe(); -+ -+ filter = talloc_asprintf(tmp_ctx, -+ "(&(uidNumber=%u)" -+ "(objectClass=%s)" -+ "(objectClass=%s))", -+ (unsigned int)uid, -+ LDAP_OBJ_POSIXACCOUNT, -+ LDAP_OBJ_SAMBASAMACCOUNT); -+ if (filter == NULL) { -+ DEBUG(3, ("talloc_asprintf failed\n")); -+ goto done; -+ } -+ -+ rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result); -+ if (rc != LDAP_SUCCESS) { -+ goto done; -+ } -+ talloc_autofree_ldapmsg(tmp_ctx, result); -+ -+ if (ldap_count_entries(priv2ld(priv), result) != 1) { -+ DEBUG(3, ("ERROR: Got %d entries for uid %u, expected one\n", -+ ldap_count_entries(priv2ld(priv), result), -+ (unsigned int)uid)); -+ goto done; -+ } -+ -+ entry = ldap_first_entry(priv2ld(priv), result); -+ -+ user_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry, -+ "sambaSID", tmp_ctx); -+ if (user_sid_string == NULL) { -+ DEBUG(1, ("Could not find sambaSID in object '%s'\n", -+ smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry))); -+ goto done; -+ } -+ -+ user_sid = string_sid_talloc(tmp_ctx, user_sid_string); -+ if (user_sid == NULL) { -+ DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", -+ user_sid_string)); -+ goto done; -+ } -+ -+ sid_copy(sid, user_sid); -+ -+ store_uid_sid_cache(sid, uid); -+ idmap_cache_set_sid2uid(sid, uid); -+ -+ ret = true; -+ -+ done: -+ TALLOC_FREE(tmp_ctx); -+ return ret; -+} -+ -+ - /* - * The following functions is called only if - * ldapsam:trusted and ldapsam:editposix are -@@ -6344,6 +6418,7 @@ NTSTATUS pdb_init_ldapsam(struct pdb_methods **pdb_method, const char *location) - ldapsam_enum_group_memberships; - (*pdb_method)->lookup_rids = ldapsam_lookup_rids; - (*pdb_method)->sid_to_id = ldapsam_sid_to_id; -+ (*pdb_method)->uid_to_sid = ldapsam_uid_to_sid; - - if (lp_parm_bool(-1, "ldapsam", "editposix", False)) { - (*pdb_method)->create_user = ldapsam_create_user; --- -1.6.0.4 - From 179e63ae9aa93984ea3d237c1039460c5acf01a5 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 14 Jan 2010 14:24:35 +0100 Subject: [PATCH] s3:auth: fix account unlock regression introduced with fix for bug #4347 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit By an oversight, the patchset for #4347 made the unlocking of a locked account after the lockout duration ineffective. Thanks to Björn for finding this! Michael --- source3/auth/auth_sam.c | 12 +++++------- 1 files changed, 5 insertions(+), 7 deletions(-) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 1dd8fc9..01b2517 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -369,7 +369,6 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, DATA_BLOB user_sess_key = data_blob_null; DATA_BLOB lm_sess_key = data_blob_null; bool updated_autolock = False, updated_badpw = False; - uint32_t acct_ctrl; const char *username; const uint8_t *nt_pw; const uint8_t *lm_pw; @@ -399,22 +398,21 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } - acct_ctrl = pdb_get_acct_ctrl(sampass); username = pdb_get_username(sampass); nt_pw = pdb_get_nt_passwd(sampass); lm_pw = pdb_get_lanman_passwd(sampass); /* see if autolock flag needs to be updated */ - if (acct_ctrl & ACB_NORMAL) + if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) pdb_update_autolock_flag(sampass, &updated_autolock); /* Quit if the account was locked out. */ - if (acct_ctrl & ACB_AUTOLOCK) { + if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); return NT_STATUS_ACCOUNT_LOCKED_OUT; } nt_status = sam_password_ok(auth_context, mem_ctx, - username, acct_ctrl, lm_pw, nt_pw, + username, pdb_get_acct_ctrl(sampass), lm_pw, nt_pw, user_info, &user_sess_key, &lm_sess_key); /* Notify passdb backend of login success/failure. If not @@ -426,7 +424,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, bool increment_bad_pw_count = false; if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && - acct_ctrl & ACB_NORMAL && + pdb_get_acct_ctrl(sampass) & ACB_NORMAL && NT_STATUS_IS_OK(update_login_attempts_status)) { increment_bad_pw_count = @@ -457,7 +455,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, goto done; } - if ((acct_ctrl & ACB_NORMAL) && + if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && (pdb_get_bad_password_count(sampass) > 0)){ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); +-- +1.6.3.3 + +From 2ad43c8c290ebb070d793fc24925f7c1ceb8a438 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 28 Jan 2010 11:04:05 +0100 +Subject: [PATCH 1/4] s3:nmbd: also listen explicit on the subnet broadcast addresses + +And send replies always via the unicast address of the subnet. + +This behavior is off by default (as before) +and can be enabled with "nmbd:bind explicit broadcast = yes". + +metze +(cherry picked from commit 30a1bc365071befd07e68e24ca4fa3843159ab13) +--- + source3/include/nameserv.h | 5 +- + source3/libsmb/namequery.c | 6 +- + source3/libsmb/nmblib.c | 9 ++- + source3/nmbd/nmbd.c | 5 +- + source3/nmbd/nmbd_packets.c | 189 ++++++++++++++++++++++++++++-------------- + source3/nmbd/nmbd_subnetdb.c | 123 ++++++++++++++++++---------- + 6 files changed, 222 insertions(+), 115 deletions(-) + +diff --git a/source3/include/nameserv.h b/source3/include/nameserv.h +index 496d87e..53ffd6f 100644 +--- a/source3/include/nameserv.h ++++ b/source3/include/nameserv.h +@@ -434,7 +434,9 @@ struct subnet_record { + struct in_addr mask_ip; + struct in_addr myip; + int nmb_sock; /* socket to listen for unicast 137. */ ++ int nmb_bcast; /* socket to listen for broadcast 137. */ + int dgram_sock; /* socket to listen for unicast 138. */ ++ int dgram_bcast; /* socket to listen for broadcast 138. */ + }; + + /* A resource record. */ +@@ -530,7 +532,8 @@ struct packet_struct + bool locked; + struct in_addr ip; + int port; +- int fd; ++ int recv_fd; ++ int send_fd; + time_t timestamp; + enum packet_type packet_type; + union { +diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c +index 50fb9f1..8f8d891 100644 +--- a/source3/libsmb/namequery.c ++++ b/source3/libsmb/namequery.c +@@ -301,7 +301,8 @@ NODE_STATUS_STRUCT *node_status_query(int fd, + + p.ip = ((const struct sockaddr_in *)to_ss)->sin_addr; + p.port = NMB_PORT; +- p.fd = fd; ++ p.recv_fd = -1; ++ p.send_fd = fd; + p.timestamp = time(NULL); + p.packet_type = NMB_PACKET; + +@@ -678,7 +679,8 @@ struct sockaddr_storage *name_query(int fd, + + p.ip = ((struct sockaddr_in *)to_ss)->sin_addr; + p.port = NMB_PORT; +- p.fd = fd; ++ p.recv_fd = -1; ++ p.send_fd = fd; + p.timestamp = time(NULL); + p.packet_type = NMB_PACKET; + +diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c +index 5f3eda4..1a21066 100644 +--- a/source3/libsmb/nmblib.c ++++ b/source3/libsmb/nmblib.c +@@ -601,6 +601,8 @@ static struct packet_struct *copy_nmb_packet(struct packet_struct *packet) + + /* Ensure this copy is not locked. */ + pkt_copy->locked = False; ++ pkt_copy->recv_fd = -1; ++ pkt_copy->send_fd = -1; + + /* Ensure this copy has no resource records. */ + nmb = &packet->packet.nmb; +@@ -666,6 +668,8 @@ static struct packet_struct *copy_dgram_packet(struct packet_struct *packet) + + /* Ensure this copy is not locked. */ + pkt_copy->locked = False; ++ pkt_copy->recv_fd = -1; ++ pkt_copy->send_fd = -1; + + /* There are no additional pointers in a dgram packet, + we are finished. */ +@@ -791,7 +795,8 @@ struct packet_struct *read_packet(int fd,enum packet_type packet_type) + if (!packet) + return NULL; + +- packet->fd = fd; ++ packet->recv_fd = fd; ++ packet->send_fd = -1; + + DEBUG(5,("Received a packet of len %d from (%s) port %d\n", + length, inet_ntoa(packet->ip), packet->port ) ); +@@ -1075,7 +1080,7 @@ bool send_packet(struct packet_struct *p) + if (!len) + return(False); + +- return(send_udp(p->fd,buf,len,p->ip,p->port)); ++ return(send_udp(p->send_fd,buf,len,p->ip,p->port)); + } + + /**************************************************************************** +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index f31e7b1..418771a 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -441,13 +441,14 @@ static void msg_nmbd_send_packet(struct messaging_context *msg, + local_ip = &((const struct sockaddr_in *)pss)->sin_addr; + subrec = FIRST_SUBNET; + +- p->fd = (p->packet_type == NMB_PACKET) ? ++ p->recv_fd = -1; ++ p->send_fd = (p->packet_type == NMB_PACKET) ? + subrec->nmb_sock : subrec->dgram_sock; + + for (subrec = FIRST_SUBNET; subrec != NULL; + subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { + if (ip_equal_v4(*local_ip, subrec->myip)) { +- p->fd = (p->packet_type == NMB_PACKET) ? ++ p->send_fd = (p->packet_type == NMB_PACKET) ? + subrec->nmb_sock : subrec->dgram_sock; + break; + } +diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c +index f69845b..51f4e32 100644 +--- a/source3/nmbd/nmbd_packets.c ++++ b/source3/nmbd/nmbd_packets.c +@@ -207,7 +207,8 @@ static struct packet_struct *create_and_init_netbios_packet(struct nmb_name *nmb + + packet->ip = to_ip; + packet->port = NMB_PORT; +- packet->fd = ClientNMB; ++ packet->recv_fd = -1; ++ packet->send_fd = ClientNMB; + packet->timestamp = time(NULL); + packet->packet_type = NMB_PACKET; + packet->locked = False; +@@ -258,7 +259,8 @@ static bool create_and_init_additional_record(struct packet_struct *packet, + our standard refresh cycle for that name which copes nicely + with disconnected networks. + */ +- packet->fd = find_subnet_fd_for_address(*register_ip); ++ packet->recv_fd = -1; ++ packet->send_fd = find_subnet_fd_for_address(*register_ip); + + return True; + } +@@ -743,7 +745,7 @@ struct response_record *queue_query_name( struct subnet_record *subrec, + } + + DEBUG(10,("queue_query_name: using source IP %s\n",inet_ntoa(*ifip))); +- p->fd = find_subnet_fd_for_address( *ifip ); ++ p->send_fd = find_subnet_fd_for_address( *ifip ); + break; + } + } +@@ -979,9 +981,14 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name), + } + + packet.packet_type = NMB_PACKET; ++ packet.recv_fd = -1; + /* Ensure we send out on the same fd that the original + packet came in on to give the correct source IP address. */ +- packet.fd = orig_packet->fd; ++ if (orig_packet->send_fd != -1) { ++ packet.send_fd = orig_packet->send_fd; ++ } else { ++ packet.send_fd = orig_packet->recv_fd; ++ } + packet.timestamp = time(NULL); + + debug_nmb_packet(&packet); +@@ -1679,50 +1686,74 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n + return True; + } + ++ /* The Client* sockets */ ++ count++; ++ + /* Check that we can add all the fd's we need. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) + count++; + +- if((count*2) + 2 > FD_SETSIZE) { ++ /* each interface gets 4 sockets */ ++ count *= 4; ++ ++ if(count > FD_SETSIZE) { + DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \ +-only use %d.\n", (count*2) + 2, FD_SETSIZE)); ++only use %d.\n", count, FD_SETSIZE)); + SAFE_FREE(pset); + return True; + } + +- if((sock_array = SMB_MALLOC_ARRAY(int, (count*2) + 2)) == NULL) { +- DEBUG(0,("create_listen_fdset: malloc fail for socket array.\n")); ++ if((sock_array = SMB_MALLOC_ARRAY(int, count)) == NULL) { ++ DEBUG(0,("create_listen_fdset: malloc fail for socket array. size %d\n", count)); + SAFE_FREE(pset); + return True; + } + + FD_ZERO(pset); + +- /* Add in the broadcast socket on 137. */ ++ /* Add in the lp_socket_address() interface on 137. */ + FD_SET(ClientNMB,pset); + sock_array[num++] = ClientNMB; + *maxfd = MAX( *maxfd, ClientNMB); + ++ /* the lp_socket_address() interface has only one socket */ ++ sock_array[num++] = -1; ++ + /* Add in the 137 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { + FD_SET(subrec->nmb_sock,pset); + sock_array[num++] = subrec->nmb_sock; + *maxfd = MAX( *maxfd, subrec->nmb_sock); ++ ++ sock_array[num++] = subrec->nmb_bcast; ++ if (subrec->nmb_bcast != -1) { ++ FD_SET(subrec->nmb_bcast,pset); ++ *maxfd = MAX( *maxfd, subrec->nmb_bcast); ++ } + } + +- /* Add in the broadcast socket on 138. */ ++ /* Add in the lp_socket_address() interface on 138. */ + FD_SET(ClientDGRAM,pset); + sock_array[num++] = ClientDGRAM; + *maxfd = MAX( *maxfd, ClientDGRAM); + ++ /* the lp_socket_address() interface has only one socket */ ++ sock_array[num++] = -1; ++ + /* Add in the 138 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { + FD_SET(subrec->dgram_sock,pset); + sock_array[num++] = subrec->dgram_sock; + *maxfd = MAX( *maxfd, subrec->dgram_sock); ++ ++ sock_array[num++] = subrec->dgram_bcast; ++ if (subrec->dgram_bcast != -1) { ++ FD_SET(subrec->dgram_bcast,pset); ++ *maxfd = MAX( *maxfd, subrec->dgram_bcast); ++ } + } + +- *listen_number = (count*2) + 2; ++ *listen_number = count; + + SAFE_FREE(*ppset); + SAFE_FREE(*psock_array); +@@ -1811,61 +1842,90 @@ bool listen_for_packets(bool run_election) + #endif + + for(i = 0; i < listen_number; i++) { ++ enum packet_type packet_type; ++ struct packet_struct *packet; ++ const char *packet_name; ++ int client_fd; ++ int client_port; ++ ++ if (sock_array[i] == -1) { ++ continue; ++ } ++ ++ if (!FD_ISSET(sock_array[i],&r_fds)) { ++ continue; ++ } ++ + if (i < (listen_number/2)) { +- /* Processing a 137 socket. */ +- if (FD_ISSET(sock_array[i],&r_fds)) { +- struct packet_struct *packet = read_packet(sock_array[i], NMB_PACKET); +- if (packet) { +- /* +- * If we got a packet on the broadcast socket and interfaces +- * only is set then check it came from one of our local nets. +- */ +- if(lp_bind_interfaces_only() && (sock_array[i] == ClientNMB) && +- (!is_local_net_v4(packet->ip))) { +- DEBUG(7,("discarding nmb packet sent to broadcast socket from %s:%d\n", +- inet_ntoa(packet->ip),packet->port)); +- free_packet(packet); +- } else if ((is_loopback_ip_v4(packet->ip) || +- ismyip_v4(packet->ip)) && packet->port == global_nmb_port && +- packet->packet.nmb.header.nm_flags.bcast) { +- DEBUG(7,("discarding own bcast packet from %s:%d\n", +- inet_ntoa(packet->ip),packet->port)); +- free_packet(packet); +- } else { +- /* Save the file descriptor this packet came in on. */ +- packet->fd = sock_array[i]; +- queue_packet(packet); +- } +- } +- } ++ /* Port 137 */ ++ packet_type = NMB_PACKET; ++ packet_name = "nmb"; ++ client_fd = ClientNMB; ++ client_port = global_nmb_port; + } else { +- /* Processing a 138 socket. */ +- if (FD_ISSET(sock_array[i],&r_fds)) { +- struct packet_struct *packet = read_packet(sock_array[i], DGRAM_PACKET); +- if (packet) { +- /* +- * If we got a packet on the broadcast socket and interfaces +- * only is set then check it came from one of our local nets. +- */ +- if(lp_bind_interfaces_only() && (sock_array[i] == ClientDGRAM) && +- (!is_local_net_v4(packet->ip))) { +- DEBUG(7,("discarding dgram packet sent to broadcast socket from %s:%d\n", +- inet_ntoa(packet->ip),packet->port)); +- free_packet(packet); +- } else if ((is_loopback_ip_v4(packet->ip) || +- ismyip_v4(packet->ip)) && packet->port == DGRAM_PORT) { +- DEBUG(7,("discarding own dgram packet from %s:%d\n", +- inet_ntoa(packet->ip),packet->port)); +- free_packet(packet); +- } else { +- /* Save the file descriptor this packet came in on. */ +- packet->fd = sock_array[i]; +- queue_packet(packet); +- } +- } ++ /* Port 137 */ ++ packet_type = DGRAM_PACKET; ++ packet_name = "dgram"; ++ client_fd = ClientDGRAM; ++ client_port = DGRAM_PORT; ++ } ++ ++ packet = read_packet(sock_array[i], packet_type); ++ if (!packet) { ++ continue; ++ } ++ ++ /* ++ * If we got a packet on the broadcast socket and interfaces ++ * only is set then check it came from one of our local nets. ++ */ ++ if (lp_bind_interfaces_only() && ++ (sock_array[i] == client_fd) && ++ (!is_local_net_v4(packet->ip))) { ++ DEBUG(7,("discarding %s packet sent to broadcast socket from %s:%d\n", ++ packet_name, inet_ntoa(packet->ip), packet->port)); ++ free_packet(packet); ++ continue; ++ } ++ ++ if ((is_loopback_ip_v4(packet->ip) || ismyip_v4(packet->ip)) && ++ packet->port == client_port) ++ { ++ if (client_port == DGRAM_PORT) { ++ DEBUG(7,("discarding own dgram packet from %s:%d\n", ++ inet_ntoa(packet->ip),packet->port)); ++ free_packet(packet); ++ continue; + } +- } /* end processing 138 socket. */ +- } /* end for */ ++ ++ if (packet->packet.nmb.header.nm_flags.bcast) { ++ DEBUG(7,("discarding own nmb bcast packet from %s:%d\n", ++ inet_ntoa(packet->ip),packet->port)); ++ free_packet(packet); ++ continue; ++ } ++ } ++ ++ /* ++ * 0,2,4,... are unicast sockets ++ * 1,3,5,... are broadcast sockets ++ * ++ * on broadcast socket we only receive packets ++ * and send replies via the unicast socket. ++ * ++ * 0,1 and 2,3 and ... belong together. ++ */ ++ if ((i % 2) != 0) { ++ /* this is a broadcast socket */ ++ packet->send_fd = sock_array[i-1]; ++ } else { ++ /* this is already a unicast socket */ ++ packet->send_fd = sock_array[i]; ++ } ++ ++ queue_packet(packet); ++ } ++ + return False; + } + +@@ -1944,7 +2004,8 @@ bool send_mailslot(bool unique, const char *mailslot,char *buf, size_t len, + + p.ip = dest_ip; + p.port = dest_port; +- p.fd = find_subnet_mailslot_fd_for_address( src_ip ); ++ p.recv_fd = -1; ++ p.send_fd = find_subnet_mailslot_fd_for_address( src_ip ); + p.timestamp = time(NULL); + p.packet_type = DGRAM_PACKET; + +diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c +index 13bc931..96d7b32 100644 +--- a/source3/nmbd/nmbd_subnetdb.c ++++ b/source3/nmbd/nmbd_subnetdb.c +@@ -76,18 +76,21 @@ static struct subnet_record *make_subnet(const char *name, enum subnet_type type + struct in_addr mask_ip) + { + struct subnet_record *subrec = NULL; +- int nmb_sock, dgram_sock; ++ int nmb_sock = -1; ++ int dgram_sock = -1; ++ int nmb_bcast = -1; ++ int dgram_bcast = -1; ++ bool bind_bcast = lp_parm_bool(-1, "nmbd", "bind explicit broadcast", false); + + /* Check if we are creating a non broadcast subnet - if so don't create + sockets. */ + +- if(type != NORMAL_SUBNET) { +- nmb_sock = -1; +- dgram_sock = -1; +- } else { ++ if (type == NORMAL_SUBNET) { + struct sockaddr_storage ss; ++ struct sockaddr_storage ss_bcast; + + in_addr_to_sockaddr_storage(&ss, myip); ++ in_addr_to_sockaddr_storage(&ss_bcast, bcast_ip); + + /* + * Attempt to open the sockets on port 137/138 for this interface +@@ -95,60 +98,74 @@ static struct subnet_record *make_subnet(const char *name, enum subnet_type type + * Fail the subnet creation if this fails. + */ + +- if((nmb_sock = open_socket_in(SOCK_DGRAM, global_nmb_port,0, &ss,true)) == -1) { +- if( DEBUGLVL( 0 ) ) { +- Debug1( "nmbd_subnetdb:make_subnet()\n" ); +- Debug1( " Failed to open nmb socket on interface %s ", inet_ntoa(myip) ); +- Debug1( "for port %d. ", global_nmb_port ); +- Debug1( "Error was %s\n", strerror(errno) ); ++ nmb_sock = open_socket_in(SOCK_DGRAM, global_nmb_port, ++ 0, &ss, true); ++ if (nmb_sock == -1) { ++ DEBUG(0, ("nmbd_subnetdb:make_subnet()\n")); ++ DEBUGADD(0,(" Failed to open nmb socket on interface %s ", ++ inet_ntoa(myip))); ++ DEBUGADD(0,("for port %d. ", global_nmb_port)); ++ DEBUGADD(0,("Error was %s\n", strerror(errno))); ++ goto failed; ++ } ++ set_socket_options(nmb_sock,"SO_BROADCAST"); ++ set_blocking(nmb_sock, false); ++ ++ if (bind_bcast) { ++ nmb_bcast = open_socket_in(SOCK_DGRAM, global_nmb_port, ++ 0, &ss_bcast, true); ++ if (nmb_bcast == -1) { ++ DEBUG(0, ("nmbd_subnetdb:make_subnet()\n")); ++ DEBUGADD(0,(" Failed to open nmb bcast socket on interface %s ", ++ inet_ntoa(bcast_ip))); ++ DEBUGADD(0,("for port %d. ", global_nmb_port)); ++ DEBUGADD(0,("Error was %s\n", strerror(errno))); ++ goto failed; + } +- return NULL; ++ set_socket_options(nmb_bcast, "SO_BROADCAST"); ++ set_blocking(nmb_bcast, false); + } + +- if((dgram_sock = open_socket_in(SOCK_DGRAM,DGRAM_PORT,3, &ss, true)) == -1) { +- if( DEBUGLVL( 0 ) ) { +- Debug1( "nmbd_subnetdb:make_subnet()\n" ); +- Debug1( " Failed to open dgram socket on interface %s ", inet_ntoa(myip) ); +- Debug1( "for port %d. ", DGRAM_PORT ); +- Debug1( "Error was %s\n", strerror(errno) ); ++ dgram_sock = open_socket_in(SOCK_DGRAM, DGRAM_PORT, ++ 3, &ss, true); ++ if (dgram_sock == -1) { ++ DEBUG(0, ("nmbd_subnetdb:make_subnet()\n")); ++ DEBUGADD(0,(" Failed to open dgram socket on interface %s ", ++ inet_ntoa(myip))); ++ DEBUGADD(0,("for port %d. ", DGRAM_PORT)); ++ DEBUGADD(0,("Error was %s\n", strerror(errno))); ++ goto failed; ++ } ++ set_socket_options(dgram_sock, "SO_BROADCAST"); ++ set_blocking(dgram_sock, false); ++ ++ if (bind_bcast) { ++ dgram_bcast = open_socket_in(SOCK_DGRAM, DGRAM_PORT, ++ 3, &ss_bcast, true); ++ if (dgram_bcast == -1) { ++ DEBUG(0, ("nmbd_subnetdb:make_subnet()\n")); ++ DEBUGADD(0,(" Failed to open dgram bcast socket on interface %s ", ++ inet_ntoa(bcast_ip))); ++ DEBUGADD(0,("for port %d. ", DGRAM_PORT)); ++ DEBUGADD(0,("Error was %s\n", strerror(errno))); ++ goto failed; + } +- return NULL; ++ set_socket_options(dgram_bcast, "SO_BROADCAST"); ++ set_blocking(dgram_bcast, false); + } +- +- /* Make sure we can broadcast from these sockets. */ +- set_socket_options(nmb_sock,"SO_BROADCAST"); +- set_socket_options(dgram_sock,"SO_BROADCAST"); +- +- /* Set them non-blocking. */ +- set_blocking(nmb_sock, False); +- set_blocking(dgram_sock, False); + } + + subrec = SMB_MALLOC_P(struct subnet_record); + if (!subrec) { + DEBUG(0,("make_subnet: malloc fail !\n")); +- if (nmb_sock != -1) { +- close(nmb_sock); +- } +- if (dgram_sock != -1) { +- close(dgram_sock); +- } +- return(NULL); ++ goto failed; + } + + ZERO_STRUCTP(subrec); + + if((subrec->subnet_name = SMB_STRDUP(name)) == NULL) { + DEBUG(0,("make_subnet: malloc fail for subnet name !\n")); +- if (nmb_sock != -1) { +- close(nmb_sock); +- } +- if (dgram_sock != -1) { +- close(dgram_sock); +- } +- ZERO_STRUCTP(subrec); +- SAFE_FREE(subrec); +- return(NULL); ++ goto failed; + } + + DEBUG(2, ("making subnet name:%s ", name )); +@@ -163,9 +180,27 @@ static struct subnet_record *make_subnet(const char *name, enum subnet_type type + subrec->myip = myip; + subrec->type = type; + subrec->nmb_sock = nmb_sock; ++ subrec->nmb_bcast = nmb_bcast; + subrec->dgram_sock = dgram_sock; +- ++ subrec->dgram_bcast = dgram_bcast; ++ + return subrec; ++ ++failed: ++ SAFE_FREE(subrec); ++ if (nmb_sock != -1) { ++ close(nmb_sock); ++ } ++ if (nmb_bcast != -1) { ++ close(nmb_bcast); ++ } ++ if (dgram_sock != -1) { ++ close(dgram_sock); ++ } ++ if (dgram_bcast != -1) { ++ close(dgram_bcast); ++ } ++ return NULL; + } + + /**************************************************************************** +-- +1.6.3.3 + + +From df62c7c73e1a30a7db1257df44bbb50471d782c8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 8 Feb 2010 12:51:29 +0100 +Subject: [PATCH 2/4] s3:nmbd: change "nmbd:bind explicit broadcast" into "nmbd bind explicit broadcast" + +metze +(cherry picked from commit 0140bc389d56511c3255720856bdb64803ba8930) +--- + source3/include/proto.h | 1 + + source3/nmbd/nmbd_subnetdb.c | 2 +- + source3/param/loadparm.c | 11 +++++++++++ + 3 files changed, 13 insertions(+), 1 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index d2ae62c..82c55d0 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -3934,6 +3934,7 @@ const char *lp_logon_drive(void); + const char *lp_logon_home(void); + char *lp_remote_announce(void); + char *lp_remote_browse_sync(void); ++bool lp_nmbd_bind_explicit_broadcast(void); + const char **lp_wins_server_list(void); + const char **lp_interfaces(void); + const char *lp_socket_address(void); +diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c +index 96d7b32..703e229 100644 +--- a/source3/nmbd/nmbd_subnetdb.c ++++ b/source3/nmbd/nmbd_subnetdb.c +@@ -80,7 +80,7 @@ static struct subnet_record *make_subnet(const char *name, enum subnet_type type + int dgram_sock = -1; + int nmb_bcast = -1; + int dgram_bcast = -1; +- bool bind_bcast = lp_parm_bool(-1, "nmbd", "bind explicit broadcast", false); ++ bool bind_bcast = lp_nmbd_bind_explicit_broadcast(); + + /* Check if we are creating a non broadcast subnet - if so don't create + sockets. */ +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 6e5e0b2..5e4f2f6 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -157,6 +157,7 @@ struct global { + char *szRemoteAnnounce; + char *szRemoteBrowseSync; + char *szSocketAddress; ++ bool bNmbdBindExplicitBroadcast; + char *szNISHomeMapName; + char *szAnnounceVersion; /* This is initialised in init_globals */ + char *szWorkgroup; +@@ -3929,6 +3930,15 @@ static struct parm_struct parm_table[] = { + .flags = FLAG_ADVANCED, + }, + { ++ .label = "nmbd bind explicit broadcast", ++ .type = P_BOOL, ++ .p_class = P_GLOBAL, ++ .ptr = &Globals.bNmbdBindExplicitBroadcast, ++ .special = NULL, ++ .enum_list = NULL, ++ .flags = FLAG_ADVANCED, ++ }, ++ { + .label = "homedir map", + .type = P_STRING, + .p_class = P_GLOBAL, +@@ -5269,6 +5279,7 @@ FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive) + FN_GLOBAL_CONST_STRING(lp_logon_home, &Globals.szLogonHome) + FN_GLOBAL_STRING(lp_remote_announce, &Globals.szRemoteAnnounce) + FN_GLOBAL_STRING(lp_remote_browse_sync, &Globals.szRemoteBrowseSync) ++FN_GLOBAL_BOOL(lp_nmbd_bind_explicit_broadcast, &Globals.bNmbdBindExplicitBroadcast) + FN_GLOBAL_LIST(lp_wins_server_list, &Globals.szWINSservers) + FN_GLOBAL_LIST(lp_interfaces, &Globals.szInterfaces) + FN_GLOBAL_STRING(lp_nis_home_map_name, &Globals.szNISHomeMapName) +-- +1.6.3.3 + + +From 4b52a598f0eb179183b66a05707a3d7e3eaf50a6 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 8 Feb 2010 12:59:13 +0100 +Subject: [PATCH 3/4] s3:docs-xml: document "nmbd bind explicit broadcast" + +metze +(cherry picked from commit 9887751f6fa6f7e4fd5c79c637e0576405000c01) +--- + .../smbdotconf/misc/nmbdbindexplicitbroadcast.xml | 16 ++++++++++++++++ + 1 files changed, 16 insertions(+), 0 deletions(-) + create mode 100644 docs-xml/smbdotconf/misc/nmbdbindexplicitbroadcast.xml + +diff --git a/docs-xml/smbdotconf/misc/nmbdbindexplicitbroadcast.xml b/docs-xml/smbdotconf/misc/nmbdbindexplicitbroadcast.xml +new file mode 100644 +index 0000000..f328594 +--- /dev/null ++++ b/docs-xml/smbdotconf/misc/nmbdbindexplicitbroadcast.xml +@@ -0,0 +1,16 @@ ++ ++ ++ ++ This option allows you to setup nmbd ++ 8 to explicit bind to the ++ broadcast address of the local subnets. This is only useful in ++ combination with the option. ++ ++ ++ ++no ++ +-- +1.6.3.3 + + +From fa11a65188c2973ebba441d7b4f528831bfe3882 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Wed, 10 Feb 2010 12:32:05 -0800 +Subject: [PATCH 4/4] More of the fix for bug #7118 - nmbd problems with socket address. + +Add a simple "processed packet queue" cache to stop nmbd responding to +packets received on the broadcast and non-broadcast socket (which +it has opened when "nmbd bind explicit broadcast = yes"). + +This is a very simple packet queue - it only keeps the packets +processed during a single call to listen_for_packets() (i.e. one +select call). This means that if the delivery notification for a +packet received on both broadcast and non-broadcast addresses +is done in two different select calls, the packet will still be +processed twice. This is a very rare occurrance and we can just +live with it when it does as the protocol is stateless. If this +is ever flagged as a repeatable problem then we can add a longer +lived cache, using timeout processing to clear etc. etc. But without +storing all packets processed we can never be *sure* we've eliminated +the race condition so I'm going to go with this simple solution until +someone proves a more complex one is needed :-). + +Jeremy. +(cherry picked from commit 6fe7ee1d216fcf722b3efa23fd80782ce0dd0e9f) +--- + source3/nmbd/nmbd_packets.c | 89 +++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 89 insertions(+), 0 deletions(-) + +diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c +index 51f4e32..6c4b96a 100644 +--- a/source3/nmbd/nmbd_packets.c ++++ b/source3/nmbd/nmbd_packets.c +@@ -1765,6 +1765,83 @@ only use %d.\n", count, FD_SETSIZE)); + } + + /**************************************************************************** ++ List of packets we're processing this select. ++***************************************************************************/ ++ ++struct processed_packet { ++ struct processed_packet *next; ++ struct processed_packet *prev; ++ enum packet_type packet_type; ++ struct in_addr ip; ++ int packet_id; ++}; ++ ++/**************************************************************************** ++ Have we seen this before ? ++***************************************************************************/ ++ ++static bool is_processed_packet(struct processed_packet *processed_packet_list, ++ struct packet_struct *packet) ++{ ++ struct processed_packet *p = NULL; ++ ++ for (p = processed_packet_list; p; p = p->next) { ++ if (ip_equal_v4(p->ip, packet->ip) && p->packet_type == packet->packet_type) { ++ if ((p->packet_type == NMB_PACKET) && ++ (p->packet_id == ++ packet->packet.nmb.header.name_trn_id)) { ++ return true; ++ } else if ((p->packet_type == DGRAM_PACKET) && ++ (p->packet_id == ++ packet->packet.dgram.header.dgm_id)) { ++ return true; ++ } ++ } ++ } ++ return false; ++} ++ ++/**************************************************************************** ++ Keep a list of what we've seen before. ++***************************************************************************/ ++ ++static bool store_processed_packet(struct processed_packet **pp_processed_packet_list, ++ struct packet_struct *packet) ++{ ++ struct processed_packet *p = SMB_MALLOC_P(struct processed_packet); ++ if (!p) { ++ return false; ++ } ++ p->packet_type = packet->packet_type; ++ p->ip = packet->ip; ++ if (packet->packet_type == NMB_PACKET) { ++ p->packet_id = packet->packet.nmb.header.name_trn_id; ++ } else if (packet->packet_type == DGRAM_PACKET) { ++ p->packet_id = packet->packet.dgram.header.dgm_id; ++ } else { ++ return false; ++ } ++ ++ DLIST_ADD(*pp_processed_packet_list, p); ++ return true; ++} ++ ++/**************************************************************************** ++ Throw away what we've seen before. ++***************************************************************************/ ++ ++static void free_processed_packet_list(struct processed_packet **pp_processed_packet_list) ++{ ++ struct processed_packet *p = NULL, *next = NULL; ++ ++ for (p = *pp_processed_packet_list; p; p = next) { ++ next = p->next; ++ DLIST_REMOVE(*pp_processed_packet_list, p); ++ SAFE_FREE(p); ++ } ++} ++ ++/**************************************************************************** + Listens for NMB or DGRAM packets, and queues them. + return True if the socket is dead + ***************************************************************************/ +@@ -1784,6 +1861,7 @@ bool listen_for_packets(bool run_election) + #ifndef SYNC_DNS + int dns_fd; + #endif ++ struct processed_packet *processed_packet_list = NULL; + + if(listen_set == NULL || rescan_listen_set) { + if(create_listen_fdset(&listen_set, &sock_array, &listen_number, &maxfd)) { +@@ -1906,6 +1984,16 @@ bool listen_for_packets(bool run_election) + } + } + ++ ++ if (is_processed_packet(processed_packet_list, packet)) { ++ DEBUG(7,("discarding duplicate packet from %s:%d\n", ++ inet_ntoa(packet->ip),packet->port)); ++ free_packet(packet); ++ continue; ++ } ++ ++ store_processed_packet(&processed_packet_list, packet); ++ + /* + * 0,2,4,... are unicast sockets + * 1,3,5,... are broadcast sockets +@@ -1926,6 +2014,7 @@ bool listen_for_packets(bool run_election) + queue_packet(packet); + } + ++ free_processed_packet_list(&processed_packet_list); + return False; + } + -- 1.6.3.3 Property changes on: head/net/samba34/files/sernet.patch ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.1 \ No newline at end of property +1.2 \ No newline at end of property