
Re: Centrify Samba 3.3.9 Patches


Volker Lendecke

Dec 1, 2009, 5:59:45 PM
On Tue, Dec 01, 2009 at 11:48:19AM -0800, Dave Daugherty wrote:
> Here is the latest set of patches from Centrify along with a brief
> explanation of each patch. Some of these have been submitted to the
> list before. If you are interested in more details about these let us
> know.

Any chance we can get this in a format that actually applies
using unix tools? :-)

Volker

P.S: Not daring to ask for a git patchset...


Volker Lendecke

Dec 2, 2009, 3:28:10 AM
Hi!

On Tue, Dec 01, 2009 at 11:48:19AM -0800, Dave Daugherty wrote:
> Here is the latest set of patches from Centrify along with a brief
> explanation of each patch. Some of these have been submitted to the
> list before. If you are interested in more details about these let us
> know.

Dave has sent me a unified diff off-list, thanks for that!
For reference, I've attached it for consumption by git am.

Now to look at it more closely :-)

Volker

0001-Centrify-Samba-3.3.9-Unified.diff-as-git-patch.patch

Dave Daugherty

Dec 2, 2009, 1:11:56 PM
I think the original post got stuck in the moderator queue because it
was too big.

Here is a brief explanation of each patch.

1) winbindd/winbindd.c
Limit maximum simultaneous connections to 200
(Centrify will probably drop this patch next Samba synch up).

2) utils/testparm.c
HPUX - Guard against invalid uid/gid.

3) utils/smbpasswd.c,
Automatically prepend the host machine name when setting a user's
password so that it does not need to be typed.
smbpasswd -r rh9v2 -U rh9v2\\normal
(Centrify will review and possibly drop this patch in the next Samba
synch up).

4) sasl.c
clikrb5.c
kerberos_verify.c
Add support for AES encryption types (Windows 2008)
net ads user will fail if these encryption types exist in
/etc/krb5.conf - MIT kerberos

net ads user
root's password:
[2008/04/07 23:24:19, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password ro...@EASY.THING failed: Client not found in
Kerberos database

5) cliconnect.c
Makefile.in
Add support for NTLM authentication for AD users, where the assigned
Unix name is not the same as the user's samAccountName. This may only
apply to Centrify zones.

6) rpc_server/srv_srvsvc_nt.c
Added a lp_pathexist array to save the path status. If the directory
path for a shared resource does not exist do not present the share to
the client.

7) vfs_hpuxacl.c
initialized pointer before using it, so that SAFE_FREE() won't free
an uninitialized pointer

8) proto.h
loadparm.c
sec_ctx.c
Solaris 10 SPARC
The smb server stopped responding when an AD user who belongs to more
than 20 AD groups connects to the smb server.
3.3.X, samba will panic if sys_setgroups fails
Resolution: Add a new smb.conf option "ignore syssetgroups error",
default value is "No", allow the customers
to set it to Yes when necessary
(This is a controversial patch in that the Solaris system does not
get the real group list, but at least it prevents the crash).

9) libtdb.c
libtdb.h
Centrify created - wrapper functions around LGPL'D tdb sources to
help with maintaining secrets.tdb file
Samba team probably has no interest in these - especially since they
now have a library with the same name!
This library is only kept around if we run into problems in the
field again with
exec'ing "net change secretpw" (which we have reverted to doing).

10) configure
includes.h
capability.h
filesys.h
Resolve some SUSE-8 related build errors using GNU 3.2 compiler
1) update configure, remove CFLAGS +z for gcc 3.3 doesn't support
this
2) update includes.h, we should change the order for capability.h
and filesys.h
3) update capability.h, to prevent redefinition on struct statfs.

11) winbind_nss_hpux.h
Fix a compile error conflict for h_error and /usr/include/netdb.h


~~~~~~~~~~~~~~~~~~~~~

miguel....@arcelormittal.com

Dec 4, 2009, 6:38:54 AM
Hi

I'm also interested in the following patch


sec_ctx.c
Solaris 10 SPARC
The smb server stopped responding when ad user who belong to more than 20 AD groups connect the smb server.
3.3.X, samba will panic if sys_setgroups fails
Resolution: Add a new smb.conf option "ignore syssetgroups error", default value is "No", allow the customers
to set it to Yes when necessary
(This is a controversial patch in that the Solaris system does not get the real group list, but at least
it prevents the crash).

Since I am on AIX, (NGROUPS_MAX=128), I also have to change the code in sec_ctx every time before compiling.
I don't know if the Samba team is willing to make this configurable...


Best regards

Miguel SANDERS
ArcelorMittal Gent


-----Original message-----
From: samba-techn...@lists.samba.org [mailto:samba-techn...@lists.samba.org] On behalf of Dave Daugherty
Sent: Tuesday, December 1, 2009 20:48
To: samba-t...@samba.org
Subject: Centrify Samba 3.3.9 Patches

Here is the latest set of patches from Centrify along with a brief explanation of each patch. Some of these have been submitted to the list before. If you are interested in more details about these let us know.

Regards

Dave Daugherty

Centrify Corp.



Volker Lendecke

Dec 5, 2009, 10:32:15 AM
Hi!

On Fri, Dec 04, 2009 at 12:38:54PM +0100, miguel....@arcelormittal.com wrote:
> I don't know if the Samba team is willing to make this configurable...

To make this panic was a very conscious decision. The
problem is that not to panic makes access to the Samba
shares pretty random, depending on the sorting order the DC
decides to use for the group list. What we could do instead
of panic is to refuse access with NT_STATUS_ACCESS_DENIED,
which is not really much better.

There also have been attempts (I think there's even a bug
report) to filter the group memberships when logging in.
That is the right way to deal with that problem. It's just
not done yet.

Volker
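
Added example, not Samba or Centrify code: a small C model of the trade-off discussed in this thread. It assumes the non-panic path behaves like truncation to the first entries of the DC-supplied list, and it uses a constructed limit, constructed gids and a hypothetical `relevant` list to show why truncation is order-dependent while filtering group memberships at login is not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define DEMO_NGROUPS_MAX 4 /* constructed limit for the demo */

static bool contains(const gid_t *set, size_t n, gid_t g)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == g) return true;
    return false;
}

/* Assumed non-panic behaviour: only the first DEMO_NGROUPS_MAX entries apply. */
static bool member_if_truncated(const gid_t *groups, size_t n, gid_t wanted)
{
    return contains(groups, n < DEMO_NGROUPS_MAX ? n : DEMO_NGROUPS_MAX, wanted);
}

/* Filtering: keep only groups named in `relevant` (hypothetical list of groups
 * the server's ACLs reference). Returns kept count, or -1 if it still overflows. */
static int filter_groups(const gid_t *groups, size_t n,
                         const gid_t *relevant, size_t n_rel, gid_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!contains(relevant, n_rel, groups[i]) || contains(out, kept, groups[i]))
            continue;
        if (kept == DEMO_NGROUPS_MAX) return -1;
        out[kept++] = groups[i];
    }
    return (int)kept;
}

/* Constructed sample: the same six memberships in two DC orderings. */
static const gid_t order_a[] = { 1001, 1002, 1003, 1004, 1005, 1006 };
static const gid_t order_b[] = { 1006, 1005, 1004, 1003, 1002, 1001 };
static const gid_t relevant[] = { 1002, 1006 };

int main(void)
{
    gid_t out[DEMO_NGROUPS_MAX];
    printf("truncated, order A, gid 1006: %d\n", member_if_truncated(order_a, 6, 1006));
    printf("truncated, order B, gid 1006: %d\n", member_if_truncated(order_b, 6, 1006));
    printf("filtered count: %d\n", filter_groups(order_a, 6, relevant, 2, out));
    return 0;
}
```

With truncation the same user gains or loses gid 1006 purely by list order; with filtering both orderings yield the same two effective groups.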