Gerald (Jerry) Carter
2006-Aug-23 16:49 UTC
[Samba] Preliminary 3.0.23c patch for testing and review
Folks,

I've uploaded the preliminary patch against 3.0.23b that will
become 3.0.23c so people can do full testing against what
we hope to be the release code. Note that the reported version
in the patch is 3.0.23c-gwc-1 to prevent confusion from the
final 3.0.23c release.

You can download the gzipped patch file from
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz.
The uncompressed patch file has been signed using the
normal samba software release key (ID 157BC95E).

Please report *any* bugs that you find. Don't assume
someone else will do it for you. Of course, we can't fix
all the bugs in this release, but if something is
broken that was working in a previous release, we need to
know. Thanks.

cheers, jerry

Here's the relevant sections from the WHATSNEW.txt file:

------

Common bugs fixed in 3.0.23c include:

  o Authentication failures in pam_winbind when the AD domain
    policy is set to not expire passwords.
  o Authorization failures when using smb.conf options such
    as "valid users" with the smbpasswd passdb backend.

RID Algorithms & Passdb
======================

Starting with the 3.0.23c release, the officially supported passdb
backends (smbpasswd, tdbsam, and ldapsam) now operate identically
with regards to the historical RID algorithm for unmapped users
and groups (i.e. accounts not in the passdb or group mapping table).
The resulting behavior is that all unmapped users are resolved
to a SID in the S-1-22-1 domain and all unmapped groups resolve
to a SID in the S-1-22-2 domain. Previously, when using the
smbpasswd passdb, such users and groups would resolve to an
algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX).
However, the smbpasswd backend still utilizes the RID algorithm
when creating new user accounts or allocating a RID for a new
group mapping entry.

With the changes in the 3.0.23c release, it is now possible to
resolve a uid/gid, name, or SID in any direction and always obtain
a symmetric mapping. This is important so that values for
smb.conf parameters such as "valid users" resolve to the same
SIDs as those included in the local user's initial token.

Most installations will notice no change. However, because an
unmapped account's SID will now change even when using smbpasswd
it is possible that any security descriptors on files previously
copied from a Samba host to a Windows NTFS partition may now
fail to give access. The workaround is to either manually map
all affected groups (or add impacted users to the server's passdb)
or to manually reset the file's ACL.

######################################################################
Changes
#######

Changes since 3.0.23b
---------------------

commits
-------

o Jeremy Allison <jra@samba.org>
    * Various fixes for winbindd's offline mode.
    * OS/2 fixes for large Extended Attributes data.
    * Fix nmbd crashes caused by miscalculation in pushing
      announcements.

o Gerald (Jerry) Carter <jerry@samba.org>
    * RHEL4 and Fedora packaging updates.
    * Remove RID algorithm support for unmapped users and groups
      when using an smbpasswd backend.
    * Extend the NT token for local users with the S-1-22-2
      SID for each supplementary group
    * BUG 3969: Fix unsigned time comparison with expiration
      policy from AD DC.
    * Merge Guenther's fixes from the SuSE SLES10 tree to ensure
      that winbindd talks to the correct DC when servicing PAM
      authentication requests.

o Guenther Deschner <gd@samba.org>
    * Fix msdfs RPC client and server management RPCs.
    * Align idmap_ad with the current idmap_methods interface.

o Volker Lendecke <vl@samba.org>
    * Re-add support for "username level" when looking up the
      matching Unix user for an smbpasswd entry.

o Simo Sorce <idra@samba.org>
    * Let innetgr() work without binding its use to a NIS domain
      to support netgroups in local files.

o Ben Winslow <rain@bluecherry.net>
    * Allow client smb signing to be turned off correctly.

------
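
The SID change described in the WHATSNEW text above, as an added example that is not part of the original post and not Samba's own code: a Python audit of SIDs read from ACLs on files copied to NTFS, flagging entries that stop matching an unmapped account after the upgrade. The machine SID, the sample ACL and all function names are constructed, and the historical formula rid = (id * 2 + base) | group-bit with a base of 1000 is an assumption.

```python
import re

RID_BASE = 1000  # assumption: default of smb.conf "algorithmic rid base"
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

def old_sid(unix_id, is_group, base=RID_BASE):
    """Assumed historical algorithm: rid = (id * 2 + base) | type bit (1 = group)."""
    return f"{MACHINE_SID}-{(unix_id * 2 + base) | int(is_group)}"

def new_sid(unix_id, is_group):
    """3.0.23c: unmapped users -> S-1-22-1-<uid>, unmapped groups -> S-1-22-2-<gid>."""
    return f"S-1-22-{2 if is_group else 1}-{unix_id}"

def audit_ace(sid, mapped_uids, mapped_gids, base=RID_BASE):
    """Classify one ACE SID; return (status, replacement SID or None)."""
    if re.fullmatch(r"S-1-22-[12]-\d+", sid):
        return ("ok-unix-sid", None)
    m = re.fullmatch(re.escape(MACHINE_SID) + r"-(\d+)", sid)
    if not m or int(m.group(1)) < base:
        return ("not-algorithmic", None)  # foreign domain or well-known RID
    rid = int(m.group(1))
    is_group = bool(rid & 1)
    unix_id = ((rid & ~1) - base) // 2
    if unix_id in (mapped_gids if is_group else mapped_uids):
        return ("ok-mapped", None)  # passdb / group map entry keeps this SID
    return ("stale", new_sid(unix_id, is_group))

def audit(acl, mapped_uids, mapped_gids):
    """Return {path: [(sid, replacement)]} for ACEs that no longer match."""
    report = {}
    for path, sids in acl.items():
        stale = [(s, r) for s in sids
                 for status, r in [audit_ace(s, mapped_uids, mapped_gids)]
                 if status == "stale"]
        if stale:
            report[path] = stale
    return report

# Constructed sample: SIDs read from security descriptors on an NTFS copy.
SAMPLE_ACL = {
    r"D:\copy\report.doc": [old_sid(501, False), old_sid(100, True)],
    r"D:\copy\notes.txt": [old_sid(502, False), "S-1-5-32-544"],
}

if __name__ == "__main__":
    found = audit(SAMPLE_ACL, mapped_uids={502}, mapped_gids=set())
    for path, entries in found.items():
        for sid, replacement in entries:
            print(f"{path}: {sid} -> now resolves as {replacement}")
```

Entries reported as stale are the ones the workaround in the release notes applies to: map the group, add the user to the passdb, or reset the file's ACL.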
David Rankin
2006-Aug-24 04:17 UTC
[Samba] Preliminary 3.0.23c patch for testing and review
> From: "Gerald (Jerry) Carter" <jerry@samba.org>
>
> Folks,
>
> Please report *any* bugs that you find. Don't assume
> someone else will do it for you. Of course, we can't fix
> all the bugs in this release, but if something is
> broken that was working in a previous release, we need to
> know. Thanks.

Patch went fine.......

[david@bonza source]$ ./configure --prefix=/usr --infodir=/usr/share --mandir=/usr/share --with-configdir=/etc/samba

...went fine...

But, it looks like a compile error in rpc_parse/parse_dfs.c. See below:

[root@bonza source]# make
Using FLAGS = -O -D_SAMBA_BUILD_ -I/home/david/updates/src/samba-3.0.23b/source/popt -I/home/david/updates/src/samba-3.0.23b/source/iniparser/src -Iinclude -I/home/david/updates/src/samba-3.0.23b/source/include -I/home/david/updates/src/samba-3.0.23b/source/tdb -I. -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/home/david/updates/src/samba-3.0.23b/source -D_SAMBA_BUILD_
LIBS = -lcrypt -lresolv -lresolv -lnsl -ldl
LDSHFLAGS = -shared -Wl,-Bsymbolic
LDFLAGS
PIE_CFLAGS = -fPIE
PIE_LDFLAGS = -pie
Compiling dynconfig.c
Compiling smbd/password.c
Compiling smbd/share_access.c
Compiling smbd/vfs.c
Compiling smbd/service.c
Compiling smbd/msdfs.c
Compiling rpc_server/srv_dfs_nt.c
Compiling rpc_parse/parse_dfs.c
rpc_parse/parse_dfs.c:1866: error: conflicting types for 'init_netdfs_q_dfs_Enum'
include/proto.h:4890: error: previous declaration of 'init_netdfs_q_dfs_Enum' was here
rpc_parse/parse_dfs.c:1866: error: conflicting types for 'init_netdfs_q_dfs_Enum'
include/proto.h:4890: error: previous declaration of 'init_netdfs_q_dfs_Enum' was here
make: *** [rpc_parse/parse_dfs.o] Error 1

Help, did I do something wrong? Or, is there really a screwed up type/type cast somewhere in the file???

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankinlawfirm.com
Hansjörg Maurer
2006-Aug-24 07:27 UTC
[Samba] Re: Preliminary 3.0.23c patch for testing and review
Hi,

the patch compiles and installs fine here.

[root@donau tmp]# smbstatus
Processing section "[ftp]"

Samba version 3.0.23c-gwc-1
PID Username Group Machine
-------------------------------------------------------------------

But we still have the behavior described in the thread
"New approach to the valid user fix".

We are running winbind in security=ads and all AD domain users exist on the Unix system as Unix users (nis) with identical usernames, and our config contains

idmap uid = 10000-10000
idmap gid = 10000-10000
winbind use default domain = Yes
winbind trusted domains only = Yes

In version 3.0.21, if a Windows user creates a file on the samba server, it was owned (Windows Security Settings / ACL Editor) by the user DOM\username.

Starting from 3.0.23 it is owned by Unix User\username.

If I add an ACL to this file from Windows (e.g. DOM\user2), at first it is shown after a reopen of the ACL Editor as DOM\user2. But this might be a client cache issue, because when I restart samba, the user is shown as Unix User\user2.

Was this patch intended to solve this Unix User\username DOM\username mapping problem, or do I miss a config setting?

Greetings

Hansjörg

Gerald (Jerry) Carter wrote:
> Folks,
>
> I've uploaded the preliminary patch against 3.0.23b that will
> become 3.0.23c so people can do full testing against what
> we hope to be the release code. Note that the reported version
> in the patch is 3.0.23c-gwc-1 to prevent confusion from the
> final 3.0.23c release.
>
> You can download the gzipped patch file from
> http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz.
> The uncompressed patch file has been signed using the
> normal samba software release key (ID 157BC95E).
>
> Please report *any* bugs that you find. Don't assume
> someone else will do it for you. Of course, we can't fix
> all the bugs in this release, but if something is
> broken that was working in a previous release, we need to
> know. Thanks.
Gerald (Jerry) Carter
2006-Aug-24 20:52 UTC
[Samba] Re: Preliminary 3.0.23c patch for testing and review
Matthew Mastracci wrote:
>> Common bugs fixed in 3.0.23c include:
>>
>> o Authentication failures in pam_winbind when the AD domain
>> policy is set to not expire passwords.
>> o Authorization failures when using smb.conf options such
>> as "valid users" with the smbpasswd passdb backend.
>
> This fixes the problem that I was having with winbind failing to
> authenticate any user on a member server. It was giving the
> NEW_AUTHTOK_REQD message before, works perfectly now!

Great. Thanks for the feedback.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Matthew Mastracci
2006-Aug-24 20:55 UTC
[Samba] Re: Preliminary 3.0.23c patch for testing and review
Gerald (Jerry) Carter wrote:
> I've uploaded the preliminary patch against 3.0.23b that will
> become 3.0.23c so people can do full testing against what
> we hope to be the release code. Note that the reported version
> in the patch is 3.0.23c-gwc-1 to prevent confusion from the
> final 3.0.23c release.
> ------
> Common bugs fixed in 3.0.23c include:
>
> o Authentication failures in pam_winbind when the AD domain
> policy is set to not expire passwords.
> o Authorization failures when using smb.conf options such
> as "valid users" with the smbpasswd passdb backend.

This fixes the problem that I was having with winbind failing to authenticate any user on a member server. It was giving the NEW_AUTHTOK_REQD message before, works perfectly now!

Matt.
Peter Trifonov
2006-Aug-28 09:26 UTC
[Samba] Preliminary 3.0.23c patch for testing and review
Dear Jerry,

> I've uploaded the preliminary patch against 3.0.23b that will
> become 3.0.23c so people can do full testing against what we
> hope to be the release code. Note that the reported version
> in the patch is 3.0.23c-gwc-1 to prevent confusion from the
> final 3.0.23c release.

Patching went fine, and the "password expired" problem seems to be solved. However, the group membership problem ( https://bugzilla.samba.org/show_bug.cgi?id=3990 ) still remains. Please let me know if it is going to be fixed in the official 3.0.23c release, or I will have to downgrade to 3.0.22. This feature is likely to be intensively used in the next few months, so I have to put the server into the working state somehow.

Many thanks in advance.

With best regards,
P. Trifonov