8 years ago s3-winbind Don't send the LM password to the server, ever
Andrew Bartlett [Fri, 10 Dec 2010 01:10:07 +0000 (12:10 +1100)]
s3-winbind Don't send the LM password to the server, ever

This is for the case where we have the plaintext password locally, and
can construct the challenge-response values here.

We should never ever use the LM password in domain authentication.
The last domain controller to only have LM passwords stored was NT

Andrew Bartlett

8 years ago s3-libsmb Don't ever ask for machine$ principals as a target.
Andrew Bartlett [Thu, 9 Dec 2010 20:57:59 +0000 (07:57 +1100)]
s3-libsmb Don't ever ask for machine$ principals as a target.

It is never correct to ask for a machine$ principal as the target of a
kerberos connection.  You should always connect via the

This current code appears to have built up from a series of minimal
changes, as the codebase adapted to the lack of a SPNEGO principal
from Windows 2008.

Andrew Bartlett

8 years ago s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
Andrew Bartlett [Thu, 9 Dec 2010 06:37:14 +0000 (17:37 +1100)]
s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'

Andrew Bartlett

8 years ago s3-docs Explain change to NTLMv2 by default in the client
Andrew Bartlett [Thu, 9 Dec 2010 05:47:08 +0000 (16:47 +1100)]
s3-docs Explain change to NTLMv2 by default in the client

8 years ago s3-client Use NTLMv2 by default in the Samba client
Andrew Bartlett [Sat, 4 Dec 2010 03:57:46 +0000 (14:57 +1100)]
s3-client Use NTLMv2 by default in the Samba client

This matches the improved security measures of Windows Vista.

Andrew Bartlett

8 years ago s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
Andrew Bartlett [Sat, 4 Dec 2010 03:11:57 +0000 (14:11 +1100)]
s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default

This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org>
turns off the sending of the principal in the negprot by default, matching
Windows 2008 behaviour.

This slowly works us back from this hack, which from an RFC
perspective was never the right thing to do in the first place, but we
traditionally follow windows behaviour.  It also discourages client
implementations from relying on it, as if they do they are more open to
man-in-the-middle attacks.

Andrew Bartlett

8 years ago s3-libads Default to NOT using the server-supplied principal from SPNEGO
Andrew Bartlett [Sat, 4 Dec 2010 02:48:37 +0000 (13:48 +1100)]
s3-libads Default to NOT using the server-supplied principal from SPNEGO

This principal is not supplied by later versions of windows, and using
it opens up some opportunities for man in the middle attacks.  (Because
it isn't the name being contacted that is verified with the KDC).

This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaviour.  As in Samba4, this
defaults to false.

Against 2008 servers, this will not change behaviour.  Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.

Andrew Bartlett

8 years ago subunitrun: Use unittest.TestProgram if subunit.TestProgram is not
Jelmer Vernooij [Fri, 10 Dec 2010 02:03:18 +0000 (03:03 +0100)]
subunitrun: Use unittest.TestProgram if subunit.TestProgram is not

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 10 03:49:03 CET 2010 on sn-devel-104

8 years ago s4-python: Add convenience function for forcibly importing bundled
Jelmer Vernooij [Thu, 9 Dec 2010 23:47:33 +0000 (00:47 +0100)]
s4-python: Add convenience function for forcibly importing bundled

8 years ago subunitrun: Extend hack to cope with older system subunit run installs.
Jelmer Vernooij [Thu, 9 Dec 2010 22:28:25 +0000 (23:28 +0100)]
subunitrun: Extend hack to cope with older system subunit run installs.

8 years ago subunitrun: Remove global subunit module when reimporting from a
Jelmer Vernooij [Thu, 9 Dec 2010 21:48:16 +0000 (22:48 +0100)]
subunitrun: Remove global subunit module when reimporting from a
different location.

8 years ago s4-dist: Remove no longer existing files from blacklist (fixes 'make
Jelmer Vernooij [Thu, 9 Dec 2010 21:46:08 +0000 (22:46 +0100)]
s4-dist: Remove no longer existing files from blacklist (fixes 'make
dist' inclusion of configure)

8 years ago s4-python: Fix use of bundled modules.
Jelmer Vernooij [Thu, 9 Dec 2010 20:38:48 +0000 (21:38 +0100)]
s4-python: Fix use of bundled modules.

8 years ago s4-python: Split up ensure_external_module.
Jelmer Vernooij [Thu, 9 Dec 2010 18:45:37 +0000 (19:45 +0100)]
s4-python: Split up ensure_external_module.

8 years ago selftest: Make sure system subunit.run has TestProgram.
Jelmer Vernooij [Thu, 9 Dec 2010 17:49:38 +0000 (18:49 +0100)]
selftest: Make sure system subunit.run has TestProgram.

8 years ago smbtorture: Rename --list to --list-suites, add stub --list.
Jelmer Vernooij [Thu, 9 Dec 2010 15:57:45 +0000 (16:57 +0100)]
smbtorture: Rename --list to --list-suites, add stub --list.

8 years ago selftest: Check exit code when listing tests.
Jelmer Vernooij [Thu, 9 Dec 2010 15:48:24 +0000 (16:48 +0100)]
selftest: Check exit code when listing tests.

8 years ago s4-selftest: Add convenience function for running testsuites using
Jelmer Vernooij [Thu, 9 Dec 2010 15:28:31 +0000 (16:28 +0100)]
s4-selftest: Add convenience function for running testsuites using

8 years ago selftest: Allow discovering tests in pure python testsuites.
Jelmer Vernooij [Thu, 9 Dec 2010 14:41:17 +0000 (15:41 +0100)]
selftest: Allow discovering tests in pure python testsuites.

8 years ago subunitrun: Support --list.
Jelmer Vernooij [Thu, 9 Dec 2010 14:35:51 +0000 (15:35 +0100)]
subunitrun: Support --list.

8 years ago selftest: Rename $LIST to $LISTOPT for consistency with testrepository.
Jelmer Vernooij [Thu, 9 Dec 2010 14:35:23 +0000 (15:35 +0100)]
selftest: Rename $LIST to $LISTOPT for consistency with testrepository.

8 years ago dnspython: Update to newer upstream snapshot.
Jelmer Vernooij [Thu, 9 Dec 2010 13:53:45 +0000 (14:53 +0100)]
dnspython: Update to newer upstream snapshot.

8 years ago subunit: Update to newer upstream snapshot.
Jelmer Vernooij [Thu, 9 Dec 2010 13:51:51 +0000 (14:51 +0100)]
subunit: Update to newer upstream snapshot.

8 years ago testtools: Import new upstream snapshot.
Jelmer Vernooij [Thu, 9 Dec 2010 13:51:17 +0000 (14:51 +0100)]
testtools: Import new upstream snapshot.

8 years ago selftest: add --list option.
Jelmer Vernooij [Thu, 9 Dec 2010 13:46:09 +0000 (14:46 +0100)]
selftest: add --list option.

8 years ago selftest: Document --testenv in --help output, remove documentation for
Jelmer Vernooij [Thu, 9 Dec 2010 12:37:13 +0000 (13:37 +0100)]
selftest: Document --testenv in --help output, remove documentation for
now obsolete --analyse-cmd.

8 years ago pidl: use $CC -E if $CPP is not defined, if both undefined use cpp
Matthieu Patou [Thu, 9 Dec 2010 23:03:40 +0000 (02:03 +0300)]
pidl: use $CC -E if $CPP is not defined, if both undefined use cpp

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Fri Dec 10 01:26:44 CET 2010 on sn-devel-104

8 years ago build: use CPP and CC values when calling pidl
Matthieu Patou [Thu, 9 Dec 2010 23:36:24 +0000 (02:36 +0300)]
build: use CPP and CC values when calling pidl

8 years ago build: introduce SAMBA_CHECK_PYTHON_HEADERS
Matthieu Patou [Thu, 9 Dec 2010 22:42:32 +0000 (01:42 +0300)]

This function is a wrapper around waf's check_python_header.
It avoids searching more than once for the headers bringing a small
speed improvement and a better readability of the logs.

But it's mainly to avoid a nasty bug when python libraries are in path
pointed by python_LIBPL (ie. /usr/local/lib/python2.6/config/) instead
of python_LIBDIR (ie. /usr/local/lib).

On the first call waf will correctly find that in order to link with
python libs it needs to add -L$python_LIBPL.

But on the next calls of check_python_headers, waf will use both the
current library path value (ie. -L/usr/local/lib/python2.6/config) and
-L$python_LIBDIR (ie. /usr/local/lib/) which will make it believe that
python libraries are in $python_LIBDIR which at the end will make the
final link test fail in check_python_headers as it will not use the
good directory.

So by avoiding calling check_python_headers more than once we avoid
making waf fool itself.

8 years ago build: finishing fixing broken libiconv on hpux
Matthieu Patou [Thu, 9 Dec 2010 20:31:16 +0000 (23:31 +0300)]
build: finishing fixing broken libiconv on hpux

8 years ago s4 libcli: Add libcli_echo lib and torture test
Kai Blin [Mon, 15 Nov 2010 22:01:57 +0000 (23:01 +0100)]
s4 libcli: Add libcli_echo lib and torture test

Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Thu Dec  9 23:57:03 CET 2010 on sn-devel-104

8 years ago s4: Implement UDP echo server example
Kai Blin [Sun, 7 Nov 2010 09:05:56 +0000 (10:05 +0100)]
s4: Implement UDP echo server example

This is a simple UDP-based echo server. It is mainly intended as an
example on how to do server service tasks in s4.

8 years ago s4:pyrpc_util: s/typename/type_name to avoid c++ warnings
Stefan Metzmacher [Thu, 9 Dec 2010 08:59:52 +0000 (09:59 +0100)]
s4:pyrpc_util: s/typename/type_name to avoid c++ warnings


Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec  9 17:55:57 CET 2010 on sn-devel-104

8 years ago talloc: pytalloc-util should not have an ABI-file yet
Stefan Metzmacher [Thu, 9 Dec 2010 08:36:55 +0000 (09:36 +0100)]
talloc: pytalloc-util should not have an ABI-file yet

Somehow I forgot to remove this after discussion with Jelmer.


8 years ago wintest Remove the password expiry as the first step
Andrew Bartlett [Thu, 9 Dec 2010 11:05:14 +0000 (22:05 +1100)]
wintest Remove the password expiry as the first step

This is particularly important before dcpromo, as the password will
otherwise be expired in the new domain.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec  9 13:33:00 CET 2010 on sn-devel-104

8 years ago waf: remove the restriction that private libraries must not have a vnum
Andrew Tridgell [Thu, 9 Dec 2010 10:58:20 +0000 (21:58 +1100)]
waf: remove the restriction that private libraries must not have a vnum

we need the vnum for ABI checking for public libraries built as
private libraries when bundled

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Dec  9 12:47:41 CET 2010 on sn-devel-104

8 years ago waf: fixed path to abi_directory
Andrew Tridgell [Thu, 9 Dec 2010 10:49:01 +0000 (21:49 +1100)]
waf: fixed path to abi_directory

this broke in a recent patch

8 years ago s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
Andrew Bartlett [Thu, 9 Dec 2010 06:51:36 +0000 (17:51 +1100)]
s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec  9 08:50:28 CET 2010 on sn-devel-104

8 years ago s4-lsa Implement kerberos ticket life policy
Andrew Bartlett [Thu, 9 Dec 2010 03:17:54 +0000 (14:17 +1100)]
s4-lsa Implement kerberos ticket life policy

We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC.  We should get
this from group policy, but for now it's parametric smb.conf options.

Andrew Bartlett

8 years ago s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests
Andrew Bartlett [Sat, 4 Dec 2010 06:02:49 +0000 (17:02 +1100)]
s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests

The new default breaks some tests that were assuming LM or NTLM auth

Andrew Bartlett

8 years ago s4-client Use NTLMv2 by default in the Samba4 client.
Andrew Bartlett [Sat, 4 Dec 2010 03:59:29 +0000 (14:59 +1100)]
s4-client Use NTLMv2 by default in the Samba4 client.

8 years ago waf: add a dependency between the library and its vscript
Andrew Tridgell [Thu, 9 Dec 2010 02:06:22 +0000 (13:06 +1100)]
waf: add a dependency between the library and its vscript

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Dec  9 04:32:18 CET 2010 on sn-devel-104

8 years ago waf: don't use symbol versioning on our modules
Andrew Tridgell [Thu, 9 Dec 2010 01:30:30 +0000 (12:30 +1100)]
waf: don't use symbol versioning on our modules

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago waf: use vscripts for our private libraries too
Andrew Tridgell [Thu, 9 Dec 2010 01:24:48 +0000 (12:24 +1100)]
waf: use vscripts for our private libraries too

if the library has a vnum, then use it. If it doesn't have a vnum then
use the application version for symbol versions

8 years ago waf: make mkdir_p on a empty string not recurse forever
Andrew Tridgell [Thu, 9 Dec 2010 01:23:40 +0000 (12:23 +1100)]
waf: make mkdir_p on a empty string not recurse forever

8 years ago waf-abi: auto-generate per-symbol versions from ABI files
Andrew Tridgell [Thu, 9 Dec 2010 00:10:45 +0000 (11:10 +1100)]
waf-abi: auto-generate per-symbol versions from ABI files

This changes our version-script generation to use the ABI files that
are saved in git with each version number change of our public

We use these ABI files to generate a linker version script that gives
the exact version number that each symbol was introduced. This
provides us with automatic fine grained symbol versioning.

Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago build: do not duplicate the checks for python in samba4
Matthieu Patou [Wed, 8 Dec 2010 21:38:12 +0000 (00:38 +0300)]
build: do not duplicate the checks for python in samba4

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Thu Dec  9 00:47:23 CET 2010 on sn-devel-104

8 years ago build: Cope with broken libiconv
Matthieu Patou [Wed, 8 Dec 2010 21:17:37 +0000 (00:17 +0300)]
build: Cope with broken libiconv

library iconv needs mbrtowc but some systems didn't provide it (ie.
HP-UX 11.0)

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Dec  8 23:19:19 CET 2010 on sn-devel-104

8 years ago dcerpc.idl: fix typo 0x800000000 => 0x80000000
Stefan Metzmacher [Wed, 8 Dec 2010 18:01:45 +0000 (19:01 +0100)]
dcerpc.idl: fix typo 0x800000000 => 0x80000000


Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Dec  8 20:13:03 CET 2010 on sn-devel-104

8 years ago s4:ldb: add ABI/ldb-0.9.20.sigs
Stefan Metzmacher [Wed, 8 Dec 2010 15:08:19 +0000 (16:08 +0100)]
s4:ldb: add ABI/ldb-0.9.20.sigs


8 years ago s4:ldb: build libldb and pyldb-util as private libraries when building for samba4
Stefan Metzmacher [Wed, 8 Dec 2010 14:12:57 +0000 (15:12 +0100)]
s4:ldb: build libldb and pyldb-util as private libraries when building for samba4

This matches the behavior of the talloc and tdb builds.


8 years ago talloc: build pytalloc-util with the same logic as libtalloc
Stefan Metzmacher [Wed, 8 Dec 2010 11:42:02 +0000 (12:42 +0100)]
talloc: build pytalloc-util with the same logic as libtalloc


8 years ago talloc: mark pytalloc-util functions as _PUBLIC_
Stefan Metzmacher [Wed, 8 Dec 2010 14:10:21 +0000 (15:10 +0100)]
talloc: mark pytalloc-util functions as _PUBLIC_


8 years ago talloc: remove unused PyString_FromString_check_null() from pytalloc-util
Stefan Metzmacher [Wed, 8 Dec 2010 14:09:33 +0000 (15:09 +0100)]
talloc: remove unused PyString_FromString_check_null() from pytalloc-util


8 years ago pidl:Samba4/Python.pm: use PyString_FromStringOrNULL() from pyrpc_util
Stefan Metzmacher [Wed, 8 Dec 2010 14:08:45 +0000 (15:08 +0100)]
pidl:Samba4/Python.pm: use PyString_FromStringOrNULL() from pyrpc_util


8 years ago s4:python: add PyString_FromStringOrNULL() to pyrpc_util
Stefan Metzmacher [Wed, 8 Dec 2010 14:07:32 +0000 (15:07 +0100)]
s4:python: add PyString_FromStringOrNULL() to pyrpc_util


8 years ago buildtools: private_libraries should not have a version in the soname
Stefan Metzmacher [Wed, 8 Dec 2010 11:40:19 +0000 (12:40 +0100)]
buildtools: private_libraries should not have a version in the soname


8 years ago buildtools: add the PRIVATE_EXTENSION for private libraries
Stefan Metzmacher [Wed, 8 Dec 2010 11:02:51 +0000 (12:02 +0100)]
buildtools: add the PRIVATE_EXTENSION for private libraries


8 years ago buildtools: make sure we have no '+' in the version scripts
Stefan Metzmacher [Wed, 8 Dec 2010 11:40:59 +0000 (12:40 +0100)]
buildtools: make sure we have no '+' in the version scripts

This happens if '--git-local-changes' was used.


8 years ago smbtorture: use xxxULL notation instead of INT64_C(xxx)
Matthieu Patou [Wed, 8 Dec 2010 12:32:49 +0000 (15:32 +0300)]
smbtorture: use xxxULL notation instead of INT64_C(xxx)

The first one is portable the second not always

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Dec  8 15:48:10 CET 2010 on sn-devel-104

8 years ago s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only one using...
Nadezhda Ivanova [Wed, 8 Dec 2010 12:30:23 +0000 (14:30 +0200)]
s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only one using this result message.

No need to reference as no one further up the stack uses the result, it is the result of a secondary request sent by aclread.

As a result from code review by Kamen Mazdrashki and Anatoliy Atanasov

Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec  8 15:01:51 CET 2010 on sn-devel-104

8 years ago Add ncacn_http (RTS) IDL implementation in dcerpc.idl
Julien Kerihuel [Sun, 5 Dec 2010 22:10:30 +0000 (23:10 +0100)]
Add ncacn_http (RTS) IDL implementation in dcerpc.idl

Signed-off-by: Julien Kerihuel <j.kerihuel@openchange.org>
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Wed Dec  8 14:17:45 CET 2010 on sn-devel-104

8 years ago ldb: bump version number after introduction of new constant.
Jelmer Vernooij [Wed, 8 Dec 2010 12:19:20 +0000 (13:19 +0100)]
ldb: bump version number after introduction of new constant.

8 years ago s4-acl: Fixed incorrect value of LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE
Nadezhda Ivanova [Wed, 8 Dec 2010 11:19:27 +0000 (13:19 +0200)]

Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec  8 13:31:48 CET 2010 on sn-devel-104

8 years ago s4-pkgconfig: add @LIB_RPATH@ to our link flags
Andrew Tridgell [Wed, 8 Dec 2010 09:41:37 +0000 (20:41 +1100)]
s4-pkgconfig: add @LIB_RPATH@ to our link flags

this is only set when rpath is used on install. It ensures that
applications that link against Samba libraries get the rpath right

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec  8 12:46:00 CET 2010 on sn-devel-104

8 years ago waf: added --disable-symbol-versions configure option
Andrew Tridgell [Wed, 8 Dec 2010 08:00:00 +0000 (19:00 +1100)]
waf: added --disable-symbol-versions configure option

some people may not want symbol versions.

8 years ago s4-ldb: added @LIB_RPATH@ to the ldb pc file
Andrew Tridgell [Wed, 8 Dec 2010 07:47:54 +0000 (18:47 +1100)]
s4-ldb: added @LIB_RPATH@ to the ldb pc file

8 years ago waf: support @LIB_RPATH@ in pc files
Andrew Tridgell [Wed, 8 Dec 2010 07:47:39 +0000 (18:47 +1100)]
waf: support @LIB_RPATH@ in pc files

this will be used to get the needed -Wl,-rpath options into our pc

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-acl: Changed the mechanism of attribute removal to speed it up.
Nadezhda Ivanova [Wed, 8 Dec 2010 10:12:34 +0000 (12:12 +0200)]
s4-acl: Changed the mechanism of attribute removal to speed it up.

Instead of using ldb_msg_remove_attr, now we are flagging the attributes to be removed,
and allocating the new elements array to be returned at once. This seems to decrease the
overhead by 50 percent.

Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec  8 12:00:27 CET 2010 on sn-devel-104

8 years ago s4-acl: Added a flag to mark an element as failing an access check.
Nadezhda Ivanova [Wed, 8 Dec 2010 10:03:43 +0000 (12:03 +0200)]
s4-acl: Added a flag to mark an element as failing an access check.

8 years ago ndr: Another try to support the build on non-IPv6 systems
Kai Blin [Mon, 6 Dec 2010 06:43:35 +0000 (07:43 +0100)]
ndr: Another try to support the build on non-IPv6 systems

Signed-off-by: Matthieu Patou <mat@matws.net>
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Dec  8 10:26:00 CET 2010 on sn-devel-104

8 years ago s4-param Allow +foo syntax in smb.conf list parsing
Andrew Bartlett [Wed, 8 Dec 2010 05:27:38 +0000 (16:27 +1100)]
s4-param Allow +foo syntax in smb.conf list parsing

The idea here is to allow an smb.conf file to work from the defaults,
rather than override them.  For example, 'server services = +openchange'.

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec  8 09:39:06 CET 2010 on sn-devel-104

8 years ago s4-spnego use "not_defined_in_RFC4178@please_ignore" if no principal specified
Andrew Bartlett [Wed, 8 Dec 2010 07:52:33 +0000 (18:52 +1100)]
s4-spnego use "not_defined_in_RFC4178@please_ignore" if no principal specified

We need to make this the default, but for now just send it if we have
not been given a target principal.

Andrew Bartlett

8 years ago libcli/auth bring ADS_IGNORE_PRINCIPAL in common
Andrew Bartlett [Sat, 4 Dec 2010 04:23:44 +0000 (15:23 +1100)]
libcli/auth bring ADS_IGNORE_PRINCIPAL in common

8 years ago build: tru64 needs -shared for building libs
Matthieu Patou [Wed, 8 Dec 2010 06:47:36 +0000 (09:47 +0300)]
build: tru64 needs -shared for building libs

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Dec  8 08:33:54 CET 2010 on sn-devel-104

8 years ago waf: added -Wmissing-prototypes to build
Andrew Tridgell [Wed, 8 Dec 2010 04:04:33 +0000 (15:04 +1100)]
waf: added -Wmissing-prototypes to build

This ensures that we always have a prototype for any function we

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec  8 06:12:07 CET 2010 on sn-devel-104

8 years ago waf: make all generators depend on their rules
Andrew Tridgell [Wed, 8 Dec 2010 04:03:35 +0000 (15:03 +1100)]
waf: make all generators depend on their rules

this ensures we rebuild when a constructed rule changes

8 years ago s3-waf: fixed version number handling
Andrew Tridgell [Wed, 8 Dec 2010 03:58:12 +0000 (14:58 +1100)]
s3-waf: fixed version number handling

8 years ago s4-heimdal: enable symbol versioning in heimdal
Andrew Tridgell [Wed, 8 Dec 2010 03:57:31 +0000 (14:57 +1100)]
s4-heimdal: enable symbol versioning in heimdal

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>

8 years ago waf: use -Wl,--version-script if available
Andrew Tridgell [Wed, 8 Dec 2010 03:52:43 +0000 (14:52 +1100)]
waf: use -Wl,--version-script if available

This enables symbol version on our libraries, if the system supports

If the library is a public library, then set the symbol version based
on the major number. If it is a private library then set it based on
the full version number (which will include the git hash if

This ensures that applications using our libraries don't use symbols
from other libraries that they may be linked to. It also ensures we
only use the right version of any private libraries.

Note that the linker ends up generating both a version and unversioned
symbol for all symbols. This means existing users of our public
libraries will continue to work, with symbols resolved to the
unversioned symbol. When applications are re-linked they will bind to
the specific symbol version.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>

8 years ago waf: added configure test for -Wl,--version-script
Andrew Tridgell [Wed, 8 Dec 2010 00:26:32 +0000 (11:26 +1100)]
waf: added configure test for -Wl,--version-script

this checks that the linker supports --version-script

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-dns: dlz_bind9 doesn't need to link to gensec any more
Andrew Tridgell [Wed, 8 Dec 2010 00:29:34 +0000 (11:29 +1100)]
s4-dns: dlz_bind9 doesn't need to link to gensec any more

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-waf: get the version number right on private libraries
Andrew Tridgell [Wed, 8 Dec 2010 00:25:28 +0000 (11:25 +1100)]
s4-waf: get the version number right on private libraries

use the first digit of the version number for the library version

Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>

8 years ago s4-dns: use ldb hooks for samba extensions in dlz_bind9
Andrew Tridgell [Tue, 7 Dec 2010 22:58:52 +0000 (09:58 +1100)]
s4-dns: use ldb hooks for samba extensions in dlz_bind9

this avoids linking dlz_bind9 directly to heimdal, which allows a
RTLD_DEEPBIND in ldb module loading to find the right kerberos version

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-ldb: use RTLD_DEEPBIND if available for ldb modules
Andrew Tridgell [Tue, 7 Dec 2010 22:41:25 +0000 (09:41 +1100)]
s4-ldb: use RTLD_DEEPBIND if available for ldb modules

this allows us to avoid issues with ldb using heimdal while an
application using ldb uses MIT kerberos

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-dns: allow a remote ldap server to be used with dlz_bind9
Andrew Tridgell [Tue, 7 Dec 2010 22:04:49 +0000 (09:04 +1100)]
s4-dns: allow a remote ldap server to be used with dlz_bind9

this allows for configs like this:

dlz "Samba zone" {
database "dlopen /usr/lib/samba/modules/bind9/dlz_bind9.so
-H ldap:// -Uadministrator@v2.tridgell.net%penguin -k no";

8 years ago s4-dsdb: register samba handlers in dsdb module
Andrew Tridgell [Tue, 7 Dec 2010 21:22:21 +0000 (08:22 +1100)]
s4-dsdb: register samba handlers in dsdb module

8 years ago s4-ldb: ensure ldb_register_samba_handlers() is not done twice
Andrew Tridgell [Tue, 7 Dec 2010 21:22:07 +0000 (08:22 +1100)]
s4-ldb: ensure ldb_register_samba_handlers() is not done twice

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago wintest: use --add-ref for RODC replication
Andrew Tridgell [Tue, 7 Dec 2010 21:21:40 +0000 (08:21 +1100)]
wintest: use --add-ref for RODC replication

this forces the creation of the repsTo attribute, and allows more
complete testing of RODC replication

8 years ago samba-tools: more reasonable defaults for samba-tool commands
Andrew Tridgell [Tue, 7 Dec 2010 21:20:54 +0000 (08:20 +1100)]
samba-tools: more reasonable defaults for samba-tool commands

- fallback to machine account where possible

- default to local hostname where this is reasonable

8 years ago samba-tools: export doesn't need any credentials
Andrew Tridgell [Tue, 7 Dec 2010 21:19:25 +0000 (08:19 +1100)]
samba-tools: export doesn't need any credentials

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

8 years ago s4-provision Always run slaptest to convert the config file
Andrew Bartlett [Sat, 4 Dec 2010 02:47:05 +0000 (13:47 +1100)]
s4-provision Always run slaptest to convert the config file

If the directory exists, it does not mean that it is configured - we
may be on a re-run of the provision.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec  8 05:19:12 CET 2010 on sn-devel-104

8 years ago s4-provision Add an invalid names check for 'domain == netbiosname'
Andrew Bartlett [Sat, 4 Dec 2010 01:34:44 +0000 (12:34 +1100)]
s4-provision Add an invalid names check for 'domain == netbiosname'

(This is also invalid)

Andrew Bartlett

8 years ago build: fix hpux build pb
Matthieu Patou [Tue, 7 Dec 2010 20:42:15 +0000 (23:42 +0300)]
build: fix hpux build pb

Pair-Programmed-With: Thomas Nagy <tnagy2pow10@gmail.com>

Fix the library extension from .so to .sl
Add full path to library when linking; this is needed due to a strange
behavior of HP-UX:

This command: gcc demo demo.c -L dir1/dir2/ -lsomelib
will give a binary with a hard coded lib like dir1/dir2/libsomelib.sl.
Somehow like a partial rpath, it has the first impact of fooling waf
detection of whether the platform supports libraries or not (leading to
being unable to compile samba on HPUX) and the impact of having non
functional binaries.

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Dec  8 00:32:50 CET 2010 on sn-devel-104

8 years ago docs: clarify the idmap_rid manpage (bug #7788)
Michael Adam [Tue, 7 Dec 2010 16:30:27 +0000 (17:30 +0100)]
docs: clarify the idmap_rid manpage (bug #7788)

The idmap_rid module should not be used as a default backend.
Also mention that the old syntax "idmap backend = rid:domain=range ..."
is not supported any more.

Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue Dec  7 19:07:57 CET 2010 on sn-devel-104

8 years ago docs: clarify the idmap_ad manpage (bug #6322)
Michael Adam [Tue, 7 Dec 2010 14:47:52 +0000 (15:47 +0100)]
docs: clarify the idmap_ad manpage (bug #6322)

The idmap_ad module can not be used as a default backend.

8 years ago libcli/auth: let spnego_write_mech_types() check the asn1_load() return
Stefan Metzmacher [Wed, 1 Dec 2010 23:40:01 +0000 (00:40 +0100)]
libcli/auth: let spnego_write_mech_types() check the asn1_load() return


Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec  7 18:23:41 CET 2010 on sn-devel-104

8 years ago s3:ntlm_auth: support clients which offer a spnego mechs we don't support
Stefan Metzmacher [Wed, 1 Dec 2010 23:39:23 +0000 (00:39 +0100)]
s3:ntlm_auth: support clients which offer a spnego mechs we don't support

Before we rejected the authentication if we don't support the
first spnego mech the client offered.

We now negotiate the first mech we support.

This fix works around problems, when a client
sends the NEGOEX ( oid,
which we don't support.


8 years ago s3:ntlm_auth: free session key, as we don't use it (at least for now)
Stefan Metzmacher [Wed, 1 Dec 2010 04:52:29 +0000 (05:52 +0100)]
s3:ntlm_auth: free session key, as we don't use it (at least for now)


8 years ago s3:ntlm_auth: fix memory leak in the raw ntlmssp code path
Stefan Metzmacher [Wed, 1 Dec 2010 04:50:59 +0000 (05:50 +0100)]
s3:ntlm_auth: fix memory leak in the raw ntlmssp code path