8 years ago Eliminate dependency on an external uuid library.
Andriy Syrovenko [Sat, 26 May 2012 20:41:16 +0000 (23:41 +0300)]
Eliminate dependency on an external uuid library.

8 years ago s3-build: Remove build of libaddns.a from the autoconf build
Andrew Bartlett [Tue, 22 May 2012 02:01:44 +0000 (12:01 +1000)]
s3-build: Remove build of libaddns.a from the autoconf build

We always link libaddns statically as part of the net object lists

This means that we no longer provide externally-available
libaddns, as the waf build declared this as a private library.

This never had a public API, .so or a header file.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <>
Autobuild-Date: Sat May 26 09:45:34 CEST 2012 on sn-devel-104

8 years ago s3-utils: Use ads_do_search_retry in net ads search
Andrew Bartlett [Fri, 18 May 2012 12:02:57 +0000 (22:02 +1000)]
s3-utils: Use ads_do_search_retry in net ads search

This makes it possible to search against a slow server, as it will
fall back from 1000 to (eventually) 125 users at a time.

Andrew Bartlett

Signed-off-by: Jeremy Allison <>
Autobuild-User: Jeremy Allison <>
Autobuild-Date: Sat May 26 03:53:34 CEST 2012 on sn-devel-104

8 years ago s3-libads: Use a reducing page size to try and cope with a slow LDAP server
Andrew Bartlett [Fri, 18 May 2012 12:01:14 +0000 (22:01 +1000)]
s3-libads: Use a reducing page size to try and cope with a slow LDAP server

If we cannot get 1000 users downloaded in 15 seconds, try with 500, 250
and then 125 users at a time.

Andrew Bartlett

Signed-off-by: Jeremy Allison <>
8 years ago s3-winbindd: Always map the LDAP error code to an NTSTATUS
Andrew Bartlett [Fri, 18 May 2012 07:40:59 +0000 (17:40 +1000)]
s3-winbindd: Always map the LDAP error code to an NTSTATUS

We do this so that we catch LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUT, which
has special handling in winbindd_cache.c

Andrew Bartlett

Signed-off-by: Jeremy Allison <>
Andrew Bartlett [Fri, 18 May 2012 07:38:48 +0000 (17:38 +1000)]

This allows Samba to then handle this error in the same way it would for RPC connections

Andrew Bartlett

Signed-off-by: Jeremy Allison <>
8 years ago dns_hosts_file: move to a separate subsystem
Alexander Bokovoy [Fri, 25 May 2012 15:45:17 +0000 (18:45 +0300)]
dns_hosts_file: move to a separate subsystem

After discussion with Kai move dns_hosts_file to a separate subsystem
and merge it into libaddns private library for s3/s4 client use.

Also remove dependency in libcli/nbt, the code from libcli/dns subsystems
is not used there at all.

Autobuild-User: Alexander Bokovoy <>
Autobuild-Date: Fri May 25 22:22:44 CEST 2012 on sn-devel-104

8 years when ADS support is disabled, unset HAVE_GSSAPI
Alexander Bokovoy [Fri, 25 May 2012 10:25:12 +0000 (13:25 +0300)] when ADS support is disabled, unset HAVE_GSSAPI

8 years ago s3:selftest: run smbtorture3 CLEANUP3 in the s3dc:local environment
Stefan Metzmacher [Wed, 16 May 2012 07:11:40 +0000 (09:11 +0200)]
s3:selftest: run smbtorture3 CLEANUP3 in the s3dc:local environment


Signed-off-by: Jeremy Allison <>
Autobuild-User: Jeremy Allison <>
Autobuild-Date: Fri May 25 20:09:15 CEST 2012 on sn-devel-104

8 years ago s3: Test whether get_share_mode_lock cleans up stale processes
Volker Lendecke [Fri, 11 May 2012 12:39:42 +0000 (14:39 +0200)]
s3: Test whether get_share_mode_lock cleans up stale processes

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Do not check the PIDs in parse_share_modes
Volker Lendecke [Mon, 7 May 2012 14:34:11 +0000 (16:34 +0200)]
s3: Do not check the PIDs in parse_share_modes

We do that when conflicts arise

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago Ensure we only return NT_STATUS_DELETE_PENDING if the share modes are valid.
Jeremy Allison [Tue, 22 May 2012 19:28:04 +0000 (12:28 -0700)]
Ensure we only return NT_STATUS_DELETE_PENDING if the share modes are valid.

Ensure we only return *file_existed = true if there were valid share modes.

Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in close_directory
Volker Lendecke [Mon, 7 May 2012 13:23:29 +0000 (15:23 +0200)]
s3: Check for serverid_exists in close_directory

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in close_remove_share_mode
Volker Lendecke [Mon, 7 May 2012 13:23:29 +0000 (15:23 +0200)]
s3: Check for serverid_exists in close_remove_share_mode

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Be less picky on stale share mode entries
Volker Lendecke [Mon, 14 May 2012 12:57:34 +0000 (14:57 +0200)]
s3: Be less picky on stale share mode entries

If a process died, the share mode entry might be bogus. Ignore those entries.

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in find_oplock_types
Volker Lendecke [Mon, 7 May 2012 13:23:29 +0000 (15:23 +0200)]
s3: Check for serverid_exists in find_oplock_types

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in rename_share_filename
Volker Lendecke [Mon, 7 May 2012 13:23:10 +0000 (15:23 +0200)]
s3: Check for serverid_exists in rename_share_filename

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in smb_posix_unlink
Volker Lendecke [Mon, 7 May 2012 13:23:29 +0000 (15:23 +0200)]
s3: Check for serverid_exists in smb_posix_unlink

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in open_mode_check
Volker Lendecke [Mon, 7 May 2012 13:23:10 +0000 (15:23 +0200)]
s3: Check for serverid_exists in open_mode_check

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Check for serverid_exists in notify_deferred_opens
Volker Lendecke [Mon, 7 May 2012 10:22:50 +0000 (12:22 +0200)]
s3: Check for serverid_exists in notify_deferred_opens

We will remove the check in parse_share_modes soon

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago Fix an invalid state only reachable on server crash/abort.
Jeremy Allison [Tue, 22 May 2012 19:27:06 +0000 (12:27 -0700)]
Fix an invalid state only reachable on server crash/abort.

Remove any delete-on-close tokens and clear the count if there are no
valid share modes.

Signed-off-by: Stefan Metzmacher <>
8 years ago s3: Add "share_mode_stale_pid"
Volker Lendecke [Mon, 7 May 2012 10:57:07 +0000 (12:57 +0200)]
s3: Add "share_mode_stale_pid"

This is a helper routine that prunes a dead share mode entry on demand. This
prepares for removing the serverids_exist call in parse_share_modes.

Signed-off-by: Jeremy Allison <>
Signed-off-by: Stefan Metzmacher <>
8 years ago Fix bug #8373 - Can't join XP Pro workstations to 3.6.1 DC.
Jeremy Allison [Fri, 25 May 2012 16:16:50 +0000 (09:16 -0700)]
Fix bug #8373 - Can't join XP Pro workstations to 3.6.1 DC.

other align flags - make them mutually exclusive.

Combined work from Metze, Günther and Jeremy.

8 years ago s3:smbd: move global smbd_msg_state to smbXsrv_connection
Stefan Metzmacher [Thu, 24 May 2012 21:41:43 +0000 (23:41 +0200)]
s3:smbd: move global smbd_msg_state to smbXsrv_connection


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Fri May 25 11:01:27 CEST 2012 on sn-devel-104

8 years ago s3:smbd: move global koplocks to smbd_server_connection
Stefan Metzmacher [Thu, 24 May 2012 21:33:32 +0000 (23:33 +0200)]
s3:smbd: move global koplocks to smbd_server_connection


8 years ago s3:smbd: pass smbd_server_connection to should_notify_deferred_opens()
Stefan Metzmacher [Thu, 24 May 2012 21:32:04 +0000 (23:32 +0200)]
s3:smbd: pass smbd_server_connection to should_notify_deferred_opens()


8 years ago s3:smbd: move global oplocks vars to smbd_server_connection
Stefan Metzmacher [Thu, 24 May 2012 21:15:08 +0000 (23:15 +0200)]
s3:smbd: move global oplocks vars to smbd_server_connection


8 years ago s3:smbd: remove unused get_number_of_exclusive_open_oplocks()
Stefan Metzmacher [Thu, 24 May 2012 21:06:26 +0000 (23:06 +0200)]
s3:smbd: remove unused get_number_of_exclusive_open_oplocks()


8 years ago move VERSION to alpha22
Andrew Bartlett [Fri, 25 May 2012 00:20:46 +0000 (10:20 +1000)]
move VERSION to alpha22

We will change this to beta once we both fix the VERSION parsing scripts
and we agree that the next release will indeed be the beta.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <>
Autobuild-Date: Fri May 25 04:19:30 CEST 2012 on sn-devel-104

8 years ago WHATSNEW: update for alpha21, and mark as release samba-4.0.0alpha21
Andrew Bartlett [Fri, 25 May 2012 00:17:34 +0000 (10:17 +1000)]
WHATSNEW: update for alpha21, and mark as release

The plan has changed.  This will we hope be the last alpha.

Andrew Bartlett

8 years ago wintest: s3fs is now the default in provision
Andrew Bartlett [Thu, 24 May 2012 22:52:47 +0000 (08:52 +1000)]
wintest: s3fs is now the default in provision

8 years ago doc: Explain our build systems for Samba 4.0
Andrew Bartlett [Thu, 24 May 2012 10:31:37 +0000 (20:31 +1000)]
doc: Explain our build systems for Samba 4.0

8 years ago s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing...
Stefan Metzmacher [Mon, 12 Dec 2011 12:50:04 +0000 (13:50 +0100)]
s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Fri May 25 00:23:53 CEST 2012 on sn-devel-104

8 years ago s3-passdb: Fix negative SID->uid/gid/both cache handling
Ira Cooper [Thu, 24 May 2012 01:42:26 +0000 (21:42 -0400)]
s3-passdb: Fix negative SID->uid/gid/both cache handling

-1 uid/gid/both signals a non existent uid/gid/both.

Signed-off-by: Stefan Metzmacher <>
8 years ago s3:smbd: remove global 'smbd_server_conn' !!!
Stefan Metzmacher [Thu, 24 May 2012 11:46:11 +0000 (13:46 +0200)]
s3:smbd: remove global 'smbd_server_conn' !!!

For now we still use a global 'global_smbXsrv_connection'
in order to pass the connection state to exit_server*().


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Thu May 24 20:07:20 CEST 2012 on sn-devel-104

8 years ago s3:smbd: only call file_init_global() in the parent smbd
Stefan Metzmacher [Thu, 24 May 2012 10:26:46 +0000 (12:26 +0200)]
s3:smbd: only call file_init_global() in the parent smbd


8 years ago s3:smbd/files: split file_init_global() out of file_init()
Stefan Metzmacher [Thu, 24 May 2012 10:20:30 +0000 (12:20 +0200)]
s3:smbd/files: split file_init_global() out of file_init()


8 years ago s3:smbd: remove unused var in smbXsrv_connection_init_tables()
Stefan Metzmacher [Thu, 24 May 2012 10:41:20 +0000 (12:41 +0200)]
s3:smbd: remove unused var in smbXsrv_connection_init_tables()


8 years ago s4:smb_server/smb: fix talloc_free() bug
Stefan Metzmacher [Thu, 24 May 2012 09:57:02 +0000 (11:57 +0200)]
s4:smb_server/smb: fix talloc_free() bug

ERROR: talloc_free with references at ../source4/smb_server/smb/receive.c:637
        reference at ../source4/ntvfs/posix/pvfs_wait.c:86


8 years ago waf: for MIT krb5 build require kerberos version above 1.9
Alexander Bokovoy [Thu, 24 May 2012 13:28:31 +0000 (16:28 +0300)]
waf: for MIT krb5 build require kerberos version above 1.9

MIT krb5 implementation provides sufficient support for features
used in Samba 4 starting with 1.9. Require version above when using
system MIT krb5 build.

Autobuild-User: Alexander Bokovoy <>
Autobuild-Date: Thu May 24 18:15:36 CEST 2012 on sn-devel-104

8 years ago s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
Alexander Bokovoy [Thu, 24 May 2012 12:38:41 +0000 (15:38 +0300)]
s3-smbldap: Add API for external callback to perform LDAP bind in smbldap

In order to support other bind methods, introduce a generic bind callback.
When smbldap_state.bind_callback is set, it means there is an alternative
way to perform LDAP bind to ldap_simple_bind_s() so call it instead.
The call is wrapped in become_root()/unbecome_root() to allow proper permissions
in smbd to access needed resources in the callback, for example, credential caches.
When run outside smbd, become_root()/unbecome_root() are no-op.

The API expectation is similar to ldap_simple_bind_s().

A caller of smbldap API can pass additional information to the callback by setting
smbldap_state.bind_callback_data pointer.

Both callback and the data pointer elements of smbldap_state structure get
cleaned up if someone sets proper credentials on smbldap_state with
smbldap_set_creds() so if you are interested in using smbldap_state.bind_dn
with the callback, make sure to set callback after credentials are set.

8 years ago s4/scripting: in MIT build do not install samba-tool, it is not usable yet
Alexander Bokovoy [Thu, 24 May 2012 12:24:12 +0000 (15:24 +0300)]
s4/scripting: in MIT build do not install samba-tool, it is not usable yet

8 years ago s4-selftest: Demonstrate the correct behaviour between specified usernames and kerber...
Andrew Bartlett [Thu, 24 May 2012 03:36:20 +0000 (13:36 +1000)]
s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache

This shows that a username/password on the command line must always
override any credentials cache in the environment.

Andrew Bartlett

8 years ago auth/credentials: 'workgroup' set via command line will not drop existing ccache
Alexander Bokovoy [Thu, 24 May 2012 12:17:40 +0000 (15:17 +0300)]
auth/credentials: 'workgroup' set via command line will not drop existing ccache

The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache

The commit also reverts previous fix now that root cause is clear.

8 years ago s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()
Stefan Metzmacher [Wed, 23 May 2012 11:22:47 +0000 (13:22 +0200)]
s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Thu May 24 16:14:01 CEST 2012 on sn-devel-104

8 years ago s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()
Stefan Metzmacher [Wed, 23 May 2012 11:09:40 +0000 (13:09 +0200)]
s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()

Note the DCERPC code should not be smb2 specific!

I wonder why this is at all smb2 specific...


8 years ago s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'
Stefan Metzmacher [Wed, 23 May 2012 11:06:55 +0000 (13:06 +0200)]
s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'


8 years ago s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1
Stefan Metzmacher [Thu, 24 May 2012 08:43:56 +0000 (10:43 +0200)]
s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1

For faked connection_structs we do not need valid fnum values,
e.g. in the dfs and printing code.


8 years ago s3:smbd/files: fix error path and correctly cleanup
Stefan Metzmacher [Thu, 24 May 2012 09:22:11 +0000 (11:22 +0200)]
s3:smbd/files: fix error path and correctly cleanup


8 years ago selftest: Run only the samba3 tests on builds without the AD DC
Andrew Bartlett [Thu, 24 May 2012 06:53:34 +0000 (16:53 +1000)]
selftest: Run only the samba3 tests on builds without the AD DC

Autobuild-User: Andrew Bartlett <>
Autobuild-Date: Thu May 24 11:51:40 CEST 2012 on sn-devel-104

8 years ago WHATSNEW: Move to document changes for beta1
Andrew Bartlett [Thu, 24 May 2012 06:30:00 +0000 (16:30 +1000)]
WHATSNEW: Move to document changes for beta1

This is not the beta1 release, but this is the preparation for such a release.

Andrew Bartlett

8 years ago s4-provision: Make s3fs the default way to install a new Samba4 DC
Andrew Bartlett [Thu, 24 May 2012 04:56:27 +0000 (14:56 +1000)]
s4-provision: Make s3fs the default way to install a new Samba4 DC

With s3fs now well settled into master, we now throw the switch and make
it the default.

There is still much to do, but we need to be using s3fs by default to
find out exactly what that is.

Andrew Bartlett

8 years ago s4-selftest: Always delete the user at the end of
Andrew Bartlett [Thu, 24 May 2012 03:37:09 +0000 (13:37 +1000)]
s4-selftest: Always delete the user at the end of

If this test is run in the "dc" environment (rather than "dc:local") it would not delete the
test user.

Andrew Bartlett

8 years ago dlz_bind9: Make the talloc destructor static and return 0.
Amitay Isaacs [Wed, 23 May 2012 01:53:59 +0000 (11:53 +1000)]
dlz_bind9: Make the talloc destructor static and return 0.

Autobuild-User: Amitay Isaacs <>
Autobuild-Date: Thu May 24 03:32:50 CEST 2012 on sn-devel-104

8 years ago dlz_bind9: Fix the named crash on reloading named
Amitay Isaacs [Wed, 23 May 2012 01:52:16 +0000 (11:52 +1000)]
dlz_bind9: Fix the named crash on reloading named

When reloading zones, named first creates a new zone instance and then shuts down
the old instance. Since the ldb layer keeps the same LDB open, talloc_free() on the samdb
handle causes a talloc "access after use" error.

This patch keeps only single context (dlz_bind9_data) and uses reference counting
to decide when to actually free the context. Since samdb handle is reused, use
talloc_unlink() instead of talloc_free() on samdb handle.

8 years ago s3-configure: Fix configure version information.
Ira Cooper [Wed, 23 May 2012 13:40:11 +0000 (09:40 -0400)]
s3-configure: Fix configure version information.

version.h moved from include -> include/autoconf.

Autobuild-User: Ira Cooper <>
Autobuild-Date: Thu May 24 01:34:24 CEST 2012 on sn-devel-104

8 years ago s3:rpc_server/dfs: pass allow_broken_path=true to create_junction()
Stefan Metzmacher [Wed, 23 May 2012 10:46:20 +0000 (12:46 +0200)]
s3:rpc_server/dfs: pass allow_broken_path=true to create_junction()

DCERPC code can't be smb2 specific!

I'm not sure if 'true' is the correct value here, but at least
it matches the old behavior and the tcp and smb1 cases.


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Wed May 23 21:56:05 CEST 2012 on sn-devel-104

8 years ago s3:smbd/proto.h: remove unused resolve_dfspath() prototype
Stefan Metzmacher [Wed, 23 May 2012 11:21:57 +0000 (13:21 +0200)]
s3:smbd/proto.h: remove unused resolve_dfspath() prototype


8 years ago s3:smbd/files: remove unused VALID_FNUM()
Stefan Metzmacher [Wed, 23 May 2012 15:04:42 +0000 (17:04 +0200)]
s3:smbd/files: remove unused VALID_FNUM()


8 years ago s3:smb2_server: make use of nt_status_np_pipe()
Stefan Metzmacher [Wed, 23 May 2012 13:24:01 +0000 (15:24 +0200)]
s3:smb2_server: make use of nt_status_np_pipe()


8 years ago s3:smbd: use nt_status_np_pipe for smb1
Stefan Metzmacher [Wed, 23 May 2012 13:23:23 +0000 (15:23 +0200)]
s3:smbd: use nt_status_np_pipe for smb1


8 years ago s3:smbd: add nt_status_np_pipe()
Stefan Metzmacher [Wed, 23 May 2012 13:21:28 +0000 (15:21 +0200)]
s3:smbd: add nt_status_np_pipe()



8 years ago blackbox: fix samba4.blackbox.kinit test
Alexander Bokovoy [Wed, 23 May 2012 14:34:24 +0000 (17:34 +0300)]
blackbox: fix samba4.blackbox.kinit test

This deserves some explanation.

With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
was wrapped with password settings reset before and after the tests with an idea to
maintain reliable state for the tests. As a result, the resetting of the password
settings was done after the test that tried to use smbclient with a Kerberos ticket
obtained with machine account credentials.

However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
always re-kinited even if existing credentials were available in the ccache. This had an effect
on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.

When the issue of not using already initialized credentials from ccache was fixed with
d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
re-use already obtained credentials from ccaches. This caused failure of the test
'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
has no permissions to modify password settings.

Thus, the correct fix is to reset ccache state before performing the test.

Autobuild-User: Alexander Bokovoy <>
Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104

8 years ago gse: Use the smb_gss_oid_equal wrapper.
Andreas Schneider [Mon, 21 May 2012 16:25:28 +0000 (18:25 +0200)]
gse: Use the smb_gss_oid_equal wrapper.

Signed-off-by: Andreas Schneider <>
8 years ago krb5samba: Add smb_gss_oid_equal wrapper.
Andreas Schneider [Mon, 21 May 2012 16:24:31 +0000 (18:24 +0200)]
krb5samba: Add smb_gss_oid_equal wrapper.

Signed-off-by: Andreas Schneider <>
8 years ago s3-autoconf: fix typo after migrating DNS resolver code to lib/addns
Alexander Bokovoy [Tue, 22 May 2012 10:52:48 +0000 (13:52 +0300)]
s3-autoconf: fix typo after migrating DNS resolver code to lib/addns

8 years ago wafsamba: ensure TO_LIST does not fail with empty string
Alexander Bokovoy [Mon, 21 May 2012 15:38:56 +0000 (18:38 +0300)]
wafsamba: ensure TO_LIST does not fail with empty string

8 years ago libcli/dns: make 'clidns' private library out of DNS code in WAF build
Alexander Bokovoy [Mon, 21 May 2012 14:54:13 +0000 (17:54 +0300)]
libcli/dns: make 'clidns' private library out of DNS code in WAF build

After consolidating DNS resolver code to lib/addns, there is one piece
that still needs to be moved into a common DNS resolver library: DNS_HOSTS_FILE
subsystem. Unfortunately, direct move would require lib/addns to depend on
libcli/util/{ntstatus.h,werror.h} (provided by errors subsystem).

In addition, moving libcli/dns/* code to lib/addns/ would make conflicting
the dns_tkey_record struct. The conflict comes from source4/dns_server/ and is due
to use of IDL to define the struct. lib/addns/ library also provides its own definition
so we either need to keep them in sync (rewrite code in lib/addns/ a bit) or
depend on generated IDL headers.

Thus, making a private library and subsystem clidns is an intermediate step
that allows to buy some time for refactoring.

8 years ago Introduce system MIT krb5 build with --with-system-mitkrb5 option.
Alexander Bokovoy [Mon, 21 May 2012 09:45:12 +0000 (12:45 +0300)]
Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As a result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.

8 years ago s4: samba-tool is usable without export-keytab command, make sure it does not break
Alexander Bokovoy [Fri, 18 May 2012 12:24:38 +0000 (15:24 +0300)]
s4: samba-tool is usable without export-keytab command, make sure it does not break

When export_keytab is not compiled in (pure client-side Samba 4 build as with
system MIT krb5), export-keytab command of samba-tool will not be available.
Make sure it is not provided but its absence does not break the Python tool.

8 years ago auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
Alexander Bokovoy [Fri, 18 May 2012 07:05:38 +0000 (10:05 +0300)]
auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials

When credentials API is used by a client-side program that already has fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets

8 years ago s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
Alexander Bokovoy [Fri, 18 May 2012 07:00:58 +0000 (10:00 +0300)]
s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API

struct unixid is defined in idmap.idl and therefore to use it one
would need generated headers from librpc/gen_ndr. Not all of these
files are installed and available as public headers. Also, they
pull in some support headers which requires them to be available
via specific locations like <librpc/gen_ndr/*> or <libcli/util>.

Instead of pulling the headers to get structure and enum definitions,
introduce three simple helpers to fill in 'struct unixid' based on
the type of id. This is sufficient for PASSDB users and does not
require exposing generated headers or code.

8 years ago dns: fix comments and make s4/libcli/resolve dns resolver working
Alexander Bokovoy [Tue, 15 May 2012 13:28:44 +0000 (16:28 +0300)]
dns: fix comments and make s4/libcli/resolve dns resolver working

After migrating to use libaddns, reply_to_addrs() needed to change the
way answers are iterated through. Originally libroken implementation
gave all answers as separate records with last one being explicitly NULL.
libaddns unmarshalling code gives all non-NULL answers and should be
iterated with explicit reply->num_answers in use.

8 years ago lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
Alexander Bokovoy [Wed, 9 May 2012 21:00:03 +0000 (00:00 +0300)]
lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos

In case krb5_cc_get_lifetime is not available, iterate over
existing tickets in the keytab, find the one marked as TKT_FLAG_INITIAL,
and use its lifetime. This is how it is implemented in Heimdal and
how it was suggested to be done by MIT Kerberos developers.

8 years ago gensec_gssapi: Make it possible to build with MIT krb5
Simo Sorce [Tue, 8 May 2012 16:38:20 +0000 (12:38 -0400)]
gensec_gssapi: Make it possible to build with MIT krb5

We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should be not interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.

8 years ago auth and s4-rpc_server: Do not use features we currently can't implement with MIT...
Simo Sorce [Wed, 2 May 2012 16:53:34 +0000 (12:53 -0400)]
auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build

8 years ago s4-resolve: Remove dependency on libroken
Simo Sorce [Sat, 5 May 2012 03:11:19 +0000 (23:11 -0400)]
s4-resolve: Remove dependency on libroken

Use available native samba resolver functions

8 years ago addns: Make ads_dns_lookup_srv public
Simo Sorce [Sat, 5 May 2012 03:07:14 +0000 (23:07 -0400)]
addns: Make ads_dns_lookup_srv public

8 years ago Move source3/libads/dns.c to lib/addns
Simo Sorce [Fri, 4 May 2012 20:47:27 +0000 (16:47 -0400)]
Move source3/libads/dns.c to lib/addns

8 years ago s3-ads-dns: Avoid unnecessary dependencies
Simo Sorce [Sat, 5 May 2012 02:32:47 +0000 (22:32 -0400)]
s3-ads-dns: Avoid unnecessary dependencies

8 years ago s3-ads-dns: Break dependency on lp_parm
Simo Sorce [Fri, 4 May 2012 21:27:36 +0000 (17:27 -0400)]
s3-ads-dns: Break dependency on lp_parm

In preparation of making this code common to s3 and s4

8 years ago s3-ad-dns: Use more standard uint and booleans defs
Simo Sorce [Fri, 4 May 2012 20:49:05 +0000 (16:49 -0400)]
s3-ad-dns: Use more standard uint and booleans defs

In preparation of making this code common to s3 and s4

8 years ago addns: Fix talloc hierarchy
Simo Sorce [Mon, 7 May 2012 20:14:07 +0000 (16:14 -0400)]
addns: Fix talloc hierarchy

Attach request to local memory context not to potentially long lived connection

8 years ago s3:smbd: use reply_force_doserror(req, ERRSRV, ERRbaduid) on SMBulogoff
Stefan Metzmacher [Thu, 3 May 2012 13:52:41 +0000 (15:52 +0200)]
s3:smbd: use reply_force_doserror(req, ERRSRV, ERRbaduid) on SMBulogoff

We don't support security = share anymore, so we should always have
a valid session.

Found by the raw.context test.


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Wed May 23 12:47:37 CEST 2012 on sn-devel-104

8 years ago Second part of fix for bug 8953 - winbind can hang as nbt_getdc() has no timeout.
Herb Lewis [Tue, 22 May 2012 23:40:17 +0000 (16:40 -0700)]
Second part of fix for bug 8953 - winbind can hang as nbt_getdc() has no timeout.

If we're running with SEC_ADS and we don't get a cldap response from
the server when querying its name, don't fall back to NetBIOS requests
as they're unlikely to succeed.

Signed-off-by: Jeremy Allison <>
Autobuild-User: Jeremy Allison <>
Autobuild-Date: Wed May 23 03:49:36 CEST 2012 on sn-devel-104

8 years ago Fix bug #8953 - winbind can hang as nbt_getdc() has no timeout.
Jeremy Allison [Tue, 22 May 2012 23:25:14 +0000 (16:25 -0700)]
Fix bug #8953 - winbind can hang as nbt_getdc() has no timeout.

Add a timeout_in_seconds parameter to nbt_getdc() to make it fail
after that time with NT_STATUS_IO_TIMEOUT.

8 years ago s3:smbd: remove unused 'connection_struct->used'
Michael Adam [Tue, 22 May 2012 09:56:36 +0000 (11:56 +0200)]
s3:smbd: remove unused 'connection_struct->used'

Pair-Programmed-With: Stefan Metzmacher <>

Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Tue May 22 16:42:22 CEST 2012 on sn-devel-104

8 years ago Added torture test for bug #8910. Test remove_duplicate_addrs2().
Jeremy Allison [Mon, 21 May 2012 21:29:11 +0000 (14:29 -0700)]
Added torture test for bug #8910. Test remove_duplicate_addrs2().

Autobuild-User: Jeremy Allison <>
Autobuild-Date: Tue May 22 01:31:17 CEST 2012 on sn-devel-104

8 years ago s3: Fix vfs_xattr_tdb.c
Volker Lendecke [Mon, 21 May 2012 12:41:40 +0000 (14:41 +0200)]
s3: Fix vfs_xattr_tdb.c

"size" is the maximum buffer, only copy what we actually got. For me, this
fixes valgrind errors in the DIR1 test that might potentially make DIR1
non-flaky again.

Signed-off-by: Jeremy Allison <>
Autobuild-User: Jeremy Allison <>
Autobuild-Date: Mon May 21 22:10:15 CEST 2012 on sn-devel-104

8 years ago s3:smb2_ioctl: Fix Coverity ID 701771 Uninitialized scalar variable
Stefan Metzmacher [Mon, 21 May 2012 09:44:09 +0000 (11:44 +0200)]
s3:smb2_ioctl: Fix Coverity ID 701771 Uninitialized scalar variable


Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Mon May 21 19:27:44 CEST 2012 on sn-devel-104

8 years ago s4-dsdb: allow modification of some deleted object if the show-deleted control is...
Matthieu Patou [Fri, 11 May 2012 21:25:49 +0000 (14:25 -0700)]
s4-dsdb: allow modification of some deleted object if the show-deleted control is presented

Autobuild-User: Matthieu Patou <>
Autobuild-Date: Sat May 19 20:28:01 CEST 2012 on sn-devel-104

8 years ago s4-dsdb: naming context needs to have the extended-dn syntax too
Matthieu Patou [Wed, 9 May 2012 15:51:57 +0000 (08:51 -0700)]
s4-dsdb: naming context needs to have the extended-dn syntax too

8 years ago libcli: make it easier to understand that a control was not correctly encoded
Matthieu Patou [Tue, 15 May 2012 17:10:16 +0000 (10:10 -0700)]
libcli: make it easier to understand that a control was not correctly encoded

8 years ago Move the set_write_time() call to after get_existing_share_mode_lock() returns with...
Jeremy Allison [Sat, 19 May 2012 02:29:36 +0000 (19:29 -0700)]
Move the set_write_time() call to after get_existing_share_mode_lock() returns with a share mode.

get_existing_share_mode_lock() isn't really the right
call here, as we're being called after
close_remove_share_mode() inside close_normal_file()
so it's quite normal to not have an existing share
mode here. However, get_share_mode_lock() doesn't
work because that will create a new share mode if
one doesn't exist - so stick with this call (just
ignore any error we get if the share mode doesn't

The previous commit raised the error message debug
level inside get_share_mode_lock_internal() so
we don't always get a level 1 error message if
get_existing_share_mode_lock() fails.

Autobuild-User: Jeremy Allison <>
Autobuild-Date: Sat May 19 06:26:33 CEST 2012 on sn-devel-104

8 years ago Raise the debug level from 1 to 5 in get_share_mode_lock_internal()
Jeremy Allison [Sat, 19 May 2012 02:24:51 +0000 (19:24 -0700)]
Raise the debug level from 1 to 5 in get_share_mode_lock_internal()

This isn't a fatal condition, there is a valid codepath
that can cause this message.

8 years ago s4:torture: Add raw.session.reauth2 test
Volker Lendecke [Wed, 2 May 2012 13:54:03 +0000 (15:54 +0200)]
s4:torture: Add raw.session.reauth2 test

Signed-off-by: Stefan Metzmacher <>
Autobuild-User: Stefan Metzmacher <>
Autobuild-Date: Fri May 18 18:25:42 CEST 2012 on sn-devel-104

8 years ago s4:torture: rename raw.session.reauth => raw.session.reauth1
Stefan Metzmacher [Fri, 18 May 2012 11:39:48 +0000 (13:39 +0200)]
s4:torture: rename raw.session.reauth => raw.session.reauth1


8 years ago s3:smbd: allow creating new spnego sessions only with a 0 vuid
Stefan Metzmacher [Thu, 3 May 2012 14:13:08 +0000 (16:13 +0200)]
s3:smbd: allow creating new spnego sessions only with a 0 vuid

Found by the raw.context test.


8 years ago s3:smbd: SMBtdis should return ERRSRV, ERRinvnid instead of NETWORK_NAME_DELETED
Stefan Metzmacher [Thu, 3 May 2012 13:53:56 +0000 (15:53 +0200)]
s3:smbd: SMBtdis should return ERRSRV, ERRinvnid instead of NETWORK_NAME_DELETED

Found by the raw.context test.


8 years ago selftest/Samba3: add 'smbd:suicide mode = yes'
Stefan Metzmacher [Wed, 16 May 2012 23:06:29 +0000 (01:06 +0200)]
selftest/Samba3: add 'smbd:suicide mode = yes'