From 3563bd6e6496dcd10477e44294d8b783988d325b Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Mon, 16 Aug 2004 15:33:20 +0000
Subject: [PATCH] r1835: sync up logon hours changes with 3.0 tree (and update release notes)
---
 WHATSNEW.txt | 799 +++++++++++++++++++--------------------------
 examples/LDAP/samba.schema | 7 +-
 source/include/smbldap.h | 1 +
 source/lib/smbldap.c | 1 +
 source/passdb/passdb.c | 51 +++
 source/passdb/pdb_ldap.c | 23 +-
 source/utils/pdbedit.c | 33 +-
 7 files changed, 450 insertions(+), 465 deletions(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b53ffe549aa..558656aec02 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,31 +1,71 @@ - ================================ - Release Notes for Samba 3.0.6rc2 - Aug 5, 2004 - ================================ - -This is a release candidate snapshot of the Samba 3.0.5 code -base and should be considered for testing only. A release -candidate (RC) means that we are close to the final, stable -release and in provided for Quality Assurance (QA) purposes. -This release is *not* intended for production servers. Use -at your own risk. + ============================= + Release Notes for Samba 3.0.6 + Aug XX, 2004 + ============================= -There have been several bug fixes since the 3.0.4 release that -we feel are important to make available to the Samba community -for wider testings. See the "Changes" section for details on -exact updates. +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all +current bug-fixes. There have been several issues fixes since +the 3.0.4/5 release and new features have been added as well. +See the "Changes" section for details on exact updates. -Common bugs fixed in 3.0.6rc2 include: +Common bugs fixed in 3.0.6 include: + o Schannel failure in winbindd. + o Numerous memory leaks. + o Incompatibilities between the 'write list' and 'force user' + smb.conf options. + o Premature optimization of the open_directory() internal + function that broke tools such as the ArcServe backup + agent, Macromedia HomeSite, and Robocopy. + o Corrupt workgroup names in nmbd's browse.dat. + o Sharing violation errors commonly seen when opening + when serving Microsoft Office documents from a Samba + file share. + o Browsing problems caused by an apostrophe (') in the + computer's description field. + o Problems creating special file types from UNIX CIFS + clients and enabling 'unix extensions'. o Fix stalls in smbd caused by inaccessible LDAP servers. o Remove various memory leaks. o Fix issues in the password lockout feature. 
- o Merge security fixes for CAN-2004-0600, CAN-2004-0686 - from 3.0.5. New features introduced in this release include: + O Support symlinks created by CIFS clients which + can be followed on the server. + o Using a cups server other than localhost. + o Maintaining the service principal entry in the system + keytab for integration with other kerberized services. + Please refer to the 'use kerberos keytab' entry in + smb.conf(5). When using the heimdal kerberos libraries, + you must also specify the following in /etc/krb5.conf: + [libdefaults] + default_keytab_name = FILE:/etc/krb5.keytab + o Support for maintaining individual printer names + stored separately from the printer's sharename. o Support for maintaining user password history. + o Support for honoring the logon times for user in a + Samba domain. + +-------------------------------------------- +unix extensions = yes (default) and symlinks +-------------------------------------------- + +Beginning with Samba 3.0.6pre1 (formally known as 3.0.5pre1), +clients supporting the UNIX extensions to the CIFS protocol +can create symlinks to absolute paths which will be **followed** +by the server. This functionality has been requested in order +to correctly support certain applications when the user's home +directory is mounted using some type of CIFS client (e.g. the +cifsvfs in the Linux 2.6 kernel). + +If this behavior is not acceptable for your production environment +you can set 'wide links = no' in the specific share declaration in +the server's smb.conf. Be aware that disabling wide link support +out of a share in Samba may impact the server's performance due +to the fact that smbd will now have to check each path additional +times before traversing it. ------------------------ Password History Support 
@@ -33,14 +73,13 @@ Password History Support The new password history feature allows smbd to check the new password in password change requests against a list of the user's -previous passwords. The number of previous passwords to save can be -set using pdbedit (4 in this example): +previous passwords. The number of previous passwords to save can +be set using pdbedit (4 in this example): root# pdbedit -P "password history" -C 4 -When using the ldapsam passdb backend, it is vital to secure -the following attributes from access by non-administrative -users: +When using the ldapsam passdb backend, it is vital to secure the +following attributes from access by non-administrative users: * sambaNTPassword * sambaLMPassword 
@@ -48,26 +87,77 @@ users: You should refer to your directory server's documentation on how to implement this restriction). + ###################################################################### Changes ####### -Changes since 3.0.6rc1 -(formally referred to as 3.0.5rc1) ----------------------------------- +Changes since 3.0.5 +------------------- smb.conf changes ---------------- Parameter Name Action -------------- ------ + cups server New + defer sharing violations New + force unknown acl user New ldap timeout New - + printcap cache time New + use kerberos keytab New commits ------- o Jeremy Allison + * Correct path parsing bug that broke DeletePrinterDriverEx(). + * Fix bugs in check_path_syntax() caught by asserts. + * Internal change - rearrange internal global case setting + variables to a per connection basis. + * BUG 1345: Fix premature optimization in unix_convert(). + * Allow clients to truncate a locked file. + * BUG 1319: Always check to see if a user as write access + to a share, even when 'force user' is set. + * Fix specific case of open that doesn't cause oplock break, + or share mode check. + * Correct sid type is WKN_GROUP, not alias. Added some + more known types (inspired by patch from Jianliang Lu). + * Allow creation of absolute symlink paths via CIFS clients. + * Fix charset bug in when invoking send_mailslot(). + * When using widelinks = no, use realpath to canonicalize + the connection path on connection create for the user. + * Enhance stat open code. + * Fix unix extensions mknod code path. + * Allow unix domain socket creation via unix extensions. + * Auto disable the 'store dos attribute' parameter if the + underlying filesystem doesn't support EAs. + * Implement deferred open code to fix a bug with Excel files + on Samba shares. + * BUG 1427: Catch bad path errors at the right point. Ensure + all our pathname parsing is consistent. + * Fix SMB signing error introduced by the new deferred open + code. 
+ * Change default setting for case sensitivity to "auto". (see + commit message -- r1154 -- for details). + * Add new remote client arch -- CIFSFS. + * Allow smbd to maintain the service principal entry in the + system keytab file (based on patch Dan Perry , + Guenther Deschner, et. al.). + * Fix longstanding memleak bug with logfile name. + * Fix incorrect type in printer publishing (struct uuid, + not UUID_FLAT). + * Heimdal compile fixes after introduction of the new ketyab + feature. + * Ensure we check attributes correctly on rename request. + * Ensure we defer a sharing violation on rename correctly. + * BUG 607: Ensure we remove DNS and DNSFAIL records immediately + on timeout. + * Fix bogus error message when using "mangling method = hash" + rather than hash2. + * Turn on sendfile by default for non-Win9x clients. + * Handle non-io opens that cause oplock breaks correctly. + * Ensure ldap replication sleep time is not more than 5 seconds. * Add support for storing a user's password history. LDAP portion of the code was based on a patch from Jianliang Lu . 
@@ -90,12 +180,70 @@ o Tom Alsberg o Andrew Bartlett + * Fix parsing bug in GetDomPwInfo(). + * Fix segfault in 'ntlm_auth --diagnostics'. + * Re-enable code to allow sid_to_gid() to perform a group + mapping lookup before checking with winbindd. + * Fix memory leak in the trans2 signing code. + * Allow more flexible GSS-SPENGO client and server operation + in ntlm_auth. * Improve smbd's internal random number generation. * Fix a few outstanding long password changes in smbd. * Fix LANMAN2 session setup code. +o Eric Boehm + BUG 703: Final touches on netgroup case lookups. + + +o Jerome Borsboom + * Ensure error status codes don't get overwritten in + lsa_lookup_sids() server code. + * Correct bug that caused smbd to overwrite certain error + codes when returning up the call stack. + * Ensure the correct sid type returned for builtin sids. + + o Gerald Carter + * Fix a few bugs in the Fedora Packaging files. + * Fix for setting the called name to by our IP if the + called name was *SMBSERVER and *SMBSERV. Fixes issue + with connecting to printers via \\ip.ad.dr.ess\printer + UNC path. + * BUG 1315: fix for schannel client connections to servers + when we haven't specifically negotiated AUTH_PIPE_SEAL. + * Allow PrinterDriverData valuenames with embedded backslashes + (Fixes bug with one of the Konica Fiery drivers). + * Fixed string length miscalculation in netbios names that + resulted in corrupt workgroup names in browse.dat. + * When running smbd as a daemon, launch child smbd to update + the lpq cache listing in the background. + * Allow printers "Printers..." folder to be renamed to a string + other than the share name. + * Allow winbindd to use domain trust account passwords when + running on a Samba DC to establish an schannel to remote + domains. + * Fix bad merge and ensure that we always use tdb_open_log() + instead of tdb_open_ex() (the former call enforce the 'use + mmap' parameter). 
+ * BUG 1221: revert old change that used single and double + quotes as delimeters in next_token(), and change + print_parameter() to print out parm values surrounded by + double quotes (instead of single quotes). + * Prevent home directories added during the SMBsesssetup&X from + being removed as unused services. + * Invalidate the print object cache for open printer handles when + smbd receives a message that an attribute on a given printer + has been changed. + * Cause the configure script to exit if --enable-cups[=yes] is + defined and the system does not have the cups devel files + installed. + * BUG 1297: Prevent map_username() from being called twice + during logon. + * Ensure that we use the userPrincipalName AD attribute + value for LDAP SASL binds. + * Ensure we remove the tdb entry when deleting a job that + is being spooled. * BUG 1520: Work around bug in Windows XP SP2 RC2 where the client sends a FindNextPrintChangeNotify() request without previously sending a FindFirstPrintChangeNotify(). Return @@ -109,7 +257,6 @@ o Gerald Carter sambaSidEntry, & sambaIdmapEntry object classes. - o Fabien Chevalier * Debian BUG 252591: Ensure that the return value from the number of available interfaces is initialized in case no 
@@ -117,14 +264,84 @@ o Fabien Chevalier o Guenther Deschner + * Implement 'rpcclient setprintername'. + * Add local groups to the user's NT_TOKEN since they are + actually supported now. + * Heimdal compile fixes after introduction of the new keytab + feature. + * Correctly honor the info level parameter in 'rpcclient + enumprinters'. + * Reintroduce 'force unknown acl user' parameter. When getting a + security descriptor for a file, if the owner sid is not known, + the owner uid is set to the current uid. Same for group sid. + * Ensure that REG_SZ values in the SetPrinterData actually + get written in UNICODE strings rather than ASCII. + * Ensure that the last kerberos error return is not invalid. * Display share ACL entries from rpcclient. +o Fabian Franz + * Support specifying a port in the device URL passed to smbspool. + + o Steve French + * Handle -S and user mount parms in mount.cifs. * Fix user unmount of shares mount with suid mount.cifs. +o Bjoern Jacke + * Install libsmbclient into $(LIBDIR), not into hard coded + ${prefix}/lib. This helps amd64 systems with /lib and /lib64 + and an explicit configure --libdir setting. + + +o + * Correct more memory leaks and initialization bugs. + * Fix bug that prevented core dumps from being generated + even if you tried. + * Connect to the winbind pipe in non-blocking mode to + prevent processes from hanging. + * Memory leak fixes. + + +o Stephan Kulow + * Fix crash bug in libsmbclient. + + o Volker Lendecke + * Added vfs_full_audit module. + * Add vfs_afsacl.c which can display & set AFS acls via + the NT security editor. + * Fix crash bug caused by trying to Base64 encode a NULL string. + * Fix DOS error code bug in reply_chkpath(). + * Correct misunderstanding of the max_size field in + cli_samr_enum_als_groups; it is more like an account_control + field with individual bits what to retrieve. + * Implement 'net rpc group rename' -- rename domain groups. + * Implement the 'cups server' option. 
This makes it possible + to have virtual smbd's connect to different cups daemons. + * Paranoia fixes when adding local aliases to a user's NT_TOKEN. + * Fix sid_to_gid() calls in winbindd to prevent loops. + * Ensure that local_sid_to_gid() sets the type of the group on + return. + * Make sure that the clients are given back the IP address to + which they connected in the case of a multi-homed host. Only + affects strings the spoolss printing replies. + * Fix the bad password lockout. This has not worked as pdb_ldap.c + did not ask for the modifyTimestamp attribute, so it could + not find it. Try not to regress by not putting that attrib + in the main list but append it manually for the relevant searches. + * Fix two memleaks in login_cache.c. + * fixes memory bloat when unmarshalling strings. + * Fix compile errors using gcc 3.2 on SuSE 8.2. + * Fix the build for systems without kerberos headers. + * Allow winbindd to handle authentication requests only when + started without either an 'idmap uid' or 'idmap gid' range. + * Fix the build for systems without ldap headers. + * Fix interaction between share security descriptor and the + 'read only' smb.conf option. + * Fix bug that caused _samr_lookupsids() with more than 32 ( + MAX_REF_DOMAINS) SIDs to fail. * Allow the 'idmap backend' parameter to accept a list of LDAP servers for failover purposes. * Revert code in smbd to remove a tdb when it has become 
@@ -138,25 +355,82 @@ o Volker Lendecke * Expand aliases for getusersids as well. -o James Peach - * More iconv detection fixes for IRIX. - * Compile fixed for systems that do not have C99/UNIX98 compliant - vsnprintf by default. +o Herb Lewis + * Add the acls debug class. + * Fix logic bug in netbios name truncate routine. + * Fix smbd crash caused by smbtorture IOCTL test. + * Fix errno tromping before calling iconv to reset the + conversion state. + * need to leave empty dacl so we can remove last ACE. -o Tim Potter - * BUG 1360: Use -Bsymbolic when creating shared libraries to - avoid conflicts with identical symbols in the global namespace - when loading libnss_wins.so. +o Jianliang Lu + * Fix to stop smbd hanging on missing group member in + get_memberuids(). + * Make sure Samba returns the correct group types. + * Reset the bad password count password counts upon a successful login. + + +o Jim McDonough + * BUG 1279: SMBjobid fix for Samba print servers running on + Big-Endian platforms. -o Richard Renard - * Save the current password as it is being changed into the - password history list. +o Joe Meadows + * Add optional timeout parameter to ldap open calls. + * Allow get_dc_list() to check the negative cache. -o Simo Source - * Tidy up parametric options in testparm output. +o Jason Mader + * BUG 1385: Don't use non-consts in a structure initialization. + + +o Stefan Metzmacher + * fix a configure logic bug for linux/XFS quotas when + using --with-sys-quotas. + * Use quota debug class in quota code. + * print out the SVN revision by configure, + + +o Lars Mueller + * BUG 1279: Added 'printcap cache time' parameter. + * Fix afs related build issues on SuSE. + + +o James Peach + * More iconv detection fixes for IRIX. + * Compile fixed for systems that do not have C99/UNIX98 compliant + vsnprintf by default. + + +o Dan Peterson + * Implement NFS quota support on FreeBSD. 
+ + +o Tim Potter + * BUG 1360: Use -Bsymbolic when creating shared libraries to + avoid conflicts with identical symbols in the global namespace + when loading libnss_wins.so. + + +o Richard Renard + * Save the current password as it is being changed into the + password history list. + + +o Richard Sharpe + * Fix error return codes on some lock messages. + * BUG 1178: Make the libsmbclient routines callable + by C++ programs. + * BUG 1333: Make sure we return an error code when + things go wrong. + * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when + share mode locking requests fail. + + +o Simo Source + * Update Debian stable & unstable packaging. + * Tidy up parametric options in testparm output. o Richard Sharpe @@ -171,12 +445,35 @@ o Tom Shaw o Nick Thompson * Protect smbd against broken filesystems which return zero blocksize. + + +o Andrew Tridgell + * Fixed bug in handling of timeout in socket connections. + + +o Nick Wellnhofer + * Prevent lp_interfaces() list from being corrupted. Fixes + bug where nmbd would lose the list of network interfaces + on the system and consequently shutdown. + +o James Wilkinson + * Fix ntlm_auth memory leaks. + + +o Jelmer Vernooij + * Additional NT status to unix error mappings. + * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't + get duplicate symbol errors. + * Return an error when the last command read from stdin + fails in smbclient. + * Prepare for better error checking in tar. + Changes for older versions follow below: -------------------------------------------------- - + ============================= Release Notes for Samba 3.0.5 July 20, 2004 
@@ -246,424 +543,8 @@ to upgrade to Samba 3.0.5. ################################################################## - - -------------------------------------------------- - - ================================ - Release Notes for Samba 3.0.5rc1 - July 8, 2004 - ================================ - -Common bugs fixed in this 3.0.5rc1 include: - - o Corrupt workgroup names in nmbd's browse.dat. - - o Sharing violation errors commonly seen when opening - when serving Microsoft Office documents from a Samba - file share. - - o Browsing problems caused by an apostrophe (') in the - computer's description field. - - o Problems creating special file types from UNIX CIFS - clients and enabling 'unix extensions'. - - -New features introduced in this release include: - - o Using a cups server other than localhost. - - o Maintaining the service principal entry in the system - keytab for integration with other kerberized services. - Please refer to the 'use kerberos keytab' entry in - smb.conf(5). When using the heimdal kerberos libraries, - you must also specify the following in /etc/krb5.conf: - [libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab - - o Support for maintaining individual printer names - stored separately from the printer's sharename. - - -###################################################################### -Changes -####### - -Changes since 3.0.5pre1 ------------------------ - -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - cups server New - defer sharing violations New - force unknown acl user New - ldap timeout New - use kerberos keytab New - -commits -------- -o Jeremy Allison - * Fix charset bug in when invoking send_mailslot(). - * When using widelinks = no, use realpath to canonicalize - the connection path on connection create for the user. - * Enhance stat open code. - * Fix unix extensions mknod code path. - * Allow unix domain socket creation via unix extensions. 
- * Auto disable the 'store dos attribute' parameter if the - underlying filesystem doesn't support EAs. - * Implement deferred open code to fix a bug with Excel files - on Samba shares. - * BUG 1427: Catch bad path errors at the right point. Ensure - all our pathname parsing is consistent. - * Fix SMB signing error introduced by the new deferred open - code. - * Change default setting for case sensitivity to "auto". (see - commit message -- r1154 -- for details). - * Add new remote client arch -- CIFSFS. - * Allow smbd to maintain the service principal entry in the - system keytab file (based on patch Dan Perry , - Guenther Deschner, et. al.). - * Fix longstanding memleak bug with logfile name. - * Fix incorrect type in printer publishing (struct uuid, - not UUID_FLAT). - * Heimdal compile fixes after introduction of the new ketyab - feature. - * Ensure we check attributes correctly on rename request. - * Ensure we defer a sharing violation on rename correctly. - * BUG 607: Ensure we remove DNS and DNSFAIL records immediately - on timeout. - * Fix bogus error message when using "mangling method = hash" - rather than hash2. - * Turn on sendfile by default for non-Win9x clients. - * Handle non-io opens that cause oplock breaks correctly. - * Ensure ldap replication sleep time is not more than 5 seconds. - - -o Andrew Bartlett - * Re-enable code to allow sid_to_gid() to perform a group - mapping lookup before checking with winbindd. - * Fix memory leak in the trans2 signing code. - * Allow more flexible GSS-SPENGO client and server operation - in ntlm_auth. - - -o Eric Boehm - BUG 703: Final touches on netgroup case lookups. - - -o Jerome Borsboom" - * Correct bug that caused smbd to overwrite certain error - codes when returning up the call stack. - * Ensure the correct sid type returned for builtin sids. - - -o Gerald Carter - * Fixed string length miscalculation in netbios names that - resulted in corrupt workgroup names in browse.dat. 
- * When running smbd as a daemon, launch child smbd to update - the lpq cache listing in the background. - * Allow printers "Printers..." folder to be renamed to a string - other than the share name. - * Allow winbindd to use domain trust account passwords when - running on a Samba DC to establish an schannel to remote - domains. - * Fix bad merge and ensure that we always use tdb_open_log() - instead of tdb_open_ex() (the former call enforce the 'use - mmap' parameter). - * BUG 1221: revert old change that used single and double - quotes as delimeters in next_token(), and change - print_parameter() to print out parm values surrounded by - double quotes (instead of single quotes). - * Prevent home directories added during the SMBsesssetup&X from - being removed as unused services. - * Invalidate the print object cache for open printer handles when - smbd receives a message that an attribute on a given printer - has been changed. - * Cause the configure script to exit if --enable-cups[=yes] is - defined and the system does not have the cups devel files - installed. - * BUG 1297: Prevent map_username() from being called twice - during logon. - * Ensure that we use the userPrincipalName AD attribute - value for LDAP SASL binds. - * Ensure we remove the tdb entry when deleting a job that - is being spooled. - - -o Guenther Deschner - * Implement 'rpcclient setprintername'. - * Add local groups to the user's NT_TOKEN since they are - actually supported now. - * Heimdal compile fixes after introduction of the new keytab - feature. - * Correctly honor the info level parameter in 'rpcclient - enumprinters'. - * Reintroduce 'force unknown acl user' parameter. When getting a - security descriptor for a file, if the owner sid is not known, - the owner uid is set to the current uid. Same for group sid. - * Ensure that REG_SZ values in the SetPrinterData actually - get written in UNICODE strings rather than ASCII. - * Ensure that the last kerberos error return is not invalid. 
- - -o Fabian Franz - * Support specifying a port in the device URL passed to smbspool. - - -o Bjoern Jacke - * Install libsmbclient into $(LIBDIR), not into hard coded - ${prefix}/lib. This helps amd64 systems with /lib and /lib64 - and an explicit configure --libdir setting. - - -o - * Memory leak fixes. - - -o Volker Lendecke - * Fix DOS error code bug in reply_chkpath(). - * Correct misunderstanding of the max_size field in - cli_samr_enum_als_groups; it is more like an account_control - field with individual bits what to retrieve. - * Implement 'net rpc group rename' -- rename domain groups. - * Implement the 'cups server' option. This makes it possible - to have virtual smbd's connect to different cups daemons. - * Paranoia fixes when adding local aliases to a user's NT_TOKEN. - * Fix sid_to_gid() calls in winbindd to prevent loops. - * Ensure that local_sid_to_gid() sets the type of the group on - return. - * Make sure that the clients are given back the IP address to - which they connected in the case of a multi-homed host. Only - affects strings the spoolss printing replies. - * Fix the bad password lockout. This has not worked as pdb_ldap.c - did not ask for the modifyTimestamp attribute, so it could - not find it. Try not to regress by not putting that attrib - in the main list but append it manually for the relevant searches. - * Fix two memleaks in login_cache.c. - * fixes memory bloat when unmarshalling strings. - * Fix compile errors using gcc 3.2 on SuSE 8.2. - * Fix the build for systems without kerberos headers. - * Allow winbindd to handle authentication requests only when - started without either an 'idmap uid' or 'idmap gid' range. - * Fix the build for systems without ldap headers. - * Fix interaction between share security descriptor and the - 'read only' smb.conf option. - * Fix bug that caused _samr_lookupsids() with more than 32 ( - MAX_REF_DOMAINS) SIDs to fail. 
- - -o Herb Lewis - * Fix errno tromping before calling iconv to reset the - conversion state. - * need to leave empty dacl so we can remove last ACE. - - -o Jianliang Lu - * Reset the bad password count password counts upon a successful login. - - -o Joe Meadows "Joe Meadows" - * Add optional timeout parameter to ldap open calls. - * Allow get_dc_list() to check the negative cache. - - -o Jason Mader - * BUG 1385: Don't use non-consts in a structure initialization. - - -o Stefan Metzmacher - * print out the SVN revision by configure, - - -o Lars Mueller - * Fix afs related build issues on SuSE. - - -o Dan Peterson - * Implement NFS quota support on FreeBSD. - - -o Nick Wellnhofer - * Prevent lp_interfaces() list from being corrupted. Fixes - bug where nmbd would lose the list of network interfaces - on the system and consequently shutdown. - - -o James Wilkinson - * Fix ntlm_auth memory leaks. - - -o Jelmer Vernooij - * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't - get duplicate symbol errors. - * Return an error when the last command read from stdin - fails in smbclient. - * Prepare for better error checking in tar. - - - -------------------------------------------------- - - ================================= - Release Notes for Samba 3.0.5pre1 - May 25, 2004 - ================================= - -Common bugs fixed in this preview release include: - - o Schannel failure in winbindd. - o Numerous memory leaks. - o Incompatibilities between the 'write list' and 'force user' - smb.conf options. - o Premature optimization of the open_directory() internal - function that broke tools such as the ArcServe backup - agent, Macromedia HomeSite, and Robocopy. - - -ATTENTION! NEW BEHAVIOR! -------------------------- - -Beginning with Samba 3.0.5pre1, clients supporting the UNIX -extensions to the CIFS protocol can create symlinks to -absolute paths which will be **followed** by the server. 
This -functionality has been requested in order to correctly support -certain applications when the user's home directory is mounted -using some type of CIFS client (e.g. the cifsvfs in the Linux -2.6 kernel). - -If this behavior is not acceptable for your production environment -you can set 'wide links = no' in the specific share declaration in -the server's smb.conf. Be aware that disabling wide link support -out of a share in Samba may impact the server's performance due -to the fact that smbd will now have to check each path additional -times before traversing it. - -Changes since 3.0.4 --------------------- - -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - printcap cache time New - - -commits -------- -o Jeremy Allison - * Correct path parsing bug that broke DeletePrinterDriverEx(). - * Fix bugs in check_path_syntax() caught by asserts. - * Internal change - rearrange internal global case setting - variables to a per connection basis. - * BUG 1345: Fix premature optimization in unix_convert(). - * Allow clients to truncate a locked file. - * BUG 1319: Always check to see if a user as write access - to a share, even when 'force user' is set. - * Fix specific case of open that doesn't cause oplock break, - or share mode check. - * Correct sid type is WKN_GROUP, not alias. Added some - more known types (inspired by patch from Jianliang Lu). - * Allow creation of absolute symlink paths via CIFS clients. - - -o Andrew Bartlett - * Fix parsing bug in GetDomPwInfo(). - * Fix segfault in 'ntlm_auth --diagnostics'. - - -o Jerome Borsboom - * Ensure error status codes don't get overwritten in - lsa_lookup_sids() server code. - - -o Gerald Carter - * Fix a few bugs in the Fedora Packaging files. - * Fix for setting the called name to by our IP if the - called name was *SMBSERVER and *SMBSERV. Fixes issue - with connecting to printers via \\ip.ad.dr.ess\printer - UNC path. 
- * BUG 1315: fix for schannel client connections to servers - when we haven't specifically negotiated AUTH_PIPE_SEAL. - * Allow PrinterDriverData valuenames with embedded backslashes - (Fixes bug with one of the Konica Fiery drivers). - - -o Steve French - * Handle -S and user mount parms in mount.cifs. - - -o kawasa_r@itg.hitachi.co.jp - * Correct more memory leaks and initialization bugs. - * Fix bug that prevented core dumps from being generated - even if you tried. - * Connect to the winbind pipe in non-blocking mode to - prevent processes from hanging. - - -o Stephan Kulow - * Fix crash bug in libsmbclient. - - -o Volker Lendecke - * Added vfs_full_audit module. - * Add vfs_afsacl.c which can display & set AFS acls via - the NT security editor. - * Fix crash bug caused by trying to Base64 encode a NULL string. - - -o Herb Lewis - * Add the acls debug class. - * Fix logic bug in netbios name truncate routine. - * Fix smbd crash caused by smbtorture IOCTL test. - - -o Jianliang Lu - * Fix to stop smbd hanging on missing group member in - get_memberuids(). - * Make sure Samba returns the correct group types. - - -o Jim McDonough - * BUG 1279: SMBjobid fix for Samba print servers running on - Big-Endian platforms. - - -o Stefan Metzmacher - * fix a configure logic bug for linux/XFS quotas when - using --with-sys-quotas. - * Use quota debug class in quota code. - - -o Lars Müller - * BUG 1279: Added 'printcap cache time' parameter. - - -o Richard Sharpe - * Fix error return codes on some lock messages. - * BUG 1178: Make the libsmbclient routines callable - by C++ programs. - * BUG 1333: Make sure we return an error code when - things go wrong. - * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when - share mode locking requests fail. - - -o Simo Source - * Update Debian stable & unstable packaging. - - -o Andrew Tridgell - * Fixed bug in handling of timeout in socket connections. - - -o Jelmer Vernooij - * Additional NT status to unix error mappings. 
- - -------------------------------------------------- + ============================= Release Notes for Samba 3.0.4 May 8, 2004 diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index d87815b3abc..8c6b8cb4e39 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -212,6 +212,10 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaLogonHours' + DESC 'Logon Hours' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) ## ## string settings @@ -334,7 +338,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ - sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory)) + sambaBadPasswordCount $ sambaBadPasswordTime $ + sambaPasswordHistory $ sambaLogonHours)) ## ## Group mapping info diff --git a/source/include/smbldap.h b/source/include/smbldap.h index 6046af464e6..953937fb75d 100644 --- a/source/include/smbldap.h +++ b/source/include/smbldap.h @@ -96,6 +96,7 @@ #define LDAP_ATTR_PWD_HISTORY 39 #define LDAP_ATTR_SID_LIST 40 #define LDAP_ATTR_MOD_TIMESTAMP 41 +#define LDAP_ATTR_LOGON_HOURS 42 typedef struct _attrib_map_entry { int attrib; diff --git a/source/lib/smbldap.c b/source/lib/smbldap.c index 0980b763adb..e66fb3640cf 100644 --- a/source/lib/smbldap.c +++ b/source/lib/smbldap.c @@ -102,6 +102,7 @@ ATTRIB_MAP_ENTRY attrib_map_v30[] = { { LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" }, { LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" }, { LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" }, + { LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" }, { LDAP_ATTR_LIST_END, NULL } }; 
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index e404f5af3f9..0905d816920 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -583,6 +583,57 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
 return (True);
 }
+/*************************************************************
+ Routine to set 42 hex hours characters from a 21 byte array.
+**************************************************************/
+
+void pdb_sethexhours(char *p, const unsigned char *hours)
+{
+ if (hours != NULL) {
+ int i;
+ for (i = 0; i < 21; i++) {
+ slprintf(&p[i*2], 3, "%02X", hours[i]);
+ }
+ } else {
+ safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
+ }
+}
+
+/*************************************************************
+ Routine to get the 42 hex characters and turn them
+ into a 21 byte array.
+**************************************************************/
+
+BOOL pdb_gethexhours(const char *p, unsigned char *hours)
+{
+ int i;
+ unsigned char lonybble, hinybble;
+ const char *hexchars = "0123456789ABCDEF";
+ char *p1, *p2;
+
+ if (!p) {
+ return (False);
+ }
+
+ for (i = 0; i < 42; i += 2) {
+ hinybble = toupper(p[i]);
+ lonybble = toupper(p[i + 1]);
+
+ p1 = strchr(hexchars, hinybble);
+ p2 = strchr(hexchars, lonybble);
+
+ if (!p1 || !p2) {
+ return (False);
+ }
+
+ hinybble = PTR_DIFF(p1, hexchars);
+ lonybble = PTR_DIFF(p2, hexchars);
+
+ hours[i / 2] = (hinybble << 4) | lonybble;
+ }
+ return (True);
+}
+
 int algorithmic_rid_base(void)
 {
 static int rid_offset = 0;
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index 37cc0c79029..9af34705df5 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
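Review bot: `pdb_gethexhours()` indexes `p[0]` through `p[41]` without first checking that the string is 42 characters long. A shorter value is not caught by the `!p1 || !p2` test, because `strchr(hexchars, '\0')` returns a pointer to the terminator of `hexchars` rather than NULL, so the loop carries on reading past the end of the string and stores the derived bytes in `hours`. The `{42}` in the new sambaLogonHours schema entry does not guarantee a 42-character value, so the parser has to enforce the length itself, for example `if (strlen(p) < 42) return (False);` right after the NULL check. The `char` values handed to `toupper()` should also be cast to `unsigned char`, and the header comment of `pdb_sethexhours()` should state that `p` must have room for 43 bytes, since the function takes no size argument.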
@@ -782,7 +782,15 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */ - pdb_set_hours(sampass, hours, PDB_SET); + if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) { + /* leave as default */ + } else { + pdb_gethexhours(temp, hours); + memset((char *)temp, '\0', strlen(temp) +1); + pdb_set_hours(sampass, hours, PDB_SET); + ZERO_STRUCT(hours); + } /* check the timestamp of the cache vs ldap entry */ if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state, @@ -1065,7 +1073,18 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, } } - /* FIXME: Hours stuff goes in LDAP */ + if (need_update(sampass, PDB_HOURS)) { + const char *hours = pdb_get_hours(sampass); + if (hours) { + pdb_sethexhours(temp, hours); + smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, + existing, + mods, + get_userattr_key2string(ldap_state->schema_ver, + LDAP_ATTR_LOGON_HOURS), + temp); + } + } if (need_update(sampass, PDB_ACCTCTRL)) smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 1201cf88fcf..1eb6a135c51 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -49,6 +49,7 @@ #define BIT_EXPORT 0x02000000 #define BIT_FIX_INIT 0x04000000 #define BIT_BADPWRESET 0x08000000 +#define BIT_LOGONHOURS 0x10000000 #define MASK_ALWAYS_GOOD 0x0000001F #define MASK_USER_GOOD 0x00401F00 
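Review bot: The return value of `pdb_gethexhours(temp, hours)` is ignored in init_sam_from_ldap, so a malformed sambaLogonHours value leaves `hours` only partly decoded and it is still handed to `pdb_set_hours`. This field restricts when an account may log on, so a parse failure should be explicit: `if (pdb_gethexhours(temp, hours)) pdb_set_hours(sampass, hours, PDB_SET);`, with a DEBUG message in the failure branch and the existing `memset`/`ZERO_STRUCT` kept on both paths. `hours` and `temp` are declared outside the hunk, so their sizes cannot be confirmed from here; the decoder writes 21 bytes.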
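Review bot: `const char *hours = pdb_get_hours(sampass);` in init_ldap_from_sam declares the buffer as `char`, while pdb_sethexhours takes `const unsigned char *` and the print_sam_info hunk in pdbedit.c assigns the same getter to `const uint8 *` without a cast. Declare it as `const uint8 *hours = pdb_get_hours(sampass);` here, and in print_sam_info drop the cast so the call reads `pdb_sethexhours(temp, hours);`. The three sites then agree and the compiler can check the argument type. The function body continues outside the hunk.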
@@ -130,6 +131,9 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst if (!sam_pwent) return -1; if (verbosity) { + pstring temp; + const uint8 *hours; + printf ("Unix username: %s\n", pdb_get_username(sam_pwent)); printf ("NT username: %s\n", pdb_get_nt_username(sam_pwent)); printf ("Account Flags: %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN)); @@ -170,6 +174,10 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst printf ("Bad password count : %d\n", pdb_get_bad_password_count(sam_pwent)); + hours = pdb_get_hours(sam_pwent); + pdb_sethexhours(temp, (const char *)hours); + printf ("Logon hours : %s\n", temp); + } else if (smbpwdstyle) { char lm_passwd[33]; char nt_passwd[33]; @@ -294,7 +302,7 @@ static int set_user_info (struct pdb_context *in, const char *username, const char *drive, const char *script, const char *profile, const char *account_control, const char *user_sid, const char *group_sid, - const BOOL badpw) + const BOOL badpw, const BOOL hours) { BOOL updated_autolock = False, updated_badpw = False; SAM_ACCOUNT *sam_pwent=NULL; @@ -308,6 +316,16 @@ static int set_user_info (struct pdb_context *in, const char *username, pdb_free_sam(&sam_pwent); return -1; } + + if (hours) { + uint8 hours_array[MAX_HOURS_LEN]; + uint32 hours_len; + + hours_len = pdb_get_hours_len(sam_pwent); + memset(hours_array, 0xff, hours_len); + + pdb_set_hours(sam_pwent, hours_array, PDB_CHANGED); + } if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) { DEBUG(2,("pdb_update_autolock_flag failed.\n")); @@ -631,6 +649,7 @@ int main (int argc, char **argv) static long int account_policy_value = 0; BOOL account_policy_value_set = False; static BOOL badpw_reset = False; + static BOOL hours_reset = False; struct pdb_context *bin; struct pdb_context *bout; 
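Review bot: In set_user_info, `memset(hours_array, 0xff, hours_len)` takes its length from the account record without comparing it to the size of `hours_array[MAX_HOURS_LEN]`. The range of pdb_get_hours_len is not visible in this patch, but a stored length above MAX_HOURS_LEN would write past the stack buffer, and a smaller one leaves the tail uninitialized before `pdb_set_hours` receives the array. Filling the whole array avoids both: `memset(hours_array, 0xff, sizeof(hours_array));`. The function body continues outside the hunk.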
@@ -662,6 +681,7 @@ int main (int argc, char **argv) {"account-control", 'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL}, {"force-initialized-passwords", 0, POPT_ARG_NONE, &force_initialised_password, 0, "Force initialization of corrupt password strings in a passdb backend", NULL}, {"bad-password-count-reset", 'z', POPT_ARG_NONE, &badpw_reset, 0, "reset bad password count", NULL}, + {"logon-hours-reset", 'Z', POPT_ARG_NONE, &hours_reset, 0, "reset logon hours", NULL}, POPT_COMMON_SAMBA POPT_TABLEEND }; @@ -715,7 +735,8 @@ int main (int argc, char **argv) (account_policy_value_set ? BIT_ACCPOLVAL : 0) + (backend_in ? BIT_IMPORT : 0) + (backend_out ? BIT_EXPORT : 0) + - (badpw_reset ? BIT_BADPWRESET : 0); + (badpw_reset ? BIT_BADPWRESET : 0) + + (hours_reset ? BIT_LOGONHOURS : 0); if (setparms & BIT_BACKEND) { if (!NT_STATUS_IS_OK(make_pdb_context_string(&bdef, backend))) { @@ -829,6 +850,12 @@ int main (int argc, char **argv) checkparms |= BIT_MODIFY; checkparms &= ~BIT_BADPWRESET; } + + /* if logon hours is reset, must modify */ + if (checkparms & BIT_LOGONHOURS) { + checkparms |= BIT_MODIFY; + checkparms &= ~BIT_LOGONHOURS; + } /* account operation */ if ((checkparms & BIT_CREATE) || (checkparms & BIT_MODIFY) || (checkparms & BIT_DELETE)) { @@ -866,7 +893,7 @@ int main (int argc, char **argv) logon_script, profile_path, account_control, user_sid, group_sid, - badpw_reset); + badpw_reset, hours_reset); } } -- 2.11.4.GIT
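Review bot: The help text for `--logon-hours-reset` says only `"reset logon hours"` and does not tell the operator what state the account ends up in. The set_user_info hunk fills the array with 0xff, which appears to mean every hour is permitted, so the flag removes a logon-time restriction. A more explicit string such as `"reset logon hours (allow logon at all hours)"` would make that visible in `--help`.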