
Compare revisions

Commits on Source (65)
Showing
with 706 additions and 197 deletions
......@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
SAMBA_VERSION_RC_RELEASE=1
SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
......
Release Announcements
=====================
This is the first release candidate of Samba 4.21. This is *not*
This is the second release candidate of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
......@@ -180,8 +180,10 @@ Per-user and group "veto files" and "hide files"
"veto files" and "hide files" can optionally be restricted to certain users and
groups. To apply a veto or hide directive to a filename for a specific user or
group, prefix the filename with "../USERNAME/" or "../GROUPNAME/". For details
consult the updated smb.conf manpage.
group, a parametric option like this can be used:
hide files : USERNAME = /somefile.txt/
veto files : GROUPNAME = /otherfile.txt/
For details consult the updated smb.conf manpage.
Automatic keytab update after machine password change
-----------------------------------------------------
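Review bot: the rewritten paragraph replaces the "../USERNAME/" and "../GROUPNAME/" prefix form with the parametric form but does not say whether a configuration written against the rc1 syntax is still accepted. Since these options decide which files a user can see, state explicitly whether the prefix form is gone or still parsed, so that admins who tested rc1 know to convert their entries.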
......@@ -191,9 +193,51 @@ updates or manually (e.g. net ads changetrustpw), now winbind will also support
update of keytab entries in case you use newly added option
'sync machine password to keytab'.
The new parameter allows you to describe what keytabs and how should be updated.
From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
The functionaity provided by the removed commands "net ads keytab
add/delete/add_update_ads" can be achieved via the 'sync machine password to
keytab' as in these examples:
"net ads keytab add wurst/brot@REALM"
- this command is not adding <principal> to AD, so the best fit can be specifier
"spns"
- add to smb.conf:
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
- run:
"net ads keytab create"
"net ads keytab delete wurst/brot@REALM"
- remove the principal (or the whole keytab line if there was just one)
- run:
"net ads keytab create"
"net ads keytab add_update_ads wurst/brot@REALM"
- this command was adding the principal to AD, so for this case use a keytab
with specifier sync_spns
- add to smb.conf:
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
- run:
"net ads setspn add wurst/brot@REALM" # this adds the principal to AD
"net ads keytab create" # this sync it from AD to local keytab
A new parameter 'sync machine password script' allows to specify external script
that will be triggered after the automatic keytab update. For detailed
information check the smb.conf manpage.
that will be triggered after the automatic keytab update. If keytabs should be
generated in clustered environments it is recommended to update them on all
nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
46.update-keytabs.script in section 'sync machine password script' for details.
For detailed information check the smb.conf(5) and net(8) manpages.
REMOVED FEATURES
================
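Review bot: in the "net ads keytab delete" replacement, the step "remove the principal (or the whole keytab line if there was just one)" does not say where to remove it from; name the 'sync machine password to keytab' entry in smb.conf, as the two add examples do. Also "functionaity" should be "functionality", and "this sync it from AD" should read "this syncs it from AD".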
......@@ -226,6 +270,40 @@ smb.conf changes
sync machine password script script
CHANGES SINCE 4.21.0rc1
=======================
o Andreas Schneider <asn@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
o Anoop C S <anoopcs@samba.org>
* BUG 15686: Add new vfs_ceph module (based on low level API)
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
o Jo Sutton <josutton@catalyst.net.nz>
* BUG 15690: ldb_version.h is missing from ldb public library
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
o Shachar Sharon <ssharon@redhat.com>
* BUG 15686: Add new vfs_ceph module (based on low level API)
o Stefan Metzmacher <metze@samba.org>
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15687: undefined reference to winbind_lookup_name_ex
* BUG 15688: per user veto and hide file syntax is to complex
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
o Volker Lendecke <vl@samba.org>
* BUG 15688: per user veto and hide file syntax is to complex
KNOWN ISSUES
============
......
......@@ -286,7 +286,7 @@ def abi_build_vscript(task):
f.close()
def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
version = re.sub(r'\W', '_', version).upper()
version = re.sub(r'[^.\w]', '_', version).upper()
t = bld.SAMBA_GENERATOR(private_vscript,
rule=abi_build_vscript,
source=orig_vscript,
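Review bot: the switch from r'\W' to r'[^.\w]' in VSCRIPT_MAP_PRIVATE has no comment saying why '.' is now kept in the version tag, and the same pattern is repeated in ABI_VSCRIPT. Put the substitution in one small helper with a comment naming the characters that must survive, so the call sites cannot drift apart.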
......@@ -314,8 +314,8 @@ def ABI_VSCRIPT(bld, libname, abi_directory, version, vscript, abi_match=None, p
libname = os.path.basename(libname)
version = os.path.basename(version)
libname = re.sub(r'\W', '_', libname).upper()
version = re.sub(r'\W', '_', version).upper()
libname = re.sub(r'[^.\w]', '_', libname).upper()
version = re.sub(r'[^.\w]', '_', version).upper()
t = bld.SAMBA_GENERATOR(vscript,
rule=abi_build_vscript,
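Review bot: in ABI_VSCRIPT both libname and version are still matched with \w, which in a Python 3 str pattern also matches non-ASCII letters and digits, so such characters pass through the substitution unchanged. If the result must be limited to ASCII letters, digits, '_' and '.', pass flags=re.ASCII or spell the class out as [^.A-Za-z0-9_].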
......
......@@ -80,12 +80,12 @@
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para>The Samba net utility is meant to work just like the net utility
available for windows and DOS. The first argument should be used
to specify the protocol to use when executing a certain command.
ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
clients and RPC can be used for NT4 and Windows 2000. If this
argument is omitted, net will try to determine it automatically.
<para>The Samba net utility is meant to work just like the net utility
available for windows and DOS. The first argument should be used
to specify the protocol to use when executing a certain command.
ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
clients and RPC can be used for NT4 and Windows 2000. If this
argument is omitted, net will try to determine it automatically.
Not all commands are available on all protocols.
</para>
......@@ -98,7 +98,7 @@
<varlistentry>
<term>-w|--target-workgroup target-workgroup</term>
<listitem><para>
Sets target workgroup or domain. You have to specify
Sets target workgroup or domain. You have to specify
either this option or the IP address or the name of a server.
</para></listitem>
</varlistentry>
......@@ -115,7 +115,7 @@
<varlistentry>
<term>-p|--port port</term>
<listitem><para>
Port on the target server to connect to (usually 139 or 445).
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.
</para></listitem>
</varlistentry>
......@@ -123,7 +123,7 @@
<varlistentry>
<term>-S|--server server</term>
<listitem><para>
Name of target server. You should specify either
Name of target server. You should specify either
this option or a target workgroup or a target IP address.
</para></listitem>
</varlistentry>
......@@ -524,7 +524,7 @@ YOU HAVE BEEN WARNED.
<refsect3>
<title>TIME</title>
<para>Without any options, the <command>NET TIME</command> command
<para>Without any options, the <command>NET TIME</command> command
displays the time on the remote server. The remote server must be
specified with the -S option.
</para>
......@@ -542,7 +542,7 @@ The remote server must be specified with the -S option.
<refsect3>
<title>TIME SET</title>
<para>Tries to set the date and time of the local server to that on
<para>Tries to set the date and time of the local server to that on
the remote server using <command>/bin/date</command>.
The remote server must be specified with the -S option.
</para>
......@@ -565,8 +565,8 @@ The remote server must be specified with the -S option.
[osName=string osVer=string] [options]</title>
<para>
Join a domain. If the account already exists on the server, and
[TYPE] is MEMBER, the machine will attempt to join automatically.
Join a domain. If the account already exists on the server, and
[TYPE] is MEMBER, the machine will attempt to join automatically.
(Assuming that the machine has been created in server manager)
Otherwise, a password will be prompted for, and a new account may
be created.</para>
......@@ -590,7 +590,7 @@ format is host/netbiosname@REALM.
[OU] (ADS only) Precreate the computer account in a specific OU. The
OU string reads from top to bottom without RDNs, and is delimited by
a '/'. Please note that '\' is used for escape by both the shell
and ldap, so it may need to be doubled or quadrupled to pass through,
and ldap, so it may need to be doubled or quadrupled to pass through,
and it is not used as a delimiter.
</para>
<para>
......@@ -607,8 +607,8 @@ must be specified for either to take effect.
<refsect2>
<title>[RPC] OLDJOIN [options]</title>
<para>Join a domain. Use the OLDJOIN option to join the domain
using the old style of domain joining - you need to create a trust
<para>Join a domain. Use the OLDJOIN option to join the domain
using the old style of domain joining - you need to create a trust
account in server manager first.</para>
</refsect2>
......@@ -692,8 +692,8 @@ account in server manager first.</para>
<refsect3>
<title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets]</title>
<para>Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the
<para>Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the
share simultaneously.</para>
</refsect3>
......@@ -718,7 +718,7 @@ share simultaneously.</para>
<refsect3>
<title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title>
<para>Close file with specified <replaceable>fileid</replaceable> on
<para>Close file with specified <replaceable>fileid</replaceable> on
remote server.</para>
</refsect3>
......@@ -727,7 +727,7 @@ remote server.</para>
<title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title>
<para>
Print information on specified <replaceable>fileid</replaceable>.
Print information on specified <replaceable>fileid</replaceable>.
Currently listed are: file-id, username, locks, path, permissions.
</para>
......@@ -739,7 +739,7 @@ Currently listed are: file-id, username, locks, path, permissions.
<para>
List files opened by specified <replaceable>user</replaceable>.
Please note that <command>net rap file user</command> does not work
against Samba servers.
against Samba servers.
</para>
</refsect3>
......@@ -752,7 +752,7 @@ against Samba servers.
<refsect3>
<title>RAP SESSION</title>
<para>Without any other options, SESSION enumerates all active SMB/CIFS
<para>Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.</para>
</refsect3>
......@@ -784,7 +784,7 @@ to local domain.</para>
<refsect2>
<title>RAP DOMAIN</title>
<para>Lists all domains and workgroups visible on the
<para>Lists all domains and workgroups visible on the
current network.</para>
</refsect2>
......@@ -796,7 +796,7 @@ current network.</para>
<title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title>
<para>Lists the specified print queue and print jobs on the server.
If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
queues are listed.</para>
</refsect3>
......@@ -814,9 +814,9 @@ queues are listed.</para>
<title>RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>]</title>
<para>
Validate whether the specified user can log in to the
remote server. If the password is not specified on the commandline, it
will be prompted.
Validate whether the specified user can log in to the
remote server. If the password is not specified on the commandline, it
will be prompted.
</para>
&not.implemented;
......@@ -852,7 +852,7 @@ will be prompted.
<refsect2>
<title>RAP ADMIN <replaceable>command</replaceable></title>
<para>Execute the specified <replaceable>command</replaceable> on
<para>Execute the specified <replaceable>command</replaceable> on
the remote server. Only works with OS/2 servers.
</para>
......@@ -899,7 +899,7 @@ Change password of <replaceable>USER</replaceable> from <replaceable>OLDPASS</re
<title>LOOKUP HOST <replaceable>HOSTNAME</replaceable> [<replaceable>TYPE</replaceable>]</title>
<para>
Lookup the IP address of the given host with the specified type (netbios suffix).
Lookup the IP address of the given host with the specified type (netbios suffix).
The type defaults to 0x20 (workstation).
</para>
......@@ -965,7 +965,7 @@ or workgroup. Defaults to local domain.</para>
<refsect2>
<title>CACHE</title>
<para>Samba uses a general caching interface called 'gencache'. It
<para>Samba uses a general caching interface called 'gencache'. It
can be controlled using 'NET CACHE'.</para>
<para>All the timeout parameters support the suffixes:
......@@ -1044,7 +1044,7 @@ omitted, the SID of the local server.</para>
<refsect2>
<title>GETDOMAINSID</title>
<para>Prints the local machine SID and the SID of the current
<para>Prints the local machine SID and the SID of the current
domain.</para>
</refsect2>
......@@ -1158,15 +1158,15 @@ such as domain name, domain sid and number of users and groups.
<refsect3>
<title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title>
<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
with the account flag <constant>'I'</constant> (interdomain trust account).
<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
with the account flag <constant>'I'</constant> (interdomain trust account).
This is required for incoming trusts to work. It makes Samba be a
trusted domain of the foreign (trusting) domain.
Users of the Samba domain will be made available in the foreign domain.
If the command is used against localhost it has the same effect as
If the command is used against localhost it has the same effect as
<command>smbpasswd -a -i DOMAIN</command>. Please note that both commands
expect a appropriate UNIX account.
expect a appropriate UNIX account.
</para>
</refsect3>
......@@ -1174,9 +1174,9 @@ expect a appropriate UNIX account.
<refsect3>
<title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title>
<para>Remove interdomain trust account for
<replaceable>DOMAIN</replaceable>. If it is used against localhost
it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
<para>Remove interdomain trust account for
<replaceable>DOMAIN</replaceable>. If it is used against localhost
it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
</para>
</refsect3>
......@@ -1185,7 +1185,7 @@ it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
<title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title>
<para>
Establish a trust relationship to a trusted domain.
Establish a trust relationship to a trusted domain.
Interdomain account must already be created on the remote PDC.
This is required for outgoing trusts to work. It makes Samba be a
trusting domain of a foreign (trusted) domain.
......@@ -1326,9 +1326,9 @@ net rpc trust delete \
<refsect3>
<title>RPC RIGHTS</title>
<para>This subcommand is used to view and manage Samba's rights assignments (also
referred to as privileges). There are three options currently available:
<parameter>list</parameter>, <parameter>grant</parameter>, and
<para>This subcommand is used to view and manage Samba's rights assignments (also
referred to as privileges). There are three options currently available:
<parameter>list</parameter>, <parameter>grant</parameter>, and
<parameter>revoke</parameter>. More details on Samba's privilege model and its use
can be found in the Samba-HOWTO-Collection.</para>
......@@ -1367,14 +1367,14 @@ Force shutting down all applications.
<varlistentry>
<term>-t timeout</term>
<listitem><para>
Timeout before system will be shut down. An interactive
Timeout before system will be shut down. An interactive
user of the system can use this time to cancel the shutdown.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-C message</term>
<listitem><para>Display the specified message on the screen to
<listitem><para>Display the specified message on the screen to
announce the shutdown.</para></listitem>
</varlistentry>
</variablelist>
......@@ -1391,8 +1391,8 @@ to run this against the PDC, from a Samba machine joined as a BDC. </para>
<refsect2>
<title>RPC VAMPIRE</title>
<para>Export users, aliases and groups from remote server to
local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
<para>Export users, aliases and groups from remote server to
local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
This vampire command cannot be used against an Active Directory, only
against an NT4 Domain Controller.
</para>
......@@ -1486,7 +1486,7 @@ against an NT4 Domain Controller.
<title>ADS STATUS</title>
<para>Print out status of machine account of the local machine in ADS.
Prints out quite some debug info. Aimed at developers, regular
Prints out quite some debug info. Aimed at developers, regular
users should use <command>NET ADS TESTJOIN</command>.</para>
</refsect2>
......@@ -1498,7 +1498,7 @@ users should use <command>NET ADS TESTJOIN</command>.</para>
<title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>]</title>
<para>
Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the
Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the
server name defaults to the local host.</para>
</refsect3>
......@@ -1522,8 +1522,8 @@ server name defaults to the local host.</para>
<refsect2>
<title>ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable></title>
<para>Perform a raw LDAP search on a ADS server and dump the results. The
expression is a standard LDAP search expression, and the
<para>Perform a raw LDAP search on a ADS server and dump the results. The
expression is a standard LDAP search expression, and the
attributes are a list of LDAP fields to show in the results.</para>
<para>Example: <userinput>net ads search '(objectCategory=group)' sAMAccountName</userinput>
......@@ -1535,9 +1535,9 @@ attributes are a list of LDAP fields to show in the results.</para>
<title>ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable></title>
<para>
Perform a raw LDAP search on a ADS server and dump the results. The
DN standard LDAP DN, and the attributes are a list of LDAP fields
to show in the result.
Perform a raw LDAP search on a ADS server and dump the results. The
DN standard LDAP DN, and the attributes are a list of LDAP fields
to show in the result.
</para>
<para>Example: <userinput>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para>
......@@ -1558,8 +1558,28 @@ are made to the computer AD account.
</refsect2>
<refsect2>
<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
<title>(Removed!) ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
<para>
This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
</para>
To replace e.g. call of
<programlisting>
net ads keytab add wurst/brot@REALM
</programlisting>
Add to smb.conf:
<programlisting>
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
</programlisting>
and run:
<programlisting>
net ads keytab create
</programlisting>
<para>
Original description of this command:
</para>
<para>
Adds a new keytab entry, the entry can be either;
<variablelist>
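Review bot: the new replacement instructions for ADS KEYTAB ADD put the text "To replace e.g. call of", "Add to smb.conf:" and "and run:" directly under <refsect2>, between the closing </para> and each <programlisting>. The DELETE section added in this comparison wraps the same kind of text in a <para>; do the same here so the text is not left outside any block element. The title also opens a parenthesis in "(principal | machine | serviceclass | windows SPN" that is never closed.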
......@@ -1600,7 +1620,48 @@ available.
</refsect2>
<refsect2>
<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
<title>(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
<para>
This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
</para>
<para>
To replace e.g. call of
<programlisting>
net ads keytab delete wurst/brot@REALM
</programlisting>
Delete from <smbconfoption name="sync machine password to keytab"/> principal "wurst/brot@REALM" and run:
<programlisting>
net ads keytab create
</programlisting>
</para>
</refsect2>
<refsect2>
<title>(Removed!) ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
<para>
This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
</para>
To replace e.g. call of
<programlisting>
net ads keytab add_update_ads wurst/brot@REALM
</programlisting>
Add to smb.conf:
<programlisting>
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
</programlisting>
and run:
<programlisting>
net ads setspn add wurst/brot@REALM
net ads keytab create
</programlisting>
<para>
Original description of this command:
</para>
<para>
Adds a new keytab entry (see section for net ads keytab add). In addition to
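Review bot: the DELETE replacement says to delete the principal from 'sync machine password to keytab' but, unlike the release notes, does not cover the case where it was the only principal on that keytab line, and it shows no smb.conf line as the ADD and ADD_UPDATE_ADS sections do. In the ADD_UPDATE_ADS section the lines "To replace e.g. call of", "Add to smb.conf:" and "and run:" sit outside any <para>, unlike the DELETE text above them.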
......@@ -2281,7 +2342,7 @@ share (no creation of new files or directories or writing to files).
</para>
<para>
The default if no "acl" is given is "Everyone:R", which means any
The default if no "acl" is given is "Everyone:R", which means any
authenticated user has read-only access.
</para>
......@@ -3675,20 +3736,20 @@ net witness force-response Force an AsyncNotify response based on json input (
<refsect1>
<title>VERSION</title>
<para>This man page is complete for version 3 of the Samba
<para>This man page is complete for version 3 of the Samba
suite.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para>The net manpage was written by Jelmer Vernooij.</para>
</refsect1>
</refentry>
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="vfs_ceph_new.8">
<refmeta>
<refentrytitle>vfs_ceph_new</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>vfs_ceph_new</refname>
<refpurpose>
Utilize features provided by libcephfs low-level APIs
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>vfs objects = ceph_new</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This VFS module is part of the
<citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> suite.</para>
<para>
The <command>vfs_ceph_new</command> VFS module exposes
CephFS specific features for use by Samba.
</para>
<para>
Ceph is a distributed network file system designed to provide
excellent performance, reliability, and scalability. This is a
shared library allowing applications to access a Ceph
distributed file system via a POSIX-like interface.
</para>
<para>
This module can be combined with other modules, but it
should be the last module in the <command>vfs objects</command>
list. Modules added to this list to the right of the ceph
entry may not have any effect at all.
</para>
<para>
<command>vfs_ceph_new</command> performs mapping between Windows
and POSIX Access Control Lists (ACLs). To ensure correct
processing and enforcement of POSIX ACLs, the following Ceph
configuration parameters are automatically applied:
</para>
<programlisting>
<command>client acl type = posix_acl</command>
<command>fuse default permissions = false</command>
</programlisting>
<para>
<emphasis role="strong">NOTE</emphasis>:
This is a second implementation of a ceph module which uses libcephfs
low-level APIs (compared to the original
<citerefentry><refentrytitle>vfs_ceph</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> module which uses path-based
APIs). Using the low-level API allows more optimized and fine-grained
access to the Ceph storage layer.
</para>
</refsect1>
<refsect1>
<title>CONFIGURATION</title>
<para>
<command>vfs_ceph_new</command> requires that the underlying
share path is a Ceph filesystem.
</para>
<programlisting>
<smbconfsection name="[share]"/>
<smbconfoption name="vfs objects">ceph_new</smbconfoption>
<smbconfoption name="path">/non-mounted/cephfs/path</smbconfoption>
<smbconfoption name="kernel share modes">no</smbconfoption>
</programlisting>
<para>
Since <command>vfs_ceph_new</command> does not require a
filesystem mount, the share <command>path</command> is treated
differently: it is interpreted as an absolute path within the
Ceph filesystem on the attached Ceph cluster.
In a ctdb cluster environment where ctdb manages Samba,
<command>CTDB_SAMBA_SKIP_SHARE_CHECK=yes</command> must be
configured to disable local share path checks, otherwise ctdb
will not reach a healthy state.
</para>
<para>
Note that currently <command>kernel share modes</command> have
to be disabled in a share running with the CephFS vfs module for
file serving to work properly.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>ceph_new:config_file = path</term>
<listitem>
<para>
Allows one to define a ceph configfile to use. Empty by default.
</para>
<para>
Example: ceph_new:config_file =
/etc/ceph/ceph.conf
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ceph_new:user_id = name</term>
<listitem>
<para>
Allows one to explicitly set the client ID used for the
CephFS mount handle. Empty by default (use the libcephfs
client default).
</para>
<para>
Example: ceph_new:user_id = samba
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ceph_new:filesystem = fs_name</term>
<listitem>
<para>
Allows one to explicitly select the CephFS file system
to use when the Ceph cluster supports more than one
file system. Empty by default (use the default file
system of the Ceph cluster).
</para>
<para>
Example: ceph_new:filesystem = myfs2
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>
This man page is part of version &doc.version; of the Samba suite.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
</refsect1>
</refentry>
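Review bot: DESCRIPTION cites samba with <manvolnum>8</manvolnum>, while net.8.xml in this same comparison cites it with <manvolnum>7</manvolnum>; use 7 here as well. The page also says the share path is an absolute path inside the Ceph filesystem and that ceph_new:user_id selects the client ID, but never says which Ceph credentials or capabilities that client needs; a sentence on this would help admins limit what the Samba client can reach.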
......@@ -14,14 +14,22 @@
as in DOS wildcards.</para>
<para>
If a file or directory name is prefixed by &quot;../USERNAME/&quot;
or &quot;../GROUPNAME/&quot;, then the subsequent filename is only hidden for the
given user or group. Instead of specifying users or groups by name, they
can also be specified by SID.
<smbconfoption name="hide files"/> can also be used as a
parametric option where NAME in</para>
<para>
hide files : NAME =
</para>
<para>User and group names use the same format as <smbconfoption
name="valid users"/>.</para>
<para>
specifies a user or group name with the same syntax as
<smbconfoption name="valid users"/>. This parametric form can
be specified multiple times for different users or
groups. This means that &quot;hide files : NAME&quot; set both
in the [global] and the share section add up, whereas normally
options set in a share section overwrite the default in the
[global] section.
</para>
<para>Each entry must be a Unix path, not a DOS path and must
not include the Unix directory separator '/'.</para>
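Review bot: the old paragraph said users and groups "can also be specified by SID", while the new text only refers to the syntax of 'valid users', although the example in this file still uses "hide files : S-1-5-21-123-456-789-1000". Say explicitly that a SID is accepted as NAME. The sentence is also split across separate <para> elements around the "hide files : NAME =" line ("where NAME in" ... "specifies a user or group name"), which will render as disconnected fragments.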
......@@ -46,9 +54,12 @@
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
; Hide some files for anyone and some files for specific users and groups
hide files = hideforall1/../joe/hideforuserjoe/hideforall2/../students/hideforstudents/hideforall3
hide files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt
hide files = ../S-1-5-21-123-456-789-1000/secretfile.txt
hide files = /hideforall1/
hide files : USER = /hidetoforuser/
hide files : GROUP = /hideforgroup/
hide files : UNIVERSITY\Alumnis = /somefile.txt/
hide files : john@university.org = /anotherfile.txt/
hide files : S-1-5-21-123-456-789-1000 = /secretfile.txt/
</programlisting>
</para>
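Review bot: the new example "hide files : USER = /hidetoforuser/" looks like a typo for /hideforuser/, matching /hideforgroup/ on the next line. The example would also be clearer if it showed one parametric entry in [global] and one in a share section, since the text says these entries add up.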
......
......@@ -11,14 +11,22 @@
</para>
<para>
If a file or directory name is prefixed by &quot;../USERNAME/&quot;
or &quot;../GROUPNAME/&quot;, then the subsequent filename is only hidden for the
given user or group. Instead of specifying users or groups by name, they
can also be specified by SID.
<smbconfoption name="veto files"/> can also be used as a
parametric option where NAME in</para>
<para>
veto files : NAME =
</para>
<para>User and group names use the same format as <smbconfoption
name="valid users"/>.</para>
<para>
specifies a user or group name with the same syntax as
<smbconfoption name="valid users"/>. This parametric form can
be specified multiple times for different users or
groups. This means that &quot;veto files : NAME&quot; set both
in the [global] and the share section add up, whereas normally
options set in a share section overwrite the default in the
[global] section.
</para>
<para>
Each filename must be a unix path, not a DOS path and must
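Review bot: the text says "veto files : NAME" entries from [global] and the share section add up, but not how they combine with the plain "veto files" list, that is, whether a user matched by NAME is subject to both lists. Since veto files decides which files a client can see and access, spell that out.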
......@@ -51,9 +59,12 @@
veto files = /*Security*/*.tmp/*root*/
; Veto some files for anyone and some files for specific users and groups
veto files = /vetoforall1/../USER/vetoforuser/vetoforall2/../GROUP/vetoforgroup/vetoforall3/
veto files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt
veto files = ../S-1-5-21-123-456-789-1000/secretfile.txt
veto files = /vetoforall1/
veto files : USER = /vetotoforuser/
veto files : GROUP = /vetoforgroup/
veto files : UNIVERSITY\Alumnis = /somefile.txt/
veto files : john@university.org = /anotherfile.txt/
veto files : S-1-5-21-123-456-789-1000 = /secretfile.txt/
; Veto the Apple specific files that a NetAtalk server
; creates.
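Review bot: the new example "veto files : USER = /vetotoforuser/" looks like a typo for /vetoforuser/, matching /vetoforgroup/ on the next line.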
......
......@@ -35,6 +35,12 @@
<smbconfoption name="dedicated keytab file"/> must be set to
specify the location of the keytab file.
</para>
<para>
Suggested configuration is to use the default value 'secrets only' together with the
<smbconfoption name="sync machine password to keytab"/> option.
</para>
</description>
<related>dedicated keytab file</related>
<value type="default">default</value>
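Review bot: The added para names 'secrets only' as the default value, while the context line just below it gives the default as the literal value "default". Suggest stating in the para how the two relate, so a reader does not look for a literal 'secrets only' default in the value list.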
......
......@@ -8,8 +8,19 @@
This is the full pathname to a script that will be run by
<citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine account password is updated.
</para>
<para>
If keytabs should be generated in clustered environments it is recommended to update them on all nodes.
You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case.
It is also needed to activate the <constant>46.update-keytabs.script</constant> in ctdb,
it re-creates the keytab during the ctdb recovered event:
<programlisting>
onnode all ctdb event script enable legacy 46.update-keytabs.script
</programlisting>
</para>
</description>
<value type="default"/>
<value type="example">/usr/sbin/sync_machine_password</value>
<value type="example">&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value>
</samba:parameter>
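Review bot: The added para runs two statements together with a comma ("It is also needed to activate ..., it re-creates the keytab ...") and uses "in clustering case". Suggest something like "In a cluster, set this option to the winbind_ctdb_updatekeytab.sh script and enable the 46.update-keytabs.script event script in ctdb, which re-creates the keytab on the ctdb recovered event." It would also help to say from which node and as which user the onnode command is expected to be run.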
......@@ -3,8 +3,9 @@
type="cmdlist"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option allows you to describe what keytabs and how should be
updated when machine account is changed via one of these commands
<para>
This option allows you to describe what keytabs and how should be updated when
machine account is changed via one of these commands
<programlisting>
wbinfo --change-secret
......@@ -13,57 +14,72 @@ net rpc changetrustpw
net ads changetrustpw
</programlisting>
or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>)
or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>)
</para>
<para>The option takes a list of keytab strings. Each string has this form:
<para>
The option takes a list of keytab strings. Each string has this form:
<programlisting>
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
where spn_spec can have exactly one of these three forms:
where spn_spec can have exactly one of these four forms:
<programlisting>
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
</programlisting>
<para>
No other combinations are allowed.
Specifiers:
account_name - creates entry using principal 'computer$@REALM'.
sync_spns - uses principals received from AD DC.
spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified.
spns - creates only the principals defined in the list.
No other combinations are allowed.
</para>
Options:
sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib.
sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1.
netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/>
additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/>
machine_password - mandatory, if missing the entry is ignored. For future use.
<para>
Specifiers:
<programlisting>
account_name - creates entry using principal 'computer$@REALM'.
sync_spns - uses principals received from AD DC.
spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified.
spns - creates only the principals defined in the list.
</programlisting>
</para>
<para>
Options:
<programlisting>
sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib.
sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1.
netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/>
additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/>
machine_password - mandatory, if missing the entry is ignored. For future use.
</programlisting>
</para>
<para>
Example:
<programlisting>
"/path/to/keytab0:account_name:machine_password",
"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
"/path/to/keytab2:sync_spns:machine_password",
"/path/to/keytab3:sync_spns:sync_kvno:machine_password",
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
"/path/to/keytab0:account_name:machine_password",
"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
"/path/to/keytab2:sync_spns:machine_password",
"/path/to/keytab3:sync_spns:sync_kvno:machine_password",
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
</para>
If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password
<para>
If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
</para>
<para>
Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
</para>
<para>
In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
</para>
</description>
</samba:parameter>
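Review bot: The format line lists machine_password in optional brackets ("[:machine_password]"), but the Options list calls it mandatory and says the entry is ignored when it is missing. Suggest dropping the brackets around it in the format line so the syntax and the description agree. The Options list also refers to SPN_SPEC_PREFIX, which is not defined anywhere in this text; use spn_prefixes, the name given under Specifiers.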
......@@ -78,6 +78,7 @@ vfs_module_manpages = ['vfs_acl_tdb',
'vfs_cap',
'vfs_catia',
'vfs_ceph',
'vfs_ceph_new',
'vfs_ceph_snapshots',
'vfs_commit',
'vfs_crossrename',
......
......@@ -174,7 +174,7 @@ def build(bld):
dep_vars=['LDB_VERSION'],
target='include/ldb_version.h',
public_headers='include/ldb_version.h',
public_headers_install=not bld.env.ldb_is_public_library)
public_headers_install=bld.env.ldb_is_public_library)
t.env.LDB_VERSION = LDB_VERSION
bld.SAMBA_MODULE('ldb_asq',
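Review bot: Dropping the "not" on public_headers_install reverses when include/ldb_version.h gets installed, and nothing in the hunk says which polarity is intended. Suggest a one-line comment next to the call stating that the header is installed only when ldb is built as a public library, so the condition is not flipped back by accident.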
......
tdb_add_flags: void (struct tdb_context *, unsigned int)
tdb_append: int (struct tdb_context *, TDB_DATA, TDB_DATA)
tdb_chainlock: int (struct tdb_context *, TDB_DATA)
tdb_chainlock_mark: int (struct tdb_context *, TDB_DATA)
tdb_chainlock_nonblock: int (struct tdb_context *, TDB_DATA)
tdb_chainlock_read: int (struct tdb_context *, TDB_DATA)
tdb_chainlock_read_nonblock: int (struct tdb_context *, TDB_DATA)
tdb_chainlock_unmark: int (struct tdb_context *, TDB_DATA)
tdb_chainunlock: int (struct tdb_context *, TDB_DATA)
tdb_chainunlock_read: int (struct tdb_context *, TDB_DATA)
tdb_check: int (struct tdb_context *, int (*)(TDB_DATA, TDB_DATA, void *), void *)
tdb_close: int (struct tdb_context *)
tdb_delete: int (struct tdb_context *, TDB_DATA)
tdb_dump_all: void (struct tdb_context *)
tdb_enable_seqnum: void (struct tdb_context *)
tdb_error: enum TDB_ERROR (struct tdb_context *)
tdb_errorstr: const char *(struct tdb_context *)
tdb_exists: int (struct tdb_context *, TDB_DATA)
tdb_fd: int (struct tdb_context *)
tdb_fetch: TDB_DATA (struct tdb_context *, TDB_DATA)
tdb_firstkey: TDB_DATA (struct tdb_context *)
tdb_freelist_size: int (struct tdb_context *)
tdb_get_flags: int (struct tdb_context *)
tdb_get_logging_private: void *(struct tdb_context *)
tdb_get_seqnum: int (struct tdb_context *)
tdb_hash_size: int (struct tdb_context *)
tdb_increment_seqnum_nonblock: void (struct tdb_context *)
tdb_jenkins_hash: unsigned int (TDB_DATA *)
tdb_lock_nonblock: int (struct tdb_context *, int, int)
tdb_lockall: int (struct tdb_context *)
tdb_lockall_mark: int (struct tdb_context *)
tdb_lockall_nonblock: int (struct tdb_context *)
tdb_lockall_read: int (struct tdb_context *)
tdb_lockall_read_nonblock: int (struct tdb_context *)
tdb_lockall_unmark: int (struct tdb_context *)
tdb_log_fn: tdb_log_func (struct tdb_context *)
tdb_map_size: size_t (struct tdb_context *)
tdb_name: const char *(struct tdb_context *)
tdb_nextkey: TDB_DATA (struct tdb_context *, TDB_DATA)
tdb_null: dptr = 0xXXXX, dsize = 0
tdb_open: struct tdb_context *(const char *, int, int, int, mode_t)
tdb_open_ex: struct tdb_context *(const char *, int, int, int, mode_t, const struct tdb_logging_context *, tdb_hash_func)
tdb_parse_record: int (struct tdb_context *, TDB_DATA, int (*)(TDB_DATA, TDB_DATA, void *), void *)
tdb_printfreelist: int (struct tdb_context *)
tdb_remove_flags: void (struct tdb_context *, unsigned int)
tdb_reopen: int (struct tdb_context *)
tdb_reopen_all: int (int)
tdb_repack: int (struct tdb_context *)
tdb_rescue: int (struct tdb_context *, void (*)(TDB_DATA, TDB_DATA, void *), void *)
tdb_runtime_check_for_robust_mutexes: bool (void)
tdb_set_logging_function: void (struct tdb_context *, const struct tdb_logging_context *)
tdb_set_max_dead: void (struct tdb_context *, int)
tdb_setalarm_sigptr: void (struct tdb_context *, volatile sig_atomic_t *)
tdb_store: int (struct tdb_context *, TDB_DATA, TDB_DATA, int)
tdb_storev: int (struct tdb_context *, TDB_DATA, const TDB_DATA *, int, int)
tdb_summary: char *(struct tdb_context *)
tdb_transaction_active: bool (struct tdb_context *)
tdb_transaction_cancel: int (struct tdb_context *)
tdb_transaction_commit: int (struct tdb_context *)
tdb_transaction_prepare_commit: int (struct tdb_context *)
tdb_transaction_start: int (struct tdb_context *)
tdb_transaction_start_nonblock: int (struct tdb_context *)
tdb_transaction_write_lock_mark: int (struct tdb_context *)
tdb_transaction_write_lock_unmark: int (struct tdb_context *)
tdb_traverse: int (struct tdb_context *, tdb_traverse_func, void *)
tdb_traverse_chain: int (struct tdb_context *, unsigned int, tdb_traverse_func, void *)
tdb_traverse_key_chain: int (struct tdb_context *, TDB_DATA, tdb_traverse_func, void *)
tdb_traverse_read: int (struct tdb_context *, tdb_traverse_func, void *)
tdb_unlock: int (struct tdb_context *, int, int)
tdb_unlockall: int (struct tdb_context *)
tdb_unlockall_read: int (struct tdb_context *)
tdb_validate_freelist: int (struct tdb_context *, int *)
tdb_wipe_all: int (struct tdb_context *)
#!/usr/bin/env python
APPNAME = 'tdb'
VERSION = '1.4.11'
VERSION = '1.4.12'
import sys, os
......
......@@ -138,6 +138,13 @@ def check_symbols(sofile, expected_symbols=""):
return "objdump --dynamic-syms " + sofile + " | " + \
"awk \'$0 !~ /" + expected_symbols + "/ {if ($2 == \"g\" && $3 ~ /D(F|O)/ && $4 ~ /(.bss|.text)/ && $7 !~ /(__gcov_|mangle_path)/) exit 1}\'"
def check_versioned_symbol(sofile, symvol, version):
return "objdump --dynamic-syms " + sofile + " | " + \
"awk \'$7 == \"" + symvol + "\" { " + \
"if ($2 == \"g\" && $3 ~ /D(F|O)/ && $4 ~ /(.bss|.text)/ && " + \
"$6 == \"" + version + "\") print $0 }\'" + \
"| wc -l | grep -q \'^1$\'"
if args:
# If we are only running specific test,
# do not sleep randomly to wait for it to start
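Review bot: The second parameter of check_versioned_symbol is spelled "symvol"; rename it to "symbol". The section match /(.bss|.text)/, carried over from check_symbols, leaves the dots unescaped so they match any character; /(\.bss|\.text)/ is what is meant. Since the symbol and version arguments are pasted into the awk program unquoted, a short comment that they must be plain identifiers would keep a later caller from passing something that changes the awk expression.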
......@@ -877,14 +884,56 @@ tasks = {
("talloc-configure", "cd lib/talloc && " + samba_libs_configure_libs),
("talloc-make", "cd lib/talloc && make"),
("talloc-install", "cd lib/talloc && make install"),
("talloc-abi-check1",
check_versioned_symbol(
"./lib/talloc/bin/shared/libtalloc.so.2",
"talloc_named",
"TALLOC_2.0.2"
)
),
("talloc-abi-check2",
check_versioned_symbol(
"./lib/talloc/bin/shared/libtalloc.so.2",
"talloc_asprintf_addbuf",
"TALLOC_2.3.5"
)
),
("tdb-configure", "cd lib/tdb && " + samba_libs_configure_libs),
("tdb-make", "cd lib/tdb && make"),
("tdb-install", "cd lib/tdb && make install"),
("tdb-abi-check1",
check_versioned_symbol(
"./lib/tdb/bin/shared/libtdb.so.1",
"tdb_errorstr",
"TDB_1.2.1"
)
),
("tdb-abi-check2",
check_versioned_symbol(
"./lib/tdb/bin/shared/libtdb.so.1",
"tdb_traverse_chain",
"TDB_1.3.17"
)
),
("tevent-configure", "cd lib/tevent && " + samba_libs_configure_libs),
("tevent-make", "cd lib/tevent && make"),
("tevent-install", "cd lib/tevent && make install"),
("tevent-abi-check1",
check_versioned_symbol(
"./lib/tevent/bin/shared/libtevent.so.0",
"_tevent_loop_once",
"TEVENT_0.9.9"
)
),
("tevent-abi-check2",
check_versioned_symbol(
"./lib/tevent/bin/shared/libtevent.so.0",
"__tevent_req_create",
"TEVENT_0.15.0"
)
),
("nondevel-configure", samba_libs_envvars + " ./configure --private-libraries='!ldb' --vendor-suffix=TEST-STRING~5.1.2 ${PREFIX}"),
("nondevel-make", "make -j"),
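Review bot: The talloc, tdb and tevent checks each pin exactly two symbol/version pairs, with no comment on why these were picked or when the list has to be extended. Suggest a comment above the first check saying what the pair is meant to cover (it looks like one early and one recent version node per library) and that a new pair should be added when a new version node is introduced. Naming the tasks after symbol@version instead of abi-check1/abi-check2 would also make a failing step self-explanatory in the autobuild log.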
......@@ -903,12 +952,16 @@ tasks = {
check_symbols("./bin/plugins/libnss_wins.so.2", "_nss_wins_")),
("nondevel-no-public-libwbclient",
check_symbols("./bin/shared/libwbclient.so.0", "wbc")),
("nondevel-libwbclient-wbcCtxPingDc2@WBCLIENT_0.12",
check_versioned_symbol("./bin/shared/libwbclient.so.0", "wbcCtxPingDc2", "WBCLIENT_0.12")),
("nondevel-no-public-pam_winbind",
check_symbols("./bin/plugins/pam_winbind.so", "pam_sm_")),
("nondevel-no-public-winbind_krb5_locator",
check_symbols("./bin/plugins/winbind_krb5_locator.so", "service_locator")),
("nondevel-no-public-async_dns_krb5_locator",
check_symbols("./bin/plugins/async_dns_krb5_locator.so", "service_locator")),
("nondevel-libndr-krb5pac-ndr_pull_PAC_DATA@NDR_KRB5PAC_0.0.1",
check_versioned_symbol("./bin/shared/libndr-krb5pac.so.0", "ndr_pull_PAC_DATA", "NDR_KRB5PAC_0.0.1")),
("nondevel-install", "make -j install"),
("nondevel-dist", "make dist"),
......@@ -1029,6 +1082,15 @@ tasks = {
("nonshared-lcov", LCOV_CMD),
("nonshared-check-clean-tree", CLEAN_SOURCE_TREE_CMD),
("nonshared-clean", "make clean"),
# retry without winbindd
("nonwinbind-distclean", "make distclean"),
("nonwinbind-configure", "./configure.developer " + samba_configure_params + " --bundled-libraries=ALL --with-static-modules=ALL --without-winbind"),
("nonwinbind-make", "make -j"),
("nonwinbind-test", make_test(TESTS="samba3.smb2.*.simpleserver")),
("nonwinbind-lcov", LCOV_CMD),
("nonwinbind-check-clean-tree", CLEAN_SOURCE_TREE_CMD),
("nonwinbind-clean", "make clean"),
],
},
......
......@@ -1968,6 +1968,8 @@ sub setup_fileserver
get quota command = $prefix_abs/getset_quota.py
set quota command = $prefix_abs/getset_quota.py
veto files : user1 = /user1file/
veto files : +group1 = /group1file/
[tarmode]
path = $tarmode_sharedir
comment = tar test share
......@@ -2079,7 +2081,9 @@ sub setup_fileserver
[veto_files]
path = $veto_sharedir
veto files = /veto_name*/../user1/user1file/../user2/user2file/../+group1/group1file/../+group2/group2file
veto files = /veto_name*/
veto files : user2 = /user2file/
veto files : +group2 = /group2file/
[delete_yes_unwrite]
read only = no
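Review bot: Nothing in the config explains why the user1/+group1 entries sit next to the quota command options while the user2/+group2 entries sit in [veto_files]. If the split is there to exercise the documented adding-up of "veto files : NAME" across sections, a short comment at both places would say so and stop someone from tidying the four lines into one section later.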
......
......@@ -326,9 +326,11 @@ bool token_contains_name(TALLOC_CTX *mem_ctx,
const struct security_token *token,
const char *name,
bool *match);
bool append_to_namearray(TALLOC_CTX *mem_ctx,
const char *namelist_in,
struct name_compare_entry **_name_array);
bool set_namearray(TALLOC_CTX *mem_ctx,
const char *namelist,
const struct security_token *token,
struct name_compare_entry **_name_array);
bool fcntl_lock(int fd, int op, off_t offset, off_t count, int type);
bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pid_t *ppid);
......
......@@ -179,6 +179,17 @@ bool token_contains_name(TALLOC_CTX *mem_ctx,
return true;
}
static size_t namearray_len(const struct name_compare_entry *array)
{
size_t i = 0;
while (array[i].name != NULL) {
i += 1;
}
return i;
}
/*******************************************************************
Strip a '/' separated list into an array of
name_compare_enties structures suitable for
......@@ -190,94 +201,70 @@ bool token_contains_name(TALLOC_CTX *mem_ctx,
if possible.
********************************************************************/
bool set_namearray(TALLOC_CTX *mem_ctx,
const char *namelist_in,
const struct security_token *token,
struct name_compare_entry **_name_array)
bool append_to_namearray(TALLOC_CTX *mem_ctx,
const char *namelist_in,
struct name_compare_entry **_name_array)
{
struct name_compare_entry *name_array = NULL;
struct name_compare_entry *e = NULL;
struct name_compare_entry *name_array = *_name_array;
size_t len;
char *namelist = NULL;
const char *p = NULL;
size_t num_entries;
bool ok;
*_name_array = NULL;
if ((namelist_in == NULL) || (namelist_in[0] == '\0')) {
return true;
}
namelist = path_to_strv(mem_ctx, namelist_in);
if (namelist == NULL) {
DBG_ERR("path_to_strv failed\n");
return false;
if (name_array == NULL) {
name_array = talloc_zero(mem_ctx, struct name_compare_entry);
if (name_array == NULL) {
return false;
}
}
len = namearray_len(name_array);
num_entries = strv_count(namelist);
name_array = talloc_zero_array(mem_ctx,
struct name_compare_entry,
num_entries + 1);
if (name_array == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(namelist);
namelist = path_to_strv(name_array, namelist_in);
if (namelist == NULL) {
DBG_ERR("path_to_strv failed\n");
return false;
}
namelist = talloc_reparent(mem_ctx, name_array, namelist);
e = &name_array[0];
while ((p = strv_next(namelist, p)) != NULL) {
struct name_compare_entry *tmp = NULL;
if (*p == '\0') {
/* cope with multiple (useless) /s) */
continue;
}
if (ISDOTDOT(p) && token != NULL) {
const char *username = NULL;
bool match;
/* Get the username */
p = strv_next(namelist, p);
if (p == NULL) {
DBG_ERR("Missing username\n");
TALLOC_FREE(namelist);
return false;
}
username = p;
/* Get the filename */
p = strv_next(namelist, p);
if (p == NULL) {
DBG_ERR("Missing filename after username '%s'\n",
username);
TALLOC_FREE(namelist);
return false;
}
ok = token_contains_name(talloc_tos(),
NULL,
NULL,
NULL,
token,
username,
&match);
if (!ok) {
TALLOC_FREE(namelist);
return false;
}
if (!match) {
continue;
}
tmp = talloc_realloc(mem_ctx,
name_array,
struct name_compare_entry,
len + 2);
if (tmp == NULL) {
return false;
}
e->name = p;
e->is_wild = ms_has_wild(e->name);
e++;
name_array = tmp;
name_array[len] = (struct name_compare_entry){
.name = p,
.is_wild = ms_has_wild(p),
};
name_array[len + 1] = (struct name_compare_entry){};
len += 1;
}
*_name_array = name_array;
return true;
}
bool set_namearray(TALLOC_CTX *mem_ctx,
const char *namelist_in,
struct name_compare_entry **_name_array)
{
bool ret;
*_name_array = NULL;
ret = append_to_namearray(mem_ctx, namelist_in, _name_array);
return ret;
}
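Review bot: In the while loop of append_to_namearray, a failing talloc_realloc returns false without storing name_array back into *_name_array. If an earlier iteration already moved the array, the caller's pointer then still refers to the old allocation. set_namearray is unaffected because it sets *_name_array = NULL first, but a caller appending to an existing array is exposed. Suggest assigning *_name_array = name_array right after "name_array = tmp;" so the caller's pointer is valid on every return path. A comment on the contract, that *_name_array must be NULL or an array terminated by an entry with a NULL name as namearray_len expects, would also help.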
......@@ -363,6 +363,17 @@ bool winbind_lookup_name(const char *dom_name, const char *name, struct dom_sid
return false;
}
_PRIVATE_
NTSTATUS winbind_lookup_name_ex(const char *dom_name,
const char *name,
struct dom_sid *sid,
enum lsa_SidType *name_type)
{
*name_type = SID_NAME_UNKNOWN;
ZERO_STRUCTP(sid);
return NT_STATUS_OK;
}
/* Call winbindd to convert sid to name */
bool winbind_lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
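Review bot: The stub winbind_lookup_name_ex returns NT_STATUS_OK after zeroing sid and setting *name_type = SID_NAME_UNKNOWN, whereas the winbind_lookup_name stub just above it returns false. A caller that checks only the NTSTATUS would go on to use the all-zero SID. Suggest a comment on the stub stating that success with SID_NAME_UNKNOWN means "not found" and that callers must test name_type before using sid.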
......
......@@ -66,7 +66,6 @@ static inline int status_code(int ret)
errno = -ret;
return -1;
}
errno = 0;
return ret;
}
......@@ -76,7 +75,6 @@ static inline ssize_t lstatus_code(intmax_t ret)
errno = -((int)ret);
return -1;
}
errno = 0;
return (ssize_t)ret;
}
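Review bot: With "errno = 0;" dropped from the success path of status_code and lstatus_code, errno keeps whatever value an earlier call left behind. That follows the usual convention, but any caller that tests errno instead of the -1 return value would now see a stale error; worth confirming that no caller of these two helpers does so, and recording that in the commit message.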
......