| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The gssapi symbols are in gssapi_krb5 and gssapi in MIT and Heimdal
Kerberos, respectively. Including gssapi_generic.h is not necessary.
Signed-off-by: atheik <atteh.mailbox@gmail.com>
|
|
Add support for gssproxy usage through GSS-API. If no useable ticket cache or
keytab can be found, fall on through into credential handling anyway but then
divert into GSS routines. If no gssproxy is available this will still error out
silently because no ticket cache is available. With gssproxy enabled,
credentials can be retrieved from there and allow unattended access to shares
e.g. from batch jobs.
Signed-off-by: Michael Weiser <michael.weiser@atos.net>
|
|
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
When we compile cifs-utils, we may probabilistic
encounter install error like:
cd ***/sbin && ln -sf mount.cifs mount.smb3
***/sbin: No such file or directory
The reason of this problem is that if we compile
cifs-utils using multithreading, target
'install-sbinPROGRAMS' may be built after
target 'install-exec-hook' of the main Makefile.
Target 'install-sbinPROGRAMS' will copy the
executable file 'mount.cifs' to the $(ROOTSBINDIR),
which target 'install-exec-hook' will do the
'ln' command on.
This patch add the dependency of target
'install-exec-hook' to ensure the correct order
of the compiling.
Signed-off-by: lizhe <lizhe67@huawei.com>
|
|
|
|
When make install is run during package building, DESTDIR parameter is passed, e.g.:
$ rpm --eval %makeinstall_std
make DESTDIR=/root/rpmbuild/BUILDROOT/%{name}-%{version}-%{release}-rosa2016.1.x86_64-buildroot install
Without DESTDIR build scripts tried to create symlinks outside of the build root:
make[3]: Entering directory '/tmp/abf/rpmbuild/BUILD/cifs-utils-6.10'
(cd /sbin && ln -sf mount.cifs mount.smb3)
ln: failed to create symbolic link 'mount.smb3': Permission denied
The same fix was introduced in Arch Linux package when updating from 6.9 to 6.10:
https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/cifs-utils&id=c75b246a762ea9b90db404dfebc6d35d5b16972f
|
|
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
|
|
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
As we will slowly move towards smb3 filesystem,
supporting through "mount -t smb3" is important.
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
|
|
For example
smbinfo secdesc <file> will print the security descriptor
smbinfo quota <file> will print the quotas for the volume
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
|
|
Python3 version of rst2man is called rst2man-3
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
|
|
Aurelien did a big conversion of raw troff files into .pod docs in a
recent patch. That worked out pretty well, but I have some reservations
about using POD as a canonical format.
While it does make it pretty simple to write manpages, it's sort of an
obscure format, and is heavily associated with perl. Meanwhile, the
kernel is slowly moving to using ReStructured Text as its documentation
format. Given the simplicity of the cifs-utils manpages, I think we're
better suited to using rst as a canonical format, rather than pod.
This patch converts all of the .pod files in the code to .rst files,
and fixes the Makefile and autoconf to use the correct tools to turn
those into manpages.
The conversion was done with the pod2rst script, with some by-hand
modifications at the end to clean up the formatting and add the manual
section numbers. It's not perfect and could probably use a second pass
to clean up the warts in the formatting, but the content is all intact
and it should be readable.
Finally, convert the makefile rules to use standard SUFFIX rules
instead of the non-portable GNU make % style extension rules. We don't
really expect anyone to use anything other than GNU make here, but
this silences an automake warning.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Move all man pages to easily editable POD files and generate troff
source when building.
Previous .in troff file are still preprocessed before final generation
to use configured path (.pod.in -> .pod -> troff). All temporary
files (.pod.in and troff sources) are properly deleted on clean.
Remove all troff file, no need to keep generated copies under source
control.
This commit does not change the content of the man pages but makes
future editing easier.
Adds a new --enable-man/--disable-man configure option to control the
generation and installation of man pages. The option is automatically
enabled if the system supports it. Explicitly enabling it will make the
configure script fail if pod2man is not installed.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
Much of cifs.upcall can and should be run without elevated privileges.
On entry into the program, drop as many capabilities as we can get away
with, and then always drop any remaining caps after calling setuid().
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
We should pass the macros defined in $(DEFS) when building idmapwb.so
and pam_cifscreds.so. The autoconf process sets the macro HAVE_CONFIG_H
using the $(DEFS) variable. This macro has to be defined to allow the
source files to include config.h
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
|
|
Allow the pam module install directory to be set at build time.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Signed-off-by: Orion Poplawski <orion@nwra.com>
|
|
Split out some of the cifscreds key handling routines into a separate
file, and then link that in to both cifscreds and the new PAM module.
Fix up autoconf to handle building this automatically.
Signed-off-by: Orion Poplawski <orion@nwra.com>
|
|
...and clean up references to winbind in various tool manpages.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add routines for the various things that cifs.idmap needs and have it
call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add str_to_sid() functionality to the plugin API and have setcifsacl
use it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently, the ACL-related tools in cifs-utils call into the wbclient
libs directly in order to do their bidding. The wbclient developers want
to get away from needing to configure winbind on the clients and instead
allow sssd to handle the mapping in most cases.
This patch represents an initial step in that direction. It adds a
plugin architecture for cifs-utils, adds wrappers around the calls into
libwbclient that find an idmap plugin library to use and then has it
call into that plugin to do the actual ID mapping.
The application will call into a set of routines that find the correct
plugin and dlopen() it. Currently the plugin is located in a well-known
location that is settable via autoconf. That location is intended to be
a symlink that points to the real plugin (generally under $pkglibdir).
The plugin will export a number of functions with well-known names. The
wrappers find those by using dlsym() and then call them.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
People who want to build a plugin for the idmapping routines will need a
header to describe the data types that they need. Add a cifsidmap.h file
and move the struct cifs_sid definition into it, along with the
constants needed to describe it.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...which is really only mount.cifs.
Cc: Björn Jacke <bj@sernet.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
When I moved the manpages for this to section 1, I missed some references
to them. Also, get rid of the unneeded clean-local-aclprogs makefile target.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
-pie and -fpie enable the building of position-independent executables,
and -Wl,-z,relro turns on read-only relocation support in gcc. These
options are important for security purposes to guard against possible
buffer overflows that lead to exploits.
Follow the example of samba here and enable these by default, but add
configure options that allow people to turn them off at build-time if
necessary.
We may also want to eventually add checks to ensure that the compiler
and linker understand these options, but I'll wait until we have some
evidence that it's needed before I expend the effort.
Reported-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
I think in hindsight, that adding -Werror by default was a mistake.
cifs-utils is built in a wide range of environments and tools, and it's
very difficult to eliminate all of the possible warnings.
Let's go ahead and remove it and reduce the steady trickle of patches
that are simply to silence obscure warnings.
Cc: Suresh Jayaraman <sjayaraman@suse.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...and add -D_FORTIFY_SOURCE=2 to the default $CFLAGS.
Acked-by: Acked-by: Suresh Jayaraman <sjayaraman@suse.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
With the recent patch to fix the warnings in asn1.c, cifs-utils now
builds without any warnings. Ban them henceforth by adding -Werror for
builds.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Use the pkgconfig file that's included with wbclient to perform the test
for wbclient usability, and to set the correct CFLAGS and LDADD.
This is particularly necessary on recent Fedora with samba4 since it
puts the wbclient.h file in a different directory than before.
Also, remove a redundant test for wbclient.h from configure.ac.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...via the $ROOTSBINDIR environment variable, and AC_ARG_VAR macro.
The default is to use /sbin for this value, which only currently
affects the installation location of mount.cifs.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...I'm also including the POD sources here for easier editing, but we
may remove them in the future if it becomes burdensome to keep up 2
copies.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
These binaries don't use keys API at all. There's no need to link in
the keys library.
Reported-by: Frédéric L. W. Meunier <fredlwm@fredlwm.net>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Add a contrib directory, a set of sample /etc/request-key.d files and
a README that explains what they're for. This version sets the path
to the upcall programs based on the configure options.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Andrew Bartlett suggests the heuristic supplied in the comments.
For now, we don't try to guess the domainname when the hostname is not
qualified, but add a comment with what needs to be done in order to
support that.
Also, with this change we no longer need util.o to be linked in.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Move the manpages to section 1 since getcifsacl and setcifsacl are user,
not sysadmin tools. Get rid of the useless sed calls on the manpages.
They don't have any explicit paths in them that need replacing.
Also get rid of the "4.0" in the footers of all the manpages.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Add Makefile directives for setcifsacl.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Add configure directives for option cifsacl. The default action is
to enable cifsacl option.
cifsacl option is enabled or disabled in a similar way to cifs.idmap
in the same function. In addition, for cifsacl, check for sys/xattr.h
is done in the smae .m4 file.
Add directives to build getcifsacl in Makefile.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Create man pages for program cifs.idmap
Enable cifs.idmap config option by default.
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Handle cifs.idmap type of key. Extract a SID string from the description
and map it to either an uid or gid using winbind APIs.
If that fails (e.g. because winbind is not installed/running or winbind
returns an error), kernel assigns uid and gid (from mount superblock).
Enable including winbind header files and idmapping code conditional
to winbind devel rpms (header and library).
An entry such as this
create cifs.idmap * * /usr/sbin/cifs.idmap %k
is needed in the file /etc/request-key.conf.
[Note: Modified to not build new tool by default, and to fix up some
whitespace munging]
Modified-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
|
Fix up some small problems with pathname replacement:
1) replace the bare 'sed' with $(SED)
2) '\@' is apparently not portable, so we need to use a different scheme
in case we end up using a non-typical sed binary.
3) do the sed conversion to a new file and then move it into place. If
sed falls down halfway through the conversion we could end up with
a half-baked manpage.
4) use the $@ construct for brevity and maintainability
5) add a comment so that the rationale behind this is explained
Many thanks to several folks inside Red Hat who pointed out these
issues.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
Currently the manpages (particularly cifs.upcall.8) have hardcoded
paths in them that need to be manually adjusted. Replace those
paths with @sbindir@ and add a makefile target that will use sed
to replace those paths with the ones set by autoconf.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
It is a userspace part of a new infrastructure for stashing passwords
in kernel keyring per user basis. The patch adds the "cifscreds"
utility for management keys with credentials. Assembling of the utility
from the distribution is possible with --enable-cifscreds=yes option of
configure script.
Signed-off-by: Igor Druzhinin <jaxbrigs@gmail.com>
|
|
The resolve_host routine from mount.cifs is carried out in
separate file and appropriate corrections are made.
Signed-off-by: Igor Druzhinin <jaxbrigs@gmail.com>
|
|
...for extra warning goodness.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...use $(foo) instead. That doesn't rely on an explicit AC_SUBST().
Reported-by: Lars Müller <lars@samba.org>
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
...in preference to libcap if it's available.
Signed-off-by: Jeff Layton <jlayton@samba.org>
|
|
mount.cifs is being linked against the krb5 library. Fix it so that
that doesn't happen.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
