samba.git/client, branch talloc-2.0.0 Unnamed repository; edit this file 'description' to name the repository. cifs.upcall: make using ip address conditional on new option 2009-08-26T10:26:02+00:00 Jeff Layton jlayton@redhat.com 2009-08-26T10:26:02+00:00 da99e3a724b493ba47a06d0704b891819ad16647 Igor Mammedov pointed out that reverse resolving an IP address to get the hostname portion of a principal could open a possible attack vector. If an attacker were to gain control of DNS, then he could redirect the mount to a server of his choosing, and fix the reverse resolution to point to a hostname of his choosing (one where he has the key for the corresponding cifs/ or host/ principal). That said, we often trust DNS for other reasons and it can be useful to do so. Make the code that allows trusting DNS to be enabled by adding --trust-dns to the cifs.upcall invocation. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).

That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: switch to getopt_long 2009-08-26T10:15:42+00:00 Jeff Layton jlayton@redhat.com 2009-08-26T10:15:42+00:00 3544e685ade5b331e473c8680d42a748d9389125 ...to allow long option names. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
...to allow long option names.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimiters 2009-08-14T11:59:51+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:51+00:00 19553e1552a57d5b0a9f3514bf64d2580b76a377 Current kernels don't send IPv6 addresses with the colon delimiters, add a routine to add them when they're not present. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Current kernels don't send IPv6 addresses with the colon delimiters, add
a routine to add them when they're not present.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: use ip address passed by kernel to get server's hostname 2009-08-14T11:59:50+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:50+00:00 2f95ccc1e2c7fe8efd341cd6fc5adc402a7a0a18 Instead of using the hostname given by the upcall to get the server's principal, take the IP address given in the upcall and reverse resolve it to a hostname. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Instead of using the hostname given by the upcall to get the server's
principal, take the IP address given in the upcall and reverse resolve
it to a hostname.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: clean up flag handling 2009-08-14T11:59:50+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:50+00:00 acbf026012af1c87b680b8d80ea9e4123e24b91a Add a new stack var to hold the flags returned by the decoder routine so that we don't need to worry so much about preserving "rc". With this, we can drop privs before trying to find the location of the credcache. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Add a new stack var to hold the flags returned by the decoder routine
so that we don't need to worry so much about preserving "rc".

With this, we can drop privs before trying to find the location of
the credcache.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: try getting a "cifs/" principal and fall back to "host/" 2009-08-14T11:59:50+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:50+00:00 b10bdef4e75ffe48d563b2f0825b82519a71c9a7 cifs.upcall takes a "-c" flag that tells the upcall to get a principal in the form of "cifs/hostname.example.com@REALM" instead of "host/hostname.example.com@REALM". This has turned out to be a source of great confusion for users. Instead of requiring this flag, have the upcall try to get a "cifs/" principal first. If that fails, fall back to getting a "host/" principal. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.

Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: declare a structure for holding decoded args 2009-08-14T11:59:49+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:49+00:00 750ceb82390bd490bfd0431d52cd83b11201d548 The argument list for the decoder is becoming rather long. Declare an args structure and use that for holding the args. This also simplifies pointer handling a bit. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
The argument list for the decoder is becoming rather long. Declare an
args structure and use that for holding the args. This also simplifies
pointer handling a bit.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: formatting cleanup 2009-08-14T11:59:49+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:49+00:00 685fdc33d705b0d5cbb43f16cdcb2dccd85a652e Clean up some unneeded curly braces, and fix some indentation. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Clean up some unneeded curly braces, and fix some indentation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
cifs.upcall: clean up logging and add debug messages 2009-08-14T11:59:49+00:00 Jeff Layton jlayton@redhat.com 2009-08-14T11:59:49+00:00 378a2d9aa5e538144083ff53578af6105cd296c9 Change the log levels to be more appropriate to the messages being logged. Error messages should be LOG_ERR and not LOG_WARNING, for instance. Add some LOG_DEBUG messages that we can use to diagnose problems with krb5 upcalls. With these, someone can set up syslog to log daemon.debug and should be able to get more info when things aren't working. Signed-off-by: Jeff Layton <jlayton@redhat.com> 
Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.

Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
umount.cifs: do not attempt to update /etc/mtab if it is symbolic link 2009-07-27T16:02:35+00:00 Shirish Pargaonkar shirishpargaonkar@gmail.com 2009-07-27T16:02:35+00:00 a869e4253a87f9a5e13dbe87b2799f8683d238d7 If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it. This is a fix for a bug reported in 4675 on samba bugzilla Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> 
If /etc/mtab is a symbolic link to e.g. /proc/mounts, do not update it.

This is a fix for a bug reported in 4675 on samba bugzilla

Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>