Karolin Seeger [Thu, 24 Jan 2013 10:52:15 +0000 (11:52 +0100)]
docs: ldbrename.1.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
99e2a63a0c64de4c3c26e66984a6c542052e97ba)
Karolin Seeger [Thu, 24 Jan 2013 10:51:49 +0000 (11:51 +0100)]
docs: ldbmodify.1.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
25cc400c64958e2e2e2e812a0d34064f1957d0c4)
Karolin Seeger [Thu, 24 Jan 2013 10:51:28 +0000 (11:51 +0100)]
docs: ldbedit.1.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
f585052d888a3bb4f9c81d9a9512eca7f7867c98)
Karolin Seeger [Thu, 24 Jan 2013 10:50:55 +0000 (11:50 +0100)]
docs: ldbdel.1.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
918057bd11e9ed1457cf0119f4c0c1f9c418c566)
Karolin Seeger [Thu, 24 Jan 2013 10:50:26 +0000 (11:50 +0100)]
docs: ldbadd.1.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1d4346d4b7c7afc4f578afb3b8d0e08e36812b39)
Karolin Seeger [Thu, 24 Jan 2013 10:50:00 +0000 (11:50 +0100)]
docs: ldb.3.xml: Correct meta data.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
7d56b9401129c18a948bbd0bb4fea547d4b3a7c4)
Andrew Bartlett [Tue, 22 Jan 2013 03:45:14 +0000 (14:45 +1100)]
gensec: Allow login without a PAC by default (bug #9581)
The sense of this test was inverted. We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
df004b5014b92b987f907047d2ca9f567e3d0ac1)
Matthieu Patou [Wed, 24 Oct 2012 05:09:20 +0000 (22:09 -0700)]
dbcheck: look in hasMasterNCs as well for determining the instance type of a NC
Forests of level 2000 don't have the msDS-hasMasterNCs parameter
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix bug #9565 - Adding additional Samba 4.0 DC to W2k8 srv AD domain (in win200
functional level) produces dbcheck errors.
Andrew Bartlett [Tue, 22 Jan 2013 12:39:15 +0000 (23:39 +1100)]
selftest: Add test of upgradeprovision using the old alpha13 tree
This ensures that upgradeprovision works as expected on a known good old database.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jan 27 11:55:54 CET 2013 on sn-devel-104
(cherry picked from commit
0f8ef5a2c83e0496ef79c3d6f8b1188fdd1943a0)
Stefan Metzmacher [Fri, 25 Jan 2013 08:36:47 +0000 (09:36 +0100)]
samba_upgradeprovision: detect dns_backend for the reference provision
If we have a DomainDnsZone partition, we use BIND9_DLZ as backend
and fix errors in the ForestDnsZone and DomainDnsZone partitions.
Note: this should work fine also for SAMBA_INTERNAL.
If the current setup doesn't use dns specific partitions (e.g. alpha13 setups)
we pass dns_backend=BIND9_FLATFILE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
58d6d884cf8a8de5a1fa2dfd4a0cbacdff0d2483)
Stefan Metzmacher [Fri, 25 Jan 2013 08:36:47 +0000 (09:36 +0100)]
provision: setup names.dns_backend
If we have a DomainDnsZone partition:
- we use BIND9_DLZ as backend if a dns-<netbiosname> account is available
- otherwise, we use SAMBA_INTERNAL
else:
- we use BIND9_FLATFILE if a dns or dns-<netbiosname> account is available
- otherwise, we use NONE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b855df254de40d9de0b7f9042564f6d521ab1c5d)
Stefan Metzmacher [Thu, 13 Dec 2012 11:56:37 +0000 (12:56 +0100)]
samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4752731c2eb4abeb0b5da3e33aa3096786301a19)
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5cf98823cc804906833f7ea763f99de0147b0fee)
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a477649e568577875be577c70a6b25cbeea6985a)
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1de5c2f78544385d2fe270d766fc1ca6726d71fb)
Stefan Metzmacher [Wed, 23 Jan 2013 14:45:33 +0000 (15:45 +0100)]
provision: setup names.name_map['DnsAdmins']
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4775f9ab345072e63d671e83ae2c054fd2f80c3b)
Stefan Metzmacher [Wed, 23 Jan 2013 14:43:54 +0000 (15:43 +0100)]
provision: introduce names.name_map = {}
This will be used to translate names in SDDL values,
which are not well-known, e.g. 'DnsAdmins'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e0712a70f5a437eb60df3cebedbbe1c6c08bd6ae)
Stefan Metzmacher [Wed, 23 Jan 2013 14:55:31 +0000 (15:55 +0100)]
provision: add get_dns_{forest,domain}_microsoft_dns_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ebb73f1c5d577c1d32c5c0519dcf3fb25c578c45)
Stefan Metzmacher [Wed, 23 Jan 2013 14:39:07 +0000 (15:39 +0100)]
provision: add get_config_ntds_quotas_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d00fb6aff2f54b470304d3d77a53328bcbb16851)
Stefan Metzmacher [Wed, 23 Jan 2013 09:51:10 +0000 (10:51 +0100)]
provision: add get_{config,domain}_delete_protected*_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1207cbd123375f0ff1bfc51403af5d611a621091)
Stefan Metzmacher [Wed, 23 Jan 2013 14:53:00 +0000 (15:53 +0100)]
schema.py: add optional name_map={} to get_schema_descriptor()
This is not used, but makes the prototype compatible with the
other get_*_descriptor() functions.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8880c2d0d356e7208ca859e17caf208952af0e17)
Stefan Metzmacher [Wed, 23 Jan 2013 14:51:37 +0000 (15:51 +0100)]
provision: add optional name_map={} argument to get_*_descriptor()
This will allow substituting non-well-known names in the SDDL,
e.g. 'DnsAdmins'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
27a99c6236ab270a592b4e3242f92f8923a3d7e4)
Stefan Metzmacher [Wed, 23 Jan 2013 08:05:36 +0000 (09:05 +0100)]
provision: import/export get_dns_partition_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d4653e99b8be35b6d86605a1c4c624d5db2294b1)
Stefan Metzmacher [Wed, 23 Jan 2013 07:56:00 +0000 (08:56 +0100)]
provision: setup names.dns{forest,domain}dn
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b54b58e75d3c1a3080e81c61156b75ef1d241b71)
Stefan Metzmacher [Wed, 23 Jan 2013 14:24:11 +0000 (15:24 +0100)]
samba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema objects
Without this schema_data_modify() will reject updates to schema objects
by default.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f51248339ae7ba9843e477493a69b0c4f647935a)
Stefan Metzmacher [Wed, 23 Jan 2013 14:23:13 +0000 (15:23 +0100)]
samba_upgradeprovision: don't reset 'whenCreated' when resetting 'nTSecurityDescriptor'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b5cafa3b84e6cca5ca83fbcc0963def7d0c286d5)
Stefan Metzmacher [Sat, 19 Jan 2013 08:41:00 +0000 (09:41 +0100)]
dbchecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)
They inherited effective ACE for the wrong object classes.
For SACL ACEs the problem was also present in 4.0.0.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ec466aa35656764c8a8af724cda692f2302a0c04)
Stefan Metzmacher [Thu, 24 Jan 2013 21:59:26 +0000 (22:59 +0100)]
dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
38655a89cf902d0ea6657415e2f546c7622e279d)
Stefan Metzmacher [Thu, 24 Jan 2013 12:07:32 +0000 (13:07 +0100)]
tests/sec_descriptor: the default owner behavior depends on domainControllerFunctionality (bug #9481)
Not on the domainFunctionality.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cd5cb843b4d698ed2fedf635a020ff978ae40558)
Stefan Metzmacher [Tue, 22 Jan 2013 14:38:07 +0000 (15:38 +0100)]
libcli/security: calculate INHERIT_ONLY correctly for AUDIT and ALARM aces (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2413962d53c7923a453fc7579b24b90bc23173df)
Arvid Requate [Fri, 11 Jan 2013 13:17:06 +0000 (14:17 +0100)]
s4-resolve: Fix parsing of IPv6/AAAA in dns_lookup (bug #9555)
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
bdc172aca541046fd03b2b0cd69e054fe03d3a89)
Andrew Bartlett [Sat, 17 Nov 2012 02:49:00 +0000 (13:49 +1100)]
torture: Fix fsmo test to use correct -H samba-tool syntax
However, the test still does not pass.
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a0faf16ae9aefc4963b2583970509b1b23e27ce1)
The last 3 patches address bug #9461 - FSMO seize of naming role fails:
NT_STATUS_IO_TIMEOUT.
Andrew Bartlett [Mon, 14 Jan 2013 22:56:46 +0000 (09:56 +1100)]
dsdb: Do not hold the transaction over the IRPC call to perform a role transfer
This avoids one samba process locking out another from the DB.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
18d7e5df0eb8fb593e66daf25d142584f44b5b87)
Andrew Bartlett [Tue, 20 Nov 2012 03:59:17 +0000 (14:59 +1100)]
drs-fsmo: Improve handling of FSMO role takeover.
This needs to be more async, and give less scary errors.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
316fd085ad2b587b82d817358240f84ae054a543)
Matthieu Patou [Sun, 14 Oct 2012 08:01:08 +0000 (01:01 -0700)]
libcli-acl: add documentation
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b1e231384a9245a191ef5e004544d7cafe17e036)
The last 44 patches address bug #8909 - ACL problem with delegation of
privileges and deletion of accounts over LDAP interface.
Matthieu Patou [Sun, 14 Oct 2012 08:04:51 +0000 (01:04 -0700)]
drsuapi: Add documentation
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
65396adaad18821568f727a223c38c36a2b16291)
Matthieu Patou [Sat, 13 Oct 2012 22:02:57 +0000 (15:02 -0700)]
security: Add documentation
Names seem to be a bit cryptic and misleading (at least for me).
So documenting them should remove at least partially this problem.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7822952a11707ff8aaa415adef62082c158c2398)
Matthieu Patou [Sat, 13 Oct 2012 22:28:08 +0000 (15:28 -0700)]
libcli-security: Add documentation for object_tree_modify_access
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c0638dae6cbf8915e6a436d575562fc131ba772a)
Matthieu Patou [Sun, 30 Dec 2012 00:43:44 +0000 (16:43 -0800)]
dsdb: Fix warning about unused var
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 21 17:51:16 CET 2013 on sn-devel-104
(cherry picked from commit
abc0030f780b775bf7656b572ee754ebd8079b5d)
Andrew Bartlett [Tue, 1 Jan 2013 22:27:51 +0000 (09:27 +1100)]
dsdb: Explain ordering constraints on the ACL module as well.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c52408f461fb3515cde17eebb458b566fd0a049c)
Andrew Bartlett [Sat, 29 Dec 2012 04:13:54 +0000 (15:13 +1100)]
dsdb: Ensure "authenticated users" is processed for group memberships
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8f078cdf247476fad511bb6d7e00c8654fd26e85)
Andrew Bartlett [Thu, 3 Jan 2013 10:30:12 +0000 (21:30 +1100)]
libcli/security: remove useless if (root->num_of_children > 0) statements
The for loop does this implicitly when comparing for (i = 0; i < root->num_of_children; i++)
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d36c03056fb85dfedbafd3a59497e35db63ade17)
Stefan Metzmacher [Tue, 15 Jan 2013 18:03:00 +0000 (19:03 +0100)]
libcli/security: add init_mask to existing children in insert_in_object_tree
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
853ecd418afe15973d3e8844ad0e01d3d54536d5)
Andrew Bartlett [Thu, 3 Jan 2013 09:40:32 +0000 (20:40 +1100)]
libcli/security: handle node initialisation in one spot in insert_in_object_tree()
This removes special-case for initialising the children array in
insert_in_object_tree(). talloc_realloc() handles the initial allocate
case perfectly well, so there is no need to have this duplicated.
This also restores having just one place where the rest of the elements
are initialised, to ensure uniform behaviour.
To do this, we have to rework insert_in_object_tree to have only one
output variable, both because having both root and new_node as output
variables was too confusing, and because otherwise the two pointers
were being allowed to point at the same memory.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5b4e3de2bb25eeb85d72a886386c853cea3e9468)
Stefan Metzmacher [Wed, 16 Jan 2013 08:49:20 +0000 (09:49 +0100)]
libcli/security: avoid usage of dom_sid_parse_talloc() in sec_access_check_ds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a359aef0837781c42bf9dbcdd069796c72cc94c7)
Stefan Metzmacher [Wed, 16 Jan 2013 09:05:56 +0000 (10:05 +0100)]
libcli/security: simplify get_ace_object_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a3fffde368fa0c6594f7fd5309e0b20d3fa7c68e)
Stefan Metzmacher [Wed, 16 Jan 2013 08:46:48 +0000 (09:46 +0100)]
libcli/security: fix formatting in access_check.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b0f731fc3b96edf91216829bd0dc63bb4269f458)
Stefan Metzmacher [Wed, 16 Jan 2013 08:43:44 +0000 (09:43 +0100)]
libcli/security: fix whitespaces in access_check.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
10a90ce8422ac4ff4461b13a3dd03bbcd9bd2258)
Stefan Metzmacher [Thu, 17 Jan 2013 15:22:09 +0000 (16:22 +0100)]
dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0ebb93708eb377e29eaaf4400c65399d18c229b6)
Stefan Metzmacher [Thu, 17 Jan 2013 15:21:10 +0000 (16:21 +0100)]
dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()
We should only use dsdb_module_check_access_on_dn() on the parent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8f8d97f9fe05b2de1403676a148ab7b90a83812b)
Stefan Metzmacher [Wed, 16 Jan 2013 15:43:14 +0000 (16:43 +0100)]
dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in acl_rename()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8aa855573067418c84f71aa3a20e5f472343851d)
Stefan Metzmacher [Wed, 16 Jan 2013 15:41:51 +0000 (16:41 +0100)]
dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8d31e42eed71e9686b03c496eeff1ff96a6742ea)
Stefan Metzmacher [Wed, 16 Jan 2013 15:36:07 +0000 (16:36 +0100)]
dsdb-acl: remove unused acl_check_access_on_class()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8e47e64f5d73441b6eb13d59001d52ec77c1c7d5)
Stefan Metzmacher [Wed, 16 Jan 2013 15:35:33 +0000 (16:35 +0100)]
dsdb-acl: use acl_check_access_on_objectclass() instead of acl_check_access_on_class()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
34f1a52689f4cc64fb63118e685a4442e3fe187a)
Andrew Bartlett [Wed, 2 Jan 2013 04:01:23 +0000 (15:01 +1100)]
dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
This commit enters the GUID into the object tree so that access
rights assigned to the structural objectClass are also available, as
well as rights assigned to the attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6a4063f30273ff184364f276c5206c3507f37644)
Andrew Bartlett [Wed, 2 Jan 2013 04:01:00 +0000 (15:01 +1100)]
dsdb-acl: Pass the structural objectClass into acl_check_access_on_attribute
This will, when the GUID is entered into the object tree (not in this
commit) ensure that access rights assigned to the structural
objectClass are also available, as well as rights assigned to the
attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e8cc59eb781006c6193249128a1ffc4bcba8f28a)
Andrew Bartlett [Wed, 2 Jan 2013 03:55:36 +0000 (14:55 +1100)]
dsdb-acl: Remove unused get_oc_guid_from_message()
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
93944ea90069df5379993f5c186ffd68e166f1c4)
Andrew Bartlett [Wed, 2 Jan 2013 04:01:00 +0000 (15:01 +1100)]
dsdb-acl: ask for the objectClass attribute if it's not in the scope of the client's search
This will be used later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a1b421e8cca24a5831f4c6d77714cf54faf8c48e)
Andrew Bartlett [Tue, 1 Jan 2013 22:26:15 +0000 (09:26 +1100)]
dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lDAPDisplayName
This uses dsdb_get_last_structural_objectclass(), which encodes this ordering
knowledge in one place in the code, rather than using this uncommented
magic expression:
(char *)oc_el->values[oc_el->num_values-1].data
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6ab41506857814d69d897471a14002d98fb4c172)
Andrew Bartlett [Wed, 2 Jan 2013 03:54:20 +0000 (14:54 +1100)]
dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
730433984c9f3dd30ee0b07dc22af56b4d3a062f)
Andrew Bartlett [Wed, 2 Jan 2013 03:53:02 +0000 (14:53 +1100)]
dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6d7e53aaac8c95f86e1eb8593880ae1c09d973d4)
Stefan Metzmacher [Wed, 16 Jan 2013 15:34:56 +0000 (16:34 +0100)]
dsdb-acl: add acl_check_access_on_objectclass() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
097fae2d1d6ae04a7bfc795803f200b6f703a904)
Andrew Bartlett [Wed, 2 Jan 2013 03:52:21 +0000 (14:52 +1100)]
dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()
This will eventually replace get_oc_guid_from_message(), returning the full dsdb_class.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
74bfec026921fcfc430fb7cfaee44ed75f135a99)
Stefan Metzmacher [Wed, 16 Jan 2013 10:45:46 +0000 (11:45 +0100)]
dsdb-acl: attr is not optional to acl_check_access_on_attribute()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2685a4ed6681b1a20fb26087867737ecbf8fad73)
Stefan Metzmacher [Wed, 16 Jan 2013 15:39:35 +0000 (16:39 +0100)]
dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributes
"clearTextPassword" is the only exception.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d695b8abc7a2e4f7e1853d0c61fe0c03fc786111)
Stefan Metzmacher [Fri, 18 Jan 2013 08:17:25 +0000 (09:17 +0100)]
dsdb-acl: introduce a 'el' helper variable to acl_modify()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ddfb8fe89c493c485250d59868312614c79a9cc1)
Stefan Metzmacher [Fri, 18 Jan 2013 08:17:25 +0000 (09:17 +0100)]
dsdb-acl: introduce a 'msg' helper variable to acl_modify()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
71b856a3f08fbd095833c27c59d7ed382be70d2a)
Stefan Metzmacher [Thu, 17 Jan 2013 13:41:39 +0000 (14:41 +0100)]
dsdb-schema: make sure we build [system]PossibleInferiors completely
Otherwise callers like dsdb_schema_copy_shallow() will corrupt the
talloc hierarchy.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c2853f55fc603d4875bb1e50a1cbf409df0421ea)
Stefan Metzmacher [Thu, 17 Jan 2013 13:40:24 +0000 (14:40 +0100)]
dsdb-schema: make sure we use clean caches in schema_inferiors.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1f673bf9209405dfa2593859bbc45d1c6dc2a960)
Stefan Metzmacher [Thu, 17 Jan 2013 13:14:37 +0000 (14:14 +0100)]
dsdb-schema: make schema_subclasses_order_recurse() static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c4b9ee255814b8121d13e33cd9b0cd7c093d736c)
Stefan Metzmacher [Tue, 8 Jan 2013 14:55:36 +0000 (15:55 +0100)]
dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
acl_check_access_on_attribute should never be called with attr=NULL
because we don't check access on an attribute in that case
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
(cherry picked from commit
6a1025551eb5b343ec996ae0c642d542162e8910)
Stefan Metzmacher [Tue, 8 Jan 2013 14:54:47 +0000 (15:54 +0100)]
dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffective
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit
ccf577da14194f5f3377226bcdb7e69b62a94851)
Stefan Metzmacher [Fri, 4 Jan 2013 15:03:42 +0000 (16:03 +0100)]
libcli/security: don't look at the inherited type in get_ace_object_type()
The inherited_type is only used to decide if aces should be inherited
effectively or not (INHERIT_ONLY) for the specified object.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit
629ce2a1ba392f2e8b632752c583843777471378)
Stefan Metzmacher [Thu, 17 Jan 2013 07:51:23 +0000 (08:51 +0100)]
dsdb-acl: fix the order of special and system checks
First we check for a special dn, then for system access.
All allocations happen after these checks in order to avoid
allocations we won't use.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit
70460605c6132ffbc6be825c24f188674c0ac979)
Matthieu Patou [Sun, 30 Dec 2012 10:27:25 +0000 (02:27 -0800)]
dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user shouldn't see
This fixes frequent reindexing when using a Python script with a
user that is not system.
The reindexing is caused by the ACL module hiding (removing) attributes in
the search request for all attributes in dn=@ATTRIBUTES and because
dsdb_schema_set_indices_and_attributes checks that the list of
attributes that it just calculated from the schema is the same as the
list written in @ATTRIBUTES, if not the list is replaced and a
reindexing is triggered.
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a0c59b4da1c5d8637c92e65c7cf54bb82bc8fca5)
Stefan Metzmacher [Thu, 17 Jan 2013 07:37:58 +0000 (08:37 +0100)]
dsdb-acl: talloc_free the private context when we pass to the next module
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit
961a1fbbbccb7fbb14634ec230985f3fd000b050)
Stefan Metzmacher [Thu, 17 Jan 2013 07:37:12 +0000 (08:37 +0100)]
dsdb-acl: don't call dsdb_user_password_support() if we don't use the result
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit
947985b259ac05e95d65be19c67f384579a797ce)
Andrew Bartlett [Thu, 3 Jan 2013 10:31:22 +0000 (21:31 +1100)]
dsdb-acl: give error string if we can not obtain the schema
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
5812eb3c1deac51891f01338b4771b1e397dc24d)
Günther Deschner [Thu, 17 Jan 2013 23:22:31 +0000 (00:22 +0100)]
BUG 9474: Downgrade v4 printer driver requests to v3.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 21 16:11:02 CET 2013 on sn-devel-104
(cherry picked from commit
58fadf2f48a2a409b4ee98fdc0166c7f801a7629)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Wed Jan 23 10:54:31 CET 2013 on sn-devel-104
Günther Deschner [Mon, 7 Jan 2013 14:14:30 +0000 (15:14 +0100)]
spoolss: add SPOOLSS_DRIVER_VERSION_2012 (4) define to IDL.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
638ed90620e3c6a35ef56a11c612c13d6b7d6ff5)
David Disseldorp [Thu, 17 Jan 2013 12:21:25 +0000 (13:21 +0100)]
BUG 9378: Add extra attributes for AD printer publishing.
Currently attempting to publish a printer in AD fails with "Object class
violation", due to a number of missing attributes in the LDAP request.
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 18 17:27:35 CET 2013 on sn-devel-104
David Disseldorp [Fri, 18 Jan 2013 10:48:20 +0000 (11:48 +0100)]
printing: Remove invalid free from error path.
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 18 Jan 2013 17:04:17 +0000 (18:04 +0100)]
BUG 9574: Fix a possible null pointer dereference in spoolss.
If the client enumerates the printers and didn't specify a
servername we have a null pointer dereference, so the process serving
the connection crashes.
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Jan 21 13:30:11 CET 2013 on sn-devel-104
(cherry picked from commit
c38fb0b106b62e42a5b75b1c78386bb8912c7d7e)
Andreas Schneider [Mon, 17 Dec 2012 14:31:21 +0000 (15:31 +0100)]
s3-rpc_server: Fix a possible null pointer dereference.
This variable can be set to NULL in an earlier function call.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit
72e02c73b64f1ff56b2d53ec63d68486a4f1ff90)
Volker Lendecke [Fri, 11 Jan 2013 09:36:04 +0000 (10:36 +0100)]
samr: Fix bug 9541, make use of posix_openpt
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Jan 21 13:00:07 CET 2013 on sn-devel-104
Volker Lendecke [Fri, 11 Jan 2013 09:31:42 +0000 (10:31 +0100)]
samr: Split up an assignment from an if condition
Michael Adam [Mon, 14 Jan 2013 16:15:08 +0000 (17:15 +0100)]
docs: document the command line options in dbwrap_tool(1)
Related to bug #9568.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
d67911bafc0d098e67c8ad8d9b4bc49f184ff832)
Michael Adam [Mon, 14 Jan 2013 16:08:30 +0000 (17:08 +0100)]
docs: add popt.common.samba.server and popt.common.samba.client entities
These are comprised by the popt.common.samba entity and the stdarg.server.debug
or the stdarg.client.debug entity, respectively.
The difference is only in the default value of the debug level setting.
Related to bug #9568.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
2d30e5deaf731839402b47751683d2c0e32d2bc7)
Michael Adam [Mon, 14 Jan 2013 16:12:51 +0000 (17:12 +0100)]
docs: fix the stdarg.configfile entity to print a "=" sign after the long option
This makes the appearance equal to the other options like --debuglevel or
--log-basename.
Related to bug #9568.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
2ab3a96d262f60d26a8cd16dded3296889ab7f3f)
Michael Adam [Mon, 14 Jan 2013 16:06:03 +0000 (17:06 +0100)]
docs: use the stdarg.option entity in the popt.common.samba entity
Related to bug #9568.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
e3db3db784085bb2fedbf3063154b7cd77630e59)
Michael Adam [Mon, 14 Jan 2013 16:05:05 +0000 (17:05 +0100)]
docs: add an entity stdarg.option for the "--option" command line parameter
Related to bug #9568.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
c9b95eb205abbdb77960eb0419937512358f7e64)
Björn Baumbach [Mon, 15 Oct 2012 15:20:07 +0000 (17:20 +0200)]
build(waf): docs-xml: build new dbwrap_tool.8 manual page (fix bug #9568 [2/2])
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
b7a091ecf48963e2a0d1757d0faf131ad8d940fa)
Björn Baumbach [Mon, 15 Oct 2012 15:17:29 +0000 (17:17 +0200)]
docs-xml: add dbwrap_tool.1 manual page (fix bug #9568 [1/2])
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
8d6104f02d9ab879efe7867fec53cbe5cc408ded)
Ira Cooper [Wed, 16 Jan 2013 19:33:31 +0000 (11:33 -0800)]
nsswitch: Fix two bitfield constants being the same.
WBFLAG_PAM_AUTH_PAC and WBFLAG_BIG_NTLMV2_BLOB
are the same, causing errors in NTLMv2 authentication.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The last 2 patches address bug #9575 - Duplicate flags defined in the winbindd
protocol.
Jeremy Allison [Wed, 16 Jan 2013 19:31:32 +0000 (11:31 -0800)]
Sort winbind request flags. Ira saw we have a duplicate.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@wakeful.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sat, 5 Jan 2013 03:53:13 +0000 (14:53 +1100)]
vfs: Fix compilation of solaris ACL module
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
26bae894f2ae898c51535dda14060ecf4786c6ec)
Fix bug #9564 - error too few arguments in function
`solarisacl_sys_acl_get_file`.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Fri Jan 18 11:25:36 CET 2013 on sn-devel-104
Björn Baumbach [Thu, 20 Dec 2012 09:01:43 +0000 (10:01 +0100)]
wafsamba: use additional xml catalog file (bug #9512)
Add additional "/usr/local/share/xml/catalog" catalog file
platforms (used by FreeBSD).
Fix manual page build on FreeBSD.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
d61d2af3727a19cc4ddc88ec2faa8aafff9c7422)
Björn Baumbach [Tue, 4 Dec 2012 09:54:05 +0000 (10:54 +0100)]
ntlm_auth(1): fix format and make examples visible (bug #9569)
"<example>" is no child of "<para>". So these examples were not visible.
Using a varlist instead may not be the best way but it does look nice.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
cabc89a1e72fc95300d4b6f8d480a7d666221b8b)
Jeremy Allison [Mon, 14 Jan 2013 23:22:11 +0000 (15:22 -0800)]
Fix bug 9550 - sigprocmask does not work on FreeBSD to stop further signals in a signal handler
Mask off signals the correct way from the signal handler.
Signed-off-by: Jeremy Allison <jra@samba.org>
The last 5 patches address bug #9550 - sigprocmask does not work on FreeBSD to
stop further signals in a signal handler.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Thu Jan 17 21:35:23 CET 2013 on sn-devel-104
Jeremy Allison [Mon, 14 Jan 2013 23:21:52 +0000 (15:21 -0800)]
Include sys/ucontext.h if available.
Signed-off-by: Jeremy Allison <jra@samba.org>