samba.git
Michael Adam [Mon, 3 Dec 2012 07:34:43 +0000 (08:34 +0100)]
s3:passdb: don't look into group mappings in legacy_sid_to_unixid()

The backends (tdbsam and ldapsam) do this.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 93c0c0749a2c3cbb1bc85e18b7dd77989a3eada8)

Michael Adam [Mon, 3 Dec 2012 00:44:49 +0000 (01:44 +0100)]
s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5fbdc5f35a122ff040c6120e2aa2cf5485e32097)

Michael Adam [Mon, 3 Dec 2012 00:42:38 +0000 (01:42 +0100)]
s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()

instead of sid_check_sid_is_in_our_sam(). This allows for builtin sids,
wellknown sids and "Unix User" and "Unix Group" domains.

This broadens the check moved here in commit
02e25b2a43ae02205a3412f862a1482d24b70aa4.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a0f41294488fcf4c9dbe5e85be6539394b6d6d1a)

Michael Adam [Mon, 3 Dec 2012 00:40:37 +0000 (01:40 +0100)]
s3:passdb: add sid_check_object_is_for_passdb()

Variant of sid_check_is_for_passdb() that only checks for objects
in the various domains, not for the domain sids themselves.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 671f534e5e02adafe945a4e77813e80b5adaeb70)

Michael Adam [Mon, 3 Dec 2012 00:34:32 +0000 (01:34 +0100)]
s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()

The special treatment of the "Unix User" and "Unix Group" pseudo domains
can be reused.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d96aeded6193cb6381540c1073182bfb7f079025)

Michael Adam [Thu, 22 Nov 2012 22:12:19 +0000 (23:12 +0100)]
s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam

This code treats the own sam, builtin, wellknown, and sids from the
"Unix User" and "Unix Group" pseudo-domains.

This reverts part of commit 02e25b2a43ae02205a3412f862a1482d24b70aa4.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ef0ed56eb15f24db5934f174f90f65d3f5c3c526)

Michael Adam [Fri, 30 Nov 2012 15:27:59 +0000 (16:27 +0100)]
s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()

This is more correct than the original one:
It also hands the wellknown and "Unix Users" and "Unix Groups" sids to passdb
for id mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2d3f7e31411cc63d5c83337f7280fcd6d2330282)

Michael Adam [Fri, 30 Nov 2012 15:26:28 +0000 (16:26 +0100)]
build the new sid_check_is_for_passdb() function into passdb

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 845a14210729c6a4c39a65be00e2f8b19fc13ec0)

Michael Adam [Fri, 30 Nov 2012 11:27:00 +0000 (12:27 +0100)]
s3:lib: add utility function sid_check_is_for_passdb()

This function checks whether the given sid should be treated
by passdb (e.g. for id mapping).

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fecdf48aaf514e6cda5cd0412d7407319a3ff89f)

Michael Adam [Fri, 30 Nov 2012 14:27:15 +0000 (15:27 +0100)]
s3:winbindd: remove unused function idmap_backends_sid_to_unixid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e3ee3971403c7dac4e8e3578a60973b97451af68)

Michael Adam [Tue, 27 Nov 2012 11:08:33 +0000 (12:08 +0100)]
s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with empty cache

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7f2f29647a5d5906db5a267f614f30607d9162e3)

Michael Adam [Tue, 27 Nov 2012 21:43:04 +0000 (22:43 +0100)]
s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25018d8ae6de32a2a51168a30788545646fddcae)

Michael Adam [Mon, 15 Oct 2012 14:34:02 +0000 (16:34 +0200)]
s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping

This is to remove problems with the same unix-id being used both
as a uid and a gid.

The autorid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.

This patch lets the autorid backend always create sid->id mappings of type both.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a1411a884c5361bb8b090695236724cd25857269)

Michael Adam [Mon, 15 Oct 2012 14:32:25 +0000 (16:32 +0200)]
s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping

This is to remove problems with the same unix-id being used both
as a uid and a gid.

The rid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.

This patch lets the rid backend always create sid->id mappings of type both.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 55607f0f334ca5d72f35eb6b259db5283b35e86a)

Michael Adam [Fri, 23 Nov 2012 16:53:39 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_gid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c408126b47b0ce496a8b2293a8481d439b4234cf)

Michael Adam [Fri, 23 Nov 2012 16:53:04 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_uid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5f7a3720036c422142774ce49147328dc784fec8)

Michael Adam [Fri, 23 Nov 2012 16:50:50 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Gid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b47be53a1f68735b1a95d57781eaf9beea68481b)

Michael Adam [Fri, 23 Nov 2012 16:50:11 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Uid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c927ff4b3641e10369f9e17b20d92d3148f55633)

Michael Adam [Fri, 23 Nov 2012 16:49:09 +0000 (17:49 +0100)]
s3:winbindd: remove wbint_Sid2Gid from the wbint.idl

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit aa771618718378bc3449b1caa78d1d942ff937c4)

Michael Adam [Fri, 23 Nov 2012 16:48:36 +0000 (17:48 +0100)]
s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8b73556e3f583af0a073a743f4973967aa5ad004)

Michael Adam [Fri, 23 Nov 2012 16:05:01 +0000 (17:05 +0100)]
s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit de2cf94719fa07847b9c1b8149144bb1e36ba403)

Michael Adam [Fri, 23 Nov 2012 15:54:36 +0000 (16:54 +0100)]
s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5e746768c8adf77551d7904f8534372f88475675)

Michael Adam [Fri, 23 Nov 2012 15:44:41 +0000 (16:44 +0100)]
s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eb0fca9b7b06a2aebce0da3031b1af313f0c8081)

Michael Adam [Fri, 23 Nov 2012 15:40:48 +0000 (16:40 +0100)]
s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id

We can optimize this later and just do one wb_sids2xids_send/recv call.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 55ea9210e9b9cbb5a8b4633f492920af7eda77ab)

Michael Adam [Fri, 23 Nov 2012 00:35:30 +0000 (01:35 +0100)]
selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd

Note that in order to create a local group (alias), the id-allocator of
id-mapping is needed, so this can only work if winbindd is running.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 46f2dfa7a51487e1b21c329dfb2e4cac3e6ada11)

Michael Adam [Thu, 22 Nov 2012 23:18:44 +0000 (00:18 +0100)]
selftest:Samba3: add "wbinfo -p" test to wait_for_start()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 11ca06338670c3aa1ad6928232f2c582116f42e8)

Michael Adam [Thu, 22 Nov 2012 23:09:43 +0000 (00:09 +0100)]
selftest:Samba3: add nmbd, winbindd, smbd arguments to wait_for_start()

to make checks conditional

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5b975ce78cc77bd9ff39e2ec0c2e7d674bf61ebe)

Michael Adam [Thu, 22 Nov 2012 23:02:33 +0000 (00:02 +0100)]
selftest:Samba3: call wait_for_start() from check_or_start()

...instead of calling the two one after another each time.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f7dca55224af2cb2ac172831755246f5c9b04e0f)

Michael Adam [Tue, 27 Nov 2012 00:11:16 +0000 (01:11 +0100)]
s3:winbindd: make idmap_find_domain() static.

idmap_find_domain_with_sid() should be used instead

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4210e08109d9bc24168740f5a8a52953c532df4a)

Michael Adam [Sun, 25 Nov 2012 01:13:15 +0000 (02:13 +0100)]
s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()

This is the way the singular calls work and how they should (currently) work.
The two code paths need to give the same results. It is important to use
the passdb backend, otherwise groups don't work.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 27f88ba2deeec8b5b0a72ef97ae84c1016532a3c)

Michael Adam [Thu, 22 Nov 2012 17:16:31 +0000 (18:16 +0100)]
s3:winbindd: add idmap_find_domain_with_sid()

This will return the passdb domain if the given sid is in our sam or builtin
or is the domain sid of those domains. Otherwise it returns the idmap domain
that results from the idmap configuration.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 370d62578dd171c6f898f4868f382cdddb908bcf)
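The routing that idmap_find_domain_with_sid() and the sid_check_is_for_passdb() / sid_check_object_is_for_passdb() helpers from this series implement, as an added Python model that is not Samba's code. The BUILTIN (S-1-5-32), Unix Users (S-1-22-1) and Unix Groups (S-1-22-2) SIDs are the real well-known values; WELLKNOWN_DOMAINS is a simplified stand-in for Samba's table of special authorities; the own domain SID, the trust table and the idmap configuration are constructed samples standing in for "idmap config" lines in smb.conf.

```python
"""Model of the SID routing introduced by sid_check_is_for_passdb() and
idmap_find_domain_with_sid(). Added illustration only, not Samba's code."""

OUR_DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # constructed own domain
SID_BUILTIN = "S-1-5-32"
SID_UNIX_USERS = "S-1-22-1"
SID_UNIX_GROUPS = "S-1-22-2"
# Simplified list: S-1-1 (Everyone), S-1-3 (Creator Owner), S-1-5 (NT Authority).
WELLKNOWN_DOMAINS = ("S-1-1", "S-1-3", "S-1-5")

# Constructed trust table (domain SID -> name) and idmap configuration,
# standing in for "idmap config <DOMAIN> : backend" lines in smb.conf.
TRUSTED_DOMAINS = {"S-1-5-21-9999-8888-7777": "TRUSTED"}
IDMAP_CONFIG = {"TRUSTED": "rid", "*": "tdb"}

PASSDB_DOMAINS = (OUR_DOMAIN_SID, SID_BUILTIN, SID_UNIX_USERS,
                  SID_UNIX_GROUPS) + WELLKNOWN_DOMAINS


def sid_parent(sid):
    """Drop the last sub-authority (the RID): S-1-5-32-544 -> S-1-5-32."""
    head, _sep, _rid = sid.rpartition("-")
    return head


def sid_is_object_in(sid, domain):
    """True if sid names an object inside domain; the domain SID itself
    is not an object of its own domain."""
    return sid != domain and sid_parent(sid) == domain


def sid_check_object_is_for_passdb(sid):
    """Objects in the passdb-handled domains only (own sam, BUILTIN,
    Unix User/Group pseudo-domains, well-known authorities), never the
    domain SIDs themselves. This is the pre-check pdb_ldap's sid_to_id()
    performs before touching the directory."""
    return any(sid_is_object_in(sid, dom) for dom in PASSDB_DOMAINS)


def sid_check_is_for_passdb(sid):
    """The broader variant: objects as above plus the domain SIDs."""
    return sid in PASSDB_DOMAINS or sid_check_object_is_for_passdb(sid)


def idmap_find_domain_with_sid(sid):
    """Return who owns the id mapping for sid: "passdb" when
    sid_check_is_for_passdb() accepts it, otherwise the idmap backend
    configured for the SID's domain, falling back to the "*" default."""
    if sid_check_is_for_passdb(sid):
        return "passdb"
    name = TRUSTED_DOMAINS.get(sid_parent(sid), "*")
    return IDMAP_CONFIG.get(name, IDMAP_CONFIG["*"])


if __name__ == "__main__":
    for sid in (OUR_DOMAIN_SID + "-512", OUR_DOMAIN_SID, "S-1-5-32-545",
                "S-1-22-1-1000", "S-1-5-18", "S-1-5-21-9999-8888-7777-1106"):
        print(sid, sid_check_object_is_for_passdb(sid),
              sid_check_is_for_passdb(sid), idmap_find_domain_with_sid(sid))
```

The point of the two variants: a backend that resolves objects (ldapsam, tdbsam) wants the object-only check so that the domain SID itself is rejected up front, while the winbindd router wants the broader check so that every SID passdb is responsible for, including the domain SIDs and the "Unix User"/"Unix Group" pseudo-domains, never reaches a configured idmap backend.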

Michael Adam [Thu, 22 Nov 2012 15:21:53 +0000 (16:21 +0100)]
s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 150cfb4b97e2ee67ec1fa8fc379ac03d42002da9)

Michael Adam [Tue, 20 Nov 2012 15:48:23 +0000 (16:48 +0100)]
selftest:Samba3: provision the domain administrators group in the s3 environments

I discovered that this sid / mapping is missing by working with the Sids2Uids
code and test. I even wonder why this test could succeed prior to my pending
changes to the winbindd sids-to-xids code, for example against the s3:local
environment, since the test tries to map the sid <domsid>-512.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ee17a516c82acbdf347c2a47e7003b6a7fb879de)

Michael Adam [Sun, 18 Nov 2012 12:51:13 +0000 (13:51 +0100)]
s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child

This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 28e7d73bdcdf1a3d588e92eee982ff01db53d65d)

Michael Adam [Sun, 18 Nov 2012 18:58:07 +0000 (19:58 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit da8d0263806260fdb4973f22fc874710bd490421)

Michael Adam [Sun, 18 Nov 2012 18:29:37 +0000 (19:29 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 75a752473f932f84d15ba043c9b9167db10dd572)

Michael Adam [Sat, 17 Nov 2012 12:10:26 +0000 (13:10 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid

The main purpose of the change is to hand the sid into the
idmap backend and hand responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.

Hence backends like rid who are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type GID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3e7f04b70f89d528aacfdc420b635d8aff0f4af6)

Michael Adam [Sat, 17 Nov 2012 12:04:41 +0000 (13:04 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid

The main purpose of the change is to hand the sid into the
idmap backend and hand responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.

Hence backends like rid who are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7637c93472492f1bfd7bf46b8f855ef4818c75a9)
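The cache-dependent behaviour described in the idmap_rid / idmap_autorid commits above (a type-agnostic backend primes the cache with one type, the cold path asks for the SID's real type) and the UID-or-BOTH / GID-or-BOTH filter described in the two winbindd_sid_to_uid / winbindd_sid_to_gid commits, as an added Python model that is not Samba's code. The domain SID, the idmap range and the BASE_RID are constructed, the idmap cache is reduced to a sid -> (id, type) dictionary, and the model deliberately has no lookupsids step: the caller passes in the type that LookupSids would have reported.

```python
"""Model of the sid->unix-id inconsistency that forcing ID_TYPE_BOTH in
idmap_rid/idmap_autorid removes. Added illustration only, not Samba's code."""

from enum import Enum


class IdType(Enum):
    UID = 1
    GID = 2
    BOTH = 3


DOMAIN_SID = "S-1-5-21-1111-2222-3333"             # constructed
RANGE_LOW, RANGE_HIGH, BASE_RID = 10000, 19999, 0  # constructed "idmap config" values


class RidIdmap:
    """Toy idmap_rid: id = range_low + rid - base_rid, in both directions.
    force_both=True is the fixed behaviour (the backend always reports
    ID_TYPE_BOTH); False echoes the type it was asked for."""

    def __init__(self, force_both):
        self.force_both = force_both
        self.cache = {}   # sid -> (unix id, IdType); primed by both directions

    def _type(self, requested):
        return IdType.BOTH if self.force_both else requested

    def unixid_to_sid(self, unix_id, idtype):
        """Number -> SID. The backend is type agnostic: uid 11105 and gid
        11105 both map to the same SID, and the lookup primes the cache."""
        if not RANGE_LOW <= unix_id <= RANGE_HIGH:
            return None
        sid = f"{DOMAIN_SID}-{unix_id - RANGE_LOW + BASE_RID}"
        self.cache[sid] = (unix_id, self._type(idtype))
        return sid

    def sid_to_unixid(self, sid, sid_type):
        """SID -> (id, type). sid_type is what LookupSids said the SID is,
        which is what winbindd asks the backend for when the cache is cold."""
        if sid in self.cache:
            return self.cache[sid]
        domain, _sep, rid = sid.rpartition("-")
        if domain != DOMAIN_SID or not rid.isdigit():
            return None
        unix_id = RANGE_LOW + int(rid) - BASE_RID
        if not RANGE_LOW <= unix_id <= RANGE_HIGH:
            return None
        self.cache[sid] = (unix_id, self._type(sid_type))
        return self.cache[sid]


def sid_to_gid(idmap, sid, sid_type):
    """winbindd_sid_to_gid after the change: go through sids2xids and then
    filter for GID or the more general BOTH."""
    res = idmap.sid_to_unixid(sid, sid_type)
    return res[0] if res and res[1] in (IdType.GID, IdType.BOTH) else None


def sid_to_uid(idmap, sid, sid_type):
    """winbindd_sid_to_uid: same, filtering for UID or BOTH."""
    res = idmap.sid_to_unixid(sid, sid_type)
    return res[0] if res and res[1] in (IdType.UID, IdType.BOTH) else None


def gid_for_user_sid(force_both):
    """Ask for a gid of a *user* SID twice: once with an empty cache and once
    after a gid->sid lookup primed the cache. Returns (cold, warm); the two
    must agree for id mapping to be deterministic."""
    user_sid = f"{DOMAIN_SID}-1105"
    cold = RidIdmap(force_both)
    cold_gid = sid_to_gid(cold, user_sid, IdType.UID)
    warm = RidIdmap(force_both)
    assert warm.unixid_to_sid(11105, IdType.GID) == user_sid  # primes cache as GID
    warm_gid = sid_to_gid(warm, user_sid, IdType.UID)
    return cold_gid, warm_gid


if __name__ == "__main__":
    print("before fix (cold, warm):", gid_for_user_sid(False))
    print("after fix  (cold, warm):", gid_for_user_sid(True))
```

Without the fix the cold path refuses the gid (the SID is a user) while the warm path hands it out from the cache entry a gid->sid lookup left behind; with ID_TYPE_BOTH both paths return the same number and the UID/GID filter in the singular calls becomes a pure type check. On a live system the equivalent check is to compare `wbinfo --sid-to-uid` / `wbinfo --sid-to-gid` output right after `net cache flush` with the output once the cache is warm, which is what the test_wbinfo_sids2xids.sh change in this series automates.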

Michael Adam [Sat, 17 Nov 2012 01:30:07 +0000 (02:30 +0100)]
s3:winbindd: factor winbindd_sids_to_xids into external and internal part

- external part takes winbindd request/response structs (with sid strings)
- internal part takes sid lists

The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.

The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8e5ce1e2d53f36fd35eb8efad7da680dcf0b1ce1)

Michael Adam [Fri, 16 Nov 2012 16:49:25 +0000 (17:49 +0100)]
s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c58c68d5ba58855098d24c54db9c0cda19db0f4b)

Michael Adam [Fri, 9 Nov 2012 15:09:59 +0000 (16:09 +0100)]
s3:winbindd: add explaining comment to winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 349b9ac05242f87fa5afcc06c72ccc02bdb05d8b)

Michael Adam [Fri, 9 Nov 2012 13:09:10 +0000 (14:09 +0100)]
s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()

for readability

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit be033a1d165f815bbddceda46384be1f9c0c2b7f)

Michael Adam [Fri, 9 Nov 2012 12:54:20 +0000 (13:54 +0100)]
s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b435e668aa8b2805cd94bde37b9ddf6a7ad335f8)

Michael Adam [Fri, 9 Nov 2012 10:32:47 +0000 (11:32 +0100)]
s3:winbindd:util: add a comment explaining the function parse_sidlist()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3f0c31fbd388986d636b5701f66ed7b215a1b903)

Christian Ambach [Sun, 23 Sep 2012 03:44:41 +0000 (20:44 -0700)]
s3:winbindd fix a compiler warning

about type potentially being used uninitialized

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Sep 24 03:49:53 CEST 2012 on sn-devel-104
(cherry picked from commit f767059911460c0944d5e9289148a0776aeb97e5)

Christian Ambach [Sat, 22 Sep 2012 20:32:00 +0000 (13:32 -0700)]
s3:winbindd fix a compiler warning

about result being potentially uninitialized
(cherry picked from commit 1b5256c184ec378783e6219b34b5a3e512c4df99)

Michael Adam [Wed, 19 Sep 2012 00:57:37 +0000 (02:57 +0200)]
s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"

in idmap_tdb_common_sids_to_unixids()
(cherry picked from commit 38994f6ff34316ad08961f62a1f57429f7968e70)

Michael Adam [Wed, 19 Sep 2012 00:57:37 +0000 (02:57 +0200)]
s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"

in idmap_tdb_common_unixids_to_sids()
(cherry picked from commit d1de2b4d3999dda96df9156da30a239af3b2b88e)

Volker Lendecke [Tue, 18 Sep 2012 22:31:26 +0000 (15:31 -0700)]
s3: Fix idmap_hash

Calling be_init with NULL safely crashes, because we dereference NULL. We
don't need to call it here, this is called in all workers anyway. Thanks
to Jiri Sasek <jiri.sasek@oracle.com> for finding this.

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 20 05:03:54 CEST 2012 on sn-devel-104
(cherry picked from commit 03055af9b2af8a5a1c23946369a21d6437cf1b8c)

Stefan Metzmacher [Sat, 1 Dec 2012 14:10:38 +0000 (15:10 +0100)]
s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags

A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out elements which will be ignored depending on
the sd_flags and may set the old owner/group sids. Otherwise
the calculation of the DACL/SACL can replace CREATOR_OWNER with
the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 8ababf4367eb4faaeeda6cf66191aaf66a3a69da)

The last 33 patches address bug #8621 - ACL are not recalculated if parent is
changed and inherit is enabled.
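The sd_flags handling that the descriptor commit above describes, as an added Python model that is not Samba's dsdb code. SECINFO_OWNER/GROUP/DACL/SACL and the CREATOR_OWNER (S-1-3-0) / CREATOR_GROUP (S-1-3-1) SIDs are the real Windows values; the account SIDs, the stored descriptor and the inheritable ACE are constructed, a security descriptor is reduced to a dict with owner, group, DACL and SACL, and the model isolates the one thing the commit changes: which parts of the client-supplied descriptor are consulted while the DACL is calculated.

```python
"""Model of NULLing out ignored security_descriptor elements by sd_flags
before CREATOR_OWNER resolution. Added illustration only, not Samba's code."""

SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL = 0x1, 0x2, 0x4, 0x8
SID_CREATOR_OWNER = "S-1-3-0"
SID_CREATOR_GROUP = "S-1-3-1"

# Constructed sample: an object owned by Administrator, a parent whose
# inheritable ACE grants full control to CREATOR_OWNER, and a client that
# is only changing the DACL.
ADMIN = "S-1-5-21-1111-2222-3333-500"
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"
CLIENT = "S-1-5-21-1111-2222-3333-1105"
STORED_SD = {"owner": ADMIN, "group": DOMAIN_ADMINS, "dacl": [], "sacl": []}
INHERITED_ACES = [{"trustee": SID_CREATOR_OWNER, "mask": "FULL_CONTROL"}]


def null_ignored_elements(user_sd, sd_flags):
    """Keep only the parts of the client's descriptor that sd_flags says
    the client is modifying; everything else becomes None."""
    flags = {"owner": SECINFO_OWNER, "group": SECINFO_GROUP,
             "dacl": SECINFO_DACL, "sacl": SECINFO_SACL}
    return {k: user_sd.get(k) if sd_flags & flag else None
            for k, flag in flags.items()}


def resolve_creator_aces(aces, owner, group):
    """Inherited CREATOR_OWNER / CREATOR_GROUP ACEs are materialised for
    the object's effective owner and group."""
    out = []
    for ace in aces:
        trustee = ace["trustee"]
        if trustee == SID_CREATOR_OWNER:
            trustee = owner
        elif trustee == SID_CREATOR_GROUP:
            trustee = group
        out.append({"trustee": trustee, "mask": ace["mask"]})
    return out


def descriptor_modify(stored_sd, user_sd, sd_flags, inherited_aces,
                      null_ignored=True):
    """Compute the descriptor written back. null_ignored=False reproduces
    the behaviour before the change: the client's owner/group fields feed
    the DACL calculation even though sd_flags excludes them."""
    if null_ignored:
        user_sd = null_ignored_elements(user_sd, sd_flags)
    # Values used while computing the DACL: client-supplied where present,
    # otherwise the stored descriptor ("may set the old owner/group sids").
    owner = user_sd.get("owner") or stored_sd["owner"]
    group = user_sd.get("group") or stored_sd["group"]
    dacl = user_sd.get("dacl") if user_sd.get("dacl") is not None else stored_sd["dacl"]
    return {
        # Owner/group are only persisted when sd_flags names them.
        "owner": owner if sd_flags & SECINFO_OWNER else stored_sd["owner"],
        "group": group if sd_flags & SECINFO_GROUP else stored_sd["group"],
        "dacl": resolve_creator_aces(list(dacl) + list(inherited_aces), owner, group),
        "sacl": user_sd.get("sacl") if sd_flags & SECINFO_SACL else stored_sd["sacl"],
    }


def dacl_trustees(sd):
    """Trustees of the computed DACL, in order, for inspection."""
    return [ace["trustee"] for ace in sd["dacl"]]


def dacl_only_update(null_ignored):
    """A client sends a full descriptor with its own SID as owner but sets
    sd_flags = SECINFO_DACL. Return the resulting descriptor."""
    user_sd = {"owner": CLIENT, "group": CLIENT,
               "dacl": [{"trustee": CLIENT, "mask": "READ"}], "sacl": []}
    return descriptor_modify(STORED_SD, user_sd, SECINFO_DACL, INHERITED_ACES,
                             null_ignored=null_ignored)


if __name__ == "__main__":
    print("fixed :", dacl_trustees(dacl_only_update(True)))
    print("before:", dacl_trustees(dacl_only_update(False)))
```

In the pre-change path the persisted owner stays Administrator, but the inherited CREATOR_OWNER ACE is resolved against the owner field the client sent with a DACL-only sd_flags, so the materialised full-control ACE names the client's SID. With the ignored elements NULLed out the same ACE resolves to the stored owner, and an owner change only takes effect when the client asks for it with SECINFO_OWNER.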

Stefan Metzmacher [Fri, 16 Nov 2012 11:51:44 +0000 (12:51 +0100)]
s4:dsdb/tests: add SdAutoInheritTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104
(cherry picked from commit 057c56ac2443abffbe169b06a72a93f41096fb67)

Stefan Metzmacher [Fri, 23 Nov 2012 16:10:38 +0000 (17:10 +0100)]
s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes

We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit d31742641fb117e4249dcc317dac662bb5e1a690)

Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit fb2a41d9453d94860104b7b96a75bf8fa96996d6)

Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit f8c0ad65ad783b3c82ec8ab120d18ad454fe2665)

Stefan Metzmacher [Fri, 23 Nov 2012 15:46:51 +0000 (16:46 +0100)]
s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit dae1b0d85207040fed873d4232a45206b0162f53)

Stefan Metzmacher [Fri, 23 Nov 2012 14:55:24 +0000 (15:55 +0100)]
s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit d6962f40caad861c7d240d80bd04070989c85a73)

Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 2101400af2e5e1b72a5d51e83f005f62bec1f482)

Stefan Metzmacher [Fri, 23 Nov 2012 09:45:02 +0000 (10:45 +0100)]
s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

This can only be triggered by ourselves, that's why we expect
control->data == module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit ddea8564901f5aa1a25cd84713bf86a2ce95bc07)

Stefan Metzmacher [Wed, 21 Nov 2012 15:12:54 +0000 (16:12 +0100)]
s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 1be4dbc0ca732bd2c35b6108331120a3f1a54ada)

Stefan Metzmacher [Fri, 23 Nov 2012 10:18:05 +0000 (11:18 +0100)]
s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

The propagation of nTSecurityDescriptor doesn't change the
replPropertyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 7f42a8b7b667c6a704ecd7bce1630971eb3f1e8c)

Stefan Metzmacher [Sat, 24 Nov 2012 14:25:06 +0000 (15:25 +0100)]
s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit cb9c7ee79b2f4e8c875bd15c1fddee90648eec19)

Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 60f0e172e3ce182324c4573fc05197ba241def89)

Stefan Metzmacher [Sat, 24 Nov 2012 09:16:45 +0000 (10:16 +0100)]
s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 7f88ad3efce5bc14de49b3d73a5dcb19499e1342)

Stefan Metzmacher [Sat, 24 Nov 2012 09:14:59 +0000 (10:14 +0100)]
s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 5dd4555f391d841b276e53e70eedde36f5190cdd)

Stefan Metzmacher [Sat, 24 Nov 2012 09:04:39 +0000 (10:04 +0100)]
s4:dsdb/subtree_delete: do an early return and avoid some nesting

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 60192fd1004015b50e208b3da6a07bd67f9d7990)

Stefan Metzmacher [Sat, 24 Nov 2012 22:21:10 +0000 (23:21 +0100)]
s4:dsdb/objectclass: do not pass the caller's controls on helper searches

We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit ff274bafeb223c7440f4d97e2225b954b1031259)

Stefan Metzmacher [Sat, 24 Nov 2012 09:06:13 +0000 (10:06 +0100)]
s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 5838637b4218ecf88e7a650610da3be1a5a518c9)

Stefan Metzmacher [Sat, 24 Nov 2012 08:20:37 +0000 (09:20 +0100)]
s4:dsdb/dirsync: remove unused 'deletedattr' variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 60c29a51a062640bf23c85d0d2f650d35a9ab59c)

Stefan Metzmacher [Sat, 24 Nov 2012 08:19:52 +0000 (09:19 +0100)]
s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit ffaf9bb98b5322cca31ef6a43f8c27ca4e5fe42e)

11 years ago  s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX
Stefan Metzmacher [Sat, 24 Nov 2012 08:17:27 +0000 (09:17 +0100)]
s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX

See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 0c2c00e4b9afd72b4f4052e6b19e40096fd1e44c)

11 years ago  s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes
Stefan Metzmacher [Sat, 24 Nov 2012 08:15:24 +0000 (09:15 +0100)]
s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes

The @KLUDGEACL record might not be up to date.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit b54d268e2042f36bc670cf8f4f33cddd957e1d34)

11 years ago  s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify
Stefan Metzmacher [Fri, 23 Nov 2012 09:58:49 +0000 (10:58 +0100)]
s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit f67f469ce101e48301de790b5c31f8d4e712e0ea)

11 years ago  s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescr...
Stefan Metzmacher [Fri, 23 Nov 2012 08:55:17 +0000 (09:55 +0100)]
s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 5aa7dbe546ff18e521e72c0af713a2509201e00d)

11 years ago  s4:dsdb/descriptor: remove some nesting from descriptor_modify
Stefan Metzmacher [Fri, 23 Nov 2012 08:31:05 +0000 (09:31 +0100)]
s4:dsdb/descriptor: remove some nesting from descriptor_modify

If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 4ef36fda681409bf7050adb98bb4b3d574bc01a9)

11 years ago  s4:dsdb/descriptor: remove some unnecessary nesting
Stefan Metzmacher [Fri, 23 Nov 2012 08:20:50 +0000 (09:20 +0100)]
s4:dsdb/descriptor: remove some unnecessary nesting

sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 8d60ac19ed0bc70ec3763614147465c04f28e286)

11 years ago  s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}
Stefan Metzmacher [Fri, 23 Nov 2012 08:19:11 +0000 (09:19 +0100)]
s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 813492676c5b876d309bb2db12c794c513fab5c7)

11 years ago  s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID
Stefan Metzmacher [Fri, 23 Nov 2012 08:15:25 +0000 (09:15 +0100)]
s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit b3486f4e1a2108bd3af7ce760c8410a560c5237d)

11 years ago  s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify...
Stefan Metzmacher [Fri, 23 Nov 2012 06:18:35 +0000 (07:18 +0100)]
s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 74e3f0ea0aa0352bf15e92c70256fa9b4d291cd9)

11 years ago  s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd
Stefan Metzmacher [Thu, 22 Nov 2012 15:22:30 +0000 (16:22 +0100)]
s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd

The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 4136d969cab5d4690f00c855bd98dc01253d73d9)

11 years ago  s4:provision: add get_empty_descriptor()
Stefan Metzmacher [Thu, 22 Nov 2012 13:09:34 +0000 (14:09 +0100)]
s4:provision: add get_empty_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 118db4ca11bec17b8f5955f188c07f154b85c87b)

11 years ago  s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one
Stefan Metzmacher [Thu, 22 Nov 2012 14:53:14 +0000 (15:53 +0100)]
s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 7a3e4d04c7e06379eddacb4f025a3c48a0a754a4)

11 years ago  s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid
Stefan Metzmacher [Thu, 22 Nov 2012 13:07:04 +0000 (14:07 +0100)]
s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit c2c715f9c9e0d465857ad118d632493131a5f9c5)

11 years ago  s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)
Stefan Metzmacher [Sun, 18 Nov 2012 17:57:03 +0000 (18:57 +0100)]
s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 990448b4997d1a2423e5dd4da1e37ad51f99bf3a)

The last 22 patches address bug #8620 - Read ACL are not enabled by default on
DS.

11 years ago  s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
Stefan Metzmacher [Wed, 21 Nov 2012 13:04:09 +0000 (14:04 +0100)]
s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor

We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit fa676769e0d5d3f161b295f06f643fdacebb82ca)

11 years ago  s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 08:31:25 +0000 (09:31 +0100)]
s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit ca3c0e28ef5d43f0af487e45a56f2929f5f23b4e)

11 years ago  s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor
Stefan Metzmacher [Wed, 21 Nov 2012 13:10:43 +0000 (14:10 +0100)]
s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor

The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 53b100bb59dadbc7cfb727a4ad1566302ff6c831)

11 years ago  s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set
Stefan Metzmacher [Wed, 21 Nov 2012 11:12:41 +0000 (12:12 +0100)]
s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set

In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 95b480fd98d9647c679672abac49c9f4ca5b3219)

11 years ago  s4:dsdb/acl: remove unused "acl:perform" option
Stefan Metzmacher [Wed, 21 Nov 2012 11:15:00 +0000 (12:15 +0100)]
s4:dsdb/acl: remove unused "acl:perform" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 3d57f17db94ddb5d5d8021158548ea7aebe16cd1)

11 years ago  s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED

The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 329afc1a203056b1f4a43dd6c98ec2067c64f962)

11 years ago  s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add
Stefan Metzmacher [Wed, 21 Nov 2012 13:13:17 +0000 (14:13 +0100)]
s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add

See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 42898590bb386a13b4f0d7b0294561a78df7e268)

11 years ago  s4:dsdb/descriptor: make use of dsdb_request_sd_flags()
Stefan Metzmacher [Wed, 21 Nov 2012 12:05:31 +0000 (13:05 +0100)]
s4:dsdb/descriptor: make use of dsdb_request_sd_flags()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit f018772e0ca981857036078342456ef17858b966)

11 years ago  s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDesc...
Stefan Metzmacher [Wed, 21 Nov 2012 14:24:46 +0000 (15:24 +0100)]
s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 67045fafe8a826792a51a504aa85ee6d8e137059)

11 years ago  s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 09:15:58 +0000 (10:15 +0100)]
s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 690b5e11618eb0385272d6a003761db22369e620)

11 years ago  s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function
Stefan Metzmacher [Wed, 21 Nov 2012 11:33:35 +0000 (12:33 +0100)]
s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 2916313f8016720fb36180db341efbf7b91522f6)

11 years ago  s4:dsdb/acl_util: do helper searches AS_SYSTEM
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl_util: do helper searches AS_SYSTEM

The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 1cdecf1234bffc37a9898b666371b2dd25ad158d)

11 years ago  s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM
Stefan Metzmacher [Wed, 21 Nov 2012 08:33:53 +0000 (09:33 +0100)]
s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 8d900d06ff89136016ef2f139d6c33b306c87e93)

11 years ago  s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 659277a89dfd4226db9ea44709010ad7e3768fd6)

11 years ago  s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 844b736a1dd05159850ccc28eee1b3e625489139)

11 years ago  s4:dsdb/rootdse: do helper searches AS_SYSTEM
Stefan Metzmacher [Mon, 12 Nov 2012 13:19:34 +0000 (14:19 +0100)]
s4:dsdb/rootdse: do helper searches AS_SYSTEM

As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit a882b41d44b20476a0b1549260e07be3398f9752)

11 years ago  s4:dsdb/rootdse: remove unused variable
Stefan Metzmacher [Mon, 26 Nov 2012 12:38:07 +0000 (13:38 +0100)]
s4:dsdb/rootdse: remove unused variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 964d96d2c31211601b8854dd3d532112fd2aaece)