Karolin Seeger [Tue, 2 Jun 2009 07:28:49 +0000 (09:28 +0200)]
s3/WHATSNEW: Update changes since 3.4.0pre1.
Karolin
(cherry picked from commit
36b8bbb0328bbcccdc6e9fe99ae4933c916885da)
Kumar Thangavelu [Fri, 29 May 2009 09:27:38 +0000 (11:27 +0200)]
s3/getdcname: Fix 'net' crash.
'net' command crashed when attempting to join a
domain. This occurred in a very specific case where
the DC had multiple IPs and one of the IPs was invalid.
Signed-off-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
795692bd9546b91647ea96cc43ebb5c8efc0aaf2)
(cherry picked from commit
1b401a1b5374d037757954bb023287fa57b1c9b9)
Günther Deschner [Thu, 28 May 2009 09:51:46 +0000 (11:51 +0200)]
nss_wrapper: fix nss_wrapper build for solaris.
Guenther
(cherry picked from commit
136b2a3eb21eda28e7a18547751ee20f097e7492)
(cherry picked from commit
0677a068dce0bd1cc76fc3ea13322e57b1d1c3af)
Günther Deschner [Thu, 28 May 2009 08:53:53 +0000 (10:53 +0200)]
nss_wrapper: remove re-structuring leftovers (unused variables).
Guenther
(cherry picked from commit
37e4c92b383397a2c77db7e5d8adf2fa4a24d398)
(cherry picked from commit
db2fa7179db37d5cb6475006b88ff648636ac602)
Günther Deschner [Thu, 28 May 2009 08:40:22 +0000 (10:40 +0200)]
s3-selftest: use nss_wrapper.pl as "add user to group" and "delete user from group" script.
Guenther
(cherry picked from commit
7a5475f098c6a20f867adc081ca455e6c393755b)
(cherry picked from commit
1a129e79baac7c7ebbc63c9e077ede4b123cf390)
Günther Deschner [Thu, 28 May 2009 08:39:37 +0000 (10:39 +0200)]
nss_wrapper: support member add and delete for groups in nss_wrapper.pl.
Guenther
(cherry picked from commit
ebf8df35c9583619a012e85964f2ad5187a199fe)
(cherry picked from commit
0f93abf8222672e5f7c09fd0b55337de82e9569f)
Günther Deschner [Wed, 27 May 2009 20:35:14 +0000 (22:35 +0200)]
nss_wrapper: split out passwd and group paths in nss_wrapper.pl.
Guenther
(cherry picked from commit
7bb9e08d7e75be88a9788563f053794554f680a8)
(cherry picked from commit
8bda8295ffc6fa9a9776f821b11075b6bac7a80d)
Günther Deschner [Wed, 27 May 2009 16:38:10 +0000 (18:38 +0200)]
nss_wrapper: restructure nwrap calls.
Guenther
(cherry picked from commit
ec9a0917055d731aa95e2fea2045445f9945b74d)
(cherry picked from commit
bf255ec2a81f2f44a9ef0379beaec0a51bbfb000)
Karolin Seeger [Tue, 2 Jun 2009 06:21:04 +0000 (08:21 +0200)]
s3/WHATSNEW: Mention new passdb backend default.
Karolin
(cherry picked from commit
b1f7b6ebb9ea1ac53a83eca734e271e0a7137d0b)
Jeremy Allison [Mon, 1 Jun 2009 21:36:34 +0000 (14:36 -0700)]
Fix bug #6419 - "smbclient -L 127.0.0.1" displays "netbios name" instead of "workgroup"
Unify the handling of the sessionsetup parsing so we don't get different
results when parsing a guest reply than an ntlmssp reply.
Jeremy.
(cherry picked from commit
736c4dddef28d53b55e58a6f62784f068e88dc01)
Björn Jacke [Wed, 27 May 2009 10:01:21 +0000 (12:01 +0200)]
s3: update manpage as to the new passdb backend default
(cherry picked from commit
83613fd2fa6d4c6e7d9eb9bdb60aac31a37bbcaf)
Björn Jacke [Mon, 25 May 2009 12:55:04 +0000 (14:55 +0200)]
s3: make passdb backend default to tdbsam
(cherry picked from commit
f15af8bf2def12eedd967b6e0e411f690be2f804)
Jeremy Allison [Sat, 30 May 2009 20:28:03 +0000 (13:28 -0700)]
Fix bug #6421 - POSIX read-only open fails on read-only shares.
The change to smbd/trans2.c opens up
SETFILEINFO calls to POSIX_OPEN only. The change to first smbd/open.c closes 2
holes that would have been exposed by allowing POSIX_OPENS on readonly shares,
and their ability to set arbitrary flags permutations. The O_CREAT ->
O_CREAT|O_EXCL change removes an illegal combination (O_EXCL without O_CREAT)
that previously was being passed down to the open syscall.
Jeremy.
(cherry picked from commit
d49ae9c87d182f32702a0b6a1cc2a2038f31d81d)
Jeremy Allison [Sat, 30 May 2009 09:30:16 +0000 (11:30 +0200)]
Simplify the dropbox patch
(cherry picked from commit
0d32230c17dbfa5e790d2023ba655f109938ef28)
Volker Lendecke [Wed, 13 May 2009 13:46:35 +0000 (15:46 +0200)]
Re-Add the "dropbox" functionality with -wx rights on a directory
(cherry picked from commit
78aecba62195822f3edb6134548657cf7ba9037c)
Günther Deschner [Fri, 29 May 2009 11:15:27 +0000 (13:15 +0200)]
s3-netlogon: Fix _netr_LogonSamLogon{Ex} with validation level != 3.
Guenther
(cherry picked from commit
90b38906541de554e3964d96ed83a7c71b5ea05c)
(cherry picked from commit
a8868d7fbf51e4706a7d2ee44a9066a8e1efcb4a)
Günther Deschner [Fri, 29 May 2009 10:42:15 +0000 (12:42 +0200)]
s3-netlogon: return proper error code for unsupported validation class.
Guenther
(cherry picked from commit
65f86a644a8171a99c63b6cb32e01e22897174f6)
(cherry picked from commit
745f8d37fffe9d2ac2938101b08ff39ebf50c94c)
Günther Deschner [Fri, 29 May 2009 10:41:41 +0000 (12:41 +0200)]
s3-rpc_server: increase max number of open policy handles per pipe to 2048.
Guenther
(cherry picked from commit
9bd8b0a15773d3d5c0649bfb49bb16acfb4bb5f1)
(cherry picked from commit
aebc22c407c60588eabae324eb9cc06e73538dd4)
Karolin Seeger [Fri, 29 May 2009 12:42:03 +0000 (14:42 +0200)]
WHATSNEW: Update changes since 3.4.0pre1.
Karolin
(cherry picked from commit
7021008d5ed401d60b3b2d5f7fe6c78d63c3495b)
Karolin Seeger [Fri, 29 May 2009 08:57:48 +0000 (10:57 +0200)]
s3/VERSION: Raise version number up to 3.4.0pre2.
Karolin
(cherry picked from commit
51610de47bb709739ba84075395f5409be5ebc5c)
Karolin Seeger [Wed, 27 May 2009 16:13:09 +0000 (18:13 +0200)]
s3/docs: Correct version number.
Karolin
(cherry picked from commit
136b885461b730cf226999b07d2198de8441ebc9)
Karolin Seeger [Fri, 29 May 2009 07:49:49 +0000 (09:49 +0200)]
s3/docs: Fix typo.
This fixes bug #4341.
Thanks to Michael Cartmell <michael.cartmell [at] thomson.com> for reporting!
Karolin
(cherry picked from commit
2228cc6a0f942b774bef7fb0b99009897fa4dff4)
(cherry picked from commit
e1b1f14e0260395a8d452ea0a129bcc9bb3f98cc)
Jeremy Allison [Thu, 28 May 2009 20:33:06 +0000 (13:33 -0700)]
Fix uninitialized variable use caught by valgrind.
Jeremy.
(cherry picked from commit
62d767d57fafd869ec956cbcc84e8c866c6d665b)
Steven Danneman [Thu, 28 May 2009 00:14:49 +0000 (17:14 -0700)]
s3/auth map NULL domains to our global sam name
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the user's credentials to smbd's global sam name.
This fix was being circumvented in the case where the client passed
a NULL domain. Vista clients do this. In that case smbd was always
remapping the name to the machine workgroup. The NULL domain case
should also be mapped to the global sam name.
Removing the code in this patch causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
(cherry picked from commit
fbca26923915a70031f561b198cfe2cc0d9c3aa6)
(cherry picked from commit
22b9d9d28d9acd68a9bc492530fcd0a565ff0aa3)
Michael Adam [Wed, 27 May 2009 17:25:44 +0000 (19:25 +0200)]
s3:idmap_ldap: filter out of range mappings in default idmap config
This fixes bug #6417
Michael
(cherry picked from commit
e381c13b023f2b512b3f6aec133db9f323bc8132)
(cherry picked from commit
4ca03e3bb96518665c296ba2cf5aa1d91916897e)
Michael Adam [Wed, 27 May 2009 17:26:32 +0000 (19:26 +0200)]
s3:idmap: fix a comment typo
Michael
(cherry picked from commit
3fe9859342c28fe9da7011fb18a5fb5de8b29fa6)
(cherry picked from commit
df4a0fabff06ea31149aac45d6477564cf96179b)
Michael Adam [Wed, 27 May 2009 17:24:03 +0000 (19:24 +0200)]
s3:idmap_tdb2: filter out of range mappings in default idmap config
This fixes bug #6416
Michael
(cherry picked from commit
e12670a1053edf57af137026bd3fdb9fc7dfb0b2)
(cherry picked from commit
b369902cddd55fab74ca6e0743e15e0f8cbfc4cc)
Michael Adam [Wed, 27 May 2009 17:12:28 +0000 (19:12 +0200)]
s3:idmap_tdb: filter out of range mappings in default idmap config
This fixes bug #6415
Michael
(cherry picked from commit
3d3f39838261ddc401053dadcc5bd8e6317a3a8e)
(cherry picked from commit
34500d59b6f35de2c3d273d3523708ec22df59ce)
Marc VanHeyningen [Tue, 5 May 2009 21:18:50 +0000 (21:18 +0000)]
s3: Allow child processes to exit gracefully if we are out of fds
When we run out of file descriptors for some reason, every new
connection forks a child that immediately panics causing smbd to
coredump. This seems unnecessarily harsh; with this code change we
now catch that error and merely log a message about it and exit
without the core dump.
Signed-off-by: Tim Prouty <tprouty@samba.org>
(cherry picked from commit
1c8f9892010ce8cc754089b25313c6bc8e622165)
Marc VanHeyningen [Tue, 5 May 2009 22:07:40 +0000 (22:07 +0000)]
s3: zero an uninitialized array
Invalid pointers were being dereferenced in lookup_sids causing
occasional seg faults.
Signed-off-by: Tim Prouty <tprouty@samba.org>
(cherry picked from commit
5afacc0a65e52e73e3887545c4e5e1ad44264b66)
Karolin Seeger [Tue, 26 May 2009 12:16:10 +0000 (14:16 +0200)]
s3/docs: Fix typo in man idmap_rid.
Karolin
(cherry picked from commit
73eaff7a395c9a7a0042f2c50f8817499b6cfdcd)
(cherry picked from commit
b85c2cbcc57291ff88d8d490f548faa675b689be)
Steven Danneman [Fri, 22 May 2009 23:57:52 +0000 (16:57 -0700)]
s3/docs Add manpage for "map untrusted to domain" parameter
This fixes bug 6352.
(cherry picked from commit
bf5fb8b58cb1813fdadabe8f96ef8af305d4d582)
Michael Adam [Mon, 25 May 2009 22:47:15 +0000 (00:47 +0200)]
s3:dbwrap_tool: add listkeys operation
Michael
(cherry picked from commit
714acfac013a46c3677c3eb72ad57db6d97c7d61)
(cherry picked from commit
816776d2f81c1ae90e52612af76aaafeaeb04598)
Michael Adam [Mon, 25 May 2009 22:26:39 +0000 (00:26 +0200)]
s3:dbwrap_tool: remove superfluous command mapping
Michael
(cherry picked from commit
11f07599006cf2ce6760095d07bfe22680c3744e)
(cherry picked from commit
53dfa79e07b22325c0f290b05d4b87dde0cbf3cb)
Michael Adam [Mon, 25 May 2009 21:27:28 +0000 (23:27 +0200)]
s3:dbwrap_tool: add "erase" operation
Michael
(cherry picked from commit
dfe06d21bdc4c715e02c9f80c4bc7144a0d9ee59)
(cherry picked from commit
2e051ece16e7b18e9e82ef36f7d7e8e39d00e66d)
Björn Jacke [Tue, 26 May 2009 13:40:21 +0000 (15:40 +0200)]
s3:pam_smbpass: don't call openlog() or closelog() from pam_smbpass
Patch from Steve Langasek with tiny fixes by me to make it apply to master.
Also see Debian bug #434372 and bugzilla #4831.
Calling openlog() or closelog() inside a pam module is not good as these
functions are not stackable and no program will re-do openlog() just because a
pam module might have called closelog().
(cherry picked from commit
5c34ea94bdf9e3efb6743e52dd3c0c0088cff7d8)
Karolin Seeger [Tue, 26 May 2009 07:48:37 +0000 (09:48 +0200)]
WHATSNEW: Unify spelling.
Karolin
(cherry picked from commit
41644f222542442f2df6f989989aea1c38735d8d)
Karolin Seeger [Tue, 26 May 2009 07:44:39 +0000 (09:44 +0200)]
WHATSNEW: Start release notes for 3.4.0pre2.
Karolin
(cherry picked from commit
635127a87b8473a01e20338206c2e5b546de5865)
Kai Blin [Tue, 26 May 2009 07:29:35 +0000 (09:29 +0200)]
WHATSNEW: Add net command changes
(cherry picked from commit
ce18ba7e24b5578672d2f2ffaab97ef708421067)
Kai Blin [Thu, 14 May 2009 09:39:01 +0000 (11:39 +0200)]
net: Use samba default command line arguments.
Attention:
The meaning of the -N flag changed.
To get the old meaning for net groupmap set, use the long option --ntname
The long option for using kerberos changed from --kerberos to --use-kerberos
net rpc commands will now prompt for a password if none is given.
As a benefit, net will now accept an authentication file like other samba
command line tools. So no need to specify the password on the command line in
scripts anymore.
This should fix bug #6357
Signed-off-by: Kai Blin <kai@samba.org>
(cherry picked from commit
fb262f79fab00374023e59476e8d05a1015a7041)
(cherry picked from commit
c039bc15ba597d955d0ccbf5642388b0a03ba40b)
Slava Semushin [Fri, 22 May 2009 18:10:05 +0000 (01:10 +0700)]
source3/utils/log2pcaphex.c(main): fixed file descriptors leak.
One of leaks found by cppcheck:
[./source3/utils/log2pcaphex.c:367]: (error) Resource leak: out
(cherry picked from commit
8987ca29062db53db117d6c9d9ce2ad01ed17d22)
Slava Semushin [Sat, 23 May 2009 13:51:53 +0000 (20:51 +0700)]
source{3,4}/torture/smbiconv.c(main): fixed file descriptor leak.
File descriptor leaks only when we use file instead of stdout.
Found by cppcheck:
[./source3/torture/smbiconv.c:219]: (error) Resource leak: out
[./source4/torture/smbiconv.c:211]: (error) Resource leak: out
(cherry picked from commit
61cca8aa5f5e3ad665c3b1acfab20802dd0f3f3a)
Slava Semushin [Sat, 23 May 2009 14:02:40 +0000 (21:02 +0700)]
nsswitch/winbind_nss_aix.c(fill_grent): fixed memory leak.
Found by cppcheck:
[./nsswitch/winbind_nss_aix.c:241]: (error) Memory leak: result
(cherry picked from commit
bfe6186c600470916d73c3d3b17b6dfc27c299bd)
Günther Deschner [Mon, 25 May 2009 13:55:26 +0000 (15:55 +0200)]
s3-selftest: fix typo.
Guenther
(cherry picked from commit
4258750e4f112040b3537c2c479f62b6e59b32e3)
(cherry picked from commit
b9344264c0d2108fbbb6ed9b19da9a56b6444211)
Michael Adam [Mon, 25 May 2009 09:54:43 +0000 (11:54 +0200)]
s3:winbind:idmap_ldap: warn about duplicate SID->XID mappings (bug #6387)
With the current infrastructure, we should not return error on
duplicate mappings but just warn instead (because an error would
trigger the attempt to create yet another mapping).
Michael
(cherry picked from commit
3111d78001f458cfcaf81123a1d1c23d5927a6c2)
(cherry picked from commit
5328f600bbc6535d8880b1b0c74bcfbd9b7a162a)
Michael Adam [Mon, 25 May 2009 09:29:14 +0000 (11:29 +0200)]
s3:winbind:idmap_ldap: warn about duplicate XID->SID mappings (bug #6387)
With the current infrastructure, we should not return error on
duplicate mappings but just warn instead (because an error would
trigger the attempt to create yet another mapping).
Michael
(cherry picked from commit
35c3f4162d15f9846a645444e623178b78c52994)
(cherry picked from commit
751b6b07c5ea25809b1766a01fc859d580304ae9)
Günther Deschner [Mon, 25 May 2009 12:05:18 +0000 (14:05 +0200)]
s3-samr: Fix Bug #6372, usermanager only displaying 1024 groups and aliases.
This is now also verified with the RPC-SAMR-LARGE-DC test.
Guenther
(cherry picked from commit
fca7dce1a908570e463ddcbd663955fcafd1d843)
(cherry picked from commit
69907810fee3253096958bf174a052d3cb3b385c)
Günther Deschner [Mon, 25 May 2009 12:03:16 +0000 (14:03 +0200)]
s3-selftest: enable RPC-SAMR-LARGE-DC against Samba3.
This will fail for alias creation as nss_wrapper does not yet wrap around
libnss_winbind.
Guenther
(cherry picked from commit
f0139e3b69a866a6154d0b349410fc0b3bfc30af)
(cherry picked from commit
e9ed9e7f90c39d38dd40871bb915adda2e9951ff)
Günther Deschner [Mon, 25 May 2009 11:08:58 +0000 (13:08 +0200)]
s4-smbtorture: add RPC-SAMR-LARGE-DC test.
This rather simple test creates 4500 objects on a domain controller and checks
the enum calls for the correct number of results.
Guenther
(cherry picked from commit
eb5e8dc82efae20c95a391a15c1264f2267e5a74)
(cherry picked from commit
c1dca5a5f0becdd5f7041e91245cf9d9ae0dfd13)
Günther Deschner [Fri, 22 May 2009 17:04:25 +0000 (19:04 +0200)]
s4-smbtorture: rename test_EnumDomain{Users,Groups,Aliases} in RPC-SAMR.
Guenther
(cherry picked from commit
a75698bdf3b62d43e4909e5bfded70f6675b2058)
(cherry picked from commit
b4817feb9ec5e9ac9e610fdda31dfa64295c6822)
Günther Deschner [Thu, 21 May 2009 16:12:29 +0000 (18:12 +0200)]
s4-smbtorture: re-work test_Create{User,Group,Alias} a little.
Guenther
(cherry picked from commit
05e6ebb7f812eed95b8407e65cf438e04d6e3789)
(cherry picked from commit
5e726f1843cd8ecb29588f6a00196354c6bc6708)
Günther Deschner [Fri, 22 May 2009 15:56:37 +0000 (17:56 +0200)]
s3-pamsmbpass: copy _pam_get_item and _pam_get_data from pam_winbind.
Guenther
(cherry picked from commit
1950e180caf707346300b83021624d586cc3776d)
(cherry picked from commit
7e41fce5aa9b97eb4cf3c29bf6542b05051e1f27)
Günther Deschner [Fri, 22 May 2009 14:48:01 +0000 (16:48 +0200)]
s3-rpcclient: use get_domain_handle() fn in enum domain users & groups.
Guenther
(cherry picked from commit
86d087fccc30a82cb1fe3a71d0353634496e72c4)
(cherry picked from commit
e172757782d17ba1066d1cefe18e2a8d55b3ce96)
Volker Lendecke [Mon, 25 May 2009 10:36:30 +0000 (12:36 +0200)]
Attempt to fix a debian build problem
(cherry picked from commit
31eec30c33b300d93f6d6895f6d0e6b06e0c2185)
Volker Lendecke [Sun, 24 May 2009 16:57:13 +0000 (18:57 +0200)]
Fix a race condition in winbind leading to a panic
In winbind, we do multiple events in one select round. This needs fixing, but
as long as we're still using it, for efficiency reasons we need to do that.
What can happen is the following: We have outgoing data pending for a client,
thus
state->fd_event.flags == EVENT_FD_WRITE
Now a new client comes in, we go through the list of clients to find an idle
one. The detection for idle clients in remove_idle_client does not take the
pending data into account. We close the socket that has pending outgoing data,
the accept(2) one syscall later gives us the same socket.
In new_connection(), we do a setup_async_read, setting up a read fde. The
select from before however had found the socket (that we had already closed!!)
to be writable. In rw_callback we only want to see a readable flag, and we
panic in the SMB_ASSERT(flags == EVENT_FD_READ).
Found using
bin/smbtorture //127.0.0.1/tmp -U% -N 500 -o 2 local-wbclient
Volker
(cherry picked from commit
bfeab3a0f621dbea50f43c98ba70b0ccd8323bff)
Jeremy Allison [Fri, 22 May 2009 22:56:59 +0000 (15:56 -0700)]
Ensure we return NT_STATUS_FILE_IS_A_DIRECTORY on a posix open on a
directory name.
Jeremy.
(cherry picked from commit
689664ad7acf13b07409abd4c2820dbe10255b68)
Jeremy Allison [Fri, 22 May 2009 22:56:46 +0000 (15:56 -0700)]
Test that POSIX open of a directory returns NT_STATUS_FILE_IS_A_DIRECTORY (ERRDOS, EISDIR).
Jeremy.
(cherry picked from commit
935a1a89c6c027e068f79e3686396c28812f9e67)
Michael Adam [Fri, 22 May 2009 09:58:00 +0000 (11:58 +0200)]
s3:winbind:idmap_ldap: fix a crash bug in idmap_ldap_unixids_to_sids (#6387)
This fixes a crash bug hit when multiple mappings were found by
the ldap search. This crash was caused by an ldap assertion
in ldap_next_entry because was set to NULL in each iteration.
The corresponding fix was applied to the idmap_ldap_sids_to_unixids()
by Jerry in 2007 (b066668b74768d9ed547f16bf7b6ba6aea5df20a).
This fixes the crash part of bug #6387.
There is a logic part, too:
The problem currently only occurs when multiple mappings are found
for one given unixid. Now winbindd does not crash any more but
it does not correctly handle this situation. It just returns the
last mapping from the ldap search results.
This needs fixing.
Michael
(cherry picked from commit
e9010fa366746ec1ae948dbcf3493d446e23b14c)
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
2b6dbddb9cc723fcbd2e4e22a9404d6b4ff805d7)
Jeremy Allison [Fri, 22 May 2009 01:48:17 +0000 (18:48 -0700)]
Don't steal when we know the ptr will be null. Thanks to Simo for
pointing this out.
Jeremy.
(cherry picked from commit
b6769282d60d20301f085243b3e747efffe2d637)
Jeremy Allison [Fri, 22 May 2009 01:37:36 +0000 (18:37 -0700)]
Revert the last two commits (fix for #6386). The actual problem
was a bug in ldb in 3.2 which could return a freed pointer on
ret != LDAP_SUCCESS. The main thing we must ensure is that we
never talloc_steal until we know LDAP_SUCCESS was returned.
Jeremy.
(cherry picked from commit
f3c3ee0f5dc6266f58e96606b73f55b812fe5171)
Jeremy Allison [Fri, 22 May 2009 01:00:54 +0000 (18:00 -0700)]
Ensure all possible uses of indirection through res are checked after
an ldb_search.
Jeremy.
(cherry picked from commit
64f6bd6c9b24e985fcd56765190046d3e9a5344e)
Jeremy Allison [Fri, 22 May 2009 00:27:25 +0000 (17:27 -0700)]
Attempt to fix bug #6386 - Samba Panic triggered by Sophos Control Centre.
Don't indirect a potentially null pointer.
Jeremy.
(cherry picked from commit
b4f6bb84d1bcd5a09d7c20c2a7dac0bfb11f199f)
Jim McDonough [Thu, 21 May 2009 20:26:26 +0000 (16:26 -0400)]
Detect tight loop in tdb_find()
(cherry picked from commit
dbd5dd808f14b1df0ed3dabd0553baddad2d186b)
Jeremy Allison [Wed, 20 May 2009 18:52:11 +0000 (11:52 -0700)]
Add a security model to LSA. Similar to the SAMR code - using
the MS-LSA docs.
Jeremy.
(cherry picked from commit
c57de2c23d4208d4d7d06decdb1663670faa228d)
Volker Lendecke [Mon, 18 May 2009 04:18:57 +0000 (06:18 +0200)]
Use SMB_VFS_NEXT_CLOSE. This VFS stuff is really opaque to me...
Thanks to Michael for providing some transparency :-)
(cherry picked from commit
db9f5e1d7bb5a2ee3a42428dd1406f27c09d671f)
Volker Lendecke [Mon, 18 May 2009 04:02:07 +0000 (06:02 +0200)]
Fix bug disclosed by lock8 torture test
We have to drop the gpfs level share modes, regardless of whether we put
the file into the pending close queue.
(cherry picked from commit
0eaf040f469972d1dfd2b53d8df97bb135e3e4d4)
Günther Deschner [Wed, 20 May 2009 00:12:17 +0000 (02:12 +0200)]
s3-selftest: add add and delete group scripts using nss_wrapper.
Guenther
(cherry picked from commit
e11f9b46c6345471cca76b9772080d3bfd687852)
(cherry picked from commit
f6b0448f814e47ea9eccf895c5182565104acae7)
Günther Deschner [Wed, 20 May 2009 00:10:12 +0000 (02:10 +0200)]
nsswrapper: implement group_del() in nss_wrapper.pl.
Guenther
(cherry picked from commit
3bd360c73de77559593e11301d247fd53c4ce128)
(cherry picked from commit
28ed6d144647c4f0181e9a2650cabba91eb56f3e)
Günther Deschner [Wed, 20 May 2009 00:06:22 +0000 (02:06 +0200)]
nsswrapper: implement group_add() in nss_wrapper.pl.
Guenther
(cherry picked from commit
b3cc01fd68e30ebd616897982e0d8befd2a2a7e0)
(cherry picked from commit
e8c9731d5ffa1503dd695e2ab89450973c8a7acb)
Jeremy Allison [Tue, 19 May 2009 21:47:25 +0000 (14:47 -0700)]
Added mapping table for account object in lsa.
Jeremy.
(cherry picked from commit
1a219740537319c4369a10572c46949de566ce49)
Aravind Srinivasan [Thu, 14 May 2009 15:54:46 +0000 (15:54 +0000)]
s3 onefs: Removing an incorrect TALLOC_FREE
Signed-off-by: Tim Prouty <tprouty@samba.org>
(cherry picked from commit
bb454b5fd95185a1456ea120b3a7c56f4a4f1c78)
(cherry picked from commit
d3bb598e656c22955dcb2f34dabcdc4946b61725)
Aravind Srinivasan [Mon, 11 May 2009 22:39:05 +0000 (22:39 +0000)]
s3: Always allocate memory in dptr_ReadDirName
This is a follow up to 69d61453df6019caef4e7960fa78c6a3c51f3d2a to
adjust the API to allow the lower layers to allocate memory. Now the
memory can explicitly be freed rather than relying on talloc_tos().
Signed-off-by: Tim Prouty <tprouty@samba.org>
(cherry picked from commit
bfe7383d7f0349fec796d04772d42d566f7f083b)
Tim Prouty [Tue, 19 May 2009 01:31:46 +0000 (18:31 -0700)]
s4 torture: Fix typo
(cherry picked from commit
52d26c3a3a8914a608d8b318e01fee636cc83042)
Tim Prouty [Tue, 19 May 2009 01:20:18 +0000 (18:20 -0700)]
s3 sendfile: Fix two bugs in sendfile
These were found internally via code inspection.
1) fake_sendfile was incorrectly writing zeros over real data on a
short read.
2) sendfile_short_send was doing 4 byte writes instead of 1024 byte
writes due to an incorrect sizeof usage.
Jeremy, Vl please check
(cherry picked from commit
7cd8dfc7bdbc6e0715bbd8eddf1ef11c622a8f72)
Günther Deschner [Tue, 19 May 2009 00:01:27 +0000 (02:01 +0200)]
s4-smbtorture: Fix build warning in RPC-SAMR tests.
Guenther
(cherry picked from commit
518666102367ce21782cb0f597c136ac125cef05)
(cherry picked from commit
e14d0a1b3b4875db08d967131efb4e300d22bc12)
Günther Deschner [Tue, 19 May 2009 00:00:34 +0000 (02:00 +0200)]
s3: re-run make samba3-idl.
Guenther
(cherry picked from commit
d7142fb1b56073ca0d078d0214f70c2c77186fce)
(cherry picked from commit
3f9e43e026d904798998a3d94e7f2e9318fd4d85)
Günther Deschner [Mon, 18 May 2009 23:59:55 +0000 (01:59 +0200)]
lsa: add access_masks for accounts, secrets and trusted domains to IDL.
Guenther
(cherry picked from commit
7c22eed419fe877c51c6c4d1fecea0e2e4aa0b1b)
(cherry picked from commit
3821bd0dec854e4ded4f01f58a13a65068be5643)
Jeremy Allison [Mon, 18 May 2009 22:50:47 +0000 (15:50 -0700)]
Change access_check_samr_object -> access_check_object.
Make map_max_allowed_access global. Change lsa_get_generic_sd
to add Everyone:LSA_POLICY_READ|LSA_POLICY_EXECUTE, not just
LSA_POLICY_EXECUTE.
Jeremy.
(cherry picked from commit
86e10fee0284bc1b9e68c0fc9720b80df3580517)
Günther Deschner [Mon, 18 May 2009 22:16:26 +0000 (00:16 +0200)]
s3-lsa: let _lsa_OpenPolicy() just call _lsa_OpenPolicy2().
Guenther
(cherry picked from commit
d06051cc51ded9649d4c201afdf338c2426e6f5f)
(cherry picked from commit
966faaf60758cfc112a5779e357d434b4d045f9c)
Günther Deschner [Mon, 18 May 2009 19:14:42 +0000 (21:14 +0200)]
s3-selftest: enable RPC-SAMR-USERS-PRIVILEGES.
Guenther
(cherry picked from commit
9e741b34b29eebfa3c0ca664a48e806007d572da)
(cherry picked from commit
34da4e42cf077b4a8e4788156b7d7a980e1eefc7)
Günther Deschner [Mon, 18 May 2009 19:05:08 +0000 (21:05 +0200)]
s3-lsa: let _lsa_GetSystemAccessAccount() call into _lsa_EnumPrivsAccount().
Inspired by lsa server from Samba 4.
Just removing a user in SAMR does not remove a user in LSA. If you use
usermanager from windows, the "User Rights" management gui gets inaccessible as
soon as you delete a user that had privileges granted. With this fix, that
no longer existing user would properly appear as an unknown account in the GUI
(as it does while using usermanager with windows domains).
This almost makes Samba3 pass the RPC-SAMR-USERS-PRIVILEGES test.
Guenther
(cherry picked from commit
6ab0c83570b2e60e0cd3bd5f5bfb1923fd359994)
(cherry picked from commit
7303efac8438c17290d66ef48ba6321e57b7bdf9)
Günther Deschner [Mon, 18 May 2009 19:00:29 +0000 (21:00 +0200)]
s3-lsa: start a very basic implementation of _lsa_DeleteObject().
Certainly not the full story but this gets us closer to pass the
RPC-SAMR-USERS-PRIVILEGES test.
Guenther
(cherry picked from commit
4724fef8979c3f0e66cb8e41936af270901093b4)
(cherry picked from commit
0792ff10d5d7379bd5da81a05c642db1e66c6f4b)
Günther Deschner [Mon, 18 May 2009 17:37:13 +0000 (19:37 +0200)]
s4-smbtorture: add RPC-SAMR-USERS-PRIVILEGES test.
This test demonstrates the independence of the lsa and samr accounts while
removing a samr user that still has privileges granted.
Guenther
(cherry picked from commit
0a9049be872a0eaf56c1449f8b362b6d91dd781b)
(cherry picked from commit
53324b397ed17a08eb093c8f98e8d645da68aac5)
Günther Deschner [Fri, 15 May 2009 23:22:28 +0000 (01:22 +0200)]
s3-privileges: add privilege_delete_account().
Guenther
(cherry picked from commit
dccecdf33850ec4d763b8b0e7ba7be7a8eb873de)
(cherry picked from commit
e3be289df092f3b16bdd06904cd543920e3da307)
Günther Deschner [Fri, 15 May 2009 23:21:08 +0000 (01:21 +0200)]
s3-privileges: remove trailing whitespace from privileges codes.
Guenther
(cherry picked from commit
118f343b05ba86a1f8fd28394433aa6e961e2d6c)
(cherry picked from commit
0f6e4c62c97e983a99ff2c917b0c7f2db3ca289b)
Jeremy Allison [Mon, 18 May 2009 21:26:37 +0000 (14:26 -0700)]
Fix SAMR server for winbindd access. Ensure we allow
MAX_ACCESS to be mapped to what we're giving Everyone.
Jeremy.
(cherry picked from commit
cb49ceb25d8be05148e3081a73f8db10915963f0)
Guenther Deschner [Sat, 16 May 2009 01:11:30 +0000 (18:11 -0700)]
s3-samr: Fix samr access checks in _samr_SetUserInfo().
Guenther
(cherry picked from commit
c79ceb3345c56cff28b5e828188611c5fc80b1a7)
Guenther Deschner [Sat, 16 May 2009 01:03:34 +0000 (18:03 -0700)]
s3-samr: Fix samr access checks in _samr_QueryUserInfo().
Guenther
(cherry picked from commit
5c3c7f6921c9cff58cf4f85c0b691566bf4cd02e)
Jeremy Allison [Sat, 16 May 2009 00:55:41 +0000 (17:55 -0700)]
Ensure users with SeAddUser privs get full access to
groups/aliases when opening.
Jeremy.
(cherry picked from commit
72f90581a78443efd6cf24bac635fe9032df18fd)
Jeremy Allison [Sat, 16 May 2009 00:54:27 +0000 (17:54 -0700)]
Add extra abilities for a user with SeAddUsers, so they
can manipulate groups and aliases.
Jeremy.
(cherry picked from commit
361caafeebb37f6247f7ede38a50a70323fdd107)
Jeremy Allison [Sat, 16 May 2009 00:52:40 +0000 (17:52 -0700)]
DeleteUser doesn't need the priv checks, this is done at OpenUser time.
Jeremy.
(cherry picked from commit
c0ff7e5459bdf1351f6cb69e58a1f8105bcfd3dc)
Guenther Deschner [Sat, 16 May 2009 00:50:49 +0000 (17:50 -0700)]
s3-samr: Fix samr access checks in _samr_RemoveMemberFromForeignDomain().
Guenther
(cherry picked from commit
6d0981845ec005a48a82280e2ebfe85ac9b72537)
Guenther Deschner [Sat, 16 May 2009 00:49:02 +0000 (17:49 -0700)]
s3-samr: Fix samr access checks in _samr_SetDomainInfo().
Guenther
(cherry picked from commit
c7e6db566ad2bd5ea6473753a720a9ccc9772b59)
Guenther Deschner [Sat, 16 May 2009 00:47:16 +0000 (17:47 -0700)]
s3-samr: Fix samr access checks in _samr_QueryDomainInfo().
Guenther
(cherry picked from commit
42ad75c9d31f6101103870e1055a7cd4b7f149fd)
Jeremy Allison [Sat, 16 May 2009 00:43:41 +0000 (17:43 -0700)]
Fix the core of the SAMR access functions. This passes make test, but
usrmgr fails against it. The core of this patch is to move all the
access mask setup into the _samr_OpenXXX functions, and then have
each specific function check the attached access_mask against the
required bits. We can then go through the MS-SAMR doc and match
things up. Signed off by Guenther, and whitespace cleanup removal
by Volker.
Jeremy.
(cherry picked from commit
bdc797135151d4f85e6368d016bfb26389c6f055)
Günther Deschner [Fri, 15 May 2009 17:43:19 +0000 (19:43 +0200)]
s3-netdomjoin-gui: allow to switch between workgroups/domains with the same name.
Guenther
(cherry picked from commit
d800ee50335ecbd2dbd3b451a18a00780ac28f04)
(cherry picked from commit
9db1fc45786872d938939bd33b3b867ee599c9a2)
Günther Deschner [Fri, 15 May 2009 17:42:05 +0000 (19:42 +0200)]
s3-netdomjoin-gui: cosmetic fix for empty hostnames.
Guenther
(cherry picked from commit
8c74d31962eb82f7dcc07000aeb27a84a633a225)
(cherry picked from commit
c03287c2f8d03363a26b0518b6370ddfaa7b5915)
Günther Deschner [Fri, 15 May 2009 15:06:54 +0000 (17:06 +0200)]
s3-netdomjoin-gui: only gray out labels when not root and not connecting to
remote machines.
Guenther
(cherry picked from commit
473bf41d20b25bd7d98ea6647e6295b3fb6f34e1)
(cherry picked from commit
7115126d0f7d97c3633b62e76e2fdc681dedb36d)
Volker Lendecke [Mon, 18 May 2009 08:32:27 +0000 (10:32 +0200)]
Fix bug 5681: Do not limit the number of network interfaces
Jeremy, as far as I can see there is no real technical reason to limit the
number of interfaces. If you like this patch, can you please merge it to 3.4?
If you don't, please tell me :-)
Thanks,
Volker
(cherry picked from commit
71e835942522992c08267da74d480ad6552c6508)
Volker Lendecke [Mon, 18 May 2009 11:30:16 +0000 (13:30 +0200)]
Move down the become_root()/unbecome_root() calls into the VFS modules
The aio_fork module does not need this, as it does not communicate via signals
but with pipes. Watching a strace log with those become_root() calls in aio.c
is absolutely awful, and it does affect performance.
(cherry picked from commit
b8d12d3ffce304b4086488d999f85d80667e196e)