kai/samba.git
Michael Adam [Sat, 17 Nov 2012 12:10:26 +0000 (13:10 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid

The main purpose of the change is to hand the sid into the
idmap backend and hand responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.

Hence backends like rid, which are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type GID
or, more generally, BOTH to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sat, 17 Nov 2012 12:04:41 +0000 (13:04 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid

The main purpose of the change is to hand the sid into the
idmap backend and hand responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.

Hence backends like rid, which are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type UID
or, more generally, BOTH to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sat, 17 Nov 2012 01:30:07 +0000 (02:30 +0100)]
s3:winbindd: factor winbindd_sids_to_xids into external and internal part

- external part takes winbindd request/response structs (with sid strings)
- internal part takes sid lists

The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.

The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 16 Nov 2012 16:49:25 +0000 (17:49 +0100)]
s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 15:09:59 +0000 (16:09 +0100)]
s3:winbindd: add explaining comment to winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 13:09:10 +0000 (14:09 +0100)]
s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()

for readability

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 12:54:20 +0000 (13:54 +0100)]
s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 10:32:47 +0000 (11:32 +0100)]
s3:winbindd:util: add a comment explaining the function parse_sidlist()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:57:44 +0000 (09:57 +0100)]
s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()

This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:28:23 +0000 (09:28 +0100)]
s4:python/ntacl: allow string or objects for sd/sid in setntacl()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: fix the operation order when creating gpos

We should do it like the Windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use the dns_domain from the server when creating gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 1 Dec 2012 08:14:19 +0000 (09:14 +0100)]
s4:libcli/finddcs_cldap: allow io->in.server_address as hostname

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 1 Dec 2012 07:56:57 +0000 (08:56 +0100)]
s4:libcli/finddcs_cldap: try all NBT#1C addresses

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 30 Nov 2012 13:36:07 +0000 (14:36 +0100)]
s3:smbcacls: add --query-security-info and --set-security-info options

This allows the caller to specify the security_information flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 30 Nov 2012 12:52:53 +0000 (13:52 +0100)]
s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags

In order to set and get security_descriptors it's important to specify
the sec_info flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 11:33:22 +0000 (12:33 +0100)]
libcli/security: remove duplicate aces in se_create_child_secdesc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 30 Nov 2012 12:33:59 +0000 (13:33 +0100)]
s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 30 Nov 2012 12:32:04 +0000 (13:32 +0100)]
s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 09:00:03 +0000 (10:00 +0100)]
s3:smbd/open: use Builtin_Administrators as owner of files (if possible)

We do this if the idmap layer resolves Builtin_Administrators
as ID_TYPE_BOTH and if the current token has the
Builtin_Administrators SID or it's SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 1 Dec 2012 14:10:38 +0000 (15:10 +0100)]
s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags

A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out elements which will be ignored depending on
the sd_flags and may set the old owner/group sids. Otherwise
the calculation of the DACL/SACL can replace CREATOR_OWNER with
the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 16 Nov 2012 11:51:44 +0000 (12:51 +0100)]
s4:dsdb/tests: add SdAutoInheritTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104

Stefan Metzmacher [Fri, 23 Nov 2012 16:10:38 +0000 (17:10 +0100)]
s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes

We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 15:46:51 +0000 (16:46 +0100)]
s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 14:55:24 +0000 (15:55 +0100)]
s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 09:45:02 +0000 (10:45 +0100)]
s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

This can only be triggered by ourselves, that's why we expect
control->data == module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 15:12:54 +0000 (16:12 +0100)]
s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 10:18:05 +0000 (11:18 +0100)]
s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

The propagation of nTSecurityDescriptor doesn't change the
replPropertyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 14:25:06 +0000 (15:25 +0100)]
s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 09:16:45 +0000 (10:16 +0100)]
s4:dsdb/subtree_delete: delete from the leaves to the root (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 09:14:59 +0000 (10:14 +0100)]
s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 09:04:39 +0000 (10:04 +0100)]
s4:dsdb/subtree_delete: do an early return and avoid some nesting

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 22:21:10 +0000 (23:21 +0100)]
s4:dsdb/objectclass: do not pass the callers controls on helper searches

We add AS_SYSTEM and SHOW_RECYCLED to the helper search;
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 09:06:13 +0000 (10:06 +0100)]
s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 08:20:37 +0000 (09:20 +0100)]
s4:dsdb/dirsync: remove unused 'deletedattr' variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 08:19:52 +0000 (09:19 +0100)]
s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 08:17:27 +0000 (09:17 +0100)]
s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX

See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 24 Nov 2012 08:15:24 +0000 (09:15 +0100)]
s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes

The @KLUDGEACL record might not be up to date.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 09:58:49 +0000 (10:58 +0100)]
s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 08:55:17 +0000 (09:55 +0100)]
s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 08:31:05 +0000 (09:31 +0100)]
s4:dsdb/descriptor: remove some nesting from descriptor_modify

If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 08:20:50 +0000 (09:20 +0100)]
s4:dsdb/descriptor: remove some unnecessary nesting

sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 08:19:11 +0000 (09:19 +0100)]
s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 08:15:25 +0000 (09:15 +0100)]
s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 06:18:35 +0000 (07:18 +0100)]
s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 15:22:30 +0000 (16:22 +0100)]
s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd

The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 13:09:34 +0000 (14:09 +0100)]
s4:provision: add get_empty_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 14:53:14 +0000 (15:53 +0100)]
s4:dsdb/descriptor: if the caller specifies no DACL/SACL the object gets a default one

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 13:07:04 +0000 (14:07 +0100)]
s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sun, 18 Nov 2012 17:57:03 +0000 (18:57 +0100)]
s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 13:04:09 +0000 (14:04 +0100)]
s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor

We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 08:31:25 +0000 (09:31 +0100)]
s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 13:10:43 +0000 (14:10 +0100)]
s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor

The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 11:12:41 +0000 (12:12 +0100)]
s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set

In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 11:15:00 +0000 (12:15 +0100)]
s4:dsdb/acl: remove unused "acl:perform" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED

The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 13:13:17 +0000 (14:13 +0100)]
s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add

See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 12:05:31 +0000 (13:05 +0100)]
s4:dsdb/descriptor: make use of dsdb_request_sd_flags()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 14:24:46 +0000 (15:24 +0100)]
s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 09:15:58 +0000 (10:15 +0100)]
s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 11:33:35 +0000 (12:33 +0100)]
s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl_util: do helper searches AS_SYSTEM

The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 08:33:53 +0000 (09:33 +0100)]
s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 12 Nov 2012 13:19:34 +0000 (14:19 +0100)]
s4:dsdb/rootdse: do helper searches AS_SYSTEM

As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 26 Nov 2012 12:38:07 +0000 (13:38 +0100)]
s4:dsdb/rootdse: remove unused variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Tue, 27 Nov 2012 15:43:25 +0000 (16:43 +0100)]
s4:tests/samba_tool/gpo.py: fix accidental line break

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 20 Nov 2012 14:02:05 +0000 (15:02 +0100)]
s4:tests/samba_tool/gpo.py: add test_show_as_admin()

This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 20 Nov 2012 13:58:13 +0000 (14:58 +0100)]
s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 20 Nov 2012 13:56:56 +0000 (14:56 +0100)]
s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 17 Nov 2012 06:13:40 +0000 (07:13 +0100)]
s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 20 Nov 2012 13:51:46 +0000 (14:51 +0100)]
s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 22 Nov 2012 07:59:40 +0000 (08:59 +0100)]
s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF

A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 08:51:45 +0000 (09:51 +0100)]
s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 27 Nov 2012 13:49:11 +0000 (14:49 +0100)]
s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Wed, 21 Nov 2012 15:12:22 +0000 (16:12 +0100)]
s4:dsdb/schema_data: fix debug message in schema_data_modify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Wed, 28 Nov 2012 20:55:47 +0000 (21:55 +0100)]
ldb: fix a typo in the comment for ldb_req_is_untrusted()

Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov 30 15:44:46 CET 2012 on sn-devel-104

Michael Adam [Fri, 30 Nov 2012 11:31:55 +0000 (12:31 +0100)]
libnet: Fix a typo in dbsync error message.

Signed-off-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Fri, 30 Nov 2012 10:01:47 +0000 (11:01 +0100)]
libnet: Fix copy and paste error in dbsync error message.

Andreas Schneider [Fri, 30 Nov 2012 09:59:06 +0000 (10:59 +0100)]
torture: Fix copy and paste error in debug message.

Found by Coverity.

Andreas Schneider [Fri, 30 Nov 2012 09:57:39 +0000 (10:57 +0100)]
torture: Fix copy and paste error.

Found by Coverity.

Andreas Schneider [Fri, 30 Nov 2012 09:53:55 +0000 (10:53 +0100)]
s3-reg: Fix copy and paste error in debug message.

Found by Coverity.

Stefan Metzmacher [Fri, 30 Nov 2012 11:07:39 +0000 (12:07 +0100)]
s3:popt_common: Fix password processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 30 14:01:08 CET 2012 on sn-devel-104

Stefan Metzmacher [Fri, 30 Nov 2012 08:31:34 +0000 (09:31 +0100)]
s3:util: fix usage of popt_burn_cmdline_password()

We should only call popt_burn_cmdline_password() after poptFreeContext(),
otherwise we remove the password too early.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 29 Nov 2012 13:31:19 +0000 (14:31 +0100)]
s3-winbind: use new reconnect logic in rpc_lookup_sids() also.

Volker, please check.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 29 Nov 2012 11:03:53 +0000 (12:03 +0100)]
s3-winbindd: rework reconnect logic in winbindd_lookup_names().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 29 Nov 2012 11:03:16 +0000 (12:03 +0100)]
s3-winbindd: rework reconnect logic in winbindd_lookup_sids().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 19:41:21 +0000 (20:41 +0100)]
s3-winbindd: remove lookup_sids_fn_t.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 16:03:40 +0000 (17:03 +0100)]
s3-winbindd: remove lookup_names_fn_t.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 16:00:49 +0000 (17:00 +0100)]
s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 15:57:57 +0000 (16:57 +0100)]
s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 15:57:24 +0000 (16:57 +0100)]
s3-winbindd: add cm_connect_lsat().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 28 Nov 2012 13:53:27 +0000 (14:53 +0100)]
s3-rpc_cli: Remove some unused wrapping code.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 27 Nov 2012 22:58:09 +0000 (14:58 -0800)]
Fix Bug 9422 - large read requests cause server to issue malformed reply

Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 30 03:27:07 CET 2012 on sn-devel-104