s3:winbindd:util: add a comment explaining the function parse_sidlist()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()

This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:python/ntacl: allow string or objects for sd/sid in setntacl()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:samba-tool/gpo: fix the operation order when creating gpos

We should do it like the windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:samba-tool/gpo: use the dns_domain from the server when creating gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:libcli/finddcs_cldap: allow io->in.server_address as hostname

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:libcli/finddcs_cldap: try all NBT#1C addresses

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s3:smbcacls: add --query-security-info and --set-security-info options

This allows the caller to specify the security_information flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags

In order to set and get security_descriptors it's important to specify
the sec_info flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

libcli/security: remove duplicate aces in se_create_child_secdesc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s3:smbd/open: use Builtin_Administrators as owner of files (if possible)

We do this if the idmap layer resolves Builtin_Administrators
as ID_TYPE_BOTH and if the current token has the
Builtin_Administrators SID or it's SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags

A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out elements which will be ignored depending on
the sd_flags and may set the old owner/group sids. Otherwise
the calculation of the DACL/SACL can replace CREATOR_OWNER with
the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/tests: add SdAutoInheritTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104

s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes

We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

This can only be triggered by ourself, that's why we expect
control->data == module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

The propagation of nTSecurityDescriptor doesn't change the
replProperyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/subtree_delete: do an early return and avoid some nesting

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/objectclass: do not pass the callers controls on helper searches

We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/dirsync: remove unused 'deletedattr' variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX

See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes

The @KLUDGEACL record might not be uptodate.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: remove some nesting from descriptor_modify

If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: remove some unnecessary nesting

sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd

The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:provision: add get_empty_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor

We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor

The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set

In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: remove unused "acl:perform" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED

The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add

See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: make use of dsdb_request_sd_flags()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/acl_util: do helper searches AS_SYSTEM

The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/rootdse: do helper searches AS_SYSTEM

As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/rootdse: remove unused variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:tests/samba_tool/gpo.py: fix accidential line break

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:tests/samba_tool/gpo.py: add test_show_as_admin()

This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF

A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:dsdb/schema_data: fix debug message in schema_data_modify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

ldb: fix a typo in the comment for ldb_req_is_untrusted()

Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov 30 15:44:46 CET 2012 on sn-devel-104

libnet: Fix a typo in dbsync error message.

Signed-off-by: Michael Adam <obnox@samba.org>

libnet: Fix copy and paste error in dbsync error message.

torture: Fix copy and paste error in debug message.

Found by Coverity.

torture: Fix copy and paste error.

Found by Coverity.

s3-reg: Fix copy and paste error in debug message.

Found by coverity.

s3:popt_common: Fix password processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 30 14:01:08 CET 2012 on sn-devel-104

s3:util: fix usage of popt_burn_cmdline_password()

We should only call popt_burn_cmdline_password() after poptFreeContext(),
otherwise we remove the password to early.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbind: use new reconnect logic in rpc_lookup_sids() also.

Volker, please check.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbindd: rework reconnect logic in winbindd_lookup_names().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbindd: rework reconnect logic in winbindd_lookup_sids().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbindd: remove lookup_sids_fn_t.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbindd: remove lookup_names_fn_t.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-winbindd: add cm_connect_lsat().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-rpc_cli: Remove some unused wrapping code.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Fix Bug 9422 - large read requests cause server to issue malformed reply

Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 30 03:27:07 CET 2012 on sn-devel-104

dbwrap: Do not rely on dbwrap_record_get_value to return a talloc object

db_tdb_fetch_locked returns the value as part of a larger talloc object
that also contains the key.  This means we can not realloc, but have to
freshly alloc.

Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Nov 29 20:21:51 CET 2012 on sn-devel-104

dbwrap: Remove an unnecessary if-statement

TALLOC_FREE can live with a NULL pointer

Reviewed-by: Michael Adam <obnox@samba.org>

dbwrap: No need to NULL out a talloc_zero'ed structure element

Reviewed-by: Michael Adam <obnox@samba.org>

dbwrap: Use talloc_zero in db_open_rbt

Reviewed-by: Michael Adam <obnox@samba.org>

dbwrap: Use talloc_zero in db_open_cache

Reviewed-by: Michael Adam <obnox@samba.org>

s3: Remove db_ctdb_fetch

Note that this also makes the request for read only copies
much more explicity visible in the code.

Reviewed-by: Michael Adam <obnox@samba.org>

s3: Directly parse local existing records in db_ctdb_parse_record

Reviewed-by: Michael Adam <obnox@samba.org>