kai/samba.git
6 years ago Clean up client timeout definitions [rev. 2]
Scott Lovenberg [Tue, 4 Dec 2012 14:15:38 +0000 (09:15 -0500)]
Clean up client timeout definitions [rev. 2]

The definitions for default client timeout values have been moved to client.h.  When initializing a client struct we use this value instead of the old hardcoded value.  The timeout value remains 20 seconds.

Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec  6 03:25:58 CET 2012 on sn-devel-104

6 years ago s3:smbd: fix a cut and paste error in a debug message
Michael Adam [Tue, 4 Dec 2012 15:26:36 +0000 (16:26 +0100)]
s3:smbd: fix a cut and paste error in a debug message

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>

6 years ago Documentation fixes for bug #9462 - Users can not be given write permissions any...
Jeremy Allison [Tue, 4 Dec 2012 23:47:06 +0000 (15:47 -0800)]
Documentation fixes for bug #9462 - Users can not be given write permissions any more by default

Ensure we don't apply the masks + force modes on security setting
changes, only on create.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:smbd: don't apply create/directory mask and modes in apply_default_perms()
Michael Adam [Wed, 5 Dec 2012 14:04:01 +0000 (15:04 +0100)]
s3:smbd: don't apply create/directory mask and modes in apply_default_perms()

The mask/mode parameters should only apply to a situation with only
pure posix permissions.
Once we are dealing with ACLs and inheritance, we need to do it correctly.

This fixes bug #9462: Users can not be given write permissions any more by default

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>

6 years ago Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
Richard Sharpe [Wed, 5 Dec 2012 01:21:29 +0000 (17:21 -0800)]
Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.

Ensure we check the buffer size correctly.

Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec  6 01:31:08 CET 2012 on sn-devel-104

6 years ago wsgi: Serve '500 Internal Server Error' page when errors occur.
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:23 +0000 (20:44 +0100)]
wsgi: Serve '500 Internal Server Error' page when errors occur.

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Dec  5 18:40:25 CET 2012 on sn-devel-104

6 years ago web_server: Make second argument to websrv_output const.
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:08 +0000 (20:44 +0100)]
web_server: Make second argument to websrv_output const.

6 years ago wsgi: When encountering error in Python code, print traceback to logs.
Jelmer Vernooij [Sat, 24 Nov 2012 18:35:33 +0000 (19:35 +0100)]
wsgi: When encountering error in Python code, print traceback to logs.

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago BUG 9459: Install manpages only if we install the target.
Andreas Schneider [Tue, 4 Dec 2012 14:03:40 +0000 (15:03 +0100)]
BUG 9459: Install manpages only if we install the target.

Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec  4 18:07:47 CET 2012 on sn-devel-104

6 years ago Remove unused append_parent_acl().
Jeremy Allison [Mon, 3 Dec 2012 23:07:16 +0000 (15:07 -0800)]
Remove unused append_parent_acl().

Get rid of a large chunk of unused code.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Dec  4 11:59:30 CET 2012 on sn-devel-104

6 years ago s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED
Michael Adam [Tue, 4 Dec 2012 01:02:07 +0000 (02:02 +0100)]
s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED

Omission to free the talloc frame causes a panic (at least in developer mode)
in the next main event loop due to "Frame not freed in order."
(Freed frame ../source3/smbd/process.c:3617, expected ../source3/modules/vfs_acl_common.c:534.)

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec  4 09:03:25 CET 2012 on sn-devel-104

6 years ago s3:passdb: fix building pdb_ldap as shared module
Michael Adam [Mon, 3 Dec 2012 15:52:12 +0000 (16:52 +0100)]
s3:passdb: fix building pdb_ldap as shared module

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec  3 19:12:29 CET 2012 on sn-devel-104

6 years ago docs: Merge both samba.8 manpages.
Karolin Seeger [Fri, 30 Nov 2012 10:33:04 +0000 (11:33 +0100)]
docs: Merge both samba.8 manpages.

Remove source4/smbd/samba.8.xml and add the additional content to
docs-xml/samba.8.xml to be able to build this manpage with the autoconf build
also.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec  3 16:28:32 CET 2012 on sn-devel-104

6 years ago docs: Add samba.8 and samba-tool manpage to waf build.
Karolin Seeger [Fri, 30 Nov 2012 09:39:06 +0000 (10:39 +0100)]
docs: Add samba.8 and samba-tool manpage to waf build.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago docs: Update man 7 samba.
Karolin Seeger [Fri, 30 Nov 2012 10:37:33 +0000 (11:37 +0100)]
docs: Update man 7 samba.

Update man 7 samba. Still incomplete, but at least a bit more up to date.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago lib/talloc: Move manpage to man/.
Karolin Seeger [Fri, 30 Nov 2012 08:43:33 +0000 (09:43 +0100)]
lib/talloc: Move manpage to man/.

Trying to be more consistent.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago lib/tdb: Rename manpages/ to man/.
Karolin Seeger [Fri, 30 Nov 2012 08:39:22 +0000 (09:39 +0100)]
lib/tdb: Rename manpages/ to man/.

Trying to be more consistent.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago replace: Remove deprecated getpass() support.
Andreas Schneider [Fri, 23 Nov 2012 13:58:38 +0000 (14:58 +0100)]
replace: Remove deprecated getpass() support.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago ntlm_auth4: Use new samba_getpass() function.
Andreas Schneider [Fri, 23 Nov 2012 13:55:48 +0000 (14:55 +0100)]
ntlm_auth4: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago cmdline: Use new samba_getpass() function.
Andreas Schneider [Fri, 23 Nov 2012 13:48:00 +0000 (14:48 +0100)]
cmdline: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago smbget: Use new samba_getpass() function.
Andreas Schneider [Fri, 23 Nov 2012 13:38:14 +0000 (14:38 +0100)]
smbget: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago util: Use new samba_getpass() function for passwd util.
Andreas Schneider [Fri, 23 Nov 2012 13:34:39 +0000 (14:34 +0100)]
util: Use new samba_getpass() function for passwd util.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago ntlm_auth: Use new samba_getpass() function.
Andreas Schneider [Fri, 23 Nov 2012 13:29:38 +0000 (14:29 +0100)]
ntlm_auth: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago net: Use samba_getpass() function in net util.
Andreas Schneider [Fri, 23 Nov 2012 12:17:13 +0000 (13:17 +0100)]
net: Use samba_getpass() function in net util.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago net: Use new samba_getpass() function for 'net rpc'.
Andreas Schneider [Fri, 23 Nov 2012 14:05:51 +0000 (15:05 +0100)]
net: Use new samba_getpass() function for 'net rpc'.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago net: Use new samba_getpass() function for 'net ads'.
Andreas Schneider [Thu, 22 Nov 2012 14:51:33 +0000 (15:51 +0100)]
net: Use new samba_getpass() function for 'net ads'.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago torture: Use new samba_getpass() in masktest.
Andreas Schneider [Thu, 22 Nov 2012 14:46:20 +0000 (15:46 +0100)]
torture: Use new samba_getpass() in masktest.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago torture: Use new samba_getpass() in smbtorture3.
Andreas Schneider [Thu, 22 Nov 2012 14:46:06 +0000 (15:46 +0100)]
torture: Use new samba_getpass() in smbtorture3.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago torture: Use new samba_getpass() in locktest2.
Andreas Schneider [Thu, 22 Nov 2012 14:39:34 +0000 (15:39 +0100)]
torture: Use new samba_getpass() in locktest2.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago util: Use new samba_getpass() function.
Andreas Schneider [Thu, 22 Nov 2012 14:34:06 +0000 (15:34 +0100)]
util: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago smbclient: Use new samba_getpass() function.
Andreas Schneider [Thu, 22 Nov 2012 14:33:52 +0000 (15:33 +0100)]
smbclient: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago wbinfo: Use new samba_getpass() function.
Andreas Schneider [Thu, 22 Nov 2012 14:33:10 +0000 (15:33 +0100)]
wbinfo: Use new samba_getpass() function.

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago util: Add a UNIX platform independent samba_getpass().
Andreas Schneider [Thu, 22 Nov 2012 14:22:40 +0000 (15:22 +0100)]
util: Add a UNIX platform independent samba_getpass().

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
6 years ago docs: Fix typo in the howto collection.
Karolin Seeger [Mon, 3 Dec 2012 08:08:47 +0000 (09:08 +0100)]
docs: Fix typo in the howto collection.

Thanks to Hermann Gausterer <git-samba-2012@mrq1.org> for reporting!

Karolin

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec  3 12:36:14 CET 2012 on sn-devel-104

6 years ago s3:selftest: extend sids2xids test script to cope with "ID_TYPE_BOTH mappings
Michael Adam [Mon, 3 Dec 2012 01:25:40 +0000 (02:25 +0100)]
s3:selftest: extend sids2xids test script to cope with "ID_TYPE_BOTH mappings

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Dec  3 10:47:17 CET 2012 on sn-devel-104

6 years ago s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
Michael Adam [Mon, 3 Dec 2012 07:34:43 +0000 (08:34 +0100)]
s3:passdb: don't look into group mappings in legacy_sid_to_unixid()

The backends (tdbsam and ldapsam) do this.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
Michael Adam [Mon, 3 Dec 2012 00:44:49 +0000 (01:44 +0100)]
s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
Michael Adam [Mon, 3 Dec 2012 00:42:38 +0000 (01:42 +0100)]
s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()

instead of sid_check_sid_is_in_our_sam). This allows for builtin sids,
wellknown sids and "Unix User" and "Unix Group" domains.

This broadens up the check moved here in commit
02e25b2a43ae02205a3412f862a1482d24b70aa4.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:passdb: add sid_check_object_is_for_passdb()
Michael Adam [Mon, 3 Dec 2012 00:40:37 +0000 (01:40 +0100)]
s3:passdb: add sid_check_object_is_for_passdb()

Variant of sid_check_is_for_passdb() that only checks for objects
in the various domains, not for the domain sids themselves.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
Michael Adam [Mon, 3 Dec 2012 00:34:32 +0000 (01:34 +0100)]
s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()

The special treatment of the "Unix User" and "Unix Group" pseudo domains
can be reused.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
Michael Adam [Thu, 22 Nov 2012 22:12:19 +0000 (23:12 +0100)]
s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam

This code treats the own sam, builtin, wellknown, and sids from the
"Unix User" and "Unix Group" pseudo-domains.

This reverts part of commit 02e25b2a43ae02205a3412f862a1482d24b70aa4.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()
Michael Adam [Fri, 30 Nov 2012 15:27:59 +0000 (16:27 +0100)]
s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()

This is more correct than the original one:
It also hands the wellknown and "Unix Users" and "Unix Groups" sids to passdb
for id mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago build the new sid_check_is_for_passdb() function into passdb
Michael Adam [Fri, 30 Nov 2012 15:26:28 +0000 (16:26 +0100)]
build the new sid_check_is_for_passdb() function into passdb

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:lib: add utility function sid_check_is_for_passdb()
Michael Adam [Fri, 30 Nov 2012 11:27:00 +0000 (12:27 +0100)]
s3:lib: add utility function sid_check_is_for_passdb()

This function checks whether the given sid should be treated
by passdb (e.g. for id mapping).

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove unused function idmap_backends_sid_to_unixid()
Michael Adam [Fri, 30 Nov 2012 14:27:15 +0000 (15:27 +0100)]
s3:winbindd: remove unused function idmap_backends_sid_to_unixid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with...
Michael Adam [Tue, 27 Nov 2012 11:08:33 +0000 (12:08 +0100)]
s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with empty cache

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh
Michael Adam [Tue, 27 Nov 2012 21:43:04 +0000 (22:43 +0100)]
s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
Michael Adam [Mon, 15 Oct 2012 14:34:02 +0000 (16:34 +0200)]
s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping

This is to remove problems with the same unix-id being used both
as a uid and a gid.

The autorid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.

This patch lets the autorid backend always create sid->id mappings of type both.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
Michael Adam [Mon, 15 Oct 2012 14:32:25 +0000 (16:32 +0200)]
s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping

This is to remove problems with the same unix-id being used both
as a uid and a gid.

The rid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.

This patch lets the rid backend always create sid->id mappings of type both.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove unused idmap_sid_to_gid()
Michael Adam [Fri, 23 Nov 2012 16:53:39 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_gid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove unused idmap_sid_to_uid()
Michael Adam [Fri, 23 Nov 2012 16:53:04 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_uid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove unused server implementation of wbint_Sid2Gid()
Michael Adam [Fri, 23 Nov 2012 16:50:50 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Gid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove unused server implementation of wbint_Sid2Uid()
Michael Adam [Fri, 23 Nov 2012 16:50:11 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Uid()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove wbint_Sid2Gid from the wbint.idl
Michael Adam [Fri, 23 Nov 2012 16:49:09 +0000 (17:49 +0100)]
s3:winbindd: remove wbint_Sid2Gid from the wbint.idl

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl
Michael Adam [Fri, 23 Nov 2012 16:48:36 +0000 (17:48 +0100)]
s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules
Michael Adam [Fri, 23 Nov 2012 16:05:01 +0000 (17:05 +0100)]
s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid
Michael Adam [Fri, 23 Nov 2012 15:54:36 +0000 (16:54 +0100)]
s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid
Michael Adam [Fri, 23 Nov 2012 15:44:41 +0000 (16:44 +0100)]
s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id
Michael Adam [Fri, 23 Nov 2012 15:40:48 +0000 (16:40 +0100)]
s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id

We can optimize this later and just do one wb_sids2xids_send/recv call.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd
Michael Adam [Fri, 23 Nov 2012 00:35:30 +0000 (01:35 +0100)]
selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd

Note that in order to create a local group (alias), the id-allocator of
id-mapping is needed, so this can only work if winbindd is running.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago selftest:Samba3: add "wbinfo -p" test to wait_for_start()
Michael Adam [Thu, 22 Nov 2012 23:18:44 +0000 (00:18 +0100)]
selftest:Samba3: add "wbinfo -p" test to wait_for_start()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()
Michael Adam [Thu, 22 Nov 2012 23:09:43 +0000 (00:09 +0100)]
selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()

to make checks conditional

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago selftest:Samba3: call wait_for_start() from check_or_start()
Michael Adam [Thu, 22 Nov 2012 23:02:33 +0000 (00:02 +0100)]
selftest:Samba3: call wait_for_start() from check_or_start()

...instead of calling the two one after another each time.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: make idmap_find_domain() static.
Michael Adam [Tue, 27 Nov 2012 00:11:16 +0000 (01:11 +0100)]
s3:winbindd: make idmap_find_domain() static.

idmap_find_domain_with_sid() should be used instead

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()
Michael Adam [Sun, 25 Nov 2012 01:13:15 +0000 (02:13 +0100)]
s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()

This is the way the singular calls work and how they should (currently) work.
The two code paths need to give the same results. It is important to use
the passdb backend, otherwise groups don't work.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: add idmap_find_domain_with_sid()
Michael Adam [Thu, 22 Nov 2012 17:16:31 +0000 (18:16 +0100)]
s3:winbindd: add idmap_find_domain_with_sid()

This will return the passdb domain if the given sid is in our sam or builtin
or is the domain sid of those domains. Otherwise it returns the idmap domain
that results from the idmap configuration.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()
Michael Adam [Thu, 22 Nov 2012 15:21:53 +0000 (16:21 +0100)]
s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago selftest:Samba3: provision the domain administrators group in the s3 environments
Michael Adam [Tue, 20 Nov 2012 15:48:23 +0000 (16:48 +0100)]
selftest:Samba3: provision the domain administrators group in the s3 environments

I discovered that this sid / mapping is missing by working with the Sids2Uids
code and test. I do even wonder why this test could succeed prior to my pending
changes to the winbindd sids-to-xids code, for example against the s3:local
environment, since the test tries to map the sid <domsid>-512.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
Michael Adam [Sun, 18 Nov 2012 12:51:13 +0000 (13:51 +0100)]
s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child

This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Michael Adam [Sun, 18 Nov 2012 18:58:07 +0000 (19:58 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Michael Adam [Sun, 18 Nov 2012 18:29:37 +0000 (19:29 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid
Michael Adam [Sat, 17 Nov 2012 12:10:26 +0000 (13:10 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid

The main purpose of the change is to hand the sid into the
idmap backend and handle responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.

Hence backends like rid who are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type GID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
Michael Adam [Sat, 17 Nov 2012 12:04:41 +0000 (13:04 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid

The main purpose of the change is to hand the sid into the
idmap backend and handle responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.

Hence backends like rid who are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: factor winbindd_sids_to_xids into external and internal part
Michael Adam [Sat, 17 Nov 2012 01:30:07 +0000 (02:30 +0100)]
s3:winbindd: factor winbindd_sids_to_xids into external and internal part

- external part takes winbindd request/response structs (with sid strings)
- internal part takes sid lists

The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.

The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
Michael Adam [Fri, 16 Nov 2012 16:49:25 +0000 (17:49 +0100)]
s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
Michael Adam [Fri, 9 Nov 2012 15:09:59 +0000 (16:09 +0100)]
s3:winbindd: add explaining comment winbindd_sids_to_xids_send()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_...
Michael Adam [Fri, 9 Nov 2012 13:09:10 +0000 (14:09 +0100)]
s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()

for readability

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
Michael Adam [Fri, 9 Nov 2012 12:54:20 +0000 (13:54 +0100)]
s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:winbindd:util: add a comment explaining the function parse_sidlist()
Michael Adam [Fri, 9 Nov 2012 10:32:47 +0000 (11:32 +0100)]
s3:winbindd:util: add a comment explaining the function parse_sidlist()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
Stefan Metzmacher [Thu, 29 Nov 2012 08:57:44 +0000 (09:57 +0100)]
s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()

This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:python/ntacl: allow string or objects for sd/sid in setntacl()
Stefan Metzmacher [Thu, 29 Nov 2012 08:28:23 +0000 (09:28 +0100)]
s4:python/ntacl: allow string or objects for sd/sid in setntacl()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:samba-tool/gpo: fix the operation order when creating gpos
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: fix the operation order when creating gpos

We should do it like the windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use the dns_domain from the server when creating gpos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:libcli/finddcs_cldap: allow io->in.server_address as hostname
Stefan Metzmacher [Sat, 1 Dec 2012 08:14:19 +0000 (09:14 +0100)]
s4:libcli/finddcs_cldap: allow io->in.server_address as hostname

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:libcli/finddcs_cldap: try all NBT#1C addresses
Stefan Metzmacher [Sat, 1 Dec 2012 07:56:57 +0000 (08:56 +0100)]
s4:libcli/finddcs_cldap: try all NBT#1C addresses

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:smbcacls: add --query-security-info and --set-security-info options
Stefan Metzmacher [Fri, 30 Nov 2012 13:36:07 +0000 (14:36 +0100)]
s3:smbcacls: add --query-security-info and --set-security-info options

This allows the caller to specify the security_information flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags
Stefan Metzmacher [Fri, 30 Nov 2012 12:52:53 +0000 (13:52 +0100)]
s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags

In order to set and get security_descriptors it's important to specify
the sec_info flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago libcli/security: remove duplicate aces in se_create_child_secdesc()
Stefan Metzmacher [Thu, 29 Nov 2012 11:33:22 +0000 (12:33 +0100)]
libcli/security: remove duplicate aces in se_create_child_secdesc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group
Stefan Metzmacher [Fri, 30 Nov 2012 12:33:59 +0000 (13:33 +0100)]
s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid
Stefan Metzmacher [Fri, 30 Nov 2012 12:32:04 +0000 (13:32 +0100)]
s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
Stefan Metzmacher [Thu, 29 Nov 2012 09:00:03 +0000 (10:00 +0100)]
s3:smbd/open: use Builtin_Administrators as owner of files (if possible)

We do this if the idmap layer resolves Builtin_Administrators
as ID_TYPE_BOTH and if the current token has the
Builtin_Administrators SID or it's SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
Stefan Metzmacher [Sat, 1 Dec 2012 14:10:38 +0000 (15:10 +0100)]
s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags

A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out elements which will be ignored depending on
the sd_flags and may set the old owner/group sids. Otherwise
the calculation of the DACL/SACL can replace CREATOR_OWNER with
the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/tests: add SdAutoInheritTests
Stefan Metzmacher [Fri, 16 Nov 2012 11:51:44 +0000 (12:51 +0100)]
s4:dsdb/tests: add SdAutoInheritTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104

6 years ago s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated...
Stefan Metzmacher [Fri, 23 Nov 2012 16:10:38 +0000 (17:10 +0100)]
s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes

We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()
Stefan Metzmacher [Fri, 23 Nov 2012 15:46:51 +0000 (16:46 +0100)]
s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Fri, 23 Nov 2012 14:55:24 +0000 (15:55 +0100)]
s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
6 years ago s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>