[SCM] Samba Shared Repository - branch master updated - f84093df863eb00238a6be1caba59d926f18e7a5

Andrew Tridgell tridge at samba.org
Tue Sep 30 20:02:38 GMT 2008


The branch, master has been updated
       via  f84093df863eb00238a6be1caba59d926f18e7a5 (commit)
       via  ef6fc37add1fd9164eb143c953fde0d5a9fc584a (commit)
       via  dab5d4abbce7fc54427e5eb130e36860ffa74685 (commit)
       via  be050125b60028ab05dfd685291d2163c2e5903a (commit)
       via  4f07894c29996eb3e30fc79287d224ec2dbd80ee (commit)
       via  717b36c672441f8cd86bf550ab0fabc52a3a3821 (commit)
       via  d87e9ba56b00962be6b797464e77619bc6f0ba2c (commit)
       via  8104968004a3a7fcfe4febb9918ecbf37ba948ac (commit)
       via  c951a881da60b51e06a5182c5ad9fb32482b0ab5 (commit)
       via  28482efa5ceebdea821b9368a2761e93ee2fff59 (commit)
       via  40fa4c4154aa572f39fddf16b2fefbe370910360 (commit)
       via  385015f8f2ea44e8f846e72c7bc74d4c489ae49e (commit)
       via  750a848d0dbae8ea66a9f265294d7f95556c0c27 (commit)
       via  a270ddb6e3d5bd5b72558809877d27c3c344797d (commit)
      from  687ce0b60a3913b0f2eca2365a5ab56e78523ab5 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f84093df863eb00238a6be1caba59d926f18e7a5
Merge: ef6fc37add1fd9164eb143c953fde0d5a9fc584a 687ce0b60a3913b0f2eca2365a5ab56e78523ab5
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 13:02:09 2008 -0700

    Merge branch 'master' of ssh://git.samba.org/data/git/samba

commit ef6fc37add1fd9164eb143c953fde0d5a9fc584a
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 08:44:31 2008 -0700

    check call status not rpc fault code when calling to different levels
    of calls

commit dab5d4abbce7fc54427e5eb130e36860ffa74685
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 08:44:06 2008 -0700

    cope with NULL attr

commit be050125b60028ab05dfd685291d2163c2e5903a
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 08:42:12 2008 -0700

    - make bcast name resolution match other name resolution modules for
      host not found errors
    
    - when we have no resolve context return NT_STATUS_OBJECT_NAME_NOT_FOUND

commit 4f07894c29996eb3e30fc79287d224ec2dbd80ee
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 07:17:02 2008 -0700

    The author of the upstream code asked for this code to be GPLv2+ not GPLv3

commit 717b36c672441f8cd86bf550ab0fabc52a3a3821
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 30 07:14:31 2008 -0700

    merged a bugfix for the idtree code from the Linux kernel. This
    matches commit 7aae6dd80e265aa9402ed507caaff4a5dba55069 in the kernel.
    
    Many thanks to Jim Houston for pointing out this fix to us

commit d87e9ba56b00962be6b797464e77619bc6f0ba2c
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 21:59:50 2008 -0700

    setup the loadparm context for ldb in testjoin

commit 8104968004a3a7fcfe4febb9918ecbf37ba948ac
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 21:59:04 2008 -0700

    return a more useful error message when no name resolution methods are
    available

commit c951a881da60b51e06a5182c5ad9fb32482b0ab5
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 16:51:21 2008 -0700

    added new level for lsalookupnames2

commit 28482efa5ceebdea821b9368a2761e93ee2fff59
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 16:51:05 2008 -0700

    WSPP docs say we need to check that root_dir is NULL

commit 40fa4c4154aa572f39fddf16b2fefbe370910360
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 16:50:46 2008 -0700

    we need to return NT_STATUS_INVALID_PARAMETER for bad levels in
    lsalookupnames2

commit 385015f8f2ea44e8f846e72c7bc74d4c489ae49e
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 16:10:54 2008 -0700

    unmapped SIDs should be rid 0 not rid -1

commit 750a848d0dbae8ea66a9f265294d7f95556c0c27
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 16:01:07 2008 -0700

    added some more well known SIDs - thanks to the WSPP LSAT test suite

commit a270ddb6e3d5bd5b72558809877d27c3c344797d
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 29 14:04:48 2008 -0700

    make the schannel credentials persistent
    
    this makes testing with the WSPP test suite much easier over samba
    restarts

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/schannel_state.c |    2 +-
 source4/lib/util/idtree.c            |   16 ++++++++-
 source4/libcli/resolve/bcast.c       |    8 ++++-
 source4/libcli/resolve/resolve.c     |    4 ++
 source4/librpc/idl/lsa.idl           |    3 +-
 source4/librpc/idl/security.idl      |    6 +++
 source4/rpc_server/lsa/lsa_init.c    |    8 ++++
 source4/rpc_server/lsa/lsa_lookup.c  |   61 ++++++++++++++++++++++++++++++---
 source4/setup/provision_users.ldif   |   60 +++++++++++++++++++++++++++++++++
 source4/torture/rpc/testjoin.c       |    1 +
 10 files changed, 158 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index 0388b3c..64c21d0 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -44,7 +44,7 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_contex
 		"computerName: CASE_INSENSITIVE\n" \
 		"flatname: CASE_INSENSITIVE\n";
 
-	path = smbd_tmp_path(mem_ctx, lp_ctx, "schannel.ldb");
+	path = private_path(mem_ctx, lp_ctx, "schannel.ldb");
 	if (!path) {
 		return NULL;
 	}
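Review bot: switching from smbd_tmp_path() to private_path() changes both where schannel.ldb is stored and how long it lives, and since that file holds the schannel session credentials the hunk should say so: a comment above the call noting that the database now persists across restarts and relies on the private directory's permissions to stay readable only by the server would help, and the commit message should mention that an existing schannel.ldb in the old tmp location is abandoned rather than migrated.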
diff --git a/source4/lib/util/idtree.c b/source4/lib/util/idtree.c
index 1e2cc29..1939229 100644
--- a/source4/lib/util/idtree.c
+++ b/source4/lib/util/idtree.c
@@ -12,7 +12,7 @@
     
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
+   the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -105,12 +105,13 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
 	int n, m, sh;
 	struct idr_layer *p, *new;
 	struct idr_layer *pa[MAX_LEVEL];
-	int l, id;
+	int l, id, oid;
 	uint32_t bm;
 
 	memset(pa, 0, sizeof(pa));
 
 	id = *starting_id;
+restart:
 	p = idp->top;
 	l = idp->layers;
 	pa[l--] = NULL;
@@ -124,12 +125,23 @@ static int sub_alloc(struct idr_context *idp, void *ptr, int *starting_id)
 		if (m == IDR_SIZE) {
 			/* no space available go back to previous layer. */
 			l++;
+			oid = id;
 			id = (id | ((1 << (IDR_BITS*l))-1)) + 1;
+
+			/* if already at the top layer, we need to grow */
 			if (!(p = pa[l])) {
 				*starting_id = id;
 				return -2;
 			}
+
+			/* If we need to go up one layer, continue the
+			 * loop; otherwise, restart from the top.
+			 */
+			sh = IDR_BITS * (l + 1);
+			if (oid >> sh == id >> sh)
 			continue;
+			else
+				goto restart;
 		}
 		if (m != n) {
 			sh = IDR_BITS*l;
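Review bot: the `continue;` at the end of the hunk keeps its old indentation while the new `if (oid >> sh == id >> sh)` and `else goto restart;` wrap it, so the control flow reads as if `continue` were unconditional; put both branches at the same depth with braces:
	if ((oid >> sh) == (id >> sh)) {
		continue;
	}
	goto restart;
The explicit parentheses also make the precedence of `>>` against `==` obvious to a reader who does not remember it.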
diff --git a/source4/libcli/resolve/bcast.c b/source4/libcli/resolve/bcast.c
index 2e2eb05..ca78a2c 100644
--- a/source4/libcli/resolve/bcast.c
+++ b/source4/libcli/resolve/bcast.c
@@ -75,7 +75,13 @@ struct composite_context *resolve_name_bcast_send(TALLOC_CTX *mem_ctx,
 NTSTATUS resolve_name_bcast_recv(struct composite_context *c, 
 				 TALLOC_CTX *mem_ctx, const char **reply_addr)
 {
-	return resolve_name_nbtlist_recv(c, mem_ctx, reply_addr);
+	NTSTATUS status = resolve_name_nbtlist_recv(c, mem_ctx, reply_addr);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+		/* this makes much more sense for a bcast name resolution
+		   timeout */
+		status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+	return status;
 }
 
 /*
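Review bot: remapping NT_STATUS_IO_TIMEOUT to NT_STATUS_OBJECT_NAME_NOT_FOUND in resolve_name_bcast_recv() loses the distinction between "nobody answered the broadcast" and a definite negative reply, so a caller can no longer tell an unreachable network from an absent name; if that is the price of matching the other resolvers, as the commit message says, a DEBUG line at the remap recording the original status keeps the information available for troubleshooting, and the comment should name which modules' behaviour this is matching.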
diff --git a/source4/libcli/resolve/resolve.c b/source4/libcli/resolve/resolve.c
index d89b50e..dbc4a2e 100644
--- a/source4/libcli/resolve/resolve.c
+++ b/source4/libcli/resolve/resolve.c
@@ -165,6 +165,10 @@ struct composite_context *resolve_name_send(struct resolve_context *ctx,
 	}
 
 	state->method = ctx->methods;
+	if (state->method == NULL) {
+		composite_error(c, NT_STATUS_BAD_NETWORK_NAME);
+		return c;
+	}
 	state->creq = setup_next_method(c);
 	if (composite_nomem(state->creq, c)) return c;
 	
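Review bot: the early return correctly avoids calling setup_next_method() with an empty method list, but NT_STATUS_BAD_NETWORK_NAME reports a local configuration problem (no name resolution methods configured) with a status callers normally read as "that server or share does not exist"; since the commit message's goal is a more useful error, add a DEBUG message at this point stating the actual cause, and say in the commit message why BAD_NETWORK_NAME was preferred over NT_STATUS_OBJECT_NAME_NOT_FOUND, which the resolvers themselves return.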
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 9a6e4a2..eed713f 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -387,7 +387,8 @@ import "misc.idl", "security.idl";
 		LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY = 3,
 		LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY = 4,
 		LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY = 5,
-		LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 = 6
+		LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 = 6,
+		LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC = 7
 	} lsa_LookupNamesLevel;
 
 	[public] NTSTATUS lsa_LookupNames (
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
index 80efe46..ac7641c 100644
--- a/source4/librpc/idl/security.idl
+++ b/source4/librpc/idl/security.idl
@@ -153,6 +153,7 @@ interface security
 	const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
 	const string SID_CREATOR_OWNER        = "S-1-3-0";
 	const string SID_CREATOR_GROUP        = "S-1-3-1";
+	const string SID_OWNER_RIGHTS         = "S-1-3-4";
 
 	/* SECURITY_NT_AUTHORITY */
 	const string NAME_NT_AUTHORITY            = "NT AUTHORITY";
@@ -172,9 +173,14 @@ interface security
 	const string SID_NT_TERMINAL_SERVER_USERS = "S-1-5-13";
 	const string SID_NT_REMOTE_INTERACTIVE    = "S-1-5-14";
 	const string SID_NT_THIS_ORGANISATION     = "S-1-5-15";
+	const string SID_NT_IUSR                  = "S-1-5-17";
 	const string SID_NT_SYSTEM                = "S-1-5-18";
 	const string SID_NT_LOCAL_SERVICE         = "S-1-5-19";
 	const string SID_NT_NETWORK_SERVICE       = "S-1-5-20";
+	const string SID_NT_DIGEST_AUTHENTICATION = "S-1-5-64-21";
+	const string SID_NT_NTLM_AUTHENTICATION   = "S-1-5-64-10";
+	const string SID_NT_SCHANNEL_AUTHENTICATION = "S-1-5-64-14";
+	const string SID_NT_OTHER_ORGANISATION    = "S-1-5-1000";
 
 	/* SECURITY_BUILTIN_DOMAIN_RID */
 	const string NAME_BUILTIN                  = "BUILTIN";
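Review bot: the three S-1-5-64-* authentication-package SIDs are inserted out of numeric order (64-21 before 64-10 and 64-14) in a list that is otherwise ascending; reorder them 64-10, 64-14, 64-21 so the list stays scannable, and align the `=` for SID_NT_SCHANNEL_AUTHENTICATION with the neighbouring constants, whose column it currently overruns.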
diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c
index e5e31c7..8d84171 100644
--- a/source4/rpc_server/lsa/lsa_init.c
+++ b/source4/rpc_server/lsa/lsa_init.c
@@ -199,6 +199,12 @@ NTSTATUS dcesrv_lsa_OpenPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 
 	ZERO_STRUCTP(r->out.handle);
 
+	if (r->in.attr != NULL &&
+	    r->in.attr->root_dir != NULL) {
+		/* MS-LSAD 3.1.4.4.1 */
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -211,6 +217,8 @@ NTSTATUS dcesrv_lsa_OpenPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 
 	handle->data = talloc_steal(handle, state);
 
+	/* need to check the access mask against - need ACLs - fails
+	   WSPP test */
 	state->access_mask = r->in.access_mask;
 	state->handle = handle;
 	*r->out.handle = handle->wire_handle;
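Review bot: the added comment records that state->access_mask is taken from r->in.access_mask without being checked against any ACL, which means any caller able to open the policy handle is granted whatever access mask it requests; that is a known gap rather than a description of what the code does, so word it as an explicit TODO ("TODO: check r->in.access_mask against the policy ACL; currently granted unconditionally, which fails the WSPP test") so it is greppable and not mistaken for a completed check.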
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 30bceb8..a71bd57 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -44,6 +44,11 @@ static const struct {
 		.rtype = SID_NAME_WKN_GRP,
 	},
 	{
+		.name = "Owner Rights",
+		.sid = SID_OWNER_RIGHTS,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
 		.domain = "NT AUTHORITY",
 		.name = "Dialup",
 		.sid = SID_NT_DIALUP,
@@ -111,7 +116,7 @@ static const struct {
 	},
 	{
 		.domain = "NT AUTHORITY",
-		.name = "Termainal Server User",
+		.name = "Terminal Server User",
 		.sid = SID_NT_TERMINAL_SERVER_USERS,
 		.rtype = SID_NAME_WKN_GRP,
 	},
@@ -146,6 +151,42 @@ static const struct {
 		.rtype = SID_NAME_WKN_GRP,
 	},
 	{
+		.domain = "NT AUTHORITY",
+		.name = "Digest Authentication",
+		.sid = SID_NT_DIGEST_AUTHENTICATION,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
+		.domain = "NT AUTHORITY",
+		.name = "Enterprise Domain Controllers",
+		.sid = SID_NT_ENTERPRISE_DCS,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
+		.domain = "NT AUTHORITY",
+		.name = "NTLM Authentication",
+		.sid = SID_NT_NTLM_AUTHENTICATION,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
+		.domain = "NT AUTHORITY",
+		.name = "Other Organization",
+		.sid = SID_NT_OTHER_ORGANISATION,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
+		.domain = "NT AUTHORITY",
+		.name = "SChannel Authentication",
+		.sid = SID_NT_SCHANNEL_AUTHENTICATION,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
+		.domain = "NT AUTHORITY",
+		.name = "IUSR",
+		.sid = SID_NT_IUSR,
+		.rtype = SID_NAME_WKN_GRP,
+	},
+	{
 		.sid = NULL,
 	}
 };
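Review bot: the new "Enterprise Domain Controllers" entry uses SID_NT_ENTERPRISE_DCS, which is not among the constants added to security.idl in this changeset and so must already exist; check that the well-known table did not already carry an entry for that SID higher up (the added block sits at the end, past what this excerpt shows), because a duplicate would make name-to-SID results depend on table order. A comment stating that the display strings follow the Windows names ("Other Organization" against SID_NT_OTHER_ORGANISATION) would also stop someone "correcting" the spelling later.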
@@ -608,7 +649,7 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 	r2.out.names   = r->out.names;
 
 	status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
-	if (dce_call->fault_code != 0) {
+	if (NT_STATUS_IS_ERR(status)) {
 		return status;
 	}
 
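Review bot: replacing the `dce_call->fault_code` test with NT_STATUS_IS_ERR(status) rather than !NT_STATUS_IS_OK(status) is a meaningful choice, because it lets warning-class statuses (such as a partial-mapping result) fall through to the wrapper's copying of results while only error-class statuses return early; the same pattern is repeated in LookupSids, LookupNames4 and LookupNames below, so a one-line comment at this first instance ("IS_ERR, not !IS_OK: non-error statuses still carry results") would keep a later cleanup from tightening it.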
@@ -641,7 +682,7 @@ NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
 	r2.out.names   = NULL;
 
 	status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
-	if (dce_call->fault_code != 0) {
+	if (NT_STATUS_IS_ERR(status)) {
 		return status;
 	}
 
@@ -795,7 +836,7 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	r2.out.count = r->out.count;
 	
 	status = dcesrv_lsa_LookupNames3(dce_call, mem_ctx, &r2);
-	if (dce_call->fault_code != 0) {
+	if (NT_STATUS_IS_ERR(status)) {
 		return status;
 	}
 	
@@ -821,6 +862,11 @@ NTSTATUS dcesrv_lsa_LookupNames2(struct dcesrv_call_state *dce_call,
 
 	DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
 
+	if (r->in.level < LSA_LOOKUP_NAMES_ALL ||
+	    r->in.level > LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	state = h->data;
 
 	r->out.domains = talloc_zero(mem_ctx,  struct lsa_RefDomainList);
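Review bot: the range check hard-codes LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC as the upper bound, so the next value added to lsa_LookupNamesLevel in lsa.idl will be rejected with NT_STATUS_INVALID_PARAMETER until someone remembers this line; either add a comment here pointing at the enum, or validate the level with a switch over the supported values so the compiler flags the omission.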
@@ -851,7 +897,10 @@ NTSTATUS dcesrv_lsa_LookupNames2(struct dcesrv_call_state *dce_call,
 		r->out.sids->count++;
 
 		r->out.sids->sids[i].sid_type    = SID_NAME_UNKNOWN;
-		r->out.sids->sids[i].rid         = 0xFFFFFFFF;
+		/* MS-LSAT 3.1.4.7 - rid zero is considered equivalent
+		   to sid NULL - so we should return 0 rid for
+		   unmapped entries */
+		r->out.sids->sids[i].rid         = 0;
 		r->out.sids->sids[i].sid_index   = 0xFFFFFFFF;
 		r->out.sids->sids[i].unknown     = 0;
 
@@ -906,7 +955,7 @@ NTSTATUS dcesrv_lsa_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 	r2.out.count    = r->out.count;
 
 	status = dcesrv_lsa_LookupNames2(dce_call, mem_ctx, &r2);
-	if (dce_call->fault_code != 0) {
+	if (NT_STATUS_IS_ERR(status)) {
 		return status;
 	}
 
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 854c42d..c61cb80 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -137,6 +137,66 @@ sAMAccountName: RAS and IAS Servers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
+dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Read-Only Domain Controllers
+description: read-only domain controllers
+objectSid: ${DOMAINSID}-521
+sAMAccountName: Read-Only Domain Controllers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Read-Only Domain Controllers
+description: enterprise read-only domain controllers
+objectSid: ${DOMAINSID}-498
+sAMAccountName: Enterprise Read-Only Domain Controllers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Certificate Service DCOM Access
+description: Certificate Service DCOM Access
+objectSid: ${DOMAINSID}-574
+sAMAccountName: Certificate Service DCOM Access
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Cryptographic Operators
+description: Cryptographic Operators
+objectSid: ${DOMAINSID}-569
+sAMAccountName: Cryptographic Operators
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Event Log Readers
+description: Event Log Readers
+objectSid: ${DOMAINSID}-573
+sAMAccountName: Event Log Readers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=IIS_IUSRS,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: IIS_IUSRS
+description: IIS_IUSRS
+objectSid: ${DOMAINSID}-568
+sAMAccountName: IIS_IUSRS
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
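Review bot: Certificate Service DCOM Access (574), Cryptographic Operators (569), Event Log Readers (573) and IIS_IUSRS (568) are BUILTIN groups on Windows (S-1-5-32-5xx), yet the hunk creates them under CN=Users,${DOMAINDN} with objectSid ${DOMAINSID}-<rid>, so they will be provisioned as domain groups whose SIDs match neither what clients nor the WSPP tests expect; move those four next to the CN=Administrators,CN=Builtin entry that follows and give them the same SID prefix and groupType that entry uses. For Read-Only Domain Controllers (521) and Enterprise Read-Only Domain Controllers (498) the ${DOMAINSID} prefix is right, but groupType -2147483644 (domain local) should be checked against Windows, where Domain Controllers is a global group and the enterprise RODC group is universal.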
diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c
index 21542e9..3408a19 100644
--- a/source4/torture/rpc/testjoin.c
+++ b/source4/torture/rpc/testjoin.c
@@ -472,6 +472,7 @@ static NTSTATUS torture_leave_ads_domain(struct torture_context *torture,
 	}
 
 	ldb_set_opaque(ldb_ctx, "credentials", cmdline_credentials);
+	ldb_set_opaque(ldb_ctx, "loadparm", cmdline_lp_ctx);
 
 	rtn = ldb_connect(ldb_ctx, remote_ldb_url, 0, NULL);
 	if (rtn != 0) {


-- 
Samba Shared Repository
