[SCM] Samba Shared Repository - branch v3-5-stable updated

Karolin Seeger kseeger at samba.org
Tue Dec 29 03:46:25 MST 2009


The branch, v3-5-stable has been updated
       via  ea7c356... WHATSNEW: Update changes.
       via  3b0deeb... s3: Check for lp_winbind_trusted_domains_only in wb_gettoken()
       via  208a83b... s3: Move a lp_winbind_trusted_domains_only() check to wb_getgrsid()
       via  e0d2d1c... s3: Pass netr_DomainTrustList instead of names and sids through (*trusted_domains) (cherry picked from commit a4def0bfd88fb9c951f87834e07791e07a966727)
       via  c0625dc... s3: Simplify winbindd_ads.c:trusted_domains()
       via  633a95b... s3: Remove some unused code
       via  411c265... s3: Simplify winbindd_list_trusted_domains() slightly (cherry picked from commit a85067e00013254caf358e05ccba5fae7e875c49)
       via  9b37950... s3: Simplify "setup_domain_child" slightly (cherry picked from commit f85a5f0508999b5c3c586353e0decd95178a5957)
       via  d53ad85... s3:winbind Make the normal client exit message a bit more understandable (cherry picked from commit 00b62c64f33a5fc2cd5170b31324fb0d2e1cdf7b)
       via  f10fe61... s3: Fix a typo found by Matthias Dieter Wallnöfer <mdw at samba.org> -- thanks :-) (cherry picked from commit f8e3fee3fe42e15fbfdbeeadd17f6ee1392687a5)
       via  1431e82... s3: Fix a bogus uninitialized variable warning (cherry picked from commit 2b0ffa2b9a5b95608102437d9be7ba2c4a18515d)
       via  7d66137... s3: Replace IS_DOMAIN_OFFLINE by a function (cherry picked from commit 826aaecc6bca06a8d978530859e2e985197811a5)
       via  6363ce7... s3: Fix some nonempty blank lines (cherry picked from commit b4dd801f457e142f5a412bf8af9edcfb3c0f86d4)
       via  615b72f... s3: winbindd_cli_state->getgrent_state is no longer used (cherry picked from commit 6b6b47c0baf014e8e97e49fd81668297682e3ac7)
       via  321f988... s3: getgrent_state has been replaced by grent_state (cherry picked from commit 48945cd1ebfa657ae96217200dd5a06dbe90729b)
       via  f7b5876... s3: Remove unused delete_negative_conn_cache() (cherry picked from commit 413f458984241b28e79e7ad127f6104c76374e71)
       via  71e19ec... s3: Remove unused flush_negative_conn_cache() (cherry picked from commit d40510055c835d13d6e6b5f6a6e76046d67d7692)
       via  1274009... s3: Remove some unnecessary variables from libsmb/conn_cache.c (cherry picked from commit e599a467b1bcb1f17e9e14bb04460031973d1d4e)
       via  d3015de... s3: Fix a comment in conn_cache.c (cherry picked from commit 1090d6745678cb21b234aa61ba7c373a786a217e)
       via  b1f00db... s3: Fix a 64-bit error (cherry picked from commit b1effa274513b2b22313e80140601fa444459e79)
       via  4f92f83... s3: Remove some pointless SMB_ASSERTs (cherry picked from commit 1eb6d313d358774d637471481cf4292554ec9453)
       via  0041781... s3: Remove some pointless casts (cherry picked from commit d3855f78be27b21d1d56bf9ceda3f2b7bbb52d73)
       via  b882490... Attempt to fix one of the last two bugs with the full Windows ACL support.
       via  88a4a62... The posix acl version of set_nt_acl() could set the stat_ex struct in the fsp->fsp_name pointer incorrectly for a directory.
       via  806ac45... doc: update mount.cifs man page with nounix option
       via  81557a4... s3: wbinfo --ping-dc is not cacheable (cherry picked from commit c8733d989981315b422857e7b4be9a2035914606)
       via  ab35ec5... s3: Remove some unused code (cherry picked from commit 1eb03d6090a80316925de996b0af72eb70f7dc44)
       via  a680b87... s3: Remove unused sendto_child() (cherry picked from commit 791b6d37a9e07d6f009a6fa9d575c4471ecb84a3)
      from  621ad11... WHATSNEW: Update changes.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -----------------------------------------------------------------
commit ea7c3567aa3963c7c35a7de0fd4b5c08c1d8cfec
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Dec 29 11:19:36 2009 +0100

    WHATSNEW: Update changes.
    
    Karolin
    (cherry picked from commit 86def5d9f2618cff4d22122e651988c9a608ba96)

commit 3b0deeb861a6025917e6b18badff619fa9361825
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 23:35:25 2009 +0100

    s3: Check for lp_winbind_trusted_domains_only in wb_gettoken()
    
    This avoids one walk of the domain list
    (cherry picked from commit 10ae5a1a20852a3ebd582eb051f92ee08f61c50f)

commit 208a83b859f7d08174a20a810e79ed2718d00797
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 23:14:43 2009 +0100

    s3: Move a lp_winbind_trusted_domains_only() check to wb_getgrsid()
    
    winbindd_getgrgid was not protected by this.
    (cherry picked from commit 7929e7854eaf69a5893fd5f63d97ff5dff864f31)

commit e0d2d1c58de4e7cde1b1d5725b7a65c675f816de
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 15:51:36 2009 +0100

    s3: Pass netr_DomainTrustList instead of names and sids through (*trusted_domains)
    (cherry picked from commit a4def0bfd88fb9c951f87834e07791e07a966727)

commit c0625dcc189957083c5bfc93b7848ec5db942998
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 15:27:42 2009 +0100

    s3: Simplify winbindd_ads.c:trusted_domains()
    
    No real code change, this just removes an indentation by turning
    
    if ( NT_STATUS_IS_OK(result) && trusts.count) {
    
    into
    
    if (!NT_STATUS_IS_OK(result)) {
            return result;
    }
    if (trusts.count == 0) {
            return NT_STATUS_OK;
    }
    (cherry picked from commit 46b29dc1f664d7a9b378ded90ce9562ade07ddfd)

commit 633a95b8127ba3d8b45acd5a3fd7e49aa9beda8a
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 14:56:58 2009 +0100

    s3: Remove some unused code
    
    Watch the #if 0 -- we never stored this in the cache anymore
    (cherry picked from commit f362be18f7cdc9634bbe5e8f306a380e1e0bc06f)

commit 411c265284ee1ea3e6877c879e73daa8d284b858
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 13:49:01 2009 +0100

    s3: Simplify winbindd_list_trusted_domains() slightly
    (cherry picked from commit a85067e00013254caf358e05ccba5fae7e875c49)

commit 9b37950ae3033b7792695f24af5c09a1e412db0d
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 28 10:57:01 2009 +0100

    s3: Simplify "setup_domain_child" slightly
    (cherry picked from commit f85a5f0508999b5c3c586353e0decd95178a5957)

commit d53ad85d9965a58d020b0ad4a76e47ffdc356e7c
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Dec 26 18:00:32 2009 +0100

    s3:winbind Make the normal client exit message a bit more understandable
    (cherry picked from commit 00b62c64f33a5fc2cd5170b31324fb0d2e1cdf7b)

commit f10fe61e486a109090625698df283680b9856872
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Dec 26 15:20:22 2009 +0100

    s3: Fix a typo found by Matthias Dieter Wallnöfer <mdw at samba.org> -- thanks :-)
    (cherry picked from commit f8e3fee3fe42e15fbfdbeeadd17f6ee1392687a5)

commit 1431e8229ef782a685a2b1f1816cf04db23cb5a3
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 12:56:09 2009 +0100

    s3: Fix a bogus uninitialized variable warning
    (cherry picked from commit 2b0ffa2b9a5b95608102437d9be7ba2c4a18515d)

commit 7d66137a752ed436e22ac4d18dd1c806e881c8b1
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 12:52:24 2009 +0100

    s3: Replace IS_DOMAIN_OFFLINE by a function
    (cherry picked from commit 826aaecc6bca06a8d978530859e2e985197811a5)

commit 6363ce777e06d32afeafcec7a8d7e6e14e7c08e7
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Dec 23 15:22:09 2009 +0100

    s3: Fix some nonempty blank lines
    (cherry picked from commit b4dd801f457e142f5a412bf8af9edcfb3c0f86d4)

commit 615b72f08905984d196905eb0d303c4cb17777e1
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 12:52:00 2009 +0100

    s3: winbindd_cli_state->getgrent_state is no longer used
    (cherry picked from commit 6b6b47c0baf014e8e97e49fd81668297682e3ac7)

commit 321f988fd6cfe5a01123b2a75463d5d34e650614
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 12:51:09 2009 +0100

    s3: getgrent_state has been replaced by grent_state
    (cherry picked from commit 48945cd1ebfa657ae96217200dd5a06dbe90729b)

commit f7b5876623fc9c75b61815be1d9a8005e9e5b996
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:51:50 2009 +0100

    s3: Remove unused delete_negative_conn_cache()
    (cherry picked from commit 413f458984241b28e79e7ad127f6104c76374e71)

commit 71e19ecad8a4476ee6f06329a9c4c7f42eef7973
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:50:39 2009 +0100

    s3: Remove unused flush_negative_conn_cache()
    (cherry picked from commit d40510055c835d13d6e6b5f6a6e76046d67d7692)

commit 12740099feca69c152c966f6a69580892502fd24
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:47:35 2009 +0100

    s3: Remove some unnecessary variables from libsmb/conn_cache.c
    (cherry picked from commit e599a467b1bcb1f17e9e14bb04460031973d1d4e)

commit d3015de4cb0134744efe8d442526897133217871
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:46:16 2009 +0100

    s3: Fix a comment in conn_cache.c
    (cherry picked from commit 1090d6745678cb21b234aa61ba7c373a786a217e)

commit b1f00db0a34032acbf06295fbfef35750f5d01ac
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:40:24 2009 +0100

    s3: Fix a 64-bit error
    (cherry picked from commit b1effa274513b2b22313e80140601fa444459e79)

commit 4f92f8396287f8d6e071f017b552551e9cdd7f94
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:36:00 2009 +0100

    s3: Remove some pointless SMB_ASSERTs
    (cherry picked from commit 1eb6d313d358774d637471481cf4292554ec9453)

commit 00417814fe8951bc2f7ae0193013444ef704be75
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 24 13:14:18 2009 +0100

    s3: Remove some pointless casts
    (cherry picked from commit d3855f78be27b21d1d56bf9ceda3f2b7bbb52d73)

commit b88249080a1d5df08d114cad408ab0575d88f04a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 23 17:19:22 2009 -0800

    Attempt to fix one of the last two bugs with the full Windows ACL support.
    
    When returning an underlying ACL on a directory, normally on a
    POSIX system it has no inheritable entries, which breaks the
    Windows ACL when a user does a get/set of a Windows ACL on a
    POSIX directory with no existing stored Windows ACL from
    the Windows ACL editor. What happens is any new entry added
    by the user gets set inheritable, but none of the other
    entries are (as returned by default). So any new files then
    only inherit the single new ACE entry (the one marked inheritable
    by the ACL editor).
    
    Fix this by faking up a default 3 element inheritable ACL that
    represents what a user creating a POSIX file or directory will
    get by default from the smbd code.
    
    Jeremy.
    (cherry picked from commit 6dcbb84d485b8a8ccf0c3a70d9f5f7e951aaf1c6)
    (cherry picked from commit c5fa822d59b55b8f62e3c619004e9fb2005879eb)

commit 88a4a62a3a1217e3da4de45f6ac9c9fdde61e01e
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 23 17:17:48 2009 -0800

    The posix acl version of set_nt_acl() could set the stat_ex
    struct in the fsp->fsp_name pointer incorrectly for a directory.
    
    Fix this. Make map_canon_ace_perms() public.
    
    Jeremy.
    (cherry picked from commit 3d85b1ebe5e3484250b6810f1a45c1ba5a4900f7)
    (cherry picked from commit ddf5ce0073127c9c708bba8a3e7470e4ef6b77ac)

commit 806ac4527304c025a08b7c8b3cb131a973ad8db6
Author: Suresh Jayaraman <sjayaraman at suse.de>
Date:   Wed Dec 23 11:45:20 2009 -0500

    doc: update mount.cifs man page with nounix option
    
    Change since last post:
    	- fix build error due to superfluous </para> tag.
    	- ensure it builds fine.
    
    Also add a section on INODE NUMBERS that discusses inode numbers more
    thoroughly and add reference to it in "nounix" and "noserverino"
    options.
    
    Thanks to Jeff Layton for explaining those details.
    
    Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    (cherry picked from commit 091360d52fa2958f5f143aa3f0c4ce54d4fe120b)

commit 81557a4a0deff5e3c44cd854106e0ad4b583f7e3
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Dec 23 13:10:55 2009 +0100

    s3: wbinfo --ping-dc is not cacheable
    (cherry picked from commit c8733d989981315b422857e7b4be9a2035914606)

commit ab35ec51125e43d22db35a9e238656c209b71c6e
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Dec 23 11:48:33 2009 +0100

    s3: Remove some unused code
    (cherry picked from commit 1eb03d6090a80316925de996b0af72eb70f7dc44)

commit a680b8786c682a492053867d63056c58478427b0
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Dec 23 11:39:10 2009 +0100

    s3: Remove unused sendto_child()
    (cherry picked from commit 791b6d37a9e07d6f009a6fa9d575c4471ecb84a3)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                          |    8 +
 docs-xml/manpages-3/mount.cifs.8.xml  |   54 ++++++++-
 source3/include/proto.h               |    6 +-
 source3/libsmb/conncache.c            |   82 ++++--------
 source3/modules/vfs_acl_common.c      |  106 +++++++++++++++
 source3/smbd/posix_acls.c             |   22 ++-
 source3/winbindd/wb_getgrsid.c        |   11 ++
 source3/winbindd/wb_gettoken.c        |    7 +
 source3/winbindd/wb_sid2gid.c         |    2 +-
 source3/winbindd/wb_sid2uid.c         |    2 +-
 source3/winbindd/winbindd.c           |   15 +-
 source3/winbindd/winbindd.h           |   23 +---
 source3/winbindd/winbindd_ads.c       |  228 ++++++++++++++------------------
 source3/winbindd/winbindd_cache.c     |  119 +----------------
 source3/winbindd/winbindd_domain.c    |    2 -
 source3/winbindd/winbindd_dual.c      |   92 +-------------
 source3/winbindd/winbindd_getgrnam.c  |   23 +---
 source3/winbindd/winbindd_getgroups.c |   24 ----
 source3/winbindd/winbindd_misc.c      |  102 ++++++---------
 source3/winbindd/winbindd_passdb.c    |   72 ++++-------
 source3/winbindd/winbindd_proto.h     |   21 +---
 source3/winbindd/winbindd_reconnect.c |   12 +--
 source3/winbindd/winbindd_rpc.c       |   49 ++++---
 source3/winbindd/winbindd_util.c      |  100 ++-------------
 24 files changed, 459 insertions(+), 723 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f2e9964..a7906c8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -107,6 +107,7 @@ o   Jeremy Allison <jra at samba.org>
     * Ensure dos_mode can return FILE_ATTRIBUTE_NORMAL, then filter the returned
       attributes by protocol level.
     * Vector correctly through reply_openerror() (which uses the same logic).
+    * Fix bugs with the full Windows ACL support.
 
 
 o   Günther Deschner <gd at samba.org>
@@ -119,11 +120,18 @@ o   Jonas Gorski <jonas.gorski+samba at gmail.com>
     * BUG 6992: make test for getgrouplist cacheable.
 
 
+o   Suresh Jayaraman <sjayaraman at suse.de>
+    * Update mount.cifs man page with nounix option.
+
+
 o   Volker Lendecke <vl at samba.org>
     * Fix _samr_GetAliasMembership for results with 0 rids.
     * Fix an error case in cli_negprot.
     * Add a lower-cost alternative to wbinfo -t: wbinfo --ping-dc.
     * Restore correct timeouts for SMB requests.
+    * Fix a 64-bit error in libsmb.
+    * Replace IS_DOMAIN_OFFLINE by a function in Winbind.
+    * Simplify/cleanup Winbind code.
 
 
 o   Kamen Mazdrashki <kamen.mazdrashki at postpath.com>
diff --git a/docs-xml/manpages-3/mount.cifs.8.xml b/docs-xml/manpages-3/mount.cifs.8.xml
index 0beb968..c4fe2e8 100644
--- a/docs-xml/manpages-3/mount.cifs.8.xml
+++ b/docs-xml/manpages-3/mount.cifs.8.xml
@@ -477,12 +477,35 @@ permissions in memory that can't be stored on the server. This information can d
 
         <varlistentry>
                 <term>noserverino</term>
-                <listitem><para>client generates inode numbers (rather than using the actual one
-                from the server) by default.
+		<listitem>
+		<para>
+			Client generates inode numbers (rather than
+		using the actual one from the server) by default.
+		</para>
+		<para>
+			See section <emphasis>INODE NUMBERS</emphasis> for
+		more information.
 		</para></listitem>
         </varlistentry>
 
         <varlistentry>
+		<term>nounix</term>
+		<listitem>
+		<para>
+			Disable the CIFS Unix Extensions for this mount. This
+		can be useful in order to turn off multiple settings at once.
+		This includes POSIX acls, POSIX locks, POSIX paths, symlink
+		support and retrieving uids/gids/mode from the server. This
+		can also be useful to work around a bug in a server that
+		supports Unix Extensions.
+		</para>
+		<para>
+		See section <emphasis>INODE NUMBERS</emphasis> for
+		more information.
+		</para> </listitem>
+        </varlistentry>
+
+        <varlistentry>
                 <term>nouser_xattr</term>
                 <listitem><para>(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise. </para></listitem>
         </varlistentry>
@@ -533,6 +556,33 @@ permissions in memory that can't be stored on the server. This information can d
 </refsect1>
 
 <refsect1>
+	<title>INODE NUMBERS</title>
+	<para>
+		When Unix Extensions are enabled, we use the actual inode
+	number provided by the server in response to the POSIX calls as an
+	inode number.
+	</para>
+	<para>
+		When Unix Extensions are disabled and "serverino" mount option
+	is enabled there is no way to get the server inode number. The
+	client typically maps the server-assigned "UniqueID" onto an inode
+	number.
+	</para>
+	<para>
+		Note that the UniqueID is a different value from the server
+	inode number. The UniqueID value is unique over the scope of the entire
+	server and is often greater than 2 power 32. This value often makes
+	programs that are not compiled with LFS (Large File Support), to
+	trigger a glibc EOVERFLOW error as this won't fit in the target
+	structure field. It is strongly recommended to compile your programs
+	with LFS support (i.e. with -D_FILE_OFFSET_BITS=64) to prevent this
+	problem. You can also use "noserverino" mount option to generate inode
+	numbers smaller than 2 power 32 on the client. But you may not be able
+	to detect hardlinks properly.
+	</para>
+</refsect1>
+
+<refsect1>
 	<title>FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS</title>
 
 	<para> The core CIFS protocol does not provide unix ownership
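Review bot: In the third paragraph of the new INODE NUMBERS section, "2 power 32" reads awkwardly for a man page, and the sentence "This value often makes programs that are not compiled with LFS (Large File Support), to trigger a glibc EOVERFLOW error" is ungrammatical. Suggest "2^32" (or "2 to the power of 32") in both places and "This value often causes programs that are not compiled with LFS (Large File Support) to fail with a glibc EOVERFLOW error". The closing "But you may not be able to detect hardlinks properly." is the trade-off of "noserverino" and would read better joined to the sentence before it.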
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b6c10ea..d2ebd92 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3044,8 +3044,6 @@ NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli,
 NTSTATUS check_negative_conn_cache_timeout( const char *domain, const char *server, unsigned int failed_cache_timeout );
 NTSTATUS check_negative_conn_cache( const char *domain, const char *server);
 void add_failed_connection_entry(const char *domain, const char *server, NTSTATUS result) ;
-void delete_negative_conn_cache(const char *domain, const char *server);
-void flush_negative_conn_cache( void );
 void flush_negative_conn_cache_for_domain(const char *domain);
 
 /* The following definitions come from ../librpc/rpc/dcerpc_error.c  */
@@ -6719,6 +6717,10 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req);
 
 void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid);
 bool nt4_compatible_acls(void);
+uint32_t map_canon_ace_perms(int snum,
+                                enum security_ace_type *pacl_type,
+                                mode_t perms,
+                                bool directory_ace);
 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl);
 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c
index b440d61..85a09cc 100644
--- a/source3/libsmb/conncache.c
+++ b/source3/libsmb/conncache.c
@@ -7,17 +7,18 @@
    Copyright (C) Andrew Bartlett 	2002
    Copyright (C) Gerald (Jerry) Carter 	2003
    Copyright (C) Marc VanHeyningen      2008
-   
+   Copyright (C) Volker Lendecke	2009
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	 See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -37,11 +38,6 @@
 
 
 /**
- * prefix used for all entries put into the general cache
- */
-static const char NEGATIVE_CONN_CACHE_PREFIX[] = "NEG_CONN_CACHE";
-
-/**
  * Marshalls the domain and server name into the key for the gencache
  * record
  *
@@ -53,15 +49,16 @@ static const char NEGATIVE_CONN_CACHE_PREFIX[] = "NEG_CONN_CACHE";
  */
 static char *negative_conn_cache_keystr(const char *domain, const char *server)
 {
-	const char NEGATIVE_CONN_CACHE_KEY_FMT[] = "%s/%s,%s";
 	char *keystr = NULL;
 
-	SMB_ASSERT(domain != NULL);
+	if (domain == NULL) {
+		return NULL;
+	}
 	if (server == NULL)
 		server = "";
 
-	keystr = talloc_asprintf(talloc_tos(),NEGATIVE_CONN_CACHE_KEY_FMT,
-				 NEGATIVE_CONN_CACHE_PREFIX, domain, server);
+	keystr = talloc_asprintf(talloc_tos(), "NEG_CONN_CACHE/%s,%s",
+				 domain, server);
 	if (keystr == NULL) {
 		DEBUG(0, ("negative_conn_cache_keystr: malloc error\n"));
 	}
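Review bot: With SMB_ASSERT(domain != NULL) replaced by "if (domain == NULL) { return NULL; }", negative_conn_cache_keystr() now returns NULL for two different reasons, and only the allocation failure is logged ("malloc error"). A caller passing a NULL domain gets a silent no-op. Suggest a DEBUG line in the new early return and a sentence in the comment block above the function saying that NULL is returned for a NULL domain as well as on allocation failure.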
@@ -100,13 +97,16 @@ static char *negative_conn_cache_valuestr(NTSTATUS status)
  */
 static NTSTATUS negative_conn_cache_valuedecode(const char *value)
 {
-	NTSTATUS result = NT_STATUS_OK;
+	unsigned int v = NT_STATUS_V(NT_STATUS_INTERNAL_ERROR);;
 
-	SMB_ASSERT(value != NULL);
-	if (sscanf(value, "%x", &(NT_STATUS_V(result))) != 1)
-		DEBUG(0, ("negative_conn_cache_valuestr: unable to parse "
+	if (value != NULL) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	if (sscanf(value, "%x", &v) != 1) {
+		DEBUG(0, ("negative_conn_cache_valuedecode: unable to parse "
 			  "value field '%s'\n", value));
-	return result;
+	}
+	return NT_STATUS(v);
 }
 
 /**
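Review bot: The new NULL check in negative_conn_cache_valuedecode() is inverted: "if (value != NULL) { return NT_STATUS_INTERNAL_ERROR; }" returns the error for every real cache value and lets a NULL value fall through to sscanf(). It should read "if (value == NULL)". As written, check_negative_conn_cache() receives NT_STATUS_INTERNAL_ERROR for any entry gencache_get() finds, instead of the status that was stored. The initialiser of v also ends in a stray double semicolon.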
@@ -143,7 +143,7 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server)
 	if (key == NULL)
 		goto done;
 
-	if (gencache_get(key, &value, (time_t *) NULL))
+	if (gencache_get(key, &value, NULL))
 		result = negative_conn_cache_valuedecode(value);
  done:
 	DEBUG(9,("check_negative_conn_cache returning result %d for domain %s "
@@ -154,29 +154,6 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server)
 }
 
 /**
- * Delete any negative cache entry for the given domain/server
- *
- * @param[in] domain
- * @param[in] server may be either a FQDN or an IP address
- */
-void delete_negative_conn_cache(const char *domain, const char *server)
-{
-	char *key = NULL;
-
-	key = negative_conn_cache_keystr(domain, server);
-	if (key == NULL)
-		goto done;
-
-	gencache_del(key);
-	DEBUG(9,("delete_negative_conn_cache removing domain %s server %s\n",
-		  domain, server));
- done:
-	TALLOC_FREE(key);
-	return;
-}
-
-
-/**
  * Add an entry to the failed connection cache
  *
  * @param[in] domain
@@ -189,7 +166,10 @@ void add_failed_connection_entry(const char *domain, const char *server,
 	char *key = NULL;
 	char *value = NULL;
 
-	SMB_ASSERT(!NT_STATUS_IS_OK(result));
+	if (NT_STATUS_IS_OK(result)) {
+		/* Nothing failed here */
+		return;
+	}
 
 	key = negative_conn_cache_keystr(domain, server);
 	if (key == NULL) {
@@ -204,15 +184,14 @@ void add_failed_connection_entry(const char *domain, const char *server,
 	}
 
 	if (gencache_set(key, value,
-			 time((time_t *) NULL)
-			 + FAILED_CONNECTION_CACHE_TIMEOUT))
+			 time(NULL) + FAILED_CONNECTION_CACHE_TIMEOUT))
 		DEBUG(9,("add_failed_connection_entry: added domain %s (%s) "
 			  "to failed conn cache\n", domain, server ));
 	else
 		DEBUG(1,("add_failed_connection_entry: failed to add "
 			  "domain %s (%s) to failed conn cache\n",
 			  domain, server));
-	
+
  done:
 	TALLOC_FREE(key);
 	TALLOC_FREE(value);
@@ -220,15 +199,6 @@ void add_failed_connection_entry(const char *domain, const char *server,
 }
 
 /**
- * Deletes all records from the negative connection cache in all domains
- */
-void flush_negative_conn_cache( void )
-{
-	flush_negative_conn_cache_for_domain("*");
-}
-
-
-/**
  * Deletes all records for a specified domain from the negative connection
  * cache
  *
@@ -246,10 +216,10 @@ void flush_negative_conn_cache_for_domain(const char *domain)
 		goto done;
 	}
 
-	gencache_iterate(delete_matches, (void *) NULL, key_pattern);
+	gencache_iterate(delete_matches, NULL, key_pattern);
 	DEBUG(8, ("flush_negative_conn_cache_for_domain: flushed domain %s\n",
 		  domain));
-	
+
  done:
 	TALLOC_FREE(key_pattern);
 	return;
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 06bcfb8..1eec448 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -157,6 +157,85 @@ static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
 }
 
 /*******************************************************************
+ Add in 3 inheritable components for a non-inheritable directory ACL.
+ CREATOR_OWNER/CREATOR_GROUP/WORLD.
+*******************************************************************/
+
+static void add_directory_inheritable_components(vfs_handle_struct *handle,
+                                const char *name,
+				SMB_STRUCT_STAT *psbuf,
+				struct security_descriptor *psd)
+{
+	struct connection_struct *conn = handle->conn;
+	int num_aces = (psd->dacl ? psd->dacl->num_aces : 0);
+	struct smb_filename smb_fname;
+	enum security_ace_type acl_type;
+	uint32_t access_mask;
+	mode_t dir_mode;
+	mode_t file_mode;
+	mode_t mode;
+	struct security_ace *new_ace_list = TALLOC_ZERO_ARRAY(talloc_tos(),
+						struct security_ace,
+						num_aces + 3);
+
+	if (new_ace_list == NULL) {
+		return;
+	}
+
+	/* Fake a quick smb_filename. */
+	ZERO_STRUCT(smb_fname);
+	smb_fname.st = *psbuf;
+	smb_fname.base_name = CONST_DISCARD(char *, name);
+
+	dir_mode = unix_mode(conn,
+			FILE_ATTRIBUTE_DIRECTORY, &smb_fname, NULL);
+	file_mode = unix_mode(conn,
+			FILE_ATTRIBUTE_ARCHIVE, &smb_fname, NULL);
+
+	mode = dir_mode | file_mode;
+
+	DEBUG(10, ("add_directory_inheritable_components: directory %s, "
+		"mode = 0%o\n",
+		name,
+		(unsigned int)mode ));
+
+	if (num_aces) {
+		memcpy(new_ace_list, psd->dacl->aces,
+			num_aces * sizeof(struct security_ace));
+	}
+	access_mask = map_canon_ace_perms(SNUM(conn), &acl_type,
+				mode & 0700, false);
+
+	init_sec_ace(&new_ace_list[num_aces],
+			&global_sid_Creator_Owner,
+			acl_type,
+			access_mask,
+			SEC_ACE_FLAG_CONTAINER_INHERIT|
+				SEC_ACE_FLAG_OBJECT_INHERIT|
+				SEC_ACE_FLAG_INHERIT_ONLY);
+	access_mask = map_canon_ace_perms(SNUM(conn), &acl_type,
+				(mode << 3) & 0700, false);
+	init_sec_ace(&new_ace_list[num_aces+1],
+			&global_sid_Creator_Group,
+			acl_type,
+			access_mask,
+			SEC_ACE_FLAG_CONTAINER_INHERIT|
+				SEC_ACE_FLAG_OBJECT_INHERIT|
+				SEC_ACE_FLAG_INHERIT_ONLY);
+	access_mask = map_canon_ace_perms(SNUM(conn), &acl_type,
+				(mode << 6) & 0700, false);
+	init_sec_ace(&new_ace_list[num_aces+2],
+			&global_sid_World,
+			acl_type,
+			access_mask,
+			SEC_ACE_FLAG_CONTAINER_INHERIT|
+				SEC_ACE_FLAG_OBJECT_INHERIT|
+				SEC_ACE_FLAG_INHERIT_ONLY);
+	psd->dacl->aces = new_ace_list;
+	psd->dacl->num_aces += 3;
+}
+
+/*******************************************************************
  Pull a DATA_BLOB from an xattr given a pathname.
  If the hash doesn't match, or doesn't exist - return the underlying
  filesystem sd.
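Review bot: add_directory_inheritable_components() guards against a NULL DACL when computing num_aces ("psd->dacl ? psd->dacl->num_aces : 0") but then dereferences it unconditionally at the end with "psd->dacl->aces = new_ace_list;" and "psd->dacl->num_aces += 3;". Either return early when psd->dacl is NULL or create the DACL before attaching the new list. Two smaller points: new_ace_list is allocated on talloc_tos() and then stored in the descriptor, so parenting it to psd->dacl would tie its lifetime to the object that references it, and the function returns void, so an allocation failure leaves the directory without the inheritable ACEs and without any log message.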
@@ -261,6 +340,33 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 		/* We're returning the blob, throw
  		 * away the filesystem SD. */
 		TALLOC_FREE(pdesc_next);
+	} else {
+		SMB_STRUCT_STAT sbuf;
+		SMB_STRUCT_STAT *psbuf = &sbuf;
+		bool is_directory = false;
+		/*
+		 * We're returning the underlying ACL from the
+		 * filesystem. If it's a directory, and has no
+		 * inheritable ACE entries we have to fake them.
+		 */
+		if (fsp) {
+			is_directory = fsp->is_directory;
+			psbuf = &fsp->fsp_name->st;
+		} else {
+			if (vfs_stat_smb_fname(handle->conn,
+						name,
+						&sbuf) == 0) {
+				is_directory = S_ISDIR(sbuf.st_ex_mode);
+			}
+		}
+		if (is_directory &&
+				!sd_has_inheritable_components(psd,
+							true)) {
+			add_directory_inheritable_components(handle,
+							name,
+							psbuf,
+							psd);
+		}
 	}
 
 	if (!(security_info & OWNER_SECURITY_INFORMATION)) {
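Review bot: In the path-based branch of the new else block, a failing vfs_stat_smb_fname() is silently treated as "not a directory", so the inheritable ACEs are skipped with no trace in the logs. Suggest a DEBUG line on stat failure, and a short comment noting that psbuf only points at an initialised sbuf when the stat succeeded, since that is what makes the later add_directory_inheritable_components() call safe.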
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 65d0929..8280538 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1068,7 +1068,7 @@ bool nt4_compatible_acls(void)
  not get. Deny entries are implicit on get with ace->perms = 0.
 ****************************************************************************/
 
-static uint32_t map_canon_ace_perms(int snum,
+uint32_t map_canon_ace_perms(int snum,
 				enum security_ace_type *pacl_type,
 				mode_t perms,
 				bool directory_ace)
@@ -1570,7 +1570,7 @@ static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
 ****************************************************************************/
 
 static bool create_canon_ace_lists(files_struct *fsp,
-					SMB_STRUCT_STAT *pst,
+					const SMB_STRUCT_STAT *pst,
 					DOM_SID *pfile_owner_sid,
 					DOM_SID *pfile_grp_sid,
 					canon_ace **ppfile_ace,
@@ -2305,7 +2305,7 @@ static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
 ****************************************************************************/
 
 static bool unpack_canon_ace(files_struct *fsp,
-				SMB_STRUCT_STAT *pst,
+				const SMB_STRUCT_STAT *pst,
 				DOM_SID *pfile_owner_sid,
 				DOM_SID *pfile_grp_sid,
 				canon_ace **ppfile_ace,
@@ -2313,6 +2313,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 				uint32 security_info_sent,
 				const SEC_DESC *psd)
 {
+	SMB_STRUCT_STAT st;
 	canon_ace *file_ace = NULL;
 	canon_ace *dir_ace = NULL;
 
@@ -2376,14 +2377,17 @@ static bool unpack_canon_ace(files_struct *fsp,
 
 	print_canon_ace_list( "file ace - before valid", file_ace);
 
+	st = *pst;
+
 	/*
 	 * A default 3 element mode entry for a file should be r-- --- ---.
 	 * A default 3 element mode entry for a directory should be rwx --- ---.
 	 */
 
-	pst->st_ex_mode = create_default_mode(fsp, False);
+	st.st_ex_mode = create_default_mode(fsp, False);
 
-	if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
+	if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params,
+			fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
 		free_canon_ace_list(file_ace);
 		free_canon_ace_list(dir_ace);
 		return False;
@@ -2397,9 +2401,10 @@ static bool unpack_canon_ace(files_struct *fsp,
 	 * it's a directory.
 	 */
 
-	pst->st_ex_mode = create_default_mode(fsp, True);
+	st.st_ex_mode = create_default_mode(fsp, True);
 


-- 
Samba Shared Repository

