[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Aug 23 08:43:03 MDT 2012


The branch, master has been updated
       via  e14bf39 s4-selftest: Always set vfs objects in selftest smb.conf
       via  123ee7f s4-selftest: Add test for samba-tool ntacl sysvolcheck
       via  ebcdc4a s4-samba-tool: Add samba-tool ntacl sysvolcheck command
       via  0aed291 s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum
       via  e058dfb s3-pysmbd: Fix return type of smbd.get_nt_acl
       via  e8e24a2 s3-smbd: Add talloc_stackframe() to get_nt_acl_no_snum()
       via  7cf50b9 s4-selftest: Add testing of samba-tool ntacl sysvolreset
       via  8c71dc3 param: Add startup checks for valid server role/binary combinations
       via  332efe1 s3-pysmbd: Fix error message
       via  7e7ed72 s4-provision: Fix internal documentation
       via  51e3547 s3-pysmbd: Allow a mode to be specified for the simple ACL
       via  8f90919 s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool
       via  56fd072 selftest: Add a test of the NT ACL -> posix ACL mapping layer to selftest
       via  4fe344e selftest: Cope with the multiple possible representations of -1 in posixacl.py
       via  bd00c92 selftest: Extend posixacl test to check the actual ACL
       via  318b8cb selftest: Add a test of the NT ACL -> posix ACL mapping layer
       via  b1825c6 s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly
       via  a778662 s4-provision: set POSIX ACLs to for use with the smbd file server (s3fs)
       via  8518dd6 file_server: Move default VFS module settings to loadparm.c
       via  be9a8cf s4-dsdb: Remove unused variables
       via  d1eac79 s4-dsdb: Do not use a possibly-old loadparm context in schema reload
       via  a58ac39 s4-upgradeprovision: Use ntvfs in reference provision
       via  ccac50c selftest: Set --use-ntvfs for rodc, vampire_dc, promoted_vampire_dc and subdom_dc
       via  c1012c6 selftest: Specify --use-ntvfs when testing the group code
       via  b2ff365 selftest: Specify --use-ntvfs when testing the newuser code
       via  2fc6760 selftest: Specify --use-ntvfs when testing the LDAP backend init code
       via  8c7f4f0 selftest: Specify --use-ntvfs for the chdcpass environment
      from  069db9b s3:smb2_break: encrypt OPLOCK BREAK notifications

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e14bf399cfa767ffa065a1f50df07b3cf446b375
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 20:13:45 2012 +1000

    s4-selftest: Always set vfs objects in selftest smb.conf
    
    This sets it for all environments, as it is harmless if ntvfs is used
    and critical if the provision script runs in s3fs mode.
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Aug 23 16:42:41 CEST 2012 on sn-devel-104

commit 123ee7f9b5e5ccac6740e5fdfff2a8a24f98087d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 10:38:06 2012 +1000

    s4-selftest: Add test for samba-tool ntacl sysvolcheck

commit ebcdc4a36be9b79325b11ec0c44a43db93e29519
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 10:37:46 2012 +1000

    s4-samba-tool: Add samba-tool ntacl sysvolcheck command
    
    This command verifies that the current on-disk ACLs match the directory and
    the defaults from provision.
    
    Unlike sysvolreset, this does not change any of the permissions.
    
    Andrew Bartlett

commit 0aed29105e9d8ddcd27a70d7af820da8813ca47b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 09:45:07 2012 +1000

    s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum
    
    I need to get at the owner, group, DACL and SACL when testing correct
    ACL storage.
    
    Andrew Bartlett

commit e058dfb3b0714da229d1bddf96c72611af7b1fab
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 09:39:32 2012 +1000

    s3-pysmbd: Fix return type of smbd.get_nt_acl
    
    The security_ prefix is stripped off in the python bindings.
    
    Andrew Bartlett

commit e8e24a251b7625647352764298f108769bbad922
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 09:38:54 2012 +1000

    s3-smbd: Add talloc_stackframe() to get_nt_acl_no_snum()
    
    This is required because the functions it calls use talloc_tos().
    
    Andrew Bartlett

commit 7cf50b9f305d6c2cdc57f38c9b4e5f8b73301f8a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 21:19:41 2012 +1000

    s4-selftest: Add testing of samba-tool ntacl sysvolreset

commit 8c71dc3505ab83ce95ab40a56f77313c4448be16
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 21:01:16 2012 +1000

    param: Add startup checks for valid server role/binary combinations
    
    This should eliminate confusion from our users about what they can
    expect to successfully run.
    
    Andrew Bartlett

commit 332efe1539d83c0971f151f902f234e5a8bf0690
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 21:00:17 2012 +1000

    s3-pysmbd: Fix error message

commit 7e7ed72bbe8949b828000049a87f87d29f4587c2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 18:35:52 2012 +1000

    s4-provision: Fix internal documentation

commit 51e3547426bcfe9ae086c12bff95dfc31aba5e24
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 18:35:01 2012 +1000

    s3-pysmbd: Allow a mode to be specified for the simple ACL
    
    The additional group for the ACL is now optional.
    
    Andrew Bartlett

commit 8f909199c4964a4f501520bb687d88471daf6af6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 18:32:18 2012 +1000

    s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool
    
    This will reset the NT ACL on the sysvol share to the default from
    provision, with GPO objects matching the LDAP ACL (as required).
    
    Andrew Bartlett

commit 56fd072fdd0761d485571d9f9dcfea675bd282e4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 15:52:04 2012 +1000

    selftest: Add a test of the NT ACL -> posix ACL mapping layer to selftest

commit 4fe344ef054e22b3c7ed5ff167a6713e59820a40
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 15:50:20 2012 +1000

    selftest: Cope with the multiple possible representations of -1 in posixacl.py

commit bd00c9286556aacb45fcd457751ccb43ef605329
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 21 23:21:58 2012 +1000

    selftest: Extend posixacl test to check the actual ACL
    
    Needing to be able to write this test is the primary reason I have
    been reworking the VFS and posix ACL layer over the past few weeks.
    By exposing the POSIX ACL as an IDL object we can easily manipulate it
    in python, and then verify that the ACL was handled correctly.
    
    This ensures that when we write an ACL in provision, that it will
    indeed allow that access at the FS layer.
    
    We need to extend this beyond just the critical two ACLs set during
    provision, to also include some special (hard) cases involving the
    merging of ACE entries, as this is the most delicate part of the ACL
    transformation.
    
    A similar test should also be written to read the posix ACL and the
    mapped NT ACL on a file that has never had an NT ACL set.
    
    Andrew Bartlett

commit 318b8cb4fafcc48bb0f8266171d667a6316f66d4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 21 22:42:54 2012 +1000

    selftest: Add a test of the NT ACL -> posix ACL mapping layer
    
    This is the start of what will be a series of tests confirming exactly how
    some NT ACLs are mapped to posix ACLs.
    
    Andrew Bartlett

commit b1825c64215ac304eff8fcd3555e9f5943f3ba63
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 7 16:54:28 2012 +1000

    s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly
    
    This allows us to write tests that compare the smbd vfs with what is
    in the DB or xattr.
    
    Andrew Bartlett

commit a778662da8b1dfc65bde55644703f2a3146ef7a8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 2 16:15:27 2012 +1000

    s4-provision: set POSIX ACLs to for use with the smbd file server (s3fs)
    
    This handles the fact that smbd will rarely override the POSIX ACL enforced by
    the kernel.  This has caused issues with the creation of group policies by
    other members of the Domain Admins group.
    
    Andrew Bartlett

commit 8518dd6406c0132dfd8c44e084c2b39792974f2c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 23:34:24 2012 +1000

    file_server: Move default VFS module settings to loadparm.c
    
    This means that any utility that calls into the VFS layer will get the
    right modules.
    
    Because we use the fake_acls backend we need to override this whole
    list in Samba4.pm however.
    
    Andrew Bartlett

commit be9a8cf4caaec26180c732041aeeb1b1bbda8e9e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 22:13:25 2012 +1000

    s4-dsdb: Remove unused variables

commit d1eac79690d0fe8f8a5a78bcb83a6b4783279e27
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 22 22:08:36 2012 +1000

    s4-dsdb: Do not use a possibly-old loadparm context in schema reload
    
    The loadparm context on the schema DB might have gone away already.
    Pre-cache the schema refresh interval at load time to avoid worrying
    about this.
    
    Andrew Bartlett

commit a58ac39a5ae97b3aebfde10466798b41baccaacf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 17:27:50 2012 +1000

    s4-upgradeprovision: Use ntvfs in reference provision
    
    We do not need filesystem ACLs set when creating the reference provision, so it is
    easier to use the NTVFS backend as it does not cause trouble with make test.
    
    Andrew Bartlett

commit ccac50c7c45034b0daf6e0fb098b14b0ec01573b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 20:17:57 2012 +1000

    selftest: Set --use-ntvfs for rodc, vampire_dc, promoted_vampire_dc and subdom_dc

commit c1012c6817d7ce378af5e88da12d84f99720bdab
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 21:09:39 2012 +1000

    selftest: Specify --use-ntvfs when testing the group code
    
    We do not need to set filesystem ACLs in this case.
    
    Andrew Bartlett

commit b2ff36566b51e99ba224298bf52b4802aa875c15
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 19:35:41 2012 +1000

    selftest: Specify --use-ntvfs when testing the newuser code
    
    We do not need to set filesystem ACLs in this case.
    
    Andrew Bartlett

commit 2fc6760d5ab9864486fe3e16fff3963e9d6b63f1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 18:03:45 2012 +1000

    selftest: Specify --use-ntvfs when testing the LDAP backend init code
    
    We do not need to set filesystem ACLs in this case.
    
    Andrew Bartlett

commit 8c7f4f05f2e9ee9d1adf4c784dcad813f603af97
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 23 13:27:35 2012 +1000

    selftest: Specify --use-ntvfs for the chdcpass environment

-----------------------------------------------------------------------

Summary of changes:
 file_server/file_server.c                          |   13 +-
 selftest/target/Samba4.pm                          |   17 +-
 source3/nmbd/nmbd.c                                |   10 +
 source3/param/loadparm.c                           |   13 +
 source3/rpc_server/eventlog/srv_eventlog_nt.c      |    2 +-
 source3/smbd/posix_acls.c                          |   15 +-
 source3/smbd/proto.h                               |    2 +-
 source3/smbd/pysmbd.c                              |   71 ++--
 source3/smbd/server.c                              |    7 +
 source3/winbindd/winbindd.c                        |    6 +
 source4/dsdb/samdb/ldb_modules/schema_load.c       |   15 +-
 source4/dsdb/schema/schema.h                       |    1 +
 source4/dsdb/schema/schema_init.c                  |   26 +-
 source4/scripting/python/samba/netcmd/ntacl.py     |  108 +++++-
 source4/scripting/python/samba/ntacls.py           |   77 +++--
 .../scripting/python/samba/provision/__init__.py   |  187 ++++++++--
 source4/scripting/python/samba/tests/ntacls.py     |    4 +-
 source4/scripting/python/samba/tests/posixacl.py   |  404 ++++++++++++++++++++
 .../python/samba/tests/samba_tool/ntacl.py         |   70 ++++
 source4/scripting/python/samba/upgradehelpers.py   |    2 +-
 source4/selftest/tests.py                          |    2 +
 source4/setup/tests/blackbox_group.sh              |    2 +-
 source4/setup/tests/blackbox_newuser.sh            |    2 +-
 source4/setup/tests/blackbox_provision-backend.sh  |   10 +-
 source4/smbd/server.c                              |   11 +
 25 files changed, 927 insertions(+), 150 deletions(-)
 create mode 100644 source4/scripting/python/samba/tests/posixacl.py
 create mode 100644 source4/scripting/python/samba/tests/samba_tool/ntacl.py


Changeset truncated at 500 lines:

diff --git a/file_server/file_server.c b/file_server/file_server.c
index 2b9e48a..b6f7382 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -50,6 +50,7 @@ static const char *generate_smb_conf(struct task_server *task)
 
 	fdprintf(fd, "[globals]\n");
 	fdprintf(fd, "# auto-generated config for fileserver\n");
+	fdprintf(fd, "server role check:inhibit=yes\n");
 	fdprintf(fd, "passdb backend = samba4\n");
         fdprintf(fd, "rpc_server:default = external\n");
 	fdprintf(fd, "rpc_server:svcctl = embedded\n");
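Review bot: the new `server role check:inhibit=yes` line is emitted with no comment explaining what it suppresses. Add a short C comment above it stating that it disables the standalone-smbd startup check added in source3/smbd/server.c for the smbd that the `samba` binary spawns, so the option is not mistaken for a user-facing setting.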
@@ -61,15 +62,6 @@ static const char *generate_smb_conf(struct task_server *task)
 	fdprintf(fd, "rpc_daemon:spoolssd = disabled\n");
 	fdprintf(fd, "rpc_server:tcpip = no\n");
 
-	/* If we are using xattr_tdb:file or posix:eadb then we need to load another VFS object */
-	if (lpcfg_parm_string(lp_ctx, NULL, "xattr_tdb", "file")) {
-		fdprintf(fd, "vfs objects = acl_xattr xattr_tdb\n");
-	} else if (lpcfg_parm_string(lp_ctx, NULL, "posix", "eadb")) {
-		fdprintf(fd, "vfs objects = acl_xattr posix_eadb\n");
-	} else {
-		fdprintf(fd, "vfs objects = acl_xattr\n");
-	}
-
 	fdprintf(fd, "map hidden = no\n");
 	fdprintf(fd, "map system = no\n");
 	fdprintf(fd, "map readonly = no\n");
@@ -77,9 +69,6 @@ static const char *generate_smb_conf(struct task_server *task)
 
 	fdprintf(fd, "include = %s\n", lpcfg_configfile(lp_ctx));
 
-	fdprintf(fd, "[IPC$]\n");
-	fdprintf(fd, " vfs objects = dfs_samba4\n");
-
 	close(fd);
 	return path;
 }
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index b8d245c..5442281 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -534,6 +534,7 @@ sub provision_raw_prepare($$$$$$$$$$)
 	push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
 	push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
 	push (@provision_options, "--dns-backend=BIND9_DLZ");
+
 	if ($use_ntvfs) {
 	    push (@provision_options, "--use-ntvfs");
 	}
@@ -598,6 +599,8 @@ sub provision_raw_step1($$)
 
 	passdb backend = samba4
 
+        vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
+
 	# remove this again, when our smb2 client library
 	# supports signin on compound related requests
 	server signing = on
@@ -1020,7 +1023,7 @@ sub provision_promoted_vampire_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1079,7 +1082,7 @@ sub provision_vampire_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1142,7 +1145,7 @@ sub provision_subdom_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
 	$cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1205,7 +1208,7 @@ sub provision_fl2000dc($$)
 				   "samba2000.example.com",
 				   "2000",
 				   "locDCpass5",
-				   undef, "", 1);
+				   undef, "", "", 1);
 
 	unless($self->add_wins_config("$prefix/private")) {
 		warn("Unable to add wins configuration");
@@ -1312,7 +1315,7 @@ sub provision_rodc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --server=$dcvars->{DC_SERVER}";
+	$cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("RODC join failed\n$cmd");
@@ -1367,8 +1370,6 @@ sub provision_plugin_s4_dc($$)
 	create mask = 755
 	dos filemode = yes
 
-        vfs objects = acl_xattr fake_acls xattr_tdb streams_depot
-
         dcerpc endpoint servers = -winreg -srvsvc
 
 	printcap name = /dev/null
@@ -1442,7 +1443,7 @@ sub provision_chgdcpass($$)
 				   "chgdcpassword.samba.example.com",
 				   "2008",
 				   "chgDCpass1",
-				   undef, 1);
+				   undef, "", "", 1);
 
 	return undef unless(defined $ret);
 	unless($self->add_wins_config("$prefix/private")) {
diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index 1728bb9..d4df202 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -888,6 +888,16 @@ static bool open_sockets(bool isdaemon, int port)
 		exit(1);
 	}
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
+	    && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
+		/* TODO: when we have a merged set of defaults for
+		 * loadparm, we could possibly check if the internal
+		 * nbt server is in the list, and allow a startup if disabled */
+		DEBUG(0, ("server role = 'active directory domain controller' not compatible with running nmbd standalone. \n"));
+		DEBUGADD(0, ("You should start 'samba' instead, and it will control starting the internal nbt server\n"));
+		exit(1);
+	}
+
 	msg = messaging_init(NULL, server_event_context());
 	if (msg == NULL) {
 		return 1;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0b5a0e8..d9ce4b4 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4902,6 +4902,19 @@ static bool lp_load_ex(const char *pszFname,
 
 	fault_configure(smb_panic_s3);
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		const char **vfs_objects = lp_vfs_objects(-1);
+		if (!vfs_objects || !vfs_objects[0]) {
+			if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) {
+				lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb");
+			} else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) {
+				lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb");
+			} else {
+				lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr");
+			}
+		}
+	}
+
 	bAllowIncludeRegistry = true;
 
 	return (bRetval);
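Review bot: the AD DC defaults are applied only when `vfs objects` is completely unset (`!vfs_objects || !vfs_objects[0]`), so an explicit global list that omits `dfs_samba4` or `acl_xattr` passes through silently. Consider logging a warning in that case, and add a comment noting that only the global section (`-1`) is inspected here.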
diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c b/source3/rpc_server/eventlog/srv_eventlog_nt.c
index 67ab471..a05ea3f 100644
--- a/source3/rpc_server/eventlog/srv_eventlog_nt.c
+++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c
@@ -91,7 +91,7 @@ static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token
 
 	/* get the security descriptor for the file */
 
-	sec_desc = get_nt_acl_no_snum( info, tdbname );
+	sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
 	TALLOC_FREE( tdbname );
 
 	if ( !sec_desc ) {
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 7e1bab5..c5dea9c 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4842,15 +4842,16 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
  Assume we are dealing with files (for now)
 ********************************************************************/
 
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
+struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted)
 {
 	struct security_descriptor *psd, *ret_sd;
 	connection_struct *conn;
 	files_struct finfo;
 	struct fd_handle fh;
 	NTSTATUS status;
+	TALLOC_CTX *frame = talloc_stackframe();
 
-	conn = talloc_zero(ctx, connection_struct);
+	conn = talloc_zero(frame, connection_struct);
 	if (conn == NULL) {
 		DEBUG(0, ("talloc failed\n"));
 		return NULL;
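Review bot: the early return after `talloc_zero()` fails (`if (conn == NULL) { ... return NULL; }`) still exits without releasing the stackframe created by the new `talloc_stackframe()` call. Every other error path in this function gains `TALLOC_FREE(frame)` in this patch, so add it before this `return NULL` as well.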
@@ -4858,7 +4859,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
 
 	if (!(conn->params = talloc(conn, struct share_params))) {
 		DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
-		TALLOC_FREE(conn);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -4869,6 +4870,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
 	if (!smbd_vfs_init(conn)) {
 		DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
 		conn_free(conn);
+		TALLOC_FREE(frame);
 		return NULL;
         }
 
@@ -4880,17 +4882,19 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
 	finfo.fh = &fh;
 	finfo.fh->fd = -1;
 
-	status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL,
+	status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
 					    &finfo.fsp_name);
 	if (!NT_STATUS_IS_OK(status)) {
 		conn_free(conn);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
-	if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
+	if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, security_info_wanted, &psd))) {
 		DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
 		TALLOC_FREE(finfo.fsp_name);
 		conn_free(conn);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -4898,6 +4902,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
 
 	TALLOC_FREE(finfo.fsp_name);
 	conn_free(conn);
+	TALLOC_FREE(frame);
 
 	return ret_sd;
 }
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index aa79688..5a38474 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -729,7 +729,7 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname,
 				const SMB_STRUCT_STAT *psbuf,
 				uint16 num_def_acls, const char *pdata);
 bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata);
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname);
+struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted);
 NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
 					const char *name,
 					SMB_STRUCT_STAT *psbuf,
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 6456797..74acc01 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -151,10 +151,13 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
 }
 
 
-static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid)
+static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 {
 	mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE;
-	mode_t mode0 = 0;
+
+	mode_t mode_user = (chmod_mode & 0700) >> 16;
+	mode_t mode_group = (chmod_mode & 070) >> 8;
+	mode_t mode_other = chmod_mode &  07;
 
 	SMB_ACL_ENTRY_T entry;
 	SMB_ACL_T acl = sys_acl_init(4);
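Review bot: the shifts in `mode_user` and `mode_group` treat the octal permission digits as if they were bytes. `(chmod_mode & 0700) >> 16` and `(chmod_mode & 070) >> 8` both evaluate to 0 for every input, so the owner and group entries always receive an empty permission set; each digit is three bits wide, so the shifts should be `>> 6` and `>> 3`.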
@@ -173,7 +176,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid)
 		return NULL;
 	}
 
-	if (sys_acl_set_permset(entry, &mode) != 0) {
+	if (sys_acl_set_permset(entry, &mode_user) != 0) {
 		TALLOC_FREE(acl);
 		return NULL;
 	}
@@ -188,7 +191,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid)
 		return NULL;
 	}
 
-	if (sys_acl_set_permset(entry, &mode) != 0) {
+	if (sys_acl_set_permset(entry, &mode_group) != 0) {
 		TALLOC_FREE(acl);
 		return NULL;
 	}
@@ -203,29 +206,31 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid)
 		return NULL;
 	}
 
-	if (sys_acl_set_permset(entry, &mode0) != 0) {
+	if (sys_acl_set_permset(entry, &mode_other) != 0) {
 		TALLOC_FREE(acl);
 		return NULL;
 	}
 
-	if (sys_acl_create_entry(&acl, &entry) != 0) {
-		TALLOC_FREE(acl);
-		return NULL;
-	}
-
-	if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
-		TALLOC_FREE(acl);
-		return NULL;
-	}
-
-	if (sys_acl_set_qualifier(entry, &gid) != 0) {
-		TALLOC_FREE(acl);
-		return NULL;
-	}
-
-	if (sys_acl_set_permset(entry, &mode) != 0) {
-		TALLOC_FREE(acl);
-		return NULL;
+	if (gid != -1) {
+		if (sys_acl_create_entry(&acl, &entry) != 0) {
+			TALLOC_FREE(acl);
+			return NULL;
+		}
+		
+		if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
+			TALLOC_FREE(acl);
+			return NULL;
+		}
+		
+		if (sys_acl_set_qualifier(entry, &gid) != 0) {
+			TALLOC_FREE(acl);
+			return NULL;
+		}
+		
+		if (sys_acl_set_permset(entry, &mode_group) != 0) {
+			TALLOC_FREE(acl);
+			return NULL;
+		}
 	}
 
 	if (sys_acl_create_entry(&acl, &entry) != 0) {
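Review bot: `if (gid != -1)` compares a `gid_t` against a signed literal; writing `(gid_t)-1` makes the sentinel explicit and avoids sign-compare warnings. The three blank lines added inside the new block also carry trailing tabs, which should be stripped.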
@@ -238,7 +243,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid)
 		return NULL;
 	}
 
-	if (sys_acl_set_permset(entry, &mode0) != 0) {
+	if (sys_acl_set_permset(entry, &mode) != 0) {
 		TALLOC_FREE(acl);
 		return NULL;
 	}
@@ -252,14 +257,14 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args)
 {
 	NTSTATUS status;
 	char *fname;
-	int uid, gid;
+	int mode, gid = -1;
 	SMB_ACL_T acl;
 	TALLOC_CTX *frame;
 
-	if (!PyArg_ParseTuple(args, "sii", &fname, &uid, &gid))
+	if (!PyArg_ParseTuple(args, "si|i", &fname, &mode, &gid))
 		return NULL;
 
-	acl = make_simple_acl(uid, gid);
+	acl = make_simple_acl(gid, mode);
 
 	frame = talloc_stackframe();
 
@@ -310,8 +315,8 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args)
 
 	ret = SMB_VFS_CHOWN( conn, fname, uid, gid);
 	if (ret != 0) {
-		status = map_nt_error_from_unix_common(ret);
-		DEBUG(0,("chwon returned failure: %s\n", strerror(ret)));
+		status = map_nt_error_from_unix_common(errno);
+		DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
 	}
 
 	conn_free(conn);
@@ -367,17 +372,17 @@ static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args)
 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args)
 {
 	char *fname;
-	int security_info_sent;
+	int security_info_wanted;
 	PyObject *py_sd;
 	struct security_descriptor *sd;
 	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
 
-	if (!PyArg_ParseTuple(args, "si", &fname, &security_info_sent))
+	if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
 		return NULL;
 	
-	sd = get_nt_acl_no_snum(tmp_ctx, fname);
+	sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
 
-	py_sd = py_return_ndr_struct("samba.dcerpc.security", "security_descriptor", sd, sd);
+	py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
 
 	talloc_free(tmp_ctx);
 
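Review bot: `sd` is passed straight to `py_return_ndr_struct()` without a NULL check, although `get_nt_acl_no_snum()` returns NULL on every failure path. Check `sd` and raise a Python exception before building the return object; also note that `tmp_ctx` is allocated before `PyArg_ParseTuple()` and is not freed on that `return NULL`.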
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 6abf8cc..d53b19a 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1227,6 +1227,13 @@ extern void build_options(bool screen);
 		exit(1);
 	}
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
+	    && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
+		DEBUG(0, ("server role = 'active directory domain controller' not compatible with running smbd standalone. \n"));
+		DEBUGADD(0, ("You should start 'samba' instead, and it will control starting smbd if required\n"));
+		exit(1);
+	}
+
 	/* ...NOTE... Log files are working from this point! */
 
 	DEBUG(3,("loaded services\n"));
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index c43b585..eab62a7 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1406,6 +1406,12 @@ int main(int argc, char **argv, char **envp)
 	 */
 	dump_core_setup("winbindd", lp_logfile(talloc_tos()));
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the winbindd binary. \n"));
+		DEBUGADD(0, ("You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one\n"));
+		exit(1);
+	}
+
 	/* Initialise messaging system */
 
 	if (winbind_messaging_context() == NULL) {
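Review bot: this check has no `server role check:inhibit` escape, unlike the otherwise parallel checks added to nmbd and smbd in the same patch. If that is deliberate because the AD DC never spawns this winbindd binary, say so in a comment next to the condition; otherwise use the same `lp_parm_bool(-1, "server role check", "inhibit", false)` test for consistency.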
diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c
index be7915e..faaf3f2 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_load.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_load.c
@@ -159,17 +159,9 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct
 {
 	uint64_t current_usn, value;
 	int ret;
-	struct ldb_result *res;
-	struct ldb_request *treq;
-	struct ldb_seqnum_request *tseq;
-	struct ldb_seqnum_result *tseqr;
-	struct dsdb_control_current_partition *ctrl;
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct dsdb_schema *new_schema;
-	int interval;
-	time_t ts, lastts;
-	struct loadparm_context *lp_ctx =
-		(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm");
+	time_t ts, lastts;	
 	
 	struct schema_load_private_data *private_data = talloc_get_type(ldb_module_get_private(module), struct schema_load_private_data);
 	if (!private_data) {
@@ -184,9 +176,8 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct
 
 	lastts = schema->last_refresh;
 	ts = time(NULL);
-	interval = lpcfg_parm_int(lp_ctx, NULL, "dsdb", "schema_reload_interval", 120);
-	if (lastts > (ts - interval)) {
-		DEBUG(11, ("Less than %d seconds since last reload, returning cached version ts = %d\n", interval, (int)lastts));
+	if (lastts > (ts - schema->refresh_interval)) {
+		DEBUG(11, ("Less than %d seconds since last reload, returning cached version ts = %d\n", (int)schema->refresh_interval, (int)lastts));
 		return schema;
 	}
 
diff --git a/source4/dsdb/schema/schema.h b/source4/dsdb/schema/schema.h
index 81ac129..eb288e6 100644
--- a/source4/dsdb/schema/schema.h
+++ b/source4/dsdb/schema/schema.h
@@ -247,6 +247,7 @@ struct dsdb_schema {
 	bool refresh_in_progress;
 	time_t ts_last_change;
 	time_t last_refresh;
+	time_t refresh_interval;
 	/* This 'opaque' is stored in the metadata and is used to check if the currently
 	 * loaded schema needs a reload because another process has signaled that it has been
 	 * requested to reload the schema (either due through DRS or via the schemaUpdateNow).
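Review bot: the new `refresh_interval` field is added without a comment. Document its unit (seconds) and that it caches the `dsdb:schema_reload_interval` setting at load time, and make sure every path that creates a `struct dsdb_schema` initialises it, since a zero value makes the `lastts > (ts - schema->refresh_interval)` test in schema_load.c skip the cached schema on almost every call.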
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index 8385ac2..752d4f5 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -39,6 +39,7 @@ struct dsdb_schema *dsdb_new_schema(TALLOC_CTX *mem_ctx)
 	if (!schema) {


-- 
Samba Shared Repository

