[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Tue Dec 11 02:50:04 MST 2012


The branch, v4-0-test has been updated
       via  3ecca2d WHATSNEW: Update changes since rc6.
       via  cfe4b43 s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
       via  78814f7 s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
       via  8e2c71f s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
       via  e037bac s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
       via  7e50d96 s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
       via  58a2a5e s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
       via  1e3f0e4 s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
       via  2cb4450 s4:dsdb/descriptor: pass object_list to create_security_descriptor()
       via  566aae7 libcli/security: calculate the correct inherited_object GUID
       via  3cda521 libcli/security: implement object_in_list()
       via  bde0414 WHATSNEW: Update release notes for Samba 4.0.0.
       via  1afacd4 s3:auth: fix create_token_from_sid() to not fail in the winbindd case
       via  c14d1da s3:auth: fix function header comment for user_sid_in_group_sid()
       via  8ee8ebb s3:auth: fix header comment for user_sid_in_group_sid()
       via  b9241d6 s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps working
       via  73c2db7 s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags interaction
       via  c6cb652 s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
       via  ac3dd3c s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is given (bug #9470)
       via  b73f780 s4:dsdb/acl_read: give some variables a better name
       via  111ecf1 s4:dsdb/acl_read: fix the calculation of the attribute array for the sub search
       via  3407dd4 s4:dsdb/acl_read: check the ldb_attr_list_copy_add() result
       via  5321239 s4:dsdb/dirsync: fix potential talloc hierarchy problems (bug #9470)
       via  45e53f0 s4:dsdb/descriptor: fix replication of NC heads
       via  d0237f6 s4:dsdb/acl_read: improve debugging for fatal error
       via  630bde0 s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
       via  0da785a s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
       via  1762d14 s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
      from  9eab38b WHATSNEW: Update changes since rc6.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 3ecca2ddb7ee57c3a7416bf04d22ba7f5bcf6540
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Dec 11 09:05:47 2012 +0100

    WHATSNEW: Update changes since rc6.
    
    Karolin
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Tue Dec 11 10:49:36 CET 2012 on sn-devel-104

commit cfe4b43b13ad9d9a25c2072f6ccf55066cea19f7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 11 03:15:26 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Michael Adam <obnox at samba.org>
    Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
    (cherry picked from commit 914a61d9e5b7a182592f3afe60f4dad1cd342fc4)

commit 78814f79e2af7ee5a155dc006f7fa61b8c061f11
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 11 03:15:26 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3)

commit 8e2c71f2003feeebc3291599afa5e2882a40c90f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 10 11:32:07 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 19b03834f08c2a6645a31fe18121534c692c18d1)

commit e037bac1f7c7bfdaddfb97a16c200e57ba087bc9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 10 11:32:07 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit e1301fef735b305736db0b6db335c37aa9fea832)

commit 7e50d9655461e28b67e4fc0eb5dcf026f9c17d2e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 10 11:32:07 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit ebb0a88722d416ad470497fd6ffa7b26abfe58bc)

commit 58a2a5ef45287e60f578e88821ba11b8cdeb5a4d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 10 11:32:07 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 999c068113af6158355634eb9a9c4b5a4d3066d8)

commit 1e3f0e4b3d2d145ccc7ed96700e148ff64c7fdd7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 10 11:32:07 2012 +0100

    s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 649fb5b61492562f1400996a6ccf33af17af5b6b)

commit 2cb4450b83bef7a6817b95228d55eca48b1f4ef0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 11 02:01:12 2012 +0100

    s4:dsdb/descriptor: pass object_list to create_security_descriptor()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit a97b5f219678e409a851d9caf8317a6ef130c12f)

commit 566aae7a0edadcca5869db07a8ce3471b25c3804
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 11 03:17:42 2012 +0100

    libcli/security: calculate the correct inherited_object GUID
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit d20c46a520a7e39dd87476cd81edab56b5543892)

commit 3cda521c0800d7ebceb4a583372b0f80f5ba11fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 11 02:00:38 2012 +0100

    libcli/security: implement object_in_list()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 75729e6703c5b5dff7feefed590086898fc03c74)

commit bde0414a07f6a25562aee21253a655fc0522180c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Dec 11 09:00:44 2012 +0100

    WHATSNEW: Update release notes for Samba 4.0.0.
    
    Karolin

commit 1afacd4bdd2de12bffa8899c9b4d90c456d78536
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 10 15:06:27 2012 +0100

    s3:auth: fix create_token_from_sid() to not fail in the winbindd case
    
    Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored
    the sid-based variant out of create_token_from_username() broke
    the case of a user handled by winbindd in that the "found_username"
    was set to NULL which caused the function to fail with
    NT_STATUS_NO_MEMORY further down.
    
    This patch fixes the function so that the case of found_username == NULL
    is cleanly separated from the NO_MEMORY case and the caller can provide
    the username in this case, if required.
    
    This fixes bug #9457.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
    (cherry picked from commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70)

commit c14d1da132da186b0d3da3acc10768a9f607628e
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 10 21:56:42 2012 +0100

    s3:auth: fix function header comment for user_sid_in_group_sid()
    
    This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8,
    which intended to fix an earlier copy'n'paste error, contained another
    typo, fixed with this commit...
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
    (cherry picked from commit 1d949cb0e51a086006612271d6f08305b68aa09c)

commit 8ee8ebb9d7143fe334e7eadb9b51edd7a5f826c1
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 10 14:48:43 2012 +0100

    s3:auth: fix header comment for user_sid_in_group_sid()
    
    This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a
    and the header comment contained copy'n'paste errors from the original
    function user_in_group_sid() that took the user name.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8)

commit b9241d62bdd1dab49867d290fbdaa48aeb4a3661
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 18:58:57 2012 +0100

    s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps working
    
    This is a regression test for bug #9470.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Michael Adam <obnox at samba.org>
    Autobuild-Date(master): Mon Dec 10 15:41:12 CET 2012 on sn-devel-104
    (cherry picked from commit 53b736444d55c4eed3abbc34974b655cc2607cd6)
    
    The last 13 patches address bug #9470 - MMC crashes.

commit 73c2db7ba4a29d3b6041d5263748dc1172cdf090
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 6 14:04:47 2012 +0100

    s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags interaction
    
    This is a regression test for bug #9470.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit e617a3fecb797031cf5a6545d51d7e116716ab52)

commit c6cb652d1d7d9b7178e192608a92f3b1be41dd5f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 6 15:56:26 2012 +0100

    s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
    
    If the sd_flags control is specified, we should return nTSecurityDescriptor
    only if the client asked for all attributes.
    
    If there's a list of only explicit attribute names, we should ignore
    the sd_flags control.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 6bc2caed8b3f153f92af013275f39c803f886a22)

commit ac3dd3ca042d59dd925d1d8bec62dc86cd1fab1e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 6 12:36:09 2012 +0100

    s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is given (bug #9470)
    
    Not returning the nTSecurityDescriptor causes a lot of problems.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 22bb2fd868b8df2244b801aeaa515a8a4036bce8)

commit b73f780f5cf4dd64b8da8d4cb45554ce0202a14f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 6 12:29:49 2012 +0100

    s4:dsdb/acl_read: give some variables a better name
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 4f8558ffaf4c9fb9e350ec528ec1ce60de5f2e24)

commit 111ecf10a7feba32fd9449388dcf97b879e3451f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 18:40:25 2012 +0100

    s4:dsdb/acl_read: fix the calculation of the attribute array for the sub search
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit db15fcfa899e1fe4d6994f68ceb299921b8aa6f1)

commit 3407dd4ee448151111c835fded0b9b6628bfeaa0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 18:39:29 2012 +0100

    s4:dsdb/acl_read: check the ldb_attr_list_copy_add() result
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit e2181617a00d7982e4e6ced1c51aa2ee8a40df26)

commit 5321239a48bc9c14300fe34ddc449d3b2afb5b3f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 19:02:10 2012 +0100

    s4:dsdb/dirsync: fix potential talloc hierarchy problems (bug #9470)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 6bcafceb750d5c4d24e2ddbef35b411bebccd66f)

commit 45e53f029e528407642dc137ca898077ead329f2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 12:56:21 2012 +0000

    s4:dsdb/descriptor: fix replication of NC heads
    
    The sub NC heads may be replicated with the parent partition;
    if we don't need to recalculate the nTSecurityDescriptor attribute in that
    case, the replication of the sub partition should handle that.
    
    This fixes error messages like this:
    descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 734d14b54834a4d03e67bcaece4f4e3cf1d10925)

commit d0237f652ea0852f2ae76267ae326b470f339222
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 13:39:31 2012 +0100

    s4:dsdb/acl_read: improve debugging for fatal error
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 802124789513ef207a154ee950dc03e66a80e0b1)

commit 630bde0aba42bb5f181b7ebda305ed6794e6052d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 11:02:49 2012 +0100

    s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
    
    Some modules might not allocate values on the correct memory context.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 14b5b729049d92c30ba518adb82c9396fdddd09f)

commit 0da785a14b9966b42a9415b905881f5511ba9032
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 10:08:14 2012 +0000

    s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
    
    We should keep the talloc hierarchy sane.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 3535f8effefef6a68d2b686abe2769d797531dd9)

commit 1762d1436217874df06d36284e1bfaef385ebdb4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 7 10:34:58 2012 +0100

    s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
    
    We should always update the ts_last_change.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 944b6863a71efc48ccc8cd9ae8ad1a3081bc1805)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  270 +++++++++++---------
 libcli/security/create_descriptor.c                |   33 +++-
 source3/auth/token_util.c                          |   16 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c          |   95 +++++--
 source4/dsdb/samdb/ldb_modules/descriptor.c        |   19 +-
 source4/dsdb/samdb/ldb_modules/dirsync.c           |    6 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |   14 +-
 source4/dsdb/samdb/ldb_modules/schema_data.c       |   24 ++-
 source4/dsdb/schema/schema_set.c                   |   14 +-
 source4/dsdb/tests/python/sec_descriptor.py        |  123 +++++++++
 .../scripting/python/samba/provision/__init__.py   |   31 ++-
 .../scripting/python/samba/provision/descriptor.py |  137 ++++++++++
 source4/setup/provision.ldif                       |    3 +
 source4/setup/provision_computers_add.ldif         |    1 +
 source4/setup/provision_configuration.ldif         |    2 +
 source4/setup/provision_users_add.ldif             |    1 +
 16 files changed, 607 insertions(+), 182 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bcf90de..3a27fda 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,68 +1,20 @@
-Release Announcements
-=====================
+                   =============================
+                   Release Notes for Samba 4.0.0
+                         December 11, 2012
+                   =============================
 
-This is the sixth release candidate of Samba 4.0.  This is *not*
-intended for production environments and is designed for testing
-purposes only.  Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
 
-In this release candidate, we have a significant number of improvements
-to our Access Control List (ACL) code, particularly for the Active
-Directory Domain Controller, but also in our general purpose file
-server.
-
-These changes are important, as they enable Group Policy Objects to work
-correctly, allow administrators to impose restrictions on some users
-reading certain parts of the directory and correctly propagating
-inherited ACLs down the LDAP directory tree.
-
-Users of the Active Directory Domain Controller upgrading from any
-previous release should run 'samba-tool ntacl sysvolreset' to re-sync
-ACLs on the sysvol share with those matching the GPOs in LDAP and the
-defaults from an initial provision.  This will set an underlying POSIX
-ACL if required.
-
-Samba 4.0 will be the next version of the Samba suite and incorporates
-all the technology found in both the Samba4 series and the
-stable 3.x series. The primary additional features over Samba 3.6 are
-support for the Active Directory logon protocols used by Windows 2000
-and above.
+This is is the first stable release of Samba 4.0.
 
 This release contains the best of all of Samba's
 technology parts, both a file server (that you can reasonably expect
 to upgrade existing Samba 3.x releases to) and the AD domain
 controller work previously known as 'samba4'.
 
-If you are upgrading, or looking to develop, test or deploy Samba 4.0
-releases candidates, you should backup all configuration and data.
-
-
-UPGRADING
-=========
-
-Users upgrading from Samba 3.x domain controllers and wanting to use
-Samba 4.0 as an AD DC should use the 'samba-tool domain
-classicupgrade' command.  See the wiki for more details:
-https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO.
-
-Users upgrading from Samba 4.0 alpha and beta releases since alpha15
-should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
-Samba.  Users upgrading from earlier alpha releases should contact the
-team for advice.
-
-Users upgrading an AD DC from any previous release should run
-'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
-with those matching the GPOs in LDAP and the defaults from an initial
-provision.  This will set an underlying POSIX ACL if required (eg not
-using the NTVFS file server).
-
-If you used the BIND9_FLATFILE or BIND9_DLZ features,
-you'll have to add '-dns' to the 'server services' option,
-as the internal dns server (SAMBA_INTERNAL) is the default now.
+Major enhancements in Samba 4.0.0 include:
 
-
-NEW FEATURES
-============
+Active Directory services
+=========================
 
 Samba 4.0 supports the server-side of the Active Directory logon
 environment used by Windows 2000 and later, so we can do full domain
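Review bot: the new opening sentence `This is is the first stable release of Samba 4.0.` has a doubled "is" and should read `This is the first stable release of Samba 4.0.`. The removed rc text also carried the advice to back up all configuration and data before upgrading; nothing in the retained text says that any more, so consider keeping that sentence in the Upgrading section that this file still has further down.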
@@ -74,7 +26,11 @@ Samba3-like logon services provided over CIFS.  We correctly generate
 the infamous Kerberos PAC, and include it with the Kerberos tickets we
 issue.
 
-Samba 4.0.0rc5 ships with two distinct file servers.  We now use the
+
+File Services
+=============
+
+Samba 4.0.0 ships with two distinct file servers.  We now use the
 file server from the Samba 3.x series 'smbd' for all file serving by
 default.
 
@@ -92,6 +48,10 @@ running an AD DC, you only need to run 'samba' (not
 nmbd/smbd/winbind), as the required services are co-coordinated by this
 master binary.
 
+
+DNS
+===
+
 As DNS is an integral part of Active Directory, we also provide two DNS
 solutions, a simple internal DNS server for 'out of the box' configurations
 and a more elaborate BIND plugin using the BIND DLZ mechanism in versions
@@ -101,16 +61,114 @@ If you chose the BIND_DLZ backend, a configuration file will be generated
 for bind to make it use this plugin, as well as a file explaining how to
 set up bind.
 
+
+NTP
+===
+
 To provide accurate timestamps to Windows clients, we integrate with
 the NTP project to provide secured NTP replies.  To use you need to
 start ntpd and configure it with the 'restrict ... ms-sntp' and
 ntpsigndsocket options.
 
+
+Python Scripting Interface
+==========================
+
 Finally, a new scripting interface has been added to Samba 4, allowing
 Python programs to interface to Samba's internals, and many tools and
 internal workings of the DC code is now implemented in python.
 
 
+Known Issues
+============
+
+- 'samba-tool domain classicupgrade' will fail when setting ACLs on
+  the GPO folders with NT_STATUS_INVALID_ONWER in the default
+  configuration.  This happens if, as is typical a 'domain admins'
+  group (-512) is mapped in the passdb backend being upgraded.  This
+  is because the group mapping to a GID only prevents Samba from
+  allocating a uid for that group.  The uid is needed so the 'domain
+  admins' group can own the GPO file objects.
+
+  To work around this issue, remove the 'domain admins' group before
+  upgrade, as it will be re-created automatically.  You will
+  of course need to fill in the group membership again.  A future release
+  will make this automatic, or find some other workaround.
+
+- This release makes the s3fs file server the default, as this is the
+  file server combination we will use for the Samba 4.0 release.
+
+- For similar reasons, sites with ACLs stored by the ntvfs file server
+  may wish to continue to use that file server implementation, as a
+  posix ACL will similarly not be set in this case.
+
+- Replication of DNS data from one AD server to another may not work.
+  The DNS data used by the internal DNS server and bind9_dlz is stored
+  in an application partition in our directory.  The replication of
+  this partition is not yet reliable.
+
+- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
+  containing _.  A workaround will be in a future release.
+
+- samba_upgradeprovision should not be run when upgrading to this release
+  from a recent release.  No important database format changes have
+  been made since alpha16.
+
+- Installation on systems without a system iconv (and developer
+  headers at compile time) is known to cause errors when dealing with
+  non-ASCII characters.
+
+- Domain member support in the 'samba' binary is in its infancy, and
+  is not comparable to the support found in winbindd.  As such, do not
+  use the 'samba' binary (provided for the AD server) on a member
+  server.
+
+- There is no NetBIOS browsing support (network neighbourhood)
+  available for the AD domain controller.  (Support in nmbd and smbd
+  for classic domains and member/standalone servers is unchanged).
+
+- Clock Synchronisation is critical.  Many 'wrong password' errors are
+  actually due to Kerberos objecting to a clock skew between client
+  and server.  (The NTP work in the previous alphas are partly to assist
+  with this problem).
+
+- The DRS replication code may fail.  Please contact the team if you
+  experience issues with DRS replication, as we have fixed many issues
+  here in response to feedback from our production users.
+
+
+Running Samba 4.0 as an AD DC
+=============================
+
+A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
+
+  http://wiki.samba.org/index.php/Samba4/HOWTO
+
+
+Upgrading
+=========
+
+Users upgrading from Samba 3.x domain controllers and wanting to use
+Samba 4.0 as an AD DC should use the 'samba-tool domain
+classicupgrade' command.  See the wiki for more details:
+https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO.
+
+Users upgrading from Samba 4.0 alpha and beta releases since alpha15
+should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
+Samba.  Users upgrading from earlier alpha releases should contact the
+team for advice.
+
+Users upgrading an AD DC from any previous release should run
+'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
+with those matching the GPOs in LDAP and the defaults from an initial
+provision.  This will set an underlying POSIX ACL if required (eg not
+using the NTVFS file server).
+
+If you used the BIND9_FLATFILE or BIND9_DLZ features,
+you'll have to add '-dns' to the 'server services' option,
+as the internal dns server (SAMBA_INTERNAL) is the default now.
+
+
 ######################################################################
 Changes
 #######
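Review bot: the Known Issues list moved in here keeps rc-era wording and two typos that should be fixed before the final notes ship. `NT_STATUS_INVALID_ONWER` should be `NT_STATUS_INVALID_OWNER`; `This happens if, as is typical a 'domain admins'` needs a comma after `typical`; and `The NTP work in the previous alphas are partly to assist` should be `is partly to assist`. The item `This release makes the s3fs file server the default, as this is the file server combination we will use for the Samba 4.0 release.` reads oddly inside the 4.0.0 notes themselves, and the items promising `A workaround will be in a future release` and warning against `samba_upgradeprovision` for upgrades `from a recent release` should be re-checked against what actually holds for 4.0.0.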
@@ -181,12 +239,18 @@ smb.conf changes
    winbindd socket directory		New
 
 
+Commit Highlights
+=================
+
+
+
 CHANGES SINCE 4.0.0rc6
 ======================
 
 o   Michael Adam <obnox at samba.org>
     * BUG 9456: developer-build: Fix panic when acl_xattr fails with access
       denied.
+    * BUG 9457: Fix "map username script" with "security=ads" and Winbind.
 
 
 o   Jeremy Allison <jra at samba.org>
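Review bot: the new `Commit Highlights` heading is followed only by blank lines before `CHANGES SINCE 4.0.0rc6`; either fill the section in or drop the heading so the release notes do not ship an empty section.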
@@ -210,6 +274,11 @@ o   Tsukasa Hamano <hamano at osstech.co.jp>
     * BUG 9471: Fix SEGV when using second vfs module.
 
 
+o   Stefan Metzmacher <metze at samba.org>
+    * BUG 9470: Fix MMC crashes.
+    * BUG 9481: Fix ACL on "cn=partitions,cn=configuration".
+
+
 o   Andreas Schneider <asn at samba.org>
     * BUG 9459: Install manpages only if we install the target.
 
@@ -221,9 +290,25 @@ o   Richard Sharpe <realrichardsharpe at gmail.com>
 CHANGES SINCE 4.0.0rc5
 ======================
 
-With this release candidate the ACLs in the Active Directory
-are also checked on searches by default. The automatic inheritance
-of ACLs is also correctly recalculated on changes now.
+In this release candidate, we have a significant number of improvements
+to our Access Control List (ACL) code, particularly for the Active
+Directory Domain Controller, but also in our general purpose file
+server.
+
+These changes are important, as they enable Group Policy Objects to work
+correctly, allow administrators to impose restrictions on some users
+reading certain parts of the directory and correctly propagating
+inherited ACLs down the LDAP directory tree.
+
+Users of the Active Directory Domain Controller upgrading from any
+previous release should run 'samba-tool ntacl sysvolreset' to re-sync
+ACLs on the sysvol share with those matching the GPOs in LDAP and the
+defaults from an initial provision.  This will set an underlying POSIX
+ACL if required.
+
+The ACLs in the Active Directory are also checked on searches by default.
+The automatic inheritance of ACLs is also correctly recalculated on
+changes now.
 
 o   Michael Adam <obnox at samba.org>
     * BUG 9350: Fail "configure --with-ads" if ads support is not available.
@@ -678,71 +763,6 @@ o   Andreas Schneider <asn at samba.org>
       registry.
 
 
-KNOWN ISSUES
-============
-
-- 'samba-tool domain classicupgrade' will fail when setting ACLs on
-  the GPO folders with NT_STATUS_INVALID_ONWER in the default
-  configuration.  This happens if, as is typical a 'domain admins'
-  group (-512) is mapped in the passdb backend being upgraded.  This
-  is because the group mapping to a GID only prevents Samba from
-  allocating a uid for that group.  The uid is needed so the 'domain
-  admins' group can own the GPO file objects.
-
-  To work around this issue, remove the 'domain admins' group before
-  upgrade, as it will be re-created automatically.  You will
-  of course need to fill in the group membership again.  A future release
-  will make this automatic, or find some other workaround.
-
-- This release makes the s3fs file server the default, as this is the
-  file server combination we will use for the Samba 4.0 release.
-
-- For similar reasons, sites with ACLs stored by the ntvfs file server
-  may wish to continue to use that file server implementation, as a
-  posix ACL will similarly not be set in this case.
-
-- Replication of DNS data from one AD server to another may not work.
-  The DNS data used by the internal DNS server and bind9_dlz is stored
-  in an application partition in our directory.  The replication of
-  this partition is not yet reliable.
-
-- Replication may fail on FreeBSD due to getaddrinfo() rejecting names
-  containing _.  A workaround will be in a future release.
-
-- samba_upgradeprovision should not be run when upgrading to this release
-  from a recent release.  No important database format changes have
-  been made since alpha16.
-
-- Installation on systems without a system iconv (and developer
-  headers at compile time) is known to cause errors when dealing with
-  non-ASCII characters.
-
-- Domain member support in the 'samba' binary is in its infancy, and
-  is not comparable to the support found in winbindd.  As such, do not
-  use the 'samba' binary (provided for the AD server) on a member
-  server.
-
-- There is no NetBIOS browsing support (network neighbourhood)
-  available for the AD domain controller.  (Support in nmbd and smbd
-  for classic domains and member/standalone servers is unchanged).
-
-- Clock Synchronisation is critical.  Many 'wrong password' errors are
-  actually due to Kerberos objecting to a clock skew between client
-  and server.  (The NTP work in the previous alphas are partly to assist
-  with this problem).
-
-- The DRS replication code may fail.  Please contact the team if you
-  experience issues with DRS replication, as we have fixed many issues
-  here in response to feedback from our production users.
-
-
-RUNNING Samba 4.0 as an AD DC
-=============================
-
-A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
-
-  http://wiki.samba.org/index.php/Samba4/HOWTO
-
 #######################################
 Reporting bugs & Development Discussion
 #######################################
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 0cac2e4..42ca1a7 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -80,9 +80,30 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
 * and it does not seem to have any influence */
 static bool object_in_list(struct GUID *object_list, struct GUID *object)
 {
-	return true;
+	size_t i;
+
+	if (object_list == NULL) {
+		return true;
+	}
+
+	if (GUID_all_zero(object)) {
+		return true;
+	}
+
+	for (i=0; ; i++) {
+		if (GUID_all_zero(&object_list[i])) {
+			return false;
+		}
+		if (!GUID_equal(&object_list[i], object)) {
+			continue;
+		}
+
+		return true;
+	}
+
+	return false;
 }
- 
+
 /* returns true if the ACE gontains generic information
  * that needs to be processed additionally */
  
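Review bot: the loop `for (i=0; ; i++)` terminates only when it meets an all-zero sentinel GUID, so object_list must be zero-terminated; that contract is not stated anywhere, and the comment just above the function ("it does not seem to have any influence") is now stale because object_in_list() really filters. Suggest documenting the sentinel in the function comment and dropping the stale remark; the `return false;` after the loop is unreachable and can go as well. The context line below also carries a typo ("gontains" for "contains").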
@@ -165,7 +186,13 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 
 			if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
 			    ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
-				if (!object_in_list(object_list, &ace->object.object.type.type)) {
+				struct GUID inherited_object = GUID_zero();
+
+				if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+					inherited_object = ace->object.object.inherited_type.inherited_type;
+				}
+
+				if (!object_in_list(object_list, &inherited_object)) {
 					tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
 				}
 
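Review bot: when SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT is clear, inherited_object stays GUID_zero() and object_in_list() treats an all-zero GUID as matching every class, so such ACEs are inherited by every child object; that is the intended meaning of an absent InheritedObjectType, but it relies on the GUID_all_zero short-circuit inside object_in_list(), so a one-line comment here would make the dependency explicit. Matching against ace->object.object.type.type, as the removed line did, compared the access object type rather than the inherited object type, so switching to inherited_type is the right fix.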
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index aad34cb..841bc52 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -610,6 +610,11 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
 		*found_username = talloc_strdup(mem_ctx,
 						pdb_get_username(sam_acct));
 
+		if (found_username == NULL) {
+			result = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
 		/*
 		 * If the SID from lookup_name() was the guest sid, passdb knows
 		 * about the mapping of guest sid to lp_guestaccount()
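Review bot: the new check tests the wrong pointer: `if (found_username == NULL)` inspects the caller's out-parameter, which is non-NULL whenever this code runs, instead of `*found_username`, which is what talloc_strdup() just assigned. As written an allocation failure is never caught here, and because the same patch removes the `(*found_username == NULL)` test at the end of the function, this path loses the NULL check it had before. Change it to `if (*found_username == NULL) {`.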
@@ -700,6 +705,10 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
 
 		/* Ensure we're returning the found_username on the right context. */
 		*found_username = talloc_strdup(mem_ctx, pass->pw_name);
+		if (found_username == NULL) {
+			result = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
 	} else {
 
 		/* This user is from winbind, force the primary gid to the
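Review bot: same defect as the earlier hunk: `if (found_username == NULL)` should read `if (*found_username == NULL)` so that the talloc_strdup() result, not the out-parameter, is checked.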
@@ -737,7 +746,6 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
 
 		gids = gid;
 
-		/* Ensure we're returning the found_username on the right context. */
 		*found_username = NULL;
 	}
 
@@ -770,7 +778,7 @@ static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
 	*token = create_local_nt_token(mem_ctx, user_sid,
 				       is_guest, num_group_sids, group_sids);
 
-	if ((*token == NULL) || (*found_username == NULL)) {
+	if (*token == NULL) {
 		result = NT_STATUS_NO_MEMORY;
 		goto done;
 	}
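Review bot: dropping `(*found_username == NULL)` from this check is what lets the winbind case (where *found_username is now deliberately set to NULL) succeed, but it also means create_token_from_sid() can return NT_STATUS_OK with a NULL *found_username; callers that dereference it unconditionally need auditing, and the function's header comment should state the new contract. Note as well that the two talloc_strdup() checks added earlier in this patch test the wrong pointer, so until they are corrected the passdb and getpwuid paths have no working NULL check at all.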
@@ -845,9 +853,9 @@ done:
 }
 
 /***************************************************************************
- Build upon create_token_from_username:
+ Build upon create_token_from_sid:
 
- Expensive helper function to figure out whether a user given its name is
+ Expensive helper function to figure out whether a user given its sid is
  member of a particular group.
 ***************************************************************************/
 
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 92744f2..9955451 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -45,9 +45,9 @@ struct aclread_context {
 	const char * const *attrs;
 	const struct dsdb_schema *schema;
 	uint32_t sd_flags;
-	bool sd;
-	bool instance_type;
-	bool object_sid;
+	bool added_nTSecurityDescriptor;
+	bool added_instanceType;
+	bool added_objectSid;
 	bool indirsync;
 };
 
@@ -91,7 +91,9 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 		msg = ares->message;
 		ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
 		if (ret != LDB_SUCCESS || sd == NULL ) {
-			DEBUG(10, ("acl_read: cannot get descriptor\n"));
+			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+				      "acl_read: cannot get descriptor of %s\n",
+				      ldb_dn_get_linearized(msg->dn));
 			ret = LDB_ERR_OPERATIONS_ERROR;
 			goto fail;
 		}
@@ -113,6 +115,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 				talloc_free(tmp_ctx);
 				return LDB_SUCCESS;
 			} else if (ret != LDB_SUCCESS) {
+				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+					      "acl_read: %s check parent %s - %s\n",
+					      ldb_dn_get_linearized(msg->dn),
+					      ldb_strerror(ret),
+					      ldb_errstring(ldb));
 				goto fail;
 			}
 		}
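Review bot: ldb_errstring() returns NULL when no error string has been set on the context, and passing NULL to a %s conversion is undefined behaviour (glibc merely happens to print "(null)"). Guard it before the call, for example with `ldb_errstring(ldb) ? ldb_errstring(ldb) : "(no error string)"`. Including the object DN and the ldb_strerror() text in the message is otherwise a good addition for tracing which parent check failed.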


-- 
Samba Shared Repository
