[SCM] Samba Shared Repository - branch master updated
Christian Ambach
ambi at samba.org
Tue May 8 03:16:02 MDT 2012
The branch, master has been updated
via 2ae02ef s3:vfs/shadow_copy2 fix some compiler warnings
via 617b636 s3:vfs/shadow_copy2 make descending sort order the default
via a7df061 docs:autorid document ignore builtin parameter
via 0bedec7 s3:winbindd/autorid add ignore builtin parameter
via da97234 docs:autorid document read-only parameter
via 2997f2f s3:winbindd/autorid add support for read-only mode
via 6bda0f6 docs:autorid document how well-known SIDs will be mapped
via 920e3e3 s3:winbindd/autorid preallocate well-known SIDs
from e8e5afd krb5samba: Add smb_krb5_make_pac_checksum.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2ae02efabd5151c849ea079851607e7f45cf7a6f
Author: Christian Ambach <ambi at samba.org>
Date: Tue May 8 09:15:12 2012 +0200
s3:vfs/shadow_copy2 fix some compiler warnings
about unused variables
Autobuild-User: Christian Ambach <ambi at samba.org>
Autobuild-Date: Tue May 8 11:15:07 CEST 2012 on sn-devel-104
commit 617b63658b02957422359a76fd8b8e4748d228ee
Author: Christian Ambach <ambi at samba.org>
Date: Tue May 8 09:11:36 2012 +0200
s3:vfs/shadow_copy2 make descending sort order the default
otherwise Explorer won't work correctly when trying to restore a folder
commit a7df061ddfc9cdb8ea41cf770ce9c28523246d45
Author: Christian Ambach <ambi at samba.org>
Date: Mon May 7 19:17:18 2012 +0200
docs:autorid document ignore builtin parameter
commit 0bedec7abea5f8dea5d6bd1fbb600f7beebabef9
Author: Christian Ambach <ambi at samba.org>
Date: Mon May 7 19:14:56 2012 +0200
s3:winbindd/autorid add ignore builtin parameter
BUILTIN should be handled by passdb; however, if passdb does not know
about a SID, autorid creates a range for BUILTIN and does a deterministic mapping.
This makes it possible to turn off that behavior.
commit da9723478321565fc552cced964d3e72c69f634b
Author: Christian Ambach <ambi at samba.org>
Date: Mon May 7 19:02:23 2012 +0200
docs:autorid document read-only parameter
commit 2997f2fe807cde8d22eaf4f253f9a64a8aca833a
Author: Christian Ambach <ambi at samba.org>
Date: Mon May 7 14:19:26 2012 +0200
s3:winbindd/autorid add support for read-only mode
make it possible to set read-only = yes for the backend
so users can replicate an autorid.tdb to another server
to use the same mappings without risking that updates
are done on both sides
commit 6bda0f6f88d381c93d1a46b46ad7fce7bed2d2de
Author: Christian Ambach <ambi at samba.org>
Date: Mon May 7 19:08:10 2012 +0200
docs:autorid document how well-known SIDs will be mapped
they consume space in the allocation pool, and a list of the most common well-known SIDs is
preallocated to create a deterministic mapping
commit 920e3e301d066d1307f2ca7f21248891e484842e
Author: Christian Ambach <ambi at samba.org>
Date: Fri May 4 17:56:26 2012 +0200
s3:winbindd/autorid preallocate well-known SIDs
preallocate the list of well-known SIDs that Win2008R2 reports
to be groups and that are on the list in KB243330
This will allow for deterministic mapping of these SIDs, even if they
are stored in the allocation pool as this is the first thing that autorid
will allocate from the pool during module initialization
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages-3/idmap_autorid.8.xml | 18 +++++-
source3/modules/vfs_shadow_copy2.c | 9 +--
source3/winbindd/idmap_autorid.c | 99 +++++++++++++++++++++++++++++--
3 files changed, 114 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages-3/idmap_autorid.8.xml b/docs-xml/manpages-3/idmap_autorid.8.xml
index e563cdd..498ef68 100644
--- a/docs-xml/manpages-3/idmap_autorid.8.xml
+++ b/docs-xml/manpages-3/idmap_autorid.8.xml
@@ -52,7 +52,11 @@
plan accordingly for your expected number of users in a domain
with safety margins.
</para>
- <para>One range will be used for local users and groups.
+ <para>One range will be used for local users and groups and for
+ non-domain well-known SIDs like Everyone (S-1-1-0) or Creator Owner (S-1-3-0).
+ A chosen list of well-known SIDs will be preallocated on first start
+ to create deterministic mappings for those.</para>
+ <para>
Thus the number of local users and groups that can be created is
limited by this option as well. If you plan to create a large amount
of local users or groups, you will need set this parameter accordingly.
@@ -60,6 +64,18 @@
<para>The default value is 100000.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>read only = [ yes | no ]</term>
+ <listitem><para>Turn the module into read-only mode. No new ranges will be allocated
+ nor will new mappings be created in the idmap pool. Defaults to no.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ignore builtin = [ yes | no ]</term>
+ <listitem><para>Ignore any mapping requests for the BUILTIN domain.
+ Defaults to no.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index 24356ec..0e6e14f 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -159,7 +159,7 @@ static char *shadow_copy2_insert_string(TALLOC_CTX *mem_ctx,
DEBUG(10, ("strftime failed\n"));
return NULL;
}
- return talloc_asprintf(talloc_tos(), "/%s/%s",
+ return talloc_asprintf(mem_ctx, "/%s/%s",
lp_parm_const_string(
SNUM(handle->conn), "shadow", "snapdir",
".snapshots"),
@@ -997,8 +997,7 @@ static char *shadow_copy2_find_snapdir(TALLOC_CTX *mem_ctx,
return NULL;
}
-static bool shadow_copy2_snapshot_to_gmt(TALLOC_CTX *mem_ctx,
- vfs_handle_struct *handle,
+static bool shadow_copy2_snapshot_to_gmt(vfs_handle_struct *handle,
const char *name,
char *gmt, size_t gmt_len)
{
@@ -1047,7 +1046,7 @@ static void shadow_copy2_sort_data(vfs_handle_struct *handle,
const char *sort;
sort = lp_parm_const_string(SNUM(handle->conn), "shadow",
- "sort", NULL);
+ "sort", "desc");
if (sort == NULL) {
return;
}
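Review bot: With the default changed to `"desc"`, the `if (sort == NULL) return;` check directly below the changed call looks dead, assuming lp_parm_const_string hands back the supplied default whenever `shadow:sort` is unset; either drop it or leave a comment saying why it stays. The reason for the new default exists only in the commit message, so a one-line comment at the call would help the next reader: `/* newest first by default; Explorer needs this order to restore a folder */`. shadow_copy2_sort_data starts before the hunk.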
@@ -1112,7 +1111,7 @@ static int shadow_copy2_get_shadow_copy_data(
* directory
*/
if (!shadow_copy2_snapshot_to_gmt(
- tmp_ctx, handle, d->d_name,
+ handle, d->d_name,
snapshot, sizeof(snapshot))) {
DEBUG(6, ("shadow_copy2_get_shadow_copy_data: "
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index ab84104..08dcc65 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -46,6 +46,7 @@ struct autorid_global_config {
uint32_t minvalue;
uint32_t rangesize;
uint32_t maxranges;
+ bool ignore_builtin;
};
struct autorid_domain_config {
@@ -135,17 +136,22 @@ error:
}
-static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom)
+static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom,
+ bool read_only)
{
NTSTATUS ret;
/*
* try to find mapping without locking the database,
- * if it is not found create a mapping in a transaction
+ * if it is not found create a mapping in a transaction unless
+ * read-only mode has been set
*/
ret = dbwrap_fetch_uint32(autorid_db, dom->sid, &(dom->domainnum));
- if (!NT_STATUS_IS_OK(ret)) {;
+ if (!NT_STATUS_IS_OK(ret)) {
+ if (read_only) {
+ return NT_STATUS_NOT_FOUND;
+ }
ret = dbwrap_trans_do(autorid_db,
idmap_autorid_get_domainrange_action, dom);
}
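Review bot: The read_only early return rewrites every fetch failure into NT_STATUS_NOT_FOUND, so a corrupt or unreadable autorid database is reported as "no range yet" instead of as an error; the read-only branch in the later sids_to_unixids hunk (`@@ -521,7 +550,16 @@`) then treats NT_STATUS_NOT_FOUND as a benign skip, logs at DEBUG level 10 and `continue`s, which hides the failure from the administrator. Assuming dbwrap_fetch_uint32 reports a missing key as NT_STATUS_NOT_FOUND, only that status should be turned into the "skip" signal and anything else propagated: `if (read_only) { return NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) ? NT_STATUS_NOT_FOUND : ret; }`. The body of idmap_autorid_get_domainrange continues past the hunk.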
@@ -171,6 +177,12 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
globalcfg = talloc_get_type(commoncfg->private_data,
struct autorid_global_config);
+ if (dom->read_only) {
+ DEBUG(3, ("Backend is read-only, refusing "
+ "new allocation request\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
/* fetch the range for the allocation pool */
ZERO_STRUCT(domaincfg);
@@ -178,7 +190,7 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
domaincfg.globalcfg = globalcfg;
fstrcpy(domaincfg.sid, ALLOC_RANGE);
- ret = idmap_autorid_get_domainrange(&domaincfg);
+ ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(3, ("Could not determine range for allocation pool, "
@@ -413,6 +425,12 @@ static NTSTATUS idmap_autorid_map_sid_to_id(struct idmap_domain *dom,
return ret;
}
+ if (dom->read_only) {
+ DEBUG(3, ("Not allocating new mapping for %s, because backend "
+ "is read-only\n", sid_string_dbg(map->sid)));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
DEBUG(10, ("Creating new mapping in pool for %s\n",
sid_string_dbg(map->sid)));
@@ -475,6 +493,8 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
ZERO_STRUCT(domaincfg);
+ DEBUG(10, ("Trying to map %s\n", sid_string_dbg(ids[i]->sid)));
+
sid_copy(&domainsid, ids[i]->sid);
if (!sid_split_rid(&domainsid, &rid)) {
DEBUG(4, ("Could not determine domain SID from %s, "
@@ -501,11 +521,20 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
goto failure;
}
- num_mapped++;
+ if (ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
continue;
}
+ /* BUILTIN is passdb's job */
+ if (dom_sid_equal(&domainsid, &global_sid_Builtin) &&
+ global->ignore_builtin) {
+ DEBUG(10, ("Ignoring request for BUILTIN domain\n"));
+ continue;
+ }
+
/*
* Check if the domain is around
*/
@@ -521,7 +550,16 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
domaincfg.globalcfg = global;
sid_to_fstring(domaincfg.sid, &domainsid);
- ret = idmap_autorid_get_domainrange(&domaincfg);
+ ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only);
+
+ /* read-only mode and a new domain range would be required? */
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) &&
+ dom->read_only) {
+ DEBUG(10, ("read-only is enabled, did not allocate "
+ "new range for domain %s\n",
+ sid_string_dbg(&domainsid)));
+ continue;
+ }
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(3, ("Could not determine range for domain, "
@@ -684,6 +722,49 @@ static NTSTATUS idmap_autorid_saveconfig(struct autorid_global_config *cfg)
return status;
}
+static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom)
+{
+ const char *groups[] = { "S-1-1-0", "S-1-2-0", "S-1-2-1",
+ "S-1-3-0", "S-1-3-1", "S-1-3-2", "S-1-3-3", "S-1-3-4",
+ "S-1-5-1", "S-1-5-2", "S-1-5-3", "S-1-5-4", "S-1-5-6",
+ "S-1-5-7", "S-1-5-8", "S-1-5-9", "S-1-5-10", "S-1-5-11",
+ "S-1-5-12", "S-1-5-13", "S-1-5-14", "S-1-5-15",
+ "S-1-5-17", "S-1-5-18", "S-1-5-19", "S-1-5-20"
+ };
+
+ struct id_map **maps;
+ int i, num;
+ NTSTATUS status;
+
+ if (dom->read_only) {
+ return NT_STATUS_OK;
+ }
+
+ num = sizeof(groups)/sizeof(char*);
+
+ maps = talloc_zero_array(talloc_tos(), struct id_map*, num+1);
+ if (!maps) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < num; i++) {
+ maps[i] = talloc(maps, struct id_map);
+ maps[i]->xid.type = ID_TYPE_GID;
+ maps[i]->sid = dom_sid_parse_talloc(maps, groups[i]);
+ }
+
+ maps[num] = NULL;
+
+ status = idmap_autorid_sids_to_unixids(dom, maps);
+
+ DEBUG(10,("Preallocation run finished with status %s\n",
+ nt_errstr(status)));
+
+ talloc_free(maps);
+
+ return NT_STATUS_IS_OK(status)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
+}
+
static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
{
struct idmap_tdb_common_context *commonconfig;
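Review bot: In the preallocation loop neither `talloc(maps, struct id_map)` nor `dom_sid_parse_talloc()` is checked, so an allocation failure dereferences a NULL map entry and a NULL `sid` reaches idmap_autorid_sids_to_unixids, which dereferences `ids[i]->sid` unconditionally in the earlier hunk; the talloc_zero_array two lines above is checked, so the loop should be as well. Separately, the return value of this function is assigned to `status` right before `goto done` in the final hunk, so a failed preallocation run appears to fail module initialization — worth confirming that is intended. The well-known list would also benefit from a comment naming its origin, which the commit message gives as the group well-known SIDs reported by Win2008R2 and listed in KB243330. Rewritten loop:

```c
	for (i = 0; i < num; i++) {
		/* talloc_zero so the fields not set below start out defined */
		maps[i] = talloc_zero(maps, struct id_map);
		if (maps[i] == NULL) {
			talloc_free(maps);
			return NT_STATUS_NO_MEMORY;
		}
		maps[i]->xid.type = ID_TYPE_GID;
		maps[i]->sid = dom_sid_parse_talloc(maps, groups[i]);
		if (maps[i]->sid == NULL) {
			/* inputs are constant strings, so only allocation can fail here */
			talloc_free(maps);
			return NT_STATUS_NO_MEMORY;
		}
	}
	/* … unchanged: terminate the array, run sids_to_unixids, free maps … */
```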
@@ -798,6 +879,9 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
DEBUG(5, ("%d domain ranges with a size of %d are available\n",
config->maxranges, config->rangesize));
+ config->ignore_builtin = lp_parm_bool(-1, "idmap config *",
+ "ignore builtin", false);
+
/* fill the TDB common configuration */
commonconfig->private_data = config;
@@ -810,6 +894,9 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
dom->private_data = commonconfig;
+ /* preallocate well-known SIDs in the pool */
+ status = idmap_autorid_preallocate_wellknown(dom);
+
goto done;
error: