[SCM] Samba Shared Repository - branch master updated
Christian Ambach
ambi at samba.org
Wed Sep 26 22:19:02 MDT 2012
The branch, master has been updated
via 965a2fb Revert "smb.conf(5): Remove 'idmap config' documentation - the parameter has"
via 1947164 s3:nfs4acls filter away inheritance flags on files
via 19631e8 s3:nfs4acls pass down fsp instead of just the filename
via 43606bc s3:passdb formatting changes
from ee0012d samba-tool domain provision: DNS forwarder default
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 965a2fb6b6bd0401baf273b28d0a5560cde6ebcc
Author: Christian Ambach <ambi at samba.org>
Date: Wed Sep 26 18:30:37 2012 -0700
Revert "smb.conf(5): Remove 'idmap config' documentation - the parameter has"
This reverts commit e809abf55f6a2e6d93bcb5678142f56c49aea397.
This parameter still exists; it is only used as a parametric option
in the code and not easy to spot when looking for lp_xxx
Autobuild-User(master): Christian Ambach <ambi at samba.org>
Autobuild-Date(master): Thu Sep 27 06:18:38 CEST 2012 on sn-devel-104
commit 1947164feb41710842277874cae0c35bfc97e3ab
Author: Christian Ambach <ambi at samba.org>
Date: Tue Sep 25 03:25:36 2012 +0200
s3:nfs4acls filter away inheritance flags on files
While it is possible to define inheritance flags on files on Windows, this will
be denied by GPFS and UFS (and potentially others).
So it will be better to strip off these bits when they are set for files instead of
failing to set the ACL completely (this is the current behavior).
Users that want to retain the full SD will have to use acl_xattr (acl_tdb), as
other pieces of the SD are also lost when translating to NFSv4. So this should
not be too intrusive a change, but allow users to migrate data with such flags
instead of failing to migrate the ACL completely.
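The following is an added example, not Samba code, that models the behaviour change the commit message above describes: a Windows DACL carrying inheritance flags is translated to NFSv4 ACE flags and handed to a backend that, like GPFS and UFS per the message, refuses inheritance flags on non-directories. With the old behaviour the whole ACL set fails; with the new behaviour the inheritance bits are dropped for files and the rest of the ACL is stored, while directories keep them. The flag constants are the public MS-DTYP and RFC 3530 values; the backend stand-in, the sample DACL and all function names are constructed for illustration and are not Samba's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows ACE header flags (MS-DTYP ACE_HEADER.AceFlags). */
#define SEC_ACE_FLAG_OBJECT_INHERIT        0x01u
#define SEC_ACE_FLAG_CONTAINER_INHERIT     0x02u
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT  0x04u
#define SEC_ACE_FLAG_INHERIT_ONLY          0x08u
#define SEC_ACE_FLAG_INHERITED_ACE         0x10u

/* NFSv4 ACE flags (RFC 3530, section 5.11.2). */
#define ACE4_FILE_INHERIT_ACE              0x01u
#define ACE4_DIRECTORY_INHERIT_ACE         0x02u
#define ACE4_NO_PROPAGATE_INHERIT_ACE      0x04u
#define ACE4_INHERIT_ONLY_ACE              0x08u
#define ACE4_INHERIT_FLAGS (ACE4_FILE_INHERIT_ACE | ACE4_DIRECTORY_INHERIT_ACE | \
                            ACE4_NO_PROPAGATE_INHERIT_ACE | ACE4_INHERIT_ONLY_ACE)

struct nt_ace   { uint32_t flags; uint32_t access_mask; };
struct nfs4_ace { uint32_t flags; uint32_t mask; };

/* Map the four Windows inheritance flags to their NFSv4 counterparts.
 * INHERITED_ACE has no NFSv4 equivalent in this model and is dropped. */
static uint32_t win_flags_to_nfs4(uint32_t f)
{
    uint32_t out = 0;
    if (f & SEC_ACE_FLAG_OBJECT_INHERIT)       out |= ACE4_FILE_INHERIT_ACE;
    if (f & SEC_ACE_FLAG_CONTAINER_INHERIT)    out |= ACE4_DIRECTORY_INHERIT_ACE;
    if (f & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) out |= ACE4_NO_PROPAGATE_INHERIT_ACE;
    if (f & SEC_ACE_FLAG_INHERIT_ONLY)         out |= ACE4_INHERIT_ONLY_ACE;
    return out;
}

/* Constructed stand-in for a GPFS/UFS-style backend: refuses any ACE that
 * carries inheritance flags on a non-directory, accepts everything else. */
static bool backend_accepts(const struct nfs4_ace *aces, size_t n, bool is_dir)
{
    for (size_t i = 0; i < n; i++) {
        if (!is_dir && (aces[i].flags & ACE4_INHERIT_FLAGS)) {
            return false;
        }
    }
    return true;
}

/* Translate a DACL and hand it to the backend. strip_on_files == false models
 * the old behaviour (flags passed through, whole ACL rejected); true models the
 * commit (inheritance flags dropped for files). Returns the number of ACEs
 * stored, or -1 if the backend rejected the whole set. */
static int set_nt_acl(const struct nt_ace *dacl, size_t n, bool is_dir,
                      bool strip_on_files, struct nfs4_ace *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i].flags = win_flags_to_nfs4(dacl[i].flags);
        if (strip_on_files && !is_dir) {
            out[i].flags &= ~ACE4_INHERIT_FLAGS;
        }
        out[i].mask = dacl[i].access_mask;
    }
    return backend_accepts(out, n, is_dir) ? (int)n : -1;
}

/* Constructed sample DACL, as a Windows client might send it when copying a
 * file together with the ACEs it inherited from its source directory. */
static const struct nt_ace sample_dacl[] = {
    { 0, 0x001f01ffu },                                    /* plain full-control ACE */
    { SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT |
      SEC_ACE_FLAG_INHERITED_ACE, 0x001200a9u },          /* inheritable read ACE */
};
#define SAMPLE_N (sizeof(sample_dacl) / sizeof(sample_dacl[0]))

/* Result of setting the sample DACL under the given mode. */
static int sample_rc(bool is_dir, bool strip_on_files)
{
    struct nfs4_ace out[SAMPLE_N];
    return set_nt_acl(sample_dacl, SAMPLE_N, is_dir, strip_on_files, out);
}

/* NFSv4 flags the inheritable ACE ends up with under the given mode. */
static uint32_t sample_ace1_flags(bool is_dir, bool strip_on_files)
{
    struct nfs4_ace out[SAMPLE_N];
    set_nt_acl(sample_dacl, SAMPLE_N, is_dir, strip_on_files, out);
    return out[1].flags;
}

int main(void)
{
    printf("file, old behaviour: rc=%d\n", sample_rc(false, false));
    printf("file, new behaviour: rc=%d, ACE[1] flags=0x%02x\n",
           sample_rc(false, true), sample_ace1_flags(false, true));
    printf("directory, new behaviour: rc=%d, ACE[1] flags=0x%02x (kept)\n",
           sample_rc(true, true), sample_ace1_flags(true, true));
    return 0;
}
```

The practitioner's caveat is the one the commit message itself makes: the stored descriptor no longer equals what the client sent, so a client that reads the SD back after the copy sees the inheritable ACE with its inheritance flags gone rather than an error.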
commit 19631e8e7e7d871261642340ffdcec3f73dccca6
Author: Christian Ambach <ambi at samba.org>
Date: Tue Sep 25 01:34:04 2012 +0200
s3:nfs4acls pass down fsp instead of just the filename
commit 43606bcbbfe237990ab0b100cf322c0c80e90eb2
Author: Christian Ambach <ambi at samba.org>
Date: Mon Sep 24 03:03:26 2012 +0200
s3:passdb formatting changes
fix some trailing whitespace and a typo
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/winbind/idmapconfig.xml | 124 +++++++++++++++++++++++++++
source3/modules/nfs4_acls.c | 21 ++++-
source3/passdb/machine_sid.c | 14 ++--
3 files changed, 148 insertions(+), 11 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/idmapconfig.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
new file mode 100644
index 0000000..53af31f
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -0,0 +1,124 @@
+<samba:parameter name="idmap config"
+ context="G"
+ type="string"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ ID mapping in Samba is the mapping between Windows SIDs and Unix user
+ and group IDs. This is performed by Winbindd with a configurable plugin
+ interface. Samba's ID mapping is configured by options starting with the
+ <smbconfoption name="idmap config"/> prefix.
+ An idmap option consists of the <smbconfoption name="idmap config"/>
+ prefix, followed by a domain name or the asterisk character (*),
+ a colon, and the name of an idmap setting for the chosen domain.
+ </para>
+
+ <para>
+ The idmap configuration is hence divided into groups, one group
+ for each domain to be configured, and one group with the the
+ asterisk instead of a proper domain name, which specifies the
+ default configuration that is used to catch all domains that do
+ not have an explicit idmap configuration of their own.
+ </para>
+
+ <para>
+ There are three general options available:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>backend = backend_name</term>
+ <listitem><para>
+ This specifies the name of the idmap plugin to use as the
+ SID/uid/gid backend for this domain. The standard backends are
+ tdb
+ (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+ tdb2
+ (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ldap
+ (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ rid
+ (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ hash
+ (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ autorid
+ (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ ad
+ (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ ,
+ and nss.
+ (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+ The corresponding manual pages contain the details, but
+ here is a summary.
+ </para>
+ <para>
+ The first three of these create mappings of their own using
+ internal unixid counters and store the mappings in a database.
+ These are suitable for use in the default idmap configuration.
+ The rid and hash backends use a pure algorithmic calculation
+ to determine the unixid for a SID. The autorid module is a
+ mixture of the tdb and rid backend. It creates ranges for
+ each domain encountered and then uses the rid algorithm for each
+ of these automatically configured domains individually.
+ The ad backend usees unix IDs stored in Active Directory via
+ the standard schema extensions. The nss backend reverses
+ the standard winbindd setup and gets the unixids via names
+ from nsswitch which can be useful in an ldap setup.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative. For allocating backends, this also
+ defines the start and the end of the range for allocating
+ new unique IDs.
+ </para>
+ <para>
+ winbind uses this parameter to find the backend that is
+ authoritative for a unix ID to SID mapping, so it must be set
+ for each individually configured domain and for the default
+ configuration. The configured ranges must be mutually disjoint.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>read only = yes|no</term>
+ <listitem><para>
+ This option can be used to turn the writing backends
+ tdb, tdb2, and ldap into read only mode. This can be useful
+ e.g. in cases where a pre-filled database exists that should
+ not be extended automatically.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The following example illustrates how to configure the <citerefentry>
+ <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
+ </citerefentry> backend for the CORP domain and the
+ <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> backend for all other
+ domains. This configuration assumes that the admin of CORP assigns
+ unix ids below 1000000 via the SFU extensions, and winbind is supposed
+ to use the next million entries for its own mappings from trusted
+ domains and for local groups for example.
+ </para>
+
+ <programlisting>
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+
+ idmap config CORP : backend = ad
+ idmap config CORP : range = 1000-999999
+ </programlisting>
+
+</description>
+</samba:parameter>
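Review bot: the backend list in the `backend` varlistentry is mis-punctuated and will render as `..., , rid (...), , hash (...), ...`: each backend after ldap is followed by a line holding only `,`, and the last entry reads `and nss.` with its `<citerefentry>` and a stray trailing comma placed after the full stop. Suggest dropping the lone-comma lines and moving the period to after the idmap_nss citerefentry. Two further typos in the reinstated text: `one group with the the asterisk` in the second para and `The ad backend usees unix IDs` in the backend description. Since this is a revert the text is as it was before removal, but the `idmap config` page is what admins read when laying out SID-to-unixid ranges, and the `range` entry's requirement that configured ranges be mutually disjoint is the part worth getting rendered cleanly.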
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index ac56bfb..b4fd514 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -574,7 +574,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
static bool smbacl4_fill_ace4(
TALLOC_CTX *mem_ctx,
- const char *filename,
+ const files_struct *fsp,
smbacl4_vfs_params *params,
uid_t ownerUID,
gid_t ownerGID,
@@ -582,6 +582,7 @@ static bool smbacl4_fill_ace4(
SMB_ACE4PROP_T *ace_v4 /* output */
)
{
+ const char *filename = fsp->fsp_name->base_name;
DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee)));
memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T));
@@ -591,6 +592,17 @@ static bool smbacl4_fill_ace4(
ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(
ace_nt->flags);
+
+ /* remove inheritance flags on files */
+ if (VALID_STAT(fsp->fsp_name->st) &&
+ !S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("Removing inheritance flags from a file\n"));
+ ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE|
+ SMB_ACE4_DIRECTORY_INHERIT_ACE|
+ SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
+ SMB_ACE4_INHERIT_ONLY_ACE);
+ }
+
ace_v4->aceMask = ace_nt->access_mask &
(SEC_STD_ALL | SEC_FILE_ALL);
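Review bot: the stripping only fires when `VALID_STAT(fsp->fsp_name->st)` holds, so if the cached stat on the fsp is invalid the inheritance flags pass through unchanged and the ACL set fails on GPFS/UFS exactly as before, with nothing logged to say the new path was skipped. `smb_set_nt_acl_nfs4` already has a fresh `sbuf` for this file (it passes `sbuf.st_ex_uid, sbuf.st_ex_gid` into `smbacl4_win2nfs4` in the last hunk), so either derive the directory check from that or make the invalid-stat case explicit. Separately, silently dropping bits from the security descriptor the client asked for is a behavioural change an administrator may need to see; at `DEBUG(10, ...)` it is invisible under normal log levels, so consider the same level 3 used for the `Could not fill ace for file %s` message.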
@@ -673,7 +685,7 @@ static int smbacl4_MergeIgnoreReject(
}
static SMB4ACL_T *smbacl4_win2nfs4(
- const char *filename,
+ const files_struct *fsp,
const struct security_acl *dacl,
smbacl4_vfs_params *pparams,
uid_t ownerUID,
@@ -683,6 +695,7 @@ static SMB4ACL_T *smbacl4_win2nfs4(
SMB4ACL_T *theacl;
uint32 i;
TALLOC_CTX *mem_ctx = talloc_tos();
+ const char *filename = fsp->fsp_name->base_name;
DEBUG(10, ("smbacl4_win2nfs4 invoked\n"));
@@ -694,7 +707,7 @@ static SMB4ACL_T *smbacl4_win2nfs4(
SMB_ACE4PROP_T ace_v4;
bool addNewACE = True;
- if (!smbacl4_fill_ace4(mem_ctx, filename, pparams,
+ if (!smbacl4_fill_ace4(mem_ctx, fsp, pparams,
ownerUID, ownerGID,
dacl->aces + i, &ace_v4)) {
DEBUG(3, ("Could not fill ace for file %s, SID %s\n",
@@ -791,7 +804,7 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
return NT_STATUS_OK;
}
- theacl = smbacl4_win2nfs4(fsp->fsp_name->base_name, psd->dacl, ¶ms,
+ theacl = smbacl4_win2nfs4(fsp, psd->dacl, ¶ms,
sbuf.st_ex_uid, sbuf.st_ex_gid);
if (!theacl)
return map_nt_error_from_unix(errno);
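Review bot: `¶ms` in the changed call is almost certainly the list archive's rendering of `&params` (the `&para` prefix was decoded as an HTML entity into the pilcrow character); the unchanged `-` line shows the same artefact, so the patch itself is fine, but anyone reconstructing the call from this mail needs to restore the ampersand.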
diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c
index 56edb17..cdef1d6 100644
--- a/source3/passdb/machine_sid.c
+++ b/source3/passdb/machine_sid.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
Password and authentication handling
Copyright (C) Jeremy Allison 1996-2002
@@ -180,7 +180,7 @@ static struct dom_sid *pdb_generate_sam_sid(void)
}
return sam_sid;
-}
+}
/* return our global_sam_sid */
struct dom_sid *get_global_sam_sid(void)
@@ -194,7 +194,7 @@ struct dom_sid *get_global_sam_sid(void)
* memory for global_sam_sid is allocated in
* pdb_generate_sam_sid() as needed
*
- * Note: this is garded by a transaction
+ * Note: this is guarded by a transaction
* to prevent races on startup which
* can happen with some dbwrap backends
*/
@@ -220,8 +220,8 @@ struct dom_sid *get_global_sam_sid(void)
return global_sam_sid;
}
-/**
- * Force get_global_sam_sid to requery the backends
+/**
+ * Force get_global_sam_sid to requery the backends
*/
void reset_global_sam_sid(void)
{
@@ -230,7 +230,7 @@ void reset_global_sam_sid(void)
/*****************************************************************
Check if the SID is our sam SID (S-1-5-21-x-y-z).
-*****************************************************************/
+*****************************************************************/
bool sid_check_is_our_sam(const struct dom_sid *sid)
{
@@ -239,7 +239,7 @@ bool sid_check_is_our_sam(const struct dom_sid *sid)
/*****************************************************************
Check if the SID is our domain SID (S-1-5-21-x-y-z).
-*****************************************************************/
+*****************************************************************/
bool sid_check_is_in_our_sam(const struct dom_sid *sid)
{
--
Samba Shared Repository