[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Feb 5 02:42:04 MST 2014
The branch, master has been updated
via 741e5dc dsdb: Add more tests for DN+String and DN+Binary comparisons
via f279a29 provision: capture slightly less generic exceptions during the test for acls
via ad773cc pysmbd: improve the return of error codes in the python smbd bindings
via b27543a provision: improve error message when connecting to samdb without the correct permissions
via e76bbef ldb: pass module init errors back to the caller
via 262c3de dsdb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
via 673d415 ldb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
via a89060a provision: Fix failures on re-provision incorrectly blamed on posix acl support.
from 40e6456 s3-auth: Add passwd_to_SamInfo3().
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 741e5dca09053d0fc9a6e2a112113f1828a95759
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 5 16:22:11 2014 +1300
dsdb: Add more tests for DN+String and DN+Binary comparisons
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Feb 5 10:41:37 CET 2014 on sn-devel-104
commit f279a297a4a94c5cbc049c9b2cde14b02960a76f
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Feb 5 15:40:59 2014 +1300
provision: capture slightly less generic exceptions during the test for acls
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit ad773cc01435e65fa5d8e84758b0642069e96c40
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Feb 5 15:31:22 2014 +1300
pysmbd: improve the return of error codes in the python smbd bindings
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit b27543aa729ca893270831d5c4fc74ea7ac6d407
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Feb 5 15:29:18 2014 +1300
provision: improve error message when connecting to samdb without the correct permissions
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit e76bbef8b796441985550c553db1ab48d6495709
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 5 15:19:41 2014 +1300
ldb: pass module init errors back to the caller
This makes provision errors clearer in Samba, as we can now get
permission denied errors presented from LDB modules.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit 262c3de3f880bb08b1220d1e755bb31365dab49b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 5 14:53:26 2014 +1300
dsdb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
This makes provision errors clearer in Samba.
Andrew Bartlett
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit 673d41503c6e391337df1b86e49108d58f1af6bd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 5 14:52:28 2014 +1300
ldb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
This makes provision errors clearer in Samba.
Andrew Bartlett
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit a89060a0217f8740798d1dac4466222301a4d81b
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Nov 27 15:26:14 2013 +1300
provision: Fix failures on re-provision incorrectly blamed on posix acl support.
By doing the test later, there is an actual sam.ldb file that can be connected to.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/ldb/common/ldb.c | 5 +-
lib/ldb/ldb_tdb/ldb_tdb.c | 7 ++-
python/samba/provision/__init__.py | 59 +++++++++++---------
source3/smbd/pysmbd.c | 58 +++++++++----------
source4/dsdb/common/tests/dsdb_dn.c | 14 +++++
.../dsdb/samdb/ldb_modules/partition_metadata.c | 11 ++-
6 files changed, 88 insertions(+), 66 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index e5fa819..36f1c37 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -257,11 +257,12 @@ int ldb_connect(struct ldb_context *ldb, const char *url,
return ret;
}
- if (ldb_load_modules(ldb, options) != LDB_SUCCESS) {
+ ret = ldb_load_modules(ldb, options);
+ if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_FATAL,
"Unable to load modules for %s: %s",
url, ldb_errstring(ldb));
- return LDB_ERR_OTHER;
+ return ret;
}
/* set the default base dn */
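Review bot: `return ret;` now hands callers of ldb_connect() whatever code ldb_load_modules() produced instead of the fixed LDB_ERR_OTHER, so any caller that compared the result against LDB_ERR_OTHER will stop matching. Those callers are worth checking, and the change in return values belongs in the function's documentation. The ldb_debug() call above it still prints only ldb_errstring(ldb); including the numeric ret there would help when a module fails without setting an error string.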
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 30c58f5..d3c83f5 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -1560,10 +1560,13 @@ static int ltdb_connect(struct ldb_context *ldb, const char *url,
ldb_get_create_perms(ldb), ldb);
if (!ltdb->tdb) {
ldb_asprintf_errstring(ldb,
- "Unable to open tdb '%s'", path);
+ "Unable to open tdb '%s': %s", path, strerror(errno));
ldb_debug(ldb, LDB_DEBUG_ERROR,
- "Unable to open tdb '%s'", path);
+ "Unable to open tdb '%s': %s", path, strerror(errno));
talloc_free(ltdb);
+ if (errno == EACCES || errno == EPERM) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
return LDB_ERR_OPERATIONS_ERROR;
}
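Review bot: the `errno == EACCES || errno == EPERM` test reads errno only after ldb_asprintf_errstring(), ldb_debug() and talloc_free(ltdb) have run, and any of those calls may change errno, so the comparison (and the second strerror(errno)) can see a different value from the one the failed open left behind. Copy errno into a local immediately inside the `if (!ltdb->tdb)` branch and use that local for both messages and for the comparison.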
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 151444d..0acd6f4 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1203,7 +1203,13 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
# And now we can connect to the DB - the schema won't be loaded from the
# DB
- samdb.connect(path)
+ try:
+ samdb.connect(path)
+ except ldb.LdbError, (num, string_error):
+ if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS):
+ raise ProvisioningError("Permission denied connecting to %s, are you running as root?" % path)
+ else:
+ raise
# But we have to give it one more kick to have it use the schema
# during provision - it needs, now that it is connected, to write
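Review bot: in `except ldb.LdbError, (num, string_error):` the name string_error is bound but never used, so the ProvisioningError raised for ERR_INSUFFICIENT_ACCESS_RIGHTS discards the underlying LDB message, which the ldb_tdb.c change in this push extends with the strerror() text. Suggest appending string_error to the "Permission denied connecting to %s" message so the path and the OS-level reason both reach the user. The parentheses around the `if` condition are also unnecessary in Python.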
@@ -1527,6 +1533,31 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
s4_passdb = None
if not use_ntvfs:
+ s3conf = s3param.get_context()
+ s3conf.load(lp.configfile)
+
+ file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol))
+ try:
+ try:
+ smbd.set_simple_acl(file.name, 0755, gid)
+ except OSError:
+ if not smbd.have_posix_acls():
+ # This clue is only strictly correct for RPM and
+ # Debian-like Linux systems, but hopefully other users
+ # will get enough clue from it.
+ raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. "
+ "Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
+
+ raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. "
+ "Try the mounting the filesystem with the 'acl' option.")
+ try:
+ smbd.chown(file.name, uid, gid)
+ except OSError:
+ raise ProvisioningError("Unable to chown a file on your filesystem. "
+ "You may not be running provision as root.")
+ finally:
+ file.close()
+
# This will ensure that the smbd code we are running when setting ACLs
# is initialised with the smb.conf
s3conf = s3param.get_context()
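Review bot: the added `s3conf = s3param.get_context()` and `s3conf.load(lp.configfile)` at the top of the `if not use_ntvfs:` block duplicate the existing initialisation that follows the "This will ensure that the smbd code we are running when setting ACLs" comment; the context shows `s3conf = s3param.get_context()` again right after the new block. Place the temporary-file probe below the existing initialisation instead of loading the configuration twice. The two except clauses narrowed to OSError also mean any other exception from smbd.set_simple_acl() or smbd.chown() now escapes without the ProvisioningError hint, which should be confirmed as intended. The carried-over message "Try the mounting the filesystem" has a stray "the".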
@@ -2032,32 +2063,6 @@ def provision(logger, session_info, smbconf=None,
if paths.sysvol and not os.path.exists(paths.sysvol):
os.makedirs(paths.sysvol, 0775)
- if not use_ntvfs and serverrole == "active directory domain controller":
- s3conf = s3param.get_context()
- s3conf.load(lp.configfile)
-
- if paths.sysvol is None:
- raise MissingShareError("sysvol", paths.smbconf)
-
- file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
- try:
- try:
- smbd.set_simple_acl(file.name, 0755, root_gid)
- except Exception:
- if not smbd.have_posix_acls():
- # This clue is only strictly correct for RPM and
- # Debian-like Linux systems, but hopefully other users
- # will get enough clue from it.
- raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
-
- raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
- try:
- smbd.chown(file.name, root_uid, root_gid)
- except Exception:
- raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.")
- finally:
- file.close()
-
ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
schema = Schema(domainsid, invocationid=invocationid,
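Review bot: the removed block raised MissingShareError("sysvol", paths.smbconf) when paths.sysvol was None and ran only when serverrole == "active directory domain controller"; the copy added to setsysvolacl() keeps neither check and passes sysvol straight to os.path.abspath(). Either confirm that every caller of setsysvolacl() supplies a non-None sysvol and is limited to the domain controller role, or carry the None check over, and say in the commit message that dropping the role condition is intentional.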
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 683c48c..df0f430 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -76,11 +76,10 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
return conn;
}
-static NTSTATUS set_sys_acl_conn(const char *fname,
+static int set_sys_acl_conn(const char *fname,
SMB_ACL_TYPE_T acltype,
SMB_ACL_T theacl, connection_struct *conn)
{
- NTSTATUS status = NT_STATUS_OK;
int ret;
mode_t saved_umask;
@@ -91,16 +90,11 @@ static NTSTATUS set_sys_acl_conn(const char *fname,
saved_umask = umask(0);
ret = SMB_VFS_SYS_ACL_SET_FILE( conn, fname, acltype, theacl);
- if (ret != 0) {
- status = map_nt_error_from_unix_common(ret);
- DEBUG(0,("set_sys_acl_conn: SMB_VFS_SYS_ACL_SET_FILE "
- "returned zero.\n"));
- }
umask(saved_umask);
TALLOC_FREE(frame);
- return status;
+ return ret;
}
static NTSTATUS set_nt_acl_conn(const char *fname,
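Review bot: `return ret;` passes back the raw return value of SMB_VFS_SYS_ACL_SET_FILE(), and the callers changed later in this patch assign it to errno (`errno = ret;`). If the VFS call reports failure as -1 with the reason in errno, which is what the removed chown and unlink code assumed by reading errno, the Python caller ends up with an OSError carrying -1 rather than EACCES or ENOTSUP. Capture errno directly after the VFS call, before umask(saved_umask) and TALLOC_FREE(frame) can disturb it, and return that value on failure. The function comment should state which of the two conventions the int return follows.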
@@ -319,8 +313,8 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
{
const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
- NTSTATUS status;
char *fname, *service = NULL;
+ int ret;
int mode, gid = -1;
SMB_ACL_T acl;
TALLOC_CTX *frame;
@@ -340,12 +334,16 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject
return NULL;
}
- status = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
+ ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
TALLOC_FREE(acl);
- TALLOC_FREE(frame);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ errno = ret;
+ return PyErr_SetFromErrno(PyExc_OSError);
+ }
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
+ TALLOC_FREE(frame);
Py_RETURN_NONE;
}
@@ -357,7 +355,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
{
const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
connection_struct *conn;
- NTSTATUS status = NT_STATUS_OK;
int ret;
char *fname, *service = NULL;
@@ -383,27 +380,26 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
ret = SMB_VFS_CHOWN( conn, fname, uid, gid);
if (ret != 0) {
- status = map_nt_error_from_unix_common(errno);
- DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
+ umask(saved_umask);
+ TALLOC_FREE(frame);
+ errno = ret;
+ return PyErr_SetFromErrno(PyExc_OSError);
}
umask(saved_umask);
TALLOC_FREE(frame);
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
-
Py_RETURN_NONE;
}
/*
- chown a file
+ unlink a file
*/
static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
{
const char * const kwnames[] = { "fname", "service", NULL };
connection_struct *conn;
- NTSTATUS status = NT_STATUS_OK;
int ret;
struct smb_filename *smb_fname = NULL;
char *fname, *service = NULL;
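Review bot: in py_smbd_chown() the added `errno = ret;` overwrites errno with the return value of SMB_VFS_CHOWN(), whereas the removed lines took the failure reason from errno itself (`map_nt_error_from_unix_common(errno)`, `strerror(errno)`). Unless SMB_VFS_CHOWN() returns an errno value directly, PyErr_SetFromErrno() will report the wrong error. Save errno in a local right after the call, run umask(saved_umask) and TALLOC_FREE(frame), then restore it before `return PyErr_SetFromErrno(PyExc_OSError);`. The same pattern appears in the unlink and set_sys_acl paths of this file.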
@@ -427,19 +423,18 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs
smb_fname = synthetic_smb_fname_split(frame, fname, NULL);
if (smb_fname == NULL) {
TALLOC_FREE(frame);
- PyErr_NTSTATUS_IS_ERR_RAISE(NT_STATUS_NO_MEMORY);
+ return PyErr_NoMemory();
}
ret = SMB_VFS_UNLINK(conn, smb_fname);
if (ret != 0) {
- status = map_nt_error_from_unix_common(errno);
- DEBUG(0,("unlink returned failure: %s\n", strerror(errno)));
+ TALLOC_FREE(frame);
+ errno = ret;
+ return PyErr_SetFromErrno(PyExc_OSError);
}
TALLOC_FREE(frame);
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
-
Py_RETURN_NONE;
}
@@ -541,7 +536,7 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k
{
const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
TALLOC_CTX *frame = talloc_stackframe();
- NTSTATUS status;
+ int ret;
char *fname, *service = NULL;
PyObject *py_acl;
struct smb_acl_t *acl;
@@ -568,8 +563,12 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k
acl = pytalloc_get_type(py_acl, struct smb_acl_t);
- status = set_sys_acl_conn(fname, acl_type, acl, conn);
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
+ ret = set_sys_acl_conn(fname, acl_type, acl, conn);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ errno = ret;
+ return PyErr_SetFromErrno(PyExc_OSError);
+ }
TALLOC_FREE(frame);
Py_RETURN_NONE;
@@ -588,7 +587,6 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k
TALLOC_CTX *frame = talloc_stackframe();
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
connection_struct *conn;
- NTSTATUS status = NT_STATUS_OK;
char *service = NULL;
if (!tmp_ctx) {
PyErr_NoMemory();
@@ -614,9 +612,7 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k
if (!acl) {
TALLOC_FREE(frame);
TALLOC_FREE(tmp_ctx);
- status = map_nt_error_from_unix_common(errno);
- DEBUG(0,("sys_acl_get_file returned NULL: %s\n", strerror(errno)));
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
+ return PyErr_SetFromErrno(PyExc_OSError);
}
py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
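Review bot: in the `if (!acl)` branch, TALLOC_FREE(frame) and TALLOC_FREE(tmp_ctx) run before `return PyErr_SetFromErrno(PyExc_OSError);`, so the errno that Python reports is whatever is left after the two frees rather than the value set by the failed ACL lookup. Save errno into a local at the top of the branch and assign it back just before PyErr_SetFromErrno(). The removed DEBUG(0) line was also the only log of this failure, so confirm the Python exception is surfaced to the user everywhere this binding is called.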
diff --git a/source4/dsdb/common/tests/dsdb_dn.c b/source4/dsdb/common/tests/dsdb_dn.c
index 9ae0c8a..66c7e12 100644
--- a/source4/dsdb/common/tests/dsdb_dn.c
+++ b/source4/dsdb/common/tests/dsdb_dn.c
@@ -77,6 +77,13 @@ static bool torture_dsdb_dn_attrs(struct torture_context *torture)
syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
"compare of binary+dn an dn should have failed");
+ /* Test compare (false) with different binary prefix */
+ dn1 = data_blob_string_const("B:6:abcdef:dc=samba,dc=org");
+ dn2 = data_blob_string_const("B:4:abcd:dc=samba,dc=org");
+ torture_assert(torture,
+ syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
+ "compare of binary+dn an dn should have failed");
+
/* Test DN+String behaviour */
torture_assert(torture, syntax = ldb_samba_syntax_by_name(ldb, DSDB_SYNTAX_STRING_DN),
"Failed to get DN+String schema attribute");
@@ -107,6 +114,13 @@ static bool torture_dsdb_dn_attrs(struct torture_context *torture)
syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
"compare of string+dn an dn should have failed");
+ /* Test compare (false) with different string prefix */
+ dn1 = data_blob_string_const("S:6:abcdef:dc=samba,dc=org");
+ dn2 = data_blob_string_const("S:6:abcXYZ:dc=samba,dc=org");
+ torture_assert(torture,
+ syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
+ "compare of string+dn an dn should have failed");
+
talloc_free(mem_ctx);
return true;
}
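Review bot: the new assertion for `S:6:abcdef:...` against `S:6:abcXYZ:...` reuses the failure text "compare of string+dn an dn should have failed" from the assertion just above it, so a failing run cannot tell which of the two cases broke, and the text does not describe a comparison between two string+dn values. Give it its own message, for example "compare of string+dn values with different string prefixes should have failed". The binary-prefix test added earlier in this file copies its neighbour's message in the same way.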
diff --git a/source4/dsdb/samdb/ldb_modules/partition_metadata.c b/source4/dsdb/samdb/ldb_modules/partition_metadata.c
index db1815a..b3b5744 100644
--- a/source4/dsdb/samdb/ldb_modules/partition_metadata.c
+++ b/source4/dsdb/samdb/ldb_modules/partition_metadata.c
@@ -246,11 +246,14 @@ static int partition_metadata_open(struct ldb_module *module, bool create)
if (data->metadata->db == NULL) {
talloc_free(tmp_ctx);
if (create) {
- ldb_asprintf_errstring(ldb, "partition_metadata: Unable to create %s",
- filename);
+ ldb_asprintf_errstring(ldb, "partition_metadata: Unable to create %s: %s",
+ filename, strerror(errno));
} else {
- ldb_asprintf_errstring(ldb, "partition_metadata: Unable to open %s",
- filename);
+ ldb_asprintf_errstring(ldb, "partition_metadata: Unable to open %s: %s",
+ filename, strerror(errno));
+ }
+ if (errno == EACCES || errno == EPERM) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
return LDB_ERR_OPERATIONS_ERROR;
}
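Review bot: the `errno == EACCES || errno == EPERM` check sits after talloc_free(tmp_ctx) and ldb_asprintf_errstring(), both of which can modify errno, so the mapping to LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS and the strerror(errno) text may not reflect the original open or create failure. Store errno in a local as the first statement inside `if (data->metadata->db == NULL)` and use that local in the messages and in the comparison.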
--
Samba Shared Repository