[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Feb 5 02:42:04 MST 2014


The branch, master has been updated
       via  741e5dc dsdb: Add more tests for DN+String and DN+Binary comparisons
       via  f279a29 provision: capture slightly less generic exceptions during the test for acls
       via  ad773cc pysmbd: improve the return of error codes in the python smbd bindings
       via  b27543a provision: improve error message when connecting to samdb without the correct permissions
       via  e76bbef ldb: pass module init errors back to the caller
       via  262c3de dsdb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
       via  673d415 ldb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
       via  a89060a provision: Fix failures on re-provision incorrectly blamed on posix acl support.
      from  40e6456 s3-auth: Add passwd_to_SamInfo3().

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 741e5dca09053d0fc9a6e2a112113f1828a95759
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Feb 5 16:22:11 2014 +1300

    dsdb: Add more tests for DN+String and DN+Binary comparisons
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Feb  5 10:41:37 CET 2014 on sn-devel-104

commit f279a297a4a94c5cbc049c9b2cde14b02960a76f
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 5 15:40:59 2014 +1300

    provision: capture slightly less generic exceptions during the test for acls
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit ad773cc01435e65fa5d8e84758b0642069e96c40
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 5 15:31:22 2014 +1300

    pysmbd: improve the return of error codes in the python smbd bindings
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit b27543aa729ca893270831d5c4fc74ea7ac6d407
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 5 15:29:18 2014 +1300

    provision: improve error message when connecting to samdb without the correct permissions
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit e76bbef8b796441985550c553db1ab48d6495709
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Feb 5 15:19:41 2014 +1300

    ldb: pass module init errors back to the caller
    
    This makes provision errors clearer in Samba, as we can now get
    permission denied errors presented from LDB modules.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit 262c3de3f880bb08b1220d1e755bb31365dab49b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Feb 5 14:53:26 2014 +1300

    dsdb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
    
    This makes provision errors clearer in Samba.
    
    Andrew Bartlett
    
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit 673d41503c6e391337df1b86e49108d58f1af6bd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Feb 5 14:52:28 2014 +1300

    ldb: Return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS rather than OPERATIONS_ERROR on EACCES and EPERM
    
    This makes provision errors clearer in Samba.
    
    Andrew Bartlett
    
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

commit a89060a0217f8740798d1dac4466222301a4d81b
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Nov 27 15:26:14 2013 +1300

    provision: Fix failures on re-provision incorrectly blamed on posix acl support.
    
    By doing the test later, there is an actual sam.ldb file that can be connected to.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb.c                               |    5 +-
 lib/ldb/ldb_tdb/ldb_tdb.c                          |    7 ++-
 python/samba/provision/__init__.py                 |   59 +++++++++++---------
 source3/smbd/pysmbd.c                              |   58 +++++++++----------
 source4/dsdb/common/tests/dsdb_dn.c                |   14 +++++
 .../dsdb/samdb/ldb_modules/partition_metadata.c    |   11 ++-
 6 files changed, 88 insertions(+), 66 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index e5fa819..36f1c37 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -257,11 +257,12 @@ int ldb_connect(struct ldb_context *ldb, const char *url,
 		return ret;
 	}
 
-	if (ldb_load_modules(ldb, options) != LDB_SUCCESS) {
+	ret = ldb_load_modules(ldb, options);
+	if (ret != LDB_SUCCESS) {
 		ldb_debug(ldb, LDB_DEBUG_FATAL,
 			  "Unable to load modules for %s: %s",
 			  url, ldb_errstring(ldb));
-		return LDB_ERR_OTHER;
+		return ret;
 	}
 
 	/* set the default base dn */
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 30c58f5..d3c83f5 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -1560,10 +1560,13 @@ static int ltdb_connect(struct ldb_context *ldb, const char *url,
 				   ldb_get_create_perms(ldb), ldb);
 	if (!ltdb->tdb) {
 		ldb_asprintf_errstring(ldb,
-				       "Unable to open tdb '%s'", path);
+				       "Unable to open tdb '%s': %s", path, strerror(errno));
 		ldb_debug(ldb, LDB_DEBUG_ERROR,
-			  "Unable to open tdb '%s'", path);
+			  "Unable to open tdb '%s': %s", path, strerror(errno));
 		talloc_free(ltdb);
+		if (errno == EACCES || errno == EPERM) {
+			return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+		}
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
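Review bot: errno is read three times in the failure branch of ltdb_connect, twice in strerror(errno) and once in the new EACCES/EPERM test, and the last read comes after ldb_asprintf_errstring, ldb_debug and talloc_free(ltdb), any of which may change it. Copy it into a local (for example int saved_errno = errno;) on the first line inside if (!ltdb->tdb), then use that local for both messages and for choosing between LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS and LDB_ERR_OPERATIONS_ERROR.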
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 151444d..0acd6f4 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1203,7 +1203,13 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
 
     # And now we can connect to the DB - the schema won't be loaded from the
     # DB
-    samdb.connect(path)
+    try:
+        samdb.connect(path)
+    except ldb.LdbError, (num, string_error):
+        if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS):
+            raise ProvisioningError("Permission denied connecting to %s, are you running as root?" % path)
+        else:
+            raise
 
     # But we have to give it one more kick to have it use the schema
     # during provision - it needs, now that it is connected, to write
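Review bot: in the new except branch around samdb.connect(path), string_error is bound but never used, so the ProvisioningError drops the LDB error text, which after the ldb_tdb change in this series carries the strerror detail. Append string_error to the message so the underlying cause stays visible. The parentheses in if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS): are not needed in Python.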
@@ -1527,6 +1533,31 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
     s4_passdb = None
 
     if not use_ntvfs:
+        s3conf = s3param.get_context()
+        s3conf.load(lp.configfile)
+
+        file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol))
+        try:
+            try:
+                smbd.set_simple_acl(file.name, 0755, gid)
+            except OSError:
+                if not smbd.have_posix_acls():
+                    # This clue is only strictly correct for RPM and
+                    # Debian-like Linux systems, but hopefully other users
+                    # will get enough clue from it.
+                    raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires.  "
+                                            "Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
+
+                raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  "
+                                        "Try the mounting the filesystem with the 'acl' option.")
+            try:
+                smbd.chown(file.name, uid, gid)
+            except OSError:
+                raise ProvisioningError("Unable to chown a file on your filesystem.  "
+                                        "You may not be running provision as root.")
+        finally:
+            file.close()
+
         # This will ensure that the smbd code we are running when setting ACLs
         # is initialised with the smb.conf
         s3conf = s3param.get_context()
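Review bot: both except OSError handlers in the added probe ignore the errno that the pysmbd bindings now supply, so an EACCES or EPERM from smbd.set_simple_acl is still reported as missing posix ACL support. Bind the exception (except OSError, e:) and branch on e.errno before choosing the message. Two smaller points: tempfile.NamedTemporaryFile(dir=...) sits outside the try, so a failure to create the file in sysvol escapes as a bare exception, and s3conf = s3param.get_context() now appears twice, once in the added lines and once in the context just below; run the probe after the existing initialisation and reuse that context.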
@@ -2032,32 +2063,6 @@ def provision(logger, session_info, smbconf=None,
     if paths.sysvol and not os.path.exists(paths.sysvol):
         os.makedirs(paths.sysvol, 0775)
 
-    if not use_ntvfs and serverrole == "active directory domain controller":
-        s3conf = s3param.get_context()
-        s3conf.load(lp.configfile)
-
-        if paths.sysvol is None:
-            raise MissingShareError("sysvol", paths.smbconf)
-
-        file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
-        try:
-            try:
-                smbd.set_simple_acl(file.name, 0755, root_gid)
-            except Exception:
-                if not smbd.have_posix_acls():
-                    # This clue is only strictly correct for RPM and
-                    # Debian-like Linux systems, but hopefully other users
-                    # will get enough clue from it.
-                    raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires.  Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
-
-                raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
-            try:
-                smbd.chown(file.name, root_uid, root_gid)
-            except Exception:
-                raise ProvisioningError("Unable to chown a file on your filesystem.  You may not be running provision as root.")
-        finally:
-            file.close()
-
     ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
 
     schema = Schema(domainsid, invocationid=invocationid,
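Review bot: the block removed from provision() raised MissingShareError("sysvol", paths.smbconf) when paths.sysvol was None and ran only for serverrole == "active directory domain controller"; the copy added to setsysvolacl carries neither guard, so os.path.abspath(sysvol) receives whatever the caller passes. Keep the None check here in provision() or add it at the top of the new probe, and state in the commit message whether running the probe for other server roles is intended.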
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 683c48c..df0f430 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -76,11 +76,10 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
 	return conn;
 }
 
-static NTSTATUS set_sys_acl_conn(const char *fname,
+static int set_sys_acl_conn(const char *fname,
 				 SMB_ACL_TYPE_T acltype,
 				 SMB_ACL_T theacl, connection_struct *conn)
 {
-	NTSTATUS status = NT_STATUS_OK;
 	int ret;
 	mode_t saved_umask;
 
@@ -91,16 +90,11 @@ static NTSTATUS set_sys_acl_conn(const char *fname,
 	saved_umask = umask(0);
 
 	ret = SMB_VFS_SYS_ACL_SET_FILE( conn, fname, acltype, theacl);
-	if (ret != 0) {
-		status = map_nt_error_from_unix_common(ret);
-		DEBUG(0,("set_sys_acl_conn: SMB_VFS_SYS_ACL_SET_FILE "
-			 "returned zero.\n"));
-	}
 
 	umask(saved_umask);
 
 	TALLOC_FREE(frame);
-	return status;
+	return ret;
 }
 
 static NTSTATUS set_nt_acl_conn(const char *fname,
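Review bot: the int returned by set_sys_acl_conn has no defined meaning: it is the raw result of SMB_VFS_SYS_ACL_SET_FILE, yet callers later in this patch assign it to errno (errno = ret), which only works if that result is itself an errno value. If the VFS call follows the usual convention of returning -1 and setting errno, capture errno directly after the call, before umask(saved_umask) and TALLOC_FREE(frame) can disturb it, and return that value; a one-line comment on the function saying what the int means would prevent the mismatch. The removed DEBUG text was wrong ("returned zero" on a nonzero result), but dropping it leaves the failure unlogged at this level.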
@@ -319,8 +313,8 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
 {
 	const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
-	NTSTATUS status;
 	char *fname, *service = NULL;
+	int ret;
 	int mode, gid = -1;
 	SMB_ACL_T acl;
 	TALLOC_CTX *frame;
@@ -340,12 +334,16 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject
 		return NULL;
 	}
 
-	status = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
+	ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
 	TALLOC_FREE(acl);
 
-	TALLOC_FREE(frame);
+	if (ret != 0) {
+		TALLOC_FREE(frame);
+		errno = ret;
+		return PyErr_SetFromErrno(PyExc_OSError);
+	}
 
-	PyErr_NTSTATUS_IS_ERR_RAISE(status);
+	TALLOC_FREE(frame);
 
 	Py_RETURN_NONE;
 }
@@ -357,7 +355,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
 {
 	const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
 	connection_struct *conn;
-	NTSTATUS status = NT_STATUS_OK;
 	int ret;
 
 	char *fname, *service = NULL;
@@ -383,27 +380,26 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
 
 	ret = SMB_VFS_CHOWN( conn, fname, uid, gid);
 	if (ret != 0) {
-		status = map_nt_error_from_unix_common(errno);
-		DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
+		umask(saved_umask);
+		TALLOC_FREE(frame);
+		errno = ret;
+		return PyErr_SetFromErrno(PyExc_OSError);
 	}
 
 	umask(saved_umask);
 
 	TALLOC_FREE(frame);
 
-	PyErr_NTSTATUS_IS_ERR_RAISE(status);
-
 	Py_RETURN_NONE;
 }
 
 /*
-  chown a file
+  unlink a file
  */
 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
 {
 	const char * const kwnames[] = { "fname", "service", NULL };
 	connection_struct *conn;
-	NTSTATUS status = NT_STATUS_OK;
 	int ret;
 	struct smb_filename *smb_fname = NULL;
 	char *fname, *service = NULL;
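Review bot: errno = ret in the SMB_VFS_CHOWN failure branch overwrites the real error with the call's return value; the removed lines took the error from errno (map_nt_error_from_unix_common(errno), strerror(errno)), so ret is only a failure indicator here. Save errno in a local immediately after the call, run umask(saved_umask) and TALLOC_FREE(frame), then restore it before PyErr_SetFromErrno(PyExc_OSError). PyErr_SetFromErrnoWithFilename(PyExc_OSError, fname) would also put the path into the exception.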
@@ -427,19 +423,18 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs
 	smb_fname = synthetic_smb_fname_split(frame, fname, NULL);
 	if (smb_fname == NULL) {
 		TALLOC_FREE(frame);
-		PyErr_NTSTATUS_IS_ERR_RAISE(NT_STATUS_NO_MEMORY);
+		return PyErr_NoMemory();
 	}
 
 	ret = SMB_VFS_UNLINK(conn, smb_fname);
 	if (ret != 0) {
-		status = map_nt_error_from_unix_common(errno);
-		DEBUG(0,("unlink returned failure: %s\n", strerror(errno)));
+		TALLOC_FREE(frame);
+		errno = ret;
+		return PyErr_SetFromErrno(PyExc_OSError);
 	}
 
 	TALLOC_FREE(frame);
 
-	PyErr_NTSTATUS_IS_ERR_RAISE(status);
-
 	Py_RETURN_NONE;
 }
 
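Review bot: the SMB_VFS_UNLINK failure branch sets errno = ret, but the removed lines show the error arriving in errno rather than in the return value, so the OSError raised will carry the return value instead of the cause. Keep the errno from the call, saved before TALLOC_FREE(frame), and pass that to PyErr_SetFromErrno. The switch to return PyErr_NoMemory() for the smb_fname == NULL case is a good fix.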
@@ -541,7 +536,7 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k
 {
 	const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
 	TALLOC_CTX *frame = talloc_stackframe();
-	NTSTATUS status;
+	int ret;
 	char *fname, *service = NULL;
 	PyObject *py_acl;
 	struct smb_acl_t *acl;
@@ -568,8 +563,12 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k
 
 	acl = pytalloc_get_type(py_acl, struct smb_acl_t);
 
-	status = set_sys_acl_conn(fname, acl_type, acl, conn);
-	PyErr_NTSTATUS_IS_ERR_RAISE(status);
+	ret = set_sys_acl_conn(fname, acl_type, acl, conn);
+	if (ret != 0) {
+		TALLOC_FREE(frame);
+		errno = ret;
+		return PyErr_SetFromErrno(PyExc_OSError);
+	}
 
 	TALLOC_FREE(frame);
 	Py_RETURN_NONE;
@@ -588,7 +587,6 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k
 	TALLOC_CTX *frame = talloc_stackframe();
 	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
 	connection_struct *conn;
-	NTSTATUS status = NT_STATUS_OK;
 	char *service = NULL;
 	if (!tmp_ctx) {
 		PyErr_NoMemory();
@@ -614,9 +612,7 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k
 	if (!acl) {
 		TALLOC_FREE(frame);
 		TALLOC_FREE(tmp_ctx);
-		status = map_nt_error_from_unix_common(errno);
-		DEBUG(0,("sys_acl_get_file returned NULL: %s\n", strerror(errno)));
-		PyErr_NTSTATUS_IS_ERR_RAISE(status);
+		return PyErr_SetFromErrno(PyExc_OSError);
 	}
 
 	py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
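Review bot: PyErr_SetFromErrno(PyExc_OSError) in the !acl branch runs after TALLOC_FREE(frame) and TALLOC_FREE(tmp_ctx), so the errno it reports may no longer be the one from the failed ACL read. Save errno into a local before the two frees and assign it back just before raising.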
diff --git a/source4/dsdb/common/tests/dsdb_dn.c b/source4/dsdb/common/tests/dsdb_dn.c
index 9ae0c8a..66c7e12 100644
--- a/source4/dsdb/common/tests/dsdb_dn.c
+++ b/source4/dsdb/common/tests/dsdb_dn.c
@@ -77,6 +77,13 @@ static bool torture_dsdb_dn_attrs(struct torture_context *torture)
 		       syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
 		       "compare of binary+dn an dn should have failed");
 
+	/* Test compare (false) with different binary prefix */
+	dn1 = data_blob_string_const("B:6:abcdef:dc=samba,dc=org");
+	dn2 = data_blob_string_const("B:4:abcd:dc=samba,dc=org");
+	torture_assert(torture,
+		       syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
+		       "compare of binary+dn an dn should have failed");
+
 	/* Test DN+String behaviour */
 	torture_assert(torture, syntax = ldb_samba_syntax_by_name(ldb, DSDB_SYNTAX_STRING_DN), 
 		       "Failed to get DN+String schema attribute");
@@ -107,6 +114,13 @@ static bool torture_dsdb_dn_attrs(struct torture_context *torture)
 		       syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
 		       "compare of string+dn an dn should have failed");
 
+	/* Test compare (false) with different string prefix */
+	dn1 = data_blob_string_const("S:6:abcdef:dc=samba,dc=org");
+	dn2 = data_blob_string_const("S:6:abcXYZ:dc=samba,dc=org");
+	torture_assert(torture,
+		       syntax->comparison_fn(ldb, mem_ctx, &dn1, &dn2) != 0,
+		       "compare of string+dn an dn should have failed");
+
 	talloc_free(mem_ctx);
 	return true;
 }
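Review bot: the new torture_assert for the differing string prefix reuses the message "compare of string+dn an dn should have failed", identical to the assertion just above it, so a failure does not say which case broke (and "an" should read "and"). Give it its own text naming the differing string prefix. The binary-prefix case added earlier in this file repeats its neighbour's message in the same way.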
diff --git a/source4/dsdb/samdb/ldb_modules/partition_metadata.c b/source4/dsdb/samdb/ldb_modules/partition_metadata.c
index db1815a..b3b5744 100644
--- a/source4/dsdb/samdb/ldb_modules/partition_metadata.c
+++ b/source4/dsdb/samdb/ldb_modules/partition_metadata.c
@@ -246,11 +246,14 @@ static int partition_metadata_open(struct ldb_module *module, bool create)
 	if (data->metadata->db == NULL) {
 		talloc_free(tmp_ctx);
 		if (create) {
-			ldb_asprintf_errstring(ldb, "partition_metadata: Unable to create %s",
-					       filename);
+			ldb_asprintf_errstring(ldb, "partition_metadata: Unable to create %s: %s",
+					       filename, strerror(errno));
 		} else {
-			ldb_asprintf_errstring(ldb, "partition_metadata: Unable to open %s",
-					       filename);
+			ldb_asprintf_errstring(ldb, "partition_metadata: Unable to open %s: %s",
+					       filename, strerror(errno));
+		}
+		if (errno == EACCES || errno == EPERM) {
+			return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
 		}
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
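Review bot: in partition_metadata_open the strerror(errno) calls and the new EACCES/EPERM test all run after talloc_free(tmp_ctx), so errno may already differ from the value set by the failed open or create. Save errno before talloc_free(tmp_ctx) and use the saved value both for the message and for the LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS decision.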


-- 
Samba Shared Repository

