[SCM] Samba Shared Repository - branch v4-3-test updated

Karolin Seeger kseeger at samba.org
Wed Aug 3 12:43:07 UTC 2016


The branch, v4-3-test has been updated
       via  cf920bc vfs_acl_xattr: objects without NT ACL xattr
       via  a6939cf s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
       via  c25f48b smbd/notifyd: use smbd_reinit_after_fork()
       via  21145f3 s3-rpc_server/mdssd: use smbd_reinit_after_fork()
       via  0d8feb7 selftest: test idmap backend id allocation for unknown SIDS
       via  62e7854 selftest: make autorid the default idmap backend in admember_rfc2307
       via  ec073871 winbindd: in wb_lookupsids return domain name if we have it
       via  953d3dc winbindd/idmap_rfc2307: fix a crash
       via  4594f1c s3:mdssvc: older glib2 versions require g_type_init()
       via  e60d145 ctdb-common: For AF_PACKET socket types, protocol is in network order
       via  f02671a s3: smbd: Fix delete operations enumerating streams inside a file. This must always be done as a Windows operation.
       via  7e2f99c s3: smbd: Change lp_set_posix_pathnames() to take a newval parameter and return the old one.
       via  ebcbfe7 s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
       via  f73f9f1 param: Correct the defaults for "dcerpc endpoint services"
       via  a47f896 build: Always build eventlog6. This is not a duplicate of eventlog
       via  1139c8f libads: ensure the right ccache is used during spnego bind
       via  0bbf381 libads: ensure the right ccache is used during gssapi bind
      from  e855e44 auth: fix a memory leak in gssapi_get_session_key()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test


- Log -----------------------------------------------------------------
commit cf920bcb7fe9deb0096e2eeba5a356a345d5d247
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:48:19 2016 +0200

    vfs_acl_xattr: objects without NT ACL xattr
    
    Even with "ignore system acls" set to "yes", for objects without NT ACL
    xattr we use the underlying filesystem permissions to construct an NT
    ACL. This can result in *very* unexpected permissions, eg:
    
    - a directory with the following ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal ""
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\root
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    
    So only one non-inheritable(!) ACE.
    
    - creating a subdirectory:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"
    
    - checking whether there's an ACL xattr:
    
    $ getfattr -m "" /Volumes/normal/dir1
    getfattr: Removing leading '/' from absolute path names
    system.posix_acl_access
    system.posix_acl_default
    user.DOSATTRIB
    
    So there isn't an ACL xattr, because there were no inheritable ACEs on
    the parent folder.
    
    - reading the new subdirectory's ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:Unix Group\slow:ALLOWED/0x0/READ
    ACL:Everyone:ALLOWED/0x0/READ
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    The ACEs for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
    from the underlying filesystem. This is the problem.
    
    - Windows assigns the following ACL in this situation:
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
    REVISION:1
    CONTROL:SR|PD|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL
    
    $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
    REVISION:1
    CONTROL:SR|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
    ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL
    
    By changing make_default_filesystem_acl() to only add user and system
    ACEs to the ACL of objects that lack an ACL xattr, we match Windows
    behaviour:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
    
    (cherry picked from commit 961c4b591bb102751079d9cc92d7aa1c37f1958c)
    
    Autobuild-User(v4-3-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-3-test): Wed Aug  3 14:42:05 CEST 2016 on sn-devel-104

commit a6939cf2435ec9259a0d5df861a4a1461476d505
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:56:02 2016 +0200

    s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
    
    This function is only used in vfs_acl_common.c and will be modified in
    the next commit.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit afc2417b107af572081974ff9d013ddec890d31f)

commit c25f48bc8c8a0da00e69ea59b94be9b86768eac8
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jul 5 15:37:53 2016 +0200

    smbd/notifyd: use smbd_reinit_after_fork()
    
    Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
    am_parent is reset to NULL. Otherwise, when exiting for some reason, the
    inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
    our whole process group including the main smbd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (backported from commit bb90a8484a734b76ddd4d270f31fcdb4ae6cc48d)

commit 21145f37b24182aca03b3c77627b1f48a9fbc5cb
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jul 5 15:38:31 2016 +0200

    s3-rpc_server/mdssd: use smbd_reinit_after_fork()
    
    Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
    am_parent is reset to NULL. Otherwise, when exiting for some reason, the
    inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
    our whole process group including the main smbd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Jul 11 02:02:33 CEST 2016 on sn-devel-144
    
    (backported from commit 6efd0af5e8d8ee81b5f53afb126d87950088b7cd)

commit 0d8feb781f2f68a1ce1f0b826e86aaa8bab59c97
Author: Ralph Boehme <slow at samba.org>
Date:   Sun Jun 12 19:03:11 2016 +0200

    selftest: test idmap backend id allocation for unknown SIDS
    
    If an SID is not found because the RID doesn't exist in a domain and
    the domain is configured to use a non-allocating idmap backend like
    idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
    SID.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 2a322a7671c9ffd0dd600142dd76b5b51a67e185)

commit 62e78547231d225495044799bdc2ca2a809b8583
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 18:33:01 2016 +0200

    selftest: make autorid the default idmap backend in admember_rfc2307
    
    This is needed for a new test in the next commit. Existing tests aren't
    affected by this, at least a private autobuild passed with this
    change.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit aa54fa4e88cc80bc7841beba3a5561ad2c83dc80)

commit ec07387160ab067dd3e06d04b99289cf6077b6da
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 15:16:42 2016 +0200

    winbindd: in wb_lookupsids return domain name if we have it
    
    When doing a SID to xid mapping for an unknown SID, the idmap child gets
    passed a lsa_RefDomainList with an empty domain name (ie ""). This is
    coming from LsaLookupSids() and causes the mapping request to end up in
    the default idmap domain.
    
    Example request with domain name "":
    
      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
         in: struct wbint_Sids2UnixIDs
             domains                  : *
                 domains: struct lsa_RefDomainList
                     count                    : 0x00000001 (1)
                     domains                  : *
                         domains: ARRAY(1)
                             domains: struct lsa_DomainInfo
                                 name: struct lsa_StringLarge
                                     length                   : 0x0000 (0)
                                     size                     : 0x0002 (2)
                                     string                   : *
                                         string                   : ''
                                 sid                      : *
                                     sid                      : S-1-5-21-3152989960-574718769-2188965058
                     max_size                 : 0x00000020 (32)
             ids                      : *
                 ids: struct wbint_TransIDArray
                     num_ids                  : 0x00000001 (1)
                     ids: ARRAY(1)
                         ids: struct wbint_TransID
                             type                     : ID_TYPE_NOT_SPECIFIED (0)
                             domain_index             : 0x00000000 (0)
                             rid                      : 0x000029aa (66666)
                             xid: struct unixid
                                 id                       : 0xffffffff (4294967295)
                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
    
    In _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with the
    domain name "" and this triggers use of the default idmap domain which
    in case of idmap_autorid will allocate an id from an idmap_autorid range.
    
    If we know the domain, ensure we return it for SIDs where the SID was not
    found but the domain of the SID was found. Callers like sids2xids depend
    on the domain name and returning an empty string "" for a valid domain can
    trigger unwanted idmap range allocations.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 9be918116e356c358ef77cc2933e471090088293)

commit 953d3dcf7b65bde636fbbbedea6a5cd7a0a9355d
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 18:31:45 2016 +0200

    winbindd/idmap_rfc2307: fix a crash
    
    map->map is NULL if lookupsid failed.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 5e346af078847512e86755a4634583a8a5178c0e)

commit 4594f1cbae623ab68b8fe1cb32779d05ded3d682
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Mar 17 14:05:58 2016 +0100

    s3:mdssvc: older glib2 versions require g_type_init()
    
    Older glib2 versions will crash if g_type_init is not called:
    
    (process:6712): GLib-GObject-CRITICAL **: ... ./gobject/gtype.c:2722:
    You forgot to call g_type_init()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11801
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Mar 18 03:52:55 CET 2016 on sn-devel-144
    
    (cherry picked from commit 3563d79a8cb625ae78523cb32330c9f61c6c3a2f)

commit e60d1455886aab95b872f2716d4bf5af6fcae466
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Thu Mar 3 14:17:40 2016 +1100

    ctdb-common: For AF_PACKET socket types, protocol is in network order
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11770
    
    From man page of packet(7):
    
       protocol is the IEEE 802.3 protocol number in network byte order.
       See the <linux/if_ether.h> include file for a list of allowed
       protocols. When protocol is set to htons(ETH_P_ALL), then all
       protocols are received.
    
    Protocol argument was changed from network order to host order wrongly
    in commit 9f8395cb7d49b63a82f75bf504f5f83920102b29.
    
    Specifying "protocol" field to socket(AF_PACKET, ...) call only affects
    the packets that are received.  So use protocol = 0 when sending raw
    packets.
    
    Signed-off-by: Amitay Isaacs <amitay at gmail.com>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    
    Autobuild-User(master): Martin Schwenke <martins at samba.org>
    Autobuild-Date(master): Fri Mar  4 12:58:50 CET 2016 on sn-devel-144
    
    (cherry picked from commit f5b6a5b13406c245ab9cc8c1699483af9eb21f88)

commit f02671a4cc7fabedfbeb7dad856eecf619d389d2
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 20 11:34:48 2016 -0700

    s3: smbd: Fix delete operations enumerating streams inside a file. This must always be done as a Windows operation.
    
    When using UNIX extensions to delete a file containing streams,
    the open for delete and close operations need to enumerate the
    contained streams and do CREATE and UNLINK operations on the
    stream names. These must always be done as Windows operations
    (use lp_set_posix_pathnames(false) to flip the processing) as
    the stream names are Windows paths.
    
    Without this the create operation under the unlink will
    recurse and cause the client to time out (or a server crash).
    
    This (hack) is only needed for 4.4.x and below, it is fixed
    correctly in 4.5.x.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12021
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 7e2f99c7245b910bf213829a6df97acefa224945
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 20 11:25:20 2016 -0700

    s3: smbd: Change lp_set_posix_pathnames() to take a newval parameter and return the old one.
    
    Currently only used in one place, but we'll need to use it to
    temporarily change pathname processing to fix bug 12021.
    
    This (hack) is only needed for 4.4.x and below, it is fixed
    correctly in 4.5.x.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12021
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit ebcbfe70300895c56f29839a32b50ec5b280038d
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 28 15:38:22 2016 -0700

    s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
    
    https://bugzilla.samba.org/show_bug.cgi?id=11838
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1d4b20d4f3829eb3778006397990cd9fee4966a5)

commit f73f9f15906f9596bb60a4d52cf47bd99af21b76
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 9 17:36:18 2016 +1200

    param: Correct the defaults for "dcerpc endpoint services"
    
    We must not list any services that we skip building, as otherwise all RPC services fail to start.
    
    We now build without the source4 spoolss server in non-developer builds.
    
    This fixes commit 0b4c741b9c03d147ee5f56d027bacda75c1b5282
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12025
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit 748384992b96c3936d82bc09f39459fb4bd489bd)

commit a47f896b0bee013a9a042b91d762d798dd14d1f5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 9 17:34:39 2016 +1200

    build: Always build eventlog6. This is not a duplicate of eventlog
    
    The eventlog6 pipe is not a duplicate of the source3 code, so it should be built even
    for the default build with smbd for file serving.
    
    This fixes commit 0b4c741b9c03d147ee5f56d027bacda75c1b5282
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12026
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    (cherry picked from commit d183261e6844724394d618912403cd0217401741)

commit 1139c8fa22481efcc9dc602b7497c6aa5362c060
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 6 12:44:11 2016 +0200

    libads: ensure the right ccache is used during spnego bind
    
    When doing spnego sasl bind:
    1. Try working without kinit only if a password is not
       provided
    2. When using kinit, ensure the KRB5CCNAME env var is set
       to a private memory ccache, so that the bind is on behalf
       of the requested user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
    
    (cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)

commit 0bbf381c992d184063f8c9bd3d9fafa952654eaf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 6 12:48:11 2016 +0200

    libads: ensure the right ccache is used during gssapi bind
    
    When doing gssapi sasl bind:
    1. Try working without kinit only if a password is not
       provided
    2. When using kinit, ensure the KRB5CCNAME env var is set
       to a private memory ccache, so that the bind is on behalf
       of the requested user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    (cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655)

-----------------------------------------------------------------------

Summary of changes:
 ctdb/common/system_linux.c                         |   6 +-
 .../smbdotconf/protocol/dcerpcendpointservers.xml  |   2 +-
 lib/param/loadparm.c                               |   2 +-
 nsswitch/tests/test_idmap_nss.sh                   |  41 ++++++++
 selftest/target/Samba3.pm                          |   3 +
 source3/include/proto.h                            |   2 +-
 source3/libads/sasl.c                              |  52 +++++++---
 source3/modules/vfs_acl_common.c                   |  74 ++++++++++++++
 source3/param/loadparm.c                           |  11 ++-
 source3/rpc_server/mdssd.c                         |   4 +-
 source3/rpc_server/mdssvc/mdssvc.c                 |   5 +-
 source3/selftest/tests.py                          |   4 +-
 source3/smbd/close.c                               |  10 ++
 source3/smbd/open.c                                |  10 ++
 source3/smbd/posix_acls.c                          | 110 ---------------------
 source3/smbd/proto.h                               |   4 -
 source3/smbd/server.c                              |   2 +-
 source3/smbd/trans2.c                              |   2 +-
 source3/winbindd/idmap_rfc2307.c                   |   4 +-
 source3/winbindd/wb_lookupsids.c                   |  30 +++++-
 source4/dsdb/samdb/ldb_modules/ranged_results.c    |   8 +-
 source4/rpc_server/wscript_build                   |   3 +-
 22 files changed, 232 insertions(+), 157 deletions(-)
 create mode 100755 nsswitch/tests/test_idmap_nss.sh


Changeset truncated at 500 lines:

diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c
index 2e58853..9872070 100644
--- a/ctdb/common/system_linux.c
+++ b/ctdb/common/system_linux.c
@@ -93,7 +93,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
 
 	switch (addr->ip.sin_family) {
 	case AF_INET:
-		s = socket(AF_PACKET, SOCK_RAW, ETHERTYPE_ARP);
+		s = socket(AF_PACKET, SOCK_RAW, 0);
 		if (s == -1){
 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
 			return -1;
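Review bot: the switch to protocol 0 is right for a socket that only sends, but nothing in the hunk says so; a one-line comment above `s = socket(AF_PACKET, SOCK_RAW, 0);` stating that the protocol argument only filters received frames (as the commit message explains) would stop the next reader from "fixing" it back to ETHERTYPE_ARP.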
@@ -187,7 +187,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
 		close(s);
 		break;
 	case AF_INET6:
-		s = socket(AF_PACKET, SOCK_RAW, ETHERTYPE_ARP);
+		s = socket(AF_PACKET, SOCK_RAW, 0);
 		if (s == -1){
 			DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
 			return -1;
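Review bot: this is the second identical open-raw-socket sequence in ctdb_sys_send_arp(); the AF_INET and AF_INET6 branches could share a small helper so that a byte-order fix like this one only has to be made, and reviewed, once.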
@@ -447,7 +447,7 @@ int ctdb_sys_open_capture_socket(const char *iface, void **private_data)
 	int s;
 
 	/* Open a socket to capture all traffic */
-	s = socket(AF_PACKET, SOCK_RAW, ETH_P_ALL);
+	s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
 	if (s == -1) {
 		DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
 		return -1;
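Review bot: correct per packet(7), but the adjacent comment `/* Open a socket to capture all traffic */` should also say that the protocol must be passed in network byte order, since the regression being fixed came from dropping exactly this htons().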
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 7fc172b..7b32d03 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
 </description>
 
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
 <value type="example">rpcecho</value>
 </samba:parameter>
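Review bot: the default service list is now maintained by hand in three places in this changeset (this XML, lib/param/loadparm.c and source3/param/loadparm.c), and the commit message says a single stale entry makes every RPC service fail to start; a shared definition, or at least a selftest that checks the three copies agree, would keep them from drifting apart again.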
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index dac0f00..95d1fd7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2469,7 +2469,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 
-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "false");
 	/* the winbind method for domain controllers is for both RODC
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
new file mode 100755
index 0000000..999bccb
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Test id mapping with unknown SID and non-allocating idmap backend
+if [ $# -lt 1 ]; then
+	echo Usage: $0 DOMAIN
+	exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+
+failed=0
+
+. `dirname $0`/../../testprogs/blackbox/subunit.sh
+
+testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1
+DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+echo "Domain $DOMAIN has SID $DOMAIN_SID"
+
+# Find an unused uid and SID
+RID=66666
+while true ; do
+    id $RID
+    if [ $? -ne 0 ] ; then
+	$wbinfo -s $DOMAIN_SID\\$RID
+	if [ $? -ne 0 ] ; then
+	    break
+	fi
+    fi
+    RID=$(expr $RID + 1)
+done
+
+echo "Using non-existing SID $DOMAIN_SID-$RID to check no id allocation is done by the backend"
+
+out="$($wbinfo --sids-to-unix-ids=$DOMAIN_SID-$RID)"
+echo "wbinfo returned: $out"
+test "$out" = "$DOMAIN_SID-$RID -> unmapped"
+ret=$?
+testit "wbinfo SID to xid returns unmapped for unknown SID" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
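Review bot: in the "Find an unused uid and SID" loop, `$wbinfo -s $DOMAIN_SID\\$RID` hands wbinfo `S-1-5-...\66666`, not the `$DOMAIN_SID-$RID` form used further down, so wbinfo -s rejects the string for every RID and the loop exits as soon as `id $RID` fails; the SID half of the check never runs. Use `$DOMAIN_SID-$RID` here as well, send the output of `id` and `wbinfo -s` to /dev/null so the subunit stream stays clean, and quote `"$0"` in the usage message.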
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9e5d699..319d00b 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -460,6 +460,9 @@ sub setup_admember_rfc2307($$$$)
 	server signing = on
         workgroup = $dcvars->{DOMAIN}
         realm = $dcvars->{REALM}
+        idmap config * : backend = autorid
+        idmap config * : range = 1000000-1999999
+        idmap config * : rangesize = 100000
         idmap config $dcvars->{DOMAIN} : backend = rfc2307
         idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
         idmap config $dcvars->{DOMAIN} : ldap_server = ad
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 88be15a..afa43d2 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1054,7 +1054,7 @@ bool lp_use_sendfile(int snum, struct smb_signing_state *signing_state);
 void set_use_sendfile(int snum, bool val);
 void lp_set_mangling_method(const char *new_method);
 bool lp_posix_pathnames(void);
-void lp_set_posix_pathnames(void);
+bool lp_set_posix_pathnames(bool newval);
 enum brl_flavour lp_posix_cifsu_locktype(files_struct *fsp);
 void lp_set_posix_default_cifsx_readwrite_locktype(enum brl_flavour val);
 int lp_min_receive_file_size(void);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index d76d872..85a2eb0 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -26,6 +26,7 @@
 #include "smb_krb5.h"
 #include "system/gssapi.h"
 #include "lib/param/loadparm.h"
+#include "krb5_env.h"
 
 #ifdef HAVE_LDAP
 
@@ -748,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
-		status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-						     CRED_MUST_USE_KERBEROS,
-						     p.service, p.hostname,
-						     blob);
-		if (ADS_ERR_OK(status)) {
-			ads_free_service_principal(&p);
-			goto done;
+		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+		if (ads->auth.ccache_name != NULL) {
+			ccache_name = ads->auth.ccache_name;
 		}
 
-		DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-			  "calling kinit\n", ads_errstr(status)));
+		if (ads->auth.password == NULL ||
+		    ads->auth.password[0] == '\0')
+		{
 
+			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+							     CRED_MUST_USE_KERBEROS,
+							     p.service, p.hostname,
+							     blob);
+			if (ADS_ERR_OK(status)) {
+				ads_free_service_principal(&p);
+				goto done;
+			}
+
+			DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+				  "calling kinit\n", ads_errstr(status)));
+		}
+
+		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
 		if (ADS_ERR_OK(status)) {
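Review bot: `setenv(KRB5_ENV_CCNAME, ccache_name, 1);` changes process-wide state and the hunk never restores the previous value once the bind is done, so any later Kerberos call in this process (or a concurrent thread, as setenv is not thread-safe) silently uses the private MEMORY: ccache; save the old KRB5CCNAME before the setenv and restore or unset it after ads_kinit_password() and the bind complete, and note in a comment that the MEMORY: cache lives until process exit.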
@@ -1015,21 +1027,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 {
 	ADS_STATUS status;
 	struct ads_service_principal p;
+	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
 
 	status = ads_generate_service_principal(ads, &p);
 	if (!ADS_ERR_OK(status)) {
 		return status;
 	}
 
-	status = ads_sasl_gssapi_do_bind(ads, p.name);
-	if (ADS_ERR_OK(status)) {
-		ads_free_service_principal(&p);
-		return status;
-	}
+	if (ads->auth.password == NULL ||
+	    ads->auth.password[0] == '\0') {
+		status = ads_sasl_gssapi_do_bind(ads, p.name);
+		if (ADS_ERR_OK(status)) {
+			ads_free_service_principal(&p);
+			return status;
+		}
 
-	DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-		  "calling kinit\n", ads_errstr(status)));
+		DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+			  "calling kinit\n", ads_errstr(status)));
+	}
 
+	if (ads->auth.ccache_name != NULL) {
+		ccache_name = ads->auth.ccache_name;
+	}
+	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 
 	if (ADS_ERR_OK(status)) {
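Review bot: this repeats the ccache selection and setenv sequence from ads_sasl_spnego_bind() above with a different default ("MEMORY:ads_sasl_gssapi_do_bind"); a shared helper that picks the ccache name and sets KRB5_ENV_CCNAME would keep the two binds behaving identically and leave a single place to add the restore of the previous KRB5CCNAME.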
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 76ac598..f5af666 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../lib/util/bitmap.h"
+#include "passdb/lookup_sid.h"
 
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
 			DATA_BLOB *pblob,
@@ -358,6 +359,79 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+					    const char *name,
+					    SMB_STRUCT_STAT *psbuf,
+					    struct security_descriptor **ppdesc)
+{
+	struct dom_sid owner_sid, group_sid;
+	size_t size = 0;
+	struct security_ace aces[4];
+	uint32_t access_mask = 0;
+	mode_t mode = psbuf->st_ex_mode;
+	struct security_acl *new_dacl = NULL;
+	int idx = 0;
+
+	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+		name, (int)mode ));
+
+	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+	gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+	/*
+	 * We provide 2 ACEs:
+	 * - Owner
+	 * - NT System
+	 */
+
+	if (mode & S_IRUSR) {
+		if (mode & S_IWUSR) {
+			access_mask |= SEC_RIGHTS_FILE_ALL;
+		} else {
+			access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+		}
+	}
+	if (mode & S_IWUSR) {
+		access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+	}
+
+	init_sec_ace(&aces[idx],
+			&owner_sid,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			access_mask,
+			0);
+	idx++;
+
+	init_sec_ace(&aces[idx],
+			&global_sid_System,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			SEC_RIGHTS_FILE_ALL,
+			0);
+	idx++;
+
+	new_dacl = make_sec_acl(ctx,
+			NT4_ACL_REVISION,
+			idx,
+			aces);
+
+	if (!new_dacl) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*ppdesc = make_sec_desc(ctx,
+			SECURITY_DESCRIPTOR_REVISION_1,
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+			&owner_sid,
+			&group_sid,
+			NULL,
+			new_dacl,
+			&size);
+	if (!*ppdesc) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
 /*******************************************************************
  Pull a DATA_BLOB from an xattr given a pathname.
  If the hash doesn't match, or doesn't exist - return the underlying
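Review bot: `struct security_ace aces[4]` only ever receives two entries (the comment and the two init_sec_ace() calls agree), so declare it as `aces[2]` or say what the spare slots are for. In the access_mask computation the trailing `if (mode & S_IWUSR)` is redundant when S_IRUSR is also set (SEC_RIGHTS_FILE_ALL already covers it) and yields write and delete without read for a write-only owner mode; a comment stating that this is the intended mapping of the owner bits, and that an owner mode of 0 produces an ALLOWED ACE with an empty mask, would make the security behaviour reviewable at a glance.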
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0f2d99a..62186e5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -873,7 +873,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
 
-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 
 	Globals.tls_enabled = true;
 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
@@ -4344,13 +4344,14 @@ bool lp_posix_pathnames(void)
 }
 
 /*******************************************************************
- Change everything needed to ensure POSIX pathname processing (currently
- not much).
+ Set posix pathnames to new value. Returns old value.
 ********************************************************************/
 
-void lp_set_posix_pathnames(void)
+bool lp_set_posix_pathnames(bool newval)
 {
-	posix_pathnames = true;
+	bool oldval = posix_pathnames;
+	posix_pathnames = newval;
+	return oldval;
 }
 
 /*******************************************************************
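Review bot: `lp_set_posix_pathnames()` now mutates process-global state (`posix_pathnames`) and returns the previous value; the new doc comment ("Set posix pathnames to new value. Returns old value.") should also say that callers are expected to restore the returned value on every exit path, because a value of `false` that is never put back silently disables POSIX pathname handling for the remainder of the connection. Any remaining caller of the old `void` form will now fail to compile, which is the right way to catch missed call sites.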
diff --git a/source3/rpc_server/mdssd.c b/source3/rpc_server/mdssd.c
index fac386b..d826447 100644
--- a/source3/rpc_server/mdssd.c
+++ b/source3/rpc_server/mdssd.c
@@ -671,9 +671,7 @@ void start_mdssd(struct tevent_context *ev_ctx,
 		return;
 	}
 
-	status = reinit_after_fork(msg_ctx,
-				   ev_ctx,
-				   true);
+	status = smbd_reinit_after_fork(msg_ctx, ev_ctx, true);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("reinit_after_fork() failed\n"));
 		smb_panic("reinit_after_fork() failed");
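Review bot: the `DEBUG(0, ...)` and `smb_panic()` strings two lines below the changed call still read `reinit_after_fork() failed`, while the call is now `smbd_reinit_after_fork()`; update both strings to `smbd_reinit_after_fork() failed` so the log message names the function that actually failed.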
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index abfea43..44d7703 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -1783,10 +1783,13 @@ done:
 }
 
 /**
- * Init callbacks at startup, nothing to do here really
+ * Init callbacks at startup
  **/
 bool mds_init(struct messaging_context *msg_ctx)
 {
+#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)
+	g_type_init();
+#endif
 	return true;
 }
 
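Review bot: the guard `#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)` gives the right answer for the 2.x series but reads as two unrelated checks; glib ships `GLIB_CHECK_VERSION(major, minor, micro)` for exactly this, so `#if !GLIB_CHECK_VERSION(2, 36, 0)` states the intent (g_type_init() is required, and only not deprecated, before 2.36) in one expression. Also worth confirming that glib's header is included above this point: an undefined `GLIB_MAJOR_VERSION` evaluates to 0 inside `#if`, which would make the current guard true and call `g_type_init()` unconditionally.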
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f2babb1..850ee69 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -298,7 +298,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
 
 local = ["local.nss", "local.ndr"]
 
-idmap = [ "idmap.rfc2307" ]
+idmap = ["idmap.rfc2307", "idmap.alloc"]
 
 rap = ["rap.basic", "rap.rpc", "rap.printing", "rap.sam"]
 
@@ -363,6 +363,8 @@ for t in tests:
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
     elif t == "idmap.rfc2307":
         plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rfc2307.sh"), '$DOMAIN', 'Administrator', '2000000', 'Guest', '2000001', '"Domain Users"', '2000002', 'DnsAdmins', '2000003', 'ou=idmap,dc=samba,dc=example,dc=com', '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD'])
+    elif t == "idmap.alloc":
+        plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_nss.sh"), '$DOMAIN'])
     elif t == "raw.acls":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/nfs4acl_simple -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple')
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 1cb5460..66840ae 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -168,6 +168,7 @@ NTSTATUS delete_all_streams(connection_struct *conn, const char *fname)
 	unsigned int num_streams = 0;
 	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS status;
+	bool saved_posix_pathnames;
 
 	status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
 				&num_streams, &stream_info);
@@ -192,6 +193,13 @@ NTSTATUS delete_all_streams(connection_struct *conn, const char *fname)
 		return NT_STATUS_OK;
 	}
 
+	/*
+	 * Any stream names *must* be treated as Windows
+	 * pathnames, even if we're using UNIX extensions.
+	 */
+
+	saved_posix_pathnames = lp_set_posix_pathnames(false);
+
 	for (i=0; i<num_streams; i++) {
 		int res;
 		struct smb_filename *smb_fname_stream;
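Review bot: between `saved_posix_pathnames = lp_set_posix_pathnames(false);` and the restore at `fail:` every exit must be a `goto fail`, not a direct `return`, or the connection is left with POSIX pathnames switched off; the loop body that follows is outside this hunk and should be checked for that. Separately, if any `goto fail` can be reached before this assignment, the restore at `fail:` runs with an uninitialised bool; initialising the declaration as `bool saved_posix_pathnames = lp_posix_pathnames();` makes the restore a harmless no-op on such paths.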
@@ -223,6 +231,8 @@ NTSTATUS delete_all_streams(connection_struct *conn, const char *fname)
 	}
 
  fail:
+
+	(void)lp_set_posix_pathnames(saved_posix_pathnames);
 	TALLOC_FREE(frame);
 	return status;
 }
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 0a6ec0d..590561e 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3867,6 +3867,7 @@ NTSTATUS open_streams_for_delete(connection_struct *conn,
 	unsigned int num_streams = 0;
 	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS status;
+	bool saved_posix_pathnames;
 
 	status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
 				&num_streams, &stream_info);
@@ -3899,6 +3900,13 @@ NTSTATUS open_streams_for_delete(connection_struct *conn,
 		goto fail;
 	}
 
+	/*
+	 * Any stream names *must* be treated as Windows
+	 * pathnames, even if we're using UNIX extensions.
+	 */
+
+	saved_posix_pathnames = lp_set_posix_pathnames(false);
+
 	for (i=0; i<num_streams; i++) {
 		struct smb_filename *smb_fname;
 
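Review bot: the `goto fail;` in the context at the top of this hunk is reached before `saved_posix_pathnames = lp_set_posix_pathnames(false);` executes, yet the `fail:` label in the next hunk unconditionally calls `lp_set_posix_pathnames(saved_posix_pathnames)`, so that error path restores from an uninitialised value and can leave the connection in the wrong pathname mode. Initialise the variable where it is declared, e.g. `bool saved_posix_pathnames = lp_posix_pathnames();`, so the restore is a no-op on paths that never changed the setting.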
@@ -3966,6 +3974,8 @@ NTSTATUS open_streams_for_delete(connection_struct *conn,
 	}
 
  fail:
+
+	(void)lp_set_posix_pathnames(saved_posix_pathnames);
 	TALLOC_FREE(frame);
 	return status;
 }
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 80d4fea..8770fdb 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4662,116 +4662,6 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
 	return status;
 }
 
-/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
-
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					const char *name,
-					SMB_STRUCT_STAT *psbuf,
-					struct security_descriptor **ppdesc)
-{
-	struct dom_sid owner_sid, group_sid;
-	size_t size = 0;
-	struct security_ace aces[4];
-	uint32_t access_mask = 0;
-	mode_t mode = psbuf->st_ex_mode;
-	struct security_acl *new_dacl = NULL;
-	int idx = 0;
-
-	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
-		name, (int)mode ));
-
-	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
-	gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
-	/*
-	 We provide up to 4 ACEs
-		- Owner
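Review bot: this hunk removes `make_default_filesystem_acl()` from posix_acls.c (the diff is cut off on this page); the matching prototype must be dropped from the smbd header and any remaining callers in this file pointed at the relocated copy added earlier in the patch, otherwise the link fails on an undefined symbol. The "Stolen shamelessly from pvfs_default_acl()" attribution should travel with the function rather than be lost in the move.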


-- 
Samba Shared Repository