[SCM] Samba Shared Repository - branch v4-4-test updated

Karolin Seeger kseeger at samba.org
Thu Aug 4 12:50:14 UTC 2016


The branch, v4-4-test has been updated
       via  d6639d7 vfs_acl_xattr: objects without NT ACL xattr
       via  10e1023 s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
       via  5bf53f0 s3-rpc_server/mdssd: use smbd_reinit_after_fork()
       via  234dec5 smbd/notifyd: use smbd_reinit_after_fork()
       via  7f7e9d7 smbd/cleanupd: use smbd_reinit_after_fork()
       via  965e6ed selftest: test idmap backend id allocation for unknown SIDS
       via  036a6bd selftest: make autorid the default idmap backend in admember_rfc2307
       via  d5af3f3 winbindd: in wb_lookupsids return domain name if we have it
       via  01632a8 winbindd/idmap_rfc2307: fix a crash
       via  5437525 s3:mdssvc: older glib2 versions require g_type_init()
      from  34f5dc7 s3: smbd: Fix delete operations enumerating streams inside a file. This must always be done as a Windows operation.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test


- Log -----------------------------------------------------------------
commit d6639d7f7ef787ca6cf06e8aab9bcb0d580bc9ab
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:48:19 2016 +0200

    vfs_acl_xattr: objects without NT ACL xattr
    
    Even with "ignore system acls" set to "yes", for objects without NT ACL
    xattr we use the underlying filesystem permissions to construct an NT
    ACL. This can result in *very* unexpected permissions, eg:
    
    - a directory with the following ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal ""
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\root
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    
    So only one non-inheritable(!) ACE.
    
    - creating a subdirectory:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"
    
    - checking whether there's an ACL xattr:
    
    $ getfattr -m "" /Volumes/normal/dir1
    getfattr: Removing leading '/' from absolute path names
    system.posix_acl_access
    system.posix_acl_default
    user.DOSATTRIB
    
    So there isn't an ACL xattr, because there were no inheritable ACEs on
    the parent folder.
    
    - reading the new subdirectory's ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:Unix Group\slow:ALLOWED/0x0/READ
    ACL:Everyone:ALLOWED/0x0/READ
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    The ACEs for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
    from the underlying filesystem. This is the problem.
    
    - Windows assigns the following ACL in this situation:
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
    REVISION:1
    CONTROL:SR|PD|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL
    
    $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
    REVISION:1
    CONTROL:SR|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
    ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL
    
    By changing make_default_filesystem_acl() to only add user and system
    ACEs to the ACL of objects that lack an ACL xattr, we match Windows
    behaviour:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
    
    (cherry picked from commit 961c4b591bb102751079d9cc92d7aa1c37f1958c)
    
    Autobuild-User(v4-4-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-4-test): Thu Aug  4 14:49:18 CEST 2016 on sn-devel-144
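A small checker for the smbcacls listings quoted in the commit message above, added here as an example and not part of Samba or of this changeset: it parses smbcacls text output and reports ACEs that the fixed make_default_filesystem_acl() never emits (anything other than the owner and NT SYSTEM). The two sample listings are the dir1 (before) and dir2 (after) outputs from the message; the German SYSTEM spelling is taken from the Windows output shown there.

```python
"""Parse smbcacls output and flag ACEs that should not be present on an
object without an NT ACL xattr (vfs_acl_xattr, "ignore system acls = yes").
Added example, not Samba code."""
import re

# ACL:<trustee>:<ALLOWED|DENIED>/<flags hex>/<mask name or hex>
ACE_RE = re.compile(
    r"^ACL:(?P<trustee>.+):(?P<type>ALLOWED|DENIED)/"
    r"(?P<flags>0x[0-9A-Fa-f]+)/(?P<mask>\S+)$")

# Both spellings of the SYSTEM trustee seen in the commit message.
SYSTEM_TRUSTEES = {r"NT Authority\SYSTEM", r"NT-AUTORITÄT\SYSTEM"}

# Sample listings copied from the commit message (dir1 before, dir2 after).
BEFORE_FIX = r"""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:Unix Group\slow:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/READ
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
"""

AFTER_FIX = r"""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
"""


def parse_smbcacls(text):
    """Return {'owner', 'group', 'control': [flags], 'aces': [dicts]}."""
    sd = {"owner": None, "group": None, "control": [], "aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OWNER:"):
            sd["owner"] = line[len("OWNER:"):]
        elif line.startswith("GROUP:"):
            sd["group"] = line[len("GROUP:"):]
        elif line.startswith("CONTROL:"):
            sd["control"] = line[len("CONTROL:"):].split("|")
        elif line.startswith("ACL:"):
            m = ACE_RE.match(line)
            if m is None:
                raise ValueError("unparseable ACE line: " + line)
            sd["aces"].append({"trustee": m["trustee"], "type": m["type"],
                               "flags": int(m["flags"], 16),
                               "mask": m["mask"]})
    return sd


def leaked_aces(sd):
    """Trustees of ACEs that did not come from the owner or NT SYSTEM.
    A non-empty result on a freshly created object means the ACL was
    synthesised from the POSIX group/other mode bits (the bug above)."""
    allowed = {sd["owner"]} | SYSTEM_TRUSTEES
    return [a["trustee"] for a in sd["aces"] if a["trustee"] not in allowed]


if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "leaked ACEs:", leaked_aces(parse_smbcacls(text)))
```

Run it against the output of `smbcacls` on a directory created through the share to confirm only the owner and SYSTEM ACEs are present.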

commit 10e102352042aa02daac5a9761c0cf16b90f9650
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:56:02 2016 +0200

    s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
    
    This function is only used in vfs_acl_common.c and will be modified in
    the next commit.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit afc2417b107af572081974ff9d013ddec890d31f)

commit 5bf53f0f2e7868f86c4e7866fb7215cc73a6b5b8
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jul 5 15:38:31 2016 +0200

    s3-rpc_server/mdssd: use smbd_reinit_after_fork()
    
    Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
    am_parent is reset to NULL. Otherwise, when exiting for some reason, the
    inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
    our whole process group including the main smbd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Jul 11 02:02:33 CEST 2016 on sn-devel-144
    
    (cherry picked from commit 6efd0af5e8d8ee81b5f53afb126d87950088b7cd)

commit 234dec52493a4932afb4968136f3240c2bcdbfae
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jul 5 15:37:53 2016 +0200

    smbd/notifyd: use smbd_reinit_after_fork()
    
    Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
    am_parent is reset to NULL. Otherwise, when exiting for some reason, the
    inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
    our whole process group including the main smbd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit bb90a8484a734b76ddd4d270f31fcdb4ae6cc48d)

commit 7f7e9d737d332da6bac6105cec688948f52aa484
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jul 5 15:20:53 2016 +0200

    smbd/cleanupd: use smbd_reinit_after_fork()
    
    Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
    am_parent is reset to NULL. Otherwise, when exiting for some reason, the
    inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
    our whole process group including the main smbd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 3a0c16b08c7dcfe389fbc429aae734ff52c84166)

commit 965e6ed51a07b5645cd66f5bdcfa32afb0515d30
Author: Ralph Boehme <slow at samba.org>
Date:   Sun Jun 12 19:03:11 2016 +0200

    selftest: test idmap backend id allocation for unknown SIDS
    
    If a SID is not found because the RID doesn't exist in a domain and
    the domain is configured to use a non-allocating idmap backend like
    idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
    SID.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 2a322a7671c9ffd0dd600142dd76b5b51a67e185)

commit 036a6bd2bb759776f050f4533ac01a8cef17f7f0
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 18:33:01 2016 +0200

    selftest: make autorid the default idmap backend in admember_rfc2307
    
    This is needed for a new test in the next commit. Existing tests aren't
    affected by this, at least a private autobuild passed with this
    change.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit aa54fa4e88cc80bc7841beba3a5561ad2c83dc80)

commit d5af3f3b6565da624fe6f6e4cbea818392c0c68f
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 15:16:42 2016 +0200

    winbindd: in wb_lookupsids return domain name if we have it
    
    When doing a SID to xid mapping for an unknown SID, the idmap child gets
    passed a lsa_RefDomainList with an empty domain name (ie ""). This is
    coming from LsaLookupSids() and causes the mapping request to end up in
    the default idmap domain.
    
    Example request with domain name "":
    
      wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
         in: struct wbint_Sids2UnixIDs
             domains                  : *
                 domains: struct lsa_RefDomainList
                     count                    : 0x00000001 (1)
                     domains                  : *
                         domains: ARRAY(1)
                             domains: struct lsa_DomainInfo
                                 name: struct lsa_StringLarge
                                     length                   : 0x0000 (0)
                                     size                     : 0x0002 (2)
                                     string                   : *
                                         string                   : ''
                                 sid                      : *
                                     sid                      : S-1-5-21-3152989960-574718769-2188965058
                     max_size                 : 0x00000020 (32)
             ids                      : *
                 ids: struct wbint_TransIDArray
                     num_ids                  : 0x00000001 (1)
                     ids: ARRAY(1)
                         ids: struct wbint_TransID
                             type                     : ID_TYPE_NOT_SPECIFIED (0)
                             domain_index             : 0x00000000 (0)
                             rid                      : 0x000029aa (66666)
                             xid: struct unixid
                                 id                       : 0xffffffff (4294967295)
                                 type                     : ID_TYPE_NOT_SPECIFIED (0)
    
    In _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with the
    domain name "" and this triggers use of the default idmap domain which
    in case of idmap_autorid will allocate an id from a idmap_autorid range.
    
    If we know the domain, ensure we return it for SIDs where the SID was not
    found but the domain of the SID was found. Callers like sids2xids depend
    on the domain name and returning an empty string "" for a valid domain can
    trigger unwanted idmap range allocations.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 9be918116e356c358ef77cc2933e471090088293)
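A model of the routing problem this commit and the selftest commit above describe, added here as an example and not Samba code: a stand-in for winbindd's lookupsids step and idmap child that shows where a SID with an unknown RID lands before and after the fix. Backend types, ranges and the autorid rangesize mirror the selftest smb.conf in this changeset, and the domain SID and RID 66666 come from the NDR dump above; the domain name "EXAMPLEDOM", the RID table and the autorid block arithmetic are constructed simplifications.

```python
"""Stand-in for winbindd SID -> xid routing (bug 11961). Added example,
not Samba code; the autorid arithmetic is a simplification."""

DOMAIN_SID = "S-1-5-21-3152989960-574718769-2188965058"   # from the NDR dump
MEMBER_DOMAIN = "EXAMPLEDOM"                               # constructed name
KNOWN_DOMAINS = {DOMAIN_SID: MEMBER_DOMAIN}
# RIDs the name lookup resolves; 500/501 are the well-known Administrator
# and Guest RIDs that test_idmap_rfc2307.sh in this changeset maps.
KNOWN_RIDS = {500, 501}


def split_sid(sid):
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


class AutoridBackend:
    """Allocating backend: the first request for a domain SID takes the next
    free block of `rangesize` ids and maps rid -> block_base + rid."""
    def __init__(self, low, high, rangesize):
        self.low, self.high, self.rangesize = low, high, rangesize
        self.blocks = {}                       # domain SID -> block index

    def sid_to_id(self, domain_sid, rid):
        if rid >= self.rangesize:
            return None
        idx = self.blocks.setdefault(domain_sid, len(self.blocks))
        xid = self.low + idx * self.rangesize + rid
        return xid if xid <= self.high else None


class Rfc2307Backend:
    """Non-allocating backend: only ids stored in the directory come back."""
    def __init__(self, entries):
        self.entries = entries                 # rid -> uidNumber/gidNumber

    def sid_to_id(self, domain_sid, rid):
        return self.entries.get(rid)


class IdmapChild:
    """Mirrors the selftest config: autorid as "*", rfc2307 for the domain."""
    def __init__(self):
        self.backends = {
            "*": AutoridBackend(1000000, 1999999, 100000),
            MEMBER_DOMAIN: Rfc2307Backend({500: 2000000, 501: 2000001}),
        }

    def sids2unixids(self, sid, domain_name):
        # idmap_find_domain_with_sid(): an empty/unknown domain name falls
        # through to the default "*" domain, which is what triggers the bug.
        backend = self.backends.get(domain_name, self.backends["*"])
        return backend.sid_to_id(*split_sid(sid))


def wb_lookupsids_domain_name(sid, fixed):
    """Domain name handed to the idmap child. The name lookup fails for an
    unknown RID; before the fix that left the domain name "" even when the
    domain was known, after the fix the known domain's name is kept."""
    domain_sid, rid = split_sid(sid)
    name = KNOWN_DOMAINS.get(domain_sid)
    if name is None:
        return ""
    return name if (rid in KNOWN_RIDS or fixed) else ""


def sids_to_unix_ids(sid, fixed, child=None):
    """xid for `sid`, or None ("unmapped" in wbinfo --sids-to-unix-ids)."""
    child = child or IdmapChild()
    return child.sids2unixids(sid, wb_lookupsids_domain_name(sid, fixed))


if __name__ == "__main__":
    for fixed in (False, True):
        xid = sids_to_unix_ids(DOMAIN_SID + "-66666", fixed)
        print("fixed" if fixed else "before", DOMAIN_SID + "-66666", "->",
              "unmapped" if xid is None else xid)
```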

commit 01632a8ffcfb475131b63ee43a40001b006bb0d3
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jun 24 18:31:45 2016 +0200

    winbindd/idmap_rfc2307: fix a crash
    
    map->map is NULL if lookupsid failed.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 5e346af078847512e86755a4634583a8a5178c0e)

commit 5437525a1b0b5839ea0e45550905aca016b88713
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Mar 17 14:05:58 2016 +0100

    s3:mdssvc: older glib2 versions require g_type_init()
    
    Older glib2 versions will crash if g_type_init is not called:
    
    (process:6712): GLib-GObject-CRITICAL **: ... ./gobject/gtype.c:2722:
    You forgot to call g_type_init()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11801
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Mar 18 03:52:55 CET 2016 on sn-devel-144
    
    (cherry picked from commit 3563d79a8cb625ae78523cb32330c9f61c6c3a2f)

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/tests/test_idmap_nss.sh   |  41 ++++++++++++++
 selftest/target/Samba3.pm          |   3 +
 source3/modules/vfs_acl_common.c   |  74 +++++++++++++++++++++++++
 source3/rpc_server/mdssd.c         |   2 +-
 source3/rpc_server/mdssvc/mdssvc.c |   5 +-
 source3/selftest/tests.py          |   4 +-
 source3/smbd/posix_acls.c          | 110 -------------------------------------
 source3/smbd/proto.h               |   4 --
 source3/smbd/server.c              |   4 +-
 source3/winbindd/idmap_rfc2307.c   |   4 +-
 source3/winbindd/wb_lookupsids.c   |  30 +++++++++-
 11 files changed, 158 insertions(+), 123 deletions(-)
 create mode 100755 nsswitch/tests/test_idmap_nss.sh


Changeset truncated at 500 lines:

diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
new file mode 100755
index 0000000..999bccb
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Test id mapping with unknown SID and non-allocating idmap backend
+if [ $# -lt 1 ]; then
+	echo Usage: $0 DOMAIN
+	exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+
+failed=0
+
+. `dirname $0`/../../testprogs/blackbox/subunit.sh
+
+testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1
+DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+echo "Domain $DOMAIN has SID $DOMAIN_SID"
+
+# Find an unused uid and SID
+RID=66666
+while true ; do
+    id $RID
+    if [ $? -ne 0 ] ; then
+	$wbinfo -s $DOMAIN_SID\\$RID
+	if [ $? -ne 0 ] ; then
+	    break
+	fi
+    fi
+    RID=$(expr $RID + 1)
+done
+
+echo "Using non-existing SID $DOMAIN_SID-$RID to check no id allocation is done by the backend"
+
+out="$($wbinfo --sids-to-unix-ids=$DOMAIN_SID-$RID)"
+echo "wbinfo returned: $out"
+test "$out" = "$DOMAIN_SID-$RID -> unmapped"
+ret=$?
+testit "wbinfo SID to xid returns unmapped for unknown SID" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
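Review bot: the probe loop lets `id $RID` and `$wbinfo -s $DOMAIN_SID\\$RID` write to stdout/stderr on every iteration, so a long run of allocated uids floods the subunit output; redirect both (`id $RID >/dev/null 2>&1`) since only the exit status is used. The loop also has no upper bound: if the `id` lookups never fail (an NSS source that answers every uid), it spins forever, so cap the number of probes and fail the test with a clear message instead.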
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b278dfa..65b3a83 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -460,6 +460,9 @@ sub setup_admember_rfc2307($$$$)
 	server signing = on
         workgroup = $dcvars->{DOMAIN}
         realm = $dcvars->{REALM}
+        idmap config * : backend = autorid
+        idmap config * : range = 1000000-1999999
+        idmap config * : rangesize = 100000
         idmap config $dcvars->{DOMAIN} : backend = rfc2307
         idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
         idmap config $dcvars->{DOMAIN} : ldap_server = ad
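Review bot: a short comment above the three new `idmap config *` lines would record why an allocating backend is put in the default domain: a request that wrongly falls through to `*` then yields a visible autorid allocation instead of "unmapped", which is exactly what test_idmap_nss.sh checks. It is also worth stating that 1000000-1999999 is deliberately disjoint from the rfc2307 range 2000000-2999999, so a leaked allocation cannot be mistaken for a legitimate rfc2307 id.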
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 76ac598..f5af666 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../lib/util/bitmap.h"
+#include "passdb/lookup_sid.h"
 
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
 			DATA_BLOB *pblob,
@@ -358,6 +359,79 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+					    const char *name,
+					    SMB_STRUCT_STAT *psbuf,
+					    struct security_descriptor **ppdesc)
+{
+	struct dom_sid owner_sid, group_sid;
+	size_t size = 0;
+	struct security_ace aces[4];
+	uint32_t access_mask = 0;
+	mode_t mode = psbuf->st_ex_mode;
+	struct security_acl *new_dacl = NULL;
+	int idx = 0;
+
+	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+		name, (int)mode ));
+
+	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+	gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+	/*
+	 * We provide 2 ACEs:
+	 * - Owner
+	 * - NT System
+	 */
+
+	if (mode & S_IRUSR) {
+		if (mode & S_IWUSR) {
+			access_mask |= SEC_RIGHTS_FILE_ALL;
+		} else {
+			access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+		}
+	}
+	if (mode & S_IWUSR) {
+		access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+	}
+
+	init_sec_ace(&aces[idx],
+			&owner_sid,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			access_mask,
+			0);
+	idx++;
+
+	init_sec_ace(&aces[idx],
+			&global_sid_System,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			SEC_RIGHTS_FILE_ALL,
+			0);
+	idx++;
+
+	new_dacl = make_sec_acl(ctx,
+			NT4_ACL_REVISION,
+			idx,
+			aces);
+
+	if (!new_dacl) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*ppdesc = make_sec_desc(ctx,
+			SECURITY_DESCRIPTOR_REVISION_1,
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+			&owner_sid,
+			&group_sid,
+			NULL,
+			new_dacl,
+			&size);
+	if (!*ppdesc) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
 /*******************************************************************
  Pull a DATA_BLOB from an xattr given a pathname.
  If the hash doesn't match, or doesn't exist - return the underlying
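Review bot: `struct security_ace aces[4]` is now oversized, since the function only ever fills two entries (as the comment above it says); declaring `aces[2]` keeps the array and the comment in sync and makes the two-ACE contract visible to the next reader. Also, when `mode` has neither S_IRUSR nor S_IWUSR, `access_mask` stays 0 and an ALLOWED ACE with an empty mask is still emitted for the owner; that is harmless but deserves a comment, or skip the owner ACE in that case.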
diff --git a/source3/rpc_server/mdssd.c b/source3/rpc_server/mdssd.c
index f76d13e..710b377 100644
--- a/source3/rpc_server/mdssd.c
+++ b/source3/rpc_server/mdssd.c
@@ -667,7 +667,7 @@ void start_mdssd(struct tevent_context *ev_ctx,
 		return;
 	}
 
-	status = reinit_after_fork(msg_ctx, ev_ctx, true, "mdssd-master");
+	status = smbd_reinit_after_fork(msg_ctx, ev_ctx, true, "mdssd-master");
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("reinit_after_fork() failed\n"));
 		smb_panic("reinit_after_fork() failed");
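Review bot: the messages in `DEBUG(0,("reinit_after_fork() failed\n"))` and `smb_panic("reinit_after_fork() failed")` still name the old function although the call is now `smbd_reinit_after_fork()`; update both strings so a panic in mdssd points at the right call site.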
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index abfea43..44d7703 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -1783,10 +1783,13 @@ done:
 }
 
 /**
- * Init callbacks at startup, nothing to do here really
+ * Init callbacks at startup
  **/
 bool mds_init(struct messaging_context *msg_ctx)
 {
+#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)
+	g_type_init();
+#endif
 	return true;
 }
 
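Review bot: the guard `#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)` hand-encodes the "g_type_init() is deprecated from 2.36" rule and would treat a future 3.x with a minor below 36 as old; glib ships `GLIB_CHECK_VERSION(major, minor, micro)` for this, so `#if !GLIB_CHECK_VERSION(2, 36, 0)` is both clearer and correct across major versions. A one-line comment quoting the "You forgot to call g_type_init()" crash from the commit message would also tell the next reader why a deprecated call is kept.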
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d35a2a3..72eaa53 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -303,7 +303,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
 
 local = ["local.nss", "local.ndr"]
 
-idmap = [ "idmap.rfc2307" ]
+idmap = ["idmap.rfc2307", "idmap.alloc"]
 
 rap = ["rap.basic", "rap.rpc", "rap.printing", "rap.sam"]
 
@@ -368,6 +368,8 @@ for t in tests:
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
     elif t == "idmap.rfc2307":
         plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rfc2307.sh"), '$DOMAIN', 'Administrator', '2000000', 'Guest', '2000001', '"Domain Users"', '2000002', 'DnsAdmins', '2000003', 'ou=idmap,dc=samba,dc=example,dc=com', '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD'])
+    elif t == "idmap.alloc":
+        plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_nss.sh"), '$DOMAIN'])
     elif t == "raw.acls":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/nfs4acl_simple -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple')
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 0c9c749..d87253d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4662,116 +4662,6 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
 	return status;
 }
 
-/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
-
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					const char *name,
-					SMB_STRUCT_STAT *psbuf,
-					struct security_descriptor **ppdesc)
-{
-	struct dom_sid owner_sid, group_sid;
-	size_t size = 0;
-	struct security_ace aces[4];
-	uint32_t access_mask = 0;
-	mode_t mode = psbuf->st_ex_mode;
-	struct security_acl *new_dacl = NULL;
-	int idx = 0;
-
-	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
-		name, (int)mode ));
-
-	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
-	gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
-	/*
-	 We provide up to 4 ACEs
-		- Owner
-		- Group
-		- Everyone
-		- NT System
-	*/
-
-	if (mode & S_IRUSR) {
-		if (mode & S_IWUSR) {
-			access_mask |= SEC_RIGHTS_FILE_ALL;
-		} else {
-			access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-		}
-	}
-	if (mode & S_IWUSR) {
-		access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
-	}
-
-	init_sec_ace(&aces[idx],
-			&owner_sid,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-	idx++;
-
-	access_mask = 0;
-	if (mode & S_IRGRP) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWGRP) {
-		/* note that delete is not granted - this matches posix behaviour */
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&group_sid,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
-	access_mask = 0;
-	if (mode & S_IROTH) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWOTH) {
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&global_sid_World,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
-	init_sec_ace(&aces[idx],
-			&global_sid_System,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			SEC_RIGHTS_FILE_ALL,
-			0);
-	idx++;
-
-	new_dacl = make_sec_acl(ctx,
-			NT4_ACL_REVISION,
-			idx,
-			aces);
-
-	if (!new_dacl) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	*ppdesc = make_sec_desc(ctx,
-			SECURITY_DESCRIPTOR_REVISION_1,
-			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
-			&owner_sid,
-			&group_sid,
-			NULL,
-			new_dacl,
-			&size);
-	if (!*ppdesc) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
 int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
 				const char *path_p,
 				TALLOC_CTX *mem_ctx,
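Review bot: the removed block carried the attribution comment "Stolen shamelessly from pvfs_default_acl() in source4", and the copy added to vfs_acl_common.c drops it; since the owner-mask logic is still derived from that source4 function, carry the attribution over to the new location.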
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 914951e..1ef84a0 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -764,10 +764,6 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
 NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname,
 			     uint32_t security_info_wanted,
 			     struct security_descriptor **sd);
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					const char *name,
-					SMB_STRUCT_STAT *psbuf,
-					struct security_descriptor **ppdesc);
 int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
 				const char *path_p,
 				TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index b7948b4..e6c6c33 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -396,7 +396,7 @@ static bool smbd_notifyd_init(struct messaging_context *msg, bool interactive)
 		return true;
 	}
 
-	status = reinit_after_fork(msg, ev, true, "smbd-notifyd");
+	status = smbd_reinit_after_fork(msg, ev, true, "smbd-notifyd");
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("%s: reinit_after_fork failed: %s\n",
 			  __func__, nt_errstr(status)));
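Review bot: the diagnostic `"%s: reinit_after_fork failed: %s\n"` names a function that is no longer called here; rename it to `smbd_reinit_after_fork` so the log line matches the code (the same applies to the `DBG_WARNING` string in `cleanupd_init` in the next hunk).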
@@ -478,7 +478,7 @@ static bool cleanupd_init(struct messaging_context *msg, bool interactive,
 
 	close(up_pipe[0]);
 
-	status = reinit_after_fork(msg, ev, true, "cleanupd");
+	status = smbd_reinit_after_fork(msg, ev, true, "cleanupd");
 	if (!NT_STATUS_IS_OK(status)) {
 		DBG_WARNING("reinit_after_fork failed: %s\n",
 			    nt_errstr(status));
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 3ef10f6..19a5711 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -670,9 +670,7 @@ again:
 			break;
 
 		default:
-			DEBUG(10, ("Nothing to do for SID %s, "
-				   "previous name lookup failed\n",
-				   sid_string_dbg(map->map->sid)));
+			break;
 		}
 
 		if (!fltr_usr || !fltr_grp) {
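Review bot: replacing the DEBUG with a bare `break;` removes the NULL dereference of `map->map` when the name lookup failed, but it also removes the only trace that this SID was skipped; a level-10 debug line that does not go through `map->map` would keep the path observable when chasing unmapped SIDs. A short comment on the `default:` case explaining why nothing is done there would also stop the next reader from re-adding the dereference.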
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index 8c5f9db..2480547 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -72,6 +72,8 @@ struct wb_lookupsids_state {
 	 * wbint_LookupSid. Preallocated with num_sids.
 	 */
 	uint32_t *single_sids;
+	/* Pointer into the "domains" array above*/
+	struct wb_lookupsids_domain **single_domains;
 	uint32_t num_single_sids;
 	uint32_t single_sids_done;
 
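Review bot: the new comment `/* Pointer into the "domains" array above*/` is missing a space before `*/`; while touching it, state the invariant the later hunks rely on, that `single_domains[i]` is the domain of `single_sids[i]`, so the lockstep indexing in `wb_lookupsids_single_done` is documented at the declaration.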
@@ -127,6 +129,12 @@ struct tevent_req *wb_lookupsids_send(TALLOC_CTX *mem_ctx,
 	if (tevent_req_nomem(state->single_sids, req)) {
 		return tevent_req_post(req, ev);
 	}
+	state->single_domains = talloc_zero_array(state,
+						  struct wb_lookupsids_domain *,
+						  num_sids);
+	if (tevent_req_nomem(state->single_domains, req)) {
+		return tevent_req_post(req, ev);
+	}
 
 	state->res_domains = talloc_zero(state, struct lsa_RefDomainList);
 	if (tevent_req_nomem(state->res_domains, req)) {
@@ -455,6 +463,7 @@ static void wb_lookupsids_done(struct tevent_req *subreq)
 
 			state->single_sids[state->num_single_sids] =
 				res_sid_index;
+			state->single_domains[state->num_single_sids] = d;
 			state->num_single_sids += 1;
 		}
 		state->domains_done += 1;
@@ -514,9 +523,28 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq)
 				   &domain_name, &name);
 	TALLOC_FREE(subreq);
 	if (!NT_STATUS_IS_OK(status)) {
+		struct wb_lookupsids_domain *wb_domain;
+		const char *tmpname;
+
 		type = SID_NAME_UNKNOWN;
 
-		domain_name = talloc_strdup(talloc_tos(), "");
+		wb_domain = state->single_domains[state->single_sids_done];
+		if (wb_domain != NULL) {
+			/*
+			 * If the lookupsid failed because the rid not
+			 * found in a domain and we have a reference
+			 * to the lookup domain, use the name from
+			 * there.
+			 *
+			 * Callers like sid2xid will use the domain
+			 * name in the idmap backend to figure out
+			 * which domain to use in processing.
+			 */
+			tmpname = wb_domain->domain->name;
+		} else {
+			tmpname = "";
+		}
+		domain_name = talloc_strdup(talloc_tos(), tmpname);
 		if (tevent_req_nomem(domain_name, req)) {
 			return;
 		}
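Review bot: the comment reads "because the rid not found in a domain"; it should say "because the rid was not found in a domain". On the logic, indexing `state->single_domains` with `state->single_sids_done` depends on the two arrays being filled and consumed in lockstep, which the `wb_lookupsids_done` hunk establishes; `wb_domain->domain->name` is then used unchecked, so either note that `wb_domain->domain` is always set when the entry is non-NULL or add a guard for it.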


-- 
Samba Shared Repository


