[SCM] Samba Shared Repository - branch v4-4-test updated
Karolin Seeger
kseeger at samba.org
Thu Aug 4 12:50:14 UTC 2016
The branch, v4-4-test has been updated
via d6639d7 vfs_acl_xattr: objects without NT ACL xattr
via 10e1023 s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
via 5bf53f0 s3-rpc_server/mdssd: use smbd_reinit_after_fork()
via 234dec5 smbd/notifyd: use smbd_reinit_after_fork()
via 7f7e9d7 smbd/cleanupd: use smbd_reinit_after_fork()
via 965e6ed selftest: test idmap backend id allocation for unknown SIDS
via 036a6bd selftest: make autorid the default idmap backend in admember_rfc2307
via d5af3f3 winbindd: in wb_lookupsids return domain name if we have it
via 01632a8 winbindd/idmap_rfc2307: fix a crash
via 5437525 s3:mdssvc: older glib2 versions require g_type_init()
from 34f5dc7 s3: smbd: Fix delete operations enumerating streams inside a file. This must always be done as a Windows operation.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit d6639d7f7ef787ca6cf06e8aab9bcb0d580bc9ab
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 15 17:48:19 2016 +0200
vfs_acl_xattr: objects without NT ACL xattr
Even with "ignore system acls" set to "yes", for objects without NT ACL
xattr we use the underlying filesystem permissions to construct an NT
ACL. This can result in *very* unexpected permissions, eg:
- a directory with the following ACL:
$ ./bin/smbcacls -Uslow%pass //localhost/normal ""
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\root
ACL:SLOW\slow:ALLOWED/0x0/FULL
So only one non-inheritable(!) ACE.
- creating a subdirectory:
$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"
- checking whether there's an ACL xattr:
$ getfattr -m "" /Volumes/normal/dir1
getfattr: Removing leading '/' from absolute path names
system.posix_acl_access
system.posix_acl_default
user.DOSATTRIB
So there isn't an ACL xattr, because there were no inheritable ACEs on
the parent folder.
- reading the new subdirectory's ACL:
$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:Unix Group\slow:ALLOWED/0x0/READ
ACL:Everyone:ALLOWED/0x0/READ
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
The ACEs for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
from the underlying filesystem. This is the problem.
- Windows assigns the following ACL in this situation:
$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL
$ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"
$ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
REVISION:1
CONTROL:SR|DI|DP
OWNER:VORDEFINIERT\Administratoren
GROUP:WIN2008R2\Domänen-Benutzer
ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL
By changing make_default_filesystem_acl() to only add user and system
ACE to the ACL of objects that lack an ACL xattr, we match Windows
behaviour:
$ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"
$ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
REVISION:1
CONTROL:SR|DP
OWNER:SLOW\slow
GROUP:Unix Group\slow
ACL:SLOW\slow:ALLOWED/0x0/FULL
ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
(cherry picked from commit 961c4b591bb102751079d9cc92d7aa1c37f1958c)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-4-test): Thu Aug 4 14:49:18 CEST 2016 on sn-devel-144
commit 10e102352042aa02daac5a9761c0cf16b90f9650
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 15 17:56:02 2016 +0200
s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
This function is only used in vfs_acl_common.c and will be modified in
the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit afc2417b107af572081974ff9d013ddec890d31f)
commit 5bf53f0f2e7868f86c4e7866fb7215cc73a6b5b8
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jul 5 15:38:31 2016 +0200
s3-rpc_server/mdssd: use smbd_reinit_after_fork()
Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
am_parent is reset to NULL. Otherwise, when exiting for some reason, the
inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
our whole process group including the main smbd.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Jul 11 02:02:33 CEST 2016 on sn-devel-144
(cherry picked from commit 6efd0af5e8d8ee81b5f53afb126d87950088b7cd)
commit 234dec52493a4932afb4968136f3240c2bcdbfae
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jul 5 15:37:53 2016 +0200
smbd/notifyd: use smbd_reinit_after_fork()
Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
am_parent is reset to NULL. Otherwise, when exiting for some reason, the
inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
our whole process group including the main smbd.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit bb90a8484a734b76ddd4d270f31fcdb4ae6cc48d)
commit 7f7e9d737d332da6bac6105cec688948f52aa484
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jul 5 15:20:53 2016 +0200
smbd/cleanupd: use smbd_reinit_after_fork()
Using smbd_reinit_after_fork() rather than reinit_after_fork() ensures
am_parent is reset to NULL. Otherwise, when exiting for some reason, the
inherited atexit handler killkids() calls kill(0,SIGTERM) terminating
our whole process group including the main smbd.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12016
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 3a0c16b08c7dcfe389fbc429aae734ff52c84166)
commit 965e6ed51a07b5645cd66f5bdcfa32afb0515d30
Author: Ralph Boehme <slow at samba.org>
Date: Sun Jun 12 19:03:11 2016 +0200
selftest: test idmap backend id allocation for unknown SIDS
If a SID is not found because the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 2a322a7671c9ffd0dd600142dd76b5b51a67e185)
commit 036a6bd2bb759776f050f4533ac01a8cef17f7f0
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jun 24 18:33:01 2016 +0200
selftest: make autorid the default idmap backend in admember_rfc2307
This is needed for a new test in the next commit. Existing tests aren't
affected by this, at least a private autobuild passed with this
change.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit aa54fa4e88cc80bc7841beba3a5561ad2c83dc80)
commit d5af3f3b6565da624fe6f6e4cbea818392c0c68f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jun 24 15:16:42 2016 +0200
winbindd: in wb_lookupsids return domain name if we have it
When doing a SID to xid mapping for an unknown SID, the idmap child gets
passed a lsa_RefDomainList with an empty domain name (ie ""). This is
coming from LsaLookupSids() and causes the mapping request to end up in
the default idmap domain.
Example request with domain name "":
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
in: struct wbint_Sids2UnixIDs
domains : *
domains: struct lsa_RefDomainList
count : 0x00000001 (1)
domains : *
domains: ARRAY(1)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0002 (2)
string : *
string : ''
sid : *
sid : S-1-5-21-3152989960-574718769-2188965058
max_size : 0x00000020 (32)
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_NOT_SPECIFIED (0)
domain_index : 0x00000000 (0)
rid : 0x000029aa (66666)
xid: struct unixid
id : 0xffffffff (4294967295)
type : ID_TYPE_NOT_SPECIFIED (0)
In _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with the
domain name "" and this triggers use of the default idmap domain which
in case of idmap_autorid will allocate an id from an idmap_autorid range.
If we know the domain, ensure we return it for SIDs where the SID was not
found but the domain of the SID was found. Callers like sids2xids depend
on the domain name and returning an empty string "" for a valid domain can
trigger unwanted idmap range allocations.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 9be918116e356c358ef77cc2933e471090088293)
commit 01632a8ffcfb475131b63ee43a40001b006bb0d3
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jun 24 18:31:45 2016 +0200
winbindd/idmap_rfc2307: fix a crash
map->map is NULL if lookupsid failed.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5e346af078847512e86755a4634583a8a5178c0e)
commit 5437525a1b0b5839ea0e45550905aca016b88713
Author: Ralph Boehme <slow at samba.org>
Date: Thu Mar 17 14:05:58 2016 +0100
s3:mdssvc: older glib2 versions require g_type_init()
Older glib2 versions will crash if g_type_init is not called:
(process:6712): GLib-GObject-CRITICAL **: ... ./gobject/gtype.c:2722:
You forgot to call g_type_init()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11801
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Mar 18 03:52:55 CET 2016 on sn-devel-144
(cherry picked from commit 3563d79a8cb625ae78523cb32330c9f61c6c3a2f)
-----------------------------------------------------------------------
Summary of changes:
nsswitch/tests/test_idmap_nss.sh | 41 ++++++++++++++
selftest/target/Samba3.pm | 3 +
source3/modules/vfs_acl_common.c | 74 +++++++++++++++++++++++++
source3/rpc_server/mdssd.c | 2 +-
source3/rpc_server/mdssvc/mdssvc.c | 5 +-
source3/selftest/tests.py | 4 +-
source3/smbd/posix_acls.c | 110 -------------------------------------
source3/smbd/proto.h | 4 --
source3/smbd/server.c | 4 +-
source3/winbindd/idmap_rfc2307.c | 4 +-
source3/winbindd/wb_lookupsids.c | 30 +++++++++-
11 files changed, 158 insertions(+), 123 deletions(-)
create mode 100755 nsswitch/tests/test_idmap_nss.sh
Changeset truncated at 500 lines:
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh
new file mode 100755
index 0000000..999bccb
--- /dev/null
+++ b/nsswitch/tests/test_idmap_nss.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Test id mapping with unknown SID and non-allocating idmap backend
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN
+ exit 1
+fi
+
+DOMAIN="$1"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+
+failed=0
+
+. `dirname $0`/../../testprogs/blackbox/subunit.sh
+
+testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1
+DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+echo "Domain $DOMAIN has SID $DOMAIN_SID"
+
+# Find an unused uid and SID
+RID=66666
+while true ; do
+ id $RID
+ if [ $? -ne 0 ] ; then
+ $wbinfo -s $DOMAIN_SID\\$RID
+ if [ $? -ne 0 ] ; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+done
+
+echo "Using non-existing SID $DOMAIN_SID-$RID to check no id allocation is done by the backend"
+
+out="$($wbinfo --sids-to-unix-ids=$DOMAIN_SID-$RID)"
+echo "wbinfo returned: $out"
+test "$out" = "$DOMAIN_SID-$RID -> unmapped"
+ret=$?
+testit "wbinfo SID to xid returns unmapped for unknown SID" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
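Review bot: The "find an unused uid and SID" loop probes a different string than the one the test later uses: the lookup is "$wbinfo -s $DOMAIN_SID\\$RID" (backslash separator) while the mapping request and the expected output use "$DOMAIN_SID-$RID". Use the dash form in the loop as well, so the loop really confirms that the SID under test does not resolve. Two smaller points: "id $RID" treats the RID as a uid, which deserves a comment, and $0, $DOMAIN_SID and $RID are expanded unquoted throughout, so quoting them (and the `dirname $0` path) would make the script robust against unusual build paths.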
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b278dfa..65b3a83 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -460,6 +460,9 @@ sub setup_admember_rfc2307($$$$)
server signing = on
workgroup = $dcvars->{DOMAIN}
realm = $dcvars->{REALM}
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-1999999
+ idmap config * : rangesize = 100000
idmap config $dcvars->{DOMAIN} : backend = rfc2307
idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
idmap config $dcvars->{DOMAIN} : ldap_server = ad
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 76ac598..f5af666 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -24,6 +24,7 @@
#include "../libcli/security/security.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "../lib/util/bitmap.h"
+#include "passdb/lookup_sid.h"
static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
DATA_BLOB *pblob,
@@ -358,6 +359,79 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
return NT_STATUS_OK;
}
+static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+ const char *name,
+ SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ struct dom_sid owner_sid, group_sid;
+ size_t size = 0;
+ struct security_ace aces[4];
+ uint32_t access_mask = 0;
+ mode_t mode = psbuf->st_ex_mode;
+ struct security_acl *new_dacl = NULL;
+ int idx = 0;
+
+ DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+ name, (int)mode ));
+
+ uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+ gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+ /*
+ * We provide 2 ACEs:
+ * - Owner
+ * - NT System
+ */
+
+ if (mode & S_IRUSR) {
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_ALL;
+ } else {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ }
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+ }
+
+ init_sec_ace(&aces[idx],
+ &owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+
+ init_sec_ace(&aces[idx],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_RIGHTS_FILE_ALL,
+ 0);
+ idx++;
+
+ new_dacl = make_sec_acl(ctx,
+ NT4_ACL_REVISION,
+ idx,
+ aces);
+
+ if (!new_dacl) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *ppdesc = make_sec_desc(ctx,
+ SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ &owner_sid,
+ &group_sid,
+ NULL,
+ new_dacl,
+ &size);
+ if (!*ppdesc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
/*******************************************************************
Pull a DATA_BLOB from an xattr given a pathname.
If the hash doesn't match, or doesn't exist - return the underlying
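Review bot: In the new make_default_filesystem_acl(), "struct security_ace aces[4]" is still sized for the old four-entry ACL although the comment now says "We provide 2 ACEs"; shrinking it to 2 would make the array size document the invariant. The owner ACE is also added unconditionally, so a mode without S_IRUSR and S_IWUSR produces an owner ACE with access_mask 0, whereas the group and Everyone branches removed from posix_acls.c were guarded by "if (access_mask)"; either guard the owner ACE the same way or state in the comment that an empty owner ACE is intended. Since the function is now static and its behaviour differs from the removed version, a short header comment saying it builds the ACL for objects that lack an NT ACL xattr would help the next reader.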
diff --git a/source3/rpc_server/mdssd.c b/source3/rpc_server/mdssd.c
index f76d13e..710b377 100644
--- a/source3/rpc_server/mdssd.c
+++ b/source3/rpc_server/mdssd.c
@@ -667,7 +667,7 @@ void start_mdssd(struct tevent_context *ev_ctx,
return;
}
- status = reinit_after_fork(msg_ctx, ev_ctx, true, "mdssd-master");
+ status = smbd_reinit_after_fork(msg_ctx, ev_ctx, true, "mdssd-master");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("reinit_after_fork() failed\n"));
smb_panic("reinit_after_fork() failed");
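Review bot: The DEBUG and smb_panic strings after the changed call still say "reinit_after_fork() failed" although the function called is now smbd_reinit_after_fork(). Updating both strings keeps the log line searchable against the code, which matters when someone is tracing why mdssd exited. The same applies to the messages following the two changed calls in source3/smbd/server.c.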
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index abfea43..44d7703 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -1783,10 +1783,13 @@ done:
}
/**
- * Init callbacks at startup, nothing to do here really
+ * Init callbacks at startup
**/
bool mds_init(struct messaging_context *msg_ctx)
{
+#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)
+ g_type_init();
+#endif
return true;
}
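Review bot: The guard in mds_init(), "#if (GLIB_MAJOR_VERSION < 3) && (GLIB_MINOR_VERSION < 36)", tests the major and minor numbers independently rather than comparing a version, so it only reads correctly for 2.x. glib's own macro expresses the intent directly: "#if !GLIB_CHECK_VERSION(2,36,0)". The doc comment was shortened to "Init callbacks at startup" but does not say why g_type_init() is called; one line noting that glib before 2.36 requires it would save the next reader a trip to the bug report.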
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d35a2a3..72eaa53 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -303,7 +303,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
local = ["local.nss", "local.ndr"]
-idmap = [ "idmap.rfc2307" ]
+idmap = ["idmap.rfc2307", "idmap.alloc"]
rap = ["rap.basic", "rap.rpc", "rap.printing", "rap.sam"]
@@ -368,6 +368,8 @@ for t in tests:
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
elif t == "idmap.rfc2307":
plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rfc2307.sh"), '$DOMAIN', 'Administrator', '2000000', 'Guest', '2000001', '"Domain Users"', '2000002', 'DnsAdmins', '2000003', 'ou=idmap,dc=samba,dc=example,dc=com', '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD'])
+ elif t == "idmap.alloc":
+ plantestsuite(t, "ad_member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_nss.sh"), '$DOMAIN'])
elif t == "raw.acls":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/nfs4acl_simple -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple')
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 0c9c749..d87253d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4662,116 +4662,6 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
return status;
}
-/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
-
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
- const char *name,
- SMB_STRUCT_STAT *psbuf,
- struct security_descriptor **ppdesc)
-{
- struct dom_sid owner_sid, group_sid;
- size_t size = 0;
- struct security_ace aces[4];
- uint32_t access_mask = 0;
- mode_t mode = psbuf->st_ex_mode;
- struct security_acl *new_dacl = NULL;
- int idx = 0;
-
- DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
- name, (int)mode ));
-
- uid_to_sid(&owner_sid, psbuf->st_ex_uid);
- gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
- /*
- We provide up to 4 ACEs
- - Owner
- - Group
- - Everyone
- - NT System
- */
-
- if (mode & S_IRUSR) {
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_ALL;
- } else {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- }
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
- }
-
- init_sec_ace(&aces[idx],
- &owner_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
-
- access_mask = 0;
- if (mode & S_IRGRP) {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- if (mode & S_IWGRP) {
- /* note that delete is not granted - this matches posix behaviour */
- access_mask |= SEC_RIGHTS_FILE_WRITE;
- }
- if (access_mask) {
- init_sec_ace(&aces[idx],
- &group_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
- }
-
- access_mask = 0;
- if (mode & S_IROTH) {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- if (mode & S_IWOTH) {
- access_mask |= SEC_RIGHTS_FILE_WRITE;
- }
- if (access_mask) {
- init_sec_ace(&aces[idx],
- &global_sid_World,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
- }
-
- init_sec_ace(&aces[idx],
- &global_sid_System,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- SEC_RIGHTS_FILE_ALL,
- 0);
- idx++;
-
- new_dacl = make_sec_acl(ctx,
- NT4_ACL_REVISION,
- idx,
- aces);
-
- if (!new_dacl) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *ppdesc = make_sec_desc(ctx,
- SECURITY_DESCRIPTOR_REVISION_1,
- SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
- &owner_sid,
- &group_sid,
- NULL,
- new_dacl,
- &size);
- if (!*ppdesc) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
const char *path_p,
TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 914951e..1ef84a0 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -764,10 +764,6 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname,
uint32_t security_info_wanted,
struct security_descriptor **sd);
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
- const char *name,
- SMB_STRUCT_STAT *psbuf,
- struct security_descriptor **ppdesc);
int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
const char *path_p,
TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index b7948b4..e6c6c33 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -396,7 +396,7 @@ static bool smbd_notifyd_init(struct messaging_context *msg, bool interactive)
return true;
}
- status = reinit_after_fork(msg, ev, true, "smbd-notifyd");
+ status = smbd_reinit_after_fork(msg, ev, true, "smbd-notifyd");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("%s: reinit_after_fork failed: %s\n",
__func__, nt_errstr(status)));
@@ -478,7 +478,7 @@ static bool cleanupd_init(struct messaging_context *msg, bool interactive,
close(up_pipe[0]);
- status = reinit_after_fork(msg, ev, true, "cleanupd");
+ status = smbd_reinit_after_fork(msg, ev, true, "cleanupd");
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("reinit_after_fork failed: %s\n",
nt_errstr(status));
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 3ef10f6..19a5711 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -670,9 +670,7 @@ again:
break;
default:
- DEBUG(10, ("Nothing to do for SID %s, "
- "previous name lookup failed\n",
- sid_string_dbg(map->map->sid)));
+ break;
}
if (!fltr_usr || !fltr_grp) {
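Review bot: The default: case now silently does "break;", which fixes the dereference of map->map in the removed DEBUG call but also drops the only diagnostic for entries whose name lookup failed. Consider keeping a level 10 message that does not touch map->map, and add a comment on the case stating that map->map can be NULL here, so the dereference is not reintroduced later.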
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index 8c5f9db..2480547 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -72,6 +72,8 @@ struct wb_lookupsids_state {
* wbint_LookupSid. Preallocated with num_sids.
*/
uint32_t *single_sids;
+ /* Pointer into the "domains" array above*/
+ struct wb_lookupsids_domain **single_domains;
uint32_t num_single_sids;
uint32_t single_sids_done;
@@ -127,6 +129,12 @@ struct tevent_req *wb_lookupsids_send(TALLOC_CTX *mem_ctx,
if (tevent_req_nomem(state->single_sids, req)) {
return tevent_req_post(req, ev);
}
+ state->single_domains = talloc_zero_array(state,
+ struct wb_lookupsids_domain *,
+ num_sids);
+ if (tevent_req_nomem(state->single_domains, req)) {
+ return tevent_req_post(req, ev);
+ }
state->res_domains = talloc_zero(state, struct lsa_RefDomainList);
if (tevent_req_nomem(state->res_domains, req)) {
@@ -455,6 +463,7 @@ static void wb_lookupsids_done(struct tevent_req *subreq)
state->single_sids[state->num_single_sids] =
res_sid_index;
+ state->single_domains[state->num_single_sids] = d;
state->num_single_sids += 1;
}
state->domains_done += 1;
@@ -514,9 +523,28 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq)
&domain_name, &name);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) {
+ struct wb_lookupsids_domain *wb_domain;
+ const char *tmpname;
+
type = SID_NAME_UNKNOWN;
- domain_name = talloc_strdup(talloc_tos(), "");
+ wb_domain = state->single_domains[state->single_sids_done];
+ if (wb_domain != NULL) {
+ /*
+ * If the lookupsid failed because the rid not
+ * found in a domain and we have a reference
+ * to the lookup domain, use the name from
+ * there.
+ *
+ * Callers like sid2xid will use the domain
+ * name in the idmap backend to figure out
+ * which domain to use in processing.
+ */
+ tmpname = wb_domain->domain->name;
+ } else {
+ tmpname = "";
+ }
+ domain_name = talloc_strdup(talloc_tos(), tmpname);
if (tevent_req_nomem(domain_name, req)) {
return;
}
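Review bot: The lookup "state->single_domains[state->single_sids_done]" in wb_lookupsids_single_done() relies on single_sids_done being the index of the request that just completed, matching the slot written with "state->single_domains[state->num_single_sids] = d" in wb_lookupsids_done(); the increment of single_sids_done is not visible in this hunk, so please confirm it happens after this block, otherwise the name of the wrong domain is returned and the mapping request goes to the wrong idmap backend. wb_domain is checked for NULL but "wb_domain->domain->name" is then dereferenced without a check on wb_domain->domain; if that pointer can be unset, fall back to "" there as well. Minor: the comment says "sid2xid" where the commit message says sids2xids, and "because the rid not found" is missing "was".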
--
Samba Shared Repository