[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Dec 12 23:15:04 UTC 2016


The branch, master has been updated
       via  d43d0a1 smb.conf: add identity mapping section
       via  831d60a s3:winbind: Do not start with an invalid default idmap backend
       via  74c2c46 s3-testparm: Print an error if we have overlapping idmap config
       via  3de634d s3-testparm: Print error if the default backend is incorrect
       via  46337ce s3-testparm: Fix trailing whitespaces
       via  5927c82 libsmb: Correctly report error for rename failure
      from  5f5ba89 tests/dns: Check you cannot add empty CNAME

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d43d0a116fa7ecc54db04ec833f9412c2375d31c
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu Dec 8 10:21:53 2016 +0200

    smb.conf: add identity mapping section
    
    Add a generic identity mapping section that points to the other
    resources in the Samba documentation about idmap modules and their
    configuration.
    
    This should help users to discover corresponding documentation easily.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andrea Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Dec 13 00:14:04 CET 2016 on sn-devel-144

commit 831d60a5dfff2da63e7118c590c0c92479f72ddb
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Dec 12 10:05:39 2016 +0100

    s3:winbind: Do not start with an invalid default idmap backend
    
    Pair-Programmed-With: Michael Adam <obnox at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 74c2c4647e0a837aaa77d74bb6e892652a10687d
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 7 18:19:53 2016 +0100

    s3-testparm: Print an error if we have overlapping idmap config
    
    Except if both backends are 'ad'.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 3de634d7a04f9e1cb8fda9dfb50b3675ab88b4fc
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 7 17:44:25 2016 +0100

    s3-testparm: Print error if the default backend is incorrect
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 46337ce43c84a9cbedb6310a6291040a5e252b84
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 7 17:03:22 2016 +0100

    s3-testparm: Fix trailing whitespaces
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5927c821782dc94117582ca63aae53b0a3b2a037
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Dec 12 16:20:29 2016 +0100

    libsmb: Correctly report error for rename failure
    
    This prevents renaming a file over an existing one with SMB2
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12468
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/smb.conf.5.xml |  60 +++++++++++++
 source3/libsmb/cli_smb2_fnum.c   |   4 +
 source3/utils/testparm.c         | 188 +++++++++++++++++++++++++++++++++++++--
 source3/winbindd/winbindd.c      |  19 ++++
 4 files changed, 263 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/smb.conf.5.xml b/docs-xml/manpages/smb.conf.5.xml
index 10c1fb4..d67b8f1 100644
--- a/docs-xml/manpages/smb.conf.5.xml
+++ b/docs-xml/manpages/smb.conf.5.xml
@@ -754,6 +754,66 @@ chmod 1770 /usr/local/samba/lib/usershares
 
 </refsect1>
 
+<refsect1 ID="IDMAPCONSIDERATIONS">
+	<title>IDENTITY MAPPING CONSIDERATIONS</title>
+
+	<para>
+	In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs).
+	On POSIX system Samba processes need to run under corresponding POSIX user identities and
+	with supplemental POSIX groups to allow access to the files owned by those users and groups.
+	The process of mapping SIDs to POSIX users and groups is called <emphasis>IDENTITY MAPPING</emphasis>
+	or, in short, <emphasis>ID MAPPING</emphasis>.
+	</para>
+
+	<para>
+	Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by
+	the <smbconfoption name="idmap config DOMAIN : OPTION"/> option which allows one to specify identity
+	mapping (idmap) options for each domain	separately.
+	</para>
+
+	<para>
+	Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group
+	identities. They are applicable to different use cases and scenarios. It is advised to read the documentation
+	of the individual identity mapping modules before choosing a specific scenario to use. Each identity
+	management module is documented in a separate manual page. The standard idmap backends are
+	tdb (<citerefentry><refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	tdb2 (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	rid (<citerefentry><refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	hash (<citerefentry><refentrytitle>idmap_hash</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	autorid (<citerefentry><refentrytitle>idmap_autorid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
+	ad (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+	nss (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), and
+	rfc2307 (<citerefentry><refentrytitle>idmap_rfc2307</refentrytitle> <manvolnum>8</manvolnum></citerefentry>).
+	</para>
+
+	<para>
+	Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping
+	configuration may create the risk of losing access to the data or disclosing the data to the wrong parties.
+	</para>
+
+	<para>
+	This example shows how to configure two domains with <citerefentry><refentrytitle>idmap_rid</refentrytitle>
+	<manvolnum>8</manvolnum> </citerefentry>, the principal domain and a trusted domain,
+	leaving the default id mapping scheme at tdb.
+	</para>
+
+	<programlisting>
+	[global]
+	security = domain
+	workgroup = MAIN
+
+	idmap config * : backend        = tdb
+	idmap config * : range          = 1000000-1999999
+
+	idmap config MAIN : backend     = rid
+	idmap config MAIN : range       = 5000000-5999999
+
+	idmap config TRUSTED : backend  = rid
+	idmap config TRUSTED : range    = 6000000-6999999
+	</programlisting>
+</refsect1>
+
 <refsect1>
 	<title>EXPLANATION OF EACH PARAMETER</title>
 	
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 325ae78..5a96b05 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1829,6 +1829,10 @@ fail:
 		cli_smb2_close_fnum(cli, fnum);
 	}
 
+	if (!NT_STATUS_IS_OK(status)) {
+		cli->raw_status = status;
+	}
+
 	TALLOC_FREE(frame);
 	return status;
 }
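Review bot: The new assignment updates `cli->raw_status` only when the call fails, so after a successful call it still holds whatever an earlier failure left there; if any caller reads raw_status after success, the guard should go and the line become an unconditional `cli->raw_status = status;`. I cannot see from this hunk whether the sibling cli_smb2_* routines assign it unconditionally or only on error, so the choice is worth checking against them rather than decided here. The enclosing function starts before this hunk.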
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e1d66ce..3e80c39 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -1,21 +1,21 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    Test validity of smb.conf
    Copyright (C) Karl Auer 1993, 1994-1998
 
    Extensively modified by Andrew Tridgell, 1995
    Converted to popt by Jelmer Vernooij (jelmer at nl.linux.org), 2002
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -36,6 +36,8 @@
 #include "popt_common.h"
 #include "lib/param/loadparm.h"
 
+#include <regex.h>
+
 /*******************************************************************
  Check if a directory exists.
 ********************************************************************/
@@ -57,6 +59,145 @@ static bool directory_exist_stat(const char *dname,SMB_STRUCT_STAT *st)
 	return ret;
 }
 
+struct idmap_config {
+	const char *domain_name;
+	const char *backend;
+	uint32_t high;
+	uint32_t low;
+};
+
+struct idmap_domains {
+	struct idmap_config *c;
+	uint32_t count;
+	uint32_t size;
+};
+
+static bool lp_scan_idmap_found_domain(const char *string,
+				       regmatch_t matches[],
+				       void *private_data)
+{
+	bool ok = false;
+
+	if (matches[1].rm_so == -1) {
+		fprintf(stderr, "Found match, but no name - invalid idmap config");
+		return false;
+	}
+	if (matches[1].rm_eo <= matches[1].rm_so) {
+		fprintf(stderr, "Invalid match - invalid idmap config");
+		return false;
+	}
+
+	{
+		struct idmap_domains *d = private_data;
+		struct idmap_config *c = &d->c[d->count];
+		regoff_t len = matches[1].rm_eo - matches[1].rm_so;
+		char domname[len + 1];
+
+		if (d->count >= d->size) {
+			return false;
+		}
+
+		memcpy(domname, string + matches[1].rm_so, len);
+		domname[len] = '\0';
+
+		c->domain_name = talloc_strdup_upper(d->c, domname);
+		if (c->domain_name == NULL) {
+			return false;
+		}
+		c->backend = talloc_strdup(d->c, lp_idmap_backend(domname));
+		if (c->backend == NULL) {
+			return false;
+		}
+
+		ok = lp_idmap_range(domname, &c->low, &c->high);
+		if (!ok) {
+			fprintf(stderr,
+				"ERROR: Invalid idmap range for domain "
+				"%s!\n\n",
+				c->domain_name);
+			return false;
+		}
+
+		d->count++;
+	}
+
+	return false; /* Keep scanning */
+}
+
+static bool do_idmap_check(void)
+{
+	struct idmap_domains *d;
+	uint32_t i;
+	bool ok = false;
+	int rc;
+
+	d = talloc_zero(talloc_tos(), struct idmap_domains);
+	if (d == NULL) {
+		return false;
+	}
+	d->count = 0;
+	d->size = 32;
+
+	d->c = talloc_array(d, struct idmap_config, d->size);
+	if (d->c == NULL) {
+		goto done;
+	}
+
+	rc = lp_wi_scan_global_parametrics("idmapconfig\\(.*\\):backend",
+					   2,
+					   lp_scan_idmap_found_domain,
+					   d);
+	if (rc != 0) {
+		fprintf(stderr,
+			"FATAL: wi_scan_global_parametrics failed: %d",
+			rc);
+	}
+
+	for (i = 0; i < d->count; i++) {
+		struct idmap_config *c = &d->c[i];
+		uint32_t j;
+
+		for (j = 0; j < d->count && j != i; j++) {
+			struct idmap_config *x = &d->c[j];
+
+			if ((c->low >= x->low && c->low <= x->high) ||
+			    (c->high >= x->low && c->high <= x->high)) {
+				/* Allow overlapping ranges for idmap_ad */
+				ok = strequal(c->backend, x->backend);
+				if (ok) {
+					ok = strequal(c->backend, "ad");
+					if (ok) {
+						fprintf(stderr,
+							"NOTE: The idmap_ad "
+							"range for the domain "
+							"%s overlaps with the "
+							"range of %s.\n\n",
+							c->domain_name,
+							x->domain_name);
+						continue;
+					}
+				}
+
+				fprintf(stderr,
+					"ERROR: The idmap range for the domain "
+					"%s (%s) overlaps with the range of "
+					"%s (%s)!\n\n",
+					c->domain_name,
+					c->backend,
+					x->domain_name,
+					x->backend);
+				ok = false;
+				goto done;
+			}
+		}
+	}
+
+	ok = true;
+done:
+	TALLOC_FREE(d);
+	return ok;
+}
+
 /***********************************************
  Here we do a set of 'hard coded' checks for bad
  configuration settings.
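Review bot: The overlap test in do_idmap_check, `if ((c->low >= x->low && c->low <= x->high) || (c->high >= x->low && c->high <= x->high))`, misses the case where the later domain's range fully contains the earlier one's (constructed example: 1000-9000 checked against 2000-3000), and because each pair is visited only once with j < i nothing catches it from the other side; the standard interval test `if (c->low <= x->high && x->low <= c->high)` covers every overlap. Separately, lp_scan_idmap_found_domain returns false both to keep scanning and after it has printed the "Invalid idmap range" error or hit the d->size cap, so those failures never reach do_idmap_check, which still returns true and lets testparm report success; the FATAL branch after lp_wi_scan_global_parametrics likewise prints (without a trailing newline) and then falls through to the range check. A failure flag on struct idmap_domains, set before each error return in the callback and tested after the scan, would propagate them, and the two messages at the top of the callback should end with the `\n\n` the other messages use.
```c
struct idmap_domains {
	struct idmap_config *c;
	uint32_t count;
	uint32_t size;
	bool failed;	/* set by lp_scan_idmap_found_domain when it reports a problem */
};

/* … unchanged: lp_scan_idmap_found_domain, except that `d` is read from
   private_data at the top and `d->failed = true;` precedes every early
   `return false;` that follows a reported error … */

/* … unchanged: do_idmap_check allocation and the scan call … */
	if (rc != 0) {
		fprintf(stderr,
			"FATAL: wi_scan_global_parametrics failed: %d\n",
			rc);
		goto done;	/* ok is still false */
	}
	if (d->failed) {
		goto done;	/* the callback already printed the error */
	}

	/* … unchanged: the pairwise loop, with the overlap test replaced by … */
			if (c->low <= x->high && x->low <= c->high) {
```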
@@ -313,6 +454,37 @@ static int do_global_checks(void)
 		fprintf(stderr, "'algorithmic rid base' must be even.\n\n");
 	}
 
+	if (lp_server_role() != ROLE_STANDALONE) {
+		const char *default_backends[] = {
+			"tdb", "tdb2", "ldap", "autorid", "hash"
+		};
+		const char *idmap_backend;
+		bool valid_backend = false;
+		uint32_t i;
+		bool ok;
+
+		idmap_backend = lp_idmap_default_backend();
+
+		for (i = 0; i < ARRAY_SIZE(default_backends); i++) {
+			ok = strequal(idmap_backend, default_backends[i]);
+			if (ok) {
+				valid_backend = true;
+			}
+		}
+
+		if (!valid_backend) {
+			ret = 1;
+			fprintf(stderr, "ERROR: Do not use the '%s' backend "
+					"as the default idmap backend!\n\n",
+					idmap_backend);
+		}
+
+		ok = do_idmap_check();
+		if (!ok) {
+			ret = 1;
+		}
+	}
+
 #ifndef HAVE_DLOPEN
 	if (lp_preload_modules()) {
 		fprintf(stderr, "WARNING: 'preload modules = ' set while loading "
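Review bot: The allow-list `default_backends[]` here and the deny-list `invalid_backends[]` in the source3/winbindd/winbindd.c hunk disagree: `nss`, which the new smb.conf.5.xml section lists as a standard backend, and any out-of-tree backend are rejected by testparm but accepted by winbindd, so the two tools can give different verdicts on the same configuration. One shared table (or a helper both call) would keep them aligned; at minimum `"nss"` needs a deliberate decision in both lists. The lookup loop can also `break;` once valid_backend is set, and the whole check is skipped for ROLE_STANDALONE — presumably intentional, but a one-line comment such as `/* the default idmap backend is only relevant when winbindd serves a domain */` would record why, if that is indeed the reason. do_global_checks begins and ends outside this hunk.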
@@ -324,7 +496,7 @@ static int do_global_checks(void)
 		fprintf(stderr, "ERROR: passdb backend must have a value or be "
 				"left out\n\n");
 	}
-	
+
 	if (lp_os_level() > 255) {
 		fprintf(stderr, "WARNING: Maximum value for 'os level' is "
 				"255!\n\n");
@@ -336,7 +508,7 @@ static int do_global_checks(void)
 	}
 
 	return ret;
-}   
+}
 
 /**
  * per-share logic tests
@@ -491,7 +663,7 @@ static void do_per_share_checks(int s)
 	 */
 	lp_set_cmdline("log level", "2");
 
-	pc = poptGetContext(NULL, argc, argv, long_options, 
+	pc = poptGetContext(NULL, argc, argv, long_options,
 			    POPT_CONTEXT_KEEP_FIRST);
 	poptSetOtherOptionHelp(pc, "[OPTION...] <config-file> [host-name] [host-ip]");
 
@@ -504,7 +676,7 @@ static void do_per_share_checks(int s)
 
 	setup_logging(poptGetArg(pc), DEBUG_STDERR);
 
-	if (poptPeekArg(pc)) 
+	if (poptPeekArg(pc))
 		config_file = poptGetArg(pc);
 
 	cname = poptGetArg(pc);
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 778ee80..2cd2001 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1689,6 +1689,25 @@ int main(int argc, const char **argv)
 		exit(1);
 	}
 
+	{
+		size_t i;
+		const char *idmap_backend;
+		const char *invalid_backends[] = {
+			"ad", "rfc2307", "rid",
+		};
+
+		idmap_backend = lp_idmap_default_backend();
+		for (i = 0; i < ARRAY_SIZE(invalid_backends); i++) {
+			ok = strequal(idmap_backend, invalid_backends[i]);
+			if (ok) {
+				DBG_ERR("FATAL: Invalid idmap backend %s "
+					"configured as the default backend!\n",
+					idmap_backend);
+				exit(1);
+			}
+		}
+	}
+
 	ok = directory_create_or_exist(lp_lock_directory(), 0755);
 	if (!ok) {
 		DEBUG(0, ("Failed to create directory %s for lock files - %s\n",




