[SCM] Samba Shared Repository - branch v4-3-test updated
Karolin Seeger
kseeger at samba.org
Fri Mar 4 13:44:05 UTC 2016
The branch, v4-3-test has been updated
via 162efbf passdb: add linefeed to debug message
via 3137519 smbd: ignore SVHDX create context
via 9e9bc07 winbindd: return trust parameters when listing trusts
via 708fe69 winbindd: initialize foreign domain as AD based on trust
via 22aa4d9 winbindd: introduce add_trusted_domain_from_tdc()
via 7fd2e7f access based share enum: handle permission set in configuration files
from e42cd66 s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test
- Log -----------------------------------------------------------------
commit 162efbfbd4e447a5c590281d42873a8daade348a
Author: Uri Simchoni <uri at samba.org>
Date: Tue Mar 1 10:36:35 2016 +0200
passdb: add linefeed to debug message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11763
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Mar 1 15:24:35 CET 2016 on sn-devel-144
(cherry picked from commit fb4778f4e9834af556bd5aac177fc04e7f09f152)
Autobuild-User(v4-3-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-3-test): Fri Mar 4 14:43:29 CET 2016 on sn-devel-104
commit 3137519ebcb4c80bbc1a489457276d6e6fcdf475
Author: Uri Simchoni <uri at samba.org>
Date: Thu Feb 25 07:08:06 2016 +0200
smbd: ignore SVHDX create context
According to discussions with dochelp at microsoft.com, an SMB
server should ignore an SVHDX_OPEN_DEVICE_CONTEXT or
SVHDX_OPEN_DEVICE_CONTEXT_V2 create context if it does not
support the RSVD protocol. This is contrary to [MS-SMB2] rev 48.0
which states (3.3.5.9.14) that the open should fail in this case.
Failing the create fails Windows backup if the SMB dialect is
SMB3.0.2 or higher.
Hopefully a new revision of MS-SMB2 will clear this up in the future.
Meanwhile, this patch modifies smbd to ignore the
SVHDX_OPEN_DEVICE_CONTEXT by default. This can be overriden by a VFS
module if a VFS module adds support for RSVD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11753
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9e9bc07254cb9885ced5c1d85987fbe7d68c8888
Author: Uri Simchoni <uri at samba.org>
Date: Wed Feb 10 00:38:11 2016 +0200
winbindd: return trust parameters when listing trusts
When asking a child domain process to list trusts on that domain,
return (along with trust domain names and SID) the trust properties -
flags, type, and attributes.
Use those attributes to initialize domain object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144
(cherry picked from commit 7b4dfd939f417c7d8c4c2c1e8c77f4af9bcd28d7)
commit 708fe69b2a5d70153de1321b8ecbdccf5d4de5f9
Author: Uri Simchoni <uri at samba.org>
Date: Wed Feb 10 00:32:23 2016 +0200
winbindd: initialize foreign domain as AD based on trust
Based on trust parameters, initialize the active_directory
member of domain object to true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d0aa5d057497022aeefffa9882d3ac2b7e18a682)
commit 22aa4d997fccfc1669c7f9a8cf01dcdbad736de3
Author: Uri Simchoni <uri at samba.org>
Date: Wed Feb 10 00:26:45 2016 +0200
winbindd: introduce add_trusted_domain_from_tdc()
This is purely a refactoring patch -
Add a routine that adds a winbindd domain object based on
domain trust cache entry. add_trusted_domain() becomes
a wrapper for this new routine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c65841a3bd737b61251603a916a315043703c832)
commit 7fd2e7f4d8f20a5b1810e949db37bbb5d8900e51
Author: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
Date: Tue Feb 23 18:22:10 2016 +0100
access based share enum: handle permission set in configuration files
change function is_enumeration_allowed to check permissions set by
fields: valid users, invalid users, only user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8093
Signed-off-by: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5036a0922b7890005bcc8b77368a6635c8ebeb4b)
-----------------------------------------------------------------------
Summary of changes:
source3/passdb/passdb.c | 3 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 +++-
source3/smbd/smb2_create.c | 15 ---
source3/winbindd/winbindd_misc.c | 11 ++-
source3/winbindd/winbindd_util.c | 153 +++++++++++++++++++++---------
5 files changed, 128 insertions(+), 71 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f071027..5873c54 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -658,7 +658,8 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
/* BUILTIN groups are looked up elsewhere */
if (!sid_check_is_in_our_sam(&map->sid)) {
DEBUG(10, ("Found group %s (%s) not in our domain -- "
- "ignoring.", name, sid_string_dbg(&map->sid)));
+ "ignoring.\n",
+ name, sid_string_dbg(&map->sid)));
TALLOC_FREE(map);
return False;
}
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index 96c022b..cfb5dac 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -477,12 +477,19 @@ static bool is_hidden_share(int snum)
static bool is_enumeration_allowed(struct pipes_struct *p,
int snum)
{
- if (!lp_access_based_share_enum(snum))
- return true;
+ if (!lp_access_based_share_enum(snum)) {
+ return true;
+ }
+
+ if (!user_ok_token(p->session_info->unix_info->unix_name,
+ p->session_info->info->domain_name,
+ p->session_info->security_token, snum)) {
+ return false;
+ }
- return share_access_check(p->session_info->security_token,
- lp_servicename(talloc_tos(), snum),
- FILE_READ_DATA, NULL);
+ return share_access_check(p->session_info->security_token,
+ lp_servicename(talloc_tos(), snum),
+ FILE_READ_DATA, NULL);
}
/****************************************************************************
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 76d6d69..f77a9f0 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -675,7 +675,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
struct smb2_lease lease;
struct smb2_lease *lease_ptr = NULL;
ssize_t lease_len = -1;
- struct smb2_create_blob *svhdx = NULL;
exta = smb2_create_blob_find(&in_context_blobs,
SMB2_CREATE_TAG_EXTA);
@@ -689,13 +688,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
SMB2_CREATE_TAG_TWRP);
qfid = smb2_create_blob_find(&in_context_blobs,
SMB2_CREATE_TAG_QFID);
- if (smb2req->xconn->protocol >= PROTOCOL_SMB3_02) {
- /*
- * This was introduced with SMB3_02
- */
- svhdx = smb2_create_blob_find(&in_context_blobs,
- SVHDX_OPEN_DEVICE_CONTEXT);
- }
fname = talloc_strdup(state, in_name);
if (tevent_req_nomem(fname, req)) {
@@ -916,13 +908,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
}
}
- if (svhdx != NULL) {
- /* SharedVHD is not yet supported */
- tevent_req_nterror(
- req, NT_STATUS_INVALID_DEVICE_REQUEST);
- return tevent_req_post(req, ev);
- }
-
/* these are ignored for SMB2 */
in_create_options &= ~(0x10);/* NTCREATEX_OPTIONS_SYNC_ALERT */
in_create_options &= ~(0x20);/* NTCREATEX_OPTIONS_ASYNC_ALERT */
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index 29831aa..d32a71e 100644
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -181,11 +181,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *
}
extra_data = talloc_asprintf_append_buffer(
- extra_data, "%s\\%s\\%s\n",
- trusts.array[i].netbios_name,
- trusts.array[i].dns_name,
- sid_string_talloc(state->mem_ctx,
- trusts.array[i].sid));
+ extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n",
+ trusts.array[i].netbios_name, trusts.array[i].dns_name,
+ sid_string_talloc(state->mem_ctx, trusts.array[i].sid),
+ trusts.array[i].trust_flags,
+ (uint32_t)trusts.array[i].trust_type,
+ trusts.array[i].trust_attributes);
}
/* add our primary domain */
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 57ee40c..23c32de 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -34,6 +34,10 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ struct winbindd_methods *methods);
+
extern struct winbindd_methods cache_methods;
/**
@@ -119,14 +123,40 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
If the domain already exists in the list,
return it and don't re-initialize. */
-static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
- struct winbindd_methods *methods,
- const struct dom_sid *sid)
+static struct winbindd_domain *
+add_trusted_domain(const char *domain_name, const char *alt_name,
+ struct winbindd_methods *methods, const struct dom_sid *sid)
+{
+ struct winbindd_tdc_domain tdc;
+
+ ZERO_STRUCT(tdc);
+
+ tdc.domain_name = domain_name;
+ tdc.dns_name = alt_name;
+ if (sid) {
+ sid_copy(&tdc.sid, sid);
+ }
+
+ return add_trusted_domain_from_tdc(&tdc, methods);
+}
+
+/* Add a trusted domain out of a trusted domain cache
+ entry
+*/
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ struct winbindd_methods *methods)
{
struct winbindd_domain *domain;
const char *alternative_name = NULL;
const char **ignored_domains, **dom;
int role = lp_server_role();
+ const char *domain_name = tdc->domain_name;
+ const struct dom_sid *sid = &tdc->sid;
+
+ if (is_null_sid(sid)) {
+ sid = NULL;
+ }
ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
for (dom=ignored_domains; dom && *dom; dom++) {
@@ -138,8 +168,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
/* use alt_name if available to allow DNS lookups */
- if (alt_name && *alt_name) {
- alternative_name = alt_name;
+ if (tdc->dns_name && *tdc->dns_name) {
+ alternative_name = tdc->dns_name;
}
/* We can't call domain_list() as this function is called from
@@ -151,8 +181,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
break;
}
- if (alternative_name && *alternative_name)
- {
+ if (alternative_name) {
if (strequal(alternative_name, domain->name) ||
strequal(alternative_name, domain->alt_name))
{
@@ -160,12 +189,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
}
}
- if (sid)
- {
- if (is_null_sid(sid)) {
- continue;
- }
-
+ if (sid != NULL) {
if (dom_sid_equal(sid, &domain->sid)) {
break;
}
@@ -219,13 +243,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
domain->internal = is_internal_domain(sid);
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
- domain->initialized = False;
+ domain->initialized = false;
domain->online = is_internal_domain(sid);
domain->check_online_timeout = 0;
domain->dc_probe_pid = (pid_t)-1;
- if (sid) {
+ if (sid != NULL) {
sid_copy(&domain->sid, sid);
}
+ domain->domain_flags = tdc->trust_flags;
+ domain->domain_type = tdc->trust_type;
+ domain->domain_trust_attribs = tdc->trust_attribs;
/* Is this our primary domain ? */
if (strequal(domain_name, get_global_sam_name()) &&
@@ -243,6 +270,10 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
if (lp_security() == SEC_ADS) {
domain->active_directory = true;
}
+ } else if (!domain->internal) {
+ if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
}
/* Link to domain list */
@@ -252,9 +283,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
setup_domain_child(domain);
- DEBUG(2,("Added domain %s %s %s\n",
- domain->name, domain->alt_name,
- &domain->sid?sid_string_dbg(&domain->sid):""));
+ DEBUG(2,
+ ("Added domain %s %s %s\n", domain->name, domain->alt_name,
+ !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
return domain;
}
@@ -312,24 +343,37 @@ static void trustdom_list_done(struct tevent_req *req)
struct winbindd_response *response;
int res, err;
char *p;
+ struct winbindd_tdc_domain trust_params = {0};
+ ptrdiff_t extra_len;
res = wb_domain_request_recv(req, state, &response, &err);
if ((res == -1) || (response->result != WINBINDD_OK)) {
- DEBUG(1, ("Could not receive trustdoms\n"));
+ DBG_WARNING("Could not receive trustdoms\n");
+ TALLOC_FREE(state);
+ return;
+ }
+
+ if (response->length < sizeof(struct winbindd_response)) {
+ DBG_ERR("ill-formed trustdom response - short length\n");
TALLOC_FREE(state);
return;
}
+ extra_len = response->length - sizeof(struct winbindd_response);
+
p = (char *)response->extra_data.data;
- while ((p != NULL) && (*p != '\0')) {
+ while ((p - (char *)response->extra_data.data) < extra_len) {
char *q, *sidstr, *alt_name;
- struct dom_sid sid;
- char *alternate_name = NULL;
+
+ DBG_DEBUG("parsing response line '%s'\n", p);
+
+ ZERO_STRUCT(trust_params);
+ trust_params.domain_name = p;
alt_name = strchr(p, '\\');
if (alt_name == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DBG_ERR("Got invalid trustdom response\n");
break;
}
@@ -338,26 +382,52 @@ static void trustdom_list_done(struct tevent_req *req)
sidstr = strchr(alt_name, '\\');
if (sidstr == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DBG_ERR("Got invalid trustdom response\n");
break;
}
*sidstr = '\0';
sidstr += 1;
- q = strchr(sidstr, '\n');
- if (q != NULL)
- *q = '\0';
+ /* use the real alt_name if we have one, else pass in NULL */
+ if (!strequal(alt_name, "(null)")) {
+ trust_params.dns_name = alt_name;
+ }
+
+ q = strtok(sidstr, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
- if (!string_to_sid(&sid, sidstr)) {
+ if (!string_to_sid(&trust_params.sid, sidstr)) {
DEBUG(0, ("Got invalid trustdom response\n"));
break;
}
- /* use the real alt_name if we have one, else pass in NULL */
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
+
+ trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
+
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
+
+ trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
+
+ q = strtok(NULL, "\n");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
- if ( !strequal( alt_name, "(null)" ) )
- alternate_name = alt_name;
+ trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
/*
* We always call add_trusted_domain() cause on an existing
@@ -365,13 +435,10 @@ static void trustdom_list_done(struct tevent_req *req)
* This is important because we need the SID for sibling
* domains.
*/
- (void)add_trusted_domain(p, alternate_name,
- &cache_methods,
- &sid);
+ (void)add_trusted_domain_from_tdc(&trust_params,
+ &cache_methods);
- p=q;
- if (p != NULL)
- p += 1;
+ p = q + strlen(q) + 1;
}
/*
@@ -438,10 +505,8 @@ static void rescan_forest_root_trusts( void )
d = find_domain_from_name_noinit( dom_list[i].domain_name );
if ( !d ) {
- d = add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
+ d = add_trusted_domain_from_tdc(&dom_list[i],
+ &cache_methods);
}
if (d == NULL) {
@@ -507,10 +572,8 @@ static void rescan_forest_trusts( void )
about it */
if ( !d ) {
- d = add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
+ d = add_trusted_domain_from_tdc(&dom_list[i],
+ &cache_methods);
}
if (d == NULL) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list