[SCM] Samba Shared Repository - branch v4-9-test updated
Karolin Seeger
kseeger at samba.org
Mon Aug 26 13:27:02 UTC 2019
The branch, v4-9-test has been updated
via dcff563d0ff vfs_glusterfs: Enable profiling for file system operations
via 0cb08a2309c vfs_gpfs: Implement special case for denying owner access to ACL
via fe990205ac8 vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
via bba26e385b3 docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
via b3560baaf99 vfs_gpfs: Remove merge_writeappend parameter
via 548cc5183e4 nfs4_acls: Use correct owner information for ACL after owner change
via c5d4691183f nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
via 1f10af9fb98 nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
via b4b61724550 nfs4_acls: Rename smbacl4_fill_ace4 function
via 657f79f8594 nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
via d297f347dd1 nfs4_acls: Remove redundant pointer variable
via 596a4e4d0a1 nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
via 7555f121757 nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
via 02a5fbd007a nfs4_acls: Move smbacl4_MergeIgnoreReject function
via 8c8f09c32f8 nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
via 966916dafec nfs4_acls: Add missing braces in smbacl4_win2nfs4
via ff1cee15494 nfs4_acls: Add helper function for checking INHERIT flags.
via 1026680518d nfs4_acls: Use correct type when checking ownerGID
via 2493a9f81b9 nfs4_acls: Use switch/case for checking idmap type
via d50b5fc5fc5 nfs4_acls: Use sids_to_unixids to lookup uid or gid
via 9ba27632b29 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
via 8ad87b9ab42 test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
via c5da1d665a9 test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
via f64276397e2 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
via 92d2e243c30 test_nfs4_acls: Add test for matching DACL entries for acedup
via 5b130cc4d10 test_nfs4_acls: Add test for acedup settings
via b21c3f38871 test_nfs4_acls: Add test for 'map full control' option
via 79f9a5013a6 test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
via e8f8c4c8257 test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
via f0581b94b24 test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
via f900a6e1252 test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
via c9650274538 test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
via f431a1b7de7 test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
via 0aadba938c9 test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
via d142e46acdf test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
via 7f1c567af71 test_nfs4_acls: Add tests for mapping of ACL types
via ee47f743a9b test_nfs4_acls: Add tests for mapping of empty ACLs
via c84bdb31826 selftest: Start implementing unit test for nfs4_acls
via 1db5a29088b nfs4_acls: Remove fsp from smbacl4_win2nfs4
via 0af50d85f6d Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
via d2b711ae9bf vfs: Use dom_sid_str_buf
via 1784a664892 Add PrimaryGroupId to group array in DC response
via c20f77fe0fb selftest: check for PrimaryGroupId in DC returned group array
via 1c43f6b1afb selftest: remote_pac: s/s2u4self/s4u2self/g
via 3aa131b5558 vfs:glusterfs_fuse: build only if we have setmntent()
via c7e98332192 vfs:glusterfs_fuse: ensure fileids are constant across nodes
from bf5ac945151 smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit dcff563d0ff3fd0e99c40a52da24c67ee022d1ae
Author: Anoop C S <anoopcs at redhat.com>
Date: Mon Aug 5 10:45:01 2019 +0530
vfs_glusterfs: Enable profiling for file system operations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093
Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Mon Aug 26 13:26:08 UTC 2019 on sn-devel-144
commit 0cb08a2309cf2a3410ca9c0aae9ae11769f71fd6
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 9 13:39:55 2019 -0700
vfs_gpfs: Implement special case for denying owner access to ACL
In GPFS, it is not possible to deny ACL or attribute access through a
SPECIAL_OWNER entry. The best that can be done is mapping this to a
named user entry, as this one can at least be stored in an ACL. The same
cannot be done for inheriting SPECIAL_OWNER entries, as these represent
CREATOR OWNER entries, and the limitation of not being able to deny
owner access to ACL or attributes remains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c1770ed96fd3137f45d584ba9328333d5505e3af)
commit fe990205ac8ce0edee4f94b632d0d7411805648c
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 9 13:08:35 2019 -0700
vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
This is not a functional change. It cleans up the code a bit and makes
expanding this codepath in a later patch easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit fbf3a090a9ec94262b2924461cc1d6336af9919c)
commit bba26e385b3e38152299fd221d6fb8665acddcdc
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jul 10 11:06:19 2019 -0700
docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8bd79ecc37376dbaa35606f9c2777653eb3d55e3)
commit b3560baaf99886fcd55c5a03489ca03d82573099
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 9 12:04:35 2019 -0700
vfs_gpfs: Remove merge_writeappend parameter
All supported GPFS versions now support setting WRITE and APPEND in the
ACLs independently. Remove this now unused parameter to simplify the
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0aca678fcf1788a76cf0ff11399211c795aa7d2f)
commit 548cc5183e471cb648ba7975e16f2a15ea78919e
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jul 17 15:29:06 2019 -0700
nfs4_acls: Use correct owner information for ACL after owner change
After a chown, the cached stat data is obviously no longer valid. The
code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
a local buffer for the stat data. So later checks of the stat buffer
under the fsp->fsp_name->st would still see the old information.
Fix this by removing the local stat buffer and always update the one
under fsp->fsp_name->st.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 86f7af84f04b06ed96b30f936ace92aa0937be06)
commit c5d4691183fc64c38462cff9b9d715e8eea2ff04
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jul 10 13:14:32 2019 -0700
nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
The previous patch introduced merging of duplicates on the mapping path
from NFS4 ACL entries to DACL entries. Add a testcase to verify the
expected behavior of this codepath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1a137a2f20c2f159c5feaef230a2b85bb9fb23b5)
commit 1f10af9fb98c4e6c8565fb46161acd643c42acee
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 15:08:11 2019 -0700
nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
mapping back to a DACL, there should be no additional entry. Add a loop
that will check and remove entries that are exact duplicates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9c88602128592ddad537bf70cbe3c51f0b2cebe5)
commit b4b61724550c2022ebb0e212aff4c844a2862f22
Author: Christof Schmitt <cs at samba.org>
Date: Thu Jul 18 11:49:29 2019 -0700
nfs4_acls: Rename smbacl4_fill_ace4 function
As this function now maps the ACE and also adds it to the NFSv4 ACE,
change the name to better describe its behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 169812943de23cf2752289c63331d786b0b063bd)
commit 657f79f859492be9f9b21481cb9326fc2c9914a7
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jul 17 10:49:47 2019 -0700
nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
In order to have the file system reflect the owner permissions in the
POSIX modebits, create a second entry for the user. This will be mapped
to the "special owner" entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b796119e2df38d1935064556934dd10da6f3d339)
commit d297f347dd15407cee0e2d18a27a54caaa4047ab
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 16 15:56:12 2019 -0700
nfs4_acls: Remove redundant pointer variable
The previous patch introduced a pointer to a local variable to reduce
the amount of lines changed. Remove that pointer and adjust all usage
accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit aa4644193635d846c2e08e8c1e7b512e8009c2ef)
commit 596a4e4d0a1769802f5e02016221df0185230f84
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 16 15:50:36 2019 -0700
nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
Logging flags in case they do not match seems unnecessary. Other log
messages should show the flags as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ab0003ffc098247c3ee3962d7061f2af5a2d00e)
commit 7555f12175773f95db1ecf26a842c629f73450b2
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 16 15:30:36 2019 -0700
nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit abb58b17599bd3f9a06037e208dcc5033c7fdd8b)
commit 02a5fbd007aa29834765c5d5a21fdb8ca493f552
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 16 15:20:25 2019 -0700
nfs4_acls: Move smbacl4_MergeIgnoreReject function
This static function will be called earlier in later patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3499d97463110f042415d917160bc2743805a544)
commit 8c8f09c32f80667286b3790feb5adf3dcf926581
Author: Christof Schmitt <cs at samba.org>
Date: Mon Jul 15 14:43:01 2019 -0700
nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
This is only used for logging of a rejected ACL, but does not provide
additional useful information. Remove it to simplify the function a bit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 44790721e4f2c6ee6f46de7ac88123ce1a9f6e39)
commit 966916dafec9b3e4aacd042dec2c36fd5cec3f53
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 13:20:44 2019 -0700
nfs4_acls: Add missing braces in smbacl4_win2nfs4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ba73d2363d93a376ba4947963c9de45a7e683f02)
commit ff1cee15494121bd41c69dd9c02086660e25f160
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jun 26 13:20:17 2019 -0700
nfs4_acls: Add helper function for checking INHERIT flags.
This avoids some code duplication. Do not make this static, as it will
be used in a later patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmit <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 336e8668c1cc3682cb3c198eb6dc49baf522a79a)
commit 1026680518de4cf66f7c202536d0e555ec608e1d
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jun 25 15:21:06 2019 -0700
nfs4_acls: Use correct type when checking ownerGID
uid and gid are members of the same union so this makes no difference,
but for type correctness and readability use the gid to check for
ownerGID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3b3d722ce579c19c7b08d06a3adea275537545dc)
commit 2493a9f81b92df55c5e4c4f71c3635e3fedd445e
Author: Christof Schmitt <cs at samba.org>
Date: Mon Jul 15 13:15:32 2019 -0700
nfs4_acls: Use switch/case for checking idmap type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f198a0867e71f248d4887ab0b6f2832123b16d11)
commit d50b5fc5fc5bbcd4ad88b3f0efdedf1fc106f682
Author: Christof Schmitt <cs at samba.org>
Date: Wed Jun 26 13:24:16 2019 -0700
nfs4_acls: Use sids_to_unixids to lookup uid or gid
This is the newer API to lookup id mappings and will make it easier to
add to the IDMAP_TYPE_BOTH case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d9a2ff559e1ad953141b1118a9e370496f1f61fa)
commit 9ba27632b29f843a2bd0a8663ee6256a17a6e89d
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 13:04:44 2019 -0700
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that it should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from DACLs to NFSv4 ACL
entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 38331b00521ef764893a74add01758f14567d901)
commit 8ad87b9ab4279173f487c1aeb0e4d8c990845fba
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:50:42 2019 -0700
test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that it should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from NFSv4 ACL entries to
DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 86480410aec1d2331c65826a13f909492165a291)
commit c5da1d665a9022e57b859cbb1ad6652fac481329
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:23:02 2019 -0700
test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the
DACL in the security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 829c5ea99685c0629fd67ed0528897534ff35b36)
commit f64276397e2c7307048bc2f76a771468ab8c7079
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:16:08 2019 -0700
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the DACL in the
security descriptor to the NFSv4 ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ae06d96eb59722154d30e21949f9dba4f2f0bc6)
commit 92d2e243c308e8417ac76661d1351eafbd782fb8
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:09:04 2019 -0700
test_nfs4_acls: Add test for matching DACL entries for acedup
The NFSv4 mapping code has a config option nfs4:acedup for the mapping
path from DACLs to NFSv4 ACLs. Part of this codepath is detecting
duplicate ACL entries. Add a testcase with different ACL entries and
verify that only exactly matching entries are detected as duplicates and
treated accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f55cdf42a14f314102f2e13cb06d4db48c08ad4b)
commit 5b130cc4d10c50fbdb088bead23c89938991d1b4
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:07:36 2019 -0700
test_nfs4_acls: Add test for acedup settings
The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the
setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries
are either merged, ignored or rejected. Add a testcase that has
duplicate ACL entries and verify the expected behavior for all possible
settings of the nfs4:acedup option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9671bf2b9f055012057620207624aa2f4ea6833e)
commit b21c3f388711628ef4ba5b85c6913bafa3a7de89
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 12:02:58 2019 -0700
test_nfs4_acls: Add test for 'map full control' option
"map full control" when enabled adds the DELETE_CHILD permission, when
all other permissions are present. This allows Windows clients to
display the "FULL CONTROL" permissions.
Add a testcase that verifies this mapping when mapping from NFSv4 ACL to
the DACL in the security descriptor. Also verify that switching the
option off disables this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 30677df4dac4ebfcf4e3198db33f14be37948197)
commit 79f9a5013a6eda4991221400ccbc8911b7787fba
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:57:45 2019 -0700
test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
Add testcase for mapping from NFSv4 ACL entries for "special owner" and
"special group" to DACL entries in the security descriptor. Each NFSv4
entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR
GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR
entry and an additional explicit entry granting permission on the
current object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1)
commit e8f8c4c8257025ea639e31b04d1deaebb34e029e
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:55:59 2019 -0700
test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
with inheritance flag in the security descriptor to NFSv4 "special
owner" and "special group" entries. This is the correct mapping for
these entries as inheriting "special owner" and "special group" grants
permissions to the actual owner and owning group of the new file or
directory, similar to what CREATOR entries do.
The other side is that CREATOR entries without any inheritance flags do
not make sense, so these are not mapped to NFSv4 ACL entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)
commit f0581b94b24f2ba615593bfc046b705c99357007
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:53:15 2019 -0700
test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
Add testcase for mapping from entries in the DACL security descriptor to
"special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
ignored, as there is no meaningful mapping for this entry. Verify that
SID entries matching the owner or group are mapped to "special owner"
or "special group", but only if no inheritance flags are used. "special
owner" and "special group" with inheritance flags have the meaning of
CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1f1fa5bde2c76636c1beec39c21067b252ea10be)
commit f900a6e12523a3fc28c10e5ac637ed7f4aeeaba1
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:46:23 2019 -0700
test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
In addition to entries for users and groups, NFSv4 ACLs have the concept
of entries for "special" entries. Only the "owner", "group" and
"everyone" entries are currently used in the ACL mapping.
Add a testcase that verifies the mapping from NFSv4 "special" entries to
the DACL in the security descriptor. Verify that only "owner", "group"
and "everyone" are mapped and all other "special" entries are ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f86148948c7f89307a34e31f6ddede6923149d34)
commit c9650274538985b55a535021e94dd20a429abc21
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:35:34 2019 -0700
test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
Add testcase for mapping the permission flags from the DACL in the
Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as
the same permission bits exist for Security Descriptors and NFSv4 ACLs.
In addition, the code also maps from the generic DACL permissions to a
set of NFSv4 permissions, also verify this mapping.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e4840e680744bd860beedeb5123704c3c0d6a4d7)
commit f431a1b7de7b044ed550c35f30e0a8646eed25d5
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:33:29 2019 -0700
test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
Add testcase for mapping permissions from the NFSv4 ACL to DACL in the
security descriptor. The mapping is simple as each permission bit exists
on both sides.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6)
commit 0aadba938c9f2f60e6d625b2e5c15e3b33105105
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:30:12 2019 -0700
test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
Add testcase for the mapping of inheritance flags from the DACL in the
security descriptor to the NFSv4 ACL. The mapping is different for files
and directories as some inheritance flags should not be present for
files. Also other flags are not mapped at all, verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bccd2612761e26ee2514935d56927b2c0c000859)
commit d142e46acdf80a631d1648719c28dd5f8a2a3f16
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:28:31 2019 -0700
test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
Add testcase for the mapping of inheritance flags when mapping from a
NFSv4 ACL to a DACL in the security descriptor. The mapping is different
between files and directories, as some inheritance flags should never be
present for files. Some defined flags like SUCCESSFUL_ACCESS are also
not mapped at this point, also verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 16eb61a900c6749c2554d635ce2dd903f5de1704)
commit 7f1c567af71a03ebd4dde8c5b071bb96c71cf678
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:25:33 2019 -0700
test_nfs4_acls: Add tests for mapping of ACL types
Add testcases for mapping the type field (ALLOW or DENY) between NFSv4
ACLs and security descriptors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit dd5934797526ebb4c6f3027a809401dad3abf701)
commit ee47f743a9b8f51e418bed5367e5725de011dbe3
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:23:40 2019 -0700
test_nfs4_acls: Add tests for mapping of empty ACLs
This is a fairly simple test that ensures the mapping of empty ACLs
(without any ACL entries) is always done the same way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 00f494b25f4e1d1aecf6191523e30f20a90b1e4f)
commit c84bdb31826596542799579907345925abff3f27
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 2 11:22:13 2019 -0700
selftest: Start implementing unit test for nfs4_acls
Existing smbtorture tests set and query ACLs through SMB, only working
with the DACLs in the Security Descriptors, but never check the NFSv4
ACL representation. This patch introduces a unit test to verify the
mapping between Security Descriptors and NFSv4 ACLs. As the
mapping code queries id mappings, the id mapping cache is first primed
with the mappings used by the tests and those mappings are removed again
during teardown.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8fb906a1860452a320c79ac87917a97303729c19)
commit 1db5a29088b09b86cc7be37bf2e7080c239f0544
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jun 11 16:15:10 2019 -0700
nfs4_acls: Remove fsp from smbacl4_win2nfs4
Only the information whether the ACL is for a file or a directory is
required. Replacing the fsp with a flag is clearer and allows for unit
testing of the mapping functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a06486bb110d04a90b66a0bca4b1b600ef3c0ebf)
commit 0af50d85f6dd20324cf3a3f75a01a5bcd0c8c715
Author: Christof Schmitt <cs at samba.org>
Date: Fri Jun 7 12:55:32 2019 -0700
Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
This reverts commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.
That patch broke the case with ID_TYPE_BOTH where a file is owned by a
group (e.g. using autorid and having a file owned by
BUILTIN\Administrators). In this case, the ACE entry for the group gets
mapped to a user ACL entry and the group no longer has access (as in
the user's token the group is not mapped to a uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 42bd3a72a2525aa8a918f4bf7067b30ce8e0e197)
commit d2b711ae9bfa83a1f30cc9ca85d8c9cd33e565e4
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 11 17:17:46 2018 +0100
vfs: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 59f29acb2cd947d2f594a5af3d73d0cbe8298d92)
commit 1784a6648924b4a7274f249133ca1b1530ad5b07
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Apr 3 19:45:02 2019 +0300
Add PrimaryGroupId to group array in DC response
This is a simplified version of the original patch by:
Felix Botner <botner at univention.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
(cherry picked from commit 2ae75184fcb5dc90602aeef113d4c13540073324)
commit c20f77fe0fb9625072a4866a16a9e6a7138a94a4
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri May 31 17:22:50 2019 +0300
selftest: check for PrimaryGroupId in DC returned group array
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)
commit 1c43f6b1afbf40e5a3172be30152c0a6881895dc
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri May 31 20:02:30 2019 +0300
selftest: remote_pac: s/s2u4self/s4u2self/g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 60afe949c3e664f81c9b0db9c54f701aa2874a5e)
commit 3aa131b55589c0b3327d70cae8c038bf72d20f27
Author: Michael Adam <obnox at samba.org>
Date: Thu Aug 1 00:47:29 2019 +0200
vfs:glusterfs_fuse: build only if we have setmntent()
FreeBSD and other platforms that don't have setmntent() and friends can
not compile this module. This patch changes the build to only
compile this module if the setmntent() function is found.
This is a follow-up fix to the actual fix for bug #13972.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184
commit c7e983321921e4b39e3e63d2a89112ab35263092
Author: Michael Adam <obnox at samba.org>
Date: Sat May 18 11:28:54 2019 +0200
vfs:glusterfs_fuse: ensure fileids are constant across nodes
Instead of adding a new gluster-specific mode to the fileid module,
this patch provides a fileid algorithm as part of the glusterfs_fuse
vfs module. This can not be configured further, simply adding the
glusterfs_fuse vfs module to the vfs objects configuration will enable
the new fileid mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
auth/auth_sam_reply.c | 8 +-
docs-xml/manpages/vfs_glusterfs_fuse.8.xml | 8 +
docs-xml/manpages/vfs_gpfs.8.xml | 20 -
source3/modules/nfs4_acls.c | 365 ++++--
source3/modules/nfs4_acls.h | 2 +
source3/modules/test_nfs4_acls.c | 1898 ++++++++++++++++++++++++++++
source3/modules/vfs_afsacl.c | 6 +-
source3/modules/vfs_default.c | 6 +-
source3/modules/vfs_glusterfs.c | 344 ++++-
source3/modules/vfs_glusterfs_fuse.c | 193 ++-
source3/modules/vfs_gpfs.c | 121 +-
source3/modules/wscript_build | 5 +
source3/selftest/tests.py | 4 +
source3/wscript | 4 +-
source4/torture/rpc/remote_pac.c | 114 +-
15 files changed, 2797 insertions(+), 301 deletions(-)
create mode 100644 source3/modules/test_nfs4_acls.c
Changeset truncated at 500 lines:
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index bd695151dc0..b5b6362dc93 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -89,7 +89,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
sam->groups.count = 0;
sam->groups.rids = NULL;
- if (user_info_dc->num_sids > 2) {
+ if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
size_t i;
sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
user_info_dc->num_sids);
@@ -97,7 +97,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
if (sam->groups.rids == NULL)
return NT_STATUS_NO_MEMORY;
- for (i=2; i<user_info_dc->num_sids; i++) {
+ for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
struct dom_sid *group_sid = &user_info_dc->sids[i];
if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
/* We handle this elsewhere */
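Review bot: the loop start in this hunk changes from the literal 2 to PRIMARY_GROUP_SID_INDEX, but nothing visible here states the macro's value or that the primary group SID is now meant to land in sam->groups.rids. A short comment above the loop saying the primary group is deliberately included (the commit subject is "Add PrimaryGroupId to group array in DC response") would stop a later reader from changing the index back. Note that the entry is still subject to the dom_sid_in_domain() check on sam->domain_sid like every other group SID.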
@@ -451,6 +451,10 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
}
for (i = 0; i < base->groups.count; i++) {
+ /* Skip primary group, already added above */
+ if (base->groups.rids[i].rid == base->primary_gid) {
+ continue;
+ }
user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
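Review bot: the new skip at the top of the loop compares only the RID against base->primary_gid and relies on the primary group having been "already added above", which is outside this hunk. Because skipped entries no longer advance user_info_dc->num_sids, it is worth confirming that the sids array is still sized from base->groups.count, so that it can only be over-allocated and never short. A selftest case where groups.rids does not contain the primary group would show that the result is unchanged for such responses.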
diff --git a/docs-xml/manpages/vfs_glusterfs_fuse.8.xml b/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
index b9f7f42c6f2..f2aa624353e 100644
--- a/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
+++ b/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
@@ -48,6 +48,14 @@
case of an exisiting filename.
</para>
+ <para>
+ Furthermore, this module implements a substitute file-id
+ mechanism. The default file-id mechanism is not working
+ correctly for gluster fuse mount re-exports, so in order to
+ avoid data loss, users exporting gluster fuse mounts with
+ Samba should enable this module.
+ </para>
+
<para>
This module can be combined with other modules, but it
should be the last module in the <command>vfs objects</command>
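Review bot: the added paragraph says the default file-id mechanism "is not working correctly" without naming the failure, while the commit message is more precise (file IDs must be constant across nodes). Suggest stating that here, and adding that the substitute file-id mode is enabled simply by listing the module in vfs objects and has no parameters of its own, as the commit message says, so administrators do not go looking for a setting.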
diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index 428f48a6bf0..f854d8900b2 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -204,26 +204,6 @@
</varlistentry>
<varlistentry>
- <term>gpfs:merge_writeappend = [ yes | no ]</term>
- <listitem>
- <para>
- GPFS ACLs doesn't know about the 'APPEND' right.
- This option lets Samba map the 'APPEND' right to 'WRITE'.
- </para>
-
- <itemizedlist>
- <listitem><para>
- <command>yes(default)</command> - map 'APPEND' to 'WRITE'.
- </para></listitem>
- <listitem><para>
- <command>no</command> - do not map 'APPEND' to 'WRITE'.
- </para></listitem>
- </itemizedlist>
- </listitem>
-
- </varlistentry>
- <varlistentry>
-
<term>gpfs:acl = [ yes | no ]</term>
<listitem>
<para>
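Review bot: the gpfs:merge_writeappend entry is deleted with no replacement text, so the manpage no longer says how the 'APPEND' right is handled on GPFS or what happens to an existing smb.conf that sets the option to no. Since this affects how an access right is mapped into the stored ACL, a sentence stating the now-fixed behaviour, or a release-note entry, should accompany the removal.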
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 19f0fefdb98..eb76696948b 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -21,6 +21,7 @@
#include "smbd/smbd.h"
#include "nfs4_acls.h"
#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/idmap.h"
#include "../libcli/security/dom_sid.h"
#include "../libcli/security/security.h"
#include "dbwrap/dbwrap.h"
@@ -254,6 +255,13 @@ bool smbacl4_set_controlflags(struct SMB4ACL_T *acl, uint16_t controlflags)
return true;
}
+bool nfs_ace_is_inherit(SMB_ACE4PROP_T *ace)
+{
+ return ace->aceFlags & (SMB_ACE4_INHERIT_ONLY_ACE|
+ SMB_ACE4_FILE_INHERIT_ACE|
+ SMB_ACE4_DIRECTORY_INHERIT_ACE);
+}
+
static int smbacl4_GetFileOwner(struct connection_struct *conn,
const struct smb_filename *smb_fname,
SMB_STRUCT_STAT *psbuf)
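Review bot: nfs_ace_is_inherit() returns the raw result of a bitwise AND from a function declared bool, and takes a non-const pointer although it only reads aceFlags. As this is a non-static helper, suggest declaring the parameter as const SMB_ACE4PROP_T *ace and writing the test with an explicit != 0, plus a one-line comment that SMB_ACE4_NO_PROPAGATE_INHERIT_ACE is intentionally not part of the mask.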
@@ -289,6 +297,35 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
return 0;
}
+static void check_for_duplicate_sec_ace(struct security_ace *nt_ace_list,
+ int *good_aces)
+{
+ struct security_ace *last = NULL;
+ int i;
+
+ if (*good_aces < 2) {
+ return;
+ }
+
+ last = &nt_ace_list[(*good_aces) - 1];
+
+ for (i = 0; i < (*good_aces) - 1; i++) {
+ struct security_ace *cur = &nt_ace_list[i];
+
+ if (cur->type == last->type &&
+ cur->flags == last->flags &&
+ cur->access_mask == last->access_mask &&
+ dom_sid_equal(&cur->trustee, &last->trustee))
+ {
+ struct dom_sid_buf sid_buf;
+
+ DBG_INFO("Removing duplicate entry for SID %s.\n",
+ dom_sid_str_buf(&last->trustee, &sid_buf));
+ (*good_aces)--;
+ }
+ }
+}
+
static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
const struct smbacl4_vfs_params *params,
struct SMB4ACL_T *acl, /* in */
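Review bot: in check_for_duplicate_sec_ace() the loop keeps running after (*good_aces)--, with last still pointing at the slot that was just dropped. If a second earlier entry also equals it, the count is decremented again and a distinct ACE is lost from the end of the list. A break after the decrement makes the "drop at most the last entry" intent explicit and does not depend on the list having been duplicate-free before the call.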
@@ -317,6 +354,7 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
for (aceint = acl->first; aceint != NULL; aceint = aceint->next) {
uint32_t mask;
struct dom_sid sid;
+ struct dom_sid_buf buf;
SMB_ACE4PROP_T *ace = &aceint->prop;
uint32_t win_ace_flags;
@@ -349,7 +387,7 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
}
}
DEBUG(10, ("mapped %d to %s\n", ace->who.id,
- sid_string_dbg(&sid)));
+ dom_sid_str_buf(&sid, &buf)));
if (!is_directory && params->map_full_control) {
/*
@@ -429,6 +467,8 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
ace->aceType, mask,
win_ace_flags);
}
+
+ check_for_duplicate_sec_ace(nt_ace_list, &good_aces);
}
nt_ace_list = talloc_realloc(mem_ctx, nt_ace_list, struct security_ace,
@@ -645,139 +685,191 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
return NULL;
}
+static int smbacl4_MergeIgnoreReject(enum smbacl4_acedup_enum acedup,
+ struct SMB4ACL_T *theacl,
+ SMB_ACE4PROP_T *ace,
+ bool *paddNewACE)
+{
+ int result = 0;
+ SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace);
+ if (ace4found)
+ {
+ switch(acedup)
+ {
+ case e_merge: /* "merge" flags */
+ *paddNewACE = false;
+ ace4found->aceFlags |= ace->aceFlags;
+ ace4found->aceMask |= ace->aceMask;
+ break;
+ case e_ignore: /* leave out this record */
+ *paddNewACE = false;
+ break;
+ case e_reject: /* do an error */
+ DBG_INFO("ACL rejected by duplicate nt ace.\n");
+ errno = EINVAL; /* SHOULD be set on any _real_ error */
+ result = -1;
+ break;
+ default:
+ break;
+ }
+ }
+ return result;
+}
-static bool smbacl4_fill_ace4(
- const struct smb_filename *filename,
- const struct smbacl4_vfs_params *params,
- uid_t ownerUID,
- gid_t ownerGID,
- const struct security_ace *ace_nt, /* input */
- SMB_ACE4PROP_T *ace_v4 /* output */
-)
+static int nfs4_acl_add_ace(enum smbacl4_acedup_enum acedup,
+ struct SMB4ACL_T *nfs4_acl,
+ SMB_ACE4PROP_T *nfs4_ace)
{
- DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee)));
+ bool add_ace = true;
+
+ if (acedup != e_dontcare) {
+ int ret;
+
+ ret = smbacl4_MergeIgnoreReject(acedup, nfs4_acl,
+ nfs4_ace, &add_ace);
+ if (ret == -1) {
+ return -1;
+ }
+ }
- ZERO_STRUCTP(ace_v4);
+ if (add_ace) {
+ smb_add_ace4(nfs4_acl, nfs4_ace);
+ }
+
+ return 0;
+}
+
+static int nfs4_acl_add_sec_ace(bool is_directory,
+ const struct smbacl4_vfs_params *params,
+ uid_t ownerUID,
+ gid_t ownerGID,
+ const struct security_ace *ace_nt,
+ struct SMB4ACL_T *nfs4_acl)
+{
+ struct dom_sid_buf buf;
+ SMB_ACE4PROP_T nfs4_ace = { 0 };
+ SMB_ACE4PROP_T nfs4_ace_2 = { 0 };
+ bool add_ace2 = false;
+ int ret;
+
+ DEBUG(10, ("got ace for %s\n",
+ dom_sid_str_buf(&ace_nt->trustee, &buf)));
/* only ACCESS|DENY supported right now */
- ace_v4->aceType = ace_nt->type;
+ nfs4_ace.aceType = ace_nt->type;
- ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(
- ace_nt->flags);
+ nfs4_ace.aceFlags =
+ map_windows_ace_flags_to_nfs4_ace_flags(ace_nt->flags);
/* remove inheritance flags on files */
- if (VALID_STAT(filename->st) &&
- !S_ISDIR(filename->st.st_ex_mode)) {
+ if (!is_directory) {
DEBUG(10, ("Removing inheritance flags from a file\n"));
- ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE|
- SMB_ACE4_DIRECTORY_INHERIT_ACE|
- SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
- SMB_ACE4_INHERIT_ONLY_ACE);
+ nfs4_ace.aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE|
+ SMB_ACE4_DIRECTORY_INHERIT_ACE|
+ SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
+ SMB_ACE4_INHERIT_ONLY_ACE);
}
- ace_v4->aceMask = ace_nt->access_mask &
- (SEC_STD_ALL | SEC_FILE_ALL);
+ nfs4_ace.aceMask = ace_nt->access_mask & (SEC_STD_ALL | SEC_FILE_ALL);
- se_map_generic(&ace_v4->aceMask, &file_generic_mapping);
-
- if (ace_v4->aceFlags!=ace_nt->flags)
- DEBUG(9, ("ace_v4->aceFlags(0x%x)!=ace_nt->flags(0x%x)\n",
- ace_v4->aceFlags, ace_nt->flags));
-
- if (ace_v4->aceMask!=ace_nt->access_mask)
- DEBUG(9, ("ace_v4->aceMask(0x%x)!=ace_nt->access_mask(0x%x)\n",
- ace_v4->aceMask, ace_nt->access_mask));
+ se_map_generic(&nfs4_ace.aceMask, &file_generic_mapping);
if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
- ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
+ nfs4_ace.who.special_id = SMB_ACE4_WHO_EVERYONE;
+ nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL;
} else if (params->mode!=e_special &&
dom_sid_equal(&ace_nt->trustee,
&global_sid_Creator_Owner)) {
DEBUG(10, ("Map creator owner\n"));
- ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
+ nfs4_ace.who.special_id = SMB_ACE4_WHO_OWNER;
+ nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL;
/* A non inheriting creator owner entry has no effect. */
- ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
- if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
- && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
- return false;
+ nfs4_ace.aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
+ if (!(nfs4_ace.aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
+ && !(nfs4_ace.aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
+ return 0;
}
} else if (params->mode!=e_special &&
dom_sid_equal(&ace_nt->trustee,
&global_sid_Creator_Group)) {
DEBUG(10, ("Map creator owner group\n"));
- ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
+ nfs4_ace.who.special_id = SMB_ACE4_WHO_GROUP;
+ nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL;
/* A non inheriting creator group entry has no effect. */
- ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
- if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
- && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
- return false;
+ nfs4_ace.aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
+ if (!(nfs4_ace.aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
+ && !(nfs4_ace.aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
+ return 0;
}
} else {
- uid_t uid;
- gid_t gid;
-
- /*
- * ID_TYPE_BOTH returns both uid and gid. Explicitly
- * check for ownerUID to allow the mapping of the
- * owner to a special entry in this idmap config.
- */
- if (sid_to_uid(&ace_nt->trustee, &uid) && uid == ownerUID) {
- ace_v4->who.uid = uid;
- } else if (sid_to_gid(&ace_nt->trustee, &gid)) {
- ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
- ace_v4->who.gid = gid;
- } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
- ace_v4->who.uid = uid;
- } else if (dom_sid_compare_domain(&ace_nt->trustee,
- &global_sid_Unix_NFS) == 0) {
- return false;
- } else {
- DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
- "convert %s to uid or gid\n",
- filename->base_name,
- sid_string_dbg(&ace_nt->trustee)));
- return false;
+ struct unixid unixid;
+ bool ok;
+
+ ok = sids_to_unixids(&ace_nt->trustee, 1, &unixid);
+ if (!ok) {
+ DBG_WARNING("Could not convert %s to uid or gid.\n",
+ dom_sid_str_buf(&ace_nt->trustee, &buf));
+ return 0;
}
- }
- return true; /* OK */
-}
+ if (dom_sid_compare_domain(&ace_nt->trustee,
+ &global_sid_Unix_NFS) == 0) {
+ return 0;
+ }
-static int smbacl4_MergeIgnoreReject(
- enum smbacl4_acedup_enum acedup,
- struct SMB4ACL_T *theacl, /* may modify it */
- SMB_ACE4PROP_T *ace, /* the "new" ACE */
- bool *paddNewACE,
- int i
-)
-{
- int result = 0;
- SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace);
- if (ace4found)
- {
- switch(acedup)
- {
- case e_merge: /* "merge" flags */
- *paddNewACE = false;
- ace4found->aceFlags |= ace->aceFlags;
- ace4found->aceMask |= ace->aceMask;
+ switch (unixid.type) {
+ case ID_TYPE_BOTH:
+ nfs4_ace.aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
+ nfs4_ace.who.gid = unixid.id;
+
+ if (ownerUID == unixid.id &&
+ !nfs_ace_is_inherit(&nfs4_ace))
+ {
+ /*
+ * IDMAP_TYPE_BOTH for owner. Add
+ * additional user entry, which can be
+ * mapped to special:owner to reflect
+ * the permissions in the modebits.
+ *
+ * This only applies to non-inheriting
+ * entries as only these are replaced
+ * with SPECIAL_OWNER in nfs4:mode=simple.
+ */
+ nfs4_ace_2 = (SMB_ACE4PROP_T) {
+ .who.uid = unixid.id,
+ .aceFlags = (nfs4_ace.aceFlags &
+ ~SMB_ACE4_IDENTIFIER_GROUP),
+ .aceMask = nfs4_ace.aceMask,
+ .aceType = nfs4_ace.aceType,
+ };
+ add_ace2 = true;
+ }
break;
- case e_ignore: /* leave out this record */
- *paddNewACE = false;
+ case ID_TYPE_GID:
+ nfs4_ace.aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
+ nfs4_ace.who.gid = unixid.id;
break;
- case e_reject: /* do an error */
- DEBUG(8, ("ACL rejected by duplicate nt ace#%d\n", i));
- errno = EINVAL; /* SHOULD be set on any _real_ error */
- result = -1;
+ case ID_TYPE_UID:
+ nfs4_ace.who.uid = unixid.id;
break;
+ case ID_TYPE_NOT_SPECIFIED:
default:
- break;
+ DBG_WARNING("Could not convert %s to uid or gid.\n",
+ dom_sid_str_buf(&ace_nt->trustee, &buf));
+ return 0;
}
}
- return result;
+
+ ret = nfs4_acl_add_ace(params->acedup, nfs4_acl, &nfs4_ace);
+ if (ret != 0) {
+ return -1;
+ }
+
+ if (!add_ace2) {
+ return 0;
+ }
+
+ return nfs4_acl_add_ace(params->acedup, nfs4_acl, &nfs4_ace_2);
}
static int smbacl4_substitute_special(
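Review bot: nfs4_acl_add_sec_ace() returns 0 both when the ACE was added and when the trustee could not be mapped (the !ok branch after sids_to_unixids() and the default: case of the switch), so the caller cannot tell that an entry was dropped from the resulting NFSv4 ACL. The ACE type is copied straight from ace_nt->type, so for a DENY entry this leaves the stored ACL more permissive than the one requested; consider a distinct return value, or document the choice in a comment. Two smaller points in the same function: the new DBG_WARNING no longer includes the file name that the old DEBUG(1) message printed, and the global_sid_Unix_NFS check now runs after the lookup, so those SIDs can log a warning before being ignored.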
@@ -834,9 +926,7 @@ static int smbacl4_substitute_simple(
if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
!(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) &&
ace->who.uid == ownerUID &&
- !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
- !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
- !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
+ !nfs_ace_is_inherit(ace)) {
ace->flags |= SMB_ACE4_ID_SPECIAL;
ace->who.special_id = SMB_ACE4_WHO_OWNER;
DEBUG(10,("replaced with special owner ace\n"));
@@ -844,10 +934,8 @@ static int smbacl4_substitute_simple(
if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP &&
- ace->who.uid == ownerGID &&
- !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
- !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
- !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
+ ace->who.gid == ownerGID &&
+ !nfs_ace_is_inherit(ace)) {
ace->flags |= SMB_ACE4_ID_SPECIAL;
ace->who.special_id = SMB_ACE4_WHO_GROUP;
DEBUG(10,("replaced with special group ace\n"));
@@ -858,7 +946,7 @@ static int smbacl4_substitute_simple(
static struct SMB4ACL_T *smbacl4_win2nfs4(
TALLOC_CTX *mem_ctx,
- const files_struct *fsp,
+ bool is_directory,
const struct security_acl *dacl,
const struct smbacl4_vfs_params *pparams,
uid_t ownerUID,
@@ -867,7 +955,6 @@ static struct SMB4ACL_T *smbacl4_win2nfs4(
{
struct SMB4ACL_T *theacl;
uint32_t i;
- const char *filename = fsp->fsp_name->base_name;
DEBUG(10, ("smbacl4_win2nfs4 invoked\n"));
--
Samba Shared Repository