Alexander Bokovoy [Sat, 8 Dec 2012 15:57:20 +0000 (17:57 +0200)]
wafsamba: replace try:except: case with explicit comment about FIPS mode
Since exceptions will be caught by outer try:except: pair anyway, mark
the test of MD5 code by the comment that explains why we need to really
test it.
Do it for both hashlib.md5 and md5 modules.
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Dec 8 18:41:07 CET 2012 on sn-devel-104
Alexander Bokovoy [Fri, 7 Dec 2012 15:36:02 +0000 (17:36 +0200)]
wafsamba: Make sure md5 really works before using it or overriding the hash function
In FIPS mode importing md5 Python module will not cause any error but calling md5.md5()
function will throw ValueError since md5 is not available.
Make sure md5.md5() actually works and if not, fall back to use hash replacement that
we already have in wafsamba.
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Dec 8 13:30:07 CET 2012 on sn-devel-104
Ricky Nance [Sat, 8 Dec 2012 00:43:16 +0000 (18:43 -0600)]
samba-tool processes: Make the output a bit neater
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sat Dec 8 03:34:29 CET 2012 on sn-devel-104
Andreas Schneider [Thu, 6 Dec 2012 13:31:45 +0000 (14:31 +0100)]
winbind: Make the code more readable in trustdom_list_done().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Fri Dec 7 22:38:43 CET 2012 on sn-devel-104
Tsukasa Hamano [Thu, 6 Dec 2012 21:01:33 +0000 (13:01 -0800)]
Fix bug #9471 - SEGV when using second vfs module.
Don't use default_classname_table when we obviously should be using
classname_table.
Reviewed by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Dec 7 17:51:50 CET 2012 on sn-devel-104
Stefan Metzmacher [Fri, 7 Dec 2012 12:56:21 +0000 (12:56 +0000)]
s4:dsdb/descriptor: fix replication of NC heads
The sub NC heads may be replicated with the parent partition,
if we don't need to recalculate the nTSecurityDescriptor attribute in that
case, the replication of the sub partition should handle that.
This fixes error messages like this:
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 12:39:31 +0000 (13:39 +0100)]
s4:dsdb/acl_read: improve debugging for fatal error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 10:02:49 +0000 (11:02 +0100)]
s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
Some modules might not allocate values on the correct memory context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 10:08:14 +0000 (10:08 +0000)]
s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
We should keep the talloc hierarchy sane.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 09:34:58 +0000 (10:34 +0100)]
s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
We should always update the ts_last_change.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Thu, 6 Dec 2012 14:51:55 +0000 (15:51 +0100)]
s3: Fix clear_if_first for the async echo handler
A worker smbd is not as long-lived as the main smbd, but as the async
echo handler exits when the worker smbd does, passing "true" here is the
right thing to do and fixes our clear_if_first handling when the async
echo handler is active.
Reviewed-by: Christian Ambach <ambi@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Fri Dec 7 11:29:36 CET 2012 on sn-devel-104
Stefan Metzmacher [Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)]
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 6 05:11:43 CET 2012 on sn-devel-104
Andrew Bartlett [Wed, 5 Dec 2012 01:52:22 +0000 (12:52 +1100)]
build: Install .po files for SWAT intl support
Andrew Bartlett [Tue, 4 Dec 2012 23:35:50 +0000 (10:35 +1100)]
scripting: Handle missing LDAP entries in samba-tool domain classicupgrade
Reported-by: Thomas Simmons <twsnnva@gmail.com>
Scott Lovenberg [Tue, 4 Dec 2012 14:15:38 +0000 (09:15 -0500)]
Clean up client timeout definitions [rev. 2]
The definitions for default client timeout values have been moved to client.h. When initializing a client struct we use this value instead of the old hardcoded value. The timeout value remains 20 seconds.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 6 03:25:58 CET 2012 on sn-devel-104
Michael Adam [Tue, 4 Dec 2012 15:26:36 +0000 (16:26 +0100)]
s3:smbd: fix a cut and paste error in a debug message
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 4 Dec 2012 23:47:06 +0000 (15:47 -0800)]
Documentation fixes for bug #9462 - Users can not be given write permissions any more by default
Ensure we don't apply the masks + force modes on security setting
changes, only on create.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Wed, 5 Dec 2012 14:04:01 +0000 (15:04 +0100)]
s3:smbd: don't apply create/directory mask and modes in apply_default_perms()
The mask/mode parameters should only apply to a situation with only
pure posix permissions.
Once we are dealing with ACLs and inheritance, we need to do it correctly.
This fixes bug #9462: Users can not be given write permissions any more by default
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
Richard Sharpe [Wed, 5 Dec 2012 01:21:29 +0000 (17:21 -0800)]
Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
Ensure we check the buffer size correctly.
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 6 01:31:08 CET 2012 on sn-devel-104
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:23 +0000 (20:44 +0100)]
wsgi: Serve '500 Internal Server Error' page when errors occur.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Dec 5 18:40:25 CET 2012 on sn-devel-104
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:08 +0000 (20:44 +0100)]
web_server: Make second argument to websrv_output const.
Jelmer Vernooij [Sat, 24 Nov 2012 18:35:33 +0000 (19:35 +0100)]
wsgi: When encountering error in Python code, print traceback to logs.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Tue, 4 Dec 2012 14:03:40 +0000 (15:03 +0100)]
BUG 9459: Install manpages only if we install the target.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 4 18:07:47 CET 2012 on sn-devel-104
Jeremy Allison [Mon, 3 Dec 2012 23:07:16 +0000 (15:07 -0800)]
Remove unused append_parent_acl().
Get rid of a large chunk of unused code.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Dec 4 11:59:30 CET 2012 on sn-devel-104
Michael Adam [Tue, 4 Dec 2012 01:02:07 +0000 (02:02 +0100)]
s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED
Omission to free the talloc frame causes a panic (at least in developer mode)
in the next main event loop due to "Frame not freed in order."
(Freed frame ../source3/smbd/process.c:3617, expected ../source3/modules/vfs_acl_common.c:534.)
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 4 09:03:25 CET 2012 on sn-devel-104
Michael Adam [Mon, 3 Dec 2012 15:52:12 +0000 (16:52 +0100)]
s3:passdb: fix building pdb_ldap as shared module
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 3 19:12:29 CET 2012 on sn-devel-104
Karolin Seeger [Fri, 30 Nov 2012 10:33:04 +0000 (11:33 +0100)]
docs: Merge both samba.8 manpages.
Remove source4/smbd/samba.8.xml and add the additional content to
docs-xml/samba.8.xml to be able to build this manpage with the autoconf build
also.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 3 16:28:32 CET 2012 on sn-devel-104
Karolin Seeger [Fri, 30 Nov 2012 09:39:06 +0000 (10:39 +0100)]
docs: Add samba.8 and samba-tool manpage to waf build.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Karolin Seeger [Fri, 30 Nov 2012 10:37:33 +0000 (11:37 +0100)]
docs: Update man 7 samba.
Update man 7 samba. Still incomplete, but at least a bit more up to date.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Karolin Seeger [Fri, 30 Nov 2012 08:43:33 +0000 (09:43 +0100)]
lib/talloc: Move manpage to man/.
Trying to be more consistent.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Karolin Seeger [Fri, 30 Nov 2012 08:39:22 +0000 (09:39 +0100)]
lib/tdb: Rename manpages/ to man/.
Trying to be more consistent.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:58:38 +0000 (14:58 +0100)]
replace: Remove deprecated getpass() support.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:55:48 +0000 (14:55 +0100)]
ntlm_auth4: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:48:00 +0000 (14:48 +0100)]
cmdline: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:38:14 +0000 (14:38 +0100)]
smbget: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:34:39 +0000 (14:34 +0100)]
util: Use new samba_getpass() function for passwd util.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 13:29:38 +0000 (14:29 +0100)]
ntlm_auth: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 12:17:13 +0000 (13:17 +0100)]
net: Use samba_getpass() function in net util.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Fri, 23 Nov 2012 14:05:51 +0000 (15:05 +0100)]
net: Use new samba_getpass() function for 'net rpc'.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:51:33 +0000 (15:51 +0100)]
net: Use new samba_getpass() function for 'net ads'.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:46:20 +0000 (15:46 +0100)]
torture: Use new samba_getpass() in masktest.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:46:06 +0000 (15:46 +0100)]
torture: Use new samba_getpass() in smbtorture3.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:39:34 +0000 (15:39 +0100)]
torture: Use new samba_getpass() in locktest2.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:34:06 +0000 (15:34 +0100)]
util: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:33:52 +0000 (15:33 +0100)]
smbclient: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:33:10 +0000 (15:33 +0100)]
wbinfo: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Thu, 22 Nov 2012 14:22:40 +0000 (15:22 +0100)]
util: Add a UNIX platform independent samba_getpass().
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Karolin Seeger [Mon, 3 Dec 2012 08:08:47 +0000 (09:08 +0100)]
docs: Fix typo in the howto collection.
Thanks to Hermann Gausterer <git-samba-2012@mrq1.org> for reporting!
Karolin
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 3 12:36:14 CET 2012 on sn-devel-104
Michael Adam [Mon, 3 Dec 2012 01:25:40 +0000 (02:25 +0100)]
s3:selftest: extend sids2xids test script to cope with "ID_TYPE_BOTH mappings
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Dec 3 10:47:17 CET 2012 on sn-devel-104
Michael Adam [Mon, 3 Dec 2012 07:34:43 +0000 (08:34 +0100)]
s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
The backends (tdbsam and ldapsam) do this.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 3 Dec 2012 00:44:49 +0000 (01:44 +0100)]
s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 3 Dec 2012 00:42:38 +0000 (01:42 +0100)]
s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
instead of sid_check_sid_is_in_our_sam(). This allows for builtin sids,
wellknown sids and "Unix User" and "Unix Group" domains.
This broadens up the check moved here in commit
02e25b2a43ae02205a3412f862a1482d24b70aa4.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 3 Dec 2012 00:40:37 +0000 (01:40 +0100)]
s3:passdb: add sid_check_object_is_for_passdb()
Variant of sid_check_is_for_passdb() that only checks for objects
in the various domains, not for the domain sids themselves.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 3 Dec 2012 00:34:32 +0000 (01:34 +0100)]
s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
The special treatment of the "Unix User" and "Unix Group" pseudo domains
can be reused.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 22:12:19 +0000 (23:12 +0100)]
s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
This code treats the own sam, builtin, wellknown, and sids from the
"Unix User" and "Unix Group" pseudo-domains.
This reverts part of commit
02e25b2a43ae02205a3412f862a1482d24b70aa4.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 30 Nov 2012 15:27:59 +0000 (16:27 +0100)]
s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()
This is more correct than the original one:
It also hands the wellknown and "Unix Users" and "Unix Groups" sids to passdb
for id mapping.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 30 Nov 2012 15:26:28 +0000 (16:26 +0100)]
build the new sid_check_is_for_passdb() function into passdb
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 30 Nov 2012 11:27:00 +0000 (12:27 +0100)]
s3:lib: add utility function sid_check_is_for_passdb()
This function checks whether the given sid should be treated
by passdb (e.g. for id mapping).
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 30 Nov 2012 14:27:15 +0000 (15:27 +0100)]
s3:winbindd: remove unused function idmap_backends_sid_to_unixid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 27 Nov 2012 11:08:33 +0000 (12:08 +0100)]
s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with empty cache
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 27 Nov 2012 21:43:04 +0000 (22:43 +0100)]
s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 15 Oct 2012 14:34:02 +0000 (16:34 +0200)]
s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
This is to remove problems with the same unix-id being used both
as a uid and a gid.
The autorid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.
This patch lets the autorid backend always create sid->id mappings of type both.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Mon, 15 Oct 2012 14:32:25 +0000 (16:32 +0200)]
s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
This is to remove problems with the same unix-id being used both
as a uid and a gid.
The rid backend will map a given number to the same SID, no matter whether this
is a uid or a gid. This will prime the idmap cache with mappings.
The sid-to-u/gid mapping, when not going through the cache, instead checks for
the type of the sid and only allows unix ids of the corresponding type.
Hence the rid backend will give different results, depending on whether the
cache is filled or not.
This patch lets the rid backend always create sid->id mappings of type both.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:53:39 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_gid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:53:04 +0000 (17:53 +0100)]
s3:winbindd: remove unused idmap_sid_to_uid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:50:50 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Gid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:50:11 +0000 (17:50 +0100)]
s3:winbindd: remove unused server implementation of wbint_Sid2Uid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:49:09 +0000 (17:49 +0100)]
s3:winbindd: remove wbint_Sid2Gid from the wbint.idl
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:48:36 +0000 (17:48 +0100)]
s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 16:05:01 +0000 (17:05 +0100)]
s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 15:54:36 +0000 (16:54 +0100)]
s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 15:44:41 +0000 (16:44 +0100)]
s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 15:40:48 +0000 (16:40 +0100)]
s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id
We can optimize this later and just do one wb_sids2xids_send/recv call.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 23 Nov 2012 00:35:30 +0000 (01:35 +0100)]
selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd
Note that in order to create a local group (alias), the id-allocator of
id-mapping is needed, so this can only work if winbindd is running.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 23:18:44 +0000 (00:18 +0100)]
selftest:Samba3: add "wbinfo -p" test to wait_for_start()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 23:09:43 +0000 (00:09 +0100)]
selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()
to make checks conditional
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 23:02:33 +0000 (00:02 +0100)]
selftest:Samba3: call wait_for_start() from check_or_start()
...instead of calling the two one after another each time.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 27 Nov 2012 00:11:16 +0000 (01:11 +0100)]
s3:winbindd: make idmap_find_domain() static.
idmap_find_domain_with_sid() should be used instead
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sun, 25 Nov 2012 01:13:15 +0000 (02:13 +0100)]
s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()
This is the way the singular calls work and how they should (currently) work.
The two code paths need to give the same results. It is important to use
the passdb backend, otherwise groups don't work.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 17:16:31 +0000 (18:16 +0100)]
s3:winbindd: add idmap_find_domain_with_sid()
This will return the passdb domain if the given sid is in our sam or builtin
or is the domain sid of those domains. Otherwise it returns the idmap domain
that results from the idmap configuration.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Thu, 22 Nov 2012 15:21:53 +0000 (16:21 +0100)]
s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 20 Nov 2012 15:48:23 +0000 (16:48 +0100)]
selftest:Samba3: provision the domain administrators group in the s3 environments
I discovered that this sid / mapping is missing by working with the Sids2Uids
code and test. I do even wonder why this test could succeed prior to my pending
changes to the winbindd sids-to-xids code, for example against the s3:local
environment, since the test tries to map the sid <domsid>-512.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sun, 18 Nov 2012 12:51:13 +0000 (13:51 +0100)]
s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sun, 18 Nov 2012 18:58:07 +0000 (19:58 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sun, 18 Nov 2012 18:29:37 +0000 (19:29 +0100)]
s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sat, 17 Nov 2012 12:10:26 +0000 (13:10 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid
The main purpose of the change is to hand the sid into the
idmap backend and handle responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.
Hence backends like rid who are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave consistently with and without
the presence of cache entries.
We need to additionally filter the result for id type GID
or more general (BOTH) to keep the behaviour.
This is a step towards using only one codepath to id_mapping.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sat, 17 Nov 2012 12:04:41 +0000 (13:04 +0100)]
s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
The main purpose of the change is to hand the sid into the
idmap backend and handle responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.
Hence backends like rid who are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave consistently with and without
the presence of cache entries.
We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.
This is a step towards using only one codepath to id_mapping.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Sat, 17 Nov 2012 01:30:07 +0000 (02:30 +0100)]
s3:winbindd: factor winbindd_sids_to_xids into external and internal part
- external part takes winbindd request/response structs (with sid strings)
- internal part takes sid lists
The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.
The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 16 Nov 2012 16:49:25 +0000 (17:49 +0100)]
s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 15:09:59 +0000 (16:09 +0100)]
s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 13:09:10 +0000 (14:09 +0100)]
s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()
for readability
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 12:54:20 +0000 (13:54 +0100)]
s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Fri, 9 Nov 2012 10:32:47 +0000 (11:32 +0100)]
s3:winbindd:util: add a comment explaining the function parse_sidlist()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:57:44 +0000 (09:57 +0100)]
s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:28:23 +0000 (09:28 +0100)]
s4:python/ntacl: allow string or objects for sd/sid in setntacl()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: fix the operation order when creating gpos
We should do it like the windows GUI.
1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 29 Nov 2012 08:31:12 +0000 (09:31 +0100)]
s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 1 Dec 2012 08:14:19 +0000 (09:14 +0100)]
s4:libcli/finddcs_cldap: allow io->in.server_address as hostname
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sat, 1 Dec 2012 07:56:57 +0000 (08:56 +0100)]
s4:libcli/finddcs_cldap: try all NBT#1C addresses
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>