Andrew Bartlett [Mon, 24 May 2010 05:00:20 +0000 (15:00 +1000)]
s3:s3compat Allow replacement of lp_idmap_backend() and lp_idmap_alloc_backend
Andrew Bartlett [Sun, 23 May 2010 15:13:54 +0000 (01:13 +1000)]
s3:param Allow lp_security() and lp_passdb_backend to be omited for s3compat
When we build s3compat into the source4 code, we will provide a
replacement for both these functions.
Andrew Bartlett
Andrew Bartlett [Fri, 14 May 2010 14:10:56 +0000 (00:10 +1000)]
s3:winbindd Add hooks for s3compat into source3/winbindd
These extra pointers help the s3compat code do it's job
Andrew Bartlett [Tue, 18 May 2010 03:00:53 +0000 (13:00 +1000)]
s3:auth Improve make_auth_context_text_list API - add const
Andrew Bartlett [Mon, 17 May 2010 10:47:59 +0000 (20:47 +1000)]
s3:auth Enable make_auth_context_subsystem to be replaced in s3compat
This allows s3compat to replace this with a function that only directs
authentication to the source4 auth subsystem.
Andrew Bartlett
Andrew Bartlett [Tue, 4 May 2010 13:44:50 +0000 (23:44 +1000)]
s3:auth Add error paths for invalid password_state values
Andrew Bartlett [Mon, 17 May 2010 09:04:31 +0000 (19:04 +1000)]
s3:auth Change winbindd -> auth interface to more standard structures
This removes conversions to and from the source3 varient of the
server_info structure when replaced in s3compat, and presents a tidier
interface to winbindd in any case.
Andrew Bartlett
Andrew Bartlett [Mon, 17 May 2010 03:38:08 +0000 (13:38 +1000)]
auth/common_auth.h Add a few more 'common' functions
This helps ensure that we don't have different prototypes for the
different implementaitons of these functions.
Andrew Bartlett
Andrew Bartlett [Tue, 18 May 2010 03:11:46 +0000 (13:11 +1000)]
auth Add kerberos_return_pac() to common_auth.h
Andrew Bartlett [Tue, 18 May 2010 03:09:39 +0000 (13:09 +1000)]
auth Add ads_verify_ticket() to common_auth.h
Andrew Bartlett [Mon, 17 May 2010 08:10:13 +0000 (18:10 +1000)]
s3:auth Change 'make_user_info' to be talloc based
This is an ideal candidate, as it already uses a free function. It
now uses talloc destructors to clear the passwords if required.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 11:53:42 +0000 (21:53 +1000)]
s3:auth Whitespace fixes after auth merge
Andrew Bartlett [Tue, 1 Jun 2010 11:52:01 +0000 (21:52 +1000)]
s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Andrew Bartlett [Tue, 4 May 2010 06:44:08 +0000 (16:44 +1000)]
s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
Jeremy Allison [Mon, 7 Jun 2010 23:26:30 +0000 (16:26 -0700)]
Make aio_ex owned by a talloc context, not neccessarily on the null context.
Jeremy Allison [Mon, 7 Jun 2010 23:25:18 +0000 (16:25 -0700)]
Move "write_though" into aio_ex struct.
Simo Sorce [Mon, 7 Jun 2010 18:08:05 +0000 (14:08 -0400)]
s3:smbd add utility function to check if there are open pipes
Simo Sorce [Mon, 7 Jun 2010 20:02:14 +0000 (16:02 -0400)]
s3:rpc make num_pipe_handles get an actual pipe as argument
Let the function abstract out how handles are counted
Simo Sorce [Sun, 6 Jun 2010 20:33:28 +0000 (16:33 -0400)]
s3:rpc handles are used by all pipes, use better name
Simo Sorce [Mon, 7 Jun 2010 19:07:38 +0000 (15:07 -0400)]
s3:rpc fix potential out of bound memory access
memcpy copies memory unconditionally, we are passing "" in some cases here.
Use strncpy which will stop reading from src if the null byte is found and
will fill with nulls the destination.
Björn Jacke [Mon, 7 Jun 2010 21:06:28 +0000 (23:06 +0200)]
s3: fix build on platforms without st_blocks and st_blksize stat struct members
This fixes bug 7474.
Matthias Dieter Wallnöfer [Mon, 7 Jun 2010 19:26:33 +0000 (21:26 +0200)]
ldb:pyldb.c - we cannot use "ldb_dn_compare" if both message DNs are NULL in "py_ldb_msg_compare"
Discovered by the testcase.
Matthieu Patou [Fri, 7 May 2010 00:16:11 +0000 (04:16 +0400)]
s4 python: add more unit tests to verify the compare tests
Matthias Dieter Wallnöfer [Mon, 7 Jun 2010 18:46:59 +0000 (20:46 +0200)]
s4:objectclass_attrs LDB module - move the single-valued attribute check into this module
It seems to me more consistent (and also to keep the same behaviour on all
backends).
Also the DRS hack should therefore not be needed anymore since the
"repl_meta_data" module launches requests behind "objectclass_attrs".
Matthias Dieter Wallnöfer [Mon, 7 Jun 2010 18:31:22 +0000 (20:31 +0200)]
s4:rdn_name LDB module - move the "distinguishedName" write prevent check here
In my eyes it fits better here than in the TDB backend code.
Andrew Bartlett [Wed, 2 Jun 2010 12:52:56 +0000 (22:52 +1000)]
s3:auth add hooks to indicate if signing or sealing is desired with NTLMSSP
This allows the right hooks to be called in GENSEC when s3compat
implements the auth_ntlmssp interface. Otherwise, we can't do the
signing or sealing as we have not negoitated it's use.
Andrew Bartlett
Andrew Bartlett [Wed, 2 Jun 2010 12:35:53 +0000 (22:35 +1000)]
s3:auth Change auth_ntlmssp_server_info API to return NTSTATUS
It's nicer to have an NTSTATUS return, and in s3compat there may be a
reason other than 'no memory' why this can fail.
Andrew Bartlett
Andrew Bartlett [Thu, 3 Jun 2010 11:05:57 +0000 (21:05 +1000)]
s3:named pipe proxy Improve error messages when named pipes fail to forward
I hope this helps the next person who needs to debug this.
Andrew Bartlett
Andrew Bartlett [Thu, 3 Jun 2010 11:15:33 +0000 (21:15 +1000)]
s3:smbd Give the kerberos session key a parent
I can't see what would free this, so this should prevent a memory leak.
Andrew Bartlett
Andrew Bartlett [Thu, 3 Jun 2010 10:59:25 +0000 (20:59 +1000)]
named_pipe_auth Always lower case the incoming pipe name
Windows connects to an upper case NETLOGON pipe, and we can't find the
socket to connect to until we lower case the name.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 09:19:01 +0000 (19:19 +1000)]
s3:smbd Fix segfault if register_existing_vuid() fails
The register_existing_vuid() call will handle both the ntlmssp_end and
vuid invalidation internally, so we don't want to do it again.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 11:11:14 +0000 (21:11 +1000)]
s3:auth Rename user_info->domain -> user_info->mapped.domain_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 11:08:38 +0000 (21:08 +1000)]
s3:auth Rename user_info->client_domain -> user_info->client.domain_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 11:01:23 +0000 (21:01 +1000)]
s3:auth fix header comment for internal_username -> mapped.account_name
Andrew Bartlett [Tue, 1 Jun 2010 10:30:56 +0000 (20:30 +1000)]
s3:auth Rename user_info->internal_username -> user_info->mapped.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Jun 2010 10:27:03 +0000 (20:27 +1000)]
s3:auth Rename user_info->smb_name -> user_info->client.account_name
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
Matthias Dieter Wallnöfer [Mon, 7 Jun 2010 13:02:38 +0000 (15:02 +0200)]
s4:samba_dsdb LDB module - fix typos
Matthias Dieter Wallnöfer [Mon, 7 Jun 2010 12:58:30 +0000 (14:58 +0200)]
s4:samba_dsdb LDB module - enhance/fix module rule comments
Simo Sorce [Sat, 29 May 2010 15:29:29 +0000 (11:29 -0400)]
s3:auth make sure the primary group sid is usable
This function was previously performed under the cover by converting
back and forth from info3 to samu and then later from samu to info3.
Since we now shortcircuit that in some cases, check explicitly using
get_primary_group_sid()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Sat, 29 May 2010 15:02:47 +0000 (11:02 -0400)]
s3:auth return the full passwd struct from check_account
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Sat, 29 May 2010 14:51:40 +0000 (10:51 -0400)]
s3:passdb Export function to calculate the proper primary group sid
Don't keep it buried in passdb, this function need to be available
for use in places where we do not want to construct an artificial
samu struct just to play tricks.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 21:03:18 +0000 (17:03 -0400)]
s3:auth remove unused structure member
sids are now completely handled using info3, remove dead code that fills
server info sids and the structure members themselves
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 20:16:53 +0000 (16:16 -0400)]
s3:auth create nt token from info3 directly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 17:18:13 +0000 (13:18 -0400)]
s3:auth handle unix domain sids in samu
When we generate a user out of thin air we may end up adding sids
that are not part of the sam domain (unix domain sids).
Handle the case and preserve these sids as extra sids.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 17:22:41 +0000 (13:22 -0400)]
s3:auth set the resolved user sid in the fake sam account
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 15:14:01 +0000 (11:14 -0400)]
s3:auth check the user is valid first
It makes no sense to go through all the hoops to build samu and
convert it to info3, just to discard them later if the user was
not valid.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Simo Sorce [Fri, 28 May 2010 15:07:49 +0000 (11:07 -0400)]
s3:auth make sure we set the right username
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 18:58:43 +0000 (20:58 +0200)]
s4:ldap.py - add some "objectclass" behaviour tests
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 21:02:25 +0000 (23:02 +0200)]
s4:objectclass LDB module - rework the code which handles the objectclasses modification
Before it has been very incomplete. We try now to match the Windows Server
behaviour as close as possible.
Matthias Dieter Wallnöfer [Sun, 6 Jun 2010 21:09:28 +0000 (23:09 +0200)]
s4:ldap.py - enhance the attributes testcase to demonstrate how the attributes are checked against the schema and the specified objectclasses
This demonstrates the bew "objectclass_attrs" LDB module behaviour.
Matthias Dieter Wallnöfer [Sun, 6 Jun 2010 17:06:58 +0000 (19:06 +0200)]
s4:acl LDB module - LDB attribute names should be compared using "ldb_attr_cmp" or "strcasecmp"
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 18:19:31 +0000 (20:19 +0200)]
s4:acl LDB module - adaption for "objectclass_attrs" module
Since the attribute schema checking code moved back we need to give here the
"LDB_ERR_NO_SUCH_ATTRIBUTE" error.
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 17:11:25 +0000 (19:11 +0200)]
s4:objectclass LDB module - remove "fix_check_attributes"
Also this task is now performed by the "objectclass_attrs" LDB module.
Matthias Dieter Wallnöfer [Sun, 6 Jun 2010 17:53:33 +0000 (19:53 +0200)]
s4:samldb LDB module - adjust the module to set always a "defaultObjectCategory" on objectclass add operations
This is needed to make the "objectclass_attrs" LDB module happy. The search
check and case adjustment are done as it was using a second modify operation.
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 17:09:51 +0000 (19:09 +0200)]
s4:remove the "validate_update" LDB module - the task is now handled by the far more complete "objectclass_attrs" LDB module
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 15:34:35 +0000 (17:34 +0200)]
s4:dsdb - introduce a new "objectclass_attrs" LDB module which performs the objectclass attributes checking
Until now we had no real consistent mechanism which allowed us to check if
attributes belong to the specified objectclasses.
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 17:17:16 +0000 (19:17 +0200)]
s4:objectclass LDB module - instanciate the schema variable centrally on the "ac" context creation
This unifies the position when the schema is read and prevents multiple
instanciations (eg on a modification operation).
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 20:13:03 +0000 (22:13 +0200)]
s4:samldb LDB module - finally we can remove the RDN check
This is now dynamically always done by the objectclass LDB module
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 20:06:39 +0000 (22:06 +0200)]
s4:ldap.py - enhance the rename tests to demonstrate the functionality
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 19:55:08 +0000 (21:55 +0200)]
s4:objectclass LDB module - finally implement the correct entry rename protections
Only the "systemFlags" check is still missing.
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 19:43:55 +0000 (21:43 +0200)]
s4:objectclass LDB module - cosmetic change
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 19:42:06 +0000 (21:42 +0200)]
s4:objectclass LDB module - remove duplicated code
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 19:24:49 +0000 (21:24 +0200)]
s4:objectclass LDB module - fix counter variable types
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 19:23:34 +0000 (21:23 +0200)]
s4:objectclass LDB module - explain why the search can return with an empty return
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 17:44:22 +0000 (19:44 +0200)]
s4:objectclass LDB module - this "talloc_steal" is not necessary
The "parent_dn" was created on the "ac" context which lives anyway longer
than this child request.
Matthias Dieter Wallnöfer [Fri, 4 Jun 2010 18:48:52 +0000 (20:48 +0200)]
s4:objectclass LDB module - fix error result if an entry doesn't contain a structural objectclass
We need to return LDB_ERR_UNWILLING_TO_PERFORM (not LDB_ERR_NAMING_VIOLATION).
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 11:06:54 +0000 (13:06 +0200)]
s4:objectclass LDB module - use "ldb_oom" for expressing out of memory
Matthias Dieter Wallnöfer [Wed, 2 Jun 2010 20:42:59 +0000 (22:42 +0200)]
s4:objectclass LDB module - fix header and add my copyright
Andreas Schneider [Thu, 27 May 2010 07:07:03 +0000 (09:07 +0200)]
s3-waf: Build rpc_server/srv_spoolss_util.c too.
Signed-off-by: Günther Deschner <gd@samba.org>
Günther Deschner [Mon, 7 Jun 2010 10:55:43 +0000 (12:55 +0200)]
s3-lsa: Fix static list of luids in our privileges implementation.
The high/low order changed while moving to LSA defines. Found by torture test.
Guenther
Günther Deschner [Mon, 7 Jun 2010 10:41:39 +0000 (12:41 +0200)]
s4-smbtorture: test workstation auth as well in RPC-SPOOLSS-ACCESS.
Guenther
Matthieu Patou [Fri, 7 May 2010 00:15:28 +0000 (04:15 +0400)]
s4:ldb python bindings - implement comparison on Python LDB Message objects
Coauthors: Jelmer Vernooij, Matthias Dieter Wallnöfer
Matthieu Patou [Sat, 5 Jun 2010 15:25:18 +0000 (19:25 +0400)]
s4: Remove an uselessly exposed control
Günther Deschner [Mon, 7 Jun 2010 09:21:26 +0000 (11:21 +0200)]
s4-smbtorture: handle printservers w/o printers in RPC-SPOOLSS-ACCESS.
Guenther
Günther Deschner [Sat, 5 Jun 2010 00:39:11 +0000 (02:39 +0200)]
s3-privileges: use LUID defines from lsa IDL.
Guenther
Matthew McGillis [Sat, 5 Jun 2010 00:48:40 +0000 (17:48 -0700)]
Fix bug with incorrect flag values for inherited ace in some cases.
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 16:35:00 +0000 (18:35 +0200)]
s4:password_hash LDB module - adapt the module to the new "ldb_msg_remove_attr" behaviour
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 16:22:10 +0000 (18:22 +0200)]
ldb:ldb_msg_remove_attr - provide a better implementation
We can have some special (bad) messages which contain multiple message elements
for the same attribute. The AD password change ones are such an example.
Matthias Dieter Wallnöfer [Sun, 6 Jun 2010 17:12:48 +0000 (19:12 +0200)]
s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module
When a "computer" entry will be added, also the inherited "user" objectclass is
going to be specified.
Matthias Dieter Wallnöfer [Fri, 4 Jun 2010 19:10:41 +0000 (21:10 +0200)]
s4:get_last_structural_class - only real structural classes can be candidates for fetching the last one
Classes with objectCategory = 1 are always structural, these with
objectCategory = 0 also (as we can see in our Windows 2008 R2 schema file where
class "Person" has 0 but is structural).
Abstract classes and auxiliary ones cannot be considered (objectCategory = 2, 3)
http://msdn.microsoft.com/en-us/library/ms677964(VS.85).aspx
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 16:05:52 +0000 (18:05 +0200)]
s4:ldap.py - enhance the RDN name test to show that invalid "name" attributes are allowed on add operations
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 16:25:43 +0000 (18:25 +0200)]
s4:rdn_name LDB module - use "ldb_msg_remove_attr" for deleting attributes
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 15:56:09 +0000 (17:56 +0200)]
s4:rdn_name LDB module - remove "rdn_name_find_attribute"
It does exactly the same as "ldb_msg_find_element".
Matthias Dieter Wallnöfer [Mon, 31 May 2010 12:52:46 +0000 (14:52 +0200)]
s4:dsdb/common/util.c - provide a better implementation of the "samdb_msg_add_(add/del)val" calls
This supports now also coexisting add and delete message elements with the
same attribute name.
Matthias Dieter Wallnöfer [Thu, 3 Jun 2010 16:37:15 +0000 (18:37 +0200)]
ldb:ltdb_filter_attrs - fix a counter variable type
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 12:33:52 +0000 (14:33 +0200)]
s4:ldap_server/ldap_backend.c - send back also the extended error message if it exists
This message often contains suggestions how to fix issues.
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 15:45:51 +0000 (17:45 +0200)]
s4:ridalloc LDB module - add more "talloc_free"s where useful
Some were missing on failure return branches.
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 18:08:45 +0000 (20:08 +0200)]
s4:acl LDB module - fix counter types where appropriate
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 17:58:28 +0000 (19:58 +0200)]
s4:descriptor LDB module - cosmetic fixup
Matthias Dieter Wallnöfer [Sun, 6 Jun 2010 18:23:42 +0000 (20:23 +0200)]
s4:urgent_replication.py - specify the "dnsRoot" attribute which is requested on "crossRef" entries
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 20:19:58 +0000 (22:19 +0200)]
s4:ldap.py - make sure that also the "posixuser" will be deleted on test breakages
Matthias Dieter Wallnöfer [Sat, 5 Jun 2010 22:11:16 +0000 (00:11 +0200)]
s4:provision - fix typo in substitution variable
Jeremy Allison [Sat, 5 Jun 2010 04:00:24 +0000 (21:00 -0700)]
Fix a long-standing bug with async io that would only be triggered by SMB2.
On normal or shutdown close, ensure we wait for any pending IO to
complete before returning. Implement a blocking aio_suspend inside
vfs_aio_fork.c. These changes pass make test when the aio_fork module
is used by default on the test shares.
Jeremy.
Björn Jacke [Sat, 5 Jun 2010 00:13:21 +0000 (02:13 +0200)]
s3:build: add shared lib flag for HP-UX compiler
Björn Jacke [Sat, 5 Jun 2010 00:12:02 +0000 (02:12 +0200)]
s3: fix build on Heimdal based systems like NetBSD5
Günther Deschner [Fri, 4 Jun 2010 23:26:49 +0000 (01:26 +0200)]
s4-smbtorture: make RPC-SPOOLSS-ACCESS more compatible with older samba releases.
Guenther
Günther Deschner [Fri, 4 Jun 2010 23:25:05 +0000 (01:25 +0200)]
s4-smbtorture: remove another incarnation of test_ClosePrinter.
This should fix the build; why waf didn't catch that durint make bin/smbtorture4 ?
Guenther
Günther Deschner [Fri, 4 Jun 2010 17:03:11 +0000 (19:03 +0200)]
s4-smbtorture: add RPC-SPOOLSS-ACCESS.
This test creates
- a user
- a user with BUILTIN\Administrators membership
- a user with BUILTIN\Print Operators membership
- a user with SePrintOperatorPrivilege (if available)
- a user with full access in security descriptor
and checks what access rights are granted in spoolss_OpenPrinterEx.
Guenther
Günther Deschner [Fri, 4 Jun 2010 17:02:17 +0000 (19:02 +0200)]
s4-smbtorture: share test_ClosePrinter between RPC-SPOOLSS and RPC-SPOOLSS-WIN.
Guenther
Günther Deschner [Fri, 4 Jun 2010 14:55:07 +0000 (16:55 +0200)]
s3-rpcclient: allow to add access_mask in cmd_spoolss_open_printer_ex().
Guenther