1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1989 Commits

Author SHA1 Message Date
Stefan Metzmacher
06f026368e s4:python/ntacl: allow string or objects for sd/sid in setntacl()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:46 +01:00
Stefan Metzmacher
d48d0c5bbf s4:samba-tool/gpo: fix the operation order when creating gpos
We should do it like the windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
dde7eb0d82 s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
a1a525e2a9 s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:25 +01:00
Stefan Metzmacher
118db4ca11 s4:provision: add get_empty_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:20 +01:00
Michael Adam
4970d3cacb s4:tests/samba_tool/gpo.py: fix accidential line break
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a581242080 s4:tests/samba_tool/gpo.py: add test_show_as_admin()
This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
325e921908 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
67799962b8 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6bffad67d2 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
f843c04b0f s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Jelmer Vernooij
0d9bdcf834 web_server: Load SWAT if it is available.
Reviewed-by: Matthieu Patou <mat@matws.net>

Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Fri Nov 23 01:39:38 CET 2012 on sn-devel-104
2012-11-23 01:39:38 +01:00
Jelmer Vernooij
831a9f8f6d s4/web_server: Fix typo in URL.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Nov 22 01:37:02 CET 2012 on sn-devel-104
2012-11-22 01:37:02 +01:00
Kai Blin
10b6cceb1f samba-tool dns: Don't use "localhost" to connect to local host
Calling "samba-tool dns <cmd> localhost" provokes a stacktrace.

This just makes 'samba-tool dns <cmd> localhost' work and doesn't fix
the underlying issue, but I don't see it causing any harm (unless you
don't have an ipv4 localhost, I guess).

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 16 13:18:14 CET 2012 on sn-devel-104
2012-11-16 13:18:14 +01:00
Arvid Requate
ace0909b88 s4:samba-tool: Fix samba-tool fsmo --role=schema
Fix traceback:
samba-tool fsmo --role=schema --force
ERROR(<type 'exceptions.TypeError'>): uncaught exception - argument 2 must be string, not ldb.Dn
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 160, in run
    self.seize_role(role, samdb, force)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 119, in seize_role
    m.dn = ldb.Dn(samdb, self.schema_dn)

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 16 00:40:24 CET 2012 on sn-devel-104
2012-11-16 00:40:24 +01:00
Andrew Bartlett
256391c0fa samba-tool: Add new samba-tool gpo aclcheck and test
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-16 08:59:00 +11:00
Andrew Bartlett
a390a5878d scripting ntacls: Do not place a SACL in the GPO filesystem ACL
On a new GPO created on windows, the SACL is not used.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 14 00:34:50 CET 2012 on sn-devel-104
2012-11-14 00:34:50 +01:00
Andrew Bartlett
d6c7e9b1ed smbd: Remove NT4 compatability handling in posix -> NT ACL conversion
NT4 is long dead, and we should not change which ACL we return based
on what we think the client is.  The reason we should not do this, is
that if we are using vfs_acl_xattr then the hash will break if we do.
Additionally, it would require that the python VFS interface set the
global remote_arch to fake up being a modern client.

This instead seems cleaner and removes untested code (the tests are
updated to then handle the results of the modern codepath).

The supporting 'acl compatability' parameter is also removed.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-13 22:48:19 +01:00
Stefan Metzmacher
11f5d54cbb s4:samba-tool/testparm: report a CommandError if loading of the config file fails
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-13 22:14:14 +11:00
Andrew Bartlett
095c7627df selftest: Add --tmpdir to 'samba-tool gpo create' test
This was the cause of the flakey test, and was only noticed when
multiple different users ran autobuild at the same time on the same
server.

We use shutil.rmtree to wipe the directory before the tests finishes
as required by the TestCaseInTempDir class.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 13 10:50:56 CET 2012 on sn-devel-104
2012-11-13 10:50:56 +01:00
Andrew Bartlett
4d6d6e446c selftest: Avoid returning errors (rather than failures) in gpo test
This should help find the real cause of the flakey test, if it ever returns.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-13 00:00:25 +01:00
Andrew Bartlett
94649e46b4 selftest: Avoid test cross-contamination in samba.tests.posixacl
This creates a new xattr.tdb per unit test, which avoids once and for all
the issue of dev/inode reuse.

For test_setposixacl_dir_getntacl_smbd the file ownership also set specifically.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-12 09:39:54 +11:00
Andrew Bartlett
1d81e52bba selftest: Add tests for expected behaviour on directories as well as files
This is important because it covers the codepath which had the talloc
error fixed by commit 60cf4cb5a6
(vfs_acl_common: In add_directory_inheritable_components allocate on
psd as parent)

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Nov 11 15:48:10 CET 2012 on sn-devel-104
2012-11-11 15:48:10 +01:00
Andrew Bartlett
a6a01552ef pysmbd: Add SMB_ACL_EXECUTE to the mask set by make_simple_acl()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 00:05:12 +11:00
Andrew Bartlett
312f8ddae2 selftest: Make samba.tests.ntacl also use TestCaseInTempDir
This follows on from the successful conversion of samba.tests.posixacl.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 00:05:12 +11:00
Andrew Bartlett
b4d8629f51 samba-tool: Rework ldap attribute fetch in classicupgrade for missing attributes
Is is not required that these additional attributes be filled in, so
catch KeyError in both the nsswitch and ldap backend case.

We rework get_posix_attr_from_ldap_backend() so it raises KeyError
rather than trying to return None, and does not ignore other errors.

Andrew Bartlett

Tested-by: Chirana Gheorghita Eugeniu Theodor <office@adaptcom.ro>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-12 00:05:08 +11:00
Karolin Seeger
76fa5ee5d4 samba-tool: Fix typo in --help output.
Signed-off-by: Karolin Seeger <kseeger@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov  9 11:04:50 CET 2012 on sn-devel-104
2012-11-09 11:04:50 +01:00
Andrew Bartlett
ab30a8bf0f provision: Make dsacl2fsacl() take a security.dom_sid, not str
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov  6 00:12:43 CET 2012 on sn-devel-104
2012-11-06 00:12:43 +01:00
Andrew Bartlett
033451587d provision: Also walk directories checking ACLs
The directory walk was missed due to a cut-and-paste error.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 08:27:44 +11:00
Andrew Bartlett
0b7bb774ce selftest: check that samba-tool gpo works for basic operations
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 08:27:44 +11:00
Andrew Tridgell
538dd046f1 samba-tool: "drs options" does not need a samdb connection
this gives us a handy pure RPC client test for use in blackbox testing

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 15:40:41 +11:00
Andrew Bartlett
42c379f0df samba-tool: Add samba-tool processes subcommand
This will allow administrators to inspect the process list in a
similar way to what running on a platform with setproctitle might
permit.

--pid= returns the registered server names for a PID (eg kdc, cldap_server)
--name= returns the pids registered with a particular name.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Andrew Bartlett
a732f2a621 pymessaging: Add irpc_servers_byname() and irpc_all_servers()
This will allow python scripts to inspect the process list.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Andrew Bartlett
76b7348299 pymessaging: Use the server_id IDL structure rather than a tuple
This will make it easier to pass this structure in and out.  The tuple is still
accepted as input.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Jelmer Vernooij
8d397b69bb TestCaseInTempDir: Use addCleanup rather than tearDown. 2012-10-27 05:16:19 -08:00
Andrew Bartlett
3180a1082a sefltest: use TestCaseInTempDir and setUp/tearDown for posixacl.py temp file
This manages the temp file more reliably, and reduces the repeated
code in each test case.

Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 27 04:37:58 CEST 2012 on sn-devel-104
2012-10-27 04:37:58 +02:00
Andrew Bartlett
7e90a06443 provision: Fix comments in checksysvolacl 2012-10-27 11:55:08 +11:00
Andrew Bartlett
e107c6ace7 pysmbd: Add hook for unlink() so python scripts can remove xattr.tdb entries
If we do not provide a way to remove files from xattr.tdb, we can re-use the inode.

Andrew Bartlett
2012-10-26 17:26:20 +11:00
Andrew Bartlett
a2d53262e8 python-ntacls: Cope with ACL revision 4
This is the new revision with the hash of the posix or system ACL.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 25 15:04:39 CEST 2012 on sn-devel-104
2012-10-25 15:04:39 +02:00
Andrew Bartlett
1008f6fbf4 selftest: Always unlink the tempf in posixacl test 2012-10-25 22:18:50 +11:00
Andrew Bartlett
117d5f4c37 selftest: Cover the important non-Samba invalidation of the NT ACL
This covers the case where we have a valid hash of the posix ACL (or the NT ACL from the
POSIX ACL) and we notice it no longer matches.

Andrew Bartlett
2012-10-25 22:18:50 +11:00
Andrew Bartlett
53244c9151 selftest: Cover one more NT ACL invalidation case and improve comments
This tries to show the difference between the cases where we trap
the POSIX ACL change and where we actually detect an OS-level change.

Andrew Bartlett
2012-10-25 20:24:36 +11:00
Andrew Bartlett
e9b6b23fbd selftest: Add many more tests for our posix ACL handling
This tests the mapping of posix ACLs to NT ACLs, the invalidation of
NT ACLs stored as an xattr and ensures this security-critical code
continues to work in the long term.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 25 10:05:16 CEST 2012 on sn-devel-104
2012-10-25 10:05:16 +02:00
Jelmer Vernooij
13bbd3b3b1 pyglue: Make all_interfaces argumen to interface_ips() optional.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sun Oct 21 21:26:01 CEST 2012 on sn-devel-104
2012-10-21 21:26:01 +02:00
Jelmer Vernooij
f67c0a28cf pyglue: Mention parameters in interface_ips() docstring. 2012-10-21 10:42:40 -07:00
Jelmer Vernooij
e3a48bb5f6 samba-tool user test: Fix expected output.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Fri Oct 19 11:37:44 CEST 2012 on sn-devel-104
2012-10-19 11:37:44 +02:00
Jelmer Vernooij
364ed82d22 samba.tests.docs: Ignore removed parameters. 2012-10-19 09:21:01 +02:00
Jelmer Vernooij
ed37b8ad14 samba.tests.docs: Assume docs are generated by waf. 2012-10-19 09:16:55 +02:00
Jelmer Vernooij
cfa72bcc5e samba.tests.docs: Write error output from xsltproc to standard out. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
8412b57f5c samba.tests.docs: Skip tests if xsltproc is not present. 2012-10-19 09:10:14 +02:00