sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code
83,647 Commits 60 Branches 1,145 Tags 452 MiB
0c2c00e4b9
Commit Graph

29630 Commits

Author SHA1 Message Date
Stefan Metzmacher
0c2c00e4b9 s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX 
See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:21 +01:00
Stefan Metzmacher
b54d268e20 s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes 
The @KLUDGEACL record might not be uptodate.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
f67f469ce1 s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
5aa7dbe546 s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
4ef36fda68 s4:dsdb/descriptor: remove some nesting from descriptor_modify 
If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
8d60ac19ed s4:dsdb/descriptor: remove some unnecessary nesting 
sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
813492676c s4:dsdb/descriptor: add some error checks to descriptor_{add,modify} 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
b3486f4e1a s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
74e3f0ea0a s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename} 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
4136d969ca s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd 
The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
118db4ca11 s4:provision: add get_empty_descriptor() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
7a3e4d04c7 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
c2c715f9c9 s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
990448b499 s4:dsdb/acl_read: enable acl checking on search by default (bug #8620) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
fa676769e0 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor 
We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
ca3c0e28ef s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
53b100bb59 s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor 
The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
95b480fd98 s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set 
In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
3d57f17db9 s4:dsdb/acl: remove unused "acl:perform" option 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
329afc1a20 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
42898590bb s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add 
See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
f018772e0c s4:dsdb/descriptor: make use of dsdb_request_sd_flags() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
67045fafe8 s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor 
If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
690b5e1161 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
2916313f80 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
1cdecf1234 s4:dsdb/acl_util: do helper searches AS_SYSTEM 
The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
8d900d06ff s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
659277a89d s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
844b736a1d s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a882b41d44 s4:dsdb/rootdse: do helper searches AS_SYSTEM 
As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
964d96d2c3 s4:dsdb/rootdse: remove unused variable 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Michael Adam
4970d3cacb s4:tests/samba_tool/gpo.py: fix accidential line break 
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a581242080 s4:tests/samba_tool/gpo.py: add test_show_as_admin() 
This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
325e921908 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
67799962b8 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6bffad67d2 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
f843c04b0f s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
8563348a01 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF 
A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6991fb385e s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
7fe1e61ab9 s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
ac9bd1e63a s4:dsdb/schema_data: fix debug message in schema_data_modify() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Michael Adam
06e1fca044 libnet: Fix a typo in dbsync error message. 
Signed-off-by: Michael Adam <obnox@samba.org>
 2012-11-30 14:02:54 +01:00
Andreas Schneider
7a429367a9 libnet: Fix copy and paste error in dbsync error message. 2012-11-30 14:02:53 +01:00
Andreas Schneider
f3d5d14906 torture: Fix copy and paste error in debug message. 
Found by Coverity.
 2012-11-30 14:02:53 +01:00
Andreas Schneider
1b170c29bc torture: Fix copy and paste error. 
Found by Coverity.
 2012-11-30 14:02:53 +01:00
Karolin Seeger
26a0ee5a0d docs: man oLschema2ldif: Add missing meta data. 
This avoids warnings during the waf build and removes "FIXME" entries from the
manpage.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 29 15:27:45 CET 2012 on sn-devel-104
 2012-11-29 15:27:45 +01:00
Karolin Seeger
e9e9661b23 docs: man ntlm_auth4: Add missing meta data. 
This avoids warnings during the waf build and removes "FIXME" entries from the
manpage.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-29 13:42:31 +01:00
Karolin Seeger
6ba7a6686c docs: man smbtorture: Add missing meta data. 
This avoids warnings during the waf build and removes "FIXME" entries from the
manpage.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-29 13:42:28 +01:00
Karolin Seeger
122cc5b023 docs: man masktest: Add missing meta data. 
This avoids warnings during the waf build and removes "FIXME" entries from the
manpage.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-29 13:42:24 +01:00
Karolin Seeger
cb501f99d2 docs: man locktest: Add missing meta data. 
This avoids warnings during the waf build and removes "FIXME" entries from the
manpage.

Karolin

Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-29 13:42:20 +01:00