1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

83698 Commits

Author SHA1 Message Date
Michael Adam
5b975ce78c selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()
to make checks conditional

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:24 +01:00
Michael Adam
f7dca55224 selftest:Samba3: call wait_for_start() from check_or_start()
...instead of calling the two one after another each time.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:24 +01:00
Michael Adam
4210e08109 s3:winbindd: make idmap_find_domain() static.
idmap_find_domain_with_sid() should be used instead

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:24 +01:00
Michael Adam
27f88ba2de s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()
This is the way the singular calls work and how they should (currently) work.
The two code paths need to give the same results. It is important to use
the passdb backend, otherwise groups don't work.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:23 +01:00
Michael Adam
370d62578d s3:winbindd: add idmap_find_domain_with_sid()
This will return the passdb domain if the given sid is in our sam or builtin
or is the domain sid of those domains. Otherwise it returns the idmap domain
that results from the idmap configuration.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:23 +01:00
Michael Adam
150cfb4b97 s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:23 +01:00
Michael Adam
ee17a516c8 selftest:Samba3: provision the domain adminstrators group in the s3 environments
I discovered that this sid / mapping is missing by working with the Sids2Uids
code and test. I do even wonder why this test could succeed prior to my pending
changes to the winbindd sids-to-xids code, for example against the s3:local
environment, since the test tries to map the sid <domsid>-512.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:23 +01:00
Michael Adam
28e7d73bdc s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:22 +01:00
Michael Adam
da8d026380 s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:22 +01:00
Michael Adam
75a752473f s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:22 +01:00
Michael Adam
3e7f04b70f s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid
The main purpose of the change is to hand the sid into the
idmap backend and handle responsiblity for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.

Hence backends like rid who are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave the consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type GID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:22 +01:00
Michael Adam
7637c93472 s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
The main purpose of the change is to hand the sid into the
idmap backend and handle responsiblity for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.

Hence backends like rid who are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave the consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
8e5ce1e2d5 s3:winbindd: factor winbindd_sids_to_xids into external and internal part
- external part takes winbindd request/reponse structs (with sid strings)
- internal part takes sid lists

The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.

The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
c58c68d5ba s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
349b9ac052 s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
be033a1d16 s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()
for readability

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Michael Adam
b435e668aa s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Michael Adam
3f0c31fbd3 s3:winbindd:util: add a comment explaining the function parse_sidlist()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Stefan Metzmacher
6f71071381 s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:46 +01:00
Stefan Metzmacher
06f026368e s4:python/ntacl: allow string or objects for sd/sid in setntacl()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:46 +01:00
Stefan Metzmacher
d48d0c5bbf s4:samba-tool/gpo: fix the operation order when creating gpos
We should do it like the windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
dde7eb0d82 s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
a1a525e2a9 s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:25 +01:00
Stefan Metzmacher
a42c49c93a s4:libcli/finddcs_cldap: allow io->in.server_address as hostname
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 23:24:58 +01:00
Stefan Metzmacher
c4d51d8d17 s4:libcli/finddcs_cldap: try all NBT#1C addresses
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 23:19:28 +01:00
Stefan Metzmacher
0e2e3ff5e8 s3:smbcacls: add --query-security-info and --set-security-info options
This allows the caller to specify the security_information flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 23:08:23 +01:00
Stefan Metzmacher
9afba14417 s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags
In order to set and get security_descriptors it's important to specify
the sec_info flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 22:53:32 +01:00
Stefan Metzmacher
cf60338ada libcli/security: remove duplicate aces in se_create_child_secdesc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 22:42:20 +01:00
Stefan Metzmacher
8fbe39d513 s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 18:32:36 +01:00
Stefan Metzmacher
139232656a s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 18:32:04 +01:00
Stefan Metzmacher
0a3396b536 s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
We do this if the idmap layer resolves Builtin_Administrators
as ID_TYPE_BOTH and if the current token has the
Builtin_Administrators SID or it's SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 18:31:00 +01:00
Stefan Metzmacher
8ababf4367 s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
A client can send a full security_descriptor while just passing
sd_flags of SECINFO_DACL.

We need to NULL out elements which will be ignored depending on
the sd_flags and may set the old owner/group sids. Otherwise
the calculation of the DACL/SACL can replace CREATOR_OWNER with
the wrong sid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02 18:30:47 +01:00
Stefan Metzmacher
057c56ac24 s4:dsdb/tests: add SdAutoInheritTests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104
2012-11-30 18:59:50 +01:00
Stefan Metzmacher
d31742641f s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes
We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
fb2a41d945 s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
f8c0ad65ad s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
dae1b0d852 s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
d6962f40ca s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
2101400af2 s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
ddea856490 s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
This can only be triggered by ourself, that's why we expect
control->data == module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
1be4dbc0ca s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
7f42a8b7b6 s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
The propagation of nTSecurityDescriptor doesn't change the
replProperyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
cb9c7ee79b s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60f0e172e3 s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
7f88ad3efc s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
5dd4555f39 s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60192fd100 s4:dsdb/subtree_delete: do an early return and avoid some nesting
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
ff274bafeb s4:dsdb/objectclass: do not pass the callers controls on helper searches
We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
5838637b42 s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00
Stefan Metzmacher
60c29a51a0 s4:dsdb/dirsync: remove unused 'deletedattr' variable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:21 +01:00