mirror of https://github.com/samba-team/samba.git synced 2025-07-28 11:42:03 +03:00
Commit Graph

19050 Commits

Author SHA1 Message Date
6dc41bf27c s4:provision Make the --ol-slapd parameter take the full path to slapd 2009-08-12 10:01:48 +10:00
f0decfe5c2 s4:provision Assume the OpenLDAP backend can find its own modules 2009-08-12 10:01:48 +10:00
28bcdf5266 s4:provision Rework and further automate setup of OpenLDAP backend
Here's the summary of all changes/extensions:

- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional

- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
It's also used for olc-conversion

- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.

- if ldapsearch was not successful (no slapd listening on our socket),
slapd is started via special generated slapdcommand_prov (ldapi_uri only)

- slapd-"provision-process" startup is done via Python's subprocess.

- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.

- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if they are unique, slapd.pid will be read out, and the
slapd "provision"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everything's
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt)

- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
2009-08-12 10:01:48 +10:00
e13c14e7e4 s4:torture Add test for the NTP signd server
This is used by a patch to the NTP project to supply authenticated
time as required by MS-SNTP. (ie, to keep windows clients in time sync
in the domain)

Andrew Bartlett
2009-08-11 18:22:12 +10:00
aa6dc21fa3 s4: Add a new script for setting password properties for a domain in an easier way 2009-08-07 17:21:58 +02:00
aef96af916 s4:libcli/smb2: move SMB2_GETINFO_* flags into smb2_constants.h
metze
2009-08-07 14:56:23 +02:00
acbb9da530 s4:libcli/smb2: remove unused and redundant SMB2 security flags
metze
2009-08-07 14:56:23 +02:00
c2c4d489b6 s4:libcli: move SMB2 Find constants to smb2_constants.h
metze
2009-08-07 14:56:22 +02:00
21d6f276fb s4:libcli/raw: we don't need to include "smb.h" explicitly
metze
2009-08-07 14:56:22 +02:00
93ec5d27e4 s4:libcli/raw: also include smb2_constants.h into interfaces.h
metze
2009-08-07 14:56:21 +02:00
7c2025610c fixed another ambiguous talloc call
During the creation of the 3 RPC pipes in winbind we try to steal the
RPC binding structure to be a child of the pipe once the pipe is
established. This fails with a talloc warning as the rpc connection
code already holds a reference to the binding.

The fix is to use talloc_reparent() instead.
2009-08-07 17:24:48 +10:00
c271dc998b ensure that child tasks die when the parent dies
Previously we relied on process groups and SIGTERM to ensure that
child tasks died in the standard process model when the parent task
died. This doesn't work when the server is run in interactive mode, as
in that case we don't call become_daemon() and don't get a separate
process group.

The fix is to have a pipe held open by the parent server process, and
inherited by child tasks. If the parent exits then the write side of
the pipe is implicitly closed, which causes an event in the child
tasks that causes them to exit
2009-08-07 17:24:48 +10:00
cfc0cabb27 prime the sam ldb schema in the parent samba process
While testing the use of the standard process model with 'make test' I
found that testing was much slower (by several times) with the
standard model than with the single model. The primary problem was
that each SMB connection would open a new sam ldb context, and all of
those would reload the full AD schema.

The fix is to pre-open the SAM during server startup, before any child
processes are forked. This sets up the global schema context which is
inherited by all connections.

The standard model is still slower at make test than the single model,
but not by nearly as much. I am working on further reducing the gap.
2009-08-07 17:24:48 +10:00
2c12c985e7 use talloc with the global schema consistently
Before this change, the first opener of the sam ldb context would
become the owner of the global schema, then the autofree context got a
reference to the schema. Any subsequent opens of the sam ldb also got
a reference. This meant that the talloc hierarchy was inconsistent
between the first sam ldb open and subsequent opens. With this change
the autofree context becomes the owner of the global schema, and all
ldb contexts get a reference.
2009-08-07 17:24:48 +10:00
e2d4ae1510 fixed several places that unnecessarily take a reference to the event context
These references were triggering the ambiguous talloc_free errors from
the recent talloc changes when the server is run using the 'standard'
process model instead of the 'single' process model. I am aiming to
move the build farm to use the 'standard' process model soon, as part
of an effort to make our test environment better match the real
deployment of Samba4.

The references are not needed as the way that the event context is
used is as the 'top parent', so when the event context is freed then
all of the structures that were taking a reference to the event
context were actually freed as well, thus making the references
redundant.
2009-08-07 17:24:48 +10:00
4aad79041b make sure we never look past the end of either string in ldb_comparison_fold()
This fixes a bug in the samba3sam test with the python libraries as
noticed by abartlet
2009-08-07 14:34:01 +10:00
dd557cc361 s4:ldb Make error message in rnd_name more useful 2009-08-07 14:22:54 +10:00
37b8235afe Merge branch 'master' of ssh://git.samba.org/data/git/samba into master-devel 2009-08-07 13:08:35 +10:00
11ff224e13 s4:setup Remove extra newlines that break OpenLDAP backend 2009-08-07 12:38:51 +10:00
09e9904f18 s4 torture: Extend the RAW-RENAME test to more fully test directory renames.
The existing test was only covering files opened underneath the
directory that was being renamed.  It is not uncommon for windows
clients to actually hold a read-only handle to a directory open across
the rename, which it turns out doesn't return NT_STATUS_ACCESS_DENIED.
Additionally, holding a handle open to a stream on the directory is
also allowed.
2009-08-06 17:07:49 -07:00
915b789c87 s4: Simplify two lines in the "samdb.py" file (cosmetic) 2009-08-06 12:35:47 +02:00
1ce36ed747 s4:enableaccount script: Remove a redundant line 2009-08-06 12:34:56 +02:00
740a40e74e Revert "deliberately break the build"
This reverts commit 57da47c1bd.

The build emails do work :-)
2009-08-06 11:36:52 +10:00
57da47c1bd deliberately break the build
I want to make sure that the build breakage emails are now working
correctly
2009-08-06 11:25:29 +10:00
64e2b859d2 s4:heimdal: import lorikeet-heimdal-200908052208 (commit 370a73a74199a5a55188340906e15fd795f67a74)
This removes some of the portability changes made to code under
heimdal/

If these are still required, then we will re-add them with code under
heimdal_build/ (so that we can simply 'drop in' future heimdal
releases).

Andrew Bartlett
2009-08-06 08:44:53 +10:00
39b0158373 s4:ldb Cosmetic corrections in "rdn_name" module 2009-08-05 20:28:05 +02:00
3854b5e614 changed BCC handling for SMBwriteX to handle broken MacOSX client
see bug #6610

The MacOSX SMB client sets the BCC value in SMBwriteX calls to zero
instead of the correct size. Checking against WindowsXP, I've found
that Windows uses the maximum of the computed buffer size and the
given BCC value. I've changed Samba4 to do the same to allow MacOSX to
work.

I've limited this change to non-chained packets to ensure we don't get
the possibility of exploits based on overlapping chained requests
2009-08-05 20:24:01 +10:00
67b6f5784a on buffer overflow windows gives SMBSRV:ERRerror here 2009-08-05 20:24:00 +10:00
cc74f21324 s4:torture The test logic for the target was wrong. This should correct it. 2009-08-05 10:48:25 +02:00
996a2054fb s4:heimdal_build: define HEIMDAL_LOCALEDIR
metze
2009-08-05 10:12:19 +02:00
f224089138 s4:ldap_server: make sure we shutdown the tls socket before stream_terminate_connection() removes the fd event
This fixes a crash bug where tls_destructor() relies on the fd event still being there.

metze
2009-08-05 10:10:14 +02:00
e2ed5029e9 s4:torture Remove some unwanted code in the LDAP test - hope this fixes up the test failures 2009-08-05 09:53:55 +02:00
00a8ff5fe9 fixed a problem with group policy writes causing policy corruption
This bug was caused by two things:

  1) in the unix ACL mapping, we were not taking into account group
  write permissions for the SEC_STD_DELETE flag

  2) when a file is created using OVERWRITE mode, a fchmod() would
  fail if the user is not the file owner. We resolve that by only
  doing the fchmod() if the mapped file attribute does not match the
  desired file attribute
2009-08-05 17:51:58 +10:00
ddd13c6816 handle large directories in smb2_deltree() 2009-08-05 15:05:13 +10:00
cd1d7f4be7 s4:heimdal: import lorikeet-heimdal-200908050050 (commit 8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's
unconditional enabling of SQLITE.

(Very reasonable, but not required for Samba4's use).

Andrew Bartlett
2009-08-05 12:18:17 +10:00
8bba340e65 s4 now supports the large readx extension 2009-08-05 12:08:30 +10:00
15a6a93d35 fixed the sense of the pvfs_acl uwrap check 2009-08-05 12:08:30 +10:00
46bd2271b2 pyldb: Fix reference counting on ldb_message_elements, add extra type
check.
2009-08-05 03:44:25 +02:00
88d206070d skip the readbraw tests if the server does not support it
This allows the RAW-READ test to pass against w2k8
2009-08-05 11:32:01 +10:00
58e5e1ea8d make the UID_WRAPPER skip checks at runtime
This fixes two issues pointed out by Andrew. It adds a runtime
uwrap_enabled() call that wraps the skips needed for uid emulation. It
also makes the skip in the directory_create_or_exist() function only
change the uid checking code, not the permissions code
2009-08-05 11:21:06 +10:00
fd43e0ee09 added a uid_wrapper library
This library intercepts seteuid and related calls, and simulates them
in a manner similar to the nss_wrapper and socket_wrapper
libraries. This allows us to enable the vfs_unixuid NTVFS module in
the build farm, which means we are more likely to catch errors in the
token manipulation.

The simulation is not complete, but it is enough for Samba4 for
now. The major areas of incompleteness are:

 - no emulation of setreuid, setresuid or saved uids. These would be
   needed for use in Samba3

 - no emulation of ruid changing. That would also be needed for Samba3

 - no attempt to emulate file ownership changing, so code that (for
   example) tests whether st.st_uid matches geteuid() needs special
   handling
2009-08-05 10:51:00 +10:00
3e3f64f05f s4:ldb initialise e->values[i].length before use in python bindings 2009-08-05 10:35:45 +10:00
43aa546ecc s4:dsdb Don't cast an ldb_val into a const char * for schema lookups
This removes a number of cases where we did a cast into a const char *
of an ldb_val.  While convention is to always have an extra \0 at
data[length] in the ldb_val, this is not required, and does not occur
at least on build farm host 'svart'.

Andrew Bartlett
2009-08-05 08:56:06 +10:00
38ff5906b3 s4: make install: prevent overwriting failure
We don't have to remove the eventual write privileges to enable the execute ones.
2009-08-04 19:02:42 +02:00
0e87f07fc0 s4: Change my nested groups patch to not include user's SID itself in the "groupSID"s structure 2009-08-04 17:21:39 +02:00
f050c500f1 s4:torture Make RPC-NETLOGON pass against ncaclrpc servers
The original patch didn't cope with a NULL target server name - we now key off that to decide it isn't worth checking against LDAP for this host.

I still can't get this to pass against Windows 2008, but mdw was
testing against Windows 2008R2.  at least 'make test' is happy, and
the rest should not be too hard...

Andrew Bartlett
2009-08-04 18:24:37 +10:00
dac8aabb55 Add const 2009-08-04 16:11:55 +10:00
d7b39a353a s4:ldif_handlers Allow a binary nTsecurityDescriptor when parsing LDIF
Also allow a SDDL security descriptor, using the domain SID attached
to the session (it will search for it during the LDIF parse if need
be).

Andrew Bartlett
2009-08-04 16:10:39 +10:00
9b02d23914 s4:netlogon Fix warnings and segfault in GetDomainInfo call
- Correctly use samdb_search_string to do a 'base' search
   (this needs a NULL, not a "" argument for the format string)

 - There is no need (and it caused a security hole) to use
   talloc_asprintf() with the only argument being the string to
   duplicate.

Andrew Bartlett
2009-08-04 16:10:39 +10:00
1937ab3668 Merge branch 'master' of ssh://git.samba.org/data/git/samba 2009-08-04 16:02:23 +10:00