sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-18 17:57:55 +03:00
Code
83,640 Commits 62 Branches 1,152 Tags
Commit Graph

83640 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefan Metzmacher
b3486f4e1a s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
74e3f0ea0a s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename} 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
4136d969ca s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd 
The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
118db4ca11 s4:provision: add get_empty_descriptor() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
7a3e4d04c7 s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
c2c715f9c9 s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
990448b499 s4:dsdb/acl_read: enable acl checking on search by default (bug #8620) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
fa676769e0 s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor 
We need to base the access mask on the given SD Flags.
Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY,
which could lead to INSUFFICIENT_RIGHTS when we should
have been allowed to read.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
ca3c0e28ef s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
53b100bb59 s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor 
The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
95b480fd98 s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" is set 
In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
3d57f17db9 s4:dsdb/acl: remove unused "acl:perform" option 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
329afc1a20 s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
42898590bb s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add 
See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
f018772e0c s4:dsdb/descriptor: make use of dsdb_request_sd_flags() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
67045fafe8 s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor 
If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
690b5e1161 s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
2916313f80 s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
1cdecf1234 s4:dsdb/acl_util: do helper searches AS_SYSTEM 
The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
8d900d06ff s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:20 +01:00
Stefan Metzmacher
659277a89d s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
844b736a1d s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED 
Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a882b41d44 s4:dsdb/rootdse: do helper searches AS_SYSTEM 
As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
964d96d2c3 s4:dsdb/rootdse: remove unused variable 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Michael Adam
4970d3cacb s4:tests/samba_tool/gpo.py: fix accidential line break 
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a581242080 s4:tests/samba_tool/gpo.py: add test_show_as_admin() 
This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
325e921908 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
67799962b8 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6bffad67d2 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
f843c04b0f s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
8563348a01 s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF 
A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6991fb385e s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
7fe1e61ab9 s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_root 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Stefan Metzmacher
ac9bd1e63a s4:dsdb/schema_data: fix debug message in schema_data_modify() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2012-11-30 17:17:19 +01:00
Michael Adam
8f3f38ece4 ldb: fix a typo in the comment for ldb_req_is_untrusted() 
Signed-off-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov 30 15:44:46 CET 2012 on sn-devel-104
 2012-11-30 15:44:46 +01:00
Michael Adam
06e1fca044 libnet: Fix a typo in dbsync error message. 
Signed-off-by: Michael Adam <obnox@samba.org>
 2012-11-30 14:02:54 +01:00
Andreas Schneider
7a429367a9 libnet: Fix copy and paste error in dbsync error message. 2012-11-30 14:02:53 +01:00
Andreas Schneider
f3d5d14906 torture: Fix copy and paste error in debug message. 
Found by Coverity.
 2012-11-30 14:02:53 +01:00
Andreas Schneider
1b170c29bc torture: Fix copy and paste error. 
Found by Coverity.
 2012-11-30 14:02:53 +01:00
Andreas Schneider
aa7f406317 s3-reg: Fix copy and paste error in debug message. 
Found by coverity.
 2012-11-30 14:02:53 +01:00
Stefan Metzmacher
234f9365b9 s3:popt_common: Fix password processing. 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 30 14:01:08 CET 2012 on sn-devel-104
 2012-11-30 14:01:07 +01:00
Stefan Metzmacher
3101fcccff s3:util: fix usage of popt_burn_cmdline_password() 
We should only call popt_burn_cmdline_password() after poptFreeContext(),
otherwise we remove the password to early.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:50:03 +01:00
Günther Deschner
4a73adf6e5 s3-winbind: use new reconnect logic in rpc_lookup_sids() also. 
Volker, please check.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:56 +01:00
Günther Deschner
7a49c96693 s3-winbindd: rework reconnect logic in winbindd_lookup_names(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:53 +01:00
Günther Deschner
cd51774316 s3-winbindd: rework reconnect logic in winbindd_lookup_sids(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:50 +01:00
Günther Deschner
82ace10492 s3-winbindd: remove lookup_sids_fn_t. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:47 +01:00
Günther Deschner
d9243815b4 s3-winbindd: remove lookup_names_fn_t. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:44 +01:00
Günther Deschner
3c486dfee4 s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:41 +01:00
Günther Deschner
2d38154f91 s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:38 +01:00
Günther Deschner
7bd9a3b86f s3-winbindd: add cm_connect_lsat(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2012-11-30 11:49:34 +01:00