IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This allows us to pass the new tests we just added.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If there were two consecutive occurrences of an ACL to be deleted, we
would miss the second one.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This means that encoding an ACE in string form will now match Windows.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
In future we need to pass in 3 sids to sddl_encode()
Once we pass in a machine_sid from the caller we need to
have a test on a Windows member if the .machine_rid values
really belong to the local machine sid.
At least [MS-DTYP] 2.4.2.4 Well-Known SID Structures
pretents "LA" and "LG" are relative to the local machine sid.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 20 10:53:41 UTC 2023 on atb-devel-224
We should walk the sid_codes array just once.
This makes further changes easier...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In future we'll need more than 'domain_sid' in order
to do the correct transition of SDDL to/from security_descriptor.
In the end we most likely add an
sddl_transition_{create,encode,decode}() api in order
to allow the caller to create an sddl_transition_state
once and then pass it to multiple calls to encode/decode.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This made sense before we used dom_sid_str_buf() in the DEBUG
statements.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
No need to recompile the world when only a few files need this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
To be used in smbXsrv_open.c, for this we need a lower bound.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Looks larger than it is, this just adds a parameter and while there
adapts long lines to README.Coding
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This is needed to pass up the "unparsed" part of the smb2 symlink
error response in unix charset form.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
[MS-FSCC] 2.1.2.4 Symbolic Link Reparse Data Buffer lists this field
as reserved, but [MS-SMB2] 2.2.2.2.1 Symbolic Link Error Response is
the exact same format with the reserved field as UnparsedPathLength.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This saves 70 bytes of .text, we don't need this on the stack.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Instead of checking protocol correctness in every highlevel routine,
we should rely on the lowerlevel one in smbXcli_base.c to give the
INVALID_PARAMETER error return when running on SMB1
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We don't return NULL if tevent_req_create() succeeded, and elsewhere
in this function we already pass tevent_req_nterror or
tevent_req_nomem (via set_endtime).
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Removed static flag from sddl_encode_ace and added to headers.
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Christian Merten <christian@merten.dev>
Fixed security_ace_equal returning true, despite differing object type, by checking (inherited) object type
of both ACEs is equal.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The server will only return this if the client requested in via
smbXcli_negprot_send()'s in_ctx parameter. This adds knowledge about
SMB2_CREATE_TAG_POSIX to smbXcli_base.c with a function to query
it. The alternative would have been to detect this in the caller, but
this would have meant that we also would need a
smbXcli_conn_set_have_posix() function or something similar.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>