Instead, we base our guest calculations on the presence or absence of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is not required any more now that they are the same structure,
and shows the value in having a common structure across the codebase.
In particular, now any additional state that needs to be added to the
auth_session_info will be transparently available across the named
pipe proxy, without a need to modify the mapping layer.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This makes auth3_session_info identical to auth_session_info
The logic to convert the info3 to a struct auth_user_info is
essentially moved up the stack from the named pipe proxy in
source3/rpc_server to create_local_token().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This ensures that the exact same token is used on both sides of the
pipe, when a full token is passed (ie, source3 to source3, but not yet
source4 to source3 as the unix info isn't calculated there yet).
If we do not have unix_token, we fall back to the old behaviour and go
via create_local_token(). (However, in this case the security_token
is now overwritten, as it is better to have it match the rest of the
session_info create_local_token() builds).
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This separation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear separation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this separation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
As auth_util.c is linked several times the static variables have
different addresses on different calls. This leads to segfaults.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Thu Jul 7 16:50:05 CEST 2011 on sn-devel-104
The previous behaviour was to attempt to do a reverse hostname lookup,
where enabled. This new behaviour matches the new behaviour in the
modules called by auth stack.
Andrew Bartlett
The only users I can find of this on the internet involve confused
users, and our own documentation recommends never setting this. Don't
confuse our users any longer.
Andrew Bartlett
These are in/out values and need to be initialized.
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Tue Jun 21 18:58:30 CEST 2011 on sn-devel-104
TDB2 returns a negative error number on failure. This is compatible
if we always check for < 0 instead of == -1.
Also, there's no tdb_traverse_read in TDB2: we don't try to make
traverse reliable any more, so there are no write locks anyway.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
r->out.buffer needs to stay in its size, as it will be marshalled completely.
As it's preallocated and initialized with zeros, we just need to copy
the payload into it, even if it's smaller than the offered buffer size.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jun 16 14:15:47 CEST 2011 on sn-devel-104
r->out.buffer needs to stay in its size, as it will be marshalled completely.
As it's preallocated and initialized with zeros, we just need to copy
the payload into it.
If we always marshall the return buffer, we already have the needed
buffer size and don't need to call ndr_size_* functions.
metze
And always initialize the whole return structure.
This caused samba3.posix_s3.rpc.svcctl to be flakey.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jun 16 11:34:34 CEST 2011 on sn-devel-104
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.
Andrew Bartlett
For me this fixes
==1950== Invalid read of size 4
==1950== at 0x81EBED5: GUID_equal (uuid.c:239)
==1950== by 0x81E51AB: ndr_syntax_id_equal (ndr_misc.c:35)
==1950== by 0x82EB0D1: get_iface_from_syntax (rpc_common.c:160)
==1950== by 0x82EB25E: get_pipe_name_from_syntax (rpc_common.c:179)
==1950== by 0x8509E4F: close_policy_by_pipe (rpc_handles.c:322)
==1950== by 0x8507941: close_internal_rpc_pipe_hnd (rpc_ncacn_np.c:109)
==1950== by 0x468270: _talloc_free_internal (talloc.c:826)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x80E6487: sam_trusted_domains (winbindd_samr.c:406)
==1950== Address 0x687ea4 is 20 bytes inside a block of size 40 free'd
==1950== at 0x58CDC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-x86-freebsd.so)
==1950== by 0x8507812: free_pipe_rpc_context_internal (rpc_ncacn_np.c:74)
==1950== by 0x8507936: close_internal_rpc_pipe_hnd (rpc_ncacn_np.c:106)
==1950== by 0x468270: _talloc_free_internal (talloc.c:826)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x467EE0: _talloc_free_internal (talloc.c:1268)
==1950== by 0x80E6487: sam_trusted_domains (winbindd_samr.c:406)
==1950== by 0x80C2F85: trusted_domains (winbindd_cache.c:2820)
==1950== by 0x80D5188: winbindd_dual_list_trusted_domains (winbindd_misc.c:162)
==1950== by 0x80E987F: wb_child_request_trigger (winbindd_dual.c:437)
==1950==
Andreas, Guenther, please check!
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Jun 5 13:19:39 CEST 2011 on sn-devel-104
The client tells us in the rpc bind to which rpc service it wants to
connect. We did set the p->syntax earlier by guessing to which pipe name
it connects, but we don't know to which rpc service it wants to bind
until we read the first packet.
This provides the 'sconn' parameter to this key functions, that
is currently duplicated in dummysmbd.c, which causes duplicate symbol
issues in the waf build.
This has naturally caused a number of consequential changes across the
codebase, including not passing a messaging context into initial
reload_services():
This causes problems because the global smbd_server_connection isn't
yet set up, as there isn't a connection here, just the initial
process.
Andrew Bartlett
With the recent consolidation of code between s3 and s4, a number of new
dependencies have been implicitly introduced. For example, previous s3
code gained an implicit dependency on talloc after the charset related
consolidation (lib/util/charset/charset.h now includes talloc.h). When
building against the embedded version of talloc this isn't a problem
since the paths are automatically added to the search path, but when
building against the external libraries build failures will occur for
all components that don't directly or indirectly include talloc as
a dependency.
Since charset.h is included from util.h, which in turn is included from
includes.h, this means most of the codebase (s3 and s4) has such an
undeclared dependency.
Therefore, samba-util-common and samba-util have been added as
dependencies to the s3 and s4 code respectively, for all cases where
the source would otherwise fail to build. Additionally, a few other
dependencies are added in specific wscript_build files to address
similar dependency-related problems.
https://bugzilla.samba.org/show_bug.cgi?id=8128
Signed-off-by: Sean Finney <seanius@seanius.net>
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed May 25 19:22:13 CEST 2011 on sn-devel-104
Don't allow pass_last_set_time to be set to zero (which means
"user must change password on next logon") if user object doesn't
allow password change.
Don't automatically allow user object password change if
"user must change password on next logon" is set.
Jim please check.
Jeremy.
This completes aae9353ecf.
directory_create_or_exist() is not needed cause create_pipe_sock() takes
care of setting up the directory correctly.
Andrew please check!
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Mon May 16 17:54:20 CEST 2011 on sn-devel-104
This way we can configure which rpc service we actually want to connect to.
By default it uses an "embedded" interface and calls rpc_pipe_open_internal()
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri May 13 14:40:26 CEST 2011 on sn-devel-104
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DENIED error.
We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.
Andrew Bartlett
This Heimdal function does not set the global state, and allows the
GSSAPI server to progress further when compiled against Heimdal (such
as in the top level build).
The ability to specify a keytab has been removed from the API as it is
unused, and the Heimdal function (avoiding setting global
variables) works with an open keytab.
Andrew Bartlett
This makes the startup of smbd in make test much quicker and thus more reliable
(cherry picked from commit f1aa38b414e97d8687d0bebf65baa384f75301b4)
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Apr 11 22:09:58 CEST 2011 on sn-devel-104
This changes auth_session_info_transport to just be a wrapper, rather
than a copy that has to be kept in sync.
As auth_session_info was already wrapped in python, this required
changes to the existing pyauth wrapper and its users.
Andrew Bartlett
Before an auth_serversupplied_info struct can be used for
authorization, the local groups and privileges must be calculated.
create_local_token() now copies the server_info, and then sets the
calculated token and unix groups.
Soon, it will also transform the result into an expanded struct
auth_session_info. Until then, the variable name (server_info vs
session_info) provides a clue to the developer about what information
has been entered in the structure.
By moving the calls to create_local_token within the codebase, we
remove duplication, and ensure that the session key (where modified)
is consistently copied into the new structure.
Andrew Bartlett
Properly initialize variables at each cycle.
Convert to the right error when returning EPMAPPER ones.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Thu Mar 24 20:43:49 CET 2011 on sn-devel-104
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104