1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

21 Commits

Author SHA1 Message Date
Andrew Tridgell
cc55aef7c1 r4547: - added talloc_new(ctx) macro that is a neater form of the common talloc(ctx, 0) call.
- cleaned up some talloc usage in various files

I'd like to get to the point that we have no calls to talloc(), at
which point we will rename talloc_p() to talloc(), to encourage
everyone to use the typesafe functions.
(This used to be commit e6c81d7c9f)
2007-10-10 13:08:20 -05:00
Stefan Metzmacher
b5b1c52a98 r4419: move security_token stuff to the libcli/security/
and debug privileges

metze
(This used to be commit c981808ed4)
2007-10-10 13:07:47 -05:00
Andrew Tridgell
6ca874f71a r4147: converted from NT_USER_TOKEN to struct security_token
this is mostly just a tidyup, but also adds the privilege_mask, which
I will be using shortly in ACL checking.

note that I had to move the definition of struct security_token out of
security.idl as pidl doesn't yet handle arrays of pointers, and the
usual workaround (to use a intermediate structure) would make things
too cumbersome for this structure, especially given we never encode it
to NDR.
(This used to be commit 7b446af09b)
2007-10-10 13:06:31 -05:00
Andrew Tridgell
6895228b5c r3982: split out the sid -> uid/gid mapping routines into a ntvfs_sidmap
subsystem. This is in preparation for adding better default ACL
generation in pvfs, which will require uid/gid -> sid mapping.
(This used to be commit b31108e492)
2007-10-10 13:06:11 -05:00
Andrew Tridgell
bc7b4abc3a r3832: added NT ACL query/set to the posix NTVFS backend. The default ACL is
based on the current nttoken, which is completely wrong, but works as a start.

The ACL is stored in the xattr system.DosAcl, using a NDR encoded IDL
union with a version number to allow for future expansion.

pvfs does not yet check the ACL for file access. At the moment the ACL
is just query/set.

We also need to do some RPC work to allow the windows ACL editor to be
used. At the moment is queries the ACL fine, but displays an error
when it fails to map the SIDs via rpc.
(This used to be commit 3a1f20d874)
2007-10-10 13:05:57 -05:00
Jelmer Vernooij
31ded4901b r3737: - Get rid of the register_subsystem() and register_backend() functions.
- Re-disable tdbtool (it was building fine on my Debian box but other
					machines were having problems)
(This used to be commit 0d7bb2c40b)
2007-10-10 13:05:48 -05:00
Jelmer Vernooij
8e16d8a76f r3733: More build system fixes/features:
- Use .mk files directly (no need for a SMB_*_MK() macro when adding a new SUBSYSTEM, MODULE or BINARY). This allows addition of new modules and subsystems without running configure
 - Add support for generating .dot files with the Samba4 dependency tree (as used by the graphviz and springgraph utilities)
(This used to be commit 64826da834)
2007-10-10 13:05:47 -05:00
Jelmer Vernooij
71db46ea66 r3586: Fix some of the issues with the module init functions.
Both subsystems and modules can now have init functions, which can be
specified in .mk files (INIT_FUNCTION = ...)

The build system will define :
 - SUBSYSTEM_init_static_modules that calls the init functions of all statically compiled modules. Failing to load will generate an error which is not fatal
 - BINARY_init_subsystems that calls the init functions (if defined) for the subsystems the binary depends on

This removes the hack with the "static bool Initialised = " and the
"lazy_init" functions
(This used to be commit 7a8244761b)
2007-10-10 13:05:36 -05:00
Andrew Tridgell
c870ae8b89 r3528: added support for the SMBntcancel() operation, which cancels any
outstanding async operation (triggering an immediate timeout).

pvfs now passes the RAW-MUX test
(This used to be commit 3423e2f414)
2007-10-10 13:05:28 -05:00
Andrew Tridgell
aa34fcebf8 r3466: split out request.h, signing.h, and smb_server.h
(This used to be commit 7c4e6ebf05)
2007-10-10 13:05:17 -05:00
Andrew Tridgell
2df2d1b67f r3461: another place where "open" was used as a structure element
(This used to be commit 1087ea830e)
2007-10-10 13:05:16 -05:00
Andrew Tridgell
edbfc0f6e7 r3453: - split out the auth and popt includes
- tidied up some of the system includes

- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
  knows about inter-IDL dependencies
(This used to be commit 7b7477ac42)
2007-10-10 13:05:13 -05:00
Stefan Metzmacher
fbb44e9616 r3290: allow SID_ANONYMOUS ( "S-1-5-7" ) to be the users sid
metze
(This used to be commit 177afd4855)
2007-10-10 13:04:51 -05:00
Andrew Bartlett
f7c6a9438d r3185: Machines can login with krb5, so we need to allow them to map to a unix account.
Andrew Bartlett
(This used to be commit fbe932ddd4)
2007-10-10 13:04:38 -05:00
Andrew Tridgell
142d295aa8 r3039: This solves the problem of async handlers in ntvfs backends not being
in the right state when called. For example, when we use the unixuid
handler in the chain of handlers, and a backend decides to continue a
call asynchronously then we need to ensure that the continuation
happens with the right security context.

The solution is to add a new ntvfs operation ntvfs_async_setup(),
which calls all the way down through the layers, setting up anything
that is required, and takes a private pointer. The backend wanting to
make a async calls can use ntvfs_async_setup() to ensure that the
modules above it are called when doing async processing.
(This used to be commit a256e71029)
2007-10-10 13:00:01 -05:00
Andrew Tridgell
e81230df4b r3024: run the *_connect() NTVFS initialisation operation as root, to allow
backends to open databases and perform any other privileged
operations that might be needed.
(This used to be commit 54fd395025)
2007-10-10 12:59:59 -05:00
Andrew Tridgell
59d3259171 r2934: - changed the unixuid module to use the nt_user_token instead of the server supplied info structure.
- added SID_WORLD and SID_NETWORK to the foreign sids in the
  provisioning, as these are auto-added to the nt_user_token (why is
  that done? Andrew?)
(This used to be commit 1dff12fba8)
2007-10-10 12:59:49 -05:00
Andrew Tridgell
ca23572f70 r2930: added a security context cache to the unixuid module. The module
doesn't actually leave us in the requested sec context between
requests yet, but it does prevent us from doing the samdb lookup on
every packet.

This change speeds up the BASE-MANGLE test against Samba4 with 5000
operations from 61 seconds to 16 seconds. For reference, Samba3 takes
27 seconds for the same test (the string and filename handling in
Samba4 is much more efficient than Samba3)
(This used to be commit da0481ac75)
2007-10-10 12:59:49 -05:00
Andrew Tridgell
fe3294f7f0 r2803: allow unixuid module to work with foreign security principles
(This used to be commit f522728728)
2007-10-10 12:59:35 -05:00
Andrew Tridgell
c5722fb81b r2796: - changed ldap attributes "UnixID" to "unixID" and "UnixName" to "unixName" to be more ldap traditional
- register the unixuid module as all 3 ntvfs backend types, as it doesn't care what type of backend
  it filters
(This used to be commit cd43def6ce)
2007-10-10 12:59:34 -05:00
Andrew Tridgell
5a872512b0 r2794: a very simple version of the unixuid NTVFS pass-thru module. In
conjunction with the posix backend this gives us a way to correctly
setup the unix security context in Samba4.

I chose the following method to determine the unix uid's and gid's to
use given the list of SIDs from the login process

 - look for a "UnixID" field in the sam record. If present, then use it
   (check if the record is of the right type as well)

 - if UnixID is not present, then look for the "UnixName" sam
   field. If it is present then use getpwnam() or getgrnam() to find
   the unix id.

 - if UnixID and UnixName are not present, then look for a unix
   account of the right type called by the same name as the sAMAccountName field.

 - if none of the above work then fail the operation with NT_STATUS_ACCESS_DENIED

obviously these steps only work well with a local SAM. It will need to
be more sophisticated in future.

I did not put any cache in place at all. That will need to be added
for decent performance.
(This used to be commit 78b67d19b9)
2007-10-10 12:59:34 -05:00