IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We have already dereferenced call->conn in a variable, use that.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Avoid a malloc, we allocate PATH_MAX chars on the stack elsewhere too
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
idmap_hash used to bounce back the requested type,
which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED
before as the winbindd parent always used a lookupsids.
When the lookupsids failed because of an unknown domain,
the idmap child weren't requested at all and the caller
sees ID_TYPE_NOT_SPECIFIED.
This module should have supported ID_TYPE_BOTH since
samba-4.1.0, similar to idmap_rid and idmap_autorid.
Now that the winbindd parent will pass ID_TYPE_BOTH in order to
indicate that the domain exists, it's better to always return
ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID
or ID_TYPE_BOTH. In order to request a type_hint it will return
ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that
the parent at least assures that the domain sid exists.
And the caller still gets ID_TYPE_NOT_SPECIFIED if the
domain doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184
Some very old NT4 DCs might have not returned the account flags filled in. This
shouldn't be a problem anymore. Additionally, on a typical domain member server,
this request is (and can only be) send to the primary domain, so this will not
work with accounts from trusted domains.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184
Under the following conditions a user from an ignored domain might be able to
authenticate:
- using Kerberos
- successfully previous authentication so the idmap and name caches are filled
- winbind not running (fwiw, winbindd is mandatory on a domain member)
- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
because getpwnam fails)
- lookup_name() function being modified to look into the name cache before
contacting winbindd. Currently it talks directly to winbindd and that will
check the cache.
Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).
All of this makes a successfull authentication unlikelly, but that is more by
accident then by design.
To ensures that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lp_load_global() will overwrite whatever we've set with lp_set_logfile().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
In preperation of forwarding MSG_SMB_CONF_UPDATED to all childs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
For some reason the join fails to register the DNS records when provisioning the
member env:
Using short domain name -- SAMBA2008R2
Joined 'IDMAPADMEMBER' to dns domain 'samba2008r2.example.com'
DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED
At the same time the hosts file used by the wrappers contains the wrong fqdn. As
a result the test that the next commit is going do add fails due do the broken
DNS resolution:
...
UNEXPECTED(failure): samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_ok_krb5(ad_member_idmap_ad:local)
REASON: Exception: Exception: do_connect: Connection to idmapadmember.samba2008r2.example.com failed (Error NT_STATUS_UNSUCCESSFUL)
...
Checking DNS in the testenv, first the working record for the main DC:
testenv$ dig @10.53.57.64 dc7.samba2008r2.example.com +short
10.53.57.27
testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com dc7 A -U Administrator%locDCpass7
Name=, Records=1, Children=0
A: 10.53.57.27 (flags=f0, serial=1, ttl=900)
Now the failing idmapadmember:
testenv$ dig @10.53.57.64 idmapadmember.samba2008r2.example.com +short
testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com idmapadmember A -U Administrator%locDCpass7
ERROR: Record or zone does not exist.
Fixing the hosts file lets the tests work, fixing the broken DNS record
registration is a task for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Remove the temp solution added to syncops_mkdirat()
as we now have a generic fix.
Missed in my original fixes.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
The key is that we return a fake_fd to the caller and only open
the '._' file in the background.
The next vfs backend should only see the fsp from
adouble_open_from_base_fsp, while the vfs backends above
should only see the fake_fd.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jan 21 14:47:53 UTC 2021 on sn-devel-184
This will make it easier to hide some fsp extension later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
That hopefully makes the check that ':AFP_Resource' can't
be created on directories.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
For now we only support ADOUBLE_RSRC, but that might change in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Up to now we only passed in stream fsp, but that will change shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This situation should never happen!
The known trigger is fixed with the change to adouble_open_rsrc_fsp()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
"._" AppleDouble files are hidden by vfs_fruit by default, so there's no
need to go through a full SMB_VFS_CREATE_FILE() for them.
They don't need an smbXsrv_open_global.tdb entry nor a locking.tdb
entry, so we just open them with fd_openat().
This avoids a recursion deadlock in get_share_mode_lock() when closing
the ':AFP_Resource' stream.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 19 16:15:21 UTC 2021 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jan 17 05:48:14 UTC 2021 on sn-devel-184
