summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-12-03s3:winbindd: add idmap_find_domain_with_sid()Michael Adam2-0/+18
This will return the passdb domain if the given sid is in our sam or builtin or is the domain sid of those domains. Otherwise it returns the idmap domain that results from the idmap configuration. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()Michael Adam1-3/+3
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03selftest:Samba3: provision the domain adminstrators group in the s3 environmentsMichael Adam1-1/+7
I discovered that this sid / mapping is missing by working with the Sids2Uids code and test. I do even wonder why this test could succeed prior to my pending changes to the winbindd sids-to-xids code, for example against the s3:local environment, since the test tries to map the sid <domsid>-512. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->childMichael Adam3-5/+8
This implicitly also hands the type of the resulting unix-id that the idmap backend has created back to the caller. This is important for backends that would set a broader type than the requested one, e.g. rid backend returning BOTH instead of UID or GID. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()Michael Adam1-0/+3
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()Michael Adam1-0/+5
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gidMichael Adam1-2/+16
The main purpose of the change is to hand the sid into the idmap backend and handle responsiblity for handling the sid-type correctly to the idmap backend instead of failing directly when the sid is not of group type. Hence backends like rid who are sid-type agnostic, can return gids also for sids of other types. This is an important fix to make sid_to_gid behave the consistently with and without the presence of cache entries. We need to additionally filter the result for id type GID or more general (BOTH) to keep the behaviour. This is a step towards using only one codepath to id_mapping. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uidMichael Adam1-2/+16
The main purpose of the change is to hand the sid into the idmap backend and handle responsiblity for handling the sid-type correctly to the idmap backend instead of failing directly when the sid is not of type user. Hence backends like rid who are sid-type agnostic, can return uids also for sids of other types. This is an important fix to make sid_to_uid behave the consistently with and without the presence of cache entries. We need to additionally filter the result for id type UID or more general (BOTH) to keep the behaviour. This is a step towards using only one codepath to id_mapping. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: factor winbindd_sids_to_xids into external and internal partMichael Adam5-165/+286
- external part takes winbindd request/reponse structs (with sid strings) - internal part takes sid lists The new internal part implements functions wb_sids2xids_* that are moved into the new module wb_sids2xids.c. The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid. We should just have one code path into id mapping and not several that behave differently. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()Michael Adam1-4/+4
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: add explaining comment winbindd_sids_to_xids_send()Michael Adam1-0/+5
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: factor lsa_SidType_to_id_type() out of ↵Michael Adam1-14/+25
winbindd_sids_to_xids_lookupsids_done() for readability Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.Michael Adam1-40/+25
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s3:winbindd:util: add a comment explaining the function parse_sidlist()Michael Adam1-0/+9
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()Stefan Metzmacher1-1/+4
This allows the caller to ask for a security.descriptor instead of sddl by passing 'as_sddl=False'. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03s4:python/ntacl: allow string or objects for sd/sid in setntacl()Stefan Metzmacher1-3/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03s4:samba-tool/gpo: fix the operation order when creating gposStefan Metzmacher1-13/+20
We should do it like the windows GUI. 1. create the LDAP objects 2. query the security_descriptor of the groupPolicyContainer 3. create the gPCFileSysPath via smb 4. set the security_descriptor of gPCFileSysPath 5. copy the files and directories into gPCFileSysPath 6. modify the groupPolicyContainer and link gPCFileSysPath Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gposStefan Metzmacher1-4/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03s4:samba-tool/gpo: use the dns_domain from the server when creating gposStefan Metzmacher1-2/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s4:libcli/finddcs_cldap: allow io->in.server_address as hostnameStefan Metzmacher1-3/+58
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s4:libcli/finddcs_cldap: try all NBT#1C addressesStefan Metzmacher1-12/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s3:smbcacls: add --query-security-info and --set-security-info optionsStefan Metzmacher1-10/+55
This allows the caller to specify the security_information flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flagsStefan Metzmacher2-16/+49
In order to set and get security_descriptors it's important to specify the sec_info flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02libcli/security: remove duplicate aces in se_create_child_secdesc()Stefan Metzmacher1-0/+34
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a ↵Stefan Metzmacher1-0/+54
group Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s3:smbd/open: try the primary sid (user) as group_sid if the token has just ↵Stefan Metzmacher1-1/+5
one sid Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s3:smbd/open: use Builtin_Administrators as owner of files (if possible)Stefan Metzmacher1-4/+41
We do this if the idmap layer resolves Builtin_Administrators as ID_TYPE_BOTH and if the current token has the Builtin_Administrators SID or it's SYSTEM. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-02s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flagsStefan Metzmacher1-0/+44
A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/tests: add SdAutoInheritTestsStefan Metzmacher1-1/+83
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104
2012-11-30s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for ↵Stefan Metzmacher1-2/+70
replicated changes We only do so if the replicated object is not deleted. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)Stefan Metzmacher1-3/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)Stefan Metzmacher1-1/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()Stefan Metzmacher1-0/+29
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-8/+395
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2-0/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher1-5/+67
This can only be triggered by ourself, that's why we expect control->data == module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+16
The propagation of nTSecurityDescriptor doesn't change the replProperyMetaData. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher1-0/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2-0/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)Stefan Metzmacher1-0/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)Stefan Metzmacher1-3/+11
Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/subtree_delete: do an early return and avoid some nestingStefan Metzmacher1-24/+28
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass: do not pass the callers controls on helper searchesStefan Metzmacher1-1/+1
We add AS_SYSTEM and SHOW_RECYCLED to the helper search, don't let the caller specify additional controls. This also fixes a problem when the caller also specified AS_SYSTEM. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given ↵Stefan Metzmacher1-0/+12
(bug #7711) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: remove unused 'deletedattr' variableStefan Metzmacher1-2/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACLStefan Metzmacher1-0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to ↵Stefan Metzmacher1-0/+2
DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributesStefan Metzmacher1-5/+36
The @KLUDGEACL record might not be uptodate. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on ↵Stefan Metzmacher1-0/+3
modify Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>