summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-11-12s3:winbind: BUG 9386: Failover if netlogon pipe is not available.Andreas Schneider1-13/+39
Samba continues to query a broken DC while the DC did not finish to rebuild Sysvol (after a Windows crash, for example). It causes end users to received strange codes while trying to authenticate, even if there is a secondary DC available. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
2012-11-12Use work around for 'winbind use default domain' only if it is setSumit Bose1-1/+2
Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator character is always added to the user name returned by Get_Pwnam_alloc() if it does not contain the winbind separator character. As comments in the code indicates this is done as a work around if 'winbind use default domain' is set to yes in the samba configuration. This make sense if the option is set because otherwise the domain information is lost from the user name. But it causes errors if other services than winbind are used for user lookup, e.g. sssd. sssd can handle different kind of fully qualified user names as input, e.g. user@domain.name or DOM\user, but returns a canonical name, by default user@domain.name. While it would be possible to get around this issue with a special configuration either on the sssd or samba side I think the cleaner solution is to use the work around only if 'winbind use default domain' is set to yes which is what this patch does. Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
2012-11-12ntp_signd: Only allow group access to the ntp signd directory.Andrew Bartlett1-1/+1
Existing installations running ntp as group 'ntp' will need to change the permissions on the ntp_signd socket directory (eg PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd) The reason is that allowing other users on the host access to this directory would allow them to potentially spoof time on the network, or attack the password database with a chosen plaintext attack. Permissions should be changed to: ownership root:ntp (if ntp runs as gid ntp) mode 0750 (this is what it will be created as) If the permissions are not changed, Samba will refuse to start the ntp_signd server, and NTP operations will not be signed. As the error is declared fatal, in the future, Samba may totally refused to start. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Nov 12 12:36:30 CET 2012 on sn-devel-104
2012-11-12ntp_signd: move socket directory to var/lib not var/run for permissions changeAndrew Bartlett1-2/+2
With the next patch, this becomes a socket directory on which we must maintain administrator-specified permissions we will need to move it away from directories that wipe at boot. This means the ntp.conf will need to change from (eg) ntpsigndsocket /usr/local/samba/var/run/ntp_signd/ to ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-12s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS ↵Stefan Metzmacher1-0/+4
(bug #8620) Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
2012-11-12s4:dsdb/acl_read: fix whitespace formatting errorsStefan Metzmacher1-124/+128
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: only give administrators access to attributes marked as ↵Stefan Metzmacher1-0/+87
confidential (bug #8620) The full fix will to implement and use the code of the read_acl module, but this is better than nothing for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: reorganize the logic flow in the password filtering checksStefan Metzmacher1-54/+92
This avoids some nesting levels and does early returns. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: fix search filter cleanup for password attributesStefan Metzmacher1-1/+1
We need to this when we're *not* system. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12selftest: Avoid test cross-contamination in samba.tests.posixaclAndrew Bartlett1-81/+59
This creates a new xattr.tdb per unit test, which avoids once and for all the issue of dev/inode reuse. For test_setposixacl_dir_getntacl_smbd the file ownership also set specifically. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-11selftest: Add tests for expected behaviour on directories as well as filesAndrew Bartlett1-0/+197
This is important because it covers the codepath which had the talloc error fixed by commit 60cf4cb5a630506747431ecbf00d890509baf2f3 (vfs_acl_common: In add_directory_inheritable_components allocate on psd as parent) Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sun Nov 11 15:48:10 CET 2012 on sn-devel-104
2012-11-12pysmbd: Add SMB_ACL_EXECUTE to the mask set by make_simple_acl()Andrew Bartlett2-3/+3
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12selftest: Make samba.tests.ntacl also use TestCaseInTempDirAndrew Bartlett1-37/+31
This follows on from the successful conversion of samba.tests.posixacl. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12samba-tool: Rework ldap attribute fetch in classicupgrade for missing attributesAndrew Bartlett1-17/+24
Is is not required that these additional attributes be filled in, so catch KeyError in both the nsswitch and ldap backend case. We rework get_posix_attr_from_ldap_backend() so it raises KeyError rather than trying to return None, and does not ignore other errors. Andrew Bartlett Tested-by: Chirana Gheorghita Eugeniu Theodor <office@adaptcom.ro> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-10s3:smbd: Fix typo in got_duplicate_group checkArvid Requate1-1/+1
Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Nov 10 20:25:48 CET 2012 on sn-devel-104
2012-11-09build: add DMAPI configure option and checksChristian Ambach2-1/+65
the waf build was missing the --with-dmapi option and configure checks that are necessary to build the source3 parts that need DMAPI (e.g. vfs_tsmsm) Bug: https://bugzilla.samba.org/show_bug.cgi?id=9178 Signed-off-by: Christian Ambach <ambi@samba.org> Autobuild-User(master): Christian Ambach <ambi@samba.org> Autobuild-Date(master): Fri Nov 9 20:57:31 CET 2012 on sn-devel-104
2012-11-09build(waf): support AIX 6.1Christian Ambach1-1/+1
on AIX6.1, we need to define _ALL_SOURCE as well, otherwise system headers with BSD types like u_int cannot be used
2012-11-09doc: list arguments for rpcclient FSRVP commandsDavid Disseldorp1-8/+15
Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Nov 9 18:21:39 CET 2012 on sn-devel-104
2012-11-09doc: describe samlogon cache caveat for winbindd -nDavid Disseldorp1-2/+4
The samlogon cache is never bypassed, even when winbindd is run with the -n argument. See https://bugzilla.samba.org/show_bug.cgi?id=9125 Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-09Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache ↵David Disseldorp4-13/+3
access." This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b. Bug 9125 analysis from Volker: The problem is that there are no network calls possible at all that would do what the samlogon cache does for us. There is just no way to retrieve the group membership in a complex trusted environment. If you have just a single domain with Samba as domain controller it might be possible, but even within a single domain it is not possible to correctly retrieve all group memberships using LDAP calls due to ACLs on directory objects. The call to get that is called NetSamLogon on the NETLOGON pipe. But this call requires user credentials and might trigger updating counts on the server. So to correctly implement wbinfo -r after a user has logged in, you have two alternatives: Save the info3 struct or the PAC in the netsamlogon cache. If you insist on doing network calls, you need to cache the user credentials somewhere to re-do the NetSamLogon call every time the wbinfo -r is requested. Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-09Makefile: Allow specifying PYTHON environment variable.Jelmer Vernooij1-1/+2
This is required for Minix, where python is named "python2.X". Reviewed-by: Simo Sorce <idra@samba.org> Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Fri Nov 9 16:39:09 CET 2012 on sn-devel-104
2012-11-09configure: Support specifying PYTHON environment variable to run waf.Jelmer Vernooij1-1/+1
This is necessary to run configure on Minix, where python is named "python2.X". Reviewed-by: Simo Sorce <idra@samba.org> Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-09torture: Fix smb2.create.blob test.Andreas Schneider1-1/+4
Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Fri Nov 9 14:53:27 CET 2012 on sn-devel-104
2012-11-09samba-tool: Fix typo in --help output.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Nov 9 11:04:50 CET 2012 on sn-devel-104
2012-11-09s4-drs: Remove unused varMatthieu Patou1-3/+0
Signed-off-by: Matthieu Patou <mat@matws.net>
2012-11-08s3fs-client: Burn commandline password of client utils.Andreas Schneider6-0/+10
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Nov 8 21:24:21 CET 2012 on sn-devel-104
2012-11-08s3fs-popt: Add function to burn the commandline password.Andreas Schneider2-0/+48
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-07Remove two unused variablesVolker Lendecke1-1/+0
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Wed Nov 7 17:18:06 CET 2012 on sn-devel-104
2012-11-07lib/util: Simplify bitmap.c a bitVolker Lendecke1-7/+6
This avoids the double-talloc for bitmaps Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-07lib/util: Make "struct bitmap" abstractVolker Lendecke2-4/+6
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-06heimdal_build: Fix finding of system heimdal.Jelmer Vernooij1-26/+29
When checking for Heimdal headers, make sure HAVE_CONFIG_H is not defined, as config.h will not be available. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Tue Nov 6 16:27:03 CET 2012 on sn-devel-104
2012-11-06heimdal_build: HEIMDAL_LIBRARY(): Remove unused cflags argument.Jelmer Vernooij1-2/+1
2012-11-06selftest/skip: add samba.tests.samba_tool.gpo until it's stableStefan Metzmacher1-0/+1
See: https://git.samba.org/autobuild.flakey/2012-11-06-0314/samba.stdout https://git.samba.org/autobuild.flakey/2012-11-06-0514/samba.stdout https://git.samba.org/autobuild.flakey/2012-11-06-0713/samba.stdout Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Nov 6 14:24:08 CET 2012 on sn-devel-104
2012-11-06ldb_secrets_tdb_sync: Add dependency on gssapi.Jelmer Vernooij1-1/+1
This is required when building with the system heimdal, as gssapi/gssapi_spnego.h is included. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 05:12:28 CET 2012 on sn-devel-104
2012-11-06dsdb: Rename _res argument to _result.Jelmer Vernooij1-6/+6
Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06provision: Make dsacl2fsacl() take a security.dom_sid, not strAndrew Bartlett3-6/+5
Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 00:12:43 CET 2012 on sn-devel-104
2012-11-06provision: Also walk directories checking ACLsAndrew Bartlett1-1/+1
The directory walk was missed due to a cut-and-paste error. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06wintest: Try harder to recover from apparent failure to dcpromoAndrew Bartlett1-1/+12
Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06selftest: check that samba-tool gpo works for basic operationsAndrew Bartlett3-1/+65
Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06dsdb: Simplify DsCrackNameOneFilter a bitVolker Lendecke1-1/+4
For me "else" branches clutter my flow reading code. If we do a hard return at the end of an "if" branch, "else" is not required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06wafsamba.abi: Fix abi_match with both excludes and includes.Jelmer Vernooij2-3/+20
This fixes a regression introduced by 9c3e294400234ebdf9b98031bae583524fd0b0ac which caused internal symbols in libldb to be exposed. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9357 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
2012-11-06wafsamba.samba_abi: Add basic unit tests.Jelmer Vernooij2-1/+51
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
2012-11-06buildtools: Remove extra space from global: lineAndrew Bartlett1-1/+1
This makes it easier to put the expected values in a file as we will not have trailing whitespace that is against git style. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06wafsamba.samba_abi: Refactor abi_write_vscript to take file argument.Jelmer Vernooij1-9/+13
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
2012-11-05s3:smbd: pass the current time to make_connection[_smb1]()Stefan Metzmacher3-6/+9
Otherwise smbstatus reports the wrong time for tree connects. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org> Autobuild-User(master): Christian Ambach <ambi@samba.org> Autobuild-Date(master): Mon Nov 5 20:43:23 CET 2012 on sn-devel-104
2012-11-05s3:utils fix a whitespace errorChristian Ambach1-1/+1
2012-11-05s3:vfs_default: optimize vfswrap_asys_finished() and read as much as we canStefan Metzmacher1-16/+33
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Mon Nov 5 19:01:13 CET 2012 on sn-devel-104
2012-11-05lib/tsocket: optimize syscalls in tstream_readv_pdu_send()Stefan Metzmacher1-0/+29
Once we've got the first part of a pdu we try to optimize readv calls for the rest of the pdu. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-11-05lib/tsocket: disable the syscall optimization for recvfrom/readv by defaultStefan Metzmacher2-6/+109
We only do the optimization on recvfrom/readv if the caller asked for it. This is needed because in most cases we preferr to flush send buffers before receiving incoming requests. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-11-05libads: Always free the talloc_stackframe() on error pathAndrew Bartlett1-0/+1
Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 5 03:33:32 CET 2012 on sn-devel-104