summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-01-17selftest: also skip raw.search as it also spinsAndrew Bartlett1-0/+1
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17drs-fsmo: Improve handling of FSMO role takeover.Andrew Bartlett3-5/+14
This needs to be more async, and give less scary errors. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"Stefan Metzmacher1-3/+11
acl_check_access_on_attribute should never be called with attr=NULL because we don't check access on an attribute in that case Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net> Autobuild-User(master): Matthieu Patou <mat@samba.org> Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
2013-01-17dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffectiveStefan Metzmacher1-1/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17libcli/security: don't look at the inherited type in get_ace_object_type()Stefan Metzmacher1-2/+0
The inherited_type is only used to decide if aces should be inherited effectively or not (INHERIT_ONLY) for the specified object. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: fix the order of special and system checksStefan Metzmacher1-22/+61
First we check for a special dn, then for system access. All allocations happen after this checks in order to avoid allocations we won't use. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user ↵Matthieu Patou1-0/+4
shouldn't see This fix frequent reindexing when using python script with a user that is not system. The reindexing is caused by ACL module hidding (removing) attributes in the search request for all attributes in dn=@ATTRIBUTES and because dsdb_schema_set_indices_and_attributes checks that the list of attributes that it just calculated from the schema is the same as the list written in @ATTRIBUTES, if not the list is replaced and a reindexing is triggered. Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17dsdb-acl: talloc_free the private context when we pass to the next moduleStefan Metzmacher1-0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: don't call dsdb_user_password_support() if we don't use the resultStefan Metzmacher1-2/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17smb2_ioctl: copychunk request max output validationDavid Disseldorp1-0/+12
Check that the copychunk ioctl request maximum output specified by the client is large enough to hold copychunk response data. Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jan 17 00:59:44 CET 2013 on sn-devel-104
2013-01-16smb2_ioctl: track copychunk response output stateDavid Disseldorp1-16/+38
Treat the response data independent to the status. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: copychunk CHECK_READ and CHECK_WRITEDavid Disseldorp1-0/+25
[MS-SMB2] 3.3.5.15.6 Handling a Server-Side Data Copy Request, specifies that the copychunk destination file handle be granted FILE_WRITE_DATA and FILE_READ_DATA access. FILE_READ_DATA access must also be granted on the copychunk source file, which may be done implicitly with execute permission. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16torture: copychunk test suite improvementsDavid Disseldorp1-8/+719
Allow for large files in test_setup_copy_chunk(): Write test data in 1M IOs, rather than attempting to do the whole thing in one go. Add copychunk bad resume key test: Send a copy chunk request with an intentionally bogus resume key (source key handle). Add copychunk src=dest test: Test copychunk requests where the source and destination handles refer to the same file. Add copychunk src=dest overlap test. Add desired access args to test_setup_copy_chunk(). Add copychunk_bad_access test: Open the copychunk source and destination files with differing desired_access values. Confirm copychunk response matches 2k8 and 2k12 behaviour. Add copy_chunk_src_exceed test: Attempts to copy more data than is present in the copychunk source file. Add copy_chunk_src_exceed_multi test: Test whether the first chunk in a multi-chunk copychunk request is written to disk, where the second chunk is invalid due to src file overrun. Add copy_chunk_sparse_dest test: Issue a request where the target offset exceeds the file size, resulting in a sparse region. Add copy_chunk_max_output_sz test. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: only pass through to VFS on a valid fspDavid Disseldorp1-13/+17
A null fsp is dereferenced on VFS call. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16torture: replace ioctl failure returns with helper callsDavid Disseldorp1-33/+25
Also change test_ioctl_get_shadow_copy() to use torture_skip(), and clean up test output. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16torture: add locking tests for copychunkDavid Disseldorp1-0/+228
Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: perform locking around copychunk requestsDavid Disseldorp1-17/+137
For each chunk in a copychunk request, take a read and write lock on the source and destination files respectively. Also change the resume key format to use a combination of the persistent and volatile handles. Thanks to Metze for his help on this. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smbd: split out file_fsp_get from file_fsp_smb2David Disseldorp2-10/+27
Obtain the files_struct from smb2req, persistent_id and volatile_id. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16torture: skip FSCTL_SRV_ENUM_SNAPS test when not supportedDavid Disseldorp2-1/+6
If FSCTL_SRV_ENUM_SNAPS fails with NT_STATUS_NOT_SUPPORTED then skip the test, this means we can run the full ioctl test suite as part of autobuild. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16selftest: enable samba3.smb2.ioctl tests against s3fsDavid Disseldorp1-7/+2
These tests are now expected to pass with copy-chunk support now implemented. This effectively reverts 632b1042aed94a71d810613fcdbbfecf615a25fa. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: remove ioctl error response assumptionsDavid Disseldorp3-20/+149
MS-SMB2 3.3.4.4 documents cases where a ntstatus indicating an error should not be considered a failure. In such a case the output data buffer should be sent to the client rather than an error response packet. Add a new fsctl copy_chunk test to confirm field limits are sent back in response to an oversize chunk request. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: add support for FSCTL_SRV_COPYCHUNKDavid Disseldorp1-4/+231
SMB2 clients can issue FSCTL_SRV_COPYCHUNK requests in order to copy data between files on the server side only, rather than reading data then writing back from the client. FSCTL_SRV_COPYCHUNK is used by default for Explorer SMB2 file copies on Windows Server 2012. 2.2.32.1 SRV_COPYCHUNK_RESPONSE in [MS-SMB2] describes the requirement for the server to provide maximum copychunk request size limits in ioctl responses carrying STATUS_INVALID_PARAMETER. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16s3-vfs: add copy_chunk vfs hooksDavid Disseldorp9-3/+411
copy_chunk copies n bytes from a source file at a specific offset to a destination file at a given offset. This interface will be used in handling smb2 FSCTL_SRV_COPYCHUNK ioctl requests. Use a pread/pwrite loop in vfs_default, so that requests referring to the same src and dest file are possible. Provide send and receive hooks for copy chunk VFS interface, allowing asynchronous behaviour. Check whether the request source offset + length exceeds the current size. Return STATUS_INVALID_VIEW_SIZE under such a condition, matching Windows server behaviour. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: add FSCTL_SRV_REQUEST_RESUME_KEY supportDavid Disseldorp3-2/+49
Use existing ioctl IDL infrastructure for marshalling. Support for this ioctl is a prerequisite for FSCTL_SRV_COPYCHUNK handling. The client-opaque resume key is constructed using the server side dev/inode file identifier. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: split ioctl handler code on device typeDavid Disseldorp9-355/+686
Add per device type ioctl handler source files for FSCTL_DFS, FSCTL_FILESYSTEM, FSCTL_NAMED_PIPE and FSCTL_NETWORK_FILESYSTEM. Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16smb2_ioctl: split ioctl handlers into separate funtionsDavid Disseldorp1-154/+173
Reviewed by: Jeremy Allison <jra@samba.org>
2013-01-16build(waf): fix the abi_match for the pdb libraryMichael Adam1-1/+1
The global wildcard match is automatically added by the parsing code if the global match list is empty. Specifying an explicit '*' as the only global match lets the parsing code add a second '*' to the local list, which is an error tolerated on my linux by ld (the GNU linker), but not by the stricter GNU ELF linker "gold". Pair-Programmed-With: Gregor Beck <gbeck@sernet.de> Signed-off-by: Gregor Beck <gbeck@sernet.de> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Jan 16 21:31:00 CET 2013 on sn-devel-104
2013-01-16s4-torture: add ndr64 spoolss openprinterex to ndr test.Günther Deschner1-0/+28
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jan 16 13:26:53 CET 2013 on sn-devel-104
2013-01-16s4-torture: allow to do ndr tests with flags, not only ndr_flags.Günther Deschner2-3/+14
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2013-01-16spoolss: Make OpenPrinterEx work with NDR64 by using UserInfo Container.Günther Deschner8-43/+42
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2013-01-15test: dbwrap_tool requires --persistent for the registry nowVolker Lendecke2-2/+2
Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue Jan 15 16:31:35 CET 2013 on sn-devel-104
2013-01-15docs: document the "--persistent" option in dbwrap_tool(1)Michael Adam1-5/+13
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15s3:dbwrap_tool: add --persistent switch and mode for non-persistent DBsMichael Adam1-12/+45
This changes the default for dbwrap_tool to open a DB as non-persistent. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15dbwrap: add dbwrap_is_persistent()Michael Adam2-0/+6
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: document the command line options in dbwrap_tool(1)Michael Adam1-3/+7
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: use the popt.common.samba.client entity in samba-tool(8)Michael Adam1-27/+1
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: use the entities popt.common.samba.server and stdarg.help in samba(8)Michael Adam1-31/+2
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: add popt.common.samba.server and popt.common.samba.client entitiesMichael Adam1-0/+11
These are comprised by the popt.common.samba entity and the stdarg.server.debug or the stdarg.client.debut entity, respectively. The difference is only in the default value of the debug level setting. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: fix the stdarg.configfile entity to print a "=" sign after the long optionMichael Adam1-1/+1
This makes the appearance equal to the other options like --debuglevel or --log-basename. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: use the stdarg.option entity in the popt.common.samba entityMichael Adam1-0/+1
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs: add an entity stdarg.option for the "--option" command line parameterMichael Adam1-0/+12
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15wafsamba: use additional xml catalog file (bug #9512)Björn Baumbach1-1/+2
Add additional "/usr/local/share/xml/catalog" catalog file platforms (used by freebsd). Fix manual page build on freebsd. Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15smb.conf(5): client min protocol: add hint at list of available protocolsBjörn Baumbach2-10/+13
And fix the format. Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15smb.conf(5): server min protocol: add hint at list of available protocolsBjörn Baumbach1-7/+10
And fix the format. Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15build(waf)-libreplace: remove redundant check for flistea functionBjörn Baumbach1-1/+1
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15ntlm_auth(1): fix many format issues and and make examples visibleBjörn Baumbach1-87/+108
"<example>" is no child of "<para>". So these examples were not visible. Using a varlist instead may be not the best way but it does look nice. Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15build(waf): docs-xml: build new dbwrap_tool.8 manual pageBjörn Baumbach1-0/+1
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15docs-xml: add dbwrap_tool.1 manual pageBjörn Baumbach1-0/+160
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Michael Adam <obnox@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
2013-01-15dsdb: Add test for modification of two attributes, one permitted, one denied ↵Andrew Bartlett1-0/+15
(bug #9554 - CVE-2013-0172) Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 8bafe0871526cd5d5e7fdbe123ab661379f64cb1) Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jan 15 14:03:47 CET 2013 on sn-devel-104
2013-01-15dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug ↵Andrew Bartlett1-28/+27
#9554 - CVE-2013-0172) This seems inefficient, but is needed for correctness. The alternative might be to have the sec_access_check_ds code confirm that *all* of the nodes in the object tree have been cleared to node->remaining_bits == 0. Otherwise, I fear that write access to one attribute will become write access to all attributes. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit d776fd807e0c9a62f428ce666ff812655f98bc47)