Age | Commit message (Collapse) | Author | Files | Lines |
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
1. Finally work with cascaded modules with private data storage per module
2. Convert VFS API to macro calls to simplify cascading
3. Add quota support to VFS layer (prepare to NT quota support)
Patch by Stefan (metze) Metzemacher, with review of Jelmer and me
Tested in past few weeks. Documentation to new VFS API for third-party developers to follow
(This used to be commit 91984ef5caa2d13c5d52e1f535bd3bbbae1ec978)
|
|
(This used to be commit a369c2ff2637dc808035217eaada4cf923c5cf6d)
|
|
"changed the order of checking whether a SID is a UID or a GID in posix
acls. This is needed because sid_to_uid always claims that the sid is
a user, due ot a change I made some months back.
This change was suggested by Chere Zhou, but is really an interim
measure. Chere is looking at a longer term solution."
REMEMBER - 3.0 is the one we will SHIP !
Jeremy.
(This used to be commit a4d7496994b740e074398d98c999a803afff4404)
|
|
Jeremy.
(This used to be commit 7f8d3a49b2cebab4b94db3cda54b3923442378c8)
|
|
-------------------------------------------------------------------------
I think there are basically two problem:
1. Windows clients do not always send ACEs for SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ,
and SMB_ACL_OTHER.
The function ensure_canon_entry_valid() is prepared for that, but tries
to "guess" values from group or other permissions, respectively, otherwise
falling back to minimum r-- for the owner. Even if the owner had full
permissions before setting ACL. This is the problem with W2k clients.
2. Function set_nt_acl() always chowns *before* attempting to set POSIX ACLs.
This is ok in a take-ownership situation, but must fail if the file is
to be given away. This is the problem with XP clients, trying to transfer
ownership of the original file to the temp file.
The problem with NT4 clients (no ACEs are transferred to the temp file, thus
are lost after moving the temp file to the original name) is a client problem.
It simply doesn't attempt to.
I have played around with that using posic_acls.c from 3.0 merged into 2.2.
As a result I can now present two patches, one for each branch. They
basically modify:
1. Interpret missing SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, or SMB_ACL_OTHER
as "preserve current value" instead of attempting to build one ourself.
The original code is still in, but only as fallback in case current values
can't be retrieved.
2. Rearrange set_nt_acl() such that chown is only done before setting
ACLs if there is either no change of owning user, or change of owning
user is towards the current user. Otherwise chown is done after setting
ACLs.
It now seems to produce reasonable results. (Well, as far as it can. If
NT4 doesn't even try to transfer ACEs, only deliberate use of named default
ACEs and/or "force group" or the crystal ball can help :)
-------------------------------------------------------------------------
Jeremy.
(This used to be commit 1d3b8c528bebfa1971d1affe454a03453335786e)
|
|
- user_ok() and user_in_group() now take a list of groups, instead of
looking for the user in the members of all groups.
- The 'server_info' returned from the authentication is now kept around
- in future we won't copy the sesion key, username etc, we will just
referece them directly.
- rhosts upgraded to use the SAM if possible, otherwise fake up based on
getpwnam().
- auth_util code to deal with groups upgraded to deal with non-winbind domain
members again.
Andrew Bartlett
(This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
|
|
must not be freed afterwards.
Jeremy.
(This used to be commit 4015e39d3666dbe240808c9007a8b8faca012a3d)
|
|
perms.
Jeremy.
(This used to be commit 793609cbc2f657b91a59aec4a3f403bf826c7156)
|
|
(This used to be commit 299233fbf2328d08546b3b03dceca67083b68493)
|
|
This is not 100% the same as what SuSE shipped in their Samba, there is
a crash bug fix, a race condition fix, and a few logic changes I'd like to
discuss with Andreas. Added Andreas to (C) notices for posix_acls.c
Jeremy.
(This used to be commit 40eafb9dde113af9f7f1808fda22908953f7e8c3)
|
|
Jeremy.
(This used to be commit 3343efaaa8b80d5bc549afebbc06e02e125a6af9)
|
|
share.
Jeremy.
(This used to be commit 9b8f362abc5abf25f02718774a8aa1f4574f19ff)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 42615b945e2e48e53a21ea47f2e45407913a6a1e)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
Jeremy.
(This used to be commit 7d59445b6962547a8938928a9371651a09e26516)
|
|
Based on code donated by Olaf Frączyk <olaf@cbk.poznan.pl>. Further commit
will change to sending via vfs interface.
Jeremy.
(This used to be commit d85133e2697eb22f1573c78447b57791ae63dd6b)
|
|
(This used to be commit c55737fb25dfed4697b93a600e3bd770f84bf464)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
(This used to be commit 7dc1c34145d66f4bbc5c6ce0bca4b224088366af)
|
|
when we free curr_ace_outer we need to not try to use it again :)
(This used to be commit 1c5e19a418136c0ae524e62a4907501212ebac3d)
|
|
Jeremy.
(This used to be commit 2d7b81e692ac2bcfd6e31223d3f8545c255cb47c)
|
|
a group name.
Jeremy.
(This used to be commit b926660e73d4c94c30ec5a365027770acdafe25e)
|
|
definitions.
(This used to be commit 9712d3f15a47155f558d0034ef71fd06afb11301)
|
|
Jeremy.
(This used to be commit 4a54a633c59a18b387427e89266e294bdddf8574)
|
|
Jeremy.
(This used to be commit bc7963bd643422cce081b6284e3bdd49ae3a02ab)
|
|
(This used to be commit a95943fde0ad89ae3f2deca2f7ba9cb5ab612b74)
|
|
Jeremy.
(This used to be commit 9961c4c1a3b2dbf8d1062bc1fa103488c0d0ba79)
|
|
on files that do not have an ACL
(This used to be commit 65ea13420c78cf0a8c01f14c08815e4b44ca4abc)
|
|
Digital UNIX).
Jeremy.
(This used to be commit 324ba0512ec84bb173c72be3dfd2447e0dc30e26)
|
|
This commit gets rid of all our old codepage handling and replaces it with
iconv. All internal strings in Samba are now in "unix" charset, which may
be multi-byte. See internals.doc and my posting to samba-technical for
a more complete explanation.
(This used to be commit debb471267960e56005a741817ebd227ecfc512a)
|
|
smbd/posix_acls.c: Attempt to fix the "lose default acl" problem in Solaris.
Needs testing.
lib/sysacls.c: Typo fix.
Jeremy.
(This used to be commit d989f8bd3e1524183a24fb67be1af05b3289f648)
|
|
cleaned on clients abending connections. Thanks Andrew !
Jeremy.
(This used to be commit 1b3977c5367a0b713b194f369abd9872ae01ac2a)
|
|
bits before checking if we should change them on non-acl systems.
Jeremy.
(This used to be commit aba243ca0867a0787f9f7c7b2cda6143bcc53087)
|
|
Removed "restrict acl with mask" - redundent.
Jeremy.
(This used to be commit 0db8a61d71f25ffa0e5c585e02e2fce973867156)
|
|
Jeremy.
(This used to be commit f100e091abc57a9ba983e7c3cf84bfda2dbc2e18)
|
|
and using autoconf tests.
Added "restrict acl with mask" parameter.
Jeremy.
(This used to be commit 7792e32ba7fd734cc68b354f31c382ac11521fe8)
|
|
Jeremy.
(This used to be commit a60ecb4e53a6c8a3a6a37a89042ae943202263fe)
|
|
Jeremy.
(This used to be commit f02e67a096b3bcf84615c4a6949c5e6283e07af0)
|
|
return a malloced area so added sys_acl_free_qualifier() calls to all supported
ACL interfaces to code with this (only Linux needs actual free call).
Jeremy.
(This used to be commit 5870e6019b82d2088b99acdc0f84e9e4847a1fa5)
|
|
Jeremy.
(This used to be commit fe38692643ad7c163c30d9c031a8bd3dec81ffee)
|
|
when copying to a full disk problem, I discovered that we were not allowing
the delete on close flag to be set properly, this led to other things, and
after investigation of the proper delete on close semantics and their relationship
to the file_share_delete flag I discovered there were some cases where we
weren't doing the deny modes properly. And this after only 5 years working
on them..... :-) :-).
So here's the latest attempt. I realised the delete on close flag needs to
be set across all smbds with a dev/ino pair open - in addition, the delete
on close flag, allow share delete and delete access requested all need to
be stored in the share mode tdb.
The "delete_on_close" entry in the fsp struct is now redundant and should
really be removed. This may also mean we can get rid of the "iterate_fsp"
calls that I didn't like adding in the first place. Whilst doing this patch,
I also discovered we needed to do the se_map_generic() call for file opens
and POSIX ACL mapping, so I added that also.
This code, although ugly, now passes the deny mode torture tests plus the
delete on close tests I added. I do need to add one more multiple connection
delete on close test to make sure I got the semantics exactly right, plus we
should also (as Andrew suggested) move to random testing here.
The good news is that NT should now correctly delete the file on disk
full error when copying to a disk :-).
Jeremy.
(This used to be commit 51987684bd231c744da2e5f3705fd236d5616173)
|
|
reporting imaginary "default" inheritable ACLs on directories, otherwise,
when you add an entry and click on apply without noticing there's no
default entry associated with it, it applies a null acl on the files
within the directory (hey, that's what you told NT you wanted, right ! :-).
Also ensure that minimum permissions for a directory are r-x for owner,
not just r--.
Jeremy.
(This used to be commit 4fa8cf68c3921f93a27d290d6dd1ed4423dfcf1c)
|
|
to the places where [f]chmod_acl is called instead.
Jeremy.
(This used to be commit 641ada44ae6429761c1fd0dbcafabc69f897fac7)
|
|
smbd/vfs.c: Don't call [f]chmod_acl if no acl support.
Jeremy.
(This used to be commit 83f52394e688b4be3ac4cef67d8980a5b8ed3192)
|
|
Jeremy.
(This used to be commit 38b19fad2851a65268b31c7e0240ed36a8407be4)
|
|
include/proto.h: Fix missing (void) in proto.
rpc_server/srv_samr_nt.c: Fix user private group problem by filtering out groups that
clash with users.
smbd/posix_acls.c: Ensure default ACE's are sensible.
utils/pdbedit.c: Fix from Simo Sorce.
Jeremy.
(This used to be commit 29414fe0d6665642d9b5f88a35e712426376c47f)
|
|
Jeremy.
(This used to be commit 5b9a88c2d0da3479f91131f66ff741e88f9760ee)
|
|
with real ACLs...
Jeremy.
(This used to be commit 852b9e15ac245a593460cfff3f629d0333372e41)
|