Age | Commit message (Collapse) | Author | Files | Lines |
|
GID list
This presents a potential security problem when ACLs contain DENY ACEs.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
in case of ID_TYPE_BOTH
This is important for acl checks on the unix level where only a group ace
has been added to the ACL for the user sid, e.g. when accessing Files with
nfs or local unix processes.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
It is currently only available in MIT. In addition, allow to define custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
%u pattern.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
We initialize everything later anyway
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994
Thanks to David Woodhouse <dwmw2@infradead.org>.
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 2 23:26:24 CEST 2013 on sn-devel-104
|
|
Fix this - we already control tightly what permissions are
on the files we create. Ensure we don't get surprised.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jun 27 02:02:24 CEST 2013 on sn-devel-104
|
|
"EOF on stdin"
Only install the stdin handler if it's a pipe or fifo.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
For debugging, it is useful to include the error code in the message.
Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat May 25 23:11:23 CEST 2013 on sn-devel-104
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue May 7 14:49:07 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
To make it more intutive.
rid = reduced_rid + domain_range_index * range_size
where
reduced_rid = (id - id_low) % range_size
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
idmap_autorid_get_domainrange()
This way, the calculation needs to be don only in one central place and
the formulas get simpler.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
This is my attempt to make the sid->unix-id calculation much more obvious.
Especially with the introduction of the multi-range support an the originally
named "multiplier", the calculation
id = low_id + range_size * domain_number + rid - range_size * multiplier
was rather opaque to me.
What really happens here is this:
The rid is split into a reduced_rid part that is < rangesize and
a multiple of rangesize. This is given by the formula
rid = rid % range_size + (rid / range_size) * range_size
We define
reduced_rid := rid % range_size
and
domain_range_index := rid / range_size ( == the original multiplier)
and the original formula is equivalent to:
id = reduced_rid + low_id + range_number * range_size;
and reads
id = reduced_rid + range_minvalue
if we set range_minvalue := low_id + range_number * range_size.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
The name multiplier is very confusing (at least for me).
This is an index that is used to reference the various
per-domain ranges.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
instances
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
instances to "range"
This describes it better with the new support for multiple ranges for domains.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
Now ranges don't correspond to domains any more, but
multiple ranges are associated to a domain. So the name
is misleading.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
when a mapping request for a RID comes in that is larger
than the rangesize, allocate an extension range to be able
to map this one
This is especially important for large installations which
might have large RIDs being used in a trusted domain that
the administrator was not aware of when planning for autorid
usage and so those objects could not be mapped up to now.
As it is not possible to change the rangesize after the first
start of autorid, this would lead to big trouble.
Signed-off-by: Abhidnya Joshi <achirmul@in.ibm.com>
Reviewed-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
This changes the behaviour for out-of-range queries: The tdb backend
(probably all backends) returns NT_STATUS_NONE_MAPPED and does not set the
map.status value to ID_UNMAPPED. This means that we did an early error
exit, not setting a negative cache value. This makes smbd ask winbind
over and over again for out-of-range gids, which can be a performance
problem in certain scenarios.
The new code makes us fall through to the code setting the negative
cache entry in all cases.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri May 3 14:48:35 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Jim McDonough <jmcd@samba.org>
Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Apr 9 20:27:27 CEST 2013 on sn-devel-104
|
|
If there is no domain_name specified we still need to set to for
caching else we will not find the entry later if we lookup the entry
with the domain_name.
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Apr 9 16:32:44 CEST 2013 on sn-devel-104
|
|
This module allows querying id mappings from LDAP servers as described
in RFC 2307. The LDAP records can be queried from an Active Directory
Server or from a stand-alone LDAP server.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Having this in a common place allows reuse by other idmap modules.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
idmap_ad and idmap_ldap use the same helper functions and the same
maximum query size. Move the code to idmap_utils so that it can be
shared by every module issuing LDAP queries.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
It is not an error to be logged at level 1 when a
domain has no explicitly configured idmap backend.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 8 03:16:54 CET 2013 on sn-devel-104
|
|
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
(bug #9653)
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 13 09:51:53 CET 2013 on sn-devel-104
|