Age | Commit message (Collapse) | Author | Files | Lines |
|
WINBINDD_LIST_GROUPS
This allows to test if there's something wrong with the group list in
extra_data or if there's simply no groups in the database.
Volker, please check.
|
|
WINBINDD_CHECK_MACHACC used to report an NTSTATUS error and appropriate error
strings. Make this work again.
|
|
See bug #6157 for more details.
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25806f43ddee7e2653e907eea2c6fcc075960fa1)
|
|
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c992127f8a96c37940a6d298c7c6859c47f83d9b)
|
|
We have to initialize domain->backend by calling "get_cache" before doing a
query
Thanks to Christian Ambach to find this :-)
|
|
|
|
setting socket name.
Jeremy.
|
|
Jeremy.
|
|
a directory.
Argh. Missed the second (and essential) part of the fix for the above :-(.
Jeremy
|
|
a directory.
There is a codepath missing to propagate back error returns from the rmdir
POSIX call inside close_directory when delete on close is set. This means doing
an rmdir on a Windows command line will always report success, even when the
directory was not deleted. This fix adds that codepath back into Samba.
Jeremy.
|
|
rights fails even if the delete right is set on the object.
Final fix for the vfs_acl_xattr and vfs_acl_tdb code.
Ensure we can delete a file even if the underlying POSIX
permissions don't allow it, if the Windows permissions do.
Jeremy.
|
|
This is no longer used for anything.
|
|
|
|
|
|
Adding this comment makes me think, I could also
have changed make_server_info_sam() talloc_move
instead of talloc_steal, but that would have
changed the signature... Well the comment is a
first step. :-)
Michael
|
|
|
|
Windows seems to allow this
http://lists.samba.org/archive/samba-technical/2009-November/068116.html
has a dump of this.
|
|
When setting an ACL without any of the user/group/other entries, ZFS
automatically creates them. This can at times confuse users a lot. This
parameter denies setting such an acl, users explicitly have to for example set
an ACE with everyone allowing nothing. Users need to be educated about this,
but this helps avoid a lot of confusion.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means
with ntlmss_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob
after the ntlmssp_end().
|
|
This bug re-occurred for 3.3.x and above.
The reason is that to change a NT ACL we now have to open the file requesting
WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
in posix_acls doesn't add these bits when "dos filemode = yes", so even though
the permission or owner change would be allowed by the POSIX ACL code, the
NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
first.
Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.
Jeremy.
|
|
Bjoern, please check.
Guenther
|
|
with security=share
|
|
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
This is supposed to fixes Bug #4347 .
Michael
|
|
incrementation
This is a preparatory patch for the last part in fixing bug #4347 .
Michael
|
|
This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...
The "lucky" bit here is that the md5 has and the nt hash (md4) both are
16 bytes long.
This is part of the fix for bug #4347 .
Michael
|
|
This is to introduce a new format of the password history, maintaining backwards
compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash).
The new format is 16 zero bytes and 16 bytes nt hash.
This will allow us to respect the last X entries of the nt password history
when deciding whether to increment the bad password count.
This is part of the fix for bug #4347 .
Michael
|
|
The code I just removed was checked in with e5466fffc286a99f as a bug fix for
https://bugzilla.samba.org/show_bug.cgi?id=3319. With the changes to
is_visible_file made with 9e8b8f8c16612 these lines have become unnecessary,
even with "hide unreadable = yes" dead msdfs symlinks show. This is because we
can not stat(2) them and default to showing them.
Why this change? I have a user who wants to use "hide unreadable" on msdfs
links. Because you can't edit acls on symlinks themselves, the user created the
targets as bogus, empty files that just exist as acl placeholders. With the
code in place that this patch removes, we never allow this to work.
Jeremy, please check! :-)
Thanks,
Volker
|
|
|
|
pdb_update_sam_account
Log what went wrongl, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.
Michael
|
|
Michael
|
|
for use after sam_password_ok() has been called.
Michael
|
|
So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.
Michael
|
|
This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.
Michael
|
|
This way it is more explicit that there is no allocated data here
that may leak.
Michael
|
|
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.
Michael
|
|
and removing bool variables and several checks.
Michael
|
|
Michael
|
|
|