path: root/source4/ntvfs/unixuid/vfs_unixuid.c
Age  Commit message  Author  Files  Lines
2007-10-10  r4419: move security_token stuff to the libcli/security/  [Stefan Metzmacher, 1 file, -0/+1]
and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2007-10-10  r4147: converted from NT_USER_TOKEN to struct security_token  [Andrew Tridgell, 1 file, -9/+9]
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. Note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use an intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2007-10-10  r3982: split out the sid -> uid/gid mapping routines into a ntvfs_sidmap  [Andrew Tridgell, 1 file, -156/+10]
subsystem. This is in preparation for adding better default ACL generation in pvfs, which will require uid/gid -> sid mapping. (This used to be commit b31108e49247495d98cf7c12ee303b12a9e44e92)
2007-10-10  r3832: added NT ACL query/set to the posix NTVFS backend. The default ACL is  [Andrew Tridgell, 1 file, -0/+4]
based on the current nttoken, which is completely wrong, but works as a start. The ACL is stored in the xattr system.DosAcl, using an NDR-encoded IDL union with a version number to allow for future expansion. pvfs does not yet check the ACL for file access. At the moment the ACL is just query/set. We also need to do some RPC work to allow the windows ACL editor to be used. At the moment it queries the ACL fine, but displays an error when it fails to map the SIDs via rpc. (This used to be commit 3a1f20d874ab2d8b2a2f2485b7a705847abf1263)
2007-10-10  r3737: - Get rid of the register_subsystem() and register_backend() functions.  [Jelmer Vernooij, 1 file, -3/+3]
- Re-disable tdbtool (it was building fine on my Debian box but other machines were having problems)
(This used to be commit 0d7bb2c40b7a9ed59df3f8944133ea562697e814)
2007-10-10  r3528: added support for the SMBntcancel() operation, which cancels any  [Andrew Tridgell, 1 file, -0/+14]
outstanding async operation (triggering an immediate timeout). pvfs now passes the RAW-MUX test (This used to be commit 3423e2f41461d054067ef168b9b986f62cc8f77c)
2007-10-10  r3466: split out request.h, signing.h, and smb_server.h  [Andrew Tridgell, 1 file, -0/+1]
(This used to be commit 7c4e6ebf05790dd6e29896dd316db0fff613aa4e)
2007-10-10  r3461: another place where "open" was used as a structure element  [Andrew Tridgell, 1 file, -4/+4]
(This used to be commit 1087ea830e7aead86d54a1836512e88554afc919)
2007-10-10  r3453: - split out the auth and popt includes  [Andrew Tridgell, 1 file, -0/+1]
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies
(This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10  r3290: allow SID_ANONYMOUS ( "S-1-5-7" ) to be the user's sid  [Stefan Metzmacher, 1 file, -1/+1]
metze (This used to be commit 177afd4855c66f46c82899b46f030803be63d52a)
2007-10-10  r3185: Machines can log in with krb5, so we need to allow them to map to a unix account.  [Andrew Bartlett, 1 file, -2/+2]
Andrew Bartlett (This used to be commit fbe932ddd4282c3d8af8a28fdd0cee83d0c8f4f3)
2007-10-10  r3039: This solves the problem of async handlers in ntvfs backends not being  [Andrew Tridgell, 1 file, -0/+15]
in the right state when called. For example, when we use the unixuid handler in the chain of handlers, and a backend decides to continue a call asynchronously then we need to ensure that the continuation happens with the right security context.

The solution is to add a new ntvfs operation ntvfs_async_setup(), which calls all the way down through the layers, setting up anything that is required, and takes a private pointer. The backend wanting to make async calls can use ntvfs_async_setup() to ensure that the modules above it are called when doing async processing.

(This used to be commit a256e71029727fa1659ade6257085df537308c7d)
2007-10-10  r3024: run the *_connect() NTVFS initialisation operation as root, to allow  [Andrew Tridgell, 1 file, -1/+4]
backends to open databases and perform any other privileged operations that might be needed. (This used to be commit 54fd395025656d9b264ba1c1fab6e3ce8ca3d357)
2007-10-10  r2934: - changed the unixuid module to use the nt_user_token instead of the server supplied info structure.  [Andrew Tridgell, 1 file, -14/+19]
- added SID_WORLD and SID_NETWORK to the foreign sids in the provisioning, as these are auto-added to the nt_user_token (why is that done? Andrew?)
(This used to be commit 1dff12fba88827660a2647457867bf4ff6bc8d3d)
2007-10-10  r2930: added a security context cache to the unixuid module. The module  [Andrew Tridgell, 1 file, -4/+22]
doesn't actually leave us in the requested sec context between requests yet, but it does prevent us from doing the samdb lookup on every packet.

This change speeds up the BASE-MANGLE test against Samba4 with 5000 operations from 61 seconds to 16 seconds. For reference, Samba3 takes 27 seconds for the same test (the string and filename handling in Samba4 is much more efficient than Samba3)

(This used to be commit da0481ac75a01270897da5aa24dbb2b431928b30)
2007-10-10  r2803: allow unixuid module to work with foreign security principals  [Andrew Tridgell, 1 file, -4/+8]
(This used to be commit f522728728fa523ce7d9e73c93b27e71f3757d50)
2007-10-10  r2796: - changed ldap attributes "UnixID" to "unixID" and "UnixName" to "unixName" to be more ldap traditional  [Andrew Tridgell, 1 file, -18/+23]
- register the unixuid module as all 3 ntvfs backend types, as it doesn't care what type of backend it filters
(This used to be commit cd43def6ce280442306f14ca61508b4f7eb92cb6)
2007-10-10  r2794: a very simple version of the unixuid NTVFS pass-thru module. In  [Andrew Tridgell, 1 file, -0/+753]
conjunction with the posix backend this gives us a way to correctly set up the unix security context in Samba4.

I chose the following method to determine the unix uids and gids to use given the list of SIDs from the login process:
- look for a "UnixID" field in the sam record. If present, then use it (check if the record is of the right type as well)
- if UnixID is not present, then look for the "UnixName" sam field. If it is present then use getpwnam() or getgrnam() to find the unix id.
- if UnixID and UnixName are not present, then look for a unix account of the right type called by the same name as the sAMAccountName field.
- if none of the above work then fail the operation with NT_STATUS_ACCESS_DENIED

Obviously these steps only work well with a local SAM. It will need to be more sophisticated in future.

I did not put any cache in place at all. That will need to be added for decent performance.

(This used to be commit 78b67d19b9766131f0270e451089ee5bb1aa8bd9)
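The four-step SID-to-unix-id lookup described in the r2794 message, written out as an added C example. This is not Samba's code: `struct sam_record`, `sam_to_unix_id()` and the `MAP_*` status values are stand-ins invented here, and the SAM/ldb lookup is replaced by a constructed record so the example runs offline. Two behaviours are interpretations, not statements from the commit message: a record of the wrong type (group asked as user, or vice versa) is refused at every step, not only at step 1, and a UnixName that fails to resolve is denied rather than falling through to the sAMAccountName step. The range check on UnixID is likewise an addition. `getpwnam()`/`getgrnam()` are the calls the message names and resolve against the local NSS configuration; the stand-alone `main()` assumes a local user named "root".

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

/* Constructed stand-in for the SAM attributes named in the commit message
 * (UnixID, UnixName, sAMAccountName).  Not Samba's own record type. */
struct sam_record {
    const char *sAMAccountName;   /* always present in a SAM entry */
    const char *unixName;         /* NULL when the attribute is absent */
    int have_unixID;              /* non-zero when unixID is set */
    int64_t unixID;               /* explicit numeric id; meaningful only if have_unixID */
    int is_group;                 /* 1 for a group record, 0 for a user record */
};

enum map_status {
    MAP_OK = 0,
    MAP_ACCESS_DENIED = 1         /* stands in for NT_STATUS_ACCESS_DENIED */
};

/* Resolve a local unix account of the requested type by name.  These are the
 * two calls the commit message names; both consult the local NSS sources. */
static enum map_status lookup_unix_name(const char *name, int want_group, uint32_t *id)
{
    if (want_group) {
        struct group *gr = getgrnam(name);
        if (gr == NULL) return MAP_ACCESS_DENIED;
        *id = (uint32_t)gr->gr_gid;
    } else {
        struct passwd *pw = getpwnam(name);
        if (pw == NULL) return MAP_ACCESS_DENIED;
        *id = (uint32_t)pw->pw_uid;
    }
    return MAP_OK;
}

/* Map one SAM record to a uid (want_group == 0) or gid (want_group == 1)
 * in the order the commit message gives.  Every failure path returns
 * MAP_ACCESS_DENIED: the mapping fails closed instead of inventing an id. */
enum map_status sam_to_unix_id(const struct sam_record *rec, int want_group, uint32_t *id)
{
    /* "check if the record is of the right type": a group record must never
     * yield a uid and a user record must never yield a gid, at any step. */
    if (rec->is_group != want_group) return MAP_ACCESS_DENIED;

    /* Step 1: an explicit UnixID attribute wins. */
    if (rec->have_unixID) {
        /* Range check added here (not in the commit message): a negative or
         * oversized value cannot be a valid uid_t/gid_t. */
        if (rec->unixID < 0 || rec->unixID > UINT32_MAX) return MAP_ACCESS_DENIED;
        *id = (uint32_t)rec->unixID;
        return MAP_OK;
    }

    /* Step 2: UnixName, resolved via getpwnam()/getgrnam().  A name that is
     * present but unresolvable is denied rather than falling through. */
    if (rec->unixName != NULL && rec->unixName[0] != '\0')
        return lookup_unix_name(rec->unixName, want_group, id);

    /* Step 3: a local account of the right type named like sAMAccountName. */
    if (rec->sAMAccountName != NULL && rec->sAMAccountName[0] != '\0')
        return lookup_unix_name(rec->sAMAccountName, want_group, id);

    /* Step 4: nothing matched; deny. */
    return MAP_ACCESS_DENIED;
}

int main(void)
{
    /* Constructed records.  "root" is assumed to exist in the local passwd db. */
    const struct sam_record alice = { "alice", NULL,   1, 1234, 0 };  /* step 1 */
    const struct sam_record bob   = { "bob",   "root", 0, 0,    0 };  /* step 2 */
    const struct sam_record ghost = { "nosuchuser-zz9", NULL, 0, 0, 0 }; /* step 4 */
    const struct sam_record *recs[] = { &alice, &bob, &ghost };

    for (size_t i = 0; i < sizeof(recs) / sizeof(recs[0]); i++) {
        uint32_t id = 0;
        if (sam_to_unix_id(recs[i], 0, &id) == MAP_OK)
            printf("%-16s -> uid %u\n", recs[i]->sAMAccountName, (unsigned)id);
        else
            printf("%-16s -> ACCESS_DENIED\n", recs[i]->sAMAccountName);
    }
    return 0;
}
```

The point worth noticing is the denial on type mismatch: a SID whose SAM record is a group can carry a perfectly valid `unixID`, and without the type check that number would silently become a uid. The r2930 cache that came later sits above this function and keys on the SID; it does not change the lookup order.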