path: root/source4
Age | Commit message | Author | Files | Lines
2012-08-23 | s4-selftest: Add test for samba-tool ntacl sysvolcheck | Andrew Bartlett | 1 | -0/+26
2012-08-23 | s4-samba-tool: Add samba-tool ntacl sysvolcheck command | Andrew Bartlett | 2 | -1/+143
This command verifies that the current on-disk ACLs match the directory and the defaults from provision. Unlike sysvolreset, this does not change any of the permissions. Andrew Bartlett
2012-08-23 | s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum | Andrew Bartlett | 1 | -1/+1
I need to get at the owner, group, DACL and SACL when testing correct ACL storage. Andrew Bartlett
2012-08-23 | s4-selftest: Add testing of samba-tool ntacl sysvolreset | Andrew Bartlett | 2 | -0/+45
2012-08-23 | param: Add startup checks for valid server role/binary combinations | Andrew Bartlett | 1 | -0/+11
This should eliminate confusion from our users about what they can expect to successfully run. Andrew Bartlett
2012-08-23 | s4-provision: Fix internal documentation | Andrew Bartlett | 1 | -0/+1
2012-08-23 | s3-pysmbd: Allow a mode to be specified for the simple ACL | Andrew Bartlett | 1 | -1/+1
The additional group for the ACL is now optional. Andrew Bartlett
2012-08-23 | s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool | Andrew Bartlett | 1 | -1/+73
This will reset the NT ACL on the sysvol share to the default from provision, with GPO objects matching the LDAP ACL (as required). Andrew Bartlett
2012-08-23 | selftest: Add a test of the NT ACL -> posix ACL mapping layer to selftest | Andrew Bartlett | 1 | -0/+1
2012-08-23 | selftest: Cope with the multiple possible representations of -1 in posixacl.py | Andrew Bartlett | 1 | -28/+29
2012-08-23 | selftest: Extend posixacl test to check the actual ACL | Andrew Bartlett | 1 | -2/+274
Needing to be able to write this test is the primary reason I have been reworking the VFS and posix ACL layer over the past few weeks. By exposing the POSIX ACL as an IDL object we can easily manipulate it in python, and then verify that the ACL was handled correctly. This ensures that when we write an ACL in provision, that it will indeed allow that access at the FS layer. We need to extend this beyond just the critical two ACLs set during provision, to also include some special (hard) cases involving the merging of ACE entries, as this is the most delicate part of the ACL transformation. A similar test should also be written to read the posix ACL and the mapped NT ACL on a file that has never had an NT ACL set. Andrew Bartlett
2012-08-23 | selftest: Add a test of the NT ACL -> posix ACL mapping layer | Andrew Bartlett | 1 | -0/+131
This is the start of what will be a series of tests confirming exactly how some NT ACLs are mapped to posix ACLs. Andrew Bartlett
2012-08-23 | s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly | Andrew Bartlett | 2 | -6/+11
This allows us to write tests that compare the smbd vfs with what is in the DB or xattr. Andrew Bartlett
2012-08-23 | s4-provision: set POSIX ACLs for use with the smbd file server (s3fs) | Andrew Bartlett | 2 | -52/+92
This handles the fact that smbd will rarely override the POSIX ACL enforced by the kernel. This has caused issues with the creation of group policies by other members of the Domain Admins group. Andrew Bartlett
2012-08-23 | s4-dsdb: Remove unused variables | Andrew Bartlett | 1 | -5/+0
2012-08-23 | s4-dsdb: Do not use a possibly-old loadparm context in schema reload | Andrew Bartlett | 3 | -19/+18
The loadparm context on the schema DB might have gone away already. Pre-cache the schema refresh interval at load time to avoid worrying about this. Andrew Bartlett
2012-08-23 | s4-upgradeprovision: Use ntvfs in reference provision | Andrew Bartlett | 1 | -1/+1
We do not need filesystem ACLs set when creating the reference provision, so it is easier to use the NTVFS backend as it does not cause trouble with make test. Andrew Bartlett
2012-08-23 | selftest: Specify --use-ntvfs when testing the group code | Andrew Bartlett | 1 | -1/+1
We do not need to set filesystem ACLs in this case. Andrew Bartlett
2012-08-23 | selftest: Specify --use-ntvfs when testing the newuser code | Andrew Bartlett | 1 | -1/+1
We do not need to set filesystem ACLs in this case. Andrew Bartlett
2012-08-23 | selftest: Specify --use-ntvfs when testing the LDAP backend init code | Andrew Bartlett | 1 | -5/+5
We do not need to set filesystem ACLs in this case. Andrew Bartlett
2012-08-22 | s4-python: Complete python bindings for idmap.idl | Andrew Bartlett | 1 | -0/+6
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 22 03:08:51 CEST 2012 on sn-devel-104
2012-08-22 | s4-python: complete python bindings for smb_acls.idl | Andrew Bartlett | 1 | -0/+6
2012-08-22 | selftest: Specify --use-ntvfs to provision in test scripts | Andrew Bartlett | 4 | -15/+15
Because these run as non-root, we need to avoid doing things that will fail during the provision. The main test of the s3fs provision is the plugin_s4_dc environment with a smb.conf that specifies vfs_fake_acls. Andrew Bartlett
2012-08-22 | s4-classicupgrade: Add --use-ntvfs option | Andrew Bartlett | 2 | -4/+8
This is an odd option, but is needed because I wish to add assertions about ACL setting that will not work in make test without the vfs_fake_acls module loaded. Andrew Bartlett
2012-08-22 | s4-provision: pass use_ntvfs from C wrappers and set to true in tests/vampire | Andrew Bartlett | 5 | -3/+7
None of these cases need the complexity of the s3fs backend. Andrew Bartlett
2012-08-22 | s4:samldb LDB module - remove unused "member" attribute from search filter | Matthias Dieter Wallnöfer | 1 | -1/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb - always fail if a search filter could not be parsed | Matthias Dieter Wallnöfer | 2 | -1/+8
A NULL string/expression returns the generic "(objectClass=*)" filter Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb_sort_objectClass_attr - simplify memory context handling | Matthias Dieter Wallnöfer | 3 | -37/+23
Do only require the out memory context and build the temporary one in the body of the function. This greatly simplifies the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb_sort_objectClass_attr - use "data_blob_string_const" for setting values | Matthias Dieter Wallnöfer | 1 | -6/+1
As shown in commit c8e6d8b487 this looks easier and in any case we can treat schema context data like global data. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-20 | s4-torture: Use torture_fail() in the unix.unix_info2 test | Andrew Bartlett | 1 | -2/+3
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Aug 20 15:36:48 CEST 2012 on sn-devel-104
2012-08-20 | s4-torture: Show that we cannot list extended attributes on streams | Andrew Bartlett | 1 | -0/+11
2012-08-20 | s4-torture: Show that we cannot have extended attributes on streams | Andrew Bartlett | 1 | -2/+17
2012-08-20 | s4-torture: Improve raw.streams test to cover EAs and to use torture_assert() | Andrew Bartlett | 1 | -34/+25
The extension of this test is to create an extended attribute, so we can confirm that the easize field on a stream actually refers to the parent file. This has been run against Windows 7. Andrew Bartlett
2012-08-20 | s4-ntvfs: Add TODO on ea_size | Andrew Bartlett | 1 | -1/+1
This is almost certainly un-important. Andrew Bartlett
2012-08-20 | s4-ntvfs: Ensure we do not attempt to write EAs on streams | Andrew Bartlett | 1 | -0/+6
2012-08-17 | s4:torture:basic: add more delete test - variants of deltest16 and deltest17 | Michael Adam | 1 | -0/+622
There seems to be a difference if the initial delete_on_close flag was set on a handle that created the file or if the handle was for a file that already existed. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Aug 17 21:44:24 CEST 2012 on sn-devel-104
2012-08-17 | s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn | Andrew Bartlett | 1 | -6/+11
The confusing use of do_dn as a memory context while legitimate created a bug when it was copied and modified to search on a DN from long-term state. By always using a temporary memory context it is clear what parameter is the memory context. This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104
2012-08-17 | s4-kcc: Avoid use-after-free of dn and add tmp_ctx | Andrew Bartlett | 1 | -2/+9
By using a tmp_ctx we are clearer about allocating temporary memory. Andrew Bartlett
2012-08-17 | s4:libcli/smb2: reset transport->compound.related when a compound chain is finished | Stefan Metzmacher | 1 | -0/+1
metze
2012-08-17 | s4-dsdb: Ensure we always free tmp_ctx in schema refresh check | Andrew Bartlett | 1 | -0/+2
This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! In that log, over 2.5 days this particular allocation was repeated: 1715099 talloc_new: ../source4/dsdb/samdb/ldb_modules/schema_load.c:120 contains 0 bytes in 1 blocks Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 17 06:21:18 CEST 2012 on sn-devel-104
2012-08-17 | s4: Fix returns in py_check_dcerpc_type | Volker Lendecke | 1 | -2/+2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-16 | s4:cldap_server: only return DS_SERVER_*TIMESERV if "ntp_signd" is used | Stefan Metzmacher | 1 | -4/+6
metze
2012-08-16 | s4:cldap_server: set DS_SERVER_SELECT_SECRET_DOMAIN_6 if we're a RODC | Stefan Metzmacher | 1 | -5/+9
metze
2012-08-16 | s3-libsmb: Add a simple test for python bindings | Volker Lendecke | 2 | -0/+80
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Aug 16 22:49:06 CEST 2012 on sn-devel-104
2012-08-15 | s4-selftest: Fix test name for samba.tests.dcerpc.bare | Andrew Bartlett | 1 | -1/+1
2012-08-14 | s4:dsdb/repl: fix the usage of 'GC/' prefixed principal names | Stefan Metzmacher | 1 | -21/+6
The "serverReference" attribute is available on the "server" object not on the "nTDSA" object. This allows connections to RODCs, as they don't have a E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN} principal. Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Aug 14 18:57:41 CEST 2012 on sn-devel-104
2012-08-14 | s4:samba-tool/drs: print the dns name of the server belonging to a connection | Stefan Metzmacher | 1 | -1/+4
Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze
2012-08-14 | s4:ntp_signd: fix SEGV if SID cannot be found | Arvid Requate | 1 | -1/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 14 17:16:54 CEST 2012 on sn-devel-104
2012-08-14 | s4-dsdb: Use samdb_dn_is_our_ntdsa() | Andrew Bartlett | 5 | -37/+61
This uses a GUID based comparison, and avoids re-fetching the samdb_ntds_settings_dn each time. Andrew Bartlett
2012-08-14 | s4-dsdb: Add samdb_dn_is_our_ntdsa() | Andrew Bartlett | 1 | -0/+25
This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference. Andrew Bartlett