summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2012-11-14scripting ntacls: Do not place a SACL in the GPO filesystem ACLAndrew Bartlett1-1/+0
On a new GPO created on windows, the SACL is not used. Andrew Bartlett Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Nov 14 00:34:50 CET 2012 on sn-devel-104
2012-11-13ntvfs: Fill in sd->type based on the new ACL being addedAndrew Bartlett1-0/+21
Previously we would not change the type field, and just relied on what was in the original ACL based on the default SD. This is required to ensure the SEC_DESC_DACL_PROTECTED is set which is in turn required for GPOs to be set correctly to match what windows does. Andrew Bartlett Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-13smbd: Remove NT4 compatability handling in posix -> NT ACL conversionAndrew Bartlett2-9/+10
NT4 is long dead, and we should not change which ACL we return based on what we think the client is. The reason we should not do this, is that if we are using vfs_acl_xattr then the hash will break if we do. Additionally, it would require that the python VFS interface set the global remote_arch to fake up being a modern client. This instead seems cleaner and removes untested code (the tests are updated to then handle the results of the modern codepath). The supporting 'acl compatability' parameter is also removed. Andrew Bartlett Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-13s4:samba-tool/testparm: report a CommandError if loading of the config file ↵Stefan Metzmacher1-1/+4
fails Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-13selftest: Add --tmpdir to 'samba-tool gpo create' testAndrew Bartlett2-3/+9
This was the cause of the flakey test, and was only noticed when multiple different users ran autobuild at the same time on the same server. We use shutil.rmtree to wipe the directory before the tests finishes as required by the TestCaseInTempDir class. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Nov 13 10:50:56 CET 2012 on sn-devel-104
2012-11-13selftest: Avoid returning errors (rather than failures) in gpo testAndrew Bartlett1-2/+4
This should help find the real cause of the flakey test, if it ever returns. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-12ntp_signd: Only allow group access to the ntp signd directory.Andrew Bartlett1-1/+1
Existing installations running ntp as group 'ntp' will need to change the permissions on the ntp_signd socket directory (eg PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd) The reason is that allowing other users on the host access to this directory would allow them to potentially spoof time on the network, or attack the password database with a chosen plaintext attack. Permissions should be changed to: ownership root:ntp (if ntp runs as gid ntp) mode 0750 (this is what it will be created as) If the permissions are not changed, Samba will refuse to start the ntp_signd server, and NTP operations will not be signed. As the error is declared fatal, in the future, Samba may totally refused to start. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Nov 12 12:36:30 CET 2012 on sn-devel-104
2012-11-12s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS ↵Stefan Metzmacher1-0/+4
(bug #8620) Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
2012-11-12s4:dsdb/acl_read: fix whitespace formatting errorsStefan Metzmacher1-124/+128
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: only give administrators access to attributes marked as ↵Stefan Metzmacher1-0/+87
confidential (bug #8620) The full fix will to implement and use the code of the read_acl module, but this is better than nothing for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: reorganize the logic flow in the password filtering checksStefan Metzmacher1-54/+92
This avoids some nesting levels and does early returns. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: fix search filter cleanup for password attributesStefan Metzmacher1-1/+1
We need to this when we're *not* system. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12selftest: Avoid test cross-contamination in samba.tests.posixaclAndrew Bartlett1-81/+59
This creates a new xattr.tdb per unit test, which avoids once and for all the issue of dev/inode reuse. For test_setposixacl_dir_getntacl_smbd the file ownership also set specifically. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-11selftest: Add tests for expected behaviour on directories as well as filesAndrew Bartlett1-0/+197
This is important because it covers the codepath which had the talloc error fixed by commit 60cf4cb5a630506747431ecbf00d890509baf2f3 (vfs_acl_common: In add_directory_inheritable_components allocate on psd as parent) Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sun Nov 11 15:48:10 CET 2012 on sn-devel-104
2012-11-12pysmbd: Add SMB_ACL_EXECUTE to the mask set by make_simple_acl()Andrew Bartlett1-2/+2
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12selftest: Make samba.tests.ntacl also use TestCaseInTempDirAndrew Bartlett1-37/+31
This follows on from the successful conversion of samba.tests.posixacl. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12samba-tool: Rework ldap attribute fetch in classicupgrade for missing attributesAndrew Bartlett1-17/+24
Is is not required that these additional attributes be filled in, so catch KeyError in both the nsswitch and ldap backend case. We rework get_posix_attr_from_ldap_backend() so it raises KeyError rather than trying to return None, and does not ignore other errors. Andrew Bartlett Tested-by: Chirana Gheorghita Eugeniu Theodor <office@adaptcom.ro> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-09torture: Fix smb2.create.blob test.Andreas Schneider1-1/+4
Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Fri Nov 9 14:53:27 CET 2012 on sn-devel-104
2012-11-09samba-tool: Fix typo in --help output.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Nov 9 11:04:50 CET 2012 on sn-devel-104
2012-11-09s4-drs: Remove unused varMatthieu Patou1-3/+0
Signed-off-by: Matthieu Patou <mat@matws.net>
2012-11-06heimdal_build: Fix finding of system heimdal.Jelmer Vernooij1-26/+29
When checking for Heimdal headers, make sure HAVE_CONFIG_H is not defined, as config.h will not be available. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Tue Nov 6 16:27:03 CET 2012 on sn-devel-104
2012-11-06heimdal_build: HEIMDAL_LIBRARY(): Remove unused cflags argument.Jelmer Vernooij1-2/+1
2012-11-06ldb_secrets_tdb_sync: Add dependency on gssapi.Jelmer Vernooij1-1/+1
This is required when building with the system heimdal, as gssapi/gssapi_spnego.h is included. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 05:12:28 CET 2012 on sn-devel-104
2012-11-06dsdb: Rename _res argument to _result.Jelmer Vernooij1-6/+6
Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06provision: Make dsacl2fsacl() take a security.dom_sid, not strAndrew Bartlett3-6/+5
Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 00:12:43 CET 2012 on sn-devel-104
2012-11-06provision: Also walk directories checking ACLsAndrew Bartlett1-1/+1
The directory walk was missed due to a cut-and-paste error. Andrew Bartlett Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06selftest: check that samba-tool gpo works for basic operationsAndrew Bartlett2-0/+64
Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06dsdb: Simplify DsCrackNameOneFilter a bitVolker Lendecke1-1/+4
For me "else" branches clutter my flow reading code. If we do a hard return at the end of an "if" branch, "else" is not required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-04s4-dns: Fix format string vulnerability in an error message (bug #9354)Amitay Isaacs1-4/+5
Also, fixes few comments. Thanks to Bruno Rohée <bruno@rohee.org> for reporting and patch fix. Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-By: Kai Blin <kai@samba.org> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Sun Nov 4 16:58:13 CET 2012 on sn-devel-104
2012-11-01s4-ldapclient: cope with logon failure retry in LDAPAndrew Tridgell1-37/+79
similar to what was done for rpc and cifs, we now retry once on logon failure for ldap, allowing for a new ticket to be fetched when a server password changes while we have a valid ticket for the old password Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01s4-librpc: set error code to LOGON_FAILURE on RPC fault with access deniedAndrew Tridgell1-2/+7
this allows the client code to trigger a retry with a new password callback for NTLM connections Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01samba-tool: "drs options" does not need a samdb connectionAndrew Tridgell1-1/+0
this gives us a handy pure RPC client test for use in blackbox testing Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01s4-librpc: try a 2nd logon for more error casesAndrew Tridgell1-3/+10
not all servers give LOGON_FAILURE on authentication failures, so we need to do the retry with a new ticket on a wider range of error types Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01s4-librpc: use cli_credentials_failed_kerberos_login to cope with stale ticketsAndrew Tridgell1-1/+15
This allows our RPC client code to cope with a kerberos server changing password while we have a valid service ticket Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01libcli: use cli_credentials_failed_kerberos_login() to cope with server changesAndrew Tridgell1-2/+15
if a server changes while we have a valid ticket we want to retry after removing the ccache entry. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-10-31samba-tool: Add samba-tool processes subcommandAndrew Bartlett4-0/+116
This will allow administrators to inspect the process list in a similar way to what running on a platform with setproctitle might permit. --pid= returns the registered server names for a PID (eg kdc, cldap_server) --name= returns the pids registered with a particular name. Andrew Bartlett
2012-10-31pymessaging: Add irpc_servers_byname() and irpc_all_servers()Andrew Bartlett2-0/+108
This will allow python scripts to inspect the process list. Andrew Bartlett
2012-10-31pymessaging: Use the server_id IDL structure rather than a tupleAndrew Bartlett3-7/+28
This will make it easier to pass this structure in and out. The tuple is still accepted as input. Andrew Bartlett
2012-10-31imessaging: Add irpc_all_servers() to list all available serversAndrew Bartlett3-1/+85
This is implemented with a tdb_traverse_read(), and will allow a tool to disover the name and server_id of all Samba processes, as each process registers itself to recieve messages. Andrew Bartlett
2012-10-27TestCaseInTempDir: Use addCleanup rather than tearDown.Jelmer Vernooij1-2/+3
2012-10-27source4.selftest.tests: Add FIXME about database verification.Jelmer Vernooij1-0/+2
2012-10-27source4.selftest.tests: Add suffix for smbclient4/nmblookup4.Jelmer Vernooij1-16/+16
2012-10-27selftesthelpers: Add function for printing smbtorture4 version.Jelmer Vernooij1-2/+1
2012-10-27selftest: Move determining of smbtorture4 options to selftesthelpers.Jelmer Vernooij1-10/+7
2012-10-27selftest/selftesthelpers: Share environment handling for extra smbtorture ↵Jelmer Vernooij1-6/+6
options.
2012-10-27selftesthelpers: Share code for listing smbtorture4 tests.Jelmer Vernooij1-13/+0
2012-10-27source4.selftest.tests: Rename plansmbtorturesuite() to plansmbtorture4suite().Jelmer Vernooij1-60/+60
2012-10-27source4.selftest.tests: Consistent naming of smbtorture binary.Jelmer Vernooij1-25/+25
2012-10-27sefltest: use TestCaseInTempDir and setUp/tearDown for posixacl.py temp fileAndrew Bartlett1-170/+62
This manages the temp file more reliably, and reduces the repeated code in each test case. Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Oct 27 04:37:58 CEST 2012 on sn-devel-104
2012-10-27provision: Fix comments in checksysvolaclAndrew Bartlett1-1/+2