path: root/source4
Age | Commit message | Author | Files | Lines
2012-11-12 | ntp_signd: Only allow group access to the ntp signd directory. | Andrew Bartlett | 1 | -1/+1
  Existing installations running ntp as group 'ntp' will need to change the permissions on the ntp_signd socket directory (eg PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd)
  The reason is that allowing other users on the host access to this directory would allow them to potentially spoof time on the network, or attack the password database with a chosen plaintext attack.
  Permissions should be changed to:
    ownership root:ntp (if ntp runs as gid ntp)
    mode 0750 (this is what it will be created as)
  If the permissions are not changed, Samba will refuse to start the ntp_signd server, and NTP operations will not be signed.
  As the error is declared fatal, in the future, Samba may totally refuse to start.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Mon Nov 12 12:36:30 CET 2012 on sn-devel-104
2012-11-12 | s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug #8620) | Stefan Metzmacher | 1 | -0/+4
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
2012-11-12 | s4:dsdb/acl_read: fix whitespace formatting errors | Stefan Metzmacher | 1 | -124/+128
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: only give administrators access to attributes marked as confidential (bug #8620) | Stefan Metzmacher | 1 | -0/+87
  The full fix will be to implement and use the code of the read_acl module, but this is better than nothing for now.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: reorganize the logic flow in the password filtering checks | Stefan Metzmacher | 1 | -54/+92
  This avoids some nesting levels and does early returns.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: fix search filter cleanup for password attributes | Stefan Metzmacher | 1 | -1/+1
  We need to do this when we're *not* system.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | selftest: Avoid test cross-contamination in samba.tests.posixacl | Andrew Bartlett | 1 | -81/+59
  This creates a new xattr.tdb per unit test, which avoids once and for all the issue of dev/inode reuse.
  For test_setposixacl_dir_getntacl_smbd the file ownership is also set specifically.
  Andrew Bartlett
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-11 | selftest: Add tests for expected behaviour on directories as well as files | Andrew Bartlett | 1 | -0/+197
  This is important because it covers the codepath which had the talloc error fixed by commit 60cf4cb5a630506747431ecbf00d890509baf2f3 (vfs_acl_common: In add_directory_inheritable_components allocate on psd as parent)
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun Nov 11 15:48:10 CET 2012 on sn-devel-104
2012-11-12 | pysmbd: Add SMB_ACL_EXECUTE to the mask set by make_simple_acl() | Andrew Bartlett | 1 | -2/+2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | selftest: Make samba.tests.ntacl also use TestCaseInTempDir | Andrew Bartlett | 1 | -37/+31
  This follows on from the successful conversion of samba.tests.posixacl.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | samba-tool: Rework ldap attribute fetch in classicupgrade for missing attributes | Andrew Bartlett | 1 | -17/+24
  It is not required that these additional attributes be filled in, so catch KeyError in both the nsswitch and ldap backend case.
  We rework get_posix_attr_from_ldap_backend() so it raises KeyError rather than trying to return None, and does not ignore other errors.
  Andrew Bartlett
  Tested-by: Chirana Gheorghita Eugeniu Theodor <office@adaptcom.ro>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-09 | torture: Fix smb2.create.blob test. | Andreas Schneider | 1 | -1/+4
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Fri Nov 9 14:53:27 CET 2012 on sn-devel-104
2012-11-09 | samba-tool: Fix typo in --help output. | Karolin Seeger | 1 | -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Fri Nov 9 11:04:50 CET 2012 on sn-devel-104
2012-11-09 | s4-drs: Remove unused var | Matthieu Patou | 1 | -3/+0
  Signed-off-by: Matthieu Patou <mat@matws.net>
2012-11-06 | heimdal_build: Fix finding of system heimdal. | Jelmer Vernooij | 1 | -26/+29
  When checking for Heimdal headers, make sure HAVE_CONFIG_H is not defined, as config.h will not be available.
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date(master): Tue Nov 6 16:27:03 CET 2012 on sn-devel-104
2012-11-06 | heimdal_build: HEIMDAL_LIBRARY(): Remove unused cflags argument. | Jelmer Vernooij | 1 | -2/+1
2012-11-06 | ldb_secrets_tdb_sync: Add dependency on gssapi. | Jelmer Vernooij | 1 | -1/+1
  This is required when building with the system heimdal, as gssapi/gssapi_spnego.h is included.
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Nov 6 05:12:28 CET 2012 on sn-devel-104
2012-11-06 | dsdb: Rename _res argument to _result. | Jelmer Vernooij | 1 | -6/+6
  Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash.
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 | provision: Make dsacl2fsacl() take a security.dom_sid, not str | Andrew Bartlett | 3 | -6/+5
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Nov 6 00:12:43 CET 2012 on sn-devel-104
2012-11-06 | provision: Also walk directories checking ACLs | Andrew Bartlett | 1 | -1/+1
  The directory walk was missed due to a cut-and-paste error.
  Andrew Bartlett
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 | selftest: check that samba-tool gpo works for basic operations | Andrew Bartlett | 2 | -0/+64
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 | dsdb: Simplify DsCrackNameOneFilter a bit | Volker Lendecke | 1 | -1/+4
  For me "else" branches clutter my flow reading code. If we do a hard return at the end of an "if" branch, "else" is not required.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-04 | s4-dns: Fix format string vulnerability in an error message (bug #9354) | Amitay Isaacs | 1 | -4/+5
  Also, fixes a few comments.
  Thanks to Bruno Rohée <bruno@rohee.org> for reporting and patch fix.
  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-By: Kai Blin <kai@samba.org>
  Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
  Autobuild-Date(master): Sun Nov 4 16:58:13 CET 2012 on sn-devel-104
2012-11-01 | s4-ldapclient: cope with logon failure retry in LDAP | Andrew Tridgell | 1 | -37/+79
  similar to what was done for rpc and cifs, we now retry once on logon failure for ldap, allowing for a new ticket to be fetched when a server password changes while we have a valid ticket for the old password
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 | s4-librpc: set error code to LOGON_FAILURE on RPC fault with access denied | Andrew Tridgell | 1 | -2/+7
  this allows the client code to trigger a retry with a new password callback for NTLM connections
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 | samba-tool: "drs options" does not need a samdb connection | Andrew Tridgell | 1 | -1/+0
  this gives us a handy pure RPC client test for use in blackbox testing
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 | s4-librpc: try a 2nd logon for more error cases | Andrew Tridgell | 1 | -3/+10
  not all servers give LOGON_FAILURE on authentication failures, so we need to do the retry with a new ticket on a wider range of error types
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 | s4-librpc: use cli_credentials_failed_kerberos_login to cope with stale tickets | Andrew Tridgell | 1 | -1/+15
  This allows our RPC client code to cope with a kerberos server changing password while we have a valid service ticket
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 | libcli: use cli_credentials_failed_kerberos_login() to cope with server changes | Andrew Tridgell | 1 | -2/+15
  if a server changes while we have a valid ticket we want to retry after removing the ccache entry.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-10-31 | samba-tool: Add samba-tool processes subcommand | Andrew Bartlett | 4 | -0/+116
  This will allow administrators to inspect the process list in a similar way to what running on a platform with setproctitle might permit.
    --pid= returns the registered server names for a PID (eg kdc, cldap_server)
    --name= returns the pids registered with a particular name.
  Andrew Bartlett
2012-10-31 | pymessaging: Add irpc_servers_byname() and irpc_all_servers() | Andrew Bartlett | 2 | -0/+108
  This will allow python scripts to inspect the process list.
  Andrew Bartlett
2012-10-31 | pymessaging: Use the server_id IDL structure rather than a tuple | Andrew Bartlett | 3 | -7/+28
  This will make it easier to pass this structure in and out. The tuple is still accepted as input.
  Andrew Bartlett
2012-10-31 | imessaging: Add irpc_all_servers() to list all available servers | Andrew Bartlett | 3 | -1/+85
  This is implemented with a tdb_traverse_read(), and will allow a tool to discover the name and server_id of all Samba processes, as each process registers itself to receive messages.
  Andrew Bartlett
2012-10-27 | TestCaseInTempDir: Use addCleanup rather than tearDown. | Jelmer Vernooij | 1 | -2/+3
2012-10-27 | source4.selftest.tests: Add FIXME about database verification. | Jelmer Vernooij | 1 | -0/+2
2012-10-27 | source4.selftest.tests: Add suffix for smbclient4/nmblookup4. | Jelmer Vernooij | 1 | -16/+16
2012-10-27 | selftesthelpers: Add function for printing smbtorture4 version. | Jelmer Vernooij | 1 | -2/+1
2012-10-27 | selftest: Move determining of smbtorture4 options to selftesthelpers. | Jelmer Vernooij | 1 | -10/+7
2012-10-27 | selftest/selftesthelpers: Share environment handling for extra smbtorture options. | Jelmer Vernooij | 1 | -6/+6
2012-10-27 | selftesthelpers: Share code for listing smbtorture4 tests. | Jelmer Vernooij | 1 | -13/+0
2012-10-27 | source4.selftest.tests: Rename plansmbtorturesuite() to plansmbtorture4suite(). | Jelmer Vernooij | 1 | -60/+60
2012-10-27 | source4.selftest.tests: Consistent naming of smbtorture binary. | Jelmer Vernooij | 1 | -25/+25
2012-10-27 | sefltest: use TestCaseInTempDir and setUp/tearDown for posixacl.py temp file | Andrew Bartlett | 1 | -170/+62
  This manages the temp file more reliably, and reduces the repeated code in each test case.
  Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Oct 27 04:37:58 CEST 2012 on sn-devel-104
2012-10-27 | provision: Fix comments in checksysvolacl | Andrew Bartlett | 1 | -1/+2
2012-10-26 | pysmbd: Add hook for unlink() so python scripts can remove xattr.tdb entries | Andrew Bartlett | 1 | -20/+20
  If we do not provide a way to remove files from xattr.tdb, we can re-use the inode.
  Andrew Bartlett
2012-10-25 | python-ntacls: Cope with ACL revision 4 | Andrew Bartlett | 1 | -0/+2
  This is the new revision with the hash of the posix or system ACL.
  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Oct 25 15:04:39 CEST 2012 on sn-devel-104
2012-10-25 | selftest: Always unlink the tempf in posixacl test | Andrew Bartlett | 1 | -1/+4
2012-10-25 | selftest: Cover the important non-Samba invalidation of the NT ACL | Andrew Bartlett | 1 | -0/+23
  This covers the case where we have a valid hash of the posix ACL (or the NT ACL from the POSIX ACL) and we notice it no longer matches.
  Andrew Bartlett
2012-10-25 | selftest: Cover one more NT ACL invalidation case and improve comments | Andrew Bartlett | 1 | -8/+7
  This tries to show the difference between the cases where we trap the POSIX ACL change and where we actually detect an OS-level change.
  Andrew Bartlett
2012-10-25 | selftest: Add many more tests for our posix ACL handling | Andrew Bartlett | 1 | -1/+236
  This tests the mapping of posix ACLs to NT ACLs, the invalidation of NT ACLs stored as an xattr and ensures this security-critical code continues to work in the long term.
  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Oct 25 10:05:16 CEST 2012 on sn-devel-104