summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2012-11-30s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)Stefan Metzmacher2-2/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptorStefan Metzmacher1-1/+19
We need to base the access mask on the given SD Flags. Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY, which could lead to INSUFFICIENT_RIGHTS when we should have been allowed to read. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-1/+3
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: calculate the correct access_mask when modifying ↵Stefan Metzmacher1-1/+14
nTSecurityDescriptor The access_mask depends on the SD Flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" ↵Stefan Metzmacher1-0/+11
is set In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: remove unused "acl:perform" optionStefan Metzmacher1-3/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-5/+15
The searches are done in order to do access checks and the results are not directly exposed to the client. Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make it clear that the SD Flags are ignored on addStefan Metzmacher1-1/+7
See [MS-ADTS] 6.1.3.2 SD Flags Control: ... When performing an LDAP add operation, the client can supply an SD flags control with the operation; however, it will be ignored by the server. ... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make use of dsdb_request_sd_flags()Stefan Metzmacher1-47/+15
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: always use descriptor_search_callback if we return ↵Stefan Metzmacher1-1/+12
nTSecurityDescriptor If the nTSecurityDescriptor is explicitly specified without the SD Flags control we should go through descriptor_search_callback(). This is not strictly needed at the moment, but makes the code clearer and might avoid surprises in the future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with ↵Stefan Metzmacher1-11/+12
SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_request_sd_flags() helper functionStefan Metzmacher1-0/+37
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: do helper searches AS_SYSTEMStefan Metzmacher1-0/+1
The search is done in order to do access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_store: do helper searches AS_SYSTEMStefan Metzmacher1-1/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-12/+13
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-3/+31
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: do helper searches AS_SYSTEMStefan Metzmacher1-7/+29
As anonymous users can read all rootdse attributes, we should do helper searches with DSDB_FLAG_AS_SYSTEM in order to avoid unnecessary access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: remove unused variableStefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:tests/samba_tool/gpo.py: fix accidential line breakMichael Adam1-2/+1
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-30s4:tests/samba_tool/gpo.py: add test_show_as_admin()Stefan Metzmacher1-0/+5
This calls samba-tool gpo show as admin (which should be able to see the full nTSecurityDescriptor. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ↵Stefan Metzmacher1-2/+4
ntSecurityDescriptor Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the ↵Stefan Metzmacher1-5/+6
nTSecurityDescriptor Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the ↵Stefan Metzmacher1-3/+7
current user Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptorStefan Metzmacher1-5/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xFStefan Metzmacher1-2/+2
A value of 0 is mapped to 0xF. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVectorStefan Metzmacher1-3/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_rootStefan Metzmacher1-0/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/schema_data: fix debug message in schema_data_modify()Stefan Metzmacher1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30libnet: Fix a typo in dbsync error message.Michael Adam1-1/+1
Signed-off-by: Michael Adam <obnox@samba.org>
2012-11-30libnet: Fix copy and paste error in dbsync error message.Andreas Schneider1-1/+1
2012-11-30torture: Fix copy and paste error in debug message.Andreas Schneider1-1/+1
Found by Coverity.
2012-11-30torture: Fix copy and paste error.Andreas Schneider1-1/+1
Found by Coverity.
2012-11-29docs: man oLschema2ldif: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Nov 29 15:27:45 CET 2012 on sn-devel-104
2012-11-29docs: man ntlm_auth4: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man smbtorture: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man masktest: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man locktest: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man gentest: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man 8 samba: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man regtree: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man regshell: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man regpatch: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-29docs: man regdiff: Add missing meta data.Karolin Seeger1-0/+3
This avoids warnings during the waf build and removes "FIXME" entries from the manpage. Karolin Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-28docs: Rename man ntlm_auth.Karolin Seeger2-38/+38
Rename man ntlm_auth to ntlm_auth4. Karolin Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Nov 28 20:41:48 CET 2012 on sn-devel-104
2012-11-26s4:torture/rpc/handles: try to make all assoc_group tests less flakeyStefan Metzmacher1-0/+5
Just incrementing the assoc_group_id makes it too likely to hit a number that is already in use. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Nov 26 13:53:22 CET 2012 on sn-devel-104
2012-11-23web_server: Load SWAT if it is available.Jelmer Vernooij1-3/+31
Reviewed-by: Matthieu Patou <mat@matws.net> Autobuild-User(master): Matthieu Patou <mat@samba.org> Autobuild-Date(master): Fri Nov 23 01:39:38 CET 2012 on sn-devel-104
2012-11-22web_server: the web server is not multi-process, indicate so in WSGI.Jelmer Vernooij1-1/+1
This is a requirement for some of the paster middleware used by SWAT2. Reviewed-by: Matthieu Patou <mat@matws.net>
2012-11-22web_server: Properly decrement reference counters for python objects in wsgi.Jelmer Vernooij1-29/+81
Reviewed-by: Matthieu Patou <mat@matws.net>
2012-11-22web_server: Properly set SCRIPT_NAME and PATH_INFO.Jelmer Vernooij1-2/+5
Reviewed-by: Matthieu Patou <mat@matws.net>
2012-11-22web_server: Create a string object for SERVER_PORT variable.Jelmer Vernooij1-1/+1
This matches the behaviour of other wsgi server implementations. Reviewed-by: Matthieu Patou <mat@matws.net>