Steven Danneman [Mon, 1 Dec 2008 19:12:59 +0000 (11:12 -0800)]
Set PRESENT flag when returning NULL [SD]ACL like Windows does.
This could also be handled inside each ACL VFS module, by setting the PRESENT
flag when a NULL [SD]ACL is created.
(cherry picked from commit efaac8049e43279266b5ea35dab8a866a96205b4)
Michael Adam [Mon, 1 Dec 2008 01:01:44 +0000 (02:01 +0100)]
winbindd/nss_info: fix default backend handling for ad backends.
This fixes "winbind nss info = rfc2307" (or sfu or sfu20).
Originally, only explicitly configured domains (like "rfc2307:domain")
worked with the ad module, since the domain name was not passed
back to the module. This is fixed by recording the first backend
listed without domain in the "winbind nss info" parameter as the
default backend, and creating new nss_domain entries (using this default
backend) on the fly as requests for domains which are not explicitly
configured are encountered.
Michael Adam [Wed, 26 Nov 2008 22:09:49 +0000 (23:09 +0100)]
winbindd/idmap_ad: add support for trusted domains to idmap_ad (bug #3661)
This initial fix does at least work for explicitly configured domains.
The patch has a few disadvantages:
1. It does work only for explicitly configured domains, not with
the default backend (idmap backend = ad), since it relies on the
domain name being passed in via the idmap_domain. One workaround
for this would be to create clones of the default idmap_domain
for domains not explicitly configured.
2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
The problem here is that only the NetBIOS domain name (workgroup
name) is passed in via the idmap_domain struct, and the module
has to establish a connection to the domain based on that information.
find_domain_from_name_noinit() has the disadvantage that it uses the state
of the domain list at fork time (unless used from the main winbindd).
But this should be ok as long as the primary domain was reachable at
start time.
For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.
Dan Sledz [Mon, 17 Nov 2008 01:40:03 +0000 (17:40 -0800)]
[PATCH] Allow SYSLOG_FACILITY to be modified with a new configure option called --with-syslog-facility
(cherry picked from commit 9e74113ecdad2df46b3a77d195e37a38c7e77d3d)
Jeremy Allison [Mon, 24 Nov 2008 23:28:53 +0000 (15:28 -0800)]
Fix bug #5873 - ACL inheritance cannot be broken. This regresses #4308, but that will have to
be fixed another way.
Jeremy.
(cherry picked from commit fa7a8f051debefa4e061b167a6906785d90deada)
If no DACL/SACL is present in the packet, the SEC_INFO field should still be
passed down as is to the VFS layer to signal the creation of a NULL DACL/SACL.
As seen in metze RAW-ACL test_nttrans_create_null_dacl(), a NULL DACL is set
regardless of the SEC_DESC_DACL_PRESENT bit being set.
(cherry picked from commit fc064837fbf84726ad66b16ef6e1f8c67d47a1fe)
Mathias Dietz [Wed, 12 Nov 2008 13:32:45 +0000 (14:32 +0100)]
Search for gpfs functions in both libgpfs_gpl.so and libgpfs.so
As of GPFS 3.2.1 PTF8 libgpfs will be available as GPL, so we don't need the
special libgpfs_gpl lib anymore. For backwards compatibility with pre-PTF8 GPFS
installations, still look there.
(cherry picked from commit 61468186cece7370576a2d13992f9a523067e4be)
Jeremy Allison [Sat, 22 Nov 2008 06:46:37 +0000 (22:46 -0800)]
Revert f268d75f5ed1258b08c5571780ea3be6724daed4 - "Fix the logic bug that caused us to
run into kernel oplocks on an open for a stream inside a file with stream_xattr module. On
opening the base_fsp we must break existing oplocks." as it broke make test.
Jeremy
(cherry picked from commit 11c4962cf6b6e6f66f5ce5788b331d43bd743248)
Jeremy Allison [Sat, 22 Nov 2008 02:20:55 +0000 (18:20 -0800)]
Fix the logic bug that caused us to run into kernel oplocks on an open for a stream inside a file with stream_xattr module. On opening the base_fsp we must break existing oplocks.
Jeremy.
(cherry picked from commit f268d75f5ed1258b08c5571780ea3be6724daed4)
Jeremy Allison [Sat, 22 Nov 2008 00:03:35 +0000 (16:03 -0800)]
Use fxattr calls whenever possible (trying to work around the strange Linux kernel oplock bug).
Jeremy.
(cherry picked from commit e8eabd9275389799f7ec9fcf62ff864aeea6312c)
Michael Adam [Fri, 21 Nov 2008 01:26:50 +0000 (02:26 +0100)]
s3-winbindd_ads: use the reconnect methods instead of the rpc methods directly
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Michael Adam [Thu, 20 Nov 2008 15:57:44 +0000 (16:57 +0100)]
winbindd_ads: prevent negative GM/ cache entries due to broken connections
The ads lookup_groupmem() function calls lsa_lookupsids to resolve sids
to names. This is tried only once. So in case the connection was broken,
e.g. closed by the server (without a reset packet), there will be an empty
GM/ cache entry for the requested group which will prevent proper working
of access checks among other checks for the expiry period.
This patch works around this problem by retrying once if the lsa_lookupsids
call fails, re-establishing the dc-connection, as we already do in many other
places (e.g. the winbindd retry methods for the rpc layer).
Jeremy Allison [Fri, 21 Nov 2008 20:53:53 +0000 (12:53 -0800)]
Second part of the fix for bug #5903 - vfs_streams_xattr breaks contents of the file
Jeremy.
(cherry picked from commit 019dcf49572404b1cb3c12aca4e7eaa052aeeedd)
Jeremy Allison [Fri, 21 Nov 2008 18:57:20 +0000 (10:57 -0800)]
First part of fix for bug #5903 - vfs_streams_xattr breaks contents of the file.
Restructures parts of open code so that fsp must be allocated before calling
open_file_ntcreate(_internal). Also fix up file ref-counting inside files.c.
Jeremy.
(cherry picked from commit b2626032626dcccd660c047f91130e81e380ae17)
Create a function out of pam_sm_close_session to delete the credentials.
This is the way the creds should be deleted. Now we have back a
close_session function which can be used for other things.
(cherry picked from commit e451daf4c2e1a6de6c109e88243b535d7e15cb35)