Andrew Tridgell [Wed, 5 Aug 2009 01:21:06 +0000 (11:21 +1000)]
make the UID_WRAPPER skip checks at runtime
This fixes two issues pointed out by Andrew. It adds a runtime
uwrap_enabled() call that wraps the skips needed for uid emulation. It
also makes the skip in the directory_create_or_exist() function only
change the uid checking code, not the permissions code.
Andrew Tridgell [Wed, 5 Aug 2009 00:50:03 +0000 (10:50 +1000)]
added a uid_wrapper library
This library intercepts seteuid and related calls, and simulates them
in a manner similar to the nss_wrapper and socket_wrapper
libraries. This allows us to enable the vfs_unixuid NTVFS module in
the build farm, which means we are more likely to catch errors in the
token manipulation.
The simulation is not complete, but it is enough for Samba4 for
now. The major areas of incompleteness are:
- no emulation of setreuid, setresuid or saved uids. These would be
needed for use in Samba3
- no emulation of ruid changing. That would also be needed for Samba3
- no attempt to emulate file ownership changing, so code that (for
example) tests whether st.st_uid matches geteuid() needs special
handling
Andrew Bartlett [Tue, 4 Aug 2009 22:53:11 +0000 (08:53 +1000)]
s4:dsdb Don't cast an ldb_val into a const char * for schema lookups
This removes a number of cases where we did a cast into a const char *
of an ldb_val. While convention is to always have an extra \0 at
data[length] in the ldb_val, this is not required, and does not occur
at least on build farm host 'svart'.
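The point of the commit above is that an ldb value is a pointer plus a length, not a C string, so any code that casts `data` to `const char *` silently depends on a terminator that may not be there. The following added example (written for this page, not Samba's own code; `struct val`, the schema table and the SIDs/names in it are constructed stand-ins) contrasts a cast-based lookup with a length-aware one on a value whose buffer carries extra bytes after `length`:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ldb's value type: bytes plus an explicit length.
 * Nothing guarantees that data[length] is a NUL byte. */
struct val {
    const uint8_t *data;
    size_t length;
};

/* Constructed stand-in for a schema table keyed by attribute name. */
static const char *const schema_names[] = { "cn", "objectClass", "sAMAccountName" };
#define SCHEMA_COUNT (sizeof(schema_names) / sizeof(schema_names[0]))

/* The pattern the commit removes: cast the bytes to a C string and strcmp().
 * strcmp() ignores v->length and keeps reading until it finds a NUL, so the
 * result depends on whatever follows the value in memory. Kept here only to
 * show the mismatch; the test buffer happens to be NUL-terminated further on,
 * so this copy does not read out of bounds. */
int schema_lookup_by_cast(const struct val *name)
{
    for (size_t i = 0; i < SCHEMA_COUNT; i++) {
        if (strcmp((const char *)name->data, schema_names[i]) == 0) {
            return (int)i;
        }
    }
    return -1;
}

/* Length-aware comparison: lengths must match, then the bytes must match.
 * Never touches data[length], so a missing terminator is irrelevant. */
static int val_equals_cstr(const struct val *v, const char *s)
{
    size_t slen = strlen(s);
    if (v->length != slen) {
        return 0;
    }
    return memcmp(v->data, s, slen) == 0;
}

/* Return the index of the matching schema entry, or -1 if none matches. */
int schema_lookup(const struct val *name)
{
    for (size_t i = 0; i < SCHEMA_COUNT; i++) {
        if (val_equals_cstr(name, schema_names[i])) {
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed input: the first 11 bytes spell "objectClass", but the
     * buffer continues with unrelated bytes instead of a NUL at data[11]. */
    struct val name = { (const uint8_t *)"objectClassGARBAGE", 11 };

    printf("cast-based lookup:   %d\n", schema_lookup_by_cast(&name));
    printf("length-aware lookup: %d\n", schema_lookup(&name));
    return 0;
}
```

The cast-based lookup compares the whole trailing run of bytes and finds nothing; the length-aware lookup finds `objectClass`. A prefix such as `cnX` with length 3 also correctly fails to match `cn`, because the length check runs before the byte comparison.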
Gerald Carter [Mon, 3 Aug 2009 21:18:10 +0000 (16:18 -0500)]
idmap_adex: Fix usage of talloc_stackframe().
Pass an explicit TALLOC_CTX* to build_id_filter() and build_alias_filter()
rather than relying upon the talloc_stackframe() behavior that
allows a caller access to stackframe ctx for called functions.
We should always return a local path so that users are not forced to set up a
[prnproc$] share on the server. This restores pre-3.4.0 spoolss behaviour.
Andrew Bartlett [Tue, 4 Aug 2009 08:24:37 +0000 (18:24 +1000)]
s4:torture Make RPC-NETLOGON pass against ncaclrpc servers
The original patch didn't cope with a NULL target server name - we now key off that to decide it isn't worth checking against LDAP for this host.
I still can't get this to pass against Windows 2008, but mdw was
testing against Windows 2008R2. At least 'make test' is happy, and
the rest should not be too hard...
Andrew Bartlett [Tue, 4 Aug 2009 02:52:11 +0000 (12:52 +1000)]
s4:torture rework LDAP sort test
This reworks the test to be part of the LDAP tests, to make better use
of the torture API and the ldb API (in particular around adding
controls), and a general cleanup.
s4: Enhancements in the "netr_LogonGetDomainInformations" call
This addresses bug #4888 and #6596 in SAMBA 4 Bugzilla
- It implements the call in the complete form as specified in the MSPP/WSPP docs
and on the discussion on the "cifs-protocol" list
- Therefore client information (OS name, OS version, "servicePrincipalName"...)
is now saved in the AD each time the client invokes the call
netlogon.idl: Removes the form "str[]" for string declarations
In this file two different forms are used to explain the same datatype ("str[]" and "*str").
I didn't find this very nice and unified the occurrences to always use "*str".
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
Jeremy Allison [Fri, 31 Jul 2009 18:19:19 +0000 (11:19 -0700)]
We're not changing last write, but setting this to be FILE_NOTIFY_CHANGE_CREATION
doesn't work. So use FILE_NOTIFY_CHANGE_LAST_WRITE (now seems to reliably fix
bug #6529 - Offline files conflict with Vista and Office 2003).
Jeremy.
s4: Patch to implement nested group and privileges
This patch adds a function "authsam_expand_nested_groups" (calculation of rights
through expanding groups of a certain SID) which basically collects all
memberships through "memberOf" attributes. It works with either user or group SIDs.
For avoiding loops it tests on each call if the SID hasn't been added yet (through
the helper function "sids_contains_sid").
The function itself is called by "authsam_make_server_info".
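The commit above describes the algorithm in two sentences: walk "memberOf" links transitively from a starting SID, and on every call check whether the SID is already in the collected set so that cyclic group memberships cannot recurse forever. The added example below (illustration written for this page, not Samba's `authsam_expand_nested_groups`; the directory table, the SID strings and the fixed-size list are constructed assumptions) implements that walk over an in-memory directory that deliberately contains a membership cycle and a group reachable by two paths:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 32

/* Constructed directory: each entry lists the "memberOf" values (group SIDs)
 * of one object. The SIDs are made up. The data contains a cycle
 * (G-2001 -> G-2002 -> G-2001) and a group reachable by two paths (G-2003). */
struct entry {
    const char *sid;
    const char *member_of[4];   /* NULL-terminated */
};

static const struct entry directory[] = {
    { "S-1-5-21-1-1-1-1001", { "S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-2003", NULL } },
    { "S-1-5-21-1-1-1-2001", { "S-1-5-21-1-1-1-2002", NULL } },
    { "S-1-5-21-1-1-1-2002", { "S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-2003", NULL } },
    { "S-1-5-21-1-1-1-2003", { NULL } },
};

struct sid_list {
    const char *sids[MAX_SIDS];
    size_t count;
};

/* Hypothetical counterpart of the helper named in the commit: is sid already
 * in the list? This is what turns the recursion into a cycle-safe walk. */
bool sids_contains_sid(const struct sid_list *list, const char *sid)
{
    for (size_t i = 0; i < list->count; i++) {
        if (strcmp(list->sids[i], sid) == 0) {
            return true;
        }
    }
    return false;
}

static const struct entry *find_entry(const char *sid)
{
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        if (strcmp(directory[i].sid, sid) == 0) {
            return &directory[i];
        }
    }
    return NULL;
}

/* Add sid and every group it is transitively a member of to out.
 * Works for a user SID or a group SID. Returns false only if the
 * fixed-size list would overflow. */
bool expand_nested_groups(struct sid_list *out, const char *sid)
{
    if (sids_contains_sid(out, sid)) {
        return true;            /* already collected: stops loops and duplicates */
    }
    if (out->count >= MAX_SIDS) {
        return false;
    }
    out->sids[out->count++] = sid;

    const struct entry *e = find_entry(sid);
    if (e == NULL) {
        return true;            /* object unknown to the directory: nothing to expand */
    }
    for (size_t i = 0; e->member_of[i] != NULL; i++) {
        if (!expand_nested_groups(out, e->member_of[i])) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    struct sid_list token = { {0}, 0 };
    expand_nested_groups(&token, "S-1-5-21-1-1-1-1001");
    for (size_t i = 0; i < token.count; i++) {
        printf("%s\n", token.sids[i]);
    }
    return 0;
}
```

Starting from the user SID the walk yields four SIDs (the user plus groups 2001, 2002 and 2003), each exactly once, even though 2001 and 2002 point at each other and 2003 is reachable twice. The membership check runs before the SID is appended, so the recursion terminates on any cycle length.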
Rusty Russell [Thu, 30 Jul 2009 02:22:08 +0000 (11:52 +0930)]
tdb: Reimplementation of Metze's "lib/tdb: if we know pwrite and pread are thread/fork safe tdb_reopen_all() should be a noop".
This version just wraps the reopen code, so we still re-grab the lock and do
the normal sanity checks.
The reason we do this at all is to avoid global fd limits, see:
http://forums.fedoraforum.org/showthread.php?t=210393
Note also that this whole reopen concept is fundamentally racy: if the parent
goes away before the child calls tdb_reopen_all, the database can be left
without an active lock and another TDB_CLEAR_IF_FIRST opener will clear it.
A fork_with_tdbs() wrapper could use a pipe to solve this, but it's hardly
elegant (what if there are other independent things which have similar needs?).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Stefan Metzmacher <metze@samba.org>