The branch, master has been updated via 2ae02ef s3:vfs/shadow_copy2 fix some compiler warnings via 617b636 s3:vfs/shadow_copy2 make descending sort order the default via a7df061 docs:autorid document ignore builtin parameter via 0bedec7 s3:winbindd/autorid add ignore builtin parameter via da97234 docs:autorid document read-only parameter via 2997f2f s3:winbindd/autorid add support for read-only mode via 6bda0f6 docs:autorid document how well-known SIDs will be mapped via 920e3e3 s3:winbindd/autorid preallocate well-known SIDs from e8e5afd krb5samba: Add smb_krb5_make_pac_checksum.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 2ae02efabd5151c849ea079851607e7f45cf7a6f Author: Christian Ambach <a...@samba.org> Date: Tue May 8 09:15:12 2012 +0200 s3:vfs/shadow_copy2 fix some compiler warnings about unused variables Autobuild-User: Christian Ambach <a...@samba.org> Autobuild-Date: Tue May 8 11:15:07 CEST 2012 on sn-devel-104 commit 617b63658b02957422359a76fd8b8e4748d228ee Author: Christian Ambach <a...@samba.org> Date: Tue May 8 09:11:36 2012 +0200 s3:vfs/shadow_copy2 make descending sort order the default otherwise Explorer won't work correctly when trying to restore a folder commit a7df061ddfc9cdb8ea41cf770ce9c28523246d45 Author: Christian Ambach <a...@samba.org> Date: Mon May 7 19:17:18 2012 +0200 docs:autorid document ignore builtin parameter commit 0bedec7abea5f8dea5d6bd1fbb600f7beebabef9 Author: Christian Ambach <a...@samba.org> Date: Mon May 7 19:14:56 2012 +0200 s3:winbindd/autorid add ignore builtin parameter BUILTIN should be handled by passdb, however if passdb does not know about a SID, autorid creates a range for BUILTIN and does deterministic mapping make it possible to turn off this behavior commit da9723478321565fc552cced964d3e72c69f634b Author: Christian Ambach <a...@samba.org> Date: Mon May 7 19:02:23 2012 +0200 docs:autorid document read-only parameter commit 2997f2fe807cde8d22eaf4f253f9a64a8aca833a Author: Christian Ambach <a...@samba.org> Date: Mon May 7 14:19:26 2012 +0200 s3:winbindd/autorid add support for read-only mode make it possible to set read-only = yes for the backend so users can replicate an autorid.tdb to another server to use the same mappings without risking that updates are done on both sides commit 6bda0f6f88d381c93d1a46b46ad7fce7bed2d2de Author: Christian Ambach <a...@samba.org> Date: Mon May 7 19:08:10 2012 +0200 docs:autorid document how well-known SIDs will be mapped they consume space of the allocation pool and a 
list of most known well-known SIDs is preallocated to create a deterministic mapping commit 920e3e301d066d1307f2ca7f21248891e484842e Author: Christian Ambach <a...@samba.org> Date: Fri May 4 17:56:26 2012 +0200 s3:winbindd/autorid preallocate well-known SIDs preallocate the list of well-known SIDs that Win2008R2 reports to be groups and that are on the list in KB243330 This will allow for deterministic mapping of these SIDs, even if they are stored in the allocation pool as this is the first thing that autorid will allocate from the pool during module initialization ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages-3/idmap_autorid.8.xml | 18 +++++- source3/modules/vfs_shadow_copy2.c | 9 +-- source3/winbindd/idmap_autorid.c | 99 +++++++++++++++++++++++++++++-- 3 files changed, 114 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/idmap_autorid.8.xml b/docs-xml/manpages-3/idmap_autorid.8.xml index e563cdd..498ef68 100644 --- a/docs-xml/manpages-3/idmap_autorid.8.xml +++ b/docs-xml/manpages-3/idmap_autorid.8.xml @@ -52,7 +52,11 @@ plan accordingly for your expected number of users in a domain with safety margins. </para> - <para>One range will be used for local users and groups. + <para>One range will be used for local users and groups and for + non-domain well-known SIDs like Everyone (S-1-1-0) or Creator Owner (S-1-3-0). + A chosen list of well-known SIDs will be preallocated on first start + to create deterministic mappings for those.</para> + <para> Thus the number of local users and groups that can be created is limited by this option as well. If you plan to create a large amount of local users or groups, you will need set this parameter accordingly. 
@@ -60,6 +64,18 @@ <para>The default value is 100000.</para> </listitem> </varlistentry> + <varlistentry> + <term>read only = [ yes | no ]</term> + <listitem><para>Turn the module into read-only mode. No new ranges will be allocated + nor will new mappings be created in the idmap pool. Defaults to no.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>ignore builtin = [ yes | no ]</term> + <listitem><para>Ignore any mapping requests for the BUILTIN domain. + Defaults to no.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c index 24356ec..0e6e14f 100644 --- a/source3/modules/vfs_shadow_copy2.c +++ b/source3/modules/vfs_shadow_copy2.c @@ -159,7 +159,7 @@ static char *shadow_copy2_insert_string(TALLOC_CTX *mem_ctx, DEBUG(10, ("strftime failed\n")); return NULL; } - return talloc_asprintf(talloc_tos(), "/%s/%s", + return talloc_asprintf(mem_ctx, "/%s/%s", lp_parm_const_string( SNUM(handle->conn), "shadow", "snapdir", ".snapshots"), @@ -997,8 +997,7 @@ static char *shadow_copy2_find_snapdir(TALLOC_CTX *mem_ctx, return NULL; } -static bool shadow_copy2_snapshot_to_gmt(TALLOC_CTX *mem_ctx, - vfs_handle_struct *handle, +static bool shadow_copy2_snapshot_to_gmt(vfs_handle_struct *handle, const char *name, char *gmt, size_t gmt_len) { @@ -1047,7 +1046,7 @@ static void shadow_copy2_sort_data(vfs_handle_struct *handle, const char *sort; sort = lp_parm_const_string(SNUM(handle->conn), "shadow", - "sort", NULL); + "sort", "desc"); if (sort == NULL) { return; } @@ -1112,7 +1111,7 @@ static int shadow_copy2_get_shadow_copy_data( * directory */ if (!shadow_copy2_snapshot_to_gmt( - tmp_ctx, handle, d->d_name, + handle, d->d_name, snapshot, sizeof(snapshot))) { DEBUG(6, ("shadow_copy2_get_shadow_copy_data: " diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c index ab84104..08dcc65 100644 --- a/source3/winbindd/idmap_autorid.c 
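Review bot: In shadow_copy2_sort_data the `if (sort == NULL) { return; }` guard directly after the changed call looks unreachable now that the default passed to lp_parm_const_string is `"desc"` rather than NULL; that assumes the helper returns its default for an unset parameter, which is outside this hunk. Either drop the guard or keep the reason for the new default next to the code, e.g. `/* "desc" by default: Explorer does not restore folders correctly otherwise */`, so it does not live only in the commit message. The rest of shadow_copy2_sort_data lies outside the hunk.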
+++ b/source3/winbindd/idmap_autorid.c @@ -46,6 +46,7 @@ struct autorid_global_config { uint32_t minvalue; uint32_t rangesize; uint32_t maxranges; + bool ignore_builtin; }; struct autorid_domain_config { @@ -135,17 +136,22 @@ error: } -static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom) +static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom, + bool read_only) { NTSTATUS ret; /* * try to find mapping without locking the database, - * if it is not found create a mapping in a transaction + * if it is not found create a mapping in a transaction unless + * read-only mode has been set */ ret = dbwrap_fetch_uint32(autorid_db, dom->sid, &(dom->domainnum)); - if (!NT_STATUS_IS_OK(ret)) {; + if (!NT_STATUS_IS_OK(ret)) { + if (read_only) { + return NT_STATUS_NOT_FOUND; + } ret = dbwrap_trans_do(autorid_db, idmap_autorid_get_domainrange_action, dom); } @@ -171,6 +177,12 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom, globalcfg = talloc_get_type(commoncfg->private_data, struct autorid_global_config); + if (dom->read_only) { + DEBUG(3, ("Backend is read-only, refusing " + "new allocation request\n")); + return NT_STATUS_UNSUCCESSFUL; + } + /* fetch the range for the allocation pool */ ZERO_STRUCT(domaincfg); @@ -178,7 +190,7 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom, domaincfg.globalcfg = globalcfg; fstrcpy(domaincfg.sid, ALLOC_RANGE); - ret = idmap_autorid_get_domainrange(&domaincfg); + ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only); if (!NT_STATUS_IS_OK(ret)) { DEBUG(3, ("Could not determine range for allocation pool, " 
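Review bot: The read-only refusal is reported with three different status codes: idmap_autorid_get_domainrange returns `NT_STATUS_NOT_FOUND`, idmap_autorid_allocate_id (hunk @@ -171) returns `NT_STATUS_UNSUCCESSFUL`, and idmap_autorid_map_sid_to_id (hunk @@ -413, next line) returns `NT_STATUS_NONE_MAPPED`. Since idmap_autorid_sids_to_unixids keys on `NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) && dom->read_only`, that contract should be written down above idmap_autorid_get_domainrange, e.g. `/* Returns NT_STATUS_NOT_FOUND if read_only is set and no range exists yet */`. The `dom->read_only` argument in the idmap_autorid_allocate_id call (hunk @@ -178) is always false at that point, because the function has already returned on `dom->read_only`; a short comment there would save the reader from looking for a second path.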
@@ -413,6 +425,12 @@ static NTSTATUS idmap_autorid_map_sid_to_id(struct idmap_domain *dom, return ret; } + if (dom->read_only) { + DEBUG(3, ("Not allocating new mapping for %s, because backend " + "is read-only\n", sid_string_dbg(map->sid))); + return NT_STATUS_NONE_MAPPED; + } + DEBUG(10, ("Creating new mapping in pool for %s\n", sid_string_dbg(map->sid))); @@ -475,6 +493,8 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom, ZERO_STRUCT(domaincfg); + DEBUG(10, ("Trying to map %s\n", sid_string_dbg(ids[i]->sid))); + sid_copy(&domainsid, ids[i]->sid); if (!sid_split_rid(&domainsid, &rid)) { DEBUG(4, ("Could not determine domain SID from %s, " @@ -501,11 +521,20 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom, goto failure; } - num_mapped++; + if (ids[i]->status == ID_MAPPED) { + num_mapped++; + } continue; } + /* BUILTIN is passdb's job */ + if (dom_sid_equal(&domainsid, &global_sid_Builtin) && + global->ignore_builtin) { + DEBUG(10, ("Ignoring request for BUILTIN domain\n")); + continue; + } + /* * Check if the domain is around */ @@ -521,7 +550,16 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom, domaincfg.globalcfg = global; sid_to_fstring(domaincfg.sid, &domainsid); - ret = idmap_autorid_get_domainrange(&domaincfg); + ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only); + + /* read-only mode and a new domain range would be required? */ + if (NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) && + dom->read_only) { + DEBUG(10, ("read-only is enabled, did not allocate " + "new range for domain %s\n", + sid_string_dbg(&domainsid))); + continue; + } if (!NT_STATUS_IS_OK(ret)) { DEBUG(3, ("Could not determine range for domain, " 
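Review bot: Both new `continue` paths in idmap_autorid_sids_to_unixids, the ignored BUILTIN request (hunk @@ -501) and the read-only domain-range case (hunk @@ -521), skip the entry without touching `ids[i]->status`, so what the caller sees for that SID depends on how it initialised the array, which is outside these hunks. Setting `ids[i]->status = ID_UNMAPPED;` before each `continue` makes the outcome explicit and independent of the caller, and matches the `num_mapped` accounting that now only counts `ID_MAPPED` entries. The enclosing loop and the function's return value handling are outside the hunks.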
@@ -684,6 +722,49 @@ static NTSTATUS idmap_autorid_saveconfig(struct autorid_global_config *cfg) return status; } +static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom) +{ + const char *groups[] = { "S-1-1-0", "S-1-2-0", "S-1-2-1", + "S-1-3-0", "S-1-3-1", "S-1-3-2", "S-1-3-3", "S-1-3-4", + "S-1-5-1", "S-1-5-2", "S-1-5-3", "S-1-5-4", "S-1-5-6", + "S-1-5-7", "S-1-5-8", "S-1-5-9", "S-1-5-10", "S-1-5-11", + "S-1-5-12", "S-1-5-13", "S-1-5-14", "S-1-5-15", + "S-1-5-17", "S-1-5-18", "S-1-5-19", "S-1-5-20" + }; + + struct id_map **maps; + int i, num; + NTSTATUS status; + + if (dom->read_only) { + return NT_STATUS_OK; + } + + num = sizeof(groups)/sizeof(char*); + + maps = talloc_zero_array(talloc_tos(), struct id_map*, num+1); + if (!maps) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num; i++) { + maps[i] = talloc(maps, struct id_map); + maps[i]->xid.type = ID_TYPE_GID; + maps[i]->sid = dom_sid_parse_talloc(maps, groups[i]); + } + + maps[num] = NULL; + + status = idmap_autorid_sids_to_unixids(dom, maps); + + DEBUG(10,("Preallocation run finished with status %s\n", + nt_errstr(status))); + + talloc_free(maps); + + return NT_STATUS_IS_OK(status)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL; +} + static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) { struct idmap_tdb_common_context *commonconfig; @@ -798,6 +879,9 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) DEBUG(5, ("%d domain ranges with a size of %d are available\n", config->maxranges, config->rangesize)); + config->ignore_builtin = lp_parm_bool(-1, "idmap config *", + "ignore builtin", false); + /* fill the TDB common configuration */ commonconfig->private_data = config; @@ -810,6 +894,9 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) dom->private_data = commonconfig; + /* preallocate well-known SIDs in the pool */ + status = idmap_autorid_preallocate_wellknown(dom); + goto done; error: -- Samba Shared Repository
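Review bot: In the loop of idmap_autorid_preallocate_wellknown neither `talloc(maps, struct id_map)` nor `dom_sid_parse_talloc(maps, groups[i])` is checked, so an allocation failure dereferences NULL on `maps[i]->xid.type` or hands a NULL `sid` to idmap_autorid_sids_to_unixids, which logs `sid_string_dbg(ids[i]->sid)` for every entry. The table length should come from `ARRAY_SIZE(groups)` rather than `sizeof(groups)/sizeof(char*)`, and the final return discards the real status from idmap_autorid_sids_to_unixids by collapsing it to `NT_STATUS_UNSUCCESSFUL`; if the caller only needs OK/not-OK that is fine, but a comment should say so. The rewritten loop below returns `NT_STATUS_NO_MEMORY` and frees `maps` on either failure; for these constant SID strings a NULL from dom_sid_parse_talloc can only be an allocation failure.
```c
static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom)
{
	/* … unchanged: groups[] table, locals, read-only early return … */

	num = ARRAY_SIZE(groups);

	maps = talloc_zero_array(talloc_tos(), struct id_map*, num+1);
	if (!maps) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i = 0; i < num; i++) {
		maps[i] = talloc(maps, struct id_map);
		if (maps[i] == NULL) {
			talloc_free(maps);
			return NT_STATUS_NO_MEMORY;
		}
		maps[i]->xid.type = ID_TYPE_GID;
		maps[i]->sid = dom_sid_parse_talloc(maps, groups[i]);
		if (maps[i]->sid == NULL) {
			/* constant, well-formed strings: only an allocation failure gets here */
			talloc_free(maps);
			return NT_STATUS_NO_MEMORY;
		}
	}

	/* … unchanged: NULL terminator, sids_to_unixids call, DEBUG, talloc_free, return … */
```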
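Review bot: Assigning the preallocation result to `status` right before `goto done` in idmap_autorid_initialize (hunk @@ -810) presumably makes a failed preallocation fail the whole module initialization, because idmap_autorid_preallocate_wellknown turns every non-OK result of idmap_autorid_sids_to_unixids into `NT_STATUS_UNSUCCESSFUL` (hunk @@ -684). Whether an otherwise fully configured backend should refuse to start in that case is a policy choice; if intended, record it with `/* preallocation failure is fatal: well-known SIDs would otherwise map non-deterministically */`, and if not, log the failure and leave the status set earlier in the function untouched. What `done:` does with `status` is outside the hunk.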