The branch, master has been updated
       via  e14bf39 s4-selftest: Always set vfs objects in selftest smb.conf
       via  123ee7f s4-selftest: Add test for samba-tool ntacl sysvolcheck
       via  ebcdc4a s4-samba-tool: Add samba-tool ntacl sysvolcheck command
       via  0aed291 s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum
       via  e058dfb s3-pysmbd: Fix return type of smbd.get_nt_acl
       via  e8e24a2 s3-smbd: Add talloc_stackframe() to get_nt_acl_no_snum()
       via  7cf50b9 s4-selftest: Add testing of samba-tool ntacl sysvolreset
       via  8c71dc3 param: Add startup checks for valid server role/binary combinations
       via  332efe1 s3-pysmbd: Fix error message
       via  7e7ed72 s4-provision: Fix internal documentation
       via  51e3547 s3-pysmbd: Allow a mode to be specified for the simple ACL
       via  8f90919 s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool
       via  56fd072 selftest: Add a test of the NT ACL -> posix ACL mapping layer to selftest
       via  4fe344e selftest: Cope with the multiple possible representations of -1 in posixacl.py
       via  bd00c92 selftest: Extend posixacl test to check the actual ACL
       via  318b8cb selftest: Add a test of the NT ACL -> posix ACL mapping layer
       via  b1825c6 s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly
       via  a778662 s4-provision: set POSIX ACLs to for use with the smbd file server (s3fs)
       via  8518dd6 file_server: Move default VFS module settings to loadparm.c
       via  be9a8cf s4-dsdb: Remove unused variables
       via  d1eac79 s4-dsdb: Do not use a possibly-old loadparm context in schema reload
       via  a58ac39 s4-upgradeprovision: Use ntvfs in reference provision
       via  ccac50c selftest: Set --use-ntvfs for rodc, vampire_dc, promoted_vampire_dc and subdom_dc
       via  c1012c6 selftest: Specify --use-ntvfs when testing the group code
       via  b2ff365 selftest: Specify --use-ntvfs when testing the newuser code
       via  2fc6760 selftest: Specify --use-ntvfs when testing the LDAP backend init code
       via  8c7f4f0 selftest: Specify --use-ntvfs for the chdcpass environment
      from  069db9b s3:smb2_break: encrypt OPLOCK BREAK notifications
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit e14bf399cfa767ffa065a1f50df07b3cf446b375
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 20:13:45 2012 +1000

    s4-selftest: Always set vfs objects in selftest smb.conf

    This sets it for all environments, as it is harmless if ntvfs is used
    and critical if the provision script runs in s3fs mode.

    Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Aug 23 16:42:41 CEST 2012 on sn-devel-104

commit 123ee7f9b5e5ccac6740e5fdfff2a8a24f98087d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 10:38:06 2012 +1000

    s4-selftest: Add test for samba-tool ntacl sysvolcheck

commit ebcdc4a36be9b79325b11ec0c44a43db93e29519
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 10:37:46 2012 +1000

    s4-samba-tool: Add samba-tool ntacl sysvolcheck command

    This command verifies that the current on-disk ACLs match the directory
    and the defaults from provision. Unlike sysvolreset, this does not
    change any of the permissions.

    Andrew Bartlett

commit 0aed29105e9d8ddcd27a70d7af820da8813ca47b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 09:45:07 2012 +1000

    s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum

    I need to get at the owner, group, DACL and SACL when testing correct
    ACL storage.

    Andrew Bartlett

commit e058dfb3b0714da229d1bddf96c72611af7b1fab
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 09:39:32 2012 +1000

    s3-pysmbd: Fix return type of smbd.get_nt_acl

    The security_ prefix is stripped off in the python bindings.

    Andrew Bartlett

commit e8e24a251b7625647352764298f108769bbad922
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 09:38:54 2012 +1000

    s3-smbd: Add talloc_stackframe() to get_nt_acl_no_snum()

    This is required because the functions it calls use talloc_tos().

    Andrew Bartlett

commit 7cf50b9f305d6c2cdc57f38c9b4e5f8b73301f8a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 21:19:41 2012 +1000

    s4-selftest: Add testing of samba-tool ntacl sysvolreset

commit 8c71dc3505ab83ce95ab40a56f77313c4448be16
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 21:01:16 2012 +1000

    param: Add startup checks for valid server role/binary combinations

    This should eliminate confusion from our users about what they can
    expect to successfully run.

    Andrew Bartlett

commit 332efe1539d83c0971f151f902f234e5a8bf0690
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 21:00:17 2012 +1000

    s3-pysmbd: Fix error message

commit 7e7ed72bbe8949b828000049a87f87d29f4587c2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 18:35:52 2012 +1000

    s4-provision: Fix internal documentation

commit 51e3547426bcfe9ae086c12bff95dfc31aba5e24
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 18:35:01 2012 +1000

    s3-pysmbd: Allow a mode to be specified for the simple ACL

    The additional group for the ACL is now optional.

    Andrew Bartlett

commit 8f909199c4964a4f501520bb687d88471daf6af6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 18:32:18 2012 +1000

    s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool

    This will reset the NT ACL on the sysvol share to the default from
    provision, with GPO objects matching the LDAP ACL (as required).

    Andrew Bartlett

commit 56fd072fdd0761d485571d9f9dcfea675bd282e4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 15:52:04 2012 +1000

    selftest: Add a test of the NT ACL -> posix ACL mapping layer to selftest

commit 4fe344ef054e22b3c7ed5ff167a6713e59820a40
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 15:50:20 2012 +1000

    selftest: Cope with the multiple possible representations of -1 in posixacl.py

commit bd00c9286556aacb45fcd457751ccb43ef605329
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 21 23:21:58 2012 +1000

    selftest: Extend posixacl test to check the actual ACL

    Needing to be able to write this test is the primary reason I have been
    reworking the VFS and posix ACL layer over the past few weeks.

    By exposing the POSIX ACL as an IDL object we can easily manipulate it
    in python, and then verify that the ACL was handled correctly.

    This ensures that when we write an ACL in provision, it will indeed
    allow that access at the FS layer.

    We need to extend this beyond just the critical two ACLs set during
    provision, to also include some special (hard) cases involving the
    merging of ACE entries, as this is the most delicate part of the ACL
    transformation.

    A similar test should also be written to read the posix ACL and the
    mapped NT ACL on a file that has never had an NT ACL set.

    Andrew Bartlett

commit 318b8cb4fafcc48bb0f8266171d667a6316f66d4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 21 22:42:54 2012 +1000

    selftest: Add a test of the NT ACL -> posix ACL mapping layer

    This is the start of what will be a series of tests confirming exactly
    how some NT ACLs are mapped to posix ACLs.

    Andrew Bartlett

commit b1825c64215ac304eff8fcd3555e9f5943f3ba63
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 7 16:54:28 2012 +1000

    s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly

    This allows us to write tests that compare the smbd vfs with what is in
    the DB or xattr.

    Andrew Bartlett

commit a778662da8b1dfc65bde55644703f2a3146ef7a8
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 2 16:15:27 2012 +1000

    s4-provision: set POSIX ACLs to for use with the smbd file server (s3fs)

    This handles the fact that smbd will rarely override the POSIX ACL
    enforced by the kernel.

    This has caused issues with the creation of group policies by other
    members of the Domain Admins group.

    Andrew Bartlett

commit 8518dd6406c0132dfd8c44e084c2b39792974f2c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 23:34:24 2012 +1000

    file_server: Move default VFS module settings to loadparm.c

    This means that any utility that calls into the VFS layer will get the
    right modules.

    Because we use the fake_acls backend we need to override this whole
    list in Samba4.pm however.

    Andrew Bartlett

commit be9a8cf4caaec26180c732041aeeb1b1bbda8e9e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 22:13:25 2012 +1000

    s4-dsdb: Remove unused variables

commit d1eac79690d0fe8f8a5a78bcb83a6b4783279e27
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Aug 22 22:08:36 2012 +1000

    s4-dsdb: Do not use a possibly-old loadparm context in schema reload

    The loadparm context on the schema DB might have gone away already.
    Pre-cache the schema refresh interval at load time to avoid worrying
    about this.

    Andrew Bartlett

commit a58ac39a5ae97b3aebfde10466798b41baccaacf
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 17:27:50 2012 +1000

    s4-upgradeprovision: Use ntvfs in reference provision

    We do not need filesystem ACLs set when creating the reference
    provision, so it is easier to use the NTVFS backend as it does not
    cause trouble with make test.

    Andrew Bartlett

commit ccac50c7c45034b0daf6e0fb098b14b0ec01573b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 20:17:57 2012 +1000

    selftest: Set --use-ntvfs for rodc, vampire_dc, promoted_vampire_dc and subdom_dc

commit c1012c6817d7ce378af5e88da12d84f99720bdab
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 21:09:39 2012 +1000

    selftest: Specify --use-ntvfs when testing the group code

    We do not need to set filesystem ACLs in this case.

    Andrew Bartlett

commit b2ff36566b51e99ba224298bf52b4802aa875c15
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 19:35:41 2012 +1000

    selftest: Specify --use-ntvfs when testing the newuser code

    We do not need to set filesystem ACLs in this case.

    Andrew Bartlett

commit 2fc6760d5ab9864486fe3e16fff3963e9d6b63f1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 18:03:45 2012 +1000

    selftest: Specify --use-ntvfs when testing the LDAP backend init code

    We do not need to set filesystem ACLs in this case.

    Andrew Bartlett

commit 8c7f4f05f2e9ee9d1adf4c784dcad813f603af97
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Aug 23 13:27:35 2012 +1000

    selftest: Specify --use-ntvfs for the chdcpass environment

-----------------------------------------------------------------------

Summary of changes:
 file_server/file_server.c                          |   13 +-
 selftest/target/Samba4.pm                          |   17 +-
 source3/nmbd/nmbd.c                                |   10 +
 source3/param/loadparm.c                           |   13 +
 source3/rpc_server/eventlog/srv_eventlog_nt.c      |    2 +-
 source3/smbd/posix_acls.c                          |   15 +-
 source3/smbd/proto.h                               |    2 +-
 source3/smbd/pysmbd.c                              |   71 ++--
 source3/smbd/server.c                              |    7 +
 source3/winbindd/winbindd.c                        |    6 +
 source4/dsdb/samdb/ldb_modules/schema_load.c       |   15 +-
 source4/dsdb/schema/schema.h                       |    1 +
 source4/dsdb/schema/schema_init.c                  |   26 +-
 source4/scripting/python/samba/netcmd/ntacl.py     |  108 +++++-
 source4/scripting/python/samba/ntacls.py           |   77 +++--
 .../scripting/python/samba/provision/__init__.py   |  187 ++++++++--
 source4/scripting/python/samba/tests/ntacls.py     |    4 +-
source4/scripting/python/samba/tests/posixacl.py | 404 ++++++++++++++++++++ .../python/samba/tests/samba_tool/ntacl.py | 70 ++++ source4/scripting/python/samba/upgradehelpers.py | 2 +- source4/selftest/tests.py | 2 + source4/setup/tests/blackbox_group.sh | 2 +- source4/setup/tests/blackbox_newuser.sh | 2 +- source4/setup/tests/blackbox_provision-backend.sh | 10 +- source4/smbd/server.c | 11 + 25 files changed, 927 insertions(+), 150 deletions(-) create mode 100644 source4/scripting/python/samba/tests/posixacl.py create mode 100644 source4/scripting/python/samba/tests/samba_tool/ntacl.py Changeset truncated at 500 lines: diff --git a/file_server/file_server.c b/file_server/file_server.c index 2b9e48a..b6f7382 100644 --- a/file_server/file_server.c +++ b/file_server/file_server.c @@ -50,6 +50,7 @@ static const char *generate_smb_conf(struct task_server *task) fdprintf(fd, "[globals]\n"); fdprintf(fd, "# auto-generated config for fileserver\n"); + fdprintf(fd, "server role check:inhibit=yes\n"); fdprintf(fd, "passdb backend = samba4\n"); fdprintf(fd, "rpc_server:default = external\n"); fdprintf(fd, "rpc_server:svcctl = embedded\n"); @@ -61,15 +62,6 @@ static const char *generate_smb_conf(struct task_server *task) fdprintf(fd, "rpc_daemon:spoolssd = disabled\n"); fdprintf(fd, "rpc_server:tcpip = no\n"); - /* If we are using xattr_tdb:file or posix:eadb then we need to load another VFS object */ - if (lpcfg_parm_string(lp_ctx, NULL, "xattr_tdb", "file")) { - fdprintf(fd, "vfs objects = acl_xattr xattr_tdb\n"); - } else if (lpcfg_parm_string(lp_ctx, NULL, "posix", "eadb")) { - fdprintf(fd, "vfs objects = acl_xattr posix_eadb\n"); - } else { - fdprintf(fd, "vfs objects = acl_xattr\n"); - } - fdprintf(fd, "map hidden = no\n"); fdprintf(fd, "map system = no\n"); fdprintf(fd, "map readonly = no\n"); 
@@ -77,9 +69,6 @@ static const char *generate_smb_conf(struct task_server *task) fdprintf(fd, "include = %s\n", lpcfg_configfile(lp_ctx)); - fdprintf(fd, "[IPC$]\n"); - fdprintf(fd, " vfs objects = dfs_samba4\n"); - close(fd); return path; } diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index b8d245c..5442281 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -534,6 +534,7 @@ sub provision_raw_prepare($$$$$$$$$$) push (@provision_options, "--server-role=\"$ctx->{server_role}\""); push (@provision_options, "--function-level=\"$ctx->{functional_level}\""); push (@provision_options, "--dns-backend=BIND9_DLZ"); + if ($use_ntvfs) { push (@provision_options, "--use-ntvfs"); } @@ -598,6 +599,8 @@ sub provision_raw_step1($$) passdb backend = samba4 + vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot + # remove this again, when our smb2 client library # supports signin on compound related requests server signing = on @@ -1020,7 +1023,7 @@ sub provision_promoted_vampire_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1079,7 +1082,7 @@ sub provision_vampire_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); 
@@ -1142,7 +1145,7 @@ sub provision_subdom_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain "; $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1205,7 +1208,7 @@ sub provision_fl2000dc($$) "samba2000.example.com", "2000", "locDCpass5", - undef, "", 1); + undef, "", "", 1); unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); @@ -1312,7 +1315,7 @@ sub provision_rodc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --server=$dcvars->{DC_SERVER}"; + $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs"; unless (system($cmd) == 0) { warn("RODC join failed\n$cmd"); @@ -1367,8 +1370,6 @@ sub provision_plugin_s4_dc($$) create mask = 755 dos filemode = yes - vfs objects = acl_xattr fake_acls xattr_tdb streams_depot - dcerpc endpoint servers = -winreg -srvsvc printcap name = /dev/null @@ -1442,7 +1443,7 @@ sub provision_chgdcpass($$) "chgdcpassword.samba.example.com", "2008", "chgDCpass1", - undef, 1); + undef, "", "", 1); return undef unless(defined $ret); unless($self->add_wins_config("$prefix/private")) { diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c index 1728bb9..d4df202 100644 --- a/source3/nmbd/nmbd.c +++ b/source3/nmbd/nmbd.c 
@@ -888,6 +888,16 @@ static bool open_sockets(bool isdaemon, int port) exit(1); } + if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC + && !lp_parm_bool(-1, "server role check", "inhibit", false)) { + /* TODO: when we have a merged set of defaults for + * loadparm, we could possibly check if the internal + * nbt server is in the list, and allow a startup if disabled */ + DEBUG(0, ("server role = 'active directory domain controller' not compatible with running nmbd standalone. \n")); + DEBUGADD(0, ("You should start 'samba' instead, and it will control starting the internal nbt server\n")); + exit(1); + } + msg = messaging_init(NULL, server_event_context()); if (msg == NULL) { return 1; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 0b5a0e8..d9ce4b4 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -4902,6 +4902,19 @@ static bool lp_load_ex(const char *pszFname, fault_configure(smb_panic_s3); + if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { + const char **vfs_objects = lp_vfs_objects(-1); + if (!vfs_objects || !vfs_objects[0]) { + if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) { + lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb"); + } else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) { + lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb"); + } else { + lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr"); + } + } + } + bAllowIncludeRegistry = true; return (bRetval); diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c b/source3/rpc_server/eventlog/srv_eventlog_nt.c index 67ab471..a05ea3f 100644 --- a/source3/rpc_server/eventlog/srv_eventlog_nt.c +++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c 
@@ -91,7 +91,7 @@ static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token /* get the security descriptor for the file */ - sec_desc = get_nt_acl_no_snum( info, tdbname ); + sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL); TALLOC_FREE( tdbname ); if ( !sec_desc ) { diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 7e1bab5..c5dea9c 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -4842,15 +4842,16 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char * Assume we are dealing with files (for now) ********************************************************************/ -struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname) +struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted) { struct security_descriptor *psd, *ret_sd; connection_struct *conn; files_struct finfo; struct fd_handle fh; NTSTATUS status; + TALLOC_CTX *frame = talloc_stackframe(); - conn = talloc_zero(ctx, connection_struct); + conn = talloc_zero(frame, connection_struct); if (conn == NULL) { DEBUG(0, ("talloc failed\n")); return NULL; @@ -4858,7 +4859,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna if (!(conn->params = talloc(conn, struct share_params))) { DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n")); - TALLOC_FREE(conn); + TALLOC_FREE(frame); return NULL; } @@ -4869,6 +4870,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna if (!smbd_vfs_init(conn)) { DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n")); conn_free(conn); + TALLOC_FREE(frame); return NULL; } 
@@ -4880,17 +4882,19 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna finfo.fh = &fh; finfo.fh->fd = -1; - status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL, + status = create_synthetic_smb_fname(frame, fname, NULL, NULL, &finfo.fsp_name); if (!NT_STATUS_IS_OK(status)) { conn_free(conn); + TALLOC_FREE(frame); return NULL; } - if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) { + if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, security_info_wanted, &psd))) { DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n")); TALLOC_FREE(finfo.fsp_name); conn_free(conn); + TALLOC_FREE(frame); return NULL; } @@ -4898,6 +4902,7 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna TALLOC_FREE(finfo.fsp_name); conn_free(conn); + TALLOC_FREE(frame); return ret_sd; } diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index aa79688..5a38474 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -729,7 +729,7 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, const SMB_STRUCT_STAT *psbuf, uint16 num_def_acls, const char *pdata); bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata); -struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname); +struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted); NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, const char *name, SMB_STRUCT_STAT *psbuf, diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 6456797..74acc01 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c 
@@ -151,10 +151,13 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname, } -static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid) +static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode) { mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE; - mode_t mode0 = 0; + + mode_t mode_user = (chmod_mode & 0700) >> 16; + mode_t mode_group = (chmod_mode & 070) >> 8; + mode_t mode_other = chmod_mode & 07; SMB_ACL_ENTRY_T entry; SMB_ACL_T acl = sys_acl_init(4); @@ -173,7 +176,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid) return NULL; } - if (sys_acl_set_permset(entry, &mode) != 0) { + if (sys_acl_set_permset(entry, &mode_user) != 0) { TALLOC_FREE(acl); return NULL; } @@ -188,7 +191,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid) return NULL; } - if (sys_acl_set_permset(entry, &mode) != 0) { + if (sys_acl_set_permset(entry, &mode_group) != 0) { TALLOC_FREE(acl); return NULL; } @@ -203,29 +206,31 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid) return NULL; } - if (sys_acl_set_permset(entry, &mode0) != 0) { + if (sys_acl_set_permset(entry, &mode_other) != 0) { TALLOC_FREE(acl); return NULL; } - if (sys_acl_create_entry(&acl, &entry) != 0) { - TALLOC_FREE(acl); - return NULL; - } - - if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) { - TALLOC_FREE(acl); - return NULL; - } - - if (sys_acl_set_qualifier(entry, &gid) != 0) { - TALLOC_FREE(acl); - return NULL; - } - - if (sys_acl_set_permset(entry, &mode) != 0) { - TALLOC_FREE(acl); - return NULL; + if (gid != -1) { + if (sys_acl_create_entry(&acl, &entry) != 0) { + TALLOC_FREE(acl); + return NULL; + } + + if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) { + TALLOC_FREE(acl); + return NULL; + } + + if (sys_acl_set_qualifier(entry, &gid) != 0) { + TALLOC_FREE(acl); + return NULL; + } + + if (sys_acl_set_permset(entry, &mode_group) != 0) { + TALLOC_FREE(acl); + return NULL; + } } if (sys_acl_create_entry(&acl, &entry) != 0) { 
@@ -238,7 +243,7 @@ static SMB_ACL_T make_simple_acl(uid_t uid, gid_t gid) return NULL; } - if (sys_acl_set_permset(entry, &mode0) != 0) { + if (sys_acl_set_permset(entry, &mode) != 0) { TALLOC_FREE(acl); return NULL; } @@ -252,14 +257,14 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args) { NTSTATUS status; char *fname; - int uid, gid; + int mode, gid = -1; SMB_ACL_T acl; TALLOC_CTX *frame; - if (!PyArg_ParseTuple(args, "sii", &fname, &uid, &gid)) + if (!PyArg_ParseTuple(args, "si|i", &fname, &mode, &gid)) return NULL; - acl = make_simple_acl(uid, gid); + acl = make_simple_acl(gid, mode); frame = talloc_stackframe(); @@ -310,8 +315,8 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args) ret = SMB_VFS_CHOWN( conn, fname, uid, gid); if (ret != 0) { - status = map_nt_error_from_unix_common(ret); - DEBUG(0,("chwon returned failure: %s\n", strerror(ret))); + status = map_nt_error_from_unix_common(errno); + DEBUG(0,("chown returned failure: %s\n", strerror(errno))); } conn_free(conn); @@ -367,17 +372,17 @@ static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args) static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args) { char *fname; - int security_info_sent; + int security_info_wanted; PyObject *py_sd; struct security_descriptor *sd; TALLOC_CTX *tmp_ctx = talloc_new(NULL); - if (!PyArg_ParseTuple(args, "si", &fname, &security_info_sent)) + if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted)) return NULL; - sd = get_nt_acl_no_snum(tmp_ctx, fname); + sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted); - py_sd = py_return_ndr_struct("samba.dcerpc.security", "security_descriptor", sd, sd); + py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd); talloc_free(tmp_ctx); diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 6abf8cc..d53b19a 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c 
@@ -1227,6 +1227,13 @@ extern void build_options(bool screen); exit(1); } + if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC + && !lp_parm_bool(-1, "server role check", "inhibit", false)) { + DEBUG(0, ("server role = 'active directory domain controller' not compatible with running smbd standalone. \n")); + DEBUGADD(0, ("You should start 'samba' instead, and it will control starting smbd if required\n")); + exit(1); + } + /* ...NOTE... Log files are working from this point! */ DEBUG(3,("loaded services\n")); diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index c43b585..eab62a7 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1406,6 +1406,12 @@ int main(int argc, char **argv, char **envp) */ dump_core_setup("winbindd", lp_logfile(talloc_tos())); + if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { + DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the winbindd binary. \n")); + DEBUGADD(0, ("You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one\n")); + exit(1); + } + /* Initialise messaging system */ if (winbind_messaging_context() == NULL) { diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c index be7915e..faaf3f2 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_load.c +++ b/source4/dsdb/samdb/ldb_modules/schema_load.c 
@@ -159,17 +159,9 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct { uint64_t current_usn, value; int ret; - struct ldb_result *res; - struct ldb_request *treq; - struct ldb_seqnum_request *tseq; - struct ldb_seqnum_result *tseqr; - struct dsdb_control_current_partition *ctrl; struct ldb_context *ldb = ldb_module_get_ctx(module); struct dsdb_schema *new_schema; - int interval; - time_t ts, lastts; - struct loadparm_context *lp_ctx = - (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"); + time_t ts, lastts; struct schema_load_private_data *private_data = talloc_get_type(ldb_module_get_private(module), struct schema_load_private_data); if (!private_data) { @@ -184,9 +176,8 @@ static struct dsdb_schema *dsdb_schema_refresh(struct ldb_module *module, struct lastts = schema->last_refresh; ts = time(NULL); - interval = lpcfg_parm_int(lp_ctx, NULL, "dsdb", "schema_reload_interval", 120); - if (lastts > (ts - interval)) { - DEBUG(11, ("Less than %d seconds since last reload, returning cached version ts = %d\n", interval, (int)lastts)); + if (lastts > (ts - schema->refresh_interval)) { + DEBUG(11, ("Less than %d seconds since last reload, returning cached version ts = %d\n", (int)schema->refresh_interval, (int)lastts)); return schema; } diff --git a/source4/dsdb/schema/schema.h b/source4/dsdb/schema/schema.h index 81ac129..eb288e6 100644 --- a/source4/dsdb/schema/schema.h +++ b/source4/dsdb/schema/schema.h @@ -247,6 +247,7 @@ struct dsdb_schema { bool refresh_in_progress; time_t ts_last_change; time_t last_refresh; + time_t refresh_interval; /* This 'opaque' is stored in the metadata and is used to check if the currently * loaded schema needs a reload because another process has signaled that it has been * requested to reload the schema (either due through DRS or via the schemaUpdateNow). diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c index 8385ac2..752d4f5 100644 
--- a/source4/dsdb/schema/schema_init.c +++ b/source4/dsdb/schema/schema_init.c @@ -39,6 +39,7 @@ struct dsdb_schema *dsdb_new_schema(TALLOC_CTX *mem_ctx) if (!schema) { -- Samba Shared Repository
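Review bot: the shift amounts in make_simple_acl (source3/smbd/pysmbd.c hunk) are wrong: `mode_t mode_user = (chmod_mode & 0700) >> 16;` and `mode_t mode_group = (chmod_mode & 070) >> 8;` shift the masked bits entirely out of the value, so mode_user and mode_group are always 0 and every ACL entry that receives them (the first two set_permset calls and the optional `gid != -1` group entry) ends up with no permissions, whatever mode the Python caller passes. To pull the owner and group triplets down to the low three bits, as `chmod_mode & 07` already does for mode_other, the shifts should be `>> 6` and `>> 3`. Since the sysvol ACLs that `samba-tool ntacl sysvolreset` writes go through this path, the new posixacl test should also set a non-trivial mode (for example 0770) and assert on the permsets it reads back, which would have caught this.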
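Review bot: in get_nt_acl_no_snum (source3/smbd/posix_acls.c hunk) the first error path still leaks the new stack frame: after `TALLOC_CTX *frame = talloc_stackframe();` the branch `if (conn == NULL) { DEBUG(0, ("talloc failed\n")); return NULL; }` returns without `TALLOC_FREE(frame);`, while every later exit in the function was updated to free it. Add the free there. A short comment above `return ret_sd;` noting that the returned descriptor must be allocated on the caller's ctx rather than on frame (which is freed just before the return) would also help the next person who touches this function.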
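Review bot: py_smbd_get_nt_acl (source3/smbd/pysmbd.c hunk) allocates `TALLOC_CTX *tmp_ctx = talloc_new(NULL);` before `PyArg_ParseTuple`, so a bad argument tuple returns NULL and leaks tmp_ctx; either allocate after the argument check or free it on that path. In the same function, `sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);` is passed straight to py_return_ndr_struct with no NULL check; raising a Python exception when sd is NULL would give `samba-tool ntacl sysvolcheck` a clear failure instead of relying on what the binding does with a NULL pointer.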
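Review bot: the call-site changes in selftest/target/Samba4.pm look inconsistent: provision_fl2000dc goes from `undef, "", 1);` to `undef, "", "", 1);` (one extra positional argument) while provision_chgdcpass goes from `undef, 1);` to `undef, "", "", 1);` (two extra), and the hunk shows neither the updated signature nor where `$use_ntvfs` is assigned in provision_raw_prepare. Please confirm that every caller now lines up with the parameter list behind the `($$$$$$$$$$)` prototype, or pass these flags as a hash of named options so that adding one cannot silently shift the later parameters.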
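Review bot: the new role check in source3/winbindd/winbindd.c has no escape hatch, whereas the equivalent checks added in source3/smbd/server.c and source3/nmbd/nmbd.c honour `lp_parm_bool(-1, "server role check", "inhibit", false)`, which the generated file_server smb.conf sets via `server role check:inhibit=yes`. If the omission is deliberate because the AD DC runs its own winbindd implementation, as the message in the hunk says, a one-line comment saying so would stop the next reader from "fixing" the inconsistency; otherwise add the same guard so all three binaries behave uniformly.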
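Review bot: the block added to lp_load_ex in source3/param/loadparm.c applies the dfs_samba4/acl_xattr defaults only when `lp_vfs_objects(-1)` is completely empty; an smb.conf for an AD DC that sets `vfs objects` to a list without acl_xattr is accepted silently, even though the first commit message calls that module critical when provision runs in s3fs mode. Consider emitting a DEBUG(0, ...) warning when the role is ROLE_ACTIVE_DIRECTORY_DC and acl_xattr is absent from the configured list, and documenting the new defaults under `vfs objects` in the smb.conf manual page.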
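Review bot: dsdb_schema_refresh (source4/dsdb/samdb/ldb_modules/schema_load.c hunk) now depends on `schema->refresh_interval`, but the hunk that initialises the new field in schema_init.c falls past the 500-line truncation of this mail. Please confirm it is set in dsdb_new_schema: with a zero default, `if (lastts > (ts - schema->refresh_interval))` is never true, so the cached-schema path would be skipped and the schema reloaded on every call.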