The branch, master has been updated
via 9e75484 smbd: Remove unused "share_mode_data->id"
via 698f7f2 smbd: Keep "the_lock"s file id separately
via ede6f44 smbd: Avoid checking the_lock->id for fresh locks
via c416b34 smbd: Explicitly pass "file_id" to rename_share_filename
via b27c5ca smbd: Use fsp->file_id in open_file_ntcreate
via a5cd8a5 smbd: Explicitly pass "file_id" to schedule_defer_open
via a699f0e smbd: Explicitly pass "file_id" to rename_open_files
via cfa6fe8 dfs_server: randomize the server redirect set
via 6034ab5 s3: smbd: Ensure we always go via getgroups_unix_user()
when creating an NT token.
from efad13a build: Exclude source4/selftest/provisions/release-4-1-0rc3
from the tarball
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9e754840deea6e098abc2b05589f73a37d042693
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:58:19 2014 +0100
smbd: Remove unused "share_mode_data->id"
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Fri Mar 21 21:22:24 CET 2014 on sn-devel-104
commit 698f7f21c2dd3a8eaaccee32bf8dd7d36e8c794e
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:57:19 2014 +0100
smbd: Keep "the_lock"s file id separately
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit ede6f448215a4ee81a1c7701c1cead2cc0a33198
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:53:14 2014 +0100
smbd: Avoid checking the_lock->id for fresh locks
If we just fetched the lock, this check will always be true.
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit c416b34648b6734b7b612d51fa9e151a201768da
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:36:11 2014 +0100
smbd: Explicitly pass "file_id" to rename_share_filename
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit b27c5caae39c1724178830adf1df65afff8d46df
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:45:42 2014 +0100
smbd: Use fsp->file_id in open_file_ntcreate
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit a5cd8a513f18336c3ab84867806631628a656f49
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:36:11 2014 +0100
smbd: Explicitly pass "file_id" to schedule_defer_open
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit a699f0e0a6d1c3582a5d8f5361e5c32b46629451
Author: Volker Lendecke <v...@samba.org>
Date: Thu Mar 20 14:36:11 2014 +0100
smbd: Explicitly pass "file_id" to rename_open_files
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
commit cfa6fe8d6974c35cc50aef2f6cdbbbd9b513e483
Author: Arvid Requate <requ...@univention.de>
Date: Thu Mar 20 22:49:08 2014 +0100
dfs_server: randomize the server redirect set
comply with [MS-DFSC] section 3.2.1.1
Signed-off-by: Arvid Requate <requ...@univention.de>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 6034ab521c47fc5f4732398652c9c6847ff92035
Author: Jeremy Allison <j...@samba.org>
Date: Thu Mar 20 12:39:10 2014 -0700
s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT
token.
This has to be done in every code path that creates
an NT token, as remote users may have been added to
the local /etc/group database. Tokens created merely
from the info3 structs (via the DC or via the krb5 PAC)
won't have these local groups.
https://bugzilla.samba.org/show_bug.cgi?id=10508
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Simo Sorce <i...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
dfs_server/dfs_server_ad.c | 20 ++++++++++++
source3/auth/token_util.c | 61 +++++++++++++++++++++++++++++++++++++
source3/librpc/idl/open_files.idl | 1 -
source3/locking/locking.c | 5 ++-
source3/locking/proto.h | 1 +
source3/locking/share_mode_lock.c | 13 +++++---
source3/smbd/open.c | 9 +++--
source3/smbd/reply.c | 10 ++++--
8 files changed, 104 insertions(+), 16 deletions(-)
Changeset truncated at 500 lines:
diff --git a/dfs_server/dfs_server_ad.c b/dfs_server/dfs_server_ad.c
index 504ab79..5e2634f 100644
--- a/dfs_server/dfs_server_ad.c
+++ b/dfs_server/dfs_server_ad.c
@@ -38,6 +38,24 @@ struct dc_set {
uint32_t count;
};
+static void shuffle_dc_set(struct dc_set *list)
+{
+ uint32_t i;
+
+ srandom(time(NULL));
+
+ for (i = list->count; i > 1; i--) {
+ uint32_t r;
+ const char *tmp;
+
+ r = random() % i;
+
+ tmp = list->names[i - 1];
+ list->names[i - 1] = list->names[r];
+ list->names[r] = tmp;
+ }
+}
+
/*
fill a referral type structure
*/
@@ -265,6 +283,8 @@ static NTSTATUS get_dcs_insite(TALLOC_CTX *ctx, struct
ldb_context *ldb,
talloc_free(msg);
}
+ shuffle_dc_set(list);
+
talloc_free(r);
return NT_STATUS_OK;
}
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 936846c..bccf1db 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -394,8 +394,69 @@ static NTSTATUS finalize_local_nt_token(struct
security_token *result,
{
struct dom_sid dom_sid;
gid_t gid;
+ uid_t uid;
NTSTATUS status;
+ /* result->sids[0] is always the user sid. */
+ if (sid_to_uid(&result->sids[0], &uid)) {
+ /*
+ * Now we must get any groups this user has been
+ * added to in /etc/group and merge them in.
+ * This has to be done in every code path
+ * that creates an NT token, as remote users
+ * may have been added to the local /etc/group
+ * database. Tokens created merely from the
+ * info3 structs (via the DC or via the krb5 PAC)
+ * won't have these local groups. Note the
+ * groups added here will only be UNIX groups
+ * (S-1-22-2-XXXX groups) as getgroups_unix_user()
+ * turns off winbindd before calling getgroups().
+ *
+ * NB. This is duplicating work already
+ * done in the 'unix_user:' case of
+ * create_token_from_sid() but won't
+ * do anything other than be inefficient
+ * in that case.
+ */
+ struct passwd *pass = NULL;
+ gid_t *gids = NULL;
+ uint32_t getgroups_num_group_sids = 0;
+ int i;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ pass = getpwuid_alloc(tmp_ctx, uid);
+ if (pass == NULL) {
+ DEBUG(1, ("getpwuid(%u) failed\n",
+ (unsigned int)uid));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
+ &gids, &getgroups_num_group_sids)) {
+ DEBUG(1, ("getgroups_unix_user for user %s failed\n",
+ pass->pw_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ for (i=0; i<getgroups_num_group_sids; i++) {
+ struct dom_sid grp_sid;
+ gid_to_sid(&grp_sid, gids[i]);
+
+ status = add_sid_to_array_unique(result,
+ &grp_sid,
+ &result->sids,
+ &result->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Failed to add UNIX SID to nt
token\n"));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+ }
+ TALLOC_FREE(tmp_ctx);
+ }
+
/* Add in BUILTIN sids */
status = add_sid_to_array(result, &global_sid_World,
diff --git a/source3/librpc/idl/open_files.idl
b/source3/librpc/idl/open_files.idl
index 686bc02..0ebc819 100644
--- a/source3/librpc/idl/open_files.idl
+++ b/source3/librpc/idl/open_files.idl
@@ -41,7 +41,6 @@ interface open_files
[string,charset(UTF8)] char *servicepath;
[string,charset(UTF8)] char *base_name;
[string,charset(UTF8)] char *stream_name;
- file_id id;
uint32 num_share_modes;
[size_is(num_share_modes)] share_mode_entry share_modes[];
uint32 num_delete_tokens;
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index 54c92b1..4ef6b89 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -468,6 +468,7 @@ struct share_mode_lock
*get_existing_share_mode_lock(TALLOC_CTX *mem_ctx,
bool rename_share_filename(struct messaging_context *msg_ctx,
struct share_mode_lock *lck,
+ struct file_id id,
const char *servicepath,
uint32_t orig_name_hash,
uint32_t new_name_hash,
@@ -523,7 +524,7 @@ bool rename_share_filename(struct messaging_context
*msg_ctx,
return False;
}
- push_file_id_24(frm, &d->id);
+ push_file_id_24(frm, &id);
DEBUG(10,("rename_share_filename: msg_len = %u\n", (unsigned
int)msg_len ));
@@ -565,7 +566,7 @@ bool rename_share_filename(struct messaging_context
*msg_ctx,
"pid %s file_id %s sharepath %s base_name %s "
"stream_name %s\n",
procid_str_static(&se->pid),
- file_id_string_tos(&d->id),
+ file_id_string_tos(&id),
d->servicepath, d->base_name,
has_stream ? d->stream_name : ""));
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
index a897fea..dc115e1 100644
--- a/source3/locking/proto.h
+++ b/source3/locking/proto.h
@@ -164,6 +164,7 @@ struct share_mode_lock
*fetch_share_mode_unlocked(TALLOC_CTX *mem_ctx,
struct file_id id);
bool rename_share_filename(struct messaging_context *msg_ctx,
struct share_mode_lock *lck,
+ struct file_id id,
const char *servicepath,
uint32_t orig_name_hash,
uint32_t new_name_hash,
diff --git a/source3/locking/share_mode_lock.c
b/source3/locking/share_mode_lock.c
index 5d0874c..5e25404 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -331,7 +331,6 @@ static struct share_mode_lock *get_share_mode_lock_internal(
TALLOC_FREE(rec);
return NULL;
}
- d->id = id;
d->record = talloc_move(d, &rec);
talloc_set_destructor(d, share_mode_data_destructor);
@@ -351,10 +350,12 @@ static struct share_mode_lock
*get_share_mode_lock_internal(
* talloc_reference.
*/
static struct share_mode_lock *the_lock;
+static struct file_id the_lock_id;
static int the_lock_destructor(struct share_mode_lock *l)
{
the_lock = NULL;
+ ZERO_STRUCT(the_lock_id);
return 0;
}
@@ -384,16 +385,18 @@ struct share_mode_lock *get_share_mode_lock(
goto fail;
}
talloc_set_destructor(the_lock, the_lock_destructor);
+ the_lock_id = id;
} else {
+ if (!file_id_equal(&the_lock_id, &id)) {
+ DEBUG(1, ("Can not lock two share modes "
+ "simultaneously\n"));
+ goto fail;
+ }
if (talloc_reference(lck, the_lock) == NULL) {
DEBUG(1, ("talloc_reference failed\n"));
goto fail;
}
}
- if (!file_id_equal(&the_lock->data->id, &id)) {
- DEBUG(1, ("Can not lock two share modes simultaneously\n"));
- goto fail;
- }
lck->data = the_lock->data;
return lck;
fail:
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index f995c0b..d05c9ec 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1738,6 +1738,7 @@ static NTSTATUS fcb_or_dos_open(struct smb_request *req,
}
static void schedule_defer_open(struct share_mode_lock *lck,
+ struct file_id id,
struct timeval request_time,
struct smb_request *req)
{
@@ -1768,7 +1769,7 @@ static void schedule_defer_open(struct share_mode_lock
*lck,
state.delayed_for_oplocks = True;
state.async_open = false;
- state.id = lck->data->id;
+ state.id = id;
if (!request_timed_out(request_time, timeout)) {
defer_open(lck, request_time, timeout, req, &state);
@@ -2412,7 +2413,7 @@ static NTSTATUS open_file_ntcreate(connection_struct
*conn,
}
if (delay_for_oplock(fsp, 0, lck, false, create_disposition)) {
- schedule_defer_open(lck, request_time, req);
+ schedule_defer_open(lck, fsp->file_id, request_time,
req);
TALLOC_FREE(lck);
DEBUG(10, ("Sent oplock break request to kernel "
"oplock holder\n"));
@@ -2425,7 +2426,7 @@ static NTSTATUS open_file_ntcreate(connection_struct
*conn,
*/
state.delayed_for_oplocks = false;
state.async_open = false;
- state.id = lck->data->id;
+ state.id = fsp->file_id;
defer_open(lck, request_time, timeval_set(0, 0), req, &state);
TALLOC_FREE(lck);
DEBUG(10, ("No Samba oplock around after EWOULDBLOCK. "
@@ -2525,7 +2526,7 @@ static NTSTATUS open_file_ntcreate(connection_struct
*conn,
fsp, oplock_request, lck,
NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION),
create_disposition)) {
- schedule_defer_open(lck, request_time, req);
+ schedule_defer_open(lck, fsp->file_id, request_time, req);
TALLOC_FREE(lck);
fd_close(fsp);
return NT_STATUS_SHARING_VIOLATION;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b189d66..9603975 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -6101,6 +6101,7 @@ static bool resolve_wildcards(TALLOC_CTX *ctx,
static void rename_open_files(connection_struct *conn,
struct share_mode_lock *lck,
+ struct file_id id,
uint32_t orig_name_hash,
const struct smb_filename *smb_fname_dst)
{
@@ -6109,7 +6110,7 @@ static void rename_open_files(connection_struct *conn,
NTSTATUS status;
uint32_t new_name_hash = 0;
- for(fsp = file_find_di_first(conn->sconn, lck->data->id); fsp;
+ for(fsp = file_find_di_first(conn->sconn, id); fsp;
fsp = file_find_di_next(fsp)) {
/* fsp_name is a relative path under the fsp. To change this
for other
sharepaths we need to manipulate relative paths. */
@@ -6135,12 +6136,12 @@ static void rename_open_files(connection_struct *conn,
if (!did_rename) {
DEBUG(10, ("rename_open_files: no open files on file_id %s "
- "for %s\n", file_id_string_tos(&lck->data->id),
+ "for %s\n", file_id_string_tos(&id),
smb_fname_str_dbg(smb_fname_dst)));
}
/* Send messages to all smbd's (not ourself) that the name has changed.
*/
- rename_share_filename(conn->sconn->msg_ctx, lck, conn->connectpath,
+ rename_share_filename(conn->sconn->msg_ctx, lck, id, conn->connectpath,
orig_name_hash, new_name_hash,
smb_fname_dst);
@@ -6498,7 +6499,8 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
notify_rename(conn, fsp->is_directory, fsp->fsp_name,
smb_fname_dst);
- rename_open_files(conn, lck, fsp->name_hash, smb_fname_dst);
+ rename_open_files(conn, lck, fsp->file_id, fsp->name_hash,
+ smb_fname_dst);
/*
* A rename acts as a new file create w.r.t. allowing an
initial delete
--
Samba Shared Repository
