The branch, master has been updated
via 6a4957d35d50e6508917aca62b282ae4904187c8 (commit)
via afbfbd7f4c656fa4ed036314837024be8cd634c9 (commit)
via bf04324592695fd6e711ba25a89d47e1b61fa33e (commit)
from 9d2c2a7a0e9e69c8fa2ce81af79007da0e32605b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6a4957d35d50e6508917aca62b282ae4904187c8
Author: Michael Adam <[EMAIL PROTECTED]>
Date: Sun Nov 23 22:59:40 2008 +0100
UNFINISHED - s3:idmap_ad: multi-domain
Michael
commit afbfbd7f4c656fa4ed036314837024be8cd634c9
Author: Michael Adam <[EMAIL PROTECTED]>
Date: Mon Nov 17 10:29:41 2008 +0100
[s3]zfsacl: "return" is not a function.
Michael
commit bf04324592695fd6e711ba25a89d47e1b61fa33e
Author: Nils Goroll <[EMAIL PROTECTED]>
Date: Mon Nov 17 00:55:16 2008 +0100
[s3]zfsacl: Prevent calling POSIX ACL vfs methods on zfs share.
This is a proposed fix for Bugs #5135 and #5446.
Signed-off-by: Michael Adam <[EMAIL PROTECTED]>
-----------------------------------------------------------------------
Summary of changes:
source3/modules/vfs_zfsacl.c | 83 +++++++++++++++++++++++
source3/winbindd/idmap_ad.c | 152 +++++++++++++++++++++++-------------------
2 files changed, 166 insertions(+), 69 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 3688b23..a5b0490 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -212,9 +212,92 @@ static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct
*handle,
return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
}
+/* [EMAIL PROTECTED] 2008-06-16 :
+
+ See also
+ - https://bugzilla.samba.org/show_bug.cgi?id=5446
+ - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240
+
+ Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2)
+ with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for
+ use by samba in this module.
+
+ As the acl(2) interface is identical for ZFS and for NFS, this module,
+ vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4
+ mounts on Solaris.
+
+ But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL
+ / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client
+ implemets a compatibility wrapper, which will make calls to
+ traditional ACL calls though vfs_solarisacl succeed. As the
+ compatibility wrapper's implementation is (by design) incomplete,
+ we want to make sure that it is never being called.
+
+ As long as Samba does not support an exiplicit method for a module
+ to define conflicting vfs methods, we should override all conflicting
+ methods here.
+
+ For this to work, we need to make sure that this module is initialised
+ *after* vfs_solarisacl
+
+ Function declarations taken from vfs_solarisacl
+*/
+
+SMB_ACL_T zfsacl_fail__sys_acl_get_file(vfs_handle_struct *handle,
+ const char *path_p,
+ SMB_ACL_TYPE_T type)
+{
+ return (SMB_ACL_T)NULL;
+}
+SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle,
+ files_struct *fsp,
+ int fd)
+{
+ return (SMB_ACL_T)NULL;
+}
+
+int zfsacl_fail__sys_acl_set_file(vfs_handle_struct *handle,
+ const char *name,
+ SMB_ACL_TYPE_T type,
+ SMB_ACL_T theacl)
+{
+ return -1;
+}
+
+int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle,
+ files_struct *fsp,
+ int fd, SMB_ACL_T theacl)
+{
+ return -1;
+}
+
+int zfsacl_fail__sys_acl_delete_def_file(vfs_handle_struct *handle,
+ const char *path)
+{
+ return -1;
+}
+
/* VFS operations structure */
static vfs_op_tuple zfsacl_ops[] = {
+ /* invalidate conflicting VFS methods */
+ {SMB_VFS_OP(zfsacl_fail__sys_acl_get_file),
+ SMB_VFS_OP_SYS_ACL_GET_FILE,
+ SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(zfsacl_fail__sys_acl_get_fd),
+ SMB_VFS_OP_SYS_ACL_GET_FD,
+ SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(zfsacl_fail__sys_acl_set_file),
+ SMB_VFS_OP_SYS_ACL_SET_FILE,
+ SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(zfsacl_fail__sys_acl_set_fd),
+ SMB_VFS_OP_SYS_ACL_SET_FD,
+ SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(zfsacl_fail__sys_acl_delete_def_file),
+ SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,
+ SMB_VFS_LAYER_OPAQUE},
+
+ /* actual methods */
{SMB_VFS_OP(zfsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL,
SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(zfsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL,
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 60a2d86..5904b4f 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -43,31 +43,33 @@
struct idmap_ad_context {
uint32_t filter_low_id;
uint32_t filter_high_id;
+ ADS_STRUCT *ad_idmap_ads;
+ struct posix_schema *ad_schema;
+ enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN;
};
NTSTATUS init_module(void);
-static ADS_STRUCT *ad_idmap_ads = NULL;
-static struct posix_schema *ad_schema = NULL;
-static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN;
-
/************************************************************************
***********************************************************************/
-static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
+static ADS_STRUCT *ad_idmap_cached_connection_internal(struct idmap_domain
*dom)
{
ADS_STRUCT *ads;
ADS_STATUS status;
bool local = False;
fstring dc_name;
struct sockaddr_storage dc_ip;
+ struct idmap_ad_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
- if (ad_idmap_ads != NULL) {
+ if (ctx->ad_idmap_ads != NULL) {
time_t expire;
time_t now = time(NULL);
- ads = ad_idmap_ads;
+ ads = ctx->ad_idmap_ads;
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
@@ -83,8 +85,8 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
ads->is_mine = True;
ads_destroy( &ads );
ads_kdestroy(WINBIND_CCACHE_NAME);
- ad_idmap_ads = NULL;
- TALLOC_FREE( ad_schema );
+ ctx->ad_idmap_ads = NULL;
+ TALLOC_FREE(ctx->ad_schema);
}
}
@@ -118,7 +120,7 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
ads->is_mine = False;
- ad_idmap_ads = ads;
+ ctx->ad_idmap_ads = ads;
return ads;
}
@@ -126,28 +128,31 @@ static ADS_STRUCT
*ad_idmap_cached_connection_internal(void)
/************************************************************************
***********************************************************************/
-static ADS_STRUCT *ad_idmap_cached_connection(void)
+static ADS_STRUCT *ad_idmap_cached_connection(struct idmap_domain *dom)
{
- ADS_STRUCT *ads = ad_idmap_cached_connection_internal();
-
+ ADS_STRUCT *ads = ad_idmap_cached_connection_internal(dom);
+ struct idmap_ad_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
+
if ( !ads )
return NULL;
/* if we have a valid ADS_STRUCT and the schema model is
defined, then we can return here. */
- if ( ad_schema )
+ if ( ctx->ad_schema )
return ads;
/* Otherwise, set the schema model */
- if ( (ad_map_type == WB_POSIX_MAP_SFU) ||
- (ad_map_type == WB_POSIX_MAP_SFU20) ||
- (ad_map_type == WB_POSIX_MAP_RFC2307) )
+ if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
+ (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
+ (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
{
ADS_STATUS schema_status;
- schema_status = ads_check_posix_schema_mapping( NULL, ads,
ad_map_type, &ad_schema);
+ schema_status = ads_check_posix_schema_mapping( NULL, ads,
ctx->ad_map_type, &ctx->ad_schema);
if ( !ADS_ERR_OK(schema_status) ) {
DEBUG(2,("ad_idmap_cached_connection: Failed to obtain
schema details!\n"));
return NULL;
@@ -191,16 +196,16 @@ static NTSTATUS idmap_ad_initialize(struct idmap_domain
*dom,
}
/* schema mode */
- if ( ad_map_type == WB_POSIX_MAP_UNKNOWN )
- ad_map_type = WB_POSIX_MAP_RFC2307;
+ if ( ctx->ad_map_type == WB_POSIX_MAP_UNKNOWN )
+ ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
schema_mode = lp_parm_const_string(-1, config_option, "schema_mode",
NULL);
if ( schema_mode && schema_mode[0] ) {
if ( strequal(schema_mode, "sfu") )
- ad_map_type = WB_POSIX_MAP_SFU;
+ ctx->ad_map_type = WB_POSIX_MAP_SFU;
else if ( strequal(schema_mode, "sfu20" ) )
- ad_map_type = WB_POSIX_MAP_SFU20;
+ ctx->ad_map_type = WB_POSIX_MAP_SFU20;
else if ( strequal(schema_mode, "rfc2307" ) )
- ad_map_type = WB_POSIX_MAP_RFC2307;
+ ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
else
DEBUG(0,("idmap_ad_initialize: Unknown schema_mode
(%s)\n",
schema_mode));
@@ -284,14 +289,14 @@ static NTSTATUS idmap_ad_unixids_to_sids(struct
idmap_domain *dom, struct id_map
return NT_STATUS_NO_MEMORY;
}
- if ( (ads = ad_idmap_cached_connection()) == NULL ) {
+ if ( (ads = ad_idmap_cached_connection(dom)) == NULL ) {
DEBUG(1, ("ADS uninitialized\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- attrs[2] = ad_schema->posix_uidnumber_attr;
- attrs[3] = ad_schema->posix_gidnumber_attr;
+ attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
+ attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
again:
bidx = idx;
@@ -308,7 +313,7 @@ again:
ATYPE_INTERDOMAIN_TRUST);
}
u_filter = talloc_asprintf_append_buffer(u_filter,
"(%s=%lu)",
-
ad_schema->posix_uidnumber_attr,
+
ctx->ad_schema->posix_uidnumber_attr,
(unsigned
long)ids[idx]->xid.id);
CHECK_ALLOC_DONE(u_filter);
break;
@@ -322,7 +327,7 @@ again:
ATYPE_SECURITY_LOCAL_GROUP);
}
g_filter = talloc_asprintf_append_buffer(g_filter,
"(%s=%lu)",
-
ad_schema->posix_gidnumber_attr,
+
ctx->ad_schema->posix_gidnumber_attr,
(unsigned
long)ids[idx]->xid.id);
CHECK_ALLOC_DONE(g_filter);
break;
@@ -405,10 +410,10 @@ again:
continue;
}
- if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
-
ad_schema->posix_uidnumber_attr :
-
ad_schema->posix_gidnumber_attr,
- &id))
+ if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
+
ctx->ad_schema->posix_uidnumber_attr :
+
ctx->ad_schema->posix_gidnumber_attr,
+ &id))
{
DEBUG(1, ("Could not get unix ID\n"));
continue;
@@ -495,14 +500,14 @@ static NTSTATUS idmap_ad_sids_to_unixids(struct
idmap_domain *dom, struct id_map
return NT_STATUS_NO_MEMORY;
}
- if ( (ads = ad_idmap_cached_connection()) == NULL ) {
+ if ( (ads = ad_idmap_cached_connection(dom)) == NULL ) {
DEBUG(1, ("ADS uninitialized\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- attrs[2] = ad_schema->posix_uidnumber_attr;
- attrs[3] = ad_schema->posix_gidnumber_attr;
+ attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
+ attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
again:
filter = talloc_asprintf(memctx, "(&(|"
@@ -592,10 +597,10 @@ again:
continue;
}
- if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
-
ad_schema->posix_uidnumber_attr :
-
ad_schema->posix_gidnumber_attr,
- &id))
+ if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
+
ctx->ad_schema->posix_uidnumber_attr :
+
ctx->ad_schema->posix_gidnumber_attr,
+ &id))
{
DEBUG(1, ("Could not get unix ID\n"));
continue;
@@ -653,7 +658,7 @@ static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
ad_idmap_ads = NULL;
}
- TALLOC_FREE( ad_schema );
+ TALLOC_FREE( ctx->ad_schema );
return NT_STATUS_OK;
}
@@ -671,15 +676,15 @@ static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
/* Sanity check if we have previously been called with a
different schema model */
- if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
- (ad_map_type != WB_POSIX_MAP_SFU) )
+ if ( (ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ctx->ad_map_type != WB_POSIX_MAP_SFU) )
{
DEBUG(0,("nss_sfu_init: Posix Map type has already been set. "
"Mixed schema models not supported!\n"));
return NT_STATUS_NOT_SUPPORTED;
}
- ad_map_type = WB_POSIX_MAP_SFU;
+ ctx->ad_map_type = WB_POSIX_MAP_SFU;
return NT_STATUS_OK;
}
@@ -689,15 +694,15 @@ static NTSTATUS nss_sfu20_init( struct nss_domain_entry
*e )
/* Sanity check if we have previously been called with a
different schema model */
- if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
- (ad_map_type != WB_POSIX_MAP_SFU20) )
+ if ( (ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ctx->ad_map_type != WB_POSIX_MAP_SFU20) )
{
DEBUG(0,("nss_sfu20_init: Posix Map type has already been set.
"
"Mixed schema models not supported!\n"));
return NT_STATUS_NOT_SUPPORTED;
}
- ad_map_type = WB_POSIX_MAP_SFU20;
+ ctx->ad_map_type = WB_POSIX_MAP_SFU20;
return NT_STATUS_OK;
}
@@ -707,15 +712,15 @@ static NTSTATUS nss_rfc2307_init( struct nss_domain_entry
*e )
/* Sanity check if we have previously been called with a
different schema model */
- if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
- (ad_map_type != WB_POSIX_MAP_RFC2307) )
+ if ( (ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ctx->ad_map_type != WB_POSIX_MAP_RFC2307) )
{
DEBUG(0,("nss_rfc2307_init: Posix Map type has already been
set. "
"Mixed schema models not supported!\n"));
return NT_STATUS_NOT_SUPPORTED;
}
- ad_map_type = WB_POSIX_MAP_RFC2307;
+ ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
return NT_STATUS_OK;
}
@@ -725,7 +730,7 @@ static NTSTATUS nss_rfc2307_init( struct nss_domain_entry
*e )
***********************************************************************/
static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
const DOM_SID *sid,
- TALLOC_CTX *ctx,
+ TALLOC_CTX *mem_ctx,
ADS_STRUCT *ads,
LDAPMessage *msg,
char **homedir,
@@ -744,6 +749,9 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
char *sidstr = NULL;
+ struct idmap_ad_context *ctx;
+
+ ctx = talloc_get_type(e->state, struct idmap_ad_context);
/* Only do query if we are online */
if (idmap_is_offline()) {
@@ -755,7 +763,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
ads_internal = ad_idmap_cached_connection();
- if ( !ads_internal || !ad_schema ) {
+ if ( !ads_internal || !ctx->ad_schema ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
@@ -766,12 +774,12 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry
*e,
/* See if we can use the ADS connection struct swe were given */
if (ads) {
- *homedir = ads_pull_string( ads, ctx, msg,
ad_schema->posix_homedir_attr );
- *shell = ads_pull_string( ads, ctx, msg,
ad_schema->posix_shell_attr );
- *gecos = ads_pull_string( ads, ctx, msg,
ad_schema->posix_gecos_attr );
+ *homedir = ads_pull_string( ads, mem_ctx, msg,
ctx->ad_schema->posix_homedir_attr );
+ *shell = ads_pull_string( ads, mem_ctx, msg,
ctx->ad_schema->posix_shell_attr );
+ *gecos = ads_pull_string( ads, mem_ctx, msg,
ctx->ad_schema->posix_gecos_attr );
if (gid) {
- if ( !ads_pull_uint32(ads, msg,
ad_schema->posix_gidnumber_attr, gid ) )
+ if ( !ads_pull_uint32(ads, msg,
ctx->ad_schema->posix_gidnumber_attr, gid ) )
*gid = (uint32)-1;
}
@@ -781,13 +789,13 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry
*e,
/* Have to do our own query */
- attrs[0] = ad_schema->posix_homedir_attr;
- attrs[1] = ad_schema->posix_shell_attr;
- attrs[2] = ad_schema->posix_gecos_attr;
- attrs[3] = ad_schema->posix_gidnumber_attr;
+ attrs[0] = ctx->ad_schema->posix_homedir_attr;
+ attrs[1] = ctx->ad_schema->posix_shell_attr;
+ attrs[2] = ctx->ad_schema->posix_gecos_attr;
+ attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
sidstr = sid_binstring(sid);
- filter = talloc_asprintf(ctx, "(objectSid=%s)", sidstr);
+ filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
SAFE_FREE(sidstr);
if (!filter) {
@@ -801,12 +809,12 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry
*e,
goto done;
}
- *homedir = ads_pull_string(ads_internal, ctx, msg_internal,
ad_schema->posix_homedir_attr);
- *shell = ads_pull_string(ads_internal, ctx, msg_internal,
ad_schema->posix_shell_attr);
- *gecos = ads_pull_string(ads_internal, ctx, msg_internal,
ad_schema->posix_gecos_attr);
+ *homedir = ads_pull_string(ads_internal, mem_ctx, msg_internal,
ctx->ad_schema->posix_homedir_attr);
+ *shell = ads_pull_string(ads_internal, mem_ctx, msg_internal,
ctx->ad_schema->posix_shell_attr);
+ *gecos = ads_pull_string(ads_internal, mem_ctx, msg_internal,
ctx->ad_schema->posix_gecos_attr);
if (gid) {
- if (!ads_pull_uint32(ads_internal, msg_internal,
ad_schema->posix_gidnumber_attr, gid))
+ if (!ads_pull_uint32(ads_internal, msg_internal,
ctx->ad_schema->posix_gidnumber_attr, gid))
*gid = (uint32)-1;
}
@@ -835,6 +843,9 @@ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
LDAPMessage *msg = NULL;
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct idmap_ad_context *ctx;
+
+ ctx = talloc_get_type(e->state, struct idmap_ad_context);
/* Check incoming parameters */
@@ -852,12 +863,12 @@ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
ads_internal = ad_idmap_cached_connection();
- if (!ads_internal || !ad_schema) {
+ if (!ads_internal || !ctx->ad_schema) {
nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
goto done;
}
- attrs[0] = ad_schema->posix_uid_attr;
+ attrs[0] = ctx->ad_schema->posix_uid_attr;
filter = talloc_asprintf(mem_ctx,
"(sAMAccountName=%s)",
@@ -873,7 +884,7 @@ static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
goto done;
}
- *alias = ads_pull_string(ads_internal, mem_ctx, msg,
ad_schema->posix_uid_attr );
+ *alias = ads_pull_string(ads_internal, mem_ctx, msg,
ctx->ad_schema->posix_uid_attr );
if (!*alias) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -908,6 +919,9 @@ static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
char *username;
+ struct idmap_ad_context *ctx;
+
+ ctx = talloc_get_type(e->state, struct idmap_ad_context);
/* Check incoming parameters */
@@ -925,14 +939,14 @@ static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX
*mem_ctx,
--
Samba Shared Repository
