author | Gerald Carter <jerry@samba.org> | 2005-02-03 15:28:51 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2005-02-03 15:28:51 +0000 |
commit | af3843f9378df672c2f691b5ad5990c0bb8db9c7 (patch) | |
tree | 3ca5c261fb9099454ecd515e6af3abacaee77331 | |
parent | 28fb3e15f353a79f4c98b5b0c7cbc901c9a802b1 (diff) | |
download | samba-af3843f9378df672c2f691b5ad5990c0bb8db9c7.tar.gz |
r5204: More merges for 3.0.11-final...
svn merge -r5176:5179 $SVNURL/branches/SAMBA_3_0
svn merge -r5179:5180 $SVNURL/branches/SAMBA_3_0
svn merge -r5183:5191 $SVNURL/branches/SAMBA_3_0
svn merge -r5191:5192 $SVNURL/branches/SAMBA_3_0
svn merge -r5192:5203 $SVNURL/branches/SAMBA_3_0
-rw-r--r-- | WHATSNEW.txt | 16 | ||||
-rw-r--r-- | packaging/Fedora/samba.log | 2 | ||||
-rw-r--r-- | packaging/Fedora/smb.conf | 2 | ||||
-rw-r--r-- | packaging/RedHat/samba.log | 14 | ||||
-rw-r--r-- | packaging/RedHat/smb.conf | 4 | ||||
-rw-r--r-- | source/include/privileges.h | 2 | ||||
-rw-r--r-- | source/include/smb.h | 2 | ||||
-rw-r--r-- | source/lib/privileges.c | 2 | ||||
-rw-r--r-- | source/rpc_server/srv_samr_nt.c | 26 | ||||
-rw-r--r-- | source/utils/net_rpc_join.c | 2 | ||||
-rw-r--r-- | source/web/swat.c | 5 |
11 files changed, 49 insertions, 28 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index bc16df439b0..4300b91178d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -69,9 +69,6 @@ Changes since 3.0.11rc1 commits ------- -o Jeremy Allison <jra@samba.org> - - o Timur Bakeyev <timur@com.bat.ru> * BUG 2263: Guard base64_encode_data_blob() against empty blobs. @@ -87,12 +84,23 @@ o Gerald (Jerry) Carter <jerry@samba.org> * Fix bug enumerating domain trusts in security = ads. * Fix segv in rpcclient's dsenumdomtrusts. * Fix bug in expansion of %U and %G in included filesnames. + * BUG 2291: Restrict creation of server trust and domain trust + accounts to members of the "Domain Admins" group. o Guenther Deschner <gd@samba.org> + * BUG 2291: Call the 'add machine script' for server trust and + domain trust accounts as well as workstation accounts. -o Volker Lendecke <vl@samba.org> +o Levente Farkas <lfarkas@lfarkas.org> + * BUG 2299: Better logrotate scripts for RedHat and Fedora + packages. + + +o Deryck Hodge <deryck@samba.org> + * Add -P (--password-only-menu) to SWAT for displaying only the + password change page to non-root users. o Jason Mader <jason@ncac.gwu.edu> diff --git a/packaging/Fedora/samba.log b/packaging/Fedora/samba.log index 04106239fb1..a3c000ea788 100644 --- a/packaging/Fedora/samba.log +++ b/packaging/Fedora/samba.log @@ -1,4 +1,4 @@ -/var/log/samba/*.log { +/var/log/samba/*.log /var/log/samba/log.smbd /var/log/samba/log.nmbd { notifempty missingok sharedscripts diff --git a/packaging/Fedora/smb.conf b/packaging/Fedora/smb.conf index 5c06c445b31..133e442b1e7 100644 --- a/packaging/Fedora/smb.conf +++ b/packaging/Fedora/smb.conf @@ -43,7 +43,7 @@ # this tells Samba to use a separate log file for each machine # that connects - #log file = /var/log/samba/log.%m + #log file = /var/log/samba/%m.log # all information in one file log file = /var/log/samba/log.smbd diff --git a/packaging/RedHat/samba.log b/packaging/RedHat/samba.log index 4b244099c4f..a3c000ea788 100644 --- a/packaging/RedHat/samba.log 
+++ b/packaging/RedHat/samba.log @@ -1,11 +1,9 @@ -/var/log/samba/log.nmbd { +/var/log/samba/*.log /var/log/samba/log.smbd /var/log/samba/log.nmbd { + notifempty + missingok + sharedscripts + copytruncate postrotate - /usr/bin/killall -HUP nmbd - endscript -} - -/var/log/samba/log.smbd { - postrotate - /usr/bin/killall -HUP smbd + /bin/kill -HUP `cat /var/run/smbd.pid /var/run/nmbd.pid /var/run/winbindd.pid 2> /dev/null` 2> /dev/null || true endscript } diff --git a/packaging/RedHat/smb.conf b/packaging/RedHat/smb.conf index cdc958bc0e0..ba64dad729c 100644 --- a/packaging/RedHat/smb.conf +++ b/packaging/RedHat/smb.conf @@ -43,9 +43,9 @@ # this tells Samba to use a separate log file for each machine # that connects - # log file = /var/log/samba/log.%m + # log file = /var/log/samba/%m.log # all log information in one file - log file = /var/log/samba/smbd.log + log file = /var/log/samba/log.smbd # Put a capping on the size of the log files (in Kb). max log size = 50 diff --git a/source/include/privileges.h b/source/include/privileges.h index 76cabf3ba90..5266e46e3a3 100644 --- a/source/include/privileges.h +++ b/source/include/privileges.h @@ -1,3 +1,4 @@ + /* Unix SMB/CIFS implementation. SMB parameters and setup @@ -59,6 +60,7 @@ typedef struct { /* defined in lib/privilegs.c */ +extern const SE_PRIV se_priv_none; extern const SE_PRIV se_machine_account; extern const SE_PRIV se_print_operator; extern const SE_PRIV se_add_users; diff --git a/source/include/smb.h b/source/include/smb.h index c8946953785..eb7214ecbfe 100644 --- a/source/include/smb.h +++ b/source/include/smb.h 
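Review bot: The new postrotate line sends SIGHUP to whatever pids the three files under /var/run contain, and logrotate runs this script as root, so the pid files and the directory holding them must not be writable by unprivileged users; confirm their ownership and mode before shipping this config, since the old `killall -HUP` form matched on process name rather than on file contents. The trailing `2> /dev/null || true` is presumably there for the case where the daemons are stopped, but it also hides a malformed or stale pid file, so consider keeping stderr and using `|| true` alone. `copytruncate` together with the HUP looks redundant (the daemons keep writing to the truncated file without being signalled), though if the HUP is meant to reload smb.conf as well that should be stated in a comment.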
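Review bot: The first privileges.h hunk adds an empty line before the file's license header, which leaves a stray blank line 1; it looks like an accidental whitespace change and should be dropped. The new `extern const SE_PRIV se_priv_none;` declaration itself matches the definition added in lib/privileges.c.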
@@ -226,7 +226,7 @@ typedef struct nttime_info #define ACB_MNS 0x0020 /* 1 = MNS logon user account */ #define ACB_DOMTRUST 0x0040 /* 1 = Interdomain trust account */ #define ACB_WSTRUST 0x0080 /* 1 = Workstation trust account */ -#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account */ +#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account (BDC) */ #define ACB_PWNOEXP 0x0200 /* 1 = User password does not expire */ #define ACB_AUTOLOCK 0x0400 /* 1 = Account auto locked */ diff --git a/source/lib/privileges.c b/source/lib/privileges.c index 4feb730feeb..3960faecaa9 100644 --- a/source/lib/privileges.c +++ b/source/lib/privileges.c @@ -29,11 +29,11 @@ static SE_PRIV se_priv_all = SE_ALL_PRIVS; static SE_PRIV se_priv_end = SE_END; -static SE_PRIV se_priv_none = SE_NONE; /* Define variables for all privileges so we can use the SE_PRIV* in the various se_priv_XXX() functions */ +const SE_PRIV se_priv_none = SE_NONE; const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT; const SE_PRIV se_print_operator = SE_PRINT_OPERATOR; const SE_PRIV se_add_users = SE_ADD_USERS; diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 7a1c7b79e38..164321cb872 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c 
@@ -2333,17 +2333,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); /* determine which user right we need to check based on the acb_info */ - if ( acb_info == ACB_WSTRUST ) { - se_priv_copy( &se_rights, &se_machine_account ); + + if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST ) + { pstrcpy(add_script, lp_addmachine_script()); - } - else { - se_priv_copy( &se_rights, &se_add_users ); + se_priv_copy( &se_rights, &se_machine_account ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL ) + { pstrcpy(add_script, lp_adduser_script()); + se_priv_copy( &se_rights, &se_add_users ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) ) + { + pstrcpy(add_script, lp_addmachine_script()); + /* only Domain Admins can add a BDC or domain trust */ + se_priv_copy( &se_rights, &se_priv_none ); + can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - - can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - + DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", p->pipe_user_name, can_add_account ? "True":"False" )); diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c index f1a41c7c99c..ed196de6c1f 100644 --- a/source/utils/net_rpc_join.c +++ b/source/utils/net_rpc_join.c @@ -212,7 +212,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { - d_printf("Create of workstation account failed\n"); + d_printf("Creation of workstation account failed\n"); /* If NT_STATUS_ACCESS_DENIED then we have a valid username/password combo but the user does not have 
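Review bot: The second branch tests `(acb_info & ACB_WSTRUST) == ACB_NORMAL`, but masking with ACB_WSTRUST leaves only that one bit, which the first branch has already matched, so this comparison cannot be true unless ACB_NORMAL is zero (unlikely given the one-bit-per-flag layout in smb.h) — the normal-user path would then never run. The intended test is presumably `else if ( (acb_info & ACB_NORMAL) == ACB_NORMAL )`. The chain also has no final else, so an acb_info with none of the tested bits reaches the DEBUG line with `can_add_account` and `add_script` untouched; unless `can_add_account` is initialised to False where it is declared (outside the hunk), add `else { can_add_account = False; }` so an unexpected account type is denied rather than decided by stale state. The opening braces on their own lines also differ from the K&R layout of the surrounding function. _samr_create_user starts and ends outside the hunk.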
diff --git a/source/web/swat.c b/source/web/swat.c index 7bd9837c371..e7402e0a0f6 100644 --- a/source/web/swat.c +++ b/source/web/swat.c @@ -32,6 +32,7 @@ #include "web/swat_proto.h" static BOOL demo_mode = False; +static BOOL passwd_only = False; static BOOL have_write_access = False; static BOOL have_read_access = False; static int iNumNonAutoPrintServices = 0; @@ -530,7 +531,8 @@ static void show_main_buttons(void) image_link(_("Printers"), "printers", "images/printers.gif"); image_link(_("Wizard"), "wizard", "images/wizard.gif"); } - if (have_read_access) { + /* root always gets all buttons, otherwise look for -P */ + if ( have_write_access || (!passwd_only && have_read_access) ) { image_link(_("Status"), "status", "images/status.gif"); image_link(_("View Config"), "viewconfig", "images/viewconfig.gif"); } @@ -1315,6 +1317,7 @@ static void printers_page(void) struct poptOption long_options[] = { POPT_AUTOHELP { "disable-authentication", 'a', POPT_ARG_VAL, &demo_mode, True, "Disable authentication (demo mode)" }, + { "password-menu-only", 'P', POPT_ARG_VAL, &passwd_only, True, "Show only change password menu" }, POPT_COMMON_SAMBA POPT_TABLEEND }; |
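Review bot: The new comment in show_main_buttons() says root always gets all buttons, but the condition keys on `have_write_access`, so the comment should say what the code tests, e.g. `/* write access (normally root) gets all buttons; otherwise honour -P */`, unless write access is guaranteed to mean root elsewhere. Hiding the Status and View Config buttons is only presentational: if -P is meant to restrict non-root users to the password page, the page dispatch (outside this hunk) should also check `passwd_only`, since a user with read access can still request those pages directly. show_main_buttons starts outside the hunk.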
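Review bot: The long option added to long_options[] is `"password-menu-only"`, while the WHATSNEW.txt entry in this same commit documents it as `--password-only-menu`; one of the two should change so the release notes match the binary. The help string `"Show only change password menu"` would also read better as `"Show only the password change page"`, matching the WHATSNEW wording.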