Discussion:
[SCM] Samba Shared Repository - branch master updated
Volker Lendecke
2017-12-28 01:23:04 UTC
The branch, master has been updated
via dcfa6c0 torture: Fix CID 1426987 Incorrect expression (UNUSED_VALUE)
from 8a42954 samba-tool test: ensure `samba-tool help` works

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dcfa6c021fa74a3e8e380ea99e768af3c5e37e0c
Author: Volker Lendecke <***@samba.org>
Date: Wed Dec 27 13:19:06 2017 +0100

torture: Fix CID 1426987 Incorrect expression (UNUSED_VALUE)

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Thu Dec 28 02:22:04 CET 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/torture/smb2/session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index aad8610..15a11e2 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1387,7 +1387,7 @@ static bool test_session_expire2(struct torture_context *tctx)
ZERO_STRUCT(lack);
lack.in.lease.lease_version = 1;
lack.in.lease.lease_key.data[0] = 1;
- lack.in.lease.lease_key.data[0] = 2;
+ lack.in.lease.lease_key.data[1] = 2;
status = smb2_lease_break_ack(tree, &lack);
torture_assert_ntstatus_equal_goto(tctx, status,
NT_STATUS_NETWORK_SESSION_EXPIRED,
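Review bot: the commit message names only the Coverity CID, so the log does not say what was wrong in test_session_expire2; a line noting that the second store overwrote lease_key.data[0] instead of setting lease_key.data[1] would make the change self-explanatory for readers without access to the scan.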
--
Samba Shared Repository
Stefan Metzmacher
2017-12-29 01:50:04 UTC
The branch, master has been updated
via a0f810e selftest: allow more time for tests
from dcfa6c0 torture: Fix CID 1426987 Incorrect expression (UNUSED_VALUE)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a0f810e7e39cde003c9c5e0cb701846472e80a74
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Dec 28 11:45:49 2017 +1300

selftest: allow more time for tests

Maybe make test *should* run in under 4 hours, but it currently
doesn't.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Fri Dec 29 02:48:59 CET 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
selftest/selftest.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 2316f9f..ff19d59 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -441,8 +441,8 @@ if ($opt_testenv) {
# 1 year should be enough :-)
$server_maxtime = 365 * 24 * 60 * 60;
} else {
- # make test should run under 4 hours
- $server_maxtime = 4 * 60 * 60;
+ # make test should run under 5 hours
+ $server_maxtime = 5 * 60 * 60;
}

if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {
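Review bot: the 5-hour value in the else branch is still a hard-coded guess, and the commit message says the run exceeds the old limit without saying by how much. The context line after the hunk shows that SMBD_MAXTIME already overrides $server_maxtime, so the autobuild environment could set that instead, or the comment could record the observed runtime so the next bump has a baseline.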
--
Samba Shared Repository
Stefan Metzmacher
2018-01-01 18:20:02 UTC
The branch, master has been updated
via d8d21ec Happy New Year 2018!
from a0f810e selftest: allow more time for tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d8d21ec437b40506b000cafd046295f0c5e0c8dd
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 1 00:14:13 2018 +0100

Happy New Year 2018!

Signed-off-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Mon Jan 1 19:19:22 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/include/smb.h | 2 +-
source4/smbd/server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 0e79cb8..3316f09 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -30,7 +30,7 @@
#include "libds/common/roles.h"

/* logged when starting the various Samba daemons */
-#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2017"
+#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2018"

#define SAFETY_MARGIN 1024
#define LARGE_WRITEX_HDR_SIZE 65
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 85dea26..f650d80 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -470,7 +470,7 @@ static int binary_smbd_main(const char *binary_name,
binary_name,
SAMBA_VERSION_STRING));
DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team"
- " 1992-2017\n"));
+ " 1992-2018\n"));

if (sizeof(uint16_t) < 2 ||
sizeof(uint32_t) < 4 ||
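Review bot: the year in the DEBUGADD string in binary_smbd_main duplicates COPYRIGHT_STARTUP_MESSAGE from source3/include/smb.h, so every new year needs two edits that can drift apart. If source4 can include a shared header, defining the string once and using it here would reduce this to a single change.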
--
Samba Shared Repository
Björn Jacke
2018-01-02 17:02:02 UTC
The branch, master has been updated
via 7277590 smbldap: don't try start tls on ldaps:// connections
via e29d31f doc-xml: fix dependency as the xml targets depend on Makefile.settings
from d8d21ec Happy New Year 2018!

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7277590f6d746113ff347c7fce3d8ef4d01cc715
Author: Bjoern Jacke <***@samba.org>
Date: Thu Dec 7 16:06:38 2017 +0100

smbldap: don't try start tls on ldaps:// connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6079

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Tue Jan 2 18:01:17 CET 2018 on sn-devel-144

commit e29d31f74f4c2a0f1127d9fb92118b6e42763bf1
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 13 13:39:10 2017 +0100

doc-xml: fix dependency as the xml targets depend on Makefile.settings

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/Makefile | 2 +-
source3/lib/smbldap.c | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/Makefile b/docs-xml/Makefile
index 6a33b17..d69238b 100644
--- a/docs-xml/Makefile
+++ b/docs-xml/Makefile
@@ -92,7 +92,7 @@ $(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl
@mkdir -p $(@D)
@$(XSLTPROC) --stringparam latex.imagebasedir "$*/" --stringparam noreference 0 --xinclude --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl
+$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings
@mkdir -p $(@D)
$(XSLTPROC) --xinclude --stringparam noreference 0 --output $@ xslt/expand-sambadoc.xsl $<

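Review bot: only the manpages rule gains Makefile.settings as a prerequisite; the $(DOCBOOKDIR)/%.xml rule shown in the hunk header and context runs the same expand-sambadoc.xsl step and is left unchanged. The commit subject says "the xml targets" depend on Makefile.settings, so either that rule needs the prerequisite as well or the message should say why it does not. Appending the new prerequisite at the end is right, since the recipe uses $< and the source XML must stay first.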
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 71166f6..5a67ab7 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -604,7 +604,7 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
int smbldap_start_tls(LDAP *ldap_struct, int version)
{
#ifdef LDAP_OPT_X_TLS
- int rc;
+ int rc,tls;
#endif

if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
@@ -612,6 +612,12 @@ int smbldap_start_tls(LDAP *ldap_struct, int version)
}

#ifdef LDAP_OPT_X_TLS
+ /* check if we use ldaps already */
+ ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
+ if (tls == LDAP_OPT_X_TLS_HARD) {
+ return LDAP_SUCCESS;
+ }
+
if (version != LDAP_VERSION3) {
DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
return LDAP_OPERATIONS_ERROR;
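Review bot: the return value of ldap_get_option() in the added block is ignored and tls is declared without an initializer (int rc,tls;), so if the call fails, the comparison against LDAP_OPT_X_TLS_HARD reads an indeterminate value and the function can return LDAP_SUCCESS without TLS being in place. Initialize tls and take the early return only when ldap_get_option() returned LDAP_OPT_SUCCESS. Style: add a space after the comma in the declaration.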
--
Samba Shared Repository
Volker Lendecke
2018-01-03 13:38:02 UTC
The branch, master has been updated
via 11239f0 credentials: Simplify cli_credentials_get_server_gss_creds()
from 7277590 smbldap: don't try start tls on ldaps:// connections

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 11239f0759601a9db22dfe1e99d3de7f2348a1e5
Author: Andreas Schneider <***@samba.org>
Date: Tue Dec 13 11:38:13 2016 +0100

credentials: Simplify cli_credentials_get_server_gss_creds()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
auth/credentials/credentials_krb5.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index b88497d..585203a 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1151,16 +1151,17 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
}

if (ktc->password_based || obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
- maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
- NULL, NULL, ktc->keytab,
- &gcc->creds);
- } else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
- maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
- NULL, princ, ktc->keytab,
- &gcc->creds);
+ /*
+ * This creates a GSSAPI cred_id_t for match-by-key with only
+ * the keytab set
+ */
+ princ = NULL;
}
+ maj_stat = smb_gss_krb5_import_cred(&min_stat,
+ smb_krb5_context->krb5_context,
+ NULL, princ,
+ ktc->keytab,
+ &gcc->creds);
if (maj_stat) {
if (min_stat) {
ret = min_stat;
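Review bot: princ = NULL in the if branch overwrites the local instead of selecting an argument; if princ is used or released after this call (not visible in the hunk), the match-by-key path now sees NULL there. A separate variable for the value passed to smb_gss_krb5_import_cred() avoids that. The removed else-branch comment (principal and keytab set, matching by name) was the only description of the second case and is worth keeping next to the single call.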
--
Samba Shared Repository
Jeremy Allison
2018-01-04 04:09:02 UTC
The branch, master has been updated
via 36ab213 dns_server: Remove "max_payload" from dns_server
via 35683a6 dns_server: Remove unused "dns_generate_options"
via cc3f9c2 dns_server: Remove unused "dns" parameter from ask_forwarder_send
via 15748c3 ndr_dns: fix pushing unknown resource records
via 300821b dns_server: Use dns_cli_request instead of direct udp
via 0bb92d7 libdns: Add dns_cli_request
via 6238830 libdns: dns/tcp client
via 507c9b6 dsdb: Fix the build on 32-bit FreeBSD
via d8e30cb libdns: Fix a typo
via f7f15c2 tsocket: Fix typos
from 11239f0 credentials: Simplify cli_credentials_get_server_gss_creds()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 36ab213ae66bbbdc95569452e409f50bc866e2f1
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 11:02:45 2017 +0100

dns_server: Remove "max_payload" from dns_server

This would have to be retrieved from the interface type we have I guess.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Thu Jan 4 05:08:02 CET 2018 on sn-devel-144

commit 35683a60e73f0544b4ee7e6853d09d0568d1c1ee
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 11:00:01 2017 +0100

dns_server: Remove unused "dns_generate_options"

This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit cc3f9c26ec05abb38d024c2a9f27f85f2cc92055
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 10:59:40 2017 +0100

dns_server: Remove unused "dns" parameter from ask_forwarder_send

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 15748c325c35c5e63ccff8cfcc4f3f555ebda77a
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 13:09:15 2017 +0100

ndr_dns: fix pushing unknown resource records

When pulling for example an RRSIG record, we end up with length!=0 *and*
unexpected.length != 0, but with an unknown rrec. We should be able to
marshall what we retrieved from the wire.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 300821b7934084f06b44b7a63a63db7cb544e8fa
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 11:11:59 2017 +0100

dns_server: Use dns_cli_request instead of direct udp

This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 0bb92d7f377caffb2425cc7757b370bcf671e598
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 11:01:29 2017 +0100

libdns: Add dns_cli_request

First UDP, then TCP if truncation happened

Signed-off-by: Volker Lendecke <***@samba.org>

commit 623883083b5f9b5f07466fee99080c0c7f588551
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 28 22:35:46 2017 +0100

libdns: dns/tcp client

Same signature as the UDP client in the same file. This opens and closes
the socket per request. In the future, we might want to create a
persistent TCP connection for our internal DNS server's forwarder. That
will require proper handling of in-flight requests. Something for
another day.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 507c9b6906ace462692eb499b1e217b5ea131c04
Author: Volker Lendecke <***@samba.org>
Date: Wed Dec 27 12:50:07 2017 +0100

dsdb: Fix the build on 32-bit FreeBSD

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit d8e30cb0aa3e014561fa5488e1cf30344cffe599
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 09:36:31 2017 +0100

libdns: Fix a typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit f7f15c25d2ce6e9f856e48c92009394222714d03
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 28 21:41:33 2017 +0100

tsocket: Fix typos

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
lib/tsocket/tsocket.h | 4 +-
libcli/dns/dns.c | 410 ++++++++++++++++++++-
libcli/dns/libdns.h | 30 +-
libcli/dns/wscript_build | 2 +-
librpc/ndr/ndr_dns.c | 11 +-
source4/dns_server/dns_query.c | 69 +---
source4/dns_server/dns_server.c | 2 -
source4/dns_server/dns_server.h | 4 -
source4/dns_server/dns_utils.c | 20 -
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 12 +-
10 files changed, 466 insertions(+), 98 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tsocket/tsocket.h b/lib/tsocket/tsocket.h
index f52b746..dd0bd98 100644
--- a/lib/tsocket/tsocket.h
+++ b/lib/tsocket/tsocket.h
@@ -805,7 +805,7 @@ bool tstream_bsd_optimize_readv(struct tstream_context *stream,
* @brief Connect async to a TCP endpoint and create a tstream_context for the
* stream based communication.
*
- * Use this function to connenct asynchronously to a remote ipv4 or ipv6 TCP
+ * Use this function to connect asynchronously to a remote ipv4 or ipv6 TCP
* endpoint and create a tstream_context for the stream based communication.
*
* @param[in] mem_ctx The talloc memory context to use.
@@ -961,7 +961,7 @@ struct sockaddr;
*
* @param[in] sa The sockaddr structure to convert.
*
- * @param[in] sa_socklen The lenth of the sockaddr sturucte.
+ * @param[in] sa_socklen The length of the sockaddr structure.
*
* @param[out] addr The tsocket pointer to allocate and fill.
*
diff --git a/libcli/dns/dns.c b/libcli/dns/dns.c
index 7d066d8..6404cb8 100644
--- a/libcli/dns/dns.c
+++ b/libcli/dns/dns.c
@@ -26,8 +26,10 @@
#include "libcli/dns/libdns.h"
#include "lib/util/tevent_unix.h"
#include "lib/util/samba_util.h"
+#include "lib/util/debug.h"
#include "libcli/util/error.h"
-#include "librpc/gen_ndr/dns.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_dns.h"

struct dns_udp_request_state {
struct tevent_context *ev;
@@ -176,3 +178,409 @@ int dns_udp_request_recv(struct tevent_req *req,

return 0;
}
+
+struct dns_tcp_request_state {
+ struct tevent_context *ev;
+ struct tstream_context *stream;
+ const uint8_t *query;
+ size_t query_len;
+
+ uint8_t dns_msglen_hdr[2];
+ struct iovec iov[2];
+
+ size_t nread;
+ uint8_t *reply;
+};
+
+static void dns_tcp_request_connected(struct tevent_req *subreq);
+static void dns_tcp_request_sent(struct tevent_req *subreq);
+static int dns_tcp_request_next_vector(struct tstream_context *stream,
+ void *private_data,
+ TALLOC_CTX *mem_ctx,
+ struct iovec **_vector,
+ size_t *_count);
+static void dns_tcp_request_received(struct tevent_req *subreq);
+
+struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
+{
+ struct tevent_req *req, *subreq;
+ struct dns_tcp_request_state *state;
+ struct tsocket_address *local, *remote;
+ int ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct dns_tcp_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->query = query;
+ state->query_len = query_len;
+
+ if (query_len > UINT16_MAX) {
+ tevent_req_error(req, EMSGSIZE);
+ return tevent_req_post(req, ev);
+ }
+
+ ret = tsocket_address_inet_from_strings(state, "ip", NULL, 0, &local);
+ if (ret != 0) {
+ tevent_req_error(req, errno);
+ return tevent_req_post(req, ev);
+ }
+
+ ret = tsocket_address_inet_from_strings(
+ state, "ip", server_addr_string, DNS_SERVICE_PORT, &remote);
+ if (ret != 0) {
+ tevent_req_error(req, errno);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = tstream_inet_tcp_connect_send(state, state->ev,
+ local, remote);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_connected, req);
+
+ return req;
+}
+
+static void dns_tcp_request_connected(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int ret, err;
+
+ ret = tstream_inet_tcp_connect_recv(subreq, &err, state,
+ &state->stream, NULL);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ RSSVAL(state->dns_msglen_hdr, 0, state->query_len);
+ state->iov[0] = (struct iovec) {
+ .iov_base = state->dns_msglen_hdr,
+ .iov_len = sizeof(state->dns_msglen_hdr)
+ };
+ state->iov[1] = (struct iovec) {
+ .iov_base = discard_const_p(void, state->query),
+ .iov_len = state->query_len
+ };
+
+ subreq = tstream_writev_send(state, state->ev, state->stream,
+ state->iov, ARRAY_SIZE(state->iov));
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_sent, req);
+}
+
+static void dns_tcp_request_sent(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int ret, err;
+
+ ret = tstream_writev_recv(subreq, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ subreq = tstream_readv_pdu_send(state, state->ev, state->stream,
+ dns_tcp_request_next_vector, state);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_received, req);
+}
+
+static int dns_tcp_request_next_vector(struct tstream_context *stream,
+ void *private_data,
+ TALLOC_CTX *mem_ctx,
+ struct iovec **_vector,
+ size_t *_count)
+{
+ struct dns_tcp_request_state *state = talloc_get_type_abort(
+ private_data, struct dns_tcp_request_state);
+ struct iovec *vector;
+ uint16_t msglen;
+
+ if (state->nread == 0) {
+ vector = talloc_array(mem_ctx, struct iovec, 1);
+ if (vector == NULL) {
+ return -1;
+ }
+ vector[0] = (struct iovec) {
+ .iov_base = state->dns_msglen_hdr,
+ .iov_len = sizeof(state->dns_msglen_hdr)
+ };
+ state->nread = sizeof(state->dns_msglen_hdr);
+
+ *_vector = vector;
+ *_count = 1;
+ return 0;
+ }
+
+ if (state->nread == sizeof(state->dns_msglen_hdr)) {
+ msglen = RSVAL(state->dns_msglen_hdr, 0);
+
+ state->reply = talloc_array(state, uint8_t, msglen);
+ if (state->reply == NULL) {
+ return -1;
+ }
+
+ vector = talloc_array(mem_ctx, struct iovec, 1);
+ if (vector == NULL) {
+ return -1;
+ }
+ vector[0] = (struct iovec) {
+ .iov_base = state->reply,
+ .iov_len = msglen
+ };
+ state->nread += msglen;
+
+ *_vector = vector;
+ *_count = 1;
+ return 0;
+ }
+
+ *_vector = NULL;
+ *_count = 0;
+ return 0;
+}
+
+static void dns_tcp_request_received(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ int ret, err;
+
+ ret = tstream_readv_pdu_recv(subreq, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
+{
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ tevent_req_received(req);
+ return err;
+ }
+
+ *reply_len = talloc_array_length(state->reply);
+ *reply = talloc_move(mem_ctx, &state->reply);
+ tevent_req_received(req);
+
+ return 0;
+}
+
+struct dns_cli_request_state {
+ struct tevent_context *ev;
+ const char *nameserver;
+
+ uint16_t req_id;
+
+ DATA_BLOB query;
+
+ struct dns_name_packet *reply;
+};
+
+static void dns_cli_request_udp_done(struct tevent_req *subreq);
+static void dns_cli_request_tcp_done(struct tevent_req *subreq);
+
+struct tevent_req *dns_cli_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *nameserver,
+ const char *name,
+ enum dns_qclass qclass,
+ enum dns_qtype qtype)
+{
+ struct tevent_req *req, *subreq;
+ struct dns_cli_request_state *state;
+ struct dns_name_question question;
+ struct dns_name_packet out_packet;
+ enum ndr_err_code ndr_err;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct dns_cli_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->nameserver = nameserver;
+
+ DBG_DEBUG("Asking %s for %s/%d/%d via UDP\n", nameserver,
+ name, (int)qclass, (int)qtype);
+
+ generate_random_buffer((uint8_t *)&state->req_id,
+ sizeof(state->req_id));
+
+ question = (struct dns_name_question) {
+ .name = discard_const_p(char, name),
+ .question_type = qtype, .question_class = qclass
+ };
+
+ out_packet = (struct dns_name_packet) {
+ .id = state->req_id,
+ .operation = DNS_OPCODE_QUERY | DNS_FLAG_RECURSION_DESIRED,
+ .qdcount = 1,
+ .questions = &question
+ };
+
+ ndr_err = ndr_push_struct_blob(
+ &state->query, state, &out_packet,
+ (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dns_udp_request_send(state, state->ev, state->nameserver,
+ state->query.data, state->query.length);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, dns_cli_request_udp_done, req);
+ return req;
+}
+
+static void dns_cli_request_udp_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ DATA_BLOB reply;
+ enum ndr_err_code ndr_err;
+ int ret;
+
+ ret = dns_udp_request_recv(subreq, state, &reply.data, &reply.length);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ state->reply = talloc(state, struct dns_name_packet);
+ if (tevent_req_nomem(state->reply, req)) {
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob(
+ &reply, state->reply, state->reply,
+ (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return;
+ }
+ TALLOC_FREE(reply.data);
+
+ if (state->reply->id != state->req_id) {
+ DBG_DEBUG("Got id %"PRIu16", expected %"PRIu16"\n",
+ state->reply->id, state->req_id);
+ tevent_req_error(req, ENOMSG);
+ return;
+ }
+
+ if ((state->reply->operation & DNS_FLAG_TRUNCATION) == 0) {
+ DBG_DEBUG("Got op=%x %"PRIu16"/%"PRIu16"/%"PRIu16"/%"PRIu16
+ " recs\n", (int)state->reply->operation,
+ state->reply->qdcount, state->reply->ancount,
+ state->reply->nscount, state->reply->nscount);
+ tevent_req_done(req);
+ return;
+ }
+
+ DBG_DEBUG("Reply was truncated, retrying TCP\n");
+
+ TALLOC_FREE(state->reply);
+
+ subreq = dns_tcp_request_send(state, state->ev, state->nameserver,
+ state->query.data, state->query.length);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_cli_request_tcp_done, req);
+}
+
+static void dns_cli_request_tcp_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ DATA_BLOB reply;
+ enum ndr_err_code ndr_err;
+ int ret;
+
+ ret = dns_tcp_request_recv(subreq, state, &reply.data, &reply.length);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ state->reply = talloc(state, struct dns_name_packet);
+ if (tevent_req_nomem(state->reply, req)) {
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob(
+ &reply, state->reply, state->reply,
+ (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return;
+ }
+ TALLOC_FREE(reply.data);
+
+ if (state->reply->id != state->req_id) {
+ DBG_DEBUG("Got id %"PRIu16", expected %"PRIu16"\n",
+ state->reply->id, state->req_id);
+ tevent_req_error(req, ENOMSG);
+ return;
+ }
+
+ DBG_DEBUG("Got op=%x %"PRIu16"/%"PRIu16"/%"PRIu16"/%"PRIu16
+ " recs\n", (int)state->reply->operation,
+ state->reply->qdcount, state->reply->ancount,
+ state->reply->nscount, state->reply->nscount);
+
+ tevent_req_done(req);
+}
+
+int dns_cli_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dns_name_packet **reply)
+{
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ return err;
+ }
+ *reply = talloc_move(mem_ctx, &state->reply);
+ return 0;
+}
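Review bot: in dns_tcp_request_next_vector the length read from the wire is used without a sanity check: with msglen == 0, state->nread += msglen leaves nread equal to sizeof(state->dns_msglen_hdr), so the second branch matches again on the next call and allocates another reply. Reject a length too short to hold a DNS header before calling talloc_array(). Both DBG_DEBUG "recs" calls pass state->reply->nscount twice; the fourth value is presumably meant to be the additional-record count. dns_cli_request_udp_done and dns_cli_request_tcp_done repeat the same pull and id check and could share a helper, and dns_cli_request_recv() does not call tevent_req_received() the way dns_tcp_request_recv() does.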
diff --git a/libcli/dns/libdns.h b/libcli/dns/libdns.h
index 7ea2eb6..1b7c404 100644
--- a/libcli/dns/libdns.h
+++ b/libcli/dns/libdns.h
@@ -22,6 +22,10 @@
#ifndef __LIBDNS_H__
#define __LIBDNS_H__

+#include "lib/util/data_blob.h"
+#include "lib/util/time.h"
+#include "librpc/gen_ndr/dns.h"
+
/** Send an dns request to a dns server using UDP
*
*@param mem_ctx talloc memory context to use
@@ -39,7 +43,7 @@ struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,

/** Get the dns response from a dns server via UDP
*
- *@param req tevent_req struct returned from dns_request_send
+ *@param req tevent_req struct returned from dns_udp_request_send
*@param mem_ctx talloc memory context to use for the reply string
*@param reply buffer that will be allocated and filled with the dns reply
*@param reply_len length of the reply buffer
@@ -50,4 +54,28 @@ int dns_udp_request_recv(struct tevent_req *req,
uint8_t **reply,
size_t *reply_len);

+struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len);
+int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len);
+
+/*
+ * DNS request with fallback to TCP on truncation
+ */
+
+struct tevent_req *dns_cli_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *nameserver,
+ const char *name,
+ enum dns_qclass qclass,
+ enum dns_qtype qtype);
+int dns_cli_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dns_name_packet **reply);
+
+
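Review bot: the new dns_tcp_request_send/recv and dns_cli_request_send/recv prototypes carry no parameter documentation, while the UDP pair in the same header has /** ... @param blocks. At minimum dns_cli_request_recv() should state that *reply is moved onto mem_ctx and that failures are returned as errno values, and the "DNS request with fallback to TCP on truncation" comment could become a proper doc block on dns_cli_request_send().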
--
Samba Shared Repository
Volker Lendecke
2018-01-04 15:04:02 UTC
The branch, master has been updated
via 114f5da s3: smbd: Use identical logic to test for kernel oplocks on a share.
from 36ab213 dns_server: Remove "max_payload" from dns_server

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 114f5da2fab6f587de77e792274b396fb3d7ce71
Author: Jeremy Allison <***@samba.org>
Date: Wed Jan 3 09:52:33 2018 -0800

s3: smbd: Use identical logic to test for kernel oplocks on a share.

Due to inconsistent use of lp_kernel_oplocks() we could miss kernel
oplocks being on/off in some of our oplock handling code, and thus
use the wrong logic.

Ensure all logic around koplocks and lp_kernel_oplocks() is consistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13193

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Thu Jan 4 16:03:38 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/smbd/oplock.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index 1b2a87b..e848b5e 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -56,7 +56,8 @@ NTSTATUS set_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
- bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if (fsp->oplock_type == LEVEL_II_OPLOCK) {
if (use_kernel &&
@@ -98,7 +99,8 @@ static void release_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
- bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if ((fsp->oplock_type != NO_OPLOCK) &&
use_kernel) {
@@ -131,13 +133,15 @@ static void downgrade_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if (!EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
DEBUG(0, ("trying to downgrade an already-downgraded oplock!\n"));
return;
}

- if (koplocks) {
+ if (use_kernel) {
koplocks->ops->release_oplock(koplocks, fsp, LEVEL_II_OPLOCK);
}
fsp->oplock_type = LEVEL_II_OPLOCK;
@@ -729,12 +733,14 @@ static void add_oplock_timeout_handler(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

/*
* If kernel oplocks already notifies smbds when an oplock break times
* out, just return.
*/
- if (koplocks &&
+ if (use_kernel &&
(koplocks->flags & KOPLOCKS_TIMEOUT_NOTIFICATION)) {
return;
}
@@ -845,7 +851,8 @@ static void process_oplock_break_message(struct messaging_context *msg_ctx,
break_to &= ~SMB2_LEASE_READ;
}

- use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);
if (use_kernel && !(koplocks->flags & KOPLOCKS_LEVEL2_SUPPORTED)) {
DEBUG(10, ("Kernel oplocks don't allow level2\n"));
break_to &= ~SMB2_LEASE_READ;
@@ -1255,8 +1262,10 @@ void smbd_contend_level2_oplocks_begin(files_struct *fsp,
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

- if (koplocks && koplocks->ops->contend_level2_oplocks_begin) {
+ if (use_kernel && koplocks->ops->contend_level2_oplocks_begin) {
koplocks->ops->contend_level2_oplocks_begin(fsp, type);
return;
}
@@ -1269,9 +1278,11 @@ void smbd_contend_level2_oplocks_end(files_struct *fsp,
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

/* Only kernel oplocks implement this so far */
- if (koplocks && koplocks->ops->contend_level2_oplocks_end) {
+ if (use_kernel && koplocks->ops->contend_level2_oplocks_end) {
koplocks->ops->contend_level2_oplocks_end(fsp, type);
}
}
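Review bot: The use_kernel initializer added at the top of smbd_contend_level2_oplocks_end() is the same two-line expression this patch also adds or rewrites in release_file_oplock(), downgrade_file_oplock(), add_oplock_timeout_handler(), process_oplock_break_message() and smbd_contend_level2_oplocks_begin(). Open-coded copies are what let the checks differ before this change (some tested only `koplocks`, others also the per-share setting). A small static helper that takes the fsp and returns the bool would keep the share test and the NULL test in one place, so no caller can dereference `koplocks` after checking only one of the two.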
--
Samba Shared Repository
Björn Jacke
2018-01-04 19:33:03 UTC
The branch, master has been updated
via 7a0a765 docs-xml: plain file URIs need three slashes
via 03f0ba7 docs-xml: figure out samba version for the docs automatically
from 114f5da s3: smbd: Use identical logic to test for kernel oplocks on a share.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7a0a765d535abdd76d86ea88251489d2839ec59b
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 12:55:26 2018 +0100

docs-xml: plain file URIs need three slashes

Signed-off-by: Bjoern Jacke <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Thu Jan 4 20:32:21 CET 2018 on sn-devel-144

commit 03f0ba71953b2738261e897074e7d91c6022c1b7
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 10:38:05 2018 +0100

docs-xml: figure out samba version for the docs automatically

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/build/catalog.xml.in | 8 ++++----
docs-xml/configure.ac | 8 +++++++-
2 files changed, 11 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/build/catalog.xml.in b/docs-xml/build/catalog.xml.in
index 77bf87e..77ec4f2 100644
--- a/docs-xml/build/catalog.xml.in
+++ b/docs-xml/build/catalog.xml.in
@@ -6,16 +6,16 @@

<rewriteURI
uriStartString="http://www.samba.org/samba/DTD/"
- rewritePrefix="file://@abs_top_srcdir@/build/DTD/"/>
+ rewritePrefix="file:///@abs_top_srcdir@/build/DTD/"/>

<rewriteURI
uriStartString="http://www.samba.org/samba/LOCAL.BUILDDIR.DTD/"
- rewritePrefix="file://@abs_top_builddir@/build/DTD/"/>
+ rewritePrefix="file:///@abs_top_builddir@/build/DTD/"/>

<rewriteURI
uriStartString="http://www.gnu.org/licenses/"
- rewritePrefix="file://@abs_top_srcdir@/Samba3-ByExample/"/>
+ rewritePrefix="file:///@abs_top_srcdir@/Samba3-ByExample/"/>
<rewriteURI
uriStartString="http://www.samba.org/samba/smbdotconf/"
- rewritePrefix="file://@abs_top_builddir@/smbdotconf/"/>
+ rewritePrefix="file:///@abs_top_builddir@/smbdotconf/"/>
</catalog>
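Review bot: In all four rewritePrefix values the placeholder now follows `file:///` directly, so if @abs_top_srcdir@ and @abs_top_builddir@ expand to absolute paths that already begin with `/`, the generated prefix has four slashes (`file:////...`) rather than three. Either keep `file://` in front of an absolute path or strip the leading slash from the substituted value, and record in the commit message which form the catalog resolver was rejecting.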
diff --git a/docs-xml/configure.ac b/docs-xml/configure.ac
index 8c26692..9a7f9ce 100644
--- a/docs-xml/configure.ac
+++ b/docs-xml/configure.ac
@@ -55,8 +55,14 @@ fi

AC_SUBST(TARGETS)

+. ../VERSION
if test x"$DOC_VERSION" = x; then
- AC_MSG_ERROR([Please export DOC_VERSION variable])
+ #AC_MSG_ERROR([Please export DOC_VERSION variable])
+ VERSION_SUFFIX=""
+ if test x"$SAMBA_VERSION_PRE_RELEASE" != x; then
+ VERSION_SUFFIX=pre
+ fi
+ DOC_VERSION=${SAMBA_VERSION_MAJOR}.${SAMBA_VERSION_MINOR}.${SAMBA_VERSION_RELEASE}${VERSION_SUFFIX}
else
AC_MSG_RESULT([DOC_VERSION: ${DOC_VERSION}])
fi
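Review bot: `. ../VERSION` is resolved against the directory configure is run from, not against `$srcdir`, and it executes whatever that file contains as shell without first checking that it exists, so a build started from another directory either fails or sources an unrelated file. Source it through `$srcdir` behind an existence test, and delete the commented-out AC_MSG_ERROR line instead of leaving it in place. The computed DOC_VERSION is also never reported, because AC_MSG_RESULT only runs in the else branch.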
--
Samba Shared Repository
Douglas Bagnall
2018-01-05 01:52:03 UTC
The branch, master has been updated
via 2245a4b autobuild: fix quoting of --restrict-tests
via 523bd03 source4/tests: typo in env name
from 7a0a765 docs-xml: plain file URIs need three slashes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2245a4bf9ac0a5b561a3cc5c4c35c4ecb3485ea6
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Tue Dec 19 13:14:41 2017 +1300

autobuild: fix quoting of --restrict-tests

Currently, passing multiple tests causes those other than the first to be
passed to make, causing failures.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Douglas Bagnall <***@samba.org>
Autobuild-Date(master): Fri Jan 5 02:51:09 CET 2018 on sn-devel-144

commit 523bd03fd6d077a05ed4c60168d8511b5ad18ed6
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Wed Jan 3 03:59:24 2018 +0000

source4/tests: typo in env name

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
script/autobuild.py | 2 +-
source4/selftest/tests.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index a4ad544..40bace5 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -83,7 +83,7 @@ tasks = {

"samba-test-only" : [ ("configure", "./configure.developer --with-selftest-prefix=./bin/ab --abi-check-disable" + samba_configure_params, "text/plain"),
("make", "make -j", "text/plain"),
- ("test", "make test FAIL_IMMEDIATELY=1 TESTS=${TESTS}", "text/plain") ],
+ ("test", 'make test FAIL_IMMEDIATELY=1 TESTS="${TESTS}"',"text/plain") ],

# Test cross-compile infrastructure
"samba-xc" : [ ("configure-native", "./configure.developer --with-selftest-prefix=./bin/ab" + samba_configure_params, "text/plain"),
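Review bot: The rewritten "test" tuple has no space after the comma before "text/plain", unlike the entries around it. The added double quotes keep a multi-word TESTS value in a single make argument, but only while the value contains no double quote itself; a short comment next to the command saying where ${TESTS} gets its value and which characters it may contain would make that assumption checkable.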
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 755f0c9..91f8a5c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -726,7 +726,7 @@ planoldpythontestsuite("ad_dc_ntvfs",
# Want a selection of environments across the process models
#
for env in ["ad_dc_ntvfs:local", "ad_dc:local",
- "fl2003dc:local", "fl2008rdc:local",
+ "fl2003dc:local", "fl2008r2dc:local",
"promoted_dc:local"]:
planoldpythontestsuite(env, "samba.tests.blackbox.smbcontrol")
--
Samba Shared Repository
Björn Jacke
2018-01-05 18:56:02 UTC
The branch, master has been updated
via 3cbeaf4 docs-xml: add basic Makefile dependencies for targets that use xsltproc
via 9b27948 docs-xml: set a reasonable XML_CATALOG_FILES in Makefile
via a2f5b3b docs-xml: generate build/catalog.xml via Makefile target
from 2245a4b autobuild: fix quoting of --restrict-tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3cbeaf40937082bd7072d715ae02aa0989835432
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:35:12 2018 +0100

docs-xml: add basic Makefile dependencies for targets that use xsltproc

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Fri Jan 5 19:55:29 CET 2018 on sn-devel-144

commit 9b27948d6540b17d99bed3e39e75b2508f05a489
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:19:13 2018 +0100

docs-xml: set a reasonable XML_CATALOG_FILES in Makefile

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

commit a2f5b3b8e12bfc3d7182a406526b0d7edaf58a31
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:12:28 2018 +0100

docs-xml: generate build/catalog.xml via Makefile target

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/Makefile | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/Makefile b/docs-xml/Makefile
index d69238b..ba49eae 100644
--- a/docs-xml/Makefile
+++ b/docs-xml/Makefile
@@ -6,6 +6,8 @@
# Jelmer Vernooij <***@samba.org>
include Makefile.settings

+export XML_CATALOG_FILES := $(XML_CATALOG_FILES) /etc/xml/catalog $(shell pwd)/build/catalog.xml
+
# Docs to build
MAIN_DOCS = $(patsubst %/index.xml,%,$(wildcard */index.xml))
MANPAGES = $(sort $(wildcard $(MANPAGEDIR)/*.?.xml))
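Review bot: The new XML_CATALOG_FILES line appends `$(shell pwd)/build/catalog.xml` unquoted to a space-separated list, so a checkout path containing a space splits into two bogus entries; $(CURDIR) would also avoid the extra shell call. The inherited value and the hard-coded /etc/xml/catalog are listed ahead of the project's own catalog, so if entries are consulted in order, a caller-supplied or system rewrite for the same URI prefix takes precedence over build/catalog.xml. Putting the local catalog first would make the build independent of what the host has installed.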
@@ -16,6 +18,8 @@ DBLATEX_OPTIONS = -p xslt/latex.xsl -i xslt/latex

DATETIME := $(shell date +%Y%m%d%H%M%S)

+XSLTPROC_DEPS = build/catalog.xml build/DTD/samba.build.version
+
ifeq ($(PROFILE), Y)
XSLTPROC += --profile --load-trace --timing
endif
@@ -87,16 +91,16 @@ check:: validate

# Intermediate docbook docs
#
-$(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl
+$(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl $(XSLTPROC_DEPS)
@echo "Converting Samba-specific tags for $*..."
@mkdir -p $(@D)
@$(XSLTPROC) --stringparam latex.imagebasedir "$*/" --stringparam noreference 0 --xinclude --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings
+$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings $(XSLTPROC_DEPS)
@mkdir -p $(@D)
$(XSLTPROC) --xinclude --stringparam noreference 0 --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/index.xml: $(MANPAGES) xslt/manpage-summary.xsl
+$(DOCBOOKDIR)/manpages/index.xml: $(MANPAGES) xslt/manpage-summary.xsl $(XSLTPROC_DEPS)
@mkdir -p $(@D)
echo "<article><variablelist>" > $@
$(XSLTPROC) xslt/manpage-summary.xsl $(MANPAGES) >> $@
@@ -107,22 +111,22 @@ $(HTMLDIR)/index.html: htmldocs.html
@mkdir -p $(@D)
cp $< $@

-$(HTMLDIR)/%/index.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/%/samba.css xslt/html-chunk.xsl %-images-html-chunks
+$(HTMLDIR)/%/index.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/%/samba.css xslt/html-chunk.xsl %-images-html-chunks $(XSLTPROC_DEPS)
@mkdir -p $(@D)
$(XSLTPROC) --stringparam base.dir "$(HTMLDIR)/$*/" xslt/html-chunk.xsl $<

# Single large HTML files
-$(OUTPUTDIR)/%/samba.css: xslt/html/samba.css
+$(OUTPUTDIR)/%/samba.css: xslt/html/samba.css $(XSLTPROC_DEPS)
@mkdir -p $(@D)
cp $< $@

$(patsubst %,$(HTMLDIR)/%.html,$(MAIN_DOCS)): $(HTMLDIR)/%.html: %-images-html-single

-$(HTMLDIR)/%.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/samba.css xslt/html.xsl
+$(HTMLDIR)/%.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/samba.css xslt/html.xsl $(XSLTPROC_DEPS)
$(XSLTPROC) --output $@ xslt/html.xsl $<

# Attributions
-%-attributions.xml:
+%-attributions.xml: $(XSLTPROC_DEPS)
@echo "Generating attributions file $@ from $*/"
@cp -f templates/attributions.xml $@
@$(XSLTPROC) --xinclude -o $@ xslt/generate-attributions.xsl $*/index.xml
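Review bot: The `$(OUTPUTDIR)/%/samba.css` rule only runs `cp`, so adding $(XSLTPROC_DEPS) to it makes the stylesheet copy wait on, and rerun after, the catalog and version files for no reason; drop it from that rule. On `%-attributions.xml` the new prerequisite is justified because the recipe calls $(XSLTPROC), but the rule still has no dependency on `$*/index.xml`, which the recipe reads.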
@@ -139,7 +143,7 @@ $(TXTDIR)/%.txt: $(HTMLDIR)/%.html
@$(DBLATEX) $(DBLATEX_OPTIONS) -t tex -o $@ $<

# Dependency files
-%.d: $(DOCBOOKDIR)/%.xml xslt/generate-dependencies.xsl
+%.d: $(DOCBOOKDIR)/%.xml xslt/generate-dependencies.xsl $(XSLTPROC_DEPS)
@echo "Generating dependency file for $*"
@$(XSLTPROC) --novalid \
--stringparam txtbasedir "$(TXTDIR)/$*/" \
@@ -193,7 +197,7 @@ $(PSDIR)/%.ps: %/index.xml $(PSDIR) xslt/latex.xsl %-images-latex-eps
%.pdf: %.svg
$(INKSCAPE) -z -f $(abspath $<) --export-pdf=$(abspath $@)

-$(HTMLHELPDIR)/%: $(DOCBOOKDIR)/%.xml %-images-htmlhelp
+$(HTMLHELPDIR)/%: $(DOCBOOKDIR)/%.xml %-images-htmlhelp $(XSLTPROC_DEPS)
$(XSLTPROC) --stringparam htmlhelp.chm $*.chm \
--stringparam manifest.in.base.dir "$@/" \
--stringparam base.dir "$@/" \
@@ -253,6 +257,9 @@ $(PEARSONDIR)/%.report.html: $(PEARSONDIR)/%.xml
%-validate: %/index.xml
cd $(<D) && $(XMLLINT) --xinclude --noent --postvalid --noout $(<F)

+build/catalog.xml: build/catalog.xml.in
+ sed -e "s|@abs_top_srcdir@|`pwd`|g;s|@abs_top_builddir@|`pwd`|g" < build/catalog.xml.in > build/catalog.xml
+
samples: $(DOCBOOKDIR)/Samba3-HOWTO.xml xslt/extract-examples.xsl scripts/indent-smb.conf.pl
@mkdir -p examples
$(XSLTPROC) --xinclude xslt/extract-examples.xsl $< > /dev/null 2> examples/README
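Review bot: The build/catalog.xml recipe redirects sed straight into the target, so a failed or interrupted sed leaves a truncated build/catalog.xml that make then treats as up to date; write to a temporary file and rename it, and use `$<` and `$@` rather than repeating the file names. Both @abs_top_srcdir@ and @abs_top_builddir@ are replaced with the same `pwd`, and a working directory containing `|` or `&` corrupts the sed replacement.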
--
Samba Shared Repository
Jeremy Allison
2018-01-06 03:42:03 UTC
The branch, master has been updated
via debf8ba vfs_fileid: add fileid:algorithm = fsname_norootdir
via 1468dd2 vfs_fileid: add fileid:nolockinode parameter
via b599cb2 vfs_fileid: add fileid:algorithm = fsname_nodirs
via 495c646 vfs_fileid: add fileid:algorithm = hostname
via 6a8764e vfs_fileid: convert dev argument of the device_mapping_fn to SMB_STRUCT_STAT
via 9962495 vfs_fileid: add "fstype/mntdir deny/allow list" option
via 326df16 vfs_fileid: preserve errno in an error code path
via 5cce620 vfs_fileid: add a DEBUG message to log dev and inode
via d0def3b tests: The pthreadpooltests do not need a full environment
via 74dbeba dnscli: Make a few functions static
via 361ea74 samba: Only use async signal-safe functions in signal handler
via e1fb902 s4/torture: test vfs_fruit "fruit:time machine max size" option
via 74eebac vfs_fruit: add "time machine max size" option
from 3cbeaf4 docs-xml: add basic Makefile dependencies for targets that use xsltproc

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit debf8ba799ea7a4535e29c20a5f9377932c81938
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:22:16 2018 +0100

vfs_fileid: add fileid:algorithm = fsname_norootdir

Based-on-a-patch-by: Ralph Wuerthner <***@de.ibm.com>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Sat Jan 6 04:41:24 CET 2018 on sn-devel-144

commit 1468dd21c37445cff044583229b107254d53b2b9
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:09:21 2018 +0100

vfs_fileid: add fileid:nolockinode parameter

Based-on-a-patch-by: Ralph Wuerthner <***@de.ibm.com>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit b599cb216815415a63504ec69be3f70f08ea58d5
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:02:53 2018 +0100

vfs_fileid: add fileid:algorithm = fsname_nodirs

Enabling fileid:algorithm = fsname_nodirs uses the hostname algorithm
for directories and thus breaks cluster lock coherence for directories.

Based-on-a-patch-by: Christian Ambach <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 495c646ec5cbd61539f6c547cd6048d7ff167d30
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 16:59:54 2018 +0100

vfs_fileid: add fileid:algorithm = hostname

Using fileid:algorithm = hostname makes fileid generate
fileids based on the hostname. This breaks cluster lock coherence.

Based-on-a-patch-by: Christian Ambach <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 6a8764ebcc0de57e7dd0dc22eaf4a9d201c0dca9
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 16:35:38 2018 +0100

vfs_fileid: convert dev argument of the device_mapping_fn to SMB_STRUCT_STAT

This is in preparation of adding an additional mapping function that
acts differently depending on the file type. No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 996249571d0e8f9285d1b714b1c36d66e7649271
Author: Ralph Wuerthner <***@de.ibm.com>
Date: Tue Jan 12 16:00:24 2016 +0100

vfs_fileid: add "fstype/mntdir deny/allow list" option

When using the fsname or fsid algorithm a stat() and statfs() call is
required for all mounted file systems to generate the file_id. If e.g.
an NFS file system is unresponsive such a call might block and the smbd
process will become unresponsive. Add "fileid:fstype deny",
"fileid:fstype allow", "fileid:mntdir deny", and "fileid:mntdir allow"
options to ignore potentially unresponsive file systems.

See also https://lists.samba.org/archive/samba-technical/2016-January/111553.html
for a discussion about why this is useful.

Signed-off-by: Ralph Wuerthner <***@de.ibm.com>
Reviewed-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 326df161736abc16fb3bd35a18a3e55a44fb3c5d
Author: Ralph Boehme <***@samba.org>
Date: Fri Jan 5 10:23:30 2018 +0100

vfs_fileid: preserve errno in an error code path

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 5cce620bc1eac9a3f0bbf58084b7df2acde6bb15
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:25:07 2018 +0100

vfs_fileid: add a DEBUG message to log dev and inode

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit d0def3b2179cfbfca6f35237f2bb23d226a72814
Author: Volker Lendecke <***@samba.org>
Date: Fri Jan 5 10:45:41 2018 +0100

tests: The pthreadpooltests do not need a full environment

Makes "make test TESTS=pthreadpool" faster

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 74dbeba723c642bd207dad9d6881e8aa803b7509
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 4 21:26:58 2018 +0100

dnscli: Make a few functions static

We might want to use the tcp flavor in the future in the forwarder for a
single, persistent TCP connection. Then we can easily re-publish it.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 361ea743576cf125d7957a97ed78a0446dab1a19
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 4 21:06:02 2018 +0100

samba: Only use async signal-safe functions in signal handler

Otherwise shutdown can hang

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit e1fb902ca408aeecf26ecfd1926ca7824b25a3e7
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 2 19:09:04 2018 +0100

s4/torture: test vfs_fruit "fruit:time machine max size" option

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 74eebac975ee913e49c95b29c13a329edb0744e5
Author: Ralph Boehme <***@samba.org>
Date: Fri Nov 3 10:56:29 2017 +0100

vfs_fruit: add "time machine max size" option

This can be used to configure a per client filesystem size limit on
TimeMachine shares.

It's a nasty hack but it was reportedly working well in Netatalk where
it's taken from.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/vfs_fileid.8.xml | 77 ++++++-
docs-xml/manpages/vfs_fruit.8.xml | 18 ++
libcli/dns/dns.c | 36 ++--
libcli/dns/libdns.h | 38 ----
selftest/target/Samba3.pm | 8 +
source3/modules/vfs_fileid.c | 235 +++++++++++++++++++-
source3/modules/vfs_fruit.c | 428 +++++++++++++++++++++++++++++++++++++
source3/selftest/tests.py | 8 +-
source4/smbd/server.c | 4 +-
source4/torture/vfs/fruit.c | 102 +++++++++
source4/torture/vfs/vfs.c | 1 +
11 files changed, 881 insertions(+), 74 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_fileid.8.xml b/docs-xml/manpages/vfs_fileid.8.xml
index 5a3a70e..edfdef2 100644
--- a/docs-xml/manpages/vfs_fileid.8.xml
+++ b/docs-xml/manpages/vfs_fileid.8.xml
@@ -40,6 +40,15 @@
generates the device number based on the configured algorithm
(see the "fileid:algorithm" option).
</para>
+
+ <para>When using the fsname or fsid algorithm a
+ <command>stat()</command> and <command>statfs()</command> call is
+ required for all mounted file systems to generate the file_id. If e.g.
+ an NFS file system is unresponsive such a call might block and the smbd
+ process will become unresponsive. Use the "fileid:fstype deny",
+ "fileid:fstype allow", "fileid:mntdir deny", or "fileid:mntdir allow"
+ options to ignore potentially unresponsive file systems.
+ </para>
</refsect1>


@@ -51,17 +60,33 @@
<varlistentry>
<term>fileid:algorithm = ALGORITHM</term>
<listitem>
- <para>Available algorithms are <command>fsname</command>
- and <command>fsid</command>. The default value is
+ <para>Available algorithms are <command>fsname</command>,
+ <command>fsname_nodirs</command>, <command>fsid</command> and
+ <command>hostname</command>. The default value is
<command>fsname</command>.
</para>
<para>The <command>fsname</command> algorithm generates
device id by hashing the kernel device name.
</para>
+ <para>The <command>fsname_nodirs</command> algorithm generates
+ device id by hashing the kernel device name for files and by hashing
+ the hostname for directories. This can be used to deliberately
+ break lock coherency for directories in a cluster.
+ </para>
<para>The <command>fsid</command> algorithm generates
the device id from the <command>f_fsid</command> returned
from the <command>statfs()</command> syscall.
</para>
+ <para>The <command>hostname</command> algorithm generates device
+ id by hashing the hostname. This can be used to deliberately
+ break lock coherency in a cluster.
+ </para>
+ <para>The <command>fsname_norootdir</command> algorithm
+ generates device ids by hashing the kernel device name, except
+ for the root directory of shares where it will use the hostname
+ algorithm. This can be used to deliberately break lock coherency
+ in a cluster for the root directory of a share.
+ </para>
</listitem>
</varlistentry>

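Review bot: The updated "Available algorithms are" sentence lists fsname, fsname_nodirs, fsid and hostname but not fsname_norootdir, which gets its own paragraph at the end of this same listitem; add it to the list. Three of the new values are described as deliberately breaking lock coherency in a cluster, so the paragraphs should also say what that means for clients that open the same file or directory through different nodes.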
@@ -75,6 +100,54 @@
</listitem>
</varlistentry>

+ <varlistentry>
+ <term>fileid:fstype deny = LIST</term>
+ <listitem>
+ <para>List of file system types to be ignored for file_id
+ generation.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:fstype allow = LIST</term>
+ <listitem>
+ <para>List of file system types to be allowed for file_id
+ generation. If this option is set, file system types not listed
+ here are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:mntdir deny = LIST</term>
+ <listitem>
+ <para>List of file system mount points to be ignored for
+ file_id generation.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:mntdir allow = LIST</term>
+ <listitem>
+ <para>List of file system mount points to be allowed for file_id
+ generation. If this option is set, file system mount points
+ not listed here are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:nolockinode</term>
+ <listitem>
+ <para>This option triggers use of the fileid hostname algorithm
+ for the configured inode which can be used to deliberately break
+ lock coherency for the corresponding file or directory in a
+ cluster.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>

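Review bot: The `fileid:nolockinode` term gives no value syntax, while the other entries added here use `= LIST`; state that it takes an inode number and what the default is. The four deny/allow entries also do not say how they combine when both a deny and an allow list are set, or whether a mount point has to match the mtab entry exactly.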
diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index fcaf173..7f6a0e7 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -242,6 +242,24 @@
</varlistentry>

<varlistentry>
+ <term>fruit:time machine max size = SIZE [K|M|G|T|P]</term>
+ <listitem>
+ <para>Useful for Time Machine: limits the reported disksize, thus
+ preventing Time Machine from using the whole real disk space for
+ backup. The option takes a number plus an optional unit.</para>
+ <para><emphasis>IMPORTANT</emphasis>: This is an approximated
+ calculation that only takes into account the contents of Time
+ Machine sparsebundle images. Therefor you <emphasis>MUST
+ NOT</emphasis> use this volume to store other content when using
+ this option, because it would NOT be accounted.</para>
+ <para>The calculation works by reading the band size from the
+ Info.plist XML file of the sparsebundle, reading the bands/
+ directory counting the number of band files, and then multiplying
+ one with the other.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>fruit:metadata = [ stream | netatalk ]</term>
<listitem>
<para>Controls where the OS X metadata stream is stored:</para>
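Review bot: In the IMPORTANT paragraph, "Therefor" should be "Therefore" and "it would NOT be accounted" should read "it would NOT be accounted for". The entry also does not state the default or what size is reported when Info.plist cannot be read, which matters because the text itself describes the calculation as an approximation.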
diff --git a/libcli/dns/dns.c b/libcli/dns/dns.c
index 6404cb8..c30de2d 100644
--- a/libcli/dns/dns.c
+++ b/libcli/dns/dns.c
@@ -45,11 +45,11 @@ struct dns_udp_request_state {
static void dns_udp_request_get_reply(struct tevent_req *subreq);
static void dns_udp_request_done(struct tevent_req *subreq);

-struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len)
+static struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
{
struct tevent_req *req, *subreq;
struct dns_udp_request_state *state;
@@ -158,10 +158,10 @@ static void dns_udp_request_done(struct tevent_req *subreq)
tevent_req_done(req);
}

-int dns_udp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len)
+static int dns_udp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
{
struct dns_udp_request_state *state = tevent_req_data(req,
struct dns_udp_request_state);
@@ -201,11 +201,11 @@ static int dns_tcp_request_next_vector(struct tstream_context *stream,
size_t *_count);
static void dns_tcp_request_received(struct tevent_req *subreq);

-struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len)
+static struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
{
struct tevent_req *req, *subreq;
struct dns_tcp_request_state *state;
@@ -377,10 +377,10 @@ static void dns_tcp_request_received(struct tevent_req *subreq)
tevent_req_done(req);
}

-int dns_tcp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len)
+static int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
{
struct dns_tcp_request_state *state = tevent_req_data(
req, struct dns_tcp_request_state);
diff --git a/libcli/dns/libdns.h b/libcli/dns/libdns.h
index 1b7c404..15ca257 100644
--- a/libcli/dns/libdns.h
+++ b/libcli/dns/libdns.h
@@ -26,44 +26,6 @@
#include "lib/util/time.h"
#include "librpc/gen_ndr/dns.h"

-/** Send an dns request to a dns server using UDP
- *
- *@param mem_ctx talloc memory context to use
- *@param ev tevent context to use
- *@param server_address address of the server as a string
- *@param query dns query to send
- *@param query_len length of the query
- *@return tevent_req with the active request or NULL on out-of-memory
- */
-struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_address,
- const uint8_t *query,
- size_t query_len);
-
-/** Get the dns response from a dns server via UDP
- *
- *@param req tevent_req struct returned from dns_udp_request_send
- *@param mem_ctx talloc memory context to use for the reply string
- *@param reply buffer that will be allocated and filled with the dns reply
- *@param reply_len length of the reply buffer
- *@return 0/errno
- */
-int dns_udp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len);
-
-struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len);
-int dns_tcp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len);
-
/*
* DNS request with fallback to TCP on truncation
*/
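Review bot: The doxygen comments for dns_udp_request_send() and dns_udp_request_recv() are deleted from libdns.h together with the prototypes, and the dns.c hunks do not add them back above the now-static definitions. Move the parameter and return-value descriptions into dns.c so they are not lost, particularly as the commit message anticipates re-publishing the TCP variant later.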
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index c9888c2..1e652d8e 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1957,6 +1957,14 @@ sub provision($$$$$$$$$)
path = $shrdir
vfs objects = streams_depot acl_xattr

+[vfs_fruit_timemachine]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:time machine = yes
+ fruit:time machine max size = 32K
+
[badname-tmp]
path = $badnames_shrdir
guest ok = yes
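Review bot: The new [vfs_fruit_timemachine] share sets `path = $shrdir`, the same directory the share immediately above it exports, while the vfs_fruit manpage text added in this series says a volume using "time machine max size" must not hold other content because that content is not accounted. Give the test share its own directory so the 32K limit is exercised against sparsebundle data only.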
diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
index a7c4a49..98cc32d 100644
--- a/source3/modules/vfs_fileid.c
+++ b/source3/modules/vfs_fileid.c
@@ -37,11 +37,64 @@ struct fileid_mount_entry {

struct fileid_handle_data {
uint64_t (*device_mapping_fn)(struct fileid_handle_data *data,
- SMB_DEV_T dev);
+ const SMB_STRUCT_STAT *sbuf);
+ char **fstype_deny_list;
+ char **fstype_allow_list;
+ char **mntdir_deny_list;
+ char **mntdir_allow_list;
unsigned num_mount_entries;
struct fileid_mount_entry *mount_entries;
+ ino_t nolockinode;
};

+/* check if a mount entry is allowed based on fstype and mount directory */
+static bool fileid_mount_entry_allowed(struct fileid_handle_data *data,
+ struct mntent *m)
+{
+ int i;
+ char **fstype_deny = data->fstype_deny_list;
+ char **fstype_allow = data->fstype_allow_list;
+ char **mntdir_deny = data->mntdir_deny_list;
+ char **mntdir_allow = data->mntdir_allow_list;
+
+ if (fstype_deny != NULL) {
+ for (i = 0; fstype_deny[i] != NULL; i++) {
+ if (strcmp(m->mnt_type, fstype_deny[i]) == 0) {
+ return false;
+ }
+ }
+ }
+ if (fstype_allow != NULL) {
+ for (i = 0; fstype_allow[i] != NULL; i++) {
+ if (strcmp(m->mnt_type, fstype_allow[i]) == 0) {
+ break;
+ }
+ }
+ if (fstype_allow[i] == NULL) {
+ return false;
+ }
+ }
+ if (mntdir_deny != NULL) {
+ for (i=0; mntdir_deny[i] != NULL; i++) {
+ if (strcmp(m->mnt_dir, mntdir_deny[i]) == 0) {
+ return false;
+ }
+ }
+ }
+ if (mntdir_allow != NULL) {
+ for (i=0; mntdir_allow[i] != NULL; i++) {
+ if (strcmp(m->mnt_dir, mntdir_allow[i]) == 0) {
+ break;
+ }
+ }
+ if (mntdir_allow[i] == NULL) {
+ return false;
+ }
+ }
+ return true;
+}
+
+
/* load all the mount entries from the mtab */
static void fileid_load_mount_entries(struct fileid_handle_data *data)
{
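Review bot: fileid_mount_entry_allowed() compares m->mnt_dir against the configured lists with plain strcmp(), so a deny entry written with a trailing slash silently fails to match and the mount is still passed to stat() and statfs(), which is the blocking case the option exists to avoid. Normalise the configured paths or document that matching is exact. The four loops are near-identical and mix `i = 0` with `i=0`; one helper that searches a NULL-terminated list would remove both the duplication and the inconsistency.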
@@ -58,7 +111,13 @@ static void fileid_load_mount_entries(struct fileid_handle_data *data)
struct stat st;
struct statfs sfs;
struct fileid_mount_entry *cur;
+ bool allowed;

+ allowed = fileid_mount_entry_allowed(data, m);
+ if (!allowed) {
+ DBG_DEBUG("skipping mount entry %s\n", m->mnt_dir);
+ continue;
+ }
if (stat(m->mnt_dir, &st) != 0) continue;
if (statfs(m->mnt_dir, &sfs) != 0) continue;

@@ -136,12 +195,12 @@ static uint64_t fileid_uint64_hash(const uint8_t *s, size_t len)

/* a device mapping using a fsname */
static uint64_t fileid_device_mapping_fsname(struct fileid_handle_data *data,
- SMB_DEV_T dev)
+ const SMB_STRUCT_STAT *sbuf)
{
struct fileid_mount_entry *m;

- m = fileid_find_mount_entry(data, dev);
- if (!m) return dev;
+ m = fileid_find_mount_entry(data, sbuf->st_ex_dev);
+ if (!m) return sbuf->st_ex_dev;

if (m->devid == (uint64_t)-1) {
m->devid = fileid_uint64_hash((const uint8_t *)m->mnt_fsname,
@@ -151,14 +210,55 @@ static uint64_t fileid_device_mapping_fsname(struct fileid_handle_data *data,
return m->devid;
}

+/* a device mapping using a hostname */
+static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
+ const SMB_STRUCT_STAT *sbuf)
+{
+ char hostname[HOST_NAME_MAX+1];
+ char *devname = NULL;
+ uint64_t id;
+ size_t devname_len;
+ int rc;
+
+ rc = gethostname(hostname, HOST_NAME_MAX+1);
+ if (rc != 0) {
+ DBG_ERR("gethostname failed\n");
+ return UINT64_MAX;
+ }
+
+ devname = talloc_asprintf(talloc_tos(), "%s%lu",
+ hostname, sbuf->st_ex_dev);
+ if (devname == NULL) {
+ DBG_ERR("talloc_asprintf failed\n");
+ return UINT64_MAX;
+ }
+ devname_len = talloc_array_length(devname) - 1;
+ TALLOC_FREE(devname);
+
+ id = fileid_uint64_hash((uint8_t *)devname, devname_len);
+ return id;
+}
+
+/* a device mapping using a fsname for files and hostname for dirs */
+static uint64_t fileid_device_mapping_fsname_nodirs(
+ struct fileid_handle_data *data,
+ const SMB_STRUCT_STAT *sbuf)
+{
+ if (S_ISDIR(sbuf->st_ex_mode)) {
+ return fileid_device_mapping_hostname(data, sbuf);
+ }
+
+ return fileid_device_mapping_fsname(data, sbuf);
+}
+
/* device mapping functions using a fsid */
static uint64_t fileid_device_mapping_fsid(struct fileid_handle_data *data,
- SMB_DEV_T dev)
+ const SMB_STRUCT_STAT *sbuf)
{
struct fileid_mount_entry *m;

- m = fileid_find_mount_entry(data, dev);
- if (!m) return dev;
+ m = fileid_find_mount_entry(data, sbuf->st_ex_dev);
+ if (!m) return sbuf->st_ex_dev;

if (m->devid == (uint64_t)-1) {
if (sizeof(fsid_t) > sizeof(uint64_t)) {
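Review bot: in fileid_device_mapping_hostname, TALLOC_FREE(devname) runs before fileid_uint64_hash((uint8_t *)devname, devname_len), so the hash is computed over a buffer that has already been released. Move the TALLOC_FREE to after the hash call, just before return id. Separately, the "%lu" conversion is given sbuf->st_ex_dev without a cast; casting the argument to unsigned long would keep the format and argument types in agreement on platforms where the device type is not unsigned long.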
@@ -178,11 +278,43 @@ static uint64_t fileid_device_mapping_fsid(struct fileid_handle_data *data,
return m->devid;
}

+static int get_connectpath_ino(struct vfs_handle_struct *handle,
+ ino_t *ino)
+{
+ struct smb_filename *fname = NULL;
+ int ret;
+
+ fname = synthetic_smb_fname(talloc_tos(),
+ handle->conn->connectpath,
+ NULL,
+ NULL,
+ 0);
+ if (fname == NULL) {
+ DBG_ERR("synthetic_smb_fname failed\n");
+ return -1;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, fname);
+ TALLOC_FREE(fname);
+ if (ret != 0) {
+ DBG_ERR("stat failed for %s with %s\n",
+ handle->conn->connectpath, strerror(errno));
+ return -1;
+ }
+
+ return 0;
+}
+
static int fileid_connect(struct vfs_handle_struct *handle,
const char *service, const char *user)
{
struct fileid_handle_data *data;
const char *algorithm;
+ const char **fstype_deny_list = NULL;
+ const char **fstype_allow_list = NULL;
+ const char **mntdir_deny_list = NULL;
+ const char **mntdir_allow_list = NULL;
+ int saved_errno;
int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);

if (ret < 0) {
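Review bot: get_connectpath_ino never stores anything through its ino parameter: after SMB_VFS_NEXT_STAT succeeds the function frees fname and returns 0, so a caller that trusts the return value reads whatever was in *ino beforehand. Copy the inode number out of fname's stat data before TALLOC_FREE(fname). The same free also sits between the stat call and strerror(errno) in the error path, so saving errno right after the stat (as fileid_connect does with saved_errno in this patch) would keep the logged reason reliable.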
@@ -191,11 +323,15 @@ static int fileid_connect(struct vfs_handle_struct *handle,

data = talloc_zero(handle->conn, struct fileid_handle_data);
if (!data) {
+ saved_errno = errno;
SMB_VFS_NEXT_DISCONNECT(handle);
DEBUG(0, ("talloc_zero() failed\n"));
+ errno = saved_errno;
return -1;
}

+ data->nolockinode = 0;
+
/*
* "fileid:mapping" is only here as fallback for old setups
* "fileid:algorithm" is the option new setups should use
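Review bot: data->nolockinode = 0 directly follows a successful talloc_zero() of the same struct, so the assignment is redundant; either drop it or add a comment saying it is there to document the default. In the failure branch above it, the message is still logged with DEBUG(0, ...) while the code added elsewhere in this patch uses DBG_ERR; switching it would keep the file consistent.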
@@ -208,20 +344,89 @@ static int fileid_connect(struct vfs_handle_struct *handle,
algorithm);
if (strcmp("fsname", algorithm) == 0) {
data->device_mapping_fn = fileid_device_mapping_fsname;
+ } else if (strcmp("fsname_nodirs", algorithm) == 0) {
--
Samba Shared Repository
Ralph Böhme
2018-01-08 02:17:02 UTC
The branch, master has been updated
via 7bc329f vfs_fileid: fix a use after free
from debf8ba vfs_fileid: add fileid:algorithm = fsname_norootdir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7bc329fcc9776312081f21f6aabd2a3171533287
Author: Ralph Boehme <***@samba.org>
Date: Sat Jan 6 16:13:52 2018 +0100

vfs_fileid: fix a use after free

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Mon Jan 8 03:16:30 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_fileid.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
index 98cc32d..c890876 100644
--- a/source3/modules/vfs_fileid.c
+++ b/source3/modules/vfs_fileid.c
@@ -233,9 +233,11 @@ static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
return UINT64_MAX;
}
devname_len = talloc_array_length(devname) - 1;
- TALLOC_FREE(devname);

id = fileid_uint64_hash((uint8_t *)devname, devname_len);
+
+ TALLOC_FREE(devname);
+
return id;
}
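Review bot: the reordering is correct, but the commit message says only "fix a use after free" and does not say what was affected. From the hunk, devname was freed before fileid_uint64_hash read devname_len bytes from it, so every device id produced by fileid_device_mapping_hostname was computed from released memory; stating that, and which fileid:algorithm settings reach this function, would help anyone deciding whether to backport.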
--
Samba Shared Repository
Andrew Bartlett
2018-01-08 07:03:03 UTC
The branch, master has been updated
via fe164a0 selftest: close connections after tests in samba4.ldap.secdesc.python
via babf0a7 selftest: close connections after tests in samba4.ldap.acl.python
via eae6d76 docs-xml: mention that the man pages are "part of" version x
via 5621139 doc: document wins server's smb.conf parameters
via e3cc2af tests:docs: remove explicit exceptions for parametric options
via ece75ea tests:docs: don't try to test parametric option defaults
via 080d590 packaging: add configure option to preprocess and install systemd files
via 3089a56 crypto: Update the REQUIREMENTS
via ca66efc Add substitutions %t, %j, and %J as path-safe variants of %T, %i, and %I.
via d39664f define DBGC_AUTH class
via ce2ca7f Update util.c to include DBGC_AUTH class
via 9010d54 travis-ci: Update package list to match the wiki
from 7bc329f vfs_fileid: fix a use after free

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fe164a08ddfee8efd802ed27a90f24e8afe2789a
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 13:56:03 2018 +1300

selftest: close connections after tests in samba4.ldap.secdesc.python

This test suite had a memory impact of around 2.2GB, from LDAP connection
handlers under the standard process model.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Jan 8 08:02:15 CET 2018 on sn-devel-144

commit babf0a7bef893873af35751b7a8c081d86d2ff6b
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 13:24:25 2018 +1300

selftest: close connections after tests in samba4.ldap.acl.python

Over the length of a run of this suite (which runs under the standard process
model), memory usage from LDAP connection handlers reaches 4GB. This patch
reduces it to a manageable amount.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit eae6d76a366fdd7cfa65a5cf804759a1889976c8
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 13 01:38:25 2017 +0100

docs-xml: mention that the man pages are "part of" version x

writing that they are correct for version x is not always precise. But we're
working on that also :-)

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 5621139fca76d8f52d203fda9f146e942cc1b624
Author: Bjoern Jacke <***@samba.org>
Date: Fri Dec 8 14:52:24 2017 +0100

doc: document wins server's smb.conf parameters

this is from the WINS server, which was released earlier as samba4wins.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit e3cc2af011640eb1077014f820c6fb60da204d92
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 20 21:35:54 2017 +0100

tests:docs: remove explicit exceptions for parametric options

we don't need to list them all as special cases because we exclude parametric
options generally now from the default value test.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit ece75ea9a6f1fd0b86593287a22993482c7b2cc5
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 20 21:23:24 2017 +0100

tests:docs: don't try to test parametric option defaults

we don't get the values of the parametric options.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 080d590de1ff9f8ebc55aeffaea8d41991466549
Author: Aurelien Aptel <***@suse.com>
Date: Thu Dec 14 16:47:49 2017 +0100

packaging: add configure option to preprocess and install systemd files

Turn the systemd service files under packaging into template (.in) files
with @VAR@ substitutions and add configure options to install and tweak
them.

Signed-off-by: Aurelien Aptel <***@suse.com>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 3089a5660dd75e1396cd29dfb202a1d4ff1b7cfe
Author: Andreas Schneider <***@samba.org>
Date: Wed Jan 3 11:23:51 2018 +0100

crypto: Update the REQUIREMENTS

Update after call with the GnuTLS maintainer to see what is supported in
GnuTLS, what is working in FIPS mode or not, and what features we require
to move to GnuTLS in future. The benefit will be FIPS certification and
more hardware accelerated crypto.

Bugs have been opened against GnuTLS to implement the missing features or
add functions to declare use of old crypto functions as non-crypto use.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit ca66efc24181ba6a7a4c13397af514b0972b4855
Author: Dr. Thomas Orgis <***@uni-hamburg.de>
Date: Thu Jul 27 12:54:28 2017 +0200

Add substitutions %t, %j, and %J as path-safe variants of %T, %i, and %I.

Rationale: Using the existing substitutions in construction of paths
(dynamic shares, created on client connect) results in directory names with
colons and dots in them. Those can be hard to use when accessed from a
different share, as Windows does not allow : in paths and has some ideas about
dots.

Signed-off-by: Dr. Thomas Orgis <***@uni-hamburg.de>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit d39664fc66dafaf5cce2b830033df52da4d81695
Author: kkplein <***@merit.unu.edu>
Date: Tue Dec 19 10:49:10 2017 +0100

define DBGC_AUTH class

Signed-off-by: Mourik Jan C Heupink <***@merit.unu.edu>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ce2ca7fa89921a4ccdac018558025a9d650b0154
Author: kkplein <***@merit.unu.edu>
Date: Mon Dec 18 20:14:31 2017 +0100

Update util.c to include DBGC_AUTH class

Signed-off-by: Mourik Jan C Heupink <***@merit.unu.edu>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 9010d54d6c5c0087f3a14f56e3907461d560a7f5
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 10:31:50 2018 +1300

travis-ci: Update package list to match the wiki

This in turn is based on what we use at Catalyst minus some helpful packages like editors

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
.travis.yml | 2 +-
auth/credentials/credentials_krb5.c | 3 +
auth/credentials/credentials_ntlm.c | 3 +
auth/credentials/credentials_secrets.c | 3 +
auth/gensec/external.c | 3 +
auth/gensec/gensec.c | 3 +
auth/gensec/gensec_start.c | 3 +
auth/gensec/gensec_util.c | 3 +
auth/gensec/ncalrpc.c | 3 +
auth/gensec/schannel.c | 3 +
auth/gensec/spnego.c | 3 +
auth/kerberos/gssapi_helper.c | 3 +
auth/kerberos/gssapi_pac.c | 4 ++
auth/kerberos/kerberos_pac.c | 4 ++
auth/ntlmssp/gensec_ntlmssp_server.c | 3 +
auth/ntlmssp/ntlmssp.c | 3 +
auth/ntlmssp/ntlmssp_client.c | 3 +
auth/ntlmssp/ntlmssp_server.c | 3 +
auth/ntlmssp/ntlmssp_sign.c | 3 +
auth/ntlmssp/ntlmssp_util.c | 3 +
docs-xml/manpages/dbwrap_tool.1.xml | 2 +-
docs-xml/manpages/eventlogadm.8.xml | 2 +-
docs-xml/manpages/findsmb.1.xml | 2 +-
docs-xml/manpages/libsmbclient.7.xml | 2 +-
docs-xml/manpages/lmhosts.5.xml | 2 +-
docs-xml/manpages/log2pcap.1.xml | 2 +-
docs-xml/manpages/mvxattr.1.xml | 2 +-
docs-xml/manpages/nmbd.8.xml | 2 +-
docs-xml/manpages/nmblookup.1.xml | 2 +-
docs-xml/manpages/ntlm_auth.1.xml | 2 +-
docs-xml/manpages/pam_winbind.8.xml | 2 +-
docs-xml/manpages/pam_winbind.conf.5.xml | 2 +-
docs-xml/manpages/pdbedit.8.xml | 2 +-
docs-xml/manpages/profiles.1.xml | 2 +-
docs-xml/manpages/rpcclient.1.xml | 2 +-
docs-xml/manpages/samba-regedit.8.xml | 2 +-
docs-xml/manpages/samba.7.xml | 2 +-
docs-xml/manpages/samba.8.xml | 2 +-
docs-xml/manpages/sharesec.1.xml | 2 +-
docs-xml/manpages/smb.conf.5.xml | 21 ++++++-
docs-xml/manpages/smbcacls.1.xml | 2 +-
docs-xml/manpages/smbclient.1.xml | 2 +-
docs-xml/manpages/smbcontrol.1.xml | 2 +-
docs-xml/manpages/smbcquotas.1.xml | 2 +-
docs-xml/manpages/smbd.8.xml | 2 +-
docs-xml/manpages/smbget.1.xml | 2 +-
docs-xml/manpages/smbgetrc.5.xml | 2 +-
docs-xml/manpages/smbpasswd.5.xml | 2 +-
docs-xml/manpages/smbpasswd.8.xml | 2 +-
docs-xml/manpages/smbspool.8.xml | 2 +-
docs-xml/manpages/smbstatus.1.xml | 2 +-
docs-xml/manpages/smbtar.1.xml | 2 +-
docs-xml/manpages/smbtree.1.xml | 2 +-
docs-xml/manpages/testparm.1.xml | 2 +-
docs-xml/manpages/vfs_aio_fork.8.xml | 2 +-
docs-xml/manpages/vfs_aio_pthread.8.xml | 2 +-
docs-xml/manpages/vfs_audit.8.xml | 2 +-
docs-xml/manpages/vfs_btrfs.8.xml | 2 +-
docs-xml/manpages/vfs_cacheprime.8.xml | 2 +-
docs-xml/manpages/vfs_cap.8.xml | 2 +-
docs-xml/manpages/vfs_catia.8.xml | 2 +-
docs-xml/manpages/vfs_ceph.8.xml | 2 +-
docs-xml/manpages/vfs_commit.8.xml | 2 +-
docs-xml/manpages/vfs_crossrename.8.xml | 2 +-
docs-xml/manpages/vfs_default_quota.8.xml | 2 +-
docs-xml/manpages/vfs_dirsort.8.xml | 2 +-
docs-xml/manpages/vfs_extd_audit.8.xml | 2 +-
docs-xml/manpages/vfs_fake_perms.8.xml | 2 +-
docs-xml/manpages/vfs_fileid.8.xml | 2 +-
docs-xml/manpages/vfs_full_audit.8.xml | 2 +-
docs-xml/manpages/vfs_glusterfs.8.xml | 2 +-
docs-xml/manpages/vfs_gpfs.8.xml | 2 +-
docs-xml/manpages/vfs_linux_xfs_sgid.8.xml | 2 +-
docs-xml/manpages/vfs_media_harmony.8.xml | 2 +-
docs-xml/manpages/vfs_netatalk.8.xml | 2 +-
docs-xml/manpages/vfs_offline.8.xml | 2 +-
docs-xml/manpages/vfs_prealloc.8.xml | 2 +-
docs-xml/manpages/vfs_preopen.8.xml | 2 +-
docs-xml/manpages/vfs_readahead.8.xml | 2 +-
docs-xml/manpages/vfs_readonly.8.xml | 2 +-
docs-xml/manpages/vfs_recycle.8.xml | 2 +-
docs-xml/manpages/vfs_shadow_copy.8.xml | 2 +-
docs-xml/manpages/vfs_shadow_copy2.8.xml | 2 +-
docs-xml/manpages/vfs_shell_snap.8.xml | 2 +-
docs-xml/manpages/vfs_snapper.8.xml | 2 +-
docs-xml/manpages/vfs_syncops.8.xml | 2 +-
docs-xml/manpages/vfs_time_audit.8.xml | 2 +-
docs-xml/manpages/vfs_tsmsm.8.xml | 2 +-
docs-xml/manpages/vfs_unityed_media.8.xml | 2 +-
docs-xml/manpages/vfs_worm.8.xml | 2 +-
docs-xml/manpages/vfs_zfsacl.8.xml | 2 +-
docs-xml/manpages/vfstest.1.xml | 2 +-
docs-xml/manpages/wbinfo.1.xml | 2 +-
docs-xml/manpages/winbind_krb5_locator.7.xml | 2 +-
docs-xml/manpages/winbindd.8.xml | 2 +-
.../wins/nbtd-wins_prepend1bto1cqueries.xml | 16 +++++
.../smbdotconf/wins/nbtd-wins_randomize1clist.xml | 19 ++++++
.../wins/nbtd-wins_randomize1clist_mask.xml | 16 +++++
docs-xml/smbdotconf/wins/winsdb-localowner.xml | 12 ++++
docs-xml/smbdotconf/wins/winsdb-nosync.xml | 11 ++++
.../smbdotconf/wins/wreplsrv-periodic_interval.xml | 14 +++++
.../wins/wreplsrv-propagate_name_releases.xml | 23 +++++++
.../wins/wreplsrv-scavenging_interval.xml | 11 ++++
.../wins/wreplsrv-tombstone_extra_timeout.xml | 12 ++++
.../wins/wreplsrv-tombstone_interval.xml | 12 ++++
.../smbdotconf/wins/wreplsrv-tombstone_timeout.xml | 12 ++++
.../smbdotconf/wins/wreplsrv-verify_interval.xml | 13 ++++
lib/crypto/REQUIREMENTS | 70 +++++++++++++++-------
lib/util/time.c | 51 ++++++++++++++++
lib/util/time.h | 15 +++++
packaging/systemd/{nmb.service => nmb.service.in} | 7 ++-
.../systemd/{samba.service => samba.service.in} | 7 ++-
packaging/systemd/{smb.service => smb.service.in} | 7 ++-
.../{winbind.service => winbind.service.in} | 7 ++-
packaging/wscript | 50 ++++++++++++++++
packaging/wscript_build | 16 +++++
python/samba/tests/docs.py | 11 ++--
source3/lib/substitute.c | 32 ++++++++++
source3/torture/torture.c | 53 ++++++++++++++++
source4/dsdb/common/util.c | 4 +-
source4/dsdb/tests/python/acl.py | 32 ++++++++++
source4/dsdb/tests/python/sec_descriptor.py | 5 ++
wscript | 4 ++
wscript_build | 1 +
124 files changed, 655 insertions(+), 118 deletions(-)
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_prepend1bto1cqueries.xml
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_randomize1clist.xml
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_randomize1clist_mask.xml
create mode 100644 docs-xml/smbdotconf/wins/winsdb-localowner.xml
create mode 100644 docs-xml/smbdotconf/wins/winsdb-nosync.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-propagate_name_releases.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-scavenging_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_extra_timeout.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_timeout.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-verify_interval.xml
rename packaging/systemd/{nmb.service => nmb.service.in} (62%)
rename packaging/systemd/{samba.service => samba.service.in} (62%)
rename packaging/systemd/{smb.service => smb.service.in} (62%)
rename packaging/systemd/{winbind.service => winbind.service.in} (59%)
create mode 100644 packaging/wscript
create mode 100644 packaging/wscript_build


Changeset truncated at 500 lines:

diff --git a/.travis.yml b/.travis.yml
index 4c68c72..645658b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -27,7 +27,7 @@ matrix:

before_install:
- sudo apt-get update -qq
- - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python-gpgme python3-crypto python3-dev python3-dnspython python3-gpgme realpath screen xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown python3-dev xsltproc zlib1g-dev

script:
- git fetch --unshallow
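Review bot: the rewritten apt-get install line drops git, python3-crypto, realpath and screen as well as adding packages, and the script step right below it still runs git fetch --unshallow. If git is expected to come from the base image that is fine, but python3-crypto disappearing while python-crypto stays looks unintended; please confirm against the wiki list. The new list is also no longer in alphabetical order (libjansson-dev sits between gdb and krb5-user, python3-dev after python3-markdown), which makes future comparisons with the wiki harder.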
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 585203a..9da1aa0 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -35,6 +35,9 @@
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
static void cli_credentials_invalidate_client_gss_creds(
struct cli_credentials *cred,
enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index e6859bf..eed8924 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -28,6 +28,9 @@
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index ed148fd..beb2928 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -41,6 +41,9 @@
#include "lib/util/util_tdb.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
diff --git a/auth/gensec/external.c b/auth/gensec/external.c
index 0158045..300ce6b 100644
--- a/auth/gensec/external.c
+++ b/auth/gensec/external.c
@@ -28,6 +28,9 @@
#include "auth/gensec/gensec_proto.h"
#include "auth/gensec/gensec_toplevel_proto.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
* layer is already mutually authenticated.
*/
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 61bff22..e021d0c 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -31,6 +31,9 @@
#include "librpc/gen_ndr/dcerpc.h"
#include "auth/common_auth.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
{
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 4276620..50f4de7 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -33,6 +33,9 @@
#include "lib/util/samba_modules.h"
#include "lib/util/base64.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/* the list of currently registered GENSEC backends */
static const struct gensec_security_ops **generic_security_ops;
static int gensec_num_backends;
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index ca5e581..20c9c2a 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -26,6 +26,9 @@
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
struct smb_krb5_context *smb_krb5_context,
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
index 70b3bb5..7474b6a 100644
--- a/auth/gensec/ncalrpc.c
+++ b/auth/gensec/ncalrpc.c
@@ -30,6 +30,9 @@
#include "lib/param/param.h"
#include "tsocket.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(TALLOC_CTX *ctx);

struct gensec_ncalrpc_state {
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8e58e73..71e9afd 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -36,6 +36,9 @@
#include "lib/crypto/crypto.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
struct schannel_state {
struct gensec_security *gensec;
uint64_t seq_num;
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 9857e78..56f9be4 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -34,6 +34,9 @@
#include "lib/util/asn1.h"
#include "lib/util/base64.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#undef strcasecmp

_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
diff --git a/auth/kerberos/gssapi_helper.c b/auth/kerberos/gssapi_helper.c
index b7ffb6c..52c953c 100644
--- a/auth/kerberos/gssapi_helper.c
+++ b/auth/kerberos/gssapi_helper.c
@@ -23,6 +23,9 @@
#include "auth/kerberos/pac_utils.h"
#include "auth/kerberos/gssapi_helper.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context,
const gss_OID mech,
uint32_t gss_want_flags,
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 253976a..b695671 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -19,6 +19,10 @@
*/

#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#ifdef HAVE_KRB5

#include "auth/kerberos/pac_utils.h"
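Review bot: here the DBGC_CLASS override is placed right after includes.h, ahead of the #ifdef HAVE_KRB5 block and the remaining #include lines, whereas the other auth/ files in this patch put it after their last include. A header pulled in later that touches DBGC_CLASS would silently undo it; moving the two lines below the final #include inside the HAVE_KRB5 block would match the rest of the series.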
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 7b6efdc..0ab0e9a 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -23,6 +23,10 @@
*/

#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#ifdef HAVE_KRB5

#include "librpc/gen_ndr/ndr_krb5pac.h"
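Review bot: the #undef/#define DBGC_CLASS pair is inserted before #ifdef HAVE_KRB5 and before librpc/gen_ndr/ndr_krb5pac.h is included, the same placement as in the gssapi_pac.c hunk. Placing it after the file's last #include would keep it consistent with the other auth/ files and guard against a later header changing the class.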
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 561c7cf..c0e6cff 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -37,6 +37,9 @@
#include "param/loadparm.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Return the credentials of a logged on user, including session keys
* etc.
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 36e7052..37434fb 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -33,6 +33,9 @@ struct auth_session_info;
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Callbacks for NTLMSSP - for both client and server operating modes
*
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 5edd5f4..db2003f 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -36,6 +36,9 @@ struct auth_session_info;
#include "../auth/ntlmssp/ntlmssp_ndr.h"
#include "../nsswitch/libwbclient/wbclient.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/*********************************************************************
Client side NTLMSSP
*********************************************************************/
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 417352b..37ed2bc 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -37,6 +37,9 @@
#include "param/loadparm.h"
#include "libcli/security/session.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Determine correct target name flags for reply, given server role
* and negotiated flags
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index ad0f9e9..09b7e5a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -26,6 +26,9 @@
#include "../lib/crypto/crc32.h"
#include "../auth/ntlmssp/ntlmssp_private.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#define CLI_SIGN "session key to client-to-server signing key magic constant"
#define CLI_SEAL "session key to client-to-server sealing key magic constant"
#define SRV_SIGN "session key to server-to-client signing key magic constant"
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 9c7325a..6f3b474 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -25,6 +25,9 @@
#include "../auth/ntlmssp/ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_private.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
static void debug_ntlmssp_flags_raw(int level, uint32_t flags)
{
#define _PRINT_FLAG_LINE(v) do { \
diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
index 91b49bb..c2d9c30 100644
--- a/docs-xml/manpages/dbwrap_tool.1.xml
+++ b/docs-xml/manpages/dbwrap_tool.1.xml
@@ -169,7 +169,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/eventlogadm.8.xml b/docs-xml/manpages/eventlogadm.8.xml
index 69e90c1..f567d92 100644
--- a/docs-xml/manpages/eventlogadm.8.xml
+++ b/docs-xml/manpages/eventlogadm.8.xml
@@ -276,7 +276,7 @@

<refsect1>
<title>VERSION</title>
- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/findsmb.1.xml b/docs-xml/manpages/findsmb.1.xml
index aa8e572..63233e2 100644
--- a/docs-xml/manpages/findsmb.1.xml
+++ b/docs-xml/manpages/findsmb.1.xml
@@ -118,7 +118,7 @@ IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/libsmbclient.7.xml b/docs-xml/manpages/libsmbclient.7.xml
index 9c33523..8dab4d0 100644
--- a/docs-xml/manpages/libsmbclient.7.xml
+++ b/docs-xml/manpages/libsmbclient.7.xml
@@ -120,7 +120,7 @@
<title>VERSION</title>

<para>
- This man page is correct for version &doc.version; of the Samba suite.
+ This man page is part of version &doc.version; of the Samba suite.
</para>
</refsect1>

diff --git a/docs-xml/manpages/lmhosts.5.xml b/docs-xml/manpages/lmhosts.5.xml
index a332706..39bfcf8 100644
--- a/docs-xml/manpages/lmhosts.5.xml
+++ b/docs-xml/manpages/lmhosts.5.xml
@@ -93,7 +93,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/log2pcap.1.xml b/docs-xml/manpages/log2pcap.1.xml
index 2cb7ed1..fafe6de 100644
--- a/docs-xml/manpages/log2pcap.1.xml
+++ b/docs-xml/manpages/log2pcap.1.xml
@@ -103,7 +103,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/mvxattr.1.xml b/docs-xml/manpages/mvxattr.1.xml
index 977db9f..59048ce 100644
--- a/docs-xml/manpages/mvxattr.1.xml
+++ b/docs-xml/manpages/mvxattr.1.xml
@@ -83,7 +83,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
index 7fe7f9f..c145e82 100644
--- a/docs-xml/manpages/nmbd.8.xml
+++ b/docs-xml/manpages/nmbd.8.xml
@@ -258,7 +258,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml
index 55a4cc6..c633e07 100644
--- a/docs-xml/manpages/nmblookup.1.xml
+++ b/docs-xml/manpages/nmblookup.1.xml
@@ -190,7 +190,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
index e84b081..4f900d5 100644
--- a/docs-xml/manpages/ntlm_auth.1.xml
+++ b/docs-xml/manpages/ntlm_auth.1.xml
@@ -450,7 +450,7 @@ auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-m
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index fdda333..f57a928 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -253,7 +253,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of Samba.</para>
+ <para>This man page is part of version &doc.version; of Samba.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 4ba9fe2..537007b 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -201,7 +201,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of Samba.</para>
+ <para>This man page is part of version &doc.version; of Samba.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml
index 8766bf0..1cabc0b 100644
--- a/docs-xml/manpages/pdbedit.8.xml
+++ b/docs-xml/manpages/pdbedit.8.xml
@@ -537,7 +537,7 @@ account policy value for bad lockout attempt is now 3
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml
index 151d2f2..012f843 100644
--- a/docs-xml/manpages/profiles.1.xml
+++ b/docs-xml/manpages/profiles.1.xml
@@ -72,7 +72,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
index b53b46e..1e167f8 100644
--- a/docs-xml/manpages/rpcclient.1.xml
+++ b/docs-xml/manpages/rpcclient.1.xml
@@ -534,7 +534,7 @@ Comma Separated list of Files
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml
index 8a81ee3..719b5e1 100644
--- a/docs-xml/manpages/samba-regedit.8.xml
+++ b/docs-xml/manpages/samba-regedit.8.xml
@@ -71,7 +71,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/samba.7.xml b/docs-xml/manpages/samba.7.xml
index df1d5a5..761c8d3 100644
--- a/docs-xml/manpages/samba.7.xml
+++ b/docs-xml/manpages/samba.7.xml
@@ -294,7 +294,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the
+ <para>This man page is part of version &doc.version; of the
Samba suite. </para>
--
Samba Shared Repository
Andrew Bartlett
2018-01-08 14:23:03 UTC
The branch, master has been updated
via 778d5fd selftest: use net rpc join when joining NT4-style domains
from fe164a0 selftest: close connections after tests in samba4.ldap.secdesc.python

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 778d5fd00a69a6d29c9bf755864d32e737ac924d
Author: Ralph Boehme <***@samba.org>
Date: Sat Jan 6 12:27:27 2018 +0100

selftest: use net rpc join when joining NT4-style domains

Otherwise net join when failing at the CLDAP ping stage will put a
negative entry for the DC in the conncache which can trigger *hard* to
debug problems later in winbindd.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Jan 8 15:22:10 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1e652d8e..f5e6472 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -347,7 +347,7 @@ sub setup_nt4_member($$$)
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
- $cmd .= "$net join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
+ $cmd .= "$net rpc join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
$cmd .= " -U$nt4_dc_vars->{USERNAME}\%$nt4_dc_vars->{PASSWORD}";

if (system($cmd) != 0) {
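Review bot: the reason for switching the changed `$cmd .=` line to `net rpc join` is recorded only in the commit message. A short comment above that line, saying that plain `net join` can leave a negative conncache entry for the DC when the CLDAP ping fails, would keep a later cleanup from reverting it.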
--
Samba Shared Repository
Andreas Schneider
2018-01-08 20:05:02 UTC
The branch, master has been updated
via c5fb651 pwrap: Build libpamtest as a subsystem to avoid issues
from 778d5fd selftest: use net rpc join when joining NT4-style domains

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c5fb65121d8b26932eb9fb90474a2e5129c3f178
Author: Andreas Schneider <***@samba.org>
Date: Mon Nov 27 19:37:49 2017 +0100

pwrap: Build libpamtest as a subsystem to avoid issues

Making it a subsystem adds the correct include directory for
libpamtest.h.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Mon Jan 8 21:04:16 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
third_party/pam_wrapper/wscript | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/pam_wrapper/wscript b/third_party/pam_wrapper/wscript
index 75b4eec..b9acf1b 100644
--- a/third_party/pam_wrapper/wscript
+++ b/third_party/pam_wrapper/wscript
@@ -109,9 +109,13 @@ def build(bld):
install=False,
realname='libpam-wrapper.so')

+ bld.SAMBA_SUBSYSTEM('libpamtest',
+ source='libpamtest.c',
+ deps='dl pam')
+
# Can be used to write pam tests in python
for env in bld.gen_python_environments():
bld.SAMBA_PYTHON('pypamtest',
- source='python/pypamtest.c libpamtest.c',
- deps='dl pam',
+ source='python/pypamtest.c',
+ deps='libpamtest',
install=False)
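Review bot: missing comment on the new `bld.SAMBA_SUBSYSTEM('libpamtest', ...)` block. The stated reason for the split (getting the include directory for libpamtest.h) cannot be read from the wscript itself, so a one-line comment above the subsystem would explain why pypamtest no longer lists `libpamtest.c` and `dl pam` directly.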
--
Samba Shared Repository
Andrew Bartlett
2018-01-09 07:23:02 UTC
The branch, master has been updated
via 7901f7c selftest: close connections after tests in samba4.ldap.rodc_rwdc.python
from c5fb651 pwrap: Build libpamtest as a subsystem to avoid issues

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7901f7c3baad974d3126c767cb4ef513f88564cd
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 19:18:34 2018 +1300

selftest: close connections after tests in samba4.ldap.rodc_rwdc.python

This test suite had a memory impact of around 2.5GB, from built-up LDAP
connection handlers under the standard process model.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue Jan 9 08:22:27 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/dsdb/tests/python/password_lockout_base.py | 7 +++++++
source4/dsdb/tests/python/rodc_rwdc.py | 10 ++++++++++
2 files changed, 17 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py
index 992f51d..5f720ef 100644
--- a/source4/dsdb/tests/python/password_lockout_base.py
+++ b/source4/dsdb/tests/python/password_lockout_base.py
@@ -351,6 +351,8 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)

+ self.addCleanup(self.delete_ldb_connections)
+
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(self.template_creds,
username="lockout1krb5",
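Review bot: ordering problem at `self.addCleanup(self.delete_ldb_connections)`: the cleanup is registered before the attributes it deletes are assigned (the `self.lockout1ntlm_ldb = self._readd_user(...)` assignment only appears further down in setUp). If setUp fails in between, the cleanup still runs and its `del` raises AttributeError, adding a second, misleading error to the report. Register the cleanup after the last connection is created, or make it tolerate missing attributes.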
@@ -363,6 +365,11 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)

+ def delete_ldb_connections(self):
+ del self.lockout1krb5_ldb
+ del self.lockout1ntlm_ldb
+ del self.ldb
+
def tearDown(self):
super(BasePasswordTestCase, self).tearDown()

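Review bot: `delete_ldb_connections` only drops references with `del`, so a connection is closed only if nothing else still holds the object, and any attribute that is missing raises AttributeError. A docstring stating that the goal is to release the server-side LDAP handlers when the last reference goes away would help, and since `tearDown` sits directly below, it should say why this is an addCleanup hook rather than part of tearDown.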
diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
index 371ff74..8c6dd4c 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -224,6 +224,11 @@ class RodcRwdcCachedTests(password_lockout_base.BasePasswordTestCase):
# make sure DCs are synchronized before the test
self.force_replication()

+ def delete_ldb_connections(self):
+ super(RodcRwdcCachedTests, self).delete_ldb_connections()
+ del self.rwdc_db
+ del self.rodc_db
+
def test_cache_and_flush_password(self):
username = self.lockout1krb5_creds.get_username()
userpass = self.lockout1krb5_creds.get_password()
@@ -767,6 +772,11 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
self.rwdc_dn = get_server_ref_from_samdb(self.rwdc_db)
self.rodc_dn = get_server_ref_from_samdb(self.rodc_db)

+ def delete_ldb_connections(self):
+ super(RodcRwdcTests, self).delete_ldb_connections()
+ del self.rwdc_db
+ del self.rodc_db
+
def assertReferral(self, fn, *args, **kwargs):
try:
fn(*args, **kwargs)
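Review bot: the `delete_ldb_connections` override in RodcRwdcTests is a line-for-line copy of the one added to RodcRwdcCachedTests in the previous hunk (`del self.rwdc_db`, `del self.rodc_db`); a small shared mixin or helper would keep the two from drifting. Both also assume `rwdc_db` and `rodc_db` are instance attributes when the cleanup runs; if they are set on the class, `del self.rwdc_db` raises AttributeError.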
--
Samba Shared Repository
Ralph Böhme
2018-01-09 16:10:02 UTC
The branch, master has been updated
via e61e9e9 vfs_fruit: set delete-on-close for empty finderinfo
via 70d8f7c vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close
via c41e1ea vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream()
via df31e94 s4/torture/fruit: enhance zero AFP_AfpInfo stream test
via a22833c s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized
from 7901f7c selftest: close connections after tests in samba4.ldap.rodc_rwdc.python

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e61e9e98e9ff461055daae2fe78f0202f7ed8663
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 6 22:09:52 2017 +0100

vfs_fruit: set delete-on-close for empty finderinfo

We previously removed the stream from the underlying filesystem stream
backing store when the client zeroes out FinderInfo in the AFP_AfpInfo
stream, but this causes certain operations to fail (eg stat) when trying
to access the stream over any file-handle open on that stream.

So instead of deleting, set delete-on-close on the stream. The previous
commit already implemented not to list streams with delete-on-close
set which is necessary to implement correct macOS semantics for this
particular stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Tue Jan 9 17:09:12 CET 2018 on sn-devel-144

commit 70d8f7c5d25f35b58620c2db8f57c7c0758267b3
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 17:32:35 2017 +0100

vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close

This is in preparation of fixing the implementation of removing the
AFP_AfpInfo stream by zeroing the FinderInfo out.

We currently remove the stream blob from the underlying filesystem
backing store, but that causes certain operations to fail on any
still open file-handle.

The fix comes in the next commit which will convert the backing store
delete operation to a set delete-on-close on the stream.

This commit adds filtering on streams that have the delete-on-close
set. It is only needed for the fruit:metadata=stream case, as with
fruit:metadata=netatalk the filtering is already done in
fruit_streaminfo_meta_netatalk().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit c41e1ea9247611473d30184efd953c61955ead15
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 14:56:36 2017 +0100

vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream()

No change in behaviour, just some refactoring before adding more code to
fruit_streaminfo_meta_stream() in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit df31e94eb6241f5e5594f6fd0ec1ad7896e02e27
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 13:43:02 2017 +0100

s4/torture/fruit: enhance zero AFP_AfpInfo stream test

This tests more operations in the zeroed out FinderInfo test, ensuring
after zeroing out FinderInfo, operations on the filehandle still work
and that enumerating streams doesn't return the stream anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit a22833c2971dc7234b32741305f40ed62e232e0b
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 6 22:05:23 2017 +0100

s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_fruit.c | 173 ++++++++++++++++++++++++++++++++++----------
source4/torture/vfs/fruit.c | 89 ++++++++++++++++++++++-
2 files changed, 218 insertions(+), 44 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index dfc0dcc..9533da4 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -4166,26 +4166,35 @@ static ssize_t fruit_pwrite_meta_stream(vfs_handle_struct *handle,
size_t n, off_t offset)
{
AfpInfo *ai = NULL;
- int ret;
+ size_t nwritten;
+ bool ok;

ai = afpinfo_unpack(talloc_tos(), data);
if (ai == NULL) {
return -1;
}

- if (ai_empty_finderinfo(ai)) {
- ret = SMB_VFS_NEXT_UNLINK(handle, fsp->fsp_name);
- if (ret != 0 && errno != ENOENT && errno != ENOATTR) {
- DBG_ERR("Can't delete metadata for %s: %s\n",
- fsp_str_dbg(fsp), strerror(errno));
- TALLOC_FREE(ai);
- return -1;
- }
+ nwritten = SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
+ if (nwritten != n) {
+ return -1;
+ }

+ if (!ai_empty_finderinfo(ai)) {
return n;
}

- return SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
+ ok = set_delete_on_close(
+ fsp,
+ true,
+ handle->conn->session_info->security_token,
+ handle->conn->session_info->unix_token);
+ if (!ok) {
+ DBG_ERR("set_delete_on_close on [%s] failed\n",
+ fsp_str_dbg(fsp));
+ return -1;
+ }
+
+ return n;
}

static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
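Review bot: type mismatch in fruit_pwrite_meta_stream: `nwritten` is declared `size_t` but receives the result of SMB_VFS_NEXT_PWRITE, which the removed `return SMB_VFS_NEXT_PWRITE(...)` shows to be the function's `ssize_t` result. An error return of -1 is therefore caught by `nwritten != n` only through unsigned wraparound. Declare it `ssize_t`, test for -1 separately so errno from the failed write is preserved, and decide which errno a short write should report. The new early returns also no longer free `ai`; it lives on talloc_tos(), but the removed error path did call `TALLOC_FREE(ai)`.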
@@ -4196,26 +4205,13 @@ static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
AfpInfo *ai = NULL;
char *p = NULL;
int ret;
+ bool ok;

ai = afpinfo_unpack(talloc_tos(), data);
if (ai == NULL) {
return -1;
}

- if (ai_empty_finderinfo(ai)) {
- ret = SMB_VFS_REMOVEXATTR(handle->conn,
- fsp->fsp_name,
- AFPINFO_EA_NETATALK);
-
- if (ret != 0 && errno != ENOENT && errno != ENOATTR) {
- DBG_ERR("Can't delete metadata for %s: %s\n",
- fsp_str_dbg(fsp), strerror(errno));
- return -1;
- }
-
- return n;
- }
-
ad = ad_fget(talloc_tos(), handle, fsp, ADOUBLE_META);
if (ad == NULL) {
ad = ad_init(talloc_tos(), handle, ADOUBLE_META);
@@ -4240,6 +4236,22 @@ static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
}

TALLOC_FREE(ad);
+
+ if (!ai_empty_finderinfo(ai)) {
+ return n;
+ }
+
+ ok = set_delete_on_close(
+ fsp,
+ true,
+ handle->conn->session_info->security_token,
+ handle->conn->session_info->unix_token);
+ if (!ok) {
+ DBG_ERR("set_delete_on_close on [%s] failed\n",
+ fsp_str_dbg(fsp));
+ return -1;
+ }
+
return n;
}

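Review bot: the `set_delete_on_close(...)` block added after `TALLOC_FREE(ad)` duplicates the one added to fruit_pwrite_meta_stream in the first hunk of this file; pull it into one helper taking `handle` and `fsp`. A comment is also needed on what delete-on-close removes in the netatalk case, because the code it replaces dropped the `AFPINFO_EA_NETATALK` xattr through SMB_VFS_REMOVEXATTR rather than unlinking a stream.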
@@ -4896,6 +4908,40 @@ static int fruit_fstat(vfs_handle_struct *handle, files_struct *fsp,
return rc;
}

+static NTSTATUS delete_invalid_meta_stream(
+ vfs_handle_struct *handle,
+ const struct smb_filename *smb_fname,
+ TALLOC_CTX *mem_ctx,
+ unsigned int *pnum_streams,
+ struct stream_struct **pstreams)
+{
+ struct smb_filename *sname = NULL;
+ int ret;
+ bool ok;
+
+ ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, AFPINFO_STREAM);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ sname = synthetic_smb_fname(talloc_tos(),
+ smb_fname->base_name,
+ AFPINFO_STREAM_NAME,
+ NULL, 0);
+ if (sname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = SMB_VFS_NEXT_UNLINK(handle, sname);
+ TALLOC_FREE(sname);
+ if (ret != 0) {
+ DBG_ERR("Removing [%s] failed\n", smb_fname_str_dbg(sname));
+ return map_nt_error_from_unix(errno);
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS fruit_streaminfo_meta_stream(
vfs_handle_struct *handle,
struct files_struct *fsp,
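Review bot: the error path of delete_invalid_meta_stream logs a pointer that has just been cleared: `TALLOC_FREE(sname)` runs before `DBG_ERR("Removing [%s] failed\n", smb_fname_str_dbg(sname))`, and TALLOC_FREE sets its argument to NULL, so the log call is handed a NULL `sname`. `errno` from SMB_VFS_NEXT_UNLINK can also be overwritten by the free before `map_nt_error_from_unix(errno)` reads it. The pattern is carried over unchanged from the code being factored out; save errno, log, then free.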
@@ -4907,8 +4953,14 @@ static NTSTATUS fruit_streaminfo_meta_stream(
struct stream_struct *stream = *pstreams;
unsigned int num_streams = *pnum_streams;
struct smb_filename *sname = NULL;
+ char *full_name = NULL;
+ uint32_t name_hash;
+ struct share_mode_lock *lck = NULL;
+ struct file_id id = {0};
+ bool delete_on_close_set;
int i;
int ret;
+ NTSTATUS status;
bool ok;

for (i = 0; i < num_streams; i++) {
@@ -4921,35 +4973,76 @@ static NTSTATUS fruit_streaminfo_meta_stream(
return NT_STATUS_OK;
}

- if (stream[i].size == AFP_INFO_SIZE) {
- return NT_STATUS_OK;
- }
-
- DBG_ERR("Removing invalid AFPINFO_STREAM size [%"PRIdMAX"] "
- "from [%s]\n", (intmax_t)stream[i].size,
- smb_fname_str_dbg(smb_fname));
+ if (stream[i].size != AFP_INFO_SIZE) {
+ DBG_ERR("Removing invalid AFPINFO_STREAM size [%jd] from [%s]\n",
+ (intmax_t)stream[i].size, smb_fname_str_dbg(smb_fname));

- ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, AFPINFO_STREAM);
- if (!ok) {
- return NT_STATUS_INTERNAL_ERROR;
+ return delete_invalid_meta_stream(handle, smb_fname, mem_ctx,
+ pnum_streams, pstreams);
}

+ /*
+ * Now check if there's a delete-on-close pending on the stream. If so,
+ * hide the stream. This behaviour was verified against a macOS 10.12
+ * SMB server.
+ */
+
sname = synthetic_smb_fname(talloc_tos(),
smb_fname->base_name,
AFPINFO_STREAM_NAME,
NULL, 0);
if (sname == NULL) {
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}

- ret = SMB_VFS_NEXT_UNLINK(handle, sname);
- TALLOC_FREE(sname);
+ ret = SMB_VFS_NEXT_STAT(handle, sname);
if (ret != 0) {
- DBG_ERR("Removing [%s] failed\n", smb_fname_str_dbg(sname));
- return map_nt_error_from_unix(errno);
+ status = map_nt_error_from_unix(errno);
+ goto out;
}

- return NT_STATUS_OK;
+ id = SMB_VFS_NEXT_FILE_ID_CREATE(handle, &sname->st);
+
+ lck = get_existing_share_mode_lock(talloc_tos(), id);
+ if (lck == NULL) {
+ status = NT_STATUS_OK;
+ goto out;
+ }
+
+ full_name = talloc_asprintf(talloc_tos(),
+ "%s%s",
+ sname->base_name,
+ AFPINFO_STREAM);
+ if (full_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ status = file_name_hash(handle->conn, full_name, &name_hash);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ delete_on_close_set = is_delete_on_close_set(lck, name_hash);
+ if (delete_on_close_set) {
+ ok = del_fruit_stream(mem_ctx,
+ pnum_streams,
+ pstreams,
+ AFPINFO_STREAM);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+ }
+
+ status = NT_STATUS_OK;
+
+out:
+ TALLOC_FREE(sname);
+ TALLOC_FREE(lck);
+ TALLOC_FREE(full_name);
+ return status;
}

static NTSTATUS fruit_streaminfo_meta_netatalk(
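Review bot: a failing `SMB_VFS_NEXT_STAT(handle, sname)` now turns the whole stream enumeration into an error. If the AFP_AfpInfo stream disappears between the listing and the stat (ENOENT), dropping it from the list and returning NT_STATUS_OK looks like the intended outcome, so that case deserves its own branch. A comment is also needed on the name used for the hash: `sname` is built with `AFPINFO_STREAM_NAME`, while the string passed to `file_name_hash()` appends `AFPINFO_STREAM` to `sname->base_name`, and it is not obvious from these lines that this matches the name the open handle was hashed under.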
diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c
index 476e920..d071cf6 100644
--- a/source4/torture/vfs/fruit.c
+++ b/source4/torture/vfs/fruit.c
@@ -909,7 +909,7 @@ static char *torture_afpinfo_pack(TALLOC_CTX *mem_ctx,
{
char *buf;

- buf = talloc_array(mem_ctx, char, AFP_INFO_SIZE);
+ buf = talloc_zero_array(mem_ctx, char, AFP_INFO_SIZE);
if (buf == NULL) {
return NULL;
}
@@ -3346,11 +3346,17 @@ static bool test_afpinfo_all0(struct torture_context *tctx,
{
bool ret = true;
NTSTATUS status;
- struct smb2_handle h1;
+ struct smb2_create create;
+ struct smb2_handle h1 = {{0}};
+ struct smb2_handle baseh = {{0}};
+ union smb_setfileinfo setfinfo;
+ union smb_fileinfo getfinfo;
TALLOC_CTX *mem_ctx = talloc_new(tctx);
const char *fname = BASEDIR "\\file";
+ const char *sname = BASEDIR "\\file" AFPINFO_STREAM;
const char *type_creator = "SMB,OLE!";
AfpInfo *info = NULL;
+ char *infobuf = NULL;
const char *streams_basic[] = {
"::$DATA"
};
@@ -3381,13 +3387,88 @@ static bool test_afpinfo_all0(struct torture_context *tctx,

/* Write all 0 to AFP_AfpInfo */
memset(info->afpi_FinderInfo, 0, AFP_FinderSize);
- ret = torture_write_afpinfo(tree, tctx, mem_ctx, fname, info);
- torture_assert_goto(tctx, ret == true, ret, done, "torture_write_afpinfo failed");
+ infobuf = torture_afpinfo_pack(mem_ctx, info);
+ torture_assert_not_null_goto(tctx, infobuf, ret, done,
+ "torture_afpinfo_pack failed\n");
+
+ ZERO_STRUCT(create);
+ create.in.desired_access = SEC_FILE_ALL;
+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+ create.in.create_disposition = NTCREATEX_DISP_OPEN;
+ create.in.share_access = NTCREATEX_SHARE_ACCESS_MASK;
+ create.in.fname = fname;
+
+ status = smb2_create(tree, mem_ctx, &create);
+ torture_assert_goto(tctx, ret == true, ret, done,
+ "smb2_create failed\n");
+ baseh = create.out.file.handle;
+
+ ZERO_STRUCT(create);
+ create.in.desired_access = SEC_FILE_ALL;
+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+ create.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+ create.in.fname = sname;
+
+ status = smb2_create(tree, mem_ctx, &create);
+ torture_assert_goto(tctx, ret == true, ret, done,
+ "smb2_create failed\n");
+ h1 = create.out.file.handle;
+
+ status = smb2_util_write(tree, h1, infobuf, 0, AFP_INFO_SIZE);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_util_write failed\n");
+
+ /*
+ * Get stream information on open handle, must return only default
+ * stream, the AFP_AfpInfo stream must not be returned.
+ */
+
+ ZERO_STRUCT(getfinfo);
+ getfinfo.generic.level = RAW_FILEINFO_STREAM_INFORMATION;
+ getfinfo.generic.in.file.handle = baseh;
+
+ status = smb2_getinfo_file(tree, tctx, &getfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "get stream info\n");
+
+ torture_assert_int_equal_goto(tctx, getfinfo.stream_info.out.num_streams,
+ 1, ret, done, "stream count");
+
+ smb2_util_close(tree, baseh);
+ ZERO_STRUCT(baseh);
+
+ /*
+ * Try to set some file-basic-info (time) on the stream. This catches
+ * naive implementation mistakes that simply deleted the backing store
+ * from the filesystem in the zero-out step.
+ */
+
+ ZERO_STRUCT(setfinfo);
+ unix_to_nt_time(&setfinfo.basic_info.in.write_time, time(NULL));
+ setfinfo.basic_info.in.attrib = 0x20;
+ setfinfo.generic.level = RAW_SFILEINFO_BASIC_INFORMATION;
+ setfinfo.generic.in.file.handle = h1;
+
+ status = smb2_setinfo_file(tree, &setfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed\n");
+
+ ret = check_stream_list(tree, tctx, fname, 1, streams_basic, false);
+ torture_assert_goto(tctx, ret == true, ret, done, "check_stream_list");
+
+ smb2_util_close(tree, h1);
+ ZERO_STRUCT(h1);

ret = check_stream_list(tree, tctx, fname, 1, streams_basic, false);
torture_assert_goto(tctx, ret == true, ret, done, "Bad streams");

done:
+ if (!smb2_util_handle_empty(h1)) {
+ smb2_util_close(tree, h1);
+ }
+ if (!smb2_util_handle_empty(baseh)) {
+ smb2_util_close(tree, baseh);
+ }
smb2_util_unlink(tree, fname);
smb2_util_rmdir(tree, BASEDIR);
return ret;
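Review bot: both new `smb2_create()` calls assign `status`, but the `torture_assert_goto(tctx, ret == true, ...)` that follows each one checks `ret`, which is still true at that point, so a failed create goes unnoticed and the test continues with an invalid handle. Use `torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ...)` as the write and getinfo calls in the same hunk do. The assertion after `smb2_setinfo_file()` also reports "smb2_getinfo_file failed", which will mislead whoever reads the failure.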
--
Samba Shared Repository
Volker Lendecke
2018-01-09 21:42:02 UTC
The branch, master has been updated
via 977b3f6 python: Print the finddcs error message
via 3022da1 libnet: Add NULL checks to py_net_finddc
from e61e9e9 vfs_fruit: set delete-on-close for empty finderinfo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 977b3f60cf0f504728f9b63343b9af1e8d6c359d
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 9 12:41:01 2018 +0100

python: Print the finddcs error message

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Tue Jan 9 22:41:28 CET 2018 on sn-devel-144

commit 3022da1a7267f9038f1f0de98d8d54baabd9c567
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 9 10:23:35 2018 +0100

libnet: Add NULL checks to py_net_finddc

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/join.py | 3 +++
python/samba/netcmd/domain.py | 3 +++
source4/libnet/py_net.c | 10 ++++++++++
3 files changed, 16 insertions(+)


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index 63e9b90..9782f53 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -336,6 +336,9 @@ class dc_join(object):
"""find a writeable DC for the given domain"""
try:
ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
+ except NTSTATUSError as error:
+ raise Exception("Failed to find a writeable DC for domain '%s': %s" %
+ (domain, error[1]))
except Exception:
raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
if ctx.cldap_ret.client_site is not None and ctx.cldap_ret.client_site != "":
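Review bot: `error[1]` indexes the exception object directly, which only works on Python 2; `error.args[1]` behaves the same there and keeps working on Python 3. The diffstat shows three added lines for join.py and none of them is an import, so confirm `NTSTATUSError` is already imported in this file; otherwise the new handler raises NameError exactly when finddc fails.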
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index ada7d6b..2cb14f1 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -1771,6 +1771,9 @@ class DomainTrustCommand(Command):
if require_pdc:
remote_flags |= nbt.NBT_SERVER_PDC
remote_info = remote_net.finddc(flags=remote_flags, domain=domain, address=remote_server)
+ except NTSTATUSError as error:
+ raise CommandError("Failed to find a writeable DC for domain '%s': %s" %
+ (domain, error[1]))
except Exception:
raise CommandError("Failed to find a writeable DC for domain '%s'" % domain)
flag_map = {
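Review bot: the new message repeats "Failed to find a writeable DC" although this lookup is driven by `remote_flags`, which in the visible context adds `nbt.NBT_SERVER_PDC` when `require_pdc` is set; wording such as "Failed to find a DC" with the NTSTATUS text appended would not mislead. `error[1]` should be `error.args[1]` so the handler does not depend on Python 2 exception indexing, and since the diffstat lists only three added lines for domain.py, check that `NTSTATUSError` is imported there.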
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index 7ddee2d..0567dbd 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -697,8 +697,18 @@ static PyObject *py_net_finddc(py_net_Object *self, PyObject *args, PyObject *kw
}

mem_ctx = talloc_new(self->mem_ctx);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }

io = talloc_zero(mem_ctx, struct finddcs);
+ if (io == NULL) {
+ TALLOC_FREE(mem_ctx);
+ PyErr_NoMemory();
+ return NULL;
+ }
+
if (domain != NULL) {
io->in.domain_name = domain;
}
--
Samba Shared Repository
Ralph Böhme
2018-01-10 04:20:03 UTC
The branch, master has been updated
via a078042 selftest: split a large system invocation line
via ee6e0b1 selftest: split a large system invocation line
via 584a8ac selftest: split a large system invocation line
via 686fc41 selftest: set wrapper env variables when running net groupmap
via 53f709d selftest: remove second loop waiting for winbindd from wait_for_start()
via 0f5b1bd selftest: fix creation of builtin users in wait_for_start
via a206cf2 s4:dns_server: avoid debug noise on successful updates
via 09da62f s4:lib/tls: fix the developer build without gnutls support
via b1c88c0 WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'
via 0341e83 docs-xml: deprecate "server schannel" and change the default to "yes"
via 3a7d931 selftest: explicitly configure some dcs with 'server schannel = auto'
via c7acae9 docs-xml: deprecate "client schannel" and change the default to "yes"
via 1f91cdc WHATSNEW: document removal of 'use spnego" option
via cb5e192 docs-xml: remove deprecated 'use spnego" option
via 343b0e0 s4:smb_server: remove deprecated 'use spnego = no" handling
via 502aa78 s3:smbd: remove deprecated 'use spnego = no" handling
via b6d55ee s4:selftest: replace --option=usespnego= with --option=clientusespnego=
via bb3944c WHATSNEW: document removal 'winbind trusted domains only' option
via c465990 docs-xml: remove deprecated of 'winbind trusted domains only' option
via 6d339b4 winbindd: remove 'winbind trusted domains only' handling
via 22e309e s3:g_lock: keep old mylock on error and don't store new mylock on error
via da3f60b winbindd: use setproctitle
via 502ab53 vfs_fruit: initialise bandsize to please a compiler
from 977b3f6 python: Print the finddcs error message

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a07804278533e8e6d946c51447d940a8d0ed9e4d
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:46:40 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Wed Jan 10 05:19:26 CET 2018 on sn-devel-144

commit ee6e0b19f670f370b5643699a194dec774494f74
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:45:59 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 584a8ac4aa90707cf353975be0f2ddfe65fb065a
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:40:41 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 686fc4126dc5b69d34e71f7d014c3c17ba0f649e
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 14:28:40 2018 +0100

selftest: set wrapper env variables when running net groupmap

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 53f709d6e0c9370eaf97554a9377e6d51a3b0e6b
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 18:45:01 2018 +0100

selftest: remove second loop waiting for winbindd from wait_for_start()

A few lines above we already checked that winbindd is running.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 0f5b1bd9e2d16702a7be674fcd4ba4328d6befc1
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 18:38:08 2018 +0100

selftest: fix creation of builtin users in wait_for_start

If "BUILTIN\Users" already exists, attempting to create it would fail,
so we should check for the existence prior to the creation.

It is unclear *why* the mapping sometimes already exists and sometimes
not. There are two places where they would have been created:

1. libnet_join_add_dom_rids_to_builtins tries to add the mapping when
joining a domain, but at that point winbindd isn't running

2. when a user is authenticated in smbd, which clearly can't have
happened when in the function wait_for_start

Go figure...

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit a206cf2dc11159b0e9ebe4d1d1d23e4365bd2a8c
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Nov 11 08:48:04 2016 +0100

s4:dns_server: avoid debug noise on successful updates

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 09da62f1a34b85f2cbd1d6a95ec1a04d4d7e389e
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Mar 14 17:11:19 2017 +0100

s4:lib/tls: fix the developer build without gnutls support

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b1c88c01a6138bf29104facc960798f3c1e6b0ee
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:42:06 2017 +0100

WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 0341e83d40dc42fbb1f1e467626418a9e4dedf40
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100

docs-xml: deprecate "server schannel" and change the default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 3a7d931127a8c739208ae6ca8124cd18fec6b7bb
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 13 13:09:47 2017 +0100

selftest: explicitly configure some dcs with 'server schannel = auto'

This is required for some tests.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c7acae904301cfc6a281d63f4e7d3cc6f4fff938
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100

docs-xml: deprecate "client schannel" and change the default to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 1f91cdc8bd2a50498a9e0293a75d4e41a3618f64
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

WHATSNEW: document removal of 'use spnego" option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit cb5e19271db1967ed28e08e8969fc438f5942995
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

docs-xml: remove deprecated 'use spnego" option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 343b0e0af9f336233650c34cc1e4baf62c04989c
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

s4:smb_server: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 502aa787044d7215c4c509ee6305931a6eedcc44
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

s3:smbd: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b6d55eefa21c548f962a0c5f290eb23c219f3bff
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:00:10 2017 +0100

s4:selftest: replace --option=usespnego= with --option=clientusespnego=

I guess that's what we try to test here, as 'use spnego' was only evaluated
in the smb server part.

This basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit bb3944c6083456b1de4fd88fda8b8186106687d5
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:17:20 2017 +0100

WHATSNEW: document removal 'winbind trusted domains only' option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c4659908abf01941148682eaa55b01cfa8c3f290
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:10:42 2017 +0100

docs-xml: remove deprecated of 'winbind trusted domains only' option

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6d339b480051b5efc80b895e97c2eaaf8dea6893
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 10:54:21 2017 +0100

winbindd: remove 'winbind trusted domains only' handling

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 22e309e541a1352a2a250d92a72434bb71c2bf45
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 20 08:41:09 2017 +0100

s3:g_lock: keep old mylock on error and don't store new mylock on error

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

commit da3f60b1e5c6420210d14c9924b3551d83e2f70c
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 20 17:42:45 2017 +0100

winbindd: use setproctitle

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 502ab53d4a543c0d12072727fbfe7313e0acb26e
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Jan 10 00:08:01 2018 +1300

vfs_fruit: initialise bandsize to please a compiler

GCC on a Ubuntu 16.04 instance said:

[3174/4240] Compiling source3/modules/vfs_cap.c
In file included from ../source3/include/includes.h:301:0,
from ../source3/modules/vfs_fruit.c:20:
../source3/modules/vfs_fruit.c: In function
‘fruit_disk_free’:
../source3/../lib/util/debug.h:217:7: error: ‘bandsize’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
&& (dbgtext body) )
^
../source3/modules/vfs_fruit.c:6302:9: note: ‘bandsize’ was
declared here
size_t bandsize;
^
[3175/4240] Compiling source3/modules/vfs_expand_msdfs.c
[3176/4240] Compiling source3/modules/vfs_shadow_copy.c
[3177/4240] Compiling source3/modules/vfs_shadow_copy2.c
cc1: all warnings being treated as errors
Waf: Leaving directory
/home/ubuntu/autobuild/b17854/samba-o3/bin'
Build failed: -> task failed (err #1):
{task: cc vfs_fruit.c -> vfs_fruit_25.o}
make: *** [all] Error 1

As far as I can tell, it is wrong, and the bandsize variable never
gets passed uninitialised to DEBUG.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 6 ++
docs-xml/manpages/idmap_nss.8.xml | 3 +-
docs-xml/smbdotconf/protocol/usespnego.xml | 19 -----
docs-xml/smbdotconf/security/clientschannel.xml | 11 ++-
docs-xml/smbdotconf/security/serverschannel.xml | 13 +++-
.../winbind/winbindtrusteddomainsonly.xml | 22 ------
lib/param/loadparm.c | 6 +-
selftest/knownfail.d/ntlmv2-restrictions | 2 +
selftest/target/Samba3.pm | 80 ++++++++++++++++------
selftest/target/Samba4.pm | 4 ++
source3/lib/g_lock.c | 19 ++++-
source3/modules/vfs_fruit.c | 2 +-
source3/param/loadparm.c | 6 +-
source3/smbd/negprot.c | 1 -
source3/winbindd/wb_getgrsid.c | 11 ---
source3/winbindd/wb_queryuser.c | 12 ----
source3/winbindd/winbindd.c | 4 ++
source3/winbindd/winbindd_cm.c | 2 +
source3/winbindd/winbindd_dual.c | 6 ++
source3/winbindd/winbindd_getpwnam.c | 9 ---
source3/winbindd/winbindd_util.c | 5 +-
source4/dns_server/dns_query.c | 2 +-
source4/dns_server/dns_update.c | 2 +-
source4/lib/tls/tlscert.c | 1 +
source4/selftest/tests.py | 28 ++++----
source4/smb_server/smb/negprot.c | 1 -
26 files changed, 143 insertions(+), 134 deletions(-)
delete mode 100644 docs-xml/smbdotconf/protocol/usespnego.xml
delete mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
create mode 100644 selftest/knownfail.d/ntlmv2-restrictions


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9bcd03c..94278b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -92,6 +92,8 @@ smb.conf changes
-------------- ----------- -------
auth methods Removed
binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
gpo update command New
map untrusted to domain Removed
oplock contention limit Removed
@@ -99,6 +101,10 @@ smb.conf changes
mdns name Added netbios
fruit:time machine Added false
profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ winbind trusted domains only Removed


NT4-style replication based net commands removed
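Review bot: The "server schannel" and "client schannel" rows record the new default only as table entries. The commit message mentions legacy OEM file servers that may still need the old behaviour, and the selftest targets in this same changeset had to set "server schannel = auto" explicitly, so a short paragraph in WHATSNEW telling admins that the override exists and when it is needed would help anyone upgrading.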
diff --git a/docs-xml/manpages/idmap_nss.8.xml b/docs-xml/manpages/idmap_nss.8.xml
index b7c5977..fa8a208 100644
--- a/docs-xml/manpages/idmap_nss.8.xml
+++ b/docs-xml/manpages/idmap_nss.8.xml
@@ -20,8 +20,7 @@
<title>DESCRIPTION</title>

<para>The idmap_nss plugin provides a means to map Unix users and groups
- to Windows accounts and obsoletes the &quot;winbind trusted domains only&quot;
- smb.conf option. This provides a simple means of ensuring that the SID
+ to Windows accounts. This provides a simple means of ensuring that the SID
for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
stored on a Samba member server.
diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml
deleted file mode 100644
index 0c9ffbf..0000000
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<samba:parameter name="use spnego"
- context="G"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This deprecated variable controls whether samba will try
- to use Simple and Protected NEGOciation (as specified by rfc2478) with
- WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
-</para>
-
-<para>
- Unless further issues are discovered with our SPNEGO
- implementation, there is no reason this should ever be
- disabled.</para>
-</description>
-
-<value type="default">yes</value>
-</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

<para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future.
+ </para>
+
+ <para>
This controls whether the client offers or even demands the use of the netlogon schannel.
<smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel,
<smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
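Review bot: The added deprecation paragraph gives no guidance to anyone who still depends on "auto", whereas the matching paragraph in serverschannel.xml asks them to file a bug at https://bugzilla.samba.org. Suggest ending both paragraphs with the same sentence, and noting here that "require strong key = yes" already makes "yes" the effective behaviour, as the commit message states.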
@@ -18,6 +25,6 @@

<para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+
+ <para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future. If you have the need for the behavior of "auto"
+ to be kept, please file a bug at https://bugzilla.samba.org.
+ </para>
+
<para>
This controls whether the server offers or even demands the use of the netlogon schannel.
<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
@@ -18,6 +27,6 @@
</para>
</description>

-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
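Review bot: With the default now "yes", the line <value type="example">auto</value> presents the deprecated, non-enforcing setting as the example value. Suggest dropping the example line, or adding a sentence to the description saying that "auto" is meant only for peers that cannot use netlogon schannel, so the man page does not steer readers toward it.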
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
deleted file mode 100644
index 3d420c7..0000000
--- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="winbind trusted domains only"
- context="G"
- type="boolean"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- This parameter is designed to allow Samba servers that are members
- of a Samba controlled domain to use UNIX accounts distributed via NIS,
- rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
- Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
- the account user1 in /etc/passwd instead of allocating a new uid for him or her.
- </para>
-
- <para>
- This parameter is now deprecated in favor of the newer idmap_nss backend.
- Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> man page for more information.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index ddb4507..a18407d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2749,8 +2749,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
lpcfg_do_global_parameter(lp_ctx, "server signing", "default");

- lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
-
lpcfg_do_global_parameter(lp_ctx, "use mmap", "True");

lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
@@ -2786,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");

- lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");

lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");

@@ -2840,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);

- lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+ lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");

lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");

diff --git a/selftest/knownfail.d/ntlmv2-restrictions b/selftest/knownfail.d/ntlmv2-restrictions
new file mode 100644
index 0000000..eb50b13
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv2-restrictions
@@ -0,0 +1,2 @@
+# 'raw NTLMv2 auth' is not enabled on ad_member
+^samba4.smb.signing.disabled.on.with.-k.no.--option=clientusespnego=no.--signing=off.domain-creds.xcopy\(ad_member\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5e6472..f4ae0f3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -216,6 +216,7 @@ sub setup_nt4_dc($$)
lanman auth = yes
ntlm auth = yes
raw NTLMv2 auth = yes
+ server schannel = auto

rpc_server:epmapper = external
rpc_server:spoolss = external
@@ -2332,6 +2333,8 @@ force_user:x:$gid_force_user:
sub wait_for_start($$$$$)
{
my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+ my $cmd;
+ my $netcmd;
my $ret;

if ($nmbd eq "yes") {
@@ -2365,8 +2368,7 @@ sub wait_for_start($$$$$)
if ($winbindd eq "yes") {
print "checking for winbindd\n";
my $count = 0;
- my $cmd = "";
- $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
$cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
$cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
$cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
@@ -2405,38 +2407,72 @@ sub wait_for_start($$$$$)
}

# Ensure we have domain users mapped.
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
+ $netcmd = "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} ";
+
+ $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=512 unixgroup=domadmins type=domain");
+
+ $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
+
+ $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}

+ # note: creating builtin groups requires winbindd for the
+ # unix id allocator
+ my $create_builtin_users = "no";
if ($winbindd eq "yes") {
- # note: creating builtin groups requires winbindd for the
- # unix id allocator
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} sam createbuiltingroup Users");
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ my $wbinfo_out = qx($cmd 2>&1);
+ if ($? != 0) {
+ # wbinfo doesn't give us a better error code then
+ # WBC_ERR_DOMAIN_NOT_FOUND, but at least that's
+ # different then WBC_ERR_WINBIND_NOT_AVAILABLE
+ if ($wbinfo_out !~ /WBC_ERR_DOMAIN_NOT_FOUND/) {
+ print("Failed to run \"wbinfo --sid-to-gid=S-1-5-32-545\": $wbinfo_out");
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ $create_builtin_users = "yes";
+ }
+ }
+ if ($create_builtin_users eq "yes") {
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "sam createbuiltingroup Users";
+ $ret = system($cmd);
if ($ret != 0) {
print "Failed to create BUILTIN\\Users group\n";
+ teardown_env($self, $envvars);
return 0;
}
- my $count = 0;
- do {
- system(Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} cache del IDMAP/SID2XID/S-1-5-32-545");
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545");
- if ($ret != 0) {
- sleep(2);
- }
- $count++;
- } while ($ret != 0 && $count < 10);
- if ($count == 10) {
- print "WINBINDD not reachable after 20 seconds\n";
+
+ $cmd = Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "cache del IDMAP/SID2XID/S-1-5-32-545";
+ system($cmd);
+
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print "Missing \"BUILTIN\\Users\", did net sam createbuiltingroup Users fail?\n";
teardown_env($self, $envvars);
return 0;
}
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e2e78ab..e6bc3bb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1031,6 +1031,7 @@ winbindd:use external pipes = true

# the source4 smb server doesn't allow signing by default
server signing = enabled
+raw NTLMv2 auth = yes

rpc_server:default = external
rpc_server:svcctl = embedded
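Review bot: The added "raw NTLMv2 auth = yes" sits directly under the comment about server signing and has no comment of its own, and the same is true of the "raw NTLMv2 auth = yes" and "server schannel = auto" lines added in the next two hunks. These overrides relax the new defaults for the test environments, and the commit message says only "This is required for some tests." Suggest a one-line "#" comment beside each override naming the tests that need it, so the override can be removed once those tests change.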
@@ -1461,9 +1462,11 @@ sub provision_ad_dc_ntvfs($$)
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
+ raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
+ server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
@@ -1831,6 +1834,7 @@ sub provision_ad_dc($$$$$$)
lpq cache time = 0
print notify backchannel = yes

+ server schannel = auto
auth event notification = true
$smbconf_args
";
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 68a9ab3..4c42fb0 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -200,6 +200,8 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
TDB_DATA data;
size_t i;
struct g_lock lck;
+ struct g_lock_rec _mylock;
+ struct g_lock_rec *mylock = NULL;
NTSTATUS status;
bool modified = false;
bool ok;
@@ -242,11 +244,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
status = NT_STATUS_WAS_LOCKED;
goto done;
}
+ if (mylock != NULL) {
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ goto done;
+ }
+ _mylock = lock;
+ mylock = &_mylock;
/*
* Remove "our" lock entry. Re-add it later
* with our new lock type.
*/
g_lock_rec_del(&lck, i);
+ modified = true;
continue;
}

@@ -278,12 +287,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,

modified = true;

+ _mylock = (struct g_lock_rec) {
+ .pid = self,
+ .lock_type = type
+ };
+ mylock = &_mylock;
+
status = NT_STATUS_OK;
done:
if (modified) {
- struct g_lock_rec mylock = { .pid = self, .lock_type = type };
NTSTATUS store_status;
- store_status = g_lock_store(rec, &lck, &mylock);
+
+ store_status = g_lock_store(rec, &lck, mylock);
if (!NT_STATUS_IS_OK(store_status)) {
DBG_WARNING("g_lock_record_store failed: %s\n",
nt_errstr(store_status));
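Review bot: At the done: label, g_lock_store(rec, &lck, mylock) is now called with a pointer that starts out NULL, where the removed code always passed a freshly built record. If any path sets modified without first finding our own entry or reaching the success assignment, the store runs with mylock == NULL, and the hunk does not show whether g_lock_store accepts that. Suggest a comment at the call saying that NULL means no entry for self is written, or an explicit check before the call.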
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 9533da4..40ee255 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -6392,7 +6392,7 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct *handle,
bool ok;
char *p = NULL;
size_t sparsebundle_strlen = strlen("sparsebundle");
- size_t bandsize;
+ size_t bandsize = 0;
size_t nbands;
double tm_size;

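Review bot: The new initialiser on "size_t bandsize = 0;" carries no comment saying it exists only to silence the -Werror=maybe-uninitialized report that the commit message considers a false positive. Without one, a later reader may take 0 for a meaningful default band size; a short comment beside the declaration would prevent that. The commit message quotes the warning as raised in fruit_disk_free with the declaration at line 6302, while this hunk is in fruit_tmsize_do_dirent at line 6392, so it would also help to say in the message that this is the declaration the compiler meant.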
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a2fcc42..582c875 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,10 +651,10 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
- Globals.server_schannel = Auto;
+ Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
@@ -817,7 +817,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_enum_users = false;
Globals.winbind_enum_groups = false;
Globals.winbind_use_default_domain = false;
- Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
@@ -831,7 +830,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)

Globals.name_cache_timeout = 660; /* In seconds */

- Globals.use_spnego = true;
Globals.client_use_spnego = true;

Globals.client_signing = SMB_SIGNING_DEFAULT;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cdbc2c4..3a9363d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -282,7 +282,6 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
supports it and we can do encrypted passwords */

if (xconn->smb1.negprot.encrypted_passwords &&
- lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;
capabilities |= CAP_EXTENDED_SECURITY;
diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index b210645..fa26ea8 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -60,17 +60,6 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}

- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
- DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
- "getgrsid() for %s\n", sid_string_tos(group_sid)));
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
- return tevent_req_post(req, ev);
- }
- }
-
subreq = wb_lookupsid_send(state, ev, &state->sid);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 1c91949..17170c3 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -50,18 +50,6 @@ struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
}
state->ev = ev;

- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(user_sid, &our_domain->sid) == 0) {
- char buf[DOM_SID_STR_BUFLEN];
- dom_sid_string_buf(user_sid, buf, sizeof(buf));
- DBG_NOTICE("My domain -- rejecting %s\n", buf);
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return tevent_req_post(req, ev);
- }
- }
--
Samba Shared Repository
Andreas Schneider
2018-01-10 17:31:03 UTC
The branch, master has been updated
via 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools
via 79cb5cf selftest: Use the ad_dc with smbfs for ad_member env
from a078042 selftest: split a large system invocation line

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4519134ef72511c1d6a7321a6641dd869b4f2759
Author: Andreas Schneider <***@samba.org>
Date: Wed Jan 10 09:32:49 2018 +0100

s3:tests: Fix test_net_tdb.sh with system tdb-tools

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Wed Jan 10 18:30:56 CET 2018 on sn-devel-144

commit 79cb5cfa49abb6f928a6b95895c3c7f063b45472
Author: Andreas Schneider <***@samba.org>
Date: Thu Apr 6 08:50:06 2017 +0200

selftest: Use the ad_dc with smbfs for ad_member env

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
selftest/target/Samba4.pm | 6 +++---
source3/script/tests/test_net_tdb.sh | 9 +++++++--
2 files changed, 10 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e6bc3bb..628f4f1 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2133,10 +2133,10 @@ sub setup_env($$$)
} elsif ($envname eq "chgdcpass") {
return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
} elsif ($envname eq "ad_member") {
- if (not defined($self->{vars}->{ad_dc_ntvfs})) {
- $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
}
- return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+ return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc}, 29);
} elsif ($envname eq "ad_dc") {
return $self->setup_ad_dc("$path/ad_dc");
} elsif ($envname eq "ad_dc_no_nss") {
diff --git a/source3/script/tests/test_net_tdb.sh b/source3/script/tests/test_net_tdb.sh
index 731cad3..61b1976 100755
--- a/source3/script/tests/test_net_tdb.sh
+++ b/source3/script/tests/test_net_tdb.sh
@@ -27,6 +27,11 @@ LOCKDIR=$8

FILENAME=net_tdb_testfile

+samba_tdbtool=tdbtool
+if test -x $BINDIR/tdbtool; then
+ samba_tdbtool=$BINDIR/tdbtool
+fi
+
failed=0

incdir=`dirname $0`/../../../testprogs/blackbox
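Review bot: In the added "if test -x $BINDIR/tdbtool; then" line, $BINDIR is expanded unquoted, and $samba_tdbtool is later invoked unquoted as well, so a build directory containing whitespace splits into several words. Suggest test -x "$BINDIR/tdbtool" and "$samba_tdbtool" at the call sites. When the fallback to a tdbtool from PATH is taken and none is installed, the failure only surfaces later inside testit; an early check with a clear message would be easier to diagnose.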
@@ -42,7 +47,7 @@ SMBCLIENTPID=$!
sleep 1

testit "Looking for record key of open file" \
- $BINDIR/tdbtool $LOCKDIR/locking.tdb hexkeys || \
+ $samba_tdbtool $LOCKDIR/locking.tdb hexkeys || \
failed=$(expr $failed + 1)

# The assumption here is that only one file is open, so only one
@@ -52,7 +57,7 @@ testit "Looking for record key of open file" \
#[000] 01 FD 00 00 00 00 00 00 56 02 5C 00 00 00 00 00 ....... V.\....
#[010] 00 00 00 00 00 00 00 00 .......
# Select only the hex data, remove space and join every thing together
-key=0x$($BINDIR/tdbtool $LOCKDIR/locking.tdb hexkeys | \
+key=0x$($samba_tdbtool $LOCKDIR/locking.tdb hexkeys | \
grep '\[' | cut -c 7-56 | sed -e 's/ //g' | tr -d '\n')

testit "Looking for open file in locking.tdb" \
--
Samba Shared Repository
Stefan Metzmacher
2018-01-13 02:02:02 UTC
The branch, master has been updated
via 3297f4c Mark wbinfo test flapping
via 6b09ab2 Mark whoami test flapping
via 23ec73e Mark rfc2307 test flapping
via bf19b6c ldb: version 1.3.1
via 6dd0a8c tevent: version 0.9.35
via efe317c talloc: version 2.1.11
via 0623097 talloc: Do not disclose the random talloc magic in free()'ed memory
via e2497b2 talloc: Add tests to require use-after-free to give the correct talloc_abort() string
via 00ee9da talloc: Remove talloc_abort_magic()
from 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3297f4c9bfeb8c9f20829c6a096ea1cebf3772c4
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:39:49 2018 +1300

Mark wbinfo test flapping

please fix and revert

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sat Jan 13 03:01:10 CET 2018 on sn-devel-144

commit 6b09ab2139751637dc773f6ef7fb7f0dd99605e0
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:39:28 2018 +1300

Mark whoami test flapping

please fix and revert!

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 23ec73e0e04975c93863b6f37617cef9b99306ef
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:38:45 2018 +1300

Mark rfc2307 test flapping

Please fix and revert

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit bf19b6ccdcd66dfafcc60d290878550f835316eb
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 23:43:05 2018 +0100

ldb: version 1.3.1

* Intersect the index from SCOPE_ONELEVEL with the index for the search expression
(bug #13191)
* smaller/greater comparison tests
* Show the last successful DN when failing to parse LDIF
* ldb_index: Add an attribute flag to require a unique value.
* silence some clang warnings in picky developer mode

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6dd0a8c1a67922d1f893d5ef500861ec5e7c5a36
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 15:08:14 2018 +0100

tevent: version 0.9.35

* Minor cleanup. wakeup_fd can always be gotten from the event context.
* Use smb_set_close_on_exec() in example code.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit efe317c59204af076bb500ad904d2a5f6a961509
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 07:45:09 2018 +0100

talloc: version 2.1.11

* disable-python - fix talloc wscript if bundling disabled
* Do not disclose the random talloc magic in free()'ed memory

Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 062309755888349afaa05dff7ac48ea8867110e0
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 17:34:31 2018 +1300

talloc: Do not disclose the random talloc magic in free()'ed memory

This may help us avoid exploits via memory read attacks on Samba by ensuring that if the read
is on an invalid chunk that the talloc magic disclosed there is not useful
to create a valid chunk and so set a destructor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit e2497b26b2ec8a9ae4401d0380431c897959c627
Author: Andrew Bartlett <***@samba.org>
Date: Fri Jan 12 11:17:09 2018 +1300

talloc: Add tests to require use-after-free to give the correct talloc_abort() string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 00ee9da50b289a68621f2af755d4283fe6cb3bc7
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 17:29:19 2018 +1300

talloc: Remove talloc_abort_magic()

The check required for talloc_abort_magic() prevents the 'access after free error'
from being printed.

It is also no longer possible to determine the difference between invalid memory
and a talloc version mismatch as the magic is now random on many platforms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} | 0
...yldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} | 0
...-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} | 0
lib/ldb/wscript | 2 +-
...-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} | 0
...3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} | 0
.../ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} | 0
lib/talloc/talloc.c | 128 ++++++++++++++-------
lib/talloc/testsuite.c | 68 +++++++++++
lib/talloc/wscript | 2 +-
.../ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} | 0
lib/tevent/wscript | 2 +-
selftest/flapping.d/rfc2307 | 1 +
selftest/flapping.d/wbinfo | 1 +
selftest/flapping.d/whoami | 1 +
15 files changed, 162 insertions(+), 43 deletions(-)
copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util.py3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} (100%)
copy lib/tevent/ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} (100%)
create mode 100644 selftest/flapping.d/rfc2307
create mode 100644 selftest/flapping.d/wbinfo
create mode 100644 selftest/flapping.d/whoami


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-1.3.0.sigs b/lib/ldb/ABI/ldb-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.0.sigs
copy to lib/ldb/ABI/ldb-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0b8ba26..8ae5be3 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'ldb'
-VERSION = '1.3.0'
+VERSION = '1.3.1'

blddir = 'bin'

diff --git a/lib/talloc/ABI/pytalloc-util-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.11.sigs
diff --git a/lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs b/lib/talloc/ABI/talloc-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.10.sigs
copy to lib/talloc/ABI/talloc-2.1.11.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7721fa4..cd159ef 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -75,12 +75,13 @@
#define TALLOC_MAGIC_REFERENCE ((const char *)1)

#define TALLOC_MAGIC_BASE 0xe814ec70
-static unsigned int talloc_magic = (
- ~TALLOC_FLAG_MASK & (
- TALLOC_MAGIC_BASE +
- (TALLOC_BUILD_VERSION_MAJOR << 24) +
- (TALLOC_BUILD_VERSION_MINOR << 16) +
- (TALLOC_BUILD_VERSION_RELEASE << 8)));
+#define TALLOC_MAGIC_NON_RANDOM ( \
+ ~TALLOC_FLAG_MASK & ( \
+ TALLOC_MAGIC_BASE + \
+ (TALLOC_BUILD_VERSION_MAJOR << 24) + \
+ (TALLOC_BUILD_VERSION_MINOR << 16) + \
+ (TALLOC_BUILD_VERSION_RELEASE << 8)))
+static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM;

/* by default we abort when given a bad pointer (such as when talloc_free() is called
on a pointer that came from malloc() */
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void)
return talloc_magic;
}

+static inline void _talloc_chunk_set_free(struct talloc_chunk *tc,
+ const char *location)
+{
+ /*
+ * Mark this memory as free, and also over-stamp the talloc
+ * magic with the old-style magic.
+ *
+ * Why? This tries to avoid a memory read use-after-free from
+ * disclosing our talloc magic, which would then allow an
+ * attacker to prepare a valid header and so run a destructor.
+ *
+ */
+ tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE
+ | (tc->flags & TALLOC_FLAG_MASK);
+
+ /* we mark the freed memory with where we called the free
+ * from. This means on a double free error we can report where
+ * the first free came from
+ */
+ if (location) {
+ tc->name = location;
+ }
+}
+
+static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc)
+{
+ /*
+ * Mark this memory as not free.
+ *
+ * Why? This is memory either in a pool (and so available for
+ * talloc's re-use or after the realloc(). We need to mark
+ * the memory as free() before any realloc() call as we can't
+ * write to the memory after that.
+ *
+ * We put back the normal magic instead of the 'not random'
+ * magic.
+ */
+
+ tc->flags = talloc_magic |
+ ((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE);
+}
+
static void (*talloc_log_fn)(const char *message);

_PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message))
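Review bot: _talloc_chunk_set_free() leaves tc->name untouched when location is NULL, and _talloc_realloc() calls it with NULL, so the "first free may be at %s" log in talloc_chunk_from_ptr() can print the chunk's own name rather than a free location. Either pass a location string from the realloc path or document that limitation in the helper. In _talloc_chunk_set_not_free() the comment has an unclosed parenthesis after "(and so available for", and its sentence about marking the memory as free() before realloc() describes the other helper.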
@@ -429,11 +472,6 @@ static void talloc_abort(const char *reason)
talloc_abort_fn(reason);
}

-static void talloc_abort_magic(unsigned magic)
-{
- talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
-}
-
static void talloc_abort_access_after_free(void)
{
talloc_abort("Bad talloc magic value - access after free");
@@ -450,19 +488,15 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
const char *pp = (const char *)ptr;
struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
- if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) {
- talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK));
- return NULL;
- }
-
- if (tc->flags & TALLOC_FLAG_FREE) {
+ if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
+ == (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE)) {
talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
talloc_abort_access_after_free();
return NULL;
- } else {
- talloc_abort_unknown_value();
- return NULL;
}
+
+ talloc_abort_unknown_value();
+ return NULL;
}
return tc;
}
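Review bot: the access-after-free branch in talloc_chunk_from_ptr() now depends on the exact stamp written by _talloc_chunk_set_free(), but nothing at the comparison says so; add a comment naming that helper so the two stay in step. With talloc_abort_magic() removed, a chunk from a mismatched talloc build ends in talloc_abort_unknown_value(), which the commit message accepts, and that is worth stating in a comment here as well.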
@@ -947,13 +981,7 @@ static inline void _tc_free_poolmem(struct talloc_chunk *tc,
pool_tc = talloc_chunk_from_pool(pool);
next_tc = tc_next_chunk(tc);

- tc->flags |= TALLOC_FLAG_FREE;
-
- /* we mark the freed memory with where we called the free
- * from. This means on a double free error we can report where
- * the first free came from
- */
- tc->name = location;
+ _talloc_chunk_set_free(tc, location);

TC_INVALIDATE_FULL_CHUNK(tc);

@@ -1103,13 +1131,7 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,

_tc_free_children_internal(tc, ptr, location);

- tc->flags |= TALLOC_FLAG_FREE;
-
- /* we mark the freed memory with where we called the free
- * from. This means on a double free error we can report where
- * the first free came from
- */
- tc->name = location;
+ _talloc_chunk_set_free(tc, location);

if (tc->flags & TALLOC_FLAG_POOL) {
struct talloc_pool_hdr *pool;
@@ -1806,8 +1828,22 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
}
#endif

- /* by resetting magic we catch users of the old memory */
- tc->flags |= TALLOC_FLAG_FREE;
+ /*
+ * by resetting magic we catch users of the old memory
+ *
+ * We mark this memory as free, and also over-stamp the talloc
+ * magic with the old-style magic.
+ *
+ * Why? This tries to avoid a memory read use-after-free from
+ * disclosing our talloc magic, which would then allow an
+ * attacker to prepare a valid header and so run a destructor.
+ *
+ * What else? We have to re-stamp back a valid normal magic
+ * on this memory once realloc() is done, as it will have done
+ * a memcpy() into the new valid memory. We can't do this in
+ * reverse as that would be a real use-after-free.
+ */
+ _talloc_chunk_set_free(tc, NULL);

#if ALWAYS_REALLOC
if (pool_hdr) {
@@ -1906,7 +1942,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons

if (new_chunk_size == old_chunk_size) {
TC_UNDEFINE_GROW_CHUNK(tc, size);
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
tc->size = size;
return ptr;
}
@@ -1921,7 +1957,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons

if (space_left >= space_needed) {
TC_UNDEFINE_GROW_CHUNK(tc, size);
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
tc->size = size;
pool_hdr->end = tc_next_chunk(tc);
return ptr;
@@ -1951,12 +1987,24 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
got_new_ptr:
#endif
if (unlikely(!new_ptr)) {
- tc->flags &= ~TALLOC_FLAG_FREE;
+ /*
+ * Ok, this is a strange spot. We have to put back
+ * the old talloc_magic and any flags, except the
+ * TALLOC_FLAG_FREE as this was not free'ed by the
+ * realloc() call after all
+ */
+ _talloc_chunk_set_not_free(tc);
return NULL;
}

+ /*
+ * tc is now the new value from realloc(), the old memory we
+ * can't access any more and was preemptively marked as
+ * TALLOC_FLAG_FREE before the call. Now we mark it as not
+ * free again
+ */
tc = (struct talloc_chunk *)new_ptr;
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
if (malloced) {
tc->flags &= ~TALLOC_FLAG_POOLMEM;
}
diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index dfaeec1..35309e2 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -2006,6 +2006,72 @@ static bool test_magic_protection(void)
return true;
}

+static void test_magic_free_protection_abort(const char *reason)
+{
+ /* exit with errcode 42 to communicate successful test to the parent process */
+ if (strcmp(reason, "Bad talloc magic value - access after free") == 0) {
+ _exit(42);
+ }
+ /* not 42 */
+ _exit(404);
+}
+
+static bool test_magic_free_protection(void)
+{
+ void *pool = talloc_pool(NULL, 1024);
+ int *p1, *p2, *p3;
+ pid_t pid;
+ int exit_status;
+
+ printf("test: magic_free_protection\n");
+ p1 = talloc(pool, int);
+ p2 = talloc(pool, int);
+
+ /* To avoid complaints from the compiler assign values to the p1 & p2. */
+ *p1 = 6;
+ *p2 = 9;
+
+ p3 = talloc_realloc(pool, p2, int, 2048);
+ torture_assert("pool realloc 2048",
+ p3 != p2,
+ "failed: pointer not changed");
+
+ /*
+ * Now access the memory in the pool after the realloc(). It
+ * should be marked as free, so use of the old pointer should
+ * trigger the abort function
+ */
+ pid = fork();
+ if (pid == 0) {
+ talloc_set_abort_fn(test_magic_free_protection_abort);
+
+ talloc_get_name(p2);
+
+ /* Never reached. Make compilers happy */
+ return true;
+ }
+
+ while (wait(&exit_status) != pid);
+
+ if (!WIFEXITED(exit_status)) {
+ printf("Child exited through unexpected abnormal means\n");
+ return false;
+ }
+ if (WEXITSTATUS(exit_status) != 42) {
+ printf("Child exited with wrong exit status\n");
+ return false;
+ }
+ if (WIFSIGNALED(exit_status)) {
+ printf("Child recieved unexpected signal\n");
+ return false;
+ }
+
+ talloc_free(pool);
+
+ printf("success: magic_free_protection\n");
+ return true;
+}
+
static void test_reset(void)
{
talloc_set_log_fn(test_log_stdout);
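Review bot: fork() is not checked for failure in test_magic_free_protection(); if it returns -1 the wait() loop can end at once (wait() returns -1 when there is no child) and exit_status is then read uninitialised. Add an explicit pid == -1 branch that fails the test. Smaller points in the same function: _exit(404) is truncated to 8 bits before the parent sees it, the WIFSIGNALED() check is unreachable once WIFEXITED() has passed, "recieved" is misspelled in the message, and the three return false paths skip talloc_free(pool).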
@@ -2092,6 +2158,8 @@ bool torture_local_talloc(struct torture_context *tctx)
ret &= test_autofree();
test_reset();
ret &= test_magic_protection();
+ test_reset();
+ ret &= test_magic_free_protection();

test_reset();
talloc_disable_null_tracking();
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index ab74e72..0afa162 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'talloc'
-VERSION = '2.1.10'
+VERSION = '2.1.11'


blddir = 'bin'
diff --git a/lib/tevent/ABI/tevent-0.9.31.sigs b/lib/tevent/ABI/tevent-0.9.35.sigs
similarity index 100%
copy from lib/tevent/ABI/tevent-0.9.31.sigs
copy to lib/tevent/ABI/tevent-0.9.35.sigs
diff --git a/lib/tevent/wscript b/lib/tevent/wscript
index 31f7ee7..2c67f1f 100644
--- a/lib/tevent/wscript
+++ b/lib/tevent/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'tevent'
-VERSION = '0.9.34'
+VERSION = '0.9.35'

blddir = 'bin'

diff --git a/selftest/flapping.d/rfc2307 b/selftest/flapping.d/rfc2307
new file mode 100644
index 0000000..2e37edc
--- /dev/null
+++ b/selftest/flapping.d/rfc2307
@@ -0,0 +1 @@
+^idmap.rfc2307.Testing for expected group memberships
diff --git a/selftest/flapping.d/wbinfo b/selftest/flapping.d/wbinfo
new file mode 100644
index 0000000..8ccf2cb
--- /dev/null
+++ b/selftest/flapping.d/wbinfo
@@ -0,0 +1 @@
+^samba.blackbox.wbinfo\(ad_member:local\).confirm
diff --git a/selftest/flapping.d/whoami b/selftest/flapping.d/whoami
new file mode 100644
index 0000000..82f6356
--- /dev/null
+++ b/selftest/flapping.d/whoami
@@ -0,0 +1 @@
+^samba3.unix.whoami machine account.whoami\(nt4_member:local\)
--
Samba Shared Repository
Jeremy Allison
2018-01-13 06:26:02 UTC
The branch, master has been updated
via f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests
via ce884ee s3/smbd: Add new file information classes
via 4b25c9f vfs_default: use VFS statvfs macro in fs_capabilities
via 2724e0c vfs_ceph: add fs_capabilities hook to avoid local statvfs
from 3297f4c Mark wbinfo test flapping

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f1befc5d5371d531e9aa2b0df73c119b78c2b4cc
Author: Justin Maggard via samba-technical <samba-***@lists.samba.org>
Date: Tue Jan 9 12:04:16 2018 -0800

s3/smbd: Fix error code for unsupported SET_INFO requests

FileValidDataLengthInformation and FileShortNameInformation are both
valid FileInfoClasses that we don't support. According to [MS-SMB2]
3.3.5.21.1, we should be returning STATUS_NOT_SUPPORTED instead of
NT_STATUS_INVALID_LEVEL for these.

Signed-off-by: Justin Maggard <***@netgear.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Sat Jan 13 07:25:42 CET 2018 on sn-devel-144

commit ce884eeb491e53aab6feb4cb5f49fc61ed89c394
Author: Justin Maggard via samba-technical <samba-***@lists.samba.org>
Date: Tue Jan 9 12:04:15 2018 -0800

s3/smbd: Add new file information classes

Add definitions for missing file information classes documented in
[MS-FSCC] section 2.4.

Signed-off-by: Justin Maggard <***@netgear.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 4b25c9f4a4d336a16894452862ea059701b025de
Author: David Disseldorp <***@samba.org>
Date: Wed Jan 10 14:03:09 2018 +0100

vfs_default: use VFS statvfs macro in fs_capabilities

Currently the vfs_default fs_capabilities handler calls statvfs
directly, rather than calling the vfs macro. This behaviour may cause
issues for VFS modules that delegate fs_capabilities handling to
vfs_default but offer their own statvfs hook.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 2724e0cac29cd1632ea28075a740fcc888affb36
Author: David Disseldorp <***@samba.org>
Date: Wed Jan 10 01:37:14 2018 +0100

vfs_ceph: add fs_capabilities hook to avoid local statvfs

Adding the fs_capabilities() hook to the CephFS VFS module avoids
fallback to the vfs_default code-path, which calls statvfs() against the
share path on the *local* filesystem.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/include/trans2.h | 12 +++++++++++-
source3/modules/vfs_ceph.c | 15 +++++++++++++++
source3/modules/vfs_default.c | 14 +++++++-------
source3/smbd/trans2.c | 5 +++++
4 files changed, 38 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/trans2.h b/source3/include/trans2.h
index 3085344..ece436a 100644
--- a/source3/include/trans2.h
+++ b/source3/include/trans2.h
@@ -329,7 +329,17 @@ Byte offset Type name description
#define SMB_FILE_NETWORK_OPEN_INFORMATION 1034
#define SMB_FILE_ATTRIBUTE_TAG_INFORMATION 1035
#define SMB_FILE_TRACKING_INFORMATION 1036
-#define SMB_FILE_MAXIMUM_INFORMATION 1037
+#define SMB_FILE_ID_BOTH_DIRECTORY_INFORMATION 1037
+#define SMB_FILE_ID_FULL_DIRECTORY_INFORMATION 1038
+#define SMB_FILE_VALID_DATA_LENGTH_INFORMATION 1039
+#define SMB_FILE_SHORT_NAME_INFORMATION 1040
+#define SMB_FILE_SFIO_RESERVE_INFORMATION 1044
+#define SMB_FILE_SFIO_VOLUME_INFORMATION 1045
+#define SMB_FILE_HARD_LINK_INFORMATION 1046
+#define SMB_FILE_NORMALIZED_NAME_INFORMATION 1048
+#define SMB_FILE_ID_GLOBAL_TX_DIRECTORY_INFORMATION 1050
+#define SMB_FILE_STANDARD_LINK_INFORMATION 1054
+#define SMB_FILE_MAXIMUM_INFORMATION 1055

/* NT passthough levels for qfsinfo. */

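Review bot: SMB_FILE_MAXIMUM_INFORMATION moves from 1037 to 1055 while the new defines leave gaps (1041 to 1043, 1047, 1049, 1051 to 1053), so any range check written against SMB_FILE_MAXIMUM_INFORMATION will now admit those unassigned values as well as the new classes. Please confirm each user of the constant still rejects undefined levels, and add a comment that the gaps follow the [MS-FSCC] numbering.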
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index b4a7cee..d612131 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -270,6 +270,20 @@ static int cephwrap_statvfs(struct vfs_handle_struct *handle,
return ret;
}

+static uint32_t cephwrap_fs_capabilities(struct vfs_handle_struct *handle,
+ enum timestamp_set_resolution *p_ts_res)
+{
+ uint32_t caps = FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES;
+
+#ifdef HAVE_CEPH_STATX
+ *p_ts_res = TIMESTAMP_SET_NT_OR_BETTER;
+#else
+ *p_ts_res = TIMESTAMP_SET_MSEC;
+#endif
+
+ return caps;
+}
+
/* Directory operations */

static DIR *cephwrap_opendir(struct vfs_handle_struct *handle,
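Review bot: cephwrap_fs_capabilities() returns a fixed FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES with no comment saying why these two flags are the right set for CephFS, and it never consults cephwrap_statvfs(), so if that hook fills in FsCapabilities the value is not used. A short comment stating that the choice is deliberate would help; the caps local can also be returned directly.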
@@ -1399,6 +1413,7 @@ static struct vfs_fn_pointers ceph_fns = {
.get_quota_fn = cephwrap_get_quota,
.set_quota_fn = cephwrap_set_quota,
.statvfs_fn = cephwrap_statvfs,
+ .fs_capabilities_fn = cephwrap_fs_capabilities,

/* Directory operations */

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 073c790..a26bec4 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -129,8 +129,14 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle,
struct vfs_statvfs_struct statbuf;
int ret;

+ smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath,
+ NULL, NULL, 0);
+ if (smb_fname_cpath == NULL) {
+ return caps;
+ }
+
ZERO_STRUCT(statbuf);
- ret = sys_statvfs(conn->connectpath, &statbuf);
+ ret = SMB_VFS_STATVFS(conn, smb_fname_cpath, &statbuf);
if (ret == 0) {
caps = statbuf.FsCapabilities;
}
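Review bot: the smb_fname_cpath == NULL early return now sits at the top of vfswrap_fs_capabilities(), ahead of the timestamp-resolution section it used to belong to (see the next hunk). Please check that the hook's p_ts_res out-parameter (as seen in the vfs_ceph version of this hook) is assigned a default before this return, otherwise an allocation failure hands the caller an unset resolution.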
@@ -140,12 +146,6 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle,
/* Work out what timestamp resolution we can
* use when setting a timestamp. */

- smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath,
- NULL, NULL, 0);
- if (smb_fname_cpath == NULL) {
- return caps;
- }
-
ret = SMB_VFS_STAT(conn, smb_fname_cpath);
if (ret == -1) {
TALLOC_FREE(smb_fname_cpath);
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index dbad71b..512918e 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -8541,6 +8541,11 @@ NTSTATUS smbd_do_setfilepathinfo(connection_struct *conn,
break;
}

+ /* [MS-SMB2] 3.3.5.21.1 states we MUST fail with STATUS_NOT_SUPPORTED. */
+ case SMB_FILE_VALID_DATA_LENGTH_INFORMATION:
+ case SMB_FILE_SHORT_NAME_INFORMATION:
+ return NT_STATUS_NOT_SUPPORTED;
+
/*
* CIFS UNIX extensions.
*/
--
Samba Shared Repository
Ralph Böhme
2018-01-13 11:54:02 UTC
The branch, master has been updated
via e43ee33 winbindd: set info6 data in append_info3_as_txt
via c8f76bf nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6
via 59cb1f6 nsswitch: add "validation_level" and "info6" to winbindd_response
via 7290b5c winbindd: pass validation in append_info3_as_txt
via 194a9e4 winbindd: pass down validation to append_auth_data()
via 7b30f69 winbindd: simplify an if condition in winbindd_dual_pam_auth
via f153c95 winbindd: let winbind_dual_SamLogon return validation
via 1337104 winbindd: remove a space in winbind_dual_SamLogon
via 13d0d52 winbindd: let winbindd_dual_pam_auth_samlogon() return validation info
via cc3ee55 winbindd: let winbind_samlogon_retry_loop return validation info
via aae75d1 winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon
via 489e942 s3/rpc_client: return validation from rpccli_netlogon functions
via 7082ebb s3/rpc_client: add map_info3_to_validation()
via 7eed166 s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon
via a001f4b s3/rpc_client: in map_validation_to_info3() make a deep copy
via 158c890 s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
via a1a9feb winbindd: prevent long lines in a later commit
via e9a9a94 winbindd: simplify if condition in find_domain_from_name_noinit()
via 751fa04 winbindd: remove an else branch
via ca4d5ea winbindd: remove a space
via 5812c7c winbindd: fix overly long lines
via ef27942 s3/rpc_client: fix overly long lines
via dcb45d5 s3/torture: fix an error message
via 561a3b7 s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes
via 98ba88a params: mark "ldap ssl ads" as deprecated
via a79df4e7 params: mark "unicode" parameter as deprecated
from f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e43ee33a1b715bbf4026a35ca9b400f8b8b6fec3
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:34:28 2017 +0100

winbindd: set info6 data in append_info3_as_txt

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Sat Jan 13 12:53:59 CET 2018 on sn-devel-144

commit c8f76bfd7223512074d38379593969595642a0f8
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 23:26:33 2017 +0100

nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 59cb1f6f9c3817bc436746e6f29fd44855451838
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 10 10:20:46 2018 +0100

nsswitch: add "validation_level" and "info6" to winbindd_response

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7290b5cf67e7008cc14ce37a77ea163f47b2183f
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:34:15 2017 +0100

winbindd: pass validation in append_info3_as_txt

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 194a9e4907ade9558e3bf8ebc29d147b5385a3ed
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:27:12 2017 +0100

winbindd: pass down validation to append_auth_data()

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7b30f698334e2fc7bc237a45057246c122ede826
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 18:57:53 2018 +0100

winbindd: simplify an if condition in winbindd_dual_pam_auth

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit f153c95176b7759e10996b24b66d9917945372ed
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 16:25:35 2017 +0100

winbindd: let winbind_dual_SamLogon return validation

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 1337104caa26cd3c2155557ae137a7753b15dd83
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 23:11:44 2017 +0100

winbindd: remove a space in winbind_dual_SamLogon

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 13d0d524c46cc3ec61b73d1e74323b403c8eb040
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 15:54:36 2017 +0100

winbindd: let winbindd_dual_pam_auth_samlogon() return validation info

Pass up validation info instead of info3. No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit cc3ee55ae7f9dd3d16a7f580048295559c3c58f1
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 23:26:38 2017 +0100

winbindd: let winbind_samlogon_retry_loop return validation info

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <***@samba.org>

commit aae75d124a5555f1cb5bb1b3f081a9f09b51beb3
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 16:58:06 2018 +0100

winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon

result is already checked a few lines above.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 489e942aa99d8f8a37ce2286923d8c97e97a4181
Author: Ralph Boehme <***@samba.org>
Date: Thu Nov 30 23:35:40 2017 +0100

s3/rpc_client: return validation from rpccli_netlogon functions

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7082ebbbfb6db036655b63f84c39b6406b963a23
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 15:18:58 2017 +0100

s3/rpc_client: add map_info3_to_validation()

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7eed1661f61bdd946457fc1b3a968dbdf827956b
Author: Ralph Boehme <***@samba.org>
Date: Thu Nov 30 23:19:07 2017 +0100

s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon

Will be needed in the next commit.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a001f4b5090e391479565e89d16dabe036c54cf0
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 22:04:47 2017 +0100

s3/rpc_client: in map_validation_to_info3() make a deep copy

In later commits we want to map a validation to info3 without modifying
the validation data. Otherwise no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 158c89068b5f0ebd10e41f578530e3210fc1d8b3
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 22:35:36 2017 +0100

s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon

The next commit will add an additional caller that is in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a1a9feb72001e9107d339555d2d7593c8be637ca
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 08:26:59 2017 +0100

winbindd: prevent long lines in a later commit

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit e9a9a94d84d5ca038c95666da831ea04260b1d17
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 12:23:50 2017 +0100

winbindd: simplify if condition in find_domain_from_name_noinit()

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 751fa043f35bf165662267c87a81342f282b04f0
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 11:40:47 2017 +0100

winbindd: remove an else branch

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ca4d5ea362bc8b0f1d348f465831c77922437171
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 10:32:41 2017 +0100

winbindd: remove a space

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 5812c7cb5cb5aef919302806b871869161d5100e
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 07:59:50 2017 +0100

winbindd: fix overly long lines

Just another long lines cleanup. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ef27942146a078733b157e64521d98b5499fd837
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 07:58:07 2017 +0100

s3/rpc_client: fix overly long lines

Just long lines cleanup, no further changes. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit dcb45d5c2071ef4d5c7da1534c9e23805a22bc3b
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 9 19:27:22 2017 +0100

s3/torture: fix an error message

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 561a3b7e70f7d6840a89ad9757722eb5435eb062
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Dec 4 15:21:50 2017 +0100

s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 98ba88a7e4dc4c5d5f5bddfc2dd0340b2e4efe78
Author: Björn Jacke <***@samba.org>
Date: Wed Jan 10 16:17:30 2018 +0100

params: mark "ldap ssl ads" as deprecated

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a79df4e7ce8d893a17185aac63f185892f45ab62
Author: Björn Jacke <***@samba.org>
Date: Wed Jan 10 16:05:39 2018 +0100

params: mark "unicode" parameter as deprecated

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/smbdotconf/ldap/ldapsslads.xml | 1 +
docs-xml/smbdotconf/protocol/unicode.xml | 1 +
nsswitch/libwbclient/wbc_pam.c | 14 +-
nsswitch/winbind_struct_protocol.h | 10 +-
source3/auth/auth_util.c | 1 +
source3/auth/proto.h | 2 -
source3/auth/server_info.c | 42 ---
source3/include/vfs.h | 5 -
source3/rpc_client/cli_netlogon.c | 74 +-----
source3/rpc_client/cli_netlogon.h | 54 ++--
source3/rpc_client/util_netlogon.c | 141 +++++++++++
source3/rpc_client/util_netlogon.h | 10 +
source3/rpcclient/cmd_netlogon.c | 14 +-
source3/torture/pdbtest.c | 2 +-
source3/winbindd/winbindd_dual_srv.c | 20 +-
source3/winbindd/winbindd_pam.c | 407 +++++++++++++++++++++++-------
source3/winbindd/winbindd_pam_auth_crap.c | 23 +-
source3/winbindd/winbindd_proto.h | 6 +-
source3/winbindd/winbindd_util.c | 10 +-
19 files changed, 587 insertions(+), 250 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 4fdf4dc..98c3965 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -1,6 +1,7 @@
<samba:parameter name="ldap ssl ads"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option is used to define whether or not Samba should
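Review bot: deprecated="1" is added to the parameter element but the <description> text is untouched, so the generated documentation gives no reason for the deprecation and names no replacement setting. Add a sentence to the description; the same applies to the unicode parameter in the next file.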
diff --git a/docs-xml/smbdotconf/protocol/unicode.xml b/docs-xml/smbdotconf/protocol/unicode.xml
index 86fb06c..25810cd 100644
--- a/docs-xml/smbdotconf/protocol/unicode.xml
+++ b/docs-xml/smbdotconf/protocol/unicode.xml
@@ -1,6 +1,7 @@
<samba:parameter name="unicode"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>Specifies whether the server and client should support unicode.</para>
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index c31220a..e4cd296 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -100,12 +100,22 @@ static wbcErr wbc_create_auth_info(const struct winbindd_response *resp,

i->account_name = strdup(resp->data.auth.info3.user_name);
BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
- i->user_principal= NULL;
+ if (resp->data.auth.validation_level == 6) {
+ i->user_principal = strdup(resp->data.auth.info6.principal_name);
+ BAIL_ON_PTR_ERROR(i->user_principal, wbc_status);
+ } else {
+ i->user_principal = NULL;
+ }
i->full_name = strdup(resp->data.auth.info3.full_name);
BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
i->domain_name = strdup(resp->data.auth.info3.logon_dom);
BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
- i->dns_domain_name= NULL;
+ if (resp->data.auth.validation_level == 6) {
+ i->dns_domain_name = strdup(resp->data.auth.info6.dns_domainname);
+ BAIL_ON_PTR_ERROR(i->dns_domain_name, wbc_status);
+ } else {
+ i->dns_domain_name = NULL;
+ }

i->acct_flags = resp->data.auth.info3.acct_flags;
memcpy(i->user_session_key,
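Review bot: The two new `validation_level == 6` branches test a bare literal and `strdup()` `info6.principal_name` and `info6.dns_domainname` without checking whether they are empty, so at level 6 a blank field reaches the caller as an empty string where the old code always returned NULL. Consider a named constant for the level (or one shared branch for both fields) and mapping an empty fstring to NULL, so consumers that test `user_principal` or `dns_domain_name` for NULL keep working.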
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index 9100dbc..3f3ebd0 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -59,8 +59,9 @@ typedef char fstring[FSTRING_LEN];
* removed WINBINDD_GID_TO_SID
* removed WINBINDD_UID_TO_SID
* 29: added "authoritative" to response.data.auth
+ * 30: added "validation_level" and "info6" to response.data.auth
*/
-#define WINBIND_INTERFACE_VERSION 29
+#define WINBIND_INTERFACE_VERSION 30

/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
On a 64bit Linux box, we have to support a constant structure size
@@ -434,7 +435,8 @@ struct winbindd_response {
fstring krb5ccname;
uint32_t reject_reason;
uint8_t authoritative;
- uint8_t padding[3];
+ uint8_t padding[1];
+ uint16_t validation_level;
struct policy_settings {
uint32_t min_length_password;
uint32_t password_history;
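Review bot: Replacing `padding[3]` with `padding[1]` plus `uint16_t validation_level` keeps the fields after `reject_reason` at four bytes, but nothing in the hunk says that this is required. A short comment next to `padding[1]` stating that `authoritative`, the pad byte and `validation_level` must stay four bytes together would protect the fixed-size response struct from a later edit, and it should say what `validation_level` holds when no validation data was returned, since wbc_pam.c compares it against 6.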
@@ -468,6 +470,10 @@ struct winbindd_response {
fstring logon_srv;
fstring logon_dom;
} info3;
+ struct info6_text {
+ fstring dns_domainname;
+ fstring principal_name;
+ } info6;
fstring unix_username;
} auth;
struct {
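Review bot: `info6_text` stores `dns_domainname` and `principal_name` as `fstring`, which this header defines as `char[FSTRING_LEN]`, so a longer DNS domain name or principal name has to be truncated or rejected by whoever fills the struct. Please document which of the two happens and that both fields are always NUL-terminated, because `wbc_create_auth_info()` passes them straight to `strdup()`.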
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 464fe25..5bb5a69 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -36,6 +36,7 @@
#include "../librpc/gen_ndr/idmap.h"
#include "lib/param/loadparm.h"
#include "../lib/tsocket/tsocket.h"
+#include "rpc_client/util_netlogon.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 996b432..e774670 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -322,8 +322,6 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3,
struct extra_auth_info *extra);
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig);

/* The following definitions come from auth/pampass.c */

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 8461d20..20d43d2 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -711,45 +711,3 @@ done:

return status;
}
-
-#undef RET_NOMEM
-
-#define RET_NOMEM(ptr) do { \
- if (!ptr) { \
- TALLOC_FREE(info3); \
- return NULL; \
- } } while(0)
-
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig)
-{
- struct netr_SamInfo3 *info3;
- unsigned int i;
- NTSTATUS status;
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (!info3) return NULL;
-
- status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return NULL;
- }
-
- if (orig->sidcount) {
- info3->sidcount = orig->sidcount;
- info3->sids = talloc_array(info3, struct netr_SidAttr,
- orig->sidcount);
- RET_NOMEM(info3->sids);
- for (i = 0; i < orig->sidcount; i++) {
- info3->sids[i].sid = dom_sid_dup(info3->sids,
- orig->sids[i].sid);
- RET_NOMEM(info3->sids[i].sid);
- info3->sids[i].attributes =
- orig->sids[i].attributes;
- }
- }
-
- return info3;
-}
-
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index a201749..bb4a135 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -1474,11 +1474,6 @@ int smb_vfs_call_fsetxattr(struct vfs_handle_struct *handle,
const void *value, size_t size, int flags);
bool smb_vfs_call_aio_force(struct vfs_handle_struct *handle,
struct files_struct *fsp);
-bool smb_vfs_call_is_offline(struct vfs_handle_struct *handle,
- const struct smb_filename *fname,
- SMB_STRUCT_STAT *sbuf);
-int smb_vfs_call_set_offline(struct vfs_handle_struct *handle,
- const struct smb_filename *fname);
NTSTATUS smb_vfs_call_durable_cookie(struct vfs_handle_struct *handle,
struct files_struct *fsp,
TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a67b692..800b995 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -447,53 +447,6 @@ fail:
return status;
}

-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
- uint16_t validation_level,
- union netr_Validation *validation,
- struct netr_SamInfo3 **info3_p)
-{
- struct netr_SamInfo3 *info3;
- NTSTATUS status;
-
- if (validation == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- switch (validation_level) {
- case 3:
- if (validation->sam3 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_move(mem_ctx, &validation->sam3);
- break;
- case 6:
- if (validation->sam6 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (info3 == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return status;
- }
-
- info3->sidcount = validation->sam6->sidcount;
- info3->sids = talloc_move(info3, &validation->sam6->sids);
- break;
- default:
- return NT_STATUS_BAD_VALIDATION_CLASS;
- }
-
- *info3_p = info3;
-
- return NT_STATUS_OK;
-}
-
/* Logon domain user */

NTSTATUS rpccli_netlogon_password_logon(
@@ -508,7 +461,8 @@ NTSTATUS rpccli_netlogon_password_logon(
enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
- struct netr_SamInfo3 **info3)
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
@@ -619,7 +573,7 @@ NTSTATUS rpccli_netlogon_password_logon(
binding_handle,
logon_type,
logon,
- frame,
+ mem_ctx,
&validation_level,
&validation,
authoritative,
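Review bot: Switching the allocation context from `frame` to `mem_ctx` at this call hands ownership of `validation` to the caller, where it used to live on the stack frame that the function frees before returning. The function comment or the header should state that the returned `union netr_Validation` is allocated on `mem_ctx` and that the caller is responsible for freeing it.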
@@ -629,14 +583,9 @@ NTSTATUS rpccli_netlogon_password_logon(
return status;
}

- status = map_validation_to_info3(mem_ctx,
- validation_level, validation,
- info3);
TALLOC_FREE(frame);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
+ *_validation_level = validation_level;
+ *_validation = validation;

return NT_STATUS_OK;
}
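Review bot: `*_validation_level` and `*_validation` are written only on the success path at the end of `rpccli_netlogon_password_logon()`, and in the visible hunks only `rpccli_netlogon_network_logon()` resets `*_validation = NULL` on entry. Initialising both outputs at the top of this function as well would keep callers from reading an unset pointer after the early `return status;`.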
@@ -661,7 +610,8 @@ NTSTATUS rpccli_netlogon_network_logon(
DATA_BLOB nt_response,
uint8_t *authoritative,
uint32_t *flags,
- struct netr_SamInfo3 **info3)
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
{
NTSTATUS status;
const char *workstation_name_slash;
@@ -672,7 +622,7 @@ NTSTATUS rpccli_netlogon_network_logon(
struct netr_ChallengeResponse lm;
struct netr_ChallengeResponse nt;

- *info3 = NULL;
+ *_validation = NULL;

ZERO_STRUCT(lm);
ZERO_STRUCT(nt);
@@ -733,12 +683,8 @@ NTSTATUS rpccli_netlogon_network_logon(
return status;
}

- status = map_validation_to_info3(mem_ctx,
- validation_level, validation,
- info3);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ *_validation_level = validation_level;
+ *_validation = validation;

return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index da562e0..d31bdee 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -59,30 +59,34 @@ NTSTATUS rpccli_connect_netlogon(
bool force_reauth,
struct cli_credentials *trust_creds,
struct rpc_pipe_client **_rpccli);
-NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *domain,
- const char *username,
- const char *password,
- const char *workstation,
- enum netr_LogonInfoClass logon_type,
- uint8_t *authoritative,
- uint32_t *flags,
- struct netr_SamInfo3 **info3);
-NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *username,
- const char *domain,
- const char *workstation,
- const uint8_t chal[8],
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
- uint8_t *authoritative,
- uint32_t *flags,
- struct netr_SamInfo3 **info3);
+NTSTATUS rpccli_netlogon_password_logon(
+ struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ const char *workstation,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);
+NTSTATUS rpccli_netlogon_network_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8_t chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);

#endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
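Review bot: The reflowed prototypes name the first parameter `creds` in `rpccli_netlogon_password_logon()` but `creds_ctx` in `rpccli_netlogon_network_logon()`; pick one name for both so the header matches the definitions. Since callers now receive the raw `union netr_Validation` instead of a `netr_SamInfo3`, a one-line comment pointing to `map_validation_to_info3()` for the conversion would also help.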
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index d22078b..ac804f8 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -61,3 +61,144 @@ NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,

return NT_STATUS_OK;
}
+
+#undef RET_NOMEM
+
+#define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+ return NULL; \
+ } } while(0)
+
+struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo3 *orig)
+{
+ struct netr_SamInfo3 *info3;
+ unsigned int i;
+ NTSTATUS status;
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (!info3) return NULL;
+
+ status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return NULL;
+ }
+
+ if (orig->sidcount) {
+ info3->sidcount = orig->sidcount;
+ info3->sids = talloc_array(info3, struct netr_SidAttr,
+ orig->sidcount);
+ RET_NOMEM(info3->sids);
+ for (i = 0; i < orig->sidcount; i++) {
+ info3->sids[i].sid = dom_sid_dup(info3->sids,
+ orig->sids[i].sid);
+ RET_NOMEM(info3->sids[i].sid);
+ info3->sids[i].attributes =
+ orig->sids[i].attributes;
+ }
+ }
+
+ return info3;
+}
+
+NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ struct netr_SamInfo3 **info3_p)
+{
+ struct netr_SamInfo3 *info3;
+ struct netr_SamInfo6 *info6 = NULL;
+ NTSTATUS status;
+
+ if (validation == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (validation_level) {
+ case 3:
+ if (validation->sam3 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ info3 = copy_netr_SamInfo3(mem_ctx, validation->sam3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ break;
+ case 6:
+ if (validation->sam6 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ info6 = validation->sam6;
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = copy_netr_SamBaseInfo(info3,
+ &info6->base,
+ &info3->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+
+ if (validation->sam6->sidcount > 0) {
+ int i;
+
+ info3->sidcount = info6->sidcount;
+
+ info3->sids = talloc_array(info3,
+ struct netr_SidAttr,
+ info3->sidcount);
+ if (info3->sids == NULL) {
+ TALLOC_FREE(info3);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < info3->sidcount; i++) {
+ info3->sids[i].sid = dom_sid_dup(
+ info3->sids, info6->sids[i].sid);
+ if (info3->sids[i].sid == NULL) {
+ TALLOC_FREE(info3);
+ return NT_STATUS_NO_MEMORY;
+ }
+ info3->sids[i].attributes =
+ info6->sids[i].attributes;
+ }
+ }
+ break;
+ default:
+ return NT_STATUS_BAD_VALIDATION_CLASS;
+ }
+
+ *info3_p = info3;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS map_info3_to_validation(TALLOC_CTX *mem_ctx,
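Review bot: In the `case 6` branch of `map_validation_to_info3()` the loop index is declared `int i` and compared against `info3->sidcount`, while `copy_netr_SamInfo3()` just above uses `unsigned int i` for the same loop; the count comes from the logon reply, so use an unsigned index here too and avoid the signed/unsigned comparison. The same branch reads `validation->sam6->sidcount` right after assigning `info6 = validation->sam6`, so use `info6->sidcount` consistently, and the SID copy loop duplicates the one in `copy_netr_SamInfo3()` and could share a helper.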
--
Samba Shared Repository
Karolin Seeger
2018-01-13 16:13:02 UTC
The branch, master has been updated
via 4b17d36 WHATSNEW: document some more new options
via b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
via 9fb3637 winbindd: add more trust types to get_trust_type_string
via 95e3307 libwbclient: add more trust types
via 05558dd wbinfo: support for local, workstation and routed trust types
via ec85579 libwbclient: add trust routing and more trust-types
via f12a43f winbindd: fix trust_is_oubound()
via 09021f9 winbindd: fix trust_is_inbound()
via a39cf19 winbindd: transitive trust logic in trust_is_transitive()
via 939592c winbindd: use add_trusted_domain_from_auth
via f4d27f2 winbindd: add add_trusted_domain_from_auth
via b2ea360 winbindd: add set_routing_domain()
via 2e644af winbindd: add find_default_route_domain()
via 40c9115 winbindd: avoid automatic enumerating trusts on DCs
via 29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list()
via fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
via f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
via a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
via 3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
via 6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
via f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
via 8fde1c6 s3/torture/pdbtest: delete trusted domain at test end
via f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID
via 4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust
via 2385e71 winbindd: add find_trust_from_{name,sid}_noinit()
via b724e01 winbindd: remember the secure_channel_type in winbindd_domain
via 5bf2979 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
via 8587445 winbindd: initialize some stack pointers to NULL
via 126d6ce winbindd: rename alternative_name to dns_name
via 5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
via c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc()
from e43ee33 winbindd: set info6 data in append_info3_as_txt

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b17d365bc8df7860ee28b5b0e1f53a9acf2b69d
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Jan 11 12:46:24 2018 +0100

WHATSNEW: document some more new options

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

commit b4e1e3019a1475cb8c1e3ab9314693d6ed130923
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 16:02:28 2017 +0100

winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 9fb36370a57904770e1c9ca96279a1854481d3f3
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 08:53:16 2017 +0100

winbindd: add more trust types to get_trust_type_string

Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC" and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 95e3307917b5731ab883ee5fce530c5b559b4934
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 16:01:50 2017 +0100

libwbclient: add more trust types

Prepare libwbclient for additional trust types and trust routing.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 05558ddd7e91643c9b8bca92271252e6f5494b69
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 16:02:22 2017 +0100

wbinfo: support for local, workstation and routed trust types

Prepare wbinfo for additional trust types and trust routing.

This also modifies the output line for a "None" trust type by skipping
the transitivity and direction -- that just doesn't make sense without a
trust.

Signed-off-by: Ralph Boehme <***@samba.org>

commit ec85579d87aafba3a78ddd326cf125909007c349
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 19 17:26:46 2017 +0100

libwbclient: add trust routing and more trust-types

This adds the struct member and the defines, the implementation comes
later.

Signed-off-by: Ralph Boehme <***@samba.org>

commit f12a43f4876b4a6bf556ea760ffe8e21f2acacf8
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:46:03 2017 +0100

winbindd: fix trust_is_oubound()

A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 09021f920faba4dc4d2b2e1c0d3d4432e1a759d5
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:44:41 2017 +0100

winbindd: fix trust_is_inbound()

A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <***@samba.org>

commit a39cf19c2514d8f249951b77078683dd6a53504e
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:32:59 2017 +0100

winbindd: transitive trust logic in trust_is_transitive()

trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transitive,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <***@samba.org>

commit 939592c660263b6f9969c30e4c6a1903fcc75831
Author: Ralph Boehme <***@samba.org>
Date: Wed Nov 29 10:55:25 2017 +0100

winbindd: use add_trusted_domain_from_auth

After a successful authentication, ensure we have the user's domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <***@samba.org>

commit f4d27f2bf9a32fec02da01351fa5af3867f4b1f7
Author: Ralph Boehme <***@samba.org>
Date: Wed Nov 29 10:10:38 2017 +0100

winbindd: add add_trusted_domain_from_auth

Function to add a new trusted domain to the domain list and TDC after a
successful authentication. On Member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <***@samba.org>

commit b2ea3606a7f7325b0e2f5fae46346f8fbf489177
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 17:11:25 2017 +0100

winbindd: add set_routing_domain()

commit 2e644af16428ff6421459020a54cf20c296bc4df
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 17:08:10 2017 +0100

winbindd: add find_default_route_domain()

On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forest this would
be the parent domain.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 40c91150e36e5818d4a4f25429ed600762cfd49b
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 16:02:28 2017 +0100

winbindd: avoid automatic enumerating trusts on DCs

We have a static list of trusts based on our configuration.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 29e6d55909be1f17ffc140481a90000c1475e92e
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:55:12 2017 +0100

winbindd: load the trusted domains on a DC already in init_domain_list()

We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit fa3b81b21c99093c531181acaac375b99c0816c6
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 19 23:44:00 2017 +0100

pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX

Signed-off-by: Ralph Boehme <***@samba.org>

commit f8bcd37058579ed435daebefd47efe374e9084d2
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:57:27 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain

Signed-off-by: Ralph Boehme <***@samba.org>

commit a55643701b7d1c8c51ef15484af9bf8bebce065d
Author: Ralph Boehme <***@samba.org>
Date: Sun Dec 10 20:03:37 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain

Signed-off-by: Ralph Boehme <***@samba.org>

commit 3091ea3b7a4f19f81b9a545ccc64f80e382e04ef
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 08:41:29 2017 +0100

pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6f9232e26c8b4d4595c339d95977c9b1ca94a601
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 07:59:59 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f362387352645c2252bd2412b0a25f7b085c8bc7
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 08:33:51 2017 +0100

s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 8fde1c641da4ba23342bf36226ab9291a79acbad
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:56:40 2017 +0100

s3/torture/pdbtest: delete trusted domain at test end

Signed-off-by: Ralph Boehme <***@samba.org>

commit f1bd7c8bb48abc8fabb8374f549b888fbdd3036c
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:56:02 2017 +0100

s3/torture/pdbtest: creating a trusted domain requires a valid SID

Signed-off-by: Ralph Boehme <***@samba.org>

commit 4b0641bf10f7561771cee2581e1d7fc4e183c826
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 30 13:04:56 2017 +0100

winbindd: use find_trust_from_name_noinit when we require a direct trust

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 2385e719ba4835ca254eedbdfeffdd875912ec27
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:23:36 2017 +0100

winbindd: add find_trust_from_{name,sid}_noinit()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b724e01ec767caebbfa3723d8346d640a511ded1
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:10:38 2017 +0100

winbindd: remember the secure_channel_type in winbindd_domain

This way we have an indication of non direct trusts with
SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5bf2979bb6e22c6d3f7565c13329aa60fdce4e0f
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 16 11:34:23 2017 +0100

winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()

This extends add_trusted_domain() to be the one true one-stop function
to add a winbindd domain.

add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
in the winbindd domain which made it hard to track which attributes
would be required and which are optional.

Pair-programmed-with: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 85874458852697df8f7c45fb9e7f848367d07a07
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 12:14:57 2018 +0100

winbindd: initialize some stack pointers to NULL

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 126d6ceecfc4371187eec3497a5bae09ec0d159a
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 12:14:57 2018 +0100

winbindd: rename alternative_name to dns_name

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5ffade7b29292c671aca51bd82e25de8723d6852
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 15 21:13:52 2017 +0100

winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()

Unique key for domains is the NetBIOS name, period. If the caller
passes a domain name that matches a different domain's DNS name or vice
versa, that is an error. The same applies to SIDs.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit c7c06fd23813a61fdb10745e3ee2838206319bdd
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 15 21:09:15 2017 +0100

winbindd: enforce valid SID in add_trusted_domain_from_tdc()

It's the caller's responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
disaster.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 21 +-
.../winbind/winbindscantrusteddomains.xml | 29 +
lib/param/loadparm.c | 1 +
nsswitch/libwbclient/wbc_util.c | 16 +-
nsswitch/libwbclient/wbclient.h | 7 +
nsswitch/wbinfo.c | 21 +-
source3/param/loadparm.c | 1 +
source3/passdb/pdb_samba_dsdb.c | 877 ++++++++++++++++++++-
source3/torture/pdbtest.c | 13 +
source3/winbindd/winbindd.c | 15 +-
source3/winbindd/winbindd.h | 2 +
source3/winbindd/winbindd_irpc.c | 2 +-
source3/winbindd/winbindd_misc.c | 211 ++++-
source3/winbindd/winbindd_pam_auth.c | 15 +
source3/winbindd/winbindd_pam_auth_crap.c | 24 +-
source3/winbindd/winbindd_ping_dc.c | 2 +-
source3/winbindd/winbindd_proto.h | 8 +
source3/winbindd/winbindd_util.c | 711 +++++++++++++----
source4/dsdb/common/util_trusts.c | 65 ++
19 files changed, 1853 insertions(+), 188 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 94278b3..f1e43f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -95,15 +95,18 @@ smb.conf changes
client schannel Default changed/ yes
Deprecated
gpo update command New
+ ldap ssl ads Deprecated
map untrusted to domain Removed
oplock contention limit Removed
- prefork children New 1
+ prefork children New 1
mdns name Added netbios
fruit:time machine Added false
profile acls Removed
use spnego Removed
server schannel Default changed/ yes
Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
winbind trusted domains only Removed


@@ -150,6 +153,22 @@ reversed to match the parameter ordering of the UNIX extensions
'symlink' command. The usage message for this command has also
been improved to remove confusion.

+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
REMOVED FEATURES
================

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..31afdc9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
+ <constant>domain</constant> or <constant>ads</constant>.
+ If it is set to yes (the default), winbindd periodically tries to scan for new
+ trusted domains and adds them to a global list inside of winbindd.
+ The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+ This matches the behaviour of Samba 4.7 and older.</para>
+
+ <para>The construction of that global list is not reliable and often
+ incomplete in complex trust setups. In most situations the list is
+ not needed any more for winbindd to operate correctly.
+ E.g. for plain file serving via SMB using a simple idmap setup
+ with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+ However some more complex setups require the list, e.g.
+ if you specify idmap backends for specific domains.
+ Some pam_winbind setups may also require the global list.</para>
+
+ <para>If you have a setup that doesn't require the global list, you should set
+ <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a18407d..f265459 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+ lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c
index 3dab0a2..ecfcaa0 100644
--- a/nsswitch/libwbclient/wbc_util.c
+++ b/nsswitch/libwbclient/wbc_util.c
@@ -455,8 +455,22 @@ static wbcErr process_domain_info_string(struct wbcDomainInfo *info,
*s = '\0';
s++;

- if (strcmp(r, "None") == 0) {
+ if (strcmp(r, "Local") == 0) {
info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+ } else if (strncmp(r, "Routed", strlen("Routed")) == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+ info->trust_routing = strdup(r);
+ BAIL_ON_PTR_ERROR(info->trust_routing, wbc_status);
+ } else if (strcmp(r, "Local") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_LOCAL;
+ } else if (strcmp(r, "Workstation") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_WKSTA;
+ } else if (strcmp(r, "RWDC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_RWDC;
+ } else if (strcmp(r, "RODC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_RODC;
+ } else if (strcmp(r, "PDC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_PDC;
} else if (strcmp(r, "External") == 0) {
info->trust_type = WBC_DOMINFO_TRUSTTYPE_EXTERNAL;
} else if (strcmp(r, "Forest") == 0) {
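Review bot: The first branch now tests `strcmp(r, "Local") == 0` but still assigns `WBC_DOMINFO_TRUSTTYPE_NONE`, which makes the later `"Local"` branch that assigns `WBC_DOMINFO_TRUSTTYPE_LOCAL` unreachable and leaves the string "None" with no matching branch in the visible part of the chain. The first test should presumably stay `"None"`. Separately, `strncmp(r, "Routed", strlen("Routed"))` accepts any value that merely starts with "Routed", and the `strdup()`ed `trust_routing` needs a matching free wherever a `struct wbcDomainInfo` is released.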
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index ed97a67..81a6a6a 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -187,6 +187,7 @@ struct wbcDomainInfo {
uint32_t domain_flags;
uint32_t trust_flags;
uint32_t trust_type;
+ char *trust_routing;
};

/* wbcDomainInfo->domain_flags */
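Review bot: Adding `char *trust_routing` to the public `struct wbcDomainInfo` changes the size of a struct that existing libwbclient consumers were compiled against and gives it a heap-allocated member. Please document in the header who owns and frees the string and when it is NULL, and confirm that the library's ABI versioning covers the larger struct.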
@@ -209,6 +210,12 @@ struct wbcDomainInfo {
#define WBC_DOMINFO_TRUSTTYPE_FOREST 0x00000001
#define WBC_DOMINFO_TRUSTTYPE_IN_FOREST 0x00000002
#define WBC_DOMINFO_TRUSTTYPE_EXTERNAL 0x00000003
+#define WBC_DOMINFO_TRUSTTYPE_LOCAL 0x00000004
+#define WBC_DOMINFO_TRUSTTYPE_WKSTA 0x00000005
+#define WBC_DOMINFO_TRUSTTYPE_RWDC 0x00000006
+#define WBC_DOMINFO_TRUSTTYPE_RODC 0x00000007
+#define WBC_DOMINFO_TRUSTTYPE_PDC 0x00000008
+

/**
* @brief Generic Blob
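Review bot: the five new WBC_DOMINFO_TRUSTTYPE_* values (0x4 to 0x8) appear from their names to describe a machine role (LOCAL, WKSTA, RWDC, RODC, PDC) rather than a kind of trust like FOREST, IN_FOREST and EXTERNAL above them. A short comment per value would help, since existing callers that switch on trust_type will now see values they do not know. The hunk also adds a blank line directly before an existing one, leaving two.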
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9cd299a..54d5758 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -536,7 +536,26 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose)

switch(domain_list[i].trust_type) {
case WBC_DOMINFO_TRUSTTYPE_NONE:
- d_printf("None ");
+ if (domain_list[i].trust_routing != NULL) {
+ d_printf("%s\n", domain_list[i].trust_routing);
+ } else {
+ d_printf("None\n");
+ }
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_LOCAL:
+ d_printf("Local\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_RWDC:
+ d_printf("RWDC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_RODC:
+ d_printf("RODC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_PDC:
+ d_printf("PDC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_WKSTA:
+ d_printf("Workstation ");
break;
case WBC_DOMINFO_TRUSTTYPE_FOREST:
d_printf("Forest ");
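Review bot: the new cases are inconsistent about ending the row. NONE, LOCAL, RWDC, RODC and PDC print a newline and `continue`, which skips everything after the switch for that domain, while WKSTA prints "Workstation " and uses `break` like the pre-existing trust types. If Workstation rows are meant to carry the remaining columns, say so in a comment; if not, make the case match the others. Also check that nothing later in the loop body (not visible in this hunk) has to run for the entries that now `continue`.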
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 582c875..f1f453e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;
+ Globals.winbind_scan_trusted_domains = true;

Globals.idmap_cache_time = 86400 * 7; /* a week by default */
Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 58168d8..16a7a85 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -40,6 +40,8 @@
#include "source4/auth/auth_sam.h"
#include "auth/credentials/credentials.h"
#include "lib/util/base64.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "lib/util/util_ldb.h"

struct pdb_samba_dsdb_state {
struct tevent_context *ev;
@@ -2132,7 +2134,7 @@ static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid

static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
{
- return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
+ return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
}

static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid)
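Review bot: `pdb_samba_dsdb_capabilities()` now advertises PDB_CAP_TRUSTED_DOMAINS_EX, but the visible part of this changeset only adds the enumeration and the two get_trusted_domain lookups before the 500-line truncation. Before callers start relying on the flag, confirm that the remaining trusted-domain methods of the backend are implemented in the same commit, or return a clear not-implemented status.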
@@ -2878,11 +2880,871 @@ static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,

static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
TALLOC_CTX *mem_ctx,
- uint32_t *num_domains,
- struct trustdom_info ***domains)
+ uint32_t *_num_domains,
+ struct trustdom_info ***_domains)
{
- *num_domains = 0;
- *domains = NULL;
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustDirection",
+ NULL
+ };
+ struct ldb_result *res = NULL;
+ unsigned int i;
+ struct trustdom_info **domains = NULL;
+ NTSTATUS status;
+ uint32_t di = 0;
+
+ *_num_domains = 0;
+ *_domains = NULL;
+
+ status = dsdb_trust_search_tdos(state->ldb, NULL,
+ attrs, tmp_ctx, &res);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ if (res->count == 0) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ domains = talloc_zero_array(tmp_ctx, struct trustdom_info *,
+ res->count);
+ if (domains == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < res->count; i++) {
+ struct ldb_message *msg = res->msgs[i];
+ struct trustdom_info *d = NULL;
+ const char *name = NULL;
+ struct dom_sid *sid = NULL;
+ uint32_t direction;
+
+ d = talloc_zero(domains, struct trustdom_info);
+ if (d == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ name = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+ if (name == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ sid = samdb_result_dom_sid(msg, msg, "securityIdentifier");
+ if (sid == NULL) {
+ continue;
+ }
+
+ direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+ if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+ continue;
+ }
+
+ d->name = talloc_strdup(d, name);
+ if (d->name == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ d->sid = *sid;
+
+ domains[di++] = d;
+ }
+
+ talloc_realloc(domains, domains, struct trustdom_info *, di);
+ *_domains = talloc_move(mem_ctx, &domains);
+ *_num_domains = di;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg,
+ TALLOC_CTX *mem_ctx,
+ struct pdb_trusted_domain **_d)
+{
+ struct pdb_trusted_domain *d = NULL;
+ const char *str = NULL;
+ struct dom_sid *sid = NULL;
+ const struct ldb_val *val = NULL;
+ uint64_t val64;
+
+ *_d = NULL;
+
+ d = talloc_zero(mem_ctx, struct pdb_trusted_domain);
+ if (d == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ str = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+ if (str == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ d->netbios_name = talloc_strdup(d, str);
+ if (d->netbios_name == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+ if (str != NULL) {
+ d->domain_name = talloc_strdup(d, str);
+ if (d->domain_name == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ sid = samdb_result_dom_sid(d, msg, "securityIdentifier");
+ if (sid != NULL) {
+ d->security_identifier = *sid;
+ TALLOC_FREE(sid);
+ }
+
+ val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+ if (val != NULL) {
+ d->trust_auth_outgoing = data_blob_dup_talloc(d, *val);
+ if (d->trust_auth_outgoing.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+ if (val != NULL) {
+ d->trust_auth_incoming = data_blob_dup_talloc(d, *val);
+ if (d->trust_auth_incoming.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+ d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0);
+ d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0);
+
+ val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX);
+ if (val64 != UINT64_MAX) {
+ d->trust_posix_offset = talloc(d, uint32_t);
+ if (d->trust_posix_offset == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *d->trust_posix_offset = (uint32_t)val64;
+ }
+
+ val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX);
+ if (val64 != UINT64_MAX) {
+ d->supported_enc_type = talloc(d, uint32_t);
+ if (d->supported_enc_type == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *d->supported_enc_type = (uint32_t)val64;
+ }
+
+ val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
+ if (val != NULL) {
+ d->trust_forest_trust_info = data_blob_dup_talloc(d, *val);
+ if (d->trust_forest_trust_info.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *_d = d;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
+ TALLOC_CTX *mem_ctx,
+ const char *domain,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustPartner",
+ "trustAuthOutgoing",
+ "trustAuthIncoming",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "trustPosixOffset",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
+ struct ldb_message *msg = NULL;
+ struct pdb_trusted_domain *d = NULL;
+ NTSTATUS status;
+
+ status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
+ attrs, tmp_ctx, &msg);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdo(%s) - %s ",
+ domain, nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+ domain, nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ *td = d;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
+ TALLOC_CTX *mem_ctx,
+ struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustPartner",
+ "trustAuthOutgoing",
+ "trustAuthIncoming",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "trustPosixOffset",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
+ struct ldb_message *msg = NULL;
+ struct pdb_trusted_domain *d = NULL;
+ NTSTATUS status;
+
+ status = dsdb_trust_search_tdo_by_sid(state->ldb, sid,
+ attrs, tmp_ctx, &msg);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ",
+ dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+ dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ *td = d;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
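Review bot: in pdb_samba_dsdb_enum_trusteddoms() the result of `talloc_realloc(domains, domains, struct trustdom_info *, di);` is discarded and the old `domains` pointer is then handed to talloc_move(). talloc_realloc() returns the new pointer, which need not equal the old one, and it returns NULL when asked for zero elements. That case is reachable here when every TDO is skipped by the `sid == NULL` or non-outbound `continue`. Assign the result back to `domains`, check it, and return early with an empty list when `di` is 0 instead of reallocating. Two smaller points in the same loop: each skipped entry leaves its already allocated `d` attached to `domains`, so allocate `d` only after the checks have passed; and a single TDO without flatName aborts the whole enumeration with NT_STATUS_INTERNAL_DB_CORRUPTION while one without a SID is silently skipped, which deserves either a comment or consistent handling. In pdb_samba_dsdb_msg_to_trusted_domain() the `(uint32_t)val64` casts for trustPosixOffset and msDS-SupportedEncryptionTypes truncate without a range check.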
--
Samba Shared Repository
Karolin Seeger
2018-01-13 21:02:02 UTC
The branch, master has been updated
via 08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc
via a00312d samba_kcc: simplify NCReplica.set_instantiated_flags()
via 81484f3 samba_kcc: simplify NCReplica constructor
via 315f445 samba_kcc: clarify readonly logging, removing now unused function
via d3f4429 samba_kcc: remove unused functions
via d3c5420 samba_kcc: fix dot_file_dir documentation
via a090d7e samba_kcc: remove an unused function
via c6294c3 samba-tool visualize for understanding AD DC behaviour
via ba2306f samba_kcc: use new graph module for writing dot files
via cebad22 python/graph: module for generating ASCII and graphviz visualisations
via b4a90a6 samba_kcc: respect kcc.read_only flag on RODC
via e579d5b samba_kcc: kcc.debug module defers to samba.colour
via a46c4a3 python: module containing ANSI colour sequences
via f2762d0 python tests: assert string equality, with diff
via 3f2762d samba_kcc: documentation fix
via 6678f33 s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()
from 4b17d36 WHATSNEW: document some more new options

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 08651a08ac10d472a8b170c2f33496192d7faa66
Author: Andrej Gessel <***@janztec.com>
Date: Mon Nov 13 11:07:43 2017 +0100

samba_kcc: do not commit new nTDSConnection, if we are rodc

Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc: attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc: all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc: all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc: part, True)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc: partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc: lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc: connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc: (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Signed-off-by: Andrej Gessel <***@janztec.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Sat Jan 13 22:01:49 CET 2018 on sn-devel-144

commit a00312df7d5a9a2394b41111608c4d988ff4e3f2
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Dec 15 15:58:46 2017 +1300

samba_kcc: simplify NCReplica.set_instantiated_flags()

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 81484f32f4dfe4aeb5624430575fe791a9063246
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 17:50:56 2017 +1300

samba_kcc: simplify NCReplica constructor

There is nothing to be gained from setting the dn and guid separately
except subtle bugs.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 315f445a0256b0b63a344286debb6a27053c4d69
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 17:35:29 2017 +1300

samba_kcc: clarify readonly logging, removing now unused function

The unused function was somewhat misnamed.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d3f4429cd6e8a58926753651c015e683b92995ae
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 16:04:19 2017 +1300

samba_kcc: remove unused functions

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d3c542051fb19559c5699001da8d9da6c7e66712
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Nov 30 09:24:05 2017 +1300

samba_kcc: fix dot_file_dir documentation

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a090d7ef52cfd2bbc8bdf7028db0e2237def1f3e
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Nov 16 16:47:32 2017 +1300

samba_kcc: remove an unused function

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit c6294c3c7b6c97f15daad7d463bda267726245c7
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Aug 10 11:57:24 2017 +1200

samba-tool visualize for understanding AD DC behaviour

To work out what is happening in a replication graph, it is sometimes
helpful to use visualisations. We introduce a samba-tool subcommand to
write Graphviz dot output and generate text-based heatmaps of the
distance in hops between DCs.

There are two subcommands, two graphical modes, and (roughly) two modes of
operation with respect to the location of authority.

`samba-tool visualize ntdsconn` looks at NTDS Connections.
`samba-tool visualize reps` looks at repsTo and repsFrom objects.

In '--distance' mode (default), the distances between DCs are shown in
a matrix in the terminal. With '--color=yes', this is depicted as a
heatmap. With '--utf8' it is a little prettier.

In '--dot' mode, Graphviz dot output is generated. When viewed using
dot or xdot, this shows the network as a graph with DCs as vertices
and connections edges. Certain types of degenerate edges are shown in
different colours or line-styles.

Normally samba-tool talks to one database; with the '-r' (a.k.a.
'--talk-to-remote') option attempts are made to contact all the DCs
known to the first database. This is necessary to get sensible results
from `samba-tool visualize reps` because the repsFrom/To objects are
not replicated, and it can reveal replication issues in other modes.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ba2306f00d32d2fc55685b388e03e28fd7d97fd7
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Aug 10 15:29:43 2017 +1200

samba_kcc: use new graph module for writing dot files

We avoid changing the (annoying) signature of write_dot_file().

Using samba_kcc to write dot files may be deprecated.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit cebad22ce021ce9051fbe664bc699677796e0fb3
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Jan 10 15:25:22 2018 +1300

python/graph: module for generating ASCII and graphviz visualisations

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit b4a90a650e969cd65b5104d37e9c57275909b336
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Jan 11 21:56:40 2018 +1300

samba_kcc: respect kcc.read_only flag on RODC

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit e579d5bd48dfc7bc93ecc126d42fd4389ded0e28
Author: Douglas Bagnall <***@halo.gen.nz>
Date: Wed Jan 3 09:20:09 2018 +1300

samba_kcc: kcc.debug module defers to samba.colour

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a46c4a39c4d3be88f76c295b0719c025a1c39c3b
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Sun Jan 7 23:17:38 2018 +1300

python: module containing ANSI colour sequences

This is going to be used by `samba-tool visualize` and samba_kcc.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit f2762d088001408a706e88e0fe6f46181c01fc3f
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 5 16:45:37 2018 +1300

python tests: assert string equality, with diff

In the success case this works just like self.assertEqual(),
but when things fail you get a better representation of where it went
wrong (a unified diff).

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 3f2762d0b716e8a440cefeb1867caa303e21af40
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 07:32:59 2018 +1300

samba_kcc: documentation fix

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 6678f33274d4f1784635cd11fc63d9d32a9f9b16
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 14:52:45 2018 +0100

s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()

Otherwise this taints other tests which might follow.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/colour.py | 50 ++
python/samba/graph.py | 621 +++++++++++++++++++++++++
python/samba/kcc/__init__.py | 21 +-
python/samba/kcc/debug.py | 24 +-
python/samba/kcc/graph_utils.py | 37 +-
python/samba/kcc/kcc_utils.py | 39 +-
python/samba/netcmd/main.py | 1 +
python/samba/netcmd/visualize.py | 574 +++++++++++++++++++++++
python/samba/tests/__init__.py | 23 +
python/samba/tests/graph.py | 152 ++++++
python/samba/tests/samba_tool/visualize.py | 466 +++++++++++++++++++
python/samba/tests/samba_tool/visualize_drs.py | 110 +++++
selftest/tests.py | 1 +
source4/selftest/tests.py | 6 +-
source4/torture/drs/python/samba_tool_drs.py | 3 +
15 files changed, 2037 insertions(+), 91 deletions(-)
create mode 100644 python/samba/colour.py
create mode 100644 python/samba/graph.py
create mode 100644 python/samba/netcmd/visualize.py
create mode 100644 python/samba/tests/graph.py
create mode 100644 python/samba/tests/samba_tool/visualize.py
create mode 100644 python/samba/tests/samba_tool/visualize_drs.py


Changeset truncated at 500 lines:

diff --git a/python/samba/colour.py b/python/samba/colour.py
new file mode 100644
index 0000000..b3d9a71
--- /dev/null
+++ b/python/samba/colour.py
@@ -0,0 +1,50 @@
+# ANSI codes for 4 bit and xterm-256color
+#
+# Copyright (C) Andrew Bartlett 2018
+#
+# Originally written by Douglas Bagnall
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# The 4 bit colours are available as global variables with names like
+# RED, DARK_RED, REV_RED (for red background), and REV_DARK_RED.
+#
+# The 256-colour codes are obtained using xterm_256_color(n), where n
+# is the number of the desired colour.
+
+# C_NORMAL resets to normal, whatever that is
+C_NORMAL = "\033[0m"
+
+UNDERLINE = "\033[4m"
+
+def _gen_ansi_colours():
+ g = globals()
+ for i, name in enumerate(('BLACK', 'RED', 'GREEN', 'YELLOW', 'BLUE',
+ 'MAGENTA', 'CYAN', 'WHITE')):
+ g[name] = "\033[1;3%dm" % i
+ g['DARK_' + name] = "\033[3%dm" % i
+ g['REV_' + name] = "\033[1;4%dm" % i
+ g['REV_DARK_' + name] = "\033[4%dm" % i
+
+_gen_ansi_colours()
+
+# kcc.debug uses these aliases (which make visual sense)
+PURPLE = DARK_MAGENTA
+GREY = DARK_WHITE
+
+def xterm_256_colour(n, bg=False, bold=False):
+ weight = '01;' if bold else ''
+ target = '48' if bg else '38'
+
+ return "\033[%s%s;5;%dm" % (weight, target, int(n))
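Review bot: the header comment tells callers to use `xterm_256_color(n)`, but the function defined at the end of the file is `xterm_256_colour`; fix the comment to match. The 4 bit names are injected into globals() by `_gen_ansi_colours()`, so `PURPLE = DARK_MAGENTA` and `GREY = DARK_WHITE` refer to names a static checker cannot see. Spelling the constants out, or at least listing the generated names in a comment, would keep linters and readers from flagging them. `xterm_256_colour` accepts any integer, so a docstring giving the valid range of n (0 to 255) would help.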
diff --git a/python/samba/graph.py b/python/samba/graph.py
new file mode 100644
index 0000000..f626287
--- /dev/null
+++ b/python/samba/graph.py
@@ -0,0 +1,621 @@
+# -*- coding: utf-8 -*-
+# Graph topology utilities and dot file generation
+#
+# Copyright (C) Andrew Bartlett 2018.
+#
+# Written by Douglas Bagnall <***@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import print_function
+from samba import colour
+import sys
+
+FONT_SIZE = 10
+
+
+def reformat_graph_label(s):
+ """Break DNs over multiple lines, for better shaped and arguably more
+ readable nodes. We try to split after commas, and if necessary
+ after hyphens or failing that in arbitrary places."""
+ if len(s) < 12:
+ return s
+
+ s = s.replace(',', ',\n')
+ pieces = []
+ for p in s.split('\n'):
+ while len(p) > 20:
+ if '-' in p[2:20]:
+ q, p = p.split('-', 1)
+ else:
+ n = len(p) / 12
+ b = len(p) / n
+ q, p = p[:b], p[b:]
+ pieces.append(q + '-')
+ if p:
+ pieces.append(p)
+
+ return '\\n'.join(pieces)
+
+
+def quote_graph_label(s, reformat=False):
+ """Escape a string as graphvis requires."""
+ # escaping inside quotes is simple in dot, because only " is escaped.
+ # there is no need to count backslashes in sequences like \\\\"
+ s = s.replace('"', '\"')
+ if reformat:
+ s = reformat_graph_label(s)
+ return "%s" % s
+
+
+def shorten_vertex_names(edges, vertices, suffix=',...', aggressive=False):
+ """Replace the common suffix (in practice, the base DN) of a number of
+ vertices with a short string (default ",..."). If this seems
+ pointless because the replaced string is very short or the results
+ seem strange, the original vertices are retained.
+
+ :param edges: a sequence of vertex pairs to shorten
+ :param vertices: a sequence of vertices to shorten
+ :param suffix: the replacement string [",..."]
+
+ :return: tuple of (edges, vertices, replacement)
+
+ If no change is made, the returned edges and vertices will be the
+ original lists and replacement will be None.
+
+ If a change is made, replacement will be a tuple (new, original)
+ indicating the new suffix that replaces the old.
+ """
+ vlist = list(set(x[0] for x in edges) |
+ set(x[1] for x in edges) |
+ set(vertices))
+
+ if len(vlist) < 2:
+ return edges, vertices, None
+
+ # walk backwards along all the strings until we meet a character
+ # that is not shared by all.
+ i = -1
+ try:
+ while True:
+ c = set(x[i] for x in vlist)
+ if len(c) > 1:
+ break
+ i -= 1
+ except IndexError:
+ # We have indexed beyond the start of a string, which should
+ # only happen if one node is a strict suffix of all others.
+ return edges, vertices, None
+
+ # add one to get to the last unanimous character.
+ i += 1
+
+ # now, we actually really want to split on a comma. So we walk
+ # back to a comma.
+ x = vlist[0]
+ while i < len(x) and x[i] != ',':
+ i += 1
+
+ if i >= -len(suffix):
+ # there is nothing to gain here
+ return edges, vertices, None
+
+ edges2 = []
+ vertices2 = []
+
+ for a, b in edges:
+ edges2.append((a[:i] + suffix, b[:i] + suffix))
+ for a in vertices:
+ vertices2.append(a[:i] + suffix)
+
+ replacements = [(suffix, a[i:])]
+
+ if aggressive:
+ # Remove known common annoying strings
+ map = dict((v, v) for v in vertices2)
+ for v in vertices2:
+ if ',CN=Servers,' not in v:
+ break
+ else:
+ map = dict((k, v.replace(',CN=Servers,', ',**,'))
+ for k, v in map.iteritems())
+ replacements.append(('**', 'CN=Servers'))
+
+ for v in vertices2:
+ if not v.startswith('CN=NTDS Settings,'):
+ break
+ else:
+ map = dict((k, v.replace('CN=NTDS Settings,', '*,'))
+ for k, v in map.iteritems())
+ replacements.append(('*', 'CN=NTDS Settings'))
+
+ edges2 = [(map.get(a, a), map.get(b, b)) for a, b in edges2]
+ vertices2 = [map.get(a, a) for a in vertices2]
+
+ return edges2, vertices2, replacements
+
+
+def compile_graph_key(key_items, nodes_above=[], elisions=None,
+ prefix='key_', width=2):
+ """Generate a dot file snippet that acts as a legend for a graph.
+
+ :param key_items: sequence of items (is_vertex, style, label)
+ :param nodes_above: list of vertices (pushes key into right position)
+ :param elision: tuple (short, full) indicating suffix replacement
+ :param prefix: string used to generate key node names ["key_"]
+ :param width: default width of node lines
+
+ Each item in key_items is a tuple of (is_vertex, style, label).
+ is_vertex is a boolean indicating whether the item is a vertex
+ (True) or edge (False). Style is a dot style string for the edge
+ or vertex. label is the text associated with the key item.
+ """
+ edge_lines = []
+ edge_names = []
+ vertex_lines = []
+ vertex_names = []
+ order_lines = []
+ for i, item in enumerate(key_items):
+ is_vertex, style, label = item
+ tag = '%s%d_' % (prefix, i)
+ label = quote_graph_label(label)
+ name = '%s_label' % tag
+
+ if is_vertex:
+ order_lines.append(name)
+ vertex_names.append(name)
+ vertex_lines.append('%s[label="%s"; %s]' %
+ (name, label, style))
+ else:
+ edge_names.append(name)
+ e1 = '%se1' % tag
+ e2 = '%se2' % tag
+ order_lines.append(name)
+ edge_lines.append('subgraph cluster_%s {' % tag)
+ edge_lines.append('%s[label=src; color="#000000"; group="%s_g"]' %
+ (e1, tag))
+ edge_lines.append('%s[label=dest; color="#000000"; group="%s_g"]' %
+ (e2, tag))
+ edge_lines.append('%s -> %s [constraint = false; %s]' % (e1, e2,
+ style))
+ edge_lines.append(('%s[shape=plaintext; style=solid; width=%f; '
+ 'label="%s\\r"]') %
+ (name, width, label))
+ edge_lines.append('}')
+
+ elision_str = ''
+ if elisions:
+ for i, elision in enumerate(reversed(elisions)):
+ order_lines.append('elision%d' % i)
+ short, long = elision
+ if short[0] == ',' and long[0] == ',':
+ short = short[1:]
+ long = long[1:]
+ elision_str += ('\nelision%d[shape=plaintext; style=solid; '
+ 'label="\“%s” means “%s”\\r"]\n'
+ % ((i, short, long)))
+
+ above_lines = []
+ if order_lines:
+ for n in nodes_above:
+ above_lines.append('"%s" -> %s [style=invis]' %
+ (n, order_lines[0]))
+
+ s = ('subgraph cluster_key {\n'
+ 'label="Key";\n'
+ 'subgraph cluster_key_nodes {\n'
+ 'label="";\n'
+ 'color = "invis";\n'
+ '%s\n'
+ '}\n'
+ 'subgraph cluster_key_edges {\n'
+ 'label="";\n'
+ 'color = "invis";\n'
+ '%s\n'
+ '{%s}\n'
+ '}\n'
+ '%s\n'
+ '}\n'
+ '%s\n'
+ '%s [style=invis; weight=9]'
+ '\n'
+ % (';\n'.join(vertex_lines),
+ '\n'.join(edge_lines),
+ ' '.join(edge_names),
+ elision_str,
+ ';\n'.join(above_lines),
+ ' -> '.join(order_lines),
+ ))
+
+ return s
+
+
+def dot_graph(vertices, edges,
+ directed=False,
+ title=None,
+ reformat_labels=True,
+ vertex_colors=None,
+ edge_colors=None,
+ edge_labels=None,
+ vertex_styles=None,
+ edge_styles=None,
+ graph_name=None,
+ shorten_names=False,
+ key_items=None,
+ vertex_clusters=None):
+ """Generate a Graphviz representation of a list of vertices and edges.
+
+ :param vertices: list of vertex names (optional).
+ :param edges: list of (vertex, vertex) pairs
+ :param directed: bool: whether the graph is directed
+ :param title: optional title for the graph
+ :param reformat_labels: whether to wrap long vertex labels
+ :param vertex_colors: if not None, a sequence of colours for the vertices
+ :param edge_colors: if not None, colours for the edges
+ :param edge_labels: if not None, labels for the edges
+ :param vertex_styles: if not None, DOT style strings for vertices
+ :param edge_styles: if not None, DOT style strings for edges
+ :param graph_name: if not None, name of graph
+ :param shorten_names: if True, remove common DN suffixes
+ :param key: (is_vertex, style, description) tuples
+ :param vertex_clusters: list of subgraph cluster names
+
+ Colour, style, and label lists must be the same length as the
+ corresponding list of edges or vertices (or None).
+
+ Colours can be HTML RGB strings ("#FF0000") or common names
+ ("red"), or some other formats you don't want to think about.
+
+ If `vertices` is None, only the vertices mentioned in the edges
+ are shown, and their appearance can be modified using the
+ vertex_colors and vertex_styles arguments. Vertices appearing in
+ the edges but not in the `vertices` list will be shown but their
+ styles can not be modified.
+ """
+ out = []
+ write = out.append
+
+ if vertices is None:
+ vertices = set(x[0] for x in edges) | set(x[1] for x in edges)
+
+ if shorten_names:
+ edges, vertices, elisions = shorten_vertex_names(edges, vertices)
+ else:
+ elisions = None
+
+ if graph_name is None:
+ graph_name = 'A_samba_tool_production'
+
+ if directed:
+ graph_type = 'digraph'
+ connector = '->'
+ else:
+ graph_type = 'graph'
+ connector = '--'
+
+ write('/* generated by samba */')
+ write('%s %s {' % (graph_type, graph_name))
+ if title is not None:
+ write('label="%s";' % (title,))
+ write('fontsize=%s;\n' % (FONT_SIZE))
+ write('node[fontname=Helvetica; fontsize=%s];\n' % (FONT_SIZE))
+
+ prev_cluster = None
+ cluster_n = 0
+ quoted_vertices = []
+ for i, v in enumerate(vertices):
+ v = quote_graph_label(v, reformat_labels)
+ quoted_vertices.append(v)
+ attrs = []
+ if vertex_clusters and vertex_clusters[i]:
+ cluster = vertex_clusters[i]
+ if cluster != prev_cluster:
+ if prev_cluster is not None:
+ write("}")
+ prev_cluster = cluster
+ n = quote_graph_label(cluster)
+ if cluster:
+ write('subgraph cluster_%d {' % cluster_n)
+ cluster_n += 1
+ write('style = "rounded,dotted";')
+ write('node [style="filled"; fillcolor=white];')
+ write('label = "%s";' % n)
+
+ if vertex_styles and vertex_styles[i]:
+ attrs.append(vertex_styles[i])
+ if vertex_colors and vertex_colors[i]:
+ attrs.append('color="%s"' % quote_graph_label(vertex_colors[i]))
+ if attrs:
+ write('"%s" [%s];' % (v, ', '.join(attrs)))
+ else:
+ write('"%s";' % (v,))
+
+ if prev_cluster:
+ write("}")
+
+ for i, edge in enumerate(edges):
+ a, b = edge
+ if a is None:
+ a = "Missing source value"
+ if b is None:
+ b = "Missing destination value"
+
+ a = quote_graph_label(a, reformat_labels)
+ b = quote_graph_label(b, reformat_labels)
+
+ attrs = []
+ if edge_labels:
+ label = quote_graph_label(edge_labels[i])
+ attrs.append('label="%s"' % label)
+ if edge_colors:
+ attrs.append('color="%s"' % quote_graph_label(edge_colors[i]))
+ if edge_styles:
+ attrs.append(edge_styles[i]) # no quoting
+ if attrs:
+ write('"%s" %s "%s" [%s];' % (a, connector, b, ', '.join(attrs)))
+ else:
+ write('"%s" %s "%s";' % (a, connector, b))
+
+ if key_items:
+ key = compile_graph_key(key_items, nodes_above=quoted_vertices,
+ elisions=elisions)
+ write(key)
+
+ write('}\n')
+ return '\n'.join(out)
+
+
+COLOUR_SETS = {
+ 'ansi': {
+ 'alternate rows': (colour.DARK_WHITE, colour.BLACK),
+ 'disconnected': colour.RED,
+ 'connected': colour.GREEN,
+ 'transitive': colour.DARK_YELLOW,
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'ansi-heatmap': {
+ 'alternate rows': (colour.DARK_WHITE, colour.BLACK),
+ 'disconnected': colour.REV_RED,
+ 'connected': colour.REV_GREEN,
+ 'transitive': colour.REV_DARK_YELLOW,
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'xterm-256color': {
+ 'alternate rows': (colour.xterm_256_colour(39),
+ colour.xterm_256_colour(45)),
+ #'alternate rows': (colour.xterm_256_colour(246),
+ # colour.xterm_256_colour(247)),
+ 'disconnected': colour.xterm_256_colour(124, bg=True),
+ 'connected': colour.xterm_256_colour(112),
+ 'transitive': colour.xterm_256_colour(214),
+ 'transitive scale': (colour.xterm_256_colour(190),
+ colour.xterm_256_colour(226),
+ colour.xterm_256_colour(220),
+ colour.xterm_256_colour(214),
+ colour.xterm_256_colour(208),
+ ),
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'xterm-256color-heatmap': {
+ 'alternate rows': (colour.xterm_256_colour(171),
+ colour.xterm_256_colour(207)),
+ #'alternate rows': (colour.xterm_256_colour(246),
+ # colour.xterm_256_colour(247)),
+ 'disconnected': colour.xterm_256_colour(124, bg=True),
+ 'connected': colour.xterm_256_colour(112, bg=True),
+ 'transitive': colour.xterm_256_colour(214, bg=True),
+ 'transitive scale': (colour.xterm_256_colour(190, bg=True),
+ colour.xterm_256_colour(226, bg=True),
+ colour.xterm_256_colour(220, bg=True),
+ colour.xterm_256_colour(214, bg=True),
+ colour.xterm_256_colour(208, bg=True),
+ ),
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ None: {
+ 'alternate rows': ('',),
+ 'disconnected': '',
+ 'connected': '',
+ 'transitive': '',
+ 'header': '',
+ 'reset': '',
+ }
+}
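Review bot: In dot_graph(), the title is interpolated into `label="%s";` directly, while the cluster, vertex and edge labels later in the function all pass through quote_graph_label(), so whatever escaping that helper applies is skipped for the title. Suggest `write('label="%s";' % quote_graph_label(title))`. Two smaller points: the docstring documents the parameter as `key` while the body tests `key_items`, and a vertex whose vertex_clusters entry is empty but follows a clustered vertex is written before the pending `}`, so it is drawn inside the previous cluster.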
--
Samba Shared Repository
Stefan Metzmacher
2018-01-14 02:09:02 UTC
The branch, master has been updated
via 0eec2b6 docs: Remove reference to environment variables for now
via 2ca73cb gpo: Add the winbind call to gpupdate
via fb5241a Revert "gpo: Create the gpo update service"
via 88152ad gpo: Continue parsing GPOs even if one fails
via ef49d0b gpo: Fix crashes in gpo unapply
from 08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0eec2b6e049ae0acf62a5d704697fe31956ec5b7
Author: Garming Sam <***@catalyst.net.nz>
Date: Tue Jan 9 16:28:36 2018 +1300

docs: Remove reference to environment variables for now

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sun Jan 14 03:08:01 CET 2018 on sn-devel-144

commit 2ca73cba53621c6db79f769f625316535fbfdbc9
Author: David Mulder <***@suse.com>
Date: Tue Nov 21 03:44:12 2017 -0700

gpo: Add the winbind call to gpupdate

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit fb5241aa9d3fe8319ff5232b8a3d1987d03ba7bf
Author: David Mulder <***@suse.com>
Date: Wed Dec 6 12:51:22 2017 -0700

Revert "gpo: Create the gpo update service"

This reverts commit 5662e49b49f6557c80f216f510f224bbf800f40a.

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 88152adeca704bb49574802b280142164a899e31
Author: David Mulder <***@suse.com>
Date: Mon Jan 8 09:19:13 2018 -0700

gpo: Continue parsing GPOs even if one fails

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ef49d0b9eff9b90fa5533d50a0fc26405f44d449
Author: David Mulder <***@suse.com>
Date: Mon Jan 8 09:16:11 2018 -0700

gpo: Fix crashes in gpo unapply

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 10 +-
docs-xml/smbdotconf/winbind/applygrouppolicies.xml | 19 ++
lib/param/loadparm.c | 1 +
python/samba/gpclass.py | 24 +--
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +
source3/winbindd/winbindd.c | 2 +
source3/winbindd/winbindd_gpupdate.c | 116 +++++++++++++
source3/winbindd/winbindd_proto.h | 3 +
source3/winbindd/wscript_build | 3 +-
source4/dsdb/gpo/gpo_update.c | 193 ---------------------
source4/dsdb/wscript_build | 9 -
source4/scripting/bin/samba_gpoupdate | 35 +++-
source4/scripting/bin/wscript_build | 2 +-
source4/scripting/wscript_build | 7 +-
15 files changed, 196 insertions(+), 232 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/applygrouppolicies.xml
create mode 100644 source3/winbindd/winbindd_gpupdate.c
delete mode 100644 source4/dsdb/gpo/gpo_update.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
index 22a4216..147751b 100644
--- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
+++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
@@ -5,10 +5,12 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option sets the command that is called to apply GPO policies.
- The samba_gpoupdate script applies System Access and Kerberos Policies.
- System Access policies set minPwdAge, maxPwdAge, minPwdLength, and
- pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime,
- kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf.
+ The samba_gpoupdate script applies System Access and Kerberos Policies
+ to the KDC, or Environment Variable policies to client machines. System
+ Access policies set minPwdAge, maxPwdAge, minPwdLength, and
+ pwdProperties in the samdb. Kerberos Policies set kdc:service ticket
+ lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in
+ smb.conf.
</para>
</description>

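Review bot: The rewritten paragraph now says the script applies "Environment Variable policies to client machines", while this push also contains "docs: Remove reference to environment variables for now". Please check that the text left in gpoupdatecommand.xml is the intended final wording.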
diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
new file mode 100644
index 0000000..67baa0d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="apply group policies"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This option controls whether winbind will execute the gpupdate
+ command defined in <smbconfoption name="gpo update command"/> on the
+ Group Policy update interval. The Group Policy update interval is
+ defined as every 90 minutes, plus a random offset between 0 and 30
+ minutes. This applies Group Policy Machine polices to the client or
+ KDC and machine policies to a server.
+ </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
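Review bot: The last sentence of the description is hard to parse and has a typo: "This applies Group Policy Machine polices to the client or KDC and machine policies to a server." names machine policies twice with different targets, and "polices" should be "policies". Please state once which policies are applied on which role. Since winbindd_gpupdate.c in this push runs the command with --machine and --machine-pass, the description should also say that the command is run by winbind with the machine account, because that is what an administrator enabling the option needs to know.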
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f265459..7854f57 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2734,6 +2734,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR);
+ lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False");
lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command",
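Review bot: `lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False")` passes a constant through the format-string variant. The neighbouring socket directory entries use lpcfg_do_global_parameter() for values without a format and keep _var for the "%s/..." patterns, so the plain call fits here. The documentation added in the same push gives the default as "no"; using one spelling in both places would avoid confusion.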
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 00330eb..33c9001 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -19,19 +19,12 @@ import sys
import os
import tdb
sys.path.insert(0, "bin/python")
-import samba.gpo as gpo
-import optparse
-import ldb
-from samba.auth import system_session
-import samba.getopt as options
-from samba.samdb import SamDB
-from samba.netcmd import gpo as gpo_user
-import codecs
from samba import NTSTATUSError
from ConfigParser import ConfigParser
from StringIO import StringIO
from abc import ABCMeta, abstractmethod
import xml.etree.ElementTree as etree
+import re

try:
from enum import Enum
@@ -217,12 +210,19 @@ class gp_log:
exts = guid_obj.findall('gp_ext')
if exts is not None:
for ext in exts:
- ext_map = {val[0]: val[1] for (key, val) in \
- data_maps[ext.attrib['name']].items()}
attrs = ext.findall('attribute')
for attr in attrs:
- ret.append((attr.attrib['name'], attr.text,
- ext_map[attr.attrib['name']]))
+ func = None
+ if attr.attrib['name'] in data_maps[ext.attrib['name']]:
+ func = data_maps[ext.attrib['name']]\
+ [attr.attrib['name']][-1]
+ else:
+ for dmap in data_maps[ext.attrib['name']].keys():
+ if data_maps[ext.attrib['name']][dmap][0] == \
+ attr.attrib['name']:
+ func = data_maps[ext.attrib['name']][dmap][-1]
+ break
+ ret.append((attr.attrib['name'], attr.text, func))
return ret

def delete(self, gp_ext_name, attribute):
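Review bot: If the attribute name matches neither a key of data_maps[ext.attrib['name']] nor the first element of any of its values, `func` stays None and is still appended to ret, so a caller that invokes the third tuple element fails later and far from the cause. Either skip the entry with a log message or raise here. `data_maps[ext.attrib['name']]` is also indexed without checking that the extension name is present, and binding it to a local once would remove the five repeated lookups and the backslash continuations.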
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 628f4f1..c161ee0 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -616,7 +616,7 @@ sub provision_raw_step1($$)
rndc command = true
dns update command = $ctx->{samba_dnsupdate}
spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
- gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb
+ gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine
dreplsrv:periodic_startup_interval = 0
dsdb:schema update allowed = yes

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f1f453e..096c23f 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -923,6 +923,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.gpo_update_command = str_list_make_v3_const(NULL, s, NULL);
TALLOC_FREE(s);

+ Globals.apply_group_policies = false;
+
s = talloc_asprintf(talloc_tos(), "%s/samba_spnupdate", get_dyn_SCRIPTSBINDIR());
if (s == NULL) {
smb_panic("init_globals: ENOMEM");
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 5326737..0a8d146 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1790,6 +1790,8 @@ int main(int argc, const char **argv)
daemon_ready("winbindd");
}

+ gpupdate_init();
+
/* Loop waiting for requests */
while (1) {
frame = talloc_stackframe();
diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c
new file mode 100644
index 0000000..48ebb55
--- /dev/null
+++ b/source3/winbindd/winbindd_gpupdate.c
@@ -0,0 +1,116 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Update event for winbindd
+ * Copyright (C) David Mulder 2017
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "winbindd.h"
+
+/*
+ * gpupdate_interval()
+ * return Random integer between 5400 and 7200, the group policy update
+ * interval in seconds
+ *
+ * Group Policy should be updated every 90 minutes in the background,
+ * with a random offset between 0 and 30 minutes. This ensures mutiple
+ * clients will not update at the same time.
+ */
+#define GPUPDATE_INTERVAL (90*60)
+#define GPUPDATE_RAND_OFFSET (30*60)
+static uint32_t gpupdate_interval(void)
+{
+ int rand_int_offset = rand() % GPUPDATE_RAND_OFFSET;
+ return GPUPDATE_INTERVAL+rand_int_offset;
+}
+
+struct gpupdate_state {
+ TALLOC_CTX *ctx;
+ struct loadparm_context *lp_ctx;
+};
+
+static void gpupdate_callback(struct tevent_context *ev,
+ struct tevent_timer *tim,
+ struct timeval current_time,
+ void *private_data)
+{
+ struct tevent_timer *time_event;
+ struct timeval schedule;
+ struct tevent_req *req = NULL;
+ struct gpupdate_state *data =
+ talloc_get_type_abort(private_data, struct gpupdate_state);
+ const char *const *gpupdate_cmd =
+ lpcfg_gpo_update_command(data->lp_ctx);
+ const char *smbconf = lp_default_path();
+
+ /* Execute gpupdate */
+ req = samba_runcmd_send(data->ctx, ev, timeval_zero(), 2, 0,
+ gpupdate_cmd,
+ "-s",
+ smbconf,
+ "--machine",
+ "--machine-pass",
+ NULL);
+ if (req == NULL) {
+ DEBUG(0, ("Failed to execute the gpupdate command\n"));
+ return;
+ }
+
+ /* Schedule the next event */
+ schedule = tevent_timeval_current_ofs(gpupdate_interval(), 0);
+ time_event = tevent_add_timer(ev, data->ctx, schedule,
+ gpupdate_callback, data);
+ if (time_event == NULL) {
+ DEBUG(0, ("Failed scheduling the next gpupdate event\n"));
+ }
+}
+
+void gpupdate_init(void)
+{
+ struct tevent_timer *time_event;
+ struct timeval schedule;
+ TALLOC_CTX * ctx = talloc_new(server_event_context());
+ struct gpupdate_state *data = talloc(ctx, struct gpupdate_state);
+ struct loadparm_context *lp_ctx =
+ loadparm_init_s3(NULL, loadparm_s3_helpers());
+
+ /*
+ * Check if gpupdate is enabled for winbind, if not
+ * return without scheduling any events.
+ */
+ if (!lpcfg_apply_group_policies(lp_ctx)) {
+ return;
+ }
+
+ /*
+ * Execute the first event immediately, future events
+ * will execute on the gpupdate interval, which is every
+ * 90 to 120 minutes (at random).
+ */
+ schedule = tevent_timeval_current_ofs(0, 0);
+ data->ctx = ctx;
+ data->lp_ctx = lp_ctx;
+ if (data->lp_ctx == NULL) {
+ smb_panic("Could not load smb.conf\n");
+ }
+ time_event = tevent_add_timer(server_event_context(), data->ctx,
+ schedule, gpupdate_callback, data);
+ if (time_event == NULL) {
+ DEBUG(0, ("Failed scheduling the gpupdate event\n"));
+ }
+}
+
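Review bot: In gpupdate_init(), lp_ctx is passed to `lpcfg_apply_group_policies(lp_ctx)` before the `data->lp_ctx == NULL` check further down, so that check comes too late to protect the first use; move it directly after loadparm_init_s3(), and also check the result of `talloc(ctx, struct gpupdate_state)` before writing to `data`. The early return when the option is off leaves ctx, data and lp_ctx allocated, so testing the option before allocating (or freeing on that path) would be cleaner. In gpupdate_callback(), the request returned by samba_runcmd_send() never gets a callback, so the command's exit status is never collected or logged, and it is started with timeval_zero() where the removed gpo_update.c used timeval_current_ofs(20, 0) and a gpoupdate_sysvscan_done handler. Because this runs the update command with --machine-pass on every interval, a failing or hanging run should at least show up in the log. Finally, gpupdate_interval() uses rand() and nothing in this file seeds it, so the comment's claim that clients will not update at the same time depends on seeding done elsewhere.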
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 39cdef5..9a52f6a 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -942,4 +942,7 @@ NTSTATUS wb_irpc_register(void);
/* The following definitions come from winbindd/winbindd_reconnect.c */
bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);

+/* The following definitions come from winbindd/winbindd_gpupdate.c */
+void gpupdate_init(void);
+
#endif /* _WINBINDD_PROTO_H_ */
diff --git a/source3/winbindd/wscript_build b/source3/winbindd/wscript_build
index 51264e9..48250ea 100644
--- a/source3/winbindd/wscript_build
+++ b/source3/winbindd/wscript_build
@@ -254,7 +254,8 @@ bld.SAMBA3_BINARY('winbindd',
winbindd_pam_logoff.c
winbindd_pam_chauthtok.c
winbindd_pam_auth_crap.c
- winbindd_pam_chng_pswd_auth_crap.c''',
+ winbindd_pam_chng_pswd_auth_crap.c
+ winbindd_gpupdate.c''',
deps='''
talloc
tevent
diff --git a/source4/dsdb/gpo/gpo_update.c b/source4/dsdb/gpo/gpo_update.c
deleted file mode 100644
index 997e97e..0000000
--- a/source4/dsdb/gpo/gpo_update.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- Unix SMB/CIFS mplementation.
- GPO update service
-
- Copyright (C) Luke Morrison 2013
-
- Inspired by dns_updates.c written by Andrew Trigell 2009
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/
-
-*/
-
-#include "includes.h"
-#include "dsdb/samdb/samdb.h"
-#include "auth/auth.h"
-#include "smbd/service.h"
-#include "lib/messaging/irpc.h"
-#include "param/param.h"
-#include "system/filesys.h"
-#include "dsdb/common/util.h"
-#include "libcli/composite/composite.h"
-#include "libcli/security/dom_sid.h"
-#include "librpc/gen_ndr/ndr_irpc.h"
-#include "libds/common/roles.h"
-
-struct gpoupdate_service {
- struct auth_session_info *system_session_info;
- struct task_server *task;
-
- /* status for periodic sysvol/GPO scan update - >sysvscan */
- struct {
- uint32_t interval;
- struct tevent_timer *te;
- struct tevent_req *subreq;
- NTSTATUS status;
- } sysvscan;
-};
-
-/*
-Called when the sysvol scan has finished
-*/
-static void gpoupdate_sysvscan_done(struct tevent_req *subreq)
-{
- struct gpoupdate_service *service = tevent_req_callback_data(subreq,
- struct
- gpoupdate_service);
- int ret;
- int sys_errno;
-
- service->sysvscan.subreq = NULL;
-
- ret = samba_runcmd_recv(subreq, &sys_errno);
- TALLOC_FREE(subreq);
- if (ret != 0) {
- service->sysvscan.status =
- map_nt_error_from_unix_common(sys_errno);
- } else {
- service->sysvscan.status = NT_STATUS_OK;
- }
-
- if (!NT_STATUS_IS_OK(service->sysvscan.status)) {
- DEBUG(0, (__location__ ": Failed GPO update - %s\n",
- nt_errstr(service->sysvscan.status)));
- } else {
- DEBUG(3, ("Completed GPO update check OK\n"));
- }
-}
-
-static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service);
-
-static void gpoupdate_scan_apply(struct gpoupdate_service *service);
-
-static void gpoupdate_sysvscan_handler_te(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- struct gpoupdate_service *service =
- talloc_get_type(ptr, struct gpoupdate_service);
-
- gpoupdate_scan_apply(service);
- gpoupdate_sysvscan_schedule(service);
-}
-
-static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service)
-{
- /*
- * This is configured, default to 900 sec (15 mins) in
- * gpoupdate_task_init via gpoupdate:config interval
- */
- service->sysvscan.te =
- tevent_add_timer(service->task->event_ctx, service,
- timeval_current_ofs(service->sysvscan.interval, 0),
- gpoupdate_sysvscan_handler_te, service);
- NT_STATUS_HAVE_NO_MEMORY(service->sysvscan.te);
- return NT_STATUS_OK;
-}
-
-static void gpoupdate_scan_apply(struct gpoupdate_service *service)
-{
- const char *const *gpo_update_command =
- lpcfg_gpo_update_command(service->task->lp_ctx);
- const char *smbconf = lpcfg_configfile(service->task->lp_ctx);
- TALLOC_FREE(service->sysvscan.subreq);
- DEBUG(3, ("Calling GPO update script\n"));
- service->sysvscan.subreq = samba_runcmd_send(service,
- service->task->event_ctx,
- timeval_current_ofs(20, 0),
- 2, 0,
- gpo_update_command,
- smbconf, NULL);
- if (service->sysvscan.subreq == NULL) {
- DEBUG(0,
- (__location__
- ": samba_runcmd_send() failed with no memory\n"));
- return;
- }
- tevent_req_set_callback(service->sysvscan.subreq,
- gpoupdate_sysvscan_done, service);
-}
-
-static void gpoupdate_task_init(struct task_server *task)
-{
- NTSTATUS status;
- struct gpoupdate_service *service;
-
- if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
- /* not useful for non-DC */
- return;
- }
-
- task_server_set_title(task, "task[gpoupdate]");
-
- service = talloc_zero(task, struct gpoupdate_service);
- if (!service) {
- task_server_terminate(task,
- "gpoupdate_task_init: out of memory",
- true);
- return;
- }
- service->task = task;
- task->private_data = service;
-
- service->system_session_info = system_session(service->task->lp_ctx);
- if (!service->system_session_info) {
- task_server_terminate(task,
- "gpoupdate: Failed to obtain server "
- "credentials\n",
- true);
- return;
- }
-
- service->sysvscan.interval = lpcfg_parm_int(task->lp_ctx, NULL,
- "gpoupdate",
- "config interval",
- 900); /* in seconds */
- status = gpoupdate_sysvscan_schedule(service);
- if (!NT_STATUS_IS_OK(status)) {
- task_server_terminate(task,
- talloc_asprintf(task,
- "gpoupdate: Failed to update "
- "sysvol scan schedule: %s\n",
- nt_errstr(status)),
- true);
- return;
- }
-}
-
-NTSTATUS server_service_gpoupdate_init(TALLOC_CTX *ctx);
-
-/*
- register ourselves as a available server
-*/
-NTSTATUS server_service_gpoupdate_init(TALLOC_CTX *ctx)
-{
- struct service_details details = {
- .inhibit_fork_on_accept = true,
- .inhibit_pre_fork = true
- };
- return register_server_service(ctx, "gpoupdate",
- gpoupdate_task_init,
- &details);
-}
diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build
index 328497c..29c6f0e 100644
--- a/source4/dsdb/wscript_build
+++ b/source4/dsdb/wscript_build
@@ -62,15 +62,6 @@ bld.SAMBA_MODULE('service_dns_update',
enabled=bld.AD_DC_BUILD_IS_ENABLED()
)
--
Samba Shared Repository
Stefan Metzmacher
2018-01-14 13:48:02 UTC
The branch, master has been updated
via 0abe16a torture: Add test for channel sequence number handling
via cd288a0 smbXcli: Add "force_channel_sequence"
via 0b57434 smbd: Fix channel sequence number checks for long-running requests
via 03f65a7 smbd: Remove a "!" from an if-condition for easier readability
via 71cee27 torture4: Fix typos
via e8636e7 smbd: Fix a typo
via 9b423fe winbindd: set routing_domain when enumerating trusts
from 0eec2b6 docs: Remove reference to environment variables for now

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0abe16a5343de9a69bb5cccbad9809b28b642f45
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 11 11:55:39 2018 +0100

torture: Add test for channel sequence number handling

We run into an assert when the csn wraps

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sun Jan 14 14:47:15 CET 2018 on sn-devel-144

commit cd288a08500b1cc38ef26e5cb8ef754b4da658b6
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 11 11:25:49 2018 +0100

smbXcli: Add "force_channel_sequence"

This enables use of the channel sequence number even for
non-multi-channel servers. This makes our client invalid, but we need to
protect against broken clients with tests.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 0b57434151a8334a6e9b9b7542824ce4915421a2
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 11 15:34:45 2018 +0100

smbd: Fix channel sequence number checks for long-running requests

When the client's supplied csn overflows and hits a pending, long-running
request's csn, we panic. Fix this by counting the overflows in
smbXsrv_open_global0->channel_generation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Volker Lendecke <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 03f65a7cdc91091a171269cfebc9916f2f678388
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 10 14:59:08 2018 +0100

smbd: Remove a "!" from an if-condition for easier readability

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 71cee27962cba53da3249bd3f5ece32a1d10071d
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 10 15:51:56 2018 +0100

torture4: Fix typos

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit e8636e7ab75f89e89ef054b5d4aa6c07fddcbe2a
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 10 14:29:01 2018 +0100

smbd: Fix a typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 9b423fe804dc6a451629d30b73d72635d3598dd4
Author: Ralph Boehme <***@samba.org>
Date: Sun Jan 14 09:58:13 2018 +0100

winbindd: set routing_domain when enumerating trusts

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
libcli/smb/smbXcli_base.c | 15 ++++-
libcli/smb/smbXcli_base.h | 4 ++
source3/librpc/idl/smbXsrv.idl | 3 +-
source3/smbd/globals.h | 1 +
source3/smbd/smb2_server.c | 27 ++++++---
source3/winbindd/winbindd_util.c | 26 +++++++++
source4/torture/smb2/replay.c | 117 +++++++++++++++++++++++++++++++++++----
7 files changed, 174 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 6335ce0..e9fdc1d 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -138,6 +138,8 @@ struct smbXcli_conn {

uint8_t io_priority;

+ bool force_channel_sequence;
+
uint8_t preauth_sha512[64];
} smb2;

@@ -549,6 +551,17 @@ const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
return &conn->smb1.server.guid;
}

+bool smbXcli_conn_get_force_channel_sequence(struct smbXcli_conn *conn)
+{
+ return conn->smb2.force_channel_sequence;
+}
+
+void smbXcli_conn_set_force_channel_sequence(struct smbXcli_conn *conn,
+ bool v)
+{
+ conn->smb2.force_channel_sequence = v;
+}
+
struct smbXcli_conn_samba_suicide_state {
struct smbXcli_conn *conn;
struct iovec iov;
@@ -2899,7 +2912,7 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
uint32_t flags = 0;
uint32_t tid = 0;
uint64_t uid = 0;
- bool use_channel_sequence = false;
+ bool use_channel_sequence = conn->smb2.force_channel_sequence;
uint16_t channel_sequence = 0;
bool use_replay_flag = false;

diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index d0ee04f..20ef26e 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -59,6 +59,10 @@ uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn);
NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn);
const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn);
const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn);
+bool smbXcli_conn_get_force_channel_sequence(struct smbXcli_conn *conn);
+void smbXcli_conn_set_force_channel_sequence(struct smbXcli_conn *conn,
+ bool v);
+

struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
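Review bot: The new smbXcli_conn_set_force_channel_sequence() declaration carries no comment saying it exists for tests, although the commit message states that enabling it makes the client invalid. A one-line comment here would help keep it out of production callers. The hunk also adds a second blank line before smbXcli_conn_samba_suicide_send(), which can be dropped.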
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 1bfa51e..d3f8d30 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -430,7 +430,8 @@ interface smbXsrv
uint32 durable_timeout_msec;
boolean8 durable;
DATA_BLOB backend_cookie;
- hyper channel_sequence;
+ uint16 channel_sequence;
+ hyper channel_generation;
} smbXsrv_open_global0;

typedef union {
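Review bot: Narrowing channel_sequence from hyper to uint16 and adding channel_generation changes the marshalled layout of smbXsrv_open_global0, and nothing in this hunk bumps a version or explains compatibility with records written in the previous layout. If these records can outlive a smbd upgrade or be read by a process running the old code, please version the struct or say in the commit message why that is not needed. A short comment on channel_generation saying that it counts 16-bit wraps of channel_sequence would also help.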
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 78f1260..69db07a 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -744,6 +744,7 @@ struct smbd_smb2_request {
* adapted again in reply.
*/
bool request_counters_updated;
+ uint64_t channel_generation;

/*
* The sub request for async backend calls.
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 5290c05..a731880 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2158,6 +2158,7 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts(
struct smbXsrv_connection *xconn = req->xconn;
const uint8_t *inhdr;
uint16_t channel_sequence;
+ uint8_t generation_wrap = 0;
uint32_t flags;
int cmp;
struct smbXsrv_open *op;
@@ -2184,6 +2185,14 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts(
channel_sequence = SVAL(inhdr, SMB2_HDR_CHANNEL_SEQUENCE);

cmp = channel_sequence - op->global->channel_sequence;
+ if (cmp < 0) {
+ /*
+ * csn wrap. We need to watch out for long-running
+ * requests that are still sitting on a previously
+ * used csn. SMB2_OP_NOTIFY can take VERY long.
+ */
+ generation_wrap += 1;
+ }

if (abs(cmp) > INT16_MAX) {
/*
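Review bot: The new `if (cmp < 0)` block labels every negative difference as a csn wrap, but a small negative cmp is just a request carrying an older sequence number; only the `abs(cmp) > INT16_MAX` case that follows is treated as a 16-bit overflow. The result is still correct because generation_wrap is only added in the `cmp > 0` branches after `cmp *= -1`, but that coupling is easy to break. Suggest setting the flag inside the overflow branch, or rewording the comment to say the value is only used if the difference turns out to be a wrap. `generation_wrap += 1` on a variable that is only ever 0 or 1 would also read better as a bool set to true.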
@@ -2220,7 +2229,7 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts(
* a 16 bit overflow of the client-submitted sequence
* number:
*
- * If the stored channel squence number is more than
+ * If the stored channel sequence number is more than
* 0x7FFF larger than the one from the request, then
* the client-provided sequence number has likely
* overflown. We treat this case as valid instead
@@ -2231,33 +2240,36 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts(
cmp *= -1;
}

- if (!(flags & SMB2_HDR_FLAG_REPLAY_OPERATION)) {
- if (cmp == 0) {
+ if (flags & SMB2_HDR_FLAG_REPLAY_OPERATION) {
+ if (cmp == 0 && op->pre_request_count == 0) {
op->request_count += 1;
req->request_counters_updated = true;
- } else if (cmp > 0) {
+ } else if (cmp > 0 && op->pre_request_count == 0) {
op->pre_request_count += op->request_count;
op->request_count = 1;
op->global->channel_sequence = channel_sequence;
+ op->global->channel_generation += generation_wrap;
update_open = true;
req->request_counters_updated = true;
} else if (modify_call) {
return NT_STATUS_FILE_NOT_AVAILABLE;
}
} else {
- if (cmp == 0 && op->pre_request_count == 0) {
+ if (cmp == 0) {
op->request_count += 1;
req->request_counters_updated = true;
- } else if (cmp > 0 && op->pre_request_count == 0) {
+ } else if (cmp > 0) {
op->pre_request_count += op->request_count;
op->request_count = 1;
op->global->channel_sequence = channel_sequence;
+ op->global->channel_generation += generation_wrap;
update_open = true;
req->request_counters_updated = true;
} else if (modify_call) {
return NT_STATUS_FILE_NOT_AVAILABLE;
}
}
+ req->channel_generation = op->global->channel_generation;

if (update_open) {
status = smbXsrv_open_update(op);
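Review bot: Inverting the test to `if (flags & SMB2_HDR_FLAG_REPLAY_OPERATION)` and swapping the two arms leaves the conditions for the replay and non-replay cases unchanged, so the only functional additions in this hunk are the two `op->global->channel_generation += generation_wrap;` lines and the `req->channel_generation` assignment, and the reshuffle makes them hard to spot. Keeping the original arm order, or doing the swap in its own commit, would shrink the diff to those three lines. Since the arms differ only by the `op->pre_request_count == 0` guard, folding them into one block with that guard computed up front would also avoid adding the generation update twice.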
@@ -2744,7 +2756,8 @@ static void smbd_smb2_request_reply_update_counts(struct smbd_smb2_request *req)
inhdr = SMBD_SMB2_IN_HDR_PTR(req);
channel_sequence = SVAL(inhdr, SMB2_HDR_CHANNEL_SEQUENCE);

- if (op->global->channel_sequence == channel_sequence) {
+ if ((op->global->channel_sequence == channel_sequence) &&
+ (op->global->channel_generation == req->channel_generation)) {
SMB_ASSERT(op->request_count > 0);
op->request_count -= 1;
} else {
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 2a97522..4d66571 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -414,6 +414,7 @@ static void trustdom_list_done(struct tevent_req *req)
ptrdiff_t extra_len;
bool within_forest = false;
NTSTATUS status;
+ bool ok;

/*
* Only when we enumerate our primary domain
@@ -546,6 +547,12 @@ static void trustdom_list_done(struct tevent_req *req)
return;
}

+ ok = set_routing_domain(domain, find_default_route_domain());
+ if (!ok) {
+ DBG_ERR("set_routing_domain failed\n");
+ return;
+ }
+
p = q + strlen(q) + 1;
}

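Review bot: The added `DBG_ERR("set_routing_domain failed\n")` in trustdom_list_done() does not say which domain failed, and the `return` that follows abandons every remaining entry of the list being walked by `p = q + strlen(q) + 1;`. Including the domain name in the message would make the log line actionable, and a short comment should state whether dropping the rest of the list on this error is intended.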
@@ -588,6 +595,7 @@ static void rescan_forest_root_trusts( void )
size_t num_trusts = 0;
int i;
NTSTATUS status;
+ bool ok;

/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
@@ -629,6 +637,11 @@ static void rescan_forest_root_trusts( void )
nt_errstr(status));
return;
}
+ ok = set_routing_domain(d, find_default_route_domain());
+ if (!ok) {
+ DBG_ERR("set_routing_domain failed\n");
+ return;
+ }
}
if (d == NULL) {
continue;
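Review bot: In rescan_forest_root_trusts() `d` is handed to `set_routing_domain(d, find_default_route_domain())` ahead of the `if (d == NULL)` check that closes this hunk. If the preceding step can succeed and still leave `d` NULL, which the existing check suggests, the new call needs the same guard or should move below it.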
@@ -664,6 +677,7 @@ static void rescan_forest_trusts( void )
size_t num_trusts = 0;
int i;
NTSTATUS status;
+ bool ok;

/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
@@ -711,6 +725,12 @@ static void rescan_forest_trusts( void )
nt_errstr(status));
return;
}
+ ok = set_routing_domain(
+ d, find_default_route_domain());
+ if (!ok) {
+ DBG_ERR("set_routing_domain failed\n");
+ return;
+ }
}

if (d == NULL) {
@@ -817,6 +837,7 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
struct winbindd_domain *d = NULL;
uint32_t trust_flags = 0;
NTSTATUS status;
+ bool ok;

DEBUG(5, ("wb_imsg_new_trusted_domain\n"));

@@ -867,6 +888,11 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
TALLOC_FREE(frame);
return;
}
+ ok = set_routing_domain(d, find_default_route_domain());
+ if (!ok) {
+ TALLOC_FREE(frame);
+ return;
+ }
TALLOC_FREE(frame);
}

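Review bot: This is the only one of the four new `set_routing_domain()` call sites that fails silently: the `if (!ok)` branch in wb_imsg_new_trusted_domain() frees the frame and returns without the `DBG_ERR("set_routing_domain failed\n")` used in the other three. Add the same log call here so a failure on the messaging path is visible too.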
diff --git a/source4/torture/smb2/replay.c b/source4/torture/smb2/replay.c
index f15fc84..2ef4044 100644
--- a/source4/torture/smb2/replay.c
+++ b/source4/torture/smb2/replay.c
@@ -473,7 +473,7 @@ done:
}

/**
- * Test Durablity V2 Create Replay Detection on Single Channel.
+ * Test Durability V2 Create Replay Detection on Single Channel.
*/
static bool test_replay_dhv2_oplock1(struct torture_context *tctx,
struct smb2_tree *tree)
@@ -560,7 +560,7 @@ done:
}

/**
- * Test Durablity V2 Create Replay Detection on Single Channel.
+ * Test Durability V2 Create Replay Detection on Single Channel.
* Hand in a different oplock level in the replay.
* Server responds with the handed in oplock level and
* corresponding durable status, but does not change the
@@ -697,7 +697,7 @@ done:
}

/**
- * Test Durablity V2 Create Replay Detection on Single Channel.
+ * Test Durability V2 Create Replay Detection on Single Channel.
* Replay with a different share mode. The share mode of
* the opened file is not changed by this.
*/
@@ -823,7 +823,7 @@ done:
}

/**
- * Test Durablity V2 Create Replay Detection on Single Channel.
+ * Test Durability V2 Create Replay Detection on Single Channel.
* Create with an oplock, and replay with a lease.
*/
static bool test_replay_dhv2_oplock_lease(struct torture_context *tctx,
@@ -927,7 +927,7 @@ done:


/**
- * Test durablity v2 create replay detection on single channel.
+ * Test durability v2 create replay detection on single channel.
* Variant with leases instead of oplocks:
* - open a file with a rh lease
* - upgrade to a rwh lease with a second create
@@ -1065,7 +1065,7 @@ done:
}

/**
- * Test durablity v2 create replay detection on single channel.
+ * Test durability v2 create replay detection on single channel.
* Variant with leases instead of oplocks, where the
* replay does not specify the original lease level but
* just a "R" lease. This still gives the upgraded lease
@@ -1216,7 +1216,7 @@ done:
}

/**
- * Test durablity v2 create replay detection on single channel.
+ * Test durability v2 create replay detection on single channel.
* create with a lease, and replay with a different lease key
*/
static bool test_replay_dhv2_lease3(struct torture_context *tctx,
@@ -1349,7 +1349,7 @@ done:
}

/**
- * Test durablity v2 create replay detection on single channel.
+ * Test durability v2 create replay detection on single channel.
* Do the original create with a lease, and do the replay
* with an oplock.
*/
@@ -1758,7 +1758,7 @@ done:
}

/**
- * Test Durablity V2 Create Replay Detection on Multi Channel
+ * Test Durability V2 Create Replay Detection on Multi Channel
*/
static bool test_replay3(struct torture_context *tctx, struct smb2_tree *tree1)
{
@@ -2162,7 +2162,7 @@ done:
}

/**
- * Test Durablity V2 Persistent Create Replay on a Single Channel
+ * Test Durability V2 Persistent Create Replay on a Single Channel
*/
static bool test_replay5(struct torture_context *tctx, struct smb2_tree *tree)
{
@@ -2425,6 +2425,102 @@ done:
return ret;
}

+static bool test_replay7(struct torture_context *tctx, struct smb2_tree *tree)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(tctx);
+ struct smb2_transport *transport = tree->session->transport;
+ NTSTATUS status;
+ struct smb2_handle _dh;
+ struct smb2_handle *dh = NULL;
+ struct smb2_notify notify;
+ struct smb2_request *req;
+ union smb_fileinfo qfinfo;
+ bool ret = false;
+
+ if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+ torture_skip(tctx, "SMB 3.X Dialect family required for "
+ "replay tests\n");
+ }
+
+ torture_comment(tctx, "Notify across increment/decrement of csn\n");
+
+ smbXcli_conn_set_force_channel_sequence(transport->conn, true);
+
+ status = torture_smb2_testdir(tree, BASEDIR, &_dh);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ dh = &_dh;
+
+ notify.in.recursive = 0x0000;
+ notify.in.buffer_size = 0xffff;
+ notify.in.file.handle = _dh;
+ notify.in.completion_filter = FILE_NOTIFY_CHANGE_FILE_NAME;
+ notify.in.unknown = 0x00000000;
+
+ /*
+ * This posts a long-running request with csn==0 to "dh". Now
+ * op->request_count==1 in smb2_server.c.
+ */
+ smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 0);
+ req = smb2_notify_send(tree, &notify);
+
+ qfinfo = (union smb_fileinfo) {
+ .generic.level = RAW_FILEINFO_POSITION_INFORMATION,
+ .generic.in.file.handle = _dh
+ };
+
+ /*
+ * This sequence of 2 dummy requests moves
+ * op->request_count==1 to op->pre_request_count. The numbers
+ * used avoid int16 overflow.
+ */
+
+ smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 30000);
+ status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 60000);
+ status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /*
+ * This final request turns the op->global->channel_sequence
+ * to the same as we had when sending the notify above. The
+ * notify's request count has in the meantime moved to
+ * op->pre_request_count.
+ */
+
+ smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 0);
+ status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /*
+ * At this point op->request_count==0.
+ *
+ * The next cancel makes us reply to the notify. Because the
+ * csn we currently use is the same as we used when sending
+ * the notify, smbd thinks it must decrement op->request_count
+ * and not op->pre_request_count.
+ */
+
+ status = smb2_cancel(req);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb2_notify_recv(req, mem_ctx, &notify);
+ CHECK_STATUS(status, NT_STATUS_CANCELLED);
+
+ ret = true;
+
+done:
+ if (dh != NULL) {
+ smb2_util_close(tree, _dh);
+ }
+ smb2_deltree(tree, BASEDIR);
+ talloc_free(tree);
+ talloc_free(mem_ctx);
+
+ return ret;
+}
+
struct torture_suite *torture_smb2_replay_init(TALLOC_CTX *ctx)
{
struct torture_suite *suite =
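Review bot: In test_replay7() the result of `smb2_notify_send(tree, &notify)` is never checked, yet `req` is later passed to `smb2_cancel(req)` and `smb2_notify_recv()`; add a NULL check that jumps to `done`. Any `CHECK_STATUS` failure between the send and the cancel also reaches `done` with the notify still outstanding, and `smbXcli_conn_set_force_channel_sequence(transport->conn, true)` is never switched back. Unlike the neighbouring tests in this file, the function has no header comment; the one-line summary from the `torture_comment()` call would do.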
@@ -2445,6 +2541,7 @@ struct torture_suite *torture_smb2_replay_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "replay4", test_replay4);
torture_suite_add_1smb2_test(suite, "replay5", test_replay5);
torture_suite_add_1smb2_test(suite, "replay6", test_replay6);
+ torture_suite_add_1smb2_test(suite, "replay7", test_replay7);

suite->description = talloc_strdup(suite, "SMB2 REPLAY tests");
--
Samba Shared Repository
Andreas Schneider
2018-01-14 21:10:02 UTC
The branch, master has been updated
via 0580a23 s4:torture: Improve error message in whoami test
via 8d90f2a s3:test: Always validate the join after changing the secret
via e131ce4 waf: Remove build system info (uname -a)
via c69938e systemd: Fix kill path
via a653b62 systemd: Add documentation to Unit files
via df68af9 systemd: syslog.target is obsolete
from 0abe16a torture: Add test for channel sequence number handling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0580a23d64be346e4526056c695249de4241cfa6
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 12 13:45:33 2018 +0100

s4:torture: Improve error message in whoami test

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Sun Jan 14 22:09:24 CET 2018 on sn-devel-144

commit 8d90f2a03e58f34f36d345d31c5ca6090d37ff54
Author: Andreas Schneider <***@samba.org>
Date: Thu Jan 11 11:00:43 2018 +0100

s3:test: Always validate the join after changing the secret

Signed-off-by: Andreas Schneider <***@samba.org>
Signed-off-by: Ralph Boehme <***@samba.org>
Pair-Programmed-With: Ralph Boehme <***@samba.org>

commit e131ce4ddc074dc146c81edb99a203d1dd2883b8
Author: Mathieu Parent <***@gmail.com>
Date: Thu Jan 11 21:18:46 2018 +0100

waf: Remove build system info (uname -a)

Preventing reproducible builds while adding minor benefit.

More information at <https://reproducible-builds.org/>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Mathieu Parent <***@gmail.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlet <***@samba.org>

commit c69938ef5cb9ee49565fae834a25541f6a5da0a8
Author: Mathieu Parent <***@gmail.com>
Date: Thu May 12 22:16:24 2016 +0200

systemd: Fix kill path

Bug-Debian: https://bugs.debian.org/828730

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <***@gmail.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit a653b62ad71b65c280ee4ba6bfbb560ac3b1f90e
Author: Mathieu Parent <***@gmail.com>
Date: Thu May 12 22:16:24 2016 +0200

systemd: Add documentation to Unit files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <***@gmail.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit df68af9fa5900b5f7b22a972666fd213fef17106
Author: Mathieu Parent <***@gmail.com>
Date: Thu Jan 11 10:07:17 2018 +0100

systemd: syslog.target is obsolete

After=syslog.target is unnecessary by now because syslog is
socket-activated and will therefore be started when needed.

Ref: https://lintian.debian.org/tags/systemd-service-file-refers-to-obsolete-target.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <***@gmail.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
buildtools/wafsamba/wscript | 4 ----
ctdb/config/ctdb.service | 1 +
packaging/systemd/nmb.service.in | 5 +++--
packaging/systemd/samba.service.in | 5 +++--
packaging/systemd/smb.service.in | 5 +++--
packaging/systemd/winbind.service.in | 5 +++--
source3/script/tests/test_net_cred_change.sh | 7 ++++---
source4/smbd/server.c | 3 ---
source4/torture/unix/whoami.c | 9 +++++++--
9 files changed, 24 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 430d164..3b36b57 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -313,10 +313,6 @@ def configure(conf):

conf.env.GIT_LOCAL_CHANGES = Options.options.GIT_LOCAL_CHANGES

- conf.CHECK_COMMAND(['uname', '-a'],
- msg='Checking build system',
- define='BUILD_SYSTEM',
- on_target=False)
conf.CHECK_UNAME()

# see if we can compile and run a simple C program
diff --git a/ctdb/config/ctdb.service b/ctdb/config/ctdb.service
index 63cdfa9..189f2f4 100644
--- a/ctdb/config/ctdb.service
+++ b/ctdb/config/ctdb.service
@@ -1,5 +1,6 @@
[Unit]
Description=CTDB
+Documentation=man:ctdbd(1) man:ctdb(7)
After=network-online.target time-sync.target

[Service]
diff --git a/packaging/systemd/nmb.service.in b/packaging/systemd/nmb.service.in
index b0ba92f..a308123 100644
--- a/packaging/systemd/nmb.service.in
+++ b/packaging/systemd/nmb.service.in
@@ -1,7 +1,8 @@
[Unit]
Description=Samba NMB Daemon
+Documentation=man:nmbd(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
-After=syslog.target network.target network-online.target
+After=network.target network-online.target

[Service]
Type=notify
@@ -9,7 +10,7 @@ NotifyAccess=all
PIDFile=@PIDDIR@/nmbd.pid
EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
ExecStart=@SBINDIR@/nmbd --foreground --no-process-group $NMBDOPTIONS
-ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
@systemd_nmb_extra@

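Review bot: `ExecReload=/bin/kill -HUP $MAINPID` replaces one hard-coded location with another, so the unit still depends on where the distribution installs kill. This template already uses configure-time substitutions (`@SBINDIR@`, `@PIDDIR@`); locating kill at configure time and substituting it the same way would work on both layouts. The same applies to the identical change in the other three .service.in files.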
diff --git a/packaging/systemd/samba.service.in b/packaging/systemd/samba.service.in
index c418150..f8ea527 100644
--- a/packaging/systemd/samba.service.in
+++ b/packaging/systemd/samba.service.in
@@ -1,7 +1,8 @@
[Unit]
Description=Samba AD Daemon
+Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
-After=syslog.target network.target network-online.target
+After=network.target network-online.target

[Service]
Type=notify
@@ -10,7 +11,7 @@ PIDFile=@PIDDIR@/samba.pid
LimitNOFILE=16384
EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
ExecStart=@SBINDIR@/samba --foreground --no-process-group $SAMBAOPTIONS
-ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecReload=/bin/kill -HUP $MAINPID
@systemd_samba_extra@

[Install]
diff --git a/packaging/systemd/smb.service.in b/packaging/systemd/smb.service.in
index f829bcb..dcaf7ef 100644
--- a/packaging/systemd/smb.service.in
+++ b/packaging/systemd/smb.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=Samba SMB Daemon
-After=syslog.target network.target nmb.service winbind.service
+Documentation=man:smbd(8) man:samba(7) man:smb.conf(5)
+After=network.target nmb.service winbind.service

[Service]
Type=notify
@@ -9,7 +10,7 @@ PIDFile=@PIDDIR@/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
ExecStart=@SBINDIR@/smbd --foreground --no-process-group $SMBDOPTIONS
-ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
@systemd_smb_extra@

diff --git a/packaging/systemd/winbind.service.in b/packaging/systemd/winbind.service.in
index 5ac5adc..c28d94c 100644
--- a/packaging/systemd/winbind.service.in
+++ b/packaging/systemd/winbind.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=Samba Winbind Daemon
-After=syslog.target network.target nmb.service
+Documentation=man:winbindd(8) man:samba(7) man:smb.conf(5)
+After=network.target nmb.service

[Service]
Type=notify
@@ -8,7 +9,7 @@ NotifyAccess=all
PIDFile=@PIDDIR@/winbindd.pid
EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
ExecStart=@SBINDIR@/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
-ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
@systemd_winbind_extra@

diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
index de56be5..794b054 100755
--- a/source3/script/tests/test_net_cred_change.sh
+++ b/source3/script/tests/test_net_cred_change.sh
@@ -9,8 +9,9 @@ fi

incdir=`dirname $0`/../../../testprogs/blackbox
. $incdir/subunit.sh
-testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed=`expr $failed + 1`
-testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed=`expr $failed + 1`
-testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed=`expr $failed + 1`
+testit "1: change machine secret" $VALGRIND $BINDIR/wbinfo --change-secret || failed=`expr $failed + 1`
+testit "1: validate secret" $VALGRIND $BINDIR/net rpc testjoin $@ || failed=`expr $failed + 1`
+testit "2: change machine secret" $VALGRIND $BINDIR/wbinfo --change-secret || failed=`expr $failed + 1`
+testit "2: validate secret" $VALGRIND $BINDIR/net rpc testjoin $@ || failed=`expr $failed + 1`

testok $0 $failed
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index adee388..431fbad 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -323,9 +323,6 @@ static void show_build(void)

printf("Samba version: %s\n", SAMBA_VERSION_STRING);
printf("Build environment:\n");
-#ifdef BUILD_SYSTEM
- printf(" Build host: %s\n", BUILD_SYSTEM);
-#endif

printf("Paths:\n");
for (i=0; config_options[i].name; i++) {
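Review bot: With the `BUILD_SYSTEM` block gone, show_build() prints the "Build environment:" heading with nothing under it before moving on to "Paths:". Drop `printf("Build environment:\n");` in the same change, or keep it only if another entry is going to be listed there.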
diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index bb70e47..efd9efa 100644
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -91,8 +91,13 @@ static struct smbcli_state *connect_to_server(struct torture_context *tctx,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));

if (!NT_STATUS_IS_OK(status)) {
- printf("failed to connect to //%s/%s: %s\n",
- host, share, nt_errstr(status));
+ torture_comment(tctx,
+ "FATAL: Failed to connect to //%s/%s "
+ "with %s - %s\n",
+ host,
+ share,
+ cli_credentials_get_username(creds),
+ nt_errstr(status));
return NULL;
}
--
Samba Shared Repository
Karolin Seeger
2018-01-15 01:52:02 UTC
The branch, master has been updated
via 0d62579 VERSION: Bump version up to 4.9.0pre1...
via e5f4aff VERSION: Bump version up to 4.8.0rc1...
via 59a07e3 WHATSNEW: Add release notes for Samba 4.8.0rc1.
from 0580a23 s4:torture: Improve error message in whoami test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0d62579a41fc4a04c299ec8a3537bf5db149149b
Author: Karolin Seeger <***@samba.org>
Date: Thu Jan 11 11:11:56 2018 +0100

VERSION: Bump version up to 4.9.0pre1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Mon Jan 15 02:51:51 CET 2018 on sn-devel-144

commit e5f4aff68507cdfcacc551235e4a6f2edbb9da45
Author: Karolin Seeger <***@samba.org>
Date: Thu Jan 11 11:01:57 2018 +0100

VERSION: Bump version up to 4.8.0rc1...

and disable GIT_SNAPSHOT for the release.

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 59a07e3fc78c859b96aa148e37ecda481c2393cd
Author: Karolin Seeger <***@samba.org>
Date: Thu Jan 11 10:02:33 2018 +0100

WHATSNEW: Add release notes for Samba 4.8.0rc1.

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 83 ++++++++++++++++++++++++++++++++----------------------------
2 files changed, 45 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b60d783..df13d4c 100644
--- a/VERSION
+++ b/VERSION
@@ -24,7 +24,7 @@
# -> "3.0.0" #
########################################################
SAMBA_VERSION_MAJOR=4
-SAMBA_VERSION_MINOR=8
+SAMBA_VERSION_MINOR=9
SAMBA_VERSION_RELEASE=0

########################################################
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f1e43f4..f2da373 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================

-This is the first preview release of Samba 4.8. This is *not*
+This is the first release candidate of Samba 4.8. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -19,7 +19,7 @@ NEW FEATURES/CHANGES
KDC GPO application
-------------------

-Adds Group Policy support for the samba kdc. Applies password policies
+Adds Group Policy support for the Samba kdc. Applies password policies
(minimum/maximum password age, minimum password length, and password
complexity) and kerberos policies (user/service ticket lifetime and
renew lifetime).
@@ -30,7 +30,8 @@ policy. Can be applied automatically by setting
'server services = +gpoupdate'.

Time Machine Support with vfs_fruit
-===================================
+-----------------------------------
+
Samba can be configured as a Time Machine target for Apple Mac devices
through the vfs_fruit module. When enabling a share for Time Machine
support the relevant Avahi records to support discovery will be published
@@ -41,7 +42,8 @@ Shares can be designated as a Time Machine share with the following setting:
'fruit:time machine = yes'

Support for lower casing the MDNS Name
-======================================
+--------------------------------------
+
Allows the server name that is advertised through MDNS to be set to the
hostname rather than the Samba NETBIOS name. This allows an administrator
to make Samba registered MDNS records match the case of the hostname
@@ -52,7 +54,8 @@ This can be set with the following settings:
'mdns name = mdns'

Encrypted secrets
-=================
+-----------------
+
Attributes deemed to be sensitive are now encrypted on disk. The sensitive
values are currently:
pekList
@@ -72,46 +75,21 @@ values are currently:

This encryption is enabled by default on a new provision or join, it
can be disabled at provision or join time with the new option
---plaintext-secrets.
+'--plaintext-secrets'.

However, an in-place upgrade will not encrypt the database.

Once encrypted, it is not possible to do an in-place downgrade (eg to
4.7) of the database. To obtain an unencrypted copy of the database a
-new DC join should be performed, specifying the --plaintext-secrets
+new DC join should be performed, specifying the '--plaintext-secrets'
option.

The key file "encrypted_secrets.key" is created in the same directory
as the database and should NEVER be disclosed. It is included by the
samba_backup script.

-smb.conf changes
-================
-
- Parameter Name Description Default
- -------------- ----------- -------
- auth methods Removed
- binddns dir New
- client schannel Default changed/ yes
- Deprecated
- gpo update command New
- ldap ssl ads Deprecated
- map untrusted to domain Removed
- oplock contention limit Removed
- prefork children New 1
- mdns name Added netbios
- fruit:time machine Added false
- profile acls Removed
- use spnego Removed
- server schannel Default changed/ yes
- Deprecated
- unicode Deprecated
- winbind scan trusted domains New yes
- winbind trusted domains only Removed
-
-
NT4-style replication based net commands removed
-================================================
+------------------------------------------------

The following commands and sub-commands have been removed from the
"net" utility:
@@ -134,7 +112,7 @@ commands have been removed from rpcclient.
supported.

vfs_aio_linux module removed
-============================
+----------------------------

The current Linux kernel aio does not match what Samba would
do. Shipping code that uses it leads people to false
@@ -143,7 +121,7 @@ there is no special module required to see benefits of read and write
request being sent do the disk in parallel.

smbclient reparse point symlink parameters reversed
-===================================================
+---------------------------------------------------

A bug in smbclient caused the 'symlink' command to reverse the
meaning of the new name and link target parameters when creating a
@@ -169,23 +147,50 @@ domains. Some pam_winbind setups may also require the global list.
If you have a setup that doesn't require the global list, you should set
"winbind scan trusted domains = no".

+
REMOVED FEATURES
================

-The two commands "net serverid list" and "net serverid wipe" have been
+The two commands 'net serverid list' and 'net serverid wipe' have been
removed, because the file serverid.tdb is not used anymore.

-"net serverid list" can be replaced by listing all files in the
+'net serverid list' can be replaced by listing all files in the
subdirectory "msg.lock" of Samba's "lock directory". The unique id
-listed by "net serverid list" is stored in every process' lockfile in
+listed by 'net serverid list' is stored in every process' lockfile in
"msg.lock".

-"net serverid wipe" is not necessary anymore. It was meant primarily
+'net serverid wipe' is not necessary anymore. It was meant primarily
for clustered environments, where the serverid.tdb file was not
properly cleaned up after single node crashes. Nowadays smbd and
winbind take care of cleaning up the msg.lock and msg.sock directories
automatically.

+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ auth methods Removed
+ binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
+ gpo update command New
+ ldap ssl ads Deprecated
+ map untrusted to domain Removed
+ oplock contention limit Removed
+ prefork children New 1
+ mdns name Added netbios
+ fruit:time machine Added false
+ profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
+ winbind trusted domains only Removed
+
+
KNOWN ISSUES
============
--
Samba Shared Repository
Andreas Schneider
2018-01-15 21:17:02 UTC
The branch, master has been updated
via 05ebafd s3:rpc_client: Cleanup copy_netr_SamInfo3() code
via bfc727f s3:winbind: Use a stackframe and cleanup when leaving
via 00d176c s3:winbind: Use a goto for cleaning up at the end
via 264249d s3:winbindd: Improve logic so it is easier to understand
from 0d62579 VERSION: Bump version up to 4.9.0pre1...

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 05ebafd91ee2dd511372ce63d656e9fc6735ee28
Author: Andreas Schneider <***@samba.org>
Date: Thu Jan 11 09:06:31 2018 +0100

s3:rpc_client: Cleanup copy_netr_SamInfo3() code

This gets rid of some strange macro and makes sure we cleanup at the
end.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Mon Jan 15 22:16:13 CET 2018 on sn-devel-144

commit bfc727f0b2d837a97fc9eb94a8811f23a656c4e4
Author: Andreas Schneider <***@samba.org>
Date: Thu Jan 11 09:37:22 2018 +0100

s3:winbind: Use a stackframe and cleanup when leaving

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 00d176c6c592af59cc14271de4af1614578090a3
Author: Andreas Schneider <***@samba.org>
Date: Thu Jan 11 09:27:50 2018 +0100

s3:winbind: Use a goto for cleaning up at the end

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 264249db0f5515d8333d16218f1553ae9f0e7193
Author: Andreas Schneider <***@samba.org>
Date: Thu Jan 11 09:23:05 2018 +0100

s3:winbindd: Improve logic so it is easier to understand

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/auth/auth_util.c | 14 +++---
source3/auth/server_info.c | 45 ++++++++++++-------
source3/rpc_client/util_netlogon.c | 80 +++++++++++++++++++--------------
source3/rpc_client/util_netlogon.h | 5 ++-
source3/winbindd/winbindd_pam.c | 90 +++++++++++++++++++-------------------
5 files changed, 133 insertions(+), 101 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 5bb5a69..f543b33 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1008,6 +1008,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
struct auth_serversupplied_info *server_info)
{
struct auth_serversupplied_info *dst;
+ NTSTATUS status;

dst = make_server_info(mem_ctx);
if (dst == NULL) {
@@ -1055,8 +1056,10 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
dst->lm_session_key = data_blob_talloc(dst, src->session_key.data,
src->session_key.length);

- dst->info3 = copy_netr_SamInfo3(dst, server_info->info3);
- if (!dst->info3) {
+ status = copy_netr_SamInfo3(dst,
+ server_info->info3,
+ &dst->info3);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(dst);
return NULL;
}
@@ -1433,9 +1436,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
result->unix_name = talloc_strdup(result, found_username);

/* copy in the info3 */
- result->info3 = copy_netr_SamInfo3(result, info3);
- if (result->info3 == NULL) {
- nt_status = NT_STATUS_NO_MEMORY;
+ nt_status = copy_netr_SamInfo3(result,
+ info3,
+ &result->info3);
+ if (!NT_STATUS_IS_OK(nt_status)) {
goto out;
}

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 20d43d2..7898175 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -63,11 +63,14 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
struct netr_SamInfo2 *sam2)
{
- struct netr_SamInfo3 *info3;
+ struct netr_SamInfo3 *info3 = NULL;
+ NTSTATUS status;

- info3 = copy_netr_SamInfo3(sam2, server_info->info3);
- if (!info3) {
- return NT_STATUS_NO_MEMORY;
+ status = copy_netr_SamInfo3(sam2,
+ server_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

if (server_info->session_key.length) {
@@ -96,11 +99,14 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
struct netr_SamInfo3 *sam3)
{
- struct netr_SamInfo3 *info3;
+ struct netr_SamInfo3 *info3 = NULL;
+ NTSTATUS status;

- info3 = copy_netr_SamInfo3(sam3, server_info->info3);
- if (!info3) {
- return NT_STATUS_NO_MEMORY;
+ status = copy_netr_SamInfo3(sam3,
+ server_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

if (server_info->session_key.length) {
@@ -133,7 +139,8 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
struct netr_SamInfo6 *sam6)
{
struct pdb_domain_info *dominfo;
- struct netr_SamInfo3 *info3;
+ struct netr_SamInfo3 *info3 = NULL;
+ NTSTATUS status;

if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
DEBUG(10,("Not adding validation info level 6 "
@@ -146,9 +153,11 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
return NT_STATUS_NO_MEMORY;
}

- info3 = copy_netr_SamInfo3(sam6, server_info->info3);
- if (!info3) {
- return NT_STATUS_NO_MEMORY;
+ status = copy_netr_SamInfo3(sam6,
+ server_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

if (server_info->session_key.length) {
@@ -335,11 +344,15 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 **pp_info3)
{
NTSTATUS status;
- struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
- &logon_info->info3);
- if (info3 == NULL) {
- return NT_STATUS_NO_MEMORY;
+ struct netr_SamInfo3 *info3 = NULL;
+
+ status = copy_netr_SamInfo3(mem_ctx,
+ &logon_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
+
status = merge_resource_sids(logon_info, info3);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index ac804f8..15c769f 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -62,45 +62,52 @@ NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}

-#undef RET_NOMEM
-
-#define RET_NOMEM(ptr) do { \
- if (!ptr) { \
- TALLOC_FREE(info3); \
- return NULL; \
- } } while(0)
-
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig)
+NTSTATUS copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo3 *in,
+ struct netr_SamInfo3 **pout)
{
- struct netr_SamInfo3 *info3;
+ struct netr_SamInfo3 *info3 = NULL;
unsigned int i;
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;

info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (!info3) return NULL;
+ if (info3 == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }

- status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
+ status = copy_netr_SamBaseInfo(info3, &in->base, &info3->base);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return NULL;
+ goto out;
}

- if (orig->sidcount) {
- info3->sidcount = orig->sidcount;
+ if (in->sidcount) {
+ info3->sidcount = in->sidcount;
info3->sids = talloc_array(info3, struct netr_SidAttr,
- orig->sidcount);
- RET_NOMEM(info3->sids);
- for (i = 0; i < orig->sidcount; i++) {
+ in->sidcount);
+ if (info3->sids == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ for (i = 0; i < in->sidcount; i++) {
info3->sids[i].sid = dom_sid_dup(info3->sids,
- orig->sids[i].sid);
- RET_NOMEM(info3->sids[i].sid);
- info3->sids[i].attributes =
- orig->sids[i].attributes;
+ in->sids[i].sid);
+ if (info3->sids[i].sid == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ info3->sids[i].attributes = in->sids[i].attributes;
}
}

- return info3;
+ *pout = info3;
+ info3 = NULL;
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(info3);
+ return status;
}

NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
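Review bot: `*pout` is left untouched on every `goto out` failure path in copy_netr_SamInfo3(), so the caller's pointer is only defined if the caller initialised it. Most callers converted in this patch set `info3 = NULL` first, but winbindd_pam_auth_pac_send() passes `&info3_copy`, whose initialisation is not visible in this changeset. Setting `*pout = NULL;` at the top of the function would make the contract independent of the caller. The copy loop also still reads `in->sids[i].sid` whenever `in->sidcount` is non-zero without checking `in->sids`, as the old code did.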
@@ -108,7 +115,7 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
union netr_Validation *validation,
struct netr_SamInfo3 **info3_p)
{
- struct netr_SamInfo3 *info3;
+ struct netr_SamInfo3 *info3 = NULL;
struct netr_SamInfo6 *info6 = NULL;
NTSTATUS status;

@@ -122,10 +129,13 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}

- info3 = copy_netr_SamInfo3(mem_ctx, validation->sam3);
- if (info3 == NULL) {
- return NT_STATUS_NO_MEMORY;
+ status = copy_netr_SamInfo3(mem_ctx,
+ validation->sam3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
+
break;
case 6:
if (validation->sam6 == NULL) {
@@ -186,16 +196,18 @@ NTSTATUS map_info3_to_validation(TALLOC_CTX *mem_ctx,
union netr_Validation **_validation)
{
union netr_Validation *validation = NULL;
+ NTSTATUS status;

validation = talloc_zero(mem_ctx, union netr_Validation);
if (validation == NULL) {
return NT_STATUS_NO_MEMORY;
}

- validation->sam3 = copy_netr_SamInfo3(mem_ctx, info3);
- if (validation->sam3 == NULL) {
- TALLOC_FREE(validation);
- return NT_STATUS_NO_MEMORY;
+ status = copy_netr_SamInfo3(mem_ctx,
+ info3,
+ &validation->sam3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

* _validation_level = 3;
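Review bot: the failure branch after copy_netr_SamInfo3() in map_info3_to_validation() no longer frees `validation`. The removed lines did `TALLOC_FREE(validation);` before returning; the new branch returns `status` directly, so the `talloc_zero(mem_ctx, union netr_Validation)` allocation stays on `mem_ctx` until the caller frees that context. Either keep `TALLOC_FREE(validation);` before `return status;` or convert the function to the same `goto out` cleanup used in copy_netr_SamInfo3().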
diff --git a/source3/rpc_client/util_netlogon.h b/source3/rpc_client/util_netlogon.h
index 80c7bff..8b3a372 100644
--- a/source3/rpc_client/util_netlogon.h
+++ b/source3/rpc_client/util_netlogon.h
@@ -25,8 +25,9 @@
NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,
const struct netr_SamBaseInfo *in,
struct netr_SamBaseInfo *out);
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig);
+NTSTATUS copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo3 *in,
+ struct netr_SamInfo3 **pout);
NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
uint16_t validation_level,
union netr_Validation *validation,
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index de3e3f5..9a61cd3 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -56,16 +56,17 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
union netr_Validation *validation)
{
struct netr_SamInfo3 *info3 = NULL;
- char *ex;
+ char *ex = NULL;
uint32_t i;
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ TALLOC_CTX *frame = talloc_stackframe();

- status = map_validation_to_info3(talloc_tos(),
+ status = map_validation_to_info3(frame,
validation_level,
validation,
&info3);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto out;
}

resp->data.auth.info3.logon_time =
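Review bot: `frame` is created in the declaration block of append_info3_as_txt(), so from that point on every exit has to pass through `out:`, where `TALLOC_FREE(frame)` runs. The returns visible in these hunks are converted to `goto out`, but the unchanged code between this hunk and the next one is not shown; please confirm no direct `return` remains there, otherwise the stackframe is left behind on that path.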
@@ -120,10 +121,10 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
validation->sam6->principal_name.string);
}

- ex = talloc_strdup(mem_ctx, "");
+ ex = talloc_strdup(frame, "");
if (ex == NULL) {
- TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}

for (i=0; i < info3->base.groups.count; i++) {
@@ -131,36 +132,36 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
info3->base.groups.rids[i].rid,
info3->base.groups.rids[i].attributes);
if (ex == NULL) {
- TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
}

for (i=0; i < info3->sidcount; i++) {
char *sid;

- sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
+ sid = dom_sid_string(frame, info3->sids[i].sid);
if (sid == NULL) {
- TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}

ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
sid,
info3->sids[i].attributes);
if (ex == NULL) {
- TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
-
- talloc_free(sid);
}

- resp->extra_data.data = ex;
resp->length += talloc_get_size(ex);
+ resp->extra_data.data = talloc_move(mem_ctx, &ex);

- TALLOC_FREE(info3);
- return NT_STATUS_OK;
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(frame);
+ return status;
}

static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
@@ -889,14 +890,14 @@ NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
const char *name_user)
{
struct netr_SamInfo3 *info3 = NULL;
- NTSTATUS result;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;

result = map_validation_to_info3(talloc_tos(),
validation_level,
validation,
&info3);
if (!NT_STATUS_IS_OK(result)) {
- return result;
+ goto out;
}

if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
@@ -919,8 +920,7 @@ NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to append Unix Username: %s\n",
nt_errstr(result)));
- TALLOC_FREE(info3);
- return result;
+ goto out;
}
}

@@ -931,8 +931,7 @@ NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
nt_errstr(result)));
- TALLOC_FREE(info3);
- return result;
+ goto out;
}
}

@@ -943,8 +942,7 @@ NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
nt_errstr(result)));
- TALLOC_FREE(info3);
- return result;
+ goto out;
}
}

@@ -954,13 +952,14 @@ NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to append AFS token: %s\n",
nt_errstr(result)));
- TALLOC_FREE(info3);
- return result;
+ goto out;
}
}

+ result = NT_STATUS_OK;
+out:
TALLOC_FREE(info3);
- return NT_STATUS_OK;
+ return result;
}

static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
@@ -1683,22 +1682,24 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
true, /* interactive */
&authoritative,
&info3);
- if (NT_STATUS_IS_OK(result)) {
- result = map_info3_to_validation(mem_ctx,
- info3,
- &validation_level,
- &validation);
- TALLOC_FREE(info3);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
- }

/*
* We need to try the remote NETLOGON server if this is
* not authoritative (for example on the RODC).
*/
if (authoritative != 0) {
+ if (NT_STATUS_IS_OK(result)) {
+ result = map_info3_to_validation(
+ mem_ctx,
+ info3,
+ &validation_level,
+ &validation);
+ TALLOC_FREE(info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+ }
+
goto done;
}
}
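Review bot: with the mapping block moved inside `if (authoritative != 0)`, a successful but non-authoritative result no longer reaches `TALLOC_FREE(info3)` in the lines shown, whereas the removed block freed it for every OK result. Please check that `info3` is released, or cannot be set, when `authoritative == 0` and the code falls through to the remote NETLOGON attempt. The inner `goto done` after a failed map_info3_to_validation() is also redundant, since the next statement is `goto done` anyway.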
@@ -2915,10 +2916,11 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
* returning a copy talloc'ed off
* the state->mem_ctx.
*/
- info3_copy = copy_netr_SamInfo3(state->mem_ctx,
- &logon_info->info3);
- if (info3_copy == NULL) {
- return NT_STATUS_NO_MEMORY;
+ result = copy_netr_SamInfo3(state->mem_ctx,
+ &logon_info->info3,
+ &info3_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
}
}
}
--
Samba Shared Repository
Jeremy Allison
2018-01-16 01:44:02 UTC
The branch, master has been updated
via a63aafb srcctl3: Improve debug messages
via 6aa0cc2 rpc_server: Improve a debug message
from 05ebafd s3:rpc_client: Clenup copy_netr_SamInfo3() code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a63aafb05d4d975aa9898b8a2dcbbf5d4f41938d
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 15 11:42:29 2018 +0100

srcctl3: Improve debug messages

A customer's syslog was filled with

_svcctl_OpenServiceW: Failed to get a valid security descriptor

messages. This improves the messages to give info about which service failed
with which error code. Also, it makes OpenServiceW fail with the same error
message Windows fails with for unknown services.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Tue Jan 16 02:43:03 CET 2018 on sn-devel-144

commit 6aa0cc2570f9c86e76086bebf16234988107384e
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 15 10:47:51 2018 +0100

rpc_server: Improve a debug message

A client sending us a bind with an unknown interface should not spam
syslog by default. Also, show what interface the client tried to connect
to.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/rpc_server/srv_pipe.c | 5 +++-
source3/rpc_server/svcctl/srv_svcctl_nt.c | 42 ++++++++++++++++++++-----------
source3/services/svc_winreg_glue.c | 25 ++++++++++--------
source3/services/svc_winreg_glue.h | 9 ++++---
4 files changed, 52 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 4534200..7a1c615 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -738,7 +738,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,

table = ndr_table_by_uuid(&id.uuid);
if (table == NULL) {
- DEBUG(0,("unknown interface\n"));
+ char *iface = ndr_syntax_id_to_string(talloc_tos(), &id);
+ DBG_NOTICE("unknown interface %s\n",
+ iface ? iface : "<null>");
+ TALLOC_FREE(iface);
return false;
}

diff --git a/source3/rpc_server/svcctl/srv_svcctl_nt.c b/source3/rpc_server/svcctl/srv_svcctl_nt.c
index d4bf2e7..8eaedfb 100644
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -301,6 +301,7 @@ WERROR _svcctl_OpenServiceW(struct pipes_struct *p,
uint32_t access_granted = 0;
NTSTATUS status;
const char *service = NULL;
+ WERROR err;

service = r->in.ServiceName;
if (!service) {
@@ -317,14 +318,19 @@ WERROR _svcctl_OpenServiceW(struct pipes_struct *p,
* Perform access checks. Use the system session_info in order to ensure
* that we retrieve the security descriptor
*/
- sec_desc = svcctl_get_secdesc(p->mem_ctx,
- p->msg_ctx,
- get_session_info_system(),
- service);
- if (sec_desc == NULL) {
- DEBUG(0, ("_svcctl_OpenServiceW: Failed to get a valid security "
- "descriptor"));
- return WERR_NOT_ENOUGH_MEMORY;
+ err = svcctl_get_secdesc(p->msg_ctx,
+ get_session_info_system(),
+ service,
+ p->mem_ctx,
+ &sec_desc);
+ if (W_ERROR_EQUAL(err, WERR_FILE_NOT_FOUND)) {
+ DBG_NOTICE("service %s does not exist\n", service);
+ return WERR_SERVICE_DOES_NOT_EXIST;
+ }
+ if (!W_ERROR_IS_OK(err)) {
+ DBG_NOTICE("Failed to get a valid secdesc for %s: %s\n",
+ service, win_errstr(err));
+ return err;
}

se_map_generic( &r->in.access_mask, &svc_generic_map );
@@ -899,6 +905,7 @@ WERROR _svcctl_QueryServiceObjectSecurity(struct pipes_struct *p,
NTSTATUS status;
uint8_t *buffer = NULL;
size_t len = 0;
+ WERROR err;


/* only support the SCM and individual services */
@@ -917,12 +924,19 @@ WERROR _svcctl_QueryServiceObjectSecurity(struct pipes_struct *p,
return WERR_INVALID_PARAMETER;

/* Lookup the security descriptor and marshall it up for a reply */
- sec_desc = svcctl_get_secdesc(p->mem_ctx,
- p->msg_ctx,
- get_session_info_system(),
- info->name);
- if (sec_desc == NULL) {
- return WERR_NOT_ENOUGH_MEMORY;
+ err = svcctl_get_secdesc(p->msg_ctx,
+ get_session_info_system(),
+ info->name,
+ p->mem_ctx,
+ &sec_desc);
+ if (W_ERROR_EQUAL(err, WERR_FILE_NOT_FOUND)) {
+ DBG_NOTICE("service %s does not exist\n", info->name);
+ return WERR_SERVICE_DOES_NOT_EXIST;
+ }
+ if (!W_ERROR_IS_OK(err)) {
+ DBG_NOTICE("Failed to get a valid secdesc for %s: %s\n",
+ info->name, win_errstr(err));
+ return err;
}

*r->out.needed = ndr_size_security_descriptor(sec_desc, 0);
diff --git a/source3/services/svc_winreg_glue.c b/source3/services/svc_winreg_glue.c
index 7d7871d..50b9897 100644
--- a/source3/services/svc_winreg_glue.c
+++ b/source3/services/svc_winreg_glue.c
@@ -75,10 +75,11 @@ struct security_descriptor* svcctl_gen_service_sd(TALLOC_CTX *mem_ctx)
return sd;
}

-struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
- struct messaging_context *msg_ctx,
- const struct auth_session_info *session_info,
- const char *name)
+WERROR svcctl_get_secdesc(struct messaging_context *msg_ctx,
+ const struct auth_session_info *session_info,
+ const char *name,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor **psd)
{
struct dcerpc_binding_handle *h = NULL;
uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -92,7 +93,7 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
"%s\\%s\\Security",
TOP_LEVEL_SERVICES_KEY, name);
if (key == NULL) {
- return NULL;
+ return WERR_NOT_ENOUGH_MEMORY;
}

status = dcerpc_winreg_int_hklm_openkey(mem_ctx,
@@ -108,12 +109,12 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
key, nt_errstr(status)));
- return NULL;
+ return WERR_INTERNAL_ERROR;
}
if (!W_ERROR_IS_OK(result)) {
DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
key, win_errstr(result)));
- return NULL;
+ return result;
}

status = dcerpc_winreg_query_sd(mem_ctx,
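Review bot: the two DEBUG(2) messages kept as context in this hunk still begin with `svcctl_set_secdesc:` although, per the hunk header, they are in svcctl_get_secdesc(). Since the commit is about making these logs easier to act on, fix the prefix here or switch these calls to the DBG_* macros used elsewhere in this patch. The `!NT_STATUS_IS_OK(status)` branches also return a fixed `WERR_INTERNAL_ERROR`, so the caller's new "Failed to get a valid secdesc" message cannot show the underlying NTSTATUS; only the level 2 line records it.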
@@ -125,14 +126,14 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
"%s\n", nt_errstr(status)));
- return NULL;
+ return WERR_INTERNAL_ERROR;
}
if (W_ERROR_EQUAL(result, WERR_FILE_NOT_FOUND)) {
goto fallback_to_default_sd;
} else if (!W_ERROR_IS_OK(result)) {
DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
"%s\n", win_errstr(result)));
- return NULL;
+ return result;
}

goto done;
@@ -141,9 +142,13 @@ fallback_to_default_sd:
DEBUG(6, ("svcctl_get_secdesc: constructing default secdesc for "
"service [%s]\n", name));
sd = svcctl_gen_service_sd(mem_ctx);
+ if (sd == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }

done:
- return sd;
+ *psd = sd;
+ return WERR_OK;
}

bool svcctl_set_secdesc(struct messaging_context *msg_ctx,
diff --git a/source3/services/svc_winreg_glue.h b/source3/services/svc_winreg_glue.h
index c9366b3..e013f8d 100644
--- a/source3/services/svc_winreg_glue.h
+++ b/source3/services/svc_winreg_glue.h
@@ -28,10 +28,11 @@ struct auth_session_info;

struct security_descriptor* svcctl_gen_service_sd(TALLOC_CTX *mem_ctx);

-struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
- struct messaging_context *msg_ctx,
- const struct auth_session_info *session_info,
- const char *name);
+WERROR svcctl_get_secdesc(struct messaging_context *msg_ctx,
+ const struct auth_session_info *session_info,
+ const char *name,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor **result);

bool svcctl_set_secdesc(struct messaging_context *msg_ctx,
const struct auth_session_info *session_info,
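Review bot: the prototype names the out parameter `result` while the definition in svc_winreg_glue.c names it `psd`; use the same name in both places. `mem_ctx` has also moved from first to fourth position, unlike svcctl_gen_service_sd(TALLOC_CTX *mem_ctx) directly above, so a short comment on the prototype stating that the descriptor is allocated on `mem_ctx` and is only set when WERR_OK is returned would document the new contract.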
--
Samba Shared Repository
Garming Sam
2018-01-16 06:13:01 UTC
The branch, master has been updated
via 7a3f97f selftest: fix envvars for creation of default user in wait_for_start
from a63aafb srcctl3: Improve debug messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7a3f97f2662c6197913aeb50e5e3c0c09ff8307f
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 15 15:25:10 2018 +1300

selftest: fix envvars for creation of default user in wait_for_start

Resolves failure of ad_member to start up under ad_dc (if
the user is determined to be needed).

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andreas Schneider <***@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13225

Autobuild-User(master): Garming Sam <***@samba.org>
Autobuild-Date(master): Tue Jan 16 07:12:01 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
selftest/target/Samba3.pm | 4 ++++
1 file changed, 4 insertions(+)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f4ae0f3..f2dcdd1 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2455,6 +2455,8 @@ sub wait_for_start($$$$$)
}
if ($create_builtin_users eq "yes") {
$cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
$cmd .= Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
$cmd .= "sam createbuiltingroup Users";
$ret = system($cmd);
@@ -2469,6 +2471,8 @@ sub wait_for_start($$$$$)
system($cmd);

$cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
$cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
$ret = system($cmd);
if ($ret != 0) {
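Review bot: the `system($cmd);` context line at the top of this hunk runs a command that is assembled outside the lines shown, between the two places that now receive `NSS_WRAPPER_PASSWD` and `NSS_WRAPPER_GROUP`. Please confirm whether that intermediate command needs the same variables. The three-variable prefix is now built by hand twice; building it once into a local and reusing it would keep the invocations in wait_for_start consistent.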
--
Samba Shared Repository
Günther Deschner
2018-01-16 20:03:02 UTC
The branch, master has been updated
via 8224a3d packaging: fix default systemd-dir path.
via 1129388 python: fix the build with python3.
from 7a3f97f selftest: fix envvars for creation of default user in wait_for_start

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8224a3d6a03aeb4648bb624f775b139115567a8f
Author: Günther Deschner <***@samba.org>
Date: Tue Jan 16 16:25:01 2018 +0100

packaging: fix default systemd-dir path.

https://bugzilla.samba.org/show_bug.cgi?id=13227

By default we should not end up with a
/usr/usr/lib/systemd/system path.

Guenther

Signed-off-by: Guenther Deschner <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Günther Deschner <***@samba.org>
Autobuild-Date(master): Tue Jan 16 21:02:28 CET 2018 on sn-devel-144

commit 112938879f9e04a9a4f3d2ed69efacf2bce83799
Author: Günther Deschner <***@samba.org>
Date: Mon Jan 15 21:56:22 2018 +0100

python: fix the build with python3.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13221

Guenther

Signed-off-by: Guenther Deschner <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
packaging/wscript | 4 ++--
python/samba/emulate/traffic_packets.py | 2 +-
python/samba/forest_update.py | 4 ++--
python/samba/tests/blackbox/traffic_summary.py | 2 +-
python/samba/tests/samba_tool/visualize.py | 6 +++---
5 files changed, 9 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/packaging/wscript b/packaging/wscript
index 76158e9..6cee6b9 100644
--- a/packaging/wscript
+++ b/packaging/wscript
@@ -10,9 +10,9 @@ def set_options(opt):
action="store_true", dest="systemd_install_services", default=False)

gr.add_option('--with-systemddir',
- help=("systemd service directory [PREFIX/usr/lib/systemd/system]"),
+ help=("systemd service directory [PREFIX/lib/systemd/system]"),
action="store", dest="SYSTEMDDIR",
- default="${PREFIX}/usr/lib/systemd/system")
+ default="${PREFIX}/lib/systemd/system")
#
# extra service directives
#
diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py
index 1df21f9..185d1d5 100644
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
@@ -84,7 +84,7 @@ name_formats = [


def warning(message):
- print "\033[37;41;1m" "Warning: %s" "\033[00m" % (message)
+ print("\033[37;41;1m" "Warning: %s" "\033[00m" % (message))

###############################################################################
#
diff --git a/python/samba/forest_update.py b/python/samba/forest_update.py
index 9f6ddf6..ba6f859 100644
--- a/python/samba/forest_update.py
+++ b/python/samba/forest_update.py
@@ -300,8 +300,8 @@ objectClass: container
"SCHEMA_DN":
str(self.schema_dn)})
if self.verbose:
- print "UPDATE (LDIF) ------ OPERATION %d" % op
- print sub_ldif
+ print("UPDATE (LDIF) ------ OPERATION %d" % op)
+ print(sub_ldif)

self.samdb.modify_ldif(sub_ldif)
if self.add_update_container:
diff --git a/python/samba/tests/blackbox/traffic_summary.py b/python/samba/tests/blackbox/traffic_summary.py
index b2bbc2c..99fe6b8 100644
--- a/python/samba/tests/blackbox/traffic_summary.py
+++ b/python/samba/tests/blackbox/traffic_summary.py
@@ -59,7 +59,7 @@ class TrafficSummaryTests(BlackboxTestCase):

with temp_file(self.tempdir) as output:
command = "%s %s >%s" % (SCRIPT, INPUT, output)
- print command
+ print(command)
self.check_run(command)
expected = open(EXPECTED_FN).readlines()
actual = open(output).readlines()
diff --git a/python/samba/tests/samba_tool/visualize.py b/python/samba/tests/samba_tool/visualize.py
index 292d496..c00c6ea 100644
--- a/python/samba/tests/samba_tool/visualize.py
+++ b/python/samba/tests/samba_tool/visualize.py
@@ -284,7 +284,7 @@ class SambaToolVisualizeLdif(SambaToolCmdTest):
self.tempdir,
self.lp, tag='disconnected')
dburl = 'tdb://' + dbfile
- print dbfile
+ print(dbfile)
result, output, err = self.runsubcmd("visualize", "ntdsconn",
'-H', dburl,
'--color=no', '-S')
@@ -314,7 +314,7 @@ class SambaToolVisualizeLdif(SambaToolCmdTest):
'-o', '-')
self.assertCmdSuccess(result, dot, err)
self.remove_files(dbfile)
- print dot
+ print(dot)

self.assertStringsEqual(EXPECTED_DOT_NTDSCONN_DISCONNECTED, dot,
strip=True)
@@ -338,7 +338,7 @@ class SambaToolVisualizeLdif(SambaToolCmdTest):
self.assertStringsEqual(EXPECTED_DOT_NTDSCONN_DISCONNECTED, dot)

self.remove_files(dbfile, dot_file)
- print dot
+ print(dot)

EXPECTED_DOT_MULTISITE_NO_KEY = r"""/* generated by samba */
digraph A_samba_tool_production {
--
Samba Shared Repository
Christof Schmitt
2018-01-17 00:32:02 UTC
The branch, master has been updated
via e77f8e4 Remove file system sharemode before calling unlink
from 8224a3d packaging: fix default systemd-dir path.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e77f8e4628ba868f09cbcf2970caac6c69fe080c
Author: Christof Schmitt <***@samba.org>
Date: Wed Jan 10 15:56:08 2018 -0700

Remove file system sharemode before calling unlink

GPFS implements the DENY_DELETE sharemode, which prevents unlink() from
deleting the file. This causes the problem that deleting a file through
"delete on close" fails, as the code in close.c first calls unlink() and
only later removes the file system sharemode.

Fix this by removing the file system sharemode before calling unlink().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13217

Signed-off-by: Christof Schmitt <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Christof Schmitt <***@samba.org>
Autobuild-Date(master): Wed Jan 17 01:31:53 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/smbd/close.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 095feec..2f6cc4f 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -446,6 +446,22 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
}
}

+ if (fsp->kernel_share_modes_taken) {
+ int ret_flock;
+
+ /*
+ * A file system sharemode could block the unlink;
+ * remove filesystem sharemodes first.
+ */
+ ret_flock = SMB_VFS_KERNEL_FLOCK(fsp, 0, 0);
+ if (ret_flock == -1) {
+ DBG_INFO("removing kernel flock for %s failed: %s\n",
+ fsp_str_dbg(fsp), strerror(errno));
+ }
+
+ fsp->kernel_share_modes_taken = false;
+ }
+

if (SMB_VFS_UNLINK(conn, fsp->fsp_name) != 0) {
/*
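Review bot: `fsp->kernel_share_modes_taken = false;` is set even when `SMB_VFS_KERNEL_FLOCK(fsp, 0, 0)` returns -1, and that failure is only reported through DBG_INFO. If the sharemode could not be removed, the following SMB_VFS_UNLINK() can still fail in the way the commit message describes, and the cleared flag no longer records that a sharemode is held. Consider logging the failure at a more visible level, or clearing the flag only on success. The hunk also adds a blank line directly before an existing blank line.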
--
Samba Shared Repository
Jeremy Allison
2018-01-17 05:10:02 UTC
The branch, master has been updated
via 0edce86 vfs_glusterfs: Add fallocate support for vfs_glusterfs
from e77f8e4 Remove file system sharemode before calling unlink

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0edce86e97a49f4bd79f4431015ac2b788105e46
Author: Sachin Prabhu <***@redhat.com>
Date: Tue Nov 14 15:51:44 2017 +0530

vfs_glusterfs: Add fallocate support for vfs_glusterfs

Adds fallocate support to the vfs glusterfs plugin.

v2: Add check for glusterfs-api version.
RHBZ: 1478875
Signed-off-by: Sachin Prabhu <***@redhat.com>
Reviewed-by: David Disseldorp <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Wed Jan 17 06:09:29 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_glusterfs.c | 28 +++++++++++++++++++++++++++-
source3/wscript | 4 ++++
2 files changed, 31 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index 953c46a..f9a96fa 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -464,6 +464,10 @@ static uint32_t vfs_gluster_fs_capabilities(struct vfs_handle_struct *handle,
{
uint32_t caps = FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES;

+#ifdef HAVE_GFAPI_VER_6
+ caps |= FILE_SUPPORTS_SPARSE_FILES;
+#endif
+
#ifdef STAT_HAVE_NSEC
*p_ts_res = TIMESTAMP_SET_NT_OR_BETTER;
#endif
@@ -1148,9 +1152,31 @@ static int vfs_gluster_fallocate(struct vfs_handle_struct *handle,
uint32_t mode,
off_t offset, off_t len)
{
- /* TODO: add support using glfs_fallocate() and glfs_zerofill() */
+#ifdef HAVE_GFAPI_VER_6
+ int keep_size, punch_hole;
+
+ keep_size = mode & VFS_FALLOCATE_FL_KEEP_SIZE;
+ punch_hole = mode & VFS_FALLOCATE_FL_PUNCH_HOLE;
+
+ mode &= ~(VFS_FALLOCATE_FL_KEEP_SIZE|VFS_FALLOCATE_FL_PUNCH_HOLE);
+ if (mode != 0) {
+ errno = ENOTSUP;
+ return -1;
+ }
+
+ if (punch_hole) {
+ return glfs_discard(*(glfs_fd_t **)
+ VFS_FETCH_FSP_EXTENSION(handle, fsp),
+ offset, len);
+ }
+
+ return glfs_fallocate(*(glfs_fd_t **)
+ VFS_FETCH_FSP_EXTENSION(handle, fsp),
+ keep_size, offset, len);
+#else
errno = ENOTSUP;
return -1;
+#endif
}

static struct smb_filename *vfs_gluster_realpath(struct vfs_handle_struct *handle,
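Review bot: both branches dereference `*(glfs_fd_t **)VFS_FETCH_FSP_EXTENSION(handle, fsp)` without checking that the extension lookup returned a non-NULL pointer. Fetch it once into a local, return -1 with errno set if it is NULL, and pass the local to glfs_discard() and glfs_fallocate(). Separately, the `punch_hole` branch is taken regardless of `keep_size`; if VFS_FALLOCATE_FL_PUNCH_HOLE without VFS_FALLOCATE_FL_KEEP_SIZE is not a valid request, reject it before calling glfs_discard().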
diff --git a/source3/wscript b/source3/wscript
index 0f8fe54..e81a212 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1568,6 +1568,10 @@ main() {
conf.undefine('HAVE_GLUSTERFS')
else:
conf.undefine('HAVE_GLUSTERFS')
+
+ conf.CHECK_CFG(package='glusterfs-api', args='"glusterfs-api >= 6" --cflags --libs',
+ msg='Checking for glusterfs-api >= 6',
+ uselib_store="GFAPI_VER_6")
else:
conf.SET_TARGET_TYPE('gfapi', 'EMPTY')
conf.undefine('HAVE_GLUSTERFS')
--
Samba Shared Repository
Ralph Böhme
2018-01-17 22:59:02 UTC
The branch, master has been updated
via 3be1e68 winbind: Fix CID 1427626 Uninitialized scalar variable
via 4e5c942 pdb: Fix CID 1427620 Resource leak
via 92131d0 winbind: Fix CID 1427626 Uninitialized scalar variable
via e4f62d4 pdb: Fix CID 1427624 Resource leak
from 0edce86 vfs_glusterfs: Add fallocate support for vfs_glusterfs

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3be1e68ce69f7ab8ac2cac97920c0e7f65b5ed6f
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 17 14:45:49 2018 +0100

winbind: Fix CID 1427626 Uninitialized scalar variable

Likely a false positive, but Coverity can't follow all the paths leading
to line 1598.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Wed Jan 17 23:58:34 CET 2018 on sn-devel-144

commit 4e5c9427085f001941adaf761b18740a2e169240
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 17 14:38:41 2018 +0100

pdb: Fix CID 1427620 Resource leak

It's not exactly a resource leak (we only really realloc if we shrink
dramatically), but assigning the result from tdb_realloc looks nicer.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 92131d08987ac7c2fb219bf2e8300f3bc7b702f9
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 17 14:42:31 2018 +0100

winbind: Fix CID 1427626 Uninitialized scalar variable

Likely a false positive, but Coverity can't follow all the paths leading
to line 2030

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit e4f62d4e4b91395d46c99c2a5313b0536793cca7
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 17 14:38:41 2018 +0100

pdb: Fix CID 1427624 Resource leak

It's not exactly a resource leak (we only really realloc if we shrink
dramatically), but assigning the result from tdb_realloc looks nicer.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/passdb/pdb_samba_dsdb.c | 5 +++--
source3/winbindd/winbindd_pam.c | 4 ++--
2 files changed, 5 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 16a7a85..4e55a15 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -2959,7 +2959,7 @@ static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
domains[di++] = d;
}

- talloc_realloc(domains, domains, struct trustdom_info *, di);
+ domains = talloc_realloc(domains, domains, struct trustdom_info *, di);
*_domains = talloc_move(mem_ctx, &domains);
*_num_domains = di;
TALLOC_FREE(tmp_ctx);
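Review bot: the result of talloc_realloc() is now assigned to domains but is still not checked before the talloc_move() on the next line, so a NULL return would hand the caller *_domains == NULL together with a non-zero *_num_domains. A NULL return is also the normal outcome when di is 0, because talloc_realloc() to zero elements behaves like talloc_free(), so the check should only treat NULL with di > 0 as NT_STATUS_NO_MEMORY (after freeing tmp_ctx). The same applies to the second hunk in this file.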
@@ -3741,7 +3741,8 @@ static NTSTATUS pdb_samba_dsdb_enum_trusted_domains(struct pdb_methods *m,
domains[di++] = d;
}

- talloc_realloc(domains, domains, struct pdb_trusted_domain *, di);
+ domains = talloc_realloc(domains, domains, struct pdb_trusted_domain *,
+ di);
*_domains = talloc_move(mem_ctx, &domains);
*_num_domains = di;
TALLOC_FREE(tmp_ctx);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9a61cd3..97425e8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1428,7 +1428,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
int netr_attempts = 0;
bool retry = false;
NTSTATUS result;
- uint16_t validation_level;
+ uint16_t validation_level = UINT16_MAX;
union netr_Validation *validation = NULL;

do {
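Review bot: the initialiser `validation_level = UINT16_MAX` introduces an "unset" marker without a comment or a named constant, and nothing in this hunk shows the later consumer rejecting it. Since the commit message calls the report a likely false positive, a one-line comment saying that UINT16_MAX means "not yet set by the samlogon call", plus a check before the value is used, would turn a genuinely missed path into an explicit error rather than passing 65535 on as a validation level. The same initialiser is added in winbindd_dual_pam_auth() in the next hunk.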
@@ -1823,7 +1823,7 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
fstring name_domain, name_user;
char *mapped_user;
fstring domain_user;
- uint16_t validation_level;
+ uint16_t validation_level = UINT16_MAX;
union netr_Validation *validation = NULL;
NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
--
Samba Shared Repository
Andreas Schneider
2018-01-19 00:37:04 UTC
The branch, master has been updated
via 7c1c8c6 mit-kdb: support MIT Kerberos 1.16 KDB API changes
from 3be1e68 winbind: Fix CID 1427626 Uninitialized scalar variable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7c1c8c68174ed484fe86a0d9e429daad3a47a57d
Author: Alexander Bokovoy <***@samba.org>
Date: Tue Oct 24 12:01:39 2017 +0300

mit-kdb: support MIT Kerberos 1.16 KDB API changes

MIT Kerberos 1.16 adds the ability to audit local and remote addresses
during AS_REQ processing. As a result, the audit_as_req callback signature
was changed to include the addresses and the KDB API version was increased.

Change the mit-kdb code to properly expose the audit_as_req signature the KDC
expects in version 1.16. Also update #ifdefs to account for the new
KDB API version.

This commit does not add actual audit of the local and remote IP
addresses, it only makes it possible to compile against MIT Kerberos
1.16.

Signed-off-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/kdc/mit-kdb/kdb_samba.h | 13 ++++++++-
source4/kdc/mit-kdb/kdb_samba_policies.c | 42 +++++++++++++++++++++---------
source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
3 files changed, 42 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index abca2c1..b9c571f 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -78,7 +78,7 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context,
krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
krb5_const_principal princ);

-#if KRB5_KDB_API_VERSION == 8
+#if KRB5_KDB_API_VERSION >= 8
krb5_error_code kdb_samba_db_iterate(krb5_context context,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
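Review bot: changing the guard from `== 8` to `>= 8` makes it open-ended, which assumes every future KDB API version keeps this kdb_samba_db_iterate() prototype. The same patch shows audit_as_req changing between versions 8 and 9, so an explicit upper bound, or an #error for versions above the highest one tested, would make the next API bump fail at the guard instead of at a mismatched callback signature. The identical guard change in kdb_samba_principals.c needs to stay in step with this one.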
@@ -148,12 +148,23 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
const krb5_db_entry *server,
krb5_const_principal proxy);

+#if KRB5_KDB_API_VERSION >= 9
void kdb_samba_db_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_timestamp authtime,
krb5_error_code error_code);
+#else
+void kdb_samba_db_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+#endif

/* from kdb_samba_change_pwd.c */

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 81140ab..de5813b 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -432,20 +432,10 @@ done:
return code;
}

-void kdb_samba_db_audit_as_req(krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_timestamp authtime,
- krb5_error_code error_code)
-{
- struct mit_samba_context *mit_ctx;
-
- mit_ctx = ks_get_context(context);
- if (mit_ctx == NULL) {
- return;
- }

+static void samba_bad_password_count(krb5_db_entry *client,
+ krb5_error_code error_code)
+{
switch (error_code) {
case 0:
mit_samba_zero_bad_password_count(client);
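Review bot: the removed lines at the top of this hunk include the ks_get_context() lookup and the early return when it yields NULL, and the new samba_bad_password_count() helper has no equivalent, so the bad password counters are now updated in a case where the old function did nothing. The commit message describes the change as compile-only; either keep the NULL check in both kdb_samba_db_audit_as_req() variants or say in the message that dropping it is intended because mit_ctx was not otherwise used.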
@@ -456,3 +446,29 @@ void kdb_samba_db_audit_as_req(krb5_context context,
break;
}
}
+
+#if KRB5_KDB_API_VERSION >= 9
+void kdb_samba_db_audit_as_req(krb5_context context,
+ krb5_kdc_req *request,
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code)
+{
+ samba_bad_password_count(client, error_code);
+
+ /* TODO: perform proper audit logging for addresses */
+}
+#else
+void kdb_samba_db_audit_as_req(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code)
+{
+ samba_bad_password_count(client, error_code);
+}
+#endif
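Review bot: in the `KRB5_KDB_API_VERSION >= 9` variant, local_addr and remote_addr are accepted and then dropped, with only the TODO comment recording that address auditing is missing. The commit message is upfront about that, but a TODO in the source is easy to lose; a bug reference in the comment would keep it tracked. The two function bodies are otherwise identical, and context, request, server and authtime are unused in both, so it is worth checking that the build does not warn on unused parameters here.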
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index 1dbb69b..8b67436 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -308,7 +308,7 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
return KRB5_KDB_DB_INUSE;
}

-#if KRB5_KDB_API_VERSION == 8
+#if KRB5_KDB_API_VERSION >= 8
krb5_error_code kdb_samba_db_iterate(krb5_context context,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
--
Samba Shared Repository
Martin Schwenke
2018-01-21 10:49:01 UTC
The branch, master has been updated
via ac9d528 docs: Remove prog_guide4.txt
via c6999a2 vfs_fileid: Fix the 32-bit build
via 3904c26 Added smbc_SetConfiguration which lets the user set the smb.conf for libsmbclient code
from 7c1c8c6 mit-kdb: support MIT Kerberos 1.16 KDB API changes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ac9d528b823aa89b3f3144f9377cc540f4b692e4
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 18 10:57:23 2018 +0100

docs: Remove prog_guide4.txt

Move the still relevant parts elsewhere

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Martin Schwenke <***@samba.org>
Autobuild-Date(master): Sun Jan 21 11:48:01 CET 2018 on sn-devel-144

commit c6999a248ad78f75cbfcc0f461298021b20905b4
Author: Volker Lendecke <***@samba.org>
Date: Fri Jan 19 12:15:58 2018 +0000

vfs_fileid: Fix the 32-bit build

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 3904c26ac860038518d4ffae781ddbbf23746715
Author: Puran Chand <***@vmware.com>
Date: Wed Jan 10 13:13:44 2018 +0530

Added smbc_SetConfiguration which lets the user set the smb.conf for libsmbclient code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13229

Signed-off-by: Puran Chand <***@vmware.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
librpc/binding-strings.txt | 55 ++
prog_guide4.txt | 777 ---------------------
source3/include/libsmbclient.h | 4 +
.../{smbclient-0.3.1.sigs => smbclient-0.3.2.sigs} | 1 +
source3/libsmb/libsmb_setget.c | 15 +
source3/libsmb/wscript | 2 +-
source3/modules/vfs_fileid.c | 4 +-
source3/selftest/tests.py | 3 +
source4/rpc_server/dcerpc_server.h | 26 +
source4/selftest/tests.py | 3 +-
source4/torture/libsmbclient/libsmbclient.c | 65 ++
testdata/samba3/smb_new.conf | 7 +
12 files changed, 181 insertions(+), 781 deletions(-)
create mode 100644 librpc/binding-strings.txt
delete mode 100644 prog_guide4.txt
copy source3/libsmb/ABI/{smbclient-0.3.1.sigs => smbclient-0.3.2.sigs} (99%)
create mode 100644 testdata/samba3/smb_new.conf


Changeset truncated at 500 lines:

diff --git a/librpc/binding-strings.txt b/librpc/binding-strings.txt
new file mode 100644
index 0000000..5503da1
--- /dev/null
+++ b/librpc/binding-strings.txt
@@ -0,0 +1,55 @@
+DCERPC binding strings
+----------------------
+
+When connecting to a dcerpc service you need to specify a binding
+string.
+
+The format is:
+
+ TRANSPORT:host[flags]
+
+where TRANSPORT is either ncacn_np for SMB or ncacn_ip_tcp for RPC/TCP
+
+"host" is an IP or hostname or netbios name. If the binding string
+identifies the server side of an endpoint, "host" may be an empty
+string.
+
+"flags" can include a SMB pipe name if using the ncacn_np transport or
+a TCP port number if using the ncacn_ip_tcp transport, otherwise they
+will be auto-determined.
+
+other recognised flags are:
+
+ sign : enable ntlmssp signing
+ seal : enable ntlmssp sealing
+ spnego : use SPNEGO instead of NTLMSSP authentication
+ krb5 : use KRB5 instead of NTLMSSP authentication
+ connect : enable rpc connect level auth (auth, but no sign or seal)
+ validate : enable the NDR validator
+ print : enable debugging of the packets
+ bigendian : use bigendian RPC
+ padcheck : check reply data for non-zero pad bytes
+
+
+Here are some examples:
+
+ ncacn_np:myserver
+ ncacn_np:myserver[samr]
+ ncacn_np:myserver[\pipe\samr]
+ ncacn_np:myserver[/pipe/samr]
+ ncacn_np:myserver[samr,sign,print]
+ ncacn_np:myserver[sign,spnego]
+ ncacn_np:myserver[\pipe\samr,sign,seal,bigendian]
+ ncacn_np:myserver[/pipe/samr,seal,validate]
+ ncacn_np:
+ ncacn_np:[/pipe/samr]
+ ncacn_ip_tcp:myserver
+ ncacn_ip_tcp:myserver[1024]
+ ncacn_ip_tcp:myserver[sign,seal]
+ ncacn_ip_tcp:myserver[spnego,seal]
+
+
+IDEA: Maybe extend UNC names like this?
+
+ smbclient //server/share
+ smbclient //server/share[sign,seal,spnego]
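Review bot: the flag list describes `sign` and `seal` as "enable ntlmssp signing" and "enable ntlmssp sealing", while the `spnego` and `krb5` flags select something other than NTLMSSP and the examples combine them (`[sign,spnego]`, `[spnego,seal]`), so the wording should say signing and sealing apply to whichever authentication is chosen. The text also never states what protection level a binding gets when none of `connect`, `sign` or `seal` is given, which is the first thing a reader choosing between `ncacn_np:myserver` and `ncacn_np:myserver[sign,seal]` needs to know. In the format line `TRANSPORT:host[flags]` the brackets are literal, but the examples without them show the whole bracketed part is optional; saying so explicitly would avoid the ambiguity.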
diff --git a/prog_guide4.txt b/prog_guide4.txt
deleted file mode 100644
index 0a33284..0000000
--- a/prog_guide4.txt
+++ /dev/null
@@ -1,777 +0,0 @@
-
-
-THIS IS INCOMPLETE! I'M ONLY COMMITING IT IN ORDER TO SOLICIT COMMENTS
-FROM A FEW PEOPLE. DON'T TAKE THIS AS THE FINAL VERSION YET.
-
-
-Samba4 Programming Guide
-========================
-
-.. contents::
-
-The internals of Samba4 are quite different from previous versions of
-Samba, so even if you are an experienced Samba developer please take
-the time to read through this document.
-
-This document will explain both the broad structure of Samba4, and
-some of the common coding elements such as memory management and
-dealing with macros.
-
-
-Coding Style
-------------
-
-In past versions of Samba we have basically let each programmer choose
-their own programming style. Unfortunately the result has often been
-that code that other members of the team find difficult to read. For
-Samba version 4 I would like to standardise on a common coding style
-to make the whole tree more readable. For those of you who are
-horrified at the idea of having to learn a new style, I can assure you
-that it isn't as painful as you might think. I was forced to adopt a
-new style when I started working on the Linux kernel, and after some
-initial pain found it quite easy.
-
-That said, I don't want to invent a new style, instead I would like to
-adopt the style used by the Linux kernel. It is a widely used style
-with plenty of support tools available. See Documentation/CodingStyle
-in the Linux source tree. This is the style that I have used to write
-all of the core infrastructure for Samba4 and I think that we should
-continue with that style.
-
-I also think that we should most definately *not* adopt an automatic
-reformatting system in cvs (or whatever other source code system we
-end up using in the future). Such automatic formatters are, in my
-experience, incredibly error prone and don't understand the necessary
-exceptions. I don't mind if people use automated tools to reformat
-their own code before they commit it, but please do not run such
-automated tools on large slabs of existing code without being willing
-to spend a *lot* of time hand checking the results.
-
-Finally, I think that for code that is parsing or formatting protocol
-packets the code layout should strongly reflect the packet
-format. That means ordring the code so that it parses in the same
-order as the packet is stored on the wire (where possible) and using
-white space to align packet offsets so that a reader can immediately
-map any line of the code to the corresponding place in the packet.
-
-
-Static and Global Data
-----------------------
-
-The basic rule is "avoid static and global data like the plague". What
-do I mean by static data? The way to tell if you have static data in a
-file is to use the "size" utility in Linux. For example if we run::
-
- size libcli/raw/*.o
-
-in Samba4 then you get the following::
-
- text data bss dec hex filename
- 2015 0 0 2015 7df libcli/raw/clikrb5.o
- 202 0 0 202 ca libcli/raw/clioplock.o
- 35 0 0 35 23 libcli/raw/clirewrite.o
- 3891 0 0 3891 f33 libcli/raw/clisession.o
- 869 0 0 869 365 libcli/raw/clisocket.o
- 4962 0 0 4962 1362 libcli/raw/clispnego.o
- 1223 0 0 1223 4c7 libcli/raw/clitransport.o
- 2294 0 0 2294 8f6 libcli/raw/clitree.o
- 1081 0 0 1081 439 libcli/raw/raweas.o
- 6765 0 0 6765 1a6d libcli/raw/rawfile.o
- 6824 0 0 6824 1aa8 libcli/raw/rawfileinfo.o
- 2944 0 0 2944 b80 libcli/raw/rawfsinfo.o
- 541 0 0 541 21d libcli/raw/rawioctl.o
- 1728 0 0 1728 6c0 libcli/raw/rawnegotiate.o
- 723 0 0 723 2d3 libcli/raw/rawnotify.o
- 3779 0 0 3779 ec3 libcli/raw/rawreadwrite.o
- 6597 0 0 6597 19c5 libcli/raw/rawrequest.o
- 5580 0 0 5580 15cc libcli/raw/rawsearch.o
- 3034 0 0 3034 bda libcli/raw/rawsetfileinfo.o
- 5187 0 0 5187 1443 libcli/raw/rawtrans.o
- 2033 0 0 2033 7f1 libcli/raw/smb_signing.o
-
-notice that the "data" and "bss" columns are all zero? That is
-good. If there are any non-zero values in data or bss then that
-indicates static data and is bad (as a rule of thumb).
-
-Lets compare that result to the equivalent in Samba3::
-
- text data bss dec hex filename
- 3978 0 0 3978 f8a libsmb/asn1.o
- 18963 0 288 19251 4b33 libsmb/cliconnect.o
- 2815 0 1024 3839 eff libsmb/clidgram.o
- 4038 0 0 4038 fc6 libsmb/clientgen.o
- 3337 664 256 4257 10a1 libsmb/clierror.o
- 10043 0 0 10043 273b libsmb/clifile.o
- 332 0 0 332 14c libsmb/clifsinfo.o
- 166 0 0 166 a6 libsmb/clikrb5.o
- 5212 0 0 5212 145c libsmb/clilist.o
- 1367 0 0 1367 557 libsmb/climessage.o
- 259 0 0 259 103 libsmb/clioplock.o
- 1584 0 0 1584 630 libsmb/cliprint.o
- 7565 0 256 7821 1e8d libsmb/cliquota.o
- 7694 0 0 7694 1e0e libsmb/clirap.o
- 27440 0 0 27440 6b30 libsmb/clirap2.o
- 2905 0 0 2905 b59 libsmb/clireadwrite.o
- 1698 0 0 1698 6a2 libsmb/clisecdesc.o
- 5517 0 0 5517 158d libsmb/clispnego.o
- 485 0 0 485 1e5 libsmb/clistr.o
- 8449 0 0 8449 2101 libsmb/clitrans.o
- 2053 0 4 2057 809 libsmb/conncache.o
- 3041 0 256 3297 ce1 libsmb/credentials.o
- 1261 0 1024 2285 8ed libsmb/doserr.o
- 14560 0 0 14560 38e0 libsmb/errormap.o
- 3645 0 0 3645 e3d libsmb/namecache.o
- 16815 0 8 16823 41b7 libsmb/namequery.o
- 1626 0 0 1626 65a libsmb/namequery_dc.o
- 14301 0 1076 15377 3c11 libsmb/nmblib.o
- 24516 0 2048 26564 67c4 libsmb/nterr.o
- 8661 0 8 8669 21dd libsmb/ntlmssp.o
- 3188 0 0 3188 c74 libsmb/ntlmssp_parse.o
- 4945 0 0 4945 1351 libsmb/ntlmssp_sign.o
- 1303 0 0 1303 517 libsmb/passchange.o
- 1221 0 0 1221 4c5 libsmb/pwd_cache.o
- 2475 0 4 2479 9af libsmb/samlogon_cache.o
- 10768 32 0 10800 2a30 libsmb/smb_signing.o
- 4524 0 16 4540 11bc libsmb/smbdes.o
- 5708 0 0 5708 164c libsmb/smbencrypt.o
- 7049 0 3072 10121 2789 libsmb/smberr.o
- 2995 0 0 2995 bb3 libsmb/spnego.o
- 3186 0 0 3186 c72 libsmb/trustdom_cache.o
- 1742 0 0 1742 6ce libsmb/trusts_util.o
- 918 0 28 946 3b2 libsmb/unexpected.o
-
-notice all of the non-zero data and bss elements? Every bit of that
-data is a bug waiting to happen.
-
-Static data is evil as it has the following consequences:
-- it makes code much less likely to be thread-safe
-- it makes code much less likely to be recursion-safe
-- it leads to subtle side effects when the same code is called from multiple places
-- doesn't play well with shared libraries or plugins
-
-Static data is particularly evil in library code (such as our internal
-smb and rpc libraries). If you can get rid of all static data in
-libraries then you can make some fairly strong guarantees about the
-behaviour of functions in that library, which really helps.
-
-Of course, it is possible to write code that uses static data and is
-safe, it's just much harder to do that than just avoid static data in
-the first place. We have been tripped up countless times by subtle
-bugs in Samba due to the use of static data, so I think it is time to
-start avoiding it in new code. Much of the core infrastructure of
-Samba4 was specifically written to avoid static data, so I'm going to
-be really annoyed if everyone starts adding lots of static data back
-in.
-
-So, how do we avoid static data? The basic method is to use context
-pointers. When reading the Samba4 code you will notice that just about
-every function takes a pointer to a context structure as its first
-argument. Any data that the function needs that isn't an explicit
-argument to the function can be found by traversing that context.
-
-Note that this includes all of the little caches that we have lying
-all over the code in Samba3. I'm referring to the ones that generally
-have a "static int initialised" and then some static string or integer
-that remembers the last return value of the function. Get rid of them!
-If you are *REALLY* absolutely completely certain that your personal
-favourite mini-cache is needed then you should do it properly by
-putting it into the appropriate context rather than doing it the lazy
-way by putting it inside the target function. I would suggest however
-that the vast majority of those little caches are useless - don't
-stick it in unless you have really firm benchmarking results that show
-that it is needed and helps by a significant amount.
-
-Note that Samba4 is not yet completely clean of static data like
-this. I've gotten the smbd/ directory down to 24 bytes of static data,
-and libcli/raw/ down to zero. I've also gotten the ntvfs layer and all
-backends down to just 8 bytes in ntvfs_base.c. The rest still needs
-some more work.
-
-Also note that truly constant data is OK, and will not in fact show up
-in the data and bss columns in "size" anyway (it will be included in
-"text"). So you can have constant tables of protocol data.
-
-
-How to use talloc
------------------
-
-Please see the separate document, lib/talloc/talloc_guide.txt
-You _must_ read this if you want to program in Samba4.
-
-
-Interface Structures
---------------------
-
-One of the biggest changes in Samba4 is the universal use of interface
-structures. Go take a look through libcli/raw/interfaces.h now to get
-an idea of what I am talking about.
-
-In Samba3 many of the core wire structures in the SMB protocol were
-never explicitly defined in Samba. Instead, our parse and generation
-functions just worked directly with wire buffers. The biggest problem
-with this is that is tied our parse code with our "business logic"
-much too closely, which meant the code got extremely confusing to
-read.
-
-In Samba4 we have explicitly defined interface structures for
-everything in the protocol. When we receive a buffer we always parse
-it completely into one of these structures, then we pass a pointer to
-that structure to a backend handler. What we must *not* do is make any
-decisions about the data inside the parse functions. That is critical
-as different backends will need different portions of the data. This
-leads to a golden rule for Samba4:
-
- "don't design interfaces that lose information"
-
-In Samba3 our backends often received "condensed" versions of the
-information sent from clients, but this inevitably meant that some
-backends could not get at the data they needed to do what they wanted,
-so from now on we should expose the backends to all of the available
-information and let them choose which bits they want.
-
-Ok, so now some of you will be thinking "this sounds just like our
-msrpc code from Samba3", and while to some extent this is true there
-are extremely important differences in the approach that are worth
-pointing out.
-
-In the Samba3 msrpc code we used explicit parse structures for all
-msrpc functions. The problem is that we didn't just put all of the
-real variables in these structures, we also put in all the artifacts
-as well. A good example is the security descriptor strucrure that
-looks like this in Samba3::
-
- typedef struct security_descriptor_info
- {
- uint16 revision;
- uint16 type;
-
- uint32 off_owner_sid;
- uint32 off_grp_sid;
- uint32 off_sacl;
- uint32 off_dacl;
-
- SEC_ACL *dacl;
- SEC_ACL *sacl;
- DOM_SID *owner_sid;
- DOM_SID *grp_sid;
- } SEC_DESC;
-
-The problem with this structure is all the off_* variables. Those are
-not part of the interface, and do not appear in any real descriptions
-of Microsoft security descriptors. They are parsing artifacts
-generated by the IDL compiler that Microsoft use. That doesn't mean
-they aren't needed on the wire - indeed they are as they tell the
-parser where to find the following four variables, but they should
-*NOT* be in the interface structure.
-
-In Samba3 there were unwritten rules about which variables in a
-structure a high level caller has to fill in and which ones are filled
-in by the marshalling code. In Samba4 those rules are gone, because
-the redundant artifact variables are gone. The high level caller just
-sets up the real variables and the marshalling code worries about
-generating the right offsets.
-
-The same rule applies to strings. In many places in the SMB and MSRPC
-protocols complex strings are used on the wire, with complex rules
-about padding, format, alighment, termination etc. None of that
-information is useful to a high level calling routine or to a backend - its
-all just so much wire fluff. So, in Samba4 these strings are
-just "char \*" and are always in our internal multi-byte format (which
-is usually UTF8). It is up to the parse functions to worry about
-translating the format and getting the padding right.
-
-The one exception to this is the use of the WIRE_STRING type, but that
-has a very good justification in terms of regression testing. Go and
-read the comment in smb_interfaces.h about that now.
-
-So, here is another rule to code by. When writing an interface
-structure think carefully about what variables in the structure can be
-left out as they are redundant. If some length is effectively defined
-twice on the wire then only put it once in the packet. If a length can
-be inferred from a null termination then do that and leave the length
-out of the structure completely. Don't put redundant stuff in
-structures!
-
-
-Async Design
-------------
-
-Samba4 has an asynchronous design. That affects *lots* of the code,
-and the implications of the asynchronous design needs to be considered
-just about everywhere.
-
-The first aspect of the async design to look at is the SMB client
-library. Lets take a look at the following three functions in
-libcli/raw/rawfile.c::
-
- struct cli_request *smb_raw_seek_send(struct cli_tree *tree, struct smb_seek *parms);
- NTSTATUS smb_raw_seek_recv(struct cli_request *req, struct smb_seek *parms);
- NTSTATUS smb_raw_seek(struct cli_tree *tree, struct smb_seek *parms);
-
-Go and read them now then come back.
-
-Ok, first notice there there are 3 separate functions, whereas the
-equivalent code in Samba3 had just one. Also note that the 3rd
-function is extremely simple - its just a wrapper around calling the
-first two in order.
-
-The three separate functions are needed because we need to be able to
-generate SMB calls asynchronously. The first call, which for smb calls
-is always called smb_raw_XXXX_send(), constructs and sends a SMB
-request and returns a "struct cli_request" which acts as a handle for
-the request. The caller is then free to do lots of other calls if it
-wants to, then when it is ready it can call the smb_raw_XXX_recv()
-function to receive the reply.
-
-If all you want is a synchronous call then call the 3rd interface, the
-one called smb_raw_XXXX(). That just calls the first two in order, and
-blocks waiting for the reply.
-
-But what if you want to be called when the reply comes in? Yes, thats
-possible. You can do things like this::
-
- struct cli_request *req;
-
- req = smb_raw_XXX_send(tree, params);
-
- req->async.fn = my_callback;
- req->async.private = my_private_data;
-
-then in your callback function you can call the smb_raw_XXXX_recv()
-function to receive the reply. Your callback will receive the "req"
-pointer, which you can use to retrieve your private data from
-req->async.private.
-
-Then all you need to do is ensure that the main loop in the client
-library gets called. You can either do that by polling the connection
-using cli_transport_pending() and cli_request_receive_next() or you
-can use transport->idle.func to setup an idle function handler to call
-back to your main code. Either way, you can build a fully async
-application.
-
-In order to support all of this we have to make sure that when we
-write a piece of library code (SMB, MSRPC etc) that we build the
-separate _send() and _recv() functions. It really is worth the effort.
-
-Now about async in smbd, a much more complex topic.
-
-The SMB protocol is inherently async. Some functions (such as change
-notify) often don't return for hours, while hundreds of other
-functions pass through the socket. Take a look at the RAW-MUX test in
-the Samba4 smbtorture to see some really extreme examples of the sort
-of async operations that Windows supports. I particularly like the
-open/open/close sequence where the 2nd open (which conflicts with the
-first) succeeds because the subsequent close is answered out of order.
-
-In Samba3 we handled this stuff very badly. We had awful "pending
-request" queues that allocated full 128k packet buffers, and even with
-all that crap we got the semantics wrong. In Samba4 I intend to make
-sure we get this stuff right.
-
-So, how do we do this? We now have an async interface between smbd and
-the NTVFS backends. Whenever smbd calls into a backend the backend has
-an option of answer the request in a synchronous fashion if it wants
-to just like in Samba3, but it also has the option of answering the
-request asynchronously. The only backend that currently does this is
-the CIFS backend, but I hope the other backends will soon do this to.
-
-To make this work you need to do things like this in the backend::
-
- req->control_flags |= REQ_CONTROL_ASYNC;
-
-that tells smbd that the backend has elected to reply later rather
-than replying immediately. The backend must *only* do this if
-req->async.send_fn is not NULL. If send_fn is NULL then it means that
-the smbd front end cannot handle this function being replied to in an
-async fashion.
-
-If the backend does this then it is up to the backend to call
-req->async.send_fn() when it is ready to reply. It the meantime smbd
-puts the call on hold and goes back to answering other requests on the
-socket.
-
-Inside smbd you will find that there is code to support this. The most
-obvious change is that smbd splits each SMB reply function into two
-parts - just like the client library has a _send() and _recv()
-function, so smbd has a _send() function and the parse function for
-each SMB.
-
-As an example go and have a look at reply_getatr_send() and
-reply_getatr() in smb_server/smb/reply.c. Read them? Good.
-
-Notice that reply_getatr() sets up the req->async structure to contain
-the send function. Thats how the backend gets to do an async reply, it
-calls this function when it is ready. Also notice that reply_getatr()
-only does the parsing of the request, and does not do the reply
-generation. That is done by the _send() function.
-
-
-NTVFS
------
-
-One of the most noticeable changes in Samba4 is the introduction of
-the NTVFS layer. This provided the initial motivation for the design
-of Samba4 and in many ways lies at the heart of the design.
-
-In Samba3 the main file serving process (smbd) combined the handling
-of the SMB protocol with the mapping to POSIX semantics in the same
-code. If you look in smbd/reply.c in Samba3 you see numerous places
-where POSIX assumptions are mixed tightly with SMB parsing code. We
-did have a VFS layer in Samba3, but it was a POSIX-like VFS layer, so
-no matter how you wrote a plugin you could not bypass the POSIX
-mapping decisions that had already been made before the VFS layer was
-called.
-
-In Samba4 things are quite different. All SMB parsing is performed in
-the smbd front end, then fully parsed requests are passed to the NTVFS
-backend. That backend makes any semantic mapping decisions and fills
-in the 'out' portion of the request. The front end is then responsible
-for putting those results into wire format and sending them to the
-client.
-
-Lets have a look at one of those request structures. Go and read the
-definition of "union smb_write" and "enum write_level" in
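Review bot: the commit message says only "Move the still relevant parts elsewhere", so this deletion alone does not show which of the 777 removed lines were kept or where they went. The summary of changes lists librpc/binding-strings.txt (55 lines) and source4/rpc_server/dcerpc_server.h (26 lines) as additions that could hold them; naming the destinations in the commit message, and saying whether sections such as "Static and Global Data" and "Async Design" are dropped on purpose, would make the removal reviewable.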
--
Samba Shared Repository
Martin Schwenke
2018-01-22 10:12:02 UTC
The branch, master has been updated
via 9daf40c talloc: Fix documentation typo
via 33c0f55 ctdb-tests: Avoid race condition in sock_daemon test 5
from ac9d528 docs: Remove prog_guide4.txt

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9daf40c55af61081abca663c7250f103d5b2a0df
Author: Martin Schwenke <***@meltin.net>
Date: Thu Jan 18 16:08:15 2018 +1100

talloc: Fix documentation typo

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

Autobuild-User(master): Martin Schwenke <***@samba.org>
Autobuild-Date(master): Mon Jan 22 11:11:38 CET 2018 on sn-devel-144

commit 33c0f5599d93a34619c8f37945f79a6e399a1b5e
Author: Amitay Isaacs <***@gmail.com>
Date: Mon Jan 22 12:54:49 2018 +1100

ctdb-tests: Avoid race condition in sock_daemon test 5

This test fails when it takes more than 10s to run. This can occur
when the system is loaded and socket-wrapper is used.

Signed-off-by: Amitay Isaacs <***@gmail.com>
Reviewed-by: Martin Schwenke <***@meltin.net>

-----------------------------------------------------------------------

Summary of changes:
ctdb/tests/src/sock_daemon_test.c | 26 +++++++++++++++++---------
lib/talloc/talloc.h | 2 +-
2 files changed, 18 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/tests/src/sock_daemon_test.c b/ctdb/tests/src/sock_daemon_test.c
index 5641d37..ebc0b85 100644
--- a/ctdb/tests/src/sock_daemon_test.c
+++ b/ctdb/tests/src/sock_daemon_test.c
@@ -668,7 +668,8 @@ static void test4(TALLOC_CTX *mem_ctx, const char *pidfile,
* Start daemon, multiple client connects, requests, disconnects
*/

-#define TEST5_MAX_CLIENTS 10
+#define TEST5_VALID_CLIENTS 10
+#define TEST5_MAX_CLIENTS 100

struct test5_pkt {
uint32_t len;
@@ -710,7 +711,8 @@ static void test5_client_callback(uint8_t *buf, size_t buflen,
state->done = true;
}

-static int test5_client(const char *sockpath, int id)
+static int test5_client(const char *sockpath, int id, pid_t pid_server,
+ pid_t *client_pid)
{
pid_t pid;
int fd[2];
@@ -760,7 +762,9 @@ static int test5_client(const char *sockpath, int id)
close(fd[0]);
state.fd = -1;

- sleep(10);
+ while (kill(pid_server, 0) == 0 || errno != ESRCH) {
+ sleep(1);
+ }
exit(0);
}

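Review bot: the wait loop added to the client child, `while (kill(pid_server, 0) == 0 || errno != ESRCH)`, has no upper bound. It keeps sleeping on any kill() failure other than ESRCH (EPERM, for instance), and if the server pid is recycled it runs for as long as the new owner lives. The child then depends entirely on the parent's SIGKILL to exit. A short comment saying so, or a retry cap, would keep a failed test run from leaving stray children behind.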
@@ -775,6 +779,7 @@ static int test5_client(const char *sockpath, int id)

close(fd[0]);

+ *client_pid = pid;
return ret;
}

@@ -788,12 +793,12 @@ static bool test5_connect(struct sock_client_context *client,
struct test5_server_state *state =
(struct test5_server_state *)private_data;

- if (state->num_clients == TEST5_MAX_CLIENTS) {
+ if (state->num_clients == TEST5_VALID_CLIENTS) {
return false;
}

state->num_clients += 1;
- assert(state->num_clients <= TEST5_MAX_CLIENTS);
+ assert(state->num_clients <= TEST5_VALID_CLIENTS);
return true;
}

@@ -925,6 +930,7 @@ static void test5(TALLOC_CTX *mem_ctx, const char *pidfile,
pid_t pid_server, pid;
int fd[2], ret, i;
ssize_t n;
+ pid_t client_pid[TEST5_MAX_CLIENTS];

pid = getpid();

@@ -968,16 +974,18 @@ static void test5(TALLOC_CTX *mem_ctx, const char *pidfile,

close(fd[0]);

- for (i=0; i<100; i++) {
- ret = test5_client(sockpath, i);
- if (i < TEST5_MAX_CLIENTS) {
+ for (i=0; i<TEST5_MAX_CLIENTS; i++) {
+ ret = test5_client(sockpath, i, pid_server, &client_pid[i]);
+ if (i < TEST5_VALID_CLIENTS) {
assert(ret == i+1);
} else {
assert(ret == 0);
}
}

- for (i=0; i<100; i++) {
+ for (i=TEST5_MAX_CLIENTS-1; i>=0; i--) {
+ kill(client_pid[i], SIGKILL);
+
pid = wait(&ret);
assert(pid != -1);
}
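Review bot: in the reaping loop the return value of `kill(client_pid[i], SIGKILL)` is ignored, and `wait(&ret)` reaps whichever child exits first rather than the one just signalled. `client_pid[]` is declared without an initializer in the previous hunk, so this loop also relies on test5_client() having stored a pid for every index. Suggest asserting that kill() returns 0 and using `waitpid(client_pid[i], &ret, 0)`.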
diff --git a/lib/talloc/talloc.h b/lib/talloc/talloc.h
index 618430a..dda308d 100644
--- a/lib/talloc/talloc.h
+++ b/lib/talloc/talloc.h
@@ -1226,7 +1226,7 @@ size_t talloc_array_length(const void *ctx);
*
* @code
* ptr = talloc_array(ctx, type, count);
- * if (ptr) memset(ptr, sizeof(type) * count);
+ * if (ptr) memset(ptr, 0, sizeof(type) * count);
* @endcode
*/
void *talloc_zero_array(const void *ctx, #type, unsigned count);
--
Samba Shared Repository
Andreas Schneider
2018-01-22 16:27:02 UTC
The branch, master has been updated
via 39a6ea7 waf: Fix NFS quota support with libtirpc
via 87f105d wafsamba: Allow passing 'lib' to CHECK_STRUCTURE_MEMBER
via ee0be7e build: deal with recent glibc sunrpc header removal
via c29d087 include: Create system/nis.h in libreplace
via ca5eaf0 s3:waf: Move HAVE_NETGROUP to wscript
via 850a802 dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links
via a25c99c repl_meta_data: fix linked attribute corruption on databases with unsorted links on expunge
via c34c2dd testprogs:blackbox: add regression test for unsorted links in tombstones-expunge.sh
from 9daf40c talloc: Fix documentation typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 39a6ea766dfe55d84ab2284b8d5ed01d66da11dd
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 19 14:30:20 2018 +0100

waf: Fix NFS quota support with libtirpc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Mon Jan 22 17:26:52 CET 2018 on sn-devel-144

commit 87f105d76ce074bff08fd507d72568be88d48d00
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 19 15:34:32 2018 +0100

wafsamba: Allow passing 'lib' to CHECK_STRUCTURE_MEMBER

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

We need to be able to point it to the right header location, so we need
to be able to pass the 'lib' that it gets set.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit ee0be7eb723be1420fd601ea1abe0af748562953
Author: Günther Deschner <***@samba.org>
Date: Tue Jan 16 17:48:10 2018 +0100

build: deal with recent glibc sunrpc header removal

We need to rely on libtirpc or libntirpc to be around in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10976

Guenther

Pair-Programmed-With: Andreas Schneider <***@samba.org>

Signed-off-by: Guenther Deschner <***@samba.org>
Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit c29d087e1ea4c92717ef86e372fe80f410580fdc
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 19 09:33:21 2018 +0100

include: Create system/nis.h in libreplace

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Pair-Programmed-With: Guenther Deschner <***@samba.org>

Signed-off-by: Andreas Schneider <***@samba.org>
Signed-off-by: Guenther Deschner <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit ca5eaf0cdcf8257ac52786aa7439c8f081a2fe0d
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 19 09:32:49 2018 +0100

s3:waf: Move HAVE_NETGROUP to wscript

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Pair-Programmed-With: Guenther Deschner <***@samba.org>

Signed-off-by: Andreas Schneider <***@samba.org>
Signed-off-by: Guenther Deschner <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>

commit 850a8027f32185e523614231cca76505134bb5e4
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 19 11:50:55 2018 +0100

dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit a25c99c9f1fd1814c56c21848c748cd0e038eed7
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 17 08:07:03 2018 +0100

repl_meta_data: fix linked attribute corruption on databases with unsorted links on expunge

This is a really critical bug, it removes valid linked attributes.

When a DC that was provisioned/joined with a Samba version older than 4.7
is upgraded to 4.7 (or later), it can happen that the garbage collection
(dsdb_garbage_collect_tombstones()), triggered periodically by the 'kcc' task
of 'samba' or by 'samba-tool domain tombstones expunge', corrupts the linked attributes.

This is similar to Bug #13095 - Broken linked attribute handling,
but it's not triggered by an originating change.

The bug happens in replmd_modify_la_delete()
where get_parsed_dns_trusted() generates a sorted array of
struct parsed_dn based on the values in old_el->values.

If the database doesn't support the sortedLinks compatibleFeatures
in the @SAMBA_DSDB record, it's very likely that
the array of old_dns is sorted differently than the values
in old_el->values.

The problem is that struct parsed_dn has just a pointer
'struct ldb_val *v' that points to the corresponding
value in old_el->values.

Now if vanish_links is true the damage happens here:

	if (vanish_links) {
		unsigned j = 0;
		for (i = 0; i < old_el->num_values; i++) {
			if (old_dns[i].v != NULL) {
				old_el->values[j] = *old_dns[i].v;
				j++;
			}
		}
		old_el->num_values = j;
	}

old_el->values[0] = *old_dns[0].v;
can change the value old_dns[1].v is pointing at!
That means that some values can get lost while others
are stored twice, because the LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK
allows it to be stored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c34c2dd55545b99fba46cf374a1653bad96cea9e
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Jan 18 14:54:04 2018 +0100

testprogs:blackbox: add regression test for unsorted links in tombstones-expunge.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
buildtools/wafsamba/samba_autoconf.py | 4 +-
ctdb/wscript | 2 +-
lib/replace/system/nis.h | 83 ++++++++++++++++++++++
lib/replace/wscript | 38 ++++++++--
lib/util/access.c | 10 ++-
lib/util/wscript_build | 2 +-
python/samba/dbchecker.py | 22 +++++-
selftest/knownfail.d/dbcheck_duplicate_member | 5 ++
source3/auth/user_util.c | 13 ++++
source3/auth/wscript_build | 2 +-
source3/include/includes.h | 49 -------------
source3/lib/sysquotas_nfs.c | 11 ++-
source3/lib/util.c | 11 +++
source3/modules/nfs4acl_xattr_xdr.c | 9 +++
source3/wscript | 35 +++++----
source3/wscript_build | 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 18 ++++-
.../add-unsorted-links-step1.ldif | 72 +++++++++++++++++++
.../add-unsorted-links-step2.ldif | 12 ++++
.../release-4-5-0-pre1/expected-expunge-output.txt | 2 +-
.../expected-unsorted-links-after-expunge.ldif | 23 ++++++
testprogs/blackbox/tombstones-expunge.sh | 24 +++++++
22 files changed, 365 insertions(+), 84 deletions(-)
create mode 100644 lib/replace/system/nis.h
create mode 100644 selftest/knownfail.d/dbcheck_duplicate_member
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-unsorted-links-step1.ldif
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-unsorted-links-step2.ldif
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-unsorted-links-after-expunge.ldif


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 7940a7d..cc08e0d 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -454,7 +454,8 @@ def CHECK_CODE(conf, code, define,

@conf
def CHECK_STRUCTURE_MEMBER(conf, structname, member,
- always=False, define=None, headers=None):
+ always=False, define=None, headers=None,
+ lib=None):
'''check for a structure member'''
if define is None:
define = 'HAVE_%s' % member.upper()
@@ -463,6 +464,7 @@ def CHECK_STRUCTURE_MEMBER(conf, structname, member,
define,
execute=False,
link=False,
+ lib=lib,
always=always,
headers=headers,
local_include=False,
diff --git a/ctdb/wscript b/ctdb/wscript
index 8774b99..715ecb1 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -559,7 +559,7 @@ def build(bld):
bld.SAMBA_BINARY('smnotify',
source=bld.SUBDIR('utils/smnotify',
'smnotify.c gen_smnotify.c gen_xdr.c'),
- deps='ctdb-smnotify-h ctdb-smnotify-c ctdb-smnotify-x popt',
+ deps='ctdb-smnotify-h ctdb-smnotify-c ctdb-smnotify-x popt tirpc',
includes='utils utils/smnotify',
install_path='${CTDB_HELPER_BINDIR}')

diff --git a/lib/replace/system/nis.h b/lib/replace/system/nis.h
new file mode 100644
index 0000000..068595a
--- /dev/null
+++ b/lib/replace/system/nis.h
@@ -0,0 +1,83 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ nis system include wrappers
+
+ Copyright (C) Andrew Tridgell 2004
+
+ ** NOTE! The following LGPL license applies to the replace
+ ** library. This does NOT imply that all of Samba is released
+ ** under the LGPL
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _nis_passwd_h
+#define _nis_passwd_h
+
+#if defined(HAVE_RPC_RPC_H)
+/*
+ * Check for AUTH_ERROR define conflict with rpc/rpc.h in prot.h.
+ */
+#if defined(HAVE_SYS_SECURITY_H) && defined(HAVE_RPC_AUTH_ERROR_CONFLICT)
+#undef AUTH_ERROR
+#endif /* HAVE_SYS_SECURITY_H && HAVE_RPC_AUTH_ERROR_CONFLICT */
+/*
+ * HP-UX 11.X has TCP_NODELAY and TCP_MAXSEG defined in <netinet/tcp.h> which
+ * was included above. However <rpc/rpc.h> includes <sys/xti.h> which defines
+ * them again without checking if they already exsist. This generates
+ * two "Redefinition of macro" warnings for every single .c file that is
+ * compiled.
+ */
+#if defined(HPUX) && defined(TCP_NODELAY)
+#undef TCP_NODELAY
+#endif /* HPUX && TCP_NODELAY */
+
+#if defined(HPUX) && defined(TCP_MAXSEG)
+#undef TCP_MAXSEG
+#endif /* HPUX && TCP_MAXSEG */
+
+#include <rpc/rpc.h>
+#endif /* HAVE_RPC_RPC_H */
+
+
+#if defined (HAVE_NETGROUP)
+
+#if defined(HAVE_RPCSVC_YP_PROT_H)
+/*
+ * HP-UX 11.X has TCP_NODELAY and TCP_MAXSEG defined in <netinet/tcp.h> which
+ * was included above. However <rpc/rpc.h> includes <sys/xti.h> which defines
+ * them again without checking if they already exsist. This generates
+ * two "Redefinition of macro" warnings for every single .c file that is
+ * compiled.
+ */
+#if defined(HPUX) && defined(TCP_NODELAY)
+#undef TCP_NODELAY
+#endif /* HPUX && TCP_MAXSEG */
+
+#if defined(HPUX) && defined(TCP_MAXSEG)
+#undef TCP_MAXSEG
+#endif /* HPUX && TCP_MAXSEG */
+
+#include <rpcsvc/yp_prot.h>
+
+#endif /* HAVE_RPCSVC_YP_PROT_H */
+
+#if defined(HAVE_RPCSVC_YPCLNT_H)
+#include <rpcsvc/ypclnt.h>
+#endif /* HAVE_RPCSVC_YPCLNT_H */
+
+#endif /* HAVE_NETGROUP */
+
+#endif /* _nis_passwd_h */
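Review bot: in the HAVE_RPCSVC_YP_PROT_H block, the `#endif` that closes `#if defined(HPUX) && defined(TCP_NODELAY)` is commented `/* HPUX && TCP_MAXSEG */`; it should read `/* HPUX && TCP_NODELAY */`, like the one in the HAVE_RPC_RPC_H block. While here: both copied comments spell "exist" as "exsist", and the include guard `_nis_passwd_h` does not match the file name system/nis.h.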
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 2f94d49..2c638b7 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -5,7 +5,7 @@ VERSION = '1.2.1'

blddir = 'bin'

-import sys, os
+import Logs, sys, os

# find the buildtools directory
srcdir = '.'
@@ -65,14 +65,42 @@ def configure(conf):
headers='sys/inotify.h')

conf.CHECK_HEADERS('security/pam_appl.h zlib.h asm/unistd.h')
- conf.CHECK_HEADERS('aio.h sys/unistd.h rpc/rpc.h rpc/nettype.h alloca.h float.h')
+ conf.CHECK_HEADERS('aio.h sys/unistd.h alloca.h float.h')
+
+ conf.SET_TARGET_TYPE('tirpc', 'EMPTY')
+ conf.CHECK_HEADERS('rpc/rpc.h rpc/nettype.h')
+ if not conf.CONFIG_SET('HAVE_RPC_RPC_H'):
+ if conf.CHECK_CFG(package='libtirpc', args='--cflags --libs',
+ msg='Checking for libtirpc headers',
+ uselib_store='TIRPC'):
+ conf.CHECK_HEADERS('rpc/rpc.h rpc/nettype.h', lib='tirpc', together=True)
+ conf.SET_TARGET_TYPE('tirpc', 'SYSLIB')
+ if not conf.CONFIG_SET('HAVE_RPC_RPC_H'):
+ if conf.CHECK_CFG(package='libntirpc', args='--cflags',
+ msg='Checking for libntirpc headers',
+ uselib_store='TIRPC'):
+ conf.CHECK_HEADERS('rpc/rpc.h rpc/nettype.h', lib='tirpc', together=True)
+ conf.SET_TARGET_TYPE('tirpc', 'SYSLIB')
+ if not conf.CONFIG_SET('HAVE_RPC_RPC_H'):
+ Logs.error('ERROR: No rpc/rpc.h header found, tirpc or libntirpc missing?')
+ sys.exit(1)
+
+ conf.SET_TARGET_TYPE('nsl', 'EMPTY')
+ conf.CHECK_HEADERS('rpc/rpc.h rpcsvc/yp_prot.h', lib='tirpc')
+ if not conf.CONFIG_SET('HAVE_RPCSVC_YP_PROT_H'):
+ if conf.CHECK_CFG(package='libnsl', args='--cflags --libs',
+ msg='Checking for libnsl',
+ uselib_store='NSL'):
+ conf.SET_TARGET_TYPE('nsl', 'SYSLIB')
+ conf.CHECK_HEADERS('rpc/rpc.h rpcsvc/yp_prot.h', lib='tirpc nsl')
+ else:
+ conf.SET_TARGET_TYPE('nsl', 'SYSLIB')
+ conf.CHECK_HEADERS('rpcsvc/nis.h rpcsvc/ypclnt.h', lib='tirpc nsl')

- conf.CHECK_HEADERS('rpcsvc/nis.h rpcsvc/ypclnt.h sys/sysctl.h')
+ conf.CHECK_HEADERS('sys/sysctl.h')
conf.CHECK_HEADERS('sys/fileio.h sys/filesys.h sys/dustat.h sys/sysmacros.h')
conf.CHECK_HEADERS('xfs/libxfs.h netgroup.h')

- conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
-
conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h')
conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h')
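Review bot: the `sys.exit(1)` at the end of the rpc/rpc.h probing turns a missing header into a hard configure failure, with no visible option to build without RPC support. If that is intended, it deserves a line in the commit message or an explanatory comment. Also, the libntirpc fallback calls CHECK_CFG with `args='--cflags'` only, while the libtirpc branch uses `--cflags --libs`, yet both mark 'tirpc' as SYSLIB; please confirm that the missing `--libs` is deliberate.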
diff --git a/lib/util/access.c b/lib/util/access.c
index 6d04a5f..7da0573 100644
--- a/lib/util/access.c
+++ b/lib/util/access.c
@@ -22,6 +22,10 @@
#include "lib/util/access.h"
#include "lib/util/unix_match.h"

+#if defined(HAVE_NETGROUP)
+#include "system/nis.h"
+#endif
+
#define NAME_INDEX 0
#define ADDR_INDEX 1

@@ -143,11 +147,11 @@ static bool string_match(const char *tok,const char *s)

netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);

- DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
+ DBG_INFO("%s %s of domain %s in netgroup %s\n",
+ netgroup_ok ? "Found" : "Could not find",
hostname,
mydomain?mydomain:"(ANY)",
- tok+1,
- BOOLSTR(netgroup_ok)));
+ tok+1);

SAFE_FREE(hostname);

diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index 0b16b6f..30face3 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -204,7 +204,7 @@ else:

bld.SAMBA_SUBSYSTEM('access',
source='access.c',
- deps='interfaces samba-util',
+ deps='interfaces samba-util tirpc nsl',
local_include=False)

bld.SAMBA_SUBSYSTEM('util_str_escape',
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 1933740..6e4c440 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -708,9 +708,15 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
"Failed to fix incorrect RMD_FLAGS %u" % rmd_flags):
self.report("Fixed incorrect RMD_FLAGS %u" % (rmd_flags))

- def err_orphaned_backlink(self, obj, attrname, val, link_name, target_dn):
+ def err_orphaned_backlink(self, obj, attrname, val, link_name, target_dn, duplicate_links):
'''handle a orphaned backlink value'''
self.report("ERROR: orphaned backlink attribute '%s' in %s for link %s in %s" % (attrname, obj.dn, link_name, target_dn))
+ if duplicate_links:
+ self.report("ERROR: FATAL! Most likely the corresponding forward link got lost!")
+ self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
+ self.report("Recovery handling will be implemented in a future version")
+ self.report("Not removing orphaned backlink %s" % attrname)
+ return
if not self.confirm_all('Remove orphaned backlink %s' % attrname, 'fix_all_orphaned_backlinks'):
self.report("Not removing orphaned backlink %s" % attrname)
return
@@ -724,6 +730,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
def err_duplicate_links(self, obj, attrname, vals):
'''handle a duplicate links value'''

+ self.report("ERROR: FATAL! Most likely some forward link values for attribute '%s' in '%s' got lost!" % (attrname, obj.dn))
+ self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
+ self.report("Recovery handling will be implemented in a future version")
+ self.report("Not removing duplicate links in attribute '%s'" % attrname)
+ return
if not self.confirm_all("Remove duplicate links in attribute '%s'" % attrname, 'fix_all_duplicate_links'):
self.report("Not removing duplicate links in attribute '%s'" % attrname)
return
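Review bot: the unconditional `return` added at the top of err_duplicate_links() makes the existing confirm_all() path below it unreachable. If the fix is only disabled temporarily, as the report text says, mark that with a comment referencing bug 13228 or remove the dead code, so the next reader does not assume the removal path can still run.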
@@ -896,6 +907,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
else:
reverse_syntax_oid = None

+ duplicate_links = False
duplicate_dict = dict()
duplicate_list = list()
unique_dict = dict()
@@ -950,6 +962,10 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
unique_dict[keystr] = dsdb_dn

if len(duplicate_list) != 0:
+ duplicate_links = True
+ self.report("ERROR: FATAL! Most likely some forward link values for attribute '%s' in '%s' got lost!" % (attrname, obj.dn))
+ self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
+
self.report("ERROR: Duplicate link values for attribute '%s' in '%s'" % (attrname, obj.dn))
for keystr in duplicate_list:
d = duplicate_dict[keystr]
@@ -1148,7 +1164,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
error_count += 1
self.err_orphaned_backlink(obj, attrname,
val, reverse_link_name,
- dsdb_dn.dn)
+ dsdb_dn.dn, duplicate_links)
continue
# Only warn here and let the forward link logic fix it.
self.report("WARNING: Link (back) mismatch for '%s' (%d) on '%s' to '%s' (%d) on '%s'" % (
@@ -1180,7 +1196,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
else:
self.err_orphaned_backlink(res[0], reverse_link_name,
obj.dn.extended_str(), attrname,
- obj.dn)
+ obj.dn, duplicate_links)
diff_count += 1


diff --git a/selftest/knownfail.d/dbcheck_duplicate_member b/selftest/knownfail.d/dbcheck_duplicate_member
new file mode 100644
index 0000000..7ebb82b
--- /dev/null
+++ b/selftest/knownfail.d/dbcheck_duplicate_member
@@ -0,0 +1,5 @@
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_duplicate_member
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.check_expected_after_duplicate_links
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.duplicate_clean
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_clean2
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_clean3
diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
index 1ddb738..63841a1 100644
--- a/source3/auth/user_util.c
+++ b/source3/auth/user_util.c
@@ -23,6 +23,19 @@
#include "system/filesys.h"
#include "auth.h"

+#ifdef HAVE_NETGROUP
+/* rpc/xdr.h uses TRUE and FALSE */
+#ifdef TRUE
+#undef TRUE
+#endif
+
+#ifdef FALSE
+#undef FALSE
+#endif
+
+#include "system/nis.h"
+#endif
+
/*******************************************************************
Map a username from a dos name to a unix name by looking in the username
map. Note that this modifies the name in place.
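Review bot: the `#undef TRUE` / `#undef FALSE` preamble placed before `#include "system/nis.h"` is repeated verbatim in this patch in source3/lib/util.c, and again before the rpc includes in source3/lib/sysquotas_nfs.c and source3/modules/nfs4acl_xattr_xdr.c. Consider doing the undef once inside system/nis.h, or in a small shared header, so the four copies cannot drift apart.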
diff --git a/source3/auth/wscript_build b/source3/auth/wscript_build
index 83b5ad1..8fd7dcd 100644
--- a/source3/auth/wscript_build
+++ b/source3/auth/wscript_build
@@ -6,7 +6,7 @@ bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL',

bld.SAMBA3_SUBSYSTEM('USER_UTIL',
source='user_util.c',
- deps='TOKEN_UTIL')
+ deps='TOKEN_UTIL tirpc nsl')

bld.SAMBA3_SUBSYSTEM('AUTH_COMMON',
source='''auth_util.c
diff --git a/source3/include/includes.h b/source3/include/includes.h
index e82bfad..d822c3f 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -68,55 +68,6 @@
#include "system/time.h"
#include "system/wait.h"

-#if defined(HAVE_RPC_RPC_H)
-/*
- * Check for AUTH_ERROR define conflict with rpc/rpc.h in prot.h.
- */
-#if defined(HAVE_SYS_SECURITY_H) && defined(HAVE_RPC_AUTH_ERROR_CONFLICT)
-#undef AUTH_ERROR
-#endif
-/*
- * HP-UX 11.X has TCP_NODELAY and TCP_MAXSEG defined in <netinet/tcp.h> which
- * was included above. However <rpc/rpc.h> includes <sys/xti.h> which defines
- * them again without checking if they already exsist. This generates
- * two "Redefinition of macro" warnings for every single .c file that is
- * compiled.
- */
-#if defined(HPUX) && defined(TCP_NODELAY)
-#undef TCP_NODELAY
-#endif
-#if defined(HPUX) && defined(TCP_MAXSEG)
-#undef TCP_MAXSEG
-#endif
-#include <rpc/rpc.h>
-#endif
-
-#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined(HAVE_SETNETGRENT) && defined(HAVE_ENDNETGRENT) && defined(HAVE_GETNETGRENT)
-#define HAVE_NETGROUP 1
-#endif
-
-#if defined (HAVE_NETGROUP)
-#if defined(HAVE_RPCSVC_YP_PROT_H)
-/*
- * HP-UX 11.X has TCP_NODELAY and TCP_MAXSEG defined in <netinet/tcp.h> which
- * was included above. However <rpc/rpc.h> includes <sys/xti.h> which defines
- * them again without checking if they already exsist. This generates
- * two "Redefinition of macro" warnings for every single .c file that is
- * compiled.
- */
-#if defined(HPUX) && defined(TCP_NODELAY)
-#undef TCP_NODELAY
-#endif
-#if defined(HPUX) && defined(TCP_MAXSEG)
-#undef TCP_MAXSEG
-#endif
-#include <rpcsvc/yp_prot.h>
-#endif
-#if defined(HAVE_RPCSVC_YPCLNT_H)
-#include <rpcsvc/ypclnt.h>
-#endif
-#endif /* HAVE_NETGROUP */
-
#ifndef HAVE_KRB5_H
#undef HAVE_KRB5
#endif
diff --git a/source3/lib/sysquotas_nfs.c b/source3/lib/sysquotas_nfs.c
index fe46d3f..dd2b12d 100644
--- a/source3/lib/sysquotas_nfs.c
+++ b/source3/lib/sysquotas_nfs.c
@@ -36,13 +36,22 @@
* This is based on the FreeBSD / SUNOS5 section of quotas.c
*/

+/* <rpc/xdr.h> uses TRUE and FALSE */
+#ifdef TRUE
+#undef TRUE
+#endif
+
+#ifdef FALSE
+#undef FALSE
+#endif
+
#include <rpc/rpc.h>
#include <rpc/types.h>
+#include <rpc/xdr.h>
#include <rpcsvc/rquota.h>
#ifdef HAVE_RPC_NETTYPE_H
#include <rpc/nettype.h>
#endif
-#include <rpc/xdr.h>

#ifndef RQ_PATHLEN
#define RQ_PATHLEN 1024
diff --git a/source3/lib/util.c b/source3/lib/util.c
index fb50884..ae9fe71 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -45,6 +45,17 @@
#define MAX_ALLOC_SIZE (1024*1024*256)

#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
+/* rpc/xdr.h uses TRUE and FALSE */
+#ifdef TRUE
+#undef TRUE
+#endif
+
+#ifdef FALSE
+#undef FALSE
+#endif
+
+#include "system/nis.h"
+
#ifdef WITH_NISPLUS_HOME
#ifdef BROKEN_NISPLUS_INCLUDE_FILES
/*
diff --git a/source3/modules/nfs4acl_xattr_xdr.c b/source3/modules/nfs4acl_xattr_xdr.c
index 524e69c..399c104 100644
--- a/source3/modules/nfs4acl_xattr_xdr.c
+++ b/source3/modules/nfs4acl_xattr_xdr.c
@@ -27,6 +27,15 @@
#define DBGC_CLASS DBGC_VFS

#ifdef HAVE_RPC_XDR_H
+/* <rpc/xdr.h> uses TRUE and FALSE */
+#ifdef TRUE
+#undef TRUE
+#endif
+
+#ifdef FALSE
+#undef FALSE
+#endif
+
#include <rpc/xdr.h>
#include "nfs41acl.h"
#include "nfs4acl_xattr_xdr.h"
diff --git a/source3/wscript b/source3/wscript
index e81a212..8751833 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -119,7 +119,6 @@ def configure(conf):
conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
conf.CHECK_FUNCS('shmget')
conf.CHECK_FUNCS_IN('shm_open', 'rt', checklibc=True)
- #FIXME: for some reason this one still fails
conf.CHECK_FUNCS_IN('yp_get_default_domain', 'nsl')
conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
conf.CHECK_FUNCS_IN('dn_expand', 'inet')
@@ -611,6 +610,11 @@ msg.msg_accrightslen = sizeof(fd);
headers='netdb.h netgroup.h',
cflags=netgrent_cflags)

+ if (conf.CONFIG_SET('HAVE_YP_GET_DEFAULT_DOMAIN') and
+ conf.CONFIG_SET('HAVE_SETNETGRENT') and
+ conf.CONFIG_SET('HAVE_ENDNETGRENT') and
+ conf.CONFIG_SET('HAVE_GETNETGRENT')):
+ conf.DEFINE('HAVE_NETGROUP', '1')

# Look for CUPS
if Options.options.with_cups:
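Review bot: HAVE_NETGROUP is now defined from source3/wscript, but the same patch tests it in lib/replace/system/nis.h and lib/util/access.c, which sit outside source3. Would the DEFINE be better placed next to the new header in lib/replace/wscript, so the macro is set wherever nis.h is used?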
@@ -1441,11 +1445,23 @@ main() {
--
Samba Shared Repository
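The aliasing failure described in the repl_meta_data commit message above, reduced to a stand-alone C program. This is an added example, not Samba's code and not the fix from that commit: `struct val`, `struct parsed` and all function names are simplified stand-ins, the sample values are constructed, and the copy-based variant is one possible safe approach assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumptions) for struct ldb_val and struct parsed_dn. */
struct val { const char *data; };
struct parsed { struct val *v; };	/* points back into the values[] array */

static int cmp_parsed(const void *a, const void *b)
{
	const struct parsed *pa = a;
	const struct parsed *pb = b;
	return strcmp(pa->v->data, pb->v->data);
}

/* Build an index sorted by value; every entry aliases a slot of values[]. */
static void build_sorted_index(struct val *values, size_t n, struct parsed *idx)
{
	size_t i;
	for (i = 0; i < n; i++) {
		idx[i].v = &values[i];
	}
	qsort(idx, n, sizeof(idx[0]), cmp_parsed);
}

/* Mark one link as deleted by clearing its index pointer. */
static void mark_deleted(struct parsed *idx, size_t n, const char *victim)
{
	size_t i;
	for (i = 0; i < n; i++) {
		if (idx[i].v != NULL && strcmp(idx[i].v->data, victim) == 0) {
			idx[i].v = NULL;
		}
	}
}

/* Same shape as the loop quoted in the commit message: it writes values[j]
 * while later index entries still read from values[]. */
static size_t compact_in_place(struct val *values, size_t n,
			       const struct parsed *idx)
{
	size_t i, j = 0;
	for (i = 0; i < n; i++) {
		if (idx[i].v != NULL) {
			values[j] = *idx[i].v;
			j++;
		}
	}
	return j;
}

/* One safe alternative (assumption): snapshot the survivors, then write back. */
static size_t compact_via_copy(struct val *values, size_t n,
			       const struct parsed *idx)
{
	struct val *tmp;
	size_t i, j = 0;

	if (n == 0) {
		return 0;
	}
	tmp = malloc(n * sizeof(*tmp));
	if (tmp == NULL) {
		return (size_t)-1;
	}
	for (i = 0; i < n; i++) {
		if (idx[i].v != NULL) {
			tmp[j++] = *idx[i].v;
		}
	}
	memcpy(values, tmp, j * sizeof(*tmp));
	free(tmp);
	return j;
}

/* Constructed sample: four links stored unsorted, "cn=D" gets deleted. */
static size_t demo(int use_copy, const char *out[4])
{
	struct val values[4] = { {"cn=C"}, {"cn=A"}, {"cn=B"}, {"cn=D"} };
	struct parsed idx[4];
	size_t i, n;

	build_sorted_index(values, 4, idx);
	mark_deleted(idx, 4, "cn=D");
	n = use_copy ? compact_via_copy(values, 4, idx)
		     : compact_in_place(values, 4, idx);
	for (i = 0; i < 4; i++) {
		out[i] = (i < n) ? values[i].data : NULL;
	}
	return n;
}

int main(void)
{
	const char *out[4];
	size_t i, n;
	int mode;

	for (mode = 0; mode < 2; mode++) {
		n = demo(mode, out);
		printf("%s:", mode ? "via copy" : "in place");
		for (i = 0; i < n && i < 4; i++) {
			printf(" %s", out[i]);
		}
		printf("\n");
	}
	return 0;
}
```

With the unsorted input the in-place loop loses "cn=C" and stores "cn=A" twice, which matches the lost and duplicated link values the commit message describes.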
Jeremy Allison
2018-01-23 05:37:02 UTC
The branch, master has been updated
via c57cce1 libcli/resolve: Make functions static
via 30ff05c libcli/resolve: Make functions static
via ca3745d libcli/resolve: Fix typos
via 8993342 dsgetdcname: Fix a signed/unsigned hickup
via 0050d1b libnmb: Fix two signed/unsigned hickups
via e4dc85b libnmb: tsocket_address_unix_from_path deals fine with NULL
via e8e09d7 libnmb: Remove a pointless struct member
via c404d58 libsmb: Give unexpected.c its own header
from 39a6ea7 waf: Fix NFS quota support with libtirpc

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c57cce1b973ec3a6ffd1a230fccaaa02c28c9e04
Author: Volker Lendecke <***@samba.org>
Date: Sat Jan 13 17:41:01 2018 +0100

libcli/resolve: Make functions static

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Tue Jan 23 06:36:36 CET 2018 on sn-devel-144

commit 30ff05c660d07eee0ec4d190734438d068c6337c
Author: Volker Lendecke <***@samba.org>
Date: Sat Jan 13 17:39:24 2018 +0100

libcli/resolve: Make functions static

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit ca3745db305a14713ab2a709968379fbf332d015
Author: Volker Lendecke <***@samba.org>
Date: Sat Jan 13 17:38:16 2018 +0100

libcli/resolve: Fix typos

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 8993342965987c58bc16baf9680c6fb9f2d11286
Author: Volker Lendecke <***@samba.org>
Date: Fri Jan 5 17:11:43 2018 +0100

dsgetdcname: Fix a signed/unsigned hickup

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 0050d1b9a73cdff455d8a93f6aed6dbb964be096
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 18 13:28:30 2018 +0100

libnmb: Fix two signed/unsigned hickups

Two warnings less

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit e4dc85b69c2a57e99156d7cd60e84ff6c550fb52
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 16 15:04:06 2018 +0100

libnmb: tsocket_address_unix_from_path deals fine with NULL

Other callers use NULL instead of "". Streamline it a bit

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit e8e09d72ce780a9462d164d7e97a379bfc951980
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 16 15:07:47 2018 +0100

libnmb: Remove a pointless struct member

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit c404d58830758bde11499bc1771070e76c6eecfe
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 15 16:12:15 2018 +0100

libsmb: Give unexpected.c its own header

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/libsmb/clidgram.c | 1 +
source3/libsmb/dsgetdcname.c | 3 ++-
source3/libsmb/namequery.c | 1 +
source3/libsmb/nmblib.h | 22 ------------------
source3/libsmb/unexpected.c | 19 ++++++++--------
source3/libsmb/unexpected.h | 49 ++++++++++++++++++++++++++++++++++++++++
source3/nmbd/nmbd_packets.c | 1 +
source4/libcli/resolve/bcast.c | 19 ++++++++--------
source4/libcli/resolve/lmhosts.c | 23 ++++++++++---------
9 files changed, 86 insertions(+), 52 deletions(-)
create mode 100644 source3/libsmb/unexpected.h


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c
index d8fa1c6..8f0dba3 100644
--- a/source3/libsmb/clidgram.c
+++ b/source3/libsmb/clidgram.c
@@ -24,6 +24,7 @@
#include "../lib/util/tevent_ntstatus.h"
#include "libsmb/clidgram.h"
#include "libsmb/nmblib.h"
+#include "libsmb/unexpected.h"
#include "messages.h"
#include "librpc/gen_ndr/samr.h"
#include "../lib/util/pidfile.h"
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index ce0cc89..f15456a 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -500,7 +500,8 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
struct ip_service_name **returned_dclist,
int *return_count)
{
- int i, j;
+ int i;
+ size_t j;
NTSTATUS status;
struct dns_rr_srv *dcs = NULL;
int numdcs = 0;
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 4b41546..6107e8f 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -26,6 +26,7 @@
#include "lib/async_req/async_sock.h"
#include "lib/tsocket/tsocket.h"
#include "libsmb/nmblib.h"
+#include "libsmb/unexpected.h"
#include "../libcli/nbt/libnbt.h"
#include "libads/kerberos_proto.h"

diff --git a/source3/libsmb/nmblib.h b/source3/libsmb/nmblib.h
index d8290dc..7e1e40c 100644
--- a/source3/libsmb/nmblib.h
+++ b/source3/libsmb/nmblib.h
@@ -27,28 +27,6 @@

#include "nameserv.h"

-struct nb_packet_server;
-struct nb_packet_reader;
-
-NTSTATUS nb_packet_server_create(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- int max_clients,
- struct nb_packet_server **presult);
-void nb_packet_dispatch(struct nb_packet_server *server,
- struct packet_struct *p);
-struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- enum packet_type type,
- int trn_id,
- const char *mailslot_name);
-NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- struct nb_packet_reader **preader);
-struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct nb_packet_reader *reader);
-NTSTATUS nb_packet_read_recv(struct tevent_req *req,
- struct packet_struct **ppacket);
-
/* The following definitions come from libsmb/nmblib.c */

void debug_nmb_packet(struct packet_struct *p);
diff --git a/source3/libsmb/unexpected.c b/source3/libsmb/unexpected.c
index dd9ff7a..16d1f67 100644
--- a/source3/libsmb/unexpected.c
+++ b/source3/libsmb/unexpected.c
@@ -19,10 +19,11 @@
*/

#include "includes.h"
+#include "libsmb/unexpected.h"
#include "../lib/util/tevent_ntstatus.h"
#include "lib/util_tsock.h"
-#include "lib/tsocket/tsocket.h"
#include "libsmb/nmblib.h"
+#include "lib/tsocket/tsocket.h"
#include "lib/util/sys_rw.h"

static const char *nmbd_socket_dir(void)
@@ -256,7 +257,8 @@ static void nb_packet_got_query(struct tevent_req *req)
/* Take care of alignment */
memcpy(&q, buf, sizeof(q));

- if (nread != sizeof(struct nb_packet_query) + q.mailslot_namelen) {
+ if ((size_t)nread !=
+ sizeof(struct nb_packet_query) + q.mailslot_namelen) {
DEBUG(10, ("nb_packet_got_query: Invalid mailslot namelength\n"));
TALLOC_FREE(client);
return;
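Review bot: the `memcpy(&q, buf, sizeof(q))` in the context lines runs before this length comparison, so nothing visible in this hunk establishes that `nread` is at least `sizeof(q)` when the copy happens. Please confirm that an earlier check rejects short reads. The `(size_t)nread` cast turns a negative `nread` into a very large value, which still fails the equality and drops the client, but an explicit `nread < 0` test ahead of the cast would state that intent instead of relying on wrap-around.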
@@ -480,7 +482,6 @@ struct nb_packet_reader_state {
struct nb_packet_query query;
const char *mailslot_name;
struct iovec iov[2];
- char c;
struct nb_packet_reader *reader;
};

@@ -520,7 +521,7 @@ struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}

- ret = tsocket_address_unix_from_path(state, "", &laddr);
+ ret = tsocket_address_unix_from_path(state, NULL, &laddr);
if (ret != 0) {
tevent_req_nterror(req, map_nt_error_from_unix(errno));
return tevent_req_post(req, ev);
@@ -595,13 +596,14 @@ static void nb_packet_reader_sent_query(struct tevent_req *subreq)
tevent_req_nterror(req, map_nt_error_from_unix(err));
return;
}
- if (written != sizeof(state->query) + state->query.mailslot_namelen) {
+ if ((size_t)written !=
+ sizeof(state->query) + state->query.mailslot_namelen) {
tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
return;
}
subreq = tstream_read_packet_send(state, state->ev,
state->reader->sock,
- sizeof(state->c), NULL, NULL);
+ 1, NULL, NULL);
if (tevent_req_nomem(subreq, req)) {
return;
}
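Review bot: the literal `1` passed to `tstream_read_packet_send()` replaces `sizeof(state->c)`, and the same literal is compared against `nread` in `nb_packet_reader_got_ack`, so the ack length is now spelled out in two separate places with nothing tying them together. A named constant, or at least a comment at both sites saying this is the one-byte ack, would keep the two in step if the ack format ever changes.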
@@ -626,9 +628,8 @@ static void nb_packet_reader_got_ack(struct tevent_req *subreq)
tevent_req_nterror(req, map_nt_error_from_unix(err));
return;
}
- if (nread != sizeof(state->c)) {
- DEBUG(10, ("read = %d, expected %d\n", (int)nread,
- (int)sizeof(state->c)));
+ if (nread != 1) {
+ DBG_DEBUG("read = %zd, expected 1\n", nread);
tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
return;
}
diff --git a/source3/libsmb/unexpected.h b/source3/libsmb/unexpected.h
new file mode 100644
index 0000000..a40a507
--- /dev/null
+++ b/source3/libsmb/unexpected.h
@@ -0,0 +1,49 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Copyright (C) Volker Lendecke 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __LIBSMB_UNEXPECTED_H__
+#define __LIBSMB_UNEXPECTED_H__
+
+#include "replace.h"
+#include <tevent.h>
+#include "libcli/util/ntstatus.h"
+#include "nameserv.h"
+
+struct nb_packet_server;
+struct nb_packet_reader;
+
+NTSTATUS nb_packet_server_create(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int max_clients,
+ struct nb_packet_server **presult);
+void nb_packet_dispatch(struct nb_packet_server *server,
+ struct packet_struct *p);
+struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ enum packet_type type,
+ int trn_id,
+ const char *mailslot_name);
+NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct nb_packet_reader **preader);
+struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct nb_packet_reader *reader);
+NTSTATUS nb_packet_read_recv(struct tevent_req *req,
+ struct packet_struct **ppacket);
+
+#endif
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index de5ae1e..2b7cc82 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -24,6 +24,7 @@
#include "../lib/util/select.h"
#include "system/select.h"
#include "libsmb/libsmb.h"
+#include "libsmb/unexpected.h"

extern int ClientNMB;
extern int ClientDGRAM;
diff --git a/source4/libcli/resolve/bcast.c b/source4/libcli/resolve/bcast.c
index 787d048..277a82d 100644
--- a/source4/libcli/resolve/bcast.c
+++ b/source4/libcli/resolve/bcast.c
@@ -35,11 +35,12 @@ struct resolve_bcast_data {
/**
broadcast name resolution method - async send
*/
-struct composite_context *resolve_name_bcast_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *event_ctx,
- void *userdata, uint32_t flags,
- uint16_t port,
- struct nbt_name *name)
+static struct composite_context *resolve_name_bcast_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ void *userdata, uint32_t flags,
+ uint16_t port,
+ struct nbt_name *name)
{
int num_interfaces;
const char **address_list;
@@ -85,10 +86,10 @@ struct composite_context *resolve_name_bcast_send(TALLOC_CTX *mem_ctx,
/*
broadcast name resolution method - recv side
*/
-NTSTATUS resolve_name_bcast_recv(struct composite_context *c,
- TALLOC_CTX *mem_ctx,
- struct socket_address ***addrs,
- char ***names)
+static NTSTATUS resolve_name_bcast_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ struct socket_address ***addrs,
+ char ***names)
{
NTSTATUS status = resolve_name_nbtlist_recv(c, mem_ctx, addrs, names);
if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
diff --git a/source4/libcli/resolve/lmhosts.c b/source4/libcli/resolve/lmhosts.c
index 21cc3e4..400cf79 100644
--- a/source4/libcli/resolve/lmhosts.c
+++ b/source4/libcli/resolve/lmhosts.c
@@ -1,7 +1,7 @@
/*
Unix SMB/CIFS implementation.

- broadcast name resolution module
+ lmhosts name resolution module

Copyright (C) Andrew Tridgell 1994-1998,2005
Copyright (C) Jeremy Allison 2007
@@ -38,16 +38,17 @@ struct resolve_lmhosts_state {
};

/**
- broadcast name resolution method - async send
+ lmhosts name resolution method - async send
*/
/*
general name resolution - async send
*/
-struct composite_context *resolve_name_lmhosts_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *event_ctx,
- void *userdata, uint32_t flags,
- uint16_t port,
- struct nbt_name *name)
+static struct composite_context *resolve_name_lmhosts_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ void *userdata, uint32_t flags,
+ uint16_t port,
+ struct nbt_name *name)
{
struct composite_context *c;
struct resolve_lmhosts_state *state;
@@ -101,10 +102,10 @@ struct composite_context *resolve_name_lmhosts_send(TALLOC_CTX *mem_ctx,
/*
general name resolution method - recv side
*/
-NTSTATUS resolve_name_lmhosts_recv(struct composite_context *c,
- TALLOC_CTX *mem_ctx,
- struct socket_address ***addrs,
- char ***names)
+static NTSTATUS resolve_name_lmhosts_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ struct socket_address ***addrs,
+ char ***names)
{
NTSTATUS status;
--
Samba Shared Repository
Jeremy Allison
2018-01-24 04:49:02 UTC
The branch, master has been updated
via 7ea5d38 libnmb: Move "read_packet" to nmbd
via 6a60970 libnmb: Make nb_packet_read_recv return a talloc'ed pkt
via 45aec7d libnmb: Add "parse_packet_talloc"
from c57cce1 libcli/resolve: Make functions static

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7ea5d38a69660bf5e086ff03d18b4a4e9eb75cce
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 16 16:21:08 2018 +0100

libnmb: Move "read_packet" to nmbd

It's only used there

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Wed Jan 24 05:48:19 CET 2018 on sn-devel-144

commit 6a60970306df44ff5676c98899069f867ac77d36
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 16 15:50:19 2018 +0100

libnmb: Make nb_packet_read_recv return a talloc'ed pkt

This saves a few explicit destructors only doing free_packet()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 45aec7d3a23645998eb97a86a50345c20a8e14dc
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 23 14:39:21 2018 +0100

libnmb: Add "parse_packet_talloc"

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/libsmb/clidgram.c | 3 +-
source3/libsmb/namequery.c | 72 +++++++------------------------------
source3/libsmb/nmblib.c | 88 +++++++++++++++++++++++++++++++--------------
source3/libsmb/nmblib.h | 6 +++-
source3/libsmb/unexpected.c | 6 ++--
source3/libsmb/unexpected.h | 2 +-
source3/nmbd/nmbd_packets.c | 35 ++++++++++++++++++
7 files changed, 121 insertions(+), 91 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c
index 8f0dba3..4ae57a3 100644
--- a/source3/libsmb/clidgram.c
+++ b/source3/libsmb/clidgram.c
@@ -397,7 +397,7 @@ static void nbt_getdc_got_response(struct tevent_req *subreq)
NTSTATUS status;
bool ret;

- status = nb_packet_read_recv(subreq, &p);
+ status = nb_packet_read_recv(subreq, state, &p);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
@@ -406,7 +406,6 @@ static void nbt_getdc_got_response(struct tevent_req *subreq)
ret = parse_getdc_response(p, state, state->domain_name,
&state->nt_version, &state->dc_name,
&state->samlogon_response);
- free_packet(p);
if (!ret) {
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 6107e8f..b616a64 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -309,7 +309,6 @@ struct sock_packet_read_state {
struct packet_struct *packet;
};

-static int sock_packet_read_state_destructor(struct sock_packet_read_state *s);
static void sock_packet_read_got_packet(struct tevent_req *subreq);
static void sock_packet_read_got_socket(struct tevent_req *subreq);

@@ -331,7 +330,6 @@ static struct tevent_req *sock_packet_read_send(
if (req == NULL) {
return NULL;
}
- talloc_set_destructor(state, sock_packet_read_state_destructor);
state->ev = ev;
state->reader = reader;
state->sock = sock;
@@ -359,15 +357,6 @@ static struct tevent_req *sock_packet_read_send(
return req;
}

-static int sock_packet_read_state_destructor(struct sock_packet_read_state *s)
-{
- if (s->packet != NULL) {
- free_packet(s->packet);
- s->packet = NULL;
- }
- return 0;
-}
-
static void sock_packet_read_got_packet(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
@@ -376,7 +365,7 @@ static void sock_packet_read_got_packet(struct tevent_req *subreq)
req, struct sock_packet_read_state);
NTSTATUS status;

- status = nb_packet_read_recv(subreq, &state->packet);
+ status = nb_packet_read_recv(subreq, state, &state->packet);

TALLOC_FREE(state->reader_req);

@@ -398,8 +387,7 @@ static void sock_packet_read_got_packet(struct tevent_req *subreq)
!state->validator(state->packet, state->private_data)) {
DEBUG(10, ("validator failed\n"));

- free_packet(state->packet);
- state->packet = NULL;
+ TALLOC_FREE(state->packet);

state->reader_req = nb_packet_read_send(state, state->ev,
state->reader);
@@ -460,8 +448,9 @@ static void sock_packet_read_got_socket(struct tevent_req *subreq)
return;
}

- state->packet = parse_packet((char *)state->buf, received, state->type,
- addr.sin.sin_addr, addr.sin.sin_port);
+ state->packet = parse_packet_talloc(
+ state, (char *)state->buf, received, state->type,
+ addr.sin.sin_addr, addr.sin.sin_port);
if (state->packet == NULL) {
DEBUG(10, ("parse_packet failed\n"));
goto retry;
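Review bot: the `DEBUG(10, ("parse_packet failed\n"))` message under the new `parse_packet_talloc(state, ...)` call is now stale. The call can return NULL either because the datagram did not parse or because the talloc copy failed, and the log line names neither the new function nor the second cause. Suggest updating the message to `parse_packet_talloc failed` so an allocation failure is not read as a malformed packet.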
@@ -483,10 +472,7 @@ static void sock_packet_read_got_socket(struct tevent_req *subreq)
return;

retry:
- if (state->packet != NULL) {
- free_packet(state->packet);
- state->packet = NULL;
- }
+ TALLOC_FREE(state->packet);
TALLOC_FREE(state->buf);
TALLOC_FREE(state->addr);

@@ -499,6 +485,7 @@ retry:
}

static NTSTATUS sock_packet_read_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
struct packet_struct **ppacket)
{
struct sock_packet_read_state *state = tevent_req_data(
@@ -508,8 +495,7 @@ static NTSTATUS sock_packet_read_recv(struct tevent_req *req,
if (tevent_req_is_nterror(req, &status)) {
return status;
}
- *ppacket = state->packet;
- state->packet = NULL;
+ *ppacket = talloc_move(mem_ctx, &state->packet);
return NT_STATUS_OK;
}

@@ -532,7 +518,6 @@ struct nb_trans_state {
struct packet_struct *packet;
};

-static int nb_trans_state_destructor(struct nb_trans_state *s);
static void nb_trans_got_reader(struct tevent_req *subreq);
static void nb_trans_done(struct tevent_req *subreq);
static void nb_trans_sent(struct tevent_req *subreq);
@@ -564,7 +549,6 @@ static struct tevent_req *nb_trans_send(
if (req == NULL) {
return NULL;
}
- talloc_set_destructor(state, nb_trans_state_destructor);
state->ev = ev;
state->buf = buf;
state->buflen = buflen;
@@ -604,15 +588,6 @@ static struct tevent_req *nb_trans_send(
return req;
}

-static int nb_trans_state_destructor(struct nb_trans_state *s)
-{
- if (s->packet != NULL) {
- free_packet(s->packet);
- s->packet = NULL;
- }
- return 0;
-}
-
static void nb_trans_got_reader(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
@@ -704,7 +679,7 @@ static void nb_trans_done(struct tevent_req *subreq)
req, struct nb_trans_state);
NTSTATUS status;

- status = sock_packet_read_recv(subreq, &state->packet);
+ status = sock_packet_read_recv(subreq, state, &state->packet);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
@@ -712,7 +687,7 @@ static void nb_trans_done(struct tevent_req *subreq)
tevent_req_done(req);
}

-static NTSTATUS nb_trans_recv(struct tevent_req *req,
+static NTSTATUS nb_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct packet_struct **ppacket)
{
struct nb_trans_state *state = tevent_req_data(
@@ -722,8 +697,7 @@ static NTSTATUS nb_trans_recv(struct tevent_req *req,
if (tevent_req_is_nterror(req, &status)) {
return status;
}
- *ppacket = state->packet;
- state->packet = NULL;
+ *ppacket = talloc_move(mem_ctx, &state->packet);
return NT_STATUS_OK;
}

@@ -740,8 +714,6 @@ struct node_status_query_state {
struct packet_struct *packet;
};

-static int node_status_query_state_destructor(
- struct node_status_query_state *s);
static bool node_status_query_validator(struct packet_struct *p,
void *private_data);
static void node_status_query_done(struct tevent_req *subreq);
@@ -762,7 +734,6 @@ struct tevent_req *node_status_query_send(TALLOC_CTX *mem_ctx,
if (req == NULL) {
return NULL;
}
- talloc_set_destructor(state, node_status_query_state_destructor);

if (addr->ss_family != AF_INET) {
/* Can't do node status to IPv6 */
@@ -837,16 +808,6 @@ static bool node_status_query_validator(struct packet_struct *p,
return true;
}

-static int node_status_query_state_destructor(
- struct node_status_query_state *s)
-{
- if (s->packet != NULL) {
- free_packet(s->packet);
- s->packet = NULL;
- }
- return 0;
-}
-
static void node_status_query_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
@@ -855,7 +816,7 @@ static void node_status_query_done(struct tevent_req *subreq)
req, struct node_status_query_state);
NTSTATUS status;

- status = nb_trans_recv(subreq, &state->packet);
+ status = nb_trans_recv(subreq, state, &state->packet);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
@@ -1501,7 +1462,7 @@ static void name_query_done(struct tevent_req *subreq)
NTSTATUS status;
struct packet_struct *p = NULL;

- status = nb_trans_recv(subreq, &p);
+ status = nb_trans_recv(subreq, state, &p);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
@@ -1510,13 +1471,6 @@ static void name_query_done(struct tevent_req *subreq)
tevent_req_nterror(req, state->validate_error);
return;
}
- if (p != NULL) {
- /*
- * Free the packet here, we've collected the response in the
- * validator
- */
- free_packet(p);
- }
tevent_req_done(req);
}

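Review bot: with the `free_packet(p)` block removed, nothing in `name_query_done` releases `p`, which the previous hunk now allocates on `state` through `nb_trans_recv(subreq, state, &p)`. The packet therefore stays allocated until `state` is freed, although the removed comment says the response has already been collected in the validator. A `TALLOC_FREE(p)` before `tevent_req_done(req)` would keep the earlier lifetime.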
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 8feb029..bac4340 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -803,39 +803,75 @@ struct packet_struct *parse_packet(char *buf,int length,
return p;
}

-/*******************************************************************
- Read a packet from a socket and parse it, returning a packet ready
- to be used or put on the queue. This assumes a UDP socket.
-******************************************************************/
-
-struct packet_struct *read_packet(int fd,enum packet_type packet_type)
+static struct packet_struct *copy_packet_talloc(
+ TALLOC_CTX *mem_ctx, const struct packet_struct *src)
{
- struct packet_struct *packet;
- struct sockaddr_storage sa;
- struct sockaddr_in *si = (struct sockaddr_in *)&sa;
- char buf[MAX_DGRAM_SIZE];
- int length;
-
- length = read_udp_v4_socket(fd,buf,sizeof(buf),&sa);
- if (length < MIN_DGRAM_SIZE || sa.ss_family != AF_INET) {
+ struct packet_struct *pkt;
+
+ pkt = talloc_memdup(mem_ctx, src, sizeof(struct packet_struct));
+ if (pkt == NULL) {
return NULL;
}
+ pkt->locked = false;
+ pkt->recv_fd = -1;
+ pkt->send_fd = -1;
+
+ if (src->packet_type == NMB_PACKET) {
+ const struct nmb_packet *nsrc = &src->packet.nmb;
+ struct nmb_packet *ndst = &pkt->packet.nmb;
+
+ if (nsrc->answers != NULL) {
+ ndst->answers = talloc_memdup(
+ pkt, nsrc->answers,
+ sizeof(struct res_rec) * nsrc->header.ancount);
+ if (ndst->answers == NULL) {
+ goto fail;
+ }
+ }
+ if (nsrc->nsrecs != NULL) {
+ ndst->nsrecs = talloc_memdup(
+ pkt, nsrc->nsrecs,
+ sizeof(struct res_rec) * nsrc->header.nscount);
+ if (ndst->nsrecs == NULL) {
+ goto fail;
+ }
+ }
+ if (nsrc->additional != NULL) {
+ ndst->additional = talloc_memdup(
+ pkt, nsrc->additional,
+ sizeof(struct res_rec) * nsrc->header.arcount);
+ if (ndst->nsrecs == NULL) {
+ goto fail;
+ }
+ }
+ }

- packet = parse_packet(buf,
- length,
- packet_type,
- si->sin_addr,
- ntohs(si->sin_port));
- if (!packet)
- return NULL;
+ return pkt;

- packet->recv_fd = fd;
- packet->send_fd = -1;
+ /*
+ * DGRAM packets have no substructures
+ */
+
+fail:
+ TALLOC_FREE(pkt);
+ return NULL;
+}

- DEBUG(5,("Received a packet of len %d from (%s) port %d\n",
- length, inet_ntoa(packet->ip), packet->port ) );
+struct packet_struct *parse_packet_talloc(TALLOC_CTX *mem_ctx,
+ char *buf,int length,
+ enum packet_type packet_type,
+ struct in_addr ip,
+ int port)
+{
+ struct packet_struct *pkt, *result;

- return(packet);
+ pkt = parse_packet(buf, length, packet_type, ip, port);
+ if (pkt == NULL) {
+ return NULL;
+ }
+ result = copy_packet_talloc(mem_ctx, pkt);
+ free_packet(pkt);
+ return result;
}

/*******************************************************************
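Review bot: in the `nsrc->additional != NULL` branch of `copy_packet_talloc` the result is stored in `ndst->additional`, but the failure test reads `if (ndst->nsrecs == NULL)`. Because `pkt` starts as a `talloc_memdup` of `src`, `ndst->nsrecs` is NULL whenever the source has no ns records, so a packet with additional records and no ns records takes the `fail` path and the copy returns NULL; conversely a failed allocation for `additional` goes undetected when `nsrecs` is set. The test should be `if (ndst->additional == NULL)`. Separately, the "DGRAM packets have no substructures" comment sits after `return pkt;` and would read better next to the `NMB_PACKET` check.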
diff --git a/source3/libsmb/nmblib.h b/source3/libsmb/nmblib.h
index 7e1e40c..a0624ed 100644
--- a/source3/libsmb/nmblib.h
+++ b/source3/libsmb/nmblib.h
@@ -39,7 +39,11 @@ struct packet_struct *parse_packet(char *buf,int length,
enum packet_type packet_type,
struct in_addr ip,
int port);
-struct packet_struct *read_packet(int fd,enum packet_type packet_type);
+struct packet_struct *parse_packet_talloc(TALLOC_CTX *mem_ctx,
+ char *buf,int length,
+ enum packet_type packet_type,
+ struct in_addr ip,
+ int port);
void make_nmb_name( struct nmb_name *n, const char *name, int type);
bool nmb_name_equal(struct nmb_name *n1, struct nmb_name *n2);
int build_packet(char *buf, size_t buflen, struct packet_struct *p);
diff --git a/source3/libsmb/unexpected.c b/source3/libsmb/unexpected.c
index 16d1f67..ac6c1cf 100644
--- a/source3/libsmb/unexpected.c
+++ b/source3/libsmb/unexpected.c
@@ -715,7 +715,7 @@ static void nb_packet_read_done(struct tevent_req *subreq)
tevent_req_done(req);
}

-NTSTATUS nb_packet_read_recv(struct tevent_req *req,
+NTSTATUS nb_packet_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct packet_struct **ppacket)
{
struct nb_packet_read_state *state = tevent_req_data(
@@ -731,7 +731,8 @@ NTSTATUS nb_packet_read_recv(struct tevent_req *req,

memcpy(&hdr, state->buf, sizeof(hdr));

- packet = parse_packet(
+ packet = parse_packet_talloc(
+ mem_ctx,
(char *)state->buf + sizeof(struct nb_packet_client_header),
state->buflen - sizeof(struct nb_packet_client_header),
state->hdr.type, state->hdr.ip, state->hdr.port);
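Review bot: the length argument `state->buflen - sizeof(struct nb_packet_client_header)` is computed in unsigned arithmetic and then passed to `parse_packet_talloc`, whose prototype takes `int length`. The visible lines show no check that `buflen` is at least the header size before this subtraction or before the `memcpy(&hdr, state->buf, sizeof(hdr))` above it. Please confirm that the read path guarantees this, or add an explicit check that returns `NT_STATUS_INVALID_NETWORK_RESPONSE` for a short buffer.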
@@ -739,6 +740,7 @@ NTSTATUS nb_packet_read_recv(struct tevent_req *req,
tevent_req_received(req);
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
+
*ppacket = packet;
tevent_req_received(req);
return NT_STATUS_OK;
diff --git a/source3/libsmb/unexpected.h b/source3/libsmb/unexpected.h
index a40a507..270976b 100644
--- a/source3/libsmb/unexpected.h
+++ b/source3/libsmb/unexpected.h
@@ -43,7 +43,7 @@ NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct nb_packet_reader *reader);
-NTSTATUS nb_packet_read_recv(struct tevent_req *req,
+NTSTATUS nb_packet_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct packet_struct **ppacket);

#endif
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index 2b7cc82..bbcb958 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1879,6 +1879,41 @@ static void nmbd_fd_handler(struct tevent_context *ev,
attr->triggered = true;
}

+/*******************************************************************
+ Read a packet from a socket and parse it, returning a packet ready
+ to be used or put on the queue. This assumes a UDP socket.
+******************************************************************/
+
+static struct packet_struct *read_packet(int fd,enum packet_type packet_type)
+{
+ struct packet_struct *packet;
+ struct sockaddr_storage sa;
+ struct sockaddr_in *si = (struct sockaddr_in *)&sa;
+ char buf[MAX_DGRAM_SIZE];
+ int length;
+
+ length = read_udp_v4_socket(fd,buf,sizeof(buf),&sa);
+ if (length < MIN_DGRAM_SIZE || sa.ss_family != AF_INET) {
+ return NULL;
+ }
+
+ packet = parse_packet(buf,
+ length,
+ packet_type,
+ si->sin_addr,
+ ntohs(si->sin_port));
+ if (!packet)
+ return NULL;
+
+ packet->recv_fd = fd;
+ packet->send_fd = -1;
+
+ DEBUG(5,("Received a packet of len %d from (%s) port %d\n",
+ length, inet_ntoa(packet->ip), packet->port ) );
+
+ return(packet);
+}
+
/****************************************************************************
Listens for NMB or DGRAM packets, and queues them.
return True if the socket is dead
--
Samba Shared Repository
Amitay Isaacs
2018-01-24 09:29:03 UTC
The branch, master has been updated
via 8b82d10 ctdb-tests: Fix a typo
via 50150d7 ctdb-tests: Add a UNIT pseudo-test-suite
via e17d02d ctdb-tests: Only use socket-wrapper for simple, local daemon tests
via da3aaf9 ctdb-tests: Add timeout for individual tests, default is 10 minutes
from 7ea5d38 libnmb: Move "read_packet" to nmbd

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8b82d10856160d3b3f172bf7d45ac561002dbcac
Author: Martin Schwenke <***@meltin.net>
Date: Tue Jan 23 20:18:54 2018 +1100

ctdb-tests: Fix a typo

This typo causes the script to be run with the default shell. If this
is not bash then the shell will fail to parse integration.bash.

This is a regression caused by commit
c607989d91b64d837253aae794b1a3d6013eb3e0. Clearly nobody has run this
test on Debian for a long time. :-(

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

Autobuild-User(master): Amitay Isaacs <***@samba.org>
Autobuild-Date(master): Wed Jan 24 10:28:52 CET 2018 on sn-devel-144

commit 50150d75814de6a1e2cb28fb7af72caa31d73e3c
Author: Martin Schwenke <***@meltin.net>
Date: Mon Jan 22 19:48:02 2018 +1100

ctdb-tests: Add a UNIT pseudo-test-suite

This runs all of the unit tests.

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

commit e17d02d4039001563d189b33200c30e3906ce845
Author: Martin Schwenke <***@meltin.net>
Date: Mon Jan 22 19:14:48 2018 +1100

ctdb-tests: Only use socket-wrapper for simple, local daemon tests

The run_tests.sh -S option now takes the path to the socket-wrapper
shared library.

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

commit da3aaf972ab5b339b51ba1e802329b69885ccfe4
Author: Martin Schwenke <***@meltin.net>
Date: Sat Jan 20 17:05:37 2018 +1100

ctdb-tests: Add timeout for individual tests, default is 10 minutes

This will cause a hung test to time out and fail rather than letting a
test run hang indefinitely. Some tests can take 5 minutes to run, so
10 minutes should be plenty.

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

-----------------------------------------------------------------------

Summary of changes:
ctdb/tests/run_tests.sh | 52 ++++++++++++++++++++--------
ctdb/tests/simple/14_ctdb_statistics.sh | 1 -
ctdb/tests/simple/scripts/local_daemons.bash | 6 ++++
ctdb/wscript | 3 +-
4 files changed, 44 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/tests/run_tests.sh b/ctdb/tests/run_tests.sh
index ffc81d4..a2a44a1 100755
--- a/ctdb/tests/run_tests.sh
+++ b/ctdb/tests/run_tests.sh
@@ -14,7 +14,7 @@ Options:
-H No headers - for running single test with other wrapper
-N Don't print summary of tests results after running all tests
-q Quiet - don't show tests being run (hint: use with -s)
- -S Enable socket wrapper
+ -S <lib> Use socket wrapper library <lib> for local integration tests
-v Verbose - print test output for non-failures (only some tests)
-V <dir> Use <dir> as TEST_VAR_DIR
-x Trace this script with the -x option
@@ -36,7 +36,6 @@ with_desc=false
quiet=false
exit_on_fail=false
no_header=false
-socket_wrapper=false

export TEST_VERBOSE=false
export TEST_COMMAND_TRACE=false
@@ -46,8 +45,10 @@ export TEST_LOCAL_DAEMONS
[ -n "$TEST_LOCAL_DAEMONS" ] || TEST_LOCAL_DAEMONS=3
export TEST_VAR_DIR=""
export TEST_CLEANUP=false
+export TEST_TIMEOUT=600
+export TEST_SOCKET_WRAPPER_SO_PATH=""

-temp=$(getopt -n "$prog" -o "AcCdDehHNqSvV:xX" -l help -- "$@")
+temp=$(getopt -n "$prog" -o "AcCdDehHNqS:T:vV:xX" -l help -- "$@")

[ $? != 0 ] && usage

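Review bot: `T:` is added to the getopt string here and `TEST_TIMEOUT` gets a default of 600, but the Options list changed in the first hunk of this file still goes from `-S <lib>` straight to `-v`, so the new `-T` option is undocumented in the usage text. Suggest adding a line such as `-T <seconds>` with the default, next to the `-S` entry.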
@@ -64,7 +65,8 @@ while true ; do
-H) no_header=true ; shift ;;
-N) with_summary=false ; shift ;;
-q) quiet=true ; shift ;;
- -S) socket_wrapper=true ; shift ;;
+ -S) TEST_SOCKET_WRAPPER_SO_PATH="$2" ; shift 2 ;;
+ -T) TEST_TIMEOUT="$2" ; shift 2 ;;
-v) TEST_VERBOSE=true ; shift ;;
-V) TEST_VAR_DIR="$2" ; shift 2 ;;
-x) set -x; shift ;;
@@ -114,6 +116,9 @@ ctdb_test_end ()
interp="PASSED"
statstr=""
echo "ALL OK: $*"
+ elif [ $status -eq 124 ] ; then
+ interp="TIMEOUT"
+ statstr=" (status $status)"
else
interp="FAILED"
statstr=" (status $status)"
@@ -137,7 +142,7 @@ ctdb_test_run ()
$no_header || ctdb_test_begin "$name"

local status=0
- "$@" || status=$?
+ timeout $TEST_TIMEOUT "$@" || status=$?

$no_header || ctdb_test_end "$name" "$status" "$*"

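Review bot: `$TEST_TIMEOUT` is expanded unquoted in `timeout $TEST_TIMEOUT "$@"`, and its value comes straight from the `-T` argument. An empty value disappears on expansion, so `timeout` would treat the first word of the test command as the duration; a non-numeric value makes `timeout` itself fail, and that exit status is then reported as a test failure. Suggest `timeout "$TEST_TIMEOUT" "$@"` and validating the `-T` argument where it is parsed. Note also that a test which itself exits with 124 will be reported as TIMEOUT by the `ctdb_test_end` branch added above.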
@@ -247,20 +252,25 @@ mkdir -p "$TEST_VAR_DIR"
TEST_VAR_DIR=$(cd "$TEST_VAR_DIR"; echo "$PWD")
echo "TEST_VAR_DIR=$TEST_VAR_DIR"

-if $socket_wrapper ; then
- export SOCKET_WRAPPER_DIR="${TEST_VAR_DIR}/sw"
- mkdir -p "$SOCKET_WRAPPER_DIR"
-fi
-
export TEST_SCRIPTS_DIR="${CTDB_TEST_DIR}/scripts"

+unit_tests="
+ cunit
+ eventd
+ eventscripts
+ onnode
+ shellcheck
+ takeover
+ takeover_helper
+ tool
+"
+
# If no tests specified then run some defaults
if [ -z "$1" ] ; then
- if [ -n "$TEST_LOCAL_DAEMONS" ] ; then
- set -- onnode takeover takeover_helper tool eventscripts \
- cunit eventd shellcheck simple
- else
- set -- simple complex
+ if [ -n "$TEST_LOCAL_DAEMONS" ] ; then
+ set -- UNIT simple
+ else
+ set -- simple complex
fi
fi

@@ -287,7 +297,19 @@ cleanup_handler ()

trap cleanup_handler SIGINT SIGTERM

+declare -a tests
+i=0
for f ; do
+ if [ "$f" = "UNIT" ] ; then
+ for t in $unit_tests ; do
+ tests[i++]="$t"
+ done
+ else
+ tests[i++]="$f"
+ fi
+done
+
+for f in "${tests[@]}" ; do
find_and_run_one_test "$f"

if [ $status -eq 127 ] ; then
diff --git a/ctdb/tests/simple/14_ctdb_statistics.sh b/ctdb/tests/simple/14_ctdb_statistics.sh
index 3dd55e0..5ff22d7 100755
--- a/ctdb/tests/simple/14_ctdb_statistics.sh
+++ b/ctdb/tests/simple/14_ctdb_statistics.sh
@@ -1,4 +1,3 @@
-
#!/bin/bash

test_info()
diff --git a/ctdb/tests/simple/scripts/local_daemons.bash b/ctdb/tests/simple/scripts/local_daemons.bash
index a0c8077..512d11f 100644
--- a/ctdb/tests/simple/scripts/local_daemons.bash
+++ b/ctdb/tests/simple/scripts/local_daemons.bash
@@ -17,6 +17,12 @@ fi

export CTDB_NODES="${TEST_VAR_DIR}/nodes.txt"

+if [ -n "$TEST_SOCKET_WRAPPER_SO_PATH" ] ; then
+ export LD_PRELOAD="$TEST_SOCKET_WRAPPER_SO_PATH"
+ export SOCKET_WRAPPER_DIR="${TEST_VAR_DIR}/sw"
+ mkdir -p "$SOCKET_WRAPPER_DIR"
+fi
+
#######################################

config_from_environment ()
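Review bot: `export LD_PRELOAD="$TEST_SOCKET_WRAPPER_SO_PATH"` at the top level of local_daemons.bash applies to every process started afterwards by the shell that runs it, not only to the ctdb daemons, and the path given to `-S` is used without checking that it names a readable file. Setting `LD_PRELOAD` only in the environment of the command that starts the daemons, and failing early when the library path does not exist, would limit the preload to the processes that need it and turn a mistyped path into a clear error.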
diff --git a/ctdb/wscript b/ctdb/wscript
index 715ecb1..059ce3d 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -986,8 +986,7 @@ def test(ctx):

def autotest(ctx):
env = samba_utils.LOAD_ENVIRONMENT()
- ld = 'LD_PRELOAD=%s' % env.SOCKET_WRAPPER_SO_PATH
- cmd = '%s tests/run_tests.sh -e -S -C' % ld
+ cmd = 'tests/run_tests.sh -e -S %s -C' % env.SOCKET_WRAPPER_SO_PATH
ret = samba_utils.RUN_COMMAND(cmd)
if ret != 0:
print('autotest exited with exit status %d' % ret)
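Review bot: `env.SOCKET_WRAPPER_SO_PATH` is interpolated unquoted into `'tests/run_tests.sh -e -S %s -C'`. Since run_tests.sh now declares the option as `S:`, an empty value makes `-S` take `-C` as its argument, so `-C` is silently dropped and `-C` becomes the library path. If the string is run through a shell, a path containing whitespace would split as well. Suggest adding `-S <path>` to the command only when the path is non-empty, and quoting it.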
--
Samba Shared Repository
Ralph Böhme
2018-01-24 14:09:02 UTC
The branch, master has been updated
via cbf743d Samba-VirusFilter: clamav VFS and man page.
via 5970d68 Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.
via 0b25089 Samba-VirusFilter: Sophos VFS backend.
via b1e69ed Samba-VirusFilter: common headers and sources.
via 70d7f7d Samba-VirusFilter: memcache changes.
from 8b82d10 ctdb-tests: Fix a typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cbf743d329730387ede92a9d329893d1c651e97a
Author: Trever L. Adams <***@gmail.com>
Date: Tue Oct 18 13:40:01 2016 -0600

Samba-VirusFilter: clamav VFS and man page.

Signed-off-by: Trever L. Adams <***@gmail.com>
Signed-off-by: SATOH Fumiyasu <***@osstech.co.jp>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Wed Jan 24 15:08:59 CET 2018 on sn-devel-144

commit 5970d68bf651fb8dbf1ac4e79d8f2e9467154870
Author: Trever L. Adams <***@gmail.com>
Date: Tue Oct 18 13:39:20 2016 -0600

Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.

Signed-off-by: Trever L. Adams <***@gmail.com>
Signed-off-by: SATOH Fumiyasu <***@osstech.co.jp>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 0b25089edd453270e52f2d8e6858a9996bb29a0d
Author: Trever L. Adams <***@gmail.com>
Date: Tue Oct 18 13:38:14 2016 -0600

Samba-VirusFilter: Sophos VFS backend.

Signed-off-by: Trever L. Adams <***@gmail.com>
Signed-off-by: SATOH Fumiyasu <***@osstech.co.jp>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b1e69edd0592d3b4b0f958792826a236dd3466e1
Author: Trever L. Adams <***@gmail.com>
Date: Tue Oct 18 13:34:53 2016 -0600

Samba-VirusFilter: common headers and sources.

Samba-VirusFilter Contributors:

SATOH Fumiyasu @ OSS Technology Corp., Japan
Module creator/maintainer

Luke Dixon ***@zynstra.com
Samba 4 support

Trever L. Adams
Documentation
Code contributions
Samba-master merge work

With many thanks to the Samba Team.

Signed-off-by: Trever L. Adams <***@gmail.com>
Signed-off-by: SATOH Fumiyasu <***@osstech.co.jp>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 70d7f7d03c46c8727833f322bdc03da1b2aad720
Author: Trever L. Adams <***@gmail.com>
Date: Tue Oct 18 13:37:19 2016 -0600

Samba-VirusFilter: memcache changes.

Signed-off-by: Trever L. Adams <***@gmail.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/vfs_virusfilter.8.xml | 369 +++++
docs-xml/wscript_build | 1 +
.../scripts/vfs/virusfilter/virusfilter-notify.ksh | 284 ++++
lib/util/memcache.c | 1 +
lib/util/memcache.h | 3 +-
source3/modules/vfs_virusfilter.c | 1521 ++++++++++++++++++++
source3/modules/vfs_virusfilter_clamav.c | 195 +++
source3/modules/vfs_virusfilter_common.h | 153 ++
source3/modules/vfs_virusfilter_fsav.c | 451 ++++++
source3/modules/vfs_virusfilter_sophos.c | 391 +++++
source3/modules/vfs_virusfilter_utils.c | 1025 +++++++++++++
source3/modules/vfs_virusfilter_utils.h | 177 +++
source3/modules/wscript_build | 18 +
source3/wscript | 2 +-
14 files changed, 4589 insertions(+), 2 deletions(-)
create mode 100644 docs-xml/manpages/vfs_virusfilter.8.xml
create mode 100644 examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
create mode 100644 source3/modules/vfs_virusfilter.c
create mode 100644 source3/modules/vfs_virusfilter_clamav.c
create mode 100644 source3/modules/vfs_virusfilter_common.h
create mode 100644 source3/modules/vfs_virusfilter_fsav.c
create mode 100644 source3/modules/vfs_virusfilter_sophos.c
create mode 100644 source3/modules/vfs_virusfilter_utils.c
create mode 100644 source3/modules/vfs_virusfilter_utils.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
new file mode 100644
index 0000000..ee49df1
--- /dev/null
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -0,0 +1,369 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_virusfilter.8">
+
+<refmeta>
+ <refentrytitle>vfs_virusfilter</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">4.8</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>vfs_virusfilter</refname>
+ <refpurpose>On access virus scanner</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>vfs objects = virusfilter</command>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This is a set of various Samba VFS modules to scan and filter
+ virus files on Samba file services with an anti-virus scanner.</para>
+
+ <para>This module is stackable.</para>
+
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>virusfilter:scanner</term>
+ <listitem>
+ <para>The antivirus scan-engine.</para>
+ <itemizedlist>
+ <listitem><para><emphasis>sophos</emphasis>, the Sophos AV
+ scanner</para></listitem>
+ <listitem><para><emphasis>fsav</emphasis>, the F-Secure AV
+ scanner</para></listitem>
+ <listitem><para><emphasis>clamav</emphasis>, the ClamAV
+ scanner</para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:socket path = PATH</term>
+ <listitem>
+ <para>Path of local socket for the virus scanner.
+ </para>
+ <para>If this option is not set, the default path depends on the
+ configured AV scanning engine.
+ </para>
+ <para>For the <emphasis>sophos</emphasis>backend the default is
+ <emphasis>/var/run/savdi/sssp.sock</emphasis>.</para>
+ <para>For the <emphasis>fsav</emphasis> backend the default is
+ <emphasis>/tmp/.fsav-0</emphasis>.</para>
+ <para>For the <emphasis>fsav</emphasis> backend the default is
+ <emphasis>/var/run/clamav/clamd.ctl</emphasis>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:connect timeout = 30000</term>
+ <listitem>
+ <para>Controls how long to wait on connecting to the virus
+ scanning process before timing out. Value is in milliseconds.
+ </para>
+ <para>If this option is not set, the default is 30000.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:io timeout = 60000</term>
+ <listitem>
+ <para>Controls how long to wait on communications with the virus
+ scanning process before timing out. Value is in milliseconds.
+ </para>
+ <para>If this option is not set, the default is 60000.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan on open = yes</term>
+ <listitem>
+ <para>This option controls whether files are scanned on open.
+ </para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan on close = no</term>
+ <listitem>
+ <para>This option controls whether files are scanned on close.
+ </para>
+ <para>If this option is not set, the default is no.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:max file size = 100000000</term>
+ <listitem>
+ <para>This is the largest sized file, in bytes, which will be scanned.
+ </para>
+ <para>If this option is not set, the default is 100MB.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:min file size = 10</term>
+ <listitem>
+ <para>This is the smallest sized file, in bytes, which will be scanned.
+ </para>
+ <para>If this option is not set, the default is 10.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file action = nothing</term>
+ <listitem>
+ <para>What to do with an infected file. The options are
+ nothing, quarantine, rename, delete.</para>
+ <para>If this option is not set, the default is nothing.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file errno on open = EACCES</term>
+ <listitem>
+ <para>What errno to return on open if the file is infected.
+ </para>
+ <para>If this option is not set, the default is EACCES.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file errno on close = 0</term>
+ <listitem>
+ <para>What errno to return on close if the file is infected.
+ </para>
+ <para>If this option is not set, the default is 0.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine directory = PATH</term>
+ <listitem>
+ <para>Where to move infected files. This path must be an
+ absolute path.</para>
+ <para>If this option is not set, the default is ".quarantine"
+ relative to the share path. </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine prefix = virusfilter.</term>
+ <listitem>
+ <para>Prefix for quarantined files.</para>
+ <para>If this option is not set, the default is "virusfilter.".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine suffix = .infected</term>
+ <listitem>
+ <para>Suffix for quarantined files.
+ This option is only used if keep name is true. Otherwise it is ignored.</para>
+ <para>If this option is not set, the default is ".infected".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:rename prefix = virusfilter.</term>
+ <listitem>
+ <para>Prefix for infected files.</para>
+ <para>If this option is not set, the default is "virusfilter.".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:rename suffix = .infected</term>
+ <listitem>
+ <para>Suffix for infected files.</para>
+ <para>If this option is not set, the default is ".infected".</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine keep tree = yes</term>
+ <listitem>
+ <para>If keep tree is set, the directory structure relative
+ to the share is maintained in the quarantine directory.
+ </para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine keep name = yes</term>
+ <listitem>
+ <para>Should the file name be left unmodified other than adding a suffix
+ and/or prefix and a random suffix name as defined in virusfilter:rename prefix
+ and virusfilter:rename suffix.</para>
+ <para>If this option is not set, the default is yes.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:infected file command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to ***@example.com --cc "%***@example.com" --from ***@example.com --subject-prefix "Samba: Infected File: "</term>
+ <listitem>
+ <para>External command to run on an infected file is found.</para>
+ <para>If this option is not set, the default is none.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan archive = true</term>
+ <listitem>
+ <para>This defines whether or not to scan archives.</para>
+ <para>Sophos and F-Secure support this and it defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:max nested scan archive = 1</term>
+ <listitem>
+ <para>This defines the maximum depth to search nested archives.</para>
+ <para>The Sophos and F-Secure support this and it defaults to 1.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan mime = true</term>
+ <listitem>
+ <para>This defines whether or not to scan mime files.</para>
+ <para>Only the <emphasis>fsav</emphasis>scanner supports this
+ option and defaults to false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to ***@example.com --from ***@example.com --subject-prefix "Samba: Scan Error: "</term>
+ <listitem>
+ <para>External command to run on scan error.</para>
+ <para>If this option is not set, the default is none.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:exclude files = empty</term>
+ <listitem>
+ <para>Files to exclude from scanning.</para>
+ <para>If this option is not set, the default is empty.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:block access on error = false</term>
+ <listitem>
+ <para>Controls whether or not access should be blocked on
+ a scanning error.</para>
+ <para>If this option is not set, the default is false.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error errno on open = EACCES</term>
+ <listitem>
+ <para>What errno to return on open if there is an error in
+ scanning the file and block access on error is true.
+ </para>
+ <para>If this option is not set, the default is EACCES.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:scan error errno on close = 0</term>
+ <listitem>
+ <para>What errno to return on close if there is an error in
+ scanning the file and block access on error is true.
+ </para>
+ <para>If this option is not set, the default is 0.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:cache entry limit = 100</term>
+ <listitem>
+ <para>The maximum number of entries in the scanning results
+ cache. Due to how Samba's memcache works, this is approximate.</para>
+ <para>If this option is not set, the default is 100.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:cache time limit = 10</term>
+ <listitem>
+ <para>The maximum number of seconds that a scanning result
+ will stay in the results cache. -1 disables the limit.
+ 0 disables caching.</para>
+ <para>If this option is not set, the default is 10.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:quarantine directory mode = 0755</term>
+ <listitem>
+ <para>This is the octet mode for the quarantine directory and
+ its sub-directories as they are created.</para>
+ <para>If this option is not set, the default is 0755 or
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH |
+ S_IXOTH.</para>
+ <para>Permissions must be such that all users can read and
+ search. I.E. don't mess with this unless you really know what
+ you are doing.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>virusfilter:block suspected file = false</term>
+ <listitem>
+ <para>With this option on, suspected malware will be blocked as
+ well. Only the <emphasis>fsav</emphasis>scanner supports this
+ option.</para>
+ <para>If this option is not set, the default is false.</para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>This module can scan other than default streams, if the
+ alternative datastreams are each backed as separate files, such as with
+ the vfs module streams_depot.</para>
+
+ <para>For proper operation the streams support module must be before
+ the virusfilter module in your vfs objects list (i.e. streams_depot
+ must be called before virusfilter module).</para>
+
+ <para>This module is intended for security in depth by providing
+ virus scanning capability on the server. It is not intended to be used
+ in lieu of proper client based security. Other modules for security may
+ exist and may be desirable for security in depth on the server.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+</refsect1>
+
+</refentry>
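Review bot: In the virusfilter:socket path entry, the third default line repeats "For the fsav backend" for /var/run/clamav/clamd.ctl; it should name the clamav backend, otherwise the page documents two fsav defaults and none for ClamAV. In the same entry, and again under scan mime and block suspected file, a space is missing after the closing emphasis tag, so the text renders as "sophosbackend" and "fsavscanner". The quarantine directory entry says the path must be absolute but gives a default of ".quarantine" relative to the share; one of the two statements needs adjusting. The terms for scan archive and scan mime show "= true" while their text says the default is false, unlike the other terms, which show the default value. "octet mode" should read "octal mode". Since block access on error defaults to false, that entry should say outright that a scanner failure lets the open proceed unscanned, because that is the setting an administrator most needs to understand.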
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index f586208..954c62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -90,6 +90,7 @@ manpages='''
manpages/vfs_time_audit.8
manpages/vfs_tsmsm.8
manpages/vfs_unityed_media.8
+ manpages/vfs_virusfilter.8
manpages/vfs_worm.8
manpages/vfs_xattr_tdb.8
manpages/vfstest.1
diff --git a/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
new file mode 100644
index 0000000..a07b914
--- /dev/null
+++ b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
@@ -0,0 +1,284 @@
+#!/bin/ksh
+##
+## Samba-VirusFilter VFS modules
+## Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 3 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program. If not, see <http://www.gnu.org/licenses/>.
+##
+
+set -u
+
+pdie() { echo "$0: ERROR: ${1-}" 1>&2; exit "${2-1}"; }
+
+## ======================================================================
+
+sendmail="${VIRUSFILTER_NOTIFY_SENDMAIL_COMMAND:-/usr/sbin/sendmail}"
+sendmail_opts="${VIRUSFILTER_NOTIFY_SENDMAIL_OPTIONS:-}"
+
+smbclient="${VIRUSFILTER_NOTIFY_SMBCLIENT_COMMAND:-@SAMBA_BINDIR@/smbclient}"
+smbclient_opts="${VIRUSFILTER_NOTIFY_SMBCLIENT_OPTIONS:-}"
+
+## ======================================================================
+
+if [ -n "${VIRUSFILTER_RESULT_IS_CACHE-}" ]; then
+ ## Result is cache. Ignore!
+ exit 0
+fi
+
+if [ ! -t 1 ] && [ -z "${VIRUSFILTER_NOTIFY_BG-}" ]; then
+ export VIRUSFILTER_NOTIFY_BG=1
+ "$0" ${1+"$@"} </dev/null >/dev/null &
+ exit 0
+fi
+
+## ----------------------------------------------------------------------
+
+if [ -n "${VIRUSFILTER_INFECTED_FILE_ACTION-}" ]; then
+ report="$VIRUSFILTER_INFECTED_FILE_REPORT"
+else
+ report="$VIRUSFILTER_SCAN_ERROR_REPORT"
+fi
+
+if [ X"$VIRUSFILTER_SERVER_NAME" != X"$VIRUSFILTER_SERVER_IP" ]; then
+ server_name="$VIRUSFILTER_SERVER_NAME"
+else
+ server_name="$VIRUSFILTER_SERVER_NETBIOS_NAME"
+fi
+
+if [ X"$VIRUSFILTER_CLIENT_NAME" != X"$VIRUSFILTER_CLIENT_IP" ]; then
+ client_name="$VIRUSFILTER_CLIENT_NAME"
+else
+ client_name="$VIRUSFILTER_CLIENT_NETBIOS_NAME"
+fi
+
+mail_to=""
+winpopup_to=""
+subject_prefix=""
+sender=""
+from=""
+cc=""
+bcc=""
+content_type="text/plain"
+content_encoding="UTF-8"
+
+cmd_usage="Usage: $0 [OPTIONS]
+
+Options:
+ --mail-to ADDRESS
+ Send a notice message to this e-mail address(es)
+ --winpopup-to NAME
+ Send a \"WinPopup\" message to this NetBIOS name
+ --sender ADDRESS
+ Envelope sender address for mail
+ --from ADDRESS
+ From: e-mail address for mail
+ --cc ADDRESS
+ Cc: e-mail address(es) for mail
+ --bcc ADDRESS
+ Bcc: e-mail address(es) for mail
+ --subject-prefix PREFIX
+ Subject: prefix string for mail
+ --content-type TYPE
+ --content-encoding ENCODING
+ Content-Type: TYPE; charset=\"ENCODING\" for mail [$content_type; charset=\"$content_encoding\"]
+ --header-file FILE
+ Prepend the content of FILE to the message
+ --footer-file FILE
+ Append the content of FILE to the message
+"
+
+## ----------------------------------------------------------------------
+
+getopts_want_arg()
+{
+ if [ "$#" -lt 2 ]; then
+ pdie "Option requires an argument: $1"
+ fi
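Review bot: With set -u in effect, the bare expansions of $VIRUSFILTER_INFECTED_FILE_REPORT, $VIRUSFILTER_SCAN_ERROR_REPORT, $VIRUSFILTER_SERVER_NAME, $VIRUSFILTER_CLIENT_NAME and their _IP and _NETBIOS_NAME counterparts abort the script with an unbound-variable error if any of them is missing from the environment, while VIRUSFILTER_RESULT_IS_CACHE and VIRUSFILTER_INFECTED_FILE_ACTION are guarded with the ${VAR-} form. Use ${VAR-} consistently, or check the required variables up front and fail through pdie with a clear message. The background re-exec redirects only stdin and stdout, so the child keeps the parent's stderr; redirect it as well if the intent is to detach fully. The usage text should also list the environment variables the script expects from the module, for anyone running it by hand.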
--
Samba Shared Repository
Volker Lendecke
2018-01-25 00:54:03 UTC
The branch, master has been updated
via d4f7d9e libnmb: Fix CID 1428474 Incorrect expression (COPY_PASTE_ERROR)
from cbf743d Samba-VirusFilter: clamav VFS and man page.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d4f7d9e08ca690b8278b35690dfb9e4673c19e00
Author: Volker Lendecke <***@samba.org>
Date: Wed Jan 24 12:57:43 2018 +0100

libnmb: Fix CID 1428474 Incorrect expression (COPY_PASTE_ERROR)

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Thu Jan 25 01:53:53 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/libsmb/nmblib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index bac4340..5bfc129 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -840,7 +840,7 @@ static struct packet_struct *copy_packet_talloc(
ndst->additional = talloc_memdup(
pkt, nsrc->additional,
sizeof(struct res_rec) * nsrc->header.arcount);
- if (ndst->nsrecs == NULL) {
+ if (ndst->additional == NULL) {
goto fail;
}
}
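Review bot: The commit message carries only the Coverity ID and should say what was wrong: in copy_packet_talloc the result of the talloc_memdup into ndst->additional was tested through ndst->nsrecs, so a failed allocation of the additional records was not detected by this check. One sentence to that effect makes the fix findable without access to the Coverity report.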
--
Samba Shared Repository
David Disseldorp
2018-01-25 16:20:02 UTC
The branch, master has been updated
via 849169a Fix wrong condition for error string assignment
via 89c3a1e libnet: Use talloc_zero instead of ZERO_STRUCTP
via e320c4c Samba-VirusFilter: clean up dir check vfs_close and vfs_open
via c890011 Samba-VirusFilter: fix virusfilter_vfs_close() crash
from d4f7d9e libnmb: Fix CID 1428474 Incorrect expression (COPY_PASTE_ERROR)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 849169a7b6ed0beb78bbddf25537521c1ed2f8e1
Author: Swen Schillig <***@vnet.ibm.com>
Date: Thu Jan 25 11:02:15 2018 +0100

Fix wrong condition for error string assignment

Signed-off-by: Swen Schillig <***@vnet.ibm.com>
Reviewed-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): David Disseldorp <***@samba.org>
Autobuild-Date(master): Thu Jan 25 17:19:12 CET 2018 on sn-devel-144

commit 89c3a1ebbe0f22c03d8958df07da9983fd6fd3b5
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 4 20:37:16 2018 +0100

libnet: Use talloc_zero instead of ZERO_STRUCTP

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit e320c4c9b7426be296b3c311861ba2ddeeacdf9f
Author: Trever L. Adams <***@gmail.com>
Date: Wed Jan 24 11:21:11 2018 -0700

Samba-VirusFilter: clean up dir check vfs_close and vfs_open

Signed-off-by: Trever L. Adams <***@gmail.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit c890011a769b497855748e130fa41e998babc305
Author: Trever L. Adams <***@gmail.com>
Date: Wed Jan 24 10:42:11 2018 -0700

Samba-VirusFilter: fix virusfilter_vfs_close() crash

Signed-off-by: Trever L. Adams <***@gmail.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_virusfilter.c | 10 +++++++---
source4/libnet/libnet_join.c | 10 +++++-----
2 files changed, 12 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 9b29923..ef9dc78 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -1153,6 +1153,11 @@ static int virusfilter_vfs_open(
SMB_VFS_HANDLE_GET_DATA(handle, config,
struct virusfilter_config, return -1);

+ if (fsp->is_directory) {
+ DBG_INFO("Not scanned: Directory: %s/\n", cwd_fname);
+ goto virusfilter_vfs_open_next;
+ }
+
test_prefix = strlen(config->rename_prefix);
test_suffix = strlen(config->rename_suffix);
if (test_prefix > 0) {
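Review bot: The new DBG_INFO in virusfilter_vfs_open prints only cwd_fname followed by a slash, so the log line names the share's connect path but not the directory that was skipped; include the directory's own name so the message is usable when tracing. A one-line comment above the is_directory check saying why it sits ahead of the rename_prefix and rename_suffix tests would help the next reader.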
@@ -1303,7 +1308,7 @@ static int virusfilter_vfs_close(
const char *cwd_fname = handle->conn->connectpath;

struct virusfilter_config *config = NULL;
- char *fname = fsp->fsp_name->base_name = NULL;
+ char *fname = fsp->fsp_name->base_name;
int close_result = -1;
int close_errno = 0;
virusfilter_result scan_result;
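Review bot: The commit message says only "fix virusfilter_vfs_close() crash" and should describe the cause: the removed declaration was a chained assignment that left fname NULL and also wrote NULL into fsp->fsp_name->base_name on every close. That second effect changes state outside this function and deserves a sentence in the message, along with a test that exercises close on a regular file.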
@@ -1338,8 +1343,7 @@ static int virusfilter_vfs_close(
}

if (fsp->is_directory) {
- DBG_INFO("Not scanned: Directory: %s/%s\n", cwd_fname,
- fname);
+ DBG_INFO("Not scanned: Directory: %s/\n", cwd_fname);
return close_result;
}

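Review bot: In the is_directory branch of virusfilter_vfs_close the message drops fname, but with the declaration fixed earlier in this patch fname is valid again, so the original "%s/%s" format could stay and keep the directory name in the log. As written, the line logs only the connect path.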
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 0c20644..6cd18e0 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -929,7 +929,7 @@ NTSTATUS libnet_Join_member(struct libnet_context *ctx,
uint32_t acct_type = 0;
const char *account_name;
const char *netbios_name;
- const char *error_string;
+ const char *error_string = NULL;

r->out.error_string = NULL;

@@ -982,14 +982,14 @@ NTSTATUS libnet_Join_member(struct libnet_context *ctx,
return status;
}

- set_secrets = talloc(tmp_mem, struct provision_store_self_join_settings);
+ set_secrets = talloc_zero(tmp_mem,
+ struct provision_store_self_join_settings);
if (!set_secrets) {
r->out.error_string = NULL;
talloc_free(tmp_mem);
return NT_STATUS_NO_MEMORY;
}
-
- ZERO_STRUCTP(set_secrets);
+
set_secrets->domain_name = r2->out.domain_name;
set_secrets->realm = r2->out.realm;
set_secrets->netbios_name = netbios_name;
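Review bot: After the NT_STATUS_NO_MEMORY block, this hunk removes one blank line and adds another, which means the two differ only in whitespace; check that the added line does not carry trailing whitespace and drop that part of the change if it does. The switch to talloc_zero stands on its own without it.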
@@ -1000,7 +1000,7 @@ NTSTATUS libnet_Join_member(struct libnet_context *ctx,

status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
if (!NT_STATUS_IS_OK(status)) {
- if (r->out.error_string) {
+ if (error_string) {
r->out.error_string = talloc_steal(mem_ctx, error_string);
} else {
r->out.error_string
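Review bot: The commit message should state the effect of the wrong condition: the old test looked at r->out.error_string, which libnet_Join_member sets to NULL at entry, rather than at the local error_string filled in by provision_store_self_join, so the talloc_steal branch that hands the provision error text back to the caller was not being selected by the right value. It is also worth saying in the message that the new test depends on the "error_string = NULL" initialisation added earlier in this patch, in case provision_store_self_join fails without setting it.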
--
Samba Shared Repository
Jeremy Allison
2018-01-26 01:26:02 UTC
The branch, master has been updated
via e7425bd s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
from 849169a Fix wrong condition for error string assignment

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e7425bd5245ffea68b7e8f794c9b5f864d103769
Author: Jeremy Allison <***@samba.org>
Date: Wed Jan 24 14:09:43 2018 -0800

s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.

Thanks to Isaac Boukris <***@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/libads/ldap_utils.c | 9 +++++++++
1 file changed, 9 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index a4adbc0..0c37b06 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -105,9 +105,18 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
status = ads_connect(ads);

if (!ADS_ERR_OK(status)) {
+ bool orig_is_mine = ads->is_mine;
+
DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
ads_errstr(status)));
+ /*
+ * We need to keep the ads pointer
+ * from being freed here as we don't own it and
+ * callers depend on it being around.
+ */
+ ads->is_mine = false;
ads_destroy(&ads);
+ ads->is_mine = orig_is_mine;
SAFE_FREE(bp);
return status;
}
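Review bot: The line "ads->is_mine = orig_is_mine;" dereferences ads immediately after ads_destroy(&ads), which is only safe if ads_destroy leaves the pointer non-NULL and the memory allocated when is_mine is false. The added comment explains why the struct must survive but not that assumption; state it in the comment or guard the restore with a NULL check, so that a later change to ads_destroy does not turn this into a write through a NULL or freed pointer.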
--
Samba Shared Repository
Andrew Bartlett
2018-01-30 12:28:02 UTC
The branch, master has been updated
via 0766f06 libcli: Remove finddcs_nbt.c
from e7425bd s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0766f066af4358c37861fd3c57b58869644a53c0
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 29 12:20:19 2018 +0100

libcli: Remove finddcs_nbt.c

This completes commit 06c90cb6f55701effa4cbafaf189a4de8471949b

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue Jan 30 13:27:51 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/libcli/finddcs_nbt.c | 311 -------------------------------------------
1 file changed, 311 deletions(-)
delete mode 100644 source4/libcli/finddcs_nbt.c


Changeset truncated at 500 lines:

diff --git a/source4/libcli/finddcs_nbt.c b/source4/libcli/finddcs_nbt.c
deleted file mode 100644
index 147efde..0000000
--- a/source4/libcli/finddcs_nbt.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- a composite API for finding a DC and its name
-
- Copyright (C) Volker Lendecke 2005
- Copyright (C) Andrew Bartlett <***@samba.org> 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "include/includes.h"
-#include <tevent.h>
-#include "lib/messaging/irpc.h"
-#include "librpc/gen_ndr/ndr_irpc_c.h"
-#include "libcli/composite/composite.h"
-#include "libcli/libcli.h"
-#include "libcli/resolve/resolve.h"
-#include "lib/util/tevent_ntstatus.h"
-#include "libcli/finddc.h"
-
-struct finddcs_nbt_state {
- struct tevent_context *ev;
- struct tevent_req *req;
- struct imessaging_context *msg_ctx;
-
- const char *my_netbios_name;
- const char *domain_name;
- struct dom_sid *domain_sid;
-
- struct nbtd_getdcname r;
- struct nbt_name_status node_status;
-
- int num_dcs;
- struct nbt_dc_name *dcs;
- uint16_t nbt_port;
-};
-
-static void finddcs_nbt_name_resolved(struct composite_context *ctx);
-static void finddcs_nbt_getdc_replied(struct tevent_req *subreq);
-static void fallback_node_status(struct finddcs_nbt_state *state);
-static void fallback_node_status_replied(struct nbt_name_request *name_req);
-
-/*
- * Setup and send off the a normal name resolution for the target name.
- *
- * The domain_sid parameter is optional, and is used in the subsequent getdc request.
- *
- * This will try a GetDC request, but this may not work. It will try
- * a node status as a fallback, then return no name (but still include
- * the IP)
- */
-
-struct tevent_req *finddcs_nbt_send(TALLOC_CTX *mem_ctx,
- const char *my_netbios_name,
- uint16_t nbt_port,
- const char *domain_name,
- int name_type,
- struct dom_sid *domain_sid,
- struct resolve_context *resolve_ctx,
- struct tevent_context *event_ctx,
- struct imessaging_context *msg_ctx)
-{
- struct finddcs_nbt_state *state;
- struct nbt_name name;
- struct tevent_req *req;
- struct composite_context *creq;
-
- req = tevent_req_create(mem_ctx, &state, struct finddcs_nbt_state);
- if (req == NULL) {
- return NULL;
- }
-
- state->req = req;
- state->ev = event_ctx;
- state->nbt_port = nbt_port;
- state->my_netbios_name = talloc_strdup(state, my_netbios_name);
- if (tevent_req_nomem(state->my_netbios_name, req)) {
- return tevent_req_post(req, event_ctx);
- }
- state->domain_name = talloc_strdup(state, domain_name);
- if (tevent_req_nomem(state->domain_name, req)) {
- return tevent_req_post(req, event_ctx);
- }
-
- if (domain_sid) {
- state->domain_sid = dom_sid_dup(state, domain_sid);
- if (tevent_req_nomem(state->domain_sid, req)) {
- return tevent_req_post(req, event_ctx);
- }
- } else {
- state->domain_sid = NULL;
- }
-
- state->msg_ctx = msg_ctx;
-
- make_nbt_name(&name, state->domain_name, name_type);
- creq = resolve_name_send(resolve_ctx, state, &name, event_ctx);
- if (tevent_req_nomem(creq, req)) {
- return tevent_req_post(req, event_ctx);
- }
- creq->async.fn = finddcs_nbt_name_resolved;
- creq->async.private_data = state;
-
- return req;
-}
-
-/* Having got an name query answer, fire off a GetDC request, so we
- * can find the target's all-important name. (Kerberos and some
- * netlogon operations are quite picky about names)
- *
- * The name is a courtesy, if we don't find it, don't completely fail.
- *
- * However, if the nbt server is down, fall back to a node status
- * request
- */
-static void finddcs_nbt_name_resolved(struct composite_context *ctx)
-{
- struct finddcs_nbt_state *state =
- talloc_get_type(ctx->async.private_data, struct finddcs_nbt_state);
- struct tevent_req *subreq;
- struct dcerpc_binding_handle *irpc_handle;
- const char *address;
- NTSTATUS status;
-
- status = resolve_name_recv(ctx, state, &address);
- if (tevent_req_nterror(state->req, status)) {
- return;
- }
-
- /* TODO: This should try and find all the DCs, and give the
- * caller them in the order they responded */
-
- state->num_dcs = 1;
- state->dcs = talloc_array(state, struct nbt_dc_name, state->num_dcs);
- if (tevent_req_nomem(state->dcs, state->req)) {
- return;
- }
-
- state->dcs[0].address = talloc_steal(state->dcs, address);
-
- /* Try and find the nbt server. Fallback to a node status
- * request if we can't make this happen The nbt server just
- * might not be running, or we may not have a messaging
- * context (not root etc) */
- if (!state->msg_ctx) {
- fallback_node_status(state);
- return;
- }
-
- irpc_handle = irpc_binding_handle_by_name(state, state->msg_ctx,
- "nbt_server", &ndr_table_irpc);
- if (irpc_handle == NULL) {
- fallback_node_status(state);
- return;
- }
-
- state->r.in.domainname = state->domain_name;
- state->r.in.ip_address = state->dcs[0].address;
- state->r.in.my_computername = state->my_netbios_name;
- state->r.in.my_accountname = talloc_asprintf(state, "%s$", state->my_netbios_name);
- if (tevent_req_nomem(state->r.in.my_accountname, state->req)) {
- return;
- }
- state->r.in.account_control = ACB_WSTRUST;
- state->r.in.domain_sid = state->domain_sid;
- if (state->r.in.domain_sid == NULL) {
- state->r.in.domain_sid = talloc_zero(state, struct dom_sid);
- }
-
- subreq = dcerpc_nbtd_getdcname_r_send(state, state->ev,
- irpc_handle, &state->r);
- if (tevent_req_nomem(subreq, state->req)) {
- return;
- }
- tevent_req_set_callback(subreq, finddcs_nbt_getdc_replied, state);
-}
-
-/* Called when the GetDC request returns */
-static void finddcs_nbt_getdc_replied(struct tevent_req *subreq)
-{
- struct finddcs_nbt_state *state =
- tevent_req_callback_data(subreq,
- struct finddcs_nbt_state);
- NTSTATUS status;
-
- status = dcerpc_nbtd_getdcname_r_recv(subreq, state);
- TALLOC_FREE(subreq);
- if (!NT_STATUS_IS_OK(status)) {
- fallback_node_status(state);
- return;
- }
-
- state->dcs[0].name = talloc_steal(state->dcs, state->r.out.dcname);
- tevent_req_done(state->req);
-}
-
-/* The GetDC request might not be available (such as occours when the
- * NBT server is down). Fallback to a node status. It is the best
- * hope we have... */
-static void fallback_node_status(struct finddcs_nbt_state *state)
-{
- struct nbt_name_socket *nbtsock;
- struct nbt_name_request *name_req;
-
- state->node_status.in.name.name = "*";
- state->node_status.in.name.type = NBT_NAME_CLIENT;
- state->node_status.in.name.scope = NULL;
- state->node_status.in.dest_addr = state->dcs[0].address;
- state->node_status.in.dest_port = state->nbt_port;
- state->node_status.in.timeout = 1;
- state->node_status.in.retries = 2;
-
- nbtsock = nbt_name_socket_init(state, state->ev);
- if (tevent_req_nomem(nbtsock, state->req)) {
- return;
- }
-
- name_req = nbt_name_status_send(nbtsock, &state->node_status);
- if (tevent_req_nomem(name_req, state->req)) {
- return;
- }
-
- name_req->async.fn = fallback_node_status_replied;
- name_req->async.private_data = state;
-}
-
-/* We have a node status reply (or perhaps a timeout) */
-static void fallback_node_status_replied(struct nbt_name_request *name_req)
-{
- int i;
- struct finddcs_nbt_state *state = talloc_get_type(name_req->async.private_data, struct finddcs_nbt_state);
- NTSTATUS status;
-
- status = nbt_name_status_recv(name_req, state, &state->node_status);
- if (tevent_req_nterror(state->req, status)) {
- return;
- }
-
- for (i=0; i < state->node_status.out.status.num_names; i++) {
- int j;
- if (state->node_status.out.status.names[i].type == NBT_NAME_SERVER) {
- char *name = talloc_strndup(state->dcs, state->node_status.out.status.names[0].name, 15);
- /* Strip space padding */
- if (name) {
- j = MIN(strlen(name), 15);
- for (; j > 0 && name[j - 1] == ' '; j--) {
- name[j - 1] = '\0';
- }
- }
- state->dcs[0].name = name;
- tevent_req_done(state->req);
- return;
- }
- }
- tevent_req_nterror(state->req, NT_STATUS_NO_LOGON_SERVERS);
-}
-
-NTSTATUS finddcs_nbt_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- int *num_dcs, struct nbt_dc_name **dcs)
-{
- struct finddcs_nbt_state *state = tevent_req_data(req, struct finddcs_nbt_state);
- bool ok;
- NTSTATUS status;
-
- ok = tevent_req_poll(req, state->ev);
- if (!ok) {
- talloc_free(req);
- return NT_STATUS_INTERNAL_ERROR;
- }
- status = tevent_req_simple_recv_ntstatus(req);
- if (NT_STATUS_IS_OK(status)) {
- *num_dcs = state->num_dcs;
- *dcs = talloc_steal(mem_ctx, state->dcs);
- }
- return status;
-}
-
-NTSTATUS finddcs_nbt(TALLOC_CTX *mem_ctx,
- const char *my_netbios_name,
- uint16_t nbt_port,
- const char *domain_name, int name_type,
- struct dom_sid *domain_sid,
- struct resolve_context *resolve_ctx,
- struct tevent_context *event_ctx,
- struct imessaging_context *msg_ctx,
- int *num_dcs, struct nbt_dc_name **dcs)
-{
- NTSTATUS status;
- struct tevent_req *req = finddcs_nbt_send(mem_ctx,
- my_netbios_name,
- nbt_port,
- domain_name, name_type,
- domain_sid,
- resolve_ctx,
- event_ctx, msg_ctx);
- status = finddcs_nbt_recv(req, mem_ctx, num_dcs, dcs);
- talloc_free(req);
- return status;
-}
--
Samba Shared Repository
Martin Schwenke
2018-01-30 17:13:02 UTC
The branch, master has been updated
via 32d867c ctdb-common: Optimize sock_queue's memory managament
via eae2d35 ctdb-common: Remove sock_queue_destructor
via f9150c5 ctdb-common: Return if packet size is zero
from 0766f06 libcli: Remove finddcs_nbt.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 32d867cf09a15626b991be414ab6440f68953f35
Author: Swen Schillig <***@vnet.ibm.com>
Date: Mon Jan 8 14:55:31 2018 +0100

ctdb-common: Optimize sock_queue's memory managament

Make use of talloc pools for the sock_queue's memory requirements.

Signed-off-by: Swen Schillig <***@vnet.ibm.com>
Reviewed-by: Amitay Isaacs <***@gmail.com>
Reviewed-by: Martin Schwenke <***@meltin.net>

Autobuild-User(master): Martin Schwenke <***@samba.org>
Autobuild-Date(master): Tue Jan 30 18:12:32 CET 2018 on sn-devel-144

commit eae2d35fec071b020f420ba74ac6551c84140a4d
Author: Swen Schillig <***@vnet.ibm.com>
Date: Mon Jan 8 14:13:46 2018 +0100

ctdb-common: Remove sock_queue_destructor

The sock_queue_destructor is not needed.
The performed tasks will be performed automatically.

Signed-off-by: Swen Schillig <***@vnet.ibm.com>
Reviewed-by: Amitay Isaacs <***@gmail.com>
Reviewed-by: Martin Schwenke <***@meltin.net>

commit f9150c5fa0ac81a848dbb6978a73c10170648d5b
Author: Swen Schillig <***@vnet.ibm.com>
Date: Mon Jan 8 14:10:40 2018 +0100

ctdb-common: Return if packet size is zero

Prevent further processing of sock_queue_process
if the received packet size is zero.

Signed-off-by: Swen Schillig <***@vnet.ibm.com>
Reviewed-by: Amitay Isaacs <***@gmail.com>
Reviewed-by: Martin Schwenke <***@meltin.net>

-----------------------------------------------------------------------

Summary of changes:
ctdb/common/sock_io.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/sock_io.c b/ctdb/common/sock_io.c
index 3f7138f..51341ce 100644
--- a/ctdb/common/sock_io.c
+++ b/ctdb/common/sock_io.c
@@ -94,8 +94,18 @@ struct sock_queue {
size_t buflen, begin, end;
};

+/*
+ * The reserved talloc headers, SOCK_QUEUE_OBJ_COUNT,
+ * and the pre-allocated pool-memory SOCK_QUEUE_POOL_SIZE,
+ * are used for the sub-objects queue->im, queue->queue, queue->fde
+ * and queue->buf.
+ * If the memory allocating sub-objects of struct sock_queue change,
+ * those values need to be adjusted.
+ */
+#define SOCK_QUEUE_OBJ_COUNT 4
+#define SOCK_QUEUE_POOL_SIZE 2048
+
static bool sock_queue_set_fd(struct sock_queue *queue, int fd);
-static int sock_queue_destructor(struct sock_queue *queue);
static void sock_queue_handler(struct tevent_context *ev,
struct tevent_fd *fde, uint16_t flags,
void *private_data);
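Review bot: SOCK_QUEUE_POOL_SIZE is a bare 2048 in the new #define block, and the comment above it names the four sub-objects without saying how their sizes add up to that figure. Please record the derivation (in particular what size queue->buf is assumed to have), so that the instruction "those values need to be adjusted" can actually be followed later. It would also help to state what happens when the pool is too small: talloc falls back to ordinary allocations in that case, so an undersized pool silently loses the optimization instead of failing.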
@@ -112,10 +122,12 @@ struct sock_queue *sock_queue_setup(TALLOC_CTX *mem_ctx,
{
struct sock_queue *queue;

- queue = talloc_zero(mem_ctx, struct sock_queue);
+ queue = talloc_pooled_object(mem_ctx, struct sock_queue,
+ SOCK_QUEUE_OBJ_COUNT, SOCK_QUEUE_POOL_SIZE);
if (queue == NULL) {
return NULL;
}
+ memset(queue, 0, sizeof(struct sock_queue));

queue->ev = ev;
queue->callback = callback;
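Review bot: the added memset(queue, 0, sizeof(struct sock_queue)) repeats the type name; sizeof(*queue), or the ZERO_STRUCTP(queue) macro used elsewhere in the tree, stays correct if the variable's type ever changes. A short comment that talloc_pooled_object() does not zero the object, unlike the talloc_zero() it replaces, would explain why the line is there.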
@@ -138,8 +150,6 @@ struct sock_queue *sock_queue_setup(TALLOC_CTX *mem_ctx,
return NULL;
}

- talloc_set_destructor(queue, sock_queue_destructor);
-
return queue;
}

@@ -168,14 +178,6 @@ static bool sock_queue_set_fd(struct sock_queue *queue, int fd)
return true;
}

-static int sock_queue_destructor(struct sock_queue *queue)
-{
- TALLOC_FREE(queue->fde);
- queue->fd = -1;
-
- return 0;
-}
-
static void sock_queue_handler(struct tevent_context *ev,
struct tevent_fd *fde, uint16_t flags,
void *private_data)
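Review bot: the removed sock_queue_destructor() did two things, TALLOC_FREE(queue->fde) and queue->fd = -1, and the commit message only says they "will be performed automatically". If the reasoning is that queue->fde is allocated with queue as its talloc parent and is therefore freed with it, please say so in the commit message, since the allocation in sock_queue_set_fd() is outside the visible context and a later change of parent would quietly reintroduce a leaked fd event.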
@@ -231,6 +233,7 @@ static void sock_queue_process(struct sock_queue *queue)
if (pkt_size == 0) {
D_ERR("Invalid packet of length 0\n");
queue->callback(NULL, 0, queue->private_data);
+ return;
}

if ((queue->end - queue->begin) < pkt_size) {
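Review bot: the new return in the pkt_size == 0 branch leaves queue->begin untouched, so the zero-length header is still at the front of the buffer when the function exits. That is only safe if queue->callback(NULL, 0, ...) always leads to the queue being torn down; if any caller keeps the queue alive, the next sock_queue_process() run will hit the same header and report the same error again. Please add a comment stating that assumption, or discard the buffered data before returning.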
--
Samba Shared Repository
Andreas Schneider
2018-01-30 23:39:02 UTC
The branch, master has been updated
via 9fc4712 s3: librpc: Allow client to correctly report etype unsupported by KDC to caller.
from 32d867c ctdb-common: Optimize sock_queue's memory managament

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9fc471242fac5fec170a3d9ba599d81ed7374954
Author: Jeremy Allison <***@samba.org>
Date: Mon Jan 29 12:52:14 2018 -0800

s3: librpc: Allow client to correctly report etype unsupported by KDC to caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13247

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Wed Jan 31 00:38:09 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/librpc/crypto/gse.c | 3 +++
1 file changed, 3 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index bcda8de..5cb6647 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -526,6 +526,9 @@ init_sec_context_done:
/* Garbage input, possibly from the auto-mech detection */
status = NT_STATUS_INVALID_PARAMETER;
goto done;
+ case (OM_uint32)KRB5KDC_ERR_ETYPE_NOSUPP:
+ status = NT_STATUS_KDC_UNKNOWN_ETYPE;
+ goto done;
default:
DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
gse_errstr(talloc_tos(), gss_maj, gss_min),
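Review bot: the new KRB5KDC_ERR_ETYPE_NOSUPP case jumps to done without logging anything, while the default branch directly below reports gss_maj and gss_min through DBG_ERR. An unsupported enctype is something an administrator has to fix in configuration, so a debug message naming the condition would make the resulting NT_STATUS_KDC_UNKNOWN_ETYPE much easier to trace. The case also lacks the one-line comment that the preceding case carries; a note that gss_min holds the Kerberos error code here would explain the (OM_uint32) cast.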
--
Samba Shared Repository
Jeremy Allison
2018-01-31 04:29:02 UTC
The branch, master has been updated
via 21eb516 vfs_virusfilter: Fix CID 1428738 Macro compares unsigned to 0
via 734404b vfs_virusfilter: Fix CID 1428740 Macro compares unsigned to 0
via 8a4409c vfs_virusfilter: Fix CID 1428739 Buffer not null terminated
from 9fc4712 s3: librpc: Allow client to correctly report etype unsupported by KDC to caller.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 21eb5169f46b8d819a5d5d028baff581e4e63de6
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 30 12:37:30 2018 +0100

vfs_virusfilter: Fix CID 1428738 Macro compares unsigned to 0

vsnprintf returns "int" and not "size_t"

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Wed Jan 31 05:28:48 CET 2018 on sn-devel-144

commit 734404bbe911fd4aa6565b2a2aaecab4fbbf3c45
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 30 12:36:14 2018 +0100

vfs_virusfilter: Fix CID 1428740 Macro compares unsigned to 0

vsnprintf returns "int" and not "size_t"

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 8a4409c956bdbe5d928e685b7c219566d467a627
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 30 12:34:11 2018 +0100

vfs_virusfilter: Fix CID 1428739 Buffer not null terminated

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_virusfilter_utils.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_virusfilter_utils.c b/source3/modules/vfs_virusfilter_utils.c
index 628e0ae..90ae427 100644
--- a/source3/modules/vfs_virusfilter_utils.c
+++ b/source3/modules/vfs_virusfilter_utils.c
@@ -148,10 +148,16 @@ bool virusfilter_io_connect_path(
struct sockaddr_un addr;
NTSTATUS status;
int socket, bes_result, flags, ret;
+ size_t len;

ZERO_STRUCT(addr);
addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, path, sizeof(addr.sun_path));
+
+ len = strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
+ if (len >= sizeof(addr.sun_path)) {
+ io_h->stream = NULL;
+ return false;
+ }

status = open_socket_out((struct sockaddr_storage *)&addr, 0,
io_h->connect_timeout,
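Review bot: the new over-long path branch, if (len >= sizeof(addr.sun_path)), returns false without a log line, so a misconfigured scanner socket path fails with no hint that truncation was the cause. A DBG_ERR naming the path and the sun_path limit would make this diagnosable. The strlcpy() plus length check itself is the right replacement for strncpy(), which could leave sun_path unterminated.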
@@ -389,7 +395,7 @@ bool virusfilter_io_writefl(
{
va_list ap;
char data[VIRUSFILTER_IO_BUFFER_SIZE + VIRUSFILTER_IO_EOL_SIZE];
- size_t data_size;
+ int data_size;

va_start(ap, data_fmt);
data_size = vsnprintf(data, VIRUSFILTER_IO_BUFFER_SIZE, data_fmt, ap);
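Review bot: with data_size now an int, the check that follows this vsnprintf() call (outside the hunk) has to handle two separate outcomes: a negative return on error, and a return >= VIRUSFILTER_IO_BUFFER_SIZE when the output was truncated. Please confirm both are rejected before data_size is used as a length, because on truncation the value is the length the full string would have had, not the number of bytes in data.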
@@ -411,7 +417,7 @@ bool virusfilter_io_vwritefl(
const char *data_fmt, va_list ap)
{
char data[VIRUSFILTER_IO_BUFFER_SIZE + VIRUSFILTER_IO_EOL_SIZE];
- size_t data_size;
+ int data_size;

data_size = vsnprintf(data, VIRUSFILTER_IO_BUFFER_SIZE, data_fmt, ap);
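Review bot: virusfilter_io_vwritefl() declares the same data buffer and makes the same vsnprintf() call as virusfilter_io_writefl() in the previous hunk, which is why the identical type fix had to be applied twice under two CIDs. Consider having virusfilter_io_writefl() do only va_start/va_end and call virusfilter_io_vwritefl(), so the length handling lives in one place.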
--
Samba Shared Repository
Jeremy Allison
2018-01-31 23:34:03 UTC
The branch, master has been updated
via 925dc87 talloc_zero libnet_context on init
from 21eb516 vfs_virusfilter: Fix CID 1428738 Macro compares unsigned to 0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 925dc87a2ae47ba67e33d46b059fd9a57772dabf
Author: Swen Schillig <***@vnet.ibm.com>
Date: Fri Jan 26 09:12:12 2018 +0100

talloc_zero libnet_context on init

Zero the libnet_context on initialization
preventing an uninitialized cli_credentials struct.

Signed-off-by: Swen Schillig <***@vnet.ibm.com>
Reviewed-by: Christof Schmitt <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Thu Feb 1 00:33:34 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/libnet/libnet.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/libnet/libnet.c b/source4/libnet/libnet.c
index 32df85d..a590893 100644
--- a/source4/libnet/libnet.c
+++ b/source4/libnet/libnet.c
@@ -33,8 +33,8 @@ struct libnet_context *libnet_context_init(struct tevent_context *ev,
return NULL;
}

- /* create brand new libnet context */
- ctx = talloc(ev, struct libnet_context);
+ /* create brand new libnet context */
+ ctx = talloc_zero(ev, struct libnet_context);
if (!ctx) {
return NULL;
}
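Review bot: the first changed pair in this hunk, the "create brand new libnet context" comment, is a whitespace-only edit riding along with the functional talloc() to talloc_zero() change. Please drop it or move it to a separate cleanup commit so the fix is a one-line diff. It would also help if the commit message named the member that was left uninitialized, since nothing in the visible lines shows where the cli_credentials pointer lives in struct libnet_context.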
@@ -48,14 +48,8 @@ struct libnet_context *libnet_context_init(struct tevent_context *ev,
/* name resolution methods */
ctx->resolve_ctx = lpcfg_resolve_context(lp_ctx);

- /* connected services' params */
- ZERO_STRUCT(ctx->samr);
- ZERO_STRUCT(ctx->lsa);
-
/* default buffer size for various operations requiring specifying a buffer */
ctx->samr.buf_size = 128;

- ctx->server_address = NULL;
-
return ctx;
}
--
Samba Shared Repository
Andrew Bartlett
2018-02-01 06:58:02 UTC
The branch, master has been updated
via b367382 WHATSNEW: Mention new option "apply group policies"
via e10de35 gpo: Correct WHATSNEW
via c90cf06 gpo: Correct documentation
via 83d4220 WHATSNEW: Add section for "samba-tool visualize"
from 925dc87 talloc_zero libnet_context on init

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b3673824adc16a2b26c5fd3c661062d95c3c83eb
Author: Andrew Bartlett <***@samba.org>
Date: Tue Jan 16 16:25:38 2018 +1300

WHATSNEW: Mention new option "apply group policies"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13223

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Thu Feb 1 07:57:54 CET 2018 on sn-devel-144

commit e10de35fabd728e0a81ec1d331255d12bef19686
Author: David Mulder <***@suse.com>
Date: Mon Jan 15 08:20:08 2018 -0700

gpo: Correct WHATSNEW

The WHATSNEW incorrectly explains how to enable gpo.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13223

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit c90cf067e6822d742276beee3b73151994f81d8b
Author: David Mulder <***@suse.com>
Date: Mon Jan 15 11:37:47 2018 -0700

gpo: Correct documentation

The doc still contains a reference to env var
policy (which isn't present in this release).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13223

Signed-off-by: David Mulder <***@suse.com>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 83d42203d7d7f7171d44724720fa5cd99590b90b
Author: Andrew Bartlett <***@samba.org>
Date: Tue Jan 16 16:23:39 2018 +1300

WHATSNEW: Add section for "samba-tool visualize"

(text from the commit message by Douglas adding the feature)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13226

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 26 ++++++++++++++++++++++++-
docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 9 ++++-----
2 files changed, 29 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f2da373..6cc362d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -27,7 +27,7 @@ renew lifetime).
Adds the samba_gpoupdate script for applying and unapplying
policy. Can be applied automatically by setting

- 'server services = +gpoupdate'.
+ 'apply group policies = yes'.

Time Machine Support with vfs_fruit
-----------------------------------
@@ -88,6 +88,29 @@ The key file "encrypted_secrets.key" is created in the same directory
as the database and should NEVER be disclosed. It is included by the
samba_backup script.

+Active Directory replication visualisation
+------------------------------------------
+
+To work out what is happening in a replication graph, it is sometimes
+helpful to use visualisations. We introduce a samba-tool subcommand to
+write Graphviz dot output and generate text-based heatmaps of the
+distance in hops between DCs.
+
+There are two subcommands, two graphical modes, and (roughly) two modes of
+operation with respect to the location of authority.
+
+`samba-tool visualize ntdsconn` looks at NTDS Connections.
+`samba-tool visualize reps` looks at repsTo and repsFrom objects.
+
+In '--distance' mode (default), the distances between DCs are shown in
+a matrix in the terminal. With '--color=yes', this is depicted as a
+heatmap. With '--utf8' it is a lttle prettier.
+
+In '--dot' mode, Graphviz dot output is generated. When viewed using
+dot or xdot, this shows the network as a graph with DCs as vertices
+and connections edges. Certain types of degenerate edges are shown in
+different colours or line-styles.
+
NT4-style replication based net commands removed
------------------------------------------------

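Review bot: two wording slips in the added "Active Directory replication visualisation" section: "it is a lttle prettier" should read "a little prettier", and "DCs as vertices and connections edges" is missing a word ("connections as edges"). The sentence "There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority" also promises a third item that the following paragraphs never describe; either explain the location-of-authority modes or drop the clause.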
@@ -171,6 +194,7 @@ smb.conf changes

Parameter Name Description Default
-------------- ----------- -------
+ apply group policies New no
auth methods Removed
binddns dir New
client schannel Default changed/ yes
diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
index 147751b..3ce26d7 100644
--- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
+++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
@@ -6,11 +6,10 @@
<description>
<para>This option sets the command that is called to apply GPO policies.
The samba_gpoupdate script applies System Access and Kerberos Policies
- to the KDC, or Environment Variable policies to client machines. System
- Access policies set minPwdAge, maxPwdAge, minPwdLength, and
- pwdProperties in the samdb. Kerberos Policies set kdc:service ticket
- lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in
- smb.conf.
+ to the KDC. System Access policies set minPwdAge, maxPwdAge,
+ minPwdLength, and pwdProperties in the samdb. Kerberos Policies set
+ kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal
+ lifetime in smb.conf.
</para>
</description>
--
Samba Shared Repository
Ralph Böhme
2018-02-03 22:43:02 UTC
The branch, master has been updated
via 84f07a8 s3/smbd: fix handling of delete-on-close on directories
via 4c857e0 selftest: run deltest20 against s3 as well
from b367382 WHATSNEW: Mention new option "apply group policies"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 84f07a8dcb8ee3a27be96f3baea5313bd0eaa084
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 11 17:52:06 2018 +0100

s3/smbd: fix handling of delete-on-close on directories

This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.

Windows servers implement this check, Samba doesn't as it has performance
implications.

This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Sat Feb 3 23:42:16 CET 2018 on sn-devel-144

commit 4c857e08a019174b16155fc9311ad788cdafd4cc
Author: Ralph Boehme <***@samba.org>
Date: Fri Jan 12 17:32:44 2018 +0100

selftest: run deltest20 against s3 as well

This marks the test as knownfail, the next commit fixes it.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
.../tuning/checkparentdirectorydeleteonclose.xml | 13 +++++++
lib/param/loadparm.c | 2 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 1 +
source3/param/loadparm.c | 1 +
source3/smbd/open.c | 45 +++++++++++++++++++++-
source4/torture/basic/delete.c | 4 --
7 files changed, 62 insertions(+), 5 deletions(-)
create mode 100644 docs-xml/smbdotconf/tuning/checkparentdirectorydeleteonclose.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/tuning/checkparentdirectorydeleteonclose.xml b/docs-xml/smbdotconf/tuning/checkparentdirectorydeleteonclose.xml
new file mode 100644
index 0000000..1de0609
--- /dev/null
+++ b/docs-xml/smbdotconf/tuning/checkparentdirectorydeleteonclose.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="check parent directory delete on close"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>A Windows SMB server prevents the client from creating files in a
+ directory that has the delete-on-close flag set. By default Samba doesn't
+ perform this check as this check is a quite expensive operation in Samba.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
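Review bot: the new description explains why the default is "no" but never says what happens when the option is set to "yes". Please add a sentence stating that, when enabled, creating a file or subdirectory in a directory with delete-on-close set fails with NT_STATUS_DELETE_PENDING, matching the check added in source3/smbd/open.c. The phrase "as this check is a quite expensive operation" could also be tightened to "as this check is quite expensive".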
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 7854f57..efad4a1 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2998,6 +2998,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "prefork children", "1");

+ lpcfg_do_global_parameter(lp_ctx, "check parent directory delete on close", "no");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f2dcdd1..ee7c3be 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -231,6 +231,7 @@ sub setup_nt4_dc($$)
rpc_daemon:lsasd = fork
rpc_daemon:fssd = fork
fss: sequence timeout = 1
+ check parent directory delete on close = yes
";

my $vars = $self->provision($path, "SAMBA-TEST",
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c161ee0..123bf6c 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1815,6 +1815,7 @@ sub provision_ad_dc($$$$$$)
smbd:writetimeupdatedelay = 500000
create mask = 755
dos filemode = yes
+ check parent directory delete on close = yes

dcerpc endpoint servers = -winreg -srvsvc

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 096c23f..b1b502c 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -244,6 +244,7 @@ static const struct loadparm_service _sDefault =
.smb_encrypt = SMB_SIGNING_DEFAULT,
.kernel_share_modes = true,
.durable_handles = true,
+ .check_parent_directory_delete_on_close = false,
.param_opt = NULL,
.dummy = ""
};
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e55c394..5817bdb 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -253,6 +253,11 @@ NTSTATUS check_parent_access(struct connection_struct *conn,
struct security_descriptor *parent_sd = NULL;
uint32_t access_granted = 0;
struct smb_filename *parent_smb_fname = NULL;
+ struct share_mode_lock *lck = NULL;
+ struct file_id id = {0};
+ uint32_t name_hash;
+ bool delete_on_close_set;
+ int ret;

if (!parent_dirname(talloc_tos(),
smb_fname->base_name,
@@ -320,7 +325,45 @@ NTSTATUS check_parent_access(struct connection_struct *conn,
return status;
}

- return NT_STATUS_OK;
+ if (!(access_mask & (SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR))) {
+ return NT_STATUS_OK;
+ }
+ if (!lp_check_parent_directory_delete_on_close(SNUM(conn))) {
+ return NT_STATUS_OK;
+ }
+
+ /* Check if the directory has delete-on-close set */
+ ret = SMB_VFS_STAT(conn, parent_smb_fname);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ goto out;
+ }
+
+ id = SMB_VFS_FILE_ID_CREATE(conn, &parent_smb_fname->st);
+
+ status = file_name_hash(conn, parent_smb_fname->base_name, &name_hash);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ lck = get_existing_share_mode_lock(talloc_tos(), id);
+ if (lck == NULL) {
+ status = NT_STATUS_OK;
+ goto out;
+ }
+
+ delete_on_close_set = is_delete_on_close_set(lck, name_hash);
+ if (delete_on_close_set) {
+ status = NT_STATUS_DELETE_PENDING;
+ goto out;
+ }
+
+ status = NT_STATUS_OK;
+
+out:
+ TALLOC_FREE(lck);
+ TALLOC_FREE(parent_smb_fname);
+ return status;
}

/****************************************************************************
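Review bot: the two new early exits, after the access_mask test and after the lp_check_parent_directory_delete_on_close() test, use a bare return NT_STATUS_OK and so bypass the out: label that this same hunk introduces to free lck and parent_smb_fname. If parent_smb_fname lives on talloc_tos() this is not a leak, but the function now has two cleanup conventions; setting status = NT_STATUS_OK and using goto out in both places would keep it uniform. Separately, name_hash is declared without an initializer in the previous hunk while lck and id are initialized; it is only read after file_name_hash() succeeds, so this is safe today, but initializing it to 0 would match its neighbours.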
diff --git a/source4/torture/basic/delete.c b/source4/torture/basic/delete.c
index d74063c..54815b9 100644
--- a/source4/torture/basic/delete.c
+++ b/source4/torture/basic/delete.c
@@ -1766,10 +1766,6 @@ static bool deltest20(struct torture_context *tctx, struct smbcli_state *cli1, s

/* Test 20 -- non-empty directory hardest to get right... */

- if (torture_setting_bool(tctx, "samba3", false)) {
- return true;
- }
-
smbcli_deltree(cli1->tree, dname);

dnum1 = smbcli_nt_create_full(cli1->tree, dname, 0,
--
Samba Shared Repository
Stefan Metzmacher
2018-02-05 17:33:02 UTC
The branch, master has been updated
via 0c3348f dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature
via 5bf823d dbcheck: add support for restoring missing forward links
via d59f201 dbcheck: add find_missing_forward_links_from_backlinks()
via 182fb3c dbcheck: make sure we ask for replPropertyMetaData if we need to process any forward link attributes
via 2059803 dbcheck: make sure we always ask for the objectGUID attribute explicitly
via e258b4f dbcheck: add a helper function that checks is a value has duplicate links
via e4cc062 dbcheck: add a dict where we remember attributes with duplicate links
via 44a8782 dbcheck: split out check_duplicate_links from check_dn
via 7df17c0 dbcheck: store fixed forward link attributes with the correct sorting
via b0bc3f6 dbcheck: remove ldb.FLAG_MOD_REPLACE when replacing search results for forward links
via ec433f8 dbcheck: rename err_duplicate_links() to err_recover_forward_links() and adjust the output message
via dc43d31 dbcheck: add link direction to error message for duplicate links
via a651cc7 dbcheck: rename err_duplicate_links arguments
via 9f47fe6 dbcheck: only pass obj_dn to err_orphaned_backlink()
via 6f77503 dbcheck: add forward_syntax argument to err_orphaned_backlink
via 4a71394 dbcheck: rename and reorder err_orphaned_backlink arguments
via 52bd0b0 selftest/dbcheck: add a test for corrupt forward links restoration
via 8c01acd Revert "dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links"
via 55d4665 python/common: add __cmp__ function to dsdb_Dn similar to parsed_dn_compare()
via c56eb49 python:tests: add test_dsdb_Dn_sorted() to "samba.tests.common"
via 1341780 python:tests: remove test_dsdb_Dn() to test_dsdb_Dn_binary()
via 681e0a1 python:tests: use TestCaseInTempDir for "samba.tests.common"
via 28fcf63 python/netcmd: implement __repr__ for class CommandError
from 84f07a8 s3/smbd: fix handling of delete-on-close on directories

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0c3348feb09f4f0ba85455b8c3ff5c5fa60d139b
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 31 09:50:47 2018 +0100

dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Mon Feb 5 18:32:51 CET 2018 on sn-devel-144

commit 5bf823d68bd33ee3160175a18a3838eff4e3cbb2
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 14:48:55 2018 +0100

dbcheck: add support for restoring missing forward links

This recovers broken databases with duplicate and missing
forward links.

See commit a25c99c9f1fd1814c56c21848c748cd0e038eed7 for
the fix that prevents the problem from happening.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit d59f201388e8a16688adda145734dab8e27b785f
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 14:48:55 2018 +0100

dbcheck: add find_missing_forward_links_from_backlinks()

find_missing_forward_links_from_backlinks() finds and returns missing forward-links by
searching for all objects that link to the object in the backlink attribute.

This will be used in the next commit to restore forward links in a corrupted
forward link attribute by passing the missing backlink objects to
err_recover_forward_links().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 182fb3c4c9db8715d0dbcbc3d1aa0655b5cb29f1
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 12:19:31 2018 +0100

dbcheck: make sure we ask for replPropertyMetaData if we need to process any forward link attributes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 20598033866ca3d0fdad1edf3cb39e4614eae112
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 12:19:31 2018 +0100

dbcheck: make sure we always ask for the objectGUID attribute explicitly

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit e258b4fb281d8577c425e05b35ce05cf128617ea
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 24 22:24:15 2018 +0100

dbcheck: add a helper function that checks is a value has duplicate links

Will be used in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit e4cc062fa98f65369f3bde24a987c2651632cb06
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 10:34:29 2018 +0100

dbcheck: add a dict where we remember attributes with duplicate links

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 44a8782d71676517f0991f279f2472391ecede3b
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 24 20:01:27 2018 +0100

dbcheck: split out check_duplicate_links from check_dn

Refactoring, no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 7df17c0a8dffceb053ca806c9426d493b4837b1a
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 09:55:21 2018 +0100

dbcheck: store fixed forward link attributes with the correct sorting

The corruption we're trying to fix messed up the sorting,
so there's no point in keeping the current order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b0bc3f60084e5998dd34aada2ac7377d390affc6
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 09:39:40 2018 +0100

dbcheck: remove ldb.FLAG_MOD_REPLACE when replacing search results for forward links

Search results don't have any ldb.FLAG_MOD_* flags set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit ec433f8531a822dd40b343fbf3244157a5ecd544
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 14:36:52 2018 +0100

dbcheck: rename err_duplicate_links() to err_recover_forward_links() and adjust the output message

It's really a fatal error to have duplicate values as it's very likely that
some forward links got lost.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit dc43d31cd20fd12d2758b73ec0318215b8fbedfb
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 14:41:58 2018 +0100

dbcheck: add link direction to error message for duplicate links

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit a651cc79d64b9bcc1d5fee9b2ef8800a1579dea1
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 24 19:37:55 2018 +0100

dbcheck: rename err_duplicate_links arguments

In preparation of adding more arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 9f47fe6c4a8bde4abfee3c774d9667e6a3439a45
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 29 22:48:42 2018 +0100

dbcheck: only pass obj_dn to err_orphaned_backlink()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6f77503871fcb815e474cb76d14e22f7a8f083c9
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 10:52:35 2018 +0100

dbcheck: add forward_syntax argument to err_orphaned_backlink

Will be used in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 4a71394c6a30e8a1b5c6553f7410148dbf2e4a80
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 24 19:31:23 2018 +0100

dbcheck: rename and reorder err_orphaned_backlink arguments

In preparation of adding more arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 52bd0b09804621e6de9ee0a377a442a42e07ee05
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 25 21:34:47 2018 +0100

selftest/dbcheck: add a test for corrupt forward links restoration

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 8c01acd56274a5cb5926622cacab997cb62dd5a9
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 24 11:34:43 2018 +0100

Revert "dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links"

This reverts commit 43e3f79d54c5aeaea820865d298d4249cf47af99.

The real fix will follow in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 55d466549a3113f7625acdd6eb42f71cf63719b5
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 09:51:20 2018 +0100

python/common: add __cmp__ function to dsdb_Dn similar to parsed_dn_compare()

Linked attribute values are sorted by objectGUID of the link target.
For C code we have parsed_dn_compare() to implement the logic,
the same is now available on python dsdb_Dn objects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c56eb49119117a1a06afb0a76630ae5c7a1ca30c
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 11:09:55 2018 +0100

python:tests: add test_dsdb_Dn_sorted() to "samba.tests.common"

Failing until dsdb_Dn implements the correct __cmp__() function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 1341780dcf9ec0c5d852fbbb77c5e00db2ad6564
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 11:09:40 2018 +0100

python:tests: remove test_dsdb_Dn() to test_dsdb_Dn_binary()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 681e0a1745b45c6ac22d394b9e78cb67007d7dc4
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 10:39:30 2018 +0100

python:tests: use TestCaseInTempDir for "samba.tests.common"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 28fcf631c8985e8418fdc67cc78053e503f56d50
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 24 19:14:53 2018 +0100

python/netcmd: implement __repr__ for class CommandError

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/common.py | 17 ++
python/samba/dbchecker.py | 332 +++++++++++++++++----
python/samba/netcmd/__init__.py | 3 +
python/samba/tests/common.py | 33 +-
selftest/knownfail.d/dbcheck_duplicate_member | 5 -
...ted-after-dbcheck-forward-link-corruption.ldif} | 8 +-
...dbcheck-link-output-forward-link-corruption.txt | 12 +
...pected-dbcheck-link-output_duplicate_member.txt | 5 +-
testprogs/blackbox/dbcheck-links.sh | 78 +++++
9 files changed, 410 insertions(+), 83 deletions(-)
delete mode 100644 selftest/knownfail.d/dbcheck_duplicate_member
copy source4/selftest/provisions/release-4-5-0-pre1/{expected-duplicates-after-link-dbcheck.ldif => expected-after-dbcheck-forward-link-corruption.ldif} (65%)
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-forward-link-corruption.txt


Changeset truncated at 500 lines:

diff --git a/python/samba/common.py b/python/samba/common.py
index 20f170c..a915934 100644
--- a/python/samba/common.py
+++ b/python/samba/common.py
@@ -19,6 +19,8 @@

import ldb
import dsdb
+from samba.ndr import ndr_pack
+from samba.dcerpc import misc
import binascii


@@ -93,6 +95,21 @@ class dsdb_Dn(object):
def __str__(self):
return self.prefix + str(self.dn.extended_str(mode=1))

+ def __cmp__(self, other):
+ ''' compare dsdb_Dn values similar to parsed_dn_compare()'''
+ dn1 = self
+ dn2 = other
+ guid1 = dn1.dn.get_extended_component("GUID")
+ guid1b = ndr_pack(misc.GUID(guid1))
+ guid2 = dn2.dn.get_extended_component("GUID")
+ guid2b = ndr_pack(misc.GUID(guid2))
+
+ v = cmp(guid1, guid2)
+ if v != 0:
+ return v
+ v = cmp(dn1.binary, dn2.binary)
+ return v
+
def get_binary_integer(self):
'''return binary part of a dsdb_Dn as an integer, or None'''
if self.prefix == '':
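Review bot: In `__cmp__`, `guid1b` and `guid2b` are built with `ndr_pack(misc.GUID(...))` but never used; the comparison that follows is `cmp(guid1, guid2)` on the raw extended components. Either compare the packed values, if that is the ordering parsed_dn_compare() needs, or drop the two packed variables together with the `ndr_pack` and `misc` imports added for them. There is also no handling for a dsdb_Dn whose DN has no GUID extended component, so the docstring should state that precondition.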
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 6e4c440..b2b8b0c 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -65,7 +65,9 @@ class dbcheck(object):
self.fix_undead_linked_attributes = False
self.fix_all_missing_backlinks = False
self.fix_all_orphaned_backlinks = False
- self.fix_all_duplicate_links = False
+ self.fix_all_missing_forward_links = False
+ self.duplicate_link_cache = dict()
+ self.recover_all_forward_links = False
self.fix_rmd_flags = False
self.fix_ntsecuritydescriptor = False
self.fix_ntsecuritydescriptor_owner_group = False
@@ -184,6 +186,23 @@ class dbcheck(object):
else:
self.rid_set_dn = None

+ self.compatibleFeatures = []
+ self.requiredFeatures = []
+
+ try:
+ res = self.samdb.search(scope=ldb.SCOPE_BASE,
+ base="@SAMBA_DSDB",
+ attrs=["compatibleFeatures",
+ "requiredFeatures"])
+ if "compatibleFeatures" in res[0]:
+ self.compatibleFeatures = res[0]["compatibleFeatures"]
+ if "requiredFeatures" in res[0]:
+ self.requiredFeatures = res[0]["requiredFeatures"]
+ except ldb.LdbError as (enum, estr):
+ if enum != ldb.ERR_NO_SUCH_OBJECT:
+ raise
+ pass
+
def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']):
'''perform a database check, returning the number of errors found'''
res = self.samdb.search(base=DN, scope=scope, attrs=['dn'], controls=controls)
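Review bot: The handler `except ldb.LdbError as (enum, estr):` is spelled differently from the `except ldb.LdbError, (enum, estr):` handlers added further down in this same patch, and both tuple-unpacking forms only parse on Python 2. Pick one form for the file, and drop the trailing `pass` after the `if enum != ldb.ERR_NO_SUCH_OBJECT: raise` check, since it does nothing.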
@@ -708,42 +727,44 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
"Failed to fix incorrect RMD_FLAGS %u" % rmd_flags):
self.report("Fixed incorrect RMD_FLAGS %u" % (rmd_flags))

- def err_orphaned_backlink(self, obj, attrname, val, link_name, target_dn, duplicate_links):
+ def err_orphaned_backlink(self, obj_dn, backlink_attr, backlink_val,
+ target_dn, forward_attr, forward_syntax,
+ check_duplicates=True):
'''handle a orphaned backlink value'''
- self.report("ERROR: orphaned backlink attribute '%s' in %s for link %s in %s" % (attrname, obj.dn, link_name, target_dn))
- if duplicate_links:
- self.report("ERROR: FATAL! Most likely the corresponding forward link got lost!")
- self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
- self.report("Recovery handling will be implemented in a future version")
- self.report("Not removing orphaned backlink %s" % attrname)
+ if check_duplicates is True and self.has_duplicate_links(target_dn, forward_attr, forward_syntax):
+ self.report("WARNING: Keep orphaned backlink attribute " + \
+ "'%s' in '%s' for link '%s' in '%s'" % (
+ backlink_attr, obj_dn, forward_attr, target_dn))
return
- if not self.confirm_all('Remove orphaned backlink %s' % attrname, 'fix_all_orphaned_backlinks'):
- self.report("Not removing orphaned backlink %s" % attrname)
+ self.report("ERROR: orphaned backlink attribute '%s' in %s for link %s in %s" % (backlink_attr, obj_dn, forward_attr, target_dn))
+ if not self.confirm_all('Remove orphaned backlink %s' % backlink_attr, 'fix_all_orphaned_backlinks'):
+ self.report("Not removing orphaned backlink %s" % backlink_attr)
return
m = ldb.Message()
- m.dn = obj.dn
- m['value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+ m.dn = obj_dn
+ m['value'] = ldb.MessageElement(backlink_val, ldb.FLAG_MOD_DELETE, backlink_attr)
if self.do_modify(m, ["show_recycled:1", "relax:0"],
- "Failed to fix orphaned backlink %s" % attrname):
- self.report("Fixed orphaned backlink %s" % (attrname))
+ "Failed to fix orphaned backlink %s" % backlink_attr):
+ self.report("Fixed orphaned backlink %s" % (backlink_attr))

- def err_duplicate_links(self, obj, attrname, vals):
+ def err_recover_forward_links(self, obj, forward_attr, forward_vals):
'''handle a duplicate links value'''

- self.report("ERROR: FATAL! Most likely some forward link values for attribute '%s' in '%s' got lost!" % (attrname, obj.dn))
- self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
- self.report("Recovery handling will be implemented in a future version")
- self.report("Not removing duplicate links in attribute '%s'" % attrname)
- return
- if not self.confirm_all("Remove duplicate links in attribute '%s'" % attrname, 'fix_all_duplicate_links'):
- self.report("Not removing duplicate links in attribute '%s'" % attrname)
+ self.report("RECHECK: 'Missing/Duplicate/Correct link' lines above for attribute '%s' in '%s'" % (forward_attr, obj.dn))
+
+ if not self.confirm_all("Commit fixes for (missing/duplicate) forward links in attribute '%s'" % forward_attr, 'recover_all_forward_links'):
+ self.report("Not fixing corrupted (missing/duplicate) forward links in attribute '%s' of '%s'" % (
+ forward_attr, obj.dn))
return
m = ldb.Message()
m.dn = obj.dn
- m['value'] = ldb.MessageElement(vals, ldb.FLAG_MOD_REPLACE, attrname)
+ m['value'] = ldb.MessageElement(forward_vals, ldb.FLAG_MOD_REPLACE, forward_attr)
if self.do_modify(m, ["local_oid:1.3.6.1.4.1.7165.4.3.19.2:1"],
- "Failed to fix duplicate links in attribute '%s'" % attrname):
- self.report("Fixed duplicate links in attribute '%s'" % (attrname))
+ "Failed to fix duplicate links in attribute '%s'" % forward_attr):
+ self.report("Fixed duplicate links in attribute '%s'" % (forward_attr))
+ duplicate_cache_key = "%s:%s" % (str(obj.dn), forward_attr)
+ assert duplicate_cache_key in self.duplicate_link_cache
+ self.duplicate_link_cache[duplicate_cache_key] = False

def err_no_fsmoRoleOwner(self, obj):
'''handle a missing fSMORoleOwner'''
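Review bot: In `err_recover_forward_links()` the docstring ('handle a duplicate links value') and the two `do_modify` messages ('Failed to fix duplicate links ...', 'Fixed duplicate links ...') still talk only about duplicates, while the value written back can now also contain re-added missing links. The operator-facing text should say 'missing/duplicate forward links', as the confirm prompt a few lines above already does. The `assert duplicate_cache_key in self.duplicate_link_cache` is immediately followed by an unconditional assignment to the same key and is stripped under `python -O`; either make it an explicit check that reports the inconsistency or drop it.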
@@ -896,30 +917,27 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
return dsdb_dn
return None

- def check_dn(self, obj, attrname, syntax_oid):
- '''check a DN attribute for correctness'''
+ def check_duplicate_links(self, obj, forward_attr, forward_syntax, forward_linkID, backlink_attr):
+ '''check a linked values for duplicate forward links'''
error_count = 0
- obj_guid = obj['objectGUID'][0]

- linkID, reverse_link_name = self.get_attr_linkID_and_reverse_name(attrname)
- if reverse_link_name is not None:
- reverse_syntax_oid = self.samdb_schema.get_syntax_oid_from_lDAPDisplayName(reverse_link_name)
- else:
- reverse_syntax_oid = None
-
- duplicate_links = False
duplicate_dict = dict()
- duplicate_list = list()
unique_dict = dict()
- unique_list = list()
- for val in obj[attrname]:
- if linkID & 1:
- #
- # Only cleanup forward links here,
- # back links are handled below.
- break

- dsdb_dn = dsdb_Dn(self.samdb, val, syntax_oid)
+ # Only forward links can have this problem
+ if forward_linkID & 1:
+ # If we got the reverse, skip it
+ return (error_count, duplicate_dict, unique_dict)
+
+ if backlink_attr is None:
+ return (error_count, duplicate_dict, unique_dict)
+
+ duplicate_cache_key = "%s:%s" % (str(obj.dn), forward_attr)
+ if duplicate_cache_key not in self.duplicate_link_cache:
+ self.duplicate_link_cache[duplicate_cache_key] = False
+
+ for val in obj[forward_attr]:
+ dsdb_dn = dsdb_Dn(self.samdb, val, forward_syntax)

# all DNs should have a GUID component
guid = dsdb_dn.dn.get_extended_component("GUID")
@@ -929,14 +947,12 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
keystr = guidstr + dsdb_dn.prefix
if keystr not in unique_dict:
unique_dict[keystr] = dsdb_dn
- unique_list.append(keystr)
continue
error_count += 1
if keystr not in duplicate_dict:
duplicate_dict[keystr] = dict()
duplicate_dict[keystr]["keep"] = None
duplicate_dict[keystr]["delete"] = list()
- duplicate_list.append(keystr)

# Now check for the highest RMD_VERSION
v1 = int(unique_dict[keystr].dn.get_extended_component("RMD_VERSION"))
@@ -961,25 +977,197 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
duplicate_dict[keystr]["delete"].append(unique_dict[keystr])
unique_dict[keystr] = dsdb_dn

- if len(duplicate_list) != 0:
- duplicate_links = True
- self.report("ERROR: FATAL! Most likely some forward link values for attribute '%s' in '%s' got lost!" % (attrname, obj.dn))
- self.report("ERROR: FATAL! See https://bugzilla.samba.org/show_bug.cgi?id=13228")
+ if error_count != 0:
+ self.duplicate_link_cache[duplicate_cache_key] = True
+
+ return (error_count, duplicate_dict, unique_dict)
+
+ def has_duplicate_links(self, dn, forward_attr, forward_syntax):
+ '''check a linked values for duplicate forward links'''
+ error_count = 0
+
+ duplicate_cache_key = "%s:%s" % (str(dn), forward_attr)
+ if duplicate_cache_key in self.duplicate_link_cache:
+ return self.duplicate_link_cache[duplicate_cache_key]
+
+ forward_linkID, backlink_attr = self.get_attr_linkID_and_reverse_name(forward_attr)
+
+ attrs = [forward_attr]
+ controls = ["extended_dn:1:1", "reveal_internals:0"]
+
+ # check its the right GUID
+ try:
+ res = self.samdb.search(base=str(dn), scope=ldb.SCOPE_BASE,
+ attrs=attrs, controls=controls)
+ except ldb.LdbError, (enum, estr):
+ if enum != ldb.ERR_NO_SUCH_OBJECT:
+ raise
+
+ return False
+
+ obj = res[0]
+ error_count, duplicate_dict, unique_dict = \
+ self.check_duplicate_links(obj, forward_attr, forward_syntax, forward_linkID, backlink_attr)
+
+ if duplicate_cache_key in self.duplicate_link_cache:
+ return self.duplicate_link_cache[duplicate_cache_key]
+
+ return False
+
+ def find_missing_forward_links_from_backlinks(self, obj,
+ forward_attr,
+ forward_syntax,
+ backlink_attr,
+ forward_unique_dict):
+ '''Find all backlinks linking to obj_guid_str not already in forward_unique_dict'''
+ missing_forward_links = []
+ error_count = 0

- self.report("ERROR: Duplicate link values for attribute '%s' in '%s'" % (attrname, obj.dn))
- for keystr in duplicate_list:
+ if backlink_attr is None:
+ return (missing_forward_links, error_count)
+
+ if forward_syntax != ldb.SYNTAX_DN:
+ self.report("Not checking for missing forward links for syntax: %s",
+ forward_syntax)
+ return (missing_forward_links, error_count)
+
+ if "sortedLinks" in self.compatibleFeatures:
+ self.report("Not checking for missing forward links because the db " + \
+ "has the sortedLinks feature")
+ return (missing_forward_links, error_count)
+
+ try:
+ obj_guid = obj['objectGUID'][0]
+ obj_guid_str = str(ndr_unpack(misc.GUID, obj_guid))
+ filter = "(%s=<GUID=%s>)" % (backlink_attr, obj_guid_str)
+
+ res = self.samdb.search(expression=filter,
+ scope=ldb.SCOPE_SUBTREE, attrs=["objectGUID"],
+ controls=["extended_dn:1:1",
+ "search_options:1:2",
+ "paged_results:1:1000"])
+ except ldb.LdbError, (enum, estr):
+ raise
+
+ for r in res:
+ target_dn = dsdb_Dn(self.samdb, r.dn.extended_str(), forward_syntax)
+
+ guid = target_dn.dn.get_extended_component("GUID")
+ guidstr = str(misc.GUID(guid))
+ if guidstr in forward_unique_dict:
+ continue
+
+ # A valid forward link looks like this:
+ #
+ # <GUID=9f92d30a-fc23-11e4-a5f6-30be15454808>;
+ # <RMD_ADDTIME=131607546230000000>;
+ # <RMD_CHANGETIME=131607546230000000>;
+ # <RMD_FLAGS=0>;
+ # <RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;
+ # <RMD_LOCAL_USN=3765>;
+ # <RMD_ORIGINATING_USN=3765>;
+ # <RMD_VERSION=1>;
+ # <SID=S-1-5-21-4177067393-1453636373-93818738-1124>;
+ # CN=unsorted-u8,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ #
+ # Note that versions older than Samba 4.8 create
+ # links with RMD_VERSION=0.
+ #
+ # Try to get the local_usn and time from objectClass
+ # if possible and fallback to any other one.
+ repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
+ obj['replPropertyMetadata'][0])
+ for o in repl.ctr.array:
+ local_usn = o.local_usn
+ t = o.originating_change_time
+ if o.attid == drsuapi.DRSUAPI_ATTID_objectClass:
+ break
+
+ # We use a magic invocationID for restoring missing
+ # forward links to recover from bug #13228.
+ # This should allow some more future magic to fix the
+ # problem.
+ #
+ # It also means it looses the conflict resolution
+ # against almost every real invocation, if the
+ # version is also 0.
+ originating_invocid = misc.GUID("ffffffff-4700-4700-4700-000000b13228")
+ originating_usn = 1
+
+ rmd_addtime = t
+ rmd_changetime = t
+ rmd_flags = 0
+ rmd_invocid = originating_invocid
+ rmd_originating_usn = originating_usn
+ rmd_local_usn = local_usn
+ rmd_version = 0
+
+ target_dn.dn.set_extended_component("RMD_ADDTIME", str(rmd_addtime))
+ target_dn.dn.set_extended_component("RMD_CHANGETIME", str(rmd_changetime))
+ target_dn.dn.set_extended_component("RMD_FLAGS", str(rmd_flags))
+ target_dn.dn.set_extended_component("RMD_INVOCID", ndr_pack(rmd_invocid))
+ target_dn.dn.set_extended_component("RMD_ORIGINATING_USN", str(rmd_originating_usn))
+ target_dn.dn.set_extended_component("RMD_LOCAL_USN", str(rmd_local_usn))
+ target_dn.dn.set_extended_component("RMD_VERSION", str(rmd_version))
+
+ error_count += 1
+ missing_forward_links.append(target_dn)
+
+ return (missing_forward_links, error_count)
+
+ def check_dn(self, obj, attrname, syntax_oid):
+ '''check a DN attribute for correctness'''
+ error_count = 0
+ obj_guid = obj['objectGUID'][0]
+
+ linkID, reverse_link_name = self.get_attr_linkID_and_reverse_name(attrname)
+ if reverse_link_name is not None:
+ reverse_syntax_oid = self.samdb_schema.get_syntax_oid_from_lDAPDisplayName(reverse_link_name)
+ else:
+ reverse_syntax_oid = None
+
+ error_count, duplicate_dict, unique_dict = \
+ self.check_duplicate_links(obj, attrname, syntax_oid, linkID, reverse_link_name)
+
+ if len(duplicate_dict) != 0:
+
+ missing_forward_links, missing_error_count = \
+ self.find_missing_forward_links_from_backlinks(obj,
+ attrname, syntax_oid,
+ reverse_link_name,
+ unique_dict)
+ error_count += missing_error_count
+
+ forward_links = [dn for dn in unique_dict.values()]
+
+ if missing_error_count != 0:
+ self.report("ERROR: Missing and duplicate forward link values for attribute '%s' in '%s'" % (
+ attrname, obj.dn))
+ else:
+ self.report("ERROR: Duplicate forward link values for attribute '%s' in '%s'" % (attrname, obj.dn))
+ for m in missing_forward_links:
+ self.report("Missing link '%s'" % (m))
+ if not self.confirm_all("Schedule readding missing forward link for attribute %s" % attrname,
+ 'fix_all_missing_forward_links'):
+ self.err_orphaned_backlink(m.dn, reverse_link_name,
+ obj.dn.extended_str(), obj.dn,
+ attrname, syntax_oid,
+ check_duplicates=False)
+ continue
+ forward_links += [m]
+ for keystr in duplicate_dict.keys():
d = duplicate_dict[keystr]
for dd in d["delete"]:
self.report("Duplicate link '%s'" % dd)
self.report("Correct link '%s'" % d["keep"])

- vals = []
- for keystr in unique_list:
- dsdb_dn = unique_dict[keystr]
- vals.append(str(dsdb_dn))
- self.err_duplicate_links(obj, attrname, vals)
+ # We now construct the sorted dn values.
+ # They're sorted by the objectGUID of the target
+ # See dsdb_Dn.__cmp__()
+ vals = [str(dn) for dn in sorted(forward_links)]
+ self.err_recover_forward_links(obj, attrname, vals)
# We should continue with the fixed values
- obj[attrname] = ldb.MessageElement(vals, ldb.FLAG_MOD_REPLACE, attrname)
+ obj[attrname] = ldb.MessageElement(vals, 0, attrname)

for val in obj[attrname]:
dsdb_dn = dsdb_Dn(self.samdb, val, syntax_oid)
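Review bot: In `find_missing_forward_links_from_backlinks()`, the call `self.report("Not checking for missing forward links for syntax: %s", forward_syntax)` passes `forward_syntax` as a second argument instead of formatting it with `%`, unlike every other formatted `self.report()` call in this patch; it should read `... % forward_syntax`. In the same function the `try: ... except ldb.LdbError, (enum, estr): raise` wrapper only re-raises and can be removed, and the `replPropertyMetaData` unpacking loop does not depend on `r`, so it can be hoisted out of `for r in res` (as written, `local_usn` and `t` are unbound if `repl.ctr.array` is empty). In `has_duplicate_links()`, the initial `error_count = 0` is dead and the comment `# check its the right GUID` does not describe the search that follows it.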
@@ -1162,9 +1350,10 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
# UNLESS, there is no forward link detected.
if match_count == 0:
error_count += 1
- self.err_orphaned_backlink(obj, attrname,
- val, reverse_link_name,
- dsdb_dn.dn, duplicate_links)
+ self.err_orphaned_backlink(obj.dn, attrname,
+ val, dsdb_dn.dn,
+ reverse_link_name,
+ reverse_syntax_oid)
continue
# Only warn here and let the forward link logic fix it.
self.report("WARNING: Link (back) mismatch for '%s' (%d) on '%s' to '%s' (%d) on '%s'" % (
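Review bot: This call to `err_orphaned_backlink()` passes six positional arguments to a signature whose order this patch has just changed (`target_dn` now precedes `forward_attr`, and `forward_syntax` is new), and several of the values are interchangeable DNs or attribute names, so a transposition would not raise an error. Passing `target_dn=`, `forward_attr=` and `forward_syntax=` by keyword here and at the other call site would make the mapping checkable at a glance.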
@@ -1194,9 +1383,9 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
dsdb_dn.dn)
diff_count -= 1
else:
- self.err_orphaned_backlink(res[0], reverse_link_name,
- obj.dn.extended_str(), attrname,
- obj.dn, duplicate_links)
+ self.err_orphaned_backlink(res[0].dn, reverse_link_name,
+ obj.dn.extended_str(), obj.dn,
+ attrname, syntax_oid)
diff_count += 1


@@ -1774,10 +1963,21 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
attrs.append(dn.get_rdn_name())
attrs.append("isDeleted")
attrs.append("systemFlags")
+ need_replPropertyMetaData = False
if '*' in attrs:
- attrs.append("replPropertyMetaData")
+ need_replPropertyMetaData = True
else:
- attrs.append("objectGUID")
+ for a in attrs:
+ linkID, _ = self.get_attr_linkID_and_reverse_name(a)
+ if linkID == 0:
+ continue
+ if linkID & 1:
+ continue
+ need_replPropertyMetaData = True
+ break
+ if need_replPropertyMetaData:
+ attrs.append("replPropertyMetaData")
+ attrs.append("objectGUID")

try:
sd_flags = 0
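Review bot: The new `for a in attrs` loop requests `replPropertyMetaData` whenever an attribute with an even, non-zero `linkID` (a forward link) is in the list, but nothing at this spot says why. A one-line comment that the forward link recovery reads `local_usn` and `originating_change_time` from it would keep the dependency from being dropped in a later cleanup.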
diff --git a/python/samba/netcmd/__init__.py b/python/samba/netcmd/__init__.py
index 05ecc43..fcad7f6 100644
--- a/python/samba/netcmd/__init__.py
+++ b/python/samba/netcmd/__init__.py
@@ -243,3 +243,6 @@ class CommandError(Exception):
self.message = message
self.inner_exception = inner_exception
self.exception_info = sys.exc_info()
+
+ def __repr__(self):
+ return "CommandError(%s)" % self.message
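Review bot: `__repr__` formats `self.message` with `%s`, so the message is shown unquoted, and a tuple-valued message would be unpacked by the `%` operator and raise. `"CommandError(%r)" % (self.message,)` avoids both problems.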
diff --git a/python/samba/tests/common.py b/python/samba/tests/common.py
index 8794e9d..49ae2b0 100644
--- a/python/samba/tests/common.py
+++ b/python/samba/tests/common.py
@@ -23,7 +23,7 @@ from samba.common import *
from samba.samdb import SamDB


-class CommonTests(samba.tests.TestCase):
+class CommonTests(samba.tests.TestCaseInTempDir):

def test_normalise_int32(self):
self.assertEquals('17', normalise_int32(17))
@@ -31,10 +31,35 @@ class CommonTests(samba.tests.TestCase):
self.assertEquals('-123', normalise_int32('-123'))
self.assertEquals('-1294967296', normalise_int32('3000000000'))

- def test_dsdb_Dn(self):
- sam = samba.Ldb(url='dntest.ldb')
+ def test_dsdb_Dn_binary(self):
+ url = self.tempdir + "/test_dsdb_Dn_binary.ldb"
+ sam = samba.Ldb(url=url)
dn1 = dsdb_Dn(sam, "DC=foo,DC=bar")
--
Samba Shared Repository
David Disseldorp
2018-02-06 01:48:02 UTC
The branch, master has been updated
via 859698d libads: Fix the build --without-ads
from 0c3348f dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 859698d29b547217356851094ed8188236e717b6
Author: Volker Lendecke <***@samba.org>
Date: Sat Feb 3 07:07:24 2018 +0100

libads: Fix the build --without-ads

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): David Disseldorp <***@samba.org>
Autobuild-Date(master): Tue Feb 6 02:47:44 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/libads/kerberos_keytab.c | 4 ++++
1 file changed, 4 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ffd100c..37ac7ba 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -640,7 +640,11 @@ int ads_keytab_list(const char *keytab_name)
}

if (keytab_name == NULL) {
+#ifdef HAVE_ADS
ret = ads_keytab_open(context, &keytab);
+#else
+ ret = ENOENT;
+#endif
} else {
ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
}
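Review bot: In the `#else` branch, `ret = ENOENT` gives the `keytab_name == NULL` case a generic "no such file" code with nothing to indicate that the default keytab lookup is unavailable in a build without ADS. A comment on why `ENOENT` was chosen, or a distinct debug message before the common error path, would make that failure diagnosable.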
--
Samba Shared Repository
David Disseldorp
2018-02-06 14:36:02 UTC
The branch, master has been updated
via a222b75 libgpo: Fix the build --without-ads
from 859698d libads: Fix the build --without-ads

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a222b7506b53e689708834237f18877231dca589
Author: Volker Lendecke <***@samba.org>
Date: Sat Feb 3 07:07:55 2018 +0100

libgpo: Fix the build --without-ads

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): David Disseldorp <***@samba.org>
Autobuild-Date(master): Tue Feb 6 15:36:01 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
libgpo/pygpo.c | 5 +++++
1 file changed, 5 insertions(+)


Changeset truncated at 500 lines:

diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index 7a02a0d..b6b53b7 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -319,6 +319,7 @@ static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self,
return result;
}

+#ifdef HAVE_ADS
static ADS_STATUS find_samaccount(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
const char *samaccountname,
uint32_t *uac_ret, const char **dn_ret)
@@ -468,11 +469,15 @@ out:
return ret;
}

+#endif
+
static PyMethodDef ADS_methods[] = {
{ "connect", (PyCFunction)py_ads_connect, METH_NOARGS,
"Connect to the LDAP server" },
+#ifdef HAVE_ADS
{ "get_gpo_list", (PyCFunction)py_ads_get_gpo_list, METH_KEYWORDS,
NULL },
+#endif
{ NULL }
};
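Review bot: The `#endif` added before `ADS_methods[]` closes an `#ifdef HAVE_ADS` opened roughly 150 lines earlier, in front of `find_samaccount()`, so it should carry a `/* HAVE_ADS */` comment to make the guarded region findable. It is also worth stating in the commit message whether `connect` is meant to stay in the method table in a build without ADS while `get_gpo_list` is dropped.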
--
Samba Shared Repository
Stefan Metzmacher
2018-02-07 16:58:02 UTC
The branch, master has been updated
via 701b2ed WHATSNEW: Start release notes for Samba 4.9.
via 0109b59 docs-xml: Add 'samba-tool visualize' to man samba-tool.8.
via 0f577cd selftest: run "samba.tests.common"
from a222b75 libgpo: Fix the build --without-ads

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 701b2ed6cfa27f9638dd5ea5a85e2ddbc44aa5e8
Author: Karolin Seeger <***@samba.org>
Date: Wed Feb 7 10:08:53 2018 +0100

WHATSNEW: Start release notes for Samba 4.9.

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Wed Feb 7 17:57:39 CET 2018 on sn-devel-144

commit 0109b5965f8a5f467aa12aa505be849ae33e1f8e
Author: Karolin Seeger <***@samba.org>
Date: Mon Feb 5 09:37:48 2018 +0100

docs-xml: Add 'samba-tool visualize' to man samba-tool.8.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13226

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 0f577cd9e79e8a93b09d0c5f5b4f6842ed847932
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 30 10:40:36 2018 +0100

selftest: run "samba.tests.common"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 192 +------------------------------------
docs-xml/manpages/samba-tool.8.xml | 57 ++++++++++-
selftest/tests.py | 1 +
3 files changed, 59 insertions(+), 191 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6cc362d..ad045e3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,12 +1,12 @@
Release Announcements
=====================

-This is the first release candidate of Samba 4.8. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

-Samba 4.8 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.


UPGRADING
@@ -16,177 +16,10 @@ UPGRADING
NEW FEATURES/CHANGES
====================

-KDC GPO application
--------------------
-
-Adds Group Policy support for the Samba kdc. Applies password policies
-(minimum/maximum password age, minimum password length, and password
-complexity) and kerberos policies (user/service ticket lifetime and
-renew lifetime).
-
-Adds the samba_gpoupdate script for applying and unapplying
-policy. Can be applied automatically by setting
-
- 'apply group policies = yes'.
-
-Time Machine Support with vfs_fruit
------------------------------------
-
-Samba can be configured as a Time Machine target for Apple Mac devices
-through the vfs_fruit module. When enabling a share for Time Machine
-support the relevant Avahi records to support discovery will be published
-for installations that have been built against the Avahi client library.
-
-Shares can be designated as a Time Machine share with the following setting:
-
- 'fruit:time machine = yes'
-
-Support for lower casing the MDNS Name
---------------------------------------
-
-Allows the server name that is advertised through MDNS to be set to the
-hostname rather than the Samba NETBIOS name. This allows an administrator
-to make Samba registered MDNS records match the case of the hostname
-rather than being in all capitals.
-
-This can be set with the following settings:
-
- 'mdns name = mdns'
-
-Encrypted secrets
------------------
-
-Attributes deemed to be sensitive are now encrypted on disk. The sensitive
-values are currently:
- pekList
- msDS-ExecuteScriptPassword
- currentValue
- dBCSPwd
- initialAuthIncoming
- initialAuthOutgoing
- lmPwdHistory
- ntPwdHistory
- priorValue
- supplementalCredentials
- trustAuthIncoming
- trustAuthOutgoing
- unicodePwd
- clearTextPassword
-
-This encryption is enabled by default on a new provision or join, it
-can be disabled at provision or join time with the new option
-'--plaintext-secrets'.
-
-However, an in-place upgrade will not encrypt the database.
-
-Once encrypted, it is not possible to do an in-place downgrade (eg to
-4.7) of the database. To obtain an unencrypted copy of the database a
-new DC join should be performed, specifying the '--plaintext-secrets'
-option.
-
-The key file "encrypted_secrets.key" is created in the same directory
-as the database and should NEVER be disclosed. It is included by the
-samba_backup script.
-
-Active Directory replication visualisation
-------------------------------------------
-
-To work out what is happening in a replication graph, it is sometimes
-helpful to use visualisations. We introduce a samba-tool subcommand to
-write Graphviz dot output and generate text-based heatmaps of the
-distance in hops between DCs.
-
-There are two subcommands, two graphical modes, and (roughly) two modes of
-operation with respect to the location of authority.
-
-`samba-tool visualize ntdsconn` looks at NTDS Connections.
-`samba-tool visualize reps` looks at repsTo and repsFrom objects.
-
-In '--distance' mode (default), the distances between DCs are shown in
-a matrix in the terminal. With '--color=yes', this is depicted as a
-heatmap. With '--utf8' it is a lttle prettier.
-
-In '--dot' mode, Graphviz dot output is generated. When viewed using
-dot or xdot, this shows the network as a graph with DCs as vertices
-and connections edges. Certain types of degenerate edges are shown in
-different colours or line-styles.
-
-NT4-style replication based net commands removed
-------------------------------------------------
-
-The following commands and sub-commands have been removed from the
-"net" utility:
-
-net rpc samdump
-net rpc vampire ldif
-
-Also, replicating from a real NT4 domain with "net rpc vampire" and
-"net rpc vampire keytab" has been removed.
-
-The NT4-based commands were accidentially broken in 2013, and nobody
-noticed the breakage. So instead of fixing them including tests (which
-would have meant writing a server for the protocols, which we don't
-have) we decided to remove them.
-
-For the same reason, the "samsync", "samdeltas" and "database_redo"
-commands have been removed from rpcclient.
-
-"net rpc vampire keytab" from Active Directory domains continues to be
-supported.
-
-vfs_aio_linux module removed
-----------------------------
-
-The current Linux kernel aio does not match what Samba would
-do. Shipping code that uses it leads people to false
-assumptions. Samba implements async I/O based on threads by default,
-there is no special module required to see benefits of read and write
-request being sent do the disk in parallel.
-
-smbclient reparse point symlink parameters reversed
----------------------------------------------------
-
-A bug in smbclient caused the 'symlink' command to reverse the
-meaning of the new name and link target parameters when creating a
-reparse point symlink against a Windows server. As this is a
-little used feature the ordering of these parameters has been
-reversed to match the parameter ordering of the UNIX extensions
-'symlink' command. The usage message for this command has also
-been improved to remove confusion.
-
-Winbind changes
----------------
-
-The dependency to global list of trusted domains within
-the winbindd processes has been reduced a lot.
-
-The construction of that global list is not reliable and often
-incomplete in complex trust setups. In most situations the list is not needed
-any more for winbindd to operate correctly. E.g. for plain file serving via SMB
-using a simple idmap setup with autorid, tdb or ad. However some more complex
-setups require the list, e.g. if you specify idmap backends for specific
-domains. Some pam_winbind setups may also require the global list.
-
-If you have a setup that doesn't require the global list, you should set
-"winbind scan trusted domains = no".
-

REMOVED FEATURES
================

-The two commands 'net serverid list' and 'net serverid wipe' have been
-removed, because the file serverid.tdb is not used anymore.
-
-'net serverid list' can be replaced by listing all files in the
-subdirectory "msg.lock" of Samba's "lock directory". The unique id
-listed by 'net serverid list' is stored in every process' lockfile in
-"msg.lock".
-
-'net serverid wipe' is not necessary anymore. It was meant primarily
-for clustered environments, where the serverid.tdb file was not
-properly cleaned up after single node crashes. Nowadays smbd and
-winbind take care of cleaning up the msg.lock and msg.sock directories
-automatically.


smb.conf changes
@@ -194,31 +27,12 @@ smb.conf changes

Parameter Name Description Default
-------------- ----------- -------
- apply group policies New no
- auth methods Removed
- binddns dir New
- client schannel Default changed/ yes
- Deprecated
- gpo update command New
- ldap ssl ads Deprecated
- map untrusted to domain Removed
- oplock contention limit Removed
- prefork children New 1
- mdns name Added netbios
- fruit:time machine Added false
- profile acls Removed
- use spnego Removed
- server schannel Default changed/ yes
- Deprecated
- unicode Deprecated
- winbind scan trusted domains New yes
- winbind trusted domains only Removed


KNOWN ISSUES
============

-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs


#######################################
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index ed10d61..1349654 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -607,6 +607,61 @@
</refsect2>

<refsect2>
+ <title>visualize [options] <replaceable>subcommand</replaceable></title>
+ <para>Produce graphical representations of Samba network state.
+ To work out what is happening in a replication graph, it is sometimes
+ helpful to use visualisations.</para>
+
+ <para>
+ There are two subcommands, two graphical modes, and (roughly) two modes
+ of operation with respect to the location of authority.</para>
+
+ <refsect3><title>MODES OF OPERATION</title>
+ <varlistentry>
+ <term>samba-tool visualize ntdsconn</term>
+ <listitem><para>Looks at NTDS connections.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>samba-tool visualize reps</term>
+ <listitem><para>Looks at repsTo and repsFrom objects.
+ </para></listitem>
+ </varlistentry>
+ </refsect3>
+
+ <refsect3><title>GRAPHICAL MODES</title>
+ <varlistentry>
+ <term>--distance</term>
+ <listitem><para>Distances between DCs are shown in a matrix in
+ the terminal.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--dot</term>
+ <listitem><para>Generate Graphviz dot output. When viewed using
+ dot or xdot, this shows the network as a graph with DCs as
+ vertices and connections edges. Certain types of degenerate
+ edges are shown in different colours or line-styles.
+ </para></listitem>
+ </varlistentry>
+ </refsect3>
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>Normally, <command>samba-tool</command> talks
+ to one database; with the <arg choice="opt">-r</arg> option
+ attempts are made to contact all the DCs known to the first
+ database. This is necessary to get sensible results from
+ <command>samba-tool visualize reps</command> because the
+ repsFrom/To objects are not replicated, and it can reveal
+ replication issues in other modes.
+ </para></listitem>
+ </varlistentry>
+</refsect2>
+
+<refsect2>
<title>help</title>
<para>Gives usage information.</para>
</refsect2>
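
Review bot: the new `<varlistentry>` elements sit directly under `<refsect3>` (MODES OF OPERATION, GRAPHICAL MODES) and, for `-r`, directly under `<refsect2>`, with no enclosing `<variablelist>`. DocBook only allows `<varlistentry>` inside a `<variablelist>`, so each group needs wrapping in `<variablelist>` ... `</variablelist>`. The WHATSNEW text removed in this same changeset also mentions `--color=yes` and `--utf8` for distance mode; neither is documented here.
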
@@ -627,8 +682,6 @@
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
-
- <para>The samba-tool manpage was written by Karolin Seeger.</para>
</refsect1>

</refentry>
diff --git a/selftest/tests.py b/selftest/tests.py
index 126e118..b2d1a67 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -65,6 +65,7 @@ planpythontestsuite("none", "samba.tests.dcerpc.integer")
planpythontestsuite("none", "samba.tests.param", py3_compatible=True)
planpythontestsuite("none", "samba.tests.upgrade")
planpythontestsuite("none", "samba.tests.core", py3_compatible=True)
+planpythontestsuite("none", "samba.tests.common")
planpythontestsuite("none", "samba.tests.provision")
planpythontestsuite("none", "samba.tests.password_quality")
planpythontestsuite("none", "samba.tests.samba3")
--
Samba Shared Repository
Andrew Bartlett
2018-02-08 03:43:02 UTC
The branch, master has been updated
via a3485c4 ctdb-tests: Set test timeout to an hour
via 7009479 python SamDB: init default flags to FLG_DONT_CREATE_DB
via 736e438 pyldb: Expose extra flags
via a157091 samdb: Add tests for samdb tdb file creation.
via b96b51f lib/crypto: Update REQUIREMENTS for recent Samba changes
from 701b2ed WHATSNEW: Start release notes for Samba 4.9.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a3485c41b826e307b31a1113abcea9843ca78540
Author: Martin Schwenke <***@meltin.net>
Date: Mon Feb 5 15:45:09 2018 +1100

ctdb-tests: Set test timeout to an hour

The current 10 minute timeout is causing autobuild failures in some
environments.

This timeout is simply meant to stop a test run from hanging
indefinitely due to a broken test. A 1 hour timeout is better than no
timeout.

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Thu Feb 8 04:42:56 CET 2018 on sn-devel-144

commit 7009479b7a91715543e228412435ab2fdb6221ae
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Tue Jan 9 07:43:18 2018 +1300

python SamDB: init default flags to FLG_DONT_CREATE_DB

The current defaults for SamDB are to create the database file if it does not
exist. Most of the uses of SamDB assume the database already exists, and so
auto-creation is not the desired behaviour.

TDB will overwrite an existing non TDB file with a newly created TDB file.
This becomes an issue when using alternate database file formats i.e. lmdb.

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 736e438bf44d84d30d8d5091a3f915ef307a6b45
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Tue Jan 9 07:41:32 2018 +1300

pyldb: Expose extra flags

Expose the SHOW_BINARY, ENABLE_TRACING and DONT_CREATE_DB flag constants
in the python api.

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a157091a22446fd60830d5f352e44c6bad9264ba
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Wed Feb 7 14:59:21 2018 +1300

samdb: Add tests for samdb tdb file creation.

The current defaults for SamDB are to create the database file if it
does not exist. Most of the uses of SamDB assume the database already
exists, and so auto-creation is not the desired behaviour.

Also TDB will overwrite an existing non TDB file with a newly created
TDB file. This becomes an issue when using alternate database file
formats i.e. lmdb.

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit b96b51fa95ca3723dfb0a86d5186f5b8a3485a99
Author: Andrew Bartlett <***@samba.org>
Date: Thu Feb 8 10:49:33 2018 +1300

lib/crypto: Update REQUIREMENTS for recent Samba changes

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
ctdb/tests/run_tests.sh | 2 +-
lib/crypto/REQUIREMENTS | 2 +-
lib/ldb/pyldb.c | 4 +
python/samba/samdb.py | 3 +-
python/samba/tests/samdb_api.py | 158 ++++++++++++++++++++++++++++++++++++++++
python/samba/upgradehelpers.py | 7 +-
selftest/tests.py | 1 +
7 files changed, 173 insertions(+), 4 deletions(-)
create mode 100644 python/samba/tests/samdb_api.py


Changeset truncated at 500 lines:

diff --git a/ctdb/tests/run_tests.sh b/ctdb/tests/run_tests.sh
index a2a44a1..a7ca44e 100755
--- a/ctdb/tests/run_tests.sh
+++ b/ctdb/tests/run_tests.sh
@@ -45,7 +45,7 @@ export TEST_LOCAL_DAEMONS
[ -n "$TEST_LOCAL_DAEMONS" ] || TEST_LOCAL_DAEMONS=3
export TEST_VAR_DIR=""
export TEST_CLEANUP=false
-export TEST_TIMEOUT=600
+export TEST_TIMEOUT=3600
export TEST_SOCKET_WRAPPER_SO_PATH=""

temp=$(getopt -n "$prog" -o "AcCdDehHNqS:T:vV:xX" -l help -- "$@")
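
Review bot: `export TEST_TIMEOUT=3600` is assigned unconditionally, so a value already present in the caller's environment is discarded, while `TEST_LOCAL_DAEMONS` two lines up is only defaulted when empty. The commit message says the right value depends on the environment, so the same pattern fits here, e.g. `[ -n "$TEST_TIMEOUT" ] || TEST_TIMEOUT=3600`, with a comment that the unit is seconds.
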
diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index 5e02aea..3cd8a15 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -16,7 +16,6 @@ ARCFOUR (RC4)
- Password encryption on SAMR for password set/get
- NETLOGON SamLogon session keys
- Schannel
- - generate_random_data()

# GNUTLS >= 3.0.0
# NETTLE
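
Review bot: dropping `generate_random_data()` from the ARCFOUR (RC4) user list is the only removal in this file, and the commit message ("Update REQUIREMENTS for recent Samba changes") does not say which change made the entry obsolete or what the random data generator relies on now. Name the commit or the replacement in the message so someone auditing remaining RC4 use can confirm it.
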
@@ -60,6 +59,7 @@ AES128 CCM

AES128 GCM
- SMB2 3.10 SMB encryption
+ - encrypted_secrets ldb module (encrypt secrets within sam.ldb)

# GNUTLS >= 3.0.0
# NETTLE (AES-NI available)
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 04b3f1b..4b02edb 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -4226,6 +4226,10 @@ static PyObject* module_init(void)
ADD_LDB_INT(FLG_NOSYNC);
ADD_LDB_INT(FLG_RECONNECT);
ADD_LDB_INT(FLG_NOMMAP);
+ ADD_LDB_INT(FLG_SHOW_BINARY);
+ ADD_LDB_INT(FLG_ENABLE_TRACING);
+ ADD_LDB_INT(FLG_DONT_CREATE_DB);
+

/* Historical misspelling */
PyModule_AddIntConstant(m, "ERR_ALIAS_DEREFERINCING_PROBLEM", LDB_ERR_ALIAS_DEREFERENCING_PROBLEM);
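
Review bot: the added block ends with a blank `+` line directly before the existing blank context line, leaving two empty lines ahead of the `/* Historical misspelling */` comment; drop the added one. Since `FLG_DONT_CREATE_DB` becomes the SamDB default in the same push, a one-line comment here on what each newly exposed flag does would help Python callers.
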
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 4645629..82eb7a4 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -42,7 +42,8 @@ class SamDB(samba.Ldb):
hash_well_known = {}

def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
- credentials=None, flags=0, options=None, global_schema=True,
+ credentials=None, flags=ldb.FLG_DONT_CREATE_DB,
+ options=None, global_schema=True,
auto_connect=True, am_rodc=None):
self.lp = lp
if not auto_connect:
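
Review bot: making `ldb.FLG_DONT_CREATE_DB` the default value of `flags` only protects callers that omit the argument. A caller that passes `flags` for any other reason replaces the default instead of adding to it and silently gets create-on-open back, including the overwrite of an existing non-TDB file that the commit message describes. Document this in the `__init__` docstring and check the existing call sites that pass `flags=` explicitly, or have them OR their value with `ldb.FLG_DONT_CREATE_DB`.
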
diff --git a/python/samba/tests/samdb_api.py b/python/samba/tests/samdb_api.py
new file mode 100644
index 0000000..81c6266
--- /dev/null
+++ b/python/samba/tests/samdb_api.py
@@ -0,0 +1,158 @@
+# Tests for the samba samdb api
+#
+# Copyright (C) Andrew Bartlett <***@samba.org> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.tests import TestCaseInTempDir
+from samba.samdb import SamDB
+from ldb import LdbError, ERR_OPERATIONS_ERROR
+import os
+import errno
+
+
+class SamDBApiTestCase(TestCaseInTempDir):
+
+ def setUp(self):
+ super(SamDBApiTestCase, self).setUp()
+
+ def tearDown(self):
+ try:
+ os.remove(self.tempdir + "/test.db")
+ except OSError as e:
+ self.assertEquals(e.errno, errno.ENOENT)
+
+ try:
+ os.remove(self.tempdir + "/existing.db")
+ except OSError as e:
+ self.assertEquals(e.errno, errno.ENOENT)
+
+ super(SamDBApiTestCase, self).tearDown()
+
+ # Attempt to open and existing non tdb file as a tdb file.
+ # Don't create new db is set, the default
+ #
+ # Should fail to open
+ # And the existing file should be left intact.
+ #
+ def test_dont_create_db_existing_non_tdb_file(self):
+ existing_name = self.tempdir + "/existing.db"
+ existing = open(existing_name, "w")
+ existing.write("This is not a tdb file!!!!!!\n")
+ existing.close()
+
+ try:
+ SamDB(url="tdb://" + existing_name)
+ self.fail("Exception not thrown ")
+ except LdbError as (err, _):
+ self.assertEquals(err, ERR_OPERATIONS_ERROR)
+
+ existing = open(existing_name, "r")
+ contents = existing.readline()
+ self.assertEquals("This is not a tdb file!!!!!!\n", contents)
+
+ # Attempt to open and existing non tdb file as a tdb file.
+ # Don't create new db is cleared
+ #
+ # Should open as a tdb file
+ # And the existing file should be over written
+ #
+ def test_create_db_existing_file_non_tdb_file(self):
+ existing_name = self.tempdir + "/existing.db"
+ existing = open(existing_name, "w")
+ existing.write("This is not a tdb file!!!!!!")
+ existing.close()
+
+ SamDB(url="tdb://" + existing_name, flags=0)
+
+ existing = open(existing_name, "r")
+ contents = existing.readline()
+ self.assertEquals("TDB file\n", contents)
+
+ #
+ # Attempt to open an existing tdb file as a tdb file.
+ # Don't create new db is set, the default
+ #
+ # Should open successfully
+ # And the existing file should be left intact.
+ #
+ def test_dont_create_db_existing_tdb_file(self):
+ existing_name = self.tempdir + "/existing.db"
+ initial = SamDB(url="tdb://" + existing_name, flags=0)
+ dn = "dn=,cn=test_dont_create_db_existing_tdb_file"
+ initial.add({
+ "dn": dn,
+ "cn": "test_dont_create_db_existing_tdb_file"
+ })
+
+ cn = initial.searchone("cn", dn)
+ self.assertEquals("test_dont_create_db_existing_tdb_file", cn)
+
+ second = SamDB(url="tdb://" + existing_name)
+ cn = second.searchone("cn", dn)
+ self.assertEquals("test_dont_create_db_existing_tdb_file", cn)
+
+ #
+ # Attempt to open an existing tdb file as a tdb file.
+ # Don't create new db is explicitly cleared
+ #
+ # Should open successfully
+ # And the existing file should be left intact.
+ #
+ def test_create_db_existing_file_tdb_file(self):
+ existing_name = self.tempdir + "/existing.db"
+ initial = SamDB(url="tdb://" + existing_name, flags=0)
+ dn = "dn=,cn=test_dont_create_db_existing_tdb_file"
+ initial.add({
+ "dn": dn,
+ "cn": "test_dont_create_db_existing_tdb_file"
+ })
+
+ cn = initial.searchone("cn", dn)
+ self.assertEquals("test_dont_create_db_existing_tdb_file", cn)
+
+ second = SamDB(url="tdb://" + existing_name, flags=0)
+ cn = second.searchone("cn", dn)
+ self.assertEquals("test_dont_create_db_existing_tdb_file", cn)
+
+ # Open a non existent TDB file.
+ # Don't create new db is set, the default
+ #
+ # Should fail
+ # and the database file should not be created
+ def test_dont_create_db_new_file(self):
+ try:
+ SamDB(url="tdb://" + self.tempdir + "/test.db")
+ self.fail("Exception not thrown ")
+ except LdbError as (err, _):
+ self.assertEquals(err, ERR_OPERATIONS_ERROR)
+
+ try:
+ file = open(self.tempdir + "/test.db", "r")
+ self.fail("New database file created")
+ except IOError as e:
+ self.assertEquals(e.errno, errno.ENOENT)
+
+
+ # Open a SamDB with the don't create new DB flag cleared.
+ # The underlying database file does not exist.
+ #
+ # Should successful open the SamDB creating a new database file.
+ #
+ def test_create_db_new_file(self):
+ SamDB(url="tdb://" + self.tempdir + "/test.db", flags=0)
+ existing = open(self.tempdir + "/test.db", "r")
+ contents = existing.readline()
+ self.assertEquals("TDB file\n", contents)
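
Review bot: `except LdbError as (err, _):` in test_dont_create_db_existing_non_tdb_file and test_dont_create_db_new_file is Python 2-only tuple unpacking and is a SyntaxError under Python 3, which keeps this module from being marked py3_compatible. Use `except LdbError as e:` followed by `(err, _) = e.args`. The files opened with `open(..., "r")` for the content checks are also never closed, and `setUp` only calls the parent; `with open(...)` blocks and dropping the empty override would tidy both.
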
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index e026262..9f017bc 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -138,7 +138,12 @@ def get_ldbs(paths, creds, session, lp):

ldbs = ProvisionLDB()

- ldbs.sam = SamDB(paths.samdb, session_info=session, credentials=creds, lp=lp, options=["modules:samba_dsdb"])
+ ldbs.sam = SamDB(paths.samdb,
+ session_info=session,
+ credentials=creds,
+ lp=lp,
+ options=["modules:samba_dsdb"],
+ flags=0)
ldbs.secrets = Ldb(paths.secrets, session_info=session, credentials=creds, lp=lp)
ldbs.idmap = Ldb(paths.idmapdb, session_info=session, credentials=creds, lp=lp)
ldbs.privilege = Ldb(paths.privilege, session_info=session, credentials=creds, lp=lp)
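
Review bot: `flags=0` turns database creation back on for `paths.samdb`, which is the behaviour the new SamDB default was introduced to avoid, and nothing in the hunk says why the upgrade helper needs it. Add a comment above the call giving the reason, so the override is not copied to other call sites without thought.
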
diff --git a/selftest/tests.py b/selftest/tests.py
index b2d1a67..ec48b03 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -154,6 +154,7 @@ planpythontestsuite("none", "samba.tests.graph")
plantestsuite("wafsamba.duplicate_symbols", "none", [os.path.join(srcdir(), "buildtools/wafsamba/test_duplicate_symbol.sh")])
planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True)
+planpythontestsuite("none", "samba.tests.samdb_api")

if with_pam:
plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
--
Samba Shared Repository
Andrew Bartlett
2018-02-08 09:01:03 UTC
The branch, master has been updated
via c7d0e6f samba-tool/tests: Check that dns cleanup does not spuriously remove entries
via 90e74fc samba-tool/dns: Clarify the cleanup subcommand
via 97de384 tests/samba-tool: dns cleanup should work with a missing name
via d82687e remove_dc: Allow remove_dns_references to ignore missing server names
via 178f868 samba-tool: add dns cleanup cmd
via c4bb546 tests/samba-tool: add tests for samba-tool group move command
via 8466323 docs-xml:samba-tool.8: document "group move" command
via 6a2a5e6 samba-tool group: implement the group move command
via 37b5195 tests/samba-tool: add tests for user move command
via b6b2eb8 docs-xml:samba-tool.8: document "user move" command
via 62a8eec samba-tool user: implement the user move command
via 4c1101d samba-tool user: fix some typos
via 87ddbb6 tests/samba-tool: add test for samba-tool user show command
via 6fbfe84 docs-xml:samba-tool.8: document "user show" command
via dc0fa33 samba-tool: implement user show command to display a user AD object
via dbd29a0 docs-xml:samba-tool.8: document ou management commands
via e3882f8 tests/samba-tool: add tests for new ou management commands
via 2e0f33d samba-tool: implement ou management commands
via f973667 selftest: Add tests for samdb.normalize_dn_in_domain()
via f202b0e python/samdb: Improve function comment on normalize_dn_in_domain()
via 3f022b2 python/samdb: Allow samdb.normalize_dn_in_domain() to take an ldb.Dn()
via 0a88be8 python/samdb: add method normalize_dn_in_domain(): get full dn of an relative dn
via cf338b8 pyldb: extend dn.is_child_of() test: dn is child of itself
from a3485c4 ctdb-tests: Set test timeout to an hour

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c7d0e6f39b15e54264dff2a897256f6bf9736333
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Jan 31 16:13:14 2018 +1300

samba-tool/tests: Check that dns cleanup does not spuriously remove entries

This might happen in the multi-record case.

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Thu Feb 8 10:00:13 CET 2018 on sn-devel-144

commit 90e74fc15a8366c775d12a0817b63b6539f1cdd6
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Jan 31 16:12:05 2018 +1300

samba-tool/dns: Clarify the cleanup subcommand

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 97de384e9a9c44e51954c385a30b113921b4c285
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Jan 31 11:53:40 2018 +1300

tests/samba-tool: dns cleanup should work with a missing name

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit d82687e77fc8467fb7a2c845220dde1f90fd30bf
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Jan 31 11:52:34 2018 +1300

remove_dc: Allow remove_dns_references to ignore missing server names

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 178f86848d15b0a1b59e8a4535649f264a0d12c4
Author: Joe Guo <***@catalyst.net.nz>
Date: Fri Jan 12 14:14:00 2018 +1300

samba-tool: add dns cleanup cmd

1. Add new command to cleanup dns records for a dns host name
2. Add test to verify the command is working

Signed-off-by: Joe Guo <***@catalyst.net.nz>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit c4bb546b21b7ddce5b6f0d023b35c62c98a71d65
Author: Björn Baumbach <***@sernet.de>
Date: Wed Jan 24 17:00:35 2018 +0100

tests/samba-tool: add tests for samba-tool group move command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 8466323c1f1ca69981f0ade14937cf7737ee5549
Author: Björn Baumbach <***@sernet.de>
Date: Wed Jan 24 18:01:42 2018 +0100

docs-xml:samba-tool.8: document "group move" command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 6a2a5e61dc4f397de14320b685acc46de5cc0701
Author: Björn Baumbach <***@sernet.de>
Date: Mon Nov 27 21:00:07 2017 +0100

samba-tool group: implement the group move command

This new command allows moving a group into an ou or container.

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 37b5195d1c747b5388cb2576cd370b5e2eb7d34a
Author: Björn Baumbach <***@sernet.de>
Date: Mon Dec 18 16:12:13 2017 +0100

tests/samba-tool: add tests for user move command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit b6b2eb8f881e081e80a2a0c1294dc2ec2beda859
Author: Björn Baumbach <***@sernet.de>
Date: Wed Jan 24 17:59:29 2018 +0100

docs-xml:samba-tool.8: document "user move" command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 62a8eecfbbb4b5fb9f37e454e444751ccf16f82f
Author: Björn Baumbach <***@sernet.de>
Date: Mon Nov 27 20:40:49 2017 +0100

samba-tool user: implement the user move command

This new command allows moving a user into an ou or container.

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 4c1101d0335aba4fcede42e84b5058adc854c54a
Author: Björn Baumbach <***@sernet.de>
Date: Fri Dec 8 12:08:18 2017 +0100

samba-tool user: fix some typos

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 87ddbb67201bedaa8f042a2b5175d795eec2cb7e
Author: Björn Baumbach <***@sernet.de>
Date: Wed Nov 29 15:22:20 2017 +0100

tests/samba-tool: add test for samba-tool user show command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 6fbfe84c011adc6a426dbd92e779a8759ba80989
Author: Björn Baumbach <***@sernet.de>
Date: Thu Jan 25 10:49:33 2018 +0100

docs-xml:samba-tool.8: document "user show" command

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit dc0fa33c6817ccbf1a90eea5ea1925d2953dd84d
Author: Björn Baumbach <***@sernet.de>
Date: Thu Jan 25 10:49:17 2018 +0100

samba-tool: implement user show command to display a user AD object

This command displays a user account and its attributes in the
Active Directory domain.
The username specified on the command is the sAMAccountName.

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit dbd29a0194cebc6bd0d6fe163c82feedbb1b55e5
Author: Björn Baumbach <***@sernet.de>
Date: Wed Jan 24 18:58:11 2018 +0100

docs-xml:samba-tool.8: document ou management commands

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit e3882f80e0940f16e7808f08b28f3a4803a4ea7b
Author: Björn Baumbach <***@sernet.de>
Date: Wed Nov 29 16:51:21 2017 +0100

tests/samba-tool: add tests for new ou management commands

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 2e0f33d8420a4c4beecb28a85576e54a4694046c
Author: Björn Baumbach <***@sernet.de>
Date: Thu Nov 16 12:31:11 2017 +0100

samba-tool: implement ou management commands

Available subcommands:
create - Create an organizational unit.
delete - Delete an organizational unit.
list - List all organizational units
listobjects - List all objects in an organizational unit.
move - Move an organizational unit.
rename - Rename an organizational unit.

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit f973667face7f6f30723d2b7a1cfb86930b05629
Author: Andrew Bartlett <***@samba.org>
Date: Thu Feb 8 16:46:42 2018 +1300

selftest: Add tests for samdb.normalize_dn_in_domain()

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit f202b0ef24ded7e93b986033473bc5cf260be33d
Author: Andrew Bartlett <***@samba.org>
Date: Thu Feb 8 16:46:29 2018 +1300

python/samdb: Improve function comment on normalize_dn_in_domain()

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 3f022b2dd0e0c9a5f1dea35609730ac0ce1bec76
Author: Andrew Bartlett <***@samba.org>
Date: Thu Feb 8 16:27:17 2018 +1300

python/samdb: Allow samdb.normalize_dn_in_domain() to take an ldb.Dn()

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 0a88be836b3b57e0b268d26350be419ef1aa4fdd
Author: Björn Baumbach <***@sernet.de>
Date: Wed Jan 24 17:06:50 2018 +0100

python/samdb: add method normalize_dn_in_domain(): get full dn of an relative dn

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit cf338b8260f5b33df6718e4850eed326c636b7ab
Author: Björn Baumbach <***@sernet.de>
Date: Wed Dec 20 15:55:50 2017 +0100

pyldb: extend dn.is_child_of() test: dn is child of itself

Add this test to ensure that this (unclear) behaviour does
not change silently.

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 117 ++++++++++
lib/ldb/tests/python/api.py | 4 +
python/samba/netcmd/dns.py | 49 ++++
python/samba/netcmd/group.py | 79 +++++++
python/samba/netcmd/main.py | 1 +
python/samba/netcmd/ou.py | 395 ++++++++++++++++++++++++++++++++
python/samba/netcmd/user.py | 165 ++++++++++++-
python/samba/remove_dc.py | 14 +-
python/samba/samdb.py | 18 ++
python/samba/tests/dsdb.py | 49 ++++
python/samba/tests/samba_tool/dnscmd.py | 157 +++++++++++++
python/samba/tests/samba_tool/group.py | 32 +++
python/samba/tests/samba_tool/ou.py | 274 ++++++++++++++++++++++
python/samba/tests/samba_tool/user.py | 54 +++++
source4/selftest/tests.py | 1 +
15 files changed, 1404 insertions(+), 5 deletions(-)
create mode 100644 python/samba/netcmd/ou.py
create mode 100644 python/samba/tests/samba_tool/ou.py


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 1349654..bcdad77 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -445,6 +445,17 @@
</refsect3>

<refsect3>
+ <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a group into the specified organizational unit
+ or container.</para>
+ <para>The groupname specified on the command is the sAMAccountName.
+ </para>
+ <para>The name of the organizational unit or container can be
+ specified as a full DN or without the domainDN component.</para>
+ <para></para>
+</refsect3>
+
+<refsect3>
<title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
<para>Remove members from the specified AD group.</para>
</refsect3>
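Review bot: the group move entry ends with an empty <para></para> just before its closing </refsect3>, which renders as a blank paragraph in the man page; drop it. The closing </refsect3> and the following <refsect3> are also added at column 0 while the entry's other lines are indented, so the indentation should be made consistent with the neighbouring entries.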
@@ -479,6 +490,88 @@
<para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
</refsect3>

+<refsect3>
+ <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
+ <para>Create an organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--description=DESCRIPTION</term>
+ <listitem><para>
+ Specify OU's description.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
+ <para>Delete an organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--force-subtree-delete</term>
+ <listitem><para>
+ Delete organizational unit and all children reclusively.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou list [options]</title>
+ <para>List all organizational units.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ Display DNs including the base DN.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
+ <para>List all objects in an organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ Display DNs including the base DN.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r|--recursive</term>
+ <listitem><para>
+ List objects recursively.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>Move an organizational unit.</para>
+ <para>The name of the organizational units can be specified as a full DN
+ or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
+ <para>Rename an organizational unit.</para>
+ <para>The name of the organizational units can be specified as a full DN
+ or without the domainDN component.</para>
+</refsect3>
+
<refsect2>
<title>rodc</title>
<para>Manage Read-Only Domain Controller (RODC).</para>
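Review bot: the new ou entries are added as bare <refsect3> blocks with no <refsect2><title>ou</title> block introducing the command group, unlike rodc directly below, which opens with <refsect2><title>rodc</title>; as added, the ou commands follow straight on from the sysvolreset entry. Add a <refsect2> with a title and a one-line description before the first ou entry. In the --force-subtree-delete description, "reclusively" should be "recursively", and in ou move and ou rename "The name of the organizational units" should read "The names of the organizational units".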
@@ -572,6 +665,30 @@
</refsect3>

<refsect3>
+ <title>user show <replaceable>username</replaceable> [options]</title>
+ <para>Display a user AD object.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--attributes=USER_ATTRS</term>
+ <listitem><para>
+ Comma separated list of attributes, which will be printed.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a user account into the specified
+ organizational unit or container.</para>
+ <para>The username specified on the command is the
+ sAMAccountName.</para>
+ <para>The name of the organizational unit or container can be
+ specified as a full DN or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
<title>user password [options]</title>
<para>Change password for an user account (the one provided in
authentication).</para>
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index 409f446..85fe1bc 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -1512,9 +1512,11 @@ class DnTests(TestCase):
dn3 = ldb.Dn(self.ldb, "cn=bar,dc=base")
dn4 = ldb.Dn(self.ldb, "cn=baz,cn=bar,dc=base")

+ self.assertTrue(dn1.is_child_of(dn1))
self.assertTrue(dn2.is_child_of(dn1))
self.assertTrue(dn4.is_child_of(dn1))
self.assertTrue(dn4.is_child_of(dn3))
+ self.assertTrue(dn4.is_child_of(dn4))
self.assertFalse(dn3.is_child_of(dn2))
self.assertFalse(dn1.is_child_of(dn4))

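Review bot: the two added assertions that a DN is a child of itself (dn1.is_child_of(dn1) and dn4.is_child_of(dn4)) have no comment saying the result is pinned on purpose. The commit message calls the behaviour unclear, so a one-line comment above them stating that they record current behaviour rather than a specified contract would keep a later reader from treating them as a mistake. The same applies to the string variant in the next hunk.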
@@ -1530,9 +1532,11 @@ class DnTests(TestCase):
dn3 = ldb.Dn(self.ldb, dn3_str)
dn4 = ldb.Dn(self.ldb, dn4_str)

+ self.assertTrue(dn1.is_child_of(dn1_str))
self.assertTrue(dn2.is_child_of(dn1_str))
self.assertTrue(dn4.is_child_of(dn1_str))
self.assertTrue(dn4.is_child_of(dn3_str))
+ self.assertTrue(dn4.is_child_of(dn4_str))
self.assertFalse(dn3.is_child_of(dn2_str))
self.assertFalse(dn1.is_child_of(dn4_str))

diff --git a/python/samba/netcmd/dns.py b/python/samba/netcmd/dns.py
index fd8db93..33f81ee 100644
--- a/python/samba/netcmd/dns.py
+++ b/python/samba/netcmd/dns.py
@@ -15,6 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import logging

import samba.getopt as options
from samba import WERRORError
@@ -26,6 +27,10 @@ from socket import AF_INET
from socket import AF_INET6
import shlex

+from samba import remove_dc
+from samba.samdb import SamDB
+from samba.auth import system_session
+
from samba.netcmd import (
Command,
CommandError,
@@ -1068,6 +1073,49 @@ class cmd_delete_record(Command):
self.outf.write('Record deleted successfully\n')


+class cmd_cleanup_record(Command):
+ """Cleanup DNS records for a DNS host.
+
+ example:
+
+ samba-tool dns cleanup dc1 dc1.samdom.test.site -U USER%PASSWORD
+
+ NOTE: This command in many cases will only mark the `dNSTombstoned` attr
+ as `TRUE` on the DNS records. Querying will no longer return results but
+ there may still be some placeholder entries in the database.
+ """
+
+ synopsis = '%prog <server> <dnshostname>'
+
+ takes_args = ['server', 'dnshostname']
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ def run(self, server, dnshostname, sambaopts=None, credopts=None,
+ versionopts=None, verbose=False, quiet=False):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ logger = self.get_logger()
+ if verbose:
+ logger.setLevel(logging.DEBUG)
+ elif quiet:
+ logger.setLevel(logging.WARNING)
+ else:
+ logger.setLevel(logging.INFO)
+
+ samdb = SamDB(url="ldap://%s" % server,
+ session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ remove_dc.remove_dns_references(samdb, logger, dnshostname,
+ ignore_no_name=True)
+
+
class cmd_dns(SuperCommand):
"""Domain Name Service (DNS) management."""

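Review bot: run() in cmd_cleanup_record accepts verbose and quiet, but the class as added declares no takes_options for them, so from the visible code both stay False and the logger always ends up at INFO. Either add the two options to the class or remove the parameters and the setLevel branches. The docstring note that records are often only marked dNSTombstoned is useful to operators and should also appear in samba-tool.8.xml; none of the three manpage hunks in this push adds an entry for dns cleanup.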
@@ -1082,3 +1130,4 @@ class cmd_dns(SuperCommand):
subcommands['add'] = cmd_add_record()
subcommands['update'] = cmd_update_record()
subcommands['delete'] = cmd_delete_record()
+ subcommands['cleanup'] = cmd_cleanup_record()
diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
index b9d6add..782a1ef 100644
--- a/python/samba/netcmd/group.py
+++ b/python/samba/netcmd/group.py
@@ -421,6 +421,84 @@ samba-tool group listmembers \"Domain Users\" -H ldap://samba.samdom.example.com
except Exception, e:
raise CommandError('Failed to list members of "%s" group ' % groupname, e)

+class cmd_group_move(Command):
+ """Move a group to an organizational unit/container.
+
+ This command moves a group object into the specified organizational unit
+ or container.
+ The groupname specified on the command is the sAMAccountName.
+ The name of the organizational unit or container can be specified as a
+ full DN or without the domainDN component.
+
+ The command may be run from the root userid or another authorized userid.
+
+ The -H or --URL= option can be used to execute the command against a remote
+ server.
+
+ Example1:
+ samba-tool group move Group1 'OU=OrgUnit,DC=samdom.DC=example,DC=com' \
+ -H ldap://samba.samdom.example.com -U administrator
+
+ Example1 shows how to move a group Group1 into the 'OrgUnit' organizational
+ unit on a remote LDAP server.
+
+ The -H parameter is used to specify the remote target server.
+
+ Example2:
+ samba-tool group move Group1 CN=Users
+
+ Example2 shows how to move a group Group1 back into the CN=Users container
+ on the local server.
+ """
+
+ synopsis = "%prog <groupname> <new_parent_dn> [options]"
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = [ "groupname", "new_parent_dn" ]
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ def run(self, groupname, new_parent_dn, credopts=None, sambaopts=None,
+ versionopts=None, H=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp, fallback_machine=True)
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+ domain_dn = ldb.Dn(samdb, samdb.domain_dn())
+
+ filter = ("(&(sAMAccountName=%s)(objectClass=group))" %
+ groupname)
+ try:
+ res = samdb.search(base=domain_dn,
+ expression=filter,
+ scope=ldb.SCOPE_SUBTREE)
+ group_dn = res[0].dn
+ except IndexError:
+ raise CommandError('Unable to find group "%s"' % (groupname))
+
+ try:
+ full_new_parent_dn = samdb.normalize_dn_in_domain(new_parent_dn)
+ except Exception, e:
+ raise CommandError('Invalid new_parent_dn "%s": %s' %
+ (new_parent_dn, e.message))
+
+ full_new_group_dn = ldb.Dn(samdb, str(group_dn))
+ full_new_group_dn.remove_base_components(len(group_dn)-1)
+ full_new_group_dn.add_base(full_new_parent_dn)
+
+ try:
+ samdb.rename(group_dn, full_new_group_dn)
+ except Exception, e:
+ raise CommandError('Failed to move group "%s"' % groupname, e)
+ self.outf.write('Moved group "%s" into "%s"\n' %
+ (groupname, full_new_parent_dn))

class cmd_group(SuperCommand):
"""Group management."""
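Review bot: in cmd_group_move.run() groupname is formatted into the search filter unescaped, "(&(sAMAccountName=%s)(objectClass=group))" % groupname. A name containing (, ), * or \ changes the filter, so res[0] can be a different object from the one the caller named, and that object is then renamed. Pass groupname through ldb.binary_encode() before formatting. Two smaller points: Example1 in the docstring has 'DC=samdom.DC=example' with a period where a comma is needed, and the local variable filter shadows the builtin of the same name.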
@@ -432,3 +510,4 @@ class cmd_group(SuperCommand):
subcommands["removemembers"] = cmd_group_remove_members()
subcommands["list"] = cmd_group_list()
subcommands["listmembers"] = cmd_group_list_members()
+ subcommands["move"] = cmd_group_move()
diff --git a/python/samba/netcmd/main.py b/python/samba/netcmd/main.py
index 7f94f89..a9cf176 100644
--- a/python/samba/netcmd/main.py
+++ b/python/samba/netcmd/main.py
@@ -75,5 +75,6 @@ class cmd_sambatool(SuperCommand):
subcommands["testparm"] = None
subcommands["time"] = None
subcommands["user"] = None
+ subcommands["ou"] = None
subcommands["processes"] = None
subcommands["visualize"] = None
diff --git a/python/samba/netcmd/ou.py b/python/samba/netcmd/ou.py
new file mode 100644
index 0000000..16b7f65
--- /dev/null
+++ b/python/samba/netcmd/ou.py
@@ -0,0 +1,395 @@
+# implement samba_tool ou commands
+#
+# Copyright Bjoern Baumbach <***@sernet.de> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.getopt as options
+import ldb
+
+from samba.auth import system_session
+from samba.netcmd import (
+ Command,
+ CommandError,
+ Option,
+ SuperCommand,
+ )
+from samba.samdb import SamDB
+from samba import dsdb
+from operator import attrgetter
+
+class cmd_rename(Command):
+ """Rename an organizational unit.
+
+ The name of the organizational units can be specified as a full DN
+ or without the domainDN component.
+
+ Examples:
+ samba-tool ou rename 'OU=OrgUnit,DC=samdom,DC=example,DC=com' \
+ 'OU=NewNameOfOrgUnit,DC=samdom,DC=example,DC=com'
+ samba-tool ou rename 'OU=OrgUnit' 'OU=NewNameOfOrgUnit'
+
+ The examples show how an administrator would rename an ou 'OrgUnit'
+ to 'NewNameOfOrgUnit'. The new DN would be
+ 'OU=NewNameOfOrgUnit,DC=samdom,DC=example,DC=com'
+ """
+
+ synopsis = "%prog <old_ou_dn> <new_ou_dn> [options]"
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["old_ou_dn", "new_ou_dn"]
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ def run(self, old_ou_dn, new_ou_dn, credopts=None, sambaopts=None,
+ versionopts=None, H=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp, fallback_machine=True)
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+ domain_dn = ldb.Dn(samdb, samdb.domain_dn())
+
+ try:
+ full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn)
+ except Exception, e:
+ raise CommandError('Invalid old_ou_dn "%s": %s' %
+ (old_ou_dn, e.message))
+ try:
+ full_new_ou_dn = samdb.normalize_dn_in_domain(new_ou_dn)
+ except Exception, e:
+ raise CommandError('Invalid new_ou_dn "%s": %s' %
+ (new_ou_dn, e.message))
+
+ try:
+ res = samdb.search(base=full_old_ou_dn,
+ expression="(objectclass=organizationalUnit)",
+ scope=ldb.SCOPE_BASE, attrs=[])
+ if len(res) == 0:
+ self.outf.write('Unable to find ou "%s"\n' % old_ou_dn)
+ return
+
+ samdb.rename(full_old_ou_dn, full_new_ou_dn)
+ except Exception, e:
+ raise CommandError('Failed to rename ou "%s"' % full_old_ou_dn, e)
+ self.outf.write('Renamed ou "%s" to "%s"\n' % (full_old_ou_dn,
+ full_new_ou_dn))
+
+class cmd_move(Command):
+ """Move an organizational unit.
+
+ The name of the organizational units can be specified as a full DN
+ or without the domainDN component.
+
+ Examples:
+ samba-tool ou move 'OU=OrgUnit,DC=samdom,DC=example,DC=com' \
+ 'OU=NewParentOfOrgUnit,DC=samdom,DC=example,DC=com'
+ samba-tool ou rename 'OU=OrgUnit' 'OU=NewParentOfOrgUnit'
+
+ The examples show how an administrator would move an ou 'OrgUnit'
+ into the ou 'NewParentOfOrgUnit'. The ou 'OrgUnit' would become
+ a child of the 'NewParentOfOrgUnit' ou. The new DN would be
+ 'OU=OrgUnit,OU=NewParentOfOrgUnit,DC=samdom,DC=example,DC=com'
+ """
+
+ synopsis = "%prog <old_ou_dn> <new_parent_dn> [options]"
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["old_ou_dn", "new_parent_dn"]
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ def run(self, old_ou_dn, new_parent_dn, credopts=None, sambaopts=None,
+ versionopts=None, H=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp, fallback_machine=True)
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ domain_dn = ldb.Dn(samdb, samdb.domain_dn())
+ try:
+ full_old_ou_dn = samdb.normalize_dn_in_domain(old_ou_dn)
+ except Exception, e:
+ raise CommandError('Invalid old_ou_dn "%s": %s' %
+ (old_ou_dn, e.message))
+ try:
+ full_new_parent_dn = samdb.normalize_dn_in_domain(new_parent_dn)
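Review bot: in cmd_rename.run() the not-found branch writes 'Unable to find ou' to outf and returns, so the command exits successfully although nothing was renamed; cmd_group_move raises CommandError for the equivalent case, and scripts calling ou rename need the same non-zero exit. Raise CommandError there instead. Also in cmd_rename.run(), domain_dn is assigned but not used. In the cmd_move docstring the second example reads "samba-tool ou rename 'OU=OrgUnit' 'OU=NewParentOfOrgUnit'", which looks copied from cmd_rename and should be ou move.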
--
Samba Shared Repository
Ralph Böhme
2018-02-08 13:51:02 UTC
The branch, master has been updated
via be3c8d0 lib: Make g_lock_locks use TDB_DATA
via 67fcc7d lib: Make g_lock_dump use TDB_DATA
via a6c749e lib: Make g_lock_do use TDB_DATA
via ed3521d lib: Make g_lock_write_data use TDB_DATA
via a104e08 lib: Make g_lock_unlock use TDB_DATA
via bdeb7e7 lib: Make g_lock_lock use TDB_DATA
via 3bc87a2 lib: Make g_lock_lock_send use TDB_DATA
from c7d0e6f samba-tool/tests: Check that dns cleanup does not spuriously remove entries

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit be3c8d08ec6331c2d4c1724cb3933c34fb7d7f0f
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_locks use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Thu Feb 8 14:50:49 CET 2018 on sn-devel-144

commit 67fcc7dbb9ad63886c594b1f563b6c1d2060cbd1
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_dump use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit a6c749e76cd4f3be0f3a0db81324491314b949c0
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_do use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit ed3521d1729a7bda1f127f4c5a754bf01b174665
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_write_data use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit a104e08171b50b9e23dc1869049d12e0c6176979
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_unlock use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit bdeb7e7d8185a112064930edbf0cf1ee5b72999e
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_lock use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 3bc87a20e9c6af358749c0b9d17e03a281086d3e
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 3 20:47:02 2017 +0100

lib: Make g_lock_lock_send use TDB_DATA

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
libcli/auth/netlogon_creds_cli.c | 9 ++---
source3/include/g_lock.h | 14 ++++----
source3/lib/dbwrap/dbwrap_ctdb.c | 7 ++--
source3/lib/g_lock.c | 72 +++++++++++++++++++-------------------
source3/libsmb/trusts_util.c | 6 ++--
source3/smbd/server.c | 14 ++++----
source3/torture/test_g_lock.c | 75 ++++++++++++++++++++++++----------------
source3/utils/net_g_lock.c | 14 +++++---
source3/utils/net_registry.c | 5 +--
9 files changed, 123 insertions(+), 93 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index cb3d6a9..fdd1195 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -93,7 +93,7 @@ static int netlogon_creds_cli_locked_state_destructor(

if (state->is_glocked) {
g_lock_unlock(context->db.g_ctx,
- context->db.key_name);
+ string_term_tdb_data(context->db.key_name));
}

return 0;
@@ -765,7 +765,7 @@ struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,

subreq = g_lock_lock_send(state, ev,
context->db.g_ctx,
- context->db.key_name,
+ string_term_tdb_data(context->db.key_name),
G_LOCK_WRITE);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
@@ -978,7 +978,7 @@ struct tevent_req *netlogon_creds_cli_lck_send(

subreq = g_lock_lock_send(state, ev,
context->db.g_ctx,
- context->db.key_name,
+ string_term_tdb_data(context->db.key_name),
gtype);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
@@ -1014,7 +1014,8 @@ static int netlogon_creds_cli_lck_destructor(
struct netlogon_creds_cli_context *ctx = lck->context;
NTSTATUS status;

- status = g_lock_unlock(ctx->db.g_ctx, ctx->db.key_name);
+ status = g_lock_unlock(ctx->db.g_ctx,
+ string_term_tdb_data(ctx->db.key_name));
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("g_lock_unlock failed: %s\n", nt_errstr(status));
smb_panic("g_lock_unlock failed");
diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
index e6d4de1..c3e3a50 100644
--- a/source3/include/g_lock.h
+++ b/source3/include/g_lock.h
@@ -41,24 +41,24 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
struct tevent_req *g_lock_lock_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct g_lock_ctx *ctx,
- const char *name,
+ TDB_DATA key,
enum g_lock_type type);
NTSTATUS g_lock_lock_recv(struct tevent_req *req);
-NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, TDB_DATA key,
enum g_lock_type lock_type, struct timeval timeout);
-NTSTATUS g_lock_unlock(struct g_lock_ctx *ctx, const char *name);
+NTSTATUS g_lock_unlock(struct g_lock_ctx *ctx, TDB_DATA key);

-NTSTATUS g_lock_write_data(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_write_data(struct g_lock_ctx *ctx, TDB_DATA key,
const uint8_t *buf, size_t buflen);

-NTSTATUS g_lock_do(const char *name, enum g_lock_type lock_type,
+NTSTATUS g_lock_do(TDB_DATA key, enum g_lock_type lock_type,
struct timeval timeout,
void (*fn)(void *private_data), void *private_data);

int g_lock_locks(struct g_lock_ctx *ctx,
- int (*fn)(const char *name, void *private_data),
+ int (*fn)(TDB_DATA key, void *private_data),
void *private_data);
-NTSTATUS g_lock_dump(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_dump(struct g_lock_ctx *ctx, TDB_DATA key,
void (*fn)(const struct g_lock_rec *locks,
size_t num_locks,
const uint8_t *data,
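Review bot: the prototypes switch from const char *name to TDB_DATA key without any comment on how a key has to be built. Every caller converted in this push uses string_term_tdb_data(), which includes the trailing NUL, and that is what keeps the key bytes identical to the ones g_lock.c previously derived from the name itself; a caller that builds the key without the terminator would silently address a different record. A short comment in the header stating that keys are compared bytewise and that string keys must include the terminator to match existing records would prevent that.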
diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index 25db140..2885f4e 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -328,7 +328,8 @@ static int db_ctdb_transaction_destructor(struct db_ctdb_transaction_handle *h)
{
NTSTATUS status;

- status = g_lock_unlock(h->ctx->lock_ctx, h->lock_name);
+ status = g_lock_unlock(h->ctx->lock_ctx,
+ string_term_tdb_data(h->lock_name));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("g_lock_unlock failed for %s: %s\n", h->lock_name,
nt_errstr(status)));
@@ -380,8 +381,8 @@ static int db_ctdb_transaction_start(struct db_context *db)
/*
* Wait a day, i.e. forever...
*/
- status = g_lock_lock(ctx->lock_ctx, h->lock_name, G_LOCK_WRITE,
- timeval_set(86400, 0));
+ status = g_lock_lock(ctx->lock_ctx, string_term_tdb_data(h->lock_name),
+ G_LOCK_WRITE, timeval_set(86400, 0));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("g_lock_lock failed: %s\n", nt_errstr(status)));
TALLOC_FREE(h);
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 4c42fb0..9ce0e06 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -311,7 +311,7 @@ done:
struct g_lock_lock_state {
struct tevent_context *ev;
struct g_lock_ctx *ctx;
- const char *name;
+ TDB_DATA key;
enum g_lock_type type;
};

@@ -343,7 +343,7 @@ static void g_lock_lock_fn(struct db_record *rec, void *private_data)
struct tevent_req *g_lock_lock_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct g_lock_ctx *ctx,
- const char *name,
+ TDB_DATA key,
enum g_lock_type type)
{
struct tevent_req *req;
@@ -357,15 +357,14 @@ struct tevent_req *g_lock_lock_send(TALLOC_CTX *mem_ctx,
}
state->ev = ev;
state->ctx = ctx;
- state->name = name;
+ state->key = key;
state->type = type;

fn_state = (struct g_lock_lock_fn_state) {
.state = state, .self = messaging_server_id(ctx->msg)
};

- status = dbwrap_do_locked(ctx->db, string_term_tdb_data(name),
- g_lock_lock_fn, &fn_state);
+ status = dbwrap_do_locked(ctx->db, key, g_lock_lock_fn, &fn_state);
if (tevent_req_nterror(req, status)) {
DBG_DEBUG("dbwrap_do_locked failed: %s\n",
nt_errstr(status));
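Review bot: state->key = key in g_lock_lock_send() copies only the TDB_DATA struct, so key.dptr has to stay valid until the request completes, including the retry path that reads state->key again. With const char *name this was the same requirement, but now that arbitrary buffers can be passed it should be stated in a comment on g_lock_lock_send(), or the key bytes should be copied onto state with talloc_memdup().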
@@ -418,8 +417,7 @@ static void g_lock_lock_retry(struct tevent_req *subreq)
.state = state, .self = messaging_server_id(state->ctx->msg)
};

- status = dbwrap_do_locked(state->ctx->db,
- string_term_tdb_data(state->name),
+ status = dbwrap_do_locked(state->ctx->db, state->key,
g_lock_lock_fn, &fn_state);
if (tevent_req_nterror(req, status)) {
DBG_DEBUG("dbwrap_do_locked failed: %s\n",
@@ -454,7 +452,7 @@ NTSTATUS g_lock_lock_recv(struct tevent_req *req)
return tevent_req_simple_recv_ntstatus(req);
}

-NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, TDB_DATA key,
enum g_lock_type type, struct timeval timeout)
{
TALLOC_CTX *frame = talloc_stackframe();
@@ -467,7 +465,7 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name,
if (ev == NULL) {
goto fail;
}
- req = g_lock_lock_send(frame, ev, ctx, name, type);
+ req = g_lock_lock_send(frame, ev, ctx, key, type);
if (req == NULL) {
goto fail;
}
@@ -485,7 +483,7 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name,
}

struct g_lock_unlock_state {
- const char *name;
+ TDB_DATA key;
struct server_id self;
NTSTATUS status;
};
@@ -503,7 +501,10 @@ static void g_lock_unlock_fn(struct db_record *rec,

ok = g_lock_parse(value.dptr, value.dsize, &lck);
if (!ok) {
- DBG_DEBUG("g_lock_get for %s failed\n", state->name);
+ DBG_DEBUG("g_lock_get for %s failed\n",
+ hex_encode_talloc(talloc_tos(),
+ state->key.dptr,
+ state->key.dsize));
state->status = NT_STATUS_FILE_INVALID;
return;
}
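Review bot: the debug message in g_lock_unlock_fn() now passes the result of hex_encode_talloc() straight to %s, and that call returns NULL when the allocation fails; keep the result in a local and fall back to a fixed string. The message text also still says "g_lock_get for %s failed" although the call that failed is g_lock_parse(). The same hex-encoding expression is repeated in g_lock_write_data_fn() and g_lock_dump_fn(), so a small static helper would keep the three sites in step.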
@@ -529,15 +530,14 @@ static void g_lock_unlock_fn(struct db_record *rec,
state->status = g_lock_store(rec, &lck, NULL);
}

-NTSTATUS g_lock_unlock(struct g_lock_ctx *ctx, const char *name)
+NTSTATUS g_lock_unlock(struct g_lock_ctx *ctx, TDB_DATA key)
{
struct g_lock_unlock_state state = {
- .self = messaging_server_id(ctx->msg), .name = name
+ .self = messaging_server_id(ctx->msg), .key = key
};
NTSTATUS status;

- status = dbwrap_do_locked(ctx->db, string_term_tdb_data(name),
- g_lock_unlock_fn, &state);
+ status = dbwrap_do_locked(ctx->db, key, g_lock_unlock_fn, &state);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("dbwrap_do_locked failed: %s\n",
nt_errstr(status));
@@ -553,7 +553,7 @@ NTSTATUS g_lock_unlock(struct g_lock_ctx *ctx, const char *name)
}

struct g_lock_write_data_state {
- const char *name;
+ TDB_DATA key;
struct server_id self;
const uint8_t *data;
size_t datalen;
@@ -573,7 +573,10 @@ static void g_lock_write_data_fn(struct db_record *rec,

ok = g_lock_parse(value.dptr, value.dsize, &lck);
if (!ok) {
- DBG_DEBUG("g_lock_parse for %s failed\n", state->name);
+ DBG_DEBUG("g_lock_parse for %s failed\n",
+ hex_encode_talloc(talloc_tos(),
+ state->key.dptr,
+ state->key.dsize));
state->status = NT_STATUS_INTERNAL_DB_CORRUPTION;
return;
}
@@ -596,16 +599,16 @@ static void g_lock_write_data_fn(struct db_record *rec,
state->status = g_lock_store(rec, &lck, NULL);
}

-NTSTATUS g_lock_write_data(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_write_data(struct g_lock_ctx *ctx, TDB_DATA key,
const uint8_t *buf, size_t buflen)
{
struct g_lock_write_data_state state = {
- .name = name, .self = messaging_server_id(ctx->msg),
+ .key = key, .self = messaging_server_id(ctx->msg),
.data = buf, .datalen = buflen
};
NTSTATUS status;

- status = dbwrap_do_locked(ctx->db, string_term_tdb_data(name),
+ status = dbwrap_do_locked(ctx->db, key,
g_lock_write_data_fn, &state);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("dbwrap_do_locked failed: %s\n",
@@ -622,7 +625,7 @@ NTSTATUS g_lock_write_data(struct g_lock_ctx *ctx, const char *name,
}

struct g_lock_locks_state {
- int (*fn)(const char *name, void *private_data);
+ int (*fn)(TDB_DATA key, void *private_data);
void *private_data;
};

@@ -632,15 +635,11 @@ static int g_lock_locks_fn(struct db_record *rec, void *priv)
struct g_lock_locks_state *state = (struct g_lock_locks_state *)priv;

key = dbwrap_record_get_key(rec);
- if ((key.dsize == 0) || (key.dptr[key.dsize-1] != 0)) {
- DEBUG(1, ("invalid key in g_lock.tdb, ignoring\n"));
- return 0;
- }
- return state->fn((char *)key.dptr, state->private_data);
+ return state->fn(key, state->private_data);
}

int g_lock_locks(struct g_lock_ctx *ctx,
- int (*fn)(const char *name, void *private_data),
+ int (*fn)(TDB_DATA key, void *private_data),
void *private_data)
{
struct g_lock_locks_state state;
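Review bot: g_lock_locks_fn() drops the check that rejected empty keys and keys without a trailing NUL, and now hands whatever is in the database to fn. Any callback that treats key.dptr as a C string, for example to print it with %s, has to do that check itself or it will read past the end of the record. Say so in the g_lock_locks() declaration in g_lock.h, and confirm that the converted callbacks in net_g_lock.c and test_g_lock.c, which are not visible in this truncated changeset, validate or hex-encode the key before using it.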
@@ -659,7 +658,7 @@ int g_lock_locks(struct g_lock_ctx *ctx,

struct g_lock_dump_state {
TALLOC_CTX *mem_ctx;
- const char *name;
+ TDB_DATA key;
void (*fn)(const struct g_lock_rec *locks,
size_t num_locks,
const uint8_t *data,
@@ -681,7 +680,9 @@ static void g_lock_dump_fn(TDB_DATA key, TDB_DATA data,
ok = g_lock_parse(data.dptr, data.dsize, &lck);
if (!ok) {
DBG_DEBUG("g_lock_parse failed for %s\n",
- state->name);
+ hex_encode_talloc(talloc_tos(),
+ state->key.dptr,
+ state->key.dsize));
state->status = NT_STATUS_INTERNAL_DB_CORRUPTION;
return;
}
@@ -705,7 +706,7 @@ static void g_lock_dump_fn(TDB_DATA key, TDB_DATA data,
state->status = NT_STATUS_OK;
}

-NTSTATUS g_lock_dump(struct g_lock_ctx *ctx, const char *name,
+NTSTATUS g_lock_dump(struct g_lock_ctx *ctx, TDB_DATA key,
void (*fn)(const struct g_lock_rec *locks,
size_t num_locks,
const uint8_t *data,
@@ -714,13 +715,12 @@ NTSTATUS g_lock_dump(struct g_lock_ctx *ctx, const char *name,
void *private_data)
{
struct g_lock_dump_state state = {
- .mem_ctx = ctx, .name = name,
+ .mem_ctx = ctx, .key = key,
.fn = fn, .private_data = private_data
};
NTSTATUS status;

- status = dbwrap_parse_record(ctx->db, string_term_tdb_data(name),
- g_lock_dump_fn, &state);
+ status = dbwrap_parse_record(ctx->db, key, g_lock_dump_fn, &state);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("dbwrap_parse_record returned %s\n",
nt_errstr(status));
@@ -770,7 +770,7 @@ fail:
return false;
}

-NTSTATUS g_lock_do(const char *name, enum g_lock_type lock_type,
+NTSTATUS g_lock_do(TDB_DATA key, enum g_lock_type lock_type,
struct timeval timeout,
void (*fn)(void *private_data), void *private_data)
{
@@ -784,12 +784,12 @@ NTSTATUS g_lock_do(const char *name, enum g_lock_type lock_type,
goto done;
}

- status = g_lock_lock(g_ctx, name, lock_type, timeout);
+ status = g_lock_lock(g_ctx, key, lock_type, timeout);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
fn(private_data);
- g_lock_unlock(g_ctx, name);
+ g_lock_unlock(g_ctx, key);

done:
TALLOC_FREE(g_ctx);
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 27e77e6..fd1b337 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -30,6 +30,7 @@
#include "libsmb/libsmb.h"
#include "source3/include/messages.h"
#include "source3/include/g_lock.h"
+#include "lib/util/util_tdb.h"

/*********************************************************
Change the domain password on the PDC.
@@ -44,7 +45,8 @@ struct trust_pw_change_state {

static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
{
- g_lock_unlock(state->g_ctx, state->g_lock_key);
+ g_lock_unlock(state->g_ctx,
+ string_term_tdb_data(state->g_lock_key));
return 0;
}

@@ -191,7 +193,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,

g_timeout = timeval_current_ofs(10, 0);
status = g_lock_lock(state->g_ctx,
- state->g_lock_key,
+ string_term_tdb_data(state->g_lock_key),
G_LOCK_WRITE, g_timeout);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("could not get g_lock on [%s]!\n",
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 79786d6..99baf9d 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1480,7 +1480,7 @@ static NTSTATUS smbd_claim_version(struct messaging_context *msg,
return NT_STATUS_UNSUCCESSFUL;
}

- status = g_lock_lock(ctx, name, G_LOCK_READ,
+ status = g_lock_lock(ctx, string_term_tdb_data(name), G_LOCK_READ,
(struct timeval) { .tv_sec = 60 });
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("g_lock_lock(G_LOCK_READ) failed: %s\n",
@@ -1491,11 +1491,12 @@ static NTSTATUS smbd_claim_version(struct messaging_context *msg,

state = (struct smbd_claim_version_state) { .mem_ctx = ctx };

- status = g_lock_dump(ctx, name, smbd_claim_version_parser, &state);
+ status = g_lock_dump(ctx, string_term_tdb_data(name),
+ smbd_claim_version_parser, &state);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
DBG_ERR("Could not read samba_version_string\n");
- g_lock_unlock(ctx, name);
+ g_lock_unlock(ctx, string_term_tdb_data(name));
TALLOC_FREE(ctx);
return status;
}
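
Review bot: smbd_claim_version now evaluates string_term_tdb_data(name) at every g_lock_* call, twice in this hunk and six times across the function. A single local such as `TDB_DATA key = string_term_tdb_data(name);` declared once would shorten these lines and make it obvious that the lock, dump, write and unlock calls all address the same record.
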
@@ -1509,7 +1510,7 @@ static NTSTATUS smbd_claim_version(struct messaging_context *msg,
return NT_STATUS_OK;
}

- status = g_lock_lock(ctx, name, G_LOCK_WRITE,
+ status = g_lock_lock(ctx, string_term_tdb_data(name), G_LOCK_WRITE,
(struct timeval) { .tv_sec = 60 });
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("g_lock_lock(G_LOCK_WRITE) failed: %s\n",
@@ -1520,7 +1521,8 @@ static NTSTATUS smbd_claim_version(struct messaging_context *msg,
return NT_STATUS_SXS_VERSION_CONFLICT;
}

- status = g_lock_write_data(ctx, name, (const uint8_t *)version,
+ status = g_lock_write_data(ctx, string_term_tdb_data(name),
+ (const uint8_t *)version,
strlen(version)+1);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("g_lock_write_data failed: %s\n",
@@ -1529,7 +1531,7 @@ static NTSTATUS smbd_claim_version(struct messaging_context *msg,
return status;
}

- status = g_lock_lock(ctx, name, G_LOCK_READ,
+ status = g_lock_lock(ctx, string_term_tdb_data(name), G_LOCK_READ,
(struct timeval) { .tv_sec = 60 });
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("g_lock_lock(G_LOCK_READ) failed: %s\n",
diff --git a/source3/torture/test_g_lock.c b/source3/torture/test_g_lock.c
index 718c196..43e699f 100644
--- a/source3/torture/test_g_lock.c
+++ b/source3/torture/test_g_lock.c
@@ -24,6 +24,7 @@
#include "messages.h"
#include "lib/util/server_id.h"
#include "lib/util/sys_rw.h"
+#include "lib/util/util_tdb.h"

static bool get_g_lock_ctx(TALLOC_CTX *mem_ctx,
struct tevent_context **ev,
@@ -67,7 +68,7 @@ bool run_g_lock1(int dummy)
goto fail;
}

- status = g_lock_lock(ctx, lockname, G_LOCK_READ,
+ status = g_lock_lock(ctx, string_term_tdb_data(lockname), G_LOCK_READ,
(struct timeval) { .tv_sec = 1 });
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "g_lock_lock failed: %s\n",
@@ -75,7 +76,7 @@ bool run_g_lock1(int dummy)
goto fail;
}

- status = g_lock_lock(ctx, lockname, G_LOCK_READ,
+ status = g_lock_lock(ctx, string_term_tdb_data(lockname), G_LOCK_READ,
(struct timeval) { .tv_sec = 1 });
if (!NT_STATUS_EQUAL(status, NT_STATUS_WAS_LOCKED)) {
fprintf(stderr, "Double lock got %s\n",
@@ -83,14 +84,14 @@ bool run_g_lock1(int dummy)
goto fail;
}

- status = g_lock_unlock(ctx, lockname);
+ status = g_lock_unlock(ctx, string_term_tdb_data(lockname));
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "g_lock_unlock failed: %s\n",
nt_errstr(status));
goto fail;
}

- status = g_lock_unlock(ctx, lockname);
+ status = g_lock_unlock(ctx, string_term_tdb_data(lockname));
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
fprintf(stderr, "g_lock_unlock returned: %s\n",
nt_errstr(status));
@@ -147,14 +148,15 @@ bool run_g_lock2(int dummy)
goto fail;
}

- status = g_lock_write_data(ctx, lockname, &data, sizeof(data));
+ status = g_lock_write_data(ctx, string_term_tdb_data(lockname),
+ &data, sizeof(data));
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_LOCKED)) {
fprintf(stderr, "unlocked g_lock_write_data returned %s\n",
nt_errstr(status));
goto fail;
}

- status = g_lock_lock(ctx, lockname, G_LOCK_WRITE,
+ status = g_lock_lock(ctx, string_term_tdb_data(lockname), G_LOCK_WRITE,
(struct timeval) { .tv_sec = 1 });
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr, "g_lock_lock returned %s\n",
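
Review bot: every call in run_g_lock1 and run_g_lock2 still derives its key from lockname through string_term_tdb_data(), so the tests never pass a key that the old const char * interface could not have expressed. Now that the API takes TDB_DATA, add a case with a non-string key (for example one containing an embedded NUL byte) that goes through lock, write and unlock.
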
@@ -162,21 +164,23 @@ bool run_g_lock2(int dummy)
--
Samba Shared Repository
Andrew Bartlett
2018-02-09 11:35:03 UTC
The branch, master has been updated
via cefb41b sambatool drs showrepl: prefer self over ctx in python classes
via f6f1929 samba-tool rodc: consistently use self.outf, not stdout
via 055b730 subunit.run: report failure in process return code
via d8aa50b python samdb.newuser(): use user DN not samaccountname to set password
via a43dbb9 tests/samba_tool user virtualCryptSHA: remove unused py3 incompatible import
via 0e912a7 tests/password_hash: avoid py3-incompatible md5 module
via 57784b4 tests/samba-tool user_wdigest: avoid py3-incompatible md5 module
via 5a483bc lib/crypto/REQUIREMENTS: DRSUAPI replication replicated secrets was missing from the RC4 section
from be3c8d0 lib: Make g_lock_locks use TDB_DATA

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cefb41b0edb273a0095e5bda85c9ce5cc3208fa3
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 1 16:08:34 2018 +1300

sambatool drs showrepl: prefer self over ctx in python classes

and the line length too.

(Now only python/samba/join.py uses ctx for self, but at least it does
it consistently. This was the only ctx function in the class).

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Fri Feb 9 12:34:06 CET 2018 on sn-devel-144

commit f6f192934c8d170b1786eb2fd09560b7e02b50d4
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 1 15:28:28 2018 +1300

samba-tool rodc: consistently use self.outf, not stdout

This increases the output of some commands from the point of view of
tests which read the outf, so we also need to change those tests a
bit.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 055b7308d252d3b1501f61884defcd5bbe91049e
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 9 09:51:54 2018 +1300

subunit.run: report failure in process return code

The protocol requires that the TestResult object remembers when it has failed, but
in subclassing unittest.TestResult we forgot to ensure this is true.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d8aa50b217b16b7e809fa5d59b6240a5671e86b8
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 2 10:35:25 2018 +1300

python samdb.newuser(): use user DN not samaccountname to set password

This is noticeably faster in cases (e.g. tests) where the same user
is added and deleted many times.

The reason is samaccountname is retained for deleted objects, so the
search finds multiple objects that need to be filtered out internally.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a43dbb93ffa47c2c39e7bb1d89f3f93941b9e566
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 1 12:02:29 2018 +1300

tests/samba_tool user virtualCryptSHA: remove unused py3 incompatible import

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 0e912a7303bdc859175a6a65106b63d404f85684
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 1 12:01:10 2018 +1300

tests/password_hash: avoid py3-incompatible md5 module

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 57784b41c1245397b1d8eaabdff0553f205b5231
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 1 11:56:06 2018 +1300

tests/samba-tool user_wdigest: avoid py3-incompatible md5 module

In Python3, the md5 and sha modules are gone, but the functions are
available via hashlib (which is also in python 2.5+).

The md5.hexdigest() does what binascii.hexlify(md5.digest()) does.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 5a483bc0d1d1daf68999c397a0094631fadacc40
Author: Andrew Bartlett <***@samba.org>
Date: Fri Feb 9 16:51:22 2018 +1300

lib/crypto/REQUIREMENTS: DRSUAPI replication replicated secrets was missing from the RC4 section

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
lib/crypto/REQUIREMENTS | 1 +
python/samba/netcmd/drs.py | 5 +++--
python/samba/netcmd/rodc.py | 4 ++--
python/samba/samdb.py | 4 +++-
python/samba/subunit/run.py | 7 +++++++
python/samba/tests/password_hash.py | 4 ++--
python/samba/tests/samba_tool/rodc.py | 7 +++++--
python/samba/tests/samba_tool/user_virtualCryptSHA.py | 2 --
python/samba/tests/samba_tool/user_wdigest.py | 6 ++----
9 files changed, 25 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/crypto/REQUIREMENTS b/lib/crypto/REQUIREMENTS
index 3cd8a15..ff91a2f 100644
--- a/lib/crypto/REQUIREMENTS
+++ b/lib/crypto/REQUIREMENTS
@@ -16,6 +16,7 @@ ARCFOUR (RC4)
- Password encryption on SAMR for password set/get
- NETLOGON SamLogon session keys
- Schannel
+ - DRSUAPI replication replicated secrets

# GNUTLS >= 3.0.0
# NETTLE
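
Review bot: the added entry "- DRSUAPI replication replicated secrets" repeats itself ("replication replicated"). A wording such as "DRSUAPI replication of secrets" would read more clearly next to the other entries in the ARCFOUR (RC4) list.
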
diff --git a/python/samba/netcmd/drs.py b/python/samba/netcmd/drs.py
index e1886b9..0ccbf9a 100644
--- a/python/samba/netcmd/drs.py
+++ b/python/samba/netcmd/drs.py
@@ -112,13 +112,14 @@ class cmd_drs_showrepl(Command):
self.message("\t\tLast success @ %s" % nttime2string(n.last_success))
self.message("")

- def drsuapi_ReplicaInfo(ctx, info_type):
+ def drsuapi_ReplicaInfo(self, info_type):
'''call a DsReplicaInfo'''

req1 = drsuapi.DsReplicaGetInfoRequest1()
req1.info_type = info_type
try:
- (info_type, info) = ctx.drsuapi.DsReplicaGetInfo(ctx.drsuapi_handle, 1, req1)
+ (info_type, info) = self.drsuapi.DsReplicaGetInfo(
+ self.drsuapi_handle, 1, req1)
except Exception, e:
raise CommandError("DsReplicaGetInfo of type %u failed" % info_type, e)
return (info_type, info)
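
Review bot: the context line `except Exception, e:` directly below the rewrapped DsReplicaGetInfo call is Python 2 only syntax and is left untouched while drsuapi_ReplicaInfo is being cleaned up. `except Exception as e:` is accepted by Python 2.6+ and Python 3 and fits the py3 clean-ups elsewhere in this push.
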
diff --git a/python/samba/netcmd/rodc.py b/python/samba/netcmd/rodc.py
index 41a7a85..533f944 100644
--- a/python/samba/netcmd/rodc.py
+++ b/python/samba/netcmd/rodc.py
@@ -149,9 +149,9 @@ class cmd_rodc_preload(Command):
local_samdb.transaction_commit()

if len(errors) > 0:
- print "\nPreload encountered problematic users:"
+ self.message("\nPreload encountered problematic users:")
for error in errors:
- print " %s" % error
+ self.message(" %s" % error)


class cmd_rodc(SuperCommand):
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index d1048a7..7f52a5e 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -459,7 +459,9 @@ member: %s

# Sets the password for it
if setpassword:
- self.setpassword("(samAccountName=%s)" % ldb.binary_encode(username), password,
+ self.setpassword(("(distinguishedName=%s)" %
+ ldb.binary_encode(user_dn)),
+ password,
force_password_change_at_next_login_req)
except:
self.transaction_cancel()
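
Review bot: the comment "# Sets the password for it" above the new setpassword() call does not say why the filter is now "(distinguishedName=%s)" instead of samAccountName. The rationale (deleted objects keep their samaccountname, so that search matches several objects) lives only in the commit message; a one-line comment at this call would keep someone from reverting to the shorter filter.
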
diff --git a/python/samba/subunit/run.py b/python/samba/subunit/run.py
index efaeef9..bb598b4 100755
--- a/python/samba/subunit/run.py
+++ b/python/samba/subunit/run.py
@@ -94,6 +94,10 @@ class TestProtocolClient(unittest.TestResult):
def __init__(self, stream):
unittest.TestResult.__init__(self)
self._stream = stream
+ self.failed = False
+
+ def wasSuccessful(self):
+ return not self.failed

def addError(self, test, error=None):
"""Report an error in test test.
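
Review bot: the new wasSuccessful() has no docstring, unlike the neighbouring methods of TestProtocolClient, and self.failed has to be set by hand in addError, addFailure and addUnexpectedSuccess. Setting the flag inside _addOutcome for the "error", "failure" and "uxsuccess" outcomes would keep it in one place, and a short docstring should state that this overrides unittest.TestResult.wasSuccessful.
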
@@ -102,6 +106,7 @@ class TestProtocolClient(unittest.TestResult):
exc_info tuple.
"""
self._addOutcome("error", test, error=error)
+ self.failed = True

def addExpectedFailure(self, test, error=None):
"""Report an expected failure in test test.
@@ -118,6 +123,7 @@ class TestProtocolClient(unittest.TestResult):
exc_info tuple.
"""
self._addOutcome("failure", test, error=error)
+ self.failed = True

def _addOutcome(self, outcome, test, error=None, error_permitted=True):
"""Report a failure in test test.
@@ -161,6 +167,7 @@ class TestProtocolClient(unittest.TestResult):
"""Report an unexpected success in test test.
"""
self._addOutcome("uxsuccess", test, error_permitted=False)
+ self.failed = True

def startTest(self, test):
"""Mark a test as starting its test run."""
diff --git a/python/samba/tests/password_hash.py b/python/samba/tests/password_hash.py
index 611983e..a3a74aa 100644
--- a/python/samba/tests/password_hash.py
+++ b/python/samba/tests/password_hash.py
@@ -32,7 +32,7 @@ from samba.tests import delete_force
import ldb
import samba
import binascii
-import md5
+from hashlib import md5
import crypt


@@ -60,7 +60,7 @@ def get_package(sc, name):
def calc_digest(user, realm, password):

data = "%s:%s:%s" % (user, realm, password)
- return binascii.hexlify(md5.new(data).digest())
+ return md5(data).hexdigest()


class PassWordHashTests(TestCase):
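
Review bot: in calc_digest, md5(data) receives data built by "%s:%s:%s" % (user, realm, password), which is a text string; hashlib.md5 on Python 3 accepts only bytes, so this line raises TypeError there. Encode before hashing, e.g. md5(data.encode('utf8')).hexdigest(), and check the comparisons that consume the result, since hexdigest() returns str where binascii.hexlify() returns bytes on Python 3.
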
diff --git a/python/samba/tests/samba_tool/rodc.py b/python/samba/tests/samba_tool/rodc.py
index 4851a53..870b5d4 100644
--- a/python/samba/tests/samba_tool/rodc.py
+++ b/python/samba/tests/samba_tool/rodc.py
@@ -104,7 +104,8 @@ class RodcCmdTestCase(SambaToolCmdTest):
"--server", os.environ["DC_SERVER"],
"--ignore-errors")
self.assertCmdSuccess(result, out, err, "ensuring rodc prefetch ran successfully")
- self.assertEqual(out, "Replicating DN CN=sambatool5,CN=Users,%s\n" % self.base_dn)
+ self.assertTrue(out.startswith("Replicating DN CN=sambatool5,CN=Users,%s\n"
+ % self.base_dn))

def test_multi_with_missing_name_failure(self):
(result, out, err) = self.runsubcmd("rodc", "preload",
@@ -119,7 +120,9 @@ class RodcCmdTestCase(SambaToolCmdTest):
"--server", os.environ["DC_SERVER"],
"--ignore-errors")
self.assertCmdSuccess(result, out, err, "ensuring rodc prefetch ran successfully")
- self.assertEqual(out, "Replicating DN CN=sambatool6,CN=Users,%s\nReplicating DN CN=sambatool5,CN=Users,%s\n" % (self.base_dn, self.base_dn))
+ self.assertTrue(out.startswith("Replicating DN CN=sambatool6,CN=Users,%s\n"
+ "Replicating DN CN=sambatool5,CN=Users,%s\n"
+ % (self.base_dn, self.base_dn)))

def test_multi_without_group_failure(self):
(result, out, err) = self.runsubcmd("rodc", "preload",
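
Review bot: replacing assertEqual with assertTrue(out.startswith(...)) means anything printed after the "Replicating DN" lines is accepted unchecked, and a failure no longer shows the actual output. If the extra text is the "Preload encountered problematic users" block that now goes through self.message, assert on it explicitly, or at least pass out as the msg argument to assertTrue.
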
diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA.py b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
index 909de37..3edf1a4 100644
--- a/python/samba/tests/samba_tool/user_virtualCryptSHA.py
+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA.py
@@ -28,8 +28,6 @@ from samba.auth import system_session
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs
from samba import dsdb
-import binascii
-import md5
import re
import random
import string
diff --git a/python/samba/tests/samba_tool/user_wdigest.py b/python/samba/tests/samba_tool/user_wdigest.py
index b531ad0..497855c 100644
--- a/python/samba/tests/samba_tool/user_wdigest.py
+++ b/python/samba/tests/samba_tool/user_wdigest.py
@@ -30,8 +30,7 @@ from samba import (
)
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs
-import binascii
-import md5
+from hashlib import md5
import re
import random
import string
@@ -47,8 +46,7 @@ USER_PASS = ''.join(random.choice(string.ascii_uppercase +
#
def calc_digest(user, realm, password):
data = "%s:%s:%s" % (user, realm, password)
- return "%s:%s:%s" % (user, realm, binascii.hexlify(md5.new(data).digest()))
-
+ return "%s:%s:%s" % (user, realm, md5(data).hexdigest())


class UserCmdWdigestTestCase(SambaToolCmdTest):
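
Review bot: calc_digest here builds the same user:realm:password MD5 as calc_digest in python/samba/tests/password_hash.py, differing only in the "user:realm:" prefix on the returned value, and both had to be edited the same way in this commit. Moving the shared hashing into one helper that both test modules import would avoid fixing the same line twice next time.
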
--
Samba Shared Repository
Ralph Böhme
2018-02-10 12:09:02 UTC
The branch, master has been updated
via 597e755 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted
via 8422c00 winbindd: rename winbindd_pam_auth_pac_send and let it return validation
via 5444cc4 winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
via 5ce3cb2 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
via 42e4453 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
via 021d75f winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
via 2b01818 s3/rpc_client: add map_info6_to_validation()
via d4ba23f s3/auth: add create_info6_from_pac()
via e1ba819 s4/auth_winbind: ask for validation level 6
via 1a98573 winbindd: allow validation level 6 in winbind_SamLogon
via 60aa5e7 s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
via b60c634 winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
via d76bcdb winbindd: handle interactive logons in _winbind_SamLogon()
via 8c6c47a winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
via 2268f1c winbindd: add a comment to a parameter in _winbind_SamLogon()
via d1c3676 winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
via be26a47 s3/rpc_client: add rpccli_netlogon_interactive_logon()
via 2ee2551 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
via 8b0e1a7 wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
via b112cbc winbindd: fix debug message in find_default_route_domain() on a DC
via 6151909 s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition
via 9f96ede winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
via ffa9eb7 s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
via d8e4e7c winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
via 4274ef6 winbindd: move loading of trusted domains on a DC to a seperate function
via 728fb7c winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
via 7fc1974 s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
via 8b7bf6d winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
via af9a37a winbindd: prepare find_auth_domain() transitive trusts on a DC
via c5bd18c winbindd: remove const from set_routing_domain()
via 70bb9c2 winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
via 7329706 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
via fe47041 s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
via 9a613f4 winbindd: add routing_domain as parameter to add_trusted_domain
via 9fef5d1 winbindd: add missing can_do_ncacn_ip_tcp initialisation
via 1918a87 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
via 53484d0 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
from cefb41b sambatool drs showrepl: prefer self over ctx in python classes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 597e755328940fc964b861333b557b0650666b24
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 23:13:12 2018 +0100

winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144

commit 8422c001bec169a73657b1d638ec8ec4c35c243a
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Feb 9 08:38:18 2018 +0100

winbindd: rename winbindd_pam_auth_pac_send and let it return validation

Just a preparational step. The next commit will update the caller to
make use of the validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5444cc4e7ed8ea0c063110f3b78f360d91b0b0a5
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 23:10:42 2018 +0100

winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()

winbindd_pam_auth_crap_recv() should not have any real logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5ce3cb2fb468d8798980b49d84568782becf25ea
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 23:02:26 2018 +0100

winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC

This way we don't lose the DNS info and UPN. A subsequent commit will
let winbindd_pam_auth_pac_send() return the full validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 42e445396881c5b6651a0dde0abde3d6bb0740bf
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 22:00:35 2018 +0100

winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 021d75fb223630d06a256a605659abda9ece853f
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 21:34:46 2018 +0100

winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()

This way we don't lose dns_domain_name and user principal.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 2b0181877806f171eee053c246dcb2eda2300261
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 21:32:53 2018 +0100

s3/rpc_client: add map_info6_to_validation()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit d4ba23fd353ad387a374a5d7f6f6d085a0699d2c
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 21:32:25 2018 +0100

s3/auth: add create_info6_from_pac()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit e1ba81996033e7c2cfeba13124ee7f404ded2031
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 17:58:07 2018 +0100

s4/auth_winbind: ask for validation level 6

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 1a9857369d2fae08fefef613cf6cbd3354092a4a
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 17:57:37 2018 +0100

winbindd: allow validation level 6 in winbind_SamLogon

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 60aa5e7657608c1a5519c03e690cce58efd67abd
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 17:53:49 2018 +0100

s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b60c634123ee00021efc5b5aaa03e1663474d3da
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Feb 2 15:24:00 2018 +0100

winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx

A lot of callers require a valid schannel connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit d76bcdb0854cff9b08010d47469fd48324d902bc
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 17:39:15 2018 +0100

winbindd: handle interactive logons in _winbind_SamLogon()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 8c6c47aec0e91ab3944bea5f6eda8072f5db959d
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 17:37:54 2018 +0100

winbindd: pass 'bool interactive' to winbind_dual_SamLogon()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 2268f1c0dd1e8543c126553f80d94e80a1e32487
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Feb 8 17:23:49 2018 +0100

winbindd: add a comment to a parameter in _winbind_SamLogon()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit d1c3676197032487505e9069c0655427b5fd385c
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 16:36:45 2018 +0100

winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()

We need to handle 4 cases:

plaintext_given=true interactive=true
plaintext_given=false interactive=true
plaintext_given=true interactive=false
plaintext_given=false interactive=false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit be26a472ae082d612f9aec28c932d25e2317f9ba
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Feb 9 16:15:18 2018 +0100

s3/rpc_client: add rpccli_netlogon_interactive_logon()

This will be used in a subsequent commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 2ee2551409e0bd0cd5bf130cc1e3736e58b8c14d
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Jan 23 23:19:32 2018 +0100

winbindd: add_trusted_domain_from_auth() should not use dns_name = ""

Check whether the DNS domain name in the info6 struct is actually more
than just an empty string. If it is we want to call add_trusted_domain()
with NULL as DNS domain name argument.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 8b0e1a77ae5f7ef6d8db9a05718afa8d472a971b
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Feb 4 22:48:01 2018 +0100

wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13256

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b112cbc2462edf810473026c133b0802d1e18468
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 31 08:22:07 2018 +0100

winbindd: fix debug message in find_default_route_domain() on a DC

As we don't support multiple domains in a forest yet,
we don't need to print a warning at log level 0.

This also adds a missing \n.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6151909c823016417f863c22e77c8a136f3fbb95
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 16:35:52 2018 +0100

s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 9f96ede6f500cc1a7c76e67ee785b44a99244d0d
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 16:35:13 2018 +0100

winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS

This reflects the new implementation in winbindd.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ffa9eb7d6453eb6c6f3a50ad72288d3891361752
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 11:32:30 2018 +0100

s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN

winbindd doesn't use that data anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit d8e4e7cae57eb192c6fcab6b9aef95fb10eeb5a8
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 11:30:53 2018 +0100

winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 4274ef681bf3b974ce99b8f21fda3a86a5b305bc
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 11:28:20 2018 +0100

winbindd: move loading of trusted domains on a DC to a seperate function

This allows using the split out function in a subsequent commit in the
MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 728fb7c593230abeb681854d924e4619d6f4cf37
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 13:02:04 2018 +0100

winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 7fc19747ef346df9cc72bb516b45a8309f462dd8
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:57:11 2018 +0100

s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 8b7bf6d4d81cde099d78cd9cc03aa085cec672d4
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:06:50 2018 +0100

winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit af9a37aa1925a18709365ceb93460d8ae0f66f51
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:06:50 2018 +0100

winbindd: prepare find_auth_domain() transitive trusts on a DC

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c5bd18c0021b428c669dbbc35f65a3d436b4add5
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:03:11 2018 +0100

winbindd: remove const from set_routing_domain()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 70bb9c27cf8c464d5af79acbe11a0d2d0e20f5a8
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:02:05 2018 +0100

winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 7329706a037fef75e8ced63bfb7ab93b64482eda
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 12:00:19 2018 +0100

s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit fe47041b4bf8d2ef6f6f9ba15a80038f1c60da3f
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 11:58:31 2018 +0100

s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 9a613f4bccf171c40ede3e6ead9236463fcc5883
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 18 08:38:59 2018 +0100

winbindd: add routing_domain as parameter to add_trusted_domain

This also fixes the following CIDs:

CID 1427622: Null pointer dereferences (REVERSE_INULL)
CID 1427619: Null pointer dereferences (REVERSE_INULL)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 9fef5d1891e6c1aebea29fbfbb90e77631b7836c
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 14:30:48 2018 +0100

winbindd: add missing can_do_ncacn_ip_tcp initialisation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 1918a870c38c29bd3a05cd3f660ffe6623121bf3
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 14:30:12 2018 +0100

winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 53484d0d98475f55ae3bd02e1a86b9c45b20e33d
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 15 14:24:47 2018 +0100

winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
librpc/idl/messaging.idl | 2 +-
nsswitch/wbinfo.c | 13 +-
source3/auth/proto.h | 4 +
source3/auth/server_info.c | 56 +++
source3/rpc_client/cli_lsarpc.c | 10 +-
source3/rpc_client/cli_lsarpc.h | 1 +
source3/rpc_client/cli_netlogon.c | 131 ++++++-
source3/rpc_client/cli_netlogon.h | 16 +
source3/rpc_client/util_netlogon.c | 171 +++++++++
source3/rpc_client/util_netlogon.h | 11 +
source3/winbindd/winbindd.h | 3 +-
source3/winbindd/winbindd_cm.c | 59 ++--
source3/winbindd/winbindd_dual.c | 7 +-
source3/winbindd/winbindd_dual_srv.c | 182 +++++++---
source3/winbindd/winbindd_msrpc.c | 63 +++-
source3/winbindd/winbindd_pam.c | 248 ++++++++-----
source3/winbindd/winbindd_pam_auth_crap.c | 106 +++---
source3/winbindd/winbindd_proto.h | 12 +-
source3/winbindd/winbindd_util.c | 556 ++++++++++++++----------------
source4/auth/ntlm/auth_winbind.c | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 28 +-
21 files changed, 1163 insertions(+), 518 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl
index 37f8fcc..b35f1e1 100644
--- a/librpc/idl/messaging.idl
+++ b/librpc/idl/messaging.idl
@@ -123,7 +123,7 @@ interface messaging
MSG_WINBIND_IP_DROPPED = 0x040A,
MSG_WINBIND_DOMAIN_ONLINE = 0x040B,
MSG_WINBIND_DOMAIN_OFFLINE = 0x040C,
- MSG_WINBIND_NEW_TRUSTED_DOMAIN = 0x040D,
+ MSG_WINBIND_RELOAD_TRUSTED_DOMAINS = 0x040D,

/* event messages */
MSG_DUMP_EVENT_LIST = 0x0500,
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 54d5758..82863c2 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1798,13 +1798,22 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
if (use_ntlmv2) {
DATA_BLOB server_chal;
DATA_BLOB names_blob;
+ const char *netbios_name = NULL;
+ const char *domain = NULL;
+
+ netbios_name = get_winbind_netbios_name(),
+ domain = get_winbind_domain();
+ if (domain == NULL) {
+ d_fprintf(stderr, "Failed to get domain from winbindd\n");
+ return false;
+ }

server_chal = data_blob(params.password.response.challenge, 8);

/* Pretend this is a login to 'us', for blob purposes */
names_blob = NTLMv2_generate_names_blob(NULL,
- get_winbind_netbios_name(),
- get_winbind_domain());
+ netbios_name,
+ domain);

if (pass != NULL &&
!SMBNTLMv2encrypt(NULL, name_user, name_domain, pass,
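Review bot: The added assignment `netbios_name = get_winbind_netbios_name(),` ends in a comma rather than a semicolon, so it and the following `domain = get_winbind_domain();` form one comma expression. The behaviour is the same, but it reads like a typo and should be `;`. Also, only `domain` is checked for NULL before both values are passed to NTLMv2_generate_names_blob(); if get_winbind_netbios_name() can fail in the same way, `netbios_name` needs the same check and error message.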
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index e774670..ca851c2 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -312,6 +312,10 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
const struct PAC_LOGON_INFO *logon_info,
struct netr_SamInfo3 **pp_info3);
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ const struct PAC_UPN_DNS_INFO *upn_dns_info,
+ struct netr_SamInfo6 **pp_info6);
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
const char *login_server,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 7898175..339cce6 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -363,6 +363,62 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
}

/*
+ * Create a copy of an info6 struct from the PAC_UPN_DNS_INFO and PAC_LOGON_INFO
+ * then merge resource SIDs, if any, into it. If successful return the created
+ * info6 struct.
+ */
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ const struct PAC_UPN_DNS_INFO *upn_dns_info,
+ struct netr_SamInfo6 **pp_info6)
+{
+ NTSTATUS status;
+ struct netr_SamInfo6 *info6 = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+
+ info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+ if (info6 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = copy_netr_SamInfo3(info6,
+ &logon_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info6);
+ return status;
+ }
+
+ status = merge_resource_sids(logon_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info6);
+ return status;
+ }
+
+ info6->base = info3->base;
+ info6->sids = info3->sids;
+ info6->sidcount = info3->sidcount;
+
+ if (upn_dns_info != NULL) {
+ info6->dns_domainname.string = talloc_strdup(info6,
+ upn_dns_info->dns_domain_name);
+ if (info6->dns_domainname.string == NULL) {
+ TALLOC_FREE(info6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ info6->principal_name.string = talloc_strdup(info6,
+ upn_dns_info->upn_name);
+ if (info6->principal_name.string == NULL) {
+ TALLOC_FREE(info6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *pp_info6 = info6;
+ return NT_STATUS_OK;
+}
+
+/*
* Check if this is a "Unix Users" domain user, or a
* "Unix Groups" domain group, we need to handle it
* in a special way if that's the case.
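Review bot: In the `upn_dns_info != NULL` branch of create_info6_from_pac(), `upn_dns_info->dns_domain_name` and `upn_dns_info->upn_name` go to talloc_strdup() unconditionally, and talloc_strdup() returns NULL for a NULL input, so if either string can be unset the conversion fails with NT_STATUS_NO_MEMORY. copy_netr_SamInfo6(), added in this same push, guards each string with `!= NULL` before duplicating it; applying the same guard here would keep a missing name from being reported as an allocation failure. The header comment could also say that `*pp_info6` is left untouched on error.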
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 41c1ef4..65c6ca0 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -172,6 +172,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char **domains,
char **names,
enum lsa_SidType *types,
@@ -183,7 +184,6 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
struct lsa_SidArray sid_array;
struct lsa_RefDomainList *ref_domains = NULL;
struct lsa_TransNameArray lsa_names;
- enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
uint32_t count = 0;
int i;

@@ -348,6 +348,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char ***pdomains,
char ***pnames,
enum lsa_SidType **ptypes,
@@ -414,6 +415,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
pol,
hunk_num_sids,
hunk_sids,
+ level,
hunk_domains,
hunk_names,
hunk_types,
@@ -489,11 +491,13 @@ NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h,
enum lsa_SidType **ptypes,
NTSTATUS *result)
{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
return dcerpc_lsa_lookup_sids_generic(h,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
@@ -512,12 +516,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;

status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
@@ -540,11 +546,13 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h,
enum lsa_SidType **ptypes,
NTSTATUS *result)
{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
return dcerpc_lsa_lookup_sids_generic(h,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h
index 4f9464d..f716b04 100644
--- a/source3/rpc_client/cli_lsarpc.h
+++ b/source3/rpc_client/cli_lsarpc.h
@@ -130,6 +130,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char ***pdomains,
char ***pnames,
enum lsa_SidType **ptypes,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 800b995..2aa0f5e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -490,7 +490,8 @@ NTSTATUS rpccli_netlogon_password_logon(
/* Initialise input parameters */

switch (logon_type) {
- case NetlogonInteractiveInformation: {
+ case NetlogonInteractiveInformation:
+ case NetlogonInteractiveTransitiveInformation: {

struct netr_PasswordInfo *password_info;

@@ -519,7 +520,8 @@ NTSTATUS rpccli_netlogon_password_logon(

break;
}
- case NetlogonNetworkInformation: {
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation: {
struct netr_NetworkInfo *network_info;
uint8_t chal[8];
unsigned char local_lm_response[24];
@@ -608,6 +610,7 @@ NTSTATUS rpccli_netlogon_network_logon(
const uint8_t chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
+ enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
uint16_t *_validation_level,
@@ -627,6 +630,16 @@ NTSTATUS rpccli_netlogon_network_logon(
ZERO_STRUCT(lm);
ZERO_STRUCT(nt);

+ switch (logon_type) {
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ break;
+ default:
+ DEBUG(0, ("switch value %d not supported\n",
+ logon_type));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
logon = talloc_zero(mem_ctx, union netr_LogonLevel);
if (!logon) {
return NT_STATUS_NO_MEMORY;
@@ -672,7 +685,117 @@ NTSTATUS rpccli_netlogon_network_logon(

status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
binding_handle,
- NetlogonNetworkInformation,
+ logon_type,
+ logon,
+ mem_ctx,
+ &validation_level,
+ &validation,
+ authoritative,
+ flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_validation_level = validation_level;
+ *_validation = validation;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS rpccli_netlogon_interactive_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ DATA_BLOB lm_hash,
+ DATA_BLOB nt_hash,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+ const char *workstation_name_slash;
+ union netr_LogonLevel *logon = NULL;
+ struct netr_PasswordInfo *password_info = NULL;
+ uint16_t validation_level = 0;
+ union netr_Validation *validation = NULL;
+ struct netr_ChallengeResponse lm;
+ struct netr_ChallengeResponse nt;
+
+ *_validation = NULL;
+
+ ZERO_STRUCT(lm);
+ ZERO_STRUCT(nt);
+
+ switch (logon_type) {
+ case NetlogonInteractiveInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ break;
+ default:
+ DEBUG(0, ("switch value %d not supported\n",
+ logon_type));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+ if (logon == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ password_info = talloc_zero(logon, struct netr_PasswordInfo);
+ if (password_info == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (workstation[0] != '\\' && workstation[1] != '\\') {
+ workstation_name_slash = talloc_asprintf(frame, "\\\\%s", workstation);
+ } else {
+ workstation_name_slash = workstation;
+ }
+
+ if (workstation_name_slash == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Initialise input parameters */
+
+ password_info->identity_info.domain_name.string = domain;
+ password_info->identity_info.parameter_control = logon_parameters;
+ password_info->identity_info.logon_id_low = 0xdead;
+ password_info->identity_info.logon_id_high = 0xbeef;
+ password_info->identity_info.account_name.string = username;
+ password_info->identity_info.workstation.string = workstation_name_slash;
+
+ if (nt_hash.length != sizeof(password_info->ntpassword.hash)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ memcpy(password_info->ntpassword.hash, nt_hash.data, nt_hash.length);
+ if (lm_hash.length != 0) {
+ if (lm_hash.length != sizeof(password_info->lmpassword.hash)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ memcpy(password_info->lmpassword.hash, lm_hash.data, lm_hash.length);
+ }
+
+ logon->password = password_info;
+
+ /* Marshall data and send request */
+
+ status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
+ binding_handle,
+ logon_type,
logon,
mem_ctx,
&validation_level,
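Review bot: In rpccli_netlogon_interactive_logon(), the test `workstation[0] != '\\' && workstation[1] != '\\'` reads workstation[1] even when workstation is an empty string, and workstation is never checked for NULL; it also skips the prefix when only one of the first two characters is a backslash. Rejecting NULL up front and testing for the two-backslash prefix explicitly, for example with strncmp(workstation, "\\\\", 2), would cover those cases. Separately, `logon` is allocated on mem_ctx but is not returned, so it stays on the caller's context on every return path while only `frame` is freed; allocating it on `frame` would release it. The locals `lm` and `nt` are zeroed but not used in the lines shown and can be dropped.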
@@ -680,11 +803,13 @@ NTSTATUS rpccli_netlogon_network_logon(
authoritative,
flags);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}

*_validation_level = validation_level;
*_validation = validation;

+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d31bdee..d0232b5 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -84,6 +84,22 @@ NTSTATUS rpccli_netlogon_network_logon(
const uint8_t chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);
+NTSTATUS rpccli_netlogon_interactive_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ DATA_BLOB lm_hash,
+ DATA_BLOB nt_hash,
+ enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
uint16_t *_validation_level,
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 15c769f..2d73bc9 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -190,6 +190,152 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}

+NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo6 *in,
+ struct netr_SamInfo6 **pout)
+{
+ struct netr_SamInfo6 *info6 = NULL;
+ unsigned int i;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+ if (info6 == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ status = copy_netr_SamBaseInfo(info6, &in->base, &info6->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ if (in->sidcount) {
+ info6->sidcount = in->sidcount;
+ info6->sids = talloc_array(info6, struct netr_SidAttr,
+ in->sidcount);
+ if (info6->sids == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ for (i = 0; i < in->sidcount; i++) {
+ info6->sids[i].sid = dom_sid_dup(info6->sids,
+ in->sids[i].sid);
+ if (info6->sids[i].sid == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ info6->sids[i].attributes = in->sids[i].attributes;
+ }
+ }
+
+ if (in->dns_domainname.string != NULL) {
+ info6->dns_domainname.string = talloc_strdup(info6,
+ in->dns_domainname.string);
+ if (info6->dns_domainname.string == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ if (in->principal_name.string != NULL) {
+ info6->principal_name.string = talloc_strdup(info6,
+ in->principal_name.string);
+ if (info6->principal_name.string == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ *pout = info6;
+ info6 = NULL;
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(info6);
+ return status;
+}
+
+NTSTATUS map_validation_to_info6(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
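Review bot: The copy loop in copy_netr_SamInfo6() indexes `in->sids[i]` for every `i < in->sidcount` without checking that `in->sids` is non-NULL, so it trusts the count and the pointer to be consistent. A check such as `if (in->sidcount != 0 && in->sids == NULL)` returning NT_STATUS_INVALID_PARAMETER before the allocation would make that assumption explicit. The function also has no comment describing ownership of `*pout` (allocated on mem_ctx, untouched on failure), unlike create_info6_from_pac() in the same push.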
--
Samba Shared Repository
Andrew Bartlett
2018-02-12 04:22:02 UTC
The branch, master has been updated
via cb920dd tests/samba-tool user wdigest: fix a flapping test
via 72a8152 tests: SambaToolCmdTest.assertMatch() indicates what was asserted
from 597e755 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cb920dd8732af30a7f74d5b492ea6ddfc2adfcbd
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 9 23:09:41 2018 +1300

tests/samba-tool user wdigest: fix a flapping test

The output of something like

samba-tool user getpassword $USER --attributes virtualWDigest01

contains an LDIF section with long strings folded on the 77th column.

To unfold this LDIF we were using:

result = re.sub(r"\n\s*", '', out)

which worked fine EXCEPT when a space in the output happened to land
immediately after the fold and got eaten by the \s*.

Instead we remove just a single space after the line break, because
that is always what fold_string() in lib/ldb/common/ldb_ldif.c
inserts, and for this simple replacement we don't need the re module.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Feb 12 05:21:01 CET 2018 on sn-devel-144

commit 72a81529aa13ac34a6dc1b1cdc37d1329af48ffe
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 9 14:29:43 2018 +1300

tests: SambaToolCmdTest.assertMatch() indicates what was asserted

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/tests/samba_tool/base.py | 12 +++++++++++-
python/samba/tests/samba_tool/user_wdigest.py | 5 ++---
2 files changed, 13 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/samba_tool/base.py b/python/samba/tests/samba_tool/base.py
index c57e9e9..de257e3 100644
--- a/python/samba/tests/samba_tool/base.py
+++ b/python/samba/tests/samba_tool/base.py
@@ -29,6 +29,13 @@ from cStringIO import StringIO
from samba.netcmd.main import cmd_sambatool
import samba.tests

+
+def truncate_string(s, cutoff=100):
+ if len(s) < cutoff + 15:
+ return s
+ return s[:cutoff] + '[%d more characters]' % (len(s) - cutoff)
+
+
class SambaToolCmdTest(samba.tests.BlackboxTestCase):

def getSamDB(self, *argv):
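Review bot: truncate_string() has no docstring, and the `cutoff + 15` in `if len(s) < cutoff + 15:` is unexplained. A one-line comment saying that the slack avoids replacing a few trailing characters with a longer '[N more characters]' suffix, or a named constant for the 15, would make the threshold understandable to the next reader.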
@@ -88,7 +95,10 @@ class SambaToolCmdTest(samba.tests.BlackboxTestCase):
def assertCmdFail(self, val, msg=""):
self.assertIsNotNone(val, msg)

- def assertMatch(self, base, string, msg=""):
+ def assertMatch(self, base, string, msg=None):
+ if msg is None:
+ msg = "%r is not in %r" % (truncate_string(string),
+ truncate_string(base))
self.assertTrue(string in base, msg)

def randomName(self, count=8):
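Review bot: With the default changed from `msg=""` to `msg=None`, the generated text is used only when `msg is None`, so a caller that still passes `msg=""` explicitly keeps the old empty failure message. `if not msg:` would cover both cases. The assertion itself could also become self.assertIn(string, base, msg), which states the intent more directly than assertTrue(string in base, msg).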
diff --git a/python/samba/tests/samba_tool/user_wdigest.py b/python/samba/tests/samba_tool/user_wdigest.py
index 497855c..35283eb 100644
--- a/python/samba/tests/samba_tool/user_wdigest.py
+++ b/python/samba/tests/samba_tool/user_wdigest.py
@@ -31,7 +31,6 @@ from samba import (
from samba.ndr import ndr_unpack
from samba.dcerpc import drsblobs
from hashlib import md5
-import re
import random
import string

@@ -105,8 +104,8 @@ class UserCmdWdigestTestCase(SambaToolCmdTest):
if missing:
self.assertTrue(attribute not in out)
else:
- result = re.sub(r"\n\s*", '', out)
- self.assertMatch(result, "%s: %s" % (attribute, expected))
+ self.assertMatch(out.replace('\n ', ''),
+ "%s: %s" % (attribute, expected))

def test_Wdigest_no_suffix(self):
attribute = "virtualWDigest"
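Review bot: The reason for stripping exactly '\n ' (a line break plus the single space that fold_string() inserts) is recorded only in the commit message. A short comment above `out.replace('\n ', '')` would keep a later cleanup from switching back to a greedy whitespace match and reintroducing the flapping test.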
--
Samba Shared Repository
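
The folding problem described in the commit message above, as an added example that is not part of the Samba tree: fold() is a constructed stand-in for LDIF line folding (a line break followed by exactly one space, as the message says fold_string() inserts), and the 76-character width and the sample attribute line are assumptions made for the illustration.

```python
import re

# Assumed fold width for this illustration; what matters is the single-space
# continuation marker, not the exact column.
FOLD_WIDTH = 76


def fold(line, width=FOLD_WIDTH):
    """Constructed stand-in for LDIF folding: break the line after `width`
    characters and start every continuation line with exactly one space."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        # One marker space plus up to width-1 characters of payload.
        chunks.append(' ' + rest[:width - 1])
        rest = rest[width - 1:]
    return '\n'.join(chunks)


def unfold_regex(text):
    """The old test helper: drops the break and all whitespace after it."""
    return re.sub(r"\n\s*", '', text)


def unfold_single_space(text):
    """The replacement: drops the break and only the one marker space."""
    return text.replace('\n ', '')


def sample_line(width=FOLD_WIDTH):
    """Constructed attribute line whose value has a space right at the fold."""
    name = 'description: '
    head = 'a' * (width - len(name))
    return name + head + ' tail'


def compare(line):
    """Fold `line`, unfold it both ways, and report which round trips."""
    folded = fold(line)
    return {
        'folded': folded,
        'regex_ok': unfold_regex(folded) == line,
        'single_space_ok': unfold_single_space(folded) == line,
    }


if __name__ == '__main__':
    cases = (
        ('space at fold', sample_line()),
        ('no space at fold', 'description: ' + 'b' * 100),
    )
    for label, line in cases:
        result = compare(line)
        print('%-17s regex=%s single_space=%s'
              % (label, result['regex_ok'], result['single_space_ok']))
```

The regex version only fails when payload whitespace happens to follow the marker space, which is why the test passed most of the time.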
Volker Lendecke
2018-02-12 18:52:01 UTC
The branch, master has been updated
via b4384b7 winbind: Improve child selection
from cb920dd tests/samba-tool user wdigest: fix a flapping test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b4384b7f0ecf3b47dd60acaf77636b679e3adc05
Author: Volker Lendecke <***@samba.org>
Date: Fri Feb 9 10:27:55 2018 +0100

winbind: Improve child selection

This improves the situation when a client request blocks a winbind
child. This might be a slow samlogon or lookupnames to a domain that's
far away. With random selection of the child for new request coming in
we could end up with a long queue when other, non-blocked children
could serve those new requests. Choose the shortest queue.

This is an immediate and simple fix. Step two will be to have a
per-domain and not a per-child queue. Right now we're pre-selecting
the check-out queue at Fry's randomly without looking at the queue
length. With this change we're picking the shortest queue. The better
change will be what Fry's really does: One central queue and red/green
lights on the busy/free checkout counters.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Mon Feb 12 19:51:35 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/winbindd/winbindd_dual.c | 36 +++++++++++++++++-------------------
1 file changed, 17 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 33f1393..993166d 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -248,33 +248,31 @@ static void wb_child_request_cleanup(struct tevent_req *req,
DLIST_REMOVE(winbindd_children, state->child);
}

-static bool winbindd_child_busy(struct winbindd_child *child)
-{
- return tevent_queue_length(child->queue) > 0;
-}
-
-static struct winbindd_child *find_idle_child(struct winbindd_domain *domain)
+struct winbindd_child *choose_domain_child(struct winbindd_domain *domain)
{
+ struct winbindd_child *shortest = &domain->children[0];
+ struct winbindd_child *current;
int i;

for (i=0; i<lp_winbind_max_domain_connections(); i++) {
- if (!winbindd_child_busy(&domain->children[i])) {
- return &domain->children[i];
- }
- }
+ size_t shortest_len, current_len;

- return NULL;
-}
+ current = &domain->children[i];
+ current_len = tevent_queue_length(current->queue);

-struct winbindd_child *choose_domain_child(struct winbindd_domain *domain)
-{
- struct winbindd_child *result;
+ if (current_len == 0) {
+ /* idle child */
+ return current;
+ }

- result = find_idle_child(domain);
- if (result != NULL) {
- return result;
+ shortest_len = tevent_queue_length(shortest->queue);
+
+ if (current_len < shortest_len) {
+ shortest = current;
+ }
}
- return &domain->children[rand() % lp_winbind_max_domain_connections()];
+
+ return shortest;
}

struct dcerpc_binding_handle *dom_child_handle(struct winbindd_domain *domain)
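Review bot: In the new choose_domain_child() loop, `shortest` starts as &domain->children[0] and the loop also starts at i=0, so the first pass compares child 0 with itself, and `shortest_len` is recomputed with tevent_queue_length(shortest->queue) on every iteration. Keeping shortest_len next to shortest and updating both together would be simpler and avoids the repeated call. A brief comment that ties go to the lowest-index child would also document the selection order, since that replaces the previous rand() choice.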
--
Samba Shared Repository
Andreas Schneider
2018-02-12 23:26:02 UTC
The branch, master has been updated
via 1e8ad19 winbindd: Initialize the domain groups member
via 2abf47c winbindd: Free is_parent before we terminate
via a5cd134 winbindd: Free memory before we exit the connect child
from b4384b7 winbind: Improve child selection

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1e8ad19653f11adbcffecde3a5762b28c5e06c8d
Author: Andreas Schneider <***@samba.org>
Date: Fri Feb 9 16:19:53 2018 +0100

winbindd: Initialize the domain groups member

==9405== 4 errors in context 1 of 493:
==9405== Conditional jump or move depends on uninitialised value(s)
==9405== at 0x7507F71: vfprintf (in /lib64/libc-2.12.so)
==9405== by 0x75C515B: __vasprintf_chk (in /lib64/libc-2.12.so)
==9405== by 0x2A8728: dbgtext (stdio2.h:199)
==9405== by 0x22DCBB: winbindd_list_groups_done (winbindd_list_groups.c:127)
==9405== by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405== by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405== by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405== by 0x3CDAE8: dcerpc_binding_handle_call_done (binding_handle.c:445)
==9405== by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405== by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405== by 0x202701: wbint_bh_raw_call_done (winbindd_dual_ndr.c:139)
==9405== by 0x6C82C60: tevent_common_loop_timer_delay (tevent_timed.c:341)
==9405== by 0x6C83CA1: epoll_event_loop_once (tevent_epoll.c:911)
==9405== by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405== by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405== by 0x1D8A03: main (winbindd.c:1490)
==9405== Uninitialised value was created by a heap allocation
==9405== at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==9405== by 0x6A71DCA: _talloc_array (in /usr/lib64/libtalloc.so.2.1.5)
==9405== by 0x22D959: winbindd_list_groups_send (winbindd_list_groups.c:69)
==9405== by 0x1D76BC: winbind_client_request_read (winbindd.c:647)
==9405== by 0x23AF2A: wb_req_read_done (wb_reqtrans.c:126)
==9405== by 0x6C83EA5: epoll_event_loop_once (tevent_epoll.c:728)
==9405== by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405== by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405== by 0x1D8A03: main (winbindd.c:1490)

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Tue Feb 13 00:25:27 CET 2018 on sn-devel-144

commit 2abf47cfb3153108e3b153fee571ab187f9eb755
Author: Andreas Schneider <***@samba.org>
Date: Fri Feb 9 15:33:39 2018 +0100

winbindd: Free is_parent before we terminate

This makes valgrind happy.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

commit a5cd134ed7634328c9d0b64a45a59c04530c7249
Author: Andreas Schneider <***@samba.org>
Date: Fri Feb 9 15:27:42 2018 +0100

winbindd: Free memory before we exit the connect child

This will make valgrind happy.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/winbindd/winbindd.c | 9 ++++++---
source3/winbindd/winbindd_cm.c | 5 ++++-
source3/winbindd/winbindd_list_groups.c | 7 ++++++-
3 files changed, 16 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 0a8d146..6e3df1f 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -233,11 +233,14 @@ static void winbindd_sig_term_handler(struct tevent_context *ev,
void *siginfo,
void *private_data)
{
- bool *is_parent = talloc_get_type_abort(private_data, bool);
+ bool *p = talloc_get_type_abort(private_data, bool);
+ bool is_parent = *p;
+
+ TALLOC_FREE(p);

DEBUG(0,("Got sig[%d] terminate (is_parent=%d)\n",
- signum, (int)*is_parent));
- terminate(*is_parent);
+ signum, is_parent));
+ terminate(is_parent);
}

/*
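Review bot: winbindd_sig_term_handler() now releases private_data with TALLOC_FREE(p) before calling terminate(is_parent), which is only safe if the handler can never run again with the same pointer, i.e. if terminate() does not return. A comment stating that assumption next to the TALLOC_FREE() would make the ownership clear, because a second invocation would hand freed memory to talloc_get_type_abort().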
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 54416e0..4229647 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -199,6 +199,7 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
pid_t parent_pid = getpid();
char *lfile = NULL;
NTSTATUS status;
+ bool ok;

if (domain->dc_probe_pid != (pid_t)-1) {
/*
@@ -269,7 +270,9 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
_exit(1);
}

- if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs, 0)) || (num_dcs == 0)) {
+ ok = get_dcs(mem_ctx, domain, &dcs, &num_dcs, 0);
+ TALLOC_FREE(mem_ctx);
+ if (!ok || (num_dcs == 0)) {
/* Still offline ? Can't find DC's. */
messaging_send_buf(server_messaging_context(),
pid_to_procid(parent_pid),
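Review bot: TALLOC_FREE(mem_ctx) now runs immediately after get_dcs(mem_ctx, domain, &dcs, &num_dcs, 0), so if `dcs` is allocated on mem_ctx it is dangling from this point on; only num_dcs is read in the lines shown. Please confirm that nothing further down the child path dereferences dcs, or set `dcs = NULL` after the free so that any later use fails visibly instead of reading freed memory.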
diff --git a/source3/winbindd/winbindd_list_groups.c b/source3/winbindd/winbindd_list_groups.c
index 3b5c9dd..f593ba2 100644
--- a/source3/winbindd/winbindd_list_groups.c
+++ b/source3/winbindd/winbindd_list_groups.c
@@ -74,6 +74,8 @@ struct tevent_req *winbindd_list_groups_send(TALLOC_CTX *mem_ctx,
}

if (request->domain_name[0] != '\0') {
+ ZERO_STRUCT(state->domains[0].groups);
+
state->domains[0].domain = find_domain_from_name_noinit(
request->domain_name);
if (state->domains[0].domain == NULL) {
@@ -83,7 +85,10 @@ struct tevent_req *winbindd_list_groups_send(TALLOC_CTX *mem_ctx,
} else {
i = 0;
for (domain = domain_list(); domain; domain = domain->next) {
- state->domains[i++].domain = domain;
+ ZERO_STRUCT(state->domains[i].groups);
+
+ state->domains[i].domain = domain;
+ i++;
}
}
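Review bot: ZERO_STRUCT(state->domains[...].groups) is added separately in both branches, which clears one member and leaves any other field of each element as allocated. The valgrind trace in the commit message points at the talloc_array() call in winbindd_list_groups_send(); allocating with talloc_zero_array() there would initialise every element in one place and cover members added later.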
--
Samba Shared Repository
Jeremy Allison
2018-02-13 04:02:02 UTC
The branch, master has been updated
via 3bbc575 smbd: remove "id" from share_mode_entry
via f7e6571 smbd: Pass "file_id" explicitly to send_break_to_none
via 1e2659e smbd: Pass "file_id" explicitly to send_break_message()
via 9d7701c srvsvc: Avoid a dependency on share_mode_entry->id
via d9e5148 smbd: Avoid a dependency on share_mode_entry->id
via ddb1524 smbd: Avoid a dependency on share_mode_entry->id
via b7e29d0 smbd: Pass "file_id" explicitly to message_to_share_mode_entry()
via fc424b2 smbd: Pass "file_id" explicitly into share_mode_entry_to_message()
via 5fdc62b smbd: Remove a redundant check
via bab8bf7 smbd: Use "share_mode_data->id", not "share_mode_entry->id"
via c1079e3 srvsvc: Use the passed-in file_id
via 3434b32 smbd: Pass in "file_id" into validate_my_share_entries
via 9487510 smbd: Pass in "file_id" into share_mode_str()
via 786e307 srvsvc: Use the passed-in file id, not the one from share_mode_entry
via f519162 smbd: Pass "file_id" through share_entry_forall
via e6187be smbd: Fix a signed/unsigned hickup
from 1e8ad19 winbindd: Initialize the domain groups member

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3bbc57564411b031bf3ce55652c9c899642da045
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 14:32:37 2018 +0100

smbd: remove "id" from share_mode_entry

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144

commit f7e65719a4bc5fa2bede491d40a610b28f873c8a
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 12:28:13 2018 +0100

smbd: Pass "file_id" explicitly to send_break_to_none

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 1e2659e96d4a309e76d1fc2a5a3dabb83a258127
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 12:24:35 2018 +0100

smbd: Pass "file_id" explicitly to send_break_message()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 9d7701c923bce11c05c879ea3f7cdd2322e3d2bd
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 12:16:10 2018 +0100

srvsvc: Avoid a dependency on share_mode_entry->id

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit d9e51484703e7ff510c534c603d30975d87c895c
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 12:11:10 2018 +0100

smbd: Avoid a dependency on share_mode_entry->id

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit ddb1524669681bffc86090432f01a21621d11d2f
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:40:58 2018 +0100

smbd: Avoid a dependency on share_mode_entry->id

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit b7e29d04c6156a6eb5c02b12e53abd1a04d75471
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:39:32 2018 +0100

smbd: Pass "file_id" explicitly to message_to_share_mode_entry()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit fc424b28cd54f4ff5737417db1e1f8059cad80db
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:36:51 2018 +0100

smbd: Pass "file_id" explicitly into share_mode_entry_to_message()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 5fdc62b2369b8463940629dc47c2768f0bcfc29d
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:14:31 2018 +0100

smbd: Remove a redundant check

The file ids in all share modes match the share_mode_data's one

We don't have a paranoia check for this, but the share mode is per inode.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit bab8bf7acb71bc54c258c29e7392927afb8b0709
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:13:40 2018 +0100

smbd: Use "share_mode_data->id", not "share_mode_entry->id"

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit c1079e3d2a9dd10b11e6b7c9b9852518ea637bb5
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:10:14 2018 +0100

srvsvc: Use the passed-in file_id

The one in share_mode_entry will go

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 3434b32b88e656e767a0a1d2fa3988b2fb2311b0
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:09:10 2018 +0100

smbd: Pass in "file_id" into validate_my_share_entries

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 9487510e9e1269e70d4c4fbc44316f0c8758be03
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 11:05:33 2018 +0100

smbd: Pass in "file_id" into share_mode_str()

This used to directly access share_entry->id, which will go

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 786e307fd433065c097915a9d98fc71b4afbab14
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 10:52:23 2018 +0100

srvsvc: Use the passed-in file id, not the one from share_mode_entry

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit f51916265777189eafd7d8d73166fc52287f2878
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 10:43:11 2018 +0100

smbd: Pass "file_id" through share_entry_forall

It's also in the share_entry, but that is redundant and will go

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit e6187be11846239f1a0e6e76aa3812a52406989a
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 10:05:57 2018 +0100

smbd: Fix a signed/unsigned hiccup

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/librpc/idl/open_files.idl | 1 -
source3/locking/locking.c | 14 ++++++-------
source3/locking/proto.h | 5 ++++-
source3/locking/share_mode_lock.c | 3 +++
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 15 ++++++++------
source3/smbd/close.c | 7 ++++---
source3/smbd/open.c | 29 +++++++++++++++------------
source3/smbd/oplock.c | 33 +++++++++++++++++++++----------
source3/smbd/proto.h | 12 +++++++----
source3/smbd/smb2_setinfo.c | 3 ++-
source3/utils/status.c | 1 +
11 files changed, 76 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/librpc/idl/open_files.idl b/source3/librpc/idl/open_files.idl
index 1f85f24..8d652a9 100644
--- a/source3/librpc/idl/open_files.idl
+++ b/source3/librpc/idl/open_files.idl
@@ -51,7 +51,6 @@ interface open_files
uint32 share_access;
uint32 private_options;
timeval time;
- file_id id;
udlong share_file_id;
uint32 uid;
uint16 flags;
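Review bot: Dropping `file_id id;` from this struct changes the marshalled layout of every share_mode_entry, and neither this hunk nor the commit message says how records written with the old layout are handled. If an smbd built from this tree can ever read a record stored by an older one, it would pull share_file_id, uid and flags from the wrong offsets. Please state in the commit message why that cannot happen, or guard the record format so a mismatch is detected rather than misparsed.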
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index 4e9f1bb..791878c 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -425,7 +425,9 @@ void locking_close_file(struct messaging_context *msg_ctx,
Print out a share mode.
********************************************************************/

-char *share_mode_str(TALLOC_CTX *ctx, int num, const struct share_mode_entry *e)
+char *share_mode_str(TALLOC_CTX *ctx, int num,
+ const struct file_id *id,
+ const struct share_mode_entry *e)
{
struct server_id_buf tmp;

@@ -439,7 +441,7 @@ char *share_mode_str(TALLOC_CTX *ctx, int num, const struct share_mode_entry *e)
e->access_mask, (unsigned long long)e->op_mid,
e->op_type, (unsigned long long)e->share_file_id,
(unsigned int)e->uid, (unsigned int)e->flags,
- file_id_string_tos(&e->id),
+ file_id_string_tos(id),
(unsigned int)e->name_hash);
}

@@ -720,7 +722,7 @@ static void remove_share_mode_lease(struct share_mode_data *d,

status = leases_db_del(&client_guid,
&lease_key,
- &e->id);
+ &d->id);

DEBUG(10, ("%s: leases_db_del returned %s\n", __func__,
nt_errstr(status)));
@@ -845,7 +847,6 @@ bool set_share_mode(struct share_mode_lock *lck, struct files_struct *fsp,
e->lease = lease;
e->time.tv_sec = fsp->open_time.tv_sec;
e->time.tv_usec = fsp->open_time.tv_usec;
- e->id = fsp->file_id;
e->share_file_id = fsp->fh->gen_id;
e->uid = (uint32_t)uid;
e->flags = (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) ?
@@ -860,7 +861,7 @@ struct share_mode_entry *find_share_mode_entry(
{
struct share_mode_data *d = lck->data;
struct server_id pid;
- int i;
+ uint32_t i;

pid = messaging_server_id(fsp->conn->sconn->msg_ctx);

@@ -873,9 +874,6 @@ struct share_mode_entry *find_share_mode_entry(
if (!serverid_equal(&pid, &e->pid)) {
continue;
}
- if (!file_id_equal(&fsp->file_id, &e->id)) {
- continue;
- }
if (fsp->fh->gen_id != e->share_file_id) {
continue;
}
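Review bot: The removed file_id_equal() test in find_share_mode_entry() was the only comparison of fsp->file_id against the record, and the commit message itself says there is no paranoia check for the invariant that replaces it. Since `d = lck->data` is already in scope, a single check before the loop that file_id_equal(&fsp->file_id, &d->id) holds (at least under DEVELOPER) would catch a caller passing a lock for a different inode, which after this change would match on pid and share_file_id alone.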
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
index 33184e0..afd5373 100644
--- a/source3/locking/proto.h
+++ b/source3/locking/proto.h
@@ -140,7 +140,9 @@ void locking_close_file(struct messaging_context *msg_ctx,
bool locking_init(void);
bool locking_init_readonly(void);
bool locking_end(void);
-char *share_mode_str(TALLOC_CTX *ctx, int num, const struct share_mode_entry *e);
+char *share_mode_str(TALLOC_CTX *ctx, int num,
+ const struct file_id *id,
+ const struct share_mode_entry *e);
struct share_mode_lock *get_existing_share_mode_lock(TALLOC_CTX *mem_ctx,
struct file_id id);
struct share_mode_lock *get_share_mode_lock(
@@ -210,6 +212,7 @@ int share_mode_forall(int (*fn)(struct file_id fid,
void *private_data),
void *private_data);
int share_entry_forall(int (*fn)(const struct share_mode_entry *,
+ const struct file_id *id,
const char *, const char *,
const char *, void *),
void *private_data);
diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
index cee0045..fce0c33 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -879,6 +879,7 @@ int share_mode_forall(int (*fn)(struct file_id fid,

struct share_entry_forall_state {
int (*fn)(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *service_path,
const char *base_name,
const char *stream_name,
@@ -897,6 +898,7 @@ static int share_entry_traverse_fn(struct file_id fid,
int ret;

ret = state->fn(&data->share_modes[i],
+ &data->id,
data->servicepath,
data->base_name,
data->stream_name,
@@ -915,6 +917,7 @@ static int share_entry_traverse_fn(struct file_id fid,
********************************************************************/

int share_entry_forall(int (*fn)(const struct share_mode_entry *,
+ const struct file_id *id,
const char *, const char *,
const char *, void *),
void *private_data)
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index 2ff8e64..6536e3d 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -82,6 +82,7 @@ struct share_conn_stat {
********************************************************************/

static int enum_file_fn(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *sharepath,
const char *fname,
const char *sname,
@@ -123,7 +124,7 @@ static int enum_file_fn(const struct share_mode_entry *e,
/* need to count the number of locks on a file */

ZERO_STRUCT( fsp );
- fsp.file_id = e->id;
+ fsp.file_id = *id;

if ( (brl = brl_get_locks(talloc_tos(), &fsp)) != NULL ) {
num_locks = brl_num_locks(brl);
@@ -173,7 +174,7 @@ static WERROR net_enum_files(TALLOC_CTX *ctx,
f_enum_cnt.username = username;
f_enum_cnt.ctr3 = *ctr3;

- share_entry_forall( enum_file_fn, (void *)&f_enum_cnt );
+ share_entry_forall(enum_file_fn, (void *)&f_enum_cnt );

*ctr3 = f_enum_cnt.ctr3;

@@ -841,6 +842,7 @@ static WERROR init_srv_sess_info_0(struct pipes_struct *p,
**********************************************************************/

static int count_sess_files_fn(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *sharepath,
const char *fname,
const char *sname,
@@ -968,6 +970,7 @@ static WERROR init_srv_sess_info_1(struct pipes_struct *p,
********************************************************************/

static int share_file_fn(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *sharepath,
const char *fname,
const char *sname,
@@ -2699,6 +2702,7 @@ struct enum_file_close_state {
};

static int enum_file_close_fn(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *sharepath,
const char *fname,
const char *sname,
@@ -2718,11 +2722,10 @@ static int enum_file_close_fn(const struct share_mode_entry *e,
}

/* Ok - send the close message. */
- DEBUG(10,("enum_file_close_fn: request to close file %s, %s\n",
- sharepath,
- share_mode_str(talloc_tos(), 0, e) ));
+ DBG_DEBUG("request to close file %s, %s\n", sharepath,
+ share_mode_str(talloc_tos(), 0, id, e));

- share_mode_entry_to_message(msg, e);
+ share_mode_entry_to_message(msg, id, e);

state->r->out.result = ntstatus_to_werror(
messaging_send_buf(state->msg_ctx,
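Review bot: share_mode_str() can return NULL, as the msg_close_file() hunk in this same patch acknowledges with its `if (!sm_str)` check, yet the new DBG_DEBUG call here passes the result straight to `%s`. Store the result in a local and check it before logging, so the two callers handle allocation failure the same way.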
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 2f6cc4f..3324d3e 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -1280,15 +1280,16 @@ void msg_close_file(struct messaging_context *msg_ctx,
DATA_BLOB *data)
{
files_struct *fsp = NULL;
+ struct file_id id;
struct share_mode_entry e;
struct smbd_server_connection *sconn =
talloc_get_type_abort(private_data,
struct smbd_server_connection);

- message_to_share_mode_entry(&e, (char *)data->data);
+ message_to_share_mode_entry(&id, &e, (char *)data->data);

if(DEBUGLVL(10)) {
- char *sm_str = share_mode_str(NULL, 0, &e);
+ char *sm_str = share_mode_str(NULL, 0, &id, &e);
if (!sm_str) {
smb_panic("talloc failed");
}
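Review bot: msg_close_file() hands data->data to message_to_share_mode_entry() with no length check between the declarations and the call, and the de-linearizer reads at fixed OP_BREAK_MSG_* offsets. Now that the call fills two output structures from that buffer, reject the message unless data->length equals MSG_SMB_SHARE_MODE_ENTRY_SIZE before parsing, so a short message cannot cause a read past the end of the blob.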
@@ -1297,7 +1298,7 @@ void msg_close_file(struct messaging_context *msg_ctx,
TALLOC_FREE(sm_str);
}

- fsp = file_find_dif(sconn, e.id, e.share_file_id);
+ fsp = file_find_dif(sconn, id, e.share_file_id);
if (!fsp) {
DEBUG(10,("msg_close_file: failed to find file.\n"));
return;
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 5817bdb..be9e601 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1544,6 +1544,7 @@ sa = 0x%x, share = 0x%x\n", (num), (unsigned int)(am), (unsigned int)(right), (u

#if defined(DEVELOPER)
static void validate_my_share_entries(struct smbd_server_connection *sconn,
+ const struct file_id id,
int num,
struct share_mode_entry *share_entry)
{
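Review bot: validate_my_share_entries() takes `const struct file_id id` by value, while every other function touched in this series (share_mode_str, send_break_message, share_mode_entry_to_message, the share_entry_forall callbacks) takes `const struct file_id *id`. Passing a pointer here too would keep the convention uniform and remove the need for `&id` at the share_mode_str() calls further down in this function.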
@@ -1563,11 +1564,11 @@ static void validate_my_share_entries(struct smbd_server_connection *sconn,
return;
}

- fsp = file_find_dif(sconn, share_entry->id,
- share_entry->share_file_id);
+ fsp = file_find_dif(sconn, id, share_entry->share_file_id);
if (!fsp) {
- DEBUG(0,("validate_my_share_entries: PANIC : %s\n",
- share_mode_str(talloc_tos(), num, share_entry) ));
+ DBG_ERR("PANIC : %s\n",
+ share_mode_str(talloc_tos(), num, &id,
+ share_entry));
smb_panic("validate_my_share_entries: Cannot match a "
"share entry with an open file\n");
}
@@ -1581,8 +1582,9 @@ static void validate_my_share_entries(struct smbd_server_connection *sconn,
panic:
{
char *str;
- DEBUG(0,("validate_my_share_entries: PANIC : %s\n",
- share_mode_str(talloc_tos(), num, share_entry) ));
+ DBG_ERR("validate_my_share_entries: PANIC : %s\n",
+ share_mode_str(talloc_tos(), num, &id,
+ share_entry));
str = talloc_asprintf(talloc_tos(),
"validate_my_share_entries: "
"file %s, oplock_type = 0x%x, op_type = 0x%x\n",
@@ -1654,7 +1656,7 @@ static NTSTATUS open_mode_check(connection_struct *conn,

#if defined(DEVELOPER)
for(i = 0; i < lck->data->num_share_modes; i++) {
- validate_my_share_entries(conn->sconn, i,
+ validate_my_share_entries(conn->sconn, lck->data->id, i,
&lck->data->share_modes[i]);
}
#endif
@@ -1688,8 +1690,9 @@ static NTSTATUS open_mode_check(connection_struct *conn,
*/

NTSTATUS send_break_message(struct messaging_context *msg_ctx,
- const struct share_mode_entry *exclusive,
- uint16_t break_to)
+ const struct file_id *id,
+ const struct share_mode_entry *exclusive,
+ uint16_t break_to)
{
NTSTATUS status;
char msg[MSG_SMB_SHARE_MODE_ENTRY_SIZE];
@@ -1699,7 +1702,7 @@ NTSTATUS send_break_message(struct messaging_context *msg_ctx,
server_id_str_buf(exclusive->pid, &tmp)));

/* Create the message. */
- share_mode_entry_to_message(msg, exclusive);
+ share_mode_entry_to_message(msg, id, exclusive);

/* Overload entry->op_type */
/*
@@ -1925,8 +1928,8 @@ static bool delay_for_oplock(files_struct *fsp,

DEBUG(10, ("breaking from %d to %d\n",
(int)e_lease_type, (int)break_to));
- send_break_message(fsp->conn->sconn->msg_ctx, e,
- break_to);
+ send_break_message(fsp->conn->sconn->msg_ctx, &fsp->file_id,
+ e, break_to);
if (e_lease_type & delay_mask) {
delay = true;
}
@@ -4981,7 +4984,7 @@ static NTSTATUS lease_match(connection_struct *conn,
continue;
}

- send_break_message(conn->sconn->msg_ctx, e,
+ send_break_message(conn->sconn->msg_ctx, &d->id, e,
SMB2_LEASE_NONE);

/*
diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index e848b5e..0f95bb0 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -792,6 +792,7 @@ static void process_oplock_break_message(struct messaging_context *msg_ctx,
struct server_id src,
DATA_BLOB *data)
{
+ struct file_id id;
struct share_mode_entry msg;
files_struct *fsp;
bool use_kernel;
@@ -816,15 +817,15 @@ static void process_oplock_break_message(struct messaging_context *msg_ctx,
}

/* De-linearize incoming message. */
- message_to_share_mode_entry(&msg, (char *)data->data);
+ message_to_share_mode_entry(&id, &msg, (char *)data->data);
break_to = msg.op_type;

DEBUG(10, ("Got oplock break to %u message from pid %s: %s/%llu\n",
(unsigned)break_to, server_id_str_buf(src, &tmp),
- file_id_string_tos(&msg.id),
+ file_id_string_tos(&id),
(unsigned long long)msg.share_file_id));

- fsp = initial_break_processing(sconn, msg.id, msg.share_file_id);
+ fsp = initial_break_processing(sconn, id, msg.share_file_id);

if (fsp == NULL) {
/* We hit a race here. Break messages are sent, and before we
@@ -1130,11 +1131,12 @@ static void contend_level2_oplocks_begin_default(files_struct *fsp,
}

static void send_break_to_none(struct messaging_context *msg_ctx,
+ const struct file_id *id,
const struct share_mode_entry *e)
{
char msg[MSG_SMB_SHARE_MODE_ENTRY_SIZE];

- share_mode_entry_to_message(msg, e);
+ share_mode_entry_to_message(msg, id, e);
/* Overload entry->op_type */
SSVAL(msg, OP_BREAK_MSG_OP_TYPE_OFFSET, NO_OPLOCK);

@@ -1202,7 +1204,7 @@ static void do_break_to_none(struct tevent_context *ctx,
DEBUG(10, ("Breaking lease# %"PRIu32" with share_entry# "
"%"PRIu32"\n", i, j));

- send_break_to_none(state->sconn->msg_ctx, e);
+ send_break_to_none(state->sconn->msg_ctx, &state->id, e);
}

for(i = 0; i < d->num_share_modes; i++) {
@@ -1245,7 +1247,7 @@ static void do_break_to_none(struct tevent_context *ctx,
abort();
}

- send_break_to_none(state->sconn->msg_ctx, e);
+ send_break_to_none(state->sconn->msg_ctx, &state->id, e);
}

/* We let the message receivers handle removing the oplock state
@@ -1291,7 +1293,8 @@ void smbd_contend_level2_oplocks_end(files_struct *fsp,
Linearize a share mode entry struct to an internal oplock break message.
****************************************************************************/

-void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e)
+void share_mode_entry_to_message(char *msg, const struct file_id *id,
+ const struct share_mode_entry *e)
{
SIVAL(msg,OP_BREAK_MSG_PID_OFFSET,(uint32_t)e->pid.pid);
SBVAL(msg,OP_BREAK_MSG_MID_OFFSET,e->op_mid);
@@ -1301,7 +1304,11 @@ void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e)
SIVAL(msg,OP_BREAK_MSG_PRIV_OFFSET,e->private_options);
SIVAL(msg,OP_BREAK_MSG_TIME_SEC_OFFSET,(uint32_t)e->time.tv_sec);
SIVAL(msg,OP_BREAK_MSG_TIME_USEC_OFFSET,(uint32_t)e->time.tv_usec);
- push_file_id_24(msg+OP_BREAK_MSG_DEV_OFFSET, &e->id);
+ /*
+ * "id" used to be part of share_mode_entry, thus the strange
+ * place to put this. Feel free to move somewhere else :-)
+ */
+ push_file_id_24(msg+OP_BREAK_MSG_DEV_OFFSET, id);
SIVAL(msg,OP_BREAK_MSG_FILE_ID_OFFSET,e->share_file_id);
SIVAL(msg,OP_BREAK_MSG_UID_OFFSET,e->uid);
SSVAL(msg,OP_BREAK_MSG_FLAGS_OFFSET,e->flags);
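Review bot: The new comment above push_file_id_24() explains the history but not the constraint that matters: the id is still written at OP_BREAK_MSG_DEV_OFFSET, so the linearized message keeps its layout. Please say that explicitly, and note that any move has to be mirrored in message_to_share_mode_entry(), where the same comment is duplicated word for word.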
@@ -1313,7 +1320,9 @@ void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e)
De-linearize an internal oplock break message to a share mode entry struct.
****************************************************************************/

-void message_to_share_mode_entry(struct share_mode_entry *e, const char *msg)
+void message_to_share_mode_entry(struct file_id *id,
+ struct share_mode_entry *e,
+ const char *msg)
{
e->pid.pid = (pid_t)IVAL(msg,OP_BREAK_MSG_PID_OFFSET);
e->op_mid = BVAL(msg,OP_BREAK_MSG_MID_OFFSET);
@@ -1323,7 +1332,11 @@ void message_to_share_mode_entry(struct share_mode_entry *e, const char *msg)
e->private_options = IVAL(msg,OP_BREAK_MSG_PRIV_OFFSET);
e->time.tv_sec = (time_t)IVAL(msg,OP_BREAK_MSG_TIME_SEC_OFFSET);
e->time.tv_usec = (int)IVAL(msg,OP_BREAK_MSG_TIME_USEC_OFFSET);
- pull_file_id_24(msg+OP_BREAK_MSG_DEV_OFFSET, &e->id);
+ /*
+ * "id" used to be part of share_mode_entry, thus the strange
+ * place to put this. Feel free to move somewhere else :-)
+ */
+ pull_file_id_24(msg+OP_BREAK_MSG_DEV_OFFSET, id);
e->share_file_id = (unsigned long)IVAL(msg,OP_BREAK_MSG_FILE_ID_OFFSET);
e->uid = (uint32_t)IVAL(msg,OP_BREAK_MSG_UID_OFFSET);
e->flags = (uint16_t)SVAL(msg,OP_BREAK_MSG_FLAGS_OFFSET);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index fe37640..4417595 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -651,8 +651,9 @@ void change_file_owner_to_parent(connection_struct *conn,
files_struct *fsp);
bool is_stat_open(uint32_t access_mask);
NTSTATUS send_break_message(struct messaging_context *msg_ctx,
- const struct share_mode_entry *exclusive,
- uint16_t break_to);
+ const struct file_id *id,
+ const struct share_mode_entry *exclusive,
+ uint16_t break_to);
struct deferred_open_record;
bool is_deferred_open_async(const struct deferred_open_record *rec);
NTSTATUS create_directory(connection_struct *conn, struct smb_request *req,
@@ -722,8 +723,11 @@ void smbd_contend_level2_oplocks_begin(files_struct *fsp,
enum level2_contention_type type);
void smbd_contend_level2_oplocks_end(files_struct *fsp,
enum level2_contention_type type);
-void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e);
-void message_to_share_mode_entry(struct share_mode_entry *e, const char *msg);
+void share_mode_entry_to_message(char *msg, const struct file_id *id,
+ const struct share_mode_entry *e);
+void message_to_share_mode_entry(struct file_id *id,
+ struct share_mode_entry *e,
+ const char *msg);
bool init_oplocks(struct smbd_server_connection *sconn);
void init_kernel_oplocks(struct smbd_server_connection *sconn);

diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 0355095..996e4f2 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -226,7 +226,8 @@ static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
delay = true;
break_to = (e_lease_type & ~SMB2_LEASE_HANDLE);

- send_break_message(fsp->conn->sconn->msg_ctx, e, break_to);
+ send_break_message(fsp->conn->sconn->msg_ctx, &fsp->file_id,
+ e, break_to);
}

if (!delay) {
diff --git a/source3/utils/status.c b/source3/utils/status.c
index dfb1d92..beae85c 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -117,6 +117,7 @@ static bool Ucrit_addPid( struct server_id pid )
}

static int print_share_mode(const struct share_mode_entry *e,
+ const struct file_id *id,
const char *sharepath,
const char *fname,
const char *sname,
--
Samba Shared Repository
Volker Lendecke
2018-02-13 15:26:02 UTC
The branch, master has been updated
via d09bd97 docs: Fix smbpasswd manpage about password storage
from 3bbc575 smbd: remove "id" from share_mode_entry

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d09bd9767322e5a3cfd060a969b8d3a3144453d9
Author: Andreas Schneider <***@samba.org>
Date: Mon Feb 12 11:24:26 2018 +0100

docs: Fix smbpasswd manpage about password storage

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Tue Feb 13 16:25:33 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/smbpasswd.8.xml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml
index dd7d787..ba0e549 100644
--- a/docs-xml/manpages/smbpasswd.8.xml
+++ b/docs-xml/manpages/smbpasswd.8.xml
@@ -62,8 +62,7 @@
<manvolnum>8</manvolnum></citerefentry>. As a consequence in order for this to
succeed the smbd daemon must be running on the local machine. On a
UNIX machine the encrypted SMB passwords are usually stored in
- the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>5</manvolnum></citerefentry> file. </para>
+ the default passdb backend.</para>

<para>When run by an ordinary user with no options, smbpasswd
will prompt them for their old SMB password and then ask them
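Review bot: The replacement text "the default passdb backend" removes the only cross-reference in this sentence, so a reader no longer learns where to look. Consider naming the smb.conf parameter that selects the backend and pointing to smb.conf(5) with a citerefentry, in the same style as the reference being deleted.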
--
Samba Shared Repository
Ralph Böhme
2018-02-13 20:08:03 UTC
The branch, master has been updated
via 36bb685 libsocket: Avoid an unnecessary else branch
via 46148e6 net: Slightly simplify net_lookup_dsgetdcname()
via 093871d dsgetdcname: Add some const
via 3781dba libsmb: Fix an error path memleak
via aa29a69 libsmb: Fix destructor setup in unexpected.c
via f7cc3db libcli: Fix a cut&paste typo
via 77c1df5 net: Add some {}
via 44dcd5d nbt_server: Fix a typo
via 6f23615 libnbt: Apply some const
via 494dc70 libnbt: Use TALLOC_FREE
from d09bd97 docs: Fix smbpasswd manpage about password storage

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 36bb685abde872f43c3e23150119c3af91dea569
Author: Volker Lendecke <***@samba.org>
Date: Sun Feb 4 15:13:43 2018 +0000

libsocket: Avoid an unnecessary else branch

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Tue Feb 13 21:07:17 CET 2018 on sn-devel-144

commit 46148e657f5d53b0d83dbcead9a8b8d0bd0baf21
Author: Volker Lendecke <***@samba.org>
Date: Sun Feb 4 15:48:23 2018 +0000

net: Slightly simplify net_lookup_dsgetdcname()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 093871d931a9c925f3a858e2963d8f36988282ac
Author: Volker Lendecke <***@samba.org>
Date: Fri Jan 12 22:16:39 2018 +0100

dsgetdcname: Add some const

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 3781dba923fc01ffa32ea1e15adb847bccae44bb
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 30 13:47:35 2018 +0100

libsmb: Fix an error path memleak

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit aa29a695fbd0a1f881a2434fd1ce2bdef1d213ce
Author: Volker Lendecke <***@samba.org>
Date: Wed Feb 7 08:55:03 2018 +0100

libsmb: Fix destructor setup in unexpected.c

The destructor does DLIST_REMOVE, so better make sure "client" is in fact
member of that list when the destructor fires

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f7cc3db3f3ab93bc02a3446ad89a58b8eef00e8b
Author: Volker Lendecke <***@samba.org>
Date: Sun Feb 4 16:41:04 2018 +0000

libcli: Fix a cut&paste typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 77c1df57a87b483c35ca01ede13d40980d3e1a96
Author: Volker Lendecke <***@samba.org>
Date: Sun Feb 4 15:45:57 2018 +0000

net: Add some {}

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 44dcd5d094c5d44d6cc1e94c9be2e5b78f514acf
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 29 10:17:11 2018 +0100

nbt_server: Fix a typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6f23615956fee987f7cce85b724633790c5f64b6
Author: Volker Lendecke <***@samba.org>
Date: Fri Feb 2 13:13:31 2018 +0100

libnbt: Apply some const

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 494dc70f69804e2d703b382a56406d69e984e9f1
Author: Volker Lendecke <***@samba.org>
Date: Sat Feb 3 12:48:35 2018 +0000

libnbt: Use TALLOC_FREE

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
libcli/nbt/libnbt.h | 4 +++-
libcli/nbt/nbtname.c | 4 +++-
libcli/nbt/nbtsocket.c | 5 +----
source3/libsmb/dsgetdcname.c | 22 ++++++++++++----------
source3/libsmb/unexpected.c | 4 +++-
source3/utils/net_lookup.c | 7 ++++---
source4/lib/socket/socket_ip.c | 3 ++-
source4/libcli/dgram/netlogon.c | 2 +-
source4/nbt_server/interfaces.c | 2 +-
9 files changed, 30 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/nbt/libnbt.h b/libcli/nbt/libnbt.h
index d4813b9..f721278 100644
--- a/libcli/nbt/libnbt.h
+++ b/libcli/nbt/libnbt.h
@@ -291,7 +291,9 @@ NTSTATUS nbt_name_status_recv(struct nbt_name_request *req,
NTSTATUS nbt_name_status(struct nbt_name_socket *nbtsock,
TALLOC_CTX *mem_ctx, struct nbt_name_status *io);

-NTSTATUS nbt_name_dup(TALLOC_CTX *mem_ctx, struct nbt_name *name, struct nbt_name *newname);
+NTSTATUS nbt_name_dup(TALLOC_CTX *mem_ctx,
+ const struct nbt_name *name,
+ struct nbt_name *newname);
NTSTATUS nbt_name_to_blob(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct nbt_name *name);
NTSTATUS nbt_name_from_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, struct nbt_name *name);
void nbt_choose_called_name(TALLOC_CTX *mem_ctx, struct nbt_name *n, const char *name, int type);
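Review bot: nbt_name_dup() now takes a const source, but nbt_name_to_blob() on the next line still takes `struct nbt_name *name`, so a caller holding a const name can duplicate it but not marshal it. If nbt_name_to_blob() does not modify its argument, constify it in the same commit.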
diff --git a/libcli/nbt/nbtname.c b/libcli/nbt/nbtname.c
index d73dde1..ec2b395 100644
--- a/libcli/nbt/nbtname.c
+++ b/libcli/nbt/nbtname.c
@@ -190,7 +190,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_nbt_name(struct ndr_push *ndr, int ndr_flags
/**
copy a nbt name structure
*/
-_PUBLIC_ NTSTATUS nbt_name_dup(TALLOC_CTX *mem_ctx, struct nbt_name *name, struct nbt_name *newname)
+_PUBLIC_ NTSTATUS nbt_name_dup(TALLOC_CTX *mem_ctx,
+ const struct nbt_name *name,
+ struct nbt_name *newname)
{
*newname = *name;
newname->name = talloc_strdup(mem_ctx, newname->name);
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index dacacae..d7abb1b 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -45,10 +45,7 @@ static int nbt_name_request_destructor(struct nbt_name_request *req)
idr_remove(req->nbtsock->idr, req->name_trn_id);
req->name_trn_id = 0;
}
- if (req->te) {
- talloc_free(req->te);
- req->te = NULL;
- }
+ TALLOC_FREE(req->te);
if (req->nbtsock->send_queue == NULL) {
TEVENT_FD_NOT_WRITEABLE(req->nbtsock->fde);
}
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index f15456a..2fb9842 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -35,11 +35,12 @@ struct ip_service_name {
const char *hostname;
};

-static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx,
- uint32_t flags,
- struct sockaddr_storage *ss,
- struct NETLOGON_SAM_LOGON_RESPONSE_EX *r,
- struct netr_DsRGetDCNameInfo **info);
+static NTSTATUS make_dc_info_from_cldap_reply(
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct sockaddr_storage *ss,
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *r,
+ struct netr_DsRGetDCNameInfo **info);

/****************************************************************
****************************************************************/
@@ -735,11 +736,12 @@ static void map_dc_and_domain_names(uint32_t flags,
/****************************************************************
****************************************************************/

-static NTSTATUS make_dc_info_from_cldap_reply(TALLOC_CTX *mem_ctx,
- uint32_t flags,
- struct sockaddr_storage *ss,
- struct NETLOGON_SAM_LOGON_RESPONSE_EX *r,
- struct netr_DsRGetDCNameInfo **info)
+static NTSTATUS make_dc_info_from_cldap_reply(
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct sockaddr_storage *ss,
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *r,
+ struct netr_DsRGetDCNameInfo **info)
{
const char *dc_hostname = NULL;
const char *dc_domain_name = NULL;
diff --git a/source3/libsmb/unexpected.c b/source3/libsmb/unexpected.c
index ac6c1cf..ced4696 100644
--- a/source3/libsmb/unexpected.c
+++ b/source3/libsmb/unexpected.c
@@ -170,12 +170,12 @@ static void nb_packet_server_listener(struct tevent_context *ev,
ret = tstream_bsd_existing_socket(client, sock, &client->sock);
if (ret != 0) {
DEBUG(10, ("tstream_bsd_existing_socket failed\n"));
+ TALLOC_FREE(client);
close(sock);
return;
}

client->server = server;
- talloc_set_destructor(client, nb_packet_client_destructor);

client->out_queue = tevent_queue_create(
client, "unexpected packet output");
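Review bot: With talloc_set_destructor() removed from this position, nothing in the code records why it now has to come after DLIST_ADD(); the reason (the destructor does DLIST_REMOVE) lives only in the commit message. A one-line comment at the new talloc_set_destructor() call would stop a later cleanup from moving it back up. It is also worth confirming that every failure path between here and DLIST_ADD() frees client explicitly, as the added TALLOC_FREE(client) does for the tstream_bsd_existing_socket() failure.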
@@ -198,6 +198,8 @@ static void nb_packet_server_listener(struct tevent_context *ev,
DLIST_ADD(server->clients, client);
server->num_clients += 1;

+ talloc_set_destructor(client, nb_packet_client_destructor);
+
if (server->num_clients > server->max_clients) {
DEBUG(10, ("Too many clients, dropping oldest\n"));

diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c
index 0c019e6..597e098 100644
--- a/source3/utils/net_lookup.c
+++ b/source3/utils/net_lookup.c
@@ -405,11 +405,12 @@ static int net_lookup_dsgetdcname(struct net_context *c, int argc, const char **

domain_name = argv[0];

- if (argc >= 2)
+ if (argc >= 2) {
sscanf(argv[1], "%x", &flags);
+ }

- if (!flags) {
- flags |= DS_DIRECTORY_SERVICE_REQUIRED;
+ if (flags == 0) {
+ flags = DS_DIRECTORY_SERVICE_REQUIRED;
}

if (argc == 3) {
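Review bot: The result of `sscanf(argv[1], "%x", &flags);` is still ignored after the brace cleanup, so a non-hex argument leaves flags at whatever it was initialised to and the command continues without telling the user. Check that sscanf() returns 1 and print a usage error otherwise.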
diff --git a/source4/lib/socket/socket_ip.c b/source4/lib/socket/socket_ip.c
index 87b7bf4..e0aa5da 100644
--- a/source4/lib/socket/socket_ip.c
+++ b/source4/lib/socket/socket_ip.c
@@ -316,7 +316,8 @@ static NTSTATUS ipv4_recvfrom(struct socket_context *sock, void *buf,
if (gotlen == 0) {
talloc_free(src);
return NT_STATUS_END_OF_FILE;
- } else if (gotlen == -1) {
+ }
+ if (gotlen == -1) {
talloc_free(src);
return map_nt_error_from_unix_common(errno);
}
diff --git a/source4/libcli/dgram/netlogon.c b/source4/libcli/dgram/netlogon.c
index 0aa6864..a16a3b9 100644
--- a/source4/libcli/dgram/netlogon.c
+++ b/source4/libcli/dgram/netlogon.c
@@ -97,7 +97,7 @@ NTSTATUS dgram_mailslot_netlogon_reply(struct nbt_dgram_socket *dgmsock,


/*
- parse a netlogon response. The packet must be a valid mailslot packet
+ parse a netlogon request. The packet must be a valid mailslot packet
*/
NTSTATUS dgram_mailslot_netlogon_parse_request(struct dgram_mailslot_handler *dgmslot,
TALLOC_CTX *mem_ctx,
diff --git a/source4/nbt_server/interfaces.c b/source4/nbt_server/interfaces.c
index ccbc89a..beafec6 100644
--- a/source4/nbt_server/interfaces.c
+++ b/source4/nbt_server/interfaces.c
@@ -45,7 +45,7 @@ static void nbtd_request_handler(struct nbt_name_socket *nbtsock,

nbtsrv->stats.total_received++;

- /* see if its from one of our own interfaces - if so, then ignore it */
+ /* see if it's from one of our own interfaces - if so, then ignore it */
if (nbtd_self_packet_and_bcast(nbtsock, packet, src)) {
DEBUG(10,("Ignoring bcast self packet from %s:%d\n", src->addr, src->port));
return;
--
Samba Shared Repository
Andreas Schneider
2018-02-14 19:33:02 UTC
The branch, master has been updated
via ebd88eb docs: Add a not that 'wbinfo --user-groups' may be incomplete
from 36bb685 libsocket: Avoid an unnecessary else branch

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ebd88eb44192a28341579e4a4515bae479e7368a
Author: Andreas Schneider <***@samba.org>
Date: Wed Feb 14 12:05:16 2018 +0100

docs: Add a not that 'wbinfo --user-groups' may be incomplete

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Wed Feb 14 20:32:18 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/wbinfo.1.xml | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
index c427007..e2042ca 100644
--- a/docs-xml/manpages/wbinfo.1.xml
+++ b/docs-xml/manpages/wbinfo.1.xml
@@ -384,10 +384,35 @@

<varlistentry>
<term>-r|--user-groups <replaceable>username</replaceable></term>
- <listitem><para>Try to obtain the list of UNIX group ids
- to which the user belongs. This only works for users
- defined on a Domain Controller.
- </para></listitem>
+ <listitem>
+ <para>
+ Try to obtain the list of UNIX group ids to which the
+ user belongs. This only works for users defined on a
+ Domain Controller.
+ </para>
+
+ <para>There are two scenaries:</para>
+ <orderedlist>
+ <listitem>
+ <para>
+ User authenticated: When the user has been
+ authenticated, the access token for the user is
+ cached. The correct group memberships are then
+ returned from the cached user token (which can
+ be outdated).
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ User *NOT* authenticated: The information is
+ queries from the domain controller using the
+ machine account credentials which have limited
+ permissions. The result is normally incomplete
+ and can be also incorrect.
+ </para></listitem>
+ </orderedlist>
+ </listitem>
</varlistentry>

<varlistentry>
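Review bot: the added text has two typos that will end up in the rendered man page: "There are two scenaries:" should read "scenarios", and "The information is queries from the domain controller" should read "queried". The second list item also closes with `</para></listitem>` on one line while the first puts each closing tag on its own line; use the same layout for both.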
--
Samba Shared Repository
Andrew Bartlett
2018-02-15 04:41:03 UTC
The branch, master has been updated
via 578786c buildtools python: convert 'except X, e' to 'except X as e'
via 5fbb471 scripts/ python: convert 'except X, e' to 'except X as e'
via 16e173a selftest and autrobuild: convert 'except X, e' to 'except X as e'
via bf2086e drs torture python: convert 'except X, e' to 'except X as e'
via f43cb7c source4/scripting python: convert 'except X, e' to 'except X as e'
via 20e38fb dsdb python tests: convert 'except X, e' to 'except X as e'
via 28134d0 samba python tests: convert 'except X, e' to 'except X as e'
via 4885937 samba python libs: convert 'except X, e' to 'except X as e'
via a485ac3 samba-tool: convert 'except X, e' to 'except X as e' for all X
via 278ac39 selftest: Avoid a build started around midnight failing (again)
via 23ec302 smbspool: Initialize empty_str on declaration
via b415f92 selftest: GnuTLS is already mandetory to build the AD DC
via 8e54bc4 selftest: Require jansson support for selftest of the AD DC
via a12925b test samba-tool drs showrepl: test --json output
via ed15a45 samba-tool drs showrepl: add --json option for JSON output
via 90d0c63 samba-tool drs showrepl: restructure in preparation for --json
via 2cd7097 test samba-tool drs showrepl: test expected output more strictly
via 48248b7 test samba-tool drs showrepl: fix formatting and unused imports
via cec3646 tests: move samba-tool drs showrepl into its own suite
via 92ec01d python.subunit: add assertRegexpMatches for Python 2.6
via 70a85c1 python: tests: Make tests of dsdb Python module Python 3 compatible
via dce18a0 python: Port dsdb module to Python 3 compatible form.
via bc7c6c1 python: Port samdb module to Python 3 compatible form
via cb15e32 python: Add `text_type` Python 2/3 compatible function name.
via 7ee74f6 python: Port dsdb_dns module to Python 3 compatible form.
via a45e70b python: Convert base64 encoded password to utf-8
via 298d812 python: Generate random test usernames
from ebd88eb docs: Add a not that 'wbinfo --user-groups' may be incomplete

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 578786c38b65e5c3925ab9f605cfd661d0950cc2
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 11:19:49 2018 +1300

buildtools python: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Thu Feb 15 05:40:55 CET 2018 on sn-devel-144

commit 5fbb47144328b6bd4e52369c904d81633e5fdb02
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:36:22 2018 +1300

scripts/ python: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 16e173ad2e52ed1140fd43cabdeec0bc4553f6d2
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:35:53 2018 +1300

selftest and autrobuild: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit bf2086e137e00414669828991027d9c450fd0bcc
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:34:23 2018 +1300

drs torture python: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit f43cb7c38d1945cdeca259b53a433c68803482d0
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:33:06 2018 +1300

source4/scripting python: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 20e38fbd457a35e90662a284bead44b05393f54b
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:31:33 2018 +1300

dsdb python tests: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 28134d002b632a7fcd52906604412889fc973ef5
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:27:52 2018 +1300

samba python tests: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 4885937bf87e6c37c60cda890dc18d46b5868a91
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:18:36 2018 +1300

samba python libs: convert 'except X, e' to 'except X as e'

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a485ac32438b74315ffd4a7188909f00e175d4fa
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Feb 14 10:07:23 2018 +1300

samba-tool: convert 'except X, e' to 'except X as e' for all X

This is needed for Python 3 and is compatible with python 2.6

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 278ac393844bcbb5df7a2e2d75b878e20fba323e
Author: Andrew Bartlett <***@samba.org>
Date: Wed Feb 14 11:29:54 2018 +1300

selftest: Avoid a build started around midnight failing (again)

This case most likely relates to Daylight Saving changes creating
a 23 hour day.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>

commit 23ec3021224d797ab9d889d8152d8d7774da0226
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 5 10:43:18 2018 +0100

smbspool: Initialize empty_str on declaration

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit b415f9202fcb05eb75513494c596bf30082ca63d
Author: Andrew Bartlett <***@samba.org>
Date: Mon Feb 12 11:06:25 2018 +1300

selftest: GnuTLS is already mandetory to build the AD DC

This change avoids the code behind 'if have_tls_support' becoming untested
if the configure logic changes. We already assert that we have GnuTLS
elsewhere in the AD DC build scripts.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 8e54bc463adcfbc322249ba626e2c503ca13a864
Author: Andrew Bartlett <***@samba.org>
Date: Mon Feb 12 11:03:25 2018 +1300

selftest: Require jansson support for selftest of the AD DC

This avoids this code becoming untested if a package is not installed or
the configure test is accidentally broken.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit a12925b6ed66ca2e0383e8e60e4deeb5894dc3ed
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 8 16:01:41 2018 +1300

test samba-tool drs showrepl: test --json output

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ed15a452e7db6d76e231e5fbd45fa236c57a87f3
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 8 15:52:01 2018 +1300

samba-tool drs showrepl: add --json option for JSON output

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 90d0c638ef1817337a58babd0c02be5c9c4611c6
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 2 15:39:47 2018 +1300

samba-tool drs showrepl: restructure in preparation for --json

Basically we just separate data extraction from printing.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 2cd70978681259713281bd9e89971cf98584b069
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 8 14:22:39 2018 +1300

test samba-tool drs showrepl: test expected output more strictly

We try to ensure the output has all the expected information in the
expected order.

Soon we're going to add a JSON output mode, and we are strengthening
the tests here to ensure we don't break anything.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 48248b7ad15458f2f5a5b1410b1aed1c52cf019b
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 8 14:47:55 2018 +1300

test samba-tool drs showrepl: fix formatting and unused imports

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit cec3646c5d2ac47df129f16f8994c332e2ad06c3
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Feb 2 15:59:38 2018 +1300

tests: move samba-tool drs showrepl into its own suite

This is a simple copy of the showrepl test to the new file, making room
to expand the test and (soon) to test JSON output.

pep-8 intentionally ignored to show this is a copy.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 92ec01dcf080901eb4c208b208651ae03e77f538
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Sun Feb 11 11:59:40 2018 +1300

python.subunit: add assertRegexpMatches for Python 2.6

This is used in python/samba/tests/samba_tool/provision_password_check.py

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 70a85c163ff7397075bf0cef8a483df4f33799b4
Author: Lumir Balhar <***@redhat.com>
Date: Tue Jan 30 18:55:12 2018 +0100

python: tests: Make tests of dsdb Python module Python 3 compatible

Signed-off-by: Lumir Balhar <***@redhat.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit dce18a079e8c1e259bab4b4da57121d6ab4b7635
Author: Lumir Balhar <***@redhat.com>
Date: Tue Jan 30 18:53:38 2018 +0100

python: Port dsdb module to Python 3 compatible form.

Signed-off-by: Lumir Balhar <***@redhat.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit bc7c6c15da0ba42cd7f4b3551d2ab33f349bae1b
Author: Lumir Balhar <***@redhat.com>
Date: Tue Jan 30 18:52:11 2018 +0100

python: Port samdb module to Python 3 compatible form

Signed-off-by: Lumir Balhar <***@redhat.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit cb15e32f85f7a69dff0e461ec3536a84e95407ca
Author: Lumir Balhar <***@redhat.com>
Date: Fri Feb 9 20:49:36 2018 +0100

python: Add `text_type` Python 2/3 compatible function name.

This compatible function name represents `str` in Python 3
and `unicode` in Python 2.

Signed-off-by: Lumir Balhar <***@redhat.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 7ee74f66a1715b2c88165f025ebc3b661f15c75d
Author: Lumir Balhar <***@redhat.com>
Date: Tue Jan 30 18:47:32 2018 +0100

python: Port dsdb_dns module to Python 3 compatible form.

Signed-off-by: Lumir Balhar <***@redhat.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a45e70bf47cb4b48f69a237298e143f574bf58bb
Author: Andreas Schneider <***@samba.org>
Date: Tue Jan 30 18:09:00 2018 +0100

python: Convert base64 encoded password to utf-8

Pair-Programmed-With: Alexander Bokovoy <***@samba.org>

Signed-off-by: Andreas Schneider <***@samba.org>
Signed-off-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 298d812ca053811a56e5092fb52bffa60d007650
Author: Andreas Schneider <***@samba.org>
Date: Tue Jan 30 16:39:21 2018 +0100

python: Generate random test usernames

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
auth/wscript_configure | 9 ++
buildtools/wafsamba/nothreads.py | 4 +-
buildtools/wafsamba/samba_conftests.py | 2 +-
buildtools/wafsamba/samba_dist.py | 2 +-
buildtools/wafsamba/wafsamba.py | 2 +-
python/samba/common.py | 2 +-
python/samba/compat.py | 2 +
python/samba/dbchecker.py | 10 +-
python/samba/drs_utils.py | 6 +-
python/samba/kcc/__init__.py | 4 +-
python/samba/kcc/graph_utils.py | 2 +-
python/samba/kcc/kcc_utils.py | 6 +-
python/samba/kcc/ldif_import_export.py | 2 +-
python/samba/netcmd/__init__.py | 2 +-
python/samba/netcmd/delegation.py | 8 +-
python/samba/netcmd/dns.py | 2 +-
python/samba/netcmd/domain.py | 14 +-
python/samba/netcmd/drs.py | 170 ++++++++++++++-------
python/samba/netcmd/fsmo.py | 6 +-
python/samba/netcmd/gpo.py | 24 +--
python/samba/netcmd/group.py | 14 +-
python/samba/netcmd/ldapcmp.py | 2 +-
python/samba/netcmd/ntacl.py | 8 +-
python/samba/netcmd/ou.py | 24 +--
python/samba/netcmd/rodc.py | 4 +-
python/samba/netcmd/sites.py | 10 +-
python/samba/netcmd/testparm.py | 2 +-
python/samba/netcmd/user.py | 20 +--
python/samba/provision/backend.py | 2 +-
python/samba/samdb.py | 15 +-
python/samba/tests/__init__.py | 11 +-
python/samba/tests/auth_log_pass_change.py | 6 +-
python/samba/tests/dcerpc/array.py | 4 +-
python/samba/tests/dcerpc/testrpc.py | 8 +-
python/samba/tests/dns_forwarder.py | 2 +-
python/samba/tests/docs.py | 4 +-
python/samba/tests/dsdb.py | 29 ++--
python/samba/tests/netcmd.py | 2 +-
python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 +-
python/samba/tests/samba_tool/dnscmd.py | 8 +-
python/samba/tests/source.py | 2 +-
python/samba/upgrade.py | 30 ++--
python/samba/web_server/__init__.py | 2 +-
script/autobuild.py | 2 +-
script/bisect-test.py | 2 +-
script/generate_param.py | 2 +-
selftest/subunithelper.py | 2 +-
source3/client/smbspool.c | 10 +-
source4/dns_server/pydns.c | 19 ++-
source4/dns_server/wscript_build | 8 +-
source4/dsdb/pydsdb.c | 60 +++++---
source4/dsdb/tests/python/dirsync.py | 14 +-
source4/dsdb/tests/python/linked_attributes.py | 2 +-
source4/dsdb/tests/python/rodc.py | 4 +-
source4/dsdb/tests/python/rodc_rwdc.py | 10 +-
source4/dsdb/tests/python/sites.py | 2 +-
source4/dsdb/tests/python/sort.py | 2 +-
source4/dsdb/tests/python/vlv.py | 4 +-
source4/dsdb/wscript_build | 20 ++-
source4/scripting/bin/autoidl | 2 +-
source4/scripting/bin/minschema | 8 +-
source4/scripting/bin/rpcclient | 2 +-
source4/scripting/bin/samba-tool | 4 +-
source4/scripting/bin/samba_dnsupdate | 6 +-
source4/scripting/bin/samba_kcc | 2 +-
source4/scripting/bin/samba_spnupdate | 4 +-
source4/scripting/bin/samba_upgradedns | 2 +-
source4/scripting/bin/samba_upgradeprovision | 8 +-
source4/scripting/bin/w32err_code.py | 2 +-
source4/selftest/tests.py | 86 +++++------
.../torture/drs/python/linked_attributes_drs.py | 4 +-
source4/torture/drs/python/ridalloc_exop.py | 2 +-
source4/torture/drs/python/samba_tool_drs.py | 20 ---
.../torture/drs/python/samba_tool_drs_showrepl.py | 159 +++++++++++++++++++
74 files changed, 611 insertions(+), 356 deletions(-)
create mode 100644 source4/torture/drs/python/samba_tool_drs_showrepl.py


Changeset truncated at 500 lines:

diff --git a/auth/wscript_configure b/auth/wscript_configure
index 47943fa..9d930ba 100644
--- a/auth/wscript_configure
+++ b/auth/wscript_configure
@@ -1,7 +1,16 @@
#!/usr/bin/env python

+import Options, Utils
+
conf.SET_TARGET_TYPE('jansson', 'EMPTY')

if conf.CHECK_CFG(package='jansson', args='--cflags --libs',
msg='Checking for jansson'):
conf.CHECK_FUNCS_IN('json_object', 'jansson')
+
+if not conf.CONFIG_GET('HAVE_JSON_OBJECT') and \
+ conf.CONFIG_GET('ENABLE_SELFTEST') and \
+ (not Options.options.without_ad_dc):
+ raise Utils.WafError('jansson JSON library required for '
+ '--enable-selftest '
+ 'when building the AD DC')
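Review bot: the new WafError text, 'jansson JSON library required for --enable-selftest when building the AD DC', tells the user what is missing but not the ways out that the condition itself allows. Since the check is skipped when `Options.options.without_ad_dc` is set or `ENABLE_SELFTEST` is off, name those alternatives in the message next to installing jansson.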
diff --git a/buildtools/wafsamba/nothreads.py b/buildtools/wafsamba/nothreads.py
index d194eb8..9bd33e8 100644
--- a/buildtools/wafsamba/nothreads.py
+++ b/buildtools/wafsamba/nothreads.py
@@ -43,7 +43,7 @@ def process(tsk):
if tsk.__class__.stat: ret = tsk.__class__.stat(tsk)
# actual call to task's run() function
else: ret = tsk.call_run()
- except Exception, e:
+ except Exception as e:
tsk.err_msg = Utils.ex_stack()
tsk.hasrun = EXCEPTION

@@ -177,7 +177,7 @@ class Parallel(object):

try:
st = tsk.runnable_status()
- except Exception, e:
+ except Exception as e:
self.processed += 1
if self.stop and not Options.options.keep:
tsk.hasrun = SKIPPED
diff --git a/buildtools/wafsamba/samba_conftests.py b/buildtools/wafsamba/samba_conftests.py
index 511176d..b52727b 100644
--- a/buildtools/wafsamba/samba_conftests.py
+++ b/buildtools/wafsamba/samba_conftests.py
@@ -50,7 +50,7 @@ def check(self, *k, **kw):
ret = None
try:
ret = self.run_c_code(*k, **kw)
- except Configure.ConfigurationError, e:
+ except Configure.ConfigurationError as e:
self.check_message_2(kw['errmsg'], 'YELLOW')
if 'mandatory' in kw and kw['mandatory']:
if Logs.verbose > 1:
diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py
index 2e52820..8d51632 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -167,7 +167,7 @@ def dist(appname='', version=''):
absdir = os.path.join(srcdir, dir)
try:
files = vcs_dir_contents(absdir)
- except Exception, e:
+ except Exception as e:
Logs.error('unable to get contents of %s: %s' % (absdir, e))
sys.exit(1)
add_files_to_tarball(tar, srcdir, dir, dist_base, destdir, blacklist, files)
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 4bb19d0..1e331e5 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -900,7 +900,7 @@ def INSTALL_DIR(bld, path, chmod=0o755, env=None):
try:
os.makedirs(destpath)
os.chmod(destpath, chmod)
- except OSError, e:
+ except OSError as e:
if not os.path.isdir(destpath):
raise Utils.WafError("Cannot create the folder '%s' (error: %s)" % (path, e))
Build.BuildContext.INSTALL_DIR = INSTALL_DIR
diff --git a/python/samba/common.py b/python/samba/common.py
index a915934..1c410a4 100644
--- a/python/samba/common.py
+++ b/python/samba/common.py
@@ -18,7 +18,7 @@


import ldb
-import dsdb
+from samba import dsdb
from samba.ndr import ndr_pack
from samba.dcerpc import misc
import binascii
diff --git a/python/samba/compat.py b/python/samba/compat.py
index dfdfb7d..667a1a4 100644
--- a/python/samba/compat.py
+++ b/python/samba/compat.py
@@ -23,5 +23,7 @@ PY3 = sys.version_info[0] == 3

if PY3:
integer_types = int,
+ text_type = str
else:
integer_types = (int, long)
+ text_type = unicode
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index b2b8b0c..5e06d1f 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -369,7 +369,7 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
try:
controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
self.samdb.delete(dn, controls=controls)
- except Exception, err:
+ except Exception as err:
if self.in_transaction:
raise CommandError("%s : %s" % (msg, err))
self.report("%s : %s" % (msg, err))
@@ -383,7 +383,7 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
try:
controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
self.samdb.modify(m, controls=controls, validate=validate)
- except Exception, err:
+ except Exception as err:
if self.in_transaction:
raise CommandError("%s : %s" % (msg, err))
self.report("%s : %s" % (msg, err))
@@ -402,7 +402,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
to_dn = to_rdn + to_base
controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
self.samdb.rename(from_dn, to_dn, controls=controls)
- except Exception, err:
+ except Exception as err:
if self.in_transaction:
raise CommandError("%s : %s" % (msg, err))
self.report("%s : %s" % (msg, err))
@@ -1565,7 +1565,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
cls = None
try:
cls = obj["objectClass"][-1]
- except KeyError, e:
+ except KeyError as e:
pass

if cls is None:
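Review bot: in `except KeyError as e:` the bound name is never used, the body is just `pass`. Drop the binding and write `except KeyError:`, which is valid on Python 2.6 and Python 3 alike and does not leave an unused variable for linters to flag.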
@@ -2191,7 +2191,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
# special handling for some specific attribute types
try:
syntax_oid = self.samdb_schema.get_syntax_oid_from_lDAPDisplayName(attrname)
- except Exception, msg:
+ except Exception as msg:
self.err_unknown_attribute(obj, attrname)
error_count += 1
continue
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index ded072c..1940d2d 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -54,7 +54,7 @@ def drsuapi_connect(server, lp, creds):
try:
drsuapiBind = drsuapi.drsuapi(binding_string, lp, creds)
(drsuapiHandle, bindSupportedExtensions) = drs_DsBind(drsuapiBind)
- except Exception, e:
+ except Exception as e:
raise drsException("DRS connection to %s failed: %s" % (server, e))

return (drsuapiBind, drsuapiHandle, bindSupportedExtensions)
@@ -83,7 +83,7 @@ def sendDsReplicaSync(drsuapiBind, drsuapi_handle, source_dsa_guid,

try:
drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
- except Exception, estr:
+ except Exception as estr:
raise drsException("DsReplicaSync failed %s" % estr)


@@ -106,7 +106,7 @@ def sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn, domain):
req1.commit = 1

drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
- except Exception, estr:
+ except Exception as estr:
raise drsException("DsRemoveDSServer failed %s" % estr)


diff --git a/python/samba/kcc/__init__.py b/python/samba/kcc/__init__.py
index 6f8be1c..b9e491a 100644
--- a/python/samba/kcc/__init__.py
+++ b/python/samba/kcc/__init__.py
@@ -2718,7 +2718,7 @@ class KCC(object):
try:
self.samdb = ldif_import_export.ldif_to_samdb(dburl, lp, ldif_file,
forced_local_dsa)
- except ldif_import_export.LdifError, e:
+ except ldif_import_export.LdifError as e:
logger.critical(e)
return 1
return 0
@@ -2743,7 +2743,7 @@ class KCC(object):
try:
ldif_import_export.samdb_to_ldif_file(self.samdb, dburl, lp, creds,
ldif_file)
- except ldif_import_export.LdifError, e:
+ except ldif_import_export.LdifError as e:
logger.critical(e)
return 1
return 0
diff --git a/python/samba/kcc/graph_utils.py b/python/samba/kcc/graph_utils.py
index 5e909f3..a3b5109 100644
--- a/python/samba/kcc/graph_utils.py
+++ b/python/samba/kcc/graph_utils.py
@@ -303,7 +303,7 @@ def verify_graph(title, edges, vertices=None, directed=False, properties=(),
try:
f(edges, vertices, edge_vertices)
debug(" %s%18s:%s verified!" % (DARK_GREEN, p, C_NORMAL))
- except GraphError, e:
+ except GraphError as e:
errors.append((p, e))

if errors:
diff --git a/python/samba/kcc/kcc_utils.py b/python/samba/kcc/kcc_utils.py
index e4b99f4..df5da6d 100644
--- a/python/samba/kcc/kcc_utils.py
+++ b/python/samba/kcc/kcc_utils.py
@@ -373,7 +373,7 @@ class NCReplica(NamingContext):
try:
samdb.modify(m)

- except ldb.LdbError, estr:
+ except ldb.LdbError as estr:
raise KCCError("Could not set repsFrom for (%s) - (%s)" %
(self.nc_dnstr, estr))

@@ -524,7 +524,7 @@ class NCReplica(NamingContext):
try:
samdb.modify(m)

- except ldb.LdbError, estr:
+ except ldb.LdbError as estr:
raise KCCError("Could not set repsTo for (%s) - (%s)" %
(self.nc_dnstr, estr))

@@ -1686,7 +1686,7 @@ class Site(object):
try:
samdb.modify(m)

- except ldb.LdbError, estr:
+ except ldb.LdbError as estr:
raise KCCError(
"Could not set interSiteTopologyGenerator for (%s) - (%s)" %
(ssdn, estr))
diff --git a/python/samba/kcc/ldif_import_export.py b/python/samba/kcc/ldif_import_export.py
index 5e0f337..1cfffa3 100644
--- a/python/samba/kcc/ldif_import_export.py
+++ b/python/samba/kcc/ldif_import_export.py
@@ -77,7 +77,7 @@ dsServiceName: CN=NTDS Settings,%s
-
""")

- except Exception, estr:
+ except Exception as estr:
tmpdb.transaction_cancel()
raise LdifError("Failed to import %s: %s" % (ldif_file, estr))

diff --git a/python/samba/netcmd/__init__.py b/python/samba/netcmd/__init__.py
index fcad7f6..9037d03 100644
--- a/python/samba/netcmd/__init__.py
+++ b/python/samba/netcmd/__init__.py
@@ -174,7 +174,7 @@ class Command(object):

try:
return self.run(*args, **kwargs)
- except Exception, e:
+ except Exception as e:
self.show_command_error(e)
return -1

diff --git a/python/samba/netcmd/delegation.py b/python/samba/netcmd/delegation.py
index 39397bb..49e5957 100644
--- a/python/samba/netcmd/delegation.py
+++ b/python/samba/netcmd/delegation.py
@@ -138,7 +138,7 @@ class cmd_delegation_for_any_service(Command):
sam.toggle_userAccountFlags(search_filter, flag,
flags_str="Trusted-for-Delegation",
on=on, strict=True)
- except Exception, err:
+ except Exception as err:
raise CommandError(err)


@@ -192,7 +192,7 @@ class cmd_delegation_for_any_protocol(Command):
sam.toggle_userAccountFlags(search_filter, flag,
flags_str="Trusted-to-Authenticate-for-Delegation",
on=on, strict=True)
- except Exception, err:
+ except Exception as err:
raise CommandError(err)


@@ -246,7 +246,7 @@ class cmd_delegation_add_service(Command):
"msDS-AllowedToDelegateTo")
try:
sam.modify(msg)
- except Exception, err:
+ except Exception as err:
raise CommandError(err)


@@ -300,7 +300,7 @@ class cmd_delegation_del_service(Command):
"msDS-AllowedToDelegateTo")
try:
sam.modify(msg)
- except Exception, err:
+ except Exception as err:
raise CommandError(err)


diff --git a/python/samba/netcmd/dns.py b/python/samba/netcmd/dns.py
index 33f81ee..8bd6a9b 100644
--- a/python/samba/netcmd/dns.py
+++ b/python/samba/netcmd/dns.py
@@ -47,7 +47,7 @@ def dns_connect(server, lp, creds):
binding_str = "ncacn_ip_tcp:%s[sign]" % server
try:
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
- except RuntimeError, e:
+ except RuntimeError as e:
raise CommandError('Connecting to DNS RPC server %s failed with %s' % (server, e))

return dns_conn
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 2cb14f1..52c70ac 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -499,7 +499,7 @@ class cmd_domain_provision(Command):
base_schema=base_schema,
plaintext_secrets=plaintext_secrets)

- except ProvisioningError, e:
+ except ProvisioningError as e:
raise CommandError("Provision failed", e)

result.report_logger(self.logger)
@@ -865,7 +865,7 @@ class cmd_domain_demote(Command):
dc_dn = res[0].dn
uac = int(str(res[0]["userAccountControl"]))

- except Exception, e:
+ except Exception as e:
if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
self.errf.write(
"Error while demoting, re-enabling inbound replication\n")
@@ -897,7 +897,7 @@ class cmd_domain_demote(Command):
"userAccountControl")
try:
remote_samdb.modify(msg)
- except Exception, e:
+ except Exception as e:
if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
self.errf.write(
"Error while demoting, re-enabling inbound replication")
@@ -952,7 +952,7 @@ class cmd_domain_demote(Command):
try:
newdn = ldb.Dn(remote_samdb, "%s,%s" % (newrdn, str(computer_dn)))
remote_samdb.rename(dc_dn, newdn)
- except Exception, e:
+ except Exception as e:
if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
self.errf.write(
"Error while demoting, re-enabling inbound replication\n")
@@ -1012,7 +1012,7 @@ class cmd_domain_demote(Command):
try:
remote_samdb.delete(ldb.Dn(remote_samdb,
"%s,%s" % (s, str(newdn))))
- except ldb.LdbError, l:
+ except ldb.LdbError as l:
pass

self.errf.write("Demote successful\n")
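Review bot: `except ldb.LdbError as l:` binds the exception to `l`, which is never used and is easily misread as the digit 1. Use `except ldb.LdbError:` here, and consider a short comment on why a failed `remote_samdb.delete(...)` is deliberately ignored before "Demote successful" is written.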
@@ -1328,7 +1328,7 @@ class cmd_domain_passwordsettings(Command):
else:
cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60)
cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60)
- except Exception, e:
+ except Exception as e:
raise CommandError("Could not retrieve password properties!", e)

if subcommand == "show":
@@ -3853,7 +3853,7 @@ This command expunges tombstones from the database."""
current_time=current_time,
tombstone_lifetime=tombstone_lifetime)

- except Exception, err:
+ except Exception as err:
if started_transaction:
samdb.transaction_cancel()
raise CommandError("Failed to expunge / garbage collect tombstones", err)
diff --git a/python/samba/netcmd/drs.py b/python/samba/netcmd/drs.py
index 0ccbf9a..5498f09 100644
--- a/python/samba/netcmd/drs.py
+++ b/python/samba/netcmd/drs.py
@@ -42,7 +42,7 @@ def drsuapi_connect(ctx):
'''make a DRSUAPI connection to the server'''
try:
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
- except Exception, e:
+ except Exception as e:
raise CommandError("DRS connection to %s failed" % ctx.server, e)

def samdb_connect(ctx):
@@ -51,7 +51,7 @@ def samdb_connect(ctx):
ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
session_info=system_session(),
credentials=ctx.creds, lp=ctx.lp)
- except Exception, e:
+ except Exception as e:
raise CommandError("LDAP connection to %s failed" % ctx.server, e)

def drs_errmsg(werr):
@@ -95,21 +95,44 @@ class cmd_drs_showrepl(Command):
"credopts": options.CredentialsOptions,
}

+ takes_options = [
+ Option("--json", help="output in JSON format", action='store_true'),
+ ]
+
takes_args = ["DC?"]

- def print_neighbour(self, n):
- '''print one set of neighbour information'''
- self.message("%s" % n.naming_context_dn)
+ def parse_neighbour(self, n):
+ """Convert an ldb neighbour object into a python dictionary"""
+ d = {
+ 'NC dn': n.naming_context_dn,
+ "DSA objectGUID": str(n.source_dsa_obj_guid),
+ "last attempt time": nttime2string(n.last_attempt),
+ "last attempt message": drs_errmsg(n.result_last_attempt),
+ "consecutive failures": n.consecutive_sync_failures,
+ "last success": nttime2string(n.last_success),
+ "NTDS DN": str(n.source_dsa_obj_dn)
+ }
+
try:
(site, server) = drs_parse_ntds_dn(n.source_dsa_obj_dn)
- self.message("\t%s\%s via RPC" % (site, server))
+ d["DSA"] = "%s\%s" % (site, server)
except RuntimeError:
- self.message("\tNTDS DN: %s" % n.source_dsa_obj_dn)
- self.message("\t\tDSA object GUID: %s" % n.source_dsa_obj_guid)
- self.message("\t\tLast attempt @ %s %s" % (nttime2string(n.last_attempt),
- drs_errmsg(n.result_last_attempt)))
- self.message("\t\t%u consecutive failure(s)." % n.consecutive_sync_failures)
- self.message("\t\tLast success @ %s" % nttime2string(n.last_success))
+ pass
+ return d
+
+ def print_neighbour(self, d):
+ '''print one set of neighbour information'''
+ self.message("%s" % d['NC dn'])
+ if 'DSA' in d:
+ self.message("\t%s via RPC" % d['DSA'])
+ else:
+ self.message("\tNTDS DN: %s" % d['NTDS DN'])
+ self.message("\t\tDSA object GUID: %s" % d['DSA objectGUID'])
+ self.message("\t\tLast attempt @ %s %s" % (d['last attempt time'],
+ d['last attempt message']))
+ self.message("\t\t%u consecutive failure(s)." %
+ d['consecutive failures'])
+ self.message("\t\tLast success @ %s" % d['last success'])
self.message("")

def drsuapi_ReplicaInfo(self, info_type):
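Review bot: in parse_neighbour, `d["DSA"] = "%s\%s" % (site, server)` relies on `\%` being an unrecognised escape that Python happens to leave in place; write it as `"%s\\%s"` (or use a raw string) so the backslash separator is explicit and does not trip invalid-escape warnings on newer interpreters. The `except RuntimeError: pass` also drops the parse failure silently: print_neighbour copes by falling back to 'NTDS DN', but a JSON consumer gets a record with no 'DSA' key and no hint why, so the docstring should state that 'DSA' is optional. The dictionary keys mix quote styles ('NC dn' versus "DSA objectGUID"); pick one.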
@@ -120,12 +143,12 @@ class cmd_drs_showrepl(Command):
try:
(info_type, info) = self.drsuapi.DsReplicaGetInfo(
self.drsuapi_handle, 1, req1)
- except Exception, e:
+ except Exception as e:
raise CommandError("DsReplicaGetInfo of type %u failed" % info_type, e)
return (info_type, info)

def run(self, DC=None, sambaopts=None,
- credopts=None, versionopts=None, server=None):
+ credopts=None, versionopts=None, server=None, json=False):

self.lp = sambaopts.get_loadparm()
if DC is None:
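Review bot: the new `json=False` keyword on run() shadows the name `json` for the whole method body, so if the JSON output path calls the standard `json` module from inside run() it will get the boolean instead of the module. Either import the module under another name or give the Option a different dest. The rest of the method is outside this hunk, so confirm which applies.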
@@ -143,24 +166,75 @@ class cmd_drs_showrepl(Command):
(site, server) = drs_parse_ntds_dn(ntds_dn)
try:
ntds = self.samdb.search(base=ntds_dn, scope=ldb.SCOPE_BASE, attrs=['options', 'objectGUID', 'invocationId'])
- except Exception, e:
+ except Exception as e:
raise CommandError("Failed to search NTDS DN %s" % ntds_dn)
+
+ dsa_details = {
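Review bot: `except Exception as e:` binds `e`, but the `raise CommandError("Failed to search NTDS DN %s" % ntds_dn)` on the next line never uses it, so the underlying LDAP error is lost; every other handler touched in this patch passes the exception as the second argument. Suggest `raise CommandError("Failed to search NTDS DN %s" % ntds_dn, e)`.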
--
Samba Shared Repository
Garming Sam
2018-02-15 09:19:02 UTC
The branch, master has been updated
via 9952eda repl_metadata: Avoid silent skipping an object during DRS (due to RODC rename collisions)
via 59fa9e7 repl_metadata: Avoid silent skipping an object during DRS (due to RODC name collisions)
via 45d1916 tests/replica_sync_rodc: Test conflict handling on an RODC
via e694b8a selftest: Add RODC variables to list of those exported
via ff9e63f tests/drs_base: Allow the net drs replicate to try with a single object
via 19fcd87 tests/replica_sync: Add some additional replication in setUp
from 578786c buildtools python: convert 'except X, e' to 'except X as e'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9952eda7a1923971f77f3183cfa4c505386b30ee
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:32:33 2018 +1300

repl_metadata: Avoid silent skipping an object during DRS (due to RODC rename collisions)

No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Garming Sam <***@samba.org>
Autobuild-Date(master): Thu Feb 15 10:18:42 CET 2018 on sn-devel-144

commit 59fa9e7ecf84bd4c2469e9a6835855769c4f6287
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:32:24 2018 +1300

repl_metadata: Avoid silent skipping an object during DRS (due to RODC name collisions)

No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 45d19167d52e42bd2f9369dbe37a233902cc81b0
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:30:26 2018 +1300

tests/replica_sync_rodc: Test conflict handling on an RODC

There are two cases we are interested in:

1) RODC receives two identical DNs which conflict
2) RODC receives a rename to a DN which already exists

Currently these issues are ignored, but the UDV and HWM are being
updated, leading to objects/updates being skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit e694b8a1b993bf7213b191e1132c5d02e16ab85d
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:27:27 2018 +1300

selftest: Add RODC variables to list of those exported

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ff9e63f976ef76f7f70221d4f6276e221ecd167f
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:27:59 2018 +1300

tests/drs_base: Allow the net drs replicate to try with a single object

This eventually passes down the replicate single object exop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 19fcd872ec76afffbc4952266fdfad9a352c4871
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Feb 14 13:26:35 2018 +1300

tests/replica_sync: Add some additional replication in setUp

This should avoid some failures due to stale objects.

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
selftest/selftest.pl | 6 +
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 2 +
source4/selftest/tests.py | 6 +
source4/torture/drs/python/drs_base.py | 5 +-
source4/torture/drs/python/replica_sync.py | 2 +
source4/torture/drs/python/replica_sync_rodc.py | 156 ++++++++++++++++++++++++
6 files changed, 176 insertions(+), 1 deletion(-)
create mode 100644 source4/torture/drs/python/replica_sync_rodc.py


Changeset truncated at 500 lines:

diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index ff19d59..0e56e6a 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -835,6 +835,12 @@ my @exported_envvars = (
"VAMPIRE_DC_NETBIOSNAME",
"VAMPIRE_DC_NETBIOSALIAS",

+ # domain controller stuff for RODC
+ "RODC_DC_SERVER",
+ "RODC_DC_SERVER_IP",
+ "RODC_DC_SERVER_IPV6",
+ "RODC_DC_NETBIOSNAME",
+
# domain controller stuff for FL 2000 Vampired DC
"VAMPIRE_2000_DC_SERVER",
"VAMPIRE_2000_DC_SERVER_IP",
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 7646f94..ead0bd9 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -4932,6 +4932,7 @@ static int replmd_op_possible_conflict_callback(struct ldb_request *req, struct
"Conflict adding object '%s' from incoming replication as we are read only for the partition. \n"
" - We must fail the operation until a master for this partition resolves the conflict",
ldb_dn_get_linearized(conflict_dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
goto failed;
}

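Review bot: the added `ret = LDB_ERR_OPERATIONS_ERROR;` carries no comment, and nothing at this site says why the branch used to reach `failed` without an error code in `ret`. A one-line comment stating that the operation must fail here so the replication cycle is not recorded as complete would keep a later cleanup from removing the assignment. The `failed` label and the earlier assignments to `ret` are outside the hunk, so also confirm that no other `goto failed` in this function has the same gap.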
@@ -5570,6 +5571,7 @@ static int replmd_replicated_handle_rename(struct replmd_replicated_request *ar,
"Conflict adding object '%s' from incoming replication but we are read only for the partition. \n"
" - We must fail the operation until a master for this partition resolves the conflict",
ldb_dn_get_linearized(conflict_dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
goto failed;
}

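Review bot: in replmd_replicated_handle_rename the error string still reads "Conflict adding object '%s' ...", which is the wording of the add path in replmd_op_possible_conflict_callback; now that the operation fails visibly, this log line is what an administrator will search for, so say "renaming" here to make the two cases distinguishable. The same `ret = LDB_ERR_OPERATIONS_ERROR;` fix is applied at both sites; a shared helper for the read-only conflict case would keep them from drifting apart.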
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index bfc31c6..4e397a8 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -766,6 +766,12 @@ plantestsuite_loadlist("samba4.ldap.rodc_rwdc.python(rodc)", "rodc:local",
'$SERVER', '$DC_SERVER', '-U"$USERNAME%$PASSWORD"',
'--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])

+planoldpythontestsuite("rodc:local", "replica_sync_rodc",
+ extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
+ name="samba4.drs.replica_sync_rodc.python(rodc)",
+ environ={'DC1': '$DC_SERVER', 'DC2': '$RODC_DC_SERVER'},
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+
for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc"]:
plantestsuite_loadlist("samba4.ldap_schema.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap_schema.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
plantestsuite("samba4.ldap.possibleInferiors.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/samdb/ldb_modules/tests/possibleinferiors.py"), "ldap://$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"])
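Review bot: the new entry passes `extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD']` unquoted, while the neighbouring plantestsuite_loadlist calls write `'-U"$USERNAME%$PASSWORD"'`. If these arguments are expanded by a shell, a password containing whitespace or shell metacharacters will be split or interpreted; quote the credential the same way the surrounding entries do.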
diff --git a/source4/torture/drs/python/drs_base.py b/source4/torture/drs/python/drs_base.py
index 10f2e63..66a0d8d 100644
--- a/source4/torture/drs/python/drs_base.py
+++ b/source4/torture/drs/python/drs_base.py
@@ -120,7 +120,8 @@ class DrsBaseTestCase(SambaToolCmdTest):
# bin/samba-tool drs <drs_command> <cmdline_auth>
return ["drs", drs_command, cmdline_auth]

- def _net_drs_replicate(self, DC, fromDC, nc_dn=None, forced=True, local=False, full_sync=False):
+ def _net_drs_replicate(self, DC, fromDC, nc_dn=None, forced=True,
+ local=False, full_sync=False, single=False):
if nc_dn is None:
nc_dn = self.domain_dn
# make base command line
@@ -134,6 +135,8 @@ class DrsBaseTestCase(SambaToolCmdTest):
samba_tool_cmdline += ["--local"]
if full_sync:
samba_tool_cmdline += ["--full-sync"]
+ if single:
+ samba_tool_cmdline += ["--single-object"]

(result, out, err) = self.runsubcmd(*samba_tool_cmdline)
self.assertCmdSuccess(result, out, err)
diff --git a/source4/torture/drs/python/replica_sync.py b/source4/torture/drs/python/replica_sync.py
index 93407df..927a085 100644
--- a/source4/torture/drs/python/replica_sync.py
+++ b/source4/torture/drs/python/replica_sync.py
@@ -42,6 +42,8 @@ class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase):

def setUp(self):
super(DrsReplicaSyncTestCase, self).setUp()
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True)
+ self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, forced=True)
self.ou1 = None
self.ou2 = None

diff --git a/source4/torture/drs/python/replica_sync_rodc.py b/source4/torture/drs/python/replica_sync_rodc.py
new file mode 100644
index 0000000..907cef4
--- /dev/null
+++ b/source4/torture/drs/python/replica_sync_rodc.py
@@ -0,0 +1,156 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Test conflict scenarios on the RODC
+#
+# Copyright (C) Kamen Mazdrashki <***@samba.org> 2011
+# Copyright (C) Catalyst.NET Ltd 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+#
+# Usage:
+# export DC1=dc1_dns_name
+# export DC2=dc2_dns_name (RODC)
+# export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun
+# PYTHONPATH="$PYTHONPATH:$samba4srcdir/torture/drs/python" $SUBUNITRUN replica_sync_rodc -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD"
+#
+
+import drs_base
+import samba.tests
+import time
+import ldb
+
+from ldb import (
+ SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT)
+
+class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase):
+ """Intended as a black box test case for DsReplicaSync
+ implementation. It should test the behavior of this
+ case in cases when inbound replication is disabled"""
+
+ def setUp(self):
+ super(DrsReplicaSyncTestCase, self).setUp()
+ self._disable_inbound_repl(self.dnsname_dc1)
+ self._disable_all_repl(self.dnsname_dc1)
+ self.ou1 = None
+ self.ou2 = None
+
+ def tearDown(self):
+ # re-enable replication
+ self._enable_inbound_repl(self.dnsname_dc1)
+ self._enable_all_repl(self.dnsname_dc1)
+
+ super(DrsReplicaSyncTestCase, self).tearDown()
+
+ def _create_ou(self, samdb, name):
+ ldif = """
+dn: %s,%s
+objectClass: organizationalUnit
+""" % (name, self.domain_dn)
+ samdb.add_ldif(ldif)
+ res = samdb.search(base="%s,%s" % (name, self.domain_dn),
+ scope=SCOPE_BASE, attrs=["objectGUID"])
+ return self._GUID_string(res[0]["objectGUID"][0])
+
+ def _check_deleted(self, sam_ldb, guid):
+ # search the user by guid as it may be deleted
+ res = sam_ldb.search(base='<GUID=%s>' % guid,
+ controls=["show_deleted:1"],
+ attrs=["isDeleted", "objectCategory", "ou"])
+ self.assertEquals(len(res), 1)
+ ou_cur = res[0]
+ # Deleted Object base DN
+ dodn = self._deleted_objects_dn(sam_ldb)
+ # now check properties of the user
+ name_cur = ou_cur["ou"][0]
+ self.assertEquals(ou_cur["isDeleted"][0],"TRUE")
+ self.assertTrue(not("objectCategory" in ou_cur))
+ self.assertTrue(dodn in str(ou_cur["dn"]),
+ "OU %s is deleted but it is not located under %s!" % (name_cur, dodn))
+
+
+ def test_ReplConflictsRODC(self):
+ """Tests that objects created in conflict become conflict DNs"""
+ # Replicate all objects to RODC beforehand
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True)
+
+ # Create conflicting objects on DC1 and DC2, with DC1 object created first
+ name = "OU=Test RODC Conflict"
+ self.ou1 = self._create_ou(self.ldb_dc1, name)
+
+ # Replicate single object
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1,
+ nc_dn="%s,%s" % (name, self.domain_dn),
+ local=True, single=True, forced=True)
+
+ # Delete the object, so another can be added
+ self.ldb_dc1.delete('<GUID=%s>' % self.ou1)
+
+ # Create a conflicting DN as it would appear to the RODC
+ self.ou2 = self._create_ou(self.ldb_dc1, name)
+
+ try:
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1,
+ nc_dn="%s,%s" % (name, self.domain_dn),
+ local=True, single=True, forced=True)
+ except:
+ # Cleanup the object
+ self.ldb_dc1.delete('<GUID=%s>' % self.ou2)
+ return
+
+ # Replicate cannot succeed, HWM would be updated incorrectly.
+ self.fail("DRS replicate should have failed.")
+
+ def test_ReplConflictsRODCRename(self):
+ """Tests that objects created in conflict become conflict DNs"""
+ # Replicate all objects to RODC beforehand
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True)
+
+ # Create conflicting objects on DC1 and DC2, with DC1 object created first
+ name = "OU=Test RODC Rename Conflict"
+ self.ou1 = self._create_ou(self.ldb_dc1, name)
+
+ # Replicate single object
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1,
+ nc_dn="%s,%s" % (name, self.domain_dn),
+ local=True, single=True, forced=True)
+
+ # Create a non-conflicting DN to rename as conflicting
+ free_name = "OU=Test RODC Rename No Conflict"
+ self.ou2 = self._create_ou(self.ldb_dc1, free_name)
+
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1,
+ nc_dn="%s,%s" % (free_name, self.domain_dn),
+ local=True, single=True, forced=True)
+
+ # Delete the object, so we can rename freely
+ # DO NOT REPLICATE TO THE RODC
+ self.ldb_dc1.delete('<GUID=%s>' % self.ou1)
+
+ # Collide the name from the RODC perspective
+ self.ldb_dc1.rename("<GUID=%s>" % self.ou2, "%s,%s" % (name, self.domain_dn))
+
+ try:
+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1,
+ nc_dn="%s,%s" % (name, self.domain_dn),
+ local=True, single=True, forced=True)
+ except:
+ # Cleanup the object
+ self.ldb_dc1.delete('<GUID=%s>' % self.ou2)
+ return
+
+ # Replicate cannot succeed, HWM would be updated incorrectly.
+ self.fail("DRS replicate should have failed.")
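Review bot: both tests wrap the final `_net_drs_replicate` call in a bare `except:` and return as success, so any exception at all (a connection failure, a NameError from a typo, even KeyboardInterrupt) makes the test pass without showing that the RODC rejected the conflict. Catch the assertion failure that `assertCmdSuccess` raises and, ideally, check the command's error output for the conflict message. Smaller points: the class docstring and both test docstrings were carried over from replica_sync and do not describe these tests, which expect replication to fail rather than conflict DNs to be created; `samba.tests`, `time`, `ldb`, `LdbError` and `ERR_NO_SUCH_OBJECT` are imported but unused, as is `_check_deleted`; and `self.ou2` is only deleted on the expected-failure path, so a regression leaves the object behind for later tests.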
--
Samba Shared Repository
Jeremy Allison
2018-02-15 23:57:02 UTC
The branch, master has been updated
via f8313d7 winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST
via 0e3c2c8 winbind: Don't explicitly send "server_id" for ONLINESTATUS
from 9952eda repl_metadata: Avoid silent skipping an object during DRS (due to RODC rename collisions)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f8313d715b073a36b95c09f40c1f2dfc9bf7d5b6
Author: Volker Lendecke <***@samba.org>
Date: Tue Feb 13 14:05:43 2018 +0100

winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST

messaging already provides the sender id

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Fri Feb 16 00:56:36 CET 2018 on sn-devel-144

commit 0e3c2c8bc66d747e0eb8e7c1736268f7fd0b0d7a
Author: Volker Lendecke <***@samba.org>
Date: Tue Feb 13 14:05:15 2018 +0100

winbind: Don't explicitly send "server_id" for ONLINESTATUS

Messaging already provides the sender id

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/utils/smbcontrol.c | 26 +++-----------------------
source3/winbindd/winbindd_dual.c | 27 +++++----------------------
2 files changed, 8 insertions(+), 45 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
index 0f6dacc..c4b5630 100644
--- a/source3/utils/smbcontrol.c
+++ b/source3/utils/smbcontrol.c
@@ -1160,10 +1160,6 @@ static bool do_winbind_onlinestatus(struct tevent_context *ev_ctx,
const struct server_id pid,
const int argc, const char **argv)
{
- struct server_id myid;
-
- myid = messaging_server_id(msg_ctx);
-
if (argc != 1) {
fprintf(stderr, "Usage: smbcontrol winbindd onlinestatus\n");
return False;
@@ -1172,9 +1168,9 @@ static bool do_winbind_onlinestatus(struct tevent_context *ev_ctx,
messaging_register(msg_ctx, NULL, MSG_WINBIND_ONLINESTATUS,
print_pid_string_cb);

- if (!send_message(msg_ctx, pid, MSG_WINBIND_ONLINESTATUS, &myid,
- sizeof(myid)))
+ if (!send_message(msg_ctx, pid, MSG_WINBIND_ONLINESTATUS, NULL, 0)) {
return False;
+ }

wait_replies(ev_ctx, msg_ctx, procid_to_pid(&pid) == 0);

@@ -1208,11 +1204,6 @@ static bool do_winbind_dump_domain_list(struct tevent_context *ev_ctx,
{
const char *domain = NULL;
int domain_len = 0;
- struct server_id myid;
- uint8_t *buf = NULL;
- int buf_len = 0;
-
- myid = messaging_server_id(msg_ctx);

if (argc < 1 || argc > 2) {
fprintf(stderr, "Usage: smbcontrol <dest> dump-domain-list "
@@ -1228,19 +1219,9 @@ static bool do_winbind_dump_domain_list(struct tevent_context *ev_ctx,
messaging_register(msg_ctx, NULL, MSG_WINBIND_DUMP_DOMAIN_LIST,
print_pid_string_cb);

- buf_len = sizeof(myid)+domain_len;
- buf = SMB_MALLOC_ARRAY(uint8_t, buf_len);
- if (!buf) {
- return false;
- }
-
- memcpy(buf, &myid, sizeof(myid));
- memcpy(&buf[sizeof(myid)], domain, domain_len);
-
if (!send_message(msg_ctx, pid, MSG_WINBIND_DUMP_DOMAIN_LIST,
- buf, buf_len))
+ domain, domain_len))
{
- SAFE_FREE(buf);
return false;
}

@@ -1248,7 +1229,6 @@ static bool do_winbind_dump_domain_list(struct tevent_context *ev_ctx,

/* No replies were received within the timeout period */

- SAFE_FREE(buf);
if (num_replies == 0) {
printf("No replies received\n");
}
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 993166d..7fb5aa8 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -796,16 +796,9 @@ void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
{
TALLOC_CTX *mem_ctx;
const char *message;
- struct server_id *sender;

DEBUG(5,("winbind_msg_onlinestatus received.\n"));

- if (!data->data) {
- return;
- }
-
- sender = (struct server_id *)data->data;
-
mem_ctx = talloc_init("winbind_msg_onlinestatus");
if (mem_ctx == NULL) {
return;
@@ -817,7 +810,7 @@ void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
return;
}

- messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS,
+ messaging_send_buf(msg_ctx, server_id, MSG_WINBIND_ONLINESTATUS,
(const uint8_t *)message, strlen(message) + 1);

talloc_destroy(mem_ctx);
@@ -855,7 +848,6 @@ void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
{
TALLOC_CTX *mem_ctx;
const char *message = NULL;
- struct server_id *sender = NULL;
const char *domain = NULL;
char *s = NULL;
NTSTATUS status;
@@ -863,22 +855,13 @@ void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,

DEBUG(5,("winbind_msg_dump_domain_list received.\n"));

- if (!data || !data->data) {
- return;
- }
-
- if (data->length < sizeof(struct server_id)) {
- return;
- }
-
mem_ctx = talloc_init("winbind_msg_dump_domain_list");
if (!mem_ctx) {
return;
}

- sender = (struct server_id *)data->data;
- if (data->length > sizeof(struct server_id)) {
- domain = (const char *)data->data+sizeof(struct server_id);
+ if (data->length > 0) {
+ domain = (const char *)data->data;
}

if (domain) {
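Review bot: `domain = (const char *)data->data;` treats the message payload as a C string, but the only check is `data->length > 0`; nothing verifies that the last byte is NUL, and the earlier `!data || !data->data` guard is removed in this hunk. The payload comes from another process, so reject messages where `data->data[data->length - 1] != '\0'` before using `domain`, and keep a NULL check on `data` unless the messaging layer guarantees it is never NULL. On the sending side in smbcontrol.c, `domain_len` is computed outside the visible hunks; confirm it counts the terminator.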
@@ -893,7 +876,7 @@ void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
return;
}

- messaging_send_buf(msg_ctx, *sender,
+ messaging_send_buf(msg_ctx, server_id,
MSG_WINBIND_DUMP_DOMAIN_LIST,
(const uint8_t *)message, strlen(message) + 1);

@@ -918,7 +901,7 @@ void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
}
}

- status = messaging_send_buf(msg_ctx, *sender,
+ status = messaging_send_buf(msg_ctx, server_id,
MSG_WINBIND_DUMP_DOMAIN_LIST,
(uint8_t *)s, strlen(s) + 1);
if (!NT_STATUS_IS_OK(status)) {
--
Samba Shared Repository
Uri Simchoni
2018-02-19 11:32:04 UTC
The branch, master has been updated
via d35a22c Fix incorrect `ldbsearch` invocation
via e2023e8 Remove some bashisms from the test scripts
via 3450dd6 Don't load LDB_MODULESDIR as a module file
from f8313d7 winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d35a22cc445795faf8331b6d4b195e0c35eab99e
Author: Timur I. Bakeyev <***@iXsystems.com>
Date: Mon Dec 11 05:05:19 2017 +0100

Fix incorrect `ldbsearch` invocation

Signed-off-by: Timur I. Bakeyev <***@iXsystems.com>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Björn Jacke <***@samba.org>

Autobuild-User(master): Uri Simchoni <***@samba.org>
Autobuild-Date(master): Mon Feb 19 12:31:38 CET 2018 on sn-devel-144

commit e2023e86d54be86784a18ccbeced4e2a046c710d
Author: Timur I. Bakeyev <***@iXsystems.com>
Date: Mon Dec 11 02:47:21 2017 +0100

Remove some bashisms from the test scripts

Signed-off-by: Timur I. Bakeyev <***@iXsystems.com>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Christof Schmitt <***@samba.org>

commit 3450dd6a50d1d08f49de5ff98f2ce20f31081636
Author: Timur I. Bakeyev <***@iXsystems.com>
Date: Wed Feb 14 02:31:58 2018 +0100

Don't load LDB_MODULESDIR as a module file

We are setting modules directory here(LDB_MODULESDIR) so treat it this
way, no need to attempt to load it as a module file.

Signed-off-by: Timur I. Bakeyev <***@iXsystems.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
lib/ldb/common/ldb_modules.c | 2 +-
source3/script/smbaddshare | 4 ++--
source3/script/smbchangeshare | 8 ++++----
source3/script/smbdeleteshare | 2 +-
source3/script/tests/test_forceuser_validusers.sh | 2 +-
source3/script/tests/test_smbclient_s3.sh | 4 ++--
testprogs/blackbox/dbcheck-oldrelease.sh | 2 +-
testprogs/blackbox/test_wintest.sh | 3 +--
8 files changed, 13 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c
index 25551e1..cc067ab 100644
--- a/lib/ldb/common/ldb_modules.c
+++ b/lib/ldb/common/ldb_modules.c
@@ -1103,7 +1103,7 @@ static int ldb_modules_load_dir(const char *modules_dir, const char *version)
*/
void ldb_set_modules_dir(struct ldb_context *ldb, const char *path)
{
- int ret = ldb_modules_load_path(path, LDB_VERSION);
+ int ret = ldb_modules_load_dir(path, LDB_VERSION);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to load modules from: %s\n", path);
}
diff --git a/source3/script/smbaddshare b/source3/script/smbaddshare
index 62f1bdf..704c9f4 100755
--- a/source3/script/smbaddshare
+++ b/source3/script/smbaddshare
@@ -19,14 +19,14 @@ NETCONF="$BINDIR/net --configfile=$CONF conf"

$NETCONF addshare "$SHARENAME" "$SHAREPATH" writeable=no guest_ok=no "$COMMENT"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during addshare: rc=$RC
exit $RC
fi

$NETCONF setparm "$SHARENAME" 'max connections' "$MAX_CONN"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during setparm for max connections: rc=$RC
exit $RC
fi
diff --git a/source3/script/smbchangeshare b/source3/script/smbchangeshare
index 2f3fa3b..098e968 100755
--- a/source3/script/smbchangeshare
+++ b/source3/script/smbchangeshare
@@ -20,28 +20,28 @@ NETCONF="$BINDIR/net --configfile=$CONF conf"

$NETCONF setparm "$SHARENAME" 'path' "$SHAREPATH"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during setparm for path: rc=$RC
exit $RC
fi

$NETCONF setparm "$SHARENAME" 'comment' "$COMMENT"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failed during setparm for comment: rc=$RC
exit $RC
fi

$NETCONF setparm "$SHARENAME" 'max connections' "$MAX_CONN"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during setparm for max connections: rc=$RC
exit $RC
fi

$NETCONF setparm "$SHARENAME" 'csc policy' "$CSC_POLICY"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during setparm for csc policy: rc=$RC
exit $RC
fi
diff --git a/source3/script/smbdeleteshare b/source3/script/smbdeleteshare
index 8cd8d1f..8f70678 100755
--- a/source3/script/smbdeleteshare
+++ b/source3/script/smbdeleteshare
@@ -15,7 +15,7 @@ SHARENAME="$2"
NETCONF="$BINDIR/net --configfile=$CONF conf"
$NETCONF delshare "$SHARENAME"
RC=$?
-if [[ $RC -ne 0 ]]; then
+if [ $RC -ne 0 ]; then
echo Failure during delshare command: rc=$RC
exit $RC
fi
diff --git a/source3/script/tests/test_forceuser_validusers.sh b/source3/script/tests/test_forceuser_validusers.sh
index 07aa1a5..4b6d66e 100755
--- a/source3/script/tests/test_forceuser_validusers.sh
+++ b/source3/script/tests/test_forceuser_validusers.sh
@@ -29,7 +29,7 @@ incdir=`dirname $0`/../../../testprogs/blackbox
run_cmd_nooutput() {
CMD="$1"

- out=`eval ${CMD} &> TESTOUT`
+ out=`eval ${CMD} > TESTOUT 2>&1`
if [ $? != 0 ] ; then
cat TESTOUT
rm -f TESTOUT
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index 8017d19..db77eb1 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -835,7 +835,7 @@ EOF

echo "$out" | grep 'NT_STATUS'
ret=$?
- if [ $ret == 0 ] ; then
+ if [ $ret = 0 ] ; then
echo "$out"
echo "failed - NT_STATUS_XXXX listing \\manglenames_share\\FF4GBY~Q"
return 1
@@ -971,7 +971,7 @@ EOF

echo "$out" | grep 'NT_STATUS'
ret=$?
- if [ $ret == 0 ] ; then
+ if [ $ret = 0 ] ; then
echo "$out"
echo "failed - NT_STATUS_XXXX listing \\widelinks_share\\dot"
return 1
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index a525f54..55e6ddf 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -240,7 +240,7 @@ check_expected_after_values() {
elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then
echo $RELEASE checking after values
tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp
- $BINDIR/ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted > $tmpldif
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted > $tmpldif
diff $tmpldif $release_dir/expected-links-after-dbcheck.ldif
if [ "$?" != "0" ]; then
return 1
diff --git a/testprogs/blackbox/test_wintest.sh b/testprogs/blackbox/test_wintest.sh
index f13e94b..5019900 100755
--- a/testprogs/blackbox/test_wintest.sh
+++ b/testprogs/blackbox/test_wintest.sh
@@ -26,8 +26,7 @@ if [ -z "$WINTEST_CONF_DIR" ]; then
exit 0;
fi

-SOCKET_WRAPPER_DIR=
-export -n SOCKET_WRAPPER_DIR
+unset SOCKET_WRAPPER_DIR

failed=0
--
Samba Shared Repository
Andrew Bartlett
2018-02-19 22:48:02 UTC
The branch, master has been updated
via 7573b2a tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings
via 654b767 s3:tldap: Comment code for to LDAP escaping version
via c96dc78 s3:tldap: Fix parsing LDAPv2 escaped strings
via 9c9c275 python/tests/sites: ensure we can't manipulate subnets as non-admin
via 7b45dc6 subnet: Avoid a segfault when renaming subnet objects
from d35a22c Fix incorrect `ldbsearch` invocation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7573b2a960c5bd32ac6d42b10bb46329ff7fa7b7
Author: Andreas Schneider <***@samba.org>
Date: Mon Feb 19 12:08:26 2018 +0100

tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Feb 19 23:47:08 CET 2018 on sn-devel-144

commit 654b76739a72b8ecdf0542c0b9a566b82dcfb1e1
Author: Andreas Schneider <***@samba.org>
Date: Mon Feb 19 12:29:55 2018 +0100

s3:tldap: Comment code for to LDAP escaping version

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit c96dc78aa680d3a1c1d53ea9b18a966025a93e16
Author: Andreas Schneider <***@samba.org>
Date: Wed Jul 26 17:48:34 2017 +0200

s3:tldap: Fix parsing LDAPv2 escaped strings

Yes, this is outdated, but the missing 'break' produces a compiler
warning.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Simo Sorce <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 9c9c2754a950d6cd411d490fa7fb9fad5b194a01
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Feb 15 15:08:03 2018 +1300

python/tests/sites: ensure we can't manipulate subnets as non-admin

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 7b45dc6841ff534e7a0eb481aa4f4149a716824f
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Sep 20 14:55:11 2017 +1200

subnet: Avoid a segfault when renaming subnet objects

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/subnets.py | 33 ++++++++
selftest/tests.py | 3 +
source3/lib/test_tldap.c | 62 +++++++++++++++
source3/lib/tldap.c | 4 +
source3/wscript_build | 10 +++
source4/dsdb/samdb/ldb_modules/samldb.c | 8 +-
source4/dsdb/tests/python/sites.py | 133 +++++++++++++++++++++++++++++++-
7 files changed, 248 insertions(+), 5 deletions(-)
create mode 100644 source3/lib/test_tldap.c


Changeset truncated at 500 lines:

diff --git a/python/samba/subnets.py b/python/samba/subnets.py
index e859f06..72eeb0f 100644
--- a/python/samba/subnets.py
+++ b/python/samba/subnets.py
@@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):

samdb.delete(dnsubnet)

+def rename_subnet(samdb, configDn, subnet_name, new_name):
+ """Rename a subnet.
+
+ :param samdb: A samdb connection
+ :param configDn: The DN of the configuration partition
+ :param subnet_name: Name of the subnet to rename
+ :param new_name: New name for the subnet
+ :return: None
+ :raise SubnetNotFound: if the subnet to be renamed does not exist.
+ :raise SubnetExists: if the subnet to be created already exists.
+ """
+ dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
+ if dnsubnet.add_base(configDn) == False:
+ raise SubnetException("dnsubnet.add_base() failed")
+ if dnsubnet.add_child("CN=X") == False:
+ raise SubnetException("dnsubnet.add_child() failed")
+ dnsubnet.set_component(0, "CN", subnet_name)
+
+ newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
+ newdnsubnet.set_component(0, "CN", new_name)
+ try:
+ samdb.rename(dnsubnet, newdnsubnet)
+ except LdbError as (enum, estr):
+ if enum == ldb.ERR_NO_SUCH_OBJECT:
+ raise SubnetNotFound('Subnet %s does not exist' % subnet)
+ elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
+ raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
+ % new_name)
+ elif enum == ldb.ERR_INVALID_DN_SYNTAX:
+ raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
+ estr))
+ else:
+ raise

def set_subnet_site(samdb, configDn, subnet_name, site_name):
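Review bot: the ERR_NO_SUCH_OBJECT branch in rename_subnet() formats its message with `subnet`, which is not defined in this function (the parameter is `subnet_name`), so renaming a missing subnet raises NameError instead of SubnetNotFound; use `% subnet_name`. The docstring lists `:raise SubnetExists:` while the code raises SubnetAlreadyExists, and the SubnetInvalid case is not documented at all. `except LdbError as (enum, estr):` is Python 2 only syntax; `except LdbError as e:` with `e.args`, as the new tests in sites.py already do, works on both.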
"""Assign a subnet to a site.
diff --git a/selftest/tests.py b/selftest/tests.py
index ec48b03..be1be45 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -180,3 +180,6 @@ if with_cmocka:

plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+
+ plantestsuite("samba.unittests.tldap", "none",
+ [os.path.join(bindir(), "default/source3/test_tldap")])
diff --git a/source3/lib/test_tldap.c b/source3/lib/test_tldap.c
new file mode 100644
index 0000000..a6c2f21
--- /dev/null
+++ b/source3/lib/test_tldap.c
@@ -0,0 +1,62 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Test suite for ldap client
+ *
+ * Copyright (C) 2018 Andreas Schneider <***@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "source3/lib/tldap.c"
+
+static void test_tldap_unescape_ldapv3(void **state)
+{
+ const char *unescaped_dn = "(&(objectclass=group)(cn=Samba*))";
+ char dn[] = "\\28&\\28objectclass=group\\29\\28cn=Samba\\2a\\29\\29";
+ size_t dnlen = sizeof(dn);
+ bool ok;
+
+ ok = tldap_unescape_inplace(dn, &dnlen);
+ assert_true(ok);
+
+ assert_string_equal(dn, unescaped_dn);
+}
+
+static void test_tldap_unescape_ldapv2(void **state)
+{
+ const char *unescaped_dn = "(&(objectclass=group)(cn=Samba*))";
+ char dn[] = "\\(&\\(objectclass=group\\)\\(cn=Samba\\*\\)\\)";
+ size_t dnlen = sizeof(dn);
+ bool ok;
+
+ ok = tldap_unescape_inplace(dn, &dnlen);
+ assert_true(ok);
+
+ assert_string_equal(dn, unescaped_dn);
+}
+
+int main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_tldap_unescape_ldapv3),
+ cmocka_unit_test(test_tldap_unescape_ldapv2)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
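Review bot: both tests exercise only the success path and never look at `dnlen` after the call. tldap_unescape_inplace() has a `default: /* invalid */ return false;` branch, so add a case with an unsupported escape that asserts `ok` is false, and assert the value left in `dnlen` in the two existing tests so a length miscalculation is caught (note that `sizeof(dn)` counts the trailing NUL). The buffers hold search filters, not DNs, so `filter` and `unescaped_filter` would be clearer names.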
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index 40064fd..205a9cf 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1280,6 +1280,7 @@ static bool tldap_unescape_inplace(char *value, size_t *val_len)
}
i++;

+ /* LDAPv3 escaped */
c = tldap_hex2char(&value[i]);
if (c >= 0 && c < 256) {
value[p] = c;
@@ -1288,6 +1289,7 @@ static bool tldap_unescape_inplace(char *value, size_t *val_len)
break;
}

+ /* LDAPv2 escaped */
switch (value[i]) {
case '(':
case ')':
@@ -1295,6 +1297,8 @@ static bool tldap_unescape_inplace(char *value, size_t *val_len)
case '\\':
value[p] = value[i];
p++;
+
+ break;
default:
/* invalid */
return false;
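Review bot: the added `break;` after `p++;` is a behaviour fix, not only a warning fix, and the commit message should say so. Without it the `case '\\':` group fell through into `default:` and returned false, so an LDAPv2-style escape was rejected after its byte had already been copied into `value[p]`. The blank line before `break;` can be dropped.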
diff --git a/source3/wscript_build b/source3/wscript_build
index 76c5d6e..d5ac7a2 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -106,6 +106,16 @@ bld.SAMBA3_SUBSYSTEM('TLDAP',
samba3util
''')

+bld.SAMBA3_BINARY('test_tldap',
+ source='lib/test_tldap.c',
+ deps='''
+ asn1util
+ LIBTSOCKET
+ samba3util
+ smbconf
+ cmocka
+ ''')
+
# libpdb.so should not expose internal symbols that are only usable
# to the statically linked modules that are merged into libpdb.
# Note that we always filter these symbols out in libpdb, even
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 971048d..3e429e1 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -3351,13 +3351,13 @@ static int verify_cidr(const char *cidr)
}


-static int samldb_verify_subnet(struct samldb_ctx *ac)
+static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
{
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
const char *cidr = NULL;
const struct ldb_val *rdn_value = NULL;

- rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
+ rdn_value = ldb_dn_get_rdn_val(dn);
if (rdn_value == NULL) {
ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
"failed");
@@ -3588,7 +3588,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)

if (samdb_find_attribute(ldb, ac->msg,
"objectclass", "subnet") != NULL) {
- ret = samldb_verify_subnet(ac);
+ ret = samldb_verify_subnet(ac, ac->msg->dn);
if (ret != LDB_SUCCESS) {
talloc_free(ac);
return ret;
@@ -3991,7 +3991,7 @@ static int check_rename_constraints(struct ldb_message *msg,

/* subnet objects */
if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
- ret = samldb_verify_subnet(ac);
+ ret = samldb_verify_subnet(ac, newdn);
if (ret != LDB_SUCCESS) {
talloc_free(ac);
return ret;
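Review bot: in check_rename_constraints() the object class is still tested on `msg` while the CIDR is now validated on `newdn`, and nothing in the code says why. The old call made samldb_verify_subnet() dereference `ac->msg->dn`, which the commit subject ties to the segfault; a one-line comment at this call ("validate the new RDN, ac->msg is not usable here") and a short description of the new `dn` parameter on samldb_verify_subnet() would keep a later cleanup from folding the argument back into `ac`.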
diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
index a24f9b5..3bb53d9 100755
--- a/source4/dsdb/tests/python/sites.py
+++ b/source4/dsdb/tests/python/sites.py
@@ -30,9 +30,12 @@ from samba import sites
from samba import subnets
from samba.auth import system_session
from samba.samdb import SamDB
+from samba import gensec
+from samba.credentials import Credentials, DONT_USE_KERBEROS
import samba.tests
+from samba.tests import delete_force
from samba.dcerpc import security
-from ldb import SCOPE_SUBTREE
+from ldb import SCOPE_SUBTREE, LdbError, ERR_INSUFFICIENT_ACCESS_RIGHTS

parser = optparse.OptionParser("sites.py [options] <host>")
sambaopts = options.SambaOptions(parser)
@@ -183,6 +186,134 @@ class SimpleSubnetTests(SitesBaseTests):
self.assertRaises(subnets.SubnetNotFound,
subnets.delete_subnet, self.ldb, basedn, cidr)

+ def get_user_and_ldb(self, username, password, hostname=ldaphost):
+ """Get a connection for a temporarily user that will vanish as soon as
+ the test is over."""
+ user = self.ldb.newuser(username, password)
+ creds_tmp = Credentials()
+ creds_tmp.set_username(username)
+ creds_tmp.set_password(password)
+ creds_tmp.set_domain(creds.get_domain())
+ creds_tmp.set_realm(creds.get_realm())
+ creds_tmp.set_workstation(creds.get_workstation())
+ creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
+ | gensec.FEATURE_SEAL)
+ creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)
+ ldb_target = SamDB(url=hostname, credentials=creds_tmp, lp=lp)
+ self.addCleanup(delete_force, self.ldb, self.get_user_dn(username))
+ return (user, ldb_target)
+
+ def test_rename_delete_good_subnet_to_good_subnet_other_user(self):
+ """Make sure that we can't rename or delete subnets when we aren't
+ admin."""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.16.0.0/24"
+ new_cidr = "10.16.1.0/24"
+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+ user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
+ try:
+ subnets.rename_subnet(non_admin_ldb, basedn, cidr, new_cidr)
+ except LdbError as e:
+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+ ("subnet rename by non-admin failed "
+ "in the wrong way: %s" % e))
+ else:
+ self.fail("subnet rename by non-admin succeeded: %s" % e)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 1, ('Subnet %s destroyed or renamed '
+ 'by non-admin' % cidr))
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression=('(&(objectclass=subnet)(cn=%s))'
+ % new_cidr))
+
+ self.assertEqual(len(ret), 0,
+ 'New subnet %s created by non-admin' % cidr)
+
+ try:
+ subnets.delete_subnet(non_admin_ldb, basedn, cidr)
+ except LdbError as e:
+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+ ("subnet delete by non-admin failed "
+ "in the wrong way: %s" % e))
+ else:
+ self.fail("subnet delete by non-admin succeeded: %s" % e)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 1, 'Subnet %s deleted non-admin' % cidr)
+
+ subnets.delete_subnet(self.ldb, basedn, cidr)
+
+ def test_create_good_subnet_other_user(self):
+ """Make sure that we can't create subnets when we aren't admin."""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.16.0.0/24"
+ user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
+ try:
+ subnets.create_subnet(non_admin_ldb, basedn, cidr, self.sitename)
+ except LdbError as e:
+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
+ ("subnet create by non-admin failed "
+ "in the wrong way: %s" % e))
+ else:
+ subnets.delete_subnet(self.ldb, basedn, cidr)
+ self.fail("subnet create by non-admin succeeded: %s")
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 0, 'New subnet %s created by non-admin' % cidr)
+
+ def test_rename_good_subnet_to_good_subnet(self):
+ """Make sure that we can rename subnets"""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.16.0.0/24"
+ new_cidr = "10.16.1.0/24"
+
+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+ subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
+
+ self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
+
+ subnets.delete_subnet(self.ldb, basedn, new_cidr)
+
+ def test_rename_good_subnet_to_bad_subnet(self):
+ """Make sure that the CIDR checking runs during rename"""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.17.0.0/24"
+ bad_cidr = "10.11.12.0/14"
+
+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+ self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
+ self.ldb, basedn, cidr, bad_cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
+
+ self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
+
+ subnets.delete_subnet(self.ldb, basedn, cidr)
+
def test_create_bad_ranges(self):
"""These CIDR ranges all have something wrong with them, and they
should all fail."""
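Review bot: in the `else:` branches of the non-admin tests, `self.fail("... succeeded: %s" % e)` references `e`, which is only bound when LdbError was raised, so if the operation unexpectedly succeeds the test ends in NameError (or reports a stale exception from the previous `except`) instead of the intended failure; drop the `% e`. test_create_good_subnet_other_user has the opposite problem, a `%s` with no argument. Several assertion messages are copied from neighbouring checks and describe the wrong condition: 'New subnet %s created by non-admin' is formatted with `cidr` rather than `new_cidr`, and test_rename_good_subnet_to_bad_subnet says 'Failed to rename subnet' where the rename is expected to be refused. The subnets are deleted only on the last line of each test, so a failed assertion leaves 10.16.0.0/24 behind for the next test; register the delete with addCleanup, as get_user_and_ldb() does for the temporary user.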
--
Samba Shared Repository
Andreas Schneider
2018-02-20 20:47:02 UTC
The branch, master has been updated
via a6eac8f smbspool: Improve URI handling code
from 7573b2a tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a6eac8f64989235e7a297c14e349d98a3fc70e47
Author: Andreas Schneider <***@samba.org>
Date: Fri Jan 5 10:50:57 2018 +0100

smbspool: Improve URI handling code

This also checks that the URI given via the environment variables
starts with smb://

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Tue Feb 20 21:46:38 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/client/smbspool.c | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 949cdb4..152492e 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -100,6 +100,8 @@ main(int argc, /* I - Number of command-line arguments */
const char *dev_uri;
const char *config_file = NULL;
TALLOC_CTX *frame = talloc_stackframe();
+ int cmp;
+ int len;

if (argc == 1) {
/*
@@ -153,20 +155,25 @@ main(int argc, /* I - Number of command-line arguments */
}

/*
- * Find the URI...
- */
-
+ * Find the URI ...
+ */
dev_uri = getenv("DEVICE_URI");
- if (dev_uri) {
- strncpy(uri, dev_uri, sizeof(uri) - 1);
- } else if (strncmp(argv[1], "smb://", 6) == 0) {
- strncpy(uri, argv[1], sizeof(uri) - 1);
- } else {
- fputs("ERROR: No device URI found in DEVICE_URI environment variable or arg1 !\n", stderr);
- goto done;
+ if (dev_uri == NULL || strlen(dev_uri) == 0) {
+ dev_uri = argv[1];
}

- uri[sizeof(uri) - 1] = '\0';
+ cmp = strncmp(dev_uri, "smb://", 6);
+ if (cmp != 0) {
+ fprintf(stderr,
+ "ERROR: No valid device URI has been specified\n");
+ goto done;
+ }
+ len = snprintf(uri, sizeof(uri), "%s", dev_uri);
+ if (len >= sizeof(uri)) {
+ fprintf(stderr,
+ "ERROR: The URI is too long.\n");
+ goto done;
+ }

/*
* Extract the destination from the URI...
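Review bot: `if (len >= sizeof(uri))` compares the signed `int len` with a `size_t`. A negative return from snprintf() is converted to a large unsigned value and reported as "The URI is too long", and the comparison itself draws a sign-compare warning. Test `len < 0` on its own and cast for the length check, e.g. `if (len < 0 || (size_t)len >= sizeof(uri))`. Rejecting an over-long URI instead of silently truncating it, as the removed strncpy() did, is the right behaviour and worth a line in the commit message next to the smb:// check.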
--
Samba Shared Repository
Jeremy Allison
2018-02-21 01:47:02 UTC
The branch, master has been updated
via 6f9c6d3 s3:auth: Pass mem_ctx to init_system_session_info()
via 7f47cec s3:auth: Pass mem_ctx to init_guest_session_info()
via b2aec11 s3:auth: Pass a mem_ctx to make_new_session_info_guest()
via 9abe972 tldap: Dump unnecessary includes
from a6eac8f smbspool: Improve URI handling code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6f9c6d369f4aa4a5c861f51041dd663e81e2ec4e
Author: Andreas Schneider <***@samba.org>
Date: Tue Feb 13 12:12:06 2018 +0100

s3:auth: Pass mem_ctx to init_system_session_info()

We have a stackframe we can use for the lifetime of the session.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Wed Feb 21 02:46:40 CET 2018 on sn-devel-144

commit 7f47cec2343ca7658460cc14fa613fdd2611677a
Author: Andreas Schneider <***@samba.org>
Date: Tue Feb 13 12:09:12 2018 +0100

s3:auth: Pass mem_ctx to init_guest_session_info()

Use a mem_ctx which gets freed if possible.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit b2aec11c76904bf6a8f67f0634cce5e443e77d8b
Author: Andreas Schneider <***@samba.org>
Date: Tue Feb 13 12:05:29 2018 +0100

s3:auth: Pass a mem_ctx to make_new_session_info_guest()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 9abe97285b7e1de25bf1c1f4fde8fd481a31a6bb
Author: Volker Lendecke <***@samba.org>
Date: Thu Feb 15 12:30:23 2018 +0100

tldap: Dump unnecessary includes

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/auth/auth_util.c | 36 +++++++++++++++++++++++-------------
source3/auth/proto.h | 4 ++--
source3/lib/tldap_util.c | 2 --
source3/smbd/server.c | 4 ++--
source3/torture/vfstest.c | 2 +-
source3/winbindd/winbindd.c | 2 +-
6 files changed, 29 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f543b33..4b20261 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -798,8 +798,12 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
left as-is for now.
***************************************************************************/

-static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
+static NTSTATUS make_new_session_info_guest(TALLOC_CTX *mem_ctx,
+ struct auth_session_info **_session_info,
+ struct auth_serversupplied_info **_server_info)
{
+ struct auth_session_info *session_info = NULL;
+ struct auth_serversupplied_info *server_info = NULL;
const char *guest_account = lp_guest_account();
const char *domain = lp_netbios_name();
struct netr_SamInfo3 info3;
@@ -823,7 +827,7 @@ static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_i
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
- server_info,
+ &server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("make_server_info_info3 failed with %s\n",
@@ -831,25 +835,26 @@ static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_i
goto done;
}

- (*server_info)->guest = true;
+ server_info->guest = true;

/* This should not be done here (we should produce a server
* info, and later construct a session info from it), but for
* now this does not change the previous behavior */
- status = create_local_token(tmp_ctx, *server_info, NULL,
- (*server_info)->info3->base.account_name.string,
- session_info);
+ status = create_local_token(tmp_ctx, server_info, NULL,
+ server_info->info3->base.account_name.string,
+ &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
- talloc_steal(NULL, *session_info);
- talloc_steal(NULL, *server_info);

/* annoying, but the Guest really does have a session key, and it is
all zeros! */
- (*session_info)->session_key = data_blob_talloc_zero(NULL, 16);
+ session_info->session_key = data_blob_talloc_zero(session_info, 16);
+
+ *_session_info = talloc_move(mem_ctx, &session_info);
+ *_server_info = talloc_move(mem_ctx, &server_info);

status = NT_STATUS_OK;
done:
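Review bot: the result of `data_blob_talloc_zero(session_info, 16)` is not checked. On allocation failure `session_key.data` is NULL and the function still moves both objects to the caller and returns NT_STATUS_OK, handing out a guest session without a key. Check `session_info->session_key.data == NULL` and `goto done` with NT_STATUS_NO_MEMORY before the two talloc_move() calls. Parenting the key to `session_info` rather than NULL is a good change.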
@@ -1131,12 +1136,17 @@ static struct auth_session_info *guest_info = NULL;

static struct auth_serversupplied_info *guest_server_info = NULL;

-bool init_guest_info(void)
+bool init_guest_session_info(TALLOC_CTX *mem_ctx)
{
+ NTSTATUS status;
+
if (guest_info != NULL)
return true;

- return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info));
+ status = make_new_session_info_guest(mem_ctx,
+ &guest_info,
+ &guest_server_info);
+ return NT_STATUS_IS_OK(status);
}

NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
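Review bot: `guest_info` and `guest_server_info` are file-scope statics, but init_guest_session_info() now parents them to the caller's `mem_ctx`. If that context is ever freed, the statics dangle and the `guest_info != NULL` early return keeps reporting success, so later users would read freed memory. Add a comment above the function stating that `mem_ctx` must outlive every use of the guest session, or clear the statics from a talloc destructor; the same applies to `system_info` in init_system_session_info() below.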
@@ -1159,12 +1169,12 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,

static struct auth_session_info *system_info = NULL;

-NTSTATUS init_system_session_info(void)
+NTSTATUS init_system_session_info(TALLOC_CTX *mem_ctx)
{
if (system_info != NULL)
return NT_STATUS_OK;

- return make_new_session_info_system(NULL, &system_info);
+ return make_new_session_info_system(mem_ctx, &system_info);
}

NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index ca851c2..bdefeaf 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -240,8 +240,8 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info);
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src);
-bool init_guest_info(void);
-NTSTATUS init_system_session_info(void);
+bool init_guest_session_info(TALLOC_CTX *mem_ctx);
+NTSTATUS init_system_session_info(TALLOC_CTX *mem_ctx);
bool session_info_set_session_key(struct auth_session_info *info,
DATA_BLOB session_key);
NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
diff --git a/source3/lib/tldap_util.c b/source3/lib/tldap_util.c
index 89f812b..508c6c0 100644
--- a/source3/lib/tldap_util.c
+++ b/source3/lib/tldap_util.c
@@ -22,8 +22,6 @@
#include "tldap_util.h"
#include "../libcli/security/security.h"
#include "../lib/util/asn1.h"
-#include "../librpc/ndr/libndr.h"
-#include "lib/util/base64.h"

bool tldap_entry_values(struct tldap_message *msg, const char *attribute,
DATA_BLOB **values, int *num_values)
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 99baf9d..e7e297f 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1984,14 +1984,14 @@ extern void build_options(bool screen);
exit_daemon("ERROR: failed to load share info db.", EACCES);
}

- status = init_system_session_info();
+ status = init_system_session_info(NULL);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("ERROR: failed to setup system user info: %s.\n",
nt_errstr(status)));
return -1;
}

- if (!init_guest_info()) {
+ if (!init_guest_session_info(NULL)) {
DEBUG(0,("ERROR: failed to setup guest info.\n"));
return -1;
}
diff --git a/source3/torture/vfstest.c b/source3/torture/vfstest.c
index f156def..17c1901 100644
--- a/source3/torture/vfstest.c
+++ b/source3/torture/vfstest.c
@@ -525,7 +525,7 @@ int main(int argc, const char *argv[])

/* some basic initialization stuff */
sec_init();
- init_guest_info();
+ init_guest_session_info(frame);
locking_init();
vfs = talloc_zero(NULL, struct vfs_state);
if (vfs == NULL) {
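Review bot: the return value of `init_guest_session_info(frame)` is still ignored here, while smbd/server.c treats a false return as fatal. Check it and exit with an error so vfstest does not continue without guest session info.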
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 6e3df1f..9611f73 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1768,7 +1768,7 @@ int main(int argc, const char **argv)
exit(1);
}

- status = init_system_session_info();
+ status = init_system_session_info(NULL);
if (!NT_STATUS_IS_OK(status)) {
exit_daemon("Winbindd failed to setup system user info", map_errno_from_nt_status(status));
}
--
Samba Shared Repository
Andrew Bartlett
2018-02-21 06:48:06 UTC
The branch, master has been updated
via 0b63f26 selftest: change technique for running specific envs
via 962e8a0 selftest: move to declaratively specifying environments and their dependencies
via 41085ad selftest: remove prototypes from some subroutine templates
from 6f9c6d3 s3:auth: Pass mem_ctx to init_system_session_info()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0b63f26bf72e5f5ce5ab6d052bc899375818a235
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Thu Feb 1 17:46:37 2018 +1300

selftest: change technique for running specific envs

Currently testsuites excluded with --exclude/--include-env are skipped when
encountered in the middle of a run, so they are included in progress reporting,
and the @todo list does not accurately show what will be done.

This change skips them earlier, preventing them from being added to @todo, as is
done with pattern-based including/excluding.

As well as making the progress indicator more accurate, this means that
selftest.pl can use @todo to determine when we are finished with an environment.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Wed Feb 21 07:47:58 CET 2018 on sn-devel-144

commit 962e8a0ea7db79b96dddec06a4bde211eea0d1d6
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Wed Feb 21 13:33:49 2018 +1300

selftest: move to declaratively specifying environments and their dependencies

This removes the tangle of code for starting up dependencies, and allows
selftest.pl to query dependencies (hence it can know when things can be shut
down early and how to order environments for optimal memory usage - that patch
not yet submitted).

It also removes the slightly hacky special-casing of the ad_members, and sets
$target->{vars} centrally (so each setup_ function does not need to).

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 41085ad37de56504467a0014b70f6a708dcde91b
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Thu Feb 8 16:51:23 2018 +1300

selftest: remove prototypes from some subroutine templates
Why do you remove the explicit argument declarations for so many functions?
These declarations help catch usage errors, i.e. wrong number of calling
arguments, especially when you add arguments to functions.
My understanding is that because these are object methods, the prototypes
actually were not providing the checking benefits [see PERLSUB(1) (section
"Prototypes")] -- this is evidenced by the fact that some of the prototypes I
removed actually had the wrong number of arguments!

Now that the subroutines are being dynamically called by function references,
the checking also appears not to apply [see the same source].

There was also a more concrete reason: the setup code will automatically set
up multiple environment dependencies and pass each of their vars as an
individual parameter. Accomplishing this was [seemingly] impossible with the
prototypes in place.

Additionally, there seems t