[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
2018-05-14 03:39:03 UTC
The branch, master has been updated
via d444221 traffic: improve add_short_packet by avoiding dict.get
via 21c8207 traffic: optimize packet init for better performance
via 2fc6cbb traffic: fix userAccountControl for machine account
via 72f98f9 traffic: change machine creds secure channel type
from 31cba34 smbd: Fix "reset on zero vc"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d444221d67abc05dc9966dd7e0a37d30f9848953
Author: Joe Guo <***@catalyst.net.nz>
Date: Thu May 10 17:23:02 2018 +1200

traffic: improve add_short_packet by avoiding dict.get

dict.get is slower than [].
Avoid get to improve performance.

(For 3989418 calls, total time decrease from 9.395 to 8.573)

Signed-off-by: Joe Guo <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon May 14 05:38:06 CEST 2018 on sn-devel-144

commit 21c82072ab87e3dee617b3219364e55e9c106432
Author: Joe Guo <***@catalyst.net.nz>
Date: Thu May 10 14:53:55 2018 +1200

traffic: optimize packet init for better performance

When we run traffic_replay, we are creating millions of Packet objects.
So a small change in Packet.__init__ will make a big difference.

By initializing the packet with converted values without parsing a string, the time
cost for 3961148 calls of Packet.__init__ decreases from 17s to 4s, according
to cProfile.

Signed-off-by: Joe Guo <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 2fc6cbb8cb4931f7f4b130817859d2a283ac541c
Author: Joe Guo <***@catalyst.net.nz>
Date: Wed May 2 22:22:52 2018 +0000

traffic: fix userAccountControl for machine account

change userAccountControl from

UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD

to

UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT

This will fix the NetrServerPasswordSet2 failure in packet_rpc_netlogon_30
while testing against Windows.

Signed-off-by: Joe Guo <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 72f98f9763669887482cf430c7734b0a0d69cc1b
Author: Joe Guo <***@catalyst.net.nz>
Date: Wed May 2 22:12:51 2018 +0000

traffic: change machine creds secure channel type

SEC_CHAN_WKSTA --> SEC_CHAN_BDC

This will fix the netlogon failure against Windows.

Signed-off-by: Joe Guo <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
python/samba/emulate/traffic.py | 94 +++++++-------
python/samba/emulate/traffic_packets.py | 3 +-
python/samba/tests/emulate/traffic_packet.py | 181 ++++++++++++++-------------
3 files changed, 145 insertions(+), 133 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/emulate/traffic.py b/python/samba/emulate/traffic.py
index 503e1e4..db0fcf7 100644
--- a/python/samba/emulate/traffic.py
+++ b/python/samba/emulate/traffic.py
@@ -42,9 +42,12 @@ from samba.drs_utils import drs_DsBind
import traceback
from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
from samba.auth import system_session
-from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
-from samba.dsdb import UF_NORMAL_ACCOUNT
-from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.dsdb import (
+ UF_NORMAL_ACCOUNT,
+ UF_SERVER_TRUST_ACCOUNT,
+ UF_TRUSTED_FOR_DELEGATION
+)
+from samba.dcerpc.misc import SEC_CHAN_BDC
from samba import gensec
from samba import sd_utils

@@ -135,10 +138,26 @@ class FakePacketError(Exception):

class Packet(object):
"""Details of a network packet"""
- def __init__(self, fields):
- if isinstance(fields, str):
- fields = fields.rstrip('\n').split('\t')
+ def __init__(self, timestamp, ip_protocol, stream_number, src, dest,
+ protocol, opcode, desc, extra):

+ self.timestamp = timestamp
+ self.ip_protocol = ip_protocol
+ self.stream_number = stream_number
+ self.src = src
+ self.dest = dest
+ self.protocol = protocol
+ self.opcode = opcode
+ self.desc = desc
+ self.extra = extra
+ if self.src < self.dest:
+ self.endpoints = (self.src, self.dest)
+ else:
+ self.endpoints = (self.dest, self.src)
+
+ @classmethod
+ def from_line(self, line):
+ fields = line.rstrip('\n').split('\t')
(timestamp,
ip_protocol,
stream_number,
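Review bot: from_line names its first parameter self and (in the following hunk) returns Packet(...) instead of constructing through the class it was invoked on, so a subclass calling from_line gets a plain Packet back; use the conventional `def from_line(cls, line):` and `return cls(...)`. The new __init__ also does no conversion or validation at all, so a caller that passes the raw strings of a summary line silently gets string timestamps and src/dest; a one-line docstring stating the expected types (float, str, int, ...) would make the from_line/__init__ split explicit.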
@@ -149,23 +168,12 @@ class Packet(object):
desc) = fields[:8]
extra = fields[8:]

- self.timestamp = float(timestamp)
- self.ip_protocol = ip_protocol
- try:
- self.stream_number = int(stream_number)
- except (ValueError, TypeError):
- self.stream_number = None
- self.src = int(src)
- self.dest = int(dest)
- self.protocol = protocol
- self.opcode = opcode
- self.desc = desc
- self.extra = extra
+ timestamp = float(timestamp)
+ src = int(src)
+ dest = int(dest)

- if self.src < self.dest:
- self.endpoints = (self.src, self.dest)
- else:
- self.endpoints = (self.dest, self.src)
+ return Packet(timestamp, ip_protocol, stream_number, src, dest,
+ protocol, opcode, desc, extra)

def as_summary(self, time_offset=0.0):
"""Format the packet as a traffic_summary line.
@@ -193,14 +201,15 @@ class Packet(object):
return "<Packet @%s>" % self

def copy(self):
- return self.__class__([self.timestamp,
- self.ip_protocol,
- self.stream_number,
- self.src,
- self.dest,
- self.protocol,
- self.opcode,
- self.desc] + self.extra)
+ return self.__class__(self.timestamp,
+ self.ip_protocol,
+ self.stream_number,
+ self.src,
+ self.dest,
+ self.protocol,
+ self.opcode,
+ self.desc,
+ self.extra)

def as_packet_type(self):
t = '%s:%s' % (self.protocol, self.opcode)
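Review bot: copy() no longer copies extra. The removed code built a fresh list with `[...] + self.extra`, whereas the new call passes self.extra straight through, so the original and its copy share one list and any later append or item assignment on either packet's extra is visible in both. Pass `list(self.extra)` to keep the previous value semantics.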
@@ -511,7 +520,7 @@ class ReplayContext(object):
self.machine_creds = Credentials()
self.machine_creds.guess(self.lp)
self.machine_creds.set_workstation(self.netbios_name)
- self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+ self.machine_creds.set_secure_channel_type(SEC_CHAN_BDC)
self.machine_creds.set_password(self.machinepass)
self.machine_creds.set_username(self.netbios_name + "$")
self.machine_creds.set_domain(self.domain)
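Review bot: switching the replayed machine credentials to SEC_CHAN_BDC means every emulated client now establishes a domain-controller type secure channel rather than a workstation one, and together with the userAccountControl change later in this patch the accounts look like DCs to the target domain. The commit message only says this fixes a netlogon failure against Windows; please record in the traffic_replay documentation or --help that the tool creates DC-type accounts and must only be pointed at a disposable test domain, since a leftover account of this kind on a production domain is a far larger exposure than a workstation account.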
@@ -523,7 +532,7 @@ class ReplayContext(object):
self.machine_creds_bad = Credentials()
self.machine_creds_bad.guess(self.lp)
self.machine_creds_bad.set_workstation(self.netbios_name)
- self.machine_creds_bad.set_secure_channel_type(SEC_CHAN_WKSTA)
+ self.machine_creds_bad.set_secure_channel_type(SEC_CHAN_BDC)
self.machine_creds_bad.set_password(self.machinepass[:-4])
self.machine_creds_bad.set_username(self.netbios_name + "$")
if self.prefer_kerberos:
@@ -802,14 +811,15 @@ class Conversation(object):
src, dest = self.guess_client_server()
if not client:
src, dest = dest, src
-
- desc = OP_DESCRIPTIONS.get((protocol, opcode), '')
- ip_protocol = IP_PROTOCOLS.get(protocol, '06')
- fields = [timestamp - self.start_time, ip_protocol,
- '', src, dest,
- protocol, opcode, desc]
- fields.extend(extra)
- packet = Packet(fields)
+ key = (protocol, opcode)
+ desc = OP_DESCRIPTIONS[key] if key in OP_DESCRIPTIONS else ''
+ if protocol in IP_PROTOCOLS:
+ ip_protocol = IP_PROTOCOLS[protocol]
+ else:
+ ip_protocol = '06'
+ packet = Packet(timestamp - self.start_time, ip_protocol,
+ '', src, dest,
+ protocol, opcode, desc, extra)
# XXX we're assuming the timestamp is already adjusted for
# this conversation?
# XXX should we adjust client balance for guessed packets?
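Review bot: `desc = OP_DESCRIPTIONS[key] if key in OP_DESCRIPTIONS else ''` and the `if protocol in IP_PROTOCOLS` branch each hash the key twice on the hit path. Since the stated goal of this commit is to shave per-call cost, `try: desc = OP_DESCRIPTIONS[key] except KeyError: desc = ''` does a single lookup per call, and the same applies to IP_PROTOCOLS; minor, but worth measuring with the cProfile run quoted in the commit message before settling on the two-lookup form.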
@@ -1021,7 +1031,7 @@ def ingest_summaries(files, dns_mode='count'):
f = open(f)
print("Ingesting %s" % (f.name,), file=sys.stderr)
for line in f:
- p = Packet(line)
+ p = Packet.from_line(line)
if p.protocol == 'dns' and dns_mode != 'include':
dns_counts[p.opcode] += 1
else:
@@ -1657,7 +1667,7 @@ def create_machine_account(ldb, instance_id, netbios_name, machinepass):
"objectclass": "computer",
"sAMAccountName": "%s$" % netbios_name,
"userAccountControl":
- str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
+ str(UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT),
"unicodePwd": utf16pw})
end = time.time()
duration = end - start
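Review bot: UF_SERVER_TRUST_ACCOUNT marks the object as a domain controller account and UF_TRUSTED_FOR_DELEGATION grants it unconstrained Kerberos delegation, so create_machine_account now provisions the most privileged kind of computer object the directory has, with a password the tool chooses. The commit message only says the pair makes NetrServerPasswordSet2 succeed against Windows; it should say why a workstation trust account failed and whether UF_TRUSTED_FOR_DELEGATION is needed at all, or whether UF_SERVER_TRUST_ACCOUNT alone is enough to match the SEC_CHAN_BDC change. Dropping UF_PASSWD_NOTREQD is good. Whatever the answer, the cleanup path must delete these accounts and the tool's documentation should state that they are DC-type objects.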
diff --git a/python/samba/emulate/traffic_packets.py b/python/samba/emulate/traffic_packets.py
index 1413c8b..3f5db43 100644
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
@@ -35,7 +35,6 @@ from samba.ntstatus import (
NT_STATUS_OBJECT_NAME_NOT_FOUND,
NT_STATUS_NO_SUCH_DOMAIN
)
-from samba.dcerpc.misc import SEC_CHAN_WKSTA
import samba
samba.ensure_third_party_module("dns", "dnspython")
import dns.resolver
@@ -573,7 +572,7 @@ def packet_rpc_netlogon_30(packet, conversation, context):
# must ends with $, so use get_username instead
# of get_workstation here
context.machine_creds.get_username(),
- SEC_CHAN_WKSTA,
+ context.machine_creds.get_secure_channel_type(),
context.netbios_name,
auth,
pwd)
diff --git a/python/samba/tests/emulate/traffic_packet.py b/python/samba/tests/emulate/traffic_packet.py
index 61fd900..a2c4567 100644
--- a/python/samba/tests/emulate/traffic_packet.py
+++ b/python/samba/tests/emulate/traffic_packet.py
@@ -25,6 +25,7 @@ from samba.auth import system_session
from samba.credentials import MUST_USE_KERBEROS, DONT_USE_KERBEROS
from samba.emulate import traffic_packets as p
from samba.emulate import traffic
+from samba.emulate.traffic import Packet

from samba.samdb import SamDB
import samba.tests
@@ -91,56 +92,58 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
shutil.rmtree(self.tempdir)

def test_packet_cldap_03(self):
- packet = traffic.Packet("0.0\t11\t1\t2\t1\tcldap\t3\tsearchRequest\t")
+ packet = Packet.from_line(
+ "0.0\t11\t1\t2\t1\tcldap\t3\tsearchRequest\t")
self.assertTrue(p.packet_cldap_3(packet,
self.conversation,
self. context))

def test_packet_cldap_05(self):
- packet = traffic.Packet("0.0\t11\t1\t1\t2\tcldap\t5\tsearchResDone\t")
+ packet = Packet.from_line(
+ "0.0\t11\t1\t1\t2\tcldap\t5\tsearchResDone\t")
self.assertFalse(p.packet_cldap_5(packet,
self.conversation,
self. context))

def test_packet_dcerpc_00(self):
- packet = traffic.Packet("0.0\t11\t1\t2\t1\tdcerpc\t0\tRequest\t")
+ packet = Packet.from_line("0.0\t11\t1\t2\t1\tdcerpc\t0\tRequest\t")
self.assertFalse(p.packet_dcerpc_0(packet,
self.conversation,
self. context))

def test_packet_dcerpc_02(self):
- packet = traffic.Packet("0.0\t11\t1\t1\t2\tdcerpc\t2\tResponse\t")
+ packet = Packet.from_line("0.0\t11\t1\t1\t2\tdcerpc\t2\tResponse\t")
self.assertFalse(p.packet_dcerpc_2(packet,
self.conversation,
self. context))

def test_packet_dcerpc_03(self):
- packet = traffic.Packet("0.0\t11\t1\t1\t2\tdcerpc\t3\t\t")
+ packet = Packet.from_line("0.0\t11\t1\t1\t2\tdcerpc\t3\t\t")
self.assertFalse(p.packet_dcerpc_3(packet,
self.conversation,
self. context))

def test_packet_dcerpc_11(self):
- packet = traffic.Packet("0.0\t11\t1\t2\t1\tdcerpc\t11\tBind\t")
+ packet = Packet.from_line("0.0\t11\t1\t2\t1\tdcerpc\t11\tBind\t")
self.assertFalse(p.packet_dcerpc_11(packet,
self.conversation,
self. context))

def test_packet_dcerpc_13(self):
- packet = traffic.Packet("0.0\t11\t1\t2\t1\tdcerpc\t13\t\t")
+ packet = Packet.from_line("0.0\t11\t1\t2\t1\tdcerpc\t13\t\t")
self.assertFalse(p.packet_dcerpc_13(packet,
self.conversation,
self. context))

def test_packet_dcerpc_14(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t11\t1\t2\t1\tdcerpc\t14\tAlter_context\t")
self.assertFalse(p.packet_dcerpc_14(packet,
self.conversation,
self. context))

def test_packet_dcerpc_15(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t11\t1\t1\t2\tdcerpc\t15\tAlter_context_resp\t")
# Set user_creds MUST_USE_KERBEROS to suppress the warning message.
self.context.user_creds.set_kerberos_state(MUST_USE_KERBEROS)
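Review bot: style only: every assertion in this hunk reads `self. context` with a stray space after the dot (it works because Python ignores whitespace around the attribute operator, but it reads as a typo); since these test methods are being rewritten anyway, normalise them to self.context.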
@@ -149,70 +152,70 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self. context))

def test_packet_dcerpc_16(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t11\t1\t1\t2\tdcerpc\t16\tAUTH3\t")
self.assertFalse(p.packet_dcerpc_16(packet,
self.conversation,
self. context))

def test_packet_dns_01(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t11\t1\t1\t2\tdns\t1\tresponse\t")
self.assertFalse(p.packet_dns_1(packet,
self.conversation,
self. context))

def test_packet_drsuapi_00(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t0\tDsBind\t")
self.assertTrue(p.packet_drsuapi_0(packet,
self.conversation,
self. context))

def test_packet_drsuapi_01(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t1\tDsUnBind\t")
self.assertTrue(p.packet_drsuapi_1(packet,
self.conversation,
self. context))

def test_packet_drsuapi_02(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t2\tDsReplicaSync\t")
self.assertFalse(p.packet_drsuapi_2(packet,
self.conversation,
self. context))

def test_packet_drsuapi_03(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t3\tDsGetNCChanges\t")
self.assertFalse(p.packet_drsuapi_3(packet,
self.conversation,
self. context))

def test_packet_drsuapi_04(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t4\tDsReplicaUpdateRefs\t")
self.assertFalse(p.packet_drsuapi_4(packet,
self.conversation,
self. context))

def test_packet_drsuapi_12(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t12\tDsCrackNames\t")
self.assertTrue(p.packet_drsuapi_12(packet,
self.conversation,
self. context))

def test_packet_drsuapi_13(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tdrsuapi\t13\tDsWriteAccountSpn\t")
self.assertTrue(p.packet_drsuapi_13(packet,
self.conversation,
self. context))

def test_packet_epm_03(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tepm\t3\tMap\t")
self.assertFalse(p.packet_epm_3(packet,
self.conversation,
@@ -222,7 +225,7 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
"""Kerberos packets are not generated, but are used as a hint to
favour kerberos.
"""
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t11\t1\t1\t2\tkerberos\t\t\t")
self.assertFalse(p.packet_kerberos_(packet,
self.conversation,
@@ -243,14 +246,14 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)

def test_packet_ldap(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t\t*** Unknown ***\t")
self.assertFalse(p.packet_ldap_(packet,
self.conversation,
self. context))

def test_packet_ldap_00_sasl(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t0\tbindRequest"
"\t\t\t\t\t3\tsasl\t1.3.6.1.5.5.2")
self.assertTrue(p.packet_ldap_0(packet,
@@ -258,7 +261,7 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self. context))

def test_packet_ldap_00_simple(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t0\tbindRequest"
"\t\t\t\t\t0\tsimple\t")
self.assertTrue(p.packet_ldap_0(packet,
@@ -266,21 +269,21 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self. context))

def test_packet_ldap_01(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t1\tbindResponse\t")
self.assertFalse(p.packet_ldap_1(packet,
self.conversation,
self. context))

def test_packet_ldap_02(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t2\tunbindRequest\t")
self.assertFalse(p.packet_ldap_2(packet,
self.conversation,
self. context))

def test_packet_ldap_03(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t3\tsearchRequest"
"\t2\tDC,DC\t\tcn\t\t\t")
self.assertTrue(p.packet_ldap_3(packet,
@@ -288,21 +291,21 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self. context))

def test_packet_ldap_04(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t4\tsearchResEntry\t")
self.assertFalse(p.packet_ldap_4(packet,
self.conversation,
self. context))

def test_packet_ldap_05(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t5\tsearchResDone\t")
self.assertFalse(p.packet_ldap_5(packet,
self.conversation,
self. context))

def test_packet_ldap_06(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t6\tmodifyRequest\t"
"\t\t\t\t0\tadd")
self.assertFalse(p.packet_ldap_6(packet,
@@ -310,420 +313,420 @@ class TrafficEmulatorPacketTests(samba.tests.TestCase):
self. context))

def test_packet_ldap_07(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t7\tmodifyResponse\t")
self.assertFalse(p.packet_ldap_7(packet,
self.conversation,
self. context))

def test_packet_ldap_08(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t8\taddRequest\t")
self.assertFalse(p.packet_ldap_8(packet,
self.conversation,
self. context))

def test_packet_ldap_09(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t1\t2\tldap\t9\taddResponse\t")
self.assertFalse(p.packet_ldap_9(packet,
self.conversation,
self. context))

def test_packet_ldap_16(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tldap\t16\tabandonRequest\t")
self.assertFalse(p.packet_ldap_16(packet,
self.conversation,
self. context))

def test_packet_lsarpc_00(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tlsarpc\t0\tlsa_Close\t")
self.assertFalse(p.packet_lsarpc_1(packet,
self.conversation,
self. context))

def test_packet_lsarpc_01(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tlsarpc\t1\tlsa_Delete\t")
self.assertFalse(p.packet_lsarpc_1(packet,
self.conversation,
self. context))

def test_packet_lsarpc_02(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tlsarpc\t2\tlsa_EnumeratePrivileges\t")
self.assertFalse(p.packet_lsarpc_2(packet,
self.conversation,
self. context))

def test_packet_lsarpc_03(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
"0.0\t06\t1\t2\t1\tlsarpc\t3\tlsa_QuerySecurityObject\t")
self.assertFalse(p.packet_lsarpc_3(packet,
self.conversation,
self. context))

def test_packet_lsarpc_04(self):
- packet = traffic.Packet(
+ packet = Packet.from_line(
--
Samba Shared Repository
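The first push above changes the userAccountControl bits that traffic_replay puts on its emulated machine accounts, from UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD to UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT. The script below is an added example for readers of this thread, not Samba code and not part of the patch: it decodes those bits, builds the LDAP bit-match filter an administrator would use to find computer objects that carry them, and audits a constructed list of (dn, userAccountControl) pairs standing in for a search result, flagging DC-style or delegation-enabled accounts that sit outside the Domain Controllers OU and any account still marked PASSWD_NOTREQD. The domain example.com, the account names EMU-0-0 and EMU-0-1 and the sample values are hypothetical; the bit values and the matching-rule OID are the standard ones published by Microsoft.

```python
"""Audit userAccountControl on computer accounts (added example, not Samba code).

Checks the flags the patch puts on traffic_replay machine accounts
(UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT) and the one it drops
(UF_PASSWD_NOTREQD) against a constructed list of (dn, userAccountControl)
pairs that stands in for an LDAP search result, so it runs offline.
"""

# userAccountControl bit values as published in MS-ADTS / MS-SAMR.
UF_PASSWD_NOTREQD = 0x00000020
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_TRUSTED_FOR_DELEGATION = 0x00080000

FLAG_NAMES = {
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

# LDAP_MATCHING_RULE_BIT_AND: lets a filter test individual UAC bits server-side.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def bit_filter(bits):
    """Build an LDAP filter matching computer objects with all of `bits` set."""
    return "(&(objectClass=computer)(userAccountControl:%s:=%d))" % (BIT_AND_RULE, bits)


def under_dc_ou(dn, domain_dn):
    """True if the DN sits (directly or indirectly) under OU=Domain Controllers."""
    suffix = ("OU=Domain Controllers," + domain_dn).lower()
    return dn.lower().endswith(suffix)


def audit(entries, domain_dn):
    """Return (dn, reason) findings for risky UAC settings on computer accounts."""
    findings = []
    for dn, uac in entries:
        dc_ou = under_dc_ou(dn, domain_dn)
        if uac & UF_SERVER_TRUST_ACCOUNT and not dc_ou:
            findings.append((dn, "SERVER_TRUST_ACCOUNT outside Domain Controllers OU"))
        if uac & UF_TRUSTED_FOR_DELEGATION and not dc_ou:
            findings.append((dn, "unconstrained delegation on a non-DC account"))
        if uac & UF_PASSWD_NOTREQD:
            findings.append((dn, "PASSWD_NOTREQD set"))
    return findings


# Constructed sample standing in for an LDAP search result (hypothetical names).
DOMAIN_DN = "DC=example,DC=com"
SAMPLE = [
    # a real DC: the DC-style bits are expected here
    ("CN=DC1,OU=Domain Controllers,DC=example,DC=com",
     UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION),
    # hypothetical replay account created with the new flags from the patch
    ("CN=EMU-0-0,CN=Computers,DC=example,DC=com",
     UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION),
    # hypothetical replay account left over from the old flags
    ("CN=EMU-0-1,CN=Computers,DC=example,DC=com",
     UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
    # an ordinary workstation: nothing to report
    ("CN=WS01,CN=Computers,DC=example,DC=com",
     UF_WORKSTATION_TRUST_ACCOUNT),
]

if __name__ == "__main__":
    print(bit_filter(UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION))
    for dn, reason in audit(SAMPLE, DOMAIN_DN):
        print("%s: %s (%s)" % (dn, reason, ",".join(decode_uac(dict(SAMPLE)[dn]))))
```

Against a live directory the filter string from bit_filter() would be handed to the LDAP client of your choice (for Samba, `samba-tool` or the python `samba.samdb` API) and the returned dn/userAccountControl pairs fed to audit(); on a domain that has been used as a traffic_replay target, the DC-style bits on objects under CN=Computers are the signature of emulated accounts that were never cleaned up.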
Björn Baumbach
2018-05-14 19:16:02 UTC
The branch, master has been updated
via 171750e s3/wscript: remove test, that we do in lib/replace
via 9be8ef1 docs-xml:samba-tool.8: fix wrong default computer container name
via e45b504 samba-tool computer: fix wrong computer container in help message
from d444221 traffic: improve add_short_packet by avoiding dict.get

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 171750e966e040493c8631fcdd65478ab35e6f2e
Author: Björn Jacke <***@samba.org>
Date: Mon Mar 12 19:13:04 2018 +0100

s3/wscript: remove test, that we do in lib/replace

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Björn Baumbach <***@sernet.de>

Autobuild-User(master): Björn Baumbach <***@samba.org>
Autobuild-Date(master): Mon May 14 21:15:21 CEST 2018 on sn-devel-144

commit 9be8ef19553069593c3766177f065d3b9ce06bba
Author: Björn Baumbach <***@sernet.de>
Date: Tue May 8 10:21:10 2018 +0200

docs-xml:samba-tool.8: fix wrong default computer container name

CN=Users --> CN=Computers

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Björn Jacke <***@samba.org>

commit e45b5047b94c3f0c812fe7d4931610bcf45bd437
Author: Björn Baumbach <***@sernet.de>
Date: Mon May 7 15:00:17 2018 +0200

samba-tool computer: fix wrong computer container in help message

CN=Users --> CN=Computers

Signed-off-by: Björn Baumbach <***@sernet.de>
Reviewed-by: Björn Jacke <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 2 +-
python/samba/netcmd/computer.py | 4 ++--
source3/wscript | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 3cde4c5..3173083 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -121,7 +121,7 @@
<term>--computerou=COMPUTEROU</term>
<listitem><para>
DN of alternative location (with or without domainDN counterpart) to
- default CN=Users in which new computer object will be created.
+ default CN=Computers in which new computer object will be created.
E.g. 'OU=OUname'.
</para></listitem>
</varlistentry>
diff --git a/python/samba/netcmd/computer.py b/python/samba/netcmd/computer.py
index 9ca8904..7a913b4 100644
--- a/python/samba/netcmd/computer.py
+++ b/python/samba/netcmd/computer.py
@@ -208,8 +208,8 @@ Example3 shows how to create a new computer in the OrgUnit organizational unit.
type=str, metavar="URL", dest="H"),
Option("--computerou",
help=("DN of alternative location (with or without domainDN "
- "counterpart) to default CN=Users in which new computer "
- "object will be created. E. g. 'OU=<OU name>'"),
+ "counterpart) to default CN=Computers in which new "
+ "computer object will be created. E.g. 'OU=<OU name>'"),
type=str),
Option("--description", help="Computers's description", type=str),
Option("--prepare-oldjoin",
diff --git a/source3/wscript b/source3/wscript
index ab64e80..e6d9936 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -386,7 +386,7 @@ DNSServiceRegister _dup __dup _dup2 __dup2 endmntent execl
_facl __facl _fchdir
__fchdir fchmod fchown _fcntl __fcntl fcvt fcvtl fdatasync
_fork __fork fseeko
-fsetxattr _fstat __fstat fsync
+_fstat __fstat fsync
futimens futimes __fxstat getauthuid
getcwd _getcwd __getcwd getdents __getdents getdirentries
getgrent getgrnam getgrouplist getgrset getmntent getpagesize
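Review bot: removing fsetxattr from this CHECK_FUNCS list is only safe if lib/replace really defines HAVE_FSETXATTR, and nothing in this patch shows that; if it does not, every source3 path guarded by HAVE_FSETXATTR silently compiles out instead of failing to build. Please cite the lib/replace check (file and symbol) in the commit message so a reader can verify it.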
--
Samba Shared Repository
Andrew Bartlett
2018-05-15 04:32:02 UTC
The branch, master has been updated
via a0f0350 selftest: Require libarchive for --enable-selftest
via aced401 build: Make --with-gpgme the default
via 78c8e69 build: Make --with-libarchive the default
via 6fda57d build: Make --with-json-audit the default
from 171750e s3/wscript: remove test, that we do in lib/replace

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a0f0350252fb079d9ffec9b7f3589e97872688f9
Author: Andrew Bartlett <***@samba.org>
Date: Thu May 10 14:00:54 2018 +1200

selftest: Require libarchive for --enable-selftest

This avoids one more case where tests can go missing by removing the conditional.

(Yes, this has happened for other tests in the past).

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue May 15 06:31:03 CEST 2018 on sn-devel-144

commit aced4017283e2614e80fb6f20fc85d3a284ad6c1
Author: Andrew Bartlett <***@samba.org>
Date: Thu May 10 13:05:56 2018 +1200

build: Make --with-gpgme the default

Those wishing to build without gpgme support need simply to build --without-gpgme

In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 78c8e699a8e34ebe69b704b455733050fd195af6
Author: Andrew Bartlett <***@samba.org>
Date: Thu May 10 13:04:35 2018 +1200

build: Make --with-libarchive the default

This means that those not wanting to link to libarchive will just need to
build --without-libarchive.

In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 6fda57d3097e4e02310d7cfdba4f8ee27a69fb93
Author: Andrew Bartlett <***@samba.org>
Date: Thu May 10 13:01:05 2018 +1200

build: Make --with-json-audit the default

Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

This means that those not wanting to link to libarchive will just need to
build --without-json-audit.

In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
auth/wscript | 12 +++++---
docs-xml/smbdotconf/logging/loglevel.xml | 4 +--
source3/client/clitar.c | 2 +-
source3/selftest/tests.py | 49 +++++++++++++++-----------------
source3/wscript | 16 ++++++++---
source4/dsdb/samdb/ldb_modules/wscript | 17 +++++++----
6 files changed, 57 insertions(+), 43 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/wscript b/auth/wscript
index b81804e..7b2c65e 100644
--- a/auth/wscript
+++ b/auth/wscript
@@ -4,7 +4,7 @@ import Logs, Options, Utils
import samba3

def set_options(opt):
- help = ("Build with JSON auth audit support (default=auto). "
+ help = ("Build with JSON auth audit support (default=True). "
"This requires the jansson devel package.")

opt.SAMBA3_ADD_OPTION('json-audit', default=None, help=(help))
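Review bot: the help string now says default=True, but the unchanged line that follows still passes default=None to SAMBA3_ADD_OPTION, so the option's declared default and its documentation disagree. The libarchive and gpgme hunks in this same push change the declared default to True; do the same here so that --help and the configure logic (which now treats anything but an explicit --without-json-audit as mandatory) line up.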
@@ -20,9 +20,13 @@ def configure(conf):
conf.CHECK_FUNCS_IN('json_object', 'jansson')

if not conf.CONFIG_GET('HAVE_JSON_OBJECT'):
- if Options.options.with_json_audit == True:
- conf.fatal('JSON support requested, but no suitable jansson '
- 'library found')
+ if Options.options.with_json_audit != False:
+ conf.fatal("JSON support not found. "
+ "Try installing libjansson-dev or jansson-devel. "
+ "Otherwise, use --without-json-audit to build without "
+ "JSON support. "
+ "JSON support is required for the JSON "
+ "formatted audit log feature")
if conf.CONFIG_GET('ENABLE_SELFTEST') and \
(not Options.options.without_ad_dc):
raise Utils.WafError('jansson JSON library required for '
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml
index d3b5c45..fae5c7b 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -49,8 +49,8 @@
</itemizedlist>

<para>Authentication and authorization audit information is logged
- under the auth_audit, and if Samba is compiled against the jansson
- JSON library, a JSON representation is logged under
+ under the auth_audit, and if Samba was not compiled with
+ --without-json-audit, a JSON representation is logged under
auth_json_audit.</para>

<para>Support is comprehensive for all authentication and authorisation
diff --git a/source3/client/clitar.c b/source3/client/clitar.c
index b8009c9..b598bde 100644
--- a/source3/client/clitar.c
+++ b/source3/client/clitar.c
@@ -1837,7 +1837,7 @@ static NTSTATUS path_base_name(TALLOC_CTX *ctx, const char *path, char **_base)

#else

-#define NOT_IMPLEMENTED DEBUG(0, ("tar mode not compiled. build with --with-libarchive\n"))
+#define NOT_IMPLEMENTED DEBUG(0, ("tar mode not compiled. build used --without-libarchive\n"))

int cmd_block(void)
{
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 5ebebb5..1e1f97e 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -54,7 +54,6 @@ try:
finally:
f.close()

-have_libarchive = ("HAVE_LIBARCHIVE" in config_hash)
have_linux_kernel_oplocks = ("HAVE_KERNEL_OPLOCKS_LINUX" in config_hash)
have_inotify = ("HAVE_INOTIFY" in config_hash)
have_ldwrap = ("HAVE_LDWRAP" in config_hash)
@@ -295,31 +294,29 @@ for env in ["fileserver"]:
# tar command tests
#

- # tar command enabled only if built with libarchive
- if have_libarchive:
- # Test smbclient/tarmode
- plantestsuite("samba3.blackbox.smbclient_tarmode.NT1", env,
- [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.sh"),
- '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD',
- '$LOCAL_PATH/tarmode', '$PREFIX', smbclient3, configuration, "-mNT1"])
- plantestsuite("samba3.blackbox.smbclient_tarmode.SMB3", env,
- [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.sh"),
- '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD',
- '$LOCAL_PATH/tarmode', '$PREFIX', smbclient3, configuration, "-mSMB3"])
-
- # Test suite for new smbclient/tar with libarchive (GSoC 13)
- plantestsuite("samba3.blackbox.smbclient_tar.NT1", env,
- [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.pl"),
- '-n', '$SERVER', '-i', '$SERVER_IP', '-s', 'tmp',
- '-u', '$USERNAME', '-p', '$PASSWORD', '-l', '$LOCAL_PATH/tarmode',
- '-d', '$PREFIX', '-b', smbclient3,
- '--subunit', '--', configuration, '-mNT1'])
- plantestsuite("samba3.blackbox.smbclient_tar.SMB3", env,
- [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.pl"),
- '-n', '$SERVER', '-i', '$SERVER_IP', '-s', 'tmp',
- '-u', '$USERNAME', '-p', '$PASSWORD', '-l', '$LOCAL_PATH/tarmode',
- '-d', '$PREFIX', '-b', smbclient3,
- '--subunit', '--', configuration, '-mSMB3'])
+ # Test smbclient/tarmode
+ plantestsuite("samba3.blackbox.smbclient_tarmode.NT1", env,
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.sh"),
+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD',
+ '$LOCAL_PATH/tarmode', '$PREFIX', smbclient3, configuration, "-mNT1"])
+ plantestsuite("samba3.blackbox.smbclient_tarmode.SMB3", env,
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.sh"),
+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD',
+ '$LOCAL_PATH/tarmode', '$PREFIX', smbclient3, configuration, "-mSMB3"])
+
+ # Test suite for new smbclient/tar with libarchive (GSoC 13)
+ plantestsuite("samba3.blackbox.smbclient_tar.NT1", env,
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.pl"),
+ '-n', '$SERVER', '-i', '$SERVER_IP', '-s', 'tmp',
+ '-u', '$USERNAME', '-p', '$PASSWORD', '-l', '$LOCAL_PATH/tarmode',
+ '-d', '$PREFIX', '-b', smbclient3,
+ '--subunit', '--', configuration, '-mNT1'])
+ plantestsuite("samba3.blackbox.smbclient_tar.SMB3", env,
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_tarmode.pl"),
+ '-n', '$SERVER', '-i', '$SERVER_IP', '-s', 'tmp',
+ '-u', '$USERNAME', '-p', '$PASSWORD', '-l', '$LOCAL_PATH/tarmode',
+ '-d', '$PREFIX', '-b', smbclient3,
+ '--subunit', '--', configuration, '-mSMB3'])

plantestsuite("samba3.blackbox.net_usershare", "fileserver:local", [os.path.join(samba3srcdir, "script/tests/test_net_usershare.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbclient3])

diff --git a/source3/wscript b/source3/wscript
index e6d9936..633a365 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -55,7 +55,7 @@ def set_options(opt):
opt.SAMBA3_ADD_OPTION('dmapi', default=None) # None means autodetection
opt.SAMBA3_ADD_OPTION('fam', default=None) # None means autodetection
opt.SAMBA3_ADD_OPTION('profiling-data', default=False)
- opt.SAMBA3_ADD_OPTION('libarchive', default=None)
+ opt.SAMBA3_ADD_OPTION('libarchive', default=True)

opt.SAMBA3_ADD_OPTION('cluster-support', default=False)

@@ -218,12 +218,20 @@ main() {
# None means autodetect, True/False means enable/disable
conf.SET_TARGET_TYPE('archive', 'EMPTY')
if Options.options.with_libarchive is not False:
- libarchive_mandatory = Options.options.with_libarchive == True
Logs.info("Checking for libarchive existence")
if conf.CHECK_HEADERS('archive.h') and conf.CHECK_LIB('archive', shlib=True):
conf.CHECK_FUNCS_IN('archive_read_support_filter_all archive_read_free', 'archive')
- elif libarchive_mandatory:
- conf.fatal('libarchive support requested, but not found')
+ else:
+ conf.fatal("libarchive support not found. "
+ "Try installing libarchive-dev or libarchive-devel. "
+ "Otherwise, use --without-libarchive to "
+ "build without libarchive support. "
+ "libarchive support is required for the smbclient "
+ "tar-file mode")
+ elif conf.CONFIG_GET('ENABLE_SELFTEST'):
+ raise Utils.WafError('libarchive library required for '
+ '--enable-selftest')
+

# check for DMAPI libs
if Options.options.with_dmapi == False:
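Review bot: the two failure branches are inconsistent: missing libarchive with the option enabled calls `conf.fatal(...)`, while `--without-libarchive --enable-selftest` raises `Utils.WafError(...)` directly; both stop configure, but the latter bypasses the normal fatal-message path. The lone `+` line after the raise also adds a stray blank line. Unchanged but worth noting while here: the result of `conf.CHECK_FUNCS_IN('archive_read_support_filter_all archive_read_free', 'archive')` is never tested, so a libarchive old enough to lack those functions still passes configure and fails at link time.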
diff --git a/source4/dsdb/samdb/ldb_modules/wscript b/source4/dsdb/samdb/ldb_modules/wscript
index 91edbcb..bf07982 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript
+++ b/source4/dsdb/samdb/ldb_modules/wscript
@@ -7,7 +7,7 @@ def set_options(opt):
help += "This requires gpgme devel and python packages "
help += "(e.g. libgpgme11-dev, python-gpgme on debian/ubuntu)."

- opt.SAMBA3_ADD_OPTION('gpgme', default=None, help=(help))
+ opt.SAMBA3_ADD_OPTION('gpgme', default=True, help=(help))

return

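Review bot: with the default now True, the help text assembled just above ("This requires gpgme devel and python packages ...") should say that GPGME is enabled and required unless --without-gpgme or --without-ad-dc is given, so that `configure --help` agrees with the new fatal error in the configure hunk.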
@@ -24,7 +24,8 @@ def configure(conf):

conf.SET_TARGET_TYPE('gpgme', 'EMPTY')

- if Options.options.with_gpgme != False:
+ if not Options.options.without_ad_dc \
+ and Options.options.with_gpgme != False:
conf.find_program('gpgme-config', var='GPGME_CONFIG')

if conf.env.GPGME_CONFIG:
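Review bot: `Options.options.with_gpgme != False` compares against a singleton; since the option is tri-state (None/True/False), `is not False` is the idiomatic form, and wrapping the whole condition in parentheses avoids the backslash continuation.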
@@ -36,7 +37,11 @@ def configure(conf):
conf.DEFINE('ENABLE_GPGME', '1')

if not conf.CONFIG_SET('ENABLE_GPGME'):
- if Options.options.with_gpgme == True:
- conf.fatal('GPGME support requested, but no suitable GPGME library found, eg libgpgme11-dev and python-gpgme')
- else:
- Logs.warn('no suitable GPGME library found')
+ conf.fatal("GPGME support not found. "
+ "Try installing libgpgme11-dev or gpgme-devel "
+ "and python-gpgme. "
+ "Otherwise, use --without-gpgme to build without "
+ "GPGME support or --without-ad-dc to build without "
+ "the Samba AD DC. "
+ "GPGME support is required for the GPG encrypted "
+ "password sync feature")
--
Samba Shared Repository
Jeremy Allison
2018-05-15 07:38:03 UTC

The branch, master has been updated
via 9fbd467 lib: Hold at most 10 outstanding paged result cookies
via 8063995 lib: Put "results_store" into a doubly linked list
from a0f0350 selftest: Require libarchive for --enable-selftest

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9fbd4672b06de5333a9c44fc126b8edac0b9d31a
Author: Volker Lendecke <***@samba.org>
Date: Mon May 7 16:53:00 2018 +0200

lib: Hold at most 10 outstanding paged result cookies

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Tue May 15 09:37:21 CEST 2018 on sn-devel-144

commit 8063995a92fffc93aa9d6d1d92a75bf3f3c9592b
Author: Volker Lendecke <***@samba.org>
Date: Mon May 7 16:41:55 2018 +0200

lib: Put "results_store" into a doubly linked list

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
lib/ldb/modules/paged_results.c | 43 ++++++++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/modules/paged_results.c b/lib/ldb/modules/paged_results.c
index de014a3..ecb2227 100644
--- a/lib/ldb/modules/paged_results.c
+++ b/lib/ldb/modules/paged_results.c
@@ -35,6 +35,8 @@
#include "replace.h"
#include "system/filesys.h"
#include "system/time.h"
+#include "dlinklist.h"
+#include <assert.h>
#include "ldb_module.h"

struct message_store {
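Review bot: `#include <assert.h>` brings libc assert() into an ldb module that is loaded into long-lived server processes and into any LDAP client linking ldb; a failed assertion aborts the whole process, and with NDEBUG defined the checks at `assert(priv->num_stores > 0)` and `assert(priv->num_stores < SIZE_MAX)` compile away entirely. Prefer ldb's own debug/error reporting or handle the condition and return an error.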
@@ -48,14 +50,13 @@ struct message_store {
struct private_data;

struct results_store {
+ struct results_store *prev, *next;

struct private_data *priv;

char *cookie;
time_t timestamp;

- struct results_store *next;
-
struct message_store *first;
struct message_store *last;
int num_entries;
@@ -68,6 +69,7 @@ struct results_store {

struct private_data {
uint32_t next_free_id;
+ size_t num_stores;
struct results_store *store;

};
@@ -75,22 +77,12 @@ struct private_data {
static int store_destructor(struct results_store *del)
{
struct private_data *priv = del->priv;
- struct results_store *loop;
-
- if (priv->store == del) {
- priv->store = del->next;
- return 0;
- }
+ DLIST_REMOVE(priv->store, del);

- for (loop = priv->store; loop; loop = loop->next) {
- if (loop->next == del) {
- loop->next = del->next;
- return 0;
- }
- }
+ assert(priv->num_stores > 0);
+ priv->num_stores -= 1;

- /* is not in list ? */
- return -1;
+ return 0;
}

static struct results_store *new_store(struct private_data *priv)
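Review bot: dropping the `return -1` for a store that is not in the list changes the destructor's semantics: previously the talloc free was refused, now `DLIST_REMOVE(priv->store, del)` runs unconditionally and `num_stores` is decremented regardless. That holds as long as every results_store is created through new_store, but the only guard is the assert, so a comment stating that invariant would help future readers.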
@@ -120,11 +112,23 @@ static struct results_store *new_store(struct private_data *priv)
newr->first_ref = NULL;
newr->controls = NULL;

- newr->next = priv->store;
- priv->store = newr;
+ DLIST_ADD(priv->store, newr);
+
+ assert(priv->num_stores < SIZE_MAX);
+ priv->num_stores += 1;

talloc_set_destructor(newr, store_destructor);

+ if (priv->num_stores > 10) {
+ struct results_store *last;
+ /*
+ * 10 is the default for MaxResultSetsPerConn --
+ * possibly need to parameterize it.
+ */
+ last = DLIST_TAIL(priv->store);
+ TALLOC_FREE(last);
+ }
+
return newr;
}

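Review bot: `if (priv->num_stores > 10)` hard-codes the limit and the comment already says it may need parameterizing; a named constant (and ideally a configurable option, since the comment ties it to MaxResultSetsPerConn) would make the cap discoverable. The eviction also deserves a comment that `DLIST_ADD` prepends and paged_search promotes the store it serves, so `DLIST_TAIL(priv->store)` is the least recently used cookie; a client still holding that cookie has its next page request refused, which is the intended bound for bug 13362 but should be stated where it is implemented. `assert(priv->num_stores < SIZE_MAX)` cannot fail once the count is capped at eleven and can go.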
@@ -381,6 +385,8 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_UNWILLING_TO_PERFORM;
}

+ DLIST_PROMOTE(private_data->store, current);
+
ac->store = current;

/* check if it is an abandon */
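Review bot: a one-line comment at `DLIST_PROMOTE(private_data->store, current);` explaining that this moves the cookie just used to the head so that new_store evicts from the tail would make the LRU policy visible at the point it is implemented.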
@@ -412,6 +418,7 @@ static int paged_request_init(struct ldb_module *module)
}

data->next_free_id = 1;
+ data->num_stores = 0;
data->store = NULL;
ldb_module_set_private(module, data);
--
Samba Shared Repository
Volker Lendecke
2018-05-15 10:41:02 UTC
The branch, master has been updated
via 506c520 smbd: fileserver: Change defaults to work with EA support out of the box.
from 9fbd467 lib: Hold at most 10 outstanding paged result cookies

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 506c520503eacff33064c1c23a068399f7296d86
Author: Jeremy Allison <***@samba.org>
Date: Mon May 14 11:09:53 2018 -0700

smbd: fileserver: Change defaults to work with EA support out of the box.

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Tue May 15 12:40:48 CEST 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 9 ++++++++-
docs-xml/smbdotconf/filename/mapreadonly.xml | 9 ++++++++-
docs-xml/smbdotconf/filename/storedosattributes.xml | 5 ++++-
docs-xml/smbdotconf/protocol/easupport.xml | 5 ++++-
lib/param/loadparm.c | 6 +++++-
source3/param/loadparm.c | 6 +++---
6 files changed, 32 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7bd3792..574e9b2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -61,9 +61,16 @@ REMOVED FEATURES
smb.conf changes
================

+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
+
Parameter Name Description Default
-------------- ----------- -------
-
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes

KNOWN ISSUES
============
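Review bot: the table rows say "Default changed" but not what the previous value was, and the new paragraph gives the rationale without the upgrade impact. Listing old and new values (map readonly yes -> no, store dos attributes no -> yes, ea support no -> yes, as in the docs-xml hunks of this patch) and telling administrators who relied on the old behaviour to set the parameters explicitly would make the release note actionable.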
diff --git a/docs-xml/smbdotconf/filename/mapreadonly.xml b/docs-xml/smbdotconf/filename/mapreadonly.xml
index 54a5e01..dae17c2 100644
--- a/docs-xml/smbdotconf/filename/mapreadonly.xml
+++ b/docs-xml/smbdotconf/filename/mapreadonly.xml
@@ -49,6 +49,13 @@
attribute.
</para>

+ <para>
+ The default has changed to no in Samba release 4.9.0 and above to allow better Windows
+ fileserver compatibility in a default install. In addition the default setting of
+ <smbconfoption name="store dos attributes"/> has been changed to <constant>Yes</constant>
+ in Samba release 4.9.0 and above.
+ </para>
+
</description>
-<value type="default">yes</value>
+<value type="default">no</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/filename/storedosattributes.xml b/docs-xml/smbdotconf/filename/storedosattributes.xml
index 30665eb..2cdaeef 100644
--- a/docs-xml/smbdotconf/filename/storedosattributes.xml
+++ b/docs-xml/smbdotconf/filename/storedosattributes.xml
@@ -21,7 +21,10 @@
extended attribute by earlier versions of Samba, but they will not be able to read the create
time stored there. Storing the create time separately from the normal filesystem meta-data
allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem.
+
+ The default has changed to yes in Samba release 4.9.0 and above to allow better Windows
+ fileserver compatibility in a default install.
</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/protocol/easupport.xml b/docs-xml/smbdotconf/protocol/easupport.xml
index b453b86..403e48f 100644
--- a/docs-xml/smbdotconf/protocol/easupport.xml
+++ b/docs-xml/smbdotconf/protocol/easupport.xml
@@ -24,8 +24,11 @@
access to this tight space via extended attribute support could consume all
of it by unsuspecting client applications, which would prevent changing
system metadata due to lack of space.
+
+ The default has changed to yes in Samba release 4.9.0 and above to allow better Windows
+ fileserver compatibility in a default install.
</para>
</description>

-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
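Review bot: the paragraph directly above still warns that enabling extended-attribute access can let unsuspecting clients consume the limited xattr space and block system metadata updates; now that the default is yes, the added sentence should acknowledge that trade-off and point administrators on such filesystems to setting `ea support = no` explicitly.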
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index bcb4141..3b7f805 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2880,7 +2880,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "strict sync", "yes");

- lpcfg_do_global_parameter(lp_ctx, "map readonly", "yes");
+ lpcfg_do_global_parameter(lp_ctx, "map readonly", "no");

lpcfg_do_global_parameter(lp_ctx, "allow trusted domains", "yes");

@@ -3000,6 +3000,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "check parent directory delete on close", "no");

+ lpcfg_do_global_parameter(lp_ctx, "ea support", "yes");
+
+ lpcfg_do_global_parameter(lp_ctx, "store dos attributes", "yes");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
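Review bot: this patch sets the same three defaults in three places (the docs-xml `<value type="default">` elements, lib/param/loadparm.c here, and `_sDefault` in source3/param/loadparm.c) with nothing in the diff tying them together, so any future drift would be silent. Please confirm the selftests that compare documented defaults against the parameter tables still pass with these changes.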
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 520d066..ecff22e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -193,7 +193,7 @@ static const struct loadparm_service _sDefault =
.map_system = false,
.map_hidden = false,
.map_archive = true,
- .store_dos_attributes = false,
+ .store_dos_attributes = true,
.dmapi_support = false,
.locking = true,
.strict_locking = Auto,
@@ -231,7 +231,7 @@ static const struct loadparm_service _sDefault =
._use_sendfile = false,
.map_acl_inherit = false,
.afs_share = false,
- .ea_support = false,
+ .ea_support = true,
.acl_check_permissions = true,
.acl_map_full_control = true,
.acl_group_control = false,
@@ -239,7 +239,7 @@ static const struct loadparm_service _sDefault =
.allocation_roundup_size = SMB_ROUNDUP_ALLOCATION_SIZE,
.aio_read_size = 1,
.aio_write_size = 1,
- .map_readonly = MAP_READONLY_YES,
+ .map_readonly = MAP_READONLY_NO,
.directory_name_cache_size = 100,
.smb_encrypt = SMB_SIGNING_DEFAULT,
.kernel_share_modes = true,
--
Samba Shared Repository
Andreas Schneider
2018-05-15 13:46:02 UTC
The branch, master has been updated
via 8bd67c5 auth: keytab invalidation fix
via a3d6fdd auth: keytab invalidation test
from 506c520 smbd: fileserver: Change defaults to work with EA support out of the box.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8bd67c593da5525a63a1d596e2c7fe38bc7cee57
Author: Aaron Haslett <***@catalyst.net.nz>
Date: Tue May 1 11:10:50 2018 +1200

auth: keytab invalidation fix

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <***@catalyst.net.nz>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144

commit a3d6fdd5355d366f3d23915cecc10c6f039daa44
Author: Aaron Haslett <***@catalyst.net.nz>
Date: Tue May 1 11:10:24 2018 +1200

auth: keytab invalidation test

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
.../__init__.py => selftest/knownfail.d/keytab | 0
selftest/tests.py | 2 +
source4/auth/kerberos/kerberos_util.c | 2 +-
source4/auth/tests/kerberos.c | 107 +++++++++++++++++++++
source4/auth/wscript_build | 6 ++
5 files changed, 116 insertions(+), 1 deletion(-)
copy third_party/pep8/testsuite/__init__.py => selftest/knownfail.d/keytab (100%)
create mode 100644 source4/auth/tests/kerberos.c


Changeset truncated at 500 lines:

diff --git a/third_party/pep8/testsuite/__init__.py b/selftest/knownfail.d/keytab
similarity index 100%
copy from third_party/pep8/testsuite/__init__.py
copy to selftest/knownfail.d/keytab
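Review bot: selftest/knownfail.d/keytab is added as an empty file (git reports it as a 100% copy of third_party/pep8/testsuite/__init__.py, which is itself empty); an empty knownfail entry has no effect, so it should either list the expected-failure pattern or be dropped.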
diff --git a/selftest/tests.py b/selftest/tests.py
index 185ad37..f354bb5 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -187,5 +187,7 @@ plantestsuite("samba.unittests.tldap", "none",
[os.path.join(bindir(), "default/source3/test_tldap")])
plantestsuite("samba.unittests.rfc1738", "none",
[os.path.join(bindir(), "default/lib/util/test_rfc1738")])
+plantestsuite("samba.unittests.kerberos", "none",
+ [os.path.join(bindir(), "test_kerberos")])
plantestsuite("samba.unittests.ms_fnmatch", "none",
[os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 618da62..50bf8fe 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
krb5_kt_free_entry(context, &entry);
/* Make sure we do not double free */
ZERO_STRUCT(entry);
- } while (code != 0);
+ } while (code == 0);

krb5_kt_end_seq_get(context, keytab, &cursor);

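Review bot: the inverted condition is the fix itself (the loop formerly ended after the first successful removal, which is why old entries survived), but `while (code == 0)` now treats every non-zero code as end-of-keytab. krb5_kt_next_entry also returns real errors, so a read failure would end the loop and the cleanup would be reported as successful; suggest stopping on KRB5_KT_END explicitly and returning any other code to the caller, so an administrator invalidating a leaked password gets an error rather than a silent partial cleanup.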
diff --git a/source4/auth/tests/kerberos.c b/source4/auth/tests/kerberos.c
new file mode 100644
index 0000000..703c806
--- /dev/null
+++ b/source4/auth/tests/kerberos.c
@@ -0,0 +1,107 @@
+#include <time.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <stdint.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_proto.h"
+#include "auth/credentials/credentials_krb5.h"
+#include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_util.h"
+
+static void internal_obsolete_keytab_test(int num_principals, int num_kvnos,
+ krb5_kvno kvno, const char *kt_name)
+{
+ krb5_context krb5_ctx;
+ krb5_keytab keytab;
+ krb5_keytab_entry kt_entry;
+ krb5_kt_cursor cursor;
+ krb5_error_code code;
+
+ int i,j;
+ char princ_name[6] = "user0";
+ char expect_princ_name[23] = "***@samba.example.com";
+ bool found_previous;
+ const char *error_str;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ krb5_principal *principals = talloc_zero_array(tmp_ctx,
+ krb5_principal,
+ num_principals);
+ krb5_init_context(&krb5_ctx);
+ krb5_kt_resolve(krb5_ctx, kt_name, &keytab);
+ ZERO_STRUCT(kt_entry);
+
+ for(i=0; i<num_principals; i++) {
+ princ_name[4] = (char)i+48;
+ smb_krb5_make_principal(krb5_ctx, &(principals[i]),
+ "samba.example.com", princ_name, NULL);
+ kt_entry.principal = principals[i];
+ for (j=0; j<num_kvnos; j++) {
+ kt_entry.vno = j+1;
+ krb5_kt_add_entry(krb5_ctx, keytab, &kt_entry);
+ }
+ }
+
+ code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+ assert_int_equal(code, 0);
+ for (i=0; i<num_principals; i++) {
+ expect_princ_name[4] = (char)i+48;
+ for (j=0; j<num_kvnos; j++) {
+ char *unparsed_name;
+ code = krb5_kt_next_entry(krb5_ctx, keytab,
+ &kt_entry, &cursor);
+ assert_int_equal(code, 0);
+ assert_int_equal(kt_entry.vno, j+1);
+ krb5_unparse_name(krb5_ctx, kt_entry.principal,
+ &unparsed_name);
+ assert_string_equal(expect_princ_name, unparsed_name);
+ }
+ }
+
+ smb_krb5_remove_obsolete_keytab_entries(tmp_ctx, krb5_ctx, keytab,
+ num_principals, principals,
+ kvno, &found_previous,
+ &error_str);
+
+ code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+ assert_int_equal(code, 0);
+ for (i=0; i<num_principals; i++) {
+ char *unparsed_name;
+ expect_princ_name[4] = (char)i+48;
+ code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+ assert_int_equal(code, 0);
+ assert_int_equal(kt_entry.vno, kvno-1);
+ krb5_unparse_name(krb5_ctx, kt_entry.principal, &unparsed_name);
+ assert_string_equal(expect_princ_name, unparsed_name);
+ }
+ code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+ assert_int_not_equal(code, 0);
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_many(void **state)
+{
+ internal_obsolete_keytab_test(5, 4, (krb5_kvno)5, "MEMORY:LOL2");
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_one(void **state)
+{
+ internal_obsolete_keytab_test(1, 2, (krb5_kvno)3, "MEMORY:LOL");
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_one),
+ cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_many),
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
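Review bot: the return codes of `krb5_init_context`, `krb5_kt_resolve`, `smb_krb5_make_principal`, `krb5_kt_add_entry` and `smb_krb5_remove_obsolete_keytab_entries` are all ignored, so a setup failure surfaces later as a confusing assertion; wrap each in assert_int_equal (and check `error_str`). The `char expect_princ_name[23]` initialiser is obfuscated in this listing, but if the principal string is exactly 23 characters C silently drops the terminating NUL and assert_string_equal reads past the array; drop the explicit size or leave room for the terminator. `princ_name[4] = (char)i+48` only produces valid names for i < 10, which the two callers respect but a comment or assert would make explicit.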
diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
index f750861..d3452d2 100644
--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -42,6 +42,12 @@ bld.SAMBA_SUBSYSTEM('auth4_sam',
deps=''
)

+bld.SAMBA_BINARY('test_kerberos',
+ source='tests/kerberos.c',
+ deps='cmocka authkrb5 krb5samba com_err CREDENTIALS_KRB5',
+ local_include=False,
+ install=False
+ )

for env in bld.gen_python_environments():
pytalloc_util = bld.pyembed_libname('pytalloc-util')
--
Samba Shared Repository
Andreas Schneider
2018-05-15 19:13:02 UTC
The branch, master has been updated
via e838d8a winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)
from 8bd67c5 auth: keytab invalidation fix

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e838d8a5c2c0f1c91abb21bca908dbb0b2e2fba4
Author: Volker Lendecke <***@samba.org>
Date: Tue May 15 13:40:36 2018 +0200

winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Tue May 15 21:12:33 CEST 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/winbindd/winbindd_pam.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index ff40ab5..a7e1681 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -989,6 +989,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
struct netr_SamInfo3 *my_info3;
time_t kickoff_time, must_change_time;
bool password_good = false;
+ bool ok;
#ifdef HAVE_KRB5
struct winbindd_tdc_domain *tdc_domain = NULL;
#endif
@@ -1001,11 +1002,14 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,

/* Parse domain and username */

- parse_domain_user(state->request->data.auth.user,
- name_namespace,
- name_domain,
- name_user);
-
+ ok = parse_domain_user(state->request->data.auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ DBG_DEBUG("parse_domain_user failed\n");
+ return NT_STATUS_NO_SUCH_USER;
+ }

if (!lookup_cached_name(name_namespace,
name_domain,
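Review bot: returning NT_STATUS_NO_SUCH_USER when the name cannot be parsed is a sensible fail-closed choice for the cached-auth path; the `DBG_DEBUG("parse_domain_user failed\n")` line would be more useful for troubleshooting if it included the unparsable `state->request->data.auth.user` value, as it is already at debug level.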
--
Samba Shared Repository
Andrew Bartlett
2018-05-15 21:59:02 UTC
The branch, master has been updated
via 5ebe318 selftest: Make setexpiry test much more reliable
via 72e18d6 samba-tool domain: Split out common options between dcpromo and join
via f55eab6 samba-tool domain: Create a common --use-ntvfs option for provision, join, dcpromo and classicupgrade
via d5d8589 samba-tool domain: Extend --backend-store to join and dcpromo by moving to common options
via 53c2ed5 samba-tool domain: Extend --plaintext-secrets to dcpromo by moving to common options
via b2002b6 samba-tool domain: Add --machinepass to common options
via 5ba0f55 samba-tool domain: Add --quiet to common options
via 18aa654 samba-tool domain: Create a common set of options for provision/join/dcpromo
via 28469c0 samba-tool domain provision: Move more OpenLDAP options behind TEST_LDAP
from e838d8a winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5ebe3183fded1ab060ed60baeedeac859d0c137e
Author: Andrew Bartlett <***@samba.org>
Date: Tue May 15 12:26:03 2018 +1200

selftest: Make setexpiry test much more reliable

Rather than setting all the expiries and expecting that they will be done within 5 seconds,
measure and check the time individually for each record.

This should make this test much less prone to flapping.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue May 15 23:58:17 CEST 2018 on sn-devel-144

commit 72e18d671c48045cbc162e0650926e4038fcbb3f
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:49:23 2018 +1200

samba-tool domain: Split out common options between dcpromo and join

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit f55eab600fef592204056823ea82d89c11bd0bef
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:30:17 2018 +1200

samba-tool domain: Create a common --use-ntvfs option for provision, join, dcpromo and classicupgrade

The NTVFS fileserver mode is still integral to the selftest system (often simply used to
make the rest of the command run and not fuss with POSIX ACLs and permissions).

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit d5d8589f353974fb63caf71ba1d1fdc6f5b453ab
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:23:24 2018 +1200

samba-tool domain: Extend --backend-store to join and dcpromo by moving to common options

This allows the choice of ldb backend for a domain join as well as a new provision.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 53c2ed566c19a719caa8d302bbca1ef92a88a29f
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:22:23 2018 +1200

samba-tool domain: Extend --plaintext-secrets to dcpromo by moving to common options

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit b2002b67b809e847d78f8d52d0eae041be61e897
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:06:13 2018 +1200

samba-tool domain: Add --machinepass to common options

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 5ba0f55e9a63c035632956dfa5033233b3b83739
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:04:28 2018 +1200

samba-tool domain: Add --quiet to common options

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 18aa6541c980d8a1be254422940a8d40ae5294cd
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 11:02:46 2018 +1200

samba-tool domain: Create a common set of options for provision/join/dcpromo

These commands share much in common, so the options should be in common as well.

Start with --targetdir.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 28469c0ad4602a0dd4127792a271d293fdcf6a1f
Author: Andrew Bartlett <***@samba.org>
Date: Mon May 14 10:19:58 2018 +1200

samba-tool domain provision: Move more OpenLDAP options behind TEST_LDAP

These options controlled the historical LDAP backend; they should not be left
to confuse other users.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
python/samba/join.py | 23 ++++--
python/samba/netcmd/domain.py | 140 +++++++++++++++++-----------------
python/samba/tests/samba_tool/user.py | 5 +-
3 files changed, 86 insertions(+), 82 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index e164d9b..dc6d234 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -57,7 +57,7 @@ class dc_join(object):
netbios_name=None, targetdir=None, domain=None,
machinepass=None, use_ntvfs=False, dns_backend=None,
promote_existing=False, clone_only=False,
- plaintext_secrets=False):
+ plaintext_secrets=False, backend_store=None):
if site is None:
site = "Default-First-Site-Name"

@@ -70,6 +70,7 @@ class dc_join(object):
ctx.targetdir = targetdir
ctx.use_ntvfs = use_ntvfs
ctx.plaintext_secrets = plaintext_secrets
+ ctx.backend_store = backend_store

ctx.promote_existing = promote_existing
ctx.promote_from_dn = None
@@ -849,7 +850,9 @@ class dc_join(object):
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
sitename=ctx.site, lp=ctx.lp, ntdsguid=ctx.ntds_guid,
use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend,
- plaintext_secrets=ctx.plaintext_secrets)
+ plaintext_secrets=ctx.plaintext_secrets,
+ backend_store=ctx.backend_store
+ )
print("Provision OK for domain DN %s" % presult.domaindn)
ctx.local_samdb = presult.samdb
ctx.lp = presult.lp
@@ -1411,12 +1414,13 @@ class dc_join(object):
def join_RODC(logger=None, server=None, creds=None, lp=None, site=None, netbios_name=None,
targetdir=None, domain=None, domain_critical_only=False,
machinepass=None, use_ntvfs=False, dns_backend=None,
- promote_existing=False, plaintext_secrets=False):
+ promote_existing=False, plaintext_secrets=False,
+ backend_store=None):
"""Join as a RODC."""

ctx = dc_join(logger, server, creds, lp, site, netbios_name, targetdir, domain,
machinepass, use_ntvfs, dns_backend, promote_existing,
- plaintext_secrets)
+ plaintext_secrets, backend_store=backend_store)

lp.set("workgroup", ctx.domain_name)
logger.info("workgroup is %s" % ctx.domain_name)
@@ -1463,11 +1467,12 @@ def join_RODC(logger=None, server=None, creds=None, lp=None, site=None, netbios_
def join_DC(logger=None, server=None, creds=None, lp=None, site=None, netbios_name=None,
targetdir=None, domain=None, domain_critical_only=False,
machinepass=None, use_ntvfs=False, dns_backend=None,
- promote_existing=False, plaintext_secrets=False):
+ promote_existing=False, plaintext_secrets=False,
+ backend_store=None):
"""Join as a DC."""
ctx = dc_join(logger, server, creds, lp, site, netbios_name, targetdir, domain,
machinepass, use_ntvfs, dns_backend, promote_existing,
- plaintext_secrets)
+ plaintext_secrets, backend_store=backend_store)

lp.set("workgroup", ctx.domain_name)
logger.info("workgroup is %s" % ctx.domain_name)
@@ -1513,10 +1518,12 @@ def join_clone(logger=None, server=None, creds=None, lp=None,
def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
netbios_name=None, targetdir=None, parent_domain=None, dnsdomain=None,
netbios_domain=None, machinepass=None, adminpass=None, use_ntvfs=False,
- dns_backend=None, plaintext_secrets=False):
+ dns_backend=None, plaintext_secrets=False,
+ backend_store=None):
"""Join as a DC."""
ctx = dc_join(logger, server, creds, lp, site, netbios_name, targetdir, parent_domain,
- machinepass, use_ntvfs, dns_backend, plaintext_secrets)
+ machinepass, use_ntvfs, dns_backend, plaintext_secrets,
+ backend_store=backend_store)
ctx.subdomain = True
if adminpass is None:
ctx.adminpass = samba.generate_random_password(12, 32)
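Review bot: in this call neither `promote_existing` nor `clone_only` is passed, so the positional `plaintext_secrets` lands in dc_join's `promote_existing` slot and a subdomain join with --plaintext-secrets would set promote_existing instead; pass `plaintext_secrets=plaintext_secrets` by keyword alongside the new `backend_store=backend_store`.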
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index cb2b1cc..24159fc 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -105,6 +105,41 @@ string_version_to_constant = {
"2012_R2": DS_DOMAIN_FUNCTION_2012_R2,
}

+common_provision_join_options = [
+ Option("--machinepass", type="string", metavar="PASSWORD",
+ help="choose machine password (otherwise random)"),
+ Option("--plaintext-secrets", action="store_true",
+ help="Store secret/sensitive values as plain text on disk" +
+ "(default is to encrypt secret/ensitive values)"),
+ Option("--backend-store", type="choice", metavar="BACKENDSTORE",
+ choices=["tdb", "mdb"],
+ help="Specify the database backend to be used "
+ "(default is %s)" % get_default_backend_store()),
+ Option("--targetdir", metavar="DIR",
+ help="Set target directory (where to store provision)", type=str),
+ Option("--quiet", help="Be quiet", action="store_true"),
+]
+
+common_join_options = [
+ Option("--server", help="DC to join", type=str),
+ Option("--site", help="site to join", type=str),
+ Option("--domain-critical-only",
+ help="only replicate critical domain objects",
+ action="store_true"),
+ Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
+ choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
+ help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
+ "BIND9_DLZ uses samba4 AD to store zone information, "
+ "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
+ default="SAMBA_INTERNAL"),
+ Option("--verbose", help="Be verbose", action="store_true")
+]
+
+common_ntvfs_options = [
+ Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
+ action="store_true")
+]
+
def get_testparm_var(testparm, smbconf, varname):
errfile = open(os.devnull, 'w')
p = subprocess.Popen([testparm, '-s', '-l',
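Review bot: the --plaintext-secrets help text in common_provision_join_options concatenates `"...as plain text on disk" + "(default ..."` without a separating space and misspells "sensitive" as "ensitive", so it renders as `on disk(default is to encrypt secret/ensitive values)`; the `+` is also unnecessary, as adjacent string literals concatenate on their own.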
@@ -210,8 +245,6 @@ class cmd_domain_provision(Command):
help="choose admin password (otherwise random)"),
Option("--krbtgtpass", type="string", metavar="PASSWORD",
help="choose krbtgt password (otherwise random)"),
- Option("--machinepass", type="string", metavar="PASSWORD",
- help="choose machine password (otherwise random)"),
Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
@@ -221,20 +254,14 @@ class cmd_domain_provision(Command):
default="SAMBA_INTERNAL"),
Option("--dnspass", type="string", metavar="PASSWORD",
help="choose dns password (otherwise random)"),
- Option("--ldapadminpass", type="string", metavar="PASSWORD",
- help="choose password to set between Samba and its LDAP backend (otherwise random)"),
Option("--root", type="string", metavar="USERNAME",
help="choose 'root' unix username"),
Option("--nobody", type="string", metavar="USERNAME",
help="choose 'nobody' user"),
Option("--users", type="string", metavar="GROUPNAME",
help="choose 'users' group"),
- Option("--quiet", help="Be quiet", action="store_true"),
Option("--blank", action="store_true",
help="do not add users or groups, just the structure"),
- Option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
- help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
- choices=["fedora-ds", "openldap"]),
Option("--server-role", type="choice", metavar="ROLE",
choices=["domain controller", "dc", "member server", "member", "standalone"],
help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
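Review bot: `--ldapadminpass` and `--ldap-backend-type` move into `openldap_options`, which is only appended to `takes_options` inside the `os.getenv('TEST_LDAP', "no") == "yes"` guard further down, so in a normal build `samba-tool domain provision --ldapadminpass ...` now fails as an unknown option. That matches the `DO NOT USE` help text, but it is a user-visible change and should be stated in the commit message or WHATSNEW rather than implied by a refactor.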
@@ -251,21 +278,17 @@ class cmd_domain_provision(Command):
help="The initial nextRid value (only needed for upgrades). Default is 1000."),
Option("--partitions-only",
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true"),
- Option("--targetdir", type="string", metavar="DIR",
- help="Set target directory"),
- Option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
- help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\""),
Option("--use-rfc2307", action="store_true", help="Use AD to store posix attributes (default = no)"),
- Option("--plaintext-secrets", action="store_true",
- help="Store secret/sensitive values as plain text on disk" +
- "(default is to encrypt secret/ensitive values)"),
- Option("--backend-store", type="choice", metavar="BACKENDSTORE",
- choices=["tdb", "mdb"],
- help="Specify the database backend to be used "
- "(default is %s)" % get_default_backend_store()),
]

openldap_options = [
+ Option("--ldapadminpass", type="string", metavar="PASSWORD",
+ help="choose password to set between Samba and its LDAP backend (otherwise random)"),
+ Option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
+ help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
+ choices=["fedora-ds", "openldap"]),
+ Option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
+ help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\""),
Option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE",
action="store_true"),
Option("--slapd-path", type="string", metavar="SLAPD-PATH",
@@ -277,7 +300,6 @@ class cmd_domain_provision(Command):
]

ntvfs_options = [
- Option("--use-ntvfs", action="store_true", help="Use NTVFS for the fileserver (default = no)"),
Option("--use-xattrs", type="choice", choices=["yes","no","auto"],
metavar="[yes|no|auto]",
help="Define if we should use the native fs capabilities or a tdb file for "
@@ -286,11 +308,14 @@ class cmd_domain_provision(Command):
default="auto")
]

+ takes_options.extend(common_provision_join_options)
+
if os.getenv('TEST_LDAP', "no") == "yes":
takes_options.extend(openldap_options)

if samba.is_ntvfs_fileserver_built():
- takes_options.extend(ntvfs_options)
+ takes_options.extend(common_ntvfs_options)
+ takes_options.extend(ntvfs_options)

takes_args = []

@@ -563,31 +588,13 @@ class cmd_domain_dcpromo(Command):
"credopts": options.CredentialsOptions,
}

- takes_options = [
- Option("--server", help="DC to join", type=str),
- Option("--site", help="site to join", type=str),
- Option("--targetdir", help="where to store provision", type=str),
- Option("--domain-critical-only",
- help="only replicate critical domain objects",
- action="store_true"),
- Option("--machinepass", type=str, metavar="PASSWORD",
- help="choose machine password (otherwise random)"),
- Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
- choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
- help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
- "BIND9_DLZ uses samba4 AD to store zone information, "
- "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
- default="SAMBA_INTERNAL"),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true")
- ]
+ takes_options = []
+ takes_options.extend(common_join_options)

- ntvfs_options = [
- Option("--use-ntvfs", action="store_true", help="Use NTVFS for the fileserver (default = no)"),
- ]
+ takes_options.extend(common_provision_join_options)

if samba.is_ntvfs_fileserver_built():
- takes_options.extend(ntvfs_options)
+ takes_options.extend(common_ntvfs_options)


takes_args = ["domain", "role?"]
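Review bot: `takes_options = []` followed by two `extend()` calls can be one expression, `takes_options = common_join_options + common_provision_join_options`, which also makes the resulting order visible at a glance; note that dcpromo now lists the join options before the provision/join ones, while cmd_domain_provision and cmd_domain_join put their class-specific options first, so `--help` output is ordered differently across the three commands.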
@@ -596,7 +603,8 @@ class cmd_domain_dcpromo(Command):
versionopts=None, server=None, site=None, targetdir=None,
domain_critical_only=False, parent_domain=None, machinepass=None,
use_ntvfs=False, dns_backend=None,
- quiet=False, verbose=False):
+ quiet=False, verbose=False, plaintext_secrets=False,
+ backend_store=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
net = Net(creds, lp, server=credopts.ipaddress)
@@ -620,13 +628,15 @@ class cmd_domain_dcpromo(Command):
domain_critical_only=domain_critical_only,
machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend,
- promote_existing=True)
+ promote_existing=True, plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
elif role == "RODC":
join_RODC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
site=site, netbios_name=netbios_name, targetdir=targetdir,
domain_critical_only=domain_critical_only,
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
- promote_existing=True)
+ promote_existing=True, plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
else:
raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)
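Review bot: passing `plaintext_secrets=plaintext_secrets` into `join_DC()` and `join_RODC()` means `samba-tool domain dcpromo` can now, for the first time, store the promoted DC's secrets unencrypted on disk; since `--plaintext-secrets` arrives through the shared list with no dcpromo-specific wording, add a sentence to the help text or WHATSNEW saying the option applies to dcpromo as well as join. Also confirm `join_DC()`/`join_RODC()` in python/samba/join.py already accept `backend_store`, as that file is not part of this diff.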

@@ -643,34 +653,18 @@ class cmd_domain_join(Command):
}

takes_options = [
- Option("--server", help="DC to join", type=str),
- Option("--site", help="site to join", type=str),
- Option("--targetdir", help="where to store provision", type=str),
Option("--parent-domain", help="parent domain to create subdomain under", type=str),
- Option("--domain-critical-only",
- help="only replicate critical domain objects",
- action="store_true"),
- Option("--machinepass", type=str, metavar="PASSWORD",
- help="choose machine password (otherwise random)"),
Option("--adminpass", type="string", metavar="PASSWORD",
help="choose adminstrator password when joining as a subdomain (otherwise random)"),
- Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
- choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
- help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
- "BIND9_DLZ uses samba4 AD to store zone information, "
- "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
- default="SAMBA_INTERNAL"),
- Option("--plaintext-secrets", action="store_true",
- help="Store secret/sensitive values as plain text on disk" +
- "(default is to encrypt secret/ensitive values)"),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true")
]

ntvfs_options = [
Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
action="store_true")
]
+ takes_options.extend(common_join_options)
+ takes_options.extend(common_provision_join_options)
+
if samba.is_ntvfs_fileserver_built():
takes_options.extend(ntvfs_options)

@@ -680,7 +674,9 @@ class cmd_domain_join(Command):
versionopts=None, server=None, site=None, targetdir=None,
domain_critical_only=False, parent_domain=None, machinepass=None,
use_ntvfs=False, dns_backend=None, adminpass=None,
- quiet=False, verbose=False, plaintext_secrets=False):
+ quiet=False, verbose=False,
+ plaintext_secrets=False,
+ backend_store=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
net = Net(creds, lp, server=credopts.ipaddress)
@@ -713,14 +709,16 @@ class cmd_domain_join(Command):
domain_critical_only=domain_critical_only,
machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend,
- plaintext_secrets=plaintext_secrets)
+ plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
elif role == "RODC":
join_RODC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
site=site, netbios_name=netbios_name, targetdir=targetdir,
domain_critical_only=domain_critical_only,
machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend,
- plaintext_secrets=plaintext_secrets)
+ plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
elif role == "SUBDOMAIN":
if not adminpass:
logger.info("Administrator password will be set randomly!")
@@ -734,7 +732,8 @@ class cmd_domain_join(Command):
targetdir=targetdir, machinepass=machinepass,
use_ntvfs=use_ntvfs, dns_backend=dns_backend,
adminpass=adminpass,
- plaintext_secrets=plaintext_secrets)
+ plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
else:
raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role)
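Review bot: `join_subdomain()` now receives `backend_store=backend_store` like `join_DC()` and `join_RODC()` above, but python/samba/join.py is not shown in this changeset; if that function has not gained the keyword, the SUBDOMAIN role fails with a TypeError only at call time, after the "Administrator password will be set randomly!" message has already been logged. Either add the parameter there in the same commit or cover the SUBDOMAIN path in selftest so the mismatch cannot reach a release.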

@@ -1567,8 +1566,6 @@ class cmd_domain_classicupgrade(Command):
]

ntvfs_options = [
- Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
- action="store_true"),
Option("--use-xattrs", type="choice", choices=["yes","no","auto"],
metavar="[yes|no|auto]",
help="Define if we should use the native fs capabilities or a tdb file for "
@@ -1577,6 +1574,7 @@ class cmd_domain_classicupgrade(Command):
default="auto")
]
if samba.is_ntvfs_fileserver_built():
+ takes_options.extend(common_ntvfs_options)
takes_options.extend(ntvfs_options)

takes_args = ["smbconf"]
diff --git a/python/samba/tests/samba_tool/user.py b/python/samba/tests/samba_tool/user.py
index aaeafee..f99288a 100644
--- a/python/samba/tests/samba_tool/user.py
+++ b/python/samba/tests/samba_tool/user.py
@@ -306,9 +306,9 @@ class UserCmdTestCase(SambaToolCmdTest):


def test_setexpiry(self):
- twodays = time.time() + (2 * 24 * 60 * 60)
-
for user in self.users:
+ twodays = time.time() + (2 * 24 * 60 * 60)
+
(result, out, err) = self.runsubcmd("user", "setexpiry", user["name"],
"--days=2",
"-H", "ldap://%s" % os.environ["DC_SERVER"],
@@ -316,7 +316,6 @@ class UserCmdTestCase(SambaToolCmdTest):
self.assertCmdSuccess(result, out, err, "Can we run setexpiry with names")
self.assertIn("Expiry for user '%s' set to 2 days." % user["name"], out)

- for user in self.users:
found = self._find_user(user["name"])

expires = nttime2unix(int("%s" % found.get("accountExpires")))
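Review bot: folding the verification into the same loop iteration as the `setexpiry` call is what makes this test reliable: `twodays` is taken immediately before the command and `expires` is read straight after it for the same user, instead of setting all users first and checking them later. The comparison that follows `expires = nttime2unix(...)` (below the cut) still spans a `runsubcmd` round trip, so it must allow a tolerance of a few seconds relative to `twodays` rather than exact equality, or it will stay flaky on a loaded autobuild host.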
--
Samba Shared Repository
Andrew Bartlett
2018-05-16 01:27:02 UTC
Permalink
The branch, master has been updated
via c7a3ce9 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
via fc1c5bd s4:selftest: run test_ldb_simple.sh with more auth options
via 7f2bebf auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
from 5ebe318 selftest: Make setexpiry test much more reliable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa
Author: Stefan Metzmacher <***@samba.org>
Date: Mon May 7 14:50:27 2018 +0200

auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server

This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.

This fixes a regression in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144

commit fc1c5bd3be2c3f90eab2f31e43cf053f7ff13782
Author: Stefan Metzmacher <***@samba.org>
Date: Wed May 9 13:33:05 2018 +0200

s4:selftest: run test_ldb_simple.sh with more auth options

This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE
handling in our LDAP server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d
Author: Stefan Metzmacher <***@samba.org>
Date: Wed May 9 13:30:13 2018 +0200

auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option

This will be used to simulate a Windows client only
using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
on an LDAP connection, which is indicated internally by
GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
auth/ntlmssp/gensec_ntlmssp_server.c | 19 -------------------
auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++-------
auth/ntlmssp/ntlmssp_server.c | 8 ++++++++
source4/selftest/tests.py | 7 +++++++
4 files changed, 32 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index c0e6cff..ab92f4d 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;

- if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
- if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
- /*
- * We need to handle NTLMSSP_NEGOTIATE_SIGN as
- * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
- * is requested.
- */
- ntlmssp_state->force_wrap_seal = true;
- }
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- }

if (role == ROLE_STANDALONE) {
ntlmssp_state->server.is_standalone = true;
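Review bot: deleting the whole `want_features` block leaves `neg_flags` with `NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL` set unconditionally two lines above, so the server keeps advertising both and the only thing that moves is the `GENSEC_FEATURE_LDAP_STYLE` decision, which at `gensec_ntlmssp_server_start()` time cannot know what the client will actually negotiate; that is the right call. The deletion leaves two consecutive blank lines between `NTLMSSP_NEGOTIATE_SEAL;` and `if (role == ROLE_STANDALONE)`; drop one.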
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 7dcf235..ab406a2 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -869,13 +869,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
- /*
- * We want also work against old Samba servers
- * which didn't had GENSEC_FEATURE_LDAP_STYLE
- * we negotiate SEAL too. We may remove this
- * in a few years. As all servers should have
- * GENSEC_FEATURE_LDAP_STYLE by then.
- */
+ }
+ }
+ if (ntlmssp_state->force_wrap_seal) {
+ bool ret;
+
+ /*
+ * We want also work against old Samba servers
+ * which didn't had GENSEC_FEATURE_LDAP_STYLE
+ * we negotiate SEAL too. We may remove this
+ * in a few years. As all servers should have
+ * GENSEC_FEATURE_LDAP_STYLE by then.
+ */
+ ret = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
+ "ldap_style_send_seal",
+ true);
+ if (ret) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
}
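Review bot: `ntlmssp_client:ldap_style_send_seal` is a new, undocumented setting whose `no` value makes the client negotiate SIGN without SEAL on LDAP, which against a server lacking the fix in this series reproduces the "NTLM2 packet check failed" error; please say in the commit message, or in a comment beside the `gensec_setting_bool()` call, that it exists for selftest only and is not a supported smb.conf parameter, so nobody later reads it as a hardening knob. Renaming `ret` to `send_seal` would also make the `if (ret)` branch self-explanatory.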
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 37ed2bc..140e89d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
data_blob_free(&ntlmssp_state->challenge_blob);

if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+ /*
+ * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+ * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+ * is requested.
+ */
+ ntlmssp_state->force_wrap_seal = true;
+ }
nt_status = ntlmssp_sign_init(ntlmssp_state);
}
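Review bot: setting `force_wrap_seal` in `ntlmssp_server_postauth()` only when `gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)` holds means the LDAP-style decision is now taken on the flags the client actually negotiated, which is what the server start path could not do. Check that both directions honour `force_wrap_seal`: the client in bug 13427 negotiates SIGN only but sends sealed PDUs, so `ntlmssp_sign_init()` and the unwrap/check path must decrypt incoming data as well as seal outgoing data, otherwise the signature failure just moves.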

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 88af607..9740118 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -113,6 +113,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
'--option=clientldapsaslwrapping=plain',
'--sign',
'--encrypt',
+ '-k yes --option=clientldapsaslwrapping=plain',
+ '-k yes --sign',
+ '-k yes --encrypt',
+ '-k no --option=clientldapsaslwrapping=plain',
+ '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no',
+ '-k no --sign',
+ '-k no --encrypt',
]

for auth_option in auth_options:
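Review bot: among the seven new entries only `-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no` exercises the server-side change in ntlmssp_server.c; the other six pass with or without the fix. Mark that entry with a comment naming bug 13427, because the client comment says the SEAL fallback (and with it this option) may be removed in a few years, and the regression test should not vanish with it.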
--
Samba Shared Repository
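The Windows quirk described in the commit message above (on an LDAP connection, an NTLMSSP peer that negotiated only SIGN still seals the PDUs), as an added example that is not part of the original post or of Samba's code: a small Python decoder that pulls NegotiateFlags out of raw NTLMSSP NEGOTIATE, CHALLENGE and AUTHENTICATE messages at the offsets MS-NLMP defines, lists the bits by name, and reports whether the peer will sign, seal or do neither, with an `ldap_style` switch that models GENSEC_FEATURE_LDAP_STYLE. The flag constants are the MS-NLMP values under Samba's names; the sample token, the `SIGN_ONLY_FLAGS` set and every function name are constructed for this example.

```python
"""Decode NegotiateFlags from raw NTLMSSP messages and apply the LDAP-style
rule from commit c7a3ce9 (SIGN alone behaves like SEAL on LDAP).
Added example; not Samba code."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE = 1, 2, 3

# NegotiateFlags bits from MS-NLMP 2.2.2.5; names follow Samba's ntlmssp.idl.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
NTLMSSP_NEGOTIATE_56 = 0x80000000

FLAG_NAMES = {
    NTLMSSP_NEGOTIATE_UNICODE: "NTLMSSP_NEGOTIATE_UNICODE",
    NTLMSSP_NEGOTIATE_OEM: "NTLMSSP_NEGOTIATE_OEM",
    NTLMSSP_REQUEST_TARGET: "NTLMSSP_REQUEST_TARGET",
    NTLMSSP_NEGOTIATE_SIGN: "NTLMSSP_NEGOTIATE_SIGN",
    NTLMSSP_NEGOTIATE_SEAL: "NTLMSSP_NEGOTIATE_SEAL",
    NTLMSSP_NEGOTIATE_NTLM: "NTLMSSP_NEGOTIATE_NTLM",
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    NTLMSSP_NEGOTIATE_NTLM2: "NTLMSSP_NEGOTIATE_NTLM2",
    NTLMSSP_NEGOTIATE_128: "NTLMSSP_NEGOTIATE_128",
    NTLMSSP_NEGOTIATE_KEY_EXCH: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    NTLMSSP_NEGOTIATE_56: "NTLMSSP_NEGOTIATE_56",
}

# Byte offset of NegotiateFlags per message type (MS-NLMP 2.2.1.1 to 2.2.1.3):
# it follows Signature(8), MessageType(4) and the fixed-size fields in front.
_FLAGS_OFFSET = {NEGOTIATE_MESSAGE: 12, CHALLENGE_MESSAGE: 20, AUTHENTICATE_MESSAGE: 60}


def parse_negotiate_flags(msg):
    """Return (message_type, negotiate_flags) from a raw NTLMSSP message.

    Raises ValueError for anything that is not a well-formed NTLMSSP header,
    so a caller inspecting a SASL token fails closed instead of guessing.
    """
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    offset = _FLAGS_OFFSET.get(msg_type)
    if offset is None:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    if len(msg) < offset + 4:
        raise ValueError("message truncated before NegotiateFlags")
    (flags,) = struct.unpack_from("<I", msg, offset)
    return msg_type, flags


def flag_names(flags):
    """Names of the known bits set in flags, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def wrap_mode(flags, ldap_style):
    """What the peer does to PDUs after authentication: 'seal', 'sign' or 'none'.

    ldap_style=True models GENSEC_FEATURE_LDAP_STYLE: on LDAP a negotiated
    SIGN without SEAL is still treated as SEAL, matching Windows.
    """
    if flags & NTLMSSP_NEGOTIATE_SEAL:
        return "seal"
    if flags & NTLMSSP_NEGOTIATE_SIGN:
        return "seal" if ldap_style else "sign"
    return "none"


def build_negotiate_message(flags):
    """Constructed minimal NEGOTIATE_MESSAGE: header, flags, empty DomainName
    and Workstation fields (Len, MaxLen, BufferOffset), no Version block."""
    empty_field = struct.pack("<HHI", 0, 0, 0)
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
            + empty_field + empty_field)


# Constructed flag set for a client asking for signing but not sealing,
# the case behind bug 13427 ('-k no --sign' with ldap_style_send_seal=no).
SIGN_ONLY_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
                   | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_NTLM
                   | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_NTLM2
                   | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH
                   | NTLMSSP_NEGOTIATE_56)


def classify(msg, ldap_style):
    """Parse a message and report (message_type, flag names, wrap mode)."""
    msg_type, flags = parse_negotiate_flags(msg)
    return msg_type, flag_names(flags), wrap_mode(flags, ldap_style)


if __name__ == "__main__":
    token = build_negotiate_message(SIGN_ONLY_FLAGS)
    for ldap in (False, True):
        msg_type, names, mode = classify(token, ldap_style=ldap)
        print("type=%d ldap_style=%s -> %s" % (msg_type, ldap, mode))
        print("  " + ", ".join(names))
```

Run stand-alone it classifies the same flag set as `sign` off LDAP and `seal` on LDAP; pointing `classify()` at the NTLMSSP token carried in an LDAP SASL bind captured from a real client tells you whether that client is one a Samba server without this fix would reject with the "NTLM2 packet check failed" error.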
Andrew Bartlett
2018-05-16 05:03:02 UTC
Permalink
The branch, master has been updated
via 472dca2 debug: Add group logging classes
via dfa341c smb.conf: Add dsdb group change notification parameter
via 0c6cb46 messaging idl add group membership events
via 2d47f9e auth_log: Rename the json variables
via c15fc14 auth_log: tidy up code formatting
via 7509727 auth_log: Use common code from audit_logging
via 36800d0 idl messaging: Add DSDB and Password events and message types
via 5d06812 smb conf: Add DSDB event notification parameter
via 2ba55f8 logging: add ldb audit classes
via 74cf8f5 auth logging: Extract common audit logging code
from c7a3ce9 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 472dca29055e02b97684e1d174e688aba2e83b7d
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Mon Apr 23 12:24:34 2018 +1200

debug: Add group logging classes

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Wed May 16 07:02:20 CEST 2018 on sn-devel-144

commit dfa341c1eb2d952adccce6b8f65d6d2ab02112aa
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Mon Apr 23 09:00:54 2018 +1200

smb.conf: Add dsdb group change notification parameter

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 0c6cb4639aba69262a1ad0d098aadb181035e79b
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Mon Apr 23 08:49:26 2018 +1200

messaging idl add group membership events

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 2d47f9e160a3982b21293013b2f66999b62deab8
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Mon Apr 16 09:29:04 2018 +1200

auth_log: Rename the json variables

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit c15fc1442bd9fb0bc7753e3d67f88364653e06de
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Tue Apr 10 11:57:41 2018 +1200

auth_log: tidy up code formatting

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 75097275a705dbfa1ff8f75b701e2968c716eaa8
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Tue Apr 10 11:45:32 2018 +1200

auth_log: Use common code from audit_logging

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 36800d0903dcb7a8ebb12a347eb1dbbd038adba8
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Thu Apr 12 13:19:16 2018 +1200

idl messaging: Add DSDB and Password events and message types

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 5d068123f134e7c7f6ad2433720ba94e18d4f8b5
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Thu Apr 12 10:19:16 2018 +1200

smb conf: Add DSDB event notification parameter

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 2ba55f81a9514a9e8adc6904e58d166c98aecaa7
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Wed Apr 4 11:56:30 2018 +1200

logging: add ldb audit classes

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 74cf8f5e3b991292ae592a0786e01914ca162caf
Author: Gary Lockyer <***@catalyst.net.nz>
Date: Tue Apr 10 06:45:47 2018 +1200

auth logging: Extract common audit logging code

Extract the common audit logging code into a library to allow its
re-use in other logging modules.

Signed-off-by: Gary Lockyer <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
auth/auth_log.c | 663 +++++-------------
auth/wscript_build | 2 +-
docs-xml/smbdotconf/logging/loglevel.xml | 28 +-
.../dsdbeventnotification.xml} | 13 +-
.../dsdbgroupchangenotification.xml} | 13 +-
.../dsdbpasswordeventnotification.xml} | 19 +-
lib/audit_logging/audit_logging.c | 771 +++++++++++++++++++++
lib/audit_logging/audit_logging.h | 89 +++
lib/audit_logging/tests/audit_logging_test.c | 557 +++++++++++++++
lib/audit_logging/wscript_build | 24 +
lib/util/debug.c | 8 +
lib/util/debug.h | 8 +
librpc/idl/messaging.idl | 13 +-
source4/selftest/tests.py | 2 +
wscript_build | 1 +
15 files changed, 1695 insertions(+), 516 deletions(-)
copy docs-xml/smbdotconf/{logon/autheventnotification.xml => misc/dsdbeventnotification.xml} (69%)
copy docs-xml/smbdotconf/{logon/autheventnotification.xml => misc/dsdbgroupchangenotification.xml} (69%)
copy docs-xml/smbdotconf/{logon/autheventnotification.xml => misc/dsdbpasswordeventnotification.xml} (55%)
create mode 100644 lib/audit_logging/audit_logging.c
create mode 100644 lib/audit_logging/audit_logging.h
create mode 100644 lib/audit_logging/tests/audit_logging_test.c
create mode 100644 lib/audit_logging/wscript_build


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c
index 97b6537..87daf2f 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -57,48 +57,7 @@
#include "lib/util/server_id_db.h"
#include "lib/param/param.h"
#include "librpc/ndr/libndr.h"
-
-/*
- * Get a human readable timestamp.
- *
- * Returns the current time formatted as
- * "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
- *
- * The returned string is allocated by talloc in the supplied context.
- * It is the callers responsibility to free it.
- *
- */
-static const char* get_timestamp(TALLOC_CTX *frame)
-{
- char buffer[40]; /* formatted time less usec and timezone */
- char tz[10]; /* formatted time zone */
- struct tm* tm_info; /* current local time */
- struct timeval tv; /* current system time */
- int r; /* response code from gettimeofday */
- const char * ts; /* formatted time stamp */
-
- r = gettimeofday(&tv, NULL);
- if (r) {
- DBG_ERR("Unable to get time of day: (%d) %s\n",
- errno,
- strerror(errno));
- return NULL;
- }
-
- tm_info = localtime(&tv.tv_sec);
- if (tm_info == NULL) {
- DBG_ERR("Unable to determine local time\n");
- return NULL;
- }
-
- strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
- strftime(tz, sizeof(tz)-1, "%Z", tm_info);
- ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
- if (ts == NULL) {
- DBG_ERR("Out of memory formatting time stamp\n");
- }
- return ts;
-}
+#include "lib/audit_logging/audit_logging.h"

/*
* Determine the type of the password supplied for the
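Review bot: `get_timestamp()` is removed together with its `localtime()` call and `lib/audit_logging/audit_logging.h` is included in its place, but nothing in this hunk shows the replacement, so the reader has to trust the header provides an equivalent. If the copy in lib/audit_logging/audit_logging.c still uses `localtime()`, switch it to `localtime_r()` there: the helper is now shared by several logging modules and `localtime()` hands back a single static `struct tm`.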
@@ -113,115 +72,35 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui);
#include "system/time.h"

/*
- * Context required by the JSON generation
- * routines
- *
- */
-struct json_context {
- json_t *root;
- bool error;
-};
-
-static NTSTATUS get_auth_event_server(struct imessaging_context *msg_ctx,
- struct server_id *auth_event_server)
-{
- NTSTATUS status;
- TALLOC_CTX *frame = talloc_stackframe();
- unsigned num_servers, i;
- struct server_id *servers;
-
- status = irpc_servers_byname(msg_ctx, frame,
- AUTH_EVENT_NAME,
- &num_servers, &servers);
-
- if (!NT_STATUS_IS_OK(status)) {
- DBG_NOTICE("Failed to find 'auth_event' registered on the "
- "message bus to send JSON authentication events to: %s\n",
- nt_errstr(status));
- TALLOC_FREE(frame);
- return status;
- }
-
- /*
- * Select the first server that is listening, because
- * we get connection refused as
- * NT_STATUS_OBJECT_NAME_NOT_FOUND without waiting
- */
- for (i = 0; i < num_servers; i++) {
- status = imessaging_send(msg_ctx, servers[i], MSG_PING,
- &data_blob_null);
- if (NT_STATUS_IS_OK(status)) {
- *auth_event_server = servers[i];
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
- }
- DBG_NOTICE("Failed to find a running 'auth_event' server "
- "registered on the message bus to send JSON "
- "authentication events to\n");
- TALLOC_FREE(frame);
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-}
-
-static void auth_message_send(struct imessaging_context *msg_ctx,
- const char *json)
-{
- struct server_id auth_event_server;
- NTSTATUS status;
- DATA_BLOB json_blob = data_blob_string_const(json);
- if (msg_ctx == NULL) {
- return;
- }
-
- /* Need to refetch the address each time as the destination server may
- * have disconnected and reconnected in the interim, in which case
- * messages may get lost, manifests in the auth_log tests
- */
- status = get_auth_event_server(msg_ctx, &auth_event_server);
- if (!NT_STATUS_IS_OK(status)) {
- return;
- }
-
- status = imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
- &json_blob);
-
- /* If the server crashed, try to find it again */
- if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
- status = get_auth_event_server(msg_ctx, &auth_event_server);
- if (!NT_STATUS_IS_OK(status)) {
- return;
- }
- imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
- &json_blob);
-
- }
-}
-
-/*
* Write the json object to the debug logs.
*
*/
static void log_json(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
- struct json_context *context,
- const char *type, int debug_class, int debug_level)
+ struct json_object *object,
+ const char *type,
+ int debug_class,
+ int debug_level)
{
char* json = NULL;

- if (context->error) {
+ if (object->error) {
return;
}

- json = json_dumps(context->root, 0);
+ json = json_dumps(object->root, 0);
if (json == NULL) {
DBG_ERR("Unable to convert JSON object to string\n");
- context->error = true;
+ object->error = true;
return;
}

DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", type, json));
if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
- auth_message_send(msg_ctx, json);
+ audit_message_send(msg_ctx,
+ AUTH_EVENT_NAME,
+ MSG_AUTH_LOG,
+ json);
}

if (json) {
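Review bot: the removed `auth_message_send()` did three things that `audit_message_send(msg_ctx, AUTH_EVENT_NAME, MSG_AUTH_LOG, json)` must keep: return early when `msg_ctx == NULL`, re-resolve the `auth_event` server on every send (the deleted comment explains that messages are lost otherwise), and retry once on `NT_STATUS_OBJECT_NAME_NOT_FOUND` after the server has restarted. Please confirm the library version preserves all three; the `lpcfg_auth_event_notification()` guard around the call is unchanged, so any loss here only shows up as flaky auth_log tests.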
@@ -231,227 +110,6 @@ static void log_json(struct imessaging_context *msg_ctx,
}

/*
- * Create a new json logging context.
- *
- * Free with a call to free_json_context
- *
- */
-static struct json_context get_json_context(void) {
-
- struct json_context context;
- context.error = false;
-
- context.root = json_object();
- if (context.root == NULL) {
- context.error = true;
- DBG_ERR("Unable to create json_object\n");
- }
- return context;
-}
-
-/*
- * free a previously created json_context
- *
- */
-static void free_json_context(struct json_context *context)
-{
- if (context->root) {
- json_decref(context->root);
- }
-}
-
-/*
- * Output a JSON pair with name name and integer value value
- *
- */
-static void add_int(struct json_context *context,
- const char* name,
- const int value)
-{
- int rc = 0;
-
- if (context->error) {
- return;
- }
-
- rc = json_object_set_new(context->root, name, json_integer(value));
- if (rc) {
- DBG_ERR("Unable to set name [%s] value [%d]\n", name, value);
- context->error = true;
- }
-
-}
-
-/*
- * Output a JSON pair with name name and string value value
- *
- */
-static void add_string(struct json_context *context,
- const char* name,
- const char* value)
-{
- int rc = 0;
-
- if (context->error) {
- return;
- }
-
- if (value) {
- rc = json_object_set_new(context->root, name, json_string(value));
- } else {
- rc = json_object_set_new(context->root, name, json_null());
- }
- if (rc) {
- DBG_ERR("Unable to set name [%s] value [%s]\n", name, value);
- context->error = true;
- }
-}
-
-
-/*
- * Output a JSON pair with name name and object value
- *
- */
-static void add_object(struct json_context *context,
- const char* name,
- struct json_context *value)
-{
- int rc = 0;
-
- if (value->error) {
- context->error = true;
- }
- if (context->error) {
- return;
- }
- rc = json_object_set_new(context->root, name, value->root);
- if (rc) {
- DBG_ERR("Unable to add object [%s]\n", name);
- context->error = true;
- }
-}
-
-/*
- * Output a version object
- *
- * "version":{"major":1,"minor":0}
- *
- */
-static void add_version(struct json_context *context, int major, int minor)
-{
- struct json_context version = get_json_context();
- add_int(&version, "major", major);
- add_int(&version, "minor", minor);
- add_object(context, "version", &version);
-}
-
-/*
- * Output the current date and time as a timestamp in ISO 8601 format
- *
- * "timestamp":"2017-03-06T17:18:04.455081+1300"
- *
- */
-static void add_timestamp(struct json_context *context)
-{
- char buffer[40]; /* formatted time less usec and timezone */
- char timestamp[50]; /* the formatted ISO 8601 time stamp */
- char tz[10]; /* formatted time zone */
- struct tm* tm_info; /* current local time */
- struct timeval tv; /* current system time */
- int r; /* response code from gettimeofday */
-
- if (context->error) {
- return;
- }
-
- r = gettimeofday(&tv, NULL);
- if (r) {
- DBG_ERR("Unable to get time of day: (%d) %s\n",
- errno,
- strerror(errno));
- context->error = true;
- return;
- }
-
- tm_info = localtime(&tv.tv_sec);
- if (tm_info == NULL) {
- DBG_ERR("Unable to determine local time\n");
- context->error = true;
- return;
- }
-
- strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
- strftime(tz, sizeof(tz)-1, "%z", tm_info);
- snprintf(timestamp, sizeof(timestamp),"%s.%06ld%s",
- buffer, tv.tv_usec, tz);
- add_string(context,"timestamp", timestamp);
-}
-
-
-/*
- * Output an address pair, with name name.
- *
- * "localAddress":"ipv6::::0"
- *
- */
-static void add_address(struct json_context *context,
- const char *name,
- const struct tsocket_address *address)
-{
- char *s = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
-
- if (context->error) {
- return;
- }
-
- s = tsocket_address_string(address, frame);
- add_string(context, name, s);
- talloc_free(frame);
-
-}
-
-/*
- * Output a SID with name name
- *
- * "sid":"S-1-5-18"
- *
- */
-static void add_sid(struct json_context *context,
- const char *name,
- const struct dom_sid *sid)
-{
- char sid_buf[DOM_SID_STR_BUFLEN];
-
- if (context->error) {
- return;
- }
-
- dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
- add_string(context, name, sid_buf);
-}
-
-/*
- * Add a formatted string representation of a GUID to a json object.
- *
- */
-static void add_guid(struct json_context *context,
- const char *name,
- struct GUID *guid)
-{
-
- char *guid_str;
- struct GUID_txt_buf guid_buff;
-
- if (context->error) {
- return;
- }
-
- guid_str = GUID_buf_string(guid, &guid_buff);
- add_string(context, name, guid_str);
-}
-
-/*
* Write a machine parsable json formatted authentication log entry.
*
* IF removing or changing the format/meaning of a field please update the
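Review bot: in the removed add_address body (the `s = tsocket_address_string(address, frame);` / `add_string(context, name, s);` pair), the result of tsocket_address_string is passed to add_string without a NULL check, and in add_timestamp the return values of both strftime calls are ignored, so a truncated or empty buffer would still be formatted into the timestamp; if these bodies were moved verbatim into the shared json_add_* helpers that replace them, carry a NULL check and a strftime return-value check across in the same series. Also note the removed add_timestamp uses localtime rather than localtime_r, which is not thread-safe, and the comment "Output an address pair, with name name." reads as a typo worth fixing in the new location.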
@@ -472,67 +130,81 @@ static void add_guid(struct json_context *context,
* \t\(.Authentication.localAddress)"'
*/
static void log_authentication_event_json(
- struct imessaging_context *msg_ctx,
- struct loadparm_context *lp_ctx,
- const struct auth_usersupplied_info *ui,
- NTSTATUS status,
- const char *domain_name,
- const char *account_name,
- const char *unix_username,
- struct dom_sid *sid,
- int debug_level)
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct auth_usersupplied_info *ui,
+ NTSTATUS status,
+ const char *domain_name,
+ const char *account_name,
+ const char *unix_username,
+ struct dom_sid *sid,
+ int debug_level)
{
- struct json_context context = get_json_context();
- struct json_context authentication;
+ struct json_object wrapper = json_new_object();
+ struct json_object authentication;
char negotiate_flags[11];

- add_timestamp(&context);
- add_string(&context, "type", AUTH_JSON_TYPE);
-
- authentication = get_json_context();
- add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
- add_string(&authentication, "status", nt_errstr(status));
- add_address(&authentication, "localAddress", ui->local_host);
- add_address(&authentication, "remoteAddress", ui->remote_host);
- add_string(&authentication,
- "serviceDescription",
- ui->service_description);
- add_string(&authentication, "authDescription", ui->auth_description);
- add_string(&authentication, "clientDomain", ui->client.domain_name);
- add_string(&authentication, "clientAccount", ui->client.account_name);
- add_string(&authentication, "workstation", ui->workstation_name);
- add_string(&authentication, "becameAccount", account_name);
- add_string(&authentication, "becameDomain", domain_name);
- add_sid(&authentication, "becameSid", sid);
- add_string(&authentication, "mappedAccount", ui->mapped.account_name);
- add_string(&authentication, "mappedDomain", ui->mapped.domain_name);
- add_string(&authentication,
- "netlogonComputer",
- ui->netlogon_trust_account.computer_name);
- add_string(&authentication,
- "netlogonTrustAccount",
- ui->netlogon_trust_account.account_name);
+ json_add_timestamp(&wrapper);
+ json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
+
+ authentication = json_new_object();
+ json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
+ json_add_string(&authentication, "status", nt_errstr(status));
+ json_add_address(&authentication, "localAddress", ui->local_host);
+ json_add_address(&authentication, "remoteAddress", ui->remote_host);
+ json_add_string(&authentication,
+ "serviceDescription",
+ ui->service_description);
+ json_add_string(&authentication,
+ "authDescription",
+ ui->auth_description);
+ json_add_string(&authentication,
+ "clientDomain",
+ ui->client.domain_name);
+ json_add_string(&authentication,
+ "clientAccount",
+ ui->client.account_name);
+ json_add_string(&authentication,
+ "workstation",
+ ui->workstation_name);
+ json_add_string(&authentication, "becameAccount", account_name);
+ json_add_string(&authentication, "becameDomain", domain_name);
+ json_add_sid(&authentication, "becameSid", sid);
+ json_add_string(&authentication,
+ "mappedAccount",
+ ui->mapped.account_name);
+ json_add_string(&authentication,
+ "mappedDomain",
+ ui->mapped.domain_name);
+ json_add_string(&authentication,
+ "netlogonComputer",
+ ui->netlogon_trust_account.computer_name);
+ json_add_string(&authentication,
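Review bot: the removed helpers each returned early on `context->error`, but every visible `json_add_*` call on the new `wrapper` and `authentication` objects is unconditional and nothing in the hunk checks whether `json_new_object()` succeeded, so please confirm that `struct json_object` carries an equivalent error flag that the `json_add_*` helpers honour, otherwise an allocation failure in `wrapper` could emit a partial JSON log record instead of none. Separately, the `-`/`+` pairs for the `log_authentication_event_json` parameter list differ only in indentation; that whitespace churn would be easier to review as its own commit.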
--
Samba Shared Repository
Amitay Isaacs
2018-05-16 07:52:02 UTC
The branch, master has been updated
via c853a80 ctdb-common: Fix CID 1435600
via 215d844 ctdb-common: Fix CID 1435599
from 472dca2 debug: Add group logging classes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c853a8071a6efafe92e7df608ec636f43aa9d371
Author: Volker Lendecke <***@samba.org>
Date: Tue May 15 13:28:19 2018 +0200

ctdb-common: Fix CID 1435600

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Amitay Isaacs <***@gmail.com>

Autobuild-User(master): Amitay Isaacs <***@samba.org>
Autobuild-Date(master): Wed May 16 09:51:07 CEST 2018 on sn-devel-144

commit 215d8448f0e51c4f5ffdcee6003dcbce4d1440a5
Author: Amitay Isaacs <***@gmail.com>
Date: Tue May 15 19:23:04 2018 +1000

ctdb-common: Fix CID 1435599

Signed-off-by: Amitay Isaacs <***@gmail.com>
Reviewed-by: Volker Lendecke <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
ctdb/common/cmdline.c | 2 +-
ctdb/common/logging.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/cmdline.c b/ctdb/common/cmdline.c
index 2540ce5..ee360d4 100644
--- a/ctdb/common/cmdline.c
+++ b/ctdb/common/cmdline.c
@@ -337,7 +337,7 @@ static int cmdline_match(struct cmdline_context *cmdline)
size_t len;
char *t, *str;
int n = 0;
- bool match;
+ bool match = false;

cmd = &cmdline->commands[i];
len = strlcpy(name, cmd->name, sizeof(name));
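Review bot: `bool match = false;` silences the uninitialized-read report, but the hunk does not show the path on which `match` was read before assignment, and defaulting to false means that path now silently treats the command as not matching rather than being fixed outright; the commit message cites only "CID 1435600", so please add a sentence naming that path (or stating that every path assigns `match` before use) so readers without Coverity access can verify the fix.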
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index 3cc1933..dc8c4f7 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -173,13 +173,12 @@ static bool file_log_validate(const char *option)
dir = dirname(t);

ret = stat(dir, &st);
+ free(t);
if (ret != 0) {
- free(t);
return false;
}

if (! S_ISDIR(st.st_mode)) {
- free(t);
return false;
}
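Review bot: hoisting `free(t);` above the `ret != 0` check closes the leak on the `! S_ISDIR` path, but `dir` was obtained from `dirname(t)`, which may return a pointer into `t` itself, so `dir` is dangling after the free; the remaining visible lines do not dereference it, but adding `dir = NULL;` next to the `free(t);` (or a comment) would keep a later edit from reintroducing a use-after-free.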
--
Samba Shared Repository