Andrew Bartlett [Wed, 8 Dec 2021 01:56:39 +0000 (14:56 +1300)]
selftest: knownfail updates after Heimdal Upgrade
The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.
However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Fri, 18 Jun 2021 07:41:10 +0000 (19:41 +1200)]
selftest: Update SimpleKerberosTests now that Samba supports FAST
Heimdal matches Windows in this respect
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 29 Nov 2021 20:47:32 +0000 (09:47 +1300)]
tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:59:42 +0000 (16:59 +1300)]
s4:kdc: Return PA-SUPPORTED-ENCTYPES
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:59:12 +0000 (16:59 +1300)]
s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 22 Dec 2021 04:08:43 +0000 (17:08 +1300)]
s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 14 Dec 2021 23:30:28 +0000 (12:30 +1300)]
s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 17 Jun 2021 09:27:06 +0000 (21:27 +1200)]
s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests
test as this always expects the salt, which Windows always provides.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Thu, 21 Sep 2017 22:10:02 +0000 (10:10 +1200)]
s4:kdc: cope with upstream rename of configuration parameters.
This copes with the upstream commit:
commit
c757eb7fb04a9b0ca883ddb72c1bc75bf5d814f3
Author: Nicolas Williams <nico@cryptonector.com>
Date: Fri Nov 25 17:21:04 2011 -0600
Rename and fix as/tgs-use-strongest-key config parameters
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
[abartlet@samba.org Researched and updated the commit message]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 18 Sep 2018 01:50:55 +0000 (18:50 -0700)]
s4:kdc: Move calls using the samba4 name to be right after each other
These all need to be in sync
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 18 Sep 2018 01:06:35 +0000 (18:06 -0700)]
s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 20 Sep 2018 02:24:11 +0000 (19:24 -0700)]
s4:kdc/hdb: Store and retrieve a FX-COOKIE value
Note Windows uses the string "MICROSOFT" as cookie,
so it's wrong to have a per DC cookie, but we need to
adjust the Heimdal logic to support that.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 22 Jun 2021 23:35:01 +0000 (11:35 +1200)]
s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.
Including changes selected from code by Stefan Metzmacher <metze@samba.org>
in his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 3 Feb 2016 13:58:47 +0000 (14:58 +0100)]
s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 8 Dec 2021 02:30:12 +0000 (15:30 +1300)]
s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal
In future we need a real configure check for Heimdal 8.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 19 Jan 2022 16:25:00 +0000 (17:25 +0100)]
tests/auth_log: adjust expected authDescription for test_smb_bad_user
With NO_SUCH_USER we don't know if any pre-authentication was requested,
so with the new Heimdal code we now used use "AS-REQ" instead of
assuming ENC-TS Pre-authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Fri, 8 Jan 2016 01:08:18 +0000 (14:08 +1300)]
s4:kdc: Update to match updated Heimdal's new HDB version
Including updates to hook into the improved hdb_auth_status
by Stefan Metzmacher <metze@samba.org> from his Heimdal
upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 1 Dec 2021 22:34:24 +0000 (11:34 +1300)]
s4:kdc: Adapt to use new combined windc interface in lorikeet-heimdal
This interface is as requested by Luke Howard towards possibly merging
this feature.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 23 Jun 2021 00:08:34 +0000 (12:08 +1200)]
s4:kdc: Adapt wamba_wdc_check_client_access() to modern Heimdal
Modern Heimdal falls back to kdc_check_flags() internally
when KRB5_PLUGIN_NO_HANDLE is returned, avoiding the need
to call back into the internal KDC APIs.
Selected from patch by by Stefan Metzmacher <metze@samba.org>
from his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:58:22 +0000 (16:58 +1300)]
s4:kdc: Adapt samba_wdc_check_client_access() to upstream Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 20 May 2015 12:12:59 +0000 (14:12 +0200)]
s4:kdc: Update samba_wdc_check_client_access() to match updated Heimdal
This based on a patch in Debian by Samuel Cabrero <scabrero@zentyal.com> in Debian.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 15 May 2014 07:13:06 +0000 (09:13 +0200)]
s4:kdc: Do not encode the NTSTATUS error into a PA-DATA, just linearlise it
This allows another routine to do the wrapping.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:57:42 +0000 (16:57 +1300)]
s4:kdc: Fix build failure by including <heimbase.h>
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 29 Nov 2021 02:36:37 +0000 (15:36 +1300)]
tests: Update latin1 list and ignored file list for new Heimdal import
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 7 Dec 2021 03:34:54 +0000 (16:34 +1300)]
s4:heimdal_build: changes required to build after import
For libtommath we do this by using the list from makefile.commo
in in libtommath rather than trying to match the list by hand.
This will be easier to maintain over the long term.
Thanks to work over many years by:
- Gary Lockyer <gary@catalyst.net.nz>
- Stefan Metzmacher <metze@samba.org>
- Andrew Bartlett <abartlet@samba.org>
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 24 Dec 2021 00:52:32 +0000 (01:52 +0100)]
s4:heimdal: import lorikeet-heimdal-
202201172009 (commit
5a0b45cd723628b3690ea848548b05771c40f14e)
See
https://git.samba.org/?p=lorikeet-heimdal.git;a=shortlog;h=refs/heads/lorikeet-heimdal-
202201172009
or
https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/tree/lorikeet-heimdal-
202201172009
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 19 Jan 2022 12:26:41 +0000 (13:26 +0100)]
s4:heimdal_build: include heimdal headers relative to heimdal_build
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Fri, 24 Dec 2021 03:57:00 +0000 (16:57 +1300)]
netlogon.idl: Add FAST support bits
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Tue, 18 Jan 2022 09:58:32 +0000 (10:58 +0100)]
gitlab-ci: Use Fedora 34 for Coverity Scan
The Coverity Scan tools are not updated very often and miss support for the
latest gcc build. Lets use Fedora 34 for that and stay behind a bit.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 19 10:49:18 UTC 2022 on sn-devel-184
Volker Lendecke [Sun, 16 Jan 2022 20:50:25 +0000 (21:50 +0100)]
smbd: Remove a duplicate protoype
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 18 21:17:43 UTC 2022 on sn-devel-184
Volker Lendecke [Sun, 16 Jan 2022 20:23:56 +0000 (21:23 +0100)]
lib: Remove unused asprintf_strupper_m()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 16 Jan 2022 20:21:00 +0000 (21:21 +0100)]
winbindd: Replace asprintf() with talloc_asprintf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 16 Jan 2022 20:16:02 +0000 (21:16 +0100)]
libads: Convert sitename_key() to talloc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 16 Jan 2022 19:51:51 +0000 (20:51 +0100)]
net: Align a few integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 16 Jan 2022 19:14:56 +0000 (20:14 +0100)]
libsmb: Avoid a cast
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 2 Jan 2022 18:33:07 +0000 (19:33 +0100)]
smbd: Align a few integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 8 Jan 2022 15:36:51 +0000 (16:36 +0100)]
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 8 Jan 2022 15:29:58 +0000 (16:29 +0100)]
torture3: Align two integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 4 Jan 2022 12:02:25 +0000 (13:02 +0100)]
rpc_host: We have tevent_req_oom() for ENOMEM
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 3 Jan 2022 12:33:22 +0000 (13:33 +0100)]
lib: Remove unused tstream_npa_socketpair()
This was used in the pre samba-dcerpcd source3 rpc server.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 12 Jan 2022 11:19:00 +0000 (12:19 +0100)]
lib: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 12 Jan 2022 11:15:08 +0000 (12:15 +0100)]
lib: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 12 Jan 2022 11:12:50 +0000 (12:12 +0100)]
smbd: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 12 Jan 2022 11:09:51 +0000 (12:09 +0100)]
printing: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 11 Jan 2022 15:54:05 +0000 (10:54 -0500)]
profile3: remove an unused include
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 23 Dec 2021 21:44:10 +0000 (22:44 +0100)]
s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Jan 17 20:55:41 UTC 2022 on sn-devel-184
Stefan Metzmacher [Thu, 23 Dec 2021 21:53:13 +0000 (22:53 +0100)]
s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Stefan Metzmacher [Fri, 24 Dec 2021 14:21:21 +0000 (15:21 +0100)]
s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions
We should return an error instead of crashing for tickets without a PAC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 23 Dec 2021 18:29:06 +0000 (19:29 +0100)]
s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Thu, 30 Dec 2021 03:20:46 +0000 (16:20 +1300)]
kdc: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 23 Dec 2021 02:59:21 +0000 (15:59 +1300)]
tests/krb5: Update supported enctype checking
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 29 Dec 2021 04:35:09 +0000 (17:35 +1300)]
tests/krb5: Add AS-REQ PAC tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 29 Nov 2021 20:45:13 +0000 (09:45 +1300)]
tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 29 Nov 2021 20:42:10 +0000 (09:42 +1300)]
tests/krb5: Add FAST enc-pa-rep tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 16 Dec 2021 01:21:18 +0000 (14:21 +1300)]
tests/krb5: Adjust expected error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 15 Dec 2021 21:18:42 +0000 (10:18 +1300)]
tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
This helps to avoid problems with account creation due to UPN uniqueness
constraints.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 22 Dec 2021 03:08:43 +0000 (16:08 +1300)]
s4:torture: Remove netbios realm and lowercase realm tests
Tests for these are already present in
samba.tests.krb5.as_canonicalization_tests. These tests cause problems
with an upgraded Heimdal version, and we want to stop supporting
non-canonical realm names, so this commit removes them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 16 Dec 2021 08:06:55 +0000 (21:06 +1300)]
s4:torture: Make etype list variables static
If they are not made static, these variables end up being used by the
Kerberos libraries after they have gone out of scope.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
David Disseldorp [Fri, 14 Jan 2022 09:38:40 +0000 (10:38 +0100)]
build: reduce printf() calls in generated build_options.c
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit addresses (2), modifying write_build_options_header() and
write_build_options_footer(). write_build_options_section() could also
be collapsed into a single output() call, but this may lead to oversize
string literals, so has been left as is.
I observe no change in smbd --build-options output.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Jan 17 13:17:53 UTC 2022 on sn-devel-184
David Disseldorp [Fri, 14 Jan 2022 09:38:40 +0000 (10:38 +0100)]
build: reduce fp.write calls for build_options.c generation
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit reduces fp.write() calls for (1). I observe no change in the
generated build_options.c .
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Thu, 13 Jan 2022 14:31:33 +0000 (15:31 +0100)]
s3:smbd: handle --build-options without parsing smb.conf
The smb.conf is parsed in post mode of a popt callback. The smbd
--build-options parameter should be handled when first encountered
to avoid requiring smb.conf presence.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14945
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Martin Schwenke [Fri, 14 Jan 2022 02:39:34 +0000 (13:39 +1100)]
WHATSNEW: Document CTDB leader and cluster lock changes
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jan 17 11:16:14 UTC 2022 on sn-devel-184
Martin Schwenke [Mon, 10 Jan 2022 02:41:31 +0000 (13:41 +1100)]
ctdb-doc: Remove documentation for recovery process
This is many years out of date and recent changes make it worse. It
is unlikely that anyone has the time to fix this in the near future,
so remove it because it is misleading.
Database recovery steps are well documented in comments in the
recovery helper. Cluster monitoring documentation can be re-added
when things stop changing.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sun, 16 Jan 2022 22:16:17 +0000 (09:16 +1100)]
ctdb-doc: Update example configuration migration script
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 14 Jan 2022 12:09:38 +0000 (23:09 +1100)]
ctdb-tests: Improve test coverage for leader role yield and elections
Rename test, clean up node selection. Duplicate for for banning and
removing leader capability cases. Repeat all 3 tests without cluster
lock.
All of the standard election triggers are now tested, with and without
cluster lock. Due to test cluster configuration limitations, the
tests without cluster lock are skipped on a real cluster.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 14 Jan 2022 02:59:25 +0000 (13:59 +1100)]
ctdb-tests: Support commenting out local daemons configuration options
Can be used to disable default options, such as cluster lock.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 15 Jan 2022 02:02:02 +0000 (13:02 +1100)]
ctdb-config: Add configuration option [cluster] leader timeout
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 10 Jan 2022 03:15:25 +0000 (14:15 +1100)]
ctdb-config: [legacy] recmaster capability -> [cluster] leader capability
Rename this configuration item and move it into the [cluster]
configuration section.
Update documentation to match.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 10 Jan 2022 08:18:14 +0000 (19:18 +1100)]
ctdb-config: [cluster] recovery lock -> [cluster] cluster lock
Retain "recovery lock" and mark as deprecated for backward
compatibility.
Some documentation is still inconsistent.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 10 Jan 2022 03:18:32 +0000 (14:18 +1100)]
ctdb-doc: Update documentation for leader and cluster lock
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 18 Mar 2020 04:14:39 +0000 (15:14 +1100)]
ctdb-recoverd: Use race for cluster lock as election when lock is enabled
If the cluster is partitioned then nodes in one partition can not take
the lock anyway, so election is pointless. It just introduces
unnecessary corner cases.
Instead just race for the lock.
When a node notices a lack of leader and notifies other nodes of an
election via an unknown leader broadcast, the cluster lock election is
hooked into this broadcast.
The test needs to be updated because losing the cluster lock can now
result in a leadership change.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 14:19:38 +0000 (00:19 +1000)]
ctdb-protocol: Mark {GET,SET}_RECMASTER controls obsolete
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 14:10:22 +0000 (00:10 +1000)]
ctdb-protocol: Drop marshalling for {GET,SET}_RECMASTER controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 14:01:05 +0000 (00:01 +1000)]
ctdb-daemon: Drop implementation of {GET,SET}_RECMASTER controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:58:38 +0000 (23:58 +1000)]
ctdb-protocol: Drop protocol client functions for recmaster controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:56:10 +0000 (23:56 +1000)]
ctdb-client: Drop unused recmaster functions
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:52:05 +0000 (23:52 +1000)]
ctdb-daemon: Drop unused old client recmaster functions
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:26:41 +0000 (23:26 +1000)]
ctdb-recoverd: Drop calls to ctdb_ctrl_setrecmaster()
Nothing fetches this value anymore.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:25:34 +0000 (23:25 +1000)]
ctdb-recoverd: Drop recovery master verification
This doesn't make sense if leader broadcasts are used.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 10 Jan 2022 02:22:19 +0000 (13:22 +1100)]
ctdb-tools: recovery master -> leader
The following command names are changed:
recmaster -> leader
setrecmasterrole -> setleaderrole
Command output changed for the following commands:
status
getcapabilities
Documentation and tests are updated to reflect these changes.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 19 Mar 2020 06:14:10 +0000 (17:14 +1100)]
ctdb-tools: Use leader broadcast in get_leader()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 19 Mar 2020 06:30:24 +0000 (17:30 +1100)]
ctdb-tools: Factor out get_leader()
This seems pointless but it localises a subsequent change and also
starts a terminology change in the tool code.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 May 2020 07:56:22 +0000 (17:56 +1000)]
ctdb-tools: Handle leader broadcasts in ctdb tool
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 18 Mar 2020 23:46:25 +0000 (10:46 +1100)]
ctdb-tools: Print "UNKNOWN" when leader PNN is unknown
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 May 2020 09:01:09 +0000 (19:01 +1000)]
ctdb-client: Factor out function ctdb_client_wait_func_timeout()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 14 Jan 2022 10:47:52 +0000 (21:47 +1100)]
ctdb-tests: Factor out getting leader and waiting for leader change
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 5 May 2020 13:02:03 +0000 (23:02 +1000)]
ctdb-tests: Add leader broadcasts to fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Tue, 5 May 2020 06:53:39 +0000 (16:53 +1000)]
ctdb-tests: Implement srvid_handler for dispatching messages
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Martin Schwenke [Tue, 17 Mar 2020 06:10:20 +0000 (17:10 +1100)]
ctdb-recoverd: Simplify some stopped/banned checks to inactive checks
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 May 2020 07:45:51 +0000 (17:45 +1000)]
ctdb-recoverd: No longer take cluster lock during recovery
Confirm instead that it is already held.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 10 Dec 2021 00:43:10 +0000 (11:43 +1100)]
ctdb-recoverd: Add and use function cluster_lock_enabled()
Now all references to ctdb->recovery_lock are encapsulated in the
cluster lock code.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 10 Dec 2021 00:29:06 +0000 (11:29 +1100)]
ctdb-recoverd: Terminology change: recovery lock -> cluster lock
No functional changes, just name changes for clarity.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 20 Sep 2018 04:13:58 +0000 (14:13 +1000)]
ctdb-recoverd: Take cluster lock when election completes
It is no longer just a recovery lock but is always held by the cluster
leader.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 20 Sep 2018 02:30:58 +0000 (12:30 +1000)]
ctdb-recoverd: Factor out function cluster_lock_take()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 17 Mar 2020 06:58:02 +0000 (17:58 +1100)]
ctdb-tests: Avoid a race
See the comment in the code for details.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 7 Dec 2021 06:00:36 +0000 (17:00 +1100)]
ctdb-tests: Setup cluster with expected arguments
ctdb_test_init() doesn't actually pass arguments to local_daemons.sh.
This needs to be done using ctdb_nodes_start_custom().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 17 Dec 2021 01:54:23 +0000 (12:54 +1100)]
ctdb-recoverd: Drop leader validation
The introduction of the leader broadcast timeout provides an
alternative to the current leader validation. Using the leader
broadcast may not be as fast but it is more correct.
When the leader node is stopped or banned, the only way of triggering
an election is currently to fetch the leader's node map to check
whether the it is still active. This is because the leader will no
longer push the node map to other nodes. However, having all nodes
fetch the node map from an inactive leader may be unreliable.
Most of the other cases are also handled more reliably by the leader
broadcast timeout.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 6 Jan 2022 03:47:45 +0000 (14:47 +1100)]
ctdb-recoverd: Drop special case for elected-before-connected
This no longer occurs at startup due to the leader broadcast timeout.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 17 Dec 2021 03:42:47 +0000 (14:42 +1100)]
ctdb-recoverd: Handle leader broadcast timeout
If no leader broadcasts have been received from the leader for more
than 5s then trigger an election.
Apart from being sane behaviour, this avoids elected-before-connected
bugs at startup, where a node elects itself leader before it is
connected to other nodes.
When a node processes a leader broadcast timeout it sends an unknown
leader broadcast to all nodes. That causes cancellation of the leader
broadcast timeout across the cluster. This is particular important at
startup, since nodes may be started in a staggered fashion. Without
this cluster-wide cancellation, a node might notice the lack of
leader, win an election and complete a recovery before other nodes
notice the lack of leader. When the leader broadcast timeout finally
occurs on the other nodes then they'll put the cluster back into an
unnecessary recovery.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 16 Mar 2020 05:16:44 +0000 (16:16 +1100)]
ctdb-recoverd: Send leader broadcasts
These are triggered on 1 second timer, but are only sent if the node
is the current leader and there is no election underway.
If this node can not be the leader then ensure it releases the
recovery lock.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>