Kamen Mazdrashki [Fri, 23 Oct 2009 21:02:24 +0000 (00:02 +0300)]
s4/drs: Fix memory leak in prefixMap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Kamen Mazdrashki [Fri, 23 Oct 2009 21:02:02 +0000 (00:02 +0300)]
s4/ldb: Fix double allocation for "ldb_url"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 4 Nov 2009 10:12:17 +0000 (11:12 +0100)]
s4:torture/drs: move intern/ => unit/
metze
Günther Deschner [Fri, 6 Nov 2009 12:48:23 +0000 (13:48 +0100)]
Revert "s3-kerberos: add smb_krb5_parse_name_flags()."
This reverts commit 17ef153b68795fec681f9ce17c198236aba2b1c2.
Günther Deschner [Thu, 5 Nov 2009 18:10:55 +0000 (19:10 +0100)]
s3-kerberos: support S4U2SELF impersonation through cli_krb5_get_ticket().
Guenther
Günther Deschner [Thu, 5 Nov 2009 16:49:00 +0000 (17:49 +0100)]
s3-kerberos: use smb_krb5_get_credentials in ads_krb5_mk_req.
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:29:22 +0000 (17:29 +0200)]
s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
Guenther
Günther Deschner [Fri, 6 Nov 2009 11:51:29 +0000 (12:51 +0100)]
s3-net: better use memory credential cache in net_ads_kerberos_pac().
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:28:39 +0000 (17:28 +0200)]
s3-net: allow to call "net ads kerberos pac <impersonation principal> -P".
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:27:21 +0000 (17:27 +0200)]
s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:25:35 +0000 (17:25 +0200)]
s3-kerberos: add smb_krb5_get_tkt_from_creds().
Guenther
Günther Deschner [Fri, 6 Nov 2009 09:25:53 +0000 (10:25 +0100)]
s3-kerberos: fix some build warnings when building against heimdal.
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:22:37 +0000 (17:22 +0200)]
s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:27:43 +0000 (17:27 +0200)]
s3-kerberos: remove duplicate prototype.
Guenther
Günther Deschner [Thu, 5 Nov 2009 18:02:55 +0000 (19:02 +0100)]
s3-kerberos: add smb_krb5_parse_name_flags().
Guenther
Günther Deschner [Mon, 13 Oct 2008 15:21:22 +0000 (17:21 +0200)]
s3-kerberos: add configure checks for krb5_get_creds_X api.
Guenther
Jeremy Allison [Fri, 6 Nov 2009 06:58:12 +0000 (22:58 -0800)]
Got the logic simplification worked out so we still pass
BASE-DELAYWRITE and also RAW-CLOSE.
Jeremy.
Jeremy Allison [Fri, 6 Nov 2009 05:27:25 +0000 (21:27 -0800)]
Revert commit "0551284dc08eb93ef7b2b2227a45e5ec21d482fb" - simplify
the logic. This was incorrect (I'll revisit this tomorrow).
Jeremy.
Jeremy Allison [Fri, 6 Nov 2009 01:43:33 +0000 (17:43 -0800)]
Remove the smbd:writetimeupdatedelay change Metze added. Metze please
explain why you added this. Change --maximum-runtime=900 for smbtorture4
with BASE-DELAYWRITE. Should allow it to successfully complete now.
Jeremy.
Jeremy Allison [Fri, 6 Nov 2009 01:40:01 +0000 (17:40 -0800)]
Simplify the logic - remove extraneous argument and calls to set_close_write_time().
We were treating a file time set on close as a sticky write time set, and I don't
think it is. I will add a torture test later to RAW-CLOSE to confirm this.
Jeremy.
Jeremy Allison [Fri, 6 Nov 2009 01:12:11 +0000 (17:12 -0800)]
Fix explicit set of write time on close.
Jeremy.
Jeremy Allison [Fri, 6 Nov 2009 00:20:11 +0000 (16:20 -0800)]
Get closer to an accurate model of Windows timestamp changes.
"Normal" non truncate writes always cause the timestamp to
be set on close. Once a close is done on a handle this can
reset the sticky write time to current time also.
Updated smbtorture4 confirms this.
Jeremy.
Jeremy Allison [Thu, 5 Nov 2009 23:37:26 +0000 (15:37 -0800)]
Fix up some of the timing constants for DELAYWRITE. Add some extra tests up test_delayed_write_update6
to investigate what happens to a sticky write handle after a second handle close.
Jeremy.
Zahari Zahariev [Thu, 5 Nov 2009 15:40:54 +0000 (17:40 +0200)]
Python tests for the acl module.
Signed-off-by: Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Author: Zahari Zahariev <zahari.zahariev@postpath.com>
Nadezhda Ivanova [Thu, 5 Nov 2009 15:34:12 +0000 (17:34 +0200)]
Version 1.0 of the directory service acls module.
At this point, support for checks on LDAP add, delete, rename and modify.
Old kludge_acl is still there to handle the searches.
This module is synchronous as the async version was impossible to debug,
will be converted to async after some user testing.
Volker Lendecke [Thu, 5 Nov 2009 14:06:21 +0000 (15:06 +0100)]
s3: Fix a crash in notify_remove_onelevel when "change notify = no"
Volker Lendecke [Thu, 5 Nov 2009 13:29:05 +0000 (14:29 +0100)]
s3: Fix the talloc hierarchy in notify_remove_onelevel
We want to free the record early, not when talloc_tos() is free'ed.
Matthias Dieter Wallnöfer [Thu, 5 Nov 2009 11:37:16 +0000 (12:37 +0100)]
s4:torture/rpc/samr - Add a comment for "ValidatePassword" test
Matthias Dieter Wallnöfer [Wed, 4 Nov 2009 11:02:02 +0000 (12:02 +0100)]
s4:dcesrv_samr - Implement "dcesrv_samr_ValidatePassword" using my new check password call
This implements a very basic method for password validation using my new
"samdb_check_password" call.
Matthias Dieter Wallnöfer [Sat, 24 Oct 2009 18:21:04 +0000 (20:21 +0200)]
s4:dsdb/common/util - Add a new utility function "samdb_check_password"
This function performs basic password checks and will be used by the
"samrValidatePassword" call and the "password_hash" module.
Matthias Dieter Wallnöfer [Sat, 24 Oct 2009 17:31:01 +0000 (19:31 +0200)]
s4:samdb_set_password/samdb_set_password_sid - Better comments and cosmetics
Volker Lendecke [Tue, 3 Nov 2009 04:41:02 +0000 (05:41 +0100)]
s3: Add parameter "ctdb timeout"
When something in the cluster blocks, it can happen that we wait indefinitely
long for ctdb, just adding to the blocking condition. In theory, nothing should
block, but as someone said "In practice the difference between theory and
practice is larger than in theory". This adds a timeout parameter in seconds,
after which we stop waiting for ctdb and panic.
Matthias Dieter Wallnöfer [Tue, 27 Oct 2009 22:24:46 +0000 (23:24 +0100)]
s4:samdb python bindings - add a wrapper for "dsdb_make_schema_global"
Matthias Dieter Wallnöfer [Tue, 27 Oct 2009 18:52:21 +0000 (19:52 +0100)]
s4:samdb python bindings - make the python wrap connect more like the C one
Add call for setting the create permissions.
Matthias Dieter Wallnöfer [Tue, 27 Oct 2009 18:50:33 +0000 (19:50 +0100)]
s4:samdb python bindings - Reorder some function bodies to match the order in "ldb_wrap_connect"
Stefan Metzmacher [Wed, 4 Nov 2009 18:22:24 +0000 (19:22 +0100)]
s4:kdc: remove unused struct kpasswd_socket
metze
Bo Yang [Fri, 6 Nov 2009 00:20:25 +0000 (08:20 +0800)]
s3: Fix kerberos refresh chain.
Signed-off-by: Bo Yang <boyang@samba.org>
Jeremy Allison [Thu, 5 Nov 2009 00:04:41 +0000 (16:04 -0800)]
Fix debug comment (brain wasn't working...).
Jeremy.
Jeremy Allison [Wed, 4 Nov 2009 23:25:15 +0000 (15:25 -0800)]
Filter the returned DOS attributes by 0xFF for clients
using older protocols (LANMAN2 or below).
Jeremy.
Jeremy Allison [Wed, 4 Nov 2009 23:15:50 +0000 (15:15 -0800)]
Remove "Protocol" as an extern, and add accessor functions.
Jeremy.
Björn Jacke [Wed, 4 Nov 2009 10:15:31 +0000 (11:15 +0100)]
s3: add support for full windows timestamps resolution on files
setting nanosecond timestamps using utimensat() was first supported by Linux
kernel 2.6.22 and glibc 2.6. It's specified in POSIX.1-2008.
This effectively makes us use Windows' full 100ns timestamp resolution -
actually just an improvement from 10^-6 to 10^-7.
For now Linux CIFS vfs will also just be able to make use of 100ns resolution,
not 1ns.
Nadezhda Ivanova [Wed, 4 Nov 2009 13:58:54 +0000 (15:58 +0200)]
Added security descriptor for the domain NC to provisioning.
Necessary for correct descriptor inheritance. Based on the default state
of a single DC. Will be modified later when we support multiple DCs.
Endi S. Dewata [Wed, 4 Nov 2009 01:45:22 +0000 (19:45 -0600)]
s4:provisioning - Fixed minor bugs in provisioning tool and partition module.
Andrew Bartlett [Tue, 3 Nov 2009 03:15:07 +0000 (14:15 +1100)]
libcli/nbt Move more of lmhosts lookup into common code
This aims to eventually share this with Samba4.
Andrew Bartlett
Andrew Bartlett [Mon, 2 Nov 2009 05:39:31 +0000 (16:39 +1100)]
lib/util Fix comments in rfc1738.c.
The Samba version does not use static buffers
Andrew Bartlett
Günther Deschner [Tue, 3 Nov 2009 23:34:29 +0000 (00:34 +0100)]
s3-netlogon: make sure we protect some function codes in _netr_LogonControl2Ex().
Guenther
Günther Deschner [Mon, 19 Oct 2009 09:28:00 +0000 (11:28 +0200)]
s3-netlogon: let s3 pass against RPC-NETLOGON-S3 again.
Guenther
Günther Deschner [Wed, 7 Oct 2009 22:58:02 +0000 (00:58 +0200)]
s3-netlogon: implement _netr_NETLOGON_INFO_4 in netr_LogonControl2Ex() and friends as well.
Guenther
Günther Deschner [Wed, 7 Oct 2009 22:38:53 +0000 (00:38 +0200)]
s3-netlogon: implement remote trust account changing in netr_LogonControl2Ex() and friends.
Guenther
Günther Deschner [Tue, 3 Nov 2009 22:46:26 +0000 (23:46 +0100)]
security: re-run make samba3-idl after IDL change.
Guenther
Günther Deschner [Tue, 3 Nov 2009 10:45:15 +0000 (11:45 +0100)]
s3-lsa: fill in some more info levels in _lsa_QueryInfoPolicy().
Add dummies (just like s4 does) and fill in some more appropriate error codes.
Guenther
Günther Deschner [Tue, 3 Nov 2009 10:46:07 +0000 (11:46 +0100)]
s4-smbtorture: skip three info levels while testing s3 with RPC-LSA.
These are only supported by s3 when running pdb_ads atm.
Guenther
Günther Deschner [Mon, 2 Nov 2009 19:11:14 +0000 (20:11 +0100)]
s4-smbtorture: skip QueryInfoPolicy2 while running RPC-LSA against s3.
This is only supported by s3 when running pdb_ads atm.
Guenther
Günther Deschner [Mon, 2 Nov 2009 15:51:00 +0000 (16:51 +0100)]
s4-smbtorture: skip QueryDomainInformationPolicy test against s3 in RPC-LSA.
Guenther
Günther Deschner [Mon, 2 Nov 2009 18:59:47 +0000 (19:59 +0100)]
s4-smbtorture: simplify some torture_comments in RPC-LSA.
Guenther
Günther Deschner [Fri, 30 Oct 2009 01:15:45 +0000 (02:15 +0100)]
s3-passdb: cleanup some callers of pdb_get_trusteddom_pw().
Guenther
Jeremy Allison [Tue, 3 Nov 2009 19:22:19 +0000 (11:22 -0800)]
Fix debug statements to use correct function name.
Jeremy.
Jeremy Allison [Tue, 3 Nov 2009 19:21:02 +0000 (11:21 -0800)]
requires_resume_key is a bool not int.
Jeremy.
Jeremy Allison [Tue, 3 Nov 2009 19:19:24 +0000 (11:19 -0800)]
Fix more of the RAW-SEARCH test. Older info levels are
not 4 byte aligned (levels 1 - 3).
Jeremy.
Stefan Metzmacher [Tue, 3 Nov 2009 17:06:17 +0000 (18:06 +0100)]
tsocket: rewrite tsocket_guide.txt to reflect the current APIs
metze
Stefan Metzmacher [Tue, 3 Nov 2009 16:23:07 +0000 (17:23 +0100)]
tsocket_bsd: return -1 and set errno to ENAMETOOLONG if the unix path is too long
metze
Stefan Metzmacher [Tue, 3 Nov 2009 16:22:27 +0000 (17:22 +0100)]
tsocket: remove prototype of non-existing tsocket_address_inet_set_broadcast()
metze
Nadezhda Ivanova [Tue, 3 Nov 2009 11:30:06 +0000 (13:30 +0200)]
Fixed some missing flags and bugs in the security creation.
Also, added some logging. It needs improvement, possibly ability to
turn it on and off via configuration file.
Nadezhda Ivanova [Tue, 3 Nov 2009 10:27:43 +0000 (12:27 +0200)]
Fixed a bug in object specific access checks.
Volker Lendecke [Tue, 3 Nov 2009 09:59:18 +0000 (10:59 +0100)]
s3: Remove debug_ctx()
smbd just crashed on me: In a debug message I called a routine preparing a
string that itself used debug_ctx. The outer routine also used it after the
inner routine had returned. It was still referencing the talloc context
that the outer debug_ctx() had given us, which the inner DEBUG had already
freed.
Nadezhda Ivanova [Tue, 3 Nov 2009 09:21:05 +0000 (11:21 +0200)]
Added some dn to the info in the log messages.
Nadezhda Ivanova [Mon, 2 Nov 2009 14:50:28 +0000 (16:50 +0200)]
Removed the default DACL from token, as we will not be using it.
Jeremy Allison [Tue, 3 Nov 2009 00:17:36 +0000 (16:17 -0800)]
Convert from numbers to correct SMB_FIND_XX constant names.
Jeremy.
Michael Adam [Mon, 2 Nov 2009 23:51:27 +0000 (00:51 +0100)]
s3:registry: add an extra check for dsize==0 to regdb_fetch_keys_internal()
Don't only rely on dptr == NULL.
I stumbled over this one when rewriting some of the dbwrap_ctdb code.
Michael
Michael Adam [Mon, 2 Nov 2009 23:47:37 +0000 (00:47 +0100)]
s3:registry: add safety check for return value of tdb_unpack to regdb_fetch_keys_internal()
Prevents segfaults in some situations.
(For a non existent or empty record, we sometimes rely on the fetch operation
to return dsize==0 and sometimes we rely on dptr==NULL.)
Michael
Michael Adam [Sat, 31 Oct 2009 12:16:34 +0000 (13:16 +0100)]
s3:dbwrap_ctdb: add debug message to transaction_fetch_start()
for the case that another local process has started a transaction
between releasing the transaction_lock record and starting the
transaction.
Michael
Michael Adam [Sat, 31 Oct 2009 12:13:04 +0000 (13:13 +0100)]
s3:dbwrap_ctdb: split combined check in two and add descriptive debug
in db_ctdb_transaction_fetch_start() for error conditions when re-fetching
the transaction_lock record inside the transaction
Michael
Michael Adam [Wed, 28 Oct 2009 23:01:45 +0000 (00:01 +0100)]
s3:dbwrap_ctdb: fix race condition with concurrent transactions on the same node.
In ctdb_transaction_commit(), when the trans2_commit control fails, there
is a race condition in the 1 second sleep between the local transaction_cancel
and the call to ctdb_replay_transaction(): The database is not locked, and
neither is the transaction_lock record. So another client can start and possibly
complete a new transaction in this gap, but only on the same node: The locking
of the transaction_lock record on a different node which involves migration of
the record to the other node has been disabled by introduction of the
transaction_active flag on the db which closes precisely this gap from the start
of the commit until the call to TRANS2_FINISH or TRANS2_ERROR.
But this mechanism does not cover the case where a process on the same node
tries to start a transaction: There is no obstacle to locking the transaction_lock
record because the record does not need to be migrated.
This commit closes this race condition in ctdb_transaction_fetch_start()
by using the new ctdb_ctrl_transaction_active() call to ask the local
ctdb daemon whether it has a transaction running on the database.
If so, the check is repeated until the running transaction is done.
This does introduce an additional call to the local ctdbd when starting
transactions, but it does close the (hopefully) last race condition.
Michael
Michael Adam [Wed, 28 Oct 2009 22:56:59 +0000 (23:56 +0100)]
s3:configure: add a check for the new CTDB_CONTROL_TRANS2_ACTIVE
Michael
Michael Adam [Wed, 28 Oct 2009 22:56:03 +0000 (23:56 +0100)]
s3:dbwrap_ctdb: add new db_ctdb_transaction_active() that calls CTDB_CONTROL_TRANS2_COMMIT
Michael
Michael Adam [Wed, 28 Oct 2009 00:54:04 +0000 (01:54 +0100)]
s3:dbwrap_ctdb: fix a race in starting concurrent transactions on a single node
There are two races in concurrent transactions on a single node.
One in starting a transaction and one with replay during commit.
This commit closes the first race by storing the client pid in the
transaction-lock record and comparing the stored pid against its own
pid after releasing the lock and refetching the record inside the
transaction.
Michael
Michael Adam [Wed, 28 Oct 2009 00:50:15 +0000 (01:50 +0100)]
s3:dbwrap_ctdb: use db_ctdb_ltdb_fetch() inside db_ctdb_transaction_fetch_start
Michael
Michael Adam [Wed, 28 Oct 2009 00:28:38 +0000 (01:28 +0100)]
s3:dbwrap_ctdb: use db_ctdb_ltdb_fetch() inside db_ctdb_transaction_fetch()
Michael
Michael Adam [Mon, 2 Nov 2009 23:55:41 +0000 (00:55 +0100)]
s3:dbwrap_ctdb: add a function db_ctdb_ltdb_fetch()
This fetches a record from the db and splits out the ctdb header.
Michael
Michael Adam [Thu, 22 Oct 2009 14:27:45 +0000 (16:27 +0200)]
s3:dbrwap_ctdb: add a function db_ctdb_ltdb_store()
and use it in db_ctdb_store() and db_ctdb_transaction_store().
Michael
Michael Adam [Thu, 22 Oct 2009 12:37:51 +0000 (14:37 +0200)]
s3:dbwrap_ctdb: reformat a comment slightly to enhance clearness.
Michael
Jeremy Allison [Mon, 2 Nov 2009 20:15:25 +0000 (12:15 -0800)]
Fix bug 6867 - trans2findnext returns reply_nterror(req, ntstatus) In a directory with a lot of files.
Jeremy.
Volker Lendecke [Mon, 2 Nov 2009 15:59:15 +0000 (16:59 +0100)]
s3: Fix a 100% CPU loop when ctdbd dies during a traverse
Günther Deschner [Mon, 2 Nov 2009 12:01:58 +0000 (13:01 +0100)]
s3-gencache: restore gencache_get behavior with NULL args (with torture test).
Without this, we panic in wins_srv_is_dead() and fail to start nmbd with
wins support.
Volker, please check.
Guenther
Volker Lendecke [Mon, 2 Nov 2009 09:05:38 +0000 (10:05 +0100)]
s3: Make "debug hires timestamp" default to true
It does not cost much and can help a lot when debugging
Andrew Bartlett [Fri, 30 Oct 2009 12:45:21 +0000 (23:45 +1100)]
s4:dsdb Fix up after the MAP_ constants became LDB_MAP_
Andrew Bartlett [Fri, 30 Oct 2009 12:42:03 +0000 (23:42 +1100)]
s4:provision Remove LDB backend files in provision
Rather than try and remove the records in the LDB files, make the
provision remove the whole file. This also removes the need to try
and carry forward the old ldb filenames.
Andrew Bartlett
Andrew Bartlett [Fri, 30 Oct 2009 04:18:42 +0000 (15:18 +1100)]
s4:provision Split ProvisionBackend out of the main provision script
This splits the code, while keeping the original behaviour. The
provision.py file had become just too long.
Andrew Bartlett
Andrew Bartlett [Fri, 30 Oct 2009 03:54:21 +0000 (14:54 +1100)]
s4:provision Inline 'ldap_backend_shutdown' for clarity
Andrew Bartlett [Fri, 30 Oct 2009 03:51:57 +0000 (14:51 +1100)]
s4:provision Fix samdb test with new provision code
Andrew Bartlett [Fri, 30 Oct 2009 03:31:25 +0000 (14:31 +1100)]
s4:provision Move 'Schema' into its own file
Andrew Bartlett [Fri, 30 Oct 2009 03:05:21 +0000 (14:05 +1100)]
s4:provision Make 'linked_attributes' and 'dnsyntax_attributes' a property of the Schema
Andrew Bartlett [Fri, 30 Oct 2009 02:16:10 +0000 (13:16 +1100)]
s4:provision Rework provision to always have a ProvisionBackend
Rather than treat the LDAP backend as a special case, treat all
backends the same, with different callbacks.
Andrew Bartlett
Endi S. Dewata [Wed, 28 Oct 2009 20:28:31 +0000 (15:28 -0500)]
s4 - SID allocation using FDS DNA plugin
Endi S. Dewata [Tue, 27 Oct 2009 19:59:28 +0000 (14:59 -0500)]
s4:dsdb - Removed redundant domain SID filter.
Endi S. Dewata [Sat, 24 Oct 2009 03:59:48 +0000 (22:59 -0500)]
s4:dsdb - Store SID as string in FDS.
Endi S. Dewata [Sat, 24 Oct 2009 01:09:07 +0000 (20:09 -0500)]
s4 - Mapped AD schema to existing FDS schema.
Endi S. Dewata [Wed, 21 Oct 2009 21:02:18 +0000 (16:02 -0500)]
s4:dsdb - Fixed attribute dereferencing for FDS
Andrew Bartlett [Thu, 29 Oct 2009 22:03:10 +0000 (09:03 +1100)]
Remove special case logic in 'samdb_relative_path'.
While this logic (avoiding to prefix a non-filename with a path) is
important in the code this was copied from (private_dir()), none of
the callers of this function need it.
Andrew Bartlett
Andrew Bartlett [Thu, 29 Oct 2009 22:00:13 +0000 (09:00 +1100)]
s4:dsdb Revert back to using DN:filename in the partitions record
This allows us to change the escaping function without breaking
existing installs. The new escaping function (used for new databases)
is RFC1738 URI encoding, except for the trivial cases without special
characters.
The new databases are also placed in a subdirectory, sam.ldb.d per an
earlier suggestion by metze.
Andrew Bartlett