Douglas Bagnall [Wed, 17 May 2017 00:00:55 +0000 (12:00 +1200)]
ldb: fix whitespace in ldb_msg.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 30 May 2017 14:30:33 +0000 (16:30 +0200)]
libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
Volker Lendecke [Wed, 14 Jun 2017 11:57:56 +0000 (13:57 +0200)]
g_lock: open with LOCK_ORDER_3
xattr_tdb needs g_lock in a clustered environment. Nobody else
uses LOCK_ORDER_3 at this moment, so this looks safe.
The last one to use this was dbwrap_watch.tdb, and that's gone. The only
other one was notify_index.tdb, and that's gone too.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 22 May 2017 14:00:08 +0000 (16:00 +0200)]
smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.
At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 May 2017 08:48:15 +0000 (10:48 +0200)]
torture3: Test heuristic cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 22 May 2017 15:05:57 +0000 (17:05 +0200)]
g_lock: Heuristically check for server existence
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 21 May 2017 06:56:01 +0000 (08:56 +0200)]
torture3: Test lock conflict and cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 15:02:08 +0000 (17:02 +0200)]
torture3: Test lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 14:57:00 +0000 (16:57 +0200)]
g_lock: Allow lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 14:59:06 +0000 (16:59 +0200)]
torture3: Test g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 13:27:46 +0000 (15:27 +0200)]
g_lock: Make g_lock_dump return a complete list of locks
To be honest, it did not really make sense to just pass in
lock holders individually. You could argue that it made sense
with in reality only G_LOCK_WRITE around, but soon we will have
G_LOCK_READ and thus multiple lock holders on a single lock.
Now that we also have userdata, change the g_lock_dump API
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 23 May 2017 10:32:24 +0000 (12:32 +0200)]
g_lock: Add g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 14:22:15 +0000 (16:22 +0200)]
g_lock: Make g_lock_record_store also store userdata
Sequel to the previous commit changing the get/put routines for
the on-disk format
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 11:59:20 +0000 (13:59 +0200)]
g_lock: Reformat to allow userdata
The next patches will make g_locks carry data. This
prepares the on-disk format.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 08:37:30 +0000 (10:37 +0200)]
g_lock: Move parsing routines together
No code change, just shuffling around:
Before this patchset, g_lock_parse was somewhere in the middle. This carries no
real logic, put it on top.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: unparse->put
Make it more in line with server_id_get/put
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: parse->get
Make it more in line with server_id_get/put
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:43:01 +0000 (16:43 +0200)]
g_lock: Remove a pointless "else"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:40:45 +0000 (16:40 +0200)]
g_lock: Remove unused g_lock_get
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 03:52:56 +0000 (05:52 +0200)]
g_lock: Make it endian-neutral
Add explicit parsing
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 03:54:36 +0000 (05:54 +0200)]
g_lock: More correct error msg
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 16 May 2017 13:05:49 +0000 (15:05 +0200)]
torture3: Initial test g_lock
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 24 May 2017 11:27:18 +0000 (13:27 +0200)]
g_lock: Fix two typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 11:15:27 +0000 (13:15 +0200)]
s4:ldap_server: implement async BindSASL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 12 May 2017 10:41:13 +0000 (12:41 +0200)]
s4:ldap_server: set result = LDAP_SUCCESS at the end, when we're really done
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:38:59 +0000 (12:38 +0200)]
s4:ldap_server: avoid using talloc_reference()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:31:25 +0000 (12:31 +0200)]
s4:ldap_server: remove useless NT_STATUS_IS_OK(status) check
We checked a few lines above already, check with:
git show -U10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level arround ldapsrv_backend_Init()
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level arround gensec_session_info()
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:26:12 +0000 (12:26 +0200)]
s4:ldap_server: make the gensec_create_tstream() error checking more clear
Check with 'git show -w'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 13:28:53 +0000 (15:28 +0200)]
s4:ldap_server: only touch conn->session_info on success in ldapsrv_BindSASL()
The old conn->session_info (as well as conn->ldb) should only be changed
after a successful Bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:09:38 +0000 (12:09 +0200)]
s4:ldap_server: terminate the connection if talloc_reference fails
talloc_reference will be removed completely in the next commits...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:07:31 +0000 (12:07 +0200)]
s4:ldap_server: remove pointless (result != LDAP_SUCCESS) check
We set result = LDAP_SUCCESS above and have goto do_reply;
in all cases where we overwrite 'result'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:04:59 +0000 (12:04 +0200)]
s4:ldap_server: do the transport validation before calling gensec_create_tstream()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:18:07 +0000 (21:18 +0200)]
s4:ldap_server: use talloc_zero for ldapsrv_sasl_postprocess_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:17:40 +0000 (21:17 +0200)]
s4:ldap_server: drop the connection if we fail to allocate ldapsrv_sasl_postprocess_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:14:00 +0000 (21:14 +0200)]
s4:ldap_server: only set *resp->SASL.secblob = output for OK or MORE_PROCESSING_REQUIRED
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:11:00 +0000 (21:11 +0200)]
s4:ldap_server: remove indentation level for the valid credential case
Check with git show -w.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:44:05 +0000 (12:44 +0200)]
s4:ldap_server: make sure we destroy the gensec context on error
If the client tries a new bind we need to start with a fresh context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 14:04:02 +0000 (16:04 +0200)]
s4:ldap_server: avoid pointless check arround LDAP_INVALID_CREDENTIALS
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:09:08 +0000 (21:09 +0200)]
s4:ldap_server: move invalid credential handling before the success handling.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:13:49 +0000 (19:13 +0200)]
s4:ldap_server: remove an useless indentation level from gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:11:43 +0000 (19:11 +0200)]
s4:ldap_server: always allocate resp->SASL.secblob
The code path with resp->SASL.secblob = NULL was completely untested
(and wrong) as ldapsrv_setup_gensec() is very unlikely to ever fail.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:04:27 +0000 (19:04 +0200)]
s4:ldap_server: add use goto do_reply; to make the logic in ldapsrv_BindSASL() more sane
The following patches will simplify the logic by avoiding else branches
by using early returns.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 16:53:06 +0000 (18:53 +0200)]
s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 16:04:15 +0000 (18:04 +0200)]
s4:ldap_server: implement async BindSimple
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 15:05:02 +0000 (17:05 +0200)]
s4:auth: add authenticate_ldap_simple_bind_send/recv
TODO: we need to make the backend async.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 13:02:41 +0000 (15:02 +0200)]
s4:ldap_server: improve ldapsrv_UnbindRequest implementation
We should abandon outstanding requests and disconnect the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 14:51:15 +0000 (16:51 +0200)]
s4:ldap_server: add call->wait_send/recv infrastructure
If it is set by the dispatch functions, the core server
will use call->wait_send() and wait for it to finally
return frim call->wait_recv() before it asks for the
next incoming pdu.
This can be used to implement bind as async operations.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 13 May 2017 06:20:00 +0000 (08:20 +0200)]
s4:ldap_server: don't log Unbind and Abandon requests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 14:37:21 +0000 (16:37 +0200)]
s4:ldap_server: introduce a ldapsrv_call_destructor()
This makes sure that a call doesn't become an stale
member of the conn->pending_calls list.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:07:04 +0000 (19:07 +0200)]
s4:ldap_server: use talloc_zero() in ldapsrv_init_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 20 Dec 2013 07:52:52 +0000 (08:52 +0100)]
s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.
This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.
This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 16 Nov 2016 01:44:40 +0000 (14:44 +1300)]
repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server
Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144
Andrew Bartlett [Wed, 14 Jun 2017 02:13:18 +0000 (14:13 +1200)]
dsdb: Improve debug messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 14 Jun 2017 01:12:32 +0000 (13:12 +1200)]
dsdb: Ensure replication of renames works in schema partition
This caused failures against vampire_dc (on large-dc), likely due to
more frequent replication propagating the record before it was renamed.
The DC ran out of RIDs and RID allocation causes schema replication,
which failed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12841
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Jun 2017 23:20:58 +0000 (11:20 +1200)]
selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
This ensures that object is not cleaned up, triggering a disconnect before we get back
the audit messages. Otherwise they can be lost when the server task calls exit()
while the message thread is still trying to send them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Fri, 9 Jun 2017 02:13:25 +0000 (14:13 +1200)]
stream_terminate_connection: Prevent use-after-free
This sometimes would show up as corrupted bytes during logs. Hammering
the LDAP server enough times managed to trigger an outright segfault.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 12 Jun 2017 02:27:53 +0000 (14:27 +1200)]
selftest: Add test for gss_krb5/ntlmssp -> SPNEGO
These bare mechs are permitted to go direct to SPNEGO, which must cope with them
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Jun 2017 02:12:53 +0000 (14:12 +1200)]
selftest: Add pygensec tests for GSS-SPNEGO and Win2000 emulated SPNEGO
This is to provide some unit testing coverage for these different modes of operation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 6 Jun 2017 23:47:15 +0000 (11:47 +1200)]
selftest: Add a test for @ATTRIBUTES and @INDEXLIST generation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 30 May 2017 22:44:34 +0000 (10:44 +1200)]
ldb: Rename module -> next_module for clarity
This helps make some future commits less confusing
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 31 May 2017 00:22:28 +0000 (12:22 +1200)]
dsdb: Correctly call ldb_module_done in dsdb_notification
If we just call ldb_request_done() then we never call the callback.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Stefan Metzmacher [Tue, 11 Apr 2017 15:21:20 +0000 (17:21 +0200)]
tdb: add run-fcntl-deadlock test
This verifies the F_RDLCK => F_WRLCK upgrade logic in the kernel
for conflicting locks.
This is a standalone test to check the traverse_read vs.
allrecord_lock/prepare_commit interaction.
This is based on the example from
https://lists.samba.org/archive/samba-technical/2017-April/119861.html
from Douglas Bagnall <douglas.bagnall@catalyst.net.nz> and Volker Lendecke <vl@samba.org>.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Jun 2017 02:15:19 +0000 (14:15 +1200)]
ldb_tdb: Improve logging on unique index violation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Jun 2017 02:09:30 +0000 (14:09 +1200)]
ldb_tdb: Remove the idxptr DB before we re-index
We do not want the cache or any of the values in it, we want to read the real DB
@INDEX: records.
This matters if a re-index is tiggered in the same transaction
as the modify of the values in the index. Otherwise we won't see
the old index record (it will not show up in the tdb_traverse)
and so fail to remove it.
That in turn can cause a spurious unqiue index violation.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Jun 2017 02:07:40 +0000 (14:07 +1200)]
ldb_tdb: Check for memory allocation failure in ltdb_index_transaction_start()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Jun 2017 00:06:37 +0000 (12:06 +1200)]
dsdb: Provide proper errors when dsdb_schema_set_indices_and_attributes fails
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Stefan Metzmacher [Sat, 10 Jun 2017 10:29:47 +0000 (12:29 +0200)]
selftest: pass the workgroup name to Samba3::provision()
Not all environments should use the samba workgroup name.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 14 02:53:27 CEST 2017 on sn-devel-144
Stefan Metzmacher [Mon, 12 Jun 2017 14:02:32 +0000 (16:02 +0200)]
testprogs/blackbox: don't use hardcoded values in test_net_ads_dns.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 11 Jun 2017 21:40:34 +0000 (23:40 +0200)]
s3:script/tests: don't use hardcoded Domain Name in test_smbclient_s3.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Jun 2017 12:53:40 +0000 (14:53 +0200)]
selftest: don't use hardcoded domain names in Samba3::setup_admember()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Jun 2017 13:45:25 +0000 (15:45 +0200)]
selftest: test pam_winbind with a local user on ad_member
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Jun 2017 13:15:15 +0000 (15:15 +0200)]
selftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the pam_winbind test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Jun 2017 12:52:59 +0000 (14:52 +0200)]
python/samba/tests: don't use hardcoded names in *pam_winbind* tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lumir Balhar [Thu, 20 Apr 2017 13:11:58 +0000 (15:11 +0200)]
python: Port simple libpython module to Python 3 compatible form
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 09:59:30 +0000 (11:59 +0200)]
WHATSNEW: deprecated "profile acls"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 13 22:45:28 CEST 2017 on sn-devel-144
Stefan Metzmacher [Tue, 13 Jun 2017 09:59:30 +0000 (11:59 +0200)]
docs-xml/smbdotconf: deprecated "profile acls"
This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.
Typically something like this seems to work:
[winprofiles]
comment = Users profiles New
path = /data/winprofiles/
browseable = No
read only = No
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
With chmod 1777 on /data/winprofiles/
In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833
It's also useful to something like this in the global
section in order to detect disconnects reliable:
socket options = TCP_KEEPCNT=5 TCP_KEEPIDLE=30 TCP_KEEPINTVL=1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Gary Lockyer [Thu, 1 Jun 2017 01:26:38 +0000 (13:26 +1200)]
strerror_r: provide XSI-compliant strerror_r
Provide a XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.
This reverts
18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to
make Heimdal use roken, rather than libreplace for strerror_r.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Amitay Isaacs [Thu, 8 Jun 2017 08:22:17 +0000 (18:22 +1000)]
ctdb-recovery: Log messages at various debug levels
This avoids spamming the logs during recovery at NOTICE level.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 13 13:22:09 CEST 2017 on sn-devel-144
Martin Schwenke [Fri, 9 Jun 2017 04:34:56 +0000 (14:34 +1000)]
ctdb-scripts: Compact server-end TCP connection killing output
When thousands of connections are being killed the logs are flooded
with information about connections that should be killed. When some
connections are not killed then the number not killed is printed.
This is the wrong way around! When debugging "fail-back" problems, it
is important to know details of connections that were *not* killed.
It is almost never important to know the full list of all connections
that were *supposed* to be killed.
Instead, print a summary showing how many connections of the total
were killed. If any were not killed then print a list of remaining
connections.
Update unit tests: infrastructure for fake TCP connections, existing,
test cases, add new test cases.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 1 Jun 2017 11:13:58 +0000 (21:13 +1000)]
ctdb-common: Log a count of dropped messages with non-blocking logging
The non-blocking logging variants can currently silently drop messages
when the socket queue fills.
In this case, count the number of dropped messages and attempt to log
a message about dropped log messages when the next message is logged.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 9 Jun 2017 00:57:28 +0000 (10:57 +1000)]
ctdb-tests: Add more NFS eventscript tests for call-out failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 8 Jun 2017 04:45:43 +0000 (14:45 +1000)]
ctdb-scripts: NFS call-out failures should cause event failure
Failures in startup/shutdown/releaseip/takeip are currently
incorrectly ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Guillaume Xavier Taillon [Mon, 22 Feb 2016 19:46:24 +0000 (14:46 -0500)]
libbreplace: compatibility fix for AIX
Adds macros for preprocessor compares and replaces an incomptatible
compare with one of the new macros.
This fixes a comptability bug on AIX.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11621
Signed-off-by: Guillaume Xavier Taillon <gtaillon@ca.ibm.com>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Jun 13 09:11:56 CEST 2017 on sn-devel-144
Volker Lendecke [Fri, 2 Jun 2017 11:34:39 +0000 (13:34 +0200)]
password_hash: Fix the build on FreeBSD
This ditches a particular aspect of thread safety, but I doubt that
ldb is really thread safe. So in practice, I think we should not
see harm from this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jun 13 05:06:49 CEST 2017 on sn-devel-144
Andrew Bartlett [Fri, 17 Feb 2017 05:23:23 +0000 (18:23 +1300)]
join.py Add DNS records at domain join time
This avoids issues getting replication going after the DC first starts
as the rest of the domain does not have to wait for samba_dnsupdate to
run successfully
We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined:
- We do not want to query another DNS server
- We do not want to obtain a Kerberos ticket for the new DC
(as the KDC we select may not be the DC we just joined,
and so may not be in sync with the password we just set)
- We do not wish to set the _ldap records until we have started
- We do not wish to use NTLM (the --use-samba-tool mode forces
NTLM)
The downside to using DCE/RPC rather than DNS is that these will
be regarded as static entries, and (against windows) have a the ACL
assigned for static entries. However this is still better than no
DNS at all.
Because some tests want a DNS record matching their own name
this fixes some tests and removes entires from knownfail
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144
Andrew Bartlett [Thu, 8 Jun 2017 03:25:23 +0000 (15:25 +1200)]
selftest: Add test confirming join-created DNS entries can be modified as the DC
This ensures that samba_dnsupdate can run in the long term against the new DNS entries
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 1 Jun 2017 05:11:57 +0000 (17:11 +1200)]
selftest: Test join.py and confirm that the DNS record is created
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 6 Jun 2017 03:22:35 +0000 (15:22 +1200)]
provision: Allow removing an existing account when force=True is set
This allows a practical override for use in test scripts
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 6 Jun 2017 03:21:50 +0000 (15:21 +1200)]
provision: Move default handler for site=None down into dc_join object creation
This makes this code easier to call from a test script
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 1 Jun 2017 03:15:25 +0000 (15:15 +1200)]
selftest: Use TestCaseInTempDir as base class in dns tests
This will help when we add a new join test based on this code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 1 Jun 2017 01:26:37 +0000 (13:26 +1200)]
selftest: Create new common base class for dns.py and dns_tkey.py
This will allow more DNS tests to be written in the future with less
code duplication.
Andrew Bartlett [Thu, 8 Jun 2017 22:00:09 +0000 (10:00 +1200)]
selftest: merge DNSTest boilerplate
This will help unifying dns.py and dns_tkey.py to use common subclasses
The code was originally copied, but has since divereged. This handles
that divergence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 31 May 2017 01:57:25 +0000 (13:57 +1200)]
selftest: move make_txt_record() onto self in samba.tests.dns
This will help unifying dns.py and dns_tkey.py to use common subclasses
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 11 Apr 2017 02:23:49 +0000 (14:23 +1200)]
samba_dnsupdate: fix "samba-tool" fallback error handling
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 11 Apr 2017 02:14:15 +0000 (14:14 +1200)]
samba_dnsupdate: Extend possible server list to all NS servers for the zone
This should eventually be removed, but for now this unblocks samba_dnsupdate operation
in existing domains that have lost the original Samba DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 11 Apr 2017 00:43:22 +0000 (12:43 +1200)]
dns_server: clobber MNAME in the SOA
Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour. AD is multi-master so all RW servers are a master.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 8 Jun 2017 04:20:42 +0000 (16:20 +1200)]
selftest: run dns tests in multiple envs
This will let us check the negative behaviour: that updates against RODCs fail
and un-authenticated updates fail.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 8 Jun 2017 03:54:22 +0000 (15:54 +1200)]
selftest: confirm we clobber the MNAME in the SOA query in the DNS server
All RW DCs should be their own master DNS server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>