metze/samba/wip.git
21 months ago  domain_update: Allow the revision version to be set
Garming Sam [Wed, 13 Dec 2017 00:17:32 +0000 (13:17 +1300)]
domain_update: Allow the revision version to be set

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  domain_update: Respect the fix=False flag
Garming Sam [Wed, 13 Dec 2017 00:12:01 +0000 (13:12 +1300)]
domain_update: Respect the fix=False flag

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  domain_update: Create a module to apply domain prep updates
Garming Sam [Tue, 12 Dec 2017 02:53:09 +0000 (15:53 +1300)]
domain_update: Create a module to apply domain prep updates

These updates are referenced in documentation much like our
Forest-Wide-Updates.md file under the same MIT and CC attribution
licenses.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Domain-Wide-Updates.md

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  ms_forest_updates_markdown: Write a parser for the forest updates .md
Garming Sam [Fri, 24 Nov 2017 03:26:52 +0000 (16:26 +1300)]
ms_forest_updates_markdown: Write a parser for the forest updates .md

Unlike the schema markdown which appears generally as ldif, these
descriptions are textual.

We are only handling the add cases, with the rest being manually encoded.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  WindowsServerDocs: Update README for clarity
Garming Sam [Thu, 14 Dec 2017 22:30:27 +0000 (11:30 +1300)]
WindowsServerDocs: Update README for clarity

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  Forest-Wide-Updates.md: Include the description of forest wide updates
Garming Sam [Fri, 24 Nov 2017 03:26:52 +0000 (16:26 +1300)]
Forest-Wide-Updates.md: Include the description of forest wide updates

This is sourced from the WindowsServerDocs repository on Github under an
MIT/CC 4.0 attribution license. A huge thanks is required for these
being provided and the work done in the process, as they mean a lot less
work for us to repeat.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  WindowsServerDocs: Update README to get rid of the references to ./gen/
Garming Sam [Thu, 14 Dec 2017 03:43:04 +0000 (16:43 +1300)]
WindowsServerDocs: Update README to get rid of the references to ./gen/

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  2008R2: Missing operation (77) for ActiveDirectoryUpdate version 5 (FL)
Garming Sam [Thu, 24 Aug 2017 02:10:04 +0000 (14:10 +1200)]
2008R2: Missing operation (77) for ActiveDirectoryUpdate version 5 (FL)

Operation 77: {82112ba0-7e4c-4a44-89d9-d46c9612bf91}

 - Create the CN=PSPs,CN=System object

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)
Garming Sam [Thu, 24 Aug 2017 01:59:22 +0000 (13:59 +1200)]
2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)

Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}

 - Create the CN=Managed Service Accounts object

Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}

 - Add otherWellKnownObject link for CN=Managed Service Accounts

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  ldapcmp: Add otherWellKnownObjects to ignore when using --two
Garming Sam [Sun, 17 Dec 2017 23:39:52 +0000 (12:39 +1300)]
ldapcmp: Add otherWellKnownObjects to ignore when using --two

wellKnownObjects already exists in this list.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  sambadns: Allow functional level 2016 (when added)
Garming Sam [Tue, 14 Nov 2017 01:20:28 +0000 (14:20 +1300)]
sambadns: Allow functional level 2016 (when added)

This is currently just a harmless check anyway.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  wscript: Install missing .ldf files
Garming Sam [Mon, 18 Dec 2017 20:55:09 +0000 (09:55 +1300)]
wscript: Install missing .ldf files

With the update to the newer version of the 2008 R2 schemas, the files
were not available on install.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  g_lock: fix cleanup of stale entries in g_lock_trylock()
Stefan Metzmacher [Wed, 20 Dec 2017 07:25:19 +0000 (08:25 +0100)]
g_lock: fix cleanup of stale entries in g_lock_trylock()

g_lock_trylock() always incremented the counter 'i', even after cleaning a stale
entry at position 'i', which means it skipped checking for a conflict against
the new entry at position 'i'.

As a result, a process could get a write lock while there are still
some read lock holders. Once we get into that problem, more than
one write lock is also possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Dec 20 20:31:48 CET 2017 on sn-devel-144

21 months ago  torture3: add LOCAL-G-LOCK6 test
Stefan Metzmacher [Wed, 20 Dec 2017 08:44:40 +0000 (09:44 +0100)]
torture3: add LOCAL-G-LOCK6 test

This is a regression test for bug #13195.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
21 months ago  dsdb: Improve code and directly close fp
Andreas Schneider [Tue, 19 Dec 2017 14:42:14 +0000 (15:42 +0100)]
dsdb: Improve code and directly close fp

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
21 months ago  dsdb: Fix CID 1426728 Structurally dead code
Volker Lendecke [Tue, 19 Dec 2017 13:13:37 +0000 (14:13 +0100)]
dsdb: Fix CID 1426728 Structurally dead code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
21 months ago  dsdb: Fix CID 1426727 Resource leak
Volker Lendecke [Tue, 19 Dec 2017 13:11:24 +0000 (14:11 +0100)]
dsdb: Fix CID 1426727 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
21 months ago  selftest: replace global with explicit environment variables
Jamie McClymont [Fri, 8 Dec 2017 02:20:36 +0000 (15:20 +1300)]
selftest: replace global with explicit environment variables

This patch removes setting of NSS_WRAPPER and RESOLV_WRAPPER variables globally
in Samba3.pm (because setting them persistently/globally can create hidden
ordering dependencies). Instead, they are set on subprocesses as required, which
appears to be the following two places (aside from those places where they are
already set explicitly):
* calls to createuser in provision
* calls to wbinfo --ping-dc in wait_for_start

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 20 08:50:26 CET 2017 on sn-devel-144

21 months ago  selftest: apply NSS_WRAPPER_HOSTNAME to child processes
Jamie McClymont [Fri, 8 Dec 2017 01:47:09 +0000 (14:47 +1300)]
selftest: apply NSS_WRAPPER_HOSTNAME to child processes

Currently, Samba3.pm returns a value for NSS_WRAPPER_HOSTNAME in provision, but
selftest.pl does not apply it, so Samba3.pm /also/ sets it in its own
environment. This breaks a command like this:

make test TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"

... since samba3.blackbox.smbclient_ntlm.plain runs in an nt4_member env,
thereby setting ENV{NSS_WRAPPER_HOSTNAME} to the value for a member, and
samba3.rpc.samba3.netlogon depended on NSS_WRAPPER_HOSTNAME as a username (until
previous commit).

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  selftest: fix samba3.rpc.samba3.netlogon running after an nt4_member test
Jamie McClymont [Tue, 5 Dec 2017 23:49:48 +0000 (12:49 +1300)]
selftest: fix samba3.rpc.samba3.netlogon running after an nt4_member test

samba3.rpc.samba3.netlogon is using get_myname to find a username with which to
perform a join. This means that the test tries to join with the existing
localnt4dc2 user, which happens to work if get_myname is working
correctly (which it isn't -- see next commit about NSS_WRAPPER_HOSTNAME!)

This commit fixes a test run with, for example:
  TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
(given samba3.blackbox.smbclient_ntlm.plain is in the nt4_member env)

...which previously failed due to the combination of this and the
NSS_WRAPPER_HOSTNAME bug.

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  ldb: Intersect the index from SCOPE_ONELEVEL with the index for the search expression
Andrew Bartlett [Mon, 18 Dec 2017 03:22:01 +0000 (16:22 +1300)]
ldb: Intersect the index from SCOPE_ONELEVEL with the index for the search expression

This helps ensure we do not have to scan all objects at this level
which could be very many (one per DNS zone entry).

However, due to the O(n*m) behaviour in list_intersect() for older
databases, we only do this in the GUID index mode, leaving the behaviour
unchanged for existing callers that do not specify the GUID index mode.

NOTE WELL: the behaviour of disallowDNFilter is enforced
in the index code, so this fixes SCOPE_ONELEVEL to also
honour disallowDNFilter, hence the additional tests.

The change to select the SUBTREE index in the absence of
the ONELEVEL index enforces this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  selftest: Do not use dn= filter string
Andrew Bartlett [Wed, 20 Dec 2017 01:55:04 +0000 (14:55 +1300)]
selftest: Do not use dn= filter string

This accidentally worked with SCOPE_ONELEVEL against Samba, but dn= filters are
not valid in AD.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  systemd: Only start samba and nmbd when network interfaces are up
Andreas Schneider [Tue, 12 Dec 2017 07:36:57 +0000 (08:36 +0100)]
systemd: Only start samba and nmbd when network interfaces are up

For samba and nmbd we need to wait till a network interface is up or
they won't be operational.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13184

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 20 04:21:51 CET 2017 on sn-devel-144

21 months ago  s4:samba: Fix default to be running samba as a daemon
Andrew Bartlett [Tue, 19 Dec 2017 03:30:08 +0000 (16:30 +1300)]
s4:samba: Fix default to be running samba as a daemon

Commit 8736013dc42c5755b75bbb2e843a290bcd545909 got the (confusing) sense of opt_fork
wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144

21 months ago  doc/ctdb: fix two typos
Björn Baumbach [Mon, 18 Dec 2017 09:48:54 +0000 (10:48 +0100)]
doc/ctdb: fix two typos

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  dns_server: Do the exact match query first, then do the wildcard lookup
Andrew Bartlett [Thu, 14 Dec 2017 23:30:50 +0000 (12:30 +1300)]
dns_server: Do the exact match query first, then do the wildcard lookup

The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute.  This is not as efficient as a base DN lookup, so we try for
that first.

A not-found and wildcard response will still fall back to the ONELEVEL
index.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  dns_server: Do not look for a wildcard for @
Andrew Bartlett [Thu, 14 Dec 2017 22:40:28 +0000 (11:40 +1300)]
dns_server: Do not look for a wildcard for @

This query is made for every record returned via BIND9 DLZ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  dns_server: Use the indexed "name" attribute in wildcard lookup
Andrew Bartlett [Mon, 18 Dec 2017 03:22:23 +0000 (16:22 +1300)]
dns_server: Use the indexed "name" attribute in wildcard lookup

(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  winbind: Fix backslash in format string
Christof Schmitt [Mon, 18 Dec 2017 19:54:40 +0000 (12:54 -0700)]
winbind: Fix backslash in format string

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Dec 19 07:18:58 CET 2017 on sn-devel-144

21 months ago  LDB:test-generic.sh - fix smaller/greater comparison tests
Matthias Dieter Wallnöfer [Tue, 4 Sep 2012 16:27:48 +0000 (18:27 +0200)]
LDB:test-generic.sh - fix smaller/greater comparison tests

The comparison result has been ignored, which is not good. Also remove
the "ldbsearch" command in the error branch, which does not make much sense.

The script needs to be run through test-tdb.sh, test-ldap.sh or
test-sqlite3.sh, which I didn't realise before. Hence fewer changes are needed
and this is a reduced version of the patch published on the mailing list.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Tue Dec 19 03:09:12 CET 2017 on sn-devel-144

21 months ago  vfs: Use static_decl_vfs in all VFS modules
Christof Schmitt [Fri, 15 Dec 2017 22:32:12 +0000 (15:32 -0700)]
vfs: Use static_decl_vfs in all VFS modules

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 13:32:00 CET 2017 on sn-devel-144

21 months ago  docs-xml/manpages: fix some trailing version strings from the doc.version change
Björn Jacke [Wed, 13 Dec 2017 00:32:48 +0000 (01:32 +0100)]
docs-xml/manpages: fix some trailing version strings from the doc.version change

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source4/lib/socket/socket_ip.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 21:03:45 +0000 (10:03 +1300)]
source4/lib/socket/socket_ip.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 08:49:57 CET 2017 on sn-devel-144

21 months ago  source3/winbindd/winbindd.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:58:59 +0000 (09:58 +1300)]
source3/winbindd/winbindd.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source3/utils/smbfilter.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:57:04 +0000 (09:57 +1300)]
source3/utils/smbfilter.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source3/libsmb/unexpected.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:54:34 +0000 (09:54 +1300)]
source3/libsmb/unexpected.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source3/smbd/server.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:51:35 +0000 (09:51 +1300)]
source3/smbd/server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source3/lib/server_prefork.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:46:07 +0000 (09:46 +1300)]
source3/lib/server_prefork.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  source3/rpc_server/rpc_server.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:39:43 +0000 (09:39 +1300)]
source3/rpc_server/rpc_server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  ctdb/tcp/tcp_connect.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:37:28 +0000 (09:37 +1300)]
ctdb/tcp/tcp_connect.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  ctdb/server/ctdb_daemon.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:36:08 +0000 (09:36 +1300)]
ctdb/server/ctdb_daemon.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  lib/async_req/async_sock.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:31:33 +0000 (09:31 +1300)]
lib/async_req/async_sock.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  lib/tevent/echo_server.c set socket close on exec
Gary Lockyer [Sun, 10 Dec 2017 20:17:49 +0000 (09:17 +1300)]
lib/tevent/echo_server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system(),
making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  WHATSNEW: Encrypted secrets
Gary Lockyer [Mon, 11 Dec 2017 21:49:05 +0000 (10:49 +1300)]
WHATSNEW: Encrypted secrets

Document the encrypted secrets feature in WHATSNEW.txt

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 04:36:19 CET 2017 on sn-devel-144

21 months ago  selftest fl2000dc provision with --plaintext-secrets
Gary Lockyer [Thu, 14 Dec 2017 18:27:10 +0000 (07:27 +1300)]
selftest fl2000dc provision with --plaintext-secrets

Provision fl2000dc with --plaintext-secrets to test that the
--plaintext-secrets option functions correctly.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  provision: Changes to support encrypted_secrets module
Gary Lockyer [Thu, 14 Dec 2017 18:24:14 +0000 (07:24 +1300)]
provision: Changes to support encrypted_secrets module

Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.

Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  dsdb encrypted secrets module
Gary Lockyer [Thu, 14 Dec 2017 18:21:10 +0000 (07:21 +1300)]
dsdb encrypted secrets module

Encrypt the samba secret attributes on disk.  This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.

Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.

Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  tests dsdb encrypted secrets module
Gary Lockyer [Thu, 14 Dec 2017 18:17:54 +0000 (07:17 +1300)]
tests dsdb encrypted secrets module

Add tests to check that the encrypted_secrets module encrypts
secrets/sensitive attributes on disk.

This test also proves that the provision and join operations correctly
configure the encrypted_secrets module.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  pyglue: Add function to generate a random byte string
Gary Lockyer [Wed, 1 Nov 2017 21:15:29 +0000 (10:15 +1300)]
pyglue: Add function to generate a random byte string

Adds a function to generate a random byte string using the samba random
routines.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  smbd: Fix coredump on failing chdir during logoff
Christof Schmitt [Wed, 13 Dec 2017 18:34:23 +0000 (11:34 -0700)]
smbd: Fix coredump on failing chdir during logoff

server_exit does an internal tree disconnect which requires a chdir to
the share directory. In case the file system encountered a problem and
the chdir call returns an error, this triggers a SERVER_EXIT_ABNORMAL
which in turn results in a panic and a coredump. As the log already
indicates the problem (chdir returned an error), avoid the
SERVER_EXIT_ABNORMAL in this case and do not trigger a coredump.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 16 01:56:06 CET 2017 on sn-devel-144

21 months ago  selftest: Add test for failing chdir call in smbd
Christof Schmitt [Wed, 13 Dec 2017 19:58:18 +0000 (12:58 -0700)]
selftest: Add test for failing chdir call in smbd

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  selftest: Make location of log file available in tests
Christof Schmitt [Wed, 13 Dec 2017 19:47:31 +0000 (12:47 -0700)]
selftest: Make location of log file available in tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  selftest: Add share for error injection testing
Christof Schmitt [Wed, 13 Dec 2017 18:34:05 +0000 (11:34 -0700)]
selftest: Add share for error injection testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  vfs_error_inject: Add new module
Christof Schmitt [Fri, 8 Dec 2017 22:29:07 +0000 (15:29 -0700)]
vfs_error_inject: Add new module

This module allows injecting errors in vfs calls. It only implements one
case (return ESTALE from chdir), but the idea is to extend this to more
vfs functions and more errors when needed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  gpo: Test that unapply works
David Mulder [Wed, 6 Dec 2017 17:16:11 +0000 (10:16 -0700)]
gpo: Test that unapply works

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  gpo: Only commit the earliest change to the log
David Mulder [Fri, 1 Dec 2017 18:18:55 +0000 (11:18 -0700)]
gpo: Only commit the earliest change to the log

Otherwise we overwrite the original value,
leaving the setting tattooed when unapplied.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  gpo: Fix the empty apply log
David Mulder [Mon, 20 Nov 2017 13:41:19 +0000 (06:41 -0700)]
gpo: Fix the empty apply log

The apply log wasn't being saved; apparently the pointers to elements
of the tree were getting lost.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  libgpo: Remedy some longer lines
Garming Sam [Tue, 21 Nov 2017 22:00:56 +0000 (11:00 +1300)]
libgpo: Remedy some longer lines

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  libgpo: Tidy up some if statements
Garming Sam [Tue, 21 Nov 2017 22:00:35 +0000 (11:00 +1300)]
libgpo: Tidy up some if statements

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  libgpo: typo credentaials -> credentials
Garming Sam [Tue, 21 Nov 2017 21:58:55 +0000 (10:58 +1300)]
libgpo: typo credentaials -> credentials

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  libgpo: Always check for ldap_server argument
Garming Sam [Tue, 21 Nov 2017 21:57:18 +0000 (10:57 +1300)]
libgpo: Always check for ldap_server argument

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
21 months ago  markdown: Rename ms_markdown.py -> ms_schema_markdown.py
Garming Sam [Thu, 23 Nov 2017 04:06:53 +0000 (17:06 +1300)]
markdown: Rename ms_markdown.py -> ms_schema_markdown.py

We also reduce the scope of the import so that python-markdown is only
required if interacting with 2012 code.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 12:34:04 CET 2017 on sn-devel-144

21 months ago  provision: Use the official MS 2008R2 schema by default
Andrew Bartlett [Mon, 20 Nov 2017 04:10:25 +0000 (17:10 +1300)]
provision: Use the official MS 2008R2 schema by default

This fixes us to have the official adminDescription etc.  While both schemas were provided by
Microsoft, this is a better quality one, but still under the same licence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  schema: 2008R2 AD schema attributes and classes
Andrew Bartlett [Mon, 20 Nov 2017 02:45:41 +0000 (15:45 +1300)]
schema: 2008R2 AD schema attributes and classes

Obtained under the Open Protocols Specifications licence from
https://www.microsoft.com/en-us/download/details.aspx?id=23782

These are more complete than the version we have had in the tree until now.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  schema: 2016 AD schema attributes and classes
Andrew Bartlett [Mon, 20 Nov 2017 02:18:41 +0000 (15:18 +1300)]
schema: 2016 AD schema attributes and classes

Obtained under the Open Protocols Specifications licence from
https://www.microsoft.com/en-us/download/details.aspx?id=23782

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago  provision: RODC revision level should be at 2
Garming Sam [Wed, 16 Aug 2017 04:02:32 +0000 (16:02 +1200)]
provision: RODC revision level should be at 2

This number had been mistakenly updated alongside the standard forest
updates revision. This version number appears to be independent of the
other revision levels.

Also add the change to a new .ldf file, which can be used to apply
the schema change to an existing Samba 4.7 (or earlier) instance.
Update the provision/upgrade test to do just this (otherwise it
complains about differences between a new provision and an older Samba
4.0.0 instance).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago  selftest: Add basic test for schema upgrade
Tim Beale [Fri, 6 Oct 2017 03:30:40 +0000 (16:30 +1300)]
selftest: Add basic test for schema upgrade

This tests that we can provision using both the 2008 and 2012 schema,
that we can upgrade a 2008 Samba instance to use the 2012 schema, and
that when we do that the result (more or less) matches a straight
2012 provision.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago domain.py: Auto-patch the diffs for the adprep schemaupgrade
Garming Sam [Tue, 31 Oct 2017 22:53:29 +0000 (11:53 +1300)]
domain.py: Auto-patch the diffs for the adprep schemaupgrade

This creates a temporary directory where the markdown is parsed and the
diffs are then applied.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago domain.py: Add a base dir option for schema upgrades
Garming Sam [Tue, 31 Oct 2017 21:48:36 +0000 (10:48 +1300)]
domain.py: Add a base dir option for schema upgrades

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago schema: Some 2012 objects were missing systemflags
Garming Sam [Wed, 27 Sep 2017 01:51:25 +0000 (14:51 +1300)]
schema: Some 2012 objects were missing systemflags

The adprep LDIF files were adding the systemFlags, but they weren't
present in the 2012 schema files. This is not just a Microsoft
documentation problem - the difference was present when doing a provision
of a 2012 Windows server vs using Adprep.exe to upgrade an older Windows
server.

Samba might as well use the correct systemFlags right from the start.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago upgradeprovision: Change test to always use 2008 R2 schema
Tim Beale [Wed, 4 Oct 2017 21:01:27 +0000 (10:01 +1300)]
upgradeprovision: Change test to always use 2008 R2 schema

This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).

Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.

It seems to make most sense to leave these tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago domain.py: Add base-schema option to samba-tool provision
Tim Beale [Wed, 4 Oct 2017 20:53:28 +0000 (09:53 +1300)]
domain.py: Add base-schema option to samba-tool provision

Allow a different base-schema to be used when provisioning a new domain.
This allows us to test the new 2012 schema without committing Samba to
using it by default.

If, in future, we change the default to use the 2012 schema, some
existing Samba tests (like upgradeprovision) rely on the 2012 schema.
So making the base-schema optional allows these tests to continue using
the older schema.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago schema: Add option of specifying the base schema for a provision
Tim Beale [Tue, 3 Oct 2017 23:30:59 +0000 (12:30 +1300)]
schema: Add option of specifying the base schema for a provision

Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago selftest: Fix upgradeprovision test by importing new objects for schema 45
Andrew Bartlett [Tue, 12 Dec 2017 02:26:35 +0000 (15:26 +1300)]
selftest: Fix upgradeprovision test by importing new objects for schema 45

The recent schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago 2008R2: Missing flags on optional features container for objectVersion 45
Andrew Bartlett [Tue, 12 Dec 2017 02:20:26 +0000 (15:20 +1300)]
2008R2: Missing flags on optional features container for objectVersion 45

To match Windows 2008R2, this should have the same flags as the
recycle bin enabled feature.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
21 months ago 2008R2: Missing extended rights for objectVersion 45
Andrew Bartlett [Wed, 13 Dec 2017 02:03:57 +0000 (15:03 +1300)]
2008R2: Missing extended rights for objectVersion 45

We appear to have been missing some extended rights from 2008R2. These were
added in Samba by the extended-rights.ldif.

On Windows this was in Sch45.ldf (triggered by adprep schema updates).

We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.

This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.

Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
21 months ago schema: Re-work extended rights handling in provision (prep for 2012R2)
Andrew Bartlett [Mon, 11 Dec 2017 01:42:55 +0000 (14:42 +1300)]
schema: Re-work extended rights handling in provision (prep for 2012R2)

Add the changes needed to provision a 2012 DC (mostly this just affects
the Extended Rights objects) by moving to the new extended-rights.ldif.

The localizationDisplayId is not documented in MS-ADTS so these values
are moved to provision_configuration_modify.ldif and applied after the
display-specifiers.ldif.

We don't enable the 2012R2 mode yet. The ${INC2012} variable
just gets replaced with '#' so the lines get commented out and not
applied.

This approach allows us to support provisioning both a 2008R2 DC or
a 2012R2 DC (so that we can test we can upgrade a 2008 DC to 2012).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Make clarifying header an LDIF comment in extended-rights.ldif
Andrew Bartlett [Mon, 11 Dec 2017 01:50:39 +0000 (14:50 +1300)]
provision: Make clarifying header an LDIF comment in extended-rights.ldif

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Align displayName of Property Sets with MS-ADTS 3.1.1.2.3.3
Andrew Bartlett [Mon, 11 Dec 2017 00:35:25 +0000 (13:35 +1300)]
provision: Align displayName of Property Sets with MS-ADTS 3.1.1.2.3.3

This gives some better names than what the CN of the object was.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Fill in a nicer displayName for Extended Rights
Andrew Bartlett [Mon, 11 Dec 2017 00:26:53 +0000 (13:26 +1300)]
provision: Fill in a nicer displayName for Extended Rights

We replace all the hyphens with a space.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Fill in validAccesses in extended-rights.ldif for Property Sets
Andrew Bartlett [Sun, 10 Dec 2017 23:35:45 +0000 (12:35 +1300)]
provision: Fill in validAccesses in extended-rights.ldif for Property Sets

A Property Right has the value of RIGHT_DS_READ_PROPERTY|RIGHT_DS_WRITE_PROPERTY which is
48 (0x30) per 5.1.3.2 Access Rights.

The Property Sets are listed in MS-ADTS 3.1.1.2.3.3 and can also be found by looking
at the attributeSecurityGuid on the schema objects.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Fill in validAccesses in extended-rights.ldif for Validated Writes
Andrew Bartlett [Sun, 10 Dec 2017 23:26:04 +0000 (12:26 +1300)]
provision: Fill in validAccesses in extended-rights.ldif for Validated Writes

MS-ADTS 5.1.3.2.2 Validated Writes specifies the value of RIGHT_DS_WRITE_PROPERTY_EXTENDED which is
8 (0x08) per 5.1.3.2 Access Rights.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Fill in validAccesses in extended-rights.ldif for Control Access Rights
Andrew Bartlett [Sun, 10 Dec 2017 23:22:05 +0000 (12:22 +1300)]
provision: Fill in validAccesses in extended-rights.ldif for Control Access Rights

MS-ADTS 5.1.3.2.1 Control Access Rights specifies the value of RIGHT_DS_CONTROL_ACCESS which is
256 (0x100) per 5.1.3.2 Access Rights.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Align extended-rights.ldif with the adprep LDIF for 2012R2
Andrew Bartlett [Sun, 10 Dec 2017 22:57:35 +0000 (11:57 +1300)]
provision: Align extended-rights.ldif with the adprep LDIF for 2012R2

This removes the additional rights for 2016 and flags the 2012R2 changes to allow
the same file to be used to produce a 2008R2 or 2012R2 domain.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Reformat appliesTo in Extended Rights into LDIF
Andrew Bartlett [Sun, 10 Dec 2017 22:09:51 +0000 (11:09 +1300)]
provision: Reformat appliesTo in Extended Rights into LDIF

We remove comments about Schema 45 and earlier as this is the base
level that Samba supports.  A future commit will move to a
machine-parsable flag for the 2012 schema and remove the 2016 elements.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Remove section numbers from extended rights, replace with dn
Andrew Bartlett [Sun, 10 Dec 2017 21:51:32 +0000 (10:51 +1300)]
provision: Remove section numbers from extended rights, replace with dn

This makes this file more like LDIF so we can process it automatically as well as
use it as a text document.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago provision: Import extended rights schema from MS-ADTS v47.0
Andrew Bartlett [Sun, 10 Dec 2017 21:09:55 +0000 (10:09 +1300)]
provision: Import extended rights schema from MS-ADTS v47.0

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago domain.py: Add a schemaupgrade option to apply missing 2008R2 schema
Tim Beale [Thu, 5 Oct 2017 03:16:30 +0000 (16:16 +1300)]
domain.py: Add a schemaupgrade option to apply missing 2008R2 schema

We've identified some cases where we've gotten our implementation of the
2008R2 schema wrong. We can fix these up for new provisions going
forward, but it'd be nice to have some way of fixing up the schema on
existing DCs.

A lot of what we're missing is already documented in Microsoft's
Sch45.ldf file:
https://technet.microsoft.com/en-us/library/dd378890(v=ws.10).aspx

Unfortunately we can't just apply the Sch45.ldf file using the existing
'samba-tool domain schema-upgrade' option because:
- We have got some of the Sch45.ldf changes, just not all of them.
- We already say the Samba schema objectVersion is 47 (2008R2), so
  there's no way to tell if the Samba instance does or doesn't have the
  missing changes (apart from querying each change).

We may want to add this to dbcheck eventually, but the simplest
implementation option for now is to extend the new schemaupgrade command
to allow us to specify a particular .LDF file to apply.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago domain.py: Make schemaupgrade option work regardless of config
Tim Beale [Thu, 5 Oct 2017 02:43:53 +0000 (15:43 +1300)]
domain.py: Make schemaupgrade option work regardless of config

Currently the 'samba-tool domain schemaupgrade' command will only work
if the Samba config has the non-default option 'dsdb:schema update
allowed = yes'. The whole point of running this samba-tool option is to
upgrade the schema, so it would seem to make sense to bypass the setting
temporarily, in order to apply the schema updates successfully.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago domain.py: Add schema upgrade option to samba-tool
Tim Beale [Tue, 3 Oct 2017 23:30:59 +0000 (12:30 +1300)]
domain.py: Add schema upgrade option to samba-tool

Microsoft has published the Schema updates that its Adprep.exe tool
applies when it upgrades a 2008R2 schema to 2012R2.

This patch adds an option to samba-tool to go through these update files
and apply each change one by one. Along the way we need to make a few
changes to the LDIF operations, e.g. change 'ntdsschemaadd' to 'add' and
so on.

The bulk of the changes involve parsing the .ldif file and separating
out each update into a separate operation.

There are a couple of errors that we've chosen to ignore:
- Trying to set isDefunct for an object we don't know about.
- Trying to set a value for an attribute OID that we don't know about
  (we may need to fix this in future, but it'll require some help from
   Microsoft about what the OIDs actually are).

To try to make life easier, I've added an ldif_schema_update helper
class. This provides convenient access to the DN the change applies to
and other such details (whether it's setting isDefunct, etc).

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago schema: Allow schemaUpdateNow to refresh schema during a transaction
Garming Sam [Fri, 18 Aug 2017 01:59:30 +0000 (13:59 +1200)]
schema: Allow schemaUpdateNow to refresh schema during a transaction

When we upgrade a schema from 2008R2 to 2012R2, we want to apply all the
changes in a single transaction - if we can't apply all the updates then
we don't want to be left with a schema halfway in between the two.

However, as we apply each LDIF update, we also want to refresh the
schema. There are 2 reasons for this:
1. The adprep .LDIF files provided by Microsoft have some writes to
schemaUpdateNow in them.
2. Microsoft uses attribute OIDs in their adprep .LDIF files, which
Samba doesn't handle so well. However, we can replace the OIDs with the
attribute's ldapDisplayName and they work fine. But to do this, we need
to query the schema to map the OID to attribute name. And to query the
schema successfully, the schema needs to be refreshed after the new
attribute object has been added.

Basically this patch avoids bailing out during the dsdb_schema_refresh()
if we are writing schemaUpdateNow as part of a larger transaction.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago adprep: Add the LDF data needed to upgrade to 2012R2 schema
Garming Sam [Mon, 2 Oct 2017 21:01:30 +0000 (10:01 +1300)]
adprep: Add the LDF data needed to upgrade to 2012R2 schema

This patch adds the LDF files corresponding to the changes that the
Windows Adprep.exe tool makes when upgrading an AD schema to Windows
2012R2.

This is based on information Microsoft has made public on github
(Schema-Updates.md - see the README.txt for more details).

The LDF files 48-56 are for upgrading to Windows Server 2012, and 57-69
are for Windows Server 2012 R2.

Unfortunately, the raw LDF information from Microsoft wasn't enough to
get the schema working. The .diff files contain changes we needed to
make on top of the raw LDF content from Microsoft.

The basic steps to regenerate the .LDF files are documented in the
README.txt file. The files used to generate the .LDF files are in the
WindowsServerDocs/ sub-directory. (The .LDF generation is done at runtime
during provision).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago objectclass: Ensure that backlinks are not replicated
Garming Sam [Tue, 5 Sep 2017 04:03:04 +0000 (16:03 +1200)]
objectclass: Ensure that backlinks are not replicated

Adprep schema adds backlinks, but they do not have the NOT_REPLICATED
bit. We need to force this in locally to ensure we have it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago ms_schema: Properly handle base64 encoded attributes
Garming Sam [Fri, 18 Aug 2017 01:46:57 +0000 (13:46 +1200)]
ms_schema: Properly handle base64 encoded attributes

There used to be a special case for omobjectclass, but now there is just
generic handling for such attributes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago schema: 2012 and 2012 R2 AD schema attributes and classes
Garming Sam [Mon, 12 Sep 2016 05:07:02 +0000 (17:07 +1200)]
schema: 2012 and 2012 R2 AD schema attributes and classes

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago ms_schema: Allow for CN=X and DC=X replacements
Garming Sam [Mon, 19 Sep 2016 01:52:54 +0000 (13:52 +1200)]
ms_schema: Allow for CN=X and DC=X replacements

These occur in the newer 2012 and 2016 schemas.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago typo: Change case to match DN
Garming Sam [Wed, 2 Aug 2017 00:52:22 +0000 (12:52 +1200)]
typo: Change case to match DN

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago flags.h: Introduce the 2016 function level constant
Garming Sam [Tue, 15 Aug 2017 03:17:34 +0000 (15:17 +1200)]
flags.h: Introduce the 2016 function level constant

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21 months ago ldb: Show the last successful DN when failing to parse LDIF
Andrew Bartlett [Mon, 11 Dec 2017 02:57:30 +0000 (15:57 +1300)]
ldb: Show the last successful DN when failing to parse LDIF

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
21 months ago WHATSNEW: document the removal of 'auth methods', 'map untrusted to domain' and ...
Stefan Metzmacher [Mon, 7 Aug 2017 15:32:09 +0000 (17:32 +0200)]
WHATSNEW: document the removal of 'auth methods', 'map untrusted to domain' and 'profile acls'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 00:40:31 CET 2017 on sn-devel-144