Andrew Bartlett [Sun, 7 Jan 2018 21:31:50 +0000 (10:31 +1300)]
travis-ci: Update package list to match the wiki
This in turn is based on what we use at Catalyst minus some helpful packages like editors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Ralph Boehme [Sat, 6 Jan 2018 15:13:52 +0000 (16:13 +0100)]
vfs_fileid: fix a use after free
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 8 03:16:30 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 4 Jan 2018 16:22:16 +0000 (17:22 +0100)]
vfs_fileid: add fileid:algorithm = fsname_norootdir
Based-on-a-patch-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 6 04:41:24 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 4 Jan 2018 16:09:21 +0000 (17:09 +0100)]
vfs_fileid: add fileid:nolockinode parameter
Based-on-a-patch-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 4 Jan 2018 16:02:53 +0000 (17:02 +0100)]
vfs_fileid: add fileid:algorithm = fsname_nodirs
Enabling fileid:algorithm = fsname_nodirs uses the hostname algorithm
for directories and thus breaks cluster lock coherence for directories.
Based-on-a-patch-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 4 Jan 2018 15:59:54 +0000 (16:59 +0100)]
vfs_fileid: add fileid:algorithm = hostname
Using fileid:algorithm = hostname makes fileid generate
fileids based on the hostname. This breaks cluster lock coherence.
Based-on-a-patch-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 4 Jan 2018 15:35:38 +0000 (16:35 +0100)]
vfs_fileid: convert dev argument of the device_mapping_fn to SMB_STRUCT_STAT
This is in preperation of adding an additional mapping function that
acts differently depending of the file type. No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Wuerthner [Tue, 12 Jan 2016 15:00:24 +0000 (16:00 +0100)]
vfs_fileid: add "fstype/mntdir deny/allow list" option
When using the fsname or fsid algorithm a stat() and statfs() call is
required for all mounted file systems to generate the file_id. If e.g.
an NFS file system is unresponsive such a call might block and the smbd
process will become unresponsive. Add "fileid:fstype deny",
"fileid:fstype allow", "fileid:mntdir deny", and "fileid:mntdir allow"
options to ignore potentially unresponsive file systems.
See also https://lists.samba.org/archive/samba-technical/2016-January/111553.html
for a discussion about why this is useful.
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 5 Jan 2018 09:23:30 +0000 (10:23 +0100)]
vfs_fileid: preserve errno in an error code path
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 4 Jan 2018 16:25:07 +0000 (17:25 +0100)]
vfs_fileid: add a DEBUG message to log dev and inode
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 5 Jan 2018 09:45:41 +0000 (10:45 +0100)]
tests: The pthreadpooltests do not need a full environment
Makes "make test TESTS=pthreadpool" faster
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 4 Jan 2018 20:26:58 +0000 (21:26 +0100)]
dnscli: Make a few functions static
We might want to use the tcp flavor in the future in the forwarder for a
single, persistent TCP connection. Then we can easily re-publish it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 4 Jan 2018 20:06:02 +0000 (21:06 +0100)]
samba: Only use async signal-safe functions in signal handler
Otherwise shutdown can hang
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Ralph Boehme [Tue, 2 Jan 2018 18:09:04 +0000 (19:09 +0100)]
s4/torture: test vfs_fruit "fruit:time machine max size" option
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 3 Nov 2017 09:56:29 +0000 (10:56 +0100)]
vfs_fruit: add "time machine max size" option
This can be used to configure a per client filesystem size limit on
TimeMachine shares.
It's a nasty hack but it was reportedly working well in Netatalk where
it's taken from.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Björn Jacke [Thu, 4 Jan 2018 15:35:12 +0000 (16:35 +0100)]
docs-xml: add basic Makefile dependencies for targets that use xsltproc
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Jan 5 19:55:29 CET 2018 on sn-devel-144
Björn Jacke [Thu, 4 Jan 2018 15:19:13 +0000 (16:19 +0100)]
docs-xml: set a reasonable XML_CATALOG_FILES in Makefile
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Björn Jacke [Thu, 4 Jan 2018 15:12:28 +0000 (16:12 +0100)]
docs-xml: generate build/catalog.xml via Makefile target
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Jamie McClymont [Tue, 19 Dec 2017 00:14:41 +0000 (13:14 +1300)]
autobuild: fix quoting of --restrict-tests
Currently, passing multiple tests causes those other than the first to be
passed to make, causing failures.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jan 5 02:51:09 CET 2018 on sn-devel-144
Jamie McClymont [Wed, 3 Jan 2018 03:59:24 +0000 (03:59 +0000)]
source4/tests: typo in env name
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Björn Jacke [Thu, 4 Jan 2018 11:55:26 +0000 (12:55 +0100)]
docs-xml: plain file URIs need three slashes
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Thu Jan 4 20:32:21 CET 2018 on sn-devel-144
Björn Jacke [Thu, 4 Jan 2018 09:38:05 +0000 (10:38 +0100)]
docs-xml: figure out samba version for the docs automatically
Signed-off-by: Bjoern Jacke <bjoern@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Wed, 3 Jan 2018 17:52:33 +0000 (09:52 -0800)]
s3: smbd: Use identical logic to test for kernel oplocks on a share.
Due to inconsistent use of lp_kernel_oplocks() we could miss kernel
oplocks being on/off in some of our oplock handling code, and thus
use the wrong logic.
Ensure all logic around koplocks and lp_kernel_oplocks() is consistent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13193
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 4 16:03:38 CET 2018 on sn-devel-144
Volker Lendecke [Sun, 31 Dec 2017 10:02:45 +0000 (11:02 +0100)]
dns_server: Remove "max_payload" from dns_server
This would have to be retrieved from the interface type we have I guess.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 4 05:08:02 CET 2018 on sn-devel-144
Volker Lendecke [Sun, 31 Dec 2017 10:00:01 +0000 (11:00 +0100)]
dns_server: Remove unused "dns_generate_options"
This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 31 Dec 2017 09:59:40 +0000 (10:59 +0100)]
dns_server: Remove unused "dns" parameter from ask_forwarder_send
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 29 Dec 2017 12:09:15 +0000 (13:09 +0100)]
ndr_dns: fix pushing unknown resource records
When pulling for example an RRSIG record, we end up with length!=0 *and*
unexpected.length != 0, but with an unknown rrec. We should be able to
marshall what we retrieved from the wire.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 29 Dec 2017 10:11:59 +0000 (11:11 +0100)]
dns_server: Use dns_cli_request instead of direct udp
This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 29 Dec 2017 10:01:29 +0000 (11:01 +0100)]
libdns: Add dns_cli_request
First UDP, then TCP if truncation happened
Signed-off-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Thu, 28 Dec 2017 21:35:46 +0000 (22:35 +0100)]
libdns: dns/tcp client
Same signature as the UDP client in the same file. This opens and closes
the socket per request. In the future, we might want to create a
persistent TCP connection for our internal DNS server's forwarder. That
will require proper handling of in-flight requests. Something for
another day.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 27 Dec 2017 11:50:07 +0000 (12:50 +0100)]
dsdb: Fix the build on 32-bit FreeBSD
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 29 Dec 2017 08:36:31 +0000 (09:36 +0100)]
libdns: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 28 Dec 2017 20:41:33 +0000 (21:41 +0100)]
tsocket: Fix typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 13 Dec 2016 10:38:13 +0000 (11:38 +0100)]
credentials: Simplify cli_credentials_get_server_gss_creds()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144
Bjoern Jacke [Thu, 7 Dec 2017 15:06:38 +0000 (16:06 +0100)]
smbldap: don't try start tls on ldaps:// connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6079
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Jan 2 18:01:17 CET 2018 on sn-devel-144
Björn Jacke [Wed, 13 Dec 2017 12:39:10 +0000 (13:39 +0100)]
doc-xml: fix dependency as the xml targets depend on Makefile.settings
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sun, 31 Dec 2017 23:14:13 +0000 (00:14 +0100)]
Happy New Year 2018!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 1 19:19:22 CET 2018 on sn-devel-144
Douglas Bagnall [Wed, 27 Dec 2017 22:45:49 +0000 (11:45 +1300)]
selftest: allow more time for tests
Maybe make test *should* run in under 4 hours, but it currently
doesn't.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 29 02:48:59 CET 2017 on sn-devel-144
Volker Lendecke [Wed, 27 Dec 2017 12:19:06 +0000 (13:19 +0100)]
torture: Fix CID
1426987 Incorrect expression (UNUSED_VALUE)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Dec 28 02:22:04 CET 2017 on sn-devel-144
Douglas Bagnall [Mon, 18 Dec 2017 04:06:07 +0000 (17:06 +1300)]
samba-tool test: ensure `samba-tool help` works
We make sure the output is identical to `samba-tool --help` for the same
subcommands.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 07:50:21 CET 2017 on sn-devel-144
Douglas Bagnall [Fri, 11 Aug 2017 04:39:33 +0000 (16:39 +1200)]
samba-tool: treat 'samba-tool help foo' as 'samba-tool foo --help'
Vaguely keeping up with the modern style.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 20 Dec 2017 22:30:24 +0000 (11:30 +1300)]
samba-tool: give cache_loader pseudo-dict a .get() method
This makes it more dict-like, and makes the next patch (adding
samba-tool help) simpler.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 18 Dec 2017 03:54:07 +0000 (16:54 +1300)]
samba-tool: --help test, ensuring help tree coverage
`samba-tool [COMMAND] --help` will list sub-commands of COMMAND
(or top-level commands if COMMAND is omitted). This ensures that
`samba-tool COMMAND SUBCOMMAND --help` works for all the commands
found in the help tree.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Uri Simchoni [Thu, 21 Dec 2017 17:49:39 +0000 (19:49 +0200)]
selftest: pass location of perl executable from waf to test-envs
Many perl scripts in the codebase are executables with a
"/usr/bin/perl" shebang. Running them as executables is not
portable as some OS's have a different location for the perl
interpreter.
During the configuration process, waf finds the location of the perl
interpreter. Some or all invocations of perl scripts from within
test environment setup code are actually "$PERL <script>",
but since PERL env var is typically not set, this amounts to the
unportable "<script>", which invokes /usr/bin/perl.
This patch exports the location of perl as found by the configuration
process to the test environment, causing "$PERL <script>" to be
"<correct place of perl interpreter> <script>".
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 20 Dec 2017 13:05:54 +0000 (14:05 +0100)]
s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions
Windows client at least doesn't have code to replay
a SMB2 Close after getting NETWORK_SESSION_EXPIRED,
which locks out a the client and generates an endless
loop around NT_STATUS_SHARING_VIOLATION.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 21 23:28:42 CET 2017 on sn-devel-144
Stefan Metzmacher [Thu, 21 Dec 2017 13:47:06 +0000 (14:47 +0100)]
s3:smbd: return the correct error for cancelled SMB2 notifies on expired sessions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 21 Dec 2017 11:53:02 +0000 (12:53 +0100)]
s4:torture: add smb2.session.expire2 test
This demonstrates the interaction of NT_STATUS_NETWORK_SESSION_EXPIRED
and various SMB2 opcodes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 21 Dec 2017 10:01:18 +0000 (11:01 +0100)]
torture: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Uri Simchoni [Tue, 5 Dec 2017 18:56:49 +0000 (20:56 +0200)]
sysacls: change datatypes to 32 bits
The SMB_ACL_PERMSET_T and SMB_ACL_PERM_T were defined as
mode_t, which is 16-bits on some (non-Linux) systems. However,
pidl *always* encodes mode_t as uint32_t. That created a bug on
big-endian systems as sys_acl_get_permset() returns a SMB_ACL_PERMSET_T
pointer to an internal a_perm structure member defined in IDL as a mode_t,
which pidl turns into a uin32_t in the emitted header file.
Changing to 32 bits fixes that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 5 Dec 2017 18:49:03 +0000 (20:49 +0200)]
pysmbd: fix use of sysacl API
Fix pysmbd to use the sysacl (POSIX ACL support) as intended, and
not assume too much about the inner structure and implementation
of the permissions in the sysacl API.
This will allow the inner structure to change in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Wed, 20 Dec 2017 23:07:46 +0000 (12:07 +1300)]
samba-tool domain schemaupgrade: Avoid reindex after every hunk
This takes advantage of the fact that a single LDB operation is atomic
even inside our transaction and so we can retry it after updating the
schema.
This makes the smaba-tool domain schemaupgrade take 1m30s compared with 4m4s.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 08:28:51 CET 2017 on sn-devel-144
Garming Sam [Sun, 17 Dec 2017 23:45:02 +0000 (12:45 +1300)]
ldapcmp: Improve the difference checker of ldapcmp for 2012 R2
There are a number of new attributes which may be considered DNs.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 03:41:19 CET 2017 on sn-devel-144
Garming Sam [Sun, 17 Dec 2017 23:30:44 +0000 (12:30 +1300)]
upgradeprovision: Mark tests as passing again (using functional prep)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Sun, 17 Dec 2017 23:30:15 +0000 (12:30 +1300)]
functionalprep.sh: Add a test to show that functional prep works on old databases
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 15 Dec 2017 02:43:32 +0000 (15:43 +1300)]
functionalprep.sh: New test for ensuring that the prep works correctly
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 15 Dec 2017 01:33:45 +0000 (14:33 +1300)]
release-4-8-0-pre1: New database dump for checking that functional prep works
Next will be a test which compares the current run of the script against
this reference provision.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 6 Dec 2017 01:12:30 +0000 (14:12 +1300)]
domain.py: Command for prepping the domain for higher functional levels
Currently we support the 2012 and 2012 R2 prep levels.
Forest prep requires use of the schema master role.
Domain prep requires use of the infrastructure master role.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 13 Dec 2017 02:27:20 +0000 (15:27 +1300)]
domain.py: Force schema upgrade to be used only on the schema master
While this may be enforced at lower levels, it would be better to warn
earlier rather than later.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 12 Dec 2017 23:09:02 +0000 (12:09 +1300)]
forest_update: Allow the script to add the missing forest containers
Before we set the prep level higher in default provisions, we should add
these objects to the initial ldif (so that our initial ldif represents a
full 2008R2 domain which we build consistently on).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 6 Dec 2017 01:23:04 +0000 (14:23 +1300)]
forest_update: Create a module to apply forest prep updates
This module uses information sourced from the Forest-Wide-Updates.md
file from one of Microsoft's Github repos to generate the operation
information.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 13 Dec 2017 00:37:08 +0000 (13:37 +1300)]
domain_update: Add a new docstring for the main entry point
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 13 Dec 2017 00:35:14 +0000 (13:35 +1300)]
domain_update: Add an additional error with revision
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 13 Dec 2017 00:17:32 +0000 (13:17 +1300)]
domain_update: Allow the revision version to be set
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 13 Dec 2017 00:12:01 +0000 (13:12 +1300)]
domain_update: Respect the fix=False flag
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 12 Dec 2017 02:53:09 +0000 (15:53 +1300)]
domain_update: Create a module to apply domain prep updates
These updates are referenced in documentation much like our
Forest-Wide-Updates.md file under the same MIT and CC attribution
licenses.
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Domain-Wide-Updates.md
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 24 Nov 2017 03:26:52 +0000 (16:26 +1300)]
ms_forest_updates_markdown: Write a parser for the forest updates .md
Unlike the schema markdown which appears generally as ldif, these
descriptions are textual.
We are only handling the add cases, with the rest being manually encoded.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 14 Dec 2017 22:30:27 +0000 (11:30 +1300)]
WindowsServerDocs: Update README for clarity
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 24 Nov 2017 03:26:52 +0000 (16:26 +1300)]
Forest-Wide-Updates.md: Include the description of forest wide updates
This is sourced from the WindowsServerDocs repository on Github under an
MIT/CC 4.0 attribution license. A huge thanks is required for these
being provided and the work done in the process, as they mean a lot less
work for us to repeat.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 14 Dec 2017 03:43:04 +0000 (16:43 +1300)]
WindowsServerDocs: Update README to get rid of the references to ./gen/
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 24 Aug 2017 02:10:04 +0000 (14:10 +1200)]
2008R2: Missing operation (77) for ActiveDirectoryUpdate version 5 (FL)
Operation 77: {
82112ba0-7e4c-4a44-89d9-
d46c9612bf91}
- Create the CN=PSPs,CN=System object
Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/
dd378973(v=ws.10).aspx
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 24 Aug 2017 01:59:22 +0000 (13:59 +1200)]
2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)
Operation 75 {
5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}
- Create the CN=Managed Service Accounts object
Operation 76 {
d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}
- Add otherWellKnownObject link for CN=Managed Service Accounts
Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/
dd378973(v=ws.10).aspx
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Sun, 17 Dec 2017 23:39:52 +0000 (12:39 +1300)]
ldapcmp: Add otherWellKnownObjects to ignore when using --two
wellKnownObjects already exists in this list.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 14 Nov 2017 01:20:28 +0000 (14:20 +1300)]
sambadns: Allow functional level 2016 (when added)
This is currently just a harmless check anyways.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 18 Dec 2017 20:55:09 +0000 (09:55 +1300)]
wscript: Install missing .ldf files
With the update to the newer version of the 2008 R2 schemas, the files
were not available on install.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 20 Dec 2017 07:25:19 +0000 (08:25 +0100)]
g_lock: fix cleanup of stale entries in g_lock_trylock()
g_lock_trylock() always incremented the counter 'i', even after cleaning a stale
entry at position 'i', which means it skipped checking for a conflict against
the new entry at position 'i'.
As result a process could get a write lock, while there're still
some read lock holders. Once we get into that problem, also more than
one write lock are possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Dec 20 20:31:48 CET 2017 on sn-devel-144
Stefan Metzmacher [Wed, 20 Dec 2017 08:44:40 +0000 (09:44 +0100)]
torture3: add LOCAL-G-LOCK6 test
This is a regression test for bug #13195.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Tue, 19 Dec 2017 14:42:14 +0000 (15:42 +0100)]
dsdb: Improve code and directly close fp
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Tue, 19 Dec 2017 13:13:37 +0000 (14:13 +0100)]
dsdb: Fix CID
1426728 Structurally dead code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 19 Dec 2017 13:11:24 +0000 (14:11 +0100)]
dsdb: Fix CID
1426727 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jamie McClymont [Fri, 8 Dec 2017 02:20:36 +0000 (15:20 +1300)]
selftest: replace global with explicit environment variables
This patch removes setting of NSS_WRAPPER and RESOLV_WRAPPER variables globally
in Samba3.pm (because setting them persistently/globally can create hidden
ordering dependencies). Instead, they are set on subprocesses as required, which
appears to be the following two places (aside from those places where they are
already set explicitly):
* calls to createuser in provision
* calls to wbinfo --ping-dc in wait_for_start
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 20 08:50:26 CET 2017 on sn-devel-144
Jamie McClymont [Fri, 8 Dec 2017 01:47:09 +0000 (14:47 +1300)]
selftest: apply NSS_WRAPPER_HOSTNAME to child processes
Currently, Samba3.pm returns a value for NSS_WRAPPER_HOSTNAME in provision, but
selftest.pl does not apply it, so Samba3.pm /also/ sets it in its own
environment. This breaks a command like this:
make test TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
... since samba3.blackbox.smbclient_ntlm.plain runs in an nt4_member env,
thereby setting ENV{NSS_WRAPPER_HOSTNAME} to the value for a member, and
samba3.rpc.samba3.netlogon depended on NSS_WRAPPER_HOSTNAME as a username (until
previous commit).
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jamie McClymont [Tue, 5 Dec 2017 23:49:48 +0000 (12:49 +1300)]
selftest: fix samba3.rpc.samba3.netlogon running after an nt4_member test
samba3.rpc.samba3.netlogon is using get_myname to find a username with which to
perform a join. This means that the test tries to join with the existing
localnt4dc2 user, which happens to work if get_myname is working
correctly (which it isn't -- see next commit about NSS_WRAPPER_HOSTNAME!)
This commit fixes a test run with, for example:
TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
(given samba3.blackbox.smbclient_ntlm.plain is in the nt4_member env)
...which previously failed due to the combination of this and the
NSS_WRAPPER_HOSTNAME bug.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 18 Dec 2017 03:22:01 +0000 (16:22 +1300)]
ldb: Intersect the index from SCOPE_ONELEVEL with the index for the search expression
This helps ensure we do not have to scan all objects at this level
which could be very many (one per DNS zone entry).
However, due to the O(n*m) behaviour in list_intersect() for older
databases, we only do this in the GUID index mode, leaving the behaviour
unchanged for existing callers that do not specify the GUID index mode.
NOTE WELL: the behaviour of disallowDNFilter is enforced
in the index code, so this fixes SCOPE_ONELEVEL to also
honour disallowDNFilter, hence the additional tests.
The change to select the SUBTREE index in the absense of
the ONELEVEL index enforces this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Dec 2017 01:55:04 +0000 (14:55 +1300)]
selftest: Do not use dn= filter string
This accidentially worked with SCOPE_ONELEVEL against Samba but dn= filters are
not valid in AD.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andreas Schneider [Tue, 12 Dec 2017 07:36:57 +0000 (08:36 +0100)]
systemd: Only start samba and nmbd when network interfaces are up
For samba and nmbd we need to wait till a network interface is up or
they wont be operational.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 20 04:21:51 CET 2017 on sn-devel-144
Andrew Bartlett [Tue, 19 Dec 2017 03:30:08 +0000 (16:30 +1300)]
s4:samba: Fix default to be running samba as a deamon
Commit
8736013dc42c5755b75bbb2e843a290bcd545909 got the (confusing) sense of opt_fork
wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144
Björn Baumbach [Mon, 18 Dec 2017 09:48:54 +0000 (10:48 +0100)]
doc/ctdb: fix two typos
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 14 Dec 2017 23:30:50 +0000 (12:30 +1300)]
dns_server: Do the exact match query first, then do the wildcard lookup
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute. This is not as efficient as a base DN lookup, so we try for
that first.
A not-found and wildcard response will still fall back to the ONELEVEL
index.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 14 Dec 2017 22:40:28 +0000 (11:40 +1300)]
dns_server: Do not look for a wildcard for @
This query is made for every record returned via BIND9 DLZ.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 18 Dec 2017 03:22:23 +0000 (16:22 +1300)]
dns_server: Use the indexed "name" attribute in wildcard lookup
(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Christof Schmitt [Mon, 18 Dec 2017 19:54:40 +0000 (12:54 -0700)]
winbind: Fix backslash in format string
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Dec 19 07:18:58 CET 2017 on sn-devel-144
Matthias Dieter Wallnöfer [Tue, 4 Sep 2012 16:27:48 +0000 (18:27 +0200)]
LDB:test-generic.sh - fix smaller/greater comparison tests
The comparison result has been ignored, which is not good. Also remove
the "ldbsearch" command in the error branch which has not much sense.
The scripts needs to be run through test-tdb.sh, test-ldap.sh or
test-sqlite3.sh which I didn't realise before. Hence less changes are needed
and this is a reduced version of the patch published on the mailing list.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Tue Dec 19 03:09:12 CET 2017 on sn-devel-144
Christof Schmitt [Fri, 15 Dec 2017 22:32:12 +0000 (15:32 -0700)]
vfs: Use static_decl_vfs in all VFS modules
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 13:32:00 CET 2017 on sn-devel-144
Björn Jacke [Wed, 13 Dec 2017 00:32:48 +0000 (01:32 +0100)]
docs-xml/manpages: fix some trailing version strings from the doc.version change
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 21:03:45 +0000 (10:03 +1300)]
source4/lib/socket/socket_ip.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 08:49:57 CET 2017 on sn-devel-144
Gary Lockyer [Sun, 10 Dec 2017 20:58:59 +0000 (09:58 +1300)]
source3/winbindd/winbindd.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:57:04 +0000 (09:57 +1300)]
source3/utils/smbfilter.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:54:34 +0000 (09:54 +1300)]
source3/libsmb/unexpected.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:51:35 +0000 (09:51 +1300)]
source3/smbd/server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:46:07 +0000 (09:46 +1300)]
source3/lib/server_prefork.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>