samba.git
29 hours agotdb: Fix compatibility of wscript with older python master
Lukas Slebodnik [Fri, 18 Jan 2019 15:38:03 +0000 (16:38 +0100)]
tdb: Fix compatibility of wscript with older python

Traceback (most recent call last):
  File "tdb-1.3.17/third_party/waf/waflib/Scripting.py", line 158, in waf_entry_point
    run_commands()
  File "tdb-1.3.17/third_party/waf/waflib/Scripting.py", line 251, in run_commands
    ctx = run_command(cmd_name)
  File "tdb-1.3.17/third_party/waf/waflib/Scripting.py", line 235, in run_command
    ctx.execute()
  File "tdb-1.3.17/third_party/waf/waflib/Context.py", line 204, in execute
    self.recurse([os.path.dirname(g_module.root_path)])
  File "tdb-1.3.17/third_party/waf/waflib/Context.py", line 286, in recurse
    user_function(self)
  File "tdb-1.3.17/wscript", line 225, in testonly
    cmd = "BINDIR={} {}".format(blddir, sh_test)
ValueError: zero length field name in format

Signed-off-by: Lukas Slebodnik <lslebodn@fedoraproject.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jan 20 03:49:59 CET 2019 on sn-devel-144

33 hours agos4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so
Anoop C S [Thu, 27 Dec 2018 12:49:42 +0000 (18:19 +0530)]
s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so

Early check for DEVELOPER or ENABLE_SELFTEST configure options inside
messaging_handlers.c leaves us with the following undefined reference
linkage error:

[1315/3712] Linking bin/default/source4/lib/messaging/libMESSAGING-samba4.so
/usr/bin/ld: source4/lib/messaging/messaging.c.4.o: in function
`imessaging_init_internal':
/root/samba.git/bin/default/../../source4/lib/messaging/messaging.c:472:
undefined reference to `imessaging_register_extra_handlers'
collect2: error: ld returned 1 exit status

This happened due to failure in including "includes.h" before checking
the above mentioned configure options.

Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
35 hours agogroup_audit: error handling in group change
Gary Lockyer [Tue, 8 Jan 2019 01:24:06 +0000 (14:24 +1300)]
group_audit: error handling in group change

Generate an appropriate log message in the event of an error
log_group_membership_changes.  As the changes have not been applied to
the database, there is no easy way to determine the intended changes.
This information is available in the "dsdbChange" audit messages, to
avoid replicating this logic for what should be a very rare occurrence
we simply log it as a "Failure"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jan 19 22:32:05 CET 2019 on sn-devel-144

38 hours agogroup_audit: Tests for error handling in group change
Gary Lockyer [Tue, 8 Jan 2019 01:23:38 +0000 (14:23 +1300)]
group_audit: Tests for error handling in group change

Add tests to exercise the error handling in
log_group_membership_changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
38 hours agos4/py_dsdb: catch/handle alloc failures in py_dsdb_normalise_attributes()
Douglas Bagnall [Wed, 2 May 2018 21:47:18 +0000 (09:47 +1200)]
s4/py_dsdb: catch/handle alloc failures in py_dsdb_normalise_attributes()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
38 hours agopython/kcc lib: cope with differently formed repsToFrom
Douglas Bagnall [Thu, 20 Dec 2018 03:01:24 +0000 (16:01 +1300)]
python/kcc lib: cope with differently formed repsToFrom

samba-tool visualise reuses these libraries to parse reps from other DCs, and Windows sometimes sends
more data than we are expecting

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
38 hours agopython/uptodateness: cope with unknown invocation ID
Douglas Bagnall [Thu, 20 Dec 2018 02:57:35 +0000 (15:57 +1300)]
python/uptodateness: cope with unknown invocation ID

This can happen if a server has been replaced

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
38 hours agopython: dns_hub: do not crash if a socket fails
Douglas Bagnall [Fri, 18 Jan 2019 20:14:28 +0000 (09:14 +1300)]
python: dns_hub: do not crash if a socket fails

We print the error and keep going.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
42 hours agos4:kdc: Fix size type for num_bind in kdc-heimdal
Andreas Schneider [Fri, 18 Jan 2019 18:09:12 +0000 (19:09 +0100)]
s4:kdc: Fix size type for num_bind in kdc-heimdal

This fixes a compile error on sn-devel184.

Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144

45 hours agos4:dsdb: Fix size type for num_of_attrs in acl_read
Andreas Schneider [Fri, 18 Jan 2019 16:50:56 +0000 (17:50 +0100)]
s4:dsdb: Fix size type for num_of_attrs in acl_read

This fixes a compile error on sn-devel184.

Signed-off-by: Andreas Schneider <asn@samba.org>
45 hours agos4:dsdb: Fix size types in audit_log
Andreas Schneider [Fri, 18 Jan 2019 15:16:05 +0000 (16:16 +0100)]
s4:dsdb: Fix size types in audit_log

audit_log.c:878:7: error: assuming signed overflow does not occur when
simplifying conditional to constant [-Werror=strict-overflow]

Signed-off-by: Andreas Schneider <asn@samba.org>
45 hours agolib:mscat: Use size_t for len value to fix build issue
Andreas Schneider [Fri, 18 Jan 2019 14:28:54 +0000 (15:28 +0100)]
lib:mscat: Use size_t for len value to fix build issue

asn1_read_value_type() only uses it as an unsigned it, a negative value
isn't assinged.

Signed-off-by: Andreas Schneider <asn@samba.org>
45 hours agolib:mscat: Fix may be used uninitialized warnings
Andreas Schneider [Fri, 18 Jan 2019 12:11:38 +0000 (13:11 +0100)]
lib:mscat: Fix may be used uninitialized warnings

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
45 hours agos3:lib: Fix the debug message for adding cache entries.
Andreas Schneider [Thu, 17 Jan 2019 12:58:14 +0000 (13:58 +0100)]
s3:lib: Fix the debug message for adding cache entries.

To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2 days agopython: dsal: Fix possibility of identical ACE's being added.
Martin Krämer [Wed, 9 Jan 2019 13:17:02 +0000 (13:17 +0000)]
python: dsal: Fix possibility of identical ACE's being added.

Currently it is possible to add the same ace multiple times if
the case sensitivity does not match the existing one using "--sddl" parameter.
As an example while an ace

"OA;CIIO;RPWP;3e978925-8c01-11d0-afda-00c04fd930c9;bf967a86-0de6-11d0-a285-00aa003049e2;PS"

already exists a sddl

"OA;CIIO;RPWP;3E978925-8C01-11D0-AFDA-00C04FD930C9;BF967A86-0DE6-11D0-A285-00AA003049E2;PS"

can be added without detection (and can be added multiple times). As an end result
after a high number of addings (in my tests it was about 1600-1800 aces for one
object) no further changes on that object are possible.

Signed-off-by: Martin Krämer <mk.maddin@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 18 23:19:13 CET 2019 on sn-devel-144

2 days agos3:libsmb: Store file allocation size in struct file_info.
Jeremy Allison [Fri, 18 Jan 2019 00:59:08 +0000 (16:59 -0800)]
s3:libsmb: Store file allocation size in struct file_info.

We get this already, from SMB2_FIND_ID_BOTH_DIRECTORY_INFO
so return it.

For SMB1 leave this as zero so callers know it hasn't
been initialized.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 days agos3:libsmb: parse_finfo_id_both_directory_info capture FileID in SMB2_FIND_ID_BOTH_DIR...
Puran Chand [Fri, 18 Jan 2019 00:13:23 +0000 (16:13 -0800)]
s3:libsmb: parse_finfo_id_both_directory_info capture FileID in SMB2_FIND_ID_BOTH_DIRECTORY_INFO response

This captures the FileID in struct file_info while parsing SMB2_FIND_ID_BOTH_DIRECTORY_INFO
response

Refered MS doc for spec:- https://msdn.microsoft.com/en-us/library/cc246290.aspx

Signed-off-by: Puran Chand <pchand@vmware.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 days agolib: Use gpfs.h from third_party on Linux
Christof Schmitt [Tue, 19 Dec 2017 22:13:50 +0000 (15:13 -0700)]
lib: Use gpfs.h from third_party on Linux

Update the logic for finding the gpfs.h header file: Look for the header
file in the default location under /usr/lpp/mmfs/include. If it is not
available there, default to the file in third_party/gpfs/ on Linux (AIX
could be added if there is demand).

The configure option --with-gpfs=GPFS_HEADERS_DIR can always be used to
overwrite the default behavior with a specific location.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 18 17:21:02 CET 2019 on sn-devel-144

2 days agothird_party: Add gpfs.h header file
Christof Schmitt [Tue, 19 Dec 2017 22:11:43 +0000 (15:11 -0700)]
third_party: Add gpfs.h header file

This is the only requirement for building the vfs_gpfs module; the
corresponding library is opened through dlopen at runtime. The intent
here is to always build the vfs_gpfs module to easily detect breakage
e.g. due to vfs interface changes.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2 days agowscript: Make non_posix_acls a subsystem
Christof Schmitt [Fri, 11 Jan 2019 22:02:03 +0000 (15:02 -0700)]
wscript: Make non_posix_acls a subsystem

This fixes build error when building vfs_gpfs as static module:

ERROR: circular library dependency between smbd_base and non_posix_acls

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 days agodns_hub: Rename variable to avoid naming collision in exception handler
Tim Beale [Thu, 17 Jan 2019 04:36:50 +0000 (17:36 +1300)]
dns_hub: Rename variable to avoid naming collision in exception handler

In dns_hup.py, we are both importing the socket module and declaring a
variable called socket. When we try to catch a socket.error exception
(defined by the module), Python thinks we're referring to the variable.
As the variable has no attribute called 'error', Python throws an
exception, e.g.:

  File "./bin/python/samba/tests/dns_forwarder_helpers/dns_hub.py", line
123, in handle
    except socket.error as err:
AttributeError: 'socket' object has no attribute 'error'

We can avoid this problem by calling the variable 'sock' instead.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 17 15:23:23 CET 2019 on sn-devel-144

3 days agos4:librpc: Use C99 initializer for PyGetSetDef in py_auth
Andreas Schneider [Thu, 13 Dec 2018 10:40:09 +0000 (11:40 +0100)]
s4:librpc: Use C99 initializer for PyGetSetDef in py_auth

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
3 days agogenerate_param.py: Use C99 initializer for last element in param table
Andreas Schneider [Wed, 12 Dec 2018 20:30:44 +0000 (21:30 +0100)]
generate_param.py: Use C99 initializer for last element in param table

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
4 days agotests: Switchover auth_log from s4 SMB client bindings to s4
Tim Beale [Wed, 16 Jan 2019 00:34:29 +0000 (13:34 +1300)]
tests: Switchover auth_log from s4 SMB client bindings to s4

The main changes required are:
- we need to use an s3 loadparm instead of the standard s4 lp.
- the s3 SMB bindings don't support the use_spnego/ntlmv2_auth params,
  however, we can set these in the loadparm instead, which will get the
  SMB client code to do what we want. Instead of passing in boolean
  parameters, we need to use yes/no strings that the lp will accept.
  (We always set these values because the underlying lp context is
  actually global, and setting a value is 'sticky' and will persist
  across test cases. These conf settings are only used by the SMB client
  code, and so will only affect the SMB test cases).
- For the no_spnego_no_ntlmv2 test cases, we now explicitly force it to
  an SMBv1 connection. The s4 bindings only ever supported SMBv1
  connections, so this is the same behaviour. The other test cases will
  now try to negotiate SMBv2 connections, however, the no_ntlmv2 test
  cases are explicitly checking for bare-NTLM (with the s3 bindings, it
  now ends up as NTLMSSP by default).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 17 04:47:56 CET 2019 on sn-devel-144

4 days agotests: Refactor auth_log SMB connection to be in a single place
Tim Beale [Wed, 16 Jan 2019 00:20:12 +0000 (13:20 +1300)]
tests: Refactor auth_log SMB connection to be in a single place

This should not alter the behaviour of the tests at all. It just makes
it easier to switch over the underlying SMB client bindings.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agotests: Use MUST_USE_KERBEROS over AUTO_USE_KERBEROS in auth_log tests
Tim Beale [Tue, 15 Jan 2019 23:12:16 +0000 (12:12 +1300)]
tests: Use MUST_USE_KERBEROS over AUTO_USE_KERBEROS in auth_log tests

The s3 SMB client bindings seem slightly different to s4, in that they
default to setting the CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS flag.
This seems to fallback to finding a valid KRB TGT (from a previous
successful test), which results in the connection succeeding rather than
failing.

Setting MUST_USE_KERBEROS explicitly avoids this behaviour.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agotests: Relax auth_log SMB assertions to cover v1 *or* v2
Tim Beale [Tue, 15 Jan 2019 22:18:27 +0000 (11:18 +1300)]
tests: Relax auth_log SMB assertions to cover v1 *or* v2

The s4 Python bindings currently only support SMBv1 connections.
If we change the bindings to support *either* v1 or v2, they'll
end up negotiating v2. In which case the server is "SMB2", not "SMB",
and these assertions fail.

Long-term we want to get rid of SMBv1, so it makes sense to write the
tests so that they pass against either v1 or v2.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agotests: Run ntacls_backup tests against testenv with SMBv1 disabled
Tim Beale [Tue, 15 Jan 2019 21:02:07 +0000 (10:02 +1300)]
tests: Run ntacls_backup tests against testenv with SMBv1 disabled

Just to prove that the NTACL backup works over SMBv2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=1367

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agoselftest: Give the backup testenvs a 'test1' share
Tim Beale [Thu, 13 Dec 2018 03:29:33 +0000 (16:29 +1300)]
selftest: Give the backup testenvs a 'test1' share

The ntacls_backup tests use the test1 share, and we want to run them
against the restoredc (which has SMBv1 disabled).

The xattr.tdb file is needed for the backend_obj.wrap_getxattr() call
(in ntacls.py) to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agotests: Run GPO commands against testenv with SMBv1 disabled
Tim Beale [Tue, 15 Jan 2019 04:12:20 +0000 (17:12 +1300)]
tests: Run GPO commands against testenv with SMBv1 disabled

Just to prove that they work across SMBv2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agontacls: Pass correct use_ntvfs through to setntacl()
Tim Beale [Tue, 15 Jan 2019 01:09:15 +0000 (14:09 +1300)]
ntacls: Pass correct use_ntvfs through to setntacl()

We were already checking the smb.conf to see if it uses the NTVFS file
server or the default smbd server. However, we weren't passing this
through to the setntacl() call.

This fixes the problem we noticed with 'samba-tool gpo aclcheck' failing
after a restore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agotests: Run samba_tool.gpo tests against backup testenvs
Tim Beale [Fri, 11 Jan 2019 02:09:48 +0000 (15:09 +1300)]
tests: Run samba_tool.gpo tests against backup testenvs

Run the GPO tests against the backup/restore testenvs.

Because the backup/restore preserves the NTACLs of the sysvol files,
running the GPO tests against the backup testenvs is a good sanity-
check. If fact it highlights that there is currently a problem with
restoring the GPO files - this shows up in 'samba-tool gpo aclcheck',
but we never noticed it until now.

NTACL backup works slightly different for offline backups, and rename
backups end up with more sysvol files, so run the tests against both
these envs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agos4:pysmb: Add error log that the s4 bindings are deprecated
Tim Beale [Fri, 11 Jan 2019 02:57:21 +0000 (15:57 +1300)]
s4:pysmb: Add error log that the s4 bindings are deprecated

We plan to delete the s4 SMB Python bindings in the next Samba release
after v4.10, but first give external consumers a heads-up, just in case
they are currently using the s4 bindings.

Note the auth_log tests still use the s4 bindings, but all user-facing
tools should now be updated to use the s3 bindings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agonetcmd: Change GPO commands to use s3 SMB Py bindings
Tim Beale [Fri, 11 Jan 2019 01:53:16 +0000 (14:53 +1300)]
netcmd: Change GPO commands to use s3 SMB Py bindings

This means we can now use GPO commands on a DC that has SMBv1 disabled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agos3:pylibsmb: Add FILE_READ_ATTRIBUTES access to .loadfile() API
Tim Beale [Fri, 11 Jan 2019 01:25:32 +0000 (14:25 +1300)]
s3:pylibsmb: Add FILE_READ_ATTRIBUTES access to .loadfile() API

Add FILE_READ_ATTRIBUTES when opening the file handle, as we need to
read the file's size.

The .loadfile() API can end up calling cli_qfileinfo_basic() to get the
file size. This can end up doing a 'FILE_ALL_INFORMATION' SMBv2 request
underneath, which the MS-SMB2 spec (section 3.3.5.20.1 Handling
SMB2_0_INFO_FILE) says the file handle must have FILE_READ_ATTRIBUTES
access granted.

I noticed this problem when running .loadfile() against the NTVFS
server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agonetcmd: Change SMB flags from s4 Py bindings to s3
Tim Beale [Tue, 8 Jan 2019 02:10:46 +0000 (15:10 +1300)]
netcmd: Change SMB flags from s4 Py bindings to s3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agos3:pylibsmb: Add .set_acl API to SMB py bindings
Tim Beale [Tue, 8 Jan 2019 01:42:05 +0000 (14:42 +1300)]
s3:pylibsmb: Add .set_acl API to SMB py bindings

This is pretty similar code to py_smb_getacl(), except it's calling
cli_set_security_descriptor() instead of cli_query_security_descriptor()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agopython/gpclass: Convert gpclass to use s3 SMB Python bindings
Tim Beale [Thu, 13 Dec 2018 21:37:11 +0000 (10:37 +1300)]
python/gpclass: Convert gpclass to use s3 SMB Python bindings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days agovfs_fileid: fix fsname_norootdir algorithm
Ralph Wuerthner [Tue, 15 Jan 2019 08:55:50 +0000 (09:55 +0100)]
vfs_fileid: fix fsname_norootdir algorithm

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13744

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 17 01:36:54 CET 2019 on sn-devel-144

4 days agojoin: Throw CommandError instead of Exception for simple errors
Tim Beale [Wed, 16 Jan 2019 02:37:00 +0000 (15:37 +1300)]
join: Throw CommandError instead of Exception for simple errors

Throwing an exception here still dumps out the Python stack trace, which
can be a little disconcerting for users.

In this case, the stack trace isn't going to really help at all (the
problem is pretty obvious), and it obscures the useful message
explaining what went wrong.

Throw a CommandError instead, which samba-tool will catch and display
more nicely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <rpenny@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 16 22:11:04 CET 2019 on sn-devel-144

4 days agojoin: Fix TypeError when handling exception
Tim Beale [Wed, 16 Jan 2019 02:17:38 +0000 (15:17 +1300)]
join: Fix TypeError when handling exception

When we can't resolve a domain name, we were inadvertently throwing a
TypeError whilst trying to output a helpful message. E.g.

ERROR(<class 'TypeError'>): uncaught exception - 'NTSTATUSError' object
does not support indexing

Instead of indexing the object, we want to index the Exception.args so
that we just display the string portion of the exception error.

The same problem is also present for the domain trust commands.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <rpenny@samba.org>
4 days agolibcli: remove declaration of nt_errstr_const
Philipp Gesang [Wed, 16 Jan 2019 09:01:28 +0000 (10:01 +0100)]
libcli: remove declaration of nt_errstr_const

nt_errstr_const was renamed nt_errstr in 2011, rendering the
declaration useless.

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
5 days agos3:libsmb: Honor disable_netbios option in smbsock_connect_send
Justin Stephenson [Mon, 14 Jan 2019 15:36:47 +0000 (10:36 -0500)]
s3:libsmb: Honor disable_netbios option in smbsock_connect_send

If disable_netbios is set, return before the tevent timer is triggered
to prevent outgoing netbios connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727

Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 16 08:54:23 CET 2019 on sn-devel-144

5 days agoctdb: Print locks latency in machinereadable stats
Volker Lendecke [Mon, 14 Jan 2019 14:04:59 +0000 (15:04 +0100)]
ctdb: Print locks latency in machinereadable stats

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13742
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 16 05:34:17 CET 2019 on sn-devel-144

5 days agoprofiling: stop smbprofile from growing unnecessarily
Dylan Stephano-Shachter [Mon, 14 Jan 2019 18:42:03 +0000 (13:42 -0500)]
profiling: stop smbprofile from growing unnecessarily

Signed-off-by: Dylan Stephano-Shachter <dshachter@nasuni.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 16 02:01:55 CET 2019 on sn-devel-144

5 days agopython: dns_hub: Fix indentation of 'raise' on error.
Jeremy Allison [Tue, 15 Jan 2019 16:45:26 +0000 (08:45 -0800)]
python: dns_hub: Fix indentation of 'raise' on error.

Remove second socket.sendto().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agos3-smbd: use fruit:model string for mDNS registration
Günther Deschner [Tue, 15 Jan 2019 13:26:17 +0000 (14:26 +0100)]
s3-smbd: use fruit:model string for mDNS registration

With this change we now allow to modify the icon to represent Samba in
Finder. Possible values are at least:

fruit:model = iMac
fruit:model = MacBook
fruit:model = MacPro
fruit:model = Xserve
fruit:model = RackMac

Prior to this change we only displayed the correct icon when a mac
client negotiated the apple create context over SMB.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13746

Based on proposed patch from Rouven WEILER <Rouven_Weiler@gmx.net>

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 15 21:27:20 CET 2019 on sn-devel-144

5 days agoWHATSNEW: Start release notes for Samba 4.11.0pre1.
Karolin Seeger [Tue, 15 Jan 2019 10:40:06 +0000 (11:40 +0100)]
WHATSNEW: Start release notes for Samba 4.11.0pre1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 days agoVERSION: Bump version up to 4.11.0pre1
Karolin Seeger [Tue, 15 Jan 2019 10:37:30 +0000 (11:37 +0100)]
VERSION: Bump version up to 4.11.0pre1

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 days agoVERSION: Bump version up to 4.10.0rc1... v4-10-stable samba-4.10.0rc1
Karolin Seeger [Tue, 15 Jan 2019 10:01:07 +0000 (11:01 +0100)]
VERSION: Bump version up to 4.10.0rc1...

and disable GIT_SNAPSHOT for the release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(replaces commit 9537e5d2a14a35bcba659d679d2d156de6c678cc)

5 days agoWHATSNEW: Add release note for Samba 4.10.0rc1.
Karolin Seeger [Tue, 15 Jan 2019 09:59:52 +0000 (10:59 +0100)]
WHATSNEW: Add release note for Samba 4.10.0rc1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(replaces commit 3f4bd61b8408f8d97817023f07de20746ce54f90)

5 days agoldb: version 1.5.2 ldb-1.5.2
Stefan Metzmacher [Mon, 14 Jan 2019 22:41:49 +0000 (23:41 +0100)]
ldb: version 1.5.2

* Build fixes
* dirsync: Allow arbitrary length cookies
  (bug #13686)
* The build uses python3 by default:
* --extra-python would take python2 now
* To build with python2 only use:
  PYTHON=python2 ./configure
  PYTHON=python2 make
  PYTHON=python2 make install

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
5 days agotevent: version 0.9.38 tevent-0.9.38
Stefan Metzmacher [Mon, 14 Jan 2019 22:40:36 +0000 (23:40 +0100)]
tevent: version 0.9.38

* Deprecate tevent wrapper api again
* Build fixes
* The build uses python3 by default:
* --extra-python would take python2 now
* To build with python2 only use:
  PYTHON=python2 ./configure
  PYTHON=python2 make
  PYTHON=python2 make install

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
5 days agotalloc: version 2.1.15 talloc-2.1.15
Stefan Metzmacher [Mon, 14 Jan 2019 22:40:05 +0000 (23:40 +0100)]
talloc: version 2.1.15

* Deprecate talloc_set_memlimit() and talloc_autofree_context()
* Fix undefined behavior in talloc_memdup
* The build uses python3 by default:
* --extra-python would take python2 now
* To build with python2 only use:
  PYTHON=python2 ./configure
  PYTHON=python2 make
  PYTHON=python2 make install

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
5 days agoMerge remote-tracking branch 'origin/v4-10-test' into HEAD
Stefan Metzmacher [Tue, 15 Jan 2019 10:23:20 +0000 (11:23 +0100)]
Merge remote-tracking branch 'origin/v4-10-test' into HEAD

This is a noop just to get the history of origin/v4-10-test
inline with master before the real 4.10.0rc1.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 days agoRevert "WHATSNEW: Add release note for Samba 4.10.0rc1."
Karolin Seeger [Tue, 15 Jan 2019 10:19:46 +0000 (11:19 +0100)]
Revert "WHATSNEW: Add release note for Samba 4.10.0rc1."

This reverts commit 3f4bd61b8408f8d97817023f07de20746ce54f90.

5 days agoRevert "VERSION: Bump version up to 4.10.0rc1..."
Karolin Seeger [Tue, 15 Jan 2019 10:19:43 +0000 (11:19 +0100)]
Revert "VERSION: Bump version up to 4.10.0rc1..."

This reverts commit 9537e5d2a14a35bcba659d679d2d156de6c678cc.

5 days agoRevert "VERSION: Bump version up to 4.10.0rc2..."
Karolin Seeger [Tue, 15 Jan 2019 10:19:40 +0000 (11:19 +0100)]
Revert "VERSION: Bump version up to 4.10.0rc2..."

This reverts commit 75106e05b42e5d4629aacfa941213745d9d6e819.

5 days agoaddns: Async ads_dns_lookup_ns
Volker Lendecke [Wed, 3 Jan 2018 15:22:24 +0000 (16:22 +0100)]
addns: Async ads_dns_lookup_ns

Use dns_lookup_send/recv to get NS records

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 15 11:16:00 CET 2019 on sn-devel-144

5 days agoVERSION: Bump version up to 4.10.0rc2...
Karolin Seeger [Tue, 15 Jan 2019 10:02:10 +0000 (11:02 +0100)]
VERSION: Bump version up to 4.10.0rc2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
5 days agoVERSION: Bump version up to 4.10.0rc1...
Karolin Seeger [Tue, 15 Jan 2019 10:01:07 +0000 (11:01 +0100)]
VERSION: Bump version up to 4.10.0rc1...

and disable GIT_SNAPSHOT for the release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
5 days agoWHATSNEW: Add release note for Samba 4.10.0rc1.
Karolin Seeger [Tue, 15 Jan 2019 09:59:52 +0000 (10:59 +0100)]
WHATSNEW: Add release note for Samba 4.10.0rc1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
6 days agoaddns: Async ads_dns_lookup_srv
Volker Lendecke [Wed, 3 Jan 2018 12:26:54 +0000 (13:26 +0100)]
addns: Async ads_dns_lookup_srv

Use dns_lookup_send/recv to get SRV records. This avoids synchronous libresolv
calls and provides the infrastructure to get dsgetdcname async.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agosamba_dnsupdate: With dns_hub, we don't need resolv_wrap
Volker Lendecke [Thu, 3 Jan 2019 15:44:45 +0000 (16:44 +0100)]
samba_dnsupdate: With dns_hub, we don't need resolv_wrap

Best viewed with git show -b

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agoselftest: Use dns_hub's resolv.conf
Volker Lendecke [Wed, 2 Jan 2019 20:24:34 +0000 (21:24 +0100)]
selftest: Use dns_hub's resolv.conf

Pass it as RESOLV_CONF envvar everywhere

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agoselftest: Add dns_hub deps
Volker Lendecke [Wed, 2 Jan 2019 13:18:44 +0000 (14:18 +0100)]
selftest: Add dns_hub deps

All the DCs want the dns forwarder

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agoselftest: setup_dns_hub
Stefan Metzmacher [Tue, 6 Feb 2018 08:46:41 +0000 (09:46 +0100)]
selftest: setup_dns_hub

Start the central dns forwarder on interface 64

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agoselftest: add central dns forwarder
Volker Lendecke [Fri, 12 Jan 2018 14:53:03 +0000 (15:53 +0100)]
selftest: add central dns forwarder

This is a small DNS server that has hard redirects to the different domain
controllers based on domain names. This is required because future commits will
avoid calling into libresolv's code which resolv_wrapper takes care of.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agolibcli/dns: Add dns_res_rec_get_sockaddr
Volker Lendecke [Thu, 10 Jan 2019 15:54:41 +0000 (16:54 +0100)]
libcli/dns: Add dns_res_rec_get_sockaddr

Pull the address from a res_rec if it's there

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agolibcli/dns: clidns must depend on ndr_standard, not on NDR_DNS
Volker Lendecke [Thu, 4 Jan 2018 15:05:35 +0000 (16:05 +0100)]
libcli/dns: clidns must depend on ndr_standard, not on NDR_DNS

Otherwise we can't link this into other libraries

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agolibcli/dns: Make "clidns" a library
Volker Lendecke [Thu, 4 Jan 2018 16:06:53 +0000 (17:06 +0100)]
libcli/dns: Make "clidns" a library

This will be linked into the SAMBA_LIBRARY "addns" in the next step. Because
the other user, "dnsserver_common", is also a library, we can't link this as a
subsystem anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agodns_lookup: Let make test override the resolv.conf location
Volker Lendecke [Thu, 4 Jan 2018 19:58:05 +0000 (20:58 +0100)]
dns_lookup: Let make test override the resolv.conf location

Make this a separate commit: That is the feature that libc unfortunately does
not give us.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agolibcli/dns: Add dns_lookup
Volker Lendecke [Tue, 2 Jan 2018 12:56:56 +0000 (13:56 +0100)]
libcli/dns: Add dns_lookup

Wrapper function to parse resolv.conf and talk to multiple nameservers. This is
the code where we might want to add a "working nameserver" cache. glibc always
looks at the first configured nameserver. If that's dead, glibc runs into a
timeout and only then asks the second one that might succeed. When more than
one dns query is to be performed, these timeouts add up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agolibcli/dns: Add resolv.conf parsing
Volker Lendecke [Mon, 1 Jan 2018 18:35:46 +0000 (19:35 +0100)]
libcli/dns: Add resolv.conf parsing

Right now this only looks at the nameserver setting. It is initally made for
asynchronous AD DC lookup routines, where we don't need the "search", "domain"
and other settings. When we convert general "net", "smbclient" and others to
use this, we might either add "domain" handling to this code or look at
something like c-ares which already does it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agodns_update: samba_dnsupdate's exit code is not an errno
Volker Lendecke [Wed, 19 Dec 2018 13:16:38 +0000 (14:16 +0100)]
dns_update: samba_dnsupdate's exit code is not an errno

This avoids confusing messages, samba_dnsupdate returns the number of
failed updates

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agoaddns: Centralize siteless lookup fallback
Volker Lendecke [Fri, 11 Jan 2019 13:18:53 +0000 (14:18 +0100)]
addns: Centralize siteless lookup fallback

We had the same logic 3 times, coalesce into one

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs_fileid: fix get_connectpath_ino
Ralph Wuerthner [Thu, 10 Jan 2019 13:28:14 +0000 (14:28 +0100)]
vfs_fileid: fix get_connectpath_ino

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13741

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 15 04:13:15 CET 2019 on sn-devel-144

6 days agos3:smbd: perform impersonation in smb2_query_directory_fetch_write_time_done()
Ralph Boehme [Mon, 14 Jan 2019 12:51:23 +0000 (13:51 +0100)]
s3:smbd: perform impersonation in smb2_query_directory_fetch_write_time_done()

This is not strictly required, as we ne never trigger additional VFS
requests via this codepath. But for safety reasons ensure we're running
in the correct impersonation state.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 14 22:30:24 CET 2019 on sn-devel-144

6 days agos3:smbd: perform impersonation in smb2_query_directory_dos_mode_done()
Ralph Boehme [Mon, 14 Jan 2019 12:51:23 +0000 (13:51 +0100)]
s3:smbd: perform impersonation in smb2_query_directory_dos_mode_done()

This is needed as the callback might be called in an arbitrary
impersonation state.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agos3:smbd: perform impersonation in dos_mode_at_vfs_get_dosmode_done()
Ralph Boehme [Mon, 14 Jan 2019 12:51:23 +0000 (13:51 +0100)]
s3:smbd: perform impersonation in dos_mode_at_vfs_get_dosmode_done()

This is needed as the callback might be called in an arbitrary
impersonation state.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs_default: use change_to_user_by_fsp() instead of change_to_user()
Ralph Boehme [Mon, 14 Jan 2019 12:54:29 +0000 (13:54 +0100)]
vfs_default: use change_to_user_by_fsp() instead of change_to_user()

Cosmetic change.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs: perform impersonation in smb_vfs_call_getxattrat_done()
Ralph Boehme [Mon, 14 Jan 2019 12:51:23 +0000 (13:51 +0100)]
vfs: perform impersonation in smb_vfs_call_getxattrat_done()

This is needed as the callback might be called in an arbitrary
impersonation state.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs: use struct initializer in smb_vfs_call_getxattrat_send()
Ralph Boehme [Mon, 14 Jan 2019 12:52:51 +0000 (13:52 +0100)]
vfs: use struct initializer in smb_vfs_call_getxattrat_send()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs: perform impersonation in smb_vfs_call_get_dos_attributes_done()
Ralph Boehme [Mon, 14 Jan 2019 12:51:23 +0000 (13:51 +0100)]
vfs: perform impersonation in smb_vfs_call_get_dos_attributes_done()

This is needed as the callback might be called in an arbitrary
impersonation state.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 days agovfs: use struct initializer in smb_vfs_call_get_dos_attributes_send
Ralph Boehme [Mon, 14 Jan 2019 12:50:31 +0000 (13:50 +0100)]
vfs: use struct initializer in smb_vfs_call_get_dos_attributes_send

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 days agonetcmd: Change domain backup commands to use s3 SMB Py bindings
Tim Beale [Thu, 13 Dec 2018 04:31:23 +0000 (17:31 +1300)]
netcmd: Change domain backup commands to use s3 SMB Py bindings

This means we can now backup a DC that has SMBv1 disabled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Tim Beale <timbeale@samba.org>
Autobuild-Date(master): Mon Jan 14 06:49:09 CET 2019 on sn-devel-144

7 days agotests: Change ntaclsbackup tests over to use s3 Py bindings
Tim Beale [Thu, 13 Dec 2018 03:05:36 +0000 (16:05 +1300)]
tests: Change ntaclsbackup tests over to use s3 Py bindings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
7 days agos3:pylibsmb: Add .get_acl() API to SMB py bindings
Tim Beale [Wed, 12 Dec 2018 03:14:43 +0000 (16:14 +1300)]
s3:pylibsmb: Add .get_acl() API to SMB py bindings

There is no obvious async-equivalent of cli_query_security_descriptor(),
so it will throw an error if anyone tries to use it in multi-threaded
mode. Currently only samba-tool and tests use the (s4) .get_acl() API,
both of which will be fine using the synchronous API.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agolib/ldb: Use new PYARG_ES format for parseTuple
Noel Power [Mon, 12 Nov 2018 16:06:10 +0000 (16:06 +0000)]
lib/ldb: Use new PYARG_ES format for parseTuple

While 'es' format works great for unicode (in python2) and
str (in python3) The behaviour with str (in python2) is unexpected.
In python2 the str type is (re-encoded) with the specified encoding.
In python2 the 'et' type would be a better match, that ensures 'str'
type is treated like it was with 's' (no reencoding) and unicode is
encoded with the specified encoding. However in python3 'et' allows
byte (or bytearray) params to be accepted (with no reencoding), we
don't want this. This patch adds a new PYARG_STR_UNI format code which
is a hybrid, in python2 it evaluates to 'et' and in python3 'es' and
so gives the desired behaviour for each python version.

Additionally remove the associated known fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sun Jan 13 03:53:00 CET 2019 on sn-devel-144

8 days agoselftest: Enable ldb.python for PY3
Noel Power [Mon, 12 Nov 2018 17:56:46 +0000 (17:56 +0000)]
selftest: Enable ldb.python for PY3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agolib/ldb/tests/python: Add test to pass utf8 encoded bytes to ldb.Dn
Noel Power [Mon, 12 Nov 2018 17:42:51 +0000 (17:42 +0000)]
lib/ldb/tests/python: Add test to pass utf8 encoded bytes to ldb.Dn

This test should demonstrate an error with the 'es' format in python
where a 'str' byte-string is passed (containing utf8 encoded bytes)
with some characters that cannot be decoded as ascii. The same
code if run in python3 should generate an error (needs string not
bytes)

Also Add knownfail for ldb.Dn passed utf8 encoded byte string
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agos4/libnet: use 'et' as format for ParseTuple with python2
Noel Power [Tue, 11 Dec 2018 15:58:44 +0000 (15:58 +0000)]
s4/libnet: use 'et' as format for ParseTuple with python2

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agopython: use 'et' as format for ParseTuple with python2
Noel Power [Tue, 11 Dec 2018 15:58:07 +0000 (15:58 +0000)]
python: use 'et' as format for ParseTuple with python2

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agoauth/credentials: use 'et' as format for ParseTuple with python2
Noel Power [Tue, 11 Dec 2018 15:32:11 +0000 (15:32 +0000)]
auth/credentials: use 'et' as format for ParseTuple with python2

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agopython: Add new compat PYARG_STR_UNI format
Noel Power [Tue, 11 Dec 2018 15:18:10 +0000 (15:18 +0000)]
python: Add new compat PYARG_STR_UNI format

In python2 PYARG_STR_UNI evaluates to et which allows str type
(e.g bytes) pass through unencoded and accepts unicode objects
encoded as utf8
In python3 PYARG_STR_UNI evaluates to es which allows str type
encoded as named/specified encoding

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
8 days agopython: Fix memory leak with ParseTuple (using 'es' format)
Noel Power [Fri, 9 Nov 2018 16:47:00 +0000 (16:47 +0000)]
python: Fix memory leak with ParseTuple (using 'es' format)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
9 days agoselftest:Samba4: run fl2003dc without security context multiplexing
Stefan Metzmacher [Fri, 14 Dec 2018 12:36:39 +0000 (13:36 +0100)]
selftest:Samba4: run fl2003dc without security context multiplexing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 12 06:25:37 CET 2019 on sn-devel-144

9 days agoselftest:Samba4: run the raw_protocol test with a limit of 8 auth contexts
Stefan Metzmacher [Fri, 14 Dec 2018 12:51:27 +0000 (13:51 +0100)]
selftest:Samba4: run the raw_protocol test with a limit of 8 auth contexts

This is much faster than exploring the limit of 2049 during autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 days agos4:rpc_server: implement security context multiplexing
Stefan Metzmacher [Thu, 8 Nov 2018 13:59:58 +0000 (14:59 +0100)]
s4:rpc_server: implement security context multiplexing

There're some systems like Cisco ISE use security multiplexing
without checking (via bind time feature negotiation)
the server supports it.

Others like VMWare View, fallback to NT4 style netlogon
connections without using netlogon secure channel,
which then triggers an error, with "server schannel = yes",
see https://bugzilla.samba.org/show_bug.cgi?id=13464.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 days agopy:dcerpc/raw_protocol: add tests to demonstrate how security context multiplexing...
Stefan Metzmacher [Wed, 21 Nov 2018 10:01:55 +0000 (11:01 +0100)]
py:dcerpc/raw_protocol: add tests to demonstrate how security context multiplexing works

Important things are this:
- It's not required to use the bind time feature negotiation in order
  to use it, it's only a hint for the client, but nothing is really
  negotiated, unlike the request multiplexing with the
  DCERPC_PFC_FLAG_CONC_MPX.
- There's special handling related to AUTH_LEVEL_CONNECT
  and requests without auth trailer
- An security context is identified by the unique
  tuple of auth_type, auth_level and auth_context_id (all together!),
  not just the auth_context_id.
- There's a limit of 2049 explicit authentication contexts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>