samba.git
Martin Schwenke [Tue, 20 Dec 2016 11:40:36 +0000 (22:40 +1100)]
WHATSNEW: CTDB updates

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Dec 21 08:36:32 CET 2016 on sn-devel-144

Garming Sam [Wed, 14 Dec 2016 03:05:05 +0000 (16:05 +1300)]
getncchanges: use the uptodateness_vector to filter links to replicate

This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144

Bob Campbell [Sun, 18 Dec 2016 23:27:31 +0000 (12:27 +1300)]
torture/drs: test link replication with hwm and utdv

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bob Campbell [Thu, 15 Dec 2016 01:23:58 +0000 (14:23 +1300)]
torture/drs: move ExopBaseTest into DrsBaseTest and extend

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 19 Sep 2016 12:40:42 +0000 (14:40 +0200)]
s3-rpc_client: Pass NULL as no password

GENSEC expects NULL as no password.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144

Andreas Schneider [Sat, 1 Oct 2016 09:27:54 +0000 (11:27 +0200)]
auth/credentials: Add NULL check to free_dccache()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Sat, 1 Oct 2016 09:25:44 +0000 (11:25 +0200)]
auth/credentials: Add NULL check in free_mccache()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 6 Oct 2016 07:22:29 +0000 (09:22 +0200)]
auth/credentials: Move function to free ccaches to the top

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 6 Oct 2016 06:16:57 +0000 (08:16 +0200)]
auth/credentials: Add talloc NULL check in cli_credentials_set_principal()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 10:23:10 +0000 (11:23 +0100)]
WHATSNEW: Add some information about ID mapping

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144

Andreas Schneider [Wed, 14 Dec 2016 07:25:45 +0000 (08:25 +0100)]
WHATSNEW: Add Printing changes

Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 07:15:38 +0000 (08:15 +0100)]
WHATSNEW: Use capital K for Kerberos

Signed-off-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden _krb5_derive_key()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 12:53:53 +0000 (13:53 +0100)]
HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()

This allows the optimized checksum->verify() function to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 12:42:31 +0000 (13:42 +0100)]
HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 16:08:46 +0000 (17:08 +0100)]
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()

aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can lead to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:44:22 +0000 (11:44 +0100)]
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default

This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:42:59 +0000 (11:42 +0100)]
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:41:10 +0000 (11:41 +0100)]
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss

This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Volker Lendecke [Sat, 5 Nov 2016 20:22:46 +0000 (21:22 +0100)]
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409

Stefan Metzmacher [Fri, 28 Oct 2016 10:14:37 +0000 (12:14 +0200)]
s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally

This way we can have a very simple get_cmdline_auth_info_creds() function,
which can be used to pass cli_credentials down the stack instead of
constantly translating from user_auth_info to cli_credentials, while
losing information.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 20 04:57:05 CET 2016 on sn-devel-144

Stefan Metzmacher [Fri, 9 Dec 2016 15:04:38 +0000 (16:04 +0100)]
s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading

All users of POPT_COMMON_CREDENTIALS basically need the same logic,
while some ignore a broken smb.conf and some complain about it.

This will allow the future usage of config options in the
credential post processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 14:30:28 +0000 (15:30 +0100)]
tests/credentials.py: demonstrate the last 'username' line of creds.parse_file() beats other lines

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 11:41:58 +0000 (12:41 +0100)]
auth/credentials: change the parsing order of cli_credentials_parse_file()

We now first just remember the domain, realm, username, password values
(the last value wins).

At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.

It means the last 'username' line beats the domain, realm or password lines, e.g.:

 username=USERDOMAIN\username
 domain=DOMAIN

will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 13:01:35 +0000 (14:01 +0100)]
tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sun, 11 Dec 2016 21:50:53 +0000 (22:50 +0100)]
auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()

Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:

  username=DOMAIN/username
  password=password
  domain=DOMAIN

This change allows us to parse the same.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
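
The parsing order described in the two cli_credentials_parse_file() commit messages above, modelled in Python as an added example (a simplified model, not Samba's code). It also flags files whose 'username' line silently overrides a differing 'domain' line. The function names, the comment and whitespace handling, and the case-insensitive comparison are assumptions of this model.

```python
# Simplified model of the two-phase credentials-file parsing order.
# Added illustration; names and line-syntax handling are assumptions.

KNOWN_KEYS = ("username", "password", "domain", "realm")

# Constructed samples taken from the two commit messages.
SAMPLE_OVERRIDE = "username=USERDOMAIN\\username\ndomain=DOMAIN\n"
SAMPLE_CONSISTENT = "username=DOMAIN/username\npassword=password\ndomain=DOMAIN\n"


def split_domain_user(value):
    """Split a 'DOMAIN<sep>user' string on a backslash or a slash.

    Returns (domain, user); domain is None when no separator is present.
    """
    for sep in ("\\", "/"):
        if sep in value:
            domain, user = value.split(sep, 1)
            return domain, user
    return None, value


def parse_credentials_file(text):
    """Return (effective_creds, remembered_lines) for a credentials file.

    Phase 1: remember the last value seen for each known key.
    Phase 2: apply realm, domain and password, then parse 'username',
             whose domain prefix (if any) beats the 'domain' line.
    """
    remembered = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # assumption: comment syntax
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                          # not a key=value line
        key = key.strip().lower()
        if key in KNOWN_KEYS:
            remembered[key] = value.strip()   # the last value wins

    creds = dict.fromkeys(KNOWN_KEYS)
    for key in ("realm", "domain", "password"):
        if key in remembered:
            creds[key] = remembered[key]
    if "username" in remembered:
        domain, user = split_domain_user(remembered["username"])
        creds["username"] = user
        if domain is not None:
            creds["domain"] = domain          # overrides the 'domain' line
    return creds, remembered


def domain_override(text):
    """Return (file_domain, effective_domain) if they differ, else None.

    A mismatch means authentication is attempted against a different
    domain than the file's 'domain' line suggests.
    """
    creds, remembered = parse_credentials_file(text)
    file_domain = remembered.get("domain")
    effective = creds["domain"]
    if file_domain is None or effective is None:
        return None
    if file_domain.casefold() == effective.casefold():
        return None
    return file_domain, effective


if __name__ == "__main__":
    for name, sample in (("override", SAMPLE_OVERRIDE),
                         ("consistent", SAMPLE_CONSISTENT)):
        creds, _ = parse_credentials_file(sample)
        print(name, creds, domain_override(sample))
```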
Stefan Metzmacher [Thu, 15 Dec 2016 13:12:31 +0000 (14:12 +0100)]
tests/credentials.py: add tests to verify realm/principal behaviour of cli_credentials_parse_string()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 15:47:57 +0000 (16:47 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset principal and realm

If we reset username we need to reset principal if it was set at the same level.

If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 11:20:19 +0000 (12:20 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset username and domain

If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 13:49:18 +0000 (14:49 +0100)]
tests/credentials.py: add tests with a realm from smb.conf

As we don't want to create a new smb.conf file
we just simulate it with "creds.set_realm(realm, credentials.UNINITIALISED)".

That's basically the same as the cli_credentials_set_conf() behaviour
if a realm is specified in the configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 10:04:02 +0000 (11:04 +0100)]
auth/credentials: handle situations without a configured (default) realm

We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.

At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".

If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is using
username@OTHERDOMAIN as principal, while we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 10:37:33 +0000 (11:37 +0100)]
auth/credentials: add python bindings for enum credentials_obtained

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 09:30:29 +0000 (10:30 +0100)]
tests/credentials.py: add very simple test for py_creds_parse_file

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 09:06:25 +0000 (10:06 +0100)]
auth/credentials: add py_creds_parse_file()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 08:42:20 +0000 (09:42 +0100)]
tests/credentials.py: verify the difference of parse_string("someone") and parse_string("someone%")

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 08:34:45 +0000 (09:34 +0100)]
tests/credentials.py: add test for cli_credentials_set_password_will_be_nt_hash()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 09:02:10 +0000 (10:02 +0100)]
auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 07:52:12 +0000 (08:52 +0100)]
auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 07:50:51 +0000 (08:50 +0100)]
auth/credentials: make use of talloc_zero() in cli_credentials_init()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 13 Dec 2016 22:58:48 +0000 (11:58 +1300)]
s4-rpc_server: Add braces to better follow coding style

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 21 Nov 2016 00:31:39 +0000 (13:31 +1300)]
s4-netlogon: Push the netlogon server in the AD DC into multiple processes

This allows the NETLOGON server to scale better, as it is often a bottleneck.

What we are doing here is keeping the forced single process only for
other servers that declare they use DCE/RPC handles.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 21:15:39 +0000 (10:15 +1300)]
selftest: Use 'rpc server port:netlogon' and 'rpc server port' smb.conf option

We need this because once we make NETLOGON run in multiple processes,
it will need its own port, and socket_wrapper can not currently allocate
an ephemeral port.  It also tests the option, which others have asked be
made available to firewall drsuapi.

Likewise the 'rpc server port' option is used to confirm it
functions for the default port.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 21:11:05 +0000 (10:11 +1300)]
s4-rpc_server: Do not check association groups for NETLOGON

If this RPC server is not going to use handles (actually a generic
flag) then do not check the association group provided.  This in turn
allows us to easily make NETLOGON run in multiple processes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 17 Oct 2016 21:36:51 +0000 (10:36 +1300)]
s4-rpc_server: Allow listener for RPC servers to use multiple processes

To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.

The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 22:24:03 +0000 (11:24 +1300)]
s4-rpc_server: Allow each interface to declare if it uses handles

This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 13 Dec 2016 20:38:28 +0000 (09:38 +1300)]
s4-rpc_server: Add comments explaining the control flow around dcesrv_bind()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 14:11:29 +0000 (15:11 +0100)]
s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()

This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 19 13:41:15 CET 2016 on sn-devel-144

Stefan Metzmacher [Thu, 3 Nov 2016 14:11:29 +0000 (15:11 +0100)]
s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()

This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 16 Dec 2016 00:26:29 +0000 (01:26 +0100)]
s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 8 Dec 2016 11:11:45 +0000 (12:11 +0100)]
s3:libsmb: split out a cli_session_creds_prepare_krb5() function

This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.

In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:49:17 +0000 (09:49 +0100)]
s3:torture/masktest: masktest only works with SMB1 currently

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:49:17 +0000 (09:49 +0100)]
s3:torture/masktest: Use cli_tree_connect_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:06:21 +0000 (09:06 +0100)]
s3:torture: Use cli_tree_connect_creds() where we may use share level auth

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:48:06 +0000 (09:48 +0100)]
s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Martin Schwenke [Sat, 10 Dec 2016 22:09:44 +0000 (09:09 +1100)]
ctdb-tests: Remove the python LCP2 simulation

It isn't used anywhere and doesn't contain some of the optimisations
that have since gone into the C code.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Dec 19 07:58:45 CET 2016 on sn-devel-144

Martin Schwenke [Fri, 9 Dec 2016 08:19:49 +0000 (19:19 +1100)]
ctdb-takeover: Drop unused ctdb_takeover_run() and related code

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 9 Dec 2016 05:21:39 +0000 (16:21 +1100)]
ctdb-recoverd: Integrate takeover helper

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 9 Dec 2016 04:04:03 +0000 (15:04 +1100)]
ctdb-recoverd: Generalise helper state, handler and launching

These can also be used for takeover handler.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Dec 2016 22:42:46 +0000 (09:42 +1100)]
ctdb-tests: Add tests for takeover helper

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 13 Dec 2016 20:18:57 +0000 (07:18 +1100)]
ctdb-tests: New function unit_test_notrace()

Avoids valgrind and such, so a function can be passed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 10 Nov 2016 05:47:38 +0000 (16:47 +1100)]
ctdb-takeover: Add takeover helper

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 15 Dec 2016 03:09:16 +0000 (14:09 +1100)]
ctdb-takeover: IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs

Introduce a single new tunable IPAllocAlgorithm to set the IP
allocation algorithm.  This defaults to 2 for LCP2 IP address
allocation.

Tunables LCP2PublicIPs and DeterministicIPs are obsolete.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 09:03:38 +0000 (20:03 +1100)]
ctdb-takeover: NoIPHostOnAllDisabled is global across cluster

Instead of gathering the value from all nodes, just use the value on
the recovery master and have it affect all nodes.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 08:39:11 +0000 (19:39 +1100)]
ctdb-takeover: NoIPTakeover is global across cluster

Instead of gathering the value from all nodes, just use the value on
the recovery master and have it affect all nodes.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 03:50:21 +0000 (14:50 +1100)]
ctdb-docs: Document that tunables should be set the same on all nodes

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Dec 2016 00:52:30 +0000 (11:52 +1100)]
ctdb-tests: Add faking of control failures/timeouts to fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 08:11:13 +0000 (19:11 +1100)]
ctdb-tests: Add IPREALLOCATED control to fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 01:58:08 +0000 (12:58 +1100)]
ctdb-tests: Add TAKEOVER_IP control to fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 01:53:53 +0000 (12:53 +1100)]
ctdb-tests: Add RELEASE_IP control to fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:04:39 +0000 (01:04 +1100)]
ctdb-tests: Add tool tests for "ctdb ip"

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:01:48 +0000 (01:01 +1100)]
ctdb-tests: Implement GET_PUBLIC_IPS control in fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 00:08:39 +0000 (11:08 +1100)]
ctdb-tests: Add tool tests for "ctdb ipinfo"

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:02:24 +0000 (01:02 +1100)]
ctdb-tests: Implement GET_PUBLIC_IP_INFO control in fake_ctdbd

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 13:59:29 +0000 (00:59 +1100)]
ctdb-tests: Factor out get_ctdb_iface_list()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 06:11:25 +0000 (17:11 +1100)]
ctdb-tests: Add public IP state to fake_ctdbd

Read it via a PUBLICIPS section.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 05:20:01 +0000 (16:20 +1100)]
ctdb-tests: Factor out reading of known public IP addresses

One change in behaviour is to actually copy the known IPs per node
instead of just assigning the pointer.  When this is used by
fake_ctdbd the resulting structure will be used to keep state for
individual nodes, so data for nodes needs to be independent.

Also, drop some asserts in the factored code and do (slightly) better
error handling.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 8 Dec 2016 00:41:31 +0000 (11:41 +1100)]
ctdb-tests: Allow FAKE_CTDBD_DEBUGLEVEL to be specified

This is useful for debugging when doing developer testing.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 12 Dec 2016 05:43:43 +0000 (16:43 +1100)]
ctdb-tests: Make fake_ctdbd use logging_init()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 10 Nov 2016 05:11:12 +0000 (16:11 +1100)]
ctdb-client: Add available-only option public IP fetching

Update tool accordingly.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 10 Nov 2016 05:09:24 +0000 (16:09 +1100)]
ctdb-protocol: Move CTDB_PUBLIC_IP_FLAGS_ONLY_AVAILABLE to protocol.h

The protocol code needs it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago ctdb-daemon: Remove ctdb_event_helper
Amitay Isaacs [Sat, 17 Sep 2016 14:24:47 +0000 (00:24 +1000)]
ctdb-daemon: Remove ctdb_event_helper

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sun Dec 18 18:10:50 CET 2016 on sn-devel-144

2 years ago ctdb-daemon: Switch to using event daemon
Amitay Isaacs [Fri, 16 Sep 2016 10:06:07 +0000 (20:06 +1000)]
ctdb-daemon: Switch to using event daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-daemon: Add functions to talk to event daemon
Amitay Isaacs [Sat, 27 Aug 2016 07:26:28 +0000 (17:26 +1000)]
ctdb-daemon: Add functions to talk to event daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-daemon: Refactor check for valid events during recovery
Amitay Isaacs [Fri, 16 Sep 2016 08:44:37 +0000 (18:44 +1000)]
ctdb-daemon: Refactor check for valid events during recovery

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-protocol: Deprecate eventscript controls
Amitay Isaacs [Mon, 12 Sep 2016 01:33:02 +0000 (11:33 +1000)]
ctdb-protocol: Deprecate eventscript controls

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-protocol: Drop marshaling for eventscript controls
Amitay Isaacs [Wed, 23 Nov 2016 01:28:24 +0000 (12:28 +1100)]
ctdb-protocol: Drop marshaling for eventscript controls

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-client: Drop client code for eventscript controls
Amitay Isaacs [Mon, 12 Sep 2016 01:32:20 +0000 (11:32 +1000)]
ctdb-client: Drop client code for eventscript controls

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-daemon: Drop implementation of eventscript controls
Amitay Isaacs [Mon, 12 Sep 2016 01:25:11 +0000 (11:25 +1000)]
ctdb-daemon: Drop implementation of eventscript controls

Following controls are now implemented by event daemon
 - RUN_EVENTSCRIPTS
 - GET_EVENT_SCRIPT_STATUS
 - ENABLE_SCRIPT
 - DISABLE_SCRIPT

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-tool: Drop disablescript, enablescript and eventscript commands
Amitay Isaacs [Mon, 12 Sep 2016 01:31:35 +0000 (11:31 +1000)]
ctdb-tool: Drop disablescript, enablescript and eventscript commands

These commands are now replaced with ctdb event ...

ctdb scriptstatus is maintained for backward compatibility.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-tool: Add new command "event" to ctdb tool
Amitay Isaacs [Mon, 21 Nov 2016 03:52:41 +0000 (14:52 +1100)]
ctdb-tool: Add new command "event" to ctdb tool

This command covers all the commands to event daemon.

  ctdb event run <event>
  ctdb event status [<event>] [lastrun|lastfail|lastpass]
  ctdb event script list
  ctdb event script enable <script>
  ctdb event script disable <script>

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-tests: Add tests for event daemon
Amitay Isaacs [Tue, 6 Sep 2016 08:53:02 +0000 (18:53 +1000)]
ctdb-tests: Add tests for event daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-tool: Add helper for talking to event daemon
Amitay Isaacs [Mon, 21 Nov 2016 06:39:02 +0000 (17:39 +1100)]
ctdb-tool: Add helper for talking to event daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-client: Add client api for eventd communication
Amitay Isaacs [Wed, 31 Aug 2016 15:07:47 +0000 (01:07 +1000)]
ctdb-client: Add client api for eventd communication

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-eventd: Add event script handling daemon
Amitay Isaacs [Sat, 27 Aug 2016 07:26:52 +0000 (17:26 +1000)]
ctdb-eventd: Add event script handling daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-protocol: Add marshalling for eventd protocol
Amitay Isaacs [Wed, 31 Aug 2016 07:02:55 +0000 (17:02 +1000)]
ctdb-protocol: Add marshalling for eventd protocol

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-protocol: Add data types for eventd communication
Amitay Isaacs [Wed, 31 Aug 2016 05:49:27 +0000 (15:49 +1000)]
ctdb-protocol: Add data types for eventd communication

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-common: Add sock_daemon abstraction
Amitay Isaacs [Sat, 3 Sep 2016 13:27:23 +0000 (23:27 +1000)]
ctdb-common: Add sock_daemon abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-common: Add generic socket I/O
Amitay Isaacs [Fri, 16 Sep 2016 06:13:18 +0000 (16:13 +1000)]
ctdb-common: Add generic socket I/O

This is a generic socket read/write to be used in the ctdb daemon.
It is based on ctdb_io.c and comm.c.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years ago ctdb-common: Add run_proc abstraction
Amitay Isaacs [Tue, 30 Aug 2016 07:33:42 +0000 (17:33 +1000)]
ctdb-common: Add run_proc abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>