samba.git
5 years ago auth_log: Rename the json variables
Gary Lockyer [Sun, 15 Apr 2018 21:29:04 +0000 (09:29 +1200)]
auth_log: Rename the json variables

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago auth_log: tidy up code formatting
Gary Lockyer [Mon, 9 Apr 2018 23:57:41 +0000 (11:57 +1200)]
auth_log: tidy up code formatting

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago auth_log: Use common code from audit_logging
Gary Lockyer [Mon, 9 Apr 2018 23:45:32 +0000 (11:45 +1200)]
auth_log: Use common code from audit_logging

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago idl messaging: Add DSDB and Password events and message types
Gary Lockyer [Thu, 12 Apr 2018 01:19:16 +0000 (13:19 +1200)]
idl messaging: Add DSDB and Password events and message types

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago smb conf: Add DSDB event notification parameter
Gary Lockyer [Wed, 11 Apr 2018 22:19:16 +0000 (10:19 +1200)]
smb conf: Add DSDB event notification parameter

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago logging: add ldb audit classes
Gary Lockyer [Tue, 3 Apr 2018 23:56:30 +0000 (11:56 +1200)]
logging: add ldb audit classes

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago auth logging: Extract common audit logging code
Gary Lockyer [Mon, 9 Apr 2018 18:45:47 +0000 (06:45 +1200)]
auth logging: Extract common audit logging code

Extract the common audit logging code into a library to allow its
re-use in other logging modules.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
Stefan Metzmacher [Mon, 7 May 2018 12:50:27 +0000 (14:50 +0200)]
auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server

This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.

This fixes a regression in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144

5 years ago s4:selftest: run test_ldb_simple.sh with more auth options
Stefan Metzmacher [Wed, 9 May 2018 11:33:05 +0000 (13:33 +0200)]
s4:selftest: run test_ldb_simple.sh with more auth options

This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE
handling in our LDAP server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
Stefan Metzmacher [Wed, 9 May 2018 11:30:13 +0000 (13:30 +0200)]
auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option

This will be used to simulate a Windows client only
using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
on an LDAP connection, which is indicated internally by
GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago selftest: Make setexpiry test much more reliable
Andrew Bartlett [Tue, 15 May 2018 00:26:03 +0000 (12:26 +1200)]
selftest: Make setexpiry test much more reliable

Rather than setting all the expiries and expecting that they will be done within 5 seconds,
measure and check the time individually for each record.

This should make this test much less prone to flapping.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 15 23:58:17 CEST 2018 on sn-devel-144

5 years ago samba-tool domain: Spit out common options between dcpromo and join
Andrew Bartlett [Sun, 13 May 2018 23:49:23 +0000 (11:49 +1200)]
samba-tool domain: Spit out common options between dcpromo and join

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Create a common --use-ntvfs option for provision, join, dcpromo...
Andrew Bartlett [Sun, 13 May 2018 23:30:17 +0000 (11:30 +1200)]
samba-tool domain: Create a common --use-ntvfs option for provision, join, dcpromo and classicupgrade

The NTVFS fileserver mode is still integral to the selftest system (often simply used to
make the rest of the command run and not fuss with POSIX ACLs and permissions).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Extend --backend-store to join and dcpromo by moving to common...
Andrew Bartlett [Sun, 13 May 2018 23:23:24 +0000 (11:23 +1200)]
samba-tool domain: Extend --backend-store to join and dcpromo by moving to common options

This allows the choice of ldb backend for a domain join as well as a new provision.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Extend --plaintext-secrets to dcpromo by moving to common options
Andrew Bartlett [Sun, 13 May 2018 23:22:23 +0000 (11:22 +1200)]
samba-tool domain: Extend --plaintext-secrets to dcpromo by moving to common options

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Add --machinepass to common options
Andrew Bartlett [Sun, 13 May 2018 23:06:13 +0000 (11:06 +1200)]
samba-tool domain: Add --machinepass to common options

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Add --quiet to common options
Andrew Bartlett [Sun, 13 May 2018 23:04:28 +0000 (11:04 +1200)]
samba-tool domain: Add --quiet to common options

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain: Create a common set of options for provision/join/dcpromo
Andrew Bartlett [Sun, 13 May 2018 23:02:46 +0000 (11:02 +1200)]
samba-tool domain: Create a common set of options for provision/join/dcpromo

These commands share much in common, the options should be in common as well.

Start with --targetdir.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago samba-tool domain provision: Move more OpenLDAP options behind TEST_LDAP
Andrew Bartlett [Sun, 13 May 2018 22:19:58 +0000 (10:19 +1200)]
samba-tool domain provision: Move more OpenLDAP options behind TEST_LDAP

These options controlled the historical LDAP backend, they should not be left
to confuse other users.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)
Volker Lendecke [Tue, 15 May 2018 11:40:36 +0000 (13:40 +0200)]
winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 21:12:33 CEST 2018 on sn-devel-144

5 years ago auth: keytab invalidation fix
Aaron Haslett [Mon, 30 Apr 2018 23:10:50 +0000 (11:10 +1200)]
auth: keytab invalidation fix

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional.  Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144

5 years ago auth: keytab invalidation test
Aaron Haslett [Mon, 30 Apr 2018 23:10:24 +0000 (11:10 +1200)]
auth: keytab invalidation test

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional.  Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 years ago smbd: fileserver: Change defaults to work with EA support out of the box.
Jeremy Allison [Mon, 14 May 2018 18:09:53 +0000 (11:09 -0700)]
smbd: fileserver: Change defaults to work with EA support out of the box.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 15 12:40:48 CEST 2018 on sn-devel-144

5 years ago lib: Hold at most 10 outstanding paged result cookies
Volker Lendecke [Mon, 7 May 2018 14:53:00 +0000 (16:53 +0200)]
lib: Hold at most 10 outstanding paged result cookies

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 15 09:37:21 CEST 2018 on sn-devel-144

5 years ago lib: Put "results_store" into a doubly linked list
Volker Lendecke [Mon, 7 May 2018 14:41:55 +0000 (16:41 +0200)]
lib: Put "results_store" into a doubly linked list

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
5 years ago selftest: Require libarchive for --enable-selftest
Andrew Bartlett [Thu, 10 May 2018 02:00:54 +0000 (14:00 +1200)]
selftest: Require libarchive for --enable-selftest

This avoids one more case where tests can go missing by removing the conditional.

(Yes, this has happened for other tests in the past).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 15 06:31:03 CEST 2018 on sn-devel-144

5 years ago build: Make --with-gpgme the default
Andrew Bartlett [Thu, 10 May 2018 01:05:56 +0000 (13:05 +1200)]
build: Make --with-gpgme the default

Those wishing to build without gpgme support need simply to build --without-gpgme

This In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago build: Make --with-libarchive the default
Andrew Bartlett [Thu, 10 May 2018 01:04:35 +0000 (13:04 +1200)]
build: Make --with-libarchive the default

This means that those not wanting to link to libarchive will just need to
build --without-libarchive.

In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago build: Make --with-json-audit the default
Andrew Bartlett [Thu, 10 May 2018 01:01:05 +0000 (13:01 +1200)]
build: Make --with-json-audit the default

Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

This means that those not wanting to link to libarchive will just need to
build --without-json-audit.

In general, we prefer that optional libraries be required by default
so that they are not accidentally missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
5 years ago s3/wscript: remove test, that we do in lib/replace
Björn Jacke [Mon, 12 Mar 2018 18:13:04 +0000 (19:13 +0100)]
s3/wscript: remove test, that we do in lib/replace

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Mon May 14 21:15:21 CEST 2018 on sn-devel-144

5 years ago docs-xml:samba-tool.8: fix wrong default computer container name
Björn Baumbach [Tue, 8 May 2018 08:21:10 +0000 (10:21 +0200)]
docs-xml:samba-tool.8: fix wrong default computer container name

CN=Users --> CN=Computers

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Björn Jacke <bjacke@samba.org>
5 years ago samba-tool computer: fix wrong computer container in help message
Björn Baumbach [Mon, 7 May 2018 13:00:17 +0000 (15:00 +0200)]
samba-tool computer: fix wrong computer container in help message

CN=Users --> CN=Computers

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Björn Jacke <bjacke@samba.org>
5 years ago traffic: improve add_short_packet by avoiding dict.get
Joe Guo [Thu, 10 May 2018 05:23:02 +0000 (17:23 +1200)]
traffic: improve add_short_packet by avoiding dict.get

dict.get is slower than [].
Avoid get to improve performance.

(For 3989418 calls, total time decrease from 9.395 to 8.573)

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon May 14 05:38:06 CEST 2018 on sn-devel-144

5 years ago traffic: optimize packet init for better performance
Joe Guo [Thu, 10 May 2018 02:53:55 +0000 (14:53 +1200)]
traffic: optimize packet init for better performance

When we run traffic_replay, we are creating millions of Packet objects.
So a small change in Packet.__init__ will make a big difference.

By initializing packet with converted values without parsing string, the time
cost for 3961148 calls of Packet.__init__ decrease from 17s to 4s, according
to cProfile.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: fix userAccountControl for machine account
Joe Guo [Wed, 2 May 2018 22:22:52 +0000 (22:22 +0000)]
traffic: fix userAccountControl for machine account

change userAccountControl from

UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD

to

UF_TRUSTED_FOR_DELEGATION | UF_SERVER_TRUST_ACCOUNT

This will fix NetrServerPasswordSet2 failure in packet_rpc_netlogon_30
while testing against Windows.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: change machine creds secure channel type
Joe Guo [Wed, 2 May 2018 22:12:51 +0000 (22:12 +0000)]
traffic: change machine creds secure channel type

SEC_CHAN_WKSTA --> SEC_CHAN_BDC

This will fix netlogon failure against Windows.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago smbd: Fix "reset on zero vc"
Volker Lendecke [Mon, 26 Mar 2018 09:36:25 +0000 (04:36 -0500)]
smbd: Fix "reset on zero vc"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13340
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun May 13 23:43:56 CEST 2018 on sn-devel-144

5 years ago s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base...
Stefan Metzmacher [Fri, 11 May 2018 04:43:14 +0000 (06:43 +0200)]
s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls

This completes the regression fix of commit 7e091e505156381e385235ab4518b4d133a98497.

There might be strings allocated on state, which are part of the
result.

The reason for the TALLOC_FREE(state) was to cleanup the possible
irpc_handle before leaving the function. Now we call
TALLOC_FREE(state->wb.irpc_handle) explicitly in
dcesrv_lsa_Lookup{Names,Sids}_base_done() instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13420

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 10:27:28 CEST 2018 on sn-devel-144

5 years ago auth/credentials/test: py2/py3 compat always decode result of b64encode
Noel Power [Fri, 4 May 2018 14:30:22 +0000 (15:30 +0100)]
auth/credentials/test: py2/py3 compat always decode result of b64encode

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144

5 years ago python/samba: py2/py3 compatability always decode result of b64encode
Noel Power [Fri, 4 May 2018 14:29:59 +0000 (15:29 +0100)]
python/samba: py2/py3 compatability always decode result of b64encode

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago s4/dsdb/tests: py2/py3 compatability always decode result of b64encode
Noel Power [Fri, 4 May 2018 14:27:12 +0000 (15:27 +0100)]
s4/dsdb/tests: py2/py3 compatability always decode result of b64encode

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago s4/scripting/devel: py2/py3 compatability always decode result of b64encode
Noel Power [Fri, 4 May 2018 14:26:39 +0000 (15:26 +0100)]
s4/scripting/devel: py2/py3 compatability always decode result of b64encode

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago s4/scripting/bin: py2/py3 compatability always decode result of b64encode
Noel Power [Fri, 4 May 2018 14:25:22 +0000 (15:25 +0100)]
s4/scripting/bin: py2/py3 compatability always decode result of b64encode

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago Bulk: enclose .keys() method with list where list (from python2) expected
Noel Power [Fri, 4 May 2018 12:33:03 +0000 (13:33 +0100)]
Bulk: enclose .keys() method with list where list (from python2) expected

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago samba_tool: replace xrange -> range
Noel Power [Fri, 4 May 2018 11:19:57 +0000 (12:19 +0100)]
samba_tool: replace xrange -> range

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago s4/dsdb/tests: py2/py3 compatability replace xrange with range
Noel Power [Fri, 4 May 2018 11:18:59 +0000 (12:18 +0100)]
s4/dsdb/tests: py2/py3 compatability replace xrange with range

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago python/samba/tests: py2/py3 compatability replace xrange with range
Noel Power [Fri, 4 May 2018 11:16:38 +0000 (12:16 +0100)]
python/samba/tests: py2/py3 compatability replace xrange with range

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago python/samba: Ensure md5 always provided with bytes
Noel Power [Fri, 4 May 2018 11:05:27 +0000 (12:05 +0100)]
python/samba: Ensure md5 always provided with bytes

To allow code to run in both python3 and python2 we have to ensure
that md5 always receives bytes

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago python/samba/provision: Fix urllib.quote usage for py2/py3
Noel Power [Fri, 4 May 2018 10:41:11 +0000 (11:41 +0100)]
python/samba/provision: Fix urllib.quote usage for py2/py3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago samba_tool: make exception handling statements py2/py3 compatible
Noel Power [Fri, 4 May 2018 10:31:33 +0000 (11:31 +0100)]
samba_tool: make exception handling statements py2/py3 compatible

Fix some missed conversions of
        except Exception, e:
to
        except Exception as e:

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago samba_tool: Py2/Py3 compatability fix tuple assigment
Noel Power [Fri, 4 May 2018 10:28:46 +0000 (11:28 +0100)]
samba_tool: Py2/Py3 compatability fix tuple assigment

replace
    (foo, bar) = e
with
    (foo, bar) = e.args

which will run with both python2 and python3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago python/samba: Bulk replace of '.next()' method with function 'next()'
Noel Power [Fri, 4 May 2018 10:22:43 +0000 (11:22 +0100)]
python/samba: Bulk replace of '.next()' method with function 'next()'

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago ctdb-tools: Add logging config options to config tool
Amitay Isaacs [Tue, 17 Apr 2018 12:15:41 +0000 (22:15 +1000)]
ctdb-tools: Add logging config options to config tool

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat May 12 15:01:32 CEST 2018 on sn-devel-144

5 years ago ctdb-common: Add config options for logging
Martin Schwenke [Fri, 15 Dec 2017 07:38:40 +0000 (18:38 +1100)]
ctdb-common: Add config options for logging

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-common: Add a function to validate logging specification
Amitay Isaacs [Wed, 18 Apr 2018 01:53:57 +0000 (11:53 +1000)]
ctdb-common: Add a function to validate logging specification

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Refactor log backend parsing code
Amitay Isaacs [Wed, 18 Apr 2018 01:52:05 +0000 (11:52 +1000)]
ctdb-common: Refactor log backend parsing code

This will allow adding a validator for logging specification.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Add config options tool
Amitay Isaacs [Fri, 27 Apr 2018 07:21:00 +0000 (17:21 +1000)]
ctdb-common: Add config options tool

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Add config file parsing code
Amitay Isaacs [Wed, 13 Dec 2017 08:41:16 +0000 (19:41 +1100)]
ctdb-common: Add config file parsing code

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago util: Add tini to samba-util-core
Amitay Isaacs [Mon, 26 Mar 2018 04:04:12 +0000 (15:04 +1100)]
util: Add tini to samba-util-core

So it can be used by CTDB.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-tests: Setup $CTDB_BASE/{run,var} directories
Amitay Isaacs [Tue, 8 May 2018 08:09:46 +0000 (18:09 +1000)]
ctdb-tests: Setup $CTDB_BASE/{run,var} directories

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Add path tool
Amitay Isaacs [Tue, 8 May 2018 03:23:15 +0000 (13:23 +1000)]
ctdb-common: Add path tool

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Add utility code to get various paths
Amitay Isaacs [Tue, 8 May 2018 03:02:33 +0000 (13:02 +1000)]
ctdb-common: Add utility code to get various paths

This will construct correct paths when running with CTDB_TEST_MODE.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-common: Add command line processing abstraction
Amitay Isaacs [Tue, 24 Apr 2018 13:17:18 +0000 (23:17 +1000)]
ctdb-common: Add command line processing abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago ctdb-packaging: Package all helpers using wildcard
Amitay Isaacs [Tue, 8 May 2018 06:03:54 +0000 (16:03 +1000)]
ctdb-packaging: Package all helpers using wildcard

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
5 years ago devel: removing unused code from chgkrbtgtpass
Aaron Haslett [Tue, 1 May 2018 03:54:07 +0000 (15:54 +1200)]
devel: removing unused code from chgkrbtgtpass

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 12:05:31 CEST 2018 on sn-devel-144

5 years ago samdb rid: clear cache to prevent old ntds_guid
Aaron Haslett [Tue, 1 May 2018 03:51:10 +0000 (15:51 +1200)]
samdb rid: clear cache to prevent old ntds_guid

During the new samba-tool domain backup restore the NTDS GUID changes
as the server is taken over by the new DC record.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago ldb: removing prior secret from logs
Aaron Haslett [Mon, 30 Apr 2018 23:10:40 +0000 (11:10 +1200)]
ldb: removing prior secret from logs

priorSecret, like secret, can contain a machine account password
(for secrets.ldb) and so should not be printed in a debug
trace.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13353

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago ctdb-scripts: Drop CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES options
Martin Schwenke [Tue, 24 Apr 2018 04:13:35 +0000 (14:13 +1000)]
ctdb-scripts: Drop CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES options

These should be done using features provided by the operating system.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sat May 12 09:13:28 CEST 2018 on sn-devel-144

5 years ago ctdb-config: Add default ctdb.sysconfig file, update ctdb.service
Martin Schwenke [Tue, 24 Apr 2018 06:35:16 +0000 (16:35 +1000)]
ctdb-config: Add default ctdb.sysconfig file, update ctdb.service

Install ctdb.sysconfig in RPM.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-docs: Document system options and resource controls
Martin Schwenke [Tue, 24 Apr 2018 04:11:23 +0000 (14:11 +1000)]
ctdb-docs: Document system options and resource controls

The existing configuration file is disappearing so these configuration
options need a new home that is not handled by ctdbd_wrapper.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-config: Add a default script.options file
Martin Schwenke [Tue, 24 Apr 2018 06:33:20 +0000 (16:33 +1000)]
ctdb-config: Add a default script.options file

Include it in the RPM.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-docs: Document script.options
Martin Schwenke [Wed, 4 Apr 2018 09:17:59 +0000 (19:17 +1000)]
ctdb-docs: Document script.options

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Use load_script_options() in miscellaneous scripts
Martin Schwenke [Wed, 4 Apr 2018 09:16:57 +0000 (19:16 +1000)]
ctdb-scripts: Use load_script_options() in miscellaneous scripts

Some of these just aim to load the generic script.options file while
others target more specific files.

For NFS configuration, always use 60.nfs.options - even for 06.nfs.
This could be carefully documented but will change a lot before
release so there is no need.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Allow load_script_options() to specify an event script
Martin Schwenke [Wed, 4 Apr 2018 09:06:13 +0000 (19:06 +1000)]
ctdb-scripts: Allow load_script_options() to specify an event script

This allows other scripts to use the given options for a particular
event script.  One interesting example is that the ctdb_natgw tool
should look for configuration in events.d/11.natgw.options.

In the future this will be something like
events/failover/11.natgw.options, so require the component to be
specified even though it isn't yet used.

Test support is also updated.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Add global script.options configuration file
Martin Schwenke [Wed, 4 Apr 2018 08:52:36 +0000 (18:52 +1000)]
ctdb-scripts: Add global script.options configuration file

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-tests: Separate support script for 06.nfs
Martin Schwenke [Fri, 6 Apr 2018 00:30:23 +0000 (10:30 +1000)]
ctdb-tests: Separate support script for 06.nfs

Including 60.nfs was too simple a hack, since we will want to do some
magic to use the configuration from 60.nfs for 06.nfs.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Don't check for CTDB_PARTIALLY_ONLINE_INTERFACES clash
Martin Schwenke [Thu, 5 Apr 2018 00:54:00 +0000 (10:54 +1000)]
ctdb-scripts: Don't check for CTDB_PARTIALLY_ONLINE_INTERFACES clash

Just document that NAT gateway and LVS are not compatible with this
option.  Update the documentation to make it clear that this is a
10.interface option.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Don't load CTDB configuration in onnode
Martin Schwenke [Thu, 5 Apr 2018 06:19:23 +0000 (16:19 +1000)]
ctdb-scripts: Don't load CTDB configuration in onnode

onnode does not use any configuration options.

Drop sourcing of functions file since the only function used was
loadconfig().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-scripts: Don't load CTDB configuration in statd-callout
Martin Schwenke [Wed, 4 Apr 2018 09:14:16 +0000 (19:14 +1000)]
ctdb-scripts: Don't load CTDB configuration in statd-callout

The only configuration options used by statd-callout are NFS_HOSTNAME,
which comes from the NFS system configuration file, and
CTDB_NFS_CALLOUT, which is exported by the 60.nfs event script.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago ctdb-tests: Continue running if a testcase is not executable
Martin Schwenke [Thu, 11 Jan 2018 05:17:19 +0000 (16:17 +1100)]
ctdb-tests: Continue running if a testcase is not executable

At the moment the whole test run aborts without printing a summary of
results but inexplicably succeeds.  Instead, generate a clear failure
for a non-executable testcase.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
5 years ago pysmb: Add some more documentation for conn.list
Garming Sam [Wed, 9 May 2018 03:39:09 +0000 (15:39 +1200)]
pysmb: Add some more documentation for conn.list

There are two options which are undocumented.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 04:57:29 CEST 2018 on sn-devel-144

5 years ago gpo: Ensure all files are retrieved in fetch
Garming Sam [Wed, 9 May 2018 03:24:38 +0000 (15:24 +1200)]
gpo: Ensure all files are retrieved in fetch

.ini files are normally set as hidden, and will not be found over SMB.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago Fix spelling s/woks/works
Garming Sam [Tue, 8 May 2018 05:09:53 +0000 (17:09 +1200)]
Fix spelling s/woks/works

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 years ago traffic: improve is_really_a_packet
Joe Guo [Thu, 10 May 2018 05:11:29 +0000 (17:11 +1200)]
traffic: improve is_really_a_packet

This function will repeat on each packet.
Avoid exception for getattr, which is expensive for performance.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: improve add_short_packet by avoiding str.split
Joe Guo [Thu, 10 May 2018 05:04:50 +0000 (17:04 +1200)]
traffic: improve add_short_packet by avoiding str.split

Avoid str.split, which will repeat for each packet.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: simplify forget_packets_outside_window
Joe Guo [Thu, 10 May 2018 05:01:19 +0000 (17:01 +1200)]
traffic: simplify forget_packets_outside_window

Make code compact, and improve performance a little bit.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: grant user write permission
Joe Guo [Thu, 10 May 2018 04:43:04 +0000 (16:43 +1200)]
traffic: grant user write permission

Some packets need user to have write permission, e.g.: writeaccountspn
Grant user write permission then we can send packets successfully.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_replay: fetch domain from creds other than opts
Joe Guo [Sun, 6 May 2018 22:18:42 +0000 (10:18 +1200)]
traffic_replay: fetch domain from creds other than opts

For traffic_replay script, when user provides `--workgroup` or `-W` option,
it will be set on the creds option group, not the default opts one.

The previous code will not work properly when smb.conf file is missing.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: set domain on user_creds and machine_creds
Joe Guo [Wed, 2 May 2018 05:04:03 +0000 (05:04 +0000)]
traffic: set domain on user_creds and machine_creds

The domain is missing in traffic user and machine credential, this will cause
some packet tests to fail against windows.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: provision request data for packet_drsuapi_13
Joe Guo [Tue, 1 May 2018 04:58:01 +0000 (16:58 +1200)]
traffic_packets: provision request data for packet_drsuapi_13

The `drsuapi.DsWriteAccountSpnRequest1` struct in this packet was empty before.
Samba lets it go but Windows will report an invalid parameter error.

Provision the request with proper data, and give user permission to
write account SPN.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: add trailing $ to fix packet_rpc_netlogon_30
Joe Guo [Tue, 1 May 2018 05:15:09 +0000 (17:15 +1200)]
traffic_packets: add trailing $ to fix packet_rpc_netlogon_30

For `NetrServerPasswordSet2`, the 2nd arg `account_name` must end with a
$, otherwise windows will return an `Access Denied` error.

Use `creds.get_username()` instead of `creds.get_workstation()` to
include the trailing $.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: add windows instructions for ldap 0 simple bind
Joe Guo [Fri, 27 Apr 2018 02:51:11 +0000 (14:51 +1200)]
traffic_packets: add windows instructions for ldap 0 simple bind

To run packet_ldap_0 simple bind test against Windows, we need to
install CA on Windows with following PowerShell commands:

  Install-windowsfeature ADCS-Cert-Authority
  Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
  Restart-Computer

Otherwise we will get `NT_STATUS_CONNECTION_RESET` error.

Didn't change any code, just add above instructions in comment.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: replace share_name from netlogon to IPC$ for packet_srvsvc_16
Joe Guo [Fri, 27 Apr 2018 00:07:16 +0000 (12:07 +1200)]
traffic_packets: replace share_name from netlogon to IPC$ for packet_srvsvc_16

Sharename list for Windows:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC

For Samba:

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service

While testing packet_srvsvc_16 with share_name `netlogon`,
it passed Samba, and got a WERR_NERR_NETNAMENOTFOUND error for Windows.

Change share name to `IPC$` so Samba and Windows have it in common.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: replace level 102 to 101 for packet_srvsvc_21
Joe Guo [Thu, 26 Apr 2018 23:27:59 +0000 (11:27 +1200)]
traffic_packets: replace level 102 to 101 for packet_srvsvc_21

Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:

    > If the level is 102 or 502, the Windows implementation checks whether
    > the caller is a member of one of the groups previously mentioned or
    > is a member of the Power Users local group.

It passed against Samba since this check is not implemented by Samba yet.

refer to:

    https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: add credentials to samr
Joe Guo [Thu, 26 Apr 2018 00:15:10 +0000 (12:15 +1200)]
traffic: add credentials to samr

lp and creds are missing in SamrContext and samr connection.
While running traffic_replay against windows, this will cause
`Access Denied` error.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_packets: support NT_STATUS_NO_SUCH_DOMAIN in packet_lsarpc_39
Joe Guo [Wed, 18 Apr 2018 03:45:10 +0000 (15:45 +1200)]
traffic_packets: support NT_STATUS_NO_SUCH_DOMAIN in packet_lsarpc_39

For packet_lsarpc_39, samba will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
however, windows will return NT_STATUS_NO_SUCH_DOMAIN.

Allow both status for now to keep compatible with both samba and
windows DC.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_replay: fix typo in message string
Joe Guo [Wed, 18 Apr 2018 03:40:18 +0000 (15:40 +1200)]
traffic_replay: fix typo in message string

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic_replay: set gensec features to encrypt credentials
Joe Guo [Wed, 18 Apr 2018 03:31:12 +0000 (15:31 +1200)]
traffic_replay: set gensec features to encrypt credentials

While running traffic_replay script against windows dc, it will fail
with a `LDAP_UNWILLING_TO_PERFORM` error for adding user.

Windows requires the credentials to be encrypted before sending.
`set_gensec_features` will fix it.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago traffic: add paged_results control for ldb search
Joe Guo [Wed, 18 Apr 2018 03:36:02 +0000 (15:36 +1200)]
traffic: add paged_results control for ldb search

While there are more than 1000 records in the search result from Windows,
a `LDAP_SIZE_LIMIT_EXCEEDED` error will be returned.

Add paged_results control to fix.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
5 years ago selftest: Add a test for creds.{get,set}_secure_channel_type()
Andrew Bartlett [Fri, 11 May 2018 01:18:43 +0000 (13:18 +1200)]
selftest: Add a test for creds.{get,set}_secure_channel_type()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>