Lumir Balhar [Mon, 23 Jan 2017 20:03:17 +0000 (21:03 +0100)]
python: pidl: Port Python interface generator
Port PIDL generator of Python interfaces to generate interfaces in
Python 3 compatible form.
Python 2.7 is now required, so we can use PyCapsule in both versions.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Lumir Balhar [Sat, 10 Dec 2016 14:11:14 +0000 (15:11 +0100)]
python: samba.tests: Enable Python 3 tests for ported modules
Enable tests with Python 3 for Python 3 compatible modules.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 9 Feb 2017 02:07:39 +0000 (15:07 +1300)]
buildtools: Work around a . being in the target name when building python3 helpers
The pyparam_util module becomes pyparam_util.cpython_35m_x86_64_linux_gnu but
the command line parser for -D stops at the first .
That we even set -DSTATIC_subsystem_MODULES_PROTO for these subsystems without
any modules ever declared is left for another time
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Sat, 10 Dec 2016 14:01:17 +0000 (15:01 +0100)]
python: wscript_build: Build some modules for Python 3
Update a few wscript_build files to build Python 3-compatible modules
for Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Tue, 13 Dec 2016 10:26:53 +0000 (11:26 +0100)]
python: Make top-level samba modules Python 3 compatible
New file compat.py will help with porting to Python 3. For now, it
contains only PY3 variable based on six.PY3 which simplifies
condition mentioned below.
The added `if not PY3` conditions enable us to bootstrap running
tests with Python 3 even if most modules are not ported yet.
The plan is to move modules outside this condition as they are ported.
The `PY3` condition is currently used only in tests and for
the samba._ldb module which is not ported yet and has a lot of
dependencies.
The other changes are related to differences between Python 2 and 3.
Python 2.6 introduced the `0o` prefix for octal literals as an
alternative to plain `0`. In Python 3, support for plain `0` is
dropped and octal literals have to start with `0o` prefix.
Python 2.6 introduced a clearer `except` syntax:
`except ExceptionType as target:` instead of
`except ExceptionType, target:`. In Python 3, the old syntax
is no longer allowed.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Thu, 8 Sep 2016 07:05:22 +0000 (09:05 +0200)]
python: samba.tests.dcerpc: Move Class RawDCERPCTest to separated file.
The class is quite big, used in only one place, and it complicates
situation around bootstrapping of Python 3 port.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Tue, 13 Dec 2016 10:20:42 +0000 (11:20 +0100)]
python: samba.tests.glue: Add new tests for samba._glue.
Add new file with tests of samba._glue module.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Mon, 5 Dec 2016 11:14:28 +0000 (12:14 +0100)]
python: samba._glue: Port samba._glue module to Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Sat, 10 Dec 2016 13:11:04 +0000 (14:11 +0100)]
python: samba.tests.param: Add missing tests
Add some new tests of samba.param Python bindings.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Sat, 10 Dec 2016 12:55:43 +0000 (13:55 +0100)]
python: samba.param: Port param module to Python 3
Port Python bindings of samba.param module to
Python3-compatible form.
Because native Python file objects are officially
no longer backed by FILE*, API of some _dump()
functions is changed. File argument is now
optional and contains only name of file. Stdout
is default if no file name is specified. Otherwise
opening and closing files is done on C layer
instead of Python.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Wed, 18 Jan 2017 10:28:08 +0000 (11:28 +0100)]
python: samba.tests.credentials: Python 3 compatible tests
Port test of pycredentials to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Lumir Balhar [Mon, 17 Oct 2016 14:07:31 +0000 (16:07 +0200)]
python: samba.credentials: Port pycredentials.c to Python3-compatible form.
Port Python bindings of samba.credentials module to
Python3-compatible form using macros from py3compat.h.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 6 Mar 2017 09:23:35 +0000 (22:23 +1300)]
lib/ldb: Enable use of a python3 pyldb-util system library
To do this, we have to install a .pc file for the python3 pyldb-util
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Incorportaing fixes by Petr Viktorin <pviktori@redhat.com>
Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Andrew Bartlett [Mon, 6 Mar 2017 06:25:13 +0000 (19:25 +1300)]
talloc: use the system pytalloc-util for python3 as well
This involves installing a .pc file for the python3 library as well
To get the .pc file generated and installed is quite a mission, we
have to rework the talloc build system to ensure that the second 'env'
created for EXTRA_PYTHON has everything set up on it, the
TALLOC_VERSION in particular.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Incorportaing fixes by Petr Viktorin <pviktori@redhat.com>
Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Douglas Bagnall [Wed, 1 Mar 2017 04:33:09 +0000 (17:33 +1300)]
scripts/traffic_summary: documentation typo
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 02:13:32 +0000 (15:13 +1300)]
./examples/scripts/SambaConfig.py: fix typo in "continue"
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 02:11:08 +0000 (15:11 +1300)]
python/examples/winreg: two variable name typos on a single line
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:55:32 +0000 (14:55 +1300)]
python sites/subnets: correctly spell variable name
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:54:58 +0000 (14:54 +1300)]
python provision: FDSBackend takes forced uri
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:53:46 +0000 (14:53 +1300)]
python/remove_dc: avoid using non-existent variable
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:51:27 +0000 (14:51 +1300)]
samba-tool domain: correctly spell variable name
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:50:14 +0000 (14:50 +1300)]
python/join: correct spelling of "ctx.del_noerror"
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 01:47:50 +0000 (14:47 +1300)]
selftest: remove unused broken client.py
Nothing uses this, and pyflakes points out it is unusable:
./selftest/client.py:60: undefined name 'prefix_abs'
./selftest/client.py:69: undefined name 'opts'
./selftest/client.py:70: undefined name 'interfaces'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 8 Mar 2017 04:04:55 +0000 (17:04 +1300)]
gitignore: add some hidden files
.gdb_history is generated by gdb,
.emacs* are generated by emacs, and
.clang* by clang.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Mar 2017 22:14:48 +0000 (11:14 +1300)]
perftests/ad_dc_search: do less work in expensive member searches
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 10 Jan 2017 23:18:15 +0000 (12:18 +1300)]
pyldb: p3k readiness: allow single unicode string in msg element
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Uri Simchoni [Thu, 9 Mar 2017 12:40:54 +0000 (14:40 +0200)]
talloc: fix doxygen of talloc_move
talloc_move cannot fail.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 10 07:30:40 CET 2017 on sn-devel-144
Volker Lendecke [Sun, 12 Feb 2017 18:20:07 +0000 (19:20 +0100)]
auth_ntdomain3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sat, 25 Feb 2017 09:55:28 +0000 (09:55 +0000)]
auth_winbind4: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 09:25:44 +0000 (10:25 +0100)]
auth_winbind3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 18:24:45 +0000 (19:24 +0100)]
s3/smbd: add my copyright to open.c
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 1 Mar 2017 17:13:35 +0000 (18:13 +0100)]
s4/torture: some tests for kernel oplocks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 8 Mar 2017 06:18:36 +0000 (07:18 +0100)]
s3/selftest: adopt config.h check from source4
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 15:27:39 +0000 (16:27 +0100)]
s3/smbd: fix deferred open with streams and kernel oplocks
I noticed smbd can get stuck in an open() call with kernel oplocks
enabled and named streams (provided by vfs_streams_xattr):
- client opens a file and with an exclusive oplock
- client starts writing to the file
- client opens an existing stream of the file
- the smbd process gets stuck in an open()
What happens is:
we had setup a locking.tdb record watch in defer_open(), the watch was
triggered, we reattempted the open and got stuck in a blocking open
because the oplock holder (ourselves) hadn't given up the oplock yet.
Cf
e576bf5310bc9de9686a71539e9a1b60b4fba5cc for the commit that added
the kernel oplock retry logic. tldr: with kernel oplocks the first open
is non-blocking, but the second one is blocking.
Detailed analysis follows.
When opening a named stream of a file, Samba internally opens the
underlying "base" file first. This internal open of the basefile suceeds
and does *not* trigger an oplock break (because it is an internal open
that doesn't call open() at all) but it is added as an entry to the
locking.tdb record of the file.
Next, the stream open ends up in streams_xattr where a non-blocking
open() on the base file is called. This open fails with EWOULDBLOCK
because we have another fd with a kernel oplock on the file.
So we call defer_open() which sets up a watch on the locking.tdb record.
In the subsequent error unwinding code in open_file_ntcreate() and
callers we close the internal open file handle of the basefile which
also removes the entry from the locking.tdb record and so *changes the
record*.
This fires the record watch and in the callback defer_open_done() we
don't check whether the condition (oplock gone) we're interested in is
actually met. The callback blindly reschedules the open request with
schedule_deferred_open_message_smb().
schedule_deferred_open_message_smb() schedules an immediate tevent event
which has precedence over the IPC fd events in messaging, so the open is
always (!) reattempted before processing the oplock break message.
As explained above, this second open will be a blocking one so we get
stuck in a blocking open.
It doesn't help to make all opens non-blocking, that would just result
in a busy loop failing the open, as we never process the oplock break
message (remember, schedule_deferred_open_message_smb() used immediate
tevent events).
To fix this we must add some logic to the record watch callback to check
whether the record watch was done for a kernel oplock file and if yes,
check if the oplock state changed. If not, simply reschedule the
deferred open and keep waiting.
This logic is only needed for kernel oplocks, not for Samba-level
oplocks, because there's no risk of deadlocking, the worst that can
happen is a rescheduled open that fails again in the oplock checks and
gets deferred again.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 14:48:05 +0000 (15:48 +0100)]
s3/smbd: all callers of defer_open() pass a lck
No change in behaviour. Update the function comment explaining how it
works and relies on lck for a record watch.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 18:11:20 +0000 (19:11 +0100)]
s3/smbd: remove async_open arg from defer_open()
All remaining callers pass false.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 14:33:55 +0000 (15:33 +0100)]
s3/smbd: fix schedule_async_open() timer
schedule_async_open() was calling defer_open with sharemode lock = NULL,
as a result there was never an active 20 s timeout.
This has been broken since the commits in
$ git log --reverse -p -10
8283fd0e0090ed12b0b12d5acb550642d621b026
Just roll our own deferred record instead of calling defer_open() and
also set up timer that, as a last resort, catches stuck opens and just
exits for now.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 14:03:12 +0000 (15:03 +0100)]
s3/smbd: add and use retry_open() instead of defer_open() in two places
Add a new function that does an immediate open rescheduling.
The first deferred open this commit changes was never scheduled, as the
scheduling relies on a timeout of the watch on the sharemode lock.
This has been broken since the commits in
$ git log --reverse -p -10
8283fd0e0090ed12b0b12d5acb550642d621b026
That patchset added the dbwrap watch record logic to defer_open() and
removed the timers.
I'm doing this mainly to untangle the defer_open() logic which is
complicated by the lck arg.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 13:37:54 +0000 (14:37 +0100)]
s3/smbd: simplify defer_open()
Add a helper function deferred_open_record_create() that creates a
deferred_open_record and let all callers pass all needed arguments
individually.
While we're at it, enhance the debug message in defer_open() to print
all variables.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 7 Mar 2017 13:10:39 +0000 (14:10 +0100)]
s3/smbd: req is already validated at the beginning of open_file_ntcreate()
req can't be NULL because the if condition surrounding this code checks
!(oplock_request & INTERNAL_OPEN_ONLY).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 6 Mar 2017 10:43:08 +0000 (11:43 +0100)]
s3/smbd: add comments and some reformatting to open_file_ntcreate()
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 4 Mar 2017 12:55:55 +0000 (13:55 +0100)]
s3/smbd: add const to get_lease_type() args
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 6 Mar 2017 11:09:53 +0000 (12:09 +0100)]
s3/wscript: fix Linux kernel oplock detection
Fix a copy/paste error, the Linux kernel oplocks check was copied from
the change notify support check.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 8 Mar 2017 09:26:38 +0000 (10:26 +0100)]
winbindd: Remove an unused #define
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Fri Mar 10 00:00:15 CET 2017 on sn-devel-144
Volker Lendecke [Wed, 8 Mar 2017 09:17:16 +0000 (10:17 +0100)]
winbind: Use talloc_strdup_upper where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Tue, 7 Mar 2017 14:29:18 +0000 (15:29 +0100)]
ldap_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Mon, 6 Mar 2017 20:33:28 +0000 (20:33 +0000)]
winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Stefan Metzmacher [Fri, 24 Feb 2017 14:34:33 +0000 (15:34 +0100)]
ldb: add LDB_FLG_DONT_CREATE_DB
This avoids creating an new tdb files on ldbsearch
or other callers which use LDB_FLG_DONT_CREATE_DB.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 9 16:02:21 CET 2017 on sn-devel-144
Volker Lendecke [Sat, 11 Feb 2017 10:38:56 +0000 (11:38 +0100)]
auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic
Best viewed with "git show -b"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 9 02:01:35 CET 2017 on sn-devel-144
Volker Lendecke [Sat, 11 Feb 2017 10:38:56 +0000 (11:38 +0100)]
auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic
Best viewed with "git show -b" :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 10:34:58 +0000 (11:34 +0100)]
auth3: Simplify auth_check_ntlm_password server_info handling
Instead of directly assigning (*pserver_info), work on a local copy
first and assign it once when successful
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 10:26:09 +0000 (11:26 +0100)]
auth3: Simplify auth_check_ntlm_password talloc handling
Use talloc_stackframe and talloc_tos. Don't bother to talloc_free
within the loop, we don't have many iterations.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 19 Feb 2017 13:23:58 +0000 (14:23 +0100)]
auth3: Use talloc_move instead of _steal
That's the more "modern" way to steal
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 10:24:22 +0000 (11:24 +0100)]
auth3: Centralize auth_check_ntlm_password failure handling
Preparation for simplified talloc handling. Slight behaviour change:
We now ZERO_STRUCTP(pserver_info) in all failure cases.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Alexander Bokovoy [Wed, 8 Mar 2017 10:38:49 +0000 (12:38 +0200)]
s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is
bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
code use of krb5 mech when calling to gss_acquire_cred.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
Alexander Bokovoy [Fri, 3 Mar 2017 14:58:14 +0000 (16:58 +0200)]
s3-gse: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Fri, 3 Mar 2017 14:57:50 +0000 (16:57 +0200)]
libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Fri, 3 Mar 2017 14:57:13 +0000 (16:57 +0200)]
credentials_krb5: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Fri, 3 Mar 2017 14:14:57 +0000 (16:14 +0200)]
lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
Wrap gss_krb5_import_cred() to allow re-implementing it with
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
works fine with GSSAPI interposer (GSS-proxy) while
gss_krb5_import_cred() is not interposed yet.
The wrapper has additional parameter, krb5_context handle, to facilitate
with credentials cache name discovery. All our callers to
gss_krb5_import_cred() already have krb5 context handy.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Fri, 3 Mar 2017 15:08:09 +0000 (17:08 +0200)]
gssapi: check for gss_acquire_cred_from
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Oct 2016 08:33:26 +0000 (10:33 +0200)]
s3-libads: Do not leak the msg on error
ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 8 14:59:35 CET 2017 on sn-devel-144
Stefan Metzmacher [Mon, 6 Mar 2017 11:53:09 +0000 (11:53 +0000)]
idmap_autorid: allocate new domain range if the callers knows the sid is valid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12613
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 8 04:06:59 CET 2017 on sn-devel-144
Ralph Boehme [Tue, 7 Mar 2017 17:10:56 +0000 (18:10 +0100)]
manpages/vfs_fruit: document global options
Some options MUST be set in the global section, better document that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12615
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 7 Mar 2017 13:06:52 +0000 (14:06 +0100)]
winbind: Add a debug message for out-of-range IDs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 21 Feb 2017 17:41:59 +0000 (18:41 +0100)]
winbind: Remove unused wcache_tdc_fetch_domainbysid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 4 Mar 2017 17:40:09 +0000 (18:40 +0100)]
winbind: Correcly pass !authoritative from wb_irpc_SamLogon
Returning an error at this level gives a RPC level error without the chance to
provide !authoritative flag to the caller. At the RPC level we're fine, but not
finding the domain to authenticate means that we don't know the domain and thus
have to return !authoritative.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar 7 13:16:00 CET 2017 on sn-devel-144
Volker Lendecke [Sun, 29 Jan 2017 16:51:53 +0000 (16:51 +0000)]
libwbclient: Add "authoritative" to wbcAuthErrorInfo
smbd needs to react to "authoritative"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 09:04:29 +0000 (10:04 +0100)]
winbind: Set "authoritative" in response to auth_crap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sun, 29 Jan 2017 16:46:12 +0000 (16:46 +0000)]
winbind: Add "authoritative" to winbindd_response
This is a relevant piece of info in the samlogon response,
smbd and netlogond need to be able to react to it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 28 Jan 2017 20:20:59 +0000 (20:20 +0000)]
winbind: Pass up args from winbind_dual_SamLogon
We'll need to pass "authoritative" back to the winbind client
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 28 Jan 2017 20:20:59 +0000 (20:20 +0000)]
winbind: Pass up args from winbind_samlogon_retry_loop
In particular "authoritative" is useful at the top level
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 28 Jan 2017 11:36:11 +0000 (11:36 +0000)]
cli_netlogon: Add return parms to rpccli_netlogon_password_logon
Just for symmetry with rpccli_netlogon_network_logon()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 28 Jan 2017 11:31:09 +0000 (11:31 +0000)]
cli_netlogon: Remove a fallback for flags=NULL
The two callers of rpccli_netlogon_network_logon have flags set !=NULL
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 28 Jan 2017 11:27:21 +0000 (11:27 +0000)]
cli_netlogon: Remove a fallback for authoritative=NULL
The two callers of rpccli_netlogon_network_logon have authoritative
set !=NULL
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Mon, 27 Feb 2017 13:35:59 +0000 (13:35 +0000)]
winbind: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar 6 23:18:46 CET 2017 on sn-devel-144
Volker Lendecke [Sun, 26 Feb 2017 16:27:05 +0000 (17:27 +0100)]
auth4: Remove an unused struct declaration
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 3 Mar 2017 05:03:31 +0000 (06:03 +0100)]
auth4: Move a variable closer to its use
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 14:14:51 +0000 (15:14 +0100)]
Re-enable token groups fallback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 6 19:18:31 CET 2017 on sn-devel-144
Stefan Metzmacher [Mon, 6 Mar 2017 09:30:52 +0000 (10:30 +0100)]
winbindd: find the domain based on the sid within wb_lookupusergroups_send()
That simplifies the potential caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:56:09 +0000 (14:56 +0100)]
Revert "winbind: Remove wb_lookupusergroups"
This reverts commit
c0570e6ae8f8f0057ece48d764580897ff2b6f62.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:55:15 +0000 (14:55 +0100)]
Revert "winbind: Remove wbint_LookupUserGroups"
This reverts commit
256632ed3cc724bab0fc22132ca6b52faf680ab2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:54:46 +0000 (14:54 +0100)]
Revert "winbind: Remove wb_cache_lookup_usergroups"
This reverts commit
f83863b4d1510a9519d15934c960fd1675235812.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:54:23 +0000 (14:54 +0100)]
Revert "winbind: Remove wcache_lookup_usergroups"
This reverts commit
876dc28b9cf13343a2962b1a1b035fe78c1858a6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:54:09 +0000 (14:54 +0100)]
Revert "winbind: Remove validate_ug"
This reverts commit
3f58a8cabab75a594cff9088d5dd8ea439b36178.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:53:47 +0000 (14:53 +0100)]
Revert "winbind: Remove "lookup_usergroups" winbind method"
This reverts commit
b231814c6b0ad17255139bc8934f269610348b2b.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 13:52:49 +0000 (14:52 +0100)]
Revert "winbind: Remove rpc_lookup_usergroups"
This reverts commit
91b73b1e93bb8fb38e2f1cea6c1cbd012c952542.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 3 Mar 2017 11:56:24 +0000 (12:56 +0100)]
s3:libads: remove unused fallback to gss_acquire_cred()
Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 6 11:44:54 CET 2017 on sn-devel-144
Ralph Boehme [Mon, 27 Feb 2017 11:55:04 +0000 (12:55 +0100)]
s4/torture: add a creditting test skipping a SMB2 MID
This tests that skipping a SMB2 MID the client's usable MID window is
[unused mid, unused mid + 8192]
The test currently fails against Samba as we only grant up to 512
credits. It passes against Windows 2016 as that grants up to 8192
credits by default.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 4 01:54:07 CET 2017 on sn-devel-144
Ralph Boehme [Sun, 26 Feb 2017 08:28:12 +0000 (09:28 +0100)]
libcli/smb: add smb2cli_conn_get_mid and smb2cli_conn_set_mid
This will be needed for a torture test in the next commit.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 27 Feb 2017 06:12:09 +0000 (07:12 +0100)]
s4/torture: add some SMB2 crediting tests
These tests verify that a server grants at least 8192 credits in a
successfull session setup and in a single SMB2 request. Both tests pass
against Windows 2016 Server but currently fail against Samba.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 27 Feb 2017 11:29:25 +0000 (12:29 +0100)]
libcli/smb: add smb2cli_conn_get_cur_credits
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 27 Feb 2017 15:14:39 +0000 (16:14 +0100)]
libcli/smb: add max_credits arg to smbXcli_negprot_send()
This allows source4/torture code to set the option for tests by
preparing a struct smbcli_options with max_credits set to some value and
pass that to a torture_smb2_connection_ext().
This will be used in subsequent smbtorture test for SMB2 creditting.
Behaviour of existing upper layers is unchanged, they simply pass the
wanted max credits value to smbXcli_negprot_send() instead of
retrofitting it with a call to smb2cli_conn_set_max_credits().
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 6 Feb 2017 16:10:40 +0000 (17:10 +0100)]
lib: Make gencache hash size configurable, default to 10000
For large deployments with many users, we put a lot of idmapping
entries into gencache. Increase the hash size from our default 131.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Andreas Schneider [Tue, 21 Feb 2017 13:51:08 +0000 (14:51 +0100)]
idmap_hash: Add a deprecation message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 3 16:54:34 CET 2017 on sn-devel-144
Andreas Schneider [Wed, 15 Feb 2017 07:55:24 +0000 (08:55 +0100)]
docs: Improve the idmap_hash manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 2 Mar 2017 16:34:22 +0000 (17:34 +0100)]
s4:selftest: run samba4.sam.python also against fl2008r2dc
fl2008r2dc uses "ldap server require strong auth = no", which
is required to test the simple bind error messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 3 12:57:06 CET 2017 on sn-devel-144
Stefan Metzmacher [Thu, 2 Mar 2017 15:41:20 +0000 (16:41 +0100)]
dsdb/tests: add test_ldap_bind_must_change_pwd()
This tests the error messages for failing LDAP Bind responses.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 24 Feb 2017 17:30:56 +0000 (18:30 +0100)]
s4:ldap_server: match windows in the error messages of failing LDAP Bind requests
This is important for some applications to detect the
NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 2 Mar 2017 16:19:21 +0000 (17:19 +0100)]
ldb-samba: remember the error string of a failing bind in ildb_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 2 Mar 2017 15:00:01 +0000 (16:00 +0100)]
dsdb/tests: remove duplicate test_smartcard_required3() from sam.py
The function was 100% the same...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>