samba.git
6 years ago s3: Fix max indentation and max column
Swen Schillig [Mon, 5 Mar 2018 11:55:23 +0000 (12:55 +0100)]
s3: Fix max indentation and max column

Minor cleanup reducing the max indentation level and max column length.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
6 years ago ctdb-tests: Don't use nc -d or -w options
Martin Schwenke [Thu, 8 Mar 2018 00:49:56 +0000 (11:49 +1100)]
ctdb-tests: Don't use nc -d or -w options

nmap-ncat is used in some distributions to replace netcat.  It has a
different meaning for these options.

We can get the same effect as the current combination of -d and -w by
piping a sleep process to nc.  Subsequent use of $! works because it
gets the last process in pipeline.

Note that redirecting from /dev/null doesn't work with some versions
of nc.  They just exit when they get EOF.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar  9 12:24:13 CET 2018 on sn-devel-144

6 years ago Revert "ctdb-doc: Fix monitoring bug in example NFS Ganesha call-out"
Martin Schwenke [Wed, 31 Jan 2018 06:07:46 +0000 (17:07 +1100)]
Revert "ctdb-doc: Fix monitoring bug in example NFS Ganesha call-out"

The check action should be there.  It is used by 20.nfs_ganesha.check.

This reverts commit 4fa9026bbd9f67348d3203e0205c59ff4fb51d2d.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Depend on setup_ctdb_base() to install events.d/
Martin Schwenke [Fri, 16 Feb 2018 03:27:39 +0000 (14:27 +1100)]
ctdb-tests: Depend on setup_ctdb_base() to install events.d/

This directory is only used by simple tests when running against local
daemons.  Moving it to simple/etc-ctdb/events.d/ means that it is
automatically copied by setup_ctdb_base().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Make fake ssh script set CTDB_BASE
Martin Schwenke [Fri, 2 Mar 2018 09:36:39 +0000 (20:36 +1100)]
ctdb-tests: Make fake ssh script set CTDB_BASE

The local daemons code puts the socket in the CTDB_BASE directory.
This means CTDB_NODES_SOCKETS can be replaced by CTDB_BASES, a list of
base directories.  The fake ssh script can first determine the correct
CTDB_BASE directory and then use it to set CTDB_SOCKET and
CTDB_PIDFILE.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Use setup_ctdb_base() for simple tests
Martin Schwenke [Wed, 7 Feb 2018 07:38:04 +0000 (18:38 +1100)]
ctdb-tests: Use setup_ctdb_base() for simple tests

The comment in local.bash is incorrect.  CTDB_BASE will never be set
here because this script is not run under onnode.  Instead, this is where
CTDB_BASE needs to be set when running against a real cluster.

For local daemons, the check for CTDB_BASE being inconsistent with
node_dir is temporary.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Reindent setup_ctdb() function
Martin Schwenke [Mon, 5 Mar 2018 03:50:59 +0000 (14:50 +1100)]
ctdb-tests: Reindent setup_ctdb() function

This could have been done earlier but previous movement of lines out
to new functions has made the job easier.

Best viewed with show/diff -w.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Clean up nodes and public address file setup
Martin Schwenke [Thu, 22 Feb 2018 09:24:20 +0000 (20:24 +1100)]
ctdb-tests: Clean up nodes and public address file setup

Untangle a single loop into two separate, clear functions.  Create a
separate, empty file for the node with no public IPs instead of
pointing the configuration at /dev/null.

Leave the indentation in setup_ctdb() in the old style to make this
commit comprehensible.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Use SIMPLE_TESTS_VAR_DIR for data for local daemons tests
Martin Schwenke [Thu, 22 Feb 2018 08:56:08 +0000 (19:56 +1100)]
ctdb-tests: Use SIMPLE_TESTS_VAR_DIR for data for local daemons tests

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: New directory for simple test state
Martin Schwenke [Thu, 1 Mar 2018 04:39:44 +0000 (15:39 +1100)]
ctdb-tests: New directory for simple test state

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Use setup_ctdb_base() for onnode unit tests
Martin Schwenke [Wed, 7 Feb 2018 03:09:45 +0000 (14:09 +1100)]
ctdb-tests: Use setup_ctdb_base() for onnode unit tests

The nodes file is now in the CTDB_BASE directory so no CTDB_NODES_FILE
variable is needed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Use setup_ctdb_base() for eventscript unit tests
Martin Schwenke [Wed, 7 Feb 2018 00:58:51 +0000 (11:58 +1100)]
ctdb-tests: Use setup_ctdb_base() for eventscript unit tests

There is currently a directory of symlinks that are copied during test
setup.  These symlinks are updated during installation so they point
to the right place when copied.

Instead, use setup_ctdb_base() during test setup.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Factor out setup of fake CTDB_BASE
Martin Schwenke [Wed, 7 Feb 2018 02:56:34 +0000 (13:56 +1100)]
ctdb-tests: Factor out setup of fake CTDB_BASE

Several test suites need the CTDB_BASE directory to contain a subset
of the regular contents of that subdirectory.  In some cases there are
symbolic links in the test directory (or a subdirectory) and these
symbolic links need to be fixed at installation time.

Instead, add new function setup_ctdb_base() to set CTDB_BASE, create
the directory and populate it as specified.  This relies on
script_install_paths.sh so it can copy the specified targets.  It also
copies any files from the test directory's etc-ctdb/ subdirectory.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Drop PID file argument from wrapper
Martin Schwenke [Mon, 5 Mar 2018 10:02:40 +0000 (21:02 +1100)]
ctdb-scripts: Drop PID file argument from wrapper

Use the default compile-time PID file.

Use a CTDB_PIDFILE environment variable when testing.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-daemon: CTDB_PIDFILE environment variable overrides default
Martin Schwenke [Mon, 5 Mar 2018 10:19:30 +0000 (21:19 +1100)]
ctdb-daemon: CTDB_PIDFILE environment variable overrides default

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-daemon: Provide default location for ctdbd PID file
Martin Schwenke [Wed, 7 Mar 2018 01:11:53 +0000 (12:11 +1100)]
ctdb-daemon: Provide default location for ctdbd PID file

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Drop init script PID directory backward compatibility
Martin Schwenke [Mon, 5 Mar 2018 10:01:17 +0000 (21:01 +1100)]
ctdb-scripts: Drop init script PID directory backward compatibility

This tries to be backward compatible with very old versions of CTDB,
so don't bother.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Don't create directory for PID file
Martin Schwenke [Mon, 5 Mar 2018 09:40:08 +0000 (20:40 +1100)]
ctdb-scripts: Don't create directory for PID file

This is already created by installation and/or packaging.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-packaging: Package up relevant /var subdirectories
Martin Schwenke [Mon, 5 Mar 2018 09:38:51 +0000 (20:38 +1100)]
ctdb-packaging: Package up relevant /var subdirectories

They're already created at installation time.  This way they don't
need to be created at startup.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Drop unnecessary complexity from wrapper
Martin Schwenke [Mon, 5 Mar 2018 09:26:08 +0000 (20:26 +1100)]
ctdb-scripts: Drop unnecessary complexity from wrapper

All of this logic was necessary when ctdbd did poor PID file and
socket handling.  Those things are now solid, so remove this
unnecessary logic.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Drop broken wrapper code that uses PID
Martin Schwenke [Mon, 5 Mar 2018 09:16:00 +0000 (20:16 +1100)]
ctdb-scripts: Drop broken wrapper code that uses PID

The code has been broken since commit
4b652c1527afe7eff4075c95946abfa114d74015.

If ctdbd isn't all the way up in time just make a basic attempt to
shut it down.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tests: Rework simple tests daemon start/stop
Martin Schwenke [Sat, 3 Mar 2018 09:04:17 +0000 (20:04 +1100)]
ctdb-tests: Rework simple tests daemon start/stop

Separate stopping and starting of daemons during restart

This allows actions to be taken after stopping and allows the init
testcase to be clearer about what it is doing.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-packaging: Use RPM's local state directory
Martin Schwenke [Mon, 5 Mar 2018 09:34:48 +0000 (20:34 +1100)]
ctdb-packaging: Use RPM's local state directory

Instead of fixed /var.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Simplify the names of NFS fail counter files
Martin Schwenke [Tue, 6 Feb 2018 02:56:05 +0000 (13:56 +1100)]
ctdb-scripts: Simplify the names of NFS fail counter files

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Move failure counters to the service state directory
Martin Schwenke [Tue, 6 Feb 2018 02:51:23 +0000 (13:51 +1100)]
ctdb-scripts: Move failure counters to the service state directory

Scripts that use these counters must call ctdb_setup_state_dir().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Move the reconfigure flag to the script state directory
Martin Schwenke [Tue, 6 Feb 2018 02:50:47 +0000 (13:50 +1100)]
ctdb-scripts: Move the reconfigure flag to the script state directory

Scripts that use these functions must call ctdb_setup_state_dir().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Drop unused function ctdb_setup_service_state_dir()
Martin Schwenke [Wed, 7 Mar 2018 00:43:18 +0000 (11:43 +1100)]
ctdb-scripts: Drop unused function ctdb_setup_service_state_dir()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Use ctdb_setup_state_dir()
Martin Schwenke [Wed, 7 Mar 2018 00:12:29 +0000 (11:12 +1100)]
ctdb-scripts: Use ctdb_setup_state_dir()

Replace all uses of ctdb_setup_service_state_dir() by
ctdb_setup_state_dir().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Factor out function ctdb_setup_state_dir()
Martin Schwenke [Tue, 6 Feb 2018 02:49:46 +0000 (13:49 +1100)]
ctdb-scripts: Factor out function ctdb_setup_state_dir()

This allows state directories for scripts other than services.
ctdb_setup_state_dir() takes 2 mandatory arguments.

Unlike ctdb_setup_service_state_dir(), this does not print the
directory name but sets a global variable.  The intention is to go
back to a more sensible style of usage.

This will require a shellcheck directive before the first use, such
as:

  # Set by ctdb_setup_state_dir
  # shellcheck disable=SC2154
  foo="${script_state_dir}/bar"

An alternative would be something like the following, which tricks
shellcheck into believing the variable is set:

  ctdb_setup_state_dir "service" "foo"
  # Shellcheck
  script_state_dir="$script_state_dir"

However, this is more cryptic.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-scripts: Move script state to its own directory
Martin Schwenke [Tue, 6 Feb 2018 00:42:26 +0000 (11:42 +1100)]
ctdb-scripts: Move script state to its own directory

Don't use the same directory as temporary databases.

Make associated test consistent.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
6 years ago ctdb-tools: Fix documentation for ctdb ping command
Amitay Isaacs [Thu, 8 Mar 2018 03:24:27 +0000 (14:24 +1100)]
ctdb-tools: Fix documentation for ctdb ping command

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-tools: Event script commands cannot be run without daemon
Amitay Isaacs [Thu, 8 Mar 2018 03:23:38 +0000 (14:23 +1100)]
ctdb-tools: Event script commands cannot be run without daemon

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-common: Drop unused function ctdb_sys_find_ifname()
Amitay Isaacs [Thu, 8 Mar 2018 03:20:43 +0000 (14:20 +1100)]
ctdb-common: Drop unused function ctdb_sys_find_ifname()

The ioctl SIOCGIFCONF does not return IPv6 addresses, so this function
does not work for IPv6 addresses.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-tools: Drop ipiface command from ctdb tool
Amitay Isaacs [Thu, 8 Mar 2018 03:19:19 +0000 (14:19 +1100)]
ctdb-tools: Drop ipiface command from ctdb tool

This command is not used anywhere and also does not work for IPv6
addresses.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-tools: Wait for ctdb daemon to go away in shutdown
Amitay Isaacs [Tue, 6 Mar 2018 03:28:43 +0000 (14:28 +1100)]
ctdb-tools: Wait for ctdb daemon to go away in shutdown

This can only be done on the local node.  For remote node, exit as
soon as the control returns.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-client: Client code should never free the client context
Amitay Isaacs [Thu, 8 Mar 2018 00:35:55 +0000 (11:35 +1100)]
ctdb-client: Client code should never free the client context

This should never have been done.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ctdb-ib: Avoid fall through case statements
Amitay Isaacs [Sat, 3 Mar 2018 15:09:33 +0000 (02:09 +1100)]
ctdb-ib: Avoid fall through case statements

This is clearly unintended.  Noticed with gcc 7.3.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
6 years ago ldb_tdb: Remove unnecessary call to tdb_get_seqnum
Garming Sam [Wed, 7 Mar 2018 00:27:20 +0000 (13:27 +1300)]
ldb_tdb: Remove unnecessary call to tdb_get_seqnum

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  8 14:14:37 CET 2018 on sn-devel-144

6 years ago s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_f...
Jeremy Allison [Fri, 2 Mar 2018 21:53:55 +0000 (13:53 -0800)]
s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().

Ensures they don't get stored in the underlying ACL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar  8 04:09:38 CET 2018 on sn-devel-144

6 years ago s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags corre...
Jeremy Allison [Fri, 2 Mar 2018 21:51:54 +0000 (13:51 -0800)]
s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
Jeremy Allison [Fri, 2 Mar 2018 21:21:37 +0000 (13:21 -0800)]
s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.

This will allow us to modify it in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
Jeremy Allison [Fri, 2 Mar 2018 21:07:48 +0000 (13:07 -0800)]
s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago ldb_mod_op_test: Make sure that closing the database frees locks
Gary Lockyer [Mon, 22 Jan 2018 22:03:16 +0000 (11:03 +1300)]
ldb_mod_op_test: Make sure that closing the database frees locks

Without the destructor firing, this test used to pass, but now we show
that we must be able to open a new ldb handle.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  7 04:38:02 CET 2018 on sn-devel-144

6 years ago ldb_mod_op_test: Add new nested transactions test
Gary Lockyer [Thu, 18 Jan 2018 20:28:14 +0000 (09:28 +1300)]
ldb_mod_op_test: Add new nested transactions test

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago selftest: Change name to sam.ldb to align with new partition module assumptions
Gary Lockyer [Thu, 11 Jan 2018 01:27:40 +0000 (14:27 +1300)]
selftest: Change name to sam.ldb to align with new partition module assumptions

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb: Remove python warning in tests/python/index.py
Gary Lockyer [Tue, 6 Mar 2018 02:30:43 +0000 (15:30 +1300)]
ldb: Remove python warning in tests/python/index.py

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Build a key value operation library
Garming Sam [Fri, 16 Feb 2018 00:26:46 +0000 (13:26 +1300)]
ldb_tdb: Build a key value operation library

This allows sharing of the originally ldb_tdb operations to the new
ldb_mdb backend.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar  6 01:39:16 CET 2018 on sn-devel-144

6 years ago partition: Allow a different backend store from @PARTITION
Garming Sam [Thu, 12 Jan 2017 22:32:14 +0000 (11:32 +1300)]
partition: Allow a different backend store from @PARTITION

By default, use tdb, but otherwise read the value from backendStore.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Implement a traversal function in key value ops
Garming Sam [Fri, 16 Feb 2018 00:06:31 +0000 (13:06 +1300)]
ldb_tdb: Implement a traversal function in key value ops

This can handle both read-only and writable traverses.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Use key value ops for fetch command
Garming Sam [Tue, 10 Jan 2017 07:43:38 +0000 (20:43 +1300)]
ldb_tdb: Use key value ops for fetch command

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: factor out the (to be) common init code
Garming Sam [Tue, 10 Jan 2017 22:36:48 +0000 (11:36 +1300)]
ldb_tdb: factor out the (to be) common init code

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Add errorstr to the key value ops
Gary Lockyer [Tue, 13 Feb 2018 02:21:34 +0000 (15:21 +1300)]
ldb_tdb: Add errorstr to the key value ops

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Remove tdb_get_seqnum and use a generic 'has_changed'
Garming Sam [Tue, 10 Jan 2017 10:23:22 +0000 (23:23 +1300)]
ldb_tdb: Remove tdb_get_seqnum and use a generic 'has_changed'

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Add lock_read and unlock_read to key value ops
Garming Sam [Tue, 10 Jan 2017 10:19:55 +0000 (23:19 +1300)]
ldb_tdb: Add lock_read and unlock_read to key value ops

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Replace tdb transaction code with generic key value ones
Garming Sam [Tue, 10 Jan 2017 08:44:11 +0000 (21:44 +1300)]
ldb_tdb: Replace tdb transaction code with generic key value ones

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Replace exists, name and error_map with key value ops
Garming Sam [Tue, 10 Jan 2017 07:45:02 +0000 (20:45 +1300)]
ldb_tdb: Replace exists, name and error_map with key value ops

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Begin abstracting out the base key value operations
Garming Sam [Tue, 10 Jan 2017 06:05:40 +0000 (19:05 +1300)]
ldb_tdb: Begin abstracting out the base key value operations

This will allow us to change the backend from tdb to lmdb.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago dsdb: The schema should be reloaded during the transaction
Garming Sam [Mon, 20 Nov 2017 22:31:10 +0000 (11:31 +1300)]
dsdb: The schema should be reloaded during the transaction

Reload the schema just after getting the transaction lock
but before the transaction counter is bumped.

This ensures we reload the schema exactly once but with
the DB locked.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago samdb/schema_load: do schema loading with one search
Bob Campbell [Tue, 11 Jul 2017 04:40:14 +0000 (16:40 +1200)]
samdb/schema_load: do schema loading with one search

It appears that there was a race condition between searching for the
attribute & class definitions, and searching for the schema object, if
the schema was changed in-between the two searches.

This is likely the cause of ldap_schema flapping.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12889

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
6 years ago schema_set: Add a missing newline between functions
Garming Sam [Tue, 21 Nov 2017 23:37:07 +0000 (12:37 +1300)]
schema_set: Add a missing newline between functions

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago remove_dc.py: Abort transaction before throwing an exception
Gary Lockyer [Thu, 18 Jan 2018 20:16:04 +0000 (09:16 +1300)]
remove_dc.py: Abort transaction before throwing an exception

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_mod_op_test: Fix core dump on ldb_case_attrs_index_test_teardown
Gary Lockyer [Mon, 22 Jan 2018 22:02:28 +0000 (11:02 +1300)]
ldb_mod_op_test: Fix core dump on ldb_case_attrs_index_test_teardown

With no schema syntax, this would occasionally crash as it dereferenced
some possibly NULL sequence of memory.

Note: Removing all tests except this one made it crash reliably.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago partition: Leave metadata.tdb unlocking until last
Garming Sam [Wed, 7 Feb 2018 10:21:45 +0000 (23:21 +1300)]
partition: Leave metadata.tdb unlocking until last

With the lmdb patches, I have cleanly observed the database being read
in between the commit of the metadata.tdb and the eventual commits of
the individual partitions.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago schema: Do not read different schema sequence values during a read transaction
Garming Sam [Thu, 1 Feb 2018 23:05:27 +0000 (12:05 +1300)]
schema: Do not read different schema sequence values during a read transaction

During a read lock, we find ourselves seeing an unchanged schema, but
reading any updates to the metadata.tdb (in the case of lmdb, where
reads do not block writes).

The alternative is to read-lock the entire metadata.tdb, however, this
allows more concurrency by allowing reads not to block writes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago partition: Use a transaction to write and a read lock to read the LDB_METADATA_SEQ_NUM
Andrew Bartlett [Thu, 1 Feb 2018 04:16:13 +0000 (17:16 +1300)]
partition: Use a transaction to write and a read lock to read the LDB_METADATA_SEQ_NUM

This is critical as otherwise we can read a sequence number in advance
of the data that it represents and so have a false cache.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
6 years ago build: fix standalone ctdb build --with-systemd
David Disseldorp [Mon, 5 Mar 2018 14:08:55 +0000 (15:08 +0100)]
build: fix standalone ctdb build --with-systemd

For standalone ctdb builds, a samba-util-core dependency is added,
without corresponding systemd libraries, which are needed when
become_daemon.c is built --with-systemd. This results in:
  default/lib/util/become_daemon_20.o: In function `daemon_status':
  become_daemon.c:(.text+0x456): undefined reference to `sd_notifyf'
  collect2: error: ld returned 1 exit status

Fix this by moving the systemd library dependencies from samba-util to
samba-util-core, the become_daemon.c base build target.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar  5 20:49:51 CET 2018 on sn-devel-144

6 years ago ctdb/pmda: fix num_recoveries metric store
David Disseldorp [Mon, 5 Mar 2018 10:55:00 +0000 (11:55 +0100)]
ctdb/pmda: fix num_recoveries metric store

The num_recoveries metric is declared as PM_TYPE_U32, so should be
used accordingly.

Suggested-by: Nathan Scott <nathans@redhat.com>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago ldb: Directly return an error and do not fall through
Andreas Schneider [Mon, 5 Mar 2018 07:43:17 +0000 (08:43 +0100)]
ldb: Directly return an error and do not fall through

Detected by -Wimplicit-fallthrough.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago tests/smbcontrol: reduce ping test false positive rate
Douglas Bagnall [Sun, 4 Mar 2018 00:50:51 +0000 (13:50 +1300)]
tests/smbcontrol: reduce ping test false positive rate

The ping test was failing when a transient ldap_server process died
between the time it was listed and the time it was pinged. We stop
treating that as failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar  5 01:33:46 CET 2018 on sn-devel-144

6 years ago ldb_tdb: Add tests for truncated index keys
Gary Lockyer [Wed, 21 Feb 2018 02:12:40 +0000 (15:12 +1300)]
ldb_tdb: Add tests for truncated index keys

Tests for the index truncation code as well as the GUID index
format in general.

Covers truncation of both the DN and equality search keys.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar  3 09:58:40 CET 2018 on sn-devel-144

6 years ago ldb_tdb: Combine identical not GUID index and special DN cases
Gary Lockyer [Mon, 26 Feb 2018 21:01:38 +0000 (10:01 +1300)]
ldb_tdb: Combine identical not GUID index and special DN cases

Fold together two identical cases to simplify the code.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Refuse to store a value in a unique index that is too long
Gary Lockyer [Wed, 21 Feb 2018 02:19:37 +0000 (15:19 +1300)]
ldb_tdb: Refuse to store a value in a unique index that is too long

Rather than add many special cases, over-long unique values are simply banned.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Do not give the warning of duplicate attributes in truncation
Gary Lockyer [Tue, 27 Feb 2018 22:47:58 +0000 (11:47 +1300)]
ldb_tdb: Do not give the warning of duplicate attributes in truncation

In the truncation case a duplicate is perfectly expected.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Cope with key truncation
Gary Lockyer [Wed, 21 Feb 2018 02:18:11 +0000 (15:18 +1300)]
ldb_tdb: Cope with key truncation

Modify the indexing code to handle a maximum key length, index keys
greater than the maximum length will be truncated to the maximum length.
And the unique index code has been altered to handle multiple records
for the same index key.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Do not fail in GUID index mode if there is a duplicate attribute
Gary Lockyer [Tue, 27 Feb 2018 22:47:22 +0000 (11:47 +1300)]
ldb_tdb: Do not fail in GUID index mode if there is a duplicate attribute

It is not the job of the index code to enforce this, but do give a
warning given it has been detected.

However, now that we do allow it, we must never return the same
object twice to the caller, so filter for it in ltdb_index_filter().

The GUID list is sorted, which makes this cheap to handle, thankfully.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb_tdb: Add support for an option to restrict the key length
Gary Lockyer [Wed, 21 Feb 2018 02:20:17 +0000 (15:20 +1300)]
ldb_tdb: Add support for an option to restrict the key length

Allow the setting of the maximum key length; this allows the testing of
index key truncation code.  Index key truncation is required to allow
the samba indexing scheme to be used with backends that enforce a
maximum key length.

This will allow emulation of a length-limited key DB for testing.

This is a testing-only feature, as the index format changes
based on this value.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago selftest: Improve test names for samba.wbinfo_simple
Andreas Schneider [Fri, 2 Mar 2018 10:01:33 +0000 (11:01 +0100)]
selftest: Improve test names for samba.wbinfo_simple

This simplifies selecting a specific test to run.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar  3 05:19:38 CET 2018 on sn-devel-144

6 years ago testprogs: Return the correct error status code
Andreas Schneider [Thu, 1 Mar 2018 09:54:52 +0000 (10:54 +0100)]
testprogs: Return the correct error status code

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago s3:tests: Skip smbd error test if we do not log to stdout
Andreas Schneider [Thu, 1 Mar 2018 09:26:56 +0000 (10:26 +0100)]
s3:tests: Skip smbd error test if we do not log to stdout

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago Replace NT_STATUS_HAVE_NO_MEMORY macro
Swen Schillig [Thu, 1 Feb 2018 08:39:02 +0000 (09:39 +0100)]
Replace NT_STATUS_HAVE_NO_MEMORY macro

Replaced NT_STATUS_HAVE_NO_MEMORY macro and fixed
memory leaking error-path.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Sat Mar  3 00:00:34 CET 2018 on sn-devel-144

6 years ago Minor cleanup of libnet_LookupName_recv
Swen Schillig [Thu, 1 Feb 2018 08:02:25 +0000 (09:02 +0100)]
Minor cleanup of libnet_LookupName_recv

Reduce indentation level and comply with 80 column rule.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
6 years ago Zero libnet_LookupName out struct before using
Swen Schillig [Fri, 26 Jan 2018 12:28:58 +0000 (13:28 +0100)]
Zero libnet_LookupName out struct before using

Zero libnet_LookupName out struct before setting results,
preventing false result interpretation.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
6 years ago WHATSNEW: Add info for 'net ads keytab' and 'net ads setspn' changes
Noel Power [Mon, 12 Feb 2018 16:38:56 +0000 (16:38 +0000)]
WHATSNEW: Add info for 'net ads keytab' and 'net ads setspn' changes

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar  2 19:12:08 CET 2018 on sn-devel-144

6 years ago docs: Add manpage for new 'net ads setspn' subcommand
Noel Power [Mon, 12 Feb 2018 13:53:19 +0000 (13:53 +0000)]
docs: Add manpage for new 'net ads setspn' subcommand

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago docs: Add manpage for 'net ads keytab' subcommand
Noel Power [Mon, 12 Feb 2018 12:13:02 +0000 (12:13 +0000)]
docs: Add manpage for 'net ads keytab' subcommand

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago testprogs: 'net ads keytab create' expected failures should now pass
Noel Power [Fri, 16 Feb 2018 15:53:16 +0000 (15:53 +0000)]
testprogs: 'net ads keytab create' expected failures should now pass

Following the commit to change the behaviour of 'net ads keytab create'
some tests previously failing should now pass.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Noel Power [Fri, 9 Feb 2018 14:07:27 +0000 (14:07 +0000)]
s3:libads: 'net ads keytab create' shouldn't write SPN(s)

Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense: existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in, a new pair of SPN(s) is generated as follows:
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating new SPN(s) from an existing
one, probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago testprogs: Switch expected failure tests to expected pass
Noel Power [Fri, 16 Feb 2018 15:50:03 +0000 (15:50 +0000)]
testprogs: Switch expected failure tests to expected pass

Following the commit to change the behaviour of 'net ads keytab add' and
new 'keytab add_update_ads' some tests previously failing should now
pass.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:utils: Modify default behaviour of 'net ads keytab add'
Noel Power [Fri, 9 Feb 2018 14:03:33 +0000 (14:03 +0000)]
s3:utils: Modify default behaviour of 'net ads keytab add'

This change modifies the behaviour of 'net ads keytab add' such
that only the keytab file is modified.

A new command 'net ads keytab add_update_ads' has been added that
preserves the legacy behaviour which can update the AD computer
object with Windows SPN(s) as appropriate. Alternatively the new
command 'net ads setspn add' can be used to manually add the
Windows SPN(s) that previously would have been added.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: add param to prevent writing spn(s) to ads
Noel Power [Thu, 8 Feb 2018 17:33:08 +0000 (17:33 +0000)]
s3:libads: add param to prevent writing spn(s) to ads

Currently, in addition to adding to the keytab file,
'net ads keytab add' can also update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.

Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a parameter to modify the existing
behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago testprogs: Add blackbox tests for 'net ads keytab add'
Noel Power [Wed, 17 Jan 2018 17:18:15 +0000 (17:18 +0000)]
testprogs: Add blackbox tests for 'net ads keytab add'

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2
Noel Power [Mon, 29 Jan 2018 18:38:05 +0000 (18:38 +0000)]
s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2

This patch addresses how the windows SPN is written to the AD.

If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then Windows SPNs are generated from
'param' as follows:
          i) long form 'param/full_qualified_dns'
         ii) short form 'param/netbios_name'

If the SPN is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1
Noel Power [Mon, 29 Jan 2018 18:30:33 +0000 (18:30 +0000)]
s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1

This patch addresses how the Windows SPN is converted into a kerberos
principal to be written to the keytab file. A followup patch will
deal with writing Windows SPN(s) to the AD.

Before this change 'net ads keytab add' handled three scenarios:

a) 'net ads keytab add param' is passed a fully qualified kerberos principal
   (identified by the presence of '@' in param). In this scenario the keytab
   file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param' is passed a machine name (identified by
   the parameter ending with '$'). In this case the machine name
   is converted to a kerberos principal according to the recipe
   'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.).
   In this scenario the param containing the service is first converted
   into 2 kerberos principals (long and short forms) according to the
   following recipe:
      i) long form:  'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns' is retrieved from the 'dNSHostName' attribute of
     'this' machine's computer account on the AD.
     The principals are written to the keytab file.
   Secondly 2 Windows SPNs are generated from 'param' as follows:
      i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
   These SPNs are written to the AD computer account object.

After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port')
  i) 'param' will get converted to a kerberos principal (just a single one)
     with the following recipe: 'serviceclass/host@realm' which will
     be written to the keytab file. The SPN written to the AD is created
     as before and the legacy behaviour is preserved.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
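
The param-to-principal recipes from the commit message above, as an added C example; this is not Samba's code. `keytab_principals`, `demo`, the realm and the host names are hypothetical or constructed, and both the check order ('@', then trailing '$', then '/') and the rule that any param containing '/' counts as a Windows SPN are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PRINC_MAX 256
static char demo_out[2][PRINC_MAX];
/* snprintf() result check: non-empty and not truncated. */
static int fits(int written) { return written > 0 && written < PRINC_MAX; }

/* Hypothetical helper, not a Samba function. Writes the principal(s) that
 * 'param' maps to into 'out'; returns the count (1 or 2), or 0 if param
 * is malformed or the result would not fit. */
int keytab_principals(const char *param, const char *realm, const char *fqdn,
                      const char *netbios, char out[2][PRINC_MAX])
{
    size_t len = strlen(param);
    const char *slash = strchr(param, '/');
    if (len == 0 || len >= PRINC_MAX)
        return 0;
    /* a) contains '@': already a full principal, used unchanged */
    if (strchr(param, '@') != NULL)
        return fits(snprintf(out[0], PRINC_MAX, "%s", param));
    /* b) ends with '$': machine name, recipe 'param@realm' */
    if (param[len - 1] == '$')
        return fits(snprintf(out[0], PRINC_MAX, "%s@%s", param, realm));
    /* Windows SPN: a single 'serviceclass/host@realm', port dropped */
    if (slash != NULL) {
        int class_len = (int)(slash - param);
        /* assumption: the host part ends at the first ':' or '/' */
        int host_len = (int)strcspn(slash + 1, ":/");
        if (class_len == 0 || host_len == 0)
            return 0;
        return fits(snprintf(out[0], PRINC_MAX, "%.*s/%.*s@%s", class_len,
                             param, host_len, slash + 1, realm));
    }
    /* c) bare service: long (DNS) and short (NetBIOS) forms */
    if (!fits(snprintf(out[0], PRINC_MAX, "%s/%s@%s", param, fqdn, realm)) ||
        !fits(snprintf(out[1], PRINC_MAX, "%s/%s@%s", param, netbios, realm)))
        return 0;
    return 2;
}

/* Constructed realm and host names, for illustration only. */
int demo(const char *param)
{
    return keytab_principals(param, "EXAMPLE.COM", "fs1.example.com",
                             "FS1", demo_out);
}

int main(void)
{
    const char *in[] = { "http/web1.example.com:8080", "nfs", "FS1$" };
    for (int i = 0; i < 3; i++)
        for (int j = 0, n = demo(in[i]); j < n; j++)
            printf("%s -> %s\n", in[i], demo_out[j]);
    return 0;
}
```
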
6 years ago testprocs/blackbox: Add tests for net ads setspn (add|delete|list)
Noel Power [Thu, 18 Jan 2018 11:30:50 +0000 (11:30 +0000)]
testprocs/blackbox: Add tests for net ads setspn (add|delete|list)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:utils: add new 'net ads setspn delete' subcommand
Noel Power [Wed, 24 Jan 2018 14:51:03 +0000 (14:51 +0000)]
s3:utils: add new 'net ads setspn delete' subcommand

This patch adds 'delete' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

Usage:

    net ads setspn delete <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:utils: add new 'net ads setspn add' subcommand
Noel Power [Wed, 24 Jan 2018 14:41:06 +0000 (14:41 +0000)]
s3:utils: add new 'net ads setspn add' subcommand

This patch adds 'add' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

Usage:

     net ads setspn add <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:utils: add new 'net ads setspn list' subcommand
Noel Power [Wed, 24 Jan 2018 14:26:03 +0000 (14:26 +0000)]
s3:utils: add new 'net ads setspn list' subcommand

This patch adds basic functionality not unlike the setspn.exe
command that is provided by Windows for administering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

Only the basic list operation (that corresponds to the -l
switch for setspn.exe) is implemented.

Usage:

     net ads setspn list <computer>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: change ads_add_service_principal_name implementation
Noel Power [Fri, 16 Feb 2018 16:52:01 +0000 (16:52 +0000)]
s3:libads: change ads_add_service_principal_name implementation

Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list of SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally client
code now needs to construct the SPNs to be passed into the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: Add a basic Windows SPN parser.
Noel Power [Mon, 29 Jan 2018 17:51:15 +0000 (17:51 +0000)]
s3:libads: Add a basic Windows SPN parser.

(see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s3:libads: Clean up code a little rename 'ads_get_samaccountname()'
Noel Power [Fri, 12 Jan 2018 14:22:34 +0000 (14:22 +0000)]
s3:libads: Clean up code a little rename 'ads_get_samaccountname()'

Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the AD. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code calling
this function less confusing.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>