samba.git
2 years ago auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()
Stefan Metzmacher [Fri, 7 Jul 2017 06:00:00 +0000 (08:00 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenI...
Stefan Metzmacher [Fri, 7 Jul 2017 05:58:51 +0000 (07:58 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()
Stefan Metzmacher [Wed, 28 Jun 2017 12:53:49 +0000 (14:53 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 05:53:29 +0000 (07:53 +0200)]
auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()

We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.

Check with git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_updat...
Stefan Metzmacher [Thu, 6 Jul 2017 13:36:36 +0000 (15:36 +0200)]
auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_update_send()

This simplifies further refactoring.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()

It's easier to have this in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()

In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()

In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spneg...
Stefan Metzmacher [Fri, 30 Dec 2016 11:59:01 +0000 (12:59 +0100)]
auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spnego_update_server()

This matches the flow already used in the client case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()

This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago auth/spnego: Fix whitespace and indent in gensec_spnego_server_try_fallback()
Andreas Schneider [Wed, 19 Jul 2017 08:47:37 +0000 (10:47 +0200)]
auth/spnego: Fix whitespace and indent in gensec_spnego_server_try_fallback()

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:tests: Add tests for smbspool_krb5_wrapper
Andreas Schneider [Tue, 11 Jul 2017 08:59:59 +0000 (10:59 +0200)]
s3:tests: Add tests for smbspool_krb5_wrapper

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 25 13:17:13 CEST 2017 on sn-devel-144

2 years ago s3:client: Use KRB5CCNAME in smbspool_krb5_wrapper if set
Andreas Schneider [Wed, 12 Jul 2017 14:07:25 +0000 (16:07 +0200)]
s3:client: Use KRB5CCNAME in smbspool_krb5_wrapper if set

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:tests: Add test for smbspool
Andreas Schneider [Tue, 11 Jul 2017 08:58:11 +0000 (10:58 +0200)]
s3:tests: Add test for smbspool

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s3:client: Only use kerberos if credential cache exists in smbspool
Andreas Schneider [Tue, 11 Jul 2017 07:41:08 +0000 (09:41 +0200)]
s3:client: Only use kerberos if credential cache exists in smbspool

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:client: Make it possible to use smbspool in selftest
Andreas Schneider [Mon, 24 Jul 2017 10:27:50 +0000 (12:27 +0200)]
s3:client: Make it possible to use smbspool in selftest

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s3:client: Fix the usage of argv in smbspool
Andreas Schneider [Tue, 11 Jul 2017 08:40:39 +0000 (10:40 +0200)]
s3:client: Fix the usage of argv in smbspool

We use argv[0] to print the name of the binary, but have shifted it
away. Do not do that.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:printing: Fix setting the first jobnum
Andreas Schneider [Wed, 12 Jul 2017 11:14:08 +0000 (13:14 +0200)]
s3:printing: Fix setting the first jobnum

This is just something logical. The define is called first jobnum but
the first one was always 101.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:printing: Do not segfault in vlp if no command has been specified
Andreas Schneider [Wed, 12 Jul 2017 11:07:08 +0000 (13:07 +0200)]
s3:printing: Do not segfault in vlp if no command has been specified

We should just print the usage() and return

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago uwrap: Update to version 1.2.4
Andreas Schneider [Thu, 13 Jul 2017 06:57:13 +0000 (08:57 +0200)]
uwrap: Update to version 1.2.4

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Andrew Bartlett [Mon, 17 Jul 2017 21:03:17 +0000 (09:03 +1200)]
selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144

2 years ago s4-netlogon: Use log_escape to protect against un-validated strings
Andrew Bartlett [Mon, 17 Jul 2017 20:57:03 +0000 (08:57 +1200)]
s4-netlogon: Use log_escape to protect against un-validated strings

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
Andrew Bartlett [Mon, 17 Jul 2017 20:46:08 +0000 (08:46 +1200)]
s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms

This splits out the username into the input, mapped and obtained
just as we do elsewhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago source4 netlogon: Add authentication logging for ServerAuthenticate3
Gary Lockyer [Sun, 9 Jul 2017 19:48:08 +0000 (07:48 +1200)]
source4 netlogon: Add authentication logging for ServerAuthenticate3

Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago tests auth_log: Add new tests for NETLOGON
Gary Lockyer [Sun, 9 Jul 2017 19:46:26 +0000 (07:46 +1200)]
tests auth_log: Add new tests for NETLOGON

Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing

Test code based on the existing auth_log tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago tests auth_log: Modify existing tests to handle NETLOGON messages
Gary Lockyer [Sun, 9 Jul 2017 19:45:16 +0000 (07:45 +1200)]
tests auth_log: Modify existing tests to handle NETLOGON messages

Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately.  Ignoring it in these tests avoids order dependencies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 22:59:18 +0000 (10:59 +1200)]
auth_log: use symbolic constant to replace /root/ncalrpc_as_system

Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago rpc: use symbolic constant to replace /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 23:00:45 +0000 (11:00 +1200)]
rpc: use symbolic constant to replace /root/ncalrpc_as_system

Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 22:55:48 +0000 (10:55 +1200)]
dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system

This string is used in several places in the code and tests, so it
should be a constant.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2 years ago mit-kdb: Fix NULL pointer check after malloc
Andreas Schneider [Mon, 24 Jul 2017 10:19:27 +0000 (12:19 +0200)]
mit-kdb: Fix NULL pointer check after malloc

This fixes building with GCC 7.1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144

2 years ago s4:kcc: Add a NULL check before qsort()
Andreas Schneider [Mon, 24 Jul 2017 10:13:50 +0000 (12:13 +0200)]
s4:kcc: Add a NULL check before qsort()

This fixes building with GCC 7.1.1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb.conf: Explain that "ntlm auth" is a per-passdb setting
Andrew Bartlett [Mon, 24 Jul 2017 02:09:19 +0000 (14:09 +1200)]
smb.conf: Explain that "ntlm auth" is a per-passdb setting

This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samdb/cracknames: support user and service principal as desired format
Bob Campbell [Wed, 5 Jul 2017 04:08:11 +0000 (16:08 +1200)]
samdb/cracknames: support user and service principal as desired format

This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

This also causes the test in cracknames.py to no longer fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144

2 years ago samdb/cracknames: do not show recycled when a guid is desired
Bob Campbell [Tue, 4 Jul 2017 23:15:04 +0000 (11:15 +1200)]
samdb/cracknames: do not show recycled when a guid is desired

Previously, when a GUID was desired to
cracknames, it would include recycled objects as well. This would
sometimes result in two objects being returned from a query which is
supposed to return a unique GUID. For example, if a deleted user had
the same sAMAccountName as a non-deleted user and cracknames was used to
find the GUID of this account, it would return two GUIDs, and so would
fail with DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago python/tests: add python test for cracknames
Bob Campbell [Tue, 4 Jul 2017 23:08:45 +0000 (11:08 +1200)]
python/tests: add python test for cracknames

This fails due to the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago selftest: Make --include-env and --exclude-env use the base env name
Andrew Bartlett [Fri, 21 Jul 2017 08:10:43 +0000 (20:10 +1200)]
selftest: Make --include-env and --exclude-env use the base env name

The code as deployed would have required (eg) '--include-env=ktest
--include-env=ktest:local' which was not done in autobuild, causing
tests to be skipped.  This patch restores the intended behaviour.

This causes 33 testsuites to run, one more test (the newly added
samba.tests.ntlmauth) than the old regex provided (before
602772159dfd1213385f42ecbf31136f57693b63).

(The regression dropped us down to matching only 7 tests).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144

2 years ago ctdb-tests: Add event script startup/shutdown tests
Martin Schwenke [Tue, 18 Jul 2017 20:09:15 +0000 (06:09 +1000)]
ctdb-tests: Add event script startup/shutdown tests

For vsftpd, httpd, winbind.  These should help to catch typo
regressions.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sun Jul 23 19:31:08 CEST 2017 on sn-devel-144

2 years ago ctdb-scripts: Fix a typo
Martin Schwenke [Mon, 17 Jul 2017 05:36:42 +0000 (15:36 +1000)]
ctdb-scripts: Fix a typo

This is a regression introduced in commit
e847ec3ae24cc6c8c69284c7fe0791a319cf7142

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago s4-drepl: Block GetNCChanges during a DsReplicaSync
Andrew Bartlett [Sat, 22 Jul 2017 10:00:59 +0000 (22:00 +1200)]
s4-drepl: Block GetNCChanges during a DsReplicaSync

If we do not block these, we can get RPC faults
(DCERPC_NCA_S_PROTO_ERROR) which gives WERR_WRITE_FAULT back to the
DsReplicaSync call as there are two outstanding requests on the wire
at the one time.

We will get to the next operation as soon as this is finished
when we call run_pending_ops().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12926

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jul 23 12:32:49 CEST 2017 on sn-devel-144

2 years ago s3: libsmb: Fix use-after-free when accessing pointer *p.
Thomas Jarosch [Sat, 22 Jul 2017 16:36:18 +0000 (09:36 -0700)]
s3: libsmb: Fix use-after-free when accessing pointer *p.

talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144

2 years ago s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler
Andrew Bartlett [Fri, 21 Jul 2017 05:52:04 +0000 (17:52 +1200)]
s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler

When we are sent a DsReplicaSync() we should work on inbound replication
(ideally from the requested source, but so far we just start the whole queue)
right away, not after 1 second.

We should also target inbound replication, not any outbound replication
notification that may happen to be due.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12921

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 22 07:45:31 CEST 2017 on sn-devel-144

2 years ago ldb: version 1.2.1 ldb-1.2.1
Stefan Metzmacher [Fri, 21 Jul 2017 12:36:08 +0000 (14:36 +0200)]
ldb: version 1.2.1

* Bug #12882: Do not install _ldb_text.py if we have system libldb
* Use libraries from build dir for testsuite
* Bug #12900: Fix index out of bound in ldb_msg_find_common_values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jul 22 03:46:25 CEST 2017 on sn-devel-144

2 years ago tevent: version 0.9.33 tevent-0.9.33
Stefan Metzmacher [Fri, 21 Jul 2017 12:34:59 +0000 (14:34 +0200)]
tevent: version 0.9.33

* make tevent_req_print() more robust against crashes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago tevent: handle passing req = NULL to tevent_req_print()
Stefan Metzmacher [Thu, 20 Jul 2017 12:20:03 +0000 (14:20 +0200)]
tevent: handle passing req = NULL to tevent_req_print()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print()
Stefan Metzmacher [Thu, 20 Jul 2017 12:16:44 +0000 (14:16 +0200)]
tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print()

We have the same information available under req->internal.private_type.

This way it's possible to call tevent_req_print() after
tevent_req_received() was called.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago talloc: version 2.1.10 talloc-2.1.10
Stefan Metzmacher [Fri, 21 Jul 2017 12:33:57 +0000 (14:33 +0200)]
talloc: version 2.1.10

* build, documentation and python3 improvements

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done()
Stefan Metzmacher [Thu, 20 Jul 2017 09:56:21 +0000 (11:56 +0200)]
s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done()

This was missing in commit d718e92d5e145dccd492c46febc249e462ce50c6.

Sadly we can't have automated tests for this as we only implement
the client side for this protocol.

I've tested with using:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \
  rpc.epmapper.epmapper.Lookup_simple \

and:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \
  rpc.epmapper.epmapper.Lookup_simple \

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12919

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 21 23:29:39 CEST 2017 on sn-devel-144

2 years ago winbindd: avoid refreshing sequence number when domain is offline
Uri Simchoni [Wed, 7 Jun 2017 17:34:33 +0000 (20:34 +0300)]
winbindd: avoid refreshing sequence number when domain is offline

When there's no connectivity to the domain, avoid attempt to
refresh sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago winbindd: queryuser - only get group name if needed
Uri Simchoni [Wed, 7 Jun 2017 17:33:57 +0000 (20:33 +0300)]
winbindd: queryuser - only get group name if needed

When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago winbindd: cache name-to-sid from PAC based on lookup domain
Uri Simchoni [Wed, 7 Jun 2017 17:33:24 +0000 (20:33 +0300)]
winbindd: cache name-to-sid from PAC based on lookup domain

The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago vfs_ceph: fix cephwrap_chdir()
David Disseldorp [Fri, 14 Jul 2017 21:55:29 +0000 (23:55 +0200)]
vfs_ceph: fix cephwrap_chdir()

When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144

2 years ago selftest: Add test for password change when NTLM is disabled
Tim Beale [Tue, 4 Jul 2017 05:27:27 +0000 (17:27 +1200)]
selftest: Add test for password change when NTLM is disabled

When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144

2 years ago getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with...
Andrew Bartlett [Thu, 20 Apr 2017 02:00:21 +0000 (14:00 +1200)]
getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE

This should not happen, but we have seen this happen in autobuild
before the whole-DB locking issues were resolved by
https://bugzilla.samba.org/show_bug.cgi?id=12858

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago build: fix ceph_statx check when configured with libcephfs_dir
David Disseldorp [Thu, 20 Jul 2017 09:10:57 +0000 (11:10 +0200)]
build: fix ceph_statx check when configured with libcephfs_dir

When configured with a custom libcephfs_dir, the ceph_statx check fails
to link. This is due to the location of the ceph-common dependency,
which is installed under a ceph subdirectory.

ceph/build > make DESTDIR=./inst install
...
ceph/build > find inst/|grep -e /libcephfs -e /libceph-common
inst/usr/local/lib64/ceph/libceph-common.so.0
inst/usr/local/lib64/ceph/libceph-common.so
inst/usr/local/lib64/libcephfs.so.2.0.0
inst/usr/local/lib64/libcephfs.so.2
inst/usr/local/lib64/libcephfs.so
inst/usr/local/include/cephfs/libcephfs.h

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Jeff Layton <jlayton@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Jul 20 23:02:27 CEST 2017 on sn-devel-144

2 years ago s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
Noel Power [Thu, 20 Jul 2017 12:01:50 +0000 (13:01 +0100)]
s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)

uint16_t get_fileinfo(...) returns file attributes, this function
called

     cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL,
                     NULL, NULL, NULL);

which was failing with NT_STATUS_ACCESS_DENIED errors when fnum above
was obtained via (when using protocol > SMB). Note: This only seems to be
an issue when run against a windows server, with smbd SMB1 & SMB2 work fine.

    status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
                  0, FILE_SHARE_READ|FILE_SHARE_WRITE,
                  FILE_OPEN, 0x0, 0x0, &fnum, NULL);

The failing cli_qfileinfo_basic call above is unnecessary as we can already
obtain the required information from the cli_ntcreate call

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2 years ago s4-torture: point out why we cannot validate MSZIP compressed files
Günther Deschner [Tue, 23 May 2017 13:50:55 +0000 (15:50 +0200)]
s4-torture: point out why we cannot validate MSZIP compressed files

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 20 01:38:02 CEST 2017 on sn-devel-144

2 years ago librpc/ndr: add MSZIP compression for cabinet files
Aurelien Aptel [Tue, 23 May 2017 10:09:28 +0000 (12:09 +0200)]
librpc/ndr: add MSZIP compression for cabinet files

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: simplify cabinet file size calculation
Aurelien Aptel [Tue, 23 May 2017 13:41:24 +0000 (15:41 +0200)]
librpc/ndr: simplify cabinet file size calculation

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: Use correct value for max compression size
Andreas Schneider [Wed, 21 Jun 2017 15:01:43 +0000 (17:01 +0200)]
librpc/ndr: Use correct value for max compression size

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: Use MAX_WBITS zlib define and change memLevel in MSZIP code
Günther Deschner [Tue, 23 May 2017 13:48:42 +0000 (15:48 +0200)]
librpc/ndr: Use MAX_WBITS zlib define and change memLevel in MSZIP code

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: remove unused ndr_cab_get_compression() function
Aurelien Aptel [Tue, 23 May 2017 13:37:13 +0000 (15:37 +0200)]
librpc/ndr: remove unused ndr_cab_get_compression() function

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc: use DATA_BLOB in CFDATA structure
Aurelien Aptel [Tue, 23 May 2017 13:31:44 +0000 (15:31 +0200)]
librpc: use DATA_BLOB in CFDATA structure

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: add helper functions to setup and free compression states.
Aurelien Aptel [Tue, 23 May 2017 10:02:33 +0000 (12:02 +0200)]
librpc/ndr: add helper functions to setup and free compression states.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: add new MSZIP compression type for cabinet files
Günther Deschner [Tue, 23 May 2017 10:02:10 +0000 (12:02 +0200)]
librpc/ndr: add new MSZIP compression type for cabinet files

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: add new ndr_compression_state
Aurelien Aptel [Tue, 23 May 2017 09:59:59 +0000 (11:59 +0200)]
librpc/ndr: add new ndr_compression_state

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago libndr/compression: pass down compressed length in ndr_pull_compression_start
Günther Deschner [Mon, 19 Sep 2016 22:18:43 +0000 (00:18 +0200)]
libndr/compression: pass down compressed length in ndr_pull_compression_start

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc/ndr: remove trailing whitespace from compression file.
Aurelien Aptel [Tue, 24 Jan 2017 18:00:53 +0000 (19:00 +0100)]
librpc/ndr: remove trailing whitespace from compression file.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago librpc:ndr_cab: Cast data pointer correctly
Andreas Schneider [Tue, 9 May 2017 14:51:43 +0000 (16:51 +0200)]
librpc:ndr_cab: Cast data pointer correctly

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago ndr_compression: use MAX_WBITS constant
Aurelien Aptel [Fri, 30 Jun 2017 13:07:31 +0000 (15:07 +0200)]
ndr_compression: use MAX_WBITS constant

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago smbd: Fix a connection run-down race condition
Volker Lendecke [Wed, 19 Jul 2017 12:51:33 +0000 (14:51 +0200)]
smbd: Fix a connection run-down race condition

When we do a server exit with active aio jobs, we need to keep the
aio state active for the helper thread. Right now I don't see another
chance than to leak memory in this case. And, I don't really oversee
how cancelling requests works in this case, but this does fix crashes
seen at a customer site.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago examples: add winbindd.stp and a shell script to generate it
Ralph Boehme [Fri, 30 Jun 2017 17:37:03 +0000 (19:37 +0200)]
examples: add winbindd.stp and a shell script to generate it

Usage:

  Instrument all winbindd processes:
  # stap winbindd.stp

  Instrument a specific winbindd process:
  # stap -x PID winbindd.stp

Example output:

  # stap winbindd.stp
  Collecting data, press ctrl-C to stop... ^C

  Winbind request service time
  ============================
  winbindd_getpwnam_send                   count:    99, sum:   6229 ms (min:   2669 us, avg:  62921 us, max: 157907 us)

  Winbind request runtime
  =======================
  winbindd_getpwnam_send                   count:    99, sum:      3 ms (min:     21 us, avg:     36 us, max:     77 us)

  Winbind domain-child request service time
  =========================================
  _wbint_LookupName                        count:    99, sum:   1403 ms (min:    619 us, avg:  14181 us, max: 136613 us)
  _wbint_GetNssInfo                        count:    99, sum:      0 ms (min:      2 us, avg:      3 us, max:      6 us)
  _wbint_LookupSid                         count:   102, sum:     49 ms (min:     13 us, avg:    481 us, max:   6315 us)
  _wbint_Sids2UnixIDs                      count:   101, sum:      2 ms (min:     18 us, avg:     29 us, max:     49 us)
  _wbint_LookupSids                        count:   101, sum:     84 ms (min:    411 us, avg:    838 us, max:   3524 us)

  Winbind domain-child AD-backend service time
  ============================================
  sid_to_name                              count:    56, sum:     45 ms (min:    431 us, avg:    816 us, max:   6275 us)
  sequence_number                          count:    12, sum:   1209 ms (min:  46618 us, avg: 100803 us, max: 131439 us)
  name_to_sid                              count:    99, sum:    176 ms (min:    547 us, avg:   1781 us, max:   9866 us)

  ...

Regenerate winbindd.stp:

  $ examples/systemtap/generate-winbindd.stp.sh

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 19 16:20:56 CEST 2017 on sn-devel-144

2 years ago examples: add gencache.stp
Ralph Boehme [Fri, 30 Jun 2017 10:59:37 +0000 (12:59 +0200)]
examples: add gencache.stp

Add a Systemtap script to profile gencache.

Usage:

- profile a single smbd process:
  # stap -x 22225 gencache.stp smbd

- profile all winbindd processes:
  # stap gencache.stp winbindd

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago dbwrap_ctdb: Fix calculation of persistent flag
Amitay Isaacs [Wed, 19 Jul 2017 02:04:35 +0000 (12:04 +1000)]
dbwrap_ctdb: Fix calculation of persistent flag

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s3:tests: Fix directory creation and deletion of test_nosymlinks()
Andreas Schneider [Tue, 18 Jul 2017 10:29:16 +0000 (12:29 +0200)]
s3:tests: Fix directory creation and deletion of test_nosymlinks()

This should fix flakey autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 19 11:59:52 CEST 2017 on sn-devel-144

2 years ago s3:tests: Fix directory creation and deletion of test_local_symlinks()
Andreas Schneider [Tue, 18 Jul 2017 10:03:32 +0000 (12:03 +0200)]
s3:tests: Fix directory creation and deletion of test_local_symlinks()

This should fix flakey autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago docs: Fix a typo in cifsdd.8
Samba-JP oota [Tue, 18 Jul 2017 09:06:58 +0000 (11:06 +0200)]
docs: Fix a typo in cifsdd.8

Signed-off-by: Samba-JP oota <ribbon@samba.gr.jp>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 18 18:35:16 CEST 2017 on sn-devel-144

2 years ago s3: smbclient: Add a test for the setmode command.
Jeremy Allison [Fri, 14 Jul 2017 23:09:50 +0000 (16:09 -0700)]
s3: smbclient: Add a test for the setmode command.

Tested over SMB1 and SMB2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12899

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 18 14:05:18 CEST 2017 on sn-devel-144

2 years ago s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2...
Jeremy Allison [Mon, 17 Jul 2017 17:37:15 +0000 (10:37 -0700)]
s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2 to match SMB1.

SMB1 uses attr == 0 to clear all attributes
on a file (end up with FILE_ATTRIBUTE_NORMAL),
and attr == FILE_ATTRIBUTE_NORMAL to mean ignore
request attribute change.

SMB2 uses exactly the reverse. Unfortunately as the
cli_setatr() ABI is exposed inside libsmbclient,
we must make the SMB2 cli_smb2_setatr() call
export the same ABI as the SMB1 cli_setatr()
which calls it. This means reversing the sense
of the requested attr argument if it's zero
or FILE_ATTRIBUTE_NORMAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12899

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2 years ago Revert "s3:smbclient: Allow last dos attribute to be cleared"
Jeremy Allison [Mon, 17 Jul 2017 17:38:36 +0000 (10:38 -0700)]
Revert "s3:smbclient: Allow last dos attribute to be cleared"

Incorrect fix - this must be fixed inside cli_setatr(), not
the callers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12899

This reverts commit a4c3ee6767d768365a47bfda32a26cb7994b3787.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2 years ago s3:client: The smbspool krb5 wrapper needs negotiate for authentication
Andreas Schneider [Fri, 7 Jul 2017 12:08:49 +0000 (14:08 +0200)]
s3:client: The smbspool krb5 wrapper needs negotiate for authentication

If you create a new printer it doesn't have AuthInfoRequired set and so
cups calls the backend with:

  AUTH_INFO_REQUIRED=none

In this case we need to return:

  ATTR: auth-info-required=negotiate

and return an error that we require authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12886

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 15 06:43:47 CEST 2017 on sn-devel-144

2 years ago s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Jeremy Allison [Thu, 13 Jul 2017 19:06:58 +0000 (12:06 -0700)]
s3: smbd: Fix a read after free if a chained SMB1 call goes async.

Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
Ralph Boehme [Fri, 14 Jul 2017 14:38:36 +0000 (16:38 +0200)]
s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12910

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago s3: drop build_env
Bernhard M. Wiedemann [Mon, 10 Jul 2017 16:29:41 +0000 (18:29 +0200)]
s3: drop build_env

As a follow up to eedebe2ef1b ("docs-xml: Sort input file list"), this
change enables reproducible builds, without the added complexity of
https://lists.samba.org/archive/samba-technical/2017-June/121302.html

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12906

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 14 18:48:08 CEST 2017 on sn-devel-144

2 years ago Build py3 versions of other rpc modules
Alexander Bokovoy [Thu, 13 Jul 2017 11:49:12 +0000 (14:49 +0300)]
Build py3 versions of other rpc modules

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12905

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Jul 14 11:36:53 CEST 2017 on sn-devel-144

2 years ago py3: Make sure to specify METH_VARARGS together with METH_KEYWORDS
Alexander Bokovoy [Thu, 13 Jul 2017 12:37:47 +0000 (15:37 +0300)]
py3: Make sure to specify METH_VARARGS together with METH_KEYWORDS

A Python 3 bug https://bugs.python.org/issue15657 explains that one should
always use METH_VARARGS|METH_KEYWORDS when defining a function rather
than a lonely METH_KEYWORDS. We had only one definition like this in
Samba and it was the one that affects FreeIPA when running in Python 3
mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12905

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s3:smbclient: Allow last dos attribute to be cleared
Steve French [Thu, 13 Jul 2017 18:57:53 +0000 (13:57 -0500)]
s3:smbclient: Allow last dos attribute to be cleared

With the upgrade to SMB3.1.1 from cifs for smbclient,
setmode no longer works when removing attributes,
if the resultant attribute is 0 it is skipped
(unlike for the old cifs setpathinfo).

When clearing the final attribute, pass in ATTRIBUTE_NORMAL
instead of zero.

This also removes a redundant cli_setatr call
when clearing attributes (cli_setatr was being called
twice).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12899

Signed-off-by: Steve French <sfrench@samba.org>
Reviewed-by: Anne Marie Merritt <annemarie.merritt@primarydata.com>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 14 02:43:47 CEST 2017 on sn-devel-144

2 years ago vfs_fruit: don't use MS NFS ACEs with Windows clients
Ralph Boehme [Wed, 12 Jul 2017 07:33:59 +0000 (09:33 +0200)]
vfs_fruit: don't use MS NFS ACEs with Windows clients

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12897

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jul 13 22:21:08 CEST 2017 on sn-devel-144

2 years ago ctdb-docs: Update documentation of ipreallocated event
Martin Schwenke [Wed, 12 Jul 2017 02:22:10 +0000 (12:22 +1000)]
ctdb-docs: Update documentation of ipreallocated event

This was out of date due to the removal of service_check_reconfigure()
and similar.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Jul 13 17:57:11 CEST 2017 on sn-devel-144

2 years ago ctdb-common: Set close-on-exec when creating PID file
Martin Schwenke [Wed, 12 Jul 2017 03:41:17 +0000 (13:41 +1000)]
ctdb-common: Set close-on-exec when creating PID file

Otherwise, for example, the file descriptor for the main PID file will
leak all the way down to event scripts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12898

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago libwbclient: Fix CID 1414781 Dereference null return value
Volker Lendecke [Tue, 11 Jul 2017 14:04:01 +0000 (16:04 +0200)]
libwbclient: Fix CID 1414781 Dereference null return value

Basically a cut&paste error from somewhere else

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jul 12 22:12:22 CEST 2017 on sn-devel-144

2 years ago spoolss: Fix CID 1414784 Uninitialized scalar variable
Volker Lendecke [Tue, 11 Jul 2017 11:50:09 +0000 (13:50 +0200)]
spoolss: Fix CID 1414784 Uninitialized scalar variable

"struct tm" can contain more members than we explicitly initialize.

Initialize them all.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
Jeffrey Altman [Wed, 12 Apr 2017 19:40:42 +0000 (15:40 -0400)]
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
(based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 12 17:44:50 CEST 2017 on sn-devel-144

2 years ago dbwrap: Ask CTDB for local tdb open flags
Ralph Boehme [Tue, 11 Jul 2017 19:35:17 +0000 (21:35 +0200)]
dbwrap: Ask CTDB for local tdb open flags

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 12 13:25:11 CEST 2017 on sn-devel-144

2 years ago ctdbd_conn: pass persistent bool instead of tdb_flags
Ralph Boehme [Tue, 11 Jul 2017 18:41:43 +0000 (20:41 +0200)]
ctdbd_conn: pass persistent bool instead of tdb_flags

ctdbd_db_attach() only needs to know the ctdb database model, not the
rest of the flags.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago ctdbd_conn: move CTDB_CONTROL_ENABLE_SEQNUM control to db_open_ctdb
Ralph Boehme [Tue, 11 Jul 2017 18:36:35 +0000 (20:36 +0200)]
ctdbd_conn: move CTDB_CONTROL_ENABLE_SEQNUM control to db_open_ctdb

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago dbwrap: CTDB ignores tdb_flags passed to db attach controls
Amitay Isaacs [Mon, 10 Jul 2017 14:38:59 +0000 (00:38 +1000)]
dbwrap: CTDB ignores tdb_flags passed to db attach controls

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago dbwrap: enable mutexes by default for volatile TDBs
Ralph Boehme [Sun, 9 Jul 2017 14:23:20 +0000 (16:23 +0200)]
dbwrap: enable mutexes by default for volatile TDBs

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago ctdb: enable mutexes for volatile TDBs by default
Ralph Boehme [Sun, 9 Jul 2017 14:20:11 +0000 (16:20 +0200)]
ctdb: enable mutexes for volatile TDBs by default

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years ago idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
Dustin L. Howett via samba-technical [Fri, 30 Jun 2017 23:10:01 +0000 (16:10 -0700)]
idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN

All other ldap-querying methods in idmap_ad make a single retry attempt if they get
TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design.

This fixes the symptom described in 12720 at the cost of an additional reconnect per
failed lookup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720

Signed-off-by: Dustin L. Howett <dustin@howett.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago selftest: add some basic tests for idmap_ad
Ralph Boehme [Mon, 10 Jul 2017 14:20:23 +0000 (16:20 +0200)]
selftest: add some basic tests for idmap_ad

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>