samba.git
7 months ago modules: Add dependency on tirpc to vfs_nfs4acl_xattr
Andrew Bartlett [Fri, 8 Mar 2019 04:35:39 +0000 (04:35 +0000)]
modules: Add dependency on tirpc to vfs_nfs4acl_xattr

This is done as a new subsystem (either filled or empty) rather than via string
manipulation.

This will fix compile error on fedora.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
7 months ago libsmb: Use sid_parse()
Volker Lendecke [Mon, 11 Mar 2019 16:16:34 +0000 (17:16 +0100)]
libsmb: Use sid_parse()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago lib: Remove "struct sid_parse_ret" again
Volker Lendecke [Mon, 11 Mar 2019 16:11:06 +0000 (17:11 +0100)]
lib: Remove "struct sid_parse_ret" again

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago lib: Make sid_parse return the parsed length
Volker Lendecke [Mon, 11 Mar 2019 15:55:57 +0000 (16:55 +0100)]
lib: Make sid_parse return the parsed length

Use a temporary struct as a return value to make the compiler catch all
callers. If we just changed bool->ssize_t, this would just generate a
warning. struct sid_parse_ret will go away in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago Avoid NULL pointer dereference in SMBsendend handler
Michael Hanselmann [Wed, 6 Mar 2019 22:44:23 +0000 (23:44 +0100)]
Avoid NULL pointer dereference in SMBsendend handler

The "reply_sendend" function wouldn't check whether the connection had
any pending message state. A client sending an out-of-order SMBsendend
message would trigger a NULL pointer dereference.

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago s4/scripting/autoidl: p3 exception syntax
Douglas Bagnall [Sat, 9 Mar 2019 01:40:50 +0000 (14:40 +1300)]
s4/scripting/autoidl: p3 exception syntax

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago test/blackbox: py3 compatible print in documentation.
Douglas Bagnall [Sat, 9 Mar 2019 00:49:13 +0000 (13:49 +1300)]
test/blackbox: py3 compatible print in documentation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago s4/scripting: MORE py3 compatible print functions
Douglas Bagnall [Sat, 9 Mar 2019 00:48:29 +0000 (13:48 +1300)]
s4/scripting: MORE py3 compatible print functions

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest/filter-subunit: use py3 print
Douglas Bagnall [Sat, 9 Mar 2019 00:27:16 +0000 (13:27 +1300)]
selftest/filter-subunit: use py3 print

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest/format-subunit-json: remove useless py2 print
Douglas Bagnall [Fri, 8 Mar 2019 08:06:26 +0000 (21:06 +1300)]
selftest/format-subunit-json: remove useless py2 print

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago pidl/s4/python: call export "export" in py exceptions
Douglas Bagnall [Sun, 24 Feb 2019 09:49:10 +0000 (22:49 +1300)]
pidl/s4/python: call export "export" in py exceptions

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago libsmb: Use tevent_req_simple_finish_ntstatus
Volker Lendecke [Sat, 2 Mar 2019 19:01:10 +0000 (20:01 +0100)]
libsmb: Use tevent_req_simple_finish_ntstatus

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar  8 19:16:18 UTC 2019 on sn-devel-144

7 months ago libsmb: Add "in_cblobs" to cli_smb2_unlink
Volker Lendecke [Mon, 4 Mar 2019 19:40:14 +0000 (20:40 +0100)]
libsmb: Add "in_cblobs" to cli_smb2_unlink

This reveals the fact that unlink is an open/close in smb2 through the
API. This is not nice, but it's an internal API with currently only
one user. And it enables posix semantics for the open easily.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago libsmb: Add "in_cblobs" to cli_smb2_rmdir
Volker Lendecke [Mon, 4 Mar 2019 19:40:14 +0000 (20:40 +0100)]
libsmb: Add "in_cblobs" to cli_smb2_rmdir

This reveals the fact that rmdir is an open/close in smb2 through the
API. This is not nice, but it's an internal API with currently only
one user. And it enables posix semantics for the open easily.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago libsmb: Make cli_smb2_unlink async
Volker Lendecke [Mon, 4 Mar 2019 19:38:24 +0000 (20:38 +0100)]
libsmb: Make cli_smb2_unlink async

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago libsmb: Simplify cli_smb2_mxac
Volker Lendecke [Mon, 4 Mar 2019 20:21:57 +0000 (21:21 +0100)]
libsmb: Simplify cli_smb2_mxac

smb2_create_blob_find() can search for a create blob for us

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago lib:util: Move debug message for mkdir failing to log level 1
Andreas Schneider [Thu, 7 Mar 2019 11:31:42 +0000 (12:31 +0100)]
lib:util: Move debug message for mkdir failing to log level 1

If you connect to a host with smbclient this always gets printed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13823

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  8 01:41:27 UTC 2019 on sn-devel-144

7 months ago samba-o3: fix -Werror=maybe-uninitialized in lib/mscat/mscat_pks7.c
Joe Guo [Fri, 21 Dec 2018 00:47:45 +0000 (13:47 +1300)]
samba-o3: fix -Werror=maybe-uninitialized in lib/mscat/mscat_pks7.c

samba-o3 test failed in ubuntu:1804 image with:

    ../../lib/mscat/mscat_pkcs7.c: In function ‘mscat_pkcs7_import_catfile’:
    ../../lib/mscat/mscat_pkcs7.c:143:18: error: ‘blob.length’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
      mscat_data.size = blob.length;
      ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
    ../../lib/mscat/mscat_pkcs7.c:142:18: error: ‘blob.data’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
      mscat_data.data = blob.data;
      ~~~~~~~~~~~~~~~~^~~~~~~~~~~
    ../../lib/mscat/mscat_pkcs7.c: In function ‘mscat_pkcs7_verify’:
    ../../lib/mscat/mscat_pkcs7.c:225:16: error: ‘blob.length’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
       ca_data.size = blob.length;
       ~~~~~~~~~~~~~^~~~~~~~~~~~~
    ../../lib/mscat/mscat_pkcs7.c:224:16: error: ‘blob.data’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
       ca_data.data = blob.data;
       ~~~~~~~~~~~~~^~~~~~~~~~~
    cc1: all warnings being treated as errors

Since in `mscat_read_file`, it may still return rc = 0 while goto error,
ends up with blob uninitialized.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago samba-o3: fix -Werror=strict-overflow error in s4/torture/raw/eas module
Joe Guo [Wed, 19 Dec 2018 01:37:33 +0000 (14:37 +1300)]
samba-o3: fix -Werror=strict-overflow error in s4/torture/raw/eas module

samba-o3 test failed in ubuntu:16.04 docker container:

    ==> /home/samba/samba/samba-o3.stderr <==
    ../../source4/torture/raw/eas.c: In function ‘test_max_eas’:
    ../../source4/torture/raw/eas.c:286:12: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
     static bool test_max_eas(struct smbcli_state *cli, struct torture_context *tctx)
                ^
    cc1: all warnings being treated as errors

`total += j` may overflow. Change total type to `size_t` to mute error.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago samba-o3: fix -Werror=strict-overflow error in lib/ldb-samba/ldb_ildap module
Joe Guo [Wed, 19 Dec 2018 01:25:12 +0000 (14:25 +1300)]
samba-o3: fix -Werror=strict-overflow error in lib/ldb-samba/ldb_ildap module

samba-o3 test failed in ubuntu:16.04 docker container:

    ==> /home/samba/samba/samba-o3.stderr <==
    ../../lib/ldb-samba/ldb_ildap.c: In function ‘ildb_handle_request’:
    ../../lib/ldb-samba/ldb_ildap.c:535:2: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
      for (i = 0; i < n; i++) {
      ^
    ../../lib/ldb-samba/ldb_ildap.c:579:2: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
      for (i = 0; i < n; i++) {
      ^
    cc1: all warnings being treated as errors

Change type to mute errors.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago pygpo: take ownership of password pointer
Kristján Valur [Thu, 28 Feb 2019 15:15:14 +0000 (15:15 +0000)]
pygpo: take ownership of password pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Mar  7 15:08:19 UTC 2019 on sn-devel-144

7 months ago pygpo: Safer handling of memory for ads_ptr.
Kristján Valur [Thu, 28 Feb 2019 11:34:47 +0000 (11:34 +0000)]
pygpo: Safer handling of memory for ads_ptr.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: Fix module initialization.
Kristján Valur [Wed, 27 Feb 2019 16:48:39 +0000 (16:48 +0000)]
pygpo: Fix module initialization.

* Add reference count to type.

* Add error checking.

* Remove unnecessary tp_new method.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: keep a reference to python credentials in the ADS struct to keep the internal...
Kristján Valur [Wed, 27 Feb 2019 16:36:32 +0000 (16:36 +0000)]
pygpo: keep a reference to python credentials in the ADS struct to keep the internal pointer valid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: More python exception cleanup.
Kristján Valur [Wed, 27 Feb 2019 16:32:14 +0000 (16:32 +0000)]
pygpo: More python exception cleanup.

* Don't override existing exceptions.

* Careful with talloc contexts.

* Return NULL on error.

* Add more information to exception messages from internal functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: Fix error handling when getting gpo unix path.
Kristján Valur [Wed, 27 Feb 2019 16:03:16 +0000 (16:03 +0000)]
pygpo: Fix error handling when getting gpo unix path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: Proper exception exit in py_ads_connect().
Kristján Valur [Wed, 27 Feb 2019 14:12:43 +0000 (14:12 +0000)]
pygpo: Proper exception exit in py_ads_connect().

connect() now succeeds or raises an exception.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago pygpo: Replace the use of SystemError with RuntimeError.
Kristján Valur [Wed, 27 Feb 2019 13:36:03 +0000 (13:36 +0000)]
pygpo: Replace the use of SystemError with RuntimeError.

SystemError is reserved for internal errors in the interpreter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13822
Signed-off-by: Kristján Valur Jónsson <kristjan@rvx.is>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago subunit/run.py: change shebang to python3
Joe Guo [Wed, 6 Mar 2019 23:12:00 +0000 (12:12 +1300)]
subunit/run.py: change shebang to python3

always use explicit python version at current stage.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Mar  7 13:03:56 UTC 2019 on sn-devel-144

7 months ago tests/auto_log_pass_change.py: only care about the last expected message other than...
Joe Guo [Thu, 7 Mar 2019 03:10:27 +0000 (16:10 +1300)]
tests/auto_log_pass_change.py: only care about the last expected message other than exact messages count

The messages count could be different because of racing condition.
And we should only care about the last expected one.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago subunit/run.py: make iso8601 UTC usage python 2/3 compatible
Joe Guo [Wed, 6 Mar 2019 23:34:15 +0000 (12:34 +1300)]
subunit/run.py: make iso8601 UTC usage python 2/3 compatible

In `iso8601/iso8601.py`:

    if sys.version_info >= (3, 2, 0):
        UTC = datetime.timezone.utc
        ...
    else:
        class Utc(datetime.tzinfo):
            ...

        UTC = Utc()

The class `Utc` is only available for python < 3.2.0.
Use `UTC` instance instead, which is python 2/3 compatible.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
7 months ago s4-server: Open and close a transaction on sam.ldb at startup
Andrew Bartlett [Tue, 5 Mar 2019 01:38:41 +0000 (01:38 +0000)]
s4-server: Open and close a transaction on sam.ldb at startup

This fixes upgrading from 4.7 and earlier releases, and makes the DB
reindexing more transparent. It should also make it easier to handle
future normalisation rule changes, e.g. if we change the pack-format
of integer indexes in a future release.

Without this change, the  should have still handled reindexing the
database. We don't know why exactly this wasn't happening correctly,
but opening a transaction early in the samba process startup should
now guarantee that the DB is correctly reindexed by the time the main
samba code runs.

An alternative fix would have been to open a transaction in the
DSDB module stack every time we connect to the database. However, this
would add an extra write lock every time we open the DB, whereas
starting samba happens much more infrequently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13760

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar  7 04:58:42 UTC 2019 on sn-devel-144

7 months ago dsdb: Provide better error strings in rootdse GUID attribute handling
Andrew Bartlett [Mon, 4 Mar 2019 02:15:43 +0000 (15:15 +1300)]
dsdb: Provide better error strings in rootdse GUID attribute handling

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7 months ago kcc: Give a better error message when samdb_ntds_objectGUID fails
Andrew Bartlett [Mon, 4 Mar 2019 02:15:08 +0000 (15:15 +1300)]
kcc: Give a better error message when samdb_ntds_objectGUID fails

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7 months ago dsdb: Unify samdb_{get,set}_ntds_{objectGUID,invocation_id}
Andrew Bartlett [Mon, 4 Mar 2019 02:13:55 +0000 (15:13 +1300)]
dsdb: Unify samdb_{get,set}_ntds_{objectGUID,invocation_id}

The new unified versions have better debugging and ensure
that both functions continue to have the same control flow.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
7 months ago WHATSNEW: Add the removal of the web server
Garming Sam [Wed, 6 Mar 2019 01:21:43 +0000 (14:21 +1300)]
WHATSNEW: Add the removal of the web server

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Mar  7 03:17:52 UTC 2019 on sn-devel-144

7 months ago paged_results: Remove C++ comment and unneeded TODO
Garming Sam [Tue, 5 Mar 2019 22:10:47 +0000 (11:10 +1300)]
paged_results: Remove C++ comment and unneeded TODO

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
7 months ago passdb: Increase ABI version to 0.28.0
Christof Schmitt [Thu, 7 Mar 2019 00:18:51 +0000 (16:18 -0800)]
passdb: Increase ABI version to 0.28.0

The change from c906153cc lib: Remove some unused code
removed functions, but only updated the minor version
of the ABI. Update the passdb version to 0.28.0
to reflect this change.
file.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  7 01:30:49 UTC 2019 on sn-devel-144

7 months ago web_server: Remove the web port smb.conf parameter
Garming Sam [Wed, 6 Mar 2019 00:21:55 +0000 (13:21 +1300)]
web_server: Remove the web port smb.conf parameter

With the removal of the web server, there are not any users of this
parameter and so should just be removed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago web_server: Remove the unused Python WSGI web server
Garming Sam [Wed, 6 Mar 2019 00:06:50 +0000 (13:06 +1300)]
web_server: Remove the unused Python WSGI web server

SWAT was removed in Samba 4.1 and there isn't any reason to keep a web
server in our codebase. The web server was not turned on by default.

The web server plainly does not hold up to modern web server standards
and allows for resource exhaustion (and probably generally has bugs).
Credit goes to Michael Hanselmann for prompting us to remove this
service entirely.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago sam.c: allocate account_sid on tmp_ctx
Isaac Boukris [Sun, 20 Jan 2019 12:56:30 +0000 (14:56 +0200)]
sam.c: allocate account_sid on tmp_ctx

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  6 04:30:22 UTC 2019 on sn-devel-144

7 months ago sam.c: fix incorrect check of talloc_new() allocation
Isaac Boukris [Tue, 15 Jan 2019 11:58:52 +0000 (13:58 +0200)]
sam.c: fix incorrect check of talloc_new() allocation

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
7 months ago ndr_spoolss_buf: fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT()
Stefan Metzmacher [Fri, 1 Mar 2019 14:48:18 +0000 (15:48 +0100)]
ndr_spoolss_buf: fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13818

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
7 months ago Enable make test even without lmdb
Mathieu Parent [Wed, 3 Oct 2018 20:18:55 +0000 (20:18 +0000)]
Enable make test even without lmdb

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13630

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
7 months ago lib/winbind_util: Add winbind_xid_to_sid for --without-winbind
Christof Schmitt [Tue, 5 Mar 2019 18:56:49 +0000 (11:56 -0700)]
lib/winbind_util: Add winbind_xid_to_sid for --without-winbind

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13813

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar  6 01:53:16 UTC 2019 on sn-devel-144

7 months ago lib/winbind_util: Remove winbind_[gu]id_to_sid
Christof Schmitt [Tue, 5 Mar 2019 18:52:38 +0000 (11:52 -0700)]
lib/winbind_util: Remove winbind_[gu]id_to_sid

Commit c906153cc7 removed these functions, now also remove them for the
--without-winbind case.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago lib/winbind_util: Move include out of ifdef
Christof Schmitt [Tue, 5 Mar 2019 18:50:48 +0000 (11:50 -0700)]
lib/winbind_util: Move include out of ifdef

This fixes compile errors about missing prototypes with
--picky-developer and --without-winbind

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months ago dns_hub: Add some debug as to what DNS proxying is happening
Tim Beale [Wed, 20 Feb 2019 03:51:14 +0000 (16:51 +1300)]
dns_hub: Add some debug as to what DNS proxying is happening

This should make it clear at run-time how dns_hub is actually proxying
DNS requests, which will hopefully aid in debugging problems (i.e.
forgetting to add a mapping when adding a new DNS realm).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  6 00:48:43 UTC 2019 on sn-devel-144

7 months ago dns_hub: Minor variable rename
Tim Beale [Wed, 20 Feb 2019 03:41:47 +0000 (16:41 +1300)]
dns_hub: Minor variable rename

We've dropped the iface logic now - this dictionary maps from
realm-to-IP.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Map realm to IP address (instead of iface)
Tim Beale [Wed, 20 Feb 2019 03:34:23 +0000 (16:34 +1300)]
selftest: Map realm to IP address (instead of iface)

The code is more readable if the hashmap translates between realm and
DC-name, rather than realm-to-iface. We already have a function to map
between DC-name and iface (and since we're doing this, we might as well
map straight to IP address).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Pass realm-to-IP mapping to dns_hub as an argument
Tim Beale [Wed, 20 Feb 2019 03:09:54 +0000 (16:09 +1300)]
selftest: Pass realm-to-IP mapping to dns_hub as an argument

Instead of storing hashmaps in 2 different files, we can just convert a
perl hashmap into a string, pass it to dns_hub, and convert it back into
a python dictionary.

The main reason for doing this is the IP-to-testenv mapping now all
lives in a single file (Samba.pm). All this logic is right next to each
other rather than being split across multiple files. Hopefully this will
make it easier to keep it up to date as we add new testenvs.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Split out dns_hub's testenv realm-to-IP logic
Tim Beale [Thu, 14 Feb 2019 04:36:40 +0000 (17:36 +1300)]
selftest: Split out dns_hub's testenv realm-to-IP logic

Add a separate helper function, as the realm-to-IPv4-addr logic is
fairly self-contained.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Try to tie dns_hub IP mapping to Samba.pm better
Tim Beale [Thu, 14 Feb 2019 02:38:54 +0000 (15:38 +1300)]
selftest: Try to tie dns_hub IP mapping to Samba.pm better

dns_hub.py maps the testenv realm to an IP and Samba.pm maps the testenv
NetBIOS name to an IP. We need to keep the two places consistent, as we
add or remove testenvs.

This patch changes dns_hub.py so that it uses a similar hashmap to
Samba.pm. We now have a hashmap with the same name in 2 different
places, so hopefully that's easier to tie them together and keep them in
sync.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Cleanup Samba.pm iface mapping
Tim Beale [Thu, 14 Feb 2019 03:19:50 +0000 (16:19 +1300)]
selftest: Cleanup Samba.pm iface mapping

It looks a bit cleaner if we declare the hash-map in one go, rather than
adding each entry one at a time. Also added a comment explaining what
the hash-map is for, and fixed up tab vs spaces inconsistencies.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Avoid hard-coding client IP address
Tim Beale [Thu, 14 Feb 2019 01:37:16 +0000 (14:37 +1300)]
selftest: Avoid hard-coding client IP address

We implicitly assume the client IP used by selftest is always
127.0.0.11. Add an iface entry for the client to make this a little more
explicit.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: dns_hub doesn't need to store $swiface
Tim Beale [Wed, 13 Feb 2019 01:21:16 +0000 (14:21 +1300)]
selftest: dns_hub doesn't need to store $swiface

dns_hub doesn't need to store $ctx->{swiface}. Other testenvs store this
and export it as SOCKET_WRAPPER_DEFAULT_IFACE (i.e. for the tests to
use), but dns_hub doesn't need to do this.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago selftest: Add helper functions to get IP addresses
Tim Beale [Tue, 19 Feb 2019 03:18:11 +0000 (16:18 +1300)]
selftest: Add helper functions to get IP addresses

Let's centralize these assumptions in one place.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago tests: Reduce likelihood of auth_log test locking up during CI
Aaron Haslett [Thu, 28 Feb 2019 03:55:31 +0000 (16:55 +1300)]
tests: Reduce likelihood of auth_log test locking up during CI

We would sometimes see the auth_log test hang during a CI run. The CI
job would eventually fail after consuming a costly 10 hours of CI
runtime.

We believe the problem is around the test creating multiple instances of
the Messaging() context. This is a similar race condition to what was
seen in 19f34b2161dee26.

Currently a new Messaging() context is created for every test case. By
using classmethods instead, the Messaging context is only created once
per python test file execution (i.e. creation of the python class,
rather than initialization of the python object, which happens for every
test-case).

This means the test will only create one Messaging() context, which
should avoid any race conditions.

Changes:
+ removed msg_ctxs - this wasn't actually used for anything.
+ use classmethods to setup and tear-down the Messaging() context (and
tweak lp initialization accordingly).
+ fix discardMessages() - the loop wasn't actually discarding any
messages previously (this may also have been the cause of the test
hanging).

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Mar  5 13:10:43 UTC 2019 on sn-devel-144

7 months ago pidl/Python: initialise a datablob
Douglas Bagnall [Sun, 24 Feb 2019 06:31:07 +0000 (19:31 +1300)]
pidl/Python: initialise a datablob

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar  4 22:41:01 UTC 2019 on sn-devel-144

7 months ago dsdb pytsts: reduce scale of subtree rename speed test
Douglas Bagnall [Thu, 21 Feb 2019 03:47:55 +0000 (16:47 +1300)]
dsdb pytsts: reduce scale of subtree rename speed test

The speed test, when it was introduced a few patches ago, was
deliberately slow so that we could see how much better the changes
were. It used 500 users, 50 groups, and 27 computers.

Before the changes, it took this long:

rename ou took 64.373s
rename group took 0.160s
rename user took 0.004s
rename computer took 0.123s

After using the sorted links, it took this long:

rename ou took 12.984s
rename group took 0.161s
rename user took 0.004s
rename computer took 0.122s

And with the final patch to stop the linear search early on success:

rename ou took 11.680s
rename group took 0.089s
rename user took 0.004s
rename computer took 0.128s

"rename ou" is the one we were aiming at. Now that we have done that,
we reduce the size of the test so as not to slow down everyone's
autobuilds.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago dsdb/linked_attributes: shortcut exit for backlink fix
Douglas Bagnall [Wed, 20 Feb 2019 04:55:39 +0000 (17:55 +1300)]
dsdb/linked_attributes: shortcut exit for backlink fix

In most cases there can only be one link for each GUID. If we assume
that is true, we can skip half the search, on average.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago dsdb/linked_attributes: improve formatting in some places
Douglas Bagnall [Tue, 26 Feb 2019 23:18:11 +0000 (12:18 +1300)]
dsdb/linked_attributes: improve formatting in some places

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago dsdb/linked_attributes: initialise more pointers to NULL
Douglas Bagnall [Tue, 26 Feb 2019 23:17:58 +0000 (12:17 +1300)]
dsdb/linked_attributes: initialise more pointers to NULL

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months ago dsdb linked attributes: fix forward links faster
Douglas Bagnall [Wed, 9 Jan 2019 04:57:15 +0000 (17:57 +1300)]
dsdb linked attributes: fix forward links faster

Rename operations can be very slow in a large database with many group
memberships, because the linked attributes need to be found and
rewritten for each moved object and the way we did that was naive.

For a while now Samba has kept forward links in sorted order, so
finding group memberships can be an O(log n) rather than O(n)
operation. This patch makes use of that.

The backlinks are not sorted, nor are forward links in old databases,
so we have to use a linear search in those cases.

There is a little bit of extra work to handle the few kinds of forward
links (e.g. msDS-RevealedUsers) that have DN+Binary values.

Tim and Garming came up with the basic idea and a prototype.

Pair-programmed-with: Tim Beale <timbeale@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodsdb: linked_attributes module knows about sorted links
Douglas Bagnall [Thu, 14 Feb 2019 21:27:14 +0000 (10:27 +1300)]
dsdb: linked_attributes module knows about sorted links

Until now the linked attributes module has allocated its private data
on a per transaction basis, but we prefer to check the sorted links
feature less often than that. So the private data struct is given
module lifetime and a transaction member to carry out the old role.

In coming patches, the sorted links flag will be used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodsdb:replmd: add compatible feature helper function
Douglas Bagnall [Thu, 14 Feb 2019 21:29:33 +0000 (10:29 +1300)]
dsdb:replmd: add compatible feature helper function

repl_meta_data.c uses the compatible features attribute of the
"@SAMBA_DSDB" special object to record that linked attributes are
being stored in the database in a sorted order. Soon the
linked_attributes module is going to want to know the same thing, and
in time other modules will want to know about other compatible
features, so we introduce a helper function.

Error checking is slightly improved.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodsdb/pytests: sanity checks for links under subtree renames
Douglas Bagnall [Wed, 30 Jan 2019 23:18:59 +0000 (12:18 +1300)]
dsdb/pytests: sanity checks for links under subtree renames

These tests will ensure that linked attributes continue to be handled
correctly under forthcoming changes. The la_move_ou_tree_big() test
will show that the changes make this much faster, after which it can
perhaps be removed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agoreplmd/la: disambiguate error messages a bit
Douglas Bagnall [Tue, 19 Feb 2019 00:54:57 +0000 (13:54 +1300)]
replmd/la: disambiguate error messages a bit

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodsdb/group_audit: use common get_parsed_dns_trusted()
Douglas Bagnall [Fri, 15 Feb 2019 00:12:09 +0000 (13:12 +1300)]
dsdb/group_audit: use common get_parsed_dns_trusted()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodsdb:util_links: count el->values with unsigned int
Douglas Bagnall [Fri, 15 Feb 2019 00:09:09 +0000 (13:09 +1300)]
dsdb:util_links: count el->values with unsigned int

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests/rodc_rwdc: p.communicate() gives bytes, not str
Douglas Bagnall [Fri, 15 Feb 2019 21:48:00 +0000 (10:48 +1300)]
tests/rodc_rwdc: p.communicate() gives bytes, not str

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agodns_hub: use python 3 shebang
Douglas Bagnall [Fri, 15 Feb 2019 09:56:07 +0000 (22:56 +1300)]
dns_hub: use python 3 shebang

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agos4/auth/krb: fix spelling of entries
Douglas Bagnall [Tue, 19 Feb 2019 00:53:24 +0000 (13:53 +1300)]
s4/auth/krb: fix spelling of entries

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agos4:torture: Make sure we do not create a shadow 'struct params'
Andreas Schneider [Mon, 4 Mar 2019 15:59:18 +0000 (16:59 +0100)]
s4:torture: Make sure we do not create a shadow 'struct params'

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests: Work auth_log CLIENT_IP out from config instead of env var
Tim Beale [Mon, 25 Feb 2019 22:10:46 +0000 (11:10 +1300)]
tests: Work auth_log CLIENT_IP out from config instead of env var

Instead of passing the CLIENT_IP to the auth_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.

This only works for auth_log_pass_change, but not auth_log.py - the
latter still needs to be run on the :local testenv for other reasons, so
it doesn't use the client.conf. However, we can still update the base
code to use the client.conf IP, as auth_log.py overrides
self.remoteAddress anyway.

The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests: Work audit_log CLIENT_IP out from config instead of env var
Tim Beale [Mon, 25 Feb 2019 22:06:52 +0000 (11:06 +1300)]
tests: Work audit_log CLIENT_IP out from config instead of env var

Instead of passing the CLIENT_IP to the audit_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.
Because the audit_log tests are all run on the non-local testenv,
they'll already use the client.conf and the 127.0.0.11 address.

The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests: Remove explicit SOCKET_WRAPPER usage from auth_log tests
Tim Beale [Mon, 25 Feb 2019 21:53:43 +0000 (10:53 +1300)]
tests: Remove explicit SOCKET_WRAPPER usage from auth_log tests

The auth-logging tests are an odd combination of server and client
behaviour. On the one hand we want an IRPC connection to see the auth
events being logged on the server. On the other hand, we want the auth
events to appear to be happening on a client. Currently we hardcode in
the use of a SOCKET_WRAPPER interface to make this happen.

We can avoid this explicit socket wrapper usage by using the server
smb.conf instead in the one place we actually want to act like the
server (creating the IRPC connection). Then we can switch from using
the 'ad_dc*:local' testenvs to use 'ad_dc*', in order to act like a
client by default. The SERVERCONFFILE environment variable has already
been added for the few cases where a test needs explicit access to the
server's smb.conf.

However, for samba.tests.auth_log, the samlogon test cases are still
reliant on being run on the :local testenv, and so we can't switch them
over just yet. This is because the samlogon is using the DC's machine
creds underneath, which will fail on the non-local testenv. We could
create separate machine creds for the client and use those, but this is
a non-trivial rework of the test code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agos4:tests: Remove unused DC_ENV variable
Tim Beale [Mon, 25 Feb 2019 21:21:37 +0000 (10:21 +1300)]
s4:tests: Remove unused DC_ENV variable

I believe this was a leftover remnant from an earlier patch revision -
it's now been replaced by the DC_SERVERCONFFILE variable.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agos4:tests: Move duplicated test cases into loop
Tim Beale [Mon, 25 Feb 2019 21:19:06 +0000 (10:19 +1300)]
s4:tests: Move duplicated test cases into loop

This is more consistent with how we run tests elsewhere.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agos4:tests: Avoid passing unnecessary env variables to auth_log tests
Tim Beale [Mon, 25 Feb 2019 21:17:21 +0000 (10:17 +1300)]
s4:tests: Avoid passing unnecessary env variables to auth_log tests

These tests all use the ncalrpc connection, so they're always testing a
connection that's local to the server-side. Therefore passing in the
CLIENT_IP and SOCKET_WRAPPER_DEFAULT_IFACE variables (in order to try to
simulate a client connecting) is unnecessary.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests: Remove redundant credentials from auth_log tests
Tim Beale [Mon, 28 Jan 2019 01:11:09 +0000 (14:11 +1300)]
tests: Remove redundant credentials from auth_log tests

The LDB connection in these tests is to the direct sam.ldb file on disk,
so the credentials are not actually needed (and in fact, weren't even
initialized correctly). These tests always need to run on the DC itself
(i.e. :local testenv) because they use ncalrpc connections.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 months agotests: add a simple test for smbcacls -x
Ralph Boehme [Sat, 2 Mar 2019 14:37:38 +0000 (15:37 +0100)]
tests: add a simple test for smbcacls -x

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar  4 19:11:06 UTC 2019 on sn-devel-144

7 months agosmbcacls: add -x argument, prints maximum access
Ralph Boehme [Wed, 27 Feb 2019 15:45:07 +0000 (16:45 +0100)]
smbcacls: add -x argument, prints maximum access

Signed-off-by: Ralph Boehme <slow@samba.org>
7 months agos3:libsmb: add cli_query_mxac()
Ralph Boehme [Fri, 1 Mar 2019 08:49:17 +0000 (09:49 +0100)]
s3:libsmb: add cli_query_mxac()

Works only for SMB2.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agos3:libsmb: add cli_smb2_query_mxac()
Ralph Boehme [Fri, 1 Mar 2019 08:48:25 +0000 (09:48 +0100)]
s3:libsmb: add cli_smb2_query_mxac()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agos4:torture: add a test with additional bits in SEC_FLAG_MAXIMUM_ALLOWED
Ralph Boehme [Fri, 1 Mar 2019 17:06:48 +0000 (18:06 +0100)]
s4:torture: add a test with additional bits in SEC_FLAG_MAXIMUM_ALLOWED

When access_mask contains SEC_FLAG_MAXIMUM_ALLOWED, the server must still
process other bits from access_mask. E.g. if access_mask contains a right that
the requester doesn't have, the function must validate that against the
effective permissions.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agolibcli/security: fix handling of deny type ACEs in access_check_max_allowed()
Ralph Boehme [Fri, 1 Mar 2019 17:57:23 +0000 (18:57 +0100)]
libcli/security: fix handling of deny type ACEs in access_check_max_allowed()

Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agos4:torture: Add test_deny1().
Ralph Boehme [Sun, 3 Mar 2019 07:33:51 +0000 (08:33 +0100)]
s4:torture: Add test_deny1().

Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access, already seen allow bits are not
removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agos4:torture: Add test_owner_rights_deny1().
Jeremy Allison [Thu, 28 Feb 2019 22:59:01 +0000 (14:59 -0800)]
s4:torture: Add test_owner_rights_deny1().

Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when
calculating maximum access, already seen allow bits are not removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 months agolibcli/security: correct access check and maximum access calculation for Owner Rights...
Ralph Boehme [Fri, 1 Mar 2019 17:20:35 +0000 (18:20 +0100)]
libcli/security: correct access check and maximum access calculation for Owner Rights ACEs

We basically must process the Owner Rights ACEs as any other ACE wrt the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.

We just have to do some initial magic to determine if an ACL contains any
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:

-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
   IF DACL does not contain ACEs from object owner THEN
       Remove READ_CONTROL and WRITE_DAC from RemainingAccess
       Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
   END IF
END IF

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
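
The evaluation order described in the two libcli/security commit messages above (deny ACEs are checked against rights granted by earlier ACEs; the implicit owner rights are granted at the beginning, and only when the DACL has no Owner Rights ACE), as an added example: a simplified C model, not Samba's code. Trustees are small integers instead of SIDs, and `max_allowed`, the `sd_*` descriptors and the sample DACLs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model (assumption): trustees are small ints, not real SIDs. */
#define OWNER_RIGHTS         (-1) /* stand-in for the Owner Rights SID */
#define SEC_FILE_READ_DATA   0x00000001u
#define SEC_FILE_WRITE_DATA  0x00000002u
#define SEC_STD_READ_CONTROL 0x00020000u
#define SEC_STD_WRITE_DAC    0x00040000u
enum ace_type { ALLOW, DENY };
struct ace { enum ace_type type; int trustee; uint32_t mask; };
struct sd { int owner; const struct ace *aces; size_t num_aces; };

/* Maximum access for `user`: one in-order pass over the DACL. */
uint32_t max_allowed(const struct sd *sd, int user)
{
    uint32_t granted = 0, denied = 0;
    int am_owner = (sd->owner == user), have_owner_rights = 0;

    for (size_t i = 0; am_owner && i < sd->num_aces; i++)
        have_owner_rights |= (sd->aces[i].trustee == OWNER_RIGHTS);
    /* Implicit owner rights go in first, only without an Owner Rights ACE. */
    if (am_owner && !have_owner_rights)
        granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;

    for (size_t i = 0; i < sd->num_aces; i++) {
        const struct ace *a = &sd->aces[i];
        int hit = (a->trustee == OWNER_RIGHTS) ? am_owner : (a->trustee == user);
        if (!hit)
            continue;
        if (a->type == ALLOW)
            granted |= a->mask;
        else /* a deny only takes bits that no earlier ACE has granted */
            denied |= a->mask & ~granted;
    }
    return granted & ~denied;
}

/* Constructed sample DACLs: user 1 owns each object, user 2 does not. */
const struct ace allow_then_deny[] = {
    { ALLOW, 2, SEC_FILE_READ_DATA | SEC_FILE_WRITE_DATA },
    { DENY, 2, SEC_FILE_WRITE_DATA } };
const struct ace deny_then_allow[] = {
    { DENY, 2, SEC_FILE_WRITE_DATA },
    { ALLOW, 2, SEC_FILE_READ_DATA | SEC_FILE_WRITE_DATA } };
const struct ace owner_rights[] = {
    { ALLOW, OWNER_RIGHTS, SEC_FILE_READ_DATA },
    { ALLOW, 1, SEC_FILE_WRITE_DATA } };
const struct sd sd_allow_then_deny = { 1, allow_then_deny, 2 };
const struct sd sd_deny_then_allow = { 1, deny_then_allow, 2 };
const struct sd sd_owner_rights = { 1, owner_rights, 2 };

int main(void)
{
    printf("allow,deny=%#x deny,allow=%#x owner=%#x\n",
           (unsigned)max_allowed(&sd_allow_then_deny, 2),
           (unsigned)max_allowed(&sd_deny_then_allow, 2),
           (unsigned)max_allowed(&sd_owner_rights, 1));
    return 0;
}
```

In this model the same two ACEs give read and write in ALLOW, DENY order but read only in DENY, ALLOW order, and an owner whose DACL carries an Owner Rights ACE gets no implicit WRITE_DAC or READ_CONTROL.
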
7 months agos4:torture: Add test_owner_rights_deny().
Jeremy Allison [Thu, 28 Feb 2019 22:37:09 +0000 (14:37 -0800)]
s4:torture: Add test_owner_rights_deny().

Shows that owner and SID_OWNER_RIGHTS ACE
entries interact in max permissions requests.

Tested against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 months agos4:torture: Fix the test_owner_rights() test to show permissions are additive.
Jeremy Allison [Thu, 28 Feb 2019 21:55:31 +0000 (13:55 -0800)]
s4:torture: Fix the test_owner_rights() test to show permissions are additive.

Tested against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 months agovfs: drop lseek stat-open checks
David Disseldorp [Mon, 4 Mar 2019 10:35:45 +0000 (11:35 +0100)]
vfs: drop lseek stat-open checks

b9e91d2a8e41a43d7ebb7d7eed807a7d8de9b329 added fd==-1 checks to the
lseek() path to handle "stat opens". Current reply.c and
smb2_ioctl_filesys.c callers do not invoke SMB_VFS_LSEEK() with
stat-open fsp structs, so the fd==-1 checks can be removed from the
VFS.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agoCI: don't use swap
Ralph Boehme [Sun, 3 Mar 2019 21:09:26 +0000 (22:09 +0100)]
CI: don't use swap

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar  4 13:59:42 UTC 2019 on sn-devel-144

7 months agolibsmb: Make cli_posix_unlink/rmdir proper tevent_req/subreq pairs
Volker Lendecke [Thu, 28 Feb 2019 20:47:51 +0000 (21:47 +0100)]
libsmb: Make cli_posix_unlink/rmdir proper tevent_req/subreq pairs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  2 00:55:56 UTC 2019 on sn-devel-144

7 months agolibsmb: Use tevent_req_simple_finish_ntstatus()
Volker Lendecke [Thu, 28 Feb 2019 20:18:06 +0000 (21:18 +0100)]
libsmb: Use tevent_req_simple_finish_ntstatus()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agolibsmb: Use tevent_req_simple_finish_ntstatus()
Volker Lendecke [Thu, 28 Feb 2019 20:18:06 +0000 (21:18 +0100)]
libsmb: Use tevent_req_simple_finish_ntstatus()

Less lines... Just rediscovered this function :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agoctdb_mutex_ceph_rados_helper: revert strtoull_err() usage
David Disseldorp [Fri, 1 Mar 2019 15:40:50 +0000 (16:40 +0100)]
ctdb_mutex_ceph_rados_helper: revert strtoull_err() usage

Compilation currently fails, as ctdb_mutex_ceph_rados_helper doesn't
include or link against the samba-util library. Revert back to the
previous strtoull() behaviour, which works fine.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar  1 18:34:18 UTC 2019 on sn-devel-144

7 months agoctdb-daemon: Fix maybe-uninitialized error with picky developer
Amitay Isaacs [Fri, 1 Mar 2019 03:18:31 +0000 (14:18 +1100)]
ctdb-daemon: Fix maybe-uninitialized error with picky developer

263/386] Compiling ctdb/server/ctdb_recovery_helper.c
In file included from ../../server/ctdb_recovery_helper.c:24:0:
../../server/ctdb_recovery_helper.c: In function ‘main’:
../../../lib/talloc/talloc.h:911:34: error: ‘mem_ctx’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
 #define TALLOC_FREE(ctx) do { if (ctx != NULL) { talloc_free(ctx); ctx=NULL; } } while(0)

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 months agowafbuild: create missing private library symlinks on platforms without soname support...
Björn Jacke [Thu, 28 Feb 2019 16:31:31 +0000 (17:31 +0100)]
wafbuild: create missing private library symlinks on platforms without soname support for shared libs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9557

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Fri Mar  1 17:05:19 UTC 2019 on sn-devel-144