samba.git
Mathieu Parent [Thu, 11 Jan 2018 20:18:46 +0000 (21:18 +0100)]
waf: Remove build system info (uname -a)

Preventing reproducible builds while adding minor benefit.

More information at <https://reproducible-builds.org/>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Mathieu Parent [Thu, 12 May 2016 20:16:24 +0000 (22:16 +0200)]
systemd: Fix kill path

Bug-Debian: https://bugs.debian.org/828730

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Mathieu Parent [Thu, 12 May 2016 20:16:24 +0000 (22:16 +0200)]
systemd: Add documentation to Unit files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Mathieu Parent [Thu, 11 Jan 2018 09:07:17 +0000 (10:07 +0100)]
systemd: syslog.target is obsolete

After=syslog.target is unnecessary by now because syslog is
socket-activated and will therefore be started when needed.

Ref: https://lintian.debian.org/tags/systemd-service-file-refers-to-obsolete-target.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12402

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Volker Lendecke [Thu, 11 Jan 2018 10:55:39 +0000 (11:55 +0100)]
torture: Add test for channel sequence number handling

We run into an assert when the csn wraps

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 14 14:47:15 CET 2018 on sn-devel-144

Volker Lendecke [Thu, 11 Jan 2018 10:25:49 +0000 (11:25 +0100)]
smbXcli: Add "force_channel_sequence"

This enables use of the channel sequence number even for
non-multi-channel servers. This makes our client invalid, but we need to
protect against broken clients with tests.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Thu, 11 Jan 2018 14:34:45 +0000 (15:34 +0100)]
smbd: Fix channel sequence number checks for long-running requests

When the client's supplied csn overflows and hits a pending, long-running
request's csn, we panic. Fix this by counting the overflows in
smbXsrv_open_global0->channel_generation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 10 Jan 2018 13:59:08 +0000 (14:59 +0100)]
smbd: Remove a "!" from an if-condition for easier readability

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 10 Jan 2018 14:51:56 +0000 (15:51 +0100)]
torture4: Fix typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 10 Jan 2018 13:29:01 +0000 (14:29 +0100)]
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sun, 14 Jan 2018 08:58:13 +0000 (09:58 +0100)]
winbindd: set routing_domain when enumerating trusts

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Garming Sam [Tue, 9 Jan 2018 03:28:36 +0000 (16:28 +1300)]
docs: Remove reference to environment variables for now

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 14 03:08:01 CET 2018 on sn-devel-144

David Mulder [Tue, 21 Nov 2017 10:44:12 +0000 (03:44 -0700)]
gpo: Add the winbind call to gpupdate

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Wed, 6 Dec 2017 19:51:22 +0000 (12:51 -0700)]
Revert "gpo: Create the gpo update service"

This reverts commit 5662e49b49f6557c80f216f510f224bbf800f40a.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Mon, 8 Jan 2018 16:19:13 +0000 (09:19 -0700)]
gpo: Continue parsing GPOs even if one fails

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Mon, 8 Jan 2018 16:16:11 +0000 (09:16 -0700)]
gpo: Fix crashes in gpo unapply

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrej Gessel [Mon, 13 Nov 2017 10:07:43 +0000 (11:07 +0100)]
samba_kcc: do not commit new nTDSConnection, if we are rodc

Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc:     part, True)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Sat Jan 13 22:01:49 CET 2018 on sn-devel-144

Douglas Bagnall [Fri, 15 Dec 2017 02:58:46 +0000 (15:58 +1300)]
samba_kcc: simplify NCReplica.set_instantiated_flags()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 13 Dec 2017 04:50:56 +0000 (17:50 +1300)]
samba_kcc: simplify NCReplica constructor

There is nothing to be gained from setting the dn and guid separately
except subtle bugs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 13 Dec 2017 04:35:29 +0000 (17:35 +1300)]
samba_kcc: clarify readonly logging, removing now unused function

The unused function was somewhat misnamed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 13 Dec 2017 03:04:19 +0000 (16:04 +1300)]
samba_kcc: remove unused functions

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 29 Nov 2017 20:24:05 +0000 (09:24 +1300)]
samba_kcc: fix dot_file_dir documentation

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Nov 2017 03:47:32 +0000 (16:47 +1300)]
samba_kcc: remove an unused function

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 9 Aug 2017 23:57:24 +0000 (11:57 +1200)]
samba-tool visualize for understanding AD DC behaviour

To work out what is happening in a replication graph, it is sometimes
helpful to use visualisations. We introduce a samba-tool subcommand to
write Graphviz dot output and generate text-based heatmaps of the
distance in hops between DCs.

There are two subcommands, two graphical modes, and (roughly) two modes of
operation with respect to the location of authority.

`samba-tool visualize ntdsconn` looks at NTDS Connections.
`samba-tool visualize reps` looks at repsTo and repsFrom objects.

In '--distance' mode (default), the distances between DCs are shown in
a matrix in the terminal. With '--color=yes', this is depicted as a
heatmap. With '--utf8' it is a little prettier.

In '--dot' mode, Graphviz dot output is generated. When viewed using
dot or xdot, this shows the network as a graph with DCs as vertices
and connections as edges. Certain types of degenerate edges are shown in
different colours or line-styles.

Normally samba-tool talks to one database; with the '-r' (a.k.a.
'--talk-to-remote') option attempts are made to contact all the DCs
known to the first database. This is necessary to get sensible results
from `samba-tool visualize reps` because the repsFrom/To objects are
not replicated, and it can reveal replication issues in other modes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 10 Aug 2017 03:29:43 +0000 (15:29 +1200)]
samba_kcc: use new graph module for writing dot files

We avoid changing the (annoying) signature of write_dot_file().

Using samba_kcc to write dot files may be deprecated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Jan 2018 02:25:22 +0000 (15:25 +1300)]
python/graph: module for generating ASCII and graphviz visualisations

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Jan 2018 08:56:40 +0000 (21:56 +1300)]
samba_kcc: respect kcc.read_only flag on RODC

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 2 Jan 2018 20:20:09 +0000 (09:20 +1300)]
samba_kcc: kcc.debug module defers to samba.colour

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Jan 2018 10:17:38 +0000 (23:17 +1300)]
python: module containing ANSI colour sequences

This is going to be used by `samba-tool visualize` and samba_kcc.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 5 Jan 2018 03:45:37 +0000 (16:45 +1300)]
python tests: assert string equality, with diff

In the success case this works just like self.assertEqual(),
but when things fail you get a better representation of where it went
wrong (a unified diff).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Jan 2018 18:32:59 +0000 (07:32 +1300)]
samba_kcc: documentation fix

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 Jan 2018 13:52:45 +0000 (14:52 +0100)]
s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()

Otherwise this taints other tests which might follow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 11 Jan 2018 11:46:24 +0000 (12:46 +0100)]
WHATSNEW: document some more new options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

Stefan Metzmacher [Wed, 29 Nov 2017 15:02:28 +0000 (16:02 +0100)]
winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 13 Dec 2017 07:53:16 +0000 (08:53 +0100)]
winbindd: add more trust types to get_trust_type_string

Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC" and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 13 Dec 2017 15:01:50 +0000 (16:01 +0100)]
libwbclient: add more trust types

Prepare libwbclient for additional trust types and trust routing.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 13 Dec 2017 15:02:22 +0000 (16:02 +0100)]
wbinfo: support for local, workstation and routed trust types

Prepare wbinfo for additional trust types and trust routing.

This also modifies the output line for a "None" trust type by skipping
the transitivity and direction -- that just doesn't make sense without a
trust.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 19 Dec 2017 16:26:46 +0000 (17:26 +0100)]
libwbclient: add trust routing and more trust-types

This adds the struct member and the defines, the implementation comes
later.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 28 Nov 2017 16:46:03 +0000 (17:46 +0100)]
winbindd: fix trust_is_oubound()

A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 28 Nov 2017 16:44:41 +0000 (17:44 +0100)]
winbindd: fix trust_is_inbound()

A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 28 Nov 2017 16:32:59 +0000 (17:32 +0100)]
winbindd: transitive trust logic in trust_is_transitive()

trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct; for the trust to be transitive,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 29 Nov 2017 09:55:25 +0000 (10:55 +0100)]
winbindd: use add_trusted_domain_from_auth

After a successful authentication, ensure we have the user's domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 29 Nov 2017 09:10:38 +0000 (10:10 +0100)]
winbindd: add add_trusted_domain_from_auth

Function to add a new trusted domain to the domain list and TDC after a
successful authentication. On Member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 13 Dec 2017 16:11:25 +0000 (17:11 +0100)]
winbindd: add set_routing_domain()

Ralph Boehme [Wed, 13 Dec 2017 16:08:10 +0000 (17:08 +0100)]
winbindd: add find_default_route_domain()

On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forest this would
be the parent domain.

Signed-off-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 29 Nov 2017 15:02:28 +0000 (16:02 +0100)]
winbindd: avoid automatic enumerating trusts on DCs

We have a static list of trusts based on our configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 29 Nov 2017 14:55:12 +0000 (15:55 +0100)]
winbindd: load the trusted domains on a DC already in init_domain_list()

We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 19 Dec 2017 22:44:00 +0000 (23:44 +0100)]
pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 06:57:27 +0000 (07:57 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Sun, 10 Dec 2017 19:03:37 +0000 (20:03 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain

Signed-off-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 1 Dec 2017 07:41:29 +0000 (08:41 +0100)]
pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 1 Dec 2017 06:59:59 +0000 (07:59 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 1 Dec 2017 07:33:51 +0000 (08:33 +0100)]
s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 06:56:40 +0000 (07:56 +0100)]
s3/torture/pdbtest: delete trusted domain at test end

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 06:56:02 +0000 (07:56 +0100)]
s3/torture/pdbtest: creating a trusted domain requires a valid SID

Signed-off-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 30 Nov 2017 12:04:56 +0000 (13:04 +0100)]
winbindd: use find_trust_from_name_noinit when we require a direct trust

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 29 Nov 2017 14:23:36 +0000 (15:23 +0100)]
winbindd: add find_trust_from_{name,sid}_noinit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 29 Nov 2017 14:10:38 +0000 (15:10 +0100)]
winbindd: remember the secure_channel_type in winbindd_domain

This way we have an indication of non direct trusts with
SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Sat, 16 Dec 2017 10:34:23 +0000 (11:34 +0100)]
winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()

This extends add_trusted_domain() to be the one true one-stop function
to add a winbindd domain.

add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
in the winbindd domain which made it hard to track which attributes
would be required and which are optional.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 10 Jan 2018 11:14:57 +0000 (12:14 +0100)]
winbindd: initialize some stack pointers to NULL

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 10 Jan 2018 11:14:57 +0000 (12:14 +0100)]
winbindd: rename alternative_name to dns_name

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 15 Dec 2017 20:13:52 +0000 (21:13 +0100)]
winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()

Unique key for domains is the NetBIOS name, period. If the caller
passes a domain name that matches a different domain's DNS name or vice
versa, that is an error. The same applies to SIDs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 15 Dec 2017 20:09:15 +0000 (21:09 +0100)]
winbindd: enforce valid SID in add_trusted_domain_from_tdc()

It's the caller's responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
disaster.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 2 Dec 2017 09:34:28 +0000 (10:34 +0100)]
winbindd: set info6 data in append_info3_as_txt

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jan 13 12:53:59 CET 2018 on sn-devel-144

Ralph Boehme [Fri, 1 Dec 2017 22:26:33 +0000 (23:26 +0100)]
nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 10 Jan 2018 09:20:46 +0000 (10:20 +0100)]
nsswitch: add "validation_level" and "info6" to winbindd_response

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 2 Dec 2017 09:34:15 +0000 (10:34 +0100)]
winbindd: pass validation in append_info3_as_txt

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 2 Dec 2017 09:27:12 +0000 (10:27 +0100)]
winbindd: pass down validation to append_auth_data()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 9 Jan 2018 17:57:53 +0000 (18:57 +0100)]
winbindd: simplify an if condition in winbindd_dual_pam_auth

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 15:25:35 +0000 (16:25 +0100)]
winbindd: let winbind_dual_SamLogon return validation

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 1 Dec 2017 22:11:44 +0000 (23:11 +0100)]
winbindd: remove a space in winbind_dual_SamLogon

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 14:54:36 +0000 (15:54 +0100)]
winbindd: let winbindd_dual_pam_auth_samlogon() return validation info

Pass up validation info instead of info3. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 22:26:38 +0000 (23:26 +0100)]
winbindd: let winbind_samlogon_retry_loop return validation info

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 9 Jan 2018 15:58:06 +0000 (16:58 +0100)]
winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon

result is already checked a few lines above.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 30 Nov 2017 22:35:40 +0000 (23:35 +0100)]
s3/rpc_client: return validation from rpccli_netlogon functions

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 11 Dec 2017 14:18:58 +0000 (15:18 +0100)]
s3/rpc_client: add map_info3_to_validation()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 30 Nov 2017 22:19:07 +0000 (23:19 +0100)]
s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon

Will be needed in the next commit.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 2 Dec 2017 21:04:47 +0000 (22:04 +0100)]
s3/rpc_client: in map_validation_to_info3() make a deep copy

In later commits we want to map a validation to info3 without modifying
the validation data. Otherwise no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 2 Dec 2017 21:35:36 +0000 (22:35 +0100)]
s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon

The next commit will add an additional caller in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 1 Dec 2017 07:26:59 +0000 (08:26 +0100)]
winbindd: prevent long lines in a later commit

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 1 Dec 2017 11:23:50 +0000 (12:23 +0100)]
winbindd: simplify if condition in find_domain_from_name_noinit()

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 1 Dec 2017 10:40:47 +0000 (11:40 +0100)]
winbindd: remove an else branch

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago winbindd: remove a space
Ralph Boehme [Fri, 1 Dec 2017 09:32:41 +0000 (10:32 +0100)]
winbindd: remove a space

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago winbindd: fix overly long lines
Ralph Boehme [Fri, 1 Dec 2017 06:59:50 +0000 (07:59 +0100)]
winbindd: fix overly long lines

Just another long lines cleanup. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago s3/rpc_client: fix overly long lines
Ralph Boehme [Fri, 1 Dec 2017 06:58:07 +0000 (07:58 +0100)]
s3/rpc_client: fix overly long lines

Just long lines cleanup, no further changes. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago s3/torture: fix an error message
Ralph Boehme [Sat, 9 Dec 2017 18:27:22 +0000 (19:27 +0100)]
s3/torture: fix an error message

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes
Stefan Metzmacher [Mon, 4 Dec 2017 14:21:50 +0000 (15:21 +0100)]
s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
19 months ago params: mark "ldap ssl ads" as deprecated
Björn Jacke [Wed, 10 Jan 2018 15:17:30 +0000 (16:17 +0100)]
params: mark "ldap ssl ads" as deprecated

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago params: mark "unicode" parameter as deprecated
Björn Jacke [Wed, 10 Jan 2018 15:05:39 +0000 (16:05 +0100)]
params: mark "unicode" parameter as deprecated

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
19 months ago s3/smbd: Fix error code for unsupported SET_INFO requests
Justin Maggard via samba-technical [Tue, 9 Jan 2018 20:04:16 +0000 (12:04 -0800)]
s3/smbd: Fix error code for unsupported SET_INFO requests

FileValidDataLengthInformation and FileShortNameInformation are both
valid FileInfoClasses that we don't support.  According to [MS-SMB2]
3.3.5.21.1, we should be returning STATUS_NOT_SUPPORTED instead of
NT_STATUS_INVALID_LEVEL for these.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 13 07:25:42 CET 2018 on sn-devel-144

19 months ago s3/smbd: Add new file information classes
Justin Maggard via samba-technical [Tue, 9 Jan 2018 20:04:15 +0000 (12:04 -0800)]
s3/smbd: Add new file information classes

Add definitions for missing file information classes documented in
[MS-FSCC] section 2.4.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
19 months ago vfs_default: use VFS statvfs macro in fs_capabilities
David Disseldorp [Wed, 10 Jan 2018 13:03:09 +0000 (14:03 +0100)]
vfs_default: use VFS statvfs macro in fs_capabilities

Currently the vfs_default fs_capabilities handler calls statvfs
directly, rather than calling the vfs macro. This behaviour may cause
issues for VFS modules that delegate fs_capabilities handling to
vfs_default but offer their own statvfs hook.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
19 months ago vfs_ceph: add fs_capabilities hook to avoid local statvfs
David Disseldorp [Wed, 10 Jan 2018 00:37:14 +0000 (01:37 +0100)]
vfs_ceph: add fs_capabilities hook to avoid local statvfs

Adding the fs_capabilities() hook to the CephFS VFS module avoids
fallback to the vfs_default code-path, which calls statvfs() against the
share path on the *local* filesystem.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
19 months ago Mark wbinfo test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:39:49 +0000 (14:39 +1300)]
Mark wbinfo test flapping

please fix and revert

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 13 03:01:10 CET 2018 on sn-devel-144

19 months ago Mark whoami test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:39:28 +0000 (14:39 +1300)]
Mark whoami test flapping

please fix and revert!

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
19 months ago Mark rfc2307 test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:38:45 +0000 (14:38 +1300)]
Mark rfc2307 test flapping

Please fix and revert

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
19 months ago ldb: version 1.3.1 ldb-1.3.1
Stefan Metzmacher [Wed, 10 Jan 2018 22:43:05 +0000 (23:43 +0100)]
ldb: version 1.3.1

* Intersect the index from SCOPE_ONELEVEL with the index for the search expression
  (bug #13191)
* smaller/greater comparison tests
* Show the last successful DN when failing to parse LDIF
* ldb_index: Add an attribute flag to require a unique value.
* silence some clang warnings in picky developer mode

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
19 months ago tevent: version 0.9.35 tevent-0.9.35
Stefan Metzmacher [Fri, 12 Jan 2018 14:08:14 +0000 (15:08 +0100)]
tevent: version 0.9.35

* Minor cleanup. wakeup_fd can always be gotten from the event context.
* Use smb_set_close_on_exec() in example code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
19 months ago talloc: version 2.1.11 talloc-2.1.11
Stefan Metzmacher [Fri, 12 Jan 2018 06:45:09 +0000 (07:45 +0100)]
talloc: version 2.1.11

* disable-python - fix talloc wscript if bundling disabled
* Do not disclose the random talloc magic in free()'ed memory

Signed-off-by: Stefan Metzmacher <metze@samba.org>
19 months ago talloc: Do not disclose the random talloc magic in free()'ed memory
Andrew Bartlett [Mon, 8 Jan 2018 04:34:31 +0000 (17:34 +1300)]
talloc: Do not disclose the random talloc magic in free()'ed memory

This may help us avoid exploits via memory read attacks on Samba by
ensuring that, if the read is on an invalid chunk, the talloc magic
disclosed there is not useful to create a valid chunk and so set a
destructor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>