samba.git
14 months agoRemove dead code
Simo Sorce [Sun, 18 Mar 2018 18:15:30 +0000 (14:15 -0400)]
Remove dead code

Signed-off-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Simo Sorce <idra@samba.org>
Autobuild-Date(master): Mon Mar 19 20:29:28 CET 2018 on sn-devel-144

14 months agoRevert "Use "localhost" to be ipv6 only friendly"
Simo Sorce [Sat, 17 Mar 2018 18:50:49 +0000 (14:50 -0400)]
Revert "Use "localhost" to be ipv6 only friendly"

This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.

14 months agoUse "localhost" to be ipv6 only friendly
Simo Sorce [Sat, 17 Mar 2018 18:07:37 +0000 (14:07 -0400)]
Use "localhost" to be ipv6 only friendly

Signed-off-by: Simo Sorce <idra@samba.org>
14 months agoUpdate help text for dbcheck
Jonathan Hunter [Mon, 19 Feb 2018 07:38:37 +0000 (07:38 +0000)]
Update help text for dbcheck

Update the help text for dbcheck, to make its behaviour clear (in
particular with reference to the difference between specifying "--yes"
on the command line, and answering "yes"/"all" to each individual
question)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 19 12:39:12 CET 2018 on sn-devel-144

14 months agoauth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal
Matt Selsky [Wed, 28 Feb 2018 06:00:04 +0000 (01:00 -0500)]
auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311

Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14 months agobugfix memory leak. partition_dn is only used to search and compare and is not freed...
Andrej Gessel [Wed, 12 Apr 2017 13:12:49 +0000 (15:12 +0200)]
bugfix memory leak. partition_dn is only used to search and compare and is not freed at the function end.

Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
14 months agoctdb-scripts: Drop CTDBD_CONF internal test variable
Martin Schwenke [Thu, 15 Mar 2018 04:42:57 +0000 (15:42 +1100)]
ctdb-scripts: Drop CTDBD_CONF internal test variable

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Mar 19 07:32:22 CET 2018 on sn-devel-144

14 months agoctdb-tests: Drop unused functions
Martin Schwenke [Tue, 13 Mar 2018 05:43:44 +0000 (16:43 +1100)]
ctdb-tests: Drop unused functions

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Construct values for CTDB_BASES by hand
Martin Schwenke [Tue, 13 Mar 2018 05:56:44 +0000 (16:56 +1100)]
ctdb-tests: Construct values for CTDB_BASES by hand

setup_ctdb_base() and node_dir() duplicate the construction of
CTDB_BASE.  Drop the use of node_dir() and construct the values for
CTDB_BASES by hand.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use CTDB_BASE instead of node_dir
Martin Schwenke [Tue, 6 Mar 2018 01:32:30 +0000 (12:32 +1100)]
ctdb-tests: Use CTDB_BASE instead of node_dir

Simple test configuration is all relative to CTDB_BASE and node_dir is
redundant.  Make this explicit by dropping most uses of node_dir.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use onnode to start/stop local daemons
Martin Schwenke [Tue, 6 Mar 2018 01:29:52 +0000 (12:29 +1100)]
ctdb-tests: Use onnode to start/stop local daemons

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Drop ctdbd --nlist option
Martin Schwenke [Wed, 14 Mar 2018 04:34:57 +0000 (15:34 +1100)]
ctdb-daemon: Drop ctdbd --nlist option

Tests now deviate from the compile-time default by setting CTDB_BASE.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: No longer honour CTDB_NODES environment variable
Martin Schwenke [Wed, 14 Mar 2018 04:31:36 +0000 (15:31 +1100)]
ctdb-tools: No longer honour CTDB_NODES environment variable

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_NODES configuration option
Martin Schwenke [Wed, 14 Mar 2018 04:30:37 +0000 (15:30 +1100)]
ctdb-scripts: Drop CTDB_NODES configuration option

Tests now deviate from the compile-time default by setting CTDB_BASE.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: Drop testing hook from ctdb tool
Martin Schwenke [Wed, 14 Mar 2018 04:25:34 +0000 (15:25 +1100)]
ctdb-tools: Drop testing hook from ctdb tool

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Simplify nodes file handling in tool tests
Martin Schwenke [Wed, 14 Mar 2018 04:10:45 +0000 (15:10 +1100)]
ctdb-tests: Simplify nodes file handling in tool tests

Instead of using an intermediate environment variable for nodes files,
just create "node" or "nodes.<pnn>" in CTDB_BASE.  This makes the
nodes file loading in fake_ctdb slightly repetitive but simplifies the
test scripts a lot.  It also remove several instance of the CTDB_NODES
variable from the code base, so it is no longer found by "git grep".

Use an empty nodes file to indicate that fake_ctdbd should fail to
read it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Put configuration, socket and PID file in CTDB_BASE
Martin Schwenke [Wed, 14 Mar 2018 04:08:44 +0000 (15:08 +1100)]
ctdb-tests: Put configuration, socket and PID file in CTDB_BASE

setup_ctdb_base() makes this a convenient temporary directory.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Improve setting of helper paths
Martin Schwenke [Wed, 14 Mar 2018 04:03:19 +0000 (15:03 +1100)]
ctdb-tests: Improve setting of helper paths

Make use of variables provided by script_install_paths.sh instead of
reinventing the logic.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use setup_base() in tool unit tests
Martin Schwenke [Wed, 14 Mar 2018 04:00:54 +0000 (15:00 +1100)]
ctdb-tests: Use setup_base() in tool unit tests

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Drop an orphaned comment
Martin Schwenke [Wed, 14 Mar 2018 03:00:29 +0000 (14:00 +1100)]
ctdb-tests: Drop an orphaned comment

The relevant code was removed long ago.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: Drop onnode CTDB_NODES_FILE environment variable
Martin Schwenke [Fri, 9 Mar 2018 05:36:39 +0000 (16:36 +1100)]
ctdb-tools: Drop onnode CTDB_NODES_FILE environment variable

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use default location for nodes file
Martin Schwenke [Tue, 6 Mar 2018 01:05:21 +0000 (12:05 +1100)]
ctdb-tests: Use default location for nodes file

Create the file and then copy it to CTDB_BASE for each node.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Drop ctdbd --public-interface option
Martin Schwenke [Tue, 20 Feb 2018 08:06:51 +0000 (19:06 +1100)]
ctdb-daemon: Drop ctdbd --public-interface option

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_PUBLIC_INTERFACE configuration option
Martin Schwenke [Tue, 20 Feb 2018 07:58:48 +0000 (18:58 +1100)]
ctdb-scripts: Drop CTDB_PUBLIC_INTERFACE configuration option

The interface must always be specified in the public addresses file.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Drop ctdbd --public-addresses option
Martin Schwenke [Thu, 8 Mar 2018 04:32:52 +0000 (15:32 +1100)]
ctdb-daemon: Drop ctdbd --public-addresses option

Use the default location.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Remove unused function get_ctdbd_command_line_option()
Martin Schwenke [Thu, 8 Mar 2018 03:33:08 +0000 (14:33 +1100)]
ctdb-tests: Remove unused function get_ctdbd_command_line_option()

This was a bad idea.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_PUBLIC_ADDRESSES configuration option
Martin Schwenke [Thu, 8 Mar 2018 04:11:51 +0000 (15:11 +1100)]
ctdb-scripts: Drop CTDB_PUBLIC_ADDRESSES configuration option

This option adds a lot of unnecessary complexity to scripts.
Configuration should go in $CTDB_BASE, either directly or via a
symlink, so simplify by using the default location.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Allow tests access to CTDB_BASE
Martin Schwenke [Sun, 11 Mar 2018 21:22:57 +0000 (08:22 +1100)]
ctdb-tests: Allow tests access to CTDB_BASE

On the node where the tests are run, CTDB_BASE is always set.  This
applies to local daemons too.  However, when tests are being run
against a real cluster, there may be a need to access configuration
files.  However, CTDB_BASE will not be set in this case.

So, provide a function to get CTDB_BASE, if set, or a real cluster
node's configuration directory, if CTDB_BASE is not set.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop 10.external event script
Martin Schwenke [Fri, 23 Feb 2018 09:15:15 +0000 (20:15 +1100)]
ctdb-scripts: Drop 10.external event script

This was added for a vendor who decided not to use it.  It is almost
certainly unused by anyone.  If anyone really needs it then it is in
the git history.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use default public addresses file for event script tests
Martin Schwenke [Thu, 8 Mar 2018 04:02:38 +0000 (15:02 +1100)]
ctdb-tests: Use default public addresses file for event script tests

Just use the default location in event script tests.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use default public addresses file in local daemon tests
Martin Schwenke [Tue, 6 Mar 2018 00:59:59 +0000 (11:59 +1100)]
ctdb-tests: Use default public addresses file in local daemon tests

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Provide a default location for public addresses file
Martin Schwenke [Tue, 6 Mar 2018 00:30:07 +0000 (11:30 +1100)]
ctdb-daemon: Provide a default location for public addresses file

If the specified file or the default does not exist then log a
warning.

This is done in the takeover code to localise the handling of the
public addresses file.  Soon the daemon command-line option will go
away and the takeover code will be replaced in the not too distant
future.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Don't allow simple tests to use environment for config
Martin Schwenke [Fri, 23 Feb 2018 03:54:51 +0000 (14:54 +1100)]
ctdb-tests: Don't allow simple tests to use environment for config

This was a mistake.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Update some tests to use setup_ctdb() options
Martin Schwenke [Fri, 23 Feb 2018 01:30:49 +0000 (12:30 +1100)]
ctdb-tests: Update some tests to use setup_ctdb() options

Don't use environment variables for test-local configuration
variations.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb_tests: Reconfigure the cluster when restarting CTDB
Martin Schwenke [Fri, 23 Feb 2018 01:21:23 +0000 (12:21 +1100)]
ctdb_tests: Reconfigure the cluster when restarting CTDB

The previous test might have made configuration changes, so call
setup_ctdb() to cause the configuration to be rewritten.  This is only
really useful in local daemons tests.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Add some options to setup_ctdb()
Martin Schwenke [Fri, 23 Feb 2018 01:05:14 +0000 (12:05 +1100)]
ctdb-tests: Add some options to setup_ctdb()

These provide special-purpose setups for particular testcases.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: Drop ctdb --socket option
Martin Schwenke [Wed, 21 Feb 2018 10:33:49 +0000 (21:33 +1100)]
ctdb-tools: Drop ctdb --socket option

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: Move handling of CTDB_SOCKET to process_command()
Martin Schwenke [Wed, 21 Feb 2018 10:31:01 +0000 (21:31 +1100)]
ctdb-tools: Move handling of CTDB_SOCKET to process_command()

options.socket will go away in future.  This moves processing of
CTDB_SOCKET close to where it is used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Drop ctdbd --socket option
Martin Schwenke [Wed, 21 Feb 2018 03:58:04 +0000 (14:58 +1100)]
ctdb-daemon: Drop ctdbd --socket option

Use environment variables for test-only options.

The setenv() can be dropped because the socket location is either the
compile-time default or the already set environment variable.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_SOCKET configuration option
Martin Schwenke [Wed, 21 Feb 2018 03:57:07 +0000 (14:57 +1100)]
ctdb-scripts: Drop CTDB_SOCKET configuration option

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tools: Drop a couple of unnecessary exports of CTDB_SOCKET
Martin Schwenke [Wed, 21 Feb 2018 03:36:52 +0000 (14:36 +1100)]
ctdb-tools: Drop a couple of unnecessary exports of CTDB_SOCKET

These were necessary because CTDB_SOCKET was not already exported via
test setup.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use environment variable for specifying socket
Martin Schwenke [Wed, 21 Feb 2018 03:54:36 +0000 (14:54 +1100)]
ctdb-tests: Use environment variable for specifying socket

Use environment variables for test-only options.  Don't put them in
the configuration file.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Allow CTDB_SOCKET environment variable to be used
Martin Schwenke [Wed, 21 Feb 2018 03:46:39 +0000 (14:46 +1100)]
ctdb-daemon: Allow CTDB_SOCKET environment variable to be used

Use environment variables for test-only options.

Switch to using a local variable.  This simplifies both the logic and
the ability to later drop the command-line option.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Use CTDB_SOCKET environment variable to specify socket
Martin Schwenke [Tue, 20 Feb 2018 11:27:04 +0000 (22:27 +1100)]
ctdb-tests: Use CTDB_SOCKET environment variable to specify socket

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-tests: Drop ctdbd --event-script-dir option
Martin Schwenke [Fri, 9 Mar 2018 05:27:32 +0000 (16:27 +1100)]
ctdb-tests: Drop ctdbd --event-script-dir option

Event scripts live in a standard place.

For testing, CTDB_BASE is modified.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_EVENT_SCRIPT_DIR configuration option
Martin Schwenke [Fri, 9 Mar 2018 05:22:33 +0000 (16:22 +1100)]
ctdb-scripts: Drop CTDB_EVENT_SCRIPT_DIR configuration option

Event scripts live in a standard place.

For testing, CTDB_BASE is modified.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-daemon: Drop ctdbd --pidfile option
Martin Schwenke [Mon, 5 Mar 2018 10:27:22 +0000 (21:27 +1100)]
ctdb-daemon: Drop ctdbd --pidfile option

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-scripts: Drop CTDB_PIDFILE configuration option
Martin Schwenke [Mon, 5 Mar 2018 10:26:07 +0000 (21:26 +1100)]
ctdb-scripts: Drop CTDB_PIDFILE configuration option

Use environment variables for test-only options.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
14 months agoctdb-ib: Drop a bit-rotted test example from the README
Martin Schwenke [Thu, 15 Mar 2018 05:28:17 +0000 (16:28 +1100)]
ctdb-ib: Drop a bit-rotted test example from the README

This hasn't worked as advertised for a long time.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
15 months agos4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries.
Jeremy Allison [Thu, 15 Mar 2018 21:45:06 +0000 (14:45 -0700)]
s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144

15 months agoselftest: vfs.fruit: add xattr_tdb where possible
Ralph Boehme [Fri, 16 Mar 2018 20:57:31 +0000 (21:57 +0100)]
selftest: vfs.fruit: add xattr_tdb where possible

This makes the tests indepent from fs xattr support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
15 months agoselftest: run vfs.fruit_netatalk test against seperate share
Ralph Boehme [Fri, 16 Mar 2018 20:55:26 +0000 (21:55 +0100)]
selftest: run vfs.fruit_netatalk test against seperate share

These tests require a fs with xattr support. This allows adding
xattr_tdb to all other shares in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
15 months agos3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces().
Jeremy Allison [Thu, 15 Mar 2018 16:57:09 +0000 (09:57 -0700)]
s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces().
Jeremy Allison [Thu, 15 Mar 2018 16:54:41 +0000 (09:54 -0700)]
s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover.
Jeremy Allison [Thu, 15 Mar 2018 16:52:30 +0000 (09:52 -0700)]
s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover.

Not yet used, will be used to tidyup existing code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agolibcli/security: fix some SID values in comments
Stefan Metzmacher [Tue, 6 Mar 2018 15:38:30 +0000 (16:38 +0100)]
libcli/security: fix some SID values in comments

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 16 19:47:15 CET 2018 on sn-devel-144

15 months agotest_smbclient_s3.sh: force LANG=C during test_utimes()
Stefan Metzmacher [Wed, 7 Mar 2018 10:19:54 +0000 (11:19 +0100)]
test_smbclient_s3.sh: force LANG=C during test_utimes()

This makes the test independent from the developers environment.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agowbinfo: Improve the wording for --online-status
Andreas Schneider [Thu, 8 Mar 2018 14:40:56 +0000 (15:40 +0100)]
wbinfo: Improve the wording for --online-status

Currently it displays if a domain is online or offline which is wrong.
It tells us if we maintain an active connection to the domain or not.

Users are confused if they read offline because the think winbind is not
functional with that domain.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 16 14:46:43 CET 2018 on sn-devel-144

15 months agoms_schema: fix python2.6 incompatibility
Björn Baumbach [Thu, 15 Mar 2018 17:32:31 +0000 (18:32 +0100)]
ms_schema: fix python2.6 incompatibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13337

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
15 months agos3: gse: use "gensec_gssapi:requested_life_time"
Ralph Boehme [Wed, 7 Mar 2018 11:52:15 +0000 (12:52 +0100)]
s3: gse: use "gensec_gssapi:requested_life_time"

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 16 07:48:37 CET 2018 on sn-devel-144

15 months agos3:smbd: map nterror on smb2_flush errorpath
Anton Nefedov via samba-technical [Thu, 15 Mar 2018 11:38:41 +0000 (14:38 +0300)]
s3:smbd: map nterror on smb2_flush errorpath

smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338

Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
15 months agos3:auth: make use of make_{server,session}_info_anonymous()
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:auth: make use of make_{server,session}_info_anonymous()

It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).

When it's really an anonymous connection, we should reflect that in the
resulting session info.

This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.

We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.

The commit message from a few commit before shows the resulting
auth_session_info change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144

15 months agos3:rpc_server: make use of make_session_info_anonymous()
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:rpc_server: make use of make_session_info_anonymous()

For unauthenticated connections we should default to a
session info with an anonymous nt token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: add make_{server,session}_info_anonymous()
Stefan Metzmacher [Fri, 2 Mar 2018 13:39:44 +0000 (14:39 +0100)]
s3:auth: add make_{server,session}_info_anonymous()

It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).

The following is the difference between guest and anonymous token:

             security_token: struct security_token
-                num_sids                 : 0x0000000a (10)
-                sids: ARRAY(10)
-                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-501
-                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-514
-                    sids                     : S-1-22-2-65534
-                    sids                     : S-1-22-2-65533
+                num_sids                 : 0x00000009 (9)
+                sids: ARRAY(9)
+                    sids                     : S-1-5-7
                     sids                     : S-1-1-0
                     sids                     : S-1-5-2
-                    sids                     : S-1-5-32-546
                     sids                     : S-1-22-1-65533
+                    sids                     : S-1-22-2-65534
+                    sids                     : S-1-22-2-100004
                     sids                     : S-1-22-2-100002
                     sids                     : S-1-22-2-100003
+                    sids                     : S-1-22-2-65533
                 privilege_mask           : 0x0000000000000000 (0)

...

         unix_token               : *
             unix_token: struct security_unix_token
                 uid                      : 0x000000000000fffd (65533)
                 gid                      : 0x000000000000fffe (65534)
-                ngroups                  : 0x00000004 (4)
-                groups: ARRAY(4)
+                ngroups                  : 0x00000005 (5)
+                groups: ARRAY(5)
                     groups                   : 0x000000000000fffe (65534)
-                    groups                   : 0x000000000000fffd (65533)
+                    groups                   : 0x00000000000186a4 (100004)
                     groups                   : 0x00000000000186a2 (100002)
                     groups                   : 0x00000000000186a3 (100003)
+                    groups                   : 0x000000000000fffd (65533)

             info: struct auth_user_info
                 account_name             : *
-                    account_name             : 'nobody'
+                    account_name             : 'ANONYMOUS LOGON'
                 user_principal_name      : NULL
                 user_principal_constructed: 0x00 (0)
                 domain_name              : *
-                    domain_name              : 'SAMBA-TEST'
+                    domain_name              : 'NT AUTHORITY'
                 dns_domain_name          : NULL
-                full_name                : NULL
-                logon_script             : NULL
-                profile_path             : NULL
-                home_directory           : NULL
-                home_drive               : NULL
-                logon_server             : NULL
+                full_name                : *
+                    full_name                : 'Anonymous Logon'
+                logon_script             : *
+                    logon_script             : ''
+                profile_path             : *
+                    profile_path             : ''
+                home_directory           : *
+                    home_directory           : ''
+                home_drive               : *
+                    home_drive               : ''
+                logon_server             : *
+                    logon_server             : 'LOCALNT4DC2'
                 last_logon               : NTTIME(0)
                 last_logoff              : NTTIME(0)
                 acct_expiry              : NTTIME(0)
                 last_password_change     : NTTIME(0)
                 allow_password_change    : NTTIME(0)
                 force_password_change    : NTTIME(0)
                 logon_count              : 0x0000 (0)
                 bad_password_count       : 0x0000 (0)
-                acct_flags               : 0x00000000 (0)
+                acct_flags               : 0x00000010 (16)
                 authenticated            : 0x00 (0)
             security_token: struct security_token
                 num_sids                 : 0x00000006 (6)
                 sids: ARRAY(6)
+                    sids                     : S-1-5-7
+                    sids                     : S-1-1-0
+                    sids                     : S-1-5-2
                     sids                     : S-1-22-1-65533
                     sids                     : S-1-22-2-65534
                     sids                     : S-1-22-2-65533
-                    sids                     : S-1-1-0
-                    sids                     : S-1-5-2
-                    sids                     : S-1-5-32-546
                 privilege_mask           : 0x0000000000000000 (0)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest...
Stefan Metzmacher [Fri, 2 Mar 2018 16:07:11 +0000 (17:07 +0100)]
s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()

We only need to adjust sanitized_username in order to keep the same behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_...
Stefan Metzmacher [Tue, 6 Mar 2018 23:51:51 +0000 (00:51 +0100)]
s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()

The changes in the resulting token look like this:

           unix_token               : *
               unix_token: struct security_unix_token
                   uid                      : 0x0000000000000000 (0)
                   gid                      : 0x0000000000000000 (0)
-                  ngroups                  : 0x00000000 (0)
-                  groups: ARRAY(0)
+                  ngroups                  : 0x00000001 (1)
+                  groups: ARRAY(1)
+                      groups                   : 0x0000000000000000 (0)

...

                   domain_name              : *
                       domain_name              : 'NT AUTHORITY'
                   dns_domain_name          : NULL
-                  full_name                : NULL
-                  logon_script             : NULL
-                  profile_path             : NULL
-                  home_directory           : NULL
-                  home_drive               : NULL
-                  logon_server             : NULL
+                  full_name                : *
+                      full_name                : 'System'
+                  logon_script             : *
+                      logon_script             : ''
+                  profile_path             : *
+                      profile_path             : ''
+                  home_directory           : *
+                      home_directory           : ''
+                  home_drive               : *
+                      home_drive               : ''
+                  logon_server             : *
+                      logon_server             : 'SLOWSERVER'
                   last_logon               : NTTIME(0)
                   last_logoff              : NTTIME(0)
                   acct_expiry              : NTTIME(0)
                   last_password_change     : NTTIME(0)
                   allow_password_change    : NTTIME(0)
                   force_password_change    : NTTIME(0)
                   logon_count              : 0x0000 (0)
                   bad_password_count       : 0x0000 (0)
-                  acct_flags               : 0x00000000 (0)
+                  acct_flags               : 0x00000010 (16)
                   authenticated            : 0x01 (1)
           unix_info                : *

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
Stefan Metzmacher [Tue, 6 Mar 2018 23:21:13 +0000 (00:21 +0100)]
s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()

These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.

This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.

In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:

 - S-1-5-88-1-Y gives the uid=Y
 - S-1-5-88-2-Y gives the gid=Y
 - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*

The currently implemented flags are:

- AUTH3_UNIX_HINT_QUALIFIED_NAME
  unix_name = DOMAIN+ACCOUNT

- AUTH3_UNIX_HINT_ISLOLATED_NAME
  unix_name = ACCOUNT

- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
  Don't translate the nt token SIDS into uid/gids
  using sid mapping.

- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
  Don't translate the unix token uid/gids to S-1-22-X-Y SIDS

- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
  The unix token won't get expanded gid values
  from getgroups_unix_user()

By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.

Note the S-1-5-88-* SIDS never appear in the final security_token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agoauth: add auth_user_info_copy() function
Stefan Metzmacher [Tue, 6 Mar 2018 15:38:10 +0000 (16:38 +0100)]
auth: add auth_user_info_copy() function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: remove static from finalize_local_nt_token()
Stefan Metzmacher [Tue, 6 Mar 2018 22:45:30 +0000 (23:45 +0100)]
s3:auth: remove static from finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
Stefan Metzmacher [Tue, 6 Mar 2018 22:40:10 +0000 (23:40 +0100)]
s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
Stefan Metzmacher [Tue, 6 Mar 2018 22:36:03 +0000 (23:36 +0100)]
s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
Stefan Metzmacher [Tue, 6 Mar 2018 22:26:28 +0000 (23:26 +0100)]
s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()

We should add Builtin_Guests depending on the current token
not based on 'is_guest'. Even authenticated users can be member
a guest related group and therefore get Builtin_Guests.

Sadly we still need to use 'is_guest' within create_local_nt_token()
as we only have S-1-22-* SIDs there and still need to
add Builtin_Guests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
Stefan Metzmacher [Tue, 13 Mar 2018 20:38:27 +0000 (21:38 +0100)]
s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
Stefan Metzmacher [Tue, 13 Mar 2018 20:35:48 +0000 (21:35 +0100)]
s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()

We should not crash if we're called with NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: move add_local_groups() out of finalize_local_nt_token()
Stefan Metzmacher [Tue, 6 Mar 2018 16:14:34 +0000 (17:14 +0100)]
s3:auth: move add_local_groups() out of finalize_local_nt_token()

finalize_local_nt_token() will be used in another place,
were we don't want to add local groups in a following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: add the "Unix Groups" sid for the primary gid
Stefan Metzmacher [Fri, 2 Mar 2018 15:37:58 +0000 (16:37 +0100)]
s3:auth: add the "Unix Groups" sid for the primary gid

The primary gid might not be in the gid array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:auth: remove unused auth_serversupplied_info->system
Stefan Metzmacher [Thu, 1 Mar 2018 17:05:28 +0000 (18:05 +0100)]
s3:auth: remove unused auth_serversupplied_info->system

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agolibcli/security: only announce a session as GUEST if 'Builtin\Guests' is there withou...
Ralph Boehme [Wed, 14 Mar 2018 10:44:49 +0000 (11:44 +0100)]
libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:selftest: run SMB2-ANONYMOUS
Stefan Metzmacher [Thu, 15 Mar 2018 17:04:21 +0000 (18:04 +0100)]
s3:selftest: run SMB2-ANONYMOUS

This fails against a non AD DC smbd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agos3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
Stefan Metzmacher [Thu, 15 Mar 2018 16:40:07 +0000 (17:40 +0100)]
s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agowinbindd: add retry to _winbind_SendToSam
Ralph Boehme [Mon, 12 Mar 2018 18:54:37 +0000 (19:54 +0100)]
winbindd: add retry to _winbind_SendToSam

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144

15 months agowinbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords
Ralph Boehme [Mon, 12 Mar 2018 18:53:53 +0000 (19:53 +0100)]
winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: add retry to _wbint_DsGetDcName
Ralph Boehme [Mon, 12 Mar 2018 18:53:26 +0000 (19:53 +0100)]
winbindd: add retry to _wbint_DsGetDcName

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: add retry to _wbint_LookupSids()
Ralph Boehme [Mon, 12 Mar 2018 16:09:34 +0000 (17:09 +0100)]
winbindd: add retry to _wbint_LookupSids()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_conn...
Ralph Boehme [Mon, 12 Mar 2018 15:53:49 +0000 (16:53 +0100)]
winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected()

This catches more errors and triggers retry as appropriate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: fix logic calling dcerpc_binding_handle_is_connected()
Ralph Boehme [Mon, 12 Mar 2018 15:15:02 +0000 (16:15 +0100)]
winbindd: fix logic calling dcerpc_binding_handle_is_connected()

The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()
Ralph Boehme [Mon, 12 Mar 2018 15:11:37 +0000 (16:11 +0100)]
winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()

To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().

All callers pass NULL for now, so no change in behaviour up to here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
Ralph Boehme [Mon, 12 Mar 2018 12:39:59 +0000 (13:39 +0100)]
winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()

NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
15 months agowinbindd: call reset_cm_connection_on_error() from reconnect_need_retry()
Ralph Boehme [Mon, 12 Mar 2018 11:20:04 +0000 (12:20 +0100)]
winbindd: call reset_cm_connection_on_error() from reconnect_need_retry()

This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.

Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: make reset_cm_connection_on_error() public
Ralph Boehme [Mon, 12 Mar 2018 10:29:22 +0000 (11:29 +0100)]
winbindd: make reset_cm_connection_on_error() public

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()
Ralph Boehme [Mon, 12 Mar 2018 10:12:34 +0000 (11:12 +0100)]
winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()

reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c
Ralph Boehme [Mon, 12 Mar 2018 12:30:01 +0000 (13:30 +0100)]
winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c

ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
15 months agowinbind: Keep "force_reauth" in invalidate_cm_connection
Volker Lendecke [Wed, 28 Feb 2018 15:09:28 +0000 (15:09 +0000)]
winbind: Keep "force_reauth" in invalidate_cm_connection

Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
15 months agowinbind: Add smbcontrol disconnect-dc
Volker Lendecke [Wed, 28 Feb 2018 15:08:44 +0000 (15:08 +0000)]
winbind: Add smbcontrol disconnect-dc

Make a winbind child drop all DC connections

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
15 months agoutils: Add destroy_netlogon_creds_cli
Volker Lendecke [Wed, 28 Feb 2018 07:59:08 +0000 (07:59 +0000)]
utils: Add destroy_netlogon_creds_cli

This is a pure testing utility that will garble the netlogon_creds_cli
session_key. This creates a similar effect to our schannel credentials
as does a domain controller reboot.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
15 months agos4: dsdb/password_hash: use UF_TRUST_ACCOUNT_MASK
Ralph Boehme [Thu, 8 Mar 2018 16:35:15 +0000 (17:35 +0100)]
s4: dsdb/password_hash: use UF_TRUST_ACCOUNT_MASK

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 13 23:48:28 CET 2018 on sn-devel-144

15 months agolibds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK
Ralph Boehme [Thu, 8 Mar 2018 16:34:08 +0000 (17:34 +0100)]
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK

The name UF_TRUST_ACCOUNT_MASK better reflects the use case and it's not
yet used.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15 months agoCVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144

15 months agoCVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
Ralph Boehme [Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)]
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control

This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
15 months agoCVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
Ralph Boehme [Fri, 16 Feb 2018 14:38:19 +0000 (15:38 +0100)]
CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID

This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>