Andrew Bartlett [Thu, 14 Mar 2019 05:20:06 +0000 (18:20 +1300)]
CVE-2019-3870 pysmbd: Move umask manipuations as close as possible to users
Umask manipulation was added to pysmbd with
e146fe5ef96c1522175a8e81db15d1e8879e5652 in 2012
and init_files_struct was split out in
747c3f1fb379bb68cc7479501b85741493c05812 in 2018 for
Samba 4.9. (It was added to assist the smbd.create_file() routine used in the backup and
restore tools, which needed to write files with full metadata).
This in turn avoids leaving init_files_struct() without resetting the umask to
the original, saved, value.
Per umask(2) this is required before open() and mkdir() system calls (along
side other file-like things such as those for Unix domain socks and FIFOs etc).
Therefore for safety and clarify the additional 'belt and braces' umask
manipuations elsewhere are removed.
mkdir() will be protected by a umask() bracket, for correctness, in the next patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Thu, 21 Mar 2019 04:21:58 +0000 (17:21 +1300)]
CVE-2019-3870 pysmbd: Include tests to show the outside umask has no impact
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tim Beale [Fri, 15 Mar 2019 00:52:50 +0000 (13:52 +1300)]
CVE-2019-3870 tests: Add test to check file-permissions are correct after provision
This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tim Beale [Fri, 15 Mar 2019 02:20:21 +0000 (15:20 +1300)]
CVE-2019-3870 tests: Extend smbd tests to check for umask being overwritten
The smbd changes the umask - if the code fails to restore the umask to
what it was, then this is very bad. Add an extra check to every
smbd-related test that the umask at the end of the test is the same as
what it was at the beginning (i.e. if the smbd code changed the umask
then it correctly restored the value afterwards).
As the selftest sets the umask for all tests to zero, it makes it hard
to detect this problem, so the test setUp() needs to set it to something
else first.
This extra checking is added to the setUp()/tearDown() so that it
applies to all test-cases. However, any failure that occur with this
approach will not be able to be known-failed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Karolin Seeger [Wed, 3 Apr 2019 08:33:17 +0000 (10:33 +0200)]
VERSION: Bump version up to 4.10.2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
61c4d715a7382047a9a97165256866fe39ebad26)
Karolin Seeger [Wed, 3 Apr 2019 08:32:27 +0000 (10:32 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.1 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 3 Apr 2019 08:31:06 +0000 (10:31 +0200)]
WHATSNEW: Add release notes for Samba 4.10.1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Philipp Gesang [Thu, 14 Feb 2019 09:17:28 +0000 (10:17 +0100)]
libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response
Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES
structures containing DataLength field that includes the padding
[0]. Microsoft has since clarified that only values smaller than
the size are considered invalid [1].
While parsing the NegotiateContext it is ensured that DataLength
does not exceed the message bounds. Also, the value is not
actually used anywhere outside the validation. Thus values
greater than the actual data size are safe to use. This patch
makes Samba fail only on values that are too small for the (fixed
size) payload.
[0] https://lists.samba.org/archive/samba/2019-February/221139.html
[1] https://lists.samba.org/archive/cifs-protocol/2019-March/003210.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13869
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Mar 31 01:11:09 UTC 2019 on sn-devel-144
(cherry picked from commit
865b7b0c7d2ba7fa0a045586d1e83a72028a0864)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Tue Apr 2 13:52:02 UTC 2019 on sn-devel-144
Volker Lendecke [Thu, 21 Feb 2019 17:37:08 +0000 (18:37 +0100)]
lib: Make fd_load work for non-regular files
Follow-up to
https://lists.samba.org/archive/samba/2018-September/217992.html
and following. This also fixes a small and very theoretical race: Between the
fstat and the read call the file size might change. This would make us fail on
potentially legitimate files.
This is more complex and probably slower, but looking at the use cases I don't
think the speed matters.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13859
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 26 04:43:40 UTC 2019 on sn-devel-144
(cherry picked from commit
ac487bf4d04c9771ada1ca7eeb9dac4e5fe34185)
Anoop C S [Thu, 27 Dec 2018 12:49:42 +0000 (18:19 +0530)]
s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so
Early check for DEVELOPER or ENABLE_SELFTEST configure options inside
messaging_handlers.c leaves us with the following undefined reference
linkage error:
[1315/3712] Linking bin/default/source4/lib/messaging/libMESSAGING-samba4.so
/usr/bin/ld: source4/lib/messaging/messaging.c.4.o: in function
`imessaging_init_internal':
/root/samba.git/bin/default/../../source4/lib/messaging/messaging.c:472:
undefined reference to `imessaging_register_extra_handlers'
collect2: error: ld returned 1 exit status
This happened due to failure in including "includes.h" before checking
the above mentioned configure options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13854
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
08ba013a2b8b2cf9fc17fdcb3d107e1434709036)
Michael Saxl [Thu, 21 Mar 2019 17:22:38 +0000 (18:22 +0100)]
s4:dlz make b9_has_soa check dc=@ node
the zone node does not hold the dnsRecord values, so for the zone level
the node dc=@,dc=zonename has to be queried
regression introduced with
28e2a518ff32, BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13841
Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
526c6d0be53d97beb38f82a3619d8710fefb4091)
Garming Sam [Thu, 21 Mar 2019 03:12:26 +0000 (16:12 +1300)]
dlz: Add test to ensure there are writable zones
This is currently broken since
28e2a518ff32
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13841
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6c62e05466917d9454d67eb2dd77e303e612c8a9)
Andrew Bartlett [Wed, 20 Mar 2019 04:33:46 +0000 (17:33 +1300)]
regfio tests: Update comment style to match README.Coding
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
68c0fc4335d0c3c526a38481538a33290be6d58a)
Andrew Bartlett [Wed, 20 Mar 2019 04:32:39 +0000 (17:32 +1300)]
regfio: Update code near recent changes to match README.Coding
This file long predates our current code conventions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
acbf103fcaa4150a57bfbab2450e36b5b39e399b)
Michael Hanselmann [Sun, 17 Mar 2019 12:49:20 +0000 (13:49 +0100)]
regfio: Improve handling of malformed registry hive files
* next_record: A malformed file can lead to an endless loop.
* regfio_rootkey: Supplying a malformed registry hive file to the
registry hive I/O code can lead to out-of-bounds reads.
Test cases are included. Both issues resolved have been identified using
AddressSanitizer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
601afd690346087fbd53819dba9b1afa81560064)
Michael Hanselmann [Mon, 18 Mar 2019 23:47:52 +0000 (00:47 +0100)]
regfio: Add trivial unit test
An upcoming commit will resolve two cases of insufficient handling of
mangled registry hive files and will include unit tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9b2cb845b23cd1c91ab3b5ea8ad791b18b3ab733)
Michael Hanselmann [Sun, 17 Mar 2019 15:20:47 +0000 (16:20 +0100)]
regfio: Use correct function names in debug information
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
aa6b355858a0d8b77bf49384e5329642add1a5ff)
Michael Hanselmann [Sun, 17 Mar 2019 12:04:52 +0000 (13:04 +0100)]
Fix typos in "valid"
s/vald/valid/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
305346d360d3c13fd315c1af27b037f46fd10650)
Douglas Bagnall [Tue, 26 Mar 2019 20:47:56 +0000 (09:47 +1300)]
py/logger: use python 2.6 compatible arguments
In 2.6 stream is a positional argument; 2.7+ it is also a keyword
argument.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Tue, 19 Mar 2019 23:12:34 +0000 (12:12 +1300)]
py/uptodateness: use 2.6 compatible dictionary construction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Fri, 22 Mar 2019 02:24:47 +0000 (15:24 +1300)]
py/kcc_utils: py2.6 compatibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Tue, 19 Mar 2019 23:02:09 +0000 (12:02 +1300)]
py/graph: use 2.6 compatible check for set membership
It is better this way anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 06:36:05 UTC 2019 on sn-devel-144
(cherry picked from commit
c0aca17a4c9ec06f0127d5c972f3fa979a87a77f)
Garming Sam [Tue, 12 Mar 2019 21:52:19 +0000 (10:52 +1300)]
acl_read: Fix regression caused by
db15fcfa899e1fe4d6994f68ceb299921b8aa6f1 for empty lists
The original code never dereferenced attrs and only added "*" if attrs
was NULL (not if attrs[0] was NULL).
This causes significant performance issues with the new paged_results
module introduced for 4.10 as the initial GUID search requests no
attributes. This GUID search turns into a search for "*" and ends up
allocating memory for the entire database.
This never appears to cause changes in the final result set, only
intermediate processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13836
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 29 18:37:29 UTC 2019 on sn-devel-144
(cherry picked from commit
a2b1970a37836e46d6c9eb6bda9bd20185de96ce)
Aaron Haslett [Mon, 25 Mar 2019 00:13:33 +0000 (13:13 +1300)]
ldb: cmocka test for empty attributes bug
Cmocka test exposing LDB bug where a request with an empty attributes
list returns a response containing all attributes. The bug is in the
ACL module and will be fixed in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13836
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
24efa3ca5399d5cf538c3be504014a954685f1ed)
Stefan Metzmacher [Tue, 19 Mar 2019 12:05:16 +0000 (13:05 +0100)]
dbcheck: use the str() value of the "name" attribute
We do the same with the rdn attribute value
and we need the same logic on both in order to
check they are the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
dd6f0dad218ec1d5aa38ea8aa6848ec81035cb3f)
Stefan Metzmacher [Tue, 12 Mar 2019 10:41:01 +0000 (11:41 +0100)]
dbcheck: don't check expired tombstone objects by default anymore
These will be removed anyway and any change on them risks to
be an originating update that causes replication problems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 03:12:27 UTC 2019 on sn-devel-144
(cherry picked from commit
a2c5f8cf41c2dfdc4f122e8427d1dfeabb6ba311)
Stefan Metzmacher [Tue, 12 Mar 2019 10:38:22 +0000 (11:38 +0100)]
blackbox/dbcheck-links.sh: prepare regression test for skipping expired tombstones
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b096a3117ed9249fd6f65f3221a26c88efbba3b8)
Stefan Metzmacher [Tue, 12 Mar 2019 10:04:33 +0000 (11:04 +0100)]
blackbox/dbcheck*.sh: pass --selftest-check-expired-tombstones to dbcheck
These tests operate on provision dumps created long ago, they still
want to run tests on deleted objects, when the next commits remove
processing expired tombstone objects in dbcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5fccc4e9044d2e57be33471f5e6b9be7cc37ac3a)
Stefan Metzmacher [Tue, 12 Mar 2019 10:02:18 +0000 (11:02 +0100)]
dbcheck: add --selftest-check-expired-tombstones cmdline option
This will be used by dbcheck tests which operate on static/old provision
dumps in the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6f9c5ed8de47bb98e21e8064d8e90f963f2f71ca)
Stefan Metzmacher [Tue, 12 Mar 2019 09:25:40 +0000 (10:25 +0100)]
python/samba/netcmd: provide SUPPRESS_HELP via Option class
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b61d580fb7dba8ff94e9e98c958e324865cd2f1d)
Stefan Metzmacher [Thu, 28 Feb 2019 17:22:18 +0000 (18:22 +0100)]
dbcheck: detect the change after deletion bug
Old versions of 'samba-tool dbcheck' could reanimate
deleted objects, when running at the same time as the
tombstone garbage collection.
When the (deleted) parent of a deleted object
(with the DISALLOW_MOVE_ON_DELETE bit in systemFlags),
is removed before the object itself, dbcheck moved
it in the LostAndFound[Config] subtree of the partition
as an originating change. That means that the object
will be in tombstone state again for 180 days on the local
DC. And other DCs fail to replicate the object as
it's already removed completely there and the replication
only gives the name and lastKnownParent attributes, because
all other attributes should already be known to the other DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a1658b306d85452407388b91a745078c9c1f7dc7)
Stefan Metzmacher [Mon, 11 Mar 2019 22:14:02 +0000 (23:14 +0100)]
blackbox/dbcheck-links.sh: add regression test for lost deleted object repair
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1ccc21a34d295be3bb2ab481a5918003eae88bf4)
Stefan Metzmacher [Thu, 28 Feb 2019 17:16:27 +0000 (18:16 +0100)]
dbcheck: add find_repl_attid() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
598e38d2a5e0832429ba65b4e55bf7127618f894)
Stefan Metzmacher [Mon, 25 Feb 2019 14:35:22 +0000 (15:35 +0100)]
dbcheck: don't remove dangling one-way links on already deleted objects
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
In this case the lastKnownParent attributes points a non existing
object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e388e599495b6d7c38b8b6966332e27f8b958783)
Stefan Metzmacher [Mon, 25 Feb 2019 14:35:22 +0000 (15:35 +0100)]
dbcheck: don't move already deleted objects to LostAndFound
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6d50ee74920c39cdb18b427bfaaf200775bf2d73)
Stefan Metzmacher [Mon, 25 Feb 2019 14:09:36 +0000 (15:09 +0100)]
dbcheck: do isDeleted, systemFlags and replPropertyMetaData detection first
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9afcd5331ce567bd80d35175f8e4e21c506e9347)
Stefan Metzmacher [Mon, 11 Mar 2019 21:45:46 +0000 (22:45 +0100)]
dbcheck: use DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME when renaming deleted objects
We should never do originating updates on deleted objects.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
07a8326746f0c444eedf3860b178fc29d84e8d16)
Stefan Metzmacher [Mon, 11 Mar 2019 21:38:38 +0000 (22:38 +0100)]
dsdb:repl_meta_data: allow CONTROL_DBCHECK_FIX_LINK_DN_NAME to by pass rename
We need a way to rename an object without updating the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3e8a435d27da899d0e3dab7cbc0a1c738067eba3)
Stefan Metzmacher [Mon, 11 Mar 2019 13:52:57 +0000 (14:52 +0100)]
blackbox/dbcheck-links.sh: reproduce lost deleted object problem
When a parent object is removed during the tombstone garbage collection
before a child object and samba-tool dbcheck runs at the same time, the
following can happen:
- If the object child had DISALLOW_MOVE_ON_DELETE in systemFlags,
samba-tool dbcheck moves the object under the LostAndFound[Config]
object (as an originating update!)
- The lastKnownParent attribute is removed (as an originating update!)
These originating updates cause the object to have an extended time
as tombstone. And these changes are replicated to other DCs,
which very likely already removed the object completely!
This means the destination DC of replication has no chance to handle
the object it gets from the source DC with just 2 attributes (name, lastKnownParent).
The destination logs something like:
No objectClass found in replPropertyMetaData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5357f591accffbf8c62335c308b985811b66f0b5)
Stefan Metzmacher [Tue, 12 Mar 2019 09:36:49 +0000 (10:36 +0100)]
blackbox/*.sh: pass -u to 'diff'
This is what we work with every day...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8ba6f1c895ee9b6b592578f21e7f79ed36236bef)
Stefan Metzmacher [Wed, 27 Feb 2019 07:22:09 +0000 (08:22 +0100)]
selftest: force running with TZ=UTC
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 27 11:24:59 UTC 2019 on sn-devel-144
(cherry picked from commit
4f307f2302b0fe8fd0fc6379eb8e6491faf8520c)
Andreas Schneider [Thu, 21 Mar 2019 10:55:46 +0000 (11:55 +0100)]
s3:waf: Fix the detection of makdev() macro on Linux
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13853
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
eace58b539a382c61edd7c2be6fdfab31114719f)
Andreas Schneider [Wed, 13 Mar 2019 11:00:27 +0000 (12:00 +0100)]
s3:tests: Add test for smbstatus and smbstatus --resolve_uids
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 27 14:33:35 UTC 2019 on sn-devel-144
(cherry picked from commit
2e7f4b1d3701b9da32e03dcee1095711945f22b8)
Andreas Schneider [Wed, 13 Mar 2019 11:00:11 +0000 (12:00 +0100)]
selftest: Add smbstatus to testhelper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6106b8a053e06699c332fd1a6d7636f550422cc7)
Andreas Schneider [Mon, 18 Feb 2019 13:11:32 +0000 (14:11 +0100)]
s3:utils: Add 'smbstatus -L --resolve-uids' to show usernames
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ffad76ae260ac33926db87c61aede5b66d9b09e6)
Andreas Schneider [Tue, 8 Jan 2019 11:21:36 +0000 (12:21 +0100)]
s3:utils: Use C99 initializer for poptOption in smbstatus
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
83d25ca9d90897925a4431dd55e68c78244900b3)
Andreas Schneider [Thu, 17 Jan 2019 12:58:14 +0000 (13:58 +0100)]
s3:lib: Fix the debug message for adding cache entries.
To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13848
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
5822449a7340f53987ce4c04851652427f5b49e8)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Fri Mar 22 12:50:24 UTC 2019 on sn-devel-144
Andreas Schneider [Wed, 20 Mar 2019 10:09:21 +0000 (11:09 +0100)]
s4:librpc: Fix installation of Samba
This breaks installation of Samba 4.10 on Fedora.
https://bugzilla.samba.org/show_bug.cgi?id=13847
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
bf469343f577e2d78df0e38d80e7976b351eaf0d)
Martin Schwenke [Thu, 14 Mar 2019 05:32:02 +0000 (16:32 +1100)]
ctdb-tests: Add some testing for IPv4-mapped IPv6 address parsing
ctdb_sock_addr values are hashed in some contexts. This means that
all of the memory used for the ctdb_sock_addr should be consistent
regardless of how parsing is done. The first 2 cases are just sanity
checks but the 3rd case involving an IPv4-mapped IPv6 address is the
real target of this test addition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13839
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@samba.org>
(cherry picked from commit
d9286701cd9253bf3b42cac3d850ae8c23743e6d)
Zhu Shangzhong [Tue, 12 Mar 2019 12:49:48 +0000 (20:49 +0800)]
ctdb: Initialize addr struct to zero before reparsing as IPV4
Failed to kill the tcp connection that using IPv4-mapped IPv6 address
(e.g. ctdb_killtcp eth0 ::ffff:192.168.200.44:2049
::ffff:192.168.200.45:863).
When the ctdb_killtcp is used to kill the tcp connection, the IPs and
ports in the connection will be parsed to conn.client and conn.server
(call stack: main->ctdb_sock_addr_from_string->ip_from_string). In
the ip_from_string, as we are using IPv4-mapped IPv6 addresses, the
ipv6_from_string will be used to parse ip to addr.ip6 first. The next
step the ipv4_from_string will be used to reparse ip to addr.ip.
As a result, the data that dump from conn.server is "2 0 8 1 192 168
200 44 0 0 0 0 0 0 0 0 0 0 255 255 192 168 200 44 0 0 0 0", the data
from conn.client is "2 0 3 95 192 168 200 45 0 0 0 0 0 0 0 0 0 0 255 255
192 168 200 45 0 0 0 0". The connection will be add to conn_list by
ctdb_connection_list_add. Then the reset_connections_send uses conn_list
as parameter to start to reset connections in the conn_list.
In the reset_connections_send, the database "connections" will be
created. The connections from conn_list will be written to the
database(call db_hash_add), and use the data that dump from conn_client
and conn_server as key.
In the reset_connections_capture_tcp_handler, the
ctdb_sys_read_tcp_packet will receive data on the raw socket. And
extract the IPs and ports from the tcp packet. when extracting IP and
port, the tcp4_extract OR tcp6_extract will be used. Then we got the
new conn.client and conn.server. the data that dump from the
conn.server is "2 0 8 1 192 168 200 44 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0", the data from conn.client is "2 0 3 95 192 168 200 45 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0". Finally, we use the data as key to check
if this connection is one being reset(call db_hash_delete). The
db_hash_delete will return ENOENT. Because the two key that being used
by db_hash_delete and db_hash_add are different.
So, the TCP RST will be NOT sent for the connection forever. We should
initialize addr struct to zero before reparsing as IPV4 in the
ip_from_string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13839
Signed-off-by: Zhu Shangzhong <zhu.shangzhong@zte.com.cn>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@samba.org>
(cherry picked from commit
539b5ff32b32b7c75dfaaa119e41f5af6ff1e6fc)
Martin Schwenke [Wed, 6 Mar 2019 08:16:55 +0000 (19:16 +1100)]
ctdb-packaging: Test package requires tcpdump
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13838
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@samba.org>
(cherry picked from commit
957c38b65ca060eabe1e676f8dfb54839d706155)
Martin Schwenke [Wed, 6 Mar 2019 03:36:01 +0000 (14:36 +1100)]
ctdb-packaging: ctdb package should not own system library directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13838
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@samba.org>
(cherry picked from commit
b2b8dce4fc56c27ef0131104b316346565369dd7)
Andreas Schneider [Tue, 12 Mar 2019 10:40:30 +0000 (11:40 +0100)]
s3:client: Fix smbspool device uri handling
If we are executed as a CUPS backend, argv[0] is set to the device uri.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
69d7a496d3bf52eaa10e81132bb61430863fdd8a)
Andreas Schneider [Tue, 12 Mar 2019 09:09:14 +0000 (10:09 +0100)]
s3:client: Make sure we work on a copy of the title
We can't be sure we can write to the input buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
129ae27946318a075e99c9e6d1bacf8963f72282)
Andreas Schneider [Fri, 4 Jan 2019 08:21:24 +0000 (09:21 +0100)]
s3:client: Evaluate the AUTH_INFO_REQUIRED variable set by cups
This should not switch to username,password if cups has been configured
to use negotiate (Kerberos authentication).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
5274b09fbaa5e45cc58f3301818d4e9f6a402845)
Andreas Schneider [Tue, 12 Mar 2019 08:40:58 +0000 (09:40 +0100)]
s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to smbspool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
43160184d254a57f87bb2adeba47f48d8539533a)
Andreas Schneider [Tue, 12 Mar 2019 09:15:05 +0000 (10:15 +0100)]
s3:script: Fix jobid check in test_smbspool.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
Martin Schwenke [Thu, 7 Mar 2019 04:53:31 +0000 (15:53 +1100)]
ctdb-tests: Build cluster mutex path manually
CTDB_CLUSTER_MUTEX_HELPER can't be depended on because it is only set
when the tests are not installed and setting it unconditionally for
this particular use would be wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@samba.org>
(cherry picked from commit
a215d2017f95974913a7e97c25e5fc613bb79c26)
Stefan Metzmacher [Fri, 1 Mar 2019 14:48:18 +0000 (15:48 +0100)]
ndr_spoolss_buf: fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13818
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
6da3664f8a11397fd3fb38e89c2432b8bf321e59)
Amitay Isaacs [Fri, 15 Mar 2019 01:14:27 +0000 (12:14 +1100)]
ctdb-version: Simplify version string usage
There is no need to write SAMBA_VERSION_STRING as CTDB_VERSION_STRING.
Wherever required use SAMBA_VERSION_STRING directly.
Avoids the confusion with two version.h files.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789
Signed-off-by: Amitay Isaacs <amitay@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Mar 15 06:31:50 UTC 2019 on sn-devel-144
(cherry picked from commit
edd4a23d7632af51f4d7b4287917b7fa0dced963)
Martin Schwenke [Thu, 7 Mar 2019 06:53:25 +0000 (17:53 +1100)]
ctdb-build: Drop creation of .distversion in tarball
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
148306674d0e4706adca3e5dcbb779c51a2c03da)
Stefan Metzmacher [Fri, 16 Jun 2017 10:15:25 +0000 (12:15 +0200)]
ctdb-build: use a fixed ctdb_version.h using SAMBA_VERSION_STRING
This way we don't get constant rebuild as SAMBA_VERSION_STRING
is "4.7.0pre1.DEVELOPERBUILD" for the binaries under bin/
instead of "4.7.0pre1.GIT.
59e51f6".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
05c28fee21c0cc986cb8301f4199595cdb13faee)
Karolin Seeger [Tue, 19 Mar 2019 09:57:53 +0000 (10:57 +0100)]
VERSION: Bump version up to 4.10.1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 19 Mar 2019 09:57:00 +0000 (10:57 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.0 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 19 Mar 2019 09:55:47 +0000 (10:55 +0100)]
VERSION: Bump version up to 4.10.0.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 19 Mar 2019 09:54:30 +0000 (10:54 +0100)]
WHATSNEW: Add release notes for Samba 4.10.0.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Andreas Schneider [Thu, 7 Mar 2019 11:31:42 +0000 (12:31 +0100)]
lib:util: Move debug message for mkdir failing to log level 1
If you connnect to a host with smbclient this gets always printed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13823
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c71334ec0c92e791022a9b7c900aa0dd649226c2)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Mar 13 12:15:10 UTC 2019 on sn-devel-144
Christof Schmitt [Tue, 5 Mar 2019 18:56:49 +0000 (11:56 -0700)]
lib/winbind_util: Add winbind_xid_to_sid for --without-winbind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13813
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 6 01:53:16 UTC 2019 on sn-devel-144
(cherry picked from commit
4125ff89e44a3e98882cfc38c06e559a6e1e56a5)
Christof Schmitt [Tue, 5 Mar 2019 18:50:48 +0000 (11:50 -0700)]
lib/winbind_util: Move include out of ifdef
This fixes compile errors about missing prototypes with
--picky-developer and --without-winbind
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4b1e4c22128bdefe549a58b181e9b755854f4c3e)
Christof Schmitt [Wed, 6 Mar 2019 19:55:32 +0000 (11:55 -0800)]
passdb: Update ABI to 0.27.2
This change is for the backport only. The change in master increased the
ABI version to 0.28.0 and removed some functions; this should not happen
in a backport.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 26 Feb 2019 14:17:36 +0000 (15:17 +0100)]
passdb: Make [ug]id_to_sid use xid_to_sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
40de67f1fcc46b7a64a7364c91dcedb474826d51)
Volker Lendecke [Tue, 26 Feb 2019 14:10:21 +0000 (15:10 +0100)]
passdb: Introduce xid_to_sid
This explicitly avoids the legacy_[ug]id_to_sid calls, which create
long-term cache entries to S-1-22-x-y if anthing fails. We can't do
this, because this will turn temporary winbind communication failures
into long-term problems: A short hickup in winbind_uid_to_sid will
create a mapping to S-1-22-1-uid for a week. It should be up to the
lower layers to do the caching.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
92f27ebb14c0c18b1d0fd49544ad851aeb14781c)
Volker Lendecke [Tue, 26 Feb 2019 13:45:32 +0000 (14:45 +0100)]
lib: Introduce winbind_xid_to_sid
This does not merge a winbind communication error into
"global_sid_NULL" (S-1-0-0), which by the way non-intuitively does not
go along with is_null_sid(). Instead, this just touches the output sid
when winbind returned success. This success might well be a negative
mapping indicated by S-0-0, which *is* is_null_sid()...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
ef706a3e63b3e25edd27e0f99c3e2d8ff7209cb6)
Volker Lendecke [Tue, 26 Feb 2019 13:34:56 +0000 (14:34 +0100)]
winbind: Use idmap_cache_find_xid2sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
bc9824bd42d9370279819ea0d927e236f6041324)
Volker Lendecke [Wed, 27 Feb 2019 13:54:12 +0000 (14:54 +0100)]
torture: Add tests for idmap cache
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
e5a903bab6eda8f7ff2a7c8149d51022d9d8aede)
Volker Lendecke [Tue, 26 Feb 2019 13:32:52 +0000 (14:32 +0100)]
idmap_cache: Introduce idmap_cache_find_xid2sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
bb8122dd8c53bb307819a79b7888cc0940a7c13b)
Volker Lendecke [Mon, 25 Feb 2019 13:55:00 +0000 (14:55 +0100)]
winbind: Now we explicitly track if we got ids from cache
This now properly makes us use negative cache entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
95d33ca79cc315f1a2e41cd60859ef01d6548c77)
Volker Lendecke [Tue, 26 Feb 2019 11:52:28 +0000 (12:52 +0100)]
winbind: Initialize "expired" parameter to idmap_cache_xid2sid
The code in idmap_cache only touches its output parameters upon success
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
8c28c12702c0935a852c7fed6565987623f09fee)
Volker Lendecke [Tue, 26 Feb 2019 11:46:39 +0000 (12:46 +0100)]
idmap_cache: Only touch "sid" on success in find_xid_to_sid
Why? This makes the negative mapping condition (is_null_sid) more
explicit in the code.
The callers in lookup_sid initialized "psid" anyway before, and the ones
in wb_xids2sids now do as well. This is more in line with other APIs we
have: Only touch output parameters if you have something to say.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
4faf3e9f6da7515fc263d79f77226d105c2f8524)
Volker Lendecke [Mon, 25 Feb 2019 13:38:50 +0000 (14:38 +0100)]
lib: Make idmap_cache return negative mappings
Without this we'd query non-existent mappings over and over
again.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
(cherry picked from commit
d9303e8eb90d48f09f2e2e8bdf01f4a7c3c21d11)
Ralph Boehme [Sun, 3 Mar 2019 21:09:26 +0000 (22:09 +0100)]
CI: don't use swap
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 4 13:59:42 UTC 2019 on sn-devel-144
(adapted from from commit
7798bc14fbdae3461eb30421923d53978b3f781d
by Andrew Bartlett)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Mon Mar 11 11:50:37 UTC 2019 on sn-devel-144
Joe Guo [Wed, 30 Jan 2019 02:52:08 +0000 (15:52 +1300)]
s4/scripting/bin: open unicode files with utf8 encoding and write unicode string
In files like `libcli/util/werror_err_table.txt` and `libcli/util/ntstatus_err_table.txt`,
there were unicode quote symbols at line 6:
...(“this documentation”)...
In `libcli/util/wscript_build`, it will run `gen_werror.py` and `gen_ntstatus.py`
to `open` above files, read content from them and write to other files.
When encoding not specified, `open` in both python 2/3 will guess encoding from locale.
When locale is not set, it defaults to POSIX or C, and then python will use
encoding `ANSI_X3.4-1968`.
So, on a system locale is not set, `make` will fail with encoding error
for both python 2 and 3:
File "/home/ubuntu/samba/source4/scripting/bin/gen_werror.py", line 139, in main
errors = parseErrorDescriptions(input_file, True, transformErrorName)
File "/home/ubuntu/samba/source4/scripting/bin/gen_error_common.py", line 52, in parseErrorDescriptions
for line in file_contents:
File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 318: ordinal not in range(128)
In this case, we have to use `io.open` with `encoding='utf8'`.
However, then we got unicode strs and try to write them with other strs
into new file, which means the new file must also open with utf-8 and
all other strs have to be unicode, too.
Instead of prefix `u` to all strs, a more easier/elegant way is to enable
unicode literals for the python scripts, which we normally didn't do in samba.
Since both `gen_werror.py` and `gen_ntstatus.py` are bin scripts and no
other modules import them, it should be ok for this case.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Feb 8 06:34:47 CET 2019 on sn-devel-144
(cherry picked from commit
87149445af26b8577566dfe5e311b32e3650c6e6)
Ralph Boehme [Fri, 1 Mar 2019 17:57:23 +0000 (18:57 +0100)]
libcli/security: fix handling of deny type ACEs in access_check_max_allowed()
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8d355dd9769e8990ce998b4c9f28977669b43616)
Ralph Boehme [Sun, 3 Mar 2019 07:33:51 +0000 (08:33 +0100)]
s4:torture: Add test_deny1().
Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
b205d695d769e910a91bec87451dec189ec33740)
Jeremy Allison [Thu, 28 Feb 2019 22:59:01 +0000 (14:59 -0800)]
s4:torture: Add test_owner_rights_deny1().
Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when
calculating maximum access already seen allow bits are not removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0ebd8c99aed28a0ba43a22c429837f66f7e94409)
Ralph Boehme [Fri, 1 Mar 2019 17:20:35 +0000 (18:20 +0100)]
libcli/security: correct access check and maximum access calculation for Owner Rights ACEs
We basically must process the Owner Rights ACEs as any other ACE wrt to the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.
We just have to do some initial magic to determine if an ACL contains and
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:
-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
IF DACL does not contain ACEs from object owner THEN
Remove READ_CONTROL and WRITE_DAC from RemainingAccess
Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
END IF
END IF
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
9722f75757c0e38c7f42c7cc310d56aa6eaf6392)
Jeremy Allison [Thu, 28 Feb 2019 22:37:09 +0000 (14:37 -0800)]
s4:torture: Add test_owner_rights_deny().
Shows that owner and SID_OWNER_RIGHTS ACE
entries interact in max permissions requests.
Tested against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
fadc4c1bc5fcc3b2d9daea44ef8daf8a8ae0fbe2)
Jeremy Allison [Thu, 28 Feb 2019 21:55:31 +0000 (13:55 -0800)]
s4:torture: Fix the test_owner_rights() test to show permissions are additive.
Tested against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
2e181e34c48c879235c5dc64bd7ab2b59781810c)
Ralph Boehme [Wed, 27 Feb 2019 17:07:03 +0000 (18:07 +0100)]
libcli/security: add "Owner Rights" calculation to access_check_max_allowed()
This was missing in
44590c1b70c0a24f853c02d5fcdb3c609401e2ca.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
(cherry picked from commit
5cf0764bc4b65dbc59d8626760dbe946a2234833)
Ralph Boehme [Thu, 28 Feb 2019 13:48:02 +0000 (14:48 +0100)]
s4:torture: add a Maximum Access check with an Owner Rights ACE
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit
3ca38d2cd1189a5040e13ddab016063280be2b4d)
Ralph Boehme [Thu, 28 Feb 2019 13:47:18 +0000 (14:47 +0100)]
s4:libcli: remember return code from maximum access
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit
9f4ee05295827c9a607e1f63694a17906f777176)
Andrew Bartlett [Mon, 11 Mar 2019 01:20:55 +0000 (14:20 +1300)]
autobuild: Add -py2 tests for new split backup/restore testenvs
This ensures Python2 coverage for this code while it remains supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13780
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Tue, 5 Feb 2019 02:17:03 +0000 (15:17 +1300)]
autobuild: Split backup/restore testenvs out into separate job
The samba-ad-dc-2 job was reaching its limits with the number of
testenvs and what the resource-limited CI machines can handle.
Samba processes were getting swapped out of memory, causing CI runs
to fail.
This patch splits the backup/restore testenv targets into a separate
autobuild job: samba-ad-dc-backup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13780
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb 5 12:23:31 CET 2019 on sn-devel-144
(cherry picked from commit
95b2c9d7751ae1e5a00e1fb096f045dd73c03d72)
Björn Jacke [Wed, 23 Jan 2019 13:01:26 +0000 (14:01 +0100)]
sambaundoguididx: use the right escaped oder unescaped sam ldb files
the correct filename is taken from the partition database before, we should not
unescape that because this can result in a new unescaped ldb file being created
and the script not to work at all.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13759
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
cd1ac3668cd164bd5f7cadf7b59df9541aaef83e)
Andrew Bartlett [Tue, 5 Mar 2019 01:38:41 +0000 (01:38 +0000)]
s4-server: Open and close a transaction on sam.ldb at startup
This fixes upgrading from 4.7 and earlier releases, and makes the DB
reindexing more transparent. It should also make it easier to handle
future normalisation rule changes, e.g. if we change the pack-format
of integer indexes in a future release.
Without this change, the should have still handled reindexing the
database. We don't know why exactly this wasn't happening correctly,
but opening a transaction early in the samba process startup should
now guarantee that the DB is correctly reindexed by the time the main
samba code runs.
An alternative fix would have been to open a transaction in the the
DSDB module stack every time we connect to the database. However, this
would add an extra write lock every time we open the DB, whereas
starting samba happens much more infrequently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13760
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 7 04:58:42 UTC 2019 on sn-devel-144
(cherry picked from commit
8b18da27cf261b0283fe66d2b827cab542488ac7)
Günther Deschner [Fri, 22 Feb 2019 14:44:59 +0000 (15:44 +0100)]
WHATSNEW: mention new vfs_glusterfs_fuse module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Mar 6 14:00:05 UTC 2019 on sn-devel-144
Karolin Seeger [Tue, 5 Mar 2019 10:21:02 +0000 (11:21 +0100)]
VERSION: Bump version up to 4.10.0rc5...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Mar 6 00:34:53 UTC 2019 on sn-devel-144
Karolin Seeger [Tue, 5 Mar 2019 10:20:16 +0000 (11:20 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.0rc4 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 5 Mar 2019 10:19:43 +0000 (11:19 +0100)]
WHATSNEW: Add release notes for Samba 4.10.0rc4.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Garming Sam [Thu, 28 Feb 2019 03:21:57 +0000 (16:21 +1300)]
WHATSNEW: Add some detail on the changes to paged results
Signed-off-by: Garming Sam <garming@catalyst.net.nz>