Douglas Bagnall [Sun, 11 Mar 2018 23:29:28 +0000 (12:29 +1300)]
samba-tool drs replicate: make pseudo-method a real method
This function can't function without a cmd_drs_replicate class, so it might as well be inside
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 8 Mar 2018 04:42:18 +0000 (17:42 +1300)]
samba-tool visualise: --xdot option for instant graphviz visualisation
This is a convenience for people who have xdot (and X11).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 8 Mar 2018 01:29:40 +0000 (14:29 +1300)]
samba-tool visualize: mark RODCs in distance matrix
RODCs should not be replicating out, which means they look alarming
when they are working properly. We label them as RODCs to remind users
that no outbound replication is expected.
This results in slightly rejigged output formatting.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 7 Mar 2018 00:55:08 +0000 (13:55 +1300)]
samba-tool visualize ntdsconn: add --importldif option
This visualizes the NTDSConnections in an LDIF file exported via
`samba_kcc --exportldif`. This functionality is already available in a
roundabout way -- you can use `samba_kcc --import_ldif`, and use the
DB that generates. This just shortens the process.
The ldif import/export feature is useful for analysing AD networks
offsite without exposing too much sensitive data.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2018 22:12:53 +0000 (11:12 +1300)]
samba-tool visualize tests: reduce noise on stdout
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2018 22:11:27 +0000 (11:11 +1300)]
samba-tool visualize: group (and colour) DCs by site
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 30 May 2018 15:03:55 +0000 (17:03 +0200)]
selftest: Fix resolv_wrapper config variables
It can't really matter in this case, but it removes confusion
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 30 21:46:53 CEST 2018 on sn-devel-144
Ralph Boehme [Sat, 26 May 2018 16:32:21 +0000 (18:32 +0200)]
s3:smbd: don't allow renaming basefile if streams are open
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 27 May 2018 11:03:25 +0000 (13:03 +0200)]
s3:locking: add file_has_open_streams()
This can be used to check if a file opened by fsp also has stream opens.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 27 May 2018 11:01:50 +0000 (13:01 +0200)]
s3:smbd: add private option NTCREATEX_OPTIONS_PRIVATE_STREAM_BASEOPEN
This will be used to mark basefile opens of stream opens. This is
needed to later implement a function that can determine if a file has
stream opens.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 26 May 2018 16:33:00 +0000 (18:33 +0200)]
s4:torture/vfs/fruit: adjust test testing basefile rename to expect failure
Renaming a basefile that has open streams must fail with
NT_STATUS_ACCESS_DENIED.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 26 May 2018 14:07:14 +0000 (16:07 +0200)]
s4:torture/smb2/streams: try to rename basefile while it has open streams
This tests the following:
- create a file with a stream
- open the stream and keep it open
- on a second connection, try to rename the basefile, this should fail
with NT_STATUS_ACCESS_DENIED
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 26 May 2018 14:30:47 +0000 (16:30 +0200)]
selftest: run smb2.streams tests against a share with vfs_streams_xattr
The tests are currently only run against streams_depot, where stream IO
is handle based, compared to streams_xattr which is path
based. vfs_streams_xattr is also used much more in real world setups, so
we should run our tests against it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tim Beale [Thu, 24 May 2018 03:27:45 +0000 (15:27 +1200)]
dsdb: Add log when ignoring a replicated object outside of partition
This is probably a noteworthy event for debugging purposes.
(Found while developing the domain rename functionality)
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 30 07:03:51 CEST 2018 on sn-devel-144
Andrew Bartlett [Thu, 24 May 2018 02:35:15 +0000 (14:35 +1200)]
selftest: Use samba.tests.create_test_ou() in replica_sync tests
This may avoid some flapping tests by ensuring that each part of this
test runs in a unique namespace, no matter what may be left behind
or revived via replication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 21:37:27 +0000 (09:37 +1200)]
selftest: Use samba.tests.create_test_ou() in repl_move tests
This may avoid some flapping tests by ensuring that each part of this
test runs in a unique namespace, no matter what may be left behind
or revived via replication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 24 May 2018 08:28:13 +0000 (20:28 +1200)]
selftest: Make create_test_ou() return a ldb.Dn
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Mon, 21 May 2018 02:31:57 +0000 (14:31 +1200)]
dsdb partition.c: Make partition_copy_all async.
partition_copy_all uses ldb_wait to wait for the update to the primary
partition to complete, when updating a special dn. If a module higher
up the chain inserts a callback, the code blocks in ldb_wait and does
not complete. This change replaces the ldb_wait logic with a callback.
Currently there is no code that triggers this bug, however the upcoming
audit logging changes do trigger this bug.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 19 Mar 2018 23:58:02 +0000 (12:58 +1300)]
ldb: Release ldb 1.4.0
* New LMDB backend (experimental)
* Comprehensive tests for index behaviour
* Enforce transactions for writes
* Enforce read lock use for all reads
* Fix memory leak in paged_results module.
We hold at most 10 outstanding paged result cookies
(bug #13362)
* Fix compiler warnings
* Python3 improvements
* Restore --disable-python build
* Fix for performance regression on one-level searches
(bug #13448)
* Samba's subtree_rename could fail to rename some entries
(bug #13452)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 23 May 2018 05:31:03 +0000 (17:31 +1200)]
selftest: Add test to show that sam.ldb does not do a full scan in startup
We should add some other more complex operations here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 23 May 2018 05:15:38 +0000 (17:15 +1200)]
ldb: Add tests for when we should expect a full scan
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 22:04:29 +0000 (10:04 +1200)]
ldb: One-level search was incorrectly falling back to full DB scan
When no search filter is specified, the code falls back to using
'(|(objectClass=*)(distinguishedName=*)'. ltdb_index_dn() then failed
because matching against '*' is not indexed. The error return then
caused the code to fall back to a full-scan of the DB, which could have a
considerable performance hit.
Instead, we want to continue on and do the ltdb_index_filter() over the
indexed results that were returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 02:12:52 +0000 (14:12 +1200)]
ldb: Explain why an entry can vanish from the index
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 01:02:16 +0000 (13:02 +1200)]
ldb: Indicate that the ltdb_dn_list_sort() in list_union is a bit subtle.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 01:01:18 +0000 (13:01 +1200)]
ldb: Save a copy of the index result before calling the callbacks.
Otherwise Samba modules like subtree_rename can fail as they modify the
index during the callback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13452
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 27 May 2018 23:17:34 +0000 (11:17 +1200)]
subtree_rename: Correct comments
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 27 May 2018 22:56:21 +0000 (10:56 +1200)]
dsdb: Remove sort from subtree_delete and add comments.
The sort was written back when the module did not operate recursively
over the tree. Now it is just confusing, so replace with useful
comments.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 27 May 2018 21:28:36 +0000 (09:28 +1200)]
selftest: Lock down the expected parents in BasicTreeDeleteTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 27 May 2018 20:44:51 +0000 (08:44 +1200)]
selftest: Rework BasicDeleteTests.test_all() into setUp() and a test
This will allow running multiple tests against the same tree. This tree
is very similar to the tree produced by the KCC test that simply does a
tree_delete, and I want to lock down the tree_delete behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 22:40:56 +0000 (10:40 +1200)]
samldb: Explain why the odd error code is expected.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 22:39:39 +0000 (10:39 +1200)]
samldb: Add useful error string to explain why a group may not be deleted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Mon, 28 May 2018 22:46:50 +0000 (10:46 +1200)]
tests: Fix intermittent error in PSO test
Deleting a group fails if the primaryGroupID of a user is set to that of
the group. This can happen in the PSO tests, as we don't clear the
primaryGroupID before cleaning up. Normally it seems to work OK, but
this is relying purely on the subtree delete order.
Update the test to clear the primaryGroupID before the tearDown is
called, to make things more robust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 29 May 2018 22:06:54 +0000 (10:06 +1200)]
repl_meta_data: Cope with the strange but unusual case of isDeleted: FALSE in replmd_process_linked_attribute()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 29 May 2018 04:52:14 +0000 (16:52 +1200)]
repl_meta_data: Remove el_count from replmd_delete_internals()
Instead, use the actual found attribute (less error prone).
This is an attempt to fix:
./source4/dsdb/repl/replicated_objects.c:945 Failed to prepare commit of transaction:
attribute isDeleted: invalid modify flags on CN=g1_1527558311141,CN=Users,DC=samba,DC=example,DC=com: 0x0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 29 May 2018 04:50:16 +0000 (16:50 +1200)]
s4-repl: Try to give more information in the error codes for prepare_commit failure.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 29 May 2018 04:14:45 +0000 (16:14 +1200)]
ldb: Reset error string before running prepare_commit() hook
This ensures that the error string returned to the caller reflects a failure in this call.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Ralph Boehme [Thu, 17 May 2018 14:48:09 +0000 (16:48 +0200)]
vfs_fruit: delete 0 byte size streams if AAPL is enabled
macOS SMB server uses xattrs as storage backend for streams, directly
exposing xattr get/set characteristics. Setting EOF on a stream to 0
just deletes the xattr as macOS doesn't support 0-byte sized xattrs.
Note that this does not apply to the AFP_AfpInfo and AFP_Resource
streams, they have even stranger semantics and we have other tests
for those.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 30 02:34:29 CEST 2018 on sn-devel-144
Ralph Boehme [Thu, 17 May 2018 14:43:49 +0000 (16:43 +0200)]
s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensions
macOS SMB server uses xattrs as storage backend for streams, directly
exposing xattr get/set characteristics. Setting EOF on a stream to 0
just deletes the xattr as macOS doesn't support 0-byte sized xattrs.
Note that this does not apply to the AFP_AfpInfo and AFP_Resource
streams, they have even stranger semantics and we have other tests
for those.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 18 May 2018 23:36:21 +0000 (01:36 +0200)]
s4:torture/vfs/fruit: decrease large resource fork size in test from 1 GB to 64 MB
64 MB is a more realistic value and lets the test pass on FreeBSD with
fruit:resource=stream and vfs_streams_xattr.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
William Brown [Sat, 19 May 2018 02:19:58 +0000 (12:19 +1000)]
python/samba/netcmd/schema.py: samdb schema update now
When we change schema values, we should trigger a schema update to refresh
the changes applied. This is called after a change is made. A helper to
samdb is added so that it's easier for other locations to call additionally.
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 29 08:30:52 CEST 2018 on sn-devel-144
William Brown [Mon, 28 May 2018 00:30:39 +0000 (10:30 +1000)]
python/samba/tests/samba_tool/schema.py: Improve schema command testing
Assert the correct stdout content of the schema test commands.
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
William Brown [Sun, 29 Apr 2018 01:28:42 +0000 (13:28 +1200)]
python/samba/netcmd/schema.py: add schema show_oc for attribute
Often administrators need to add a specific attribute to an object, but
it may not be possible with the objectClasses present. This tool allows
searching "what objectclasses must or may?" take an attribute to help hint
to an administrator what objectclasses can be added to objects to achieve
the changes they want.
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
William Brown [Sat, 28 Apr 2018 05:22:29 +0000 (15:22 +1000)]
python/samba/netcmd/schema.py: add schema query and management.
Schema management in active directory is complex and dangerous. Having
a tool that safely wraps administrative tasks as well as allowing query
of the schema will make this complex topic more accessible to administrators.
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
William Brown [Thu, 26 Apr 2018 03:59:06 +0000 (13:59 +1000)]
python/samba/netcmd/group.py: add group show
The samba-tool user command can show the ldif of a user. This is
useful for groups also, especially to determine the objectSID and
objectGUID. Add support for group show to samba-tool.
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
William Brown [Wed, 25 Apr 2018 07:36:17 +0000 (17:36 +1000)]
python/samba/netcmd/{forest.py,main.py}: add configuration controls
With samba-tool we should expose ways to easily administer and control
common configuration options. This adds the base framework for modifying
forest settings, generally stored in cn=configuration partition.
An example is:
samba-tool forest directory_service show
samba-tool forest directory_service dsheuristics X
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 28 May 2018 10:35:20 +0000 (22:35 +1200)]
torture: Cope with WINBINDD_SHOW_SEQUENCE failure for fake trusts
This test has been flapping and we should not be checking the
sequence number of remote trusts in a loop like this. We can write
a test against the trusts we specifically set up if we want to check
remote sequence numbers (and connectivity) against actually working
domains.
When flapping the previous version of the test gave:
WARNING!: ../source4/torture/winbind/struct_based.c:812: WINBINDD_SHOW_SEQUENCE returned 0, expected 1: WINBINDD_SHOW_SEQUENCE
WARNING!: WINBINDD_SHOW_SEQUENCE on domain torturedom failed
Trust list for WINBINDD_SHOW_SEQUENCE was:
BUILTIN
S4MEMBER
SAMBADOMAIN
torturedom
WARNING!: ../source4/torture/winbind/struct_based.c:812: WINBINDD_SHOW_SEQUENCE returned 0, expected 1: WINBINDD_SHOW_SEQUENCE
WARNING!: WINBINDD_SHOW_SEQUENCE on domain TORTURE302 failed
Trust list for WINBINDD_SHOW_SEQUENCE was:
BUILTIN
S4MEMBER
SAMBADOMAIN
TORTURE302
TORTURE306
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 29 02:31:40 CEST 2018 on sn-devel-144
Kai Blin [Sun, 27 May 2018 06:38:19 +0000 (08:38 +0200)]
talloc: Fix some typos in the comments
Now with even more typos fixed. Thanks Rowland.
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Mon May 28 16:16:17 CEST 2018 on sn-devel-144
Christof Schmitt [Tue, 22 May 2018 19:52:58 +0000 (12:52 -0700)]
vfs_gpfs: Use full_path_tos instead of talloc_asprintf
full_path_tos avoids the talloc call for most cases; use that instead of
talloc_asprintf.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat May 26 01:43:09 CEST 2018 on sn-devel-144
Christof Schmitt [Tue, 22 May 2018 19:25:42 +0000 (12:25 -0700)]
vfs_gpfs: Remove get_full_smb_filename from is_offline check
No stream information is required here.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Tue, 22 May 2018 19:22:06 +0000 (12:22 -0700)]
vfs_gpfs: Remove wrong get_full_smb_filename from ntimes function
Updating the timestamps requires the path to the file, but no stream
information.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 23 May 2018 22:04:08 +0000 (15:04 -0700)]
vfs_gpfs: Adjust debug level when get_winattrs returns EBADF
This is returned for a get_winattrs call against a non-gpfs file system.
This can happen for the .. entry when listing a share on the file system
root.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 16 May 2018 20:25:54 +0000 (13:25 -0700)]
smbd: Move dfree_info struct
As the struct is no longer used as part of connection_struct, move it to
dfree.c.
This is not backported, as it would change the VFS ABI.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Sat, 19 May 2018 03:51:58 +0000 (20:51 -0700)]
smbd: Flush dfree memcache on service reload
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 16 May 2018 20:17:52 +0000 (13:17 -0700)]
smbd: Cache dfree information based on query path
Sub directories in a SMB share can have different free space information
(e.g. when a different file system is mounted there). Caching the dfree
information per SMB share will return invalid data. Address this by
switching to memcache and store the cached data based on the query path.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 16 May 2018 20:05:36 +0000 (13:05 -0700)]
memcache: Add new cache type for dfree information
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 23 May 2018 18:25:42 +0000 (11:25 -0700)]
selftest: Add test for 'dfree cache'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 23 May 2018 18:07:54 +0000 (11:07 -0700)]
selftest: Add dfq_cache share with 'dfree cache time' set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 18 May 2018 18:52:23 +0000 (11:52 -0700)]
s3: vfs_fake_acls: Correctly implement the chmod/fchmod algorithm on fake acls.
We now pass samba3hide(nt4_dc), so remove it from knownfail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 25 21:29:32 CEST 2018 on sn-devel-144
Jeremy Allison [Fri, 18 May 2018 18:50:44 +0000 (11:50 -0700)]
s3: smbd: Make map_acl_perms_to_permset() extern.
The vfs_fake_acl module will need it to implement chown/fchown.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Fri, 18 May 2018 18:49:09 +0000 (11:49 -0700)]
s3: smbd: Make unix_perms_to_acl_perms() extern.
The vfs_fake_acl module will need it to implement chown/fchown.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Fri, 18 May 2018 18:37:22 +0000 (11:37 -0700)]
s3: posix_acls: Remove unused 'connection_struct *conn' parameter to map_acl_perms_to_permset().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:49:55 +0000 (11:49 -0700)]
s3: posix_acls: Remove dead functions fchmod_acl()/chmod_acl().
No longer used.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:48:55 +0000 (11:48 -0700)]
s3: VFS: Remove SMB_VFS_FCHMOD_ACL().
No longer used.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:42:03 +0000 (11:42 -0700)]
s3: torture: Remove cmd_fchmod_acl().
No longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:46:21 +0000 (11:46 -0700)]
s3: modules: vfs_ceph: Remove FCHMOD_ACL in cephwrap_fchmod().
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:45:05 +0000 (11:45 -0700)]
s3: modules: vfs_default: Remove FCHMOD_ACL in fchmod.
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:32:58 +0000 (11:32 -0700)]
s3: VFS: Remove SMB_VFS_CHMOD_ACL().
No longer used.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:21:14 +0000 (11:21 -0700)]
s3: torture: Remove cmd_chmod_acl().
No longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:19:33 +0000 (11:19 -0700)]
s3: modules: vfs_ceph: Remove CHMOD_ACL in cephwrap_chmod().
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:18:12 +0000 (11:18 -0700)]
s3: modules: vfs_ceph: Remove CHMOD_ACL in cephwrap_mkdir().
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:05:20 +0000 (11:05 -0700)]
s3: modules: vfs_default: Remove CHMOD_ACL in chmod.
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 18:03:53 +0000 (11:03 -0700)]
s3: modules: vfs_default: Remove CHMOD_ACL in mkdir.
Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed. If the mkdir
succeeded it's already set the correct mode.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 17:38:34 +0000 (10:38 -0700)]
s3: smbd: Use FCHMOD call, not FCHMOD_ACL call if mode bits reset needed.
This is a behavior change, it will modify the POSIX ACL mask
from a value of rwx instead of modifying the existing ACE
entries to be ANDed with the passed in mode. However it
will have no effect on the underlying permissions, and
better reflects the proper use of POSIX ACLs (i.e. I
didn't understand the use of the mask entry in the
ACL when I first wrote the POSIX ACL code).
In addition, the vfs_acl_common.c module already
filters these calls for all but POSIX opens, which
means the only place this change is exposed to the
client would be a cifsfs unix extensions client doing
posix acl calls (and they would expect the mask to
be set like this on chmod).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 17:35:58 +0000 (10:35 -0700)]
s3: smbd: Optimization. Only do the FCHMOD_ACL call if mode bits not equal.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 17:33:38 +0000 (10:33 -0700)]
s3: smbd: optimization. Only do the FCHMOD call if needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 17:27:11 +0000 (10:27 -0700)]
s3: smbd: Remove use of SMB_VFS_FCHMOD_ACL() in overwrite case.
We have potentially called SMB_VFS_FCHMOD() here in
the file_set_dosmode() call associated with the comment
/* Overwritten files should be initially set as archive */
at line 3755 above, so there is no need to do any POSIX ACL
mask protection.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 17:24:35 +0000 (10:24 -0700)]
s3: smbd: Add clarifying comment on mode change on overwritten files.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 17 May 2018 16:37:23 +0000 (09:37 -0700)]
s3: smbd: Remove existing_unx_mode, an unused parameter to open_match_attributes().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Thu, 24 May 2018 09:37:43 +0000 (11:37 +0200)]
smbd: Call smbXsrv_client_global_init in the parent smbd
Otherwise we're missing the clear-if-first optimization for
smbXsrv_client_global.tdb.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri May 25 16:00:08 CEST 2018 on sn-devel-144
Volker Lendecke [Tue, 22 May 2018 08:57:47 +0000 (10:57 +0200)]
vfs_time_audit: Fix a log message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 9 May 2018 21:09:56 +0000 (09:09 +1200)]
autobuild: cover the Gentoo case with python disabled all down the stack
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri May 25 13:07:47 CEST 2018 on sn-devel-144
Timur I. Bakeyev [Fri, 18 May 2018 02:10:50 +0000 (10:10 +0800)]
Make ldb configuration --disable-python work as intended
Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 24 May 2018 01:49:11 +0000 (13:49 +1200)]
torture: Give extra information on WINBINDD_SHOW_SEQUENCE failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 23 May 2018 15:35:15 +0000 (17:35 +0200)]
s3:utils: Remove double error check
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu May 24 18:07:03 CEST 2018 on sn-devel-144
Volker Lendecke [Tue, 22 May 2018 15:10:07 +0000 (17:10 +0200)]
ldap_server: Fix CID 1435721 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 24 03:35:00 CEST 2018 on sn-devel-144
Volker Lendecke [Tue, 22 May 2018 15:08:43 +0000 (17:08 +0200)]
kdc: Fix CID 1435720 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 May 2018 11:25:41 +0000 (13:25 +0200)]
ldap_server: Fix CID 1435731 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 May 2018 11:23:33 +0000 (13:23 +0200)]
ctdbd: Fix CID 1435732 Argument cannot be negative
setenv returns its error in "errno"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 May 2018 11:20:17 +0000 (13:20 +0200)]
audit_logging: Fix CID 1435739 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 May 2018 11:17:25 +0000 (13:17 +0200)]
ctdb: Fix CID 1435740 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Fri, 18 May 2018 03:57:39 +0000 (15:57 +1200)]
autobuild: Include information of disk free in system-info.txt
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 24 00:42:48 CEST 2018 on sn-devel-144
Andrew Bartlett [Fri, 18 May 2018 03:53:33 +0000 (15:53 +1200)]
gitlab-ci: Do not hide a possible out-of-space condition by cleaning up the tree
These are VMs anyway and will soon vanish, so a cleanup is totally wasted in any case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Fri, 18 May 2018 03:51:34 +0000 (15:51 +1200)]
gitlab-ci: Include system-info.txt to give info on possible failures
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Tim Beale [Tue, 15 May 2018 21:45:32 +0000 (09:45 +1200)]
dsdb: Avoid calculating the PSO multiple times
In a typical user login query, the code tries to work out the PSO 2-3
times - once for the msDS-ResultantPSO attribute, and then again for the
msDS-User-Account-Control-Computed & msDS-UserPasswordExpiryTimeComputed
constructed attributes.
The PSO calculation is reasonably expensive, mostly due to the nested
groups calculation. If we've already constructed the msDS-ResultantPSO
attribute, then we can save ourselves extra work by just re-fetching the
result directly, rather than expanding the nested groups again from
scratch.
The previous patch improves efficiency when there are no PSOs in the
system. This should improve the case where there are PSOs that apply to
the users. (Unfortunately, it won't help where there are some PSOs in
the system, but no PSO applies to the user being queried).
Also updated sam.c so the msDS-ResultantPSO gets calculated first,
before the other constructed attributes.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed May 23 10:09:11 CEST 2018 on sn-devel-144
Tim Beale [Tue, 15 May 2018 02:02:32 +0000 (14:02 +1200)]
dsdb: Avoid performance hit if PSOs aren't actually used
The new PSO code adds some additional overhead in extra lookups. To
avoid penalizing existing setups, we can short-circuit the PSO
processing and return early if there are no actual PSO objects in the
DB. The one-level search should be very quick, and it avoids the need to
do more complicated PSO processing (i.e. expanding the nested groups).
The longer-term plan is to rework the tokenGroups lookup so that it only
gets done once, and the result can then be reused by the resultant-PSO
code (rather than computing the nested-groups again). However, in the
short-term, a slight decrease in performance is the price for any users
that want to deploy PSOs.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Thu, 10 May 2018 21:29:01 +0000 (09:29 +1200)]
tests: Add tests for domain pwdHistoryLength
This is not related to PSOs at all, but there's a minor discrepancy
between Windows and Samba password-history-length behaviour that I
noticed during PSO testing.
When the pwdHistoryLength changes from zero to non-zero, Windows
includes the user's current password as invalid immediately, whereas
Samba only includes it as invalid *after* it next changes. It's a
fairly obscure corner-case, and we might not care enough about it to
fix it. However, I've added a test case to highlight the difference and
marked it as a known-fail for now.
I also added a general pwdHistoryLength test case to show that the
basics work (this didn't seem to be tested anywhere else).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Thu, 10 May 2018 23:49:23 +0000 (11:49 +1200)]
tests: Extend passwordsettings tests to cover PSO command options
Add test cases for the new PSO samba-tool command options.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Sun, 22 Apr 2018 22:47:21 +0000 (10:47 +1200)]
netcmd: Add samba-tool support for managing PSOs
Add a new command 'samba-tool domain passwordsettings pso', with the
sub-command options: create, delete, set, list, show, show-user, apply,
unapply. The apply and unapply options apply the PSO to a user or group.
The show-user option shows the actual PSO (and its settings) that will
take effect for a given user.
The new commands are pretty self-contained in a new pso.py file. We
decided to add these new commands under the existing 'samba-tool domain
passwordsettings' command, as that's what users would be already
familiar with.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Thu, 19 Apr 2018 01:51:36 +0000 (13:51 +1200)]
dsdb: Use PSO maxPwdAge for operational msDS-PasswordExpiryTimeComputed
When calculating the Password-Expiry-Time, we should use the PSO's
max-password-age setting, if one applies to the user.
This code may be inefficient, as it may repeat the PSO-lookup work
several times (once for each constructed attribute that tries to use
it). For now, I've gone for the simplest code change, and efficiency can
be addressed in a subsequent patch (once we have a good test to measure
it).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Wed, 18 Apr 2018 22:46:48 +0000 (10:46 +1200)]
dsdb: Update password_hash to use PSO settings for password changes
Honour the settings in the PSO when changing the password, i.e.
msDS-PasswordComplexityEnabled, msDS-PasswordHistoryLength, etc.
The password_hash code populates dsdb_control_password_change_status's
domain_data with the password settings to use - these are currently
based on the settings for the domain.
Now, if the password_hash code has worked out that a PSO applies to the
user, we override the domain settings with the PSO's values.
This change means the password_settings tests now pass.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>