Alexander Bokovoy [Wed, 13 Sep 2017 08:37:34 +0000 (11:37 +0300)]
Install dcerpc/__init__.py for all Python environments
Also fix whitespace. We use tabs, not spaces in Python/waf code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13030
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Sep 14 22:29:39 CEST 2017 on sn-devel-144
Andrew Bartlett [Wed, 30 Aug 2017 03:30:04 +0000 (15:30 +1200)]
s4-provision: Ensure the dummy main-domain DB used for DLZ has an @INDEXLIST
The other databases are created from copies of the main provision, but this one
is not, so did not previously get a valid @INDEXLIST.
This is important as otherwise we will not correctly notice support for
the GUID index or new DSDB features in @SAMBA_DSDB as this is gated
on seeing @SAMBA_FEATURES_SUPPORTED in @INDEXLIST.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 04:24:35 +0000 (16:24 +1200)]
repl_meta_data: Show failing replicated entry in error code
This re-work of our LDIF printing avoids some of the privacy issue from
printing the full LDIF at level 4, while showing the entry that actually fails.
Instead, with e3988f8f74f4a11e8f26a548e0a33d20f4e863f7 we now print the DN
only at level 4, then the full message at 8.
With this patch on failure, we print the redacted failing message at 5.
While all of the DRS replication data is potentially sensitive
the passwords are most sensitive, and are now not printed unencrypted.
This discourages users from sending the full failing trace, as the
last entry is much more likely the issue.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 12 Sep 2017 02:17:35 +0000 (14:17 +1200)]
selftest: reindex in dbcheck-oldrelease after modifying the backend DB
Modifying the backend DB is not a supported operation, but helps us create test
situations.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 11 Sep 2017 03:22:23 +0000 (15:22 +1200)]
schema: Rework dsdb_schema_set_indices_and_attributes() db operations
Commit ec9b1e881c3eef503d6b4b311594113acf7d47d8 did not fully fix this.
There is no value in using dsdb_replace(), we are under the read lock
and replace just confuses things further.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13025
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 13 Sep 2017 04:13:06 +0000 (16:13 +1200)]
selftest: Check re-opening sam.ldb corrects the @ATTRIBUTES and @INDEXLIST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Martin Schwenke [Mon, 4 Sep 2017 04:54:47 +0000 (14:54 +1000)]
ctdb-protocol: Drop marshalling for monitor controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Sep 14 18:42:28 CEST 2017 on sn-devel-144
Martin Schwenke [Mon, 4 Sep 2017 04:51:38 +0000 (14:51 +1000)]
ctdb-client: Drop client code for monitor controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:51:02 +0000 (14:51 +1000)]
ctdb-client: Drop old client code for monitor controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 11 Sep 2017 00:54:03 +0000 (10:54 +1000)]
ctdb-daemon: Remove unused function ctdb_stop_monitoring()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:44:16 +0000 (14:44 +1000)]
ctdb-daemon: Drop monitoring mode
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:43:41 +0000 (14:43 +1000)]
ctdb-tests: Drop implementation of monitor controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:33:17 +0000 (14:33 +1000)]
ctdb-daemon: Drop implementation of monitor controls
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:22:44 +0000 (14:22 +1000)]
ctdb-daemon: Mark monitoring controls obsolete
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:19:10 +0000 (14:19 +1000)]
ctdb-docs: Drop mention of unimplemented commands
Some of these are only in a comment but git grep finds them.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:18:49 +0000 (14:18 +1000)]
ctdb-tools: Drop monitoring-related ctdb commands
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 11 Sep 2017 00:48:50 +0000 (10:48 +1000)]
ctdb-daemon: Don't explicitly stop monitoring during shutdown
Monitoring is skipped when not in run state RUNNING, so remove the
dependency on the monitoring code.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 1 Sep 2017 02:12:45 +0000 (12:12 +1000)]
ctdb-daemon: Don't explicitly disable monitoring around recovery
Monitoring can fail during recovery due to databases (e.g. registry)
being unavailable. This has been avoided by explicitly disabling
monitoring around recovery via the START_RECOVERY and END_RECOVERY
controls. With this approach only there is still a window between
enabling recovery mode and START_RECOVERY when monitoring could be
attempted. However, explicitly disabling monitoring is unnecessary
because monitoring is not done when a node is in recovery.
So remove the explicit disable/enable of monitoring and rely on
monitoring being skipped when recovery mode is active.
The only possible change of behaviour with this change is that there
is now a window between setting recovery mode to normal and the
END_RECOVERY control where monitoring is enabled. However, at this
point databases would be available and the "recovered" event will
cancel any in-progress monitoring.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 7 Jul 2015 10:41:05 +0000 (20:41 +1000)]
ctdb-daemon: Don't explicitly disable monitoring when stopping a node
Monitoring is now avoided for inactive nodes anyway.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 04:39:01 +0000 (14:39 +1000)]
ctdb-daemon: Skip monitoring when not in RUNNING runstate
Monitoring does not need to be done in other states.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 6 Jul 2015 05:37:23 +0000 (15:37 +1000)]
ctdb-daemon: Skip monitoring when node is inactive
This is currently handled by explicitly disabling monitoring in
various places. However, those places shouldn't need to know about
monitoring but it is OK for monitoring to know about global node
states.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 4 Sep 2017 05:33:54 +0000 (15:33 +1000)]
ctdb-tests: Drop unused monitoring status support
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Mon, 11 Sep 2017 04:05:17 +0000 (14:05 +1000)]
ctdb-client: Initialize ctdb_ltdb_header completely for empty record
ctdb_ltdb_fetch() only fills in relevant portion of ctdb_ltdb_header
if the record does not exist. This can result in uninitialized writes
to ctdb_rec_buffer.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 11 Sep 2017 05:59:19 +0000 (15:59 +1000)]
ctdb-daemon: Free up record data if a call request is deferred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13029
If a call request for a key (migration request) is in flight, then all
the subsequent call requests for the same key are deferred. In that case,
the data corresponding to key read from the local tdb is useless and there
is no need to keep it around. Once the deferred call is reprocessed,
the data corresponding to that key will be fetched again.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Jeremy Allison [Mon, 11 Sep 2017 23:36:47 +0000 (16:36 -0700)]
libcli: SMB2: NetApps negotiate SMB3_11 but also set the SMB2_CAP_ENCRYPTION flag.
This is a SHOULD not, not a MUST not.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13009
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 14 14:48:20 CEST 2017 on sn-devel-144
Christof Schmitt [Wed, 13 Sep 2017 23:23:53 +0000 (16:23 -0700)]
vfs_streams_xattr: Fix segfault when running with log level 10
This happens when vfs_streams_xattr is loaded, log level is set to 10
and the default stream of a file or directory is accessed. In that case
streams_xattr_open does not allocate the stream_io fsp extension. The
DBG_DEBUG message in streams_xattr_fstat tries to access the stream_io
before checking for a NULL value, resulting in the crash. Fix this by
moving the debug message after the check for a NULL pointer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Sep 14 10:58:12 CEST 2017 on sn-devel-144
Martin Schwenke [Sat, 2 Sep 2017 10:59:32 +0000 (20:59 +1000)]
ctdb-tests: Add 31.clamd eventscript unit tests
These test that ctdb_check_unix_socket() is working.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 12 16:14:12 CEST 2017 on sn-devel-144
Martin Schwenke [Sat, 2 Sep 2017 10:57:56 +0000 (20:57 +1000)]
ctdb-tests: Enhance ss stub to check for listening Unix domain sockets
Generalise command-line parsing, taking hints from old netstat stub,
and use FAKE_NETSTAT_UNIX_LISTEN to specify listening Unix domain
sockets.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 18 Mar 2017 10:55:04 +0000 (21:55 +1100)]
ctdb-scripts: Switch ctdb_check_unix_socket() to use ss
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 18 Mar 2017 10:53:06 +0000 (21:53 +1100)]
ctdb-scripts: Clean up ctdb_check_unix_socket()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Sep 2016 03:38:18 +0000 (13:38 +1000)]
ctdb-daemon: Don't release all IPs before "startup" event
This doesn't belong in the monitoring/startup code and it is already
done in the 10.interface "init" event.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Fri, 8 Sep 2017 01:24:27 +0000 (11:24 +1000)]
ctdb-recoverd: Abort recovery/takeover if recmaster changes
Recovery and takeover are run via helper from recovery daemon. While the
helpers are running, it's possible for the current node to lose election.
If that happens, abort the currently running recovery/takeover helper.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 7 Sep 2017 07:21:03 +0000 (17:21 +1000)]
ctdb-daemon: GET_DB_SEQNUM should read database conditionally
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13021
Once the recovery starts and databases are frozen, then all the record
access is postponed till the recovery is complete except reading the
database sequence number. Database access for reading sequence number
is done via a control which does not check if the databases are frozen
or not.
If the database is frozen and if the freeze transaction is not started
(this can happen when a node is inactive, or during recovery when the
database is frozen but the transaction has not yet started), then trying
to read sequence number will cause ctdb daemon to deadlock.
Before reading the sequence number, check if the database access is
allowed.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 7 Sep 2017 07:18:18 +0000 (17:18 +1000)]
ctdb-daemon: Add a function to check if db access is allowed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13021
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 5 Sep 2017 03:52:47 +0000 (13:52 +1000)]
ctdb-tests: Fix ctdb test binary name in path testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Martin Schwenke [Tue, 12 Sep 2017 01:51:19 +0000 (11:51 +1000)]
ctdb-tests: Wait up to 30 seconds for process to be registered in ctdbd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
This avoids a potential race where the client is not properly
registered before "ctdb process-exists" is called.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Jeremy Allison [Fri, 8 Sep 2017 22:28:39 +0000 (15:28 -0700)]
s3: vfs: catia: compression get/set must act only on base file, and must cope with fsp==NULL.
Correctly do filename conversion.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13003
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Sep 12 10:50:57 CEST 2017 on sn-devel-144
Jeremy Allison [Fri, 8 Sep 2017 22:27:37 +0000 (15:27 -0700)]
s3: VFS: streams_xattr: Compression is only set/get on base filenames.
Can be ignored (pass-through) in streams_xattr VFS module.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13003
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Rowland Penny [Wed, 6 Sep 2017 13:38:37 +0000 (14:38 +0100)]
packaging: Remove Solaris directory and contents
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 12 06:46:35 CEST 2017 on sn-devel-144
Rowland Penny [Wed, 6 Sep 2017 13:28:51 +0000 (14:28 +0100)]
packaging: Remove RHEL directory and contents
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Rowland Penny [Wed, 6 Sep 2017 13:33:58 +0000 (14:33 +0100)]
packaging: Remove RHEL-CTDB directory and contents
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Fri, 8 Sep 2017 10:19:03 +0000 (12:19 +0200)]
s3/smbd: sticky write time offset miscalculation causes broken timestamps
The offset calculation for the offset that got passed to
fetch_write_time_send() in the enumeration loop was wrong as it passed
the offset before smbd_dirptr_lanman2_entry() added required padding.
This resulted in broken timestamps in the find response.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13024
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Sep 12 02:45:46 CEST 2017 on sn-devel-144
Amitay Isaacs [Fri, 25 Aug 2017 06:55:34 +0000 (16:55 +1000)]
ctdb-tests: Fix ctdb process-exist tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sat Sep 9 14:44:57 CEST 2017 on sn-devel-144
Amitay Isaacs [Wed, 30 Aug 2017 03:05:32 +0000 (13:05 +1000)]
ctdb-tests: Add a dummy ctdb client for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 25 Aug 2017 06:54:47 +0000 (16:54 +1000)]
ctdb-tests: Fix the implementation of process-exists in fake daemon
Keep track of clients and their pids.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 25 Aug 2017 05:00:59 +0000 (15:00 +1000)]
ctdb-daemon: Fix implementation of process_exists control
Only check processes that are CTDB clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 7 Sep 2017 01:38:41 +0000 (11:38 +1000)]
ctdb-tools: Fix CID 1414746
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 5 Sep 2017 06:42:58 +0000 (16:42 +1000)]
ctdb-tools: Use ssize_t instead of int for checking the status of read()
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Ralph Boehme [Wed, 6 Sep 2017 14:56:47 +0000 (16:56 +0200)]
s3/vfs: move ACE4_ADD_FILE/ACE4_DELETE_CHILD mapping from NFSv4 framework to vfs_zfsacl
This was added in e6a5f11865a55e9644292ae92e4a4b5ec0662ccd to adopt the
NFSv4 framework to follow ZFS permission rules. But this is the wrong
place, other filesystems like GPFS do not allow deletion when the user
has SEC_DIR_ADD_FILE.
This patch therefore moves the change from the NFS4 framework into the
ZFS module.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=6133
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 9 04:59:51 CEST 2017 on sn-devel-144
Ralph Boehme [Wed, 6 Sep 2017 14:53:23 +0000 (16:53 +0200)]
vfs_zfsacl: ensure zfs_get_nt_acl_common() has access to stat info
We'll need this in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=6133
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 6 Sep 2017 14:44:12 +0000 (16:44 +0200)]
vfs_zfsacl: pass smb_fname to zfs_get_nt_acl_common
This is in preparation of moving SMB_ACE4_ADD_FILE /
SMB_ACE4_DELETE_CHILD mapping from the common NFSv4 framework into this
module exclusively.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=6133
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 6 Sep 2017 14:28:10 +0000 (16:28 +0200)]
vfs/nfs4_acls: move special handling of SMB_ACE4_SYNCHRONIZE to vfs_zfsacl
Commit 99a74ff5e6a9f87ad7a650cb44e0f925f834b3a1 added special handling
of SMB_ACE4_SYNCHRONIZE, always setting it in the access_mask when
fabricating an ACL. While at the same time removing it from the
access_mask when setting an ACL, but this is done directly in
vfs_zfsacl, not in the common code.
Forcing SMB_ACE4_SYNCHRONIZE to be always set is only needed on ZFS, the
other VFS modules using the common NFSv4 infrastructure should not be
made victims of the special ZFS behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7909
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Justin Maggard via samba-technical [Thu, 7 Sep 2017 18:05:45 +0000 (11:05 -0700)]
smbd: add missing newline to debug message in daemon_status()
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 8 06:26:52 CEST 2017 on sn-devel-144
Sachin Prabhu via samba-technical [Thu, 7 Sep 2017 11:49:49 +0000 (12:49 +0100)]
s3-lib: Fix error mapping for EROFS
EROFS is incorrectly mapped to NT_STATUS_ACCESS_DENIED. This should
instead be mapped to NT_STATUS_MEDIA_WRITE_PROTECTED.
This change has already been done for the client in
unix_nt_errmap in libcli/util/errmap_unix.c
commit 9d055846f225 ("r3278: - rewrote the client side rpc...)")
SMB1 specs for SMB_COM_DELETE also specify this mapping for EROFS
https://msdn.microsoft.com/en-us/library/ee441772.aspx
RH bz: 1171705
This problem was reported by Red Hat glusterfs QE who encountered
different errors when performing the same operation on a fuse mount and
on a cifs mount of the same underlying gluster filesystem.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Gunther Deschner <gdeschne@redhat.com>
Reported-by: Surabhi Bhalothia <sbhaloth@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Wed, 6 Sep 2017 23:26:04 +0000 (11:26 +1200)]
python: Allow debug classes to be specified on the command line for python tools
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 7 10:43:33 CEST 2017 on sn-devel-144
Andrew Bartlett [Wed, 6 Sep 2017 23:20:27 +0000 (11:20 +1200)]
librpc/dceprc_util.c: Move debug message to DBG_DEBUG()
This message shows up a lot (every packet) at level 6 for the successful case
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 23:19:01 +0000 (11:19 +1200)]
libcli/security: Move debug message to DBG_DEBUG()
This message shows up a lot at level 6 for no particularly good reason
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 23:13:17 +0000 (11:13 +1200)]
dsdb: Add missing \n to debug
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 04:40:05 +0000 (16:40 +1200)]
drs repl: Only print raw DRS replication traffic at level 9
This can be sensitive even with the passwords still encrypted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 04:37:34 +0000 (16:37 +1200)]
debug: Add new debug class "drs_repl" for DRS replication processing
This is used in the client and in the server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 04:27:07 +0000 (16:27 +1200)]
Use the rpc_parse debug class for PIDL generated code
This means that the default print binding string qualifier will now go via this debug class
as will explicit calls to ndr_print_debug() and ndr_print_union_debug().
Calls to ndr_print_debugc() are not changed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 04:24:35 +0000 (16:24 +1200)]
repl_meta_data: Re-work printing of replicated entries
This re-work of our LDIF printing avoids some of the privacy issue from
printing the full LDIF at level 4, while showing the entry that actually fails.
Instead, we print the DN only at level 4, then the full message at 8.
While all of the DRS replication data is potentially sensitive
the passwords are most sensitive, and are now not printed unencrypted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 03:56:59 +0000 (15:56 +1200)]
linked_attributes: Use ldb_ldif_message_redacted_string() for consistency
This avoids printing un-encrypted secret values in logs, and while links are not likely
secret, this avoids a future copy and paste using ldb_ldif_message_string() again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 03:38:14 +0000 (15:38 +1200)]
repl_meta_data: Use ldb_ldif_message_redacted_string() to avoid printing secrets in logs
This avoids printing un-encrypted secret values in logs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Sep 2017 02:26:25 +0000 (14:26 +1200)]
ldb: version 1.2.2
* Bug #13017: Add ldb_ldif_message_redacted_string() to allow debug
of redacted log messages, avoiding showing secret values
* Bug #13015: Allow re-index of newer databases with binary GUID TDB keys
(this officially removes support for re-index of the original
pack format 0, rather than simply segfaulting).
* Avoid memory allocation and so make modify of records in ldb_tdb faster
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 5 Sep 2017 02:05:43 +0000 (14:05 +1200)]
ldb: Add new ldb_ldif_message_redacted_string() with tests
This is designed to be a drop in replacement for
ldb_ldif_message_string() while better protecting privacy.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 10 Aug 2017 05:08:54 +0000 (17:08 +1200)]
ldb_tdb: Refuse to re-index very old database with no DN in the record
These are not found on any AD DC, and would segfault previous LDB
versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13015
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 10 Aug 2017 04:09:31 +0000 (16:09 +1200)]
ldb_tdb: Use braces in ltdb_dn_list_find_val()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13015
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 10 Aug 2017 02:44:27 +0000 (14:44 +1200)]
ldb_tdb: Check for talloc_strdup() failure in ltdb_index_add1()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13015
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 23 Aug 2017 03:38:01 +0000 (15:38 +1200)]
ldb_tdb: Check for errors during tdb operations in ltdb_reindex()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13015
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 7 Sep 2017 04:23:43 +0000 (16:23 +1200)]
ldb_tdb: Use memcmp rather than strncmp() in ltdb_key_is_record(), re_key() and re_index()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 1 Sep 2017 02:35:08 +0000 (14:35 +1200)]
ldb_tdb: Create a common ltdb_key_is_record() allowing multiple key forms
If backported, this allows old ldb versions to full-search and re-index newer databases
and in current code allows the transition to and from a GUID or incrementing ID based index
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13016
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 18 Aug 2017 05:01:07 +0000 (17:01 +1200)]
ldb_tdb: Do not trigger the unique index check during a re-index, use another pass
We want to rename the objects, then scan looking for the index values.
This avoids a DB modify during the index scan traverse (the index values
are actually added to an in-memory TDB, written in prepare_commit()).
This allows us to remove the "this might already exist" case in the
index handling, we now know that the entry did not exist in the index
before we add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13015
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 15 Aug 2017 02:25:59 +0000 (14:25 +1200)]
ldb_tdb: Use memcmp() to compare TDB keys in re_index()
The keys may not always be a null terminated string, they could well
be a binary GUID in a future revision, for efficiency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13016
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sat, 2 Sep 2017 02:07:11 +0000 (14:07 +1200)]
selftest: Avoid a build started just before midnight failing
By allowing 41 or 42 days, we still test the expiry but are less sensitive to the
current time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Volker Lendecke [Wed, 6 Sep 2017 12:05:09 +0000 (14:05 +0200)]
cli_credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 7 05:56:14 CEST 2017 on sn-devel-144
Jeremy Allison [Wed, 6 Sep 2017 19:13:32 +0000 (12:13 -0700)]
WHATSNEW: Add Using x86_64 Accelerated AES Crypto Instructions section.
Describes --accel-aes configure time option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Wed, 6 Sep 2017 18:59:44 +0000 (11:59 -0700)]
lib: crypto: Add the ability to select Intel AESNI instruction set at configure time.
Add --accel-aes=[none|intelaesni] to select.
Default is none.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Wed, 6 Sep 2017 18:40:02 +0000 (11:40 -0700)]
lib: crypto: Plumb in the Intel AES instructions.
Causes:
AES_set_encrypt_key()
AES_set_decrypt_key()
AES_encrypt()
AES_decrypt()
to probe for the Intel AES instructions at runtime (only once)
and then call the hardware implementations if so, otherwise
fall back to the software implementations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Based on original work by Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Thu, 31 Aug 2017 18:41:32 +0000 (11:41 -0700)]
lib: crypt: Prepare the existing code to switch to Intel AES hardware instructions.
Rename the old struct aes_key as an intermediate struct aes_key_rj
and wrap it in a union so we can choose an alternate aes_key struct
when using Intel AES hardware.
Rename the original software implementations of:
AES_set_encrypt_key()
AES_set_decrypt_key()
AES_encrypt()
AES_decrypt()
by adding an _rj on the end, and call them via a wrapper
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Based on original work by Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Wed, 6 Sep 2017 16:58:06 +0000 (09:58 -0700)]
third_party: Add build capability to aesni-intel.
Minor modifications to code to allow building as a Samba
shared library.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Based on original work by Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Wed, 6 Sep 2017 16:44:42 +0000 (09:44 -0700)]
third_party: Add the Intel Add support for AES-NI acceleration.
This commit takes the Linux kernel AES-NI code, and puts it into a
third_party private library. The Linux kernel code is under GPLv2+
so is compatible with Samba.
This can result in massive speed improvements (up to 200% on some
platforms), by using Intel AES-NI instructions.
These are the pristine check-ins of Linux kernel files for Intel AESNI crypto.
git show 8691ccd764f9ecc69a6812dfe76214c86ac9ba06:arch/x86/crypto/aesni-intel_asm.S
git show 2baad6121e2b2fa3428ee6cb2298107be11ab23a:arch/x86/include/asm/inst.h
Show the exact Linux kernel git refspecs we have imported.
These files are not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008
Based on original work by Justin Maggard <jmaggard@netgear.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Lumir Balhar [Tue, 8 Aug 2017 06:50:35 +0000 (08:50 +0200)]
python: Enable execution of samba.tests.security with Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 6 15:29:58 CEST 2017 on sn-devel-144
Lumir Balhar [Wed, 6 Sep 2017 07:27:02 +0000 (09:27 +0200)]
python: Fix bad type in conversion of NTSTATUS.
More info: https://lists.samba.org/archive/samba-technical/2017-August/122574.html
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lumir Balhar [Tue, 8 Aug 2017 06:48:28 +0000 (08:48 +0200)]
python: Add tests for check_access function from samba.security.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lumir Balhar [Mon, 22 May 2017 13:21:08 +0000 (15:21 +0200)]
python: Port samba.security to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 23 Aug 2017 13:36:23 +0000 (15:36 +0200)]
python:samba: Add code to remove obsolete files in the private dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 6 03:54:19 CEST 2017 on sn-devel-144
Andreas Schneider [Thu, 10 Aug 2017 13:37:54 +0000 (15:37 +0200)]
python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
This provisions the bind_dlz files in the 'binddns dir'. If you want to
migrate to the new files structure you can run samba_upgradedns!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 22 Aug 2017 15:10:01 +0000 (17:10 +0200)]
s4:bind_dlz: Use the 'binddns dir' if possible
The code makes sure we are backwards compatible. It will first check if
we still have files in the private directory, if yes it will use those.
If the file is not in the private directory it will try the binddns
dir.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 10 Aug 2017 13:04:08 +0000 (15:04 +0200)]
param: Add 'binddns dir' parameter
This allows us to have restricted access to the directory by the group
'named' which bind is a member of.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 11 Aug 2017 10:45:14 +0000 (12:45 +0200)]
python:samba: Remove code to change group
This is the wrong place, it will just prepare the ldif. The file is not
created here.
The code is corrently changing the group in:
python/samba/provision/__init__.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 10 Aug 2017 09:43:11 +0000 (11:43 +0200)]
dynconfig: Change permission of the private dir to 0700
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 5 Sep 2017 14:43:18 +0000 (16:43 +0200)]
cli_credentials: Fix a return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 5 23:06:42 CEST 2017 on sn-devel-144
Volker Lendecke [Tue, 5 Sep 2017 11:17:54 +0000 (13:17 +0200)]
lib: Fix 1417431 Unchecked return value from library
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Anoop C S [Thu, 31 Aug 2017 12:00:46 +0000 (17:30 +0530)]
Remove misleading entry from vfs_streams_xattr man page
The line which is being removed says that streams_xattr vfs module
cannot be used when kernel oplocks is enabled. But the underlying
bug (#7537) and another dependent bug (#12791) have been resolved
some time back.
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 30 Aug 2017 15:49:54 +0000 (17:49 +0200)]
messaging: Avoid a socket leak after fork
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13006
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Sep 5 19:12:34 CEST 2017 on sn-devel-144
Amitay Isaacs [Tue, 5 Sep 2017 06:36:16 +0000 (16:36 +1000)]
ctdb-protocol: Fix CID 1417428
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 5 15:16:06 CEST 2017 on sn-devel-144
Amitay Isaacs [Tue, 5 Sep 2017 06:34:27 +0000 (16:34 +1000)]
ctdb-protocol: Fix CID 1417430
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 5 Sep 2017 06:33:58 +0000 (16:33 +1000)]
ctdb-protocol: Fix CID 1417433
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Christof Schmitt [Wed, 23 Aug 2017 19:37:08 +0000 (12:37 -0700)]
vfs_gpfs: Request DENY_DELETE sharemode when possible
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Sep 4 14:08:45 CEST 2017 on sn-devel-144