kai/samba-autobuild/.git
Stefan Metzmacher [Wed, 23 Dec 2015 21:12:56 +0000 (22:12 +0100)]
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 23 Dec 2015 14:39:48 +0000 (15:39 +0100)]
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert

The generated ca cert (in ca.pem) was completely useless;
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 25 Mar 2016 18:24:20 +0000 (19:24 +0100)]
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 09:04:48 +0000 (10:04 +0100)]
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc

We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 09:27:33 +0000 (10:27 +0100)]
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options

The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:07:02 +0000 (18:07 +0100)]
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc

This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Fri, 28 Aug 2015 10:19:37 +0000 (12:19 +0200)]
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)]
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 11:45:56 +0000 (12:45 +0100)]
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 10:56:29 +0000 (11:56 +0100)]
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)]
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:08:38 +0000 (22:08 +0100)]
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)]
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 23 Feb 2016 18:08:31 +0000 (19:08 +0100)]
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function

This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Günther Deschner [Fri, 25 Sep 2015 23:29:10 +0000 (01:29 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

This ensures we apply the "server schannel = yes" restrictions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 9 Mar 2016 14:31:23 +0000 (15:31 +0100)]
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 14:10:20 +0000 (15:10 +0100)]
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()

This depends on the DCERPC auth level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)]
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()

It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 15:26:49 +0000 (16:26 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)

We now detect an MsvAvTimestamp in the target info as an indication
that the server supports NTLMSSP_MIC in the AUTH_MESSAGE.

If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and a valid MIC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)

We now include an MsvAvTimestamp in our target info as an indication
for the client to include an NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
and require a valid MIC.

This is still disabled if the "map to guest" feature is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
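The client-side and server-side checks described in the two new_spnego commits above (MsvAvTimestamp as the server's MIC signal, NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE as the client's, and MIC verification), as an added example written for this page; it is not Samba code. AV_PAIR ids, the flag value, the MIC offset (72) and size (16) in the AUTHENTICATE_MESSAGE, and the AV-pair offset (44) inside the NTLMv2 response are taken from MS-NLMP rather than from the page, and the sample messages are constructed with dummy fixed-size headers and no real key derivation.

```python
import hmac
import struct

# AV_PAIR ids and the MIC flag, from MS-NLMP 2.2.2.1 (values from the spec, not from the page)
MSV_AV_EOL = 0
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_FLAGS = 6
MSV_AV_TIMESTAMP = 7
MSV_AV_FLAG_MIC_PRESENT = 0x00000002  # MS-NLMP name for NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE

# Layout facts from MS-NLMP: the MIC is 16 bytes at offset 72 of the AUTHENTICATE_MESSAGE
# (2.2.1.3); the client's AV pairs start 44 bytes into the NTLMv2 response, after
# NTProofStr (16 bytes) and the fixed NTLMv2_CLIENT_CHALLENGE header (28 bytes, 2.2.2.8).
MIC_OFFSET, MIC_SIZE = 72, 16
NTLMV2_AVPAIRS_OFFSET = 44


def parse_av_pairs(buf):
    """Parse an AV_PAIR list into {AvId: value}; reject truncated or duplicate pairs."""
    pairs, off = {}, 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated AV_PAIR header")
        av_id, av_len = struct.unpack_from("<HH", buf, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        if off + av_len > len(buf) or av_id in pairs:
            raise ValueError("malformed AV_PAIR list (AvId %d)" % av_id)
        pairs[av_id] = buf[off:off + av_len]
        off += av_len


def encode_av_pairs(pairs):
    """Inverse of parse_av_pairs; appends the MsvAvEOL terminator."""
    body = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs.items())
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def server_offers_mic(challenge_target_info):
    """Client side: an MsvAvTimestamp in the CHALLENGE target info means the
    server understands (and, per the commits above, will require) a MIC."""
    return MSV_AV_TIMESTAMP in parse_av_pairs(challenge_target_info)


def client_flags_mic(nt_response):
    """Server side: did the NTLMv2 response carry MsvAvFlags with the MIC bit set?"""
    flags = parse_av_pairs(nt_response[NTLMV2_AVPAIRS_OFFSET:]).get(MSV_AV_FLAGS, b"")
    return len(flags) == 4 and bool(struct.unpack("<I", flags)[0] & MSV_AV_FLAG_MIC_PRESENT)


def compute_mic(exported_session_key, negotiate, challenge, authenticate):
    """MIC = HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE),
    computed with the AUTHENTICATE MIC field zeroed (MS-NLMP 3.1.5.1.2)."""
    if len(authenticate) < MIC_OFFSET + MIC_SIZE:
        raise ValueError("AUTHENTICATE_MESSAGE too short to carry a MIC")
    zeroed = authenticate[:MIC_OFFSET] + bytes(MIC_SIZE) + authenticate[MIC_OFFSET + MIC_SIZE:]
    return hmac.new(exported_session_key, negotiate + challenge + zeroed, "md5").digest()


def server_accepts(key, negotiate, challenge, authenticate, nt_response, we_sent_timestamp):
    """Server side: once we advertised MsvAvTimestamp, an NTLMv2 client must both set the
    MIC flag and present a MIC that verifies over all three messages. A missing flag is
    treated as a stripped/downgraded AUTHENTICATE, not as a harmless old client."""
    if not we_sent_timestamp:
        return True
    if not client_flags_mic(nt_response):
        return False
    expected = compute_mic(key, negotiate, challenge, authenticate)
    return hmac.compare_digest(expected, authenticate[MIC_OFFSET:MIC_OFFSET + MIC_SIZE])


def build_sample():
    """Constructed sample exchange (not a capture): dummy headers, fixed dummy session key."""
    key = bytes(range(16))
    negotiate = b"NTLMSSP\0" + struct.pack("<I", 1) + bytes(20)
    target_info = encode_av_pairs({MSV_AV_NB_DOMAIN_NAME: "SAMBA".encode("utf-16-le"),
                                   MSV_AV_TIMESTAMP: struct.pack("<Q", 0x01D10000_00000000)})
    challenge = b"NTLMSSP\0" + struct.pack("<I", 2) + bytes(36) + target_info
    # The client echoes the server's AV pairs and adds MsvAvFlags with the MIC bit.
    client_pairs = parse_av_pairs(target_info)
    client_pairs[MSV_AV_FLAGS] = struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT)
    nt_response = bytes(16) + b"\x01\x01" + bytes(26) + encode_av_pairs(client_pairs)
    # 8-byte signature + 4-byte type + 60 bytes of fields = 72, so the MIC lands at offset 72.
    authenticate = b"NTLMSSP\0" + struct.pack("<I", 3) + bytes(60) + bytes(MIC_SIZE) + nt_response
    mic = compute_mic(key, negotiate, challenge, authenticate)
    authenticate = authenticate[:MIC_OFFSET] + mic + authenticate[MIC_OFFSET + MIC_SIZE:]
    return key, negotiate, challenge, authenticate, nt_response, target_info
```

As the second commit notes, Samba leaves this check disabled when "map to guest" is in use; the example does not model that exception.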
Stefan Metzmacher [Mon, 30 Nov 2015 08:13:14 +0000 (09:13 +0100)]
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 08:31:35 +0000 (09:31 +0100)]
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 20:24:47 +0000 (21:24 +0100)]
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()

If we clear CLI_CRED_LANMAN_AUTH, we should also clear the lm_response buffer
and not send it over the net.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

The 'reset_full' parameter is needed to support the broken
behavior that Windows only resets the RC4 states but not the
sequence numbers, which means this functionality is completely
useless... But we want to work against all Windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 16 Dec 2013 10:27:27 +0000 (11:27 +0100)]
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN

It's important to check if we got GENSEC_FEATURE_SIGN and if the caller
wanted it.

The caller may only have asked for GENSEC_FEATURE_SESSION_KEY, which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

This provides the infrastructure for this feature.

The 'reset_full' parameter is needed to support the broken
behavior that Windows only resets the RC4 states but not the
sequence numbers, which means this functionality is completely
useless... But we want to work against all Windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 19:13:24 +0000 (20:13 +0100)]
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends

This used to work more or less before, but only for krb5 with the
server finishing first.

With NTLMSSP and new_spnego the client will finish first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade

New servers respond with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange

Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:35 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult

This is defined in http://www.ietf.org/rfc/rfc4178.txt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:06 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 13:06:18 +0000 (14:06 +0100)]
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response

We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd, as it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 14:06:09 +0000 (15:06 +0100)]
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2

ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 14:01:09 +0000 (15:01 +0100)]
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH

man smb.conf says that "client ntlmv2 auth = yes" (the default) disables
"client lanman auth = yes":

  ...
  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
  logins will be attempted.
  ...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 13:58:19 +0000 (14:58 +0100)]
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 10:01:24 +0000 (11:01 +0100)]
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables

We now give an error when required flags are missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 07:46:45 +0000 (08:46 +0100)]
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS

In future we can do a more fine-grained negotiation
and assert specific security features.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 14 Mar 2016 01:00:14 +0000 (02:00 +0100)]
Revert "selftest: dbcheck should not be marked flapping"

This reverts commit a7b242aa61429fc41449d2d8f3f96d3b76ff12a1.

Volker Lendecke [Tue, 12 Apr 2016 05:49:40 +0000 (07:49 +0200)]
tdb mutex check: Fix CID 1358473 Uninitialized scalar variable

This comes via a "goto cleanup" before suspend_mask is initialized.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Apr 12 11:39:35 CEST 2016 on sn-devel-144


Stefan Metzmacher [Tue, 29 Mar 2016 16:01:32 +0000 (18:01 +0200)]
tdb: version 1.3.9 (tag tdb-1.3.9)

* avoid a race condition when checking for robust mutexes
  (bug #11808)
* Remove use of strcpy in tdb test.
* eliminate deprecation warnings in python tests
* Only set public headers field when installing as a public library.
* Refuse to load a database with hash size 0
* Fix various spelling errors

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 11 18:48:26 CEST 2016 on sn-devel-144

Uri Simchoni [Tue, 29 Mar 2016 18:36:17 +0000 (21:36 +0300)]
tdb: rework cleanup logic in tdb_runtime_check_for_robust_mutexes()

The cleanup logic used six goto labels; at least I'm not able to make
sane modifications to such a beast.

By using state flags that track which objects are initialized and need
cleanup, we get rid of the goto labels. It comes at a cost though: you
have to be careful to correctly set the cleanup flags.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Sun, 10 Apr 2016 10:51:15 +0000 (12:51 +0200)]
vfs_catia: Fix bug 11827, memleak

add_srt should add the mappings to the linked list even if
mappings==NULL (the default).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11827
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 11 14:25:59 CEST 2016 on sn-devel-144

Volker Lendecke [Sun, 10 Apr 2016 11:09:29 +0000 (13:09 +0200)]
vfs_catia: Align loop index with terminator

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Santiago Vila [Fri, 8 Apr 2016 11:05:56 +0000 (13:05 +0200)]
examples/smb.conf.default: Fix typo in comment line: sever -> server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11823

Signed-off-by: Santiago Vila <sanvila@debian.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  9 02:35:23 CEST 2016 on sn-devel-144

Jeremy Allison [Tue, 5 Apr 2016 20:07:06 +0000 (13:07 -0700)]
s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.

Reported by Thomas Dvorachek <tdvorachek@yahoo.com> from a Windows 10 server.
Confirmed in MS-CIFS 2.2.8.1.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11822

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr  6 03:46:55 CEST 2016 on sn-devel-144

Christof Schmitt [Fri, 1 Apr 2016 05:31:19 +0000 (22:31 -0700)]
selftest: Load time_audit and full_audit

This triggers the check for missing VFS functions in these modules.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  vfs_time_audit: Assert that all VFS functions are implemented
Christof Schmitt [Fri, 1 Apr 2016 05:30:41 +0000 (22:30 -0700)]
vfs_time_audit: Assert that all VFS functions are implemented

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  vfs_full_audit: Assert that all VFS functions are implemented
Christof Schmitt [Fri, 1 Apr 2016 05:30:14 +0000 (22:30 -0700)]
vfs_full_audit: Assert that all VFS functions are implemented

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  vfs: Add helper to check for missing VFS functions
Christof Schmitt [Fri, 1 Apr 2016 16:47:31 +0000 (09:47 -0700)]
vfs: Add helper to check for missing VFS functions

Some VFS modules want to ensure that they implement all VFS functions.
This helper can be used to detect missing functions in the developer
build.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  configure: Don't check for inotify on illumos
Jorge Schrauwen [Sun, 3 Apr 2016 09:43:50 +0000 (11:43 +0200)]
configure: Don't check for inotify on illumos

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11816
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  nwrap: Fix the build on Solaris
Volker Lendecke [Mon, 4 Apr 2016 11:43:02 +0000 (13:43 +0200)]
nwrap: Fix the build on Solaris

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11816

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr  5 08:57:06 CEST 2016 on sn-devel-144

8 years ago  s3: vfs: time_audit. Add missing audit_file().
Jeremy Allison [Tue, 5 Apr 2016 00:01:53 +0000 (17:01 -0700)]
s3: vfs: time_audit. Add missing audit_file().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: time_audit: Add get/fget/set/fset dos_attributes functions.
Jeremy Allison [Mon, 4 Apr 2016 23:57:12 +0000 (16:57 -0700)]
s3: vfs: time_audit: Add get/fget/set/fset dos_attributes functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: time_audit. Add missing fsctl().
Jeremy Allison [Mon, 4 Apr 2016 23:46:56 +0000 (16:46 -0700)]
s3: vfs: time_audit. Add missing fsctl().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: time_audit. Add missing get_dfs_referrals().
Jeremy Allison [Mon, 4 Apr 2016 23:42:49 +0000 (16:42 -0700)]
s3: vfs: time_audit. Add missing get_dfs_referrals().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: Sort vfs function entries in vfs_time_audit.
Jeremy Allison [Mon, 4 Apr 2016 23:39:22 +0000 (16:39 -0700)]
s3: vfs: Sort vfs function entries in vfs_time_audit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: full_audit. Implement missing durable_XXX functions.
Jeremy Allison [Mon, 4 Apr 2016 23:29:32 +0000 (16:29 -0700)]
s3: vfs: full_audit. Implement missing durable_XXX functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: full_audit. Add audit_file_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:27:05 +0000 (16:27 -0700)]
s3: vfs: full_audit. Add audit_file_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: full_audit. Add missing fsctl_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:25:47 +0000 (16:25 -0700)]
s3: vfs: full_audit. Add missing fsctl_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: full_audit. Add missing get_dfs_referrals_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:24:10 +0000 (16:24 -0700)]
s3: vfs: full_audit. Add missing get_dfs_referrals_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  s3: vfs: full_audit. Sort vfs fn list and add comments on missing entries.
Jeremy Allison [Mon, 4 Apr 2016 23:22:06 +0000 (16:22 -0700)]
s3: vfs: full_audit. Sort vfs fn list and add comments on missing entries.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

8 years ago  lib:replace: Missing semicolon on function definition.
Jeremy Allison [Fri, 1 Apr 2016 23:44:21 +0000 (16:44 -0700)]
lib:replace: Missing semicolon on function definition.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Apr  2 06:04:13 CEST 2016 on sn-devel-144

8 years ago  Bug 11818 : obvious missing word When trying to demote a dc, 'remove_dc.remove_sysvol...
Rowland Penny [Thu, 31 Mar 2016 12:24:28 +0000 (13:24 +0100)]
Bug 11818: obvious missing word. When trying to demote a dc, 'remove_dc.remove_sysvol_references' is sent 'remote_samdb, dc_name'; it expects 'remote_samdb, logger, dc_name'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11818

Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr  1 22:54:22 CEST 2016 on sn-devel-144

8 years ago  vfs_gpfs: Remove xattr functions
Christof Schmitt [Wed, 23 Mar 2016 05:43:49 +0000 (22:43 -0700)]
vfs_gpfs: Remove xattr functions

The xattr functions intercepted only the calls from dosmode. With the
implementation of the dos_attribute interface, the xattr codepaths never
get called and can be removed.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  vfs_gpfs: Implement new dos_attributes vfs functions
Christof Schmitt [Wed, 23 Mar 2016 05:39:11 +0000 (22:39 -0700)]
vfs_gpfs: Implement new dos_attributes vfs functions

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  gpfswrap: Add wrapper for gpfs_set_winattrs
Christof Schmitt [Wed, 23 Mar 2016 05:38:11 +0000 (22:38 -0700)]
gpfswrap: Add wrapper for gpfs_set_winattrs

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 years ago  ctdb-killtcp: Change default retry interval, batch size and attempts
Martin Schwenke [Tue, 29 Mar 2016 03:58:33 +0000 (14:58 +1100)]
ctdb-killtcp: Change default retry interval, batch size and attempts

Testing indicates that these are good reliable defaults that can kill
many connections in a reasonable amount of time.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Apr  1 08:10:54 CEST 2016 on sn-devel-144

8 years ago  ctdb-killtcp: Send tickle ACKs in batches
Martin Schwenke [Thu, 24 Mar 2016 04:11:22 +0000 (15:11 +1100)]
ctdb-killtcp: Send tickle ACKs in batches

At the moment the batch size is "all".

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Store retry interval in killtcp structure
Martin Schwenke [Wed, 23 Mar 2016 00:03:41 +0000 (11:03 +1100)]
ctdb-killtcp: Store retry interval in killtcp structure

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Don't count attempts for individual connections
Martin Schwenke [Tue, 22 Mar 2016 21:26:36 +0000 (08:26 +1100)]
ctdb-killtcp: Don't count attempts for individual connections

This made sense when connections were individually queued in the
daemon.  However, they're now done in batch so just keep an overall
count.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Keep track of number of kill attempts and maximum allowed
Martin Schwenke [Tue, 22 Mar 2016 21:20:07 +0000 (08:20 +1100)]
ctdb-killtcp: Keep track of number of kill attempts and maximum allowed

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Filter out sent packets
Martin Schwenke [Mon, 21 Mar 2016 00:11:19 +0000 (11:11 +1100)]
ctdb-killtcp: Filter out sent packets

When previously killing TCP connections via the daemon there was some
latency due to each kill being sent to the daemon via a separate
control.  This probably meant that when doing a 2-way kill the tickle
ACKs sent to the client end of a connection would not interfere with
listening for the reply ACK from the server end.  Now that there is no
latency, the tickle ACK or RST sent to the client end can be seen as
the reply to the server end tickle ACK, and vice-versa.

To avoid this, throw away packets that look like we sent them.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-system: Return window size and RST bit when reading TCP packets
Martin Schwenke [Mon, 21 Mar 2016 00:07:19 +0000 (11:07 +1100)]
ctdb-system: Return window size and RST bit when reading TCP packets

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Clarify a debug message
Martin Schwenke [Mon, 21 Mar 2016 00:45:10 +0000 (11:45 +1100)]
ctdb-killtcp: Clarify a debug message

The end of the connection in parentheses is not the end being killed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Set debug level via environment variable CTDB_DEBUGLEVEL
Martin Schwenke [Mon, 21 Mar 2016 00:42:40 +0000 (11:42 +1100)]
ctdb-killtcp: Set debug level via environment variable CTDB_DEBUGLEVEL

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Don't send initial tickle ACK during setup
Martin Schwenke [Tue, 29 Mar 2016 02:49:11 +0000 (13:49 +1100)]
ctdb-killtcp: Don't send initial tickle ACK during setup

Since they're being done in batch, just schedule an event to traverse
all the connections.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

8 years ago  ctdb-killtcp: Drop unnecessary casts
Martin Schwenke [Wed, 23 Mar 2016 03:49:05 +0000 (14:49 +1100)]
ctdb-killtcp: Drop unnecessary casts

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>