netcmd/domain: fix a typo in message

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ctdb-daemon: CID 1435732: Argument cannot be negative

Negative parameter passed to function which cannot take negative values.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Jun  6 01:13:18 CEST 2018 on sn-devel-144

ctdb-common: Add support to run events through failure

Usually run_event will stop executing event scripts on first failure.
Optionally it can continue to run events even on failure(s).

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Reset running state on failure

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Improve error handling in run_event

If event script directory does not exist, then return ENOTDIR.  If a
directory gets removed at runtime, report error from scandir in
get_script_list().

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Return script_list for zero scripts

When an event script directory is empty, do not return script_list as
NULL.  Instead return empty script_list with zero scripts.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Rename run_event_script_list to run_event_list

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Do not initialize run_proc inside run_event

Allowing run_event_init() to take run_proc_context as an argument allows
to create multiple run_event instances with a single run_proc_context.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-common: Simplify process registration using linked list

The way run_proc abstraction is used in run_event, there can be maximum
of 2 processes active at any given time.  So the memory requirements
can be reduced by using a linked list.

New eventd will have multiple run_event instances but will be limited to
3 or 4.  Even then the total number of processes will be less than 10.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-tests: Continue running if a testcase is not executable

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Jun  5 20:37:15 CEST 2018 on sn-devel-144

Revert "ctdb-tests: Continue running if a testcase is not executable"

This reverts commit 36e7043fb16ac996793545022147f696caedee9c.

An recent change broke this and I forgot to test before posting. :-(

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Change directory for notifications to events/notification

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Event scripts must end with ".script" suffix

Preparation for recommending configuration for each script next to the
actual script.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Move event scripts to events/legacy/ directory

This is the initial location that will be used by the new
multi-component aware event daemon.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

dsdb: Honour LDB_FLG_NOSYNC for metadata.tdb

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13462

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun  4 20:58:01 CEST 2018 on sn-devel-144

pyldb-samba: Use the same smb.conf variable name as the C wrapper users for LDB_FLG_NOSYNC

This was never noticed as most wrappers on make test run with TDB_NO_FSYNC

However ldb_mdb has not been told to use this (naturally) and so we rely
on the smb.conf setting to not force an fsync().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13461

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

ctdb-docs: Update reference to lmaster/recmaster capability options

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Jun  4 12:37:39 CEST 2018 on sn-devel-144

s3: VFS: Remove unused enum value.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jun  2 03:03:42 CEST 2018 on sn-devel-144

s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13457

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  1 20:32:03 CEST 2018 on sn-devel-144

s3: torture: Add DELETE-PRINT test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13457

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dns: Check for talloc_memdup failure

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun  1 14:05:56 CEST 2018 on sn-devel-144

dns: TALLOC_FREE already checks for !=NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dns: Simplify logic a bit

We don't need a separate boolean variable

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dns: Simplify logic a bit

We've done an early return if (!found_tsig) a few lines before.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dnsupdate: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ldb: Fix memory leak on module context

Introduced in e8cdacc509016d9273d63faf334d9f827585c3eb

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13459

Signed-off-by: Lukas Slebodnik <lslebodn@fedoraproject.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun  1 11:10:24 CEST 2018 on sn-devel-144

lib/audit_logging: Remove #ifdef HAVE_JANSSON from audit_logging_test binary

Instead, we either build or do not build the entire binary.

This is much more likely to raise an error in make test if the build system
changes.  The concern is that HAVE_JANSSON can go away and the tests just vanish.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

lib/audit_logging: Make function prototypes look like the rest of Samba

The previous style is needed sometimes to avoid an 80-col limit, but
is not how most of Samba looks.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

lib audit_logging: re-factor and add functions.

Re-factor the common calls to json_dumps DEBUGC and audit_message_send
into a separate function.
Add functions to retrieve json object and json array elements

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-torture: add test for lease break after file unlink

When deleting a file, all leases granting handle caching lease to the
file should be recalled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13458

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  1 02:57:46 CEST 2018 on sn-devel-144

rpc_server backupkey: pass remote connection data

Ensure that the requesting session data is passed to the audit logging
module for BackupKey requests.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 31 12:35:15 CEST 2018 on sn-devel-144

rpc_server lsa: pass remote connection data

Ensure that the session details of the requesting user are available to
the audit logging module for the CreateSecret and OpenSecret operations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

rpc_server: common routine to open ldb in system session

Add a function to open an ldb connection under the system session and
save the remote users session details in a ldb_opaque.  This will allow
the audit logging to log the original session for operations performed
in the system session.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb acl: Copy dsdb_control_password_acl_validation into reply

Copy the dsdb_control_password_acl_validation into the reply so that it
is available to the audit_logging module.  The audit logging module
uses it to differentiate between password change and reset operations.

We include it in the result for failed request to allow the logging of
failed attempts.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cldap: clear remote address after cldap_dse_fill

Need to clear the remote address as the ldb handle is shared, and
changes made by internal processes would be logged as coming from the
last cldap requester

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth tests: irpc remove "auth_event" name on completion

Remove the "auth_event" name on completion of tests to prevent issues
with tests using messaging.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

sambatool: heuristics to decided whether colour is wanted

The easy cases are --color=yes and --color=no.

With --color=auto, we use color if it seems we're writing to a TTY.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 31 04:34:52 CEST 2018 on sn-devel-144

python/colour: add colourizing and switch functions

When samba.colour is first imported, the function

colour.c_BLUE("samba")

will give you the string "\033[1;34msamba\033[0m", which will show up
as blue on an ANSI terminal. If you then go:

colour.switch_colour_off()
colour.c_BLUE("samba")

the c_BLUE call will return the uncoloured string "samba".

This is so things like samba-tool can do this sort of thing:

    if not os.isatty(self.outf):
        switch_colour_off()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool drs: remove 'server' arg from commands without --server

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool drs showrepl: remove unused search

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool: be consistent in accepting -q for --quiet

Not all commands accept --quiet, and not all of those that do use it.
Some already accept -q, and it is not used anywhere for anything else.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool: add -v to drs --verbose

Sometimes we accept -v for --verbose, sometimes we don't. Let's be a
bit more consistent.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool: add -v to domain --verbose

Sometimes we accept -v for --verbose, sometimes we don't. Let's be a
bit more consistent.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool dns cleanup_record: add missing verbose/quiet options

The code for using them is already there

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python kcc/graph_utils: don't debug in colour

this was somewhat useful during the initial development, but is wrong for a library

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

kcc graph verifiers: improve messages

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

kcc graph verifier: use __doc__ description for error explanation

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

kcc graphs: site edges in colour, labeled with DNs

This makes it easy to see where the site edges objects are, and
what sites they refer too.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ndr_misc: read syntax_id using strict util_str_hex functions

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

util_str_hex: use array syntax in guid functions to document usage

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

util/charset/iconv: use read_hex_bytes rather than sscanf

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb/util: use parse_guid_string, not sscanf()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

kcc.graph_utils: shift debug noise out of verify()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool drs replicate: reformat drs_local_replicate method

line length.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool drs replicate: make pseudo-method a real method

This function can't function without a cmd_drs_replicate class, so it might as well be inside

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool visualise: --xdot option for instant graphviz visualisation

This is a convenience for people who have xdot (and X11).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool viusalize: mark RODCs in distance matrix

RODCs should not be replicating out, which means they look alarming
when they are working properly. We label them as RODCs to reminds users
that no outbound replication is expected.

This results in slightly rejigged output formatting.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool visualize ntdsconn: add --importldif option

This visualizes the NTDSConnections in an LDIF file exported via
`samba_kcc --exportldif`. This functionality is already available in a
roundabout way -- you can use `samba_kcc --import_ldif`, and use the
DB that generates. This just shortens the process.

The ldif import/export feature is useful for analysing AD networks
offsite without exposing too much sensitive data.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool visualize tests: reduce noise on stdout

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool visualize: group (and colour) DCs by site

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Fix resolv_wrapper config variables

It can't really matter in this case, but it removes confusion

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 30 21:46:53 CEST 2018 on sn-devel-144

s3:smbd: don't allow renaming basefile if streams are open

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:locking: add file_has_open_streams()

This can be used to check if a file opened by fsp also has stream opens.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:smbd: add private option NTCREATEX_OPTIONS_PRIVATE_STREAM_BASEOPEN

This will be used to mark basefile opens of streams opens. This is
needed to later implement a function that can determine if a file has
stream opens.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:torture/vfs/fruit: adjust test testing basefile rename to expect failure

Renaming a basefile that has open streams must fail with
NT_STATUS_ACCESS_DENIED.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:torture/smb2/streams: try to rename basefile while is has open streams

This tests the following:

- create a file with a stream
- open the the stream and keep it open
- on a second connection, try to rename the basefile, this should fail
  with NT_STATUS_ACCESS_DENIED

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: run smb2.streams tests against a share with vfs_streams_xattr

The tests are currently only run against streams_depot, where stream IO
is handle based, compared to streams_xattr which is path
based. vfs_streams_xattr is also used much more in real world setups, so
we should run our tests against it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb: Add log when ignoring a replicated object outside of partition

This is probably a note-worthy event for debugging purposes.

(Found while developing the domain rename functionality)

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 30 07:03:51 CEST 2018 on sn-devel-144

selftest: Use samba.tests.create_test_ou() in replica_sync tests

This may avoid some flapping tests by ensuring that each part of this
test runs in a unique namespace, no matter what may be left behind
or revived via replication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

selftest: Use samba.tests.create_test_ou() in repl_move tests

This may avoid some flapping tests by ensuring that each part of this
test runs in a unique namespace, no matter what may be left behind
or revived via replication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

selftest: Make create_test_ou() return a ldb.Dn

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

dsdb partition.c: Make partition_copy_all aysnc.

partition_copy_all uses ldb_wait to wait for the update to the primary
partition to complete, when updating a special dn.  If a module higher
up the chain inserts a callback, the code blocks in ldb_wait and does
not complete.  This change replaces the ldb_wait logic with a callback.

Currently there is no code that triggers this bug, however the up coming
audit logging changes do trigger this bug.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb: Release ldb 1.4.0

* New LMDB backend (experimental)
* Comprehensive tests for index behaviour
* Enforce transactions for writes
* Enforce read lock use for all reads
* Fix memory leak in paged_results module.
  We hold at most 10 outstanding paged result cookies
  (bug #13362)
* Fix compiler warnings
* Python3 improvements
* Restore --disable-python build
* Fix for performance regression on one-level searches
  (bug #13448)
* Samba's subtree_rename could fail to rename some entries
  (bug #13452)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

selftest: Add test to show that sam.ldb does not do a full scan in startup

We should add some other more complex operations here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: Add tests for when we should expect a full scan

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: One-level search was incorrectly falling back to full DB scan

When no search filter is specified, the code falls back to using
'(|(objectClass=*)(distinguishedName=*)'. ltdb_index_dn() then failed
because matching against '*' is not indexed. The error return then
caused the code to fallback to a full-scan of the DB, which could have a
considerable performance hit.

Instead, we want to continue on and do the ltdb_index_filter() over the
indexed results that were returned.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: Explain why an entry can vanish from the index

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: Indicate that the ltdb_dn_list_sort() in list_union is a bit subtle.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: Save a copy of the index result before calling the callbacks.

Otherwise Samba modules like subtree_rename can fail as they modify the
index during the callback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13452

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

subtree_rename: Correct comments

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

dsdb: Remove sort from subtree_delete and add comments.

The sort was written back when the module did not operate recursivly
over the tree. Now it is just confusing, so replace with useful
comments.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

selftest: Lock down the expected parents in BasicTreeDeleteTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

selftest: Rework BasicDeleteTests.test_all() into setUp() and a test

This will allow running multiple tests against the same tree.  This tree
is very similar to the tree produced by the KCC test that simply does a
tree_delete, and I want to lock down the tree_delete behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

samldb: Explain why the odd error code is expected.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

samldb: Add useful error string to explain why a group may not be deleted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

tests: Fix intermittent error in PSO test

Deleting a group fails if the primaryGroupID of a user is set to that of
the group. This can happen in the PSO tests, as we don't clear the
primaryGroupID before cleaning up. Normally it seems to work OK, but
this is relying purely on the subtree delete order.

Update the test to clear the primaryGroupID before the tearDown is
called, to make things more robust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

repl_meta_data: Cope with the strange but unusual case of isDeleted: FALSE in replmd_process_linked_attribute()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13448

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

repl_meta_data: Remove el_count from replmd_delete_internals()

Instead, use the actual found attribute (less error prone).

This is an attempt to fix:

./source4/dsdb/repl/replicated_objects.c:945 Failed to prepare commit of transaction:
attribute isDeleted: invalid modify flags on CN=g1_1527558311141,CN=Users,DC=samba,DC=example,DC=com: 0x0

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

s4-repl: Try to give more information in the error codes for prepare_commit failure.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

ldb: Reset error string before running prepare_commit() hook

This ensures that the error string returned to the caller reflects a failure in this call.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

vfs_fruit: delete 0 byte size streams if AAPL is enabled

macOS SMB server uses xattrs as storage backend for streams, directly
exposing xattr get/set characteristics. Setting EOF on a stream to 0
just deletes the xattr as macOS doesn't support 0-byte sized xattrs.

Note that this does not apply to the AFP_AfpInfo and AFP_Resource
streams, they have even stranger semantics and we have other tests
for those.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 30 02:34:29 CEST 2018 on sn-devel-144

s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensions

macOS SMB server uses xattrs as storage backend for streams, directly
exposing xattr get/set characteristics. Setting EOF on a stream to 0
just deletes the xattr as macOS doesn't support 0-byte sized xattrs.

Note that this does not apply to the AFP_AfpInfo and AFP_Resource
streams, they have even stranger semantics and we have other tests
for those.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:torture/vfs/fruit: decrease large resource fork size in test from 1 GB to 64 MB

64 MB is a more realistic value and lets the test pass on FreeBSD with
fruit:resource=stream and vfs_streams_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

python/samba/netcmd/schema.py: samdb schema update now

When we change schema values, we should trigger a schema update to refresh
the changes applied. This is called after a change is made. A helper to
samdb is added so that it's easier for other locations to call additionally.

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 29 08:30:52 CEST 2018 on sn-devel-144

python/samba/tests/samba_tool/schema.py: Improve schema command testing

Assert the correct stdout content of the schema test commands.

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

python/samba/netcmd/schema.py: add schema show_oc for attribute

Often administrators need to add a specific attribute to an object, but
it may not be possible with the objectClasses present. This tool allows
searching "what objectclasses must or may?" take an attribute to help hint
to an administrator what objectclasses can be added to objects to achieve
the changes they want.

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

python/samba/netcmd/schema.py: add schema query and management.

Schema management in active directory is complex and dangerous. Having
a tool that safely wraps administrative tasks as well as allowing query
of the schema will make this complex topic more accessible to administrators.

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

python/samba/netcmd/group.py: add group show

The samba-tool user command can show the ldif of a user. This is
useful for groups also, especially to determine the objectSID and
objectGUID. Add support for group show to samba-tool.

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

python/samba/netcmd/{forest.py,main.py}: add configuration controls

With samba-tool we should expose ways to easily administer and control
common configuration options. This adds the base framework for modifying
forest settings, generally stored in cn=configuration partition.

An example is:

samba-tool forest directory_service show
samba-tool forest directory_service dsheuristics X

Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

torture: Cope with WINBINDD_SHOW_SEQUENCE failure for fake trusts

This test has been flapping and we should not be checking the
sequence number of remote trusts in a loop like this.  We can write
a test against the trusts we specifically set up if we want to check
remote sequence numbers (and connectivity) against actually working
domains.

When flapping the previous version of the test gave:

 WARNING!: ../source4/torture/winbind/struct_based.c:812: WINBINDD_SHOW_SEQUENCE returned 0, expected 1: WINBINDD_SHOW_SEQUENCE
 WARNING!: WINBINDD_SHOW_SEQUENCE on domain torturedom failed

 Trust list for WINBINDD_SHOW_SEQUENCE was:
 BUILTIN
 S4MEMBER
 SAMBADOMAIN
 torturedom

 WARNING!: ../source4/torture/winbind/struct_based.c:812: WINBINDD_SHOW_SEQUENCE returned 0, expected 1: WINBINDD_SHOW_SEQUENCE
 WARNING!: WINBINDD_SHOW_SEQUENCE on domain TORTURE302 failed

 Trust list for WINBINDD_SHOW_SEQUENCE was:
 BUILTIN
 S4MEMBER
 SAMBADOMAIN
 TORTURE302
 TORTURE306

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 29 02:31:40 CEST 2018 on sn-devel-144