Amitay Isaacs [Fri, 9 Dec 2016 03:38:38 +0000 (14:38 +1100)]
ctdb-tests: Do not remove event script dir before shutting down ctdb
When the test is over, the exit_hook will remove the temporary event
script directory and then CTDB is restarted. Explicitly shutting down
CTDB ensures that event script directory is not removed while CTDB is
still running.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 23 Nov 2016 00:46:18 +0000 (11:46 +1100)]
ctdb-tests: Display filtered output when the test fails
This simplifies comparing the output to the expected output.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 13 Sep 2016 02:50:13 +0000 (12:50 +1000)]
ctdb-daemon: Move function typedef to where it's used
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 14 Dec 2016 04:09:24 +0000 (15:09 +1100)]
ctdb-scripts: Drop ctdb_check_service_reconfigure
This gets rid of implicit check if a service needs to configured. As a
side effect, we also get rid of the monitor "replay" which was
introduced to avoid a collision between a script executed via event and
manually. Event scripts are not expected to be run by hand.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 14 Dec 2016 04:06:45 +0000 (15:06 +1100)]
ctdb-scripts: Add explicit check for service reconfiguration
This will help get rid of implicit ctdb_service_check_reconfigure.
We still need to keep "reconfigure" event in 13.per_ip_routing, so that
the per ip routing can be refreshed if the configuration has changed.
The correct fix for this is to add caching of configuration and checking
of configuration changes in "ipreallocated" event.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Martin Schwenke [Thu, 15 Dec 2016 04:25:14 +0000 (15:25 +1100)]
ctdb-scripts: Drop some tests for "reconfigure" event and monitor replay
These features are going away. There is nothing to reconfigure for
NFS anyway.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Andreas Schneider [Thu, 15 Dec 2016 09:33:59 +0000 (10:33 +0100)]
testsuite: Add cmocka unit test for smb_krb5_kt_open()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 16 05:43:12 CET 2016 on sn-devel-144
Andreas Schneider [Wed, 14 Dec 2016 15:44:10 +0000 (16:44 +0100)]
docs: Update doc to use absolute path for 'dedicated keytab file'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 15:40:23 +0000 (16:40 +0100)]
krb5_wrap: Remove incorrect absolute path checks in smb_krb5_kt_open_relative()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 15:37:17 +0000 (16:37 +0100)]
krb5_wrap: More checks for absolute path in smb_krb5_kt_open()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 15:43:53 +0000 (16:43 +0100)]
s3:crypto: Use smb_krb5_kt_open_relative() for MEMORY keytab
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Mon, 12 Dec 2016 23:25:12 +0000 (12:25 +1300)]
selftest: test new "lsa over netlogon" smb.conf option
This proves we can act like Windows and over lsarpc over netlogon if we want
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 15 12:11:09 CET 2016 on sn-devel-144
Andrew Bartlett [Mon, 12 Dec 2016 20:06:25 +0000 (09:06 +1300)]
s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.
If no such client emerges, it can be deprecated and removed in the normal way.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 21:13:26 +0000 (10:13 +1300)]
idl: Do not listen for lsarpc on \\pipe\netlogon
This prevents making the netlogon process multi-threaded.
This works on Windows becuase NETLOGON is part of lsad
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Wed, 9 Nov 2016 02:17:00 +0000 (15:17 +1300)]
rpc_server:netlogon Move from memcache to a tdb cache
This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
Andrew Bartlett [Wed, 14 Dec 2016 02:59:08 +0000 (15:59 +1300)]
torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon
This test ensures that when the per-pipe challenge is used, the tdb cache
is wiped as well
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 15:56:37 CET 2016 on sn-devel-144
Andrew Bartlett [Wed, 14 Dec 2016 02:17:24 +0000 (15:17 +1300)]
torture: Add ServerReqChallengeReuse to rpc.netlogon
This test covers credentials reuse on the same process.
We test with direct re-use, and for the case where the challenge
is reset to zeros.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 14 Dec 2016 02:12:12 +0000 (15:12 +1300)]
torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon
This tests ensures we can not re-use the entries in global challenge table.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 14 Dec 2016 02:09:15 +0000 (15:09 +1300)]
torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS
This allows this test to pass after "allow nt4 crypto" is removed from
the default environment.
We now only set it in ad_dc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 14 Dec 2016 04:45:19 +0000 (17:45 +1300)]
torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test
This allows it to run against modern servers that do not permit NT4 crypto
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 14 Dec 2016 01:50:20 +0000 (14:50 +1300)]
torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
This test confirms that the challenge set up is available
after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED
check.
This is needed for NetApp ONTAP member servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Tue, 6 Dec 2016 22:54:41 +0000 (11:54 +1300)]
librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing
GUID_from_data_blob() was relying on sscanf to parse strings, which was
slow and quite accepting of invalid GUIDs. Instead we directly read a
fixed number of hex bytes for each field.
This now passes the samba4.local.ndr.*.guid_from_string_invalid tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Dec 14 08:55:42 CET 2016 on sn-devel-144
Douglas Bagnall [Wed, 7 Dec 2016 01:35:58 +0000 (14:35 +1300)]
s4-torture: better, failing, tests for GUID_from_string
These tests reveal that the current implementation accepts all kinds
of invalid GUIDs. In particular, we fail on these ones:
"
00000001-0002-0003-0405--
060708090a0"
"-
0000001-0002-0003-0405-
060708090a0b"
"-
0000001-0002-0003-04-5-
060708090a0b"
"
d0000001-0002-0003-0405-
060708090a-b"
"
00000001- -2-0003-0405-
060708090a0b"
"
00000001-0002-0003-0405-
060708090a0"
"0x000001-0002-0003-0405-
060708090a0b"
"
00000001-0x02-0x03-0405-
060708090a0b"
This test is added to selftest/knownfail.
The test for valid string GUIDs is extended to test upper and mixed case
GUIDs.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Uri Simchoni [Tue, 13 Dec 2016 06:10:56 +0000 (08:10 +0200)]
cli-quotas: fix potential memory leak
Fix a memory leak in out-of-memory condition
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 13 22:30:44 CET 2016 on sn-devel-144
Jeremy Allison [Mon, 12 Dec 2016 23:52:11 +0000 (15:52 -0800)]
s3: libsmb: Ensure SMB2 operations correctly set cli->raw_status.
Needs to be done even on success (cli_is_error() checks if
cli->raw_status was NT_STATUS_OK).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12468
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Björn Jacke [Tue, 13 Dec 2016 08:00:58 +0000 (09:00 +0100)]
pam: strip trailing whitespaces in pam_winbind.c
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <ks@sernet.de>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Dec 13 18:01:21 CET 2016 on sn-devel-144
Björn Jacke [Wed, 25 Nov 2015 13:04:24 +0000 (14:04 +0100)]
pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Thu, 24 Nov 2016 00:57:54 +0000 (13:57 +1300)]
talloc: Add tests for talloc destructor behaviour after talloc_realloc()
That this behaved correctly was not clear, so I added tests to prove
it to myself.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 13 06:47:58 CET 2016 on sn-devel-144
Andrew Bartlett [Tue, 13 Dec 2016 01:21:29 +0000 (14:21 +1300)]
selftest: Print the POSIX ACL we got when the posixacl test fails
Knowing we have 11 of 15 ACEs is not very helpful
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Alexander Bokovoy [Thu, 8 Dec 2016 08:21:53 +0000 (10:21 +0200)]
smb.conf: add identity mapping section
Add a generic identity mapping section that points out to the other
resources in Samba documentation about idmap modules and their
configuration.
This should help users to discover corresponding documentation easily.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrea Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 13 00:14:04 CET 2016 on sn-devel-144
Andreas Schneider [Mon, 12 Dec 2016 09:05:39 +0000 (10:05 +0100)]
s3:winbind: Do not start with an invalid default idmap backend
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Wed, 7 Dec 2016 17:19:53 +0000 (18:19 +0100)]
s3-testparm: Print an error if we have overlapping idmap config
Except if both backends are 'ad'.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Wed, 7 Dec 2016 16:44:25 +0000 (17:44 +0100)]
s3-testparm: Print error if the default backend is incorrect
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Wed, 7 Dec 2016 16:03:22 +0000 (17:03 +0100)]
s3-testparm: Fix trailing whitespaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 12 Dec 2016 15:20:29 +0000 (16:20 +0100)]
libsmb: Correctly report error for rename failure
This prevents renaming a file over an existing one with SMB2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12468
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Garming Sam [Wed, 7 Dec 2016 03:42:38 +0000 (16:42 +1300)]
tests/dns: Check you cannot add empty CNAME
This exercises the dns_check_name case in the DNS server. Directly
attempting to add an invalid name with leading . or double .. cannot be
done due to ndr_pull_component forcing the check on the client side
(leading to a CNAME name of NUL and unexpected data of the actual name).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon Dec 12 08:46:26 CET 2016 on sn-devel-144
Bob Campbell [Wed, 7 Dec 2016 02:33:06 +0000 (15:33 +1300)]
dnsserver_common: Add name check in name2dn
Fills in the missing TODO. Note that this may also prevent deletion of
existing corrupted records, but should be resolvable through RPC, or at
worst LDAP.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Bob Campbell [Wed, 7 Dec 2016 02:00:25 +0000 (15:00 +1300)]
python/tests: expand samba-tool dns tests
These new tests concern collisions and lock in current Samba behaviour.
They do not pass against Windows Server 2012R2. See dnsserver.py tests
for the tests consistent with Windows behaviour.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 7 Dec 2016 01:25:35 +0000 (14:25 +1300)]
python/tests: fix typo to use correct var
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Tue, 6 Dec 2016 02:34:23 +0000 (15:34 +1300)]
dnsserver: add dns name checking
This may also prevent deletion of existing corrupted records through
DNS, but should be resolvable through RPC, or at worst LDAP.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Garming Sam [Mon, 5 Dec 2016 22:00:17 +0000 (11:00 +1300)]
tests/dnsserver: Check security descriptors
These tests discover that there are some discrepancies between Windows and Samba.
Although there are failures, they do not appear to be critical, however
some of the SD differences will be important for 2012 support.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Sun, 27 Nov 2016 22:12:18 +0000 (11:12 +1300)]
samba-tool/dns: remove use of dns_record_match from add and delete
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Fri, 25 Nov 2016 03:29:31 +0000 (16:29 +1300)]
samba-tool/dns: reword error messages and make error catching specific
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Tue, 29 Nov 2016 20:19:31 +0000 (09:19 +1300)]
python/tests: expand tests for dns server over rpc
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Mon, 21 Nov 2016 03:22:46 +0000 (16:22 +1300)]
python/tests: add tests for samba-tool dns
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Mon, 28 Nov 2016 01:30:43 +0000 (14:30 +1300)]
python/netcmd: print traceback through self.errf
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sat, 26 Nov 2016 14:42:42 +0000 (15:42 +0100)]
lib: Remove xfile
The days of operating systems with a 255 file
descriptor limit on FILE (I'm looking at you
Solaris - Solaris 10 finally fixed this) are
long gone.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Dec 11 15:01:12 CET 2016 on sn-devel-144
Volker Lendecke [Sat, 26 Nov 2016 08:50:33 +0000 (09:50 +0100)]
nmbd: xfile->stdio
Unfortunately this is a larger patch. Doing it in small pieces would
have been pretty difficult, as everybody calls everybody else.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 23 Nov 2016 09:07:48 +0000 (10:07 +0100)]
lib: smbreadline xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 23 Nov 2016 07:55:16 +0000 (08:55 +0100)]
libnbt: lmhosts xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 26 Nov 2016 14:33:06 +0000 (15:33 +0100)]
printing: Convert aix_cache_reload to stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 26 Nov 2016 08:27:19 +0000 (09:27 +0100)]
printing: std_pcap_cache_reload xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:44:48 +0000 (01:44 +0100)]
rpc_server: svcctl xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:42:36 +0000 (01:42 +0100)]
vfs: expand_msdfs xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 19 Nov 2016 09:25:12 +0000 (09:25 +0000)]
ntlm_auth3: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 25 Nov 2016 21:01:38 +0000 (22:01 +0100)]
torture: upload_printer_driver_file xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:38:16 +0000 (01:38 +0100)]
smbd: username map file handling xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 21 Nov 2016 18:20:10 +0000 (19:20 +0100)]
lib: Add fgets_slash
Copy x_fgets_slash with conversion to stdio and talloc.
Probably I'd do this functionality a bit differently, but for simplicity I
chose to make it the same as what is there.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:26:08 +0000 (01:26 +0100)]
lib: popt_common xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:30:29 +0000 (01:30 +0100)]
idmap_hash: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 22 Nov 2016 00:59:22 +0000 (01:59 +0100)]
smbclient: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 23 Nov 2016 09:11:13 +0000 (10:11 +0100)]
smbclient4: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Sat, 10 Dec 2016 21:56:18 +0000 (13:56 -0800)]
s3: ntlm_auth: Don't corrupt the output stream with debug messages.
Calling programs expect to cleanly read from STDOUT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Thu, 8 Dec 2016 18:40:27 +0000 (10:40 -0800)]
s3: torture: Adds regression test case for se_access_check() owner rights issue.
This test passes against Win2K12 but fails against smbd
without the previous commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 10 10:11:10 CET 2016 on sn-devel-144
Jeremy Allison [Thu, 8 Dec 2016 18:40:18 +0000 (10:40 -0800)]
lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.
When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.
E.g. The current logic has:
An ACL containining:
[0] SID: S-1-3-4
TYPE: DENY
MASK: WRITE_DATA
[1] SID: S-1-3-4
TYPE: ALLOW
MASK: ALLOW_ALL
prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.
Furthermore a non-canonical ACL containing:
[0] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: READ_DATA
[1] SID: S-1-3-4
TYPE: DENY
MASK: READ_DATA
[2] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: WRITE_DATA
prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Thu, 8 Dec 2016 16:53:43 +0000 (17:53 +0100)]
util: use SCOPE_DELIMITER for the IPv6 scope delimiter
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Dec 9 20:45:15 CET 2016 on sn-devel-144
Björn Jacke [Thu, 8 Dec 2016 16:56:24 +0000 (17:56 +0100)]
replace: make sure we have a SCOPE_DELIMITER define
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Björn Jacke [Thu, 8 Dec 2016 17:45:26 +0000 (18:45 +0100)]
ad/provision: change samba.org to https://samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Fri Dec 9 16:57:31 CET 2016 on sn-devel-144
Björn Jacke [Thu, 8 Dec 2016 17:45:25 +0000 (18:45 +0100)]
man pages: change samba.org to https://samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Björn Jacke [Thu, 8 Dec 2016 17:45:24 +0000 (18:45 +0100)]
docs-xml: change samba.org to https://samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Stefan Metzmacher [Thu, 8 Dec 2016 06:13:57 +0000 (07:13 +0100)]
s3:libsmb: don't pass 'passlen' to cli_tree_connect[_send]() and allow pass=NULL
There're no callers which try to pass a raw lm_response directly anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 9 13:09:37 CET 2016 on sn-devel-144
Stefan Metzmacher [Sun, 30 Oct 2016 15:10:03 +0000 (16:10 +0100)]
s3:libsmb: avoid using cli->{use_kerberos,...} in remote_password_change()
As we pass flags=0 to cli_connect_nb() all values can only be false,
so we can use false directly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 30 Oct 2016 15:21:31 +0000 (16:21 +0100)]
s3:client: avoid using cli->{use_kerberos,...} for cli_session_creds_init() in smbspool.c
CLI_FULL_CONNECTION_USE_KERBEROS is the only possible flag the
caller of smb_complete_connection() will pass, so we can avoid
use it directly instead of going via cli_start_connection()
to use cli->use_kerberos.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 8 Dec 2016 05:54:29 +0000 (06:54 +0100)]
s3:client: make use of cli_tree_connect_creds() in smbspool.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 7 Dec 2016 16:32:58 +0000 (17:32 +0100)]
s3:libsmb: add cli_tree_connect_creds()
This can be used with a valid creds structure in order
to do a share level authentication or with NULL in the cases
we assume a modern server already.
Later we can change the ordering and implement
cli_tree_connect() on top of cli_tree_connect_creds().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 7 Dec 2016 16:18:01 +0000 (17:18 +0100)]
s3:libsmb: fix 'client lanman auth = no' DEBUG message in cli_session_setup_creds_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 12:49:43 +0000 (13:49 +0100)]
s3:libsmb: fix memory leak in cli_raw_ntlm_smb_encryption_start()
smb_trans_enc_state is a talloc pointer now, so we can talloc_move()
the gensec_security to the correct talloc parent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12408
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 28 Oct 2016 10:44:51 +0000 (12:44 +0200)]
s3:torture: make use of cli_full_connection_creds() in torture.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 7 Dec 2016 16:17:44 +0000 (17:17 +0100)]
auth/credentials: clear all unused blobs in cli_credentials_get_ntlm_response()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 8 Nov 2016 06:19:11 +0000 (07:19 +0100)]
auth/credentials: fix cut'n'paste error in cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 28 Oct 2016 13:55:48 +0000 (15:55 +0200)]
auth/credentials: let cli_credentials_parse_string() handle the "winbind separator"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
David Disseldorp [Tue, 6 Dec 2016 12:03:27 +0000 (13:03 +0100)]
ctdb: add test script for ctdb_mutex_ceph_rados_helper
This standalone test script performs the following:
- using ctdb_mutex_ceph_rados_helper, take a lock on the Ceph RADOS
object a CLUSTER/$POOL/$OBJECT using the Ceph keyring for $USER
+ confirm that lock is obtained, via ctdb_mutex_ceph_rados_helper "0"
output
- check RADOS object lock state, using the "rados lock info" command
- attempt to obtain the lock again, using ctdb_mutex_ceph_rados_helper
+ confirm that the lock is not successfully taken
- tell the first locker to drop the lock and exit, via SIGTERM
- once the first locker has exited, attempt to get the lock again
+ confirm that this attempt succeeds
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Dec 9 07:59:33 CET 2016 on sn-devel-144
David Disseldorp [Thu, 1 Dec 2016 13:22:45 +0000 (14:22 +0100)]
ctdb/doc: man page for Ceph RADOS cluster mutex helper
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
David Disseldorp [Thu, 1 Dec 2016 12:33:22 +0000 (13:33 +0100)]
ctdb: cluster mutex helper using Ceph RADOS
ctdb_mutex_ceph_rados_helper implements the cluster mutex helper API
atop Ceph using the librados rados_lock_exclusive()/rados_unlock()
functionality.
Once configured, split brain avoidance during CTDB recovery will be
handled using locks against an object located in a Ceph RADOS pool.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
David Disseldorp [Tue, 6 Dec 2016 12:52:47 +0000 (13:52 +0100)]
ctdb-build: configure time switch for etcd support
Disable generation/installation of the etcd cluster mutex helper by
default. Support can be explicitly enabled at configure time with
--enable-etcd-reclock.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
David Disseldorp [Tue, 6 Dec 2016 12:38:45 +0000 (13:38 +0100)]
ctdb-build: move ctdb_etcd_lock to utils/etcd
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 8 Dec 2016 05:47:16 +0000 (16:47 +1100)]
ctdb-build: Generate pre-built documentation in wscript itself
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Amitay Isaacs [Thu, 8 Dec 2016 04:38:36 +0000 (15:38 +1100)]
ctdb-build: Avoid duplicate list of man pages
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Anoop C S [Tue, 6 Dec 2016 09:55:46 +0000 (15:25 +0530)]
lib/util: Fix indentation within routine description for dbghdrclass
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Dec 9 02:02:36 CET 2016 on sn-devel-144
Anoop C S [Tue, 6 Dec 2016 09:50:51 +0000 (15:20 +0530)]
lib/util: Fix input arguments description for dbghdrclass() routine
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Lukas Slebodnik [Mon, 5 Dec 2016 13:23:40 +0000 (14:23 +0100)]
tevent: remove shebang from tevent.py
The tevent.py is not a executable python script.
And rpmlint consider it as an error if module file
contians shebang
python2-tevent.x86_64: E: non-executable-script
/usr/lib64/python2.7/site-packages/tevent.py 644 /usr/bin/python
python3-tevent.x86_64: E: non-executable-script
/usr/lib64/python3.5/site-packages/tevent.py 644 /usr/bin/python
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Sun, 30 Oct 2016 22:54:44 +0000 (23:54 +0100)]
s4:repl_meta_data: normalize rdn attribute name via the schema
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12399
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 8 17:16:47 CET 2016 on sn-devel-144
Andrew Bartlett [Sun, 20 Nov 2016 22:21:50 +0000 (11:21 +1300)]
pidl: Make dcesrv\_$name\_interface "static const"
This moves it out of the global namespace
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 8 13:25:57 CET 2016 on sn-devel-144
Andrew Bartlett [Sun, 20 Nov 2016 22:31:27 +0000 (11:31 +1300)]
s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy()
Use a typesafe struct-returning function instead
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Mon, 5 Dec 2016 22:34:18 +0000 (14:34 -0800)]
s3: torture: Regression test case for permissions check on rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 7 11:52:03 CET 2016 on sn-devel-144
Jeremy Allison [Mon, 5 Dec 2016 22:32:55 +0000 (14:32 -0800)]
s3: smbd: Add missing permissions check on destination folder.
Based on code from Michael Zeis <mzeis.quantum@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 5 Dec 2016 22:32:03 +0000 (14:32 -0800)]
s3: smbd: Make check_parent_access() available to rename code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 5 Dec 2016 22:13:14 +0000 (14:13 -0800)]
s3: smbd: rename - missing early error exit if source and destination prefixes are different.
Noticed by Michael Zeis <mzeis.quantum@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 1 Dec 2016 16:16:14 +0000 (16:16 +0000)]
winbind: dom_sid_parse_endp always initializes "endp" when ok
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 7 00:11:03 CET 2016 on sn-devel-144
Volker Lendecke [Thu, 1 Dec 2016 16:16:14 +0000 (16:16 +0000)]
idmap_autorid: dom_sid_parse_endp always initializes "endp" when ok
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>