Volker Lendecke [Sun, 8 Jan 2017 17:54:06 +0000 (17:54 +0000)]
lib: Simplify smb_nanosleep
We have the recalculation logic also in sys_poll_intr, don't duplicate it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar 20 16:11:16 CET 2017 on sn-devel-144
Volker Lendecke [Sun, 19 Mar 2017 19:10:29 +0000 (20:10 +0100)]
lib: Make sys_poll_intr available to ctdb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Martin Schwenke [Sat, 18 Mar 2017 09:38:32 +0000 (20:38 +1100)]
ctdb-tests: Catch cases where mktemp fails due to missing TMPDIR
TMPDIR sometimes goes missing during autobuild. When that happens the
error messages produced by CTDB tests are not very helpful. This
should make it clear.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Mar 20 08:53:02 CET 2017 on sn-devel-144
Volker Lendecke [Fri, 17 Mar 2017 12:52:57 +0000 (13:52 +0100)]
s3:winbind: Use the correct talloc context for user information
This fixes the substitution for 'template homedir'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
Andreas Schneider [Fri, 17 Mar 2017 12:35:39 +0000 (13:35 +0100)]
s3:winbind: Remove unused struct getpwent_user
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 18 08:59:01 CET 2017 on sn-devel-144
Andreas Schneider [Fri, 17 Mar 2017 12:24:13 +0000 (13:24 +0100)]
s3:winbind: Use correct struct member for size calculation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Fri, 27 Jan 2017 15:03:03 +0000 (16:03 +0100)]
tldap: Allow dropping messages in tldap_search()
For probing whether a connection is a live a rootdse search might be
interesting where we don't really care for the result, only success or
failure of the operation.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Amitay Isaacs [Tue, 14 Mar 2017 05:12:55 +0000 (16:12 +1100)]
ctdb-readonly: Avoid a tight loop waiting for revoke to complete
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12697
During revoking readonly delegations, if one of the nodes disappears, then
there is no point re-trying revoking readonly delegation. The database
needs to be recovered before the revoke operation can succeed. So retry
only after a grace period.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 17 14:05:57 CET 2017 on sn-devel-144
Ralph Boehme [Thu, 16 Mar 2017 16:52:50 +0000 (17:52 +0100)]
winbindd: remove trailing spaces in get_cache()
Trailing spaces are annoyingly highlighted red in my emacs setup so I'd
like to get rid of them. :)
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 17 00:20:17 CET 2017 on sn-devel-144
Ralph Boehme [Thu, 16 Mar 2017 16:51:29 +0000 (17:51 +0100)]
winbindd: README.Coding fixes for get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 16 Mar 2017 16:45:36 +0000 (17:45 +0100)]
winbindd: fix long lines in get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 16 Mar 2017 09:36:14 +0000 (10:36 +0100)]
winbindd: untangle reconnect_methods vs reconnect_ads_methods
No change in behaviour. The previous logic just seemed a bit clumsy
because of the ifdefs.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Thu, 16 Mar 2017 08:32:55 +0000 (09:32 +0100)]
winbindd: use NULL for pointer check in get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Amitay Isaacs [Thu, 16 Mar 2017 02:29:18 +0000 (13:29 +1100)]
lib/util: Fix initializer
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Amitay Isaacs [Thu, 16 Mar 2017 02:28:57 +0000 (13:28 +1100)]
replace: Fix compiler warning flag
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Mar 2017 10:58:02 +0000 (11:58 +0100)]
docs: Deprecate "auth methods"
Keeping this parameter prevents fixing bug 2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Mar 2017 08:31:10 +0000 (09:31 +0100)]
docs: Deprecate "map untrusted to domain"
The implementation of this parameter depends on Samba to enumerate
trusted domains. In an active directory environment, we don't know of
a good way to enumerate all domains that we have to accept as trusted,
in particular with multiple forests, one-way and external trusts. We
hope to replace this parameter in the future with something that matches
Windows behaviour better, after the deprecation phase of this parameter
is over and we can remove it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 16 Mar 2017 16:17:51 +0000 (09:17 -0700)]
Changes to make the Solaris C compiler happy.
Fix Bug 12693 dbwrap_watch.c syntax error before or at: }
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12693
Signed-off-by: Tom schulz <schulz@adi.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 15 Mar 2017 20:52:05 +0000 (13:52 -0700)]
s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
We expect the following attributes to be present in an LDAP GPO object:
displayName
flags
gPCFileSysPath
name
ntSecurityDescriptor
versionNumber
and fail if a result is returned without them. Change this
to skip results that don't contain these attributes instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12695
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Jeremy Allison [Thu, 16 Mar 2017 16:10:52 +0000 (09:10 -0700)]
Fix for Solaris C compiler.
Inspired by comment 4 in bug 12559.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12559
Signed-off-by: Tom Schulz <schulz@adi.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Aurelien Aptel [Wed, 15 Mar 2017 10:34:20 +0000 (11:34 +0100)]
s3:smbd: exit early if srv_send_smb fails
coverity fix.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Jeremy Allison [Tue, 14 Mar 2017 20:34:07 +0000 (13:34 -0700)]
s3: locking: Update oplock optimization for the leases era !
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 15 20:04:32 CET 2017 on sn-devel-144
Jeremy Allison [Tue, 14 Mar 2017 20:23:13 +0000 (13:23 -0700)]
s3: locking: Move two leases functions into a new file.
map_oplock_to_lease_type(), fsp_lease_type().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Sat, 11 Mar 2017 09:16:03 +0000 (10:16 +0100)]
lib: Fix an uninitialized variable warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 15 14:21:43 CET 2017 on sn-devel-144
Volker Lendecke [Wed, 25 Jan 2017 16:44:38 +0000 (17:44 +0100)]
passdb: Remove pdb_ipa
The version used these days can be found under
https://pagure.io/freeipa/blob/master/f/daemons/ipa-sam
Having a stale copy in Samba only confuses things.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 15 09:18:21 CET 2017 on sn-devel-144
Andreas Schneider [Mon, 13 Mar 2017 16:30:37 +0000 (17:30 +0100)]
testprogs: Correctly expand shell parameters
The old behaviour is:
for var in $*
do
echo "$var"
done
And you get this:
$ sh test.sh 1 2 '3 4'
1
2
3
4
Changing it to:
for var in "$@"
do
echo "$var"
done
will correctly expand to:
$ sh test.sh 1 2 '3 4'
1
2
3 4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
Andreas Schneider [Tue, 14 Mar 2017 15:12:20 +0000 (16:12 +0100)]
s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Signed-off-by: Andreas Schneider <asn@samba.org>
Alexander Bokovoy [Fri, 10 Mar 2017 14:20:06 +0000 (16:20 +0200)]
lib/crypto: implement samba.crypto Python module for RC4
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.
Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.
Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
Volker Lendecke [Mon, 13 Mar 2017 18:09:27 +0000 (19:09 +0100)]
examples:clifuse: Add a stub for getattr
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 14 19:15:03 CET 2017 on sn-devel-144
Volker Lendecke [Mon, 13 Mar 2017 16:48:56 +0000 (17:48 +0100)]
examples: Add '-p', '--port' to smb2mount
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 24 Jan 2017 20:42:51 +0000 (21:42 +0100)]
libsmb: Slightly simplify trustdom_cache_fetch
Also adapt to modern coding standards
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 24 Jan 2017 20:40:42 +0000 (21:40 +0100)]
libsmb: Use talloc in trustdom_cache_key
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 24 Jan 2017 20:35:16 +0000 (21:35 +0100)]
libsmb: Simplify trustdom_cache_store
The additional arguments were never used
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 24 Jan 2017 20:30:40 +0000 (21:30 +0100)]
libsmb: Make a few functions static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 20 Jan 2017 12:40:23 +0000 (13:40 +0100)]
libsmb: Remove some stale code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Mon, 13 Mar 2017 14:34:20 +0000 (15:34 +0100)]
krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build
This does not build on Fedora 25 with picky-developer turned on.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Mon, 13 Mar 2017 15:34:05 +0000 (16:34 +0100)]
testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and make sure we
will not regress in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2017 16:28:58 +0000 (17:28 +0100)]
param: Allow to specify kerberos method on the commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2017 15:24:52 +0000 (16:24 +0100)]
s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2017 15:11:39 +0000 (16:11 +0100)]
krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Stefan Metzmacher [Mon, 13 Mar 2017 14:59:54 +0000 (15:59 +0100)]
remove historic source3/change-log
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 13 19:45:31 CET 2017 on sn-devel-144
Garming Sam [Sun, 12 Mar 2017 23:18:00 +0000 (12:18 +1300)]
getncchanges: Remove O(n) loop in link parsing
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 13 08:57:24 CET 2017 on sn-devel-144
Garming Sam [Sun, 12 Mar 2017 23:16:13 +0000 (12:16 +1300)]
dsdb: Allow parsed_dn_find to have a prefixed blob match
This allows us to search against binary DN using only the attributeID in
the case of msDS-RevealedUsers (as it appears right at the beginning).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Sun, 12 Mar 2017 23:14:23 +0000 (12:14 +1300)]
dsdb: Move parsed_dn_find into a common location
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 7 Mar 2017 02:42:59 +0000 (15:42 +1300)]
tests/dbcheck-links: remove spurious sleeping
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 10 Mar 2017 01:25:21 +0000 (14:25 +1300)]
getncchanges: generalize samdb_result_sid_array_ndr a little
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 10 Mar 2017 01:31:10 +0000 (14:31 +1300)]
getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 6 Mar 2017 23:30:09 +0000 (12:30 +1300)]
objectclass_attrs: Restrict systemOnly attributes
This allows restriction of auditing attributes from being wiped.
Modifications of the RID Set must be done as SYSTEM.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 02:16:49 +0000 (15:16 +1300)]
tests/match_rules: Use system privilege for msDS-RevealedUsers
Must be done before the systemOnly attribute is enforced.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 3 Mar 2017 04:31:46 +0000 (17:31 +1300)]
dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 3 Mar 2017 03:02:40 +0000 (16:02 +1300)]
getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 3 Mar 2017 03:05:25 +0000 (16:05 +1300)]
tests/repl_rodc: Test the direct allow/deny attribute works
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 2 Mar 2017 22:18:33 +0000 (11:18 +1300)]
getncchanges: Reorder and comment code for clarity
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 2 Mar 2017 22:14:24 +0000 (11:14 +1300)]
getncchanges: Prevent a small, but possible race condition in build_object
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 2 Mar 2017 22:01:36 +0000 (11:01 +1300)]
getncchanges: Refactor filter_attrs from build_object
This makes it easier to have a transaction around it.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 28 Feb 2017 03:21:25 +0000 (16:21 +1300)]
getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 3 Mar 2017 01:00:39 +0000 (14:00 +1300)]
tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 3 Mar 2017 03:21:12 +0000 (16:21 +1300)]
getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Bob Campbell [Fri, 17 Feb 2017 02:51:36 +0000 (15:51 +1300)]
getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
This conforms with Windows' behaviour.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Wed, 8 Mar 2017 04:12:32 +0000 (17:12 +1300)]
replmd: Include extra data on DN in search if it exists
This is important for multi-valued DN+Binary (or DN+String) attributes,
as otherwise they will be considered duplicates.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Garming Sam [Fri, 10 Mar 2017 04:29:53 +0000 (17:29 +1300)]
replmd: Ensure that binary blobs in links are ordered in the database
This is required if we are to search them with a binsearch.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:12:27 +0000 (17:12 +1300)]
getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
This correctly passes has_get_all_changes through to repl_secrets.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Bob Campbell [Wed, 15 Feb 2017 21:03:29 +0000 (10:03 +1300)]
drsblobs: Add decode for replPropertyMetaData1
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Fri, 3 Mar 2017 00:33:04 +0000 (13:33 +1300)]
tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Mon, 13 Feb 2017 02:46:37 +0000 (15:46 +1300)]
python/tests: Add repl_rodc test
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Mon, 27 Feb 2017 01:40:40 +0000 (14:40 +1300)]
getncchanges: Return correct denied REPL_SECRET error code
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:13:40 +0000 (17:13 +1300)]
drsbase: use credentials if supplied
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:17:27 +0000 (17:17 +1300)]
python/dsdb_dn: Add a generic get_bytes method on DNs
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 03:10:16 +0000 (16:10 +1300)]
ldb_tdb: Add better comments for duplicate attr values
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 02:56:12 +0000 (15:56 +1300)]
ldb_tdb: Do not check for duplicate values during a rename
This is not the time to be pretending to be dbcheck, and there are
exceptions to the single-value rules in Samba. This is needed for
the same reasons as the modify case.
(Note: this error was triggered with the demote of an RODC with links)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:12:21 +0000 (17:12 +1300)]
ldb_tdb: Do not care about duplicates if single value check disabled
This behaviour of ignoring duplicates with the flag
LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK is also used in the replace
case here.
When we add a forward DN+Binary link with a duplicate DN, this prevents
us from not being able to add the backlink because it appears to be a
duplicate here.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Garming Sam [Thu, 9 Mar 2017 03:11:41 +0000 (16:11 +1300)]
samba-tool/domain: Correctly re-enable replication
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 01:40:11 +0000 (14:40 +1300)]
werror: Correct the error code checking
Broken in commit
ea3c3f10edac2b6e7e1900b4e75f4be4d70d369a
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 21:48:38 +0000 (10:48 +1300)]
typo: uppon -> upon
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Chris Lamb [Fri, 17 Feb 2017 19:59:48 +0000 (08:59 +1300)]
Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Uri Simchoni [Fri, 3 Mar 2017 20:00:00 +0000 (22:00 +0200)]
doc: update "ea support" section of the smb.conf manpage
This section was badly outdated.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 12 21:04:11 CET 2017 on sn-devel-144
Stefan Metzmacher [Fri, 10 Mar 2017 15:53:53 +0000 (16:53 +0100)]
winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain
find_lookup_domain_from_sid() returns the same domain for all non local
sids on a domain member. We should not chunk one wb_lookupsids_send/recv
into multiple wbint_LookupSids_send/recv to the same 'lookup' domain,
just because the requested SIDs don't all belong to the same domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Mar 12 00:56:14 CET 2017 on sn-devel-144
Stefan Metzmacher [Fri, 10 Mar 2017 14:23:36 +0000 (15:23 +0100)]
winbindd: remove unused find_root_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Fri, 10 Mar 2017 14:23:36 +0000 (15:23 +0100)]
winbindd: remove bogus fallback to the forest root in wb_lookupsid*()
It's the job of the domain controller in our domain
to traverse the trust chain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Fri, 10 Mar 2017 14:23:36 +0000 (15:23 +0100)]
winbindd: remove bogus fallback to the forest root in wb_lookupname*()
It's the job of the domain controller in our domain
to traverse the trust chain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Fri, 10 Mar 2017 12:43:12 +0000 (13:43 +0100)]
selftest: Do not plan samba3.base.delaywrite twice
This test is already slow. We should not run it twice!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar 11 04:25:14 CET 2017 on sn-devel-144
Ralph Boehme [Thu, 9 Mar 2017 18:49:56 +0000 (19:49 +0100)]
lib/pthreadpool: fix a memory leak
When copying large files from the server to the client with aio enabled
we noticed that smbd kept growing RSS and VSZ.
valgrind was reporting:
==2503== 4,093,440 bytes in 6,560 blocks are possibly lost in loss record 460 of 460
==2503== at 0x4C299CE: calloc (vg_replace_malloc.c:711)
==2503== by 0x4011C24: _dl_allocate_tls (in /usr/lib64/ld-2.17.so)
==2503== by 0x4E3C960: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.17.so)
==2503== by 0x9B298AE: pthreadpool_add_job (in /usr/lib64/samba/libmessages-dgm-samba4.so)
==2503== by 0x9B29FDC: pthreadpool_tevent_job_send (in /usr/lib64/samba/libmessages-dgm-samba4.so)
==2503== by 0x56A78EF: ??? (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55D86B7: smb_vfs_call_pread_send (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55F7543: schedule_smb2_aio_read (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x5608F57: smbd_smb2_request_process_read (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55FCB6C: smbd_smb2_request_dispatch (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55FD7DC: ??? (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x641B977: ??? (in /usr/lib64/samba/libtevent.so.0.9.31)
The problem seems to be caused by worked threads that are not properly
started in detached state and thus their tls is not reclaimed upon
thread termination.
In pthreadpool.c we prepare a pthread attribute with
PTHREAD_CREATE_DETACHED, but we don't pass it to pthread_create().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12624
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 10 22:06:02 CET 2017 on sn-devel-144
Garming Sam [Wed, 8 Mar 2017 23:22:13 +0000 (12:22 +1300)]
objectclass_attrs: Remove schema copy shallow from attr_handler2
This appears quite expensive (particularly in provision), and also
unnecessary.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 10 15:34:39 CET 2017 on sn-devel-144
Stefan Metzmacher [Sun, 29 Jan 2017 16:20:09 +0000 (17:20 +0100)]
s4:kdc: disable principal based autodetected referral detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 29 Jan 2017 16:19:14 +0000 (17:19 +0100)]
HEIMDAL:kdc: make it possible to disable the principal based referral detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Thu, 9 Mar 2017 07:18:27 +0000 (08:18 +0100)]
s3:gse: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 9 Mar 2017 07:11:07 +0000 (08:11 +0100)]
s3:gse: Check if we have a target_princpal set we should use
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 9 Mar 2017 07:05:26 +0000 (08:05 +0100)]
s3:gse: Move setup of service_principal to update function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 6 Mar 2017 07:16:11 +0000 (08:16 +0100)]
s3:gse: Pass down the gensec_security pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 9 Mar 2017 08:10:12 +0000 (09:10 +0100)]
krb5_wrap: Remove obsolete smb_krb5_get_principal_from_service_hostname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 9 Mar 2017 06:54:29 +0000 (07:54 +0100)]
s3:gse: Use smb_krb5_get_realm_from_hostname()
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from
ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
to
ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.
From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).
MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 12:10:05 +0000 (13:10 +0100)]
s4:gensec_gssapi: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 10:03:17 +0000 (11:03 +0100)]
s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from
ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
to
ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.
From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).
MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 11:34:59 +0000 (12:34 +0100)]
s4:gensec_gssapi: Move setup of service_principal to update function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 6 Mar 2017 08:19:13 +0000 (09:19 +0100)]
s4:gensec-gssapi: Create a helper function to setup server_principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 10:56:30 +0000 (11:56 +0100)]
krb5_wrap: Make smb_krb5_get_realm_from_hostname() public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 10:56:30 +0000 (11:56 +0100)]
krb5_wrap: pass client_realm to smb_krb5_get_realm_from_hostname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 09:48:52 +0000 (10:48 +0100)]
krb5_wrap: Try to guess the correct realm from the service hostname
If we do not get a realm mapping from the krb5.conf or from the Kerberos
library try to guess it from the service hostname. The guessing of the
realm from the service hostname is already implemented in Heimdal. This
makes the behavior of smb_krb5_get_realm_from_hostname() consistent
with both MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 8 Mar 2017 09:40:08 +0000 (10:40 +0100)]
krb5_wrap: Do not return an empty realm from smb_krb5_get_realm_from_hostname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>