Garming Sam [Thu, 21 Jul 2016 22:56:07 +0000 (10:56 +1200)]
AddressSanitizer: Initialize for kcc_topology.c
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Christof Schmitt [Thu, 26 May 2016 05:56:49 +0000 (22:56 -0700)]
vfs_gpfs: Retry getacl with DAC capability if necessary
Samba always tries to read the ACL of a file and checks it internally.
If the READ_ACL permission is missing in GPFS, then then reading the ACL
for Samba internal evaluation will be denied and opening the file or
directory fails. Change this by retrying reading the ACL with the DAC
capability if access was denied.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Mon Jul 25 10:30:02 CEST 2016 on sn-devel-144
Yan, Zheng [Mon, 21 Mar 2016 02:42:21 +0000 (10:42 +0800)]
s3: vfs: ceph: Add posix acl support
Signed-off-by: Yan, Zheng <zyan@redhat.com>
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Sun Jul 24 04:08:23 CEST 2016 on sn-devel-144
Yan, Zheng [Mon, 21 Mar 2016 02:42:20 +0000 (10:42 +0800)]
s3: vfs: generalize functions that set/get posix acl through xattr
Move posix acl related code in vfs_glusterfs.c to a seperate module.
Signed-off-by: Yan, Zheng <zyan@redhat.com>
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 21 Jul 2016 12:25:56 +0000 (14:25 +0200)]
s4-torture: fix compile of new NDR PAC tests with MIT Kerberos.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 23 09:50:46 CEST 2016 on sn-devel-144
Günther Deschner [Thu, 21 Jul 2016 12:26:45 +0000 (14:26 +0200)]
s4-torture: add new torture_assert_krb5_error_equal macro.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Fri, 22 Jul 2016 18:17:24 +0000 (11:17 -0700)]
s4: messaging: Remove bool auto_remove parameter from imessaging_init().
With modern messaging this doesn't do anything (it's an
empty destructor). Clean up so we can add a proper destructor
in future.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Wed, 20 Jul 2016 23:40:53 +0000 (16:40 -0700)]
s3: smbd: vfs: Remove any stale xattr values during file/directory create in vfs_xattr_tdb()
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 13 Jul 2016 06:17:15 +0000 (08:17 +0200)]
s4:dsdb/replicated_objects: don't skip notifications on resolved conflicts
We should propagate resolved conflicts immediately.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 23 03:18:58 CEST 2016 on sn-devel-144
Stefan Metzmacher [Wed, 13 Jul 2016 06:15:20 +0000 (08:15 +0200)]
s4:dsdb/repl_meta_data: remember originating updates when applying replicated changes
The caller needs to know about them in order to decide about possible
notifications.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 May 2016 22:13:33 +0000 (00:13 +0200)]
s4:kdc: provide a PAC_UPN_DNS_INFO element for logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 7 Jan 2016 13:55:07 +0000 (14:55 +0100)]
auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 22 Jul 2016 10:58:00 +0000 (12:58 +0200)]
WHATSNEW: add SmartCard/PKINIT improvements
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 16 Jan 2016 13:25:18 +0000 (14:25 +0100)]
s4:selftest: run the pkinit test in the ad_dc and ad_dc_ntvfs environment
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 13:35:40 +0000 (15:35 +0200)]
s4:selftest: run test_pkinit_pac_heimdal.sh test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 13:34:50 +0000 (15:34 +0200)]
testprogs/blackbox: add test_pkinit_pac_heimdal.sh
This verifies that we have a PAC_CREDENTIAL_INFO element in the PAC
when using pkinit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 2 Jun 2016 16:24:18 +0000 (18:24 +0200)]
test_pkinit_heimdal.sh: add some more tests regarding the UF_SMARTCARD_REQUIRED behavior
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 3 Jun 2016 19:46:13 +0000 (21:46 +0200)]
selftest/Samba: copy pkinit@$DOMAIN certificates to the environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 3 Jun 2016 19:32:04 +0000 (21:32 +0200)]
selftest/manage-ca: update manage-CA-samba.example.com.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 3 Jun 2016 19:32:04 +0000 (21:32 +0200)]
selftest/manage-ca: add certificates for pkinit@[addom.]samba.example.com
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 3 Jun 2016 19:46:13 +0000 (21:46 +0200)]
selftest/Samba: remove compat admincert* files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 24 May 2016 00:40:00 +0000 (02:40 +0200)]
s4:dsdb/tests: add UF_SMARTCARD_REQUIRED tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 31 May 2016 14:39:06 +0000 (16:39 +0200)]
s4:dsdb/password_hash: add the UF_SMARTCARD_REQUIRED password reset magic
When UF_SMARTCARD_REQUIRED is set to an account we need to remove
the current password and add random NT and LM hashes (without updating
the pwdLastSet field.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 May 2016 21:20:39 +0000 (23:20 +0200)]
s4:kdc: provide a PAC_CREDENTIAL_INFO element for PKINIT logons
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 7 Jan 2016 16:25:26 +0000 (17:25 +0100)]
s4:kdc: correctly update the PAC in samba_wdc_reget_pac()
We need to keep unknown PAC elements and just copy them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 20 May 2016 07:48:41 +0000 (09:48 +0200)]
s4:kdc: hook into heimdal's windc.pac_pk_generate hook
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 20 May 2016 06:29:30 +0000 (08:29 +0200)]
HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 20 May 2016 12:57:57 +0000 (14:57 +0200)]
HEIMDAL:kdc: reset e_text after successful pre-auth verification
This is already fixed in upstream heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 7 Jan 2016 13:12:14 +0000 (14:12 +0100)]
HEIMDAL:lib/krb5: allow predefined PAC_{LOGON_NAME,PRIVSVR_CHECKSUM,SERVER_CHECKSUM} elements in _krb5_pac_sign()
A caller may want to specify an explicit order of PAC elements,
e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME
element.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is commit
7cd40a610569d5e54ebe323672794fb6415b5dac in heimdal master.
Stefan Metzmacher [Wed, 20 Jul 2016 08:12:45 +0000 (10:12 +0200)]
s4:torture/remote_pac: verify the order of PAC elements
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 13:08:32 +0000 (15:08 +0200)]
auth/credentials: also do a shallow copy of the krb5_ccache.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 22 Jul 2016 14:12:25 +0000 (16:12 +0200)]
tevent: Add overflow protection to tevent_req_create
This adds 40 bytes, but they are needed for correctness :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jul 22 23:33:57 CEST 2016 on sn-devel-144
Volker Lendecke [Fri, 22 Jul 2016 14:06:45 +0000 (16:06 +0200)]
tevent: Save 140 bytes of .text in tevent_req_create
This is one of or hottest code paths, I think every bit counts here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Fri, 22 Jul 2016 14:06:45 +0000 (16:06 +0200)]
tevent: Save 32 bytes of .text in tevent_req_create
This is one of or hottest code paths, I think every bit counts here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 28 Jun 2016 22:35:16 +0000 (10:35 +1200)]
build: Add hints on what libraries to install for gpgme support on failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 22 19:51:09 CEST 2016 on sn-devel-144
Stefan Metzmacher [Mon, 27 Jun 2016 06:25:30 +0000 (08:25 +0200)]
WHATSNEW: recomment python-crypto and python-m2crypto
They're used for some samba-tool commands.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Wed, 17 Feb 2016 09:07:27 +0000 (10:07 +0100)]
WHATSNEW: add 'Password sync as active directory domain controller'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andrew Bartlett [Wed, 20 Jul 2016 04:45:34 +0000 (16:45 +1200)]
s4:torture/ndr: Add supplementalCredentials blob from Samba with the new SambaGPG blob
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 02:19:58 +0000 (03:19 +0100)]
python:samba/tests: use 'samba-tool user {getpassword,syncpasswords}' with --decrypt-samba-gpg
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jan 2016 12:51:00 +0000 (13:51 +0100)]
selftest:Samba4: configure "password hash gpg key ids" for ad_dc (if available)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 09:04:40 +0000 (10:04 +0100)]
s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local
In future ad_dc_ntvfs and ad_dc will differ regarding the Primary:SambaGPG
password feature. So we should test both.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jan 2016 12:51:00 +0000 (13:51 +0100)]
selftest:gnupg: add a gpg key for Samba Selftest <selftest@samba.example.com>
This key doesn't have a passphrase and allows automatic testing
of decryption.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Fri, 22 Jan 2016 20:52:26 +0000 (21:52 +0100)]
samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords'
This get's the cleartext passwords by decrypting
the 'Primary:SambaGPG' value in order to provide the
virtual attributes: virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
The virtual attribute virtualSambaGPG provides the raw
(encrypted) value of the 'Primary:SambaGPG' value.
See the "password hash gpg key ids" option for the encryption part
of this feature.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jan 2016 09:51:38 +0000 (10:51 +0100)]
s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials
It's important that Primary:SambaGPG is added as the last element.
This is the indication that it matches the current password.
When a password change happens on a Windows DC,
it will keep the old Primary:SambaGPG value, but as the first element.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jan 2016 09:51:38 +0000 (10:51 +0100)]
drsblobs.idl: add package_PrimarySambaGPGBlob
This will be used to store the cleartext utf16 password
GPG encrypted in the supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jan 2016 09:51:38 +0000 (10:51 +0100)]
s4:dsdb/samdb: add configure checks for libgpgme
This will be used to store the cleartext utf16 password
GPG encrypted as 'Primary:SambaGPG' in the
supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 15 Feb 2016 08:56:03 +0000 (09:56 +0100)]
docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 15 Feb 2016 08:10:54 +0000 (09:10 +0100)]
docs-xml/smbdotconf: add "password hash gpg key ids" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 06:01:18 +0000 (07:01 +0100)]
.travis.yml: install libgpgme11-dev python[3]-gpgme
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 15 Feb 2016 08:56:03 +0000 (09:56 +0100)]
docs-xml/smbdotconf: reference "unix password sync" with "samba-tool user syncpasswords"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 15 Feb 2016 08:15:38 +0000 (09:15 +0100)]
docs-xml:samba-tool.8: document "user syncpasswords" command
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 02:19:58 +0000 (03:19 +0100)]
python:samba/tests: add simple 'samba-tool user syncpasswords' test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Fri, 22 Jan 2016 20:52:26 +0000 (21:52 +0100)]
samba-tool: add 'user syncpasswords' command
This provides an easy way to keep passwords in sync with
another account database, e.g. an OpenLDAP server.
It provides a functionality like the "passwd program"
for the "unix password sync" feature of a standalone, member
and classic (NT4) server, but for an active directory domain
controller.
The provided script is called for each account/password related
change.
Like the 'user getpassword' command it allows virtual attributes like:
virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
Note that this command should just run on a single domain controller
(typically the PDC-emulator).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Mon, 15 Feb 2016 08:15:38 +0000 (09:15 +0100)]
docs-xml:samba-tool.8: document "user getpassword" command
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 02:19:58 +0000 (03:19 +0100)]
python:samba/tests: verify the packages order in supplementalCredentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 16 Feb 2016 02:19:58 +0000 (03:19 +0100)]
python:samba/tests: add simple 'samba-tool user getpassword' test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 22 Jan 2016 20:52:26 +0000 (21:52 +0100)]
samba-tool: add 'user getpassword' command
This provides an easy way to get the passwords of a user
including the cleartext passwords (if stored) and derived
hashes. This is done by providing virtual attributes like:
virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
This is much easier than using ldbsearch and manually parsing
the supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Tue, 12 Jul 2016 07:57:16 +0000 (09:57 +0200)]
pycredentials: add set_utf16_[old_]password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 12 Jul 2016 06:14:36 +0000 (08:14 +0200)]
pycredentials: add {get,set}_old_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 18:04:10 +0000 (20:04 +0200)]
WHATNEW: the default for "ntlm auth" is "no"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 17:50:36 +0000 (19:50 +0200)]
selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
docs-xml:smbdotconf: default "ntlm auth" to "no"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 07:26:27 +0000 (09:26 +0200)]
selftest: set "ntlm auth = yes" for now as a lot of tests rely on it
In future we should use a mix of environments some which support ntlmv1
and some without.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 17:45:04 +0000 (19:45 +0200)]
s3:selftest: run smbclient_auth with a few more combinations
E.g. we try lanman, ntlmv1 and ntlmv2 authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 21 Jul 2016 17:41:57 +0000 (19:41 +0200)]
s3:tests: add 'as user' to the test names in test_smbclient_auth.sh
We already have 'as anon', having an indication for each case makes it
easier to mark some as knownfail.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 May 2016 21:09:53 +0000 (23:09 +0200)]
s3:ntlm_auth: call fault_setup() in order to get usefull backtraces
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Thu, 21 Jul 2016 23:24:59 +0000 (16:24 -0700)]
WHATSNEW. Add text for Open File Description (OFD) locks.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul 22 14:13:52 CEST 2016 on sn-devel-144
Ralph Boehme [Thu, 21 Jul 2016 19:21:46 +0000 (12:21 -0700)]
WHATSNEW: SMB 2.1 leases enabled by default
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 20 Jul 2016 10:32:58 +0000 (12:32 +0200)]
smbd: Enable leases by default
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 21 Jul 2016 19:49:57 +0000 (12:49 -0700)]
s4: torture: Don't crash if connections fail and treeXX variables are left as NULL.
Correctly log as torture fail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Amitay Isaacs [Wed, 14 Oct 2015 04:49:12 +0000 (15:49 +1100)]
ctdb-pcp-pmda: Reimplement using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Jul 22 10:31:57 CEST 2016 on sn-devel-144
Amitay Isaacs [Thu, 5 May 2016 04:51:07 +0000 (14:51 +1000)]
ctdb-tests: Add torture test for fetch functions
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 08:30:30 +0000 (18:30 +1000)]
ctdb-tests: Remove unused tests code
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 06:14:39 +0000 (16:14 +1000)]
ctdb-tests: Rename ctdb_porting_tests to porting_tests
and create unit test for it.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 06:03:41 +0000 (16:03 +1000)]
ctdb-tests: Rename ctdb_lock_tdb to lock_tdb
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 05:56:13 +0000 (15:56 +1000)]
ctdb-tests: Convert rb_test into a unit test
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 04:29:56 +0000 (14:29 +1000)]
ctdb-tests: Replace ctdb_update_record_persistent with update_record_persistent
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 04:27:40 +0000 (14:27 +1000)]
ctdb-tests: Replace ctdb_update_record with update_record using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 18 Apr 2016 07:11:36 +0000 (17:11 +1000)]
ctdb-tests: Replace ctdb_transaction with transaction_loop using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Sat, 21 Nov 2015 11:50:59 +0000 (22:50 +1100)]
ctdb-tests: Replace ctdb_fetch_readonly_loop with fetch_readonly_loop using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 20 Apr 2016 04:49:47 +0000 (14:49 +1000)]
ctdb-tests: Replace ctdb_fetch_readonly_once with fetch_readonly using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 20 Nov 2015 05:24:34 +0000 (16:24 +1100)]
ctdb-tests: Replace ctdb_fetch_one with fetch_loop using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 17 Nov 2015 21:51:41 +0000 (08:51 +1100)]
ctdb-tests: Replace ctdb_fetch with fetch_ring using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 10 Nov 2015 05:00:07 +0000 (16:00 +1100)]
ctdb-tests: Replace ctdb_bench with message_ring using new client API
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 19 Apr 2016 06:18:54 +0000 (16:18 +1000)]
ctdb-tests: Add torture test for g_lock functions
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 18 Nov 2015 01:46:08 +0000 (12:46 +1100)]
ctdb-tests: Common code to process commandline options
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 18 Nov 2015 01:18:14 +0000 (12:18 +1100)]
ctdb-tests: Common code to wait for synchronization across cluster
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Garming Sam [Thu, 30 Jun 2016 00:19:32 +0000 (12:19 +1200)]
WHATSNEW: Add the update for the samba kcc
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jul 21 10:17:52 CEST 2016 on sn-devel-144
Garming Sam [Wed, 29 Jun 2016 22:54:29 +0000 (10:54 +1200)]
samba_kcc: Enable the python samba_kcc
For any reasonably large domain, the old KCC is impractical as the dense
mesh topology causes replication pulses.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 18 Jul 2016 02:38:40 +0000 (14:38 +1200)]
kcc: correct a typo in the debug messages
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 18 Jul 2016 05:06:57 +0000 (17:06 +1200)]
dbcheck: Add a rule regarding replica locations
This fixes any RW DCs with repsFrom without the corresponding link. On
any RODC, this just reports an error (and doesn't fix it).
(the knownfail entry is also now removed)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 20 Jul 2016 00:47:11 +0000 (12:47 +1200)]
dbcheck/release-4-1-0rc3: Add a check regarding replica locations
This DC has repsFrom for the DNS partitions, but not the corresponding
link. This ensures that dbcheck has fixed them up. This will currently
fail without the actual changes to dbcheck coming in the following
commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jul 2016 04:01:20 +0000 (16:01 +1200)]
join.py: Don't add replica locations without the backend
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 18 Jul 2016 01:09:59 +0000 (13:09 +1200)]
join.py: Add Replica-Locations for DomainDNS and ForestDNS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 20 Jul 2016 01:37:47 +0000 (13:37 +1200)]
join.py: Ensure that all expressions are escaped
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jul 2016 03:34:13 +0000 (15:34 +1200)]
dbcheck: Replica locations can now be leftover
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jul 2016 01:08:31 +0000 (13:08 +1200)]
kcc: Make more fault tolerant on DC demotion
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 20 Jul 2016 22:42:14 +0000 (10:42 +1200)]
samba_kcc: match translate connection from old KCC for RWDC
This makes it so that repsTo are always regenerated on the target DCs.
This also happens elsewhere in drepl_out, but is to be removed.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 5 Jul 2016 03:57:28 +0000 (15:57 +1200)]
samba_kcc: match translate connection from old KCC for RODC
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 1 Jul 2016 05:02:50 +0000 (17:02 +1200)]
kcc: Prevent the KCC from doing work on the RODC
This should never have done any real work, new code or not. This just removes
the initial KCC calls and bails out in the KCC if we actually ran it.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>