sfrench/samba-autobuild/.git
2 years agosmbd: Claim version in g_lock
Volker Lendecke [Mon, 22 May 2017 14:00:08 +0000 (16:00 +0200)]
smbd: Claim version in g_lock

Protect smbd against version incompatibilities in a cluster.

At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotorture3: Test heuristic cleanup
Volker Lendecke [Thu, 25 May 2017 08:48:15 +0000 (10:48 +0200)]
torture3: Test heuristic cleanup

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Heuristically check for server existence
Volker Lendecke [Mon, 22 May 2017 15:05:57 +0000 (17:05 +0200)]
g_lock: Heuristically check for server existence

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotorture3: Test lock conflict and cleanup
Volker Lendecke [Sun, 21 May 2017 06:56:01 +0000 (08:56 +0200)]
torture3: Test lock conflict and cleanup

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotorture3: Test lock upgrade/downgrade
Volker Lendecke [Fri, 19 May 2017 15:02:08 +0000 (17:02 +0200)]
torture3: Test lock upgrade/downgrade

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Allow lock upgrade/downgrade
Volker Lendecke [Fri, 19 May 2017 14:57:00 +0000 (16:57 +0200)]
g_lock: Allow lock upgrade/downgrade

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotorture3: Test g_lock_write_data
Volker Lendecke [Fri, 19 May 2017 14:59:06 +0000 (16:59 +0200)]
torture3: Test g_lock_write_data

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Make g_lock_dump return a complete list of locks
Volker Lendecke [Thu, 18 May 2017 13:27:46 +0000 (15:27 +0200)]
g_lock: Make g_lock_dump return a complete list of locks

To be honest, it did not really make sense to just pass in
lock holders individually. You could argue that it made sense
with in reality only G_LOCK_WRITE around, but soon we will have
G_LOCK_READ and thus multiple lock holders on a single lock.

Now that we also have userdata, change the g_lock_dump API

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Add g_lock_write_data
Volker Lendecke [Tue, 23 May 2017 10:32:24 +0000 (12:32 +0200)]
g_lock: Add g_lock_write_data

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Make g_lock_record_store also store userdata
Volker Lendecke [Thu, 18 May 2017 14:22:15 +0000 (16:22 +0200)]
g_lock: Make g_lock_record_store also store userdata

Sequel to the previous commit changing the get/put routines for
the on-disk format

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Reformat to allow userdata
Volker Lendecke [Thu, 18 May 2017 11:59:20 +0000 (13:59 +0200)]
g_lock: Reformat to allow userdata

The next patches will make g_locks carry data. This
prepares the on-disk format.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Move parsing routines together
Volker Lendecke [Thu, 18 May 2017 08:37:30 +0000 (10:37 +0200)]
g_lock: Move parsing routines together

No code change, just shuffling around:

Before this patchset, g_lock_parse was somewhere in the middle. This carries no
real logic, put it on top.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: unparse->put
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: unparse->put

Make it more in line with server_id_get/put

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: parse->get
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: parse->get

Make it more in line with server_id_get/put

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Remove a pointless "else"
Volker Lendecke [Wed, 17 May 2017 14:43:01 +0000 (16:43 +0200)]
g_lock: Remove a pointless "else"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Remove unused g_lock_get
Volker Lendecke [Wed, 17 May 2017 14:40:45 +0000 (16:40 +0200)]
g_lock: Remove unused g_lock_get

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Make it endian-neutral
Volker Lendecke [Wed, 17 May 2017 03:52:56 +0000 (05:52 +0200)]
g_lock: Make it endian-neutral

Add explicit parsing

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: More correct error msg
Volker Lendecke [Wed, 17 May 2017 03:54:36 +0000 (05:54 +0200)]
g_lock: More correct error msg

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotorture3: Initial test g_lock
Volker Lendecke [Tue, 16 May 2017 13:05:49 +0000 (15:05 +0200)]
torture3: Initial test g_lock

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agog_lock: Fix two typos
Volker Lendecke [Wed, 24 May 2017 11:27:18 +0000 (13:27 +0200)]
g_lock: Fix two typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos4:ldap_server: implement async BindSASL
Stefan Metzmacher [Fri, 12 May 2017 11:15:27 +0000 (13:15 +0200)]
s4:ldap_server: implement async BindSASL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144

2 years agos4:ldap_server: set result = LDAP_SUCCESS at the end, when we're really done
Stefan Metzmacher [Fri, 12 May 2017 10:41:13 +0000 (12:41 +0200)]
s4:ldap_server: set result = LDAP_SUCCESS at the end, when we're really done

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: avoid using talloc_reference()
Stefan Metzmacher [Fri, 12 May 2017 10:38:59 +0000 (12:38 +0200)]
s4:ldap_server: avoid using talloc_reference()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove useless NT_STATUS_IS_OK(status) check
Stefan Metzmacher [Fri, 12 May 2017 10:31:25 +0000 (12:31 +0200)]
s4:ldap_server: remove useless NT_STATUS_IS_OK(status) check

We checked a few lines above already, check with:
git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove useless indentation level arround ldapsrv_backend_Init()
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level arround ldapsrv_backend_Init()

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove useless indentation level arround gensec_session_info()
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level arround gensec_session_info()

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: make the gensec_create_tstream() error checking more clear
Stefan Metzmacher [Fri, 12 May 2017 10:26:12 +0000 (12:26 +0200)]
s4:ldap_server: make the gensec_create_tstream() error checking more clear

Check with 'git show -w'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: only touch conn->session_info on success in ldapsrv_BindSASL()
Stefan Metzmacher [Tue, 13 Jun 2017 13:28:53 +0000 (15:28 +0200)]
s4:ldap_server: only touch conn->session_info on success in ldapsrv_BindSASL()

The old conn->session_info (as well as conn->ldb) should only be changed
after a successful Bind().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: terminate the connection if talloc_reference fails
Stefan Metzmacher [Fri, 12 May 2017 10:09:38 +0000 (12:09 +0200)]
s4:ldap_server: terminate the connection if talloc_reference fails

talloc_reference will be removed completely in the next commits...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove pointless (result != LDAP_SUCCESS) check
Stefan Metzmacher [Fri, 12 May 2017 10:07:31 +0000 (12:07 +0200)]
s4:ldap_server: remove pointless (result != LDAP_SUCCESS) check

We set result = LDAP_SUCCESS above and have goto do_reply;
in all cases where we overwrite 'result'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: do the transport validation before calling gensec_create_tstream()
Stefan Metzmacher [Fri, 12 May 2017 10:04:59 +0000 (12:04 +0200)]
s4:ldap_server: do the transport validation before calling gensec_create_tstream()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: use talloc_zero for ldapsrv_sasl_postprocess_context
Stefan Metzmacher [Thu, 11 May 2017 19:18:07 +0000 (21:18 +0200)]
s4:ldap_server: use talloc_zero for ldapsrv_sasl_postprocess_context

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: drop the connection if we fail to allocate ldapsrv_sasl_postprocess_c...
Stefan Metzmacher [Thu, 11 May 2017 19:17:40 +0000 (21:17 +0200)]
s4:ldap_server: drop the connection if we fail to allocate ldapsrv_sasl_postprocess_context

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: only set *resp->SASL.secblob = output for OK or MORE_PROCESSING_REQUIRED
Stefan Metzmacher [Thu, 11 May 2017 19:14:00 +0000 (21:14 +0200)]
s4:ldap_server: only set *resp->SASL.secblob = output for OK or MORE_PROCESSING_REQUIRED

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove indentation level for the valid credential case
Stefan Metzmacher [Thu, 11 May 2017 19:11:00 +0000 (21:11 +0200)]
s4:ldap_server: remove indentation level for the valid credential case

Check with git show -w.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: make sure we destroy the gensec context on error
Stefan Metzmacher [Fri, 12 May 2017 10:44:05 +0000 (12:44 +0200)]
s4:ldap_server: make sure we destroy the gensec context on error

If the client tries a new bind we need to start with a fresh context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: avoid pointless check arround LDAP_INVALID_CREDENTIALS
Stefan Metzmacher [Fri, 12 May 2017 14:04:02 +0000 (16:04 +0200)]
s4:ldap_server: avoid pointless check arround LDAP_INVALID_CREDENTIALS

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: move invalid credential handling before the success handling.
Stefan Metzmacher [Thu, 11 May 2017 19:09:08 +0000 (21:09 +0200)]
s4:ldap_server: move invalid credential handling before the success handling.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: remove an useless indentation level from gensec_update_ev()
Stefan Metzmacher [Thu, 11 May 2017 17:13:49 +0000 (19:13 +0200)]
s4:ldap_server: remove an useless indentation level from gensec_update_ev()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: always allocate resp->SASL.secblob
Stefan Metzmacher [Thu, 11 May 2017 17:11:43 +0000 (19:11 +0200)]
s4:ldap_server: always allocate resp->SASL.secblob

The code path with resp->SASL.secblob = NULL was completely untested
(and wrong) as ldapsrv_setup_gensec() is very unlikely to ever fail.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: add use goto do_reply; to make the logic in ldapsrv_BindSASL() more...
Stefan Metzmacher [Thu, 11 May 2017 17:04:27 +0000 (19:04 +0200)]
s4:ldap_server: add use goto do_reply; to make the logic in ldapsrv_BindSASL() more sane

The following patches will simplify the logic by avoiding else branches
by using early returns.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv
Stefan Metzmacher [Thu, 11 May 2017 16:53:06 +0000 (18:53 +0200)]
s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: implement async BindSimple
Stefan Metzmacher [Thu, 11 May 2017 16:04:15 +0000 (18:04 +0200)]
s4:ldap_server: implement async BindSimple

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:auth: add authenticate_ldap_simple_bind_send/recv
Stefan Metzmacher [Thu, 11 May 2017 15:05:02 +0000 (17:05 +0200)]
s4:auth: add authenticate_ldap_simple_bind_send/recv

TODO: we need to make the backend async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: improve ldapsrv_UnbindRequest implementation
Stefan Metzmacher [Tue, 13 Jun 2017 13:02:41 +0000 (15:02 +0200)]
s4:ldap_server: improve ldapsrv_UnbindRequest implementation

We should abandon outstanding requests and disconnect the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: add call->wait_send/recv infrastructure
Stefan Metzmacher [Thu, 11 May 2017 14:51:15 +0000 (16:51 +0200)]
s4:ldap_server: add call->wait_send/recv infrastructure

If it is set by the dispatch functions, the core server
will use call->wait_send() and wait for it to finally
return frim call->wait_recv() before it asks for the
next incoming pdu.

This can be used to implement bind as async operations.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: don't log Unbind and Abandon requests.
Stefan Metzmacher [Sat, 13 May 2017 06:20:00 +0000 (08:20 +0200)]
s4:ldap_server: don't log Unbind and Abandon requests.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: introduce a ldapsrv_call_destructor()
Stefan Metzmacher [Thu, 11 May 2017 14:37:21 +0000 (16:37 +0200)]
s4:ldap_server: introduce a ldapsrv_call_destructor()

This makes sure that a call doesn't become an stale
member of the conn->pending_calls list.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:ldap_server: use talloc_zero() in ldapsrv_init_reply()
Stefan Metzmacher [Thu, 11 May 2017 17:07:04 +0000 (19:07 +0200)]
s4:ldap_server: use talloc_zero() in ldapsrv_init_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
Stefan Metzmacher [Fri, 20 Dec 2013 07:52:52 +0000 (08:52 +0100)]
s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG

This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.

This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.

This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorepl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server
Garming Sam [Wed, 16 Nov 2016 01:44:40 +0000 (14:44 +1300)]
repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server

Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144

2 years agodsdb: Improve debug messages
Andrew Bartlett [Wed, 14 Jun 2017 02:13:18 +0000 (14:13 +1200)]
dsdb: Improve debug messages

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agodsdb: Ensure replication of renames works in schema partition
Andrew Bartlett [Wed, 14 Jun 2017 01:12:32 +0000 (13:12 +1200)]
dsdb: Ensure replication of renames works in schema partition

This caused failures against vampire_dc (on large-dc), likely due to
more frequent replication propagating the record before it was renamed.
The DC ran out of RIDs and RID allocation causes schema replication,
which failed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12841
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
Andrew Bartlett [Mon, 12 Jun 2017 23:20:58 +0000 (11:20 +1200)]
selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log

This ensures that object is not cleaned up, triggering a disconnect before we get back
the audit messages.  Otherwise they can be lost when the server task calls exit()
while the message thread is still trying to send them.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agostream_terminate_connection: Prevent use-after-free
Garming Sam [Fri, 9 Jun 2017 02:13:25 +0000 (14:13 +1200)]
stream_terminate_connection: Prevent use-after-free

This sometimes would show up as corrupted bytes during logs. Hammering
the LDAP server enough times managed to trigger an outright segfault.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: Add test for gss_krb5/ntlmssp -> SPNEGO
Andrew Bartlett [Mon, 12 Jun 2017 02:27:53 +0000 (14:27 +1200)]
selftest: Add test for gss_krb5/ntlmssp -> SPNEGO

These bare mechs are permitted to go direct to SPNEGO, which must cope with them

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Add pygensec tests for GSS-SPNEGO and Win2000 emulated SPNEGO
Andrew Bartlett [Mon, 12 Jun 2017 02:12:53 +0000 (14:12 +1200)]
selftest: Add pygensec tests for GSS-SPNEGO and Win2000 emulated SPNEGO

This is to provide some unit testing coverage for these different modes of operation

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Add a test for @ATTRIBUTES and @INDEXLIST generation
Andrew Bartlett [Tue, 6 Jun 2017 23:47:15 +0000 (11:47 +1200)]
selftest: Add a test for @ATTRIBUTES and @INDEXLIST generation

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Rename module -> next_module for clarity
Andrew Bartlett [Tue, 30 May 2017 22:44:34 +0000 (10:44 +1200)]
ldb: Rename module -> next_module for clarity

This helps make some future commits less confusing

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agodsdb: Correctly call ldb_module_done in dsdb_notification
Andrew Bartlett [Wed, 31 May 2017 00:22:28 +0000 (12:22 +1200)]
dsdb: Correctly call ldb_module_done in dsdb_notification

If we just call ldb_request_done() then we never call the callback.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agotdb: add run-fcntl-deadlock test
Stefan Metzmacher [Tue, 11 Apr 2017 15:21:20 +0000 (17:21 +0200)]
tdb: add run-fcntl-deadlock test

This verifies the F_RDLCK => F_WRLCK upgrade logic in the kernel
for conflicting locks.

This is a standalone test to check the traverse_read vs.
allrecord_lock/prepare_commit interaction.

This is based on the example from
https://lists.samba.org/archive/samba-technical/2017-April/119861.html
from Douglas Bagnall <douglas.bagnall@catalyst.net.nz> and Volker Lendecke <vl@samba.org>.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: Improve logging on unique index violation
Andrew Bartlett [Fri, 9 Jun 2017 02:15:19 +0000 (14:15 +1200)]
ldb_tdb: Improve logging on unique index violation

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: Remove the idxptr DB before we re-index
Andrew Bartlett [Fri, 9 Jun 2017 02:09:30 +0000 (14:09 +1200)]
ldb_tdb: Remove the idxptr DB before we re-index

We do not want the cache or any of the values in it, we want to read the real DB
@INDEX: records.

This matters if a re-index is tiggered in the same transaction
as the modify of the values in the index.  Otherwise we won't see
the old index record (it will not show up in the tdb_traverse)
and so fail to remove it.

That in turn can cause a spurious unqiue index violation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: Check for memory allocation failure in ltdb_index_transaction_start()
Andrew Bartlett [Fri, 9 Jun 2017 02:07:40 +0000 (14:07 +1200)]
ldb_tdb: Check for memory allocation failure in ltdb_index_transaction_start()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agodsdb: Provide proper errors when dsdb_schema_set_indices_and_attributes fails
Andrew Bartlett [Fri, 9 Jun 2017 00:06:37 +0000 (12:06 +1200)]
dsdb: Provide proper errors when dsdb_schema_set_indices_and_attributes fails

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: pass the workgroup name to Samba3::provision()
Stefan Metzmacher [Sat, 10 Jun 2017 10:29:47 +0000 (12:29 +0200)]
selftest: pass the workgroup name to Samba3::provision()

Not all environments should use the samba workgroup name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 14 02:53:27 CEST 2017 on sn-devel-144

2 years agotestprogs/blackbox: don't use hardcoded values in test_net_ads_dns.sh
Stefan Metzmacher [Mon, 12 Jun 2017 14:02:32 +0000 (16:02 +0200)]
testprogs/blackbox: don't use hardcoded values in test_net_ads_dns.sh

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:script/tests: don't use hardcoded Domain Name in test_smbclient_s3.sh
Stefan Metzmacher [Sun, 11 Jun 2017 21:40:34 +0000 (23:40 +0200)]
s3:script/tests: don't use hardcoded Domain Name in test_smbclient_s3.sh

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest: don't use hardcoded domain names in Samba3::setup_admember()
Stefan Metzmacher [Fri, 9 Jun 2017 12:53:40 +0000 (14:53 +0200)]
selftest: don't use hardcoded domain names in Samba3::setup_admember()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest: test pam_winbind with a local user on ad_member
Stefan Metzmacher [Fri, 9 Jun 2017 13:45:25 +0000 (15:45 +0200)]
selftest: test pam_winbind with a local user on ad_member

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the pam_winbind test
Stefan Metzmacher [Fri, 9 Jun 2017 13:15:15 +0000 (15:15 +0200)]
selftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the pam_winbind test

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agopython/samba/tests: don't use hardcoded names in *pam_winbind* tests
Stefan Metzmacher [Fri, 9 Jun 2017 12:52:59 +0000 (14:52 +0200)]
python/samba/tests: don't use hardcoded names in *pam_winbind* tests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agopython: Port simple libpython module to Python 3 compatible form
Lumir Balhar [Thu, 20 Apr 2017 13:11:58 +0000 (15:11 +0200)]
python: Port simple libpython module to Python 3 compatible form

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoWHATSNEW: deprecated "profile acls"
Stefan Metzmacher [Tue, 13 Jun 2017 09:59:30 +0000 (11:59 +0200)]
WHATSNEW: deprecated "profile acls"

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 13 22:45:28 CEST 2017 on sn-devel-144

2 years agodocs-xml/smbdotconf: deprecated "profile acls"
Stefan Metzmacher [Tue, 13 Jun 2017 09:59:30 +0000 (11:59 +0200)]
docs-xml/smbdotconf: deprecated "profile acls"

This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.

Typically something like this seems to work:

[winprofiles]
  comment = Users profiles New
  path = /data/winprofiles/
  browseable = No
  read only = No
  csc policy = disable
  store dos attributes = yes
  vfs objects = acl_xattr

With chmod 1777 on /data/winprofiles/

In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833

It's also useful to something like this in the global
section in order to detect disconnects reliable:

  socket options = TCP_KEEPCNT=5 TCP_KEEPIDLE=30 TCP_KEEPINTVL=1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agostrerror_r: provide XSI-compliant strerror_r
Gary Lockyer [Thu, 1 Jun 2017 01:26:38 +0000 (13:26 +1200)]
strerror_r: provide XSI-compliant strerror_r

Provide a XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.

This reverts 18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to
make Heimdal use roken, rather than libreplace for strerror_r.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoctdb-recovery: Log messages at various debug levels
Amitay Isaacs [Thu, 8 Jun 2017 08:22:17 +0000 (18:22 +1000)]
ctdb-recovery: Log messages at various debug levels

This avoids spamming the logs during recovery at NOTICE level.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 13 13:22:09 CEST 2017 on sn-devel-144

2 years agoctdb-scripts: Compact server-end TCP connection killing output
Martin Schwenke [Fri, 9 Jun 2017 04:34:56 +0000 (14:34 +1000)]
ctdb-scripts: Compact server-end TCP connection killing output

When thousands of connections are being killed the logs are flooded
with information about connections that should be killed.  When some
connections are not killed then the number not killed is printed.
This is the wrong way around!  When debugging "fail-back" problems, it
is important to know details of connections that were *not* killed.
It is almost never important to know the full list of all connections
that were *supposed* to be killed.

Instead, print a summary showing how many connections of the total
were killed.  If any were not killed then print a list of remaining
connections.

Update unit tests: infrastructure for fake TCP connections, existing,
test cases, add new test cases.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agoctdb-common: Log a count of dropped messages with non-blocking logging
Martin Schwenke [Thu, 1 Jun 2017 11:13:58 +0000 (21:13 +1000)]
ctdb-common: Log a count of dropped messages with non-blocking logging

The non-blocking logging variants can currently silently drop messages
when the socket queue fills.

In this case, count the number of dropped messages and attempt to log
a message about dropped log messages when the next message is logged.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agoctdb-tests: Add more NFS eventscript tests for call-out failures
Martin Schwenke [Fri, 9 Jun 2017 00:57:28 +0000 (10:57 +1000)]
ctdb-tests: Add more NFS eventscript tests for call-out failures

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agoctdb-scripts: NFS call-out failures should cause event failure
Martin Schwenke [Thu, 8 Jun 2017 04:45:43 +0000 (14:45 +1000)]
ctdb-scripts: NFS call-out failures should cause event failure

Failures in startup/shutdown/releaseip/takeip are currently
incorrectly ignored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agolibbreplace: compatibility fix for AIX
Guillaume Xavier Taillon [Mon, 22 Feb 2016 19:46:24 +0000 (14:46 -0500)]
libbreplace: compatibility fix for AIX

Adds macros for preprocessor compares and replaces an incomptatible
  compare with one of the new macros.
This fixes a comptability bug on AIX.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11621
Signed-off-by: Guillaume Xavier Taillon <gtaillon@ca.ibm.com>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Jun 13 09:11:56 CEST 2017 on sn-devel-144

2 years agopassword_hash: Fix the build on FreeBSD
Volker Lendecke [Fri, 2 Jun 2017 11:34:39 +0000 (13:34 +0200)]
password_hash: Fix the build on FreeBSD

This ditches a particular aspect of thread safety, but I doubt that
ldb is really thread safe. So in practice, I think we should not
see harm from this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jun 13 05:06:49 CEST 2017 on sn-devel-144

2 years agojoin.py Add DNS records at domain join time
Andrew Bartlett [Fri, 17 Feb 2017 05:23:23 +0000 (18:23 +1300)]
join.py Add DNS records at domain join time

This avoids issues getting replication going after the DC first starts
as the rest of the domain does not have to wait for samba_dnsupdate to
run successfully

We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined:
 - We do not want to query another DNS server
 - We do not want to obtain a Kerberos ticket for the new DC
   (as the KDC we select may not be the DC we just joined,
   and so may not be in sync with the password we just set)
 - We do not wish to set the _ldap records until we have started
 - We do not wish to use NTLM (the --use-samba-tool mode forces
   NTLM)

The downside to using DCE/RPC rather than DNS is that these will
be regarded as static entries, and (against windows) have a the ACL
assigned for static entries.  However this is still better than no
DNS at all.

Because some tests want a DNS record matching their own name
this fixes some tests and removes entires from knownfail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144

2 years agoselftest: Add test confirming join-created DNS entries can be modified as the DC
Andrew Bartlett [Thu, 8 Jun 2017 03:25:23 +0000 (15:25 +1200)]
selftest: Add test confirming join-created DNS entries can be modified as the DC

This ensures that samba_dnsupdate can run in the long term against the new DNS entries

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Test join.py and confirm that the DNS record is created
Andrew Bartlett [Thu, 1 Jun 2017 05:11:57 +0000 (17:11 +1200)]
selftest: Test join.py and confirm that the DNS record is created

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoprovision: Allow removing an existing account when force=True is set
Andrew Bartlett [Tue, 6 Jun 2017 03:22:35 +0000 (15:22 +1200)]
provision: Allow removing an existing account when force=True is set

This allows a practical override for use in test scripts

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoprovision: Move default handler for site=None down into dc_join object creation
Andrew Bartlett [Tue, 6 Jun 2017 03:21:50 +0000 (15:21 +1200)]
provision: Move default handler for site=None down into dc_join object creation

This makes this code easier to call from a test script

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Use TestCaseInTempDir as base class in dns tests
Andrew Bartlett [Thu, 1 Jun 2017 03:15:25 +0000 (15:15 +1200)]
selftest: Use TestCaseInTempDir as base class in dns tests

This will help when we add a new join test based on this code

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: Create new common base class for dns.py and dns_tkey.py
Andrew Bartlett [Thu, 1 Jun 2017 01:26:37 +0000 (13:26 +1200)]
selftest: Create new common base class for dns.py and dns_tkey.py

This will allow more DNS tests to be written in the future with less
code duplication.

2 years agoselftest: merge DNSTest boilerplate
Andrew Bartlett [Thu, 8 Jun 2017 22:00:09 +0000 (10:00 +1200)]
selftest: merge DNSTest boilerplate

This will help unifying dns.py and dns_tkey.py to use common subclasses

The code was originally copied, but has since divereged.  This handles
that divergence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: move make_txt_record() onto self in samba.tests.dns
Andrew Bartlett [Wed, 31 May 2017 01:57:25 +0000 (13:57 +1200)]
selftest: move make_txt_record() onto self in samba.tests.dns

This will help unifying dns.py and dns_tkey.py to use common subclasses

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agosamba_dnsupdate: fix "samba-tool" fallback error handling
Andrew Bartlett [Tue, 11 Apr 2017 02:23:49 +0000 (14:23 +1200)]
samba_dnsupdate: fix "samba-tool" fallback error handling

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agosamba_dnsupdate: Extend possible server list to all NS servers for the zone
Andrew Bartlett [Tue, 11 Apr 2017 02:14:15 +0000 (14:14 +1200)]
samba_dnsupdate: Extend possible server list to all NS servers for the zone

This should eventually be removed, but for now this unblocks samba_dnsupdate operation
in existing domains that have lost the original Samba DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agodns_server: clobber MNAME in the SOA
Andrew Bartlett [Tue, 11 Apr 2017 00:43:22 +0000 (12:43 +1200)]
dns_server: clobber MNAME in the SOA

Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour.  AD is multi-master so all RW servers are a master.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: run dns tests in multiple envs
Andrew Bartlett [Thu, 8 Jun 2017 04:20:42 +0000 (16:20 +1200)]
selftest: run dns tests in multiple envs

This will let us check the negative behaviour: that updates against RODCs fail
and un-authenticated updates fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest: confirm we clobber the MNAME in the SOA query in the DNS server
Andrew Bartlett [Thu, 8 Jun 2017 03:54:22 +0000 (15:54 +1200)]
selftest: confirm we clobber the MNAME in the SOA query in the DNS server

All RW DCs should be their own master DNS server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agosamba_dnsupate: Try to get ticket to the SOA, not the NS servers
Andrew Bartlett [Mon, 10 Apr 2017 05:13:46 +0000 (17:13 +1200)]
samba_dnsupate: Try to get ticket to the SOA, not the NS servers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agosamba_dnsupdate: Make nsupdate use the server given by the SOA record
Andrew Bartlett [Mon, 10 Apr 2017 05:10:27 +0000 (17:10 +1200)]
samba_dnsupdate: Make nsupdate use the server given by the SOA record

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agojoin.py: Do not expose the old machine password over NTLM if -k yes was set
Andrew Bartlett [Mon, 10 Apr 2017 04:10:00 +0000 (16:10 +1200)]
join.py: Do not expose the old machine password over NTLM if -k yes was set

This makes the test for a valid machine account stricter (as a kerberos error could
cause this to fail and so skip the validation), but we never wish to use NTLM
if the administrator disabled it on the command line

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>