python: samba._glue: Port samba._glue module to Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python: samba.tests.param: Add missing tests

Add some new tests of samba.param Python bindings.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python: samba.param: Port param module to Python 3

Port Python bindings of samba.param module to
Python3-compatible form.

Because native Python file objects are officially
no longer backed by FILE*, API of some _dump()
functions is changed. File argument is now
optional and contains only name of file. Stdout
is default if no file name is specified. Otherwise
opening and closing files is done on C layer
instead of Python.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python: samba.tests.credentials: Python 3 compatible tests

Port test of pycredentials to Python 3 compatible form.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python: samba.credentials: Port pycredentials.c to Python3-compatible form.

Port Python bindings of samba.credentials module to
Python3-compatible form using macros from py3compat.h.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

lib/ldb: Enable use of a python3 pyldb-util system library

To do this, we have to install a .pc file for the python3 pyldb-util

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Incorportaing fixes by Petr Viktorin <pviktori@redhat.com>

Signed-off-by: Petr Viktorin <pviktori@redhat.com>

talloc: use the system pytalloc-util for python3 as well

This involves installing a .pc file for the python3 library as well

To get the .pc file generated and installed is quite a mission, we
have to rework the talloc build system to ensure that the second 'env'
created for EXTRA_PYTHON has everything set up on it, the
TALLOC_VERSION in particular.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Incorportaing fixes by Petr Viktorin <pviktori@redhat.com>

Signed-off-by: Petr Viktorin <pviktori@redhat.com>

scripts/traffic_summary: documentation typo

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

./examples/scripts/SambaConfig.py: fix typo in "continue"

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/examples/winreg: two variable name typos on a single line

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python sites/subnets: correctly spell variable name

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python provision: FDSBackend takes forced uri

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/remove_dc: avoid using non-existent variable

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: correctly spell variable name

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/join: correct spelling of "ctx.del_noerror"

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: remove unused broken client.py

Nothing uses this, and pyflakes points out it is unusable:

./selftest/client.py:60: undefined name 'prefix_abs'
./selftest/client.py:69: undefined name 'opts'
./selftest/client.py:70: undefined name 'interfaces'

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gitignore: add some hidden files

.gdb_history is generated by gdb,
.emacs* are generated by emacs, and
.clang* by clang.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

perftests/ad_dc_search: do less work in expensive member searches

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyldb: p3k readiness: allow single unicode string in msg element

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

talloc: fix doxygen of talloc_move

talloc_move cannot fail.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 10 07:30:40 CET 2017 on sn-devel-144

auth_ntdomain3: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth_winbind4: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth_winbind3: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3/smbd: add my copyright to open.c

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4/torture: some tests for kernel oplocks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/selftest: adopt config.h check from source4

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: fix deferred open with streams and kernel oplocks

I noticed smbd can get stuck in an open() call with kernel oplocks
enabled and named streams (provided by vfs_streams_xattr):

- client opens a file and with an exclusive oplock

- client starts writing to the file

- client opens an existing stream of the file

- the smbd process gets stuck in an open()

What happens is:

we had setup a locking.tdb record watch in defer_open(), the watch was
triggered, we reattempted the open and got stuck in a blocking open
because the oplock holder (ourselves) hadn't given up the oplock yet.

Cf e576bf5310bc9de9686a71539e9a1b60b4fba5cc for the commit that added
the kernel oplock retry logic. tldr: with kernel oplocks the first open
is non-blocking, but the second one is blocking.

Detailed analysis follows.

When opening a named stream of a file, Samba internally opens the
underlying "base" file first. This internal open of the basefile suceeds
and does *not* trigger an oplock break (because it is an internal open
that doesn't call open() at all) but it is added as an entry to the
locking.tdb record of the file.

Next, the stream open ends up in streams_xattr where a non-blocking
open() on the base file is called. This open fails with EWOULDBLOCK
because we have another fd with a kernel oplock on the file.

So we call defer_open() which sets up a watch on the locking.tdb record.

In the subsequent error unwinding code in open_file_ntcreate() and
callers we close the internal open file handle of the basefile which
also removes the entry from the locking.tdb record and so *changes the
record*.

This fires the record watch and in the callback defer_open_done() we
don't check whether the condition (oplock gone) we're interested in is
actually met. The callback blindly reschedules the open request with
schedule_deferred_open_message_smb().

schedule_deferred_open_message_smb() schedules an immediate tevent event
which has precedence over the IPC fd events in messaging, so the open is
always (!) reattempted before processing the oplock break message.

As explained above, this second open will be a blocking one so we get
stuck in a blocking open.

It doesn't help to make all opens non-blocking, that would just result
in a busy loop failing the open, as we never process the oplock break
message (remember, schedule_deferred_open_message_smb() used immediate
tevent events).

To fix this we must add some logic to the record watch callback to check
whether the record watch was done for a kernel oplock file and if yes,
check if the oplock state changed. If not, simply reschedule the
deferred open and keep waiting.

This logic is only needed for kernel oplocks, not for Samba-level
oplocks, because there's no risk of deadlocking, the worst that can
happen is a rescheduled open that fails again in the oplock checks and
gets deferred again.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: all callers of defer_open() pass a lck

No change in behaviour. Update the function comment explaining how it
works and relies on lck for a record watch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: remove async_open arg from defer_open()

All remaining callers pass false.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: fix schedule_async_open() timer

schedule_async_open() was calling defer_open with sharemode lock = NULL,
as a result there was never an active 20 s timeout.

This has been broken since the commits in

$ git log --reverse -p -10 8283fd0e0090ed12b0b12d5acb550642d621b026

Just roll our own deferred record instead of calling defer_open() and
also set up timer that, as a last resort, catches stuck opens and just
exits for now.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: add and use retry_open() instead of defer_open() in two places

Add a new function that does an immediate open rescheduling.

The first deferred open this commit changes was never scheduled, as the
scheduling relies on a timeout of the watch on the sharemode lock.

This has been broken since the commits in

$ git log --reverse -p -10 8283fd0e0090ed12b0b12d5acb550642d621b026

That patchset added the dbwrap watch record logic to defer_open() and
removed the timers.

I'm doing this mainly to untangle the defer_open() logic which is
complicated by the lck arg.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: simplify defer_open()

Add a helper function deferred_open_record_create() that creates a
deferred_open_record and let all callers pass all needed arguments
individually.

While we're at it, enhance the debug message in defer_open() to print
all variables.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: req is already validated at the beginning of open_file_ntcreate()

req can't be NULL because the if condition surrounding this code checks
!(oplock_request & INTERNAL_OPEN_ONLY).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: add comments and some reformatting to open_file_ntcreate()

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: add const to get_lease_type() args

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/wscript: fix Linux kernel oplock detection

Fix a copy/paste error, the Linux kernel oplocks check was copied from
the change notify support check.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbindd: Remove an unused #define

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Fri Mar 10 00:00:15 CET 2017 on sn-devel-144

winbind: Use talloc_strdup_upper where appropriate

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

ldap_server: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

winbind: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

ldb: add LDB_FLG_DONT_CREATE_DB

This avoids creating an new tdb files on ldbsearch
or other callers which use LDB_FLG_DONT_CREATE_DB.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar  9 16:02:21 CET 2017 on sn-devel-144

auth3: Simplify auth_check_ntlm_password logic with a "goto fail"

No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  9 02:01:35 CET 2017 on sn-devel-144

auth3: Simplify auth_check_ntlm_password logic with a "goto fail"

No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b" :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth3: Simplify auth_check_ntlm_password server_info handling

Instead of directly assigning (*pserver_info), work on a local copy
first and assign it once when successful

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth3: Simplify auth_check_ntlm_password talloc handling

Use talloc_stackframe and talloc_tos. Don't bother to talloc_free
within the loop, we don't have many iterations.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth3: Use talloc_move instead of _steal

That's the more "modern" way to steal

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth3: Centralize auth_check_ntlm_password failure handling

Preparation for simplified talloc handling. Slight behaviour change:
We now ZERO_STRUCTP(pserver_info) in all failure cases.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper

MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).

Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
code use of krb5 mech when calling to gss_acquire_cred.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar  8 22:00:24 CET 2017 on sn-devel-144

s3-gse: convert to use smb_gss_krb5_import_cred

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libads: convert to use smb_gss_krb5_import_cred

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

credentials_krb5: convert to use smb_gss_krb5_import_cred

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper

Wrap gss_krb5_import_cred() to allow re-implementing it with
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
works fine with GSSAPI interposer (GSS-proxy) while
gss_krb5_import_cred() is not interposed yet.

The wrapper has additional parameter, krb5_context handle, to facilitate
with credentials cache name discovery. All our callers to
gss_krb5_import_cred() already have krb5 context handy.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

gssapi: check for gss_acquire_cred_from

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3-libads: Do not leak the msg on error

ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar  8 14:59:35 CET 2017 on sn-devel-144

idmap_autorid: allocate new domain range if the callers knows the sid is valid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12613

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar  8 04:06:59 CET 2017 on sn-devel-144

manpages/vfs_fruit: document global options

Some options MUST be set in the global section, better document that.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12615

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbind: Add a debug message for out-of-range IDs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbind: Remove unused wcache_tdc_fetch_domainbysid

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbind: Correcly pass !authoritative from wb_irpc_SamLogon

Returning an error at this level gives a RPC level error without the chance to
provide !authoritative flag to the caller. At the RPC level we're fine, but not
finding the domain to authenticate means that we don't know the domain and thus
have to return !authoritative.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  7 13:16:00 CET 2017 on sn-devel-144

libwbclient: Add "authoritative" to wbcAuthErrorInfo

smbd needs to react to "authoritative"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Set "authoritative" in response to auth_crap

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Add "authoritative" to winbindd_response

This is a relevant piece of info in the samlogon response,
smbd and netlogond need to be able to react to it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Pass up args from winbind_dual_SamLogon

We'll need to pass "authoritative" back to the winbind client

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Pass up args from winbind_samlogon_retry_loop

In particular "authoritative" is useful at the top level

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

cli_netlogon: Add return parms to rpccli_netlogon_password_logon

Just for symmetry with rpccli_netlogon_network_logon()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

cli_netlogon: Remove a fallback for flags=NULL

The two callers of rpccli_netlogon_network_logon have flags set !=NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

cli_netlogon: Remove a fallback for authoritative=NULL

The two callers of rpccli_netlogon_network_logon have authoritative
set !=NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Fix a debug message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar  6 23:18:46 CET 2017 on sn-devel-144

auth4: Remove an unused struct declaration

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

auth4: Move a variable closer to its use

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Re-enable token groups fallback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar  6 19:18:31 CET 2017 on sn-devel-144

winbindd: find the domain based on the sid within wb_lookupusergroups_send()

That simplifies the potential caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove wb_lookupusergroups"

This reverts commit c0570e6ae8f8f0057ece48d764580897ff2b6f62.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove wbint_LookupUserGroups"

This reverts commit 256632ed3cc724bab0fc22132ca6b52faf680ab2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove wb_cache_lookup_usergroups"

This reverts commit f83863b4d1510a9519d15934c960fd1675235812.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove wcache_lookup_usergroups"

This reverts commit 876dc28b9cf13343a2962b1a1b035fe78c1858a6.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove validate_ug"

This reverts commit 3f58a8cabab75a594cff9088d5dd8ea439b36178.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove "lookup_usergroups" winbind method"

This reverts commit b231814c6b0ad17255139bc8934f269610348b2b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "winbind: Remove rpc_lookup_usergroups"

This reverts commit 91b73b1e93bb8fb38e2f1cea6c1cbd012c952542.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:libads: remove unused fallback to gss_acquire_cred()

Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  6 11:44:54 CET 2017 on sn-devel-144

s4/torture: add a creditting test skipping a SMB2 MID

This tests that skipping a SMB2 MID the client's usable MID window is

[unused mid, unused mid + 8192]

The test currently fails against Samba as we only grant up to 512
credits. It passes against Windows 2016 as that grants up to 8192
credits by default.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  4 01:54:07 CET 2017 on sn-devel-144

libcli/smb: add smb2cli_conn_get_mid and smb2cli_conn_set_mid

This will be needed for a torture test in the next commit.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4/torture: add some SMB2 crediting tests

These tests verify that a server grants at least 8192 credits in a
successfull session setup and in a single SMB2 request. Both tests pass
against Windows 2016 Server but currently fail against Samba.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/smb: add smb2cli_conn_get_cur_credits

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/smb: add max_credits arg to smbXcli_negprot_send()

This allows source4/torture code to set the option for tests by
preparing a struct smbcli_options with max_credits set to some value and
pass that to a torture_smb2_connection_ext().

This will be used in subsequent smbtorture test for SMB2 creditting.

Behaviour of existing upper layers is unchanged, they simply pass the
wanted max credits value to smbXcli_negprot_send() instead of
retrofitting it with a call to smb2cli_conn_set_max_credits().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Make gencache hash size configurable, default to 10000

For large deployments with many users, we put a lot of idmapping
entries into gencache. Increase the hash size from our default 131.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

idmap_hash: Add a deprecation message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar  3 16:54:34 CET 2017 on sn-devel-144

docs: Improve the idmap_hash manpage

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

s4:selftest: run samba4.sam.python also against fl2008r2dc

fl2008r2dc uses "ldap server require strong auth = no", which
is required to test the simple bind error messages.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  3 12:57:06 CET 2017 on sn-devel-144

dsdb/tests: add test_ldap_bind_must_change_pwd()

This tests the error messages for failing LDAP Bind responses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: match windows in the error messages of failing LDAP Bind requests

This is important for some applications to detect the
NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb-samba: remember the error string of a failing bind in ildb_connect()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb/tests: remove duplicate test_smartcard_required3() from sam.py

The function was 100% the same...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

torture3: Add test for smbd crash

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar  3 06:20:50 CET 2017 on sn-devel-144

smbd: Do an early exit on negprot failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained.

When the send queue grows greater than xconn->smb2.credits.max/16,
smbd_smb2_request_next_incoming() doesn't allocate a new request in state->req.

After smbd_smb2_io_handler() is called, it marks the fd not readable as
state->req == NULL, and never marks it readable again.

Fix by calling smbd_smb2_request_next_incoming() to restart
reads inside smbd_smb2_flush_send_queue() which drains the
send queue.

Reported by <chen.yehua@h3c.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12608

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar  3 02:23:20 CET 2017 on sn-devel-144

selftest: remove "ea support" from vfs_fruit-related setups.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

vfs_fruit: drop "ea support" from the manpage

Now that ea support is not required, drop that
comment from the man page.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

testparm: remove check for "ea support" in fruit shares

Now that ea support is not required for vfs_fruit, drop the
check that it's enabled in shares using vfs_fruit.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: remove coupling between get_ea_names_from_file() and "ea support"

The "ea support" configuration variable determines whether smbd
should attempt to manipulate extended attributes via SMB protocol.
It does not pertain to the underlying storage and its support for
extended attributes.

get_ea_names_from_file() is being used also by vfs_streams_xattr -
a module which has nothing to do with client-visible extended
attributes. As such, vfs_streams_xattr should be able to operate
irrespective of the value of "ea support".

This patch moves the check for ea support to the callers.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>