timbeale/samba-autobuild/.git
2 months agowaf: Check for libnscd master
Christof Schmitt [Tue, 12 Feb 2019 19:28:32 +0000 (12:28 -0700)]
waf: Check for libnscd

The check was in the old autoconf, but not in waf. As the code is still
in source3/lib/util_nscd.c, add the check for libnscd to allow building
and using the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13787

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Feb 13 17:58:33 CET 2019 on sn-devel-144

2 months agoMake sure results from GetAttrString are decref'ed where needed
Noel Power [Mon, 28 Jan 2019 16:57:17 +0000 (16:57 +0000)]
Make sure results from GetAttrString are decref'ed where needed

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett abartlet@samba.org
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Feb 13 14:51:12 CET 2019 on sn-devel-144

2 months agoFix instances of PyDict_SetItem to decref the value
Noel Power [Mon, 28 Jan 2019 15:23:59 +0000 (15:23 +0000)]
Fix instances of PyDict_SetItem to decref the value

Although it would be better to use the BuildValue approach to
create the dictionares here, unfortunately the dictionaries created
here have key/values that are created dynamically (based on input params).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett abartlet@samba.org
2 months agoFix mem leak with PyBytes_FromStringAndSize
Noel Power [Mon, 28 Jan 2019 15:23:48 +0000 (15:23 +0000)]
Fix mem leak with PyBytes_FromStringAndSize
Reviewed-by: Andrew Bartlett abartlet@samba.org
2 months agoselftest: Only set clockskew to 5 seconds for MIT Kerberos
Andrew Bartlett [Mon, 11 Feb 2019 20:34:54 +0000 (09:34 +1300)]
selftest: Only set clockskew to 5 seconds for MIT Kerberos

This was added in ac5427c6eba09134411f76a5e6f7e2643fa74eed as part of the MIT KDC
effort, but makes some tests much less reliable under high load.

As the Heimdal build does not need this, only specify for the MIT build.

Tested with an MIT AD DC build with:
 make test TESTS="samba3.raw.session samba3.smb2.session"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 13 05:49:43 CET 2019 on sn-devel-144

2 months agowafsamba/samba_utils.py: override symlink to allow force link
Joe Guo [Tue, 12 Feb 2019 06:16:06 +0000 (19:16 +1300)]
wafsamba/samba_utils.py: override symlink to allow force link

if bin is not empty and I have been sharing the samba tree into
a Vagrant environment and we run make, we get annoying linking error like this:

     File "~/samba/lib/tevent/wscript", line 130, in build
        installdir='python')
      File "./buildtools/wafsamba/wafsamba.py", line 745, in SAMBA_SCRIPT
        os.symlink(link_src, link_dst)
    FileExistsError: [Errno 17] File exists: '~/samba/lib/tevent/tevent.py' -> '~/samba/bin/default/../python/tevent.py'
    Makefile:7: recipe for target 'all' failed

Override the symlink method to allow force linking.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Change backup/restore testenvs to use 1 prefork child
Tim Beale [Mon, 4 Feb 2019 23:23:43 +0000 (12:23 +1300)]
selftest: Change backup/restore testenvs to use 1 prefork child

Recently the gitlab CI jobs were hitting memory resource limits and
using swap, which then caused test failures. The process model used in
the testenvs seemed to be contributing to this problem.

We can reduce the memory overhead of the restore/backup testenvs by
using 1 prefork child process instead of the default of 4 (kudos to
Garming for the idea). The tests run against these testenvs are basic
sanity-checks, rather than heavy-duty stress tests, so the number of
prefork workers shouldn't matter.

This is a bit of a tradeoff between testing the defaults that will
actually be used in production vs using limited resources efficiently on
shared CI runner machines.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Use default 'prefork children' smb.conf setting
Tim Beale [Mon, 4 Feb 2019 23:18:38 +0000 (12:18 +1300)]
selftest: Use default 'prefork children' smb.conf setting

The default setting should be 4, so there should be no need to specify
this in the testenv smb.conf.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoldb_dn: don't free a known NULL pointer
Douglas Bagnall [Fri, 8 Feb 2019 02:49:56 +0000 (15:49 +1300)]
ldb_dn: don't free a known NULL pointer

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoldb_dn: remove unreachable code in dn_explode
Douglas Bagnall [Thu, 7 Feb 2019 00:39:09 +0000 (13:39 +1300)]
ldb_dn: remove unreachable code in dn_explode

Every time I look at this file, I spend a few minutes wondering how
these bits of code are ever run. Never again.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoreplmd: move a if (ret) closer to ret source
Douglas Bagnall [Wed, 16 Jan 2019 04:35:48 +0000 (17:35 +1300)]
replmd: move a if (ret) closer to ret source

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agodsdb: check NULL guid strings in la_fix_links
Douglas Bagnall [Wed, 9 Jan 2019 23:55:19 +0000 (12:55 +1300)]
dsdb: check NULL guid strings in la_fix_links

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agodsdb: linked attrs: check a talloc_new()
Douglas Bagnall [Wed, 9 Jan 2019 04:55:38 +0000 (17:55 +1300)]
dsdb: linked attrs: check a talloc_new()

Also we can defer it past a thing that doesn't need or check for it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agodsdb: make get_parsed_dns_trusted() a common helper function
Douglas Bagnall [Wed, 9 Jan 2019 02:12:43 +0000 (15:12 +1300)]
dsdb: make get_parsed_dns_trusted() a common helper function

We are already using it in two places, and are about to add a third.

The version in repl_meta_data.c did more work in the case that the
parsed_dns can't really be trusted to conform to the expected format;
this is now a wrapper called get_parsed_dns_trusted_fallback().

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agospelling of associated
Douglas Bagnall [Tue, 15 Jan 2019 22:24:34 +0000 (11:24 +1300)]
spelling of associated

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos3:utils: Add missing NULL check in rpc_fetch_domain_aliases()
Andreas Schneider [Mon, 4 Feb 2019 16:23:05 +0000 (17:23 +0100)]
s3:utils: Add missing NULL check in rpc_fetch_domain_aliases()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 13 00:52:25 CET 2019 on sn-devel-144

2 months agos3:locking: Add missing NULL check
Andreas Schneider [Mon, 4 Feb 2019 16:19:55 +0000 (17:19 +0100)]
s3:locking: Add missing NULL check

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 months agoCI: split out "samba-ad-dc-ntvfs[-py2]" test targets
Ralph Boehme [Wed, 23 Jan 2019 08:43:33 +0000 (09:43 +0100)]
CI: split out "samba-ad-dc-ntvfs[-py2]" test targets

Many AD tests currently use the "samba" target. Split out a new target
"samba-ad-dc-ntvfs" and have all tests that use the "ad_dc_ntvfs" env
use the new target. This should greatly speed up the runtime for the "samba"
target and avoid swapping.

This reduces the total CI time by ~ 55%, I got an autobuild and a gitlab
pipeline finished in just ~ 100 mins!

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 11 14:10:12 CET 2019 on sn-devel-144

2 months agodsdb/tests/vlv: use only one toplevel dn that is correctly cleaned up
Stefan Metzmacher [Fri, 8 Feb 2019 09:57:13 +0000 (10:57 +0100)]
dsdb/tests/vlv: use only one toplevel dn that is correctly cleaned up

Before "OU=vlvtestou2,%s" % (self.base_dn) was left behind after the
test.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoblackbox/dbcheck.sh: fix dbcheck_fix_one_way_links cleanup
Stefan Metzmacher [Thu, 7 Feb 2019 23:19:56 +0000 (00:19 +0100)]
blackbox/dbcheck.sh: fix dbcheck_fix_one_way_links cleanup

Commit 35bfc62a31c9ad73449594ddd48f76f50e0abade changed
dbcheck to not regard old one-way-links as errors.

At that time the relavant trigger changed from
fix_all_string_dn_component_mismatch to
fix_all_old_dn_string_component_mismatch.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: improve debugging in dns_hub.py
Stefan Metzmacher [Wed, 23 Jan 2019 08:34:40 +0000 (09:34 +0100)]
selftest: improve debugging in dns_hub.py

We only print debug messages when the response is delayed by more than 2
seconds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Make dns_hub socket timeout match DNS_REQUEST_TIMEOUT
Tim Beale [Sun, 3 Feb 2019 20:28:07 +0000 (09:28 +1300)]
selftest: Make dns_hub socket timeout match DNS_REQUEST_TIMEOUT

I was hitting the recv_packet = s.recv(2048, 0) exception because
the socket timeout was reached. We've seen it before, but it seemed more
common after changing the default process-model to prefork. This patch
makes the socket timeout used by the python code consistent with the C
code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agodocs-xml/smbdotconf: document export of SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME...
Stefan Metzmacher [Mon, 4 Feb 2019 14:40:16 +0000 (15:40 +0100)]
docs-xml/smbdotconf: document export of SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password script

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 11 11:03:58 CET 2019 on sn-devel-144

2 months agos3:srv_samr_chgpasswd: export SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check...
Stefan Metzmacher [Sat, 2 Feb 2019 12:19:31 +0000 (13:19 +0100)]
s3:srv_samr_chgpasswd: export SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password script

This is keep compatibility with the AD DC usage.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: require SAMBA_CPS_ACCOUNT_NAME in checkpassword_arg1.sh
Stefan Metzmacher [Tue, 5 Feb 2019 15:15:15 +0000 (16:15 +0100)]
selftest: require SAMBA_CPS_ACCOUNT_NAME in checkpassword_arg1.sh

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos4:dsdb:util: export SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password...
Stefan Metzmacher [Tue, 22 Jan 2019 10:33:23 +0000 (11:33 +0100)]
s4:dsdb:util: export SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password script

This allows the check password script to reject the username and other
things.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agotests/user_check_password_script: add a test do disallow the username as password
Stefan Metzmacher [Tue, 22 Jan 2019 09:31:52 +0000 (10:31 +0100)]
tests/user_check_password_script: add a test do disallow the username as password

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: make check password script more portable
Stefan Metzmacher [Tue, 5 Feb 2019 14:30:36 +0000 (15:30 +0100)]
selftest: make check password script more portable

We should not rely on Linux specific sed options.

grep -q also works on FreeBSD (tested on FreeBSD 12).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos3:modules: Fix compilation of nfs41acl_xdr.c when building outside src
Aliaksei Karaliou [Mon, 28 Jan 2019 08:17:07 +0000 (03:17 -0500)]
s3:modules: Fix compilation of nfs41acl_xdr.c when building outside src

If the Samba build directory is outside its source directory, generation
of nfs41acl_xdr.c by rpcgen leads to improper include paths to nfs41acl.h.

This happens because rpcgen is designed to produce its generated file in the
same directory as the input template. If the build directory is not located
under the source directory, this relative path will be invalid and the header
will not be found.

Example:
 src dir is ~/samba-src
 bld dir is ~/samba-bld

rpcgen will use path ../../samba-src/source3/modules/nfs41acl.x
running from ~/samba-bld/default and nfs41acl_xdr.c will contain:
 #include "../../samba-src/source3/modules/nfs41acl.h"

This behaviour is fixed through an intermediate copy of the input file to
the build directory so that rpcgen receives the path as if located in src.

Also now we avoid generation of nfs41acl_xdr.c when HAVE_RPC_XDR_H is
not defined because it will not be used as part of the vfs_nfs4acl_xattr
module.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos3:util: Move static file_pload() function to lib/util
Aliaksei Karaliou [Thu, 27 Dec 2018 09:25:47 +0000 (04:25 -0500)]
s3:util: Move static file_pload() function to lib/util

file_pload() is static private function in Samba3 library, however it
does not have any special dependencies and might be widely used as
common function, so moving it into common samba-util library.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos3:util: Move popen wrappers to lib/util
Aliaksei Karaliou [Thu, 27 Dec 2018 09:18:28 +0000 (04:18 -0500)]
s3:util: Move popen wrappers to lib/util

When linked into Samba3 libraries, sys_popen()/sys_pclose()
cannot be used in lower level libraries because of circular
dependencies.

This patch moves them into common samba-util library.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agobuild: Don't generate kerberos_implementation.py if building without python
Aliaksei Karaliou [Wed, 23 Jan 2019 09:55:58 +0000 (04:55 -0500)]
build: Don't generate kerberos_implementation.py if building without python

It is unnecessary to generate kerberos_implementation.py when python is
disabled.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agobuild: Fixed usage of non-default path to WAFLOCK
Aliaksei Karaliou [Thu, 27 Dec 2018 09:51:41 +0000 (04:51 -0500)]
build: Fixed usage of non-default path to WAFLOCK

If WAFLOCK environment variable is set, use it to override path
to WAF lock file in Samba build scripts.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agodnsserver: Return access denied to the caller if the user was not a DNS admin
Garming Sam [Fri, 1 Feb 2019 01:11:18 +0000 (14:11 +1300)]
dnsserver: Return access denied to the caller if the user was not a DNS admin

This is not a proper fix to match Windows, but at the very least, it
should be more obvious to users (using samba-tool for instance), that
the user needs to be given more access or that they should use the
administrator.

Windows seems to deny access altogether by returning a fault after they
have bound to the pipe and actually sent an operation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13771

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agobuildtools/wafsamba: Avoid decode when using python2
Noel Power [Wed, 6 Feb 2019 15:27:41 +0000 (15:27 +0000)]
buildtools/wafsamba: Avoid decode when using python2

To avoid problematic type checking for 'str' types which fail
when result from str.decode is used.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13777

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agolibsmb,s3/smbd: dump SMB3+ session keys if debug parm is set
Aurelien Aptel [Fri, 8 Feb 2019 11:13:25 +0000 (12:13 +0100)]
libsmb,s3/smbd: dump SMB3+ session keys if debug parm is set

Use of previously added smb.conf global param.

Sample usage:

$ smbclient //localhost/scratch --option='debugencryption=yes' \
                                 -e -mSMB3 -U aaptel%aaptel -c quit
debug encryption: dumping generated session keys
Session Id    [0000] 26 48 BF FD 00 00 00 00                             &H......
Session Key   [0000] 63 D6 CA BC 08 C8 4A D2   45 F6 AE 35 AB 4A B3 3B   c.....J. E..5.J.;
Signing Key   [0000] 4E FE 35 92 AC 13 14 FC   C9 17 62 B1 82 20 A4 12   N.5..... ..b.. ..
App Key       [0000] A5 0F F4 8B 2F FB 0D FF   F2 BF EE 39 E6 6D F5 0A   ..../... ...9.m..
ServerIn Key  [0000] 2A 02 7E E1 D3 58 D8 12   4C 63 76 AE 59 17 5A E4   *.~..X.. Lcv.Y.Z.
ServerOut Key [0000] 59 F2 5B 7F 66 8F 31 A0   A5 E4 A8 D8 2F BA 00 38   Y.[.f.1. ..../..8

We can now simply pass -ouat:smb2_seskey_list:<sesid>,<seskey> to
wireshark or tshark:

$ tshark -ouat:smb2_seskey_list:2648BFFD00000000,63D6CABC08C84AD245F6AE35AB4AB33B \
          -Y smb2 -r capture.pcap -Tfields -e _ws.col.Info
Negotiate Protocol Response
Negotiate Protocol Request
Negotiate Protocol Response
Session Setup Request, NTLMSSP_NEGOTIATE
Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
Session Setup Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
Session Setup Response
Tree Connect Request Tree: \\localhost\IPC$
Tree Connect Response
Decrypted SMB3;Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \localhost\scratch
Decrypted SMB3;Ioctl Response, Error: STATUS_NOT_FOUND
Decrypted SMB3;Tree Disconnect Request
Decrypted SMB3;Tree Disconnect Response
Decrypted SMB3;Tree Connect Request Tree: \\localhost\scratch
Decrypted SMB3;Tree Connect Response
Decrypted SMB3;Tree Disconnect Request
Decrypted SMB3;Tree Disconnect Response

For more info on Wireshark decryption support see
https://wiki.samba.org/index.php/Wireshark_Decryption

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Sat Feb  9 21:43:25 CET 2019 on sn-devel-144

2 months agodocs-xml: add "debug encryption" global parm
Aurelien Aptel [Fri, 8 Feb 2019 11:04:42 +0000 (12:04 +0100)]
docs-xml: add "debug encryption" global parm

Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2 months agolibcli: add getters for smb2 {signing,encryption,decryption} keys
Aurelien Aptel [Wed, 6 Feb 2019 18:23:35 +0000 (19:23 +0100)]
libcli: add getters for smb2 {signing,encryption,decryption} keys

Adds:
- smb2cli_session_signing_key()
- smb2cli_session_encryption_key()
- smb2cli_session_decryption_key()

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2 months agos3:vfs: Correctly check if OFD locks should be enabled or not
Andreas Schneider [Wed, 30 Jan 2019 17:45:34 +0000 (18:45 +0100)]
s3:vfs: Correctly check if OFD locks should be enabled or not

Also the smb.conf options should only be checked once and a reload of
the config should not switch to a different locking mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb  9 03:43:50 CET 2019 on sn-devel-144

2 months agos3:vfs: Initialize pid to 0 in test_netatalk_lock()
Andreas Schneider [Wed, 30 Jan 2019 17:09:52 +0000 (18:09 +0100)]
s3:vfs: Initialize pid to 0 in test_netatalk_lock()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 months agos4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit...
Jeremy Allison [Thu, 7 Feb 2019 02:01:52 +0000 (18:01 -0800)]
s4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit working server code.

Originally added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
to demonstrate a lock order violation, this test
exposed problems in the mapping of SMB1/2 share modes
and open modes to NetATalk modes once we moved to OFD locks.

Change the test slightly (and add comments)
so it demonstrates working NetATalk share modes
on an open file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb  8 23:26:46 CET 2019 on sn-devel-144

2 months agos3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
Jeremy Allison [Thu, 7 Feb 2019 01:49:16 +0000 (17:49 -0800)]
s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.

This exhibited itself as a problem with OFD locks reported
as:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770

However, due to underlying bugs in the vfs_fruit
code the file locks were not being properly applied.

There are two problems in fruit_check_access().

Problem #1:

Inside fruit_check_access() we have:

flags = fcntl(fsp->fh->fd, F_GETFL);
..
if (flags & (O_RDONLY|O_RDWR)) {

We shouldn't be calling fcntl(fsp->fh->fd, ..) directly.
fsp->fh->fd may be a made up number from an underlying
VFS module that has no meaning to a system call.

Secondly, in all POSIX systems - O_RDONLY is defined as
*zero*. O_RDWR = 2.

Which means flags & (O_RDONLY|O_RDWR) becomes (flags & 2),
not what we actually thought.

Problem #2:

deny_mode is *not* a bitmask, it's a set of discrete values.

Inside fruit_check_access() we have:

if (deny_mode & DENY_READ) and also (deny_mode & DENY_WRITE)

However, deny modes are defined as:

/* deny modes */
define DENY_DOS 0
define DENY_ALL 1
define DENY_WRITE 2
define DENY_READ 3
define DENY_NONE 4
define DENY_FCB 7

so if deny_mode = DENY_WRITE, or if deny_mode = DENY_READ
then it's going to trigger both the if (deny_mode & DENY_READ)
*and* the (deny_mode & DENY_WRITE) conditions.

These problems allowed the original test test_netatalk_lock code to
pass (which was added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
to demonstrate the lock order violation).

This patch refactors the fruit_check_access()
code to be much simpler (IMHO) to understand.

Firstly, pass in the SMB1/2 share mode, not old
DOS deny modes.

Secondly, read all the possible NetAtalk locks
into local variables:

netatalk_already_open_for_reading
netatalk_already_open_with_deny_read
netatalk_already_open_for_writing
netatalk_already_open_with_deny_write

Then do the share mode/access mode checks
with the requested values against any stored
netatalk modes/access modes.

Finally add in NetATalk compatible locks
that represent our share modes/access modes
into the file, with an early return if we don't
have FILE_READ_DATA (in which case we can't
write locks anyway).

The patch is easier to understand by looking
at the completed patched fruit_check_access()
function, rather than trying to look at the
diff.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2 months agos4/registry/py: use unsigned ParseTuple format for unsigned value
Douglas Bagnall [Thu, 7 Feb 2019 04:36:02 +0000 (17:36 +1300)]
s4/registry/py: use unsigned ParseTuple format for unsigned value

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb  8 17:09:51 CET 2019 on sn-devel-144

2 months agos4/messaging/py: use better format strings for variable types
Douglas Bagnall [Thu, 7 Feb 2019 04:34:52 +0000 (17:34 +1300)]
s4/messaging/py: use better format strings for variable types

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2 months agos4/librpc/py_misc: ParseTuple format should match actual types
Douglas Bagnall [Thu, 7 Feb 2019 04:11:41 +0000 (17:11 +1300)]
s4/librpc/py_misc: ParseTuple format should match actual types

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2 months agos3/libsmb/py: match input argument types with C types
Douglas Bagnall [Thu, 7 Feb 2019 04:04:43 +0000 (17:04 +1300)]
s3/libsmb/py: match input argument types with C types

If PyArg_ParseTupleAndKeywords() is given, say, an "H" format (meaning
unsigned short int) but the referenced variable is a plain unsigned
int, the top 16 bits of the variable will be left undefined. In that
case we should use an "I" format (and/or initialize the variable).

In many cases the change is fairly innocuous, such as when "i" and "I"
are mixed (for signed and unsigned ints respectively), but the
resulting write is the same size and probably gives the same result in
practice.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2 months agopy_tevent: add_timer takes float argument
Douglas Bagnall [Thu, 7 Feb 2019 04:00:28 +0000 (17:00 +1300)]
py_tevent: add_timer takes float argument

We were already using it that way.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2 months agowinbindd: Enhance xids2sids debugging
Volker Lendecke [Wed, 6 Feb 2019 16:06:28 +0000 (17:06 +0100)]
winbindd: Enhance xids2sids debugging

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Feb  8 13:30:32 CET 2019 on sn-devel-144

2 months agosmbd: Avoid sending S-1-22- to winbind
Volker Lendecke [Wed, 6 Feb 2019 16:02:53 +0000 (17:02 +0100)]
smbd: Avoid sending S-1-22- to winbind

Sending S-1-22-x to a typeless sids2xids call will make winbind prime
the reverse xids2sids cache, which is very likely the wrong mapping. Add
a check that avoids bothering the winbind pipe when it's clear this
can't work anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agowinbind: Enhance xids2sids debugging
Volker Lendecke [Wed, 6 Feb 2019 12:10:08 +0000 (13:10 +0100)]
winbind: Enhance xids2sids debugging

Print what was requested and returned

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agotorture4: Solaris cc can't deal with empty initializers
Volker Lendecke [Thu, 24 Jan 2019 09:39:38 +0000 (10:39 +0100)]
torture4: Solaris cc can't deal with empty initializers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agobuild:docs: Get rid of hardcoded 'bin/default'
Aliaksei Karaliou [Tue, 29 Jan 2019 13:45:26 +0000 (08:45 -0500)]
build:docs: Get rid of hardcoded 'bin/default'

Build scripts for documentation still contain hardcoded path to build
destination rather than use proper final build path variables.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agobuild: Get rid of hardcoded 'bin/default' in includes
Aliaksei Karaliou [Mon, 28 Jan 2019 10:51:49 +0000 (05:51 -0500)]
build: Get rid of hardcoded 'bin/default' in includes

Removed occurrences of bin/default used in #include directive for
auto-generated headers residing in build directory.
Build system is capable of resolving path to such headers by itself
without extra hardcoded path to build directory.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agos4/scripting/bin: open unicode files with utf8 encoding and write unicode string
Joe Guo [Wed, 30 Jan 2019 02:52:08 +0000 (15:52 +1300)]
s4/scripting/bin: open unicode files with utf8 encoding and write unicode string

In files like `libcli/util/werror_err_table.txt` and `libcli/util/ntstatus_err_table.txt`,
there were unicode quote symbols at line 6:

    ...(“this documentation”)...

In `libcli/util/wscript_build`, it will run `gen_werror.py` and `gen_ntstatus.py`
to `open` above files, read content from them and write to other files.

When encoding not specified, `open` in both python 2/3 will guess encoding from locale.

When locale is not set, it defaults to POSIX or C, and then python will use
encoding `ANSI_X3.4-1968`.

So, on a system locale is not set, `make` will fail with encoding error
for both python 2 and 3:

    File "/home/ubuntu/samba/source4/scripting/bin/gen_werror.py", line 139, in main
        errors = parseErrorDescriptions(input_file, True, transformErrorName)
      File "/home/ubuntu/samba/source4/scripting/bin/gen_error_common.py", line 52, in parseErrorDescriptions
        for line in file_contents:
      File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 318: ordinal not in range(128)

In this case, we have to use `io.open` with `encoding='utf8'`.
However, then we got unicode strs and try to write them with other strs
into new file, which means the new file must also open with utf-8 and
all other strs have to be unicode, too.

Instead of prefix `u` to all strs, a more easier/elegant way is to enable
unicode literals for the python scripts, which we normally didn't do in samba.

Since both `gen_werror.py` and `gen_ntstatus.py` are bin scripts and no
other modules import them, it should be ok for this case.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Feb  8 06:34:47 CET 2019 on sn-devel-144

2 months agolib/util: inline lib/util/util_runcmd.h again
Stefan Metzmacher [Sat, 2 Feb 2019 12:09:37 +0000 (13:09 +0100)]
lib/util: inline lib/util/util_runcmd.h again

samba_runcmd_state should not be exposed!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Feb  8 02:54:20 CET 2019 on sn-devel-144

2 months agos4:dsdb:util: make use of samba_runcmd_export_stdin()
Stefan Metzmacher [Sat, 2 Feb 2019 12:00:13 +0000 (13:00 +0100)]
s4:dsdb:util: make use of samba_runcmd_export_stdin()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2 months agolib/util: add samba_runcmd_export_stdin() helper function
Stefan Metzmacher [Sat, 2 Feb 2019 11:58:57 +0000 (12:58 +0100)]
lib/util: add samba_runcmd_export_stdin() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2 months agodocs-xml: "cluster addresses" dns registration
David Disseldorp [Tue, 29 Jan 2019 11:49:28 +0000 (12:49 +0100)]
docs-xml: "cluster addresses" dns registration

Bug 7871 added functionality to register smb.conf "cluster addresses"
when net ads dns register is called with clustering=yes, but the man
page was not updated. Add documentation for this behaviour.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb  7 21:33:15 CET 2019 on sn-devel-144

2 months agodocs-xml: Update documentation for 'restrict anonymous' option
Andreas Schneider [Tue, 5 Feb 2019 15:08:46 +0000 (16:08 +0100)]
docs-xml: Update documentation for 'restrict anonymous' option

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2 months agos3/lib/popt_common: use stack buffer in set_logfile()
David Disseldorp [Wed, 6 Feb 2019 11:01:12 +0000 (12:01 +0100)]
s3/lib/popt_common: use stack buffer in set_logfile()

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agos3/lib/popt_common: don't assume stackframe presence
David Disseldorp [Tue, 5 Feb 2019 23:58:17 +0000 (00:58 +0100)]
s3/lib/popt_common: don't assume stackframe presence

popt_common_callback() should be leak-safe if a talloc stackframe isn't
available, as it's invoked early on.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agolib/debug: retain full string in state.prog_name global
David Disseldorp [Wed, 6 Feb 2019 11:39:03 +0000 (12:39 +0100)]
lib/debug: retain full string in state.prog_name global

setup_logging() retains a global pointer to the provided const string in
state.prog_name, which is later used in the debug_backend->reload()
callback.
Some setup_logging() callers, such as popt_common_callback(),
incorrectly assume that a dynamic buffer is safe to provide as a
prog_name parameter. Fix this by copying the entire string in
setup_logging().

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 months agoClean up reference used with PyDict_Setxxx
Noel Power [Thu, 31 Jan 2019 17:01:26 +0000 (17:01 +0000)]
Clean up reference used with PyDict_Setxxx

PyDictSetxxx methods don't steal reference so if the items added
to the dictionary were created just for the purpose of inserting
into the dict then we need to decref them.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Feb  7 17:17:46 CET 2019 on sn-devel-144

2 months agoCleanup (decref) some objects added to list.
Noel Power [Wed, 23 Jan 2019 18:43:43 +0000 (18:43 +0000)]
Cleanup (decref) some objects added to list.

PyList_Append doesn't steal references, so if the item created is
a temp object, created just to be added to the list we need to
 decref the item appended in order for it to be released.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agodecref results of PyStr_FromString
Noel Power [Wed, 23 Jan 2019 18:08:58 +0000 (18:08 +0000)]
decref results of PyStr_FromString

Where we create temporary objects (which are added to containers)
these objects already get there ref count incremented. In this case
we need to decref those objects to ensure they are released.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agopidl: Fix Generated ndr python code to DECREF imported modules
Noel Power [Wed, 23 Jan 2019 17:10:44 +0000 (17:10 +0000)]
pidl: Fix Generated ndr python code to DECREF imported modules

Generated code calls Py_ImportModule but in all error returns
and also successful exit the code fails to decrement reference to
loaded modules in MODULE_INIT_FUNC function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agoCleanup references to module objects returned from PyImport_ImportModule
Noel Power [Wed, 23 Jan 2019 15:15:07 +0000 (15:15 +0000)]
Cleanup references to module objects returned from PyImport_ImportModule

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agoExamine result of SetList (and prevent sending NULL to PyList_SetItem)
Noel Power [Fri, 25 Jan 2019 12:02:50 +0000 (12:02 +0000)]
Examine result of SetList (and prevent sending NULL to PyList_SetItem)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agoDecrement references to python objects passed to Py_BuildValue
Noel Power [Tue, 22 Jan 2019 18:26:23 +0000 (18:26 +0000)]
Decrement references to python objects passed to Py_BuildValue

Py_BuildValue when processing format 'O' will
  'Pass a Python object untouched (except for its reference count,
   which is incremented by one'

Basically this means if you are using a new reference to a PyObject
to pass to BuildValue (to be used with the 'O' format) the reference
*isn't* stolen so you really do need to DECREF it in order to ensure
it gets cleaned up.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 months agotldap: avoid more use after free errors
Ralph Boehme [Tue, 5 Feb 2019 13:08:56 +0000 (14:08 +0100)]
tldap: avoid more use after free errors

See the previous commit for an explanation. :)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Feb  6 10:19:12 CET 2019 on sn-devel-144

2 months agotldap: avoid a use after free crash
Ralph Boehme [Tue, 5 Feb 2019 12:56:53 +0000 (13:56 +0100)]
tldap: avoid a use after free crash

I saw the following crash in tldap in the winbindd idmap child on a
member server after messing with the LDAP server on the DC:

0  0x00007f77ea9a307a in __GI___waitpid (pid=9815, stat_loc=stat_loc@entry=0x7ffe77569eb0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
1  0x00007f77ea91bfbb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
2  0x00007f77edd8c24b in smb_panic_s3 (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../source3/lib/util.c:828
3  0x00007f77f15afe85 in smb_panic (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/util/fault.c:170
4  0x00007f77f08e2678 in talloc_abort (reason=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:472
5  0x00007f77f08e268b in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:477
6  0x00007f77f08e2710 in talloc_chunk_from_ptr (ptr=0x55da7605a020) at ../lib/talloc/talloc.c:494
7  0x00007f77f08e4a19 in _talloc_free (ptr=0x55da7605a020, location=0x7f77e181474d "../source3/lib/tldap.c:1918") at ../lib/talloc/talloc.c:1716
8  0x00007f77e180b65c in tldap_search_all_done (subreq=0x55da7605a020) at ../source3/lib/tldap.c:1918
9  0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7605a020, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
10 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7605a020, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
11 0x00007f77f0af1113 in _tevent_req_error (req=0x55da7605a020, error=9780923860630110289, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:180
12 0x00007f77e180781a in tevent_req_ldap_error (req=0x55da7605a020, rc=...) at ../source3/lib/tldap.c:47
13 0x00007f77e180b2c4 in tldap_search_done (subreq=0x55da76058280) at ../source3/lib/tldap.c:1813
14 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da76058280, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
15 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da76058280, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
16 0x00007f77f0af11cd in tevent_req_trigger (ev=0x55da760526c0, im=0x55da76058360, private_data=0x55da76058280) at ../lib/tevent/tevent_req.c:219
17 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da760526c0) at ../lib/tevent/tevent_immediate.c:135
18 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_epoll.c:911
19 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_standard.c:114
20 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent.c:725
21 0x00007f77f0af1361 in tevent_req_poll (req=0x55da7605eed0, ev=0x55da760526c0) at ../lib/tevent/tevent_req.c:269
22 0x00007f77e180fec9 in tldap_gensec_bind (ctx=0x55da76051ec0, creds=0x55da76052250, target_service=0x7f77e18164b3 "ldap", target_hostname=0x55da7605d182 "dc1.sdom1.site", target_principal=0x0, lp_ctx=0x55da76052180, gensec_features=6) at ../source3/lib/tldap_gensec_bind.c:358
23 0x00007f77e1810d21 in idmap_ad_get_tldap_ctx (mem_ctx=0x55da76050510, domname=0x55da76051d50 "sdom1", pld=0x55da76050518) at ../source3/winbindd/idmap_ad.c:326
24 0x00007f77e1811056 in idmap_ad_context_create (mem_ctx=0x55da76059c00, dom=0x55da76059c00, domname=0x55da76051d50 "sdom1", pctx=0x7ffe7756a5f8) at ../source3/winbindd/idmap_ad.c:374
25 0x00007f77e18119c0 in idmap_ad_get_context (dom=0x55da76059c00, pctx=0x7ffe7756a640) at ../source3/winbindd/idmap_ad.c:554
26 0x00007f77e181275b in idmap_ad_sids_to_unixids (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:784
27 0x00007f77e1813217 in idmap_ad_sids_to_unixids_retry (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:947
28 0x000055da7459ce05 in _wbint_Sids2UnixIDs (p=0x7ffe7756a870, r=0x55da76050860) at ../source3/winbindd/winbindd_dual_srv.c:202
29 0x000055da7460aa5e in api_wbint_Sids2UnixIDs (p=0x7ffe7756a870) at default/librpc/gen_ndr/srv_winbind.c:391
30 0x000055da7459c7f4 in winbindd_dual_ndrcmd (domain=0x0, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual_ndr.c:369
31 0x000055da7459828c in child_process_request (child=0x55da74874bc0 <static_idmap_child>, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual.c:666
32 0x000055da7459ae58 in child_handler (ev=0x55da7602c2b0, fde=0x55da7603f8a0, flags=1, private_data=0x7ffe7756abb0) at ../source3/winbindd/winbindd_dual.c:1567
33 0x00007f77f0af85f1 in epoll_event_loop (epoll_ev=0x55da76048b00, tvalp=0x7ffe7756aab0) at ../lib/tevent/tevent_epoll.c:728
34 0x00007f77f0af8c29 in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_epoll.c:930
35 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_standard.c:114
36 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent.c:725
37 0x000055da7459b9e9 in fork_domain_child (child=0x55da74874bc0 <static_idmap_child>) at ../source3/winbindd/winbindd_dual.c:1766
38 0x000055da74596e96 in wb_child_request_waited (subreq=0x0) at ../source3/winbindd/winbindd_dual.c:188
39 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:125
40 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7604f820, state=TEVENT_REQ_DONE, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:162
41 0x00007f77f0af10cd in _tevent_req_done (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:168
42 0x00007f77f0af0cc1 in tevent_queue_wait_trigger (req=0x55da7604f820, private_data=0x0) at ../lib/tevent/tevent_queue.c:355
43 0x00007f77f0af06f2 in tevent_queue_immediate_trigger (ev=0x55da7602c2b0, im=0x55da760466a0, private_data=0x55da76046580) at ../lib/tevent/tevent_queue.c:149
44 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da7602c2b0) at ../lib/tevent/tevent_immediate.c:135
45 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_epoll.c:911
46 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_standard.c:114
47 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent.c:725
48 0x000055da74561431 in main (argc=2, argv=0x7ffe7756c968) at ../source3/winbindd/winbindd.c:1803

subreq is a child of the state of req which will already be free by the
callback of req.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2 months agoautobuild: Split backup/restore testenvs out into separate job
Tim Beale [Tue, 5 Feb 2019 02:17:03 +0000 (15:17 +1300)]
autobuild: Split backup/restore testenvs out into separate job

The samba-ad-dc-2 job was reaching its limits with the number of
testenvs and what the resource-limited CI machines can handle.
Samba processes were getting swapped out of memory, causing CI runs
to fail.

This patch splits the backup/restore testenv targets into a separate
autobuild job: samba-ad-dc-backup.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb  5 12:23:31 CET 2019 on sn-devel-144

2 months agodocs: Document DCEPRC binding string for rpcclient
Andreas Schneider [Fri, 1 Feb 2019 17:51:53 +0000 (18:51 +0100)]
docs: Document DCEPRC binding string for rpcclient

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb  4 02:03:56 CET 2019 on sn-devel-144

2 months agovfs_glusterfs: Adapt to changes in libgfapi signatures
Anoop C S [Tue, 20 Mar 2018 06:02:20 +0000 (11:32 +0530)]
vfs_glusterfs: Adapt to changes in libgfapi signatures

VFS module for GlusterFS fails to compile due to recent changes done to
some API signatures. Therefore adding missing arguments to those APIs
adapting to new signatures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13330

Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Feb  3 17:00:33 CET 2019 on sn-devel-144

2 months agolibcli: Solaris cc can't return void values
Volker Lendecke [Thu, 24 Jan 2019 09:38:41 +0000 (10:38 +0100)]
libcli: Solaris cc can't return void values

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 months agolibrpc: Solaris cc does not like unnamed struct members
Volker Lendecke [Thu, 24 Jan 2019 09:37:21 +0000 (10:37 +0100)]
librpc: Solaris cc does not like unnamed struct members

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 months agosysquota_linux: fix querying of group quotas
Björn Jacke [Wed, 30 Jan 2019 16:00:36 +0000 (17:00 +0100)]
sysquota_linux: fix querying of group quotas

for gids we need to get/set the effective gids, same like for the uids already

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13768

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Sun Feb  3 09:54:56 CET 2019 on sn-devel-144

2 months agoabi_gen.sh: ignore gdb customisations when comparing signatures
Douglas Bagnall [Wed, 30 Jan 2019 04:58:11 +0000 (17:58 +1300)]
abi_gen.sh: ignore gdb customisations when comparing signatures

If a .gdbinit file says "set print pretty on", the signatures are printed over
several lines, and the abi_check fails. So let's ignore .gdbinit files.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Feb  2 20:19:05 CET 2019 on sn-devel-144

2 months agoprinting: check lp_load_printers() prior to pcap cache update
David Disseldorp [Tue, 29 Jan 2019 00:55:04 +0000 (01:55 +0100)]
printing: check lp_load_printers() prior to pcap cache update

Avoid explicit and housekeeping timer triggered printcap cache updates
if lp_load_printers() is disabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766

Signed-off-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb  1 19:25:03 CET 2019 on sn-devel-144

2 months agoprinting: drop pcap_cache_loaded() guard around load_printers()
David Disseldorp [Tue, 29 Jan 2019 00:50:15 +0000 (01:50 +0100)]
printing: drop pcap_cache_loaded() guard around load_printers()

Add the pcap_cache_loaded() check to load_printers() and return early
if it returns false. This simplifies callers in preparation for checking
lp_load_printers() in the printcap cache update code-path.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2 months agobuild: replace SAMBA3_ADD_OPTION with samba_add_onoff_option
David Disseldorp via samba-technical [Wed, 30 Jan 2019 16:13:47 +0000 (17:13 +0100)]
build: replace SAMBA3_ADD_OPTION with samba_add_onoff_option

The former is just an alias for the latter. samba_add_onoff_option()
better describes what the function actually does, so use that and
remove the alias.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2 months agoldb: Release ldb 1.6.0
Andrew Bartlett [Fri, 1 Feb 2019 02:09:26 +0000 (15:09 +1300)]
ldb: Release ldb 1.6.0

* pyldb: make ldb.connect() url mandatory
* New version number for master (Samba 4.11 eventually)

The 1.5.x series will be maintained in the v4-10-test branch

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb  1 07:02:56 CET 2019 on sn-devel-144

2 months agopyldb: make ldb.connect() url mandatory
Douglas Bagnall [Wed, 18 Apr 2018 02:37:12 +0000 (14:37 +1200)]
pyldb: make ldb.connect() url mandatory

The call fails without it, so we might as well fail sooner

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agopy_net: fix != None check
Douglas Bagnall [Fri, 20 Apr 2018 12:37:15 +0000 (00:37 +1200)]
py_net: fix != None check

Py_None is not false in C, so this branch was always taken.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos4/param/provision: check samdb argument in provision_bare()
Douglas Bagnall [Tue, 24 Apr 2018 00:40:32 +0000 (12:40 +1200)]
s4/param/provision: check samdb argument in provision_bare()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos4/pyauth: fix memory leak when context_new() has bad arguments
Douglas Bagnall [Tue, 24 Apr 2018 00:38:22 +0000 (12:38 +1200)]
s4/pyauth: fix memory leak when context_new() has bad arguments

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos4/pyauth: insist on proper ldb in context_new()
Douglas Bagnall [Wed, 2 May 2018 22:26:34 +0000 (10:26 +1200)]
s4/pyauth: insist on proper ldb in context_new()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agos4/pyauth: check ldb argument in py_user_session()
Douglas Bagnall [Tue, 24 Apr 2018 00:37:02 +0000 (12:37 +1200)]
s4/pyauth: check ldb argument in py_user_session()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agopygensec: insist on proper AuthContext in start_server
Douglas Bagnall [Wed, 2 May 2018 22:26:26 +0000 (10:26 +1200)]
pygensec: insist on proper AuthContext in start_server

Fixes another segfault.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agopynbt: catch type errors in PyObject_AsNBTName()
Douglas Bagnall [Tue, 24 Apr 2018 00:34:50 +0000 (12:34 +1200)]
pynbt: catch type errors in PyObject_AsNBTName()

This fixes some known segfaults.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoTests for segfaults in python bindings
Douglas Bagnall [Fri, 20 Apr 2018 04:28:29 +0000 (16:28 +1200)]
Tests for segfaults in python bindings

These tests run in a child process and are regarded as succeeding if they
don't die by signal.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agocracknames: Change search filter to use the smaller index
Garming Sam [Wed, 23 Jan 2019 03:16:16 +0000 (16:16 +1300)]
cracknames: Change search filter to use the smaller index

In large domains with many users, '(objectClass=User)' may as well not
be specified because it's iterating over the entire database.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agonetcmd: Improve error handling of gpo aclcheck as non-admin
Tim Beale [Tue, 29 Jan 2019 00:25:55 +0000 (13:25 +1300)]
netcmd: Improve error handling of gpo aclcheck as non-admin

Reading the nTSecurityDescriptor attribute over LDAP requires admin
creds. However, if you don't specify admin creds, then you get an error
like this:

bin/samba-tool gpo aclcheck
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
  File "bin/python/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/gpo.py", line 1536, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

This patch adds an explicit check/error message to make the problem
clearer.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Remove unnecessary tests.py options from proclimit tests
Tim Beale [Tue, 29 Jan 2019 21:07:26 +0000 (10:07 +1300)]
selftest: Remove unnecessary tests.py options from proclimit tests

It seems like these extra options were just copy-n-pasted from another
test. The process_limits test doesn't actually try to use these env
variables at all. All the test is doing is creating LDAP connections to
the DC. The SOCKET_WRAPPER_DEFAULT_IFACE may have perhaps been needed,
but we can avoid this by dropping ':local' from the testenv and running
the test as a "client" instead.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Add comment elaborating on what ENV_DEPS actually does
Tim Beale [Tue, 29 Jan 2019 21:04:28 +0000 (10:04 +1300)]
selftest: Add comment elaborating on what ENV_DEPS actually does

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Reorder ENV_DEPS so similar testenvs are together
Tim Beale [Tue, 29 Jan 2019 20:57:29 +0000 (09:57 +1300)]
selftest: Reorder ENV_DEPS so similar testenvs are together

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Fix running proclimit tests locally
Tim Beale [Tue, 29 Jan 2019 20:51:44 +0000 (09:51 +1300)]
selftest: Fix running proclimit tests locally

The dns_hub changes missed a dependency. Fortunately, during an
autobuild, the dns_hub is always up and running by the time the
proclimitdc tests are run. However, the tests were failing if run
locally just on their own.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoman pages: Add note about standard process model
Tim Beale [Thu, 31 Jan 2019 00:30:07 +0000 (13:30 +1300)]
man pages: Add note about standard process model

Calling this model the 'standard' model made a lot more sense when it
was the default. Add a small note explaining that it has this name for
historical reasons.

(The term 'standard' may have originally been chosen for some other
reason. However, it's hard to find the rationale behind the term from
back in 2005)

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Convert backup/restore testenvs to use default
Tim Beale [Wed, 30 Jan 2019 23:45:31 +0000 (12:45 +1300)]
selftest: Convert backup/restore testenvs to use default

These testenvs shouldn't be dependent on the process model at all, so we
should be able to convert them to the new default without any
repercussions.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 months agoselftest: Make process_model argument optional in check_or_start()
Tim Beale [Thu, 31 Jan 2019 00:12:43 +0000 (13:12 +1300)]
selftest: Make process_model argument optional in check_or_start()

It's more realistic to *not* always specify a process-model, and rely on
the samba code to use the correct default. This patch changes selftest
so we only use the -M process-model option if a particular process_model
was specified. Otherwise the testenv will use whatever the default is.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>