git.samba.org - vlendec/samba-autobuild/.git/log

ctdb-protocol: Add req_tunnel counts to ctdb statistics

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-daemon: Add implementation of tunnel controls

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-protocol: Add controls to register/deregister tunnels

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-protocol: Add REQ_TUNNEL packet type

This allows to tunnel new protocols using ctdb transport.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

wbinfo: return "NOT MAPPED" instead of "S-0-0" for unmapped id-to-sid

Currently wbinfo --unix-ids-to-sids prints "S-0-0" for failed
mappings. Let it print "NOT MAPPED" instead.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 10 02:57:40 CEST 2017 on sn-devel-144

vfs_fake_acls: deny give-ownership

Windows doesn't allow giving ownership away unless the user has
SEC_PRIV_RESTORE privilege.

This follows from MS-FSA 2.1.5.1, so it's a property of the filesystem
layer, not the SMB layer. By implementing this restriction here, we can
now have test for this restriction.

Other filesystems may want to deliberately allow this behaviour --
although I'm not aware of any that does -- therefor I'm putting in this
restriction in the implementation of the chmod VFS function and not into
the caller.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_acl_common: fix take ownership vs give ownership

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_acl_common: factor out a variable declaration

Just some refactoring, no change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd/posix_acls: return correct status in try_chown

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: tests for change ownership on a file

This test verifies that SEC_STD_WRITE_OWNER only effectively grants
take-ownership permissions but NOT give-ownership. The latter requires
SeRestorePrivilege privilege.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix samba3.blackbox.inherit_owner.default test script test_inherit_owner.sh

Grant the test-user SeRestorePrivilege, this is needed for
give-ownership operations. And then granting SeRestorePrivilege requires
`net`, so add that as an additional argument to the script.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix acl_xattr test script test_acl_xattr.sh

The two "nt_affects_chgrp" tests called the wrong function so the
function nt_affects_chgrp() was never run.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix acl_xattr test: sn-devel unreliable gid

The "nt_affects_chgrp" kept failing in a full autobuild on sn-devel
because the actual gid of the created file as returned by smbclient -c
getfacl was reliably the unix gid of my account. It should have been the
mapped domusers group for the primary users "Domain Users"
group. Running the test individually or even the full set of
"samba3.blackbox" tests didn't trigger the error.

Looks like an issue with vfs_fake_acls and vfs_xattr_tdb, but I wasn't
able to track it down. As the test only really want to ensure that
smbcacls -G set the gid to the requested value, just remove the check
for the actual initial gid.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix acl_xattr test: grep ouput before munging

The check of the smbclient getfacl output for presence of a "^# group:"
line must be done before munging the saved output with a sed filter.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix acl_xattr test: group, not user

In nt_affects_chgrp() check for domadmins *group*, not user. This didn't
trigger an error as nt_affects_chgrp() isn't actually called, see next
commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: fix acl_xattr test: changing owner

Don't give ownership to user "force_user" as user "$USERNAME", this
would fail with NT_STATUS_INVALID_OWNER, instead just take ownership as
user "force_user". Adding a corresponding ACE for "force_user" with FULL
rights ensures this works.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: smbd: Currently if getwd() fails after a chdir(), we panic.

Change this to return to the previous $cwd, and return -1 for the chdir().

If the return to the previous $cwd fails, still panic as we
can't return an unknown state.

Also do early return from failing SMB_VFS_CHDIR, reducing indentation level

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13027

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

smbcacls: no need to fetch the sd when changing ownership

Reading the SD may be denied but changing ownership could be allowed. As
we don't really need the server SD for the change ownership request,
don't fetch it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 7 00:04:54 CEST 2017 on sn-devel-144

s3: spoolss: Fix GUID string format on GetPrinter info

Fix regression introduced by commit a4157e7c5d75 which removed the braces
around the printer GUID in the printer info level 7 structure.

MS-RPRN section 2.2 says this protocol uses curly-braced GUIDs so printers
are deleted from the directory by the domain controller's pruning service.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12993

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 6 05:21:25 CEST 2017 on sn-devel-144

ctdb-common: Make parse_ip() and parse_ipv4() static

parse_ip() has interface checking for IPv6 that is still used
indirectly by the IP takeover code via parse_ip_mask(). This will be
removed eventually.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Oct 5 09:19:31 CEST 2017 on sn-devel-144

ctdb-common: Replace parse_ip() -> ctdb_sock_addr_from_string()

... and ctdb_sock_addr_set_port().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Replace parse_ip() -> ctdb_sock_addr_from_string()

... and ctdb_sock_addr_set_port() where required.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tools: Replace parse_ip() -> ctdb_sock_addr_from_string()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-common: Remove unused function parse_ip_port()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tools: Replace parse_ip_port() -> ctdb_sock_addr_from_string()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-common: Remove unused function ctdb_parse_connections()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tools: Use ctdb_connection_list_read()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-common: Do not queue a packet if queue does not have valid fd

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13056

The only time a ctdb_queue is created without valid fd is when CTDB
is trying to establish connections with other nodes in the cluster.
All the other uses always create a ctdb_queue with valid fd.

This avoids queueing up packets for dead nodes or nodes that are not
running in the cluster and stops consuming memory.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-tests: Send broadcast to connected nodes, not configured nodes

https://bugzilla.samba.org/show_bug.cgi?id=13056

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-daemon: Send broadcast to connected nodes, not configured nodes

https://bugzilla.samba.org/show_bug.cgi?id=13056

Database recovery takes care of attaching missing databases on all the nodes.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

s3: VFS: Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13068

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Oct 4 14:05:33 CEST 2017 on sn-devel-144

s3: VFS: Protect errno if sys_getwd() fails across free() call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13069

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: VFS: Ensure sys_getwd() doesn't leak memory on error on really old systems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13069

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

vfs_solarisacl: fix build for samba 4.7 and up

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13049

Signed-off-by: Jorge Schrauwen <sjorge@blackdot.be>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3/smbd: register Time Machine shares with Avahi

Adds support for automatically registering the required _adisk._tcp
mDNS record based on the setting of "fruit:time machine".

Signed-off-by: Omri Mor <omri50@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

docs/vfs_fruit: Add Time Machine support

Add the capability to advertise FULLSYNC volume capabilities
to clients that request them. This is mainly used for supporting
Mac OS Time Machine backups from clients. The capability does
not perform any additional action.

Signed-off-by: Kevin Anderson <andersonkw2@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: Add Time Machine support

Add a configuration option to disable/enable Time Machine support via
the FULLSYNC AAPL flag.

Signed-off-by: Kevin Anderson <andersonkw2@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

net: groupmap cleanup should not delete BUILTIN mappings

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13065

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Oct 2 15:17:00 CEST 2017 on sn-devel-144

lib/util/run_cmd: use a cleanup function instead of a destructor

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Sep 30 12:14:57 CEST 2017 on sn-devel-144

lib/util/run_cmd: remove a printf

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

lib/util/run_cmd: ensure fd_stdin gets set to -1 in the destructor

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

lib/util/run_cmd: prevent zombies in samba_runcmd_send on timeout

Ensure the state desctructor calls tfork_destroy to reap the waiter and
worker processes. Otherwise we leave the waiter process as a zombie
behind us as we never call waitpid on it in case of a timeout
or talloc_free() from the caller.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

lib: Fix a signed/unsigned hickup

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

lib: Remove talloc_dict

Looked like a good idea at its time, but its only user did not need
it anyway

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbind: Remove the use of "talloc_dict"

As members we only collect names, indexed by sids. This is served
well by just a simple dbwrap_rbt.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Changes in samba vxfs plugin.

Implemented two VFS operations(set/fset dos attribute) for vxfs plugin.

Trapping set/clear of read-only attribute.

Signed-off-by: Pooja Mahadik <pooja.mahadik@veritas.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 30 06:42:10 CEST 2017 on sn-devel-144

vfs_snapper man page: Fixed typo

This commit corrects a small typo in vfs_snapper manpage.

Signed-off-by: Yvan Masson <yvan@masson-informatique.fr>
Reviewed-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Autobuild-User(master): Marc Muehlfeld <mmuehlfeld@samba.org>
Autobuild-Date(master): Sat Sep 30 02:41:46 CEST 2017 on sn-devel-144

docs: Improve wording around 'winbind expand groups' param

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Fri Sep 29 22:37:08 CEST 2017 on sn-devel-144

s3:winbind: unmapped Unix users must be resolved locally

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Sep 29 18:33:21 CEST 2017 on sn-devel-144

s3:winbind: unmapped Unix groups in getgrgid must be resolved locally

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

notifyd: Broadcast to all connected nodes

CTDB_BROADCAST_VNNMAP includes only the nodes with lmaster roles.
CTDB_BROADCAST_CONNECTED includes all the running nodes.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Sep 29 08:38:10 CEST 2017 on sn-devel-144

source4 smbd: remove global control pipe from process_standard.

The standard model uses a pipe to signal the worker processes spawned on
accept that the controlling process has terminated and that they should
shut down.  This pipe is currently a static global variable in
process_standard.c.

This patch replaces that global pipe with a file descriptor passed into
the process model init functions, giving  a single mechanism across all process
models.  This paves the way for the addition of a pre-fork process model.

Ensuring that the correct file descriptors are closed, is difficult so
it is best do this only once rather than require the process models to
do this individually.

Notes on debugging pipe ownership:

Add code to log the process id and the file descriptor of the writeable
pipe.

run:
   lsof | grep FIFO | grep samba | grep <process id>
   this will produce lines like:

   samba 25624 him 4w FIFO 0,10 0t0 472206 pipe

   where: 4w is the file descriptor and mode and the number to the left
          of "pipe" is the pipe id.
then:
   lsof | grep FIFO | grep samba | grep <pipe id>

   This will display all the processes with the pipe open and the mode
   only the smbd master process should have it open in write mode.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Sep 28 02:08:34 CEST 2017 on sn-devel-144

lib/util: Fix build for lttng libraries that does not support tracef

On a system that has older lttng-ust development headers installed that
do not yet provide the tracef api, configure fails with:

Checking for library lttng-ust : yes
ERROR: Target 'lttng-ust' in directory /samba/lib/util re-defined as EMPTY - was SYSLIB

Fix the initialization order in waf, to not redefine the lttng-ust
target

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smb.conf: Update multi-channel warning text

Since Samba 4.4.x is going EOL soon, update the server multi channel
support warning text to reflect the fact that it's still experimental in
4.7, and it won't be getting fixed in a future 4.4.x version.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs/ntvfshandler: remove duplicate value

The "posix" value of option "ntvfs handler" was written two times. This commit
deletes the first occurrence so that the default value is the first seen by
reader.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13053

Signed-off-by: Yvan Masson <yvan@masson-informatique.fr>
Reviewed-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Sep 27 18:44:45 CEST 2017 on sn-devel-144

lib: Use CTDB_CONTROL_CHECK_PID_SRVID

Also check the unique ID for remote server ids, just like we do for
local server ids

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13042
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Sep 26 13:47:31 CEST 2017 on sn-devel-144

lib: Add "unique_id" to ctdbd_process_exists

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13042
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb: Centralize ctdb_version_string

Whenever the current git hash changes, we recompile ctdb.c and
ctdb_daemon.c. As both have quite a few warnings with -Wall, this
makes it quite difficult to see the real warnings that pop up during
development. Centralize the ctdb_version_string to just a single file
without warnings.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

replmd: RMD_VERSION incorrectly incremented for link conflicts

This problem was noticed when 2 DCs added the same linked attribute at
roughly the same time. One DC would have a later timestamp than the
other, so it would re-apply the same link information. However, when it
did this, replmd_update_la_val() would incorrectly increment the
RMD_VERSION for the attribute. We then end up with one DC having a
higher RMD_VERSION than the others (and it doesn't replicate the new
RMD_VERSION out).

During replication RMD_VERSION is used to determine whether a linked
attribute is old (and should be ignored), or whether the information is
new and should be applied to the DB. This RMD_VERSION discrepancy could
potentially cause a subsequent linked attribute update to be ignored.

Normally when a local DB operation is performed, we just pass in a
version of zero and get replmd_update_la_val() to increment what's
already in the DB. However, we *never* want this to happen during
replication - we should always use the version we receive from the peer
DC.

This patch fixes the problem by separating the API into two:
- replmd_update_la_val(): we're updating a linked attribute in the DB,
  and so as part of this operation we always want to increment the
  version number (the version no longer need to be passed in because
  we can work it out from the existing DB entry).
- replmd_set_la_val(): we want to set a linked attribute to use the
  exact values we're telling it, including the version. This is what
  replication needs to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13038
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 26 09:36:48 CEST 2017 on sn-devel-144

selftest: Add test for a re-animated object conflict

Added a test to simulate a user accidentally being deleted and 2
different admins trying to resolve the problem simultaneously - one by
re-animating the object and one by just creating a new object with
the same name.

Currently this test fails on Samba because it chooses the higher
version
number as the winner instead of the latest change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13039

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Windows resolves object conflicts differently to Samba

While testing link conflicts I noticed that Windows resolves conflicts
differently to Samba. Samba considers the version number first when
resolving the conflict, whereas Windows always takes the latest change.

The existing object conflict test cases didn't detect this problem
because they were both modifying the object the same number of times (so
they had the same version number).

I've added new tests that highlight the problem. They are basically the
same as the existing rename tests, except that only one DC does the
rename. Samba will always pick the renamed object as the winner, whereas
Windows picks the most recent change.

I've marked this test as a known fail for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13039

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: replica_sync did not fully cleanup if test failed

Normally the replica_sync tests do the cleanup at the end of the test
case, rather than in the tearDown(). However, if the tests don't run to
completion (because they fail), then the objects may not get cleaned up
properly, which causes the tests to fail on the 2nd test-env.

The problem is the object deletion only occurs on DC2 and it relies on
replication to propagate the deletion to DC1. Presumably this
propagation could be missed because the tests are repeatedly turning off
inbound replication on both DCs.

This patch changes the tearDown() so it tries to delete the objects off
both DCs, which appears to fix the problem.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

tfork: set waiter process title

Display a meaningful process title for the waiter process, now that smbd is
calling setproctitle_init() and this value will be displayed in ps
output.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 26 04:38:59 CEST 2017 on sn-devel-144

s4:smbd: set samba root process title

Set the process title in the samba root process to clearly identify it
in ps output.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:smbd: call setproctitle_init

Call setproctitle_init() in main which suppresses the
"samba: setproctitle not initialized, please either call
setproctitle_init() or link against libbsd-ctor."
messages, but more importantly it displays meaningful details in ps
output.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9816

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Use a unique hostname/IP for the no_nss testenv

The ad_dc_no_nss was re-using the ad_dc testenv but changing an
environment variable to disable the NSS wrapper module.

Presumably this would setup a second AD DC server with the same
hostname/IP as another DC (but with NSS disabled). This doesn't seem
like a good thing to be doing in the selftests. This patch changes
it so that the no_nss testenv uses a unique IP/hostname.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Rename ntlmauth tests to ntlmdisabled

There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Add new AD DC testenv with NTLM disabled

This is so that we test the source4 case as well. Currently the only
testenv with NTLM disabled is ktest, and that only exercises the source3
code.

I've tried to support the new test environment with minimal changes to the
Samba4.pm setup code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

rpcclient: Fix "capabilities" command

This used to not properly store the chained credentials back into the
netlogon_creds_cli tdb. This by the way is the bug that all the
routines for the NT4 style sam replication had that just disappeared.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep 25 13:42:19 CEST 2017 on sn-devel-144

netlogon_creds_cli: Pass "capabilities" up from creds_cli_check

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

winbindd: Use rpccli_connect_netlogon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cli_netlogon: rpccli_connect_netlogon

This is the one-stop shop to a working, schannel'ed connection to the
netlogon RPC interface. Jeremy tells me it needs more comments :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cli_netlogon: Return flags from rpccli_setup_netlogon_creds_locked

This will be used in a later commit in the rpcclient "capabilities"
command. Avoids another netlogon_creds_cli_get in the next commit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

rpcclient3: Factor out cli_rpc_pipe_open_bind_schannel()

This will be used for the "fast path" to netlogon when we already have
credentials.

This slightly widens the area of code covered by the netlogon_creds
lock: cli_rpc_pipe_open is now also covered by the lock.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cli_netlogon: Factor out rpccli_setup_netlogon_creds_locked

This does the reqchallenge/serverauth while assuming we have the
netlogon_creds_cli_lck already held. The _locked flavor will be called
from a routine that covers more under one single lock.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Protect netlogon_creds_cli_auth by _lck

This widens the lock range to cover the check for established
credentials. Before this patch it could happen that more than one
winbind finds no credentials and does the auth3. This can pile up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Protect netlogon_creds_cli_check by _lck

netlogon_creds_cli_lck provides the locking around the operation

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Add netlogon_creds_cli_delete_lck

Like netlogon_creds_cli_delete, protected by netlogon_creds_cli_lck
instead of netlogon_creds_cli_lock.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Add netlogon_creds_cli_lck

This adds an external locking scheme to protect our
netlogon_creds_CredentialState. This is needed because the routines
exposed by netlogon_creds_cli.h need a more flexible locking to
set up our credentials in a properly protected way.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds

This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Create cli_credentials from netlogon creds ctx

A netlogon_creds_cli_context holds all information required to do an
schannel bind. Used in the next commit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Factor out netlogon_creds_cli_delete_internal

In a future commit we'll need a version that does not check for
context->db.locked_state

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Factor out netlogon_creds_cli_store_internal

In a future commit we'll need a version that does not check for
context->db.locked_state

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Print netlogon_creds_CredentialState

Add some debugging for the tdb records

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Simplify netlogon_creds_cli_get

netlogon_creds_cli_get_internal almost does everything needed, only
the invalidating for credential chain use is missing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Rename netlogon_creds_cli_lock_fetch->get_internal

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Transfer a comment

This part of from netlogon_creds_cli_get will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Remove tevent_req handling from netlogon_creds_cli_lock_fetch

Disentangle concerns, make netlogon_creds_cli_lock_fetch usable for
other callers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Remove unused code

According to metze this was meant for test code that never materialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Simplify netlogon_creds_cli_delete

Don't implicitly TALLOC_FREE(creds) in the pure delete routine

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Simplify netlogon_creds_cli_store

Don't implicitly TALLOC_FREE(creds) in the pure store routine. This
mixes up responsibilities, and there's not enough callers to justify
the TALLOC_FREE to be centralized.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cli_netlogon: Remove an unnecessary if-condition

We don't need to check this here. rpccli_create_netlogon_creds_ctx via
netlogon_creds_cli_context_global returns NT_STATUS_INVALID_PARAMETER for an
unknown schannel type. Slightly different error code, but we could change the
one in netlogon_creds_cli_context_global if necessary.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

cli_netlogon: Rename "netlogon_creds" to "creds_ctx"

Trying to understand this code it's important for me to name variables
indicating their use: A netlogon_creds_cli_context is a context with access to
credentials, it's not the credentials itself.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Simplify netlogon_creds_cli_context_global

netlogon_creds_cli_open_global_db() already contains the NULL check. Use that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon_creds_cli: Fix talloc_stackframe leaks

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

scripting: Add script (backportable) to undo a GUID index

This script allows the DB to be read, and re-indexed, by an earlier Samba version,
most likely 4.7 with some backported patches.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 23 09:16:31 CEST 2017 on sn-devel-144

Do not re-use the attribute @IDXVERSION for SAMDB_INDEXING_VERSION

Confusing these two concepts is not a good idea, SAMDB_INDEXING_VERSION refers to
a change in a Samba rule to canonicalise one of our attributes, not the
in-DB index format.

As we already change @INDEXLIST in this version, this commit
is at no extra cost.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

dsdb: Set that Samba uses the GUID index in LDB

This is optional, but only to aid the downgrade script (and in case
there is some major issue found with it). We don't support that mode,
as that would require us to test and maintain multiple code paths and
not optimise queries to be GUID centric.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

provision: Add a fixed GUID to the samba4top objectclass definition

This is only used in the OpenLDAP backend and will certainly be removed before this becomes production.

(a production backend will use the real AD top objectclass)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>