IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
ldb_msg_add_empty reallocates the underlying element array, leaving
old_el pointing to freed memory.
This patch takes two defensive copies of the ldb message, and performs
the updates on them rather than the ldb messages in the result.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
We can not process on the basis of a DN, as the DN may have changed in a rename,
not only that this module can see, but also from repl_meta_data below.
Therefore remove all the complex tree-based change processing, leaving only
a tree-based sort of the possible objects to be changed, and a single
stopped_dn variable containing the DN to stop processing below (after
a no-op change).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Previously if there was a conflict, but the incoming object would still
win, this was not marked as a rename, and so inheritence was not done.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
While we have a seperate test (sec_descriptor.py) that confirms inheritance in
general we want to lock in these specific patterns as this test covers
rename.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This test often flaps in Samba 4.9 (where more tests and DCs run in the environment)
with obj_1 being 3. This is quite OK, we just need to see some changes get
replicated, not 0 changes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4ae0f9ce0f5ada99cf1d236377e5a1234c879ae3)
dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.
By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Incremental results are provided by a flag on the dirsync control, not
by changing the attribute name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit 23f72c4d712f8d1fec3d67a66d477709d5b0abe2)
utf8_len represents the number of characters (not bytes) of the
password. If the password includes multi-byte characters it is required
to write the total number of bytes to the check password script.
Otherwise the last bytes of the password string would be ignored.
Therefore we rename utf8_len to be clear what it does and does
not represent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ensure that for file access you can mix any of these
three access methods for directory entries and the
returned names/structs stay in sync across telldir/seekdir
changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14094
Back-ported from master 3355601fe8541994cc41f5ed800aab9b6a2294f4.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Thu Sep 19 10:40:56 UTC 2019 on sn-devel-144
This test confirms that running undoguididx causes all GUID keys to be
replaced with DN keys at the KV level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(backported from commits 74d15c9bf76f0a2fb5fa7b7b1d80971d10c4fe45,
ab376a97c972d2d5ebfb912ed90664c787860dc8 and 56400153c8c7052fe319f273c30c6d59556102dc
to avoid changes to TestCaseInTempDir).
ab376a97c972d2d5ebfb912ed90664c787860dc8 was:
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
56400153c8c7052fe319f273c30c6d59556102dc was:
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 09f2a187b3d8c161e2c11588499b3256a9dbcc95)
Quick fix running this script with -s instead of -H. samdb_url() returns
a url with a protocol prefix, which causes issues further down in the
script.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 40ca8ed5a152ae7c5ec039649c09a037a20a4143)
In py3 we need to add an extra str() around the returned ldb value to
enable .split() to be used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed By: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu May 23 14:25:52 UTC 2019 on sn-devel-184
(cherry picked from commit 1a9da378a1505daff498be6d6355debd73526a1a)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 561b654bc5bc2f5e614c5c2ab378193ca94d481a)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>
(cherry picked from commit 78f5b6e3999a0bf4a118df36a2aabcb696049792)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 60afe949c3e664f81c9b0db9c54f701aa2874a5e)
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Aug 16 14:18:35 UTC 2019 on sn-devel-144
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0fbb013bef886e425602fdbbef14a4029719818f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5e000a8487d788dd196980b77ec7299c8be74abf)
The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):
AddrArray: ARRAY(3)
AddrArray: struct dnsp_dns_addr
family : 0x0002 (2)
port : 0x0035 (53)
ipv4 : 172.31.99.33
ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6fc7cc15048673d109042d7b40684ed63eb4ff9e)
In future we should use ipv4address, but that would result in a much
larger change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6d958af0b4cb6fd45cfda0298243859b3b043c6f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 9a0c3a475f29138c0c49e0d22cf52ab45178d16b)
From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
We better print "... remote host [Unknown] SID [S-1-5-18] ..."
in 'dsdb_audit' message, this matches what we print for
'dsdb_json_audit'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 706aba5bf62e674ae12786f6ab275752b8714464)
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
(cherry picked from commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa)
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)
Fix use after free detected by AddressSanitizer
AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
READ of size 8 at 0x60f0002b2738 thread T0
#0 0x7f89b1a213b4 in samldb_rename_search_base_callback
../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
#1 0x7f89d3a0db4a in ldb_module_send_entry
../../lib/ldb/common/ldb_modules.c:793
#2 0x7f89b6f27356 in es_callback
../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13942
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0cc6d217485c317b2138347216fac5d74684328)
Otherwise we may not be able to construct a working schema that's
required to apply the changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12204
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13713
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 661dc4574110b0f13c127c8aa6ed0c385292b77c)
This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.
This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit bb5a457f2872a383b58d62981dade322fca9b283)
This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.
This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c3d28d49be3c7536d1ccfe8d00553ce72843f369)
