A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
So that we don't dereference result->msgs[0] when it doesn't exist.
This can happen when the object has changed in such a way that it no
longer matches the original search query.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Jun 19 08:16:39 UTC 2019 on sn-devel-184
For TDB databases, the new ORDERED_INTEGER type is disabled along with
repacking at format version 1 if GUID indexing is disabled, so all the new
database features are toggled together. This scheme doesn't work with
MDB because GUID indexing is mandatory when using MDB. However, a
downgrade path is still required so in a previous commit we added
a pack_format_override option which allows a downgrade script to force
the database to use an earlier packing format. But, the new
ORDERED_INTEGER type would still be present in MDB databases so this
patch reads the pack_format_override opaque and converts ORDERED_INTEGER
types in @ATTRIBUTES to INTEGER and doesn't write any indexes of that
type to @INDEXLIST. The @INDEXLIST will be refreshed later, on the first
transaction.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
To reduce the number of potential combinations of database features in
ldb, we want to link all new database features since 4.7. GUID indexing,
ordered integers, and pack format changes will all upgrade together.
This patch makes ordered integers only function if GUID indexing is
enabled. If GUID indexing is disabled, ORDERED_INTEGER will not be
written to @ATTRIBUTES and a syntax's index_format_fn will never be
used.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We better print "... remote host [Unknown] SID [S-1-5-18] ..."
in 'dsdb_audit' message, this matches what we print for
'dsdb_json_audit'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals received via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
The callers moved to dsdb_class_by_cn_ldb_val() with
43aa546ecc3f05845793b1a7354685d50a77c170 in 2009.
Found by callcatcher
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This made it much harder to watch under wireshark and is not required (no password setting).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
metadata.tdb was being locked during transactions, but not during read, and
we should ensure we take all our locks in order for consistency
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13950
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This changes variables that are not the responsibility of this function, the unlock
implied by partition_del_trans() needs to be done carefully in the right spot.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This allows metadata.tdb to be locked in the correct place in
the lock order, as partition_reload_if_required() implicitly
calls partition_lock_read().
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This test is run against multiple DCs in the same domain, so there can
be a race with replication. Therefore avoid using the same name twice
by adding a random suffix.
This is an improvement to a demonstrator for this bug in TDB:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13952
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This behaviour is Samba-specific, we have not traditionally cut off responses at 1000
or so as Windows does, and we need to change that behaviour carefully.
This triggers this bug in TDB:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13952
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Fix use after free detected by AddressSanitizer
AddressSanitizer: heap-use-after-free on address 0x61400026a4a0
at pc 0x7fd555c52f12 bp 0x7ffed7231180 sp 0x7ffed7231170
READ of size 1 at 0x61400026a4a0 thread T0
#0 0x7fd555c52f11 in ldb_should_b64_encode
../../lib/ldb/common/ldb_ldif.c:197
#1 0x7fd539dc9417 in dsdb_audit_add_ldb_value
../../source4/dsdb/samdb/ldb_modules/audit_util.c:491
#2 0x7fd539dc9417 in dsdb_audit_attributes_json
../../source4/dsdb/samdb/ldb_modules/audit_util.c:651
#3 0x7fd539dc6a7e in operation_json
../../source4/dsdb/samdb/ldb_modules/audit_log.c:305
The problem is that at the successful end of these functions
el->values is overwritten with new_values. However get_parsed_dns()
points p->v at the supplied el and it effectively gets used
as a working area by replmd_build_la_val(). So we must duplicate it
because our caller only called ldb_msg_copy_shallow().
The reason this matters is that the audit_log module is
above repl_meta_data in the stack, and tries to log the
ldb_message it saw after the reply (to include the error code).
If that ldb_message is changed it is not only misleading,
it can point to memory that has since gone away.
In this case the memory for the full extended DN in the
member attribute ended up on 'ac', a context lost by
the time repl_meta_data has finished processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13941
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 15 05:35:47 UTC 2019 on sn-devel-184
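The aliasing described in the commit message above, as an added example that is not Samba code: a simplified model using malloc() in place of talloc, in which a shallow copy shares its values[] array with the caller, so a working-area write by the lower module changes what the upper module later reads. The struct layout, function names and strings are hypothetical and constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct val { char *data; };
struct element { struct val *values; size_t num; };

/* Shallow copy: the struct is copied, the values[] array stays shared. */
static struct element copy_shallow(const struct element *src) { return *src; }

/* Lower module working on a shallow copy of the caller's element.
 * Returns 1 if the caller's view was changed to point at memory this
 * function frees before returning, 0 if not, -1 on allocation failure. */
static int lower_module(struct element *caller_view, int dup_first)
{
	struct element el = copy_shallow(caller_view);
	char *before = caller_view->values[0].data;
	struct val *priv = NULL;
	char *tmp = malloc(32);	/* stands in for the short-lived context */
	int changed;

	if (tmp == NULL) return -1;
	if (dup_first) {
		/* The fix: take a private values[] before using it as a working area. */
		priv = malloc(el.num * sizeof(*priv));
		if (priv == NULL) { free(tmp); return -1; }
		memcpy(priv, el.values, el.num * sizeof(*priv));
		el.values = priv;
	}
	strcpy(tmp, "constructed working value");
	el.values[0].data = tmp;	/* working-area write */
	changed = (caller_view->values[0].data != before);
	free(priv);
	free(tmp);		/* the caller's pointer now dangles if changed == 1 */
	return changed;
}

int main(void)
{
	char dn[] = "cn=constructed,dc=example";
	struct val v1[1] = { { dn } }, v2[1] = { { dn } };
	struct element e1 = { v1, 1 }, e2 = { v2, 1 };

	printf("shallow only: %d, duplicated first: %d\n",
	       lower_module(&e1, 0), lower_module(&e2, 1));
	return 0;
}
```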
Lower down in this function new_values is assigned over el->values and is
filled in with the values of all the parsed DNs. Therefore it is the natural
talloc parent.
This will allow el->values to be allocated on tmp_ctx in the next commit for
a working area during the function call.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fix use after free detected by AddressSanitizer
AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
READ of size 8 at 0x60f0002b2738 thread T0
#0 0x7f89b1a213b4 in samldb_rename_search_base_callback
../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
#1 0x7f89d3a0db4a in ldb_module_send_entry
../../lib/ldb/common/ldb_modules.c:793
#2 0x7f89b6f27356 in es_callback
../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13942
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When filtering out multiple elements, we end up memmove()ing the same
elements many times over. It is simpler to not do that by keeping track
of how many elements we are keeping.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The bare memmove is not strictly safe at the end of the list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
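The two filtering approaches from the two commit messages above, side by side, as an added example that is not Samba code: a per-element memmove() with an explicit guard for the last slot, and a single pass that tracks how many elements are kept. The int array, the keep() predicate and the move counters are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical predicate for this example: negative values are filtered out. */
static int keep(int v) { return v >= 0; }

/* Per-element removal: every hit shifts the whole tail down by one,
 * so elements near the end are moved once per earlier removal. */
static size_t filter_memmove(int *el, size_t n, size_t *moved)
{
	size_t i = 0;
	*moved = 0;
	while (i < n) {
		if (keep(el[i])) {
			i++;
			continue;
		}
		/* This example's guard for the last slot: there is no tail
		 * to move and &el[i + 1] would be one past the end. */
		if (i + 1 < n) {
			memmove(&el[i], &el[i + 1], (n - i - 1) * sizeof(el[0]));
			*moved += n - i - 1;
		}
		n--;
	}
	return n;
}

/* Single pass: count the survivors and copy each one at most once
 * into its final position. */
static size_t filter_compact(int *el, size_t n, size_t *moved)
{
	size_t i, kept = 0;
	*moved = 0;
	for (i = 0; i < n; i++) {
		if (!keep(el[i])) continue;
		if (kept != i) { el[kept] = el[i]; (*moved)++; }
		kept++;
	}
	return kept;
}

int main(void)
{
	int a[] = {-1, 5, -2, 6, -3, 7, -4}, b[] = {-1, 5, -2, 6, -3, 7, -4};
	size_t ma, mb, na = filter_memmove(a, 7, &ma), nb = filter_compact(b, 7, &mb);
	printf("memmove: kept %zu, moved %zu; compact: kept %zu, moved %zu\n", na, ma, nb, mb);
	return 0;
}
```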
ldb_msg_new() is currently the same as talloc_zero(), but it might
not always be.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May 9 23:54:35 UTC 2019 on sn-devel-184
The last caller was removed in s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDs
(6a51afcfdbcbce7813fb59c0655e4178268ca70e) by Kamen Mazdrashki in 2010
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Many parts of Samba use an empty attribute list in requests expecting
all attributes to be returned in the response, which is incorrect. This
patch corrects the instances found by current CI tests. Static analysis
and debugging will need to be done before changing ildap to the correct
semantics.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon May 6 05:45:55 UTC 2019 on sn-devel-184
Test for LDAP request with an empty attribute list. LDB responds with
no attributes, but LDAP responds with all attributes. Fix is attached
to the bug below but we can't push it upstream until we've found all
instances of incorrect empty attribute list usage in Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The dsdb module stack can turn a simple search request into a
complicated tree of sub-queries that include attributes not originally
asked for and excluding those that were. The corresponding replies
might contain unrequested attributes or (for good reasons, according
to some module) hide requested ones. The entire stack is there to
meddle and that is what it does. Except *this* module. It just counts.
To understand dsdb performance it helps to have some idea what
requests and replies are flying to and fro. This module, when
inserted anywhere in the stack, counts the requests and replies
passing through and the attributes they contain. This data is stored
in on-disk tdbs in the private/debug directory.
The module is not loaded by default. To load it you need to patch the
source4/dsdb/samdb/ldb_modules/samba_dsdb.c and put "count_attrs"
somewhere in the module lists in the samba_dsdb_init() function. For
example, to examine the traffic between repl_meta_data and
group_audit_log, you would do something like this around line 316:
"subtree_delete",
"repl_meta_data",
+ "count_attrs",
"group_audit_log",
"encrypted_secrets",
and recompile. Samba will then write to a number of tdb files in the
debug directory as requests and replies pass through. A simple script
is included to read these files. Doing this:
./script/attr_count_read st/ad_dc/private/debug/debug/attr_counts_not_found.tdb
will print a table showing how often various attributes were
requested but not found (from the point of view of the module).
A more sophisticated version of the script is coming in the next
commit, but this one is included first because in its simplicity it
documents the storage format reasonably well. The tdb keys are
attribute names, and the values are uint32_t in machine native order.
When the module is included in the stack there will be a very small
decrease in performance.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We run the tests again, trying to modify as a normal user rather than
Administrator.
It turns out that we do not always return the same error code as
Windows, but in all these tests both Windows and Samba always return
some kind of error (as you might hope).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Do we interpret these the same way as Windows? In many cases, no.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The test was presumably commented out because we fail it, and
known-failing it would have hidden the attr-too-short tests that it
was bundled with. If we disentangle them we can known-fail it, which
serves as a TODO list.
(passes against WIN2012R2).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Found by csbuild.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 1 05:02:22 UTC 2019 on sn-devel-184
When we get here it is very likely that the attribute will not be
preserved, as the preserved ones should have had the flag set, but we
still end up looking through the whole list to confirm. With a binary
search, we end up looking at ~5 attributes to confirm.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Most (perhaps all) attributes that are in the "must not remove" list also
have the PRESERVEONDELETE bit set, and checking bits is much cheaper
than a linear search involving strcasecmp. If we check the bit first
we save work.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
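The lookup order described in the two commit messages above (flag bit first, then a binary search instead of a linear scan), as an added example that is not Samba code. The attribute list is a constructed sample, and the flag value, function names and comparison counter are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

#define FLAG_PRESERVEONDELETE 0x8u	/* assumed bit value for this example */

/* Constructed sample list, kept sorted case-insensitively for bsearch(). */
static const char *const preserved[] = {
	"distinguishedName", "isDeleted", "objectGUID",
	"objectSid", "sAMAccountName", "whenCreated",
};
#define N_PRESERVED (sizeof(preserved) / sizeof(preserved[0]))

static unsigned comparisons;	/* string comparisons performed so far */

static int cmp_name(const void *key, const void *elem)
{
	comparisons++;
	return strcasecmp((const char *)key, *(const char *const *)elem);
}

/* Linear scan: a miss has to compare against every entry. */
static int in_list_linear(const char *name)
{
	size_t i;
	for (i = 0; i < N_PRESERVED; i++) {
		if (cmp_name(name, &preserved[i]) == 0) return 1;
	}
	return 0;
}

/* Flag bit first, then binary search only for attributes without the bit. */
static int should_preserve(const char *name, unsigned search_flags)
{
	if (search_flags & FLAG_PRESERVEONDELETE) {
		return 1;	/* no string comparison needed */
	}
	return bsearch(name, preserved, N_PRESERVED,
		       sizeof(preserved[0]), cmp_name) != NULL;
}

int main(void)
{
	int hit = should_preserve("OBJECTGUID", 0);
	int miss = should_preserve("description", 0);
	printf("hit=%d miss=%d comparisons=%u\n", hit, miss, comparisons);
	return 0;
}
```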