This control will allow inspection of internal ldb values, which would
normally be stripped before being presented to users. The first use
will be stripping linked attribute meta data extended components.
- We should clean up such "helper" objects created in this function so that we don't
have them around until "mem_ctx" is destroyed
- Remove a from my view pointless comment "This is a password set, not change"
since an external argument "user_change" decides this ("modify" or "(re)set")
The first bug was that setting a component twice could cause it to
appear twice in the DN.
The second bug was that using an existing ldb_val from a previous call
of ldb_dn_get_extended_component() as an argument to
ldb_dn_set_extended_component() would cause a valgrind error (as the
array the val pointed into will change).
This allows us to search below the current module. That
will be important when we start using the results of this
search to get the linked attributes meta data right
The bug is that sometimes 'streams' is parent for 'new_name'.
With this said, 'new_name' must be dupped before 'streams'
pointer is freed.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
It appears some newer versions of windows return
NT_STATUS_OBJECT_NAME_NOT_FOUND on a createfile when access is denied
rather than NT_STATUS_ACCESS_DENIED. I'm not sure how this translates
to directory enumeration yet, but for now make this a parameter that
can be checked in the various torture tests.
This also gets RAW-ACLS and SMB2-CREATE passing against win7.
- The smblsa calls had to be commented out for now and should be fixed
later, but they aren't crucial to the test.
- The first two tests from RAW-ACLS were already ported to
torture_smb2_setinfo() and test_create_acl(). Modifications were
made similar to the RAW-ACLS changes.
- test_sd_get_set() was ported, but does not pass against XP or Vista;
it is not added to the SMB2-ACLS test suite.
- printf -> torture_comment / torture_warning / torture_result
- Change RAW-ACLS test suite so each test can be run individually.
- Add verify_sd() and verify_attrib() helper functions.
- Change test_nttrans_create() to work for both files and directories.
- Fix a segfault in test_inheritance() when the test errors out early.
- test_sd_get_set() does not pass against XP or Vista, so it is no longer added
to the RAW-ACLS test suite.
- Minor fixes to test_inheritance().
- New INHERITFLAGS test, which tests the auto inheritance flags a bit more.
- printf -> torture_comment / torture_warning / torture_result
(as objectClass will always be a case insensitive ascii string, we can
make a much simpler match function here than for the general case).
Andrew Bartlett
This tries to show that the domain object should not have a
primaryGroupToken, for example. (This passes against the old and new
code, as the failure case requires an object with an objectSid, and
exactly one group in its subtree. Sadly I don't know of a valid structure
that I can construct to test this).
Andrew Bartlett
The original code here would do a subtree search under each object,
attempting to determine if it was a group. This was incorrect, and
inefficient - we just need to ask for the objectClass attribute, and
check that value before returning the group's RID.
(Much of this patch reworks operational.c to allow a search for 2
attributes for this calculation).
Andrew Bartlett
This avoids doing a new search from the top of the module stack.
This also removes the helper function dsdb_find_parentguid_by_dn()
which is now unused.
Andrew Bartlett
The show_deleted module was using a static private ptr in the module
to hold a parse tree to save on parsing. The code caused this
static ptr to change with each search, which caused incorrect
searches and numerous valgrind errors.
This patch replaces it with a hand-built parse tree.
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
Two new samba4 bugs have been filed for the two corresponding known
failures. For the short term raw.sfileinfo had to be removed from
quicktest. It is no longer an individual test, but a test-suite and
quicktest can only run top level tests.
Try a rename with a wide-open share mode on an already open file
and there is still share mode contention. For the reason why
see:
http://social.msdn.microsoft.com/Forums/en-US/os_fileservices/thread/3ca14dc9-da1f-4786-a8f7-a86e9903db0c
Msft's answer:
After further review, The reason for server to fail with sharing
violation is that the windows server that executes a path-based
rename request opens the file for DELETE access, but only with
FILE_SHARED_READ as ShareAccess. Therefore, the existing
open (frame 76), which has shared read/write/delete, is compatible
with the Windows servers access mode (DELETE), but Windows servers
open is not compatible with access mode in existing open.
Note that it is correct to state that the logic in Windows server
could have been written to allow shared read/write/delete in which
case it would succeed as you mention. The behavior here is
historical based on the existing implementation.
Some servers choose to mark a client as bad if they fail an oplock
break request by timing out (win7 is an example). Once the client is
marked as bad, future oplock requests will timeout instantly. This
causes subsequent runs of this test to fail, so rather than erroring
out as a failure, a warning is printed instead.
There is also a bug in w2k3 where it was incorrectly returning
contending a share mode lock. It worked in XP and has been re-fixed
in win7.
This can also now be run against samba3.
See what happens when we have multiple outstanding lock requests and
we try to cancel both of them within a single LockingAndX.
On Windows, it seems only the first lock in the array is cancelled,
and the second is left pending. Though, this behavior goes against
the MS-CIFS spec.
* test that 2 locks in a single LockAndX are transactional
* test that 1 unlock and 1 lock in a single LockAndX are not
transactional
* test that SMB2 doesn't like mixed lock/unlock in a single
PDU
Abstract the server requirements to pass some BRL tests.
* The new default for >64bit lock tests, is that the server should
return STATUS_INVALID_LOCK_RANGE.
* Add parameter for targets that don't implement DENY_DOS
When windows abandons a DRS sync, it will sometimes re-use the same bind handle for
a new sync. This means we need to check the DN of the sync and blank the getnc_state
if the DN has changed.
This also fixes the UDV to use the highest uSN for the partition, not for
the whole SAM.
In light of the INVALID_LEVEL that is seen for RAW_SFILEINFO_END_OF_FILE_INFO
requests on a path, I'm changing these back to using the passthrough
RAW_SFILEINFO_END_OF_FILE_INFORMATION to test the oplock break behavior as
originally intended
It turns out setting the end-of-file with Trans2SetPathInfo using the
snia spec's info level will attempt to open the file, enforcing share
modes, but then subsequently fail the setpathinfo with a dos error of
INVALID_LEVEL. Doing a Trans2SetFileInfo with either end-of-file info
level succeeds as expected.
Revert "Remove RFC's from the release tarballs to make the lives of the Debian"
This reverts commit eda7f35bc8.
These files are essential to the Samba4 build.
Andrew Bartlett
Includes the following verifications for the constructed parentGUID:
- Checks if it returns nothing when there is no parent object
- Ensures that attributes mentioned after the parentGUID
are returned correctly (this avoids a bug pointed out by Tridge
during sync constructed parentGUID development)
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Uses the dsdb_msg_add_guid() to add any kind of GUID attribute
to a ldb_message in several places of samba4 code.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
the nTDSConnection objects that are not needed anymore will be deleted.
the function kccsrv_delete_connection wasn't tested yet.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This reverts commit 7d400715e9.
"convert_string_talloc_convenience" does always add the NULL termination. Didn't
know that. Thanks Jelmer for pointing out!
- Revert change in "ask" - was previously correct
- Readd accidentally removed checks for non-null realm and domainname
- On interactive mode perform only one "ask" call per question
- Inform the user about the unset administrator password
This reverts commit 2175c0ed06.
This reverts commit 6c3e2417a0.
This reverts commit dbb8989e05.
This reverts commit 82adfa39b7.
This reverts commit f299efa8f0.
After a small discussion with Jelmer we agreed that this isn't the right way
to fix the problem. We should wait for a real patch rather than rely on temporal
hacks.
w2k8-r2 sometimes sends empty attributes with completely bogus attrid
values in a DRS replication response. This allows us to continue with
the vampire operation despite these broken elements.
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Both modes weren't possible anymore since 1.) the secrets entry wasn't created,
2.) a lookup in winbindd was done using "lp_workgroup()" rather than
"lp_sam_name()" (since on the mentioned two configurations we use the netbios
name as domainname - and not the workgroup).
s4 returns NETWORK_NAME_DELETED if you attempt to use an invalid tree connection
for a lock. This test (correctly I think) happens before we validate the file handle.
That implies that when you pass both a closed handle and an invalid tree you
should get NT_STATUS_NETWORK_NAME_DELETED.
I think the error/success codes returned by windows for these tests
are quite bogus. The ones s4 gives are much more reasonable. The
locking ones returning NT_STATUS_SUCCESS could lead to data loss, as
an application thinks it has a file locked correctly when in fact it
doesn't, so it could do an unsafe modify.
I was stumped for a while as to why the drs test suite was failing for
me. It turned out that it looked for LDB_URL in the environment, and
used it if set. I had it set in my terminal, and it was happily
munching on my sam.ldb while testing. Quite a cute bug really :-)
We were testing for valid DNs in ldbrename in the command line
tool. This hid a bug in the ldb library where we caught a bad DN in
the objectclass module rather than in the main ldb code. It is better
to do validation of the DNs passed on the command line in the library
code, as this gives us more consistent error handling between the
programming APIs for ldb and the command line.
when we install python scripts we need to fix the internal path used
to find modules. We also need to install the scripts in the right
place. Most of them should go in $SBINDIR not share/setup/
The rework corrects some duplication and errors in the original
script, found when preparing an automated test of the script.
The code to reset the machine account password avoids issues with AES
keys and salting, which may not otherwise be solved by the upgrade.
Andrew Bartlett
* Define a simple upgrade process mode (module storage change, file name change, copy of new file)
* Move the schema, configuration and current object upgrade into full upgrade mode
* Added the --full switch to select the full upgrade mode, and made simple upgrade mode the default
* Make updateprovision work without any switch (update the provision in the default location)
* Cleanup the messages
* Create the reference provision in a subdirectory of the updated provision
The passthrough version of SET_END_OF_FILE_INFO is tested in
RAW-SFILEINFO-END-OF-FILE.
Additionally, the first opener is changed to use SHARE_WRITE for the
share mode since SET_END_OF_FILE_INFO actually writes data to the file
via truncating/extending.
A side effect of this change is that RAW-SFILEINFO now runs the whole
suite instead of just the first test. I changed the name of the first
test to RAW-SFILEINFO-BASE and changed all of the selftest scripts
that call it.
- define which modules we want to use when loading the ldb
- move partition in sam.ldb.d dir
Changes have been suggested by Andrew Bartlett.
(commit message clarified by Andrew Bartlett)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
- remove some useless comments
- remove hardcoded paths
(commit message clarified by Andrew Bartlett)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This reverts commit 87b6f2e863.
This was the cause of the breakage of the "LogonGetDomainInfo" testsuite. I
think my behaviour is more correct to Windows Server since the test works
against it (at least release 2003 R2).
One problem I discovered is that freshly joined workstations don't get their
DNS name into the directory. Therefore I think also another part (maybe another
RPC call) is able to do this.
Apparently Windows Server (2003) doesn't like the comma delimiter here. I got
always error 16 ("LDB_NO_SUCH_ATTRIBUTE"). With this change the test works
again.
source4/param/param.h has a
param.h is a public header (and parmlist isn't, even if the relative path
could work), so I suggest making it a forward declaration in the header, and
including parmlist.h in the implementation.
(commit message included from e-mail by Andrew Bartlett)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This makes getting the module order correct, the obligation of Samba4
developers, and not system administrators. In particular, once an ldb
is updated to use only the 'samba_dsdb' module, no further changes to the
ldb should be required when upgrading to later Samba4 versions.
(thanks to metze for the suggestion of samba_dsdb as a long-term
stable name for the module)
Andrew Bartlett
This makes the member server much more like the DC, the objectGUID
module replaces the repl_meta_data module.
We also generally rework the construction of the list, building a full
list in python, and then transforming it into a string, rather than
playing string concatenation games
Andrew Bartlett
Test was implemented as a test fixture so that setup/teardown
occurs only once.
This should impact test performance as long as provision_get_schema()
is a slow function (especially when debugging)
Windows displays attribute values with Object(OR-Name) syntax
in plain DN format when queried through LDAP.
Hence, we need to post-process such values specially
in extended_dn_out.c module so they are always shown as plain DN,
no matter what controls are passed for search request.
Some attributes (like ntSecurityDescriptor) are stored in our db, but
should only be displayed if asked for. This also applied to parentGUID
from old installs, which is now generated.
dsdb_find_parentguid_by_dn() returns the parentGUID for a given DN
dsdb_msg_add_guid() adds a GUID value to a given message (either
objectGUID or parentGUID).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
- The outside API contains "DN" string arguments: Bad. Since in this way we
fully rely on the outside calls regarding the right DN format. Solution: Use
always a "struct ldb_dn" entry. Since this one is interchangeable and we can
handle it in our preferred way.
- DN comparison: The function doesn't seem that efficient. I "upgraded" it a bit
to be more powerful (added a second length check and do both before the string
comparison)
When we rename or modify a record, we need to update the indexes at
the same time. It is important that we use the DN of the actual
message that is stored in the database to do this, not the DN that was
passed in by the user. If the two differ in case then the index
records need to use the 'real' record DN, as index handling is
currently case sensitive.
When ildap created a new message to forward, it only copied controls for ldb_search
requests. This caused controls for add and modify to be lost in transition
and tests for them could not be implemented.
This test randomly fails depending on the timing
(the tests are too strict with the values introduced in
commit 0fca2b078c)
and local filesystem features (timestamp resolution).
metze
* Ported all tests from raw/notify.c to smb2/notify.c
* Parameterized the max_buffer_size so it can be set on a
per-target basis.
* Fixed CHECK macros to use torture_result
* Created a SMB2-NOTIFY test suite
The BRL tests previously based their results off several bugs in the
W2K8 byte range lock code. I've fixed up the tests to pass against
Win7 which has fixed these bugs, and assume that the Win7 behavior
is the default.
I have inverted the test behavior for >63-bit lock requests. The
tests previously expected NT_STATUS_OK as their default in this
case. I've changed that default to expect STATUS_INVALID_LOCK_RANGE.
This may require some changing of make test to compensate.
I've also removed a few test scenarios from VALID-REQUEST in preparation
of replacing them with separate tests ported from RAW-LOCK.
abartlet suggested me to not use anymore "\n"s in those kind of outputs.
Plus, enhance a search filter to consider also "builtinDomain" objects which
are basically domain objects too.
If a test needs access to the dc's config, it should run
as "dc:local", then it can also access unix named pipes...
If we pass a hardcoded config file the test fails if you use
a selftest_prefix.
metze
This fixes up connections to Windows 2003, because the previous import
had a broken arcfour-hmac-md5 implementation (fixed in Heimdal
316fc6ff8ffb0cbb1ef3689685e9977c37405bc4)
Andrew Bartlett
I left dumping of decrypted attributes values 'as is'
(using DEBUG and DEBUGADD) as it uses dump_data() function.
dump_data() uses DEBUGADD internally, so I have no way
to redirect its output to torture_context at this point.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The schema needs to be loaded above the extended_dn_out modules as
otherwise we don't get an extended DN in the search results.
The reference split is to ensure we create references after the
objects they reference exist.
Andrew Bartlett
This makes these full extended DNs, so we set the right values into
the database, even before we actually set the schema objects
themselves.
Andrew Bartlett
It is important to always ensure that this attribute has an extended
DN if the rest of the database stores things that way.
The knowledge of what format the DN is stored on disk with is passed
around in an LDB opaque.
Andrew Bartlett
The load of defaultObjectCategory as an extended DN means we need to
use the common parsing functions I just split out, rather than the
GET_DS_DN macro.
The objectGUIDs are loaded so that we can create the extended DN when
we load from LDIF (and are loaded for the other cases for
consistency).
Also adapt callers to API changes needed for common parsing code
Andrew Bartlett
This loads the defaultObjectCategory DN as an extended DN, so we can
apply it, with the associated GUID, when setting this on records in
the objectClass module.
Previously we would not store the extended DN components for
objectCategory.
Andrew Bartlett
This should make it easier to call this function from the DRS schema
load code, rather than duplicate it.
(we may do the same with other functions in future).
Andrew Bartlett
These flags, also on dsdb_module_search_dn() allow us to add commonly
set controls to this pre-packaged blocking search, without rebuilding
the whole function in each caller.
Andrew Bartlett
This reverts commit df95d5c292.
abartlet pointed out in a post on the samba-technical list that this isn't
necessary at all (lDAPDisplayName normalisation algorithm). Rather it breaks
functionality of the replication.
Fixed sd creation not working on LDAP modify.
Fixed incorrect replacement of CO and CG.
Fixed incorrect access check on modify for SD modification.
Fixed failing sec_descriptor test and enabled it.
Fixed failing sd add test in ldap.python
This specifically fixes a problem showing extra bytes of garbage in list and
print in regshell, even though the vk.data_length has the correct size.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Don't add only a new objectclass but also a new attribute. Plus let now the
server itself calculate the "lDAPDisplayName" attribute and compare the result.
The DN escape function was using the form \c where c is any
character. The unescape function was using \XX where XX is a 2 digit
hex number. The asymmetry led to quite a few problems when we start to
deal with DNs containing escape chars, such as CN=foo\0ADEL:XXX. The
result was a DN that was not accessible.
This patch changes the escaping to follow RFC2253 much more
closely. We accept either type of escape, and produce the two types of
escape, depending on the character being escaped
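
The escape/unescape asymmetry described in the last commit message above, as an added example (not Samba's ldb code): the function names, the set of escaped bytes and the `rfc2253` / `accept_char_form` switches are assumptions used to model the old and new behaviour side by side.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IS_SPECIAL(c) ((c) != 0 && strchr(",=+<>#;\\\"", (c)) != NULL)
static char last_escaped[256]; /* escaped form produced by the latest roundtrip() */

/* rfc2253 == 0 models the old escaper (always \c). rfc2253 == 1 emits \XX for
 * control bytes and edge spaces, \c for printable specials. out: 3*n+1 bytes. */
static size_t escape(const unsigned char *in, size_t n, char *out, int rfc2253)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        int ctl = c < 0x20 || c == 0x7f;
        int edge_space = c == ' ' && (i == 0 || i == n - 1);
        if (rfc2253 && (ctl || edge_space))
            o += (size_t)sprintf(out + o, "\\%02X", (unsigned)c);
        else if (ctl || IS_SPECIAL(c))
            o += (size_t)sprintf(out + o, "\\%c", c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return o;
}

/* Decodes \XX always and \c only if accept_char_form is set (0 models the old
 * unescaper). Returns the decoded length, or -1 on an escape it cannot parse. */
static int unescape(const char *in, unsigned char *out, int accept_char_form)
{
    int o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char h = (unsigned char)in[i + 1], l = h ? (unsigned char)in[i + 2] : 0;
        unsigned v = 0;
        if (in[i] != '\\') {
            out[o++] = (unsigned char)in[i];
        } else if (isxdigit(h) && isxdigit(l) && sscanf(in + i + 1, "%2x", &v) == 1) {
            out[o++] = (unsigned char)v;
            i += 2;
        } else if (accept_char_form && h != 0) {
            out[o++] = (unsigned char)in[++i];
        } else {
            return -1;
        }
    }
    return o;
}

/* 1: value survives escape+unescape, 0: it comes back changed, -1: rejected. */
static int roundtrip(const char *val, int rfc2253, int accept_char_form)
{
    unsigned char dec[256];
    size_t n = strlen(val); /* keep sample values under 80 bytes */
    escape((const unsigned char *)val, n, last_escaped, rfc2253);
    int m = unescape(last_escaped, dec, accept_char_form);
    return m < 0 ? -1 : ((size_t)m == n && memcmp(dec, val, n) == 0);
}

int main(void)
{
    const char *v = "foo\nDEL:XXX"; /* constructed; escapes to the page's foo\0ADEL:XXX */
    printf("old pair: %d, RFC 2253 pair: %d\n", roundtrip(v, 0, 0), roundtrip(v, 1, 1));
    return 0;
}
```

With the old pairing, any value containing an escaped byte is rejected by the unescaper; with the RFC 2253 pairing the same value round-trips, and `\c` output from an old escaper is still accepted.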