IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Add a --add-ns option to samba_dnsupdate and use that, but only when --use-file has been specified, to add an NS record to the file produced.
This allows us to make progress in the self tests and is an interim fix.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Rowland Penny <repenny241155@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 21 00:51:02 CEST 2016 on sn-devel-144
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
Passes against Win2k12+, and smbd with the previous patch.
https://bugzilla.samba.org/show_bug.cgi?id=11845
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Jun 18 19:32:22 CEST 2016 on sn-devel-144
The two large stack-based arrays would overflow the stack, this avoids
a duplicate of the struct drsuapi_DsReplicaLinkedAttribute array
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The order of linked attributes depends on comparison of the NDR packed
GUIDs (not its struct GUID form).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
This avoids reparsing the linked attribute and schema refetching.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
Although we attempted to sort by GUID based on DRSR, it is actually
sorted by the ndr packed GUID.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
Assert that linked attributes propagate across DRS and come in a
particular sorted order.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
This can be extended, but already checks the basic functionality
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This allows samba_dnsupdate to be tested without resolv_wrapper.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This avoids treating server errors identically to name-not-present status values
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This allows us to update the stub records as well as the zone itself.
Based on a proposed syntax by metze.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
By reducing the intendation this code is a little clearer
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This should help in deployements beyind NAT.
It will also help in testing.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This mode is more likely to work when we change hostname or IP
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The doio_send() function of bind fails on a short write with sendmsg().
See https://bugzilla.redhat.com/show_bug.cgi?id=1250921
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By reading the SID values from the memberOf links, we avoid an un-indexed search on
the member attribute.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Because of this typo, the primary group ID was returned as 0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
While the DC will eventually get back to the same state, it can take a
while, so try harder not to overwrite our already-working account
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This makes a clear seperation between data and display variables
and improves the tests.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This then makes SambaToolCmdTest based on BlackboxTestCase.
This allows us to use better command output testing in the fsmo tests
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 16 04:07:41 CEST 2016 on sn-devel-144
This final patch enables sending TSIG error records by adding
DNS_RCODE_NOTAUTH to the set of error conditions that are allowed to
trigger sending a full generated response.
See RFC 2845 "4.5.1. KEY check and error handling" and "4.5.3. MAC check
and error handling".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Call dns_verify_tsig() after updating state.flags and assign and use
out_packet for dns_verify_tsig().
We will need the updated flags when sending TSIG error responses when
TSIG request MAC verification fails and dns_verify_tsig() uses the
passed in packet as response, so we have to make sure we copy in_packet
to out_packet before calling out and pass out_packet.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
See RFC 2845 "4.3. TSIG on TSIG Error returns".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
According to RFC 2845 "4.5.3. MAC check and error handling" we must
return NOTAUTH and DNS_RCODE_BADSIG when MAC verification fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We need the TKEY name when adding TSIG records to error responses.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Split out function that does the MAC computation from the TSIG record
creating function. This will later simplify the code when creating error
responsed to TSIG requests with bad MACs where we have to add the TSIG
record with an empty MAC.
No functional behaviour change besides hard coding "gss-tsig" algorithm
name: later when sending a TSIG error response for a TKEY request with a
bad keyname, we won't have a tkey to fetch the algorithm name from.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
According to RFC 2845 "4.2 TSIG on Answers", when the request is signed,
the request MAC must be included in the response MAC calculation.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Cf RFC2845, 3.4.2. "TSIG Variables", the request id (original_id) is not
used in the MAC calculation. This also explains the mysterious 2 bytes
padding.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The original schema must live as long as the working_schema
as the working_schema starts as a shallow-copy of schema.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11953
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 7 14:33:39 CEST 2016 on sn-devel-144
This covers renames, addition of attributes, and the delete.
We also confirm the results via DRS.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This matches Windows 2012R2, which both has the RDN not sorted last and has it updated with the local
invocation_id and a local version.
The RDN attribute, unlike name, is not replicated over DRS, so the impact for interopability extends only to
the incorrect RDN values that we were finding with dbcheck (values that did not match the name values).
Finally, we always force the RDN to match the name attribute, which avoids issues
in dbcheck where these diverge. As such, we can finally remove dbcheck as a
flapping test, last re-added in e4bab3a828
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Per tests against Windows 2012R2 the RDN is not sorted last and is
instead sorted normally with all the other elements.
The RDN attribute, unlike name, is not replicated over DRS, so this
has no interopability impact.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This covers a bug where unrelated attribute changes would reverse a rename
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This will allow the test for "name" and the actual DN to be consistent,
and so avoids dbcheck errors when CN and name do not match the DN
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
The previous tests would take 20mins, the new set of tests take around 7 mins and still cover
the important combinations, given that it is the same KDC code in each environment
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 6 20:32:54 CEST 2016 on sn-devel-144
This meant that for ages, the duplicate OID was unnoticed, and when the syntax
was corrected recently, this caused the test to run, and so cause trouble
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This allows us to catch such errors here, rather than just on dbcheck later
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This does not depend on DRSUAPI_DRS_GET_ANC.
This test is not new, but it was not previously being run.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This tests complex rename and modify combinations in a way that
demonstrated a number of replication failures, due to incorrect
handling in Samba when the parent of the record changes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This can help isolate which object this is when the object is involved
in a rename.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The previous behaviour of this code was to overwrite the req->callback of the original, failed request.
This is a problem for many reasons - including that ldb_module_done() may already have been
called on that pointer.
The correct pattern is to create a new request, and to call ldb_module_done() on the parent
request (the one in ar->req) not in this one, in the error case.
We use the passed in new callback either as the callback to call on success, or
as the callback to the ADD request. We overwrite it with replmd_op_name_modify_callback
in the rename remote case, as before, but no longer modify req->callback as
this will not be used again.
This is less tricky and a little simpler to follow, as we also remove the
now unused handling for RENAME, which is in a separate routine now
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This avoids running this code path, originally written for the add case, in
a semi-async manner in the rename case, which caused both bugs and complexity.
This does create a deal of duplicated code, but it is easier to follow because
there are no longer special cases for ADD and RENAME in the "common" code and
the behaviour of ldb_module_done() and the callbacks is well defined and expected
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
The creating of replicated objects without their parent object allows database corruption as they can end up under
the wrong object. We need to re-try the replication with the DRSUAPI_DRS_GET_ANC flag
set to get the objects in tree order.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This avoids re-adding the same code in repl_meta_data or making a shared subroutine
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
This avoids fetching it over and over again
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 6 12:25:14 CEST 2016 on sn-devel-144
This makes us replicate the schema, and then go back to what we asked to replicate
originally, when the schema changes. This should make the replication much more
robust after schema changes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Older Samba versions could delete this. This patch tries very hard
to put back the original object, with the original GUID, so that
if another replica has the correct container, that we just merge
rather than conflict.
The existing "wrong dn" check can then put any deleted objects
under this container correctly.
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This causes the version number in replPropertyMetaData to be
incorrectly bumped twice, because it is implied by not being in the
list of attributes to be preserved.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This avoids a segfault when we remove the duplication of this value from dsdb_convert_object_ex()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The tests that invoke --local will not pass, naturally, but otherwise it works
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This is needed so that we get parents before children.
We need this to ensure that we always know the correct parent for a
new child object, rather than just trusting the DN string
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We know which NC this is in, so save searching all the backends.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
When we were processing an EXOP, we would pass in a DN specific to that
operation, but this stopped repl_meta_data from finding the parent object
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
On windows, the RDN is not sorted last. Additionally, the check should have been
against dsdb_attribute_get_attid(), not just ->attributeID_id
By including this in earlier versions of Samba, we allow a backport of Samba
databases from Samba 4.5, where this will be sorted in the same way
as Windows 2012R2.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11842
The urgent_replication.py test used the OID of uid, and this caused
other tests to fail
The other random OIDs should have been from under our arc, not under
iso.member-body.us
We split up the range a little to avoid some of the birthday paradox,
in the tests that create multiple OIDs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jun 3 11:02:26 CEST 2016 on sn-devel-144
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We would build, but not use, many components of the NTVFS file server
even when we asked not to. They would then consume disk, but not be
of any use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jun 2 16:35:35 CEST 2016 on sn-devel-144
In case of a wrong realm in a cross forest trust we return early with
just the realm corrected. We need to parse a kdb entry but do not have
all information available. So skip creating the kmod.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
If we return because of a wrong realm in a cross forest trust case, we
do not have a skdc_entry allocated.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
These things are applied by the incoming ticket by the KDC.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This is a preperatory test to add tests for the MIT KDC.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Following from the lesson of subtree_rename, do the rename first,
as this is more likely to fail for some reason
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 1 14:01:36 CEST 2016 on sn-devel-144
Otherwise, we might rename children to be under a different, conflicting, DN.
This would normally be picked up in the transaction rollback, but in replication
the transaction is not aborted for this situation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Our newly run repl_exop tests expect this, matching Windows 2012R2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
samba-too: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles
Signed-off-by: Rowland Penny <rpenny@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
W2K8 Clients ask for DRSUAPI_SUPPORTED_EXTENSION_LH_BETA2 on DsBind. W2K8
expect this to be set (with server fl 2k8) or else they do not call
DsGetDomainControllerInfo.
If DRSUAPI_SUPPORTED_EXTENSION_LH_BETA2 is set, DsGetDomainControllerInfo
must be able to return DCInfo Level 3.
If Samba4 AD ist set to work as 2k8, with >2k8 clients the following
will not work as expected:
* Group Policy Editor Infrastructure Discovery
* nltest /dclist:<domain>
* w32tm /monitor
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9971
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9976
Signed-off-by: Dirk Godau <voidswitch@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May 26 06:21:10 CEST 2016 on sn-devel-144
These are marked as known_fail pending the next patch ("Extend DsBind
and DsGetDomainControllerInfo to work with w2k8").
Signed-off-by: Dirk Godau <voidswitch@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The folks at heimdal didn't like the patch in
commit 6379737b7d and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned->signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri May 13 03:50:10 CEST 2016 on sn-devel-144
in run_opentest()
While fixing this, also convert to using talloc_asprintf instead.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>