IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This should make it clear at run-time how dns_hub is actually proxying
DNS requests, which will hopefully aid in debugging problems (i.e.
forgetting to add a mapping when adding a new DNS realm).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 6 00:48:43 UTC 2019 on sn-devel-144
We've dropped the iface logic now - this dictionary maps from
realm-to-IP.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The code is more readable if the hashmap translates between realm and
DC-name, rather than realm-to-iface. We already have a function to map
between DC-name and iface (and since we're doing this, we might as well
map straight to IP address).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Instead of storing hashmaps in 2 different files, we can just convert a
perl hashmap into a string, pass it to dns_hub, and convert it back into
a python dictionary.
The main reason for doing this is the IP-to-testenv mapping now all
lives in a single file (Samba.pm). All this logic is right next to each
other rather than being split across multiple files. Hopefully this will
make it easier to keep it up to date as we add new testenvs.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add a separate helper function, as the realm-to-IPv4-addr logic is
fairly self-contained.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dns_hub.py maps the testenv realm to an IP and Samba.pm maps the testenv
NetBIOS name to an IP. We need to keep the two places consistent, as we
add or remove testenvs.
This patch changes dns_hub.py so that it uses a similar hashmap to
Samba.pm. We now have a hashmap with the same name in 2 different
places, so hopefully that's easier to tie them together and keep them in
sync.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It looks a bit cleaner if we declare the hash-map in one go, rather than
adding each entry one at a time. Also added a comment explaining what
the hash-map is for, and fixed up tab vs spaces inconsistencies.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We implicitly assume the client IP used by selftest is always
127.0.0.11. Add an iface entry for the client to make this a little more
explicit.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dns_hub doesn't need to store $ctx->{swiface}. Other testenvs store this
and export it as SOCKET_WRAPPER_DEFAULT_IFACE (i.e. for the tests to
use), but dns_hub doesn't need to do this.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The auth-logging tests are an odd combination of server and client
behaviour. On the one hand we want a IRPC connection to see the auth
events being logged on the server. On the other hand, we want the auth
events to appear to be happening on a client. Currently we hardcode in
the use of a SOCKET_WRAPPER interface to make this happen.
We can avoid this explicit socket wrapper usage by using the server
smb.conf instead in the one place we actually want to act like the
server (creating the IRPC connection). Then we can switch from using
the 'ad_dc*:local' testenvs to use 'ad_dc*', in order to act like a
client by default. The SERVERCONFFILE environment variable has already
been added for the few cases where a test needs explicit access to the
server's smb.conf.
However, for samba.tests.auth_log, the samlogon test cases are still
reliant on being run on the :local testenv, and so we can't switch them
over just yet. This is because the samlogon is using the DC's machine
creds underneath, which will fail on the non-local testenv. We could
create separate machine creds for the client and use those, but this is
a non-trivial rework of the test code.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when
calculating maximum access already seen allow bits are not removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We basically must process the Owner Rights ACEs as any other ACE wrt to the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.
We just have to do some initial magic to determine if an ACL contains and
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:
-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
IF DACL does not contain ACEs from object owner THEN
Remove READ_CONTROL and WRITE_DAC from RemainingAccess
Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
END IF
END IF
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Shows that owner and SID_OWNER_RIGHTS ACE
entries interact in max permissions requests.
Tested against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This was missing in 44590c1b70.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 27 11:24:59 UTC 2019 on sn-devel-144
This will allow us to run really most tests in an isolated
autobuild/ci task later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This will allow us to run really most tests in an isolated
autobuild/ci task later.
This will apply to tests, which may not rely on the ntvfs backend, so
the ad_dc_default alias can point to another environment in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This will allow us to run really slow tests in an isolated
autobuild/ci task later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Using aliases it will be possible to split the large amount
of tests which use ad_dc_ntvfs into multiple autobuild/ci
tasks/jobs later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Previous regression test ensures we still return the correct
error code for POSIX pathname operations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 25 09:33:27 CET 2019 on sn-devel-144
Ensure that if POSIX_foo exists as a file
we return the correct error code NT_STATUS_OBJECT_PATH_NOT_FOUND
if we try and traverse it as a directory.
Also ensure creation/deletion of POSIX_foo/foo fails
for directories and files with NT_STATUS_OBJECT_PATH_NOT_FOUND
if the directory POSIX_foo/ doesn't exist.
knownfail is back :-).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
For posix_pathnames don't blunder into the name_has_wildcard OR
get_real_filename() codepaths as they may be doing case insensitive lookups.
So when creating a new POSIX directory 'Foo' they might
match on name 'foo'.
Remove POSIX-MKDIR from knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Feb 24 14:04:14 CET 2019 on sn-devel-144
Test does:
mkdir POSIX_foo
mkdir POSIX_Foo
mkdir POSIX_foo/Foo
mkdir POSIX_foo/foo
mkdir POSIX_Foo/Foo
mkdir POSIX_Foo/foo
Which should pass a SMB1 POSIX extensions server
as posix mkdir should always be case sensitive
no matter what the share is set to.
Mark as knownfail for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Generate JSON authentication messages for winbind PAM_AUTH and
PAM_AUTH_CRAP requests. The logon_id in these messages can be used to
link them to the SamLogon messages.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tests to validate that winbind generates a random logon_id and passes it
in the netlogon call.
This will allow the linking of the windbind authentication requests and
the SamLogon request on the DC.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Previously we were only checking samba compiled OK with
--disable-python, not that it actually ran.
The main problem is all the make test framework is based around
subunit/smbtorture, neither of which we seem to build with
disable-python. However, for just a simple sanity-check, we can just
bypass all the subunit-filter work and just call the Perl code directly.
This works OK as long as it's just simple shell script tests that we're
running, as we can check the script's exit code directly.
The main thing that we really want to test is that we can start up the
smbd testenv and connect to it (i.e. a simple smbclient test).
This patch adds a new 'make test-nopython' target. This disables the
subunit filtering, and runs a small test-list that was generated manually.
Note that currently this has the limitation that it doesn't support known
failures or flapping tests. However, just checking that smd starts up OK
is probably OK for now.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 20 02:10:00 CET 2019 on sn-devel-144
The --one selftest.pl option means abort when the first test fails.
However, when 'make test' fails to startup a testenv, it'll try to
continue and run other tests by default. When '--one' is used,
selftest.pl can just die() at that point.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It's simpler to do setup DC_SERVER/etc in the same place we set
SERVER/etc. (Rather than initializing them for every single testenv,
like we were doing).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 18 07:24:05 CET 2019 on sn-devel-144
For every 2-DC testenv we setup, we copy the $DC_SERVER value of the
dependent testenv (i.e. the PDC) into the env variables for the new
testenv. This means DC_SERVER always points to the PDC (or first DC).
This adds a helper function to avoid repeating this code for every 2-DC
environment we setup.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Same deal as earlier patch - we can use the $SERVER env variable instead
and avoid the need for this extra variable.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We only really want generic environment variables. For 2+ DC
environments, we have the $SERVER and $DC_SERVER (aka PDC) variables.
However, lots of testenvs also export really specific environment
variables, e.g. VAMPIRE_2000_DC_SERVER_IP (despite that testenv being
only used for a single test case).
Previously the <testenv>_SERVER variable was used for DRS tests, but we
can avoid the need to do this now. The other variables are not used at
all.
The RODC and TRUST environment variables are still used by a few tests.
SUBDOM_DC_SERVER is only used within Samba4.pm and not exported.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In a few rare cases, a test needs to assert aspects both client-side and
server-side aspects. A typical example would be the audit logging, which
is exercising client-side behaviour, but also asserting the server-side
logging.
Usually this has involved a kludge in tests.py to either use
socket-wrapper explicitly, or hardcode in the server smb.conf path.
This patch exposes the existing SERVERCONFFILE env variable to the
tests. DC_SERVERCONFFILE has been added for 2 DC testenvs, where we need
the PDC's smb.conf.
The benefit of doing this way is the filepath/testenv-dependency logic
is all self-contained with the Perl code, and it doesn't bleed out into
tests.py as well.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We prefix samba-tool commands with a bunch of WRAPPER/CONF environment
variables, in order for the command to work properly. These variables
are duplicated all over the place in the selftest code. This patch adds
a helper function to return the variables, so we can reduce the required
code down to a single line in a lot of places.
A couple of exceptions I've left alone:
- drs replicate, which omits the RESOLV_WRAPPER_CONF/_HOSTS variables
(I'm not sure whether that's deliberate or not).
- create_backup(), which uses the backupfromdc's krb5.conf rather than
the new testenv.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Use dsdb_domain_count instead of samdb_search_count to determine the
number of users, groups and aliases. This gives a performance gain of
around 10%, reduces the total memory allocated and fixes the incorrect
count returned for aliases.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests for the number of domain users, groups and aliases returned by
QueryDomainInfo.
These tests revealed that the existing code was not checking the
returned elements to ensure they were part of the domain.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We can't reliable start tests without registered dns names.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This only properly covers the small-message nonblocking case. Covering
the large-message and the blocking case is a much larger effort assuming
we want to re-send the failed message if parts of the message has gone
through properly. Don't do that for now.
This was found by sanba_dnsupdate constantly recreating its irpc handle to
winbindd in the RODC case.
The messaging_dgm code cached connected datagram sockets based on the
destination pid for 1 second. Which means the IRPC responses from
winbindd are never delivered to samba_dnsupdate,
which will then hit a timeout.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13786
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Do ping_pong a hundred times, re-initializing the msg_ctx every time.
https://bugzilla.samba.org/show_bug.cgi?id=13786
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This was added in ac5427c6eb as part of the MIT KDC
effort, but makes some tests much less reliable under high load.
As the Heimdal build does not need this, only specify for the MIT build.
Tested with an MIT AD DC build with:
make test TESTS="samba3.raw.session samba3.smb2.session"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 13 05:49:43 CET 2019 on sn-devel-144
Recently the gitlab CI jobs were hitting memory resource limits and
using swap, which then caused test failures. The process model used in
the testenvs seemed to be contributing to this problem.
We can reduce the memory overhead of the restore/backup testenvs by
using 1 prefork child process instead of the default of 4 (kudos to
Garming for the idea). The tests run against these testenvs are basic
sanity-checks, rather than heavy-duty stress tests, so the number of
prefork workers shouldn't matter.
This is a bit of a tradeoff between testing the defaults that will
actually be used in production vs using limited resources efficiently on
shared CI runner machines.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
