1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

4899 Commits

Author SHA1 Message Date
Douglas Bagnall
d827392f2a replmd: slightly clarify a comment
it has been a long time since we introduced "control", so lets remind
ourselves which control it was.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 13 06:50:12 UTC 2020 on sn-devel-184
2020-06-13 06:50:11 +00:00
Douglas Bagnall
0f6c8a75e6 dsdb/mod/acl_util: do not deref NULL sd_flags control
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-13 05:25:31 +00:00
Gary Lockyer
8c17b6f82f Fix clang 9 format-nonliteral warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Andrew Bartlett
906aa7ddb8 CVE-2020-10700: dsdb: Do not permit the ASQ control for the GUID search in paged_results
ASQ is a very strange control and a BASE search can return multiple results
that are NOT the requested DN, but the DNs pointed to by it!

Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon May  4 10:14:28 UTC 2020 on sn-devel-184
2020-05-04 10:14:28 +00:00
Andrew Bartlett
5603d26770 CVE-2020-10700: dsdb: Add test for ASQ and ASQ in combination with paged_results
Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding,
reporting and working with us to diagnose this issue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-05-04 08:19:41 +00:00
Andreas Schneider
ecdd17c536 s4:samdb: Do not create WDdigests for HTTP if weak crypto is disabled
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2020-04-08 13:02:39 +00:00
Volker Lendecke
e74e85ee66 dsdb: Use ARRAY_DEL_ELEMENT() in dirsync_filter_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-03-26 14:43:31 +00:00
Andrew Bartlett
5c1867ba45 py3: Remove #define PyInt_FromLong PyLong_FromLong
This allows us to end the use of Python 2/3 compatability macros.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power
2020-03-23 19:12:43 +00:00
Andrew Bartlett
a4cdfbd167 dsdb: Allow delete (directly and over DRS) of an object with a link to itself
Previously this would fail with Unsupported critical extension 1.3.6.1.4.1.7165.4.3.2

Reported by Alexander Harm.  Many thanks for helping make Samba better
and for your patience with patches and providing debugging information.

REF: https://lists.samba.org/archive/samba/2020-February/228153.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-22 04:39:36 +00:00
Andrew Bartlett
ad750ed10f dsdb: Add test for the case of a link pointing back at its own object
This type of object was not possible to delete in Samba without first removing
the link.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-22 04:39:36 +00:00
Jonathon Reinhart
a4ed6ada50 Remove unnecessary/incorrect talloc_steal() calls
The talloc_steal() in dsdb_enum_group_mem() is unnecessary, because
members was already allocated from the same mem_ctx.

The talloc_steal() in pdb_samba_dsdb_enum_aliasmem() is also unnecessary
for the same reason, but also incorrect, because it should be
dereferencing pmembers:

    talloc_steal(mem_ctx, *pmembers);

Furthermore, we should only assign to *pnum_members on success; otherwise
num_members is used uninitialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14264

Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  5 18:40:16 UTC 2020 on sn-devel-184
2020-03-05 18:40:16 +00:00
Andrew Bartlett
84172ae7cb dsdb: Add debugging for a contrived situation where a non-schema attribute is on the record
I had to modify the backend DB to produce this error, but
I would like a clear error anyway.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar  2 04:14:22 UTC 2020 on sn-devel-184
2020-03-02 04:14:21 +00:00
Andrew Bartlett
1a0d43bbcc dsdb: Add very verbose debugging if a delete fails in repl_meta_data
The modification into a tombstone should be a pretty reliable operation
so if it fails print lots of info for debugging.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-03-02 02:47:30 +00:00
Andrew Bartlett
a3fc18f679 dsdb: Rewrite comment to remove refernece to LDAP backends
This is required despire the demise of the LDAP backend.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 28 04:42:23 UTC 2020 on sn-devel-184
2020-02-28 04:42:23 +00:00
Andrew Bartlett
dc308d1c29 dsdb: Remove dead code in partition_prep_request()
The partition variable is never NULL.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-02-28 03:08:46 +00:00
Andrew Bartlett
01a3cf8e1e dsdb: Do not use ldb_save_controls() in partitions module for domain_scope
The LDAP backend is long-removed so we do not need this workaround
for a confused server any longer.

This avoids references to old (but valid) memory after a new ldb_control array is
allocated in ldb_save_controls() and keeps the controls pointer as
constant as possible given the multiple ldb_request structures it
will appear in.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-02-28 03:08:46 +00:00
Andrew Bartlett
47b6c4b8f5 dsdb: Improve clarity by adding a comment in replmd_delete_internals()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-02-28 03:08:46 +00:00
Andrew Bartlett
7ad56d4174 dsdb: Simplifiy VANISH_LINKS handling: The variable "parent" is always non-NULL
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-02-28 03:08:46 +00:00
Douglas Bagnall
c247afbda0 pytests: heed assertEquals deprecation warning en-masse
TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-02-07 10:37:37 +00:00
Andrew Bartlett
3657bbc211 dsdb: Correctly handle memory in objectclass_attrs
el->values is caller-provided memory that should be thought of as constant,
it should not be assumed to be a talloc context.

Otherwise, if the caller gives constant memory or a stack
pointer we will get an abort() in talloc when it expects
a talloc magic in the memory preceeding the el->values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14258

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-02-06 14:57:42 +00:00
Gary Lockyer
13658324a3 CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
ldb_msg_add_empty reallocates the underlying element array, leaving
old_el pointing to freed memory.

This patch takes two defensive copies of the ldb message, and performs
the updates on them rather than the ldb messages in the result.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14050

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Jan 21 11:38:38 UTC 2020 on sn-devel-184
2020-01-21 11:38:38 +00:00
Andrew Bartlett
86023642c3 repl_meta_data: Only reset replMetaData entry for name if we made a conflict name here
We previously set it for any rename

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:39 +00:00
Andrew Bartlett
9e126852a6 repl_meta_data: Do not set *rename = true unless there has been a conflict on the incoming DN
The normal case of a partner-sent rename is not a cause for updating the replPropertyMetaData

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:39 +00:00
Andrew Bartlett
512ea17983 repl_meta_data: Add comment explaining what is being renamed after the conflict is resolved
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:39 +00:00
Andrew Bartlett
2b1828276b CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
We can not process on the basis of a DN, as the DN may have changed in a rename,
not only that this module can see, but also from repl_meta_data below.

Therefore remove all the complex tree-based change processing, leaving only
a tree-based sort of the possible objects to be changed, and a single
stopped_dn variable containing the DN to stop processing below (after
a no-op change).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
b7030f9a8b CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
Previously if there was a conflict, but the incoming object would still
win, this was not marked as a rename, and so inheritence was not done.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
4c62210098 CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
520d2ae187 CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
3f3791765c CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
If we are renaming a DN we can be in a situation where we need to

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
5d714c1cea CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Andrew Bartlett
545d205e5b CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is proctected by a transaction
This means we can trust the DB did not change between the two search
requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-01-21 10:11:38 +00:00
Volker Lendecke
b274bc698e dsdb: Use write_data() to write to the password check script
A simple write() might be interrupted or do short writes. Highly
unlikely, but if it happens, it will be impossible to diagnose.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-19 18:29:39 +00:00
Volker Lendecke
229518ec01 dsdb: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-19 18:29:39 +00:00
Volker Lendecke
fd406528b7 dsdb: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2020-01-03 00:04:43 +00:00
Volker Lendecke
f53c8fbd7f audit_log: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2020-01-03 00:04:43 +00:00
Ralph Boehme
12e97ee3e8 smbdotconf: mark "check password script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:34 +00:00
Andrew Bartlett
6107c79c90 build: Do not build selftest binaries for builds without --enable-selftest
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()

This allows us to be much more consistent (at least in the core Samba)
and documents clearly why the binary should not be installed.

Not modified are
 - test_lp_load
 - notifyd-tests
 - gendrandperf
 - test* from examples/libsmbclient
 - dbwrap_torture
 - split_tokens
 - locktest2
 - msgtest
 - msg_sink
 - msg_source
 - versiontest
 - rpc_open_tcp
 - test_headers

As these are not tested in selftest so any change would also be
untested.  Of course they probably should be added in a different
MR.

Also not modified (because they are not tests, nor part of the
build system) are:
 - smb2mount
 - notifydd
 - log2pacp
 - debug2html
 - smbfilter
 - destroy_netlogon_creds_cli
 - spotlight2*
 - tevent_glib_tracker

These do however appear to be untested.

For now, the source4 forked client tools are left unchanged:
 - smbclient4
 - nmblookup4

Finally, the heimdal binaries are left as install=False as
they are either part of the build system or end-user tools
that we just don't want to install.  These are however tested.

The motivation is commit like c34ec003b7
and da87fa998a, which are both totally
correct but are not needed if the selftest is not run on MacOS.

There are likely other platforms or build environments where building
our test binaries is more pain than valuable, see for example also
https://lists.samba.org/archive/samba/2019-November/227137.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 11:48:59 +00:00
Isaac Boukris
982aa328f6 password_hash: do not generate single DES keys
Per RFC-6649 single DES enctypes should not be used.

MIT has retired single DES encryption types, see:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html

As a workaround, store random keys instead, making the usage of signle DES
encryption types virtually impossible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-19 14:48:41 +00:00
Andrew Bartlett
dc5788056b build: Only link against libcrypt where needed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-11-13 08:42:30 +00:00
Andrew Bartlett
03205663b3 CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Oct 31 23:29:15 UTC 2019 on sn-devel-184
2019-10-31 23:29:14 +00:00
Andrew Bartlett
e62c535d5b CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync
Incremental results are provided by a flag on the dirsync control, not
by changing the attribute name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-10-31 22:07:40 +00:00
Björn Jacke
60fcfa506d source4/dsdb/schema/schema_description.c: typo fixes
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2019-10-31 00:43:37 +00:00
Björn Baumbach
ef58222616 CVE-2019-14833 dsdb: send full password to check password script
utf8_len represents the number of characters (not bytes) of the
password. If the password includes multi-byte characters it is required
to write the total number of bytes to the check password script.
Otherwise the last bytes of the password string would be ignored.

Therefore we rename utf8_len to be clear what it does and does
not represent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Oct 29 11:58:45 UTC 2019 on sn-devel-184
2019-10-29 11:58:45 +00:00
Stefan Metzmacher
d0f566c4ad s4:dirsync: fix interaction of dirsync and extended_dn controls
Azure AD connect reports discovery errors:
  reference-value-not-ldap-conformant
for attributes member and manager.
The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
an ExtendedDNRequestValue blob, which means the flag value should
be treated as 0 and the HEX string format should be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153
RN: Prevent azure ad connect from reporting discovery errors:
reference-value-not-ldap-conformant

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 24 11:06:58 UTC 2019 on sn-devel-184
2019-10-24 11:06:58 +00:00
Stefan Metzmacher
6d43d82b49 s4:tests/dirsync: add tests for dirsync with extended_dn
This demonstrates a problems that the extended_dn returned
by the dirsync module always uses the SDDL format for GUID/SID
components.

Azure AD connect reports discovery errors:
  reference-value-not-ldap-conformant
for attributes member and manager.
The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
an ExtendedDNRequestValue blob, which means the flag value should
be treated as 0 and the HEX string format should be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-10-24 09:46:28 +00:00
Andrew Bartlett
7c83b1ade7 dsdb: Change LDB_TYPESAFE_QSORT() to TYPESAFE_QSORT() in operational module
This call does not use the context argument so no additional parameter is needed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 18 10:58:45 UTC 2019 on sn-devel-184
2019-10-18 10:58:44 +00:00
Andrew Bartlett
517342399c dsdb: Change LDB_TYPESAFE_QSORT() to TYPESAFE_QSORT() in repl_meta_data module
This call does not use the context argument so no additional parameter is needed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 09:26:41 +00:00
Stefan Metzmacher
09de6f0618 librpc/idl: change from samr_GroupAttrs in samr.idl to security_GroupAttrs in security.idl
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-20 01:14:42 +00:00
Volker Lendecke
3084928383 messaging4: Pass fds to messaging handlers
Boiler-plate replacement moving the (num_fds!=0) check down

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-18 20:10:24 +00:00
Volker Lendecke
3a0047eaf1 dsdb: Fix CID 1453464: Error handling issues (CHECKED_RETURN)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-04 17:03:33 +00:00
Volker Lendecke
09946c558f dsdb: Fix CID 1453465: Null pointer dereferences (NULL_RETURNS)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-04 17:03:33 +00:00
Andrew Bartlett
2972981882 dsdb: Remove unused local_password module
This was an idea about how Samba might have worked if passwords were
not safe to be stored in a remote DB (get some kind of LDAP backend).

Nothing ever used this, but it was a nice idea.  But git master is not
the place to preserve history, even interesting ideas like splitting
passwords from the non-password data (possible because, in the same way
we are allowed to encrypt them, we do not allow a search on password
values).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-09-01 23:55:39 +00:00
Andrew Bartlett
72201055f5 dsdb: Remove unused simple_dn module
This became unused with 2b0fc74a09 that
removed the last of the support for the LDAP Backend

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-09-01 23:55:38 +00:00
Andrew Bartlett
af6799bf4f util: Remove unused NS_GUID_string() and NS_GUID_from_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14063
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-09-01 23:55:38 +00:00
Andrew Bartlett
cf3977585d dsdb: Remove unused entryuuid and nsuniqueid modules
These were for the now removed OpenLDAP backend.  Any future work in this area will
not involve this kind of translation, it will be done much more cleanly.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-09-01 23:55:38 +00:00
Mathieu Parent
549a4a82e0 Spelling fixes s/preceeding/preceding/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:28 +00:00
Mathieu Parent
105bb06318 Spelling fixes s/withing/within/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:28 +00:00
Mathieu Parent
d9b50ce7df Spelling fixes s/recieved/received/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:27 +00:00
Mathieu Parent
a03bafbcd5 Spelling fixes s/overriden/overridden/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:26 +00:00
Andrew Bartlett
2b0fc74a09 dsdb: Remove OpenLDAP backend complexity from samba_dsdb module
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 30 09:50:25 UTC 2019 on sn-devel-184
2019-08-30 09:50:25 +00:00
Andrew Bartlett
3da41b51b0 dsdb: Remove OpenLDAP backend complexity from partitions module
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2019-08-30 08:32:30 +00:00
Andrew Bartlett
6d1fe28411 dsdb: Remove LDAP backend specific modules from extended_dn_out
This simplifies the code considerably.  A real attempt at an LDAP backend would need to implement this
module in a similar way to LDB.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2019-08-30 08:32:30 +00:00
Aaron Haslett
b5b6b74b82 paged results: tests without server_sort ctrl
On windows, adding or modifying a record during a paged results search
behaves differently depending on whether or not you supply server_sort
control.  This patch adds tests and documentation.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 30 08:26:21 UTC 2019 on sn-devel-184
2019-08-30 08:26:21 +00:00
Andrew Bartlett
b4816861f2 s4-dns: Deprecate BIND9_FLATFILE and remove "rndc command"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 22 21:24:00 UTC 2019 on sn-devel-184
2019-08-22 21:24:00 +00:00
Andrew Bartlett
85a1c49739 s4-samdb: Remove duplicate encrypted_secrets code using internal Samba AES
We now rely on GnuTLS 3.4.7 or later.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:31 +00:00
Andreas Schneider
d46e538d52 s4:samdb: Only include necessary header files in encrypted_secrets
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
7bf3c5d764 s4:samdb: Remove dual-stack mode from (test_)encrypted_secrets
Now we either build with GnuTLS or Samba crypto. If a modern GnuTLS
version is detected that will be used and Samba crypto wont be
available.

This removes the dual-stack mode that encrypted with one and decrypted
with the other in the testsuite.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Commit message clarified by Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andrew Bartlett
92b9cdf99d encrypted_secrets: Add known and expected value test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
feccdebe15 s4:samdb: Add test_gnutls_value_decryption()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-08-21 09:57:29 +00:00
Andreas Schneider
a3e36dd8f4 s4:samdb: Use generate_nonce_buffer() for AEC GCM nonce
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-08-14 15:07:24 +00:00
Volker Lendecke
d8ae281152 dsdb: Fix the FreeBSD build
My FreeBSD install does not have __compar_fn_t. libreplace has the
QSORT_CAST for systems that do.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-06 21:49:28 +00:00
Andrew Bartlett
1a7f2a230d dsdb: Quiet CID 1452117 1452119 1452114 (STRAY_SEMICOLON)
Try to make clear what is being done here, we are trying to count the partitions so that
we can then walk them in reverse.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-08-01 05:01:15 +00:00
Douglas Bagnall
0c001a7bf6 CID 1452121: dsdb/mod/partition: protect whole function with NULL check
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 31 04:08:48 UTC 2019 on sn-devel-184
2019-07-31 04:08:48 +00:00
Douglas Bagnall
a5ec857abe CID 1452109: dsdb/util: do not check for NULL after deref
This is all strictly unnecessary, as ret is always != LDB_SUCCESS when
res is NULL, but we want to make peace between clang and converity.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-31 02:50:24 +00:00
Douglas Bagnall
e77237bb46 s4/dsdb/replmd: use incoming_dn_should_be_renamed() 2/2
In replmd_replicated_handle_rename().

The helper function was introduced two commits ago and consists of
a large common stretch of this and the function modified in the previous
commit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 24 11:21:50 UTC 2019 on sn-devel-184
2019-07-24 11:21:50 +00:00
Douglas Bagnall
b9dab848de s4/dsdb/replmd: use incoming_dn_should_be_renamed() 1/2
In replmd_op_possible_conflict_callback().

The helper function was introduced in the previous commit and consists
of a large common stretch of this and replmd_replicated_handle_rename().

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-24 09:35:24 +00:00
Douglas Bagnall
5d75ab3ebf s4/dsdb/replmd: add a helper for common calculations
We currently do exactly this work, in exactly these words (ignoring
formatting) in two different places. The next two commits will make
those places use this helper function. We do this over three commits
so that we can more easily compare the next two and be sure they are
doing the same thing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-24 09:35:24 +00:00
Douglas Bagnall
e7a6c70953 s4/dsdb/replmd: replicated_handle_rename free temp_ctx
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-24 09:35:24 +00:00
Aaron Haslett
6c691bf84e partition: reversing partition unlocking
Unlock partition databases in the reverse order from which they were
acquired. This is separated from the previous commit for future
bisecting purposes, since the last commit was made to fix specific CI
failures, while this one is a speculative fix made based on code
inspection.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-24 05:50:23 +00:00
Aaron Haslett
7f4bc0ea81 partition: correcting lock ordering
A schema reading bug was traced to a lock ordering issue in partition.c.
This patch fixes the problem by:
1. Releasing locks/transactions in the order they were acquired.
2. Always lock/start_trans on metadata.tdb first, before any other
databases, and release it last, after all others. This is so that we are
never exposed to MDB's lock semantics, which we don't support.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-24 05:50:23 +00:00
Noel Power
54af94ff21 s4/source4/common: clang: Fix 'Dereference of undefined pointer value'
Fixes:

source4/dsdb/common/util.c:3131:6: warning: Dereference of undefined pointer value <--[clang]
        if (res->count < 1) {
            ^

/source4/dsdb/common/util.c:3207:6: warning: Dereference of undefined pointer value <--[clang]
        if (res->count < 1) {
            ^~~~~~~~~~
source4/dsdb/common/util.c:4004:39: warning: Dereference of undefined pointer value <--[clang]
        (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
                                             ^
source4/dsdb/common/util.c:4191:35: warning: Dereference of undefined pointer value <--[clang]
        ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");

source4/dsdb/common/util.c:5757:13: warning: 1st function call argument is an uninitialized value <--[clang]
        same_nc = (ldb_dn_compare(source_nc, target_nc) == 0);
                   ^
This fix also fixes the associated 'Access to field 'xyx' results in a
dereference of a null pointer' warnings that also will happen when this
is fixed

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Jul 24 05:49:14 UTC 2019 on sn-devel-184
2019-07-24 05:49:14 +00:00
Noel Power
c7c40e205d s4/dsdb/common: clang: Fix 'Value stored to 'cps_stdin' is never read'
Fixes:

source4/dsdb/common/util.c:2125:4: warning: Value stored to 'cps_stdin' is never read <--[clang]
                        cps_stdin = -1;

                        ^           ~~
source4/dsdb/common/util.c:2132:3: warning: Value stored to 'cps_stdin' is never read <--[clang]
                cps_stdin = -1;

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Noel Power
55f18757aa s4/dsdb/common: clang: Fix 'Access results in a deref of a null pointer'
Fixes:

source4/dsdb/common/util.c:2000:6: warning: Access to field 'count' results in a dereference of a null pointer (loaded from variable 'res') <--[clang]
        if (res->count != 1) {
            ^~~

source4/dsdb/common/util.c:3281:28: warning: Access to field 'msgs' results in a dereference of a null pointer (loaded from variable 'res') <--[clang]
        el = ldb_msg_find_element(res->msgs[0], attr);
                                  ^~~
source4/dsdb/common/util.c:3568:6: warning: Access to field 'count' results in a dereference of a null pointer (loaded from variable 'res') <--[clang]
        if (res->count != 1 || ret != LDB_SUCCESS) {
            ^~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Noel Power
bd86df913b s4/dsdb/common: clang: Fix 'The left operand of '&' is a garbage value'
Fixes:

source4/dsdb/common/util.c:1964:18: warning: The left operand of '&' is a garbage value <--[clang]
        return (options & DS_NTDSDSA_OPT_IS_GC) != 0;
                ~~~~~~~ ^

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Noel Power
79d585689e s4/dsdb/common: clang: Fix 'function call argument is an uninitialized value'
Fixes:

source4/dsdb/common/util.c:1804:8: warning: 3rd function call argument is an uninitialized value <--[clang]
        ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-24 04:19:27 +00:00
Douglas Bagnall
5405f2ad7e s4/py_dsdb: avoid NULL deref in set_domain_sid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:25 +00:00
Aaron Haslett
ee2fe56ba0 drepl: memory leak fix
Fixes a memory leak where schema reference attached to ldb
instance is lost before it can be freed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184
2019-07-17 06:17:10 +00:00
Noel Power
c38a7745b1 s4/dsdb/common: clang: Fix access results in null pointer deref.
Fixes:

source4/dsdb/common/util_trusts.c:2915:21: warning: Access to field 'sid' results in a dereference of a null pointer (loaded from field 'tdo') <--[clang]
        d->di.domain_sid = d->tdo->sid;
                           ^  ~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-11 04:08:13 +00:00
Douglas Bagnall
1d6b472cdc pyldb: rename pyldb_Dn_AsDn() to pyldb_Dn_AS_DN()
Following the python/C convention for checking vs non-checking
convertors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
e075f52a75 pyldb: fork pyldb_Ldb_AsLdbContext macro to reflect unsafeness
In the Python/C API, conversion functions which check the types of their arguments
have names like:

double PyFloat_AsDouble(PyObject *pyfloat);

while conversion macros that don't check have names like:

PyFloat_AS_DOUBLE(pyfloat)

The pyldb_Ldb_AsLdbContext() macro looks like one of the checking functions
but it actually isn't. This has fooled us more than once. Here we fork
the macro into two -- one which performs checks and keeps the camel
case, and one with a shouty name that keeps the check-free behaviour.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Gary Lockyer
063809bc96 dsdb repl_meta_data: Don't print ldif on error
Don't call ldb_ldif_message_redacted_string when linked_attr_modify
fails.  When joining a large domain this takes way to much time, in excess of 3
hours for a join on a 200k domain.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Jul  9 03:03:25 UTC 2019 on sn-devel-184
2019-07-09 03:03:25 +00:00
Noel Power
d54f9aaf81 s4/dsdb/schema: clang: Fix Array access results in null pointer deref
Fixes:
source4/dsdb/schema/schema_query.c:223:15: warning: Array access (from variable 'attr_list') results in a null pointer dereference <--[clang]
        attr_list[i] = NULL;
        ~~~~~~~~~    ^
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-08 09:30:10 +00:00
Noel Power
50a22849ce s4/dsdb/schema: Fix 'Value stored to 'ret' is never read'
Fixes:

source4/dsdb/schema/schema_set.c:274:3: warning: Value stored to 'ret' is never read <--[clang]
                ret = LDB_SUCCESS;
                ^     ~~~~~~~~~~~
source4/dsdb/schema/schema_set.c:327:3: warning: Value stored to 'ret' is never read <--[clang]
                ret = LDB_SUCCESS;
                ^     ~~~~~~~~~~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-08 09:30:10 +00:00
Noel Power
109b438181 s4/dsdb/schema: Fix Access to field results in deference of null pointer
Fixes:

source4/dsdb/schema/schema_info_attr.c:207:38: warning: Access to field 'revision' results in a dereference of a null pointer (loaded from variable 'schema_info') <--[clang]
        if (schema->schema_info->revision > schema_info->revision) {
                                            ^~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-08 09:30:10 +00:00
Gary Lockyer
7d17dbd10e s4 samdb: pass ldb options to ldb_module_connect_backend
Pass the ldb options into ldb_module_connect_backend, to ensure ldb
options such as "batch mode" and "transaction index cache size" get passed
through to the backend modules.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-04 10:02:23 +00:00
Douglas Bagnall
a4cea294d3 s4/tests/dsdb_schema: not usefully executable as script
You could run the script, but it wouldn't do anything.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-02 04:21:36 +00:00
Tim Beale
98848142cd repl_md: Avoid dropping cross-partition links
Cross-partition links could still be dropped if GET_TGT was already
previously set for the replication.

This was due to a slight error in the order of logic. We never want to
ignore cross-partition links (regardless of whether the TARGETS_UPTODATE
/GET_TGT flag is set). We should only be returning early in the
GET_TGT case if the objects are both in the same partition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14022
RN: When the AD domain contained a linked attribute that spanned
partitions, DRS replication could drop the link. This dropped link could
then result in subtle differences in behaviour between DCs, as some DCs
would have the link and others wouldn't. When this issue occurred, the
dropped link would be logged in a warning message:
 "<target-dn> is Unknown but up to date. Ignoring link from <source-dn>"
This issue would not always occur - it depended a lot on the database
contents. Typically, it would only potentially occur when joining a new
DC to the domain (doing an ldapcmp after the join would also highlight
the problem, if it occurred). This issue has now been resolved.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-02 04:21:36 +00:00
Swen Schillig
3bc973c602 source4: Update all consumers of strtoul_err(), strtoull_err() to new API
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-06-30 11:32:18 +00:00
Tim Beale
295bf73e9b dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.

We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.

The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-06-26 04:12:33 +00:00
Andrew Bartlett
f178daa854 py3: Remove PyStr_AsString() compatability macro
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2019-06-24 17:24:27 +00:00
Andrew Bartlett
34f9a089d8 py3: Remove PyStr_FromString() compatability macro
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2019-06-24 17:24:27 +00:00
Douglas Bagnall
6aa5d1f684 CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
So that we don't dereference result->msgs[0] when it doesn't exist.
This can happen when the object has changed in such a way that it no
longer matches the original search query.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Jun 19 08:16:39 UTC 2019 on sn-devel-184
2019-06-19 08:16:39 +00:00
Gary Lockyer
ae4461dce9 auth auth_log: csbuild unused parm unix_username
Fixes csbuild errors

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function
‘log_authentication_event_human_readable’
auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-13 07:16:22 +00:00
Aaron Haslett
4eee09a2c1 dsdb: disable ORDERED_INTEGER with MDB pack format v1
For TDB databases, the new ORDERED_INTEGER type is disabled along with
repacking at format version 1 if GUID indexing is disabled, so all the new
database features are toggled together. This scheme doesn't work with
MDB because GUID indexing is mandatory when using MDB. However, a
downgrade path is still required so in a previous commit we added
a pack_format_override option which allows a downgrade script to force
the database to use an earlier packing format. But, the new
ORDERED_INTEGER type would still be present in MDB databases so this
patch reads the pack_format_override opaque and converts ORDERED_INTEGER
types in @ATTRIBUTES to INTEGER and doesn't write any indexes of that
type to @INDEXLIST. The @INDEXLIST will be refreshed later, on the first
transaction.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2019-05-29 04:41:25 +00:00
Aaron Haslett
08b9d204b6 ldb: binding ordered indexes to GUID indexing
To reduce the number of potential combinations of database features in
ldb, we want to link all new database features since 4.7. GUID indexing,
ordered integers, and pack format changes will all upgrade together.
This patch makes ordered integers only function if GUID indexing is
enabled. If GUID indexing is disabled, ORDERED_INTEGER will not be
written to @ATTRIBUTES and a syntax's index_format_fn will never be
used.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-05-29 04:41:24 +00:00
Stefan Metzmacher
706aba5bf6 dsdb:audit_log: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."
We better print "... remote host [Unknown] SID [S-1-5-18] ..."
in 'dsdb_audit' message, this matches what we print for
'dsdb_json_audit'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-05-28 07:16:25 +00:00
Gary Lockyer
1958cd8a7f ldap server: generate correct referral schemes
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
2019-05-24 05:12:14 +00:00
Andrew Bartlett
e421c13bbc dsdb: Remove unsued dsdb_class_by_cn()
The callers moved to dsdb_class_by_cn_ldb_val() with
43aa546ecc in 2009.

Found by callcatcher

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-22 05:59:13 +00:00
Andreas Schneider
e6506ddec4 s4:dsdb: Use GnuTLS MD5 in password_hash module
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-21 00:03:22 +00:00
Andrew Bartlett
9822628749 selftest: Remove gensec.FEATURE_SEAL from samba4.ldap.notification
This made it much harder to watch under wireshark and is not required (no password setting).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:11 +00:00
Andrew Bartlett
46185daeb2 dsdb: lock metadata.tdb during lock_read in partitions module
metadata.tdb was being locked during transactions, but not during read, and
we should ensure we take all our locks in order for consistency

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13950

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:10 +00:00
Andrew Bartlett
99867565a5 dsdb/partition: Remove teardown of data->metadata on partition_metadata_set_sequence_number() failure
This changes variables that are not the responsiblity of this function, the unlock
implied by partition_del_trans() needs to be done carefully in the right spot.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:10 +00:00
Andrew Bartlett
bc663a9798 dsdb/partition: Move in_transaction decrement to end of partition_del_trans()
It makes no sense for this to be mid-function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:10 +00:00
Andrew Bartlett
7567f29211 dsdb/partition: Ensure metadata.tdb is opened early in partition_reload_if_required()
This allows metadata.tdb to be locked in the correct place in
in the lock order, as partition_reload_if_required() implicitly
calls partition_lock_read().

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:10 +00:00
Andrew Bartlett
46677b8e1e dsdb: Add random values to names in tests for large LDAP responses
This test is run agianst multiple DCs in the same domain, so there can
be a race with replication.  Therefore avoid using the same name twice
by adding a random suffix.

This is an improvement to a demonstrator for this bug in TDB:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13952

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-20 04:01:10 +00:00
Andrew Bartlett
eafef2bbfd dsdb: Add tests for large LDAP responses
This behaviour is Samba-specific, we have not traditionally cut of responses at 1000
or so as Windows does, and we need to change that behaviour carefully.

This triggers this bug in TDB:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13952

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-05-17 06:48:10 +00:00
Gary Lockyer
0daa0ff921 s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value
Fix use after free detected by AddressSanitizer

AddressSanitizer: heap-use-after-free on address 0x61400026a4a0
                  at pc 0x7fd555c52f12 bp 0x7ffed7231180 sp 0x7ffed7231170
                  READ of size 1 at 0x61400026a4a0 thread T0
    #0 0x7fd555c52f11 in ldb_should_b64_encode
       ../../lib/ldb/common/ldb_ldif.c:197
    #1 0x7fd539dc9417 in dsdb_audit_add_ldb_value
       ../../source4/dsdb/samdb/ldb_modules/audit_util.c:491
    #2 0x7fd539dc9417 in dsdb_audit_attributes_json
       ../../source4/dsdb/samdb/ldb_modules/audit_util.c:651
    #3 0x7fd539dc6a7e in operation_json
       ../../source4/dsdb/samdb/ldb_modules/audit_log.c:305

The problem is that at the successful end of these functions
el->values is overwritten with new_values.  However get_parsed_dns()
points p->v at the supplied el and it effectively gets used
as a working area by replmd_build_la_val().  So we must duplicate it
because our caller only called ldb_msg_copy_shallow().

The reason this matters is that the audit_log module is
above repl_meta_data in the stack, and tries to log the
ldb_message it saw after the reply (to include the error code).
If that ldb_message is changed it is not only misleading,
it can point to memory that has since gone away.

In this case the memory for the full extended DN in the
member attribute ended up on 'ac', a context lost by
the time repl_meta_data has finished processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13941

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 15 05:35:47 UTC 2019 on sn-devel-184
2019-05-15 05:35:47 +00:00
Andrew Bartlett
4aa9924310 s4 dsdb/repl_meta_data: allocate new extended DNs during ADD on a better context
Lower down in this function new_values is assigned over el->values and is
filled in with the values of all the parsed DNs.  Therefore it is the natural
talloc parent.

This will allow el->values to be allocated on tmp_ctx in the next commit for
a working area during the function call.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-05-15 04:03:37 +00:00
Gary Lockyer
b0cc6d2174 s4 dsdb: fix use after free in samldb_rename_search_base_callback
Fix use after free detected by AddressSanitizer

AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
                  at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
                  READ of size 8 at 0x60f0002b2738 thread T0
    #0 0x7f89b1a213b4 in samldb_rename_search_base_callback
        ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
    #1 0x7f89d3a0db4a in ldb_module_send_entry
        ../../lib/ldb/common/ldb_modules.c:793
    #2 0x7f89b6f27356 in es_callback
        ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13942

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-14 06:07:25 +00:00
Douglas Bagnall
93d6307185 dsdb mod/linked_attributes: fix_link_slow(): clarify a comment.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:18 +00:00
Douglas Bagnall
9c254572dd dsdb/mod/extended_dn_out: use faster removal filters
When filtering out multiple elements, we end up memmove()ing the same
elements many times over. It is simpler to not do that by keeping track
of how many elements we are keeping.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:18 +00:00
Douglas Bagnall
4e47d5dfa2 dsdb/replmd: use ldb_msg_remove_element()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:18 +00:00
Douglas Bagnall
14db307243 dsdb mods/extended_dn_out: remove element using ldb_msg api
The bare memmove is not strictly safe at the end of the list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:17 +00:00
Douglas Bagnall
1e61b17106 dsdb/mod/extended_dn_out: zero whole fake_msg struct
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:17 +00:00
Douglas Bagnall
4624957d42 s4: use ldb_msg_new(), not talloc/talloc_zero
ldb_msg_new() is currently the same as talloc_zero(), but it might
not always be.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:17 +00:00
Douglas Bagnall
49048b245d dsdb/util: spell "equivalence"!
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-10 01:15:17 +00:00
Douglas Bagnall
79111dd0d0 dsdb/mod/count_attrs: set ldb var before using it (CID 1444979)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May  9 23:54:35 UTC 2019 on sn-devel-184
2019-05-09 23:54:35 +00:00
Douglas Bagnall
215eef5b6f s4/dsdb/util_samr: check some return codes (CID 1444977)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
b18f0dce38 dsdb/modules/linked_attrs: remove pointless check (CID 240768)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
23f72c4d71 dsdb/modules/dirsync: ensure attrs exist (CID 1107212)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
9a6c0a66d5 dsdb/modules/dirsync: remove useless function call
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
2852dce541 dsdb/modules/dirsync: avoid possible NULL dereference (CID 1034800)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
8ad8f9baf0 dsdb/modules/acl: avoid deref of missing data (CID 1107200)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Garming Sam
a497327042 CID 1363287: Resource leak using str_list_append
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-07 23:22:22 +00:00
Andrew Bartlett
e608a84fa4 torture: Remove unused dsdb_attribute_ldb_to_drsuapi()
The last caller was removed in s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDs
(6a51afcfdb) by Kamen Mazdrashki in 2010

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-06 05:46:11 +00:00
Aaron Haslett
bc1583d368 selftest: correcting empty attribute usage in requests
Many parts of Samba use an empty attribute list in requests expecting
all attributes to be returned in the response, which is incorrect.  This
patch corrects the instances found by current CI tests.  Static analysis
and debugging will need to be done before changing ildap to the correct
semantics.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon May  6 05:45:55 UTC 2019 on sn-devel-184
2019-05-06 05:45:55 +00:00
Aaron Haslett
64bccb9bca ldap: test for empty attributes list
Test for LDAP request with an empty attribute list.  LDB responds with
no attributes, but LDAP responds with all attributes.  Fix is attached
to the bug below but we can't push it upstream until we've found all
instances of incorrect empty attribute list usage in Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-06 04:23:51 +00:00
Douglas Bagnall
60620273db dsdb/modules: a module to count attribute searches and results
The dsdb module stack can turn a simple search request into a
complicated tree of sub-queries that include attributes not originally
asked for and excluding those that were. The corresponding replies
might contain unrequested attributes or (for good reasons, according
to some module) hide requested ones. The entire stack is there to
meddle and that is what is does. Except *this* module. It just counts.
To understand dsdb performance it helps to have some idea what
requests and replies are flying too and fro. This module, when
inserted anywhere in the stack, counts the requests and replies
passing through and the attributes they contain. This data is stored
in on-disk tdbs in the private/debug directory.

The module is not loaded by default. To load it you need to patch the
source4/dsdb/samdb/ldb_modules/samba_dsdb.c and put "count_attrs"
somewhere in the module lists in the samba_dsdb_init() function. For
example, to examine the traffic between repl_meta_data and
group_audit_log, you would do something like this around line 316:

          "subtree_delete",
          "repl_meta_data",
  +       "count_attrs",
          "group_audit_log",
          "encrypted_secrets",

and recompile. Samba will then write to a number of tdb files in the
debug directory as requests and replies pass through. A simple script
is included to read these files. Doing this:

./script/attr_count_read st/ad_dc/private/debug/debug/attr_counts_not_found.tdb

will print a table showing how often various attritbutes were
requested but not found (from the point of view of the module).

A more sophisticated version of the script is coming in the next
commit, but this one is included first because in its simplicity it
documents the storage format reasonably well. The tdb keys are
attribute names, and the values are uint32_t in machine native order.

When the module is included in the stack there will be a very small
decrease in performance.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00
Douglas Bagnall
e5a099482d pytests: try ldap.modify_order with normal user
We run the tests again, trying to modify as a normal user rather than
Administrator.

It turns out that we do not always return the same error code as
Windows, but in all these tests both Windows and Samba always return
some kind of error (as you might hope).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00
Douglas Bagnall
c73888ff6f dsdb pytests: test the effect of reordering modify requests
Do we interpret these the same way as Windows? In many cases, no.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00
Douglas Bagnall
fd9859d407 dsdb/pytest/ldap: use idiomatic 'e' for exceptions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00
Douglas Bagnall
5a0df7aec6 dsdb/pytest/ldap: revive commented out test for attr size range
The test was presumably commented out because we fail it, and
known-failing it would have hidden the attr-too-short tests that it
was bundled with. If we disentangle them we can knwn-fail it, which
serves as a TODO list.

(passes against WIN2012R2).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00
Andreas Schneider
2a5bf72b00 s4:samdb: Make sure value is initialized with 0
Found by csbuild.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May  1 05:02:22 UTC 2019 on sn-devel-184
2019-05-01 05:02:22 +00:00
Douglas Bagnall
c5e387d22a s4/replmd delete: optimise attribute preservation with binary search
When we get here it is very likely that the attribute will not be
preserved, as the preserved ones should have had the flag set, but we
still end up loking through the whole list to confirm. With a binary
search, we end up looking at ~5 attributes to confirm.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 03:12:07 +00:00
Douglas Bagnall
8488651bdd s4/replmd: delete checks flag before laborious search
Most (perhaps all) attributes that are in the "must not remove" list also
have the PRESERVEONDELETE bit set, and checking bits is much cheaper
than a linear search involving strcasecmp. If we check the bit first
we save work.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 03:12:07 +00:00
Andreas Schneider
155f697e87 waf: Move check for gnutls_aead_cipher_init to main gnutls wscript
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-30 23:18:27 +00:00
Andreas Schneider
bbef26860d s4:dsdb: Use C99 initializer in dsdb util_trusts
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-04-29 16:04:28 +00:00
Swen Schillig
5ff48f64cd source4: Update error check for new string conversion wrapper
The new string conversion wrappers detect and flag errors
which occured during the string to integer conversion.
Those modifications required an update of the callees
error checks.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-04-11 22:29:27 +00:00
Stefan Metzmacher
661dc45741 dsdb/repl: we need to replicate the whole schema before we can apply it
Otherwise we may not be able to construct a working schema that's
required to apply the changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12204

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-04-11 04:17:10 +00:00