1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

49418 Commits

Author SHA1 Message Date
Volker Lendecke
166e8fb1c1 idmap_ldap: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
c0bea5d081 idmap_ldap: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
9d22e8a99c winbind: Use idmap_config_const_string in idmap_init_domain
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
e78d78a1ff winbind: Use idmap_config_const_string in idmap_script_db_init
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
925335a5d4 winbind: Use idmap_config_const_string in idmap_tdb2_db_init
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
6d33ebd580 winbind: Use idmap_config_const_string in wb_xids2sids_add_dom
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
3f4b391daf winbind: Use idmap_config_const_string in idmap_init_named_domain
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
b8e00f0183 winbind: Use idmap_config_const_string in domain_has_idmap_config
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
1c34166c12 winbind: Add idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:21 +01:00
Volker Lendecke
ece5e67bbc s3:winbind: Use the correct talloc context for user information
This fixes the substitution for 'template homedir'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
2017-03-18 19:47:40 +01:00
Andreas Schneider
f2e1ab5d05 s3:winbind: Remove unused struct getpwent_user
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 18 08:59:01 CET 2017 on sn-devel-144
2017-03-18 08:59:01 +01:00
Andreas Schneider
3605f68cea s3:winbind: Use correct struct member for size calculation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-18 05:05:24 +01:00
Volker Lendecke
649deb63c5 tldap: Allow dropping messages in tldap_search()
For probing whether a connection is a live a rootdse search might be
interesting where we don't really care for the result, only success or
failure of the operation.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-18 05:05:24 +01:00
Ralph Boehme
da5e256b9b winbindd: remove trailing spaces in get_cache()
Trailing spaces are annoyingly highlighted red in my emacs setup so I'd
like to get rid of them. :)

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 17 00:20:17 CET 2017 on sn-devel-144
2017-03-17 00:20:17 +01:00
Ralph Boehme
eab5292bcc winbindd: README.Coding fixes for get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-16 20:30:20 +01:00
Ralph Boehme
63f65607ea winbindd: fix long lines in get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-16 20:30:20 +01:00
Ralph Boehme
1dbb5c3f67 winbindd: untangle reconnect_methods vs reconnect_ads_methods
No change in behaviour. The previous logic just seemed a bit clumsy
because of the ifdefs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-16 20:30:20 +01:00
Ralph Boehme
b11c7f394e winbindd: use NULL for pointer check in get_cache()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-16 20:30:19 +01:00
Jeremy Allison
2780a56d0b Changes to make the Solaris C compiler happy.
Fix Bug 12693 dbwrap_watch.c syntax error before or at: }

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12693

Signed-off-by: Tom schulz <schulz@adi.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-16 20:30:19 +01:00
Jeremy Allison
59229276bc Fix for Solaris C compiler.
Inspired by comment 4 in bug 12559.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12559

Signed-off-by: Tom Schulz <schulz@adi.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-03-16 20:30:19 +01:00
Aurelien Aptel
1eaafead1e s3:smbd: exit early if srv_send_smb fails
coverity fix.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2017-03-16 20:30:19 +01:00
Jeremy Allison
1c4b15aa5f s3: locking: Update oplock optimization for the leases era !
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 15 20:04:32 CET 2017 on sn-devel-144
2017-03-15 20:04:32 +01:00
Jeremy Allison
125c78ad0b s3: locking: Move two leases functions into a new file.
map_oplock_to_lease_type(), fsp_lease_type().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-15 16:14:08 +01:00
Volker Lendecke
b59f5b15b2 lib: Fix an uninitialized variable warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 15 14:21:43 CET 2017 on sn-devel-144
2017-03-15 14:21:43 +01:00
Volker Lendecke
c5e101af2b passdb: Remove pdb_ipa
The version used these days can be found under

https://pagure.io/freeipa/blob/master/f/daemons/ipa-sam

Having a stale copy in Samba only confuses things.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 15 09:18:21 CET 2017 on sn-devel-144
2017-03-15 09:18:21 +01:00
Andreas Schneider
1115f152de s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Signed-off-by: Andreas Schneider <asn@samba.org>
2017-03-15 01:31:23 +01:00
Volker Lendecke
455bbf1756 libsmb: Slightly simplify trustdom_cache_fetch
Also adapt to modern coding standards

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-14 15:22:12 +01:00
Volker Lendecke
d6a2893f45 libsmb: Use talloc in trustdom_cache_key
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-14 15:22:12 +01:00
Volker Lendecke
5d763eb6ea libsmb: Simplify trustdom_cache_store
The additional arguments were never used

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-14 15:22:12 +01:00
Volker Lendecke
b9606514d0 libsmb: Make a few functions static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-14 15:22:12 +01:00
Volker Lendecke
92f37420cc libsmb: Remove some stale code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-14 15:22:12 +01:00
Andreas Schneider
ca2d8f3161 s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-03-14 15:22:12 +01:00
Stefan Metzmacher
d05f0a720a remove historic source3/change-log
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 13 19:45:31 CET 2017 on sn-devel-144
2017-03-13 19:45:31 +01:00
Chris Lamb
b2478cdc7d Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Stefan Metzmacher
9eb46d587a winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain
find_lookup_domain_from_sid() returns the same domain for all non local
sids on a domain member. We should not chunk one wb_lookupsids_send/recv
into multiple wbint_LookupSids_send/recv to the same 'lookup' domain,
just because the requested SIDs don't all belong to the same domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Mar 12 00:56:14 CET 2017 on sn-devel-144
2017-03-12 00:56:14 +01:00
Stefan Metzmacher
a860400725 winbindd: remove unused find_root_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-11 21:05:09 +01:00
Stefan Metzmacher
0eb537adb1 winbindd: remove bogus fallback to the forest root in wb_lookupsid*()
It's the job of the domain controller in our domain
to traverse the trust chain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-11 21:05:09 +01:00
Stefan Metzmacher
a29da90059 winbindd: remove bogus fallback to the forest root in wb_lookupname*()
It's the job of the domain controller in our domain
to traverse the trust chain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-03-11 21:05:09 +01:00
Andreas Schneider
424a2aadda selftest: Do not plan samba3.base.delaywrite twice
This test is already slow. We should not run it twice!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar 11 04:25:14 CET 2017 on sn-devel-144
2017-03-11 04:25:14 +01:00
Andreas Schneider
b8bca7d08f s3:gse: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
ada31d65d6 s3:gse: Check if we have a target_princpal set we should use
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
3ba1ad1f8c s3:gse: Move setup of service_principal to update function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
e6b1e58874 s3:gse: Pass down the gensec_security pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Andreas Schneider
a3d95ed903 s3:gse: Use smb_krb5_get_realm_from_hostname()
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from

  ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM

to

  ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM

Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.

The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.

In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.

From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.

With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).

MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-03-10 11:37:22 +01:00
Volker Lendecke
59b580f6c7 auth_ntdomain3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 03:28:26 +01:00
Volker Lendecke
9abc80e0e4 auth_winbind3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
d3e2e41995 s3/smbd: add my copyright to open.c
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
fd03420c4f s4/torture: some tests for kernel oplocks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
6e54d8d2bd s3/selftest: adopt config.h check from source4
No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
b35a296a27 s3/smbd: fix deferred open with streams and kernel oplocks
I noticed smbd can get stuck in an open() call with kernel oplocks
enabled and named streams (provided by vfs_streams_xattr):

- client opens a file and with an exclusive oplock

- client starts writing to the file

- client opens an existing stream of the file

- the smbd process gets stuck in an open()

What happens is:

we had setup a locking.tdb record watch in defer_open(), the watch was
triggered, we reattempted the open and got stuck in a blocking open
because the oplock holder (ourselves) hadn't given up the oplock yet.

Cf e576bf5310 for the commit that added
the kernel oplock retry logic. tldr: with kernel oplocks the first open
is non-blocking, but the second one is blocking.

Detailed analysis follows.

When opening a named stream of a file, Samba internally opens the
underlying "base" file first. This internal open of the basefile suceeds
and does *not* trigger an oplock break (because it is an internal open
that doesn't call open() at all) but it is added as an entry to the
locking.tdb record of the file.

Next, the stream open ends up in streams_xattr where a non-blocking
open() on the base file is called. This open fails with EWOULDBLOCK
because we have another fd with a kernel oplock on the file.

So we call defer_open() which sets up a watch on the locking.tdb record.

In the subsequent error unwinding code in open_file_ntcreate() and
callers we close the internal open file handle of the basefile which
also removes the entry from the locking.tdb record and so *changes the
record*.

This fires the record watch and in the callback defer_open_done() we
don't check whether the condition (oplock gone) we're interested in is
actually met. The callback blindly reschedules the open request with
schedule_deferred_open_message_smb().

schedule_deferred_open_message_smb() schedules an immediate tevent event
which has precedence over the IPC fd events in messaging, so the open is
always (!) reattempted before processing the oplock break message.

As explained above, this second open will be a blocking one so we get
stuck in a blocking open.

It doesn't help to make all opens non-blocking, that would just result
in a busy loop failing the open, as we never process the oplock break
message (remember, schedule_deferred_open_message_smb() used immediate
tevent events).

To fix this we must add some logic to the record watch callback to check
whether the record watch was done for a kernel oplock file and if yes,
check if the oplock state changed. If not, simply reschedule the
deferred open and keep waiting.

This logic is only needed for kernel oplocks, not for Samba-level
oplocks, because there's no risk of deadlocking, the worst that can
happen is a rescheduled open that fails again in the oplock checks and
gets deferred again.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
1a6c82e5d5 s3/smbd: all callers of defer_open() pass a lck
No change in behaviour. Update the function comment explaining how it
works and relies on lck for a record watch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
7fa2f11594 s3/smbd: remove async_open arg from defer_open()
All remaining callers pass false.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
ad8c36125f s3/smbd: fix schedule_async_open() timer
schedule_async_open() was calling defer_open with sharemode lock = NULL,
as a result there was never an active 20 s timeout.

This has been broken since the commits in

$ git log --reverse -p -10 8283fd0e00

Just roll our own deferred record instead of calling defer_open() and
also set up timer that, as a last resort, catches stuck opens and just
exits for now.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
beaba62228 s3/smbd: add and use retry_open() instead of defer_open() in two places
Add a new function that does an immediate open rescheduling.

The first deferred open this commit changes was never scheduled, as the
scheduling relies on a timeout of the watch on the sharemode lock.

This has been broken since the commits in

$ git log --reverse -p -10 8283fd0e00

That patchset added the dbwrap watch record logic to defer_open() and
removed the timers.

I'm doing this mainly to untangle the defer_open() logic which is
complicated by the lck arg.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
b17ff9b181 s3/smbd: simplify defer_open()
Add a helper function deferred_open_record_create() that creates a
deferred_open_record and let all callers pass all needed arguments
individually.

While we're at it, enhance the debug message in defer_open() to print
all variables.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
8580adc1d9 s3/smbd: req is already validated at the beginning of open_file_ntcreate()
req can't be NULL because the if condition surrounding this code checks
!(oplock_request & INTERNAL_OPEN_ONLY).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
f5631f6b35 s3/smbd: add comments and some reformatting to open_file_ntcreate()
No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
6924e72ade s3/smbd: add const to get_lease_type() args
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Ralph Boehme
fe473f805a s3/wscript: fix Linux kernel oplock detection
Fix a copy/paste error, the Linux kernel oplocks check was copied from
the change notify support check.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:25 +01:00
Volker Lendecke
373e0bdf12 winbindd: Remove an unused #define
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Fri Mar 10 00:00:15 CET 2017 on sn-devel-144
2017-03-10 00:00:15 +01:00
Volker Lendecke
42899d5426 winbind: Use talloc_strdup_upper where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-09 20:04:19 +01:00
Volker Lendecke
eecdc3b1ee winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-09 20:04:19 +01:00
Volker Lendecke
825180bcd2 auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  9 02:01:35 CET 2017 on sn-devel-144
2017-03-09 02:01:35 +01:00
Volker Lendecke
66f94e557e auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
No intended code change, just reformatting and a goto fail with
inverted logic

Best viewed with "git show -b" :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:16 +01:00
Volker Lendecke
56b0303a61 auth3: Simplify auth_check_ntlm_password server_info handling
Instead of directly assigning (*pserver_info), work on a local copy
first and assign it once when successful

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
b19868ce6a auth3: Simplify auth_check_ntlm_password talloc handling
Use talloc_stackframe and talloc_tos. Don't bother to talloc_free
within the loop, we don't have many iterations.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
d31bf0e29d auth3: Use talloc_move instead of _steal
That's the more "modern" way to steal

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Volker Lendecke
1bbbc152d3 auth3: Centralize auth_check_ntlm_password failure handling
Preparation for simplified talloc handling. Slight behaviour change:
We now ZERO_STRUCTP(pserver_info) in all failure cases.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 22:01:15 +01:00
Alexander Bokovoy
57286d5773 s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).

Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
code use of krb5 mech when calling to gss_acquire_cred.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar  8 22:00:24 CET 2017 on sn-devel-144
2017-03-08 22:00:24 +01:00
Alexander Bokovoy
3d733d5791 s3-gse: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-08 18:00:12 +01:00
Alexander Bokovoy
520167992b libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-08 18:00:12 +01:00
Andreas Schneider
980eae07f9 s3-libads: Do not leak the msg on error
ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar  8 14:59:35 CET 2017 on sn-devel-144
2017-03-08 14:59:35 +01:00
Stefan Metzmacher
e015748657 idmap_autorid: allocate new domain range if the callers knows the sid is valid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12613

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar  8 04:06:59 CET 2017 on sn-devel-144
2017-03-08 04:06:59 +01:00
Volker Lendecke
263a1fdf18 winbind: Add a debug message for out-of-range IDs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 00:04:22 +01:00
Volker Lendecke
431bc966ea winbind: Remove unused wcache_tdc_fetch_domainbysid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-08 00:04:22 +01:00
Volker Lendecke
b7966221c7 winbind: Correcly pass !authoritative from wb_irpc_SamLogon
Returning an error at this level gives a RPC level error without the chance to
provide !authoritative flag to the caller. At the RPC level we're fine, but not
finding the domain to authenticate means that we don't know the domain and thus
have to return !authoritative.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  7 13:16:00 CET 2017 on sn-devel-144
2017-03-07 13:16:00 +01:00
Volker Lendecke
0ff97d969f winbind: Set "authoritative" in response to auth_crap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
3a6a7b53af winbind: Pass up args from winbind_dual_SamLogon
We'll need to pass "authoritative" back to the winbind client

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
5b87e915dc winbind: Pass up args from winbind_samlogon_retry_loop
In particular "authoritative" is useful at the top level

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
00c25a5080 cli_netlogon: Add return parms to rpccli_netlogon_password_logon
Just for symmetry with rpccli_netlogon_network_logon()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
c0875cd883 cli_netlogon: Remove a fallback for flags=NULL
The two callers of rpccli_netlogon_network_logon have flags set !=NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
72b9b62956 cli_netlogon: Remove a fallback for authoritative=NULL
The two callers of rpccli_netlogon_network_logon have authoritative
set !=NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
57b3b12229 winbind: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar  6 23:18:46 CET 2017 on sn-devel-144
2017-03-06 23:18:45 +01:00
Volker Lendecke
6296c32668 Re-enable token groups fallback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar  6 19:18:31 CET 2017 on sn-devel-144
2017-03-06 19:18:31 +01:00
Stefan Metzmacher
76d9483804 winbindd: find the domain based on the sid within wb_lookupusergroups_send()
That simplifies the potential caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:18 +01:00
Volker Lendecke
1a12cfbf1f Revert "winbind: Remove wb_lookupusergroups"
This reverts commit c0570e6ae8.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:18 +01:00
Volker Lendecke
a34c0a8638 Revert "winbind: Remove wbint_LookupUserGroups"
This reverts commit 256632ed3c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Volker Lendecke
55321a39bb Revert "winbind: Remove wb_cache_lookup_usergroups"
This reverts commit f83863b4d1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Volker Lendecke
52105ebaa8 Revert "winbind: Remove wcache_lookup_usergroups"
This reverts commit 876dc28b9c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Volker Lendecke
174b14b5aa Revert "winbind: Remove validate_ug"
This reverts commit 3f58a8caba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Volker Lendecke
3f5fa7c458 Revert "winbind: Remove "lookup_usergroups" winbind method"
This reverts commit b231814c6b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Volker Lendecke
8fafdada52 Revert "winbind: Remove rpc_lookup_usergroups"
This reverts commit 91b73b1e93.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Stefan Metzmacher
bdce9f5fae s3:libads: remove unused fallback to gss_acquire_cred()
Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  6 11:44:54 CET 2017 on sn-devel-144
2017-03-06 11:44:54 +01:00
Ralph Boehme
8cbdc6a6df libcli/smb: add max_credits arg to smbXcli_negprot_send()
This allows source4/torture code to set the option for tests by
preparing a struct smbcli_options with max_credits set to some value and
pass that to a torture_smb2_connection_ext().

This will be used in subsequent smbtorture test for SMB2 creditting.

Behaviour of existing upper layers is unchanged, they simply pass the
wanted max credits value to smbXcli_negprot_send() instead of
retrofitting it with a call to smb2cli_conn_set_max_credits().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-03 21:55:27 +01:00
Volker Lendecke
ac71bb3eb4 lib: Make gencache hash size configurable, default to 10000
For large deployments with many users, we put a lot of idmapping
entries into gencache. Increase the hash size from our default 131.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-03-03 21:55:26 +01:00
Andreas Schneider
1cb99fc6af idmap_hash: Add a deprecation message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12582

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar  3 16:54:34 CET 2017 on sn-devel-144
2017-03-03 16:54:34 +01:00
Volker Lendecke
a52c7f4d52 torture3: Add test for smbd crash
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar  3 06:20:50 CET 2017 on sn-devel-144
2017-03-03 06:20:50 +01:00
Volker Lendecke
cf9acf9a3d smbd: Do an early exit on negprot failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-03 02:24:09 +01:00
Jeremy Allison
1e0c79ddb3 s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained.
When the send queue grows greater than xconn->smb2.credits.max/16,
smbd_smb2_request_next_incoming() doesn't allocate a new request in state->req.

After smbd_smb2_io_handler() is called, it marks the fd not readable as
state->req == NULL, and never marks it readable again.

Fix by calling smbd_smb2_request_next_incoming() to restart
reads inside smbd_smb2_flush_send_queue() which drains the
send queue.

Reported by <chen.yehua@h3c.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12608

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar  3 02:23:20 CET 2017 on sn-devel-144
2017-03-03 02:23:20 +01:00
Uri Simchoni
5ef7bd3b5b testparm: remove check for "ea support" in fruit shares
Now that ea support is not required for vfs_fruit, drop the
check that it's enabled in shares using vfs_fruit.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-02 22:30:23 +01:00
Uri Simchoni
4bfd27b077 smbd: remove coupling between get_ea_names_from_file() and "ea support"
The "ea support" configuration variable determines whether smbd
should attempt to manipulate extended attributes via SMB protocol.
It does not pertain to the underlying storage and its support for
extended attributes.

get_ea_names_from_file() is being used also by vfs_streams_xattr -
a module which has nothing to do with client-visible extended
attributes. As such, vfs_streams_xattr should be able to operate
irrespective of the value of "ea support".

This patch moves the check for ea support to the callers.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-02 22:30:23 +01:00
Uri Simchoni
fb95985a03 smbd: get_ea_list_from_file_path() - remove a duplicate statement
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-02 22:30:23 +01:00
Uri Simchoni
abd845082e smbd: refuse_symlink() - do not fail if the file does not exist
If the file does not exist, it is not a symlink. Current callers
use this function to see if extended attributes can be set / fetched.
Allow them to try and leave the error code at the discretion of the
VFS.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-02 22:30:23 +01:00
Stefan Metzmacher
f9aaddcdd8 s3:winbindd: fix endless forest trust scan
Commit 0392ebcd1d effectively
disabled the enumeration of trusts in other forests.

The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
changed the way we fill domain->domain_flags for domains
in other forests.

Commit fffefe72fc readded the
ability to enumerate trusts of other forests again, in order to
fix https://bugzilla.samba.org/show_bug.cgi?id=11830

Now we have the problem that multiple domains
(even outside of our forest) are considert to be
our forest root, as they have the following flags:
NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar  2 17:53:14 CET 2017 on sn-devel-144
2017-03-02 17:53:14 +01:00
Andreas Schneider
ed42d6e81f s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
This will make sure we correctly fall back to NTLMSSP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  2 12:41:40 CET 2017 on sn-devel-144
2017-03-02 12:41:40 +01:00
Ralph Boehme
41204a4972 vfs_fruit: enabling AAPL extensions must be a global switch
Apple's SMB2 AAPL extension is enabled once per SMB2
connection. Unfortunately the (per se correct) fix for bug #12541
results in vfs_fruit checking a per tcon config state variable to
determine whether AAPL has been negotiated. This variable will be false
for all but the first tcon. We must make it a global variable.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12604

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Mar  2 04:34:10 CET 2017 on sn-devel-144
2017-03-02 04:34:10 +01:00
Ralph Boehme
708767da8c vfs_fruit: only veto AppleDouble files with fruit:resource=file
vfs_fruit only creates AppleDouble files itself when "fruit:resource" is
set to "file" (the default). It is only then the these AppleDouble files
should be treated as an internal representation and should be
inaccessible from clients.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12526>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:23 +01:00
Ralph Boehme
ffa727f33b vfs_fruit: use stat info from base_fsp
This is also supposed to be valid in the VFS stack, so there's no need
to re-stat here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:23 +01:00
Ralph Boehme
a2afd61906 vfs_fruit: ignore or delete invalid AFP_AfpInfo streams
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:23 +01:00
Ralph Boehme
bac79eac09 selftest: add shares without vfs_fruit for the vfs_fruit tests
Not used for now, but the next commit will add a test that makes use of
this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:23 +01:00
Ralph Boehme
9975c7569c selftest: add description to vfs_fruit testsuites
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
f7b0982826 selftest: also run vfs_fruit tests with streams_depot
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
d9ab40e083 selftest: run vfs_fruit tests against share with fruit:metadata=stream
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
cc885223d7 selftest: move vfs_fruit tests that require "fruit:metadata=netatalk" to vfs.fruit_netatalk
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
51189bd475 selftest: reenable vfs_fruit tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
cc88132854 vfs_fruit: refactor fruit_ftruncate and use new adouble API
Use struct fio to denote a fsp handle is for a stream we care about.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
b3c0f785d7 vfs_fruit: use fio in fruit_fallocate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
ae6199c5ef vfs_fruit: refactor fruit_fstat and use new adouble API
Use struct fio to denote a fsp handle is for a stream we care about.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
fcb9c840d7 vfs_fruit: refactor fruit_pread and fruit_pwrite and use new adouble API
Use struct fio to denote a fsp handle is for a stream we care about.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
6537c56de5 vfs_fruit: refactor fruit_open and use new adouble API
Use struct fio to denote a fsp handle is for a stream we care about.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
1d12035743 vfs_fruit: rework struct adouble API
o factor out ad_open(), opens an fd to be used with IO on the metadata
  streams

o rename ad_write() to ad_set() as this aligns nicely with the existing
  ad_get. This is the pathname based version used to solely set metadata
  on a file, there's also a handle based version:

o add ad_fset(), a handle based version that can be used to set metadata
  and to update the AppleDouble header in a ._ AppleDouble file

o remove fruit_fsp_recheck(), looking at it more closely, it is not
  needed

This commit *compiles*, but all callers in the VFS ops must now be
updated to use the new semantics, this comes next...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
8703b8ef9d selftest: disable vfs_fruit tests
The next commits will completely change handle based VFS ops. This
couldn't be done in a piecemeal fashion, I had to wipe the slate clean.

Disabling tests in order to not break git bisects.

Tests will be reenabled after a few commits that apply the larger change
in a somewhat digestible fashion.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
41a2b2f5cd vfs_fruit: fix fruit_check_access()
Applying fcntl read locks requires an fd opened for reading. This means
we have to check the open flags of an fd and if the fd is not opened for
reading, we can't use it to set shared fctnl locks.

Iow we won't be applying interop locks with Netatalk for files openend
write-only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
b1223520e3 vfs_fruit: remove base_fsp name translation
This is now nicely done by vfs_catia for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
3e2a7f6227 vfs_fruit: use SMB_VFS_NEXT_OPEN in two places
Using the SMB_VFS_OPEN leads to a logic recursion that is hard to follow
and debug. It may be called twice for the same fsp with two different
smb_fname's.

Changing this here to use the NEXT function instead should have no
change in behaviour otherwise, but it allows adding sane caching to
vfs_catia to handle based VFS ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
ad8a3b6971 vfs_fruit: refactor readdir_attr_macmeta() resource fork size
Move resource fork size calculation to helper functions.

Adds correct handling for the fruit:resource=stream case in
readdir_attr_rfork_size_stream(), this wasn't done previously.

Otherwise no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
a5b060fcd2 vfs_fruit: refactor fruit_ftruncate() and fix stream case
The fruit:metadata=stream case wasn't handled previosly, this is now
done in fruit_ftruncate_rsrc_stream(). The rest is just refactoring and
no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
b0b785b0d4 vfs_fruit: fix fruit_ntimes() for the fruit:metadata!=netatalk case
The following code must only be executed for the fruit:metadata=netatalk
case. Otherwise no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
ef2c81eb9f vfs_fruit: refactor fruit_streaminfo()
Handle all settings of fruit:metadata and fruit:resource in helper
functions.

Resource fork streams of 0 bytes must be filtered out, this wasn't done
previously for the fruit:resource=stream and xattr case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
72325d946a vfs_fruit: add fruit_stat_rsrc_xattr() implementation
This fixes fruit_stat_rsrc for the fruit:resource=xattr case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
cbf87b46c2 vfs_fruit: add fruit_stat_rsrc_stream() implementation
This fixes fruit_stat_rsrc for the fruit:resource=stream case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
5037816d28 vfs_fruit: refactor fruit_stat_rsrc()
Use helper functions for the fruit:resource cases. No change in
behaveour.

The next patch will add the proper helper functions for
fruit:resource=xattr and fruit:resource=stream.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
22da6c82f0 vfs_fruit: refactor fruit_open_rsrc()
This just splits up fruit_open_rsrc() to use helper functions for each
config->rsrc setting. No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
b95d2042e5 vfs_fruit: in fruit_rmdir() check ._ files before deleting them
This ensures we only delete valid AppleDouble files whose names begin
with "._", not just *any* file that matches "^._*".

Also use proper VFS functions instead of direclty calling the C library
functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
19854072db vfs_fruit: fix fruit_rmdir() for the fruit:resource!=file case
The following code must only be executed for the fruit:resource=file
case. Otherwise no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
09c82a1ce1 vfs_fruit: fix fruit_chown() for the fruit:resource!=file case
The following code must only be executed for the fruit:resource=file
case.

While at it, remove an unnecessary lstat, use the stat info from
smb_fname.

Otherwise no change in behaviour for the fruit:resource=file case (the
default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
22b509f52e vfs_fruit: fix fruit_chmod() for the fruit:resource!=file case
The following code must only be executed for the fruit:resource=file
case.

While at it, remove an unnecessary lstat, use the stat info from
smb_fname.

Otherwise no change in behaviour for the fruit:resource=file case (the
default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
6730e1035b vfs_fruit: refactor fruit_unlink()
Refactor fruit_unlink() addin helper functions for all fruit:metadata
and fruit:resource settings.

No change in behaviour for fruit:metadata=netatalk and
fruit:resource=file (both the default), but fixes behaviour for the
other cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
8a9d0c5418 vfs_fruit: fix fruit_rename() for the fruit:resource!=file case
o fix the config check, we must only run following code for the
  fruit:resource=file

o properly call SMB_VFS_NEXT_RENAME() instead diretly calling rename()

o bail out if we get an invalid stat

Otherwise, no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
604bd6bf80 vfs_fruit: correct readdir_attr_meta_finderi_stream() implementation
This gets correct behaviour in readdir_attr_meta_finderi for the
metadata=stream case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
5a466560b2 vfs_fruit: refactor readdir_attr_meta()
Move the FinderInfo stuff to helper functions, no change in behaviour so
far.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
79159f8dc9 vfs_fruit: update_btime() is only needed for metadata=netatalk
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
cb1121ec32 vfs_fruit: correct fruit_stat_meta_stream() implementation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:21 +01:00
Ralph Boehme
aaf2ae1b2b vfs_fruit: refactor fruit_stat_meta()
Handle config->meta in helper functions. No change in behaviour. The next step
will add the correct implementation of fruit_stat_meta_stream().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
a3be9e69c3 vfs_fruit: correct fruit_open_meta_stream() implementation
This needs to create and write a metadata blob when the stream is
created.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
5a072ca91c vfs_fruit: refactor fruit_open_meta()
Just split out the fruit:metadata=stream case into a helper function, no
change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
3d5bf4b85f vfs_fruit: replace unsafe ad_entry macro with a function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
b121fff156 vfs_fruit: fix fruit_pwrite() with metadata=stream
This makes the test "delete AFP_AfpInfo by writing all 0" pass with
fruit:metadata=stream.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
05d54dd71c vfs_fruit: rename empty_finderinfo() and make it more robust
No change in behaviour, but ad_entry(ad, ADEID_FINDERI) can in theory
return NULL.

The next commit will add the same function for a AfpInfo type, so rename
this function that works on struct adouble to ad_empty_finderinfo().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
04feedb7f6 vfs_fruit: fix fruit_ftruncate with metadata=stream
With this the test "setinfo eof AFP_AfpInfo" passed with
fruit:metadata=stream.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
d0eed8e73f vfs_fruit: fix fruit_pread with metadata=stream
This make the test "fix offset and len handling for AFP_AfpInfo stream"
pass with fruit:metadata=stream.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
633aa1ac10 vfs_catia: add catia_(g|s)et_dos_attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
abe3572c59 vfs_catia: add catia_readdir_attr
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
af3b4ea474 vfs_catia: run translation on all handle based VFS functions
Also run translation of fsp->fsp_name and optionally
fsp->base_fsp->fsp_name if set for all handle based VFS functions.

This is necessary because some modules might use the path for something
in the handle based VFS ops.

An existing example is vfs_fruit. A later commit will remove the
translation that was done there because catia didn't before this commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
4e2c7d0ec4 vfs_streams_xattr: use SMB_VFS_NEXT_OPEN and CLOSE
Using the SMB_VFS_OPEN leads to a recursion in the VFS that is hard to
follow and debug. It's called twice for the same fsp with two different
smb_fname's which makes it at least hard to debug, it may even be an
invalid usage.

Changing this here to use the NEXT function instead should have no
change in behaviour otherwise.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
8035754c28 vfs_streams_xattr: call SMB_VFS_OPEN with smb_fname_base
In case an SMB_VFS_OPEN() on a stream basename fails with EISDIR, we
retry the open as O_RDONLY. The retry should be done with the
smb_fname_base as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
73a0768865 s3/includes: add FinderInfo offset define to MacExtensions.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Ralph Boehme
5e61235222 selftest: don't run vfs_fruit tests against ad_dc env
This is just redundant and didn't add test coverage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:20 +01:00
Volker Lendecke
3d649a073a winbind: Fix a cut&paste debug typo
We're in cm_connect_netlogon_transport, not in cm_connect_sam

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  2 00:31:54 CET 2017 on sn-devel-144
2017-03-02 00:31:54 +01:00
Volker Lendecke
cc3417549c posix_acls: Use talloc_zero_array
This is a slight change in behaviour: We now also zero out
the space for num_profile_acls.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-01 20:33:18 +01:00
Volker Lendecke
2dc369feac posix_acls: Do a *bit* of reformatting
Makes the next commit a bit more obvious to me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-01 20:33:17 +01:00
Volker Lendecke
41827cc812 auth3: Simplify get_system_info3
We have global_sid_System, so we don't need to dom_sid_parse("S-1-5-18");

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 27 11:31:53 CET 2017 on sn-devel-144
2017-02-27 11:31:53 +01:00
Volker Lendecke
e4058d81b3 auth3: Fix some whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-27 07:35:10 +01:00
Aurelien Aptel
73180972db s3/smbd: allow GET_DFS_REFERRAL fsctl on any smb2 connexion
This FSCTL should work on any non-IPC share.

According to [MS-SMB2]
> 3.2.4.20.3 Application Requests DFS Referral Information:
>  The client MUST search for an existing Session and TreeConnect to any
>  share on the server identified by ServerName for the user identified by
>  UserCredentials. If no Session and TreeConnect are found, the client
>  MUST establish a new Session and TreeConnect to IPC$ on the target
>  server as described in section 3.2.4.2 using the supplied ServerName and
>  UserCredentials.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb 25 02:38:28 CET 2017 on sn-devel-144
2017-02-25 02:38:28 +01:00
Stefan Metzmacher
3d7fed0f28 s3:idmap_ad: make use of pdb_get_trust_credentials() to get the machine account creds
This is mostly a cosmetic change currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 24 22:34:48 CET 2017 on sn-devel-144
2017-02-24 22:34:48 +01:00
Stefan Metzmacher
4e9a0894cd s3:winbindd: allow a fallback to NTLMSSP for LDAP connections
This matches the behaviour of pdb_get_trust_credentials() for
our machine account and allows us to fallback to NTLMSSP
when contacting trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:15 +01:00
Stefan Metzmacher
ea0bc12ba5 s3:libads: add more debugging to ads_sasl_spnego_bind()
Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:15 +01:00
Stefan Metzmacher
51caeb7c53 s3:winbindd: rely on the kerberos_state from pdb_get_trust_credentials()
The implementation of pdb_get_trust_credentials() should have all
the details to set the kerberos_state to a useful value.

This should enable the fallback to NTLMSSP again, when using our
machine account against trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:15 +01:00
Stefan Metzmacher
ba9d139ec3 s3:winbindd: add more debugging to cm_prepare_connection()
Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:14 +01:00
Stefan Metzmacher
d961ae9d14 s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials()
Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.

At the same time it doesn't make sense to try kerberos for NT4 domains,
still NTLMSSP will fail, but the callers has to deal with that
case and just fallback to an anonymous SMB connection.

In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:14 +01:00
Stefan Metzmacher
c97a29bdfd s3:winbindd: fix the valid usage anonymous smb authentication
If we are in a situation where we don't have credentials to contact the
remote domain or against an NT4 with the following settings:

  workgroup = NT4DOM
  security = domain
  require strong key = no
  client use spnego = no
  client ipc signing = auto

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:14 +01:00
Stefan Metzmacher
fffefe72fc s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().

This should fix SMB authentication with a user of a domain
behind a transitive trust.

With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.

The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.

is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().

That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.

A much better fix, which removes the usage of is_trusted_domain()
in planed for master, but this should do the job for current releases.

We should avoid talking to DCs of other domains and always
go via our primary domain. As we should code with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.

For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2017-02-24 18:40:14 +01:00
Stefan Metzmacher
0bf1a7492b Revert "s3-winbind: Fix schannel connections against trusted domain DCs"
This reverts commit d2379caa77.

This change doesn't solve the real problem, it just
causes useless network traffic and the following error:

rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT

While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT.

A better fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2017-02-24 18:40:14 +01:00
Stefan Metzmacher
fcf5e5a9b8 s3:wscript_build: remove unused bld.RECURSE('lib/pthreadpool')
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-23 23:58:21 +01:00
Jeremy Allison
2e09407c5b s3:winbind: work around coverity false positive.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 23 23:54:48 CET 2017 on sn-devel-144
2017-02-23 23:54:48 +01:00
Andreas Schneider
8ac43e0e6e s3:librpc: Fix OM_uint32 comparsion in if-clause
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:11 +01:00
Andreas Schneider
2f83cfdb90 s3:librpc: Make sure kt_curser and kt_entry are initialized
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Andreas Schneider
9297ac44f7 s3:lib: Do not segfault if username is NULL
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Andreas Schneider
13690569ee s3:torture: Fix uint64_t comparsion in if-clause
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Andreas Schneider
e6105f92cd s3-vfs: Do not deref a NULL pointer in shadow_copy2_snapshot_to_gmt()
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Volker Lendecke
0f2ffb545e winbind: Use EnumDomainUsers in rpc_query_user_list
We changed the parent->child enumusers call so that we only return the
users' RIDs. QueryDisplayInfo tends to return a lot more info which we
throw away. This also aligns the code with the other rpc enumerating
functions.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Feb 23 03:17:41 CET 2017 on sn-devel-144
2017-02-23 03:17:40 +01:00
Chris Lamb
5089e03b1e Correct "Openened" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:24 +01:00
Chris Lamb
43421364ac Correct "allready" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:24 +01:00
Chris Lamb
8de5c2e967 Correct "heirarchy" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
7e20f1e200 Correct "incluing" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
98453b0dbb Correct "succeded" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
1134f4f177 Correct "cleint" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
06df7ae927 Correct "somthing" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
bca0d8ee67 Correct "defered" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
4ff2923d1c Correct "follwing" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
5482e5426e Correct "existence" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
809aa6f993 Correct "descriptior" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
093003e061 Correct "perfom" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
fa6eb442fb Correct "coult" typo.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
1429428caa Correct "errror" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
39f2579a54 Correct "successfuly" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
afa9bb4ac5 Correct "extention" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
edcf56522c Correct "Controler" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
a4ab7c73bd Correct "occured" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00
Chris Lamb
c4feed0b8c Correct "doesnt" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00