mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

139518 Commits

Author SHA1 Message Date
Volker Lendecke
42cafe481d libnet4: Use netlogon_pings() in findsite
Enable LDAPS lookups

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
3ecb665422 libnet: Initialize variables in libnet_FindSite()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
dcc2767185 libnet: Simplify error return in libnet_FindSite()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
ccfbb5c2ed libnet: Save a few lines with talloc_move()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
eb8767a076 libads: Move check_cldap_reply_required_flags() to netlogon_ping.c
netlogon_ping.c depends on it but itself has fewer dependencies than
cldap.c, so we can use it in more places

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
fc7c55c938 libads: Simplify ads_fill_cldap_reply()
Both callers now guarantee via the filter in netlogon_pings() that the
reply contains DCs that have the required flags set. Remove those
checks from ads_fill_cldap_reply()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
759665fcf2 libads: Pass "required_flags" through ads_cldap_netlogon_5()
... down to netlogon_pings(). Passing 0 right now, this will change
for some callers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
808b79b4a9 libads: Pass "required_flags" through ads_cldap_netlogon()
... down to netlogon_pings()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
b802870966 libads: Make ads_cldap_netlogon() static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
523a1c6fa1 libads: remove cldap_multi_netlogon
Replaced by netlogon_pings()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
8bededd1b3 libsmb: Use netlogon_pings() in dsgetdcname
Use parallel requests and req_flags filtering provided by
netlogon_pings()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
cb00b78fa0 kerberos: Use netlogon_pings()
This also makes sure we've got a KDC via DS_KDC_REQUIRED

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
8a88f322db ldap: Use netlogon_pings
This already requests the flags that ads_fill_cldap_reply() will later
check for, so netlogon_pings will only feed sufficient DCs into
ads_fill_cldap_reply.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
df2844ca8f cldap: Use netlogon_pings()
Allow LDAPS for ads_cldap_netlogon()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
cf66ff3d1b libads: Add netlogon_pings()
This encapsulates our logic that we send CLDAP requests on UDP/389,
sending them with 100msec timeouts until someone replies. It also
contains the code to do this over LDAP/389 or LDAPS/636.

It also contains code to filter for domain controller flags like
DS_ONLY_LDAP_NEEDED, this logic exists in several places right now.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
e88db0a6b5 tldap: Add tldap_context_create_from_plain_stream()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
24dc8ef174 param: Add "client netlogon ping protocol"
Allow "net ads join" in environments where UDP/389 is blocked. Code
will follow.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
b3a8f845ec lib: Add a few required includes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
baeedee534 build: Remove the big samba3util dependency from TLDAP
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
469e1ebd71 build: Make util_tsock its own subsystem
One step to strip TLDAP deps

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
527d81fc5e param: Remove parameter "cldap port"
This was not used consistently across all of our code base, and I
don't see a reason why this should ever not be port 389.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
43b2d4104b cldap: Make finddcs.out.netlogon a pointer
struct netlogon_samlogon_response has subpointers, this patch enables
a proper talloc hierarchy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
31d1fc0912 cldap: Make cldap_netlogon.out.netlogon a pointer
struct netlogon_samlogon_response has subpointers, this patch enables
a proper talloc hierarchy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
a3f1cb1597 lib: Fix trailing whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
6edd49c68b cldap: Remove cldap_netlogon->in.map_response
We should not pass booleans down where the caller can do the same
thing with equal effort

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
82d8f345f5 libnet4: Call map_netlogon_samlogon_response directly
Avoid using a boolean flag passed down

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
a3eb60e7c8 libnet4: Call map_netlogon_samlogon_response directly
Avoid using a boolean flag passed down

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
d41efadde3 libnet4: Call map_netlogon_samlogon_response directly
Avoid using a boolean flag passed down

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
fc9810051e libcli4: Call map_netlogon_samlogon_response directly
Avoid using a boolean flag passed down

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
b5af90bd5c torture4: Simplify [tcp|udp]_ldap_netlogon()
Both callers set "map_response=true", so we don't need that flag here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
e54a4f06b3 tldap_tls: Remove tldap_[gs]et_starttls_needed()
The caller setting up a tldap connection is aware of whether to use
starttls, which is one single ldap extended operation before the tls
crypto starts. There is no complex logic behind this that is
worthwhile to be hidden behind a flag and an API. If there was more to
it than just a simple call to tldap_extended(), I would be all for
passing down that flag, but for this case I would argue the logic
after this patch is simpler.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
2cc41bd6ae tldap_tls: Move creation of tls_params out of tldap_tls_connect()
Soon we will have a tldap user which does not want to verify the
certs. Instead of passing another boolean down, hand in pre-created
tstream_tls_params.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Volker Lendecke
19ab2db59a tstream_tls: Add tstream_tls_params_peer_name()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:03 +00:00
Ralph Boehme
f6d3e1117f smbtorture: use torture_assert_ntstatus_equal_goto() in CHECK_STATUS() in unlink.c
fixup

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Nov 11 14:01:18 UTC 2024 on atb-devel-224
2024-11-11 14:01:18 +00:00
Ralph Boehme
3a32246bf2 smbtorture: move hardlink test in test_ntrename() to its own test
Some filesystems may not support hardlinks.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-11-11 12:53:05 +00:00
Ralph Boehme
83bca29e9d smbtorture: remove more allocation size checks
If the requested allocation size was 0, the resulting allocation size may be
larger due to xattrs and other filesystem dependent factors.

Cf commits fba4b29085 and
55b2f247f9.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-11-11 12:53:05 +00:00
Samuel Thibault
23ddfd3b03 lib/util: Include grp.h for setgroups during autoconf
Otherwise setresuid and friends don't get detected on GNU/Hurd because the
inclusion of <grp.h> is missing for the declaration of setgroups.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 11 12:51:17 UTC 2024 on atb-devel-224
2024-11-11 12:51:17 +00:00
Samuel Thibault
a7071565b0 ctdb: Include replace.h for PATH_MAX
Fixes build on GNU/Hurd.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 11 10:28:24 UTC 2024 on atb-devel-224
2024-11-11 10:28:23 +00:00
Earl Chew
1655413f12 Describe implication of upstream ICU-22610
Add commentary to link commit 86c7688 (MR !3447) to the upstream
fix for ICU-22610 in case there is subsequent breakage.

Signed-off-by: Earl Chew <earl_chew@yahoo.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  8 00:20:38 UTC 2024 on atb-devel-224
2024-11-08 00:20:38 +00:00
Ralph Boehme
7653ae2702 smbd: initialize delete_on_close in smbd_smb2_setinfo_lease_break_fsp_check()
CID 1634488:  Uninitialized variables  (UNINIT)

/source3/smbd/smb2_setinfo.c: 475 in smbd_smb2_setinfo_lease_break_fsp_check()
469     			&delete_on_close);
470     		if (tevent_req_nterror(req, status)) {
471     			return;
472     		}
473     	}
474
>>>     CID 1634488:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "delete_on_close".
475     	if (!rename && !delete_on_close) {
476     		return;
477     	}
478
479     	state->lck = get_existing_share_mode_lock(state, fsp->file_id);
480     	if (state->lck == NULL) {

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Nov  7 17:21:53 UTC 2024 on atb-devel-224
2024-11-07 17:21:53 +00:00
Stefan Metzmacher
f340dce654 libcli/auth: make use of netlogon_creds_cli_check_transport() in more places
This was somehow missing in commit
7a5ad9f64a

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224
2024-11-07 09:14:33 +00:00
Martin Schwenke
4569c65288 ctdb-scripts: Add configuration variable CTDB_KILLTCP_USE_SS_KILL
This allows CTDB to be configured to use "ss -K" to reset TCP
connections on "releaseip".  This is only supported when the kernel is
configured with CONFIG_INET_DIAG_DESTROY enabled.

From the documentation:

   ss -K has been supported in ss since iproute 4.5 in March 2016 and
   in the Linux kernel since 4.4 in December 2015.  However, the
   required kernel configuration item CONFIG_INET_DIAG_DESTROY is
   disabled by default.  Although enabled in Debian kernels since
   ~2017 and in Ubuntu since at least 18.04, this has only recently
   been enabled in distributions such as RHEL.  There seems to be no
   way, including running ss -K, to determine if this is supported, so
   use of this feature needs to be configurable.  When available, it
   should be the fastest, most reliable way of killing connections.

For RHEL and derivatives, this was enabled as follows:

* RHEL 8 via https://bugzilla.redhat.com/show_bug.cgi?id=2230213,
  arriving in version kernel-4.18.0-513.5.1.el8_9

* RHEL 9 via https://issues.redhat.com/browse/RHEL-212, arriving in
  kernel-5.14.0-360.el9

Enabling this option results in a small behaviour change because ss -K
always does a 2-way kill (i.e. it also sends a RST to the client).
Only a 1-way kill is done for SMB connections when ctdb_killtcp is
used - the reasons for this are shrouded in history and the 2-way kill
seems to work fine.

For the summary that is logged, when CTDB_KILLTCP_USE_SS_KILL is "yes"
or "try", always log the method used, even the fallback to
ctdb_killtcp.  However, when set to "no", maintain the existing
output.

The decision to use -K rather than --kill is because short options are
trivial to implement in test stubs.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Nov  7 00:12:34 UTC 2024 on atb-devel-224
2024-11-07 00:12:34 +00:00
Martin Schwenke
19e65f4012 ctdb-scripts: Factor out function kill_tcp_summarise()
This will be used in a slightly different context in a subsequent
commit.  In that case, the number of killed connections will be passed
instead of the total number of connections, so support this here via
different modes instead of churning later.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00
Martin Schwenke
590a86dbe4 ctdb-scripts: Track connections for all ports for public IPs
Currently TCP ports like NFS lock manager are not tracked.  It is
easier to track all connections than to add a configuration system to
try to track specified ports, so do that.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00
Martin Schwenke
c3695722b6 ctdb-scripts: Get connections after tickle list
Running ss to get current connections before running ctdb gettickles
means the ss output might be out of date when the 2 lists are
compared.  Some tickles might have been added after ss was run by some
other means (e.g. SMB tickles, added internally) and they would be
deleted according to the stale ss output.

This isn't currently a problem because update_tickles() is currently
only called with port 2049, so all tickles are managed by this code.
That will change in a subsequent commit.

Changing the order means the reverse problem can occur, where
update_tickles() attempts to delete an already deleted tickle.  That
may happen occasionally but is harmless because it doesn't result in
missing information.  It (currently) just causes a message to be
logged at DEBUG level.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00
Martin Schwenke
9683bb3ac2 ctdb-scripts: Move connection tracking to 10.interface
This should really be done for all connections to public IP addresses.
Leave the port number there for now - this is just the first step.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00
Martin Schwenke
d39a1cc1d4 ctdb-server: Use ctdb_connection_same() to simplify
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00
Volker Lendecke
1b1fd5c228 ctdb: Don't leak a pointer on talloc_realloc failure
We should not directly overwrite the pointer we are realloc'ing

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-11-06 23:03:42 +00:00
Volker Lendecke
e080add68a ctdb: Save a few lines with talloc_zero()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-11-06 23:03:42 +00:00
Martin Schwenke
762f5f5ca6 ctdb-server: Remove duplicate logic
Initialise the pointer to NULL and fall through to let
talloc_realloc() do the allocation.  talloc_realloc() does the right
thing with a NULL pointer...

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
2024-11-06 23:03:42 +00:00