1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

107843 Commits

Author SHA1 Message Date
Jeremy Allison
854ea4eba8 s3: VFS: Change SMB_VFS_GETXATTR to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun  1 02:58:53 CEST 2017 on sn-devel-144
2017-06-01 02:58:53 +02:00
Jeremy Allison
48956fa4d3 s3: VFS: Change SMB_VFS_SETXATTR to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
12b801d9d7 s3: VFS: Change SMB_VFS_REMOVEXATTR to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
892476b555 s3: VFS: Change SMB_VFS_LISTXATTR to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
aada94885d s3: VFS: Change SMB_VFS_SYS_ACL_SET_FILE to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
f5dd864606 s3: VFS: Change SMB_VFS_SYS_ACL_BLOB_GET_FILE to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
cea8e57eac s3: VFS: Change SMB_VFS_SYS_ACL_GET_FILE to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Requires a few extra cleanups in calling code.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
85c8780581 s3: VFS: Change SMB_VFS_SYS_ACL_DELETE_DEF_FILE to use const struct smb_filename * instead of const char *.
We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:22 +02:00
Jeremy Allison
63d2003ecd s3: lib: Add new utility function cp_smb_filename_nostream().
Will be needed when we migrate lower-level VFS functions to
take an struct smb_filename *, especially the SYS_ACL and
XATTR modification modules, as these must ignore a passed-in
stream name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-31 22:50:21 +02:00
Andrew Bartlett
7259661467 dsdb: Use ldb_handle_use_global_event_context for rootdse modifies
The modify operations on the rootDSE turn into IRPC messages, and these need
to be handled on the global event context, not the per-operation context

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 31 10:47:46 CEST 2017 on sn-devel-144
2017-05-31 10:47:46 +02:00
Andrew Bartlett
e7c36a7142 schema: Use ldb_schema_set_override_indexlist for faster index selection
This allows Samba to provide a binary tree lookup for the existance of an index on the attribute
rather than the O(n) lookup that was being done for each attribute during a search or modify

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
13e09c72cd ldb: Version 1.1.30
* let ldbdump parse the -i option
* don't allow the reveal_internals control for ldbedit
* only allow --show-binary for ldbsearch
* don't let ldbsearch create non-existing files
* fix ldb_tdb search inconsistencies
* add cmocka based tests
* provide an interface for improved indexing for callers
  like Samba, which will allow much better performance.
* Makes ldb access to tdb:// databases use a private event context
  rather than the global event context passed in by the caller.
  This is because running other operations while locks are held
  or a search is being conducted is not safe.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
e001ac9ef5 ldb: Add Doxygen documentation for ldb_handle_use_global_event_context()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
850732ebbb ldb: Add Doxygen docs for ldb_set_require_private_event_context()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
ba3eff930f ldb: Add Doxygen docs for ldb_handle_get_event_context()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
d73d926458 ldb: Add Doxygen docs for ldb_schema_set_override_indexlist()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
bcd891dc3f ldb: Add Doxygen docs for ldb_schema_attribute_set_override_handler
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
cb03b12ac2 ldb: Add Doxygen comments for ldb_req_*trusted() functions
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
02a4915b91 ldb: Add test for ldb_build_search_req()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
6777770d35 ldb: Add tests for new ldb handle and event context behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
c29201d6d3 ldb: Add ldb_handle_use_global_event_context()
This will allow the IRPC to be processed in the main event loop of the
server, not the private event context for this request

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
e67d3568e5 ldb: Use the private event context in ldb_tdb and ldb_wait()
This enables the previous commits, and ensures that ldb_tdb is safe from operations while locks
are held

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:27 +02:00
Andrew Bartlett
25795c3da9 ldb: Force use of a private event context in ldb_tdb
ldb_tdb holds locks while making callbacks, so force the use of a per-request event context

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
cd97f45976 ldb: Create private event contexts in top level requests, chain to children
We must ensure that the ldb_request we call ldb_wait() will share an event context with all
the eventual request that the ldb backend creates events on

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
0f13243f5e ldb: Add ldb_set_require_private_event_context()
This will allow us to force use of the global event context for use when Samba
must make an IRPC call from within the ldb stack, to another part of the same
process

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
a83df55693 ldb: Add ldb_handle_get_event_context()
This will allow us to obtain a private event context for use while we hold
locks in ldb_tdb, that is not shared with the global state of the application.

This will ensure we do not perform other operations while we hold the lock

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
1ba6b9aae8 ldb: Add ldb_build_req_common() helper function
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
aa54ed0365 ldb: Add tests for the schema and index override hooks
Because this uses ldb_private.h we no longer build the
test binary if we are building against a system ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
e903e08027 ldb: Move test_ldb_attrs_case_insensitive closer to setup/teardown functions
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
2335e57a89 ldb_tdb: Avoid reading the index list from the DB if we are already set to override it
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
e584fe85a5 ldb: Allow a caller (in particular Samba) to handle the list of attributes with an index
By doing that, Samba will use a binary search to locate the attributes
rather than an O(n) search, during every search or modify of the database.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
29dc93298a ldb_tdb: consistently use ltdb->cache->attribute_indexes to determine if we have indexes
This is instead of checking the number of elements via ltdb->cache->indexlist->num_elements

In turn, this allows us to avoid fetching ltdb->cache->indexlist in the future

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
e1bc43dca1 ldb_tdb: change the arguments to ldb_is_indexed() to provide the ltdb_private
By doing this, we can be more efficient in locating if we have an index in
the future.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andrew Bartlett
05e8dcb2f9 ldb_tdb: Split index load out into a sub-funciton: ltdb_index_load
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-05-31 06:34:26 +02:00
Andreas Schneider
e530e43d67 s3:smbd: Set up local and remote address for fake connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 31 06:33:00 CEST 2017 on sn-devel-144
2017-05-31 06:33:00 +02:00
Andreas Schneider
cbf67123e0 s3:smbd: Pass down remote and local address to get_referred_path()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-31 02:24:18 +02:00
Volker Lendecke
ccd4f81488 lib: Remove use of MSG_NOSIGNAL
According to susv4 sendmsg, NOSIGAL is effective for stream-oriented sockets.
Datagram sockets won't send SIGPIPE anyway. Looking at Linux kernel sources,
this is only looked at in stream functions. I guess this is a left-over from my
tmsgd attempts, which was based on stream sockets. messaging_dgm still only
uses datagram sockets, so MSG_NOSIGNAL is not needed here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12502

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 30 16:39:12 CEST 2017 on sn-devel-144
2017-05-30 16:39:12 +02:00
Stefan Metzmacher
41981db0d3 s4:lib/com: remove unused pycom binding
This is completely untested and from reading the code it doesn't really
do anything beside always returning None from the get_class_object() method.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 30 12:16:57 CEST 2017 on sn-devel-144
2017-05-30 12:16:57 +02:00
Stefan Metzmacher
50c7112b00 s4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()
As not all gensec backends are fully async yet, we need the
inhibit_timeout_processing workarround in order to protect
against nested event loops.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
27aacf9288 Revert "s4:librpc: simplify dcerpc_connect_timeout_handler() logic"
This reverts commit 2c3e99d169.

As the source4 backends for kerberos still use nested event loops,
we need to restore this for now.

We should reapply this once all backends are fully async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
0382a4068b s4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()
This matches logic of samba_server_gensec_start() and avoids warnings like this:

WARNING: talloc_steal with references at ../source4/auth/samba_server_gensec.c:150
        reference at ../auth/gensec/gensec_start.c:586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
80f92e8338 tests/rodc: Check that new passwords trigger wiping on RODC
This appears to have been working correctly, but we just haven't had a test for it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
4b52f102be getncchanges: Do not filter EXOPs using highwatermark
Prior to this patch, any REPL_SECRETS could be filtered accidentally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
b22387cf85 rpc_server: Move SID helpers into common
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
452170db2c tests/rodc: Check SID restriction for SendToSam
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
7dfe7df6d0 tests/rodc: Add password lockout tests with RODC-auth, RWDC-check
This occurs when the password is preloaded, and the bad logins and
successes must be forwarded the the RWDC.

The password server MUST be localdc.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
e418db6ea1 selftest: Ensure rodc environment uses localdc as winbind partner
This is required for password lockout testing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
8ae968193b netlogon_creds_cli: Do not corrupt authenticator state on application level errors
If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
updates falling off and never continuing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00