IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Old versions of 'samba-tool dbcheck' could reanimate
deleted objects, when running at the same time as the
tombstone garbage collection.
When the (deleted) parent of a deleted object
(with the DISALLOW_MOVE_ON_DELETE bit in systemFlags),
is removed before the object itself, dbcheck moved
it in the LostAndFound[Config] subtree of the partition
as an originating change. That means that the object
will be in tombstone state again for 180 days on the local
DC. And other DCs fail to replicate the object as
it's already removed completely there and the replication
only gives the name and lastKnownParent attributes, because
all other attributes should already be known to the other DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
In this case the lastKnownParent attributes points a non existing
object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need a way to rename an object without updating the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When a parent object is removed during the tombstone garbage collection
before a child object and samba-tool dbcheck runs at the same time, the
following can happen:
- If the object child had DISALLOW_MOVE_ON_DELETE in systemFlags,
samba-tool dbcheck moves the object under the LostAndFound[Config]
object (as an originating update!)
- The lastKnownParent attribute is removed (as an originating update!)
These originating updates cause the object to have an extended time
as tombstone. And these changes are replicated to other DCs,
which very likely already removed the object completely!
This means the destination DC of replication has no chance to handle
the object it gets from the source DC with just 2 attributes (name, lastKnownParent).
The destination logs something like:
No objectClass found in replPropertyMetaData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This has been replaced by gen_werror.py which shares common code with other scripts
(e.g. gen_ntstatus) and is more likely to work with conteporary microsoft HTML.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This test code is not run (and has not been run for about a decade).
Let's remove it - it's there in the git history if we ever want to try
to repurpose it again.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 12 02:56:05 UTC 2019 on sn-devel-144
This script was added in 2010 and has only been sporadically kept
up-to-date since. It doesn't appear to work (I think that selftest
and the testenvs have perhaps grown in complexity since 2010 and it's no
longer possible to try to access a testenv from a different
process-space, due to how we use the cwrap libraries).
There's now an alternative (export_envvars_to_file()) in the selftest
code to regenerate a similar file, if anyone actually needs it.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This doesn't appear to be used anywhere and dates back to 2008.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Use a temporary struct as a return value to make the compiler catch all
callers. If we just changed bool->ssize_t, this would just generate a
warning. struct sid_parse_ret will go away in the next commit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba-o3 test failed in ubuntu:16.04 docker container:
==> /home/samba/samba/samba-o3.stderr <==
../../source4/torture/raw/eas.c: In function ‘test_max_eas’:
../../source4/torture/raw/eas.c:286:12: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
static bool test_max_eas(struct smbcli_state *cli, struct torture_context *tctx)
^
cc1: all warnings being treated as errors
`total += j` may overflow. Change total type to `size_t` to mute error.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This fixes upgrading from 4.7 and earlier releases, and makes the DB
reindexing more transparent. It should also make it easier to handle
future normalisation rule changes, e.g. if we change the pack-format
of integer indexes in a future release.
Without this change, the should have still handled reindexing the
database. We don't know why exactly this wasn't happening correctly,
but opening a transaction early in the samba process startup should
now guarantee that the DB is correctly reindexed by the time the main
samba code runs.
An alternative fix would have been to open a transaction in the the
DSDB module stack every time we connect to the database. However, this
would add an extra write lock every time we open the DB, whereas
starting samba happens much more infrequently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13760
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 7 04:58:42 UTC 2019 on sn-devel-144
The new unified versions have better debugging and ensure
that both functions continue to have the same control flow.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
SWAT was removed in Samba 4.1 and there isn't any reason to keep a web
server in our codebase. The web server was not turned on by default.
The web server plainly does not hold up to modern web server standards
and allows for resource exhaustion (and probably generally has bugs).
Credit goes to Michael Hanselmann for prompting us to remove this
service entirely.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 6 04:30:22 UTC 2019 on sn-devel-144
The speed test, when it was introduced a few patches ago, was
deliberately slow so that we could see how much better the changes
were. It used 500 users, 50 groups, and 27 computers.
Before the changes, it took this long:
rename ou took 64.373s
rename group took 0.160s
rename user took 0.004s
rename computer took 0.123s
After using the sorted links, it took this long:
rename ou took 12.984s
rename group took 0.161s
rename user took 0.004s
rename computer took 0.122s
And with the final patch to stop the linear search early on success:
rename ou took 11.680s
rename group took 0.089s
rename user took 0.004s
rename computer took 0.128s
"rename ou" is the one we were aiming at. Now that we have done that,
we reduce the size of the test so as not to slow down everyone's
autobuilds.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In most cases there can only be one link for each GUID. If we assume
that is true, we can skip half the search, on average.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rename operations can be very slow in large database with many group
memberships, because the linked attributes need to be found and
rewritten for each moved object and the way we did that was naive.
For a while now Samba has kept forward links in sorted order, so
finding group memberships can be an O(log n) rather than O(n)
operation. This patch makes use of that.
The backlinks are not sorted, nor are forward links in old databases,
so we have to use a linear search in those cases.
There is a little bit of extra work to handle the few kinds of forward
links (e.g. msDS-RevealedUsers) that have DN+Binary values.
Tim and Garming came up with the basic idea and a prototype.
Pair-programmed-with: Tim Beale <timbeale@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Until now the linked attrbutes module has allocated its private data
on a per transaction basis, but we prefer to check the sorted links
feature less often than that. So the private data struct is given
module life time and a transaction member to carry out the old role.
In coming patches, the sorted links flag will be used.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
repl_meta_data.c uses the compatible features attribute of the
"@SAMBA_DSDB" special object to record that linked attributes are
being stored in the database in a sorted order. Soon the
linked_attributes module is going to want to know the same thing, and
in time other modules will want to know about other compatible
features, so we introduce a helper function.
Error checking is slightly improved.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests will ensure that linked attributes continue to be handled
correctly under forthcoming changes. The la_move_ou_tree_big() test
will show that the changes make this much faster, after which it can
perhaps be removed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Instead of passing the CLIENT_IP to the auth_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.
This only works for auth_log_pass_change, but not auth_log.py - the
latter still needs to be run on the :local testenv for other reasons, so
it doesn't use the client.conf. However, we can still update the base
code to use the client.conf IP, as auth_log.py overrides
self.remoteAddress anyway.
The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Instead of passing the CLIENT_IP to the audit_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.
Because the audit_log tests are all run on the non-local testenv,
they'll already use the client.conf and the 127.0.0.11 address.
The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The auth-logging tests are an odd combination of server and client
behaviour. On the one hand we want a IRPC connection to see the auth
events being logged on the server. On the other hand, we want the auth
events to appear to be happening on a client. Currently we hardcode in
the use of a SOCKET_WRAPPER interface to make this happen.
We can avoid this explicit socket wrapper usage by using the server
smb.conf instead in the one place we actually want to act like the
server (creating the IRPC connection). Then we can switch from using
the 'ad_dc*:local' testenvs to use 'ad_dc*', in order to act like a
client by default. The SERVERCONFFILE environment variable has already
been added for the few cases where a test needs explicit access to the
server's smb.conf.
However, for samba.tests.auth_log, the samlogon test cases are still
reliant on being run on the :local testenv, and so we can't switch them
over just yet. This is because the samlogon is using the DC's machine
creds underneath, which will fail on the non-local testenv. We could
create separate machine creds for the client and use those, but this is
a non-trivial rework of the test code.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I believe this was a leftover remnant from an earlier patch revision -
it's now been replaced by the DC_SERVERCONFFILE variable.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is more consistent with how we run tests elsewhere.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests all use the ncalrpc connection, so they're always testing a
connection that's local to the server-side. Therefore passing in the
CLIENT_IP and SOCKET_WRAPPER_DEFAULT_IFACE variables (in order to try to
simulate a client connecting) is unnecessary.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When access_mask contains SEC_FLAG_MAXIMUM_ALLOWED, the server must still
proces other bits from access_mask. Eg if access_mask contains a right that
the requester doesn't have, the function must validate that against the
effective permissions.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when
calculating maximum access already seen allow bits are not removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Shows that owner and SID_OWNER_RIGHTS ACE
entries interact in max permissions requests.
Tested against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
