IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Generate an appropriate log message in the event of an error
log_group_membership_changes. As the changes have not been applied to
the database, there is no easy way to determine the intended changes.
This information is available in the "dsdbChange" audit messages, to
avoid replicating this logic for what should be a very rare occurrence
we simply log it as a "Failure"
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jan 19 22:32:05 CET 2019 on sn-devel-144
Add tests to exercise the error handling in
log_group_membership_changes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
audit_log.c:878:7: error: assuming signed overflow does not occur when
simplifying conditional to constant [-Werror=strict-overflow]
Signed-off-by: Andreas Schneider <asn@samba.org>
This avoids confusing messages, samba_dnsupdate returns the number of
failed updates
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This restores the previous behaviour. It causes (only) the event ID
to be omitted if status != LDB_SUCCESS or there was a problem getting
the group type.
Errors at this stage are exceedingly rare, because the values have
already been checked by the repl_meta_data module, but this is
cosistent with the rest of the module again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Dec 22 01:58:48 CET 2018 on sn-devel-144
Generate a GroupChange event when a user is created with a PrimaryGroup
membership. Log the windows event id in the JSON GroupChange message.
Event Id's supported are:
4728 A member was added to a security enabled global group
4729 A member was removed from a security enabled global
group
4732 A member was added to a security enabled local group
4733 A member was removed from a security enabled local group
4746 A member was added to a security disabled local group
4747 A member was removed from a security disabled local group
4751 A member was added to a security disabled global group
4752 A member was removed from a security disabled global
group
4756 A member was added to a security enabled universal
group
4757 A member was removed from a security enabled universal
group
4761 A member was added to a security disabled universal
group
4762 A member was removed from a security disabled universal
group
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Testing the new GUID list based paged results module
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Fri Dec 21 11:10:30 CET 2018 on sn-devel-144
Replacing paged results module to use GUID list instead of storing
result list in memory, in order to improve memory performance.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
More vlv testing for cases involving modifying, deleting, and adding records
while observing the effect on already initialised views.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps avoid duplicate values and clearly indicates what value to select next.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 17 04:30:39 CET 2018 on sn-devel-144
This is a hold-over from the LDAP backend project, which has not yet been revived.
There will be bigger issues than what to do if the schema changes if this ever comes back
and our schema code is way to complex at the moment.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Add a new "eventId" element to the PasswordChange JSON log messages.
This contains a Windows Event Code Id either:
4723 Password changed
4724 Password reset
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Feedback from real-world users is that they really want raw JSON
strings in the log.
We can not easily remove the leading " " but the other strings above
and before the JSON are really annoying to strip back off
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
commit: 34ca15fb042e42773854c093ad9f1e67696c90ac changed the
test so embedded NULLs were avoided when python3 was used.
This was due to the fact the string comparison function
'locale.strcoll' cannot handle embedded NULLs. This commit
a) Restores the test data using embedded NULLs which was
not used depending on the python runtime version
b) Removes the problematic calculation of expected sorting order
and instead uses sort order data stored in files.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Currently the test only runs fully under python2. As an interim
measure while we figure out how to get this to work property under
python3 I have converted the test to planoldpythontest so it also
can run under python2
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adjust test data to remove use of embedded NULLs.
We are getting the following exception when running the test
under python3
Exception: Exception: Traceback (most recent call last):
File "source4/dsdb/tests/python/sort.py", line 181, in setUp
key=cmp_to_key_fn(locale.strcoll))
ValueError: embedded null character
Looking at the source code for locale.strcoll the lhs & rhs
params are processed using 'PyUnicode_AsWideCharString(s, NULL)'
Documentation for PyUnicode_AsWideCharString states:
"Convert the Unicode object to a wide character string.
The output string always ends with a null character. If size is
not NULL, write the number of wide characters (excluding the
trailing null termination character) into *size. Note that the
resulting wchar_t string might contain null characters, which
would cause the string to be truncated when used with most C
functions. If size is NULL and the wchar_t* string contains null
characters a ValueError is raised."
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Test still fails after applying the following fixes
a) only decode byte or (py2) str objects
b) fix sorted function no longer use cmp func, use compat
cmp_to_key_fn instead
c) convert ldb.bytes returned from ldb search results
d) convert sort_functions.keys() to list so array slicing works
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix misc ldb.bytes needing to be stringified for tests to succeeed
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
use Exception.args member as exception is no longer supports
indexing.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Make sure samba-tool is called with correct PYTHON version
* Convert ldb.bytes results to string for comparison with expected
results
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Misc changes mostly around use of ldb.bytes, bytes and string to get
the test to work. Additionally results of a range cannot be combined
with a list using the '+' operator (need to enclose the range with
list).
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Convert ldb.bytes object to string for further processing
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix dict_items are not combinable with '+' operator error, need
to convert to list first.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
gensec.Security.update takes bytes as param not string with py3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix various assertTrue/assertEquals so ldb.bytes (PY3)
comparaisons work both in PY3 & PY2
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Fix various assertEquals comparing ldb.bytes with string
when running with PY3
* Fix a couple of tuple assignments to exception (not supported
in PY3)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Misc changes to ensure samba4.sam.python test will run under
python2/python3
* various objectSID values when formatted need to be treated
as strings for tests.
* DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS, DOMAIN_RID_DCS,
DOMAIN_RID_READONLY_DCS are all integers (but attibutes are
ldb.bytes in PY3, need to adust various assertEquals.
* Make sure password is encoded correctly
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Clearly the lockOutObservationWindow value is important, and using a
default value of zero doesn't work very well.
This patch adds a better default value (the domain default setting of 30
minutes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Nov 28 11:31:14 CET 2018 on sn-devel-144
Fix a remaining place where we were trying to read the
msDS-LockoutObservationWindow as an int instead of an int64.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Commit 442a38c918ae1666b35 refactored some code into a new
get_lockout_observation_window() function. However, in moving the code,
an ldb_msg_find_attr_as_int64() inadvertently got converted to a
ldb_msg_find_attr_as_int().
ldb_msg_find_attr_as_int() will only work for values up to -2147483648
(about 3.5 minutes in MS timestamp form). Unfortunately, the automated
tests used a low enough timeout that they still worked, however,
password lockout would not work with the Samba default settings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.
The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).
This highlights a problem currently where the default values don't work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The previous refactor now means we return early if we don't need to
re-apply isDeleted to the object. The 'else' is redundant and we can
remove it to avoid unnecessary indent.
This patch is basically just a whitespace change. It should not alter
functionality.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 23 08:10:41 CET 2018 on sn-devel-144
It's easier to follow the logic involved here when it's split out into a
separate function.
This patch should not alter the existing logic/functionality.
Note the 'else' case is somewhat redundant, but it avoids excessive
whitespace changes to the function. It'll be tidied up in the next
patch.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We can prevent anyone from inadvertently adding/removing msg->elements[]
in replmd_process_linked_attribute() by just not passing msg into the
function. Currently we only actually need the source DN and a memory
context for reallocating old_el->values.
The warning comment has been moved to a more appropriate place.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This patch should not alter functionality - it is just making memory
assumptions used in replmd_process_linked_attribute() clearer.
When adding/removing msg->elements we have to take care, as this will
invalidate things like the parsed-DN array or old ldb_message_element
pointers. This has always been the case (i.e. f6bc4c08b19f5615a49),
however, now we need to take even more care, as the msg being modified
is re-used and split across 2 different functions.
Add more code comments to highlight this. We can also free
pdn_list/old_el to prevent them being incorrectly used after realloc.
It seems appropriate to also add a sanity-check that the tmp_ctx alloc
succeeds (which all the other memory hangs off).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Tim Beale <timbeale@samba.org>
Autobuild-Date(master): Wed Nov 21 05:31:10 CET 2018 on sn-devel-144
Quite a bit of time was spent in dsdb_get_deleted_objects_dn()
processing during either a join (~9%) or a full-sync (~28%).
The problem is we're *always* doing the dsdb_get_deleted_objects_dn()
call for each object, regardless of whether it's actually deleted or
not. i.e. we were doing an expensive query and a lot of the time just
ignoring the query result.
If it's not a deleted object we're dealing with, we can just return
early and skip the unnecessary processing.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When a group has 10,000+ links, get_parsed_dns_trusted() can be costly
(simply the talloc calls alone are expensive). Instead of re-generating
the pdn_list for every single link attribute, we can change to only
re-generate it when we really need to.
When we add a new link, it reallocates old_el->values, and so we need to
recreate the pdn_list because all the memory pointers will have changed.
However, in the other cases, where we're simply updating the existing
link value (or ignoring the update, if it's already applied), we can
continue using the same pdn_list (rather than re-parsing it again).
This would generally only save time with a full-sync - it won't really
help with the join case (because every link processed results in a
realloc).
On a DB with 5000 users, this makes a full-sync about ~13% faster.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
