1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

34595 Commits

Author SHA1 Message Date
Stefan Metzmacher
f362387352 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Stefan Metzmacher
a206cf2dc1 s4:dns_server: avoid debug noise on successful updates
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
09da62f1a3 s4:lib/tls: fix the developer build without gnutls support
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
343b0e0af9 s4:smb_server: remove deprecated 'use spnego = no" handling
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
b6d55eefa2 s4:selftest: replace --option=usespnego= with --option=clientusespnego=
I guess that's what we try to test here, as 'use spnego' was only evaluated
on in the smb server part.

The basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Volker Lendecke
3022da1a72 libnet: Add NULL checks to py_net_finddc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-09 18:25:07 +01:00
Ralph Boehme
df31e94eb6 s4/torture/fruit: enhance zero AFP_AfpInfo stream test
This test more operations in the zeroed out FinderInfo test, ensuring
after zeroing out FinderInfo, operations on the filehandle still work
and that enumerating streams doesn't return the stream anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-09 12:53:32 +01:00
Ralph Boehme
a22833c297 s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-09 12:53:32 +01:00
Jamie McClymont
7901f7c3ba selftest: close connections after tests in samba4.ldap.rodc_rwdc.python
This test suite had a memory impact of around 2.5GB, from built-up LDAP
connection handlers under the standard process model.

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jan  9 08:22:27 CET 2018 on sn-devel-144
2018-01-09 08:22:27 +01:00
Jamie McClymont
fe164a08dd selftest: close connections after tests in samba4.ldap.secdesc.python
This test suite had a memory impact of around 2.2GB, from LDAP connection
handlers under the standard process model.

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan  8 08:02:15 CET 2018 on sn-devel-144
2018-01-08 08:02:15 +01:00
Jamie McClymont
babf0a7bef selftest: close connections after tests in samba4.ldap.acl.python
Over the length of a run of this suite (which runs under the standard process
model), memory usage from LDAP connection handlers reaches 4GB. This patch
reduces it to a manageable amount.

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
kkplein
ce2ca7fa89 Update util.c to include DBGC_AUTH class
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-08 03:34:17 +01:00
Volker Lendecke
361ea74357 samba: Only use async signal-safe functions in signal handler
Otherwise shutdown can hang

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-01-06 00:07:17 +01:00
Ralph Boehme
e1fb902ca4 s4/torture: test vfs_fruit "fruit:time machine max size" option
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-06 00:07:17 +01:00
Jamie McClymont
523bd03fd6 source4/tests: typo in env name
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-01-04 22:29:08 +01:00
Volker Lendecke
36ab213ae6 dns_server: Remove "max_payload" from dns_server
This would have to be retrieved from the interface type we have I guess.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan  4 05:08:02 CET 2018 on sn-devel-144
2018-01-04 05:08:02 +01:00
Volker Lendecke
35683a60e7 dns_server: Remove unused "dns_generate_options"
This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Volker Lendecke
cc3f9c26ec dns_server: Remove unused "dns" parameter from ask_forwarder_send
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Volker Lendecke
300821b793 dns_server: Use dns_cli_request instead of direct udp
This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Volker Lendecke
507c9b6906 dsdb: Fix the build on 32-bit FreeBSD
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Stefan Metzmacher
d8d21ec437 Happy New Year 2018!
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan  1 19:19:22 CET 2018 on sn-devel-144
2018-01-01 19:19:22 +01:00
Volker Lendecke
dcfa6c021f torture: Fix CID 1426987 Incorrect expression (UNUSED_VALUE)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Dec 28 02:22:04 CET 2017 on sn-devel-144
2017-12-28 02:22:04 +01:00
Douglas Bagnall
cef83c0cc6 samba-tool: --help test, ensuring help tree coverage
`samba-tool [COMMAND] --help` will list sub-commands of COMMAND
(or top-level commands if COMMAND is omitted). This ensures that
`samba-tool COMMAND SUBCOMMAND --help` works for all the commands
found in the help tree.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Stefan Metzmacher
f60af3b61c s4:torture: add smb2.session.expire2 test
This demonstrates the interaction of NT_STATUS_NETWORK_SESSION_EXPIRED
and various SMB2 opcodes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-21 19:12:08 +01:00
Volker Lendecke
ca289d4d14 torture: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-12-21 19:12:08 +01:00
Garming Sam
03f1ca863a release-4-8-0-pre1: New database dump for checking that functional prep works
Next will be a test which compares the current run of the script against
this reference provision.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:12 +01:00
Garming Sam
87cbd97ef4 WindowsServerDocs: Update README for clarity
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
7cc1dfec8c Forest-Wide-Updates.md: Include the description of forest wide updates
This is sourced from the WindowsServerDocs repository on Github under an
MIT/CC 4.0 attribution license. A huge thanks is required for these
being provided and the work done in the process, as they mean a lot less
work for us to repeat.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
b6c33c0ca9 WindowsServerDocs: Update README to get rid of the references to ./gen/
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
1bb0715c93 2008R2: Missing operation (77) for ActiveDirectoryUpdate version 5 (FL)
Operation 77: {82112ba0-7e4c-4a44-89d9-d46c9612bf91}

 - Create the CN=PSPs,CN=System object

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
3cddb6ad07 2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)
Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}

 - Create the CN=Managed Service Accounts object

Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}

 - Add otherWellKnownObject link for CN=Managed Service Accounts

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
1f63ffc965 wscript: Install missing .ldf files
With the update to the newer version of the 2008 R2 schemas, the files
were not available on install.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:10 +01:00
Andreas Schneider
23a62c9f83 dsdb: Improve code and directly close fp
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-12-20 16:04:18 +01:00
Volker Lendecke
287236eac9 dsdb: Fix CID 1426728 Structurally dead code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-20 16:04:18 +01:00
Volker Lendecke
3242bce636 dsdb: Fix CID 1426727 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-20 16:04:18 +01:00
Jamie McClymont
bfcbc9be61 selftest: fix samba3.rpc.samba3.netlogon running after an nt4_member test
samba3.rpc.samba3.netlogon is using get_myname to find a username with which to
perform a join. This means that the test tries to join with the existing
localnt4dc2 user, which happens to work if get_myname is working
correctly (which it isn't -- see next commit about NSS_WRAPPER_HOSTNAME!)

This commit fixes a test run with, for example:
  TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
(given samba3.blackbox.smbclient_ntlm.plain is in the nt4_member env)

...which previously failed due to the combination of this and the
NSS_WRAPPER_HOSTNAME bug.

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 04:22:10 +01:00
Andrew Bartlett
0806ff7dfd s4:samba: Fix default to be running samba as a deamon
Commit 8736013dc4 got the (confusing) sense of opt_fork
wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144
2017-12-19 11:24:29 +01:00
Andrew Bartlett
3efc879d98 dns_server: Do the exact match query first, then do the wildcard lookup
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute.  This is not as efficient as a base DN lookup, so we try for
that first.

A not-found and wildcard response will still fall back to the ONELEVEL
index.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
948791aca7 dns_server: Do not look for a wildcard for @
This query is made for every record returned via BIND9 DLZ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
071ad56aef dns_server: Use the indexed "name" attribute in wildcard lookup
(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Gary Lockyer
416b7e93fc source4/lib/socket/socket_ip.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 08:49:57 CET 2017 on sn-devel-144
2017-12-18 08:49:57 +01:00
Gary Lockyer
d120d7fe84 provision: Changes to support encrypted_secrets module
Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.

Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:17 +01:00
Gary Lockyer
1d3ae2d92f dsdb encrypted secrets module
Encrypt the samba secret attributes on disk.  This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.

Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.

Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
Gary Lockyer
b29ab3a0c1 tests dsdb encrypted secrets module
Add tests to check that the encrypted_secrets module encrypts
secrets/sensitive attributes on disk.

This test also proves that the provision and join operations correctly
configure the encrypted_secrets module.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
David Mulder
b468245c32 gpo: Test that unapply works
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
Andrew Bartlett
1daba6f255 schema: 2008R2 AD schema attributes and classes
Obtained under the Open Protocols Specifications licence from
https://www.microsoft.com/en-us/download/details.aspx?id=23782

These are more complete than the version we have had in the tree until now.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:17 +01:00
Andrew Bartlett
8019c76b56 schema: 2016 AD schema attributes and classes
Obtained under the Open Protocols Specifications licence from
https://www.microsoft.com/en-us/download/details.aspx?id=23782

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:17 +01:00
Garming Sam
8519f98677 provision: RODC revision level should be at 2
This number had been mistakenly updated alongside the standard forest
updates revision. This version number appears to be independent of the
other revision levels.

Also add the change to a new .ldf file, which can be used to apply
the schema change to an existing Samba 4.7 (or earlier) instance.
Update the provision/upgrade test to do just this (otherwise it
complains about differences between a new provision and an older Samba
4.0.0 instance).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:17 +01:00
Garming Sam
c870c34df7 schema: Some 2012 objects were missing systemflags
The adprep LDIF files were adding the systemFlags, but they weren't
present in the 2012 schema files. This is not just a Microsoft
documentation problem - the difference was present when doing a provision
of a 2012 Windows server vs using Adprep.exe to upgrade an older Windows
server.

Samba might as well use the correct systemFlags right from the start.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
c22d022cea upgradeprovision: Change test to always use 2008 R2 schema
This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).

Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.

It seems to make most sense to leave this tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
1f60f5b51a schema: Add option of specifying the base schema for a provision
Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d157f9752b 2008R2: Missing flags on optional features container for objectVersion 45
To match Windows 2008R2, this should have the same flags as the
recycle bin enabled feature.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
ff98bf96e9 2008R2: Missing extended rights for objectVersion 45
We appear to have been missing some extended rights from 2008R2. These were
added in samba by the extended-rights.ldif

On Windows this was in Sch45.ldf (triggered by adprep schema updates).

We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.

This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.

Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d67f706b34 schema: Re-work extended rights handling in provision (prep for 2012R2)
Add the changes needed to provision a 2012 DC (mostly this just affects
the Extended Rights objects) by moving to the new extended-rights.ldif

The localizationDisplayId is not documented in MS-ATDS so these values
are moved to provision_configuation_modify.ldif and applied after the
display-specifiers.ldif

We don't enable the 2012R2 mode yet. The ${INC2012} variable
just gets replaced with '#' so the lines get commented out and not
applied.

This approach allows us to support provisioning both a 2008R2 DC or
a 2012R2 DC (so that we can test we can upgrade a 2008 DC to 2012).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d6e0f43ab9 provision: Make clarifying header an LDIF comment in extended-rights.ldif
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
e8b200fad3 provision: Align displayName of Property Sets with MS-ADTS 3.1.1.2.3.3
This gives some better names than what the CN of the object was.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d44c811a8c provision: Fill in a nicer displayName for Extended Rights
We replace all the hyphens with a space.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
b9f0fbdeaa provision: Fill in validAccesses in extended-rights.ldif for Property Sets
A Property Right has the value of RIGHT_DS_READ_PROPERTY|RIGHT_DS_WRITE_PROPERTY which is
48 (0x30) per 5.1.3.2 Access Rights.

The property Sets are listed in MS-ATDS 3.1.1.2.3.3 and can also be found by looking
at the attributeSecurityGuid on the schema objects.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
7657168e75 provision: Fill in validAccesses in extended-rights.ldif for Validated Writes
MS-ATDS 5.1.3.2.2 Validated Writes specifies the value of RIGHT_DS_WRITE_PROPERTY_EXTENDED which is
8 (0x08) per 5.1.3.2 Access Rights.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
9840ee76fb provision: Fill in validAccesses in extended-rights.ldif for Control Access Rights
MS-ATDS 5.1.3.2.1 Control Access Rights specifies the value of RIGHT_DS_CONTROL_ACCESS which is
256 (0x100) per 5.1.3.2 Access Rights.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
593a8456a8 provision: Align extended-rights.ldif with the adprep LDIF for 2012R2
This removes the additional rights for 2016 and flags the 2012R2 changes to allow
the same file to be used to produce a 2008R2 or 2012R2 domain

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
6721052216 provision: Reformat appliesTo in Extended Rights into LDIF
We remove comments about Schema 45 and earlier as this is the base
level that Samba supports.  A future commit will move to a
machine-parsable flag for the 2012 schema and remove the 2016 elements.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
7fad4896f6 provision: Remove section numbers from extended rights, replace with dn
This makes this file more like LDIF so we can process it automatically as well as
use it as a text document.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Andrew Bartlett
7bc9c20037 provision: Import extended rights schema from MS-ADTS v47.0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:15 +01:00
Garming Sam
2650e9258b schema: Allow schemaUpdateNow to refresh schema during a transaction
When we upgrade a schema from 2008R2 to 2012R2, we want to apply all the
changes in a single transaction - if we can't apply all the updates then
we don't want to be left with a schema halfway in between the two.

However, as we apply each LDIF update, we also want to refresh the
schema. There are 2 reasons for this:
1. The adprep .LDIF files provided by Microsoft have some writes to
schemaUpdateNow in them.
2. Microsoft uses attribute OIDs in their adprep .LDIF files, which
Samba doesn't handle so well. However, we can replace the OIDs with the
attribute's ldapDisplayName and they work fine. But to do this, we need
to query the schema to map the OID to attribute name. And to query the
schema successfully, the schema needs to be refreshed after the new
attribute object has been added.

Basically this patch avoids bailing out during the dsdb_schema_refresh()
if we are writing schemaUpdateNow as part of a larger transaction.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
d66cbca4e1 adprep: Add the LDF data needed to upgrade to 2012R2 schema
This patch adds the LDF files corresponding to the changes that the
Windows Adprep.exe tool makes when upgrading a AD schema to Windows
2012R2.

This is based on information Microsoft has made public on github
(Schema-Updates.md - see the README.txt for more details).

The LDF files 48-56 are for upgrading to Windows Server 2012, and 57-69
are for Windows Server 2012 R2.

Unfortunately, the raw LDF information from Microsoft wasn't enough to
get the schema working. The .diff files contain changes we needed to
make on top of the raw LDF content from Microsoft.

The basic steps to regenerate the .LDF files are documented in the
README.txt file. The files used to generate the .LDF files are in the
WindowsServerDocs/ sub-directory. (The .LDF generation is done at runtime
during provision).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
d9c6f47851 objectclass: Ensure that backlinks are not replicated
Adprep schema adds backlinks, but they do not have the NOT_REPLICATED
bit. We need to force this in locally to ensure we have it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
0f6e52a268 schema: 2012 and 2012 R2 AD schema attributes and classes
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Garming Sam
f4286f3516 typo: Change case to match DN
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Garming Sam
07f094f69f flags.h: Introduce the 2016 function level constant
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Stefan Metzmacher
6fb5704c11 s4:auth_winbind: remove unused 'winbind_wbclient' backend
This is no longer useful as it doesn't support async requests.

It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
0b72d0b7e5 s4:auth_winbind: remove unused 'winbind_rodc' backend
This is no longer useful as the 'winbind' backend also
handles the rodc case now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
b681810d3c s4:auth_sam: remove unused 'sam_failtrusts' backend
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
a382e05a16 s4:auth/ntlm: remove lpcfg_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
2c720b20ab s4:selftest: remove samba.blackbox.pdbtest.s4winbind test
This is marked as knownfail for quite some time.

I don't think such a test is a reason to the 'auth methods' option.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Stefan Metzmacher
4e99b91b62 s4:selftest: remove samba.blackbox.pdbtest.s4winbind_wbclient test
The "winbind_wbclient" backend is unused and will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Björn Jacke
7bbec4d871 s4: remove ipv6:enabled parameteric option
this was never disabling ipv6, only v6-only interfaces. This can be achieved
with the interfaces parameter also if wanted.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Puran Chand
2ab9847f54 Added smbc_SetLogCallback which lets third party code to capture libsmbclient logs
Signed-off-by: Puran Chand <pchand@vmware.com>
Reviewed-by: Garming Sam <garming@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Dec 10 04:56:23 CET 2017 on sn-devel-144
2017-12-10 04:56:23 +01:00
Jamie McClymont
d2b9f18a0d tests: make password valid in openldap provision test
Test was using an invalid password, which causes test failure with early
password validation patch

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:30 +01:00
Jamie McClymont
698d28ee8c samba-tool: validate password early in domain provision
Checks password against default quality and length standards when it is entered,
allowing a second chance to enter one (if interactive), rather than running
through the provisioning process and bailing on an exception

Includes unit tests for the newly-added python wrapper of check_password_quality
plus black-box tests for the checks in samba-tool.

Breaks an openldap test which uses an invalid password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9710
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12235

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:30 +01:00
Gary Lockyer
704bbae25c source4 dsdb: Allow duplicate non local objectSIDs
Remove the unique constraint on the objectSID index, and enable the
unique_object_sids module.

This allows duplicate objectSIDs on foreign security principals, and
disallows duplicates for local objectSIDs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:29 +01:00
Gary Lockyer
4d5da6c72b source4 dsdb modules: Add new module "unique_object_sids"
New module that sets the LDB_FLAG_INTERNAL_UNIQUE_VALUE on all local
objectSIDS and ensure it is cleared for any foreign security principals.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:29 +01:00
Andrew Bartlett
b8d0602e59 selftest: Rework samba.dsdb locking test to samba.dsdb_lock
This avoids running the test while samba is modifying and locking the same database,
as this can lead to a deadlock.

The deadlock is not seen in production as the LDB read lock is not held while
waiting for another process, but this test needs to do this to demonstrate
the locking safety.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  8 21:47:55 CET 2017 on sn-devel-144
2017-12-08 21:47:55 +01:00
Stefan Metzmacher
aaa946bb9e s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE
HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC.

We should not map any error to HDB_ERR_NOT_FOUND_HERE,
we should just pass errors along unmapped.

Otherwise we'll hit the logic bug in:

    if (ret == KDC_PROXY_REQUEST) {
        uint16_t port;

        if (!sock->kdc_socket->kdc->am_rodc) {
            DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
                    talloc_free(call);
            goto done;
        }

And just don't send an error message to the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec  6 23:16:54 CET 2017 on sn-devel-144
2017-12-06 23:16:54 +01:00
Stefan Metzmacher
183e5d1e3d HEIMDAL:kdc: fix dh->q allocation check in get_dh_param()
Thanks to Doug Nazar <nazard@nazar.ca> for spotting this!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310)
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-06 19:06:21 +01:00
Jeremy Allison
9f83d435bb s4: torture: Fix race condition in test_smb2_kernel_oplocks8.
The child process gets the kernel lease and then notifies
the parent process to continue by writing a byte up a pipe.
It then sets the alarm and calls pause() to wait for the
parent process to contact the smbd and get it to trigger
the break request using an open call.

It is possible for the parent to run and trigger the break
request after the child has written to the pipe, but *before*
the child calls pause(). We then miss the signal notifying
the child to break the lease.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13121

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2017-12-01 23:46:14 +01:00
Andrew Bartlett
3e4286ec4f torture: Use torture_assert{,_int_equal}_goto() in smb2.kernel-oplocks
This allows this test to be added as flapping.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-11-30 05:48:34 +01:00
Ralph Boehme
7b00b55876 s4/torture: fruit: in test_adouble_conversion() also check stream list and AFPINFO_STREAM
This reveals that the conversion doesn't work properly with
fruit:metadata=stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:25 +01:00
Ralph Boehme
ebbffd8086 s4/torture: fruit: remove use of localdir from test_adouble_conversion test
The previous use of localdir and torture_setup_local_file() was
motivated by the fact that by default vfs_fruit rejects access to files
with a "._" prefix.

Since a previous commit allowed SMB access to ._ files, rewrite the
test_adouble_conversion() test to create the ._ AppleDouble file over
SMB.

This also renders torture_setup_local_file() obsolete.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:25 +01:00
Ralph Boehme
3f9b45a410 selftest: add "fruit:veto_appledouble = no" to fruit shares
This is needed for a subsequent commit that modifies an existing test to
write a ._ file over SMB instead of using the ugly local creation hack.

SMB acces of ._ files requires "fruit:veto_appledouble = no", so let's
set it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:24 +01:00
Ralph Boehme
ac880848a9 s4/torture: let write_stream() deal with stream=NULL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:24 +01:00
Ralph Boehme
e28dd6a0ce selftest: run AppleDouble sidecar-file conversion test runs against all fruit shares
This needs for work in all possible fruit configs, so test it.

This currently fails with stream_depot, as we don't propely copy over
the resourcefork data from the ._ file to the stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:24 +01:00
Ralph Boehme
9af9c5c073 s4/torture: use torture_assert_goto in a vfs.fruit test
No change in behavior.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:24 +01:00
Ralph Boehme
75a3c0f3b1 s4/torture: rework stream names tests usage of local xattr call
Previously this test, that tests for correct conversion of ':' in stream
names, only worked with streams_xattr with "fruit:metadata" set to
"netatalk".

In order to have test coverage for fruit shares with other configs,
split the test into two:

one test creates the stream over SMB and run against all shares, the
other one is the unmodified existing test and is only run against the
share with streams_xattr and fruit:metadata=netatalk.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-29 04:35:24 +01:00
Andreas Schneider
8736013dc4 s4:samba: Allow samba daemon to run in foreground
We are passing the no_process_group to become_daemon() that setsid() is
not called. In case we are double forking, we run in SysV daemon mode,
setsid() should be called!

See:
https://www.freedesktop.org/software/systemd/man/daemon.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-28 11:37:06 +01:00
Andreas Schneider
bfafabfb94 s4:samba: Do not segfault if we run into issues
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-28 11:37:06 +01:00
Andrew Bartlett
6cf7abbcfd repl_meta_data: Allow delete of an object with dangling backlinks
This should not happen, but stopping all replication because of it is a pain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Nov 24 19:53:50 CET 2017 on sn-devel-144
2017-11-24 19:53:50 +01:00
Andrej Gessel
40bd7e145a repl_meta_data: Fix removing of backlink on deleted objects
USER is memberOf GROUP and they both were deleted on W2K8R2 AD. Domain join ends
with error below.

Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:421
8: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1
179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=samdom,DC=intern: dsdb_module_
search_dn: did not find base dn CN=GROUP\0ADEL:030d0be1-3ada-4b93-8371-927f2092
3116,CN=Deleted Objects,DC=samdom,DC=intern (0 results): Operations error
Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13120

Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
4815efc0e3 selftest: Add more corruption cases for runtime and dbcheck
These tests now confirm we can handle these issues at runtime
as well as at dbcheck

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
70bf809e0c selftest: add dbcheck tests for duplicate links
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
239fbeb163 dbcheck: detect and fix duplicate links
Check with git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
83aa22260b dsdb:extended_dn_store: implement DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS control
This will be used by dbcheck to fix duplicate link values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
9a1e23a1f6 dsdb:repl_meta_data: implement DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS control
This will be used by dbcheck to fix duplicate link values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
1eb8d8ec5a s4:dsdb: allocate DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS oid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
126d28d0b5 s4:schema_samba4: mark DSDB_CONTROL_INVALID_NOT_IMPLEMENTED 1.3.6.1.4.1.7165.4.3.32 as allocated
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
a784cc3a7f selftest: Additional check for a backlink pointing at a deleted object
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
7be38c6054 selftest: add more dbcheck tests
This validates some more combinations and ensures that the changes
in 962a1b3220 are tested.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
3b111fbdbe dbcheck: Clarify error count bumping in deleted/gone DN handling
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:15 +01:00
Uri Simchoni
2bf01b286c s4-torture: fix type of enum in various places
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:15 +01:00
Uri Simchoni
559367ed60 s4-torture: fix truncation warnings
Fix various places where there is potential truncation
while doing time / size calculations.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:15 +01:00
Garming Sam
8eb95bc1d1 schema_set: Add comment about set schema from ldif in a transaction
This is normally called with a transaction or before access is shared.
The python code and some tests may also cause an issue, but as these are
fixed at runtime, this is only a temporary issue that resolves itself.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:14 +01:00
Garming Sam
17f1c6f9f4 schema: Make writing indices flag an enum for a new state
In schema_load_init, we find that the writing of indices is not locked
in any way. This leads to race conditions. To resolve this, we need to
have a new state (SCHEMA_COMPARE) which can report to the caller that we
need to open a transaction to write the indices.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:14 +01:00
Uri Simchoni
4171191dae s2-rpc-server: fix enum type in assignment
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:21 +01:00
Uri Simchoni
1a2da5b0f8 s4-lib-policy: fix type of enum
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Uri Simchoni
2947945dc3 s4-torture: get rid of extra parentheses
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Uri Simchoni
a83953a094 s4-torture: fix file time checks
NTTIME is an unsigned quantity. When comparing two
of them, first calculate a signed difference, then
take absolute value.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Uri Simchoni
5fd04020c2 dns server: fix warning about enum mismatch
Fix picky developer clang warning about assignment
of an enum value to a variable of a different enum type.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Uri Simchoni
9ad9f7bc5e librpc-build: ignore unused functions in generated code
Some pidl-generated code includes static functions that are
to be optimized-away by the compiler if not used. When
running picky developer with clang that breaks the build. This
change ignores this warning for the pidl-generated python binding
files.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Uri Simchoni
5aa8af0c4a torture: remove spurious semicolon
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00
Garming Sam
6e7d037ace Fix formating of sources to be less than 80 lines
Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Nov 21 01:51:59 CET 2017 on sn-devel-144
2017-11-21 01:51:59 +01:00
Andrew Bartlett
3bc0c1f8ee gpoupdate: Move closer to 80 columns
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:15 +01:00
David Mulder
8be71f97b6 doc: Add samba_gpoupdate man page, update WHATSNEW
Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:15 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
4a7ccbeab7 gpo: Always enforce policy, even if unchanged
Policies should always be enforced, even if the gpo hasn't changed.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8d4c7229e9 gpo: Add GPO unapply
Keep a log of applied settings, and add an option to samba_gpoupdate to allow unapply. An unapply will revert settings to a state prior to any policy application.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
e750e4a35f gpo: Add gpo tests
Lays down a sysvol gpttmpl.inf with password policies, then runs the samba_gpoupdate command. Verifies policies are applied to the samdb.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
05235a56e3 gpo: Install the samba_gpoupdate script
The samba_gpoupdate script was not being installed by waf.
Added samba_gpoupdate to the wscripts so it gets installed as part of a make install.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
de9cee2262 gpoupdate: Rewrite samba_gpoupdate
Use new python bindings and remove obsoleted code

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8eba3b5d38 gpo: Make the gpclass more easily extensible
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
Luke Morrison
50a64b7ce9 gpo: enable gpo update with addition to build system
Split from "Initial commit for GPO work done by Luke Morrison" by Garming Sam

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Andrew Bartlett
377c0681e1 gpoupdate: Remove developer path from the comment
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:14 +01:00
Andrew Bartlett
a6ea6828f3 gpoupdate: Correct comment about hard-coded 5 second runing of the script
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:14 +01:00
Andrew Bartlett
2e432ef21e gpoupdate: Do not DEBUG(0) every scan interval
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:14 +01:00
Garming Sam
5662e49b49 gpo: Create the gpo update service
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Signed-off-by: David Mulder <dmulder@suse.com>

Then adapted to current master

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
David Mulder
115615d836 gpo: Make the gpoupdate script much more reliable
Using a static file blanks the file when samba_gpoupdate crashes. Transformed
to a tdb file and added transactions. Add info logging to monitor gpo changes,
etc. Also handle parse errors and log an error message, then recover. Modified
the parsing code to use ConfigParser. Also, use the backslash in path names
when opening smb files, otherwise it fails against a windows server.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Luke Morrison
5194cd4e8d gpo: Initial commit for GPO work
Enclosed is my Summer of Code 2013 patch to have vital password GPO always applied to the Samba4 Domain Controller using a GPO update service.

To try it out "make -j" your samba with the patch, apply a security password GPO and see the difference in ~20 seconds. It also takes GPO hierarchy into account.

Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Andrew Bartlett
a80296b12e waf: Move script list to one-per-line
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:14 +01:00
Jeremy Allison
6c0d053ec0 s4: torture: Ensure kernel oplock test can't hang in pause().
Use an alarm to break out of waiting for a signal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13121

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 16 22:27:06 CET 2017 on sn-devel-144
2017-11-16 22:27:06 +01:00
Volker Lendecke
2e5ea35f0b smbtorture: Remove an unused variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 14 03:55:37 CET 2017 on sn-devel-144
2017-11-14 03:55:37 +01:00
Volker Lendecke
a1b2daa06f dreplsrv: Use is_null_sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-13 23:54:47 +01:00
Jeremy Allison
ad82557e13 s4: torture: kernel oplocks. Add smb2.kernel-oplocks.kernel_oplocks8
Test if the server blocks whilst waiting on a kernel lease held by
a non-smbd process.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13121

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Nov 11 20:12:26 CET 2017 on sn-devel-144
2017-11-11 20:12:26 +01:00
Jeremy Allison
15597a95ec s4: torture: kernel_oplocks. Create a regression test case for bug #13058.
It implements the following test case:

1. client of smbd-1 opens the file and sets the oplock.
2. client of smbd-2 tries to open the file. open() fails(EAGAIN) and open is deferred.
3. client of smbd-1 sends oplock break request to the client.
4. client of smbd-1 closes the file.
5. client of smbd-1 opens the file and sets the oplock.
6. client of smbd-2 calls defer_open_done(), sees that the file lease was not changed
			and does not reschedule open.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13058

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2017-11-10 23:27:10 +01:00
Lumir Balhar
e00ba05d33 python: Port ntvfs posix bindings to Python 3 compatible form
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-11-08 17:57:21 +01:00
Ralph Boehme
20d3ae6a45 librpc/idl: rename NFS4 ACL xattr name define
No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
f3f119e456 selftest: split out failing owner related subtest from samba3.raw.acls.create_file|dir
All the other subtests in samba3.raw.acls.create_file|dir pass with
nfs4acl_xattr, it's just the subtest that tries to set the owner which
fails with everything else then acl_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:07 +01:00
Ralph Wuerthner
44c018bdcc s4: torture: Add smb2 FIND_and_set_DOC test case.
Regression tests doing an SMB2_find followed by
a set delete on close and then close on a directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Nov  5 12:31:12 CET 2017 on sn-devel-144
2017-11-05 12:31:12 +01:00
Andrew Bartlett
dc3adc898e s4-smbtorture: Show that the KDC provides no protection from CVE-2017-11103
The server name in the AS-REQ is unprotected, sadly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  2 07:16:50 CET 2017 on sn-devel-144
2017-11-02 07:16:50 +01:00
Andrew Bartlett
4d056974dd s4-smbtorture: Add test krb5.kdc to prove fix for CVE-2017-11103
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-02 03:17:38 +01:00
Günther Deschner
910b0ce2a2 s4-torture: remove obsolete comment in libsmbclient torture suite.
Since smbc_setX calls now handle string allocation using malloc
themselves (since commit 2d41b1ab78) we
indeed no longer need to provide malloced strings (the extra malloc
already got removed earlier).

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 30 21:09:14 CET 2017 on sn-devel-144
2017-10-30 21:09:14 +01:00
Andrew Bartlett
c3aa8809e1 repl_meta_data: Initialise parent_dn to NULL
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon Oct 30 04:16:42 CET 2017 on sn-devel-144
2017-10-30 04:16:42 +01:00
Andrew Bartlett
cdb42eae89 repl_meta_data: Explain that we do not truncate the DN at present
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-30 00:16:39 +01:00
Andrew Bartlett
68de8c66c7 repl_meta_data: Use replmd_make_prefix_child_dn() in replmd_conflict_dn()
Now both routines avoid the escape/unescape implicit in ldb_dn_add_child_fmt()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-30 00:16:39 +01:00
Andrew Bartlett
5364f8d3d5 repl_meta_data: Split replmd_make_deleted_child_dn() into a helper function
This will allow it to be used in common with replmd_conflict_dn()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-30 00:16:39 +01:00
Andrew Bartlett
5eff04e9b8 repl_meta_data: Move creation of deleted DN into helper: replmd_make_deleted_child_dn()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-30 00:16:39 +01:00
Andrew Bartlett
b838c14b1b repl_meta_data: Avoid printf() and use binary direct RDN creation for deleted objects
This makes it clearer that we are just replacing the RDN and ensures we do not
somehow create multiple components inside ldb_dn_add_child_fmt().

We also avoid an escape/un-escape round-trip.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-30 00:16:39 +01:00
Volker Lendecke
6475293bc8 samba: Fix CID 1420179 Code maintainability issues UNUSED_VALUE
I don't think pid is used at all here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-27 20:33:25 +02:00
Volker Lendecke
e7a4c31047 samba: Fix CID 1420180 Null pointer dereferences
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-27 20:33:25 +02:00
Andreas Schneider
e56626e864 s4:pyparam: Fix resource leaks on error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-27 20:33:25 +02:00
Andreas Schneider
b012f1589b s4:torture: Avoid useless strdup in libsmbclient test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-27 20:33:25 +02:00
Andreas Schneider
ab44be7a27 s4:kdc: Pass down the task to get access to model_ops for kpasswd server
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-10-27 11:29:12 +02:00
Douglas Bagnall
30584a278a linked attribute tests: correct add_all_at_once test
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 26 05:36:11 CEST 2017 on sn-devel-144
2017-10-26 05:36:11 +02:00
Douglas Bagnall
1e62bbaeac linked_attribute tests: helper assert function for expected LdbError
The logic involved in asserting that a function raises an LdbError with
a particular error value has shown itself to be too complicated for me
to repeat too often.

To test this function, you would want a put a test in a bit like this:

    def test_assertRaisesLdbError(self):
        for i in [1, 2, ldb.ERR_ENTRY_ALREADY_EXISTS, 999]:
            def f(*args, **kwargs):
                raise ldb.LdbError(i, 'msg %s' % i)
            self.assertRaisesLdbError(i, 'a message', f, 'la la', la='la')

            def f2(*args, **kwargs):
                raise ldb.LdbError(i + 1, 'msg %s' % i)
            def f3(*args, **kwargs):
                pass
            for f in (f2, f3):
                try:
                    self.assertRaisesLdbError(i, 'a message', f, 'la la', la='la')
                except AssertionError as e:
                    print i, e, f
                    pass
                else:
                    print i, f
                    self.fail('assertRaisesLdbError() failed to fail!')

..but a self-testing test-tester is getting a too meta to run in every
autobuild.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Douglas Bagnall
0f0acb00ea replmd: use check_parsed_dn_duplicates() more widely
replmd_add_fix_la() was already making the same check; here we move it
a bit earlier.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Douglas Bagnall
b6294c84a5 linked attribute tests: fix logic for add test
We were ensuring that when we got an LdbError it was the right type,
but we weren't ensuring we got one at all.

The new test doesn't fail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Douglas Bagnall
7cf3bbcc5c linked attribute tests: ensure duplicate deletes fail
We can't remove the same thing twice in the same message.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Douglas Bagnall
625e65d9f3 replmd: check for duplicate values in MOD_REPLACE case
Because we already have a sorted parsed_dn list, this is a simple
linear scan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Douglas Bagnall
046fc1f7de linked attribute tests: test against duplicates in replace
We should not be able to introduce duplicate links using MOD_REPLACE.
It turns out we could and weren't testing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-26 01:32:14 +02:00
Andreas Schneider
2d260b28f5 s4:scripting: Fix ntstatus_gen.h generation on 32bit
The hex() function results in different output on 32bit systems. It adds
a L for long for some numbers. Thus we have a different header file.

This patch makes sure we have a consistent file generation on different
paltforms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13099

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Oct 25 22:28:39 CEST 2017 on sn-devel-144
2017-10-25 22:28:39 +02:00
Lumir Balhar
806c1bcacd python: Port samba.messaging module to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-10-23 11:42:19 +02:00
Volker Lendecke
c3a1348371 xattr.idl: Don't generate an interface table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Oct 22 21:40:16 CEST 2017 on sn-devel-144
2017-10-22 21:40:16 +02:00
Volker Lendecke
0bd5d7bcbe nfs4acls: Don't generate an interface table for nfs4acls.idl
Nobody uses the function nfs4acl_test.

It took a while to figure out how to get this to build. The "uuid" line in the
idl file triggers pidl to generate the function table entry, which in turn then
triggers tables.pl to register this interface
./bin/default/source4/librpc/gen_ndr/tables.c. We could for example do the same
with xattr_parse_DOSATTRIB. Nobody uses this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-10-22 17:46:15 +02:00
Tim Beale
da8af833cf selftest: Print link meta-data when developer debugging is used
For Windows, DRS is the only way to see the RMD_VERSION of a link, or to
tell what inactive links the DC. Add some debug to display this
information. By default, this debug is turned off.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 20 08:01:35 CEST 2017 on sn-devel-144
2017-10-20 08:01:35 +02:00
Tim Beale
9b3b09ce41 replmd: Remove unnecessary replmd_build_la_val() param
replmd_build_la_val() is creating a new link attribute. In this case,
the RMD_ORIGINATING_USN and RMD_LOCAL_USN are always going to be the
same thing, so we don't need to pass them in as 2 separate parameters.

This isn't required for any bug fix, but is just a general code
tidy-up.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
cd936a725c replmd: Get rid of duplicated replmd_build_la_val() code
replmd_build_la_val() and replmd_set_la_val() are pretty much identical.
Keep the replmd_build_la_val() API (as it makes it clearer we're
creating a new linked attribute), but replace the code with a call to
replmd_set_la_val().

This isn't required for any bug fix, but is just a general tidy-up to
avoid code duplication.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
4cb260f8c0 replmd: Fix RMD_VERSION inital value to match Windows
The initial value for RMD_VERSION is one on Windows. The MS-DRSR spec
states the following in section 5.11 AttributeStamp:

  dwVersion: A 32-bit integer. Set to 1 when a value for the attribute is
  set for the first time. On each subsequent originating update, if the
  current value of dwVersion is less than 0xFFFFFFFF, then increment it
  by 1; otherwise set it to 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13059

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
cef17ce4f0 replmd: Remove static values passed to replmd_build_la_val()
replmd_build_la_val() is used to populate a new link attribute value
from scratch. The version parameter is always passed in as the initial
value (zero), and deleted is always passed in as false.

For cases (like replication) where we want to set version/deleted to
something other than the defaults, we can use replmd_set_la_val()
instead.

This patch changes these 2 parameters to variables instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13059

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
499fa6b4a6 selftest: Add test for initial link attribute RMD_VERSION value
While testing link conflicts I noticed that links on Windows start from
a different RMD_VERSION compared to Samba. This adds a simple test to
highlight the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13059

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
8319536565 replmd: Small refactor to replmd_check_singleval_la_conflict()
Now that the code is all in one place we can refactor it to make it
slightly more readable.

- added more code comments
- tweaked the 'no conflict' return logic to try to make what it's checking
  for more obvious
- removed conflict_pdn (we can just use active_pdn instead)
- added a placeholder variable and tweaked a parameter name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
c83dffc6f1 replmd: Change replmd_check_singleval_la_conflict() logic flow
Return immediately if there's no conflict, which reduces nesting.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
841e724e29 replmd: Move link conflict handling into separate function
Link conflict handling is a corner-case. The logic in
replmd_process_linked_attribute() is already reasonably busy/complex.
Split out the handling of link conflicts into a separate function so
that it doesn't detract from the core replmd_process_linked_attribute()
logic too much.

This refactor should not alter functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
82b56e63b5 replmd: Handle single-valued conflicts for an existing link
Currently the code only handles the case where the received link
attribute is a new link (i.e. pdn == NULL). As well as this, we need to
handle the case where the conflicting link already exists, i.e. it's a
deleted link that has been re-added on another DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
f36b2bb126 replmd: Mark link conflicts as inactive correctly
The previous patch to handle link conflicts was simply overriding the
received information and marking the link as deleted. We should be doing
this as a separate operation to make it clear what has happened, and so
that the new (i.e. inactive) link details get replicated out.

This patch changes it so that when a conflict occurs, we immediately
overwrite the received information to mark it as deleted, and to update
the version/USN/timestamp/originating_invocation_id to make it clear
that this is a new change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
7649652b63 replmd: Use replmd_set_la_val() when adding new links
replmd_set_la_val() and replmd_build_la_val() are almost identical. When
we were processing the replicated link attributes we were calling one
function if the link was new, and a different one if the link existed.
I think we should be able to get away with using replmd_set_la_val() in
both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
f183dcfad5 replmd: Fix talloc inconsistency in replmd_set_la_val()
All the other talloc_asprintf()s in this function use the mem_ctx, but
for some reason the vstring was using the dsdb_dn->dn. This probably
isn't a big deal, but might have unintentional side-effects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
a607a3e83e replmd: Make replmd_set_la_val() closer to replmd_build_la_val()
These two functions are almost identical. The main difference between
them is the RMD_ADDTIME. replmd_set_la_val() tries to use the
RMD_ADDTIME of the old_dsdb_dn. Whereas replmd_build_la_val() always
uses the time passed in.

Change replmd_set_la_val() so it can accept a NULL old_dsdb_dn (i.e. if
it's a new linked attribute that's being set). If so, it'll end up using
the nttime parameter passed in, same as replmd_build_la_val() does.

Also update replmd_process_linked_attribute (which used to use
replmd_build_la_val()) to now pass in a NULL old_dsdb_dn. There
shouldn't be a difference in behaviour either way, but this exercises
the code change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
f196897bc8 replmd: Handle conflicts for single-valued link attributes better
If 2 DCs independently set a single-valued linked attribute to differing
values, Samba should be able to resolve this problem when replication
occurs.

If the received information is better, then we want to set the existing
link attribute in our DB as inactive.

If our own information is better, then we still want to add the received
link attribute, but mark it as inactive so that it doesn't clobber our
own link.

This still isn't a complete solution. When we add the received attribute
as inactive, we really should be incrementing the version, updating the
USN, etc. Also this only deals with the case where the received link is
completely new (i.e. a received link conflicting with an existing
inactive link isn't handled).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:21 +02:00
Tim Beale
70d532a5c7 replmd: Partial fix for single-valued link conflict
This is the first part of the fix for resolving a single-valued link
conflict.

When processing the replication data for a linked attribute, if we don't
find a match for the link target value, check if the link is a
single-valued attribute and it currently has an active link. If so, then
use the active link instead.

This change means we delete the existing active link (and backlink)
before adding the new link. This prevents the failure in the subsequent
dsdb_check_single_valued_link() check that was happening previously
(because the link would end up with 2 active values).

This is only a partial fix. It stops replication from failing completely
if we ever hit this situation (which means the test is no longer
hitting an assertion when replicating). However, ideally the existing
active link should be retained and just marked as deleted (with this
change, the existing link is overwritten completely).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
20c0f3e1e9 selftest: Add conflict test where the single-valued link already exists
As well as testing scenarios where both variants of the link are new, we
should also check the case where the received link already exists on the
DC as an inactive (i.e. previously deleted) link.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
77abba5880 selftest: Add test for deleted single-valued link conflict
Currently we're only testing the case where the links have been modified
independently on 2 different DCs and both the links are active. We also
want to test the case where one link is active and the other is deleted.

Technically, this isn't really a conflict - the links involve different
target DNs, and the end result is still only one active link.

It's still probably worth having these tests to prove that fixing bug
13055 doesn't break anything.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
9c54e7484f selftest: Make sure single-link conflict retains the deleted link
There should only ever be one active value for a single-valued link
attribute. When a conflict occurs the 'losing' value should still be
present, but should be marked as deleted.

This change is just making the test criteria stricter to make sure that
we fix the bug correctly.

Note that the only way to query the deleted link attributes present
is to send a DRS request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
c9ea47ec6b replmd: Remove unused originating_usn variable
The previous refactor makes it obvious that we aren't actually using
this variable for anything.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
21179febe8 replmd: Refactor logic to check if replicated link is newer
This is precursor work for supporting single-link conflicts.

Split out the code to check if the link update is newer. It's now safe
to call this from the main codepath. This also means we can combine the 2
calls to get the seqnum into a single common call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Tim Beale
91951d869f replmd: Refactor adding the backlink in replmd_process_linked_attribute()
The code to add the backlink is the same in both the 'if' and the 'else'
case, so move it outside the if-else block.

(We're going to rework this block of code quite a bit in order to
support single-value linked attribute conflicts, aka bug #13055).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13055

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-20 04:05:20 +02:00
Andreas Schneider
5bfe93b4eb s4:smbd: Add missing unistd.h include to fix build of process_prefork
error: implicit declaration of function ‘getpgrp’; did you mean ‘getpt’?
[-Werror=implicit-function-declaration]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-19 23:41:11 +02:00
Joe Guo
8ed3cac9e5 python: add a failed test to show Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

This patch is commited to show the issue, a fix patch will come later.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-19 05:33:10 +02:00
Gary Lockyer
ea0cd977a3 source4/smbd: replace DEBUG( with DBG_
Update the debug logging to use the currently preferred debug macros

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Gary Lockyer
123042c2e3 source4/smbd: add a prefork process model.
Add a pre fork process model to bound the number processes forked by
samba.  Currently workers are only pre-forked for the ldap server,  all
the other services have pre-fork support disabled.

When pre-fork support is disabled a new process is started for each
service, and requests are processed by that process.

This commit partially reverts commit
b5be45c453.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Gary Lockyer
778e9a810e source4/smbd: Fix code formatting after refactoring.
Fix code formatting from the refactoring in the previous commits.
Done as a separate patch to make the changes to functionality easier
to review.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Gary Lockyer
e027871b0d process_standard: Do not log at level 2 every time a child exits
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Gary Lockyer
0840252670 source4/smbd: Do not overstamp the process model with "single"
Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct
service_details in the init function.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00