1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

107958 Commits

Author SHA1 Message Date
Stefan Metzmacher
ace49db796 s4:ldap_server: use talloc_zero() in ldapsrv_init_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Stefan Metzmacher
7bf0308a31 s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.

This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.

This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Garming Sam
e244ba4a8f repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server
Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144
2017-06-15 05:31:59 +02:00
Andrew Bartlett
a7ef0f8be4 dsdb: Improve debug messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
438496220f dsdb: Ensure replication of renames works in schema partition
This caused failures against vampire_dc (on large-dc), likely due to
more frequent replication propagating the record before it was renamed.
The DC ran out of RIDs and RID allocation causes schema replication,
which failed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12841
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
cf99f2c923 selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
This ensures that object is not cleaned up, triggering a disconnect before we get back
the audit messages.  Otherwise they can be lost when the server task calls exit()
while the message thread is still trying to send them.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Garming Sam
2f045e7fc1 stream_terminate_connection: Prevent use-after-free
This sometimes would show up as corrupted bytes during logs. Hammering
the LDAP server enough times managed to trigger an outright segfault.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
b158f68323 selftest: Add test for gss_krb5/ntlmssp -> SPNEGO
These bare mechs are permitted to go direct to SPNEGO, which must cope with them

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
995f5c03c5 selftest: Add pygensec tests for GSS-SPNEGO and Win2000 emulated SPNEGO
This is to provide some unit testing coverage for these different modes of operation

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
33b818a510 selftest: Add a test for @ATTRIBUTES and @INDEXLIST generation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
f587db7c89 ldb: Rename module -> next_module for clarity
This helps make some future commits less confusing

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
10e7c749e7 dsdb: Correctly call ldb_module_done in dsdb_notification
If we just call ldb_request_done() then we never call the callback.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Stefan Metzmacher
c581ab3ac5 tdb: add run-fcntl-deadlock test
This verifies the F_RDLCK => F_WRLCK upgrade logic in the kernel
for conflicting locks.

This is a standalone test to check the traverse_read vs.
allrecord_lock/prepare_commit interaction.

This is based on the example from
https://lists.samba.org/archive/samba-technical/2017-April/119861.html
from Douglas Bagnall <douglas.bagnall@catalyst.net.nz> and Volker Lendecke <vl@samba.org>.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
2277301e46 ldb_tdb: Improve logging on unique index violation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
f6f73f7091 ldb_tdb: Remove the idxptr DB before we re-index
We do not want the cache or any of the values in it, we want to read the real DB
@INDEX: records.

This matters if a re-index is tiggered in the same transaction
as the modify of the values in the index.  Otherwise we won't see
the old index record (it will not show up in the tdb_traverse)
and so fail to remove it.

That in turn can cause a spurious unqiue index violation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
d8f3034c16 ldb_tdb: Check for memory allocation failure in ltdb_index_transaction_start()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
1ff09f0f82 dsdb: Provide proper errors when dsdb_schema_set_indices_and_attributes fails
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Stefan Metzmacher
ee77759ed5 selftest: pass the workgroup name to Samba3::provision()
Not all environments should use the samba workgroup name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 14 02:53:27 CEST 2017 on sn-devel-144
2017-06-14 02:53:27 +02:00
Stefan Metzmacher
1e33a4f211 testprogs/blackbox: don't use hardcoded values in test_net_ads_dns.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
5715f74e44 s3:script/tests: don't use hardcoded Domain Name in test_smbclient_s3.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
9df4290202 selftest: don't use hardcoded domain names in Samba3::setup_admember()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
6355473fab selftest: test pam_winbind with a local user on ad_member
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
91b36e0c0d selftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the pam_winbind test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
0eb99bd988 python/samba/tests: don't use hardcoded names in *pam_winbind* tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Lumir Balhar
ba4cabb74f python: Port simple libpython module to Python 3 compatible form
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
aa74d6edf5 WHATSNEW: deprecated "profile acls"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 13 22:45:28 CEST 2017 on sn-devel-144
2017-06-13 22:45:28 +02:00
Stefan Metzmacher
c6bc00f1da docs-xml/smbdotconf: deprecated "profile acls"
This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.

Typically something like this seems to work:

[winprofiles]
  comment = Users profiles New
  path = /data/winprofiles/
  browseable = No
  read only = No
  csc policy = disable
  store dos attributes = yes
  vfs objects = acl_xattr

With chmod 1777 on /data/winprofiles/

In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833

It's also useful to something like this in the global
section in order to detect disconnects reliable:

  socket options = TCP_KEEPCNT=5 TCP_KEEPIDLE=30 TCP_KEEPINTVL=1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-13 18:38:14 +02:00
Gary Lockyer
378ae342c4 strerror_r: provide XSI-compliant strerror_r
Provide a XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.

This reverts 18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to
make Heimdal use roken, rather than libreplace for strerror_r.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-13 18:38:14 +02:00
Amitay Isaacs
40cc7a1eb3 ctdb-recovery: Log messages at various debug levels
This avoids spamming the logs during recovery at NOTICE level.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 13 13:22:09 CEST 2017 on sn-devel-144
2017-06-13 13:22:09 +02:00
Martin Schwenke
dac075129b ctdb-scripts: Compact server-end TCP connection killing output
When thousands of connections are being killed the logs are flooded
with information about connections that should be killed.  When some
connections are not killed then the number not killed is printed.
This is the wrong way around!  When debugging "fail-back" problems, it
is important to know details of connections that were *not* killed.
It is almost never important to know the full list of all connections
that were *supposed* to be killed.

Instead, print a summary showing how many connections of the total
were killed.  If any were not killed then print a list of remaining
connections.

Update unit tests: infrastructure for fake TCP connections, existing,
test cases, add new test cases.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-06-13 09:12:19 +02:00
Martin Schwenke
d79c601fde ctdb-common: Log a count of dropped messages with non-blocking logging
The non-blocking logging variants can currently silently drop messages
when the socket queue fills.

In this case, count the number of dropped messages and attempt to log
a message about dropped log messages when the next message is logged.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-06-13 09:12:19 +02:00
Martin Schwenke
323291a46e ctdb-tests: Add more NFS eventscript tests for call-out failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-06-13 09:12:19 +02:00
Martin Schwenke
22f2068d45 ctdb-scripts: NFS call-out failures should cause event failure
Failures in startup/shutdown/releaseip/takeip are currently
incorrectly ignored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12837

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-06-13 09:12:19 +02:00
Guillaume Xavier Taillon
67095c76f6 libbreplace: compatibility fix for AIX
Adds macros for preprocessor compares and replaces an incomptatible
  compare with one of the new macros.
This fixes a comptability bug on AIX.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11621
Signed-off-by: Guillaume Xavier Taillon <gtaillon@ca.ibm.com>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Jun 13 09:11:56 CEST 2017 on sn-devel-144
2017-06-13 09:11:56 +02:00
Volker Lendecke
60a8ba4a6b password_hash: Fix the build on FreeBSD
This ditches a particular aspect of thread safety, but I doubt that
ldb is really thread safe. So in practice, I think we should not
see harm from this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jun 13 05:06:49 CEST 2017 on sn-devel-144
2017-06-13 05:06:49 +02:00
Andrew Bartlett
75eb2e3a09 join.py Add DNS records at domain join time
This avoids issues getting replication going after the DC first starts
as the rest of the domain does not have to wait for samba_dnsupdate to
run successfully

We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined:
 - We do not want to query another DNS server
 - We do not want to obtain a Kerberos ticket for the new DC
   (as the KDC we select may not be the DC we just joined,
   and so may not be in sync with the password we just set)
 - We do not wish to set the _ldap records until we have started
 - We do not wish to use NTLM (the --use-samba-tool mode forces
   NTLM)

The downside to using DCE/RPC rather than DNS is that these will
be regarded as static entries, and (against windows) have a the ACL
assigned for static entries.  However this is still better than no
DNS at all.

Because some tests want a DNS record matching their own name
this fixes some tests and removes entires from knownfail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144
2017-06-11 02:04:51 +02:00
Andrew Bartlett
dfe739a252 selftest: Add test confirming join-created DNS entries can be modified as the DC
This ensures that samba_dnsupdate can run in the long term against the new DNS entries

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:22 +02:00
Andrew Bartlett
e36d908106 selftest: Test join.py and confirm that the DNS record is created
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
d0c211691e provision: Allow removing an existing account when force=True is set
This allows a practical override for use in test scripts

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
db475ed6b4 provision: Move default handler for site=None down into dc_join object creation
This makes this code easier to call from a test script

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
b36d4e9ca4 selftest: Use TestCaseInTempDir as base class in dns tests
This will help when we add a new join test based on this code

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
9229809f75 selftest: Create new common base class for dns.py and dns_tkey.py
This will allow more DNS tests to be written in the future with less
code duplication.
2017-06-10 21:48:21 +02:00
Andrew Bartlett
11ba6f8cde selftest: merge DNSTest boilerplate
This will help unifying dns.py and dns_tkey.py to use common subclasses

The code was originally copied, but has since divereged.  This handles
that divergence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
589a6621ee selftest: move make_txt_record() onto self in samba.tests.dns
This will help unifying dns.py and dns_tkey.py to use common subclasses

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
3d313f7da5 samba_dnsupdate: fix "samba-tool" fallback error handling
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
2f42f55ad4 samba_dnsupdate: Extend possible server list to all NS servers for the zone
This should eventually be removed, but for now this unblocks samba_dnsupdate operation
in existing domains that have lost the original Samba DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
c1bf6d2493 dns_server: clobber MNAME in the SOA
Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour.  AD is multi-master so all RW servers are a master.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
21e76e2379 selftest: run dns tests in multiple envs
This will let us check the negative behaviour: that updates against RODCs fail
and un-authenticated updates fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
46380ad97d selftest: confirm we clobber the MNAME in the SOA query in the DNS server
All RW DCs should be their own master DNS server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
96ce51a189 samba_dnsupate: Try to get ticket to the SOA, not the NS servers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00