1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

108028 Commits

Author SHA1 Message Date
Stefan Metzmacher
bcd558eb50 docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
b6e2ddaee1 docs-xml: document "map untrusted to domain = auto"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
ab36c1d152 docs-xml: improve documentation of "map untrusted to domain"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
bd69a3e2e9 auth3: prepare the logic for "map untrusted to domain = auto"
This implements the same behavior as Windows,
we should pass the domain and account names given
by the client directly to the auth backends,
they can decide if they are able to process the
authentication pass it to the next backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
a4839defc2 auth3: call is_trusted_domain() as the last condition make_user_info_map()
We should avoid contacting winbind if we already know the domain is our
local sam or our primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Douglas Bagnall
2a92cc1962 gitignore: ignore .gpg-* generated files (for ubuntu 16.04)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 21:40:08 CEST 2017 on sn-devel-144
2017-06-15 21:40:07 +02:00
Douglas Bagnall
ece7a75a42 repl_meta_data: single valued error codes depend on change type
A replace leads to CONSTRAINT_VIOLATION while an add causes
ATTRIBUTE_OR_VALUE_EXISTS. For this we need to check the mod type
before the replmd_modify_la_* calls because they change everything
into a replace.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:11 +02:00
Douglas Bagnall
e150697a1e replmd: special-case member return value in replmd_add_fix_la()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:11 +02:00
Douglas Bagnall
567848498f replmd: check duplicate linked attributes
This is simple enough because we already have the sorted list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Garming Sam
990b23d7b6 replmd: check single values in replmd_add_fix_la
repl_meta_data knows whether linked attributes are appropriately
[un-]duplicated, and this is how it tells ldb_tdb that.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
6f956cce62 ldb: 1.1.31
* Add efficient function to find duplicate values in ldb messages
  (this makes large multi-valued attributes in ldb_tdb more efficient)

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
7d6f36aae3 ldb: relatively efficient functions for finding duplicate values
ldb backends need to make sure they are not adding duplicate values to
multi-valued attributes in ADD and MODIFY operations. Until now they
have done this inefficiently using nested loops. Here we add common
functions that deal with large numbers of values in O(n log n) time,
but continue to use the simple methods for small numbers of values.

These functions take a struct ldb_context pointer and an options flag
arguments, although the ldb is not used, and only one bit of the
options has meaning. This is to allow further patches to switch on
schema-aware comparisons.

This entails an ABI jump to add the two new functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
f3703c1727 dsdb/tests/ldap: test single valued linked attributes
This fails, so we add it to selftest/knownfail.d/

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
ccf61f9878 s4/linked_attribute tests: test duplicate values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
69d0b39a56 dsdb/tests/ldap: multivalued attributes
Various return codes tested against Windows 2012r2.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
142d8617fe python/test: delete_force() passes on command line args
This allows you to use e.g.:

     delete_force(self.ldb, ou, controls=['tree_delete:1'])

Only in tests of course.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
aa61a2212b ldb.h whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
16d208acc4 ldb tests/ldb_mod_op_test: don't double include cmocka.h
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
433d600c56 ldb: fix a typo
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
44764ee33d ldb: fix whitespace in ldb_msg.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Andreas Schneider
a4d9438ecf libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
2017-06-15 17:32:45 +02:00
Volker Lendecke
b9f32b2ea6 g_lock: open with LOCK_ORDER_3
xattr_tdb needs g_lock in a clustered environment. Nobody else
uses LOCK_ORDER_3 at this moment, so this looks safe.

The last one to use this was dbwrap_watch.tdb, and that's gone. The only
other one was notify_index.tdb, and that's gone too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:15 +02:00
Volker Lendecke
26932271a8 smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.

At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:15 +02:00
Volker Lendecke
2c200dd00d torture3: Test heuristic cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:15 +02:00
Volker Lendecke
d19e7709d9 g_lock: Heuristically check for server existence
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
27eb93c04e torture3: Test lock conflict and cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
2a29c5442d torture3: Test lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
4b2826646b g_lock: Allow lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
8f1cf7b430 torture3: Test g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
90d7784d45 g_lock: Make g_lock_dump return a complete list of locks
To be honest, it did not really make sense to just pass in
lock holders individually. You could argue that it made sense
with in reality only G_LOCK_WRITE around, but soon we will have
G_LOCK_READ and thus multiple lock holders on a single lock.

Now that we also have userdata, change the g_lock_dump API

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
4478cd59ad g_lock: Add g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
c400e2b54e g_lock: Make g_lock_record_store also store userdata
Sequel to the previous commit changing the get/put routines for
the on-disk format

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
4d404f23c9 g_lock: Reformat to allow userdata
The next patches will make g_locks carry data. This
prepares the on-disk format.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
4422124e09 g_lock: Move parsing routines together
No code change, just shuffling around:

Before this patchset, g_lock_parse was somewhere in the middle. This carries no
real logic, put it on top.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
636137a30a g_lock: unparse->put
Make it more in line with server_id_get/put

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
fadc877c59 g_lock: parse->get
Make it more in line with server_id_get/put

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
4d1f9ff1b8 g_lock: Remove a pointless "else"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:14 +02:00
Volker Lendecke
6358901f15 g_lock: Remove unused g_lock_get
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:13 +02:00
Volker Lendecke
49a80e5a0c g_lock: Make it endian-neutral
Add explicit parsing

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:13 +02:00
Volker Lendecke
9677101850 g_lock: More correct error msg
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:13 +02:00
Volker Lendecke
c2cdf579fc torture3: Initial test g_lock
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:13 +02:00
Volker Lendecke
90e2bf50c7 g_lock: Fix two typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:13 +02:00
Stefan Metzmacher
52bd61d7f4 s4:ldap_server: implement async BindSASL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144
2017-06-15 13:18:47 +02:00
Stefan Metzmacher
9f23a88fd3 s4:ldap_server: set result = LDAP_SUCCESS at the end, when we're really done
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
772b816c44 s4:ldap_server: avoid using talloc_reference()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
489bc70c43 s4:ldap_server: remove useless NT_STATUS_IS_OK(status) check
We checked a few lines above already, check with:
git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
126fd7e45d s4:ldap_server: remove useless indentation level arround ldapsrv_backend_Init()
Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
eaa8acf6e3 s4:ldap_server: remove useless indentation level arround gensec_session_info()
Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
a280367177 s4:ldap_server: make the gensec_create_tstream() error checking more clear
Check with 'git show -w'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00
Stefan Metzmacher
461abf3ce3 s4:ldap_server: only touch conn->session_info on success in ldapsrv_BindSASL()
The old conn->session_info (as well as conn->ldb) should only be changed
after a successful Bind().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:24 +02:00