1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

112466 Commits

Author SHA1 Message Date
Andrew Bartlett
d38160c968 dsdb: Use correct memory context for imessaging_client_init() in audit logging
This is only used for selftest, to send out the log messages for checking.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-26 03:27:20 +02:00
Andrew Bartlett
4b077e07a0 audit_logging: Remove duplciate error printing
These errors are already logged at DBG_NOTICE in get_event_server()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-26 03:27:20 +02:00
Andrew Bartlett
dad73e0b68 audit_logging: Initialise event_server
It is better if this is a known zero value to start, even if we check the errors
correctly.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-26 03:27:20 +02:00
Andrew Bartlett
4f50848680 audit_logging: Remove incorrect check for NT_STATUS_OBJECT_NAME_NOT_FOUND
NT_STATUS_OBJECT_NAME_NOT_FOUND is not a case we can ignore, it would mean that event_server
is not initialised.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-26 03:27:20 +02:00
Andrew Bartlett
450210c39a audit_logging: Clarify debug messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-26 03:27:20 +02:00
Andrew Bartlett
f33749fc84 autobuild: Build samba-fileserver --without-json-audit
This build target is already --without-ad-dc and is the one we need to ensure is
compatible with a host without the Jansson JSON library.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 26 02:03:30 CEST 2018 on sn-devel-144
2018-06-26 02:03:30 +02:00
Andrew Bartlett
6b9a9a4d08 dsdb: Ensure a build --without-json-audit --without-ad-dc compiles
We still build some of the ldb_modules even when we are not a DC, so we must
split up the DSDB_MODULE_HELPERS.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-25 23:01:20 +02:00
Andrew Bartlett
b650ea5398 lib/audit_logging: Only build audit_logging_test for --enable-selftest on the AD DC
This allows a --without-ad-dc --enable-selftest build to compile, still testing some
fileserver-only features.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-25 23:01:20 +02:00
Andrew Bartlett
a2783fe1a3 lib/audit_logging: Require jansson JSON library for building the AD DC
This combination is untested and it is reasonable to require this
broadly available library for the AD DC build.

Doing so keeps the combinational complexity down and ensures we test
what we ship.  (It was failing to compile).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-25 23:01:20 +02:00
Andrew Bartlett
5bb60e2dd7 build: Move --without-json-audit and json lib detection to lib/audit_logging
This is the common location of the audit logging code now

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-25 23:01:20 +02:00
Gary Lockyer
b282bcbb75 dsdb: Log the transaction duraton.
This is not a general purpose profiling solution, but these JSON
logs are already being generated and stored, so this is worth adding.

This will allow administrators to identify long running
transactions, and identify potential performance bottlenecks.

This complements a similar patch set to log authentication duration.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 25 11:16:18 CEST 2018 on sn-devel-144
2018-06-25 11:16:18 +02:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Volker Lendecke
05b54cc259 talloc_stack: Call talloc destructors while frame is still around
This fixes "samba-tool ntacl set -d10"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun 23 04:56:44 CEST 2018 on sn-devel-144
2018-06-23 04:56:44 +02:00
Andrej Gessel
f75e8f58cd check return value before using key_values
there are also mem leaks in this function

Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-06-23 02:00:28 +02:00
Andrej Gessel
6b52d21e60 ldb: check return values
Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-06-23 02:00:28 +02:00
Christof Schmitt
97eaeea6a1 krb5_wrap: fix keep_old_entries logic for older kerberos libraries
MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change
from commit 35b2fb4ff3 resulted in breakage for these kerberos
versions: 'net ads keytab create' reads a large KVNO from AD, and only
the lower 8 bits are stored. The next check then removed the entry again
as the 8 bit value did not match the currently valid KVNO.

Fix this by limiting the check to only 8 bits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Sat Jun 23 00:57:47 CEST 2018 on sn-devel-144
2018-06-23 00:57:47 +02:00
Swen Schillig
fb3ddb4874 ctdb-common: replace talloc / memcpy by talloc_memdup
Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Jun 22 11:57:19 CEST 2018 on sn-devel-144
2018-06-22 11:57:19 +02:00
Andreas Schneider
5e89a23ffa krb5_plugin: Add winbind localauth plugin for MIT Kerberos
Applications (like OpenSSH) don't know about users and and
their relationship to Kerberos principals. This plugin allows that
Kerberos principals can be validated against local user accounts.

Administrator@WURST.WORLD -> WURST\Administrator

https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 21 15:52:02 CEST 2018 on sn-devel-144
2018-06-21 15:52:02 +02:00
Jeremy Allison
47c3155517 s3: smbd: Don't use getcwd() directly. We must always go through the VFS.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-21 13:08:17 +02:00
Andreas Schneider
c1c764925e s3:winbind: Fix regression introduced with bso #12851
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 21 01:03:52 CEST 2018 on sn-devel-144
2018-06-21 01:03:52 +02:00
Andreas Schneider
4a3164e0be s3:smbget: Fix buffer truncation issues with gcc8
../source3/utils/smbget.c: In function ‘smb_download_file’:
../source3/utils/smbget.c:97:27: error: ‘b’ directive output may be truncated writing 1 byte into a region of size between 0 and 19 [-Werror=format-truncation=]
   snprintf(buffer, l, "%jdb", (intmax_t)s);
                           ^

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-06-20 22:22:07 +02:00
Andreas Schneider
29f6842ee8 s3:registry: Fix buffer truncation issues issues with gcc8
../source3/registry/reg_perfcount.c: In function ‘reg_perfcount_get_hkpd’:
../source3/registry/reg_perfcount.c:337:29: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
   snprintf(buf, buflen,"%d%s", key_part1, key_part2);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-06-20 22:22:07 +02:00
Andreas Schneider
76828876fa samdb: Fix build error with gcc8
../source4/dsdb/samdb/ldb_modules/samldb.c: In function ‘samldb_add’:
../source4/dsdb/samdb/ldb_modules/samldb.c:424:6: error: ‘found’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   if (found) {
      ^
../source4/dsdb/samdb/ldb_modules/samldb.c:348:11: note: ‘found’ was declared here
  bool ok, found;
           ^~~~~

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-06-20 22:22:07 +02:00
Swen Schillig
bca97cc473 Possible memory leak in map_info3_to_validation
In case of a failing call to copy_netr_SamInfo3, the allocated memory
for "validation" needs to be free'd before returning.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 20 21:05:40 CEST 2018 on sn-devel-144
2018-06-20 21:05:40 +02:00
Björn Baumbach
defc1ced39 heimdal: remove include/includedir directives for krb5.conf
The original heimdal code introduces a segmentation fault, due to an
uninitialized pointer. This code does not seem to be tested very well.

Revert "heimdal: Add include/includedir directives for krb5.conf"

This reverts commit 0a6e9b6c0e.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Wed Jun 20 17:48:16 CEST 2018 on sn-devel-144
2018-06-20 17:48:16 +02:00
Noel Power
a261a2a429 python/samba/netcmd: Fix NameError exception
Running make test TEST=samba4.drs.samba_tool_drs.python results in

BlackboxProcessError: Command '/tmp/samba-testbase/b12/samba/bin/samba-tool drs clone-dc-database samba.example.com --server=localdc -USAMBADOMAIN/Administrator%locDCpass1 --targetdir=/tmp/samba-testbase/b12/samba/bin/ab/tmp/tmpWPo8r3'; exit status 255; stdout: ''; stderr: 'ERROR(<type 'exceptions.NameError'>): uncaught exception - global name 'logging' is not defined
  File "bin/python/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/drs.py", line 697, in run
    logger.setLevel(logging.INFO)
'

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 20 04:08:53 CEST 2018 on sn-devel-144
2018-06-20 04:08:53 +02:00
Noel Power
f8ecffb61a python/samba: enclose map.values with list (py2/py3)
Fix errors in samba.tests.samba_tool.visualize_drs that with python 3
will generate exception with messages something like
'can't iterate dict_values'

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-20 00:18:23 +02:00
Noel Power
09c2b71e47 python/samba: Another object.next() to next(object) py2/py3 converstion
fix samba.tests.samba_tool.visualize_drs

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-20 00:18:22 +02:00
Noel Power
b0c9de820c python/samba/emulate: py2/py3 .next usage, replace with next() fn 2018-06-20 00:18:22 +02:00
Noel Power
9e349fe82a python/samba/tests: py2/py3 port has_keys usage
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-20 00:18:21 +02:00
Noel Power
fd35e533f1 python/samab: py2/py3 string.upper(astring) -> astring.upper 2018-06-20 00:18:21 +02:00
Noel Power
9650deee03 python/samba: Py2|Py3 compat, fix more missed exception tuple issues 2018-06-20 00:18:20 +02:00
Tim Beale
a3bf30e3a7 tests: Increase PSO test timeouts to minimise failures
When PSOs exist in the DB, there is some extra overhead involved in user
logins (an extra expand-nested-groups operation for every user login).

Currently password_lockout tests are quite query-intensive - each call
to _check_account() does ~6 RPC operations/LDB searches (plus sleeps for
20 millisecs). Plus the actual user login attempt being tested. It looks
like the current test needs to do 3 login attempts/_check_account()
calls within a 2-second window. While the PSO test cases usually work
OK, sometimes they fail (presumably they take slightly longer and fall
outside this 2-second window). Presumably this is due to the cloud
instance's CPU being slightly more loaded when the test is run.

Long-term the plan is to refactor the user login so that the extra
expand-nested-groups operation is unnecessary for PSOs. In the
short-term, increase the window the test uses from 2 seconds to 3
seconds.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-20 00:18:20 +02:00
Tim Beale
016fc48a30 tests: Increase minPwdAge used for PSO tests
The PSO minPwdAge test was using a 1 second timeout. While this seemed
to work fine most of the time, we did see a rackspace failure that was
presumably due to the test taking longer than 1-second to execute
(which resulted in the password not being correctly rejected).

This patch increases the minPwdAge used, to try to avoid this problem
happening.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-20 00:18:19 +02:00
Volker Lendecke
e078991ae7 winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 19 11:43:16 CEST 2018 on sn-devel-144
2018-06-19 11:43:16 +02:00
Volker Lendecke
b81990095f lib: Align integer types
Loop-variable and bound should be the same type

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-19 08:59:11 +02:00
Volker Lendecke
ea50825acf idmap_hash: Align integer types
Loop-variable and bound should be the same type

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-19 08:59:11 +02:00
Andreas Schneider
95dcdd3d4f testparm: Remove warning from the last century
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-06-19 08:59:11 +02:00
Volker Lendecke
877266f775 librpc/crypto: Fix a misleading comment
Probably cut&paste error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 18 18:34:51 CEST 2018 on sn-devel-144
2018-06-18 18:34:51 +02:00
Nicolas Williams
0a6e9b6c0e heimdal: Add include/includedir directives for krb5.conf
Cherry-pick of Heimdal commit fe43be85587f834266623adb0ecf2793d212a7ca

Removed tests and documentation from original commit by
Björn Baumbach <bb@sernet.de>, since we do not ship them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Mon Jun 18 15:52:26 CEST 2018 on sn-devel-144
2018-06-18 15:52:26 +02:00
Björn Baumbach
88cac23e2b heimdal: small code adaption to cherry-pick heimdal commit
Check asprintf() return value.
Make use of krb5_enomem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-18 13:01:11 +02:00
Jeffrey Altman
f05a1554b7 heimdal: lib/krb5: do not fail set_config_files due to parse error
Follow Apple's lead and do not fail krb5_set_config_files() simply
because one of the files in the profile list fails to parse correctly.
Doing so can lead to hard to find failures and could lead to an end
user shooting themselves in the foot and no longer be able to login
to their system to fix it.

Parse as many of the files as we can.  Only fail krb5_set_config_files()
if init_context_from_config_file() fails.

Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8

Cherry-pick of Heimdal commit b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-18 13:01:11 +02:00
Stefan Metzmacher
721fbbfa70 smbd: remove unused smbd_server_connection->ev_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 18 11:46:36 CEST 2018 on sn-devel-144
2018-06-18 11:46:36 +02:00
Stefan Metzmacher
894e5001c7 smbd: add an effective {smb,smbd_smb2}_request->ev_ctx that holds the event context used for the request processing
In future this will an impersonation wrapper tevent_context based on the
user session.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:21 +02:00
Stefan Metzmacher
f2df8be16b smbd: add an effective connection_struct->user_ev_ctx that holds the event context used for the current user
This will be filled with an impersonation wrapper in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:21 +02:00
Stefan Metzmacher
c835ffa72d smbd: use sconn->root_ev_ctx for smbd_sig_{term,hup}_handler()
They already call change_to_root_user(), which can be removed
later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:21 +02:00
Stefan Metzmacher
182991c26c smbd: use sconn->root_ev_ctx for brl_timeout_fn()
This already calls change_to_root_user(), which can be removed
later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:21 +02:00
Stefan Metzmacher
146938217e smbd: add smbd_server_connection->{root,guest}_ev_ctx pointer
For now these are just the same as smbd_server_connection->ev_ctx,
but this will change in future and we'll use impersonation wrappers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:21 +02:00
Stefan Metzmacher
f5f9b71974 smbd: use raw_ev_ctx to clear the MSG_SMB_CONF_UPDATED registration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:19 +02:00
Stefan Metzmacher
dc517b20f6 smbd: explain that/why we use the raw tevent_context for linux_oplock_signal_handler()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-18 08:59:19 +02:00