Björn Baumbach [Thu, 15 Mar 2018 17:32:31 +0000 (18:32 +0100)]
ms_schema: fix python2.6 incompatibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13337
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:auth: make use of make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
When it's really an anonymous connection, we should reflect that in the
resulting session info.
This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.
We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.
The commit message from a few commit before shows the resulting
auth_session_info change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:rpc_server: make use of make_session_info_anonymous()
For unauthenticated connections we should default to a
session info with an anonymous nt token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 2 Mar 2018 13:39:44 +0000 (14:39 +0100)]
s3:auth: add make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
The following is the difference between guest and anonymous token:
security_token: struct security_token
- num_sids : 0x0000000a (10)
- sids: ARRAY(10)
- sids : S-1-5-21-
3793881525-
3372187982-
3724979742-501
- sids : S-1-5-21-
3793881525-
3372187982-
3724979742-514
- sids : S-1-22-2-65534
- sids : S-1-22-2-65533
+ num_sids : 0x00000009 (9)
+ sids: ARRAY(9)
+ sids : S-1-5-7
sids : S-1-1-0
sids : S-1-5-2
- sids : S-1-5-32-546
sids : S-1-22-1-65533
+ sids : S-1-22-2-65534
+ sids : S-1-22-2-100004
sids : S-1-22-2-100002
sids : S-1-22-2-100003
+ sids : S-1-22-2-65533
privilege_mask : 0x0000000000000000 (0)
...
unix_token : *
unix_token: struct security_unix_token
uid : 0x000000000000fffd (65533)
gid : 0x000000000000fffe (65534)
- ngroups : 0x00000004 (4)
- groups: ARRAY(4)
+ ngroups : 0x00000005 (5)
+ groups: ARRAY(5)
groups : 0x000000000000fffe (65534)
- groups : 0x000000000000fffd (65533)
+ groups : 0x00000000000186a4 (100004)
groups : 0x00000000000186a2 (100002)
groups : 0x00000000000186a3 (100003)
+ groups : 0x000000000000fffd (65533)
info: struct auth_user_info
account_name : *
- account_name : 'nobody'
+ account_name : 'ANONYMOUS LOGON'
user_principal_name : NULL
user_principal_constructed: 0x00 (0)
domain_name : *
- domain_name : 'SAMBA-TEST'
+ domain_name : 'NT AUTHORITY'
dns_domain_name : NULL
- full_name : NULL
- logon_script : NULL
- profile_path : NULL
- home_directory : NULL
- home_drive : NULL
- logon_server : NULL
+ full_name : *
+ full_name : 'Anonymous Logon'
+ logon_script : *
+ logon_script : ''
+ profile_path : *
+ profile_path : ''
+ home_directory : *
+ home_directory : ''
+ home_drive : *
+ home_drive : ''
+ logon_server : *
+ logon_server : 'LOCALNT4DC2'
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
- acct_flags : 0x00000000 (0)
+ acct_flags : 0x00000010 (16)
authenticated : 0x00 (0)
security_token: struct security_token
num_sids : 0x00000006 (6)
sids: ARRAY(6)
+ sids : S-1-5-7
+ sids : S-1-1-0
+ sids : S-1-5-2
sids : S-1-22-1-65533
sids : S-1-22-2-65534
sids : S-1-22-2-65533
- sids : S-1-1-0
- sids : S-1-5-2
- sids : S-1-5-32-546
privilege_mask : 0x0000000000000000 (0)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 2 Mar 2018 16:07:11 +0000 (17:07 +0100)]
s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
We only need to adjust sanitized_username in order to keep the same behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 23:51:51 +0000 (00:51 +0100)]
s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
The changes in the resulting token look like this:
unix_token : *
unix_token: struct security_unix_token
uid : 0x0000000000000000 (0)
gid : 0x0000000000000000 (0)
- ngroups : 0x00000000 (0)
- groups: ARRAY(0)
+ ngroups : 0x00000001 (1)
+ groups: ARRAY(1)
+ groups : 0x0000000000000000 (0)
...
domain_name : *
domain_name : 'NT AUTHORITY'
dns_domain_name : NULL
- full_name : NULL
- logon_script : NULL
- profile_path : NULL
- home_directory : NULL
- home_drive : NULL
- logon_server : NULL
+ full_name : *
+ full_name : 'System'
+ logon_script : *
+ logon_script : ''
+ profile_path : *
+ profile_path : ''
+ home_directory : *
+ home_directory : ''
+ home_drive : *
+ home_drive : ''
+ logon_server : *
+ logon_server : 'SLOWSERVER'
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
- acct_flags : 0x00000000 (0)
+ acct_flags : 0x00000010 (16)
authenticated : 0x01 (1)
unix_info : *
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 23:21:13 +0000 (00:21 +0100)]
s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.
This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.
In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:
- S-1-5-88-1-Y gives the uid=Y
- S-1-5-88-2-Y gives the gid=Y
- S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*
The currently implemented flags are:
- AUTH3_UNIX_HINT_QUALIFIED_NAME
unix_name = DOMAIN+ACCOUNT
- AUTH3_UNIX_HINT_ISLOLATED_NAME
unix_name = ACCOUNT
- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
Don't translate the nt token SIDS into uid/gids
using sid mapping.
- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
The unix token won't get expanded gid values
from getgroups_unix_user()
By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.
Note the S-1-5-88-* SIDS never appear in the final security_token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 15:38:10 +0000 (16:38 +0100)]
auth: add auth_user_info_copy() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 22:45:30 +0000 (23:45 +0100)]
s3:auth: remove static from finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 22:40:10 +0000 (23:40 +0100)]
s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 22:36:03 +0000 (23:36 +0100)]
s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 22:26:28 +0000 (23:26 +0100)]
s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
We should add Builtin_Guests depending on the current token
not based on 'is_guest'. Even authenticated users can be member
a guest related group and therefore get Builtin_Guests.
Sadly we still need to use 'is_guest' within create_local_nt_token()
as we only have S-1-22-* SIDs there and still need to
add Builtin_Guests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 13 Mar 2018 20:38:27 +0000 (21:38 +0100)]
s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 13 Mar 2018 20:35:48 +0000 (21:35 +0100)]
s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
We should not crash if we're called with NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 6 Mar 2018 16:14:34 +0000 (17:14 +0100)]
s3:auth: move add_local_groups() out of finalize_local_nt_token()
finalize_local_nt_token() will be used in another place,
were we don't want to add local groups in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 2 Mar 2018 15:37:58 +0000 (16:37 +0100)]
s3:auth: add the "Unix Groups" sid for the primary gid
The primary gid might not be in the gid array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 1 Mar 2018 17:05:28 +0000 (18:05 +0100)]
s3:auth: remove unused auth_serversupplied_info->system
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 14 Mar 2018 10:44:49 +0000 (11:44 +0100)]
libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 15 Mar 2018 17:04:21 +0000 (18:04 +0100)]
s3:selftest: run SMB2-ANONYMOUS
This fails against a non AD DC smbd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 15 Mar 2018 16:40:07 +0000 (17:40 +0100)]
s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 18:54:37 +0000 (19:54 +0100)]
winbindd: add retry to _winbind_SendToSam
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144
Ralph Boehme [Mon, 12 Mar 2018 18:53:53 +0000 (19:53 +0100)]
winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 18:53:26 +0000 (19:53 +0100)]
winbindd: add retry to _wbint_DsGetDcName
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 16:09:34 +0000 (17:09 +0100)]
winbindd: add retry to _wbint_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 15:53:49 +0000 (16:53 +0100)]
winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected()
This catches more errors and triggers retry as appropriate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 15:15:02 +0000 (16:15 +0100)]
winbindd: fix logic calling dcerpc_binding_handle_is_connected()
The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 15:11:37 +0000 (16:11 +0100)]
winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()
To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().
All callers pass NULL for now, so no change in behaviour up to here.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 12:39:59 +0000 (13:39 +0100)]
winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 11:20:04 +0000 (12:20 +0100)]
winbindd: call reset_cm_connection_on_error() from reconnect_need_retry()
This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.
Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 10:29:22 +0000 (11:29 +0100)]
winbindd: make reset_cm_connection_on_error() public
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 10:12:34 +0000 (11:12 +0100)]
winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()
reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 12 Mar 2018 12:30:01 +0000 (13:30 +0100)]
winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c
ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Wed, 28 Feb 2018 15:09:28 +0000 (15:09 +0000)]
winbind: Keep "force_reauth" in invalidate_cm_connection
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 28 Feb 2018 15:08:44 +0000 (15:08 +0000)]
winbind: Add smbcontrol disconnect-dc
Make a winbind child drop all DC connections
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Wed, 28 Feb 2018 07:59:08 +0000 (07:59 +0000)]
utils: Add destroy_netlogon_creds_cli
This is a pure testing utility that will garble the netlogon_creds_cli
session_key. This creates a similar effect to our schannel credentials
as does a domain controller reboot.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 8 Mar 2018 16:35:15 +0000 (17:35 +0100)]
s4: dsdb/password_hash: use UF_TRUST_ACCOUNT_MASK
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 13 23:48:28 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 8 Mar 2018 16:34:08 +0000 (17:34 +0100)]
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK
The name UF_TRUST_ACCOUNT_MASK better reflects the use case and it's not
yet used.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)]
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:38:19 +0000 (15:38 +0100)]
CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.
It's very important that both modules treat the request identical.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:30:13 +0000 (15:30 +0100)]
CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 14 Feb 2018 18:15:49 +0000 (19:15 +0100)]
CVE-2018-1057: s4:dsdb/acl: run password checking only once
This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 22 Feb 2018 09:54:37 +0000 (10:54 +0100)]
CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:17:26 +0000 (15:17 +0100)]
CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:43:43 +0000 (17:43 +0100)]
CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 21:59:24 +0000 (22:59 +0100)]
CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]
CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]
CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 13:40:59 +0000 (14:40 +0100)]
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 09:56:06 +0000 (10:56 +0100)]
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 11:43:09 +0000 (12:43 +0100)]
CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete
Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Uri Simchoni [Sat, 10 Mar 2018 05:08:28 +0000 (07:08 +0200)]
README.Coding: codify line splitting on function calls
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 13 01:48:21 CET 2018 on sn-devel-144
Swen Schillig [Mon, 5 Mar 2018 11:55:23 +0000 (12:55 +0100)]
s3: Fix max indentation and max column
Minor cleanup reducing the max indentation level and max column length.
Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Martin Schwenke [Thu, 8 Mar 2018 00:49:56 +0000 (11:49 +1100)]
ctdb-tests: Don't use nc -d or -w options
nmap-ncat is used in some distributions to replace netcat. It has a
different meaning for these options.
We can get the same effect as the current combination of -d and -w by
piping a sleep process to nc. Subsequent use of $! works because it
gets the last process in pipeline.
Note that redirecting from /dev/null doesn't work with some versions
of nc. They just exit when they get EOF.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 9 12:24:13 CET 2018 on sn-devel-144
Martin Schwenke [Wed, 31 Jan 2018 06:07:46 +0000 (17:07 +1100)]
Revert "ctdb-doc: Fix monitoring bug in example NFS Ganesha call-out"
The check action should be there. It is used by 20.nfs_ganesha.check.
This reverts commit
4fa9026bbd9f67348d3203e0205c59ff4fb51d2d.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 16 Feb 2018 03:27:39 +0000 (14:27 +1100)]
ctdb-tests: Depend on setup_ctdb_base() to install events.d/
This directory is only used by simple tests when running against local
daemons. Moving it to simple/etc-ctdb/events.d/ means that it is
automatically copied by setup_ctdb_base().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 2 Mar 2018 09:36:39 +0000 (20:36 +1100)]
ctdb-tests: Make fake ssh script set CTDB_BASE
The local daemons code puts the socket in the CTDB_BASE directory.
This means CTDB_NODES_SOCKETS can be replaced by CTDB_BASES, a list of
base directories. The fake ssh script can first determine the correct
CTDB_BASE directory and then use it to set CTDB_SOCKET and
CTDB_PIDFILE.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Feb 2018 07:38:04 +0000 (18:38 +1100)]
ctdb-tests: Use setup_ctdb_base() for simple tests
The comment in local.bash is incorrect. CTDB_BASE will never be set
here because this script is not run under onnode. Instead, this where
CTDB_BASE needs to be set when running against a real cluster.
For local daemons, the check for CTDB_BASE being inconsistent with
node_dir is temporary.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 03:50:59 +0000 (14:50 +1100)]
ctdb-tests: Reindent setup_ctdb() function
This could have been done earlier but previous movement of lines out
to new functions has made the job easier.
Best viewed with show/diff -w.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 22 Feb 2018 09:24:20 +0000 (20:24 +1100)]
ctdb-tests: Clean up nodes and public address file setup
Untangle a single loop into two separate, clear functions. Create a
separate, empty file for the node with no public IPs instead of
pointing the configuration at /dev/null.
Leave the indentation in setup_ctdb() in the old style to make this
commit comprehensible.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 22 Feb 2018 08:56:08 +0000 (19:56 +1100)]
ctdb-tests: Use SIMPLE_TESTS_VAR_DIR for data for local daemons tests
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 1 Mar 2018 04:39:44 +0000 (15:39 +1100)]
ctdb-tests: New directory for simple test state
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Feb 2018 03:09:45 +0000 (14:09 +1100)]
ctdb-tests: Use setup_ctdb_base() for onnode unit tests
The nodes file is now in the CTDB_BASE directory so no CTDB_NODES_FILE
variable is needed.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Feb 2018 00:58:51 +0000 (11:58 +1100)]
ctdb-tests: Use setup_ctdb_base() for eventscript unit tests
There is currently a directory of symlinks that are copied during test
setup. These symlinks are updated during installation so they point
to the right place when copied.
Instead, use setup_ctdb_base() during test setup.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Feb 2018 02:56:34 +0000 (13:56 +1100)]
ctdb-tests: Factor out setup of fake CTDB_BASE
Several test suites need the CTDB_BASE directory to contain a subset
of the regular contents of that subdirectory. In some cases there are
symbolic links in the test directory (or a subdirectory) and these
symbolic links need to be fixed at installation time.
Instead, add new function setup_ctdb_base() to set CTDB_BASE, create
the directory and populate it as specified. This relies on
script_install_paths.sh so it can copy the specified targets. It also
copies any files from the test directory's etc-ctdb/ subdirectory.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 10:02:40 +0000 (21:02 +1100)]
ctdb-scripts: Drop PID file argument from wrapper
Use the default compile-time PID file.
Use a CTDB_PIDFILE environment variable when testing.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 10:19:30 +0000 (21:19 +1100)]
ctdb-daemon: CTDB_PIDFILE environment variable overrides default
Use environment variables for test-only options.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Mar 2018 01:11:53 +0000 (12:11 +1100)]
ctdb-daemon: Provide default location for ctdbd PID file
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 10:01:17 +0000 (21:01 +1100)]
ctdb-scripts: Drop init script PID directory backward compatibility
This tries to be backward compatible with very old versions of CTDB,
so don't bother.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 09:40:08 +0000 (20:40 +1100)]
ctdb-scripts: Don't create directory for PID file
This is already created by installation and/or packaging.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 09:38:51 +0000 (20:38 +1100)]
ctdb-packaging: Package up relevant /var subdirectories
They're already created at installation time. This way they don't
need to be created at startup.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 09:26:08 +0000 (20:26 +1100)]
ctdb-scripts: Drop unnecessary complexity from wrapper
All of this logic was necessary when ctdbd did poor PID file and
socket handling. Those things are now solid, so remove this
unnecessary logic.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 09:16:00 +0000 (20:16 +1100)]
ctdb-scripts: Drop broken wrapper code that uses PID
The code has been broken since commit
4b652c1527afe7eff4075c95946abfa114d74015.
If ctdbd isn't all the way up in time just make a basic attempt to
shut it down.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Mar 2018 09:04:17 +0000 (20:04 +1100)]
ctdb-tests: Rework simple tests daemon start/stop
Separate stopping and starting of daemons during restart
This allows actions to be taken after stopping and allows the init
testcase to be clearer about what it is doing.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Mar 2018 09:34:48 +0000 (20:34 +1100)]
ctdb-packaging: Use RPM's local state directory
Instead of fixed /var.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Feb 2018 02:56:05 +0000 (13:56 +1100)]
ctdb-scripts: Simplify the names of NFS fail counter files
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Feb 2018 02:51:23 +0000 (13:51 +1100)]
ctdb-scripts: Move failure counters to the service state directory
Scripts that use these counters must call ctdb_setup_state_dir().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Feb 2018 02:50:47 +0000 (13:50 +1100)]
ctdb-scripts: Move the reconfigure flag to the script state directory
Scripts that use these functions must call ctdb_setup_state_dir().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Mar 2018 00:43:18 +0000 (11:43 +1100)]
ctdb-scripts: Drop unused function ctdb_setup_service_state_dir()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Mar 2018 00:12:29 +0000 (11:12 +1100)]
ctdb-scripts: Use ctdb_setup_state_dir()
Replace all uses of ctdb_setup_service_state_dir() by
ctdb_setup_state_dir().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Feb 2018 02:49:46 +0000 (13:49 +1100)]
ctdb-scripts: Factor out function ctdb_setup_state_dir()
This allows state directories for scripts other than services.
ctdb_setup_state_dir() takes 2 mandatory arguments.
Unlike ctdb_setup_service_state_dir(), this does not print the
directory name but sets a global variable. The intention is to go
back to a more sensible style of usage.
This will require a shellcheck directive before the first use, such
as:
# Set by ctdb_setup_state_dir
# shellcheck disable=SC2154
foo="${script_state_dir}/bar"
An alternative would be something like the following, which tricks
shellcheck into believing the variable is set:
ctdb_setup_state_dir "service" "foo"
# Shellcheck
script_state_dir="$script_state_dir"
However, this is more cryptic.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Feb 2018 00:42:26 +0000 (11:42 +1100)]
ctdb-scripts: Move script state to its own directory
Don't use the same directory as temporary databases.
Make associated test consistent.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Thu, 8 Mar 2018 03:24:27 +0000 (14:24 +1100)]
ctdb-tools: Fix documentation for ctdb ping command
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 8 Mar 2018 03:23:38 +0000 (14:23 +1100)]
ctdb-tools: Event script commands cannot be run without daemon
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 8 Mar 2018 03:20:43 +0000 (14:20 +1100)]
ctdb-common: Drop unused function ctdb_sys_find_ifname()
The ioctl SIOCGIFCONF does not return IPv6 addresses, so this function
does not work for IPv6 addresses.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 8 Mar 2018 03:19:19 +0000 (14:19 +1100)]
ctdb-tools: Drop ipiface command from ctdb tool
This command is not used anywhere and also does not work for IPv6
addresses.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 6 Mar 2018 03:28:43 +0000 (14:28 +1100)]
ctdb-tools: Wait for ctdb daemon to go away in shutdown
This can only be done on the local node. For remote node, exit as
soon as the control returns.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 8 Mar 2018 00:35:55 +0000 (11:35 +1100)]
ctdb-client: Client code should never free the client context
This should never have been done.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Sat, 3 Mar 2018 15:09:33 +0000 (02:09 +1100)]
ctdb-ib: Avoid fall through case statements
This is clearly unintended. Noticed with gcc 7.3.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Garming Sam [Wed, 7 Mar 2018 00:27:20 +0000 (13:27 +1300)]
ldb_tdb: Remove unnecessary call to tdb_get_seqnum
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 8 14:14:37 CET 2018 on sn-devel-144
Jeremy Allison [Fri, 2 Mar 2018 21:53:55 +0000 (13:53 -0800)]
s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
Jeremy Allison [Fri, 2 Mar 2018 21:51:54 +0000 (13:51 -0800)]
s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 2 Mar 2018 21:21:37 +0000 (13:21 -0800)]
s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 2 Mar 2018 21:07:48 +0000 (13:07 -0800)]
s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Gary Lockyer [Mon, 22 Jan 2018 22:03:16 +0000 (11:03 +1300)]
ldb_mod_op_test: Make sure that closing the database frees locks
Without the destructor firing, this test used to pass, but now we show
that we must be able to open a new ldb handle.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 7 04:38:02 CET 2018 on sn-devel-144
Gary Lockyer [Thu, 18 Jan 2018 20:28:14 +0000 (09:28 +1300)]
ldb_mod_op_test: Add new nested transactions test
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 11 Jan 2018 01:27:40 +0000 (14:27 +1300)]
selftest: Change name to sam.ldb to align with new partition module assumptions
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 02:30:43 +0000 (15:30 +1300)]
ldb: Remove python warning in tests/python/index.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 16 Feb 2018 00:26:46 +0000 (13:26 +1300)]
ldb_tdb: Build a key value operation library
This allows sharing of the originally ldb_tdb operations to the new
ldb_mdb backend.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 6 01:39:16 CET 2018 on sn-devel-144
Garming Sam [Thu, 12 Jan 2017 22:32:14 +0000 (11:32 +1300)]
partition: Allow a different backend store from @PARTITION
By default, use tdb, but otherwise read the value from backendStore.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>