samba.git
Andreas Schneider [Fri, 23 Jan 2015 14:32:05 +0000 (15:32 +0100)]
uwrap: Bump version to 1.1.0.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 28 19:44:39 CET 2015 on sn-devel-104

Andreas Schneider [Fri, 23 Jan 2015 14:31:17 +0000 (15:31 +0100)]
uwrap: Make sure we leave if the id is NULL.

CID #97616

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:30:30 +0000 (15:30 +0100)]
uwrap: Support scenario where threads fork or create threads.

When fork() is called here there is no need to disable uwrap as a whole.
This change disables only uwrap for the thread which called fork().

uwrap catches calls of pthread_create() and pthread_exit() functions
from libpthread library now.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:30:03 +0000 (15:30 +0100)]
uwrap: Prepare for overload of libpthread functions.

uwrap_bind_symbol is now renamed to uwrap_bind_symbol_libc
and a similar uwrap_bind_symbol_libpthread is introduced.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:29:35 +0000 (15:29 +0100)]
uwrap: Introduce UWRAP_LOCK_ALL and UWRAP_UNLOCK_ALL macros

Introduce UWRAP_LOCK_ALL and UWRAP_UNLOCK_ALL which make
locking easier.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:28:37 +0000 (15:28 +0100)]
uwrap: Rewrite uwrap_libc_fns struct to pass strict aliasing rules.

Also rename struct uwrap_libc_fns fns to uwrap_libc_symbols and
uwrap_load_lib_function to uwrap_bind_symbol (same for _uwrap_load_...
variant).

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:28:00 +0000 (15:28 +0100)]
uwrap: Fix wrong data types in syscalls switch.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:27:25 +0000 (15:27 +0100)]
uwrap: Add support for getresuid() and getresgid() glibc/syscall.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:25:16 +0000 (15:25 +0100)]
uwrap: Extend support for (set|get)groups libc functions and syscalls.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:24:39 +0000 (15:24 +0100)]
uwrap: Extend support for syscalls called from threads or main process.

We need to distinguish if the syscall is called from main process or
from a thread.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:24:04 +0000 (15:24 +0100)]
uwrap: Small uwrap_init optimization.

Don't call libc_getuid/getgid function twice.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 23 Jan 2015 14:22:18 +0000 (15:22 +0100)]
uwrap: Add support for running with address sanitizer.

The address sanitizer will complain about our hack with variable function
attributes. This disables the checking of it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:16:34 +0000 (15:16 +0100)]
uwrap: Reflect changes of uid/gid in threads to main process.

When a thread changes uid/gid, this change must be reflected in the main
process.

Syscalls change only the uid/gid of the thread. Calls of libc functions
also change the uid/gid of the main process.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:15:42 +0000 (15:15 +0100)]
uwrap: Small optimization of uwrap_init().

Don't call getenv("UID_WRAPPER") on start of uwrap_init().

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:15:04 +0000 (15:15 +0100)]
uwrap: Optimization of uid_wrapper_enabled() function.

Check only the bool variable inside the uwrap structure instead
of calling the whole uid_init().

In the best case only one mutex lock is needed for the check.

NOTES:
 * This patch uses __atomic_load gcc builtin function.
 * uid_init() was moved outside uid_wrapper_enabled() function.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:12:43 +0000 (15:12 +0100)]
uid_wrapper: Fix race condition - uwrap_init.

Patch moves uwrap_id_mutex before if (uwrap.initialised) statement
which can be passed by concurrent threads.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:12:02 +0000 (15:12 +0100)]
uwrap: Fix race condition - glibc lookups.

Patch adds libc_symbol_binding_mutex which guards global table of libc
functions and their lookup.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 14:10:02 +0000 (15:10 +0100)]
uwrap: Add library constructor and move pthread_atfork inside.

Library constructor is used for pthread_atfork call. Moved here because
pthread_atfork is cumulative and should be called only once.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Robin Hack [Fri, 23 Jan 2015 13:00:49 +0000 (14:00 +0100)]
uwrap: Use UWRAP_LOCK/UNLOCK macros instead of pthread_mutex_lock/unlock calls.

New macros UWRAP_LOCK/UNLOCK have been created and all calls to
pthread_mutex_lock/unlock have been replaced by these macros.

Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 23 Jan 2015 12:59:14 +0000 (13:59 +0100)]
uwrap: Fix the handle loop for older gcc versions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Mon, 26 Jan 2015 15:16:15 +0000 (16:16 +0100)]
waf: Add address sanitizer configure option.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Tue, 30 Dec 2014 05:04:00 +0000 (16:04 +1100)]
ctdb-scripts: Call iptables/ip6tables directly from iptables_wrapper

Drops the iptables() and ip6tables() functions and, hence, the
hardcoding of paths /sbin/iptables and /sbin/ip6tables.  The latter
avoids problems on openSUSE where (for example) /usr/sbin/iptables is
used instead.

This means that locking around ip*tables commands is only done when
iptables_wrapper is called directly.  This is fine because the only
conflict is when "releaseip" or "takeip"/"updateip" events are run in
parallel.  The other uses in 11.natgw and 70.iscsi are in events where
there will be no collisions.

Making 11.natgw support IPv6 is unnecessary.  Just put a static IPv6
address on each interface - they're plentiful.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Jan 28 08:29:55 CET 2015 on sn-devel-104

Martin Schwenke [Tue, 30 Dec 2014 06:07:09 +0000 (17:07 +1100)]
ctdb-scripts: Error message, comment and whitespace cleanups

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 30 Dec 2014 06:03:46 +0000 (17:03 +1100)]
ctdb-scripts: iSCSI eventscript should fail when PNN can't be determined

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 30 Dec 2014 06:01:21 +0000 (17:01 +1100)]
ctdb-scripts: Make 70.iscsi IPv6-aware

Block iSCSI port for families of all addresses the node is configured to
host.

Could just unconditionally add blocking using ip6tables instead.
However, this would produce errors when no IPv6 public addresses are
configured and ip6tables is not installed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Günther Deschner [Fri, 28 Nov 2014 16:24:09 +0000 (17:24 +0100)]
auth/credentials_krb5: fix memory leak in cli_credentials_failed_kerberos_login().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104

Günther Deschner [Fri, 23 Jan 2015 12:01:27 +0000 (13:01 +0100)]
s4-torture: the new krb5 kdc tests are heimdal, not dc specific.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Fri, 26 Sep 2014 22:06:25 +0000 (00:06 +0200)]
idl: fix IDL for netr_WorkstationInformation().

This structure is used by the netr_LogonGetDomainInfo call as the input.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 22 Jan 2015 11:24:31 +0000 (11:24 +0000)]
s4:rpc_server: add support for DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 26 14:23:50 CET 2015 on sn-devel-104

Stefan Metzmacher [Thu, 22 Jan 2015 13:05:15 +0000 (13:05 +0000)]
s4:rpc_server: pass the remote address to gensec_set_remote_address()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 22 Jan 2015 14:57:15 +0000 (14:57 +0000)]
s4:rpc_server/lsa: add dcesrv_lsa_OpenTrustedDomain_common()

dcesrv_lsa_OpenTrustedDomain() and dcesrv_lsa_OpenTrustedDomainByName()
need to use the same logic and make sure trusted_domain_user_dn is valid.

Otherwise dcesrv_lsa_OpenTrustedDomainByName() followed by
dcesrv_lsa_DeleteObject() will leave the trust domain account
in the database.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 22 Jan 2015 11:22:25 +0000 (11:22 +0000)]
s4:rpc_server/netlogon: fix bugs in dcesrv_netr_DsRGetDCNameEx2()

We should return our ip address the client is connected to.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Richard Sharpe [Sat, 24 Jan 2015 23:24:46 +0000 (15:24 -0800)]
Fix a couple of DEBUG statements that were copied from elsewhere. Removed the misleading function name since the DEBUG message will print out the function name anyway.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Jan 25 12:58:08 CET 2015 on sn-devel-104

Stefan Metzmacher [Fri, 9 Jan 2015 07:56:59 +0000 (08:56 +0100)]
s4:dsdb/tests: add test_timevalues1() to verify timestamp values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 24 20:17:20 CET 2015 on sn-devel-104

Tag: ldb-1.1.20
Stefan Metzmacher [Mon, 19 Jan 2015 16:17:13 +0000 (17:17 +0100)]
ldb: version 1.1.20

- Bug 9810 - validate_ldb of String(Generalized-Time) does not accept millisecond format ".000Z"

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 19 Jan 2015 14:47:58 +0000 (15:47 +0100)]
lib/ldb: fix logic in ldb_val_to_time()

040408072012Z should represent 20040408072012.0Z
as well as 20040408072012.000Z or
20040408072012.RandomIgnoredCharaters...Z

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Richard Sharpe [Sat, 24 Jan 2015 05:56:19 +0000 (21:56 -0800)]
Update the tevent_data.dox tutorial stuff to fix some errors, including white
space problems.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sat Jan 24 09:33:03 CET 2015 on sn-devel-104

Ira Cooper [Thu, 22 Jan 2015 22:14:31 +0000 (17:14 -0500)]
vfs_glusterfs: Add comments to the pipe(2) code.

The guarantees around read(2) and write(2) and pipes are critical
to understanding this code.  Hopefully these comments will help.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 23 20:58:51 CET 2015 on sn-devel-104

Andrew Bartlett [Fri, 23 Jan 2015 04:19:41 +0000 (17:19 +1300)]
selftest: Run krb5.kdc test against users with a UPN

This tests both a UPN in our own realm, and a UPN with a non-realm suffix.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jan 23 08:10:07 CET 2015 on sn-devel-104

Andrew Bartlett [Fri, 23 Jan 2015 03:43:48 +0000 (16:43 +1300)]
torture-krb5: Check for UPN handling in krb5.kdc.canon test

This allows us to confirm correct behaviour when a UPN is in use, particularly
with the canonicalize flag and with enterprise principal names

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 03:41:50 +0000 (16:41 +1300)]
kdc: Correctly return the krbtgt/realm@REALM principal from our KDC

This needs to vary depending on if the client requested the canonicalize flag

This was found by our new krb5.kdc test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 01:28:56 +0000 (14:28 +1300)]
torture-krb5: Move checking of server and client names to krb5.kdc.canon

This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 01:38:51 +0000 (14:38 +1300)]
torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon

This allows the impact of this to be verified with the other options we are setting

This also removes duplication in the kdc.c testsuite.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 01:28:28 +0000 (14:28 +1300)]
torture-krb5: Split the expected behaviour of the RODC up

The expectations of the cached accounts are different to those of the RODC in general.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 01:09:33 +0000 (14:09 +1300)]
torture-kdc: Skip the request-pac behaviour for now against an RODC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 01:07:41 +0000 (14:07 +1300)]
torture-krb5: Add comments

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 23 Jan 2015 04:39:45 +0000 (17:39 +1300)]
kdc: Add TODO to remind us where we need to hook for RODC to get secrets

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 22 Jan 2015 01:11:52 +0000 (14:11 +1300)]
kdc: Fix Samba's KDC to only change the principal in the right cases

If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (ie matching LDAP
samAccountName)

Otherwise, if we are set to enterprise, we
get back the whole principal as-sent

Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 21 Jan 2015 04:27:09 +0000 (17:27 +1300)]
torture-krb5: Add tests for combinations of enterprise, canon, and different input principals

This combinational test confirms the interactions between a number of different
kerberos flags and principal types.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 21 Jan 2015 02:57:40 +0000 (15:57 +1300)]
torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour

The RODC should answer some requests locally, and others it should defer to the main DC.

We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned
to the KDC.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 18 Dec 2014 04:23:43 +0000 (17:23 +1300)]
selftest: Add test for enterprise UPN in a different domain

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 17 Dec 2014 04:02:53 +0000 (17:02 +1300)]
kdc: Fix enterprise principal name handling

Based on a patch by Samuel Cabrero <scabrero@zentyal.com>

This ensures we write the correct (implicit, samAccountName) based UPN into
the ticket, rather than the userPrincipalName, which will have a different
realm.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 20 Jan 2015 22:45:45 +0000 (11:45 +1300)]
heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten

This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Nicolas Williams [Wed, 17 Dec 2014 03:57:40 +0000 (16:57 +1300)]
heimdal: Really bug in KDC handling of enterprise princs

The value of this commit to Samba is to continue to match Heimdal's
upstream code in this area.  Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
there is no runtime difference.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Nicolas Williams [Wed, 17 Dec 2014 03:55:34 +0000 (16:55 +1300)]
heimdal: Fix bug in KDC handling of enterprise principals

The useful change in Samba from this commit is that we gain
validation of the enterprise principal name.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 6 Jan 2015 00:24:04 +0000 (13:24 +1300)]
torture: Extend KDC test to cover more options and modes

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 5 Jan 2015 04:48:50 +0000 (17:48 +1300)]
torture: Decode expected packets and test KDC behaviour for wrong passwords

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 5 Jan 2015 03:48:08 +0000 (16:48 +1300)]
torture: Additionally run testsuite for krb5 and KDC behaviour against all the DC envs

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 5 Jan 2015 03:32:23 +0000 (16:32 +1300)]
torture: Additionally run testsuite for krb5 and KDC behaviour with unprivileged accounts

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 5 Jan 2015 03:07:42 +0000 (16:07 +1300)]
torture: Run new testsuite for krb5 and KDC behaviour with machine account also

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 5 Jan 2015 01:54:45 +0000 (14:54 +1300)]
torture: Start a new testsuite for krb5 and KDC behaviour

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 09:16:28 +0000 (10:16 +0100)]
s3-pam_smbpass: Correctly initialize variables.

This fixes a coverity warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 22 22:51:59 CET 2015 on sn-devel-104

Andreas Schneider [Thu, 22 Jan 2015 09:13:37 +0000 (10:13 +0100)]
s3-pam_smbpass: Remove superfluous NULL check for pam functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 09:05:41 +0000 (10:05 +0100)]
s3-pam_smbpass: Make sure PAM_MAXTRIES can be returned.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 08:51:10 +0000 (09:51 +0100)]
s3-pam_smbpass: Check the return code of secrets_init().

This fixes a coverity warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 08:50:01 +0000 (09:50 +0100)]
s3-pam_smbpass: Fix set_ctrl() return value.

This fixes a cppcheck warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 08:40:53 +0000 (09:40 +0100)]
s3-pam_smbpass: Make sure variables are initialized.

This fixes cppcheck warnings.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 22 Jan 2015 08:57:58 +0000 (09:57 +0100)]
s3-smbspool: Use strtol() instead of atoi().

This fixes a coverity warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 22 Jan 2015 12:08:52 +0000 (12:08 +0000)]
winbind: Fix idmap initialization

The fix is in the sscanf line: %u in the sscanf format mandates the use of
a pointer to an "unsigned". idmap_domain->[low|high]_id are uint32_t. On
little endian 64-bit this might at least put the correct values into
low_id and high_id, but might overwrite the read_only bit set earlier,
depending on structure alignment and packing. On big endian 64-bit,
this will just fail.

Automatic conversion to uint32_t will happen only at assignment, not
when you take a pointer of such a thing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104

Andreas Schneider [Thu, 22 Jan 2015 09:27:59 +0000 (10:27 +0100)]
s3-pam_smbpass: Fix memory leak in pam_sm_authenticate().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11066

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Wed, 21 Jan 2015 19:49:24 +0000 (20:49 +0100)]
vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 22 13:14:38 CET 2015 on sn-devel-104

Petr Viktorin [Wed, 3 Dec 2014 12:59:58 +0000 (13:59 +0100)]
Remove use of the "staticforward" macro

This macro was used for compatibility with broken compilers.
Since Python 2.3, it is always defined as `static`, and only exists
"for source compatibility with old C extensions".

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Tue, 6 Jan 2015 03:49:14 +0000 (16:49 +1300)]
dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set

Also confirm what bits have to be ignored, or otherwise processed

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104

9 years ago dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags
Andrew Bartlett [Tue, 6 Jan 2015 03:48:40 +0000 (16:48 +1300)]
dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags

The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no...
Andrew Bartlett [Tue, 6 Jan 2015 03:47:36 +0000 (16:47 +1300)]
dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-samldb: Only allow known and settable userAccountControl bits to be set
Andrew Bartlett [Tue, 6 Jan 2015 03:43:37 +0000 (16:43 +1300)]
dsdb-samldb: Only allow known and settable userAccountControl bits to be set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Show that we can not change the primaryGroupID of a DC
Andrew Bartlett [Wed, 10 Dec 2014 02:54:11 +0000 (15:54 +1300)]
dsdb-tests: Show that we can not change the primaryGroupID of a DC

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS
Stefan Metzmacher [Tue, 1 Apr 2014 17:22:35 +0000 (19:22 +0200)]
s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb: Improve userAccountControl handling
Andrew Bartlett [Wed, 10 Dec 2014 01:15:54 +0000 (14:15 +1300)]
dsdb: Improve userAccountControl handling

We now always check the ACL and invariant rules using the same function

The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag,
not an account type

This list should only be of the account exclusive account type bits.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Add new test samba4.user_account_control.python
Andrew Bartlett [Mon, 8 Dec 2014 02:07:59 +0000 (15:07 +1300)]
dsdb-tests: Add new test samba4.user_account_control.python

This confirms security behaviour of the userAccountControl attribute
as well as the behaviour on ADD as well as MODIFY, for every
userAccountControl bit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified
Andrew Bartlett [Wed, 10 Dec 2014 01:26:28 +0000 (14:26 +1300)]
dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type
Andrew Bartlett [Wed, 10 Dec 2014 01:15:54 +0000 (14:15 +1300)]
libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type

This list should only be of the account exclusive account type bits.

Note, this corrects the behaviour in samldb modifies of
userAccountControl.

This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests
Andrew Bartlett [Mon, 8 Dec 2014 01:31:42 +0000 (14:31 +1300)]
dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests

These tests now pass against Samba and Windows 2012R2.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago vfs:glusterfs: whitespace fix.
Michael Adam [Wed, 21 Jan 2015 21:07:53 +0000 (22:07 +0100)]
vfs:glusterfs: whitespace fix.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 22 03:20:17 CET 2015 on sn-devel-104

9 years ago vfs_snapper: encode and decode Snapper DBus strings
David Disseldorp [Wed, 21 Jan 2015 17:16:57 +0000 (18:16 +0100)]
vfs_snapper: encode and decode Snapper DBus strings

Snapper uses a special character encoding for strings used in DBus
requests and responses. This change ensures that Samba packs and unpacks
strings in the corresponding format, using the previously added
encode/decode helper functions.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago vfs_snapper: add DBus string encoding and decoding helpers
David Disseldorp [Wed, 21 Jan 2015 17:16:56 +0000 (18:16 +0100)]
vfs_snapper: add DBus string encoding and decoding helpers

Snapper uses the following mechanism for encoding and decoding strings
used in DBus traffic:
Characters above 127 (0x7F - ASCII DEL) must be encoded hexadecimal as
"\x??". As a consequence "\" must be encoded as "\\".

This change adds string encoding and decoding helpers to vfs_snapper.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
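
The encoding rule quoted in this commit message can be implemented as a bounded encoder and a strict decoder. This is an added example, not the helpers from vfs_snapper: the function names, the lowercase hex output and the decoder's rejection policy are assumptions of the sketch.

```c
#include <string.h>

/* '\' -> "\\", byte above 127 -> "\xNN". Returns encoded length, -1 if out is too small. */
static int example_encode(const char *in, char *out, size_t outsz)
{
	static const char hex[] = "0123456789abcdef"; /* lowercase: assumed */
	size_t o = 0;
	if (outsz == 0) return -1;
	for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
		const char esc[4] = { '\\', 'x', hex[*p >> 4], hex[*p & 15] };
		size_t need = (*p == '\\') ? 2 : (*p > 127) ? 4 : 1;
		const char *src = (*p == '\\') ? "\\\\" : (*p > 127) ? esc : (const char *)p;
		if (o + need + 1 > outsz) return -1; /* keep room for the NUL */
		memcpy(out + o, src, need);
		o += need;
	}
	out[o] = '\0';
	return (int)o;
}

static int example_hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	c |= 0x20; /* fold ASCII upper case to lower case */
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode. Returns the length, or -1 on a lone '\', an unknown escape, bad hex,
 * a raw byte above 127, "\x00" or a full buffer (the last three: example policy). */
static int example_decode(const char *in, char *out, size_t outsz)
{
	size_t o = 0;
	if (outsz == 0) return -1;
	for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
		int c = *p;
		if (c > 127) return -1;
		if (c == '\\' && p[1] == '\\') {
			p++;
		} else if (c == '\\') {
			int hi = (p[1] == 'x') ? example_hexval(p[2]) : -1;
			int lo = (hi >= 0) ? example_hexval(p[3]) : -1;
			if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
			p += 3;
		}
		if (o + 2 > outsz) return -1;
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return (int)o;
}
```

Rejecting `\x00` keeps an escaped NUL from silently truncating the decoded C string, and the short-circuit on `hi` means a truncated escape is never read past the terminator.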
9 years ago vfs_snapper: free dbus req messages in error paths
David Disseldorp [Wed, 21 Jan 2015 17:16:55 +0000 (18:16 +0100)]
vfs_snapper: free dbus req messages in error paths

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago vfs_glusterfs: Replace eventfd with pipes, for AIO use
Ira Cooper [Tue, 20 Jan 2015 04:08:17 +0000 (23:08 -0500)]
vfs_glusterfs: Replace eventfd with pipes, for AIO use

Pipes clean up the AIO implementation substantially, due to the fact
that they implement a natural thread safe queue instead of us
creating our own queue.

Signed-off-by: Ira Cooper <ira@samba.org>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Wed Jan 21 20:40:11 CET 2015 on sn-devel-104

9 years ago libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()
Stefan Metzmacher [Mon, 22 Dec 2014 21:02:04 +0000 (22:02 +0100)]
libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan 21 17:19:33 CET 2015 on sn-devel-104

9 years ago libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()
Stefan Metzmacher [Mon, 22 Dec 2014 20:48:18 +0000 (21:48 +0100)]
libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()
Stefan Metzmacher [Tue, 20 Jan 2015 10:52:22 +0000 (10:52 +0000)]
s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()

This avoids writing invalid memory, because num_keys was calculated
in a wrong way...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago libsmb: provide authinfo domain for encrypted session referrals
David Disseldorp [Mon, 19 Jan 2015 12:39:35 +0000 (13:39 +0100)]
libsmb: provide authinfo domain for encrypted session referrals

6c9de0cd056afc0b478c02f1bdb0e06532388037 requires this extra change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 21 04:29:06 CET 2015 on sn-devel-104

9 years ago CodingStyle: Update example to use our coding practice.
Andreas Schneider [Tue, 20 Jan 2015 11:07:38 +0000 (12:07 +0100)]
CodingStyle: Update example to use our coding practice.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 20 18:51:55 CET 2015 on sn-devel-104

9 years ago tdb_wrap: don't let tdb_wrap_open() segfault with name==NULL
Stefan Metzmacher [Mon, 19 Jan 2015 11:37:13 +0000 (12:37 +0100)]
tdb_wrap: don't let tdb_wrap_open() segfault with name==NULL

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11032

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jan 19 16:17:28 CET 2015 on sn-devel-104

9 years ago selftest: use env.SELFTEST_PREFIX to define subunit_cache
Stefan Metzmacher [Sat, 10 Jan 2015 08:51:45 +0000 (09:51 +0100)]
selftest: use env.SELFTEST_PREFIX to define subunit_cache

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
9 years ago README.Coding: Add hint for if-statements
Volker Lendecke [Mon, 19 Jan 2015 09:48:20 +0000 (10:48 +0100)]
README.Coding: Add hint for if-statements

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 19 13:25:12 CET 2015 on sn-devel-104

9 years ago docs/idmap_rid: remove deprecated base_rid from example
David Disseldorp [Fri, 16 Jan 2015 15:21:24 +0000 (16:21 +0100)]
docs/idmap_rid: remove deprecated base_rid from example

The base_rid option has been deprecated for some time. Specifying a
value of 1000 (as recommended in the parameter description and example
section) can result in failed mapping of group SIDs, where RIDs do not
start at 1000.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jan 19 09:09:22 CET 2015 on sn-devel-104

9 years ago libsmb: provide authinfo domain for DFS referral auth
David Disseldorp [Fri, 16 Jan 2015 15:21:23 +0000 (16:21 +0100)]
libsmb: provide authinfo domain for DFS referral auth

libsmbclient uses the smbc_init->smbc_get_auth_data_fn() provided
workgroup/domain in initial connections, but then switches to the
default smb.conf workgroup/domain when handling DFS referrals.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago libsmb: reuse connections derived from DFS referrals
David Disseldorp [Fri, 16 Jan 2015 15:21:22 +0000 (16:21 +0100)]
libsmb: reuse connections derived from DFS referrals

[MS-DFSC] 3.2.1.1 and 3.2.1.2 state that DFS targets with the same site
location or relative cost are placed in random order in a DFS referral
response.

libsmbclient currently resolves DFS referrals on every API call, always
using the first entry in the referral response. With random ordering,
libsmbclient may open a new server connection, rather than reuse an
existing (cached) connection established in a previous DFS referred API
call.

This change sees libsmbclient check the connection cache for any of the
DFS referral response entries before creating a new connection.

This change is based on a patch by Har Gagan Sahai
<SHarGagan@novell.com>.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10123

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago utils: Fix 'net time' segfault.
Andreas Schneider [Tue, 13 Jan 2015 16:04:26 +0000 (17:04 +0100)]
utils: Fix 'net time' segfault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058

This is part two of the bugfix. Make sure we pass the IP we found to
cli_servertime(). Hence we always pass at least one of name or IP.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>