Andrew Bartlett [Tue, 23 May 2017 03:11:59 +0000 (15:11 +1200)]
dsdb: Teach the Samba partition module how to lock all the DB backends
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 16 Jun 2017 03:49:45 +0000 (15:49 +1200)]
dsdb: Add test showing that the whole DB (including partitions) is locked during a search
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 11 Apr 2017 15:50:08 +0000 (17:50 +0200)]
TODO: ldb: version 1.1.32
* fix ldb_tdb locking (performance) problems
* fix ldb_tdb search inconsistencies
* add cmocka based tests for the locking issues
TODO: review...
Andrew Bartlett [Fri, 16 Jun 2017 03:49:16 +0000 (15:49 +1200)]
ldb: Extend api.py testsuite to show transaction_commit() blocks against the whole-db read lock
The new ldb whole-db lock behaviour now allows this test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 16 Jun 2017 03:44:46 +0000 (15:44 +1200)]
ldb: Extend api.py testsuite to show transaction contents can not be seen outside the transaction
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 16 Jun 2017 00:19:00 +0000 (12:19 +1200)]
ldb: Add test to show that locks are released on TALLOC_FREE(req)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 16 Jun 2017 00:18:39 +0000 (12:18 +1200)]
ldb: Correct comment about version numbers
(ldb releases have been made while this patch set was in train)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 15 Jun 2017 01:56:46 +0000 (13:56 +1200)]
ldb: Lock the whole backend database for the duration of a search
We must hold locks not just for the duration of each search, but for the whole search
as our module stack may make multiple search requests to build up the whole result.
This explains a number of replication and read corruption issues in Samba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 11 May 2017 23:39:08 +0000 (01:39 +0200)]
ldb_tdb: Implement read_lock and read_unlock module operations
This allows Samba to provide a consistent view of the DB
despite the use of multiple databases via the partitions module
and over multiple callbacks via a module stack.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 15 Jun 2017 00:10:51 +0000 (12:10 +1200)]
ldb: Add read_lock and read_unlock to ldb_module_ops
This will be used to implement read locking in ldb_tdb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 22 May 2017 04:18:20 +0000 (16:18 +1200)]
ldb: Add test encoding current locking behaviour during ldb_search()
Currently, a lock is not held against modifications once the final
record is returned via a callback, so modifications can be made
during the DONE callback. This makes it hard to write modules
that interpret an ldb search result and do further processing
so will change in the future to allow the full search to be
atomic.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 25 Apr 2017 10:33:53 +0000 (22:33 +1200)]
ldb: Show that writes do not appear during an ldb_search()
A modify or rename during a search must not cause a search to change
output, and attributes having an index should in particular not see
any change in behaviour in this respect
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 29 Mar 2017 23:03:17 +0000 (12:03 +1300)]
ldb_tdb: Ensure we correctly decrement ltdb->read_lock_count
If we do not do this, then we never take the all record lock, and instead do a lock
for every record as we go, which is very slow during a large search
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Stefan Metzmacher [Tue, 11 Apr 2017 15:27:33 +0000 (17:27 +0200)]
TODO: tdb: version 1.3.14
* allow tdb_traverse_read before tdb_transaction[_prepare]_commit()
Andrew Bartlett [Fri, 31 Mar 2017 04:34:13 +0000 (17:34 +1300)]
tdb: Remove locking from tdb_traverse_read()
This restores the original intent of tdb_traverse_read() in 7dd31288a701d772e45b1960ac4ce4cc1be782ed
This is needed to avoid a deadlock with tdb_lockall() and the
transaction start, as ldb_tdb should take the allrecord lock during a
search (which calls tdb_traverse), and can otherwise deadlock against
a transaction starting in another process
We add a test to show that a transaction can now start while a read
traverse is in progress
This allows more operations to happen in parallel. The blocking point
is moved to the prepare commit.
This in turn permits roughly a doubling of unindexed search
performance, because currently ldb_tdb omits to take the lock due to
an unrelated bug, but taking the allrecord lock triggers the
above-mentioned deadlock.
This behaviour was added in 251aaafe3a9213118ac3a92def9ab2104c40d12a for Solaris 10 in 2005.
But the run-fcntl-deadlock test works also on Solaris 10,
see https://lists.samba.org/archive/samba-technical/2017-April/119876.html.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 8 Jun 2017 11:05:26 +0000 (23:05 +1200)]
dsdb: Rework schema_init module to avoid database write and use valid memory
The schema can go away unless the second argument (the memory context) is supplied
There is no need to write the @ATTRIBUTES and @INDEXLIST on every DB load
we only need to write it if the schema is changed, and the repl_meta_data module
will notice if that happens and trigger the DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
extended operation.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sat, 10 Jun 2017 07:23:34 +0000 (19:23 +1200)]
dsdb: Add comment explaining requirements on DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jun 16 23:43:46 CEST 2017 on sn-devel-144
Andrew Bartlett [Thu, 8 Jun 2017 11:17:20 +0000 (23:17 +1200)]
dsdb: Do not prevent searches for @ATTRIBUTES because the DB is not set up yet
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 6 Jun 2017 22:44:50 +0000 (10:44 +1200)]
dsdb: Do not run dsdb_replace() on the calculated difference between old and new schema
We can set the database @INDEXLIST and @ATTRIBUTES to the full calculated
values, not the difference, and let the ldb layer work it out under the
transaction lock.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Fri, 16 Jun 2017 02:13:42 +0000 (14:13 +1200)]
selftest: confirm that two attributes are also correctly set in the @ records
This shows that the current behaviour in dsdb_schema_set_indices_and_attributes(), while
not ideal, is not actually buggy.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 14 Jun 2017 01:11:56 +0000 (13:11 +1200)]
selftest: Fix failure message in dsdb_schema_info
The rename changes the CN, not the lDAPDisplayName
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sun, 11 Jun 2017 21:19:01 +0000 (23:19 +0200)]
krb5_wrap: handle KRB5_ERR_HOST_REALM_UNKNOWN in smb_krb5_get_realm_from_hostname()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 May 2017 13:05:25 +0000 (15:05 +0200)]
s4:gensec_gssapi: fix CID 1409781: Possible Control flow issues (DEADCODE)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Thu, 15 Jun 2017 04:20:11 +0000 (16:20 +1200)]
selftest: Also wait for winbindd to start
This ensures that the posixacl.py test does not race against winbindd starting up and so
give wrong mappings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 15 Jun 2017 04:19:17 +0000 (16:19 +1200)]
selftest: Correctly print message when nbt is not up in 20 seconds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Thu, 15 Jun 2017 09:48:24 +0000 (11:48 +0200)]
tevent_threads: Fix a rundown race introduced with 1828011317b
The race is easily reproduced by adding a poll(NULL,0,10) in between the two
pthread_mutex_unlock calls in _tevent_threaded_schedule_immediate.
Before 1828011317b, the main thread was signalled only after the helper
had already unlocked event_ctx_mutex.
Full explanation follows:
-----------------------------------------------------------------
Inside _tevent_threaded_schedule_immediate() we have:
476 ret = pthread_mutex_unlock(&ev->scheduled_mutex);
477 if (ret != 0) {
478 abort();
479 }
HERE!!!!
481 ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
482 if (ret != 0) {
483 abort();
484 }
At the HERE!!! point, what happens is tevent_common_threaded_activate_immediate(),
which is blocked on ev->scheduled_mutex, gets released and does:
514 while (ev->scheduled_immediates != NULL) {
515 struct tevent_immediate *im = ev->scheduled_immediates;
516 DLIST_REMOVE(ev->scheduled_immediates, im);
517 DLIST_ADD_END(ev->immediate_events, im);
518 }
- making an immediate event ready to be scheduled.
This then returns into epoll_event_loop_once(), which then calls:
910 if (ev->immediate_events &&
911 tevent_common_loop_immediate(ev)) {
912 return 0;
913 }
which causes the immediate event to fire. This immediate
event is the pthread job terminate event, which was previously
set up in pthreadpool_tevent_job_signal() by:
198 if (state->tctx != NULL) {
199 /* with HAVE_PTHREAD */
200 tevent_threaded_schedule_immediate(state->tctx, state->im,
201 pthreadpool_tevent_job_done,
202 state);
So we now call pthreadpool_tevent_job_done() - which does:
225 TALLOC_FREE(state->tctx);
calling tevent_threaded_context_destructor():
384 ret = pthread_mutex_destroy(&tctx->event_ctx_mutex); <---------------- BOOM returns an error !
385 if (ret != 0) {
386 abort();
387 }
as we haven't gotten to line 481 above (the line after
HERE!!!!) so the tctx->event_ctx_mutex is still
locked when we try to destroy it.
So doing an additional:
ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
(error checking elided) forces tevent_threaded_context_destructor()
to wait until tctx->event_ctx_mutex is unlocked before it locks/unlocks
and then is guaranteed safe to destroy.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
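The rundown race and the lock/unlock fix described in the commit message above, as an added stand-alone example (not Samba code, and not part of the commit). The names `demo_tctx`, `helper`, `demo_destructor` and `rundown` are hypothetical, and a `pthread_mutex_trylock()` probe stands in for calling `pthread_mutex_destroy()` on a locked mutex so that the unfixed path stays within defined behaviour.

```c
#include <errno.h>
#include <poll.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the two mutexes named in the commit message. */
struct demo_tctx {
	pthread_mutex_t event_ctx_mutex; /* held by the helper while scheduling */
	pthread_mutex_t scheduled_mutex; /* protects the "scheduled" flag */
	pthread_cond_t scheduled_cond;
	bool scheduled;
	int delay_ms;                    /* widens the window, like poll(NULL,0,10) */
};

/* Helper thread: mirrors the unlock order in _tevent_threaded_schedule_immediate(). */
static void *helper(void *arg)
{
	struct demo_tctx *t = arg;

	pthread_mutex_lock(&t->event_ctx_mutex);
	pthread_mutex_lock(&t->scheduled_mutex);
	t->scheduled = true;
	pthread_cond_signal(&t->scheduled_cond);
	pthread_mutex_unlock(&t->scheduled_mutex); /* "line 476": main may run now */
	poll(NULL, 0, t->delay_ms);                /* the HERE!!!! point */
	pthread_mutex_unlock(&t->event_ctx_mutex); /* "line 481" */
	return NULL;
}

/*
 * Main-thread destructor. With wait_for_helper set it does the extra
 * lock/unlock pair from the fix, which blocks until the helper has released
 * event_ctx_mutex. Returns 0 if the mutex was free and destroyed, or EBUSY
 * if it was still held at the point where destroy would have been called.
 */
static int demo_destructor(struct demo_tctx *t, bool wait_for_helper)
{
	int ret;

	if (wait_for_helper) {
		pthread_mutex_lock(&t->event_ctx_mutex);
		pthread_mutex_unlock(&t->event_ctx_mutex);
	}
	ret = pthread_mutex_trylock(&t->event_ctx_mutex);
	if (ret != 0) {
		return ret; /* still locked by the helper: destroy would fail */
	}
	pthread_mutex_unlock(&t->event_ctx_mutex);
	return pthread_mutex_destroy(&t->event_ctx_mutex);
}

/* Run one helper/main rundown and report what the destructor saw. */
int rundown(bool wait_for_helper, int delay_ms)
{
	struct demo_tctx t = { .scheduled = false, .delay_ms = delay_ms };
	pthread_t thr;
	int ret;

	pthread_mutex_init(&t.event_ctx_mutex, NULL);
	pthread_mutex_init(&t.scheduled_mutex, NULL);
	pthread_cond_init(&t.scheduled_cond, NULL);
	if (pthread_create(&thr, NULL, helper, &t) != 0) {
		return -1;
	}

	/* Main thread: woken as soon as the helper drops scheduled_mutex. */
	pthread_mutex_lock(&t.scheduled_mutex);
	while (!t.scheduled) {
		pthread_cond_wait(&t.scheduled_cond, &t.scheduled_mutex);
	}
	pthread_mutex_unlock(&t.scheduled_mutex);

	ret = demo_destructor(&t, wait_for_helper);

	pthread_join(thr, NULL);
	if (ret != 0) {
		/* Helper has finished, so the mutex is free and can be cleaned up. */
		pthread_mutex_destroy(&t.event_ctx_mutex);
	}
	pthread_mutex_destroy(&t.scheduled_mutex);
	pthread_cond_destroy(&t.scheduled_cond);
	return ret;
}

int main(void)
{
	printf("without lock/unlock before destroy: %d (EBUSY=%d)\n",
	       rundown(false, 10), EBUSY);
	printf("with lock/unlock before destroy:    %d\n", rundown(true, 10));
	return 0;
}
```

On systems where libpthread is a separate library, build with `-pthread`.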
Andrew Bartlett [Tue, 13 Jun 2017 03:23:14 +0000 (15:23 +1200)]
dsdb: Remember the last ACL we read during a search and what it expanded to
It may well be the same as the next one we need to check, so we can
avoid parsing it again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 16 07:39:24 CEST 2017 on sn-devel-144
Andrew Bartlett [Tue, 13 Jun 2017 02:26:49 +0000 (14:26 +1200)]
dsdb: Cache the result of checking the parent ACL
This should help a lot for large one-level searches and for subtree searches that are of
flat tree structures
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Fri, 7 Apr 2017 09:22:25 +0000 (11:22 +0200)]
WHATSNEW: change the default for "map untrusted to domain" to "auto"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Mar 2017 11:11:26 +0000 (12:11 +0100)]
docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.
Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Mar 2017 11:11:26 +0000 (12:11 +0100)]
docs-xml: document "map untrusted to domain = auto"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 10 Jun 2017 11:30:44 +0000 (13:30 +0200)]
docs-xml: improve documentation of "map untrusted to domain"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Mar 2017 11:08:20 +0000 (12:08 +0100)]
auth3: prepare the logic for "map untrusted to domain = auto"
This implements the same behavior as Windows,
we should pass the domain and account names given
by the client directly to the auth backends,
they can decide if they are able to process the
authentication or pass it to the next backend.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2017 14:09:26 +0000 (15:09 +0100)]
auth3: call is_trusted_domain() as the last condition in make_user_info_map()
We should avoid contacting winbind if we already know the domain is our
local sam or our primary domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Jun 2017 22:53:03 +0000 (10:53 +1200)]
gitignore: ignore .gpg-* generated files (for ubuntu 16.04)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 21:40:08 CEST 2017 on sn-devel-144
Douglas Bagnall [Wed, 7 Jun 2017 05:45:15 +0000 (17:45 +1200)]
repl_meta_data: single valued error codes depend on change type
A replace leads to CONSTRAINT_VIOLATION while an add causes
ATTRIBUTE_OR_VALUE_EXISTS. For this we need to check the mod type
before the replmd_modify_la_* calls because they change everything
into a replace.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 31 May 2017 05:40:05 +0000 (17:40 +1200)]
replmd: special-case member return value in replmd_add_fix_la()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 31 May 2017 03:22:45 +0000 (15:22 +1200)]
replmd: check duplicate linked attributes
This is simple enough because we already have the sorted list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 26 May 2017 03:17:21 +0000 (15:17 +1200)]
replmd: check single values in replmd_add_fix_la
repl_meta_data knows whether linked attributes are appropriately
[un-]duplicated, and this is how it tells ldb_tdb that.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Jun 2017 23:34:20 +0000 (11:34 +1200)]
ldb: 1.1.31
* Add efficient function to find duplicate values in ldb messages
(this makes large multi-valued attributes in ldb_tdb more efficient)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Wed, 14 Jun 2017 23:30:33 +0000 (11:30 +1200)]
ldb: relatively efficient functions for finding duplicate values
ldb backends need to make sure they are not adding duplicate values to
multi-valued attributes in ADD and MODIFY operations. Until now they
have done this inefficiently using nested loops. Here we add common
functions that deal with large numbers of values in O(n log n) time,
but continue to use the simple methods for small numbers of values.
These functions take a struct ldb_context pointer and an options flag
arguments, although the ldb is not used, and only one bit of the
options has meaning. This is to allow further patches to switch on
schema-aware comparisons.
This entails an ABI jump to add the two new functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 1 Jun 2017 00:20:15 +0000 (12:20 +1200)]
dsdb/tests/ldap: test single valued linked attributes
This fails, so we add it to selftest/knownfail.d/
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 31 May 2017 05:42:01 +0000 (17:42 +1200)]
s4/linked_attribute tests: test duplicate values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 26 May 2017 03:41:34 +0000 (15:41 +1200)]
dsdb/tests/ldap: multivalued attributes
Various return codes tested against Windows 2012r2.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 7 Jun 2017 05:44:25 +0000 (17:44 +1200)]
python/test: delete_force() passes on command line args
This allows you to use e.g.:
delete_force(self.ldb, ou, controls=['tree_delete:1'])
Only in tests of course.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 6 Jun 2017 23:29:23 +0000 (11:29 +1200)]
ldb.h whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 19 May 2017 00:03:37 +0000 (12:03 +1200)]
ldb tests/ldb_mod_op_test: don't double include cmocka.h
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 19 May 2017 04:09:20 +0000 (16:09 +1200)]
ldb: fix a typo
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 17 May 2017 00:00:55 +0000 (12:00 +1200)]
ldb: fix whitespace in ldb_msg.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 30 May 2017 14:30:33 +0000 (16:30 +0200)]
libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
Volker Lendecke [Wed, 14 Jun 2017 11:57:56 +0000 (13:57 +0200)]
g_lock: open with LOCK_ORDER_3
xattr_tdb needs g_lock in a clustered environment. Nobody else
uses LOCK_ORDER_3 at this moment, so this looks safe.
The last one to use this was dbwrap_watch.tdb, and that's gone. The only
other one was notify_index.tdb, and that's gone too.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 22 May 2017 14:00:08 +0000 (16:00 +0200)]
smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.
At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due to the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 May 2017 08:48:15 +0000 (10:48 +0200)]
torture3: Test heuristic cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 22 May 2017 15:05:57 +0000 (17:05 +0200)]
g_lock: Heuristically check for server existence
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 21 May 2017 06:56:01 +0000 (08:56 +0200)]
torture3: Test lock conflict and cleanup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 15:02:08 +0000 (17:02 +0200)]
torture3: Test lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 14:57:00 +0000 (16:57 +0200)]
g_lock: Allow lock upgrade/downgrade
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 19 May 2017 14:59:06 +0000 (16:59 +0200)]
torture3: Test g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 13:27:46 +0000 (15:27 +0200)]
g_lock: Make g_lock_dump return a complete list of locks
To be honest, it did not really make sense to just pass in
lock holders individually. You could argue that it made sense
with in reality only G_LOCK_WRITE around, but soon we will have
G_LOCK_READ and thus multiple lock holders on a single lock.
Now that we also have userdata, change the g_lock_dump API
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 23 May 2017 10:32:24 +0000 (12:32 +0200)]
g_lock: Add g_lock_write_data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 14:22:15 +0000 (16:22 +0200)]
g_lock: Make g_lock_record_store also store userdata
Sequel to the previous commit changing the get/put routines for
the on-disk format
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 11:59:20 +0000 (13:59 +0200)]
g_lock: Reformat to allow userdata
The next patches will make g_locks carry data. This
prepares the on-disk format.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 08:37:30 +0000 (10:37 +0200)]
g_lock: Move parsing routines together
No code change, just shuffling around:
Before this patchset, g_lock_parse was somewhere in the middle. This carries no
real logic, put it on top.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: unparse->put
Make it more in line with server_id_get/put
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:53:14 +0000 (16:53 +0200)]
g_lock: parse->get
Make it more in line with server_id_get/put
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:43:01 +0000 (16:43 +0200)]
g_lock: Remove a pointless "else"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 14:40:45 +0000 (16:40 +0200)]
g_lock: Remove unused g_lock_get
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 03:52:56 +0000 (05:52 +0200)]
g_lock: Make it endian-neutral
Add explicit parsing
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 17 May 2017 03:54:36 +0000 (05:54 +0200)]
g_lock: More correct error msg
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 16 May 2017 13:05:49 +0000 (15:05 +0200)]
torture3: Initial test g_lock
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 24 May 2017 11:27:18 +0000 (13:27 +0200)]
g_lock: Fix two typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 11:15:27 +0000 (13:15 +0200)]
s4:ldap_server: implement async BindSASL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 12 May 2017 10:41:13 +0000 (12:41 +0200)]
s4:ldap_server: set result = LDAP_SUCCESS at the end, when we're really done
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:38:59 +0000 (12:38 +0200)]
s4:ldap_server: avoid using talloc_reference()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:31:25 +0000 (12:31 +0200)]
s4:ldap_server: remove useless NT_STATUS_IS_OK(status) check
We checked a few lines above already, check with:
git show -U10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level around ldapsrv_backend_Init()
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:27:26 +0000 (12:27 +0200)]
s4:ldap_server: remove useless indentation level around gensec_session_info()
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:26:12 +0000 (12:26 +0200)]
s4:ldap_server: make the gensec_create_tstream() error checking more clear
Check with 'git show -w'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 13:28:53 +0000 (15:28 +0200)]
s4:ldap_server: only touch conn->session_info on success in ldapsrv_BindSASL()
The old conn->session_info (as well as conn->ldb) should only be changed
after a successful Bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:09:38 +0000 (12:09 +0200)]
s4:ldap_server: terminate the connection if talloc_reference fails
talloc_reference will be removed completely in the next commits...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:07:31 +0000 (12:07 +0200)]
s4:ldap_server: remove pointless (result != LDAP_SUCCESS) check
We set result = LDAP_SUCCESS above and have goto do_reply;
in all cases where we overwrite 'result'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:04:59 +0000 (12:04 +0200)]
s4:ldap_server: do the transport validation before calling gensec_create_tstream()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:18:07 +0000 (21:18 +0200)]
s4:ldap_server: use talloc_zero for ldapsrv_sasl_postprocess_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:17:40 +0000 (21:17 +0200)]
s4:ldap_server: drop the connection if we fail to allocate ldapsrv_sasl_postprocess_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:14:00 +0000 (21:14 +0200)]
s4:ldap_server: only set *resp->SASL.secblob = output for OK or MORE_PROCESSING_REQUIRED
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:11:00 +0000 (21:11 +0200)]
s4:ldap_server: remove indentation level for the valid credential case
Check with git show -w.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 10:44:05 +0000 (12:44 +0200)]
s4:ldap_server: make sure we destroy the gensec context on error
If the client tries a new bind we need to start with a fresh context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 12 May 2017 14:04:02 +0000 (16:04 +0200)]
s4:ldap_server: avoid pointless check around LDAP_INVALID_CREDENTIALS
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 19:09:08 +0000 (21:09 +0200)]
s4:ldap_server: move invalid credential handling before the success handling.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:13:49 +0000 (19:13 +0200)]
s4:ldap_server: remove a useless indentation level from gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:11:43 +0000 (19:11 +0200)]
s4:ldap_server: always allocate resp->SASL.secblob
The code path with resp->SASL.secblob = NULL was completely untested
(and wrong) as ldapsrv_setup_gensec() is very unlikely to ever fail.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:04:27 +0000 (19:04 +0200)]
s4:ldap_server: add use goto do_reply; to make the logic in ldapsrv_BindSASL() more sane
The following patches will simplify the logic by avoiding else branches
by using early returns.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 16:53:06 +0000 (18:53 +0200)]
s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 16:04:15 +0000 (18:04 +0200)]
s4:ldap_server: implement async BindSimple
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 15:05:02 +0000 (17:05 +0200)]
s4:auth: add authenticate_ldap_simple_bind_send/recv
TODO: we need to make the backend async.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 13:02:41 +0000 (15:02 +0200)]
s4:ldap_server: improve ldapsrv_UnbindRequest implementation
We should abandon outstanding requests and disconnect the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 14:51:15 +0000 (16:51 +0200)]
s4:ldap_server: add call->wait_send/recv infrastructure
If it is set by the dispatch functions, the core server
will use call->wait_send() and wait for it to finally
return from call->wait_recv() before it asks for the
next incoming pdu.
This can be used to implement bind as async operations.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 13 May 2017 06:20:00 +0000 (08:20 +0200)]
s4:ldap_server: don't log Unbind and Abandon requests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 14:37:21 +0000 (16:37 +0200)]
s4:ldap_server: introduce a ldapsrv_call_destructor()
This makes sure that a call doesn't become a stale
member of the conn->pending_calls list.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 May 2017 17:07:04 +0000 (19:07 +0200)]
s4:ldap_server: use talloc_zero() in ldapsrv_init_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>