abartlet/samba.git/.git
9 years ago dsdb: Do not use _ prefix in tombstone_reanimate module [tombstone-reanimation-wip]
Andrew Bartlett [Thu, 22 Jan 2015 04:22:52 +0000 (17:22 +1300)]
dsdb: Do not use _ prefix in tombstone_reanimate module

This should only be used by the C library.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Refactor user objects defaults setter to use attribute/value map
Kamen Mazdrashki [Wed, 21 Jan 2015 01:03:54 +0000 (03:03 +0200)]
s4-dsdb: Refactor user objects defaults setter to use attribute/value map

Change-Id: Iaa32af4225219a4c5c42c663022e8be429b8a1d2
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: common helper to determine "primaryGroupID" attribute value
Kamen Mazdrashki [Sun, 18 Jan 2015 21:58:13 +0000 (23:58 +0200)]
s4-dsdb: common helper to determine "primaryGroupID" attribute value

At the moment the current implementation does not check whether the group RID
is an existing group RID - this responsibility is left to the caller.

Change-Id: I8c58dd23a7185d63fa2117be0617884eb78d13c1
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Common helper for setting "sAMAccountType" on User objects
Kamen Mazdrashki [Mon, 12 Jan 2015 02:46:38 +0000 (04:46 +0200)]
s4-dsdb: Common helper for setting "sAMAccountType" on User objects

Change-Id: I4480e7d1ed0c754e960028e0be9a90ee56935e94
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Move User object default attribute values in separate helper
Kamen Mazdrashki [Mon, 12 Jan 2015 01:30:17 +0000 (03:30 +0200)]
s4-dsdb: Move User object default attribute values in separate helper

Change-Id: I1e291bcf0a5c9b2fca11323dc7f8be29f5145d42
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-tests: Add tombstone_reanimation test case to s4 test suite
Kamen Mazdrashki [Tue, 20 Jan 2015 23:03:13 +0000 (01:03 +0200)]
s4-tests: Add tombstone_reanimation test case to s4 test suite

DC, USERNAME and PASSWORD are passed as environment variables
prefixed with TEST_

Change-Id: I84ff628496bfa3e0538011400328585d080f21b8
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle it
Kamen Mazdrashki [Sun, 28 Dec 2014 02:23:33 +0000 (04:23 +0200)]
s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle it

Change-Id: I3483c5aa50de2f7aca19e4d7cc4fa49bbe5f889d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Use common base method for restoring Deleted objects
Kamen Mazdrashki [Thu, 27 Nov 2014 16:49:15 +0000 (17:49 +0100)]
s4-dsdb-test: Use common base method for restoring Deleted objects

Change-Id: I266b58ced814cf7ea3616862506df5b55f4f1d8c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/samldb: Don't allow rename requests on Deleted object
Kamen Mazdrashki [Thu, 27 Nov 2014 05:20:33 +0000 (06:20 +0100)]
s4-dsdb/samldb: Don't allow rename requests on Deleted object

Windows behavior in case of renaming Deleted object is:
* return ERR_NO_SUCH_OBJECT in case client is not providing
  SHOW_DELETED control
* ERR_UNWILLING_TO_PERFORM otherwise

Renaming of Deleted objects is allowed only through special
Tombstone reanimation modify request

Change-Id: I1eb33fc294a5de44917f6037988ea6362e6e21fc
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC test
Kamen Mazdrashki [Thu, 27 Nov 2014 04:20:22 +0000 (05:20 +0100)]
s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC test

This way we ensure that samdb is clean before we make the test

Change-Id: I3c6fc94763807394e52b6df41548e9aba8b452c1
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/samldb: Relax a bit restrictions in Config partition while
Kamen Mazdrashki [Thu, 27 Nov 2014 04:15:58 +0000 (05:15 +0100)]
s4-dsdb/samldb: Relax a bit restrictions in Config partition while
restoring deleted object

Change-Id: Iead460d24058b160b46cf3ddedaf4d84b844da4d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/samdb: Don't relax contraint checking during rename for Deleted objects
Kamen Mazdrashki [Wed, 26 Nov 2014 20:53:53 +0000 (21:53 +0100)]
s4-dsdb/samdb: Don't relax contraint checking during rename for Deleted objects

Now we have a module to handle Tombstone reanimation
and it is better we do all the checks here as usual

Change-Id: Ia5d28d64e99f7a961cfe8b9aa7cc96e4ca56192e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test/reanimate: Fix whitespaces according to PEP8
Kamen Mazdrashki [Wed, 26 Nov 2014 05:59:09 +0000 (06:59 +0100)]
s4-dsdb-test/reanimate: Fix whitespaces according to PEP8

Change-Id: I7b46992c80178d40a0531b5afd71a7783068a9dd
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Move base tests for Tombstone reanimation in tombstone_reanimation...
Kamen Mazdrashki [Wed, 26 Nov 2014 05:23:51 +0000 (06:23 +0100)]
s4-dsdb-tests: Move base tests for Tombstone reanimation in tombstone_reanimation module

So we have them all in one place.

While moving, I have:
* inherited from the base class for Tombstone reanimations
* replaced self.ldb with self.samdb

Change-Id: Id3e4f02cc2e0877d736da812c14c91e2311203d2
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Fix duplicated key in a dictionary in sam.py
Kamen Mazdrashki [Fri, 21 Nov 2014 18:31:25 +0000 (19:31 +0100)]
s4-dsdb-test: Fix duplicated key in a dictionary in sam.py

Change-Id: Ie33d92bd308262d9bfda553d6d5e2cfd98f6d7b3
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/objectclass: remove duplicated declaration for objectclass_do_add
Kamen Mazdrashki [Sun, 16 Nov 2014 02:35:01 +0000 (03:35 +0100)]
s4-dsdb/objectclass: remove duplicated declaration for objectclass_do_add

Change-Id: Ib88a45cea64fb661a41ca3b4a3df9dabf509fc6c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: remove trailing ';' in ldap.py
Kamen Mazdrashki [Sun, 16 Nov 2014 02:34:22 +0000 (03:34 +0100)]
s4-dsdb-test: remove trailing ';' in ldap.py

Change-Id: I5edc6e017b576791c1575f71a625c49ccc88fe8f
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/reanimate: Group objects reanimation implementation
Kamen Mazdrashki [Thu, 13 Nov 2014 03:11:08 +0000 (04:11 +0100)]
s4-dsdb/reanimate: Group objects reanimation implementation

Change-Id: Iea92924ff6b33fa3723b104d5dfff1ce5a7a09b0
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/reanimate: Swap rename->modify operations to modify->rename sequence
Kamen Mazdrashki [Fri, 7 Nov 2014 06:11:59 +0000 (07:11 +0100)]
s4-dsdb/reanimate: Swap rename->modify operations to modify->rename sequence

This way it is more visible that we work on 'deleted object' during modify
and also will help us to handle 'stop rename for deleted objects'
properly in future

[MS-ADTS]: 3.1.1.5.3.7.3 Undelete Processing Specifics

Change-Id: I9bb644e099a4a2afcb261ad22515c9c4ce4875bb
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/reanimate: Use 'show deleted' control in modify operations too
Kamen Mazdrashki [Fri, 7 Nov 2014 06:08:29 +0000 (07:08 +0100)]
s4-dsdb/reanimate: Use 'show deleted' control in modify operations too

Before committing changes, object is still deleted - isDeleted = true

Change-Id: Ie1ab53dc594d1bfaf5b9e06316e7a1fc0dd4b8cb
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate
Kamen Mazdrashki [Fri, 7 Nov 2014 06:07:07 +0000 (07:07 +0100)]
s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate

tombstone_reanimate.c module is going to restore those attributes
and it needs a way to propagate them to DB

Change-Id: I36f30b33fa204fd28329eab01044a125f7a3f08e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/samldb: Fix type "omputer" -> "computer"
Kamen Mazdrashki [Fri, 7 Nov 2014 06:05:56 +0000 (07:05 +0100)]
s4-dsdb/samldb: Fix type "omputer" -> "computer"

Change-Id: Ic56c6945528b7f60becc4f0b318429f4c22c3d2e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb/reanimate: Implement attribute_restore function
Kamen Mazdrashki [Fri, 7 Nov 2014 06:04:30 +0000 (07:04 +0100)]
s4-dsdb/reanimate: Implement attribute_restore function

At the moment it works for objects with objectClass user + a common
case of removing isRecycled attribute

Change-Id: I70b0ef0ef65c13d3def82ca53ace52a85a078a37
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()
Kamen Mazdrashki [Fri, 7 Nov 2014 06:02:51 +0000 (07:02 +0100)]
s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()

At the moment no flags are set and it works fine, since this function
is solely used in samldb during ADD requests handling.
Pre-setting a flag makes it useful for other modules and request
handlers too

Change-Id: I7e43dcbe2a8f34e3b0ec16ae2db80ef436df8bfe
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Fix Undelete tests after subunit upgrade work
Kamen Mazdrashki [Thu, 6 Nov 2014 03:10:42 +0000 (04:10 +0100)]
s4-dsdb-test: Fix Undelete tests after subunit upgrade work

Change-Id: I4712a2a2163a57fde037511afcc1cb7bee05f12e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Use case insensitive comparison for DNs in undelete test
Kamen Mazdrashki [Thu, 6 Nov 2014 02:01:54 +0000 (03:01 +0100)]
s4-dsdb-test: Use case insensitive comparison for DNs in undelete test

Change-Id: I4a009bb7ed58ab857ac74a235bb5f580911f0d92
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Initial implementation for Tombstone restore test suite
Kamen Mazdrashki [Tue, 20 Jan 2015 22:58:56 +0000 (00:58 +0200)]
s4-dsdb-test: Initial implementation for Tombstone restore test suite

Change-Id: Ib35ff930b6e7cee14317328b6fe25b59eec5262c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
Kamen Mazdrashki [Wed, 5 Nov 2014 05:26:25 +0000 (06:26 +0100)]
s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment

This is to help me port Python tests to be more Unit test alike
and remove all global handling.
Starting from a new test suite - tombstone_reanimation.py

Andrew Bartlett raised his concerns that passing parameters
through environment may make tests hard to trace for
failures. However, passing parameters on command line
is not Unit test alike either. After discussing this with him
offline, we agreed to continue this approach, but prefix
environment variables with "TEST_", so that an env var
should not be used by coincidence.

Change-Id: I29445c42cdcafede3897c8dd1f1529222a74afc9
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with acl
Nadezhda Ivanova [Tue, 4 Nov 2014 18:24:11 +0000 (20:24 +0200)]
s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with acl

Change-Id: Idad221c7ecf778fd24f6017bb4c6eacac541086a
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Implementation of access checks on a undelete operation
Nadezhda Ivanova [Tue, 4 Nov 2014 18:21:57 +0000 (20:21 +0200)]
s4-dsdb: Implementation of access checks on a undelete operation

Special Reanimate-Tombstone access right is required, as well as most of
the checks on a standard rename.

Change-Id: Idae5101a5df4cd0d54fe4ab2f7e5ad7fc1c23648
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Tests for security checks on undelete operation
Nadezhda Ivanova [Tue, 4 Nov 2014 18:08:58 +0000 (20:08 +0200)]
s4-dsdb: Tests for security checks on undelete operation

Implemented according to MS-ADTS 3.1.1.5.3.7.1. Unfortunately it appears
LC is also necessary, and it is not granted by default to anyone but
System and Administrator, so tests had to be done negatively

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: Ic03b8fc4e222e7842ec8a9645a1bb33e7df9c438

9 years ago s4-dsdb: Mark request during Tombstone reanimation with custom LDAP control
Kamen Mazdrashki [Tue, 4 Nov 2014 03:17:35 +0000 (04:17 +0100)]
s4-dsdb: Mark request during Tombstone reanimation with custom LDAP control

We are going to need this so that underlying modules (acl.c)
can treat those requests properly

Change-Id: I6c12069aa6e7e01197dddda6c610d930d3fd9cb0
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Implement rename/modify requests as local for the module
Kamen Mazdrashki [Tue, 4 Nov 2014 03:10:16 +0000 (04:10 +0100)]
s4-dsdb: Implement rename/modify requests as local for the module

The aim is for us to be able to fine tune the implementation
and also add custom LDAP controls to mark all requests as
being part of Reanimation procedure

Change-Id: I9f1c04cd21bf032146eb2626d6495711fcadf10c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Add documentation link for Tombstone Reanimation
Kamen Mazdrashki [Mon, 3 Nov 2014 03:58:20 +0000 (04:58 +0100)]
s4-dsdb: Add documentation link for Tombstone Reanimation

Change-Id: Ib779c8b0839889371f25ad5751c9cda1a510eb54
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-tests: Print out what the error is in delete_force()
Kamen Mazdrashki [Sun, 2 Nov 2014 16:11:20 +0000 (17:11 +0100)]
s4-tests: Print out what the error is in delete_force()

Change-Id: Iaa631179dc79fa756416be8eaf8c55e3b0c1a29f
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requests
Kamen Mazdrashki [Tue, 28 Oct 2014 14:03:59 +0000 (15:03 +0100)]
s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requests

Tombstone reanimation requires some special handling which is going
to affect several modules. Most notably:
 - a bit different access checks in acl.c
 - restore certain attributes during modify requests in samldb.c

Control added also to schema_samba4.ldif by Andrew Bartlett
hence the "pair programmed with" tag.

Change-Id: Ief4f7dabbbdc2570924fae48c30ac9c531a701f4
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Make use dsdb_make_object_category() for objectCategory
Kamen Mazdrashki [Tue, 28 Oct 2014 05:11:31 +0000 (06:11 +0100)]
s4-dsdb: Make use dsdb_make_object_category() for objectCategory

Change-Id: If65c54a653ad7078ca7a535b5c247db2746b5be7
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Make most specific objectCategory for an object
Kamen Mazdrashki [Tue, 28 Oct 2014 05:10:56 +0000 (06:10 +0100)]
s4-dsdb: Make most specific objectCategory for an object

This is lightweight implementation and should be used on objects
with already verified objectClass attribute value - eg. valid classes,
sorted properly, etc.
Check out objectclass.c module for heavy weight implementation.

Change-Id: Ifa7880d26246f67e2f982496fcc6c77e6648d56f
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Initialize module context only we are to handle Tombstone request
Kamen Mazdrashki [Mon, 27 Oct 2014 04:31:54 +0000 (05:31 +0100)]
s4-dsdb: Initialize module context only we are to handle Tombstone request

Change-Id: I73bd2043e96907e3d1a669bdbd943ddee1df8c0a
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Return error codes as windows does for Tombstone reanimation
Kamen Mazdrashki [Sun, 26 Oct 2014 03:31:41 +0000 (04:31 +0100)]
s4-dsdb: Return error codes as windows does for Tombstone reanimation

Tested against Windows Server 2008 R2
In case we try to restore to already existing object, windows
returns: LDB_ERR_ENTRY_ALREADY_EXISTS
Otherwise it is: LDB_ERR_OPERATIONS_ERROR

Change-Id: I6b5fea1e327416ccf5069d97a4a378a527a25f80
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Fix whitespace in deletetest.py
Kamen Mazdrashki [Sun, 26 Oct 2014 03:29:49 +0000 (04:29 +0100)]
s4-dsdb-tests: Fix whitespace in deletetest.py

Change-Id: Ic2924b0aa9cffd29fe0c857317ccb65ba53a1c21
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Make unique object names to test with in deletetest
Kamen Mazdrashki [Sun, 26 Oct 2014 03:29:16 +0000 (04:29 +0100)]
s4-dsdb-tests: Make unique object names to test with in deletetest

This way we can re-run the test again and again

Change-Id: I29bd878b77073d94a279c38bd0afc2f0befa6f9d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Remove unused method get_ldap_connection()
Kamen Mazdrashki [Sun, 26 Oct 2014 02:43:29 +0000 (03:43 +0100)]
s4-dsdb-tests: Remove unused method get_ldap_connection()

Change-Id: Ie50f77dbba724dbd3c2822de5c2cfff41016fac6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Remove trailing ';' in deletetest.py
Kamen Mazdrashki [Sun, 26 Oct 2014 02:42:45 +0000 (03:42 +0100)]
s4-dsdb-tests: Remove trailing ';' in deletetest.py

Change-Id: Ic1ad6bbda55be56cbf7ae78a8ad988b8e479a40c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass
Kamen Mazdrashki [Thu, 23 Oct 2014 06:15:23 +0000 (08:15 +0200)]
s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass

Change-Id: Id9748f36f0aefe40b1894ecd2e5071e3b9c8a6d6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb: Initial implementation for Tombstone reanimation module
Kamen Mazdrashki [Sat, 27 Dec 2014 19:14:25 +0000 (21:14 +0200)]
s4-dsdb: Initial implementation for Tombstone reanimation module

At the moment it works for basic scenario:
 - add user
 - delete user
 - restore deleted user

TODO:
 - security checks
 - flags verification
 - cross-NC checks
 - asynchronous implementation (may not be needed, but anyway)

Change-Id: If396a6dfc766c224acfeb7e93ca75703e08c26e6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 years ago s4-dsdb-tests: Some tests for deleted objects undelete operation
Nadezhda Ivanova [Tue, 21 Oct 2014 13:35:30 +0000 (16:35 +0300)]
s4-dsdb-tests: Some tests for deleted objects undelete operation

Based on MS-ADTS 3.1.1.5.3.7.2

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: I650b315601fce574f9302435f812d1dd4b177e68

9 years ago dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no...
Andrew Bartlett [Tue, 6 Jan 2015 03:49:14 +0000 (16:49 +1300)]
dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set

Also confirm what bits have to be ignored, or otherwise processed

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104

9 years ago dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags
Andrew Bartlett [Tue, 6 Jan 2015 03:48:40 +0000 (16:48 +1300)]
dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags

The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no...
Andrew Bartlett [Tue, 6 Jan 2015 03:47:36 +0000 (16:47 +1300)]
dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-samldb: Only allow known and settable userAccountControl bits to be set
Andrew Bartlett [Tue, 6 Jan 2015 03:43:37 +0000 (16:43 +1300)]
dsdb-samldb: Only allow known and settable userAccountControl bits to be set

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Show that we can not change the primaryGroupID of a DC
Andrew Bartlett [Wed, 10 Dec 2014 02:54:11 +0000 (15:54 +1300)]
dsdb-tests: Show that we can not change the primaryGroupID of a DC

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS
Stefan Metzmacher [Tue, 1 Apr 2014 17:22:35 +0000 (19:22 +0200)]
s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb: Improve userAccountControl handling
Andrew Bartlett [Wed, 10 Dec 2014 01:15:54 +0000 (14:15 +1300)]
dsdb: Improve userAccountControl handling

We now always check the ACL and invariant rules using the same function

The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag,
not an account type

This list should only be of the account exclusive account type bits.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Add new test samba4.user_account_control.python
Andrew Bartlett [Mon, 8 Dec 2014 02:07:59 +0000 (15:07 +1300)]
dsdb-tests: Add new test samba4.user_account_control.python

This confirms security behaviour of the userAccountControl attribute
as well as the behaviour on ADD as well as MODIFY, for every
userAccountControl bit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified
Andrew Bartlett [Wed, 10 Dec 2014 01:26:28 +0000 (14:26 +1300)]
dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type
Andrew Bartlett [Wed, 10 Dec 2014 01:15:54 +0000 (14:15 +1300)]
libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type

This list should only be of the account exclusive account type bits.

Note, this corrects the behaviour in samldb modifies of
userAccountControl.

This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests
Andrew Bartlett [Mon, 8 Dec 2014 01:31:42 +0000 (14:31 +1300)]
dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests

These tests now pass against Samba and Windows 2012R2.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago vfs:glusterfs: whitespace fix.
Michael Adam [Wed, 21 Jan 2015 21:07:53 +0000 (22:07 +0100)]
vfs:glusterfs: whitespace fix.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 22 03:20:17 CET 2015 on sn-devel-104

9 years ago vfs_snapper: encode and decode Snapper DBus strings
David Disseldorp [Wed, 21 Jan 2015 17:16:57 +0000 (18:16 +0100)]
vfs_snapper: encode and decode Snapper DBus strings

Snapper uses a special character encoding for strings used in DBus
requests and responses. This change ensures that Samba packs and unpacks
strings in the corresponding format, using the previously added
encode/decode helper functions.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago vfs_snapper: add DBus string encoding and decoding helpers
David Disseldorp [Wed, 21 Jan 2015 17:16:56 +0000 (18:16 +0100)]
vfs_snapper: add DBus string encoding and decoding helpers

Snapper uses the following mechanism for encoding and decoding strings
used in DBus traffic:
Characters above 127 (0x7F - ASCII DEL) must be encoded hexadecimal as
"\x??". As a consequence "\" must be encoded as "\\".

This change adds string encoding and decoding helpers to vfs_snapper.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago vfs_snapper: free dbus req messages in error paths
David Disseldorp [Wed, 21 Jan 2015 17:16:55 +0000 (18:16 +0100)]
vfs_snapper: free dbus req messages in error paths

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago vfs_glusterfs: Replace eventfd with pipes, for AIO use
Ira Cooper [Tue, 20 Jan 2015 04:08:17 +0000 (23:08 -0500)]
vfs_glusterfs: Replace eventfd with pipes, for AIO use

Pipes clean up the AIO implementation substantially, due to the fact
that they implement a natural thread safe queue instead of us
creating our own queue.

Signed-off-by: Ira Cooper <ira@samba.org>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Wed Jan 21 20:40:11 CET 2015 on sn-devel-104

9 years ago libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()
Stefan Metzmacher [Mon, 22 Dec 2014 21:02:04 +0000 (22:02 +0100)]
libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan 21 17:19:33 CET 2015 on sn-devel-104

9 years ago libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()
Stefan Metzmacher [Mon, 22 Dec 2014 20:48:18 +0000 (21:48 +0100)]
libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()
Stefan Metzmacher [Tue, 20 Jan 2015 10:52:22 +0000 (10:52 +0000)]
s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()

This avoids writing invalid memory, because num_keys was calculated
in a wrong way...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago libsmb: provide authinfo domain for encrypted session referrals
David Disseldorp [Mon, 19 Jan 2015 12:39:35 +0000 (13:39 +0100)]
libsmb: provide authinfo domain for encrypted session referrals

6c9de0cd056afc0b478c02f1bdb0e06532388037 requires this extra change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 21 04:29:06 CET 2015 on sn-devel-104

9 years ago CodingStyle: Update example to use our coding practice.
Andreas Schneider [Tue, 20 Jan 2015 11:07:38 +0000 (12:07 +0100)]
CodingStyle: Update example to use our coding practice.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 20 18:51:55 CET 2015 on sn-devel-104

9 years ago tdb_wrap: don't let tdb_wrap_open() segfault with name==NULL
Stefan Metzmacher [Mon, 19 Jan 2015 11:37:13 +0000 (12:37 +0100)]
tdb_wrap: don't let tdb_wrap_open() segfault with name==NULL

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11032

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jan 19 16:17:28 CET 2015 on sn-devel-104

9 years ago selftest: use env.SELFTEST_PREFIX to define subunit_cache
Stefan Metzmacher [Sat, 10 Jan 2015 08:51:45 +0000 (09:51 +0100)]
selftest: use env.SELFTEST_PREFIX to define subunit_cache

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
9 years ago README.Coding: Add hint for if-statements
Volker Lendecke [Mon, 19 Jan 2015 09:48:20 +0000 (10:48 +0100)]
README.Coding: Add hint for if-statements

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 19 13:25:12 CET 2015 on sn-devel-104

9 years ago docs/idmap_rid: remove deprecated base_rid from example
David Disseldorp [Fri, 16 Jan 2015 15:21:24 +0000 (16:21 +0100)]
docs/idmap_rid: remove deprecated base_rid from example

The base_rid option has been deprecated for some time. Specifying a
value of 1000 (as recommended in the parameter description and example
section) can result in failed mapping of group SIDs, where RIDs do not
start at 1000.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jan 19 09:09:22 CET 2015 on sn-devel-104

9 years ago libsmb: provide authinfo domain for DFS referral auth
David Disseldorp [Fri, 16 Jan 2015 15:21:23 +0000 (16:21 +0100)]
libsmb: provide authinfo domain for DFS referral auth

libsmbclient uses the smbc_init->smbc_get_auth_data_fn() provided
workgroup/domain in initial connections, but then switches to the
default smb.conf workgroup/domain when handling DFS referrals.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago libsmb: reuse connections derived from DFS referrals
David Disseldorp [Fri, 16 Jan 2015 15:21:22 +0000 (16:21 +0100)]
libsmb: reuse connections derived from DFS referrals

[MS-DFSC] 3.2.1.1 and 3.2.1.2 state that DFS targets with the same site
location or relative cost are placed in random order in a DFS referral
response.

libsmbclient currently resolves DFS referrals on every API call, always
using the first entry in the referral response. With random ordering,
libsmbclient may open a new server connection, rather than reuse an
existing (cached) connection established in a previous DFS referred API
call.

This change sees libsmbclient check the connection cache for any of the
DFS referral response entries before creating a new connection.

This change is based on a patch by Har Gagan Sahai
<SHarGagan@novell.com>.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10123

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago utils: Fix 'net time' segfault.
Andreas Schneider [Tue, 13 Jan 2015 16:04:26 +0000 (17:04 +0100)]
utils: Fix 'net time' segfault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058

This is part two of the bugfix. Make sure we pass the IP we found to
cli_servertime(). Hence we always pass at least one of name or IP.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago cli_connect_nb_send: don't segfault on host == NULL.
Michael Adam [Fri, 16 Jan 2015 15:18:45 +0000 (16:18 +0100)]
cli_connect_nb_send: don't segfault on host == NULL.

The functions called further down can cope with host == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058

This is part one of the bugfix:
This ensures that it is enough to pass one of host or address to the function.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9 years ago wafsamba: create unique names when building shared modules
Stefan Metzmacher [Fri, 16 Jan 2015 23:24:53 +0000 (00:24 +0100)]
wafsamba: create unique names when building shared modules

After commit 76fdcf5c15bd904c3686f0c2dd93d27486c61ca4, we could end up
with bin/default/source3/auth/libauth-samba4.so being created two times.
Once by SAMBA3_LIBRARY('auth',...) and once again by SAMBA3_MODULE('auth_samba4', ...).

As a result bin/default/source3/auth/libauth-samba4.so gets randomly
overwritten.

SAMBA3_MODULE('auth_samba4', ...) results in
bin/default/source3/auth/libauth_module_samba4.so now.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 19 04:43:53 CET 2015 on sn-devel-104

9 years ago wafsamba: remove unused variable in SAMBA_MODULE()
Stefan Metzmacher [Fri, 16 Jan 2015 23:24:53 +0000 (00:24 +0100)]
wafsamba: remove unused variable in SAMBA_MODULE()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
9 years ago wafsamba: passing 'subsystem' to SAMBA_MODULE() is not optional
Stefan Metzmacher [Fri, 16 Jan 2015 23:24:53 +0000 (00:24 +0100)]
wafsamba: passing 'subsystem' to SAMBA_MODULE() is not optional

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
9 years ago wafsamba: make it possible to pass bundled_name to SAMBA_LIBRARY()
Stefan Metzmacher [Fri, 16 Jan 2015 23:24:53 +0000 (00:24 +0100)]
wafsamba: make it possible to pass bundled_name to SAMBA_LIBRARY()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
9 years ago lib/util: add missing commas to statfs_types
Ralph Boehme [Thu, 15 Jan 2015 20:08:47 +0000 (21:08 +0100)]
lib/util: add missing commas to statfs_types

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jan 16 13:24:16 CET 2015 on sn-devel-104

9 years ago samba3.py: Correctly initialize cache directory for passdb test
Christof Schmitt [Thu, 15 Jan 2015 21:31:19 +0000 (14:31 -0700)]
samba3.py: Correctly initialize cache directory for passdb test

Running 'make test TESTS=tests.samba3' succeeds, but the log shows that
it tried to open the gencache tdb in the wrong directory:
Unable to create directory /usr/local/samba/var/cache for file gencache.tdb. Error was No such file or directory

Fix this by correctly initializing the cache directory.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Fri Jan 16 02:36:39 CET 2015 on sn-devel-104

9 years ago smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT.
Ira Cooper [Thu, 15 Jan 2015 16:41:50 +0000 (11:41 -0500)]
smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT.

This sequencing is causing problems for vfs_ceph, and likely
other vfs modules.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 16 00:13:17 CET 2015 on sn-devel-104

9 years ago CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes...
Andrew Bartlett [Thu, 4 Dec 2014 04:23:29 +0000 (17:23 +1300)]
CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl

This requires an additional control to be used in the
LSA server to add domain trust account objects.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104

9 years ago CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c
Andrew Bartlett [Mon, 8 Dec 2014 01:20:21 +0000 (14:20 +1300)]
CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag
Andrew Bartlett [Sun, 7 Dec 2014 23:19:19 +0000 (12:19 +1300)]
CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago CVE-2014-8143:auth: Force talloc type of session_info pointer to match
Andrew Bartlett [Tue, 11 Nov 2014 02:23:02 +0000 (15:23 +1300)]
CVE-2014-8143:auth: Force talloc type of session_info pointer to match

This helps us keep things safe in LDB where we put this in an opaque pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Andrew Bartlett

Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
9 years ago s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.
Jeremy Allison [Tue, 13 Jan 2015 21:49:58 +0000 (13:49 -0800)]
s3: auth - tests: Add test for "force user" being a unix-only user, not in passdb.

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 14 08:46:08 CET 2015 on sn-devel-104

9 years ago s3: auth: Add previously missing allocation fail check.
Jeremy Allison [Tue, 13 Jan 2015 21:49:36 +0000 (13:49 -0800)]
s3: auth: Add previously missing allocation fail check.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
9 years ago s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
Jeremy Allison [Tue, 13 Jan 2015 21:45:16 +0000 (13:45 -0800)]
s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().

Core fix for:

https://bugzilla.samba.org/show_bug.cgi?id=11044

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
9 years ago s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
Jeremy Allison [Tue, 13 Jan 2015 21:39:21 +0000 (13:39 -0800)]
s3: auth: Convert samu_to_SamInfo3() to use the new utility function.

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
9 years ago s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code...
Jeremy Allison [Tue, 13 Jan 2015 21:35:56 +0000 (13:35 -0800)]
s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
9 years ago rwrap: Bump version to 1.1.2.
Andreas Schneider [Tue, 13 Jan 2015 14:14:25 +0000 (15:14 +0100)]
rwrap: Bump version to 1.1.2.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 13 19:19:25 CET 2015 on sn-devel-104

9 years ago rwrap: Fix ns_name_compress detection.
Andreas Schneider [Tue, 13 Jan 2015 14:13:40 +0000 (15:13 +0100)]
rwrap: Fix ns_name_compress detection.

On some platforms it is a macro and not a function. So we need to
check if the macro exists.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
9 years ago rwrap: Bump version to 1.1.1.
Andreas Schneider [Mon, 12 Jan 2015 16:36:44 +0000 (17:36 +0100)]
rwrap: Bump version to 1.1.1.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago rwrap: Fix a possible NULL dereference.
Andreas Schneider [Mon, 12 Jan 2015 16:33:58 +0000 (17:33 +0100)]
rwrap: Fix a possible NULL dereference.

CID: #84271

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jakub Hrozek <jakub.hrozek@gmail.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
9 years ago rwrap: If we do not have ns_name_compress() use dn_comp().
Andreas Schneider [Mon, 12 Jan 2015 16:32:45 +0000 (17:32 +0100)]
rwrap: If we do not have ns_name_compress() use dn_comp().

This should fix older Linux versions which do not export
ns_name_compress(). In newer glibc versions dn_comp() calls
ns_name_compress().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11019

Reviewed-by: Jakub Hrozek <jakub.hrozek@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
9 years ago net: Fix sam addgroupmem
Volker Lendecke [Tue, 13 Jan 2015 11:51:13 +0000 (12:51 +0100)]
net: Fix sam addgroupmem

Domain local groups come across as SID_TYPE_ALIAS and are sent to us in the
PAC/Info3 struct. We should allow this in net sam addgroupmem.

Volker

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 13 15:28:16 CET 2015 on sn-devel-104

9 years ago s3-util: Fix authentication with long hostnames.
Andreas Schneider [Mon, 12 Jan 2015 17:12:13 +0000 (18:12 +0100)]
s3-util: Fix authentication with long hostnames.

If the hostname is longer than MAX_NETBIOSNAME_LEN we fail to correctly
check the hostname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11008

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 12 23:10:30 CET 2015 on sn-devel-104

9 years ago leases_db: don't leak lock_path onto talloc tos
David Disseldorp [Mon, 12 Jan 2015 15:49:54 +0000 (16:49 +0100)]
leases_db: don't leak lock_path onto talloc tos

Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 12 19:22:31 CET 2015 on sn-devel-104