Christof Schmitt [Wed, 8 Jul 2015 22:16:33 +0000 (15:16 -0700)]
smbcontrol: Set internal log level to 0
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 8 Jul 2015 22:15:38 +0000 (15:15 -0700)]
smbstatus: Set internal log level to 0
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 8 Jul 2015 22:14:54 +0000 (15:14 -0700)]
rpcclient: Set internal log level to 0
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:30:07 +0000 (19:30 +0200)]
rpc_server: Fix CID
1311342 Null pointer dereferences (REVERSE_INULL)
elem was dereferenced already a few lines above
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul 10 01:01:36 CEST 2015 on sn-devel-104
Volker Lendecke [Thu, 9 Jul 2015 17:27:41 +0000 (19:27 +0200)]
rpc_server: Fix CID
1311341 Integer handling issues (OVERFLOW_BEFORE_WIDEN)
Quoting the full message:
Potentially overflowing expression "total_octets * 8U" with type "unsigned int"
(32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a
context that expects an expression of type "uint64_t" (64 bits, unsigned).
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:24:18 +0000 (19:24 +0200)]
rpc_server: Fix CID
1311340 Null pointer dereferences (NULL_RETURNS)
In practice this might not be relevant, but better be safe.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:22:59 +0000 (19:22 +0200)]
rpc_server: Fix CID
1311339 Error handling issues (CHECKED_RETURN)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:20:46 +0000 (19:20 +0200)]
smbd: Fix CID
1311338 Error handling issues (CHECKED_RETURN)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:17:54 +0000 (19:17 +0200)]
smbd: Fix CID
1311337 Error handling issues (CHECKED_RETURN)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:16:00 +0000 (19:16 +0200)]
dalloc: Fix CID
1097369 API usage errors (VARARGS)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Thu, 9 Jul 2015 17:12:09 +0000 (19:12 +0200)]
dalloc: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Christof Schmitt [Wed, 8 Jul 2015 21:40:25 +0000 (14:40 -0700)]
dosmode: Change message of result to informational
Logging the returned mode bits should be only "informational" (level 5).
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 9 15:36:30 CEST 2015 on sn-devel-104
Christof Schmitt [Wed, 8 Jul 2015 21:12:20 +0000 (14:12 -0700)]
vfs: Change final message in check_reduce_name to "info"
"Informational" is a better description for this message; change the log
level accordingly (level 5).
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Wed, 8 Jul 2015 21:07:18 +0000 (14:07 -0700)]
vfs: Make entry message for check_reduced_name a debug message
The interesting information is already logged later; having an
additional message when entering the function should be only done as
debug message (level 10).
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 28 Jun 2015 11:36:22 +0000 (14:36 +0300)]
net: fix the order of DC lookup methods when joining a domain
The dsgetdcname() function is able to try just DNS lookup, just NetBIOS,
or start with DNS and fall back to NetBIOS. For "net ads join", we know
most of the time whether the name of the domain we're joining is a DNS
name or a NetBIOS name. In that case, it makes no sense to try both lookup
methods, especially that DNS may fail and we want to fall back from site-aware
DNS lookup to site-less DNS lookup, with no NetBIOS lookup in between.
This change lets "net ads join" tell libnet what is the type of the domain
name, if it is known.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Thu, 2 Jul 2015 17:09:02 +0000 (20:09 +0300)]
util.c: fix order of inclusion to correctly consume config.h
replace.h has to be the first file included in order to correctly act
upon the definitions in config.h.
Specifically, this change fixes 32-bit i686 builds, which depend upon
_FILE_OFFSET_BITS=64 to be set before any standard library file is
included.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul 9 12:32:03 CEST 2015 on sn-devel-104
Martin Schwenke [Wed, 8 Jul 2015 05:01:11 +0000 (15:01 +1000)]
ctdb-tests: Remove statd-callout when running NFS tests
60.nfs backgrounds it so it persists in the background causing
problems. In particular, it causes the "ctdb ip" command stub to be
run in parallel, which produces inconstent results.
Better not to run it at all in the NFS tests.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Jul 9 09:27:02 CEST 2015 on sn-devel-104
Martin Schwenke [Wed, 8 Jul 2015 04:57:51 +0000 (14:57 +1000)]
ctdb-scripts: Use an "if" statement instead of "&&"
If statd-callout is unwanted, so is removed, then this code fails.
Change to an "if" so that it succeeds as intended.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Mon, 6 Jul 2015 08:15:31 +0000 (18:15 +1000)]
ctdb-tests: Refactor code using simple test harness functions
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 6 Jul 2015 05:14:53 +0000 (15:14 +1000)]
ctdb-tests: Add test cleanup hooks
To do any cleanup before exiting the test, register hooks with
test_cleanup(). Multiple hooks can be registered. All the hooks will
be called before exiting from the test.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 6 Jul 2015 08:07:35 +0000 (18:07 +1000)]
ctdb-tests: Remove unsed code
This code was copied from onnode unit tests, but not used.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 6 Jul 2015 07:35:18 +0000 (17:35 +1000)]
ctdb-tests: Remove extra_header and extra_footer variables
This is now achieved by defining functions extra_header() and
extra_footer().
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 6 Jul 2015 04:45:23 +0000 (14:45 +1000)]
ctdb-tests: Add simple test harnesses for running unit tests
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Uri Simchoni [Wed, 24 Jun 2015 10:09:24 +0000 (13:09 +0300)]
docs: Correct list of supported socket options
Bring the list of supported socket options in smb.conf in sync
with the code
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 9 03:48:13 CEST 2015 on sn-devel-104
Volker Lendecke [Mon, 6 Jul 2015 08:49:47 +0000 (10:49 +0200)]
tdb: Reproducer for Bug 11381
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11381
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 6 Jul 2015 11:13:36 +0000 (13:13 +0200)]
tdb: Fix bug 11381, deadlock
This fixes a deadlock in tdb that is a bad interaction between tdb_lockall
and tdb_traverse. This deadlock condition has been around even before
tdb mutexes, it's just that the kernel fcntl EDEADLK detection protected
us from this ABBA lock condition to become a real deadlock stalling
processes. With tdb mutexes, this deadlock protection is gone, so we do
lock dead.
This patch glosses over this particular ABBA condition, making tdb with
mutexes behave the same as tdb without mutexes. Admittedly this is no
real fix, but it works around a real user's problem.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11381
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 7 Jul 2015 13:36:07 +0000 (15:36 +0200)]
librpc: Fix a "ignoring asprint return" warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Douglas Bagnall [Fri, 26 Jun 2015 04:01:10 +0000 (16:01 +1200)]
Fix format size errors for i386 in source3/librpc/crypto/gse.c
Again, sizeof(size_t) != sizeof(uintmax_t).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Douglas Bagnall [Fri, 26 Jun 2015 03:25:55 +0000 (15:25 +1200)]
Fix ldap_bind compilation for i386
More size_t != uintmax_t issues:
../source4/libcli/ldap/ldap_bind.c: In function ‘ldap_bind_sasl’:
../source4/libcli/ldap/ldap_bind.c:237:3: error: format ‘%ju’ expects argument of type ‘uintmax_t’, but argument 2 has type ‘size_t’ [-Werror=format=]
DEBUG(1, ("SASL bind triggered with non empty send_queue[%ju]: %s\n",
^
cc1: all warnings being treated as errors
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Douglas Bagnall [Fri, 26 Jun 2015 03:05:48 +0000 (15:05 +1200)]
Fix gensec_gssapi compilation for i386
Fixes this:
../source4/auth/gensec/gensec_gssapi.c:1017:3: error: format ‘%ju’ expects argument of type ‘uintmax_t’, but argument 3 has type ‘size_t’ [-Werror=format=]
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 19 May 2015 22:05:00 +0000 (00:05 +0200)]
s4:torture/rpc: extend and improve rpc.lsa.trusted.domains
This adds a lot more validation arround trust credentials and
krb5 interaction.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 8 21:41:17 CEST 2015 on sn-devel-104
Stefan Metzmacher [Tue, 30 Jun 2015 10:08:22 +0000 (12:08 +0200)]
s4:torture/rpc: add missing \n in comments
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jun 2015 10:06:11 +0000 (12:06 +0200)]
s4:torture/rpc: handle NT_STATUS_NO_SUCH_DOMAIN in test_query_each_TrustDom()
lsa_EnumTrusts() may also return non direct trusted domains in the forest.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 11 May 2015 11:35:17 +0000 (13:35 +0200)]
testprogs/blackbox: add test_trust_utils.sh
This tests 'samba-tool domain trust *' commands.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 11 Jun 2015 16:58:42 +0000 (18:58 +0200)]
testprogs/blackbox: let test_kinit_trusts.sh verify that setpassword (via LDAP) is rejected
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 11 May 2015 13:07:49 +0000 (15:07 +0200)]
testprogs/blackbox: let test_kinit_trusts.sh test a enterprise upn from the other foreset
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 11 May 2015 11:45:59 +0000 (13:45 +0200)]
selftest/Samba4: setup forest UPN and SPN namespaces for ad_dc and fl2008r2dc
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 Feb 2015 14:07:40 +0000 (15:07 +0100)]
testprogs/blackbox: add test_kinit_trusts.sh
That verifies kinit and smbclient work across trusts.
It also tests a trust password change and a following
access.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 Feb 2015 08:58:07 +0000 (09:58 +0100)]
selftest/Samba4: setup trusts between forest:fl2008r2dc/ad_dc and externl:fl2003dc/ad_dc
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jan 2015 13:44:44 +0000 (14:44 +0100)]
samba-tool: add 'domain trust *' commands
Available subcommands:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Jan 2015 21:45:47 +0000 (21:45 +0000)]
python/samba: add on optional 'special_name' argument to CredentialsOptions()
This way we have have two sets or credentials on the command line,
while at least one uses some prefix (special_name) for the arguments.
The default options without special_name are:
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
With special_name='local-dc' it's:
Credentials Options (local-dc):
--local-dc-simple-bind-dn=DN
DN to use for a simple bind
--local-dc-password=PASSWORD
Password
--local-dc-username=USERNAME
Username
--local-dc-workgroup=WORKGROUP
Workgroup
--local-dc-no-pass Don't ask for a password
--local-dc-kerberos=KERBEROS
Use Kerberos
--local-dc-ipaddress=IPADDRESS
IP address of server
--local-dc-machine-pass
Use stored machine account password
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 22 Jan 2015 11:23:09 +0000 (11:23 +0000)]
python/samba: add current_unix_time()
This is needed to get the time from modules in python/samba/netcmd/
where a time.py exist.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 11 Apr 2015 09:31:36 +0000 (09:31 +0000)]
s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation()
This should only work on a forest root domain controller and a forest function
level >= 2003.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 29 Jan 2015 15:29:53 +0000 (16:29 +0100)]
s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info()
This collects the whole information about the local forest,
including all domains and defined top level names (uPNSuffixes and
msDS-SPNSuffixes).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 23 Jan 2015 13:40:03 +0000 (14:40 +0100)]
s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains
We redirect this to remote DC as netr_GetForestTrustInformation() via an IRPC
call to winbindd.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 23 Jan 2015 12:32:37 +0000 (13:32 +0100)]
s3:winbindd: add wb_irpc_GetForestTrustInformation()
This allows the netlogon server to forward netr_DrsGetForestTrustInformation()
to winbindd in order to do the work.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 23 Jan 2015 12:07:14 +0000 (13:07 +0100)]
s3:winbindd: implement winbind_GetForestTrustInformation()
We use in internal connection to our local LSA server
in order to update the local msDS-TrustForestTrustInfo attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 23 Jan 2015 12:07:14 +0000 (13:07 +0100)]
librpc/idl: add winbind_GetForestTrustInformation()
This will be used by the netr_DrsGetForestTrustInformation()
in order to contact remote domains via winbindd.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 15 Dec 2014 15:44:26 +0000 (16:44 +0100)]
s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Dec 2014 23:04:37 +0000 (00:04 +0100)]
s3:winbindd: add wb_irpc_LogonControl()
This can be called by the netlogon server to pass netr_LogonControl*()
to a winbindd child process in order to do the real work.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Dec 2014 08:04:42 +0000 (09:04 +0100)]
s3:winbindd: implement _winbind_LogonControl*()
This implements NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}.
These are triggered by the netlogon server (currently only as AD DC) via IRPC.
While NETLOGON_CONTROL_REDISCOVER ignores an optional '\dcname' at the end of
the specified domain name for now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 19 Dec 2014 09:36:29 +0000 (10:36 +0100)]
librpc/idl: add winbind_LogonControl()
This will be used by the netr_LogonControl()
in order to contact remote domains via winbindd.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 15:12:32 +0000 (16:12 +0100)]
s4:rpc_server/lsa: remove unused code
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 28 Jan 2015 08:55:43 +0000 (08:55 +0000)]
s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
This means we return mostly the same error codes as a Windows
and also normalize the given information before storing.
Storing is now done within a transaction in order to avoid races
and inconsistent values.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
This is used to merge the netr_GetForestTrustInformation() result with
the existing information in msDS-TrustForestTrustInfo.
New top level names are added with LSA_TLN_DISABLED_NEW
while all others keep their flags.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
These will be used in dcesrv_lsa_lsaRSetForestTrustInformation() in the
following order:
- dsdb_trust_normalize_forest_info_step1() verifies the input
forest_trust_information and does some basic normalization.
- the output of step1 is used in dsdb_trust_verify_forest_info()
to verify overall view of trusts and forests, this may generate
collision records and marks records as conflicting.
- dsdb_trust_normalize_forest_info_step2() prepares the records
to be stored in the msDS-TrustForestTrustInfo attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
This emulates a lsa_TrustDomainInfoInfoEx struct for our own domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 3 Feb 2015 17:30:36 +0000 (18:30 +0100)]
s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jun 2015 13:13:03 +0000 (15:13 +0200)]
s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.
Otherwise other code will get INTERNAL_DB_CORRUPTION errors.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jun 2015 13:10:47 +0000 (15:10 +0200)]
s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.
flatName and trustPartner have the same value for downlevel trusts.
And both are required.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 9 Mar 2015 12:19:06 +0000 (13:19 +0100)]
s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Dec 2014 21:02:25 +0000 (22:02 +0100)]
s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 15:53:37 +0000 (15:53 +0000)]
s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
This extracts the current and previous nt hashes from trustAuthIncoming
as the passed TDO ldb_message.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 09:42:15 +0000 (09:42 +0000)]
s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2()
For domain trusts we need to extract NL_PASSWORD_VERSION from the password
buffer.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 30 Mar 2015 10:31:01 +0000 (12:31 +0200)]
s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
Only the LSA and NETLOGON server should be able to change this, otherwise
the incoming passwords in the trust account and trusted domain object
get out of sync.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 10:42:08 +0000 (10:42 +0000)]
s4:dsdb/common: supported trusted domains in samdb_set_password_sid()
We also need to update trustAuthIncoming of the trustedDomain object.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 10:42:08 +0000 (10:42 +0000)]
s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
This will simplify the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 11:09:34 +0000 (12:09 +0100)]
s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
For trust account we need to store version number provided by the client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 25 Mar 2015 15:14:44 +0000 (15:14 +0000)]
s4:dsdb/netlogon: add support for CLDAP requests with AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
Windows reuses the ACB_AUTOLOCK flag to handle SEC_CHAN_DNS_DOMAIN domains,
but this not documented yet...
This is triggered by the NETLOGON_CONTROL_REDISCOVER with a domain string
of "example.com\somedc.example.com".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 30 Mar 2015 08:22:46 +0000 (10:22 +0200)]
s4:auth/sam: remove unused sam_get_results_trust()
This is replaced by dsdb_trust_search_tdo() now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 30 Mar 2015 08:17:51 +0000 (10:17 +0200)]
s3:pdb_samba_dsdb: make use of dsdb_trust_search_tdo()
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 30 Mar 2015 08:17:51 +0000 (10:17 +0200)]
s4:kdc/db-glue: make use of dsdb_trust_search_tdo()
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add dsdb_trust_search_tdo*() helper functions
These are more generic and will replace the existing sam_get_results_trust().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 10 Feb 2015 13:43:01 +0000 (14:43 +0100)]
s4:kdc/db-glue: implement cross forest routing by return HDB_ERR_WRONG_REALM
We lookup the principal against our trust routing table
and return HDB_ERR_WRONG_REALM and the realm of the next trust hoop.
Routing within our own forest is not supported yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 12:12:36 +0000 (13:12 +0100)]
s4:dsdb/common: add helper functions for trusted domain objects (tdo)
The most important things is the dsdb_trust_routing_table with the
dsdb_trust_routing_table_load() and dsdb_trust_routing_by_name() functions.
The routing table has knowledge about trusted domains/forests and
enables the dsdb_trust_routing_by_name() function to find the direct trust
that is responsable for the given name.
This will be used in the kdc and later winbindd to handle cross-trust/forest
routing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 10 Feb 2015 13:37:29 +0000 (14:37 +0100)]
heimdal:kdc: add support for HDB_ERR_WRONG_REALM
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.
entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).
This is needed to route enterprise principals between AD domain trusts.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 Feb 2015 23:07:14 +0000 (00:07 +0100)]
heimdal:kdc: generic support for 3part servicePrincipalNames
This is not DRSUAPI specific, it works for all 3 part principals.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 13 Feb 2015 07:55:11 +0000 (08:55 +0100)]
heimdal:lib/krb5: add krb5_mk_error_ext() helper function
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 10 Feb 2015 12:27:57 +0000 (13:27 +0100)]
heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 10 Jun 2015 08:25:20 +0000 (10:25 +0200)]
s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal
We should always return the principal from the values stored in the database.
This also means we need to ignore a missing HDB_F_CANON.
This was demonstrated by running some new tests against windows.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 1 Jul 2015 03:33:10 +0000 (05:33 +0200)]
s4:kdc/db-glue: preferr the previous password for trust accounts
If no kvno is specified we should return the keys with the lowest value.
For the initial value this means we return the current key with kvno 0 (NULL on
the wire). Later we return the previous key with kvno current - 1.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 10 Apr 2015 20:31:20 +0000 (20:31 +0000)]
s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry()
We should fallback to the current password if the trusted KDC used a wrong kvno.
After commit
6f8b868a29fe47a3b589616fde97099829933ce0, we always have the
previous password filled. With the trust creation we typically don't
have a TRUST_AUTH_TYPE_VERSION in the current nor in the previous array.
This means current_kvno is 0. And now previous_kvno is 255.
A FreeIPA/MIT KDC uses kvno=1 in the referral ticket, which triggered
the 'Request for unknown kvno 1 - current kvno is 0' case.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Paul Wayper [Wed, 8 Jul 2015 02:37:31 +0000 (12:37 +1000)]
Spelling correction: exlusive -> exclusive and semantincs -> semantics
Signed-off-by: Paul Wayper <paulway@redhat.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jul 8 15:54:15 CEST 2015 on sn-devel-104
Paul Wayper [Wed, 8 Jul 2015 02:34:25 +0000 (12:34 +1000)]
Spelling correction: exlusive -> exclusive
Signed-off-by: Paul Wayper <paulway@redhat.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 8 Jul 2015 05:43:20 +0000 (07:43 +0200)]
s3:wscript_build: fix the build using dmapi and fam together
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Jul 8 11:54:24 CEST 2015 on sn-devel-104
Christof Schmitt [Thu, 2 Jul 2015 22:31:29 +0000 (15:31 -0700)]
gpfswrap: Use gpfs.h instead of gpfs_fcntl.h
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul 8 05:55:13 CEST 2015 on sn-devel-104
Christof Schmitt [Thu, 2 Jul 2015 22:20:01 +0000 (15:20 -0700)]
gpfswrap: Remove unused wrapper for gpfs_fnctl
With the removal of the fileset quota check this wrapper function is
longer used.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Christof Schmitt [Mon, 23 Mar 2015 19:57:39 +0000 (12:57 -0700)]
vfs_gpfs: Use C99 initializers instead of ZERO_STRUCT
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Christof Schmitt [Mon, 23 Mar 2015 19:54:34 +0000 (12:54 -0700)]
vfs_gpfs: Use ACL defines from GPFS 3.5 header files
GPFS 3.5 is now the oldest support version. Cleanup the ACL code by
using the defines and structs from the 3.5 header file.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Christof Schmitt [Mon, 6 Jul 2015 21:32:15 +0000 (14:32 -0700)]
ctdb: Accept hex format for pdelete and ptrans commands
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Mon, 6 Jul 2015 20:07:33 +0000 (13:07 -0700)]
ctdb: Create helper function for optional hex input
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 3 May 2015 16:30:45 +0000 (16:30 +0000)]
Remove ctdb_conn.[ch]
This was only used in notify_internal.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 8 02:53:33 CEST 2015 on sn-devel-104
Volker Lendecke [Tue, 16 Jun 2015 14:57:14 +0000 (14:57 +0000)]
notifyd: Add notifydd
A little standalone notify daemon to play around with.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 15 Jun 2015 12:14:03 +0000 (12:14 +0000)]
utils: add net notify
A little tool to play with the notify daemon
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 9 Jan 2015 12:59:46 +0000 (12:59 +0000)]
notify: Remove two now unused stubs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 12 Dec 2014 14:37:30 +0000 (15:37 +0100)]
smbd: Remove SMB_VFS_NOTIFY_WATCH
No longer needed
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 9 Jan 2015 12:48:56 +0000 (12:48 +0000)]
notify: Re-add notify_walk()
This used to be a tdb traverse wrapper. Now we get the notify db from
notifyd via messages.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 9 Jan 2015 12:24:58 +0000 (12:24 +0000)]
notifyd: Add notifyd_parse_db()
The database format notifyd is "private" to it. This makes it
possible for smbcontrol and others to query notifyd's database with
MSG_SMB_NOTIFY_GET_DB and inspect it without having to know exactly what
format it uses.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>