Gary Lockyer [Tue, 6 Mar 2018 00:40:21 +0000 (13:40 +1300)]
ldb-samba: Handle generic mdb:// url scheme in ldb_relative_path()
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 19 Mar 2018 23:58:02 +0000 (12:58 +1300)]
ldb: Release ldb 1.4.0
* New LMDB backend
* Comprehensive tests for index behaviour
* Enforce transactions for writes
* Enforce read lock use for all reads
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 02:11:23 +0000 (15:11 +1300)]
ldb: Add MDB support to ldb://
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 13 Mar 2018 02:08:10 +0000 (15:08 +1300)]
TODO: ldb_mdb/tests: add tests for multiple opens across forks
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
TODO: DO we want this for tdb too???
Gary Lockyer [Mon, 12 Mar 2018 19:14:09 +0000 (08:14 +1300)]
ldb_mdb/tests: test large index key value
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 22 Mar 2018 22:29:25 +0000 (11:29 +1300)]
ldb_mdb: Remove implicit read lock and remove transaction counter
The way to know if we are in a transaction is if there is a non-NULL
transaction handle.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 13 Mar 2018 02:08:10 +0000 (15:08 +1300)]
ldb_mdb: prevent MDB_env reuse across forks
MDB_env's may not be reused accross forks. Check the pid that the lmdb
structure was created by, and return an error if it is being used by a
different process.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 20 Mar 2018 22:38:22 +0000 (11:38 +1300)]
ldb_mdb: handle EBADE from mdb_env_open
Under some circumstances mdb_env_open returns EBADE, we treat this as
indicating the file is not a valid lmdb format file.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 8 Mar 2018 03:47:59 +0000 (16:47 +1300)]
ldb_mdb: Tests for wrap open
Tests to ensure that the mdb_env wrapping code correctly handles
multiple ldb's point to the same physical database file.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 23:05:34 +0000 (12:05 +1300)]
ldb_mdb: Wrap mdb_env_open
Wrap mdb_env_open to ensure that we only have one MDB_env opened per
database in each process
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 02:27:51 +0000 (15:27 +1300)]
TODO COMMIT MESSAGE ldb_mdb: Apply LMDB key length restrictions at key-value layer
We need to enforce the GUID index mode so end-users do not get a supprise
in mid-operation and we enforce a max key length of 511 so that the
index key trunctation is done correctly.
Otherwise the DB will appear to work until a very long key (DN or index)
is used, after which it will be sad.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Apr 2018 10:15:55 +0000 (12:15 +0200)]
sq ldb_mdb/tests: Run api and index test also on lmdb LIKE THIS? SQ??? WHY not the same dict for all tests? ldb: Allow tests to operate on ldb_mdb after new restrictions
Gary Lockyer [Tue, 6 Mar 2018 02:30:10 +0000 (15:30 +1300)]
SQ??? ldb_mdb/tests: Run api and index test also on lmdb WHY not the same dict for all tests? ldb: Allow tests to operate on ldb_mdb after new restrictions
The tests were working fine on ldb_mdb but only in the mode without
the GUID index. This mode is not OK for production so has been banned
but this means we need to rework the tests to set an objectGUID on
each record.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 5 Mar 2018 20:13:31 +0000 (09:13 +1300)]
ldb_mdb/tests: Run api and index test also on lmdb
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Fri, 2 Feb 2018 02:30:53 +0000 (15:30 +1300)]
TODO: ldb_mdb/tests: Add tests to check for max key length and DB size
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
TODO: is "# we don't want to run ldb_lmdb_size_test" correct?
Gary Lockyer [Tue, 6 Mar 2018 23:05:34 +0000 (12:05 +1300)]
ldb_mdb: Don't allow modify operations on a read only db
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Garming Sam [Mon, 5 Mar 2018 03:04:03 +0000 (16:04 +1300)]
ldb_mdb: Store pid to change destructor on fork
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 1 Mar 2018 03:53:07 +0000 (16:53 +1300)]
ldb_mdb: Enable LDB_FLG_NOSYNC in ldb_mdb
This is used in selftest with 'ldb:nosync = true'.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Apr 2018 10:51:39 +0000 (12:51 +0200)]
lib/ldb/tools/ldbdump.c #include <lmdb.h>
Stefan Metzmacher [Thu, 12 Apr 2018 10:50:29 +0000 (12:50 +0200)]
sq lib/ldb/ldb_mdb/ldb_mdb.[ch] include <lmdb.h>
Gary Lockyer [Mon, 19 Mar 2018 22:25:28 +0000 (11:25 +1300)]
sq ldb_mdb: Implement the lmdb backend for ldb
SQ ldb_mdb: make backends expose if there is an active transaction
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 11 Jan 2017 04:10:19 +0000 (17:10 +1300)]
METZE01 ldb_mdb: Implement the lmdb backend for ldb
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 13 Mar 2018 02:08:10 +0000 (15:08 +1300)]
FAILS: TODO: ldb/tests: add tests for transaction_start/lock_read across forks
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
TODO: this should work also with tdb, we need to have the same external
behavior of tdb and mdb, everything else will cause problems!
TODO: I think we should also protect against a fork between
transaction_start and transaction_[prepare]_commit.
Gary Lockyer [Tue, 6 Mar 2018 02:30:10 +0000 (15:30 +1300)]
TODO commit message ldb: Allow tests to operate on ldb_mdb after new restrictions
The tests were working fine on ldb_mdb but only in the mode without
the GUID index. This mode is not OK for production so has been banned
but this means we need to rework the tests to set an objectGUID on
each record.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Wed, 10 Jan 2018 23:40:01 +0000 (12:40 +1300)]
tests/dlz_bind9: support for multiple db types by using ldb://
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Garming Sam [Thu, 4 Jan 2018 20:28:54 +0000 (09:28 +1300)]
tests: Replace some references to tdb with ldb://
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 00:40:21 +0000 (13:40 +1300)]
ldb-samba: Handle generic ldb:// url scheme in ldb_relative_path()
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 02:11:23 +0000 (15:11 +1300)]
ldb: Introduce new generic ldb:// prefix to allow backend autodetection
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 00:40:21 +0000 (13:40 +1300)]
dsdb:schema_load: make use of ldb_relative_path() in partition_metadata_open()
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 00:40:21 +0000 (13:40 +1300)]
dsdb:partition_metadata: make use of ldb_relative_path() in partition_metadata_open()
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Mon, 19 Mar 2018 23:15:12 +0000 (12:15 +1300)]
ldb tests: add cmocka tests of kv operation interactions with transactions
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 19 Mar 2018 23:14:10 +0000 (12:14 +1300)]
ldb tests: api ensure database correctly populated
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 4 Apr 2018 05:21:30 +0000 (17:21 +1200)]
ldb_tdb: Disallow reads without a transaction or read lock
This will ensure we match LMDB behaviour and avoid a repeat of the per-record locking
issues (compared with full DB locking) we had before Samba 4.7.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 22 Mar 2018 22:28:18 +0000 (11:28 +1300)]
ldb_tdb: Disallow TDB nested transactions and use tdb_transaction_active()
This avoids keeping a counter, which can be error-prone.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 22 Mar 2018 22:27:10 +0000 (11:27 +1300)]
ldb_tdb: Do not make search or DB modifications without a lock
The ldb_cache startup code would previously not take a read lock
nor a sufficiently wide write transaction.
The new code takes a read lock, and if it needs to write takes a
write lock (transaction) and re-reads before continuing.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 19 Mar 2018 22:25:28 +0000 (11:25 +1300)]
ldb: make key/value backends expose if there is an active transaction
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 6 Mar 2018 02:27:51 +0000 (15:27 +1300)]
ldb_tdb: Make sure max_key_length != 0 requires a GUID index mode
We need to enforce the GUID index mode so end-users do not get a supprise
in mid-operation and we enforce a max key length of 511 so that the
index key trunctation is done correctly.
Otherwise the DB will appear to work until a very long key (DN or index)
is used, after which it will be sad.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 12 Apr 2018 12:31:20 +0000 (14:31 +0200)]
ldb/tests: don't use TEVENT_DEPRECATED in ldb_kv_ops_test.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 11 Apr 2018 13:11:10 +0000 (15:11 +0200)]
torture: Test compound request request counters
This will send an unfixed smbd into the
SMB_ASSERT(op->request_count > 0);
in smbd_smb2_request_reply_update_counts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Apr 12 14:38:39 CEST 2018 on sn-devel-144
Stefan Metzmacher [Wed, 11 Apr 2018 10:14:59 +0000 (12:14 +0200)]
s3:smb2_server: correctly maintain request counters for compound requests
If a session expires during a compound request chain,
we exit smbd_smb2_request_dispatch() with
'return smbd_smb2_request_error(req, ...)' before
calling smbd_smb2_request_dispatch_update_counts().
As req->request_counters_updated was only reset
within smbd_smb2_request_dispatch_update_counts(),
smbd_smb2_request_reply_update_counts() was called
twice on the same request, which triggers
SMB_ASSERT(op->request_count > 0);
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
David Mulder [Wed, 11 Apr 2018 18:45:40 +0000 (12:45 -0600)]
gpo: python chardet is not a dep of samba
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Apr 12 11:27:03 CEST 2018 on sn-devel-144
David Mulder [Wed, 11 Apr 2018 18:40:18 +0000 (12:40 -0600)]
libgpo: gpo_copy_file() shouldn't explicitly call smb1
Don't call cli_openx directly to open a file this
calls smb1 code explicitly, which fails if we did
a multi-protocol negotiate and negotiated smb2+.
Use the higher level cli_open() instead.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Tue, 10 Apr 2018 21:07:34 +0000 (15:07 -0600)]
param: Add python binding for lpcfg_cache_path
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Mon, 12 Mar 2018 15:44:38 +0000 (09:44 -0600)]
gpo: Create a gp_sec_ext module
Move the gp_sec_ext into it's own module,
which is how new gp_ext's will be created.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Thu, 29 Mar 2018 14:32:02 +0000 (08:32 -0600)]
gpo: Move implementation from samba_gpoupdate
The implementation of group policy apply should
not be in the application script. One reason is
to implement user apply, we can call these
functions via the python c-api, (passing creds
via the command line will expose them via ps).
Another reason for this is if some overrides
the smb.conf "gpo update command" option, it
would be useful to have these functions.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Thu, 29 Mar 2018 14:25:05 +0000 (08:25 -0600)]
gpo: Create base class gp_inf_ext
Abstract the process of reading from an ini file,
since other extensions will be reading gpos this
way.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Thu, 29 Mar 2018 14:05:21 +0000 (08:05 -0600)]
gpo: Move the file parse function to gp_ext
A file will always be read from the sysvol the
same way, but the data will be read differently.
This patch moves the parse function to gp_ext,
and requires subclasses to implement the read()
function to interpret the data.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Thu, 29 Mar 2018 15:07:53 +0000 (09:07 -0600)]
gpo: Move gp_sec_ext __init__ to base class
For this class to be extensible, the constructor
should be available to subclasses.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Thu, 29 Mar 2018 14:00:15 +0000 (08:00 -0600)]
gpo: Rename the inf_to class to gp_ext_setter
This class will be subclassed and used for more
than just inf settings application.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Arvid Requate [Wed, 11 Apr 2018 19:46:25 +0000 (21:46 +0200)]
Check "auth event notification" param in log_json
When Samba is compiled with JSON support it logs an error message
at log level 3 by default for every authentication event:
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
This patch adjusts the log_json function to consider the smb.conf
parameter "auth event notification" before calling auth_message_send.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
Gary Lockyer [Tue, 13 Mar 2018 03:43:54 +0000 (16:43 +1300)]
ldb-samba: require pid match for cached ldb
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 15 Mar 2018 00:44:52 +0000 (13:44 +1300)]
ldb_wrap: Remove the magic cache of database handles except for sam.ldb
sam.ldb is handled in samdb_connect_url(), not this function.
This cache caused issues when "private dir" was changed in a testing script, but also
just generates many-owner shared mutable state that is frowned upon these days.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Apr 2018 01:34:56 +0000 (13:34 +1200)]
dsdb: Use talloc_get_type_abort() in schema_load_{start,end}_transaction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 06:13:59 +0000 (18:13 +1200)]
dsdb: ensure we take out a read lock during the dsdb_init
We have to also take it out in the partitions code when we load the
partition backends.
This ensures that the init handlers hold a whole-db lock just as the
search code does.
To ensure the locking count in schema_load is balanced, the
private data is now created in the first lock_read() call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Apr 2018 00:29:18 +0000 (12:29 +1200)]
dsdb: Rework schema reload during the read lock
Rather than refusing the reload based on making cached sequence numbers match
just load it once at the time the DB is globally locked, if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Apr 2018 23:58:22 +0000 (11:58 +1200)]
dsdb: Load schema during the read_lock() hook, not the search
This should trigger slightly less often and is the more correct place, as
we only load it during the first lock when not in a transaction.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Apr 2018 04:34:21 +0000 (16:34 +1200)]
dsdb: Allow search before init() is called in extended_dn_out
This matches the earlier check of p && p->normalise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 19:54:20 +0000 (07:54 +1200)]
dsdb: Move ldb_set_default_dns() into rootdse_get_private_data()
This call needs to be done at the very first chance, in this case
during the first call to the lock_read() hook, otherwise the
schema_data module can't find the schema.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 19:58:07 +0000 (07:58 +1200)]
dsdb: Create rootdse_get_private_data()
This will get the private data on the first call, allowing that not to be
the init() hook.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Apr 2018 00:51:49 +0000 (12:51 +1200)]
selftest: Make a transaction before @INDEXLIST etc is checked in dsdb_schema_attributes.py
This helps us remove the write to the database from the (soon to be
read locked) init code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 09:59:01 +0000 (21:59 +1200)]
dsdb: Wait until a transaction starts to call dsdb_schema_set_indices_and_attributes()
This avoids starting a transaction in schema_load_init() and allows it
to operate with a read lock held, which will avoid locking issues
(deadlock detected due to lock odering if we do not have a global
read lock).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 09:15:25 +0000 (21:15 +1200)]
dsdb: Allow search before init() call in encrypted_secrets
Simply do not decrypt anything until the init call is run.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 05:51:57 +0000 (17:51 +1200)]
dsdb: Do not create a transaction in partition_init()
This will allow us to lock the databases for read during all of the Samba init
hooks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 9 Apr 2018 02:52:47 +0000 (14:52 +1200)]
dsdb: Ensure to cancel the transaction if we fail to save the prefixMap
This rare error case forgot to call ldb_transaction_cancel()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 15 Mar 2018 00:42:17 +0000 (13:42 +1300)]
ldb_wrap: Remove ldb_transaction_cancel_noerr from ldb_wrap_fork_hook()
Writing to a TDB, without locks (these are per-process) in a forked child is never going to
end well, if a transaction is open at this point we have bigger problems.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Apr 2018 10:47:03 +0000 (22:47 +1200)]
dsdb: check for dSHeuristics more carefully
This check would pass if the dSHeuristics was treated as always being
000000000 for searches which is not enough, we must check for a value
of
000000001 (userPassword enabled).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Apr 2018 10:49:31 +0000 (22:49 +1200)]
dsdb: Check for userPassword support after loading the databases
The net result of this is only that userPassword values (which were
world readable when set) would still be visible after userPassword
started setting the main DB password.
In AD, those values become hidden once the dSHeuristics bit is set,
but Samba lost that when fixing a performance issue with
f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jeremy Allison [Wed, 11 Apr 2018 17:33:22 +0000 (10:33 -0700)]
s3: tests: Regression test to ensure we can never return a DIRECTORY attribute on a stream.
Tests streams_xattr and also streams_depot.
Inspired from a real-world test case by Andrew Walker <awalker@ixsystems.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13380
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 12 02:04:28 CEST 2018 on sn-devel-144
Jeremy Allison [Wed, 11 Apr 2018 18:05:14 +0000 (11:05 -0700)]
s3: smbd. Generic fix for incorrect reporting of stream dos attributes on a directory
According to MS-FSA a stream name does not have
separate DOS attribute metadata, so we must return
the DOS attribute from the base filename. With one caveat,
a non-default stream name can never be a directory.
As this is common to all streams data stores, we handle
it here instead of inside all stream VFS modules.
Otherwise identical logic would have to be added to
all streams modules in their [f]get_dos_attribute_fn()
VFS calls.
Found in real-world use case by Andrew Walker <awalker@ixsystems.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13380
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Jeremy Allison [Wed, 11 Apr 2018 15:41:00 +0000 (08:41 -0700)]
s3: vfs: vfs_streams_xattr: Don't blindly re-use the base file mode bits.
When returning the stat struct for an xattr stream,
we originally base the st_ex_mode field on the value
from the base file containing the xattr. If the base
file is a directory, it will have S_IFDIR set in st_ex_mode,
but streams can never be directories, they must be reported
as regular files.
The original code OR'ed in S_IFREG, but neglected to
AND out S_IFDIR.
Note this is not a complete to fix bug 13380 as
it doesn't fix the generic case with all streams
modules. See later fix and regression test.
Found in real-world use case by Andrew Walker <awalker@ixsystems.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13380
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Volker Lendecke [Wed, 11 Apr 2018 06:27:41 +0000 (08:27 +0200)]
credentials: Fix CID
1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144
Volker Lendecke [Wed, 11 Apr 2018 06:26:33 +0000 (08:26 +0200)]
credentials: Fix line length
... just because I'll modify that line in the next commit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 11 Apr 2018 06:21:23 +0000 (08:21 +0200)]
credentials: Revert "credentials: Fix CID
1414796 Explicit null dereferenced"
This reverts commit
90c02ec64d0e3c860f8d6906cf849bdd2c7bcc54.
We have code to take care of password==NULL, this CID must be fixed in a
different way
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 19:27:47 +0000 (21:27 +0200)]
smbd: Fix CID
1414783 Double unlock
The loop is unnecessary, both susv4 as well as the Linux manpage
explicitly say:
> These functions shall not return an error code of [EINTR].
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 19:18:15 +0000 (21:18 +0200)]
dnsrpc: Use TALLOC_FREE instead of an explicit if-statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 19:13:37 +0000 (21:13 +0200)]
winbind: Fix CID
1427625 Calling risky function
Probably not really a problem, but we have generate_random(), so why not
use it?
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 19:05:09 +0000 (21:05 +0200)]
vfs_fruit: Fix CID
1416474 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 18:58:11 +0000 (20:58 +0200)]
tevent: Fix CID
1414792 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 11 Apr 2018 08:42:21 +0000 (10:42 +0200)]
rpc_server: Init local_server_* in make_internal_rpc_pipe_socketpair
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13370
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 11 15:19:19 CEST 2018 on sn-devel-144
Andrew Bartlett [Tue, 10 Apr 2018 04:37:45 +0000 (16:37 +1200)]
lib/util: Call log_stack_trace() in smb_panic_default()
This matches the AD DC with the behaviour in smbd.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 11 04:03:07 CEST 2018 on sn-devel-144
Andrew Bartlett [Tue, 10 Apr 2018 04:35:07 +0000 (16:35 +1200)]
lib/util: Move log_stack_trace() to common code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Tue, 10 Apr 2018 04:06:12 +0000 (16:06 +1200)]
lib/util: Log PANIC before calling pacic action just like s3
This is like the changes made in s3 by
4fa555980070d78b39711ef21d77628d26055bc2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Tue, 10 Apr 2018 03:54:10 +0000 (15:54 +1200)]
s3-lib: Remove support for libexc for IRIX backtraces
IRIX is long dead, and this code needs become_root() which is not in
the top level code.
Additionally, the check for libexc never made it into waf, so this
has been dead code since Samba 4.1.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Mar 2018 17:06:03 +0000 (18:06 +0100)]
libsmb: Pass "account_name/flags" through nb_getdc
Don't hardcode values that we might want to change later
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Mar 2018 17:06:03 +0000 (18:06 +0100)]
libsmb: Pass "account_name/flags" through prep_getdc_request
Don't hardcode values that we might want to change later
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Mar 2018 17:01:08 +0000 (18:01 +0100)]
libsmb: Introduce a helper variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 5 Jan 2018 13:21:05 +0000 (14:21 +0100)]
libsmb: Give dsgetdcname.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Mar 2018 14:31:11 +0000 (15:31 +0100)]
libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Mar 2018 14:35:43 +0000 (15:35 +0100)]
libsmb: Remove unused trustdom_cache.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 Jan 2018 13:21:22 +0000 (14:21 +0100)]
nmbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 Jan 2018 13:07:53 +0000 (14:07 +0100)]
nmbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Apr 2018 14:58:46 +0000 (16:58 +0200)]
tdbtool: Use tdb_wipe_all in "erase" command
This is a lot quicker on large, fragmented databases. tdb_delete can
leave the freelist in a fragmented mess.
Also, it's a lot more robust: I've got a 4GB tdb file that was affected
by the problem fixed with
c7211882a79. These databases have large space
at the end that is not part of any record or freelist
entry. tdb_wipe_all converts this space into a freelist entry. One
downside is that with those broken databases (which should not happen
after
c7211882a79) have unallocated blocks in their file range after
this operation.
I think the speed advantage outweighs this disadvantage.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
William Brown [Tue, 10 Apr 2018 04:51:06 +0000 (14:51 +1000)]
s4:ldb/password_hash.c: improve krb5 context error message
When heimdal encounters a MIT krb5.conf that it does not understand,
it would emit an "ldb operations error". Sadly this does not help
or communicate to the administrator the root cause of the issue.
Improve the error message for when krb init fails during password_hash.c
Signed-off-by: William Brown <william@blackhats.net.au>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 9 Apr 2018 16:32:23 +0000 (09:32 -0700)]
s3: smbd: Unix extensions attempts to change wrong field in fchown call.
Cut and paste error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13375
Reported-by: Rungta, Vandana <vrungta@amazon.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Apr 10 00:45:56 CEST 2018 on sn-devel-144
Jeremy Allison [Fri, 6 Apr 2018 20:52:52 +0000 (13:52 -0700)]
s3: smbd: Fix memory leak in vfswrap_getwd()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13372
Signed-off-by: Andrew Walker <awalker@ixsystems.com>.
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Apr 9 21:48:12 CEST 2018 on sn-devel-144
Ralph Wuerthner [Thu, 29 Mar 2018 08:00:41 +0000 (10:00 +0200)]
s3:smb2_tcon: Add check to prevent non-DFS clients from connecting to an msdfs proxy.
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 7 05:05:22 CEST 2018 on sn-devel-144
Volker Lendecke [Fri, 6 Apr 2018 13:57:36 +0000 (15:57 +0200)]
pdb_nds: Fix CID
1273401 Unused value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 6 Apr 2018 09:04:24 +0000 (11:04 +0200)]
idmap: Fix CID
1363261 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 6 Apr 2018 09:02:48 +0000 (11:02 +0200)]
idmap: Use TALLOC_FREE instead of explicit code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 12 Jan 2018 11:29:17 +0000 (12:29 +0100)]
s4/torture: spelling fix in vfs_fruit test
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>