git.samba.org - samba.git/log

ldb: release ldb 1.4.8

* Check for errors from ldb_unpack_data() in ldb_tdb (bug 13959)
* Check for new pack formats during startup (bug 13977)
* Make ldbdump print out pack format info and keys so we have
low level visibility for testing in python (for bug 13978)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

ldb: ldbdump key and pack format version comments

For testing we need to know the actual KV level key of records and each
record's pack format version. This patch makes ldbdump add comments with
that info. We will parse it out in python tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 05:58:17 UTC 2019 on sn-devel-184

(cherry picked from commit a666a99e4dc594bc153cd26b24cddd547c1cc750)

ldb: baseinfo pack format check on init

We will be adding a new packing format in forthcoming commits and there
may be more versions in the future. We need to make sure the database
contains records in a format we know how to read and write.
Done by fetching the @BASEINFO record and reading the first 4
bytes which contain the packing format version.

NOTE: Configure with --abi-check-disable to build this commit. This
patch is part of a set of LDB ABI changes, and the version update is
done on the last commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13977

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(backported from commit 474e55523224430781ed22aa2d0c8a474306e794)

ldb: Fix segfault parsing new pack formats

We need to check for the errors given by ldb_unpack() et al by preserving
the error code from kv_ctx->parser() called by tdb_parse_record() in
ltdb_parse_record().

Otherwise we will silently accept corrupt records and segfault later.

Likewise new pack formats will confuse the parser but not be
detected except by the incomplete struct ldb_message.

With this patch, the user will see a message like:

Invalid data for index DN=@BASEINFO

Failed to connect to 'st/ad_dc/private/sam.ldb' with backend 'tdb': Unable to load ltdb cache records for backend 'ldb_tdb backend'
Failed to connect to st/ad_dc/private/sam.ldb - Unable to load ltdb cache records for backend 'ldb_tdb backend'

This can be refined in the future by a specific check for
pack format versions in a higher caller, but this much is
needed regardless to detect corrupt records.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit a3101b9704f554a350493553336cbbbd7d4ae02e)

ldb: test for parse errors

Parse errors aren't passed up correctly by the tdb backend. This
patch modifies a test to expose the issue, next patch will fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 2de0aebed60b8e83508f50e5391ede618ce0e595)

VERSION: Bump version up to 4.9.13...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Diable GIT_SNAPSHOT for the 4.9.12 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.9.12.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

vfs_glusterfs: Enable profiling for file system operations

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093

Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Aug 26 13:26:08 UTC 2019 on sn-devel-144

vfs_gpfs: Implement special case for denying owner access to ACL

In GPFS, it is not possible to deny ACL or attribute access through a
SPECIAL_OWNER entry. The best that can be done is mapping this to a
named user entry, as this one can at least be stored in an ACL. The same
cannot be done for inheriting SPECIAL_OWNER entries, as these represent
CREATOR OWNER entries, and the limitation of not being able to deny
owner access to ACL or attributes remains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c1770ed96fd3137f45d584ba9328333d5505e3af)

vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function

This is not functional change. It cleans up the code a bit and makes
expanding this codepath in a later patch easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit fbf3a090a9ec94262b2924461cc1d6336af9919c)

docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8bd79ecc37376dbaa35606f9c2777653eb3d55e3)

vfs_gpfs: Remove merge_writeappend parameter

All supported GPFS versions now support setting WRITE and APPEND in the
ACLs independently. Remove this now unused parameter to simplify the
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0aca678fcf1788a76cf0ff11399211c795aa7d2f)

nfs4_acls: Use correct owner information for ACL after owner change

After a chown, the cached stat data is obviously no longer valid. The
code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
a local buffer for the stat data. So later checks of the stat buffer
under the fsp->fsp_name->st would still see the old information.

Fix this by removing the local stat buffer and always update the one
under fsp->fsp_name->st.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 86f7af84f04b06ed96b30f936ace92aa0937be06)

nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL

The previous patch introduced merging of duplicates on the mapping path
from NFS4 ACL entries to DACL entries. Add a testcase to verify the
expected behavior of this codepath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1a137a2f20c2f159c5feaef230a2b85bb9fb23b5)

nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL

The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
mapping back to a DACL, there should be no additional entry. Add a loop
that will check and remove entries that are exact duplicates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9c88602128592ddad537bf70cbe3c51f0b2cebe5)

nfs4_acls: Rename smbacl4_fill_ace4 function

As this function now maps the ACE and also adds it to the NFSv4 ACE,
change the name to better describe its behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 169812943de23cf2752289c63331d786b0b063bd)

nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH

With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
In order to have the file system reflect the owner permissions in the
POSIX modebits, create a second entry for the user. This will be mapped
to the "special owner" entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b796119e2df38d1935064556934dd10da6f3d339)

nfs4_acls: Remove redundant pointer variable

The previous patch introduced a pointer to a local variable to reduce
the amount of lines changed. Remove that pointer and adjust all usage
accordingly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit aa4644193635d846c2e08e8c1e7b512e8009c2ef)

nfs4_acls: Remove redundant logging from smbacl4_fill_ace4

Logging flags in case they do not match seems unnecessary. Other log
messages should show the flags as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7ab0003ffc098247c3ee3962d7061f2af5a2d00e)

nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit abb58b17599bd3f9a06037e208dcc5033c7fdd8b)

nfs4_acls: Move smbacl4_MergeIgnoreReject function

This static function will be called earlier in later patches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3499d97463110f042415d917160bc2743805a544)

nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject

This is only used for logging of a rejected ACL, but does not provide
additional useful information. Remove it to simplify the function a bit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 44790721e4f2c6ee6f46de7ac88123ce1a9f6e39)

nfs4_acls: Add missing braces in smbacl4_win2nfs4

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ba73d2363d93a376ba4947963c9de45a7e683f02)

nfs4_acls: Add helper function for checking INHERIT flags.

This avoids some code duplication. Do not make this static, as it will
be used in a later patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 336e8668c1cc3682cb3c198eb6dc49baf522a79a)

nfs4_acls: Use correct type when checking ownerGID

uid and gid are members of the same union so this makes no difference,
but for type correctness and readability use the gid to check for
ownerGID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3b3d722ce579c19c7b08d06a3adea275537545dc)

nfs4_acls: Use switch/case for checking idmap type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f198a0867e71f248d4887ab0b6f2832123b16d11)

nfs4_acls: Use sids_to_unixids to lookup uid or gid

This is the newer API to lookup id mappings and will make it easier to
add to the IDMAP_TYPE_BOTH case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d9a2ff559e1ad953141b1118a9e370496f1f61fa)

test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH

When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.

Add a testcase to verify that when mapping from DACLS to NFSv4 ACL
entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 38331b00521ef764893a74add01758f14567d901)

test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH

When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.

Add a testcase to verify that when mapping from NFSv4 ACL entries to
DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 86480410aec1d2331c65826a13f909492165a291)

test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special

The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.

This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the
DACL in the security descriptor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 829c5ea99685c0629fd67ed0528897534ff35b36)

test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special

The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.

This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the DACL in the
security descriptor to the NFSv4 ACL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7ae06d96eb59722154d30e21949f9dba4f2f0bc6)

test_nfs4_acls: Add test for matching DACL entries for acedup

The NFSv4 mapping code has a config option nfs4:acedup for the mapping
path from DACLs to NFSv4 ACLs. Part of this codepath is detecting
duplicate ACL entries. Add a testcase with different ACL entries and
verify that only exactly matching entries are detected as duplicates and
treated accordingly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f55cdf42a14f314102f2e13cb06d4db48c08ad4b)

test_nfs4_acls: Add test for acedup settings

The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the
setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries
are either merged, ignored or rejected. Add a testcase that has
duplicate ACL entries and verify the expected behavior for all possible
settings of the nfs4:acedup option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9671bf2b9f055012057620207624aa2f4ea6833e)

test_nfs4_acls: Add test for 'map full control' option

"map full control" when enabled adds the DELETE_CHILD permission, when
all other permissions are present. This allows Windows clients to
display the "FULL CONTROL" permissions.

Add a testcase that verifies this mapping when mapping from NFSv4 ACL to
the DACL in the security descriptor. Also verify that switching the
option off disables this behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 30677df4dac4ebfcf4e3198db33f14be37948197)

test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries

Add testcase for mapping from NFSv4 ACL entries for "special owner" and
"special group" to DACL entries in the security descriptor. Each NFSv4
entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR
GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR
entry and an additional explicit entry granting permission on the
current object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1)

test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries

Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
with inheritance flag in the security descriptor to NFSv4 "special
owner" and "special group" entries. This is the correct mapping for
these entries as inheriting "special owner" and "special group" grants
permissions to the actual owner and owning group of the new file or
directory, similar to what CREATOR entries do.

The other side is that CREATOR entries without any inheritance flags do
not make sense, so these are not mapped to NFSv4 ACL entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)

test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries

Add testcase for mapping from entries in the DACL security descriptor to
"special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
ignored, as there is no meaningful mapping for this entry. Verify that
SID entries matching the owner or group are mapped to "special owner"
or "special group", but only if no inheritance flags are used. "special
owner" and "special group" with inheritance flags have the meaning of
CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1f1fa5bde2c76636c1beec39c21067b252ea10be)

test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries

In addition to entries for users and groups, NFSv4 ACLs have the concept
of entries for "special" entries. Only the "owner", "group" and
"everyone" entries are currently used in the ACL mapping.

Add a testcase that verifies the mapping from NFSv4 "special" entries to
the DACL in the security descriptor. Verify that only "owner", "group"
and "everyone" are mapped and all other "special" entries are ignored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f86148948c7f89307a34e31f6ddede6923149d34)

test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL

Add testcase for mapping the permission flags from the DACL in the
Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as
the same permission bits exist for Security Descriptors and NFSv4 ACLs.
In addition, the code also maps from the generic DACL permissions to a
set of NFSv4 permissions, also verify this mapping.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e4840e680744bd860beedeb5123704c3c0d6a4d7)

test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL

Add testcase for mapping permissions from the NFSv4 ACL to DACL in the
security descriptor. The mapping is simple as each permission bit exists
on both sides.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6)

test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL

Add testcase for the mapping of inheritance flags from the DACL in the
security descriptor to the NFSv4 ACL. The mapping is different for files
and directories as some inheritance flags should not be present for
files. Also other flags are not mapped at all, verify this behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bccd2612761e26ee2514935d56927b2c0c000859)

test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL

Add testcase for the mapping of inheritance flags when mapping from a
NFSv4 ACL to a DACL in the security descriptor. The mapping is different
between files and directories, as some inheritance flags should never be
present for files. Some defined flags like SUCCESSFUL_ACCESS are also
not mapped at this point, also verify this behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 16eb61a900c6749c2554d635ce2dd903f5de1704)

test_nfs4_acls: Add tests for mapping of ACL types

Add testcases for mapping the type field (ALLOW or DENY) between NFSv4
ACLs and security descriptors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit dd5934797526ebb4c6f3027a809401dad3abf701)

test_nfs4_acls: Add tests for mapping of empty ACLs

This is a fairly simple test that ensures the mapping of empty ACLs
(without any ACL entries) is always done the same way.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00f494b25f4e1d1aecf6191523e30f20a90b1e4f)

selftest: Start implementing unit test for nfs4_acls

Existing smbtorture tests set and query ACLs through SMB, only working
with the DACLs in the Security Descriptors, but never check the NFSv4
ACL representation. This patch introduces a unit test to verify the
mapping between between Security Descriptors and NFSv4 ACLs. As the
mapping code queries id mappings, the id mapping cache is first primed
with the mappings used by the tests and those mappings are removed again
during teardown.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8fb906a1860452a320c79ac87917a97303729c19)

nfs4_acls: Remove fsp from smbacl4_win2nfs4

Only the information whether the ACL is for a file or a directory is
required. Replacing the fsp with a flag is clearer and allows for unit
testing of the mapping functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a06486bb110d04a90b66a0bca4b1b600ef3c0ebf)

Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"

This reverts commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.

That patch broke the case with ID_TYPE_BOTH where a file is owned by a
group (e.g. using autorid and having a file owned by
BUILTIN\Administrators). In this case, the ACE entry for the group gets
mapped a to a user ACL entry and the group no longer has access (as in
the user's token the group is not mapped to a uid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 42bd3a72a2525aa8a918f4bf7067b30ce8e0e197)

vfs: Use dom_sid_str_buf

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit 59f29acb2cd947d2f594a5af3d73d0cbe8298d92)

Add PrimaryGroupId to group array in DC response

This is a simplified version of the original patch by:
Felix Botner <botner@univention.de>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184

(cherry picked from commit 2ae75184fcb5dc90602aeef113d4c13540073324)

selftest: check for PrimaryGroupId in DC returned group array

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)

selftest: remote_pac: s/s2u4self/s4u2self/g

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 60afe949c3e664f81c9b0db9c54f701aa2874a5e)

vfs:glusterfs_fuse: build only if we have setmntent()

FreeBSD and other platforms that don't have setmntent() and friends can
not compile this module. This patch lets changes the build to only
compile this module if the setmntent() function is found.

This is the a follow-up fix to the actual fix for bug #13972.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184

vfs:glusterfs_fuse: ensure fileids are constant across nodes

Instead of adding a new gluster-specific mode to the fileid module,
this patches provides a fileid algorithm as part of the glusterfs_fuse
vfs module. This can not be configured further, simply adding the
glusterfs_fuse vfs module to the vfs objects configuration will enable
the new fileid mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184

smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames

Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184

(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Aug 16 14:18:35 UTC 2019 on sn-devel-144

lookup_name: allow own domain lookup when flags == 0

In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.

Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.

For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().

[2019/08/03 07:14:24.156065,  1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       lsa_LookupNames3: struct lsa_LookupNames3
          in: struct lsa_LookupNames3
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000004c-0000-0000-455d-3018575c0000
              num_names                : 0x00000001 (1)
              names: ARRAY(1)
                  names: struct lsa_String
                      length                   : 0x000a (10)
                      size                     : 0x000c (12)
                      string                   : *
                          string                   : 'XS\ab'
              sids                     : *
                  sids: struct lsa_TransSidArray3
                      count                    : 0x00000000 (0)
                      sids                     : NULL
              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
              count                    : *
                  count                    : 0x00000000 (0)
              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
              client_revision          : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189,  6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00   00 00 00 00 45 5D 30 18   ....L... ....E]0.
  [0010] 57 5C 00 00                                        W\..
[2019/08/03 07:14:24.156228,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2019/08/03 07:14:24.156285,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311,  5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
  lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
  lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
  lookup_name: flags = 0x00

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)

torture/rpc/lsa: allow testing different lookup levels

Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)

Revert "s3:messages: protect against usage of wrapper tevent_context objects for messaging"

This reverts commit 7f2afc20e1b6397c364a98d1be006377c95e4665.

See the discussion in

https://lists.samba.org/archive/samba-technical/2018-December/131731.html

for the reasoning behind this revert.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2a62a98f5c7107f2f83c0bfc2892243d83e2c88a)

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Thu Aug 8 11:20:26 UTC 2019 on sn-devel-144

Revert "s3:messages: allow messaging_{dgm,ctdb}_register_tevent_context() to use wrapper tevent_context"

This reverts commit 660cf86639753edaa7a7a21a5b5ae207ae7d4260.

See the discussion in

https://lists.samba.org/archive/samba-technical/2018-December/131731.html

for the reasoning behind this revert.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1c3676f3aa9c1564eb140a24ced5ee72b859b87f)

Revert "s3:messages: allow messaging_dgm_ref() to use wrapper tevent_context"

This reverts commit 9dc332060cf5f249ea887dbc60ec7a39b6f91120.

See the discussion in

https://lists.samba.org/archive/samba-technical/2018-December/131731.html

for the reasoning behind this revert.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 26107832cd9d200fb171ef1f991d7ef5478cac18)

Revert "s3:messages: allow messaging_filtered_read_send() to use wrapper tevent_context"

This reverts commit 2b05f1098187e00166649c8ea7c63e6901b9d242.

See the discussion in

https://lists.samba.org/archive/samba-technical/2018-December/131731.html

for the reasoning behind this revert.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e2a5272ac6831b407a0c51bb8615252ec68be6a8)

Revert "s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper"

This reverts commit e186d6a06b1b300256a2cb4138f0532d518d0597.

See the discussion in

https://lists.samba.org/archive/samba-technical/2018-December/131731.html

for the reasoning behind this revert.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0bd10a48e4c08d1eb3a20e79d952b3c0f12be46a)

ctdb-config: depend on /etc/ctdb/nodes file

CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.

Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit c5803507df7def388edcd5b6cbfee30cd217b536)

vfs_catia: pass stat info to synthetic_smb_fname()

This doesn't cause visible damage in vanilla Samba, but would affect downstream
consumers that add additional fields to struct smb_filename.

For the same reason there's no test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015
RN: Ensure vfs_catia passes stat info to stacked VFS modules

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ae6dd4853e3e651f6e56ce735bcb0a2264857385)

samba-tool: add 'import samba.drs_utils' to fsmo.py

On some systems we're seeing this:

ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
     except samba.drs_utils.drsException as e:

E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)

While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.

There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184

(cherry picked from commit 320a5c5425e6ced18b1a9bf19b4f361ee16821ed)

samba-tool: use only one LDAP modify for dns partition fsmo role transfer

We should not risk that we end with no role owner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 6a2e3a15585086bcceb18283216978a2fcb30da3)

s4:torture:fsmo.py: remove unused 'net_cmd' variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0fbb013bef886e425602fdbbef14a4029719818f)

samba-tool: fix replication after dns partition fsmo role transfer

The new role owner need to replicate from the old role owner.

Before we told the old role owner to replicate from itself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)

s4:torture:fsmo.py: test role transfers of dns partitions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5e000a8487d788dd196980b77ec7299c8be74abf)

dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184

(cherry picked from commit aa2a3d95098231f48d7c308881bf66418164111e)

dnsp.idl: fix the dnsp_dns_addr_array definition

The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):

  AddrArray: ARRAY(3)
      AddrArray: struct dnsp_dns_addr
          family                   : 0x0002 (2)
          port                     : 0x0035 (53)
          ipv4                     : 172.31.99.33
          ipv6                     : 0000:0000:0000:0000:0000:0000:0000:0000

[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6fc7cc15048673d109042d7b40684ed63eb4ff9e)

dnsp.idl: fix dnsp_ip4_array definition

In future we should use ipv4address, but that would result in a much
larger change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6d958af0b4cb6fd45cfda0298243859b3b043c6f)

s4:torture: add local.ndr.dnsp tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 9a0c3a475f29138c0c49e0d22cf52ab45178d16b)

dbcheck: fallback to the default tombstoneLifetime of 180 days

If a domain was provisioned by Windows 2000 this value is missing in the
database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184

(cherry picked from commit 2ef79a4c1d695a3e498b142810a1317d85b9b6da)

lib/util: remove unused prototypes in debug.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d98a971247450d494c581c5454e6c270ad1b6880)

lib/util: fix call to dbghdrclass() for DEBUGC()

dbghdrclass() sets the global 'current_msg_class' and for that
DEBUGC() should pass the given dbgc_class instead of the per file
DBGC_CLASS.

This is important with the new per class logfile with:

log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit bb0ffbf38cb1955c9e400003add680eabcf706a6)

s4/libnet: Fix joining a Windows pre-2008R2 DC

From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.

If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.

We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.

I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144

vfs:glusterfs_fuse: treat ENOATTR as ENOENT

The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.

Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.

This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.

- Without this patch, samba against a new gluster will work correctly,
  but the get_real_filename optimization for a non-existing entry
  is lost.

- With this patch, Samba will not work correctly any more against
  very old gluster servers: Those (correctly) returned ENOATTR
  always, which Samba originally interpreted as EOPNOTSUPP, triggering
  the expensive directory scan. With this patch, ENOATTR is
  interpreted as ENOENT, the authoritative answer that the requested
  entry does not exist, which is wrong unless it really does not exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184

(cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)

vfs:glusterfs: treat ENOATTR as ENOENT

The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.

Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.

This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.

- Without this patch, samba against a new gluster will work correctly,
  but the get_real_filename optimization for a non-existing entry
  is lost.

- With this patch, Samba will not work correctly any more against
  very old gluster servers: Those (correctly) returned ENOATTR
  always, which Samba originally interpreted as EOPNOTSUPP, triggering
  the expensive directory scan. With this patch, ENOATTR is
  interpreted as ENOENT, the authoritative answer that the requested
  entry does not exist, which is wrong unless it really does not exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)

dsdb: Handle DB corner-case where PSO container doesn't exist

A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.

We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.

The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)

s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()

The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)

s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.

Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)

s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)

WHATSNEW: Fix typo.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Bump version up to 4.9.12...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.9.11 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.9.11.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

ldb: Release ldb 1.4.7

Compared to 1.4.6:

* LDAP_REFERRAL_SCHEME_OPAQUE was added
   to ldb_module.h in order to fix bug #12478.
   It means that Samba >= 4.9.11 is no longer able to
   build with ldb 1.4.6.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Stefan Metzmacher <metze@samba.org>

VERSION: Bump version up to 4.9.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.9.10 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.9.10.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

python/ntacls: use correct "state directory" smb.conf option instead of "state dir"

samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs
Fixes: Unknown parameter encountered: "state dir"
Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 670a12df52df63a067b638d37bec71341bf18bdd)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Wed Jun 26 11:40:27 UTC 2019 on sn-devel-144

docs: Document DCEPRC binding string for rpcclient

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 4 02:03:56 CET 2019 on sn-devel-144

(cherry picked from commit cca48c1a1029685672e1c25e39e8be2be947238f)

s3:mdssvc: fix flex compilation error

[4440/4495] Compiling bin/default/source3/rpc_server/mdssvc/sparql_lexer.lex.c
../../source3/rpc_server/mdssvc/sparql_lexer.l:26: error: "yyalloc" redefined [-Werror]
26 | #define yyalloc SMB_MALLOC

Looks like the dirty redefine trick doesn't work anymore with newer flex
versions. According to the flex manual the right thing to do is to provide own
functions for yyalloc and yyrealloc when passing the options "noyyalloc
noyyrealloc".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13987

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184

(cherry picked from commit 9053391f86a529e0a7dbcd23fa3a555d85c2207c)

Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Jun 21 11:49:59 UTC 2019 on sn-devel-144

ctdb-scripts: Fix tcp_tw_recycle existence check

net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
makes sense to check its existence. Unfortunately, current check does
not test for the procfs file existence. This commit fixes the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13984

Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 4 23:31:24 UTC 2019 on sn-devel-184

(cherry picked from commit 843fbb1207ee7ac84f3282974b66b9290d8da0ac)

docs: Improve documentation of "lanman auth" and "ntlm auth" connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)

vfs_fruit: remove a now unnecessary include

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184

(cherry picked from commit 9a2c9834cb1b77547b8b932c35870301afb9fc25)

vfs_fruit: use VFS functions in ad_read_rsrc_adouble()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9fe84a6345bf5d9fdb1df87a853db3380e6fb0f7)

vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 70c4a8f0ac307009c26e857523192c95b42a92f5)

vfs_fruit: use VFS function in ad_convert_truncate()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3739ad90cf2bbaa2094a34197c894363d2e24a5a)