Andrew Bartlett [Tue, 16 Jul 2019 06:13:48 +0000 (18:13 +1200)]
ldb: release ldb 1.4.8
* Check for errors from ldb_unpack_data() in ldb_tdb (bug 13959)
* Check for new pack formats during startup (bug 13977)
* Make ldbdump print out pack format info and keys so we have
low level visibility for testing in python (for bug 13978)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Aaron Haslett [Mon, 20 May 2019 04:19:51 +0000 (16:19 +1200)]
ldb: ldbdump key and pack format version comments
For testing we need to know the actual KV level key of records and each
record's pack format version. This patch makes ldbdump add comments with
that info. We will parse it out in python tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13978
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 05:58:17 UTC 2019 on sn-devel-184
(cherry picked from commit
a666a99e4dc594bc153cd26b24cddd547c1cc750)
Aaron Haslett [Fri, 10 May 2019 06:10:51 +0000 (18:10 +1200)]
ldb: baseinfo pack format check on init
We will be adding a new packing format in forthcoming commits and there
may be more versions in the future. We need to make sure the database
contains records in a format we know how to read and write.
Done by fetching the @BASEINFO record and reading the first 4
bytes which contain the packing format version.
NOTE: Configure with --abi-check-disable to build this commit. This
patch is part of a set of LDB ABI changes, and the version update is
done on the last commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13977
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(backported from commit
474e55523224430781ed22aa2d0c8a474306e794)
Andrew Bartlett [Wed, 22 May 2019 04:38:08 +0000 (16:38 +1200)]
ldb: Fix segfault parsing new pack formats
We need to check for the errors given by ldb_unpack() et al by preserving
the error code from kv_ctx->parser() called by tdb_parse_record() in
ltdb_parse_record().
Otherwise we will silently accept corrupt records and segfault later.
Likewise new pack formats will confuse the parser but not be
detected except by the incomplete struct ldb_message.
With this patch, the user will see a message like:
Invalid data for index DN=@BASEINFO
Failed to connect to 'st/ad_dc/private/sam.ldb' with backend 'tdb': Unable to load ltdb cache records for backend 'ldb_tdb backend'
Failed to connect to st/ad_dc/private/sam.ldb - Unable to load ltdb cache records for backend 'ldb_tdb backend'
This can be refined in the future by a specific check for
pack format versions in a higher caller, but this much is
needed regardless to detect corrupt records.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
a3101b9704f554a350493553336cbbbd7d4ae02e)
Aaron Haslett [Tue, 28 May 2019 05:22:10 +0000 (17:22 +1200)]
ldb: test for parse errors
Parse errors aren't passed up correctly by the tdb backend. This
patch modifies a test to expose the issue, next patch will fix it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13959
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
2de0aebed60b8e83508f50e5391ede618ce0e595)
Karolin Seeger [Tue, 27 Aug 2019 08:13:25 +0000 (10:13 +0200)]
VERSION: Bump version up to 4.9.13...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Aug 2019 08:12:40 +0000 (10:12 +0200)]
VERSION: Diable GIT_SNAPSHOT for the 4.9.12 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Aug 2019 08:10:54 +0000 (10:10 +0200)]
WHATSNEW: Add release notes for Samba 4.9.12.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Anoop C S [Mon, 5 Aug 2019 05:15:01 +0000 (10:45 +0530)]
vfs_glusterfs: Enable profiling for file system operations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Aug 26 13:26:08 UTC 2019 on sn-devel-144
Christof Schmitt [Tue, 9 Jul 2019 20:39:55 +0000 (13:39 -0700)]
vfs_gpfs: Implement special case for denying owner access to ACL
In GPFS, it is not possible to deny ACL or attribute access through a
SPECIAL_OWNER entry. The best that can be done is mapping this to a
named user entry, as this one can at least be stored in an ACL. The same
cannot be done for inheriting SPECIAL_OWNER entries, as these represent
CREATOR OWNER entries, and the limitation of not being able to deny
owner access to ACL or attributes remains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c1770ed96fd3137f45d584ba9328333d5505e3af)
Christof Schmitt [Tue, 9 Jul 2019 20:08:35 +0000 (13:08 -0700)]
vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
This is not functional change. It cleans up the code a bit and makes
expanding this codepath in a later patch easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
fbf3a090a9ec94262b2924461cc1d6336af9919c)
Christof Schmitt [Wed, 10 Jul 2019 18:06:19 +0000 (11:06 -0700)]
docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
8bd79ecc37376dbaa35606f9c2777653eb3d55e3)
Christof Schmitt [Tue, 9 Jul 2019 19:04:35 +0000 (12:04 -0700)]
vfs_gpfs: Remove merge_writeappend parameter
All supported GPFS versions now support setting WRITE and APPEND in the
ACLs independently. Remove this now unused parameter to simplify the
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0aca678fcf1788a76cf0ff11399211c795aa7d2f)
Christof Schmitt [Wed, 17 Jul 2019 22:29:06 +0000 (15:29 -0700)]
nfs4_acls: Use correct owner information for ACL after owner change
After a chown, the cached stat data is obviously no longer valid. The
code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
a local buffer for the stat data. So later checks of the stat buffer
under the fsp->fsp_name->st would still see the old information.
Fix this by removing the local stat buffer and always update the one
under fsp->fsp_name->st.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
86f7af84f04b06ed96b30f936ace92aa0937be06)
Christof Schmitt [Wed, 10 Jul 2019 20:14:32 +0000 (13:14 -0700)]
nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
The previous patch introduced merging of duplicates on the mapping path
from NFS4 ACL entries to DACL entries. Add a testcase to verify the
expected behavior of this codepath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1a137a2f20c2f159c5feaef230a2b85bb9fb23b5)
Christof Schmitt [Tue, 2 Jul 2019 22:08:11 +0000 (15:08 -0700)]
nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
mapping back to a DACL, there should be no additional entry. Add a loop
that will check and remove entries that are exact duplicates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
9c88602128592ddad537bf70cbe3c51f0b2cebe5)
Christof Schmitt [Thu, 18 Jul 2019 18:49:29 +0000 (11:49 -0700)]
nfs4_acls: Rename smbacl4_fill_ace4 function
As this function now maps the ACE and also adds it to the NFSv4 ACE,
change the name to better describe its behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
169812943de23cf2752289c63331d786b0b063bd)
Christof Schmitt [Wed, 17 Jul 2019 17:49:47 +0000 (10:49 -0700)]
nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
In order to have the file system reflect the owner permissions in the
POSIX modebits, create a second entry for the user. This will be mapped
to the "special owner" entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b796119e2df38d1935064556934dd10da6f3d339)
Christof Schmitt [Tue, 16 Jul 2019 22:56:12 +0000 (15:56 -0700)]
nfs4_acls: Remove redundant pointer variable
The previous patch introduced a pointer to a local variable to reduce
the amount of lines changed. Remove that pointer and adjust all usage
accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
aa4644193635d846c2e08e8c1e7b512e8009c2ef)
Christof Schmitt [Tue, 16 Jul 2019 22:50:36 +0000 (15:50 -0700)]
nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
Logging flags in case they do not match seems unnecessary. Other log
messages should show the flags as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7ab0003ffc098247c3ee3962d7061f2af5a2d00e)
Christof Schmitt [Tue, 16 Jul 2019 22:30:36 +0000 (15:30 -0700)]
nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
abb58b17599bd3f9a06037e208dcc5033c7fdd8b)
Christof Schmitt [Tue, 16 Jul 2019 22:20:25 +0000 (15:20 -0700)]
nfs4_acls: Move smbacl4_MergeIgnoreReject function
This static function will be called earlier in later patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
3499d97463110f042415d917160bc2743805a544)
Christof Schmitt [Mon, 15 Jul 2019 21:43:01 +0000 (14:43 -0700)]
nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
This is only used for logging of a rejected ACL, but does not provide
additional useful information. Remove it to simplify the function a bit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
44790721e4f2c6ee6f46de7ac88123ce1a9f6e39)
Christof Schmitt [Tue, 2 Jul 2019 20:20:44 +0000 (13:20 -0700)]
nfs4_acls: Add missing braces in smbacl4_win2nfs4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
ba73d2363d93a376ba4947963c9de45a7e683f02)
Christof Schmitt [Wed, 26 Jun 2019 20:20:17 +0000 (13:20 -0700)]
nfs4_acls: Add helper function for checking INHERIT flags.
This avoids some code duplication. Do not make this static, as it will
be used in a later patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
336e8668c1cc3682cb3c198eb6dc49baf522a79a)
Christof Schmitt [Tue, 25 Jun 2019 22:21:06 +0000 (15:21 -0700)]
nfs4_acls: Use correct type when checking ownerGID
uid and gid are members of the same union so this makes no difference,
but for type correctness and readability use the gid to check for
ownerGID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
3b3d722ce579c19c7b08d06a3adea275537545dc)
Christof Schmitt [Mon, 15 Jul 2019 20:15:32 +0000 (13:15 -0700)]
nfs4_acls: Use switch/case for checking idmap type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f198a0867e71f248d4887ab0b6f2832123b16d11)
Christof Schmitt [Wed, 26 Jun 2019 20:24:16 +0000 (13:24 -0700)]
nfs4_acls: Use sids_to_unixids to lookup uid or gid
This is the newer API to lookup id mappings and will make it easier to
add to the IDMAP_TYPE_BOTH case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d9a2ff559e1ad953141b1118a9e370496f1f61fa)
Christof Schmitt [Tue, 2 Jul 2019 20:04:44 +0000 (13:04 -0700)]
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from DACLS to NFSv4 ACL
entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
38331b00521ef764893a74add01758f14567d901)
Christof Schmitt [Tue, 2 Jul 2019 19:50:42 +0000 (12:50 -0700)]
test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from NFSv4 ACL entries to
DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
86480410aec1d2331c65826a13f909492165a291)
Christof Schmitt [Tue, 2 Jul 2019 19:23:02 +0000 (12:23 -0700)]
test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the
DACL in the security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
829c5ea99685c0629fd67ed0528897534ff35b36)
Christof Schmitt [Tue, 2 Jul 2019 19:16:08 +0000 (12:16 -0700)]
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the DACL in the
security descriptor to the NFSv4 ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7ae06d96eb59722154d30e21949f9dba4f2f0bc6)
Christof Schmitt [Tue, 2 Jul 2019 19:09:04 +0000 (12:09 -0700)]
test_nfs4_acls: Add test for matching DACL entries for acedup
The NFSv4 mapping code has a config option nfs4:acedup for the mapping
path from DACLs to NFSv4 ACLs. Part of this codepath is detecting
duplicate ACL entries. Add a testcase with different ACL entries and
verify that only exactly matching entries are detected as duplicates and
treated accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f55cdf42a14f314102f2e13cb06d4db48c08ad4b)
Christof Schmitt [Tue, 2 Jul 2019 19:07:36 +0000 (12:07 -0700)]
test_nfs4_acls: Add test for acedup settings
The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the
setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries
are either merged, ignored or rejected. Add a testcase that has
duplicate ACL entries and verify the expected behavior for all possible
settings of the nfs4:acedup option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
9671bf2b9f055012057620207624aa2f4ea6833e)
Christof Schmitt [Tue, 2 Jul 2019 19:02:58 +0000 (12:02 -0700)]
test_nfs4_acls: Add test for 'map full control' option
"map full control" when enabled adds the DELETE_CHILD permission, when
all other permissions are present. This allows Windows clients to
display the "FULL CONTROL" permissions.
Add a testcase that verifies this mapping when mapping from NFSv4 ACL to
the DACL in the security descriptor. Also verify that switching the
option off disables this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
30677df4dac4ebfcf4e3198db33f14be37948197)
Christof Schmitt [Tue, 2 Jul 2019 18:57:45 +0000 (11:57 -0700)]
test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
Add testcase for mapping from NFSv4 ACL entries for "special owner" and
"special group" to DACL entries in the security descriptor. Each NFSv4
entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR
GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR
entry and an additional explicit entry granting permission on the
current object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1)
Christof Schmitt [Tue, 2 Jul 2019 18:55:59 +0000 (11:55 -0700)]
test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
with inheritance flag in the security descriptor to NFSv4 "special
owner" and "special group" entries. This is the correct mapping for
these entries as inheriting "special owner" and "special group" grants
permissions to the actual owner and owning group of the new file or
directory, similar to what CREATOR entries do.
The other side is that CREATOR entries without any inheritance flags do
not make sense, so these are not mapped to NFSv4 ACL entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)
Christof Schmitt [Tue, 2 Jul 2019 18:53:15 +0000 (11:53 -0700)]
test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
Add testcase for mapping from entries in the DACL security descriptor to
"special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
ignored, as there is no meaningful mapping for this entry. Verify that
SID entries matching the owner or group are mapped to "special owner"
or "special group", but only if no inheritance flags are used. "special
owner" and "special group" with inheritance flags have the meaning of
CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1f1fa5bde2c76636c1beec39c21067b252ea10be)
Christof Schmitt [Tue, 2 Jul 2019 18:46:23 +0000 (11:46 -0700)]
test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
In addition to entries for users and groups, NFSv4 ACLs have the concept
of entries for "special" entries. Only the "owner", "group" and
"everyone" entries are currently used in the ACL mapping.
Add a testcase that verifies the mapping from NFSv4 "special" entries to
the DACL in the security descriptor. Verify that only "owner", "group"
and "everyone" are mapped and all other "special" entries are ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f86148948c7f89307a34e31f6ddede6923149d34)
Christof Schmitt [Tue, 2 Jul 2019 18:35:34 +0000 (11:35 -0700)]
test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
Add testcase for mapping the permission flags from the DACL in the
Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as
the same permission bits exist for Security Descriptors and NFSv4 ACLs.
In addition, the code also maps from the generic DACL permissions to a
set of NFSv4 permissions, also verify this mapping.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e4840e680744bd860beedeb5123704c3c0d6a4d7)
Christof Schmitt [Tue, 2 Jul 2019 18:33:29 +0000 (11:33 -0700)]
test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
Add testcase for mapping permissions from the NFSv4 ACL to DACL in the
security descriptor. The mapping is simple as each permission bit exists
on both sides.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1767027b44a9e4ebd865022e3f8abb0c72bf15c6)
Christof Schmitt [Tue, 2 Jul 2019 18:30:12 +0000 (11:30 -0700)]
test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
Add testcase for the mapping of inheritance flags from the DACL in the
security descriptor to the NFSv4 ACL. The mapping is different for files
and directories as some inheritance flags should not be present for
files. Also other flags are not mapped at all, verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bccd2612761e26ee2514935d56927b2c0c000859)
Christof Schmitt [Tue, 2 Jul 2019 18:28:31 +0000 (11:28 -0700)]
test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
Add testcase for the mapping of inheritance flags when mapping from a
NFSv4 ACL to a DACL in the security descriptor. The mapping is different
between files and directories, as some inheritance flags should never be
present for files. Some defined flags like SUCCESSFUL_ACCESS are also
not mapped at this point, also verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
16eb61a900c6749c2554d635ce2dd903f5de1704)
Christof Schmitt [Tue, 2 Jul 2019 18:25:33 +0000 (11:25 -0700)]
test_nfs4_acls: Add tests for mapping of ACL types
Add testcases for mapping the type field (ALLOW or DENY) between NFSv4
ACLs and security descriptors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
dd5934797526ebb4c6f3027a809401dad3abf701)
Christof Schmitt [Tue, 2 Jul 2019 18:23:40 +0000 (11:23 -0700)]
test_nfs4_acls: Add tests for mapping of empty ACLs
This is a fairly simple test that ensures the mapping of empty ACLs
(without any ACL entries) is always done the same way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
00f494b25f4e1d1aecf6191523e30f20a90b1e4f)
Christof Schmitt [Tue, 2 Jul 2019 18:22:13 +0000 (11:22 -0700)]
selftest: Start implementing unit test for nfs4_acls
Existing smbtorture tests set and query ACLs through SMB, only working
with the DACLs in the Security Descriptors, but never check the NFSv4
ACL representation. This patch introduces a unit test to verify the
mapping between between Security Descriptors and NFSv4 ACLs. As the
mapping code queries id mappings, the id mapping cache is first primed
with the mappings used by the tests and those mappings are removed again
during teardown.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
8fb906a1860452a320c79ac87917a97303729c19)
Christof Schmitt [Tue, 11 Jun 2019 23:15:10 +0000 (16:15 -0700)]
nfs4_acls: Remove fsp from smbacl4_win2nfs4
Only the information whether the ACL is for a file or a directory is
required. Replacing the fsp with a flag is clearer and allows for unit
testing of the mapping functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
a06486bb110d04a90b66a0bca4b1b600ef3c0ebf)
Christof Schmitt [Fri, 7 Jun 2019 19:55:32 +0000 (12:55 -0700)]
Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
This reverts commit
5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.
That patch broke the case with ID_TYPE_BOTH where a file is owned by a
group (e.g. using autorid and having a file owned by
BUILTIN\Administrators). In this case, the ACE entry for the group gets
mapped a to a user ACL entry and the group no longer has access (as in
the user's token the group is not mapped to a uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
42bd3a72a2525aa8a918f4bf7067b30ce8e0e197)
Volker Lendecke [Tue, 11 Dec 2018 16:17:46 +0000 (17:17 +0100)]
vfs: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit
59f29acb2cd947d2f594a5af3d73d0cbe8298d92)
Isaac Boukris [Wed, 3 Apr 2019 16:45:02 +0000 (19:45 +0300)]
Add PrimaryGroupId to group array in DC response
This is a simplified version of the original patch by:
Felix Botner <botner@univention.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
(cherry picked from commit
2ae75184fcb5dc90602aeef113d4c13540073324)
Isaac Boukris [Fri, 31 May 2019 14:22:50 +0000 (17:22 +0300)]
selftest: check for PrimaryGroupId in DC returned group array
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3700998419738caa1ca8672fbf5dbaccaaa498fa)
Isaac Boukris [Fri, 31 May 2019 17:02:30 +0000 (20:02 +0300)]
selftest: remote_pac: s/s2u4self/s4u2self/g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
60afe949c3e664f81c9b0db9c54f701aa2874a5e)
Michael Adam [Wed, 31 Jul 2019 22:47:29 +0000 (00:47 +0200)]
vfs:glusterfs_fuse: build only if we have setmntent()
FreeBSD and other platforms that don't have setmntent() and friends can
not compile this module. This patch lets changes the build to only
compile this module if the setmntent() function is found.
This is the a follow-up fix to the actual fix for bug #13972.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184
Michael Adam [Sat, 18 May 2019 09:28:54 +0000 (11:28 +0200)]
vfs:glusterfs_fuse: ensure fileids are constant across nodes
Instead of adding a new gluster-specific mode to the fileid module,
this patches provides a fileid algorithm as part of the glusterfs_fuse
vfs module. This can not be configured further, simply adding the
glusterfs_fuse vfs module to the vfs objects configuration will enable
the new fileid mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184
Alexander Bokovoy [Sat, 10 Aug 2019 08:53:12 +0000 (11:53 +0300)]
smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
(cherry picked from commit
4d276a93fc624dc04d880f5b4157f272d3555be6)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Aug 16 14:18:35 UTC 2019 on sn-devel-144
Alexander Bokovoy [Thu, 1 Aug 2019 12:48:58 +0000 (15:48 +0300)]
lookup_name: allow own domain lookup when flags == 0
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(
967001000,
967001000), real(
967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
0000004c-0000-0000-455d-
3018575c0000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x000a (10)
size : 0x000c (12)
string : *
string : 'XS\ab'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(
967001000,
967001000), real(
967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
[0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(
967001000,
967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
lookup_name: flags = 0x00
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
685bb03de6ab733590831d1df4f5fd60d2ac427d)
Alexander Bokovoy [Thu, 1 Aug 2019 18:08:52 +0000 (21:08 +0300)]
torture/rpc/lsa: allow testing different lookup levels
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
317bc6a7342edfa2c503f5932142bf5883485cc9)
Ralph Boehme [Thu, 27 Dec 2018 11:48:30 +0000 (12:48 +0100)]
Revert "s3:messages: protect against usage of wrapper tevent_context objects for messaging"
This reverts commit
7f2afc20e1b6397c364a98d1be006377c95e4665.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
2a62a98f5c7107f2f83c0bfc2892243d83e2c88a)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Thu Aug 8 11:20:26 UTC 2019 on sn-devel-144
Ralph Boehme [Thu, 27 Dec 2018 11:45:42 +0000 (12:45 +0100)]
Revert "s3:messages: allow messaging_{dgm,ctdb}_register_tevent_context() to use wrapper tevent_context"
This reverts commit
660cf86639753edaa7a7a21a5b5ae207ae7d4260.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1c3676f3aa9c1564eb140a24ced5ee72b859b87f)
Ralph Boehme [Thu, 27 Dec 2018 11:45:28 +0000 (12:45 +0100)]
Revert "s3:messages: allow messaging_dgm_ref() to use wrapper tevent_context"
This reverts commit
9dc332060cf5f249ea887dbc60ec7a39b6f91120.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
26107832cd9d200fb171ef1f991d7ef5478cac18)
Ralph Boehme [Thu, 27 Dec 2018 11:45:15 +0000 (12:45 +0100)]
Revert "s3:messages: allow messaging_filtered_read_send() to use wrapper tevent_context"
This reverts commit
2b05f1098187e00166649c8ea7c63e6901b9d242.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
e2a5272ac6831b407a0c51bb8615252ec68be6a8)
Ralph Boehme [Thu, 27 Dec 2018 11:41:25 +0000 (12:41 +0100)]
Revert "s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper"
This reverts commit
e186d6a06b1b300256a2cb4138f0532d518d0597.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
0bd10a48e4c08d1eb3a20e79d952b3c0f12be46a)
Rafael David Tinoco [Thu, 27 Jun 2019 20:12:25 +0000 (20:12 +0000)]
ctdb-config: depend on /etc/ctdb/nodes file
CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.
Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
c5803507df7def388edcd5b6cbfee30cd217b536)
Ralph Boehme [Thu, 27 Jun 2019 10:50:37 +0000 (12:50 +0200)]
vfs_catia: pass stat info to synthetic_smb_fname()
This doesn't cause visible damage in vanilla Samba, but would affect downstream
consumers that add additional fields to struct smb_filename.
For the same reason there's no test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015
RN: Ensure vfs_catia passes stat info to stacked VFS modules
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
ae6dd4853e3e651f6e56ce735bcb0a2264857385)
Björn Baumbach [Tue, 28 May 2019 12:52:36 +0000 (14:52 +0200)]
samba-tool: add 'import samba.drs_utils' to fsmo.py
On some systems we're seeing this:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
except samba.drs_utils.drsException as e:
E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)
While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.
There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184
(cherry picked from commit
320a5c5425e6ced18b1a9bf19b4f361ee16821ed)
Stefan Metzmacher [Tue, 28 May 2019 12:54:19 +0000 (14:54 +0200)]
samba-tool: use only one LDAP modify for dns partition fsmo role transfer
We should not risk that we end with no role owner.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
6a2e3a15585086bcceb18283216978a2fcb30da3)
Björn Baumbach [Tue, 28 May 2019 12:57:15 +0000 (14:57 +0200)]
s4:torture:fsmo.py: remove unused 'net_cmd' variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0fbb013bef886e425602fdbbef14a4029719818f)
Stefan Metzmacher [Tue, 28 May 2019 12:53:09 +0000 (14:53 +0200)]
samba-tool: fix replication after dns partition fsmo role transfer
The new role owner need to replicate from the old role owner.
Before we told the old role owner to replicate from itself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)
Björn Baumbach [Fri, 24 May 2019 13:46:17 +0000 (15:46 +0200)]
s4:torture:fsmo.py: test role transfers of dns partitions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5e000a8487d788dd196980b77ec7299c8be74abf)
Stefan Metzmacher [Fri, 24 May 2019 16:36:48 +0000 (18:36 +0200)]
dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184
(cherry picked from commit
aa2a3d95098231f48d7c308881bf66418164111e)
Stefan Metzmacher [Tue, 30 Apr 2019 12:21:22 +0000 (14:21 +0200)]
dnsp.idl: fix the dnsp_dns_addr_array definition
The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):
AddrArray: ARRAY(3)
AddrArray: struct dnsp_dns_addr
family : 0x0002 (2)
port : 0x0035 (53)
ipv4 : 172.31.99.33
ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
6fc7cc15048673d109042d7b40684ed63eb4ff9e)
Stefan Metzmacher [Tue, 30 Apr 2019 08:07:51 +0000 (10:07 +0200)]
dnsp.idl: fix dnsp_ip4_array definition
In future we should use ipv4address, but that would result in a much
larger change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
6d958af0b4cb6fd45cfda0298243859b3b043c6f)
Stefan Metzmacher [Fri, 24 May 2019 15:39:17 +0000 (17:39 +0200)]
s4:torture: add local.ndr.dnsp tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
9a0c3a475f29138c0c49e0d22cf52ab45178d16b)
Stefan Metzmacher [Mon, 29 Apr 2019 09:59:50 +0000 (11:59 +0200)]
dbcheck: fallback to the default tombstoneLifetime of 180 days
If a domain was provisioned by Windows 2000 this value is missing in the
database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184
(cherry picked from commit
2ef79a4c1d695a3e498b142810a1317d85b9b6da)
Stefan Metzmacher [Fri, 26 Apr 2019 11:32:43 +0000 (13:32 +0200)]
lib/util: remove unused prototypes in debug.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d98a971247450d494c581c5454e6c270ad1b6880)
Stefan Metzmacher [Fri, 26 Apr 2019 11:21:15 +0000 (13:21 +0200)]
lib/util: fix call to dbghdrclass() for DEBUGC()
dbghdrclass() sets the global 'current_msg_class' and for that
DEBUGC() should pass the given dbgc_class instead of the per file
DBGC_CLASS.
This is important with the new per class logfile with:
log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit
bb0ffbf38cb1955c9e400003add680eabcf706a6)
Tim Beale [Mon, 1 Jul 2019 05:06:31 +0000 (17:06 +1200)]
s4/libnet: Fix joining a Windows pre-2008R2 DC
From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
(cherry picked from commit
fee8cf326bfe240d3a8720569eab43f474349aff)
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
8899eb21d48b7077328ae560490f9fb9715a6b83)
Tim Beale [Mon, 24 Jun 2019 22:10:17 +0000 (10:10 +1200)]
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
295bf73e9b24b1f2b4594320a6501dc7410d4b43)
Stefan Metzmacher [Mon, 27 May 2019 11:12:14 +0000 (13:12 +0200)]
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0b6e37c9e801435e094194dd60d9213b4868c3de)
Stefan Metzmacher [Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)]
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
fa5215ce5b93fb032df341e718d7011e619f0916)
Stefan Metzmacher [Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)]
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
Karolin Seeger [Thu, 4 Jul 2019 07:48:05 +0000 (09:48 +0200)]
WHATSNEW: Fix typo.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 3 Jul 2019 11:44:04 +0000 (13:44 +0200)]
VERSION: Bump version up to 4.9.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 3 Jul 2019 11:42:54 +0000 (13:42 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.9.11 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 3 Jul 2019 11:42:02 +0000 (13:42 +0200)]
WHATSNEW: Add release notes for Samba 4.9.11.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Stefan Metzmacher [Wed, 3 Jul 2019 10:14:03 +0000 (12:14 +0200)]
ldb: Release ldb 1.4.7
Compared to 1.4.6:
* LDAP_REFERRAL_SCHEME_OPAQUE was added
to ldb_module.h in order to fix bug #12478.
It means that Samba >= 4.9.11 is no longer able to
build with ldb 1.4.6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Tue, 2 Jul 2019 07:52:46 +0000 (09:52 +0200)]
VERSION: Bump version up to 4.9.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 2 Jul 2019 07:52:09 +0000 (09:52 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.9.10 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 2 Jul 2019 07:51:39 +0000 (09:51 +0200)]
WHATSNEW: Add release notes for Samba 4.9.10.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Björn Baumbach [Wed, 12 Jun 2019 19:16:25 +0000 (21:16 +0200)]
python/ntacls: use correct "state directory" smb.conf option instead of "state dir"
samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs
Fixes: Unknown parameter encountered: "state dir"
Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
670a12df52df63a067b638d37bec71341bf18bdd)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Wed Jun 26 11:40:27 UTC 2019 on sn-devel-144
Andreas Schneider [Fri, 1 Feb 2019 17:51:53 +0000 (18:51 +0100)]
docs: Document DCEPRC binding string for rpcclient
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 4 02:03:56 CET 2019 on sn-devel-144
(cherry picked from commit
cca48c1a1029685672e1c25e39e8be2be947238f)
Ralph Boehme [Mon, 27 May 2019 10:27:57 +0000 (12:27 +0200)]
s3:mdssvc: fix flex compilation error
[4440/4495] Compiling bin/default/source3/rpc_server/mdssvc/sparql_lexer.lex.c
../../source3/rpc_server/mdssvc/sparql_lexer.l:26: error: "yyalloc" redefined [-Werror]
26 | #define yyalloc SMB_MALLOC
Looks like the dirty redefine trick doesn't work anymore with newer flex
versions. According to the flex manual the right thing to do is to provide own
functions for yyalloc and yyrealloc when passing the options "noyyalloc
noyyrealloc".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13987
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184
(cherry picked from commit
9053391f86a529e0a7dbcd23fa3a555d85c2207c)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Jun 21 11:49:59 UTC 2019 on sn-devel-144
Rafael David Tinoco via samba-technical [Mon, 3 Jun 2019 02:44:15 +0000 (23:44 -0300)]
ctdb-scripts: Fix tcp_tw_recycle existence check
net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
makes sense to check its existence. Unfortunately, current check does
not test for the procfs file existence. This commit fixes the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13984
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 4 23:31:24 UTC 2019 on sn-devel-184
(cherry picked from commit
843fbb1207ee7ac84f3282974b66b9290d8da0ac)
Andrew Bartlett [Fri, 31 May 2019 21:04:48 +0000 (09:04 +1200)]
docs: Improve documentation of "lanman auth" and "ntlm auth" connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)
Ralph Boehme [Fri, 24 May 2019 13:15:59 +0000 (15:15 +0200)]
vfs_fruit: remove a now unnecessary include
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184
(cherry picked from commit
9a2c9834cb1b77547b8b932c35870301afb9fc25)
Ralph Boehme [Fri, 24 May 2019 12:51:17 +0000 (14:51 +0200)]
vfs_fruit: use VFS functions in ad_read_rsrc_adouble()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
9fe84a6345bf5d9fdb1df87a853db3380e6fb0f7)
Ralph Boehme [Fri, 24 May 2019 10:51:15 +0000 (12:51 +0200)]
vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
70c4a8f0ac307009c26e857523192c95b42a92f5)
Ralph Boehme [Fri, 24 May 2019 10:07:55 +0000 (12:07 +0200)]
vfs_fruit: use VFS function in ad_convert_truncate()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3739ad90cf2bbaa2094a34197c894363d2e24a5a)