Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 16 10:41:40 UTC 2020 on sn-devel-184
Jeremy Allison [Wed, 15 Jul 2020 22:02:02 +0000 (15:02 -0700)]
s3: libsmb: Cleanup - Make ipstr_list_make() talloc rather than malloc.
Remove the excessive and unneeded ipstr_list_add() function,
fold it into ipstr_list_make() to make it much clearer what
we're doing.
The only use of MALLOC now is in ipstr_list_parse() returned
by namecache_fetch(). We need to fix the caller before
we can move that to talloc. As that is used inside internal_resolve_name()
which is designed to return a MALLOC'ed ip list from all
name resolution mechanisms leave that fix for another day.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul 16 08:16:31 UTC 2020 on sn-devel-184
Martin Schwenke [Thu, 7 May 2020 07:14:34 +0000 (17:14 +1000)]
util: Fix a signed/unsigned comparison
[107/390] Compiling lib/util/time.c
../../../lib/util/time.c: In function ‘timespec_string_buf’:
../../../lib/util/time.c:416:10: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
416 | if (len == -1) {
| ^~
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul 16 04:00:52 UTC 2020 on sn-devel-184
Martin Schwenke [Thu, 7 May 2020 06:57:07 +0000 (16:57 +1000)]
tdb: Fix some signed/unsigned comparisons
[207/389] Compiling lib/tdb/tools/tdbdump.c
../../../lib/tdb/tools/tdbrestore.c: In function ‘read_linehead’:
../../../lib/tdb/tools/tdbrestore.c:43:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare]
43 | for (i=0; i<sizeof(prefix); i++) {
| ^
../../../lib/tdb/tools/tdbrestore.c: In function ‘read_data’:
../../../lib/tdb/tools/tdbrestore.c:95:13: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
95 | for (i=0; i<size; i++) {
| ^
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Volker Lendecke <vl@samba.org>
s4:torture/smb2: split replay_smb3_specification into durable handle and multichannel
It's better to have durable handles and multichannel tested separate:
1. we test both cases in the server
2. it makes it easier to deal with knownfail entries if only one
of these features is active on the server.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Reported by Alexander Pyhalov <apyhalov@gmail.com>
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 14 07:42:54 UTC 2020 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
When reading entries from gencache, wb_cache_rids_to_names() can
return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
correctly.
This test enforces this situation by filling gencache with one wbinfo
-R and then erasing the winbindd_cache.tdb. This forces winbind to
enter the domain helper process, which will then read from gencache
filled with the previous wbinfo -R.
Without having the entries cached this does not happen because
wb_cache_rids_to_names() via the do_query: path calls deep inside
calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
A longer fix would be to change the callbacks to use "int" instead of
"unsigned". Arguably that might be cleaner, but as this is torture
code I opted for the minimum necessary change.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
s3:smbd: make sure we detect stale smbXsrv_connection pointers in smbXsrv_session_auth0
Pointer values can be reused (yes, I hit that during my testing!).
Introduce a channel_id to identify connections and also add
some timestamps to make debugging easier.
This makes smbXsrv_session_find_auth() much more robust.
This is a similar change as 0cec96526bf4d3209caf36c4a19632ff5d5dd112:
"smb2_server: make sure we detect stale smbXsrv_connection pointers in smbXsrv_channel_global"
s3:smbd: make use of the new ack infrastructure for oplock/lease breaks
This finally implements the retry of failed oplock/lease breaks.
Before smbd_smb2_break_send/recv completed directly after
sendmsg() passed the pdu to the kernel.
Now the completion is (at least) deferred until the
the next smbXsrv_connection_ack_checker() run happens
and smbd_smb2_send_queue_ack_bytes() found that
all bytes of the break notification left the kernel
send queue (and were TCP acked).
If the connection is disconnected all pending break
notifications are completed with an error, which is
then returned by smbd_smb2_break_recv().
smbXsrv_pending_break_submit() will then submit
another break notification via the next available
connection/channel.
The smbXsrv_connection_ack_checker() runs each
rto_usecs (between 0.2s and 1.0s). smbd_smb2_break_send()
will set a timeout of 6*rto_usecs (between 1.2s and 6s).
If smbXsrv_connection_ack_checker() detects via
smbd_smb2_send_queue_ack_bytes() that a pending break
notification is pending for more than its timeout
we'll disconnect the connection with NT_STATUS_IO_TIMEOUT.
This will be handled as any other disconnect and
will in turn also trigger the retry on the next channel.
s3:smbd: force multi-channel to be turned off without FreeBSD/Linux support
For now it's safer to disable multi-channel without having support
for TIOCOUTQ/FIONWRITE on tcp sockets.
Using a fixed retransmission timeout (rto) of 1 second would be ok,
but we better require kernel support for requesting for unacked bytes
in the kernel send queue.
"force:server multi channel support = yes" can be used to overwrite
the compile time restriction (mainly for testing).
This will be the core of the logic that allows
us to retry break notifications.
When we start the "pending break cycle" we ask for
the current retransmission timemout (rto) on the TCP connection
and remember how many unacked bytes are in the kernel's
send queue. Each time we send bytes into the kernel
we add them to the unacked bytes.
We use a timer using the rto interval in order
to check the amount of unacked bytes again.
The provides send_queu_entry.ack.req will be completed
with tevent_req_done() when everything is completely acked,
tevent_req_nterror(NT_STATUS_IO_TIMEOUT) when
send_queu_entry.ack.timeout is expired or
tevent_req_nterror(connection_error) when the connection
gets disconnected.
It works with support from the FreeBSD and Linux kernels.
For other platforms we just have a fixed rto of 1 second.
And pretend all bytes are acked when we recheck after 1 second.
So only a connection error could trigger tevent_req_nterror(),
but there's no timeout. A follow up commit will most likely
disable support for multi-channel if we don't have kernel support.
s3:smbd: add logic to retry break notifications on all available channels
For leases we need to use any available connection with the same
client_guid. That means all connections in the client->connections list.
We try the oldest connection first, as that's what windows is doing.
For oplocks we implement the same as that's what the specification
says. Windows behaves different and we have
'smb2 disable oplock break retry = yes' in order to behave like Windows.
s3:smbd: convert smbd_smb2_send_break() into async smbd_smb2_break_send/recv()
This will make it possible to detect errors in order to retry sending
the break on another connection.
For now we always report NT_STATUS_OK, when we delivered the break
notification to the kernel send queue. But that will change in
the following commits.
This is similar to the smb2.multichannel.leases.test5,
but it tests the oplock case instead of leases.
With Oplocks Windows only sends a single break on the latest channel,
this is not what the spec says...
Maybe we should have a similar test that would expect the
behavior from the [MS-SMB2] (3/4/2020 rev 60.0)
"3.3.4.6 Object Store Indicates an Oplock Break":
...
If the server implements the SMB 3.x dialect family, SMB2 Oplock Break
Notification MUST be sent to the client using the first available
connection in Open.Session.ChannelList where Channel.Connection is not
NULL. If the server fails to send the notification to the client, the
server MUST retry the send using an alternate connection, if available,
in Open.Session.ChannelList.
...
Here I add one test that demonstrates the Windows behavior:
smb2.multichannel.oplocks.test3_windows
and a 2nd test that demonstrates the behavior from MS-SMB2.
smb2.multichannel.oplocks.test3_specification
Note that Windows 10 seems to behave differently and it's not
possible to open all 32 channel used by this test.
Against remote servers it's required to run iptables as root:
The test will also work against a Samba server
with 'smbd:FSCTL_SMBTORTURE = yes', and won't require iptables
in that case.
Samba will get a "smb2 disable oplock break retry" configuration
option to switch between both behaviors, as it's much more common with Samba
that leases are not supported and clients will fallback to
oplocks together with multichannel.
This tests 32 channels, which is the maximum Windows Server
versions support. (Note that Windows 10 (a Client OS as SMB server,
seems to support only 20 channels and may differ in other aspects,
so we ignore that for now).
This works at least against Windows Server 2019
and we see lease break notification retries every ~ 1.3 seconds
with ~ 5 TCP retransmissions. At that rate we see the remaining
5 retries after the conflicting SMB2 Create already returned.
Older Windows Server versions use much longer timeouts in the TCP-stack,
they send lease break notification retries less often and only 4 in
total, all other channels get TCP-RST packets because of missing
TCP keepalive packets before they're used.
The intervals between lease break notification retries are
~19 seconds for 2012[_R2] and ~25 seconds for 2016.
It means that only ~2 lease break notifications arrive before
the open returns after ~35 seconds.
Note that Windows 10 seems to behave differently and it's not
possible to open all 32 channel used by this test.
Against remote servers it's required to run iptables as root:
Having a test that would only pass against Samba makes things way
to complex, they're already complex and we should try to behave
like windows as much as possible.
The next commit will add a better test that will work against Windows
Servers and the future Samba servers.
s4:torture/smb2: refactor block.c to block the OUTPUT path
In order to create useful tests, we should block the outgoing
tcp packets only. That means we're able to see incoming
break notifications, but prevent outgoing TCP ACKs to be delivered
to the server.
s3:g_lock: avoid very expensive generate_random_buffer() in g_lock_parse()
We don't require a sequence number that is incremented,
we just need a value that's not reused.
We use the new generate_unique_u64(), which is much cheaper!
Using smbtorture3 //foo/bar -U% local-g-lock-ping-pong -o 500000
under valgrind --tool=callgrind...
Anubhav Rakshit [Sun, 7 Jun 2020 19:09:59 +0000 (00:39 +0530)]
s3:smbcacls: Add support for DFS path
smbcacls does not handle DFS paths correctly. This is beacuse once the
command encounters a path which returns STATUS_PATH_NOT_COVERED, it does
not attempt a GET REFERRAL.
We use cli_resolve_path API to perform a DFS path resolution to solve
the above problem.
Additionally this removes the known fail against smbcacls tests Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com> Reviewed-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 7 23:03:00 UTC 2020 on sn-devel-184
Noel Power [Thu, 2 Jul 2020 10:44:36 +0000 (11:44 +0100)]
selftest: run smbcacls test against a share with a DFS link
The commit creates a dfs link in existing 'fileserver' env
share msdfs_share. Additionally we create a new dfs target in
a new share (with associated directory)
Additionally add a known fail as smbcacls doesn't not yet navigate DFS links.
A subsequent commit will fix smcacls to handle DFS (and remove the
knownfail)
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
projects / thirdparty / samba.git / log
