Joe Guo [Tue, 3 Jul 2018 22:05:50 +0000 (10:05 +1200)]
pysmbd: add session_info arg to get_conn_tos
Add session_info arg, so caller can pass it in to reuse authentication info
later. This will improve performance a lot while doing ntacl operations
on large amount of files, e.g.: sysvolreset.
Modification for upstream caller will come in following patches.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Now that scavenging is implemented, the DNS update tool needs to be changed so
that it always updates every name required by the DC. Otherwise, the records
might be scavenged.
Aaron Haslett [Fri, 1 Jun 2018 04:07:46 +0000 (16:07 +1200)]
dns: dns record scavenging function (without task)
DNS record scavenging function with testing. The logic of the custom match rule
in previous commit is inverted so that calculations using zone properties can
be taken out of the function's inner loop. Periodic task to come.
dns: custom match rule for DNS records to be tombstoned
A custom match rule for records to be tombstoned by the scavenging process.
Needed because DNS records are a multi-valued attribute on name records, so
without a custom match rule we'd have entire zones into memory to search for
expired records.
Aaron Haslett [Wed, 9 May 2018 06:02:28 +0000 (18:02 +1200)]
dns: record aging tests
First basic DNS record aging tests. These check that we can
turn aging on and off, and that timestamps are written on DNS
add and update calls, but not RPC calls.
Gary Lockyer [Wed, 11 Jul 2018 04:30:38 +0000 (16:30 +1200)]
smb.conf: add dns_zone_scavenging
Add parameter dns_zone_scavenging to control dns zone scavenging.
Scavenging is disabled by default, as due to
https://bugzilla.samba.org/show_bug.cgi?id=12451 the ageing properties of
existing DNS entries are incorrect.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper
imessaging_client_init() can be used with a wrapper tevent_context,
but only if a global messaging_dgm_ref() already exist.
All other uses of imessaging_init() and imessaging_client_init()
require a raw tevent_context.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 12 02:23:37 CEST 2018 on sn-devel-144
s4:messaging: allow imessaging_post_handler() to free the messaging context from a handler
In usecases like using messaging_client_init() with irpc processing we may
free the imessaging_context during the messaging handler.
imessaging_post_handler() is not yet really used, but it will change in
the next commits. imessaging_post_state is a child of imessaging_context
and might be implicitly free'ed before the explicit TALLOC_FREE(state).
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
s3:messages: allow messaging_filtered_read_send() to use wrapper tevent_context
As it gets 'messaging_context' as argument, we're sure a messaging context
with a raw tevent context already exist.
It means we can allow a wrapper tevent context that wrapps the main tevent
context of the messaging context.
The use of tevent_req_defer_callback() makes sure that the callers
callback function calls messaging_filtered_read_recv() from the
correct "wrapped" environment.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Christof Schmitt [Tue, 26 Jun 2018 20:30:06 +0000 (13:30 -0700)]
winbindd: Remove ads.h include from nss_info
nss_info does not use libads. Removing this include
fixes a compile error when trying to compile with a
system provided heimdal library:
[2188/3043] Compiling source3/winbindd/nss_info.c
In file included from ../source3/libads/kerberos_proto.h:33:0,
from ../source3/include/ads.h:154,
from ../source3/winbindd/nss_info.c:24:
../lib/replace/system/kerberos.h:33:10: fatal error: krb5.h: No such file or directory
#include <krb5.h>
^~~~~~~~
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul 11 22:39:36 CEST 2018 on sn-devel-144
Martin Schwenke [Sat, 7 Jul 2018 05:58:06 +0000 (15:58 +1000)]
ctdb-packaging: Enable some standard event scripts if none are enabled
CTDB needs the legacy/00.ctdb event script to be able to function
properly. If this script is not enabled then assume a first-time
install or an upgrade to a version that requires events scripts to be
enabled via symlinks. In these cases enable this script and other
commonly used scripts.
Remove links during uninstall (but not during upgrade).
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 7 Jul 2018 05:23:27 +0000 (15:23 +1000)]
ctdb-build: Enable some standard event scripts if none are enabled
CTDB needs the legacy/00.ctdb event script to be able to function
properly. If this script is not enabled then assume a first-time
install or an upgrade to a version that requires events scripts to be
enabled via symlinks. In these cases enable this script and other
commonly used scripts.
Only do this for a direct install. If DESTDIR is being used then
assume a package is being built and let the packager handle this case.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 18 Jun 2018 06:22:14 +0000 (16:22 +1000)]
ctdb-daemon: Stop inactive/disabled nodes from reporting available IPs
This can be done now that NoIPHostOnAllDisabled is gone and will allow
the public IP address failover logic to be simplified.
In the test code, still filter available IP addresses by node state.
This code can't currently read information about available IP
addresses but that will change in future
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 18 Jun 2018 05:01:01 +0000 (15:01 +1000)]
ctdb-daemon: Change default for tunable NoIPHostOnAllDisabled to 1
Defaulting to host public IP addresses when all nodes are unhealthy
does not obey the principle of least surprise. It has caused much
confusion over the years. It often leads to problems when all nodes
are unhealthy due to something like a cluster filesystem being
unmounted.
Change the default value for this tunable as the first step of
completely removing this behaviour.
Remove tests that set NoIPHostOnAllDisabled=1 and update the expected
result for other tests where no nodes are healthy.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 3 Jul 2018 03:45:25 +0000 (13:45 +1000)]
ctdb-tests: Setup public addresses in 60.nfs unit tests
Even the monitor event runs update_tickles(), which needs public IP
addresses and FAKE_CTDB_NUMNODES to be initialised. Currently this
works by default but soon we'll need FAKE_CTDB_NUMNODES in another
context.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Andrew Bartlett [Wed, 11 Jul 2018 04:03:42 +0000 (16:03 +1200)]
WHATSNEW: Add more text about work done by Catalyst developers
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 11 11:47:09 CEST 2018 on sn-devel-144
vfs_audit: Extend list of recognized syslog(3) facilities and wrap them into #ifdef's. That list should be comprehensive enough to cover most of the existing OSes.
Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Jul 11 08:44:10 CEST 2018 on sn-devel-144
Add the configure option --with-system-heimdalkrb5 to build Samba
explicitly with a system Heimdal kerberos library. This does the same as
the more complicated syntax
Tim Beale [Tue, 10 Jul 2018 22:15:12 +0000 (10:15 +1200)]
WHATSNEW: Added entries for PSOs, domain backup/restore, and rename
Added WHATSNEW blurbs for the following features:
- Password Settings Objects
- Domain backup and restore
- Domain rename tool
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pass 'rdonly' or 'directory' flag to open a directory file.
Signed-off-by: Pooja Mahadik <pooja.mahadik@veritas.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 11 02:22:18 CEST 2018 on sn-devel-144
Based-on-a-patch-from: Mike M Pestorich <mmpestorich@gmail.com>
(similar to github.com/netatalk/netatalk/commit/90aa43d)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 10 23:17:20 CEST 2018 on sn-devel-144
s3:messages: make the loop in msg_dgm_ref_recv() more robust against stale pointers
The interaction between msg_dgm_ref_recv() and msg_dgm_ref_destructor()
doesn't allow two references from messaging_dgm_ref() to be free'd
during the loop in msg_dgm_ref_recv().
In addition to the global 'refs' list, we also need to
have a global 'next_ref' pointer, which can be adjusted in
msg_dgm_ref_destructor().
As AD DC we hit this when using irpc in auth_winbind,
which uses imessaging_client_init().
In addition to the main messaging_dgm_ref() in smbd,
source3/auth/auth_samba4.c: prepare_gensec() and
make_auth4_context_s4() also generate a temporary
imessaging_context for auth_context->msg_ctx from within
auth_generic_prepare().
Gary Lockyer [Tue, 10 Jul 2018 01:57:18 +0000 (13:57 +1200)]
WHATSNEW add entries audit logging and lmdb.
Add WHATSNEW entries for dsdb, password and group change audit logging,
as well as the ldb lmdb backend
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 10 12:53:54 CEST 2018 on sn-devel-144
Christof Schmitt [Tue, 26 Jun 2018 20:32:28 +0000 (13:32 -0700)]
heimdal: Fix build with system provided heimdal library
Trying to compile with a system provided heimdal library
results in this compile error:
[ 876/3043] Compiling source4/auth/kerberos/srv_keytab.c
In file included from /usr/include/heimdal/krb5.h:949:0,
from ../lib/replace/system/kerberos.h:33,
from ../source4/auth/kerberos/srv_keytab.c:31:
/usr/include/heimdal/krb5-protos.h:3894:1: error: unknown type name ‘HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE’; did you mean ‘_WARN_UNUSED_RESULT_’?
HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_WARN_UNUSED_RESULT_
/usr/include/heimdal/krb5-protos.h:3895:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘krb5_generate_random’
krb5_generate_random (
The problem is that Samba provides a minimal krb5-types.h file
for the internal build that gets used during the build with
the system provided heimdal library. As the minimal file
does not provide all definitions, the build fails.
Fix this by having the krb-types.h file simply include the
include file from the system library, if the build is done
using the system provided heimdal library.
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 10 07:30:26 CEST 2018 on sn-devel-144
Tim Beale [Sun, 8 Jul 2018 21:44:30 +0000 (09:44 +1200)]
netcmd: Add sanity-check for invalid domain rename args
We are suggesting to users that it's safe to run a renamed domain in
parallel with the old backed-up domain. However, this would not be the
case if the user (foolishly) "renames" their domain using the exact same
NetBIOS name or DNS realm.
Using the same DNS realm fails later on (updating the dnsRoot values),
but using the same NetBIOS name actually succeeds. While we can't make
samba tools completely idiot-proof, we can protect users from the most
basic of (potentially unintended) errors with some simple sanity-checks.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Fri, 6 Jul 2018 03:59:31 +0000 (15:59 +1200)]
selftest: Add a 'LABDC' testenv to mimic a preproduction test-bed
One of the use-cases for the domain rename tool is to produce a lab
domain that can be used for pre-production testing of Samba.
Basically this involves taking a backup rename with --no-secrets (which
scrubs any sensitive info), and then restoring it.
This patch adds a testenv that mimics how a user would go about creating
a lab-domain. We run the same tests that we run against the restore and
rename testenvs.
Note that the rpc.echo tests for the testallowed and testdenied users
fail, because we don't backup the secrets for these users. So these
tests failing proves that the lab-DC testenv is correct.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Thu, 5 Jul 2018 22:35:03 +0000 (10:35 +1200)]
netcmd: Add brief log file of what the backup actually contains
There are now several different permutations of backup file that can be
created (i.e. online, rename, with/without secrets). Hopefully the admin
users would organize their backup files sensibly, but it can't hurt to
keep track of what the backup-file actually contains in a simple
human-readable file within the backup tar. E.g. We really don't want
backups with secrets-included and secrets-excluded getting mixed up.
Recording the DC used to make the domain backup may be useful in the
event of a catastrophic failure of the domain, e.g. DC replication may
have been broken for some time prior to the failure.
Recording the samba-tool version string may also be useful if there are
ever any backwards-compatibility issues introduced to the backup files.
The intention is to say we only support restoring a backup with the same
version of samba-tool that actually created the backup, however, it'd be
polite to users to actually record that version somewhere.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Thu, 5 Jul 2018 02:33:22 +0000 (14:33 +1200)]
netcmd: Add no-secrets option to domain backups
By default we include all the domain's secrets in the backup file. This
patch adds an extra option to exclude these secrets. In particular, this
is for the use case of creating a lab domain (where you might not feel
comfortable with the secrets for all your users being present).
Mostly this just involves passing the correct option to the join/clone.
I've also made sure that a password is also set for the Admin user
(samba does seem to start up without one set, but this behaviour is
closer to what happens during a provision).
The tests have been extended to use the new option, and to assert that
secrets are/aren't included as expected for some of the builtin testenv
users.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
projects / thirdparty / samba.git / log
