Tim Beale [Tue, 30 Oct 2018 12:51:54 +0000 (12:51 +0000)]
s4/scripting/bin: PY3 convert servicePrincipalName attr to string
res[0]["servicePrincipalName"] is an instance of ldb.bytes in PY3
If we wish to get the string value we need to call the custom
str function which attempts to decode the bytes to 'utf8'
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed by: Noel Power <npower@samba.org>
Noel Power [Thu, 25 Oct 2018 18:10:30 +0000 (19:10 +0100)]
python/samba/tests: PY3 Fix str/bytes issue for json.loads
Python 3.4 seems to need a string
parsed = json.loads (out_jsobj)
File "/usr/lib/python3.4/json/__init__.py", line 312, in loads
s.__class__.__name__))
TypeError: the JSON object must be str, not 'bytes'
however Python 3.5 seems to be happy to consume bytes (or string)
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 11 Oct 2018 13:36:06 +0000 (14:36 +0100)]
s4/dsdb/tests: PY3 port of samba4.ldap.acl.python
convert various attribute results to str so assert function
as expected for tests. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 1 Nov 2018 14:20:20 +0000 (14:20 +0000)]
s4/dsdb/tests/python: PY3 port samba4.ldap_schema.python
+ Misc attributes needed to be converted to strings from bytes to
ensure various asserts work as expected.
+ Fix ndr_unpack call which needs bytes not str
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Tue, 30 Oct 2018 13:25:59 +0000 (13:25 +0000)]
python/samba/tests: Port samba.tests.blackbox.samba_dnsupdate for PY2/PY3
Make sure either the output of tests and/or the item we are searching match
in type. Output of cmd in python3 is bytes, depending on the was the test is
written it may be easier just to convert all output or just a single string
that is used in the test
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Mon, 12 Nov 2018 19:37:31 +0000 (11:37 -0800)]
s3: lib: nmbname: Ensure we limit the NetBIOS name correctly. CID: 1433607
Firstly, make the exit condition from the loop explicit (we must
never write into byte n, where n >= sizeof(name->name).
Secondly ensure exiting from the loop that n==MAX_NETBIOSNAME_LEN,
as this is the sign of a correct NetBIOS name encoding (RFC1002)
in order to properly read the NetBIOS name type (which is always
encoded in byte 16 == name->name[15]).
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 13 20:54:56 CET 2018 on sn-devel-144
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144
Ralph Boehme [Fri, 9 Nov 2018 14:34:24 +0000 (15:34 +0100)]
s4:torture/smb2/session: require a signed session setup reauth response
All existing tests using this function require signing, so currently
this passes. A subsequent commit adds a test where neither client nor
server require signing and that's where this trap will explode.
Invalidate credential cache before connecting to the server, otherwise
we will reuse the credentials from the credential cache populated by the
preceeding tests.
Also invalidate it at the end, otherwise subsequent tests might run into
problems if the credentials expire while authenticating.
Ralph Boehme [Sat, 10 Nov 2018 21:00:04 +0000 (22:00 +0100)]
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.
Ralph Boehme [Sat, 10 Nov 2018 20:56:28 +0000 (21:56 +0100)]
libcli/smb: defer singing check a little bit
This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.
Ralph Boehme [Fri, 9 Nov 2018 11:33:29 +0000 (12:33 +0100)]
s3:selftest: also run smb2.session torture testsuite against ad_member
The next commit adds a subtest to the smb2.session testsuite that
requires Kerberos (ad_dc would work), but where neither SMB2 server or
client must require signing (ad_dc, being an AD DC, requires signing).
The ad_member environment supports Kerberos with the SMB2 server not
mandating signing, that'll do.
Martin Schwenke [Mon, 12 Nov 2018 23:05:21 +0000 (10:05 +1100)]
replace: Add check for variable program_invocation_short_name
It appears that wafsamba's configure() defines _GNU_SOURCE
unconditionally, so checking _GNU_SOURCE isn't enough to know if this
variable is available.
For example, it isn't available on AIX with the xlc compiler:
[ 6/10] Compiling lib/replace/replace.c
...
"../../lib/replace/replace.c", line 991.16: 1506-045 (S) Undeclared identifier program_invocation_short_name.
Instead, add a configure check for program_invocation_short_name and
use it.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 13 11:11:11 CET 2018 on sn-devel-144
Volker Lendecke [Fri, 9 Nov 2018 06:55:40 +0000 (07:55 +0100)]
smbd: Use wire_perms_to_unix in unix_perms_from_wire
Same code, less lines
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 13 04:10:54 CET 2018 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 12 13:44:09 CET 2018 on sn-devel-144
When a keytab of type MEMORY is used, the MIT kerberos krb5_kt_add_entry()
library function adds a keytab entry to the beginning of the keytab table,
instead of the end.
This adds a MIT kerberos conditional to reverse iterate through
the keytable entries to address this.
Signed-off-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 10 12:48:02 CET 2018 on sn-devel-144
Volker Lendecke [Fri, 2 Nov 2018 19:48:07 +0000 (20:48 +0100)]
lib: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 10 02:19:29 CET 2018 on sn-devel-144
Tim Beale [Thu, 8 Nov 2018 23:17:40 +0000 (12:17 +1300)]
mdb_util: Better error message if lmdb-utils not installed
mdb_copy() was dutifully checking the PATH for the mdb_copy executable,
then, if it didn't find it, blindly proceeding anyway and trying to run
a non-existent executable. This resulted in a cryptic error:
ERROR(<type 'exceptions.OSError'>): uncaught exception - [Errno 2] No
such file or directory
Add in an extra check that we actually find the executable and raise a
better human-readable exception if we don't.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 9 21:07:47 CET 2018 on sn-devel-144
Tim Beale [Thu, 8 Nov 2018 22:49:12 +0000 (11:49 +1300)]
selftest: Fix backup testenv creation on certain host machines
When we created the backup-file for the restoredc/renamedc/labdc
testenvs we weren't explicitly a --configfile on the samba-tool command.
This meant the command tried to use the smb.conf form the default
install location, i.e. /usr/local/samba/etc/smb.conf. On the gitlab CI
runner, there's no samba installed, so it ends up using the default
settings, which is fine. However, if the host machine had an invalid
smb.conf installed there, creating the testenv would fail with an error
like:
ERROR(runtime): uncaught exception - Unable to load default file
File "bin/python/samba/netcmd/__init__.py", line 184, in _run
return self.run(*args, **kwargs)
File "bin/python/samba/netcmd/domain_backup.py", line 222, in run
lp = sambaopts.get_loadparm()
File "bin/python/samba/getopt.py", line 94, in get_loadparm
self._lp.load_default()
We can avoid this by always explictly specifying the backupfromdc's
smb.conf when creating the backup file.
Likewise, labdc/customdc also need the config specified when the admin
password is reset.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Tim Beale [Thu, 8 Nov 2018 22:44:18 +0000 (11:44 +1300)]
selftest: Add README note: always use --configfile in testenv creation
We always need to specify "env->{CONFIGURATION}" when running a samba-tool
command to setup a testenv. Add a note to the README as this wasn't at
all clear.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Philipp Gesang [Mon, 5 Nov 2018 14:54:35 +0000 (15:54 +0100)]
s4-kdc: restore MIT KDC backend
Fix fallout from the KDC prefork patchset (99aea42520fc..).
GCC warns when Samba is being built with --with-system-mitkrb5.
Fix this by adapting the signature of mitkdc_task_init() to match
task_init which has been extended to return a status code.
Status codes try to mimick those of kdc-heimdal.c:kdc_task_init()
as closely as possible.
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Volker Lendecke [Thu, 8 Nov 2018 12:27:58 +0000 (13:27 +0100)]
selftest: Test hide new files timeout
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 9 03:49:55 CET 2018 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 8 11:03:11 CET 2018 on sn-devel-144
==10142== Process terminating with default action of signal 11 (SIGSEGV)
==10142== Bad permissions for mapped region at address 0x6F00A20
==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
Gary Lockyer [Wed, 19 Sep 2018 03:04:35 +0000 (15:04 +1200)]
WHATSNEW: NETLOGON prefork support
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 7 21:17:59 CET 2018 on sn-devel-144
Gary Lockyer [Wed, 29 Aug 2018 03:07:32 +0000 (15:07 +1200)]
source4 smdb rpc_server: Support prefork process model.
Allow the rpc_server to run in the prefork process model. Due to the use
of shared handles and resources all of the rpc end points are serviced
in the first worker process. Those end points that can be run in
multiple processes (currently only Netlogon and management) are serviced in
the first and any subsequent workers.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 22:27:42 +0000 (11:27 +1300)]
traffic_replay: Rework machine accounts to remove redundant code
generate_users_and_groups() now generates the machine acounts as well as
the user accounts, so it seems there's no need to also have
generate_traffic_accounts(), which does the same job.
Instead, we can just pass through the number of machine acounts to
generate_users_and_groups() and delete the other function.
Also updated generate_users_and_groups() so that machine_accounts is
no longer optional (we want to create machine accounts in all cases).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 22:14:41 +0000 (11:14 +1300)]
traffic_replay: Make packet generation work on a pre-populated DB again
Generate separate machine accounts for populating a large DB vs
replaying network traffic.
We want to use different userAccountControl flags in each of the above
cases (i.e. commit 3338a3e257fa9f28). However, this means that once you
use the --generate-users-only option, you can't replay network packets
against the machine accounts.
We can avoid this problem by creating separate machine accounts for each
of 2 different cases, e.g. STGM-0-x machines for traffic-replay, and
PC-0-x machines for padding out the database.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 20:35:41 +0000 (09:35 +1300)]
traffic_replay: Make sure naming assumptions are in a single place
The traffic_replay group/user/machine account names follow a standard
format. This adds a function to generate the machine-name. It also makes
sure the existing user_name() function gets called in all applicable
places.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 21:58:56 +0000 (10:58 +1300)]
traffic_replay: Move 'traffic account' flag up a level
We create machine accounts for 2 different purposes:
1). For traffic generation, i.e. testing realistic network packets.
2). For generating a realistic large DB.
Unfortunately, we want to use different userAccountControl flags for
the 2 different cases. Commit 3338a3e257fa9f28 changed the flags used
for case #2, but this breaks case #1.
The problem is generate_users_and_groups() is called in both cases,
so we want the 'traffic account' flag passed into that function.
This ensures that the machine accounts get created with the appropriate
userAccountControl flags for the particular case you want to test.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 21:52:38 +0000 (10:52 +1300)]
traffic_replay: Move machine account creation
I was assuming that generate_users_and_groups() only gets called in the
--generate-users-only case. However, it also gets called in the default
traffic replay case.
This patch reworks the code so that the number of machine accounts to
create gets passed in, and the 'create 25% more computers than users'
assumption only applies to the --generate-users-only case.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 5 Nov 2018 01:45:34 +0000 (14:45 +1300)]
selftest: Add some more testenv descriptions
This still doesn't cover all the testenvs comprehensively, but it
pretty much exhausts my knowledge of what the various testenvs do.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 7 04:39:05 CET 2018 on sn-devel-144
Volker Lendecke [Sat, 3 Nov 2018 09:11:26 +0000 (10:11 +0100)]
tdb: Align integer types
tdb->max_dead_records is "int", as is the corresponding parameter to
tdb_set_max_dead(). Not that a signed variable makes any sense, but
this is old code and tdb_set_max_dead() is a public API which we
should not change for this.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 6 21:52:32 CET 2018 on sn-devel-144
Volker Lendecke [Wed, 24 Oct 2018 08:51:40 +0000 (10:51 +0200)]
gencache: Prune expired entries
This solves the problem that gencache never shrinks right
now. Whenever we write an entry, we now walk that entry's chain and
delete expired entries. This should be a good balance between
performance and cleanup actions: Reading is still unaffected, and
those who write pay a small penalty while keeping gencache size under
control.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 11 Oct 2018 10:52:40 +0000 (12:52 +0200)]
gencache: Remove transaction-based tdb
At more than one large site I've seen significant problems due to
gencache_stabilize. gencache_stabilize was mainly introduced to
survive machine crashes with the cache still being in place. Given
that most installations crash rarely and this is still a cache, this
safety is overkill and causes real problems.
With the recent changes to tdb, we should be safe enough to run on
completely corrupted databases and properly detect errors. A further
commit will introduce code that wipes the gencache.tdb if such a
corruption is detected.
There is one kind of corruption that we don't properly handle:
Orphaned space in the database. I don't have a good idea yet how to
handle this in a graceful and efficient way during normal operations,
but maybe this idea pops up at some point.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 10 Oct 2018 14:12:28 +0000 (16:12 +0200)]
gencache: Convert to a binary timestamp
Two reasons:
The ascii conversion shows up on profiles.
In a further commit we will get checksums for gencache entries to
protect at hidden corruption due to a crash on the non-transactioned
gencache.tdb. Next to the timestamp this is a second field that is
gencache metadata, and I don't want to deal with a second ascii number
when at least some of the gencache values are binary already.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
projects / thirdparty / samba.git / log
