auth3: prepare the logic for "map untrusted to domain = auto"
This implements the same behavior as Windows,
we should pass the domain and account names given
by the client directly to the auth backends,
they can decide if they are able to process the
authentication pass it to the next backend.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 21:40:08 CEST 2017 on sn-devel-144
Douglas Bagnall [Wed, 7 Jun 2017 05:45:15 +0000 (17:45 +1200)]
repl_meta_data: single valued error codes depend on change type
A replace leads to CONSTRAINT_VIOLATION while an add causes
ATTRIBUTE_OR_VALUE_EXISTS. For this we need to check the mod type
before the replmd_modify_la_* calls because they change everything
into a replace.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 31 May 2017 05:40:05 +0000 (17:40 +1200)]
replmd: special-case member return value in replmd_add_fix_la()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 31 May 2017 03:22:45 +0000 (15:22 +1200)]
replmd: check duplicate linked attributes
This is simple enough because we already have the sorted list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 26 May 2017 03:17:21 +0000 (15:17 +1200)]
replmd: check single values in replmd_add_fix_la
repl_meta_data knows whether linked attributes are appropriately
[un-]duplicated, and this is how it tells ldb_tdb that.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Jun 2017 23:30:33 +0000 (11:30 +1200)]
ldb: relatively efficient functions for finding duplicate values
ldb backends need to make sure they are not adding duplicate values to
multi-valued attributes in ADD and MODIFY operations. Until now they
have done this inefficiently using nested loops. Here we add common
functions that deal with large numbers of values in O(n log n) time,
but continue to use the simple methods for small numbers of values.
These functions take a struct ldb_context pointer and an options flag
arguments, although the ldb is not used, and only one bit of the
options has meaning. This is to allow further patches to switch on
schema-aware comparisons.
This entails an ABI jump to add the two new functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 22 May 2017 14:00:08 +0000 (16:00 +0200)]
smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.
At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 18 May 2017 13:27:46 +0000 (15:27 +0200)]
g_lock: Make g_lock_dump return a complete list of locks
To be honest, it did not really make sense to just pass in
lock holders individually. You could argue that it made sense
with in reality only G_LOCK_WRITE around, but soon we will have
G_LOCK_READ and thus multiple lock holders on a single lock.
Now that we also have userdata, change the g_lock_dump API
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144
If it is set by the dispatch functions, the core server
will use call->wait_send() and wait for it to finally
return frim call->wait_recv() before it asks for the
next incoming pdu.
This can be used to implement bind as async operations.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.
This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.
This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 16 Nov 2016 01:44:40 +0000 (14:44 +1300)]
repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server
Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144
Andrew Bartlett [Wed, 14 Jun 2017 01:12:32 +0000 (13:12 +1200)]
dsdb: Ensure replication of renames works in schema partition
This caused failures against vampire_dc (on large-dc), likely due to
more frequent replication propagating the record before it was renamed.
The DC ran out of RIDs and RID allocation causes schema replication,
which failed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12841 Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Jun 2017 23:20:58 +0000 (11:20 +1200)]
selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
This ensures that object is not cleaned up, triggering a disconnect before we get back
the audit messages. Otherwise they can be lost when the server task calls exit()
while the message thread is still trying to send them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This verifies the F_RDLCK => F_WRLCK upgrade logic in the kernel
for conflicting locks.
This is a standalone test to check the traverse_read vs.
allrecord_lock/prepare_commit interaction.
This is based on the example from
https://lists.samba.org/archive/samba-technical/2017-April/119861.html
from Douglas Bagnall <douglas.bagnall@catalyst.net.nz> and Volker Lendecke <vl@samba.org>.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Jun 2017 02:09:30 +0000 (14:09 +1200)]
ldb_tdb: Remove the idxptr DB before we re-index
We do not want the cache or any of the values in it, we want to read the real DB
@INDEX: records.
This matters if a re-index is tiggered in the same transaction
as the modify of the values in the index. Otherwise we won't see
the old index record (it will not show up in the tdb_traverse)
and so fail to remove it.
That in turn can cause a spurious unqiue index violation.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
selftest: pass the workgroup name to Samba3::provision()
Not all environments should use the samba workgroup name.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 14 02:53:27 CEST 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 13 22:45:28 CEST 2017 on sn-devel-144
This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.
Typically something like this seems to work:
[winprofiles]
comment = Users profiles New
path = /data/winprofiles/
browseable = No
read only = No
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
With chmod 1777 on /data/winprofiles/
In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833
It's also useful to something like this in the global
section in order to detect disconnects reliable:
Gary Lockyer [Thu, 1 Jun 2017 01:26:38 +0000 (13:26 +1200)]
strerror_r: provide XSI-compliant strerror_r
Provide a XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.
Amitay Isaacs [Thu, 8 Jun 2017 08:22:17 +0000 (18:22 +1000)]
ctdb-recovery: Log messages at various debug levels
This avoids spamming the logs during recovery at NOTICE level.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 13 13:22:09 CEST 2017 on sn-devel-144
When thousands of connections are being killed the logs are flooded
with information about connections that should be killed. When some
connections are not killed then the number not killed is printed.
This is the wrong way around! When debugging "fail-back" problems, it
is important to know details of connections that were *not* killed.
It is almost never important to know the full list of all connections
that were *supposed* to be killed.
Instead, print a summary showing how many connections of the total
were killed. If any were not killed then print a list of remaining
connections.
Update unit tests: infrastructure for fake TCP connections, existing,
test cases, add new test cases.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
projects / thirdparty / samba.git / log
