Volker Lendecke [Fri, 24 Nov 2023 15:27:42 +0000 (16:27 +0100)]
profile: Fix rusage reporting
getrusage already gives accumulated values, so add them to the tdb
record after smbprofile_stats_accumulate. Maybe we should not zero out
our internal copy after writing the tdb, this would save a call to
smbprofile_stats_accumulate() once a second.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 15 12:09:21 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 12 Dec 2023 23:22:04 +0000 (10:22 +1100)]
ctdb-daemon: Use ctdb_connection_to_buf() to simplify
The one case that is no longer handled specially is when the
destination address is IPv4 loopback. This may previously have been
used to avoid flooding the logs when testing. However, that seems
unnecessary - if testing with 127.0.0.1 then make it a public address.
Volker Lendecke [Thu, 12 Oct 2023 15:19:45 +0000 (17:19 +0200)]
smbd: Remove callback for release_ip when "state" is free'ed
If a client connects to a non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we hit by a use-after-free
talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
We need to decide between calling ctdbd_unregister_ips() by default, as
it means the tcp connection is really gone and ctdb needs to remove the
'tickle' information. But when a connection was passed to a different
smbd process, we need to use ctdbd_passed_ips() as the tcp connection is
still alive and the 'tickle' information should not be removed within
ctdb.
This demonstrates the crash that happens if a client connects to a
non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we hit by a
use-after-free talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
Note that we also need to mark some subtests as flapping
as there's a 2nd problem that happens in the interaction
between smbd processes and ctdb when passing a multichannel
connection to an existing process, it means we sometimes
loose the 'tickle' information within ctdb to that tcp connection.
This is similar to ctdbd_unregister_ips(), but with the
difference that ctdb keeps the 'tickle' information for
the tcp connection alive, because another smbd process
took care of that tcp connection in a multichannel scenario.
With multichannel a tcp connection is registered first with
a temporary smbd process, that calls CTDB_CONTROL_TCP_CLIENT
first and then passes the tcp connection to the longterm smbd
that already handles all connections belonging to the specific
client_guid. That smbd process calls CTDB_CONTROL_TCP_CLIENT
again, but the 'tickle' information is already there.
When the temporary smbd process exists/disconnects from ctdb
or calls CTDB_CONTROL_TCP_CLIENT_DISCONNECTED, the 'tickle'
information is removed, while the longterm smbd process
still serves the tcp connection.
With multichannel a ctdb connection from smbd may hold multiple
tcp connections, which can be disconnected before the smbd
process terminates the whole ctdb connection, so we a
way to remove undo 'CTDB_CONTROL_TCP_CLIENT' again.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 15 10:44:42 UTC 2023 on atb-devel-224
>>> silos = AuthenticationSilo.query(ldb)
>>> for silo in silos:
... print(silo)
...
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 15 03:51:55 UTC 2023 on atb-devel-224
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: getpassword: get rid of pointless overridden constructors
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python: pep257: docstring should use double quotes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 1 Dec 2023 02:01:16 +0000 (15:01 +1300)]
python: Remove references to removed parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 04:32:31 UTC 2023 on atb-devel-224
Douglas Bagnall [Wed, 13 Dec 2023 04:24:50 +0000 (17:24 +1300)]
libcli/security: allow round-trip for conditional ACE hex integers
As with the previous commit, though not addressing the particular fuzz
case, zero hex numbers need to be explicitly written as "0x0", or the
round-trip will fail.
Douglas Bagnall [Wed, 13 Dec 2023 04:20:38 +0000 (17:20 +1300)]
libcli/security: allow round-trip for conditional ACE octal integers
The string "00" will decode into an integer tagged as octal, but
`snprintf("%#oll")` will write the string "0", which would decode as
decimal, so the in the SDDL1->SD1->SDDL2->SD2 round trip, SD1 would
not be the same as SD2.
The effect is really only relevant to SDDL, which wants to remember
what base the numbers were presented in, though the fuzzers and tests
don't directly compare SDDL, which can have extra spaces and so forth.
Douglas Bagnall [Tue, 12 Dec 2023 21:57:41 +0000 (10:57 +1300)]
libcli/security: SDDL decode stops earlier with too many ACEs
For this purpose, "too many" means we know for sure that it won't fit
in packet format, even if all the ACEs are minimum size. This would
fail anyway.
Credit to OSS-Fuzz, who found that 50 thousand ACEs that took more
than 60 seconds to decode. This will now fail after 4096 ACEs which
should be about 150 times faster than 50k (because the realloc loop in
quadratic), so ~0.5 seconds in the fuzz context with sanitisers
enabled. That is still slowish, but SDDL parsing is not a critical
path and without address sanitisers it will be many times faster.
Samuel Cabrero [Tue, 12 Dec 2023 20:17:50 +0000 (21:17 +0100)]
tests: Add a test for the idmap_nss : use_upn setting
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Wed Dec 13 16:05:19 UTC 2023 on atb-devel-224
When translating a Unix ID to a SID the module calls get[pwu|grg]id() but the
name returned by some NSS modules might be a UPN instead of a plain name. If
the new parameter is enabled the returned name will be parsed and correctly
handled.
On the other hand, when translating a SID to a Unix ID the module first
resolves the SID to a domain + name, and then calls get[pw|gr]name() with the
plain name, or the UPN if the new parameter is enabled.
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Samuel Cabrero [Tue, 12 Dec 2023 14:55:20 +0000 (15:55 +0100)]
s3:winbind: Register a messaging filter foreach domain child
Instead of registering the "classic" callback for MSG_SMB_CONF_UPDATED,
install a message filter to allow other parts of the code to also
listen for this message because classic callbacks are delivered only
once (see commit a2436b67e5dd47d955a3bea2b83e0693b627ab96).
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Joseph Sutton [Sun, 12 Nov 2023 20:44:26 +0000 (09:44 +1300)]
buildtools: Remove ‘keep_underscore’ parameter
Nothing now passes this in.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 11 02:13:39 UTC 2023 on atb-devel-224
SAMBA_LIBARY()’s ‘keep_underscore’ parameter has an effect only if None
is passed in for ‘bundled_name’. However, SAMBA_PLUGIN() always passes
in a string for ‘bundled_name’. Therefore ‘keep_underscore’ will never
have any effect — remove it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Dec 10 22:22:51 UTC 2023 on atb-devel-224
Time to fix the smget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.
selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Whatever
possible should use DOMIAN_USER instead.
s3:tests: Fix authentication with smbget_user in smbget tests
Currently the smget share is broken. We set `guest ok = yes` so if you
specify invalid names, the authentication will still succeed as we
are mapped to guest.
The smbget_user is a local ad_member user. We need to set the
workstation as the "domain" for the user.
Douglas Bagnall [Fri, 8 Dec 2023 03:37:39 +0000 (16:37 +1300)]
selftest/knownfail.d: move encrypted_secrets to expectedfail.d
From the file itself:
> # The fl2000dc environment is provisioned with the --plaintext-secrets option
> # running the ecnrypted secrets tests on it and expecting them to fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
projects / thirdparty / samba.git / log
