Ralph Boehme [Thu, 16 Mar 2017 16:52:50 +0000 (17:52 +0100)]
winbindd: remove trailing spaces in get_cache()
Trailing spaces are annoyingly highlighted red in my emacs setup so I'd
like to get rid of them. :)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 17 00:20:17 CET 2017 on sn-devel-144
Volker Lendecke [Thu, 16 Mar 2017 08:31:10 +0000 (09:31 +0100)]
docs: Deprecate "map untrusted to domain"
The implementation of this parameter depends on Samba to enumerate
trusted domains. In an active directory environment, we don't know of
a good way to enumerate all domains that we have to accept as trusted,
in particular with multiple forests, one-way and external trusts. We
hope to replace this parameter in the future with something that matches
Windows behaviour better, after the deprecation phase of this parameter
is over and we can remove it.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 15 20:04:32 CET 2017 on sn-devel-144
Having a stale copy in Samba only confuses things.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 15 09:18:21 CET 2017 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
lib/crypto: implement samba.crypto Python module for RC4
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.
Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.
Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Simo Sorce <idra@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
Volker Lendecke [Mon, 13 Mar 2017 18:09:27 +0000 (19:09 +0100)]
examples:clifuse: Add a stub for getattr
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 14 19:15:03 CET 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 13 19:45:31 CET 2017 on sn-devel-144
Garming Sam [Sun, 12 Mar 2017 23:18:00 +0000 (12:18 +1300)]
getncchanges: Remove O(n) loop in link parsing
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 13 08:57:24 CET 2017 on sn-devel-144
Garming Sam [Fri, 3 Mar 2017 03:21:12 +0000 (16:21 +1300)]
getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Bob Campbell [Fri, 17 Feb 2017 02:51:36 +0000 (15:51 +1300)]
getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
This conforms with Windows' behaviour.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Wed, 8 Mar 2017 04:12:32 +0000 (17:12 +1300)]
replmd: Include extra data on DN in search if it exists
This is important for multi-valued DN+Binary (or DN+String) attributes,
as otherwise they will be considered duplicates.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Garming Sam [Wed, 8 Mar 2017 04:12:27 +0000 (17:12 +1300)]
getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
This correctly passes has_get_all_changes through to repl_secrets.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Bob Campbell [Wed, 15 Feb 2017 21:03:29 +0000 (10:03 +1300)]
drsblobs: Add decode for replPropertyMetaData1
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Bob Campbell [Mon, 13 Feb 2017 02:46:37 +0000 (15:46 +1300)]
python/tests: Add repl_rodc test
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Wed, 8 Mar 2017 04:13:40 +0000 (17:13 +1300)]
drsbase: use credentials if supplied
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:17:27 +0000 (17:17 +1300)]
python/dsdb_dn: Add a generic get_bytes method on DNs
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 03:10:16 +0000 (16:10 +1300)]
ldb_tdb: Add better comments for duplicate attr values
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 9 Mar 2017 02:56:12 +0000 (15:56 +1300)]
ldb_tdb: Do not check for duplicate values during a rename
This is not the time to be pretending to be dbcheck, and there are
exceptions to the single-value rules in Samba. This is needed for
the same reasons as the modify case.
(Note: this error was triggered with the demote of an RODC with links)
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 8 Mar 2017 04:12:21 +0000 (17:12 +1300)]
ldb_tdb: Do not care about duplicates if single value check disabled
This behaviour of ignoring duplicates with the flag
LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK is also used in the replace
case here.
When we add a forward DN+Binary link with a duplicate DN, this prevents
us from not being able to add the backlink because it appears to be a
duplicate here.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Chris Lamb [Fri, 17 Feb 2017 19:59:48 +0000 (08:59 +1300)]
Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Uri Simchoni [Fri, 3 Mar 2017 20:00:00 +0000 (22:00 +0200)]
doc: update "ea support" section of the smb.conf manpage
This section was badly outdated.
Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 12 21:04:11 CET 2017 on sn-devel-144
winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain
find_lookup_domain_from_sid() returns the same domain for all non local
sids on a domain member. We should not chunk one wb_lookupsids_send/recv
into multiple wbint_LookupSids_send/recv to the same 'lookup' domain,
just because the requested SIDs don't all belong to the same domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Mar 12 00:56:14 CET 2017 on sn-devel-144
selftest: Do not plan samba3.base.delaywrite twice
This test is already slow. We should not run it twice!
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar 11 04:25:14 CET 2017 on sn-devel-144
Ralph Boehme [Thu, 9 Mar 2017 18:49:56 +0000 (19:49 +0100)]
lib/pthreadpool: fix a memory leak
When copying large files from the server to the client with aio enabled
we noticed that smbd kept growing RSS and VSZ.
valgrind was reporting:
==2503== 4,093,440 bytes in 6,560 blocks are possibly lost in loss record 460 of 460
==2503== at 0x4C299CE: calloc (vg_replace_malloc.c:711)
==2503== by 0x4011C24: _dl_allocate_tls (in /usr/lib64/ld-2.17.so)
==2503== by 0x4E3C960: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.17.so)
==2503== by 0x9B298AE: pthreadpool_add_job (in /usr/lib64/samba/libmessages-dgm-samba4.so)
==2503== by 0x9B29FDC: pthreadpool_tevent_job_send (in /usr/lib64/samba/libmessages-dgm-samba4.so)
==2503== by 0x56A78EF: ??? (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55D86B7: smb_vfs_call_pread_send (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55F7543: schedule_smb2_aio_read (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x5608F57: smbd_smb2_request_process_read (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55FCB6C: smbd_smb2_request_dispatch (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x55FD7DC: ??? (in /usr/lib64/samba/libsmbd-base-samba4.so)
==2503== by 0x641B977: ??? (in /usr/lib64/samba/libtevent.so.0.9.31)
The problem seems to be caused by worked threads that are not properly
started in detached state and thus their tls is not reclaimed upon
thread termination.
In pthreadpool.c we prepare a pthread attribute with
PTHREAD_CREATE_DETACHED, but we don't pass it to pthread_create().
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 10 22:06:02 CET 2017 on sn-devel-144
Garming Sam [Wed, 8 Mar 2017 23:22:13 +0000 (12:22 +1300)]
objectclass_attrs: Remove schema copy shallow from attr_handler2
This appears quite expensive (particularly in provision), and also
unnecessary.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 10 15:34:39 CET 2017 on sn-devel-144
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from
ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
to
ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.
From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).
MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.
s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
With credentials for administrator@FOREST1.EXAMPLE.COM
this patch changes the target_principal for
the ldap service of host dc2.forest2.example.com
from
ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
to
ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
to generate a referral ticket for
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
The problem is that KDCs only return such referral tickets
if there's a forest trust between FOREST1.EXAMPLE.COM
and FOREST2.EXAMPLE.COM. If there's only an external domain
trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
In the case of an external trust the client can still ask
explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
and the KDC of FOREST1.EXAMPLE.COM will generate it.
From there the client can use the
krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
target principal. As _krb5_get_cred_kdc_any() first calls
get_cred_kdc_referral() (which always starts with the client realm)
and falls back to get_cred_kdc_capath() (which starts with the given realm).
MIT krb5 only tries the given realm of the target principal,
if we want to autodetect support for transitive forest trusts,
we'll have to do the fallback ourself.
krb5_wrap: Try to guess the correct realm from the service hostname
If we do not get a realm mapping from the krb5.conf or from the Kerberos
library try to guess it from the service hostname. The guessing of the
realm from the service hostname is already implemented in Heimdal. This
makes the behavior of smb_krb5_get_realm_from_hostname() consistent
with both MIT and Heimdal.
Ian Stakenvicius [Mon, 30 Jan 2017 15:11:46 +0000 (10:11 -0500)]
waf: disable-python - don't include python.h in test_headers.c
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 10 11:24:13 CET 2017 on sn-devel-144
Andrew Bartlett [Mon, 30 Jan 2017 14:36:31 +0000 (09:36 -0500)]
autobuild: Add nopython environment to test --disable-python builds (but without tests)
This ensures we keep this option building as we extend our use of python.
The rule is that new features and changes to existing features that
require python are most welcome, they just need to be disabled for the
minimalistic targets we still ecourage Samba on, that typically just
want smbd
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Ian Stakenvicius [Sat, 28 Jan 2017 03:53:39 +0000 (22:53 -0500)]
waf: disable-python - don't build torture bits
samba-net being disabled causes a chain of dependency or proto.h-based
missing code issues that require a number of modules or subsystems
to be disabled in samba4/torture.
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Ian Stakenvicius [Sat, 28 Jan 2017 02:32:22 +0000 (21:32 -0500)]
waf: disable-python - don't build samba-policy
samba-policy requires samba-net which requires PROVISION, which
is disabled when python isn't available.
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Ian Stakenvicius [Sat, 28 Jan 2017 02:31:21 +0000 (21:31 -0500)]
waf: disable-python - don't build samba-net
samba-net requires PROVISION, which is disabled when python isn't available.
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
projects / thirdparty / samba.git / log
