The branch, master has been updated
via a0f810e selftest: allow more time for tests
from dcfa6c0 torture: Fix CID 1426987 Incorrect expression (UNUSED_VALUE)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a0f810e7e39cde003c9c5e0cb701846472e80a74
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Dec 28 11:45:49 2017 +1300

selftest: allow more time for tests

Maybe make test *should* run in under 4 hours, but it currently
doesn't.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Fri Dec 29 02:48:59 CET 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
selftest/selftest.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 2316f9f..ff19d59 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -441,8 +441,8 @@ if ($opt_testenv) {
# 1 year should be enough :-)
$server_maxtime = 365 * 24 * 60 * 60;
} else {
- # make test should run under 4 hours
- $server_maxtime = 4 * 60 * 60;
+ # make test should run under 5 hours
+ $server_maxtime = 5 * 60 * 60;
}

if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {

The branch, master has been updated
via d8d21ec Happy New Year 2018!
from a0f810e selftest: allow more time for tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d8d21ec437b40506b000cafd046295f0c5e0c8dd
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Jan 1 00:14:13 2018 +0100

Happy New Year 2018!

Signed-off-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Mon Jan 1 19:19:22 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/include/smb.h | 2 +-
source4/smbd/server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 0e79cb8..3316f09 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -30,7 +30,7 @@
#include "libds/common/roles.h"

/* logged when starting the various Samba daemons */
-#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2017"
+#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2018"

#define SAFETY_MARGIN 1024
#define LARGE_WRITEX_HDR_SIZE 65
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 85dea26..f650d80 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -470,7 +470,7 @@ static int binary_smbd_main(const char *binary_name,
binary_name,
SAMBA_VERSION_STRING));
DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team"
- " 1992-2017\n"));
+ " 1992-2018\n"));

if (sizeof(uint16_t) < 2 ||
sizeof(uint32_t) < 4 ||

The branch, master has been updated
via 7277590 smbldap: don't try start tls on ldaps:// connections
via e29d31f doc-xml: fix dependency as the xml targets depend on Makefile.settings
from d8d21ec Happy New Year 2018!

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7277590f6d746113ff347c7fce3d8ef4d01cc715
Author: Bjoern Jacke <***@samba.org>
Date: Thu Dec 7 16:06:38 2017 +0100

smbldap: don't try start tls on ldaps:// connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6079

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Tue Jan 2 18:01:17 CET 2018 on sn-devel-144

commit e29d31f74f4c2a0f1127d9fb92118b6e42763bf1
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 13 13:39:10 2017 +0100

doc-xml: fix dependency as the xml targets depend on Makefile.settings

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/Makefile | 2 +-
source3/lib/smbldap.c | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/Makefile b/docs-xml/Makefile
index 6a33b17..d69238b 100644
--- a/docs-xml/Makefile
+++ b/docs-xml/Makefile
@@ -92,7 +92,7 @@ $(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl
@mkdir -p $(@D)
@$(XSLTPROC) --stringparam latex.imagebasedir "$*/" --stringparam noreference 0 --xinclude --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl
+$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings
@mkdir -p $(@D)
$(XSLTPROC) --xinclude --stringparam noreference 0 --output $@ xslt/expand-sambadoc.xsl $<

diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 71166f6..5a67ab7 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -604,7 +604,7 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
int smbldap_start_tls(LDAP *ldap_struct, int version)
{
#ifdef LDAP_OPT_X_TLS
- int rc;
+ int rc,tls;
#endif

if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
@@ -612,6 +612,12 @@ int smbldap_start_tls(LDAP *ldap_struct, int version)
}

#ifdef LDAP_OPT_X_TLS
+ /* check if we use ldaps already */
+ ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
+ if (tls == LDAP_OPT_X_TLS_HARD) {
+ return LDAP_SUCCESS;
+ }
+
if (version != LDAP_VERSION3) {
DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
return LDAP_OPERATIONS_ERROR;

The branch, master has been updated
via 11239f0 credentials: Simplify cli_credentials_get_server_gss_creds()
from 7277590 smbldap: don't try start tls on ldaps:// connections

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 11239f0759601a9db22dfe1e99d3de7f2348a1e5
Author: Andreas Schneider <***@samba.org>
Date: Tue Dec 13 11:38:13 2016 +0100

credentials: Simplify cli_credentials_get_server_gss_creds()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
auth/credentials/credentials_krb5.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index b88497d..585203a 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1151,16 +1151,17 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
}

if (ktc->password_based || obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
- maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
- NULL, NULL, ktc->keytab,
- &gcc->creds);
- } else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
- maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
- NULL, princ, ktc->keytab,
- &gcc->creds);
+ /*
+ * This creates a GSSAPI cred_id_t for match-by-key with only
+ * the keytab set
+ */
+ princ = NULL;
}
+ maj_stat = smb_gss_krb5_import_cred(&min_stat,
+ smb_krb5_context->krb5_context,
+ NULL, princ,
+ ktc->keytab,
+ &gcc->creds);
if (maj_stat) {
if (min_stat) {
ret = min_stat;

The branch, master has been updated
via 36ab213 dns_server: Remove "max_payload" from dns_server
via 35683a6 dns_server: Remove unused "dns_generate_options"
via cc3f9c2 dns_server: Remove unused "dns" parameter from ask_forwarder_send
via 15748c3 ndr_dns: fix pushing unknown resource records
via 300821b dns_server: Use dns_cli_request instead of direct udp
via 0bb92d7 libdns: Add dns_cli_request
via 6238830 libdns: dns/tcp client
via 507c9b6 dsdb: Fix the build on 32-bit FreeBSD
via d8e30cb libdns: Fix a typo
via f7f15c2 tsocket: Fix typos
from 11239f0 credentials: Simplify cli_credentials_get_server_gss_creds()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 36ab213ae66bbbdc95569452e409f50bc866e2f1
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 11:02:45 2017 +0100

dns_server: Remove "max_payload" from dns_server

This would have to be retrieved from the interface type we have I guess.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Thu Jan 4 05:08:02 CET 2018 on sn-devel-144

commit 35683a60e73f0544b4ee7e6853d09d0568d1c1ee
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 11:00:01 2017 +0100

dns_server: Remove unused "dns_generate_options"

This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit cc3f9c26ec05abb38d024c2a9f27f85f2cc92055
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 31 10:59:40 2017 +0100

dns_server: Remove unused "dns" parameter from ask_forwarder_send

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 15748c325c35c5e63ccff8cfcc4f3f555ebda77a
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 13:09:15 2017 +0100

ndr_dns: fix pushing unknown resource records

When pulling for example an RRSIG record, we end up with length!=0 *and*
unexpected.length != 0, but with an unknown rrec. We should be able to
marshall what we retrieved from the wire.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 300821b7934084f06b44b7a63a63db7cb544e8fa
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 11:11:59 2017 +0100

dns_server: Use dns_cli_request instead of direct udp

This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 0bb92d7f377caffb2425cc7757b370bcf671e598
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 11:01:29 2017 +0100

libdns: Add dns_cli_request

First UDP, then TCP if truncation happened

Signed-off-by: Volker Lendecke <***@samba.org>

commit 623883083b5f9b5f07466fee99080c0c7f588551
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 28 22:35:46 2017 +0100

libdns: dns/tcp client

Same signature as the UDP client in the same file. This opens and closes
the socket per request. In the future, we might want to create a
persistent TCP connection for our internal DNS server's forwarder. That
will require proper handling of in-flight requests. Something for
another day.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 507c9b6906ace462692eb499b1e217b5ea131c04
Author: Volker Lendecke <***@samba.org>
Date: Wed Dec 27 12:50:07 2017 +0100

dsdb: Fix the build on 32-bit FreeBSD

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit d8e30cb0aa3e014561fa5488e1cf30344cffe599
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 29 09:36:31 2017 +0100

libdns: Fix a typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit f7f15c25d2ce6e9f856e48c92009394222714d03
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 28 21:41:33 2017 +0100

tsocket: Fix typos

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
lib/tsocket/tsocket.h | 4 +-
libcli/dns/dns.c | 410 ++++++++++++++++++++-
libcli/dns/libdns.h | 30 +-
libcli/dns/wscript_build | 2 +-
librpc/ndr/ndr_dns.c | 11 +-
source4/dns_server/dns_query.c | 69 +---
source4/dns_server/dns_server.c | 2 -
source4/dns_server/dns_server.h | 4 -
source4/dns_server/dns_utils.c | 20 -
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c | 12 +-
10 files changed, 466 insertions(+), 98 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tsocket/tsocket.h b/lib/tsocket/tsocket.h
index f52b746..dd0bd98 100644
--- a/lib/tsocket/tsocket.h
+++ b/lib/tsocket/tsocket.h
@@ -805,7 +805,7 @@ bool tstream_bsd_optimize_readv(struct tstream_context *stream,
* @brief Connect async to a TCP endpoint and create a tstream_context for the
* stream based communication.
*
- * Use this function to connenct asynchronously to a remote ipv4 or ipv6 TCP
+ * Use this function to connect asynchronously to a remote ipv4 or ipv6 TCP
* endpoint and create a tstream_context for the stream based communication.
*
* @param[in] mem_ctx The talloc memory context to use.
@@ -961,7 +961,7 @@ struct sockaddr;
*
* @param[in] sa The sockaddr structure to convert.
*
- * @param[in] sa_socklen The lenth of the sockaddr sturucte.
+ * @param[in] sa_socklen The length of the sockaddr structure.
*
* @param[out] addr The tsocket pointer to allocate and fill.
*
diff --git a/libcli/dns/dns.c b/libcli/dns/dns.c
index 7d066d8..6404cb8 100644
--- a/libcli/dns/dns.c
+++ b/libcli/dns/dns.c
@@ -26,8 +26,10 @@
#include "libcli/dns/libdns.h"
#include "lib/util/tevent_unix.h"
#include "lib/util/samba_util.h"
+#include "lib/util/debug.h"
#include "libcli/util/error.h"
-#include "librpc/gen_ndr/dns.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_dns.h"

struct dns_udp_request_state {
struct tevent_context *ev;
@@ -176,3 +178,409 @@ int dns_udp_request_recv(struct tevent_req *req,

return 0;
}
+
+struct dns_tcp_request_state {
+ struct tevent_context *ev;
+ struct tstream_context *stream;
+ const uint8_t *query;
+ size_t query_len;
+
+ uint8_t dns_msglen_hdr[2];
+ struct iovec iov[2];
+
+ size_t nread;
+ uint8_t *reply;
+};
+
+static void dns_tcp_request_connected(struct tevent_req *subreq);
+static void dns_tcp_request_sent(struct tevent_req *subreq);
+static int dns_tcp_request_next_vector(struct tstream_context *stream,
+ void *private_data,
+ TALLOC_CTX *mem_ctx,
+ struct iovec **_vector,
+ size_t *_count);
+static void dns_tcp_request_received(struct tevent_req *subreq);
+
+struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
+{
+ struct tevent_req *req, *subreq;
+ struct dns_tcp_request_state *state;
+ struct tsocket_address *local, *remote;
+ int ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct dns_tcp_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->query = query;
+ state->query_len = query_len;
+
+ if (query_len > UINT16_MAX) {
+ tevent_req_error(req, EMSGSIZE);
+ return tevent_req_post(req, ev);
+ }
+
+ ret = tsocket_address_inet_from_strings(state, "ip", NULL, 0, &local);
+ if (ret != 0) {
+ tevent_req_error(req, errno);
+ return tevent_req_post(req, ev);
+ }
+
+ ret = tsocket_address_inet_from_strings(
+ state, "ip", server_addr_string, DNS_SERVICE_PORT, &remote);
+ if (ret != 0) {
+ tevent_req_error(req, errno);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = tstream_inet_tcp_connect_send(state, state->ev,
+ local, remote);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_connected, req);
+
+ return req;
+}
+
+static void dns_tcp_request_connected(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int ret, err;
+
+ ret = tstream_inet_tcp_connect_recv(subreq, &err, state,
+ &state->stream, NULL);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ RSSVAL(state->dns_msglen_hdr, 0, state->query_len);
+ state->iov[0] = (struct iovec) {
+ .iov_base = state->dns_msglen_hdr,
+ .iov_len = sizeof(state->dns_msglen_hdr)
+ };
+ state->iov[1] = (struct iovec) {
+ .iov_base = discard_const_p(void, state->query),
+ .iov_len = state->query_len
+ };
+
+ subreq = tstream_writev_send(state, state->ev, state->stream,
+ state->iov, ARRAY_SIZE(state->iov));
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_sent, req);
+}
+
+static void dns_tcp_request_sent(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int ret, err;
+
+ ret = tstream_writev_recv(subreq, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ subreq = tstream_readv_pdu_send(state, state->ev, state->stream,
+ dns_tcp_request_next_vector, state);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_tcp_request_received, req);
+}
+
+static int dns_tcp_request_next_vector(struct tstream_context *stream,
+ void *private_data,
+ TALLOC_CTX *mem_ctx,
+ struct iovec **_vector,
+ size_t *_count)
+{
+ struct dns_tcp_request_state *state = talloc_get_type_abort(
+ private_data, struct dns_tcp_request_state);
+ struct iovec *vector;
+ uint16_t msglen;
+
+ if (state->nread == 0) {
+ vector = talloc_array(mem_ctx, struct iovec, 1);
+ if (vector == NULL) {
+ return -1;
+ }
+ vector[0] = (struct iovec) {
+ .iov_base = state->dns_msglen_hdr,
+ .iov_len = sizeof(state->dns_msglen_hdr)
+ };
+ state->nread = sizeof(state->dns_msglen_hdr);
+
+ *_vector = vector;
+ *_count = 1;
+ return 0;
+ }
+
+ if (state->nread == sizeof(state->dns_msglen_hdr)) {
+ msglen = RSVAL(state->dns_msglen_hdr, 0);
+
+ state->reply = talloc_array(state, uint8_t, msglen);
+ if (state->reply == NULL) {
+ return -1;
+ }
+
+ vector = talloc_array(mem_ctx, struct iovec, 1);
+ if (vector == NULL) {
+ return -1;
+ }
+ vector[0] = (struct iovec) {
+ .iov_base = state->reply,
+ .iov_len = msglen
+ };
+ state->nread += msglen;
+
+ *_vector = vector;
+ *_count = 1;
+ return 0;
+ }
+
+ *_vector = NULL;
+ *_count = 0;
+ return 0;
+}
+
+static void dns_tcp_request_received(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ int ret, err;
+
+ ret = tstream_readv_pdu_recv(subreq, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
+{
+ struct dns_tcp_request_state *state = tevent_req_data(
+ req, struct dns_tcp_request_state);
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ tevent_req_received(req);
+ return err;
+ }
+
+ *reply_len = talloc_array_length(state->reply);
+ *reply = talloc_move(mem_ctx, &state->reply);
+ tevent_req_received(req);
+
+ return 0;
+}
+
+struct dns_cli_request_state {
+ struct tevent_context *ev;
+ const char *nameserver;
+
+ uint16_t req_id;
+
+ DATA_BLOB query;
+
+ struct dns_name_packet *reply;
+};
+
+static void dns_cli_request_udp_done(struct tevent_req *subreq);
+static void dns_cli_request_tcp_done(struct tevent_req *subreq);
+
+struct tevent_req *dns_cli_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *nameserver,
+ const char *name,
+ enum dns_qclass qclass,
+ enum dns_qtype qtype)
+{
+ struct tevent_req *req, *subreq;
+ struct dns_cli_request_state *state;
+ struct dns_name_question question;
+ struct dns_name_packet out_packet;
+ enum ndr_err_code ndr_err;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct dns_cli_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->nameserver = nameserver;
+
+ DBG_DEBUG("Asking %s for %s/%d/%d via UDP\n", nameserver,
+ name, (int)qclass, (int)qtype);
+
+ generate_random_buffer((uint8_t *)&state->req_id,
+ sizeof(state->req_id));
+
+ question = (struct dns_name_question) {
+ .name = discard_const_p(char, name),
+ .question_type = qtype, .question_class = qclass
+ };
+
+ out_packet = (struct dns_name_packet) {
+ .id = state->req_id,
+ .operation = DNS_OPCODE_QUERY | DNS_FLAG_RECURSION_DESIRED,
+ .qdcount = 1,
+ .questions = &question
+ };
+
+ ndr_err = ndr_push_struct_blob(
+ &state->query, state, &out_packet,
+ (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dns_udp_request_send(state, state->ev, state->nameserver,
+ state->query.data, state->query.length);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, dns_cli_request_udp_done, req);
+ return req;
+}
+
+static void dns_cli_request_udp_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ DATA_BLOB reply;
+ enum ndr_err_code ndr_err;
+ int ret;
+
+ ret = dns_udp_request_recv(subreq, state, &reply.data, &reply.length);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ state->reply = talloc(state, struct dns_name_packet);
+ if (tevent_req_nomem(state->reply, req)) {
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob(
+ &reply, state->reply, state->reply,
+ (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return;
+ }
+ TALLOC_FREE(reply.data);
+
+ if (state->reply->id != state->req_id) {
+ DBG_DEBUG("Got id %"PRIu16", expected %"PRIu16"\n",
+ state->reply->id, state->req_id);
+ tevent_req_error(req, ENOMSG);
+ return;
+ }
+
+ if ((state->reply->operation & DNS_FLAG_TRUNCATION) == 0) {
+ DBG_DEBUG("Got op=%x %"PRIu16"/%"PRIu16"/%"PRIu16"/%"PRIu16
+ " recs\n", (int)state->reply->operation,
+ state->reply->qdcount, state->reply->ancount,
+ state->reply->nscount, state->reply->nscount);
+ tevent_req_done(req);
+ return;
+ }
+
+ DBG_DEBUG("Reply was truncated, retrying TCP\n");
+
+ TALLOC_FREE(state->reply);
+
+ subreq = dns_tcp_request_send(state, state->ev, state->nameserver,
+ state->query.data, state->query.length);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, dns_cli_request_tcp_done, req);
+}
+
+static void dns_cli_request_tcp_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ DATA_BLOB reply;
+ enum ndr_err_code ndr_err;
+ int ret;
+
+ ret = dns_tcp_request_recv(subreq, state, &reply.data, &reply.length);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ state->reply = talloc(state, struct dns_name_packet);
+ if (tevent_req_nomem(state->reply, req)) {
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob(
+ &reply, state->reply, state->reply,
+ (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ tevent_req_error(req, ndr_map_error2errno(ndr_err));
+ return;
+ }
+ TALLOC_FREE(reply.data);
+
+ if (state->reply->id != state->req_id) {
+ DBG_DEBUG("Got id %"PRIu16", expected %"PRIu16"\n",
+ state->reply->id, state->req_id);
+ tevent_req_error(req, ENOMSG);
+ return;
+ }
+
+ DBG_DEBUG("Got op=%x %"PRIu16"/%"PRIu16"/%"PRIu16"/%"PRIu16
+ " recs\n", (int)state->reply->operation,
+ state->reply->qdcount, state->reply->ancount,
+ state->reply->nscount, state->reply->nscount);
+
+ tevent_req_done(req);
+}
+
+int dns_cli_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dns_name_packet **reply)
+{
+ struct dns_cli_request_state *state = tevent_req_data(
+ req, struct dns_cli_request_state);
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ return err;
+ }
+ *reply = talloc_move(mem_ctx, &state->reply);
+ return 0;
+}
diff --git a/libcli/dns/libdns.h b/libcli/dns/libdns.h
index 7ea2eb6..1b7c404 100644
--- a/libcli/dns/libdns.h
+++ b/libcli/dns/libdns.h
@@ -22,6 +22,10 @@
#ifndef __LIBDNS_H__
#define __LIBDNS_H__

+#include "lib/util/data_blob.h"
+#include "lib/util/time.h"
+#include "librpc/gen_ndr/dns.h"
+
/** Send an dns request to a dns server using UDP
*
*@param mem_ctx talloc memory context to use
@@ -39,7 +43,7 @@ struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,

/** Get the dns response from a dns server via UDP
*
- *@param req tevent_req struct returned from dns_request_send
+ *@param req tevent_req struct returned from dns_udp_request_send
*@param mem_ctx talloc memory context to use for the reply string
*@param reply buffer that will be allocated and filled with the dns reply
*@param reply_len length of the reply buffer
@@ -50,4 +54,28 @@ int dns_udp_request_recv(struct tevent_req *req,
uint8_t **reply,
size_t *reply_len);

+struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len);
+int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len);
+
+/*
+ * DNS request with fallback to TCP on truncation
+ */
+
+struct tevent_req *dns_cli_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *nameserver,
+ const char *name,
+ enum dns_qclass qclass,
+ enum dns_qtype qtype);
+int dns_cli_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dns_name_packet **reply);
+
+

The branch, master has been updated
via 114f5da s3: smbd: Use identical logic to test for kernel oplocks on a share.
from 36ab213 dns_server: Remove "max_payload" from dns_server

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 114f5da2fab6f587de77e792274b396fb3d7ce71
Author: Jeremy Allison <***@samba.org>
Date: Wed Jan 3 09:52:33 2018 -0800

s3: smbd: Use identical logic to test for kernel oplocks on a share.

Due to inconsistent use of lp_kernel_oplocks() we could miss kernel
oplocks being on/off in some of our oplock handling code, and thus
use the wrong logic.

Ensure all logic around koplocks and lp_kernel_oplocks() is consistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13193

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Thu Jan 4 16:03:38 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/smbd/oplock.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index 1b2a87b..e848b5e 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -56,7 +56,8 @@ NTSTATUS set_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
- bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if (fsp->oplock_type == LEVEL_II_OPLOCK) {
if (use_kernel &&
@@ -98,7 +99,8 @@ static void release_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
- bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if ((fsp->oplock_type != NO_OPLOCK) &&
use_kernel) {
@@ -131,13 +133,15 @@ static void downgrade_file_oplock(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

if (!EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
DEBUG(0, ("trying to downgrade an already-downgraded oplock!\n"));
return;
}

- if (koplocks) {
+ if (use_kernel) {
koplocks->ops->release_oplock(koplocks, fsp, LEVEL_II_OPLOCK);
}
fsp->oplock_type = LEVEL_II_OPLOCK;
@@ -729,12 +733,14 @@ static void add_oplock_timeout_handler(files_struct *fsp)
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

/*
* If kernel oplocks already notifies smbds when an oplock break times
* out, just return.
*/
- if (koplocks &&
+ if (use_kernel &&
(koplocks->flags & KOPLOCKS_TIMEOUT_NOTIFICATION)) {
return;
}
@@ -845,7 +851,8 @@ static void process_oplock_break_message(struct messaging_context *msg_ctx,
break_to &= ~SMB2_LEASE_READ;
}

- use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks;
+ use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);
if (use_kernel && !(koplocks->flags & KOPLOCKS_LEVEL2_SUPPORTED)) {
DEBUG(10, ("Kernel oplocks don't allow level2\n"));
break_to &= ~SMB2_LEASE_READ;
@@ -1255,8 +1262,10 @@ void smbd_contend_level2_oplocks_begin(files_struct *fsp,
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

- if (koplocks && koplocks->ops->contend_level2_oplocks_begin) {
+ if (use_kernel && koplocks->ops->contend_level2_oplocks_begin) {
koplocks->ops->contend_level2_oplocks_begin(fsp, type);
return;
}
@@ -1269,9 +1278,11 @@ void smbd_contend_level2_oplocks_end(files_struct *fsp,
{
struct smbd_server_connection *sconn = fsp->conn->sconn;
struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops;
+ bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) &&
+ (koplocks != NULL);

/* Only kernel oplocks implement this so far */
- if (koplocks && koplocks->ops->contend_level2_oplocks_end) {
+ if (use_kernel && koplocks->ops->contend_level2_oplocks_end) {
koplocks->ops->contend_level2_oplocks_end(fsp, type);
}
}

The branch, master has been updated
via 7a0a765 docs-xml: plain file URIs need three slashes
via 03f0ba7 docs-xml: figure out samba version for the docs automatically
from 114f5da s3: smbd: Use identical logic to test for kernel oplocks on a share.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7a0a765d535abdd76d86ea88251489d2839ec59b
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 12:55:26 2018 +0100

docs-xml: plain file URIs need three slashes

Signed-off-by: Bjoern Jacke <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Thu Jan 4 20:32:21 CET 2018 on sn-devel-144

commit 03f0ba71953b2738261e897074e7d91c6022c1b7
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 10:38:05 2018 +0100

docs-xml: figure out samba version for the docs automatically

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/build/catalog.xml.in | 8 ++++----
docs-xml/configure.ac | 8 +++++++-
2 files changed, 11 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/build/catalog.xml.in b/docs-xml/build/catalog.xml.in
index 77bf87e..77ec4f2 100644
--- a/docs-xml/build/catalog.xml.in
+++ b/docs-xml/build/catalog.xml.in
@@ -6,16 +6,16 @@

<rewriteURI
uriStartString="http://www.samba.org/samba/DTD/"
- rewritePrefix="file://@abs_top_srcdir@/build/DTD/"/>
+ rewritePrefix="file:///@abs_top_srcdir@/build/DTD/"/>

<rewriteURI
uriStartString="http://www.samba.org/samba/LOCAL.BUILDDIR.DTD/"
- rewritePrefix="file://@abs_top_builddir@/build/DTD/"/>
+ rewritePrefix="file:///@abs_top_builddir@/build/DTD/"/>

<rewriteURI
uriStartString="http://www.gnu.org/licenses/"
- rewritePrefix="file://@abs_top_srcdir@/Samba3-ByExample/"/>
+ rewritePrefix="file:///@abs_top_srcdir@/Samba3-ByExample/"/>
<rewriteURI
uriStartString="http://www.samba.org/samba/smbdotconf/"
- rewritePrefix="file://@abs_top_builddir@/smbdotconf/"/>
+ rewritePrefix="file:///@abs_top_builddir@/smbdotconf/"/>
</catalog>
diff --git a/docs-xml/configure.ac b/docs-xml/configure.ac
index 8c26692..9a7f9ce 100644
--- a/docs-xml/configure.ac
+++ b/docs-xml/configure.ac
@@ -55,8 +55,14 @@ fi

AC_SUBST(TARGETS)

+. ../VERSION
if test x"$DOC_VERSION" = x; then
- AC_MSG_ERROR([Please export DOC_VERSION variable])
+ #AC_MSG_ERROR([Please export DOC_VERSION variable])
+ VERSION_SUFFIX=""
+ if test x"$SAMBA_VERSION_PRE_RELEASE" != x; then
+ VERSION_SUFFIX=pre
+ fi
+ DOC_VERSION=${SAMBA_VERSION_MAJOR}.${SAMBA_VERSION_MINOR}.${SAMBA_VERSION_RELEASE}${VERSION_SUFFIX}
else
AC_MSG_RESULT([DOC_VERSION: ${DOC_VERSION}])
fi

The branch, master has been updated
via 2245a4b autobuild: fix quoting of --restrict-tests
via 523bd03 source4/tests: typo in env name
from 7a0a765 docs-xml: plain file URIs need three slashes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2245a4bf9ac0a5b561a3cc5c4c35c4ecb3485ea6
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Tue Dec 19 13:14:41 2017 +1300

autobuild: fix quoting of --restrict-tests

Currently, passing multiple tests causes those other than the first to be
passed to make, causing failures.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Douglas Bagnall <***@samba.org>
Autobuild-Date(master): Fri Jan 5 02:51:09 CET 2018 on sn-devel-144

commit 523bd03fd6d077a05ed4c60168d8511b5ad18ed6
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Wed Jan 3 03:59:24 2018 +0000

source4/tests: typo in env name

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
script/autobuild.py | 2 +-
source4/selftest/tests.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index a4ad544..40bace5 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -83,7 +83,7 @@ tasks = {

"samba-test-only" : [ ("configure", "./configure.developer --with-selftest-prefix=./bin/ab --abi-check-disable" + samba_configure_params, "text/plain"),
("make", "make -j", "text/plain"),
- ("test", "make test FAIL_IMMEDIATELY=1 TESTS=${TESTS}", "text/plain") ],
+ ("test", 'make test FAIL_IMMEDIATELY=1 TESTS="${TESTS}"',"text/plain") ],

# Test cross-compile infrastructure
"samba-xc" : [ ("configure-native", "./configure.developer --with-selftest-prefix=./bin/ab" + samba_configure_params, "text/plain"),
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 755f0c9..91f8a5c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -726,7 +726,7 @@ planoldpythontestsuite("ad_dc_ntvfs",
# Want a selection of environments across the process models
#
for env in ["ad_dc_ntvfs:local", "ad_dc:local",
- "fl2003dc:local", "fl2008rdc:local",
+ "fl2003dc:local", "fl2008r2dc:local",
"promoted_dc:local"]:
planoldpythontestsuite(env, "samba.tests.blackbox.smbcontrol")

The branch, master has been updated
via 3cbeaf4 docs-xml: add basic Makefile dependencies for targets that use xsltproc
via 9b27948 docs-xml: set a reasonable XML_CATALOG_FILES in Makefile
via a2f5b3b docs-xml: generate build/catalog.xml via Makefile target
from 2245a4b autobuild: fix quoting of --restrict-tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3cbeaf40937082bd7072d715ae02aa0989835432
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:35:12 2018 +0100

docs-xml: add basic Makefile dependencies for targets that use xsltproc

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

Autobuild-User(master): Björn Jacke <***@sernet.de>
Autobuild-Date(master): Fri Jan 5 19:55:29 CET 2018 on sn-devel-144

commit 9b27948d6540b17d99bed3e39e75b2508f05a489
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:19:13 2018 +0100

docs-xml: set a reasonable XML_CATALOG_FILES in Makefile

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

commit a2f5b3b8e12bfc3d7182a406526b0d7edaf58a31
Author: Björn Jacke <***@samba.org>
Date: Thu Jan 4 16:12:28 2018 +0100

docs-xml: generate build/catalog.xml via Makefile target

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/Makefile | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/Makefile b/docs-xml/Makefile
index d69238b..ba49eae 100644
--- a/docs-xml/Makefile
+++ b/docs-xml/Makefile
@@ -6,6 +6,8 @@
# Jelmer Vernooij <***@samba.org>
include Makefile.settings

+export XML_CATALOG_FILES := $(XML_CATALOG_FILES) /etc/xml/catalog $(shell pwd)/build/catalog.xml
+
# Docs to build
MAIN_DOCS = $(patsubst %/index.xml,%,$(wildcard */index.xml))
MANPAGES = $(sort $(wildcard $(MANPAGEDIR)/*.?.xml))
@@ -16,6 +18,8 @@ DBLATEX_OPTIONS = -p xslt/latex.xsl -i xslt/latex

DATETIME := $(shell date +%Y%m%d%H%M%S)

+XSLTPROC_DEPS = build/catalog.xml build/DTD/samba.build.version
+
ifeq ($(PROFILE), Y)
XSLTPROC += --profile --load-trace --timing
endif
@@ -87,16 +91,16 @@ check:: validate

# Intermediate docbook docs
#
-$(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl
+$(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl $(XSLTPROC_DEPS)
@echo "Converting Samba-specific tags for $*..."
@mkdir -p $(@D)
@$(XSLTPROC) --stringparam latex.imagebasedir "$*/" --stringparam noreference 0 --xinclude --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings
+$(DOCBOOKDIR)/manpages/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl Makefile.settings $(XSLTPROC_DEPS)
@mkdir -p $(@D)
$(XSLTPROC) --xinclude --stringparam noreference 0 --output $@ xslt/expand-sambadoc.xsl $<

-$(DOCBOOKDIR)/manpages/index.xml: $(MANPAGES) xslt/manpage-summary.xsl
+$(DOCBOOKDIR)/manpages/index.xml: $(MANPAGES) xslt/manpage-summary.xsl $(XSLTPROC_DEPS)
@mkdir -p $(@D)
echo "<article><variablelist>" > $@
$(XSLTPROC) xslt/manpage-summary.xsl $(MANPAGES) >> $@
@@ -107,22 +111,22 @@ $(HTMLDIR)/index.html: htmldocs.html
@mkdir -p $(@D)
cp $< $@

-$(HTMLDIR)/%/index.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/%/samba.css xslt/html-chunk.xsl %-images-html-chunks
+$(HTMLDIR)/%/index.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/%/samba.css xslt/html-chunk.xsl %-images-html-chunks $(XSLTPROC_DEPS)
@mkdir -p $(@D)
$(XSLTPROC) --stringparam base.dir "$(HTMLDIR)/$*/" xslt/html-chunk.xsl $<

# Single large HTML files
-$(OUTPUTDIR)/%/samba.css: xslt/html/samba.css
+$(OUTPUTDIR)/%/samba.css: xslt/html/samba.css $(XSLTPROC_DEPS)
@mkdir -p $(@D)
cp $< $@

$(patsubst %,$(HTMLDIR)/%.html,$(MAIN_DOCS)): $(HTMLDIR)/%.html: %-images-html-single

-$(HTMLDIR)/%.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/samba.css xslt/html.xsl
+$(HTMLDIR)/%.html: $(DOCBOOKDIR)/%.xml $(HTMLDIR)/samba.css xslt/html.xsl $(XSLTPROC_DEPS)
$(XSLTPROC) --output $@ xslt/html.xsl $<

# Attributions
-%-attributions.xml:
+%-attributions.xml: $(XSLTPROC_DEPS)
@echo "Generating attributions file $@ from $*/"
@cp -f templates/attributions.xml $@
@$(XSLTPROC) --xinclude -o $@ xslt/generate-attributions.xsl $*/index.xml
@@ -139,7 +143,7 @@ $(TXTDIR)/%.txt: $(HTMLDIR)/%.html
@$(DBLATEX) $(DBLATEX_OPTIONS) -t tex -o $@ $<

# Dependency files
-%.d: $(DOCBOOKDIR)/%.xml xslt/generate-dependencies.xsl
+%.d: $(DOCBOOKDIR)/%.xml xslt/generate-dependencies.xsl $(XSLTPROC_DEPS)
@echo "Generating dependency file for $*"
@$(XSLTPROC) --novalid \
--stringparam txtbasedir "$(TXTDIR)/$*/" \
@@ -193,7 +197,7 @@ $(PSDIR)/%.ps: %/index.xml $(PSDIR) xslt/latex.xsl %-images-latex-eps
%.pdf: %.svg
$(INKSCAPE) -z -f $(abspath $<) --export-pdf=$(abspath $@)

-$(HTMLHELPDIR)/%: $(DOCBOOKDIR)/%.xml %-images-htmlhelp
+$(HTMLHELPDIR)/%: $(DOCBOOKDIR)/%.xml %-images-htmlhelp $(XSLTPROC_DEPS)
$(XSLTPROC) --stringparam htmlhelp.chm $*.chm \
--stringparam manifest.in.base.dir "$@/" \
--stringparam base.dir "$@/" \
@@ -253,6 +257,9 @@ $(PEARSONDIR)/%.report.html: $(PEARSONDIR)/%.xml
%-validate: %/index.xml
cd $(<D) && $(XMLLINT) --xinclude --noent --postvalid --noout $(<F)

+build/catalog.xml: build/catalog.xml.in
+ sed -e "s|@abs_top_srcdir@|`pwd`|g;s|@abs_top_builddir@|`pwd`|g" < build/catalog.xml.in > build/catalog.xml
+
samples: $(DOCBOOKDIR)/Samba3-HOWTO.xml xslt/extract-examples.xsl scripts/indent-smb.conf.pl
@mkdir -p examples
$(XSLTPROC) --xinclude xslt/extract-examples.xsl $< > /dev/null 2> examples/README

The branch, master has been updated
via debf8ba vfs_fileid: add fileid:algorithm = fsname_norootdir
via 1468dd2 vfs_fileid: add fileid:nolockinode parameter
via b599cb2 vfs_fileid: add fileid:algorithm = fsname_nodirs
via 495c646 vfs_fileid: add fileid:algorithm = hostname
via 6a8764e vfs_fileid: convert dev argument of the device_mapping_fn to SMB_STRUCT_STAT
via 9962495 vfs_fileid: add "fstype/mntdir deny/allow list" option
via 326df16 vfs_fileid: preserve errno in an error code path
via 5cce620 vfs_fileid: add a DEBUG message to log dev and inode
via d0def3b tests: The pthreadpooltests do not need a full environment
via 74dbeba dnscli: Make a few functions static
via 361ea74 samba: Only use async signal-safe functions in signal handler
via e1fb902 s4/torture: test vfs_fruit "fruit:time machine max size" option
via 74eebac vfs_fruit: add "time machine max size" option
from 3cbeaf4 docs-xml: add basic Makefile dependencies for targets that use xsltproc

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit debf8ba799ea7a4535e29c20a5f9377932c81938
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:22:16 2018 +0100

vfs_fileid: add fileid:algorithm = fsname_norootdir

Based-on-a-patch-by: Ralph Wuerthner <***@de.ibm.com>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Sat Jan 6 04:41:24 CET 2018 on sn-devel-144

commit 1468dd21c37445cff044583229b107254d53b2b9
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:09:21 2018 +0100

vfs_fileid: add fileid:nolockinode parameter

Based-on-a-patch-by: Ralph Wuerthner <***@de.ibm.com>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit b599cb216815415a63504ec69be3f70f08ea58d5
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:02:53 2018 +0100

vfs_fileid: add fileid:algorithm = fsname_nodirs

Enabling fileid:algorithm = fsname_nodirs uses the hostname algorithm
for directories and thus breaks cluster lock coherence for directories.

Based-on-a-patch-by: Christian Ambach <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 495c646ec5cbd61539f6c547cd6048d7ff167d30
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 16:59:54 2018 +0100

vfs_fileid: add fileid:algorithm = hostname

Using fileid:algorithm = hostname makes fileid generate
fileids based on the hostname. This breaks cluster lock coherence.

Based-on-a-patch-by: Christian Ambach <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 6a8764ebcc0de57e7dd0dc22eaf4a9d201c0dca9
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 16:35:38 2018 +0100

vfs_fileid: convert dev argument of the device_mapping_fn to SMB_STRUCT_STAT

This is in preperation of adding an additional mapping function that
acts differently depending of the file type. No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 996249571d0e8f9285d1b714b1c36d66e7649271
Author: Ralph Wuerthner <***@de.ibm.com>
Date: Tue Jan 12 16:00:24 2016 +0100

vfs_fileid: add "fstype/mntdir deny/allow list" option

When using the fsname or fsid algorithm a stat() and statfs() call is
required for all mounted file systems to generate the file_id. If e.g.
an NFS file system is unresponsive such a call might block and the smbd
process will become unresponsive. Add "fileid:fstype deny",
"fileid:fstype allow", "fileid:mntdir deny", and "fileid:mntdir allow"
options to ignore potentially unresponsive file systems.

See also https://lists.samba.org/archive/samba-technical/2016-January/111553.html
for a discussion about why this is useful.

Signed-off-by: Ralph Wuerthner <***@de.ibm.com>
Reviewed-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 326df161736abc16fb3bd35a18a3e55a44fb3c5d
Author: Ralph Boehme <***@samba.org>
Date: Fri Jan 5 10:23:30 2018 +0100

vfs_fileid: preserve errno in an error code path

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 5cce620bc1eac9a3f0bbf58084b7df2acde6bb15
Author: Ralph Boehme <***@samba.org>
Date: Thu Jan 4 17:25:07 2018 +0100

vfs_fileid: add a DEBUG message to log dev and inode

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit d0def3b2179cfbfca6f35237f2bb23d226a72814
Author: Volker Lendecke <***@samba.org>
Date: Fri Jan 5 10:45:41 2018 +0100

tests: The pthreadpooltests do not need a full environment

Makes "make test TESTS=pthreadpool" faster

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 74dbeba723c642bd207dad9d6881e8aa803b7509
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 4 21:26:58 2018 +0100

dnscli: Make a few functions static

We might want to use the tcp flavor in the future in the forwarder for a
single, persistent TCP connection. Then we can easily re-publish it.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 361ea743576cf125d7957a97ed78a0446dab1a19
Author: Volker Lendecke <***@samba.org>
Date: Thu Jan 4 21:06:02 2018 +0100

samba: Only use async signal-safe functions in signal handler

Otherwise shutdown can hang

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit e1fb902ca408aeecf26ecfd1926ca7824b25a3e7
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 2 19:09:04 2018 +0100

s4/torture: test vfs_fruit "fruit:time machine max size" option

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 74eebac975ee913e49c95b29c13a329edb0744e5
Author: Ralph Boehme <***@samba.org>
Date: Fri Nov 3 10:56:29 2017 +0100

vfs_fruit: add "time machine max size" option

This can be used to configure a per client filesystem size limit on
TimeMachine shares.

It's a nasty hack but it was reportedly working well in Netatalk where
it's taken from.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/vfs_fileid.8.xml | 77 ++++++-
docs-xml/manpages/vfs_fruit.8.xml | 18 ++
libcli/dns/dns.c | 36 ++--
libcli/dns/libdns.h | 38 ----
selftest/target/Samba3.pm | 8 +
source3/modules/vfs_fileid.c | 235 +++++++++++++++++++-
source3/modules/vfs_fruit.c | 428 +++++++++++++++++++++++++++++++++++++
source3/selftest/tests.py | 8 +-
source4/smbd/server.c | 4 +-
source4/torture/vfs/fruit.c | 102 +++++++++
source4/torture/vfs/vfs.c | 1 +
11 files changed, 881 insertions(+), 74 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_fileid.8.xml b/docs-xml/manpages/vfs_fileid.8.xml
index 5a3a70e..edfdef2 100644
--- a/docs-xml/manpages/vfs_fileid.8.xml
+++ b/docs-xml/manpages/vfs_fileid.8.xml
@@ -40,6 +40,15 @@
generates the device number based on the configured algorithm
(see the "fileid:algorithm" option).
</para>
+
+ <para>When using the fsname or fsid algorithm a
+ <command>stat()</command> and <command>statfs()</command> call is
+ required for all mounted file systems to generate the file_id. If e.g.
+ an NFS file system is unresponsive such a call might block and the smbd
+ process will become unresponsive. Use the "fileid:fstype deny",
+ "fileid:fstype allow", "fileid:mntdir deny", or "fileid:mntdir allow"
+ options to ignore potentially unresponsive file systems.
+ </para>
</refsect1>


@@ -51,17 +60,33 @@
<varlistentry>
<term>fileid:algorithm = ALGORITHM</term>
<listitem>
- <para>Available algorithms are <command>fsname</command>
- and <command>fsid</command>. The default value is
+ <para>Available algorithms are <command>fsname</command>,
+ <command>fsname_nodirs</command>, <command>fsid</command> and
+ <command>hostname</command>. The default value is
<command>fsname</command>.
</para>
<para>The <command>fsname</command> algorithm generates
device id by hashing the kernel device name.
</para>
+ <para>The <command>fsname_nodirs</command> algorithm generates
+ device id by hashing the kernel device name for files and by hashing
+ the hostname for directories. This can be used to deliberately
+ break lock coherency for directories in a cluster.
+ </para>
<para>The <command>fsid</command> algorithm generates
the device id from the <command>f_fsid</command> returned
from the <command>statfs()</command> syscall.
</para>
+ <para>The <command>hostname</command> algorithm generates device
+ id by hashing the hostname. This can be used to deliberately
+ break lock coherency in a cluster.
+ </para>
+ <para>The <command>fsname_norootdir</command> algorithm
+ generates device ids by hashing the kernel device name, except
+ for the root directory of shares where it will use the hostname
+ algorithm. This can be used to deliberately break lock coherency
+ in a cluster for the root directory of a share.
+ </para>
</listitem>
</varlistentry>

@@ -75,6 +100,54 @@
</listitem>
</varlistentry>

+ <varlistentry>
+ <term>fileid:fstype deny = LIST</term>
+ <listitem>
+ <para>List of file system types to be ignored for file_id
+ generation.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:fstype allow = LIST</term>
+ <listitem>
+ <para>List of file system types to be allowed for file_id
+ generation. If this option is set, file system types not listed
+ here are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:mntdir deny = LIST</term>
+ <listitem>
+ <para>List of file system mount points to be ignored for
+ file_id generation.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:mntdir allow = LIST</term>
+ <listitem>
+ <para>List of file system mount points to be allowed for file_id
+ generation. If this option is set, file system mount points
+ not listed here are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>fileid:nolockinode</term>
+ <listitem>
+ <para>This option triggers use of the fileid hostname algorithm
+ for the configured inode which can be used to deliberately break
+ lock coherency for the corresponding file or directory in a
+ cluster.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>

diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index fcaf173..7f6a0e7 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -242,6 +242,24 @@
</varlistentry>

<varlistentry>
+ <term>fruit:time machine max size = SIZE [K|M|G|T|P]</term>
+ <listitem>
+ <para>Useful for Time Machine: limits the reported disksize, thus
+ preventing Time Machine from using the whole real disk space for
+ backup. The option takes a number plus an optional unit.</para>
+ <para><emphasis>IMPORTANT</emphasis>: This is an approximated
+ calculation that only takes into account the contents of Time
+ Machine sparsebundle images. Therefor you <emphasis>MUST
+ NOT</emphasis> use this volume to store other content when using
+ this option, because it would NOT be accounted.</para>
+ <para>The calculation works by reading the band size from the
+ Info.plist XML file of the sparsebundle, reading the bands/
+ directory counting the number of band files, and then multiplying
+ one with the other.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>fruit:metadata = [ stream | netatalk ]</term>
<listitem>
<para>Controls where the OS X metadata stream is stored:</para>
diff --git a/libcli/dns/dns.c b/libcli/dns/dns.c
index 6404cb8..c30de2d 100644
--- a/libcli/dns/dns.c
+++ b/libcli/dns/dns.c
@@ -45,11 +45,11 @@ struct dns_udp_request_state {
static void dns_udp_request_get_reply(struct tevent_req *subreq);
static void dns_udp_request_done(struct tevent_req *subreq);

-struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len)
+static struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
{
struct tevent_req *req, *subreq;
struct dns_udp_request_state *state;
@@ -158,10 +158,10 @@ static void dns_udp_request_done(struct tevent_req *subreq)
tevent_req_done(req);
}

-int dns_udp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len)
+static int dns_udp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
{
struct dns_udp_request_state *state = tevent_req_data(req,
struct dns_udp_request_state);
@@ -201,11 +201,11 @@ static int dns_tcp_request_next_vector(struct tstream_context *stream,
size_t *_count);
static void dns_tcp_request_received(struct tevent_req *subreq);

-struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len)
+static struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_addr_string,
+ const uint8_t *query,
+ size_t query_len)
{
struct tevent_req *req, *subreq;
struct dns_tcp_request_state *state;
@@ -377,10 +377,10 @@ static void dns_tcp_request_received(struct tevent_req *subreq)
tevent_req_done(req);
}

-int dns_tcp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len)
+static int dns_tcp_request_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **reply,
+ size_t *reply_len)
{
struct dns_tcp_request_state *state = tevent_req_data(
req, struct dns_tcp_request_state);
diff --git a/libcli/dns/libdns.h b/libcli/dns/libdns.h
index 1b7c404..15ca257 100644
--- a/libcli/dns/libdns.h
+++ b/libcli/dns/libdns.h
@@ -26,44 +26,6 @@
#include "lib/util/time.h"
#include "librpc/gen_ndr/dns.h"

-/** Send an dns request to a dns server using UDP
- *
- *@param mem_ctx talloc memory context to use
- *@param ev tevent context to use
- *@param server_address address of the server as a string
- *@param query dns query to send
- *@param query_len length of the query
- *@return tevent_req with the active request or NULL on out-of-memory
- */
-struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_address,
- const uint8_t *query,
- size_t query_len);
-
-/** Get the dns response from a dns server via UDP
- *
- *@param req tevent_req struct returned from dns_udp_request_send
- *@param mem_ctx talloc memory context to use for the reply string
- *@param reply buffer that will be allocated and filled with the dns reply
- *@param reply_len length of the reply buffer
- *@return 0/errno
- */
-int dns_udp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len);
-
-struct tevent_req *dns_tcp_request_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *server_addr_string,
- const uint8_t *query,
- size_t query_len);
-int dns_tcp_request_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- uint8_t **reply,
- size_t *reply_len);
-
/*
* DNS request with fallback to TCP on truncation
*/
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index c9888c2..1e652d8e 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1957,6 +1957,14 @@ sub provision($$$$$$$$$)
path = $shrdir
vfs objects = streams_depot acl_xattr

+[vfs_fruit_timemachine]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:time machine = yes
+ fruit:time machine max size = 32K
+
[badname-tmp]
path = $badnames_shrdir
guest ok = yes
diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
index a7c4a49..98cc32d 100644
--- a/source3/modules/vfs_fileid.c
+++ b/source3/modules/vfs_fileid.c
@@ -37,11 +37,64 @@ struct fileid_mount_entry {

struct fileid_handle_data {
uint64_t (*device_mapping_fn)(struct fileid_handle_data *data,
- SMB_DEV_T dev);
+ const SMB_STRUCT_STAT *sbuf);
+ char **fstype_deny_list;
+ char **fstype_allow_list;
+ char **mntdir_deny_list;
+ char **mntdir_allow_list;
unsigned num_mount_entries;
struct fileid_mount_entry *mount_entries;
+ ino_t nolockinode;
};

+/* check if a mount entry is allowed based on fstype and mount directory */
+static bool fileid_mount_entry_allowed(struct fileid_handle_data *data,
+ struct mntent *m)
+{
+ int i;
+ char **fstype_deny = data->fstype_deny_list;
+ char **fstype_allow = data->fstype_allow_list;
+ char **mntdir_deny = data->mntdir_deny_list;
+ char **mntdir_allow = data->mntdir_allow_list;
+
+ if (fstype_deny != NULL) {
+ for (i = 0; fstype_deny[i] != NULL; i++) {
+ if (strcmp(m->mnt_type, fstype_deny[i]) == 0) {
+ return false;
+ }
+ }
+ }
+ if (fstype_allow != NULL) {
+ for (i = 0; fstype_allow[i] != NULL; i++) {
+ if (strcmp(m->mnt_type, fstype_allow[i]) == 0) {
+ break;
+ }
+ }
+ if (fstype_allow[i] == NULL) {
+ return false;
+ }
+ }
+ if (mntdir_deny != NULL) {
+ for (i=0; mntdir_deny[i] != NULL; i++) {
+ if (strcmp(m->mnt_dir, mntdir_deny[i]) == 0) {
+ return false;
+ }
+ }
+ }
+ if (mntdir_allow != NULL) {
+ for (i=0; mntdir_allow[i] != NULL; i++) {
+ if (strcmp(m->mnt_dir, mntdir_allow[i]) == 0) {
+ break;
+ }
+ }
+ if (mntdir_allow[i] == NULL) {
+ return false;
+ }
+ }
+ return true;
+}
+
+
/* load all the mount entries from the mtab */
static void fileid_load_mount_entries(struct fileid_handle_data *data)
{
@@ -58,7 +111,13 @@ static void fileid_load_mount_entries(struct fileid_handle_data *data)
struct stat st;
struct statfs sfs;
struct fileid_mount_entry *cur;
+ bool allowed;

+ allowed = fileid_mount_entry_allowed(data, m);
+ if (!allowed) {
+ DBG_DEBUG("skipping mount entry %s\n", m->mnt_dir);
+ continue;
+ }
if (stat(m->mnt_dir, &st) != 0) continue;
if (statfs(m->mnt_dir, &sfs) != 0) continue;

@@ -136,12 +195,12 @@ static uint64_t fileid_uint64_hash(const uint8_t *s, size_t len)

/* a device mapping using a fsname */
static uint64_t fileid_device_mapping_fsname(struct fileid_handle_data *data,
- SMB_DEV_T dev)
+ const SMB_STRUCT_STAT *sbuf)
{
struct fileid_mount_entry *m;

- m = fileid_find_mount_entry(data, dev);
- if (!m) return dev;
+ m = fileid_find_mount_entry(data, sbuf->st_ex_dev);
+ if (!m) return sbuf->st_ex_dev;

if (m->devid == (uint64_t)-1) {
m->devid = fileid_uint64_hash((const uint8_t *)m->mnt_fsname,
@@ -151,14 +210,55 @@ static uint64_t fileid_device_mapping_fsname(struct fileid_handle_data *data,
return m->devid;
}

+/* a device mapping using a hostname */
+static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
+ const SMB_STRUCT_STAT *sbuf)
+{
+ char hostname[HOST_NAME_MAX+1];
+ char *devname = NULL;
+ uint64_t id;
+ size_t devname_len;
+ int rc;
+
+ rc = gethostname(hostname, HOST_NAME_MAX+1);
+ if (rc != 0) {
+ DBG_ERR("gethostname failed\n");
+ return UINT64_MAX;
+ }
+
+ devname = talloc_asprintf(talloc_tos(), "%s%lu",
+ hostname, sbuf->st_ex_dev);
+ if (devname == NULL) {
+ DBG_ERR("talloc_asprintf failed\n");
+ return UINT64_MAX;
+ }
+ devname_len = talloc_array_length(devname) - 1;
+ TALLOC_FREE(devname);
+
+ id = fileid_uint64_hash((uint8_t *)devname, devname_len);
+ return id;
+}
+
+/* a device mapping using a fsname for files and hostname for dirs */
+static uint64_t fileid_device_mapping_fsname_nodirs(
+ struct fileid_handle_data *data,
+ const SMB_STRUCT_STAT *sbuf)
+{
+ if (S_ISDIR(sbuf->st_ex_mode)) {
+ return fileid_device_mapping_hostname(data, sbuf);
+ }
+
+ return fileid_device_mapping_fsname(data, sbuf);
+}
+
/* device mapping functions using a fsid */
static uint64_t fileid_device_mapping_fsid(struct fileid_handle_data *data,
- SMB_DEV_T dev)
+ const SMB_STRUCT_STAT *sbuf)
{
struct fileid_mount_entry *m;

- m = fileid_find_mount_entry(data, dev);
- if (!m) return dev;
+ m = fileid_find_mount_entry(data, sbuf->st_ex_dev);
+ if (!m) return sbuf->st_ex_dev;

if (m->devid == (uint64_t)-1) {
if (sizeof(fsid_t) > sizeof(uint64_t)) {
@@ -178,11 +278,43 @@ static uint64_t fileid_device_mapping_fsid(struct fileid_handle_data *data,
return m->devid;
}

+static int get_connectpath_ino(struct vfs_handle_struct *handle,
+ ino_t *ino)
+{
+ struct smb_filename *fname = NULL;
+ int ret;
+
+ fname = synthetic_smb_fname(talloc_tos(),
+ handle->conn->connectpath,
+ NULL,
+ NULL,
+ 0);
+ if (fname == NULL) {
+ DBG_ERR("synthetic_smb_fname failed\n");
+ return -1;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, fname);
+ TALLOC_FREE(fname);
+ if (ret != 0) {
+ DBG_ERR("stat failed for %s with %s\n",
+ handle->conn->connectpath, strerror(errno));
+ return -1;
+ }
+
+ return 0;
+}
+
static int fileid_connect(struct vfs_handle_struct *handle,
const char *service, const char *user)
{
struct fileid_handle_data *data;
const char *algorithm;
+ const char **fstype_deny_list = NULL;
+ const char **fstype_allow_list = NULL;
+ const char **mntdir_deny_list = NULL;
+ const char **mntdir_allow_list = NULL;
+ int saved_errno;
int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);

if (ret < 0) {
@@ -191,11 +323,15 @@ static int fileid_connect(struct vfs_handle_struct *handle,

data = talloc_zero(handle->conn, struct fileid_handle_data);
if (!data) {
+ saved_errno = errno;
SMB_VFS_NEXT_DISCONNECT(handle);
DEBUG(0, ("talloc_zero() failed\n"));
+ errno = saved_errno;
return -1;
}

+ data->nolockinode = 0;
+
/*
* "fileid:mapping" is only here as fallback for old setups
* "fileid:algorithm" is the option new setups should use
@@ -208,20 +344,89 @@ static int fileid_connect(struct vfs_handle_struct *handle,
algorithm);
if (strcmp("fsname", algorithm) == 0) {
data->device_mapping_fn = fileid_device_mapping_fsname;
+ } else if (strcmp("fsname_nodirs", algorithm) == 0) {

The branch, master has been updated
via 7bc329f vfs_fileid: fix a use after free
from debf8ba vfs_fileid: add fileid:algorithm = fsname_norootdir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7bc329fcc9776312081f21f6aabd2a3171533287
Author: Ralph Boehme <***@samba.org>
Date: Sat Jan 6 16:13:52 2018 +0100

vfs_fileid: fix a use after free

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Mon Jan 8 03:16:30 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_fileid.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
index 98cc32d..c890876 100644
--- a/source3/modules/vfs_fileid.c
+++ b/source3/modules/vfs_fileid.c
@@ -233,9 +233,11 @@ static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
return UINT64_MAX;
}
devname_len = talloc_array_length(devname) - 1;
- TALLOC_FREE(devname);

id = fileid_uint64_hash((uint8_t *)devname, devname_len);
+
+ TALLOC_FREE(devname);
+
return id;
}

The branch, master has been updated
via fe164a0 selftest: close connections after tests in samba4.ldap.secdesc.python
via babf0a7 selftest: close connections after tests in samba4.ldap.acl.python
via eae6d76 docs-xml: mention that the man pages are "part of" version x
via 5621139 doc: document wins server's smb.conf parameters
via e3cc2af tests:docs: remove explicit exceptions for parametric options
via ece75ea tests:docs: don't try to test parametric option defaults
via 080d590 packaging: add configure option to preprocess and install systemd files
via 3089a56 crypto: Update the REQUIREMENTS
via ca66efc Add substitutions %t, %j, and %J as path-safe variants of %T, %i, and %I.
via d39664f define DBGC_AUTH class
via ce2ca7f Update util.c to include DBGC_AUTH class
via 9010d54 travis-ci: Update package list to match the wiki
from 7bc329f vfs_fileid: fix a use after free

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fe164a08ddfee8efd802ed27a90f24e8afe2789a
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 13:56:03 2018 +1300

selftest: close connections after tests in samba4.ldap.secdesc.python

This test suite had a memory impact of around 2.2GB, from LDAP connection
handlers under the standard process model.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Jan 8 08:02:15 CET 2018 on sn-devel-144

commit babf0a7bef893873af35751b7a8c081d86d2ff6b
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 13:24:25 2018 +1300

selftest: close connections after tests in samba4.ldap.acl.python

Over the length of a run of this suite (which runs under the standard process
model), memory usage from LDAP connection handlers reaches 4GB. This patch
reduces it to a manageable amount.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit eae6d76a366fdd7cfa65a5cf804759a1889976c8
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 13 01:38:25 2017 +0100

docs-xml: mention that the man pages are "part of" version x

writing that they are correct for version x is not always precise. But we're
working on that also :-)

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 5621139fca76d8f52d203fda9f146e942cc1b624
Author: Bjoern Jacke <***@samba.org>
Date: Fri Dec 8 14:52:24 2017 +0100

doc: document wins server's smb.conf parameters

this is from the WINS server, which was released earlier as samba4wins.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit e3cc2af011640eb1077014f820c6fb60da204d92
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 20 21:35:54 2017 +0100

tests:docs: remove explicit exceptions for parametric options

we don't need to list them all as special cases because we exclude parametric
options generally now from the default value test.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit ece75ea9a6f1fd0b86593287a22993482c7b2cc5
Author: Björn Jacke <***@samba.org>
Date: Wed Dec 20 21:23:24 2017 +0100

tests:docs: don't try to test parametric option defaults

we don't get the values of the parametric options.

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 080d590de1ff9f8ebc55aeffaea8d41991466549
Author: Aurelien Aptel <***@suse.com>
Date: Thu Dec 14 16:47:49 2017 +0100

packaging: add configure option to preprocess and install systemd files

Turn the systemd service files under packaging into template (.in) files
with @VAR@ substitutions and add configure options to install and tweak
them.

Signed-off-by: Aurelien Aptel <***@suse.com>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit 3089a5660dd75e1396cd29dfb202a1d4ff1b7cfe
Author: Andreas Schneider <***@samba.org>
Date: Wed Jan 3 11:23:51 2018 +0100

crypto: Update the REQUIREMENTS

Update after call with the GnuTLS maintainer to see what is supported in
GnuTLS, what is working in FIPS mode or not, and what features we require
to move to GnuTLS in future. The benefit will be FIPS certification and
more hardware accelerated crypto.

Bugs have been opened against GnuTLS to implment the missing features or
add functions to declare use of old crypto functions as non-crypto use.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit ca66efc24181ba6a7a4c13397af514b0972b4855
Author: Dr. Thomas Orgis <***@uni-hamburg.de>
Date: Thu Jul 27 12:54:28 2017 +0200

Add substitutions %t, %j, and %J as path-safe variants of %T, %i, and %I.

Rationale: Using the existing substitutions in construction of paths
(dynamic shares, created on client connect) results in directory names with
colons and dots in them. Those can be hard to use when accessed from a
different share, as Windows does not allow : in paths and has some ideas about
dots.

Signed-off-by: Dr. Thomas Orgis <***@uni-hamburg.de>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

commit d39664fc66dafaf5cce2b830033df52da4d81695
Author: kkplein <***@merit.unu.edu>
Date: Tue Dec 19 10:49:10 2017 +0100

define DBGC_AUTH class

Signed-off-by: Mourik Jan C Heupink <***@merit.unu.edu>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ce2ca7fa89921a4ccdac018558025a9d650b0154
Author: kkplein <***@merit.unu.edu>
Date: Mon Dec 18 20:14:31 2017 +0100

Update util.c to include DBGC_AUTH class

Signed-off-by: Mourik Jan C Heupink <***@merit.unu.edu>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 9010d54d6c5c0087f3a14f56e3907461d560a7f5
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 10:31:50 2018 +1300

travis-ci: Update package list to match the wiki

This in turn is based on what we use at Catalyst minus some helpful packages like editors

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
.travis.yml | 2 +-
auth/credentials/credentials_krb5.c | 3 +
auth/credentials/credentials_ntlm.c | 3 +
auth/credentials/credentials_secrets.c | 3 +
auth/gensec/external.c | 3 +
auth/gensec/gensec.c | 3 +
auth/gensec/gensec_start.c | 3 +
auth/gensec/gensec_util.c | 3 +
auth/gensec/ncalrpc.c | 3 +
auth/gensec/schannel.c | 3 +
auth/gensec/spnego.c | 3 +
auth/kerberos/gssapi_helper.c | 3 +
auth/kerberos/gssapi_pac.c | 4 ++
auth/kerberos/kerberos_pac.c | 4 ++
auth/ntlmssp/gensec_ntlmssp_server.c | 3 +
auth/ntlmssp/ntlmssp.c | 3 +
auth/ntlmssp/ntlmssp_client.c | 3 +
auth/ntlmssp/ntlmssp_server.c | 3 +
auth/ntlmssp/ntlmssp_sign.c | 3 +
auth/ntlmssp/ntlmssp_util.c | 3 +
docs-xml/manpages/dbwrap_tool.1.xml | 2 +-
docs-xml/manpages/eventlogadm.8.xml | 2 +-
docs-xml/manpages/findsmb.1.xml | 2 +-
docs-xml/manpages/libsmbclient.7.xml | 2 +-
docs-xml/manpages/lmhosts.5.xml | 2 +-
docs-xml/manpages/log2pcap.1.xml | 2 +-
docs-xml/manpages/mvxattr.1.xml | 2 +-
docs-xml/manpages/nmbd.8.xml | 2 +-
docs-xml/manpages/nmblookup.1.xml | 2 +-
docs-xml/manpages/ntlm_auth.1.xml | 2 +-
docs-xml/manpages/pam_winbind.8.xml | 2 +-
docs-xml/manpages/pam_winbind.conf.5.xml | 2 +-
docs-xml/manpages/pdbedit.8.xml | 2 +-
docs-xml/manpages/profiles.1.xml | 2 +-
docs-xml/manpages/rpcclient.1.xml | 2 +-
docs-xml/manpages/samba-regedit.8.xml | 2 +-
docs-xml/manpages/samba.7.xml | 2 +-
docs-xml/manpages/samba.8.xml | 2 +-
docs-xml/manpages/sharesec.1.xml | 2 +-
docs-xml/manpages/smb.conf.5.xml | 21 ++++++-
docs-xml/manpages/smbcacls.1.xml | 2 +-
docs-xml/manpages/smbclient.1.xml | 2 +-
docs-xml/manpages/smbcontrol.1.xml | 2 +-
docs-xml/manpages/smbcquotas.1.xml | 2 +-
docs-xml/manpages/smbd.8.xml | 2 +-
docs-xml/manpages/smbget.1.xml | 2 +-
docs-xml/manpages/smbgetrc.5.xml | 2 +-
docs-xml/manpages/smbpasswd.5.xml | 2 +-
docs-xml/manpages/smbpasswd.8.xml | 2 +-
docs-xml/manpages/smbspool.8.xml | 2 +-
docs-xml/manpages/smbstatus.1.xml | 2 +-
docs-xml/manpages/smbtar.1.xml | 2 +-
docs-xml/manpages/smbtree.1.xml | 2 +-
docs-xml/manpages/testparm.1.xml | 2 +-
docs-xml/manpages/vfs_aio_fork.8.xml | 2 +-
docs-xml/manpages/vfs_aio_pthread.8.xml | 2 +-
docs-xml/manpages/vfs_audit.8.xml | 2 +-
docs-xml/manpages/vfs_btrfs.8.xml | 2 +-
docs-xml/manpages/vfs_cacheprime.8.xml | 2 +-
docs-xml/manpages/vfs_cap.8.xml | 2 +-
docs-xml/manpages/vfs_catia.8.xml | 2 +-
docs-xml/manpages/vfs_ceph.8.xml | 2 +-
docs-xml/manpages/vfs_commit.8.xml | 2 +-
docs-xml/manpages/vfs_crossrename.8.xml | 2 +-
docs-xml/manpages/vfs_default_quota.8.xml | 2 +-
docs-xml/manpages/vfs_dirsort.8.xml | 2 +-
docs-xml/manpages/vfs_extd_audit.8.xml | 2 +-
docs-xml/manpages/vfs_fake_perms.8.xml | 2 +-
docs-xml/manpages/vfs_fileid.8.xml | 2 +-
docs-xml/manpages/vfs_full_audit.8.xml | 2 +-
docs-xml/manpages/vfs_glusterfs.8.xml | 2 +-
docs-xml/manpages/vfs_gpfs.8.xml | 2 +-
docs-xml/manpages/vfs_linux_xfs_sgid.8.xml | 2 +-
docs-xml/manpages/vfs_media_harmony.8.xml | 2 +-
docs-xml/manpages/vfs_netatalk.8.xml | 2 +-
docs-xml/manpages/vfs_offline.8.xml | 2 +-
docs-xml/manpages/vfs_prealloc.8.xml | 2 +-
docs-xml/manpages/vfs_preopen.8.xml | 2 +-
docs-xml/manpages/vfs_readahead.8.xml | 2 +-
docs-xml/manpages/vfs_readonly.8.xml | 2 +-
docs-xml/manpages/vfs_recycle.8.xml | 2 +-
docs-xml/manpages/vfs_shadow_copy.8.xml | 2 +-
docs-xml/manpages/vfs_shadow_copy2.8.xml | 2 +-
docs-xml/manpages/vfs_shell_snap.8.xml | 2 +-
docs-xml/manpages/vfs_snapper.8.xml | 2 +-
docs-xml/manpages/vfs_syncops.8.xml | 2 +-
docs-xml/manpages/vfs_time_audit.8.xml | 2 +-
docs-xml/manpages/vfs_tsmsm.8.xml | 2 +-
docs-xml/manpages/vfs_unityed_media.8.xml | 2 +-
docs-xml/manpages/vfs_worm.8.xml | 2 +-
docs-xml/manpages/vfs_zfsacl.8.xml | 2 +-
docs-xml/manpages/vfstest.1.xml | 2 +-
docs-xml/manpages/wbinfo.1.xml | 2 +-
docs-xml/manpages/winbind_krb5_locator.7.xml | 2 +-
docs-xml/manpages/winbindd.8.xml | 2 +-
.../wins/nbtd-wins_prepend1bto1cqueries.xml | 16 +++++
.../smbdotconf/wins/nbtd-wins_randomize1clist.xml | 19 ++++++
.../wins/nbtd-wins_randomize1clist_mask.xml | 16 +++++
docs-xml/smbdotconf/wins/winsdb-localowner.xml | 12 ++++
docs-xml/smbdotconf/wins/winsdb-nosync.xml | 11 ++++
.../smbdotconf/wins/wreplsrv-periodic_interval.xml | 14 +++++
.../wins/wreplsrv-propagate_name_releases.xml | 23 +++++++
.../wins/wreplsrv-scavenging_interval.xml | 11 ++++
.../wins/wreplsrv-tombstone_extra_timeout.xml | 12 ++++
.../wins/wreplsrv-tombstone_interval.xml | 12 ++++
.../smbdotconf/wins/wreplsrv-tombstone_timeout.xml | 12 ++++
.../smbdotconf/wins/wreplsrv-verify_interval.xml | 13 ++++
lib/crypto/REQUIREMENTS | 70 +++++++++++++++-------
lib/util/time.c | 51 ++++++++++++++++
lib/util/time.h | 15 +++++
packaging/systemd/{nmb.service => nmb.service.in} | 7 ++-
.../systemd/{samba.service => samba.service.in} | 7 ++-
packaging/systemd/{smb.service => smb.service.in} | 7 ++-
.../{winbind.service => winbind.service.in} | 7 ++-
packaging/wscript | 50 ++++++++++++++++
packaging/wscript_build | 16 +++++
python/samba/tests/docs.py | 11 ++--
source3/lib/substitute.c | 32 ++++++++++
source3/torture/torture.c | 53 ++++++++++++++++
source4/dsdb/common/util.c | 4 +-
source4/dsdb/tests/python/acl.py | 32 ++++++++++
source4/dsdb/tests/python/sec_descriptor.py | 5 ++
wscript | 4 ++
wscript_build | 1 +
124 files changed, 655 insertions(+), 118 deletions(-)
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_prepend1bto1cqueries.xml
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_randomize1clist.xml
create mode 100644 docs-xml/smbdotconf/wins/nbtd-wins_randomize1clist_mask.xml
create mode 100644 docs-xml/smbdotconf/wins/winsdb-localowner.xml
create mode 100644 docs-xml/smbdotconf/wins/winsdb-nosync.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-periodic_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-propagate_name_releases.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-scavenging_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_extra_timeout.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_interval.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-tombstone_timeout.xml
create mode 100644 docs-xml/smbdotconf/wins/wreplsrv-verify_interval.xml
rename packaging/systemd/{nmb.service => nmb.service.in} (62%)
rename packaging/systemd/{samba.service => samba.service.in} (62%)
rename packaging/systemd/{smb.service => smb.service.in} (62%)
rename packaging/systemd/{winbind.service => winbind.service.in} (59%)
create mode 100644 packaging/wscript
create mode 100644 packaging/wscript_build


Changeset truncated at 500 lines:

diff --git a/.travis.yml b/.travis.yml
index 4c68c72..645658b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -27,7 +27,7 @@ matrix:

before_install:
- sudo apt-get update -qq
- - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python-gpgme python3-crypto python3-dev python3-dnspython python3-gpgme realpath screen xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown python3-dev xsltproc zlib1g-dev

script:
- git fetch --unshallow
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 585203a..9da1aa0 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -35,6 +35,9 @@
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
static void cli_credentials_invalidate_client_gss_creds(
struct cli_credentials *cred,
enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index e6859bf..eed8924 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -28,6 +28,9 @@
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
DATA_BLOB challenge,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index ed148fd..beb2928 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -41,6 +41,9 @@
#include "lib/util/util_tdb.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
diff --git a/auth/gensec/external.c b/auth/gensec/external.c
index 0158045..300ce6b 100644
--- a/auth/gensec/external.c
+++ b/auth/gensec/external.c
@@ -28,6 +28,9 @@
#include "auth/gensec/gensec_proto.h"
#include "auth/gensec/gensec_toplevel_proto.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
* layer is already mutually authenticated.
*/
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 61bff22..e021d0c 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -31,6 +31,9 @@
#include "librpc/gen_ndr/dcerpc.h"
#include "auth/common_auth.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
{
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 4276620..50f4de7 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -33,6 +33,9 @@
#include "lib/util/samba_modules.h"
#include "lib/util/base64.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/* the list of currently registered GENSEC backends */
static const struct gensec_security_ops **generic_security_ops;
static int gensec_num_backends;
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index ca5e581..20c9c2a 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -26,6 +26,9 @@
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
struct smb_krb5_context *smb_krb5_context,
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
index 70b3bb5..7474b6a 100644
--- a/auth/gensec/ncalrpc.c
+++ b/auth/gensec/ncalrpc.c
@@ -30,6 +30,9 @@
#include "lib/param/param.h"
#include "tsocket.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(TALLOC_CTX *ctx);

struct gensec_ncalrpc_state {
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8e58e73..71e9afd 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -36,6 +36,9 @@
#include "lib/crypto/crypto.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
struct schannel_state {
struct gensec_security *gensec;
uint64_t seq_num;
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 9857e78..56f9be4 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -34,6 +34,9 @@
#include "lib/util/asn1.h"
#include "lib/util/base64.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#undef strcasecmp

_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
diff --git a/auth/kerberos/gssapi_helper.c b/auth/kerberos/gssapi_helper.c
index b7ffb6c..52c953c 100644
--- a/auth/kerberos/gssapi_helper.c
+++ b/auth/kerberos/gssapi_helper.c
@@ -23,6 +23,9 @@
#include "auth/kerberos/pac_utils.h"
#include "auth/kerberos/gssapi_helper.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
size_t gssapi_get_sig_size(gss_ctx_id_t gssapi_context,
const gss_OID mech,
uint32_t gss_want_flags,
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 253976a..b695671 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -19,6 +19,10 @@
*/

#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#ifdef HAVE_KRB5

#include "auth/kerberos/pac_utils.h"
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 7b6efdc..0ab0e9a 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -23,6 +23,10 @@
*/

#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#ifdef HAVE_KRB5

#include "librpc/gen_ndr/ndr_krb5pac.h"
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 561c7cf..c0e6cff 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -37,6 +37,9 @@
#include "param/loadparm.h"
#include "libds/common/roles.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Return the credentials of a logged on user, including session keys
* etc.
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 36e7052..37434fb 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -33,6 +33,9 @@ struct auth_session_info;
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Callbacks for NTLMSSP - for both client and server operating modes
*
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 5edd5f4..db2003f 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -36,6 +36,9 @@ struct auth_session_info;
#include "../auth/ntlmssp/ntlmssp_ndr.h"
#include "../nsswitch/libwbclient/wbclient.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/*********************************************************************
Client side NTLMSSP
*********************************************************************/
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 417352b..37ed2bc 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -37,6 +37,9 @@
#include "param/loadparm.h"
#include "libcli/security/session.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/**
* Determine correct target name flags for reply, given server role
* and negotiated flags
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index ad0f9e9..09b7e5a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -26,6 +26,9 @@
#include "../lib/crypto/crc32.h"
#include "../auth/ntlmssp/ntlmssp_private.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#define CLI_SIGN "session key to client-to-server signing key magic constant"
#define CLI_SEAL "session key to client-to-server sealing key magic constant"
#define SRV_SIGN "session key to server-to-client signing key magic constant"
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 9c7325a..6f3b474 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -25,6 +25,9 @@
#include "../auth/ntlmssp/ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_private.h"

+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
static void debug_ntlmssp_flags_raw(int level, uint32_t flags)
{
#define _PRINT_FLAG_LINE(v) do { \
diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
index 91b49bb..c2d9c30 100644
--- a/docs-xml/manpages/dbwrap_tool.1.xml
+++ b/docs-xml/manpages/dbwrap_tool.1.xml
@@ -169,7 +169,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/eventlogadm.8.xml b/docs-xml/manpages/eventlogadm.8.xml
index 69e90c1..f567d92 100644
--- a/docs-xml/manpages/eventlogadm.8.xml
+++ b/docs-xml/manpages/eventlogadm.8.xml
@@ -276,7 +276,7 @@

<refsect1>
<title>VERSION</title>
- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/findsmb.1.xml b/docs-xml/manpages/findsmb.1.xml
index aa8e572..63233e2 100644
--- a/docs-xml/manpages/findsmb.1.xml
+++ b/docs-xml/manpages/findsmb.1.xml
@@ -118,7 +118,7 @@ IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/libsmbclient.7.xml b/docs-xml/manpages/libsmbclient.7.xml
index 9c33523..8dab4d0 100644
--- a/docs-xml/manpages/libsmbclient.7.xml
+++ b/docs-xml/manpages/libsmbclient.7.xml
@@ -120,7 +120,7 @@
<title>VERSION</title>

<para>
- This man page is correct for version &doc.version; of the Samba suite.
+ This man page is part of version &doc.version; of the Samba suite.
</para>
</refsect1>

diff --git a/docs-xml/manpages/lmhosts.5.xml b/docs-xml/manpages/lmhosts.5.xml
index a332706..39bfcf8 100644
--- a/docs-xml/manpages/lmhosts.5.xml
+++ b/docs-xml/manpages/lmhosts.5.xml
@@ -93,7 +93,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/log2pcap.1.xml b/docs-xml/manpages/log2pcap.1.xml
index 2cb7ed1..fafe6de 100644
--- a/docs-xml/manpages/log2pcap.1.xml
+++ b/docs-xml/manpages/log2pcap.1.xml
@@ -103,7 +103,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/mvxattr.1.xml b/docs-xml/manpages/mvxattr.1.xml
index 977db9f..59048ce 100644
--- a/docs-xml/manpages/mvxattr.1.xml
+++ b/docs-xml/manpages/mvxattr.1.xml
@@ -83,7 +83,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
index 7fe7f9f..c145e82 100644
--- a/docs-xml/manpages/nmbd.8.xml
+++ b/docs-xml/manpages/nmbd.8.xml
@@ -258,7 +258,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml
index 55a4cc6..c633e07 100644
--- a/docs-xml/manpages/nmblookup.1.xml
+++ b/docs-xml/manpages/nmblookup.1.xml
@@ -190,7 +190,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
index e84b081..4f900d5 100644
--- a/docs-xml/manpages/ntlm_auth.1.xml
+++ b/docs-xml/manpages/ntlm_auth.1.xml
@@ -450,7 +450,7 @@ auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-m
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index fdda333..f57a928 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -253,7 +253,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of Samba.</para>
+ <para>This man page is part of version &doc.version; of Samba.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 4ba9fe2..537007b 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -201,7 +201,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of Samba.</para>
+ <para>This man page is part of version &doc.version; of Samba.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml
index 8766bf0..1cabc0b 100644
--- a/docs-xml/manpages/pdbedit.8.xml
+++ b/docs-xml/manpages/pdbedit.8.xml
@@ -537,7 +537,7 @@ account policy value for bad lockout attempt is now 3
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of
+ <para>This man page is part of version &doc.version; of
the Samba suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml
index 151d2f2..012f843 100644
--- a/docs-xml/manpages/profiles.1.xml
+++ b/docs-xml/manpages/profiles.1.xml
@@ -72,7 +72,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
index b53b46e..1e167f8 100644
--- a/docs-xml/manpages/rpcclient.1.xml
+++ b/docs-xml/manpages/rpcclient.1.xml
@@ -534,7 +534,7 @@ Comma Separated list of Files
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba
+ <para>This man page is part of version &doc.version; of the Samba
suite.</para>
</refsect1>

diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml
index 8a81ee3..719b5e1 100644
--- a/docs-xml/manpages/samba-regedit.8.xml
+++ b/docs-xml/manpages/samba-regedit.8.xml
@@ -71,7 +71,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the Samba suite.</para>
+ <para>This man page is part of version &doc.version; of the Samba suite.</para>
</refsect1>

<refsect1>
diff --git a/docs-xml/manpages/samba.7.xml b/docs-xml/manpages/samba.7.xml
index df1d5a5..761c8d3 100644
--- a/docs-xml/manpages/samba.7.xml
+++ b/docs-xml/manpages/samba.7.xml
@@ -294,7 +294,7 @@
<refsect1>
<title>VERSION</title>

- <para>This man page is correct for version &doc.version; of the
+ <para>This man page is part of version &doc.version; of the
Samba suite. </para>

The branch, master has been updated
via 778d5fd selftest: use net rpc join when joining NT4-style domains
from fe164a0 selftest: close connections after tests in samba4.ldap.secdesc.python

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 778d5fd00a69a6d29c9bf755864d32e737ac924d
Author: Ralph Boehme <***@samba.org>
Date: Sat Jan 6 12:27:27 2018 +0100

selftest: use net rpc join when joining NT4-style domains

Otherwise net join when failing at the CLDAP ping stage will put a
negative entry for the DC in the conncache which can trigger *hard* to
debug problems later in winbindd.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Mon Jan 8 15:22:10 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1e652d8e..f5e6472 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -347,7 +347,7 @@ sub setup_nt4_member($$$)
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
- $cmd .= "$net join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
+ $cmd .= "$net rpc join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
$cmd .= " -U$nt4_dc_vars->{USERNAME}\%$nt4_dc_vars->{PASSWORD}";

if (system($cmd) != 0) {

The branch, master has been updated
via c5fb651 pwrap: Build libpamtest as a subsystem to avoid issues
from 778d5fd selftest: use net rpc join when joining NT4-style domains

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c5fb65121d8b26932eb9fb90474a2e5129c3f178
Author: Andreas Schneider <***@samba.org>
Date: Mon Nov 27 19:37:49 2017 +0100

pwrap: Build libpamtest as a subsystem to avoid issues

Making it a subsystem adds the correct include directory for
libpamtest.h.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Mon Jan 8 21:04:16 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
third_party/pam_wrapper/wscript | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/pam_wrapper/wscript b/third_party/pam_wrapper/wscript
index 75b4eec..b9acf1b 100644
--- a/third_party/pam_wrapper/wscript
+++ b/third_party/pam_wrapper/wscript
@@ -109,9 +109,13 @@ def build(bld):
install=False,
realname='libpam-wrapper.so')

+ bld.SAMBA_SUBSYSTEM('libpamtest',
+ source='libpamtest.c',
+ deps='dl pam')
+
# Can be used to write pam tests in python
for env in bld.gen_python_environments():
bld.SAMBA_PYTHON('pypamtest',
- source='python/pypamtest.c libpamtest.c',
- deps='dl pam',
+ source='python/pypamtest.c',
+ deps='libpamtest',
install=False)

The branch, master has been updated
via 7901f7c selftest: close connections after tests in samba4.ldap.rodc_rwdc.python
from c5fb651 pwrap: Build libpamtest as a subsystem to avoid issues

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7901f7c3baad974d3126c767cb4ef513f88564cd
Author: Jamie McClymont <***@catalyst.net.nz>
Date: Mon Jan 8 19:18:34 2018 +1300

selftest: close connections after tests in samba4.ldap.rodc_rwdc.python

This test suite had a memory impact of around 2.5GB, from built-up LDAP
connection handlers under the standard process model.

Signed-off-by: Jamie McClymont <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue Jan 9 08:22:27 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source4/dsdb/tests/python/password_lockout_base.py | 7 +++++++
source4/dsdb/tests/python/rodc_rwdc.py | 10 ++++++++++
2 files changed, 17 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py
index 992f51d..5f720ef 100644
--- a/source4/dsdb/tests/python/password_lockout_base.py
+++ b/source4/dsdb/tests/python/password_lockout_base.py
@@ -351,6 +351,8 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)

+ self.addCleanup(self.delete_ldb_connections)
+
# (Re)adds the test user accounts
self.lockout1krb5_creds = self.insta_creds(self.template_creds,
username="lockout1krb5",
@@ -363,6 +365,11 @@ lockoutThreshold: """ + str(lockoutThreshold) + """
kerberos_state=DONT_USE_KERBEROS)
self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)

+ def delete_ldb_connections(self):
+ del self.lockout1krb5_ldb
+ del self.lockout1ntlm_ldb
+ del self.ldb
+
def tearDown(self):
super(BasePasswordTestCase, self).tearDown()

diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
index 371ff74..8c6dd4c 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -224,6 +224,11 @@ class RodcRwdcCachedTests(password_lockout_base.BasePasswordTestCase):
# make sure DCs are synchronized before the test
self.force_replication()

+ def delete_ldb_connections(self):
+ super(RodcRwdcCachedTests, self).delete_ldb_connections()
+ del self.rwdc_db
+ del self.rodc_db
+
def test_cache_and_flush_password(self):
username = self.lockout1krb5_creds.get_username()
userpass = self.lockout1krb5_creds.get_password()
@@ -767,6 +772,11 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
self.rwdc_dn = get_server_ref_from_samdb(self.rwdc_db)
self.rodc_dn = get_server_ref_from_samdb(self.rodc_db)

+ def delete_ldb_connections(self):
+ super(RodcRwdcTests, self).delete_ldb_connections()
+ del self.rwdc_db
+ del self.rodc_db
+
def assertReferral(self, fn, *args, **kwargs):
try:
fn(*args, **kwargs)

The branch, master has been updated
via e61e9e9 vfs_fruit: set delete-on-close for empty finderinfo
via 70d8f7c vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close
via c41e1ea vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream()
via df31e94 s4/torture/fruit: enhance zero AFP_AfpInfo stream test
via a22833c s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized
from 7901f7c selftest: close connections after tests in samba4.ldap.rodc_rwdc.python

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e61e9e98e9ff461055daae2fe78f0202f7ed8663
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 6 22:09:52 2017 +0100

vfs_fruit: set delete-on-close for empty finderinfo

We previously removed the stream from the underlying filesystem stream
backing store when the client zeroes out FinderInfo in the AFP_AfpInfo
stream, but this causes certain operations to fail (eg stat) when trying
to access the stream over any file-handle open on that stream.

So instead of deleting, set delete-on-close on the stream. The previous
commit already implemented not to list list streams with delete-on-close
set which is necessary to implemenent correct macOS semantics for this
particular stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Tue Jan 9 17:09:12 CET 2018 on sn-devel-144

commit 70d8f7c5d25f35b58620c2db8f57c7c0758267b3
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 17:32:35 2017 +0100

vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close

This is in preperation of fixing the implementation of removing the
AFP_AfpInfo stream by zeroing the FinderInfo out.

We currently remove the stream blob from the underyling filesystem
backing store, but that results in certain operations to fail on any
still open file-handle.

The fix comes in the next commit which will convert to backing store
delete operation to a set delete-on-close on the stream.

This commit adds filtering on streams that have the delete-on-close
set. It is only needed for the fruit:metadata=stream case, as with
fruit:metadata=netatalk the filtering is already done in
fruit_streaminfo_meta_netatalk().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit c41e1ea9247611473d30184efd953c61955ead15
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 14:56:36 2017 +0100

vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream()

No change in behaviour, just some refactoring before adding more code to
fruit_streaminfo_meta_stream() in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit df31e94eb6241f5e5594f6fd0ec1ad7896e02e27
Author: Ralph Boehme <***@samba.org>
Date: Thu Dec 7 13:43:02 2017 +0100

s4/torture/fruit: enhance zero AFP_AfpInfo stream test

This test more operations in the zeroed out FinderInfo test, ensuring
after zeroing out FinderInfo, operations on the filehandle still work
and that enumerating streams doesn't return the stream anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit a22833c2971dc7234b32741305f40ed62e232e0b
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 6 22:05:23 2017 +0100

s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/modules/vfs_fruit.c | 173 ++++++++++++++++++++++++++++++++++----------
source4/torture/vfs/fruit.c | 89 ++++++++++++++++++++++-
2 files changed, 218 insertions(+), 44 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index dfc0dcc..9533da4 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -4166,26 +4166,35 @@ static ssize_t fruit_pwrite_meta_stream(vfs_handle_struct *handle,
size_t n, off_t offset)
{
AfpInfo *ai = NULL;
- int ret;
+ size_t nwritten;
+ bool ok;

ai = afpinfo_unpack(talloc_tos(), data);
if (ai == NULL) {
return -1;
}

- if (ai_empty_finderinfo(ai)) {
- ret = SMB_VFS_NEXT_UNLINK(handle, fsp->fsp_name);
- if (ret != 0 && errno != ENOENT && errno != ENOATTR) {
- DBG_ERR("Can't delete metadata for %s: %s\n",
- fsp_str_dbg(fsp), strerror(errno));
- TALLOC_FREE(ai);
- return -1;
- }
+ nwritten = SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
+ if (nwritten != n) {
+ return -1;
+ }

+ if (!ai_empty_finderinfo(ai)) {
return n;
}

- return SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
+ ok = set_delete_on_close(
+ fsp,
+ true,
+ handle->conn->session_info->security_token,
+ handle->conn->session_info->unix_token);
+ if (!ok) {
+ DBG_ERR("set_delete_on_close on [%s] failed\n",
+ fsp_str_dbg(fsp));
+ return -1;
+ }
+
+ return n;
}

static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
@@ -4196,26 +4205,13 @@ static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
AfpInfo *ai = NULL;
char *p = NULL;
int ret;
+ bool ok;

ai = afpinfo_unpack(talloc_tos(), data);
if (ai == NULL) {
return -1;
}

- if (ai_empty_finderinfo(ai)) {
- ret = SMB_VFS_REMOVEXATTR(handle->conn,
- fsp->fsp_name,
- AFPINFO_EA_NETATALK);
-
- if (ret != 0 && errno != ENOENT && errno != ENOATTR) {
- DBG_ERR("Can't delete metadata for %s: %s\n",
- fsp_str_dbg(fsp), strerror(errno));
- return -1;
- }
-
- return n;
- }
-
ad = ad_fget(talloc_tos(), handle, fsp, ADOUBLE_META);
if (ad == NULL) {
ad = ad_init(talloc_tos(), handle, ADOUBLE_META);
@@ -4240,6 +4236,22 @@ static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
}

TALLOC_FREE(ad);
+
+ if (!ai_empty_finderinfo(ai)) {
+ return n;
+ }
+
+ ok = set_delete_on_close(
+ fsp,
+ true,
+ handle->conn->session_info->security_token,
+ handle->conn->session_info->unix_token);
+ if (!ok) {
+ DBG_ERR("set_delete_on_close on [%s] failed\n",
+ fsp_str_dbg(fsp));
+ return -1;
+ }
+
return n;
}

@@ -4896,6 +4908,40 @@ static int fruit_fstat(vfs_handle_struct *handle, files_struct *fsp,
return rc;
}

+static NTSTATUS delete_invalid_meta_stream(
+ vfs_handle_struct *handle,
+ const struct smb_filename *smb_fname,
+ TALLOC_CTX *mem_ctx,
+ unsigned int *pnum_streams,
+ struct stream_struct **pstreams)
+{
+ struct smb_filename *sname = NULL;
+ int ret;
+ bool ok;
+
+ ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, AFPINFO_STREAM);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ sname = synthetic_smb_fname(talloc_tos(),
+ smb_fname->base_name,
+ AFPINFO_STREAM_NAME,
+ NULL, 0);
+ if (sname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = SMB_VFS_NEXT_UNLINK(handle, sname);
+ TALLOC_FREE(sname);
+ if (ret != 0) {
+ DBG_ERR("Removing [%s] failed\n", smb_fname_str_dbg(sname));
+ return map_nt_error_from_unix(errno);
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS fruit_streaminfo_meta_stream(
vfs_handle_struct *handle,
struct files_struct *fsp,
@@ -4907,8 +4953,14 @@ static NTSTATUS fruit_streaminfo_meta_stream(
struct stream_struct *stream = *pstreams;
unsigned int num_streams = *pnum_streams;
struct smb_filename *sname = NULL;
+ char *full_name = NULL;
+ uint32_t name_hash;
+ struct share_mode_lock *lck = NULL;
+ struct file_id id = {0};
+ bool delete_on_close_set;
int i;
int ret;
+ NTSTATUS status;
bool ok;

for (i = 0; i < num_streams; i++) {
@@ -4921,35 +4973,76 @@ static NTSTATUS fruit_streaminfo_meta_stream(
return NT_STATUS_OK;
}

- if (stream[i].size == AFP_INFO_SIZE) {
- return NT_STATUS_OK;
- }
-
- DBG_ERR("Removing invalid AFPINFO_STREAM size [%"PRIdMAX"] "
- "from [%s]\n", (intmax_t)stream[i].size,
- smb_fname_str_dbg(smb_fname));
+ if (stream[i].size != AFP_INFO_SIZE) {
+ DBG_ERR("Removing invalid AFPINFO_STREAM size [%jd] from [%s]\n",
+ (intmax_t)stream[i].size, smb_fname_str_dbg(smb_fname));

- ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, AFPINFO_STREAM);
- if (!ok) {
- return NT_STATUS_INTERNAL_ERROR;
+ return delete_invalid_meta_stream(handle, smb_fname, mem_ctx,
+ pnum_streams, pstreams);
}

+ /*
+ * Now check if there's a delete-on-close pending on the stream. If so,
+ * hide the stream. This behaviour was verified against a macOS 10.12
+ * SMB server.
+ */
+
sname = synthetic_smb_fname(talloc_tos(),
smb_fname->base_name,
AFPINFO_STREAM_NAME,
NULL, 0);
if (sname == NULL) {
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}

- ret = SMB_VFS_NEXT_UNLINK(handle, sname);
- TALLOC_FREE(sname);
+ ret = SMB_VFS_NEXT_STAT(handle, sname);
if (ret != 0) {
- DBG_ERR("Removing [%s] failed\n", smb_fname_str_dbg(sname));
- return map_nt_error_from_unix(errno);
+ status = map_nt_error_from_unix(errno);
+ goto out;
}

- return NT_STATUS_OK;
+ id = SMB_VFS_NEXT_FILE_ID_CREATE(handle, &sname->st);
+
+ lck = get_existing_share_mode_lock(talloc_tos(), id);
+ if (lck == NULL) {
+ status = NT_STATUS_OK;
+ goto out;
+ }
+
+ full_name = talloc_asprintf(talloc_tos(),
+ "%s%s",
+ sname->base_name,
+ AFPINFO_STREAM);
+ if (full_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ status = file_name_hash(handle->conn, full_name, &name_hash);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ delete_on_close_set = is_delete_on_close_set(lck, name_hash);
+ if (delete_on_close_set) {
+ ok = del_fruit_stream(mem_ctx,
+ pnum_streams,
+ pstreams,
+ AFPINFO_STREAM);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+ }
+
+ status = NT_STATUS_OK;
+
+out:
+ TALLOC_FREE(sname);
+ TALLOC_FREE(lck);
+ TALLOC_FREE(full_name);
+ return status;
}

static NTSTATUS fruit_streaminfo_meta_netatalk(
diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c
index 476e920..d071cf6 100644
--- a/source4/torture/vfs/fruit.c
+++ b/source4/torture/vfs/fruit.c
@@ -909,7 +909,7 @@ static char *torture_afpinfo_pack(TALLOC_CTX *mem_ctx,
{
char *buf;

- buf = talloc_array(mem_ctx, char, AFP_INFO_SIZE);
+ buf = talloc_zero_array(mem_ctx, char, AFP_INFO_SIZE);
if (buf == NULL) {
return NULL;
}
@@ -3346,11 +3346,17 @@ static bool test_afpinfo_all0(struct torture_context *tctx,
{
bool ret = true;
NTSTATUS status;
- struct smb2_handle h1;
+ struct smb2_create create;
+ struct smb2_handle h1 = {{0}};
+ struct smb2_handle baseh = {{0}};
+ union smb_setfileinfo setfinfo;
+ union smb_fileinfo getfinfo;
TALLOC_CTX *mem_ctx = talloc_new(tctx);
const char *fname = BASEDIR "\\file";
+ const char *sname = BASEDIR "\\file" AFPINFO_STREAM;
const char *type_creator = "SMB,OLE!";
AfpInfo *info = NULL;
+ char *infobuf = NULL;
const char *streams_basic[] = {
"::$DATA"
};
@@ -3381,13 +3387,88 @@ static bool test_afpinfo_all0(struct torture_context *tctx,

/* Write all 0 to AFP_AfpInfo */
memset(info->afpi_FinderInfo, 0, AFP_FinderSize);
- ret = torture_write_afpinfo(tree, tctx, mem_ctx, fname, info);
- torture_assert_goto(tctx, ret == true, ret, done, "torture_write_afpinfo failed");
+ infobuf = torture_afpinfo_pack(mem_ctx, info);
+ torture_assert_not_null_goto(tctx, infobuf, ret, done,
+ "torture_afpinfo_pack failed\n");
+
+ ZERO_STRUCT(create);
+ create.in.desired_access = SEC_FILE_ALL;
+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+ create.in.create_disposition = NTCREATEX_DISP_OPEN;
+ create.in.share_access = NTCREATEX_SHARE_ACCESS_MASK;
+ create.in.fname = fname;
+
+ status = smb2_create(tree, mem_ctx, &create);
+ torture_assert_goto(tctx, ret == true, ret, done,
+ "smb2_create failed\n");
+ baseh = create.out.file.handle;
+
+ ZERO_STRUCT(create);
+ create.in.desired_access = SEC_FILE_ALL;
+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+ create.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+ create.in.fname = sname;
+
+ status = smb2_create(tree, mem_ctx, &create);
+ torture_assert_goto(tctx, ret == true, ret, done,
+ "smb2_create failed\n");
+ h1 = create.out.file.handle;
+
+ status = smb2_util_write(tree, h1, infobuf, 0, AFP_INFO_SIZE);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_util_write failed\n");
+
+ /*
+ * Get stream information on open handle, must return only default
+ * stream, the AFP_AfpInfo stream must not be returned.
+ */
+
+ ZERO_STRUCT(getfinfo);
+ getfinfo.generic.level = RAW_FILEINFO_STREAM_INFORMATION;
+ getfinfo.generic.in.file.handle = baseh;
+
+ status = smb2_getinfo_file(tree, tctx, &getfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "get stream info\n");
+
+ torture_assert_int_equal_goto(tctx, getfinfo.stream_info.out.num_streams,
+ 1, ret, done, "stream count");
+
+ smb2_util_close(tree, baseh);
+ ZERO_STRUCT(baseh);
+
+ /*
+ * Try to set some file-basic-info (time) on the stream. This catches
+ * naive implementation mistakes that simply deleted the backing store
+ * from the filesystem in the zero-out step.
+ */
+
+ ZERO_STRUCT(setfinfo);
+ unix_to_nt_time(&setfinfo.basic_info.in.write_time, time(NULL));
+ setfinfo.basic_info.in.attrib = 0x20;
+ setfinfo.generic.level = RAW_SFILEINFO_BASIC_INFORMATION;
+ setfinfo.generic.in.file.handle = h1;
+
+ status = smb2_setinfo_file(tree, &setfinfo);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed\n");
+
+ ret = check_stream_list(tree, tctx, fname, 1, streams_basic, false);
+ torture_assert_goto(tctx, ret == true, ret, done, "check_stream_list");
+
+ smb2_util_close(tree, h1);
+ ZERO_STRUCT(h1);

ret = check_stream_list(tree, tctx, fname, 1, streams_basic, false);
torture_assert_goto(tctx, ret == true, ret, done, "Bad streams");

done:
+ if (!smb2_util_handle_empty(h1)) {
+ smb2_util_close(tree, h1);
+ }
+ if (!smb2_util_handle_empty(baseh)) {
+ smb2_util_close(tree, baseh);
+ }
smb2_util_unlink(tree, fname);
smb2_util_rmdir(tree, BASEDIR);
return ret;

The branch, master has been updated
via 977b3f6 python: Print the finddcs error message
via 3022da1 libnet: Add NULL checks to py_net_finddc
from e61e9e9 vfs_fruit: set delete-on-close for empty finderinfo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 977b3f60cf0f504728f9b63343b9af1e8d6c359d
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 9 12:41:01 2018 +0100

python: Print the finddcs error message

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Tue Jan 9 22:41:28 CET 2018 on sn-devel-144

commit 3022da1a7267f9038f1f0de98d8d54baabd9c567
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 9 10:23:35 2018 +0100

libnet: Add NULL checks to py_net_finddc

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/join.py | 3 +++
python/samba/netcmd/domain.py | 3 +++
source4/libnet/py_net.c | 10 ++++++++++
3 files changed, 16 insertions(+)


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index 63e9b90..9782f53 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -336,6 +336,9 @@ class dc_join(object):
"""find a writeable DC for the given domain"""
try:
ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
+ except NTSTATUSError as error:
+ raise Exception("Failed to find a writeable DC for domain '%s': %s" %
+ (domain, error[1]))
except Exception:
raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
if ctx.cldap_ret.client_site is not None and ctx.cldap_ret.client_site != "":
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index ada7d6b..2cb14f1 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -1771,6 +1771,9 @@ class DomainTrustCommand(Command):
if require_pdc:
remote_flags |= nbt.NBT_SERVER_PDC
remote_info = remote_net.finddc(flags=remote_flags, domain=domain, address=remote_server)
+ except NTSTATUSError as error:
+ raise CommandError("Failed to find a writeable DC for domain '%s': %s" %
+ (domain, error[1]))
except Exception:
raise CommandError("Failed to find a writeable DC for domain '%s'" % domain)
flag_map = {
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index 7ddee2d..0567dbd 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -697,8 +697,18 @@ static PyObject *py_net_finddc(py_net_Object *self, PyObject *args, PyObject *kw
}

mem_ctx = talloc_new(self->mem_ctx);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }

io = talloc_zero(mem_ctx, struct finddcs);
+ if (io == NULL) {
+ TALLOC_FREE(mem_ctx);
+ PyErr_NoMemory();
+ return NULL;
+ }
+
if (domain != NULL) {
io->in.domain_name = domain;
}

The branch, master has been updated
via a078042 selftest: split a large system invocation line
via ee6e0b1 selftest: split a large system invocation line
via 584a8ac selftest: split a large system invocation line
via 686fc41 selftest: set wrapper env variables when running net groupmap
via 53f709d selftest: remove second loop waiting for winbindd from wait_for_start()
via 0f5b1bd selftest: fix creation of builtin users in wait_for_start
via a206cf2 s4:dns_server: avoid debug noise on successful updates
via 09da62f s4:lib/tls: fix the developer build without gnutls support
via b1c88c0 WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'
via 0341e83 docs-xml: deprecate "server schannel" and change the default to "yes"
via 3a7d931 selftest: explicitly configure some dcs with 'server schannel = auto'
via c7acae9 docs-xml: deprecate "client schannel" and change the default to "yes"
via 1f91cdc WHATSNEW: document removal of 'use spnego" option
via cb5e192 docs-xml: remove deprecated 'use spnego" option
via 343b0e0 s4:smb_server: remove deprecated 'use spnego = no" handling
via 502aa78 s3:smbd: remove deprecated 'use spnego = no" handling
via b6d55ee s4:selftest: replace --option=usespnego= with --option=clientusespnego=
via bb3944c WHATSNEW: document removal 'winbind trusted domains only' option
via c465990 docs-xml: remove deprecated of 'winbind trusted domains only' option
via 6d339b4 winbindd: remove 'winbind trusted domains only' handling
via 22e309e s3:g_lock: keep old mylock on error and don't store new mylock on error
via da3f60b winbindd: use setproctitle
via 502ab53 vfs_fruit: initialise bandsize to please a compiler
from 977b3f6 python: Print the finddcs error message

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a07804278533e8e6d946c51447d940a8d0ed9e4d
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:46:40 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Wed Jan 10 05:19:26 CET 2018 on sn-devel-144

commit ee6e0b19f670f370b5643699a194dec774494f74
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:45:59 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 584a8ac4aa90707cf353975be0f2ddfe65fb065a
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 10:40:41 2018 +0100

selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 686fc4126dc5b69d34e71f7d014c3c17ba0f649e
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 14:28:40 2018 +0100

selftest: set wrapper env variables when running net groupmap

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 53f709d6e0c9370eaf97554a9377e6d51a3b0e6b
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 18:45:01 2018 +0100

selftest: remove second loop waiting for winbindd from wait_for_start()

A few lines above we already checked that winbindd is running.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 0f5b1bd9e2d16702a7be674fcd4ba4328d6befc1
Author: Ralph Boehme <***@samba.org>
Date: Mon Jan 8 18:38:08 2018 +0100

selftest: fix creation of builtin users in wait_for_start

If "BUILTIN\Users" already exists, attempting to create it would fail,
so we should check for the existence prior to the creation.

It is unclear *why* the mapping sometimes already exist and sometime
not. There are two places where they would have been created:

1. libnet_join_add_dom_rids_to_builtins tries to add the mapping when
joining a domain, but at that point winbindd isn't running

2. when a user is authenticated in smbd, which clearly can't have
happended when in the function wait_for_start

Go figure...

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit a206cf2dc11159b0e9ebe4d1d1d23e4365bd2a8c
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Nov 11 08:48:04 2016 +0100

s4:dns_server: avoid debug noise on successful updates

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 09da62f1a34b85f2cbd1d6a95ec1a04d4d7e389e
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Mar 14 17:11:19 2017 +0100

s4:lib/tls: fix the developer build without gnutls support

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b1c88c01a6138bf29104facc960798f3c1e6b0ee
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:42:06 2017 +0100

WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 0341e83d40dc42fbb1f1e467626418a9e4dedf40
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100

docs-xml: deprecate "server schannel" and change the default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 3a7d931127a8c739208ae6ca8124cd18fec6b7bb
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 13 13:09:47 2017 +0100

selftest: explicitly configure some dcs with 'server schannel = auto'

This is required for some tests.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c7acae904301cfc6a281d63f4e7d3cc6f4fff938
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:22:22 2017 +0100

docs-xml: deprecate "client schannel" and change the default to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 1f91cdc8bd2a50498a9e0293a75d4e41a3618f64
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

WHATSNEW: document removal of 'use spnego" option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit cb5e19271db1967ed28e08e8969fc438f5942995
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

docs-xml: remove deprecated 'use spnego" option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 343b0e0af9f336233650c34cc1e4baf62c04989c
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

s4:smb_server: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 502aa787044d7215c4c509ee6305931a6eedcc44
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:35:26 2017 +0100

s3:smbd: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b6d55eefa21c548f962a0c5f290eb23c219f3bff
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 13:00:10 2017 +0100

s4:selftest: replace --option=usespnego= with --option=clientusespnego=

I guess that's what we try to test here, as 'use spnego' was only evaluated
on in the smb server part.

The basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit bb3944c6083456b1de4fd88fda8b8186106687d5
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:17:20 2017 +0100

WHATSNEW: document removal 'winbind trusted domains only' option

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c4659908abf01941148682eaa55b01cfa8c3f290
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 11:10:42 2017 +0100

docs-xml: remove deprecated of 'winbind trusted domains only' option

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6d339b480051b5efc80b895e97c2eaaf8dea6893
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 7 10:54:21 2017 +0100

winbindd: remove 'winbind trusted domains only' handling

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 22e309e541a1352a2a250d92a72434bb71c2bf45
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 20 08:41:09 2017 +0100

s3:g_lock: keep old mylock on error and don't store new mylock on error

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Volker Lendecke <***@samba.org>

commit da3f60b1e5c6420210d14c9924b3551d83e2f70c
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 20 17:42:45 2017 +0100

winbindd: use setproctitle

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 502ab53d4a543c0d12072727fbfe7313e0acb26e
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Jan 10 00:08:01 2018 +1300

vfs_fruit: initialise bandsize to please a compiler

GCC on a Ubuntu 16.04 instance said:

[3174/4240] Compiling source3/modules/vfs_cap.c
In file included from ../source3/include/includes.h:301:0,
from ../source3/modules/vfs_fruit.c:20:
../source3/modules/vfs_fruit.c: In function
‘fruit_disk_free’:
../source3/../lib/util/debug.h:217:7: error: ‘bandsize’ may be used
uninitialized in this function [-Werror=maybe-uninitialized]
&& (dbgtext body) )
^
../source3/modules/vfs_fruit.c:6302:9: note: ‘bandsize’ was
declared here
size_t bandsize;
^
[3175/4240] Compiling source3/modules/vfs_expand_msdfs.c
[3176/4240] Compiling source3/modules/vfs_shadow_copy.c
[3177/4240] Compiling source3/modules/vfs_shadow_copy2.c
cc1: all warnings being treated as errors
Waf: Leaving directory
/home/ubuntu/autobuild/b17854/samba-o3/bin'
Build failed: -> task failed (err #1):
{task: cc vfs_fruit.c -> vfs_fruit_25.o}
make: *** [all] Error 1

As far as I can tell, it is wrong, and the bandsize variable never
gets passed uninititalised to DEBUG.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 6 ++
docs-xml/manpages/idmap_nss.8.xml | 3 +-
docs-xml/smbdotconf/protocol/usespnego.xml | 19 -----
docs-xml/smbdotconf/security/clientschannel.xml | 11 ++-
docs-xml/smbdotconf/security/serverschannel.xml | 13 +++-
.../winbind/winbindtrusteddomainsonly.xml | 22 ------
lib/param/loadparm.c | 6 +-
selftest/knownfail.d/ntlmv2-restrictions | 2 +
selftest/target/Samba3.pm | 80 ++++++++++++++++------
selftest/target/Samba4.pm | 4 ++
source3/lib/g_lock.c | 19 ++++-
source3/modules/vfs_fruit.c | 2 +-
source3/param/loadparm.c | 6 +-
source3/smbd/negprot.c | 1 -
source3/winbindd/wb_getgrsid.c | 11 ---
source3/winbindd/wb_queryuser.c | 12 ----
source3/winbindd/winbindd.c | 4 ++
source3/winbindd/winbindd_cm.c | 2 +
source3/winbindd/winbindd_dual.c | 6 ++
source3/winbindd/winbindd_getpwnam.c | 9 ---
source3/winbindd/winbindd_util.c | 5 +-
source4/dns_server/dns_query.c | 2 +-
source4/dns_server/dns_update.c | 2 +-
source4/lib/tls/tlscert.c | 1 +
source4/selftest/tests.py | 28 ++++----
source4/smb_server/smb/negprot.c | 1 -
26 files changed, 143 insertions(+), 134 deletions(-)
delete mode 100644 docs-xml/smbdotconf/protocol/usespnego.xml
delete mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
create mode 100644 selftest/knownfail.d/ntlmv2-restrictions


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9bcd03c..94278b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -92,6 +92,8 @@ smb.conf changes
-------------- ----------- -------
auth methods Removed
binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
gpo update command New
map untrusted to domain Removed
oplock contention limit Removed
@@ -99,6 +101,10 @@ smb.conf changes
mdns name Added netbios
fruit:time machine Added false
profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ winbind trusted domains only Removed


NT4-style replication based net commands removed
diff --git a/docs-xml/manpages/idmap_nss.8.xml b/docs-xml/manpages/idmap_nss.8.xml
index b7c5977..fa8a208 100644
--- a/docs-xml/manpages/idmap_nss.8.xml
+++ b/docs-xml/manpages/idmap_nss.8.xml
@@ -20,8 +20,7 @@
<title>DESCRIPTION</title>

<para>The idmap_nss plugin provides a means to map Unix users and groups
- to Windows accounts and obsoletes the &quot;winbind trusted domains only&quot;
- smb.conf option. This provides a simple means of ensuring that the SID
+ to Windows accounts. This provides a simple means of ensuring that the SID
for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
stored on a Samba member server.
diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml
deleted file mode 100644
index 0c9ffbf..0000000
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<samba:parameter name="use spnego"
- context="G"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This deprecated variable controls whether samba will try
- to use Simple and Protected NEGOciation (as specified by rfc2478) with
- WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
-</para>
-
-<para>
- Unless further issues are discovered with our SPNEGO
- implementation, there is no reason this should ever be
- disabled.</para>
-</description>
-
-<value type="default">yes</value>
-</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

<para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future.
+ </para>
+
+ <para>
This controls whether the client offers or even demands the use of the netlogon schannel.
<smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel,
<smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
@@ -18,6 +25,6 @@

<para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+
+ <para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future. If you have the need for the behavior of "auto"
+ to be kept, please file a bug at https://bugzilla.samba.org.
+ </para>
+
<para>
This controls whether the server offers or even demands the use of the netlogon schannel.
<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
@@ -18,6 +27,6 @@
</para>
</description>

-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
deleted file mode 100644
index 3d420c7..0000000
--- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="winbind trusted domains only"
- context="G"
- type="boolean"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- This parameter is designed to allow Samba servers that are members
- of a Samba controlled domain to use UNIX accounts distributed via NIS,
- rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
- Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to
- the account user1 in /etc/passwd instead of allocating a new uid for him or her.
- </para>
-
- <para>
- This parameter is now deprecated in favor of the newer idmap_nss backend.
- Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> man page for more information.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index ddb4507..a18407d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2749,8 +2749,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
lpcfg_do_global_parameter(lp_ctx, "server signing", "default");

- lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
-
lpcfg_do_global_parameter(lp_ctx, "use mmap", "True");

lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
@@ -2786,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");

- lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");

lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");

@@ -2840,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);

- lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+ lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");

lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");

diff --git a/selftest/knownfail.d/ntlmv2-restrictions b/selftest/knownfail.d/ntlmv2-restrictions
new file mode 100644
index 0000000..eb50b13
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv2-restrictions
@@ -0,0 +1,2 @@
+# 'raw NTLMv2 auth' is not enabled on ad_member
+^samba4.smb.signing.disabled.on.with.-k.no.--option=clientusespnego=no.--signing=off.domain-creds.xcopy\(ad_member\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5e6472..f4ae0f3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -216,6 +216,7 @@ sub setup_nt4_dc($$)
lanman auth = yes
ntlm auth = yes
raw NTLMv2 auth = yes
+ server schannel = auto

rpc_server:epmapper = external
rpc_server:spoolss = external
@@ -2332,6 +2333,8 @@ force_user:x:$gid_force_user:
sub wait_for_start($$$$$)
{
my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+ my $cmd;
+ my $netcmd;
my $ret;

if ($nmbd eq "yes") {
@@ -2365,8 +2368,7 @@ sub wait_for_start($$$$$)
if ($winbindd eq "yes") {
print "checking for winbindd\n";
my $count = 0;
- my $cmd = "";
- $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
$cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
$cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
$cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
@@ -2405,38 +2407,72 @@ sub wait_for_start($$$$$)
}

# Ensure we have domain users mapped.
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
+ $netcmd = "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} ";
+
+ $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=512 unixgroup=domadmins type=domain");
+
+ $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}
- $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
+
+ $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin";
+ $ret = system($cmd);
if ($ret != 0) {
- return 1;
+ print("\"$cmd\" failed\n");
+ return 1;
}

+ # note: creating builtin groups requires winbindd for the
+ # unix id allocator
+ my $create_builtin_users = "no";
if ($winbindd eq "yes") {
- # note: creating builtin groups requires winbindd for the
- # unix id allocator
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} sam createbuiltingroup Users");
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ my $wbinfo_out = qx($cmd 2>&1);
+ if ($? != 0) {
+ # wbinfo doesn't give us a better error code then
+ # WBC_ERR_DOMAIN_NOT_FOUND, but at least that's
+ # different then WBC_ERR_WINBIND_NOT_AVAILABLE
+ if ($wbinfo_out !~ /WBC_ERR_DOMAIN_NOT_FOUND/) {
+ print("Failed to run \"wbinfo --sid-to-gid=S-1-5-32-545\": $wbinfo_out");
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ $create_builtin_users = "yes";
+ }
+ }
+ if ($create_builtin_users eq "yes") {
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "sam createbuiltingroup Users";
+ $ret = system($cmd);
if ($ret != 0) {
print "Failed to create BUILTIN\\Users group\n";
+ teardown_env($self, $envvars);
return 0;
}
- my $count = 0;
- do {
- system(Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} cache del IDMAP/SID2XID/S-1-5-32-545");
- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545");
- if ($ret != 0) {
- sleep(2);
- }
- $count++;
- } while ($ret != 0 && $count < 10);
- if ($count == 10) {
- print "WINBINDD not reachable after 20 seconds\n";
+
+ $cmd = Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "cache del IDMAP/SID2XID/S-1-5-32-545";
+ system($cmd);
+
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print "Missing \"BUILTIN\\Users\", did net sam createbuiltingroup Users fail?\n";
teardown_env($self, $envvars);
return 0;
}
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e2e78ab..e6bc3bb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1031,6 +1031,7 @@ winbindd:use external pipes = true

# the source4 smb server doesn't allow signing by default
server signing = enabled
+raw NTLMv2 auth = yes

rpc_server:default = external
rpc_server:svcctl = embedded
@@ -1461,9 +1462,11 @@ sub provision_ad_dc_ntvfs($$)
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
+ raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
+ server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
@@ -1831,6 +1834,7 @@ sub provision_ad_dc($$$$$$)
lpq cache time = 0
print notify backchannel = yes

+ server schannel = auto
auth event notification = true
$smbconf_args
";
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 68a9ab3..4c42fb0 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -200,6 +200,8 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
TDB_DATA data;
size_t i;
struct g_lock lck;
+ struct g_lock_rec _mylock;
+ struct g_lock_rec *mylock = NULL;
NTSTATUS status;
bool modified = false;
bool ok;
@@ -242,11 +244,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,
status = NT_STATUS_WAS_LOCKED;
goto done;
}
+ if (mylock != NULL) {
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ goto done;
+ }
+ _mylock = lock;
+ mylock = &_mylock;
/*
* Remove "our" lock entry. Re-add it later
* with our new lock type.
*/
g_lock_rec_del(&lck, i);
+ modified = true;
continue;
}

@@ -278,12 +287,18 @@ static NTSTATUS g_lock_trylock(struct db_record *rec, struct server_id self,

modified = true;

+ _mylock = (struct g_lock_rec) {
+ .pid = self,
+ .lock_type = type
+ };
+ mylock = &_mylock;
+
status = NT_STATUS_OK;
done:
if (modified) {
- struct g_lock_rec mylock = { .pid = self, .lock_type = type };
NTSTATUS store_status;
- store_status = g_lock_store(rec, &lck, &mylock);
+
+ store_status = g_lock_store(rec, &lck, mylock);
if (!NT_STATUS_IS_OK(store_status)) {
DBG_WARNING("g_lock_record_store failed: %s\n",
nt_errstr(store_status));
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 9533da4..40ee255 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -6392,7 +6392,7 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct *handle,
bool ok;
char *p = NULL;
size_t sparsebundle_strlen = strlen("sparsebundle");
- size_t bandsize;
+ size_t bandsize = 0;
size_t nbands;
double tm_size;

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a2fcc42..582c875 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,10 +651,10 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
- Globals.server_schannel = Auto;
+ Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
@@ -817,7 +817,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_enum_users = false;
Globals.winbind_enum_groups = false;
Globals.winbind_use_default_domain = false;
- Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
@@ -831,7 +830,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)

Globals.name_cache_timeout = 660; /* In seconds */

- Globals.use_spnego = true;
Globals.client_use_spnego = true;

Globals.client_signing = SMB_SIGNING_DEFAULT;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cdbc2c4..3a9363d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -282,7 +282,6 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
supports it and we can do encrypted passwords */

if (xconn->smb1.negprot.encrypted_passwords &&
- lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;
capabilities |= CAP_EXTENDED_SECURITY;
diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index b210645..fa26ea8 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -60,17 +60,6 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}

- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
- DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
- "getgrsid() for %s\n", sid_string_tos(group_sid)));
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
- return tevent_req_post(req, ev);
- }
- }
-
subreq = wb_lookupsid_send(state, ev, &state->sid);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 1c91949..17170c3 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -50,18 +50,6 @@ struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
}
state->ev = ev;

- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(user_sid, &our_domain->sid) == 0) {
- char buf[DOM_SID_STR_BUFLEN];
- dom_sid_string_buf(user_sid, buf, sizeof(buf));
- DBG_NOTICE("My domain -- rejecting %s\n", buf);
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return tevent_req_post(req, ev);
- }
- }

The branch, master has been updated
via 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools
via 79cb5cf selftest: Use the ad_dc with smbfs for ad_member env
from a078042 selftest: split a large system invocation line

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4519134ef72511c1d6a7321a6641dd869b4f2759
Author: Andreas Schneider <***@samba.org>
Date: Wed Jan 10 09:32:49 2018 +0100

s3:tests: Fix test_net_tdb.sh with system tdb-tools

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Wed Jan 10 18:30:56 CET 2018 on sn-devel-144

commit 79cb5cfa49abb6f928a6b95895c3c7f063b45472
Author: Andreas Schneider <***@samba.org>
Date: Thu Apr 6 08:50:06 2017 +0200

selftest: Use the ad_dc with smbfs for ad_member env

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
selftest/target/Samba4.pm | 6 +++---
source3/script/tests/test_net_tdb.sh | 9 +++++++--
2 files changed, 10 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e6bc3bb..628f4f1 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2133,10 +2133,10 @@ sub setup_env($$$)
} elsif ($envname eq "chgdcpass") {
return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
} elsif ($envname eq "ad_member") {
- if (not defined($self->{vars}->{ad_dc_ntvfs})) {
- $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
}
- return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+ return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc}, 29);
} elsif ($envname eq "ad_dc") {
return $self->setup_ad_dc("$path/ad_dc");
} elsif ($envname eq "ad_dc_no_nss") {
diff --git a/source3/script/tests/test_net_tdb.sh b/source3/script/tests/test_net_tdb.sh
index 731cad3..61b1976 100755
--- a/source3/script/tests/test_net_tdb.sh
+++ b/source3/script/tests/test_net_tdb.sh
@@ -27,6 +27,11 @@ LOCKDIR=$8

FILENAME=net_tdb_testfile

+samba_tdbtool=tdbtool
+if test -x $BINDIR/tdbtool; then
+ samba_tdbtool=$BINDIR/tdbtool
+fi
+
failed=0

incdir=`dirname $0`/../../../testprogs/blackbox
@@ -42,7 +47,7 @@ SMBCLIENTPID=$!
sleep 1

testit "Looking for record key of open file" \
- $BINDIR/tdbtool $LOCKDIR/locking.tdb hexkeys || \
+ $samba_tdbtool $LOCKDIR/locking.tdb hexkeys || \
failed=$(expr $failed + 1)

# The assumption here is that only one file is open, so only one
@@ -52,7 +57,7 @@ testit "Looking for record key of open file" \
#[000] 01 FD 00 00 00 00 00 00 56 02 5C 00 00 00 00 00 ....... V.\....
#[010] 00 00 00 00 00 00 00 00 .......
# Select only the hex data, remove space and join every thing together
-key=0x$($BINDIR/tdbtool $LOCKDIR/locking.tdb hexkeys | \
+key=0x$($samba_tdbtool $LOCKDIR/locking.tdb hexkeys | \
grep '\[' | cut -c 7-56 | sed -e 's/ //g' | tr -d '\n')

testit "Looking for open file in locking.tdb" \

The branch, master has been updated
via 3297f4c Mark wbinfo test flapping
via 6b09ab2 Mark whoami test flapping
via 23ec73e Mark rfc2307 test flapping
via bf19b6c ldb: version 1.3.1
via 6dd0a8c tevent: version 0.9.35
via efe317c talloc: version 2.1.11
via 0623097 talloc: Do not disclose the random talloc magic in free()'ed memory
via e2497b2 talloc: Add tests to require use-after-free to give the correct talloc_abort() string
via 00ee9da talloc: Remove talloc_abort_magic()
from 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3297f4c9bfeb8c9f20829c6a096ea1cebf3772c4
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:39:49 2018 +1300

Mark wbinfo test flapping

please fix and revert

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sat Jan 13 03:01:10 CET 2018 on sn-devel-144

commit 6b09ab2139751637dc773f6ef7fb7f0dd99605e0
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:39:28 2018 +1300

Mark whoami test flapping

please fix and revert!

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 23ec73e0e04975c93863b6f37617cef9b99306ef
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 14:38:45 2018 +1300

Mark rfc2307 test flapping

Please fix and revert

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit bf19b6ccdcd66dfafcc60d290878550f835316eb
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 23:43:05 2018 +0100

ldb: version 1.3.1

* Intersect the index from SCOPE_ONELEVEL with the index for the search expression
(bug #13191)
* smaller/greater comparison tests
* Show the last successful DN when failing to parse LDIF
* ldb_index: Add an attriubute flag to require a unique value.
* silence some clang warnings in picky developer mode

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6dd0a8c1a67922d1f893d5ef500861ec5e7c5a36
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 15:08:14 2018 +0100

tevent: version 0.9.35

* Minor cleanup. wakeup_fd can always be gotten from the event context.
* Use smb_set_close_on_exec() in example code.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit efe317c59204af076bb500ad904d2a5f6a961509
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 07:45:09 2018 +0100

talloc: version 2.1.11

* disable-python - fix talloc wscript if bundling disabled
* Do not disclose the random talloc magic in free()'ed memory

Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 062309755888349afaa05dff7ac48ea8867110e0
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 17:34:31 2018 +1300

talloc: Do not disclose the random talloc magic in free()'ed memory

This may help us avoid exploits via memory read attacks on Samba by ensuring that if the read
is on an invalid chunk that the talloc magic disclosed there is not useful
to create a valid chunk and so set a destructor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit e2497b26b2ec8a9ae4401d0380431c897959c627
Author: Andrew Bartlett <***@samba.org>
Date: Fri Jan 12 11:17:09 2018 +1300

talloc: Add tests to require use-after-free to give the correct talloc_abort() string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

commit 00ee9da50b289a68621f2af755d4283fe6cb3bc7
Author: Andrew Bartlett <***@samba.org>
Date: Mon Jan 8 17:29:19 2018 +1300

talloc: Remove talloc_abort_magic()

The check required for talloc_abort_magic() prevents the 'access after free error'
from being printed.

It is also no longer possible to determine the difference between invalid memory
and a talloc version mismatch as the magic is now random on many platforms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Gary Lockyer <***@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} | 0
...yldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} | 0
...-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} | 0
lib/ldb/wscript | 2 +-
...-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} | 0
...3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} | 0
.../ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} | 0
lib/talloc/talloc.c | 128 ++++++++++++++-------
lib/talloc/testsuite.c | 68 +++++++++++
lib/talloc/wscript | 2 +-
.../ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} | 0
lib/tevent/wscript | 2 +-
selftest/flapping.d/rfc2307 | 1 +
selftest/flapping.d/wbinfo | 1 +
selftest/flapping.d/whoami | 1 +
15 files changed, 162 insertions(+), 43 deletions(-)
copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util.py3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} (100%)
copy lib/tevent/ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} (100%)
create mode 100644 selftest/flapping.d/rfc2307
create mode 100644 selftest/flapping.d/wbinfo
create mode 100644 selftest/flapping.d/whoami


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-1.3.0.sigs b/lib/ldb/ABI/ldb-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.0.sigs
copy to lib/ldb/ABI/ldb-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0b8ba26..8ae5be3 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'ldb'
-VERSION = '1.3.0'
+VERSION = '1.3.1'

blddir = 'bin'

diff --git a/lib/talloc/ABI/pytalloc-util-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.11.sigs
diff --git a/lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs b/lib/talloc/ABI/talloc-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.10.sigs
copy to lib/talloc/ABI/talloc-2.1.11.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7721fa4..cd159ef 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -75,12 +75,13 @@
#define TALLOC_MAGIC_REFERENCE ((const char *)1)

#define TALLOC_MAGIC_BASE 0xe814ec70
-static unsigned int talloc_magic = (
- ~TALLOC_FLAG_MASK & (
- TALLOC_MAGIC_BASE +
- (TALLOC_BUILD_VERSION_MAJOR << 24) +
- (TALLOC_BUILD_VERSION_MINOR << 16) +
- (TALLOC_BUILD_VERSION_RELEASE << 8)));
+#define TALLOC_MAGIC_NON_RANDOM ( \
+ ~TALLOC_FLAG_MASK & ( \
+ TALLOC_MAGIC_BASE + \
+ (TALLOC_BUILD_VERSION_MAJOR << 24) + \
+ (TALLOC_BUILD_VERSION_MINOR << 16) + \
+ (TALLOC_BUILD_VERSION_RELEASE << 8)))
+static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM;

/* by default we abort when given a bad pointer (such as when talloc_free() is called
on a pointer that came from malloc() */
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void)
return talloc_magic;
}

+static inline void _talloc_chunk_set_free(struct talloc_chunk *tc,
+ const char *location)
+{
+ /*
+ * Mark this memory as free, and also over-stamp the talloc
+ * magic with the old-style magic.
+ *
+ * Why? This tries to avoid a memory read use-after-free from
+ * disclosing our talloc magic, which would then allow an
+ * attacker to prepare a valid header and so run a destructor.
+ *
+ */
+ tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE
+ | (tc->flags & TALLOC_FLAG_MASK);
+
+ /* we mark the freed memory with where we called the free
+ * from. This means on a double free error we can report where
+ * the first free came from
+ */
+ if (location) {
+ tc->name = location;
+ }
+}
+
+static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc)
+{
+ /*
+ * Mark this memory as not free.
+ *
+ * Why? This is memory either in a pool (and so available for
+ * talloc's re-use or after the realloc(). We need to mark
+ * the memory as free() before any realloc() call as we can't
+ * write to the memory after that.
+ *
+ * We put back the normal magic instead of the 'not random'
+ * magic.
+ */
+
+ tc->flags = talloc_magic |
+ ((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE);
+}
+
static void (*talloc_log_fn)(const char *message);

_PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message))
@@ -429,11 +472,6 @@ static void talloc_abort(const char *reason)
talloc_abort_fn(reason);
}

-static void talloc_abort_magic(unsigned magic)
-{
- talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
-}
-
static void talloc_abort_access_after_free(void)
{
talloc_abort("Bad talloc magic value - access after free");
@@ -450,19 +488,15 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
const char *pp = (const char *)ptr;
struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
- if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) {
- talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK));
- return NULL;
- }
-
- if (tc->flags & TALLOC_FLAG_FREE) {
+ if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
+ == (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE)) {
talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
talloc_abort_access_after_free();
return NULL;
- } else {
- talloc_abort_unknown_value();
- return NULL;
}
+
+ talloc_abort_unknown_value();
+ return NULL;
}
return tc;
}
@@ -947,13 +981,7 @@ static inline void _tc_free_poolmem(struct talloc_chunk *tc,
pool_tc = talloc_chunk_from_pool(pool);
next_tc = tc_next_chunk(tc);

- tc->flags |= TALLOC_FLAG_FREE;
-
- /* we mark the freed memory with where we called the free
- * from. This means on a double free error we can report where
- * the first free came from
- */
- tc->name = location;
+ _talloc_chunk_set_free(tc, location);

TC_INVALIDATE_FULL_CHUNK(tc);

@@ -1103,13 +1131,7 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,

_tc_free_children_internal(tc, ptr, location);

- tc->flags |= TALLOC_FLAG_FREE;
-
- /* we mark the freed memory with where we called the free
- * from. This means on a double free error we can report where
- * the first free came from
- */
- tc->name = location;
+ _talloc_chunk_set_free(tc, location);

if (tc->flags & TALLOC_FLAG_POOL) {
struct talloc_pool_hdr *pool;
@@ -1806,8 +1828,22 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
}
#endif

- /* by resetting magic we catch users of the old memory */
- tc->flags |= TALLOC_FLAG_FREE;
+ /*
+ * by resetting magic we catch users of the old memory
+ *
+ * We mark this memory as free, and also over-stamp the talloc
+ * magic with the old-style magic.
+ *
+ * Why? This tries to avoid a memory read use-after-free from
+ * disclosing our talloc magic, which would then allow an
+ * attacker to prepare a valid header and so run a destructor.
+ *
+ * What else? We have to re-stamp back a valid normal magic
+ * on this memory once realloc() is done, as it will have done
+ * a memcpy() into the new valid memory. We can't do this in
+ * reverse as that would be a real use-after-free.
+ */
+ _talloc_chunk_set_free(tc, NULL);

#if ALWAYS_REALLOC
if (pool_hdr) {
@@ -1906,7 +1942,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons

if (new_chunk_size == old_chunk_size) {
TC_UNDEFINE_GROW_CHUNK(tc, size);
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
tc->size = size;
return ptr;
}
@@ -1921,7 +1957,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons

if (space_left >= space_needed) {
TC_UNDEFINE_GROW_CHUNK(tc, size);
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
tc->size = size;
pool_hdr->end = tc_next_chunk(tc);
return ptr;
@@ -1951,12 +1987,24 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
got_new_ptr:
#endif
if (unlikely(!new_ptr)) {
- tc->flags &= ~TALLOC_FLAG_FREE;
+ /*
+ * Ok, this is a strange spot. We have to put back
+ * the old talloc_magic and any flags, except the
+ * TALLOC_FLAG_FREE as this was not free'ed by the
+ * realloc() call after all
+ */
+ _talloc_chunk_set_not_free(tc);
return NULL;
}

+ /*
+ * tc is now the new value from realloc(), the old memory we
+ * can't access any more and was preemptively marked as
+ * TALLOC_FLAG_FREE before the call. Now we mark it as not
+ * free again
+ */
tc = (struct talloc_chunk *)new_ptr;
- tc->flags &= ~TALLOC_FLAG_FREE;
+ _talloc_chunk_set_not_free(tc);
if (malloced) {
tc->flags &= ~TALLOC_FLAG_POOLMEM;
}
diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index dfaeec1..35309e2 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -2006,6 +2006,72 @@ static bool test_magic_protection(void)
return true;
}

+static void test_magic_free_protection_abort(const char *reason)
+{
+ /* exit with errcode 42 to communicate successful test to the parent process */
+ if (strcmp(reason, "Bad talloc magic value - access after free") == 0) {
+ _exit(42);
+ }
+ /* not 42 */
+ _exit(404);
+}
+
+static bool test_magic_free_protection(void)
+{
+ void *pool = talloc_pool(NULL, 1024);
+ int *p1, *p2, *p3;
+ pid_t pid;
+ int exit_status;
+
+ printf("test: magic_free_protection\n");
+ p1 = talloc(pool, int);
+ p2 = talloc(pool, int);
+
+ /* To avoid complaints from the compiler assign values to the p1 & p2. */
+ *p1 = 6;
+ *p2 = 9;
+
+ p3 = talloc_realloc(pool, p2, int, 2048);
+ torture_assert("pool realloc 2048",
+ p3 != p2,
+ "failed: pointer not changed");
+
+ /*
+ * Now access the memory in the pool after the realloc(). It
+ * should be marked as free, so use of the old pointer should
+ * trigger the abort function
+ */
+ pid = fork();
+ if (pid == 0) {
+ talloc_set_abort_fn(test_magic_free_protection_abort);
+
+ talloc_get_name(p2);
+
+ /* Never reached. Make compilers happy */
+ return true;
+ }
+
+ while (wait(&exit_status) != pid);
+
+ if (!WIFEXITED(exit_status)) {
+ printf("Child exited through unexpected abnormal means\n");
+ return false;
+ }
+ if (WEXITSTATUS(exit_status) != 42) {
+ printf("Child exited with wrong exit status\n");
+ return false;
+ }
+ if (WIFSIGNALED(exit_status)) {
+ printf("Child recieved unexpected signal\n");
+ return false;
+ }
+
+ talloc_free(pool);
+
+ printf("success: magic_free_protection\n");
+ return true;
+}
+
static void test_reset(void)
{
talloc_set_log_fn(test_log_stdout);
@@ -2092,6 +2158,8 @@ bool torture_local_talloc(struct torture_context *tctx)
ret &= test_autofree();
test_reset();
ret &= test_magic_protection();
+ test_reset();
+ ret &= test_magic_free_protection();

test_reset();
talloc_disable_null_tracking();
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index ab74e72..0afa162 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'talloc'
-VERSION = '2.1.10'
+VERSION = '2.1.11'


blddir = 'bin'
diff --git a/lib/tevent/ABI/tevent-0.9.31.sigs b/lib/tevent/ABI/tevent-0.9.35.sigs
similarity index 100%
copy from lib/tevent/ABI/tevent-0.9.31.sigs
copy to lib/tevent/ABI/tevent-0.9.35.sigs
diff --git a/lib/tevent/wscript b/lib/tevent/wscript
index 31f7ee7..2c67f1f 100644
--- a/lib/tevent/wscript
+++ b/lib/tevent/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python

APPNAME = 'tevent'
-VERSION = '0.9.34'
+VERSION = '0.9.35'

blddir = 'bin'

diff --git a/selftest/flapping.d/rfc2307 b/selftest/flapping.d/rfc2307
new file mode 100644
index 0000000..2e37edc
--- /dev/null
+++ b/selftest/flapping.d/rfc2307
@@ -0,0 +1 @@
+^idmap.rfc2307.Testing for expected group memberships
diff --git a/selftest/flapping.d/wbinfo b/selftest/flapping.d/wbinfo
new file mode 100644
index 0000000..8ccf2cb
--- /dev/null
+++ b/selftest/flapping.d/wbinfo
@@ -0,0 +1 @@
+^samba.blackbox.wbinfo\(ad_member:local\).confirm
diff --git a/selftest/flapping.d/whoami b/selftest/flapping.d/whoami
new file mode 100644
index 0000000..82f6356
--- /dev/null
+++ b/selftest/flapping.d/whoami
@@ -0,0 +1 @@
+^samba3.unix.whoami machine account.whoami\(nt4_member:local\)

The branch, master has been updated
via f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests
via ce884ee s3/smbd: Add new file information classes
via 4b25c9f vfs_default: use VFS statvfs macro in fs_capabilities
via 2724e0c vfs_ceph: add fs_capabilities hook to avoid local statvfs
from 3297f4c Mark wbinfo test flapping

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f1befc5d5371d531e9aa2b0df73c119b78c2b4cc
Author: Justin Maggard via samba-technical <samba-***@lists.samba.org>
Date: Tue Jan 9 12:04:16 2018 -0800

s3/smbd: Fix error code for unsupported SET_INFO requests

FileValidDataLengthInformation and FileShortNameInformation are both
valid FileInfoClasses that we don't support. According to [MS-SMB2]
3.3.5.21.1, we should be returning STATUS_NOT_SUPPORTED instead of
NT_STATUS_INVALID_LEVEL for these.

Signed-off-by: Justin Maggard <***@netgear.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Jeremy Allison <***@samba.org>
Autobuild-Date(master): Sat Jan 13 07:25:42 CET 2018 on sn-devel-144

commit ce884eeb491e53aab6feb4cb5f49fc61ed89c394
Author: Justin Maggard via samba-technical <samba-***@lists.samba.org>
Date: Tue Jan 9 12:04:15 2018 -0800

s3/smbd: Add new file information classes

Add definitions for missing file information classes documented in
[MS-FSCC] section 2.4.

Signed-off-by: Justin Maggard <***@netgear.com>
Reviewed-by: Jeremy Allison <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 4b25c9f4a4d336a16894452862ea059701b025de
Author: David Disseldorp <***@samba.org>
Date: Wed Jan 10 14:03:09 2018 +0100

vfs_default: use VFS statvfs macro in fs_capabilities

Currently the vfs_default fs_capabilities handler calls statvfs
directly, rather than calling the vfs macro. This behaviour may cause
issues for VFS modules that delegate fs_capabilities handling to
vfs_default but offer their own statvfs hook.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 2724e0cac29cd1632ea28075a740fcc888affb36
Author: David Disseldorp <***@samba.org>
Date: Wed Jan 10 01:37:14 2018 +0100

vfs_ceph: add fs_capabilities hook to avoid local statvfs

Adding the fs_capabilities() hook to the CephFS VFS module avoids
fallback to the vfs_default code-path, which calls statvfs() against the
share path on the *local* filesystem.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/include/trans2.h | 12 +++++++++++-
source3/modules/vfs_ceph.c | 15 +++++++++++++++
source3/modules/vfs_default.c | 14 +++++++-------
source3/smbd/trans2.c | 5 +++++
4 files changed, 38 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/trans2.h b/source3/include/trans2.h
index 3085344..ece436a 100644
--- a/source3/include/trans2.h
+++ b/source3/include/trans2.h
@@ -329,7 +329,17 @@ Byte offset Type name description
#define SMB_FILE_NETWORK_OPEN_INFORMATION 1034
#define SMB_FILE_ATTRIBUTE_TAG_INFORMATION 1035
#define SMB_FILE_TRACKING_INFORMATION 1036
-#define SMB_FILE_MAXIMUM_INFORMATION 1037
+#define SMB_FILE_ID_BOTH_DIRECTORY_INFORMATION 1037
+#define SMB_FILE_ID_FULL_DIRECTORY_INFORMATION 1038
+#define SMB_FILE_VALID_DATA_LENGTH_INFORMATION 1039
+#define SMB_FILE_SHORT_NAME_INFORMATION 1040
+#define SMB_FILE_SFIO_RESERVE_INFORMATION 1044
+#define SMB_FILE_SFIO_VOLUME_INFORMATION 1045
+#define SMB_FILE_HARD_LINK_INFORMATION 1046
+#define SMB_FILE_NORMALIZED_NAME_INFORMATION 1048
+#define SMB_FILE_ID_GLOBAL_TX_DIRECTORY_INFORMATION 1050
+#define SMB_FILE_STANDARD_LINK_INFORMATION 1054
+#define SMB_FILE_MAXIMUM_INFORMATION 1055

/* NT passthough levels for qfsinfo. */

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index b4a7cee..d612131 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -270,6 +270,20 @@ static int cephwrap_statvfs(struct vfs_handle_struct *handle,
return ret;
}

+static uint32_t cephwrap_fs_capabilities(struct vfs_handle_struct *handle,
+ enum timestamp_set_resolution *p_ts_res)
+{
+ uint32_t caps = FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES;
+
+#ifdef HAVE_CEPH_STATX
+ *p_ts_res = TIMESTAMP_SET_NT_OR_BETTER;
+#else
+ *p_ts_res = TIMESTAMP_SET_MSEC;
+#endif
+
+ return caps;
+}
+
/* Directory operations */

static DIR *cephwrap_opendir(struct vfs_handle_struct *handle,
@@ -1399,6 +1413,7 @@ static struct vfs_fn_pointers ceph_fns = {
.get_quota_fn = cephwrap_get_quota,
.set_quota_fn = cephwrap_set_quota,
.statvfs_fn = cephwrap_statvfs,
+ .fs_capabilities_fn = cephwrap_fs_capabilities,

/* Directory operations */

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 073c790..a26bec4 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -129,8 +129,14 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle,
struct vfs_statvfs_struct statbuf;
int ret;

+ smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath,
+ NULL, NULL, 0);
+ if (smb_fname_cpath == NULL) {
+ return caps;
+ }
+
ZERO_STRUCT(statbuf);
- ret = sys_statvfs(conn->connectpath, &statbuf);
+ ret = SMB_VFS_STATVFS(conn, smb_fname_cpath, &statbuf);
if (ret == 0) {
caps = statbuf.FsCapabilities;
}
@@ -140,12 +146,6 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle,
/* Work out what timestamp resolution we can
* use when setting a timestamp. */

- smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath,
- NULL, NULL, 0);
- if (smb_fname_cpath == NULL) {
- return caps;
- }
-
ret = SMB_VFS_STAT(conn, smb_fname_cpath);
if (ret == -1) {
TALLOC_FREE(smb_fname_cpath);
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index dbad71b..512918e 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -8541,6 +8541,11 @@ NTSTATUS smbd_do_setfilepathinfo(connection_struct *conn,
break;
}

+ /* [MS-SMB2] 3.3.5.21.1 states we MUST fail with STATUS_NOT_SUPPORTED. */
+ case SMB_FILE_VALID_DATA_LENGTH_INFORMATION:
+ case SMB_FILE_SHORT_NAME_INFORMATION:
+ return NT_STATUS_NOT_SUPPORTED;
+
/*
* CIFS UNIX extensions.
*/

The branch, master has been updated
via e43ee33 winbindd: set info6 data in append_info3_as_txt
via c8f76bf nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6
via 59cb1f6 nsswitch: add "validation_level" and "info6" to winbindd_response
via 7290b5c winbindd: pass validation in append_info3_as_txt
via 194a9e4 winbindd: pass down validation to append_auth_data()
via 7b30f69 winbindd: simplify an if condition in winbindd_dual_pam_auth
via f153c95 winbindd: let winbind_dual_SamLogon return validation
via 1337104 winbindd: remove a space in winbind_dual_SamLogon
via 13d0d52 winbindd: let winbindd_dual_pam_auth_samlogon() return validation info
via cc3ee55 winbindd: let winbind_samlogon_retry_loop return validation info
via aae75d1 winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon
via 489e942 s3/rpc_client: return validation from rpccli_netlogon functions
via 7082ebb s3/rpc_client: add map_info3_to_validation()
via 7eed166 s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon
via a001f4b s3/rpc_client: in map_validation_to_info3() make a deep copy
via 158c890 s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
via a1a9feb winbindd: prevent long lines in a later commit
via e9a9a94 winbindd: simplify if condition in find_domain_from_name_noinit()
via 751fa04 winbindd: remove an else branch
via ca4d5ea winbindd: remove a space
via 5812c7c winbindd: fix overly long lines
via ef27942 s3/rpc_client: fix overly long lines
via dcb45d5 s3/torture: fix an error message
via 561a3b7 s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes
via 98ba88a params: mark "ldap ssl ads" as deprecated
via a79df4e7 params: mark "unicode" parameter as deprecated
from f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e43ee33a1b715bbf4026a35ca9b400f8b8b6fec3
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:34:28 2017 +0100

winbindd: set info6 data in append_info3_as_txt

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Sat Jan 13 12:53:59 CET 2018 on sn-devel-144

commit c8f76bfd7223512074d38379593969595642a0f8
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 23:26:33 2017 +0100

nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 59cb1f6f9c3817bc436746e6f29fd44855451838
Author: Ralph Boehme <***@samba.org>
Date: Wed Jan 10 10:20:46 2018 +0100

nsswitch: add "validation_level" and "info6" to winbindd_response

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7290b5cf67e7008cc14ce37a77ea163f47b2183f
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:34:15 2017 +0100

winbindd: pass validation in append_info3_as_txt

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 194a9e4907ade9558e3bf8ebc29d147b5385a3ed
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 10:27:12 2017 +0100

winbindd: pass down validation to append_auth_data()

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7b30f698334e2fc7bc237a45057246c122ede826
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 18:57:53 2018 +0100

winbindd: simplify an if condition in winbindd_dual_pam_auth

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit f153c95176b7759e10996b24b66d9917945372ed
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 16:25:35 2017 +0100

winbindd: let winbind_dual_SamLogon return validation

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 1337104caa26cd3c2155557ae137a7753b15dd83
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 23:11:44 2017 +0100

winbindd: remove a space in winbind_dual_SamLogon

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 13d0d524c46cc3ec61b73d1e74323b403c8eb040
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 15:54:36 2017 +0100

winbindd: let winbindd_dual_pam_auth_samlogon() return validation info

Pass up validation info instead of info3. No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit cc3ee55ae7f9dd3d16a7f580048295559c3c58f1
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 23:26:38 2017 +0100

winbindd: let winbind_samlogon_retry_loop return validation info

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <***@samba.org>

commit aae75d124a5555f1cb5bb1b3f081a9f09b51beb3
Author: Ralph Boehme <***@samba.org>
Date: Tue Jan 9 16:58:06 2018 +0100

winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon

result is already checked a few lines above.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 489e942aa99d8f8a37ce2286923d8c97e97a4181
Author: Ralph Boehme <***@samba.org>
Date: Thu Nov 30 23:35:40 2017 +0100

s3/rpc_client: return validation from rpccli_netlogon functions

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7082ebbbfb6db036655b63f84c39b6406b963a23
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 15:18:58 2017 +0100

s3/rpc_client: add map_info3_to_validation()

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 7eed1661f61bdd946457fc1b3a968dbdf827956b
Author: Ralph Boehme <***@samba.org>
Date: Thu Nov 30 23:19:07 2017 +0100

s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon

Will be needed in the next commit.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a001f4b5090e391479565e89d16dabe036c54cf0
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 22:04:47 2017 +0100

s3/rpc_client: in map_validation_to_info3() make a deep copy

In later commits we want to map a validation to info3 without modifying
the validation data. Otherwise no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 158c89068b5f0ebd10e41f578530e3210fc1d8b3
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 2 22:35:36 2017 +0100

s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon

The next commit will add an additional caller that in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a1a9feb72001e9107d339555d2d7593c8be637ca
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 08:26:59 2017 +0100

winbindd: prevent long lines in a later commit

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit e9a9a94d84d5ca038c95666da831ea04260b1d17
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 12:23:50 2017 +0100

winbindd: simplify if condition in find_domain_from_name_noinit()

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 751fa043f35bf165662267c87a81342f282b04f0
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 11:40:47 2017 +0100

winbindd: remove an else branch

No change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ca4d5ea362bc8b0f1d348f465831c77922437171
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 10:32:41 2017 +0100

winbindd: remove a space

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 5812c7cb5cb5aef919302806b871869161d5100e
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 07:59:50 2017 +0100

winbindd: fix overly long lines

Just another long lines cleanup. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ef27942146a078733b157e64521d98b5499fd837
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 1 07:58:07 2017 +0100

s3/rpc_client: fix overly long lines

Just long lines cleanup, no further changes. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit dcb45d5c2071ef4d5c7da1534c9e23805a22bc3b
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 9 19:27:22 2017 +0100

s3/torture: fix an error message

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 561a3b7e70f7d6840a89ad9757722eb5435eb062
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Dec 4 15:21:50 2017 +0100

s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 98ba88a7e4dc4c5d5f5bddfc2dd0340b2e4efe78
Author: Björn Jacke <***@samba.org>
Date: Wed Jan 10 16:17:30 2018 +0100

params: mark "ldap ssl ads" as deprecated

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit a79df4e7ce8d893a17185aac63f185892f45ab62
Author: Björn Jacke <***@samba.org>
Date: Wed Jan 10 16:05:39 2018 +0100

params: mark "unicode" parameter as deprecated

Signed-off-by: Bjoern Jacke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/smbdotconf/ldap/ldapsslads.xml | 1 +
docs-xml/smbdotconf/protocol/unicode.xml | 1 +
nsswitch/libwbclient/wbc_pam.c | 14 +-
nsswitch/winbind_struct_protocol.h | 10 +-
source3/auth/auth_util.c | 1 +
source3/auth/proto.h | 2 -
source3/auth/server_info.c | 42 ---
source3/include/vfs.h | 5 -
source3/rpc_client/cli_netlogon.c | 74 +-----
source3/rpc_client/cli_netlogon.h | 54 ++--
source3/rpc_client/util_netlogon.c | 141 +++++++++++
source3/rpc_client/util_netlogon.h | 10 +
source3/rpcclient/cmd_netlogon.c | 14 +-
source3/torture/pdbtest.c | 2 +-
source3/winbindd/winbindd_dual_srv.c | 20 +-
source3/winbindd/winbindd_pam.c | 407 +++++++++++++++++++++++-------
source3/winbindd/winbindd_pam_auth_crap.c | 23 +-
source3/winbindd/winbindd_proto.h | 6 +-
source3/winbindd/winbindd_util.c | 10 +-
19 files changed, 587 insertions(+), 250 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 4fdf4dc..98c3965 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -1,6 +1,7 @@
<samba:parameter name="ldap ssl ads"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option is used to define whether or not Samba should
diff --git a/docs-xml/smbdotconf/protocol/unicode.xml b/docs-xml/smbdotconf/protocol/unicode.xml
index 86fb06c..25810cd 100644
--- a/docs-xml/smbdotconf/protocol/unicode.xml
+++ b/docs-xml/smbdotconf/protocol/unicode.xml
@@ -1,6 +1,7 @@
<samba:parameter name="unicode"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>Specifies whether the server and client should support unicode.</para>
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index c31220a..e4cd296 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -100,12 +100,22 @@ static wbcErr wbc_create_auth_info(const struct winbindd_response *resp,

i->account_name = strdup(resp->data.auth.info3.user_name);
BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
- i->user_principal= NULL;
+ if (resp->data.auth.validation_level == 6) {
+ i->user_principal = strdup(resp->data.auth.info6.principal_name);
+ BAIL_ON_PTR_ERROR(i->user_principal, wbc_status);
+ } else {
+ i->user_principal = NULL;
+ }
i->full_name = strdup(resp->data.auth.info3.full_name);
BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
i->domain_name = strdup(resp->data.auth.info3.logon_dom);
BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
- i->dns_domain_name= NULL;
+ if (resp->data.auth.validation_level == 6) {
+ i->dns_domain_name = strdup(resp->data.auth.info6.dns_domainname);
+ BAIL_ON_PTR_ERROR(i->dns_domain_name, wbc_status);
+ } else {
+ i->dns_domain_name = NULL;
+ }

i->acct_flags = resp->data.auth.info3.acct_flags;
memcpy(i->user_session_key,
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index 9100dbc..3f3ebd0 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -59,8 +59,9 @@ typedef char fstring[FSTRING_LEN];
* removed WINBINDD_GID_TO_SID
* removed WINBINDD_UID_TO_SID
* 29: added "authoritative" to response.data.auth
+ * 30: added "validation_level" and "info6" to response.data.auth
*/
-#define WINBIND_INTERFACE_VERSION 29
+#define WINBIND_INTERFACE_VERSION 30

/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
On a 64bit Linux box, we have to support a constant structure size
@@ -434,7 +435,8 @@ struct winbindd_response {
fstring krb5ccname;
uint32_t reject_reason;
uint8_t authoritative;
- uint8_t padding[3];
+ uint8_t padding[1];
+ uint16_t validation_level;
struct policy_settings {
uint32_t min_length_password;
uint32_t password_history;
@@ -468,6 +470,10 @@ struct winbindd_response {
fstring logon_srv;
fstring logon_dom;
} info3;
+ struct info6_text {
+ fstring dns_domainname;
+ fstring principal_name;
+ } info6;
fstring unix_username;
} auth;
struct {
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 464fe25..5bb5a69 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -36,6 +36,7 @@
#include "../librpc/gen_ndr/idmap.h"
#include "lib/param/loadparm.h"
#include "../lib/tsocket/tsocket.h"
+#include "rpc_client/util_netlogon.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 996b432..e774670 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -322,8 +322,6 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3,
struct extra_auth_info *extra);
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig);

/* The following definitions come from auth/pampass.c */

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 8461d20..20d43d2 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -711,45 +711,3 @@ done:

return status;
}
-
-#undef RET_NOMEM
-
-#define RET_NOMEM(ptr) do { \
- if (!ptr) { \
- TALLOC_FREE(info3); \
- return NULL; \
- } } while(0)
-
-struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- const struct netr_SamInfo3 *orig)
-{
- struct netr_SamInfo3 *info3;
- unsigned int i;
- NTSTATUS status;
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (!info3) return NULL;
-
- status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return NULL;
- }
-
- if (orig->sidcount) {
- info3->sidcount = orig->sidcount;
- info3->sids = talloc_array(info3, struct netr_SidAttr,
- orig->sidcount);
- RET_NOMEM(info3->sids);
- for (i = 0; i < orig->sidcount; i++) {
- info3->sids[i].sid = dom_sid_dup(info3->sids,
- orig->sids[i].sid);
- RET_NOMEM(info3->sids[i].sid);
- info3->sids[i].attributes =
- orig->sids[i].attributes;
- }
- }
-
- return info3;
-}
-
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index a201749..bb4a135 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -1474,11 +1474,6 @@ int smb_vfs_call_fsetxattr(struct vfs_handle_struct *handle,
const void *value, size_t size, int flags);
bool smb_vfs_call_aio_force(struct vfs_handle_struct *handle,
struct files_struct *fsp);
-bool smb_vfs_call_is_offline(struct vfs_handle_struct *handle,
- const struct smb_filename *fname,
- SMB_STRUCT_STAT *sbuf);
-int smb_vfs_call_set_offline(struct vfs_handle_struct *handle,
- const struct smb_filename *fname);
NTSTATUS smb_vfs_call_durable_cookie(struct vfs_handle_struct *handle,
struct files_struct *fsp,
TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a67b692..800b995 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -447,53 +447,6 @@ fail:
return status;
}

-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
- uint16_t validation_level,
- union netr_Validation *validation,
- struct netr_SamInfo3 **info3_p)
-{
- struct netr_SamInfo3 *info3;
- NTSTATUS status;
-
- if (validation == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- switch (validation_level) {
- case 3:
- if (validation->sam3 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_move(mem_ctx, &validation->sam3);
- break;
- case 6:
- if (validation->sam6 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (info3 == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return status;
- }
-
- info3->sidcount = validation->sam6->sidcount;
- info3->sids = talloc_move(info3, &validation->sam6->sids);
- break;
- default:
- return NT_STATUS_BAD_VALIDATION_CLASS;
- }
-
- *info3_p = info3;
-
- return NT_STATUS_OK;
-}
-
/* Logon domain user */

NTSTATUS rpccli_netlogon_password_logon(
@@ -508,7 +461,8 @@ NTSTATUS rpccli_netlogon_password_logon(
enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
- struct netr_SamInfo3 **info3)
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
@@ -619,7 +573,7 @@ NTSTATUS rpccli_netlogon_password_logon(
binding_handle,
logon_type,
logon,
- frame,
+ mem_ctx,
&validation_level,
&validation,
authoritative,
@@ -629,14 +583,9 @@ NTSTATUS rpccli_netlogon_password_logon(
return status;
}

- status = map_validation_to_info3(mem_ctx,
- validation_level, validation,
- info3);
TALLOC_FREE(frame);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
+ *_validation_level = validation_level;
+ *_validation = validation;

return NT_STATUS_OK;
}
@@ -661,7 +610,8 @@ NTSTATUS rpccli_netlogon_network_logon(
DATA_BLOB nt_response,
uint8_t *authoritative,
uint32_t *flags,
- struct netr_SamInfo3 **info3)
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
{
NTSTATUS status;
const char *workstation_name_slash;
@@ -672,7 +622,7 @@ NTSTATUS rpccli_netlogon_network_logon(
struct netr_ChallengeResponse lm;
struct netr_ChallengeResponse nt;

- *info3 = NULL;
+ *_validation = NULL;

ZERO_STRUCT(lm);
ZERO_STRUCT(nt);
@@ -733,12 +683,8 @@ NTSTATUS rpccli_netlogon_network_logon(
return status;
}

- status = map_validation_to_info3(mem_ctx,
- validation_level, validation,
- info3);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ *_validation_level = validation_level;
+ *_validation = validation;

return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index da562e0..d31bdee 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -59,30 +59,34 @@ NTSTATUS rpccli_connect_netlogon(
bool force_reauth,
struct cli_credentials *trust_creds,
struct rpc_pipe_client **_rpccli);
-NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *domain,
- const char *username,
- const char *password,
- const char *workstation,
- enum netr_LogonInfoClass logon_type,
- uint8_t *authoritative,
- uint32_t *flags,
- struct netr_SamInfo3 **info3);
-NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
- struct dcerpc_binding_handle *binding_handle,
- TALLOC_CTX *mem_ctx,
- uint32_t logon_parameters,
- const char *username,
- const char *domain,
- const char *workstation,
- const uint8_t chal[8],
- DATA_BLOB lm_response,
- DATA_BLOB nt_response,
- uint8_t *authoritative,
- uint32_t *flags,
- struct netr_SamInfo3 **info3);
+NTSTATUS rpccli_netlogon_password_logon(
+ struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ const char *workstation,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);
+NTSTATUS rpccli_netlogon_network_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8_t chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);

#endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index d22078b..ac804f8 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -61,3 +61,144 @@ NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,

return NT_STATUS_OK;
}
+
+#undef RET_NOMEM
+
+#define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+ return NULL; \
+ } } while(0)
+
+struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo3 *orig)
+{
+ struct netr_SamInfo3 *info3;
+ unsigned int i;
+ NTSTATUS status;
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (!info3) return NULL;
+
+ status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return NULL;
+ }
+
+ if (orig->sidcount) {
+ info3->sidcount = orig->sidcount;
+ info3->sids = talloc_array(info3, struct netr_SidAttr,
+ orig->sidcount);
+ RET_NOMEM(info3->sids);
+ for (i = 0; i < orig->sidcount; i++) {
+ info3->sids[i].sid = dom_sid_dup(info3->sids,
+ orig->sids[i].sid);
+ RET_NOMEM(info3->sids[i].sid);
+ info3->sids[i].attributes =
+ orig->sids[i].attributes;
+ }
+ }
+
+ return info3;
+}
+
+NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ struct netr_SamInfo3 **info3_p)
+{
+ struct netr_SamInfo3 *info3;
+ struct netr_SamInfo6 *info6 = NULL;
+ NTSTATUS status;
+
+ if (validation == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (validation_level) {
+ case 3:
+ if (validation->sam3 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ info3 = copy_netr_SamInfo3(mem_ctx, validation->sam3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ break;
+ case 6:
+ if (validation->sam6 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ info6 = validation->sam6;
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = copy_netr_SamBaseInfo(info3,
+ &info6->base,
+ &info3->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+
+ if (validation->sam6->sidcount > 0) {
+ int i;
+
+ info3->sidcount = info6->sidcount;
+
+ info3->sids = talloc_array(info3,
+ struct netr_SidAttr,
+ info3->sidcount);
+ if (info3->sids == NULL) {
+ TALLOC_FREE(info3);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < info3->sidcount; i++) {
+ info3->sids[i].sid = dom_sid_dup(
+ info3->sids, info6->sids[i].sid);
+ if (info3->sids[i].sid == NULL) {
+ TALLOC_FREE(info3);
+ return NT_STATUS_NO_MEMORY;
+ }
+ info3->sids[i].attributes =
+ info6->sids[i].attributes;
+ }
+ }
+ break;
+ default:
+ return NT_STATUS_BAD_VALIDATION_CLASS;
+ }
+
+ *info3_p = info3;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS map_info3_to_validation(TALLOC_CTX *mem_ctx,

The branch, master has been updated
via 4b17d36 WHATSNEW: document some more new options
via b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
via 9fb3637 winbindd: add more trust types to get_trust_type_string
via 95e3307 libwbclient: add more trust types
via 05558dd wbinfo: support for local, workstation and routed trust types
via ec85579 libwbclient: add trust routing and more trust-types
via f12a43f winbindd: fix trust_is_oubound()
via 09021f9 winbindd: fix trust_is_inbound()
via a39cf19 winbindd: transitive trust logic in trust_is_transitive()
via 939592c winbindd: use add_trusted_domain_from_auth
via f4d27f2 winbindd: add add_trusted_domain_from_auth
via b2ea360 winbindd: add set_routing_domain()
via 2e644af winbindd: add find_default_route_domain()
via 40c9115 winbindd: avoid automatic enumerating trusts on DCs
via 29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list()
via fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
via f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
via a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
via 3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
via 6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
via f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
via 8fde1c6 s3/torture/pdbtest: delete trusted domain at test end
via f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID
via 4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust
via 2385e71 winbindd: add find_trust_from_{name,sid}_noinit()
via b724e01 winbindd: remember the secure_channel_type in winbindd_domain
via 5bf2979 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
via 8587445 winbindd: initialize some stack pointers to NULL
via 126d6ce winbindd: rename alternative_name to dns_name
via 5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
via c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc()
from e43ee33 winbindd: set info6 data in append_info3_as_txt

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b17d365bc8df7860ee28b5b0e1f53a9acf2b69d
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Jan 11 12:46:24 2018 +0100

WHATSNEW: document some more new options

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

commit b4e1e3019a1475cb8c1e3ab9314693d6ed130923
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 16:02:28 2017 +0100

winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 9fb36370a57904770e1c9ca96279a1854481d3f3
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 08:53:16 2017 +0100

winbindd: add more trust types to get_trust_type_string

Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC"´and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 95e3307917b5731ab883ee5fce530c5b559b4934
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 16:01:50 2017 +0100

libwbclient: add more trust types

Prepare libwbclient for additional trust types and trust routing.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 05558ddd7e91643c9b8bca92271252e6f5494b69
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 16:02:22 2017 +0100

wbinfo: support for local, workstation and routed trust types

Prepare wbinfo for additional trust types and trust routing.

This also modifies the output line for a "None" trust type by skipping
the transitivity and direction -- that just doesn't make sense without a
trust.

Signed-off-by: Ralph Boehme <***@samba.org>

commit ec85579d87aafba3a78ddd326cf125909007c349
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 19 17:26:46 2017 +0100

libwbclient: add trust routing and more trust-types

This adds the struct member and the defines, the implementation comes
later.

Signed-off-by: Ralph Boehme <***@samba.org>

commit f12a43f4876b4a6bf556ea760ffe8e21f2acacf8
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:46:03 2017 +0100

winbindd: fix trust_is_oubound()

A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 09021f920faba4dc4d2b2e1c0d3d4432e1a759d5
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:44:41 2017 +0100

winbindd: fix trust_is_inbound()

A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <***@samba.org>

commit a39cf19c2514d8f249951b77078683dd6a53504e
Author: Ralph Boehme <***@samba.org>
Date: Tue Nov 28 17:32:59 2017 +0100

winbindd: transitive trust logic in trust_is_transitive()

trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transative,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <***@samba.org>

commit 939592c660263b6f9969c30e4c6a1903fcc75831
Author: Ralph Boehme <***@samba.org>
Date: Wed Nov 29 10:55:25 2017 +0100

winbindd: use add_trusted_domain_from_auth

After a successfully authentication, ensure we have the users domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <***@samba.org>

commit f4d27f2bf9a32fec02da01351fa5af3867f4b1f7
Author: Ralph Boehme <***@samba.org>
Date: Wed Nov 29 10:10:38 2017 +0100

winbindd: add add_trusted_domain_from_auth

Function to add a new trusted domain to the domain list and TDC after an
successfull authentication. On Member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <***@samba.org>

commit b2ea3606a7f7325b0e2f5fae46346f8fbf489177
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 17:11:25 2017 +0100

winbindd: add set_routing_domain()

commit 2e644af16428ff6421459020a54cf20c296bc4df
Author: Ralph Boehme <***@samba.org>
Date: Wed Dec 13 17:08:10 2017 +0100

winbindd: add find_default_route_domain()

On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forrest this would
be the parent domain.

Signed-off-by: Ralph Boehme <***@samba.org>

commit 40c91150e36e5818d4a4f25429ed600762cfd49b
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 16:02:28 2017 +0100

winbindd: avoid automatic enumerating trusts on DCs

We have a static list of trust based on our configuration.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 29e6d55909be1f17ffc140481a90000c1475e92e
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:55:12 2017 +0100

winbindd: load the trusted domains on a DC already in init_domain_list()

We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit fa3b81b21c99093c531181acaac375b99c0816c6
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 19 23:44:00 2017 +0100

pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX

Signed-off-by: Ralph Boehme <***@samba.org>

commit f8bcd37058579ed435daebefd47efe374e9084d2
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:57:27 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain

Signed-off-by: Ralph Boehme <***@samba.org>

commit a55643701b7d1c8c51ef15484af9bf8bebce065d
Author: Ralph Boehme <***@samba.org>
Date: Sun Dec 10 20:03:37 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain

Signed-off-by: Ralph Boehme <***@samba.org>

commit 3091ea3b7a4f19f81b9a545ccc64f80e382e04ef
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 08:41:29 2017 +0100

pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6f9232e26c8b4d4595c339d95977c9b1ca94a601
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 07:59:59 2017 +0100

pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f362387352645c2252bd2412b0a25f7b085c8bc7
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 1 08:33:51 2017 +0100

s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 8fde1c641da4ba23342bf36226ab9291a79acbad
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:56:40 2017 +0100

s3/torture/pdbtest: delete trusted domain at test end

Signed-off-by: Ralph Boehme <***@samba.org>

commit f1bd7c8bb48abc8fabb8374f549b888fbdd3036c
Author: Ralph Boehme <***@samba.org>
Date: Mon Dec 11 07:56:02 2017 +0100

s3/torture/pdbtest: creating a trusted domain requires a valid SID

Signed-off-by: Ralph Boehme <***@samba.org>

commit 4b0641bf10f7561771cee2581e1d7fc4e183c826
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 30 13:04:56 2017 +0100

winbindd: use find_trust_from_name_noinit when we require a direct trust

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 2385e719ba4835ca254eedbdfeffdd875912ec27
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:23:36 2017 +0100

winbindd: add find_trust_from_{name,sid}_noinit()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b724e01ec767caebbfa3723d8346d640a511ded1
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 29 15:10:38 2017 +0100

winbindd: remember the secure_channel_type in winbindd_domain

This way we have an indication of non direct trusts with
SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5bf2979bb6e22c6d3f7565c13329aa60fdce4e0f
Author: Ralph Boehme <***@samba.org>
Date: Sat Dec 16 11:34:23 2017 +0100

winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()

This extends add_trusted_domain() to be a the one true one-stop function
to add winbindd domain.

add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
in the winbindd domain which made it hard to track which attributes
would be required and which are optional.

Pair-programmed-with: Stefan Metzmacher <***@samba.org>

Signed-off-by: Ralph Boehme <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 85874458852697df8f7c45fb9e7f848367d07a07
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 12:14:57 2018 +0100

winbindd: initialize some stack pointers to NULL

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 126d6ceecfc4371187eec3497a5bae09ec0d159a
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Jan 10 12:14:57 2018 +0100

winbindd: rename alternative_name to dns_name

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 5ffade7b29292c671aca51bd82e25de8723d6852
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 15 21:13:52 2017 +0100

winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()

Unique key for domains is the NetBIOS name, period. If the the caller
passes a domain name that matches a different domains DNS name or vice
versa, that is an error. The same applies to SIDs.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit c7c06fd23813a61fdb10745e3ee2838206319bdd
Author: Ralph Boehme <***@samba.org>
Date: Fri Dec 15 21:09:15 2017 +0100

winbindd: enforce valid SID in add_trusted_domain_from_tdc()

It's the callers responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
desaster.

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 21 +-
.../winbind/winbindscantrusteddomains.xml | 29 +
lib/param/loadparm.c | 1 +
nsswitch/libwbclient/wbc_util.c | 16 +-
nsswitch/libwbclient/wbclient.h | 7 +
nsswitch/wbinfo.c | 21 +-
source3/param/loadparm.c | 1 +
source3/passdb/pdb_samba_dsdb.c | 877 ++++++++++++++++++++-
source3/torture/pdbtest.c | 13 +
source3/winbindd/winbindd.c | 15 +-
source3/winbindd/winbindd.h | 2 +
source3/winbindd/winbindd_irpc.c | 2 +-
source3/winbindd/winbindd_misc.c | 211 ++++-
source3/winbindd/winbindd_pam_auth.c | 15 +
source3/winbindd/winbindd_pam_auth_crap.c | 24 +-
source3/winbindd/winbindd_ping_dc.c | 2 +-
source3/winbindd/winbindd_proto.h | 8 +
source3/winbindd/winbindd_util.c | 711 +++++++++++++----
source4/dsdb/common/util_trusts.c | 65 ++
19 files changed, 1853 insertions(+), 188 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 94278b3..f1e43f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -95,15 +95,18 @@ smb.conf changes
client schannel Default changed/ yes
Deprecated
gpo update command New
+ ldap ssl ads Deprecated
map untrusted to domain Removed
oplock contention limit Removed
- prefork children New 1
+ prefork children New 1
mdns name Added netbios
fruit:time machine Added false
profile acls Removed
use spnego Removed
server schannel Default changed/ yes
Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
winbind trusted domains only Removed


@@ -150,6 +153,22 @@ reversed to match the parameter ordering of the UNIX extensions
'symlink' command. The usage message for this command has also
been improved to remove confusion.

+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
REMOVED FEATURES
================

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..31afdc9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
+ <constant>domain</constant> or <constant>ads</constant>.
+ If it is set to yes (the default), winbindd periodically tries to scan for new
+ trusted domains and adds them to a global list inside of winbindd.
+ The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+ This matches the behaviour of Samba 4.7 and older.</para>
+
+ <para>The construction of that global list is not reliable and often
+ incomplete in complex trust setups. In most situations the list is
+ not needed any more for winbindd to operate correctly.
+ E.g. for plain file serving via SMB using a simple idmap setup
+ with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+ However some more complex setups require the list, e.g.
+ if you specify idmap backends for specific domains.
+ Some pam_winbind setups may also require the global list.</para>
+
+ <para>If you have a setup that doesn't require the global list, you should set
+ <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a18407d..f265459 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)

lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+ lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c
index 3dab0a2..ecfcaa0 100644
--- a/nsswitch/libwbclient/wbc_util.c
+++ b/nsswitch/libwbclient/wbc_util.c
@@ -455,8 +455,22 @@ static wbcErr process_domain_info_string(struct wbcDomainInfo *info,
*s = '\0';
s++;

- if (strcmp(r, "None") == 0) {
+ if (strcmp(r, "Local") == 0) {
info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+ } else if (strncmp(r, "Routed", strlen("Routed")) == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+ info->trust_routing = strdup(r);
+ BAIL_ON_PTR_ERROR(info->trust_routing, wbc_status);
+ } else if (strcmp(r, "Local") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_LOCAL;
+ } else if (strcmp(r, "Workstation") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_WKSTA;
+ } else if (strcmp(r, "RWDC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_RWDC;
+ } else if (strcmp(r, "RODC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_RODC;
+ } else if (strcmp(r, "PDC") == 0) {
+ info->trust_type = WBC_DOMINFO_TRUSTTYPE_PDC;
} else if (strcmp(r, "External") == 0) {
info->trust_type = WBC_DOMINFO_TRUSTTYPE_EXTERNAL;
} else if (strcmp(r, "Forest") == 0) {
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index ed97a67..81a6a6a 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -187,6 +187,7 @@ struct wbcDomainInfo {
uint32_t domain_flags;
uint32_t trust_flags;
uint32_t trust_type;
+ char *trust_routing;
};

/* wbcDomainInfo->domain_flags */
@@ -209,6 +210,12 @@ struct wbcDomainInfo {
#define WBC_DOMINFO_TRUSTTYPE_FOREST 0x00000001
#define WBC_DOMINFO_TRUSTTYPE_IN_FOREST 0x00000002
#define WBC_DOMINFO_TRUSTTYPE_EXTERNAL 0x00000003
+#define WBC_DOMINFO_TRUSTTYPE_LOCAL 0x00000004
+#define WBC_DOMINFO_TRUSTTYPE_WKSTA 0x00000005
+#define WBC_DOMINFO_TRUSTTYPE_RWDC 0x00000006
+#define WBC_DOMINFO_TRUSTTYPE_RODC 0x00000007
+#define WBC_DOMINFO_TRUSTTYPE_PDC 0x00000008
+

/**
* @brief Generic Blob
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9cd299a..54d5758 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -536,7 +536,26 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose)

switch(domain_list[i].trust_type) {
case WBC_DOMINFO_TRUSTTYPE_NONE:
- d_printf("None ");
+ if (domain_list[i].trust_routing != NULL) {
+ d_printf("%s\n", domain_list[i].trust_routing);
+ } else {
+ d_printf("None\n");
+ }
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_LOCAL:
+ d_printf("Local\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_RWDC:
+ d_printf("RWDC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_RODC:
+ d_printf("RODC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_PDC:
+ d_printf("PDC\n");
+ continue;
+ case WBC_DOMINFO_TRUSTTYPE_WKSTA:
+ d_printf("Workstation ");
break;
case WBC_DOMINFO_TRUSTTYPE_FOREST:
d_printf("Forest ");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 582c875..f1f453e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;
+ Globals.winbind_scan_trusted_domains = true;

Globals.idmap_cache_time = 86400 * 7; /* a week by default */
Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 58168d8..16a7a85 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -40,6 +40,8 @@
#include "source4/auth/auth_sam.h"
#include "auth/credentials/credentials.h"
#include "lib/util/base64.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "lib/util/util_ldb.h"

struct pdb_samba_dsdb_state {
struct tevent_context *ev;
@@ -2132,7 +2134,7 @@ static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid

static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
{
- return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
+ return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
}

static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid)
@@ -2878,11 +2880,871 @@ static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,

static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
TALLOC_CTX *mem_ctx,
- uint32_t *num_domains,
- struct trustdom_info ***domains)
+ uint32_t *_num_domains,
+ struct trustdom_info ***_domains)
{
- *num_domains = 0;
- *domains = NULL;
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustDirection",
+ NULL
+ };
+ struct ldb_result *res = NULL;
+ unsigned int i;
+ struct trustdom_info **domains = NULL;
+ NTSTATUS status;
+ uint32_t di = 0;
+
+ *_num_domains = 0;
+ *_domains = NULL;
+
+ status = dsdb_trust_search_tdos(state->ldb, NULL,
+ attrs, tmp_ctx, &res);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ if (res->count == 0) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ domains = talloc_zero_array(tmp_ctx, struct trustdom_info *,
+ res->count);
+ if (domains == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < res->count; i++) {
+ struct ldb_message *msg = res->msgs[i];
+ struct trustdom_info *d = NULL;
+ const char *name = NULL;
+ struct dom_sid *sid = NULL;
+ uint32_t direction;
+
+ d = talloc_zero(domains, struct trustdom_info);
+ if (d == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ name = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+ if (name == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ sid = samdb_result_dom_sid(msg, msg, "securityIdentifier");
+ if (sid == NULL) {
+ continue;
+ }
+
+ direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+ if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+ continue;
+ }
+
+ d->name = talloc_strdup(d, name);
+ if (d->name == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ d->sid = *sid;
+
+ domains[di++] = d;
+ }
+
+ talloc_realloc(domains, domains, struct trustdom_info *, di);
+ *_domains = talloc_move(mem_ctx, &domains);
+ *_num_domains = di;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg,
+ TALLOC_CTX *mem_ctx,
+ struct pdb_trusted_domain **_d)
+{
+ struct pdb_trusted_domain *d = NULL;
+ const char *str = NULL;
+ struct dom_sid *sid = NULL;
+ const struct ldb_val *val = NULL;
+ uint64_t val64;
+
+ *_d = NULL;
+
+ d = talloc_zero(mem_ctx, struct pdb_trusted_domain);
+ if (d == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ str = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+ if (str == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ d->netbios_name = talloc_strdup(d, str);
+ if (d->netbios_name == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+ if (str != NULL) {
+ d->domain_name = talloc_strdup(d, str);
+ if (d->domain_name == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ sid = samdb_result_dom_sid(d, msg, "securityIdentifier");
+ if (sid != NULL) {
+ d->security_identifier = *sid;
+ TALLOC_FREE(sid);
+ }
+
+ val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+ if (val != NULL) {
+ d->trust_auth_outgoing = data_blob_dup_talloc(d, *val);
+ if (d->trust_auth_outgoing.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+ if (val != NULL) {
+ d->trust_auth_incoming = data_blob_dup_talloc(d, *val);
+ if (d->trust_auth_incoming.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+ d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0);
+ d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0);
+
+ val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX);
+ if (val64 != UINT64_MAX) {
+ d->trust_posix_offset = talloc(d, uint32_t);
+ if (d->trust_posix_offset == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *d->trust_posix_offset = (uint32_t)val64;
+ }
+
+ val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX);
+ if (val64 != UINT64_MAX) {
+ d->supported_enc_type = talloc(d, uint32_t);
+ if (d->supported_enc_type == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *d->supported_enc_type = (uint32_t)val64;
+ }
+
+ val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
+ if (val != NULL) {
+ d->trust_forest_trust_info = data_blob_dup_talloc(d, *val);
+ if (d->trust_forest_trust_info.data == NULL) {
+ TALLOC_FREE(d);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *_d = d;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
+ TALLOC_CTX *mem_ctx,
+ const char *domain,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustPartner",
+ "trustAuthOutgoing",
+ "trustAuthIncoming",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "trustPosixOffset",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
+ struct ldb_message *msg = NULL;
+ struct pdb_trusted_domain *d = NULL;
+ NTSTATUS status;
+
+ status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
+ attrs, tmp_ctx, &msg);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdo(%s) - %s ",
+ domain, nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+ domain, nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ *td = d;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
+ TALLOC_CTX *mem_ctx,
+ struct dom_sid *sid,
+ struct pdb_trusted_domain **td)
+{
+ struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+ m->private_data, struct pdb_samba_dsdb_state);
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char * const attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustPartner",
+ "trustAuthOutgoing",
+ "trustAuthIncoming",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "trustPosixOffset",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-TrustForestTrustInfo",
+ NULL
+ };
+ struct ldb_message *msg = NULL;
+ struct pdb_trusted_domain *d = NULL;
+ NTSTATUS status;
+
+ status = dsdb_trust_search_tdo_by_sid(state->ldb, sid,
+ attrs, tmp_ctx, &msg);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ",
+ dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+ dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ *td = d;
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
+

The branch, master has been updated
via 08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc
via a00312d samba_kcc: simplify NCReplica.set_instantiated_flags()
via 81484f3 samba_kcc: simplify NCReplica constructor
via 315f445 samba_kcc: clarify readonly logging, removing now unused function
via d3f4429 samba_kcc: remove unused functions
via d3c5420 samba_kcc: fix dot_file_dir documentation
via a090d7e samba_kcc: remove an unused function
via c6294c3 samba-tool visualize for understanding AD DC behaviour
via ba2306f samba_kcc: use new graph module for writing dot files
via cebad22 python/graph: module for generating ASCII and graphviz visualisations
via b4a90a6 samba_kcc: respect kcc.read_only flag on RODC
via e579d5b samba_kcc: kcc.debug module defers to samba.colour
via a46c4a3 python: module containing ANSI colour sequences
via f2762d0 python tests: assert string equality, with diff
via 3f2762d samba_kcc: documentation fix
via 6678f33 s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()
from 4b17d36 WHATSNEW: document some more new options

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 08651a08ac10d472a8b170c2f33496192d7faa66
Author: Andrej Gessel <***@janztec.com>
Date: Mon Nov 13 11:07:43 2017 +0100

samba_kcc: do not commit new nTDSConnection, if we are rodc

Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc: attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc: all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc: all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc: part, True)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc: partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc: lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc: connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc: File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc: (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Signed-off-by: Andrej Gessel <***@janztec.com>
Reviewed-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Sat Jan 13 22:01:49 CET 2018 on sn-devel-144

commit a00312df7d5a9a2394b41111608c4d988ff4e3f2
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Dec 15 15:58:46 2017 +1300

samba_kcc: simplify NCReplica.set_instantiated_flags()

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 81484f32f4dfe4aeb5624430575fe791a9063246
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 17:50:56 2017 +1300

samba_kcc: simplify NCReplica constructor

There is nothing to be gained from setting the dn and guid separately
except subtle bugs.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 315f445a0256b0b63a344286debb6a27053c4d69
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 17:35:29 2017 +1300

samba_kcc: clarify readonly logging, removing now unused function

The unused function was somewhat misnamed.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d3f4429cd6e8a58926753651c015e683b92995ae
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Dec 13 16:04:19 2017 +1300

samba_kcc: remove unused functions

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d3c542051fb19559c5699001da8d9da6c7e66712
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Nov 30 09:24:05 2017 +1300

samba_kcc: fix dot_file_dir documentation

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a090d7ef52cfd2bbc8bdf7028db0e2237def1f3e
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Nov 16 16:47:32 2017 +1300

samba_kcc: remove an unused function

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit c6294c3c7b6c97f15daad7d463bda267726245c7
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Aug 10 11:57:24 2017 +1200

samba-tool visualize for understanding AD DC behaviour

To work out what is happening in a replication graph, it is sometimes
helpful to use visualisations. We introduce a samba-tool subcommand to
write Graphviz dot output and generate text-based heatmaps of the
distance in hops between DCs.

There are two subcommands, two graphical modes, and (roughly) two modes of
operation with respect to the location of authority.

`samba-tool visualize ntdsconn` looks at NTDS Connections.
`samba-tool visualize reps` looks at repsTo and repsFrom objects.

In '--distance' mode (default), the distances between DCs are shown in
a matrix in the terminal. With '--color=yes', this is depicted as a
heatmap. With '--utf8' it is a lttle prettier.

In '--dot' mode, Graphviz dot output is generated. When viewed using
dot or xdot, this shows the network as a graph with DCs as vertices
and connections edges. Certain types of degenerate edges are shown in
different colours or line-styles.

Normally samba-tool talks to one database; with the '-r' (a.k.a.
'--talk-to-remote') option attempts are made to contact all the DCs
known to the first database. This is necessary to get sensible results
from `samba-tool visualize reps` because the repsFrom/To objects are
not replicated, and it can reveal replication issues in other modes.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit ba2306f00d32d2fc55685b388e03e28fd7d97fd7
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Aug 10 15:29:43 2017 +1200

samba_kcc: use new graph module for writing dot files

We avoid changing the (annoying) signature of write_dot_file().

Using samba_kcc to write dot files may be deprecated.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit cebad22ce021ce9051fbe664bc699677796e0fb3
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Wed Jan 10 15:25:22 2018 +1300

python/graph: module for generating ASCII and graphviz visualisations

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit b4a90a650e969cd65b5104d37e9c57275909b336
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Thu Jan 11 21:56:40 2018 +1300

samba_kcc: respect kcc.read_only flag on RODC

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit e579d5bd48dfc7bc93ecc126d42fd4389ded0e28
Author: Douglas Bagnall <***@halo.gen.nz>
Date: Wed Jan 3 09:20:09 2018 +1300

samba_kcc: kcc.debug module defers to samba.colour

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a46c4a39c4d3be88f76c295b0719c025a1c39c3b
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Sun Jan 7 23:17:38 2018 +1300

python: module containing ANSI colour sequences

This is going to be used by `samba-tool visualize` and samba_kcc.

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit f2762d088001408a706e88e0fe6f46181c01fc3f
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 5 16:45:37 2018 +1300

python tests: assert string equality, with diff

In the success case this works just like self.assertEqual(),
but when things fail you get a better representation of where it went
wrong (a unified diff).

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 3f2762d0b716e8a440cefeb1867caa303e21af40
Author: Douglas Bagnall <***@catalyst.net.nz>
Date: Fri Jan 12 07:32:59 2018 +1300

samba_kcc: documentation fix

Signed-off-by: Douglas Bagnall <***@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 6678f33274d4f1784635cd11fc63d9d32a9f9b16
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Jan 12 14:52:45 2018 +0100

s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()

Otherwise this taints other tests which might follow.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
python/samba/colour.py | 50 ++
python/samba/graph.py | 621 +++++++++++++++++++++++++
python/samba/kcc/__init__.py | 21 +-
python/samba/kcc/debug.py | 24 +-
python/samba/kcc/graph_utils.py | 37 +-
python/samba/kcc/kcc_utils.py | 39 +-
python/samba/netcmd/main.py | 1 +
python/samba/netcmd/visualize.py | 574 +++++++++++++++++++++++
python/samba/tests/__init__.py | 23 +
python/samba/tests/graph.py | 152 ++++++
python/samba/tests/samba_tool/visualize.py | 466 +++++++++++++++++++
python/samba/tests/samba_tool/visualize_drs.py | 110 +++++
selftest/tests.py | 1 +
source4/selftest/tests.py | 6 +-
source4/torture/drs/python/samba_tool_drs.py | 3 +
15 files changed, 2037 insertions(+), 91 deletions(-)
create mode 100644 python/samba/colour.py
create mode 100644 python/samba/graph.py
create mode 100644 python/samba/netcmd/visualize.py
create mode 100644 python/samba/tests/graph.py
create mode 100644 python/samba/tests/samba_tool/visualize.py
create mode 100644 python/samba/tests/samba_tool/visualize_drs.py


Changeset truncated at 500 lines:

diff --git a/python/samba/colour.py b/python/samba/colour.py
new file mode 100644
index 0000000..b3d9a71
--- /dev/null
+++ b/python/samba/colour.py
@@ -0,0 +1,50 @@
+# ANSI codes for 4 bit and xterm-256color
+#
+# Copyright (C) Andrew Bartlett 2018
+#
+# Originally written by Douglas Bagnall
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# The 4 bit colours are available as global variables with names like
+# RED, DARK_RED, REV_RED (for red background), and REV_DARK_RED.
+#
+# The 256-colour codes are obtained using xterm_256_color(n), where n
+# is the number of the desired colour.
+
+# C_NORMAL resets to normal, whatever that is
+C_NORMAL = "\033[0m"
+
+UNDERLINE = "\033[4m"
+
+def _gen_ansi_colours():
+ g = globals()
+ for i, name in enumerate(('BLACK', 'RED', 'GREEN', 'YELLOW', 'BLUE',
+ 'MAGENTA', 'CYAN', 'WHITE')):
+ g[name] = "\033[1;3%dm" % i
+ g['DARK_' + name] = "\033[3%dm" % i
+ g['REV_' + name] = "\033[1;4%dm" % i
+ g['REV_DARK_' + name] = "\033[4%dm" % i
+
+_gen_ansi_colours()
+
+# kcc.debug uses these aliases (which make visual sense)
+PURPLE = DARK_MAGENTA
+GREY = DARK_WHITE
+
+def xterm_256_colour(n, bg=False, bold=False):
+ weight = '01;' if bold else ''
+ target = '48' if bg else '38'
+
+ return "\033[%s%s;5;%dm" % (weight, target, int(n))
diff --git a/python/samba/graph.py b/python/samba/graph.py
new file mode 100644
index 0000000..f626287
--- /dev/null
+++ b/python/samba/graph.py
@@ -0,0 +1,621 @@
+# -*- coding: utf-8 -*-
+# Graph topology utilities and dot file generation
+#
+# Copyright (C) Andrew Bartlett 2018.
+#
+# Written by Douglas Bagnall <***@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import print_function
+from samba import colour
+import sys
+
+FONT_SIZE = 10
+
+
+def reformat_graph_label(s):
+ """Break DNs over multiple lines, for better shaped and arguably more
+ readable nodes. We try to split after commas, and if necessary
+ after hyphens or failing that in arbitrary places."""
+ if len(s) < 12:
+ return s
+
+ s = s.replace(',', ',\n')
+ pieces = []
+ for p in s.split('\n'):
+ while len(p) > 20:
+ if '-' in p[2:20]:
+ q, p = p.split('-', 1)
+ else:
+ n = len(p) / 12
+ b = len(p) / n
+ q, p = p[:b], p[b:]
+ pieces.append(q + '-')
+ if p:
+ pieces.append(p)
+
+ return '\\n'.join(pieces)
+
+
+def quote_graph_label(s, reformat=False):
+ """Escape a string as graphvis requires."""
+ # escaping inside quotes is simple in dot, because only " is escaped.
+ # there is no need to count backslashes in sequences like \\\\"
+ s = s.replace('"', '\"')
+ if reformat:
+ s = reformat_graph_label(s)
+ return "%s" % s
+
+
+def shorten_vertex_names(edges, vertices, suffix=',...', aggressive=False):
+ """Replace the common suffix (in practice, the base DN) of a number of
+ vertices with a short string (default ",..."). If this seems
+ pointless because the replaced string is very short or the results
+ seem strange, the original vertices are retained.
+
+ :param edges: a sequence of vertex pairs to shorten
+ :param vertices: a sequence of vertices to shorten
+ :param suffix: the replacement string [",..."]
+
+ :return: tuple of (edges, vertices, replacement)
+
+ If no change is made, the returned edges and vertices will be the
+ original lists and replacement will be None.
+
+ If a change is made, replacement will be a tuple (new, original)
+ indicating the new suffix that replaces the old.
+ """
+ vlist = list(set(x[0] for x in edges) |
+ set(x[1] for x in edges) |
+ set(vertices))
+
+ if len(vlist) < 2:
+ return edges, vertices, None
+
+ # walk backwards along all the strings until we meet a character
+ # that is not shared by all.
+ i = -1
+ try:
+ while True:
+ c = set(x[i] for x in vlist)
+ if len(c) > 1:
+ break
+ i -= 1
+ except IndexError:
+ # We have indexed beyond the start of a string, which should
+ # only happen if one node is a strict suffix of all others.
+ return edges, vertices, None
+
+ # add one to get to the last unanimous character.
+ i += 1
+
+ # now, we actually really want to split on a comma. So we walk
+ # back to a comma.
+ x = vlist[0]
+ while i < len(x) and x[i] != ',':
+ i += 1
+
+ if i >= -len(suffix):
+ # there is nothing to gain here
+ return edges, vertices, None
+
+ edges2 = []
+ vertices2 = []
+
+ for a, b in edges:
+ edges2.append((a[:i] + suffix, b[:i] + suffix))
+ for a in vertices:
+ vertices2.append(a[:i] + suffix)
+
+ replacements = [(suffix, a[i:])]
+
+ if aggressive:
+ # Remove known common annoying strings
+ map = dict((v, v) for v in vertices2)
+ for v in vertices2:
+ if ',CN=Servers,' not in v:
+ break
+ else:
+ map = dict((k, v.replace(',CN=Servers,', ',**,'))
+ for k, v in map.iteritems())
+ replacements.append(('**', 'CN=Servers'))
+
+ for v in vertices2:
+ if not v.startswith('CN=NTDS Settings,'):
+ break
+ else:
+ map = dict((k, v.replace('CN=NTDS Settings,', '*,'))
+ for k, v in map.iteritems())
+ replacements.append(('*', 'CN=NTDS Settings'))
+
+ edges2 = [(map.get(a, a), map.get(b, b)) for a, b in edges2]
+ vertices2 = [map.get(a, a) for a in vertices2]
+
+ return edges2, vertices2, replacements
+
+
+def compile_graph_key(key_items, nodes_above=[], elisions=None,
+ prefix='key_', width=2):
+ """Generate a dot file snippet that acts as a legend for a graph.
+
+ :param key_items: sequence of items (is_vertex, style, label)
+ :param nodes_above: list of vertices (pushes key into right position)
+ :param elision: tuple (short, full) indicating suffix replacement
+ :param prefix: string used to generate key node names ["key_"]
+ :param width: default width of node lines
+
+ Each item in key_items is a tuple of (is_vertex, style, label).
+ is_vertex is a boolean indicating whether the item is a vertex
+ (True) or edge (False). Style is a dot style string for the edge
+ or vertex. label is the text associated with the key item.
+ """
+ edge_lines = []
+ edge_names = []
+ vertex_lines = []
+ vertex_names = []
+ order_lines = []
+ for i, item in enumerate(key_items):
+ is_vertex, style, label = item
+ tag = '%s%d_' % (prefix, i)
+ label = quote_graph_label(label)
+ name = '%s_label' % tag
+
+ if is_vertex:
+ order_lines.append(name)
+ vertex_names.append(name)
+ vertex_lines.append('%s[label="%s"; %s]' %
+ (name, label, style))
+ else:
+ edge_names.append(name)
+ e1 = '%se1' % tag
+ e2 = '%se2' % tag
+ order_lines.append(name)
+ edge_lines.append('subgraph cluster_%s {' % tag)
+ edge_lines.append('%s[label=src; color="#000000"; group="%s_g"]' %
+ (e1, tag))
+ edge_lines.append('%s[label=dest; color="#000000"; group="%s_g"]' %
+ (e2, tag))
+ edge_lines.append('%s -> %s [constraint = false; %s]' % (e1, e2,
+ style))
+ edge_lines.append(('%s[shape=plaintext; style=solid; width=%f; '
+ 'label="%s\\r"]') %
+ (name, width, label))
+ edge_lines.append('}')
+
+ elision_str = ''
+ if elisions:
+ for i, elision in enumerate(reversed(elisions)):
+ order_lines.append('elision%d' % i)
+ short, long = elision
+ if short[0] == ',' and long[0] == ',':
+ short = short[1:]
+ long = long[1:]
+ elision_str += ('\nelision%d[shape=plaintext; style=solid; '
+ 'label="\“%s” means “%s”\\r"]\n'
+ % ((i, short, long)))
+
+ above_lines = []
+ if order_lines:
+ for n in nodes_above:
+ above_lines.append('"%s" -> %s [style=invis]' %
+ (n, order_lines[0]))
+
+ s = ('subgraph cluster_key {\n'
+ 'label="Key";\n'
+ 'subgraph cluster_key_nodes {\n'
+ 'label="";\n'
+ 'color = "invis";\n'
+ '%s\n'
+ '}\n'
+ 'subgraph cluster_key_edges {\n'
+ 'label="";\n'
+ 'color = "invis";\n'
+ '%s\n'
+ '{%s}\n'
+ '}\n'
+ '%s\n'
+ '}\n'
+ '%s\n'
+ '%s [style=invis; weight=9]'
+ '\n'
+ % (';\n'.join(vertex_lines),
+ '\n'.join(edge_lines),
+ ' '.join(edge_names),
+ elision_str,
+ ';\n'.join(above_lines),
+ ' -> '.join(order_lines),
+ ))
+
+ return s
+
+
+def dot_graph(vertices, edges,
+ directed=False,
+ title=None,
+ reformat_labels=True,
+ vertex_colors=None,
+ edge_colors=None,
+ edge_labels=None,
+ vertex_styles=None,
+ edge_styles=None,
+ graph_name=None,
+ shorten_names=False,
+ key_items=None,
+ vertex_clusters=None):
+ """Generate a Graphviz representation of a list of vertices and edges.
+
+ :param vertices: list of vertex names (optional).
+ :param edges: list of (vertex, vertex) pairs
+ :param directed: bool: whether the graph is directed
+ :param title: optional title for the graph
+ :param reformat_labels: whether to wrap long vertex labels
+ :param vertex_colors: if not None, a sequence of colours for the vertices
+ :param edge_colors: if not None, colours for the edges
+ :param edge_labels: if not None, labels for the edges
+ :param vertex_styles: if not None, DOT style strings for vertices
+ :param edge_styles: if not None, DOT style strings for edges
+ :param graph_name: if not None, name of graph
+ :param shorten_names: if True, remove common DN suffixes
+ :param key: (is_vertex, style, description) tuples
+ :param vertex_clusters: list of subgraph cluster names
+
+ Colour, style, and label lists must be the same length as the
+ corresponding list of edges or vertices (or None).
+
+ Colours can be HTML RGB strings ("#FF0000") or common names
+ ("red"), or some other formats you don't want to think about.
+
+ If `vertices` is None, only the vertices mentioned in the edges
+ are shown, and their appearance can be modified using the
+ vertex_colors and vertex_styles arguments. Vertices appearing in
+ the edges but not in the `vertices` list will be shown but their
+ styles can not be modified.
+ """
+ out = []
+ write = out.append
+
+ if vertices is None:
+ vertices = set(x[0] for x in edges) | set(x[1] for x in edges)
+
+ if shorten_names:
+ edges, vertices, elisions = shorten_vertex_names(edges, vertices)
+ else:
+ elisions = None
+
+ if graph_name is None:
+ graph_name = 'A_samba_tool_production'
+
+ if directed:
+ graph_type = 'digraph'
+ connector = '->'
+ else:
+ graph_type = 'graph'
+ connector = '--'
+
+ write('/* generated by samba */')
+ write('%s %s {' % (graph_type, graph_name))
+ if title is not None:
+ write('label="%s";' % (title,))
+ write('fontsize=%s;\n' % (FONT_SIZE))
+ write('node[fontname=Helvetica; fontsize=%s];\n' % (FONT_SIZE))
+
+ prev_cluster = None
+ cluster_n = 0
+ quoted_vertices = []
+ for i, v in enumerate(vertices):
+ v = quote_graph_label(v, reformat_labels)
+ quoted_vertices.append(v)
+ attrs = []
+ if vertex_clusters and vertex_clusters[i]:
+ cluster = vertex_clusters[i]
+ if cluster != prev_cluster:
+ if prev_cluster is not None:
+ write("}")
+ prev_cluster = cluster
+ n = quote_graph_label(cluster)
+ if cluster:
+ write('subgraph cluster_%d {' % cluster_n)
+ cluster_n += 1
+ write('style = "rounded,dotted";')
+ write('node [style="filled"; fillcolor=white];')
+ write('label = "%s";' % n)
+
+ if vertex_styles and vertex_styles[i]:
+ attrs.append(vertex_styles[i])
+ if vertex_colors and vertex_colors[i]:
+ attrs.append('color="%s"' % quote_graph_label(vertex_colors[i]))
+ if attrs:
+ write('"%s" [%s];' % (v, ', '.join(attrs)))
+ else:
+ write('"%s";' % (v,))
+
+ if prev_cluster:
+ write("}")
+
+ for i, edge in enumerate(edges):
+ a, b = edge
+ if a is None:
+ a = "Missing source value"
+ if b is None:
+ b = "Missing destination value"
+
+ a = quote_graph_label(a, reformat_labels)
+ b = quote_graph_label(b, reformat_labels)
+
+ attrs = []
+ if edge_labels:
+ label = quote_graph_label(edge_labels[i])
+ attrs.append('label="%s"' % label)
+ if edge_colors:
+ attrs.append('color="%s"' % quote_graph_label(edge_colors[i]))
+ if edge_styles:
+ attrs.append(edge_styles[i]) # no quoting
+ if attrs:
+ write('"%s" %s "%s" [%s];' % (a, connector, b, ', '.join(attrs)))
+ else:
+ write('"%s" %s "%s";' % (a, connector, b))
+
+ if key_items:
+ key = compile_graph_key(key_items, nodes_above=quoted_vertices,
+ elisions=elisions)
+ write(key)
+
+ write('}\n')
+ return '\n'.join(out)
+
+
+COLOUR_SETS = {
+ 'ansi': {
+ 'alternate rows': (colour.DARK_WHITE, colour.BLACK),
+ 'disconnected': colour.RED,
+ 'connected': colour.GREEN,
+ 'transitive': colour.DARK_YELLOW,
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'ansi-heatmap': {
+ 'alternate rows': (colour.DARK_WHITE, colour.BLACK),
+ 'disconnected': colour.REV_RED,
+ 'connected': colour.REV_GREEN,
+ 'transitive': colour.REV_DARK_YELLOW,
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'xterm-256color': {
+ 'alternate rows': (colour.xterm_256_colour(39),
+ colour.xterm_256_colour(45)),
+ #'alternate rows': (colour.xterm_256_colour(246),
+ # colour.xterm_256_colour(247)),
+ 'disconnected': colour.xterm_256_colour(124, bg=True),
+ 'connected': colour.xterm_256_colour(112),
+ 'transitive': colour.xterm_256_colour(214),
+ 'transitive scale': (colour.xterm_256_colour(190),
+ colour.xterm_256_colour(226),
+ colour.xterm_256_colour(220),
+ colour.xterm_256_colour(214),
+ colour.xterm_256_colour(208),
+ ),
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ 'xterm-256color-heatmap': {
+ 'alternate rows': (colour.xterm_256_colour(171),
+ colour.xterm_256_colour(207)),
+ #'alternate rows': (colour.xterm_256_colour(246),
+ # colour.xterm_256_colour(247)),
+ 'disconnected': colour.xterm_256_colour(124, bg=True),
+ 'connected': colour.xterm_256_colour(112, bg=True),
+ 'transitive': colour.xterm_256_colour(214, bg=True),
+ 'transitive scale': (colour.xterm_256_colour(190, bg=True),
+ colour.xterm_256_colour(226, bg=True),
+ colour.xterm_256_colour(220, bg=True),
+ colour.xterm_256_colour(214, bg=True),
+ colour.xterm_256_colour(208, bg=True),
+ ),
+ 'header': colour.UNDERLINE,
+ 'reset': colour.C_NORMAL,
+ },
+ None: {
+ 'alternate rows': ('',),
+ 'disconnected': '',
+ 'connected': '',
+ 'transitive': '',
+ 'header': '',
+ 'reset': '',
+ }
+}