[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Mon Aug 5 14:15:10 MDT 2013


The branch, v4-1-test has been updated
       via  4bf25ec nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
       via  597846c s3: Remove old mode special substitution.
       via  1ed811b s4:server: avoid calling into nss_winbind from within 'samba'
       via  8925c93 s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820)
       via  3f86c28 s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
       via  8e4d407 service_stream: Log if the connection termination is deferred or not (bug #9820)
       via  30b8af7 Fix bug 9678 - Windows 8 Roaming profiles fail
       via  2b6a6fd security.idl: add new security_secinfo bits
       via  34e6d50 samba-tool dbcheck: Correctly remove deleted DNs in dbcheck
       via  d0e3791 dsdb: Include MS-ADTS doc references on deleted object constraints
       via  0a2a985 dsdb tests: Add member/memberOf checking to delete_objects testing
       via  7004a3d dsdb: Improve DRS deleted link source/target handling in repl_meta_data
       via  d6e1e12 dsdb: Ensure we always force deleted objects back under the deleted objects DN
       via  042b3e5 dsdb/repl_meta_data: split out replmd_deletion_state()
       via  20d8a33 dsdb: Prune deleted objects of links and extra attributes of replicated deletes
       via  a0a3b58 torture/drs: Expand an error message to aid debugging
       via  071b36b dsdb/samdb: use RECYCLED it implies DELETED...
       via  55f0779 selftest: ensure samba4.rpc.samr.large-dc.two.samr.many is always tested
       via  8cbc577 rpc_server-drsuapi: Improve comments and DEBUG lines
       via  5acbbd7 dsdb: Add assert in drepl_take_FSMO_role
       via  498c92d selftest: Ensure the DC has started and got a RID set before we proceed
       via  6287ac3 dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails
       via  e97dfe2 dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches
       via  75ef73f dsdb-descriptor: Do not do a subtree search unless we have child entries
       via  c4c3d7f Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
       via  2036f25 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
      from  216b3f4 s4-lib/socket: Allocate the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit 4bf25ec6a10a458e29e98341a97848c9590502ad
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 26 15:36:02 2013 +0200

    nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10048
    
    Reviewed-by: Günther Deschner <gd at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Jul 26 17:40:26 CEST 2013 on sn-devel-104
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Mon Aug  5 22:14:36 CEST 2013 on sn-devel-104

commit 597846ca89fe83dbd9c7875e31db185fb34e7e41
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Tue Jul 9 17:14:08 2013 +0200

    s3: Remove old mode special substitution.
    
    The mode special substitution now happens in a separate function.
    The substitution at this point is unnecessary.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Christian Ambach <ambi at samba.org>
    
    Autobuild-User(master): Christian Ambach <ambi at samba.org>
    Autobuild-Date(master): Tue Jul 16 00:52:26 CEST 2013 on sn-devel-104
    (cherry picked from commit 9b2aa351ceb756d6ea63f3158f0e983ae7262da8)
    
    Fix bug #10045 - Remove a redundant inlined substitution of ACLs.

commit 1ed811b598618421fb4ce4ba0677802fb52a65f9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 10 14:48:18 2013 +0200

    s4:server: avoid calling into nss_winbind from within 'samba'
    
    The most important part is that the 'winbind_server' doesn't
    recurse into itself. This could happen if the krb5 libraries
    call getlogin().
    
    As we may run in single process mode, we need to set
    _NO_WINBINDD=1 everywhere, the only exception is the forked
    'smbd'.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Jul 10 23:18:06 CEST 2013 on sn-devel-104
    (cherry picked from commit 596b51c666e549fb518d92931d8837922154a2fe)
    
    The last 4 patches address bug #9820 - crash of winbind after "ls -l
    /usr/local/samba/var/locks/sysvol".

commit 8925c93f3e1df4886554340ef2edd3d3c81d5ecf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 9 16:38:59 2013 +0200

    s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820)
    
    Sadly we may have nested event loops, which won't work correctly with
    broken connections, that's why we have to do this...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Jul 10 08:47:38 CEST 2013 on sn-devel-104
    (cherry picked from commit e6a58d370403e818bc2cfb8389751b78adcc14fd)

commit 3f86c28c42fc9e3750a7a8bb83b44f2c0fe78fc0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 27 11:28:03 2013 +1000

    s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
    
    Instead, wait until the call attempts to reply, and let it terminate then
    
    (often this happens in the attempt to then write to the broken pipe).
    
    Andrew Bartlett
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 2505d48e4fbcd8a805a88ad0b05fb1a16a588197)

commit 8e4d407e6f67c354ac81a5300dbeca2ce7bd49b0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 27 11:27:03 2013 +1000

    service_stream: Log if the connection termination is deferred or not (bug #9820)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit df929d6feb857668ad9da277213e9fae1480ff63)

commit 30b8af74d5f227b6114f0a8d0b04c336feb2372c
Author: Gregor Beck <gbeck at sernet.de>
Date:   Thu Aug 1 14:16:24 2013 +0200

    Fix bug 9678 - Windows 8 Roaming profiles fail
    
    Windows 8 tries to set 'ATTRIBUTE_SECURITY_INFORMATION' on some
    dirs. Ignoring it makes roaming profiles work again.
    Just like w2k3 gracefully ignore all the other bits.
    
    Signed-off-by: Gregor Beck <gbeck at sernet.de>

commit 2b6a6fd0e455b85ec3d09b47e83873ec5f3924e6
Author: Gregor Beck <gbeck at sernet.de>
Date:   Wed Jul 31 15:28:51 2013 +0200

    security.idl: add new security_secinfo bits
    
    [MS-DTYP].pdf 2.4.7
    
    Signed-off-by: Gregor Beck <gbeck at sernet.de>

commit 34e6d50a5645fe670485f54c88de7a2dabfe6078
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 13:32:49 2013 +1000

    samba-tool dbcheck: Correctly remove deleted DNs in dbcheck
    
    The previous pattern never matched, as it was a typo.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Jul 30 12:55:00 CEST 2013 on sn-devel-104
    (cherry picked from commit 7615b2549d9549683978cb3e85b926e2ba63e294)
    
    The last 4 patches address bug #9029 - Replication with --domain-critical-only
    fails to fill in backlinks.

commit d0e3791fdf8d53aedf2c5e6dc499a477710f9030
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 4 20:22:31 2013 +1000

    dsdb: Include MS-ADTS doc references on deleted object constraints
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit f2afdb61698c37389be286f9443471d4aeba49b8)

commit 0a2a985355e22389cb2968c6618560d4518b90b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 3 17:51:41 2013 +1000

    dsdb tests: Add member/memberOf checking to delete_objects testing
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit a9e565a5a4478f7b923f35311e170de2044ff848)

commit 7004a3dd50953313a37cd780465d665caf6006bc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 4 19:57:06 2013 +1000

    dsdb: Improve DRS deleted link source/target handling in repl_meta_data
    
    We now correctly ignore the link updates if the source or target is
    deleted locally.
    
    This fixes the long-standing failure in the vampire_dc dbcheck test.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 0162be32ab4f9716a4300d1f1a0caae8b0133f7c)

commit d6e1e12c2a92ff120bba93da13f4d9c253ea7200
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 17 22:37:20 2013 +1000

    dsdb: Ensure we always force deleted objects back under the deleted objects DN
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 32955a1dec3a97ab4550869dbeb5034247f3b1bc)
    
    The last 12 patches address bug #10056 - dsdb improvements from 4.1.

commit 042b3e56d19aeae85dd1d5ff0d1545ce9dbd9456
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jun 5 09:35:42 2013 +0200

    dsdb/repl_meta_data: split out replmd_deletion_state()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a796cad90f1028ccc54a3539e34dc0728b990a96)

commit 20d8a331fe842a736c104bf87df8ce60fba8eee8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri May 31 20:01:17 2013 +1000

    dsdb: Prune deleted objects of links and extra attributes of replicated deletes
    
    When an object is deleted, the links to be removed are not propagated,
    you have to watch out for them manually!
    
    We do this by calling back into the originating update delete code (ie
    what is called if you ldb_delete() locally) so that any extra
    attribute found locally and not on the remote server becomes removed
    remotely too.
    
    We currently do the same with links, but that isn't strictly correct,
    but for now our getNCChanges server code filters these out, so only
    the usn is bumped.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d3aad891c5759f66bd891cb47866d908a0562a8a)

commit a0a3b58640528e583e68d324503ebc2bf0e05f69
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 17 22:37:54 2013 +1000

    torture/drs: Expand an error message to aid debugging
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jul 25 13:51:44 CEST 2013 on sn-devel-104
    (cherry picked from commit a74c7d780cb6a1e8a5a63ebbbcf36fd7cf717ea1)

commit 071b36bf14d4688b5eb549b8dded6a983f65b00a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 10 14:00:01 2013 +0200

    dsdb/samdb: use RECYCLED it implies DELETED...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 63c05e820f1449b2dfa6e4f096d8270284a60bbb)

commit 55f07795e6ccaf986146a071df86c80a3346fe8a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 13 19:34:45 2013 +1000

    selftest: ensure samba4.rpc.samr.large-dc.two.samr.many is always tested
    
    This test should now be more reliable with the over-allocation of
    RID values now fixed.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 93b83151c9563f4c1f47b925fed079d275f8ec43)

commit 8cbc577338a28e2f0e988485b9347c9c7b1435fc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 28 09:19:48 2013 +1000

    rpc_server-drsuapi: Improve comments and DEBUG lines
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 5e1f2795f28b0a213b4529e046edec68caa3bd41)

commit 5acbbd7b980dee7554b6baa3e66a5d4ab206c8a2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 28 09:15:16 2013 +1000

    dsdb: Add assert in drepl_take_FSMO_role
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit e9faf50ee123a8d1d647ebffa39107ca0dce756c)

commit 498c92d1267c85b513aced5784422ea9e4f5bb50
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 19 11:33:36 2013 +1000

    selftest: Ensure the DC has started and got a RID set before we proceed
    
    This avoids errors when a busy DC has not yet fetched a RID set, showing up
    as flapping tests when users are created, such as the samr.large-dc test.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit ae0ba6bd833f71c4337ae3b6621bf797cb3c48c2)

commit 6287ac361ec57d2b011994e4a176abbbfb4dc32a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 19 10:30:48 2013 +1000

    dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails
    
    We now also only poke the RID manager once per request.
    
    This may help track down why RID allocation can fail, as while we
    never wait for the RID set to be created/updated, it may be the only
    clue the admin gets as to why the async allocations were failing.
    
    Andrew Bartlett
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit db9c3c62c89e1328872e3fdedde22b78770728a9)

commit e97dfe2f2869633e5c36db6dd99177a9179052a7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 23 21:38:40 2013 +1000

    dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches
    
    This should be more efficient, particularly in the leaf node case when renaming and
    deleting entries on large databases.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 31fb7f9c1b93b0f2114dec5096e43616ed317720)

commit 75ef73f5f912681bf7697ac37c76c0f2ac7ae30b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 23 19:47:35 2013 +1000

    dsdb-descriptor: Do not do a subtree search unless we have child entries
    
    This avoids a subtree search here in most cases where an object is deleted.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 03b44d26fd17761675fe33ab29e8f325f59d8a5c)

commit c4c3d7ffc8b136ddfd63b12e52f2e59af2058b0c
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 11 09:36:01 2013 -0700

    Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
    
    Fix client-side parsing also. Found by David Disseldorp <ddiss at suse.de>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(master): Mon Aug  5 14:39:04 CEST 2013 on sn-devel-104
    (cherry picked from commit c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e)

commit 2036f255c83d644447e65d00112b494d00d799f4
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 10 17:10:17 2013 -0700

    Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
    
    Ensure we never wrap whilst adding client provided input.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit c8d8bb257ac390c89c4238ed86dfef02750b6049)

-----------------------------------------------------------------------

Summary of changes:
 file_server/file_server.c                          |    9 +
 librpc/idl/security.idl                            |    3 +
 nsswitch/wbinfo.c                                  |    6 +-
 python/samba/dbchecker.py                          |    2 +-
 selftest/flapping                                  |    1 -
 selftest/knownfail                                 |    1 -
 selftest/target/Samba4.pm                          |   22 +-
 source3/modules/nfs4_acls.c                        |   15 +-
 source3/smbd/nttrans.c                             |   21 +-
 source4/dsdb/repl/drepl_fsmo.c                     |    7 +-
 source4/dsdb/samdb/cracknames.c                    |    2 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c        |   33 ++-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c |    4 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |  568 +++++++++++++++-----
 source4/dsdb/samdb/ldb_modules/ridalloc.c          |   56 ++-
 source4/dsdb/samdb/ldb_modules/subtree_rename.c    |  201 ++++----
 .../dsdb/samdb/ldb_modules/wscript_build_server    |    2 +-
 source4/libcli/raw/raweas.c                        |    7 +-
 source4/rpc_server/dcerpc_server.c                 |   55 ++-
 source4/rpc_server/dcerpc_server.h                 |    8 +-
 source4/rpc_server/drsuapi/getncchanges.c          |    7 +-
 source4/smbd/server.c                              |    7 +
 source4/smbd/service_stream.c                      |    6 +-
 source4/torture/drs/python/delete_object.py        |  280 +++++++++-
 source4/winbind/wb_samba3_protocol.c               |    5 +
 source4/winbind/wb_server.c                        |   51 ++-
 source4/winbind/wb_server.h                        |   10 +-
 27 files changed, 1074 insertions(+), 315 deletions(-)


Changeset truncated at 500 lines:

diff --git a/file_server/file_server.c b/file_server/file_server.c
index 5d44d5a..aab5f39 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -28,6 +28,7 @@
 #include "source4/smbd/process_model.h"
 #include "file_server/file_server.h"
 #include "dynconfig.h"
+#include "nsswitch/winbind_client.h"
 
 /*
   called if smbd exits
@@ -64,6 +65,8 @@ static void s3fs_task_init(struct task_server *task)
 	smbd_path = talloc_asprintf(task, "%s/smbd", dyn_SBINDIR);
 	smbd_cmd[0] = smbd_path;
 
+	/* the child should be able to call through nss_winbind */
+	(void)winbind_on();
 	/* start it as a child process */
 	subreq = samba_runcmd_send(task, task->event_ctx, timeval_zero(), 1, 0,
 				smbd_cmd,
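
Review bot: The result of winbind_on() is discarded with a (void) cast right before samba_runcmd_send(), while the matching winbind_off() in the parent is checked and treated as fatal. If winbind_on() can fail, the forked smbd would start without being able to call through nss_winbind and nothing would be logged; emit at least a DEBUG line on failure, or state in the comment why the result is safe to ignore.
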
@@ -72,6 +75,12 @@ static void s3fs_task_init(struct task_server *task)
 				"--foreground",
 				debug_get_output_is_stdout()?"--log-stdout":NULL,
 				NULL);
+	/* the parent should not be able to call through nss_winbind */
+	if (!winbind_off()) {
+		DEBUG(0,("Failed to re-disable recursive winbindd calls after forking smbd\n"));
+		task_server_terminate(task, "Failed to re-disable recursive winbindd calls", true);
+		return;
+	}
 	if (subreq == NULL) {
 		DEBUG(0, ("Failed to start smbd as child daemon\n"));
 		task_server_terminate(task, "Failed to startup s3fs smb task", true);
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 00bb6e6..381d6e5 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -621,6 +621,9 @@ interface security
 		SECINFO_DACL                 = 0x00000004,
 		SECINFO_SACL                 = 0x00000008,
 		SECINFO_LABEL                = 0x00000010,
+		SECINFO_ATTRIBUTE	     = 0x00000020,
+		SECINFO_SCOPE                = 0x00000040,
+		SECINFO_BACKUP		     = 0x00010000,
 		SECINFO_UNPROTECTED_SACL     = 0x10000000,
 		SECINFO_UNPROTECTED_DACL     = 0x20000000,
 		SECINFO_PROTECTED_SACL	     = 0x40000000,
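
Review bot: The three new SECINFO_* entries use different whitespace before the "=" (tabs for SECINFO_ATTRIBUTE and SECINFO_BACKUP, spaces for SECINFO_SCOPE), and the file itself does not record where the values come from. Use the same alignment as the entries directly above them and add a short comment citing [MS-DTYP] 2.4.7, which the commit message names as the source.
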
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index cfb430b..17977ed 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2064,7 +2064,8 @@ enum {
 	OPT_LOGOFF,
 	OPT_LOGOFF_USER,
 	OPT_LOGOFF_UID,
-	OPT_LANMAN
+	OPT_LANMAN,
+	OPT_KRB5CCNAME
 };
 
 int main(int argc, char **argv, char **envp)
@@ -2165,7 +2166,7 @@ int main(int argc, char **argv, char **envp)
 		{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
 			/* destroys wbinfo --help output */
 			/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
-		{ "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
+		{ "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, OPT_KRB5CCNAME, "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
 #endif
 		{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
 		{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
@@ -2621,6 +2622,7 @@ int main(int argc, char **argv, char **envp)
 		case OPT_LANMAN:
 		case OPT_LOGOFF_USER:
 		case OPT_LOGOFF_UID:
+		case OPT_KRB5CCNAME:
 			break;
 		default:
 			d_fprintf(stderr, "Invalid option\n");
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index e88f876..8b175c2 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -271,7 +271,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
         """handle a missing target DN (both GUID and DN string form are missing)"""
         # check if its a backlink
         linkID = self.samdb_schema.get_linkId_from_lDAPDisplayName(attrname)
-        if (linkID & 1 == 0) and str(dsdb_dn).find('DEL\\0A') == -1:
+        if (linkID & 1 == 0) and str(dsdb_dn).find('\\0ADEL') == -1:
             self.report("Not removing dangling forward link")
             return
         self.err_deleted_dn(dn, attrname, val, dsdb_dn, dsdb_dn)
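
Review bot: The corrected check still does a substring search for '\\0ADEL' over the whole string form of dsdb_dn, so the marker matches in any component of the DN, not only in the leading RDN. If the intent is "the target itself is a deleted object", test the first RDN instead. Since the commit message says the old pattern never matched, this branch also needs a test case so a future typo in the pattern is caught.
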
diff --git a/selftest/flapping b/selftest/flapping
index 170bf7b..afeae65 100644
--- a/selftest/flapping
+++ b/selftest/flapping
@@ -25,4 +25,3 @@
 ^samba3.raw.samba3checkfsp.samba3checkfsp\(plugin_s4_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
 ^samba3.raw.samba3closeerr.samba3closeerr\(plugin_s4_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
 ^samba4.nss.test.*using.*winbind # fails sometimes on sn-devel
-^samba4.rpc.samr.large-dc.two.samr.many.*\(vampire_dc\) # often fails on sn-devel-104, rid allocation?
diff --git a/selftest/knownfail b/selftest/knownfail
index 313d6c9..3943e60 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -175,7 +175,6 @@
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
-^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
 ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e279beb..e574b48 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -141,6 +141,7 @@ sub check_or_start($$$)
 sub wait_for_start($$)
 {
 	my ($self, $testenv_vars) = @_;
+	my $ret;
 	# give time for nbt server to register its names
 	print "delaying for nbt name registration\n";
 	sleep 2;
@@ -161,7 +162,25 @@ sub wait_for_start($$)
 	system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
 	system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
 
+	# Ensure we have the first RID Set before we start tests.  This makes the tests more reliable.
+	if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOS_NAME} eq "rodc")) {
+	    print "waiting for working LDAP and a RID Set to be allocated\n";
+	    my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
+	    my $count = 0;
+	    my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
+	    my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
+	    while (system("$ldbsearch -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool > /dev/null") != 0) {
+		$count++;
+		if ($count > 40) {
+		    $ret = 1;
+		    last;
+		}
+		sleep(1);
+	    }
+	}
 	print $self->getlog_env($testenv_vars);
+
+	return $ret
 }
 
 sub write_ldb_file($$$)
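
Review bot: The RODC exclusion in the new if statement reads $testenv_vars->{NETBIOS_NAME}, but every other use in this function, including the $rid_set_dn built a few lines later, reads $testenv_vars->{NETBIOSNAME}. If NETBIOS_NAME is not a key of the hash, the comparison with "rodc" never matches and the wait loop also runs for the RODC; use the same key in both places. In addition, $ret is only assigned on timeout, so the success path returns undef; initialise it to 0 so callers get a defined value.
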
@@ -692,7 +711,8 @@ nogroup:x:65534:nobody
 	        NSS_WRAPPER_WINBIND_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
                 LOCAL_PATH => $ctx->{share},
                 UID_RFC2307TEST => $uid_rfc2307test,
-                GID_RFC2307TEST => $gid_rfc2307test
+                GID_RFC2307TEST => $gid_rfc2307test,
+                SERVER_ROLE => $ctx->{server_role}
 	};
 
 	return $ret;
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 255741c..dab1a2a 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -739,20 +739,9 @@ static bool smbacl4_fill_ace4(
 
 		if (sid_to_gid(&ace_nt->trustee, &gid)) {
 			ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
-
-			if (params->mode==e_special && gid==ownerGID) {
-				ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
-				ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
-			} else {
-				ace_v4->who.gid = gid;
-			}
+			ace_v4->who.gid = gid;
 		} else if (sid_to_uid(&ace_nt->trustee, &uid)) {
-			if (params->mode==e_special && uid==ownerUID) {
-				ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
-				ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
-			} else {
-				ace_v4->who.uid = uid;
-			}
+			ace_v4->who.uid = uid;
 		} else {
 			DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
 				  "convert %s to uid or gid\n",
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index f5e5877..0d74a58 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -890,13 +890,8 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 
 	/* Ensure we have at least one thing set. */
 	if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
-		if (security_info_sent & SECINFO_LABEL) {
-			/* Only consider SECINFO_LABEL if no other
-			   bits are set. Just like W2K3 we don't
-			   store this. */
-			return NT_STATUS_OK;
-		}
-		return NT_STATUS_INVALID_PARAMETER;
+		/* Just like W2K3 */
+		return NT_STATUS_OK;
 	}
 
 	/* Ensure we have the rights to do this. */
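
Review bot: With the SECINFO_LABEL special case removed, the early return in set_sd() now answers NT_STATUS_OK for every request that carries none of SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL or SECINFO_SACL, which includes security_info_sent == 0 and any undefined bit, where the old code returned NT_STATUS_INVALID_PARAMETER. The shortened comment "Just like W2K3" no longer says that nothing is stored. Spell out which bits are deliberately ignored (the commit message names ATTRIBUTE_SECURITY_INFORMATION) and consider a low-level DEBUG line so a client that believes it set a label or attribute can be diagnosed.
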
@@ -994,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
 		if (next_offset == 0) {
 			break;
 		}
+
+		/* Integer wrap protection for the increment. */
+		if (offset + next_offset < offset) {
+			break;
+		}
+
 		offset += next_offset;
+
+		/* Integer wrap protection for while loop. */
+		if (offset + 4 < offset) {
+			break;
+		}
+
 	}
 
 	return ea_list_head;
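
Review bot: Both new wrap checks leave the loop with break, so read_nttrans_ea_list() returns the entries parsed so far as if the buffer had been well formed. A next_offset that wraps offset is malformed client input; consider failing the whole request on that path instead of accepting a partial list, or document why partial acceptance is intended. The tests "offset + next_offset < offset" and "offset + 4 < offset" only detect a wrap if offset and next_offset are unsigned, which is worth stating in the comment because the declarations are outside this hunk. The blank line added before the closing brace of the loop can be dropped.
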
diff --git a/source4/dsdb/repl/drepl_fsmo.c b/source4/dsdb/repl/drepl_fsmo.c
index 37fb684..7a107da 100644
--- a/source4/dsdb/repl/drepl_fsmo.c
+++ b/source4/dsdb/repl/drepl_fsmo.c
@@ -91,11 +91,10 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
 		extended_op = DRSUAPI_EXOP_FSMO_REQ_PDC;
 		break;
 	default:
-		DEBUG(2,("Unknown role %u in role transfer\n",
+		DEBUG(0,("Unknown role %u in role transfer\n",
 			 (unsigned)role));
-		r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
-		talloc_free(tmp_ctx);
-		return NT_STATUS_OK;
+		/* IRPC messages are trusted, so this really should not happen */
+		smb_panic("Unknown role despite dsdb_get_fsmo_role_info success");
 	}
 
 	ret = samdb_dn_is_our_ntdsa(service->samdb, role_owner_dn, &is_us);
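
Review bot: The default case now calls smb_panic() where it previously set r->out.result = WERR_DS_DRA_INTERNAL_ERROR and returned, so an unexpected role value aborts the process instead of failing one request. The comment justifies this only with "IRPC messages are trusted"; it should also name the earlier dsdb_get_fsmo_role_info() check that the panic string refers to, since that call is what makes this branch unreachable and it is not visible next to the switch.
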
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 15463a7..0c4cdfc 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -945,7 +945,7 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
 			real_search_dn = NULL;
 		}
 		if (format_desired == DRSUAPI_DS_NAME_FORMAT_GUID){
-			 dsdb_flags = dsdb_flags| DSDB_SEARCH_SHOW_DELETED;
+			 dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
 		}
 
 		/* search with the 'phantom root' flag */
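
Review bot: The change from DSDB_SEARCH_SHOW_DELETED to DSDB_SEARCH_SHOW_RECYCLED for DRSUAPI_DS_NAME_FORMAT_GUID has no explanation in the code; the only rationale is the commit subject (RECYCLED implies DELETED). Add a one-line comment next to the flag so that a GUID lookup returning recycled objects reads as intended behaviour.
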
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 7743baa..ceac8db 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -1186,16 +1186,47 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
 	const char * const no_attrs[] = { "@__NONE__", NULL };
 	struct descriptor_changes *c;
 	struct descriptor_changes *stopped_stack = NULL;
+	enum ldb_scope scope;
 	int ret;
 
 	/*
+	 * First confirm this object has children, or exists (depending on change->force_self)
+	 * 
+	 * LDB_SCOPE_SUBTREE searches are expensive.
+	 *
+	 * Note: that we do not search for deleted/recycled objects
+	 */
+	ret = dsdb_module_search(module,
+				 change,
+				 &res,
+				 change->dn,
+				 LDB_SCOPE_ONELEVEL,
+				 no_attrs,
+				 DSDB_FLAG_NEXT_MODULE |
+				 DSDB_FLAG_AS_SYSTEM,
+				 NULL, /* parent_req */
+				 "(objectClass=*)");
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (res->count == 0 && !change->force_self) {
+		TALLOC_FREE(res);
+		return LDB_SUCCESS;
+	} else if (res->count == 0 && change->force_self) {
+		scope = LDB_SCOPE_BASE;
+	} else {
+		scope = LDB_SCOPE_SUBTREE;
+	}
+
+	/*
 	 * Note: that we do not search for deleted/recycled objects
 	 */
 	ret = dsdb_module_search(module,
 				 change,
 				 &res,
 				 change->dn,
-				 LDB_SCOPE_SUBTREE,
+				 scope,
 				 no_attrs,
 				 DSDB_FLAG_NEXT_MODULE |
 				 DSDB_FLAG_AS_SYSTEM,
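
Review bot: The result of the new LDB_SCOPE_ONELEVEL probe is stored in res, and res is released with TALLOC_FREE() only on the early-return path. On the other two branches the second dsdb_module_search() overwrites res while the first result is still allocated on change; free it before the second search. The new comment block also has trailing whitespace on its second line and duplicates the "Note: that we do not search for deleted/recycled objects" remark that stays in the comment below it.
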
diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
index eb57f91..63ccbde 100644
--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c
+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
@@ -642,7 +642,7 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques
 		/* We need to figure out our own extended DN, to fill in as the backlink target */
 		if (ret == LDB_SUCCESS) {
 			ret = dsdb_request_add_controls(search_req,
-							DSDB_SEARCH_SHOW_DELETED |
+							DSDB_SEARCH_SHOW_RECYCLED |
 							DSDB_SEARCH_SHOW_EXTENDED_DN);
 		}
 		if (ret == LDB_SUCCESS) {
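Review bot: Nothing at this call site in linked_attributes_modify() records why DSDB_SEARCH_SHOW_DELETED can be replaced by DSDB_SEARCH_SHOW_RECYCLED. If the reason is that the RECYCLED flag also covers deleted objects, a one-line comment above the dsdb_request_add_controls() call saying so would stop a later reader from restoring the old flag. The same applies to the identical change in la_add_callback().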
@@ -1000,7 +1000,7 @@ static int la_add_callback(struct ldb_request *req, struct ldb_reply *ares)
 
 		if (ret == LDB_SUCCESS) {
 			ret = dsdb_request_add_controls(search_req,
-							DSDB_SEARCH_SHOW_DELETED |
+							DSDB_SEARCH_SHOW_RECYCLED |
 							DSDB_SEARCH_SHOW_EXTENDED_DN);
 		}
 		if (ret != LDB_SUCCESS) {
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index b6ff7ff..c8cdfec 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2,10 +2,10 @@
    ldb database library
 
    Copyright (C) Simo Sorce  2004-2008
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
-   Copyright (C) Andrew Tridgell 2005
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005-2013
+   Copyright (C) Andrew Tridgell 2005-2009
    Copyright (C) Stefan Metzmacher <metze at samba.org> 2007
-   Copyright (C) Matthieu Patou <mat at samba.org> 2010
+   Copyright (C) Matthieu Patou <mat at samba.org> 2010-2011
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -92,9 +92,12 @@ struct replmd_replicated_request {
 
 	uint64_t seq_num;
 	bool is_urgent;
+
+	bool isDeleted;
 };
 
 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar);
+static int replmd_delete_internals(struct ldb_module *module, struct ldb_request *req, bool re_delete);
 
 enum urgent_situation {
 	REPL_URGENT_ON_CREATE = 1,
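Review bot: The new `bool isDeleted;` member of struct replmd_replicated_request has no comment saying what it records or at which step it is set, and its camelCase name departs from the neighbouring `seq_num` and `is_urgent`. Either rename it to `is_deleted`, or, if the name is meant to mirror the isDeleted attribute, state that in a comment next to the field.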
@@ -102,6 +105,70 @@ enum urgent_situation {
 	REPL_URGENT_ON_DELETE = 4
 };
 
+enum deletion_state {
+	OBJECT_NOT_DELETED=1,
+	OBJECT_DELETED=2,
+	OBJECT_RECYCLED=3,
+	OBJECT_TOMBSTONE=4,
+	OBJECT_REMOVED=5
+};
+
+static void replmd_deletion_state(struct ldb_module *module,
+				  const struct ldb_message *msg,
+				  enum deletion_state *current_state,
+				  enum deletion_state *next_state)
+{
+	int ret;
+	bool enabled = false;
+
+	if (msg == NULL) {
+		*current_state = OBJECT_REMOVED;
+		if (next_state != NULL) {
+			*next_state = OBJECT_REMOVED;
+		}
+		return;
+	}
+
+	ret = dsdb_recyclebin_enabled(module, &enabled);
+	if (ret != LDB_SUCCESS) {
+		enabled = false;
+	}
+
+	if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
+		if (!enabled) {
+			*current_state = OBJECT_TOMBSTONE;
+			if (next_state != NULL) {
+				*next_state = OBJECT_REMOVED;
+			}
+			return;
+		}
+
+		if (ldb_msg_check_string_attribute(msg, "isRecycled", "TRUE")) {
+			*current_state = OBJECT_RECYCLED;
+			if (next_state != NULL) {
+				*next_state = OBJECT_REMOVED;
+			}
+			return;
+		}
+
+		*current_state = OBJECT_DELETED;
+		if (next_state != NULL) {
+			*next_state = OBJECT_RECYCLED;
+		}
+		return;
+	}
+
+	*current_state = OBJECT_NOT_DELETED;
+	if (next_state == NULL) {
+		return;
+	}
+
+	if (enabled) {
+		*next_state = OBJECT_DELETED;
+	} else {
+		*next_state = OBJECT_TOMBSTONE;
+	}
+}
 
 static const struct {
 	const char *update_name;
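Review bot: In replmd_deletion_state() a failure of dsdb_recyclebin_enabled() is silently converted to `enabled = false`, so an object with isDeleted=TRUE is reported as OBJECT_TOMBSTONE with next state OBJECT_REMOVED even though the recycle bin setting could not be read. Because the function returns void, the caller cannot distinguish this from a real "disabled" answer; consider returning an int and propagating `ret`, or at least logging the failure. The function also needs a header comment stating its contract: `current_state` is dereferenced unconditionally while `next_state` is NULL-checked, and a NULL `msg` maps to OBJECT_REMOVED.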
@@ -154,7 +221,7 @@ static bool replmd_check_urgent_attribute(const struct ldb_message_element *el)
 }
 
 
-static int replmd_replicated_apply_next(struct replmd_replicated_request *ar);
+static int replmd_replicated_apply_isDeleted(struct replmd_replicated_request *ar);
 
 /*
   initialise the module
@@ -456,10 +523,7 @@ static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares)
 	}
 
 	if (ac->apply_mode) {
-		talloc_free(ares);
-		ac->index_current++;
-
-		ret = replmd_replicated_apply_next(ac);
+		ret = replmd_replicated_apply_isDeleted(ac);
 		if (ret != LDB_SUCCESS) {
 			return ldb_module_done(ac->req, NULL, NULL, ret);
 		}
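Review bot: The apply_mode branch of replmd_op_callback() no longer calls talloc_free(ares) or increments ac->index_current before handing off. Both now have to happen inside replmd_replicated_apply_isDeleted() or further along that path, which this hunk does not show. Please confirm that every exit from that function frees the reply and advances the index, and add a short comment here naming where that is done, since otherwise the reply is never freed and the index never moves on.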
@@ -2735,8 +2799,11 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
 }
 
 /*
-   remove links from objects that point at this object when an object
-   is deleted
+ * remove links from objects that point at this object when an object
+ * is deleted.  We remove it from the NEXT module per MS-DRSR 5.160
+ * RemoveObj which states that link removal due to the object being
+ * deleted is NOT an originating update - they just go away!
+ *
  */
 static int replmd_delete_remove_link(struct ldb_module *module,
 				     const struct dsdb_schema *schema,
@@ -2817,8 +2884,13 @@ static int replmd_delete_remove_link(struct ldb_module *module,
 
   This also handles the mapping of delete to a rename operation
   to allow deletes to be replicated.
+
+  It also handles the incoming deleted objects, to ensure they are
+  fully deleted here.  In that case re_delete is true, and we do not
+  use this as a signal to change the deleted state, just reinforce it.
+
  */
-static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
+static int replmd_delete_internals(struct ldb_module *module, struct ldb_request *req, bool re_delete)
 {
 	int ret = LDB_ERR_OTHER;
 	bool retb, disallow_move_on_delete;
@@ -2844,10 +2916,7 @@ static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
 		"trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated",
 		"whenChanged", NULL};
 	unsigned int i, el_count = 0;
-	enum deletion_state { OBJECT_NOT_DELETED=1, OBJECT_DELETED=2, OBJECT_RECYCLED=3,
-						OBJECT_TOMBSTONE=4, OBJECT_REMOVED=5 };
 	enum deletion_state deletion_state, next_deletion_state;
-	bool enabled;
 
 	if (ldb_dn_is_special(req->op.del.dn)) {
 		return ldb_next_request(module, req);
@@ -2861,6 +2930,7 @@ static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
 


-- 
Samba Shared Repository

