[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Fri Sep 6 04:52:09 MDT 2013


The branch, v4-0-test has been updated
       via  f9c157c Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
       via  70be15b Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
       via  9930f28 Move the manipulation of site_name into the caller function dsgetdcname().
       via  6ddc9a5 Refactor dsgetdcname to be called via a wrapper function.
       via  8943d97 dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
       via  e0beb5a smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
       via  df9fd7f smbd: Fix error return for STREAM_INFO
       via  d594876 smbd: Revert a93f9c3
       via  aadd02d smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
       via  cedcde9 smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
       via  ef717ef smbd: qfsinfo has fixed/variable buffers
       via  4220369 smbd: qfilepathinfo has fixed/variable buffers
       via  12c77c7 smbd: Use #defines in smb2_getinfo_send
       via  6dc2f7f s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
       via  cc100f0 s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
       via  235342b s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
       via  2c608aa s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
       via  71c00f1 s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
       via  067ce71 torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
       via  cf1ae22 selftest: Add a basic test of samba_upgradedns
       via  8424ea2 selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
       via  e94d37c selftest: Test creation of the dns-SERVER account during selftest
       via  8e618de scripting/samba_upgradedns: Tighten up exception and attribute list handling
       via  d17713f scripting/join.py: Handle creating the dns-NAME account during a DC join
       via  6bed1b2 selftest: Fix specification of --machinepass to actually set a unique password
      from  8749a30 s3:lib/gencache: place gencache.tdb into /var/cache/samba

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit f9c157cf6892e02e765a64601c4a286d8dadece4
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 14:07:43 2013 -0700

    Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Sep  4 01:19:05 CEST 2013 on sn-devel-104
    
    (cherry picked from commit bdab6f9431715fbfd28f8cc0dfb4dde2966f22f3)
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Fri Sep  6 12:51:06 CEST 2013 on sn-devel-104

commit 70be15bdb448b9c6c8ec047ce6f6df4a696ce61e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:20:52 2013 -0700

    Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 68e7b1c9446c7d1274b0fb85b59b90ac1a7f6041)

commit 9930f28a3cf94bdbeb11f551926c105f27c1c12e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:08:46 2013 -0700

    Move the manipulation of site_name into the caller function dsgetdcname().
    
    Leave dsgetdcname_internal() only using const char *site_name.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 181c11066bd53b07015a199f56eb71182e89ff71)

commit 6ddc9a57d025fe196b2f820cfa27429a3acf5643
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:04:37 2013 -0700

    Refactor dsgetdcname to be called via a wrapper function.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 66006be7ef703b2935334633d27641050cee5f58)

commit 8943d971ee729e7f00e17125b9011d9456f220f3
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:13:45 2013 -0700

    dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit dd12bfbcbf359c1642cc2e968aec62ae904aad5d)

commit e0beb5a2f258757f64ef3c4d0f6928e67a1e5d5b
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:40:19 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
    
    This is required if the client offered less buffer than the fixed portion
    of the info level data requires
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 1b1935b876a14154ef74e447bf53eb7cd0a5dde9)

commit df9fd7fae1adf496f8a9337755684c2a010760ec
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:39:17 2013 +0000

    smbd: Fix error return for STREAM_INFO
    
    The stream_info marshalling follows its own rules. This needs unifying
    eventually...
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 5634f240fd4273cb7327111140ccbea0fd41e3fc)

commit d594876817e5667af56257236fb0bd4af98e80d1
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:38:29 2013 +0000

    smbd: Revert a93f9c3
    
    This was too broad and has been replaced by finer-grained error checks
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b37edda32930fec372d6467d442f67532c3fbd33)

commit aadd02d8c4f6a378a4aabb882287e4b0897cfe65
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:37:34 2013 +0000

    smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
    
    Also, don't overflow the client buffer
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9)

commit cedcde95dd2e391fbdc720f5634f7aa7136aa8c0
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:36:03 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
    
    We have to return this error if the client offered less than the fixed
    portion of the infolevel data requires
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 91939614760837b2ac2c6bb8b5daac108a4f4670)

commit ef717efda15ad4d8c8100babf9f9ca63f92d7ee3
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfsinfo has fixed/variable buffers
    
    The error message will have to change depending whether the buffer is
    too small for the fixed or variable buffers
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit ac41df91a5a425633fc716ca02187e753879d795)

commit 4220369fe28e54c630392ee99e9eb7ec0dceafaf
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfilepathinfo has fixed/variable buffers
    
    The error message will have to change depending whether the buffer is
    too small for the fixed or variable buffers
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 53123996033594f68a3fc9037474aada3aef0750)

commit 12c77c7c24e1c619018e794149367c867f3c85a7
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Aug 26 08:36:14 2013 +0000

    smbd: Use #defines in smb2_getinfo_send
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Tue Aug 27 15:08:08 CEST 2013 on sn-devel-104
    
    (cherry picked from commit 323cccd35d06c7327c19dc5cb891043507624d7d)

commit 6dc2f7f0beda5e47713a360b528449d33495b09d
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 16:43:39 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit 270d29a743a030653037cb176f3764bec3c79b6c)

commit cc100f000421ef8fd147552d9de32676e141e774
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 15:52:06 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit ec46f6b91941e38dd92f8e0fb0f278592e3157b6)

commit 235342b63b14745c102b94333d0699b5ac3e6325
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Jul 5 11:32:27 2013 +0200

    s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit 616777f029e462f53c5118d79de8c6405a5fb7c1)

commit 2c608aa2d2393f8e24b85b98e079b43d8c53d527
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Jul 5 11:03:16 2013 +0200

    s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit a91d2b05bab329a8a9772c2c79a3b1e02933182e)

commit 71c00f1138bae008d3fe0bb6df86b8317c228f40
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 08:59:58 2013 +0200

    s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit a93f9c3d33e442c84d0c9da7eb5d25ca4b54fc33)

commit 067ce71566b34cd17548c321cc0e2c80c484edf3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 21:00:28 2012 +1100

    torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
    
    This exercises some more of the dlz_bind9 code outside BIND, by
    sending in a ticket to be access checked, wrapped either in SPNEGO or
    just in GSSAPI.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Sep  4 11:25:10 CEST 2013 on sn-devel-104
    
    (cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)
    
    The last 7 patches address bug #9091 - When replicating DNS for bind9_dlz we
    need to create the server-DNS account remotely.

commit cf1ae22648dff54696947c2a70762bab21b993fc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 10:06:39 2012 +1100

    selftest: Add a basic test of samba_upgradedns
    
    This does not check that the command runs correctly, but does at least check
    that the command runs to completion without errors.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)

commit 8424ea2489b6b1575616f322ca44d28a329e27a1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 09:25:11 2012 +1100

    selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
    
    This shows that the internal server can use the dns-SERVER account.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)

commit e94d37c6fce80e3e5d1a7678776b7101f552fd41
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 26 10:03:47 2012 +1100

    selftest: Test creation of the dns-SERVER account during selftest
    
    We do this by having the samba-tool domain dcpromo for promoted_vampire_dc also create a
    dns-SERVER account.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)

commit 8e618de1fdc09b052f5e98b2e5f78210270c04b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 24 09:12:04 2012 +1100

    scripting/samba_upgradedns: Tighten up exception and attribute list handling
    
    This avoids asking for attributes that will not be used, and looks only for the
    expected exceptions, rather than all exceptions.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)

commit d17713f7651c333a35ac1069fb3acf17d416b80a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 24 08:56:50 2012 +1100

    scripting/join.py: Handle creating the dns-NAME account during a DC join
    
    This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the
    domain.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)

commit 6bed1b2f6f3ab32b31eedffa05efb438d3e3d299
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Feb 28 22:57:45 2013 +1100

    selftest: Fix specification of --machinepass to actually set a unique password
    
    Because perl does not assert on dereferencing an invalid hash key
    we did not notice that the passwords were being set to machine, not
    machineloCalMemberPass.
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit 166288b162e7b658b48bc908c71f635928edc5b5)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/join.py                        |   73 ++++++++++++++++++++++-
 python/samba/provision/sambadns.py          |   11 +++-
 selftest/target/Samba4.pm                   |   14 ++--
 source3/libsmb/dsgetdcname.c                |   85 ++++++++++++++++++++------
 source3/smbd/globals.h                      |    2 +
 source3/smbd/smb2_getinfo.c                 |   47 +++++++++++++--
 source3/smbd/trans2.c                       |   55 +++++++++++++++++-
 source4/scripting/bin/samba_upgradedns      |   30 ++++++---
 source4/selftest/tests.py                   |    3 +-
 source4/setup/secrets_dns.ldif              |    2 +-
 source4/torture/dns/dlz_bind9.c             |   78 ++++++++++++++++++++++++
 source4/torture/winbind/winbind.c           |    1 +
 testprogs/blackbox/test_samba_upgradedns.sh |   37 ++++++++++++
 13 files changed, 384 insertions(+), 54 deletions(-)
 create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index c55c22c..b2f4da4 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -26,9 +26,12 @@ from samba.ndr import ndr_pack
 from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
 from samba.credentials import Credentials, DONT_USE_KERBEROS
 from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
+from samba.provision.common import setup_path
 from samba.schema import Schema
 from samba.net import Net
 from samba.provision.sambadns import setup_bind9_dns
+from samba import read_and_sub_file
+from base64 import b64encode
 import logging
 import talloc
 import random
@@ -179,6 +182,19 @@ class dc_join(object):
                                        attrs=["msDS-krbTgtLink"])
                 if res:
                     ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
+                                       attrs=[])
+                if res:
+                    ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
+                                       attrs=[])
+                if res:
+                    raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
+
             if ctx.connection_dn is not None:
                 ctx.del_noerror(ctx.connection_dn)
             if ctx.krbtgt_dn is not None:
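Review bot: The RuntimeError raised after the second added search can fire for the wrong reason. ctx.del_noerror() ignores failures, as its name indicates, so if deleting the account matched by the first search fails, the follow-up (sAMAccountName=%s) search still finds it and the message claims the account lacks the expected servicePrincipalName. Consider doing one search on sAMAccountName with attrs=["servicePrincipalName"] and deciding from that result. Also build the exception text from the plain names rather than ldb.binary_encode() output, which is meant for filter strings.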
@@ -579,6 +595,56 @@ class dc_join(object):
                                                          "userAccountControl")
             ctx.samdb.modify(m)
 
+        if ctx.dns_backend.startswith("BIND9_"):
+            ctx.dnspass = samba.generate_random_password(128, 255)
+
+            recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"),
+                                                                {"DNSDOMAIN": ctx.dnsdomain,
+                                                                 "DOMAINDN": ctx.base_dn,
+                                                                 "HOSTNAME" : ctx.myname,
+                                                                 "DNSPASS_B64": b64encode(ctx.dnspass),
+                                                                 "DNSNAME" : ctx.dnshostname}))
+            for changetype, msg in recs:
+                assert changetype == ldb.CHANGETYPE_NONE
+                print "Adding DNS account %s with dns/ SPN" % msg["dn"]
+
+                # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
+                del msg["clearTextPassword"]
+                # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
+                del msg["isCriticalSystemObject"]
+                try:
+                    ctx.samdb.add(msg)
+                    dns_acct_dn = msg["dn"]
+                except ldb.LdbError, (num, _):
+                    if num != ldb.ERR_ENTRY_ALREADY_EXISTS:
+                        raise
+
+            # The account password set operation should normally be done over
+            # LDAP. Windows 2000 DCs however allow this only with SSL
+            # connections which are hard to set up and otherwise refuse with
+            # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
+            # over SAMR.
+            print "Setting account password for %s" % ctx.samname
+            try:
+                ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+                                      % ldb.binary_encode(ctx.myname),
+                                      ctx.dnspass,
+                                      force_change_at_next_login=False,
+                                      username=ctx.samname)
+            except ldb.LdbError, (num, _):
+                if num != ldb.ERR_UNWILLING_TO_PERFORM:
+                    pass
+                ctx.net.set_password(account_name="dns-" % ctx.myname,
+                                     domain_name=ctx.domain_name,
+                                     newpassword=ctx.dnspass)
+
+            res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE,
+                                   attrs=["msDS-KeyVersionNumber"])
+            if "msDS-KeyVersionNumber" in res[0]:
+                ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
+            else:
+                ctx.dns_key_version_number = None
+
     def join_add_objects2(ctx):
         """add the various objects needed for the join, for subdomains post replication"""
 
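Review bot: The SAMR fallback in the second except block cannot work as written. account_name="dns-" % ctx.myname has no %s, so the % operator raises TypeError instead of producing the account name, and "if num != ldb.ERR_UNWILLING_TO_PERFORM: pass" swallows every other LDAP error where the comment above it implies a re-raise. Use "dns-%s" % ctx.myname and raise in that branch. Separately, dns_acct_dn is assigned only when ctx.samdb.add(msg) succeeds, so the ERR_ENTRY_ALREADY_EXISTS path reaches the msDS-KeyVersionNumber search with the name undefined; assign it from msg["dn"] before the try. The "Setting account password for" message prints ctx.samname rather than the dns- account whose password is being set.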
@@ -861,13 +927,12 @@ class dc_join(object):
                             key_version_number=ctx.key_version_number)
 
         if ctx.dns_backend.startswith("BIND9_"):
-            dnspass = samba.generate_random_password(128, 255)
-
             setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
                             ctx.names, ctx.paths, ctx.lp, logger,
                             dns_backend=ctx.dns_backend,
-                            dnspass=dnspass, os_level=ctx.behavior_version,
-                            targetdir=ctx.targetdir)
+                            dnspass=ctx.dnspass, os_level=ctx.behavior_version,
+                            targetdir=ctx.targetdir,
+                            key_version_number=ctx.dns_key_version_number)
 
     def join_setup_trusts(ctx):
         """provision the local SAM."""
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index a5a45cf..4acc24b 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
 
 
 def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
-                        dnsdomain, dns_keytab_path, dnspass):
+                        dnsdomain, dns_keytab_path, dnspass, key_version_number):
     """Add DNS specific bits to a secrets database.
 
     :param secretsdb: Ldb Handle to the secrets database
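Review bot: key_version_number is added to secretsdb_setup_dns() as a required positional parameter, so any caller not updated in this patch fails with a TypeError, and the docstring's :param list does not describe it. Since the body maps None to 1 and setup_bind9_dns() already defaults the argument to None, declare it as key_version_number=None here as well and add a :param line for it.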
@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
     except OSError:
         pass
 
+    if key_version_number is None:
+        key_version_number = 1
+
     setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
             "REALM": realm,
             "DNSDOMAIN": dnsdomain,
             "DNS_KEYTAB": dns_keytab_path,
             "DNSPASS_B64": b64encode(dnspass),
+            "KEY_VERSION_NUMBER": str(key_version_number),
             "HOSTNAME": names.hostname,
             "DNSNAME" : '%s.%s' % (
                 names.netbiosname.lower(), names.dnsdomain.lower())
@@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
 
 def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
         dns_backend, os_level, site=None, dnspass=None, hostip=None,
-        hostip6=None, targetdir=None):
+        hostip6=None, targetdir=None, key_version_number=None):
     """Provision DNS information (assuming BIND9 backend in DC role)
 
     :param samdb: LDB object connected to sam.ldb file
@@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
     secretsdb_setup_dns(secretsdb, names,
                         paths.private_dir, realm=names.realm,
                         dnsdomain=names.dnsdomain,
-                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                        key_version_number=key_version_number)
 
     create_dns_dir(logger, paths)
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c8e71c8..9fd2d40 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -875,7 +875,7 @@ sub provision_member($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
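Review bot: The --machinepass line is one of six identical copies corrected in this file, and a misspelled hash key still interpolates as an empty string with no warning, which is how the wrong password went unnoticed. Build the value once in a small helper that dies when $ret->{PASSWORD} is undefined, and call it from each provision_* function so a future typo fails the test run instead of silently reusing the same password.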
@@ -943,7 +943,7 @@ sub provision_rpc_proxy($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1030,7 +1030,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1043,7 +1043,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1104,7 +1104,7 @@ sub provision_vampire_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1169,7 +1169,7 @@ sub provision_subdom_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
 	$cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1494,7 +1494,7 @@ sub provision_chgdcpass($$)
 				   "chgdcpassword.samba.example.com",
 				   "2008",
 				   "chgDCpass1",
-				   undef, "server services = -dns", "",
+				   undef, "", "",
 				   $extra_provision_options);
 
 	return undef unless(defined $ret);
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 028a31b..6818b01 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -320,7 +320,6 @@ static NTSTATUS dsgetdcname_cache_fetch(TALLOC_CTX *mem_ctx,
 					const char *domain_name,
 					const struct GUID *domain_guid,
 					uint32_t flags,
-					const char *site_name,
 					struct netr_DsRGetDCNameInfo **info_p)
 {
 	char *key;
@@ -393,7 +392,7 @@ static NTSTATUS dsgetdcname_cached(TALLOC_CTX *mem_ctx,
 	NTSTATUS status;
 
 	status = dsgetdcname_cache_fetch(mem_ctx, domain_name, domain_guid,
-					 flags, site_name, info);
+					 flags, info);
 	if (!NT_STATUS_IS_OK(status)
 	    && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
 		DEBUG(10,("dsgetdcname_cached: cache fetch failed with: %s\n",
@@ -1094,12 +1093,10 @@ static bool is_closest_site(struct netr_DsRGetDCNameInfo *info)
 }
 
 /********************************************************************
- dsgetdcname.
-
- This will be the only public function here.
+ Internal dsgetdcname.
 ********************************************************************/
 
-NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
+static NTSTATUS dsgetdcname_internal(TALLOC_CTX *mem_ctx,
 		     struct messaging_context *msg_ctx,
 		     const char *domain_name,
 		     const struct GUID *domain_guid,
@@ -1109,15 +1106,14 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 {
 	NTSTATUS status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	struct netr_DsRGetDCNameInfo *myinfo = NULL;
-	char *query_site = NULL;
 	bool first = true;
 	struct netr_DsRGetDCNameInfo *first_info = NULL;
 
-	DEBUG(10,("dsgetdcname: domain_name: %s, "
+	DEBUG(10,("dsgetdcname_internal: domain_name: %s, "
 		  "domain_guid: %s, site_name: %s, flags: 0x%08x\n",
 		  domain_name,
 		  domain_guid ? GUID_string(mem_ctx, domain_guid) : "(null)",
-		  site_name, flags));
+		  site_name ? site_name : "(null)", flags));
 
 	*info = NULL;
 
@@ -1126,18 +1122,12 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if ((site_name == NULL) || (site_name[0] == '\0')) {
-		query_site = sitename_fetch(domain_name);
-	} else {
-		query_site = SMB_STRDUP(site_name);
-	}
-
 	if (flags & DS_FORCE_REDISCOVERY) {
 		goto rediscover;
 	}
 
 	status = dsgetdcname_cached(mem_ctx, msg_ctx, domain_name, domain_guid,
-				    flags, query_site, &myinfo);
+				    flags, site_name, &myinfo);
 	if (NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
@@ -1148,12 +1138,10 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 
  rediscover:
 	status = dsgetdcname_rediscover(mem_ctx, msg_ctx, domain_name,
-					domain_guid, flags, query_site,
+					domain_guid, flags, site_name,
 					&myinfo);
 
  done:
-	SAFE_FREE(query_site);
-
 	if (!NT_STATUS_IS_OK(status)) {
 		if (!first) {
 			*info = first_info;
@@ -1168,10 +1156,67 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 		first = false;
 		first_info = myinfo;
 		/* TODO: may use the next_closest_site here */
-		query_site = SMB_STRDUP(myinfo->client_site_name);
+		site_name = myinfo->client_site_name;
 		goto rediscover;
 	}
 
 	*info = myinfo;
 	return NT_STATUS_OK;
 }
+
+/********************************************************************
+ dsgetdcname.
+
+ This will be the only public function here.
+********************************************************************/
+
+NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
+		     struct messaging_context *msg_ctx,
+		     const char *domain_name,
+		     const struct GUID *domain_guid,
+		     const char *site_name,
+		     uint32_t flags,
+		     struct netr_DsRGetDCNameInfo **info)
+{
+	NTSTATUS status;
+	const char *query_site = NULL;
+	char *ptr_to_free = NULL;
+	bool retry_query_with_null = false;
+
+	if ((site_name == NULL) || (site_name[0] == '\0')) {
+		ptr_to_free = sitename_fetch(domain_name);
+		if (ptr_to_free != NULL) {
+			retry_query_with_null = true;
+		}
+		query_site = ptr_to_free;
+	} else {
+		query_site = site_name;
+	}
+
+	status = dsgetdcname_internal(mem_ctx,
+				msg_ctx,
+				domain_name,
+				domain_guid,
+				query_site,
+				flags,
+				info);
+
+	SAFE_FREE(ptr_to_free);
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+		return status;
+	}
+
+	/* Should we try again with site_name == NULL ? */
+	if (retry_query_with_null) {
+		status = dsgetdcname_internal(mem_ctx,
+					msg_ctx,
+					domain_name,
+					domain_guid,
+					NULL,
+					flags,
+					info);
+	}
+
+	return status;
+}
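Review bot: In the new dsgetdcname() wrapper, the fallback to a NULL site runs whenever the name returned by sitename_fetch() ends in NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, but nothing here clears or refreshes that cached site name, so every later call repeats the failing site-specific lookup before falling back. Consider invalidating the cached entry when the fallback is taken, and extend the header comment (currently only "This will be the only public function here.") to describe the NULL/"" handling and the retry. Separately, `site_name = myinfo->client_site_name;` now aliases memory owned by myinfo instead of a private copy, so the second rediscover pass relies on first_info staying allocated; a short comment stating that would help.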
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index b1f69c8..c7badbc 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -138,6 +138,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
 			       char *lock_data,
 			       uint16_t flags2,
 			       unsigned int max_data_bytes,
+			       size_t *fixed_portion,
 			       char **ppdata,
 			       unsigned int *pdata_size);
 
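Review bot: The new `size_t *fixed_portion` out-parameter of smbd_do_qfilepathinfo() is undocumented: the prototype does not say whether NULL is allowed or whether the value is stored on every successful return path. The caller in smb2_getinfo.c reads it right after a successful return, so state that contract in a comment on the function and either require a non-NULL pointer or guard the stores.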
@@ -155,6 +156,7 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn,
 			 uint16_t info_level,
 			 uint16_t flags2,
 			 unsigned int max_data_bytes,
+			 size_t *fixed_portion,
 			 struct smb_filename *smb_fname,
 			 char **ppdata,
 			 int *ret_data_len);
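Review bot: smbd_do_qfsinfo() now carries three different integer types for sizes in one signature: `unsigned int max_data_bytes`, `size_t *fixed_portion` and `int *ret_data_len`. Comparisons between the signed length and the unsigned limits are easy to get wrong; consider making ret_data_len unsigned to match the `unsigned int *pdata_size` of smbd_do_qfilepathinfo(), or note why it has to stay signed.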
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 5616c84..449aeb3 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -159,7 +159,10 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq)
 		return;
 	}
 
-	if (!NT_STATUS_IS_OK(call_status)) {
+	/* some GetInfo responses set STATUS_BUFFER_OVERFLOW and return partial,
+	   but valid data */
+	if (!(NT_STATUS_IS_OK(call_status) ||
+	      NT_STATUS_EQUAL(call_status, STATUS_BUFFER_OVERFLOW))) {
 		/* Return a specific error with data. */
 		error = smbd_smb2_request_error_ex(req,
 						call_status,
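Review bot: The relaxed condition in smbd_smb2_request_getinfo_done() is not limited to any info type or class, so any subrequest that finishes with STATUS_BUFFER_OVERFLOW now takes the success path and ships its output buffer. That is only safe if every place that sets this status has already trimmed the buffer to the length the client asked for; the comment should name the classes that are expected to do this rather than say "some GetInfo responses".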
@@ -194,7 +197,7 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq)
 
 	outdyn = out_output_buffer;
 
-	error = smbd_smb2_request_done(req, outbody, &outdyn);
+	error = smbd_smb2_request_done_ex(req, call_status, outbody, &outdyn, __location__);
 	if (!NT_STATUS_IS_OK(error)) {
 		smbd_server_connection_terminate(req->sconn,
 						 nt_errstr(error));
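Review bot: The new smbd_smb2_request_done_ex() call runs past 80 columns; wrap its arguments the way the smbd_smb2_request_error_ex() call above is wrapped. Passing call_status through is correct only because the earlier check lets just OK and STATUS_BUFFER_OVERFLOW reach this point, so a one-line comment tying the two together would keep a later edit from leaking other statuses into a success reply.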
@@ -279,7 +282,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 	}
 
 	switch (in_info_type) {
-	case 0x01:/* SMB2_GETINFO_FILE */
+	case SMB2_GETINFO_FILE:
 	{
 		uint16_t file_info_level;
 		char *data = NULL;
@@ -290,6 +293,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 		struct ea_list *ea_list = NULL;
 		int lock_data_count = 0;
 		char *lock_data = NULL;
+		size_t fixed_portion;
 
 		ZERO_STRUCT(write_time_ts);
 
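Review bot: `size_t fixed_portion;` is declared without an initialiser, and later in this case it is compared against in_output_buffer_length once the query call has succeeded. If any info level returns success without storing to it, that comparison reads an indeterminate value and the client can get a spurious NT_STATUS_INFO_LENGTH_MISMATCH. Initialise it to 0 at the declaration.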
@@ -377,6 +381,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 					       lock_data,
 					       STR_UNICODE,
 					       in_output_buffer_length,
+					       &fixed_portion,
 					       &data,
 					       &data_size);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -387,6 +392,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 			tevent_req_nterror(req, status);
 			return tevent_req_post(req, ev);
 		}
+		if (in_output_buffer_length < fixed_portion) {
+			SAFE_FREE(data);
+			tevent_req_nterror(
+				req, NT_STATUS_INFO_LENGTH_MISMATCH);
+			return tevent_req_post(req, ev);
+		}
 		if (data_size > 0) {
 			state->out_output_buffer = data_blob_talloc(state,
 								    data,
@@ -395,16 +406,22 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 			if (tevent_req_nomem(state->out_output_buffer.data, req)) {
 				return tevent_req_post(req, ev);
 			}
+			if (data_size > in_output_buffer_length) {
+				state->out_output_buffer.length =
+					in_output_buffer_length;
+				status = STATUS_BUFFER_OVERFLOW;
+			}
 		}
 		SAFE_FREE(data);
 		break;
 	}
 
-	case 0x02:/* SMB2_GETINFO_FS */
+	case SMB2_GETINFO_FS:
 	{
 		uint16_t file_info_level;
 		char *data = NULL;
 		int data_size = 0;
+		size_t fixed_portion;
 
 		/* the levels directly map to the passthru levels */
 		file_info_level = in_file_info_class + 1000;
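Review bot: In the `data_size > in_output_buffer_length` branch the blob appears to have been allocated and copied at the full data_size already, and only its length field is cut back afterwards. Passing MIN(data_size, in_output_buffer_length) to data_blob_talloc() would avoid copying and holding the tail that is never sent. The `size_t fixed_portion;` added for the SMB2_GETINFO_FS case is also uninitialised; give it `= 0` as well.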
@@ -413,10 +430,14 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 					 file_info_level,
 					 STR_UNICODE,
 					 in_output_buffer_length,
+					 &fixed_portion,
 					 fsp->fsp_name,
 					 &data,
 					 &data_size);
-		if (!NT_STATUS_IS_OK(status)) {
+		/* some responses set STATUS_BUFFER_OVERFLOW and return


-- 
Samba Shared Repository

