[SCM] Samba Shared Repository - branch v4-5-test updated
Karolin Seeger
kseeger at samba.org
Thu Apr 20 14:37:02 UTC 2017
The branch, v4-5-test has been updated
via 685437e s3:smbd: Fix incorrect use of sys_getgroups()
via 36a97de s3:lib: Fix incorrect logic in sys_broken_getgroups()
via 96c7150 lib: debug: Avoid negative array access.
via 5cba8bb vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
via c0bf985 vfs_acl_xattr: factor out fetching of an extended attribute
via 4b0b012 vfs_xattr_tdb: handle case of zero size.
via 5e29379 selftest: test fetching a large ACL from vfs_acl_xattr
via 8c283d4 ctdb-docs: Fix documentation of -n option to ctdb tool
via 490f722 winbindd: trigger possible passdb_dsdb initialisation
via 46abe7f winbindd: error handling in rpc_lookup_sids()
via bc6d901 s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
via 84c7c56 s3/rpc_client: use NT_STATUS_LOOKUP_ERR
via f81a0ff s3/include: add NT_STATUS_LOOKUP_ERR
via 2735992 selftest: fix for wbinfo -s tests for wellknown SIDs
via cca29f8 winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
via 888e75a selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
via 82bbb79 selftest: wbinfo -s tests for wellknown SIDs
via 089711e winbindd: use passdb backend for well-known SIDs
via 6bcfe2d s4/torture: vfs_fruit: test for bug 12565
via 92cc3b2 vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
via 1de3e92 waf: Explicitly link libreplace against libnss_wins.so
via f54ff44 selftest: Test for bug 12558
via 2ead4b4 smbd: Fix smb1 findfirst with DFS
via 3dc328c winbindd: Fix password policy for pam authentication
via 107f3ee selftest: tests idmap mapping with idmap_rid
via 6249de7 selftest: new environment "ad_member_idmap_rid"
via d5d552d winbindd: remove unused single_domains array
via 82cf367 winbindd: use correct domain name for failed lookupsids
from fa9bc20 VERSION: Bump version up to 4.5.9.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test
- Log -----------------------------------------------------------------
commit 685437eb89fb11bfd9cb8bc8703b3539b665c624
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 17 14:30:54 2017 -0700
s3:smbd: Fix incorrect use of sys_getgroups()
Second arg must be NULL when first arg is 0 (it is in all other places).
Bug report and patch from Hanno Böck <hanno at hboeck.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144
(cherry picked from commit 76b351e907f67cc7d4af4e7d800c7a3aa1269ee8)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Thu Apr 20 16:36:14 CEST 2017 on sn-devel-144
commit 36a97de00dee6dd7acdb0a2fd3322f5ddef1831e
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 17 14:30:04 2017 -0700
s3:lib: Fix incorrect logic in sys_broken_getgroups()
If setlen == 0 then the second argument must be ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 60af864f751706c48b8af448700bf06e33e45946)
commit 96c71509470be1685d9941b70796e534481a48e6
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 17 14:09:24 2017 -0700
lib: debug: Avoid negative array access.
Report and patch from Hanno Böck <hanno at hboeck.de>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12746
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 600f8787e3b605c9f3e8f724c726e63157ee9efc)
commit 5cba8bb5846e7fc53c517c65bc6873e87db84509
Author: Uri Simchoni <uri at samba.org>
Date: Thu Apr 13 12:44:58 2017 +0300
vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
When obtaining the security descriptor via getxattr(), first try
optimistically to supply a buffer of 4K, and if that turns out
to be too small, determine the correct buffer size.
The previous behavior of falling back to a 64K buffer encountered
problems with Linux prior to version 3.6, due to physical memory
fragmentation. With those kernels, as long as the buffer is 8K or
smaller, getting the xattr is much less prone to failure due to
memory fragmentation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144
(cherry picked from commit 05d83ccf7a6fecf963fcb980acd50cebfc0c3ea9)
commit c0bf985b472d56a675cb4b17aed43de63e42c0be
Author: Uri Simchoni <uri at samba.org>
Date: Sun Apr 9 00:40:44 2017 +0300
vfs_acl_xattr: factor out fetching of an extended attribute
Pure refactoring - add a function that fetches an extended attribute
based on either the file descriptor or the file name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7b775abd9278ae34110ec87d94a736be7f64884a)
commit 4b0b01268f1d42a8c2615946c1fe0ba364bdf3c1
Author: Uri Simchoni <uri at samba.org>
Date: Thu Apr 13 12:50:47 2017 +0300
vfs_xattr_tdb: handle case of zero size.
With getxattr(), passing a zero buffer size is a
way of obtaining actual xattr size.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4dfa2d6a0972847e3b21ddf05077e50ed72c4ea8)
commit 5e2937966fe20e3747c080ce171c106af157d7f8
Author: Uri Simchoni <uri at samba.org>
Date: Sun Apr 9 00:20:40 2017 +0300
selftest: test fetching a large ACL from vfs_acl_xattr
Add a test that fetches an ACL whose size is larger than 4K.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(back-ported from commit 5017dfeef24b8d568e0146c085f3f979d688acf2)
commit 8c283d4d316a022bef327018fa6409eab15844b8
Author: Amitay Isaacs <amitay at gmail.com>
Date: Thu Apr 6 12:20:21 2017 +1000
ctdb-docs: Fix documentation of -n option to ctdb tool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12733
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: David Disseldorp <ddiss at samba.org>
(cherry picked from commit 7f714a436250dfeaa1970f78090ef066482711f0)
commit 490f72216c915b25a4a4b2aa24da5894255c85ef
Author: Ralph Boehme <slow at samba.org>
Date: Wed Mar 29 11:13:46 2017 +0200
winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.
The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144
(cherry picked from commit 8b32fc4006ae338ddee7c0e5991958ec3463da0d)
commit 46abe7f06c3cbaee205f82da8e91f49859a488ed
Author: Ralph Boehme <slow at samba.org>
Date: Sun Mar 26 08:22:13 2017 +0200
winbindd: error handling in rpc_lookup_sids()
NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.
In case we got NT_STATUS_NONE_MAPPED we must ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8dfbba59d768b10f6b088cfc49e5dbe6de4834e1)
commit bc6d9010cbe8b5320be489c52da8870b64f9c2f7
Author: Ralph Boehme <slow at samba.org>
Date: Sat Apr 1 16:51:07 2017 +0200
s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 416c74e8c89dc2fb2083beaaa9ac8a6e975ec873)
commit 84c7c56dcd74d57c2ae2b27aac775ea7a35e2cfd
Author: Ralph Boehme <slow at samba.org>
Date: Sat Apr 1 16:56:39 2017 +0200
s3/rpc_client: use NT_STATUS_LOOKUP_ERR
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 0e7e4ebad31caa1ccb392f2fe20c67929149b8c9)
commit f81a0ff5184aac642209691830db7be2735dd741
Author: Ralph Boehme <slow at samba.org>
Date: Sat Apr 1 16:44:45 2017 +0200
s3/include: add NT_STATUS_LOOKUP_ERR
Useful helper macro to check the return value of LSA and SAMR
translations.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit fc37c7327dc7e4ad4405e324fc88d4bbf9b6ef9e)
commit 27359922c2fa31d74942bb717b9a62b32cedc948
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 31 16:06:18 2017 +0200
selftest: fix for wbinfo -s tests for wellknown SIDs
Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f)
commit cca29f8cfee786805ed6c9d7e31a0b54ff0dc8ae
Author: Ralph Boehme <slow at samba.org>
Date: Sun Apr 2 13:42:45 2017 +0200
winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Those are implicitly already caught by the
if (sid->num_auths != 5)
check, but I'd like to make the desired behaviour more obvious.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 167bb5ead8c7193d173fdba8a453279d422fa7ea)
commit 888e75a37868b250042139c5a1c3874bef260935
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 31 16:24:05 2017 +0200
selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8bd5f774fdc1f4ea012885262eb0f40640504de8)
commit 82bbb7924b0533892b19a83a06e7777d565e01bd
Author: Ralph Boehme <slow at samba.org>
Date: Fri Mar 31 16:06:18 2017 +0200
selftest: wbinfo -s tests for wellknown SIDs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2150de3a73527850547263e853faf4f3fedca6e6)
commit 089711efb6b3298b671d4d46f7f9119c42f96819
Author: Ralph Boehme <slow at samba.org>
Date: Thu Mar 30 23:41:59 2017 +0200
winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:
$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0
On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 6b7a14b4b9c3411bd2e05383917e8fdedae51c90)
commit 6bcfe2dc16602ac1365ea97056b222abb4158d7a
Author: Ralph Boehme <slow at samba.org>
Date: Tue Feb 7 15:13:15 2017 +0100
s4/torture: vfs_fruit: test for bug 12565
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 893fc5abbe0a1b63ebd81f442a8d544572ed76a9)
commit 92cc3b274e8ee7c7de8dc71355e2c47d2c6f926d
Author: Ralph Boehme <slow at samba.org>
Date: Tue Feb 7 07:44:40 2017 +0100
vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
When receiving an SMB create request with read-only access mode and
open_if disposition, we end up calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.
If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.
Running this create request against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create disposition is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a36de8b81aa88c31450e68ec54d6b659b1693878)
commit 1de3e9268908d5892bd795f696fcb8b7907bc30d
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 19 16:21:31 2016 +0200
waf: Explicitly link libreplace against libnss_wins.so
If we do not specify replace as a dependency here, it will not link to
libreplace using an rpath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Jim McDonough <jmcd at samba.org>
(cherry picked from commit d8a5565ae647352d11d622bd4e73ff4568678a7c)
commit f54ff446c4f04eb0654b05621d8f02182750eceb
Author: Volker Lendecke <vl at samba.org>
Date: Fri Apr 7 16:33:57 2017 +0200
selftest: Test for bug 12558
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3667876ebebb7181d89834e6038e2d7218c98797)
commit 2ead4b430fda09fde81ef2dac362b5931891e88a
Author: Volker Lendecke <vl at samba.org>
Date: Thu Apr 6 22:12:36 2017 +0200
smbd: Fix smb1 findfirst with DFS
9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit baa3e71f7968ec3239d80d7602839c2d7c2de74f)
commit 3dc328cf7a46e92f8b933f784bf36e5a103e55de
Author: Christof Schmitt <cs at samba.org>
Date: Mon Mar 27 15:11:08 2017 -0700
winbindd: Fix password policy for pam authentication
Authenticating users from trusted domains would return the password
policy of the joined domain. Fix the code so that the password policy of
the joined domain is only returned for users from that domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Christof Schmitt <cs at samba.org>
Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144
(cherry picked from commit bc39fb07ced84af4d97853d00d07fb4293352686)
commit 107f3eeebe7f4a372473e18d3237f9a17ebaf0ee
Author: Ralph Boehme <slow at samba.org>
Date: Wed Apr 5 13:27:51 2017 +0200
selftest: tests idmap mapping with idmap_rid
This adds two blackbox tests that run wbinfo --sids-to-unix-ids:
o a non-existing SID from the primary domain should return a mapping
o a SID with a bogus (and therefore unknown) domain must not return a mapping
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Apr 7 00:05:02 CEST 2017 on sn-devel-144
(cherry picked from commit b680ceebf85b2403758a0f9e931f1211e9b80e8d)
commit 6249de7f8e5184fd9c8d02f178bd153b36368d4d
Author: Ralph Boehme <slow at samba.org>
Date: Wed Apr 5 13:27:14 2017 +0200
selftest: new environment "ad_member_idmap_rid"
This uses idmap_rid for the primary domain.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ef10b43469f5b31a696259a70b3e116a350bfd3d)
commit d5d552d1f963a2f91da2b33a55a89ae711e9ccdc
Author: Ralph Boehme <slow at samba.org>
Date: Tue Apr 4 14:23:03 2017 +0200
winbindd: remove unused single_domains array
This was added as part of 9be918116e356c358ef77cc2933e471090088293, but
is not needed anymore as the previous commit changed the logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 9671811da8ad3f91ba7bb0fa868f806bc5afe863)
commit 82cf3678b8d008849e1a1d23b7f9a8be212c3604
Author: Ralph Boehme <slow at samba.org>
Date: Tue Apr 4 14:21:25 2017 +0200
winbindd: use correct domain name for failed lookupsids
What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.
But as a domain member, using
state->single_domains[state->single_sids_done]
for this purpose will always use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).
So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a684df160e692710e011c4eb6795a66772025c23)
-----------------------------------------------------------------------
Summary of changes:
ctdb/doc/ctdb.1.xml | 4 +-
lib/util/debug.c | 2 +-
nsswitch/tests/test_idmap_rid.sh | 66 +++++++++++++++++
nsswitch/tests/test_wbinfo.sh | 25 +++++++
nsswitch/wscript_build | 2 +-
selftest/knownfail | 6 --
selftest/target/Samba.pm | 1 +
selftest/target/Samba3.pm | 88 +++++++++++++++++++++++
selftest/target/Samba4.pm | 6 ++
source3/include/lsa.h | 4 ++
source3/lib/system.c | 12 ++--
source3/modules/vfs_acl_xattr.c | 84 +++++++++++++++-------
source3/modules/vfs_fruit.c | 14 ++++
source3/modules/vfs_xattr_tdb.c | 12 ++++
source3/rpc_client/cli_lsarpc.c | 8 +--
source3/script/tests/test_large_acl.sh | 59 +++++++++++++++
source3/script/tests/test_smbclient_s3.sh | 11 +++
source3/script/tests/test_wbinfo_sids2xids_int.py | 2 +-
source3/selftest/tests.py | 5 +-
source3/smbd/msdfs.c | 4 +-
source3/smbd/sec_ctx.c | 3 +-
source3/winbindd/wb_lookupsids.c | 21 +++---
source3/winbindd/winbindd_pam.c | 7 +-
source3/winbindd/winbindd_rpc.c | 9 +--
source3/winbindd/winbindd_util.c | 27 +++++--
source4/torture/vfs/fruit.c | 73 ++++++++++++++++++-
26 files changed, 477 insertions(+), 78 deletions(-)
create mode 100755 nsswitch/tests/test_idmap_rid.sh
create mode 100755 source3/script/tests/test_large_acl.sh
Changeset truncated at 500 lines:
diff --git a/ctdb/doc/ctdb.1.xml b/ctdb/doc/ctdb.1.xml
index 71af0a5..4508969 100644
--- a/ctdb/doc/ctdb.1.xml
+++ b/ctdb/doc/ctdb.1.xml
@@ -123,10 +123,10 @@
<title>OPTIONS</title>
<variablelist>
- <varlistentry><term>-n <parameter>PNN-LIST</parameter></term>
+ <varlistentry><term>-n <parameter>PNN</parameter></term>
<listitem>
<para>
- The nodes specified by PNN-LIST should be queried for the
+ The node specified by PNN should be queried for the
requested information. Default is to query the daemon
running on the local host.
</para>
diff --git a/lib/util/debug.c b/lib/util/debug.c
index ed89944..2662c2d 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -396,7 +396,7 @@ static void debug_backends_log(const char *msg, int msg_level)
* a buffer without the newline character.
*/
len = MIN(strlen(msg), FORMAT_BUFR_SIZE - 1);
- if (msg[len - 1] == '\n') {
+ if ((len > 0) && (msg[len - 1] == '\n')) {
len--;
}
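Review bot: no regression test accompanies the new `(len > 0)` guard on the `msg[len - 1]` test in debug_backends_log(); the summary of changes lists only lib/util/debug.c for this fix. An empty msg makes len 0, which is the case that previously indexed msg[-1], so a unit test that logs an empty string would keep the guard from being dropped later. The hunk also does not show what the code after `len--` does with len == 0, so that path is worth confirming in the same test.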
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
new file mode 100755
index 0000000..7fb5985
--- /dev/null
+++ b/nsswitch/tests/test_idmap_rid.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Test id mapping with various SIDs and idmap_rid
+#
+
+if [ $# -lt 1 ]; then
+ echo Usage: $0 DOMAIN RANGE_START
+ exit 1
+fi
+
+DOMAIN="$1"
+RANGE_START="$2"
+
+wbinfo="$VALGRIND $BINDIR/wbinfo"
+failed=0
+
+. `dirname $0`/../../testprogs/blackbox/subunit.sh
+
+DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")
+if [ $? -ne 0 ] ; then
+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+fi
+
+# Find an unused uid and SID
+RID=66666
+MAX_RID=77777
+while true ; do
+ id $RID
+ if [ $? -ne 0 ] ; then
+ SID="$DOMAIN_SID-$RID"
+ $wbinfo -s $SID
+ if [ $? -ne 0 ] ; then
+ break
+ fi
+ fi
+ RID=$(expr $RID + 1)
+ if [ $RID -eq $MAX_RID ] ; then
+ echo "Could not find free SID" | subunit_fail_test "test_idmap_rid"
+ exit 1
+ fi
+done
+
+#
+# Test 1: Using non-existing SID to check backend returns a mapping
+#
+
+EXPECTED_ID=$(expr $RID + $RANGE_START)
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> uid/gid $EXPECTED_ID\""
+test "$out" = "$SID -> uid/gid $EXPECTED_ID"
+ret=$?
+testit "Unknown RID from primary domain returns a mapping" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+#
+# Test 2: Using bogus SID with bad domain part to check idmap backend does not generate a mapping
+#
+
+SID=S-1-5-21-1111-2222-3333-666
+out="$($wbinfo --sids-to-unix-ids=$SID)"
+echo "wbinfo returned: \"$out\", expecting \"$SID -> unmapped\""
+test "$out" = "$SID -> unmapped"
+ret=$?
+testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1)
+
+exit $failed
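Review bot: the argument check `if [ $# -lt 1 ]` lets the script run with only DOMAIN, although the usage line names two arguments and RANGE_START is needed for `EXPECTED_ID=$(expr $RID + $RANGE_START)`; the test should be `-lt 2`. Separately, the `$?` tested after `DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")` is the exit status of cut, not of wbinfo, so a failed domain lookup is not caught there; checking that DOMAIN_SID is non-empty would catch it. `$SID` and `$RID` are also expanded unquoted in the wbinfo and id calls.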
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 1d14ca3..d3e5dc2 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -82,6 +82,31 @@ else
echo "success: wbinfo -s check for sane mapping"
fi
+while read SID ; do
+ read NAME
+
+ testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1`
+
+ RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z`
+ echo "$SID resolved to $RESOLVED_NAME"
+
+ echo "test: wbinfo -s $SID against $TARGET"
+ if test x"$RESOLVED_NAME" != x"$NAME" ; then
+ echo "$RESOLVED_NAME does not match $NAME"
+ echo "failure: wbinfo -s $SID against $TARGET"
+ failed=`expr $failed + 1`
+ else
+ echo "success: wbinfo -s $SID against $TARGET"
+ fi
+done <<EOF
+S-1-1-0
+/EVERYONE 5
+S-1-3-1
+/CREATOR GROUP 5
+S-1-5-1
+NT AUTHORITY/DIALUP 5
+EOF
+
testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1`
test_sid=`$wbinfo -n $tested_name | cut -d " " -f1`
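Review bot: in the new `while read SID` loop a SID that does not resolve is counted twice in `failed`, once by the `testit ... || failed=...` line and again by the name comparison, and `$wbinfo -s $SID` is executed twice per SID. Capturing the output once and deriving both results from it would keep the failure count equal to the number of failing SIDs. The expected names in the here-document hardcode a `/` separator and the type suffix 5, so a comment stating that the test assumes that separator on $TARGET would help whoever adds the next environment.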
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index f286896..ab8f8ea 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -42,7 +42,7 @@ if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
bld.SAMBA3_LIBRARY('nss_wins',
keep_underscore=True,
source='wins.c',
- deps='''wbclient''',
+ deps='wbclient replace',
public_headers=[],
public_headers_install=False,
pc_files=[],
diff --git a/selftest/knownfail b/selftest/knownfail
index 7c42777..17667cd 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -22,14 +22,12 @@
^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
@@ -217,10 +215,6 @@
#
^samba4.winbind.struct.domain_info\(s4member:local\)
^samba4.winbind.struct.getdcname\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--user-groups
-^samba.nss.test using winbind\(s4member:local\)
#
# These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
# hence we have a duplicate UID in nsswitch.
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index a8f3a9b..fc223bb 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -283,6 +283,7 @@ sub get_interface($)
# 11-16 used by selftest.pl for client interfaces
+ $interfaces{"idmapridmember"} = 20;
$interfaces{"localdc"} = 21;
$interfaces{"localvampiredc"} = 22;
$interfaces{"s4member"} = 23;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ce60b52..c574dda 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -541,6 +541,94 @@ sub setup_admember_rfc2307($$$$)
return $ret;
}
+sub setup_ad_member_idmap_rid($$$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH idmap_rid config...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+ idmap config $dcvars->{DOMAIN} : backend = rid
+ idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+";
+
+ my $ret = $self->provision($prefix,
+ "IDMAPRIDMEMBER",
+ "loCalMemberPass",
+ $member_options,
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
+
+ $ret or return undef;
+
+ close(USERMAP);
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+ $ret->{target} = $self;
+
+ return $ret;
+}
+
sub setup_simpleserver($$)
{
my ($self, $path) = @_;
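Review bot: `close(USERMAP);` after the provision call in setup_ad_member_idmap_rid() closes a filehandle that this function never opens, so it looks like a leftover and should be removed. The prototype `($$$$)` also declares four arguments while only `$self, $prefix, $dcvars` are unpacked and the Samba4.pm caller passes the path and `$self->{vars}->{ad_dc}`; `($$$)` would match what is used. The join command is built by string interpolation and handed to `system($cmd)`, which is acceptable for a selftest environment but worth a comment that the values come from the test harness only.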
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index f1de4b9..5956010 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2002,6 +2002,12 @@ sub setup_env($$$)
}
return $target3->setup_admember_rfc2307("$path/ad_member_rfc2307",
$self->{vars}->{ad_dc_ntvfs}, 34);
+ } elsif ($envname eq "ad_member_idmap_rid") {
+ if (not defined($self->{vars}->{ad_dc})) {
+ $self->setup_ad_dc("$path/ad_dc");
+ }
+ return $target3->setup_ad_member_idmap_rid("$path/ad_member_idmap_rid",
+ $self->{vars}->{ad_dc});
} elsif ($envname eq "none") {
return $self->setup_none("$path/none");
} else {
diff --git a/source3/include/lsa.h b/source3/include/lsa.h
index 7681aed..c23e942 100644
--- a/source3/include/lsa.h
+++ b/source3/include/lsa.h
@@ -22,4 +22,8 @@ int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
const char *dom_name,
struct dom_sid *dom_sid);
+#define NT_STATUS_LOOKUP_ERR(status) \
+ (!NT_STATUS_IS_OK(status) && \
+ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) && \
+ !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))
#endif
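Review bot: NT_STATUS_LOOKUP_ERR has no comment saying which codes it treats as non-fatal or why, and it tests `STATUS_SOME_UNMAPPED` while the commit messages for bug 12728 speak of NT_STATUS_SOME_NOT_MAPPED; a one-line comment naming both partial-success codes would remove the doubt for readers. The macro expands `status` three times, so the comment should also say that callers must pass a plain variable rather than an expression with side effects.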
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 3d3eeed..99462b6 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -790,12 +790,11 @@ int groups_max(void)
static int sys_broken_getgroups(int setlen, gid_t *gidset)
{
- GID_T gid;
GID_T *group_list;
int i, ngroups;
if(setlen == 0) {
- return getgroups(setlen, &gid);
+ return getgroups(0, NULL);
}
/*
@@ -808,9 +807,6 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset)
return -1;
}
- if (setlen == 0)
- setlen = groups_max();
-
if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) {
DEBUG(0,("sys_getgroups: Malloc fail.\n"));
return -1;
@@ -823,6 +819,12 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset)
return -1;
}
+ /*
+ * We're safe here as if ngroups > setlen then
+ * getgroups *must* return EINVAL.
+ * pubs.opengroup.org/onlinepubs/009695399/functions/getgroups.html
+ */
+
for(i = 0; i < ngroups; i++)
gidset[i] = (gid_t)group_list[i];
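Review bot: the copy loop `for(i = 0; i < ngroups; i++)` below the new comment writes to gidset with nothing but that comment bounding it to setlen entries. Because sys_broken_getgroups() exists for platforms whose getgroups() is already treated as non-conforming, an explicit check before the loop (fail with errno = EINVAL when ngroups > setlen) would bound the writes without depending on the POSIX guarantee the comment cites.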
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index e1f90ff..421860b 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -37,17 +37,45 @@
Pull a security descriptor into a DATA_BLOB from a xattr.
*******************************************************************/
+static ssize_t getxattr_do(vfs_handle_struct *handle,
+ files_struct *fsp,
+ const struct smb_filename *smb_fname,
+ const char *xattr_name,
+ uint8_t *val,
+ size_t size)
+{
+ ssize_t sizeret;
+ int saved_errno = 0;
+
+ become_root();
+ if (fsp && fsp->fh->fd != -1) {
+ sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size);
+ } else {
+ sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name,
+ XATTR_NTACL_NAME, val, size);
+ }
+ if (sizeret == -1) {
+ saved_errno = errno;
+ }
+ unbecome_root();
+
+ if (saved_errno != 0) {
+ errno = saved_errno;
+ }
+
+ return sizeret;
+}
+
static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
vfs_handle_struct *handle,
files_struct *fsp,
const struct smb_filename *smb_fname,
DATA_BLOB *pblob)
{
- size_t size = 1024;
+ size_t size = 4096;
uint8_t *val = NULL;
uint8_t *tmp;
ssize_t sizeret;
- int saved_errno = 0;
ZERO_STRUCTP(pblob);
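Review bot: in getxattr_do() the fd branch passes the `xattr_name` parameter to SMB_VFS_FGETXATTR, but the path branch passes the constant `XATTR_NTACL_NAME` to SMB_VFS_GETXATTR, so the parameter is ignored whenever there is no open fd. Both visible callers pass XATTR_NTACL_NAME, so behaviour is unchanged today, but the helper is presented as generic and the path branch should use `xattr_name` as well. A short comment that the call runs between become_root() and unbecome_root() and preserves errno across unbecome_root() would document why saved_errno exists.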
@@ -60,35 +88,41 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
}
val = tmp;
- become_root();
- if (fsp && fsp->fh->fd != -1) {
- sizeret = SMB_VFS_FGETXATTR(fsp, XATTR_NTACL_NAME, val, size);
- } else {
- sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name,
- XATTR_NTACL_NAME, val, size);
+ sizeret =
+ getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, val, size);
+
+ if (sizeret >= 0) {
+ pblob->data = val;
+ pblob->length = sizeret;
+ return NT_STATUS_OK;
}
- if (sizeret == -1) {
- saved_errno = errno;
+
+ if (errno != ERANGE) {
+ goto err;
}
- unbecome_root();
- /* Max ACL size is 65536 bytes. */
- if (sizeret == -1) {
- errno = saved_errno;
- if ((errno == ERANGE) && (size != 65536)) {
- /* Too small, try again. */
- size = 65536;
- goto again;
- }
+ /* Too small, try again. */
+ sizeret =
+ getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, NULL, 0);
+ if (sizeret < 0) {
+ goto err;
+ }
- /* Real error - exit here. */
- TALLOC_FREE(val);
- return map_nt_error_from_unix(errno);
+ if (size < sizeret) {
+ size = sizeret;
}
- pblob->data = val;
- pblob->length = sizeret;
- return NT_STATUS_OK;
+ if (size > 65536) {
+ /* Max ACL size is 65536 bytes. */
+ errno = ERANGE;
+ goto err;
+ }
+
+ goto again;
+ err:
+ /* Real error - exit here. */
+ TALLOC_FREE(val);
+ return map_nt_error_from_unix(errno);
}
/*******************************************************************
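Review bot: the `goto again` at the end of the ERANGE path in get_acl_blob() has no retry limit. If the size probe `getxattr_do(..., NULL, 0)` returns a value that is not larger than the current `size` while the fetch keeps failing with ERANGE (the xattr changing between the two calls, or a backend that reports sizes inconsistently), `size` is left unchanged and the loop repeats with the same buffer. The removed code stopped after one retry through the `size != 65536` test; a retry counter, or treating `sizeret <= size` after an ERANGE as an error, would restore a bound. `if (size < sizeret)` also compares a size_t with an ssize_t; it is safe only because of the preceding `sizeret < 0` check, so an explicit cast there would make that visible.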
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 3f3f8c0..4437d45 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2955,6 +2955,20 @@ static int fruit_open_rsrc(vfs_handle_struct *handle,
SMB_VFS_HANDLE_GET_DATA(handle, config,
struct fruit_config_data, return -1);
+ if (((flags & O_ACCMODE) == O_RDONLY)
+ && (flags & O_CREAT)
+ && !VALID_STAT(fsp->fsp_name->st))
+ {
+ /*
+ * This means the stream doesn't exist. macOS SMB server fails
+ * this with NT_STATUS_OBJECT_NAME_NOT_FOUND, so must we. Cf bug
+ * 12565 and the test for this combination in
+ * test_rfork_create().
+ */
+ errno = ENOENT;
+ return -1;
--
Samba Shared Repository