[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Mar 13 07:58:04 UTC 2017
The branch, master has been updated
via af664b9 getncchanges: Remove O(n) loop in link parsing
via 1816c84 dsdb: Allow parsed_dn_find to have a prefixed blob match
via 6083077 dsdb: Move parsed_dn_find into a common location
via b4a7b3f tests/dbcheck-links: remove spurious sleeping
via f9d570d getncchanges: generalize samdb_result_sid_array_ndr a little
via 2863551 getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
via c4aa78b objectclass_attrs: Restrict systemOnly attributes
via 45ccd84 tests/match_rules: Use system privilege for msDS-RevealedUsers
via 6bbcd3b dbcheck: Improve dbcheck to find (and maybe fix) dangling msDS-RevealedUsers
via 6b24253 getncchanges: include object SID in tokenGroups calculation for repl secret
via f869da8 tests/repl_rodc: Test the direct allow/deny attribute works
via c8eac3c getncchanges: Reorder and comment code for clarity
via 2e02f36 getncchanges: Prevent a small, but possible race condition in build_object
via cf9552e getncchanges: Refactor filter_attrs from build_object
via 4b4a4c1 getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
via 2cb2513 tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
via a9e3830 getncchanges: Implement functionality for msDS-RevealedUsers
via d3576a9 getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
via 35f2dc5 replmd: Include extra data on DN in search if it exists
via 1809d67 replmd: Ensure that binary blobs in links are ordered in the database
via c91c237 getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
via 380b56e drsblobs: Add decode for replPropertyMetaData1
via 5397a83 tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct
via 325f8e8 python/tests: Add repl_rodc test
via b0d37f6 getncchanges: Return correct denied REPL_SECRET error code
via b01fac2 drsbase: use credentials if supplied
via 213349b python/dsdb_dn: Add a generic get_bytes method on DNs
via ee04f96 ldb_tdb: Add better comments for duplicate attr values
via b562a90 ldb_tdb: Do not check for duplicate values during a rename
via 3b5aeab ldb_tdb: Do not care about duplicates if single value check disabled
via 6bcc856 samba-tool/domain: Correctly re-enable replication
via f114710 werror: Correct the error code checking
via 372f5dd typo: uppon -> upon
via b2478cd Correct "ommited" typos.
from 65aafb1 doc: update "ea support" section of the smb.conf manpage
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit af664b94dc460c0686e6e4aae0f3a90e32151b47
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Mar 13 12:18:00 2017 +1300
getncchanges: Remove O(n) loop in link parsing
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Mar 13 08:57:24 CET 2017 on sn-devel-144
commit 1816c84b291679d3ca117b386cc7128bc040b63c
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Mar 13 12:16:13 2017 +1300
dsdb: Allow parsed_dn_find to have a prefixed blob match
This allows us to search against binary DN using only the attributeID in
the case of msDS-RevealedUsers (as it appears right at the beginning).
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 608307745ea1d9ec41fafef89cf1f3e7b3680576
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Mar 13 12:14:23 2017 +1300
dsdb: Move parsed_dn_find into a common location
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b4a7b3ff5c4bbf1060425fb00977d741e98b5462
Author: Garming Sam <garming at catalyst.net.nz>
Date: Tue Mar 7 15:42:59 2017 +1300
tests/dbcheck-links: remove spurious sleeping
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9d570d5a3a684138bea271a750f0e7540e51bea
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 10 14:25:21 2017 +1300
getncchanges: generalize samdb_result_sid_array_ndr a little
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2863551e90a0c211a3b7cb42cf0cf37408939e17
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 10 14:31:10 2017 +1300
getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4aa78ba875f3a9ca4e586823ce63826da8daa90
Author: Garming Sam <garming at catalyst.net.nz>
Date: Tue Mar 7 12:30:09 2017 +1300
objectclass_attrs: Restrict systemOnly attributes
This allows restriction of auditing attributes from being wiped.
Modifications of the RID Set must be done as SYSTEM.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45ccd84ad86b5a48fb15acb208cf1f94e17fbd24
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 15:16:49 2017 +1300
tests/match_rules: Use system privilege for msDS-RevealedUsers
Must be done before the systemOnly attribute is enforced.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6bbcd3bbd813bbabea000f19d4dc655d9db8fc73
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 17:31:46 2017 +1300
dbcheck: Improve dbcheck to find (and maybe fix) dangling msDS-RevealedUsers
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6b2425343b42b46634bfa8a4421388205e64bbde
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 16:02:40 2017 +1300
getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f869da8161090bc92bf782dd079a3d139e5320c5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 16:05:25 2017 +1300
tests/repl_rodc: Test the direct allow/deny attribute works
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c8eac3cc40aaf048f2efc2ab7fb80146779f09b8
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 11:18:33 2017 +1300
getncchanges: Reorder and comment code for clarity
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2e02f3602d4d81497b141ba696a59088284f057e
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 11:14:24 2017 +1300
getncchanges: Prevent a small, but possible race condition in build_object
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cf9552effefb7788e86287c45294002ace47ed75
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 11:01:36 2017 +1300
getncchanges: Refactor filter_attrs from build_object
This makes it easier to have a transaction around it.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b4a4c1063487ca6a0849cb92c2a0bdec0087ecf
Author: Garming Sam <garming at catalyst.net.nz>
Date: Tue Feb 28 16:21:25 2017 +1300
getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2cb251353c8bb805d91079a129da6c20f6257f42
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 14:00:39 2017 +1300
tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a9e38304730c8e70f043fa41ee15c200a234b9e6
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 16:21:12 2017 +1300
getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
commit d3576a95d478ecac53bdbe09f0c352a42066921b
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Fri Feb 17 15:51:36 2017 +1300
getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
This conforms with Windows' behaviour.
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
commit 35f2dc568158b6dfa8ef1d46376c575d4072c0f7
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 17:12:32 2017 +1300
replmd: Include extra data on DN in search if it exists
This is important for multi-valued DN+Binary (or DN+String) attributes,
as otherwise they will be considered duplicates.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
commit 1809d67e4dd57e950453f69ebdfcfe0588f67168
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 10 17:29:53 2017 +1300
replmd: Ensure that binary blobs in links are ordered in the database
This is required if we are to search them with a binsearch.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c91c237963a8410732fe5dfb829dd14a0bb2f3c3
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 17:12:27 2017 +1300
getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
This correctly passes has_get_all_changes through to repl_secrets.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
commit 380b56e38adeef705d8767ccca28b3d0ebf00bc4
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Thu Feb 16 10:03:29 2017 +1300
drsblobs: Add decode for replPropertyMetaData1
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
commit 5397a83130994d83b35eba905e0de7c418b9c7f6
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 3 13:33:04 2017 +1300
tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 325f8e88c553be29ccb6fd4cb70ab8e33b2a7a0a
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date: Mon Feb 13 15:46:37 2017 +1300
python/tests: Add repl_rodc test
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.
Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
commit b0d37f6ca1bbbae389f8fe6d5a2b416f0decb9a9
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Feb 27 14:40:40 2017 +1300
getncchanges: Return correct denied REPL_SECRET error code
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b01fac24ec50150c77139000425ca73494442df5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 17:13:40 2017 +1300
drsbase: use credentials if supplied
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 213349b4bfc10cb24a8555f2cb5aea0a17379836
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 17:17:27 2017 +1300
python/dsdb_dn: Add a generic get_bytes method on DNs
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee04f96b69eb7f7ea6f073cf8228f32252725f8e
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Mar 9 16:10:16 2017 +1300
ldb_tdb: Add better comments for duplicate attr values
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
commit b562a90646ab540cc63d054c8500792794984166
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Mar 9 15:56:12 2017 +1300
ldb_tdb: Do not check for duplicate values during a rename
This is not the time to be pretending to be dbcheck, and there are
exceptions to the single-value rules in Samba. This is needed for
the same reasons as the modify case.
(Note: this error was triggered with the demote of an RODC with links)
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
commit 3b5aeaba957696f17a6aac7d748e578886050c2b
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Mar 8 17:12:21 2017 +1300
ldb_tdb: Do not care about duplicates if single value check disabled
This behaviour of ignoring duplicates with the flag
LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK is also used in the replace
case here.
When we add a forward DN+Binary link with a duplicate DN, this prevents
us from being unable to add the backlink because it appears to be a
duplicate here.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell at catalyst.net.nz>
commit 6bcc856b202838f47a8e62feac8b13d8a045e0c5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Mar 9 16:11:41 2017 +1300
samba-tool/domain: Correctly re-enable replication
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f1147106efa44943d309b9c75f1b237f8c91254a
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Mar 9 14:40:11 2017 +1300
werror: Correct the error code checking
Broken in commit ea3c3f10edac2b6e7e1900b4e75f4be4d70d369a
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 372f5dd4a2e6648b63a2b4d08edbc0d59649abe2
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 10 10:48:38 2017 +1300
typo: uppon -> upon
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b2478cdc7d27e26a81acc3f96a85b16b6017e66f
Author: Chris Lamb <chris at chris-lamb.co.uk>
Date: Sat Feb 18 08:59:48 2017 +1300
Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris at chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/Samba3-Developers-Guide/internals.xml | 2 +-
lib/ldb/ldb_tdb/ldb_tdb.c | 66 ++-
libcli/util/werror.h | 2 +
librpc/idl/drsblobs.idl | 7 +
python/samba/common.py | 5 +
python/samba/dbchecker.py | 48 ++
python/samba/netcmd/domain.py | 63 +-
selftest/knownfail | 2 +
source3/libads/ndr.c | 2 +-
source4/dsdb/common/util_links.c | 210 +++++++
.../genrand.h => source4/dsdb/common/util_links.h | 38 +-
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 42 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 205 +------
source4/dsdb/samdb/ldb_modules/ridalloc.c | 8 +-
.../dsdb/samdb/ldb_modules/wscript_build_server | 2 +-
source4/dsdb/samdb/samdb.h | 1 +
source4/dsdb/wscript_build | 2 +-
source4/rpc_server/drsuapi/getncchanges.c | 454 ++++++++++++---
.../add-dangling-multi-backlink.ldif | 10 +
.../add-dangling-multilink-users.ldif | 20 +
.../add-initially-normal-multilink.ldif | 19 +
.../delete-only-multi-backlink.ldif | 13 +
source4/selftest/tests.py | 9 +-
source4/torture/drs/python/drs_base.py | 6 +-
source4/torture/drs/python/repl_rodc.py | 645 +++++++++++++++++++++
source4/torture/local/fsrvp_state.c | 2 +-
testprogs/blackbox/dbcheck-links.sh | 78 ++-
27 files changed, 1622 insertions(+), 339 deletions(-)
create mode 100644 source4/dsdb/common/util_links.c
copy lib/util/genrand.h => source4/dsdb/common/util_links.h (56%)
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-dangling-multi-backlink.ldif
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-dangling-multilink-users.ldif
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-initially-normal-multilink.ldif
create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/delete-only-multi-backlink.ldif
create mode 100644 source4/torture/drs/python/repl_rodc.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/Samba3-Developers-Guide/internals.xml b/docs-xml/Samba3-Developers-Guide/internals.xml
index be27121..bd9eaac 100644
--- a/docs-xml/Samba3-Developers-Guide/internals.xml
+++ b/docs-xml/Samba3-Developers-Guide/internals.xml
@@ -308,7 +308,7 @@ SSVAL(). I do not know where these numbers are described.
<listitem><para>
An ASCIIZ string describing the parameters to the API function as defined
in the LAN Manager documentation. The first parameter, which is the server
-name, is ommited. This string is based uppon the API function as described
+name, is omitted. This string is based upon the API function as described
in the manual, not the data which is actually passed.
</para></listitem>
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 8c4989f..6b1187e 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -355,13 +355,17 @@ static int ltdb_add_internal(struct ldb_module *module,
continue;
}
- /* TODO: This is O(n^2) - replace with more efficient check */
- for (j=0; j<el->num_values; j++) {
- if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
- ldb_asprintf_errstring(ldb,
- "attribute '%s': value #%u on '%s' provided more than once",
- el->name, j, ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ if (check_single_value) {
+ /* TODO: This is O(n^2) - replace with more efficient check */
+ for (j=0; j<el->num_values; j++) {
+ if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
+ ldb_asprintf_errstring(ldb,
+ "attribute '%s': value #%u on '%s' "
+ "provided more than once in ADD object",
+ el->name, j,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ }
}
}
}
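Review bot: the duplicate-value check in ltdb_add_internal is now skipped entirely when check_single_value is false, but nothing in this hunk shows how that variable is derived or why an ADD carrying the same value twice is acceptable in that mode. Add a short comment at `if (check_single_value) {` pointing at the DN+Binary link case and LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK from the commit message, so the next reader does not "fix" the bypass back out. Leaving the O(n^2) TODO in place is fine.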
@@ -794,31 +798,33 @@ int ltdb_modify_internal(struct ldb_module *module,
/* Check that values don't exist yet on multi-
valued attributes or aren't provided twice */
/* TODO: This is O(n^2) - replace with more efficient check */
- for (j = 0; j < el->num_values; j++) {
- if (ldb_msg_find_val(el2, &el->values[j]) != NULL) {
- if (control_permissive) {
- /* remove this one as if it was never added */
- el->num_values--;
- for (k = j; k < el->num_values; k++) {
- el->values[k] = el->values[k + 1];
+ if (!(el->flags & LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK)) {
+ for (j = 0; j < el->num_values; j++) {
+ if (ldb_msg_find_val(el2, &el->values[j]) != NULL) {
+ if (control_permissive) {
+ /* remove this one as if it was never added */
+ el->num_values--;
+ for (k = j; k < el->num_values; k++) {
+ el->values[k] = el->values[k + 1];
+ }
+ j--; /* rewind */
+
+ continue;
}
- j--; /* rewind */
- continue;
+ ldb_asprintf_errstring(ldb,
+ "attribute '%s': value #%u on '%s' already exists",
+ el->name, j, ldb_dn_get_linearized(msg2->dn));
+ ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ goto done;
+ }
+ if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
+ ldb_asprintf_errstring(ldb,
+ "attribute '%s': value #%u on '%s' provided more than once in ADD",
+ el->name, j, ldb_dn_get_linearized(msg2->dn));
+ ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ goto done;
}
-
- ldb_asprintf_errstring(ldb,
- "attribute '%s': value #%u on '%s' already exists",
- el->name, j, ldb_dn_get_linearized(msg2->dn));
- ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
- goto done;
- }
- if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
- ldb_asprintf_errstring(ldb,
- "attribute '%s': value #%u on '%s' provided more than once",
- el->name, j, ldb_dn_get_linearized(msg2->dn));
- ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
- goto done;
}
}
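Review bot: gating the whole block on `!(el->flags & LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK)` disables two different checks at once: the "already exists" comparison against el2 (the value already in the database) and the "provided more than once" comparison within the incoming element. The commit message only motivates the first (a DN+Binary link whose DN matches an existing one but whose binary part differs); if that is the only case that needs bypassing, keep the intra-element check unconditional. Also, the string `"provided more than once in ADD"` is emitted from the MODIFY path; something like `in MODIFY/ADD` would distinguish it from ltdb_add_internal's `"provided more than once in ADD object"` when reading logs.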
@@ -869,7 +875,7 @@ int ltdb_modify_internal(struct ldb_module *module,
for (j=0; j<el->num_values; j++) {
if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
ldb_asprintf_errstring(ldb,
- "attribute '%s': value #%u on '%s' provided more than once",
+ "attribute '%s': value #%u on '%s' provided more than once in REPLACE",
el->name, j, ldb_dn_get_linearized(msg2->dn));
ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
goto done;
diff --git a/libcli/util/werror.h b/libcli/util/werror.h
index 7adda29..c25a4ab 100644
--- a/libcli/util/werror.h
+++ b/libcli/util/werror.h
@@ -99,6 +99,8 @@ typedef uint32_t WERROR;
#define WERR_ALERTED W_ERROR(0x000002E3)
#define WERR_INVALID_PRIMARY_GROUP W_ERROR(0x0000051C)
+#define WERR_DS_DRA_SECRETS_DENIED W_ERROR(0x000021B6)
+
#define WERR_DNS_ERROR_KEYMASTER_REQUIRED W_ERROR(0x0000238D)
#define WERR_DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE W_ERROR(0x0000238E)
#define WERR_DNS_ERROR_INVALID_NSEC3_PARAMETERS W_ERROR(0x0000238F)
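Review bot: 0x000021B6 is ERROR_DS_DRA_SECRETS_DENIED (8630) in winerror.h, so the value is correct. Check that the matching entry in the werror string table is added as well; it is not in the visible part of the truncated changeset, and a bare numeric WERROR in the logs makes a denied REPL_SECRET request (an RODC asking for a password it is not allowed to cache) much harder to diagnose than "WERR_DS_DRA_SECRETS_DENIED".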
diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl
index 09168a8..44f5fda 100644
--- a/librpc/idl/drsblobs.idl
+++ b/librpc/idl/drsblobs.idl
@@ -17,6 +17,9 @@ interface drsblobs {
* replPropertyMetaData
* w2k uses version 1
* w2k3 uses version 1
+ *
+ * Also equivalent to
+ * MS-DRSR 4.1.10.2.22 PROPERTY_META_DATA
*/
typedef [public] struct {
drsuapi_DsAttributeId attid;
@@ -27,6 +30,10 @@ interface drsblobs {
hyper local_usn;
} replPropertyMetaData1;
+ void decode_replPropertyMetaData1(
+ [in] replPropertyMetaData1 blob
+ );
+
typedef struct {
uint32 count;
[value(0)] uint32 reserved;
diff --git a/python/samba/common.py b/python/samba/common.py
index c2a3584..20f170c 100644
--- a/python/samba/common.py
+++ b/python/samba/common.py
@@ -19,6 +19,7 @@
import ldb
import dsdb
+import binascii
def confirm(msg, forced=False, allow_all=False):
@@ -97,3 +98,7 @@ class dsdb_Dn(object):
if self.prefix == '':
return None
return int(self.binary, 16)
+
+ def get_bytes(self):
+ '''return binary as a byte string'''
+ return binascii.unhexlify(self.binary)
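Review bot: get_bytes has no guard for a DN without a binary part, unlike get_binary_integer directly above it which returns None when `self.prefix == ''`. Depending on how self.binary is initialised in that case, binascii.unhexlify will either return an empty string or raise TypeError on None. Mirror the existing guard (`if self.prefix == '': return None`) so callers get the same contract from both accessors.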
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 032c0e7..1a73fe0 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -973,6 +973,54 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
if v_guid == obj_guid:
match_count += 1
if match_count != 1:
+ reverse_syntax_oid = self.samdb_schema.get_syntax_oid_from_lDAPDisplayName(reverse_link_name)
+ if syntax_oid == dsdb.DSDB_SYNTAX_BINARY_DN or reverse_syntax_oid == dsdb.DSDB_SYNTAX_BINARY_DN:
+ if not linkID & 1:
+ # Forward binary multi-valued linked attribute
+ forward_count = 0
+ for w in obj[attrname]:
+ w_guid = dsdb_Dn(self.samdb, w).dn.get_extended_component("GUID")
+ if w_guid == guid:
+ forward_count += 1
+
+ if match_count == forward_count:
+ continue
+
+ error_count += 1
+
+ # Add or remove the missing number of backlinks
+ diff_count = forward_count - match_count
+
+ # Loop until the difference between the forward and
+ # the backward links is resolved.
+ while diff_count != 0:
+ if diff_count > 0:
+ # self.err_missing_backlink(obj, attrname,
+ # obj.dn.extended_str(),
+ # reverse_link_name,
+ # dsdb_dn.dn)
+ # diff_count -= 1
+ # TODO no method to fix these right now
+ self.report("ERROR: Can't fix missing "
+ "multi-valued backlinks on %s" % str(dsdb_dn.dn))
+ break
+ else:
+ self.err_orphaned_backlink(res[0], reverse_link_name,
+ obj.dn.extended_str(), attrname,
+ dsdb_dn.dn)
+ diff_count += 1
+
+ else:
+ # If there's a backward link on binary multi-valued linked attribute,
+ # let the check on the forward link remedy the value.
+ # UNLESS, there is no forward link detected.
+ if match_count == 0:
+ self.err_orphaned_backlink(obj, attrname,
+ val, reverse_link_name,
+ dsdb_dn.dn)
+
+ continue
+
error_count += 1
if linkID & 1:
# Backlink exists, but forward link does not
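Review bot: in the backlink branch (the `else:` that calls err_orphaned_backlink when `match_count == 0`), error_count is not incremented before the `continue`, whereas the forward branch does `error_count += 1`; dbcheck's summary and exit status depend on that counter, so an orphaned multi-valued backlink would be reported and possibly fixed yet not counted. Also, the `while diff_count != 0` loop always hits `break` on the first iteration when diff_count > 0, so it only really iterates for the negative case; a plain loop over `-diff_count` for the removal case plus a one-shot report for the missing-backlink case would make the intent clearer than the combined while loop with a commented-out body.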
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index e039724..4bd99ba 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -773,10 +773,10 @@ class cmd_domain_demote(Command):
self.errf.write("Deactivating inbound replication\n")
- if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
- nmsg = ldb.Message()
- nmsg.dn = msg[0].dn
+ nmsg = ldb.Message()
+ nmsg.dn = msg[0].dn
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
samdb.modify(nmsg)
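Review bot: nmsg is now created unconditionally, which is what lets the later error paths reuse it, but the decision "did we disable inbound replication" is re-derived from dsa_options and am_rodc() in every error path below. Capture it once here as a boolean (for example `disabled_inbound_repl = not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc()`) and test that in the except blocks, so the re-enable condition cannot drift from the condition that performed the disable.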
@@ -822,19 +822,21 @@ class cmd_domain_demote(Command):
uac = int(str(res[0]["userAccountControl"]))
except Exception, e:
- self.errf.write(
- "Error while demoting, re-enabling inbound replication\n")
- dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
- nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
- samdb.modify(nmsg)
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+ self.errf.write(
+ "Error while demoting, re-enabling inbound replication\n")
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
raise CommandError("Error while changing account control", e)
if (len(res) != 1):
- self.errf.write(
- "Error while demoting, re-enabling inbound replication")
- dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
- nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
- samdb.modify(nmsg)
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+ self.errf.write(
+ "Error while demoting, re-enabling inbound replication")
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
raise CommandError("Unable to find object with samaccountName = %s$"
" in the remote dc" % netbios_name.upper())
@@ -852,11 +854,12 @@ class cmd_domain_demote(Command):
try:
remote_samdb.modify(msg)
except Exception, e:
- self.errf.write(
- "Error while demoting, re-enabling inbound replication")
- dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
- nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
- samdb.modify(nmsg)
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+ self.errf.write(
+ "Error while demoting, re-enabling inbound replication")
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
raise CommandError("Error while changing account control", e)
@@ -880,11 +883,12 @@ class cmd_domain_demote(Command):
scope=ldb.SCOPE_ONELEVEL)
if i == 100:
- self.errf.write(
- "Error while demoting, re-enabling inbound replication\n")
- dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
- nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
- samdb.modify(nmsg)
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+ self.errf.write(
+ "Error while demoting, re-enabling inbound replication\n")
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
msg = ldb.Message()
msg.dn = dc_dn
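Review bot: on the `if i == 100:` timeout path, inbound replication is re-enabled but, unlike every other error path in this function, no CommandError is raised and execution continues into building the next message; if demotion is meant to proceed after the replication wait gives up, that deserves a comment here, otherwise this path should raise like the others now that the re-enable logic has been made consistent.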
@@ -905,11 +909,12 @@ class cmd_domain_demote(Command):
newdn = ldb.Dn(remote_samdb, "%s,%s" % (newrdn, str(computer_dn)))
remote_samdb.rename(dc_dn, newdn)
except Exception, e:
- self.errf.write(
- "Error while demoting, re-enabling inbound replication\n")
- dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
- nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
- samdb.modify(nmsg)
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+ self.errf.write(
+ "Error while demoting, re-enabling inbound replication\n")
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
msg = ldb.Message()
msg.dn = dc_dn
@@ -2089,7 +2094,7 @@ class cmd_domain_trust_show(DomainTrustCommand):
local_tdo_forest = local_lsa.lsaRQueryForestTrustInformation(local_policy,
lsaString, lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
except RuntimeError as error:
- if self.check_runtime_error(error, self.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE):
+ if self.check_runtime_error(error, ntstatus.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE):
error = None
if self.check_runtime_error(error, ntstatus.NT_STATUS_NOT_FOUND):
error = None
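Review bot: `self.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE` would have raised AttributeError inside the except handler and masked the original RuntimeError, so the fix is right and the sibling check two lines below already uses the `ntstatus.` module form. A selftest that drives lsaRQueryForestTrustInformation against a server that rejects the opnum would have caught this; worth adding so the fallback path is exercised rather than only the happy path.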
diff --git a/selftest/knownfail b/selftest/knownfail
index 7c5417b..cfd4b35 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,3 +315,5 @@
^samba3.smb2.credits.session_setup_credits_granted.*
^samba3.smb2.credits.single_req_credits_granted.*
^samba3.smb2.credits.skipped_mid.*
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_dbcheck
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
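Review bot: these two knownfail entries are the other half of the `# TODO no method to fix these right now` in dbchecker.py (missing multi-valued backlinks cannot be re-added because of the duplicate checking). Add a bug number or a comment next to them naming that limitation, so they are removed together with the TODO rather than becoming permanent knownfails.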
diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c
index 957c0fa..6cecbb0 100644
--- a/source3/libads/ndr.c
+++ b/source3/libads/ndr.c
@@ -58,7 +58,7 @@ void ndr_print_ads_struct(struct ndr_print *ndr, const char *name, const struct
#ifdef DEBUG_PASSWORD
ndr_print_string(ndr, "password", r->auth.password);
#else
- ndr_print_string(ndr, "password", "(PASSWORD ommited)");
+ ndr_print_string(ndr, "password", "(PASSWORD omitted)");
#endif
ndr_print_string(ndr, "user_name", r->auth.user_name);
ndr_print_string(ndr, "kdc_server", r->auth.kdc_server);
diff --git a/source4/dsdb/common/util_links.c b/source4/dsdb/common/util_links.c
new file mode 100644
index 0000000..cf1f4be
--- /dev/null
+++ b/source4/dsdb/common/util_links.c
@@ -0,0 +1,210 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Helpers to search for links in the DB
+
+ Copyright (C) Catalyst.Net Ltd 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/util/binsearch.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+
+/*
+ * We choose, as the sort order, the same order as is used in DRS replication,
+ * which is the memcmp() order of the NDR GUID, not that obtained from
+ * GUID_compare().
+ *
+ * This means that sorted links will be in the same order as a new DC would
+ * see them.
+ */
+int ndr_guid_compare(const struct GUID *guid1, const struct GUID *guid2)
+{
+ uint8_t v1_data[16];
+ struct ldb_val v1 = data_blob_const(v1_data, sizeof(v1_data));
+ uint8_t v2_data[16];
+ struct ldb_val v2 = data_blob_const(v2_data, sizeof(v2_data));
+
+ /* This can't fail */
+ ndr_push_struct_into_fixed_blob(&v1, guid1,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ /* This can't fail */
+ ndr_push_struct_into_fixed_blob(&v2, guid2,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ return data_blob_cmp(&v1, &v2);
+}
+
+
+static int la_guid_compare_with_trusted_dn(struct compare_ctx *ctx,
+ struct parsed_dn *p)
+{
+ int cmp = 0;
+ /*
+ * This works like a standard compare function in its return values,
+ * but has an extra trick to deal with errors: zero is returned and
+ * ctx->err is set to the ldb error code.
+ *
+ * That is, if (as is expected in most cases) you get a non-zero
+ * result, you don't need to check for errors.
+ *
+ * We assume the second argument refers to a DN is from the database
+ * and has a GUID -- but this GUID might not have been parsed out yet.
+ */
+ if (p->dsdb_dn == NULL) {
+ int ret = really_parse_trusted_dn(ctx->mem_ctx, ctx->ldb, p,
+ ctx->ldap_oid);
+ if (ret != LDB_SUCCESS) {
+ ctx->err = ret;
+ return 0;
+ }
+ }
+ cmp = ndr_guid_compare(ctx->guid, &p->guid);
+ if (cmp == 0 && ctx->compare_extra_part) {
+ if (ctx->partial_extra_part_length != 0) {
+ /* Allow a prefix match on the blob. */
+ return memcmp(ctx->extra_part.data,
+ p->dsdb_dn->extra_part.data,
+ MIN(ctx->partial_extra_part_length,
+ p->dsdb_dn->extra_part.length));
+ } else {
+ return data_blob_cmp(&ctx->extra_part,
+ &p->dsdb_dn->extra_part);
+ }
+ }
+
+ return cmp;
+}
+
+/* When a parsed_dn comes from the database, sometimes it is not really parsed. */
+
+int really_parse_trusted_dn(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
+ struct parsed_dn *pdn, const char *ldap_oid)
+{
+ NTSTATUS status;
+ struct dsdb_dn *dsdb_dn = dsdb_dn_parse_trusted(mem_ctx, ldb, pdn->v,
+ ldap_oid);
+ if (dsdb_dn == NULL) {
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
+ status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &pdn->guid, "GUID");
+ if (!NT_STATUS_IS_OK(status)) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ pdn->dsdb_dn = dsdb_dn;
+ return LDB_SUCCESS;
+}
+
+
+int parsed_dn_find(struct ldb_context *ldb, struct parsed_dn *pdn,
+ unsigned int count,
+ const struct GUID *guid,
+ struct ldb_dn *target_dn,
+ DATA_BLOB extra_part,
+ size_t partial_extra_part_length,
+ struct parsed_dn **exact,
+ struct parsed_dn **next,
+ const char *ldap_oid,
+ bool compare_extra_part)
+{
+ unsigned int i;
+ struct compare_ctx ctx;
+ if (pdn == NULL) {
+ *exact = NULL;
+ *next = NULL;
+ return LDB_SUCCESS;
+ }
+
+ if (unlikely(GUID_all_zero(guid))) {
+ /*
+ * When updating a link using DRS, we sometimes get a NULL
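Review bot: the prefix-match branch in la_guid_compare_with_trusted_dn bounds memcmp by `MIN(ctx->partial_extra_part_length, p->dsdb_dn->extra_part.length)` but never by ctx->extra_part.length, so a caller passing a partial length longer than its own blob over-reads ctx->extra_part.data; and when the stored blob is shorter than the requested prefix, comparing only the shorter length can return 0 and report an exact match for a link that does not carry the prefix at all, which for a binary search over the link array means the wrong msDS-RevealedUsers entry gets found. Check lengths first (a stored blob shorter than partial_extra_part_length is a mismatch, or return the length difference) and assert `partial_extra_part_length <= ctx->extra_part.length`. Smaller points: the two `/* This can't fail */` ndr_push_struct_into_fixed_blob calls could still carry an assertion on the return value, and really_parse_trusted_dn is used before its definition, so it needs the prototype in util_links.h (not in the visible part of the truncated changeset).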