[SCM] Samba Shared Repository - branch v4-9-test updated
Karolin Seeger
kseeger at samba.org
Thu Aug 23 12:29:02 UTC 2018
The branch, v4-9-test has been updated
via 729ac56 torture: Demonstrate the invalid lock order panic
via 2f93246 vfs_fruit: Fix a leak of "br_lck"
via 018550f python: Fix print in dns_invalid.py
via ccbc9c1 wafsamba/samba_abi: always hide ABI symbols which must be local
via a89ec4e selftest: Load time_audit and full_audit modules for all tests
via b0e1a03 s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv()
via 96a74ab s3:libads: Free addr before we free the context
via 14eed16 s3:winbind: Fix memory leak in nss_init()
via bd0b693 s3:registry: Fix possible memory leak in _reg_perfcount_multi_sz_from_tdb()
via 8f65578 s3:libads: Fix memory leaks in ads_krb5_chg_password()
via f1c2e68 s3:client: Avoid a possible fd leak in do_get()
via 98e7021 s4:lib: Fix a possible fd leak in gp_get_file()
via 6ffa700 s3:utils: Do not leak memory in new_user()
via cdb6f01 s3:utils: Do not overflow the destination buffer in net_idmap_restore()
via 1000cbe s3:passdb: Don't leak memory on error in fetch_ldap_pw()
via 2431f54 wbinfo: Free memory when we leave wbinfo_dsgetdcname()
via 12a8f20 netcmd: Fix --kerberos=yes and --no-secrets domain backups
via b9315fa netcmd: Delete unnecessary function
via 15e1a41 netcmd: Fix kerberos option for domain backups
via 69583d1 netcmd: domain backup didn't support prompting for password
via ec47551 netcmd: Improve domain backup targetdir checks
from 6244e6a VERSION: Bump version up to 4.9.0rc4...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit 729ac56bb4175698c79945c9f0c3711a6ff8886d
Author: Volker Lendecke <vl at samba.org>
Date: Mon Aug 6 14:35:15 2018 +0200
torture: Demonstrate the invalid lock order panic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 21 02:33:05 CEST 2018 on sn-devel-144
(cherry picked from commit ec3c37ee53f21d8c0e80b1d3b3d7e95a4ac8e0bc)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Thu Aug 23 14:28:49 CEST 2018 on sn-devel-144
commit 2f9324688821a02f32c94a01f58c995465a9aa1c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Aug 6 14:33:34 2018 +0200
vfs_fruit: Fix a leak of "br_lck"
Fix a panic if fruit_access_check detects a locking conflict.
do_lock() returns a valid br_lck even in case of a locking conflict.
Not free'ing it leads to a invalid lock order panic later, because
"br_lck" corresponds to a dbwrap lock on brlock.tdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 51d57073798f76ec4f1261945e0ba779b2530009)
commit 018550f1c116b46a401c24e29f0467b32107ed20
Author: Andreas Schneider <asn at samba.org>
Date: Fri Aug 17 12:06:38 2018 +0200
python: Fix print in dns_invalid.py
https://bugzilla.samba.org/show_bug.cgi?id=13580
Signed-off-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Sat Aug 18 15:21:39 CEST 2018 on sn-devel-144
(cherry picked from commit 9ee4d9466e42ef419ddbb39efbc476532cd221d3)
commit ccbc9c1973b47fc66d6d7e8f117cdf3d66e60e3d
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu Jul 12 10:19:41 2018 +0300
wafsamba/samba_abi: always hide ABI symbols which must be local
binutils 2.31 is going to change how shared libraries are linked, such
that they always provide their own local definitions of the _end, _edata
and _bss_start symbols. This would all be fine, except for shared
libraries that export all symbols be default. (Rather than just
exporting those symbols that form part of their API).
According to binutils developers, we should only export the symbols we
explicitly want to be used. We don't use this principle for all our
libraries and deliberately don't want to have ABI versioning control for
all of them, so the change I introduce here is to explicitly mark those
symbols that will always be added by default linker configuration with
binutils 2.31 as local. Right now these are '_end', '_edata', and
'__bss_start' symbols.
Fixes: https://bugzilla.samba.org/show_bug.cgi?id=13579
Cherry-picked from commit 4e123c46820e737968fa3d1c594aa016cca39637
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a89ec4ea2cd8838634570b1cdd32e28142032dd7
Author: Christof Schmitt <cs at samba.org>
Date: Fri Aug 10 10:38:28 2018 -0700
selftest: Load time_audit and full_audit modules for all tests
Previously the only test was to load these modules to trigger the
smb_vfs_assert_all_fns check. As these modules just pass through the
calls, they can be loaded for all tests to ensure that the codepaths are
exercised. This would have found the problem in
smb_time_audit_offload_read_recv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 13 22:35:20 CEST 2018 on sn-devel-144
(cherry picked from commit a98f09a09db2fc7be85f9171b586e65344a39e92)
commit b0e1a034b4ab1ebb5f7272215d5ff771e87a18a5
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date: Wed Aug 8 17:42:18 2018 +0200
s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568
Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Reviewed-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4909b966050c921b0a6a32285fee55f5f14dc3ff)
commit 96a74abefaa95c75e5669148b26fedd0736061ea
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 14 18:55:33 2018 +0200
s3:libads: Free addr before we free the context
Introduced by dbdbd4875ecac3e7334750f46f1f494b7afe6628
CID 1438395
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 14 22:02:06 CEST 2018 on sn-devel-144
(cherry picked from commit 9eccf6a16f5b198181a4fa80b835b1a65b40ed76)
commit 14eed16e3d972b6897321c86752851195c438536
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:38:49 2018 +0200
s3:winbind: Fix memory leak in nss_init()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4c0b49b3f982a3a3013a3b6fef3c10b1ca7d2ab0)
commit bd0b693723810f6f37de536e7169d9d1e8738653
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:15:10 2018 +0200
s3:registry: Fix possible memory leak in _reg_perfcount_multi_sz_from_tdb()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Aug 11 04:43:15 CEST 2018 on sn-devel-144
(cherry picked from commit 3e6ce5c6e679fdb39ed8142bf5e1ed4105164826)
commit 8f6557885ab9fbc7096d8bb2fc9138afe76e0a2f
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:02:16 2018 +0200
s3:libads: Fix memory leaks in ads_krb5_chg_password()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit dbdbd4875ecac3e7334750f46f1f494b7afe6628)
commit f1c2e6829a1abc2ebeb47b0a800c6928a344fd1a
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 15:58:32 2018 +0200
s3:client: Avoid a possible fd leak in do_get()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3d32c0263b072e19335eba1451840284409ecb61)
commit 98e7021744e1b22c49b40613058d22ab7bfe02d2
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:42:43 2018 +0200
s4:lib: Fix a possible fd leak in gp_get_file()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d4fb124adfc10de8b7eb1f72b74d7ca83f8415dd)
commit 6ffa700070be7dfbbca2022823b62790fd7f11ad
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:30:03 2018 +0200
s3:utils: Do not leak memory in new_user()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b7b4fc51d0eadbbc94576dda75ae80098a205a24)
commit cdb6f015d4341b86965f20fca0fde78a55e0a28e
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:19:48 2018 +0200
s3:utils: Do not overflow the destination buffer in net_idmap_restore()
Found by covsan.
error[invalidScanfFormatWidth]: Width 128 given in format string (no. 2)
is larger than destination buffer 'sid_string[128]', use %127s to
prevent overflowing it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f20150fb1ea5292f099862af6268d06844954d5e)
commit 1000cbe1c7acf8e018ff1ed7a150532a7ba2ee83
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 16:05:41 2018 +0200
s3:passdb: Don't leak memory on error in fetch_ldap_pw()
Found by covscan.
A candidate to use tallac ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e4f4f5eb7303a0cce4f426dd9cfd1d6a488495b0)
commit 2431f54365a85581b6829f8d589b17f183b47cc0
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 9 15:53:45 2018 +0200
wbinfo: Free memory when we leave wbinfo_dsgetdcname()
Found by covscan.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e6689c3e14c2dfaebaf1109f21e53184fea45d41)
commit 12a8f206b8e7a6cd61bf8e89f170e77c845b1afb
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Aug 9 16:20:10 2018 +1200
netcmd: Fix --kerberos=yes and --no-secrets domain backups
The --kerberos=yes and --no-secrets options didn't work in combination
for domain backups. The problem was creds.get_username() might not
necessarily match the kerberos user (such as in the selftest
environment). If this was the case, then trying to reset the admin
password failed (because the creds.get_username() didn't exist in
the DB).
Because the admin user always has a fixed RID, we can work out the
administrator based on its object SID, instead of relying on the
username in the creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Aug 15 10:19:09 CEST 2018 on sn-devel-144
(cherry picked from commit f249bea1e0538300288e7cf1dcb6037c45f92276)
commit b9315fa19eb6d422b12258aef65cfecd7806d517
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Aug 9 15:35:59 2018 +1200
netcmd: Delete unnecessary function
Minor code cleanup. The last 2 patches gutted this function, to the
point where there's no longer any value in keeping it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit d2d039515119523192676b311d5997afd34f4c90)
commit 15e1a41130281ff32e727e2aafef37cfc7816e5a
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Aug 9 15:34:51 2018 +1200
netcmd: Fix kerberos option for domain backups
The previous fix still didn't work if you specified --kerberos=yes (in
which case the creds still doesn't have a password).
credopts.get_credentials(lp) should be enough to ensure a user/password
is set (it's all that the other commands seem to do).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 8fb706c34682bf6dc6033963518c7eccffc3944f)
commit 69583d1d32e01472b52543a730af63a99ef9c3f6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Aug 9 15:30:55 2018 +1200
netcmd: domain backup didn't support prompting for password
The online/rename backups only worked if you specified both the username
and password in the actual command itself. If you just entered the
username (expecting to be prompted for the password later), then the
command was rejected.
The problem was the order the code was doing things in. We were checking
credopts.creds.get_password() *before* we'd called
credopts.get_credentials(lp), whereas it should be the other way
around.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 14077b6682d7dc1b16e1ccb42ef61e9f4c0a1715)
commit ec475511389aca66549ee403880408a8230ae31f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Jul 12 16:13:27 2018 +1200
netcmd: Improve domain backup targetdir checks
+ Added check that specified targetdir is actually a directory (if it
exists)
+ Deleted a redundant 'Creating targetdir' check that would never be hit
+ Move code into a separate function so we can reuse it for offline
backups (which take a different set of parameters, but still have a
targetdir)
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 4f532cc177cd1e95d8ccf8e69f50b315354df34c)
Backported to v4.9 for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_abi.py | 10 ++--
buildtools/wafsamba/tests/test_abi.py | 14 ++++++
nsswitch/wbinfo.c | 3 ++
python/samba/netcmd/domain_backup.py | 56 ++++++++++++----------
python/samba/tests/dns_invalid.py | 2 +-
selftest/target/Samba3.pm | 12 ++---
source3/client/client.c | 7 +++
source3/libads/krb5_setpw.c | 2 +
source3/modules/vfs_fruit.c | 24 ++++++----
source3/modules/vfs_time_audit.c | 12 ++---
source3/passdb/secrets.c | 4 ++
source3/registry/reg_perfcount.c | 15 ++++--
source3/utils/net_idmap.c | 4 +-
source3/utils/pdbedit.c | 10 ++--
source3/winbindd/nss_info.c | 26 ++++++----
source4/lib/policy/gp_filesys.c | 24 ++++++----
source4/torture/vfs/fruit.c | 89 +++++++++++++++++++++++++++++++++++
17 files changed, 237 insertions(+), 77 deletions(-)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index 196b468..4603e76 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -192,10 +192,12 @@ def abi_write_vscript(f, libname, current_version, versions, symmap, abi_match):
f.write("\t\t%s;\n" % x)
else:
f.write("\t\t*;\n")
- if abi_match != ["*"]:
- f.write("\tlocal:\n")
- for x in local_abi:
- f.write("\t\t%s;\n" % x[1:])
+ # Always hide symbols that must be local if exist
+ local_abi.extend(["!_end", "!__bss_start", "!_edata"])
+ f.write("\tlocal:\n")
+ for x in local_abi:
+ f.write("\t\t%s;\n" % x[1:])
+ if global_abi != ["*"]:
if len(global_abi) > 0:
f.write("\t\t*;\n")
f.write("};\n")
diff --git a/buildtools/wafsamba/tests/test_abi.py b/buildtools/wafsamba/tests/test_abi.py
index bba78c1..7489214 100644
--- a/buildtools/wafsamba/tests/test_abi.py
+++ b/buildtools/wafsamba/tests/test_abi.py
@@ -66,6 +66,10 @@ class WriteVscriptTests(TestCase):
1.0 {
\tglobal:
\t\t*;
+\tlocal:
+\t\t_end;
+\t\t__bss_start;
+\t\t_edata;
};
""")
@@ -84,6 +88,10 @@ MYLIB_0.1 {
1.0 {
\tglobal:
\t\t*;
+\tlocal:
+\t\t_end;
+\t\t__bss_start;
+\t\t_edata;
};
""")
@@ -99,6 +107,9 @@ MYLIB_0.1 {
\t\t*;
\tlocal:
\t\texc_*;
+\t\t_end;
+\t\t__bss_start;
+\t\t_edata;
};
""")
@@ -115,6 +126,9 @@ MYLIB_0.1 {
\t\tpub_*;
\tlocal:
\t\texc_*;
+\t\t_end;
+\t\t__bss_start;
+\t\t_edata;
\t\t*;
};
""")
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 1b58c73..c456f6e 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -747,6 +747,9 @@ static bool wbinfo_dsgetdcname(const char *domain_name, uint32_t flags)
d_printf("%s\n", dc_info->dc_site_name);
d_printf("%s\n", dc_info->client_site_name);
+ wbcFreeMemory(str);
+ wbcFreeMemory(dc_info);
+
return true;
}
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
index cfd9796..5f18e81 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -32,7 +32,7 @@ from samba.auth import system_session
from samba.join import DCJoinContext, join_clone, DCCloneAndRenameContext
from samba.dcerpc.security import dom_sid
from samba.netcmd import Option, CommandError
-from samba.dcerpc import misc
+from samba.dcerpc import misc, security
from samba import Ldb
from fsmo import cmd_fsmo_seize
from samba.provision import make_smbconf
@@ -139,34 +139,38 @@ def add_backup_marker(samdb, marker, value):
samdb.modify(m)
-def check_online_backup_args(logger, credopts, server, targetdir):
- # Make sure we have all the required args.
- u_p = {'user': credopts.creds.get_username(),
- 'pass': credopts.creds.get_password()}
- if None in u_p.values():
- raise CommandError("Creds required.")
- if server is None:
- raise CommandError('Server required')
+def check_targetdir(logger, targetdir):
if targetdir is None:
raise CommandError('Target directory required')
if not os.path.exists(targetdir):
logger.info('Creating targetdir %s...' % targetdir)
os.makedirs(targetdir)
+ elif not os.path.isdir(targetdir):
+ raise CommandError("%s is not a directory" % targetdir)
# For '--no-secrets' backups, this sets the Administrator user's password to a
# randomly-generated value. This is similar to the provision behaviour
-def set_admin_password(logger, samdb, username):
+def set_admin_password(logger, samdb):
"""Sets a randomly generated password for the backup DB's admin user"""
+ # match the admin user by RID
+ domainsid = samdb.get_domain_sid()
+ match_admin = "(objectsid={}-{})".format(domainsid,
+ security.DOMAIN_RID_ADMINISTRATOR)
+ search_expr = "(&(objectClass=user){})".format(match_admin)
+
+ # retrieve the admin username (just in case it's been renamed)
+ res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=search_expr)
+ username = str(res[0]['samaccountname'])
+
adminpass = samba.generate_random_password(12, 32)
logger.info("Setting %s password in backup to: %s" % (username, adminpass))
logger.info("Run 'samba-tool user setpassword %s' after restoring DB" %
username)
- samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))"
- % ldb.binary_encode(username), adminpass,
- force_change_at_next_login=False,
+ samdb.setpassword(search_expr, adminpass, force_change_at_next_login=False,
username=username)
@@ -205,15 +209,14 @@ class cmd_domain_backup_online(samba.netcmd.Command):
logger = self.get_logger()
logger.setLevel(logging.DEBUG)
- # Make sure we have all the required args.
- check_online_backup_args(logger, credopts, server, targetdir)
-
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
- if not os.path.exists(targetdir):
- logger.info('Creating targetdir %s...' % targetdir)
- os.makedirs(targetdir)
+ # Make sure we have all the required args.
+ if server is None:
+ raise CommandError('Server required')
+
+ check_targetdir(logger, targetdir)
tmpdir = tempfile.mkdtemp(dir=targetdir)
@@ -250,7 +253,7 @@ class cmd_domain_backup_online(samba.netcmd.Command):
# ensure the admin user always has a password set (same as provision)
if no_secrets:
- set_admin_password(logger, samdb, creds.get_username())
+ set_admin_password(logger, samdb)
# Add everything in the tmpdir to the backup tar file
backup_file = backup_filepath(targetdir, realm, time_str)
@@ -677,8 +680,15 @@ class cmd_domain_backup_rename(samba.netcmd.Command):
logger = self.get_logger()
logger.setLevel(logging.INFO)
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
# Make sure we have all the required args.
- check_online_backup_args(logger, credopts, server, targetdir)
+ if server is None:
+ raise CommandError('Server required')
+
+ check_targetdir(logger, targetdir)
+
delete_old_dns = not keep_dns_realm
new_dns_realm = new_dns_realm.lower()
@@ -692,8 +702,6 @@ class cmd_domain_backup_rename(samba.netcmd.Command):
tmpdir = tempfile.mkdtemp(dir=targetdir)
# setup a join-context for cloning the remote server
- lp = sambaopts.get_loadparm()
- creds = credopts.get_credentials(lp)
include_secrets = not no_secrets
ctx = DCCloneAndRenameContext(new_base_dn, new_domain_name,
new_dns_realm, logger=logger,
@@ -757,7 +765,7 @@ class cmd_domain_backup_rename(samba.netcmd.Command):
# ensure the admin user always has a password set (same as provision)
if no_secrets:
- set_admin_password(logger, samdb, creds.get_username())
+ set_admin_password(logger, samdb)
# Add everything in the tmpdir to the backup tar file
backup_file = backup_filepath(targetdir, new_dns_realm, time_str)
diff --git a/python/samba/tests/dns_invalid.py b/python/samba/tests/dns_invalid.py
index 9f87cd5..46611eb 100644
--- a/python/samba/tests/dns_invalid.py
+++ b/python/samba/tests/dns_invalid.py
@@ -76,7 +76,7 @@ class TestBrokenQueries(DNSTest):
name = "\x10\x11\x05\xa8.%s" % self.get_dns_domain()
q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN)
- print "asking for ", q.name
+ print("asking for %s" % (q.name))
questions.append(q)
self.finish_name_packet(p, questions)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index fee7e21..24d3d7d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -762,14 +762,10 @@ sub setup_simpleserver
my $simpleserver_options = "
lanman auth = yes
ntlm auth = yes
- vfs objects = xattr_tdb streams_depot time_audit full_audit
+ vfs objects = xattr_tdb streams_depot
change notify = no
smb encrypt = off
- full_audit:syslog = no
- full_audit:success = none
- full_audit:failure = none
-
[vfs_aio_pthread]
path = $prefix_abs/share
read only = no
@@ -1723,7 +1719,11 @@ sub provision($$$$$$$$$)
dos filemode = yes
strict rename = yes
strict sync = yes
- vfs objects = acl_xattr fake_acls xattr_tdb streams_depot
+ vfs objects = acl_xattr fake_acls xattr_tdb streams_depot time_audit full_audit
+
+ full_audit:syslog = no
+ full_audit:success = none
+ full_audit:failure = none
printing = vlp
print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
diff --git a/source3/client/client.c b/source3/client/client.c
index f112b8c..25ba01d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -1160,6 +1160,7 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
start = lseek(handle, 0, SEEK_END);
if (start == -1) {
d_printf("Error seeking local file\n");
+ close(handle);
return 1;
}
}
@@ -1181,6 +1182,9 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
NULL);
if(!NT_STATUS_IS_OK(status)) {
d_printf("getattrib: %s\n", nt_errstr(status));
+ if (newhandle) {
+ close(handle);
+ }
return 1;
}
}
@@ -1193,6 +1197,9 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "parallel_read returned %s\n",
nt_errstr(status));
+ if (newhandle) {
+ close(handle);
+ }
cli_close(targetcli, fnum);
return 1;
}
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index bc96ac6..8f90988 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -222,6 +222,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
/* We have to obtain an INITIAL changepw ticket for changing password */
if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
krb5_get_init_creds_opt_free(context, opts);
+ smb_krb5_free_addresses(context, addr);
krb5_free_context(context);
free(realm);
DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
@@ -234,6 +235,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
kerb_prompter, NULL,
0, chpw_princ, opts);
krb5_get_init_creds_opt_free(context, opts);
+ smb_krb5_free_addresses(context, addr);
SAFE_FREE(chpw_princ);
SAFE_FREE(password);
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 0784262..ebf0f98 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2386,7 +2386,6 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
uint32_t deny_mode)
{
NTSTATUS status = NT_STATUS_OK;
- struct byte_range_lock *br_lck = NULL;
bool open_for_reading, open_for_writing, deny_read, deny_write;
off_t off;
bool have_read = false;
@@ -2444,6 +2443,8 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
/* Set locks */
if ((access_mask & FILE_READ_DATA) && have_read) {
+ struct byte_range_lock *br_lck = NULL;
+
off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
br_lck = do_lock(
handle->conn->sconn->msg_ctx, fsp,
@@ -2451,13 +2452,16 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
READ_LOCK, POSIX_LOCK, false,
&status, NULL);
+ TALLOC_FREE(br_lck);
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- TALLOC_FREE(br_lck);
}
if ((deny_mode & DENY_READ) && have_read) {
+ struct byte_range_lock *br_lck = NULL;
+
off = denymode_to_netatalk_brl(fork_type, DENY_READ);
br_lck = do_lock(
handle->conn->sconn->msg_ctx, fsp,
@@ -2465,10 +2469,11 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
READ_LOCK, POSIX_LOCK, false,
&status, NULL);
+ TALLOC_FREE(br_lck);
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- TALLOC_FREE(br_lck);
}
}
@@ -2494,6 +2499,8 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
/* Set locks */
if ((access_mask & FILE_WRITE_DATA) && have_read) {
+ struct byte_range_lock *br_lck = NULL;
+
off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
br_lck = do_lock(
handle->conn->sconn->msg_ctx, fsp,
@@ -2501,13 +2508,15 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
READ_LOCK, POSIX_LOCK, false,
&status, NULL);
+ TALLOC_FREE(br_lck);
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- TALLOC_FREE(br_lck);
-
}
if ((deny_mode & DENY_WRITE) && have_read) {
+ struct byte_range_lock *br_lck = NULL;
+
off = denymode_to_netatalk_brl(fork_type, DENY_WRITE);
br_lck = do_lock(
handle->conn->sconn->msg_ctx, fsp,
@@ -2515,15 +2524,14 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
READ_LOCK, POSIX_LOCK, false,
&status, NULL);
+ TALLOC_FREE(br_lck);
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- TALLOC_FREE(br_lck);
}
}
- TALLOC_FREE(br_lck);
-
return status;
}
diff --git a/source3/modules/vfs_time_audit.c b/source3/modules/vfs_time_audit.c
index e85ded5..1969573 100644
--- a/source3/modules/vfs_time_audit.c
+++ b/source3/modules/vfs_time_audit.c
@@ -1873,13 +1873,12 @@ static NTSTATUS smb_time_audit_offload_read_recv(
struct tevent_req *req,
struct vfs_handle_struct *handle,
TALLOC_CTX *mem_ctx,
- DATA_BLOB *_token_blob)
+ DATA_BLOB *token_blob)
{
struct time_audit_offload_read_state *state = tevent_req_data(
req, struct time_audit_offload_read_state);
struct timespec ts_recv;
double timediff;
- DATA_BLOB token_blob;
NTSTATUS status;
clock_gettime_mono(&ts_recv);
@@ -1893,13 +1892,8 @@ static NTSTATUS smb_time_audit_offload_read_recv(
return status;
}
- token_blob = data_blob_talloc(mem_ctx,
- state->token_blob.data,
- state->token_blob.length);
- if (token_blob.data == NULL) {
- tevent_req_received(req);
- return NT_STATUS_NO_MEMORY;
- }
+ token_blob->length = state->token_blob.length;
+ token_blob->data = talloc_move(mem_ctx, &state->token_blob.data);
tevent_req_received(req);
return NT_STATUS_OK;
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 7533d6b..ce215b1 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -351,6 +351,8 @@ bool fetch_ldap_pw(char **dn, char** pw)
if (!old_style_key) {
DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
+ SAFE_FREE(*pw);
+ SAFE_FREE(*dn);
return False;
}
@@ -361,6 +363,7 @@ bool fetch_ldap_pw(char **dn, char** pw)
if ((data == NULL) || (size < sizeof(old_style_pw))) {
DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
SAFE_FREE(old_style_key);
+ SAFE_FREE(*pw);
SAFE_FREE(*dn);
SAFE_FREE(data);
return False;
@@ -375,6 +378,7 @@ bool fetch_ldap_pw(char **dn, char** pw)
if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
SAFE_FREE(old_style_key);
+ SAFE_FREE(*pw);
SAFE_FREE(*dn);
return False;
}
diff --git a/source3/registry/reg_perfcount.c b/source3/registry/reg_perfcount.c
index db4451e..e31f899 100644
--- a/source3/registry/reg_perfcount.c
+++ b/source3/registry/reg_perfcount.c
@@ -168,6 +168,7 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
TDB_DATA kbuf, dbuf;
char temp[PERFCOUNT_MAX_LEN] = {0};
char *buf1 = *retbuf;
+ char *p = NULL;
uint32_t working_size = 0;
DATA_BLOB name_index, name;
bool ok;
@@ -185,13 +186,16 @@ static uint32_t _reg_perfcount_multi_sz_from_tdb(TDB_CONTEXT *tdb,
}
/* First encode the name_index */
working_size = (kbuf.dsize + 1)*sizeof(uint16_t);
- buf1 = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
- if(!buf1) {
+ p = (char *)SMB_REALLOC(buf1, buffer_size + working_size);
+ if (p == NULL) {
+ SAFE_FREE(buf1);
buffer_size = 0;
return buffer_size;
}
+ buf1 = p;
ok = push_reg_sz(talloc_tos(), &name_index, (const char *)kbuf.dptr);
if (!ok) {
+ SAFE_FREE(buf1);
buffer_size = 0;
return buffer_size;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list