[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jul 12 05:44:03 UTC 2018


The branch, master has been updated
       via  3eecdbc ldb: version 1.4.1
       via  df858ec talloc: version 2.1.14
       via  b9efc5a tdb: version 1.3.16
       via  52efa79 ldb: Refuse to build Samba against a newer minor version of ldb
       via  1a559fd ldb: Ban ldb 1.4.x with Samba 4.8 and earlier
       via  d55b1dc docs: Remove mention of --without-json-audit from the AD DC
       via  5a3690a WHATSNEW: Explain that Jansson is requied for AD DC, mention --without-json-audit
       via  932dc28 WHATSNEW: document sysvolreset improvement
       via  7422df4 tests/posixacl: Test with and without filling in the unix_token
       via  eb6cb6e python: Add samba.auth.session_info_fill_unix()
       via  77ffadd selftest: Add tests for samba.auth.admin_session()
       via  c02023f WHATSNEW: Fix spelling
       via  f87cde1 docs: Explain that "max xmit" is SMB1 only
       via  9502b72 WHATSNEW: Add note about defaults changes for the vfs_full_audit and acceptance of all syslog facilities for all audit modules.
       via  a8a9bb5 tests/posixacl: derive a new testcase to run same tests with session
       via  1c09fc2 tests/posixacl: move setUp and tearDown to top
       via  6875f43 tests/posixacl: rm duplicated test
       via  002987a tests/posixacl: use assertRaises to simplify code
       via  11e2c32 tests/posixacl: remove unused imports
       via  d68c294 tests/posixacl: define global ACL to make code DRY
       via  197b4b8 tests/posixacl: define global DOM_SID to make code DRY
       via  cd9f6c5 tests/posixacl: rm commented code
       via  8fb8215 provision/setsysvolacl: create helper function to simplify code
       via  5dd25a6 provision/setsysvolacl: build session_info and pass down to setntacl
       via  8dc8b8d ntacls: add session_info arg to setntacl and pass down to set_nt_acl api
       via  e2e6dd9 ntacls: reuse predefined SECURITY_SECINFO_FLAGS
       via  c9876de smbd/posix_acls: reuse secutiry token from session info if exist
       via  a9c6ec6 smbd/msdfs: add null check for session_info.unix_info
       via  aec40e3 pysmbd: add session_info arg to py_smbd_set_nt_acl
       via  760e36d pysmbd: add session_info arg to get_conn_tos
       via  356f395 WHATSNEW: Add entry for "Dynamic DNS record scavenging support"
       via  5965741 python/tests: check setting values on dnsRecord attributes
       via  aaffc4d tests dns: dns_base.py remove flake8 warnings
       via  ae9dee4 tests dns: dns.py remove flake8 warnings
       via  bc2e645 tests dns: fix rpc null byte test
       via  f0210f5 dns: static records
       via  8ef42d4 dns: update tool changed for scavenging
       via  86b6155 dns+kcc: adding dns scavenging to kcc periodic run
       via  50d961c dns: dns record scavenging function (without task)
       via  6bd2f82 dns: Use ldb.SCOPE_SUBTREE in ldap_get_records() routine in tests/dns.py
       via  00002b8 dns: custom match rule for DNS records to be tombstoned
       via  418cd93 dns: server side implementation of record aging
       via  350029b dns: moving name_equal func into common
       via  d6e111f rpc dns: reset dword aging related zone properties
       via  b22ce97 rpc dns: reading zone properties from LDB
       via  b841da0 dns: Reformat DNS with clang-format
       via  19910be rpc dns: setting timestamp to 0 on RPC processed records
       via  c1552c7 dns: record aging tests
       via  d871e0c smb.conf: add dns_zone_scavenging
      from  e186d6a s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3eecdbcc38dbe084b285c9720443d819304f7b97
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 11 22:21:32 2018 +0200

    ldb: version 1.4.1
    
    * add some missing return value checks
    * Fix several mem leaks in ldb_index ldb_search ldb_tdb (bug#13475)
    * ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory
      on duplicated add. (bug#13471)
    * ldb: Fix memory leak on module context (bug#13459)
    * Refused build of Samba 4.8 with ldb 1.4 (bug #13519)
    * Prevent similar issues in the future at configure time (bug #13519)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Jul 12 07:43:22 CEST 2018 on sn-devel-144

commit df858ec17e1d86ac983f0e74f7b80fbac64cab30
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 11 22:19:26 2018 +0200

    talloc: version 2.1.14
    
    * Fix some typos in the comments
    * Remove extra 0x prefix for the "%p" format specifiers,
      avoiding 0x0x0 strings in the output.
    * make sure we link extra-python versions of libraries
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b9efc5a628007f84c650789027385faaace913e8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jul 11 22:15:30 2018 +0200

    tdb: version 1.3.16
    
    * Fix build on AIX
    * Python3 compatibility fixes
    * Use tdb_wipe_all in "erase" command
    * Harden allocating the tdb recovery area
    * Make sure the hash size fits
    * Harden tdb_check_used_record against overflow
    * Harden tdb_rec_read
    * Handle TDB_NEXT_LOCK_ERR in tdb_traverse_internal
    * Fix build warnings
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 52efa796538ae004ca62ea32fc8c833472991be6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 12 12:34:56 2018 +1200

    ldb: Refuse to build Samba against a newer minor version of ldb
    
    Samba is not compatible with new versions of ldb (except release versions)
    
    Other users would not notice the breakages, but Samba makes many
    more assumptions about the LDB internals than any other package.
    
    (Specifically, LDB 1.2 and 1.4 broke builds against released
    Samba versions)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13519
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 1a559fd6a9026d72c3cd50d97c454081e9532068
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 13:41:58 2018 +1200

    ldb: Ban ldb 1.4.x with Samba 4.8 and earlier
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13519
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit d55b1dc1be661a5e1d429f06b5e1557d6f106326
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 12 11:56:40 2018 +1200

    docs: Remove mention of --without-json-audit from the AD DC
    
    This is no longer optional for the AD DC.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 5a3690a48f60d68b66d9a76591382a66e62e1668
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jul 12 11:54:56 2018 +1200

    WHATSNEW: Explain that Jansson is requied for AD DC, mention --without-json-audit
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 932dc282d4527e06ab5f8b69b486b339828def60
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 16:12:53 2018 +1200

    WHATSNEW: document sysvolreset improvement
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7422df43bbe0b09f6e7cf57984ea523f4e10249b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 17:08:34 2018 +1200

    tests/posixacl: Test with and without filling in the unix_token
    
    Sadly the unix token cannot be created without a running winbindd,
    which is not available during provision and a domain restore.
    
    (Internally in smbd a backup API via passdb is used, but this
    is not connected to this function at this time)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit eb6cb6e673e430cb8bb0be326f61c547ae42dfa1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 16:48:40 2018 +1200

    python: Add samba.auth.session_info_fill_unix()
    
    This fills in the unix portions of the token needed by smbd and the pysmbd bindings
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Pair-programmed-with: Joe Guo <joeg at catalyst.net.nz>
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 77ffadd3a04d442c19549611dc8cdf253db3863b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 16:48:07 2018 +1200

    selftest: Add tests for samba.auth.admin_session()
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Pair-programmed-with: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit c02023fbbc320e1c25803da94e7dcc9c9376c36d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 11 22:01:29 2018 +1200

    WHATSNEW: Fix spelling
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit f87cde1e70f1f5204dedd45e0cc04ae0b7463813
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 7 08:51:59 2018 +1200

    docs: Explain that "max xmit" is SMB1 only
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 9502b72af61b0437fb5dbf4f44defd4c1151f41d
Author: Timur I. Bakeyev <timur at iXsystems.com>
Date:   Sun Jul 8 16:09:59 2018 +0200

    WHATSNEW: Add note about defaults changes for the vfs_full_audit and acceptance of all syslog facilities for all audit modules.
    
    Signed-off-by: Timur I. Bakeyev <timur at iXsystems.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit a8a9bb553c8195425f385eee1cc8efab8cd889e9
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Fri Jul 6 10:36:54 2018 +1200

    tests/posixacl: derive a new testcase to run same tests with session
    
    1. existing tests still run with session_info=None
    2. new class override `get_session_info` to return a session, so same
    set of tests will run again, but with session.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 1c09fc2de3cb4cb18cba35ea410fb74742cd9065
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Fri Jul 6 10:32:17 2018 +1200

    tests/posixacl: move setUp and tearDown to top
    
    Make it clear to find out what we have in test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 6875f4354a356ccdf11b8a08aa9e197e51a3c40f
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 15:50:40 2018 +1200

    tests/posixacl: rm duplicated test
    
    There are 2 copies of `test_setposixacl_getposixacl`, this patch removed
    the first copy, which was overwritten by the second one.
    
    They are 99% the same except in the last line a_perm is 6 vs 7, and 7 is
    the correct number.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 002987ab3d49a20d96b8318f8cfa1ca78c2a280e
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 15:35:14 2018 +1200

    tests/posixacl: use assertRaises to simplify code
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 11e2c32b4cdd5e3b44d29b86ad3ed1f9d69d66ec
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 15:28:16 2018 +1200

    tests/posixacl: remove unused imports
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit d68c294ac4b313fd97d8de4e9a814944da0f8c6d
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 15:25:56 2018 +1200

    tests/posixacl: define global ACL to make code DRY
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 197b4b8508f5a1e9ed6b538966afd237c328e091
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 15:18:26 2018 +1200

    tests/posixacl: define global DOM_SID to make code DRY
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit cd9f6c5f74b7f4d5da0e2d892ac1d8b57ddd96f8
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 14:52:02 2018 +1200

    tests/posixacl: rm commented code
    
    The example is already in code, no need to keep it here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 8fb821521eea6a4a9ee4f06c1916085dbcdec09d
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 13:03:44 2018 +1200

    provision/setsysvolacl: create helper function to simplify code
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 5dd25a654f01797607d82c44e0fff0a5c390f67d
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 12:07:25 2018 +1200

    provision/setsysvolacl: build session_info and pass down to setntacl
    
    Get the admin session info, and pass it down to setntacl.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 8dc8b8d7f9dda3e83632e18bca002b71552a8fa7
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 10:27:23 2018 +1200

    ntacls: add session_info arg to setntacl and pass down to set_nt_acl api
    
    Then underneath code can reuse the authentication info in session to
    improve performance.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit e2e6dd9d865b97bd5c574181f02208b79c895006
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Tue Jul 3 10:20:39 2018 +1200

    ntacls: reuse predefined SECURITY_SECINFO_FLAGS
    
    Use predefined SECURITY_SECINFO_FLAGS to replace bitwise or operations
    on flag list.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit c9876defe6c641adc9935d85fca50702974a14d6
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 11:09:50 2018 +1200

    smbd/posix_acls: reuse secutiry token from session info if exist
    
    If session info was passed down from upstream, then try to use it to get
    security token, other than creating token every time.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit a9c6ec66bc52d288dcd9f26371e3639345ffe8b5
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 11:03:42 2018 +1200

    smbd/msdfs: add null check for session_info.unix_info
    
    When a session_info is passed down to here, the unix_info could be NULL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit aec40e3a39e27766015113d0f6978faaaaa92e88
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 10:18:30 2018 +1200

    pysmbd: add session_info arg to py_smbd_set_nt_acl
    
    Add session_info arg as optional and pass it down to get_conn_tos.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 760e36ddbcb8543f99fd34d97e8b6851dd022c1f
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Wed Jul 4 10:05:50 2018 +1200

    pysmbd: add session_info arg to get_conn_tos
    
    Add session_info arg, so caller can pass it in to reuse authentication info
    later. This will improve performance a lot while doing ntacl operations
    on large amount of files, e.g.: sysvolreset.
    
    Modification for upstream caller will come in following patches.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13521
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 356f39534036064a5aef49c524b6395469f7098f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 10 17:13:48 2018 +1200

    WHATSNEW: Add entry for "Dynamic DNS record scavenging support"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 59657418107e40d5b95e85dcff164db5bb60e504
Author: Bob Campbell <bobcampbell at catalyst.net.nz>
Date:   Fri Dec 9 09:13:11 2016 +1300

    python/tests: check setting values on dnsRecord attributes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12451
    
    Signed-off-by: Bob Campbell <bobcampbell at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit aaffc4d1aadc643d8587159e716b0f35ea3413cf
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue Jul 3 17:03:38 2018 +1200

    tests dns: dns_base.py remove flake8 warnings
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ae9dee4ca0ae94ba1ad40952a2772dede8453772
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Jul 2 16:51:00 2018 +1200

    tests dns: dns.py remove flake8 warnings
    
    Remove flake8 warnings from the code, this highlighted the issue with
    test_update_add_null_char_rpc_to_dns fixed in the preceding commit.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bc2e645a382d17c9cdf0120751490fa68263f445
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Jul 2 16:47:16 2018 +1200

    tests dns: fix rpc null byte test
    
    Fix update_add_null_char_rpc_to_dns so that the test matches the name.
    It was not passing the embedded null to the rpc call.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f0210f5d17f27641bccb651313f30087d53c6ef0
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Thu Jun 7 16:51:37 2018 +1200

    dns: static records
    
    Modifies bind9 and internal dns to match windows static records behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8ef42d4dab4dfaf5ad225b33f7748914f14dcd8c
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Jul 10 13:14:18 2018 +1200

    dns: update tool changed for scavenging
    
    Now that scavenging is implemented, the DNS update tool needs to be changed so
    that it always updates every name required by the DC.  Otherwise, the records
    might be scavenged.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 86b61551b381520335977cd129955587758f02a3
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue May 29 15:50:19 2018 +1200

    dns+kcc: adding dns scavenging to kcc periodic run
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Pair-Programmed-With: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 50d961c1a2de87067606897b794a47c80513bb64
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Fri Jun 1 16:07:46 2018 +1200

    dns: dns record scavenging function (without task)
    
    DNS record scavenging function with testing.  The logic of the custom match rule
    in previous commit is inverted so that calculations using zone properties can
    be taken out of the function's inner loop. Periodic task to come.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6bd2f82b9ff7629effe8280ab8f6bf9d721cf767
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Jul 10 13:23:42 2018 +1200

    dns: Use ldb.SCOPE_SUBTREE in ldap_get_records() routine in tests/dns.py
    
    DNS records have the odd property that the DN can be reliably determined by the
    name only, so we do not need a subtree search.
    
    However by using a subtree search under the zone we can without
    trapping exceptions confirm if the record exists or not in the tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 00002b8df9b865b896d264ee22bf6f22cf935f56
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 2 13:48:06 2018 +1200

    dns: custom match rule for DNS records to be tombstoned
    
    A custom match rule for records to be tombstoned by the scavenging process.
    Needed because DNS records are a multi-valued attribute on name records, so
    without a custom match rule we'd have entire zones into memory to search for
    expired records.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 418cd93f4c9c90b0f5002e32203be8281af660cf
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 2 13:43:33 2018 +1200

    dns: server side implementation of record aging
    
    Code for retrieving aging properties from a zone and using them for timestamp
    setting logic during processing of DNS requests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 350029bdd8fe90f64d8581b39599d8b8430d7f61
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Jun 5 17:12:44 2018 +1200

    dns: moving name_equal func into common
    
    This function is duplicated in the BIND9 and RPC DNS servers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d6e111ff4212bbab6f8fdc67828afe4d1c154ac4
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Jul 3 15:34:32 2018 +1200

    rpc dns: reset dword aging related zone properties
    
    This allows a user to set zone properties relevant to DNS record aging over RPC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b22ce976862500fcfe56d60698ce9572b50feef9
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Tue Jul 3 15:33:06 2018 +1200

    rpc dns: reading zone properties from LDB
    
    Reading zone properties from LDB on server connection initialisation, instead
    of them being volatile fields.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b841da04e217646c8bf1eaa3985857ce4207965c
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue Jul 10 13:37:18 2018 +1200

    dns: Reformat DNS with clang-format
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 19910bea876d2e9797d1e0e3e6594a56662e1e9e
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Wed May 30 18:56:16 2018 +1200

    rpc dns: setting timestamp to 0 on RPC processed records
    
    All records created by RPC DNS server calls should have timestamp set to 0
    according to [MS-DNSP]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12451
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c1552c70c5a34584ffb23a9a48b6bf1501e1eea4
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Wed May 9 18:02:28 2018 +1200

    dns: record aging tests
    
    First basic DNS record aging tests.  These check that we can
    turn aging on and off, and that timestamps are written on DNS
    add and update calls, but not RPC calls.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d871e0c84c761877563652558f44d8a3df4c49a3
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed Jul 11 16:30:38 2018 +1200

    smb.conf: add dns_zone_scavenging
    
    Add parameter dns_zone_scavenging to control dns zone scavenging.
    Scavenging is disabled by default, as due to
    https://bugzilla.samba.org/show_bug.cgi?id=12451 the ageing properties of
    existing DNS entries are incorrect.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  51 +-
 docs-xml/smbdotconf/domain/dnszonescavenging.xml   |  23 +
 docs-xml/smbdotconf/logging/loglevel.xml           |   9 +-
 docs-xml/smbdotconf/misc/dsdbeventnotification.xml |   4 +-
 .../misc/dsdbgroupchangenotification.xml           |   4 +-
 .../misc/dsdbpasswordeventnotification.xml         |   4 +-
 docs-xml/smbdotconf/protocol/maxxmit.xml           |   4 +-
 lib/ldb-samba/ldb_matching_rules.c                 | 136 +++-
 lib/ldb-samba/ldb_matching_rules.h                 |   1 +
 lib/ldb/ABI/{ldb-1.4.0.sigs => ldb-1.4.1.sigs}     |   0
 ...b-util.py3-1.4.0.sigs => pyldb-util-1.4.1.sigs} |   0
 ...il.py3-1.4.0.sigs => pyldb-util.py3-1.4.1.sigs} |   0
 lib/ldb/include/ldb_module.h                       |  16 +-
 lib/ldb/wscript                                    |  34 +-
 lib/param/loadparm.c                               |   1 +
 ...c-util-2.1.9.sigs => pytalloc-util-2.1.14.sigs} |   0
 ...y3-2.1.9.sigs => pytalloc-util.py3-2.1.14.sigs} |   0
 .../ABI/{talloc-2.1.9.sigs => talloc-2.1.14.sigs}  |   0
 lib/talloc/wscript                                 |   2 +-
 lib/tdb/ABI/{tdb-1.3.15.sigs => tdb-1.3.16.sigs}   |   0
 lib/tdb/wscript                                    |   2 +-
 python/samba/ntacls.py                             |  41 +-
 python/samba/provision/__init__.py                 |  31 +-
 python/samba/tests/auth.py                         |  52 +-
 python/samba/tests/blackbox/samba_dnsupdate.py     |  18 +-
 python/samba/tests/dcerpc/dnsserver.py             |  34 +-
 python/samba/tests/dns.py                          | 794 +++++++++++++++++----
 python/samba/tests/dns_base.py                     |  22 +-
 python/samba/tests/posixacl.py                     | 217 +++---
 selftest/knownfail.d/dns                           |  26 +
 selftest/tests.py                                  |   2 +-
 source3/param/loadparm.c                           |   1 +
 source3/smbd/msdfs.c                               |   7 +-
 source3/smbd/posix_acls.c                          |  26 +
 source3/smbd/pysmbd.c                              |  56 +-
 source4/auth/pyauth.c                              |  61 ++
 source4/dns_server/dlz_bind9.c                     |  32 +-
 source4/dns_server/dns_server.h                    |   1 -
 source4/dns_server/dns_update.c                    |  41 +-
 source4/dns_server/dnsserver_common.c              | 160 +++++
 source4/dns_server/dnsserver_common.h              |   9 +
 source4/dsdb/kcc/kcc_periodic.c                    |  79 +-
 source4/dsdb/kcc/kcc_service.h                     |   5 +
 source4/dsdb/kcc/scavenge_dns_records.c            | 441 ++++++++++++
 source4/dsdb/kcc/scavenge_dns_records.h            |  48 ++
 source4/dsdb/pydsdb.c                              |  73 ++
 source4/dsdb/wscript_build                         |  10 +-
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |   9 +-
 source4/rpc_server/dnsserver/dnsdata.c             |  15 -
 source4/rpc_server/dnsserver/dnsdb.c               | 183 ++++-
 source4/rpc_server/dnsserver/dnsserver.h           |  14 +-
 source4/rpc_server/dnsserver/dnsutils.c            |  76 +-
 source4/scripting/bin/samba_dnsupdate              |  10 +-
 source4/setup/schema_samba4.ldif                   |   1 +
 54 files changed, 2458 insertions(+), 428 deletions(-)
 create mode 100644 docs-xml/smbdotconf/domain/dnszonescavenging.xml
 copy lib/ldb/ABI/{ldb-1.4.0.sigs => ldb-1.4.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.0.sigs => pyldb-util-1.4.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.0.sigs => pyldb-util.py3-1.4.1.sigs} (100%)
 copy lib/talloc/ABI/{pytalloc-util-2.1.9.sigs => pytalloc-util-2.1.14.sigs} (100%)
 copy lib/talloc/ABI/{pytalloc-util.py3-2.1.9.sigs => pytalloc-util.py3-2.1.14.sigs} (100%)
 copy lib/talloc/ABI/{talloc-2.1.9.sigs => talloc-2.1.14.sigs} (100%)
 copy lib/tdb/ABI/{tdb-1.3.15.sigs => tdb-1.3.16.sigs} (100%)
 create mode 100644 source4/dsdb/kcc/scavenge_dns_records.c
 create mode 100644 source4/dsdb/kcc/scavenge_dns_records.h


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6795e0f..4035fd3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -21,7 +21,7 @@ net ads setspn
 ---------------
 
 There is a new 'net ads setspn' sub command for managing Windows SPN(s)
-on the AD. This command aims to give the basic functionaility that is
+on the AD. This command aims to give the basic functionality that is
 provided on windows by 'setspn.exe' e.g. ability to add, delete and list
 Windows SPN(s) stored in a Windows AD Computer object.
 
@@ -64,7 +64,17 @@ tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
 Kerberos would return ALICE as the username. Kerberos would not be able to map
 'alice' to 'ALICE' in this case and auth would fail.  With this plugin account
 names can be correctly mapped. This only applies to GSSAPI authentication,
-not for the geting the initial ticket granting ticket.
+not for the getting the initial ticket granting ticket.
+
+VFS audit modules
+-----------------
+
+The vfs_full_audit module has changed it's default set of monitored successful
+and failed operations from "all" to "none". That helps to prevent potential
+denial of service caused by simple addition of the module to the VFS objects.
+
+Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
+syslog(3) facility, in accordance with the manual page.
 
 Database audit support
 ----------------------
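
Review bot: In the added "VFS audit modules" paragraph, "has changed it's default set" should read "its default set", and the corrected line just above still reads "not for the getting the initial ticket granting ticket", where the first "the" looks left over. It would also help to name the two options (full_audit:success and full_audit:failure, listed in the smb.conf changes table later in this file) so administrators who relied on the old "all" default know what to set to keep their audit trail.
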
@@ -98,10 +108,18 @@ For NTLM and Kerberos KDC authentication, the authentication duration is now
 logged. Note that the duration is only included in the JSON formatted log
 entries.
 
+JSON library Jansson required for the AD DC
+-------------------------------------------
+
+By default the Jansson JSON library is required for Samba to build.
+It is strictly required for the Samba AD DC, and is optional for
+builds --without-ad-dc by specifying --without-json-audit at configure
+time.
+
 New Experimental LMDB LDB backend
 ---------------------------------
 
-A new experimental LDB backend using LMBD is now available. This allows
+A new experimental LDB backend using LMDB is now available. This allows
 databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
 increased in a future release). To enable lmdb, provision or join a domain using
 the --backend-store=mdb option.
@@ -211,6 +229,13 @@ Additionally DNS records can be automatically cleaned up for a given
 name with the 'samba-tool dns cleanup' command, which aids in cleaning
 up partially removed DCs.
 
+samba-tool ntacl sysvolreset is now much faster
+-----------------------------------------------
+
+The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC,
+is now much faster than in previous versions, after an internal
+rework.
+
 Samba now tested with CI GitLab
 -------------------------------
 
@@ -218,6 +243,24 @@ Samba developers now have pre-commit testing available in GitLab,
 giving reviewers confidence that the submitted patches pass a full CI
 before being submitted to the Samba Team's own autobuild system.
 
+Dynamic DNS record scavenging support
+-------------------------------------
+
+It is now possible to enable scavenging of DNS Zones to remove DNS
+records that were dynamically created and have not been touched in
+some time.
+
+This support should however only be enabled on new zones or new
+installations.  Sadly old Samba versions suffer from BUG 12451 and
+mark dynamic DNS records as static and static records as dynamic.
+While a dbcheck rule may be able to find these in the future,
+currently a reliable test has not been devised.
+
+Finally, there is not currently a command-line tool to enable this
+feature, currently it should be enabled from the DNS Manager tool from
+Windows. Also the feature needs to have been enabled by setting the smb.conf
+parameter "dns zone scavenging = yes".
+
 
 REMOVED FEATURES
 ================
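
Review bot: The final added paragraph hides a two-step enablement in a comma splice ("there is not currently a command-line tool to enable this feature, currently it should be enabled from the DNS Manager tool"). Suggest splitting it and stating both requirements plainly: the smb.conf parameter "dns zone scavenging = yes" must be set, and scavenging must be enabled on the zone from the Windows DNS Manager. The BUG 12451 paragraph should also state the consequence on an older installation, as the new smb.conf manpage warning does (loss of static DNS entries), because "should however only be enabled on new zones" understates the risk.
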
@@ -237,6 +280,8 @@ to allow better Windows fileserver compatibility in a default install.
   map readonly                       Default changed              no
   store dos attributes               Default changed             yes
   ea support                         Default changed             yes
+  full_audit:success                 Default changed            none
+  full_audit:failure                 Default changed            none
 
 VFS interface changes
 =====================
diff --git a/docs-xml/smbdotconf/domain/dnszonescavenging.xml b/docs-xml/smbdotconf/domain/dnszonescavenging.xml
new file mode 100644
index 0000000..80ec144
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/dnszonescavenging.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="dns zone scavenging"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	When enabled (the default is disabled) unused dynamic dns records are
+	periodically removed.
+	</para>
+	<warning><para>
+	This option should not be enabled for installations created with
+	versions of samba before 4.9. Doing this will result in the loss of
+	static DNS entries. This is due to a bug in previous versions
+	of samba (BUG 12451) which marked dynamic DNS records as static and
+	static records as dynamic.
+	</para></warning>
+	<note><para>
+	If one record for a DNS name is static (non-aging) then no other record
+	for that DNS name will be scavenged.
+	</para></note>
+</description>
+<value type="default">no</value>
+</samba:parameter>
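
Review bot: The description does not say that this parameter alone is insufficient: the WHATSNEW entry in the same changeset states that scavenging also has to be enabled from the Windows DNS Manager tool. Suggest adding that to the <description> so the manpage is self-contained, and capitalising "Samba" and "DNS" consistently ("versions of samba", "dynamic dns records").
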
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml
index ffd9075..9a02926 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -74,18 +74,15 @@
     </itemizedlist>
 
     <para>Changes to the sam.ldb database are logged
-    under the dsdb_audit, and if Samba was not compiled with
-    --without-json-audit, a JSON representation is logged under
+    under the dsdb_audit and a JSON representation is logged under
     dsdb_json_audit.</para>
 
     <para>Password changes and Password resets are logged under
-    dsdb_password_audit, and if Samba was not compiled with
-    --without-json-audit, a JSON representation is logged under the
+    dsdb_password_audit and a JSON representation is logged under the
     dsdb_password_json_audit.</para>
 
     <para>Transaction rollbacks and prepare commit failures are logged under
-    the dsdb_transaction_audit, and if Samba was not compiled with
-    --without-json-audit, a JSON representation is logged under the
+    the dsdb_transaction_audit and a JSON representation is logged under the
     password_json_audit. Logging the transaction details allows the
     identification of password and sam.ldb operations that have been rolled
     back.</para>
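
Review bot: With the "--without-json-audit" caveat removed, all three paragraphs now state unconditionally that a JSON representation is logged, yet the WHATSNEW hunk in this changeset says --without-json-audit remains available for builds --without-ad-dc; if this manpage also ships with such builds, a short qualifier is still needed. Separately, the context line in the third paragraph names "password_json_audit", which does not follow the dsdb_*_json_audit naming of the other two paragraphs and looks like a copy/paste slip worth fixing while this text is being touched.
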
diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
index 6afc799..7df46e1 100644
--- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
@@ -13,9 +13,7 @@
 	<para>This should be considered a developer option (it assists
 	in the Samba testsuite) rather than a facility for external
 	auditing, as message delivery is not guaranteed (a feature
-	that the testsuite works around).  Additionally Samba must be
-	not compiled with the --without-json-audit parameter for this
-	option to be effective.</para>
+	that the testsuite works around).</para>
 
 	<para>The Samba database events are also logged via the normal
 	logging methods when the <smbconfoption name="log level"/> is
diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
index 2079f51..6354979 100644
--- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
@@ -13,9 +13,7 @@
 	<para>This should be considered a developer option (it assists
 	in the Samba testsuite) rather than a facility for external
 	auditing, as message delivery is not guaranteed (a feature
-	that the testsuite works around).  Additionally Samba must be
-	not compiled with the --without-json-audit parameter for this
-	option to be effective.</para>
+	that the testsuite works around).</para>
 
 	<para>The group events are also logged via the normal
 	logging methods when the <smbconfoption name="log level"/> is
diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
index 62bf7ff..984321b9 100644
--- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
@@ -13,9 +13,7 @@
 	<para>This should be considered a developer option (it assists
 	in the Samba testsuite) rather than a facility for external
 	auditing, as message delivery is not guaranteed (a feature
-	that the testsuite works around).  Additionally Samba must be
-	not compiled with the --without-json-audit parameter for this
-	option to be effective.</para>
+	that the testsuite works around).</para>
 
 	<para>The password events are also logged via the normal
 	logging methods when the <smbconfoption name="log level"/> is
diff --git a/docs-xml/smbdotconf/protocol/maxxmit.xml b/docs-xml/smbdotconf/protocol/maxxmit.xml
index aca98d5..d7bd66c 100644
--- a/docs-xml/smbdotconf/protocol/maxxmit.xml
+++ b/docs-xml/smbdotconf/protocol/maxxmit.xml
@@ -4,7 +4,9 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This option controls the maximum packet size 
-    that will be negotiated by Samba. The default is 16644, which 
+    that will be negotiated by Samba's 
+    <citerefentry><refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 
+    for the SMB1 protocol. The default is 16644, which 
     matches the behavior of Windows 2000.  A value below 2048 is likely to cause problems.
     You should never need to change this parameter from its default value.
 </para>
diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c
index 063a5d3..2aaaeb7 100644
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ b/lib/ldb-samba/ldb_matching_rules.c
@@ -26,6 +26,7 @@
 #include "ldb_matching_rules.h"
 #include "libcli/security/security.h"
 #include "dsdb/common/util.h"
+#include "librpc/gen_ndr/ndr_dnsp.h"
 
 static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx,
 					     struct ldb_context *ldb,
@@ -328,6 +329,125 @@ static int ldb_comparator_trans(struct ldb_context *ldb,
 
 
 /*
+ * This rule provides match of a dns object with expired records.
+ *
+ * This allows a search filter such as:
+ *
+ * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=131139216000000000
+ *
+ * This allows the caller to find records that should become a DNS
+ * tomestone, despite that information being deep within an NDR packed
+ * object
+ */
+static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb,
+						const char *oid,
+						const struct ldb_message *msg,
+						const char *attribute_to_match,
+						const struct ldb_val *value_to_match,
+						bool *matched)
+{
+	TALLOC_CTX *tmp_ctx;
+	unsigned int i;
+	struct ldb_message_element *el = NULL;
+	struct auth_session_info *session_info = NULL;
+	uint64_t tombstone_time;
+	struct dnsp_DnssrvRpcRecord *rec = NULL;
+	enum ndr_err_code err;
+	*matched = false;
+
+	/* Needs to be dnsRecord, no match otherwise */
+	if (ldb_attr_cmp(attribute_to_match, "dnsRecord") != 0) {
+		return LDB_SUCCESS;
+	}
+
+	el = ldb_msg_find_element(msg, attribute_to_match);
+	if (el == NULL) {
+		return LDB_SUCCESS;
+	}
+
+	session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
+				       struct auth_session_info);
+	if (session_info == NULL) {
+		return ldb_oom(ldb);
+	}
+	if (security_session_user_level(session_info, NULL)
+		!= SECURITY_SYSTEM) {
+
+		DBG_ERR("unauthorised access\n");
+		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	}
+
+	/* Just check we don't allow the caller to fill our stack */
+	if (value_to_match->length >= 64) {
+		DBG_ERR("Invalid timestamp passed\n");
+		return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+	} else {
+		char *p = NULL;
+		char s[value_to_match->length+1];
+		memcpy(s, value_to_match->data, value_to_match->length);
+		s[value_to_match->length] = 0;
+		if (s[0] == '\0' || s[0] == '-') {
+			DBG_ERR("Empty timestamp passed\n");
+			return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+		}
+		tombstone_time = strtoull(s, &p, 10);
+		if (p == NULL || p == s || *p != '\0' ||
+		    tombstone_time == ULLONG_MAX) {
+			DBG_ERR("Invalid timestamp string passed\n");
+			return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+		}
+	}
+
+	tmp_ctx = talloc_new(ldb);
+	if (tmp_ctx == NULL) {
+		return ldb_oom(ldb);
+	}
+
+	for (i = 0; i < el->num_values; i++) {
+		rec = talloc_zero(tmp_ctx, struct dnsp_DnssrvRpcRecord);
+		if (rec == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return ldb_oom(ldb);
+		}
+		err = ndr_pull_struct_blob(
+			&(el->values[i]),
+			tmp_ctx,
+			rec,
+			(ndr_pull_flags_fn_t)ndr_pull_dnsp_DnssrvRpcRecord);
+		if (!NDR_ERR_CODE_IS_SUCCESS(err)){
+			DBG_ERR("Failed to pull dns rec blob.\n");
+			TALLOC_FREE(tmp_ctx);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		if (rec->wType == DNS_TYPE_SOA || rec->wType == DNS_TYPE_NS) {
+			TALLOC_FREE(tmp_ctx);
+			continue;
+		}
+
+		if (rec->wType == DNS_TYPE_TOMBSTONE) {
+			TALLOC_FREE(tmp_ctx);
+			continue;
+		}
+		if (rec->dwTimeStamp == 0) {
+			TALLOC_FREE(tmp_ctx);
+			continue;
+		}
+		if (rec->dwTimeStamp > tombstone_time) {
+			TALLOC_FREE(tmp_ctx);
+			continue;
+		}
+
+		*matched = true;
+		break;
+	}
+
+	TALLOC_FREE(tmp_ctx);
+	return LDB_SUCCESS;
+}
+
+
+/*
  * This rule provides match of a link attribute against a 'should be expunged' criteria
  *
  * This allows a search filter such as:
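
Review bot: In the loop over el->values, every skip path runs TALLOC_FREE(tmp_ctx) before "continue". TALLOC_FREE also sets the pointer to NULL, so the next iteration's talloc_zero(tmp_ctx, ...) and ndr_pull_struct_blob(..., tmp_ctx, ...) allocate on the NULL context, and the final TALLOC_FREE(tmp_ctx) after the loop no longer releases them. Free rec on those paths (or nothing at all) and keep tmp_ctx for the single free after the loop. Two smaller points: a missing "sessionInfo" opaque returns ldb_oom(ldb), which misreports an absent session as out-of-memory where LDB_ERR_OPERATIONS_ERROR or LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS would be accurate, and the header comment has "tomestone" for "tombstone".
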
@@ -448,7 +568,8 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb,
 int ldb_register_samba_matching_rules(struct ldb_context *ldb)
 {
 	struct ldb_extended_match_rule *transitive_eval = NULL,
-		*match_for_expunge = NULL;
+		*match_for_expunge = NULL,
+		*match_for_dns_to_tombstone_time = NULL;
 	int ret;
 
 	transitive_eval = talloc_zero(ldb, struct ldb_extended_match_rule);
@@ -469,5 +590,18 @@ int ldb_register_samba_matching_rules(struct ldb_context *ldb)
 		return ret;
 	}
 
+	match_for_dns_to_tombstone_time = talloc_zero(
+		ldb,
+		struct ldb_extended_match_rule);
+	match_for_dns_to_tombstone_time->oid = DSDB_MATCH_FOR_DNS_TO_TOMBSTONE_TIME;
+	match_for_dns_to_tombstone_time->callback
+		= dsdb_match_for_dns_to_tombstone_time;
+	ret = ldb_register_extended_match_rule(ldb,
+					       match_for_dns_to_tombstone_time);
+	if (ret != LDB_SUCCESS) {
+		TALLOC_FREE(match_for_dns_to_tombstone_time);
+		return ret;
+	}
+
 	return LDB_SUCCESS;
 }
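
Review bot: The talloc_zero() result for match_for_dns_to_tombstone_time is dereferenced on the following line ("match_for_dns_to_tombstone_time->oid = ...") without a NULL check, so an allocation failure here crashes instead of returning an error. Add "if (match_for_dns_to_tombstone_time == NULL) { return ldb_oom(ldb); }" before the assignment.
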
diff --git a/lib/ldb-samba/ldb_matching_rules.h b/lib/ldb-samba/ldb_matching_rules.h
index 421e1ce..28c4e3d 100644
--- a/lib/ldb-samba/ldb_matching_rules.h
+++ b/lib/ldb-samba/ldb_matching_rules.h
@@ -25,5 +25,6 @@
 /* This rule provides recursive search of a link attribute */
 #define SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL	"1.2.840.113556.1.4.1941"
 #define DSDB_MATCH_FOR_EXPUNGE	"1.3.6.1.4.1.7165.4.5.2"
+#define DSDB_MATCH_FOR_DNS_TO_TOMBSTONE_TIME "1.3.6.1.4.1.7165.4.5.3"
 
 #endif /* _LDB_MATCHING_RULES_H_ */
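
Review bot: The new DSDB_MATCH_FOR_DNS_TO_TOMBSTONE_TIME define carries no comment, unlike SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL above it. A one-line comment noting that the rule matches dnsRecord values whose timestamp is at or before the supplied time, and that the callback rejects non-system sessions, would save readers a trip to ldb_matching_rules.c.
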
diff --git a/lib/ldb/ABI/ldb-1.4.0.sigs b/lib/ldb/ABI/ldb-1.4.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.4.0.sigs
copy to lib/ldb/ABI/ldb-1.4.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.0.sigs b/lib/ldb/ABI/pyldb-util-1.4.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.0.sigs
copy to lib/ldb/ABI/pyldb-util-1.4.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.0.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.0.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index fd88c62..6ba2a49 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -54,18 +54,18 @@
 #endif
 
 /*
- * Only Samba versions which expect ldb >= 1.2.0
- * are compatible with read_[un]lock() behaviour.
+ * Only Samba versions which expect ldb >= 1.4.0
+ * reopen the ldb after each fork().
  *
- * See https://bugzilla.samba.org/show_bug.cgi?id=12859
+ * See https://bugzilla.samba.org/show_bug.cgi?id=13519
  */
 #if EXPECTED_SYSTEM_LDB_VERSION_MAJOR > 1
-#define __LDB_READ_LOCK_COMPATIBLE__ 1
-#elif EXPECTED_SYSTEM_LDB_VERSION_MINOR > 1
-#define __LDB_READ_LOCK_COMPATIBLE__ 1
+#define __LDB_FORK_COMPATIBLE__ 1
+#elif EXPECTED_SYSTEM_LDB_VERSION_MINOR > 3
+#define __LDB_FORK_COMPATIBLE__ 1
 #endif
-#ifndef __LDB_READ_LOCK_COMPATIBLE__
-#error "Samba < 4.7 is not compatible with this version of ldb due to assumptions around read locks"
+#ifndef __LDB_FORK_COMPATIBLE__
+#error "Samba < 4.9 is not compatible with this version of ldb due to assumptions around fork() behaviour"
 #endif
 
 #endif /* defined(_SAMBA_BUILD_) && defined(USING_SYSTEM_LDB) */
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index f5cb1e0..33e787c 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.4.0'
+VERSION = '1.4.1'
 
 blddir = 'bin'
 
@@ -69,23 +69,33 @@ def configure(conf):
     conf.env.standalone_ldb = conf.IN_LAUNCH_DIR()
 
     if not conf.env.standalone_ldb:
+        max_ldb_version = [int(x) for x in VERSION.split(".")]
+        max_ldb_version[2] = 999
+        max_ldb_version_dots = "%d.%d.%d" % tuple(max_ldb_version)
+
         if conf.env.disable_python:
-            if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=VERSION,
-                                         onlyif='talloc tdb tevent',
-                                         implied_deps='replace talloc tdb tevent'):
+            if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb',
+                                             minversion=VERSION,
+                                             maxversion=max_ldb_version_dots,
+                                             onlyif='talloc tdb tevent',
+                                             implied_deps='replace talloc tdb tevent'):
                 conf.define('USING_SYSTEM_LDB', 1)
         else:
             using_system_pyldb_util = True
-            if not conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
-                                             onlyif='talloc tdb tevent',
-                                             implied_deps='replace talloc tdb tevent ldb'):
+            if not conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util',
+                                                 minversion=VERSION,
+                                                 maxversion=max_ldb_version_dots,
+                                                 onlyif='talloc tdb tevent',
+                                                 implied_deps='replace talloc tdb tevent ldb'):
                 using_system_pyldb_util = False
 
             # We need to get a pyldb-util for all the python versions
             # we are building for
             if conf.env['EXTRA_PYTHON']:
                 name = 'pyldb-util' + conf.all_envs['extrapython']['PYTHON_SO_ABI_FLAG']
-                if not conf.CHECK_BUNDLED_SYSTEM_PKG(name, minversion=VERSION,
+                if not conf.CHECK_BUNDLED_SYSTEM_PKG(name,
+                                                     minversion=VERSION,
+                                                     maxversion=max_ldb_version_dots,
                                                      onlyif='talloc tdb tevent',
                                                      implied_deps='replace talloc tdb tevent ldb'):
                     using_system_pyldb_util = False
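
Review bot: "max_ldb_version[2] = 999" is an unexplained magic number and assumes VERSION always has exactly three dot-separated components. Add a comment stating the intent (accept any patch release of the same major.minor, refuse a newer minor) so the cap is not mistaken for a typo, and consider failing with a clear message if VERSION ever has a different shape rather than raising an IndexError during configure.
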
@@ -93,9 +103,11 @@ def configure(conf):
             if using_system_pyldb_util:
                 conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
 
-            if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=VERSION,
-                                         onlyif='talloc tdb tevent pyldb-util',
-                                         implied_deps='replace talloc tdb tevent'):
+            if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb',
+                                             minversion=VERSION,
+                                             maxversion=max_ldb_version_dots,


-- 
Samba Shared Repository


