[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Mon Nov 5 14:48:03 UTC 2018


The branch, v4-9-test has been updated
       via  a0a3ce5 dsdb group audit tests: log_membership_changes extra tests
       via  1554338 dsdb group audit tests: check_version improve diagnostics
       via  a29074f dsdb group audit tests: check_timestamp improve diagnostics
       via  5d06550 dsdb group audit: align dn_compare with memcmp
       via  fd43fd8 dsdb group_audit: Test to replicate BUG 13664
       via  9b7bd1c dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path
       via  0945b9b dsdb encrypted_secrets tests: Allow "ldb://" in file path
       via  19e17ff python tests Blackbox: add random_password
       via  c20b587 ldb: Bump ldb version to 1.4.3
       via  4908da4 lib/ldb: Ensure ldb.Dn can accept utf8 encoded unicode
       via  1f7757e lib/ldb/tests: add test for ldb.Dn passed utf8 unicode
       via  339a86a lib/ldb: Test correct variable for no mem condition
       via  d88db0d dsdb: Add comments explaining the limitations of our current backlink behaviour
       via  556b2c8 s4:samldb: internally use extended dns while changing the primaryGroupID field
       via  c9e0e43 s4:repl_meta_data: add support for DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
       via  6616941 s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_replace()
       via  fcafbe7 s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_delete()
       via  8095ffe s4:repl_meta_data: add missing \n to a DEBUG message in replmd_modify_la_add()
       via  98f2319 s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_add()
       via  9d760fe s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_handle_linked_attribs()
       via  2d77e4f blackbox/dbcheck-links: Test broken links with missing <SID=...> on linked attributes
       via  4da901d dbchecker: Fix missing <SID=...> on linked attributes
       via  ea9b694 dbchecker: improve verbose output of do_modify()
       via  c73aca8 s4:dsdb: add DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID oid
       via  3fb4c68 testprogs/blackbox: add samba4.blackbox.test_primary_group test
       via  2d682e4 s4:dsdb: fix comment on DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
       via  eadd15a schema_samba4.ldif: add allocation of DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
       via  69fb6c1 vfs_fruit: optionally delete AppleDouble files without Resourcefork data
       via  6a457df vfs_fruit: add option "delete_empty_adfiles"
       via  9022021 vfs_fruit: detect empty resource forks in ad_convert()
       via  4a56be1 vfs_fruit: add option "wipe_intentionally_left_blank_rfork"
       via  f8a4f92 s4:torture: add test for AppleDouble ResourceFork conversion
       via  66aaa6a s3:selftest: list vfs testsuites one per line
       via  7b04e55 docs:vfs_fruit: add "delete_empty_adfiles" option
       via  e1f09ff docs:vfs_fruit: add "wipe_intentionally_left_blank_rfork" option
       via  bedb34a s3:winbind: Check return code of initialize_password_db()
       via  0103f91 lib:socket: If returning early, set ifaces
       via  4b461cd vfs_fruit: remove check for number of xattrs from ad_convert_xattr
       via  40533f0 dsdb: Ensure that a DN (now) pointing at a deleted object counts for objectclass-based MUST
       via  24a02a3 tests: Add corner-case test: fromServer points to dead server
       via  5e4e3da libcli: Add debug message if fail to negotiate SMB protocol
       via  4b42e0e s3/smbd: Server responds incorrectly if no SMB protocol chosen
       via  d3be8e2 netcmd: Make sure SMB connection is signed when backing up sysvol
       via  db23314 python: Allow forced signing via smb.SMB()
       via  4933bc8 selftest: Change backup testenvs to use non-default site
       via  dfc0745 netcmd: Re-create default site for backup-restore (if missing)
       via  c077dfa tests: Add test-case for restore into non-default site
       via  1e7520f netcmd: Add --site option when restoring a domain
      from  6c44382 ctdb-daemon: Fix valgrind hit in event code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit a0a3ce5c2164b3c352598b28df22268161462c6c
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Oct 25 10:52:55 2018 +1300

    dsdb group audit tests: log_membership_changes extra tests
    
    Add extra tests to ensure better test coverage of log_membership_changes
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit aeef8b41fa03a32859f824f4a09560ad83bd2b50)
    
    Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-9-test): Mon Nov  5 15:47:40 CET 2018 on sn-devel-144

commit 155433882adbf6908e8a125643234388b49279a0
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Oct 25 14:38:31 2018 +1300

    dsdb group audit tests: check_version improve diagnostics
    
    Change check_version to display the expected, actual along with the
    line and name of the failing test, rather than the line in check_version
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit c952fc1273397c04fddf177bcd809551d6324bdd)

commit a29074fd52f51156eb0d0a50cd55743430f80ef0
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Oct 25 13:28:09 2018 +1300

    dsdb group audit tests: check_timestamp improve diagnostics
    
    Change check_timestamp to display the expected, actual along with the
    line and name of the failing test, rather than the line in
    check_timestamp.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit e2970887140d558c6359fd9b3f8c2a4c26d2cf35)

commit 5d06550108c119c7b79e30e9a6e17d19ed63e477
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Oct 25 10:52:27 2018 +1300

    dsdb group audit: align dn_compare with memcmp
    
    Rename the parameter names and adjust the return codes from dn_compare
    so that:
    dn_compare(a, b) =>
    
    LESS_THAN means a is less than b.
    GREATER_THAN means a is greater than b.
    
    Thanks to metze for suggesting the correct semantics for dn_compare
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13664
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 8420a4d0fddd71af608635a707ef20f37fa9b627)

commit fd43fd88a8df96f8ad31159bd2ee13ef96a1d070
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue Oct 23 17:14:34 2018 +1300

    dsdb group_audit: Test to replicate BUG 13664
    
    The group audit code incorrectly logs member additions and deletions.
    
    Thanks to metze for the debugging that isolated the issue, and for
    suggesting the fix to dn_compare.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13664
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit eeb4089dafc45277d8af19073ef9348451c1836a)
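
Added example (not code from the Samba tree) for the two commits above: why the comparator's sign convention decides what the group audit log reports. It assumes the old and new member lists are sorted and diffed with a merge walk; the member names and all function names here are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* memcmp-style result: <0 if a sorts before b, 0 if equal, >0 if after. */
static int cmp_aligned(const char *a, const char *b)
{
    int r = strcmp(a, b);
    return (r > 0) - (r < 0);
}

/* Same comparison with the sign flipped (hypothetical "before" state). */
static int cmp_inverted(const char *a, const char *b)
{
    return -cmp_aligned(a, b);
}

struct audit_counts { int added; int removed; };

/* Constructed sample: alice leaves the group, carol joins, bob stays. */
static const char *const OLD_MEMBERS[] = { "CN=alice", "CN=bob" };
static const char *const NEW_MEMBERS[] = { "CN=bob", "CN=carol" };

/*
 * Merge-walk two sorted member lists and count the audit events.
 * The walk relies on cmp(a, b) < 0 meaning "a sorts before b": an old
 * entry that sorts before the current new entry cannot appear later in
 * the new list, so it must have been removed.
 */
struct audit_counts diff_members(const char *const *old_m, size_t n_old,
                                 const char *const *new_m, size_t n_new,
                                 int (*cmp)(const char *, const char *),
                                 FILE *log)
{
    struct audit_counts c = { 0, 0 };
    size_t i = 0, j = 0;

    while (i < n_old || j < n_new) {
        int r;

        if (i == n_old) {
            r = 1;              /* only new entries left */
        } else if (j == n_new) {
            r = -1;             /* only old entries left */
        } else {
            r = cmp(old_m[i], new_m[j]);
        }

        if (r == 0) {           /* present in both lists: no event */
            i++;
            j++;
        } else if (r < 0) {
            if (log) fprintf(log, "Removed %s\n", old_m[i]);
            c.removed++;
            i++;
        } else {
            if (log) fprintf(log, "Added %s\n", new_m[j]);
            c.added++;
            j++;
        }
    }
    return c;
}

int main(void)
{
    puts("memcmp-aligned comparator:");
    diff_members(OLD_MEMBERS, 2, NEW_MEMBERS, 2, cmp_aligned, stdout);
    puts("inverted comparator:");
    diff_members(OLD_MEMBERS, 2, NEW_MEMBERS, 2, cmp_inverted, stdout);
    return 0;
}
```

With the inverted comparator the unchanged member is logged as both added and removed, so the audit trail no longer reflects the actual membership change.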

commit 9b7bd1cdc3cf78efc3478333ee8da6fe6ede8a66
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Oct 15 16:02:40 2018 +1300

    dsdb encrypted_secrets: Allow "ldb://" and "mdb://" in file path
    
    Correctly handle "ldb://" and "mdb://" schemes in the file path when
    determining the path for the encrypted secrets key file.
    
    When creating a new user and specifying the local file path of the
    sam.ldb DB, it was possible to create an account that you could not
    login with. The path for the key file was incorrectly calculated
    for the "ldb://" and "mdb://" schemes, the scheme was not stripped from
    the path and the subsequent open of the key file failed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 19 09:34:46 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 7b59cd74f9f75d85b91c6ca517d0243e7f6bd2e1)

commit 0945b9babd7ac28f238b22a84b430589aab1d424
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon Oct 15 16:01:47 2018 +1300

    dsdb encrypted_secrets tests: Allow "ldb://" in file path
    
    When creating a new user and specifying the local file path of the
    sam.ldb DB, it's possible to create an account that you can't actually
    login with.
    
    This commit contains tests to verify the bug.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e1eee614ca8a3f0f5609a3d9d8ce7ae926de1f9e)

commit 19e17ff2dd687c03d28e85d031333eb9c02e458a
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed Oct 17 09:10:10 2018 +1300

    python tests Blackbox: add random_password
    
    Add the random_password method to the BlackboxTestCase class and remove
    duplicated copies from other test cases. Also use SystemRandom so that
    the generated passwords are more cryptographically sound.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b6e45fb479689cff028b1fe626533b035e313ce3)

commit c20b587a3bb2b339468fefd3f60c5ca85e1873c6
Author: Noel Power <noel.power at suse.com>
Date:   Fri Sep 28 15:14:54 2018 +0100

    ldb: Bump ldb version to 1.4.3
    
    * Python: Ensure ldb.Dn can accept utf8 encoded unicode (bug 13616)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4908da4f518fbbafe9efc514f52534b1f8d854ec
Author: Noel Power <noel.power at suse.com>
Date:   Mon Sep 24 12:20:20 2018 +0100

    lib/ldb: Ensure ldb.Dn can accept utf8 encoded unicode
    
    Additionally remove the associated known fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit cddd54e8654c94dedd57c08af1987ce03212ce20)

commit 1f7757ef4eae87fbc8c35fd2bd5ba9e3e55124ce
Author: Noel Power <noel.power at suse.com>
Date:   Mon Sep 24 14:37:50 2018 +0100

    lib/ldb/tests: add test for ldb.Dn passed utf8 unicode
    
    object dn format should be a utf8 encoded string
    Note: Currently this fails in python2 as the c python binding for
          the dn string param uses PyArg_ParseTupleAndKeywords() with 's'
          format, this will accept str *or* unicode in the default encoding.
          The default encoding in python2 is... ascii.
    
    Also adding here a knownfail to squash the error produced by the test.
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d1492ab919b19d1ca72f1d7c97ac0ca3bee13a2a)

commit 339a86a6a0c6285e34848621a338b794581ec35e
Author: Noel Power <noel.power at suse.com>
Date:   Mon Sep 24 11:28:47 2018 +0100

    lib/ldb: Test correct variable for no mem condition
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d786e1fca95395e793867278bc0408e33c19908b)

commit d88db0d481d4434d6400035a225cbcb4cba11897
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 30 15:56:43 2018 +1300

    dsdb: Add comments explaining the limitations of our current backlink behaviour
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Tim Beale <timbeale at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Oct 30 10:32:51 CET 2018 on sn-devel-144
    
    (cherry picked from commit 852e1db12b0afa04a738c03bb2609c084fe96a7f)

commit 556b2c8ecb3af36cb7adbea060ea0db30a29af60
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 24 15:33:49 2018 +0200

    s4:samldb: internally use extended dns while changing the primaryGroupID field
    
    This is important, otherwise we'll lose the <SID=> component of the
    linked attribute.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7a36cb30b716d56b84e894851c1a18e9eb3a0964)

commit c9e0e43180aa098376a66ccdee57196530cb0e70
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 15:56:18 2018 +0200

    s4:repl_meta_data: add support for DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
    
    This will be used by dbcheck in the next commits.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0386307e34097f5d9233c970983c7306d1705a87)

commit 66169416c4b3d2f64a1134dc1b3cf9937348a9af
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 18:43:25 2018 +0200

    s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_replace()
    
    This will simplify further changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1ef145d9d72d847055f6aba8a0070b3e1cfdabbc)

commit fcafbe75cd83f37d8db5523267e1e5404aee4e88
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 18:43:25 2018 +0200

    s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_delete()
    
    This will simplify further changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 738b52eb0856c8fcdbb8589e8061bcc14700c23a)

commit 8095ffec94ecd978a642fd722af87e7a2137df13
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 19:34:08 2018 +0200

    s4:repl_meta_data: add missing \n to a DEBUG message in replmd_modify_la_add()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 70a306d0bd6806d1fd00d45e3d8cc70c73d09f79)

commit 98f2319bda254b7664c80f6ceb9ef5e7b2fc8e7a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 18:43:25 2018 +0200

    s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_add()
    
    This will simplify further changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 42e69a86ca583e3cb20c63b9c6930b4b3425485d)

commit 9d760fe15528506fb1f318ca778a21215de56692
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 18:43:25 2018 +0200

    s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_handle_linked_attribs()
    
    This will simplify further changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 966c7febaf0245516481bde924ea6cd738eeb78b)

commit 2d77e4f1034831c06ab33cede55e6b14945c3b22
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 15:56:18 2018 +0200

    blackbox/dbcheck-links: Test broken links with missing <SID=...> on linked attributes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f81771c8593327e058b9cb4330d7e77083df3ea9)

commit 4da901d10cd5067c09b6b94adf2dc0bcaab7c72a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 12 15:56:18 2018 +0200

    dbchecker: Fix missing <SID=...> on linked attributes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a801799ebe26780653f4ed3fa3fc633e31871f7d)

commit ea9b694dd9a0c1b22a6b2832b3be9836d7526835
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 8 17:14:28 2018 +0200

    dbchecker: improve verbose output of do_modify()
    
    This makes it easier to debug dbcheck problems.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c5c99b569569ce36cac94e967ca53e3182abd6f7)

commit c73aca88b5357f774ab199dd0a62379eda9a7c17
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 8 17:13:52 2018 +0200

    s4:dsdb: add DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID oid
    
    This will be used to fix missing <SID=> components in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit bb9c9e49a5e82f19626cb1b12ec9189fff5114e8)

commit 3fb4c6846b9ccf116fd8ae794e4eacbf517e2251
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 16 15:16:18 2018 +0200

    testprogs/blackbox: add samba4.blackbox.test_primary_group test
    
    This demonstrates the bug, that happens when the primaryGroupID
    of a user is changed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 364ed537e0bcb3a97cae0f2d1ff72de9423ce0e6)

commit 2d682e4ced7f5041418b892b525b2cb5142f1fec
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 8 17:13:13 2018 +0200

    s4:dsdb: fix comment on DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 60131b4452d43b3792e7f27a4190c88e7aabb1b4)

commit eadd15a5a03e3994c2ebc218f6f70c2f72f63d40
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 8 15:35:52 2018 +0200

    schema_samba4.ldif: add allocation of DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
    
    This was already allocated in source4/dsdb/samdb/samdb.h with
    commit 22208f52e6096fbe9413b8ff339d9446851e0874.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0189f23f5bda263c7462366ee16b2fe4bcda0119)

commit 69fb6c1c8b37b7964a66d5d63693f22e4096eecc
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Oct 9 14:54:31 2018 +0200

    vfs_fruit: optionally delete AppleDouble files without Resourcefork data
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 3649f1a41a299b14609318ef52b44e2d53cba4b5)

commit 6a457df1fbfa32b78ad46dc93c38ab3a4fc1a493
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Oct 3 12:01:00 2018 +0200

    vfs_fruit: add option "delete_empty_adfiles"
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e00e61345ccd88022cd24e62ac29e2c56a8f6117)

commit 902202155fa73def59cb00baae5645c9df95052e
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Oct 2 16:05:28 2018 +0200

    vfs_fruit: detect empty resource forks in ad_convert()
    
    For some reason the macOS client often writes AppleDouble files with a
    non-zero sized resource fork, but the resource fork data is just
    boilerplate data with the following string close to the start
    
      This resource fork intentionally left blank
    
    A dump with apple_dump looks like this:
    
    Entry ID   : 00000002 : Resource Fork
    Offset     : 00000052 : 82
    Length     : 0000011E : 286
    
    -RAW DUMP--:  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F : (ASCII)
    00000000   : 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 1E : ................
    00000010   : 54 68 69 73 20 72 65 73 6F 75 72 63 65 20 66 6F : This resource fo
    00000020   : 72 6B 20 69 6E 74 65 6E 74 69 6F 6E 61 6C 6C 79 : rk intentionally
    00000030   : 20 6C 65 66 74 20 62 6C 61 6E 6B 20 20 20 00 00 :  left blank   ..
    00000040   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000050   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000060   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000070   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000080   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000090   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000A0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000B0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000C0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000D0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000E0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    000000F0   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
    00000100   : 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 1E : ................
    00000110   : 00 00 00 00 00 00 00 00 00 1C 00 1E FF FF       : ..............
    
    We can safely discard this Resource Fork data.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 7be979f958295474f0c0df6a4db0b5bca9a6676d)
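
Added example (not the vfs_fruit implementation): one conservative way to recognise the placeholder resource fork shown in the dump above before discarding it. It reads the first 16 bytes as four big-endian fields (data offset, map offset, data length, map length), which matches the dump; the function names and the sample buffers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFORK_HDR_LEN   16u   /* four big-endian 32-bit header fields */
#define SAMPLE_DATA_OFF 256u  /* data/map offset seen in the dump (0x100) */
#define SAMPLE_MAP_LEN  30u   /* map length seen in the dump (0x1E) */

static const char BLANK_MARKER[] = "This resource fork intentionally left blank";

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/*
 * Return 1 only if the fork is the boilerplate placeholder: the marker
 * string directly after the header, zero bytes of resource data, and a
 * map that ends exactly at the end of the fork. Anything else is kept.
 */
int rfork_is_blank(const uint8_t *rf, size_t len)
{
    const size_t mlen = sizeof(BLANK_MARKER) - 1;
    uint32_t map_off, data_len, map_len;

    if (rf == NULL || len < RFORK_HDR_LEN + mlen) {
        return 0;                       /* too short to hold the marker */
    }
    map_off  = get_be32(rf + 4);
    data_len = get_be32(rf + 8);
    map_len  = get_be32(rf + 12);

    if (data_len != 0) {
        return 0;                       /* real resource data present */
    }
    if (map_off > len || map_len != len - map_off) {
        return 0;                       /* header does not describe this buffer */
    }
    return memcmp(rf + RFORK_HDR_LEN, BLANK_MARKER, mlen) == 0;
}

/*
 * Build a constructed sample fork with the layout of the dump: header,
 * marker at offset 16, data_len bytes of data at 0x100, then a map that
 * starts with a copy of the header. Returns the fork length, 0 on error.
 */
size_t build_rfork(uint8_t *out, size_t cap, uint32_t data_len)
{
    size_t total = (size_t)SAMPLE_DATA_OFF + data_len + SAMPLE_MAP_LEN;

    if (out == NULL || total > cap) {
        return 0;
    }
    memset(out, 0, total);
    put_be32(out, SAMPLE_DATA_OFF);
    put_be32(out + 4, SAMPLE_DATA_OFF + data_len);
    put_be32(out + 8, data_len);
    put_be32(out + 12, SAMPLE_MAP_LEN);
    memcpy(out + RFORK_HDR_LEN, BLANK_MARKER, sizeof(BLANK_MARKER) - 1);
    memset(out + SAMPLE_DATA_OFF, 0xAA, data_len);
    memcpy(out + SAMPLE_DATA_OFF + data_len, out, RFORK_HDR_LEN);
    return total;
}

int main(void)
{
    uint8_t buf[512];
    size_t n;

    n = build_rfork(buf, sizeof(buf), 0);
    printf("%zu-byte placeholder fork: blank=%d\n", n, rfork_is_blank(buf, n));

    /* Same marker text, but the header says 4 bytes of data follow. */
    n = build_rfork(buf, sizeof(buf), 4);
    printf("%zu-byte fork with data:   blank=%d\n", n, rfork_is_blank(buf, n));
    return 0;
}
```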

commit 4a56be105ba9da08917b38f624a6392b8d58e9bd
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Oct 3 12:01:00 2018 +0200

    vfs_fruit: add option "wipe_intentionally_left_blank_rfork"
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2dbb2d287399e9c829a4fd4908a6dfba9fdfd7e8)

commit f8a4f9233981f5e3e674d6917e98bec9ae3399d8
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 4 14:28:15 2018 +0200

    s4:torture: add test for AppleDouble ResourceFork conversion
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 6f022e61597994bc032e61876f24150d7acb3fc2)

commit 66aaa6ae1d7e5a69fc921f8ea338d44eaa5b1367
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 4 13:47:20 2018 +0200

    s3:selftest: list vfs testsuites one per line
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit c3a1f3ec9ba2402de2a876ca06086b2d53e122f0)

commit 7b04e558fffcf338c09fa1d06dcbfa18ac2153fe
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 4 18:22:31 2018 +0200

    docs:vfs_fruit: add "delete_empty_adfiles" option
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2a9574b138f620e0a65cd61a957b99653c8dcd78)

commit e1f09ff387686c88a286804c70dfba6fb8bc7e43
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Oct 2 16:31:15 2018 +0200

    docs:vfs_fruit: add "wipe_intentionally_left_blank_rfork" option
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit f7a98094f05dd4b9abf5dc9704222aa5a07584d4)

commit bedb34a617bfd4255af6072232fb031083355bfd
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Oct 29 19:45:58 2018 +0100

    s3:winbind: Check return code of initialize_password_db()
    
    See https://retrace.fedoraproject.org/faf/reports/1577174/
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)

commit 0103f91d8b0acd58598689dbd3f8a831ab2ef02e
Author: David Mulder <dmulder at suse.com>
Date:   Wed Oct 24 10:55:02 2018 -0600

    lib:socket: If returning early, set ifaces
    
    Prevents a segfault in load_interfaces() when total interfaces == 1.
    Fixes regression caused by da68a1b2f417ec82ea4ed3e7a4d867cef8ca8f93.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13665
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Sun Oct 28 00:35:35 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 5391e21dea3168691cee1e6ef6c5959e46d62d1e)

commit 4b461cd3133d5826cd7e2017543176a35c39de3a
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Oct 19 12:15:42 2018 +0200

    vfs_fruit: remove check for number of xattrs from ad_convert_xattr
    
    Turns out that there exist AppleDouble files with an extended FinderInfo
    entry that includes the xattr marshall buffer, but the count of xattrs
    in the buffer is just zero.
    
    We do want to discard this extended FinderInfo entry and convert it to a
    simple fixed size FinderInfo entry, so remove the check.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13649
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 5d565f636fcf49fc1bbbfbc24ef730d2f7cc2cf0)

commit 40533f0552f243d5478b63b78c8bfc762701100b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 12 14:48:04 2018 -0500

    dsdb: Ensure that a DN (now) pointing at a deleted object counts for objectclass-based MUST
    
    Add the 'reveal_internals' controls when performing objectclass-based
    checks of mandatory attributes. This prevents the extended_dn DSDB
    module from suppressing attributes that point to deleted (i.e.
    non-existent/expunged) objects.
    
    This ensures that, when modifying an object (and often not even
    touching the mandatory attribute) that the fact that an attribute is a
    DN, and the DN target is deleted, that the schema check will still pass.
    
    Otherwise a fromServer pointing at a dead server can cause failures,
    i.e. you can't modify the affected object at all, because the DSDB
    thinks a mandatory attribute is missing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry picked from commit 4092b369aeeb7058d78b8d6f41dbbc6d69203ecc)

commit 24a02a31b5c2506fbbdfeec4ab773e433088a108
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Sep 28 12:35:35 2018 +1200

    tests: Add corner-case test: fromServer points to dead server
    
    The fromServer attribute is slightly unique, in that it's a DN (similar
    to a one-way link), but it is also a mandatory attribute.
    
    Currently, if fromServer gets a bad value (i.e. a dead server that has
    been expunged), the DSDB rejects any attempts to modify the associated
    nTDSConnection object (regardless of whether or not you're actually
    changing the fromServer attribute).
    
    This patch adds a test-case that demonstrates how the DB can get into
    such a state.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry picked from commit dec3eda1f74f5bf7ea91c1be3d5dfd832e9672b9)

commit 5e4e3daad5a906127c332516508ce4fc3de1ab18
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Sep 27 09:53:24 2018 +1200

    libcli: Add debug message if fail to negotiate SMB protocol
    
    Currently if the client and server can't negotiate an SMB protocol, you
    just get the following error on the client-side, which doesn't tell you
    much.
    ERROR(runtime): uncaught exception - (3221225667, 'The network responded
    incorrectly.')
    
    This patch adds a debug message to help highlight what's actually going
    wrong.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Sep 28 11:25:29 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 34cbd89fec836f5de0cb5ba3f289b1f4ae00c5d7)

commit 4b42e0ee4c19f042c27e786d28ee5465e00c8a4c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Sep 27 09:46:41 2018 +1200

    s3/smbd: Server responds incorrectly if no SMB protocol chosen
    
    The SMBnegprot response from the server contains the DialectIndex of the
    selected protocol from the client's request message. Currently, if no
    protocol is selected, the server is responding with a DialectIndex=zero,
    which is a valid index (PROTOCOL_CORE by default). The Windows spec, and
    historically the code, should return DialectIndex=0xffff if no protocol
    is chosen. The following commit changed it recently (presumably
    inadvertently), so that it now returns DialectIndex=zero.
    
    06940155f315529c5b5 s3:smbd: Fix size types in reply_negprot()
    
    This results in somewhat confusing error messages on the client side:
    ERROR(runtime): uncaught exception - (3221225997, 'The transport
    connection has been reset.')
    
    or, when signing is configured as mandatory:
    smbXcli_negprot: SMB signing is mandatory and the selected protocol
    level (1) doesn't support it.
    ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
    process has requested access to an object but has not been granted those
    access rights.')
    
    This patch restores the old behaviour of returning 0xffff.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Pair-Programmed-With: Ralph Boehme <slow at samba.org>
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 378706266496ce79c1887fe96ab3b15f56770244)

commit d3be8e21e66f98dce8c4989b01159e6099cf7ee4
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Sep 26 17:01:03 2018 +1200

    netcmd: Make sure SMB connection is signed when backing up sysvol
    
    i.e. protect the client against man-in-the-middle attacks by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0122f45f053ecc545950c31bf1fb33fba143478c)

commit db233146d55af15b09e4ca99c04e8e7c78945a04
Author: David Mulder <dmulder at suse.com>
Date:   Thu Jun 28 09:01:59 2018 -0600

    python: Allow forced signing via smb.SMB()
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4c7348e44d10ca519dd1322fd40b12c69e17a8e6)
    
    Back-ported as a dependency required for:
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621

commit 4933bc841a17bca79cbf5aac2e6baad1343ba528
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Sep 18 16:30:15 2018 +1200

    selftest: Change backup testenvs to use non-default site
    
    Previously (i.e. up until the last patch) the backup/restore commands
    only worked if the Default-First-Site-Name site was present. If this
    site didn't exist, then the various restore testenvs would fail to
    start. This is now fixed, but this patch changes the backupfrom testenv
    so that it uses a non-default site. This will detect the problem if it
    is ever re-introduced.
    
    To do this we need to change provision_ad_dc() so the
    extra_provision_options can be specified as an argument. (Note that Perl
    treats undef the same as an empty array).
    
    By default, the restore will add the new DC into the
    Default-First-Site-Name site. This means the backupfromdc and restored
    testenvs will now have different sites, so we need to update the ldapcmp
    filters to exclude site-specific attributes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 696fa6a1e6c615a992a3016ff32405b864b62eec)

commit dfc07455c2a31988012d6369107bf44efd0f8354
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Sep 18 14:54:51 2018 +1200

    netcmd: Re-create default site for backup-restore (if missing)
    
    Normally when a new DC joins a domain, samba-tool works out the new
    DC's site automatically. However, it does this by querying the existing
    DC using CLDAP. In the restore case, there is no DC running. We could
    still query the DB on disk and work out the correct site based on the
    new DC's IP, however:
    - comparing between the CN=Subnet DNs and an IP-address string seems
      like it'd be non-trivial to write, and
    - in the lab-domain rename case, chances are the user will want a
      completely different subnet to what's already in the DB.
    
    The restore command now has a --site option so the user can specify an
    appropriate site for the restored DC. This patch makes the restore
    command work by default (i.e. without a --site option) even if the
    default Default-First-Site-Name doesn't exist. Basically the solution is
    to just check Default-First-Site-Name exists and create it if it
    doesn't. As the recommended workflow is to use the restored DC as a
    temporary seed that you'll later throw away, this approach seems
    acceptable. Subsequent DCs will then be joined to the running restored
    DC, so an appropriate site will be determined using CLDAP. The only
    side-effect is potentially an extra Site object.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ce57a800c9bed7e6876cdc0baf3a2d5fdc879ecf)

commit c077dfaa6066ea0131ff50e514759fbdbba311cb
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Sep 18 17:23:48 2018 +1200

    tests: Add test-case for restore into non-default site
    
    Add a test-case that exercises the new '--site' restore option and
    ensures the restored DC gets added to the correct site.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ad69aaf7e13435111fc990954ff0bc81ed5325c5)

commit 1e7520f4e50ab369769d11b7d65a3752d6aeeda5
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Sep 17 15:36:21 2018 +1200

    netcmd: Add --site option when restoring a domain
    
    Restoring a backup only worked if the Default-First-Site-Name site was
    still present. When the new restored DC account is created, it was
    trying to add the new server's DN under CN=Default-First-Site-Name.
    However, if the original domain was set up using a different site, then
    the restore would fail because the DN didn't exist.
    
    When running the restore command, you should be able to specify the
    site that you want the new/restored DC to be in (same as during a
    DC 'join'). Passing the correct --site argument is one way to avoid
    this problem. (A subsequent patch will further improve the tool so it
    can work around non-default sites automatically).
    
    Note we also need to pass the site through to where the new DNS entries
    get registered (in the rename case).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e1f255a4d54b59924295ea875fdef62ccebb8811)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_fruit.8.xml                  |  25 +
 lib/ldb/ABI/{ldb-1.4.2.sigs => ldb-1.4.3.sigs}     |   0
 ...b-util.py3-1.4.2.sigs => pyldb-util-1.4.3.sigs} |   0
 ...il.py3-1.4.2.sigs => pyldb-util.py3-1.4.3.sigs} |   0
 lib/ldb/pyldb.c                                    |  32 +-
 lib/ldb/tests/python/api.py                        |   4 +
 lib/ldb/wscript                                    |   2 +-
 lib/socket/interfaces.c                            |   3 +-
 libcli/smb/smbXcli_base.c                          |   1 +
 python/samba/dbchecker.py                          |  45 +-
 python/samba/netcmd/domain_backup.py               |  40 +-
 python/samba/tests/__init__.py                     |  33 +-
 python/samba/tests/blackbox/bug13653.py            | 212 ++++++
 python/samba/tests/domain_backup.py                |  33 +
 python/samba/tests/samba_tool/base.py              |   7 -
 python/samba/tests/samba_tool/user.py              |   8 +-
 .../samba/tests/samba_tool/user_virtualCryptSHA.py |  18 +-
 selftest/knownfail.d/encrypted_secrets             |   6 +
 selftest/target/Samba3.pm                          |  18 +
 selftest/target/Samba4.pm                          |  15 +-
 source3/modules/vfs_fruit.c                        | 167 ++++-
 source3/selftest/tests.py                          |  12 +-
 source3/smbd/negprot.c                             |   9 +-
 source3/winbindd/winbindd.c                        |   8 +-
 source4/dsdb/pydsdb.c                              |   1 +
 source4/dsdb/samdb/ldb_modules/encrypted_secrets.c |   6 +
 source4/dsdb/samdb/ldb_modules/extended_dn_store.c |   7 +
 source4/dsdb/samdb/ldb_modules/group_audit.c       |  31 +-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c |  18 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |  11 +
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    | 269 ++++++--
 source4/dsdb/samdb/ldb_modules/samldb.c            |  41 +-
 .../ldb_modules/tests/test_encrypted_secrets.c     |   1 -
 .../samdb/ldb_modules/tests/test_group_audit.c     | 747 +++++++++++++++++++--
 source4/dsdb/samdb/ldb_modules/wscript_build       |  17 +-
 source4/dsdb/samdb/samdb.h                         |   5 +-
 source4/dsdb/tests/python/attr_from_server.py      | 150 +++++
 source4/libcli/pysmb.c                             |  10 +-
 ...eck-link-output-missing-link-sid-corruption.txt |   8 +
 source4/selftest/tests.py                          |  28 +-
 source4/setup/schema_samba4.ldif                   |   2 +
 source4/torture/vfs/fruit.c                        | 191 ++++++
 source4/torture/vfs/vfs.c                          |   1 +
 testprogs/blackbox/dbcheck-links.sh                | 110 +++
 testprogs/blackbox/ldapcmp_restoredc.sh            |   3 +
 testprogs/blackbox/test_primary_group.sh           |  90 +++
 46 files changed, 2214 insertions(+), 231 deletions(-)
 copy lib/ldb/ABI/{ldb-1.4.2.sigs => ldb-1.4.3.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.2.sigs => pyldb-util-1.4.3.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.2.sigs => pyldb-util.py3-1.4.3.sigs} (100%)
 create mode 100644 python/samba/tests/blackbox/bug13653.py
 create mode 100644 source4/dsdb/tests/python/attr_from_server.py
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
 create mode 100755 testprogs/blackbox/test_primary_group.sh


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index 2583303..e4ca7bd 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -378,6 +378,31 @@
 	    </listitem>
 	  </varlistentry>
 
+	  <varlistentry>
+	    <term>fruit:wipe_intentionally_left_blank_rfork = yes | no</term>
+	    <listitem>
+	      <para>Whether to wipe Resource Fork data that matches the special
+	      286 bytes sized placeholder blob that macOS client create on
+	      occasion. The blob contains a string <quote>This resource fork
+	      intentionally left blank</quote>, the remaining bytes being mostly
+	      zero. There being no one use of this data, it is probably safe to
+	      discard it. When this option is enabled, this module truncates the
+	      Resource Fork stream to 0 bytes.</para>
+	      <para>The default is <emphasis>no</emphasis>.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>fruit:delete_empty_adfiles = yes | no</term>
+	    <listitem>
+	      <para>Whether to delete empty AppleDouble files. Empty means that
+	      the resource fork entry in the AppleDouble files is of size 0, or
+	      the size is exactly 286 bytes and the content matches a special
+	      boilerplate resource fork created my macOS.</para>
+	      <para>The default is <emphasis>no</emphasis>.</para>
+	    </listitem>
+	  </varlistentry>
+
 	</variablelist>
 </refsect1>
 
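Review bot: The new manpage text has wording errors that will ship in the rendered documentation. In the fruit:wipe_intentionally_left_blank_rfork entry, "that macOS client create" should read "that macOS clients create" and "There being no one use of this data" presumably means "no known use"; in the fruit:delete_empty_adfiles entry, "created my macOS" should be "created by macOS". Both entries describe the same 286-byte placeholder, so it would also help to state in one of them what happens when both options are enabled, since one truncates the Resource Fork stream and the other deletes the AppleDouble file.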
diff --git a/lib/ldb/ABI/ldb-1.4.2.sigs b/lib/ldb/ABI/ldb-1.4.3.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.4.2.sigs
copy to lib/ldb/ABI/ldb-1.4.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs b/lib/ldb/ABI/pyldb-util-1.4.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
copy to lib/ldb/ABI/pyldb-util-1.4.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.4.3.sigs
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 110ec8e..a6290d9 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -857,22 +857,22 @@ static PySequenceMethods py_ldb_dn_seq = {
 
 static PyObject *py_ldb_dn_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)
 {
-	struct ldb_dn *ret;
-	char *str;
-	PyObject *py_ldb;
-	struct ldb_context *ldb_ctx;
-	TALLOC_CTX *mem_ctx;
-	PyLdbDnObject *py_ret;
+	struct ldb_dn *ret = NULL;
+	char *str = NULL;
+	PyObject *py_ldb = NULL;
+	struct ldb_context *ldb_ctx = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	PyLdbDnObject *py_ret = NULL;
 	const char * const kwnames[] = { "ldb", "dn", NULL };
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Os",
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Oes",
 					 discard_const_p(char *, kwnames),
-					 &py_ldb, &str))
-		return NULL;
+					 &py_ldb, "utf8", &str))
+		goto out;
 
 	if (!PyLdb_Check(py_ldb)) {
 		PyErr_SetString(PyExc_TypeError, "Expected Ldb");
-		return NULL;
+		goto out;
 	}
 
 	ldb_ctx = pyldb_Ldb_AsLdbContext(py_ldb);
@@ -880,24 +880,28 @@ static PyObject *py_ldb_dn_new(PyTypeObject *type, PyObject *args, PyObject *kwa
 	mem_ctx = talloc_new(NULL);
 	if (mem_ctx == NULL) {
 		PyErr_NoMemory();
-		return NULL;
+		goto out;
 	}
 
 	ret = ldb_dn_new(mem_ctx, ldb_ctx, str);
 	if (!ldb_dn_validate(ret)) {
 		talloc_free(mem_ctx);
 		PyErr_SetString(PyExc_ValueError, "unable to parse dn string");
-		return NULL;
+		goto out;
 	}
 
 	py_ret = (PyLdbDnObject *)type->tp_alloc(type, 0);
-	if (ret == NULL) {
+	if (py_ret == NULL) {
 		talloc_free(mem_ctx);
 		PyErr_NoMemory();
-		return NULL;
+		goto out;
 	}
 	py_ret->mem_ctx = mem_ctx;
 	py_ret->dn = ret;
+out:
+	if (str != NULL) {
+		PyMem_Free(discard_const_p(char, str));
+	}
 	return (PyObject *)py_ret;
 }
 
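Review bot: The error branches in this hunk still call talloc_free(mem_ctx) individually before `goto out`, so cleanup is split between the branches and the `out:` label. Consider freeing mem_ctx under `out:` when py_ret is still NULL, so an error branch added later cannot leak it. The `discard_const_p(char, str)` passed to PyMem_Free() is also unnecessary, because str is declared as a plain `char *str = NULL` at the top of the function.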
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index e401096..0a88396 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -137,6 +137,10 @@ class SimpleLdb(LdbBaseTest):
         l = ldb.Ldb(self.url(), flags=self.flags())
         self.assertEqual(len(l.search(controls=["paged_results:0:5"])), 0)
 
+    def test_utf8_ldb_Dn(self):
+        l = ldb.Ldb(self.url(), flags=self.flags())
+        dn = ldb.Dn(l, (b'a=' + b'\xc4\x85\xc4\x87\xc4\x99\xc5\x82\xc5\x84\xc3\xb3\xc5\x9b\xc5\xba\xc5\xbc').decode('utf8'))
+
     def test_search_attrs(self):
         l = ldb.Ldb(self.url(), flags=self.flags())
         self.assertEqual(len(l.search(ldb.Dn(l, ""), ldb.SCOPE_SUBTREE, "(dc=*)", ["dc"])), 0)
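Review bot: test_utf8_ldb_Dn builds the Dn but asserts nothing, so it only proves that the constructor does not raise, and the `dn` local is otherwise unused. Add an assertion on the result, for example that the string form of dn matches the decoded input, so a regression that accepts the argument but mangles the bytes is caught as well.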
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 1ea0fd9..f6c34b2 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.4.2'
+VERSION = '1.4.3'
 
 blddir = 'bin'
 
diff --git a/lib/socket/interfaces.c b/lib/socket/interfaces.c
index 168bff5..ac26b97 100644
--- a/lib/socket/interfaces.c
+++ b/lib/socket/interfaces.c
@@ -363,12 +363,13 @@ static int iface_comp(struct iface_struct *i1, struct iface_struct *i2)
    above */
 int get_interfaces(TALLOC_CTX *mem_ctx, struct iface_struct **pifaces)
 {
-	struct iface_struct *ifaces;
+	struct iface_struct *ifaces = NULL;
 	int total, i, j;
 
 	total = _get_interfaces(mem_ctx, &ifaces);
 	/* If we have an error, no interface or just one we can leave */
 	if (total <= 1) {
+		*pifaces = ifaces;
 		return total;
 	}
 
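Review bot: With `*pifaces = ifaces;` added to the early return, callers now receive a defined pointer when total <= 1, but the comment above get_interfaces() does not say so. Document that *pifaces is always written (NULL unless _get_interfaces() assigned a list), so callers know whether they own memory to free in the error, no-interface and single-interface cases.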
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index ad1b67b..d94b4d8 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4369,6 +4369,7 @@ static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
 	}
 
 	if (conn->protocol == PROTOCOL_NONE) {
+		DBG_ERR("No compatible protocol selected by server.\n");
 		tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 		return;
 	}
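Review bot: The DBG_ERR text in the PROTOCOL_NONE branch does not identify the peer, so in a log that covers several connections the message cannot be tied to a server. If a remote name is available from conn at this point, include it in the message, so that the NT_STATUS_INVALID_NETWORK_RESPONSE returned on the next line can be matched to the connection that produced it.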
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index c64fd4c..a35c407 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -60,6 +60,7 @@ class dbcheck(object):
         self.fix_all_string_dn_component_mismatch = False
         self.fix_all_GUID_dn_component_mismatch = False
         self.fix_all_SID_dn_component_mismatch = False
+        self.fix_all_SID_dn_component_missing = False
         self.fix_all_old_dn_string_component_mismatch = False
         self.fix_all_metadata = False
         self.fix_time_metadata = False
@@ -383,10 +384,11 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
 
     def do_modify(self, m, controls, msg, validate=True):
         '''perform a modify with optional verbose output'''
+        controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
         if self.verbose:
             self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+            self.report("controls: %r" % controls)
         try:
-            controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
             self.samdb.modify(m, controls=controls, validate=validate)
         except Exception as err:
             if self.in_transaction:
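Review bot: Moving `controls = controls + [...]` above the `try:` in do_modify() means a caller that passes controls=None now gets an uncaught TypeError, where previously the concatenation ran inside the try and went through the `except Exception` handling. Either normalise the argument first, e.g. `controls = list(controls or [])`, or state in the docstring that controls must be a list.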
@@ -678,6 +680,38 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                           "Failed to fix incorrect DN %s on attribute %s" % (mismatch_type, attrname)):
             self.report("Fixed incorrect DN %s on attribute %s" % (mismatch_type, attrname))
 
+    def err_dn_component_missing_target_sid(self, dn, attrname, val, dsdb_dn, target_sid_blob):
+        """handle a DN string being incorrect"""
+        self.report("ERROR: missing DN SID component for %s in object %s - %s" % (attrname, dn, val))
+
+        if len(dsdb_dn.prefix) != 0:
+            self.report("Not fixing missing DN SID on DN+BINARY or DN+STRING")
+            return
+
+        correct_dn = ldb.Dn(self.samdb, dsdb_dn.dn.extended_str())
+        correct_dn.set_extended_component("SID", target_sid_blob)
+
+        if not self.confirm_all('Change DN to %s?' % correct_dn.extended_str(),
+                                'fix_all_SID_dn_component_missing'):
+            self.report("Not fixing missing DN SID component")
+            return
+
+        target_guid_blob = correct_dn.get_extended_component("GUID")
+        guid_sid_dn = ldb.Dn(self.samdb, "")
+        guid_sid_dn.set_extended_component("GUID", target_guid_blob)
+        guid_sid_dn.set_extended_component("SID", target_sid_blob)
+
+        m = ldb.Message()
+        m.dn = dn
+        m['new_value'] = ldb.MessageElement(guid_sid_dn.extended_str(), ldb.FLAG_MOD_ADD, attrname)
+        controls = [
+            "show_recycled:1",
+            "local_oid:%s:1" % dsdb.DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
+        ]
+        if self.do_modify(m, controls,
+                          "Failed to ADD missing DN SID on attribute %s" % (attrname)):
+            self.report("Fixed missing DN SID on attribute %s" % (attrname))
+
     def err_unknown_attribute(self, obj, attrname):
         '''handle an unknown attribute error'''
         self.report("ERROR: unknown attribute '%s' in %s" % (attrname, obj.dn))
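Review bot: In err_dn_component_missing_target_sid() the result of `correct_dn.get_extended_component("GUID")` is passed straight to set_extended_component() with no check for None, although the later hunk in this file treats None as a possible return value for the SID component. Report and return if target_guid_blob is None, so the modify is never attempted with a DN that has neither string nor GUID component. The docstring "handle a DN string being incorrect" also looks copied from a neighbouring handler and should describe the missing SID case.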
@@ -1293,7 +1327,14 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                                                       res[0].dn, "GUID")
                 continue
 
-            if res[0].dn.get_extended_component("SID") != dsdb_dn.dn.get_extended_component("SID"):
+            target_sid = res[0].dn.get_extended_component("SID")
+            link_sid = dsdb_dn.dn.get_extended_component("SID")
+            if link_sid is None and target_sid is not None:
+                error_count += 1
+                self.err_dn_component_missing_target_sid(obj.dn, attrname, val,
+                                                         dsdb_dn, target_sid)
+                continue
+            if link_sid != target_sid:
                 error_count += 1
                 self.err_dn_component_target_mismatch(obj.dn, attrname, val, dsdb_dn,
                                                       res[0].dn, "SID")
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
index 5f18e81..bbc7224 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -35,7 +35,7 @@ from samba.netcmd import Option, CommandError
 from samba.dcerpc import misc, security
 from samba import Ldb
 from fsmo import cmd_fsmo_seize
-from samba.provision import make_smbconf
+from samba.provision import make_smbconf, DEFAULTSITE
 from samba.upgradehelpers import update_krbtgt_account_password
 from samba.remove_dc import remove_dc
 from samba.provision import secretsdb_self_join
@@ -45,6 +45,7 @@ from samba.provision import guess_names, determine_host_ip, determine_host_ip6
 from samba.provision.sambadns import (fill_dns_data_partitions,
                                       get_dnsadmins_sid,
                                       get_domainguid)
+from samba import sites
 
 
 # work out a SID (based on a free RID) to use when the domain gets restored.
@@ -238,7 +239,7 @@ class cmd_domain_backup_online(samba.netcmd.Command):
 
         # Grab the remote DC's sysvol files and bundle them into a tar file
         sysvol_tar = os.path.join(tmpdir, 'sysvol.tar.gz')
-        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)
+        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds, sign=True)
         backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
 
         # remove the default sysvol files created by the clone (we want to
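Review bot: The `sign=True` argument on the smb.SMB() call carries no comment, and the identical change is repeated in cmd_domain_backup_rename further down. A one-line comment that signing is forced so the sysvol contents cannot be tampered with in transit would stop it being dropped in a later refactor; a small shared helper for opening the sysvol connection would keep the two call sites from diverging.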
@@ -289,6 +290,7 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
                help="set IPv4 ipaddress"),
         Option("--host-ip6", type="string", metavar="IP6ADDRESS",
                help="set IPv6 ipaddress"),
+        Option("--site", help="Site to add the new server in", type=str),
     ]
 
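Review bot: The new `--site` Option is declared with `type=str`, while the neighbouring options in the same list use `type="string"`. Use `type="string"` here as well for consistency, and consider adding a metavar as the --host-ip6 option does.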
     takes_optiongroups = {
@@ -297,7 +299,7 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
     }
 
     def register_dns_zone(self, logger, samdb, lp, ntdsguid, host_ip,
-                          host_ip6):
+                          host_ip6, site):
         '''
         Registers the new realm's DNS objects when a renamed domain backup
         is restored.
@@ -324,7 +326,7 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
 
         # Add the DNS objects for the new realm (note: the backup clone already
         # has the root server objects, so don't add them again)
-        fill_dns_data_partitions(samdb, domainsid, names.sitename, domaindn,
+        fill_dns_data_partitions(samdb, domainsid, site, domaindn,
                                  forestdn, dnsdomain, dnsforest, hostname,
                                  host_ip, host_ip6, domainguid, ntdsguid,
                                  dnsadmins_sid, add_root=False)
@@ -354,8 +356,23 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
         chk.check_database(controls=controls, attrs=attrs)
         samdb.transaction_commit()
 
+    def create_default_site(self, samdb, logger):
+        '''Creates the default site, if it doesn't already exist'''
+
+        sitename = DEFAULTSITE
+        search_expr = "(&(cn={0})(objectclass=site))".format(sitename)
+        res = samdb.search(samdb.get_config_basedn(), scope=ldb.SCOPE_SUBTREE,
+                           expression=search_expr)
+
+        if len(res) == 0:
+            logger.info("Creating default site '{0}'".format(sitename))
+            sites.create_site(samdb, samdb.get_config_basedn(), sitename)
+
+        return sitename
+
     def run(self, sambaopts=None, credopts=None, backup_file=None,
-            targetdir=None, newservername=None, host_ip=None, host_ip6=None):
+            targetdir=None, newservername=None, host_ip=None, host_ip6=None,
+            site=None):
         if not (backup_file and os.path.exists(backup_file)):
             raise CommandError('Backup file not found.')
         if targetdir is None:
@@ -399,6 +416,13 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
         samdb_path = os.path.join(private_dir, 'sam.ldb')
         samdb = SamDB(url=samdb_path, session_info=system_session(), lp=lp)
 
+        if site is None:
+            # There's no great way to work out the correct site to add the
+            # restored DC to. By default, add it to Default-First-Site-Name,
+            # creating the site if it doesn't already exist
+            site = self.create_default_site(samdb, logger)
+            logger.info("Adding new DC to site '{0}'".format(site))
+
         # Create account using the join_add_objects function in the join object
         # We need namingContexts, account control flags, and the sid saved by
         # the backup process.
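Review bot: Only the `site is None` case is handled here; a site name supplied by the user is passed on to DCJoinContext without any visible check that the site exists in the restored DB. Consider searching for the site when --site is given and raising CommandError with a clear message if it is missing, so a typo fails early instead of partway through creating the new DC's objects.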
@@ -407,7 +431,7 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
         ncs = [str(r) for r in res[0].get('namingContexts')]
 
         creds = credopts.get_credentials(lp)
-        ctx = DCJoinContext(logger, creds=creds, lp=lp,
+        ctx = DCJoinContext(logger, creds=creds, lp=lp, site=site,
                             forced_local_samdb=samdb,
                             netbios_name=newservername)
         ctx.nc_list = ncs
@@ -445,7 +469,7 @@ class cmd_domain_backup_restore(cmd_fsmo_seize):
         # know the new DC's IP address)
         if is_rename:
             self.register_dns_zone(logger, samdb, lp, ctx.ntds_guid,
-                                   host_ip, host_ip6)
+                                   host_ip, host_ip6, site)
 
         secrets_path = os.path.join(private_dir, 'secrets.ldb')
         secrets_ldb = Ldb(secrets_path, session_info=system_session(), lp=lp)
@@ -738,7 +762,7 @@ class cmd_domain_backup_rename(samba.netcmd.Command):
         # use the old realm) backed here, as well as default files generated
         # for the new realm as part of the clone/join.
         sysvol_tar = os.path.join(tmpdir, 'sysvol.tar.gz')
-        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)
+        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds, sign=True)
         backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
 
         # connect to the local DB (making sure we use the new/renamed config)
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index f04b42b..bc336f7 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -37,15 +37,19 @@ import samba.auth
 import samba.dcerpc.base
 from samba.compat import PY3, text_type
 from random import randint
-if not PY3:
-    # Py2 only
-    try:
-        from samba.samdb import SamDB
-    except ImportError:
-        SamDB = lambda *x: None
-    import samba.ndr
-    import samba.dcerpc.dcerpc
-    import samba.dcerpc.epmapper
+from random import SystemRandom
+import string
+try:
+    from samba.samdb import SamDB
+except ImportError:
+    # We are built without samdb support,
+    # imitate it so that connect_samdb() can recover
+    def SamDB(*args, **kwargs):
+        return None
+
+import samba.ndr
+import samba.dcerpc.dcerpc
+import samba.dcerpc.epmapper
 
 try:
     from unittest import SkipTest
@@ -387,6 +391,17 @@ class BlackboxTestCase(TestCaseInTempDir):
             raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
         return stdoutdata
 
+    # Generate a random password that can be safely  passed on the command line
+    # i.e. it does not contain any shell meta characters.
+    def random_password(self, count=32):
+        password = SystemRandom().choice(string.ascii_uppercase)
+        password += SystemRandom().choice(string.digits)
+        password += SystemRandom().choice(string.ascii_lowercase)
+        password += ''.join(SystemRandom().choice(string.ascii_uppercase +
+                    string.ascii_lowercase +
+                    string.digits) for x in range(count - 3))
+        return password
+
 
 def connect_samdb(samdb_url, lp=None, session_info=None, credentials=None,
                   flags=0, ldb_options=None, ldap_only=False, global_schema=True):
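Review bot: random_password() always emits one uppercase letter, one digit and one lowercase letter before the random tail, so a call with count below 3 still returns three characters, and the comment does not explain that the fixed prefix is there to cover three character classes. Document both in the comment (or reject count < 3), and create one SystemRandom() instance at the top of the method instead of constructing a new one for every character. The comment also has a doubled space in "safely  passed".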
diff --git a/python/samba/tests/blackbox/bug13653.py b/python/samba/tests/blackbox/bug13653.py
new file mode 100644
index 0000000..6ac2389
--- /dev/null
+++ b/python/samba/tests/blackbox/bug13653.py
@@ -0,0 +1,212 @@
+# Black box tests verify bug 13653
+#
+# Copyright (C) Catalyst.Net Ltd'. 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""Blackbox test verifying bug 13653
+
+https://bugzilla.samba.org/show_bug.cgi?id=13653
+
+
+When creating a new user and specifying the local filepath of the sam.ldb DB,
+it's possible to create an account that you can't actually login with.
+
+This only happens if the DB is using encrypted secrets and you specify "ldb://"
+in the sam.ldb path, e.g. "-H ldb://st/ad_dc/private/sam.ldb".
+The user account will be created, but its secrets will not be encrypted.
+Attempts to login as the user will then be rejected due to invalid credentials.
+
+We think this may also cause replication/joins to break.
+
+You do get a warning about "No encrypted secrets key file" when this happens,
+although the reason behind this message is not obvious. Specifying a "tdb://"
+prefix, or not specifying a prefix, works fine.
+
+Example of the problem below using the ad_dc testenv.
+
+addc$ bin/samba-tool user create tdb-user pass12#
+      -H tdb://st/ad_dc/private/sam.ldb
+User 'tdb-user' created successfully
+
+# HERE: using the "ldb://" prefix generates a warning, but the user is still
+# created successfully.
+
+addc$ bin/samba-tool user create ldb-user pass12#
+      -H ldb://st/ad_dc/private/sam.ldb
+No encrypted secrets key file. Secret attributes will not be encrypted or
+decrypted
+
+User 'ldb-user' created successfully
+
+addc$ bin/samba-tool user create noprefix-user pass12#
+      -H st/ad_dc/private/sam.ldb
+User 'noprefix-user' created successfully
+
+addc$ bin/ldbsearch -H ldap://$SERVER -Utdb-user%pass12# '(cn=tdb-user)' dn
+# record 1
+dn: CN=tdb-user,CN=Users,DC=addom,DC=samba,DC=example,DC=com
+
+# Referral
+ref: ldap://addom.samba.example.com/CN=Configuration,DC=addom,DC=samba,
+     DC=example,DC=com
+


-- 
Samba Shared Repository


