[SCM] Samba Shared Repository - branch v4-8-test updated
Stefan Metzmacher
metze at samba.org
Wed Sep 5 16:33:02 UTC 2018
The branch, v4-8-test has been updated
via 3ea96a2 krb5-samba: interdomain trust uses different salt principal
via d726535 testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt
via 04fee9e testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh
via e311e6e samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords'
via 0534104 s4:selftest: test kinit with the interdomain trust user account
via d39a80c libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK
via 772600f vfs_fruit: Don't unlink the main file
via 64a9107 torture: Make sure that fruit_ftruncate only unlinks streams
via 37f8294 s3:smbd: add a comment stating that file_close_user() is redundant for SMB2
via 9fe8691 s3:smbd: let session logoff close files and tcons before deleting the session
via d36fbe9 s3:smbd: reorder tcon global record deletion and closing files of a tcon
via e667b17 selftest: add a durable handle test with delayed disconnect
via 34eeed2 s4:selftest: reformat smb2_s3only list
via 3304d86 vfs_delay_inject: adding delay to VFS calls
via a2b04c3 s4:rpc_server/netlogon: don't treat trusted domains as primary in LogonGetDomainInfo()
via 73e383f s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array
via 2e7e58a s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
via e7b4313 s4:dsdb/common: add samdb_domain_guid() helper function
via 66a0554 dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function
via 96ae85b dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info()
via b7bd12d s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo()
via 7276bdb s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL
via 91a5d38 smbd: Fix a memleak in async search ask sharemode
via 8385a0c ctdb-daemon: Log complete eventd startup command
via f3a2f0b ctdb-daemon: Do not retry connection to eventd
via 0f342d4 ctdb-daemon: Wait for eventd to be ready before connecting
via eb3d91e ctdb-daemon: Open eventd pipe earlier
via a4021fb ctdb-daemon: Improve error handling consistency
via ae515ea ctdb-event: Add support to eventd for the startup notification FD
via 0e50da4 ctdb-common: Add support for sock daemon to notify of successful startup
via b53eb6f s3: util: Do not take over stderr when there is no log file
from 1b01025 s3: smbd: Ensure get_real_filename() copes with empty pathnames.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test
- Log -----------------------------------------------------------------
commit 3ea96a259258e286284c65e840148b6a7d57a5a8
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri Feb 16 18:15:28 2018 +0200
krb5-samba: interdomain trust uses different salt principal
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($).
The salt principal for the BLA$ user object was generated wrong.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-8-test): Wed Sep 5 18:32:05 CEST 2018 on sn-devel-144
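To make the salt rule in the commit above concrete, here is an added example (my code, not Samba's) that derives the default Kerberos salt for the account types involved and shows why the wrong salt matters for AES keys; the UF_* values are the standard userAccountControl bits, and the password is a made-up sample.

```python
"""Kerberos salt derivation for the AD account types Samba handles.

Added example, not Samba's code. It reproduces the salt strings quoted in
the bug 13539 commit message and shows why the wrong salt matters: the
RFC 3962 string-to-key for AES feeds the salt into PBKDF2, so a key derived
with 'W4EDOM-L4.BASEBLA$' never matches one derived with
'W4EDOM-L4.BASEkrbtgtBLA', and a keytab built that way cannot kinit.
"""
import hashlib

# userAccountControl bits (MS-ADTS). The BLA$ object in the commit message
# has userAccountControl 2080 = 0x820 = INTERDOMAIN_TRUST | PASSWD_NOTREQD.
UF_PASSWD_NOTREQD = 0x0020
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000


def strip_dollar(name: str) -> str:
    """Drop exactly one trailing '$' (BLA$ -> BLA); other names pass through."""
    return name[:-1] if name.endswith("$") else name


def salt_principal(realm: str, sam_account_name: str, uac: int) -> tuple:
    """Principal components the password is salted with, per account type.

    interdomain trust BLA$  -> krbtgt/BLA@REALM (dollar sign dropped)
    computer account HOST$  -> host/host.realm@REALM (lowercase)
    ordinary user           -> sAMAccountName@REALM, unchanged
    """
    if uac & UF_INTERDOMAIN_TRUST_ACCOUNT:
        return ("krbtgt", strip_dollar(sam_account_name))
    if uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT):
        host = strip_dollar(sam_account_name).lower()
        return ("host", f"{host}.{realm.lower()}")
    return (sam_account_name,)


def default_salt(realm: str, components) -> str:
    """Kerberos default salt (RFC 4120 section 4): the realm followed by
    every principal component, concatenated without separators."""
    return realm + "".join(components)


def cross_realm_tgt_salt(local_realm: str, trusted_dns_domain: str) -> str:
    """Salt of the cross-realm krbtgt principal whose keys come from
    trustAuthOutgoing/trustAuthIncoming: krbtgt/BLA.BASE@W4EDOM-L4.BASE."""
    return default_salt(local_realm, ("krbtgt", trusted_dns_domain))


def aes_string_to_key_pbkdf2(password: str, salt: str,
                             iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the aes256-cts-hmac-sha1-96 string-to-key
    (RFC 3962 section 4). The final DK(tkey, "kerberos") step needs AES and
    is omitted here; it is a deterministic function of tkey, so distinct
    tkeys always give distinct long-term keys."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def compare_trust_salts(realm: str, sam_account_name: str, uac: int,
                        password: str) -> dict:
    """Contrast the salt Windows stores for a trust account with the one
    Samba used before the fix (plain realm + sAMAccountName)."""
    correct = default_salt(realm, salt_principal(realm, sam_account_name, uac))
    legacy = default_salt(realm, (sam_account_name,))
    k_correct = aes_string_to_key_pbkdf2(password, correct)
    k_legacy = aes_string_to_key_pbkdf2(password, legacy)
    return {"correct_salt": correct, "legacy_salt": legacy,
            "keys_differ": k_correct != k_legacy}


if __name__ == "__main__":
    # Constructed sample: the trust account from the commit message plus a
    # made-up trust password.
    print(compare_trust_salts("W4EDOM-L4.BASE", "BLA$", 2080, "example-trust-secret"))
```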
commit d726535d61c6c8ac52e387d500841d6bf967186d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 4 10:53:52 2018 +0200
testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt
This demonstrates the bug we currently have.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1b31fa62567ec549e32c9177b322cfbfb3b6ec1a)
commit 04fee9ebee785cd65b1ecc23c396fb3e7093484c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 4 10:38:44 2018 +0200
testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8526feb100e59bc5a15ceb940e6cecce0de59247)
commit e311e6e8076ddbf49d9a2b67eea33b19078a02d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 4 10:16:59 2018 +0200
samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords'
This might be useful for someone, but at least it's very useful for
tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 39c281a23673691bab621de1a632d64df2c1c102)
commit 0534104e0b9634cde370275da6ed0032281385d8
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri Feb 16 18:15:28 2018 +0200
s4:selftest: test kinit with the interdomain trust user account
To test it, add a blackbox test that ensures we pass a keytab-based
authentication with the trust user account for a trusted domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7df505298f71432d5adbcffccde8f97c117a57a6)
commit d39a80ce89403abf2fa8d5702cbf8332b23866a0
Author: Ralph Boehme <slow at samba.org>
Date: Thu Mar 8 17:34:08 2018 +0100
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK
The name UF_TRUST_ACCOUNT_MASK better reflects the use case and it's not
yet used.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8497d2090900b252853278f29a4aaf3bce7515da)
commit 772600feb8b913e924e22ea1a43f973887cfb139
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 15:10:31 2018 +0200
vfs_fruit: Don't unlink the main file
The original fix for bug 13441 was missing a check that verifies that
fruit_ftruncate() is actually called on a stream.
Follow-up to
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Pair-Programmed-With: Volker Lendecke <vl at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Aug 23 15:28:48 CEST 2018 on sn-devel-144
(cherry picked from commit 8c14234871820eacde46670d722a676fb5f3a46c)
commit 64a9107807a43462aa097c6cc48b211691e86ef3
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 15:11:22 2018 +0200
torture: Make sure that fruit_ftruncate only unlinks streams
Follow-up to
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c39ec64231b261fe4ada02f1f1b9aa344cf35bb5)
commit 37f8294a6336bbe1a7346264d82f8e0dd8132cb9
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 30 15:57:33 2018 +0200
s3:smbd: add a comment stating that file_close_user() is redundant for SMB2
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 1 01:26:35 CEST 2018 on sn-devel-144
(cherry picked from commit 5d95f79f604d90c2646225a0f2470f05dd71e19e)
commit 9fe8691cdae495a6b08bd5e525bd6b58e0ac93bc
Author: Ralph Boehme <slow at samba.org>
Date: Wed Aug 29 17:19:29 2018 +0200
s3:smbd: let session logoff close files and tcons before deleting the session
This avoids a race in durable handle reconnects if the reconnect comes
in while the old session is still in the tear-down phase.
The new session is supposed to rendezvous with and wait for destruction
of the old session, which is internally implemented with
dbwrap_watch_send() on the old session record.
If the old session deletes the session record before calling
file_close_user() which marks all file handles as disconnected, the
durable handle reconnect in the new session will fail as the records are
not yet marked as disconnected which is a prerequisite.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8f6edcc1645e0ed35eaec914bd0b672500ce986c)
commit d36fbe95e57fe8a044703e7eee1d7401d1baa6e0
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 30 15:50:02 2018 +0200
s3:smbd: reorder tcon global record deletion and closing files of a tcon
As such, this doesn't change overall behaviour, but in case we ever add
semantics acting on tcon record changes via an API like
dbwrap_watch_send(), this will make a difference as it enforces
ordering.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(backported from commit b70b8503faded81b10859131f08486349876d132)
commit e667b1771584b37b59ceab20cddced3615cf7b8f
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 30 19:15:19 2018 +0200
selftest: add a durable handle test with delayed disconnect
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 5508024a861e7c85e6c837552ad142aa1d5e8eca)
commit 34eeed27d1293d9fc2c0dd5067a542ceb0797540
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 31 08:28:46 2018 +0200
s4:selftest: reformat smb2_s3only list
No change besides reformatting the list to one entry per line.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3255822f75163cb38e53f634a5c6b03d46bfaff1)
commit 3304d86136e25bf1be013dfd61de1abb2c1ad7c0
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 30 17:27:08 2018 +0200
vfs_delay_inject: adding delay to VFS calls
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 44840ba5b32a2ce7959fd3d7c87822b3159416d3)
commit a2b04c3552c87d33fafa49496310abcccf7b6bfd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 28 12:52:31 2018 +0200
s4:rpc_server/netlogon: don't treat trusted domains as primary in LogonGetDomainInfo()
We need to handle trusted domains differently than our primary
domain. The most important part is that we don't return
NETR_TRUST_FLAG_PRIMARY for them.
NETR_TRUST_FLAG_{INBOUND,OUTBOUND,IN_FOREST} are the relevant flags
for trusts.
This is an example of what Windows returns in a complex trust
environment:
netr_LogonGetDomainInfo: struct netr_LogonGetDomainInfo
out: struct netr_LogonGetDomainInfo
return_authenticator : *
return_authenticator: struct netr_Authenticator
cred: struct netr_Credential
data : f48b51ff12ff8c6c
timestamp : Tue Aug 28 22:59:03 2018 CEST
info : *
info : union netr_DomainInfo(case 1)
domain_info : *
domain_info: struct netr_DomainInformation
primary_domain: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0014 (20)
size : 0x0016 (22)
string : *
string : 'W2012R2-L4'
dns_domainname: struct lsa_StringLarge
length : 0x0020 (32)
size : 0x0022 (34)
string : *
string : 'w2012r2-l4.base.'
dns_forestname: struct lsa_StringLarge
length : 0x0020 (32)
size : 0x0022 (34)
string : *
string : 'w2012r2-l4.base.'
domain_guid : 0a133c91-8eac-4df0-96ac-ede69044a38b
domain_sid : *
domain_sid : S-1-5-21-2930975464-1937418634-1288008815
trust_extension: struct netr_trust_extension_container
length : 0x0000 (0)
size : 0x0000 (0)
info : NULL
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domain_count : 0x00000006 (6)
trusted_domains : *
trusted_domains: ARRAY(6)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'FREEIPA'
dns_domainname: struct lsa_StringLarge
length : 0x0018 (24)
size : 0x001a (26)
string : *
string : 'freeipa.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : 00000000-0000-0000-0000-000000000000
domain_sid : *
domain_sid : S-1-5-21-429948374-2562621466-335716826
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 'S1-W2012-L4'
dns_domainname: struct lsa_StringLarge
length : 0x0036 (54)
size : 0x0038 (56)
string : *
string : 's1-w2012-l4.w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : afe7fbde-af82-46cf-88a2-2df6920fc33e
domain_sid : *
domain_sid : S-1-5-21-1368093395-3821428921-3924672915
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000023 (35)
1: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000004 (4)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000020 (32)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
1: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'BLA'
dns_domainname: struct lsa_StringLarge
length : 0x0010 (16)
size : 0x0012 (18)
string : *
string : 'bla.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : 00000000-0000-0000-0000-000000000000
domain_sid : *
domain_sid : S-1-5-21-4053568372-2049667917-3384589010
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x000c (12)
size : 0x000e (14)
string : *
string : 'S4XDOM'
dns_domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 's4xdom.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : 00000000-0000-0000-0000-000000000000
domain_sid : *
domain_sid : S-1-5-21-313966788-4060240134-2249344781
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000022 (34)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000008 (8)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0014 (20)
size : 0x0016 (22)
string : *
string : 'W2012R2-L4'
dns_domainname: struct lsa_StringLarge
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : 0a133c91-8eac-4df0-96ac-ede69044a38b
domain_sid : *
domain_sid : S-1-5-21-2930975464-1937418634-1288008815
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x0000001d (29)
1: NETR_TRUST_FLAG_IN_FOREST
0: NETR_TRUST_FLAG_OUTBOUND
1: NETR_TRUST_FLAG_TREEROOT
1: NETR_TRUST_FLAG_PRIMARY
1: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
trusted_domains: struct netr_OneDomainInfo
domainname: struct lsa_StringLarge
length : 0x0016 (22)
size : 0x0018 (24)
string : *
string : 'S2-W2012-L4'
dns_domainname: struct lsa_StringLarge
length : 0x004e (78)
size : 0x0050 (80)
string : *
string : 's2-w2012-l4.s1-w2012-l4.w2012r2-l4.base'
dns_forestname: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
domain_guid : 29daace6-cded-4ce3-a754-7482a4d9127c
domain_sid : *
domain_sid : S-1-5-21-167342819-981449877-2130266853
trust_extension: struct netr_trust_extension_container
length : 0x0010 (16)
size : 0x0010 (16)
info : *
info: struct netr_trust_extension
length : 0x00000008 (8)
dummy : 0x00000000 (0)
size : 0x00000008 (8)
flags : 0x00000001 (1)
1: NETR_TRUST_FLAG_IN_FOREST
0: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000001 (1)
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_long1 : 0x00000000 (0)
dummy_long2 : 0x00000000 (0)
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
lsa_policy: struct netr_LsaPolicyInformation
policy_size : 0x00000000 (0)
policy : NULL
dns_hostname: struct lsa_StringLarge
length : 0x0036 (54)
size : 0x0038 (56)
string : *
string : 'torturetest.w2012r2-l4.base'
dummy_string2: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string3: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
dummy_string4: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
workstation_flags : 0x00000003 (3)
1: NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS
1: NETR_WS_FLAG_HANDLES_SPN_UPDATE
supported_enc_types : 0x0000001f (31)
1: KERB_ENCTYPE_DES_CBC_CRC
1: KERB_ENCTYPE_DES_CBC_MD5
1: KERB_ENCTYPE_RC4_HMAC_MD5
1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
0: KERB_ENCTYPE_FAST_SUPPORTED
0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
0: KERB_ENCTYPE_CLAIMS_SUPPORTED
0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
dummy_long3 : 0x00000000 (0)
dummy_long4 : 0x00000000 (0)
result : NT_STATUS_OK
Best viewed with: git show --histogram -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2099add0657126e4a5427ec2db0fe8025478b355)
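The following is an added example (my code, not Samba's) that decodes the NETR_TRUST_FLAG bits and checks a LogonGetDomainInfo() reply for the invariant this commit enforces; the bit values are the MS-NRPC ones, the six sample entries are constructed from the Windows dump above, and the "buggy" reply is a constructed variant with PRIMARY set on every entry.

```python
"""Decode and validate trust flags in a netr_LogonGetDomainInfo() reply.

Added example, not Samba's code. NETR_TRUST_FLAG_* values are the MS-NRPC
bit values (they match the bit order ndrdump prints in the commit message).
"""
NETR_TRUST_FLAG_IN_FOREST = 0x01
NETR_TRUST_FLAG_OUTBOUND = 0x02
NETR_TRUST_FLAG_TREEROOT = 0x04
NETR_TRUST_FLAG_PRIMARY = 0x08
NETR_TRUST_FLAG_NATIVE = 0x10
NETR_TRUST_FLAG_INBOUND = 0x20
NETR_TRUST_FLAG_MIT_KRB5 = 0x40
NETR_TRUST_FLAG_AES = 0x80

FLAG_NAMES = {
    NETR_TRUST_FLAG_IN_FOREST: "NETR_TRUST_FLAG_IN_FOREST",
    NETR_TRUST_FLAG_OUTBOUND: "NETR_TRUST_FLAG_OUTBOUND",
    NETR_TRUST_FLAG_TREEROOT: "NETR_TRUST_FLAG_TREEROOT",
    NETR_TRUST_FLAG_PRIMARY: "NETR_TRUST_FLAG_PRIMARY",
    NETR_TRUST_FLAG_NATIVE: "NETR_TRUST_FLAG_NATIVE",
    NETR_TRUST_FLAG_INBOUND: "NETR_TRUST_FLAG_INBOUND",
    NETR_TRUST_FLAG_MIT_KRB5: "NETR_TRUST_FLAG_MIT_KRB5",
    NETR_TRUST_FLAG_AES: "NETR_TRUST_FLAG_AES",
}

# Constructed from the Windows dump in the commit message: name, SID,
# trust_extension flags and parent_index of each trusted_domains entry.
OUR_SID = "S-1-5-21-2930975464-1937418634-1288008815"
WINDOWS_REPLY = [
    {"name": "FREEIPA", "sid": "S-1-5-21-429948374-2562621466-335716826",
     "flags": 0x22, "parent_index": 0},
    {"name": "S1-W2012-L4", "sid": "S-1-5-21-1368093395-3821428921-3924672915",
     "flags": 0x23, "parent_index": 4},
    {"name": "BLA", "sid": "S-1-5-21-4053568372-2049667917-3384589010",
     "flags": 0x22, "parent_index": 0},
    {"name": "S4XDOM", "sid": "S-1-5-21-313966788-4060240134-2249344781",
     "flags": 0x22, "parent_index": 0},
    {"name": "W2012R2-L4", "sid": OUR_SID, "flags": 0x1d, "parent_index": 0},
    {"name": "S2-W2012-L4", "sid": "S-1-5-21-167342819-981449877-2130266853",
     "flags": 0x01, "parent_index": 1},
]


def decode_flags(value: int) -> list:
    """Names of the set bits, lowest bit first (the order ndrdump prints)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def validate_domain_info(our_sid: str, trusted_domains: list) -> list:
    """Return a list of problems; an empty list means the reply has the shape
    Windows returns: exactly one PRIMARY entry, and it is our own domain."""
    problems = []
    primaries = [d for d in trusted_domains if d["flags"] & NETR_TRUST_FLAG_PRIMARY]
    if len(primaries) != 1:
        problems.append(f"expected exactly one PRIMARY entry, got {len(primaries)}")
    for d in trusted_domains:
        f, name = d["flags"], d["name"]
        if f & NETR_TRUST_FLAG_PRIMARY:
            if d["sid"] != our_sid:
                problems.append(f"{name}: PRIMARY set on a domain that is not ours")
            if f & (NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND):
                problems.append(f"{name}: our own domain must not carry INBOUND/OUTBOUND")
        else:
            # A trust is described by IN_FOREST, INBOUND and OUTBOUND only.
            if not f & (NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_INBOUND
                        | NETR_TRUST_FLAG_OUTBOUND):
                problems.append(f"{name}: trust entry without IN_FOREST/INBOUND/OUTBOUND")
            if d["sid"] == our_sid:
                problems.append(f"{name}: our own SID listed as a trust without PRIMARY")
        if f & NETR_TRUST_FLAG_TREEROOT and not f & NETR_TRUST_FLAG_IN_FOREST:
            problems.append(f"{name}: TREEROOT without IN_FOREST")
        if f & NETR_TRUST_FLAG_IN_FOREST and not f & NETR_TRUST_FLAG_TREEROOT:
            p = d["parent_index"]
            if not 0 <= p < len(trusted_domains):
                problems.append(f"{name}: parent_index {p} out of range")
            elif not trusted_domains[p]["flags"] & NETR_TRUST_FLAG_IN_FOREST:
                problems.append(f"{name}: parent {trusted_domains[p]['name']} is not in the forest")
    return problems


def buggy_reply() -> list:
    """Constructed pre-fix shape: trusts reported with the primary domain's
    PRIMARY flag, which is exactly what the validator must reject."""
    return [dict(d, flags=d["flags"] | NETR_TRUST_FLAG_PRIMARY) for d in WINDOWS_REPLY]


if __name__ == "__main__":
    for d in WINDOWS_REPLY:
        print(f"{d['name']:12} 0x{d['flags']:02x} {decode_flags(d['flags'])}")
    print("windows reply problems:", validate_domain_info(OUR_SID, WINDOWS_REPLY))
    print("buggy reply problems:", validate_domain_info(OUR_SID, buggy_reply()))
```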
commit 73e383f212af7d17838ba18ec2811267f302fc30
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 28 16:30:17 2018 +0200
s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array
It's much safer than having uninitialized memory when we hit an error
case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ef0b489ad0d93199e08415dd895da5cfe2d1c11a)
commit 2e7e58a586b48667bb28fee12c51d1e1fb3635da
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 28 11:46:16 2018 +0200
s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
The logic for constructing the values for our own primary domain differs
from the values of trusted domains. In order to make the code easier to
understand we have a new fill_our_one_domain_info() helper that
only takes care of our primary domain.
The cleanup for the trust case will follow in a separate commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 61333f7787d78e3ec5c7bd2874d5a0f1f536275a)
commit e7b43132f7818e1a7f542190e7a7ebc11b383704
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 28 11:52:27 2018 +0200
s4:dsdb/common: add samdb_domain_guid() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e442e094240abbf79aaca00a9d1a053a200a7e8)
commit 66a055434f794210b00dd48914a0ef58c3ecb25d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 23:09:26 2018 +0100
dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function
This is similar to dsdb_trust_xref_tdo_info(), but will also work
if we ever support more than one domain in our forest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c1b0ac95db5c6112d90356c7ada8c3d445e9b668)
commit 96ae85bcc1ec0e8523f475a8060522ff120bad37
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 23:08:08 2018 +0100
dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info()
We should not overwrite it within the function.
Currently it doesn't matter as we don't have multiple domains
within our forest, but that will change in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f5f96f558b499770cdeb3d38998167a387e058b9)
commit b7bd12dd7ea98bab82cfccc19230a41426c2346d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 28 17:46:46 2018 +0200
s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo()
This makes sure we don't treat trusted domains in the same way we treat
our primary domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d5dd8fdc647d6a202c5da0451d395116c2cd92b9)
commit 7276bdb5595fdd2686cc0fde22272d6005e22626
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 3 09:55:18 2018 +0200
s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL
This is better than generating a segfault while dereferencing a NULL
pointer later.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dffc182c6943d21513d8db9f6cf66bdc09206b17)
commit 91a5d382bc0baf66a4701901a7e2096071ce1219
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 3 15:54:48 2018 +0200
smbd: Fix a memleak in async search ask sharemode
fetch_share_mode_unlocked_parser() takes a "struct
fetch_share_mode_unlocked_state *" as
"private_data". fetch_share_mode_send() used a talloc_zero'ed "struct
share_mode_lock". This led to the parser putting a "struct
share_mode_lock" on the NULL talloc_context where nobody really picked it
up.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13602
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0bd109b733fbce774feae2142d25f7e828b56bcb)
commit 8385a0c84bb71304584c3742a21998d2b07fa6c0
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Sep 3 16:12:16 2018 +1000
ctdb-daemon: Log complete eventd startup command
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 6d3d9a85e5630ba398ac953ad1515155f10224d9)
commit f3a2f0b7fbd6891ec951aa71018cc57d62976796
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Aug 27 14:53:37 2018 +1000
ctdb-daemon: Do not retry connection to eventd
Confirmation is now received from eventd that it is accepting
connections, so this is no longer needed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit b430a1ace69bcef3336907557ab5bf04271c1110)
commit 0f342d4595475e8d45cd954f040a5e9dab0a277f
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Aug 27 14:47:38 2018 +1000
ctdb-daemon: Wait for eventd to be ready before connecting
The current method of retrying the connection to eventd means that
messages get logged for each failure.
Instead, pass a pipe file descriptor to eventd and wait for it to
write 0 to the pipe to indicate that it is ready to accept client
connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 62ec1ab1470206d6a2cf300f30ca0b4a39413a38)
Signed-off-by: Martin Schwenke <martin at meltin.net>
commit eb3d91ed61ee5ab3afa862a001e0ca2db9793698
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Aug 27 14:44:24 2018 +1000
ctdb-daemon: Open eventd pipe earlier
The pipe will soon be needed earlier, so initialise it earlier.
Ensure the file descriptors are closed on error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit c446ae5e1382d5e32c33ce92243daf6b4338e15a)
commit a4021fb56d8891728ae6c4ed84f79f66d6d9ef92
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Aug 27 15:28:47 2018 +1000
ctdb-daemon: Improve error handling consistency
Other errors free argv, so do it here too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit e357b62fe556609750bdb8d27cf48dfb85c62ec8)
commit ae515ea3dbef52099535d8621b511c254fc21f86
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Aug 24 14:52:29 2018 +1000
ctdb-event: Add support to eventd for the startup notification FD
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 11ee92d1bfd73c509d90e7a7386af60a4e1a7fca)
commit 0e50da4c7ebede054a9f4cf8580e57a7a2aa0c96
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Aug 24 14:44:12 2018 +1000
ctdb-common: Add support for sock daemon to notify of successful startup
The daemon writes 0 into the specified file descriptor when it is up
and listening. This can be used to avoid loops in clients that
attempt to connect until they succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13592
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit dc6040c121c65d5551c686f3f1be2891795f48aa)
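The readiness handshake this commit message describes (the daemon writes an unsigned int 0 to an inherited pipe fd once it is listening; the parent treats EOF as "died before notifying" and silence as "hung"), as an added stand-alone C example that is not ctdb's code: wait_for_ready(), notify_ready() and simulate() are hypothetical names, and simulate() stands in for a forked daemon with a local pipe.

```c
#include <errno.h>
#include <poll.h>
#include <unistd.h>

/* Hypothetical parent-side wait (not ctdb's wait_for_daemon_startup).
 * Returns 0 when the daemon wrote the startup value 0, ETIMEDOUT if nothing
 * arrived within timeout_ms, EPIPE if the write end closed without a byte
 * (daemon died before notifying), EIO for a non-zero value, EINVAL for a
 * short read, or errno from poll()/read(). */
int wait_for_ready(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    unsigned int data = 0;
    ssize_t n;
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc == -1 && errno == EINTR);
    if (rc == 0) return ETIMEDOUT;
    if (rc == -1) return errno;

    /* a 4-byte write never exceeds PIPE_BUF, so it arrives whole */
    do {
        n = read(fd, &data, sizeof(data));
    } while (n == -1 && errno == EINTR);
    if (n == 0) return EPIPE;
    if (n == -1) return errno;
    if (n != (ssize_t)sizeof(data)) return EINVAL;
    return data == 0 ? 0 : EIO;
}

/* Daemon side: what the sock daemon does once it is listening. */
int notify_ready(int fd, unsigned int value)
{
    ssize_t n = write(fd, &value, sizeof(value));
    return n == (ssize_t)sizeof(value) ? 0 : EIO;
}

/* Constructed scenario on a local pipe instead of a real fork:
 * 0 = daemon ready, 1 = exited before notifying, 2 = hung, 3 = bad value. */
int simulate(int outcome)
{
    int fd[2], ret;

    if (pipe(fd) != 0) return errno;
    if (outcome == 0) notify_ready(fd[1], 0);
    if (outcome == 3) notify_ready(fd[1], 1);
    if (outcome != 2) close(fd[1]); /* EOF for case 1; a hung daemon keeps it open */
    ret = wait_for_ready(fd[0], 50);
    close(fd[0]);
    if (outcome == 2) close(fd[1]);
    return ret;
}
```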
commit b53eb6f62f83126c28fc8b7d55831f74a589a158
Author: Paulo Alcantara <paulo at paulo.ac>
Date: Fri Aug 17 11:30:16 2018 -0300
s3: util: Do not take over stderr when there is no log file
In case we don't have either a /var/log/samba directory, or pass a
non-existent log directory through the '-l' option, all commands that are
daemonized with the '-D' option hang when executed within a subshell.
An example of how to trigger that:
# rm -r /var/log/samba
# s=$(nmbd -D -s /etc/samba/smb.conf -l /foo123)
(never returns)
So, when the above command is executed within a subshell the following
happens:
(a) Parent shell creates a pipe, sets the write side of it to fd 1
(stdout), calls read() on the read-side fd, forks off a new child process
and then executes nmbd in it.
(b) nmbd sets up initial logging to go through fd 1 (stdout) by
calling setup_logging(..., DEBUG_DEFAULT_STDOUT). 'state.fd' is now
set to 1.
(c) reopen_logs() is called for the first time, which then calls
reopen_logs_internal()
(d) in reopen_logs_internal(), it attempts to create the log.nmbd file in
the /foo123 directory and fails because the directory doesn't exist.
(e) Regardless of whether the log file was created or not, it calls
dup2(state.fd, 2), which dups fd 1 into fd 2.
(f) At some point, fd 0 and 1 are closed and set to /dev/null
The problem with that is that the parent shell in (a) is still blocked in
the read() call and the new write side of the pipe is now fd 2 -- after
dup2() in (e) -- and remains unclosed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13578
Signed-off-by: Paulo Alcantara <palcantara at suse.de>
Reviewed-by: Jim McDonough <jmcd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Aug 18 01:32:25 CEST 2018 on sn-devel-144
(cherry picked from commit 41aa55f49233ea7682cf14e5a7062617274434ce)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 16 +-
ctdb/common/sock_daemon.c | 26 +++
ctdb/common/sock_daemon.h | 10 +
ctdb/server/ctdb_eventd.c | 8 +
ctdb/server/eventscript.c | 156 +++++++++++---
lib/krb5_wrap/krb5_samba.c | 61 ++++--
lib/krb5_wrap/krb5_samba.h | 2 +-
lib/util/debug.c | 7 +-
libds/common/flags.h | 2 +-
python/samba/netcmd/user.py | 24 +++
selftest/target/Samba3.pm | 8 +
source3/locking/share_mode_lock.c | 13 +-
source3/modules/vfs_delay_inject.c | 58 +++++
source3/modules/vfs_fruit.c | 6 +-
source3/modules/wscript_build | 7 +
source3/passdb/machine_account_secrets.c | 3 +-
.../script/tests/test_durable_handle_reconnect.sh | 21 ++
source3/selftest/tests.py | 5 +-
source3/smbd/smbXsrv_session.c | 52 +++--
source3/smbd/smbXsrv_tcon.c | 38 ++--
source3/wscript | 1 +
source4/dsdb/common/util.c | 55 +++++
source4/dsdb/common/util_trusts.c | 22 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 6 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 234 +++++++++++++++------
source4/selftest/tests.py | 9 +-
source4/torture/rpc/netlogon.c | 146 ++++++++++++-
source4/torture/smb2/durable_v2_open.c | 95 +++++++++
source4/torture/smb2/smb2.c | 2 +
source4/torture/vfs/fruit.c | 45 ++++
testprogs/blackbox/subunit.sh | 50 +++++
testprogs/blackbox/test_trust_user_account.sh | 58 +++++
32 files changed, 1063 insertions(+), 183 deletions(-)
create mode 100644 source3/modules/vfs_delay_inject.c
create mode 100755 source3/script/tests/test_durable_handle_reconnect.sh
create mode 100755 testprogs/blackbox/test_trust_user_account.sh
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 9da1aa0..d36797b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -34,6 +34,7 @@
#include "auth/kerberos/kerberos_util.h"
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"
+#include "../libds/common/flags.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -974,7 +975,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
char *salt_principal = NULL;
- bool is_computer = false;
+ uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
@@ -999,9 +1000,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
switch (cred->secure_channel_type) {
case SEC_CHAN_WKSTA:
- case SEC_CHAN_BDC:
case SEC_CHAN_RODC:
- is_computer = true;
+ uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_BDC:
+ uac_flags = UF_SERVER_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_DNS_DOMAIN:
+ uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
break;
default:
upn = cli_credentials_get_principal(cred, mem_ctx);
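Review bot: the default arm maps every secure_channel_type not listed above to UF_NORMAL_ACCOUNT, so a future SEC_CHAN_* value silently gets the user-style salt instead of a compile-time prompt to choose; consider enumerating the remaining SEC_CHAN_* values explicitly. Also worth a line in the commit message: SEC_CHAN_BDC moves out of the shared WKSTA/RODC arm to UF_SERVER_TRUST_ACCOUNT, which is still inside UF_TRUST_ACCOUNT_MASK, so its host/ salt is unchanged by this patch.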
@@ -1009,13 +1016,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
TALLOC_FREE(mem_ctx);
return ENOMEM;
}
+ uac_flags = UF_NORMAL_ACCOUNT;
break;
}
ret = smb_krb5_salt_principal(realm,
username, /* sAMAccountName */
upn, /* userPrincipalName */
- is_computer,
+ uac_flags,
mem_ctx,
&salt_principal);
if (ret) {
diff --git a/ctdb/common/sock_daemon.c b/ctdb/common/sock_daemon.c
index 7554cd6..03d3ac1 100644
--- a/ctdb/common/sock_daemon.c
+++ b/ctdb/common/sock_daemon.c
@@ -31,6 +31,7 @@
#include "lib/util/dlinklist.h"
#include "lib/util/tevent_unix.h"
#include "lib/util/become_daemon.h"
+#include "lib/util/sys_rw.h"
#include "common/logging.h"
#include "common/reqid.h"
@@ -71,6 +72,7 @@ struct sock_daemon_context {
struct pidfile_context *pid_ctx;
struct sock_socket *socket_list;
+ int startup_fd;
};
/*
@@ -483,6 +485,7 @@ int sock_daemon_setup(TALLOC_CTX *mem_ctx, const char *daemon_name,
sockd->funcs = funcs;
sockd->private_data = private_data;
+ sockd->startup_fd = -1;
ret = logging_init(sockd, logging, debug_level, daemon_name);
if (ret != 0) {
@@ -514,6 +517,11 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd,
return 0;
}
+void sock_daemon_set_startup_fd(struct sock_daemon_context *sockd, int fd)
+{
+ sockd->startup_fd = fd;
+}
+
/*
* Run socket daemon
*/
@@ -543,6 +551,7 @@ static void sock_daemon_run_socket_fail(struct tevent_req *subreq);
static void sock_daemon_run_watch_pid(struct tevent_req *subreq);
static void sock_daemon_run_wait(struct tevent_req *req);
static void sock_daemon_run_wait_done(struct tevent_req *subreq);
+static void sock_daemon_startup_notify(struct sock_daemon_context *sockd);
struct tevent_req *sock_daemon_run_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -669,6 +678,8 @@ static void sock_daemon_run_started(struct tevent_req *subreq)
return;
}
sock_daemon_run_wait(req);
+
+ sock_daemon_startup_notify(sockd);
}
static void sock_daemon_run_startup_done(struct tevent_req *subreq)
@@ -696,6 +707,8 @@ static void sock_daemon_run_startup_done(struct tevent_req *subreq)
return;
}
sock_daemon_run_wait(req);
+
+ sock_daemon_startup_notify(sockd);
}
static void sock_daemon_run_signal_handler(struct tevent_context *ev,
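Review bot: sock_daemon_startup_notify() is now called from both sock_daemon_run_started() and sock_daemon_run_startup_done(); if both can fire in one run, 0 is written to the pipe twice and the second write sits unread. If they are alternative paths (with and without a startup callback), say so in a comment, or guard with a 'notified' flag in the context so a double notification cannot happen.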
@@ -961,6 +974,19 @@ static void sock_daemon_run_wait_done(struct tevent_req *subreq)
sock_daemon_run_shutdown(req);
}
+static void sock_daemon_startup_notify(struct sock_daemon_context *sockd)
+{
+ if (sockd->startup_fd != -1) {
+ unsigned int zero = 0;
+ ssize_t num;
+
+ num = sys_write(sockd->startup_fd, &zero, sizeof(zero));
+ if (num != sizeof(zero)) {
+ D_WARNING("Failed to write zero to pipe FD\n");
+ }
+ }
+}
+
bool sock_daemon_run_recv(struct tevent_req *req, int *perr)
{
int ret;
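Review bot: on a failed sys_write() the daemon only logs D_WARNING and carries on, while the parent (ctdb_start_eventd in eventscript.c) then waits out its timeout and SIGKILLs it; treating the failure as fatal here, and logging errno with it, would fail faster and give a more useful message. Also note that startup_fd is intentionally left open after the write, because the parent keeps the read end of the same pipe for eventd_dead_handler's EOF detection; a comment saying so would stop someone "fixing" it later.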
diff --git a/ctdb/common/sock_daemon.h b/ctdb/common/sock_daemon.h
index a071833..a28f8c6 100644
--- a/ctdb/common/sock_daemon.h
+++ b/ctdb/common/sock_daemon.h
@@ -208,6 +208,16 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd,
void *private_data);
/**
+ * @brief Set file descriptor for indicating startup success
+ *
+ * On successful completion, 0 (unsigned int) will be written to the fd.
+ *
+ * @param[in] sockd Socket daemon context
+ * @param[in] fd File descriptor
+ */
+void sock_daemon_set_startup_fd(struct sock_daemon_context *sockd, int fd);
+
+/**
* @brief Async computation start to run a socket daemon
*
* @param[in] mem_ctx Talloc memory context
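Review bot: the doc comment says "On successful completion", but the value is written when the daemon is up and listening (per the commit message), not when sock_daemon_run completes; suggest "Once the daemon is listening, 0 (unsigned int) is written to fd; fd is not closed afterwards." It should also state that -1 (the default) disables the notification.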
diff --git a/ctdb/server/ctdb_eventd.c b/ctdb/server/ctdb_eventd.c
index feeac07..f79ee99 100644
--- a/ctdb/server/ctdb_eventd.c
+++ b/ctdb/server/ctdb_eventd.c
@@ -952,8 +952,10 @@ static struct {
const char *pidfile;
const char *socket;
int pid;
+ int startup_fd;
} options = {
.debug_level = "ERR",
+ .startup_fd = -1,
};
struct poptOption cmdline_options[] = {
@@ -972,6 +974,8 @@ struct poptOption cmdline_options[] = {
"eventd pid file", "FILE" },
{ "socket", 's', POPT_ARG_STRING, &options.socket, 0,
"eventd socket path", "FILE" },
+ { "startup-fd", 'S', POPT_ARG_INT, &options.startup_fd, 0,
+ "file descriptor to notify of successful start", "FD" },
POPT_TABLEEND
};
@@ -1068,6 +1072,10 @@ int main(int argc, const char **argv)
goto fail;
}
+ if (options.startup_fd != -1) {
+ sock_daemon_set_startup_fd(sockd, options.startup_fd);
+ }
+
ret = sock_daemon_run(ev, sockd,
options.pidfile, false, false, options.pid);
if (ret == EINTR) {
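Review bot: the option is accepted as any int and only -1 is treated as "unset", so a stray negative or otherwise invalid descriptor is passed straight to sock_daemon_set_startup_fd() and only surfaces as a failed write much later; a check at option parsing time, e.g. `if (options.startup_fd < -1) { /* usage error */ }` (or fcntl(fd, F_GETFD) to confirm it is open), would reject bad values up front.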
diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c
index 41807ff..157f653 100644
--- a/ctdb/server/eventscript.c
+++ b/ctdb/server/eventscript.c
@@ -142,6 +142,100 @@ static bool eventd_context_init(TALLOC_CTX *mem_ctx,
return true;
}
+struct eventd_startup_state {
+ bool done;
+ int ret;
+ int fd;
+};
+
+static void eventd_startup_timeout_handler(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t,
+ void *private_data)
+{
+ struct eventd_startup_state *state =
+ (struct eventd_startup_state *) private_data;
+
+ state->done = true;
+ state->ret = ETIMEDOUT;
+}
+
+static void eventd_startup_handler(struct tevent_context *ev,
+ struct tevent_fd *fde, uint16_t flags,
+ void *private_data)
+{
+ struct eventd_startup_state *state =
+ (struct eventd_startup_state *)private_data;
+ unsigned int data;
+ ssize_t num_read;
+
+ num_read = sys_read(state->fd, &data, sizeof(data));
+ if (num_read == sizeof(data)) {
+ if (data == 0) {
+ state->ret = 0;
+ } else {
+ state->ret = EIO;
+ }
+ } else if (num_read == 0) {
+ state->ret = EPIPE;
+ } else if (num_read == -1) {
+ state->ret = errno;
+ } else {
+ state->ret = EINVAL;
+ }
+
+ state->done = true;
+}
+
+
+static int wait_for_daemon_startup(struct tevent_context *ev,
+ int fd)
+{
+ TALLOC_CTX *mem_ctx;
+ struct tevent_timer *timer;
+ struct tevent_fd *fde;
+ struct eventd_startup_state state = {
+ .done = false,
+ .ret = 0,
+ .fd = fd,
+ };
+
+ mem_ctx = talloc_new(ev);
+ if (mem_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ timer = tevent_add_timer(ev,
+ mem_ctx,
+ tevent_timeval_current_ofs(10, 0),
+ eventd_startup_timeout_handler,
+ &state);
+ if (timer == NULL) {
+ talloc_free(mem_ctx);
+ return ENOMEM;
+ }
+
+ fde = tevent_add_fd(ev,
+ mem_ctx,
+ fd,
+ TEVENT_FD_READ,
+ eventd_startup_handler,
+ &state);
+ if (fde == NULL) {
+ talloc_free(mem_ctx);
+ return ENOMEM;
+ }
+
+ while (! state.done) {
+ tevent_loop_once(ev);
+ }
+
+ talloc_free(mem_ctx);
+
+ return state.ret;
+}
+
+
/*
* Start and stop event daemon
*/
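Review bot: wait_for_daemon_startup() calls sys_read(), but no include change for eventscript.c appears in this hunk, so please confirm lib/util/sys_rw.h is already included (sock_daemon.c needed a new include for it in this same series). The 10 second timeout reproduces the old 10 x sleep(1) loop as a magic number; a named constant would help. Finally, a short read (1 to 3 bytes) is mapped to EINVAL rather than continuing to read; that is acceptable for a pipe write of a single unsigned int (below PIPE_BUF, so atomic) but deserves a comment.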
@@ -157,7 +251,7 @@ int ctdb_start_eventd(struct ctdb_context *ctdb)
const char **argv;
int fd[2];
pid_t pid;
- int ret, i;
+ int ret;
bool status;
if (ctdb->ectx == NULL) {
@@ -175,8 +269,15 @@ int ctdb_start_eventd(struct ctdb_context *ctdb)
return -1;
}
- argv = talloc_array(ectx, const char *, 14);
+ ret = pipe(fd);
+ if (ret != 0) {
+ return -1;
+ }
+
+ argv = talloc_array(ectx, const char *, 16);
if (argv == NULL) {
+ close(fd[0]);
+ close(fd[1]);
return -1;
}
@@ -191,34 +292,35 @@ int ctdb_start_eventd(struct ctdb_context *ctdb)
argv[8] = getenv("CTDB_LOGGING");
argv[9] = "-d";
argv[10] = debug_level_to_string(DEBUGLEVEL);
+ argv[11] = "-S";
+ argv[12] = talloc_asprintf(argv, "%d", fd[1]);
if (ectx->debug_hung_script == NULL) {
- argv[11] = NULL;
- argv[12] = NULL;
+ argv[13] = NULL;
+ argv[14] = NULL;
} else {
- argv[11] = "-D";
- argv[12] = ectx->debug_hung_script;
+ argv[13] = "-D";
+ argv[14] = ectx->debug_hung_script;
}
- argv[13] = NULL;
+ argv[15] = NULL;
- if (argv[6] == NULL) {
+ if (argv[6] == NULL || argv[12] == NULL) {
+ close(fd[0]);
+ close(fd[1]);
talloc_free(argv);
return -1;
}
- DEBUG(DEBUG_NOTICE,
- ("Starting event daemon %s %s %s %s %s %s %s %s %s %s %s\n",
- argv[0], argv[1], argv[2], argv[3], argv[4], argv[5],
- argv[6], argv[7], argv[8], argv[9], argv[10]));
-
- ret = pipe(fd);
- if (ret != 0) {
- return -1;
- }
+ D_NOTICE("Starting event daemon "
+ "%s %s %s %s %s %s %s %s %s %s %s %s %s\n",
+ argv[0], argv[1], argv[2], argv[3], argv[4], argv[5],
+ argv[6], argv[7], argv[8], argv[9], argv[10],
+ argv[11], argv[12]);
pid = ctdb_fork(ctdb);
if (pid == -1) {
close(fd[0]);
close(fd[1]);
+ talloc_free(argv);
return -1;
}
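Review bot: the commit is titled "Log complete eventd startup command", but D_NOTICE still stops at argv[12]; when ectx->debug_hung_script is set, argv[13] and argv[14] ("-D" and the script path) are not logged. Either add them (argv[13] may be NULL, so handle the format accordingly) or adjust the title. The rest looks right: argv[12] is allocated off argv so it is freed with it, and every error exit now closes both pipe ends and frees argv.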
@@ -234,6 +336,14 @@ int ctdb_start_eventd(struct ctdb_context *ctdb)
talloc_free(argv);
close(fd[1]);
+ ret = wait_for_daemon_startup(ctdb->ev, fd[0]);
+ if (ret != 0) {
+ ctdb_kill(ctdb, pid, SIGKILL);
+ close(fd[0]);
+ D_ERR("Failed to initialize event daemon (%d)\n", ret);
+ return -1;
+ }
+
ectx->eventd_fde = tevent_add_fd(ctdb->ev, ectx, fd[0],
TEVENT_FD_READ,
eventd_dead_handler, ectx);
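Review bot: on startup failure the child is SIGKILLed, but no waitpid() is visible here; unless ctdb_kill() or ctdb's SIGCHLD handling reaps it, the eventd process lingers as a zombie. Also the error message prints the bare errno value; strerror(ret) would be more readable in the log.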
@@ -246,17 +356,9 @@ int ctdb_start_eventd(struct ctdb_context *ctdb)
tevent_fd_set_auto_close(ectx->eventd_fde);
ectx->eventd_pid = pid;
- /* Wait to connect to eventd */
- for (i=0; i<10; i++) {
- status = eventd_client_connect(ectx);
- if (status) {
- break;
- }
- sleep(1);
- }
-
+ status = eventd_client_connect(ectx);
if (! status) {
- DEBUG(DEBUG_ERR, ("Failed to initialize event daemon\n"));
+ DEBUG(DEBUG_ERR, ("Failed to connect to event daemon\n"));
ctdb_stop_eventd(ctdb);
return -1;
}
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 0ba8aae..73e89ea 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -24,6 +24,7 @@
#include "system/filesys.h"
#include "krb5_samba.h"
#include "lib/crypto/crypto.h"
+#include "../libds/common/flags.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -445,8 +446,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
* @param[in] userPrincipalName The userPrincipalName attribute of the object
* or NULL is not available.
*
- * @param[in] is_computer The indication of the object includes
- * objectClass=computer.
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
*
* @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
*
@@ -459,7 +459,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
int smb_krb5_salt_principal(const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
- bool is_computer,
+ uint32_t uac_flags,
TALLOC_CTX *mem_ctx,
char **_salt_principal)
{
@@ -480,6 +480,23 @@ int smb_krb5_salt_principal(const char *realm,
return EINVAL;
}
+ if (uac_flags & ~UF_ACCOUNT_TYPE_MASK) {
+ /*
+ * catch callers which still
+ * pass 'true'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+ if (uac_flags == 0) {
+ /*
+ * catch callers which still
+ * pass 'false'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
upper_realm = strupper_talloc(frame, realm);
if (upper_realm == NULL) {
TALLOC_FREE(frame);
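Review bot: the two new checks reject bits outside UF_ACCOUNT_TYPE_MASK and a zero value, but they still accept several type bits at once (e.g. UF_NORMAL_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT), in which case the later UF_TRUST_ACCOUNT_MASK / UF_INTERDOMAIN_TRUST_ACCOUNT tests decide silently. Since the doc comment asks for the UF_ACCOUNT_TYPE_MASKed field, consider also requiring exactly one bit set, e.g. `if (uac_flags & (uac_flags - 1)) { TALLOC_FREE(frame); return EINVAL; }`.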
@@ -493,7 +510,7 @@ int smb_krb5_salt_principal(const char *realm,
/*
* Determine a salting principal
*/
- if (is_computer) {
+ if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
char *tmp = NULL;
@@ -502,20 +519,32 @@ int smb_krb5_salt_principal(const char *realm,
computer_len -= 1;
}
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
- if (tmp == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
- }
+ if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ principal = talloc_asprintf(frame, "krbtgt/%*.*s",
+ computer_len, computer_len,
+ sAMAccountName);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ } else {
- principal = strlower_talloc(frame, tmp);
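Review bot: the interdomain branch builds the krbtgt/ salt from sAMAccountName as given, while the host/ branch (the else branch, which continues past the 500-line truncation) passes its result through strlower_talloc(); please state in the commit message which case is expected for the trust name, since a case mismatch changes the derived key. The length reuses computer_len computed above for the host/ case; confirm the same trailing-character trimming is right for a trust account's name.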
--
Samba Shared Repository