[SCM] Samba Shared Repository - branch v4-11-test updated

Karolin Seeger kseeger at samba.org
Wed Aug 7 12:54:03 UTC 2019


The branch, v4-11-test has been updated
       via  62e65124e9d smbd: Fix use-after-free from exit_server_common()
       via  6b4c51d0c94 WHATSNEW: Add link to 2012 Windows compatibility wiki page
       via  02352ebbef6 WHATSNEW: Make it clearer how the AD database changes will affect users
       via  97a742fe761 tests/drs_no_dns: Check dbcheck and ldapcmp pass
       via  c7a5694f4f8 tests: Add samba_upgradedns to the list of possible cmds
       via  8a09ea3c70f netcmd: Allow drs replicate --local to create partitions
       via  816053b7bba join: Use a specific attribute order for the DsAddEntry nTDSDSA object
       via  636f7dedd40 tests/ldap: Use TLDAP to check the extended DN return
       via  a1d0ce447e7 tests/tldap: Actually check the paging return code
       via  23f8a8ee71b tldap: Paged searches fail when they get to the end
       via  dd36cafdb96 tldap: Make memcpy of no controls safe
       via  b95186a5332 ldap_server: Regression in 0559430ab6e5c48d6e853fda0d8b63f2e149015c
       via  122d7afb50e WHATSNEW: document new debug encryption smb.conf param
       via  98051741ea5 WHATSNEW: add CephFS Snapshot Integration section
       via  f2c40f4d41a gp_inf: Read/write files with a UTF-16LE BOM in GptTmpl.inf
       via  29fa37b717c partition: reversing partition unlocking
       via  6877eabea8f partition: correcting lock ordering
      from  1c64a2e37b6 WHATSNEW: preview release -> release candidate

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit 62e65124e9d720d5dd27d822e7a25df24ea9f81b
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Jul 31 14:17:02 2019 +0200

    smbd: Fix use-after-free from exit_server_common()
    
    We need to keep the smbXsrv_connection structures around until all
    pending requests have had their chance to clean up behind them. If you
    look at srv_send_smb(), it's exactly prepared already to just drop
    anything on the floor when the transport has been declared dead:
    
    	if (!NT_STATUS_IS_OK(xconn->transport.status)) {
    		/*
    		 * we're not supposed to do any io
    		 */
    		return true;
    	}
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14064
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Aug  1 15:39:13 UTC 2019 on sn-devel-184
    
    (cherry picked from commit c226dc6e8a18343031829c35552e557903593daf)
    
    Autobuild-User(v4-11-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-11-test): Wed Aug  7 12:53:51 UTC 2019 on sn-devel-184

commit 6b4c51d0c94a34ccd310f4c0e470f043407659d6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 29 10:35:23 2019 +1200

    WHATSNEW: Add link to 2012 Windows compatibility wiki page
    
    There's now a lot more info on the wiki on Windows 2012 compatibility,
    and how the schema is just a small part of overall compatibility.
    Link to this wiki page from the WHATSNEW, so users can read more about
    this.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14057
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

commit 02352ebbef6dd5669cb28369a3c7e7579c796384
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 29 10:14:06 2019 +1200

    WHATSNEW: Make it clearer how the AD database changes will affect users
    
    The release notes currently just have a brief mention of a new LDB pack
    format. They don't really cover how this change will actually affect AD
    users when upgrading (or more specifically downgrading) with v4.11.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14057
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

commit 97a742fe7617d153e38aac5ad6c887c79a6e2447
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 24 14:53:33 2019 +1200

    tests/drs_no_dns: Check dbcheck and ldapcmp pass
    
    When joining a DC without DNS partitions, make sure that the alternate
    flow of creating them afterwards results in a database with everything
    that is necessary.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
    RN: Allow a DC join without DNS partitions, to add them later
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 35c54007e6183829d9d85a24b3bd95f469739ad3)

commit c7a5694f4f81676f89969464645c9ff021680eb2
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 24 15:13:43 2019 +1200

    tests: Add samba_upgradedns to the list of possible cmds
    
    This will be used to test the replication scenario with no DNS partitions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7d2875bd70cf727730be8dc705bfd01eacaaaa6f)

commit 8a09ea3c70f95a577ed42123ebe8d3ab26f2c39d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 24 15:18:40 2019 +1200

    netcmd: Allow drs replicate --local to create partitions
    
    Currently, neither the offline (--local) nor online (normal replica sync)
    methods allow partition creation post-join. This overrides the Python
    default to not create the DB, which allows TDB + MDB to work.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d90ccce59754bc833027c06683afac25f7a8d474)

commit 816053b7bba894aa217a895925621801f0d17681
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jul 24 11:00:01 2019 +1200

    join: Use a specific attribute order for the DsAddEntry nTDSDSA object
    
    Joining a Windows domain can throw an error if the HasMasterNCs
    attribute occurs before msDS-HasMasterNCs. This patch changes the
    attribute order so that msDS-HasMasterNCs is always first.
    
    Previously on python2, the dictionary hash order was arbitrary but
    constant. By luck, msDS-HasMasterNCs was always before HasMasterNCs, so
    we never noticed any problem. With python3, the dictionary hash order
    now changes every time you run the command, so the order is
    unpredictable.
    
    To enforce an order, we can change to use an OrderedDict, which will
    return the keys in the order they're added.
    
    I've asked Microsoft to clarify the protocol requirement here WRT
    attribute order. However, in the meantime we may as well fix the problem
    for users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14046
    RN: When trying to join a Windows domain (with functional level 2008R2)
    as an AD domain controller, the 'samba-tool domain join' command could
    throw a python exception: 'RuntimeError ("DsAddEntry failed")'. When
    this problem occurred, you would also see the message "DsAddEntry failed
    with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')"
    in the command output. This issue has now been resolved. Note that this
    problem would only occur on Samba v4.10 when using the Python3 packages.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Jul 24 04:18:21 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 256684c7a86301d26d6cf7298fb70e647bf45cf5)

commit 636f7dedd40d1f357d0b0799496fabeb82e73450
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 31 01:14:42 2019 +0000

    tests/ldap: Use TLDAP to check the extended DN return
    
    Tests commit 9f6b87d3f6cc9930d75c1f8d38ad4f5a37da34ab
    
    To run: make test TESTS="samba3.smbtorture_s3.plain.TLDAP"
    
    Reverting the above commit makes this test fail:
    
    'GUID format in control (no hyphens) doesn't match output
    tldap_search with extended dn (no val) failed: LDAP error 0 (TLDAP_SUCCESS),
    TEST TLDAP FAILED!'
    
    This behaviour couldn't be tested via LDB libraries because they never
    deal with the underlying DN string.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Aug  1 06:20:28 UTC 2019 on sn-devel-184
    
    (adapted from commit 464fef34d1d047d73be347cd446b74e0f5eb2370)

commit a1d0ce447e782b88386189969afa46f2dc4ed43a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 31 15:29:07 2019 +1200

    tests/tldap: Actually check the paging return code
    
    The test never worked correctly because the code was overlooked. It was
    also the case that the connection was never authenticated, and so an
    LDAP BIND call has now been added.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
    (cherry picked from commit 85a7b594c56f7729bdfa194fee9299a08f6b4785)

commit 23f8a8ee71b6aa2b88174e5d9556508ae48e733e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 31 13:39:13 2019 +1200

    tldap: Paged searches fail when they get to the end
    
    The normal case hit the goto label, and should have just returned.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
    (cherry picked from commit bff466943e01540b4d3210392e0fd5b1c882c0b9)

commit dd36cafdb96e37eb8ee6b55feb3233dc07558b41
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jul 31 01:08:23 2019 +0000

    tldap: Make memcpy of no controls safe
    
    Static analyzers sometimes complain about this case.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
    (cherry picked from commit e5452a37425484a95f90604a3e58e8a731460793)

commit b95186a533201b8eeeb49a073e65e60a3a57bf75
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jul 8 16:59:33 2019 +1200

    ldap_server: Regression in 0559430ab6e5c48d6e853fda0d8b63f2e149015c
    
    Extended DN requests seem to have been incorrectly handled.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Gary Lockyer <gary at samba.org>
    Autobuild-Date(master): Thu Jul 11 05:25:26 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 9f6b87d3f6cc9930d75c1f8d38ad4f5a37da34ab)

commit 122d7afb50e7d9b67954979b38d4f1b168dfde97
Author: Aurelien Aptel <aaptel at suse.com>
Date:   Tue Jul 9 23:55:30 2019 +0200

    WHATSNEW: document new debug encryption smb.conf param
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14039
    
    Signed-off-by: Aurelien Aptel <aaptel at suse.com>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit 98051741ea5069b0e6fb7274cd1959460c7f95a1
Author: David Disseldorp <ddiss at samba.org>
Date:   Mon Jul 8 13:42:50 2019 +0200

    WHATSNEW: add CephFS Snapshot Integration section
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14039
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Aurelien Aptel <aaptel at suse.com>

commit f2c40f4d41a4729bf31534ce34261d70c5dd0071
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jul 18 14:50:57 2019 +1200

    gp_inf: Read/write files with a UTF-16LE BOM in GptTmpl.inf
    
    Regression caused by 16596842a62bec0a9d974c48d64000e3c079254e
    
    [MS-GPSB] 2.2 Message Syntax says that you have to write a BOM which I
    didn't do up until this patch. UTF-16 as input encoding was marked much
    higher up in the inheritance tree, which got overridden with the Python 3
    fixes. I've now marked the encoding much more obviously for this file.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14004
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Gary Lockyer <gary at samba.org>
    Autobuild-Date(master): Fri Jul 19 02:20:47 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 0bcfc550b1a902e3a6a766b06603ac9285d0ff63)
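As an added illustration of the BOM handling this commit describes (this is not Samba code; GptTmplInfParser lives in python/samba/gp_parse/gp_inf.py and is not imported here), the block below reads with the BOM-detecting 'utf-16' codec, writes 'utf-16le' with an explicit BOM as [MS-GPSB] 2.2 requires, and shows the failure mode the fix addresses: decoding a BOM-prefixed file with a fixed-endian codec leaves U+FEFF glued to the first section header, so that section silently vanishes. It goes slightly beyond the commit by also accepting a big-endian BOM on input. The sample file content and the minimal INI-style parser are constructed for the example, not Samba's.

```python
import codecs

# Constructed sample, not taken from any real policy: the opening of a
# GptTmpl.inf-style file. [MS-GPSB] stores these as UTF-16 text.
SAMPLE_TEXT = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Version]\r\n"
    'signature="$CHICAGO$"\r\n'
    "Revision=1\r\n"
    "[System Access]\r\n"
    "MinimumPasswordLength=14\r\n"
)


def encode_gpttmpl(text):
    """Serialise as UTF-16LE with an explicit byte-order mark.

    [MS-GPSB] 2.2 requires the BOM; encoding with 'utf-16le' alone never
    emits one, so it is prepended by hand (2 bytes: FF FE).
    """
    return codecs.BOM_UTF16_LE + text.encode("utf-16le")


def decode_gpttmpl(data):
    """Decode with the BOM-aware 'utf-16' codec.

    The BOM selects the byte order and is consumed, so the returned text
    starts at the first real character. A big-endian BOM decodes correctly
    too. A file with no BOM falls back to the host's native byte order,
    which is the caveat with BOM-less legacy files.
    """
    return data.decode("utf-16")


def has_utf16_bom(data):
    """True if the file starts with either UTF-16 byte-order mark."""
    return data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)


def parse_sections(text):
    """Minimal INI-style parser: {section: {key: value}} (constructed stand-in).

    Lines before the first '[section]' header are ignored, which is how a
    stray U+FEFF glued to the first header makes a whole section disappear.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()          # str.strip() does not remove U+FEFF
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def naive_decode_keeps_bom(data):
    """The failure mode: a fixed-endian 'utf-16le' decode of a BOM-prefixed
    file keeps U+FEFF as text. Returns (bom_left_in_text, parsed_sections)."""
    text = data.decode("utf-16le")
    return text[0] == "\ufeff", parse_sections(text)


def roundtrip(data):
    """Read and write back: output is UTF-16LE with exactly one BOM."""
    return encode_gpttmpl(decode_gpttmpl(data))


if __name__ == "__main__":
    blob = encode_gpttmpl(SAMPLE_TEXT)
    print("BOM present:", has_utf16_bom(blob), "size:", len(blob))
    print(parse_sections(decode_gpttmpl(blob)))
    kept_bom, broken = naive_decode_keeps_bom(blob)
    print("naive utf-16le decode kept BOM:", kept_bom, "sections:", sorted(broken))
```

The two-byte size growth of the encoded file is the same effect visible in the summary of changes for GptTmpl.inf.SAMBABACKUP (2580 -> 2582 bytes).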

commit 29fa37b717cc83080ed9eb50345370b8f40d7ce7
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 15 13:32:41 2019 +1200

    partition: reversing partition unlocking
    
    Unlock partition databases in the reverse order from which they were
    acquired. This is separated from the previous commit for future
    bisecting purposes, since the last commit was made to fix specific CI
    failures, while this one is a speculative fix made based on code
    inspection.
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6c691bf84e41b1edd3228c219f7a94e108795d28)

commit 6877eabea8f34e49b2ccec3ac1793600b8a0475e
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Thu Jul 11 17:12:06 2019 +1200

    partition: correcting lock ordering
    
    A schema reading bug was traced to a lock ordering issue in partition.c.
    This patch fixes the problem by:
    1. Releasing locks/transactions in the order they were acquired.
    2. Always lock/start_trans on metadata.tdb first, before any other
    databases, and release it last, after all others. This is so that we are
    never exposed to MDB's lock semantics, which we don't support.
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7f4bc0ea81f2b34607849911f1271b030be8ca02)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  41 +++-
 python/samba/gp_parse/gp_inf.py                    |   9 +-
 python/samba/join.py                               |  23 +-
 python/samba/netcmd/drs.py                         |   4 +-
 python/samba/tests/__init__.py                     |   1 +
 source3/lib/tldap_util.c                           |   7 +-
 source3/smbd/server_exit.c                         |  22 +-
 source3/torture/torture.c                          | 178 ++++++++++++++
 source4/dsdb/samdb/ldb_modules/partition.c         | 260 ++++++++++++---------
 source4/ldap_server/ldap_backend.c                 |   1 +
 .../Windows NT/SecEdit/GptTmpl.inf.SAMBABACKUP     | Bin 2580 -> 2582 bytes
 source4/selftest/tests.py                          |   7 +
 .../torture/drs/python/samba_tool_drs_no_dns.py    | 183 +++++++++++++++
 13 files changed, 610 insertions(+), 126 deletions(-)
 create mode 100644 source4/torture/drs/python/samba_tool_drs_no_dns.py


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b07e9eba778..3276d884f3a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,6 +12,32 @@ Samba 4.11 will be the next version of the Samba suite.
 UPGRADING
 =========
 
+AD Database compatibility
+-------------------------
+
+Samba v4.11 has changed how the AD database is stored on disk. AD users should
+not really be affected by this change when upgrading to v4.11. However, AD
+users should be extremely careful if they need to downgrade from Samba v4.11 to
+an older release.
+
+Samba v4.11 maintains database compatibility with older Samba releases. The
+database will automatically get rewritten in the new v4.11 format when you
+first start the upgraded samba executable.
+
+However, when downgrading from v4.11 you will need to manually downgrade the AD
+database yourself. Note that you will need to do this step before you install
+the downgraded Samba packages. For more details, see:
+https://wiki.samba.org/index.php/Downgrading_an_Active_Directory_DC
+
+When either upgrading or downgrading, users should also avoid making any
+database modifications between installing the new Samba packages and starting
+the samba executable.
+
+Note that when moving between major Samba releases in general, we recommend
+that the AD DC is rejoined to the domain. Using this approach avoids the need
+to explicitly downgrade the database manually. For more details, see:
+https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
+
 SMB1 is disabled by default
 ---------------------------
 
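Review bot: the sentences "Samba v4.11 maintains database compatibility with older Samba releases" and "when downgrading from v4.11 you will need to manually downgrade the AD database yourself" read as contradictory unless the compatibility is stated as one-directional; suggest "Samba v4.11 can read databases written by older releases, but older releases cannot read the v4.11 format". The hedge "AD users should not really be affected" in the first paragraph should either become "are not affected when upgrading" or name the exception it is hedging for.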
@@ -59,8 +85,8 @@ worker processes at startup and share the client connections amongst these
 workers. The number of worker processes can be configured by the 'prefork
 children' setting in the smb.conf (the default is 4).
 
-Authentication Logging.
------------------------
+Authentication Logging
+----------------------
 
 Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
 been added to the Authentication JSON log messages.  This contains a random
@@ -116,6 +142,10 @@ Samba's replication code has also been improved to handle replication
 with the 2012 schema (the core of this replication fix has also been
 backported to 4.9.11 and will be in a 4.10.x release).
 
+For more about how the AD schema relates to overall Windows compatibility,
+please read:
+https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
+
 GnuTLS 3.2 required
 -------------------
 
@@ -254,6 +284,12 @@ CTDB changes
   swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
   script configuration variable.
 
+CephFS Snapshot Integration
+---------------------------
+
+CephFS snapshots can now be exposed as previous file versions using the new
+ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
+
 
 REMOVED FEATURES
 ================
@@ -306,6 +342,7 @@ smb.conf changes
   mangled names                      Changed default            illegal
   web port                           Removed
   fruit:zero_file_id                 Changed default            False
+  debug encryption                   New: dump encryption keys  False
 
 
 KNOWN ISSUES
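Review bot: the one-line table entry "debug encryption  New: dump encryption keys  False" is the only mention in WHATSNEW of an option that writes encryption keys into the debug log, and a parameter that exposes key material deserves a sentence in the prose section stating that it is for protocol debugging only, that the resulting log contains secrets sufficient to decrypt the captured traffic it relates to, and that it must stay at its default in production. Also consider "dump encryption keys to the debug log" so the description says where the keys end up.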
diff --git a/python/samba/gp_parse/gp_inf.py b/python/samba/gp_parse/gp_inf.py
index 79e28159f1f..a3c828fa82d 100644
--- a/python/samba/gp_parse/gp_inf.py
+++ b/python/samba/gp_parse/gp_inf.py
@@ -29,11 +29,11 @@ from samba.gp_parse import GPParser
 # [MS-GPSB] Security Protocol Extension
 class GptTmplInfParser(GPParser):
     sections = None
-    encoding = 'utf-16le'
+    encoding = 'utf-16'
+    output_encoding = 'utf-16le'
 
     class AbstractParam:
         __metaclass__ = ABCMeta
-        encoding = 'utf-16le'
 
         def __init__(self):
             self.param_list = []
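Review bot: decoding with 'utf-16' relies on the BOM being present; a GptTmpl.inf written by the previous code (utf-16le, no BOM) makes the 'utf-16' codec fall back to the host's native byte order, which is right on little-endian machines but misdecodes on big-endian ones. Worth a comment next to `encoding = 'utf-16'`, or a fallback that retries with 'utf-16le' when the first two bytes are not a BOM. Also confirm that no AbstractParam subclass still reads `self.encoding` now that the class attribute has been removed from AbstractParam.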
@@ -333,7 +333,10 @@ class GptTmplInfParser(GPParser):
 
     def write_binary(self, filename):
         with codecs.open(filename, 'wb+',
-                         self.encoding) as f:
+                         self.output_encoding) as f:
+            # Write the byte-order mark
+            f.write(u'\ufeff')
+
             for s in self.sections:
                 self.sections[s].write_section(s, f)
 
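Review bot: the explicit BOM write matches [MS-GPSB] 2.2, and the 2580 -> 2582 byte change to GptTmpl.inf.SAMBABACKUP in the summary of changes is consistent with exactly one 2-byte BOM being added. A round-trip test (parse a BOM-prefixed file, write it back, compare bytes) would pin this down so a later codec change cannot reintroduce a missing or doubled BOM; note that the read side must keep consuming the BOM ('utf-16'), otherwise U+FEFF from the input would be written back after the explicit `f.write(u'\ufeff')`.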
diff --git a/python/samba/join.py b/python/samba/join.py
index ac4346c62a3..40920f4f8e5 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -48,6 +48,7 @@ import time
 import re
 import os
 import tempfile
+from collections import OrderedDict
 from samba.compat import text_type
 from samba.compat import get_string
 from samba.netcmd import CommandError
@@ -555,11 +556,14 @@ class DCJoinContext(object):
         '''return the ntdsdsa object to add'''
 
         print("Adding %s" % ctx.ntds_dn)
-        rec = {
-            "dn": ctx.ntds_dn,
-            "objectclass": "nTDSDSA",
-            "systemFlags": str(samba.dsdb.SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE),
-            "dMDLocation": ctx.schema_dn}
+
+        # When joining Windows, the order of certain attributes (mostly only
+        # msDS-HasMasterNCs and HasMasterNCs) seems to matter
+        rec = OrderedDict([
+            ("dn", ctx.ntds_dn),
+            ("objectclass", "nTDSDSA"),
+            ("systemFlags", str(samba.dsdb.SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE)),
+            ("dMDLocation", ctx.schema_dn)])
 
         nc_list = [ctx.base_dn, ctx.config_dn, ctx.schema_dn]
 
@@ -575,12 +579,17 @@ class DCJoinContext(object):
             rec["options"] = "37"
         else:
             rec["objectCategory"] = "CN=NTDS-DSA,%s" % ctx.schema_dn
+
+            # Note that Windows seems to have an undocumented requirement that
+            # the msDS-HasMasterNCs attribute occurs before HasMasterNCs
+            if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
+                rec["msDS-HasMasterNCs"] = ctx.full_nc_list
+
             rec["HasMasterNCs"]      = []
             for nc in nc_list:
                 if nc in ctx.full_nc_list:
                     rec["HasMasterNCs"].append(nc)
-            if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
-                rec["msDS-HasMasterNCs"] = ctx.full_nc_list
+
             rec["options"] = "1"
             rec["invocationId"] = ndr_pack(ctx.invocation_id)
 
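Review bot: the move places msDS-HasMasterNCs before HasMasterNCs as the commit message intends, and the `behavior_version` condition is unchanged, so behaviour at pre-2003 functional levels is identical. Two style points: the alignment spaces in `rec["HasMasterNCs"]      = []` are a leftover, and since insertion order now carries protocol meaning, a comment at the OrderedDict construction naming bug 14046 would stop a future refactor from converting `rec` back to a plain dict or reordering the keys.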
diff --git a/python/samba/netcmd/drs.py b/python/samba/netcmd/drs.py
index 739498cca1b..9d6e8087e87 100644
--- a/python/samba/netcmd/drs.py
+++ b/python/samba/netcmd/drs.py
@@ -449,8 +449,10 @@ class cmd_drs_replicate(Command):
         self.server = SOURCE_DC
         drsuapi_connect(self)
 
+        # Override the default flag LDB_FLG_DONT_CREATE_DB
         self.local_samdb = SamDB(session_info=system_session(), url=None,
-                                 credentials=self.creds, lp=self.lp)
+                                 credentials=self.creds, lp=self.lp,
+                                 flags=0)
 
         self.samdb = SamDB(url="ldap://%s" % self.server,
                            session_info=system_session(),
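Review bot: `flags=0` does more than clear LDB_FLG_DONT_CREATE_DB; it replaces whatever default flag set SamDB would otherwise apply, so if SamDB adds any other default flag it is dropped here as well. If the intent is only to permit partition creation for `--local`, consider passing the defaults with LDB_FLG_DONT_CREATE_DB masked out, or extend the comment to say that all default flags are intentionally cleared for the local offline database.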
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index c5c212ef829..fef21d261ca 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -404,6 +404,7 @@ class BlackboxTestCase(TestCaseInTempDir):
 
         python_cmds = ["samba-tool",
             "samba_dnsupdate",
+            "samba_upgradedns",
             "script/traffic_replay",
             "script/traffic_learner"]
 
diff --git a/source3/lib/tldap_util.c b/source3/lib/tldap_util.c
index 152942dab2c..1b86962a32e 100644
--- a/source3/lib/tldap_util.c
+++ b/source3/lib/tldap_util.c
@@ -588,7 +588,9 @@ struct tldap_control *tldap_add_control(TALLOC_CTX *mem_ctx,
 	if (result == NULL) {
 		return NULL;
 	}
-	memcpy(result, ctrls, sizeof(struct tldap_control) * num_ctrls);
+	if (num_ctrls > 0) {
+		memcpy(result, ctrls, sizeof(struct tldap_control) * num_ctrls);
+	}
 	result[num_ctrls] = *ctrl;
 	return result;
 }
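Review bot: the guard is a real fix rather than analyzer appeasement: memcpy with a size of 0 is still undefined behaviour when `ctrls` is NULL, which is exactly the "no controls" case. Confirm that the allocation of `result` above this hunk sizes for `num_ctrls + 1` elements, since `result[num_ctrls] = *ctrl` writes one past the copied range.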
@@ -808,7 +810,8 @@ static void tldap_search_paged_done(struct tevent_req *subreq)
 	}
 	tevent_req_set_callback(subreq, tldap_search_paged_done, req);
 
-  err:
+	return;
+err:
 
 	TALLOC_FREE(asn1);
 	tevent_req_ldap_error(req, TLDAP_DECODING_ERROR);
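Review bot: the added `return;` fixes the fall-through that made every successfully received page run into the error path and report TLDAP_DECODING_ERROR, matching the commit message. Check the success path for `asn1`: after this change `TALLOC_FREE(asn1)` only runs under `err:`, so if `asn1` is allocated in this function it now lives until its talloc parent is freed; if that parent is the request state this is fine, otherwise free it before the new `return;`.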
diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c
index 2378c0c15ca..b21501a7a23 100644
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -91,7 +91,6 @@ static void exit_server_common(enum server_exit_reason how,
 {
 	struct smbXsrv_client *client = global_smbXsrv_client;
 	struct smbXsrv_connection *xconn = NULL;
-	struct smbXsrv_connection *xconn_next = NULL;
 	struct smbd_server_connection *sconn = NULL;
 	struct messaging_context *msg_ctx = global_messaging_context();
 
@@ -110,10 +109,7 @@ static void exit_server_common(enum server_exit_reason how,
 	/*
 	 * Here we typically have just one connection
 	 */
-	for (; xconn != NULL; xconn = xconn_next) {
-		xconn_next = xconn->next;
-		DLIST_REMOVE(client->connections, xconn);
-
+	for (; xconn != NULL; xconn = xconn->next) {
 		/*
 		 * This is typically the disconnect for the only
 		 * (or with multi-channel last) connection of the client
@@ -128,8 +124,6 @@ static void exit_server_common(enum server_exit_reason how,
 				break;
 			}
 		}
-
-		TALLOC_FREE(xconn);
 		DO_PROFILE_INC(disconnect);
 	}
 
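Review bot: dropping `TALLOC_FREE(xconn)` (and the DLIST_REMOVE in the previous hunk) from this loop is the core of the use-after-free fix: the connections now outlive the teardown of pending requests, and the commit message relies on srv_send_smb() refusing I/O once `xconn->transport.status` is not NT_STATUS_OK. That only holds if every connection in `client->connections` has had its transport status marked as failed before this point; a comment stating that invariant here, or an assertion on it, would make the dependency explicit for the next person who touches this loop.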
@@ -172,6 +166,20 @@ static void exit_server_common(enum server_exit_reason how,
 
 	change_to_root_user();
 
+	if (client != NULL) {
+		struct smbXsrv_connection *xconn_next = NULL;
+
+		for (xconn = client->connections;
+		     xconn != NULL;
+		     xconn = xconn_next) {
+			xconn_next = xconn->next;
+			DLIST_REMOVE(client->connections, xconn);
+			TALLOC_FREE(xconn);
+		}
+	}
+
+	change_to_root_user();
+
 	/* 3 second timeout. */
 	print_notify_send_messages(msg_ctx, 3);
 
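Review bot: `change_to_root_user();` now appears twice in a row, the existing call just before the new block and the new one just after it; the second looks like a copy-and-paste leftover and can be dropped. The deferred free loop itself is correct: it caches `xconn->next` before `DLIST_REMOVE` and `TALLOC_FREE`, so freeing a connection does not invalidate the iterator.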
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 2cb32efea46..f26c634b7a7 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -26,6 +26,7 @@
 #include "libcli/security/security.h"
 #include "tldap.h"
 #include "tldap_util.h"
+#include "tldap_gensec_bind.h"
 #include "../librpc/gen_ndr/svcctl.h"
 #include "../lib/util/memcache.h"
 #include "nsswitch/winbind_client.h"
@@ -45,6 +46,9 @@
 #include "lib/util/base64.h"
 #include "lib/util/time.h"
 #include "lib/gencache.h"
+#include "lib/util/asn1.h"
+#include "lib/param/param.h"
+#include "auth/gensec/gensec.h"
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -11286,6 +11290,8 @@ static bool run_shortname_test(int dummy)
 	return correct;
 }
 
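Review bot: `TLDAPRC callback_code;` is a non-static global in torture.c; make it `static` so it is not exported and cannot collide with a symbol in another translation unit. A one-line comment that it carries the failure code out of pagedsearch_cb() into run_tldap() would also help, since the assignment and the read are far apart.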
+TLDAPRC callback_code;
+
 static void pagedsearch_cb(struct tevent_req *req)
 {
 	TLDAPRC rc;
@@ -11296,6 +11302,7 @@ static void pagedsearch_cb(struct tevent_req *req)
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
 		d_printf("tldap_search_paged_recv failed: %s\n",
 			 tldap_rc2string(rc));
+		callback_code = rc;
 		return;
 	}
 	if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
@@ -11310,6 +11317,134 @@ static void pagedsearch_cb(struct tevent_req *req)
 	TALLOC_FREE(msg);
 }
 
+enum tldap_extended_val {
+	EXTENDED_ZERO = 0,
+	EXTENDED_ONE = 1,
+	EXTENDED_NONE = 2,
+};
+
+/*
+ * Construct an extended dn control with either no value, 0 or 1
+ *
+ * No value and 0 are equivalent (non-hyphenated GUID)
+ * 1 has the hyphenated GUID
+ */
+static struct tldap_control *
+tldap_build_extended_control(enum tldap_extended_val val)
+{
+	struct tldap_control empty_control;
+	struct asn1_data *data;
+
+	ZERO_STRUCT(empty_control);
+
+	if (val != EXTENDED_NONE) {
+		data = asn1_init(talloc_tos());
+
+		if (!data) {
+			return NULL;
+		}
+
+		if (!asn1_push_tag(data, ASN1_SEQUENCE(0))) {
+			return NULL;
+		}
+
+		if (!asn1_write_Integer(data, (int)val)) {
+			return NULL;
+		}
+
+		if (!asn1_pop_tag(data)) {
+			return NULL;
+		}
+
+		if (!asn1_blob(data, &empty_control.value)) {
+			return NULL;
+		}
+	}
+
+	empty_control.oid = "1.2.840.113556.1.4.529";
+	empty_control.critical = true;
+
+	return tldap_add_control(talloc_tos(), NULL, 0, &empty_control);
+
+}
+
+static bool tldap_test_dn_guid_format(struct tldap_context *ld, const char *basedn,
+				      enum tldap_extended_val control_val)
+{
+	struct tldap_control *control = tldap_build_extended_control(control_val);
+	char *dn = NULL;
+	struct tldap_message **msg;
+	TLDAPRC rc;
+
+	rc = tldap_search(ld, basedn, TLDAP_SCOPE_BASE,
+			  "(objectClass=*)", NULL, 0, 0,
+			  control, 1, NULL,
+			  0, 0, 0, 0, talloc_tos(), &msg);
+	if (!TLDAP_RC_IS_SUCCESS(rc)) {
+		d_printf("tldap_search for domain DN failed: %s\n",
+			 tldap_errstr(talloc_tos(), ld, rc));
+		return false;
+	}
+
+	if (!tldap_entry_dn(msg[0], &dn)) {
+		d_printf("tldap_search domain DN fetch failed: %s\n",
+			 tldap_errstr(talloc_tos(), ld, rc));
+		return false;
+	}
+
+	d_printf("%s\n", dn);
+	{
+		uint32_t time_low;
+		uint32_t time_mid, time_hi_and_version;
+		uint32_t clock_seq[2];
+		uint32_t node[6];
+		char next;
+
+		switch (control_val) {
+		case EXTENDED_NONE:
+		case EXTENDED_ZERO:
+			/*
+			 * When reading GUIDs with hyphens, scanf will treat
+			 * hyphen as a hex character (and counts as part of the
+			 * width). This creates leftover GUID string which we
+			 * check will for with 'next' and closing '>'.
+			 */
+			if (12 == sscanf(dn, "<GUID=%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x>%c",
+					 &time_low, &time_mid,
+					 &time_hi_and_version, &clock_seq[0],
+					 &clock_seq[1], &node[0], &node[1],
+					 &node[2], &node[3], &node[4],
+					 &node[5], &next)) {
+				/* This GUID is good */
+			} else {
+				d_printf("GUID format in control (no hyphens) doesn't match output\n");
+				return false;
+			}
+
+			break;
+		case EXTENDED_ONE:
+			if (12 == sscanf(dn,
+					 "<GUID=%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x>%c",
+					 &time_low, &time_mid,
+					 &time_hi_and_version, &clock_seq[0],
+					 &clock_seq[1], &node[0], &node[1],
+					 &node[2], &node[3], &node[4],
+					 &node[5], &next)) {
+				/* This GUID is good */
+			} else {
+				d_printf("GUID format in control (with hyphens) doesn't match output\n");
+				return false;
+			}
+
+			break;
+		default:
+			return false;
+		}
+	}
+
+	return true;
+}
+
 static bool run_tldap(int dummy)
 {
 	struct tldap_context *ld;
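Review bot: three points in tldap_test_dn_guid_format(). `msg[0]` is dereferenced without checking that the search returned at least one entry, so a base search that succeeds with no result would read uninitialised memory; check the entry count (or `msg != NULL`) first. The message after a failed `tldap_entry_dn()` prints `tldap_errstr(..., rc)`, but `rc` still holds the success code from the search, so the text is misleading. The comment "This creates leftover GUID string which we check will for with 'next' and closing '>'" is garbled; the intent is that a hyphenated GUID fails the no-hyphen format because the hyphen is consumed against the `%x` field width, the fields misalign, and the trailing `>%c` never matches, so fewer than 12 conversions succeed.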
@@ -11360,6 +11495,18 @@ static bool run_tldap(int dummy)
 		return false;
 	}
 
+	rc = tldap_gensec_bind(ld, torture_creds, "ldap", host, NULL,
+			       loadparm_init_s3(talloc_tos(),
+						loadparm_s3_helpers()),
+			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+
+	if (!TLDAP_RC_IS_SUCCESS(rc)) {
+		d_printf("tldap_gensec_bind failed\n");
+		return false;
+	}
+
+	callback_code = TLDAP_SUCCESS;
+
 	req = tldap_search_paged_send(talloc_tos(), ev, ld, basedn,
 				      TLDAP_SCOPE_SUB, "(objectclass=*)",
 				      NULL, 0, 0,
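Review bot: on bind failure the message "tldap_gensec_bind failed" drops the return code; print `tldap_rc2string(rc)` or `tldap_errstr(talloc_tos(), ld, rc)` as the surrounding checks do, otherwise an authentication problem in CI is indistinguishable from a transport one. Resetting `callback_code = TLDAP_SUCCESS` before the paged search is the right place, since pagedsearch_cb() only writes it on failure.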
@@ -11374,6 +11521,14 @@ static bool run_tldap(int dummy)
 
 	TALLOC_FREE(req);
 
+	rc = callback_code;
+
+	if (!TLDAP_RC_IS_SUCCESS(rc)) {
+		d_printf("tldap_search with paging failed: %s\n",
+			 tldap_errstr(talloc_tos(), ld, rc));
+		return false;
+	}
+
 	/* test search filters against rootDSE */
 	filter = "(&(|(name=samba)(nextRid<=10000000)(usnChanged>=10)(samba~=ambas)(!(name=s*m*a)))"
 		   "(|(name:=samba)(name:dn:2.5.13.5:=samba)(:dn:2.5.13.5:=samba)(!(name=*samba))))";
@@ -11387,6 +11542,29 @@ static bool run_tldap(int dummy)
 		return false;
 	}
 
+	/*
+	 * Tests to check for regression of:
+	 *
+	 * https://bugzilla.samba.org/show_bug.cgi?id=14029
+	 *
+	 * TLDAP used here to pick apart the original string DN (with GUID)
+	 */
+	if (!tldap_test_dn_guid_format(ld, basedn, EXTENDED_NONE)) {
+		d_printf("tldap_search with extended dn (no val) failed: %s\n",
+			 tldap_errstr(talloc_tos(), ld, rc));
+		return false;
+	}
+	if (!tldap_test_dn_guid_format(ld, basedn, EXTENDED_ZERO)) {
+		d_printf("tldap_search with extended dn (0) failed: %s\n",
+			 tldap_errstr(talloc_tos(), ld, rc));
+		return false;
+	}
+	if (!tldap_test_dn_guid_format(ld, basedn, EXTENDED_ONE)) {
+		d_printf("tldap_search with extended dn (1) failed: %s\n",


-- 
Samba Shared Repository


