[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Feb 1 06:03:04 UTC 2019


The branch, master has been updated
       via  545c3e6b124 ldb: Release ldb 1.6.0
       via  0e419a2163b pyldb: make ldb.connect() url mandatory
       via  3da801aea1a py_net: fix != None check
       via  b313a6aa9db s4/param/provision: check samdb argument in provision_bare()
       via  1f9ac9135c4 s4/pyauth: fix memory leak when context_new() has bad arguments
       via  f17e36c3f11 s4/pyauth: insist on proper ldb in context_new()
       via  a7e0741372d s4/pyauth: check ldb argument in py_user_session()
       via  ec1e56989b2 pygensec: insist on proper AuthContext in start_server
       via  bdb4132617e pynbt: catch type errors in PyObject_AsNBTName()
       via  e0c05383901 Tests for segfaults in python bindings
       via  f00362fb3d0 cracknames: Change search filter to use the smaller index
       via  5bfad1b2b08 netcmd: Improve error handling of gpo aclcheck as non-admin
       via  1e0db9726bb selftest: Remove unnecessary tests.py options from proclimit tests
       via  b2126cd6f43 selftest: Add comment elaborating on what ENV_DEPS actually does
       via  6cee31b0ba9 selftest: Reorder ENV_DEPS so similar testenvs are together
       via  402715206f8 selftest: Fix running proclimit tests locally
       via  c649aece903 man pages: Add note about standard process model
       via  d29853ab0a9 selftest: Convert backup/restore testenvs to use default
       via  46033515441 selftest: Make process_model argument optional in check_or_start()
       via  3f8d83b7539 samba: Change default process model to prefork
       via  5e716c0256a ldb: Release ldb 1.5.3
       via  e7f524fd212 ldb: Add even more comments on what strict does to the list intersections
       via  57a565b2fd6 ldb: Rename variable
       via  132600685b8 ldb: Elaborate on ldb_kv_search_indexed() comments
       via  72928444823 ldb: Remove comment that no longer makes sense
       via  9a893f9613b ldb: Avoid inefficient one-level searches
       via  b4211f69233 selftest: Add dns_hub to selftest/target/README
       via  a094e16fd58 selftest: Move dns_hub.py into selftest directory
       via  5d5a790bd34 dns_hub: Fix flake8 warnings
      from  4ecdcc4b462 man pages: document prefork process model

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 545c3e6b12430f19ecd64d628e4f19e1556aa450
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 1 15:09:26 2019 +1300

    ldb: Release ldb 1.6.0
    
    * pyldb: make ldb.connect() url mandatory
    * New version number for master (Samba 4.11 eventually)
    
    The 1.5.x series will be maintained in the v4-10-test branch
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Feb  1 07:02:56 CET 2019 on sn-devel-144

commit 0e419a2163bf5cd680c75f229cb3750c2e7b9bb6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Apr 18 14:37:12 2018 +1200

    pyldb: make ldb.connect() url mandatory
    
    The call fails without it, so we might as well fail sooner
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3da801aea1a67606f25480ac7cd43eee77e003c8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sat Apr 21 00:37:15 2018 +1200

    py_net: fix != None check
    
    Py_None is not false in C, so this branch was always taken.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b313a6aa9db15b2905646074d5e22db47a7c972c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Apr 24 12:40:32 2018 +1200

    s4/param/provision: check samdb argument in provision_bare()
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1f9ac9135c4d4e6173ac2d39b93b8d96e1f038ee
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Apr 24 12:38:22 2018 +1200

    s4/pyauth: fix memory leak when context_new() has bad arguments
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f17e36c3f1128566c33d4eabb32cc49ecaaf42af
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu May 3 10:26:34 2018 +1200

    s4/pyauth: insist on proper ldb in context_new()
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a7e0741372d740b6999e873bf55fc6362d594c8e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Apr 24 12:37:02 2018 +1200

    s4/pyauth: check ldb argument in py_user_session()
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ec1e56989b214376aa1c0a00368ffac11432cb94
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu May 3 10:26:26 2018 +1200

    pygensec: insist on proper AuthContext in start_server
    
    Fixes another segfault.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bdb4132617ef5082a81fe9247e233ae71e1b91f5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Apr 24 12:34:50 2018 +1200

    pynbt: catch type errors in PyObject_AsNBTName()
    
    This fixes some known segfaults.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e0c05383901b52f6a6834171c965dc386d6a9a4a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Apr 20 16:28:29 2018 +1200

    Tests for segfaults in python bindings
    
    These tests run in a child process and are regarded as succeeding if they
    don't die by signal.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f00362fb3d02f01346504ebe8d1ad8eb0dd5bb47
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 23 16:16:16 2019 +1300

    cracknames: Change search filter to use the smaller index
    
    In large domains with many users, '(objectClass=User)' may as well not
    be specified because it's iterating over the entire database.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5bfad1b2b08031b99834c9ca39c1900d52c8eb0d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jan 29 13:25:55 2019 +1300

    netcmd: Improve error handling of gpo aclcheck as non-admin
    
    Reading the nTSecurityDescriptor attribute over LDAP requires admin
    creds. However, if you don't specify admin creds, then you get an error
    like this:
    
    bin/samba-tool gpo aclcheck
    ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
      File "bin/python/samba/netcmd/__init__.py", line 184, in _run
        return self.run(*args, **kwargs)
      File "bin/python/samba/netcmd/gpo.py", line 1536, in run
        ds_sd_ndr = m['nTSecurityDescriptor'][0]
    
    This patch adds an explicit check/error message to make the problem
    clearer.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1e0db9726bb91ff967c896686d129aa30563697d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 10:07:26 2019 +1300

    selftest: Remove unnecessary tests.py options from proclimit tests
    
    It seems like these extra options were just copy-n-pasted from another
    test. The process_limits test doesn't actually try to use these env
    variables at all. All the test is doing is creating LDAP connections to
    the DC. The SOCKET_WRAPPER_DEFAULT_IFACE may have perhaps been needed,
    but we can avoid this by dropping ':local' from the testenv and running
    the test as a "client" instead.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b2126cd6f434a5c71ced965f1936f5e85ec6caf5
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 10:04:28 2019 +1300

    selftest: Add comment elaborating on what ENV_DEPS actually does
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6cee31b0ba966331022c2ab24bbdb7264b093c52
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 09:57:29 2019 +1300

    selftest: Reorder ENV_DEPS so similar testenvs are together
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 402715206f8c101c158f5e71db8b2ce509899bdc
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 09:51:44 2019 +1300

    selftest: Fix running proclimit tests locally
    
    The dns_hub changes missed a dependency. Fortunately, during an
    autobuild, the dns_hub is always up and running by the time the
    proclimitdc tests are run. However, the tests were failing if run
    locally just on their own.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c649aece90362c94156488d923491f14ff2496e5
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 31 13:30:07 2019 +1300

    man pages: Add note about standard process model
    
    Calling this model the 'standard' model made a lot more sense when it
    was the default. Add a small note explaining that it has this name for
    historical reasons.
    
    (The term 'standard' may have originally been chosen for some other
    reason. However, it's hard to find the rationale behind the term from
    back in 2005)
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d29853ab0a9754031c8463a593a11fb7bc800cc3
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 31 12:45:31 2019 +1300

    selftest: Convert backup/restore testenvs to use default
    
    These testenvs shouldn't be dependent on the process model at all, so we
    should be able to convert them to the new default without any
    repercussions.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4603351544138f64e7c80ebda2eeb126bdd15d94
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 31 13:12:43 2019 +1300

    selftest: Make process_model argument optional in check_or_start()
    
    It's more realistic to *not* always specify a process-model, and rely on
    the samba code to use the correct default. This patch changes selftest
    so we only use the -M process-model option if a particular process_model
    was specified. Otherwise the testenv will use whatever the default is.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3f8d83b75390bd6525a3eb8009854d3b854fd54d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 31 12:08:00 2019 +1300

    samba: Change default process model to prefork
    
    Prefork is the more sensible default option now, as it better
    handles a large number of client connections.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5e716c0256a6bec92e7855ccfc077a328320f2ea
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 1 14:41:18 2019 +1300

    ldb: Release ldb 1.5.3
    
    * Avoid inefficient one-level searches (bug 13762)
    * The test api.py should not rely on order of entries in dict (bug 13772)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13772
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e7f524fd2128aacb82e980652af8eb6fd275e1a8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 1 14:22:17 2019 +1300

    ldb: Add even more comments on what strict does to the list intersections
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 57a565b2fd680fc1a34f4ab91c6f6314f68ef67f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 10 14:25:06 2019 +1300

    ldb: Rename variable
    
    The old name confused me because it's not really related to the
    one-level index at all. It's the result from evaluating the indexed
    search specified in the ac->tree.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 132600685b8c5d4964f20634cd7a64b14f41cfa7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 10 14:19:19 2019 +1300

    ldb: Elaborate on ldb_kv_search_indexed() comments
    
    Disclaimer: this is based on my limited understanding of what the code
    is doing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 72928444823c5b18ac9ef98e7432c999d70aa571
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 10 13:53:47 2019 +1300

    ldb: Remove comment that no longer makes sense
    
    This comment was written before the GUID_index_attribute block of code
    existed. So we now *do* load the index values and *do* check for a
    strict intersect, so the comment is redundant.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9a893f9613bd6440abd8e487d22a39ab5b82a7b9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jan 10 13:34:18 2019 +1300

    ldb: Avoid inefficient one-level searches
    
    Commit 88ae60ed186c9 introduced a problem that made one-level
    searches inefficient if there were a lot of child objects in the same
    level, and the requested object didn't exist. Basically, it ignored the
    case where ldb_kv_index_dn() returned LDB_ERR_NO_SUCH_OBJECT, i.e. the
    indexed lookup was successful, but didn't find a match. At which point,
    there was no more processing we needed to do.
    
    The behaviour after 88ae60ed186c9 was to fall-through and run the
    ldb_kv_index_filter() function over *all* the children. This still
    returned the correct result, but could be costly if there were a lot of
    children.
    
    The case 88ae60ed186c9 was trying to fix was where we could not do
    an indexed search (e.g. trying to match on a 'attribute=*' filter). In
    which case we want to ignore the LDB_ERR_OPERATIONS_ERROR and just run
    ldb_kv_index_filter() over all the children. This is still more
    efficient than the fallback of doing a full database scan.
    
    This patch adds in a short-circuit for the NO_SUCH_OBJECT case, so we
    can skip the unnecessary ldb_kv_index_filter() work.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b4211f69233f954a3fa596f464276184d85d322b
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 15:10:45 2019 +1300

    selftest: Add dns_hub to selftest/target/README
    
    Add a description explaining what dns_hub does and why we need it.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a094e16fd58bec1d5938a25e941b15c180ec7a55
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 13:26:49 2019 +1300

    selftest: Move dns_hub.py into selftest directory
    
    As dns_hub.py is now integral to the selftest environments, it seems to
    make sense for it to live under the selftest/ directory.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5d5a790bd349c591ea24bb510d7da447b70fdef9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jan 30 13:24:45 2019 +1300

    dns_hub: Fix flake8 warnings
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  13 +++
 docs-xml/manpages/samba.8.xml                      |  11 +-
 lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.5.3.sigs}     |   0
 lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.6.0.sigs}     |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.5.3.sigs} |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.6.0.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.5.3.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.6.0.sigs} |   0
 lib/ldb/ldb_key_value/ldb_kv_index.c               |  76 ++++++++++---
 lib/ldb/pyldb.c                                    |   2 +-
 lib/ldb/wscript                                    |   2 +-
 libcli/nbt/pynbt.c                                 |  20 +++-
 python/samba/netcmd/gpo.py                         |   4 +
 python/samba/tests/segfault.py                     | 126 +++++++++++++++++++++
 selftest/knownfail.d/python-segfaults              |   6 +
 selftest/target/README                             |  13 +++
 selftest/target/Samba4.pm                          |  34 ++++--
 .../target}/dns_hub.py                             |  12 +-
 source4/auth/gensec/pygensec.c                     |  10 +-
 source4/auth/pyauth.c                              |  10 ++
 source4/dsdb/samdb/cracknames.c                    |   4 +-
 source4/libnet/py_net.c                            |   2 +-
 source4/param/provision.c                          |   9 +-
 source4/selftest/tests.py                          |   7 +-
 source4/smbd/server.c                              |   2 +-
 25 files changed, 312 insertions(+), 51 deletions(-)
 copy lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.5.3.sigs} (100%)
 copy lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.6.0.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.5.3.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.6.0.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.5.3.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.6.0.sigs} (100%)
 create mode 100644 python/samba/tests/segfault.py
 create mode 100644 selftest/knownfail.d/python-segfaults
 rename {python/samba/tests/dns_forwarder_helpers => selftest/target}/dns_hub.py (94%)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a3ed9213d50..85c417a61a9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -16,6 +16,19 @@ UPGRADING
 NEW FEATURES/CHANGES
 ====================
 
+Default samba process model
+---------------------------
+
+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead.  Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
 
 REMOVED FEATURES
 ================
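Review bot: the new "Default samba process model" section does not say how to get the previous behaviour back. Since this changes a default on upgrade, add a sentence stating that passing 'standard' to the --model argument restores one process per LDAP or NETLOGON connection, so administrators who depend on that isolation know what to set.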
diff --git a/docs-xml/manpages/samba.8.xml b/docs-xml/manpages/samba.8.xml
index 0d542b2fbc8..35b3e9f464e 100644
--- a/docs-xml/manpages/samba.8.xml
+++ b/docs-xml/manpages/samba.8.xml
@@ -116,11 +116,16 @@
 			<para>A process is created for each Samba service,
 			and for those services that support it (currently only
 			LDAP and NETLOGON) a new processes is started
-			for each new client connection.</para></listitem>
+			for each new client connection.</para>
+
+			<para>Historically, this was the 'standard' way Samba behaved
+			up until v4.10. Note that this model can be resource intensive
+			if you have a large number of client connections.</para>
+			</listitem>
 
 			<listitem><para><emphasis>prefork</emphasis></para>
-			<para>A process is started for each Samba service, and a
-			fixed number of worker processes are started for those
+			<para>The default. A process is started for each Samba service,
+			and a fixed number of worker processes are started for those
 			services that support it (currently LDAP, NETLOGON, and KDC).
 			The client connections are then shared amongst the worker
 			processes.
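Review bot: "up until v4.10" in the added paragraph for the standard model is ambiguous about whether v4.10 itself still defaults to 'standard'; state the first release that defaults to prefork instead. While this paragraph is being touched, the context line "a new processes is started" just above could be corrected to "a new process is started".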
diff --git a/lib/ldb/ABI/ldb-1.5.1.sigs b/lib/ldb/ABI/ldb-1.5.3.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.5.1.sigs
copy to lib/ldb/ABI/ldb-1.5.3.sigs
diff --git a/lib/ldb/ABI/ldb-1.5.1.sigs b/lib/ldb/ABI/ldb-1.6.0.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.5.1.sigs
copy to lib/ldb/ABI/ldb-1.6.0.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.5.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.5.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.6.0.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.6.0.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.5.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.5.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.6.0.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.6.0.sigs
diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c
index 6c21c19d654..6d02c91a597 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_index.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c
@@ -1259,6 +1259,14 @@ static bool list_intersect(struct ldb_context *ldb,
 		return true;
 	}
 
+	/*
+	 * In both of the below we check for strict and in that
+	 * case do not optimise the intersection of this list,
+	 * we must never return an entry not in this
+	 * list.  This allows the index for
+	 * SCOPE_ONELEVEL to be trusted.
+	 */
+
 	/* the indexing code is allowed to return a longer list than
 	   what really matches, as all results are filtered by the
 	   full expression at the end - this shortcut avoids a lot of
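Review bot: the added comment in list_intersect() says "In both of the below" without naming the two checks it refers to, and the blank line after it detaches it from the code it describes. Name the two branches, or move the sentence about strict next to each of them, so the guarantee that the SCOPE_ONELEVEL index can be trusted stays attached to the code that enforces it.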
@@ -1660,7 +1668,13 @@ static int ldb_kv_index_dn_one(struct ldb_module *module,
 			       struct dn_list *list,
 			       enum key_truncation *truncation)
 {
-	/* Ensure we do not shortcut on intersection for this list */
+	/*
+	 * Ensure we do not shortcut on intersection for this list.
+	 * We must never be lazy and return an entry not in this
+	 * list.  This allows the index for
+	 * SCOPE_ONELEVEL to be trusted.
+	 */
+
 	list->strict = true;
 	return ldb_kv_index_dn_attr(
 	    module, ldb_kv, LDB_KV_IDXONE, parent_dn, list, truncation);
@@ -2008,10 +2022,11 @@ int ldb_kv_search_indexed(struct ldb_kv_context *ac, uint32_t *match_count)
 		return ldb_operr(ldb);
 
 	case LDB_SCOPE_ONELEVEL:
+
 		/*
-		 * If we ever start to also load the index values for
-		 * the tree, we must ensure we strictly intersect with
-		 * this list, as we trust the ONELEVEL index
+		 * First, load all the one-level child objects (regardless of
+		 * whether they match the search filter or not). The database
+		 * maintains a one-level index, so retrieving this is quick.
 		 */
 		ret = ldb_kv_index_dn_one(ac->module,
 					  ldb_kv,
@@ -2024,9 +2039,12 @@ int ldb_kv_search_indexed(struct ldb_kv_context *ac, uint32_t *match_count)
 		}
 
 		/*
-		 * If we have too many matches, running the filter
-		 * tree over the SCOPE_ONELEVEL can be quite expensive
-		 * so we now check the filter tree index as well.
+		 * If we have too many children, running ldb_kv_index_filter()
+		 * over all the child objects can be quite expensive. So next
+		 * we do a separate indexed query using the search filter.
+		 *
+		 * This should be quick, but it may return objects that are not
+		 * the direct one-level child objects we're interested in.
 		 *
 		 * We only do this in the GUID index mode, which is
 		 * O(n*log(m)) otherwise the intersection below will
@@ -2037,33 +2055,55 @@ int ldb_kv_search_indexed(struct ldb_kv_context *ac, uint32_t *match_count)
 		 * fast enough in the small case.
 		 */
 		if (ldb_kv->cache->GUID_index_attribute != NULL) {
-			struct dn_list *idx_one_tree_list
+			struct dn_list *indexed_search_result
 				= talloc_zero(ac, struct dn_list);
-			if (idx_one_tree_list == NULL) {
+			if (indexed_search_result == NULL) {
 				talloc_free(dn_list);
 				return ldb_module_oom(ac->module);
 			}
 
 			if (!ldb_kv->cache->attribute_indexes) {
-				talloc_free(idx_one_tree_list);
+				talloc_free(indexed_search_result);
 				talloc_free(dn_list);
 				return LDB_ERR_OPERATIONS_ERROR;
 			}
+
 			/*
-			 * Here we load the index for the tree.
-			 *
-			 * We only care if this is successful, if the
-			 * index can't trim the result list down then
-			 * the ONELEVEL index is still good enough.
+			 * Try to do an indexed database search
 			 */
 			ret = ldb_kv_index_dn(
-			    ac->module, ldb_kv, ac->tree, idx_one_tree_list);
+			    ac->module, ldb_kv, ac->tree,
+			    indexed_search_result);
+
+			/*
+			 * We can stop if we're sure the object doesn't exist
+			 */
+			if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+				talloc_free(indexed_search_result);
+				talloc_free(dn_list);
+				return LDB_ERR_NO_SUCH_OBJECT;
+			}
+
+			/*
+			 * Once we have a successful search result, we
+			 * intersect it with the one-level children (dn_list).
+			 * This should give us exactly the result we're after
+			 * (we still need to run ldb_kv_index_filter() to
+			 * handle potential index truncation cases).
+			 *
+			 * The indexed search may fail because we don't support
+			 * indexing on that type of search operation, e.g.
+			 * matching against '*'. In which case we fall through
+			 * and run ldb_kv_index_filter() over all the one-level
+			 * children (which is still better than bailing out here
+			 * and falling back to a full DB scan).
+			 */
 			if (ret == LDB_SUCCESS) {
 				if (!list_intersect(ldb,
 						    ldb_kv,
 						    dn_list,
-						    idx_one_tree_list)) {
-					talloc_free(idx_one_tree_list);
+						    indexed_search_result)) {
+					talloc_free(indexed_search_result);
 					talloc_free(dn_list);
 					return LDB_ERR_OPERATIONS_ERROR;
 				}
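Review bot: the new early return at "if (ret == LDB_ERR_NO_SUCH_OBJECT)" leaves *match_count untouched, and the visible lines do not show whether callers of ldb_kv_search_indexed() read it on that return value; please confirm that, or set it to 0 before returning. The diffstat lists no test change under lib/ldb, so a regression test for a one-level search whose indexed filter matches nothing under a parent with many children would also keep this short-circuit from being lost again.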
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index b2cac8a3497..8e48fa5d56d 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1213,7 +1213,7 @@ static PyObject *py_ldb_connect(PyLdbObject *self, PyObject *args, PyObject *kwa
 	const char * const kwnames[] = { "url", "flags", "options", NULL };
 	struct ldb_context *ldb_ctx;
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|zIO",
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "z|IO",
 					 discard_const_p(char *, kwnames),
 					 &url, &flags, &py_options))
 		return NULL;
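Review bot: moving the "|" makes url a required argument, but the "z" format unit still accepts None, so ldb.connect(None) passes argument parsing and url is NULL in the rest of py_ldb_connect(). If the intent is to fail sooner whenever no URL is given, "s|IO" rejects None at parse time; otherwise add an explicit NULL check on url after this call.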
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index ca0bf410f10..6e224e7b4b7 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.5.2'
+VERSION = '1.6.0'
 
 import sys, os
 
diff --git a/libcli/nbt/pynbt.c b/libcli/nbt/pynbt.c
index 032561a4bd8..ccd7a039248 100644
--- a/libcli/nbt/pynbt.c
+++ b/libcli/nbt/pynbt.c
@@ -97,13 +97,28 @@ static bool PyObject_AsNBTName(PyObject *obj, struct nbt_name_socket *name_socke
 	if (PyTuple_Check(obj)) {
 		if (PyTuple_Size(obj) == 2) {
 			name->name = PyStr_AsString(PyTuple_GetItem(obj, 0));
+			if (name->name == NULL) {
+				goto err;
+			}
 			name->type = PyInt_AsLong(PyTuple_GetItem(obj, 1));
+			if (name->type == -1 && PyErr_Occurred()) {
+				goto err;
+			}
 			name->scope = NULL;
 			return true;
 		} else if (PyTuple_Size(obj) == 3) {
 			name->name = PyStr_AsString(PyTuple_GetItem(obj, 0));
+			if (name->name == NULL) {
+				goto err;
+			}
 			name->scope = PyStr_AsString(PyTuple_GetItem(obj, 1));
+			if (name->scope == NULL) {
+				goto err;
+			}
 			name->type = PyInt_AsLong(PyTuple_GetItem(obj, 2));
+			if (name->type == -1 && PyErr_Occurred()) {
+				goto err;
+			}
 			return true;
 		} else {
 			PyErr_SetString(PyExc_TypeError, "Invalid tuple size");
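Review bot: the "name->type == -1 && PyErr_Occurred()" checks test the value after it has been stored in name->type rather than the long returned by PyInt_AsLong(). If that field is narrower than long or unsigned, the comparison with -1 may not behave as intended; store the result in a local long, check it there, and range-check it before assigning to name->type.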
@@ -114,11 +129,14 @@ static bool PyObject_AsNBTName(PyObject *obj, struct nbt_name_socket *name_socke
 	if (PyStr_Check(obj) || PyUnicode_Check(obj)) {
 		/* FIXME: Parse string to be able to interpret things like RHONWYN<02> ? */
 		name->name = PyStr_AsString(obj);
+		if (name->name == NULL) {
+			goto err;
+		}
 		name->scope = NULL;
 		name->type = 0;
 		return true;
 	}
-
+err:
 	PyErr_SetString(PyExc_TypeError, "Invalid type for object");
 	return false;
 }
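Review bot: every new "goto err" is reached with a Python exception already set by PyStr_AsString() or PyInt_AsLong(), and the "err:" label then replaces it with the generic "Invalid type for object". Either return false directly on those paths, or set the generic message only when PyErr_Occurred() is false, so the caller sees which element of the tuple was rejected.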
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 1b5e927f633..95fe5d6d439 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1533,6 +1533,10 @@ class cmd_aclcheck(GPOCommand):
 
             fs_sd = conn.get_acl(sharepath, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, security.SEC_FLAG_MAXIMUM_ALLOWED)
 
+            if 'nTSecurityDescriptor' not in m:
+                raise CommandError("Could not read nTSecurityDescriptor. "
+                                   "This requires an Administrator account")
+
             ds_sd_ndr = m['nTSecurityDescriptor'][0]
             ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()
 
diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py
new file mode 100644
index 00000000000..38dcb5c7036
--- /dev/null
+++ b/python/samba/tests/segfault.py
@@ -0,0 +1,126 @@
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Catalyst.Net Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+"""Test whether various python calls segfault when given unexpected input.
+"""
+
+import samba.tests
+import os
+import sys
+from samba.net import Net, LIBNET_JOIN_AUTOMATIC
+from samba.credentials import DONT_USE_KERBEROS
+from samba import NTSTATUSError, ntstatus
+from samba.dcerpc import misc, drsuapi
+from samba import auth, gensec
+from samba.samdb import SamDB
+from samba import netbios
+from samba import registry
+from samba import ldb
+
+import traceback
+
+def segfault_detector(f):
+    def wrapper(*args, **kwargs):
+        pid = os.fork()
+        if pid == 0:
+            try:
+                f(*args, **kwargs)
+            except Exception as e:
+                traceback.print_exc()
+            sys.stderr.flush()
+            sys.stdout.flush()
+            os._exit(0)
+
+        pid2, status = os.waitpid(pid, 0)
+        signal = status & 255
+        if os.WIFSIGNALED(status):
+            signal = os.WTERMSIG(status)
+            raise AssertionError("Failed with signal %d" % signal)
+
+    return wrapper
+
+
+class SegfaultTests(samba.tests.TestCase):
+    def get_lp_et_al(self):
+        server = os.environ["SERVER"]
+        lp = self.get_loadparm()
+
+        creds = self.insta_creds(template=self.get_credentials(),
+                                 kerberos_state=DONT_USE_KERBEROS)
+        return lp, creds, server
+
+    def get_samdb(self):
+        lp, creds, server = self.get_lp_et_al()
+        url = 'ldap://' + server
+        ldb = SamDB(url, credentials=creds, lp=lp)
+        return ldb
+
+    @segfault_detector
+    def test_net_replicate_init__1(self):
+        lp, creds, server = self.get_lp_et_al()
+        net = Net(creds, lp, server=server)
+        net.replicate_init(42, lp, None, misc.GUID())
+
+    @segfault_detector
+    def test_net_replicate_init__3(self):
+        # third argument is also unchecked
+        samdb = self.get_samdb()
+        lp, creds, server = self.get_lp_et_al()
+        net = Net(creds, lp, server=server)
+        net.replicate_init(samdb, lp, 42, misc.GUID())
+
+    @segfault_detector
+    def test_net_replicate_chunk_1(self):
+        lp, creds, server = self.get_lp_et_al()
+        ctr = drsuapi.DsGetNCChangesCtr6()
+        net = Net(creds, lp, server=server)
+        net.replicate_chunk(42, 1, ctr)
+
+    @segfault_detector
+    def test_auth_context_gensec_start_server(self):
+        a = auth.AuthContext(ldb=42, methods=['sam'])
+        # there is no failure yet because the ldb is not actually
+        # dereferenced.
+        g = gensec.Security.start_server(auth_context=a)
+        # and still the ldb is not dereferenced...
+
+    @segfault_detector
+    def test_auth_user_session(self):
+        s = auth.user_session(ldb=42, principal='foo')
+
+    @segfault_detector
+    def test_gensec_start_server(self):
+        gensec.Security.start_server(auth_context=42)
+
+    @segfault_detector
+    def test_netbios_query_name(self):
+        n = netbios.Node()
+        t = n.query_name((42, 'foo'), 'localhost')
+
+    @segfault_detector
+    def test_encrypt_netr_crypt_password(self):
+        lp, creds, server = self.get_lp_et_al()
+        creds.encrypt_netr_crypt_password(42)
+
+    @segfault_detector
+    def test_hive_open_ldb(self):
+        # we don't need to provide a valid path because we segfault first
+        try:
+            registry.open_ldb('', credentials=42)
+        except ldb.LdbError as e:
+            print("failed with %s" % e)
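Review bot: segfault_detector calls os.fork() without flushing sys.stdout and sys.stderr in the parent first, so any output still buffered at that point is copied into the child and written a second time by the child's flush calls. Flushing both streams immediately before os.fork() avoids the duplicated log lines. In the same wrapper, signal = status & 255 is overwritten inside the os.WIFSIGNALED branch before it is used and can be dropped, as can the unused "as e" and the unused pid2. In get_samdb() the local name ldb shadows the module imported with "from samba import ldb"; calling it samdb, as test_net_replicate_init__3 already does, would be clearer.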
diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
new file mode 100644
index 00000000000..c8331d941ef
--- /dev/null
+++ b/selftest/knownfail.d/python-segfaults
@@ -0,0 +1,6 @@
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_auth_user_session
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_encrypt_netr_crypt_password
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_hive_open_ldb
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_chunk_1
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__1
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
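Review bot: these six knownfail entries have no comment saying that each one is expected to die with a signal rather than fail an assertion, or which unchecked argument is responsible. A short header comment would keep the list from going stale as the bindings are fixed. test_auth_user_session is listed although this push also contains "s4/pyauth: check ldb argument in py_user_session()"; it is worth confirming that this entry is still needed.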
diff --git a/selftest/target/README b/selftest/target/README
index 36b68d5dd24..69d70217bdf 100644
--- a/selftest/target/README
+++ b/selftest/target/README
@@ -41,6 +41,19 @@ Note that several of the testenvs also use local in their name, e.g.
 'localvampiredc'. In particular, there's the 'localdc', which is the NetBIOS
 name of the DC in the 'ad_dc_ntvfs' testenv.
 
+dns_hub
+-------
+dns_hub doesn't run a Samba/smbd server like the other testenvs do. It's there
+to solve the problem of how to do DNS more nicely in selftest. Running
+autobuild can start up a lot of different testenvs, and so we end up with
+different DCs running in different domains. Each test suite only wants to talk
+to a specific domain at a time. However, by default the tests all use a common
+client.conf - essentially the tests are simulating a single client that's
+pretending to be in several different domains. The problem is when the test
+wants to resolve a DNS host, which DC should it ask? Each DC only knows about its
+own realm. dns_hub.py acts as a proxy, so it works out the correct DC to forward
+the query to, based on the queried host's realm.
+
 Vampire DC
 ----------
 Vampire DC gets its name for historic reasons. It's one of the few testenvs
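Review bot: the dns_hub section refers to dns_hub.py without a path, and it does not say what happens to a query whose host belongs to none of the running realms. The Samba4.pm change in this same patch points MAKE_TEST_BINARY at selftest/target/dns_hub.py, so naming that location here would save readers a search. One sentence on the fallback behaviour would complete the description.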
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index b662776a847..33c66848c56 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -161,10 +161,13 @@ sub check_or_start($$$)
 			@preargs = split(/ /,$ENV{SAMBA_VALGRIND});
 		}
 
+		if (defined($process_model)) {
+			push @optargs, ("-M", $process_model);
+		}
 		close($env_vars->{STDIN_PIPE});
 		open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
 
-		exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+		exec(@preargs, Samba::bindir_path($self, "samba"), "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
 	}
 	$env_vars->{SAMBA_PID} = $pid;
 	print "DONE ($pid)\n";
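Review bot: with "-M", $process_model moved into @optargs, the option now follows $env_vars->{CONFIGURATION} on the samba command line instead of preceding "-i", and nothing in check_or_start() says what an undefined $process_model means. A one-line comment above the defined($process_model) test stating that samba then uses its built-in default would document the intent. The hunk header still shows the prototype as check_or_start($$$), which is worth updating or commenting if the third argument is the one that became optional.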
@@ -398,7 +401,7 @@ sub setup_dns_hub_internal($$$)
 		} else {
 		    push (@preargs, $ENV{PYTHON});
 		}
-		$ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "python/samba/tests/dns_forwarder_helpers/dns_hub.py");
+		$ENV{MAKE_TEST_BINARY} = "$self->{srcdir}/selftest/target/dns_hub.py";
 		push (@args, "$self->{server_maxtime}");
 		push (@args, "$env->{ipv4}");
 		close($env->{STDIN_PIPE});
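Review bot: in setup_dns_hub_internal, MAKE_TEST_BINARY is now built by interpolating $self->{srcdir} with no check that the result exists, so an unset srcdir silently yields "/selftest/target/dns_hub.py" and the failure only surfaces later when the helper is run. A -e test on the path with a die() naming the missing file would make a misconfigured tree fail at the point of the mistake.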
@@ -2332,6 +2335,10 @@ sub check_env($$)
 # Declare the environments Samba4 makes available.
 # To be set up, they will be called as
 #   samba4->setup_$envname($self, $path, $dep_1_vars, $dep_2_vars, ...)
+# The interdependencies between the testenvs are declared below. Some testenvs
+# are dependent on another testenv running first, e.g. vampire_dc is dependent
+# on ad_dc_ntvfs because vampire_dc joins ad_dc_ntvfs's domain. All DCs are
+# dependent on dns_hub, which handles resolving DNS queries for the realm.
 %Samba4::ENV_DEPS = (
 	# name               => [dep_1, dep_2, ...],
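Review bot: the added comment above %Samba4::ENV_DEPS says dns_hub "handles resolving DNS queries for the realm", while the README text in this same patch describes it as a proxy that forwards each query to the DC for the queried host's realm. Rewording to something like "forwards DNS queries to the DC for the relevant realm" would keep the two descriptions consistent.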


-- 
Samba Shared Repository


