[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Fri Feb 1 14:19:02 UTC 2019


The branch, v4-9-test has been updated
       via  d1428435b52 ctdb: Print locks latency in machinereadable stats
       via  bb3e0c5c829 vfs_fileid: fix get_connectpath_ino
       via  4588c1c704a lib/audit_logging: actually create talloc
       via  3b19257a7d3 s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection
       via  5cbce550a76 libcli: Add error log if insufficient SMB2 credits
       via  833505239e3 s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list()
       via  0493165a22b s3:libsmb: Honor disable_netbios option in smbsock_connect_send
       via  8e2514a1b1c s3:utils:net: Print debug message about Netbios
       via  c824d35f36c s3:smbpasswd: Print debug message about Netbios
       via  fc3f516a41d s3:libsmb: Print debug message about Netbios
       via  f13c5a9c1fd s3:libsmb: Check disable_netbios in socket connect
       via  3145dae212c audit_logging: Remove debug log header and JSON Authentication: prefix
       via  2cebe0b84f5 json: Modify API to use return codes
      from  76bcdecae23 ldb: Bump ldb version to 1.4.4

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit d1428435b528f8c6e3b8a38a2160f551aea5f33c
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Jan 14 15:04:59 2019 +0100

    ctdb: Print locks latency in machinereadable stats
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13742
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Wed Jan 16 05:34:17 CET 2019 on sn-devel-144
    
    (cherry picked from commit 193a0d6f01372604b925d1972591062a0bb2400f)
    
    Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-9-test): Fri Feb  1 15:18:15 CET 2019 on sn-devel-144

commit bb3e0c5c8290575331b636720dbc59d7cf90c65c
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Thu Jan 10 14:28:14 2019 +0100

    vfs_fileid: fix get_connectpath_ino
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13741
    
    Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Jan 15 04:13:15 CET 2019 on sn-devel-144
    
    (cherry picked from commit 12398a2d1ddcd326e02e5d8b0749e0e796145165)

commit 4588c1c704ae29f924c2c0d45aa55c1e0afc0055
Author: Philipp Gesang <philipp.gesang at intra2net.com>
Date:   Tue Dec 18 16:09:19 2018 +0100

    lib/audit_logging: actually create talloc
    
    Heal damage of 79f494e51e..
    
    That context is being passed around and freed but is never
    actually allocated on that stack.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13737
    
    Signed-off-by: Philipp Gesang <philipp.gesang at intra2net.com>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit 5c928d7cd1d0ac994fe95892eec235b939ad2ec9)

commit 3b19257a7d31e525c2246c6c8c158d86cccb99a5
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jan 7 15:28:12 2019 +1300

    s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection
    
    cli_smb2_list() appears to be a slightly unique SMB operation in that it
    specifies the max transaction size for the response buffer size. The
    Python bindings highlighted a problem where if cli_smb2_list() were one
    of the first operations performed on the SMBv2 connection, it would fail
    due to insufficient credits. Because the response buffer size is
    (potentially) so much larger, it requires more credits (128) compared
    with other SMB operations.
    
    When talking to a samba DC, the connection credits seem to start off at
    1, then increase by 32 for every SMB reply we receive back from the
    server. After cli_full_connection(), the connection has 65 credits. The
    cli_smb2_create_fnum() in cli_smb2_list() adds another 32 credits, but
    this is still less than the 128 that smb2cli_query_directory() requires.
    
    This problem doesn't happen for smbclient because the cli_cm_open() API
    it uses ends up sending more messages, and so the connection has more
    credits.
    
    This patch changes cli_smb2_list(), so it requests a smaller response
    buffer size if it doesn't have enough credits available for the max
    transaction size. smb2cli_query_directory() is already in a loop, so it
    can span multiple SMB messages if for some reason the transaction size
    isn't big enough for the listings.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jan 10 02:40:16 CET 2019 on sn-devel-144
    
    (cherry picked from commit fd355dff906f5f4832901bce76544f1a4e50c33d)

commit 5cbce550a7683ad8d62ab0029e283ede5650a3d2
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jan 7 12:06:15 2019 +1300

    libcli: Add error log if insufficient SMB2 credits
    
    Although it's unusual to hit this case, I was seeing it happen while
    working on the SMB python bindings. Even with debug level 10, there was
    nothing coming out to help pin down the source of the
    NT_STATUS_INTERNAL_ERROR.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit bf229de7926f12e329cdb3201f68f20ae776fe32)

commit 833505239e38778db55b89537d2025b08d8f8e40
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Mar 20 15:27:44 2018 +0100

    s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 580ff206431969dc2924d520053b956b7169ca07)

commit 0493165a22bfe9f65605a0fe8c7dba837d588985
Author: Justin Stephenson <jstephen at redhat.com>
Date:   Mon Jan 14 10:36:47 2019 -0500

    s3:libsmb: Honor disable_netbios option in smbsock_connect_send
    
    If disable_netbios is set, return before the tevent timer is triggered
    to prevent outgoing netbios connections.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
    
    Signed-off-by: Justin Stephenson <jstephen at redhat.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)

commit 8e2514a1b1c75ad11b34e988e5c130ffc2ee363e
Author: Justin Stephenson <jstephen at redhat.com>
Date:   Mon Dec 17 15:17:24 2018 -0500

    s3:utils:net: Print debug message about Netbios
    
    With a preceding patch, cli_connect_nb() will return
    NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
    
    Print an informative error message to indicate Netbios is disabled
    if this occurs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
    
    Signed-off-by: Justin Stephenson <jstephen at redhat.com>
    Reviewed-by: Noel Power <nopower at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)

commit c824d35f36cb60d3548770b16597af45618f9448
Author: Justin Stephenson <jstephen at redhat.com>
Date:   Mon Dec 17 14:57:59 2018 -0500

    s3:smbpasswd: Print debug message about Netbios
    
    With a preceding patch, cli_connect_nb() will return
    NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
    
    Print an informative error message to indicate Netbios is disabled
    if this occurs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
    
    Signed-off-by: Justin Stephenson <jstephen at redhat.com>
    Reviewed-by: Noel Power <nopower at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)

commit fc3f516a41db5d58e7222567633f07feb8efe314
Author: Justin Stephenson <jstephen at redhat.com>
Date:   Mon Dec 17 14:40:33 2018 -0500

    s3:libsmb: Print debug message about Netbios
    
    With a preceding patch, cli_connect_nb() will return
    NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
    
    Print an informative error message to indicate Netbios is disabled
    if this occurs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
    
    Signed-off-by: Justin Stephenson <jstephen at redhat.com>
    Reviewed-by: Noel Power <nopower at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)

commit f13c5a9c1fdc1ae6bdbebd4a8c0dab0bcf394c3e
Author: Justin Stephenson <jstephen at redhat.com>
Date:   Thu Jan 3 12:07:01 2019 -0500

    s3:libsmb: Check disable_netbios in socket connect
    
    If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
    for a port 139 connection in the low level socket connection code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
    
    Signed-off-by: Justin Stephenson <jstephen at redhat.com>
    Reviewed-by: Noel Power <nopower at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)

commit 3145dae212c82b9e766e2ab406115b56cc3cd879
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 13 13:53:08 2018 +1300

    audit_logging: Remove debug log header and JSON Authentication: prefix
    
    Feedback from real-world users is that they really want raw JSON
    strings in the log.
    
    We can not easily remove the leading "  " but the other strings above
    and before the JSON are really annoying to strip back off
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    (cherry-picked from edab1318f9138c0d87de7cc7cfa5da8e29c906f8 and modified
    for v4-9 by Gary Lockyer)

commit 2cebe0b84f58f6796cc587fdfd581edbe983a9a8
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri Jul 13 09:14:09 2018 +1200

    json: Modify API to use return codes
    
    Modify the auditing JSON API to return a response code, as the consensus
    was that the existing error handling was aesthetically displeasing.
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit 79f494e51eabb5176747fcf3b9f2efad10ec7f97 and
    adapted to compile on 4.9 by Gary Lockyer)

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                                    | 320 ++++++++----
 ctdb/tools/ctdb.c                                  |   5 +
 lib/audit_logging/audit_logging.c                  | 546 ++++++++++++++-------
 lib/audit_logging/audit_logging.h                  |  64 +--
 lib/audit_logging/tests/audit_logging_test.c       | 252 ++++++++--
 libcli/smb/smbXcli_base.c                          |   3 +
 source3/libsmb/cli_smb2_fnum.c                     |  15 +-
 source3/libsmb/clidfs.c                            |  10 +-
 source3/libsmb/libsmb_server.c                     |   4 +
 source3/libsmb/passchange.c                        |  16 +-
 source3/libsmb/smbsock_connect.c                   |  12 +
 source3/modules/vfs_fileid.c                       |   4 +-
 source3/utils/net_rpc.c                            |   3 +
 source3/utils/net_time.c                           |   9 +-
 source4/dsdb/samdb/ldb_modules/audit_log.c         | 441 +++++++++++++----
 source4/dsdb/samdb/ldb_modules/audit_util.c        | 148 +++++-
 source4/dsdb/samdb/ldb_modules/group_audit.c       |  93 +++-
 .../samdb/ldb_modules/tests/test_group_audit.c     |   5 +-
 18 files changed, 1440 insertions(+), 510 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c
index 38d29db4396..1df112d9a8b 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -78,11 +78,10 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui);
 static void log_json(struct imessaging_context *msg_ctx,
 		     struct loadparm_context *lp_ctx,
 		     struct json_object *object,
-		     const char *type,
 		     int debug_class,
 		     int debug_level)
 {
-	audit_log_json(type, object, debug_class, debug_level);
+	audit_log_json(object, debug_class, debug_level);
 	if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
 		audit_message_send(msg_ctx,
 				   AUTH_EVENT_NAME,
@@ -102,9 +101,8 @@ static void log_json(struct imessaging_context *msg_ctx,
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log file |
- *  sed 's;^[^{]*;;' |
- * jq -rc  '"\(.timestamp)\t\(.Authentication.status)\t
+ *  grep "^  {" log file |
+ *  jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
  *           \(.Authentication.clientDomain)\t
  *           \(.Authentication.clientAccount)
  *           \t\(.Authentication.workstation)
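Review bot: the new usage example keys on grep "^  {", which only works while the debug output prefixes every JSON line with exactly two spaces; the comment should say so, so anyone changing the log format or shipping logs through a collector that trims whitespace knows the recipe breaks. While touching this block, the context line above still reads "commend line", and this copy says "log file" with no trailing backslashes where the authorization copy further down says "log_file |\"; the two examples should match.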
@@ -123,63 +121,134 @@ static void log_authentication_event_json(
 	struct dom_sid *sid,
 	int debug_level)
 {
-	struct json_object wrapper = json_new_object();
-	struct json_object authentication;
+	struct json_object wrapper = json_empty_object;
+	struct json_object authentication = json_empty_object;
 	char negotiate_flags[11];
-
-	json_add_timestamp(&wrapper);
-	json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
+	int rc = 0;
 
 	authentication = json_new_object();
-	json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
-	json_add_string(&authentication, "status", nt_errstr(status));
-	json_add_address(&authentication, "localAddress", ui->local_host);
-	json_add_address(&authentication, "remoteAddress", ui->remote_host);
-	json_add_string(&authentication,
-			"serviceDescription",
-			ui->service_description);
-	json_add_string(&authentication,
-			"authDescription",
-			ui->auth_description);
-	json_add_string(&authentication,
-			"clientDomain",
-			ui->client.domain_name);
-	json_add_string(&authentication,
-			"clientAccount",
-			ui->client.account_name);
-	json_add_string(&authentication,
-			"workstation",
-			ui->workstation_name);
-	json_add_string(&authentication, "becameAccount", account_name);
-	json_add_string(&authentication, "becameDomain", domain_name);
-	json_add_sid(&authentication, "becameSid", sid);
-	json_add_string(&authentication,
-			"mappedAccount",
-			ui->mapped.account_name);
-	json_add_string(&authentication,
-			"mappedDomain",
-			ui->mapped.domain_name);
-	json_add_string(&authentication,
-			"netlogonComputer",
-			ui->netlogon_trust_account.computer_name);
-	json_add_string(&authentication,
-			"netlogonTrustAccount",
-			ui->netlogon_trust_account.account_name);
+	if (json_is_invalid(&authentication)) {
+		goto failure;
+	}
+	rc = json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authentication, "status", nt_errstr(status));
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_address(&authentication, "localAddress", ui->local_host);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc =
+	    json_add_address(&authentication, "remoteAddress", ui->remote_host);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "serviceDescription", ui->service_description);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "authDescription", ui->auth_description);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "clientDomain", ui->client.domain_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "clientAccount", ui->client.account_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "workstation", ui->workstation_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authentication, "becameAccount", account_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authentication, "becameDomain", domain_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_sid(&authentication, "becameSid", sid);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "mappedAccount", ui->mapped.account_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "mappedDomain", ui->mapped.domain_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authentication,
+			     "netlogonComputer",
+			     ui->netlogon_trust_account.computer_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authentication,
+			     "netlogonTrustAccount",
+			     ui->netlogon_trust_account.account_name);
+	if (rc != 0) {
+		goto failure;
+	}
 	snprintf(negotiate_flags,
 		 sizeof( negotiate_flags),
 		 "0x%08X",
 		 ui->netlogon_trust_account.negotiate_flags);
-	json_add_string(&authentication,
-			"netlogonNegotiateFlags",
-			negotiate_flags);
-	json_add_int(&authentication,
-		     "netlogonSecureChannelType",
-		     ui->netlogon_trust_account.secure_channel_type);
-	json_add_sid(&authentication,
-		     "netlogonTrustAccountSid",
-		     ui->netlogon_trust_account.sid);
-	json_add_string(&authentication, "passwordType", get_password_type(ui));
-	json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
+	rc = json_add_string(
+	    &authentication, "netlogonNegotiateFlags", negotiate_flags);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_int(&authentication,
+			  "netlogonSecureChannelType",
+			  ui->netlogon_trust_account.secure_channel_type);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_sid(&authentication,
+			  "netlogonTrustAccountSid",
+			  ui->netlogon_trust_account.sid);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authentication, "passwordType", get_password_type(ui));
+	if (rc != 0) {
+		goto failure;
+	}
+
+	wrapper = json_new_object();
+	if (json_is_invalid(&wrapper)) {
+		goto failure;
+	}
+	rc = json_add_timestamp(&wrapper);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
+	if (rc != 0) {
+		goto failure;
+	}
 
 	/*
 	 * While not a general-purpose profiling solution this will
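Review bot: every json_add_* call in log_authentication_event_json now jumps to failure on a non-zero return, so one field that cannot be added drops the whole authentication audit record, where the comment removed from lib/audit_logging/audit_logging.c in this same change described best-effort logging that continued after errors. Please confirm the helpers still return 0 for absent values (the netlogon and mapped fields look optional), otherwise such events would stop being logged. It would also help incident triage if the error path reported rc or the field that failed.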
@@ -192,18 +261,28 @@ static void log_authentication_event_json(
 		struct timeval current_time = timeval_current();
 		uint64_t duration =  usec_time_diff(&current_time,
 						    start_time);
-		json_add_int(&authentication,
-			     "duration",
-			     duration);
+		rc = json_add_int(&authentication, "duration", duration);
+		if (rc != 0) {
+			goto failure;
+		}
 	}
 
 	log_json(msg_ctx,
 		 lp_ctx,
 		 &wrapper,
-		 AUTH_JSON_TYPE,
 		 DBGC_AUTH_AUDIT_JSON,
 		 debug_level);
 	json_free(&wrapper);
+	return;
+failure:
+	/*
+	 * On a failure authentication will not have been added to wrapper so it
+	 * needs to be freed to avoid a leak.
+	 *
+	 */
+	json_free(&authentication);
+	json_free(&wrapper);
+	DBG_ERR("Failed to write authentication event JSON log message\n");
 }
 
 /*
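Review bot: the goto failure after json_add_int(&authentication, "duration", duration) is reached only after json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication) has already succeeded, but the failure label frees both objects and its comment states that authentication "will not have been added to wrapper". If json_add_object hands the child over to wrapper, this path releases authentication twice. Suggest adding duration before wrapper is built, or skipping json_free(&authentication) once it has been attached.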
@@ -218,8 +297,7 @@ static void log_authentication_event_json(
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log_file |\
- *  sed "s;^[^{]*;;" |\
+ *  grep "^  {" log_file |\
  *  jq -rc '"\(.timestamp)\t
  *           \(.Authorization.domain)\t
  *           \(.Authorization.account)\t
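Review bot: with the "JSON Authentication" prefix gone, grep "^  {" in this example matches every JSON audit line, so the jq expression is also fed Authentication records and prints null for .Authorization.domain and .Authorization.account. Suggest filtering on the wrapper's "type" field in the documented pipeline, for example select(.type == "Authorization") ahead of the format string, so the output contains authorization events only.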
@@ -237,53 +315,109 @@ static void log_successful_authz_event_json(
 	struct auth_session_info *session_info,
 	int debug_level)
 {
-	struct json_object wrapper = json_new_object();
-	struct json_object authorization;
+	struct json_object wrapper = json_empty_object;
+	struct json_object authorization = json_empty_object;
 	char account_flags[11];
+	int rc = 0;
 
-	json_add_timestamp(&wrapper);
-	json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
 	authorization = json_new_object();
-	json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
-	json_add_address(&authorization, "localAddress", local);
-	json_add_address(&authorization, "remoteAddress", remote);
-	json_add_string(&authorization,
-			"serviceDescription",
-			service_description);
-	json_add_string(&authorization, "authType", auth_type);
-	json_add_string(&authorization,
-			"domain",
-			session_info->info->domain_name);
-	json_add_string(&authorization,
-			"account",
-			session_info->info->account_name);
-	json_add_sid(&authorization,
-		     "sid",
-		     &session_info->security_token->sids[0]);
-	json_add_guid(&authorization,
-		      "sessionId",
-		      &session_info->unique_session_token);
-	json_add_string(&authorization,
-			"logonServer",
-			session_info->info->logon_server);
-	json_add_string(&authorization,
-			"transportProtection",
-			transport_protection);
+	if (json_is_invalid(&authorization)) {
+		goto failure;
+	}
+	rc = json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_address(&authorization, "localAddress", local);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_address(&authorization, "remoteAddress", remote);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "serviceDescription", service_description);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "authType", auth_type);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "domain", session_info->info->domain_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "account", session_info->info->account_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_sid(
+	    &authorization, "sid", &session_info->security_token->sids[0]);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_guid(
+	    &authorization, "sessionId", &session_info->unique_session_token);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "logonServer", session_info->info->logon_server);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "transportProtection", transport_protection);
+	if (rc != 0) {
+		goto failure;
+	}
 
 	snprintf(account_flags,
 		 sizeof(account_flags),
 		 "0x%08X",
 		 session_info->info->acct_flags);
-	json_add_string(&authorization, "accountFlags", account_flags);
-	json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization);
+	rc = json_add_string(&authorization, "accountFlags", account_flags);
+	if (rc != 0) {
+		goto failure;
+	}
+
+	wrapper = json_new_object();
+	if (json_is_invalid(&wrapper)) {
+		goto failure;
+	}
+	rc = json_add_timestamp(&wrapper);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization);
+	if (rc != 0) {
+		goto failure;
+	}
 
 	log_json(msg_ctx,
 		 lp_ctx,
 		 &wrapper,
-		 AUTHZ_JSON_TYPE,
 		 DBGC_AUTH_AUDIT_JSON,
 		 debug_level);
 	json_free(&wrapper);
+	return;
+failure:
+	/*
+	 * On a failure authorization will not have been added to wrapper so it
+	 * needs to be freed to avoid a leak.
+	 *
+	 */
+	json_free(&authorization);
+	json_free(&wrapper);
+	DBG_ERR("Unable to log Authentication event JSON audit message\n");
 }
 
 #else
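Review bot: the DBG_ERR at the failure label of log_successful_authz_event_json says "Unable to log Authentication event JSON audit message", but this function logs authorization events, so an operator reading the error would look at the wrong event type. Suggest "Authorization" here, and the same sentence shape as the message in log_authentication_event_json ("Failed to write ...") so both can be matched by one log search.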
diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c
index 4c0bcaf26ff..352881a62fe 100644
--- a/ctdb/tools/ctdb.c
+++ b/ctdb/tools/ctdb.c
@@ -1233,6 +1233,11 @@ static void print_statistics_machine(struct ctdb_statistics *s,
 	printf("%.6f%s", LATENCY_AVG(s->call_latency), options.sep);
 	printf("%.6f%s", s->call_latency.max, options.sep);
 
+	printf("%u%s", s->locks.latency.num, options.sep);
+	printf("%.6f%s", s->locks.latency.min, options.sep);
+	printf("%.6f%s", LATENCY_AVG(s->locks.latency), options.sep);
+	printf("%.6f%s", s->locks.latency.max, options.sep);
+
 	printf("%d%s", s->childwrite_latency.num, options.sep);
 	printf("%.6f%s", s->childwrite_latency.min, options.sep);
 	printf("%.6f%s", LATENCY_AVG(s->childwrite_latency), options.sep);
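Review bot: the new locks.latency.num line prints with "%u" while the neighbouring childwrite_latency.num uses "%d"; please check the field's type and use one specifier for the .num counters. These four columns are also inserted in the middle of the machine-readable row, which shifts every later field for existing parsers, and the diffstat shows only these 5 lines changed in ctdb/tools/ctdb.c, so the commit message should state that the header row already carries the matching column names.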
diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c
index f94f2c2a839..3bb49f7cfc3 100644
--- a/lib/audit_logging/audit_logging.c
+++ b/lib/audit_logging/audit_logging.c
@@ -20,31 +20,6 @@
 /*
  * Error handling:
  *
- * The json_object structure contains a boolean 'error'.  This is set whenever
- * an error is detected. All the library functions check this flag and return
- * immediately if it is set.
- *
- *	if (object->error) {
- *		return;
- *	}
- *
- * This allows the operations to be sequenced naturally with out the clutter
- * of error status checks.
- *
- *	audit = json_new_object();
- *	json_add_version(&audit, OPERATION_MAJOR, OPERATION_MINOR);
- *	json_add_int(&audit, "statusCode", ret);
- *	json_add_string(&audit, "status", ldb_strerror(ret));
- *	json_add_string(&audit, "operation", operation);
- *	json_add_address(&audit, "remoteAddress", remote);
- *	json_add_sid(&audit, "userSid", sid);
- *	json_add_string(&audit, "dn", dn);
- *	json_add_guid(&audit, "transactionId", &ac->transaction_guid);
- *	json_add_guid(&audit, "sessionId", unique_session_token);
- *
- * The assumptions are that errors will be rare, and that the audit logging
- * code should not cause failures. So errors are logged but processing
- * continues on a best effort basis.
  */
 
 #include "includes.h"
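Review bot: removing the description leaves a comment block that contains only the "Error handling:" heading. Either drop the heading too, or replace the body with the new convention that callers now follow (json_new_object() checked with json_is_invalid(), each json_add_* returning non-zero on failure, caller frees on error), since that contract is not written down anywhere in the visible change.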
@@ -67,7 +42,7 @@
  *
  * @param mem_ctx talloc memory context that owns the returned string.
  *
- * @return a human readable time stamp.
+ * @return a human readable time stamp, or NULL in the event of an error.
  *
  */
 char* audit_get_timestamp(TALLOC_CTX *frame)
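Review bot: the doc block being edited documents "@param mem_ctx" but the function signature directly below names the parameter "frame". Since the @return line is being corrected anyway, please rename one of them so the documentation matches the prototype.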
@@ -76,11 +51,11 @@ char* audit_get_timestamp(TALLOC_CTX *frame)
 	char tz[10];		/* formatted time zone			 */
 	struct tm* tm_info;	/* current local time			 */
 	struct timeval tv;	/* current system time			 */
-	int r;			/* response code from gettimeofday	 */
+	int ret;		/* response code			 */
 	char * ts;		/* formatted time stamp			 */
 
-	r = gettimeofday(&tv, NULL);
-	if (r) {
+	ret = gettimeofday(&tv, NULL);
+	if (ret != 0) {
 		DBG_ERR("Unable to get time of day: (%d) %s\n",
 			errno,
 			strerror(errno));
@@ -121,24 +96,48 @@ void audit_log_human_text(const char* prefix,
 }
 
 #ifdef HAVE_JANSSON
+/*
+ * Constant for empty json object initialisation
+ */
+const struct json_object json_empty_object = {.valid = false, .root = NULL};
 /*
  * @brief write a json object to the samba audit logs.
  *
  * Write the json object to the audit logs as a formatted string
  *
- * @param prefix Text to be printed at the start of the log line
  * @param message The content of the log line.
  * @param debub_class The debug class to log the message with.
  * @param debug_level The debug level to log the message with.
  */
-void audit_log_json(const char* prefix,
-		    struct json_object* message,
+void audit_log_json(struct json_object* message,
 		    int debug_class,
 		    int debug_level)
 {
-	TALLOC_CTX *ctx = talloc_new(NULL);
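Review bot: the doc comment for audit_log_json still has "@param debub_class" after the prefix parameter was removed from it; fix the spelling to debug_class while this block is being changed. The new json_empty_object definition is also followed directly by the opening of the next comment with no blank line, which makes the constant look like part of the audit_log_json documentation.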


-- 
Samba Shared Repository


