[SCM] Samba Shared Repository - branch v4-10-test updated

Karolin Seeger kseeger at samba.org
Fri Jun 21 11:15:03 UTC 2019


The branch, v4-10-test has been updated
       via  48c47f5dbbb wafsamba: Use native waf timer
       via  d106f5eb971 s3:mdssvc: fix flex compilation error
       via  7c80167e2af ctdb-scripts: Fix tcp_tw_recycle existence check
       via  4f32284840d docs: Improve documentation of "lanman auth" and "ntlm auth" connection
       via  47a96935df0 vfs_fruit: remove a now unnecessary include
       via  bdc257a1cba vfs_fruit: use VFS functions in ad_read_rsrc_adouble()
       via  2d6a2080afb vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()
       via  91ed0f8beb9 vfs_fruit: use VFS function in ad_convert_truncate()
       via  28cdc4421c2 vfs_fruit: add VFS handle to ad_convert_truncate()
       via  fef47b90e54 vfs_fruit: use fsp and remove mmap in ad_convert_xattr()
       via  7fc300d4655 vfs_fruit: remove use of mmap() from ad_convert_move_reso()
       via  d49df05e619 vfs_fruit: convert ad_open_rsrc() to open a proper fsp with SMB_VFS_CREATE_FILE()
       via  f5d1561c5b1 vfs_fruit: only do cross protocol locking on non-internal opens
       via  9ebfd4f2e51 vfs_fruit: remove a layer of indirection
       via  f890c4fb86c vfs_fruit: pass VFS handle to ad_convert_move_reso()
       via  8f49fbfdebb vfs_fruit: remove xattr code from the AppleDouble subsystem
       via  7bd5ceea7d2 vfs_fruit: remove now unused AppleDouble code for resource fork in xattr
       via  cc1ff660b80 vfs_fruit: use stream code for resource fork size calculation in readdir_attr_rfork_size()
       via  d1164d9f374 vfs_fruit: use correct case FRUIT_RSRC_STREAM in readdir_attr_rfork_size()
       via  8ceb0486446 vfs_fruit: ignore AppleDouble files in fruit_unlink()
       via  30f25ed6214 vfs_fruit: add a missing else
       via  8787ac7938c vfs_fruit: add and use is_adouble_file()
       via  2b8eeb231e0 vfs_fruit: finally, remove ad_handle from struct adouble
       via  ef0522b3434 vfs_fruit: pass handle to ad_convert_delete_adfile()
       via  f2b796844b1 vfs_fruit: pass handle to ad_convert_finderinfo()
       via  3ff1b960c5e vfs_fruit: pass handle to ad_convert_blank_rfork()
       via  4e22296dc6c vfs_fruit: pass handle to ad_convert_xattr()
       via  47e08c03ed8 vfs_fruit: indentation fix
       via  03d1328e33b vfs_fruit: pass handle to ad_read_rsrc() and all the way down
       via  9b4ad2a32a6 vfs_fruit: use proper VFS function in ad_read_meta()
       via  fd63fda7769 vfs_fruit: indentation fix
       via  7a99bba9294 vfs_fruit: pass handle to ad_read_meta()
       via  25ee7f97c6c vfs_fruit: pass handle to ad_read()
       via  ab9a428f335 vfs_fruit: pass handle to ad_set()
       via  92bc9e3e11c vfs_fruit: pass handle to ad_fset()
       via  730c24902d5 s3:auth: explicitly add BUILTIN\Guests to the guest token
       via  b312ceb5730 tests: add a test for guest authentication
       via  d8e33defa5a selftest: allow guest login in the ad_member_idmap_rid env
       via  90a538f4689 s3:smbd: call reinit_guest_session_info() in the conf updated handler
       via  7f6b171c3e9 s3:auth: add reinit_guest_session_info()
       via  813856c1c4e dsdb:audit_log: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."
       via  49acbea1378 ldb_kv: Skip @ records early in a search full scan
       via  d9fed540c36 samba-tool domain provision: Fix --interactive module in python3
       via  8867c178a9b ldap server: generate correct referral schemes
       via  207295b9523 ldap tests: test scheme for referrals
       via  fa1de54cd92 s3/vfs_glusterfs_fuse: Avoid using NAME_MAX directly
       via  778448469bb s3/vfs_glusterfs: Avoid using NAME_MAX directly
       via  bb688404227 Revert "s3/vfs_glusterfs_fuse: Dynamically determine NAME_MAX"
       via  f830628c3aa Revert "s3/vfs_glusterfs: Dynamically determine NAME_MAX"
      from  70e8344a043 VERSION: Bump version up to 4.10.6...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test


- Log -----------------------------------------------------------------
commit 48c47f5dbbb2722a718103267d4a0a40b4eaa6a0
Author: Lukas Slebodnik <lslebodn at fedoraproject.org>
Date:   Wed Jun 12 12:27:04 2019 +0200

    wafsamba: Use native waf timer
    
      __main__:1: DeprecationWarning: time.clock has been deprecated in Python 3.3
      and will be removed from Python 3.8: use time.perf_counter
      or time.process_time instead
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13998
    
    Signed-off-by: Lukas Slebodnik <lslebodn at fedoraproject.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 8f082904ce580f1a6b8a06ebcc323c99e892bd1f)
    
    Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-10-test): Fri Jun 21 11:14:16 UTC 2019 on sn-devel-144

commit d106f5eb9718d4f4e6305101709045314fde03a1
Author: Ralph Boehme <slow at samba.org>
Date:   Mon May 27 12:27:57 2019 +0200

    s3:mdssvc: fix flex compilation error
    
    [4440/4495] Compiling bin/default/source3/rpc_server/mdssvc/sparql_lexer.lex.c
    ../../source3/rpc_server/mdssvc/sparql_lexer.l:26: error: "yyalloc" redefined [-Werror]
    26 | #define yyalloc SMB_MALLOC
    
    Looks like the dirty redefine trick doesn't work anymore with newer flex
    versions. According to the flex manual the right thing to do is to provide own
    functions for yyalloc and yyrealloc when passing the options "noyyalloc
    noyyrealloc".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13987
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 9053391f86a529e0a7dbcd23fa3a555d85c2207c)

commit 7c80167e2af0afbf530b39efd677cdbffb32ad54
Author: Rafael David Tinoco via samba-technical <samba-technical at lists.samba.org>
Date:   Sun Jun 2 23:44:15 2019 -0300

    ctdb-scripts: Fix tcp_tw_recycle existence check
    
    net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
    makes sense to check its existence. Unfortunately, current check does
    not test for the procfs file existence. This commit fixes the issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13984
    
    Signed-off-by: Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Jun  4 23:31:24 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 843fbb1207ee7ac84f3282974b66b9290d8da0ac)

commit 4f32284840dd5d80df6676019641fcb276bf763e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 1 09:04:48 2019 +1200

    docs: Improve documentation of "lanman auth" and "ntlm auth" connection
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)

commit 47a96935df0a1914ca086410c2592cc96f0a378d
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 15:15:59 2019 +0200

    vfs_fruit: remove a now unnecessary include
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 9a2c9834cb1b77547b8b932c35870301afb9fc25)

commit bdc257a1cbac7e8c73a084b618ba642476807483
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 14:51:17 2019 +0200

    vfs_fruit: use VFS functions in ad_read_rsrc_adouble()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 9fe84a6345bf5d9fdb1df87a853db3380e6fb0f7)

commit 2d6a2080afb8d2c9c3734904acf7b3e9f75445a1
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 12:51:15 2019 +0200

    vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 70c4a8f0ac307009c26e857523192c95b42a92f5)

commit 91ed0f8beb951de5c13c170e3ce49408256d91d2
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 12:07:55 2019 +0200

    vfs_fruit: use VFS function in ad_convert_truncate()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 3739ad90cf2bbaa2094a34197c894363d2e24a5a)

commit 28cdc4421c2a93f187b58e709c475881929e0d37
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 12:05:51 2019 +0200

    vfs_fruit: add VFS handle to ad_convert_truncate()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 4e44b1da9357120f0ad74e24c650bc6386085c47)

commit fef47b90e5411c641b5ce8842bbe035e4ea51f0c
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 24 11:54:51 2019 +0200

    vfs_fruit: use fsp and remove mmap in ad_convert_xattr()
    
    No need to mmap() anyway, the xattr data is already available in ad->ad_data.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 4ff7ea0e0312c737aefd350f7b8fbed4c8602325)

commit 7fc300d4655423e7d3daa3e6261c43d6a3805e27
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 23 22:44:21 2019 +0200

    vfs_fruit: remove use of mmap() from ad_convert_move_reso()
    
    We now have an fsp that we can use, so we can get rid of mmap() and
    sys_pread()/sys_pwrite().
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 0041855af0b05d6c47558880d6eebd1970179272)

commit d49df05e619876b4ea986bdc7d51bb3eaf685c2f
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 23 16:42:52 2019 +0200

    vfs_fruit: convert ad_open_rsrc() to open a proper fsp with SMB_VFS_CREATE_FILE()
    
    A first step in converting all raw syscalls to use proper VFS functions. All
    existing users of the raw system filedescriptor continue to use the fd from
    fsp->fh for now.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 29418c726be74feb1d8c3ac9f7b8c983901a2aab)

commit f5d1561c5b1b2efd99e1fc010d9fe8594dd2620a
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 23 16:22:39 2019 +0200

    vfs_fruit: only do cross protocol locking on non-internal opens
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit f5f7d1e9bf7e39933ccf7c874e682f9df80a6fec)

commit 9ebfd4f2e5194bad340d2b9093e15730a15c15a0
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 23 08:27:37 2019 +0200

    vfs_fruit: remove a layer of indirection
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 97d485ff2cda85edeba163ea01b6abfa705db20f)

commit f890c4fb86cbb6603da8b040559a4e5704cbe0e4
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 23 08:14:18 2019 +0200

    vfs_fruit: pass VFS handle to ad_convert_move_reso()
    
    Not used for now, that comes next.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 3919ea048fe3b763657e14cdfb5920184a900d27)

commit 8f49fbfdebb6ae61556a533cdf56deaae5cec36e
Author: Ralph Boehme <slow at samba.org>
Date:   Wed May 22 21:15:22 2019 +0200

    vfs_fruit: remove xattr code from the AppleDouble subsystem
    
    The subsystem consumers have been reworked in the previous commits, so this is
    not used anymore. ad_init() doesn't need a handle argument anymore due to this,
    remove it as well.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e3cb1cb24f2a31d7fd03f3bdf417f4704fb4ac7c)

commit 7bd5ceea7d2d9be05e234ca25dc2b7932b820072
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 14:31:15 2019 +0200

    vfs_fruit: remove now unused AppleDouble code for resource fork in xattr
    
    This was only needed to get the resourcefork size via the ad_* AppleDouble
    function. This is now done with a fstat on the low level xattr fd (remember,
    this is Solaris only code...), so we can remove the xattr special casing from
    the AppleDouble functions.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit cb9dffa1c66294b6eed85e7576aa99c642d0b541)

commit cc1ff660b804c0270a022ce1780078bc62973d15
Author: Ralph Boehme <slow at samba.org>
Date:   Wed May 22 18:08:14 2019 +0200

    vfs_fruit: use stream code for resource fork size calculation in readdir_attr_rfork_size()
    
    This works as well, using an fstat() on the filehandle to get the size. This is
    tested by the torture test "vfs.fruit.SMB2/CREATE context AAPL".
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit a23bcc1916a49bf3e0edece190e5434e39862d2c)

commit d1164d9f374f4b5f7a95a04a0db6213a7cd1318f
Author: Ralph Boehme <slow at samba.org>
Date:   Wed May 22 17:02:20 2019 +0200

    vfs_fruit: use correct case FRUIT_RSRC_STREAM in readdir_attr_rfork_size()
    
    This is a genuine bug, but luckily this would only impact configs which nobody
    uses:
    
      fruit:metadata = netatalk
      fruit:resource = stream
    
    With the above configuration the switch in readdir_attr_rfork_size() would hit
    the default case and so always report resource forks as 0 bytes in size.
    
    All deployment that I've seen that use fruit:resource=stream also use
    fruit:metadata=stream, so the switch takes FRUIT_META_STREAM case which runs the
    correct code readdir_attr_rfork_size_stream().
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 83179a74119de84d20f796c241aae6bccb83a68b)

commit 8ceb048644605affc6fbefbb7d14c512d24af79e
Author: Ralph Boehme <slow at samba.org>
Date:   Tue May 21 11:42:47 2019 +0200

    vfs_fruit: ignore AppleDouble files in fruit_unlink()
    
    Otherwise, if SMB_VFS_UNLINK() is called for an AppleDouble path "._file", we
    try to delete "._._file" which doesn't make sense. AppleDouble files don't have
    AppleDouble themselves.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 797dc649456f39add4af8b54b60db0268ad4e90e)

commit 30f25ed6214aca17de70da3482a2b26bbac2ebcd
Author: Ralph Boehme <slow at samba.org>
Date:   Tue May 21 11:40:33 2019 +0200

    vfs_fruit: add a missing else
    
    Luckily the missing else has the same control flow due to the previous if and
    else blocks calling return.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 44d8568001c87d28962dfc4e3fde6d0f7f409997)

commit 8787ac7938c94e7ba21477354afc1059ab804e67
Author: Ralph Boehme <slow at samba.org>
Date:   Tue May 21 11:39:18 2019 +0200

    vfs_fruit: add and use is_adouble_file()
    
    This adds a helper function that checks whether the last component of a path is
    an AppleDouble sidecar file with "._" name prefix.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit ad70c947c759aa0965ee57f973fb8dc1909e0e39)

commit 2b8eeb231e0df6a85a51e8d9029deb3789cdae03
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 12:19:06 2019 +0200

    vfs_fruit: finally, remove ad_handle from struct adouble
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e266daaed149561b746dbb8d5e9523862f0057b5)

commit ef0522b3434735db2c5e2673709277725e823e3a
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 12:17:28 2019 +0200

    vfs_fruit: pass handle to ad_convert_delete_adfile()
    
    On the course of removing ad_handle from struct adouble, step 10.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 5f4d16b40e07acf8d27fee62f1a56de175663a1d)

commit f2b796844b1f8dc8486e7859db8c9798db9562f8
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 12:05:07 2019 +0200

    vfs_fruit: pass handle to ad_convert_finderinfo()
    
    On the course of removing ad_handle from struct adouble, step 9.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 50874c1548d62ab0ddaaa6dd4124279ee5029fcf)

commit 3ff1b960c5efab543e60e7758c4e2e3cfe85234e
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 12:02:46 2019 +0200

    vfs_fruit: pass handle to ad_convert_blank_rfork()
    
    On the course of removing ad_handle from struct adouble, step 8.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit adc7ac38b849b4dce4a85fd6442c8d4b9da57686)

commit 4e22296dc6c716c7df4e386ca331c6a0163ad1c5
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:54:10 2019 +0200

    vfs_fruit: pass handle to ad_convert_xattr()
    
    On the course of removing ad_handle from struct adouble, step 7.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit fd2f4cf828ee4c31e3b5a27a79d3a0ee12a5877a)

commit 47e08c03ed8d419d6ce021fabab34c09e84f65ef
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:23:17 2019 +0200

    vfs_fruit: indentation fix
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 400b3c2f8c82b1defe1e321e0cdae486b930344f)

commit 03d1328e33bbf8dcbbc8c1c35c72bc5551e8dae4
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:47:26 2019 +0200

    vfs_fruit: pass handle to ad_read_rsrc() and all the way down
    
    On the course of removing ad_handle from struct adouble, step 5.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 661dfa4a19673fdb30d5bf36279cdf867454b947)

commit 9b4ad2a32a620f9d21be095beeb3a5d5c7cc32b8
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:42:06 2019 +0200

    vfs_fruit: use proper VFS function in ad_read_meta()
    
    Continuing to ignore a possible error for now, this is in an error codepath
    anyway.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 30ca328c698c2e035e240359bda7c9dcbeb646df)

commit fd63fda7769e31dc5e907be1dfc90dfbcf22589f
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:23:17 2019 +0200

    vfs_fruit: indentation fix
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 47721d8d359ef78b8dd4f77f92c30c2caf2c4a80)

commit 7a99bba92946a1b61495501ce9f026d789643073
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:22:24 2019 +0200

    vfs_fruit: pass handle to ad_read_meta()
    
    On the course of removing ad_handle from struct adouble, step 4.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit f8df09157f31b53dbe73eaf4349fc071bfcc1b90)

commit 25ee7f97c6cf7973a359c4aec5831283cd095c05
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 11:19:53 2019 +0200

    vfs_fruit: pass handle to ad_read()
    
    On the course of removing ad_handle from struct adouble, step 3.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit d0abf945e683766029d28915541a4baf9f3879ab)

commit ab9a428f33589225b1d5e1a00c4ee00202c53cf4
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 10:43:55 2019 +0200

    vfs_fruit: pass handle to ad_set()
    
    On the course of removing ad_handle from struct adouble, step 2.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit c78ba30ac4534b7037b979ac96b77b834b2eb2fe)

commit 92bc9e3e11c73429c7f3059991c8673ece58bc55
Author: Ralph Boehme <slow at samba.org>
Date:   Fri May 17 10:41:29 2019 +0200

    vfs_fruit: pass handle to ad_fset()
    
    On the course of removing ad_handle from struct adouble, step 1.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 585d4d49770b4ddc3f7d9dcbb3e322f072767781)

commit 730c24902d5e3dd88ab62072d9f3eaee8657fca2
Author: Ralph Boehme <slow at samba.org>
Date:   Mon May 13 20:16:47 2019 +0200

    s3:auth: explicitly add BUILTIN\Guests to the guest token
    
    This changes ensures that smbd always adds BUILTIN\Guests to the guest token
    which is required for guest authentication.
    
    Currently the guest token depends on the on-disk configured group mappings. If
    there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
    a member, the final guest token won't contain BUILTIN\Guests.
    
    For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2
    SESSION_SETUP response, because smbd sets it based on the token containing the
    BUILTIN\Guests SID S-1-5-32-546.
    
    At the same time, the packet is not signed which causes Windows clients and
    smbclient to reject the unsigned SMB2 SESSION_SETUP response.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
    
    Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Jun  5 16:55:26 UTC 2019 on sn-devel-184
    
    (cherry picked from commit a66af4c96accba4ee64eeb1958458b69f3ccec1d)

commit b312ceb5730bf76a989d5b0a9744ebfdeca22e27
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 16 12:47:34 2019 +0200

    tests: add a test for guest authentication
    
    This verifies that smbd always adds BUILTIN\Guests to the guest token which is
    required for guest authentication.
    
    Currently the guest token depends on the on-disk configured group mappings. If
    there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
    a member, the final guest token won't contain BUILTIN\Guests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0e88f98855e24cfddb55bef65c5910b8e662c630)

commit d8e33defa5a167d80dc304fffe860345b3a1aaa9
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 16 12:43:40 2019 +0200

    selftest: allow guest login in the ad_member_idmap_rid env
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ac2167eb2349dc1c453e14a65692f16c8ba6532e)

commit 90a538f4689488a9adc3ab9f504cc9bc1716e1ff
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 16 12:42:54 2019 +0200

    s3:smbd: call reinit_guest_session_info() in the conf updated handler
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f4e340a48b6f059a1daa66deb9c26da9e8fcd5e7)

commit 7f6b171c3e94ab96ed53633657254eaf2d562668
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 16 12:42:29 2019 +0200

    s3:auth: add reinit_guest_session_info()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8096cc7eb2b36b074ff17a52dc3540be4ecff6bb)

commit 813856c1c4ee7954e1de8e7112db40a11b8f8001
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 26 14:31:46 2019 +0000

    dsdb:audit_log: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."
    
    We better print "... remote host [Unknown] SID [S-1-5-18] ..."
    in 'dsdb_audit' message, this matches what we print for
    'dsdb_json_audit'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 706aba5bf62e674ae12786f6ab275752b8714464)

commit 49acbea1378152eccb37dc6d25e2855bd7faf461
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Apr 5 10:46:50 2019 +1300

    ldb_kv: Skip @ records early in a search full scan
    
    @ records like @IDXLIST are only available via a base search on the specific name
    but the method by which they were excluded was expensive, after the unpack the
    DN is exploded and ldb_match_msg_error() would reject it for failing to match the
    scope.
    
    This uses the fact that @ records have the DN=@ prefix on their TDB/LMDB key
    to quickly exclude them from consideration.
    
    Based on analysis by Garming Sam.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13893
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Apr 10 06:23:39 UTC 2019 on sn-devel-144
    
    (cherry picked from commit 49b77d8df2d7113ac7ddb75e78de6628933ff852)

commit d9fed540c3669564919997cdfb1500e34f397cc5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Mar 10 23:38:27 2019 +0000

    samba-tool domain provision: Fix --interactive module in python3
    
    The prompts were not being printed to the screen because the stream
    was not being flushed.
    
    As reported on the samba mailing list by Adam Xu:
    https://lists.samba.org/archive/samba/2019-March/221753.html
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13828
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Tim Beale <timbeale at catalyst.net.nz>
    (cherry picked from commit 31aecee1446c5006771aaa535ae85810bbfb5db0)

commit 8867c178a9b22f5ed85ec056498ac4647d7f6de5
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue May 21 13:17:22 2019 +1200

    ldap server: generate correct referral schemes
    
    Ensure that the referrals returned in a search request use the same
    scheme as the request, i.e. referrals recieved via ldap are prefixed
    with "ldap://" and those over ldaps are prefixed with "ldaps://"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa)

commit 207295b952365c3785a2f2165c3510b3d4864d77
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Tue May 21 13:14:08 2019 +1200

    ldap tests: test scheme for referrals
    
    Ensure that the referrals returned in a search request use the same
    scheme as the request, i.e. referrals recieved via ldap are prefixed
    with "ldap://" and those over ldaps are prefixed with "ldaps://"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)

commit fa1de54cd92c96bbf914eb39d712f59d5a2f3160
Author: Günther Deschner <gd at samba.org>
Date:   Mon Jun 3 16:28:36 2019 +0200

    s3/vfs_glusterfs_fuse: Avoid using NAME_MAX directly
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Jun 11 00:29:19 UTC 2019 on sn-devel-184

commit 778448469bbe68b2942083a4c9b020717213ed25
Author: Günther Deschner <gd at samba.org>
Date:   Mon Jun 3 16:25:46 2019 +0200

    s3/vfs_glusterfs: Avoid using NAME_MAX directly
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit bb6884042272b943449a225a76d7fab18c2ca00f
Author: Günther Deschner <gd at samba.org>
Date:   Mon Jun 3 14:27:44 2019 +0200

    Revert "s3/vfs_glusterfs_fuse: Dynamically determine NAME_MAX"
    
    This reverts commit e28d172b00cadf492c22bd892e2dda3bf2fe2d70.
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit f830628c3aaf7e7e6243b889c67dfe661f568f24
Author: Günther Deschner <gd at samba.org>
Date:   Mon Jun 3 14:27:18 2019 +0200

    Revert "s3/vfs_glusterfs: Dynamically determine NAME_MAX"
    
    This reverts commit 8e3a042eb9e502821b147f1bbb2d98d59f17a095.
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_deps.py           |  25 +-
 ctdb/config/nfs-linux-kernel-callout        |   4 +-
 docs-xml/smbdotconf/security/lanmanauth.xml |  14 +-
 docs-xml/smbdotconf/security/ntlmauth.xml   |   9 +-
 lib/ldb/include/ldb_module.h                |   5 +
 lib/ldb/ldb_key_value/ldb_kv.c              |  12 +-
 lib/ldb/ldb_key_value/ldb_kv.h              |   7 +-
 lib/ldb/ldb_key_value/ldb_kv_index.c        |  14 +-
 lib/ldb/ldb_key_value/ldb_kv_search.c       |  19 +-
 python/samba/netcmd/domain.py               |   1 +
 python/samba/tests/ldap_referrals.py        |  91 ++++++
 selftest/target/Samba3.pm                   |   1 +
 source3/auth/auth_util.c                    |  26 ++
 source3/auth/proto.h                        |   1 +
 source3/modules/vfs_fruit.c                 | 485 +++++++++++++---------------
 source3/modules/vfs_glusterfs.c             |  41 +--
 source3/modules/vfs_glusterfs_fuse.c        |  34 +-
 source3/rpc_server/mdssvc/sparql_lexer.l    |  12 +-
 source3/script/tests/test_guest_auth.sh     | 103 ++++++
 source3/selftest/tests.py                   |   5 +
 source3/smbd/server.c                       |   6 +
 source4/dsdb/samdb/ldb_modules/audit_log.c  |   4 +-
 source4/dsdb/samdb/ldb_modules/partition.c  |  16 +-
 source4/ldap_server/ldap_backend.c          |  18 ++
 source4/ldap_server/ldap_server.c           |   1 +
 source4/ldap_server/ldap_server.h           |   6 +
 source4/selftest/tests.py                   |   9 +
 27 files changed, 609 insertions(+), 360 deletions(-)
 create mode 100644 python/samba/tests/ldap_referrals.py
 create mode 100755 source3/script/tests/test_guest_auth.sh


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py
index f8c38809bd2..03c37079a8c 100644
--- a/buildtools/wafsamba/samba_deps.py
+++ b/buildtools/wafsamba/samba_deps.py
@@ -1,6 +1,6 @@
 # Samba automatic dependency handling and project rules
 
-import os, sys, re, time
+import os, sys, re
 
 from waflib import Build, Options, Logs, Utils, Errors
 from waflib.Logs import debug
@@ -1102,8 +1102,7 @@ def check_project_rules(bld):
     if not force_project_rules and load_samba_deps(bld, tgt_list):
         return
 
-    global tstart
-    tstart = time.clock()
+    timer = Utils.Timer()
 
     bld.new_rules = True
     Logs.info("Checking project rules ...")
@@ -1112,26 +1111,26 @@ def check_project_rules(bld):
 
     expand_subsystem_deps(bld)
 
-    debug("deps: expand_subsystem_deps: %f" % (time.clock() - tstart))
+    debug("deps: expand_subsystem_deps: %s" % str(timer))
 
     replace_grouping_libraries(bld, tgt_list)
 
-    debug("deps: replace_grouping_libraries: %f" % (time.clock() - tstart))
+    debug("deps: replace_grouping_libraries: %s" % str(timer))
 
     build_direct_deps(bld, tgt_list)
 
-    debug("deps: build_direct_deps: %f" % (time.clock() - tstart))
+    debug("deps: build_direct_deps: %s" % str(timer))
 
     break_dependency_loops(bld, tgt_list)
 
-    debug("deps: break_dependency_loops: %f" % (time.clock() - tstart))
+    debug("deps: break_dependency_loops: %s" % str(timer))
 
     if Options.options.SHOWDEPS:
             show_dependencies(bld, Options.options.SHOWDEPS, set())
 
     calculate_final_deps(bld, tgt_list, loops)
 
-    debug("deps: calculate_final_deps: %f" % (time.clock() - tstart))
+    debug("deps: calculate_final_deps: %s" % str(timer))
 
     if Options.options.SHOW_DUPLICATES:
             show_object_duplicates(bld, tgt_list)
@@ -1140,7 +1139,7 @@ def check_project_rules(bld):
     for f in [ build_dependencies, build_includes, add_init_functions ]:
         debug('deps: project rules checking %s', f)
         for t in tgt_list: f(t)
-        debug("deps: %s: %f" % (f, time.clock() - tstart))
+        debug("deps: %s: %s" % (f, str(timer)))
 
     debug('deps: project rules stage1 completed')
 
@@ -1148,17 +1147,17 @@ def check_project_rules(bld):
         Logs.error("Duplicate sources present - aborting")
         sys.exit(1)
 
-    debug("deps: check_duplicate_sources: %f" % (time.clock() - tstart))
+    debug("deps: check_duplicate_sources: %s" % str(timer))
 
     if not bld.check_group_ordering(tgt_list):
         Logs.error("Bad group ordering - aborting")
         sys.exit(1)
 
-    debug("deps: check_group_ordering: %f" % (time.clock() - tstart))
+    debug("deps: check_group_ordering: %s" % str(timer))
 
     show_final_deps(bld, tgt_list)
 
-    debug("deps: show_final_deps: %f" % (time.clock() - tstart))
+    debug("deps: show_final_deps: %s" % str(timer))
 
     debug('deps: project rules checking completed - %u targets checked',
           len(tgt_list))
@@ -1166,7 +1165,7 @@ def check_project_rules(bld):
     if not bld.is_install:
         save_samba_deps(bld, tgt_list)
 
-    debug("deps: save_samba_deps: %f" % (time.clock() - tstart))
+    debug("deps: save_samba_deps: %s" % str(timer))
 
     Logs.info("Project rules pass")
 
diff --git a/ctdb/config/nfs-linux-kernel-callout b/ctdb/config/nfs-linux-kernel-callout
index 3d1dc63c590..12ed17c6d9e 100755
--- a/ctdb/config/nfs-linux-kernel-callout
+++ b/ctdb/config/nfs-linux-kernel-callout
@@ -281,8 +281,8 @@ nfs_startup ()
     basic_stop "nfs" || true
     basic_start "nfs"
     _f="${PROCFS_PATH}/sys/net/ipv4/tcp_tw_recycle"
-    if [ "$_f" ] ; then
-	echo 1 >"$_f"
+    if [ -f "$_f" ] ; then
+	    echo 1 >"$_f"
     fi
 }
 
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index a9e4f88b89f..97f2fb04dcb 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -24,16 +24,18 @@
     auth is re-enabled later on.
     </para>
 		
-    <para>Unlike the <command moreinfo="none">encrypt
-    passwords</command> option, this parameter cannot alter client
+    <para>Unlike the <parameter moreinfo="none">encrypt
+    passwords</parameter> option, this parameter cannot alter client
     behaviour, and the LANMAN response will still be sent over the
     network.  See the <command moreinfo="none">client lanman
     auth</command> to disable this for Samba's clients (such as smbclient)</para>
 
-    <para>If this option, and <command moreinfo="none">ntlm
-    auth</command> are both disabled, then only NTLMv2 logins will be
-    permited.  Not all clients support NTLMv2, and most will require
-    special configuration to use it.</para>
+    <para>This parameter is overriden by <parameter moreinfo="none">ntlm
+    auth</parameter>, so unless that it is also set to
+    <constant>ntlmv1-permitted</constant> or <constant>yes</constant>,
+    then only NTLMv2 logins will be permited and no LM hash will be
+    stored.  All modern clients support NTLMv2, and but some older
+    clients require special configuration to use it.</para>
 </description>
 
 <value type="default">no</value>
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index dceae44d81b..dd5dbaea117 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -19,11 +19,9 @@
     control NTLM authentiation for domain users, this must option must
     be configured on each DC.</para>
 
-    <para>By default with <command moreinfo="none">lanman
-    auth</command> set to <constant>no</constant> and
-    <command moreinfo="none">ntlm auth</command> set to
+    <para>By default with <command moreinfo="none">ntlm auth</command> set to
     <constant>ntlmv2-only</constant> only NTLMv2 logins will be
-    permited.  Most clients support NTLMv2 by default, but some older
+    permited.  All modern clients support NTLMv2 by default, but some older
     clients will require special configuration to use it.</para>
 
     <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
@@ -35,6 +33,9 @@
           <para><constant>ntlmv1-permitted</constant>
 	  (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
 
+	  <para>This is the required setting for to enable the <parameter
+	  moreinfo="none">lanman auth</parameter> parameter.</para>
+
         </listitem>
 
         <listitem>
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 6ba2a49300a..c73fc37f3aa 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -103,6 +103,11 @@ struct ldb_module;
  * attributes, not to be printed in trace messages */
 #define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST"
 
+/*
+ * The scheme to be used for referral entries, i.e. ldap or ldaps
+ */
+#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME"
+
 /*
    these function pointers define the operations that a ldb module can intercept
 */
diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c
index d4f896736a2..31bdfb532f2 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.c
+++ b/lib/ldb/ldb_key_value/ldb_kv.c
@@ -63,12 +63,22 @@ struct ldb_kv_req_spy {
  * Determine if this key could hold a record.  We allow the new GUID
  * index, the old DN index and a possible future ID=
  */
-bool ldb_kv_key_is_record(struct ldb_val key)
+bool ldb_kv_key_is_normal_record(struct ldb_val key)
 {
 	if (key.length < 4) {
 		return false;
 	}
 
+	/*
+	 * @ records are not normal records, we don't want to index
+	 * them nor search on them
+	 */
+	if (key.length > 4 &&
+	    memcmp(key.data, "DN=@", 4) == 0) {
+		return false;
+	}
+
+	/* All other DN= records are however */
 	if (memcmp(key.data, "DN=", 3) == 0) {
 		return true;
 	}
diff --git a/lib/ldb/ldb_key_value/ldb_kv.h b/lib/ldb/ldb_key_value/ldb_kv.h
index 5070a588c00..cbc5213c765 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.h
+++ b/lib/ldb/ldb_key_value/ldb_kv.h
@@ -231,10 +231,11 @@ int ldb_kv_search(struct ldb_kv_context *ctx);
 /*
  * The following definitions come from lib/ldb/ldb_key_value/ldb_kv.c  */
 /*
- * Determine if this key could hold a record.  We allow the new GUID
- * index, the old DN index and a possible future ID=
+ * Determine if this key could hold a normal record.  We allow the new
+ * GUID index, the old DN index and a possible future ID= but not
+ * DN=@.
  */
-bool ldb_kv_key_is_record(struct ldb_val key);
+bool ldb_kv_key_is_normal_record(struct ldb_val key);
 struct ldb_val ldb_kv_key_dn(struct ldb_module *module,
 			     TALLOC_CTX *mem_ctx,
 			     struct ldb_dn *dn);
diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c
index 6d02c91a597..af02107b5d2 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_index.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c
@@ -2925,12 +2925,7 @@ static int re_key(struct ldb_kv_private *ldb_kv,
 
 	ldb = ldb_module_get_ctx(module);
 
-	if (key.length > 4 &&
-	    memcmp(key.data, "DN=@", 4) == 0) {
-		return 0;
-	}
-
-	is_record = ldb_kv_key_is_record(key);
+	is_record = ldb_kv_key_is_normal_record(key);
 	if (is_record == false) {
 		return 0;
 	}
@@ -3012,12 +3007,7 @@ static int re_index(struct ldb_kv_private *ldb_kv,
 
 	ldb = ldb_module_get_ctx(module);
 
-	if (key.length > 4 &&
-	    memcmp(key.data, "DN=@", 4) == 0) {
-		return 0;
-	}
-
-	is_record = ldb_kv_key_is_record(key);
+	is_record = ldb_kv_key_is_normal_record(key);
 	if (is_record == false) {
 		return 0;
 	}
diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c
index a384ee92367..a54f6149b60 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_search.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c
@@ -512,7 +512,24 @@ static int search_func(struct ldb_kv_private *ldb_kv,
 	ac = talloc_get_type(state, struct ldb_kv_context);
 	ldb = ldb_module_get_ctx(ac->module);
 
-	if (ldb_kv_key_is_record(key) == false) {
+	/*
+	 * We want to skip @ records early in a search full scan
+	 *
+	 * @ records like @IDXLIST are only available via a base
+	 * search on the specific name but the method by which they
+	 * were excluded was expensive, after the unpack the DN is
+	 * exploded and ldb_match_msg_error() would reject it for
+	 * failing to match the scope.
+	 *
+	 * ldb_kv_key_is_normal_record() uses the fact that @ records
+	 * have the DN=@ prefix on their TDB/LMDB key to quickly
+	 * exclude them from consideration.
+	 *
+	 * (any other non-records are also excluded by the same key
+	 * match)
+	 */
+
+	if (ldb_kv_key_is_normal_record(key) == false) {
 		return 0;
 	}
 
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 8ebaefa26d6..916c88c87a0 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -390,6 +390,7 @@ class cmd_domain_provision(Command):
                     print("%s [%s]: " % (prompt, default), end=' ')
                 else:
                     print("%s: " % (prompt,), end=' ')
+                sys.stdout.flush()
                 return sys.stdin.readline().rstrip("\n") or default
 
             try:
diff --git a/python/samba/tests/ldap_referrals.py b/python/samba/tests/ldap_referrals.py
new file mode 100644
index 00000000000..86a39d4e602
--- /dev/null
+++ b/python/samba/tests/ldap_referrals.py
@@ -0,0 +1,91 @@
+# Test that ldap referral entiries are created and formatted correctly
+#
+# Copyright (C) Andrew Bartlett 2019
+#
+# Based on Unit tests for the notification control
+# Copyright (C) Stefan Metzmacher 2016
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import print_function
+import optparse
+import os
+import sys
+
+import samba
+from samba.auth import system_session
+import samba.getopt as options
+from samba import ldb
+from samba.samdb import SamDB
+import samba.tests
+from samba.tests.subunitrun import SubunitOptions
+
+sys.path.insert(0, "bin/python")
+parser = optparse.OptionParser("ldap_referrals.py [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+
+class LdapReferralTest(samba.tests.TestCase):
+
+    def setUp(self):
+        super(LdapReferralTest, self).setUp()
+
+    # The referral entries for an ldap request should have the ldap scheme
+    # i.e. then should all start with "ldap://"
+    def test_ldap_search(self):
+        server = os.environ["SERVER"]
+        url = "ldap://{0}".format(server)
+        db = SamDB(
+            url, credentials=creds, session_info=system_session(lp), lp=lp)
+        res = db.search(
+            base=db.domain_dn(),
+            expression="(objectClass=nonexistent)",
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["objectGUID", "samAccountName"])
+
+        referals = res.referals
+        for referal in referals:
+            self.assertTrue(
+                referal.startswith("ldap://"),
+                "{0} does not start with ldap://".format(referal))
+
+    # The referral entries for an ldaps request should have the ldaps scheme
+    # i.e. then should all start with "ldaps://"
+    def test_ldaps_search(self):
+        server = os.environ["SERVER"]
+        url = "ldaps://{0}".format(server)
+        db = SamDB(
+            url, credentials=creds, session_info=system_session(lp), lp=lp)
+        res = db.search(
+            base=db.domain_dn(),
+            expression="(objectClass=nonexistent)",
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["objectGUID", "samAccountName"])
+
+        referals = res.referals
+        for referal in referals:
+            self.assertTrue(
+                referal.startswith("ldaps://"),
+                "{0} does not start with ldaps://".format(referal))
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 892a6a15e2d..9d88253c9fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -609,6 +609,7 @@ sub setup_ad_member_idmap_rid
 	# Prevent overridding the provisioned lib/krb5.conf which sets certain
 	# values required for tests to succeed
 	create krb5 conf = no
+        map to guest = bad user
 ";
 
 	my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d78dbed14b2..8ff20c33759 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1387,6 +1387,21 @@ static NTSTATUS make_new_session_info_guest(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
+	/*
+	 * It's ugly, but for now it's
+	 * needed to force Builtin_Guests
+	 * here, because memberships of
+	 * Builtin_Guests might be incomplete.
+	 */
+	status = add_sid_to_array_unique(session_info->security_token,
+					 &global_sid_Builtin_Guests,
+					 &session_info->security_token->sids,
+					 &session_info->security_token->num_sids);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("Failed to force Builtin_Guests to nt token\n");
+		goto done;
+	}
+
 	/* annoying, but the Guest really does have a session key, and it is
 	   all zeros! */
 	session_info->session_key = data_blob_talloc_zero(session_info, 16);
@@ -1722,6 +1737,17 @@ bool init_guest_session_info(TALLOC_CTX *mem_ctx)
 	return true;
 }
 
+bool reinit_guest_session_info(TALLOC_CTX *mem_ctx)
+{
+	TALLOC_FREE(guest_info);
+	TALLOC_FREE(guest_server_info);
+	TALLOC_FREE(anonymous_info);
+
+	DBG_DEBUG("Reinitialing guest info\n");
+
+	return init_guest_session_info(mem_ctx);
+}
+
 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
 				struct auth_serversupplied_info **server_info)
 {
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 75cf1e6724f..fcfd1f36ca2 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -271,6 +271,7 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
 					 bool is_guest,
 					 struct auth_session_info **session_info);
 bool init_guest_session_info(TALLOC_CTX *mem_ctx);
+bool reinit_guest_session_info(TALLOC_CTX *mem_ctx);
 NTSTATUS init_system_session_info(TALLOC_CTX *mem_ctx);
 bool session_info_set_session_key(struct auth_session_info *info,
 				 DATA_BLOB session_key);
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index be85c9f5412..20121818129 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -29,7 +29,6 @@
 #include "messages.h"
 #include "libcli/security/security.h"
 #include "../libcli/smb/smb2_create_ctx.h"
-#include "lib/util/sys_rw.h"
 #include "lib/util/tevent_ntstatus.h"
 #include "lib/util/tevent_unix.h"
 #include "offload_token.h"
@@ -411,8 +410,7 @@ struct ad_entry {
 };
 
 struct adouble {
-	vfs_handle_struct        *ad_handle;
-	int                       ad_fd;
+	files_struct             *ad_fsp;
 	bool                      ad_opened;
 	adouble_type_t            ad_type;
 	uint32_t                  ad_magic;
@@ -450,18 +448,6 @@ struct ad_entry_order entry_order_dot_und[ADEID_NUM_DOT_UND + 1] = {
 	{0, 0, 0}
 };
 
-/*
- * Fake AppleDouble entry oder for resource fork xattr.  The xattr
- * isn't an AppleDouble file, it simply contains the resource data,
- * but in order to be able to use some API calls like ad_getentryoff()
- * we build a fake/helper struct adouble with this entry order struct.
- */
-static const


-- 
Samba Shared Repository



More information about the samba-cvs mailing list