[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Mar 4 22:42:02 UTC 2019
The branch, master has been updated
via f0ecfd384c2 pidl/Python: initialise a datablob
via c942614eaed dsdb pytsts: reduce scale of subtree rename speed test
via e4ac7fb9dce dsdb/linked_attributes: shortcut exit for backlink fix
via 4f812c1f321 dsdb/linked_attributes: improve formatting in some places
via 6d01cb51147 dsdb/linked_attributes: initialise more pointers to NULL
via 8765ed2f1dd dsdb linked attributes: fix forward links faster
via 518320ae33a dsdb: linked_attributes module knows about sorted links
via bf50324fefd dsdb:replmd: add compatible feature helper function
via 7d8cfe02bb4 dsdb/pytests: sanity checks for links under subtree renames
via 0673ad09ae9 replmd/la: disambiguate error messages a bit
via 1f973220631 dsdb/group_audit: use common get_parsed_dns_trusted()
via 16f4c694b55 dsdb:util_links: count el->values with unsigned int
via edfd33ab3e9 tests/rodc_rwdc: p.communicate() gives bytes, not str
via 4ddfe8fc750 dns_hub: use python 3 shebang
via 4d8aa4a160c s4/auth/krb: fix spelling of entries
via c1b6fe62a4b s4:torture: Make sure we do not create a shadow 'struct params'
via a7d09580ae0 tests: Work auth_log CLIENT_IP out from config instead of env var
via c185bf1dcf8 tests: Work audit_log CLIENT_IP out from config instead of env var
via 4f21f1ca8d5 tests: Remove explicit SOCKET_WRAPPER usage from auth_log tests
via 3dab6563944 s4:tests: Remove unused DC_ENV variable
via 15dda1a82cd s4:tests: Move duplicated test cases into loop
via 25544e101b0 s4:tests: Avoid passing unnecessary env variables to auth_log tests
via 3ce28f918ce tests: Remove redundant credentials from auth_log tests
from 4a9f7d24569 tests: add a simple test for smbcacls -x
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f0ecfd384c279c94b2c341b638426cf1cbd797ce
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Feb 24 19:31:07 2019 +1300
pidl/Python: initialise a datablob
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Mar 4 22:41:01 UTC 2019 on sn-devel-144
commit c942614eaed392736f4037cb3663ea9e38c7d36c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Feb 21 16:47:55 2019 +1300
dsdb pytsts: reduce scale of subtree rename speed test
The speed test, when it was introduced a few patches ago, was
deliberately slow so that we could see how much better the changes
were. It used 500 users, 50 groups, and 27 computers.
Before the changes, it took this long:
rename ou took 64.373s
rename group took 0.160s
rename user took 0.004s
rename computer took 0.123s
After using the sorted links, it took this long:
rename ou took 12.984s
rename group took 0.161s
rename user took 0.004s
rename computer took 0.122s
And with the final patch to stop the linear search early on success:
rename ou took 11.680s
rename group took 0.089s
rename user took 0.004s
rename computer took 0.128s
"rename ou" is the one we were aiming at. Now that we have done that,
we reduce the size of the test so as not to slow down everyone's
autobuilds.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4ac7fb9dce9761c3bf5db6089f95d23cb8ecf39
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Feb 20 17:55:39 2019 +1300
dsdb/linked_attributes: shortcut exit for backlink fix
In most cases there can only be one link for each GUID. If we assume
that is true, we can skip half the search, on average.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f812c1f3217048737512a366d6bfa525f4b8a21
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Feb 27 12:18:11 2019 +1300
dsdb/linked_attributes: improve formatting in some places
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d01cb51147f1a1708ac746c05ebe387312df8be
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Feb 27 12:17:58 2019 +1300
dsdb/linked_attributes: initialise more pointers to NULL
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8765ed2f1dd5b291f449a46a9e99b6ae810d3947
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jan 9 17:57:15 2019 +1300
dsdb linked attributes: fix forward links faster
Rename operations can be very slow in large databases with many group
memberships, because the linked attributes need to be found and
rewritten for each moved object and the way we did that was naive.
For a while now Samba has kept forward links in sorted order, so
finding group memberships can be an O(log n) rather than O(n)
operation. This patch makes use of that.
The backlinks are not sorted, nor are forward links in old databases,
so we have to use a linear search in those cases.
There is a little bit of extra work to handle the few kinds of forward
links (e.g. msDS-RevealedUsers) that have DN+Binary values.
Tim and Garming came up with the basic idea and a prototype.
Pair-programmed-with: Tim Beale <timbeale at catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 518320ae33ae6d77d67ec216cd4cd68d69036be1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Feb 15 10:27:14 2019 +1300
dsdb: linked_attributes module knows about sorted links
Until now the linked attributes module has allocated its private data
on a per transaction basis, but we prefer to check the sorted links
feature less often than that. So the private data struct is given
module life time and a transaction member to carry out the old role.
In coming patches, the sorted links flag will be used.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bf50324fefdde7120838f17e6aee32ffc1345f22
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Feb 15 10:29:33 2019 +1300
dsdb:replmd: add compatible feature helper function
repl_meta_data.c uses the compatible features attribute of the
"@SAMBA_DSDB" special object to record that linked attributes are
being stored in the database in a sorted order. Soon the
linked_attributes module is going to want to know the same thing, and
in time other modules will want to know about other compatible
features, so we introduce a helper function.
Error checking is slightly improved.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7d8cfe02bb4ef30795ccbaee7233e73c29fa9e8c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jan 31 12:18:59 2019 +1300
dsdb/pytests: sanity checks for links under subtree renames
These tests will ensure that linked attributes continue to be handled
correctly under forthcoming changes. The la_move_ou_tree_big() test
will show that the changes make this much faster, after which it can
perhaps be removed.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0673ad09ae989296c69a4282711897740f4c115a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Feb 19 13:54:57 2019 +1300
replmd/la: disambiguate error messages a bit
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f9732206313ff53a410ab20f6dc188af9d2a6f0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Feb 15 13:12:09 2019 +1300
dsdb/group_audit: use common get_parsed_dns_trusted()
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 16f4c694b558f64250fab3e568594733708aa3fd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Feb 15 13:09:09 2019 +1300
dsdb:util_links: count el->values with unsigned int
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit edfd33ab3e970099a680f0e1f28d135741cf8cc0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Feb 16 10:48:00 2019 +1300
tests/rodc_rwdc: p.communicate() gives bytes, not str
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ddfe8fc750fbc80b49e51cf9e0f2109cb59d710
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Feb 15 22:56:07 2019 +1300
dns_hub: use python 3 shebang
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4d8aa4a160c272171a5b488d74b29474f3c26d58
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Feb 19 13:53:24 2019 +1300
s4/auth/krb: fix spelling of entries
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c1b6fe62a4b5bfe4c534cf4eaad24b8ed57d3520
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 4 16:59:18 2019 +0100
s4:torture: Make sure we do not create a shadow 'struct params'
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a7d09580ae0e03568b6708cf91d4609a881b0a14
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 11:10:46 2019 +1300
tests: Work auth_log CLIENT_IP out from config instead of env var
Instead of passing the CLIENT_IP to the auth_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.
This only works for auth_log_pass_change, but not auth_log.py - the
latter still needs to be run on the :local testenv for other reasons, so
it doesn't use the client.conf. However, we can still update the base
code to use the client.conf IP, as auth_log.py overrides
self.remoteAddress anyway.
The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c185bf1dcf84b2f86af2b79190a479dbc61b3cd3
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 11:06:52 2019 +1300
tests: Work audit_log CLIENT_IP out from config instead of env var
Instead of passing the CLIENT_IP to the audit_log tests, we can just
work out the source-IP that the client will use from its smb.conf file.
Because the audit_log tests are all run on the non-local testenv,
they'll already use the client.conf and the 127.0.0.11 address.
The main advantage of this change is it avoids having hardcoded IP
addresses in the selftest framework.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f21f1ca8d566624a11ab14cdc7698f0ddb45985
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 10:53:43 2019 +1300
tests: Remove explicit SOCKET_WRAPPER usage from auth_log tests
The auth-logging tests are an odd combination of server and client
behaviour. On the one hand we want an IRPC connection to see the auth
events being logged on the server. On the other hand, we want the auth
events to appear to be happening on a client. Currently we hardcode in
the use of a SOCKET_WRAPPER interface to make this happen.
We can avoid this explicit socket wrapper usage by using the server
smb.conf instead in the one place we actually want to act like the
server (creating the IRPC connection). Then we can switch from using
the 'ad_dc*:local' testenvs to use 'ad_dc*', in order to act like a
client by default. The SERVERCONFFILE environment variable has already
been added for the few cases where a test needs explicit access to the
server's smb.conf.
However, for samba.tests.auth_log, the samlogon test cases are still
reliant on being run on the :local testenv, and so we can't switch them
over just yet. This is because the samlogon is using the DC's machine
creds underneath, which will fail on the non-local testenv. We could
create separate machine creds for the client and use those, but this is
a non-trivial rework of the test code.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3dab656394447d10d90acb1a19326bf29eec55a3
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 10:21:37 2019 +1300
s4:tests: Remove unused DC_ENV variable
I believe this was a leftover remnant from an earlier patch revision -
it's now been replaced by the DC_SERVERCONFFILE variable.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 15dda1a82cd993345d5f287f5fc2c0f7a3c12eeb
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 10:19:06 2019 +1300
s4:tests: Move duplicated test cases into loop
This is more consistent with how we run tests elsewhere.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 25544e101b0282d0f932f9e7c7eda66a270751fd
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Feb 26 10:17:21 2019 +1300
s4:tests: Avoid passing unnecessary env variables to auth_log tests
These tests all use the ncalrpc connection, so they're always testing a
connection that's local to the server-side. Therefore passing in the
CLIENT_IP and SOCKET_WRAPPER_DEFAULT_IFACE variables (in order to try to
simulate a client connecting) is unnecessary.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3ce28f918cedaf37b4ebc7b80d243030b41c20bb
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jan 28 14:11:09 2019 +1300
tests: Remove redundant credentials from auth_log tests
The LDB connection in these tests is to the direct sam.ldb file on disk,
so the credentials are not actually needed (and in fact, weren't even
initialized correctly). These tests always need to run on the DC itself
(i.e. :local testenv) because they use ncalrpc connections.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
pidl/lib/Parse/Pidl/Samba4/Python.pm | 2 +-
python/samba/tests/audit_log_base.py | 22 +-
python/samba/tests/audit_log_dsdb.py | 1 -
python/samba/tests/audit_log_pass_change.py | 1 -
python/samba/tests/auth_log_base.py | 21 +-
python/samba/tests/auth_log_netlogon.py | 3 -
python/samba/tests/auth_log_netlogon_bad_creds.py | 3 -
python/samba/tests/auth_log_pass_change.py | 1 -
python/samba/tests/auth_log_samlogon.py | 3 -
python/samba/tests/group_audit.py | 1 -
selftest/knownfail | 4 +-
selftest/target/dns_hub.py | 2 +-
source4/auth/kerberos/srv_keytab.c | 2 +-
source4/dsdb/common/util_links.c | 2 +-
source4/dsdb/samdb/ldb_modules/group_audit.c | 11 +-
source4/dsdb/samdb/ldb_modules/linked_attributes.c | 427 ++++++++++++++++----
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 33 +-
source4/dsdb/samdb/ldb_modules/util.c | 47 +++
source4/dsdb/tests/python/rodc_rwdc.py | 2 +-
source4/dsdb/tests/python/subtree_rename.py | 443 +++++++++++++++++++++
source4/selftest/tests.py | 82 ++--
source4/torture/basic/misc.c | 30 +-
22 files changed, 952 insertions(+), 191 deletions(-)
create mode 100644 source4/dsdb/tests/python/subtree_rename.py
Changeset truncated at 500 lines:
diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index efa80d7cdd1..26a1d9b4fc6 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -313,7 +313,7 @@ sub PythonStruct($$$$$$)
$self->pidl("{");
$self->indent;
$self->pidl("$cname *object = ($cname *)pytalloc_get_ptr(py_obj);");
- $self->pidl("DATA_BLOB blob;");
+ $self->pidl("DATA_BLOB blob = {.data = NULL, .length = 0};");
$self->pidl("Py_ssize_t blob_length = 0;");
$self->pidl("enum ndr_err_code err;");
$self->pidl("const char * const kwnames[] = { \"data_blob\", \"allow_remaining\", NULL };");
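Review bot: The commit message has no body, so the reason for initialising `blob` in the generated code is not recorded. A sentence saying whether this closes a path that can read `blob` before it is filled, or only quiets a compiler warning, would help anyone auditing the generated bindings later. The neighbouring `blob_length` is already initialised to 0, so the two declarations now match.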
diff --git a/python/samba/tests/audit_log_base.py b/python/samba/tests/audit_log_base.py
index e91c4142f1c..c1223edad84 100644
--- a/python/samba/tests/audit_log_base.py
+++ b/python/samba/tests/audit_log_base.py
@@ -22,6 +22,7 @@ from __future__ import print_function
import samba.tests
from samba.messaging import Messaging
from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
+from samba.param import LoadParm
import time
import json
import os
@@ -41,10 +42,29 @@ class AuditLogTestBase(samba.tests.TestCase):
def setUp(self):
super(AuditLogTestBase, self).setUp()
- lp_ctx = self.get_loadparm()
+
+ # connect to the server's messaging bus (we need to explicitly load a
+ # different smb.conf here, because in all other respects this test
+ # wants to act as a separate remote client)
+ server_conf = os.getenv('SERVERCONFFILE')
+ if server_conf:
+ lp_ctx = LoadParm(filename_for_non_global_lp=server_conf)
+ else:
+ lp_ctx = self.get_loadparm()
self.msg_ctx = Messaging((1,), lp_ctx=lp_ctx)
self.msg_ctx.irpc_add_name(self.event_type)
+ # Now switch back to using the client-side smb.conf. The tests will
+ # use the first interface in the client.conf (we need to strip off
+ # the subnet mask portion)
+ lp_ctx = self.get_loadparm()
+ client_ip_and_mask = lp_ctx.get('interfaces')[0]
+ client_ip = client_ip_and_mask.split('/')[0]
+
+ # the messaging ctx is the server's view of the world, so our own
+ # client IP will be the remoteAddress when connections are logged
+ self.remoteAddress = client_ip
+
#
# Check the remote address of a message against the one beimg used
# for the tests.
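Review bot: `lp_ctx.get('interfaces')[0]` in setUp assumes the client smb.conf always sets `interfaces` with at least one entry. If it is unset or empty, every subclass fails in setUp with an indexing error that does not name the cause; an explicit check with a message such as "client smb.conf has no interfaces" would make that failure readable. Separately, when SERVERCONFFILE is unset the messaging context falls back to `self.get_loadparm()`, which is the client-side config this comment block says it wants to avoid, so a short comment stating when that fallback is expected would help.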
diff --git a/python/samba/tests/audit_log_dsdb.py b/python/samba/tests/audit_log_dsdb.py
index 0471c22f243..29861332518 100644
--- a/python/samba/tests/audit_log_dsdb.py
+++ b/python/samba/tests/audit_log_dsdb.py
@@ -43,7 +43,6 @@ class AuditLogDsdbTests(AuditLogTestBase):
self.event_type = DSDB_EVENT_NAME
super(AuditLogDsdbTests, self).setUp()
- self.remoteAddress = os.environ["CLIENT_IP"]
self.server_ip = os.environ["SERVER_IP"]
host = "ldap://%s" % os.environ["SERVER"]
diff --git a/python/samba/tests/audit_log_pass_change.py b/python/samba/tests/audit_log_pass_change.py
index d580698b3ba..4e25c872d2d 100644
--- a/python/samba/tests/audit_log_pass_change.py
+++ b/python/samba/tests/audit_log_pass_change.py
@@ -48,7 +48,6 @@ class AuditLogPassChangeTests(AuditLogTestBase):
self.event_type = DSDB_PWD_EVENT_NAME
super(AuditLogPassChangeTests, self).setUp()
- self.remoteAddress = os.environ["CLIENT_IP"]
self.server_ip = os.environ["SERVER_IP"]
host = "ldap://%s" % os.environ["SERVER"]
diff --git a/python/samba/tests/auth_log_base.py b/python/samba/tests/auth_log_base.py
index c1391080566..d6a3976f456 100644
--- a/python/samba/tests/auth_log_base.py
+++ b/python/samba/tests/auth_log_base.py
@@ -22,6 +22,7 @@ from __future__ import print_function
import samba.tests
from samba.messaging import Messaging
from samba.dcerpc.messaging import MSG_AUTH_LOG, AUTH_EVENT_NAME
+from samba.param import LoadParm
import time
import json
import os
@@ -34,12 +35,30 @@ class AuthLogTestBase(samba.tests.TestCase):
def setUp(self):
super(AuthLogTestBase, self).setUp()
- lp_ctx = self.get_loadparm()
+ # connect to the server's messaging bus (we need to explicitly load a
+ # different smb.conf here, because in all other respects this test
+ # wants to act as a separate remote client)
+ server_conf = os.getenv('SERVERCONFFILE')
+ if server_conf:
+ lp_ctx = LoadParm(filename_for_non_global_lp=server_conf)
+ else:
+ lp_ctx = self.get_loadparm()
self.msg_ctx = Messaging((1,), lp_ctx=lp_ctx)
global msg_ctxs
msg_ctxs.append(self.msg_ctx)
self.msg_ctx.irpc_add_name(AUTH_EVENT_NAME)
+ # Now switch back to using the client-side smb.conf. The tests will
+ # use the first interface in the client.conf (we need to strip off
+ # the subnet mask portion)
+ lp_ctx = self.get_loadparm()
+ client_ip_and_mask = lp_ctx.get('interfaces')[0]
+ client_ip = client_ip_and_mask.split('/')[0]
+
+ # the messaging ctx is the server's view of the world, so our own
+ # client IP will be the remoteAddress when connections are logged
+ self.remoteAddress = client_ip
+
def messageHandler(context, msgType, src, message):
# This does not look like sub unit output and it
# makes these tests much easier to debug.
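Review bot: The SERVERCONFFILE lookup and the client-IP derivation added to this setUp are a copy of the block added to AuditLogTestBase.setUp in audit_log_base.py, including the unguarded `lp_ctx.get('interfaces')[0]`. A shared helper that returns the server lp_ctx and the client IP would keep the two base classes from drifting and give one place to add the missing check.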
diff --git a/python/samba/tests/auth_log_netlogon.py b/python/samba/tests/auth_log_netlogon.py
index 83ffd33c1a6..36920eeef34 100644
--- a/python/samba/tests/auth_log_netlogon.py
+++ b/python/samba/tests/auth_log_netlogon.py
@@ -47,12 +47,9 @@ class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
def setUp(self):
super(AuthLogTestsNetLogon, self).setUp()
self.lp = samba.tests.env_loadparm()
- self.creds = Credentials()
-
self.session = system_session()
self.ldb = SamDB(
session_info=self.session,
- credentials=self.creds,
lp=self.lp)
self.domain = os.environ["DOMAIN"]
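Review bot: With `self.creds = Credentials()` removed from setUp, check whether anything else in this file still uses `Credentials`; if not, the import should be dropped in the same commit. The same applies to the identical removals in auth_log_netlogon_bad_creds.py and auth_log_samlogon.py.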
diff --git a/python/samba/tests/auth_log_netlogon_bad_creds.py b/python/samba/tests/auth_log_netlogon_bad_creds.py
index 3b699bb6505..bd8b497cd88 100644
--- a/python/samba/tests/auth_log_netlogon_bad_creds.py
+++ b/python/samba/tests/auth_log_netlogon_bad_creds.py
@@ -49,12 +49,9 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
def setUp(self):
super(AuthLogTestsNetLogonBadCreds, self).setUp()
self.lp = samba.tests.env_loadparm()
- self.creds = Credentials()
-
self.session = system_session()
self.ldb = SamDB(
session_info=self.session,
- credentials=self.creds,
lp=self.lp)
self.domain = os.environ["DOMAIN"]
diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
index f0a0ee68d17..99548679a66 100644
--- a/python/samba/tests/auth_log_pass_change.py
+++ b/python/samba/tests/auth_log_pass_change.py
@@ -45,7 +45,6 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
def setUp(self):
super(AuthLogPassChangeTests, self).setUp()
- self.remoteAddress = os.environ["CLIENT_IP"]
self.server_ip = os.environ["SERVER_IP"]
host = "ldap://%s" % os.environ["SERVER"]
diff --git a/python/samba/tests/auth_log_samlogon.py b/python/samba/tests/auth_log_samlogon.py
index eeb64df41eb..4959543937e 100644
--- a/python/samba/tests/auth_log_samlogon.py
+++ b/python/samba/tests/auth_log_samlogon.py
@@ -47,12 +47,9 @@ class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase):
def setUp(self):
super(AuthLogTestsSamLogon, self).setUp()
self.lp = samba.tests.env_loadparm()
- self.creds = Credentials()
-
self.session = system_session()
self.ldb = SamDB(
session_info=self.session,
- credentials=self.creds,
lp=self.lp)
self.domain = os.environ["DOMAIN"]
diff --git a/python/samba/tests/group_audit.py b/python/samba/tests/group_audit.py
index b8c90a325d5..7163c5016a3 100644
--- a/python/samba/tests/group_audit.py
+++ b/python/samba/tests/group_audit.py
@@ -50,7 +50,6 @@ class GroupAuditTests(AuditLogTestBase):
self.event_type = DSDB_GROUP_EVENT_NAME
super(GroupAuditTests, self).setUp()
- self.remoteAddress = os.environ["CLIENT_IP"]
self.server_ip = os.environ["SERVER_IP"]
host = "ldap://%s" % os.environ["SERVER"]
diff --git a/selftest/knownfail b/selftest/knownfail
index dc78838f9c1..750b5f51e3f 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -339,9 +339,9 @@
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
#
-# rap password tests don't function in the ad_dc_ntvfs:local environment
+# rap password tests don't function in the ad_dc_ntvfs environment
#
-^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs:local\)
+^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
diff --git a/selftest/target/dns_hub.py b/selftest/target/dns_hub.py
index 2cfc8d076aa..e440e72577a 100755
--- a/selftest/target/dns_hub.py
+++ b/selftest/target/dns_hub.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#
# Unix SMB/CIFS implementation.
# Copyright (C) Volker Lendecke 2017
diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
index d08721ba87c..52e1e228669 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -306,7 +306,7 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
if (!delete_all_kvno) {
/* Create a new keytab. If during the cleanout we found
- * entires for kvno -1, then don't try and duplicate them.
+ * entries for kvno -1, then don't try and duplicate them.
* Otherwise, add kvno, and kvno -1 */
if (saltPrincipal == NULL) {
*perror_string = talloc_strdup(parent_ctx,
diff --git a/source4/dsdb/common/util_links.c b/source4/dsdb/common/util_links.c
index daa4b2f43a6..9e9e2b0161a 100644
--- a/source4/dsdb/common/util_links.c
+++ b/source4/dsdb/common/util_links.c
@@ -114,7 +114,7 @@ int get_parsed_dns_trusted(TALLOC_CTX *mem_ctx, struct ldb_message_element *el,
struct parsed_dn **pdn)
{
/* Here we get a list of 'struct parsed_dns' without the parsing */
- int i;
+ unsigned int i;
*pdn = talloc_zero_array(mem_ctx, struct parsed_dn,
el->num_values);
if (!*pdn) {
diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c
index dd991bfbb07..5a01ac8a185 100644
--- a/source4/dsdb/samdb/ldb_modules/group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/group_audit.c
@@ -291,23 +291,18 @@ static struct parsed_dn *get_parsed_dns(
TALLOC_CTX *mem_ctx,
struct ldb_message_element *el)
{
+ int ret;
struct parsed_dn *pdn = NULL;
- int i;
-
if (el == NULL || el->num_values == 0) {
return NULL;
}
- pdn = talloc_zero_array(mem_ctx, struct parsed_dn, el->num_values);
- if (pdn == NULL) {
+ ret = get_parsed_dns_trusted(mem_ctx, el, &pdn);
+ if (ret == LDB_ERR_OPERATIONS_ERROR) {
DBG_ERR("Out of memory\n");
return NULL;
}
-
- for (i = 0; i < el->num_values; i++) {
- pdn[i].v = &el->values[i];
- }
return pdn;
}
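Review bot: The check `if (ret == LDB_ERR_OPERATIONS_ERROR)` in get_parsed_dns() only catches one error code, so any other non-success return from get_parsed_dns_trusted() falls through to `return pdn;` with whatever `pdn` holds. Testing `ret != LDB_SUCCESS` would be safer, and the "Out of memory" message could then report the ldb error instead of assuming the cause.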
diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
index a88cd173442..81bb31b714c 100644
--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c
+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
@@ -53,10 +53,17 @@
#include "librpc/gen_ndr/ndr_misc.h"
#include "dsdb/samdb/ldb_modules/util.h"
-struct la_private {
+
+struct la_private_transaction {
struct la_context *la_list;
};
+
+struct la_private {
+ struct la_private_transaction *transaction;
+ bool sorted_links;
+};
+
struct la_op_store {
struct la_op_store *next;
struct la_op_store *prev;
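Review bot: The new `transaction` member of struct la_private has no comment on its lifetime. Since the commit message says the outer struct now has module lifetime while `transaction` carries the old per-transaction role, a note on the struct saying who allocates and frees `transaction`, and whether it is NULL outside a transaction, would make the NULL checks that callers need obvious. The same goes for when `sorted_links` is set.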
@@ -687,19 +694,275 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques
return ret;
}
+
+static int linked_attributes_fix_link_slow(struct ldb_module *module,
+ struct ldb_request *parent,
+ struct ldb_message *msg,
+ struct ldb_dn *new_dn,
+ struct GUID self_guid,
+ const char *syntax_oid,
+ const char *reverse_syntax_oid)
+{
+ int ret;
+ unsigned int i;
+ struct GUID link_guid;
+ struct ldb_message_element *el = &msg->elements[0];
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ bool has_unique_value = strcmp(reverse_syntax_oid, LDB_SYNTAX_DN) == 0;
+ TALLOC_CTX *tmp_ctx = talloc_new(module);
+ if (tmp_ctx == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /*
+ * The msg has one element (el) containing links of one particular
+ * type from the remote object. We know that at least one of those
+ * links points to the object being renamed (identified by self_guid,
+ * renamed to new_dn). Usually only one of the links will point back
+ * to renamed object, but there can be more when the reverse link is a
+ * DN+Binary link.
+ *
+ * This is used for unsorted links, which is to say back links and
+ * forward links on old databases. It necessarily involves a linear
+ * search, though when the link is a plain DN link, we can skip
+ * checking as soon as we find it.
+ *
+ * NOTE: if there are duplicate links, the extra ones will end up as
+ * dangling links to the old DN. This may or may not be better.
+ */
+ for (i = 0; i < el->num_values; i++) {
+ struct dsdb_dn *dsdb_dn = dsdb_dn_parse(msg,
+ ldb,
+ &el->values[i],
+ syntax_oid);
+ if (dsdb_dn == NULL) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
+ ret = la_guid_from_dn(module, parent, dsdb_dn->dn, &link_guid);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ /*
+ * By comparing using the GUID we ensure that even if somehow
+ * the name has got out of sync, this rename will fix it.
+ *
+ * If somehow we don't have a GUID on the DN in the DB, the
+ * la_guid_from_dn call will be more costly, but still give us
+ * a GUID. dbcheck will fix this if run.
+ */
+ if (!GUID_equal(&self_guid, &link_guid)) {
+ continue;
+ }
+
+ ret = ldb_dn_update_components(dsdb_dn->dn, new_dn);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ el->values[i] = data_blob_string_const(
+ dsdb_dn_get_extended_linearized(el->values, dsdb_dn, 1));
+ if (has_unique_value) {
+ break;
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
+
+static int linked_attributes_fix_forward_link(struct ldb_module *module,
+ struct ldb_message *msg,
+ struct ldb_dn *new_dn,
+ struct GUID self_guid,
+ const char *syntax_oid)
+{
+ int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct parsed_dn *pdn_list = NULL;
+ struct parsed_dn *exact = NULL;
+ struct parsed_dn *next = NULL;
+ bool is_plain_dn;
+ struct ldb_message_element *el = &msg->elements[0];
+ unsigned int num_parsed_dns = el->num_values;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(module);
+ if (tmp_ctx == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /*
+ * The msg has a single element (el) containing forward links which we
+ * trust are sorted in GUID order. We know that at least one of those
+ * links points to the object being renamed (identified by self_guid,
+ * renamed to new_dn), because that object has a backlink pointing
+ * here.
+ *
+ * In most cases we assume there will only be one forward link, which
+ * is found by parsed_dn_find(), but in the case of DN+Binary links
+ * (e.g. msDS-RevealedUsers) there may be many forward links that
+ * share the same DN/GUID but differ in the binary part. For those we
+ * need to look around the link found by parsed_dn_find() and convert
+ * them all -- there is no way to know which forward link belongs to
+ * which backlink.
+ */
+
+ ret = get_parsed_dns_trusted(tmp_ctx, el, &pdn_list);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "get_parsed_dn_trusted() "
+ "error fixing %s links for %s",
+ el->name,
+ ldb_dn_get_linearized(msg->dn));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ /* find our DN in the values */
+ ret = parsed_dn_find(ldb, pdn_list, num_parsed_dns,
+ &self_guid,
+ NULL,
+ data_blob_null, 0,
+ &exact, &next,
+ syntax_oid,
+ false);
+
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "parsed_dn_find() "
+ "error fixing %s links for %s",
+ el->name,
+ ldb_dn_get_linearized(msg->dn));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ if (exact == NULL) {
+ ldb_asprintf_errstring(
+ ldb,
+ "parsed_dn_find could not find %s link for %s",
+ el->name,
+ ldb_dn_get_linearized(msg->dn));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ is_plain_dn = strcmp(syntax_oid, LDB_SYNTAX_DN) == 0;
+
+ if (is_plain_dn) {
+ /*
+ * The common case -- we only have to update a single link
+ */
+ ret = ldb_dn_update_components(exact->dsdb_dn->dn, new_dn);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("could not update components %s %s\n",
+ ldb_dn_get_linearized(exact->dsdb_dn->dn),
+ ldb_dn_get_linearized(new_dn)
+ );
+
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ *(exact->v) = data_blob_string_const(
+ dsdb_dn_get_extended_linearized(el->values,
+ exact->dsdb_dn,
+ 1));
+ } else {
+ /*
+ * The forward link is a DN+Binary (or in some alternate
+ * universes, DN+String), which means the parsed_dns are keyed
+ * on GUID+Binary. We don't know the binary part, which means
+ * from our point of view the list can have entries with
+ * duplicate GUIDs that we can't tell apart. We don't know
+ * which backlink belongs to which GUID+binary, and the binary
+ * search will always find the same one. That means one link
+ * link will get fixed n times, whil n-1 links get fixed
+ * never.
+ *
+ * If we instead fixing all the possible links, we end up
+ * fixing n links n times, which at least works and is
+ * probably not too costly because n is probably small.
+ */
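Review bot: In linked_attributes_fix_link_slow(), `tmp_ctx` is created and freed on every path but nothing visible is allocated on it; `dsdb_dn_parse(msg, ...)` hangs each parsed DN off `msg`, so one dsdb_dn per link value stays allocated until `msg` is freed. Parsing onto `tmp_ctx` looks safe, because the replacement value is linearized onto `el->values`, and it would release the parsed DNs when the function returns. Two smaller points in linked_attributes_fix_forward_link(): the error string names "get_parsed_dn_trusted()" while the function called is get_parsed_dns_trusted(), and the DN+Binary comment has typos ("link link", "whil", "If we instead fixing").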
--
Samba Shared Repository