[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Oct 23 09:44:01 UTC 2023


The branch, v4-19-test has been updated
       via  ba252e247c5 s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c
       via  8c0f1206560 s3:libads: Improve logging for failover scenarios
       via  0bb520822c9 s3:libsmb: Improve logging for failover scenarios
       via  7038794ec85 s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c
       via  a72c7228730 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
       via  98d0fa6c37d CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
       via  0e657c31ac9 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
       via  31e4015b78e CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
       via  10673100a1b CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
       via  427054ab1ba CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
      from  2917289991e VERSION: Bump version up to Samba 4.19.3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit ba252e247c52ccc7fe54d18b8f9ce88cc53ce1c3
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Wed Oct 18 11:32:57 2023 +0200

    s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 21bb84ed1c30b863b4ef17fcebdd79f147142b9f)
    
    Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-19-test): Mon Oct 23 09:43:03 UTC 2023 on atb-devel-224

commit 8c0f12065602c3d38b49350b486a12d6e6599cbf
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Wed Oct 18 11:32:57 2023 +0200

    s3:libads: Improve logging for failover scenarios
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
    Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224
    
    (cherry picked from commit 14600a3128c6b66de4f9291eeec52e34725030c5)

commit 0bb520822c9401f0638e86ec2b7a8665a8776934
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Wed Oct 18 11:32:57 2023 +0200

    s3:libsmb: Improve logging for failover scenarios
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5f7a834effea56d683f76a801924c7125385e534)

commit 7038794ec855fd70e76d30f005722ec9c86d071b
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Wed Oct 18 11:32:57 2023 +0200

    s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 6063f3ee733348855d6b144091bbdbbe6862494c)

commit a72c72287301d66a5e1c11b30f5fb1e897341414
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:35:31 2016 +0100

    CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)

commit 98d0fa6c37db90c0cd4a319e3f5b80fe8b91c618
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jun 7 18:18:58 2023 +0200

    CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)

commit 0e657c31ac90687f95391c31880564a909792264
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 26 15:14:24 2023 +0200

    CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
    
    This makes the next change easier to understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)

commit 31e4015b78e4e6ce1f83cc556febb4394bb8ef78
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:34:15 2016 +0100

    CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
    
    This revealed a bug in our dirsync code, so we mark
    test_search_with_dirsync_deleted_objects as knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)

commit 10673100a1be03f7c34befe7a8f2b3bd2d2d50af
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:33:37 2016 +0100

    CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)

commit 427054ab1ba6b8798040123fa92aff6fe73fbd93
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 29 23:30:59 2016 +0100

    CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
    
    samba-tool drs clone-dc-database was quite useful to find
    the true value of nTSecurityDescriptor of the CN=Deleted Objects
    containers.
    
    Only the auto inherited SACL is available via a ldap search.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/dbchecker.py                          | 27 +++++++++--
 python/samba/descriptor.py                         | 25 +++++++++-
 python/samba/provision/__init__.py                 |  5 ++
 python/samba/provision/sambadns.py                 |  4 ++
 selftest/knownfail.d/samba4.ldap.confidential_attr |  1 +
 source3/libads/ldap.c                              | 10 ++++
 source3/libsmb/clientgen.c                         |  5 ++
 source3/winbindd/winbindd_cm.c                     | 31 ++++++++++++-
 source3/winbindd/winbindd_pam.c                    |  4 ++
 source4/dsdb/samdb/ldb_modules/dirsync.c           | 53 ++--------------------
 ...eck-link-output-missing-link-sid-corruption.txt |  8 ++--
 .../expected-links-after-dbcheck.ldif              |  2 +-
 .../release-4-5-0-pre1/rootdse-version.final.txt   |  2 +-
 source4/setup/provision.ldif                       |  1 +
 source4/setup/provision_configuration.ldif         |  1 +
 source4/setup/provision_dnszones_add.ldif          |  1 +
 testprogs/blackbox/dbcheck-links.sh                | 12 +++++
 17 files changed, 130 insertions(+), 62 deletions(-)
 create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr


Changeset truncated at 500 lines:

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 84513694fab..48669b5c521 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,7 +20,7 @@
 import ldb
 import samba
 import time
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from samba import dsdb
 from samba import common
 from samba.dcerpc import misc
@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack
 from samba.dcerpc import drsblobs
 from samba.samdb import dsdb_Dn
 from samba.dcerpc import security
-from samba.descriptor import get_wellknown_sds, get_diff_sds
+from samba.descriptor import (
+        get_wellknown_sds,
+        get_deletedobjects_descriptor,
+        get_diff_sds
+)
 from samba.auth import system_session, admin_session
 from samba.netcmd import CommandError
 from samba.netcmd.fsmo import get_fsmo_roleowner
@@ -351,6 +355,12 @@ class dbcheck(object):
                 listwko.append('%s:%s' % (wko_prefix, dn))
                 guid_suffix = ""
 
+
+            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+            sec_desc = get_deletedobjects_descriptor(domain_sid,
+                                                     name_map=self.name_map)
+            sec_desc_b64 = b64encode(sec_desc).decode('utf8')
+
             # Insert a brand new Deleted Objects container
             self.samdb.add_ldif("""dn: %s
 objectClass: top
@@ -359,7 +369,8 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
-systemFlags: -1946157056%s""" % (dn, guid_suffix),
+nTSecurityDescriptor:: %s
+systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
                                 controls=["relax:0", "provision:0"])
 
             delta = ldb.Message()
@@ -2458,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     error_count += 1
                     continue
 
-                if self.reset_well_known_acls:
+                if dn == deleted_objects_dn or self.reset_well_known_acls:
                     try:
                         well_known_sd = self.get_wellknown_sd(dn)
                     except KeyError:
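Review bot: `deleted_objects_dn` in the new condition `if dn == deleted_objects_dn or self.reset_well_known_acls:` is not defined in any visible hunk, so it is unclear which naming context it points at. descriptor.py in this same series registers CN=Deleted Objects under the domain, the configuration partition and both DNS partitions; please confirm the variable is resolved per naming context of the object being checked, otherwise only one of those containers is verified when reset_well_known_acls is off.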
@@ -2467,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     current_sd = ndr_unpack(security.descriptor,
                                             obj[attrname][0])
 
-                    diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
+                    ignoreAdditionalACEs = False
+                    if not self.reset_well_known_acls:
+                        ignoreAdditionalACEs = True
+
+                    diff = get_diff_sds(well_known_sd, current_sd,
+                                        security.dom_sid(self.samdb.get_domain_sid()),
+                                        ignoreAdditionalACEs=ignoreAdditionalACEs)
                     if diff != "":
                         self.err_wrong_default_sd(dn, well_known_sd, diff)
                         error_count += 1
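Review bot: the three added lines that set `ignoreAdditionalACEs` reduce to `ignoreAdditionalACEs = not self.reset_well_known_acls`, which states the coupling directly. A one-line comment saying why the default run tolerates extra ACEs on the Deleted Objects container would also help the next reader, since the behaviour differs from the reset_well_known_acls path just above.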
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index f0568dd9e8e..362510c8c64 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -55,6 +55,16 @@ def get_empty_descriptor(domain_sid, name_map=None):
 # "get_schema_descriptor" is located in "schema.py"
 
 
+def get_deletedobjects_descriptor(domain_sid, name_map=None):
+    if name_map is None:
+        name_map = {}
+
+    sddl = "O:SYG:SYD:PAI" \
+        "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
+        "(A;;RPLC;;;BA)"
+    return sddl2binary(sddl, domain_sid, name_map)
+
+
 def get_config_descriptor(domain_sid, name_map=None):
     if name_map is None:
         name_map = {}
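Review bot: `get_deletedobjects_descriptor()` has no docstring or comment explaining the SDDL, and this string is the value the whole CVE fix rests on. Suggest a short comment stating that `D:PAI` marks the DACL as protected so parent ACEs are not inherited, that SY gets full control while BA gets only `RPLC` (read property, list children), and where the reference value came from (the commit message mentions samba-tool drs clone-dc-database).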
@@ -485,6 +495,7 @@ def get_wellknown_sds(samdb):
     # Then subcontainers
     subcontainers = [
         (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
         (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
         (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
@@ -495,6 +506,7 @@ def get_wellknown_sds(samdb):
         (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
 
         (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
         (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
@@ -519,6 +531,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
             c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -534,6 +549,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
             c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -626,7 +644,8 @@ def get_clean_sd(sd):
     return sd_clean
 
 
-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
+def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
+                 ignoreAdditionalACEs=False):
     """Get the difference between 2 sd
 
     This function split the textual representation of ACL into smaller
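Review bot: the new `ignoreAdditionalACEs` parameter is not described in the docstring, which this patch leaves unchanged. Please document that, when set, ACEs present only in `cursd` are not reported as a difference, because callers will otherwise assume an empty return value means the two descriptors match.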
@@ -681,6 +700,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
                     h_ref.remove(k)
 
             if len(h_cur) + len(h_ref) > 0:
+                if txt == "" and len(h_ref) == 0:
+                    if ignoreAdditionalACEs:
+                        return ""
+
                 txt = "%s\tPart %s is different between reference" \
                       " and current here is the detail:\n" % (txt, part)
 
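Review bot: `return ""` in the new `ignoreAdditionalACEs` branch leaves the whole function at the first part whose only difference is extra ACEs in the current descriptor, so no later part is compared. If this block runs once per part, as `part` and the accumulated `txt` suggest, a reference ACE missing from a later part would go unreported; skipping only the current part looks safer than returning. The two nested `if` statements can also be merged into a single condition.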
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 2e418f1e654..1631957f97e 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -82,6 +82,7 @@ from samba.provision.backend import (
     LDBBackend,
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_empty_descriptor,
     get_config_descriptor,
     get_config_partitions_descriptor,
@@ -1456,6 +1457,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
                                         "subRefs")
 
+    deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
+
     samdb.invocation_id = invocationid
 
     # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
@@ -1487,6 +1490,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
                 "FOREST_FUNCTIONALITY": str(forestFunctionality),
                 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
                 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
                 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
                 "SERVICES_DESCRIPTOR": protected1_descr,
                 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
@@ -1551,6 +1555,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         "RIDAVAILABLESTART": str(next_rid + 600),
         "POLICYGUID_DC": policyguid_dc,
         "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
         "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
         "SYSTEM_DESCRIPTOR": system_desc,
         "BUILTIN_DESCRIPTOR": builtin_desc,
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 19c5919dac6..f81683c0553 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -42,6 +42,7 @@ from samba.dsdb import (
     DS_GUID_USERS_CONTAINER
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_domain_descriptor,
     get_domain_delete_protected1_descriptor,
     get_domain_delete_protected2_descriptor,
@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
     forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
     descriptor = get_dns_partition_descriptor(domainsid)
+    deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
 
     setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
         "ZONE_DN": domainzone_dn,
@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "ZONE_DNS": domainzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
         "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
         "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
     })
@@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
             "ZONE_DNS": forestzone_dns,
             "CONFIGDN": configdn,
             "SERVERDN": serverdn,
+            "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
             "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
             "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
         })
diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr
new file mode 100644
index 00000000000..46a75ce928b
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.confidential_attr
@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects
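Review bot: the new knownfail entry carries no bug reference, and it parks a confidential-attribute test (`test_search_with_dirsync_deleted_objects`) as an expected failure inside a CVE fix. The commit message attributes the failure to a dirsync bug, but the dirsync.c change visible here only removes unused code and moves an allocation, and this changeset is truncated; please confirm that the dirsync fix and the removal of this entry land in the same series.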
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 2853e15dfd3..cc00753ff74 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -478,6 +478,12 @@ again:
 		num_requests += 1;
 	}
 
+	DBG_DEBUG("Try to create %zu netlogon connections for domain '%s' "
+		  "(provided count of addresses was %zu).\n",
+		  num_requests,
+		  domain,
+		  count);
+
 	if (num_requests == 0) {
 		status = NT_STATUS_NO_LOGON_SERVERS;
 		DBG_WARNING("domain[%s] num_requests[%zu] for count[%zu] - %s\n",
@@ -855,6 +861,8 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
 		bool ok = false;
 		struct sockaddr_storage ss;
 
+		DBG_DEBUG("Resolving name of LDAP server '%s'.\n",
+			  ads->server.ldap_server);
 		ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
 		if (!ok) {
 			DEBUG(5,("ads_connect: unable to resolve name %s\n",
@@ -900,6 +908,8 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
 		 * Keep trying to find a server and fall through
 		 * into ads_find_dc() again.
 		 */
+		DBG_DEBUG("Failed to connect to DC via LDAP server IP address, "
+			  "trying to find another DC.\n");
 	}
 
 	ntstatus = ads_find_dc(ads);
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index e52e6c2256d..bec1184d53f 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -36,6 +36,11 @@
 unsigned int cli_set_timeout(struct cli_state *cli, unsigned int timeout)
 {
 	unsigned int old_timeout = cli->timeout;
+	DBG_DEBUG("Changing connection timeout for server '%s' from %d (ms) to "
+		  "%d (ms).\n",
+		  smbXcli_conn_remote_name(cli->conn),
+		  cli->timeout,
+		  timeout);
 	cli->timeout = timeout;
 	return old_timeout;
 }
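Review bot: the `DBG_DEBUG` added to `cli_set_timeout()` formats `cli->timeout` and `timeout` with `%d`, but `timeout` is declared `unsigned int` and `cli->timeout` is copied into an `unsigned int old_timeout` on the line above. Use `%u` for both so large values are not printed as negative numbers. It may also be worth skipping the message when the old and new values are equal, to keep failover logs readable.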
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 9f56596669b..2ebfb0f6dd8 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1101,6 +1101,9 @@ static bool dcip_check_name_ads(const struct winbindd_domain *domain,
 	char addr[INET6_ADDRSTRLEN];
 
 	print_sockaddr(addr, sizeof(addr), &sa->u.ss);
+	D_DEBUG("Trying to figure out the DC name for domain '%s' at IP '%s'.\n",
+		domain->name,
+		addr);
 
 	ads = ads_init(tmp_ctx,
 		       domain->alt_name,
@@ -1159,6 +1162,10 @@ static bool dcip_check_name_ads(const struct winbindd_domain *domain,
 		saf_store(domain->alt_name, name);
 	}
 
+	D_DEBUG("DC name for domain '%s' at IP '%s' is '%s'\n",
+		domain->name,
+		addr,
+		name);
 	*namep = talloc_move(mem_ctx, &name);
 
 out:
@@ -1516,6 +1523,9 @@ static bool find_dc(TALLOC_CTX *mem_ctx,
 
 	*fd = -1;
 
+	D_NOTICE("First try to connect to the closest DC (using server "
+		 "affinity cache). If this fails, try to lookup the DC using "
+		 "DNS afterwards.\n");
 	ok = connect_preferred_dc(mem_ctx, domain, request_flags, fd);
 	if (ok) {
 		return true;
@@ -1526,9 +1536,11 @@ static bool find_dc(TALLOC_CTX *mem_ctx,
 	}
 
  again:
+	D_DEBUG("Retrieving a list of IP addresses for DCs.\n");
 	if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs, request_flags) || (num_dcs == 0))
 		return False;
 
+	D_DEBUG("Retrieved IP addresses for %d DCs.\n", num_dcs);
 	for (i=0; i<num_dcs; i++) {
 
 		if (!add_string_to_array(mem_ctx, dcs[i].name,
@@ -1547,6 +1559,9 @@ static bool find_dc(TALLOC_CTX *mem_ctx,
 	if ((addrs == NULL) || (dcnames == NULL))
 		return False;
 
+	D_DEBUG("Trying to establish a connection to one of the %d DCs "
+		"(timeout of 10 sec for each DC).\n",
+		num_dcs);
 	status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
 				     num_addrs, 0, 10, fd, &fd_index, NULL);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -1561,6 +1576,7 @@ static bool find_dc(TALLOC_CTX *mem_ctx,
 		}
 		return False;
 	}
+	D_NOTICE("Successfully connected to DC '%s'.\n", dcs[fd_index].name);
 
 	domain->dcaddr = addrs[fd_index];
 
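Review bot: the new `D_NOTICE` prints `dcs[fd_index].name`, but `fd_index` is returned by `smbsock_any_connect()` as an index into the `addrs`/`dcnames` arrays of length `num_addrs`, and the next line uses it as `addrs[fd_index]`. Unless `dcs` is guaranteed to stay parallel to those arrays, log `dcnames[fd_index]` instead so the message names the DC that was actually connected and the index cannot run past `num_dcs`.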
@@ -1604,6 +1620,11 @@ static bool find_dc(TALLOC_CTX *mem_ctx,
 		*fd = -1;
 	}
 
+	/*
+	 * This should not be an infinite loop, since get_dcs() will not return
+	 * the DC added to the negative connection cache in the above
+	 * winbind_add_failed_connection_entry() call.
+	 */
 	goto again;
 }
 
@@ -1733,11 +1754,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	D_NOTICE("Creating connection to domain controller. This is a start of "
+		 "a new connection or a DC failover. The failover only happens "
+		 "if the domain has more than one DC. We will try to connect 3 "
+		 "times at most.\n");
 	for (retries = 0; retries < 3; retries++) {
 		bool found_dc;
 
-		DEBUG(10, ("cm_open_connection: dcname is '%s' for domain %s\n",
-			   domain->dcname ? domain->dcname : "", domain->name));
+		D_DEBUG("Attempt %d/3: DC '%s' of domain '%s'.\n",
+			retries,
+			domain->dcname ? domain->dcname : "",
+			domain->name);
 
 		found_dc = find_dc(mem_ctx, domain, request_flags, &fd);
 		if (!found_dc) {
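Review bot: the new `D_DEBUG("Attempt %d/3: ...")` passes `retries`, which starts at 0, so the log reads "Attempt 0/3" up to "Attempt 2/3". Pass `retries + 1` instead. The literal 3 now appears in the loop bound, in this message and in the `D_NOTICE` text above it; a single constant would keep the three in step.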
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 66d5b4a5a7b..2eeba24222a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1661,6 +1661,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 		retry = false;
 
+		D_DEBUG("Creating a DCERPC netlogon connection for SAM logon. "
+			"netlogon attempt: %d, samlogon attempt: %d.\n",
+			netr_attempts,
+			attempts);
 		result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
 						    &netlogon_creds_ctx);
 
diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
index fbb75790095..124cff25e39 100644
--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
@@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 	 * list only the attribute that have been modified since last interogation
 	 *
 	 */
-	newmsg = ldb_msg_new(dsc->req);
-	if (newmsg == NULL) {
-		return ldb_oom(ldb);
-	}
 	for (i = msg->num_elements - 1; i >= 0; i--) {
 		if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) {
 			int error = 0;
@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 			 */
 			return LDB_SUCCESS;
 		}
-		newmsg->dn = ldb_dn_new(newmsg, ldb, "");
-		if (newmsg->dn == NULL) {
-			return ldb_oom(ldb);
-		}
-
 		el = ldb_msg_find_element(msg, "objectGUID");
 		if ( el != NULL) {
 			guidfound = true;
@@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req,
 		 * well will uncomment the code bellow
 		 */
 		SMB_ASSERT(guidfound == true);
-		/*
-		if (guidfound == false) {
-			struct GUID guid;
-			struct ldb_val *new_val;
-			DATA_BLOB guid_blob;
-
-			tmp[0] = '\0';
-			txt = strrchr(txt, ':');
-			if (txt == NULL) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-			txt++;
-
-			status = GUID_from_string(txt, &guid);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			status = GUID_to_ndr_blob(&guid, msg, &guid_blob);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			new_val = talloc(msg, struct ldb_val);
-			if (new_val == NULL) {
-				return ldb_oom(ldb);
-			}
-			new_val->data = talloc_steal(new_val, guid_blob.data);
-			new_val->length = guid_blob.length;
-			if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-		}
-		*/
-		ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD);
-		talloc_steal(newmsg->elements, el->name);
-		talloc_steal(newmsg->elements, el->values);
-
-		talloc_steal(newmsg->elements, msg);
 		return ldb_module_send_entry(dsc->req, msg, controls);
 	}
 
+	newmsg = ldb_msg_new(dsc->req);
+	if (newmsg == NULL) {
+		return ldb_oom(ldb);
+	}
+
 	ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd,
 		(ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
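Review bot: the comment kept as context just above `SMB_ASSERT(guidfound == true);` still ends with "well will uncomment the code bellow", but this hunk deletes the commented-out block it refers to. Please drop or reword that comment in the same commit so it does not point at code that no longer exists.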
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
index 34576157f25..a8b65384910 100644
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
@@ -1,8 +1,8 @@
-Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
-Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
 Checked 231 objects (2 errors)
 Checking 231 objects
-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
-ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
 Fixed missing DN SID on attribute member
 Fixed missing DN SID on attribute member
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
index 9ac86fcf1ee..86ff44ea224 100644
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
+++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif
@@ -1381,7 +1381,7 @@ uSNChanged: 3597
 dn: CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp
 objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1,
  DC=samba,DC=corp


-- 
Samba Shared Repository


