[SCM] Samba Shared Repository - branch v4-20-test updated

Jule Anger janger at samba.org
Mon Feb 12 11:56:01 UTC 2024


The branch, v4-20-test has been updated
       via  f8dfce94822 WHATSNEW: Explain new AD DC Claims, authentication policies and Silos
       via  4872b0abf6b WHATSNEW: Add some information about new conditional aces feature
       via  8e8b8fc0548 WHATSNEW: note "acl_claims evaluation" smb.conf option
       via  7f338d6119a ndr: ignore trailing bytes in ndr_pull_security_ace()
       via  0f81aec9a19 ndr: ndr_push_security_ace: calculate coda size once
       via  4808478685c ndr: avoid object ACE push overhead for non-object ACE
       via  276e67fe174 ndr: avoid object ACE pull overhead for non-object ACE
       via  5c0f6a20745 ndr: do not push ACE->coda.ignored blob
       via  d4547daf5ee ndr: mark invalid pull ndr_flags as unlikely
       via  5d0d17a92db ndr: skip talloc when pulling empty DATA_BLOB
       via  e61d447690f ndr: ACE push avoids no-op coda pushes
       via  e4cf11b1b39 ndr: make security_ace push manual
       via  c9974e622bf ndr: short-circuit ace coda if no bytes left
       via  8787185a6ca ndr: shift ndr_pull_security_ace to manual code
       via  f8014cae2eb pidl: calculate subcontext_size only once per pull
       via  b5289d66e9e perftest: ndr_pack runs in none environment
       via  fb49ce47609 perftest:ndr_pack: spin in do_nothing for a while
       via  14edd0fd1ef perftest:ndr_pack: use a valid dummy SID
       via  1287f182167 perftest:ndr_pack_performance: remove irrelevant imports, options
       via  7f0bdf2b99e perftest:ndr_pack: slightly reduce python overhead
       via  66fa6885551 perftest: ndr_pack_performance gets more SD types
       via  daf5b5f5eb2 perftest:ndr_pack: rename SD tests with object ACEs
      from  59365287486 docs-xml: Build and install man page for wspsearch

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit f8dfce94822f043d27de2d92a3f0b3d0f27c5de4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Feb 1 11:33:27 2024 +1300

    WHATSNEW: Explain new AD DC Claims, authentication policies and Silos
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-20-test): Mon Feb 12 11:55:51 UTC 2024 on atb-devel-224

commit 4872b0abf6b085f7e7ae14524be6fe99887468fe
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 15 15:21:11 2024 +1300

    WHATSNEW: Add some information about new conditional aces feature
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 8e8b8fc0548fc497473aad09e6f0f0a55e572da8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 15 15:22:27 2024 +1300

    WHATSNEW: note "acl_claims evaluation" smb.conf option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 7f338d6119acd5a3129248d4e61df626f4087560
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 8 15:05:35 2024 +1300

    ndr: ignore trailing bytes in ndr_pull_security_ace()
    
    This returns the behaviour with ordinary ACEs to where it was with 4.19.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 0c1f421c107be3156b3f1db75aced24a1bca3d2f)

commit 0f81aec9a19fe3f0c7d1bcc26c2d354a22747903
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 8 14:50:30 2024 +1300

    ndr: ndr_push_security_ace: calculate coda size once
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit a72c198921f64f2502f543c7158762c64cb3074e)

commit 4808478685caea32b5d5580a940b314f785000c3
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 1 10:21:55 2024 +1300

    ndr: avoid object ACE push overhead for non-object ACE
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit ecb5da3e49283ca3a03dea81d22db4a081e192e4)

commit 276e67fe174caab58d9a020a9357ca0d04631f13
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 1 10:21:33 2024 +1300

    ndr: avoid object ACE pull overhead for non-object ACE
    
    When an ACE is not an object ACE, which is common, setting the switch
    value and attempting the object ACE GUID pull is just going to do
    nothing, and we know that ahead of time. By noticing that we can save
    a bit of time on a common operation.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit fce4d51eb492a6fc807c6849cd4bd65ca7714509)

commit 5c0f6a207453c1ef11fc8cef42ab0a6b02abf99b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Dec 31 17:45:36 2023 +1300

    ndr: do not push ACE->coda.ignored blob
    
    From 1e80221b2340de5ef5e2a17f10511bbc2c041163 (2008) until
    c73034cf7c4392f5d3505319948bc84634c20fa5 (conditional ACEs, etc, 2023)
    we had a manual ndr_pull_security_ace() that would discard trailing
    bytes, which are those bytes that we now call the coda. The ACE types
    that we handled then are those that end up with a coda.ignored data
    blob.
    
    With this we effectively restore the long-standing behaviour in the
    event that we push and pull an ACE -- though now we discard the
    ignored bytes on push rather than pull.
    
    This change is not because the trailing bytes caused any problems (as
    far as is known), but because it is much faster to not do the push.
    
    It may be that such ACEs no longer occur.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 2a60ec98409b161cfeb4b51414ba61feb26c01b9)

commit d4547daf5eed02e7820519a40cff42259fa74d43
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Dec 29 15:27:08 2023 +1300

    ndr: mark invalid pull ndr_flags as unlikely
    
    This might have little effect, but sometimes we see primitives like
    ndr_pull_uint32() taking a few percent of the CPU time, and this is in
    all those functions.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 4face258dee93dcd01dce71fcb7448b285ff4860)

commit 5d0d17a92db235cecb5bbe4c6a0efc29a294c745
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Dec 29 15:15:48 2023 +1300

    ndr: skip talloc when pulling empty DATA_BLOB
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit c2673b02a7a51761e8b6631eb0c0e7062cbbed7b)

commit e61d447690f12a5e9be236517716d63626a859f8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Dec 31 17:39:23 2023 +1300

    ndr: ACE push avoids no-op coda pushes
    
    We don't expect an ordinary ACE to have a non-empty coda, and we don't
    really want to push it if it does, but for this patch we still will.
    
    This will not change the data on the wire.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit ee1b8ae04b10306c059174a5b4b637b080fe23fd)

commit e4cf11b1b399daca6de070f6166e66ce85d81894
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Dec 31 17:30:47 2023 +1300

    ndr: make security_ace push manual
    
    This will allow some optimisations; in this commit we just copy the
    code.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit dc08e7924c2e359afeb4b86f306868cad00189a0)

commit c9974e622bf0a62d65376d4bae417924f7ec8e03
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Dec 31 13:06:40 2023 +1300

    ndr: short-circuit ace coda if no bytes left
    
    The overwhelmingly common case is that there are no bytes left, and
    regardless of the ACE type we want to store an empty blob.
    
    We know the blob will be empty if there are no bytes, so we don't need
    to allocate a sub-ndr and tokens list and so forth.
    
    This can save almost half the time of a security descriptor pull.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit ac0c8ee01ea624e9c486251da2132710c2a43ddc)

commit 8787185a6caef33f3053ae29587ea88d06d30be1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sun Dec 31 13:03:32 2023 +1300

    ndr: shift ndr_pull_security_ace to manual code
    
    This was manual until commit c73034cf7c4392f5d3505319948bc84634c20fa5
    (a few months ago).
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 1e6a876c2cc4b3b54895dde879492e756bb9b963)

commit f8014cae2ebebd1364806e92d6a0c19ace4c7789
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Dec 28 23:07:56 2023 +1300

    pidl: calculate subcontext_size only once per pull
    
    For security_ace_coda in security.idl, the sub-context size
    involves a slightly non-trivial function call which returns a constant
    value.
    
    In all other cases, a constant expression is used, and this makes
    no difference.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 9811762775b28e16035afb2c319b55c4bf3699d3)

commit b5289d66e9ed6f95419b908f005c14c3afe42528
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jan 5 13:19:39 2024 +1300

    perftest: ndr_pack runs in none environment
    
    This is worth changing, because having a server running in the
    background can only add noise to the results.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 5fa663766548eac2cc5932ae03d03b79ad1751b5)

commit fb49ce4760979194bddd644bfe8f497f34e7193d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Jan 4 01:54:29 2024 +1300

    perftest:ndr_pack: spin in do_nothing for a while
    
    The idea was to get a less jittery idea of the underlying noise, but
    it is still almost instant. This I suppose is useful in indicating
    that this much of the test has very little overhead.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 93e6ea4cff2cb6bd084db27139addeea06945ea5)

commit 14edd0fd1ef8b05e51ce8f67c1208c8160cd59f0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Jan 4 01:52:39 2024 +1300

    perftest:ndr_pack: use a valid dummy SID
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit 2f68545087f25e5d4c7a7742d99527c7ebbd02ab)

commit 1287f182167253c03e84fa6a934c7df38323ddeb
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Jan 4 01:51:56 2024 +1300

    perftest:ndr_pack_performance: remove irrelevant imports, options
    
    This includes removing the ANCIENT_SAMBA switch for pre-4.3, as
    nobody cares anymore and many tests would not run correctly anyway.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit ceb5389260c4469a8f03ee884325ca981c18a36a)

commit 7f0bdf2b99e0891c2705b3472cace34b2b20f280
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Jan 3 09:43:01 2024 +1300

    perftest:ndr_pack: slightly reduce python overhead
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit d25fe2447b553087f6285c80907ca5d0debcd827)

commit 66fa6885551e3d16692f5dab23f9c7bdf0c52e66
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Mon Jan 1 21:48:15 2024 +1300

    perftest: ndr_pack_performance gets more SD types
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit e802611743a9b899c18d6eeaa0a46323b676c296)

commit daf5b5f5eb2906e793836505d4777c8340b633d1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Jan 3 09:26:51 2024 +1300

    perftest:ndr_pack: rename SD tests with object ACEs
    
    We are looking at an optimisation for non-object ACEs, which
    are more common, but these tests are overwhelmed by object
    (OA) ACEs.
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
    (cherry picked from commit d5371f6bcd2fe991d08fcf2006ce62e6a7449ae9)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                      |  85 +++++++++++++++
 librpc/idl/security.idl                           |   2 +-
 librpc/ndr/libndr.h                               |   2 +-
 librpc/ndr/ndr_basic.c                            |   6 ++
 librpc/ndr/ndr_sec_helper.c                       | 107 ++++++++++++++++++-
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm          |   5 +-
 selftest/perf_tests.py                            |   4 +-
 source4/dsdb/tests/python/ndr_pack_performance.py | 121 ++++++++++------------
 8 files changed, 261 insertions(+), 71 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8158a80288c..f7c38dc9f0e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -108,6 +108,90 @@ New options added are:
                         and all files/directories below.
  - '--restore savefile' Restores the stored DACLS to files in directory
 
+Samba-tool extensions for AD Claims, Authentication Policies and Silos
+----------------------------------------------------------------------
+
+samba-tool now allows users to be associated with claims.  In the
+Samba AD DC, claims derive from Active Directory attributes mapped
+into specific names.  These claims can be used in rules, which are
+conditional ACEs in a security descriptor, that decide if a user is
+restricted by an authentication policy.
+
+samba-tool also allows the creation and management of authentication
+policies, which are rules about where a user may authenticate from,
+if NTLM is permitted, and what services a user may authenticate to.
+
+Finally, support is added for the creation and management of
+authentication silos, which are helpful in defining network boundaries
+by grouping users and the services they connect to.
+
+Please note: The command line syntax for these tools is not final, and
+may change before the next release, as we gain user feedback.  The
+syntax will be locked in once Samba offers 2016 AD Functional Level as
+a default.
+
+AD DC support for Authentication Silos and Authentication Policies
+------------------------------------------------------------------
+
+The Samba AD DC now also honours any existing claims, authentication
+policy and authentication silo configuration previously created (eg
+from an import of a Microsoft AD), as well as new configurations
+created with samba-tool.  The use of Microsoft's Powershell based
+client tools is not expected to work.
+
+To use this feature, the functional level must be set to 2012_R2 or
+later with:
+
+ ad dc functional level = 2016
+
+in the smb.conf.
+
+The smb.conf file on each DC must have 'ad dc functional level = 2016'
+set to have the partially complete feature available.  This will also,
+at first startup, update the server's own AD entry with the configured
+functional level.
+
+For new domains, add these parameters to 'samba-tool provision'
+
+--option="ad dc functional level = 2016" --function-level=2016
+
+The second option, setting the overall domain functional level
+indicates that all DCs should be at this functional level.
+
+To raise the domain functional level of an existing domain, after
+updating the smb.conf and restarting Samba run
+samba-tool domain schemaupgrade --schema=2019
+samba-tool domain functionalprep --function-level=2016
+samba-tool domain level raise --domain-level=2016 --forest-level=2016
+
+This support is still new, so is not enabled by default in this
+release.  The above instructions are set at 2016, which while not
+complete, matches what our testing environment validates.
+
+Conditional ACEs and Resource Attribute ACEs
+--------------------------------------------
+
+Ordinary Access Control Entries (ACEs) unconditionally allow or deny
+access to a given user or group. Conditional ACEs have an additional
+section that describes conditions under which the ACE applies. If the
+conditional expression is true, the ACE works like an ordinary ACE,
+otherwise it is ignored. The condition terms can refer to claims,
+group memberships, and attributes on the object itself. These
+attributes are described in Resource Attribute ACEs that occur in the
+object's System Access Control List (SACL). Conditional ACEs are
+described in Microsoft documentation.
+
+Conditional ACE evaluation is controlled by the "acl claims
+evaluation" smb.conf option. The default value is "AD DC only" which
+enables them in AD DC settings. The other option is "never", which
+disables them altogether. There is currently no option to enable them
+on the file server (this is likely to change in future releases).
+
+The Security Descriptor Definition Language has extensions for
+conditional ACEs and resource attribute ACEs; these are now supported
+by Samba.
+
+
 REMOVED FEATURES
 ================
 
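Review bot: the functional-level prose in this hunk contradicts itself: "the functional level must be set to 2012_R2 or later" is immediately followed by an example that sets 2016, and the next paragraph says the smb.conf "must have 'ad dc functional level = 2016'". State one requirement, for instance that 2012_R2 is the minimum and 2016 is the value the test environment validates, as the closing paragraph implies. The three samba-tool commands after "restarting Samba run" are not set off from the prose; ending that sentence with a colon and indenting the commands the way the "--option=..." line above is indented would make them readable as commands. Minor: "eg" should be "e.g." and "Powershell" should be "PowerShell".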
@@ -127,6 +211,7 @@ smb.conf changes
   Parameter Name                          Description     Default
   --------------                          -----------     -------
   smb3 unix extensions                    Per share       -
+  acl claims evaluation                   new             AD DC only
 
 
 KNOWN ISSUES
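Review bot: the Description column entry for "acl claims evaluation" is "new", which describes nothing about the parameter, while the row above carries a real description ("Per share"). Replace "new" with a short description of what the option controls so the table stays consistent with its header.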
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d1552475b63..8783b678157 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -715,7 +715,7 @@ interface security
 		[default][flag(NDR_REMAINING)] DATA_BLOB ignored;
 	} security_ace_coda;
 
-	typedef [public,gensize,nosize] struct {
+	typedef [public,gensize,nosize,nopush,nopull] struct {
 		security_ace_type type;  /* SEC_ACE_TYPE_* */
 		security_ace_flags flags; /* SEC_ACE_FLAG_* */
 		[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
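Review bot: adding nopush,nopull drops the generated marshalling for security_ace, but nothing in the IDL tells a reader where the code now lives. A one-line comment above the typedef pointing at the manual ndr_pull_security_ace()/ndr_push_security_ace() in librpc/ndr/ndr_sec_helper.c would save the next person a search through the tree.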
diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index 70dd01e49a6..03d1aead01a 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -367,7 +367,7 @@ enum ndr_compression_alg {
 };
 
 #define NDR_PULL_CHECK_FLAGS(ndr, ndr_flags) do { \
-	if ((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS)) { \
+	if (unlikely((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS))) { \
 		return ndr_pull_error(ndr, NDR_ERR_FLAGS, "Invalid pull struct ndr_flags 0x%"PRI_NDR_FLAGS_TYPE, ndr_flags); \
 	} \
 } while (0)
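Review bot: this puts unlikely() inside a macro that expands in every file using NDR_PULL_CHECK_FLAGS, and libndr.h is consumed well beyond ndr_basic.c. Check that unlikely() is guaranteed to be defined for every includer of libndr.h, including any out-of-tree consumer of the public NDR headers; if it is only available through an internal include, the macro will fail to compile there. A sibling change to NDR_PUSH_CHECK_FLAGS would also keep the two macros symmetrical.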
diff --git a/librpc/ndr/ndr_basic.c b/librpc/ndr/ndr_basic.c
index fc8620f28c7..5fd15730a74 100644
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -1453,6 +1453,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_DATA_BLOB(struct ndr_pull *ndr, ndr_flags_ty
 	} else {
 		NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &length));
 	}
+	if (length == 0) {
+		/* skip the talloc for an empty blob */
+		blob->data = NULL;
+		blob->length = 0;
+		return NDR_ERR_SUCCESS;
+	}
 	NDR_PULL_NEED_BYTES(ndr, length);
 	*blob = data_blob_talloc(ndr->current_mem_ctx, ndr->data+ndr->offset, length);
 	ndr->offset += length;
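Review bot: the early return changes how an empty blob is represented: before, a zero-length blob still went through data_blob_talloc() with the current offset as source (which may hand back a non-NULL zero-length allocation), after, blob->data is NULL. Any caller that tests data == NULL to mean "absent" rather than "empty" will behave differently; confirm there are none, or record the NULL-for-empty convention in the function's comment so it is relied on deliberately. Skipping NDR_PULL_NEED_BYTES(ndr, 0) itself is harmless.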
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index d74d31b2823..f870a17aafc 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -64,7 +64,11 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
 	} else if (ace->type == SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE) {
 		ret += ndr_size_security_ace_coda(&ace->coda, ace->type, flags);
 	} else {
-		ret += ace->coda.ignored.length;
+		/*
+		 * Normal ACEs have a coda.ignored blob that is always or
+		 * almost always empty. We aren't going to push it (it is
+		 * ignored), so we don't add that length to the size.
+		 */
 	}
 	/* round up to a multiple of 4  (MS-DTYP 2.4.4.1) */
 	ret = (ret + 3ULL) & ~3ULL;
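Review bot: dropping ace->coda.ignored.length from the computed size means ndr_size_security_ace() no longer matches the on-the-wire length of an ACE that was pulled with trailing bytes, so a pull/push round trip of such an ACE is no longer byte-identical. The commit message says this is intended, but the new comment in the else branch only gives the performance motivation; it should also state the behavioural consequence (trailing bytes are discarded on push). A test that round-trips an ACE carrying trailing bytes would pin that behaviour down.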
@@ -75,6 +79,107 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
 	return ret;
 }
 
+
+static inline enum ndr_err_code ndr_maybe_pull_security_ace_object_ctr(struct ndr_pull *ndr,
+								       ndr_flags_type ndr_flags,
+								       struct security_ace *r)
+{
+	/*
+	 * If this is not an object ACE (as is usually common),
+	 * ndr_pull_security_ace_object_ctr() will do nothing.
+	 *
+	 * By avoiding calling the function in that case, we avoid some
+	 * tallocing and ndr token busywork.
+	 */
+	bool is_object = sec_ace_object(r->type);
+	if (is_object) {
+		NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, is_object));
+		NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct security_ace *r)
+{
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		ssize_t sub_size;
+		NDR_CHECK(ndr_pull_align(ndr, 5));
+		NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
+		NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
+		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
+		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
+		NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+		NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+		sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
+		if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+			r->coda.ignored.data = NULL;
+			r->coda.ignored.length = 0;
+		} else {
+			struct ndr_pull *_ndr_coda;
+			NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
+			NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, &r->coda, r->type));
+			NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+			NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_coda, 0, sub_size));
+		}
+		NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+
+static inline enum ndr_err_code ndr_maybe_push_security_ace_object_ctr(struct ndr_push *ndr,
+								       ndr_flags_type ndr_flags,
+								       const struct security_ace *r)
+{
+	/*
+	 * ndr_push_security_ace_object_ctr() does nothing (except tallocing
+	 * and ndr_token fiddling) unless the ACE is an object ACE, which is
+	 * usually very unlikely.
+	 */
+	bool is_object = sec_ace_object(r->type);
+	if (is_object) {
+		NDR_CHECK(ndr_push_set_switch_value(ndr, &r->object, is_object));
+		NDR_CHECK(ndr_push_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct security_ace *r)
+{
+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		NDR_CHECK(ndr_push_align(ndr, 5));
+		NDR_CHECK(ndr_push_security_ace_type(ndr, NDR_SCALARS, r->type));
+		NDR_CHECK(ndr_push_security_ace_flags(ndr, NDR_SCALARS, r->flags));
+		NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, ndr_size_security_ace(r, ndr->flags)));
+		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->access_mask));
+		NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+		NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+		if (sec_ace_has_extra_blob(r->type)) {
+			struct ndr_push *_ndr_coda;
+			size_t coda_size = ndr_subcontext_size_of_ace_coda(
+				r,
+				ndr_size_security_ace(r, ndr->flags),
+				ndr->flags);
+			NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_coda, 0, coda_size));
+			NDR_CHECK(ndr_push_set_switch_value(_ndr_coda, &r->coda, r->type));
+			NDR_CHECK(ndr_push_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+			NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_coda, 0, coda_size));
+		}
+		NDR_CHECK(ndr_push_trailer_align(ndr, 5));
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+
 /*
  * An ACE coda can't be bigger than the space allowed for by
  * ace->size, so we need to check this from the context of the ACE.
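Review bot: in ndr_pull_security_ace() sub_size is declared ssize_t but the guard only checks sub_size == 0; if ndr_subcontext_size_of_ace_coda() can return a negative value (the helper's own comment below says the coda must fit inside ace->size, so an error result is plausible), that negative value is passed straight into ndr_pull_subcontext_start(). Handle sub_size < 0 explicitly with an ndr_pull_error() rather than relying on the subcontext code to reject it. In ndr_push_security_ace(), ndr_size_security_ace(r, ndr->flags) is evaluated twice, once for the uint16 size field and again as the second argument to ndr_subcontext_size_of_ace_coda(); computing it once into a local at the top of the NDR_SCALARS block matches the intent of the "calculate coda size once" commit and removes a second walk of the ACE.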
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 859da0a914f..d7386d5b2cc 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -603,7 +603,8 @@ sub ParseSubcontextPullStart($$$$$)
 	$self->pidl("{");
 	$self->indent;
 	$self->pidl("struct ndr_pull *$subndr;");
-	$self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+	$self->pidl("ssize_t sub_size = $subcontext_size;");
+	$self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, sub_size));");
 
 	if (defined $l->{COMPRESSION}) {
 		$subndr = $self->ParseCompressionPullStart($e, $l, $subndr, $env);
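Review bot: the generated variable is a hard-coded name, `sub_size`, that ParseSubcontextPullEnd() (the next hunk) silently depends on being in scope. That works today because both subs emit into the same `{ ... }` block opened here, but the coupling is invisible to anyone editing either sub on its own; a comment in both places naming the shared variable, or threading the name through a Perl variable the way $subndr already is, would make it harder to break. Also note that if two subcontexts were ever emitted in the same C block, the second `ssize_t sub_size` declaration would be a redefinition, so the block-per-subcontext structure is load-bearing.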
@@ -622,7 +623,7 @@ sub ParseSubcontextPullEnd($$$$$)
 		$self->ParseCompressionPullEnd($e, $l, $subndr, $env);
 	}
 
-	$self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+	$self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, sub_size));");
 	$self->deindent;
 	$self->pidl("}");
 }
diff --git a/selftest/perf_tests.py b/selftest/perf_tests.py
index 2aed9deded9..cfbbf0e056e 100644
--- a/selftest/perf_tests.py
+++ b/selftest/perf_tests.py
@@ -26,8 +26,8 @@ plantestsuite_loadlist("samba4.ldap.ad_dc_performance.python(ad_dc_ntvfs)",
                         '--workgroup=$DOMAIN',
                         '$LOADLIST', '$LISTOPT'])
 
-plantestsuite_loadlist("samba4.ndr_pack_performance.python(ad_dc_ntvfs)",
-                       "ad_dc_ntvfs",
+plantestsuite_loadlist("samba4.ndr_pack_performance.python",
+                       "none",
                        [python, os.path.join(samba4srcdir,
                                              "dsdb/tests/python/ndr_pack_performance.py"),
                         '$SERVER', '-U"$USERNAME%$PASSWORD"',
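Review bot: moving the suite to the "none" environment is the right call for a pure packing benchmark, but the command line still passes '$SERVER' and '-U"$USERNAME%$PASSWORD"' (the context lines just below), and the option parsing and host handling that consumed them are deleted from ndr_pack_performance.py elsewhere in this same change, so the arguments are now dead. Drop them so the test entry no longer suggests a server dependency, and so no credentials are passed to a process that does not need them.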
diff --git a/source4/dsdb/tests/python/ndr_pack_performance.py b/source4/dsdb/tests/python/ndr_pack_performance.py
index 5defacf19ec..45c1816df39 100644
--- a/source4/dsdb/tests/python/ndr_pack_performance.py
+++ b/source4/dsdb/tests/python/ndr_pack_performance.py
@@ -4,10 +4,7 @@ import optparse
 import sys
 sys.path.insert(0, 'bin/python')
 
-import os
 import samba
-import samba.getopt as options
-import random
 import gzip
 
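Review bot: `import optparse` (visible in the hunk header context on the line above) survives this cleanup even though the optparse-based parser it fed is removed further down in the file; remove it with the other dead imports. `sys` is still needed for the sys.path.insert() call, so that one stays.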
 # We try to use the test infrastructure of Samba 4.3+, but if it
@@ -16,45 +13,13 @@ import gzip
 #
 # Don't copy this horror into ordinary tests -- it is special for
 # performance tests that want to apply to old versions.
-try:
-    from samba.tests.subunitrun import SubunitOptions, TestProgram
-    ANCIENT_SAMBA = False
-except ImportError:
-    ANCIENT_SAMBA = True
-    samba.ensure_external_module("testtools", "testtools")
-    samba.ensure_external_module("subunit", "subunit/python")
-    from subunit.run import SubunitTestRunner
-    import unittest
+
+from samba.tests.subunitrun import TestProgram
 
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.dcerpc import security
 from samba.dcerpc import drsuapi
 
-parser = optparse.OptionParser("ndr_pack_performance.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-if not ANCIENT_SAMBA:
-    subunitopts = SubunitOptions(parser)
-    parser.add_option_group(subunitopts)
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
-    parser.print_usage()
-    sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-random.seed(1)
-
 
 BIG_SD_SDDL = ''.join(
     """O:S-1-5-21-3328325300-3937145445-4190589019-512G:S-1-5-2
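Review bot: the comment kept as context immediately above this hunk ("We try to use the test infrastructure of Samba 4.3+, but if it ... Don't copy this horror into ordinary tests") describes exactly the try/except fallback this hunk deletes. It is now misleading and should be removed, or shortened to a note that the file only targets current Samba.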
@@ -130,6 +95,23 @@ IOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa0030
 0aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0d
 e6-11d0-a285-00aa003049e2;ED)""".split())
 
+
+CONDITIONAL_ACE_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
+                        '(@USER.ad://ext/AuthenticationSilo == "siloname"))')
+
+NON_OBJECT_SDDL = (
+    "O:S-1-5-21-2212615479-2695158682-2101375468-512"
+    "G:S-1-5-21-2212615479-2695158682-2101375468-513"
+    "D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+    "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
+    "(A;OICIIO;FA;;;CO)"
+    "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+    "(A;OICI;FA;;;SY)"
+    "(A;OICI;0x1200a9;;;AU)"
+    "(A;OICI;0x1200a9;;;ED)")
+
+
+
 # set SCALE = 100 for normal test, or 1 for testing the test.
 SCALE = 100
 
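Review bot: NON_OBJECT_SDDL contains the same ACE twice, "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)" is both the first and the fourth DACL entry. If the duplication is deliberate because the string mirrors a real descriptor, a comment saying so will stop the next reader from "fixing" it; if not, drop one copy so the benchmark does not measure a redundant ACE. Style: three blank lines follow the constant where the rest of the file uses two.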
@@ -144,57 +126,82 @@ class UserTests(samba.tests.TestCase):
         return f.read()
 
     def get_desc(self, sddl):
-        dummy_sid = security.dom_sid("S-2-0-0")
+        dummy_sid = security.dom_sid("S-1-2-3")
         return security.descriptor.from_sddl(sddl, dummy_sid)
 
     def get_blob(self, sddl):
         return ndr_pack(self.get_desc(sddl))
 
-    def test_00_00_do_nothing(self):
+    def test_00_00_do_nothing(self, cycles=10000):
         # this gives us an idea of the overhead
-        pass
+        for i in range(SCALE * cycles):
+            pass
 
     def _test_pack(self, unpacked, cycles=10000):
+        pack = unpacked.__ndr_pack__
         for i in range(SCALE * cycles):
-            ndr_pack(unpacked)
+            pack()
 
     def _test_unpack(self, blob, cycles=10000, cls=security.descriptor):
         for i in range(SCALE * cycles):
-            ndr_unpack(cls, blob)
+            cls().__ndr_unpack__(blob)
 
     def _test_pack_unpack(self, desc, cycles=5000, cls=security.descriptor):
         blob2 = ndr_pack(desc)
-
         for i in range(SCALE * cycles):
             blob = ndr_pack(desc)
             desc = ndr_unpack(cls, blob)
 
         self.assertEqual(blob, blob2)
 
-    def test_pack_big_sd(self):
+    def test_pack_big_sd_with_object_aces(self):
         unpacked = self.get_desc(BIG_SD_SDDL)
         self._test_pack(unpacked)
 
-    def test_unpack_big_sd(self):
+    def test_unpack_big_sd_with_object_aces(self):
         blob = self.get_blob(BIG_SD_SDDL)
         self._test_unpack(blob)
 
-    def test_pack_unpack_big_sd(self):
+    def test_pack_unpack_big_sd_with_object_aces(self):
         unpacked = self.get_desc(BIG_SD_SDDL)
         self._test_pack_unpack(unpacked)
 
-    def test_pack_little_sd(self):
+    def test_pack_little_sd_with_object_aces(self):
         unpacked = self.get_desc(LITTLE_SD_SDDL)
         self._test_pack(unpacked)
 
-    def test_unpack_little_sd(self):
+    def test_unpack_little_sd_with_object_aces(self):
         blob = self.get_blob(LITTLE_SD_SDDL)
         self._test_unpack(blob)
 
-    def test_pack_unpack_little_sd(self):
+    def test_pack_unpack_little_sd_with_object_aces(self):
         unpacked = self.get_desc(LITTLE_SD_SDDL)
         self._test_pack_unpack(unpacked)
 
+    def test_pack_conditional_ace_sd(self):
+        unpacked = self.get_desc(CONDITIONAL_ACE_SDDL)
+        self._test_pack(unpacked)
+
+    def test_unpack_conditional_ace_sd(self):
+        blob = self.get_blob(CONDITIONAL_ACE_SDDL)
+        self._test_unpack(blob)
+
+    def test_pack_unpack_conditional_ace_sd(self):
+        unpacked = self.get_desc(CONDITIONAL_ACE_SDDL)
+        self._test_pack_unpack(unpacked)
+
+    def test_pack_non_object_sd(self):
+        unpacked = self.get_desc(NON_OBJECT_SDDL)
+        self._test_pack(unpacked)
+
+    def test_unpack_non_object_sd(self):
+        blob = self.get_blob(NON_OBJECT_SDDL)
+        self._test_unpack(blob)
+
+    def test_pack_unpack_non_object_sd(self):
+        unpacked = self.get_desc(NON_OBJECT_SDDL)
+        self._test_pack_unpack(unpacked)
+
     def test_unpack_repl_sample(self):
         blob = self.get_file_blob('testdata/replication-ndrpack-example.gz')
         self._test_unpack(blob, cycles=20, cls=drsuapi.DsGetNCChangesCtr6)
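Review bot: _test_pack() and _test_unpack() now call the private __ndr_pack__()/__ndr_unpack__() methods to cut Python overhead, while _test_pack_unpack() still goes through ndr_pack()/ndr_unpack(); the two sets of results are therefore no longer directly comparable, and the pack-only and unpack-only numbers no longer include the public wrapper cost at all. Either apply the same shortcut in _test_pack_unpack() or add a comment stating that the wrapper overhead is intentionally excluded from those two. Also, test_00_00_do_nothing() gained a cycles parameter that the test runner never passes; either drop it or note that it exists for manual calls.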
@@ -205,18 +212,4 @@ class UserTests(samba.tests.TestCase):
         self._test_pack(desc, cycles=20)
 
 
-if "://" not in host:
-    if os.path.isfile(host):
-        host = "tdb://%s" % host
-    else:
-        host = "ldap://%s" % host


-- 
Samba Shared Repository


