samba.git, branch talloc-2.1.10 Unnamed repository; edit this file 'description' to name the repository. talloc: version 2.1.10 2017-07-21T21:31:03+00:00 Stefan Metzmacher metze@samba.org 2017-07-21T12:33:57+00:00 be7f6f4d5d4bba6f3017cbc49700fd64c9fa86f1 * build, documentation and python3 improvements Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
* build, documentation and python3 improvements

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done() 2017-07-21T21:29:39+00:00 Stefan Metzmacher metze@samba.org 2017-07-20T09:56:21+00:00 13f91927e0f642e58c70d7b0b2f68df861ac661c This was missing in commit d718e92d5e145dccd492c46febc249e462ce50c6. Sadly we can't have automated tests for this as we only implement the client side for this protocol. I've tested with using: bin/smbtorture \ -W BLA --realm=BLA.BASE \ -s /dev/null -Uadministrator%A1b2C3d4 \ ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \ rpc.epmapper.epmapper.Lookup_simple \ and: bin/smbtorture \ -W BLA --realm=BLA.BASE \ -s /dev/null -Uadministrator%A1b2C3d4 \ ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \ rpc.epmapper.epmapper.Lookup_simple \ BUG: https://bugzilla.samba.org/show_bug.cgi?id=12919 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Jul 21 23:29:39 CEST 2017 on sn-devel-144 
This was missing in commit d718e92d5e145dccd492c46febc249e462ce50c6.

Sadly we can't have automated tests for this as we only implement
the client side for this protocol.

I've tested with using:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \
  rpc.epmapper.epmapper.Lookup_simple \

and:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \
  rpc.epmapper.epmapper.Lookup_simple \

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12919

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 21 23:29:39 CEST 2017 on sn-devel-144
winbindd: avoid refreshing sequence number when domain is offline 2017-07-21T17:11:13+00:00 Uri Simchoni uri@samba.org 2017-06-07T17:34:33+00:00 5c1e2f564ba75212be9fc48f8a6788a017060420 When there's no connectivity to the domain, avoid attempt to refresh sequence number. Before the change, this was avoided only if winbind offline logon was enabled. However, being able to operate based on cached data is desired even when offline logons are disabled (offline logons are about caching credentials for PAM authentication, a user may not want this and still want service from the SMB server during short AD disconnects). Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
When there's no connectivity to the domain, avoid attempt to
refresh sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
winbindd: queryuser - only get group name if needed 2017-07-21T17:11:13+00:00 Uri Simchoni uri@samba.org 2017-06-07T17:33:57+00:00 c819c7d58f05692628eb9673dfdca5dc1d212d43 When calculating the user entry for a user, the primary group id *name* might be needed if it is part of a home dir / shell template (%g or %G). Only resolve primary group SID to primary group name if it is needed, thereby saving a round-trip to the DC (and better handling situations where it is disconnected). Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
winbindd: cache name-to-sid from PAC based on lookup domain 2017-07-21T17:11:13+00:00 Uri Simchoni uri@samba.org 2017-06-07T17:33:24+00:00 e3a151e2472d97891c97cc898f27f3ccf712bf35 The name-to-sid lookup for trusted domains is not necessarily done against the domain - in AD member case it is done against the primary domain. Therefore the caching should also be done against the lookup domain. Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
vfs_ceph: fix cephwrap_chdir() 2017-07-21T17:10:46+00:00 David Disseldorp ddiss@samba.org 2017-07-14T21:55:29+00:00 1dcacff083019810e207a3d123a81fe32d9dde1a When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local* chdir() to the share path. This breaks smb client directory listings. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911 Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144 
When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144
selftest: Add test for password change when NTLM is disabled 2017-07-21T11:54:35+00:00 Tim Beale timbeale@catalyst.net.nz 2017-07-04T05:27:27+00:00 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7 When NTLM is disabled, the server should reject NTLM-based password changes. Changing the password is a bit complicated from python, but because the server should reject the password change outright with NTLM_BLOCKED, the test doesn't actually need to provide valid credentials. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144 
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE 2017-07-21T07:30:25+00:00 Andrew Bartlett abartlet@samba.org 2017-04-20T02:00:21+00:00 4031b303e495210ee8d6a4e2dd49974d90f9c402 This should not happen, but we have seen this happen in autobuild before the whole-DB locking issues were resolved by https://bugzilla.samba.org/show_bug.cgi?id=12858 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
This should not happen, but we have seen this happen in autobuild
before the whole-DB locking issues were resolved by
https://bugzilla.samba.org/show_bug.cgi?id=12858

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
build: fix ceph_statx check when configured with libcephfs_dir 2017-07-20T21:02:27+00:00 David Disseldorp ddiss@suse.de 2017-07-20T09:10:57+00:00 ff7df3d3f5259362a6bb6780d6b532e57e89681d When configured with a custom libcephfs_dir, the ceph_statx check fails to link. This is due to the location of the ceph-common dependency, which is installed under a ceph subdirectory. ceph/build > make DESTDIR=./inst install ... ceph/build > find inst/|grep -e /libcephfs -e /libceph-common inst/usr/local/lib64/ceph/libceph-common.so.0 inst/usr/local/lib64/ceph/libceph-common.so inst/usr/local/lib64/libcephfs.so.2.0.0 inst/usr/local/lib64/libcephfs.so.2 inst/usr/local/lib64/libcephfs.so inst/usr/local/include/cephfs/libcephfs.h Signed-off-by: David Disseldorp <ddiss@suse.de> Reviewed-by: Jeff Layton <jlayton@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Thu Jul 20 23:02:27 CEST 2017 on sn-devel-144 
When configured with a custom libcephfs_dir, the ceph_statx check fails
to link. This is due to the location of the ceph-common dependency,
which is installed under a ceph subdirectory.

ceph/build > make DESTDIR=./inst install
...
ceph/build > find inst/|grep -e /libcephfs -e /libceph-common
inst/usr/local/lib64/ceph/libceph-common.so.0
inst/usr/local/lib64/ceph/libceph-common.so
inst/usr/local/lib64/libcephfs.so.2.0.0
inst/usr/local/lib64/libcephfs.so.2
inst/usr/local/lib64/libcephfs.so
inst/usr/local/include/cephfs/libcephfs.h

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Jeff Layton <jlayton@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Jul 20 23:02:27 CEST 2017 on sn-devel-144
s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only) 2017-07-20T16:49:27+00:00 Noel Power noel.power@suse.com 2017-07-20T12:01:50+00:00 c57dcafb150823b00fd873046e65a966a8488fa8 uint16_t get_fileinfo(...) returns file attributes, this function called cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL, NULL, NULL, NULL); which was failing with NT_STATUS_ACCESS_DENIED errors when fnum above was obtained via (when using protocol > SMB). Note: This only seems to be an issue when run against a windows server, with smbd SMB1 & SMB2 work fine. status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum, NULL); The failing cli_qfileinfo_basic call above is unnecessary as we can already obtain the required information from the cli_ntcreate call Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> 
uint16_t get_fileinfo(...) returns file attributes, this function
called

     cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL,
                     NULL, NULL, NULL);

which was failing with NT_STATUS_ACCESS_DENIED errors when fnum above
was obtained via (when using protocol > SMB). Note: This only seems to be
an issue when run against a windows server, with smbd SMB1 & SMB2 work fine.

    status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
                  0, FILE_SHARE_READ|FILE_SHARE_WRITE,
                  FILE_OPEN, 0x0, 0x0, &fnum, NULL);

The failing cli_qfileinfo_basic call above is unnecessary as we can already
obtain the required information from the cli_ntcreate call

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>