samba.git/python/samba/tests/dcerpc, branch talloc-2.3.1 Unnamed repository; edit this file 'description' to name the repository. selftest: add end-to-end tests for mdssvc with a fake HTTP server 2019-10-09T14:35:29+00:00 Ralph Boehme slow@samba.org 2019-07-28T13:25:54+00:00 da7dec0a50fa5d9f6b92403d8703cd6b7a42159c Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Noel Power <noel.power@suse.com> 
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
rpc samr: EnumDomainUsers perf improvement 2019-08-30T07:08:36+00:00 Aaron Haslett aaronhaslett@catalyst.net.nz 2019-08-13T06:14:12+00:00 961f07fb76287359e6a10263b1ea8035367e5375 EnumDomainUsers currently takes too long, significantly slowing down calls to winbind's getpwent which is a core unix API. The time is taken up by a GUID lookup for every record in the cached result. The advantages of this approach are: 1. It meets the specified requirement that if a record yet to be returned by a search in progress (with a resume handle) is deleted or modified, the future returned results correctly reflect the new changes. 2. Memory footprint for a search in progress is only 16 bytes per record. But, those benefits are not worth the significant performance hit of the lookups, so this patch changes the function to run the search and cache the RIDs and names of all records matching the search when the request is made. This makes the memory footprint around 200 bytes per record or up to 2MB per concurrent search for a 100k user database. The speedup achieved by this change is around 50%, and in tandem with some winbindd improvements as part of the same task has achieved around 15x speedup for getpwent. The lost specification compliance is unlikely to cause a problem for any known usage of this RPC call. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
EnumDomainUsers currently takes too long, significantly slowing down
calls to winbind's getpwent which is a core unix API. The time is taken
up by a GUID lookup for every record in the cached result. The advantages
of this approach are:
1. It meets the specified requirement that if a record yet to be returned
	by a search in progress (with a resume handle) is deleted or
	modified, the future returned results correctly reflect the
	new changes.
2. Memory footprint for a search in progress is only 16 bytes per record.

But, those benefits are not worth the significant performance hit
of the lookups, so this patch changes the function to run the search
and cache the RIDs and names of all records matching the search when
the request is made. This makes the memory footprint around 200 bytes
per record or up to 2MB per concurrent search for a 100k user database.
The speedup achieved by this change is around 50%, and in tandem with
some winbindd improvements as part of the same task has achieved around
15x speedup for getpwent.

The lost specification compliance is unlikely to cause a problem for any
known usage of this RPC call.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/dcerpc/raw_protocol: Add more tests for DCERPC_AUTH_LEVEL_PACKET 2019-08-01T16:59:02+00:00 Günther Deschner gd@samba.org 2016-08-31T13:55:10+00:00 4b88e1d997cdb39c4b4e71ea742168598fbb2dff Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Aug 1 16:59:02 UTC 2019 on sn-devel-184 
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  1 16:59:02 UTC 2019 on sn-devel-184
tests/dcerpc/raw_protocol: split test_spnego_integrity_request into 2 parts 2019-08-01T15:40:17+00:00 Stefan Metzmacher metze@samba.org 2019-08-01T11:04:16+00:00 e0e68ea25514fdb05921eabec6a4cdd587a9844e This can be a generic test that can be used for more auth_levels. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This can be a generic test that can be used for more auth_levels.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
tests/dcerpc/raw_protocol: split test_spnego_connect_request() into 2 parts 2019-08-01T15:40:17+00:00 Stefan Metzmacher metze@samba.org 2019-08-01T11:04:16+00:00 ff2f20439c403340ec886bf31f055355dfbfcdbf This can be a generic test that can be used for more auth_levels. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This can be a generic test that can be used for more auth_levels.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2 2019-06-19T07:01:12+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2019-05-22T01:23:25+00:00 1cac79dd982496f1112dcb63339307cbb9ec00f1 We still want to return DOES_NOT_EXIST when request_filter is not 0. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We still want to return DOES_NOT_EXIST when request_filter is not 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation 2019-06-19T07:01:12+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2019-05-22T00:58:01+00:00 7ea74d55ad55027118ca8b32596f32ac4182dce6 We still want to return DOES_NOT_EXIST when request_filter is not 0. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We still want to return DOES_NOT_EXIST when request_filter is not 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s2 decrpc samr: Add tests for QueryDomainInfo 2019-02-14T04:03:23+00:00 Gary Lockyer gary@catalyst.net.nz 2019-02-13T01:34:06+00:00 f3fd2d9457920b3da3e0ce6c1c6ee77be6849c65 Add tests for the number of domain users, groups and aliases returned by QueryDomainInfo. These tests revealed that the existing code was not checking the returned elements to ensure they were part of the domain. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add tests for the number of domain users, groups and aliases returned by
QueryDomainInfo.

These tests revealed that the existing code was not checking the
returned elements to ensure they were part of the domain.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
py:dcerpc/raw_protocol: add tests to demonstrate how security context multiplexing works 2019-01-12T02:13:41+00:00 Stefan Metzmacher metze@samba.org 2018-11-21T10:01:55+00:00 a0b230631bcb0fd9b0299aa41711af08cc2594c3 Important things are this: - It's not required to use the bind time feature negotiation in order to use it, it's only a hint for the client, but nothing is really negotiated, unlike the request multiplexing with the DCERPC_PFC_FLAG_CONC_MPX. - There's special handling related to AUTH_LEVEL_CONNECT and requests without auth trailer - An security context is identified by the unique tuple of auth_type, auth_level and auth_context_id (all together!), not just the auth_context_id. - There's a limit of 2049 explicit authentication contexts. BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Important things are this:
- It's not required to use the bind time feature negotiation in order
  to use it, it's only a hint for the client, but nothing is really
  negotiated, unlike the request multiplexing with the
  DCERPC_PFC_FLAG_CONC_MPX.
- There's special handling related to AUTH_LEVEL_CONNECT
  and requests without auth trailer
- An security context is identified by the unique
  tuple of auth_type, auth_level and auth_context_id (all together!),
  not just the auth_context_id.
- There's a limit of 2049 explicit authentication contexts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
py:dcerpc/raw_testcase: add assertEqualsStrLower() 2019-01-12T02:13:41+00:00 Stefan Metzmacher metze@samba.org 2018-11-26T10:49:22+00:00 3f535ed1adfe9c7088852a2c6aa56988440ce8fa BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>