samba.git/source4/dsdb, branch talloc-2.3.4 Unnamed repository; edit this file 'description' to name the repository. dsdb: Do not reuse "ret" variable as return code and for memcmp() comparison 2022-05-05T01:19:54+00:00 Andrew Bartlett abartlet@samba.org 2022-03-31T08:22:08+00:00 7a36b01888995031d00dbdba208fc9f522658f86 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu May 5 01:19:54 UTC 2022 on sn-devel-184 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May  5 01:19:54 UTC 2022 on sn-devel-184
tests/passwords: Add tests for password history with simple binds 2022-05-05T00:27:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-11T04:43:42+00:00 c294f729110f59b68c567bfe2b6da3a297a829a9 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/passwords: Remove unused imports 2022-05-05T00:27:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-11T04:37:10+00:00 08904752bba49039cf90534e6285defa17d23a0b Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest: Rework password_lockout_base.py to allow logon_basics test to be run in ad_dc_no_ntlm 2022-05-05T00:27:33+00:00 Andrew Bartlett abartlet@samba.org 2022-03-31T09:45:40+00:00 a9caf760b6f952461ecd4894b0cab1c2648f1e96 We need to ensure that even if NTLM is disabled, that the test can still bootstrap and fail normally. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
We need to ensure that even if NTLM is disabled, that the test
can still bootstrap and fail normally.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
dsdb: Clarify that most errors in make_error_and_update_badPwdCount() are not returned 2022-05-05T00:27:33+00:00 Andrew Bartlett abartlet@samba.org 2022-03-31T23:06:45+00:00 5348bd80035025e91158088db8efdea971b70557 This is mainly just to be clear, and was done while failing to work around compiler warnings. For the curious it was gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (CentOS 7) build with -O3, which gave with other, later patches: ../../source4/dsdb/samdb/ldb_modules/password_hash.c: In function ‘check_password_restrictions_and_log’: ../../source4/dsdb/samdb/ldb_modules/password_hash.c:3231:5: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow] if (ret == LDB_SUCCESS) { ^ Regardless, we make it clear that all values assigned to "ret" are local small constants. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
This is mainly just to be clear, and was done while failing to work around compiler
warnings.

For the curious it was gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (CentOS 7)
build with -O3, which gave with other, later patches:

../../source4/dsdb/samdb/ldb_modules/password_hash.c: In function ‘check_password_restrictions_and_log’:
../../source4/dsdb/samdb/ldb_modules/password_hash.c:3231:5: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
  if (ret == LDB_SUCCESS) {
     ^

Regardless, we make it clear that all values assigned to "ret" are
local small constants.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
s4/dsdb/repl_meta_data: Receive function arguments in correct order 2022-05-02T19:13:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-15T23:10:19+00:00 7e2cc5eda84cc9fc7395b86e0908e88c72a320dc The incorrect ordering was introduced in commit b9c5417b523c4c53cb275c12ec84bbc849705bec. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15007 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> 
The incorrect ordering was introduced in commit
b9c5417b523c4c53cb275c12ec84bbc849705bec.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15007

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
dsdb: Fix a typo 2022-04-26T21:41:29+00:00 Volker Lendecke vl@samba.org 2022-04-10T18:14:38+00:00 cdef977031e6171735c2f75403aaf325ac53e8e6 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
s4:dsdb:tests: Also pass tests if asserted identity is present 2022-04-13T12:59:30+00:00 Andreas Schneider asn@samba.org 2022-01-24T12:04:23+00:00 9b03e31fba7aa726f3c481f18f9e9e5b4c96c381 We should make sure that we use NTLMSSP or Kerberos consistently for the tests and don't mix them. We're also much stricter and symmetric_difference() to check if the sets are actually the same. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> 
We should make sure that we use NTLMSSP or Kerberos consistently
for the tests and don't mix them.

We're also much stricter and symmetric_difference() to
check if the sets are actually the same.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
s4:dsdb/descriptor: skip duplicates in descriptor_sd_propagation_object() 2022-03-30T12:06:21+00:00 Stefan Metzmacher metze@samba.org 2022-02-10T11:46:10+00:00 f7f65ceb46d04e48667e6cba8f3e9b9fd0cd290e We're now sure that the security descriptor propagation happened first for parent objects. It means we can safely skip processing the same object twice in descriptor_sd_propagation_object(). For the database with ~ 22000 objects it reduced the commit time from 2m 50s down to 2m 24s. The statistics are changed from: descriptor_prepare_commit: changes: num_registrations=50000 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=68800 to: descriptor_prepare_commit: changes: num_registrations=50000 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=22000 descriptor_prepare_commit: objects: num_skipped=41600 It means that we have "changes: num_registered" and "objects: num_processed" exactly match the number of replicated objects. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Mar 30 12:06:21 UTC 2022 on sn-devel-184 
We're now sure that the security descriptor propagation happened
first for parent objects.

It means we can safely skip processing the same object twice in
descriptor_sd_propagation_object().

For the database with ~ 22000 objects it reduced the commit time
from 2m 50s down to 2m 24s.

The statistics are changed from:

descriptor_prepare_commit: changes: num_registrations=50000
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=68800

to:

descriptor_prepare_commit: changes: num_registrations=50000
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=22000
descriptor_prepare_commit: objects: num_skipped=41600

It means that we have "changes: num_registered" and
"objects: num_processed" exactly match the number
of replicated objects.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 30 12:06:21 UTC 2022 on sn-devel-184
s4:dsdb/descriptor: sort descriptor_changes tree based 2022-03-30T11:13:35+00:00 Stefan Metzmacher metze@samba.org 2022-02-10T16:19:31+00:00 bd1e667a62d63c51a3b5e43660c7c23dd855785a For the hot code path, e.g. the commit after the initial replication, we typically have one descriptor_changes for each object in the database. It means that we most likely have 5 naming contexts/partitions. Except of their head/root object have a valid parent_guid, so can move all of them into the tree structure. Now we start the processing at the partition root objects, which means that we also process all child objects in the same run. While processing these objects we are most likely able to mark their related descriptor_changes structure as done removing it from the hierarchy. With the 22000 object domain it reduces the time spend in the commit stage from 3m 20s down to 2m 50s. The statistics are changed from: descriptor_prepare_commit: changes: num_registrations=50000 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_processed=22000 descriptor_prepare_commit: objects: num_processed=80800 to: descriptor_prepare_commit: changes: num_registrations=50000 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=68800 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
For the hot code path, e.g. the commit after the initial replication,
we typically have one descriptor_changes for each object in the
database.

It means that we most likely have 5 naming contexts/partitions.
Except of their head/root object have a valid parent_guid,
so can move all of them into the tree structure.

Now we start the processing at the partition root objects,
which means that we also process all child objects in
the same run. While processing these objects we are most
likely able to mark their related descriptor_changes structure
as done removing it from the hierarchy.

With the 22000 object domain it reduces the time spend in
the commit stage from 3m 20s down to 2m 50s.

The statistics are changed from:

descriptor_prepare_commit: changes: num_registrations=50000
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_processed=22000
descriptor_prepare_commit: objects: num_processed=80800

to:

descriptor_prepare_commit: changes: num_registrations=50000
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=68800

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>