The branch, v4-0-test has been updated via 1f9586f dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable via f69bee5 Revert "dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable" via 19e184e libsmb: provide authinfo domain for encrypted session referrals via 371d159 libsmb: provide authinfo domain for DFS referral auth via 2856b64 libsmb: reuse connections derived from DFS referrals from f9693a1 VERSION: Bump version up to 4.0.25.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 1f9586f12afb432f469f0dbfab9a2727a9db454a Author: Garming Sam <garm...@catalyst.net.nz> Date: Thu Dec 4 11:53:12 2014 +1300 dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable This includes additional tests based directly on the docs, rather than simply testing our internal implementation in client and server contexts, that create a user and groups. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022 Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz> Signed-off-by: Garming-Sam <garm...@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104 (similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9) Change-Id: Ia98bf5a62bb69e15ae6420b34e09a65c1f3e79dd Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-0-test): Thu Jan 29 23:19:43 CET 2015 on sn-devel-104 commit f69bee506c2a309340aefaa17522d82ea1003543 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jan 26 23:48:01 2015 +0100 Revert "dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable" This reverts commit 017ff207a6883a50705de985e8653e2a05f3b024. commit 19e184e63db2ca5cf81941911d28c681bdbc0dc0 Author: David Disseldorp <dd...@samba.org> Date: Mon Jan 19 13:39:35 2015 +0100 libsmb: provide authinfo domain for encrypted session referrals 6c9de0cd056afc0b478c02f1bdb0e06532388037 requires this extra change. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059 
Signed-off-by: David Disseldorp <dd...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Wed Jan 21 04:29:06 CET 2015 on sn-devel-104 (cherry picked from commit 6da86012a2ca521efe0cf1bf05fcd04c3099b190) commit 371d159e2db2679d7346475b625a870dda4a5852 Author: David Disseldorp <dd...@samba.org> Date: Fri Jan 16 16:21:23 2015 +0100 libsmb: provide authinfo domain for DFS referral auth libsmbclient uses the smbc_init->smbc_get_auth_data_fn() provided workgroup/domain in initial connections, but then switches to the default smb.conf workgroup/domain when handling DFS referrals. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059 Signed-off-by: David Disseldorp <dd...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 6c9de0cd056afc0b478c02f1bdb0e06532388037) [dd...@samba.org: 4.0 rebase with cli_init_creds() call] commit 2856b641f321ecfd430fef24cd1158c0e2a1dd01 Author: David Disseldorp <dd...@samba.org> Date: Fri Jan 16 16:21:22 2015 +0100 libsmb: reuse connections derived from DFS referrals [MS-DFSC] 3.2.1.1 and 3.2.1.2 states that DFS targets with the same site location or relative cost are placed in random order in a DFS referral response. libsmbclient currently resolves DFS referrals on every API call, always using the first entry in the referral response. With random ordering, libsmbclient may open a new server connection, rather than reuse an existing (cached) connection established in a previous DFS referred API call. This change sees libsmbclient check the connection cache for any of the DFS referral response entries before creating a new connection. This change is based on a patch by Har Gagan Sahai <sharga...@novell.com>. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10123 
Signed-off-by: David Disseldorp <dd...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 7b7d4f740fe5017107d3100041cc8c7982f0eac7) [dd...@samba.org: 4.0 rebase without smbXcli_tcon context] ----------------------------------------------------------------------- Summary of changes: source3/libsmb/clidfs.c | 118 +++++++++++++++++++++++-------- source4/dsdb/tests/python/token_group.py | 4 +- 2 files changed, 92 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index b2e2e9e..ee1f536 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c @@ -95,6 +95,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, char *newserver, *newshare; const char *username; const char *password; + const char *domain; NTSTATUS status; int flags = 0; @@ -162,11 +163,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, username = get_cmdline_auth_info_username(auth_info); password = get_cmdline_auth_info_password(auth_info); + domain = get_cmdline_auth_info_domain(auth_info); + if ((domain == NULL) || (domain[0] == '\0')) { + domain = lp_workgroup(); + } status = cli_session_setup(c, username, password, strlen(password), password, strlen(password), - lp_workgroup()); + domain); if (!NT_STATUS_IS_OK(status)) { /* If a password was not supplied then * try again with a null username. */ @@ -187,7 +192,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, d_printf("Anonymous login successful\n"); status = cli_init_creds(c, "", lp_workgroup(), ""); } else { - status = cli_init_creds(c, username, lp_workgroup(), password); + status = cli_init_creds(c, username, domain, password); } if (!NT_STATUS_IS_OK(status)) { @@ -218,7 +223,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, force_encrypt, username, password, - lp_workgroup())) { + domain)) { cli_shutdown(c); return do_connect(ctx, newserver, newshare, auth_info, false, 
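Review bot: The fallback to `lp_workgroup()` in the `@@ -162,11 +163,15 @@` hunk has no comment explaining why an empty or missing domain from `auth_info` is replaced, while the anonymous branch in the following hunk still passes `lp_workgroup()` directly. I would add `/* Prefer the caller-supplied domain; use the smb.conf workgroup only when none was given. */` above the `get_cmdline_auth_info_domain()` call, so the difference between the authenticated and anonymous branches reads as intentional. do_connect's body starts and ends outside these hunks.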
@@ -240,7 +245,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, status = cli_cm_force_encryption(c, username, password, - lp_workgroup(), + domain, sharename); if (!NT_STATUS_IS_OK(status)) { cli_shutdown(c); @@ -776,6 +781,11 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx, /******************************************************************** ********************************************************************/ +struct cli_dfs_path_split { + char *server; + char *share; + char *extrapath; +}; NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, const char *mountpt, @@ -793,15 +803,16 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, char *cleanpath = NULL; char *extrapath = NULL; int pathlen; - char *server = NULL; - char *share = NULL; struct cli_state *newcli = NULL; + struct cli_state *ccli = NULL; + int count = 0; char *newpath = NULL; char *newmount = NULL; char *ppath = NULL; SMB_STRUCT_STAT sbuf; uint32 attributes; NTSTATUS status; + struct cli_dfs_path_split *dfs_refs = NULL; if ( !rootcli || !path || !targetcli ) { return NT_STATUS_INVALID_PARAMETER; 
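Review bot: `struct cli_dfs_path_split` in the `@@ -776,6 +781,11 @@` hunk is added without a comment, and it lands directly under the banner comment that used to head `cli_resolve_path()`. A one-line description would help, e.g. `/* One DFS referral target, split into server, share and trailing path. */`. It is also worth a line saying that cli_resolve_path passes the `dfs_refs` array itself as the first argument to `split_dfs_path()`, so the three strings appear to be talloc children of that array and `extrapath` must not be read after `TALLOC_FREE(dfs_refs)`.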
@@ -885,26 +896,83 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, return status; } - /* Just store the first referral for now. */ - if (!refs[0].dfspath) { return NT_STATUS_NOT_FOUND; } - if (!split_dfs_path(ctx, refs[0].dfspath, &server, &share, - &extrapath)) { - return NT_STATUS_NOT_FOUND; + + /* + * Bug#10123 - DFS referal entries can be provided in a random order, + * so check the connection cache for each item to avoid unnecessary + * reconnections. + */ + dfs_refs = talloc_array(ctx, struct cli_dfs_path_split, num_refs); + if (dfs_refs == NULL) { + return NT_STATUS_NO_MEMORY; + } + + for (count = 0; count < num_refs; count++) { + if (!split_dfs_path(dfs_refs, refs[count].dfspath, + &dfs_refs[count].server, + &dfs_refs[count].share, + &dfs_refs[count].extrapath)) { + TALLOC_FREE(dfs_refs); + return NT_STATUS_NOT_FOUND; + } + + ccli = cli_cm_find(rootcli, dfs_refs[count].server, + dfs_refs[count].share); + if (ccli != NULL) { + extrapath = dfs_refs[count].extrapath; + *targetcli = ccli; + break; + } + } + + /* + * If no cached connection was found, then connect to the first live + * referral server in the list. + */ + for (count = 0; (ccli == NULL) && (count < num_refs); count++) { + /* Connect to the target server & share */ + status = cli_cm_connect(ctx, rootcli, + dfs_refs[count].server, + dfs_refs[count].share, + dfs_auth_info, + false, + smb1cli_conn_encryption_on(rootcli->conn), + smbXcli_conn_protocol(rootcli->conn), + 0, + 0x20, + targetcli); + if (!NT_STATUS_IS_OK(status)) { + d_printf("Unable to follow dfs referral [\\%s\\%s]\n", + dfs_refs[count].server, + dfs_refs[count].share); + continue; + } else { + extrapath = dfs_refs[count].extrapath; + break; + } + } + + /* No available referral server for the connection */ + if (*targetcli == NULL) { + TALLOC_FREE(dfs_refs); + return status; } /* Make sure to recreate the original string including any wildcards. 
*/ dfs_path = cli_dfs_make_full_path(ctx, rootcli, path); if (!dfs_path) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NO_MEMORY; } pathlen = strlen(dfs_path); consumed = MIN(pathlen, consumed); *pp_targetpath = talloc_strdup(ctx, &dfs_path[consumed]); if (!*pp_targetpath) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NO_MEMORY; } dfs_path[consumed] = '\0'; @@ -915,23 +983,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, * (in \server\share\path format). */ - /* Open the connection to the target server & share */ - status = cli_cm_open(ctx, rootcli, - server, - share, - dfs_auth_info, - false, - smb1cli_conn_encryption_on(rootcli->conn), - smbXcli_conn_protocol(rootcli->conn), - 0, - 0x20, - targetcli); - if (!NT_STATUS_IS_OK(status)) { - d_printf("Unable to follow dfs referral [\\%s\\%s]\n", - server, share ); - return status; - } - if (extrapath && strlen(extrapath) > 0) { /* EMC Celerra NAS version 5.6.50 (at least) doesn't appear to */ /* put the trailing \ on the path, so to be save we put one in if needed */ @@ -947,6 +998,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, *pp_targetpath); } if (!*pp_targetpath) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NO_MEMORY; } } @@ -960,18 +1012,21 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, d_printf("cli_resolve_path: " "dfs_path (%s) not in correct format.\n", dfs_path ); + TALLOC_FREE(dfs_refs); return NT_STATUS_NOT_FOUND; } ppath++; /* Now pointing at start of server name. */ if ((ppath = strchr_m( dfs_path, '\\' )) == NULL) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NOT_FOUND; } ppath++; /* Now pointing at start of share name. */ if ((ppath = strchr_m( ppath+1, '\\' )) == NULL) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NOT_FOUND; } @@ -979,6 +1034,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, newmount = talloc_asprintf(ctx, "%s\\%s", mountpt, ppath ); if (!newmount) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NOT_FOUND; } 
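Review bot: One unparsable entry fails the whole lookup in the first loop of the `@@ -885,26 +896,83 @@` hunk: `split_dfs_path()` returning false for any `refs[count]` returns NT_STATUS_NOT_FOUND, although only `refs[0].dfspath` is checked beforehand and the old code depended on the first entry alone. The list is taken from the server's referral response, so I would skip a bad entry and keep trying the others, which needs the array zero-initialised and the connect loop to ignore skipped slots. Separately, `return status` under "No available referral server" returns whatever `status` last held; if neither loop body runs (presumably only when `num_refs` is 0) that looks like the success status of the referral lookup with `*targetcli` still NULL, so the sketch below sets NT_STATUS_NOT_FOUND before the connect loop. cli_resolve_path starts and ends outside this hunk.

```c
dfs_refs = talloc_zero_array(ctx, struct cli_dfs_path_split, num_refs);
/* … unchanged: NULL check on dfs_refs … */

for (count = 0; count < num_refs; count++) {
	if (!split_dfs_path(dfs_refs, refs[count].dfspath,
			    &dfs_refs[count].server,
			    &dfs_refs[count].share,
			    &dfs_refs[count].extrapath)) {
		/* Unusable entry: mark it and keep looking at the rest. */
		dfs_refs[count].server = NULL;
		continue;
	}
	/* … unchanged: cli_cm_find() lookup, break on a cache hit … */
}

/* Nothing attempted yet; do not report the referral lookup's success. */
if (ccli == NULL) {
	status = NT_STATUS_NOT_FOUND;
}
for (count = 0; (ccli == NULL) && (count < num_refs); count++) {
	if (dfs_refs[count].server == NULL) {
		continue;
	}
	/* … unchanged: cli_cm_connect() attempt and extrapath assignment … */
}
```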
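Review bot: `TALLOC_FREE(dfs_refs)` is now repeated before every return, in the `@@ -947,6 +998,7 @@` hunk and again in the `@@ -960,18 +1012,21 @@`, `@@ -979,6 +1034,7 @@`, `@@ -1003,6 +1059,7 @@` and `@@ -1013,14 +1070,17 @@` hunks, as well as at the end of the preceding hunk. Any return added later that forgets the call leaves the array allocated until `ctx` itself is freed. A single exit would be easier to keep correct: set `status` and `goto out`, with `out: TALLOC_FREE(dfs_refs); return status;` at the end of the function. The function body continues outside these hunks, so it cannot be confirmed from here that every existing return is covered.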
@@ -1003,6 +1059,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, */ *targetcli = newcli; *pp_targetpath = newpath; + TALLOC_FREE(dfs_refs); return status; } } @@ -1013,14 +1070,17 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, if ((*targetcli)->dfsroot) { dfs_path = talloc_strdup(ctx, *pp_targetpath); if (!dfs_path) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NO_MEMORY; } *pp_targetpath = cli_dfs_make_full_path(ctx, *targetcli, dfs_path); if (*pp_targetpath == NULL) { + TALLOC_FREE(dfs_refs); return NT_STATUS_NO_MEMORY; } } + TALLOC_FREE(dfs_refs); return NT_STATUS_OK; } @@ -1077,7 +1137,7 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx, status = cli_cm_force_encryption(cli, username, password, - lp_workgroup(), + domain, "IPC$"); if (!NT_STATUS_IS_OK(status)) { return false; diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py index 1a9a71f..cba6480 100755 --- a/source4/dsdb/tests/python/token_group.py +++ b/source4/dsdb/tests/python/token_group.py @@ -497,6 +497,8 @@ if not "://" in url: runner = SubunitTestRunner() rc = 0 -if not runner.run(unittest.makeSuite(TokenTest)).wasSuccessful(): +if not runner.run(unittest.makeSuite(StaticTokenTest)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(DynamicTokenTest)).wasSuccessful(): rc = 1 sys.exit(rc) -- Samba Shared Repository
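Review bot: `domain` is passed straight to `cli_cm_force_encryption()` in the `@@ -1077,7 +1137,7 @@` hunk, without the NULL/empty fallback that do_connect applies before its own calls. The do_connect call site in this commit passes an already-defaulted value, but if cli_check_msdfs_proxy has other callers (not visible here) that pass NULL or an empty string, the encryption setup would now receive that instead of the workgroup. I would repeat the guard at the top of the function, `if ((domain == NULL) || (domain[0] == '\0')) { domain = lp_workgroup(); }`, or document that callers must supply a non-empty domain. The function body and the declaration of `domain` are outside the hunk.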