The branch, v4-0-test has been updated
via 1f9586f dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups,
tokenGroupsNoGCAcceptable
via f69bee5 Revert "dsdb: Add tokenGroupsGlobalAndUniversal,
tokenGroups, tokenGroupsNoGCAcceptable"
via 19e184e libsmb: provide authinfo domain for encrypted session
referrals
via 371d159 libsmb: provide authinfo domain for DFS referral auth
via 2856b64 libsmb: reuse connections derived from DFS referrals
from f9693a1 VERSION: Bump version up to 4.0.25.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 1f9586f12afb432f469f0dbfab9a2727a9db454a
Author: Garming Sam <garm...@catalyst.net.nz>
Date: Thu Dec 4 11:53:12 2014 +1300
dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups,
tokenGroupsNoGCAcceptable
This includes additional tests based directly on the docs, rather than
simply testing our internal implementation in client and server contexts,
that create a user and groups.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022
Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
Signed-off-by: Garming-Sam <garm...@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
(similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)
Change-Id: Ia98bf5a62bb69e15ae6420b34e09a65c1f3e79dd
Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-0-test): Thu Jan 29 23:19:43 CET 2015 on sn-devel-104
commit f69bee506c2a309340aefaa17522d82ea1003543
Author: Stefan Metzmacher <me...@samba.org>
Date: Mon Jan 26 23:48:01 2015 +0100
Revert "dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups,
tokenGroupsNoGCAcceptable"
This reverts commit 017ff207a6883a50705de985e8653e2a05f3b024.
commit 19e184e63db2ca5cf81941911d28c681bdbc0dc0
Author: David Disseldorp <dd...@samba.org>
Date: Mon Jan 19 13:39:35 2015 +0100
libsmb: provide authinfo domain for encrypted session referrals
6c9de0cd056afc0b478c02f1bdb0e06532388037 requires this extra change.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Wed Jan 21 04:29:06 CET 2015 on sn-devel-104
(cherry picked from commit 6da86012a2ca521efe0cf1bf05fcd04c3099b190)
commit 371d159e2db2679d7346475b625a870dda4a5852
Author: David Disseldorp <dd...@samba.org>
Date: Fri Jan 16 16:21:23 2015 +0100
libsmb: provide authinfo domain for DFS referral auth
libsmbclient uses the smbc_init->smbc_get_auth_data_fn() provided
workgroup/domain in initial connections, but then switches to the
default smb.conf workgroup/domain when handling DFS referrals.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 6c9de0cd056afc0b478c02f1bdb0e06532388037)
[dd...@samba.org: 4.0 rebase with cli_init_creds() call]
commit 2856b641f321ecfd430fef24cd1158c0e2a1dd01
Author: David Disseldorp <dd...@samba.org>
Date: Fri Jan 16 16:21:22 2015 +0100
libsmb: reuse connections derived from DFS referrals
[MS-DFSC] 3.2.1.1 and 3.2.1.2 states that DFS targets with the same site
location or relative cost are placed in random order in a DFS referral
response.
libsmbclient currently resolves DFS referrals on every API call, always
using the first entry in the referral response. With random ordering,
libsmbclient may open a new server connection, rather than reuse an
existing (cached) connection established in a previous DFS referred API
call.
This change sees libsmbclient check the connection cache for any of the
DFS referral response entries before creating a new connection.
This change is based on a patch by Har Gagan Sahai
<sharga...@novell.com>.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10123
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 7b7d4f740fe5017107d3100041cc8c7982f0eac7)
[dd...@samba.org: 4.0 rebase without smbXcli_tcon context]
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/clidfs.c | 118 +++++++++++++++++++++++--------
source4/dsdb/tests/python/token_group.py | 4 +-
2 files changed, 92 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index b2e2e9e..ee1f536 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -95,6 +95,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
char *newserver, *newshare;
const char *username;
const char *password;
+ const char *domain;
NTSTATUS status;
int flags = 0;
@@ -162,11 +163,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
username = get_cmdline_auth_info_username(auth_info);
password = get_cmdline_auth_info_password(auth_info);
+ domain = get_cmdline_auth_info_domain(auth_info);
+ if ((domain == NULL) || (domain[0] == '\0')) {
+ domain = lp_workgroup();
+ }
status = cli_session_setup(c, username,
password, strlen(password),
password, strlen(password),
- lp_workgroup());
+ domain);
if (!NT_STATUS_IS_OK(status)) {
/* If a password was not supplied then
* try again with a null username. */
@@ -187,7 +192,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
d_printf("Anonymous login successful\n");
status = cli_init_creds(c, "", lp_workgroup(), "");
} else {
- status = cli_init_creds(c, username, lp_workgroup(), password);
+ status = cli_init_creds(c, username, domain, password);
}
if (!NT_STATUS_IS_OK(status)) {
@@ -218,7 +223,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
force_encrypt,
username,
password,
- lp_workgroup())) {
+ domain)) {
cli_shutdown(c);
return do_connect(ctx, newserver,
newshare, auth_info, false,
@@ -240,7 +245,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
status = cli_cm_force_encryption(c,
username,
password,
- lp_workgroup(),
+ domain,
sharename);
if (!NT_STATUS_IS_OK(status)) {
cli_shutdown(c);
@@ -776,6 +781,11 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
/********************************************************************
********************************************************************/
+struct cli_dfs_path_split {
+ char *server;
+ char *share;
+ char *extrapath;
+};
NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
const char *mountpt,
@@ -793,15 +803,16 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
char *cleanpath = NULL;
char *extrapath = NULL;
int pathlen;
- char *server = NULL;
- char *share = NULL;
struct cli_state *newcli = NULL;
+ struct cli_state *ccli = NULL;
+ int count = 0;
char *newpath = NULL;
char *newmount = NULL;
char *ppath = NULL;
SMB_STRUCT_STAT sbuf;
uint32 attributes;
NTSTATUS status;
+ struct cli_dfs_path_split *dfs_refs = NULL;
if ( !rootcli || !path || !targetcli ) {
return NT_STATUS_INVALID_PARAMETER;
@@ -885,26 +896,83 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
return status;
}
- /* Just store the first referral for now. */
-
if (!refs[0].dfspath) {
return NT_STATUS_NOT_FOUND;
}
- if (!split_dfs_path(ctx, refs[0].dfspath, &server, &share,
- &extrapath)) {
- return NT_STATUS_NOT_FOUND;
+
+ /*
+ * Bug#10123 - DFS referal entries can be provided in a random order,
+ * so check the connection cache for each item to avoid unnecessary
+ * reconnections.
+ */
+ dfs_refs = talloc_array(ctx, struct cli_dfs_path_split, num_refs);
+ if (dfs_refs == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (count = 0; count < num_refs; count++) {
+ if (!split_dfs_path(dfs_refs, refs[count].dfspath,
+ &dfs_refs[count].server,
+ &dfs_refs[count].share,
+ &dfs_refs[count].extrapath)) {
+ TALLOC_FREE(dfs_refs);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ ccli = cli_cm_find(rootcli, dfs_refs[count].server,
+ dfs_refs[count].share);
+ if (ccli != NULL) {
+ extrapath = dfs_refs[count].extrapath;
+ *targetcli = ccli;
+ break;
+ }
+ }
+
+ /*
+ * If no cached connection was found, then connect to the first live
+ * referral server in the list.
+ */
+ for (count = 0; (ccli == NULL) && (count < num_refs); count++) {
+ /* Connect to the target server & share */
+ status = cli_cm_connect(ctx, rootcli,
+ dfs_refs[count].server,
+ dfs_refs[count].share,
+ dfs_auth_info,
+ false,
+ smb1cli_conn_encryption_on(rootcli->conn),
+ smbXcli_conn_protocol(rootcli->conn),
+ 0,
+ 0x20,
+ targetcli);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("Unable to follow dfs referral [\\%s\\%s]\n",
+ dfs_refs[count].server,
+ dfs_refs[count].share);
+ continue;
+ } else {
+ extrapath = dfs_refs[count].extrapath;
+ break;
+ }
+ }
+
+ /* No available referral server for the connection */
+ if (*targetcli == NULL) {
+ TALLOC_FREE(dfs_refs);
+ return status;
}
/* Make sure to recreate the original string including any wildcards. */
dfs_path = cli_dfs_make_full_path(ctx, rootcli, path);
if (!dfs_path) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NO_MEMORY;
}
pathlen = strlen(dfs_path);
consumed = MIN(pathlen, consumed);
*pp_targetpath = talloc_strdup(ctx, &dfs_path[consumed]);
if (!*pp_targetpath) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NO_MEMORY;
}
dfs_path[consumed] = '\0';
@@ -915,23 +983,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
* (in \server\share\path format).
*/
- /* Open the connection to the target server & share */
- status = cli_cm_open(ctx, rootcli,
- server,
- share,
- dfs_auth_info,
- false,
- smb1cli_conn_encryption_on(rootcli->conn),
- smbXcli_conn_protocol(rootcli->conn),
- 0,
- 0x20,
- targetcli);
- if (!NT_STATUS_IS_OK(status)) {
- d_printf("Unable to follow dfs referral [\\%s\\%s]\n",
- server, share );
- return status;
- }
-
if (extrapath && strlen(extrapath) > 0) {
/* EMC Celerra NAS version 5.6.50 (at least) doesn't appear to
*/
/* put the trailing \ on the path, so to be save we put one in
if needed */
@@ -947,6 +998,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
*pp_targetpath);
}
if (!*pp_targetpath) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NO_MEMORY;
}
}
@@ -960,18 +1012,21 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
d_printf("cli_resolve_path: "
"dfs_path (%s) not in correct format.\n",
dfs_path );
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NOT_FOUND;
}
ppath++; /* Now pointing at start of server name. */
if ((ppath = strchr_m( dfs_path, '\\' )) == NULL) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NOT_FOUND;
}
ppath++; /* Now pointing at start of share name. */
if ((ppath = strchr_m( ppath+1, '\\' )) == NULL) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NOT_FOUND;
}
@@ -979,6 +1034,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
newmount = talloc_asprintf(ctx, "%s\\%s", mountpt, ppath );
if (!newmount) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NOT_FOUND;
}
@@ -1003,6 +1059,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
*/
*targetcli = newcli;
*pp_targetpath = newpath;
+ TALLOC_FREE(dfs_refs);
return status;
}
}
@@ -1013,14 +1070,17 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
if ((*targetcli)->dfsroot) {
dfs_path = talloc_strdup(ctx, *pp_targetpath);
if (!dfs_path) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NO_MEMORY;
}
*pp_targetpath = cli_dfs_make_full_path(ctx, *targetcli,
dfs_path);
if (*pp_targetpath == NULL) {
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_NO_MEMORY;
}
}
+ TALLOC_FREE(dfs_refs);
return NT_STATUS_OK;
}
@@ -1077,7 +1137,7 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx,
status = cli_cm_force_encryption(cli,
username,
password,
- lp_workgroup(),
+ domain,
"IPC$");
if (!NT_STATUS_IS_OK(status)) {
return false;
diff --git a/source4/dsdb/tests/python/token_group.py
b/source4/dsdb/tests/python/token_group.py
index 1a9a71f..cba6480 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -497,6 +497,8 @@ if not "://" in url:
runner = SubunitTestRunner()
rc = 0
-if not runner.run(unittest.makeSuite(TokenTest)).wasSuccessful():
+if not runner.run(unittest.makeSuite(StaticTokenTest)).wasSuccessful():
+ rc = 1
+if not runner.run(unittest.makeSuite(DynamicTokenTest)).wasSuccessful():
rc = 1
sys.exit(rc)
--
Samba Shared Repository
