The branch, v4-13-test has been updated
       via  bb49e891025 winbind: Fix lookuprids cache problem
       via  12997bb8196 winbind: Add test for lookuprids cache problem
       via  ab227e7db1c torture3: Align integer types
       via  2bdf5e9c292 dbcheck: Allow a dangling forward link outside our known NCs
       via  18628ba1558 ctdb-scripts: Use nfsconf as a last resort get nfsd thread count
       via  8bd4e018780 ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME
       via  983b35fdcf8 docs: Fix documentation for require_membership_of of pam_winbind.conf
       via  f2f122d65a7 docs: Fix documentation for require_membership_of of pam_winbind
      from  19fecfaa35f kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -----------------------------------------------------------------
commit bb49e891025bdb71bacb8ed084c286d9d4da2cad
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 8 15:09:45 2020 +0200

    winbind: Fix lookuprids cache problem
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Thu Jul  9 21:40:52 UTC 2020 on sn-devel-184
    
    (cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
    
    Autobuild-User(v4-13-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-13-test): Mon Aug 10 10:46:37 UTC 2020 on sn-devel-184

commit 12997bb81961e98668d3de16fdb09ada3996408d
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 8 15:00:49 2020 +0200

    winbind: Add test for lookuprids cache problem
    
    When reading entries from gencache, wb_cache_rids_to_names() can
    return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
    correctly.
    
    This test enforces this situation by filling gencache with one wbinfo
    -R and then erasing the winbindd_cache.tdb. This forces winbind to
    enter the domain helper process, which will then read from gencache
    filled with the previous wbinfo -R.
    
    Without having the entries cached this does not happen because
    wb_cache_rids_to_names() via the do_query: path calls deep inside
    calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
    STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)

commit ab227e7db1cc41dbd8667da752e9420cef1091a1
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Jul 7 08:50:31 2020 +0200

    torture3: Align integer types
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2bdf5e9c292364b45b43dbf985245641a16fa398
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 27 11:37:29 2020 +1200

    dbcheck: Allow a dangling forward link outside our known NCs
    
    If we do not have the NC of the target object we can not be really sure
    that the object is redundant and so we want to keep it for now
    and not (as happened until now) break the dbcheck run made during the
    replication stage of a "samba-tool domain backup rename".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14450
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    (cherry picked from commit 05228c4e07013c0e6f78f1330b3b787271282ca8)

commit 18628ba15585f991b004ef4bd66abf2f8ed12b3f
Author: Martin Schwenke <mar...@meltin.net>
Date:   Mon Jul 20 12:02:45 2020 +1000

    ctdb-scripts: Use nfsconf as a last resort get nfsd thread count
    
    If nfsconf exists then use it as last resort to attempt to extract
    [nfsd]:threads from /etc/nfs.conf.
    
    Invocation of nfsconf requires "|| true" because this script uses "set
    -e".  Add a stub that always fails to at least test this much.
    
    RN: Use nfsconf utility for variable values in CTDB NFS scripts
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14444
    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Amitay Isaacs <ami...@gmail.com>
    
    Autobuild-User(master): Amitay Isaacs <ami...@samba.org>
    Autobuild-Date(master): Mon Jul 27 07:06:58 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 642dc6ded6426ba2fbf3ac1e5cd71aae11ca245b)

commit 8bd4e0187803b4263dae9eafb07d539350f30ce0
Author: Martin Schwenke <mar...@meltin.net>
Date:   Mon Jul 13 10:16:33 2020 +1000

    ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME
    
    If nfsconf exists then use it as last resort to attempt to extract
    [statd]:name from /etc/nfs.conf.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14444
    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Amitay Isaacs <ami...@gmail.com>
    (cherry picked from commit 334dd8cedda6a341e3b89c9adc8102ea5480e452)

commit 983b35fdcf85826d3b667c8c5b0234402a6863c7
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jul 17 12:14:16 2020 +0200

    docs: Fix documentation for require_membership_of of pam_winbind.conf
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    (cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)

commit f2f122d65a7e9377772a6ce0dca97a2e45bb22fc
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jul 9 11:48:26 2020 +0200

    docs: Fix documentation for require_membership_of of pam_winbind
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)

-----------------------------------------------------------------------

Summary of changes:
 ctdb/config/nfs-linux-kernel-callout               |  3 ++
 ctdb/config/statd-callout                          | 21 +++++++++---
 ctdb/tests/UNIT/eventscripts/stubs/nfsconf         |  5 +++
 docs-xml/manpages/pam_winbind.8.xml                |  8 +++--
 docs-xml/manpages/pam_winbind.conf.5.xml           |  9 +++--
 python/samba/dbchecker.py                          | 24 ++++++++++++-
 selftest/target/Samba4.pm                          | 39 ++++++++++++++++++++++
 .../script/tests/test_wbinfo_lookuprids_cache.sh   | 21 ++++++++++++
 source3/selftest/tests.py                          |  5 +++
 source3/torture/test_notify.c                      |  3 +-
 source3/winbindd/winbindd_dual_srv.c               |  3 +-
 11 files changed, 128 insertions(+), 13 deletions(-)
 create mode 100755 ctdb/tests/UNIT/eventscripts/stubs/nfsconf
 create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh


Changeset truncated at 500 lines:

diff --git a/ctdb/config/nfs-linux-kernel-callout 
b/ctdb/config/nfs-linux-kernel-callout
index 71d8ecf8074..6a372d4b4fd 100755
--- a/ctdb/config/nfs-linux-kernel-callout
+++ b/ctdb/config/nfs-linux-kernel-callout
@@ -299,6 +299,9 @@ nfs_check_thread_count ()
     # assume that those using the default don't care about the number
     # of threads and that they have switched on this feature in error.
     _configured_threads="${RPCNFSDCOUNT:-${USE_KERNEL_NFSD_NUMBER}}"
+    if [ -z "$_configured_threads" ] && type nfsconf >/dev/null 2>&1 ; then
+           _configured_threads=$(nfsconf --get nfsd threads) || true
+    fi
     [ -n "$_configured_threads" ] || return 0
 
     _threads_file="${PROCFS_PATH}/fs/nfsd/threads"
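Review bot: The added `_configured_threads=$(nfsconf --get nfsd threads) || true` line leaves nfsconf's stderr attached, so any diagnostic it prints when the key or /etc/nfs.conf is missing lands in the event script output on every monitor run. Redirecting stderr inside the command substitution (2>/dev/null) keeps the "last resort" lookup quiet. The body of the new `if` is also indented differently from the 4-space indentation of the surrounding lines; it should match the file's existing style.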
diff --git a/ctdb/config/statd-callout b/ctdb/config/statd-callout
index b75135bbde5..67ed2a5bc62 100755
--- a/ctdb/config/statd-callout
+++ b/ctdb/config/statd-callout
@@ -3,10 +3,18 @@
 # This must run as root as CTDB tool commands need to access CTDB socket
 [ "$(id -u)" -eq 0 ] || exec sudo "$0" "$@"
 
-# this script needs to be installed so that statd points to it with the -H 
-# command line argument. The easiest way to do that is to put something like 
this in 
-# /etc/sysconfig/nfs:
-#   STATD_HOSTNAME="myhostname -H /etc/ctdb/statd-callout"
+# statd must be configured to use this script as its high availability 
call-out.
+#
+# In most Linux versions this can be done using something like the following...
+#
+# /etc/sysconfig/nfs (Red Hat) or /etc/default/nfs-common (Debian):
+#   NFS_HOSTNAME=myhostname
+#   STATD_HOSTNAME="${NFS_HOSTNAME} -H /etc/ctdb/statd-callout"
+#
+# Newer Red Hat Linux variants instead use /etc/nfs.conf:
+#   [statd]
+#     name = myhostname
+#     ha-callout = /etc/ctdb/statd-callout
 
 [ -n "$CTDB_BASE" ] || \
     CTDB_BASE=$(d=$(dirname "$0") ; cd -P "$d" ; echo "$PWD")
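Review bot: The new header comment documents the /etc/nfs.conf form (`[statd]` with `name` and `ha-callout`) but does not say that this script can only read `name` from that file when the nfsconf utility is installed. Without it, the later check ends in "NFS_HOSTNAME is not configured. statd-callout failed", which gives the administrator no hint about the missing tool. A line in this comment stating the nfsconf dependency for the nfs.conf case would close that gap.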
@@ -23,6 +31,11 @@ die ()
 # Try different variables to find config file for NFS_HOSTNAME
 load_system_config "nfs" "nfs-common"
 
+# If NFS_HOSTNAME not set then try to pull it out of /etc/nfs.conf
+if [ -z "$NFS_HOSTNAME" ] && type nfsconf >/dev/null 2>&1 ; then
+       NFS_HOSTNAME=$(nfsconf --get statd name)
+fi
+
 [ -n "$NFS_HOSTNAME" ] || \
     die "NFS_HOSTNAME is not configured. statd-callout failed"
 
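Review bot: The `NFS_HOSTNAME=$(nfsconf --get statd name)` assignment has no `|| true`, unlike the equivalent lookup added to nfs-linux-kernel-callout in the same series. If this script runs, or is ever changed to run, under "set -e", a failing nfsconf would terminate it at the assignment and the explicit die message below would never be printed. Making the two call sites consistent (same failure handling, same stderr treatment) avoids that divergence.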
diff --git a/ctdb/tests/UNIT/eventscripts/stubs/nfsconf 
b/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
new file mode 100755
index 00000000000..84dd9ea5f60
--- /dev/null
+++ b/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# This always fails for now, since there are no tests that expect to
+# use it.
+exit 1
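Review bot: Because the stub unconditionally does `exit 1`, the unit tests only exercise the path where nfsconf is present but fails; the path where it returns a thread count or a hostname is never run. Letting the stub print a value for `--get nfsd threads` and `--get statd name` when a test-controlled variable or file is set would cover the new code in both callouts, and would catch a regression in how the returned value is consumed.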
diff --git a/docs-xml/manpages/pam_winbind.8.xml 
b/docs-xml/manpages/pam_winbind.8.xml
index 622e9e188d9..32030ef0ecc 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -84,9 +84,11 @@
                If this option is set, pam_winbind will only succeed if the 
user is a member of the given SID or NAME. A SID
                can be either a group-SID, an alias-SID or even an user-SID. It 
is also possible to give a NAME instead of the
                SID. That name must have the form: 
<parameter>MYDOMAIN\mygroup</parameter> or
-               <parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
-               NAME may not contain any spaces. It is thus recommended to only 
use SIDs. You can verify the list of SIDs a
-               user is a member of with <command>wbinfo 
--user-sids=SID</command>.
+               <parameter>MYDOMAIN\myuser</parameter> (where '\' character 
corresponds to the value of
+               <parameter>winbind separator</parameter> parameter). It is also 
possible to use a UPN in the form
+               <parameter>user@REALM</parameter> or 
<parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
+               the SID internally. Note that NAME may not contain any spaces. 
It is thus recommended to only use SIDs. You can
+               verify the list of SIDs a user is a member of with 
<command>wbinfo --user-sids=SID</command>.
                </para>
 
                <para>
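Review bot: The added sentence "(where '\' character corresponds to the value of winbind separator parameter)" is missing articles and reads awkwardly in a manpage; "where the '\' character corresponds to the value of the winbind separator parameter" is clearer. In the same paragraph, "lookup the SID internally" should be "look up", and since the UPN forms are now listed it would help to say explicitly whether the "may not contain any spaces" restriction applies to them as well.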
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml 
b/docs-xml/manpages/pam_winbind.conf.5.xml
index c4a7771fb31..0bc288f91a1 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -69,9 +69,12 @@
                If this option is set, pam_winbind will only succeed if the 
user is a member of the given SID or NAME. A SID
                can be either a group-SID, an alias-SID or even an user-SID. It 
is also possible to give a NAME instead of the
                SID. That name must have the form: 
<parameter>MYDOMAIN\mygroup</parameter> or
-               <parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
-               NAME may not contain any spaces. It is thus recommended to only 
use SIDs. You can verify the list of SIDs a
-               user is a member of with <command>wbinfo 
--user-sids=SID</command>. This setting is empty by default.
+               <parameter>MYDOMAIN\myuser</parameter> (where '\' character 
corresponds to the value of
+               <parameter>winbind separator</parameter> parameter). It is also 
possible to use a UPN in the form
+               <parameter>user@REALM</parameter> or 
<parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
+               the SID internally. Note that NAME may not contain any spaces. 
It is thus recommended to only use SIDs. You can
+               verify the list of SIDs a user is a member of with 
<command>wbinfo --user-sids=SID</command>.
+               This setting is empty by default.
                </para>
                <para>This option only operates during password authentication, 
and will not restrict access if a password is not required for any reason (such 
as SSH key-based login).</para>
                </listitem>
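Review bot: This paragraph is now a second hand-maintained copy of the text in pam_winbind.8.xml, differing only by the trailing "This setting is empty by default." sentence, and the two already needed separate commits to stay aligned. Since require_membership_of is an access-control setting, drift between the two descriptions is worth preventing: consider keeping the wording in one place and including it from both manpages, or at least applying the same grammar fixes to both copies in a single commit.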
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 7496a463930..593aa8cf6d2 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -621,7 +621,29 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
                 return 0
 
             nc_root = self.samdb.get_nc_root(dn)
-            target_nc_root = self.samdb.get_nc_root(dsdb_dn.dn)
+            try:
+                target_nc_root = self.samdb.get_nc_root(dsdb_dn.dn)
+            except ldb.LdbError as e:
+                (enum, estr) = e.args
+                if enum != ldb.ERR_NO_SUCH_OBJECT:
+                    raise
+                target_nc_root = None
+
+            if target_nc_root is None:
+                # We don't bump the error count as Samba produces
+                # these in normal operation creating a lab domain (due
+                # to the way the rename is handled, links to
+                # now-expunged objects will never be fixed to stay
+                # inside the NC
+                self.report("WARNING: no target object found for GUID "
+                            "component for link "
+                            "%s in object to %s outside our NCs"
+                            "%s - %s" % (attrname, dsdb_dn.dn, dn, val))
+                self.report("Not removing dangling one-way "
+                            "left-over link outside our NCs "
+                            "(we might be building a renamed/lab domain)")
+                return 0
+
             if nc_root != target_nc_root:
                 # We don't bump the error count as Samba produces these
                 # in normal operation
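Review bot: The first self.report() call concatenates "%s in object to %s outside our NCs" directly with "%s - %s", so there is no space between "NCs" and the third value, and the argument order (attrname, dsdb_dn.dn, dn, val) produces "link <attr> in object to <target DN> outside our NCs<source DN> - <val>", which is hard to read in a dbcheck log. Reword the message so the source object and the target are each named once with separators. Minor points in the same hunk: the comment opens a parenthesis at "(due" that is never closed, and `estr` is unpacked from e.args but not used.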
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 1466cbd8d48..88c95c3a078 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2942,6 +2942,45 @@ sub setup_backupfromdc
 
        $self->setup_namespaces($env, $upn_array, $spn_array);
 
+       # Set up a dangling forward link to an expunged object
+       #
+       # We need this to ensure that the "samba-tool domain backup rename"
+       # that is part of the creation of the labdc environment can
+       # cope with this situation on the source DC.
+
+       if (not $self->write_ldb_file("$env->{PRIVATEDIR}/sam.ldb", "
+dn: ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: organizationalUnit
+-
+
+dn: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: msExchConfigurationContainer
+-
+
+dn: cn=linkfrom,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: msExchConfigurationContainer
+addressBookRoots: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+-
+
+")) {
+           return undef;
+       }
+       my $ldbdel = Samba::bindir_path($self, "ldbdel");
+       my $cmd = "$ldbdel -H $env->{PRIVATEDIR}/sam.ldb 
cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com";
+
+       unless(system($cmd) == 0) {
+               warn("Failed to delete link target: \n$cmd");
+               return undef;
+       }
+
+       # Expunge will ensure that linkto is totally wiped from the DB
+       my $samba_tool = Samba::bindir_path($self, "samba-tool");
+       $cmd = "$samba_tool  domain tombstones expunge --tombstone-lifetime=0 
$env->{CONFIGURATION}";
+
+       unless(system($cmd) == 0) {
+               warn("Failed to expunge link target: \n$cmd");
+               return undef;
+       }
        return $env;
 }
 
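Review bot: Both new commands are built by string interpolation and passed to system() as a single string, so "$env->{PRIVATEDIR}/sam.ldb" and "$env->{CONFIGURATION}" go through shell word splitting and a test prefix containing a space or shell metacharacter would break the ldbdel and samba-tool invocations. Where the arguments are discrete, the list form of system() avoids the shell entirely; $env->{CONFIGURATION} may expand to more than one argument and would need splitting first. There is also a stray double space in "$samba_tool  domain tombstones expunge".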
diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh 
b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
new file mode 100755
index 00000000000..0b21ffcd7c9
--- /dev/null
+++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
+TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
+TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
+NET="$VALGRIND ${NET:-$BINDIR/net}"
+
+cache="$LOCK_DIR"/winbindd_cache.tdb
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
+testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
+
+key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
+
+testit "delete" "$TDBTOOL" "$cache" delete "$key"
+testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
+
+testok $0 $failed
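Review bot: The value of `key` is used without checking that the tdbdump/grep pipeline matched exactly one record, and the "delete" testit line is the only one without `|| failed=...`, so a cache layout change that yields an empty or multi-line key makes the delete fail without affecting the result, and "lookuprids2" then passes without ever reaching the gencache path the test is meant to force. Fail the test explicitly when `key` is empty and count the delete result. The grep pattern `^key.*NDR.*/16/` should also be quoted so the shell cannot glob-expand it.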
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index cfdfaa98c84..e2aebdcb6e2 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -365,6 +365,11 @@ env = "nt4_member:local"
 plantestsuite("samba3.wbinfo_sids_to_xids", env,
               [os.path.join(srcdir(),
                             "nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
+plantestsuite(
+    "samba.wbinfo_lookuprids_cache",
+    env,
+    [os.path.join(samba3srcdir,
+                  "script/tests/test_wbinfo_lookuprids_cache.sh")])
 
 env = "ad_member"
 t = "WBCLIENT-MULTI-PING"
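Review bot: The new suite is registered as "samba.wbinfo_lookuprids_cache" while the entry directly above it uses the "samba3." prefix ("samba3.wbinfo_sids_to_xids") for the same environment. If the different prefix is not intentional, rename it to match so that test selection and knownfail patterns keyed on "samba3." also cover this test.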
diff --git a/source3/torture/test_notify.c b/source3/torture/test_notify.c
index 20b39d1e5db..893113371e6 100644
--- a/source3/torture/test_notify.c
+++ b/source3/torture/test_notify.c
@@ -641,7 +641,7 @@ bool run_notify_bench3(int dummy)
        struct tevent_context *ev;
        struct tevent_barrier *small;
        struct tevent_barrier *large;
-       unsigned i, j;
+       int i;
        unsigned num_done = 0;
        struct timeval ts, now;
 
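Review bot: The change of `i` from unsigned to int is not explained: the commit message is only "Align integer types" and nothing in this hunk shows which types it is being aligned with. A sentence in the commit message naming the types of torture_nprocs and torture_numops, which the loops compare against, would make the change reviewable. Note also that `num_done` on the following line stays unsigned, so any comparison between it and the now-signed counters elsewhere in the function needs a look.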
@@ -680,6 +680,7 @@ bool run_notify_bench3(int dummy)
        }
 
        for (i=0; i<torture_nprocs; i++) {
+               int j;
                for (j=0; j<torture_numops; j++) {
                        int idx = i * torture_numops + j;
                        struct tevent_req *req;
diff --git a/source3/winbindd/winbindd_dual_srv.c 
b/source3/winbindd/winbindd_dual_srv.c
index 6071bee6d65..b8694db3db9 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -673,7 +673,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct 
wbint_LookupRids *r)
                                        r->in.rids->rids, r->in.rids->num_rids,
                                        &domain_name, &names, &types);
        reset_cm_connection_on_error(domain, NULL, status);
-       if (!NT_STATUS_IS_OK(status)) {
+       if (!NT_STATUS_IS_OK(status) &&
+           !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
                return status;
        }
 
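Review bot: The widened condition lets STATUS_SOME_UNMAPPED fall through to the code after the check, but there is no comment saying why, and the hunk does not show that the later code copes with partially filled `names` and `types` or which status is finally returned to the caller. Add a short comment at the `if` stating that a partial result from wb_cache_rids_to_names() is valid here, and confirm that entries for unmapped RIDs are handled safely further down (for example a NULL name) rather than relying on every element being populated.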


-- 
Samba Shared Repository
