The branch, v4-13-test has been updated
       via  bb49e891025 winbind: Fix lookuprids cache problem
       via  12997bb8196 winbind: Add test for lookuprids cache problem
       via  ab227e7db1c torture3: Align integer types
       via  2bdf5e9c292 dbcheck: Allow a dangling forward link outside our known NCs
       via  18628ba1558 ctdb-scripts: Use nfsconf as a last resort get nfsd thread count
       via  8bd4e018780 ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME
       via  983b35fdcf8 docs: Fix documentation for require_membership_of of pam_winbind.conf
       via  f2f122d65a7 docs: Fix documentation for require_membership_of of pam_winbind
      from  19fecfaa35f kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -----------------------------------------------------------------
commit bb49e891025bdb71bacb8ed084c286d9d4da2cad
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 8 15:09:45 2020 +0200

    winbind: Fix lookuprids cache problem

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Thu Jul 9 21:40:52 UTC 2020 on sn-devel-184

    (cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)

    Autobuild-User(v4-13-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-13-test): Mon Aug 10 10:46:37 UTC 2020 on sn-devel-184

commit 12997bb81961e98668d3de16fdb09ada3996408d
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 8 15:00:49 2020 +0200

    winbind: Add test for lookuprids cache problem

    When reading entries from gencache, wb_cache_rids_to_names() can
    return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
    correctly.

    This test enforces this situation by filling gencache with one wbinfo
    -R and then erasing the winbindd_cache.tdb. This forces winbind to
    enter the domain helper process, which will then read from gencache
    filled with the previous wbinfo -R.

    Without having the entries cached this does not happen because
    wb_cache_rids_to_names() via the do_query: path calls deep inside
    calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
    STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)

commit ab227e7db1cc41dbd8667da752e9420cef1091a1
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Jul 7 08:50:31 2020 +0200

    torture3: Align integer types

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2bdf5e9c292364b45b43dbf985245641a16fa398
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 27 11:37:29 2020 +1200

    dbcheck: Allow a dangling forward link outside our known NCs

    If we do not have the NC of the target object we can not be really sure
    that the object is redundant and so we want to keep it for now
    and not (as happened until now) break the dbcheck run made during the
    replication stage of a "samba-tool domain backup rename".

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14450

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    (cherry picked from commit 05228c4e07013c0e6f78f1330b3b787271282ca8)

commit 18628ba15585f991b004ef4bd66abf2f8ed12b3f
Author: Martin Schwenke <mar...@meltin.net>
Date:   Mon Jul 20 12:02:45 2020 +1000

    ctdb-scripts: Use nfsconf as a last resort get nfsd thread count

    If nfsconf exists then use it as last resort to attempt to extract
    [nfsd]:threads from /etc/nfs.conf.

    Invocation of nfsconf requires "|| true" because this script uses
    "set -e". Add a stub that always fails to at least test this much.

    RN: Use nfsconf utility for variable values in CTDB NFS scripts
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14444

    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Amitay Isaacs <ami...@gmail.com>

    Autobuild-User(master): Amitay Isaacs <ami...@samba.org>
    Autobuild-Date(master): Mon Jul 27 07:06:58 UTC 2020 on sn-devel-184

    (cherry picked from commit 642dc6ded6426ba2fbf3ac1e5cd71aae11ca245b)

commit 8bd4e0187803b4263dae9eafb07d539350f30ce0
Author: Martin Schwenke <mar...@meltin.net>
Date:   Mon Jul 13 10:16:33 2020 +1000

    ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME

    If nfsconf exists then use it as last resort to attempt to extract
    [statd]:name from /etc/nfs.conf.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14444

    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Amitay Isaacs <ami...@gmail.com>
    (cherry picked from commit 334dd8cedda6a341e3b89c9adc8102ea5480e452)

commit 983b35fdcf85826d3b667c8c5b0234402a6863c7
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jul 17 12:14:16 2020 +0200

    docs: Fix documentation for require_membership_of of pam_winbind.conf

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    (cherry picked from commit 71b7140fd0a33e7e8c5bf37c2897cea8224b3f01)

commit f2f122d65a7e9377772a6ce0dca97a2e45bb22fc
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jul 9 11:48:26 2020 +0200

    docs: Fix documentation for require_membership_of of pam_winbind

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)

-----------------------------------------------------------------------

Summary of changes:
 ctdb/config/nfs-linux-kernel-callout               |  3 ++
 ctdb/config/statd-callout                          | 21 +++++++++---
 ctdb/tests/UNIT/eventscripts/stubs/nfsconf         |  5 +++
 docs-xml/manpages/pam_winbind.8.xml                |  8 +++--
 docs-xml/manpages/pam_winbind.conf.5.xml           |  9 +++--
 python/samba/dbchecker.py                          | 24 ++++++++++++-
 selftest/target/Samba4.pm                          | 39 ++++++++++++++++++++++
 .../script/tests/test_wbinfo_lookuprids_cache.sh   | 21 ++++++++++++
 source3/selftest/tests.py                          |  5 +++
 source3/torture/test_notify.c                      |  3 +-
 source3/winbindd/winbindd_dual_srv.c               |  3 +-
 11 files changed, 128 insertions(+), 13 deletions(-)
 create mode 100755 ctdb/tests/UNIT/eventscripts/stubs/nfsconf
 create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh


Changeset truncated at 500 lines:

diff --git a/ctdb/config/nfs-linux-kernel-callout b/ctdb/config/nfs-linux-kernel-callout index 71d8ecf8074..6a372d4b4fd 100755 --- a/ctdb/config/nfs-linux-kernel-callout 
+++ b/ctdb/config/nfs-linux-kernel-callout @@ -299,6 +299,9 @@ nfs_check_thread_count () # assume that those using the default don't care about the number # of threads and that they have switched on this feature in error. _configured_threads="${RPCNFSDCOUNT:-${USE_KERNEL_NFSD_NUMBER}}" + if [ -z "$_configured_threads" ] && type nfsconf >/dev/null 2>&1 ; then + _configured_threads=$(nfsconf --get nfsd threads) || true + fi [ -n "$_configured_threads" ] || return 0 _threads_file="${PROCFS_PATH}/fs/nfsd/threads" diff --git a/ctdb/config/statd-callout b/ctdb/config/statd-callout index b75135bbde5..67ed2a5bc62 100755 --- a/ctdb/config/statd-callout +++ b/ctdb/config/statd-callout @@ -3,10 +3,18 @@ # This must run as root as CTDB tool commands need to access CTDB socket [ "$(id -u)" -eq 0 ] || exec sudo "$0" "$@" -# this script needs to be installed so that statd points to it with the -H -# command line argument. The easiest way to do that is to put something like this in -# /etc/sysconfig/nfs: -# STATD_HOSTNAME="myhostname -H /etc/ctdb/statd-callout" +# statd must be configured to use this script as its high availability call-out. +# +# In most Linux versions this can be done using something like the following... +# +# /etc/sysconfig/nfs (Red Hat) or /etc/default/nfs-common (Debian): +# NFS_HOSTNAME=myhostname +# STATD_HOSTNAME="${NFS_HOSTNAME} -H /etc/ctdb/statd-callout" +# +# Newer Red Hat Linux variants instead use /etc/nfs.conf: +# [statd] +# name = myhostname +# ha-callout = /etc/ctdb/statd-callout [ -n "$CTDB_BASE" ] || \ CTDB_BASE=$(d=$(dirname "$0") ; cd -P "$d" ; echo "$PWD") 
@@ -23,6 +31,11 @@ die () # Try different variables to find config file for NFS_HOSTNAME load_system_config "nfs" "nfs-common" +# If NFS_HOSTNAME not set then try to pull it out of /etc/nfs.conf +if [ -z "$NFS_HOSTNAME" ] && type nfsconf >/dev/null 2>&1 ; then + NFS_HOSTNAME=$(nfsconf --get statd name) +fi + [ -n "$NFS_HOSTNAME" ] || \ die "NFS_HOSTNAME is not configured. statd-callout failed" diff --git a/ctdb/tests/UNIT/eventscripts/stubs/nfsconf b/ctdb/tests/UNIT/eventscripts/stubs/nfsconf new file mode 100755 index 00000000000..84dd9ea5f60 --- /dev/null +++ b/ctdb/tests/UNIT/eventscripts/stubs/nfsconf @@ -0,0 +1,5 @@ +#!/bin/sh + +# This always fails for now, since there are no tests that expect to +# use it. +exit 1 diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml index 622e9e188d9..32030ef0ecc 100644 --- a/docs-xml/manpages/pam_winbind.8.xml +++ b/docs-xml/manpages/pam_winbind.8.xml 
@@ -84,9 +84,11 @@ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with <command>wbinfo --user-sids=SID</command>. + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>. </para> <para> diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index c4a7771fb31..0bc288f91a1 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -69,9 +69,12 @@ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or - <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with <command>wbinfo --user-sids=SID</command>. This setting is empty by default. + <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of + <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form + <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can + verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>. + This setting is empty by default. </para> <para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para> </listitem> diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py index 7496a463930..593aa8cf6d2 100644 --- a/python/samba/dbchecker.py +++ b/python/samba/dbchecker.py 
@@ -621,7 +621,29 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) return 0 nc_root = self.samdb.get_nc_root(dn) - target_nc_root = self.samdb.get_nc_root(dsdb_dn.dn) + try: + target_nc_root = self.samdb.get_nc_root(dsdb_dn.dn) + except ldb.LdbError as e: + (enum, estr) = e.args + if enum != ldb.ERR_NO_SUCH_OBJECT: + raise + target_nc_root = None + + if target_nc_root is None: + # We don't bump the error count as Samba produces + # these in normal operation creating a lab domain (due + # to the way the rename is handled, links to + # now-expunged objects will never be fixed to stay + # inside the NC + self.report("WARNING: no target object found for GUID " + "component for link " + "%s in object to %s outside our NCs" + "%s - %s" % (attrname, dsdb_dn.dn, dn, val)) + self.report("Not removing dangling one-way " + "left-over link outside our NCs " + "(we might be building a renamed/lab domain)") + return 0 + if nc_root != target_nc_root: # We don't bump the error count as Samba produces these # in normal operation diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 1466cbd8d48..88c95c3a078 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -2942,6 +2942,45 @@ sub setup_backupfromdc $self->setup_namespaces($env, $upn_array, $spn_array); + # Set up a dangling forward link to an expunged object + # + # We need this to ensure that the "samba-tool domain backup rename" + # that is part of the creation of the labdc environment can + # cope with this situation on the source DC. + + if (not $self->write_ldb_file("$env->{PRIVATEDIR}/sam.ldb", " +dn: ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com +objectclass: organizationalUnit +- + +dn: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com +objectclass: msExchConfigurationContainer +- + +dn: cn=linkfrom,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com +objectclass: msExchConfigurationContainer +addressBookRoots: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com +- + +")) { + return undef; + } + my $ldbdel = Samba::bindir_path($self, "ldbdel"); + my $cmd = "$ldbdel -H $env->{PRIVATEDIR}/sam.ldb cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com"; + + unless(system($cmd) == 0) { + warn("Failed to delete link target: \n$cmd"); + return undef; + } + + # Expunge will ensure that linkto is totally wiped from the DB + my $samba_tool = Samba::bindir_path($self, "samba-tool"); + $cmd = "$samba_tool domain tombstones expunge --tombstone-lifetime=0 $env->{CONFIGURATION}"; + + unless(system($cmd) == 0) { + warn("Failed to expunge link target: \n$cmd"); + return undef; + } return $env; } diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh new file mode 100755 index 00000000000..0b21ffcd7c9 --- /dev/null +++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh 
@@ -0,0 +1,21 @@ +#!/bin/sh + +WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}" +TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}" +TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}" +NET="$VALGRIND ${NET:-$BINDIR/net}" + +cache="$LOCK_DIR"/winbindd_cache.tdb + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh + +testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1` +testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1` + +key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2) + +testit "delete" "$TDBTOOL" "$cache" delete "$key" +testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1` + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index cfdfaa98c84..e2aebdcb6e2 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -365,6 +365,11 @@ env = "nt4_member:local" plantestsuite("samba3.wbinfo_sids_to_xids", env, [os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_sids_to_xids.sh")]) +plantestsuite( + "samba.wbinfo_lookuprids_cache", + env, + [os.path.join(samba3srcdir, + "script/tests/test_wbinfo_lookuprids_cache.sh")]) env = "ad_member" t = "WBCLIENT-MULTI-PING" diff --git a/source3/torture/test_notify.c b/source3/torture/test_notify.c index 20b39d1e5db..893113371e6 100644 --- a/source3/torture/test_notify.c +++ b/source3/torture/test_notify.c @@ -641,7 +641,7 @@ bool run_notify_bench3(int dummy) struct tevent_context *ev; struct tevent_barrier *small; struct tevent_barrier *large; - unsigned i, j; + int i; unsigned num_done = 0; struct timeval ts, now; @@ -680,6 +680,7 @@ bool run_notify_bench3(int dummy) } for (i=0; i<torture_nprocs; i++) { + int j; for (j=0; j<torture_numops; j++) { int idx = i * torture_numops + j; struct tevent_req *req; diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index 6071bee6d65..b8694db3db9 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
@@ -673,7 +673,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) r->in.rids->rids, r->in.rids->num_rids, &domain_name, &names, &types); reset_cm_connection_on_error(domain, NULL, status); - if (!NT_STATUS_IS_OK(status)) { + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) { return status; } -- Samba Shared Repository
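Review bot: In ctdb/config/statd-callout, the new `NFS_HOSTNAME=$(nfsconf --get statd name)` assignment has no failure handling, while the matching call added to nfs-linux-kernel-callout ends in `|| true`. If this script also runs under "set -e" (not visible in the hunk), a non-zero exit from nfsconf would end the script before the `die "NFS_HOSTNAME is not configured. statd-callout failed"` line can report the cause. Suggest `NFS_HOSTNAME=$(nfsconf --get statd name) || true` so both call-outs behave the same way.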
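Review bot: In docs-xml/manpages/pam_winbind.8.xml (and the identical text added to pam_winbind.conf.5.xml), the new clause "(where '\' character corresponds to the value of winbind separator parameter)" is missing its articles; suggest "where the '\' character corresponds to the value of the winbind separator parameter". The UPN sentence now sits between the DOMAIN\name form and "pam_winbind will, in that case, lookup the SID internally", so it is worth saying explicitly whether "that case" covers the UPN form as well.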
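Review bot: In python/samba/dbchecker.py, the new WARNING format string is missing a separator between its last two fragments: `"%s in object to %s outside our NCs"` is concatenated directly with `"%s - %s"`, so the message prints "outside our NCs" immediately followed by the DN. Add a trailing space or punctuation to the first fragment, and check the wording "in object to %s" against the argument order (attrname, dsdb_dn.dn, dn, val). The parenthesis opened in the comment at "(due to the way the rename is handled" is also never closed.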
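Review bot: In selftest/target/Samba4.pm, both new commands are built as one interpolated string and run with `system($cmd)`, so `$env->{PRIVATEDIR}` reaches the command line unquoted and a test prefix containing spaces or shell metacharacters would break the ldbdel call. Quote the path, or use the list form of system() for the ldbdel invocation. The two warn() messages print only the command; including the exit status from `$?` would make a failed environment setup easier to diagnose.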
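Review bot: In source3/script/tests/test_wbinfo_lookuprids_cache.sh, the `testit "delete" "$TDBTOOL" "$cache" delete "$key"` line is the only testit call without the `|| failed=...` suffix, so a failed delete is not counted and "lookuprids2" can pass without exercising the gencache path the test is meant to force. `$key` is also used without checking that the grep matched exactly one entry, and the pattern `^key.*NDR.*/16/` is unquoted, which leaves it open to pathname expansion by the shell. Suggest quoting the pattern, failing the test when `$key` is empty, and counting the delete result like the other steps.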
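Review bot: In source3/selftest/tests.py, the new suite is registered as "samba.wbinfo_lookuprids_cache" while the neighbouring entry in the same block is "samba3.wbinfo_sids_to_xids". If the missing "3" is not intended, rename it so the suite sorts and filters together with the other samba3.* tests.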
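Review bot: In source3/winbindd/winbindd_dual_srv.c, the widened condition in _wbint_LookupRids() lets STATUS_SOME_UNMAPPED fall through with no comment explaining why a partial result is acceptable at this point. Add a short comment at the `if`, and confirm that the code following this hunk (not shown) copes with `names` and `types` entries for RIDs that were not mapped and returns the status the caller expects.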