The branch, v4-17-stable has been updated
       via  bdd1a7c5f2f VERSION: Disable GIT_SNAPSHOT for the 4.17.8 release.
       via  5f8ce6404cf WHATSNEW: Add release notes for Samba 4.17.8.
       via  05f30cea353 winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
       via  8cf0241459f winbind: Test wbinfo -u with more than 1000 users
       via  2d5ac37d251 dsgetdcname: do not assume local system uses IPv4
       via  b026bbe24c1 s3:lib: Do not try to match '.' and '..' directories in is_in_path()
       via  c13b5b7dc89 s3:tests: Add test that veto files works for hidden files
       via  647c7c75f8f s3:tests: Create a temporary directory for test_veto_files.sh
       via  65168f33f95 libcli/security: rewrite calculate_inherited_from_parent()
       via  f53ef993ffc shadow_copy2: Fix stream open for streams_depot paths
       via  8c9945e24b2 streams_depot: Create files when requested
       via  8011cea58e3 rpcd_mdssvc: initialize POSIX locking
       via  0c633912732 smbXsrv_tcon: avoid storing temporary (invalid!) records.
       via  fd477e4ff6f net_ads: fill ads->auth.realm from c->creds
       via  45a264bf5b6 testprogs/blackbox: add test_net_ads_search_server.sh
       via  d8fa74a176e smbd: Fix case normalization in for directories
       via  d7d81510c38 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
       via  72d3c4f6799 smbd: Prevent creation of vetoed files
       via  ad60260323c CI: add a test creating a vetoed file
       via  0fba21c1bfa dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
       via  e9e902f7393 dsdb/tests: Move SD modification on class-created objects to classSetUp
       via  7fe8a7d710d s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
       via  f7e888f78ec tests: Add samba3.blackbox.zero_readsize test.
       via  e2df45934ab dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
       via  eaff4ef6162 selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
       via  3ecdec683b6 CVE-2020-25720 pydsdb: Add AD schema GUID constants
       via  b1c7df203d0 tsocket: Increase tcp_user_timeout max_loops
       via  bf5ccd5a140 idmap_hash: remember new domain sids in idmap_hash_sid_to_id()
       via  f27cff23350 idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache
       via  182410af7de idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet
       via  13a593254af idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later
       via  e5c9a3597af idmap_hash: split out a idmap_hash_sid_to_id() helper function
       via  da270642918 idmap_hash: split out a idmap_hash_id_to_sid() helper function
       via  61f3e674076 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid
       via  a19fe930199 idmap_hash: we don't need to call idmap_hash_initialize() over and over again
       via  5a754810dea idmap_hash: remove unused error checks
       via  1e6eeb8efb2 idmap_hash: fix comments about the algorithm
       via  bac09f85daa idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids
       via  edc8659b505 idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain
       via  148d5ad7698 winbindd: don't call set_domain_online_request() in the idmap child
       via  cb204cfc69b VERSION: Bump version up to Samba 4.17.8...
      from  2761e60b563 VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 82 +++++- lib/tsocket/tests/test_tstream.c | 2 +- libcli/security/create_descriptor.c | 247 +++++++++++++----- libcli/smb/smbXcli_base.c | 11 + libds/common/flags.h | 14 ++ python/samba/join.py | 19 ++ selftest/target/Samba3.pm | 4 + source3/lib/util.c | 5 + source3/libsmb/dsgetdcname.c | 49 ++-- source3/modules/vfs_shadow_copy2.c | 25 +- source3/modules/vfs_streams_depot.c | 2 +- source3/rpc_server/rpcd_mdssvc.c | 8 + source3/script/tests/test_veto_files.sh | 80 +++++- source3/script/tests/test_wbinfo_u_large_ad.sh | 28 +++ source3/script/tests/test_zero_readsize.sh | 101 ++++++++ source3/smbd/filename.c | 18 +- source3/smbd/globals.h | 5 + source3/smbd/open.c | 2 +- source3/smbd/smb1_service.c | 48 ++-- source3/smbd/smb2_service.c | 15 -- source3/smbd/smb2_tcon.c | 58 +++-- source3/smbd/smbXsrv_tcon.c | 29 ++- source3/utils/net_ads.c | 10 +- source3/winbindd/idmap_autorid.c | 15 +- source3/winbindd/idmap_hash/idmap_hash.c | 302 +++++++++++++++-------- source3/winbindd/winbindd_dual.c | 7 - source3/winbindd/winbindd_samr.c | 102 +++++--- source4/dsdb/pydsdb.c | 15 ++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +- source4/dsdb/samdb/samdb.h | 2 + source4/dsdb/tests/python/large_ldap.py | 20 +- source4/selftest/tests.py | 16 ++ source4/torture/drs/python/ridalloc_exop.py | 135 ++++++++++ testprogs/blackbox/test_net_ads_search_server.sh | 37 +++ 35 files changed, 1202 insertions(+), 326 deletions(-) create mode 100755 source3/script/tests/test_wbinfo_u_large_ad.sh create mode 100755 source3/script/tests/test_zero_readsize.sh create mode 100755 testprogs/blackbox/test_net_ads_search_server.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f1fe0a90b66..bcfbd046e24 100644 --- a/VERSION 
+++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=17 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 694e29c45eb..c9f39ce3912 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,82 @@ + ============================== + Release Notes for Samba 4.17.8 + May 11, 2023 + ============================== + + +This is the latest stable release of the Samba 4.17 release series. + + +Changes since 4.17.7 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15302: log flood: smbd_calculate_access_mask_fsp: Access denied: + message level should be lower. + * BUG 15306: Floating point exception (FPE) via cli_pull_send at + source3/libsmb/clireadwrite.c. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15328: test_tstream_more_tcp_user_timeout_spin fails intermittently on + Rackspace GitLab runners. + * BUG 15329: Reduce flapping of ridalloc test. + * BUG 15351: large_ldap test is unreliable. + +o Ralph Boehme <s...@samba.org> + * BUG 15143: New filename parser doesn't check veto files smb.conf parameter. + * BUG 15354: mdssvc may crash when initializing. + +o Volker Lendecke <v...@samba.org> + * BUG 15313: Large directory optimization broken for non-lcomp path elements. + * BUG 15357: streams_depot fails to create streams. + * BUG 15358: shadow_copy2 and streams_depot don't play well together. + * BUG 15366: wbinfo -u fails on ad dc with >1000 users. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15317: winbindd idmap child contacts the domain controller without a + need. + * BUG 15318: idmap_autorid may fail to map sids of trusted domains for the + first time. + * BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings. + * BUG 15323: net ads search -P doesn't work against servers in other domains. + * BUG 15338: DS ACEs might be inherited to unrelated object classes. + * BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed. + +o Andreas Schneider <a...@samba.org> + * BUG 15360: Setting veto files = /.*/ break listing directories. 
+ +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not + allow full write to all attributes (additional changes). + * BUG 15329: Reduce flapping of ridalloc test. + +o Nathaniel W. Turner <ntur...@exagrid.com> + * BUG 15325: dsgetdcname: assumes local system uses IPv4. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.17.7 March 29, 2023 @@ -67,8 +146,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.17.6 March 09, 2023 diff --git a/lib/tsocket/tests/test_tstream.c b/lib/tsocket/tests/test_tstream.c index a920e671cda..47008bb8bf8 100644 --- a/lib/tsocket/tests/test_tstream.c +++ b/lib/tsocket/tests/test_tstream.c 
@@ -322,7 +322,7 @@ static void test_tstream_server_spin_client_tcp_user_timeout(struct socket_pair rc = write(sp->socket_client, TEST_STRING, sizeof(TEST_STRING)); assert_return_code(rc, errno); sp->expected_errno = ETIMEDOUT; - sp->max_loops = 15; + sp->max_loops = 30; } static void test_tstream_server_spin_client_both_timer(struct tevent_context *ev, diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index ef60d847033..947d6c19d58 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -78,7 +78,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask) /* Not sure what this has to be, * and it does not seem to have any influence */ -static bool object_in_list(struct GUID *object_list, struct GUID *object) +static bool object_in_list(const struct GUID *object_list, const struct GUID *object) { size_t i; @@ -107,7 +107,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) /* returns true if the ACE gontains generic information * that needs to be processed additionally */ -static bool desc_ace_has_generic(struct security_ace *ace) +static bool desc_ace_has_generic(const struct security_ace *ace) { if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ || ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) { 
@@ -155,12 +155,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, } for (i=0; i < acl->num_aces; i++) { - struct security_ace *ace = &acl->aces[i]; - if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) || - (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { - struct GUID inherited_object = GUID_zero(); + const struct security_ace *ace = &acl->aces[i]; + const struct GUID *inherited_object = NULL; + const struct GUID *inherited_property = NULL; + struct security_ace *tmp_ace = NULL; + bool applies = false; + bool inherited_only = false; + bool expand_ace = false; + bool expand_only = false; + + if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { + applies = true; + } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + applies = true; + } + + if (!applies) { + /* + * If the ace doesn't apply to the + * current node, we should only keep + * it as SEC_ACE_FLAG_OBJECT_INHERIT + * on a container. We'll add + * SEC_ACE_FLAG_INHERITED_ACE + * and SEC_ACE_FLAG_INHERIT_ONLY below. + * + * Otherwise we should completely ignore it. 
+ */ + if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + continue; + } + } + + switch (ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + case SEC_ACE_TYPE_ACCESS_DENIED: + case SEC_ACE_TYPE_SYSTEM_AUDIT: + case SEC_ACE_TYPE_SYSTEM_ALARM: + case SEC_ACE_TYPE_ALLOWED_COMPOUND: + break; + + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { + inherited_property = &ace->object.object.type.type; + } + if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { + inherited_object = &ace->object.object.inherited_type.inherited_type; + } + + if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) { + /* + * An explicit object class schemaId is given, + * but doesn't belong to the current object. + */ + applies = false; + } - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, + break; + } + + if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { + if (!applies) { + /* + * If the ACE doesn't apply to + * the current object, we should + * ignore it as it should not be + * inherited any further + */ + continue; + } + /* + * We should only keep the expanded version + * of the ACE on the current object. + */ + expand_ace = true; + expand_only = true; + } else if (applies) { + /* + * We check if should also add + * the expanded version of the ACE + * in addition, in case we should + * expand generic access bits or + * special sids. + * + * In that case we need to + * keep the original ACE with + * SEC_ACE_FLAG_INHERIT_ONLY. 
+ */ + expand_ace = desc_ace_has_generic(ace); + if (expand_ace) { + inherited_only = true; + } + } else { + /* + * If the ACE doesn't apply + * to the current object, + * we need to keep it with + * SEC_ACE_FLAG_INHERIT_ONLY + * in order to apply them to + * grandchildren + */ + inherited_only = true; + } + + if (expand_ace) { + tmp_acl->aces = talloc_realloc(tmp_acl, + tmp_acl->aces, struct security_ace, tmp_acl->num_aces+1); if (tmp_acl->aces == NULL) { 
@@ -168,61 +270,96 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, return NULL; } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; - /* remove IO flag from the child's ace */ - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY && - !desc_ace_has_generic(ace)) { - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; - } + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; - if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - case SEC_ACE_TYPE_ACCESS_DENIED: - case SEC_ACE_TYPE_SYSTEM_AUDIT: - case SEC_ACE_TYPE_SYSTEM_ALARM: - case SEC_ACE_TYPE_ALLOWED_COMPOUND: - break; - - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { - inherited_object = ace->object.object.inherited_type.inherited_type; - } + *tmp_ace = *ace; + + /* + * Expand generic access bits as well as special + * sids. + */ + desc_expand_generic(tmp_ace, owner, group); + + /* + * Expanded ACEs are marked as inherited, + * but never inherited any further to + * grandchildren. + */ + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; + + /* + * Expanded ACEs never have an explicit + * object class schemaId, so clear it + * if present. 
+ */ + if (inherited_object != NULL) { + tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT; + } - if (!object_in_list(object_list, &inherited_object)) { - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; + /* + * If the ACE had an explicit object class + * schemaId, but no attribute/propertySet + * we need to downgrate the _OBJECT variants + * to the normal ones. + */ + if (inherited_property == NULL) { + switch (tmp_ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + case SEC_ACE_TYPE_ACCESS_DENIED: + case SEC_ACE_TYPE_SYSTEM_AUDIT: + case SEC_ACE_TYPE_SYSTEM_ALARM: + case SEC_ACE_TYPE_ALLOWED_COMPOUND: + break; + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED; + break; + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED; + break; + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM; + break; + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT; + break; } - - break; } - tmp_acl->num_aces++; - if (is_container) { - if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) && - (desc_ace_has_generic(ace))) { - tmp_acl->aces = talloc_realloc(tmp_acl, - tmp_acl->aces, - struct security_ace, - tmp_acl->num_aces+1); - if (tmp_acl->aces == NULL) { - talloc_free(tmp_ctx); - return NULL; - } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces], - owner, - group); - tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE; - tmp_acl->num_aces++; - } + if (expand_only) { + continue; } } + + tmp_acl->aces = talloc_realloc(tmp_acl, + tmp_acl->aces, + struct security_ace, + tmp_acl->num_aces+1); + if (tmp_acl->aces == NULL) { + talloc_free(tmp_ctx); + return NULL; + } + + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; + + *tmp_ace = *ace; + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + + if (inherited_only) { + tmp_ace->flags 
|= SEC_ACE_FLAG_INHERIT_ONLY; + } else { + tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; + } + + if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { + tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; + } } if (tmp_acl->num_aces == 0) { return NULL; diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index c5d13bd5837..1500d484e83 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5088,6 +5088,17 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq) conn->smb2.server.system_time = BVAL(body, 40); conn->smb2.server.start_time = BVAL(body, 48); + if (conn->smb2.server.max_trans_size == 0 || + conn->smb2.server.max_read_size == 0 || + conn->smb2.server.max_write_size == 0) { + /* + * We can't connect to servers we can't + * do any operations on. + */ + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + security_offset = SVAL(body, 56); security_length = SVAL(body, 58); diff --git a/libds/common/flags.h b/libds/common/flags.h index bee1016b294..c013d2f0f25 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h 
@@ -237,6 +237,20 @@ /* wellknown GUIDs for optional directory features */ #define DS_GUID_FEATURE_RECYCLE_BIN "766ddcd8-acd0-445e-f3b9-a7f9b6744f2a" +/* GUIDs for AD schema attributes and classes */ +#define DS_GUID_SCHEMA_ATTR_DEPARTMENT "bf96794f-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME "72e39547-7b18-11d1-adef-00c04fd8d5cd" +#define DS_GUID_SCHEMA_ATTR_INSTANCE_TYPE "bf96798c-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_ATTR_MS_SFU_30 "16c5d1d3-35c2-4061-a870-a5cefda804f0" +#define DS_GUID_SCHEMA_ATTR_NT_SECURITY_DESCRIPTOR "bf9679e3-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID "bf967a00-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME "f3a64788-5306-11d1-a9c5-0000f80367c1" +#define DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL "bf967a68-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_ATTR_USER_PASSWORD "bf967a6e-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_CLASS_COMPUTER "bf967a86-0de6-11d0-a285-00aa003049e2" +#define DS_GUID_SCHEMA_CLASS_MANAGED_SERVICE_ACCOUNT "ce206244-5827-4a86-ba1c-1c0c386c1b64" +#define DS_GUID_SCHEMA_CLASS_USER "bf967aba-0de6-11d0-a285-00aa003049e2" + /* dsHeuristics character indexes see MS-ADTS 7.1.1.2.4.1.2 */ #define DS_HR_SUPFIRSTLASTANR 0x00000001 diff --git a/python/samba/join.py b/python/samba/join.py index 650bb5a08ae..30d33d43f11 100644 --- a/python/samba/join.py +++ b/python/samba/join.py @@ -50,6 +50,7 @@ import tempfile from collections import OrderedDict from samba.common import get_string from samba.netcmd import CommandError +from samba import dsdb class DCJoinException(Exception): 
@@ -937,6 +938,10 @@ class DCJoinContext(object): """Replicate the SAM.""" ctx.logger.info("Starting replication") + + # A global transaction is started so that linked attributes + # are applied at the very end, once all partitions are + # replicated. This helps get all cross-partition links. ctx.local_samdb.transaction_start() try: source_dsa_invocation_id = misc.GUID(ctx.samdb.get_invocation_id()) @@ -1057,7 +1062,21 @@ class DCJoinContext(object): ctx.local_samdb.transaction_cancel() raise else: + + # This is a special case, we have completed a full + # replication so if a link comes to us that points to a + # deleted object, and we asked for all objects already, we + # just have to ignore it, the chance to re-try the + # replication with GET_TGT has long gone. This can happen + # if the object is deleted and sent to us after the link + # was sent, as we are processing all links in the + # transaction_commit(). + if not ctx.domain_replica_flags & drsuapi.DRSUAPI_DRS_CRITICAL_ONLY: + ctx.local_samdb.set_opaque_integer(dsdb.DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME, + 1) ctx.local_samdb.transaction_commit() + ctx.local_samdb.set_opaque_integer(dsdb.DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME, + 0) ctx.logger.info("Committed SAM database") -- Samba Shared Repository
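Review bot: in the WHATSNEW.txt hunk, the entry "Setting veto files = /.*/ break listing directories." should read "breaks", and "wbinfo -u fails on ad dc with >1000 users" should spell "AD DC" the way the rest of the notes do.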
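Review bot: in the lib/tsocket/tests/test_tstream.c hunk, `sp->max_loops = 30;` doubles a bare magic number without saying what bounds it; since the client is waiting for ETIMEDOUT from the TCP user timeout, add a one-line comment tying the loop count to that timeout (or derive it from the timeout value) so the next flaky run on a slow runner is not fixed by doubling it again.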
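Review bot: in the libcli/security/create_descriptor.c hunks for calculate_inherited_from_parent(), one comment is narrower than the code it describes and two need tidying: the comment "If the ACE had an explicit object class schemaId, but no attribute/propertySet" sits on `if (inherited_property == NULL)`, which also downgrades an _OBJECT ACE that carries neither GUID, so say the downgrade applies whenever no attribute/propertySet GUID is present regardless of the inherited object type; "downgrate" should read "downgrade"; and "We check if should also add" is missing "we".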
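Review bot: in the libcli/smb/smbXcli_base.c hunk, the new zero check in smbXcli_negprot_smb2_done() fails the connection with NT_STATUS_INVALID_NETWORK_RESPONSE but leaves no trace of why; add a DBG_WARNING line before `tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);` that prints the three sizes, so an operator whose client refuses to connect can tell a broken or misbehaving server from a network fault.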
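Review bot: in the libds/common/flags.h hunk, the new DS_GUID_SCHEMA_ATTR_* and DS_GUID_SCHEMA_CLASS_* string constants carry no note on their origin; a one-line comment saying they are the schemaIDGUID values of the corresponding attributeSchema and classSchema objects would let a reviewer verify each one against the schema rather than trust the literals.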
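Review bot: in the second python/samba/join.py hunk, the reset `ctx.local_samdb.set_opaque_integer(dsdb.DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME, 0)` runs only if `transaction_commit()` returns normally; if the commit raises, the opaque stays at 1 on ctx.local_samdb and the ignore-deleted-target behaviour the comment describes stays switched on for that handle. Wrap the commit in `try: ... finally:` so the opaque is always cleared, and put the constant name in a short local so the two `set_opaque_integer` calls fit on one line each.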