The branch, master has been updated
       via  91eb3f1d223 testprogs/blackbox: add --recursive tests to 
test_samba-tool_ntacl.sh
       via  11741791cc6 testprogs/blackbox: move 'ntacl get' out of 
test_changedomsid() in test_samba-tool_ntacl.sh
       via  619f097b7d4 testprogs/blackbox: pass $CONFIGURATION to 
test_samba-tool_ntacl.sh
       via  16b9b508af4 samba-tool/ntacl: implement set --recursive
       via  27b29cfa766 samba-tool/ntacl: add set --verbose and print out the 
file/directory name
       via  6327fd9cdba samba-tool/ntacl: don't announce -q,--quiet in --help 
as it's not used at all
       via  4ca5b78f5b7 samba-tool/ntacl: let changedomsid ignore symlinks
       via  3694f2ce620 vfs_aio_pthread: don't crash without a pthreadpool
       via  0e9f1eec5a2 samba-tool: print default (domain) for 
--dns-directory-partition option in help message
       via  b26dcfba10e tests/krb5/s4u_tests.py: add 
test_constrained_delegation_authtime
       via  489cdefa6ab tests/krb5/s4u_tests.py: add 
test_constrained_delegation_with_enc_auth_data_[no_]subkey()
      from  0ef8083cca0 WHATSNEW: Mention new default schema and Functional 
Level prep

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224

commit 11741791cc6ae339efd71b122ea9313b710bf1ac
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in 
test_samba-tool_ntacl.sh
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 619f097b7d4c0fa4614ab12042292c1e9a8fe234
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 17 11:26:48 2023 +0200

    testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16b9b508af4432abe5717da129b1be921c0227c6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:51 2023 +0200

    samba-tool/ntacl: implement set --recursive
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 27b29cfa766099252b417da06599aee585a228bc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:26 2023 +0200

    samba-tool/ntacl: add set --verbose and print out the file/directory name
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6327fd9cdbaf3dad4b09ce291de1f42259e11d2b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 16:18:26 2023 +0200

    samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at 
all
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4ca5b78f5b7c35e6276d92f7948334dad7a59456
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 16 13:57:51 2023 +0200

    samba-tool/ntacl: let changedomsid ignore symlinks
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3694f2ce6205a647eb5dab2115785fb45decaf0b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 2 15:15:16 2023 +0200

    vfs_aio_pthread: don't crash without a pthreadpool
    
    During 'samba-tool ntacl sysvolreset' and similar.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0e9f1eec5a2e484d947a433cc854d9903de8537f
Author: Björn Baumbach <b...@sernet.de>
Date:   Wed Jun 21 20:52:03 2023 +0200

    samba-tool: print default (domain) for --dns-directory-partition option in 
help message
    
    Signed-off-by: Björn Baumbach <b...@sernet.de>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 24 00:12:47 2022 +0100

    tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
    
    This demonstrates that we use the correct authtime
    when doing constrained delegation.
    
    The actual fix for the problem is already in place via
    commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc
    third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
    
    The related patch is:
    006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from 
addtitional ticket for S4U2Proxy tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 17 14:46:55 2022 +0100

    tests/krb5/s4u_tests.py: add 
test_constrained_delegation_with_enc_auth_data_[no_]subkey()
    
    This demonstrates that we use the correct key for EncAuthorizationData
    together with constrained delegation.
    
    The actual fix for the problem is already in place via
    commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc
    third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
    
    The related patches are:
    38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when 
decryption AuthorizationData
    61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt 
b->enc_authorization_data in tgs_build_reply()
    fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an 
authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/dns.py                  |   2 +-
 python/samba/netcmd/ntacl.py                |  97 +++++++++++-----
 python/samba/tests/krb5/s4u_tests.py        | 126 ++++++++++++++++++++-
 source3/modules/vfs_aio_pthread.c           |   7 ++
 source4/selftest/tests.py                   |   2 +-
 testprogs/blackbox/test_samba-tool_ntacl.sh | 170 ++++++++++++++++++++++++----
 6 files changed, 350 insertions(+), 54 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/dns.py b/python/samba/netcmd/dns.py
index f10e67e0d4e..d40f01fa1cd 100644
--- a/python/samba/netcmd/dns.py
+++ b/python/samba/netcmd/dns.py
@@ -917,7 +917,7 @@ class cmd_zonecreate(Command):
         Option('--dns-directory-partition',
                help='Specify the naming context for the new zone, which '
                     'affects the replication scope (domain or forest wide '
-                    'replication).',
+                    'replication, default: domain).',
                default='domain',
                metavar='domain|forest',
                choices=['domain', 'forest'],
diff --git a/python/samba/netcmd/ntacl.py b/python/samba/netcmd/ntacl.py
index 8675719017d..b6aaed7712a 100644
--- a/python/samba/netcmd/ntacl.py
+++ b/python/samba/netcmd/ntacl.py
@@ -70,7 +70,7 @@ def get_local_domain_sid(lp):
 class cmd_ntacl_set(Command):
     """Set ACLs on a file."""
 
-    synopsis = "%prog <acl> <file> [options]"
+    synopsis = "%prog <acl> <path> [options]"
 
     takes_optiongroups = {
         "sambaopts": options.SambaOptions,
@@ -79,21 +79,25 @@ class cmd_ntacl_set(Command):
     }
 
     takes_options = [
-        Option("-q", "--quiet", help="Be quiet", action="store_true"),
+        # --quiet is not used at all...
+        Option("-q", "--quiet", help=Option.SUPPRESS_HELP, 
action="store_true"),
+        Option("-v", "--verbose", help="Be verbose", action="store_true"),
         Option("--xattr-backend", type="choice", help="xattr backend type 
(native fs or tdb)",
                choices=["native", "tdb"]),
         Option("--eadb-file", help="Name of the tdb file where attributes are 
stored", type="string"),
         Option("--use-ntvfs", help="Set the ACLs directly to the TDB or xattr 
for use with the ntvfs file server", action="store_true"),
         Option("--use-s3fs", help="Set the ACLs for use with the default s3fs 
file server via the VFS layer", action="store_true"),
+        Option("--recursive", help="Set the ACLs for directories and their 
contents recursively", action="store_true"),
+        Option("--follow-symlinks", help="Follow symlinks", 
action="store_true"),
         Option("--service", help="Name of the smb.conf service to use when 
applying the ACLs", type="string")
     ]
 
-    takes_args = ["acl", "file"]
+    takes_args = ["acl", "path"]
 
-    def run(self, acl, file, use_ntvfs=False, use_s3fs=False,
-            quiet=False, xattr_backend=None, eadb_file=None,
+    def run(self, acl, path, use_ntvfs=False, use_s3fs=False,
+            quiet=False, verbose=False, xattr_backend=None, eadb_file=None,
             credopts=None, sambaopts=None, versionopts=None,
-            service=None):
+            recursive=False, follow_symlinks=False, service=None):
         logger = self.get_logger()
         lp = sambaopts.get_loadparm()
         domain_sid = get_local_domain_sid(lp)
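Review bot: The help string of the new `--follow-symlinks` option does not say what it means together with `--recursive`: the walk added further down passes it as `followlinks` to `os.walk`, which then descends through every symlink in the tree, so a link pointing outside `<path>` makes the ACL set spill onto files elsewhere on the filesystem and a link to an ancestor directory recurses without bound. This command typically runs as root over share content, so the operator should see that caveat where the option is documented. Suggest `Option("--follow-symlinks", help="Follow symlinks (with --recursive this also applies the ACL to link targets outside <path> and may loop on cyclic links)", action="store_true")`. run()'s body continues in the next hunk.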
@@ -103,15 +107,41 @@ class cmd_ntacl_set(Command):
         elif use_s3fs:
             use_ntvfs = False
 
-        setntacl(lp,
-                 file,
-                 acl,
-                 str(domain_sid),
-                 system_session_unix(),
-                 xattr_backend,
-                 eadb_file,
-                 use_ntvfs=use_ntvfs,
-                 service=service)
+        def _setntacl_path(_path):
+            if not follow_symlinks and os.path.islink(_path):
+                if recursive:
+                    self.outf.write("ignored symlink: %s\n" % _path)
+                    return
+                raise CommandError("symlink: %s: requires --follow-symlinks" % 
(_path))
+
+            if verbose:
+                if os.path.islink(_path):
+                    self.outf.write("symlink: %s\n" % _path)
+                elif os.path.isdir(_path):
+                    self.outf.write("dir: %s\n" % _path)
+                else:
+                    self.outf.write("file: %s\n" % _path)
+            try:
+                return setntacl(lp,
+                                _path,
+                                acl,
+                                str(domain_sid),
+                                system_session_unix(),
+                                xattr_backend,
+                                eadb_file,
+                                use_ntvfs=use_ntvfs,
+                                service=service)
+            except Exception as e:
+                raise CommandError("Could not set acl for %s: %s" % (_path, e))
+
+        _setntacl_path(path)
+
+        if recursive and os.path.isdir(path):
+            for root, dirs, files in os.walk(path, 
followlinks=follow_symlinks):
+                for name in files:
+                    _setntacl_path(os.path.join(root, name))
+                for name in dirs:
+                    _setntacl_path(os.path.join(root, name))
 
         if use_ntvfs:
             logger.warning("Please note that POSIX permissions have NOT been 
changed, only the stored NT ACL")
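Review bot: When `<path>` itself is a symlink to a directory and `--recursive` is given without `--follow-symlinks`, `_setntacl_path(path)` prints "ignored symlink" and returns, but the following `if recursive and os.path.isdir(path)` is still true (isdir follows links) and `os.walk` opens that top path through the link, so every entry below the target gets the ACL anyway — the opposite of what the message claims. Guard the walk on the same condition: `if recursive and os.path.isdir(path) and (follow_symlinks or not os.path.islink(path)):`. The same top-level pattern is repeated in changedomsid below. Separately, `os.path.islink(_path)` is checked before `setntacl` acts on the same path, so a link swapped in between the two would be followed unless setntacl opens with O_NOFOLLOW, which is not visible here and worth confirming given the tool runs as root.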
@@ -234,12 +264,12 @@ class cmd_ntacl_changedomsid(Command):
             action="store_true"),
     ]
 
-    takes_args = ["old_domain_sid", "new_domain_sid", "file"]
+    takes_args = ["old_domain_sid", "new_domain_sid", "path"]
 
     def run(self,
             old_domain_sid_str,
             new_domain_sid_str,
-            file,
+            path,
             use_ntvfs=False,
             use_s3fs=False,
             service=None,
@@ -274,20 +304,31 @@ class cmd_ntacl_changedomsid(Command):
             raise CommandError("Could not parse old sid %s: %s" %
                                (new_domain_sid_str, e))
 
-        def changedom_sids(file):
+        def changedom_sids(_path):
+            if not follow_symlinks and os.path.islink(_path):
+                if recursive:
+                    self.outf.write("ignored symlink: %s\n" % _path)
+                    return
+                raise CommandError("symlink: %s: requires --follow-symlinks" % 
(_path))
+
             if verbose:
-                self.outf.write("file: %s\n" % file)
+                if os.path.islink(_path):
+                    self.outf.write("symlink: %s\n" % _path)
+                elif os.path.isdir(_path):
+                    self.outf.write("dir: %s\n" % _path)
+                else:
+                    self.outf.write("file: %s\n" % _path)
 
             try:
                 acl = getntacl(lp,
-                               file,
+                               _path,
                                system_session_unix(),
                                xattr_backend,
                                eadb_file,
                                direct_db_access=use_ntvfs,
                                service=service)
             except Exception as e:
-                raise CommandError("Could not get acl for %s: %s" % (file, e))
+                raise CommandError("Could not get acl for %s: %s" % (_path, e))
 
             orig_sddl = acl.as_sddl(domain_sid)
             if verbose:
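Review bot: The new symlink policy in `changedom_sids` (skip with a message under `--recursive`, fatal otherwise, and under `--follow-symlinks` label the entry `symlink:` even when it points at a directory because the ACL lands on the target) is not written down anywhere; a two-line comment above the `if not follow_symlinks and os.path.islink(_path):` guard stating exactly that would keep the next change from "fixing" it. Also, the context lines at the top of this hunk raise `CommandError("Could not parse old sid %s: %s" % (new_domain_sid_str, e))` — the text says "old" while formatting the new SID; if this is the handler for `new_domain_sid_str` (the `try` is outside the hunk) it should read `"Could not parse new sid %s: %s"`, otherwise the variable is the wrong one. `run()` starts and ends outside this hunk.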
@@ -320,7 +361,7 @@ class cmd_ntacl_changedomsid(Command):
 
             try:
                 setntacl(lp,
-                         file,
+                         _path,
                          acl,
                          new_domain_sid,
                          system_session_unix(),
@@ -329,19 +370,19 @@ class cmd_ntacl_changedomsid(Command):
                          use_ntvfs=use_ntvfs,
                          service=service)
             except Exception as e:
-                raise CommandError("Could not set acl for %s: %s" % (file, e))
+                raise CommandError("Could not set acl for %s: %s" % (_path, e))
 
-        def recursive_changedom_sids(file):
-            for root, dirs, files in os.walk(file, 
followlinks=follow_symlinks):
+        def recursive_changedom_sids(_path):
+            for root, dirs, files in os.walk(_path, 
followlinks=follow_symlinks):
                 for f in files:
                     changedom_sids(os.path.join(root, f))
 
                 for d in dirs:
                     changedom_sids(os.path.join(root, d))
 
-        changedom_sids(file)
-        if recursive and os.path.isdir(file):
-            recursive_changedom_sids(file)
+        changedom_sids(path)
+        if recursive and os.path.isdir(path):
+            recursive_changedom_sids(path)
 
         if use_ntvfs:
             logger.warning("Please note that POSIX permissions have NOT been "
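Review bot: `os.walk(_path, followlinks=follow_symlinks)` in `recursive_changedom_sids` is called without `onerror`, so a subdirectory that scandir cannot open (permission denied, I/O error) is silently skipped and the command exits successfully with part of the tree still carrying the old domain SID. For a tool whose purpose is a complete ACL rewrite that should be a hard failure: `def _walk_error(e): raise CommandError("Could not walk %s: %s" % (e.filename, e))` and pass `onerror=_walk_error` to `os.walk`. The `set --recursive` walk earlier in this file has the same gap. Note also that `changedom_sids(path)` ignores a top-level symlink but the following `os.path.isdir(path)` still recurses through it when `--follow-symlinks` is not given.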
diff --git a/python/samba/tests/krb5/s4u_tests.py 
b/python/samba/tests/krb5/s4u_tests.py
index 83ca06e4577..fbd32d00dd1 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -23,6 +23,7 @@ sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
 import functools
+import time
 
 from samba import dsdb, ntstatus
 from samba.dcerpc import krb5pac, lsa, security
@@ -37,6 +38,7 @@ from samba.tests.krb5.raw_testcase import (
 )
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
+    AD_IF_RELEVANT,
     ARCFOUR_HMAC_MD5,
     KDC_ERR_BADMATCH,
     KDC_ERR_BADOPTION,
@@ -49,7 +51,9 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_PA_ENC_TIMESTAMP,
     KU_AS_REP_ENC_PART,
     KU_TGS_REP_ENC_PART_SUB_KEY,
-    NT_PRINCIPAL
+    KU_TGS_REQ_AUTH_DAT_SESSION,
+    KU_TGS_REQ_AUTH_DAT_SUBKEY,
+    NT_PRINCIPAL,
 )
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 
@@ -559,6 +563,8 @@ class S4UKerberosTests(KDCBaseTest):
     def _run_delegation_test(self, kdc_dict):
         s4u2self = kdc_dict.pop('s4u2self', False)
 
+        authtime_delay = kdc_dict.pop('authtime_delay', 0)
+
         client_opts = kdc_dict.pop('client_opts', None)
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.USER,
@@ -598,6 +604,8 @@ class S4UKerberosTests(KDCBaseTest):
                 opts=service1_opts)
 
         service1_tgt = self.get_tgt(service1_creds)
+        self.assertElementPresent(service1_tgt.ticket_private, 'authtime')
+        service1_tgt_authtime = 
self.getElementValue(service1_tgt.ticket_private, 'authtime')
 
         client_username = client_creds.get_username()
         client_realm = client_creds.get_realm()
@@ -625,6 +633,8 @@ class S4UKerberosTests(KDCBaseTest):
                                          ARCFOUR_HMAC_MD5))
 
         if s4u2self:
+            self.assertEqual(authtime_delay, 0)
+
             def generate_s4u2self_padata(_kdc_exchange_dict,
                                          _callback_dict,
                                          req_body):
@@ -670,19 +680,32 @@ class S4UKerberosTests(KDCBaseTest):
 
             client_service_tkt = s4u2self_kdc_exchange_dict['rep_ticket_creds']
         else:
+            if authtime_delay != 0:
+                time.sleep(authtime_delay)
+                fresh = True
+            else:
+                fresh = False
+
             client_tgt = self.get_tgt(client_creds,
                                       kdc_options=client_tkt_options,
-                                      expected_flags=expected_flags)
+                                      expected_flags=expected_flags,
+                                      fresh=fresh)
             client_service_tkt = self.get_service_ticket(
                 client_tgt,
                 service1_creds,
                 kdc_options=client_tkt_options,
-                expected_flags=expected_flags)
+                expected_flags=expected_flags,
+                fresh=fresh)
 
         modify_client_tkt_fn = kdc_dict.pop('modify_client_tkt_fn', None)
         if modify_client_tkt_fn is not None:
             client_service_tkt = modify_client_tkt_fn(client_service_tkt)
 
+        self.assertElementPresent(client_service_tkt.ticket_private, 
'authtime')
+        expected_authtime = 
self.getElementValue(client_service_tkt.ticket_private, 'authtime')
+        if authtime_delay > 1:
+            self.assertNotEqual(expected_authtime, service1_tgt_authtime)
+
         additional_tickets = [client_service_tkt.ticket]
 
         modify_service_tgt_fn = kdc_dict.pop('modify_service_tgt_fn', None)
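Review bot: `if authtime_delay > 1: self.assertNotEqual(expected_authtime, service1_tgt_authtime)` silently skips the check for `authtime_delay == 1`, and the reason — KerberosTime carries whole seconds, so only a delay of two or more seconds guarantees the client ticket's authtime differs from service1's TGT — is not stated. A comment on the `if`, `# authtime is whole seconds; a 1s delay may still coincide, so only check for >= 2`, would save the next reader the trip. The `time.sleep(authtime_delay)` is the only sleep in the class; a note that it is deliberately producing a later authtime rather than waiting for anything would also help. `_run_delegation_test` starts and ends outside this hunk.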
@@ -722,7 +745,11 @@ class S4UKerberosTests(KDCBaseTest):
 
         pac_options = kdc_dict.pop('pac_options', None)
 
-        authenticator_subkey = self.RandomKey(Enctype.AES256)
+        use_authenticator_subkey = kdc_dict.pop('use_authenticator_subkey', 
True)
+        if use_authenticator_subkey:
+            authenticator_subkey = self.RandomKey(Enctype.AES256)
+        else:
+            authenticator_subkey = None
 
         expected_proxy_target = service2_creds.get_spn()
 
@@ -759,22 +786,65 @@ class S4UKerberosTests(KDCBaseTest):
             expected_transited_services=expected_transited_services,
             expect_pac=expect_pac)
 
+        EncAuthorizationData = kdc_dict.pop('enc-authorization-data', None)
+
+        if EncAuthorizationData is not None:
+            if authenticator_subkey is not None:
+                EncAuthorizationData_key = authenticator_subkey
+                EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY
+            else:
+                EncAuthorizationData_key = client_service_tkt.session_key
+                EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SESSION
+        else:
+            EncAuthorizationData_key = None
+            EncAuthorizationData_usage = None
+
         self._generic_kdc_exchange(kdc_exchange_dict,
                                    cname=None,
                                    realm=service2_realm,
                                    sname=service2_sname,
                                    etypes=etypes,
-                                   additional_tickets=additional_tickets)
+                                   additional_tickets=additional_tickets,
+                                   EncAuthorizationData=EncAuthorizationData,
+                                   
EncAuthorizationData_key=EncAuthorizationData_key,
+                                   
EncAuthorizationData_usage=EncAuthorizationData_usage)
 
         if not expected_error_mode:
             # Check whether the ticket contains a PAC.
             ticket = kdc_exchange_dict['rep_ticket_creds']
+            self.assertElementEqual(ticket.ticket_private, 'authtime', 
expected_authtime)
             pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
+            ticket_auth_data = ticket.ticket_private.get('authorization-data')
+            expected_num_ticket_auth_data = 0
             if expect_pac:
                 self.assertIsNotNone(pac)
+                expected_num_ticket_auth_data += 1
             else:
                 self.assertIsNone(pac)
 
+            if EncAuthorizationData is not None:
+                expected_num_ticket_auth_data += len(EncAuthorizationData)
+
+            if expected_num_ticket_auth_data == 0:
+                self.assertIsNone(ticket_auth_data)
+            else:
+                self.assertIsNotNone(ticket_auth_data)
+                self.assertEqual(len(ticket_auth_data),
+                        expected_num_ticket_auth_data)
+
+                if EncAuthorizationData is not None:
+                    enc_ad_plain = self.der_encode(
+                        EncAuthorizationData,
+                        asn1Spec=krb5_asn1.AuthorizationData())
+                    req_EncAuthorizationData = self.der_decode(
+                        enc_ad_plain,
+                        asn1Spec=krb5_asn1.AuthorizationData())
+
+                    rep_EncAuthorizationData = ticket_auth_data.copy()
+                    if expect_pac:
+                        rep_EncAuthorizationData.pop(0)
+                    self.assertEqual(rep_EncAuthorizationData, 
req_EncAuthorizationData)
+
         # Ensure we used all the parameters given to us.
         self.assertEqual({}, kdc_dict)
 
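Review bot: `rep_EncAuthorizationData.pop(0)` assumes the PAC is the first element of the returned authorization-data whenever `expect_pac` is set, and if the KDC orders the elements otherwise the subsequent `assertEqual` fails with an unhelpful list diff. Assert what is being dropped before dropping it — presumably something like `self.assertEqual(AD_IF_RELEVANT, rep_EncAuthorizationData[0]['ad-type'])` (field naming to be confirmed against the pyasn1 spec) — so a reordering fails with a clear message. A short comment that this block verifies the KDC carries client-supplied EncAuthorizationData into the S4U2Proxy ticket intact, whether it was encrypted under the authenticator subkey or the ticket session key, would make the purpose of the DER round-trip obvious. The enclosing method continues outside the hunk.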
@@ -793,6 +863,52 @@ class S4UKerberosTests(KDCBaseTest):
                 'allow_delegation': True
             })
 
+    def test_constrained_delegation_authtime(self):
+        # Test constrained delegation.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                'authtime_delay': 2,
+            })
+
+    def test_constrained_delegation_with_enc_auth_data_subkey(self):
+        # Test constrained delegation.
+        EncAuthorizationData = []
+        relevant_elems = []
+        auth_data777 = self.AuthorizationData_create(777, 
b'AuthorizationData777')
+        relevant_elems.append(auth_data777)
+        auth_data999 = self.AuthorizationData_create(999, 
b'AuthorizationData999')
+        relevant_elems.append(auth_data999)
+        ad_relevant = self.der_encode(relevant_elems, 
asn1Spec=krb5_asn1.AD_IF_RELEVANT())
+        ad_data = self.AuthorizationData_create(AD_IF_RELEVANT, ad_relevant)
+        EncAuthorizationData.append(ad_data)
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                'enc-authorization-data': EncAuthorizationData,
+            })
+
+    def test_constrained_delegation_with_enc_auth_data_no_subkey(self):
+        # Test constrained delegation.
+        EncAuthorizationData = []
+        relevant_elems = []
+        auth_data777 = self.AuthorizationData_create(777, 
b'AuthorizationData777')
+        relevant_elems.append(auth_data777)
+        auth_data999 = self.AuthorizationData_create(999, 
b'AuthorizationData999')
+        relevant_elems.append(auth_data999)
+        ad_relevant = self.der_encode(relevant_elems, 
asn1Spec=krb5_asn1.AD_IF_RELEVANT())
+        ad_data = self.AuthorizationData_create(AD_IF_RELEVANT, ad_relevant)
+        EncAuthorizationData.append(ad_data)
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                'enc-authorization-data': EncAuthorizationData,
+                'use_authenticator_subkey': False,
+            })
+
     def test_constrained_delegation_authentication_asserted_identity(self):
         # Test constrained delegation and check asserted identity is the
         # authentication authority. Note that we should always find this
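Review bot: `test_constrained_delegation_with_enc_auth_data_subkey` and `..._no_subkey` build the identical `EncAuthorizationData` list line for line; pulling that into a small helper such as `_make_enc_auth_data(self)` returning the list would leave `'use_authenticator_subkey': False` as the only visible difference between the two tests. All three new tests also carry the same comment `# Test constrained delegation.`, which says nothing about what distinguishes them; replace it with one line each, e.g. `# authtime must come from the evidence ticket, not service1's TGT (bug 13137)` and `# EncAuthorizationData encrypted under the subkey / session key must survive into the proxy ticket (bug 13131)`, matching the bug references in the commit messages.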
diff --git a/source3/modules/vfs_aio_pthread.c 
b/source3/modules/vfs_aio_pthread.c
index 5d051b4f7da..428ae5f2a4c 100644
--- a/source3/modules/vfs_aio_pthread.c
+++ b/source3/modules/vfs_aio_pthread.c
@@ -468,6 +468,13 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle,
                return -1;
        }
 
+       if (fsp->conn->sconn->pool == NULL) {
+               /*
+                * a threadpool is required for async support
+                */
+               aio_allow_open = false;
+       }
+
        if (fsp->conn->sconn->client->server_multi_channel_enabled) {
                /*
                 * This module is not compatible with multi channel yet.
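Review bot: The new guard's comment says only that a threadpool is required, not when `sconn->pool` can be NULL; the commit message attributes it to `samba-tool ntacl sysvolreset` driving the VFS stack outside smbd, and that is what a future reader needs to know. Suggest `/* No threadpool (e.g. the VFS used from samba-tool ntacl sysvolreset, outside smbd): async open is impossible, fall through to the sync path. */`. `aio_pthread_openat_fn` starts and ends outside this hunk, so whether clearing `aio_allow_open` is all the remaining code needs for a safe fallback is not visible here.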
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 51b5e1ac4f6..235d87266fd 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -826,7 +826,7 @@ 
plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client",
 plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", 
"ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', 
'$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23'])
 plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", 
"ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', 
'$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", 
"ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', 
'$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
-plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", 
"ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', 
'$DOMSID'])
+plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", 
"ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', 
'$DOMSID', configuration])
 
 env = "ad_member:local"
 plantestsuite("samba4.blackbox.net_ads_search_server_P.primary", env,
diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh 
b/testprogs/blackbox/test_samba-tool_ntacl.sh
index 24589729791..1571b1a72c5 100755
--- a/testprogs/blackbox/test_samba-tool_ntacl.sh
+++ b/testprogs/blackbox/test_samba-tool_ntacl.sh
@@ -2,20 +2,28 @@
 # Blackbox tests for samba-tool ntacl get/set on member server
 # Copyright (C) 2018 Björn Baumbach <b...@sernet.de>
 
-if [ $# -ne 2 ]; then
-       echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID"
+if [ $# -ne 3 ]; then
+       echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID CONFIGURATION"
        exit 1
 fi
 
+set -u
+set -e
+
 PREFIX=$1
 domain_sid=$2
+CONFIGURATION=$3
 
 failed=0
 
 samba4bindir="$BINDIR"
 samba_tool="$samba4bindir/samba-tool"
 
-testfile="$PREFIX/ntacl_testfile"
+testdirtop="$PREFIX/ntacl_testdirtop"
+testfile="$testdirtop/testfile"
+testdir1="$testdirtop/dir1"
+testdir1f="$testdirtop/dir1/file"
+testdir1l="$testdirtop/dir1/symlink"
 
 # acl from samba_tool/ntacl.py tests
 
acl="O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
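Review bot: `set -e` is enabled in a harness that tallies results in `failed` and presumably reports them at the end; any check that runs a failing command outside an `if`/`||`/`&&` context now aborts the script before the tally, so every assertion must go through a helper that evaluates its command in a condition (the helper is outside this hunk — confirm). If the script creates `$testdirtop` and removes it at the end, an early abort also leaves the tree behind; `trap 'rm -rf -- "${testdirtop:?}"' EXIT` right after `testdirtop=` is assigned keeps the cleanup on every exit path.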
@@ -31,8 +39,9 @@ test_get_acl()
 {
        testfile="$1"
        exptextedacl="$2"
+       shift 2
 
-       retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl) || return 
$?
+       retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl "$@") || 
return $?
 
        test "$retacl" = "$exptextedacl"
 }
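Review bot: `testfile="$1"` inside `test_get_acl` is not `local`, so each call overwrites the script-level `testfile="$testdirtop/testfile"` set earlier in this file; once the function is called for `$testdir1f` or a directory, any later bare use of `$testfile` would target the last argument instead. Make the assignments local — `local testfile="$1"`, `local exptextedacl="$2"` and `local retacl` — which works in bash and dash alike. The `shift 2` / `"$@"` pass-through is fine, but the `retacl=$(...) || return $?` now relies on the `||` to keep a failing `samba-tool` from tripping `set -e` and aborting the whole script; a one-line comment saying so would stop someone from "simplifying" it.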
@@ -41,8 +50,9 @@ test_set_acl()
 {


-- 
Samba Shared Repository
