The branch, v4-18-test has been updated
       via  cbbfc917b96 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
       via  f967b91da76 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
       via  edac27f5408 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
       via  74a508b39e6 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
       via  46a168c9a89 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
       via  e884fc791e5 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
       via  8e33532980d gitignore: add WAF lockfile
       via  acf4286fbed build: Add 'make printversion' to provide version string
      from  653984f4a6d ctdb-daemon: Call setproctitle_init()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test


- Log -----------------------------------------------------------------
commit cbbfc917b9635bc62825ea64a157028297f54fb7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 29 23:35:31 2016 +0100

    CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)

    Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-18-test): Mon Oct 23 09:52:22 UTC 2023 on atb-devel-224

commit f967b91da76f86a9feb4c1469fccfce93be8bc79
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 7 18:18:58 2023 +0200

    CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)

commit edac27f5408191567233983562091484ebbbad0a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jun 26 15:14:24 2023 +0200

    CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()

    This makes the next change easier to understand.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)

commit 74a508b39e6fd5036a2adc99d559bd3852f8ce8d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 29 23:34:15 2016 +0100

    CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container

    This revealed a bug in our dirsync code, so we mark
    test_search_with_dirsync_deleted_objects as knownfail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)

commit 46a168c9a89e82ccaf8d27669d1ae5459f7becb9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 29 23:33:37 2016 +0100

    CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)

commit e884fc791e59bd6ebd41b4a2ab7c9d7dc45415f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 29 23:30:59 2016 +0100

    CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()

    samba-tool drs clone-dc-database was quite useful to find
    the true value of nTSecurityDescriptor of the CN=Delete Objects
    containers.

    Only the auto inherited SACL is available via a ldap search.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)

commit 8e33532980d9b4b16520a5092336bd86f882e0f5
Author: Michael Adam <ob...@samba.org>
Date:   Mon Oct 16 19:04:55 2023 +0200

    gitignore: add WAF lockfile

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Christof Schmitt <christof.schm...@us.ibm.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224 (cherry picked from commit 310629508bfbedecfab9b653b7cba0282f5c0e8b) commit acf4286fbed5014af58a7fcf0055b1b80f00705d Author: Christof Schmitt <christof.schm...@us.ibm.com> Date: Thu Sep 12 16:11:34 2013 -0700 build: Add 'make printversion' to provide version string BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497 Signed-off-by: Christof Schmitt <christof.schm...@us.ibm.com> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a) ----------------------------------------------------------------------- Summary of changes: .gitignore | 1 + Makefile | 4 ++ python/samba/dbchecker.py | 27 +++++++++-- python/samba/descriptor.py | 25 +++++++++- python/samba/provision/__init__.py | 5 ++ python/samba/provision/sambadns.py | 4 ++ selftest/knownfail.d/samba4.ldap.confidential_attr | 1 + source4/dsdb/samdb/ldb_modules/dirsync.c | 53 ++-------------------- ...eck-link-output-missing-link-sid-corruption.txt | 8 ++-- .../expected-links-after-dbcheck.ldif | 2 +- .../release-4-5-0-pre1/rootdse-version.final.txt | 2 +- source4/setup/provision.ldif | 1 + source4/setup/provision_configuration.ldif | 1 + source4/setup/provision_dnszones_add.ldif | 1 + testprogs/blackbox/dbcheck-links.sh | 12 +++++ wscript | 5 ++ 16 files changed, 92 insertions(+), 60 deletions(-) create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr Changeset truncated at 500 lines: diff --git a/.gitignore b/.gitignore index de3feaabf28..9a663e2a065 100644 --- a/.gitignore +++ b/.gitignore @@ -88,3 +88,4 @@ compile_commands.json .clangd/ .cache/ .ropeproject/ +.tmplock diff --git a/Makefile b/Makefile index 7f5960d5191..dbb9fcdf1c3 100644 --- a/Makefile 
+++ b/Makefile @@ -67,6 +67,10 @@ distcheck: touch .tmplock WAFLOCK=.tmplock $(WAF) distcheck +printversion: + touch .tmplock + WAFLOCK=.tmplock $(WAF) printversion + clean: $(WAF) clean diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py index c9341f6500c..d5bb8a5a1fc 100644 --- a/python/samba/dbchecker.py +++ b/python/samba/dbchecker.py @@ -20,7 +20,7 @@ import ldb import samba import time -from base64 import b64decode +from base64 import b64decode, b64encode from samba import dsdb from samba import common from samba.dcerpc import misc @@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack from samba.dcerpc import drsblobs from samba.samdb import dsdb_Dn from samba.dcerpc import security -from samba.descriptor import get_wellknown_sds, get_diff_sds +from samba.descriptor import ( + get_wellknown_sds, + get_deletedobjects_descriptor, + get_diff_sds +) from samba.auth import system_session, admin_session from samba.netcmd import CommandError from samba.netcmd.fsmo import get_fsmo_roleowner @@ -351,6 +355,12 @@ class dbcheck(object): listwko.append('%s:%s' % (wko_prefix, dn)) guid_suffix = "" + + domain_sid = security.dom_sid(self.samdb.get_domain_sid()) + sec_desc = get_deletedobjects_descriptor(domain_sid, + name_map=self.name_map) + sec_desc_b64 = b64encode(sec_desc).decode('utf8') + # Insert a brand new Deleted Objects container self.samdb.add_ldif("""dn: %s objectClass: top @@ -359,7 +369,8 @@ description: Container for deleted objects isDeleted: TRUE isCriticalSystemObject: TRUE showInAdvancedViewOnly: TRUE -systemFlags: -1946157056%s""" % (dn, guid_suffix), +nTSecurityDescriptor:: %s +systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix), controls=["relax:0", "provision:0"]) delta = ldb.Message() 
@@ -2458,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) error_count += 1 continue - if self.reset_well_known_acls: + if dn == deleted_objects_dn or self.reset_well_known_acls: try: well_known_sd = self.get_wellknown_sd(dn) except KeyError: @@ -2467,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) current_sd = ndr_unpack(security.descriptor, obj[attrname][0]) - diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid())) + ignoreAdditionalACEs = False + if not self.reset_well_known_acls: + ignoreAdditionalACEs = True + + diff = get_diff_sds(well_known_sd, current_sd, + security.dom_sid(self.samdb.get_domain_sid()), + ignoreAdditionalACEs=ignoreAdditionalACEs) if diff != "": self.err_wrong_default_sd(dn, well_known_sd, diff) error_count += 1 diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index ac4c7e3273d..34877fa4814 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}): # "get_schema_descriptor" is located in "schema.py" +def get_deletedobjects_descriptor(domain_sid, name_map=None): + if name_map is None: + name_map = {} + + sddl = "O:SYG:SYD:PAI" \ + "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \ + "(A;;RPLC;;;BA)" + return sddl2binary(sddl, domain_sid, name_map) + + def get_config_descriptor(domain_sid, name_map={}): sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ 
@@ -407,6 +417,7 @@ def get_wellknown_sds(samdb): # Then subcontainers subcontainers = [ (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor), + (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor), (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor), (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor), (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor), @@ -417,6 +428,7 @@ def get_wellknown_sds(samdb): (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor), (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor), + (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor), (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor), (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor), @@ -441,6 +453,9 @@ def get_wellknown_sds(samdb): if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn: c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)), + get_deletedobjects_descriptor) + subcontainers.append(c) c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) 
@@ -456,6 +471,9 @@ def get_wellknown_sds(samdb): if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn: c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)), + get_deletedobjects_descriptor) + subcontainers.append(c) c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) @@ -548,7 +566,8 @@ def get_clean_sd(sd): return sd_clean -def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): +def get_diff_sds(refsd, cursd, domainsid, checkSacl=True, + ignoreAdditionalACEs=False): """Get the difference between 2 sd This function split the textual representation of ACL into smaller @@ -603,6 +622,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): h_ref.remove(k) if len(h_cur) + len(h_ref) > 0: + if txt == "" and len(h_ref) == 0: + if ignoreAdditionalACEs: + return "" + txt = "%s\tPart %s is different between reference" \ " and current here is the detail:\n" % (txt, part) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index ff9b8fac916..f7d7468e4fa 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -78,6 +78,7 @@ from samba.provision.backend import ( LDBBackend, ) from samba.descriptor import ( + get_deletedobjects_descriptor, get_empty_descriptor, get_config_descriptor, get_config_partitions_descriptor, @@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid, msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD, "subRefs") + deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8') + samdb.invocation_id = invocationid # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it 
@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, + "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, "SERVICES_DESCRIPTOR": protected1_descr, "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, @@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, "RIDAVAILABLESTART": str(next_rid + 600), "POLICYGUID_DC": policyguid_dc, "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, + "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, "SYSTEM_DESCRIPTOR": system_desc, "BUILTIN_DESCRIPTOR": builtin_desc, diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index 9184711a764..d057b7830ad 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -42,6 +42,7 @@ from samba.dsdb import ( DS_GUID_USERS_CONTAINER ) from samba.descriptor import ( + get_deletedobjects_descriptor, get_domain_descriptor, get_domain_delete_protected1_descriptor, get_domain_delete_protected2_descriptor, @@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, domainzone_dn = "DC=DomainDnsZones,%s" % domaindn forestzone_dn = "DC=ForestDnsZones,%s" % forestdn descriptor = get_dns_partition_descriptor(domainsid) + deletedobjects_desc = get_deletedobjects_descriptor(domainsid) setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { "ZONE_DN": domainzone_dn, 
@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, "ZONE_DNS": domainzone_dns, "CONFIGDN": configdn, "SERVERDN": serverdn, + "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), }) @@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, "ZONE_DNS": forestzone_dns, "CONFIGDN": configdn, "SERVERDN": serverdn, + "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), }) diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr new file mode 100644 index 00000000000..46a75ce928b --- /dev/null +++ b/selftest/knownfail.d/samba4.ldap.confidential_attr @@ -0,0 +1 @@ +^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c index fbb75790095..124cff25e39 100644 --- a/source4/dsdb/samdb/ldb_modules/dirsync.c +++ b/source4/dsdb/samdb/ldb_modules/dirsync.c @@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req, * list only the attribute that have been modified since last interogation * */ - newmsg = ldb_msg_new(dsc->req); - if (newmsg == NULL) { - return ldb_oom(ldb); - } for (i = msg->num_elements - 1; i >= 0; i--) { if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) { int error = 0; 
@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req, */ return LDB_SUCCESS; } - newmsg->dn = ldb_dn_new(newmsg, ldb, ""); - if (newmsg->dn == NULL) { - return ldb_oom(ldb); - } - el = ldb_msg_find_element(msg, "objectGUID"); if ( el != NULL) { guidfound = true; @@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req, * well will uncomment the code bellow */ SMB_ASSERT(guidfound == true); - /* - if (guidfound == false) { - struct GUID guid; - struct ldb_val *new_val; - DATA_BLOB guid_blob; - - tmp[0] = '\0'; - txt = strrchr(txt, ':'); - if (txt == NULL) { - return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - txt++; - - status = GUID_from_string(txt, &guid); - if (!NT_STATUS_IS_OK(status)) { - return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - - status = GUID_to_ndr_blob(&guid, msg, &guid_blob); - if (!NT_STATUS_IS_OK(status)) { - return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - - new_val = talloc(msg, struct ldb_val); - if (new_val == NULL) { - return ldb_oom(ldb); - } - new_val->data = talloc_steal(new_val, guid_blob.data); - new_val->length = guid_blob.length; - if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) { - return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - } - */ - ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD); - talloc_steal(newmsg->elements, el->name); - talloc_steal(newmsg->elements, el->values); - - talloc_steal(newmsg->elements, msg); return ldb_module_send_entry(dsc->req, msg, controls); } + newmsg = ldb_msg_new(dsc->req); + if (newmsg == NULL) { + return ldb_oom(ldb); + } + ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd, (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt index 34576157f25..a8b65384910 100644 --- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt 
@@ -1,8 +1,8 @@ -Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] -Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] +Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES] +Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? 
[YES] Checked 231 objects (2 errors) Checking 231 objects -ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp -ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3773>;<RMD_ORIGINATING_USN=3773>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp +ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3772>;<RMD_ORIGINATING_USN=3772>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp Fixed missing DN SID on attribute member Fixed missing DN SID on attribute member 
diff --git a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif index 9ac86fcf1ee..86ff44ea224 100644 --- a/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif +++ b/source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif @@ -1381,7 +1381,7 @@ uSNChanged: 3597 dn: CN=Deleted Objects,DC=release-4-5-0-pre1,DC=samba,DC=corp objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=release-4-5-0-pre1, DC=samba,DC=corp -uSNChanged: 3377 +uSNChanged: 3750 # record 215 dn: CN=ForeignSecurityPrincipals,DC=release-4-5-0-pre1,DC=samba,DC=corp diff --git a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt index 0028f9b6e4a..7ed468b6c0c 100644 --- a/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt +++ b/source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt @@ -1 +1 @@ -highestCommittedUSN: 3746 +highestCommittedUSN: 3750 diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 5d9eba49f86..7f966fd57f8 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -34,6 +34,7 @@ isDeleted: TRUE isCriticalSystemObject: TRUE showInAdvancedViewOnly: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} # Computers located in "provision_computers*.ldif" # Users/Groups located in "provision_users*.ldif" diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 53c9c8536de..8fcbddbdae4 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif 
@@ -14,6 +14,7 @@ description: Container for deleted objects isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} # Extended rights diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif index 860aa4b72b3..a2d6b6bab8f 100644 --- a/source4/setup/provision_dnszones_add.ldif +++ b/source4/setup/provision_dnszones_add.ldif @@ -8,6 +8,7 @@ description: Deleted objects isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} dn: CN=LostAndFound,${ZONE_DN} objectClass: top diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh index aaf93a8cc48..63ad8dbce44 100755 --- a/testprogs/blackbox/dbcheck-links.sh +++ b/testprogs/blackbox/dbcheck-links.sh @@ -59,6 +59,16 @@ dbcheck() fi } +dbcheck_acl_reset() +{ + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor +} + +dbcheck_acl_clean() +{ + $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor +} + dbcheck_dangling() { dbcheck "" "1" "--selftest-check-expired-tombstones" @@ -925,6 +935,8 @@ EOF remove_directory $PREFIX_ABS/${RELEASE} testit $RELEASE undump || failed=$(expr $failed + 1) +testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) +testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1) testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) diff --git a/wscript b/wscript index 08995fbe4ec..b87b043e12b 100644 --- a/wscript +++ b/wscript 
@@ -542,6 +542,11 @@ def distcheck(): '''test that distribution tarball builds and installs''' samba_version.load_version(env=None) +def printversion(ctx): + '''print version''' + ver = samba_version.load_version(env=None) + print('Samba Version: ' + ver.STRING_WITH_NICKNAME) + def wildcard_cmd(cmd): '''called on a unknown command''' from samba_wildcard import run_named_build_task -- Samba Shared Repository
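
Review bot: in python/samba/dbchecker.py, hunk @@ -2467, the three lines that set ignoreAdditionalACEs before the get_diff_sds() call reduce to ignoreAdditionalACEs = not self.reset_well_known_acls, which also makes the intent readable at a glance. The hunk just above now runs this comparison whenever dn == deleted_objects_dn, even without reset_well_known_acls, while get_wellknown_sds() in this same patch registers CN=Deleted Objects under the domain, the configuration partition and both DNS partitions. The definition of deleted_objects_dn is not part of the visible context, so a short comment here saying which of those containers it matches would let a reader confirm that every one of them is checked by default.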
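
Review bot: get_deletedobjects_descriptor() in python/samba/descriptor.py, hunk @@ -52, has no docstring or comment for a security-relevant constant. The SDDL sets owner and group to SY, marks the DACL as protected and auto-inherited (D:PAI), gives SY the full right set and gives BA only RPLC; anything broader on this container exposes deleted objects to readers who should not see them. The commit message says the true value was found with samba-tool drs clone-dc-database, so recording that origin next to the string would tell the next editor why the ACE list must not be widened.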
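
Review bot: in python/samba/descriptor.py, get_diff_sds(), hunk @@ -603, the new return "" under ignoreAdditionalACEs leaves the whole function as soon as one part has only extra ACEs in the current descriptor. The message built directly below it is per part ("Part %s is different"), so if this block runs once per part, any part that comes later is never compared and a reference ACE missing there would go unreported. Skipping only the current part would keep the remaining parts checked. The two nested ifs can be one condition, and the docstring in the @@ -548 hunk should say what ignoreAdditionalACEs does, since it weakens the comparison.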
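
Review bot: selftest/knownfail.d/samba4.ldap.confidential_attr adds test_search_with_dirsync_deleted_objects as a known failure with nothing in the file saying why. The commit message attributes the failure to a dirsync bug revealed by the corrected descriptor, and the test belongs to the confidential_attr suite, so a silently accepted failure here can hide a later regression in what dirsync discloses. A comment line with the bug URL (https://bugzilla.samba.org/show_bug.cgi?id=13595) and the condition for removing the entry would keep it from becoming permanent.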
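
Review bot: in source4/dsdb/samdb/ldb_modules/dirsync.c, hunk @@ -216, the context comment ending "well will uncomment the code bellow" is left in place above SMB_ASSERT(guidfound == true) although this hunk deletes the commented-out block it refers to. Reword or drop that sentence so the comment matches what the function now does. Moving the ldb_msg_new() call below the early return is fine as shown, since the deleted lines were the only users of newmsg on that path.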
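
Review bot: in testprogs/blackbox/dbcheck-links.sh, hunk @@ -925, testit_expect_failure "dbcheck_acl_reset" only asserts that the --fix run does not succeed, so it cannot tell "the Deleted Objects descriptor was wrong and was fixed" from an unrelated dbcheck failure; only the following dbcheck_acl_clean run pins the outcome. Checking the output of the reset run for the CN=Deleted Objects DN would make the test specific to this fix. In both new helpers the tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb argument is unquoted and would split on a prefix path containing spaces.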