The branch, v4-21-stable has been updated
       via  654d41a19c2 VERSION: Disable GIT_SNAPSHOT for the 4.21.1 release.
       via  e0b16a96d50 WHATSNEW: Add release notes for Samba 4.21.1.
       via  84c6a02adc4 s3:smbd: avoid false positives for got_oplock and have_other_lease in delay_for_oplock_fn
       via  bd13b39b6de s3:smbd: allow reset_share_mode_entry() to handle more than one durable handle
       via  fb406446b95 s3:smbd: let durable_reconnect_fn already check for a disconnected handle with the correct file_id
       via  da144e3cf5c s4:torture/smb2: add smb2.durable-v2-open.{keep,purge}-disconnected-* tests
       via  710dc5dca50 s4:torture/smb2: add smb2.durable-v2-open.{[non]stat[RH]-and,two-same,two-different}-lease
       via  97542f40947 s3:smbd: only store durable handles with byte range locks when having WRITE lease
       via  ceb5bbc7e30 s4:torture/smb2: add smb2.durable-v2-open.lock-{oplock,lease,noW-lease}
       via  1d97e7cc2cf s4:torture/smb2: add smb2.durable-open.lock-noW-lease
       via  7d158ba707f s4:torture/smb2: improve error handling in durable_v2_open.c
       via  706b26c88b5 s4:torture/smb2: improve error handling in durable_open.c
       via  66a21e46d0b system_mitkrb5: require 1.16 as we use ENCTYPE_AES256_CTS_HMAC_SHA384_192
       via  aca7b7b44b7 netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7) seconds
       via  bbfc736f268 s3: SIGHUP handlers use consistent log level 3
       via  8fa36e029bd shadow_copy2: Ignore VFS_OPEN_HOW_WITH_BACKUP_INTENT
       via  f36c7d623ba s4:lib/messaging: fix interaction between imessaging_reinit and irpc_destructor
       via  0b3e0bc2920 ldb: Build lmdb backend also in non-AD case
       via  aabaf6aaf55 lib:ldb: Document environment variables in ldb manpage
       via  a56ce559eb1 lib:ldb: Remove trailing spaces from ldb.3.xml
       via  c9463d6dc98 lib:ldb: Don't use RTLD_DEEPBIND by default
       via  a4cc81cc2f2 lib:ldb: Remove trailing spaces from ldb_modules.c
       via  d42fa9251f9 smbd: remove just created sharemode entry in the error codepaths
       via  923d52f9033 smbd: consolidate DH reconnect failure code
       via  87ead9aec51 s3:tests: let test_durable_handle_reconnect.sh run smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
       via  8fd281aff73 s4:torture/smb2: add smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
       via  bb7be26b5dc vfs_error_inject: add 'error_inject:durable_reconnect = st_ex_nlink'
       via  acf50a3abfb smbd: add option "smbd:debug events" for tevent handling duration threshold warnings
       via  41f1b054ca0 smbd: move trace_state variable behind tv variable
       via  62309ed5907 smbd: add option "smbd lease break:debug hung procs"
       via  1d930df5404 smbd: log share_mode_watch_recv() errors as errors
       via  f4b1210f958 s3/lib: add option "serverid watch:debug script"
       via  1f6fc1ba3b5 s3/lib: add option "serverid watch:debug = yes" to print kernel stack of hanging process
       via  ae157ab2729 s3/lib: add next helper variable in server_id_watch_*
       via  4bec0a7fd10 s3:utils: use the correct secrets.tdb in net_use_krb_machine_account()
       via  d583d40ca32 s3:utils: let 'net ads testjoin' fail without valid machine credentials
       via  52772aed8b4 s3:test_update_keytab_clustered: add net ads testjoin checks in more places
       via  0ed55bfe082 sync machine password to keytab: handle FreeIPA use case
       via  505f48fff98 smbd: use metadata_fsp(fsp) in copy_access_posix_acl() for SMB_VFS_SYS_ACL_SET_FD
       via  882eadc3855 smbtorture: test creating stream doesn't crash when using "inherit permissions = yes"
       via  ed84c6e9457 VERSION: Bump version up to Samba 4.21.1...
      from  1c7d4b5b388 VERSION: Disable GIT_SNAPSHOT for the 4.21.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 72 +
 .../security/syncmachinepasswordtokeytab.xml | 29 +-
 lib/ldb/common/ldb_modules.c | 55 +-
 lib/ldb/man/ldb.3.xml | 23 +-
 lib/ldb/wscript | 22 +-
 python/samba/netcmd/domain/auth/policy/policy.py | 18 +-
 .../samba/tests/samba_tool/domain_auth_policy.py | 19 +-
 selftest/knownfail | 1 -
 selftest/knownfail.d/smb2.durable-v2-open.bug15708 | 7 +
 selftest/selftest.pl | 6 -
 selftest/skip | 1 +
 selftest/target/Samba3.pm | 5 +
 selftest/wscript | 5 +-
 source3/lib/server_id_watch.c | 129 +-
 source3/libads/kerberos_keytab.c | 5 +
 source3/locking/share_mode_lock.c | 315 +-
 source3/modules/vfs_error_inject.c | 76 +
 source3/modules/vfs_shadow_copy2.c | 2 +-
 source3/printing/queue_process.c | 2 +-
 .../script/tests/test_durable_handle_reconnect.sh | 18 +
 .../script/tests/test_update_keytab_clustered.sh | 16 +-
 source3/selftest/tests.py | 2 +
 source3/smbd/durable.c | 185 +-
 source3/smbd/open.c | 141 +-
 source3/smbd/posix_acls.c | 4 +-
 source3/smbd/server.c | 2 +-
 source3/smbd/smb2_process.c | 74 +-
 source3/utils/net.c | 8 +
 source3/utils/net_ads.c | 6 +
 source3/utils/net_util.c | 6 +-
 source3/utils/testparm.c | 3 +-
 source3/winbindd/winbindd_dual.c | 2 +-
 source4/lib/messaging/messaging.c | 9 +
 source4/torture/smb2/durable_open.c | 136 +-
 source4/torture/smb2/durable_v2_open.c | 3412 +++++++++++++++++++-
 source4/torture/smb2/smb2.c | 4 +
 source4/torture/smb2/streams.c | 73 +
 wscript_configure_system_mitkrb5 | 2 +-
 39 files changed, 4467 insertions(+), 430 deletions(-)
 create mode 100644 selftest/knownfail.d/smb2.durable-v2-open.bug15708

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index f1ea62151ca..5ccd19a89c2 100644 --- a/VERSION +++ b/VERSION 
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=21 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 1e921100f80..e6db953bedc 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,75 @@ + ============================== + Release Notes for Samba 4.21.1 + October 14, 2024 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. + + +Changes since 4.21.0 +-------------------- + +o Ralph Boehme <s...@samba.org> + * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. + * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default + when creating a stream. + +o Alexander Bokovoy <a...@samba.org> + * BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration. + +o Andréas Leroux <aler...@tranquil.it> + * BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS- + ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool + domain auth policy modify". + +o Stefan Metzmacher <me...@samba.org> + * BUG 15280: irpc_destructor may crash during shutdown. + * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. + * BUG 15649: Durable handle is not granted when a previous OPEN exists with + NoOplock. + * BUG 15651: Durable handle is granted but reconnect fails. + * BUG 15708: Disconnected durable handles with RH lease should not be purged + by a new non conflicting open. + * BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in + a cluster. + * BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc + 8009 etypes are used. + +o Christof Schmitt <c...@samba.org> + * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2. + +o Andreas Schneider <a...@samba.org> + * BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup. + * BUG 15721: Cannot build libldb lmdb backend on a build without AD DC. + +o Jones Syue <joness...@qnap.com> + * BUG 15706: Consistent log level for sighup handler. 
+ + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.21.0 September 02, 2024 diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml index 4cad9da73f2..f7dc30023d4 100644 --- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml @@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password </para> <para> -The option takes a list of keytab strings. Each string has this form: +The option takes a list of keytab strings to describe how to synchronize +content of those keytabs or a single 'disabled' value to disable the +synchronization. + +Each string has this form: <programlisting> absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] </programlisting> 
@@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. </para> <para> -If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> -where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/> +If no value is present and <smbconfoption name="kerberos method"/> is different from +'secrets only', the behavior differs between winbind and net utility: +</para> +<itemizedlist> + <listitem> + <para><userinput>winbind</userinput> uses value + <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> + where the path to the keytab is obtained either from the krb5 library or from + <smbconfoption name="dedicated keytab file"/>. + </para> + </listitem> + <listitem> + <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para> + </listitem> + <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem> +</itemizedlist> + +<para> +If a single value 'disabled' is present, the synchronization process is +disabled. This is required for FreeIPA domain member setup where keytab +synchronization uses a protocol not implemented by Samba. </para> <para> diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c index b5627b0d04f..08d251f9bdd 100644 --- a/lib/ldb/common/ldb_modules.c +++ b/lib/ldb/common/ldb_modules.c 
@@ -631,9 +631,9 @@ int ldb_next_start_trans(struct ldb_module *module) /* Set a default error string, to place the blame somewhere */ ldb_asprintf_errstring(module->ldb, "start_trans error in module %s: %s (%d)", module->ops->name, ldb_strerror(ret), ret); } - if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { - ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_start_trans error: %s", - ldb_errstring(module->ldb)); + if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_start_trans error: %s", + ldb_errstring(module->ldb)); } return ret; } @@ -650,9 +650,9 @@ int ldb_next_end_trans(struct ldb_module *module) /* Set a default error string, to place the blame somewhere */ ldb_asprintf_errstring(module->ldb, "end_trans error in module %s: %s (%d)", module->ops->name, ldb_strerror(ret), ret); } - if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { - ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_end_trans error: %s", - ldb_errstring(module->ldb)); + if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_end_trans error: %s", + ldb_errstring(module->ldb)); } return ret; } @@ -720,9 +720,9 @@ int ldb_next_prepare_commit(struct ldb_module *module) /* Set a default error string, to place the blame somewhere */ ldb_asprintf_errstring(module->ldb, "prepare_commit error in module %s: %s (%d)", module->ops->name, ldb_strerror(ret), ret); } - if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { - ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_prepare_commit error: %s", - ldb_errstring(module->ldb)); + if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_prepare_commit error: %s", + ldb_errstring(module->ldb)); } return ret; } 
@@ -739,9 +739,9 @@ int ldb_next_del_trans(struct ldb_module *module) /* Set a default error string, to place the blame somewhere */ ldb_asprintf_errstring(module->ldb, "del_trans error in module %s: %s (%d)", module->ops->name, ldb_strerror(ret), ret); } - if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { - ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_del_trans error: %s", - ldb_errstring(module->ldb)); + if ((module && module->ldb->flags & LDB_FLG_ENABLE_TRACING)) { + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "ldb_next_del_trans error: %s", + ldb_errstring(module->ldb)); } return ret; } @@ -777,17 +777,17 @@ int ldb_module_send_entry(struct ldb_request *req, req->handle->nesting == 0) { char *s; struct ldb_ldif ldif; - + ldif.changetype = LDB_CHANGETYPE_NONE; ldif.msg = discard_const_p(struct ldb_message, msg); ldb_debug_add(req->handle->ldb, "ldb_trace_response: ENTRY\n"); - /* + /* * The choice to call * ldb_ldif_write_redacted_trace_string() is CRITICAL * for security. It ensures that we do not output - * passwords into debug logs + * passwords into debug logs */ s = ldb_ldif_write_redacted_trace_string(req->handle->ldb, msg, &ldif); @@ -945,7 +945,7 @@ static int ldb_modules_load_path(const char *path, const char *version) int dlopen_flags; #ifdef RTLD_DEEPBIND - bool deepbind_enabled = (getenv("LDB_MODULES_DISABLE_DEEPBIND") == NULL); + bool deepbind_enabled = (getenv("LDB_MODULES_ENABLE_DEEPBIND") != NULL); #endif ret = stat(path, &st); 
@@ -981,21 +981,12 @@ static int ldb_modules_load_path(const char *path, const char *version) dlopen_flags = RTLD_NOW; #ifdef RTLD_DEEPBIND /* - * use deepbind if possible, to avoid issues with different - * system library variants, for example ldb modules may be linked - * against Heimdal while the application may use MIT kerberos. - * - * See the dlopen manpage for details. - * - * One typical user is the bind_dlz module of Samba, - * but symbol versioning might be enough... + * On systems where e.g. different kerberos libraries are used, like a + * mix of Heimdal and MIT Kerberos, LDB_MODULES_ENABLE_DEEPBIND should + * be set to avoid issues. * - * We need a way to disable this in order to allow the - * ldb_*ldap modules to work with a preloaded socket wrapper. - * - * So in future we may remove this completely - * or at least invert the default behavior. - */ + * By default Linux distributions only have one Kerberos library. + */ if (deepbind_enabled) { dlopen_flags |= RTLD_DEEPBIND; } @@ -1104,8 +1095,8 @@ static int ldb_modules_load_dir(const char *modules_dir, const char *version) return LDB_SUCCESS; } -/* - load any additional modules from the given directory +/* + load any additional modules from the given directory */ void ldb_set_modules_dir(struct ldb_context *ldb, const char *path) { diff --git a/lib/ldb/man/ldb.3.xml b/lib/ldb/man/ldb.3.xml index 1c0a2ece552..f8d3cb50446 100644 --- a/lib/ldb/man/ldb.3.xml +++ b/lib/ldb/man/ldb.3.xml 
@@ -243,11 +243,32 @@ ldb_search(3) manual pages. </itemizedlist> </refsect1> +<refsect1> + <title>ENVIRONMENT VARIABLES</title> + + <itemizedlist> + <listitem><para> + <envar>LDB_URL</envar> + - connect to the provided URL (cmdline tools only) + </para></listitem> + + <listitem><para> + <envar>LDB_MODULES_PATH</envar> + - path where to load ldb modules from + </para></listitem> + + <listitem><para> + <envar>LDB_MODULES_ENABLE_DEEPBIND</envar> + - enable RTLD_DEEPBIND when loading ldb modules + </para></listitem> + </itemizedlist> +</refsect1> + <refsect1> <title>Author</title> <para> - ldb was written by + ldb was written by <ulink url="https://www.samba.org/~tridge/">Andrew Tridgell</ulink>. </para> diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 8ae95cbd6d6..ab33f7784a6 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -33,21 +33,17 @@ def configure(conf): conf.CONFIG_GET('ENABLE_SELFTEST'): Logs.warn("NOTE: Some AD DC parts of selftest will fail") + conf.env.REQUIRE_LMDB = False + elif Options.options.without_ldb_lmdb: + if not Options.options.without_ad_dc and \ + conf.CONFIG_GET('ENABLE_SELFTEST'): + raise Errors.WafError('--without-ldb-lmdb conflicts ' + 'with --enable-selftest while ' + 'building the AD DC') + conf.env.REQUIRE_LMDB = False else: - if Options.options.without_ad_dc: - conf.env.REQUIRE_LMDB = False - else: - if Options.options.without_ldb_lmdb: - if not Options.options.without_ad_dc and \ - conf.CONFIG_GET('ENABLE_SELFTEST'): - raise Errors.WafError('--without-ldb-lmdb conflicts ' - 'with --enable-selftest while ' - 'building the AD DC') - - conf.env.REQUIRE_LMDB = False - else: - conf.env.REQUIRE_LMDB = True + conf.env.REQUIRE_LMDB = True # if lmdb support is enabled then we require lmdb # is present, build the mdb back end and enable lmdb support in diff --git a/python/samba/netcmd/domain/auth/policy/policy.py b/python/samba/netcmd/domain/auth/policy/policy.py index 207aa33c8d3..a1552c20fc5 100644 
--- a/python/samba/netcmd/domain/auth/policy/policy.py +++ b/python/samba/netcmd/domain/auth/policy/policy.py @@ -26,7 +26,13 @@ from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME, from samba.domain.models.exceptions import ModelError from samba.netcmd import Command, CommandError, Option from samba.netcmd.validators import Range +from samba.nt_time import NT_TICKS_PER_SEC +def mins_to_tgt_lifetime(minutes): + """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds""" + if minutes is not None: + return minutes * 60 * NT_TICKS_PER_SEC + return minutes class UserOptions(options.OptionGroup): """User options used by policy create and policy modify commands.""" @@ -238,14 +244,14 @@ class cmd_domain_auth_policy_create(Command): description=description, strong_ntlm_policy=StrongNTLMPolicy[strong_ntlm_policy.upper()], user_allow_ntlm_auth=useropts.allow_ntlm_auth, - user_tgt_lifetime=useropts.tgt_lifetime, + user_tgt_lifetime=mins_to_tgt_lifetime(useropts.tgt_lifetime), user_allowed_to_authenticate_from=useropts.allowed_to_authenticate_from, user_allowed_to_authenticate_to=useropts.allowed_to_authenticate_to, service_allow_ntlm_auth=serviceopts.allow_ntlm_auth, - service_tgt_lifetime=serviceopts.tgt_lifetime, + service_tgt_lifetime=mins_to_tgt_lifetime(serviceopts.tgt_lifetime), service_allowed_to_authenticate_from=serviceopts.allowed_to_authenticate_from, service_allowed_to_authenticate_to=serviceopts.allowed_to_authenticate_to, - computer_tgt_lifetime=computeropts.tgt_lifetime, + computer_tgt_lifetime=mins_to_tgt_lifetime(computeropts.tgt_lifetime), computer_allowed_to_authenticate_to=computeropts.allowed_to_authenticate_to, ) 
@@ -346,7 +352,7 @@ class cmd_domain_auth_policy_modify(Command): StrongNTLMPolicy[strong_ntlm_policy.upper()] if useropts.tgt_lifetime is not None: - policy.user_tgt_lifetime = useropts.tgt_lifetime + policy.user_tgt_lifetime = mins_to_tgt_lifetime(useropts.tgt_lifetime) if useropts.allowed_to_authenticate_from is not None: policy.user_allowed_to_authenticate_from = \ @@ -360,7 +366,7 @@ class cmd_domain_auth_policy_modify(Command): ################## if serviceopts.tgt_lifetime is not None: - policy.service_tgt_lifetime = serviceopts.tgt_lifetime + policy.service_tgt_lifetime = mins_to_tgt_lifetime(serviceopts.tgt_lifetime) if serviceopts.allowed_to_authenticate_from is not None: policy.service_allowed_to_authenticate_from = \ @@ -374,7 +380,7 @@ class cmd_domain_auth_policy_modify(Command): ########### if computeropts.tgt_lifetime is not None: - policy.computer_tgt_lifetime = computeropts.tgt_lifetime + policy.computer_tgt_lifetime = mins_to_tgt_lifetime(computeropts.tgt_lifetime) if computeropts.allowed_to_authenticate_to is not None: policy.computer_allowed_to_authenticate_to = \ diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py index 864979608ea..d5fa295ecd1 100644 --- a/python/samba/tests/samba_tool/domain_auth_policy.py +++ b/python/samba/tests/samba_tool/domain_auth_policy.py @@ -27,12 +27,19 @@ from unittest.mock import patch from samba.dcerpc import security from samba.domain.models.exceptions import ModelError from samba.ndr import ndr_pack, ndr_unpack +from samba.nt_time import NT_TICKS_PER_SEC from samba.samdb import SamDB from samba.sd_utils import SDUtils from .silo_base import SiloTest +def mins_to_tgt_lifetime(minutes): + """Convert minutes to the tgt_lifetime attributes unit which is 10^-7 seconds""" + if minutes is not None: + return minutes * 60 * NT_TICKS_PER_SEC + return minutes + class AuthPolicyCmdTestCase(SiloTest): def test_list(self): 
@@ -135,7 +142,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Check policy fields. policy = self.get_authentication_policy(name) self.assertEqual(str(policy["cn"]), name) - self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "60") + self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(60))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "create", @@ -169,7 +176,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Check policy fields. policy = self.get_authentication_policy(name) self.assertEqual(str(policy["cn"]), name) - self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "60") + self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(60))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "create", @@ -203,7 +210,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Check policy fields. policy = self.get_authentication_policy(name) self.assertEqual(str(policy["cn"]), name) - self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "60") + self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(60))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "create", @@ -644,7 +651,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Verify field was changed. policy = self.get_authentication_policy(name) - self.assertEqual(str(policy["msDS-UserTGTLifetime"]), "120") + self.assertEqual(str(policy["msDS-UserTGTLifetime"]), str(mins_to_tgt_lifetime(120))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "modify", 
@@ -680,7 +687,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Verify field was changed. policy = self.get_authentication_policy(name) - self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), "120") + self.assertEqual(str(policy["msDS-ServiceTGTLifetime"]), str(mins_to_tgt_lifetime(120))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "modify", @@ -716,7 +723,7 @@ class AuthPolicyCmdTestCase(SiloTest): # Verify field was changed. policy = self.get_authentication_policy(name) - self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), "120") + self.assertEqual(str(policy["msDS-ComputerTGTLifetime"]), str(mins_to_tgt_lifetime(120))) # check lower bounds (45) result, out, err = self.runcmd("domain", "auth", "policy", "modify", diff --git a/selftest/knownfail b/selftest/knownfail index 03f8b466994..31e70a1a9d3 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -218,7 +218,6 @@ ^samba3.smb2.compound.interim2 # wrong return code (STATUS_CANCELLED) ^samba3.smb2.compound.aio.interim2 # wrong return code (STATUS_CANCELLED) ^samba3.smb2.lock.*replay_broken_windows # This tests the windows behaviour -^samba3.smb2.lease.statopen3 ^samba3.smb2.lease.unlink # we currently do not downgrade RH lease to R after unlink ^samba4.smb2.ioctl.compress_notsup.*\(ad_dc_ntvfs\) ^samba3.raw.session.*reauth2 # maybe fix this? diff --git a/selftest/knownfail.d/smb2.durable-v2-open.bug15708 b/selftest/knownfail.d/smb2.durable-v2-open.bug15708 new file mode 100644 index 00000000000..3a6380c6d65 --- /dev/null +++ b/selftest/knownfail.d/smb2.durable-v2-open.bug15708 @@ -0,0 +1,7 @@ +# +# https://bugzilla.samba.org/show_bug.cgi?id=15708 is not fixed +# yet, it requires some complex changes within handle_share_mode_lease() +# merging logic of open_mode_check() and delay_for_oplock()... -- Samba Shared Repository
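
Review bot: In docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml, second hunk, the two list items about net leave the behaviour of most net subcommands unstated. "net changesecretpw -f command uses the default 'disabled' value" followed by "No other net subcommands use the 'disabled' value" says what the other subcommands do not use, but not which value they fall back to when the option is unset. Suggest naming that effective value explicitly, and dropping the word "default" from the changesecretpw item, since the paragraph above it describes a different default for winbind.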
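
Review bot: In lib/ldb/common/ldb_modules.c, ldb_modules_load_path(), the new test getenv("LDB_MODULES_ENABLE_DEEPBIND") != NULL only checks that the variable exists, so LDB_MODULES_ENABLE_DEEPBIND=0 or an empty value still adds RTLD_DEEPBIND to dlopen_flags. The same hunk flips the default and renames the switch, which means a previously exported LDB_MODULES_DISABLE_DEEPBIND is now ignored without any message, and a host that mixes Heimdal and MIT Kerberos loses deepbind until the new variable is set. Suggest either parsing the value or stating that presence alone enables it, and emitting a debug message when the old variable is still present. The WHATSNEW.txt hunk in this push lists BUG 15643 but does not mention the new variable or the changed default, which packagers will need.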
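
Review bot: The LDB_MODULES_ENABLE_DEEPBIND entry in the new ENVIRONMENT VARIABLES section of lib/ldb/man/ldb.3.xml says what the variable does but not when to set it. The comment added to ldb_modules.c in this push already gives the case (a mix of Heimdal and MIT Kerberos libraries); the man page should repeat that, and should say that RTLD_DEEPBIND is not used unless the variable is present in the environment.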
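
Review bot: In python/samba/netcmd/domain/auth/policy/policy.py the conversion is applied from this release on, but nothing covers values already written. Before this change both create and modify stored useropts.tgt_lifetime, serviceopts.tgt_lifetime and computeropts.tgt_lifetime unconverted (the old test assertions expected "60" and "120" in the msDS-*TGTLifetime attributes), so policies set with the earlier code hold a minute count where a 10^-7 second count is expected. Suggest a sentence in the release notes telling administrators to re-apply the lifetime on such policies. As a smaller point, the modify call sites already test "is not None" before calling mins_to_tgt_lifetime(), so the None branch of the helper is only reached from create; a short comment saying so would help.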
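
Review bot: python/samba/tests/samba_tool/domain_auth_policy.py carries its own copy of mins_to_tgt_lifetime(), and every changed assertion compares against str(mins_to_tgt_lifetime(60)) or str(mins_to_tgt_lifetime(120)), so the expected value is computed with the same formula as the code under test and the tests would still pass if the factor were wrong. Suggest asserting the literal stored value instead; with the docstring's unit of 10^-7 seconds, 60 minutes is 36000000000 and 120 minutes is 72000000000. That pins the stored format and removes the duplicated helper.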
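
Review bot: The comment in the new selftest/knownfail.d/smb2.durable-v2-open.bug15708 says bug 15708 "is not fixed yet", while the WHATSNEW.txt hunk in this same push lists BUG 15708 under "Changes since 4.21.0". The rest of this file is cut off by the changeset truncation, so the affected test patterns are not visible here, but one of the two texts should say which part of the bug this release addresses and which part remains a known failure.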