The branch, master has been updated via ccaf661f7c7 tldap: Receiving "msgid == 0" means the connection is dead via a4ecd112e77 test: Test winbind idmap_ad ticket expiry behaviour via 7af2df01dff idmap_ad: Pass tldap debug messages on to DEBUG() via a2b281bed02 tldap: Add PRINTF_ATTRIBUTE declaration to tldap_debug() via 2a2a6b27ccc tldap: Make sure all requests are cancelled on rundown via f745f5b1256 tldap: Centralize connection rundown on error via cb852c9dc0d tldap: Maintain the ldap read request in tldap_context via 14f6d1996ec tldap: Always remove ourselves from ld->pending at cleanup time via f816ccb8f4d tldap: Fix tldap_msg_received() via b85dbc9ccf8 tldap: Only free() ld->pending if "req" is part of it via eb72f887b0b ldap_server: Terminate LDAP connections on krb ticket expiry via 77f72fb01fa ldap_server: Add the krb5 expiry to conn->limits via 35c4bb0b0c5 torture: Test ldap session expiry via c8c2f8ba733 build: Wrap a long line from 4dbe8d11316 python: Remove remaining references to third_party python libs
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit ccaf661f7c75717341140e3fbfb2a48f96ea952c Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 18:09:14 2020 +0200 tldap: Receiving "msgid == 0" means the connection is dead We never use msgid=0, see tldap_next_msgid(). RFC4511 section 4.4.1 says that the unsolicited disconnect response uses msgid 0. We don't parse this message, which supposedly is an extended response: Windows up to 2019 sends an extended response in an ASN.1 encoding that does not match RFC4511. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Volker Lendecke <v...@samba.org> Autobuild-Date(master): Fri Aug 21 20:37:25 UTC 2020 on sn-devel-184 commit a4ecd112e7754ab25bcae749594952a28c4c8905 Author: Volker Lendecke <v...@samba.org> Date: Thu Aug 13 14:59:58 2020 +0200 test: Test winbind idmap_ad ticket expiry behaviour We need to make sure that winbind's idmap_ad deals fine with an expired krb ticket used to connect to AD via LDAP. In a customer situation we have seen the RFC4511 section 4.4.1 unsolicited ldap exop response coming through, but the TCP disconnect that Windows seems to do after that did not make it. Winbind deals fine with a TCP disconnect, but right now it does not handle just the section 4.4.1 response properly: It completely hangs. This test requests a ticket valid for 5 seconds and makes the LDAP server postpone the TCP disconnect after the ticket expiry for 10 seconds. The tests that winbind reacts to the ticket expiry exop response by making sure in this situation the wbinfo call running into the issue takes less than 8 seconds. If it did not look at the expiry exop response, it would take more than 10 seconds. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 7af2df01dff62d6d9ca572f320ef60dea41d6064 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Aug 11 18:24:39 2020 +0200 idmap_ad: Pass tldap debug messages on to DEBUG() Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit a2b281bed022c04427ef478529462ff84fe42908 Author: Volker Lendecke <v...@samba.org> Date: Wed Aug 12 13:26:18 2020 +0200 tldap: Add PRINTF_ATTRIBUTE declaration to tldap_debug() Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2a2a6b27cccb2409d321c7e03feb8baa047d1bf4 Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 17:44:42 2020 +0200 tldap: Make sure all requests are cancelled on rundown Put messages into the ld->pending array before sending them out, not after they have been sent. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit f745f5b12560dbcb7be6f3ffb3bc10704c87149c Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 17:30:22 2020 +0200 tldap: Centralize connection rundown on error Whenever send or recv return -1, we have to cancel all pending requests and our transport stream is no longer usable: Discard it upon such an error. To avoid duplicate state, tldap_connection_ok() now looks at whether we have a tstream_context around. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit cb852c9dc0d0fa1d3e7473082ad6b460106b314b Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 17:14:14 2020 +0200 tldap: Maintain the ldap read request in tldap_context Required for proper connection rundown, we need to TALLOC_FREE() the read request before shutting down the tstream Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 14f6d1996ec38620b1c05a3b6c0e26dd21801fac Author: Volker Lendecke <v...@samba.org> Date: Mon Aug 17 21:59:48 2020 +0200 tldap: Always remove ourselves from ld->pending at cleanup time Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit f816ccb8f4d212fe7f6bf36f90cbb9297c899786 Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 16:54:34 2020 +0200 tldap: Fix tldap_msg_received() The callback of "req" might have destroyed "ld", we can't reference this anymore after calling tevent_req_done(req). Defer calling the callbacks, which also means that the callbacks can't have added anything to ld->pending. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit b85dbc9ccf80d8c19aff33c1da83954e5d6a37ef Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 11 16:16:12 2020 +0200 tldap: Only free() ld->pending if "req" is part of it Best reviewed with "git show -U10". We need to check that "req" is actually the last request that is being freed before freeing the whole array. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit eb72f887b0bf91c050fd5d911f58a1b3ff9b8bcc Author: Volker Lendecke <v...@samba.org> Date: Mon Aug 10 16:24:04 2020 +0200 ldap_server: Terminate LDAP connections on krb ticket expiry See RFC4511 section 4.4.1 and https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html for details: Windows terminates LDAP connections when the krb5 ticket expires, Samba should do the same. This patch slightly deviates from Windows behaviour by sending a LDAP exop response with msgid 0 that is ASN1-encoded conforming to RFC4511. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 77f72fb01faba45babfe6080f805361492ce49e5 Author: Volker Lendecke <v...@samba.org> Date: Fri Aug 7 13:40:58 2020 +0200 ldap_server: Add the krb5 expiry to conn->limits Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 35c4bb0b0c55a65490fe199edb1a534548104e95 Author: Volker Lendecke <v...@samba.org> Date: Wed Aug 12 15:50:58 2020 +0200 torture: Test ldap session expiry LDAP connections should time out when the kerberos ticket used to authenticate expires. Windows does this with a RFC4511 section 4.4.1 message (that as of August 2020 is encoded not according to the RFC) followed by a TCP disconnect. ldb sees the section 4.4.1 as a protocol violation and returns LDB_ERR_PROTOCOL_ERROR. Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit c8c2f8ba73324ba43ccef9f6d1c0c726d7ec0d25 Author: Volker Lendecke <v...@samba.org> Date: Wed Aug 12 15:48:01 2020 +0200 build: Wrap a long line There will be another entry in the next commit Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: nsswitch/tests/test_ticket_expiry.sh | 74 +++++++++++++++++ selftest/target/Samba3.pm | 1 + selftest/target/Samba4.pm | 6 +- source3/lib/tldap.c | 146 +++++++++++++++++++++++----------- source3/selftest/tests.py | 5 ++ source3/winbindd/idmap_ad.c | 36 +++++++++ source4/ldap_server/ldap_backend.c | 37 +++++++++ source4/ldap_server/ldap_bind.c | 15 ++++ source4/ldap_server/ldap_server.c | 66 +++++++++++++++ source4/ldap_server/ldap_server.h | 2 + source4/selftest/tests.py | 4 + source4/torture/ldap/common.c | 2 + source4/torture/ldap/session_expiry.c | 121 ++++++++++++++++++++++++++++ source4/torture/wscript_build | 13 ++- 14 files changed, 478 insertions(+), 50 deletions(-) create mode 100755 nsswitch/tests/test_ticket_expiry.sh create mode 100644 source4/torture/ldap/session_expiry.c Changeset truncated at 500 lines: diff --git a/nsswitch/tests/test_ticket_expiry.sh b/nsswitch/tests/test_ticket_expiry.sh new file mode 100755 index 00000000000..3b98b0fe87a --- /dev/null +++ b/nsswitch/tests/test_ticket_expiry.sh @@ -0,0 +1,74 @@ +#!/bin/sh +# Test winbind ad backend behaviour when the kerberos ticket expires + +if [ $# -ne 1 ]; then + echo Usage: $0 DOMAIN + exit 1 +fi + +DOMAIN="$1" + +wbinfo="$VALGRIND $BINDIR/wbinfo" +net="$VALGRIND $BINDIR/net" + +failed=0 + +. `dirname $0`/../../testprogs/blackbox/subunit.sh + +DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") +if [ $? -ne 0 ] ; then + echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad" + exit 1 +fi +ADMINS_SID="$DOMAIN_SID-512" + +# Previous tests might have put in a mapping +$net cache del IDMAP/SID2XID/"$ADMINS_SID" + +# Trigger a winbind ad connection with a 5-second ticket lifetime, +# see the smb.conf for the ad_member_idmap_ad environment we're in +# +# We expect failure here because there are no mappings in AD. In this +# test we are only interested in the winbind LDAP connection as such, +# we don't really care whether idmap_ad works fine. This is done in +# different tests. And a negative lookup also triggers the LDAP +# connection. + +testit_expect_failure "Deleting0 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || + failed=$(expr $failed + 1) + +testit_expect_failure "Expecting failure1, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" || + failed=$(expr $failed + 1) + +testit "Deleting1 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || + failed=$(expr $failed + 1) + +# allow our kerberos ticket to expire +testit "Sleeping for 6 seconds" sleep 6 || failed=$(expr $failed + 1) + +# Try again, check how long it took to recover from ticket expiry +# +# On the LDAP connection two things happen: First we get an +# unsolicited exop response telling us the network session was +# abandoned, and secondly the LDAP server will kill the TCP +# connection. Our ldap server is configured to defer the TCP +# disconnect by 10 seconds. We need to make sure that winbind already +# reacts to the unsolicited exop reply, discarding the connection. The +# only way is to make sure the following wbinfo does not take too +# long. + +# We need to do the test command in this funny way as on gitlab we're +# using the bash builtin + +START=$(date +%s) +testit_expect_failure "Expecting failure2, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" || + failed=$(expr $failed + 1) +END=$(date +%s) +DURATION=$(expr $END - $START) +testit "timeout DURATION[$DURATION] < 8" test "$DURATION" -le 8 || + failed=$(expr $failed + 1) + +testit "Deleting2 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || + failed=$(expr $failed + 1) + +exit $failed diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 753af49cf67..0a8cefa811d 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1061,6 +1061,7 @@ sub setup_ad_member_idmap_ad idmap config $dcvars->{DOMAIN} : range = 2000000-2999999 idmap config $dcvars->{TRUST_DOMAIN} : backend = ad idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 + gensec_gssapi:requested_life_time = 5 "; my $ret = $self->provision( diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 88c95c3a078..649e923ff9a 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1728,7 +1728,11 @@ sub provision_fl2008r2dc($$$) my ($self, $prefix, $dcvars) = @_; print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n"; - my $extra_conf_options = "ldap server require strong auth = no"; + my $extra_conf_options = " + ldap server require strong auth = no + # delay by 10 seconds, 10^7 usecs + ldap_server:delay_expire_disconnect = 10000 +"; my $extra_provision_options = ["--base-schema=2008_R2"]; my $ret = $self->provision($prefix, "domain controller", diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c index bf5fc05d785..0e39a307728 100644 --- a/source3/lib/tldap.c +++ b/source3/lib/tldap.c @@ -29,6 +29,7 @@ #include "../lib/util/tevent_unix.h" static TLDAPRC tldap_simple_recv(struct tevent_req *req); +static bool tldap_msg_set_pending(struct tevent_req *req); #define TEVENT_TLDAP_RC_MAGIC (0x87bcd26e) @@ -83,10 +84,10 @@ struct tldap_ctx_attribute { struct tldap_context { int ld_version; struct tstream_context *conn; - bool server_down; int msgid; struct tevent_queue *outgoing; struct tevent_req **pending; + struct tevent_req *read_req; /* For the sync wrappers we need something like get_last_error... */ struct tldap_message *last_msg; @@ -132,6 +133,11 @@ void tldap_set_debug(struct tldap_context *ld, ld->log_private = log_private; } +static void tldap_debug( + struct tldap_context *ld, + enum tldap_debug_level level, + const char *fmt, ...) PRINTF_ATTRIBUTE(3,4); + static void tldap_debug(struct tldap_context *ld, enum tldap_debug_level level, const char *fmt, ...) @@ -185,10 +191,22 @@ struct tldap_context *tldap_context_create(TALLOC_CTX *mem_ctx, int fd) bool tldap_connection_ok(struct tldap_context *ld) { + int ret; + if (ld == NULL) { return false; } - return !ld->server_down; + + if (ld->conn == NULL) { + return false; + } + + ret = tstream_pending_bytes(ld->conn); + if (ret == -1) { + return false; + } + + return true; } static size_t tldap_pending_reqs(struct tldap_context *ld) @@ -424,6 +442,43 @@ static bool tldap_push_controls(struct asn1_data *data, return asn1_pop_tag(data); /* ASN1_CONTEXT(0) */ } +#define tldap_context_disconnect(ld, status) \ + _tldap_context_disconnect(ld, status, __location__) + +static void _tldap_context_disconnect(struct tldap_context *ld, + TLDAPRC status, + const char *location) +{ + if (ld->conn == NULL) { + /* + * We don't need to tldap_debug() on + * a potential 2nd run. + * + * The rest of the function would just + * be a noop for the 2nd run anyway. + */ + return; + } + + tldap_debug(ld, TLDAP_DEBUG_WARNING, + "tldap_context_disconnect: %s at %s\n", + tldap_rc2string(status), + location); + tevent_queue_stop(ld->outgoing); + TALLOC_FREE(ld->read_req); + TALLOC_FREE(ld->conn); + + while (talloc_array_length(ld->pending) > 0) { + struct tevent_req *req = NULL; + struct tldap_msg_state *state = NULL; + + req = ld->pending[0]; + state = tevent_req_data(req, struct tldap_msg_state); + tevent_req_defer_callback(req, state->ev); + tevent_req_ldap_error(req, status); + } +} + static void tldap_msg_sent(struct tevent_req *subreq); static void tldap_msg_received(struct tevent_req *subreq); @@ -437,6 +492,7 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, struct tevent_req *req, *subreq; struct tldap_msg_state *state; DATA_BLOB blob; + bool ok; tldap_debug(ld, TLDAP_DEBUG_TRACE, "tldap_msg_send: sending msg %d\n", id); @@ -449,7 +505,8 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->id = id; - if (state->ld->server_down) { + ok = tldap_connection_ok(ld); + if (!ok) { tevent_req_ldap_error(req, TLDAP_SERVER_DOWN); return tevent_req_post(req, ev); } @@ -470,6 +527,11 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + if (!tldap_msg_set_pending(req)) { + tevent_req_oom(req); + return tevent_req_post(req, ev);; + } + state->iov.iov_base = (void *)blob.data; state->iov.iov_len = blob.length; @@ -492,11 +554,6 @@ static void tldap_msg_unset_pending(struct tevent_req *req) tevent_req_set_cleanup_fn(req, NULL); - if (num_pending == 1) { - TALLOC_FREE(ld->pending); - return; - } - for (i=0; i<num_pending; i++) { if (req == ld->pending[i]) { break; @@ -511,6 +568,11 @@ static void tldap_msg_unset_pending(struct tevent_req *req) return; } + if (num_pending == 1) { + TALLOC_FREE(ld->pending); + return; + } + /* * Remove ourselves from the cli->pending array */ @@ -529,14 +591,7 @@ static void tldap_msg_unset_pending(struct tevent_req *req) static void tldap_msg_cleanup(struct tevent_req *req, enum tevent_req_state req_state) { - switch (req_state) { - case TEVENT_REQ_USER_ERROR: - case TEVENT_REQ_RECEIVED: - tldap_msg_unset_pending(req); - return; - default: - return; - } + tldap_msg_unset_pending(req); } static bool tldap_msg_set_pending(struct tevent_req *req) @@ -546,7 +601,6 @@ static bool tldap_msg_set_pending(struct tevent_req *req) struct tldap_context *ld; struct tevent_req **pending; int num_pending; - struct tevent_req *subreq; ld = state->ld; num_pending = tldap_pending_reqs(ld); @@ -560,7 +614,7 @@ static bool tldap_msg_set_pending(struct tevent_req *req) ld->pending = pending; tevent_req_set_cleanup_fn(req, tldap_msg_cleanup); - if (num_pending > 0) { + if (ld->read_req != NULL) { return true; } @@ -568,12 +622,12 @@ static bool tldap_msg_set_pending(struct tevent_req *req) * We're the first one, add the read_ldap request that waits for the * answer from the server */ - subreq = read_ldap_send(ld->pending, state->ev, ld->conn); - if (subreq == NULL) { + ld->read_req = read_ldap_send(ld->pending, state->ev, ld->conn); + if (ld->read_req == NULL) { tldap_msg_unset_pending(req); return false; } - tevent_req_set_callback(subreq, tldap_msg_received, ld); + tevent_req_set_callback(ld->read_req, tldap_msg_received, ld); return true; } @@ -589,13 +643,7 @@ static void tldap_msg_sent(struct tevent_req *subreq) nwritten = tstream_writev_queue_recv(subreq, &err); TALLOC_FREE(subreq); if (nwritten == -1) { - state->ld->server_down = true; - tevent_req_ldap_error(req, TLDAP_SERVER_DOWN); - return; - } - - if (!tldap_msg_set_pending(req)) { - tevent_req_oom(req); + tldap_context_disconnect(state->ld, TLDAP_SERVER_DOWN); return; } } @@ -619,21 +667,25 @@ static void tldap_msg_received(struct tevent_req *subreq) ssize_t received; size_t num_pending; int i, err; - TLDAPRC status; + TLDAPRC status = TLDAP_PROTOCOL_ERROR; int id; uint8_t type; bool ok; received = read_ldap_recv(subreq, talloc_tos(), &inbuf, &err); TALLOC_FREE(subreq); + ld->read_req = NULL; if (received == -1) { - ld->server_down = true; status = TLDAP_SERVER_DOWN; goto fail; } data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH); if (data == NULL) { + /* + * We have to disconnect all, we can't tell which of + * the requests this reply is for. + */ status = TLDAP_NO_MEMORY; goto fail; } @@ -652,6 +704,17 @@ static void tldap_msg_received(struct tevent_req *subreq) tldap_debug(ld, TLDAP_DEBUG_TRACE, "tldap_msg_received: got msg %d " "type %d\n", id, (int)type); + if (id == 0) { + tldap_debug( + ld, + TLDAP_DEBUG_WARNING, + "tldap_msg_received: got msgid 0 of " + "type %"PRIu8", disconnecting\n", + type); + tldap_context_disconnect(ld, TLDAP_SERVER_DOWN); + return; + } + num_pending = talloc_array_length(ld->pending); for (i=0; i<num_pending; i++) { @@ -677,38 +740,25 @@ static void tldap_msg_received(struct tevent_req *subreq) tldap_msg_unset_pending(req); num_pending = talloc_array_length(ld->pending); + tevent_req_defer_callback(req, state->ev); tevent_req_done(req); done: if (num_pending == 0) { return; } - if (talloc_array_length(ld->pending) > num_pending) { - /* - * The callback functions called from tevent_req_done() above - * have put something on the pending queue. We don't have to - * trigger the read_ldap_send(), tldap_msg_set_pending() has - * done it for us already. - */ - return; - } state = tevent_req_data(ld->pending[0], struct tldap_msg_state); - subreq = read_ldap_send(ld->pending, state->ev, ld->conn); - if (subreq == NULL) { + ld->read_req = read_ldap_send(ld->pending, state->ev, ld->conn); + if (ld->read_req == NULL) { status = TLDAP_NO_MEMORY; goto fail; } - tevent_req_set_callback(subreq, tldap_msg_received, ld); + tevent_req_set_callback(ld->read_req, tldap_msg_received, ld); return; fail: - while (talloc_array_length(ld->pending) > 0) { - req = ld->pending[0]; - state = tevent_req_data(req, struct tldap_msg_state); - tevent_req_defer_callback(req, state->ev); - tevent_req_ldap_error(req, status); - } + tldap_context_disconnect(ld, status); } static TLDAPRC tldap_msg_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 5e4fbf8a603..556b50c38f5 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -887,6 +887,11 @@ for t in tests: plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD') +plantestsuite( + "idmap_ad.ticket_expiry", + "ad_member_idmap_ad:local", + [os.path.join(samba3srcdir, "../nsswitch/tests/test_ticket_expiry.sh"), + '$DOMAIN']) test = 'rpc.lsa.lookupsids' auth_options = ["", "ntlm", "spnego", "spnego,ntlm", "spnego,smb1", "spnego,smb2"] diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index 6d879cdf4d7..3bfeeee2d74 100644 --- a/source3/winbindd/idmap_ad.c +++ b/source3/winbindd/idmap_ad.c @@ -254,6 +254,41 @@ static TLDAPRC get_posix_schema_names(struct tldap_context *ld, return TLDAP_SUCCESS; } +static void idmap_ad_tldap_debug(void *log_private, + enum tldap_debug_level level, + const char *fmt, + va_list ap) +{ + int samba_level = -1; + + switch (level) { + case TLDAP_DEBUG_FATAL: + samba_level = DBGLVL_ERR; + break; + case TLDAP_DEBUG_ERROR: + samba_level = DBGLVL_ERR; + break; + case TLDAP_DEBUG_WARNING: + samba_level = DBGLVL_WARNING; + break; + case TLDAP_DEBUG_TRACE: + samba_level = DBGLVL_DEBUG; + break; + } + + if (CHECK_DEBUGLVL(samba_level)) { + char *s = NULL; + int ret; + + ret = vasprintf(&s, fmt, ap); + if (ret == -1) { + return; + } + DEBUG(samba_level, ("idmap_ad_tldap: %s", s)); + free(s); + } +} + static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, const char *domname, struct tldap_context **pld) @@ -307,6 +342,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, TALLOC_FREE(dcinfo); return NT_STATUS_NO_MEMORY; } + tldap_set_debug(ld, idmap_ad_tldap_debug, NULL); /* * Here we use or own machine account as diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index bf724335a25..2839082daef 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -1384,11 +1384,48 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call) return NT_STATUS_OK; } +static NTSTATUS ldapsrv_expired(struct ldapsrv_call *call) -- Samba Shared Repository