The branch, master has been updated
       via  ab30a8b provision: Make dsacl2fsacl() take a security.dom_sid, not str
       via  0334515 provision: Also walk directories checking ACLs
       via  abbbbb5 wintest: Try harder to recover from apparent failure to dcpromo
       via  0b7bb77 selftest: check that samba-tool gpo works for basic operations
       via  26faa8f dsdb: Simplify DsCrackNameOneFilter a bit
       via  ec3cbb6 wafsamba.abi: Fix abi_match with both excludes and includes.
       via  d02c8ba wafsamba.samba_abi: Add basic unit tests.
       via  97102fa buildtools: Remove extra space from global: line
       via  ea5ef95 wafsamba.samba_abi: Refactor abi_write_vscript to take file argument.
      from  3d93616 s3:smbd: pass the current time to make_connection[_smb1]()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit ab30a8bf0fb9bd4ee3c907183132f3b9abb67c7a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 5 20:44:14 2012 +1100

    provision: Make dsacl2fsacl() take a security.dom_sid, not str

    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Nov 6 00:12:43 CET 2012 on sn-devel-104

commit 033451587db21d6e4b829e89a64f894a32682131
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 5 15:22:02 2012 +1100

    provision: Also walk directories checking ACLs

    The directory walk was missed due to a cut-and-paste error.

    Andrew Bartlett

    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit abbbbb5cdc39b71c0f243ff1e660d1f35a4923e3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 5 19:35:51 2012 +1100

    wintest: Try harder to recover from apparent failure to dcpromo

    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 0b7bb774ce836722d219d6e466a76b12c1a03de3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Nov 5 12:57:17 2012 +1100

    selftest: check that samba-tool gpo works for basic operations

    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 26faa8fe3a42f9d1278d81773c8808b05fcd76f8
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Nov 3 09:36:29 2012 +0100

    dsdb: Simplify DsCrackNameOneFilter a bit

    For me "else" branches clutter my flow reading code. If we do a hard
    return at the end of an "if" branch, "else" is not required.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ec3cbb6c476698523c9b5ac047787df101746891
Author: Jelmer Vernooij <jel...@samba.org>
Date:   Mon Nov 5 19:36:30 2012 +0100

    wafsamba.abi: Fix abi_match with both excludes and includes.

    This fixes a regression introduced by
    9c3e294400234ebdf9b98031bae583524fd0b0ac which caused internal
    symbols in libldb to be exposed.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9357

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stephen Gallagher <sgall...@redhat.com>

commit d02c8ba122cef7d8b254e5be3ae757eb3bb14235
Author: Jelmer Vernooij <jel...@samba.org>
Date:   Mon Nov 5 19:36:29 2012 +0100

    wafsamba.samba_abi: Add basic unit tests.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stephen Gallagher <sgall...@redhat.com>

commit 97102fa9963ba88f4ab72165a02071990031a73b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 6 07:48:52 2012 +1100

    buildtools: Remove extra space from global: line

    This makes it easier to put the expected values in a file as we will
    not have trailing whitespace that is against git style.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jelmer Vernooij <jel...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ea5ef95fbebe28cca11f86a9015aab77522f5e18
Author: Jelmer Vernooij <jel...@samba.org>
Date:   Mon Nov 5 19:36:28 2012 +0100

    wafsamba.samba_abi: Refactor abi_write_vscript to take file argument.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stephen Gallagher <sgall...@redhat.com>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_abi.py                   |   32 +++++----
 buildtools/wafsamba/tests/test_abi.py              |   67 ++++++++++++++++++++
 selftest/target/Samba4.pm                          |    2 +-
 source4/dsdb/samdb/cracknames.c                    |    5 +-
 source4/scripting/python/samba/netcmd/gpo.py       |    4 +-
 source4/scripting/python/samba/ntacls.py           |    3 +-
 .../scripting/python/samba/provision/__init__.py   |    6 +-
 .../scripting/python/samba/tests/samba_tool/gpo.py |   57 +++++++++++++++++
 source4/selftest/tests.py                          |    7 ++
 wintest/wintest.py                                 |   13 ++++-
 10 files changed, 172 insertions(+), 24 deletions(-)
 create mode 100644 source4/scripting/python/samba/tests/samba_tool/gpo.py

Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py index ed977ba..488dab8 100644 --- a/buildtools/wafsamba/samba_abi.py +++ b/buildtools/wafsamba/samba_abi.py
@@ -152,22 +152,23 @@ def abi_process_file(fname, version, symmap): symmap[symname] = version f.close() -def abi_write_vscript(vscript, libname, current_version, versions, symmap, abi_match): - '''write a vscript file for a library in --version-script format - :param vscript: Path to the vscript file +def abi_write_vscript(f, libname, current_version, versions, symmap, abi_match): + """Write a vscript file for a library in --version-script format. + + :param f: File-like object to write to :param libname: Name of the library, uppercased :param current_version: Current version :param versions: Versions to consider :param symmap: Dictionary mapping symbols -> version - :param abi_match: List of symbols considered to be public in the current version - ''' + :param abi_match: List of symbols considered to be public in the current + version + """ invmap = {} for s in symmap: invmap.setdefault(symmap[s], []).append(s) - f = open(vscript, mode='w') last_key = "" versions = sorted(versions, key=version_key) for k in versions: @@ -175,8 +176,8 @@ def abi_write_vscript(vscript, libname, current_version, versions, symmap, abi_m if symver == current_version: break f.write("%s {\n" % symver) - if k in invmap: - f.write("\tglobal: \n") + if k in sorted(invmap.keys()): + f.write("\tglobal:\n") for s in invmap.get(k, []): f.write("\t\t%s;\n" % s); f.write("}%s;\n\n" % last_key) @@ -190,14 +191,13 @@ def abi_write_vscript(vscript, libname, current_version, versions, symmap, abi_m f.write("\t\t%s;\n" % x) else: f.write("\t\t*;\n") - if len(local_abi) > 0: + if abi_match != ["*"]: f.write("\tlocal:\n") for x in local_abi: f.write("\t\t%s;\n" % x[1:]) - elif abi_match != ["*"]: - f.write("\tlocal: *;\n") + if len(global_abi) > 0: + f.write("\t\t*;\n") f.write("};\n") - f.close() def abi_build_vscript(task): 
@@ -213,8 +213,12 @@ def abi_build_vscript(task): version = basename[len(task.env.LIBNAME)+1:-len(".sigs")] versions.append(version) abi_process_file(fname, version, symmap) - abi_write_vscript(tgt, task.env.LIBNAME, task.env.VERSION, versions, symmap, - task.env.ABI_MATCH) + f = open(tgt, mode='w') + try: + abi_write_vscript(f, task.env.LIBNAME, task.env.VERSION, versions, + symmap, task.env.ABI_MATCH) + finally: + f.close() def ABI_VSCRIPT(bld, libname, abi_directory, version, vscript, abi_match=None): diff --git a/buildtools/wafsamba/tests/test_abi.py b/buildtools/wafsamba/tests/test_abi.py index 0aa0d56..bba78c1 100644 --- a/buildtools/wafsamba/tests/test_abi.py +++ b/buildtools/wafsamba/tests/test_abi.py @@ -17,9 +17,12 @@ from wafsamba.tests import TestCase from wafsamba.samba_abi import ( + abi_write_vscript, normalise_signature, ) +from cStringIO import StringIO + class NormaliseSignatureTests(TestCase): 
@@ -51,3 +54,67 @@ class NormaliseSignatureTests(TestCase): 'uuid = {time_low = 2324192516, time_mid = 7403, time_hi_and_version = 4553, clock_seq = "\\237\\350", node = "\\b\\000+\\020H`"}, if_version = 2', normalise_signature('$244 = {uuid = {time_low = 2324192516, time_mid = 7403, time_hi_and_version = 4553, clock_seq = "\\237\\350", node = "\\b\\000+\\020H`"}, if_version = 2}')) + +class WriteVscriptTests(TestCase): + + def test_one(self): + f = StringIO() + abi_write_vscript(f, "MYLIB", "1.0", [], { + "old": "1.0", + "new": "1.0"}, ["*"]) + self.assertEquals(f.getvalue(), """\ +1.0 { +\tglobal: +\t\t*; +}; +""") + + def test_simple(self): + # No restrictions. + f = StringIO() + abi_write_vscript(f, "MYLIB", "1.0", ["0.1"], { + "old": "0.1", + "new": "1.0"}, ["*"]) + self.assertEquals(f.getvalue(), """\ +MYLIB_0.1 { +\tglobal: +\t\told; +}; + +1.0 { +\tglobal: +\t\t*; +}; +""") + + def test_exclude(self): + f = StringIO() + abi_write_vscript(f, "MYLIB", "1.0", [], { + "exc_old": "0.1", + "old": "0.1", + "new": "1.0"}, ["!exc_*"]) + self.assertEquals(f.getvalue(), """\ +1.0 { +\tglobal: +\t\t*; +\tlocal: +\t\texc_*; +}; +""") + + def test_excludes_and_includes(self): + f = StringIO() + abi_write_vscript(f, "MYLIB", "1.0", [], { + "pub_foo": "1.0", + "exc_bar": "1.0", + "other": "1.0" + }, ["pub_*", "!exc_*"]) + self.assertEquals(f.getvalue(), """\ +1.0 { +\tglobal: +\t\tpub_*; +\tlocal: +\t\texc_*; +\t\t*; +}; +""") diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index fbc8117..20114c9 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -799,7 +799,7 @@ sub provision($$$$$$$$$) [sysvol] path = $ctx->{statedir}/sysvol - read only = yes + read only = no [netlogon] path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c index 8b52aa3..f136dec 100644 --- a/source4/dsdb/samdb/cracknames.c +++ b/source4/dsdb/samdb/cracknames.c 
@@ -1070,7 +1070,10 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ if (sid == NULL) { info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING; return WERR_OK; - } else if (samdb_find_attribute(sam_ctx, result, "objectClass", "domain")) { + } + + if (samdb_find_attribute(sam_ctx, result, "objectClass", + "domain")) { /* This can also find a DomainDNSZones entry, * but it won't have the SID we just * checked. */ diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py index 53bfcaa..347231b 100644 --- a/source4/scripting/python/samba/netcmd/gpo.py +++ b/source4/scripting/python/samba/netcmd/gpo.py @@ -975,9 +975,9 @@ class cmd_create(Command): ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl() # Create a file system security descriptor - domain_sid = self.samdb.get_domain_sid() + domain_sid = security.dom_sid(self.samdb.get_domain_sid()) sddl = dsacl2fsacl(ds_sd, domain_sid) - fs_sd = security.descriptor.from_sddl(sddl, security.dom_sid(domain_sid)) + fs_sd = security.descriptor.from_sddl(sddl, domain_sid) # Set ACL sio = ( security.SECINFO_OWNER | diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py index f304047..89d450a 100644 --- a/source4/scripting/python/samba/ntacls.py +++ b/source4/scripting/python/samba/ntacls.py @@ -198,14 +198,13 @@ def ldapmask2filemask(ldm): return filemask -def dsacl2fsacl(dssddl, domsid): +def dsacl2fsacl(dssddl, sid): """ This function takes an the SDDL representation of a DS ACL and return the SDDL representation of this ACL adapted for files. It's used for Policy object provision """ - sid = security.dom_sid(domsid) ref = security.descriptor.from_sddl(dssddl, sid) fdescr = security.descriptor() fdescr.owner_sid = ref.owner_sid diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index b385556..47bc6f9 100644 
--- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1395,7 +1395,7 @@ def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, p acl = ndr_unpack(security.descriptor, str(policy["nTSecurityDescriptor"])).as_sddl() policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) - set_dir_acl(policy_path, dsacl2fsacl(acl, str(domainsid)), lp, + set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, str(domainsid), use_ntvfs, passdb=passdb) @@ -1484,7 +1484,7 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): if fsacl_sddl != acl: raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl)) - for name in files: + for name in dirs: fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access) if fsacl is None: raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name))) @@ -1522,7 +1522,7 @@ def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, acl = ndr_unpack(security.descriptor, str(policy["nTSecurityDescriptor"])).as_sddl() policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"])) - check_dir_acl(policy_path, dsacl2fsacl(acl, str(domainsid)), lp, + check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, domainsid, direct_db_access) diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py new file mode 100644 index 0000000..84154f5 --- /dev/null +++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py 
@@ -0,0 +1,57 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Andrew Bartlett 2012 +# +# based on time.py: +# Copyright (C) Sean Dague <sda...@linux.vnet.ibm.com> 2011 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +from samba.tests.samba_tool.base import SambaToolCmdTest + +class GpoCmdTestCase(SambaToolCmdTest): + """Tests for samba-tool time subcommands""" + + gpo_name = "testgpo" + + def test_gpo_list(self): + """Run gpo list against the server and make sure it looks accurate""" + (result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"]) + self.assertCmdSuccess(result, "Ensuring gpo listall ran successfully") + + def test_fetchfail(self): + """Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist""" + (result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" % +os.environ["SERVER"]) + self.assertEquals(result, -1, "check for result code") + + def test_fetch(self): + """Run against a real GPO, and make sure it passes""" + (result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", os.environ['SELFTEST_PREFIX']) + self.assertCmdSuccess(result, "Ensuring gpo fetched successfully") + + def setUp(self): + """set up a temporary GPO to work with""" + 
super(GpoCmdTestCase, self).setUp() + (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"])) + self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0] + + self.assertCmdSuccess(result, "Ensuring gpo created successfully") + + def tearDown(self): + """remove the temporary GPO to work with""" + (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"])) + self.assertCmdSuccess(result, "Ensuring gpo deleted successfully") + super(GpoCmdTestCase, self).tearDown() diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index ca5bdd3..58936e8 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -405,6 +405,13 @@ planpythontestsuite("dc:local", "samba.tests.dcerpc.bare") planpythontestsuite("dc:local", "samba.tests.dcerpc.unix") planpythontestsuite("dc:local", "samba.tests.dcerpc.srvsvc") planpythontestsuite("dc:local", "samba.tests.samba_tool.timecmd") + +# We run this test against both AD DC implemetnations because it is +# the only test we have of GPO get/set behaviour, and this involves +# the file server as well as the LDAP server. +planpythontestsuite("dc:local", "samba.tests.samba_tool.gpo") +planpythontestsuite("plugin_s4_dc:local", "samba.tests.samba_tool.gpo") + planpythontestsuite("dc:local", "samba.tests.samba_tool.processes") planpythontestsuite("dc:local", "samba.tests.samba_tool.user") planpythontestsuite("dc:local", "samba.tests.samba_tool.group") diff --git a/wintest/wintest.py b/wintest/wintest.py index c0f1eeb..61664ae 100644 --- a/wintest/wintest.py +++ b/wintest/wintest.py 
@@ -852,12 +852,23 @@ RebootOnCompletion=No child.expect("C:") child.expect("C:") child.sendline("dcpromo /answer:answers.txt") - i = child.expect(["You must restart this computer", "failed", "Active Directory Domain Services was not installed", "C:"], timeout=240) + i = child.expect(["You must restart this computer", "failed", "Active Directory Domain Services was not installed", "C:", pexpect.TIMEOUT], timeout=240) if i == 1 or i == 2: raise Exception("dcpromo failed") + if i == 4: # timeout + child = self.open_telnet("${WIN_HOSTNAME}", "administrator", "${WIN_PASS}") + child.sendline("shutdown -r -t 0") self.port_wait("${WIN_IP}", 139, wait_for_fail=True) self.port_wait("${WIN_IP}", 139) + + child = self.open_telnet("${WIN_HOSTNAME}", "administrator", "${WIN_PASS}") + # Check if we became a DC by now + if not self.get_is_dc(child): + raise Exception("dcpromo failed (and wasn't a DC even after rebooting)") + # Give DNS registration a kick + child.sendline("ipconfig /registerdns") + self.retry_cmd("host -t SRV _ldap._tcp.${WIN_REALM} ${WIN_IP}", ['has SRV record'], retries=60, delay=5 ) -- Samba Shared Repository
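
Review bot: In buildtools/wafsamba/samba_abi.py, hunk @@ -175,8 +176,8 @@, `if k in sorted(invmap.keys()):` sorts the keys only to run a membership test, so it behaves exactly like the old `if k in invmap:` and builds a throwaway list on every iteration. If the aim was stable output, the sort belongs on the symbols written just below it, for example `for s in sorted(invmap.get(k, [])):`; otherwise keep `if k in invmap:`.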
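
Review bot: In buildtools/wafsamba/samba_abi.py, hunk @@ -190,14 +191,13 @@, the rewritten local: block carries no comment saying why the catch-all `*;` is written only when global_abi is non-empty, and this is the logic the commit message ties to internal libldb symbols being exposed. A short comment above `if len(global_abi) > 0:` stating that an explicit include list makes everything else local, while an exclude-only list leaves the global `*` in force, would help keep a later refactor from reintroducing the regression.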
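
Review bot: WriteVscriptTests in buildtools/wafsamba/tests/test_abi.py covers `["*"]`, an exclude-only list and a mixed list, but has no case for an include-only abi_match such as `["pub_*"]`. That is the case where the local: section consists of nothing but `*;`, so a test asserting that output would pin down the symbol-hiding behaviour this fix is about.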
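
Review bot: The selftest/target/Samba4.pm hunk flips [sysvol] from `read only = yes` to `read only = no`, and none of the commit messages in this push mention it. The message of the commit that carries it should say why the selftest sysvol share has to be writable (presumably for the new samba-tool gpo test), so the change is not read as a recommended setting outside the test environment.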
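
Review bot: In source4/scripting/python/samba/ntacls.py, dsacl2fsacl() now hands `sid` straight to security.descriptor.from_sddl(), but the docstring still does not name the parameters or say that `sid` must be a security.dom_sid. Document both arguments there, since a caller that still passes a string is no longer converted; the docstring's "takes an the SDDL" can be fixed in the same edit.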
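
Review bot: In source4/scripting/python/samba/provision/__init__.py, hunk @@ -1484,7 +1484,7 @@, the loop that now walks `dirs` raises ProvisioningError with the format string '%s ACL on GPO directory %s %s not found!', which has three %s but is given only two arguments (acl_type(direct_db_access) and the joined path). Hitting that branch would fail with a TypeError instead of the intended error, so drop one %s from the message in the same change.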
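
Review bot: In the new source4/scripting/python/samba/tests/samba_tool/gpo.py, setUp() computes `self.gpo_guid` from `out.split("{")[1]` before calling assertCmdSuccess(), so a failed `gpo create` surfaces as an IndexError rather than the "Ensuring gpo created successfully" assertion. Move the assertCmdSuccess() call above the parse. The class docstring also still reads "Tests for samba-tool time subcommands", carried over from time.py, and the test_fetchfail docstring is missing its closing parenthesis.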
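
Review bot: The comment added in source4/selftest/tests.py misspells "implementations" as "implemetnations"; worth a follow-up fix.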
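
Review bot: In wintest/wintest.py, the timeout branch `if i == 4:` rebinds `child` to a new telnet session without closing the one that timed out, and `child` is rebound again after the two port_wait() calls. Close the stale session before each open_telnet() call, and compare against a named index rather than the literal 4 so the check survives a change to the expect list.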