The branch, master has been updated
via e1d50a6 dsdb-operational: Avoid doing the ldb_attr_cmp if bypass
flag is not set
via a0faf16 torture: Fix fsmo test to use correct -H samba-tool syntax
via 18d7e5d dsdb: Do not hold the transaction over the IRPC call to
perform a role transfer
via b40d134 selftest: also skip raw.search as it also spins
via 316fd08 drs-fsmo: Improve handling of FSMO role takeover.
from 6a10255 dsdb-acl: calculate sDRightsEffective based on
"nTSecurityDescriptor"
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e1d50a6b24012b42f9987b439a4b94cd8db79999
Author: Matthieu Patou <m...@matws.net>
Date: Thu Dec 27 00:01:49 2012 -0800
dsdb-operational: Avoid doing the ldb_attr_cmp if bypass flag is not set
Most of the time this flag is not set and so we can avoid the strcasecmp
in ldb_attr_cmp()
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Thu Jan 17 17:10:32 CET 2013 on sn-devel-104
commit a0faf16ae9aefc4963b2583970509b1b23e27ce1
Author: Andrew Bartlett <abart...@samba.org>
Date: Sat Nov 17 13:49:00 2012 +1100
torture: Fix fsmo test to use correct -H samba-tool syntax
However, the test still does not pass.
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 18d7e5df0eb8fb593e66daf25d142584f44b5b87
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Jan 15 09:56:46 2013 +1100
dsdb: Do not hold the transaction over the IRPC call to perform a role
transfer
This avoids one samba process locking out another from the DB.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit b40d134bc1866dd7e5b5e7dfc5bf01f6d55b1c1f
Author: Andrew Bartlett <abart...@samba.org>
Date: Sun Jan 13 13:03:13 2013 +1100
selftest: also skip raw.search as it also spins
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 316fd085ad2b587b82d817358240f84ae054a543
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 20 14:59:17 2012 +1100
drs-fsmo: Improve handling of FSMO role takeover.
This needs to be more async, and give less scary errors.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 1 -
selftest/skip | 1 +
source4/dsdb/repl/drepl_fsmo.c | 5 +--
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
source4/dsdb/samdb/ldb_modules/rootdse.c | 38 ++++++++++++++++++++++++-
source4/rpc_server/drsuapi/getncchanges.c | 3 +-
source4/torture/drs/python/fsmo.py | 4 +-
7 files changed, 44 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index bdeb92b..39485af 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -135,7 +135,6 @@
^samba4.smb2.acls.*.owner
^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
#^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.*
-^samba4.drs.fsmo.python
^samba4.libsmbclient.opendir.opendir # This requires netbios browsing
^samba4.rpc.drsuapi.*.drsuapi.DsGetDomainControllerInfo\(.*\)$
^samba4.rpc.drsuapi.*.drsuapi.DsCrackNames\(.*\)$
diff --git a/selftest/skip b/selftest/skip
index 43866bb..5c49306 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -107,3 +107,4 @@ bench # don't run benchmarks in our selftest
^samba4.rpc.unixinfo # This contains a server-side getpwuid call which hangs
the server when nss_winbindd is in use
^samba.tests.dcerpc.unix # This contains a server-side getpwuid call which
hangs the server when nss_winbindd is in use
base.dir2 # This test spins on modern ext4, so we have to skip it
+raw.search # This test spins on modern ext4, so we have to skip it
diff --git a/source4/dsdb/repl/drepl_fsmo.c b/source4/dsdb/repl/drepl_fsmo.c
index 0e83982..37fb684 100644
--- a/source4/dsdb/repl/drepl_fsmo.c
+++ b/source4/dsdb/repl/drepl_fsmo.c
@@ -108,9 +108,8 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
return NT_STATUS_OK;
}
- if (is_us ||
- (extended_op == DRSUAPI_EXOP_NONE)) {
- DEBUG(0,("FSMO role check failed for DN %s and owner %s \n",
+ if (is_us) {
+ DEBUG(5,("FSMO role check failed, we already own DN %s with
%s\n",
ldb_dn_get_linearized(fsmo_role_dn),
ldb_dn_get_linearized(role_owner_dn)));
r->out.result = WERR_OK;
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c
b/source4/dsdb/samdb/ldb_modules/operational.c
index c642ad8..b1122b3 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -612,7 +612,7 @@ struct op_controls_flags {
};
static bool check_keep_control_for_attribute(struct op_controls_flags*
controls_flags, const char* attr) {
- if (ldb_attr_cmp(attr, "msDS-KeyVersionNumber") == 0 &&
controls_flags->bypassoperational) {
+ if (controls_flags->bypassoperational && ldb_attr_cmp(attr,
"msDS-KeyVersionNumber") == 0 ) {
return true;
}
return false;
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c
b/source4/dsdb/samdb/ldb_modules/rootdse.c
index ba71b5f..eaf6451 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1297,6 +1297,7 @@ static int rootdse_add(struct ldb_module *module, struct
ldb_request *req)
struct fsmo_transfer_state {
struct ldb_context *ldb;
struct ldb_request *req;
+ struct ldb_module *module;
};
/*
@@ -1307,6 +1308,7 @@ static void rootdse_fsmo_transfer_callback(struct
tevent_req *treq)
struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq,
struct fsmo_transfer_state);
NTSTATUS status;
WERROR werr;
+ int ret;
struct ldb_request *req = fsmo->req;
struct ldb_context *ldb = fsmo->ldb;
@@ -1314,16 +1316,31 @@ static void rootdse_fsmo_transfer_callback(struct
tevent_req *treq)
talloc_free(fsmo);
if (!NT_STATUS_IS_OK(status)) {
ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s",
nt_errstr(status));
+ /*
+ * Now that it is failed, start the transaction up
+ * again so the wrappers can close it without additional error
+ */
+ ldb_next_start_trans(fsmo->module);
ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
return;
}
if (!W_ERROR_IS_OK(werr)) {
ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s",
win_errstr(werr));
+ /*
+ * Now that it is failed, start the transaction up
+ * again so the wrappers can close it without additional error
+ */
+ ldb_next_start_trans(fsmo->module);
ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
return;
}
- ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
+ /*
+ * Now that it is done, start the transaction up again so the
+ * wrappers can close it without error
+ */
+ ret = ldb_next_start_trans(fsmo->module);
+ ldb_module_done(req, NULL, NULL, ret);
}
static int rootdse_become_master(struct ldb_module *module,
@@ -1358,6 +1375,13 @@ static int rootdse_become_master(struct ldb_module
*module,
"RODC cannot become a role master.");
}
+ /*
+ * We always delete the transaction, not commit it, because
+ * this gives the least supprise to this supprising action (as
+ * we will never record anything done to this point
+ */
+ ldb_next_del_trans(module);
+
msg = imessaging_client_init(tmp_ctx, lp_ctx,
ldb_get_event_context(ldb));
if (!msg) {
@@ -1376,10 +1400,20 @@ static int rootdse_become_master(struct ldb_module
*module,
}
fsmo->ldb = ldb;
fsmo->req = req;
+ fsmo->module = module;
- /* we send the call asynchronously, as the ldap client is
+ /*
+ * we send the call asynchronously, as the ldap client is
* expecting to get an error back if the role transfer fails
+ *
+ * We need more than the default 10 seconds IRPC allows, so
+ * set a longer timeout (default ldb timeout is 300 seconds).
+ * We send an async reply when we are done.
+ *
+ * We are the first module, so don't bother working out how
+ * long we have spent so far.
*/
+ dcerpc_binding_handle_set_timeout(irpc_handle, req->timeout);
treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb),
irpc_handle, role);
if (treq == NULL) {
diff --git a/source4/rpc_server/drsuapi/getncchanges.c
b/source4/rpc_server/drsuapi/getncchanges.c
index c3fd000..575d037 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2022,7 +2022,8 @@ allowed:
werr = drsuapi_UpdateRefs(b_state, mem_ctx, &ureq);
if (!W_ERROR_IS_OK(werr)) {
- DEBUG(0,(__location__ ": Failed UpdateRefs in
DsGetNCChanges - %s\n",
+ DEBUG(0,(__location__ ": Failed UpdateRefs on %s for %s
in DsGetNCChanges - %s\n",
+ drs_ObjectIdentifier_to_string(mem_ctx,
ncRoot), ureq.dest_dsa_dns_name,
win_errstr(werr)));
}
}
diff --git a/source4/torture/drs/python/fsmo.py
b/source4/torture/drs/python/fsmo.py
index f1fa6ef..8a1e9ff 100644
--- a/source4/torture/drs/python/fsmo.py
+++ b/source4/torture/drs/python/fsmo.py
@@ -61,8 +61,8 @@ class DrsFsmoTestCase(drs_base.DrsBaseTestCase):
creds = self.get_credentials()
cmd_line_auth = "-U%s/%s%%%s" % (creds.get_domain(),
creds.get_username(),
creds.get_password())
- # bin/samba-tool fsmo transfer --role=role --url=ldap://DC:389
- cmd_line = "%s fsmo transfer --role=%s --url=ldap://%s:389 %s" %
(net_cmd, role, DC,
+ # bin/samba-tool fsmo transfer --role=role -H ldap://DC:389
+ cmd_line = "%s fsmo transfer --role=%s -H ldap://%s:389 %s" %
(net_cmd, role, DC,
cmd_line_auth)
ret = os.system(cmd_line)
self.assertEquals(ret, 0, "Transferring role %s to %s has failed!" %
(role, DC))
--
Samba Shared Repository
