The branch, master has been updated
       via  60cae0a dsdb: Add comment explaining requirements on DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
       via  5561218 dsdb: Do not prevent searches for @ATTRIBUTES because the DB is not set up yet
       via  ec9b1e8 dsdb: Do not run dsdb_replace() on the calculated difference between old and new schema
       via  5067bce selftest: confirm that two attributes are also correctly set in the @ records
       via  cccd578 selftest: Fix failure message in dsdb_schema_info
       via  b4ae820 krb5_wrap: handle KRB5_ERR_HOST_REALM_UNKNOWN in smb_krb5_get_realm_from_hostname()
       via  3d96b09 s4:gensec_gssapi: fix CID 1409781: Possible Control flow issues (DEADCODE)
       via  1b88c5d selftest: Also wait for winbindd to start
       via  8d53ff1 selftest: Correctly print message when nbt is not up in 20 seconds
       via  1fe7ec2 tevent_threads: Fix a rundown race introduced with 1828011317b
      from  aafc1c2 dsdb: Remember the last ACL we read during a search and what it expanded to

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 60cae0a7045a43f5da5c00e95308f2e1ec1b3161
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Jun 10 19:23:34 2017 +1200

    dsdb: Add comment explaining requirements on DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Fri Jun 16 23:43:46 CEST 2017 on sn-devel-144

commit 5561218d2811aa5e226d29bf2880e84a56bac904
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 8 23:17:20 2017 +1200

    dsdb: Do not prevent searches for @ATTRIBUTES because the DB is not set up yet

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ec9b1e881c3eef503d6b4b311594113acf7d47d8
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jun 7 10:44:50 2017 +1200

    dsdb: Do not run dsdb_replace() on the calculated difference between old and new schema

    We can set the database @INDEXLIST and @ATTRIBUTES to the full calculated
    values, not the difference, and let the ldb layer work it out under the
    transaction lock.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5067bceaa21fe86fa77a1aeb88a4bce3ba07e479
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jun 16 14:13:42 2017 +1200

    selftest: confirm that two attributes are also correctly set in the @ records

    This shows that the current behaviour in
    dsdb_schema_set_indices_and_attributes(), while not ideal, is not
    actually buggy.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit cccd5786f06a23d142d3a4cf75039d80b9987433
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jun 14 13:11:56 2017 +1200

    selftest: Fix failure message in dsdb_schema_info

    The rename changes the CN, not the lDAPDisplayName

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b4ae820648dcbc265a89d271538c5e97137a8353
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Jun 11 23:19:01 2017 +0200

    krb5_wrap: handle KRB5_ERR_HOST_REALM_UNKNOWN in smb_krb5_get_realm_from_hostname()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3d96b093b7d24534ae091b626ea044c6bae7930d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 23 15:05:25 2017 +0200

    s4:gensec_gssapi: fix CID 1409781: Possible Control flow issues (DEADCODE)

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1b88c5d4c0e5da2e4092a06f6cd6bf3c8b767883
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 15 16:20:11 2017 +1200

    selftest: Also wait for winbindd to start

    This ensures that the posixacl.py test does not race against winbindd
    starting up and so give wrong mappings

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8d53ff10f8912f31e491b554d45aa0c9be041487
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 15 16:19:17 2017 +1200

    selftest: Correctly print message when nbt is not up in 20 seconds

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1fe7ec237a7036d76764ef1981de6b3000b2cfd3
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Jun 15 11:48:24 2017 +0200

    tevent_threads: Fix a rundown race introduced with 1828011317b

    The race is easily reproduced by adding a poll(NULL,0,10) in between the
    two pthread_mutex_unlock calls in _tevent_threaded_schedule_immediate.

    Before 1828011317b, the main thread was signalled only after the helper
    had already unlocked event_ctx_mutex.

    Full explanation follows:
    -----------------------------------------------------------------

    Inside _tevent_threaded_schedule_immediate() we have:

    476         ret = pthread_mutex_unlock(&ev->scheduled_mutex);
    477         if (ret != 0) {
    478                 abort();
    479         }

    HERE!!!!

    481         ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
    482         if (ret != 0) {
    483                 abort();
    484         }

    At the HERE!!! point, what happens is
    tevent_common_threaded_activate_immediate(), which is blocked on
    ev->scheduled_mutex, gets released and does:

    514         while (ev->scheduled_immediates != NULL) {
    515                 struct tevent_immediate *im = ev->scheduled_immediates;
    516                 DLIST_REMOVE(ev->scheduled_immediates, im);
    517                 DLIST_ADD_END(ev->immediate_events, im);
    518         }

    - making an immediate event ready to be scheduled.

    This then returns into epoll_event_loop_once(), which then calls:

    910         if (ev->immediate_events &&
    911             tevent_common_loop_immediate(ev)) {
    912                 return 0;
    913         }

    which causes the immediate event to fire.

    This immediate event is the pthread job terminate event, which was
    previously set up in pthreadpool_tevent_job_signal() by:

    198         if (state->tctx != NULL) {
    199                 /* with HAVE_PTHREAD */
    200                 tevent_threaded_schedule_immediate(state->tctx, state->im,
    201                                                    pthreadpool_tevent_job_done,
    202                                                    state);

    So we now call pthreadpool_tevent_job_done() - which does:

    225         TALLOC_FREE(state->tctx);

    calling tevent_threaded_context_destructor():

    384         ret = pthread_mutex_destroy(&tctx->event_ctx_mutex); <---------------- BOOM returns an error !
    385         if (ret != 0) {
    386                 abort();
    387         }

    as we haven't gotten to line 481 above (the line after HERE!!!!) so the
    tctx->event_ctx_mutex is still locked when we try to destroy it.

    So doing an additional:

            ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
            ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);

    (error checking elided) forces tevent_threaded_context_destructor() to
    wait until tctx->event_ctx_mutex is unlocked before it locks/unlocks and
    then is guaranteed safe to destroy.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c                    |    4 +++
 lib/tevent/tevent_threads.c                   |   17 +++++++++++
 python/samba/tests/dsdb_schema_attributes.py  |   41 +++++++++++++++++++++++++--
 selftest/target/Samba4.pm                     |   24 +++++++++++++++-
 source4/auth/gensec/gensec_gssapi.c           |    5 +++-
 source4/dsdb/samdb/ldb_modules/schema_load.c  |    3 +-
 source4/dsdb/samdb/ldb_modules/show_deleted.c |    5 ++++
 source4/dsdb/schema/schema_set.c              |   14 +++++++--
 source4/dsdb/tests/python/dsdb_schema_info.py |    4 +--
 9 files changed, 108 insertions(+), 9 deletions(-)

Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 2e43f79..0c8b402 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c
@@ -2669,6 +2669,10 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, } kerr = krb5_get_host_realm(ctx, hostname, &realm_list); + if (kerr == KRB5_ERR_HOST_REALM_UNKNOWN) { + realm_list = NULL; + kerr = 0; + } if (kerr != 0) { DEBUG(3,("kerberos_get_realm_from_hostname %s: " "failed %s\n", diff --git a/lib/tevent/tevent_threads.c b/lib/tevent/tevent_threads.c index 8ecda02..4d1a880 100644 --- a/lib/tevent/tevent_threads.c +++ b/lib/tevent/tevent_threads.c @@ -381,6 +381,23 @@ static int tevent_threaded_context_destructor( DLIST_REMOVE(tctx->event_ctx->threaded_contexts, tctx); } + /* + * We have to coordinate with _tevent_threaded_schedule_immediate's + * unlock of the event_ctx_mutex. We're in the main thread here, + * and we can be scheduled before the helper thread finalizes its + * call _tevent_threaded_schedule_immediate. This means we would + * pthreadpool_destroy a locked mutex, which is illegal. + */ + ret = pthread_mutex_lock(&tctx->event_ctx_mutex); + if (ret != 0) { + abort(); + } + + ret = pthread_mutex_unlock(&tctx->event_ctx_mutex); + if (ret != 0) { + abort(); + } + ret = pthread_mutex_destroy(&tctx->event_ctx_mutex); if (ret != 0) { abort(); diff --git a/python/samba/tests/dsdb_schema_attributes.py b/python/samba/tests/dsdb_schema_attributes.py index 28f9078..df6c8bb 100644 --- a/python/samba/tests/dsdb_schema_attributes.py +++ b/python/samba/tests/dsdb_schema_attributes.py @@ -112,9 +112,7 @@ systemOnly: FALSE self.assertIn(attr_ldap_name, [str(x) for x in idx_res[0]["@IDXATTR"]]) - def test_AddUnIndexedAttribute(self): - # create names for an attribute to add (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("schemaAttributes-Attr-") ldif = self._make_attr_ldif(attr_name, attr_dn, 2) 
@@ -136,3 +134,42 @@ systemOnly: FALSE idx_res = self.samdb.search(base="@INDEXLIST", scope=ldb.SCOPE_BASE) self.assertNotIn(attr_ldap_name, [str(x) for x in idx_res[0]["@IDXATTR"]]) + + + def test_AddTwoIndexedAttributes(self): + # create names for an attribute to add + (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("schemaAttributes-Attr-") + ldif = self._make_attr_ldif(attr_name, attr_dn, 3, + "searchFlags: %d" % samba.dsdb.SEARCH_FLAG_ATTINDEX) + + # add the new attribute + self.samdb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # create names for an attribute to add + (attr_name2, attr_ldap_name2, attr_dn2) = self._make_obj_names("schemaAttributes-Attr-") + ldif = self._make_attr_ldif(attr_name2, attr_dn2, 4, + "searchFlags: %d" % samba.dsdb.SEARCH_FLAG_ATTINDEX) + + # add the new attribute + self.samdb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # Check @ATTRIBUTES + + attr_res = self.samdb.search(base="@ATTRIBUTES", scope=ldb.SCOPE_BASE) + + self.assertIn(attr_ldap_name, attr_res[0]) + self.assertEquals(len(attr_res[0][attr_ldap_name]), 1) + self.assertEquals(attr_res[0][attr_ldap_name][0], "CASE_INSENSITIVE") + + self.assertIn(attr_ldap_name2, attr_res[0]) + self.assertEquals(len(attr_res[0][attr_ldap_name2]), 1) + self.assertEquals(attr_res[0][attr_ldap_name2][0], "CASE_INSENSITIVE") + + # Check @INDEXLIST + + idx_res = self.samdb.search(base="@INDEXLIST", scope=ldb.SCOPE_BASE) + + self.assertIn(attr_ldap_name, [str(x) for x in idx_res[0]["@IDXATTR"]]) + self.assertIn(attr_ldap_name2, [str(x) for x in idx_res[0]["@IDXATTR"]]) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 316ef83..ea81d7d 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -207,7 +207,7 @@ sub wait_for_start($$) } $count++; } while ($ret != 0 && $count < 20); - if ($count == 10) { + if ($count == 20) { warn("nbt not reachable after 20 retries\n"); teardown_env($self, $testenv_vars); return 0; 
@@ -245,6 +245,28 @@ sub wait_for_start($$) sleep(1); } } + + my $wbinfo = Samba::bindir_path($self, "wbinfo"); + + $count = 0; + do { + my $cmd = "NSS_WRAPPER_PASSWD=$testenv_vars->{NSS_WRAPPER_PASSWD} "; + $cmd .= "NSS_WRAPPER_GROUP=$testenv_vars->{NSS_WRAPPER_GROUP} "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=$testenv_vars->{SELFTEST_WINBINDD_SOCKET_DIR} "; + $cmd .= "$wbinfo -p"; + $ret = system($cmd); + + if ($ret != 0) { + sleep(1); + } + $count++; + } while ($ret != 0 && $count < 20); + if ($count == 20) { + warn("winbind not reachable after 20 retries\n"); + teardown_env($self, $testenv_vars); + return 0; + } + print $self->getlog_env($testenv_vars); return $ret diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 8bc5452..a61b2b2 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -457,10 +457,11 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec switch (gensec_security->gensec_role) { case GENSEC_CLIENT: { - bool fallback = false; #ifdef SAMBA4_USES_HEIMDAL struct gsskrb5_send_to_kdc send_to_kdc; krb5_error_code ret; +#else + bool fallback = false; #endif nt_status = gensec_gssapi_client_creds(gensec_security, ev); @@ -581,10 +582,12 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec return NT_STATUS_NO_MEMORY; } +#ifndef SAMBA4_USES_HEIMDAL if (fallback && strequal(client_realm, server_realm)) { goto init_sec_context_done; } +#endif /* !SAMBA4_USES_HEIMDAL */ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, target_principal, diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c index 6ffa465..a2f8e57 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_load.c +++ b/source4/dsdb/samdb/ldb_modules/schema_load.c 
@@ -512,12 +512,13 @@ static int schema_load_del_transaction(struct ldb_module *module) return ldb_next_del_trans(module); } +/* This is called in a transaction held by the callers */ static int schema_load_extended(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb = ldb_module_get_ctx(module); struct dsdb_schema *schema; int ret; - + if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID) != 0) { return ldb_next_request(module, req); } diff --git a/source4/dsdb/samdb/ldb_modules/show_deleted.c b/source4/dsdb/samdb/ldb_modules/show_deleted.c index 773dcfb..6b5fdaa 100644 --- a/source4/dsdb/samdb/ldb_modules/show_deleted.c +++ b/source4/dsdb/samdb/ldb_modules/show_deleted.c @@ -51,6 +51,11 @@ static int show_deleted_search(struct ldb_module *module, struct ldb_request *re int ret; const char *attr_filter = NULL; + /* do not manipulate our control entries */ + if (ldb_dn_is_special(req->op.search.base)) { + return ldb_next_request(module, req); + } + ldb = ldb_module_get_ctx(module); state = talloc_get_type(ldb_module_get_private(module), struct show_deleted_state); diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c index 977c9e3..df27e19 100644 --- a/source4/dsdb/schema/schema_set.c +++ b/source4/dsdb/schema/schema_set.c @@ -174,7 +174,12 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb, goto op_error; } if (mod_msg->num_elements > 0) { - ret = dsdb_replace(ldb, mod_msg, 0); + /* + * Do the replace with the constructed message, + * to avoid needing a lock between this search + * and the replace + */ + ret = dsdb_replace(ldb, msg, 0); } talloc_free(mod_msg); } 
@@ -210,7 +215,12 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb, goto op_error; } if (mod_msg->num_elements > 0) { - ret = dsdb_replace(ldb, mod_msg, 0); + /* + * Do the replace with the constructed message, + * to avoid needing a lock between this search + * and the replace + */ + ret = dsdb_replace(ldb, msg_idx, 0); } talloc_free(mod_msg); } diff --git a/source4/dsdb/tests/python/dsdb_schema_info.py b/source4/dsdb/tests/python/dsdb_schema_info.py index 0ae95b3..f3452d6 100755 --- a/source4/dsdb/tests/python/dsdb_schema_info.py +++ b/source4/dsdb/tests/python/dsdb_schema_info.py @@ -141,7 +141,7 @@ systemOnly: FALSE try: self.sam_db.rename(attr_dn, attr_dn_new) except LdbError, (num, _): - self.fail("failed to change lDAPDisplayName for %s: %s" % (attr_name, _)) + self.fail("failed to change CN for %s: %s" % (attr_name, _)) # compare resulting schemaInfo schi_after = self._getSchemaInfo() @@ -187,7 +187,7 @@ systemOnly: FALSE try: self.sam_db.rename(class_dn, class_dn_new) except LdbError, (num, _): - self.fail("failed to change lDAPDisplayName for %s: %s" % (class_name, _)) + self.fail("failed to change CN for %s: %s" % (class_name, _)) # compare resulting schemaInfo schi_after = self._getSchemaInfo() -- Samba Shared Repository
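
Review bot: In lib/krb5_wrap/krb5_samba.c, the new KRB5_ERR_HOST_REALM_UNKNOWN branch turns the error into success with "realm_list = NULL; kerr = 0;" but has no comment saying why an unknown realm is not a failure here, and everything below the visible context now runs with a NULL realm_list. Add a one-line comment stating the intent, and make sure the code after the "if (kerr != 0)" block tests realm_list for NULL before indexing it.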
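
Review bot: In the comment added to tevent_threaded_context_destructor(), the last sentence says we would "pthreadpool_destroy a locked mutex", but the call that follows is pthread_mutex_destroy(&tctx->event_ctx_mutex); name that function, and read "finalizes its call to _tevent_threaded_schedule_immediate". The lock/unlock pair only works as a barrier if the helper thread never takes event_ctx_mutex again after that unlock, so the comment should state that assumption as well.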
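
Review bot: In selftest/target/Samba4.pm, the corrected test "if ($count == 20)" after the nbt loop is also true when the 20th attempt succeeds, because as the visible lines read $count++ runs on every pass and the loop then leaves with $ret == 0 and $count == 20. Test "$ret != 0" instead, so that a late success does not end in teardown_env().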
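
Review bot: The winbind wait loop added to wait_for_start() follows the same retry pattern as the nbt loop above it, including the "if ($count == 20)" exit test that cannot tell "gave up" from "succeeded on the last try". Move the retry into one helper that takes the command and the name used in the warning, and have it decide on $ret. The NSS_WRAPPER_PASSWD, NSS_WRAPPER_GROUP and SELFTEST_WINBINDD_SOCKET_DIR values are also placed unquoted into the string passed to system(), so a path containing a space breaks the command.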
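
Review bot: The comment added above schema_load_extended() ("This is called in a transaction held by the callers") does not say which request the requirement applies to, while the function forwards every OID other than DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID through ldb_next_request(). Name the OID in the comment so the requirement is tied to the schema update path. The hunk also rewrites a whitespace-only line after "int ret;", which is better kept out of a comment-only commit.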
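
Review bot: In the first schema_set.c hunk, the guard "if (mod_msg->num_elements > 0)" still decides whether anything is written on the basis of the earlier comparison, even though the replace now sends the full msg. The new comment says this avoids needing a lock between the search and the replace, which holds for the content written but not for the decision to write. Say in the comment that mod_msg is kept only as a changed-or-not test, or run the replace unconditionally if the ldb layer treats an identical replace as a no-op.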
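
Review bot: The five-line comment and the guarded dsdb_replace() call in the second schema_set.c hunk duplicate the first hunk word for word, once for msg and once for msg_idx, inside dsdb_schema_set_indices_and_attributes(). A small static helper that takes the constructed message and mod_msg would keep the two paths from drifting apart and leave one place for the explanation.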
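
The rundown race described in the tevent_threads commit message, and the lock/unlock handshake that closes it, as an added example that is not code from the commit or from tevent. The names struct demo, set_flag, wait_flag and locked_at_destroy are constructed; the helper is parked deterministically where the commit message used poll(NULL,0,10), and pthread_mutex_trylock stands in for pthread_mutex_destroy so that no locked mutex is ever destroyed.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

struct demo { /* constructed stand-ins for the tctx and ev fields */
	pthread_mutex_t event_ctx_mutex, scheduled_mutex;
	pthread_cond_t cond;
	bool scheduled, resume;
};
static void set_flag(struct demo *d, bool *flag) {
	pthread_mutex_lock(&d->scheduled_mutex);
	*flag = true;
	pthread_cond_broadcast(&d->cond);
	pthread_mutex_unlock(&d->scheduled_mutex);
}
static void wait_flag(struct demo *d, const bool *flag) {
	pthread_mutex_lock(&d->scheduled_mutex);
	while (!*flag) pthread_cond_wait(&d->cond, &d->scheduled_mutex);
	pthread_mutex_unlock(&d->scheduled_mutex);
}

/* Helper thread: hands the event over, then sits in the window before its last unlock. */
static void *helper(void *arg) {
	struct demo *d = arg;
	pthread_mutex_lock(&d->event_ctx_mutex);
	set_flag(d, &d->scheduled);  /* the main thread may run from here on */
	wait_flag(d, &d->resume);    /* deterministic stand-in for poll(NULL,0,10) */
	pthread_mutex_unlock(&d->event_ctx_mutex);
	return NULL;
}

/* True if event_ctx_mutex is still held where the destructor would destroy it. */
bool locked_at_destroy(bool handshake) {
	struct demo d = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER,
			  PTHREAD_COND_INITIALIZER, false, false };
	pthread_t t;
	if (pthread_create(&t, NULL, helper, &d) != 0) return true;
	wait_flag(&d, &d.scheduled);
	if (handshake) {
		set_flag(&d, &d.resume);                 /* helper proceeds to its unlock */
		pthread_mutex_lock(&d.event_ctx_mutex);  /* returns only after that unlock */
		pthread_mutex_unlock(&d.event_ctx_mutex);
	}
	int probe = pthread_mutex_trylock(&d.event_ctx_mutex); /* probe, not destroy */
	if (probe == 0) pthread_mutex_unlock(&d.event_ctx_mutex);
	set_flag(&d, &d.resume);
	pthread_join(t, NULL);
	return probe == EBUSY;
}
```

locked_at_destroy(false) models the destructor before the fix and finds the mutex still held; locked_at_destroy(true) adds the handshake and finds it free.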