The branch, master has been updated via 5d73bb4acd7 s3:utils: Use talloc instead of malloc functions via b9d93eccbc0 s3:util: Use a talloc stackframe in rpc_trustdom_establish() via e844f483bd8 s3:utils: Use a destructor in rpc_trustdom_establish() via 77a4ff5435b s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish() via 78f03c386c1 python: Add test for checking the SHA256SUM via f5de1f8585e python:netcmd: Create a SHA256SUM file with checksums via e584350a550 python:netcmd: Only put regular files into the tarball via 9fb57dab377 s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads' via 1185410a0d7 s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c from ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5d73bb4acd7cf062b9fd1a9ea6721e41a5e721fb Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 6 17:37:32 2024 +0200 s3:utils: Use talloc instead of malloc functions Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Jun 6 21:32:53 UTC 2024 on atb-devel-224 commit b9d93eccbc03f135ea14a8bd3a4f5b16ed0bbdc6 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 09:55:15 2024 +0200 s3:util: Use a talloc stackframe in rpc_trustdom_establish() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e844f483bd825741d3532d3304c822ab02cf96b5 Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 6 17:31:10 2024 +0200 s3:utils: Use a destructor in rpc_trustdom_establish() 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 77a4ff5435be5b80e96d7f85e71aac1949c5cff9 Author: Andreas Schneider <a...@samba.org> Date: Tue Apr 30 09:46:33 2024 +0200 s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish() This is not used anywhere in that functions or the functions we are calling. It was replaced by command line cli credentials stored in c->creds. This fixes a memory leak. Direct leak of 12 byte(s) in 1 object(s) allocated from: #0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578 #1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752 #2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591 #3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464 #4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483 #5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464 #6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413 #7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464 #8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436 #9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 78f03c386c14b9e773763a8c41fdc1689a4f284d Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 6 10:12:08 2024 +0200 python: Add test for checking the SHA256SUM Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f5de1f8585e1d4eda9530eee87046277a2c793e7 Author: Andreas Schneider <a...@samba.org> Date: Wed Feb 15 08:10:03 2023 +0100 python:netcmd: Create a SHA256SUM file with checksums This allows to verify the backup tarball contents with: sha256sum -c SHA256SUM 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e584350a550f7ec2008721ecafb254af92ed7525 Author: Andreas Schneider <a...@samba.org> Date: Wed Feb 15 08:05:42 2023 +0100 python:netcmd: Only put regular files into the tarball We also have ldapi, other sockets or pipes around, we don't want to add. This will be relevant for adding checksums later. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9fb57dab377e53c9bd8450dda51a164bc712dca3 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jun 6 10:39:33 2024 +0200 s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads' Otherwise we don't get the correct header include paths and krb5.h in a non default location won't be found. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1185410a0d717e22b359e11a538a08c0352e8703 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jun 6 10:38:48 2024 +0200 s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/netcmd/domain/backup.py | 27 ++++++++++- python/samba/tests/domain_backup.py | 29 ++++++++++-- source3/libsmb/namequery.c | 1 - source3/utils/net_rpc.c | 89 ++++++++++++------------------------ source3/utils/wscript_build | 2 +- 5 files changed, 80 insertions(+), 68 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/domain/backup.py b/python/samba/netcmd/domain/backup.py index a9a5a5beacf..b27105116dc 100644 --- a/python/samba/netcmd/domain/backup.py +++ b/python/samba/netcmd/domain/backup.py 
@@ -56,6 +56,7 @@ from samba.dsdb import _dsdb_load_udv_v2 from samba.ndr import ndr_pack from samba.credentials import SMB_SIGNING_REQUIRED from samba import safe_tarfile as tarfile +import hashlib # work out a SID (based on a free RID) to use when the domain gets restored. @@ -133,6 +134,14 @@ def backup_filepath(targetdir, name, time_str): return os.path.join(targetdir, filename) +def create_sha256sum(filename): + hash = hashlib.new('sha256') + with open(filename, "rb") as f: + for chunk in iter(lambda: f.read(65536), b""): + hash.update(chunk) + return hash.hexdigest() + + def create_backup_tar(logger, tmpdir, backup_filepath): # Adds everything in the tmpdir into a new tar file logger.info("Creating backup file %s..." % backup_filepath) @@ -1228,20 +1237,36 @@ class cmd_domain_backup_offline(samba.netcmd.Command): os.remove(backup_fn) logger.info('building backup tar') + + chksum_list = [] + for path in all_files: arc_path = self.get_arc_path(path, paths) if os.path.exists(path + self.backup_ext): logger.info(' adding backup ' + arc_path + self.backup_ext + ' to tar and deleting file') + chksum_list.append( + "%s %s" % (create_sha256sum(path + self.backup_ext), + arc_path)) tar.add(path + self.backup_ext, arcname=arc_path) os.remove(path + self.backup_ext) elif path.endswith('.ldb') or path.endswith('.tdb'): logger.info(' skipping ' + arc_path) - else: + elif os.path.isfile(path): logger.info(' adding misc file ' + arc_path) + chksum_list.append("%s %s" % + (create_sha256sum(path), + arc_path)) tar.add(path, arcname=arc_path) + chksum_filepath = os.path.join(temp_tar_dir, "SHA256SUM") + with open(chksum_filepath, "w") as f: + for c in chksum_list: + f.write(c + '\n') + tar.add(chksum_filepath, os.path.basename(chksum_filepath)) + os.remove(chksum_filepath) + tar.close() os.rename(temp_tar_name, os.path.join(targetdir, diff --git a/python/samba/tests/domain_backup.py b/python/samba/tests/domain_backup.py index c2ba2db0b08..7ec5d3afa52 100644 
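Review bot: In `create_sha256sum()` the local variable is named `hash`, which shadows the Python builtin, and the function has no docstring stating what it returns. I would write `digest = hashlib.sha256()` and add `"""Return the hex SHA-256 digest of the contents of filename."""` as the first line of the body.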
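Review bot: In the `for path in all_files` loop each file is read twice, once by `create_sha256sum()` and again by `tar.add()`. A misc file that changes between the two reads lands in the archive with a digest that no longer matches, so `sha256sum -c` would fail on an otherwise usable backup; a comment should state that the files must not change while this loop runs. The `SHA256SUM` block should also carry a comment such as `# SHA256SUM is stored inside the same tarball: it detects corruption, not deliberate modification`, because anyone able to rewrite the archive can rewrite the list too. Authenticity needs a digest or signature kept outside the tarball. The loop sits inside a method that starts and ends outside this hunk.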
--- a/python/samba/tests/domain_backup.py +++ b/python/samba/tests/domain_backup.py @@ -17,12 +17,14 @@ from samba import provision, param import os import shutil +import subprocess from samba.tests import (env_loadparm, create_test_ou, BlackboxProcessError, BlackboxTestCase, connect_samdb) import ldb from samba.samdb import SamDB from samba.auth import system_session from samba import Ldb, dn_from_dns_name +from samba.netcmd import CommandError from samba.netcmd.fsmo import get_fsmo_roleowner import re from samba import sites @@ -131,13 +133,30 @@ class DomainBackupBase(BlackboxTestCase): extract_dir = self.restore_dir() with tarfile.open(backup_file) as tf: tf.extractall(extract_dir) + return extract_dir - def _test_backup_untar(self, primary_domain_secrets=0): + def _test_backup_untar( + self, + primary_domain_secrets=0, + verify_checksums=False + ): """Creates a backup, untars the raw files, and sanity-checks the DB""" backup_file = self.create_backup() - self.untar_backup(backup_file) - - private_dir = os.path.join(self.restore_dir(), "private") + extract_dir = self.untar_backup(backup_file) + + if (verify_checksums): + p = subprocess.Popen( + ["sha256sum", "-c", "SHA256SUM"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + cwd=extract_dir, + ) + (out, err) = p.communicate() + if p.returncode: + print("Error: " + err.decode('utf-8')) + raise CommandError('Failed to verify checksums') + + private_dir = os.path.join(extract_dir, "private") samdb_path = os.path.join(private_dir, "sam.ldb") lp = env_loadparm() samdb = SamDB(url=samdb_path, session_info=system_session(), lp=lp) @@ -612,7 +631,7 @@ class DomainBackupOffline(DomainBackupBase): self.base_cmd = ["domain", "backup", "offline"] def test_backup_untar(self): - self._test_backup_untar(primary_domain_secrets=1) + self._test_backup_untar(primary_domain_secrets=1, verify_checksums=True) def test_backup_restore_with_conf(self): self._test_backup_restore_with_conf() 
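Review bot: When `sha256sum -c` fails, the `if p.returncode:` branch prints only `err`, but the per-file `FAILED` lines are written to stdout, so the test log will not say which file mismatched; add `print("Output: " + out.decode('utf-8'))` next to the existing print. The check also covers only the files named in `SHA256SUM`. An assertion that every regular file under `extract_dir` other than `SHA256SUM` itself appears in that list would catch a later code path that adds a file to the tarball without recording its digest. `_test_backup_untar` continues past the end of this hunk.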
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 8f6a9b51f81..9a47f034d38 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -30,7 +30,6 @@ #include "libsmb/nmblib.h" #include "libsmb/unexpected.h" #include "../libcli/nbt/libnbt.h" -#include "libads/kerberos_proto.h" #include "lib/gencache.h" #include "librpc/gen_ndr/dns.h" #include "lib/util/util_net.h" diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index c7f0126c465..b04be2efea7 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6538,7 +6538,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, struct sockaddr_storage server_ss; struct rpc_pipe_client *pipe_hnd = NULL; struct policy_handle connect_hnd; - TALLOC_CTX *mem_ctx; + TALLOC_CTX *frame = talloc_stackframe(); NTSTATUS nt_status, result; struct dom_sid *domain_sid; char* domain_name; @@ -6553,6 +6553,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, }, }; uint32_t out_version = 0; + int rc = -1; /* * Connect to \\server\ipc$ as 'our domain' account with password 
@@ -6562,38 +6563,25 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, d_printf("%s\n%s", _("Usage:"), _("net rpc trustdom establish <domain_name>\n")); - return -1; + goto out; } - domain_name = smb_xstrdup(argv[0]); - if (!strupper_m(domain_name)) { - SAFE_FREE(domain_name); - return -1; + domain_name = talloc_strdup_upper(frame, argv[0]); + if (domain_name == NULL) { + goto out; } /* account name used at first is our domain's name with '$' */ - if (asprintf(&acct_name, "%s$", lp_workgroup()) == -1) { - return -1; - } - if (!strupper_m(acct_name)) { - SAFE_FREE(domain_name); - SAFE_FREE(acct_name); - return -1; + acct_name = talloc_asprintf_strupper_m(frame, "%s$", lp_workgroup()); + if (acct_name == NULL) { + goto out; } cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED); - /* - * opt_workgroup will be used by connection functions further, - * hence it should be set to remote domain name instead of ours - */ - if (c->opt_workgroup) { - c->opt_workgroup = smb_xstrdup(domain_name); - }; - /* find the domain controller */ if (!net_find_pdc(&server_ss, pdc_name, domain_name)) { DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name)); - return -1; + goto out; } /* connect to ipc$ as username/password */ @@ -6603,7 +6591,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, /* Is it trusting domain account for sure ? */ DEBUG(0, ("Couldn't verify trusting domain account. Error was %s\n", nt_errstr(nt_status))); - return -1; + goto out; } /* store who we connected to */ 
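Review bot: The new `goto out` paths in this hunk (usage error, failed `talloc_strdup_upper()`, failed `talloc_asprintf_strupper_m()`, `net_find_pdc()` failure) reach `cli_shutdown(cli)` at the `out:` label before any connection has been made. That is safe only if `cli` is initialised to NULL at its declaration and `cli_shutdown()` accepts NULL. Neither is visible in these hunks, since the declaration sits above the context of the first net_rpc.c hunk. A comment at the label, `/* cli may still be NULL here; cli_shutdown() must tolerate that */`, would record the assumption. The `out:` label itself is in the last net_rpc.c hunk.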
@@ -6620,23 +6608,15 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't connect to domain %s controller. Error was %s.\n", domain_name, nt_errstr(nt_status))); - return -1; + goto out; } - if (!(mem_ctx = talloc_init("establishing trust relationship to " - "domain %s", domain_name))) { - DEBUG(0, ("talloc_init() failed\n")); - cli_shutdown(cli); - return -1; - } /* Make sure we're talking to a proper server */ - nt_status = rpc_trustdom_get_pdc(c, cli, mem_ctx, domain_name); + nt_status = rpc_trustdom_get_pdc(c, cli, frame, domain_name); if (!NT_STATUS_IS_OK(nt_status)) { - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } /* @@ -6647,15 +6627,13 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, &pipe_hnd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) )); - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } b = pipe_hnd->binding_handle; nt_status = dcerpc_lsa_open_policy_fallback(b, - mem_ctx, + frame, pipe_hnd->srv_name_slash, true, KEY_QUERY_VALUE, @@ -6666,14 +6644,12 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, if (any_nt_status_not_ok(nt_status, result, &nt_status)) { DBG_ERR("Couldn't open policy handle: %s\n", nt_errstr(nt_status)); - cli_shutdown(cli); - talloc_free(mem_ctx); - return -1; + goto out; } /* Querying info level 5 */ - nt_status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx, + nt_status = dcerpc_lsa_QueryInfoPolicy(b, frame, &connect_hnd, LSA_POLICY_INFO_ACCOUNT_DOMAIN, &info, 
@@ -6681,16 +6657,12 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("LSA Query Info failed. Returned error was %s\n", nt_errstr(nt_status))); - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } if (NT_STATUS_IS_ERR(result)) { DEBUG(0, ("LSA Query Info failed. Returned error was %s\n", nt_errstr(result))); - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } domain_sid = info->account_domain.sid; @@ -6706,30 +6678,27 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, if (!pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)) { DEBUG(0, ("Storing password for trusted domain failed.\n")); - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } /* * Close the pipes and clean up */ - nt_status = dcerpc_lsa_Close(b, mem_ctx, &connect_hnd, &result); + nt_status = dcerpc_lsa_Close(b, frame, &connect_hnd, &result); if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n", nt_errstr(nt_status))); - cli_shutdown(cli); - talloc_destroy(mem_ctx); - return -1; + goto out; } - cli_shutdown(cli); - - talloc_destroy(mem_ctx); - d_printf(_("Trust to domain %s established\n"), domain_name); - return 0; + + rc = 0; +out: + cli_shutdown(cli); + TALLOC_FREE(frame); + return rc; } /** diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build index ca57e8004f2..e486af0ac6d 100644 --- a/source3/utils/wscript_build +++ b/source3/utils/wscript_build @@ -9,7 +9,7 @@ bld.SAMBA3_SUBSYSTEM('CONN_TDB', bld.SAMBA3_SUBSYSTEM('DNS_UTIL', source='net_dns.c net_ads_join_dns.c', - deps='addns') + deps='addns ads') bld.SAMBA3_BINARY('profiles', source='profiles.c', -- Samba Shared Repository