The branch, master has been updated
       via  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions
       via  b9d93eccbc0 s3:util: Use a talloc stackframe in 
rpc_trustdom_establish()
       via  e844f483bd8 s3:utils: Use a destructor in rpc_trustdom_establish()
       via  77a4ff5435b s3:utils: Remove overwrite of opt_workgroup in  
rpc_trustdom_establish()
       via  78f03c386c1 python: Add test for checking the SHA256SUM
       via  f5de1f8585e python:netcmd: Create a SHA256SUM file with checksums
       via  e584350a550 python:netcmd: Only put regular files into the tarball
       via  9fb57dab377 s3:utils: DNS_UTIL depends on libads headers so we need 
to depend on 'ads'
       via  1185410a0d7 s3:libsmb: we no longer need libads/kerberos_proto.h in 
namequery.c
      from  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5d73bb4acd7cf062b9fd1a9ea6721e41a5e721fb
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 6 17:37:32 2024 +0200

    s3:utils: Use talloc instead of malloc functions
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun  6 21:32:53 UTC 2024 on atb-devel-224

commit b9d93eccbc03f135ea14a8bd3a4f5b16ed0bbdc6
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 09:55:15 2024 +0200

    s3:util: Use a talloc stackframe in rpc_trustdom_establish()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e844f483bd825741d3532d3304c822ab02cf96b5
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 6 17:31:10 2024 +0200

    s3:utils: Use a destructor in rpc_trustdom_establish()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 77a4ff5435be5b80e96d7f85e71aac1949c5cff9
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 30 09:46:33 2024 +0200

    s3:utils: Remove overwrite of opt_workgroup in  rpc_trustdom_establish()
    
    This is not used anywhere in that function or the functions we are
    calling. It was replaced by command line cli credentials stored in
    c->creds. This fixes a memory leak.
    
    Direct leak of 12 byte(s) in 1 object(s) allocated from:
        #0 0x7f17fdaf5830 in strdup 
../../../../libsanitizer/asan/asan_interceptors.cpp:578
        #1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
        #2 0x55f079bf0723 in rpc_trustdom_establish 
../../source3/utils/net_rpc.c:6591
        #3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
        #5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
        #7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
        #9 0x7f17f8a2a1ef in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 78f03c386c14b9e773763a8c41fdc1689a4f284d
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 6 10:12:08 2024 +0200

    python: Add test for checking the SHA256SUM
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f5de1f8585e1d4eda9530eee87046277a2c793e7
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 15 08:10:03 2023 +0100

    python:netcmd: Create a SHA256SUM file with checksums
    
    This allows verifying the backup tarball contents with:
    
      sha256sum -c SHA256SUM
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e584350a550f7ec2008721ecafb254af92ed7525
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 15 08:05:42 2023 +0100

    python:netcmd: Only put regular files into the tarball
    
    We also have ldapi, other sockets or pipes around, we don't want to
    add. This will be relevant for adding checksums later.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9fb57dab377e53c9bd8450dda51a164bc712dca3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jun 6 10:39:33 2024 +0200

    s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'
    
    Otherwise we don't get the correct header include paths and krb5.h in
    a non default location won't be found.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1185410a0d717e22b359e11a538a08c0352e8703
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jun 6 10:38:48 2024 +0200

    s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/domain/backup.py | 27 ++++++++++-
 python/samba/tests/domain_backup.py  | 29 ++++++++++--
 source3/libsmb/namequery.c           |  1 -
 source3/utils/net_rpc.c              | 89 ++++++++++++------------------------
 source3/utils/wscript_build          |  2 +-
 5 files changed, 80 insertions(+), 68 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain/backup.py 
b/python/samba/netcmd/domain/backup.py
index a9a5a5beacf..b27105116dc 100644
--- a/python/samba/netcmd/domain/backup.py
+++ b/python/samba/netcmd/domain/backup.py
@@ -56,6 +56,7 @@ from samba.dsdb import _dsdb_load_udv_v2
 from samba.ndr import ndr_pack
 from samba.credentials import SMB_SIGNING_REQUIRED
 from samba import safe_tarfile as tarfile
+import hashlib
 
 
 # work out a SID (based on a free RID) to use when the domain gets restored.
@@ -133,6 +134,14 @@ def backup_filepath(targetdir, name, time_str):
     return os.path.join(targetdir, filename)
 
 
+def create_sha256sum(filename):
+    hash = hashlib.new('sha256')
+    with open(filename, "rb") as f:
+        for chunk in iter(lambda: f.read(65536), b""):
+            hash.update(chunk)
+    return hash.hexdigest()
+
+
 def create_backup_tar(logger, tmpdir, backup_filepath):
     # Adds everything in the tmpdir into a new tar file
     logger.info("Creating backup file %s..." % backup_filepath)
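
Review bot: in create_sha256sum() the local variable `hash` shadows the Python builtin of the same name; rename it (for example `h` or `digest`), and consider `hashlib.sha256()` in place of `hashlib.new('sha256')`, which is the more common spelling. A one-line docstring saying that the function returns the hex digest of the file contents would also help, since it is called from the backup command further down.
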
@@ -1228,20 +1237,36 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
         os.remove(backup_fn)
 
         logger.info('building backup tar')
+
+        chksum_list = []
+
         for path in all_files:
             arc_path = self.get_arc_path(path, paths)
 
             if os.path.exists(path + self.backup_ext):
                 logger.info('   adding backup ' + arc_path + self.backup_ext +
                             ' to tar and deleting file')
+                chksum_list.append(
+                    "%s  %s" % (create_sha256sum(path + self.backup_ext),
+                                arc_path))
                 tar.add(path + self.backup_ext, arcname=arc_path)
                 os.remove(path + self.backup_ext)
             elif path.endswith('.ldb') or path.endswith('.tdb'):
                 logger.info('   skipping ' + arc_path)
-            else:
+            elif os.path.isfile(path):
                 logger.info('   adding misc file ' + arc_path)
+                chksum_list.append("%s  %s" %
+                                   (create_sha256sum(path),
+                                    arc_path))
                 tar.add(path, arcname=arc_path)
 
+        chksum_filepath = os.path.join(temp_tar_dir, "SHA256SUM")
+        with open(chksum_filepath, "w") as f:
+            for c in chksum_list:
+                f.write(c + '\n')
+        tar.add(chksum_filepath, os.path.basename(chksum_filepath))
+        os.remove(chksum_filepath)
+
         tar.close()
         os.rename(temp_tar_name,
                   os.path.join(targetdir,
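
Review bot: in the loop over all_files each file is read twice, once by create_sha256sum() and again by tar.add(), so a file that is modified between the two calls is archived with a digest that no longer matches, and `sha256sum -c SHA256SUM` will then fail on a backup that is otherwise fine. This matters most in the `elif os.path.isfile(path)` branch, which hashes the file in place rather than a backup_ext copy; a comment stating that nothing may write to these files during an offline backup, or hashing the same bytes that go into the archive, would close the gap. Two smaller points: arc_path is written unescaped into the `"%s  %s"` line, so a name containing a newline would produce an entry that `sha256sum -c` cannot parse, and because SHA256SUM is stored inside the same tarball it detects corruption only and should be documented as such, since anyone able to alter the archive can rewrite the list too.
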
diff --git a/python/samba/tests/domain_backup.py 
b/python/samba/tests/domain_backup.py
index c2ba2db0b08..7ec5d3afa52 100644
--- a/python/samba/tests/domain_backup.py
+++ b/python/samba/tests/domain_backup.py
@@ -17,12 +17,14 @@
 from samba import provision, param
 import os
 import shutil
+import subprocess
 from samba.tests import (env_loadparm, create_test_ou, BlackboxProcessError,
                          BlackboxTestCase, connect_samdb)
 import ldb
 from samba.samdb import SamDB
 from samba.auth import system_session
 from samba import Ldb, dn_from_dns_name
+from samba.netcmd import CommandError
 from samba.netcmd.fsmo import get_fsmo_roleowner
 import re
 from samba import sites
@@ -131,13 +133,30 @@ class DomainBackupBase(BlackboxTestCase):
         extract_dir = self.restore_dir()
         with tarfile.open(backup_file) as tf:
             tf.extractall(extract_dir)
+        return extract_dir
 
-    def _test_backup_untar(self, primary_domain_secrets=0):
+    def _test_backup_untar(
+        self,
+        primary_domain_secrets=0,
+        verify_checksums=False
+    ):
         """Creates a backup, untars the raw files, and sanity-checks the DB"""
         backup_file = self.create_backup()
-        self.untar_backup(backup_file)
-
-        private_dir = os.path.join(self.restore_dir(), "private")
+        extract_dir = self.untar_backup(backup_file)
+
+        if (verify_checksums):
+            p = subprocess.Popen(
+                ["sha256sum", "-c", "SHA256SUM"],
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                cwd=extract_dir,
+            )
+            (out, err) = p.communicate()
+            if p.returncode:
+                print("Error: " + err.decode('utf-8'))
+                raise CommandError('Failed to verify checksums')
+
+        private_dir = os.path.join(extract_dir, "private")
         samdb_path = os.path.join(private_dir, "sam.ldb")
         lp = env_loadparm()
         samdb = SamDB(url=samdb_path, session_info=system_session(), lp=lp)
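
Review bot: in the verify_checksums block of _test_backup_untar() the failure path prints only `err`, but `sha256sum -c` reports the per-file OK/FAILED results on stdout, so the name of the mismatching file is lost; include `out` in the message. Reporting through self.fail() or self.assertEqual(p.returncode, 0, ...) would fit a test case better than print() plus CommandError, and the parentheses in `if (verify_checksums):` are not needed. The check also covers only the files that are listed in SHA256SUM; comparing that list against the regular files found under extract_dir would catch a file that was added to the tarball without a checksum entry.
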
@@ -612,7 +631,7 @@ class DomainBackupOffline(DomainBackupBase):
         self.base_cmd = ["domain", "backup", "offline"]
 
     def test_backup_untar(self):
-        self._test_backup_untar(primary_domain_secrets=1)
+        self._test_backup_untar(primary_domain_secrets=1, 
verify_checksums=True)
 
     def test_backup_restore_with_conf(self):
         self._test_backup_restore_with_conf()
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 8f6a9b51f81..9a47f034d38 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -30,7 +30,6 @@
 #include "libsmb/nmblib.h"
 #include "libsmb/unexpected.h"
 #include "../libcli/nbt/libnbt.h"
-#include "libads/kerberos_proto.h"
 #include "lib/gencache.h"
 #include "librpc/gen_ndr/dns.h"
 #include "lib/util/util_net.h"
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index c7f0126c465..b04be2efea7 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6538,7 +6538,7 @@ static int rpc_trustdom_establish(struct net_context *c, 
int argc,
        struct sockaddr_storage server_ss;
        struct rpc_pipe_client *pipe_hnd = NULL;
        struct policy_handle connect_hnd;
-       TALLOC_CTX *mem_ctx;
+       TALLOC_CTX *frame = talloc_stackframe();
        NTSTATUS nt_status, result;
        struct dom_sid *domain_sid;
        char* domain_name;
@@ -6553,6 +6553,7 @@ static int rpc_trustdom_establish(struct net_context *c, 
int argc,
                },
        };
        uint32_t out_version = 0;
+       int rc = -1;
 
        /*
         * Connect to \\server\ipc$ as 'our domain' account with password
@@ -6562,38 +6563,25 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
                d_printf("%s\n%s",
                         _("Usage:"),
                         _("net rpc trustdom establish <domain_name>\n"));
-               return -1;
+               goto out;
        }
 
-       domain_name = smb_xstrdup(argv[0]);
-       if (!strupper_m(domain_name)) {
-               SAFE_FREE(domain_name);
-               return -1;
+       domain_name = talloc_strdup_upper(frame, argv[0]);
+       if (domain_name == NULL) {
+               goto out;
        }
 
        /* account name used at first is our domain's name with '$' */
-       if (asprintf(&acct_name, "%s$", lp_workgroup()) == -1) {
-               return -1;
-       }
-       if (!strupper_m(acct_name)) {
-               SAFE_FREE(domain_name);
-               SAFE_FREE(acct_name);
-               return -1;
+       acct_name = talloc_asprintf_strupper_m(frame, "%s$", lp_workgroup());
+       if (acct_name == NULL) {
+               goto out;
        }
        cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED);
 
-       /*
-        * opt_workgroup will be used by connection functions further,
-        * hence it should be set to remote domain name instead of ours
-        */
-       if (c->opt_workgroup) {
-               c->opt_workgroup = smb_xstrdup(domain_name);
-       };
-
        /* find the domain controller */
        if (!net_find_pdc(&server_ss, pdc_name, domain_name)) {
                DEBUG(0, ("Couldn't find domain controller for domain %s\n", 
domain_name));
-               return -1;
+               goto out;
        }
 
        /* connect to ipc$ as username/password */
@@ -6603,7 +6591,7 @@ static int rpc_trustdom_establish(struct net_context *c, 
int argc,
                /* Is it trusting domain account for sure ? */
                DEBUG(0, ("Couldn't verify trusting domain account. Error was 
%s\n",
                        nt_errstr(nt_status)));
-               return -1;
+               goto out;
        }
 
        /* store who we connected to */
@@ -6620,23 +6608,15 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
        if (NT_STATUS_IS_ERR(nt_status)) {
                DEBUG(0, ("Couldn't connect to domain %s controller. Error was 
%s.\n",
                        domain_name, nt_errstr(nt_status)));
-               return -1;
+               goto out;
        }
 
-       if (!(mem_ctx = talloc_init("establishing trust relationship to "
-                                   "domain %s", domain_name))) {
-               DEBUG(0, ("talloc_init() failed\n"));
-               cli_shutdown(cli);
-               return -1;
-       }
 
        /* Make sure we're talking to a proper server */
 
-       nt_status = rpc_trustdom_get_pdc(c, cli, mem_ctx, domain_name);
+       nt_status = rpc_trustdom_get_pdc(c, cli, frame, domain_name);
        if (!NT_STATUS_IS_OK(nt_status)) {
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
 
        /*
@@ -6647,15 +6627,13 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
                                             &pipe_hnd);
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", 
nt_errstr(nt_status) ));
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
 
        b = pipe_hnd->binding_handle;
 
        nt_status = dcerpc_lsa_open_policy_fallback(b,
-                                                   mem_ctx,
+                                                   frame,
                                                    pipe_hnd->srv_name_slash,
                                                    true,
                                                    KEY_QUERY_VALUE,
@@ -6666,14 +6644,12 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
        if (any_nt_status_not_ok(nt_status, result, &nt_status)) {
                DBG_ERR("Couldn't open policy handle: %s\n",
                        nt_errstr(nt_status));
-               cli_shutdown(cli);
-               talloc_free(mem_ctx);
-               return -1;
+               goto out;
        }
 
        /* Querying info level 5 */
 
-       nt_status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
+       nt_status = dcerpc_lsa_QueryInfoPolicy(b, frame,
                                               &connect_hnd,
                                               LSA_POLICY_INFO_ACCOUNT_DOMAIN,
                                               &info,
@@ -6681,16 +6657,12 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
        if (NT_STATUS_IS_ERR(nt_status)) {
                DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
                        nt_errstr(nt_status)));
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
        if (NT_STATUS_IS_ERR(result)) {
                DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
                        nt_errstr(result)));
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
 
        domain_sid = info->account_domain.sid;
@@ -6706,30 +6678,27 @@ static int rpc_trustdom_establish(struct net_context 
*c, int argc,
 
        if (!pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)) {
                DEBUG(0, ("Storing password for trusted domain failed.\n"));
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
 
        /*
         * Close the pipes and clean up
         */
 
-       nt_status = dcerpc_lsa_Close(b, mem_ctx, &connect_hnd, &result);
+       nt_status = dcerpc_lsa_Close(b, frame, &connect_hnd, &result);
        if (NT_STATUS_IS_ERR(nt_status)) {
                DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n",
                        nt_errstr(nt_status)));
-               cli_shutdown(cli);
-               talloc_destroy(mem_ctx);
-               return -1;
+               goto out;
        }
 
-       cli_shutdown(cli);
-
-       talloc_destroy(mem_ctx);
-
        d_printf(_("Trust to domain %s established\n"), domain_name);
-       return 0;
+
+       rc = 0;
+out:
+       cli_shutdown(cli);
+       TALLOC_FREE(frame);
+       return rc;
 }
 
 /**
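
Review bot: at the new `out:` label cli_shutdown(cli) now runs on every exit, including the early `goto out` for the usage error and for a NULL domain_name, both of which are taken before any connection is made. That is only safe if cli is initialised to NULL at its declaration and cli_shutdown() accepts NULL; the declaration is outside the visible context, so please confirm it or guard the call with `if (cli != NULL)`. The error paths after dcerpc_lsa_open_policy_fallback() has succeeded also jump to `out` without calling dcerpc_lsa_Close() on connect_hnd; if that is intentional, a short comment at the label would help.
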
diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
index ca57e8004f2..e486af0ac6d 100644
--- a/source3/utils/wscript_build
+++ b/source3/utils/wscript_build
@@ -9,7 +9,7 @@ bld.SAMBA3_SUBSYSTEM('CONN_TDB',
 
 bld.SAMBA3_SUBSYSTEM('DNS_UTIL',
                      source='net_dns.c net_ads_join_dns.c',
-                     deps='addns')
+                     deps='addns ads')
 
 bld.SAMBA3_BINARY('profiles',
                  source='profiles.c',


-- 
Samba Shared Repository
