The branch, v4-20-test has been updated
       via  5b90acbef15 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
       via  4b4b0152fd7 selftest: Add a python blackbox test for some misc (widelink) DFS tests
       via  dceb2e56b63 script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
       via  5d593a735d3 build: Add --vendor-name --vendor-patch-revision options to ./configure
       via  f46faceae1f ctdb/docs: Include ceph rados namespace support in man page
       via  9110627bc24 ctdb/ceph: Add optional namespace support for mutex helper
       via  df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
       via  89817ed2165 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
       via  fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on error
       via  f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
       via  3b36f447040 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
       via  299818567ea s4:dns_server: use the client provided algorithm for the fake TSIG structure
       via  7ddd758da50 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
       via  6e395cabf38 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
       via  ed8ef00c297 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
       via  a7f3293ddf7 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
       via  9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
       via  5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
       via  ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
       via  bda80382eb5 python:tests/dns_base: let verify_packet() work against Windows
       via  fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig algorithms
       via  7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig updates
       via  6438249cf1e python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
       via  501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
       via  c7a936ecd27 python:tests/dns_base: maintain a dict with tkey related state
       via  da7c313740d python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
       via  85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
       via  e58fe908371 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
       via  12d4e452410 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
       via  9cfc2e24331 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
       via  f7f0518b46a python:tests/dns_base: add self.assert_echoed_dns_error()
       via  c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle short receives
       via  3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
       via  19fc5bb6b9d python:tests/dns_base: generate a real signature in bad_sign_packet()
      from  8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test

- Log -----------------------------------------------------------------
commit 5b90acbef156174ea65014a298f926218a760c4e
Author: Noel Power <noel.po...@suse.com>
Date:   Fri Jun 7 19:35:47 2024 +0100

    s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

    This patch also removes known fail for existing test

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

    (cherry picked from commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267)
    [noel.po...@suse.com backported to Samba 4.20 minor change to use
     4.20 create_open_symlink_err fn instead of read_symlink_reparse]

    Autobuild-User(v4-20-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-20-test): Tue Jun 18 08:33:30 UTC 2024 on atb-devel-224

commit 4b4b0152fd7cce2923ffcfe04eb07de4cc8721d7
Author: Noel Power <noel.po...@suse.com>
Date:   Tue Jun 11 11:19:50 2024 +0100

    selftest: Add a python blackbox test for some misc (widelink) DFS tests

    On master attempting to chdir into a nested dfs link

    e.g. cd dfslink (works)
         cd dfslink/another_dfslink (fails)

    [1] Add a test for this scenario (nested chdir)
    [2] Add test for enumerating a dfs link in root of dfs share
    [3] Add a test to check case insensitive chdir into dfs link on widelink
        enabled share

    Add knownfails for tests 1 and 3

    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
    (cherry picked from commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5)

commit dceb2e56b63c27ebe174b58c2bd5fab1fd3e4415
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 30 21:13:01 2024 +1200

    script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    RN: We have added new options --vendor-name and --vendor-patch-revision
    arguments to ./configure to allow distributions and packagers to put their
    name in the Samba version string so that when debugging Samba the source
    of the binary is obvious.

    [abart...@samba.org adapted to 4.20 still having the separate LDB
     build system from commit 72112d4814eb3872016c1168c477531be835a1f9]

commit 5d593a735d371774b5a8847a4e820c894ec3e25f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 30 10:50:12 2024 +1200

    build: Add --vendor-name --vendor-patch-revision options to ./configure

    These options are for packagers and vendors to set so that when
    Samba developers are debugging an issue, we know exactly which
    package is in use, and so have an idea if any patches have been
    applied.

    This is included in the string that a Samba backtrace gives,
    as part of the PANIC message.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
    REF: https://lists.samba.org/archive/samba-technical/2024-May/138992.html

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    (cherry picked from commit 651fb94c374c7f84405d960a9e0a0fd7fcb285dd)

commit f46faceae1fb5ad81dd1c099e99e3e3cf7a0701e
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jun 7 14:40:07 2024 +0530

    ctdb/docs: Include ceph rados namespace support in man page

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

    Document the new optional argument to specify the namespace to be
    associated with RADOS objects in a pool.

    Pair-Programmed-With: Anoop C S <anoo...@samba.org>
    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): Anoop C S <anoo...@samba.org>
    Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224

    (cherry picked from commit 35f6c3f3d4a5521e6576fcc0dd7dd3bbcea041b2)

commit 9110627bc24c5eda24d38a296cc72b2ffae54832
Author: Günther Deschner <g...@samba.org>
Date:   Fri Jun 7 14:39:37 2024 +0530

    ctdb/ceph: Add optional namespace support for mutex helper

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

    RADOS objects within a pool can be associated to a namespace for
    logical separation. librados already provides an API to configure
    such a namespace with respect to a context. Make use of it as an
    optional argument to the helper binary.

    Pair-Programmed-With: Anoop C S <anoo...@samba.org>
    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>
    (cherry picked from commit d8c52995f68fe088dd2174562faee69ed1c95edd)

commit df54d3fdda9cf9ad526c25fa13bca2daf75df356
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 30 14:52:22 2024 +0200

    s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

    If the client does not have permissions to update the record,
    but the record already has the data the update tries to apply,
    it's a no-op that should result in success instead of failing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224

    (cherry picked from commit ed61c57e02309b738e73fb12877a0a565b627724)

commit 89817ed2165320185d7254872a5c875cb04f12d1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 30 14:39:28 2024 +0200

    s4:dns_server: correctly sign dns update responses with gss-tsig like Windows

    This means we no longer generate strange errors/warnings
    in the Windows event log nor in the nsupdate -g output.

    Note: this is a only difference between gss-tsig and
    the legacy gss.microsoft.com algorithms.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 76fec2668e73b9d15447abee551d5c04148aaf27)

commit fdd61d60caa96ca585f94916873a3485de1acf5b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 30 14:42:53 2024 +0200

    s4:dns_server: dns_verify_tsig should return REFUSED on error

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)

commit f663b386156afec4a8d8bd5f99b5ffe7f365f144
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu May 30 14:41:21 2024 +0200

    s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7)

commit 3b36f447040d28bfc6494e84edbf98f947cba2a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:38:24 2024 +0200

    s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ae7538af04435658d2ba6dcab109beecb6c5f13e)

commit 299818567ea8238a791942428bcf9887e9738ac8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:38:24 2024 +0200

    s4:dns_server: use the client provided algorithm for the fake TSIG structure

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit bd0235cd515d5602ed9501bfc810a2487364ea10)

commit 7ddd758da50cc04a527061209c2f809b66b56f1f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:38:24 2024 +0200

    s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)

commit 6e395cabf38b6ad42fbdcb56e72f08940cb070f3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:38:24 2024 +0200

    s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250)

commit ed8ef00c297026350ea79e79248f2b9a0eaabe6b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:36:40 2024 +0200

    s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a56627b0d125ef7b456bebe307087f324f1f0422)

commit a7f3293ddf764aa370db0147e245d73b687f29e4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 11:40:51 2024 +0200

    python:tests/dns_tkey: add test_update_tsig_record_access_denied()

    This demonstrates that access_denied is only generated if the client
    really generates a change in the database.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 708a6fae6978e1462e1a53f4ee08f11b51a5637a)

commit 9137bb66ab48d1220d88537c9a403a376439da28
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 11:39:56 2024 +0200

    s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 753428a3b6c488c4aacea04d2ddb9ea73244695a)

commit 5a98bc50263c03a8302587f8f5e6baf62e1234b5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 11:39:56 2024 +0200

    python:tests/dns_base: add get_unpriv_creds() helper

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 88457da00d4110b419f7a7ccabcd542fa77e463f)

commit ff0afdd1b056d26af785fc34209eded06615c9a4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:17:54 2024 +0200

    python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 848318338b2972f331e067bf1c8d6c7dac0748c8)

commit bda80382eb5f501eda1764c57832c8a386490427
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:17:54 2024 +0200

    python:tests/dns_base: let verify_packet() work against Windows

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 8324d0739dfdd0a081c403e298a9038ee7df681f)

commit fdfd4e8adcee923909a0dc64cce5c867fb6c2a23
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 17:26:39 2024 +0200

    python:tests/dns_tkey: test bad and changing tsig algorithms

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit de4ed363d378f2065a4634f94af80ea0e3965c96)

commit 7dabac46b5ac13949c450424d54f8cf4b39733e0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 17:18:34 2024 +0200

    python:tests/dns_tkey: add gss.microsoft.com tsig updates

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b9b03ca503c43c7ee06df6c331839bd47f9eac8c)

commit 6438249cf1e52375c343f61dce8100cba614997e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 14:15:45 2024 +0200

    python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()

    Also test using the additional record in the answers section.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 3c7cb85eaf8371be55a371601cc354440dab7a94)

commit 501a25a1f07dc71699ae9610010b13d05d652573
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 16:41:12 2024 +0200

    python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 740bda87a80b97816d892e8f7aae28759f6916ec)

commit c7a936ecd2723440f46eb1423135fcb391164943
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 14:10:52 2024 +0200

    python:tests/dns_base: maintain a dict with tkey related state

    This will allow tests to backup the whole state
    and mix them.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b0af60e7850e656ef98edeac657c66b853080dab)

commit da7c313740d01f85c1c2f4e0c6bdecaa5bedbbfa
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 14:14:11 2024 +0200

    python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 1b1e7e06cf6ebd283de73c351267d53b42663d2f)

commit 85784854629c406f23cc46f075012696b59b392c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 16:07:53 2024 +0200

    python:tests/dns_base: pass tkey_trans(expected_rcode)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 27d92fa808c6617353c36fdb230504e880f4925b)

commit e58fe908371c46b9e0e4518e7f9614ac796a584a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 14:08:13 2024 +0200

    python:tests/dns_base: let tkey_trans() take tkey_req_in_answers

    It's possible to put the additional into the answers section,
    so we should be able to test that.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit cd747307d845f3cff723a7916aeeb31458f19202)

commit 12d4e452410f29cb23e130ddeaf44592ba98b7b2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:17:54 2024 +0200

    python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f8dfa9b33bdedffbe2e3b6e229ffae4beb3c712e)

commit 9cfc2e24331139dd4f8a4d2feb3bf335bd8cb049
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:35:58 2024 +0200

    python:tests/dns_tkey: make use of self.assert_echoed_dns_error()

    Failed DNS updates just echo the request flagged as response,
    all other elements are unchanged.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 6e997f93d53ac45af79aec030bad73f51bdc5629)

commit f7f0518b46a9d5c26fc6a362105c463bc6865817
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:35:58 2024 +0200

    python:tests/dns_base: add self.assert_echoed_dns_error()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ce591464cb12ab00a5d5752a7cea5f909c3c3f1b)

commit c00749edb35115e111739473d7db57f33bff55a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 31 08:07:24 2024 +0200

    python:tests/dns_base: let dns_transaction_tcp() handle short receives

    With socket_wrapper we only get 1500 byte chunks...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c741d0f3969abe821e8ee2a10f848159eb2749fe)

commit 3bd80a2545a57b88e58cedf5f9d7281fef15b361
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:16:40 2024 +0200

    python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c594cbad4af97031bb7b5b0eb2fb228b00acf646)

commit 19fc5bb6b9d75ddb1b031817c7ee7688d7ca587f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 29 13:11:24 2024 +0200

    python:tests/dns_base: generate a real signature in bad_sign_packet()

    We just destroy the signature bytes but keep the header
    unchanged.

    This makes it easier to look at it in wireshark.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56) ----------------------------------------------------------------------- Summary of changes: buildtools/wafsamba/samba_version.py | 5 + ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml | 4 +- ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 50 +++- python/samba/tests/blackbox/misc_dfs_widelink.py | 86 ++++++ python/samba/tests/dns_base.py | 213 ++++++++++----- python/samba/tests/dns_tkey.py | 325 ++++++++++++++++++++--- python/samba/tests/join.py | 2 +- script/autobuild.py | 3 +- source3/smbd/files.c | 18 ++ source4/dns_server/dns_crypto.c | 49 +++- source4/dns_server/dns_query.c | 27 +- source4/dns_server/dns_update.c | 11 + source4/dns_server/dnsserver_common.c | 2 + source4/selftest/tests.py | 9 +- wscript | 20 ++ 15 files changed, 705 insertions(+), 119 deletions(-) create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py index 31103e0f8c4..576168f5723 100644 --- a/buildtools/wafsamba/samba_version.py +++ b/buildtools/wafsamba/samba_version.py @@ -253,6 +253,11 @@ def samba_version_file(version_file, path, env=None, is_install=True): print("Failed to parse line %s from %s" % (line, version_file)) raise + if "SAMBA_VERSION_VENDOR_SUFFIX" in env: + version_dict["SAMBA_VERSION_VENDOR_SUFFIX"] = env.SAMBA_VERSION_VENDOR_SUFFIX + if "SAMBA_VERSION_VENDOR_PATCH" in env: + version_dict["SAMBA_VERSION_VENDOR_PATCH"] = str(env.SAMBA_VERSION_VENDOR_PATCH) + return SambaVersion(version_dict, path, env=env, is_install=is_install) diff --git a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml index f558f873d9a..93d79cea5dc 100644 --- a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml +++ b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml 
@@ -29,12 +29,14 @@ <manvolnum>5</manvolnum></citerefentry>: </para> <screen format="linespecific"> -cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object] +cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object] [Timeout] [-n Namespace] Cluster: Ceph cluster name (e.g. ceph) User: Ceph cluster user name (e.g. client.admin) Pool: Ceph RADOS pool name Object: Ceph RADOS object name +Timeout: Ceph RADOS lock duration in seconds (optional) +Namespace: Ceph RADOS pool namespace (optional) </screen> <para> The Ceph cluster <parameter>Cluster</parameter> must be up and running, diff --git a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c index 7d868a38b23..46566c97a83 100644 --- a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c +++ b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c @@ -42,9 +42,18 @@ static char *progname = NULL; +static void usage(void) +{ + fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> " + "<RADOS pool> <RADOS object> " + "[lock duration secs] [-n RADOS namespace]\n", + progname); +} + static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name, const char *ceph_auth_name, const char *pool_name, + const char *namespace, rados_t *_ceph_cluster, rados_ioctx_t *_ioctx) { @@ -87,6 +96,10 @@ static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name, return ret; } + if (namespace != NULL) { + rados_ioctx_set_namespace(ioctx, namespace); + } + *_ceph_cluster = ceph_cluster; *_ioctx = ioctx; @@ -145,6 +158,7 @@ struct ctdb_mutex_rados_state { const char *ceph_cluster_name; const char *ceph_auth_name; const char *pool_name; + const char *namespace; const char *object; uint64_t lock_duration_s; int ppid; 
@@ -295,15 +309,13 @@ static int ctdb_mutex_rados_mgr_reg(rados_t ceph_cluster) int main(int argc, char *argv[]) { int ret; + int opt; struct ctdb_mutex_rados_state *cmr_state; progname = argv[0]; - if ((argc != 5) && (argc != 6)) { - fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> " - "<RADOS pool> <RADOS object> " - "[lock duration secs]\n", - progname); + if (argc < 5) { + usage(); ret = -EINVAL; goto err_out; } @@ -325,15 +337,36 @@ int main(int argc, char *argv[]) cmr_state->ceph_auth_name = argv[2]; cmr_state->pool_name = argv[3]; cmr_state->object = argv[4]; - if (argc == 6) { + + optind = 5; + while ((opt = getopt(argc, argv, "n:")) != -1) { + switch(opt) { + case 'n': + cmr_state->namespace = optarg; + break; + default: + usage(); + ret = -EINVAL; + goto err_ctx_cleanup; + } + } + + if (argv[optind] != NULL) { /* optional lock duration provided */ char *endptr = NULL; - cmr_state->lock_duration_s = strtoull(argv[5], &endptr, 0); - if ((endptr == argv[5]) || (*endptr != '\0')) { + cmr_state->lock_duration_s = strtoull(argv[optind], &endptr, 0); + if ((endptr == argv[optind]) || (*endptr != '\0')) { fprintf(stdout, CTDB_MUTEX_STATUS_ERROR); ret = -EINVAL; goto err_ctx_cleanup; } + if (argv[++optind] != NULL) { + /* incorrect count or format for optional arguments */ + usage(); + ret = -EINVAL; + goto err_ctx_cleanup; + } + } else { cmr_state->lock_duration_s = CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT; @@ -398,6 +431,7 @@ int main(int argc, char *argv[]) ret = ctdb_mutex_rados_ctx_create(cmr_state->ceph_cluster_name, cmr_state->ceph_auth_name, cmr_state->pool_name, + cmr_state->namespace, &cmr_state->ceph_cluster, &cmr_state->ioctx); if (ret < 0) { diff --git a/python/samba/tests/blackbox/misc_dfs_widelink.py b/python/samba/tests/blackbox/misc_dfs_widelink.py new file mode 100644 index 00000000000..7948590d710 --- /dev/null +++ b/python/samba/tests/blackbox/misc_dfs_widelink.py 
@@ -0,0 +1,86 @@ +# Blackbox tests for DFS (widelink) +# +# Copyright (C) Noel Power noel.po...@suse.com +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +from samba.tests import BlackboxTestCase, BlackboxProcessError +from samba.samba3 import param as s3param + +from samba.credentials import Credentials + +import os + +class DfsWidelinkBlockboxTestBase(BlackboxTestCase): + + def setUp(self): + super().setUp() + self.lp = s3param.get_context() + self.server = os.environ["SERVER"] + self.user = os.environ["USER"] + self.passwd = os.environ["PASSWORD"] + self.creds = Credentials() + self.creds.guess(self.lp) + self.creds.set_username(self.user) + self.creds.set_password(self.passwd) + self.testdir = os.getenv("TESTDIR", "msdfs-share-wl") + self.share = os.getenv("SHARE", "msdfs-share-wl") + self.dirpath = os.path.join(os.environ["LOCAL_PATH"],self.testdir) + # allow a custom teardown function to be defined + self.cleanup = None + self.cleanup_args = [] + + def tearDown(self): + try: + if (self.cleanup): + self.cleanup(self.cleanup_args) + except Exception as e: + print("remote remove failed: %s" % str(e)) + + def build_test_cmd(self, cmd, args): + cmd = [cmd, "-U%s%%%s" % (self.user, self.passwd)] + cmd.extend(args) + return cmd + + def test_ci_chdir(self): + parent_dir = "msdfs-src1" + dirs = [parent_dir, parent_dir.upper()] + # try as named dir first then try upper-cased 
version + for adir in dirs: + smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "cd %s" % (adir)]) + try: + out_str = self.check_output(smbclient_args) + except BlackboxProcessError as e: + print(str(e)) + self.fail(str(e)) + + def test_nested_chdir(self): + parent_dir = "dfshop1" + child_dir = "dfshop2" + smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "cd %s/%s" % (parent_dir,child_dir)]) + try: + out_str = self.check_output(smbclient_args) + except BlackboxProcessError as e: + print(str(e)) + self.fail(str(e)) + + def test_enumerate_dfs_link(self): + smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "dir"]) + try: + out_str = self.check_output(smbclient_args) + except BlackboxProcessError as e: + print(str(e)) + self.fail(str(e)) + out_str = out_str.decode() + self.assertIn("msdfs-src1", out_str) diff --git a/python/samba/tests/dns_base.py b/python/samba/tests/dns_base.py index d320a0e9183..43a62b1ac57 100644 --- a/python/samba/tests/dns_base.py +++ b/python/samba/tests/dns_base.py @@ -20,6 +20,7 @@ from samba.tests import TestCaseInTempDir from samba.dcerpc import dns, dnsp from samba import gensec, tests from samba import credentials +from samba import NTSTATUSError import struct import samba.ndr as ndr import random 
@@ -76,6 +77,24 @@ class DNSTest(TestCaseInTempDir): self.assertEqual(p_opcode, opcode, "Expected OPCODE %s, got %s" % (opcode, p_opcode)) + def assert_dns_flags_equals(self, packet, flags): + "Helper function to check opcode" + p_flags = packet.operation & (~(dns.DNS_OPCODE|dns.DNS_RCODE)) + self.assertEqual(p_flags, flags, "Expected FLAGS %02x, got %02x" % + (flags, p_flags)) + + def assert_echoed_dns_error(self, request, response, response_p, rcode): + + request_p = ndr.ndr_pack(request) + + self.assertEqual(response.id, request.id) + self.assert_dns_rcode_equals(response, rcode) + self.assert_dns_opcode_equals(response, request.operation & dns.DNS_OPCODE) + self.assert_dns_flags_equals(response, + (request.operation | dns.DNS_FLAG_REPLY) & (~(dns.DNS_OPCODE|dns.DNS_RCODE))) + self.assertEqual(len(response_p), len(request_p)) + self.assertEqual(response_p[4:], request_p[4:]) + def make_name_packet(self, opcode, qid=None): "Helper creating a dns.name_packet" p = dns.name_packet() @@ -112,6 +131,8 @@ class DNSTest(TestCaseInTempDir): return self.creds.get_realm().lower() def dns_transaction_udp(self, packet, host, + allow_remaining=False, + allow_truncated=False, dump=False, timeout=None): "send a DNS query and read the reply" s = None @@ -128,8 +149,22 @@ class DNSTest(TestCaseInTempDir): recv_packet = s.recv(2048, 0) if dump: print(self.hexdump(recv_packet)) - response = ndr.ndr_unpack(dns.name_packet, recv_packet) + if allow_truncated: + # with allow_remaining + # we add some zero bytes + # in order to also parse truncated + # responses + recv_packet_p = recv_packet + 32*b"\x00" + allow_remaining = True + else: + recv_packet_p = recv_packet + response = ndr.ndr_unpack(dns.name_packet, recv_packet_p, + allow_remaining=allow_remaining) return (response, recv_packet) + except RuntimeError as re: + if s is not None: + s.close() + raise AssertionError(re) finally: if s is not None: s.close() 
@@ -151,11 +186,26 @@ class DNSTest(TestCaseInTempDir): tcp_packet += send_packet s.sendall(tcp_packet) - recv_packet = s.recv(0xffff + 2, 0) + recv_packet = b'' + length = None + for i in range(0, 2 + 0xffff): + if len(recv_packet) >= 2: + length, = struct.unpack('!H', recv_packet[0:2]) + remaining = 2 + length + else: + remaining = 2 + 12 + remaining -= len(recv_packet) + if remaining == 0: + break + recv_packet += s.recv(remaining, 0) if dump: print(self.hexdump(recv_packet)) response = ndr.ndr_unpack(dns.name_packet, recv_packet[2:]) + except RuntimeError as re: + if s is not None: + s.close() + raise AssertionError(re) finally: if s is not None: s.close() 
@@ -217,18 +267,41 @@ class DNSTKeyTest(DNSTest): self.creds.set_username(tests.env_get_var_value('USERNAME')) self.creds.set_password(tests.env_get_var_value('PASSWORD')) self.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + + self.unpriv_creds = None + self.newrecname = "tkeytsig.%s" % self.get_dns_domain() - def tkey_trans(self, creds=None): + def get_unpriv_creds(self): + if self.unpriv_creds is not None: + return self.unpriv_creds + + self.unpriv_creds = credentials.Credentials() + self.unpriv_creds.guess(self.lp_ctx) + self.unpriv_creds.set_username(tests.env_get_var_value('USERNAME_UNPRIV')) + self.unpriv_creds.set_password(tests.env_get_var_value('PASSWORD_UNPRIV')) + self.unpriv_creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + + return self.unpriv_creds + + def tkey_trans(self, creds=None, algorithm_name="gss-tsig", + tkey_req_in_answers=False, + expected_rcode=dns.DNS_RCODE_OK): "Do a TKEY transaction and establish a gensec context" if creds is None: creds = self.creds - self.key_name = "%s.%s" % (uuid.uuid4(), self.get_dns_domain()) + mech = 'spnego' + + tkey = {} + tkey['name'] = "%s.%s" % (uuid.uuid4(), self.get_dns_domain()) + tkey['creds'] = creds + tkey['mech'] = mech + tkey['algorithm'] = algorithm_name p = self.make_name_packet(dns.DNS_OPCODE_QUERY) - q = self.make_name_question(self.key_name, + q = self.make_name_question(tkey['name'], dns.DNS_QTYPE_TKEY, dns.DNS_QCLASS_IN) questions = [] 
@@ -236,30 +309,30 @@ class DNSTKeyTest(DNSTest): self.finish_name_packet(p, questions) r = dns.res_rec() - r.name = self.key_name + r.name = tkey['name'] r.rr_type = dns.DNS_QTYPE_TKEY r.rr_class = dns.DNS_QCLASS_IN r.ttl = 0 r.length = 0xffff rdata = dns.tkey_record() - rdata.algorithm = "gss-tsig" + rdata.algorithm = algorithm_name rdata.inception = int(time.time()) rdata.expiration = int(time.time()) + 60 * 60 rdata.mode = dns.DNS_TKEY_MODE_GSSAPI rdata.error = 0 rdata.other_size = 0 - self.g = gensec.Security.start_client(self.settings) - self.g.set_credentials(creds) - self.g.set_target_service("dns") - self.g.set_target_hostname(self.server) - self.g.want_feature(gensec.FEATURE_SIGN) - self.g.start_mech_by_name("spnego") + tkey['gensec'] = gensec.Security.start_client(self.settings) + tkey['gensec'].set_credentials(creds) + tkey['gensec'].set_target_service("dns") + tkey['gensec'].set_target_hostname(self.server) + tkey['gensec'].want_feature(gensec.FEATURE_SIGN) + tkey['gensec'].start_mech_by_name(tkey['mech']) finished = False client_to_server = b"" - (finished, server_to_client) = self.g.update(client_to_server) + (finished, server_to_client) = tkey['gensec'].update(client_to_server) self.assertFalse(finished) data = [x if isinstance(x, int) else ord(x) for x in list(server_to_client)] 
@@ -268,56 +341,76 @@ class DNSTKeyTest(DNSTest): r.rdata = rdata additional = [r] - p.arcount = 1 - p.additional = additional + if tkey_req_in_answers: + p.ancount = 1 + p.answers = additional + else: + p.arcount = 1 + p.additional = additional (response, response_packet) =\ self.dns_transaction_tcp(p, self.server_ip) + if expected_rcode != dns.DNS_RCODE_OK: + self.assert_echoed_dns_error(p, response, response_packet, expected_rcode) + return self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK) tkey_record = response.answers[0].rdata server_to_client = bytes(tkey_record.key_data) - (finished, client_to_server) = self.g.update(server_to_client) + (finished, client_to_server) = tkey['gensec'].update(server_to_client) self.assertTrue(finished) + self.tkey = tkey + self.verify_packet(response, response_packet) def verify_packet(self, response, response_packet, request_mac=b""): + self.assertEqual(response.arcount, 1) self.assertEqual(response.additional[0].rr_type, dns.DNS_QTYPE_TSIG) + if self.tkey['algorithm'] == "gss-tsig": + gss_tsig = True + else: + gss_tsig = False + + request_mac_len = b"" + if len(request_mac) > 0 and gss_tsig: + request_mac_len = struct.pack('!H', len(request_mac)) + tsig_record = response.additional[0].rdata mac = bytes(tsig_record.mac) + self.assertEqual(tsig_record.original_id, response.id) + self.assertEqual(tsig_record.mac_size, len(mac)) + # Cut off tsig record from dns response packet for MAC verification # and reset additional record count. 
- key_name_len = len(self.key_name) + 2 - tsig_record_len = len(ndr.ndr_pack(tsig_record)) + key_name_len + 10 - - # convert str/bytes to a list (of string char or int) - # so it can be modified - response_packet_list = [x if isinstance(x, int) else ord(x) for x in response_packet] - del response_packet_list[-tsig_record_len:] - response_packet_list[11] = 0 - - # convert modified list (of string char or int) to str/bytes - response_packet_wo_tsig = bytes(response_packet_list) + response_copy = ndr.ndr_deepcopy(response) + response_copy.arcount = 0 + response_packet_wo_tsig = ndr.ndr_pack(response_copy) fake_tsig = dns.fake_tsig_rec() - fake_tsig.name = self.key_name + fake_tsig.name = self.tkey['name'] fake_tsig.rr_class = dns.DNS_QCLASS_ANY fake_tsig.ttl = 0 fake_tsig.time_prefix = tsig_record.time_prefix fake_tsig.time = tsig_record.time fake_tsig.algorithm_name = tsig_record.algorithm_name fake_tsig.fudge = tsig_record.fudge - fake_tsig.error = 0 - fake_tsig.other_size = 0 + fake_tsig.error = tsig_record.error + fake_tsig.other_size = tsig_record.other_size + fake_tsig.other_data = tsig_record.other_data -- Samba Shared Repository
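Review bot: In the hunk at @@ -76,6 +77,24 @@, the docstring of assert_dns_flags_equals() reads "Helper function to check opcode", which looks copied from the opcode helper above it; it should say that it checks the flag bits, meaning everything outside DNS_OPCODE and DNS_RCODE. assert_echoed_dns_error() has no docstring at all, and the comparison of response_p[4:] with request_p[4:] deserves a one-line comment saying that the first four bytes (id and operation word) are skipped because they are asserted separately just above.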
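Review bot: In dns_transaction_udp() (hunk at @@ -128,8 +149,22 @@), the new except RuntimeError branch calls s.close() although the finally clause directly below closes the same socket, so the close in the except branch is redundant; the identical branch added to dns_transaction_tcp() has the same issue. Separately, allow_truncated=True silently forces allow_remaining = True and parses a copy padded with 32 zero bytes, while the function still returns the unpadded recv_packet. The docstring ("send a DNS query and read the reply") should describe both new parameters and that difference, so callers do not assume response and recv_packet correspond byte for byte.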
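Review bot: The receive loop added to dns_transaction_tcp() (hunk at @@ -151,11 +186,26 @@) does not handle an empty return from s.recv(): if the peer closes the connection early, recv_packet stops growing, remaining never reaches 0, and the loop runs through all 2 + 0xffff iterations before falling through to ndr_unpack() on a short buffer. Suggest breaking out (or failing the test) when recv() returns b'' and asserting after the loop that len(recv_packet) == 2 + length. The loop variable i is unused, so for _ in range(...) would read more clearly.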
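Review bot: In the setUp() lines of the hunk at @@ -217,18 +267,41 @@, self.unpriv_creds is initialised to None but the new self.tkey attribute is not, and tkey_trans() returns early without assigning it when expected_rcode != dns.DNS_RCODE_OK. A verify_packet() call after such a transaction would either raise AttributeError on self.tkey['algorithm'] or silently reuse state from an earlier transaction. Suggest adding self.tkey = None in setUp() and asserting it is not None at the top of verify_packet(). get_unpriv_creds() also lacks a docstring naming the USERNAME_UNPRIV and PASSWORD_UNPRIV environment variables it depends on.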
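Review bot: In verify_packet() (hunk at @@ -268,56 +341,76 @@), request_mac_len stays empty for every algorithm other than "gss-tsig" even when request_mac is non-empty, and nothing in the code says why the 2-byte length prefix depends on the algorithm name; a short comment stating the reason is needed here. The four-line if/else that sets gss_tsig can be reduced to gss_tsig = (self.tkey['algorithm'] == "gss-tsig").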