6212 lines
244 KiB
Diff
6212 lines
244 KiB
Diff
From 9032322cc713e82a316b271bb2fa0a867c69b021 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 22 Jul 2024 12:26:55 +0200
|
|
Subject: [PATCH 01/24] s3:notifyd: Use a watcher per db record
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This fixes a O(n²) performance regression in notifyd. The problem was
|
|
that we had a watcher per notify instance. This changes the code to have
|
|
a watcher per notify db entry.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14430
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit af011b987a4ad0d3753d83cc0b8d97ad64ba874a)
|
|
---
|
|
source3/smbd/notifyd/notifyd.c | 214 ++++++++++++++++++-------
|
|
source3/smbd/notifyd/notifyd_db.c | 5 +-
|
|
source3/smbd/notifyd/notifyd_entry.c | 51 ++++--
|
|
source3/smbd/notifyd/notifyd_private.h | 46 ++++--
|
|
4 files changed, 228 insertions(+), 88 deletions(-)
|
|
|
|
diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c
|
|
index 64dd26a7e11..0b07ab3e435 100644
|
|
--- a/source3/smbd/notifyd/notifyd.c
|
|
+++ b/source3/smbd/notifyd/notifyd.c
|
|
@@ -337,6 +337,7 @@ static bool notifyd_apply_rec_change(
|
|
struct messaging_context *msg_ctx)
|
|
{
|
|
struct db_record *rec = NULL;
|
|
+ struct notifyd_watcher watcher = {};
|
|
struct notifyd_instance *instances = NULL;
|
|
size_t num_instances;
|
|
size_t i;
|
|
@@ -344,6 +345,7 @@ static bool notifyd_apply_rec_change(
|
|
TDB_DATA value;
|
|
NTSTATUS status;
|
|
bool ok = false;
|
|
+ bool new_watcher = false;
|
|
|
|
if (pathlen == 0) {
|
|
DBG_WARNING("pathlen==0\n");
|
|
@@ -374,8 +376,12 @@ static bool notifyd_apply_rec_change(
|
|
value = dbwrap_record_get_value(rec);
|
|
|
|
if (value.dsize != 0) {
|
|
- if (!notifyd_parse_entry(value.dptr, value.dsize, NULL,
|
|
- &num_instances)) {
|
|
+ ok = notifyd_parse_entry(value.dptr,
|
|
+ value.dsize,
|
|
+ &watcher,
|
|
+ NULL,
|
|
+ &num_instances);
|
|
+ if (!ok) {
|
|
goto fail;
|
|
}
|
|
}
|
|
@@ -390,8 +396,22 @@ static bool notifyd_apply_rec_change(
|
|
goto fail;
|
|
}
|
|
|
|
- if (value.dsize != 0) {
|
|
- memcpy(instances, value.dptr, value.dsize);
|
|
+ if (num_instances > 0) {
|
|
+ struct notifyd_instance *tmp = NULL;
|
|
+ size_t num_tmp = 0;
|
|
+
|
|
+ ok = notifyd_parse_entry(value.dptr,
|
|
+ value.dsize,
|
|
+ NULL,
|
|
+ &tmp,
|
|
+ &num_tmp);
|
|
+ if (!ok) {
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
+ memcpy(instances,
|
|
+ tmp,
|
|
+ sizeof(struct notifyd_instance) * num_tmp);
|
|
}
|
|
|
|
for (i=0; i<num_instances; i++) {
|
|
@@ -414,41 +434,106 @@ static bool notifyd_apply_rec_change(
|
|
*instance = (struct notifyd_instance) {
|
|
.client = *client,
|
|
.instance = *chg,
|
|
- .internal_filter = chg->filter,
|
|
- .internal_subdir_filter = chg->subdir_filter
|
|
};
|
|
|
|
num_instances += 1;
|
|
}
|
|
|
|
- if ((instance->instance.filter != 0) ||
|
|
- (instance->instance.subdir_filter != 0)) {
|
|
- int ret;
|
|
+ /*
|
|
+ * Calculate an intersection of the instances filters for the watcher.
|
|
+ */
|
|
+ if (instance->instance.filter > 0) {
|
|
+ uint32_t filter = instance->instance.filter;
|
|
+
|
|
+ if ((watcher.filter & filter) != filter) {
|
|
+ watcher.filter |= filter;
|
|
+
|
|
+ new_watcher = true;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Calculate an intersection of the instances subdir_filters for the
|
|
+ * watcher.
|
|
+ */
|
|
+ if (instance->instance.subdir_filter > 0) {
|
|
+ uint32_t subdir_filter = instance->instance.subdir_filter;
|
|
|
|
- TALLOC_FREE(instance->sys_watch);
|
|
+ if ((watcher.subdir_filter & subdir_filter) != subdir_filter) {
|
|
+ watcher.subdir_filter |= subdir_filter;
|
|
|
|
- ret = sys_notify_watch(entries, sys_notify_ctx, path,
|
|
- &instance->internal_filter,
|
|
- &instance->internal_subdir_filter,
|
|
- notifyd_sys_callback, msg_ctx,
|
|
- &instance->sys_watch);
|
|
- if (ret != 0) {
|
|
- DBG_WARNING("sys_notify_watch for [%s] returned %s\n",
|
|
- path, strerror(errno));
|
|
+ new_watcher = true;
|
|
}
|
|
}
|
|
|
|
if ((instance->instance.filter == 0) &&
|
|
(instance->instance.subdir_filter == 0)) {
|
|
+ uint32_t tmp_filter = 0;
|
|
+ uint32_t tmp_subdir_filter = 0;
|
|
+
|
|
/* This is a delete request */
|
|
- TALLOC_FREE(instance->sys_watch);
|
|
*instance = instances[num_instances-1];
|
|
num_instances -= 1;
|
|
+
|
|
+ for (i = 0; i < num_instances; i++) {
|
|
+ struct notifyd_instance *tmp = &instances[i];
|
|
+
|
|
+ tmp_filter |= tmp->instance.filter;
|
|
+ tmp_subdir_filter |= tmp->instance.subdir_filter;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * If the filter has changed, register a new watcher with the
|
|
+ * changed filter.
|
|
+ */
|
|
+ if (watcher.filter != tmp_filter ||
|
|
+ watcher.subdir_filter != tmp_subdir_filter)
|
|
+ {
|
|
+ watcher.filter = tmp_filter;
|
|
+ watcher.subdir_filter = tmp_subdir_filter;
|
|
+
|
|
+ new_watcher = true;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (new_watcher) {
|
|
+ /*
|
|
+ * In case we removed all notify instances, we want to remove
|
|
+ * the watcher. We won't register a new one, if no filters are
|
|
+ * set anymore.
|
|
+ */
|
|
+
|
|
+ TALLOC_FREE(watcher.sys_watch);
|
|
+
|
|
+ watcher.sys_filter = watcher.filter;
|
|
+ watcher.sys_subdir_filter = watcher.subdir_filter;
|
|
+
|
|
+ /*
|
|
+ * Only register a watcher if we have filter.
|
|
+ */
|
|
+ if (watcher.filter != 0 || watcher.subdir_filter != 0) {
|
|
+ int ret = sys_notify_watch(entries,
|
|
+ sys_notify_ctx,
|
|
+ path,
|
|
+ &watcher.sys_filter,
|
|
+ &watcher.sys_subdir_filter,
|
|
+ notifyd_sys_callback,
|
|
+ msg_ctx,
|
|
+ &watcher.sys_watch);
|
|
+ if (ret != 0) {
|
|
+ DBG_WARNING("sys_notify_watch for [%s] "
|
|
+ "returned %s\n",
|
|
+ path,
|
|
+ strerror(errno));
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
DBG_DEBUG("%s has %zu instances\n", path, num_instances);
|
|
|
|
if (num_instances == 0) {
|
|
+ TALLOC_FREE(watcher.sys_watch);
|
|
+
|
|
status = dbwrap_record_delete(rec);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_WARNING("dbwrap_record_delete returned %s\n",
|
|
@@ -456,13 +541,21 @@ static bool notifyd_apply_rec_change(
|
|
goto fail;
|
|
}
|
|
} else {
|
|
- value = make_tdb_data(
|
|
- (uint8_t *)instances,
|
|
- sizeof(struct notifyd_instance) * num_instances);
|
|
+ struct TDB_DATA iov[2] = {
|
|
+ {
|
|
+ .dptr = (uint8_t *)&watcher,
|
|
+ .dsize = sizeof(struct notifyd_watcher),
|
|
+ },
|
|
+ {
|
|
+ .dptr = (uint8_t *)instances,
|
|
+ .dsize = sizeof(struct notifyd_instance) *
|
|
+ num_instances,
|
|
+ },
|
|
+ };
|
|
|
|
- status = dbwrap_record_store(rec, value, 0);
|
|
+ status = dbwrap_record_storev(rec, iov, ARRAY_SIZE(iov), 0);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- DBG_WARNING("dbwrap_record_store returned %s\n",
|
|
+ DBG_WARNING("dbwrap_record_storev returned %s\n",
|
|
nt_errstr(status));
|
|
goto fail;
|
|
}
|
|
@@ -706,12 +799,18 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data,
|
|
.when = tstate->msg->when };
|
|
struct iovec iov[2];
|
|
size_t path_len = key.dsize;
|
|
+ struct notifyd_watcher watcher = {};
|
|
struct notifyd_instance *instances = NULL;
|
|
size_t num_instances = 0;
|
|
size_t i;
|
|
+ bool ok;
|
|
|
|
- if (!notifyd_parse_entry(data.dptr, data.dsize, &instances,
|
|
- &num_instances)) {
|
|
+ ok = notifyd_parse_entry(data.dptr,
|
|
+ data.dsize,
|
|
+ &watcher,
|
|
+ &instances,
|
|
+ &num_instances);
|
|
+ if (!ok) {
|
|
DBG_DEBUG("Could not parse notifyd_entry\n");
|
|
return;
|
|
}
|
|
@@ -734,9 +833,11 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data,
|
|
|
|
if (tstate->covered_by_sys_notify) {
|
|
if (tstate->recursive) {
|
|
- i_filter = instance->internal_subdir_filter;
|
|
+ i_filter = watcher.sys_subdir_filter &
|
|
+ instance->instance.subdir_filter;
|
|
} else {
|
|
- i_filter = instance->internal_filter;
|
|
+ i_filter = watcher.sys_filter &
|
|
+ instance->instance.filter;
|
|
}
|
|
} else {
|
|
if (tstate->recursive) {
|
|
@@ -1146,46 +1247,39 @@ static int notifyd_add_proxy_syswatches(struct db_record *rec,
|
|
struct db_context *db = dbwrap_record_get_db(rec);
|
|
TDB_DATA key = dbwrap_record_get_key(rec);
|
|
TDB_DATA value = dbwrap_record_get_value(rec);
|
|
- struct notifyd_instance *instances = NULL;
|
|
- size_t num_instances = 0;
|
|
- size_t i;
|
|
+ struct notifyd_watcher watcher = {};
|
|
char path[key.dsize+1];
|
|
bool ok;
|
|
+ int ret;
|
|
|
|
memcpy(path, key.dptr, key.dsize);
|
|
path[key.dsize] = '\0';
|
|
|
|
- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
|
|
- &num_instances);
|
|
+ /* This is a remote database, we just need the watcher. */
|
|
+ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL);
|
|
if (!ok) {
|
|
DBG_WARNING("Could not parse notifyd entry for %s\n", path);
|
|
return 0;
|
|
}
|
|
|
|
- for (i=0; i<num_instances; i++) {
|
|
- struct notifyd_instance *instance = &instances[i];
|
|
- uint32_t filter = instance->instance.filter;
|
|
- uint32_t subdir_filter = instance->instance.subdir_filter;
|
|
- int ret;
|
|
+ watcher.sys_watch = NULL;
|
|
+ watcher.sys_filter = watcher.filter;
|
|
+ watcher.sys_subdir_filter = watcher.subdir_filter;
|
|
|
|
- /*
|
|
- * This is a remote database. Pointers that we were
|
|
- * given don't make sense locally. Initialize to NULL
|
|
- * in case sys_notify_watch fails.
|
|
- */
|
|
- instances[i].sys_watch = NULL;
|
|
-
|
|
- ret = state->sys_notify_watch(
|
|
- db, state->sys_notify_ctx, path,
|
|
- &filter, &subdir_filter,
|
|
- notifyd_sys_callback, state->msg_ctx,
|
|
- &instance->sys_watch);
|
|
- if (ret != 0) {
|
|
- DBG_WARNING("inotify_watch returned %s\n",
|
|
- strerror(errno));
|
|
- }
|
|
+ ret = state->sys_notify_watch(db,
|
|
+ state->sys_notify_ctx,
|
|
+ path,
|
|
+ &watcher.filter,
|
|
+ &watcher.subdir_filter,
|
|
+ notifyd_sys_callback,
|
|
+ state->msg_ctx,
|
|
+ &watcher.sys_watch);
|
|
+ if (ret != 0) {
|
|
+ DBG_WARNING("inotify_watch returned %s\n", strerror(errno));
|
|
}
|
|
|
|
+ memcpy(value.dptr, &watcher, sizeof(struct notifyd_watcher));
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
@@ -1193,21 +1287,17 @@ static int notifyd_db_del_syswatches(struct db_record *rec, void *private_data)
|
|
{
|
|
TDB_DATA key = dbwrap_record_get_key(rec);
|
|
TDB_DATA value = dbwrap_record_get_value(rec);
|
|
- struct notifyd_instance *instances = NULL;
|
|
- size_t num_instances = 0;
|
|
- size_t i;
|
|
+ struct notifyd_watcher watcher = {};
|
|
bool ok;
|
|
|
|
- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
|
|
- &num_instances);
|
|
+ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL);
|
|
if (!ok) {
|
|
DBG_WARNING("Could not parse notifyd entry for %.*s\n",
|
|
(int)key.dsize, (char *)key.dptr);
|
|
return 0;
|
|
}
|
|
- for (i=0; i<num_instances; i++) {
|
|
- TALLOC_FREE(instances[i].sys_watch);
|
|
- }
|
|
+ TALLOC_FREE(watcher.sys_watch);
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
diff --git a/source3/smbd/notifyd/notifyd_db.c b/source3/smbd/notifyd/notifyd_db.c
|
|
index 18228619e9a..7dc3cd58081 100644
|
|
--- a/source3/smbd/notifyd/notifyd_db.c
|
|
+++ b/source3/smbd/notifyd/notifyd_db.c
|
|
@@ -40,7 +40,10 @@ static bool notifyd_parse_db_parser(TDB_DATA key, TDB_DATA value,
|
|
memcpy(path, key.dptr, key.dsize);
|
|
path[key.dsize] = 0;
|
|
|
|
- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
|
|
+ ok = notifyd_parse_entry(value.dptr,
|
|
+ value.dsize,
|
|
+ NULL,
|
|
+ &instances,
|
|
&num_instances);
|
|
if (!ok) {
|
|
DBG_DEBUG("Could not parse entry for path %s\n", path);
|
|
diff --git a/source3/smbd/notifyd/notifyd_entry.c b/source3/smbd/notifyd/notifyd_entry.c
|
|
index 539010de03a..f3b0e908136 100644
|
|
--- a/source3/smbd/notifyd/notifyd_entry.c
|
|
+++ b/source3/smbd/notifyd/notifyd_entry.c
|
|
@@ -21,22 +21,51 @@
|
|
* Parse an entry in the notifyd_context->entries database
|
|
*/
|
|
|
|
-bool notifyd_parse_entry(
|
|
- uint8_t *buf,
|
|
- size_t buflen,
|
|
- struct notifyd_instance **instances,
|
|
- size_t *num_instances)
|
|
+/**
|
|
+ * @brief Parse a notifyd database entry.
|
|
+ *
|
|
+ * The memory we pass down needs to be aligned. If it isn't aligned we can run
|
|
+ * into obscure errors as we just point into the data buffer.
|
|
+ *
|
|
+ * @param data The data to parse
|
|
+ * @param data_len The length of the data to parse
|
|
+ * @param watcher A pointer to store the watcher data or NULL.
|
|
+ * @param instances A pointer to store the array of notify instances or NULL.
|
|
+ * @param pnum_instances The number of elements in the array. If you just want
|
|
+ * the number of elements pass NULL for the watcher and instances pointers.
|
|
+ *
|
|
+ * @return true on success, false if an error occurred.
|
|
+ */
|
|
+bool notifyd_parse_entry(uint8_t *data,
|
|
+ size_t data_len,
|
|
+ struct notifyd_watcher *watcher,
|
|
+ struct notifyd_instance **instances,
|
|
+ size_t *pnum_instances)
|
|
{
|
|
- if ((buflen % sizeof(struct notifyd_instance)) != 0) {
|
|
- DBG_WARNING("invalid buffer size: %zu\n", buflen);
|
|
+ size_t ilen;
|
|
+
|
|
+ if (data_len < sizeof(struct notifyd_watcher)) {
|
|
return false;
|
|
}
|
|
|
|
- if (instances != NULL) {
|
|
- *instances = (struct notifyd_instance *)buf;
|
|
+ if (watcher != NULL) {
|
|
+ *watcher = *((struct notifyd_watcher *)(uintptr_t)data);
|
|
}
|
|
- if (num_instances != NULL) {
|
|
- *num_instances = buflen / sizeof(struct notifyd_instance);
|
|
+
|
|
+ ilen = data_len - sizeof(struct notifyd_watcher);
|
|
+ if ((ilen % sizeof(struct notifyd_instance)) != 0) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (pnum_instances != NULL) {
|
|
+ *pnum_instances = ilen / sizeof(struct notifyd_instance);
|
|
}
|
|
+ if (instances != NULL) {
|
|
+ /* The (uintptr_t) cast removes a warning from -Wcast-align. */
|
|
+ *instances =
|
|
+ (struct notifyd_instance *)(uintptr_t)
|
|
+ (data + sizeof(struct notifyd_watcher));
|
|
+ }
|
|
+
|
|
return true;
|
|
}
|
|
diff --git a/source3/smbd/notifyd/notifyd_private.h b/source3/smbd/notifyd/notifyd_private.h
|
|
index 36c08f47c54..db8e6e1c005 100644
|
|
--- a/source3/smbd/notifyd/notifyd_private.h
|
|
+++ b/source3/smbd/notifyd/notifyd_private.h
|
|
@@ -20,30 +20,48 @@
|
|
#include "lib/util/server_id.h"
|
|
#include "notifyd.h"
|
|
|
|
+
|
|
/*
|
|
- * notifyd's representation of a notify instance
|
|
+ * Representation of a watcher for a path
|
|
+ *
|
|
+ * This will be stored in the db.
|
|
*/
|
|
-struct notifyd_instance {
|
|
- struct server_id client;
|
|
- struct notify_instance instance;
|
|
-
|
|
- void *sys_watch; /* inotify/fam/etc handle */
|
|
+struct notifyd_watcher {
|
|
+ /*
|
|
+ * This is an intersections of the filter the watcher is listening for.
|
|
+ */
|
|
+ uint32_t filter;
|
|
+ uint32_t subdir_filter;
|
|
|
|
/*
|
|
- * Filters after sys_watch took responsibility of some bits
|
|
+ * Those are inout variables passed to the sys_watcher. The sys_watcher
|
|
+ * will remove the bits it can't handle.
|
|
*/
|
|
- uint32_t internal_filter;
|
|
- uint32_t internal_subdir_filter;
|
|
+ uint32_t sys_filter;
|
|
+ uint32_t sys_subdir_filter;
|
|
+
|
|
+ /* The handle for inotify/fam etc. */
|
|
+ void *sys_watch;
|
|
+};
|
|
+
|
|
+/*
|
|
+ * Representation of a notifyd instance
|
|
+ *
|
|
+ * This will be stored in the db.
|
|
+ */
|
|
+struct notifyd_instance {
|
|
+ struct server_id client;
|
|
+ struct notify_instance instance;
|
|
};
|
|
|
|
/*
|
|
* Parse an entry in the notifyd_context->entries database
|
|
*/
|
|
|
|
-bool notifyd_parse_entry(
|
|
- uint8_t *buf,
|
|
- size_t buflen,
|
|
- struct notifyd_instance **instances,
|
|
- size_t *num_instances);
|
|
+bool notifyd_parse_entry(uint8_t *data,
|
|
+ size_t data_len,
|
|
+ struct notifyd_watcher *watcher,
|
|
+ struct notifyd_instance **instances,
|
|
+ size_t *num_instances);
|
|
|
|
#endif
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From da6309049eb21ec5cd6bdf7942203960adbc37c0 Mon Sep 17 00:00:00 2001
|
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Date: Thu, 5 Dec 2024 16:35:51 +1300
|
|
Subject: [PATCH 02/24] util: add a crypt wrapper, derived from
|
|
dsdb:password_hash
|
|
|
|
This is going to be used by the dsdb password_hash module, and exposed
|
|
to Python via pyglue.
|
|
|
|
We're doing this because Python 3.13 has dropped crypt from the Python
|
|
standard library.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756
|
|
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 93bc860e8f344a96d0496edbc5d463f2c5411fcd)
|
|
---
|
|
lib/util/util_crypt.c | 90 ++++++++++++++++++++++++++++++++++++++++++
|
|
lib/util/util_crypt.h | 5 +++
|
|
lib/util/wscript_build | 6 +++
|
|
3 files changed, 101 insertions(+)
|
|
create mode 100644 lib/util/util_crypt.c
|
|
create mode 100644 lib/util/util_crypt.h
|
|
|
|
diff --git a/lib/util/util_crypt.c b/lib/util/util_crypt.c
|
|
new file mode 100644
|
|
index 00000000000..0f7b2d0fd31
|
|
--- /dev/null
|
|
+++ b/lib/util/util_crypt.c
|
|
@@ -0,0 +1,90 @@
|
|
+#include <replace.h>
|
|
+#include "data_blob.h"
|
|
+#include <talloc.h>
|
|
+#include <crypt.h>
|
|
+#include "util_crypt.h"
|
|
+
|
|
+
|
|
+static int crypt_as_best_we_can(const char *phrase,
|
|
+ const char *setting,
|
|
+ const char **hashp)
|
|
+{
|
|
+ int ret = 0;
|
|
+ const char *hash = NULL;
|
|
+
|
|
+#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN)
|
|
+ struct crypt_data crypt_data = {
|
|
+ .initialized = 0 /* working storage used by crypt */
|
|
+ };
|
|
+#endif
|
|
+
|
|
+ /*
|
|
+ * crypt_r() and crypt() may return a null pointer upon error
|
|
+ * depending on how libcrypt was configured, so we prefer
|
|
+ * crypt_rn() from libcrypt / libxcrypt which always returns
|
|
+ * NULL on error.
|
|
+ *
|
|
+ * POSIX specifies returning a null pointer and setting
|
|
+ * errno.
|
|
+ *
|
|
+ * RHEL 7 (which does not use libcrypt / libxcrypt) returns a
|
|
+ * non-NULL pointer from crypt_r() on success but (always?)
|
|
+ * sets errno during internal processing in the NSS crypto
|
|
+ * subsystem.
|
|
+ *
|
|
+ * By preferring crypt_rn we avoid the 'return non-NULL but
|
|
+ * set-errno' that we otherwise cannot tell apart from the
|
|
+ * RHEL 7 behaviour.
|
|
+ */
|
|
+ errno = 0;
|
|
+
|
|
+#ifdef HAVE_CRYPT_RN
|
|
+ hash = crypt_rn(phrase, setting,
|
|
+ &crypt_data,
|
|
+ sizeof(crypt_data));
|
|
+#elif HAVE_CRYPT_R
|
|
+ hash = crypt_r(phrase, setting, &crypt_data);
|
|
+#else
|
|
+ /*
|
|
+ * No crypt_r falling back to crypt, which is NOT thread safe
|
|
+ * Thread safety MT-Unsafe race:crypt
|
|
+ */
|
|
+ hash = crypt(phrase, setting);
|
|
+#endif
|
|
+ /*
|
|
+ * On error, crypt() and crypt_r() may return a null pointer,
|
|
+ * or a pointer to an invalid hash beginning with a '*'.
|
|
+ */
|
|
+ ret = errno;
|
|
+ errno = 0;
|
|
+ if (hash == NULL || hash[0] == '*') {
|
|
+ if (ret == 0) {
|
|
+ /* this is annoying */
|
|
+ ret = ENOTRECOVERABLE;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ *hashp = hash;
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+
|
|
+int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
|
|
+ const char *phrase,
|
|
+ const char *setting,
|
|
+ DATA_BLOB *blob)
|
|
+{
|
|
+ const char *hash = NULL;
|
|
+ int ret = crypt_as_best_we_can(phrase, setting, &hash);
|
|
+ if (ret != 0) {
|
|
+ blob->data = NULL;
|
|
+ blob->length = 0;
|
|
+ return ret;
|
|
+ }
|
|
+ blob->length = strlen(hash);
|
|
+ blob->data = talloc_memdup(mem_ctx, hash, blob->length);
|
|
+ if (blob->data == NULL) {
|
|
+ return ENOMEM;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
diff --git a/lib/util/util_crypt.h b/lib/util/util_crypt.h
|
|
new file mode 100644
|
|
index 00000000000..8c289e489e8
|
|
--- /dev/null
|
|
+++ b/lib/util/util_crypt.h
|
|
@@ -0,0 +1,5 @@
|
|
+
|
|
+int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
|
|
+ const char *phrase,
|
|
+ const char *cmd,
|
|
+ DATA_BLOB *blob);
|
|
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
|
|
index b4fcfeaba07..7de9c0b7b17 100644
|
|
--- a/lib/util/wscript_build
|
|
+++ b/lib/util/wscript_build
|
|
@@ -253,6 +253,12 @@ else:
|
|
private_library=True,
|
|
local_include=False)
|
|
|
|
+ bld.SAMBA_LIBRARY('util_crypt',
|
|
+ source='util_crypt.c',
|
|
+ deps='talloc crypt',
|
|
+ private_library=True,
|
|
+ local_include=False)
|
|
+
|
|
|
|
bld.SAMBA_SUBSYSTEM('UNIX_PRIVS',
|
|
source='unix_privs.c',
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 334093563640f232bb337675417f1e8a410987de Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
|
|
Date: Mon, 20 Jan 2025 16:00:51 +0100
|
|
Subject: [PATCH 03/24] s3: Add new keytab specifiers
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
|
|
|
|
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 15e191736d3eaba83b2fb4b901e1df2214526b64)
|
|
---
|
|
selftest/target/Samba3.pm | 3 +-
|
|
source3/libads/kerberos_keytab.c | 631 +++++++++++++--------
|
|
source3/script/tests/test_update_keytab.sh | 449 +++++++++++----
|
|
3 files changed, 730 insertions(+), 353 deletions(-)
|
|
|
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
index 17343e63e52..cc4498ff36e 100755
|
|
--- a/selftest/target/Samba3.pm
|
|
+++ b/selftest/target/Samba3.pm
|
|
@@ -807,7 +807,8 @@ sub provision_ad_member
|
|
\"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\
|
|
- \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
|
|
+ \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\
|
|
+ \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
|
|
";
|
|
}
|
|
|
|
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
index dbf8af44c1f..619a7bda0d4 100644
|
|
--- a/source3/libads/kerberos_keytab.c
|
|
+++ b/source3/libads/kerberos_keytab.c
|
|
@@ -30,6 +30,7 @@
|
|
#include "ads.h"
|
|
#include "secrets.h"
|
|
#include "librpc/gen_ndr/ndr_secrets.h"
|
|
+#include "lib/util/string_wrappers.h"
|
|
|
|
#ifdef HAVE_KRB5
|
|
|
|
@@ -41,44 +42,59 @@
|
|
#endif
|
|
|
|
enum spn_spec_type {
|
|
- SPN_SPEC_DEFAULT,
|
|
- SPN_SPEC_SYNC,
|
|
+ SPN_SPEC_ACCOUNT_NAME,
|
|
+ SPN_SPEC_SYNC_ACCOUNT_NAME,
|
|
+ SPN_SPEC_HOST,
|
|
+ SPN_SPEC_SYNC_UPN,
|
|
+ SPN_SPEC_SYNC_SPNS,
|
|
SPN_SPEC_FULL,
|
|
- SPN_SPEC_PREFIX
|
|
+ SPN_SPEC_PREFIX,
|
|
+ SPN_SPEC_MAX
|
|
};
|
|
|
|
-/* pw2kt_conf contains 1 parsed line from "sync machine password to keytab" */
|
|
-struct pw2kt_conf {
|
|
- enum spn_spec_type spn_spec;
|
|
+/* Specifier */
|
|
+struct pw2kt_specifier {
|
|
+ bool is_set;
|
|
+ char **spn_spec_vals; /* Array of full SPNs or prefixes */
|
|
+};
|
|
+
|
|
+/* Descriptor contains 1 parsed line from "sync machine password to keytab" */
|
|
+struct pw2kt_keytab_desc {
|
|
char *keytab;
|
|
bool sync_etypes;
|
|
bool sync_kvno;
|
|
bool additional_dns_hostnames;
|
|
bool netbios_aliases;
|
|
bool machine_password;
|
|
- char **spn_spec_array;
|
|
- size_t num_spn_spec;
|
|
+ struct pw2kt_specifier spec_array[SPN_SPEC_MAX];
|
|
};
|
|
|
|
-/* State used by pw2kt */
|
|
-struct pw2kt_state {
|
|
+/* Global state - stores initial data */
|
|
+struct pw2kt_global_state {
|
|
/* Array of parsed lines from "sync machine password to keytab" */
|
|
- struct pw2kt_conf *keytabs;
|
|
- size_t num_keytabs;
|
|
+ struct pw2kt_keytab_desc *keytabs;
|
|
+ /* Accumulated configuration from all keytabs */
|
|
bool sync_etypes;
|
|
bool sync_kvno;
|
|
bool sync_spns;
|
|
+ bool sync_upn;
|
|
+ bool sync_sam_account;
|
|
/* These are from DC */
|
|
krb5_kvno ad_kvno;
|
|
uint32_t ad_etypes;
|
|
+ char *ad_upn;
|
|
+ char *ad_sam_account;
|
|
char **ad_spn_array;
|
|
size_t ad_num_spns;
|
|
/* This is from secrets.db */
|
|
struct secrets_domain_info1 *info;
|
|
};
|
|
|
|
-/* State used by pw2kt_process_keytab */
|
|
-struct pw2kt_process_state {
|
|
+/*
|
|
+ * Manages krb5lib data created during processing of 'global state'.
|
|
+ * One instance per keytab.
|
|
+ */
|
|
+struct pw2kt_keytab_state {
|
|
krb5_keytab keytab;
|
|
krb5_context context;
|
|
krb5_keytab_entry *array1;
|
|
@@ -88,151 +104,206 @@ struct pw2kt_process_state {
|
|
krb5_enctype preferred_etype;
|
|
};
|
|
|
|
-static ADS_STATUS pw2kt_scan_add_spn(TALLOC_CTX *ctx,
|
|
- const char *spn,
|
|
- struct pw2kt_conf *conf)
|
|
+static ADS_STATUS pw2kt_add_val(TALLOC_CTX *ctx,
|
|
+ struct pw2kt_specifier *spec,
|
|
+ const char *spn_val)
|
|
{
|
|
- conf->spn_spec_array = talloc_realloc(ctx,
|
|
- conf->spn_spec_array,
|
|
- char *,
|
|
- conf->num_spn_spec + 1);
|
|
- if (conf->spn_spec_array == NULL) {
|
|
+ size_t len = talloc_array_length(spec->spn_spec_vals);
|
|
+ spec->spn_spec_vals = talloc_realloc(ctx,
|
|
+ spec->spn_spec_vals,
|
|
+ char *,
|
|
+ len + 1);
|
|
+ if (spec->spn_spec_vals == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
- conf->spn_spec_array[conf->num_spn_spec] = talloc_strdup(
|
|
- conf->spn_spec_array, spn);
|
|
- if (conf->spn_spec_array[conf->num_spn_spec] == NULL) {
|
|
+ spec->spn_spec_vals[len] = talloc_strdup(spec->spn_spec_vals, spn_val);
|
|
+ if (spec->spn_spec_vals[len] == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
- conf->num_spn_spec++;
|
|
|
|
return ADS_SUCCESS;
|
|
}
|
|
|
|
+static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx,
|
|
+ struct pw2kt_global_state *gstate,
|
|
+ struct pw2kt_keytab_desc *desc,
|
|
+ const char *option)
|
|
+{
|
|
+ enum spn_spec_type spec_type;
|
|
+ struct pw2kt_specifier *spec;
|
|
+ char *vals = NULL;
|
|
+ char *tmp = NULL;
|
|
+ ADS_STATUS status;
|
|
+
|
|
+ /* First check for options sync_kvno, sync_etypes, ... */
|
|
+ if (strequal(option, "sync_kvno")) {
|
|
+ desc->sync_kvno = gstate->sync_kvno = true;
|
|
+ return ADS_SUCCESS;
|
|
+ } else if (strequal(option, "sync_etypes")) {
|
|
+ desc->sync_etypes = gstate->sync_etypes = true;
|
|
+ return ADS_SUCCESS;
|
|
+ } else if (strequal(option, "additional_dns_hostnames")) {
|
|
+ desc->additional_dns_hostnames = true;
|
|
+ return ADS_SUCCESS;
|
|
+ } else if (strequal(option, "netbios_aliases")) {
|
|
+ desc->netbios_aliases = true;
|
|
+ return ADS_SUCCESS;
|
|
+ } else if (strequal(option, "machine_password")) {
|
|
+ desc->machine_password = true;
|
|
+ return ADS_SUCCESS;
|
|
+ }
|
|
+
|
|
+ vals = strchr_m(option, '=');
|
|
+ if (vals != NULL) {
|
|
+ *vals = 0;
|
|
+ vals++;
|
|
+ }
|
|
+
|
|
+ if (strequal(option, "account_name")) {
|
|
+ spec_type = SPN_SPEC_ACCOUNT_NAME;
|
|
+ } else if (strequal(option, "sync_account_name")) {
|
|
+ spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME;
|
|
+ gstate->sync_sam_account = true;
|
|
+ } else if (strequal(option, "host")) {
|
|
+ spec_type = SPN_SPEC_HOST;
|
|
+ } else if (strequal(option, "sync_upn")) {
|
|
+ spec_type = SPN_SPEC_SYNC_UPN;
|
|
+ gstate->sync_upn = true;
|
|
+ } else if (strequal(option, "sync_spns")) {
|
|
+ spec_type = SPN_SPEC_SYNC_SPNS;
|
|
+ gstate->sync_spns = true;
|
|
+ } else if (strequal(option, "spns")) {
|
|
+ spec_type = SPN_SPEC_FULL;
|
|
+ } else if (strequal(option, "spn_prefixes")) {
|
|
+ spec_type = SPN_SPEC_PREFIX;
|
|
+ } else {
|
|
+ DBG_ERR("Invalid option: '%s'\n", option);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
+ }
|
|
+
|
|
+ desc->spec_array[spec_type].is_set = true;
|
|
+ if (spec_type != SPN_SPEC_PREFIX && spec_type != SPN_SPEC_FULL) {
|
|
+ return ADS_SUCCESS;
|
|
+ }
|
|
+ if (vals == NULL) {
|
|
+ DBG_ERR("SPN specifier: %s is missing '='\n", option);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
+ }
|
|
+ spec = &desc->spec_array[spec_type];
|
|
+
|
|
+ /* Entries are separated via ',' */
|
|
+ while ((tmp = strchr_m(vals, ',')) != NULL) {
|
|
+ *tmp = 0;
|
|
+ tmp++;
|
|
+ status = pw2kt_add_val(ctx, spec, vals);
|
|
+ if (!ADS_ERR_OK(status)) {
|
|
+ return status;
|
|
+ }
|
|
+ vals = tmp;
|
|
+ if (*vals == 0) {
|
|
+ DBG_ERR("Invalid syntax (trailing ','): %s\n", option);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
+ }
|
|
+ }
|
|
+ /* Process the last entry */
|
|
+ return pw2kt_add_val(ctx, spec, vals);
|
|
+}
|
|
+
|
|
/*
|
|
* Parse the smb.conf and find out if it is needed to read from DC:
|
|
- * - servicePrincipalNames
|
|
+ * - servicePrincipalName
|
|
* - msDs-KeyVersionNumber
|
|
+ * - userPrincipalName
|
|
+ * - sAMAccountName
|
|
+ *
|
|
+ * Example of a line:
|
|
+ * /etc/krb5/krb5.keytab:account_name:snps=s1@REALM.COM,spn2@REALM.ORG:host:sync_kvno:machine_password
|
|
*/
|
|
-static ADS_STATUS pw2kt_scan_line(const char *line, struct pw2kt_state *state)
|
|
+static ADS_STATUS pw2kt_scan_line(const char *line,
|
|
+ struct pw2kt_global_state *gstate)
|
|
{
|
|
- char *keytabname = NULL;
|
|
- char *spn_spec = NULL;
|
|
- char *spn_val = NULL;
|
|
- char *option = NULL;
|
|
- struct pw2kt_conf *conf = NULL;
|
|
+ char *tmp = NULL;
|
|
+ char *olist = NULL;
|
|
+ struct pw2kt_keytab_desc *desc = NULL;
|
|
ADS_STATUS status;
|
|
+ size_t num_keytabs = talloc_array_length(gstate->keytabs);
|
|
|
|
- state->keytabs = talloc_realloc(state,
|
|
- state->keytabs,
|
|
- struct pw2kt_conf,
|
|
- state->num_keytabs + 1);
|
|
- if (state->keytabs == NULL) {
|
|
+ gstate->keytabs = talloc_realloc(gstate,
|
|
+ gstate->keytabs,
|
|
+ struct pw2kt_keytab_desc,
|
|
+ num_keytabs + 1);
|
|
+ if (gstate->keytabs == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
- conf = &state->keytabs[state->num_keytabs];
|
|
- state->num_keytabs++;
|
|
+ desc = &gstate->keytabs[num_keytabs];
|
|
+ ZERO_STRUCT(*desc);
|
|
|
|
- keytabname = talloc_strdup(state->keytabs, line);
|
|
- if (keytabname == NULL) {
|
|
+ desc->keytab = talloc_strdup(gstate->keytabs, line);
|
|
+ if (desc->keytab == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
|
|
- ZERO_STRUCT(*conf);
|
|
- conf->keytab = keytabname;
|
|
- spn_spec = strchr_m(keytabname, ':');
|
|
- if (spn_spec == NULL) {
|
|
- DBG_ERR("Invalid format! ':' expected in '%s'\n", keytabname);
|
|
+ olist = strchr_m(desc->keytab, ':');
|
|
+ if (olist == NULL) {
|
|
+ DBG_ERR("Invalid format! ':' expected in '%s'\n", line);
|
|
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
}
|
|
- *spn_spec++ = 0;
|
|
-
|
|
- /* reverse match with strrchr_m() */
|
|
- while ((option = strrchr_m(spn_spec, ':')) != NULL) {
|
|
- *option++ = 0;
|
|
- if (strequal(option, "sync_kvno")) {
|
|
- conf->sync_kvno = state->sync_kvno = true;
|
|
- } else if (strequal(option, "sync_etypes")) {
|
|
- conf->sync_etypes = state->sync_etypes = true;
|
|
- } else if (strequal(option, "additional_dns_hostnames")) {
|
|
- conf->additional_dns_hostnames = true;
|
|
- } else if (strequal(option, "netbios_aliases")) {
|
|
- conf->netbios_aliases = true;
|
|
- } else if (strequal(option, "machine_password")) {
|
|
- conf->machine_password = true;
|
|
- } else {
|
|
- DBG_WARNING("Unknown option '%s'!\n", option);
|
|
- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
- }
|
|
- }
|
|
+ *olist = 0;
|
|
+ olist++;
|
|
|
|
- spn_val = strchr_m(spn_spec, '=');
|
|
- if (spn_val != NULL) {
|
|
- *spn_val++ = 0;
|
|
- }
|
|
+ /* Always add 'host' principal */
|
|
+ desc->spec_array[SPN_SPEC_HOST].is_set = true;
|
|
|
|
- if (strcmp(spn_spec, "account_name") == 0) {
|
|
- conf->spn_spec = SPN_SPEC_DEFAULT;
|
|
- } else if (strcmp(spn_spec, "sync_spns") == 0) {
|
|
- conf->spn_spec = SPN_SPEC_SYNC;
|
|
- state->sync_spns = true;
|
|
- } else if (strcmp(spn_spec, "spns") == 0 ||
|
|
- strcmp(spn_spec, "spn_prefixes") == 0)
|
|
- {
|
|
- char *spn = NULL, *tmp = NULL;
|
|
-
|
|
- conf->spn_spec = strcmp(spn_spec, "spns") == 0
|
|
- ? SPN_SPEC_FULL
|
|
- : SPN_SPEC_PREFIX;
|
|
- conf->num_spn_spec = 0;
|
|
- spn = spn_val;
|
|
- while ((tmp = strchr_m(spn, ',')) != NULL) {
|
|
- *tmp++ = 0;
|
|
- status = pw2kt_scan_add_spn(state->keytabs, spn, conf);
|
|
- if (!ADS_ERR_OK(status)) {
|
|
- return status;
|
|
- }
|
|
- spn = tmp;
|
|
+ /* Entries are separated via ':' */
|
|
+ while ((tmp = strchr_m(olist, ':')) != NULL) {
|
|
+ *tmp = 0;
|
|
+ tmp++;
|
|
+ status = pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist);
|
|
+ if (!ADS_ERR_OK(status)) {
|
|
+ return status;
|
|
+ }
|
|
+ olist = tmp;
|
|
+ if (*olist == 0) {
|
|
+ DBG_ERR("Invalid syntax (trailing ':'): %s\n", line);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
}
|
|
- /* Do not forget the last entry */
|
|
- return pw2kt_scan_add_spn(state->keytabs, spn, conf);
|
|
- } else {
|
|
- DBG_WARNING("Invalid SPN specifier: %s\n", spn_spec);
|
|
- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
}
|
|
-
|
|
- return ADS_SUCCESS;
|
|
+ /* Process the last entry */
|
|
+ return pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist);
|
|
}
|
|
|
|
/*
|
|
- * Fill struct pw2kt_state with defaults if "sync machine password to keytab"
|
|
- * is missing in smb.conf
|
|
+ * Fill struct pw2kt_global_state with defaults if
|
|
+ * "sync machine password to keytab" is missing in smb.conf
|
|
+ * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host).
|
|
*/
|
|
-static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state)
|
|
+static ADS_STATUS pw2kt_default_cfg(const char *name,
|
|
+ struct pw2kt_global_state *state)
|
|
{
|
|
char *keytabname = NULL;
|
|
- struct pw2kt_conf *conf = NULL;
|
|
+ struct pw2kt_keytab_desc *desc = NULL;
|
|
|
|
state->keytabs = talloc_zero_array(state->keytabs,
|
|
- struct pw2kt_conf,
|
|
+ struct pw2kt_keytab_desc,
|
|
1);
|
|
if (state->keytabs == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
- conf = &state->keytabs[0];
|
|
- state->num_keytabs = 1;
|
|
+ desc = &state->keytabs[0];
|
|
|
|
keytabname = talloc_strdup(state->keytabs, name);
|
|
if (keytabname == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
-
|
|
- conf->spn_spec = SPN_SPEC_SYNC;
|
|
- conf->keytab = keytabname;
|
|
- conf->machine_password = true;
|
|
- conf->sync_kvno = state->sync_kvno = true;
|
|
+ desc->keytab = keytabname;
|
|
+ desc->machine_password = true;
|
|
+ desc->sync_kvno = state->sync_kvno = true;
|
|
state->sync_spns = true;
|
|
|
|
+ desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true;
|
|
+ desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true;
|
|
+ desc->spec_array[SPN_SPEC_HOST].is_set = true;
|
|
+
|
|
return ADS_SUCCESS;
|
|
}
|
|
|
|
@@ -240,7 +311,7 @@ static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state)
|
|
* For the given principal add to the array entries created from all pw->keys[]
|
|
*/
|
|
static krb5_error_code pw2kt_process_add_pw(
|
|
- struct pw2kt_process_state *state2,
|
|
+ struct pw2kt_keytab_state *state2,
|
|
krb5_principal princ,
|
|
krb5_kvno vno,
|
|
struct secrets_domain_info1_password *pw)
|
|
@@ -287,11 +358,10 @@ static krb5_error_code pw2kt_process_add_pw(
|
|
* For the given principal add to the array entries based on password,
|
|
* old_password, older_password and next_change->password.
|
|
*/
|
|
-static krb5_error_code pw2kt_process_add_info(
|
|
- struct pw2kt_process_state *state2,
|
|
- krb5_kvno kvno,
|
|
- const char *princs,
|
|
- struct secrets_domain_info1 *info)
|
|
+static krb5_error_code pw2kt_process_add_info(struct pw2kt_keytab_state *state2,
|
|
+ krb5_kvno kvno,
|
|
+ const char *princs,
|
|
+ struct secrets_domain_info1 *info)
|
|
{
|
|
krb5_error_code ret;
|
|
krb5_principal princ = NULL;
|
|
@@ -336,7 +406,7 @@ static krb5_error_code pw2kt_process_add_info(
|
|
return ret;
|
|
}
|
|
|
|
-static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2)
|
|
+static int pw2kt_keytab_state_destructor(struct pw2kt_keytab_state *state2)
|
|
{
|
|
int i;
|
|
size_t len2 = talloc_array_length(state2->array2);
|
|
@@ -356,7 +426,7 @@ static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2)
|
|
}
|
|
|
|
/* Read the whole keytab to krb5_keytab_entry array */
|
|
-static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2)
|
|
+static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_keytab_state *state2)
|
|
{
|
|
krb5_error_code ret = 0, ret2 = 0;
|
|
krb5_kt_cursor cursor;
|
|
@@ -402,18 +472,173 @@ static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2)
|
|
return ret != 0 ? ret : ret2;
|
|
}
|
|
|
|
-static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state,
|
|
- struct pw2kt_conf *keytabptr)
|
|
+#define ADD_INFO(P) \
|
|
+ ret = pw2kt_process_add_info(state2, kvno, (P), gstate->info); \
|
|
+ if (ret != 0) { \
|
|
+ return ADS_ERROR_KRB5(ret); \
|
|
+ }
|
|
+
|
|
+static ADS_STATUS pw2kt_add_prefix(struct pw2kt_global_state *gstate,
|
|
+ struct pw2kt_keytab_state *state2,
|
|
+ struct pw2kt_keytab_desc *keytabptr,
|
|
+ const char *prefix)
|
|
{
|
|
krb5_error_code ret = 0;
|
|
- krb5_kvno kvno = -1;
|
|
- size_t i, j, len1 = 0, len2 = 0;
|
|
+ krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1;
|
|
char *princ_s = NULL;
|
|
const char **netbios_alias = NULL;
|
|
const char **addl_hostnames = NULL;
|
|
+
|
|
+ /* Add prefix/dnshostname@REALM */
|
|
+ princ_s = talloc_asprintf(talloc_tos(),
|
|
+ "%s/%s@%s",
|
|
+ prefix,
|
|
+ lp_dns_hostname(),
|
|
+ lp_realm());
|
|
+ if (princ_s == NULL) {
|
|
+ return ADS_ERROR_KRB5(ENOMEM);
|
|
+ }
|
|
+ ADD_INFO(princ_s);
|
|
+
|
|
+ /* Add prefix/NETBIOSNAME@REALM */
|
|
+ princ_s = talloc_asprintf(talloc_tos(),
|
|
+ "%s/%s@%s",
|
|
+ prefix,
|
|
+ lp_netbios_name(),
|
|
+ lp_realm());
|
|
+ if (princ_s == NULL) {
|
|
+ return ADS_ERROR_KRB5(ENOMEM);
|
|
+ }
|
|
+ ADD_INFO(princ_s);
|
|
+
|
|
+ if (keytabptr->netbios_aliases) {
|
|
+ for (netbios_alias = lp_netbios_aliases();
|
|
+ netbios_alias != NULL && *netbios_alias != NULL;
|
|
+ netbios_alias++)
|
|
+ {
|
|
+ fstring netbios_lower;
|
|
+
|
|
+ fstrcpy(netbios_lower, *netbios_alias);
|
|
+ if (!strlower_m(netbios_lower)) {
|
|
+ return ADS_ERROR_NT(
|
|
+ NT_STATUS_INVALID_PARAMETER);
|
|
+ }
|
|
+
|
|
+ /* Add prefix/NETBIOSALIAS@REALM */
|
|
+ princ_s = talloc_asprintf(talloc_tos(),
|
|
+ "%s/%s@%s",
|
|
+ prefix,
|
|
+ *netbios_alias,
|
|
+ lp_realm());
|
|
+ if (princ_s == NULL) {
|
|
+ return ADS_ERROR_KRB5(ENOMEM);
|
|
+ }
|
|
+ ADD_INFO(princ_s);
|
|
+
|
|
+ /* Add prefix/netbiosalias.dnsdomain@REALM */
|
|
+ princ_s = talloc_asprintf(talloc_tos(),
|
|
+ "%s/%s.%s@%s",
|
|
+ prefix,
|
|
+ netbios_lower,
|
|
+ lp_dnsdomain(),
|
|
+ lp_realm());
|
|
+ if (princ_s == NULL) {
|
|
+ return ADS_ERROR_KRB5(ENOMEM);
|
|
+ }
|
|
+ ADD_INFO(princ_s);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (keytabptr->additional_dns_hostnames) {
|
|
+ for (addl_hostnames = lp_additional_dns_hostnames();
|
|
+ addl_hostnames != NULL && *addl_hostnames != NULL;
|
|
+ addl_hostnames++)
|
|
+ {
|
|
+ /* Add prefix/additionalhostname@REALM */
|
|
+ princ_s = talloc_asprintf(talloc_tos(),
|
|
+ "%s/%s@%s",
|
|
+ prefix,
|
|
+ *addl_hostnames,
|
|
+ lp_realm());
|
|
+ if (princ_s == NULL) {
|
|
+ return ADS_ERROR_KRB5(ENOMEM);
|
|
+ }
|
|
+ ADD_INFO(princ_s);
|
|
+ }
|
|
+ }
|
|
+ return ADS_SUCCESS;
|
|
+}
|
|
+
|
|
+static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate,
|
|
+ struct pw2kt_keytab_state *state2,
|
|
+ struct pw2kt_keytab_desc *keytabptr,
|
|
+ enum spn_spec_type spec_type)
|
|
+{
|
|
+ krb5_error_code ret = 0;
|
|
+ ADS_STATUS status;
|
|
+ krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1;
|
|
+ struct pw2kt_specifier *spec = &keytabptr->spec_array[spec_type];
|
|
+ size_t i, num_spn_spec_vals;
|
|
+
|
|
+ if (!spec->is_set) {
|
|
+ return ADS_SUCCESS;
|
|
+ }
|
|
+ switch (spec_type) {
|
|
+ case SPN_SPEC_ACCOUNT_NAME:
|
|
+ ADD_INFO(gstate->info->account_name);
|
|
+ break;
|
|
+ case SPN_SPEC_SYNC_ACCOUNT_NAME:
|
|
+ ADD_INFO(gstate->ad_sam_account);
|
|
+ break;
|
|
+ case SPN_SPEC_HOST:
|
|
+ status = pw2kt_add_prefix(gstate, state2, keytabptr, "host");
|
|
+ if (!ADS_ERR_OK(status)) {
|
|
+ return status;
|
|
+ }
|
|
+ break;
|
|
+ case SPN_SPEC_SYNC_UPN:
|
|
+ if (gstate->ad_upn != NULL) {
|
|
+ ADD_INFO(gstate->ad_upn);
|
|
+ }
|
|
+ break;
|
|
+ case SPN_SPEC_SYNC_SPNS:
|
|
+ for (i = 0; i < gstate->ad_num_spns; i++) {
|
|
+ ADD_INFO(gstate->ad_spn_array[i]);
|
|
+ }
|
|
+ break;
|
|
+ case SPN_SPEC_FULL:
|
|
+ num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals);
|
|
+ for (i = 0; i < num_spn_spec_vals; i++) {
|
|
+ ADD_INFO(spec->spn_spec_vals[i]);
|
|
+ }
|
|
+ break;
|
|
+ case SPN_SPEC_PREFIX:
|
|
+ num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals);
|
|
+ for (i = 0; i < num_spn_spec_vals; i++) {
|
|
+ status = pw2kt_add_prefix(gstate,
|
|
+ state2,
|
|
+ keytabptr,
|
|
+ spec->spn_spec_vals[i]);
|
|
+ if (!ADS_ERR_OK(status)) {
|
|
+ return status;
|
|
+ }
|
|
+ }
|
|
+ break;
|
|
+ default:
|
|
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
+ }
|
|
+ return ADS_SUCCESS;
|
|
+}
|
|
+
|
|
+static ADS_STATUS pw2kt_process_keytab(struct pw2kt_global_state *state,
|
|
+ struct pw2kt_keytab_desc *keytabptr)
|
|
+{
|
|
+ krb5_error_code ret = 0;
|
|
+ size_t i, j, k, len1 = 0, len2 = 0;
|
|
size_t *index_array1 = NULL;
|
|
size_t *index_array2 = NULL;
|
|
- struct pw2kt_process_state *state2 = NULL;
|
|
+ struct pw2kt_keytab_state *state2 = NULL;
|
|
+ ADS_STATUS status;
|
|
|
|
if (!keytabptr->machine_password) {
|
|
DBG_ERR("No 'machine_password' option for '%s'. Skip it.\n",
|
|
@@ -421,11 +646,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state,
|
|
return ADS_SUCCESS;
|
|
}
|
|
|
|
- state2 = talloc_zero(state, struct pw2kt_process_state);
|
|
+ state2 = talloc_zero(state, struct pw2kt_keytab_state);
|
|
if (state2 == NULL) {
|
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
|
}
|
|
- talloc_set_destructor(state2, pw2kt_process_state_destructor);
|
|
+ talloc_set_destructor(state2, pw2kt_keytab_state_destructor);
|
|
|
|
ret = smb_krb5_init_context_common(&state2->context);
|
|
if (ret != 0) {
|
|
@@ -479,100 +704,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state,
|
|
}
|
|
}
|
|
|
|
- if (keytabptr->sync_kvno) {
|
|
- kvno = state->ad_kvno;
|
|
- }
|
|
-
|
|
-#define ADD_INFO(P) \
|
|
- ret = pw2kt_process_add_info(state2, kvno, (P), state->info); \
|
|
- if (ret != 0) { \
|
|
- return ADS_ERROR_KRB5(ret); \
|
|
- }
|
|
-
|
|
- /* Add ACCOUNTNAME$ entries */
|
|
- switch (keytabptr->spn_spec) {
|
|
- case SPN_SPEC_DEFAULT:
|
|
- ADD_INFO(state->info->account_name);
|
|
- break;
|
|
- case SPN_SPEC_SYNC:
|
|
- for (i = 0; i < state->ad_num_spns; i++) {
|
|
- ADD_INFO(state->ad_spn_array[i]);
|
|
- }
|
|
- break;
|
|
- case SPN_SPEC_FULL:
|
|
- for (i = 0; i < keytabptr->num_spn_spec; i++) {
|
|
- ADD_INFO(keytabptr->spn_spec_array[i]);
|
|
- }
|
|
- break;
|
|
- case SPN_SPEC_PREFIX:
|
|
- for (i = 0; i < keytabptr->num_spn_spec; i++) {
|
|
- princ_s = talloc_asprintf(talloc_tos(),
|
|
- "%s/%s@%s",
|
|
- keytabptr->spn_spec_array[i],
|
|
- lp_netbios_name(),
|
|
- lp_realm());
|
|
- if (princ_s == NULL) {
|
|
- return ADS_ERROR_KRB5(ENOMEM);
|
|
- }
|
|
- ADD_INFO(princ_s);
|
|
-
|
|
- if (!keytabptr->netbios_aliases) {
|
|
- goto additional_dns_hostnames;
|
|
- }
|
|
- for (netbios_alias = lp_netbios_aliases();
|
|
- netbios_alias != NULL && *netbios_alias != NULL;
|
|
- netbios_alias++)
|
|
- {
|
|
- /* Add PREFIX/netbiosname@REALM */
|
|
- princ_s = talloc_asprintf(
|
|
- talloc_tos(),
|
|
- "%s/%s@%s",
|
|
- keytabptr->spn_spec_array[i],
|
|
- *netbios_alias,
|
|
- lp_realm());
|
|
- if (princ_s == NULL) {
|
|
- return ADS_ERROR_KRB5(ENOMEM);
|
|
- }
|
|
- ADD_INFO(princ_s);
|
|
-
|
|
- /* Add PREFIX/netbiosname.domainname@REALM */
|
|
- princ_s = talloc_asprintf(
|
|
- talloc_tos(),
|
|
- "%s/%s.%s@%s",
|
|
- keytabptr->spn_spec_array[i],
|
|
- *netbios_alias,
|
|
- lp_dnsdomain(),
|
|
- lp_realm());
|
|
- if (princ_s == NULL) {
|
|
- return ADS_ERROR_KRB5(ENOMEM);
|
|
- }
|
|
- ADD_INFO(princ_s);
|
|
- }
|
|
-
|
|
-additional_dns_hostnames:
|
|
- if (!keytabptr->additional_dns_hostnames) {
|
|
- continue;
|
|
- }
|
|
- for (addl_hostnames = lp_additional_dns_hostnames();
|
|
- addl_hostnames != NULL && *addl_hostnames != NULL;
|
|
- addl_hostnames++)
|
|
- {
|
|
- /* Add PREFIX/netbiosname@REALM */
|
|
- princ_s = talloc_asprintf(
|
|
- talloc_tos(),
|
|
- "%s/%s@%s",
|
|
- keytabptr->spn_spec_array[i],
|
|
- *addl_hostnames,
|
|
- lp_realm());
|
|
- if (princ_s == NULL) {
|
|
- return ADS_ERROR_KRB5(ENOMEM);
|
|
- }
|
|
- ADD_INFO(princ_s);
|
|
- }
|
|
+ for (k = 0; k < SPN_SPEC_MAX; k++) {
|
|
+ status = pw2kt_process_specifier(state, state2, keytabptr, k);
|
|
+ if (!ADS_ERR_OK(status)) {
|
|
+ return status;
|
|
}
|
|
- break;
|
|
- default:
|
|
- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
|
|
}
|
|
|
|
ret = smb_krb5_kt_open(state2->context,
|
|
@@ -718,7 +854,7 @@ sync_kvno:
|
|
return ADS_ERROR_KRB5(ret);
|
|
}
|
|
|
|
-static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state)
|
|
+static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state)
|
|
{
|
|
ADS_STATUS status;
|
|
LDAPMessage *res = NULL;
|
|
@@ -762,7 +898,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state)
|
|
"msDS-SupportedEncryptionTypes",
|
|
&state->ad_etypes);
|
|
if (!ok) {
|
|
- DBG_WARNING("Failed to determine encryption types.\n");
|
|
+ DBG_ERR("Failed to determine encryption types.\n");
|
|
ads_msgfree(ads, res);
|
|
TALLOC_FREE(tmp_ctx);
|
|
return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
|
|
@@ -773,7 +909,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state)
|
|
uint32_t kvno = -1;
|
|
ok = ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno);
|
|
if (!ok) {
|
|
- DBG_WARNING("Failed to determine the system's kvno.\n");
|
|
+ DBG_ERR("Failed to determine the system's kvno.\n");
|
|
ads_msgfree(ads, res);
|
|
TALLOC_FREE(tmp_ctx);
|
|
return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
|
|
@@ -787,8 +923,34 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state)
|
|
res,
|
|
"servicePrincipalName",
|
|
&state->ad_num_spns);
|
|
- if (state->ad_spn_array == NULL) {
|
|
- DBG_WARNING("Failed to determine SPNs.\n");
|
|
+ if (state->ad_spn_array == NULL || state->ad_num_spns == 0) {
|
|
+ DBG_ERR("Failed to determine servicePrincipalName.\n");
|
|
+ ads_msgfree(ads, res);
|
|
+ TALLOC_FREE(tmp_ctx);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (state->sync_upn) {
|
|
+ state->ad_upn = ads_pull_string(ads,
|
|
+ state,
|
|
+ res,
|
|
+ "userPrincipalName");
|
|
+ if (state->ad_upn == NULL) {
|
|
+ DBG_ERR("Failed to determine userPrincipalName.\n");
|
|
+ ads_msgfree(ads, res);
|
|
+ TALLOC_FREE(tmp_ctx);
|
|
+ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (state->sync_sam_account) {
|
|
+ state->ad_sam_account = ads_pull_string(ads,
|
|
+ state,
|
|
+ res,
|
|
+ "sAMAccountName");
|
|
+ if (state->ad_sam_account == NULL) {
|
|
+ DBG_ERR("Failed to determine sAMAccountName.\n");
|
|
ads_msgfree(ads, res);
|
|
TALLOC_FREE(tmp_ctx);
|
|
return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
|
|
@@ -864,13 +1026,14 @@ NTSTATUS sync_pw2keytabs(void)
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
const struct loadparm_substitution *lp_sub =
|
|
loadparm_s3_global_substitution();
|
|
- struct pw2kt_state *state = NULL;
|
|
+ struct pw2kt_global_state *state = NULL;
|
|
const char **line = NULL;
|
|
const char **lp_ptr = NULL;
|
|
const char *pwsync_script = NULL;
|
|
NTSTATUS status_nt;
|
|
ADS_STATUS status_ads;
|
|
int i;
|
|
+ size_t num_keytabs;
|
|
|
|
DBG_DEBUG("Syncing machine password from secrets to keytabs.\n");
|
|
|
|
@@ -879,7 +1042,7 @@ NTSTATUS sync_pw2keytabs(void)
|
|
return NT_STATUS_OK; /* nothing todo */
|
|
}
|
|
|
|
- state = talloc_zero(frame, struct pw2kt_state);
|
|
+ state = talloc_zero(frame, struct pw2kt_global_state);
|
|
if (state == NULL) {
|
|
TALLOC_FREE(frame);
|
|
return NT_STATUS_NO_MEMORY;
|
|
@@ -921,7 +1084,9 @@ NTSTATUS sync_pw2keytabs(void)
|
|
}
|
|
|
|
params_ready:
|
|
- if (state->sync_etypes || state->sync_kvno || state->sync_spns) {
|
|
+ if (state->sync_etypes || state->sync_kvno || state->sync_spns ||
|
|
+ state->sync_upn || state->sync_sam_account)
|
|
+ {
|
|
status_ads = pw2kt_get_dc_info(state);
|
|
if (!ADS_ERR_OK(status_ads)) {
|
|
DBG_WARNING("cannot read from DC\n");
|
|
@@ -929,9 +1094,10 @@ params_ready:
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
} else {
|
|
- DBG_DEBUG("No 'sync_etypes', 'sync_kvno' and 'sync_spns' in "
|
|
- "parameter 'sync machine password to keytab' => "
|
|
- "no need to talk to DC.\n");
|
|
+ DBG_DEBUG("No 'sync_etypes', 'sync_kvno', 'sync_spns', "
|
|
+ "'sync_upn' and 'sync_sam_account' in parameter "
|
|
+ "'sync machine password to keytab' => no need to "
|
|
+ "talk to DC.\n");
|
|
}
|
|
|
|
if (!secrets_init()) {
|
|
@@ -951,7 +1117,8 @@ params_ready:
|
|
return status_nt;
|
|
}
|
|
|
|
- for (i = 0; i < state->num_keytabs; i++) {
|
|
+ num_keytabs = talloc_array_length(state->keytabs);
|
|
+ for (i = 0; i < num_keytabs; i++) {
|
|
status_ads = pw2kt_process_keytab(state, &state->keytabs[i]);
|
|
if (!ADS_ERR_OK(status_ads)) {
|
|
TALLOC_FREE(frame);
|
|
diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh
|
|
index 2c38b53ccca..82c64984787 100755
|
|
--- a/source3/script/tests/test_update_keytab.sh
|
|
+++ b/source3/script/tests/test_update_keytab.sh
|
|
@@ -20,208 +20,416 @@ samba_net="$BINDIR/net $CONFIGURATION"
|
|
samba_rpcclient="$BINDIR/rpcclient $CONFIGURATION"
|
|
smbclient="${BINDIR}/smbclient"
|
|
|
|
-keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k"
|
|
+keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k keytab4k"
|
|
keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3"
|
|
keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno"
|
|
|
|
-# default, no specifiers
|
|
+# Generate the next ~300 lines for keytab templates using these steps:
|
|
+# make testenv SELFTEST_TESTENV="ad_member_idmap_nss:local"
|
|
+# source3/script/tests/test_update_keytab.sh ADDOMAIN --configfile=st/ad_member_idmap_nss/lib/server.conf
|
|
+# and finally source it from the vim editor
|
|
+# :r! for k in keytab0 keytab0k keytab1 keytab1k keytab2 keytab2k keytab3 keytab3k keytab4k ; do (echo $k=\"\\; bin/net --configfile=st/ad_member_idmap_nss/lib/server.conf ads keytab list /path/st/ad_member_idmap_nss/$k |sort -k3 |grep -v Vno|sed 's/\$/\\$/'; echo '";'; echo ); done
|
|
+
|
|
keytab0="\
|
|
- -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# sync_kvno=yes
|
|
keytab0k="\
|
|
- 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# sync_spns=yes
|
|
keytab1="\
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# sync_spns=yes:sync_kvno=yes
|
|
keytab1k="\
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# spn_prefixes=imap,smtp
|
|
keytab2="\
|
|
+ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# spn_prefixes=imap,smtp:sync_kvno=yes
|
|
keytab2k="\
|
|
- 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# spns=wurst/brot\@$dcvars->{REALM}
|
|
keytab3="\
|
|
+ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
-# spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno=yes
|
|
keytab3k="\
|
|
- 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 3 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+";
|
|
+
|
|
+keytab4k="\
|
|
+ 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
+ 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
# find the biggest vno and store it into global variable vno
|
|
@@ -289,9 +497,9 @@ SED2="s/^ \+-\?[0-9]\+ \+//"
|
|
|
|
compare_keytabs_sync_kvno()
|
|
{
|
|
- sed "$SED1" < "$1" | sort -k1rn -k3 | sed "$SED2" > "${1}.sync_kvno"
|
|
- sed "$SED1" < "$2" | sort -k1rn -k3 | sed "$SED2" > "${2}.sync_kvno"
|
|
- diff --ignore-case "${1}.sync_kvno" "${2}.sync_kvno"
|
|
+ sed "$SED1" < "$1" | sed "$SED2" | sort > "${1}.sync_kvno"
|
|
+ sed "$SED1" < "$2" | sed "$SED2" | sort > "${2}.sync_kvno"
|
|
+ diff "${1}.sync_kvno" "${2}.sync_kvno"
|
|
return $?
|
|
}
|
|
|
|
@@ -299,7 +507,7 @@ compare_keytabs_nosync_kvno()
|
|
{
|
|
sed "$SED1" < "$1" | sort -k1rn -k3 > "${1}.nosync_kvno"
|
|
sed "$SED1" < "$2" | sort -k1rn -k3 > "${2}.nosync_kvno"
|
|
- diff --ignore-case "${1}.nosync_kvno" "${2}.nosync_kvno"
|
|
+ diff "${1}.nosync_kvno" "${2}.nosync_kvno"
|
|
return $?
|
|
}
|
|
|
|
@@ -391,6 +599,7 @@ printf '%s' "$keytab2" > "$TMPDIR/keytab2_template"
|
|
printf '%s' "$keytab2k" > "$TMPDIR/keytab2k_template"
|
|
printf '%s' "$keytab3" > "$TMPDIR/keytab3_template"
|
|
printf '%s' "$keytab3k" > "$TMPDIR/keytab3k_template"
|
|
+printf '%s' "$keytab4k" > "$TMPDIR/keytab4k_template"
|
|
|
|
# Other approach could e.g. compare first six entries from the template.
|
|
# The 6 entries correspond to password and old_password, each has 3 enc. types.
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From f1e0fce49fbd1890da053d05c8511010cb7f2911 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
|
|
Date: Tue, 14 Jan 2025 11:29:54 +0100
|
|
Subject: [PATCH 04/24] docs-xml:smbdotconf: Document new options for 'sync
|
|
machinepassword to keytab'
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
|
|
|
|
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
|
|
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224
|
|
|
|
(cherry picked from commit 7a662e097be5e0d3f7779fa544486968b8f57063)
|
|
---
|
|
docs-xml/manpages/net.8.xml | 24 +++++------
|
|
.../security/syncmachinepasswordtokeytab.xml | 42 ++++++++++++-------
|
|
2 files changed, 38 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
|
|
index f388644172f..8091368a48e 100644
|
|
--- a/docs-xml/manpages/net.8.xml
|
|
+++ b/docs-xml/manpages/net.8.xml
|
|
@@ -1549,29 +1549,25 @@ to show in the result.
|
|
|
|
<para>
|
|
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
|
|
-name="sync machine password to keytab"/>. The keytab is created only for
|
|
+name="sync machine password to keytab"/> . The keytab can be created only when
|
|
+machine password is available in secrets.tdb, i.e. only for
|
|
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
|
|
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
|
|
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
|
|
only</smbconfoption> and <smbconfoption name="sync machine password to keytab"/>
|
|
(default is empty) the keytab is not generated at all. Keytab with a default
|
|
-name and SPNs synced from AD is created for <smbconfoption name="kerberos
|
|
-method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
|
|
-password to keytab"/> is missing.
|
|
+name containing: SPNs synced from AD, account name COMPUTER$ and principal
|
|
+host/dns_hostname is created for <smbconfoption name="kerberos method">secrets
|
|
+and keytab</smbconfoption> if <smbconfoption name="sync machine password to
|
|
+keytab"/> is missing.
|
|
</para>
|
|
<para>
|
|
-Till Samba 4.20.0, two more entries were created by default: the machinename of
|
|
-the client (ending with '$') and the UPN (host/domain@REALM). If these two
|
|
-entries are still needed, each must be specified in an own keytab file.
|
|
-Example below will generate three keytab files that contain SPNs synced from
|
|
-AD, host UPN and machine$ SPN:
|
|
+Till Samba 4.20, these entries were created by default: the account name
|
|
+COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
|
|
+such keytab ('host' is added implicitly):
|
|
</para>
|
|
<programlisting>
|
|
-<smbconfoption name="sync machine password to keytab">
|
|
-/etc/krb5.keytab0:sync_spns:machine_password,
|
|
-/etc/krb5.keytab1:spns=host/smb.com@SMB.COM:machine_password,
|
|
-/etc/krb5.keytab2:account_name:machine_password
|
|
-</smbconfoption>
|
|
+<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
|
|
</programlisting>
|
|
<para>
|
|
No changes are made to the computer AD account.
|
|
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
index f7dc30023d4..02eaf3162c0 100644
|
|
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
@@ -24,36 +24,49 @@ synchronization.
|
|
|
|
Each string has this form:
|
|
<programlisting>
|
|
-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
|
+absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
|
</programlisting>
|
|
|
|
-where spn_spec can have exactly one of these four forms:
|
|
+spn_spec can be specified multiple times (separated using ':') and each spn_spec can have exactly one of these forms:
|
|
<programlisting>
|
|
account_name
|
|
+sync_account_name
|
|
+sync_upn
|
|
sync_spns
|
|
spn_prefixes=value1[,value2[...]]
|
|
spns=value1[,value2[...]]
|
|
</programlisting>
|
|
-No other combinations are allowed.
|
|
</para>
|
|
|
|
<para>
|
|
-Specifiers:
|
|
+Every keytab contains the 'host' principal and principals according the specification below:
|
|
<programlisting>
|
|
-account_name - creates entry using principal 'computer$@REALM'.
|
|
-sync_spns - uses principals received from AD DC.
|
|
-spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified.
|
|
-spns - creates only the principals defined in the list.
|
|
+account_name - COMPUTER$@REALM
|
|
+sync_account_name - uses attribute "sAMAccountName" from AD
|
|
+host - always present, no need to specify it explicitly
|
|
+ the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes
|
|
+sync_upn - uses attribute "userPrincipalName" (if exists in AD)
|
|
+sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
|
|
+spn_prefixes - creates these two principals from each prefix. e.g.:
|
|
+ prefix/<smbconfoption name="netbios name"/>@REALM
|
|
+ prefix/<smbconfoption name="dns hostname"/>@REALM
|
|
+ with :netbios_aliases for each netbiosalias in <smbconfoption name="netbios aliases"/>
|
|
+ prefix/netbiosalias@REALM
|
|
+ prefix/netbiosalias.dnsdomain@REALM
|
|
+ with :additional_dns_hostnames for each additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
|
|
+ prefix/additionaldnshostname@REALM
|
|
+spns - creates only the principals defined in the list
|
|
</programlisting>
|
|
+'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD).
|
|
</para>
|
|
|
|
<para>
|
|
Options:
|
|
<programlisting>
|
|
-sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib.
|
|
-sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1.
|
|
-netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/>
|
|
-additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/>
|
|
+sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib.
|
|
+sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1.
|
|
+netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
|
|
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
|
|
machine_password - mandatory, if missing the entry is ignored. For future use.
|
|
</programlisting>
|
|
</para>
|
|
@@ -68,7 +81,8 @@ Example:
|
|
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
|
|
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
|
|
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
|
|
-"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
|
|
+"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
|
|
+"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
|
|
</programlisting>
|
|
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
|
|
</para>
|
|
@@ -80,7 +94,7 @@ If no value is present and <smbconfoption name="kerberos method"/> is different
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><userinput>winbind</userinput> uses value
|
|
- <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
|
+ <programlisting>/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password</programlisting>
|
|
where the path to the keytab is obtained either from the krb5 library or from
|
|
<smbconfoption name="dedicated keytab file"/>.
|
|
</para>
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 4dc163e87824aac33107767881d4a47033c5d9dd Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
|
|
Date: Fri, 14 Feb 2025 17:28:54 +0100
|
|
Subject: [PATCH 05/24] s3:libads: Remove specifier for 'host' principal from
|
|
'sync machine password to keytab'
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use specifier 'spn_prefixes=host' instead of 'host'
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
|
|
|
|
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf)
|
|
---
|
|
selftest/target/Samba3.pm | 6 +--
|
|
source3/libads/kerberos_keytab.c | 21 +++-------
|
|
source3/script/tests/test_update_keytab.sh | 48 ----------------------
|
|
3 files changed, 9 insertions(+), 66 deletions(-)
|
|
|
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
index cc4498ff36e..6650690fbb7 100755
|
|
--- a/selftest/target/Samba3.pm
|
|
+++ b/selftest/target/Samba3.pm
|
|
@@ -804,11 +804,11 @@ sub provision_ad_member
|
|
\"$prefix_abs/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab1:sync_spns:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\
|
|
- \"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\
|
|
- \"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\
|
|
+ \"$prefix_abs/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\
|
|
+ \"$prefix_abs/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\
|
|
\"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\
|
|
- \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
|
|
+ \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
|
|
";
|
|
}
|
|
|
|
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
index 619a7bda0d4..5913db299ad 100644
|
|
--- a/source3/libads/kerberos_keytab.c
|
|
+++ b/source3/libads/kerberos_keytab.c
|
|
@@ -44,7 +44,6 @@
|
|
enum spn_spec_type {
|
|
SPN_SPEC_ACCOUNT_NAME,
|
|
SPN_SPEC_SYNC_ACCOUNT_NAME,
|
|
- SPN_SPEC_HOST,
|
|
SPN_SPEC_SYNC_UPN,
|
|
SPN_SPEC_SYNC_SPNS,
|
|
SPN_SPEC_FULL,
|
|
@@ -164,8 +163,6 @@ static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx,
|
|
} else if (strequal(option, "sync_account_name")) {
|
|
spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME;
|
|
gstate->sync_sam_account = true;
|
|
- } else if (strequal(option, "host")) {
|
|
- spec_type = SPN_SPEC_HOST;
|
|
} else if (strequal(option, "sync_upn")) {
|
|
spec_type = SPN_SPEC_SYNC_UPN;
|
|
gstate->sync_upn = true;
|
|
@@ -251,9 +248,6 @@ static ADS_STATUS pw2kt_scan_line(const char *line,
|
|
*olist = 0;
|
|
olist++;
|
|
|
|
- /* Always add 'host' principal */
|
|
- desc->spec_array[SPN_SPEC_HOST].is_set = true;
|
|
-
|
|
/* Entries are separated via ':' */
|
|
while ((tmp = strchr_m(olist, ':')) != NULL) {
|
|
*tmp = 0;
|
|
@@ -275,7 +269,8 @@ static ADS_STATUS pw2kt_scan_line(const char *line,
|
|
/*
|
|
* Fill struct pw2kt_global_state with defaults if
|
|
* "sync machine password to keytab" is missing in smb.conf
|
|
- * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host).
|
|
+ * Creates 1 keytab with these SPN specifiers:
|
|
+ * sync_spns:account_name:spn_prefixes=host:sync_kvno:machine_password
|
|
*/
|
|
static ADS_STATUS pw2kt_default_cfg(const char *name,
|
|
struct pw2kt_global_state *state)
|
|
@@ -302,9 +297,11 @@ static ADS_STATUS pw2kt_default_cfg(const char *name,
|
|
|
|
desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true;
|
|
desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true;
|
|
- desc->spec_array[SPN_SPEC_HOST].is_set = true;
|
|
+ desc->spec_array[SPN_SPEC_PREFIX].is_set = true;
|
|
|
|
- return ADS_SUCCESS;
|
|
+ return pw2kt_add_val(state->keytabs,
|
|
+ &desc->spec_array[SPN_SPEC_PREFIX],
|
|
+ "host");
|
|
}
|
|
|
|
/*
|
|
@@ -590,12 +587,6 @@ static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate,
|
|
case SPN_SPEC_SYNC_ACCOUNT_NAME:
|
|
ADD_INFO(gstate->ad_sam_account);
|
|
break;
|
|
- case SPN_SPEC_HOST:
|
|
- status = pw2kt_add_prefix(gstate, state2, keytabptr, "host");
|
|
- if (!ADS_ERR_OK(status)) {
|
|
- return status;
|
|
- }
|
|
- break;
|
|
case SPN_SPEC_SYNC_UPN:
|
|
if (gstate->ad_upn != NULL) {
|
|
ADD_INFO(gstate->ad_upn);
|
|
diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh
|
|
index 82c64984787..21edf8b8882 100755
|
|
--- a/source3/script/tests/test_update_keytab.sh
|
|
+++ b/source3/script/tests/test_update_keytab.sh
|
|
@@ -40,48 +40,18 @@ keytab0="\
|
|
-2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
keytab0k="\
|
|
4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
keytab1="\
|
|
- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
@@ -118,15 +88,9 @@ keytab1="\
|
|
";
|
|
|
|
keytab1k="\
|
|
- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
@@ -295,24 +259,12 @@ keytab2k="\
|
|
";
|
|
|
|
keytab3="\
|
|
- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
-1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
-2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
-3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
";
|
|
|
|
keytab3k="\
|
|
- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
|
|
4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 8bb9f6f5d9f5db755dfd950260288dfd746cfbb6 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
|
|
Date: Fri, 14 Feb 2025 17:27:26 +0100
|
|
Subject: [PATCH 06/24] docs: Update documentation for 'sync machine password
|
|
to keytab'
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use specifier 'spn_prefixes=host' instead of 'host'
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
|
|
|
|
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
|
|
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224
|
|
|
|
(cherry picked from commit 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b)
|
|
---
|
|
docs-xml/manpages/net.8.xml | 4 ++--
|
|
.../security/syncmachinepasswordtokeytab.xml | 11 +++++------
|
|
2 files changed, 7 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
|
|
index 8091368a48e..a5f004d6e12 100644
|
|
--- a/docs-xml/manpages/net.8.xml
|
|
+++ b/docs-xml/manpages/net.8.xml
|
|
@@ -1564,10 +1564,10 @@ keytab"/> is missing.
|
|
<para>
|
|
Till Samba 4.20, these entries were created by default: the account name
|
|
COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
|
|
-such keytab ('host' is added implicitly):
|
|
+such keytab:
|
|
</para>
|
|
<programlisting>
|
|
-<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
|
|
+<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
|
|
</programlisting>
|
|
<para>
|
|
No changes are made to the computer AD account.
|
|
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
index 02eaf3162c0..ec3fffc1119 100644
|
|
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
|
@@ -39,12 +39,10 @@ spns=value1[,value2[...]]
|
|
</para>
|
|
|
|
<para>
|
|
-Every keytab contains the 'host' principal and principals according the specification below:
|
|
+Every keytab contains principals according the specification below:
|
|
<programlisting>
|
|
account_name - COMPUTER$@REALM
|
|
sync_account_name - uses attribute "sAMAccountName" from AD
|
|
-host - always present, no need to specify it explicitly
|
|
- the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes
|
|
sync_upn - uses attribute "userPrincipalName" (if exists in AD)
|
|
sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
|
|
spn_prefixes - creates these two principals from each prefix. e.g.:
|
|
@@ -55,6 +53,7 @@ spn_prefixes - creates these two principals from each prefix. e.g.:
|
|
prefix/netbiosalias.dnsdomain@REALM
|
|
with :additional_dns_hostnames for each additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
|
|
prefix/additionaldnshostname@REALM
|
|
+ - 'host' principal should be created using specifier spn_prefixes
|
|
spns - creates only the principals defined in the list
|
|
</programlisting>
|
|
'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD).
|
|
@@ -65,8 +64,8 @@ Options:
|
|
<programlisting>
|
|
sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib.
|
|
sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1.
|
|
-netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
|
|
-additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
|
|
+netbios_aliases - evaluated only for spn_prefixes (see details above).
|
|
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
|
|
machine_password - mandatory, if missing the entry is ignored. For future use.
|
|
</programlisting>
|
|
</para>
|
|
@@ -82,7 +81,7 @@ Example:
|
|
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
|
|
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
|
|
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
|
|
-"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
|
|
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
|
|
</programlisting>
|
|
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
|
|
</para>
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 205bed2a3a8cb8d2ff9651244aab02b2f9f602ae Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Allison <jra@samba.org>
|
|
Date: Wed, 15 Jan 2025 10:21:19 -0800
|
|
Subject: [PATCH 07/24] auth: Add missing talloc_free() in error code path.
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
|
|
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
|
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
|
Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224
|
|
|
|
(cherry picked from commit c514ce8dcadcbbf0d86f3038d2be0f9253a76b75)
|
|
---
|
|
auth/kerberos/kerberos_pac.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
|
|
index b6272ac15eb..1f7d3e7ef26 100644
|
|
--- a/auth/kerberos/kerberos_pac.c
|
|
+++ b/auth/kerberos/kerberos_pac.c
|
|
@@ -360,6 +360,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
if (ret) {
|
|
DEBUG(5, ("PAC Decode: Failed to verify the service "
|
|
"signature: %s\n", error_message(ret)));
|
|
+ talloc_free(tmp_ctx);
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
}
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From b531c84559e2391c38e4c7640610462046d2d7c6 Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Allison <jra@samba.org>
|
|
Date: Thu, 16 Jan 2025 16:12:31 -0800
|
|
Subject: [PATCH 08/24] auth: Cleanup exit code paths in kerberos_decode_pac().
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
One more memory leak missed and now fixed. tmp_ctx
|
|
must be freed once the pac data is talloc_move'd.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
|
|
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Reviewed-by: Christian Ambach <ambi@samba.org>
|
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
|
|
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
|
Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
|
|
|
|
(cherry picked from commit f9eb0b248da0689c82656f3e482161c45749afb6)
|
|
---
|
|
auth/kerberos/kerberos_pac.c | 88 ++++++++++++++++++------------------
|
|
1 file changed, 43 insertions(+), 45 deletions(-)
|
|
|
|
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
|
|
index 1f7d3e7ef26..4c61cfe838f 100644
|
|
--- a/auth/kerberos/kerberos_pac.c
|
|
+++ b/auth/kerberos/kerberos_pac.c
|
|
@@ -137,7 +137,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
time_t tgs_authtime,
|
|
struct PAC_DATA **pac_data_out)
|
|
{
|
|
- NTSTATUS status;
|
|
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
|
|
enum ndr_err_code ndr_err;
|
|
krb5_error_code ret;
|
|
DATA_BLOB modified_pac_blob;
|
|
@@ -173,8 +173,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
|
|
srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
|
|
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_NO_MEMORY;
|
|
+ status = NT_STATUS_NO_MEMORY;
|
|
+ goto out;
|
|
}
|
|
|
|
ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
|
|
@@ -183,15 +183,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't parse the PAC: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
if (pac_data->num_buffers < 4) {
|
|
/* we need logon_info, service_key and kdc_key */
|
|
DEBUG(0,("less than 4 PAC buffers\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
ndr_err = ndr_pull_struct_blob(
|
|
@@ -201,15 +200,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't parse the PAC: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
if (pac_data_raw->num_buffers < 4) {
|
|
/* we need logon_info, service_key and kdc_key */
|
|
DEBUG(0,("less than 4 PAC buffers\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
if (pac_data->num_buffers != pac_data_raw->num_buffers) {
|
|
@@ -217,8 +215,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
|
|
"PAC_DATA_RAW has %d\n", pac_data->num_buffers,
|
|
pac_data_raw->num_buffers));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
for (i=0; i < pac_data->num_buffers; i++) {
|
|
@@ -229,8 +227,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
|
|
"%d while PAC_DATA_RAW has %d\n", i,
|
|
data_buf->type, raw_buf->type));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
switch (data_buf->type) {
|
|
case PAC_TYPE_LOGON_INFO:
|
|
@@ -263,26 +261,26 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
|
|
if (!logon_info) {
|
|
DEBUG(0,("PAC no logon_info\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
if (!logon_name) {
|
|
DEBUG(0,("PAC no logon_name\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
if (!srv_sig_ptr || !srv_sig_blob) {
|
|
DEBUG(0,("PAC no srv_key\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
if (!kdc_sig_ptr || !kdc_sig_blob) {
|
|
DEBUG(0,("PAC no kdc_key\n"));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
/* Find and zero out the signatures,
|
|
@@ -297,8 +295,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't parse the KDC signature: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
ndr_err = ndr_pull_struct_blob(
|
|
@@ -308,8 +305,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't parse the SRV signature: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
/* Now zero the decoded structure */
|
|
@@ -326,8 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't repack the KDC signature: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
ndr_err = ndr_push_struct_blob(
|
|
srv_sig_blob, pac_data_raw, srv_sig_wipe,
|
|
@@ -336,8 +331,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't repack the SRV signature: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
/* push out the whole structure, but now with zero'ed signatures */
|
|
@@ -348,8 +342,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(0,("can't repack the RAW PAC: %s\n",
|
|
nt_errstr(status)));
|
|
- talloc_free(tmp_ctx);
|
|
- return status;
|
|
+ goto out;
|
|
}
|
|
|
|
if (service_keyblock) {
|
|
@@ -360,8 +353,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
if (ret) {
|
|
DEBUG(5, ("PAC Decode: Failed to verify the service "
|
|
"signature: %s\n", error_message(ret)));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_ACCESS_DENIED;
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ goto out;
|
|
}
|
|
|
|
if (krbtgt_keyblock) {
|
|
@@ -371,8 +364,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
if (ret) {
|
|
DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
|
|
smb_get_krb5_error_message(context, ret, tmp_ctx)));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_ACCESS_DENIED;
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ goto out;
|
|
}
|
|
}
|
|
}
|
|
@@ -388,8 +381,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
nt_time_string(tmp_ctx, logon_name->logon_time)));
|
|
DEBUG(2, ("PAC Decode: Ticket: %s\n",
|
|
nt_time_string(tmp_ctx, tgs_authtime_nttime)));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_ACCESS_DENIED;
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ goto out;
|
|
}
|
|
}
|
|
|
|
@@ -401,8 +394,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
if (ret) {
|
|
DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
|
|
logon_name->account_name, error_message(ret)));
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
|
+ goto out;
|
|
}
|
|
|
|
bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
|
|
@@ -413,8 +406,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
logon_name->account_name,
|
|
client_principal_string));
|
|
SAFE_FREE(client_principal_string);
|
|
- talloc_free(tmp_ctx);
|
|
- return NT_STATUS_ACCESS_DENIED;
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ goto out;
|
|
}
|
|
SAFE_FREE(client_principal_string);
|
|
|
|
@@ -435,10 +428,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
|
}
|
|
|
|
if (pac_data_out) {
|
|
- *pac_data_out = talloc_steal(mem_ctx, pac_data);
|
|
+ *pac_data_out = talloc_move(mem_ctx, &pac_data);
|
|
}
|
|
|
|
- return NT_STATUS_OK;
|
|
+ status = NT_STATUS_OK;
|
|
+
|
|
+ out:
|
|
+
|
|
+ TALLOC_FREE(tmp_ctx);
|
|
+ return status;
|
|
}
|
|
|
|
NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From ffdb675281389635e34b6f06d68222db5f2e83a5 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Thu, 9 Jan 2025 08:57:17 +0100
|
|
Subject: [PATCH 09/24] dbwrap: check for option "tdb_hash_size:DBNAME.tdb" in
|
|
db_open()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 7eb135c42d530a16e80e165d9e8e99d920797f12)
|
|
---
|
|
source3/lib/dbwrap/dbwrap_open.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
|
|
index 52c8a94aeff..91556f22819 100644
|
|
--- a/source3/lib/dbwrap/dbwrap_open.c
|
|
+++ b/source3/lib/dbwrap/dbwrap_open.c
|
|
@@ -80,6 +80,11 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
|
|
base = name;
|
|
}
|
|
|
|
+ hash_size = lp_parm_int(GLOBAL_SECTION_SNUM,
|
|
+ "tdb_hash_size",
|
|
+ base,
|
|
+ hash_size);
|
|
+
|
|
if (tdb_flags & TDB_CLEAR_IF_FIRST) {
|
|
bool try_readonly = false;
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From fd7331e9e50c130d98b490c3cc1d8fa77ec575a1 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Thu, 9 Jan 2025 12:27:43 +0100
|
|
Subject: [PATCH 10/24] smbtorture: add test "open-brlock-deadlock"
|
|
|
|
smbtorture reproducer for bug 15767. As it needs a very specific setup that
|
|
can't easily be done in selftest, the test is only executed when manually called
|
|
with
|
|
|
|
--option=torture:open_brlock_deadlock_timemout=SEC
|
|
|
|
To prepare the setup for the test set:
|
|
|
|
tdb_hash_size:locking.tdb = 1
|
|
tdb_hash_size:brlock.tdb = 1
|
|
|
|
and remove both tdb from disk which is needed so the TDBs get recreated with the
|
|
new hash_size.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 7c60498cee7dca5770d4d1f623c472d585ae9cae)
|
|
---
|
|
source4/torture/smb2/lock.c | 283 ++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 283 insertions(+)
|
|
|
|
diff --git a/source4/torture/smb2/lock.c b/source4/torture/smb2/lock.c
|
|
index eac0d557fc3..e5cf61a471a 100644
|
|
--- a/source4/torture/smb2/lock.c
|
|
+++ b/source4/torture/smb2/lock.c
|
|
@@ -3465,6 +3465,288 @@ done:
|
|
return ret;
|
|
}
|
|
|
|
+struct open_brlock_deadlock_state {
|
|
+ bool stop;
|
|
+ bool ok;
|
|
+ struct torture_context *tctx;
|
|
+ struct smb2_tree *tree1;
|
|
+ struct smb2_tree *tree2;
|
|
+ struct smb2_create cr;
|
|
+ struct smb2_request *cr_req;
|
|
+ struct smb2_close cl;
|
|
+ struct smb2_request *cl_req;
|
|
+
|
|
+ struct smb2_lock_element el;
|
|
+ struct smb2_lock lock;
|
|
+ struct smb2_request *lock_req;
|
|
+};
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_opened(struct smb2_request *req);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_open(
|
|
+ struct open_brlock_deadlock_state *state)
|
|
+{
|
|
+ if (state->stop) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ state->cr_req = smb2_create_send(state->tree1, &state->cr);
|
|
+ torture_assert_goto(state->tctx, state->cr_req != NULL, state->ok, failed,
|
|
+ "smb2_create_send failed\n");
|
|
+
|
|
+ state->cr_req->async.fn = test_open_brlock_deadlock_loop_opened;
|
|
+ state->cr_req->async.private_data = state;
|
|
+ return;
|
|
+failed:
|
|
+ state->stop = true;
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_close(
|
|
+ struct open_brlock_deadlock_state *state);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_opened(struct smb2_request *req)
|
|
+{
|
|
+ struct open_brlock_deadlock_state *state = req->async.private_data;
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = smb2_create_recv(req, frame, &state->cr);
|
|
+ torture_assert_ntstatus_ok_goto(state->tctx, status,
|
|
+ state->ok, failed, __location__);
|
|
+ state->cr_req = NULL;
|
|
+
|
|
+ TALLOC_FREE(frame);
|
|
+ test_open_brlock_deadlock_loop_close(state);
|
|
+ return;
|
|
+
|
|
+failed:
|
|
+ state->stop = true;
|
|
+ TALLOC_FREE(frame);
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_closed(struct smb2_request *req);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_close(
|
|
+ struct open_brlock_deadlock_state *state)
|
|
+{
|
|
+ if (state->stop) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ state->cl.in.file = state->cr.out.file;
|
|
+ state->cl_req = smb2_close_send(state->tree1, &state->cl);
|
|
+ torture_assert_goto(state->tctx, state->cl_req != NULL, state->ok, failed,
|
|
+ "smb2_create_send failed\n");
|
|
+
|
|
+ state->cl_req->async.fn = test_open_brlock_deadlock_loop_closed;
|
|
+ state->cl_req->async.private_data = state;
|
|
+ return;
|
|
+failed:
|
|
+ state->stop = true;
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_closed(struct smb2_request *req)
|
|
+{
|
|
+ struct open_brlock_deadlock_state *state = req->async.private_data;
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = smb2_close_recv(req, &state->cl);
|
|
+ torture_assert_ntstatus_ok_goto(state->tctx, status,
|
|
+ state->ok, failed, __location__);
|
|
+ state->cl_req = NULL;
|
|
+
|
|
+ TALLOC_FREE(frame);
|
|
+ test_open_brlock_deadlock_loop_open(state);
|
|
+ return;
|
|
+
|
|
+failed:
|
|
+ state->stop = true;
|
|
+ TALLOC_FREE(frame);
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_locked(struct smb2_request *req);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_lock(
|
|
+ struct open_brlock_deadlock_state *state)
|
|
+{
|
|
+ if (state->stop) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ state->el.flags = SMB2_LOCK_FLAG_EXCLUSIVE;
|
|
+
|
|
+ state->lock_req = smb2_lock_send(state->tree2, &state->lock);
|
|
+ torture_assert_goto(state->tctx, state->lock_req != NULL,
|
|
+ state->ok, failed,
|
|
+ "smb2_create_send failed\n");
|
|
+
|
|
+ state->lock_req->async.fn = test_open_brlock_deadlock_loop_locked;
|
|
+ state->lock_req->async.private_data = state;
|
|
+ return;
|
|
+failed:
|
|
+ state->stop = true;
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_unlock(
|
|
+ struct open_brlock_deadlock_state *state);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_locked(struct smb2_request *req)
|
|
+{
|
|
+ struct open_brlock_deadlock_state *state = req->async.private_data;
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = smb2_lock_recv(req, &state->lock);
|
|
+ torture_assert_ntstatus_ok_goto(state->tctx, status,
|
|
+ state->ok, failed, __location__);
|
|
+ state->lock_req = NULL;
|
|
+
|
|
+ TALLOC_FREE(frame);
|
|
+ test_open_brlock_deadlock_loop_unlock(state);
|
|
+ return;
|
|
+
|
|
+failed:
|
|
+ state->stop = true;
|
|
+ TALLOC_FREE(frame);
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_unlocked(struct smb2_request *req);
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_unlock(
|
|
+ struct open_brlock_deadlock_state *state)
|
|
+{
|
|
+ if (state->stop) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ state->el.flags = SMB2_LOCK_FLAG_UNLOCK;
|
|
+
|
|
+ state->lock_req = smb2_lock_send(state->tree2, &state->lock);
|
|
+ torture_assert_goto(state->tctx, state->lock_req != NULL,
|
|
+ state->ok, failed,
|
|
+ "smb2_create_send failed\n");
|
|
+
|
|
+ state->lock_req->async.fn = test_open_brlock_deadlock_loop_unlocked;
|
|
+ state->lock_req->async.private_data = state;
|
|
+ return;
|
|
+failed:
|
|
+ state->stop = true;
|
|
+}
|
|
+
|
|
+static void test_open_brlock_deadlock_loop_unlocked(struct smb2_request *req)
|
|
+{
|
|
+ struct open_brlock_deadlock_state *state = req->async.private_data;
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = smb2_lock_recv(req, &state->lock);
|
|
+ torture_assert_ntstatus_ok_goto(state->tctx, status,
|
|
+ state->ok, failed, __location__);
|
|
+ state->lock_req = NULL;
|
|
+
|
|
+ TALLOC_FREE(frame);
|
|
+ test_open_brlock_deadlock_loop_lock(state);
|
|
+ return;
|
|
+
|
|
+failed:
|
|
+ state->stop = true;
|
|
+ TALLOC_FREE(frame);
|
|
+}
|
|
+
|
|
+
|
|
+static void test_open_brlock_deadlock_timeout(struct tevent_context *ev,
|
|
+ struct tevent_timer *te,
|
|
+ struct timeval current_time,
|
|
+ void *private_data)
|
|
+{
|
|
+ struct open_brlock_deadlock_state *state = private_data;
|
|
+ state->stop = true;
|
|
+}
|
|
+
|
|
+static bool test_open_brlock_deadlock(struct torture_context *tctx,
|
|
+ struct smb2_tree *tree1,
|
|
+ struct smb2_tree *tree2)
|
|
+{
|
|
+ int timeout_sec = torture_setting_int(tctx, "open_brlock_deadlock_timemout", 0);
|
|
+ const char *fname1 = BASEDIR "\\test_open_brlock_deadlock1.txt";
|
|
+ const char *fname2 = BASEDIR "\\test_open_brlock_deadlock2.txt";
|
|
+ struct open_brlock_deadlock_state state;
|
|
+ struct smb2_handle h = {};
|
|
+ uint8_t buf[200];
|
|
+ struct tevent_timer *te = NULL;
|
|
+ NTSTATUS status;
|
|
+ bool ret = true;
|
|
+
|
|
+ if (timeout_sec == 0) {
|
|
+ torture_skip_goto(tctx, done, "Test skipped, pass '--option=torture:open_brlock_deadlock_timemout=SEC' to run\n");
|
|
+ }
|
|
+
|
|
+ state = (struct open_brlock_deadlock_state) {
|
|
+ .tctx = tctx,
|
|
+ .tree1 = tree1,
|
|
+ .tree2 = tree2,
|
|
+ };
|
|
+
|
|
+ ret = smb2_util_setup_dir(tctx, tree1, BASEDIR);
|
|
+ torture_assert_goto(tctx, ret, ret, done,
|
|
+ "smb2_util_setup_dir failed");
|
|
+
|
|
+ status = torture_smb2_testfile(tree1, fname1, &h);
|
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
|
+ "torture_smb2_testfile failed");
|
|
+ status = smb2_util_close(tree1, h);
|
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
|
+ "smb2_util_close failed");
|
|
+
|
|
+ status = torture_smb2_testfile(tree2, fname2, &h);
|
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
|
+ "torture_smb2_testfile failed");
|
|
+
|
|
+ status = smb2_util_write(tree2, h, buf, 0, ARRAY_SIZE(buf));
|
|
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
|
|
+ "smb2_util_write failed");
|
|
+
|
|
+ state.cr = (struct smb2_create) {
|
|
+ .in.desired_access = SEC_FILE_READ_DATA,
|
|
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
|
|
+ .in.create_disposition = NTCREATEX_DISP_OPEN,
|
|
+ .in.fname = fname1,
|
|
+ };
|
|
+
|
|
+ state.el = (struct smb2_lock_element) {
|
|
+ .length = 1,
|
|
+ .offset = 0,
|
|
+ };
|
|
+ state.lock = (struct smb2_lock) {
|
|
+ .in.locks = &state.el,
|
|
+ .in.lock_count = 1,
|
|
+ .in.file.handle = h,
|
|
+ };
|
|
+
|
|
+ te = tevent_add_timer(tctx->ev,
|
|
+ tctx,
|
|
+ timeval_current_ofs(timeout_sec, 0),
|
|
+ test_open_brlock_deadlock_timeout,
|
|
+ &state);
|
|
+ torture_assert_goto(tctx, te != NULL, ret, done, __location__);
|
|
+
|
|
+ test_open_brlock_deadlock_loop_open(&state);
|
|
+ test_open_brlock_deadlock_loop_lock(&state);
|
|
+
|
|
+ while (!state.stop) {
|
|
+ int rc = tevent_loop_once(tctx->ev);
|
|
+ torture_assert_int_equal(tctx, rc, 0, "tevent_loop_once");
|
|
+ }
|
|
+
|
|
+done:
|
|
+ if (!smb2_util_handle_empty(h)) {
|
|
+ smb2_util_close(tree2, h);
|
|
+ }
|
|
+ smb2_deltree(tree1, BASEDIR);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
/* basic testing of SMB2 locking
|
|
*/
|
|
struct torture_suite *torture_smb2_lock_init(TALLOC_CTX *ctx)
|
|
@@ -3506,6 +3788,7 @@ struct torture_suite *torture_smb2_lock_init(TALLOC_CTX *ctx)
|
|
torture_suite_add_1smb2_test(suite, "replay_smb3_specification_multi",
|
|
test_replay_smb3_specification_multi);
|
|
torture_suite_add_1smb2_test(suite, "ctdb-delrec-deadlock", test_deadlock);
|
|
+ torture_suite_add_2smb2_test(suite, "open-brlock-deadlock", test_open_brlock_deadlock);
|
|
|
|
suite->description = talloc_strdup(suite, "SMB2-LOCK tests");
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From fe9563bc0140fbbb2aa5a6342a1948984c59043a Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Mon, 6 Jan 2025 15:59:27 +0100
|
|
Subject: [PATCH 11/24] s3/brlock: split out brl_get_locks_readonly_parse()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 94e7cbcc32b73e4d56e7209e04d22d4270a6eb5b)
|
|
---
|
|
source3/locking/brlock.c | 43 ++++++++++++++++++++++++++--------------
|
|
1 file changed, 28 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index b0295174954..c75b83c048d 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -1768,29 +1768,18 @@ static void brl_get_locks_readonly_parser(TDB_DATA key, TDB_DATA data,
|
|
*state->br_lock = br_lck;
|
|
}
|
|
|
|
-struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp)
|
|
+static struct byte_range_lock *brl_get_locks_readonly_parse(TALLOC_CTX *mem_ctx,
|
|
+ files_struct *fsp)
|
|
{
|
|
struct byte_range_lock *br_lock = NULL;
|
|
struct brl_get_locks_readonly_state state;
|
|
NTSTATUS status;
|
|
|
|
- DEBUG(10, ("seqnum=%d, fsp->brlock_seqnum=%d\n",
|
|
- dbwrap_get_seqnum(brlock_db), fsp->brlock_seqnum));
|
|
-
|
|
- if ((fsp->brlock_rec != NULL)
|
|
- && (dbwrap_get_seqnum(brlock_db) == fsp->brlock_seqnum)) {
|
|
- /*
|
|
- * We have cached the brlock_rec and the database did not
|
|
- * change.
|
|
- */
|
|
- return fsp->brlock_rec;
|
|
- }
|
|
-
|
|
/*
|
|
* Parse the record fresh from the database
|
|
*/
|
|
|
|
- state.mem_ctx = fsp;
|
|
+ state.mem_ctx = mem_ctx;
|
|
state.br_lock = &br_lock;
|
|
|
|
status = dbwrap_parse_record(
|
|
@@ -1803,7 +1792,7 @@ struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp)
|
|
/*
|
|
* No locks on this file. Return an empty br_lock.
|
|
*/
|
|
- br_lock = talloc_zero(fsp, struct byte_range_lock);
|
|
+ br_lock = talloc_zero(mem_ctx, struct byte_range_lock);
|
|
if (br_lock == NULL) {
|
|
return NULL;
|
|
}
|
|
@@ -1821,6 +1810,30 @@ struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp)
|
|
br_lock->modified = false;
|
|
br_lock->record = NULL;
|
|
|
|
+ return br_lock;
|
|
+}
|
|
+
|
|
+struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp)
|
|
+{
|
|
+ struct byte_range_lock *br_lock = NULL;
|
|
+
|
|
+ DEBUG(10, ("seqnum=%d, fsp->brlock_seqnum=%d\n",
|
|
+ dbwrap_get_seqnum(brlock_db), fsp->brlock_seqnum));
|
|
+
|
|
+ if ((fsp->brlock_rec != NULL)
|
|
+ && (dbwrap_get_seqnum(brlock_db) == fsp->brlock_seqnum)) {
|
|
+ /*
|
|
+ * We have cached the brlock_rec and the database did not
|
|
+ * change.
|
|
+ */
|
|
+ return fsp->brlock_rec;
|
|
+ }
|
|
+
|
|
+ br_lock = brl_get_locks_readonly_parse(fsp, fsp);
|
|
+ if (br_lock == NULL) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/*
|
|
* Cache the brlock struct, invalidated when the dbwrap_seqnum
|
|
* changes. See beginning of this routine.
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 2c3e6fed2b1fc6e854293446ed74b9e98900815e Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Mon, 6 Jan 2025 17:07:11 +0100
|
|
Subject: [PATCH 12/24] s3/brlock: add brl_req_set()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
(cherry picked from commit c9c04c7d75dee0c3e6e843b581624a3852042057)
|
|
---
|
|
source3/locking/brlock.c | 9 +++++++++
|
|
source3/locking/proto.h | 3 +++
|
|
2 files changed, 12 insertions(+)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index c75b83c048d..51d9dc2e599 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -84,6 +84,15 @@ struct files_struct *brl_fsp(struct byte_range_lock *brl)
|
|
return brl->fsp;
|
|
}
|
|
|
|
+
|
|
+void brl_req_set(struct byte_range_lock *br_lck,
|
|
+ TALLOC_CTX *req_mem_ctx,
|
|
+ const struct GUID *req_guid)
|
|
+{
|
|
+ br_lck->req_mem_ctx = req_mem_ctx;
|
|
+ br_lck->req_guid = req_guid;
|
|
+}
|
|
+
|
|
TALLOC_CTX *brl_req_mem_ctx(const struct byte_range_lock *brl)
|
|
{
|
|
if (brl->req_mem_ctx == NULL) {
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index 7fc177d7aa6..3413596baed 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -32,6 +32,9 @@ void brl_shutdown(void);
|
|
|
|
unsigned int brl_num_locks(const struct byte_range_lock *brl);
|
|
struct files_struct *brl_fsp(struct byte_range_lock *brl);
|
|
+void brl_req_set(struct byte_range_lock *br_lck,
|
|
+ TALLOC_CTX *req_mem_ctx,
|
|
+ const struct GUID *req_guid);
|
|
TALLOC_CTX *brl_req_mem_ctx(const struct byte_range_lock *brl);
|
|
const struct GUID *brl_req_guid(const struct byte_range_lock *brl);
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 1a3c7565c112ba2bf6342c93f74b1888fb1dcdfc Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Sat, 1 Feb 2025 10:37:40 +0100
|
|
Subject: [PATCH 13/24] s3/brlock: add share_mode_do_locked_brl()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit e17fb732c89f8b34de00904383044de3c4f85bd0)
|
|
---
|
|
source3/locking/brlock.c | 103 +++++++++++++++++++++++++++++++++++++++
|
|
source3/locking/proto.h | 8 +++
|
|
2 files changed, 111 insertions(+)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index 51d9dc2e599..fcbce52f9c1 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -34,6 +34,7 @@
|
|
#include "serverid.h"
|
|
#include "messages.h"
|
|
#include "util_tdb.h"
|
|
+#include "source3/locking/share_mode_lock.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_LOCKING
|
|
@@ -1927,3 +1928,105 @@ done:
|
|
talloc_free(frame);
|
|
return ret;
|
|
}
|
|
+
|
|
+struct share_mode_do_locked_brl_state {
|
|
+ share_mode_do_locked_brl_fn_t cb;
|
|
+ void *cb_data;
|
|
+ struct files_struct *fsp;
|
|
+ NTSTATUS status;
|
|
+};
|
|
+
|
|
+static void share_mode_do_locked_brl_fn(struct share_mode_lock *lck,
|
|
+ void *private_data)
|
|
+{
|
|
+ struct share_mode_do_locked_brl_state *state = private_data;
|
|
+ struct byte_range_lock *br_lck = NULL;
|
|
+ TDB_DATA key = make_tdb_data((uint8_t *)&state->fsp->file_id,
|
|
+ sizeof(state->fsp->file_id));
|
|
+
|
|
+ if (lp_locking(state->fsp->conn->params) &&
|
|
+ state->fsp->fsp_flags.can_lock)
|
|
+ {
|
|
+ br_lck = brl_get_locks_readonly_parse(talloc_tos(),
|
|
+ state->fsp);
|
|
+ if (br_lck == NULL) {
|
|
+ state->status = NT_STATUS_NO_MEMORY;
|
|
+ return;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ state->cb(lck, br_lck, state->cb_data);
|
|
+
|
|
+ if (br_lck == NULL || !br_lck->modified) {
|
|
+ TALLOC_FREE(br_lck);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ br_lck->record = dbwrap_fetch_locked(brlock_db, br_lck, key);
|
|
+ if (br_lck->record == NULL) {
|
|
+ DBG_ERR("Could not lock byte range lock entry for '%s'\n",
|
|
+ fsp_str_dbg(state->fsp));
|
|
+ TALLOC_FREE(br_lck);
|
|
+ state->status = NT_STATUS_INTERNAL_DB_ERROR;
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ byte_range_lock_flush(br_lck);
|
|
+ share_mode_wakeup_waiters(br_lck->fsp->file_id);
|
|
+ TALLOC_FREE(br_lck);
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Run cb with a glock'ed locking.tdb record, providing both a share_mode_lock
|
|
+ * and a br_lck object. An initial read-only, but upgradable, br_lck object is
|
|
+ * fetched from brlock.tdb while holding the glock on the locking.tdb record.
|
|
+ *
|
|
+ * This function only ever hold one low-level TDB chainlock at a time on either
|
|
+ * locking.tdb or brlock.tdb, so it can't run afoul any lock order violations.
|
|
+ *
|
|
+ * Note that br_lck argument in the callback might be NULL in case lp_locking()
|
|
+ * is disabled, the fsp doesn't allow locking or is a directory, so either
|
|
+ * the caller or the callback have to check for this.
|
|
+ */
|
|
+NTSTATUS share_mode_do_locked_brl(files_struct *fsp,
|
|
+ share_mode_do_locked_brl_fn_t cb,
|
|
+ void *cb_data)
|
|
+{
|
|
+ static bool recursion_guard;
|
|
+ TALLOC_CTX *frame = NULL;
|
|
+ struct share_mode_do_locked_brl_state state = {
|
|
+ .fsp = fsp,
|
|
+ .cb = cb,
|
|
+ .cb_data = cb_data,
|
|
+ };
|
|
+ NTSTATUS status;
|
|
+
|
|
+ SMB_ASSERT(!recursion_guard);
|
|
+
|
|
+ /* silently return ok on print files as we don't do locking there */
|
|
+ if (fsp->print_file) {
|
|
+ return NT_STATUS_OK;
|
|
+ }
|
|
+
|
|
+ frame = talloc_stackframe();
|
|
+
|
|
+ recursion_guard = true;
|
|
+ status = share_mode_do_locked_vfs_allowed(
|
|
+ fsp->file_id,
|
|
+ share_mode_do_locked_brl_fn,
|
|
+ &state);
|
|
+ recursion_guard = false;
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("share_mode_do_locked_vfs_allowed() failed for %s - %s\n",
|
|
+ fsp_str_dbg(fsp), nt_errstr(status));
|
|
+ TALLOC_FREE(frame);
|
|
+ return status;
|
|
+ }
|
|
+ if (!NT_STATUS_IS_OK(state.status)) {
|
|
+ TALLOC_FREE(frame);
|
|
+ return state.status;
|
|
+ }
|
|
+
|
|
+ TALLOC_FREE(frame);
|
|
+ return NT_STATUS_OK;
|
|
+}
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index 3413596baed..c9d769ba53f 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -87,6 +87,14 @@ struct byte_range_lock *brl_get_locks_for_locking(TALLOC_CTX *mem_ctx,
|
|
files_struct *fsp,
|
|
TALLOC_CTX *req_mem_ctx,
|
|
const struct GUID *req_guid);
|
|
+struct share_mode_lock;
|
|
+typedef void (*share_mode_do_locked_brl_fn_t)(
|
|
+ struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck, /* br_lck can be NULL */
|
|
+ void *private_data);
|
|
+NTSTATUS share_mode_do_locked_brl(files_struct *fsp,
|
|
+ share_mode_do_locked_brl_fn_t fn,
|
|
+ void *private_data);
|
|
struct byte_range_lock *brl_get_locks(TALLOC_CTX *mem_ctx,
|
|
files_struct *fsp);
|
|
struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp);
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From f29fdf9d8da34db5b129f2ccd00a597dcfe68e55 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Wed, 8 Jan 2025 15:43:04 +0100
|
|
Subject: [PATCH 14/24] s3/brlock: don't increment current_lock_count if
|
|
do_lock_fn() failed
|
|
|
|
Also only assign psmblctx and pblocker_pid if the lock request failed.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 3a0c6e99de4377f44bc29766b6ceb79040caed9f)
|
|
---
|
|
source3/locking/locking.c | 20 +++++++++++---------
|
|
1 file changed, 11 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
|
|
index 41b54b14c6b..ea692711627 100644
|
|
--- a/source3/locking/locking.c
|
|
+++ b/source3/locking/locking.c
|
|
@@ -344,19 +344,21 @@ NTSTATUS do_lock(files_struct *fsp,
|
|
nt_errstr(status));
|
|
return status;
|
|
}
|
|
-
|
|
- if (psmblctx != NULL) {
|
|
- *psmblctx = state.blocker_smblctx;
|
|
- }
|
|
- if (pblocker_pid != NULL) {
|
|
- *pblocker_pid = state.blocker_pid;
|
|
+ if (!NT_STATUS_IS_OK(state.status)) {
|
|
+ DBG_DEBUG("do_lock_fn returned %s\n",
|
|
+ nt_errstr(state.status));
|
|
+ if (psmblctx != NULL) {
|
|
+ *psmblctx = state.blocker_smblctx;
|
|
+ }
|
|
+ if (pblocker_pid != NULL) {
|
|
+ *pblocker_pid = state.blocker_pid;
|
|
+ }
|
|
+ return state.status;
|
|
}
|
|
|
|
- DBG_DEBUG("returning status=%s\n", nt_errstr(state.status));
|
|
-
|
|
increment_current_lock_count(fsp, lock_flav);
|
|
|
|
- return state.status;
|
|
+ return NT_STATUS_OK;
|
|
}
|
|
|
|
/****************************************************************************
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 68a48f73a8987db27d80d13f2871fd9c057df196 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Wed, 29 Jan 2025 06:13:29 +0100
|
|
Subject: [PATCH 15/24] s3/locking: add brl_set_modified()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 2772f147c9b13cd2160181c4f7905b54ab765054)
|
|
---
|
|
source3/locking/brlock.c | 5 +++++
|
|
source3/locking/proto.h | 1 +
|
|
2 files changed, 6 insertions(+)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index fcbce52f9c1..0e58339b108 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -2030,3 +2030,8 @@ NTSTATUS share_mode_do_locked_brl(files_struct *fsp,
|
|
TALLOC_FREE(frame);
|
|
return NT_STATUS_OK;
|
|
}
|
|
+
|
|
+void brl_set_modified(struct byte_range_lock *br_lck, bool modified)
|
|
+{
|
|
+ br_lck->modified = modified;
|
|
+}
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index c9d769ba53f..c74539c8161 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -99,6 +99,7 @@ struct byte_range_lock *brl_get_locks(TALLOC_CTX *mem_ctx,
|
|
files_struct *fsp);
|
|
struct byte_range_lock *brl_get_locks_readonly(files_struct *fsp);
|
|
bool brl_cleanup_disconnected(struct file_id fid, uint64_t open_persistent_id);
|
|
+void brl_set_modified(struct byte_range_lock *br_lck, bool modified);
|
|
|
|
/* The following definitions come from locking/locking.c */
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 4888165536438d742e46be57087dbc2b29bd190c Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Wed, 29 Jan 2025 06:13:44 +0100
|
|
Subject: [PATCH 16/24] smbd: use share_mode_do_locked_brl()
|
|
|
|
Fix a deadlock that can happen if two clients happen to open and byte-range-lock
|
|
two different files whos record in locking.tdb and brlock.tdb happen to sit on
|
|
the same hashchain.
|
|
|
|
The deadlock was introduced by commit
|
|
680c7907325b433856ac1dd916ab63e671fbe4ab. Before, we used share_mode_do_locked()
|
|
in do_lock() which meant we acquired a chainlock on locking.tdb before getting a
|
|
chainlock on brlock.tdb via brl_get_locks_for_locking(), so the TDB chainlock
|
|
order invariant was always uphold.
|
|
|
|
The following race between specific client requests lead to the deadlock.
|
|
|
|
Client A) issues a byte-range-lock request on a file:
|
|
|
|
A1) glock locking.tdb (via _share_mode_do_locked_vfs_allowed())
|
|
A2) chainlock brlock.tdb (via brl_lock())
|
|
A3) attempt to chainlock locking.tdb (via share_mode_g_lock_dump())
|
|
[1]
|
|
|
|
Client B) opens a different (!) file:
|
|
|
|
B1) glock and chainlock locking.tdb (via _share_mode_entry_prepare_lock())
|
|
B2) attempt to chainlock brlock.tdb (via file_has_brlocks())
|
|
[2]
|
|
|
|
The glock from A1 is per record and hence doesn't synchronize with the glock
|
|
from B1 as it is for a different file and hence a different record, subsequently
|
|
A2 and A3 violate the lock order constraint
|
|
|
|
To avoid the chainlock lock order violation in the second client we modify the
|
|
br-lock code to not take the brlock.tdb chainlock from step A2 via
|
|
br_get_locks() for the whole time we process the request. Instead we just fetch
|
|
the br-locks via br_get_locks_readonly(), so when running into
|
|
contend_level2_oplocks_begin_default() to check for leases and looking into
|
|
locking.tdb we don't hold a brlock.tdb chainlock.
|
|
|
|
Or im simpler terms, we only ever take at most one low-level TDB chainlock at a
|
|
time:
|
|
|
|
Byte-range-lock code calls share_mode_do_locked_brl(..., cb_fn, ...):
|
|
1) chainlock locking.tdb
|
|
2) glock locking.tdb (via share_mode_do_locked_vfs_allowed())
|
|
3) chainunlock locking.tdb
|
|
4) share_mode_do_locked_brl_fn() -> brl_get_locks_readonly_parse():
|
|
a) chainlock brlock.tdb
|
|
b) parse record and store in-memory copy
|
|
c) chainunlock brlock.tdb
|
|
5) run cb_fn()
|
|
6) chainlock brlock.tdb:
|
|
a) br_lck->record = dbwrap_fetch_locked(brlock_db, ...)
|
|
b) store modifed br_lck from 5) via byte_range_lock_flush()
|
|
7) chainunlock brlock.tdb
|
|
8) chainlock locking.tdb
|
|
9) gunlock locking.tdb
|
|
10) chainunlock locking.tdb
|
|
|
|
All access to brlock.tdb is synchronized correctly via glocks on the locking.tdb
|
|
record of the file (step 3)), so operations still appear atomic to clients.
|
|
|
|
As a result of using share_mode_do_locked_brl(), the functions do_[un]lock() ->
|
|
brl_[un]lock() now loop over the same br_lck object in memory, avoiding
|
|
repeatedly fetching and storing the locks per loop.
|
|
|
|
[1]
|
|
Full SBT:
|
|
|
|
#0 0x00007fffa0cecbb0 in __pthread_mutex_lock_full () from /lib64/glibc-hwcaps/power9/libpthread-2.28.so
|
|
#1 0x00007fffa0a73cf8 in chain_mutex_lock (m=<optimized out>, m@entry=0x7fff9ae071b0, waitflag=<optimized out>, waitflag@entry=true) at ../../lib/tdb/common/mutex.c:182
|
|
#2 0x00007fffa0a7432c in tdb_mutex_lock (tdb=0x1543ba120, rw=<optimized out>, off=<optimized out>, len=<optimized out>, waitflag=<optimized out>, pret=0x7fffd7df3858) at ../../lib/tdb/common/mutex.c:234
|
|
#3 0x00007fffa0a6812c in fcntl_lock (waitflag=<optimized out>, len=1, off=376608, rw=0, tdb=0x1543ba120) at ../../lib/tdb/common/lock.c:200
|
|
#4 tdb_brlock (tdb=0x1543ba120, rw_type=<optimized out>, offset=<optimized out>, len=1, flags=<optimized out>) at ../../lib/tdb/common/lock.c:200
|
|
#5 0x00007fffa0a68af8 in tdb_nest_lock (flags=<optimized out>, ltype=0, offset=<optimized out>, tdb=0x1543ba120) at ../../lib/tdb/common/lock.c:390
|
|
#6 tdb_nest_lock (tdb=0x1543ba120, offset=<optimized out>, ltype=<optimized out>, flags=<optimized out>) at ../../lib/tdb/common/lock.c:336
|
|
#7 0x00007fffa0a69088 in tdb_lock_list (tdb=0x1543ba120, list=<optimized out>, ltype=<optimized out>, waitflag=<optimized out>) at ../../lib/tdb/common/lock.c:482
|
|
#8 0x00007fffa0a69198 in tdb_lock (tdb=0x1543ba120, list=<optimized out>, ltype=<optimized out>) at ../../lib/tdb/common/lock.c:500
|
|
#9 0x00007fffa0a64b50 in tdb_find_lock_hash (tdb=<optimized out>, tdb@entry=0x1543ba120, key=..., hash=<optimized out>, locktype=<optimized out>, locktype@entry=0, rec=<optimized out>, rec@entry=0x7fffd7df3ab0) at ../../lib/tdb/common/tdb.c:165
|
|
#10 0x00007fffa0a64ed0 in tdb_parse_record (tdb=0x1543ba120, key=..., parser=0x7fffa0e74470 <db_ctdb_ltdb_parser>, private_data=0x7fffd7df3b18) at ../../lib/tdb/common/tdb.c:329
|
|
#11 0x00007fffa0e74cbc in db_ctdb_ltdb_parse (db=<optimized out>, private_data=0x7fffd7df3b70, parser=0x7fffa0e76470 <db_ctdb_parse_record_parser_nonpersistent>, key=...) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:170
|
|
#12 db_ctdb_try_parse_local_record (ctx=ctx@entry=0x1543d4580, key=..., state=state@entry=0x7fffd7df3b70) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:1385
|
|
#13 0x00007fffa0e76024 in db_ctdb_parse_record (db=<optimized out>, key=..., parser=0x7fffa1313910 <dbwrap_watched_parse_record_parser>, private_data=0x7fffd7df3c08) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:1425
|
|
#14 0x00007fffa0884760 in dbwrap_parse_record (db=<optimized out>, key=..., parser=<optimized out>, private_data=<optimized out>) at ../../lib/dbwrap/dbwrap.c:454
|
|
#15 0x00007fffa1313ab4 in dbwrap_watched_parse_record (db=0x1543a7160, key=..., parser=0x7fffa13187d0 <g_lock_dump_fn>, private_data=0x7fffd7df3ce8) at ../../source3/lib/dbwrap/dbwrap_watch.c:783
|
|
#16 0x00007fffa0884760 in dbwrap_parse_record (db=<optimized out>, key=..., parser=<optimized out>, private_data=<optimized out>) at ../../lib/dbwrap/dbwrap.c:454
|
|
#17 0x00007fffa131c004 in g_lock_dump (ctx=<error reading variable: value has been optimized out>, key=..., fn=0x7fffa14f3d70 <fsp_update_share_mode_flags_fn>, private_data=0x7fffd7df3dd8) at ../../source3/lib/g_lock.c:1653
|
|
#18 0x00007fffa14f434c in share_mode_g_lock_dump (key=..., fn=0x7fffa14f3d70 <fsp_update_share_mode_flags_fn>, private_data=0x7fffd7df3dd8) at ../../source3/locking/share_mode_lock.c:96
|
|
#19 0x00007fffa14f8d44 in fsp_update_share_mode_flags (fsp=0x15433c550) at ../../source3/locking/share_mode_lock.c:1181
|
|
#20 file_has_read_lease (fsp=0x15433c550) at ../../source3/locking/share_mode_lock.c:1207
|
|
#21 0x00007fffa15ccc98 in contend_level2_oplocks_begin_default (type=<optimized out>, fsp=0x15433c550) at ../../source3/smbd/smb2_oplock.c:1282
|
|
#22 smbd_contend_level2_oplocks_begin (fsp=0x15433c550, type=<optimized out>) at ../../source3/smbd/smb2_oplock.c:1338
|
|
#23 0x00007fffa0dd0b54 in contend_level2_oplocks_begin (fsp=<optimized out>, type=<optimized out>) at ../../source3/lib/smbd_shim.c:72
|
|
#24 0x00007fffa14ecfd0 in brl_lock_windows_default (br_lck=0x154421330, plock=0x7fffd7df4250) at ../../source3/locking/brlock.c:457
|
|
#25 0x00007fffa150b70c in vfswrap_brl_lock_windows (handle=<optimized out>, br_lck=<optimized out>, plock=<optimized out>) at ../../source3/modules/vfs_default.c:3424
|
|
#26 0x00007fffa1561910 in smb_vfs_call_brl_lock_windows (handle=<optimized out>, br_lck=<optimized out>, plock=<optimized out>) at ../../source3/smbd/vfs.c:2686
|
|
#27 0x00007fff9c0a7350 in smb_time_audit_brl_lock_windows (handle=<optimized out>, br_lck=0x154421330, plock=0x7fffd7df4250) at ../../source3/modules/vfs_time_audit.c:1740
|
|
#28 0x00007fffa1561910 in smb_vfs_call_brl_lock_windows (handle=<optimized out>, br_lck=<optimized out>, plock=<optimized out>) at ../../source3/smbd/vfs.c:2686
|
|
#29 0x00007fffa14ed410 in brl_lock (br_lck=0x154421330, smblctx=3102281601, pid=..., start=0, size=18446744073709551615, lock_type=<optimized out>, lock_flav=WINDOWS_LOCK, blocker_pid=0x7fffd7df4540, psmblctx=0x7fffd7df4558) at ../../source3/locking/brlock.c:1004
|
|
#30 0x00007fffa14e7b18 in do_lock_fn (lck=<optimized out>, private_data=0x7fffd7df4508) at ../../source3/locking/locking.c:271
|
|
#31 0x00007fffa14fcd94 in _share_mode_do_locked_vfs_allowed (id=..., fn=0x7fffa14e7a60 <do_lock_fn>, private_data=0x7fffd7df4508, location=<optimized out>) at ../../source3/locking/share_mode_lock.c:2927
|
|
#32 0x00007fffa14e918c in do_lock (fsp=0x15433c550, req_mem_ctx=<optimized out>, req_guid=<optimized out>, smblctx=<optimized out>, count=18446744073709551615, offset=0, lock_type=<optimized out>, lock_flav=<optimized out>, pblocker_pid=0x7fffd7df46f0,
|
|
psmblctx=0x7fffd7df46d8) at ../../source3/locking/locking.c:335
|
|
#33 0x00007fffa155381c in smbd_do_locks_try (fsp=0x15433c550, num_locks=<optimized out>, locks=0x1543bc310, blocker_idx=0x7fffd7df46d6, blocking_pid=0x7fffd7df46f0, blocking_smblctx=0x7fffd7df46d8) at ../../source3/smbd/blocking.c:46
|
|
#34 0x00007fffa159dc90 in smbd_smb2_lock_try (req=req@entry=0x1543bc080) at ../../source3/smbd/smb2_lock.c:590
|
|
#35 0x00007fffa159ee8c in smbd_smb2_lock_send (in_locks=<optimized out>, in_lock_count=1, in_lock_sequence=<optimized out>, fsp=0x15433c550, smb2req=0x1543532e0, ev=0x154328120, mem_ctx=0x1543532e0) at ../../source3/smbd/smb2_lock.c:488
|
|
#36 smbd_smb2_request_process_lock (req=0x1543532e0) at ../../source3/smbd/smb2_lock.c:150
|
|
#37 0x00007fffa158a368 in smbd_smb2_request_dispatch (req=0x1543532e0) at ../../source3/smbd/smb2_server.c:3515
|
|
#38 0x00007fffa158c540 in smbd_smb2_io_handler (fde_flags=<optimized out>, xconn=0x154313f30) at ../../source3/smbd/smb2_server.c:5112
|
|
#39 smbd_smb2_connection_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/smb2_server.c:5150
|
|
#40 0x00007fffa1198b2c in tevent_common_invoke_fd_handler (fde=0x1543670f0, flags=<optimized out>, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
|
|
#41 0x00007fffa11a2b9c in epoll_event_loop (tvalp=0x7fffd7df4b28, epoll_ev=0x1543b4e80) at ../../lib/tevent/tevent_epoll.c:730
|
|
#42 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:946
|
|
#43 0x00007fffa11a0090 in std_event_loop_once (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent_standard.c:110
|
|
#44 0x00007fffa119744c in _tevent_loop_once (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent.c:823
|
|
#45 0x00007fffa1197884 in tevent_common_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:950
|
|
#46 0x00007fffa119ffc0 in std_event_loop_wait (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent_standard.c:141
|
|
#47 0x00007fffa1197978 in _tevent_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:971
|
|
#48 0x00007fffa15737fc in smbd_process (ev_ctx=0x154328120, msg_ctx=<optimized out>, sock_fd=<optimized out>, interactive=<optimized out>) at ../../source3/smbd/smb2_process.c:2158
|
|
#49 0x000000011db5c554 in smbd_accept_connection (ev=0x154328120, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1150
|
|
#50 0x00007fffa1198b2c in tevent_common_invoke_fd_handler (fde=0x1543ac2d0, flags=<optimized out>, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
|
|
#51 0x00007fffa11a2b9c in epoll_event_loop (tvalp=0x7fffd7df4f98, epoll_ev=0x154328350) at ../../lib/tevent/tevent_epoll.c:730
|
|
#52 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:946
|
|
#53 0x00007fffa11a0090 in std_event_loop_once (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent_standard.c:110
|
|
#54 0x00007fffa119744c in _tevent_loop_once (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent.c:823
|
|
#55 0x00007fffa1197884 in tevent_common_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:950
|
|
#56 0x00007fffa119ffc0 in std_event_loop_wait (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent_standard.c:141
|
|
#57 0x00007fffa1197978 in _tevent_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:971
|
|
#58 0x000000011db58c54 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x154328120) at ../../source3/smbd/server.c:1499
|
|
#59 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2258
|
|
|
|
[2]
|
|
Full SBT:
|
|
|
|
#0 0x00007fffa0cecbb0 in __pthread_mutex_lock_full () from /lib64/glibc-hwcaps/power9/libpthread-2.28.so
|
|
#1 0x00007fffa0a73cf8 in chain_mutex_lock (m=<optimized out>, m@entry=0x7fff9b3a71b0, waitflag=<optimized out>, waitflag@entry=true) at ../../lib/tdb/common/mutex.c:182
|
|
#2 0x00007fffa0a7432c in tdb_mutex_lock (tdb=0x1543c6900, rw=<optimized out>, off=<optimized out>, len=<optimized out>, waitflag=<optimized out>, pret=0x7fffd7df2e28) at ../../lib/tdb/common/mutex.c:234
|
|
#3 0x00007fffa0a6812c in fcntl_lock (waitflag=<optimized out>, len=1, off=376608, rw=0, tdb=0x1543c6900) at ../../lib/tdb/common/lock.c:200
|
|
#4 tdb_brlock (tdb=0x1543c6900, rw_type=<optimized out>, offset=<optimized out>, len=1, flags=<optimized out>) at ../../lib/tdb/common/lock.c:200
|
|
#5 0x00007fffa0a68af8 in tdb_nest_lock (flags=<optimized out>, ltype=0, offset=<optimized out>, tdb=0x1543c6900) at ../../lib/tdb/common/lock.c:390
|
|
#6 tdb_nest_lock (tdb=0x1543c6900, offset=<optimized out>, ltype=<optimized out>, flags=<optimized out>) at ../../lib/tdb/common/lock.c:336
|
|
#7 0x00007fffa0a69088 in tdb_lock_list (tdb=0x1543c6900, list=<optimized out>, ltype=<optimized out>, waitflag=<optimized out>) at ../../lib/tdb/common/lock.c:482
|
|
#8 0x00007fffa0a69198 in tdb_lock (tdb=0x1543c6900, list=<optimized out>, ltype=<optimized out>) at ../../lib/tdb/common/lock.c:500
|
|
#9 0x00007fffa0a64b50 in tdb_find_lock_hash (tdb=<optimized out>, tdb@entry=0x1543c6900, key=..., hash=<optimized out>, locktype=<optimized out>, locktype@entry=0, rec=<optimized out>, rec@entry=0x7fffd7df3080) at ../../lib/tdb/common/tdb.c:165
|
|
#10 0x00007fffa0a64ed0 in tdb_parse_record (tdb=0x1543c6900, key=..., parser=0x7fffa0e74470 <db_ctdb_ltdb_parser>, private_data=0x7fffd7df30e8) at ../../lib/tdb/common/tdb.c:329
|
|
#11 0x00007fffa0e74cbc in db_ctdb_ltdb_parse (db=<optimized out>, private_data=0x7fffd7df3140, parser=0x7fffa0e76470 <db_ctdb_parse_record_parser_nonpersistent>, key=...) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:170
|
|
#12 db_ctdb_try_parse_local_record (ctx=ctx@entry=0x154328fc0, key=..., state=state@entry=0x7fffd7df3140) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:1385
|
|
#13 0x00007fffa0e76024 in db_ctdb_parse_record (db=<optimized out>, key=..., parser=0x7fffa14ec820 <brl_get_locks_readonly_parser>, private_data=0x7fffd7df3218) at ../../source3/lib/dbwrap/dbwrap_ctdb.c:1425
|
|
#14 0x00007fffa0884760 in dbwrap_parse_record (db=<optimized out>, key=..., parser=<optimized out>, private_data=<optimized out>) at ../../lib/dbwrap/dbwrap.c:454
|
|
#15 0x00007fffa14ef5bc in brl_get_locks_readonly (fsp=0x1543d01e0) at ../../source3/locking/brlock.c:1884
|
|
#16 0x00007fffa1546968 in file_has_brlocks (fsp=0x1543d01e0) at ../../source3/smbd/open.c:2232
|
|
#17 delay_for_oplock (pgranted=<synthetic pointer>, poplock_type=<synthetic pointer>, first_open_attempt=<optimized out>, create_disposition=1, have_sharing_violation=false, lck=0x7fffd7df3ce8, lease=0x0, oplock_request=0, fsp=0x1543d01e0) at ../../source3/smbd/open.c:2749
|
|
#18 handle_share_mode_lease (pgranted=<synthetic pointer>, poplock_type=<synthetic pointer>, first_open_attempt=<optimized out>, lease=0x0, oplock_request=0, share_access=7, access_mask=131201, create_disposition=1, lck=0x7fffd7df3ce8, fsp=0x1543d01e0) at ../../source3/smbd/open.c:2865
|
|
#19 check_and_store_share_mode (first_open_attempt=<optimized out>, lease=0x0, oplock_request=0, share_access=7, access_mask=131201, create_disposition=1, lck=0x7fffd7df3ce8, req=0x154414800, fsp=0x1543d01e0) at ../../source3/smbd/open.c:3333
|
|
#20 open_ntcreate_lock_add_entry (lck=0x7fffd7df3ce8, keep_locked=0x7fffd7df3ad0, private_data=0x7fffd7df3cc8) at ../../source3/smbd/open.c:3688
|
|
#21 0x00007fffa14f6248 in share_mode_entry_prepare_lock_fn (glck=0x7fffd7df35b8, cb_private=0x7fffd7df3a88) at ../../source3/locking/share_mode_lock.c:2978
|
|
#22 0x00007fffa1317680 in g_lock_lock_cb_run_and_store (cb_state=cb_state@entry=0x7fffd7df35b8) at ../../source3/lib/g_lock.c:597
|
|
#23 0x00007fffa1319df8 in g_lock_lock_simple_fn (rec=0x7fffd7df3798, value=..., private_data=0x7fffd7df39a0) at ../../source3/lib/g_lock.c:1212
|
|
#24 0x00007fffa13160e0 in dbwrap_watched_do_locked_fn (backend_rec=<optimized out>, backend_value=..., private_data=0x7fffd7df3768) at ../../source3/lib/dbwrap/dbwrap_watch.c:458
|
|
#25 0x00007fffa0884e48 in dbwrap_do_locked (db=<optimized out>, key=..., fn=0x7fffa1316080 <dbwrap_watched_do_locked_fn>, private_data=0x7fffd7df3768) at ../../lib/dbwrap/dbwrap.c:602
|
|
#26 0x00007fffa1315274 in dbwrap_watched_do_locked (db=0x1543a7160, key=..., fn=0x7fffa1319ca0 <g_lock_lock_simple_fn>, private_data=0x7fffd7df39a0) at ../../source3/lib/dbwrap/dbwrap_watch.c:480
|
|
#27 0x00007fffa0884d60 in dbwrap_do_locked (db=<optimized out>, key=..., fn=<optimized out>, private_data=<optimized out>) at ../../lib/dbwrap/dbwrap.c:582
|
|
#28 0x00007fffa131b458 in g_lock_lock (ctx=0x1543cc630, key=..., type=<optimized out>, timeout=..., cb_fn=0x7fffa14f6190 <share_mode_entry_prepare_lock_fn>, cb_private=0x7fffd7df3a88) at ../../source3/lib/g_lock.c:1267
|
|
#29 0x00007fffa14fd060 in _share_mode_entry_prepare_lock (prepare_state=0x7fffd7df3cc8, id=..., servicepath=<optimized out>, smb_fname=<optimized out>, old_write_time=<optimized out>, fn=<optimized out>, private_data=0x7fffd7df3cc8, location=0x7fffa165b880 "../../source3/smbd/open.c:4292") at ../../source3/locking/share_mode_lock.c:3033
|
|
#30 0x00007fffa15491e0 in open_file_ntcreate (conn=conn@entry=0x154382050, req=req@entry=0x154414800, access_mask=<optimized out>, access_mask@entry=131201, share_access=share_access@entry=7, create_disposition=create_disposition@entry=1, create_options=create_options@entry=0, new_dos_attributes=<optimized out>, new_dos_attributes@entry=128, oplock_request=oplock_request@entry=0, lease=<optimized out>, lease@entry=0x0, private_flags=<optimized out>, private_flags@entry=0, parent_dir_fname=<optimized out>, smb_fname_atname=<optimized out>, pinfo=<optimized out>, pinfo@entry=0x7fffd7df3f1c, fsp=<optimized out>, fsp@entry=0x1543d01e0) at ../../source3/smbd/open.c:4286
|
|
#31 0x00007fffa154b94c in create_file_unixpath (conn=conn@entry=0x154382050, req=req@entry=0x154414800, dirfsp=dirfsp@entry=0x15439a7f0, smb_fname=smb_fname@entry=0x154416300, access_mask=access_mask@entry=131201, share_access=share_access@entry=7, create_disposition=create_disposition@entry=1, create_options=create_options@entry=0, file_attributes=file_attributes@entry=128, oplock_request=<optimized out>, oplock_request@entry=0, lease=<optimized out>, lease@entry=0x0, allocation_size=allocation_size@entry=0, private_flags=private_flags@entry=0, sd=sd@entry=0x0, ea_list=ea_list@entry=0x0, result=result@entry=0x7fffd7df4168, pinfo=pinfo@entry=0x7fffd7df4160) at ../../source3/smbd/open.c:6290
|
|
#32 0x00007fffa154dfac in create_file_default (conn=0x154382050, req=0x154414800, dirfsp=0x15439a7f0, smb_fname=0x154416300, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=128, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x1544144e8, pinfo=0x1544144fc, in_context_blobs=0x7fffd7df4798, out_context_blobs=0x154414710) at ../../source3/smbd/open.c:6609
|
|
#33 0x00007fffa150972c in vfswrap_create_file (handle=<optimized out>, req=<optimized out>, dirfsp=<optimized out>, smb_fname=<optimized out>, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=128, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x1544144e8, pinfo=0x1544144fc, in_context_blobs=0x7fffd7df4798, out_context_blobs=0x154414710) at ../../source3/modules/vfs_default.c:776
|
|
#34 0x00007fffa1559cbc in smb_vfs_call_create_file (handle=<optimized out>, req=<optimized out>, dirfsp=<optimized out>, smb_fname=<optimized out>, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=128, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x1544144e8, pinfo=0x1544144fc, in_context_blobs=0x7fffd7df4798, out_context_blobs=0x154414710) at ../../source3/smbd/vfs.c:1560
|
|
#35 0x00007fff9c0a9ec4 in smb_time_audit_create_file (handle=0x154426820, req=0x154414800, dirfsp=0x15439a7f0, fname=0x154416300, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=128, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result_fsp=0x1544144e8, pinfo=0x1544144fc, in_context_blobs=0x7fffd7df4798, out_context_blobs=0x154414710) at ../../source3/modules/vfs_time_audit.c:634
|
|
#36 0x00007fffa1559cbc in smb_vfs_call_create_file (handle=<optimized out>, req=<optimized out>, dirfsp=<optimized out>, smb_fname=<optimized out>, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=128, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x1544144e8, pinfo=0x1544144fc, in_context_blobs=0x7fffd7df4798, out_context_blobs=0x154414710) at ../../source3/smbd/vfs.c:1560
|
|
#37 0x00007fffa1597aa8 in smbd_smb2_create_send (in_context_blobs=..., in_name=0x154413ca0, in_create_options=<optimized out>, in_create_disposition=<optimized out>, in_share_access=<optimized out>, in_file_attributes=<optimized out>, in_desired_access=<optimized out>, in_impersonation_level=<optimized out>, in_oplock_level=<optimized out>, smb2req=0x154413770, ev=0x154328120, mem_ctx=0x154413770) at ../../source3/smbd/smb2_create.c:1115
|
|
#38 smbd_smb2_request_process_create (smb2req=0x154413770) at ../../source3/smbd/smb2_create.c:291
|
|
#39 0x00007fffa158a628 in smbd_smb2_request_dispatch (req=0x154413770) at ../../source3/smbd/smb2_server.c:3485
|
|
#40 0x00007fffa158c540 in smbd_smb2_io_handler (fde_flags=<optimized out>, xconn=0x154313f30) at ../../source3/smbd/smb2_server.c:5112
|
|
#41 smbd_smb2_connection_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/smb2_server.c:5150
|
|
#42 0x00007fffa1198b2c in tevent_common_invoke_fd_handler (fde=0x15435add0, flags=<optimized out>, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
|
|
#43 0x00007fffa11a2b9c in epoll_event_loop (tvalp=0x7fffd7df4b28, epoll_ev=0x1543b4e80) at ../../lib/tevent/tevent_epoll.c:730
|
|
#44 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:946
|
|
#45 0x00007fffa11a0090 in std_event_loop_once (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent_standard.c:110
|
|
#46 0x00007fffa119744c in _tevent_loop_once (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent.c:823
|
|
#47 0x00007fffa1197884 in tevent_common_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:950
|
|
#48 0x00007fffa119ffc0 in std_event_loop_wait (ev=0x154328120, location=0x7fffa1668db8 "../../source3/smbd/smb2_process.c:2158") at ../../lib/tevent/tevent_standard.c:141
|
|
#49 0x00007fffa1197978 in _tevent_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:971
|
|
#50 0x00007fffa15737fc in smbd_process (ev_ctx=0x154328120, msg_ctx=<optimized out>, sock_fd=<optimized out>, interactive=<optimized out>) at ../../source3/smbd/smb2_process.c:2158
|
|
#51 0x000000011db5c554 in smbd_accept_connection (ev=0x154328120, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1150
|
|
#52 0x00007fffa1198b2c in tevent_common_invoke_fd_handler (fde=0x1543ac2d0, flags=<optimized out>, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
|
|
#53 0x00007fffa11a2b9c in epoll_event_loop (tvalp=0x7fffd7df4f98, epoll_ev=0x154328350) at ../../lib/tevent/tevent_epoll.c:730
|
|
#54 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:946
|
|
#55 0x00007fffa11a0090 in std_event_loop_once (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent_standard.c:110
|
|
#56 0x00007fffa119744c in _tevent_loop_once (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent.c:823
|
|
#57 0x00007fffa1197884 in tevent_common_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:950
|
|
#58 0x00007fffa119ffc0 in std_event_loop_wait (ev=0x154328120, location=0x11db60b50 "../../source3/smbd/server.c:1499") at ../../lib/tevent/tevent_standard.c:141
|
|
#59 0x00007fffa1197978 in _tevent_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:971
|
|
#60 0x000000011db58c54 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x154328120) at ../../source3/smbd/server.c:1499
|
|
#61 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2258
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(backported from commit 2eef298ff4c5baf15c7d29c65fb021dbed5b0a93)
|
|
[slow@samba.org: changed argument of share_mode_watch_send()]
|
|
[slow@samba.org: small context change in vfs_fruit]
|
|
---
|
|
source3/locking/locking.c | 109 +++++--------------
|
|
source3/locking/proto.h | 4 +-
|
|
source3/modules/vfs_fruit.c | 91 +++++++++++-----
|
|
source3/smbd/blocking.c | 202 +++++++++++++++++++-----------------
|
|
source3/smbd/proto.h | 19 ++--
|
|
source3/smbd/smb2_lock.c | 77 +++++++++-----
|
|
source3/smbd/smb2_reply.c | 53 ++++++----
|
|
7 files changed, 293 insertions(+), 262 deletions(-)
|
|
|
|
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
|
|
index ea692711627..ffb89378cb5 100644
|
|
--- a/source3/locking/locking.c
|
|
+++ b/source3/locking/locking.c
|
|
@@ -241,52 +241,7 @@ static void decrement_current_lock_count(files_struct *fsp,
|
|
Utility function called by locking requests.
|
|
****************************************************************************/
|
|
|
|
-struct do_lock_state {
|
|
- struct files_struct *fsp;
|
|
- TALLOC_CTX *req_mem_ctx;
|
|
- const struct GUID *req_guid;
|
|
- uint64_t smblctx;
|
|
- uint64_t count;
|
|
- uint64_t offset;
|
|
- enum brl_type lock_type;
|
|
- enum brl_flavour lock_flav;
|
|
-
|
|
- struct server_id blocker_pid;
|
|
- uint64_t blocker_smblctx;
|
|
- NTSTATUS status;
|
|
-};
|
|
-
|
|
-static void do_lock_fn(
|
|
- struct share_mode_lock *lck,
|
|
- void *private_data)
|
|
-{
|
|
- struct do_lock_state *state = private_data;
|
|
- struct byte_range_lock *br_lck = NULL;
|
|
-
|
|
- br_lck = brl_get_locks_for_locking(talloc_tos(),
|
|
- state->fsp,
|
|
- state->req_mem_ctx,
|
|
- state->req_guid);
|
|
- if (br_lck == NULL) {
|
|
- state->status = NT_STATUS_NO_MEMORY;
|
|
- return;
|
|
- }
|
|
-
|
|
- state->status = brl_lock(
|
|
- br_lck,
|
|
- state->smblctx,
|
|
- messaging_server_id(state->fsp->conn->sconn->msg_ctx),
|
|
- state->offset,
|
|
- state->count,
|
|
- state->lock_type,
|
|
- state->lock_flav,
|
|
- &state->blocker_pid,
|
|
- &state->blocker_smblctx);
|
|
-
|
|
- TALLOC_FREE(br_lck);
|
|
-}
|
|
-
|
|
-NTSTATUS do_lock(files_struct *fsp,
|
|
+NTSTATUS do_lock(struct byte_range_lock *br_lck,
|
|
TALLOC_CTX *req_mem_ctx,
|
|
const struct GUID *req_guid,
|
|
uint64_t smblctx,
|
|
@@ -297,22 +252,13 @@ NTSTATUS do_lock(files_struct *fsp,
|
|
struct server_id *pblocker_pid,
|
|
uint64_t *psmblctx)
|
|
{
|
|
- struct do_lock_state state = {
|
|
- .fsp = fsp,
|
|
- .req_mem_ctx = req_mem_ctx,
|
|
- .req_guid = req_guid,
|
|
- .smblctx = smblctx,
|
|
- .count = count,
|
|
- .offset = offset,
|
|
- .lock_type = lock_type,
|
|
- .lock_flav = lock_flav,
|
|
- };
|
|
+ files_struct *fsp = brl_fsp(br_lck);
|
|
+ struct server_id blocker_pid;
|
|
+ uint64_t blocker_smblctx;
|
|
NTSTATUS status;
|
|
|
|
- /* silently return ok on print files as we don't do locking there */
|
|
- if (fsp->print_file) {
|
|
- return NT_STATUS_OK;
|
|
- }
|
|
+ SMB_ASSERT(req_mem_ctx != NULL);
|
|
+ SMB_ASSERT(req_guid != NULL);
|
|
|
|
if (!fsp->fsp_flags.can_lock) {
|
|
if (fsp->fsp_flags.is_directory) {
|
|
@@ -336,25 +282,27 @@ NTSTATUS do_lock(files_struct *fsp,
|
|
fsp_fnum_dbg(fsp),
|
|
fsp_str_dbg(fsp));
|
|
|
|
- status = share_mode_do_locked_vfs_allowed(fsp->file_id,
|
|
- do_lock_fn,
|
|
- &state);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DBG_DEBUG("share_mode_do_locked returned %s\n",
|
|
- nt_errstr(status));
|
|
- return status;
|
|
- }
|
|
- if (!NT_STATUS_IS_OK(state.status)) {
|
|
- DBG_DEBUG("do_lock_fn returned %s\n",
|
|
- nt_errstr(state.status));
|
|
+ brl_req_set(br_lck, req_mem_ctx, req_guid);
|
|
+ status = brl_lock(br_lck,
|
|
+ smblctx,
|
|
+ messaging_server_id(fsp->conn->sconn->msg_ctx),
|
|
+ offset,
|
|
+ count,
|
|
+ lock_type,
|
|
+ lock_flav,
|
|
+ &blocker_pid,
|
|
+ &blocker_smblctx);
|
|
+ brl_req_set(br_lck, NULL, NULL);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_DEBUG("brl_lock failed: %s\n", nt_errstr(status));
|
|
if (psmblctx != NULL) {
|
|
- *psmblctx = state.blocker_smblctx;
|
|
+ *psmblctx = blocker_smblctx;
|
|
}
|
|
if (pblocker_pid != NULL) {
|
|
- *pblocker_pid = state.blocker_pid;
|
|
+ *pblocker_pid = blocker_pid;
|
|
}
|
|
- return state.status;
|
|
- }
|
|
+ return status;
|
|
+ }
|
|
|
|
increment_current_lock_count(fsp, lock_flav);
|
|
|
|
@@ -365,14 +313,14 @@ NTSTATUS do_lock(files_struct *fsp,
|
|
Utility function called by unlocking requests.
|
|
****************************************************************************/
|
|
|
|
-NTSTATUS do_unlock(files_struct *fsp,
|
|
+NTSTATUS do_unlock(struct byte_range_lock *br_lck,
|
|
uint64_t smblctx,
|
|
uint64_t count,
|
|
uint64_t offset,
|
|
enum brl_flavour lock_flav)
|
|
{
|
|
+ files_struct *fsp = brl_fsp(br_lck);
|
|
bool ok = False;
|
|
- struct byte_range_lock *br_lck = NULL;
|
|
|
|
if (!fsp->fsp_flags.can_lock) {
|
|
return fsp->fsp_flags.is_directory ?
|
|
@@ -391,11 +339,6 @@ NTSTATUS do_unlock(files_struct *fsp,
|
|
fsp_fnum_dbg(fsp),
|
|
fsp_str_dbg(fsp));
|
|
|
|
- br_lck = brl_get_locks(talloc_tos(), fsp);
|
|
- if (!br_lck) {
|
|
- return NT_STATUS_NO_MEMORY;
|
|
- }
|
|
-
|
|
ok = brl_unlock(br_lck,
|
|
smblctx,
|
|
messaging_server_id(fsp->conn->sconn->msg_ctx),
|
|
@@ -403,8 +346,6 @@ NTSTATUS do_unlock(files_struct *fsp,
|
|
count,
|
|
lock_flav);
|
|
|
|
- TALLOC_FREE(br_lck);
|
|
-
|
|
if (!ok) {
|
|
DEBUG(10,("do_unlock: returning ERRlock.\n" ));
|
|
return NT_STATUS_RANGE_NOT_LOCKED;
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index c74539c8161..e332abf34ec 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -120,7 +120,7 @@ NTSTATUS query_lock(files_struct *fsp,
|
|
uint64_t *poffset,
|
|
enum brl_type *plock_type,
|
|
enum brl_flavour lock_flav);
|
|
-NTSTATUS do_lock(files_struct *fsp,
|
|
+NTSTATUS do_lock(struct byte_range_lock *br_lck,
|
|
TALLOC_CTX *req_mem_ctx,
|
|
const struct GUID *req_guid,
|
|
uint64_t smblctx,
|
|
@@ -130,7 +130,7 @@ NTSTATUS do_lock(files_struct *fsp,
|
|
enum brl_flavour lock_flav,
|
|
struct server_id *pblocker_pid,
|
|
uint64_t *psmblctx);
|
|
-NTSTATUS do_unlock(files_struct *fsp,
|
|
+NTSTATUS do_unlock(struct byte_range_lock *br_lck,
|
|
uint64_t smblctx,
|
|
uint64_t count,
|
|
uint64_t offset,
|
|
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
|
|
index b63fff7f95d..e85c26c9dc0 100644
|
|
--- a/source3/modules/vfs_fruit.c
|
|
+++ b/source3/modules/vfs_fruit.c
|
|
@@ -629,11 +629,21 @@ static bool test_netatalk_lock(files_struct *fsp, off_t in_offset)
|
|
return false;
|
|
}
|
|
|
|
-static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
- files_struct *fsp,
|
|
- uint32_t access_mask,
|
|
- uint32_t share_mode)
|
|
+struct check_access_state {
|
|
+ NTSTATUS status;
|
|
+ files_struct *fsp;
|
|
+ uint32_t access_mask;
|
|
+ uint32_t share_mode;
|
|
+};
|
|
+
|
|
+static void fruit_check_access(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
{
|
|
+ struct check_access_state *state = private_data;
|
|
+ files_struct *fsp = state->fsp;
|
|
+ uint32_t access_mask = state->access_mask;
|
|
+ uint32_t share_mode = state->share_mode;
|
|
NTSTATUS status = NT_STATUS_OK;
|
|
off_t off;
|
|
bool share_for_read = (share_mode & FILE_SHARE_READ);
|
|
@@ -647,6 +657,14 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
/* FIXME: hardcoded data fork, add resource fork */
|
|
enum apple_fork fork_type = APPLE_FORK_DATA;
|
|
|
|
+ /*
|
|
+ * The caller has checked fsp->fsp_flags.can_lock and lp_locking so
|
|
+ * br_lck has to be there!
|
|
+ */
|
|
+ SMB_ASSERT(br_lck != NULL);
|
|
+
|
|
+ state->status = NT_STATUS_OK;
|
|
+
|
|
DBG_DEBUG("fruit_check_access: %s, am: %s/%s, sm: 0x%x\n",
|
|
fsp_str_dbg(fsp),
|
|
access_mask & FILE_READ_DATA ? "READ" :"-",
|
|
@@ -654,7 +672,7 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
share_mode);
|
|
|
|
if (fsp_get_io_fd(fsp) == -1) {
|
|
- return NT_STATUS_OK;
|
|
+ return;
|
|
}
|
|
|
|
/* Read NetATalk opens and deny modes on the file. */
|
|
@@ -677,22 +695,26 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
/* If there are any conflicts - sharing violation. */
|
|
if ((access_mask & FILE_READ_DATA) &&
|
|
netatalk_already_open_with_deny_read) {
|
|
- return NT_STATUS_SHARING_VIOLATION;
|
|
+ state->status = NT_STATUS_SHARING_VIOLATION;
|
|
+ return;
|
|
}
|
|
|
|
if (!share_for_read &&
|
|
netatalk_already_open_for_reading) {
|
|
- return NT_STATUS_SHARING_VIOLATION;
|
|
+ state->status = NT_STATUS_SHARING_VIOLATION;
|
|
+ return;
|
|
}
|
|
|
|
if ((access_mask & FILE_WRITE_DATA) &&
|
|
netatalk_already_open_with_deny_write) {
|
|
- return NT_STATUS_SHARING_VIOLATION;
|
|
+ state->status = NT_STATUS_SHARING_VIOLATION;
|
|
+ return;
|
|
}
|
|
|
|
if (!share_for_write &&
|
|
netatalk_already_open_for_writing) {
|
|
- return NT_STATUS_SHARING_VIOLATION;
|
|
+ state->status = NT_STATUS_SHARING_VIOLATION;
|
|
+ return;
|
|
}
|
|
|
|
if (!(access_mask & FILE_READ_DATA)) {
|
|
@@ -700,15 +722,16 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
* Nothing we can do here, we need read access
|
|
* to set locks.
|
|
*/
|
|
- return NT_STATUS_OK;
|
|
+ return;
|
|
}
|
|
|
|
/* Set NetAtalk locks matching our access */
|
|
if (access_mask & FILE_READ_DATA) {
|
|
off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
|
|
req_guid.time_hi_and_version = __LINE__;
|
|
+
|
|
status = do_lock(
|
|
- fsp,
|
|
+ br_lck,
|
|
talloc_tos(),
|
|
&req_guid,
|
|
fsp->op->global->open_persistent_id,
|
|
@@ -718,17 +741,18 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
POSIX_LOCK,
|
|
NULL,
|
|
NULL);
|
|
-
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- return status;
|
|
+ state->status = status;
|
|
+ return;
|
|
}
|
|
}
|
|
|
|
if (!share_for_read) {
|
|
off = denymode_to_netatalk_brl(fork_type, DENY_READ);
|
|
req_guid.time_hi_and_version = __LINE__;
|
|
+
|
|
status = do_lock(
|
|
- fsp,
|
|
+ br_lck,
|
|
talloc_tos(),
|
|
&req_guid,
|
|
fsp->op->global->open_persistent_id,
|
|
@@ -738,17 +762,18 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
POSIX_LOCK,
|
|
NULL,
|
|
NULL);
|
|
-
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- return status;
|
|
+ state->status = status;
|
|
+ return;
|
|
}
|
|
}
|
|
|
|
if (access_mask & FILE_WRITE_DATA) {
|
|
off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
|
|
req_guid.time_hi_and_version = __LINE__;
|
|
+
|
|
status = do_lock(
|
|
- fsp,
|
|
+ br_lck,
|
|
talloc_tos(),
|
|
&req_guid,
|
|
fsp->op->global->open_persistent_id,
|
|
@@ -758,17 +783,18 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
POSIX_LOCK,
|
|
NULL,
|
|
NULL);
|
|
-
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- return status;
|
|
+ state->status = status;
|
|
+ return;
|
|
}
|
|
}
|
|
|
|
if (!share_for_write) {
|
|
off = denymode_to_netatalk_brl(fork_type, DENY_WRITE);
|
|
req_guid.time_hi_and_version = __LINE__;
|
|
+
|
|
status = do_lock(
|
|
- fsp,
|
|
+ br_lck,
|
|
talloc_tos(),
|
|
&req_guid,
|
|
fsp->op->global->open_persistent_id,
|
|
@@ -778,13 +804,11 @@ static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
|
|
POSIX_LOCK,
|
|
NULL,
|
|
NULL);
|
|
-
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- return status;
|
|
+ state->status = status;
|
|
+ return;
|
|
}
|
|
}
|
|
-
|
|
- return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS check_aapl(vfs_handle_struct *handle,
|
|
@@ -4376,16 +4400,27 @@ static NTSTATUS fruit_create_file(vfs_handle_struct *handle,
|
|
}
|
|
|
|
if ((config->locking == FRUIT_LOCKING_NETATALK) &&
|
|
+ lp_locking(fsp->conn->params) &&
|
|
+ fsp->fsp_flags.can_lock &&
|
|
(fsp->op != NULL) &&
|
|
!fsp->fsp_flags.is_pathref)
|
|
{
|
|
- status = fruit_check_access(
|
|
- handle, *result,
|
|
- access_mask,
|
|
- share_access);
|
|
+ struct check_access_state state = (struct check_access_state) {
|
|
+ .fsp = fsp,
|
|
+ .access_mask = access_mask,
|
|
+ .share_mode = share_access,
|
|
+ };
|
|
+
|
|
+ status = share_mode_do_locked_brl(fsp,
|
|
+ fruit_check_access,
|
|
+ &state);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto fail;
|
|
}
|
|
+ if (!NT_STATUS_IS_OK(state.status)) {
|
|
+ status = state.status;
|
|
+ goto fail;
|
|
+ }
|
|
}
|
|
|
|
return status;
|
|
diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c
|
|
index 8b41288bfbf..c9d9aff98b7 100644
|
|
--- a/source3/smbd/blocking.c
|
|
+++ b/source3/smbd/blocking.c
|
|
@@ -29,31 +29,27 @@
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_LOCKING
|
|
|
|
-NTSTATUS smbd_do_locks_try(
|
|
- struct files_struct *fsp,
|
|
- uint16_t num_locks,
|
|
- struct smbd_lock_element *locks,
|
|
- uint16_t *blocker_idx,
|
|
- struct server_id *blocking_pid,
|
|
- uint64_t *blocking_smblctx)
|
|
+NTSTATUS smbd_do_locks_try(struct byte_range_lock *br_lck,
|
|
+ struct smbd_do_locks_state *state)
|
|
{
|
|
- NTSTATUS status = NT_STATUS_OK;
|
|
+ bool unlock_ok;
|
|
uint16_t i;
|
|
+ NTSTATUS status = NT_STATUS_OK;
|
|
|
|
- for (i=0; i<num_locks; i++) {
|
|
- struct smbd_lock_element *e = &locks[i];
|
|
+ for (i = 0; i < state->num_locks; i++) {
|
|
+ struct smbd_lock_element *e = &state->locks[i];
|
|
|
|
status = do_lock(
|
|
- fsp,
|
|
- locks, /* req_mem_ctx */
|
|
+ br_lck,
|
|
+ state->locks, /* req_mem_ctx */
|
|
&e->req_guid,
|
|
e->smblctx,
|
|
e->count,
|
|
e->offset,
|
|
e->brltype,
|
|
e->lock_flav,
|
|
- blocking_pid,
|
|
- blocking_smblctx);
|
|
+ &state->blocking_pid,
|
|
+ &state->blocking_smblctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
@@ -63,18 +59,35 @@ NTSTATUS smbd_do_locks_try(
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
- *blocker_idx = i;
|
|
+ state->blocker_idx = i;
|
|
+ unlock_ok = true;
|
|
|
|
/*
|
|
* Undo the locks we successfully got
|
|
*/
|
|
for (i = i-1; i != UINT16_MAX; i--) {
|
|
- struct smbd_lock_element *e = &locks[i];
|
|
- do_unlock(fsp,
|
|
- e->smblctx,
|
|
- e->count,
|
|
- e->offset,
|
|
- e->lock_flav);
|
|
+ struct smbd_lock_element *e = &state->locks[i];
|
|
+ NTSTATUS ulstatus;
|
|
+
|
|
+ ulstatus = do_unlock(br_lck,
|
|
+ e->smblctx,
|
|
+ e->count,
|
|
+ e->offset,
|
|
+ e->lock_flav);
|
|
+ if (!NT_STATUS_IS_OK(ulstatus)) {
|
|
+ DBG_DEBUG("Failed to undo lock flavour %s lock "
|
|
+ "type %s start=%"PRIu64" len=%"PRIu64" "
|
|
+ "requested for file [%s]\n",
|
|
+ lock_flav_name(e->lock_flav),
|
|
+ lock_type_name(e->brltype),
|
|
+ e->offset,
|
|
+ e->count,
|
|
+ fsp_str_dbg(brl_fsp(br_lck)));
|
|
+ unlock_ok = false;
|
|
+ }
|
|
+ }
|
|
+ if (unlock_ok) {
|
|
+ brl_set_modified(br_lck, false);
|
|
}
|
|
|
|
return status;
|
|
@@ -118,13 +131,6 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req);
|
|
static void smbd_smb1_do_locks_retry(struct tevent_req *subreq);
|
|
static void smbd_smb1_blocked_locks_cleanup(
|
|
struct tevent_req *req, enum tevent_req_state req_state);
|
|
-static NTSTATUS smbd_smb1_do_locks_check(
|
|
- struct files_struct *fsp,
|
|
- uint16_t num_locks,
|
|
- struct smbd_lock_element *locks,
|
|
- uint16_t *blocker_idx,
|
|
- struct server_id *blocking_pid,
|
|
- uint64_t *blocking_smblctx);
|
|
|
|
static void smbd_smb1_do_locks_setup_timeout(
|
|
struct smbd_smb1_do_locks_state *state,
|
|
@@ -378,18 +384,35 @@ static NTSTATUS smbd_smb1_do_locks_check_blocked(
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
-static NTSTATUS smbd_smb1_do_locks_check(
|
|
- struct files_struct *fsp,
|
|
- uint16_t num_locks,
|
|
- struct smbd_lock_element *locks,
|
|
- uint16_t *blocker_idx,
|
|
- struct server_id *blocking_pid,
|
|
- uint64_t *blocking_smblctx)
|
|
+static void smbd_smb1_do_locks_try_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
{
|
|
+ struct tevent_req *req = talloc_get_type_abort(
|
|
+ private_data, struct tevent_req);
|
|
+ struct smbd_smb1_do_locks_state *state = tevent_req_data(
|
|
+ req, struct smbd_smb1_do_locks_state);
|
|
+ struct smbd_do_locks_state brl_state;
|
|
+ struct files_struct *fsp = state->fsp;
|
|
struct tevent_req **blocked = fsp->blocked_smb1_lock_reqs;
|
|
size_t num_blocked = talloc_array_length(blocked);
|
|
- NTSTATUS status;
|
|
+ struct timeval endtime = { 0 };
|
|
+ struct tevent_req *subreq = NULL;
|
|
size_t bi;
|
|
+ NTSTATUS status;
|
|
+ bool ok;
|
|
+ bool expired;
|
|
+
|
|
+ /*
|
|
+ * The caller has checked fsp->fsp_flags.can_lock and lp_locking so
|
|
+ * br_lck has to be there!
|
|
+ */
|
|
+ SMB_ASSERT(br_lck != NULL);
|
|
+
|
|
+ brl_state = (struct smbd_do_locks_state) {
|
|
+ .num_locks = state->num_locks,
|
|
+ .locks = state->locks,
|
|
+ };
|
|
|
|
/*
|
|
* We check the pending/blocked requests
|
|
@@ -404,8 +427,8 @@ static NTSTATUS smbd_smb1_do_locks_check(
|
|
tevent_req_data(blocked[bi],
|
|
struct smbd_smb1_do_locks_state);
|
|
|
|
- if (blocked_state->locks == locks) {
|
|
- SMB_ASSERT(blocked_state->num_locks == num_locks);
|
|
+ if (blocked_state->locks == state->locks) {
|
|
+ SMB_ASSERT(blocked_state->num_locks == state->num_locks);
|
|
|
|
/*
|
|
* We found ourself...
|
|
@@ -416,61 +439,24 @@ static NTSTATUS smbd_smb1_do_locks_check(
|
|
status = smbd_smb1_do_locks_check_blocked(
|
|
blocked_state->num_locks,
|
|
blocked_state->locks,
|
|
- num_locks,
|
|
- locks,
|
|
- blocker_idx,
|
|
- blocking_smblctx);
|
|
+ state->num_locks,
|
|
+ state->locks,
|
|
+ &brl_state.blocker_idx,
|
|
+ &brl_state.blocking_smblctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- *blocking_pid = messaging_server_id(
|
|
- fsp->conn->sconn->msg_ctx);
|
|
- return status;
|
|
+ brl_state.blocking_pid = messaging_server_id(
|
|
+ fsp->conn->sconn->msg_ctx);
|
|
+ goto check_retry;
|
|
}
|
|
}
|
|
|
|
- status = smbd_do_locks_try(
|
|
- fsp,
|
|
- num_locks,
|
|
- locks,
|
|
- blocker_idx,
|
|
- blocking_pid,
|
|
- blocking_smblctx);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- return status;
|
|
- }
|
|
-
|
|
- return NT_STATUS_OK;
|
|
-}
|
|
-
|
|
-static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
-{
|
|
- struct smbd_smb1_do_locks_state *state = tevent_req_data(
|
|
- req, struct smbd_smb1_do_locks_state);
|
|
- struct files_struct *fsp = state->fsp;
|
|
- struct share_mode_lock *lck;
|
|
- struct timeval endtime = { 0 };
|
|
- struct server_id blocking_pid = { 0 };
|
|
- uint64_t blocking_smblctx = 0;
|
|
- struct tevent_req *subreq = NULL;
|
|
- NTSTATUS status;
|
|
- bool ok;
|
|
- bool expired;
|
|
-
|
|
- lck = get_existing_share_mode_lock(state, fsp->file_id);
|
|
- if (tevent_req_nomem(lck, req)) {
|
|
- DBG_DEBUG("Could not get share mode lock\n");
|
|
- return;
|
|
- }
|
|
-
|
|
- status = smbd_smb1_do_locks_check(
|
|
- fsp,
|
|
- state->num_locks,
|
|
- state->locks,
|
|
- &state->blocker,
|
|
- &blocking_pid,
|
|
- &blocking_smblctx);
|
|
+ status = smbd_do_locks_try(br_lck, &brl_state);
|
|
if (NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
+
|
|
+ state->blocker = brl_state.blocker_idx;
|
|
+
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
|
|
/*
|
|
* We got NT_STATUS_RETRY,
|
|
@@ -494,8 +480,8 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
* locking.tdb may cause retries.
|
|
*/
|
|
|
|
- if (blocking_smblctx != UINT64_MAX) {
|
|
- SMB_ASSERT(blocking_smblctx == 0);
|
|
+ if (brl_state.blocking_smblctx != UINT64_MAX) {
|
|
+ SMB_ASSERT(brl_state.blocking_smblctx == 0);
|
|
goto setup_retry;
|
|
}
|
|
|
|
@@ -516,6 +502,8 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
endtime = timeval_current_ofs_msec(state->retry_msecs);
|
|
goto setup_retry;
|
|
}
|
|
+
|
|
+check_retry:
|
|
if (!ERROR_WAS_LOCK_DENIED(status)) {
|
|
goto done;
|
|
}
|
|
@@ -529,7 +517,7 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
smbd_smb1_do_locks_setup_timeout(state, &state->locks[state->blocker]);
|
|
DBG_DEBUG("timeout=%"PRIu32", blocking_smblctx=%"PRIu64"\n",
|
|
state->timeout,
|
|
- blocking_smblctx);
|
|
+ brl_state.blocking_smblctx);
|
|
|
|
/*
|
|
* The client specified timeout expired
|
|
@@ -554,7 +542,7 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
|
|
endtime = state->endtime;
|
|
|
|
- if (blocking_smblctx == UINT64_MAX) {
|
|
+ if (brl_state.blocking_smblctx == UINT64_MAX) {
|
|
struct timeval tmp;
|
|
|
|
smbd_smb1_do_locks_update_polling_msecs(state);
|
|
@@ -568,11 +556,11 @@ static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
|
|
setup_retry:
|
|
subreq = share_mode_watch_send(
|
|
- state, state->ev, lck, blocking_pid);
|
|
+ state, state->ev, lck, brl_state.blocking_pid);
|
|
if (tevent_req_nomem(subreq, req)) {
|
|
+ status = NT_STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
- TALLOC_FREE(lck);
|
|
tevent_req_set_callback(subreq, smbd_smb1_do_locks_retry, req);
|
|
|
|
if (timeval_is_zero(&endtime)) {
|
|
@@ -586,10 +574,38 @@ setup_retry:
|
|
}
|
|
return;
|
|
done:
|
|
- TALLOC_FREE(lck);
|
|
smbd_smb1_brl_finish_by_req(req, status);
|
|
}
|
|
|
|
+static void smbd_smb1_do_locks_try(struct tevent_req *req)
|
|
+{
|
|
+ struct smbd_smb1_do_locks_state *state = tevent_req_data(
|
|
+ req, struct smbd_smb1_do_locks_state);
|
|
+ NTSTATUS status;
|
|
+
|
|
+ if (!state->fsp->fsp_flags.can_lock) {
|
|
+ if (state->fsp->fsp_flags.is_directory) {
|
|
+ return smbd_smb1_brl_finish_by_req(req,
|
|
+ NT_STATUS_INVALID_DEVICE_REQUEST);
|
|
+ }
|
|
+ return smbd_smb1_brl_finish_by_req(req,
|
|
+ NT_STATUS_INVALID_HANDLE);
|
|
+ }
|
|
+
|
|
+ if (!lp_locking(state->fsp->conn->params)) {
|
|
+ return smbd_smb1_brl_finish_by_req(req, NT_STATUS_OK);
|
|
+ }
|
|
+
|
|
+ status = share_mode_do_locked_brl(state->fsp,
|
|
+ smbd_smb1_do_locks_try_fn,
|
|
+ req);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ smbd_smb1_brl_finish_by_req(req, status);
|
|
+ return;
|
|
+ }
|
|
+ return;
|
|
+}
|
|
+
|
|
static void smbd_smb1_do_locks_retry(struct tevent_req *subreq)
|
|
{
|
|
struct tevent_req *req = tevent_req_callback_data(
|
|
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
|
|
index 90387aeb6c3..5faf651b007 100644
|
|
--- a/source3/smbd/proto.h
|
|
+++ b/source3/smbd/proto.h
|
|
@@ -86,13 +86,18 @@ ssize_t pwrite_fsync_recv(struct tevent_req *req, int *perr);
|
|
|
|
/* The following definitions come from smbd/blocking.c */
|
|
|
|
-NTSTATUS smbd_do_locks_try(
|
|
- struct files_struct *fsp,
|
|
- uint16_t num_locks,
|
|
- struct smbd_lock_element *locks,
|
|
- uint16_t *blocker_idx,
|
|
- struct server_id *blocking_pid,
|
|
- uint64_t *blocking_smblctx);
|
|
+struct smbd_do_locks_state {
|
|
+ uint16_t num_locks;
|
|
+ struct smbd_lock_element *locks;
|
|
+ NTSTATUS status;
|
|
+ uint16_t blocker_idx;
|
|
+ struct server_id blocking_pid;
|
|
+ uint64_t blocking_smblctx;
|
|
+};
|
|
+
|
|
+NTSTATUS smbd_do_locks_try(struct byte_range_lock *br_lck,
|
|
+ struct smbd_do_locks_state *state);
|
|
+
|
|
struct tevent_req *smbd_smb1_do_locks_send(
|
|
TALLOC_CTX *mem_ctx,
|
|
struct tevent_context *ev,
|
|
diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c
|
|
index c9d810f71ba..14f912bf2da 100644
|
|
--- a/source3/smbd/smb2_lock.c
|
|
+++ b/source3/smbd/smb2_lock.c
|
|
@@ -569,33 +569,32 @@ static void smbd_smb2_lock_update_polling_msecs(
|
|
state->polling_msecs += v_min;
|
|
}
|
|
|
|
-static void smbd_smb2_lock_try(struct tevent_req *req)
|
|
+static void smbd_do_locks_try_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
{
|
|
+ struct tevent_req *req = talloc_get_type_abort(
|
|
+ private_data, struct tevent_req);
|
|
struct smbd_smb2_lock_state *state = tevent_req_data(
|
|
req, struct smbd_smb2_lock_state);
|
|
- struct share_mode_lock *lck = NULL;
|
|
- uint16_t blocker_idx;
|
|
- struct server_id blocking_pid = { 0 };
|
|
- uint64_t blocking_smblctx;
|
|
- NTSTATUS status;
|
|
+ struct smbd_do_locks_state brl_state;
|
|
struct tevent_req *subreq = NULL;
|
|
struct timeval endtime = { 0 };
|
|
+ NTSTATUS status;
|
|
|
|
- lck = get_existing_share_mode_lock(
|
|
- talloc_tos(), state->fsp->file_id);
|
|
- if (tevent_req_nomem(lck, req)) {
|
|
- return;
|
|
- }
|
|
+ /*
|
|
+ * The caller has checked fsp->fsp_flags.can_lock and lp_locking so
|
|
+ * br_lck has to be there!
|
|
+ */
|
|
+ SMB_ASSERT(br_lck != NULL);
|
|
|
|
- status = smbd_do_locks_try(
|
|
- state->fsp,
|
|
- state->lock_count,
|
|
- state->locks,
|
|
- &blocker_idx,
|
|
- &blocking_pid,
|
|
- &blocking_smblctx);
|
|
+ brl_state = (struct smbd_do_locks_state) {
|
|
+ .num_locks = state->lock_count,
|
|
+ .locks = state->locks,
|
|
+ };
|
|
+
|
|
+ status = smbd_do_locks_try(br_lck, &brl_state);
|
|
if (NT_STATUS_IS_OK(status)) {
|
|
- TALLOC_FREE(lck);
|
|
tevent_req_done(req);
|
|
return;
|
|
}
|
|
@@ -622,8 +621,8 @@ static void smbd_smb2_lock_try(struct tevent_req *req)
|
|
* locking.tdb may cause retries.
|
|
*/
|
|
|
|
- if (blocking_smblctx != UINT64_MAX) {
|
|
- SMB_ASSERT(blocking_smblctx == 0);
|
|
+ if (brl_state.blocking_smblctx != UINT64_MAX) {
|
|
+ SMB_ASSERT(brl_state.blocking_smblctx == 0);
|
|
goto setup_retry;
|
|
}
|
|
|
|
@@ -658,7 +657,6 @@ static void smbd_smb2_lock_try(struct tevent_req *req)
|
|
status = NT_STATUS_LOCK_NOT_GRANTED;
|
|
}
|
|
if (!NT_STATUS_EQUAL(status, NT_STATUS_LOCK_NOT_GRANTED)) {
|
|
- TALLOC_FREE(lck);
|
|
tevent_req_nterror(req, status);
|
|
return;
|
|
}
|
|
@@ -670,12 +668,11 @@ static void smbd_smb2_lock_try(struct tevent_req *req)
|
|
state->retry_msecs = 0;
|
|
|
|
if (!state->blocking) {
|
|
- TALLOC_FREE(lck);
|
|
tevent_req_nterror(req, status);
|
|
return;
|
|
}
|
|
|
|
- if (blocking_smblctx == UINT64_MAX) {
|
|
+ if (brl_state.blocking_smblctx == UINT64_MAX) {
|
|
smbd_smb2_lock_update_polling_msecs(state);
|
|
|
|
DBG_DEBUG("Blocked on a posix lock. Retry in %"PRIu32" msecs\n",
|
|
@@ -688,8 +685,7 @@ setup_retry:
|
|
DBG_DEBUG("Watching share mode lock\n");
|
|
|
|
subreq = share_mode_watch_send(
|
|
- state, state->ev, lck, blocking_pid);
|
|
- TALLOC_FREE(lck);
|
|
+ state, state->ev, lck, brl_state.blocking_pid);
|
|
if (tevent_req_nomem(subreq, req)) {
|
|
return;
|
|
}
|
|
@@ -708,6 +704,35 @@ setup_retry:
|
|
}
|
|
}
|
|
|
|
+static void smbd_smb2_lock_try(struct tevent_req *req)
|
|
+{
|
|
+ struct smbd_smb2_lock_state *state = tevent_req_data(
|
|
+ req, struct smbd_smb2_lock_state);
|
|
+ NTSTATUS status;
|
|
+
|
|
+ if (!state->fsp->fsp_flags.can_lock) {
|
|
+ if (state->fsp->fsp_flags.is_directory) {
|
|
+ tevent_req_nterror(req,
|
|
+ NT_STATUS_INVALID_DEVICE_REQUEST);
|
|
+ return;
|
|
+ }
|
|
+ tevent_req_nterror(req, NT_STATUS_INVALID_HANDLE);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (!lp_locking(state->fsp->conn->params)) {
|
|
+ return tevent_req_done(req);
|
|
+ }
|
|
+
|
|
+ status = share_mode_do_locked_brl(state->fsp,
|
|
+ smbd_do_locks_try_fn,
|
|
+ req);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ tevent_req_nterror(req, status);
|
|
+ return;
|
|
+ }
|
|
+}
|
|
+
|
|
static void smbd_smb2_lock_retry(struct tevent_req *subreq)
|
|
{
|
|
struct tevent_req *req = tevent_req_callback_data(
|
|
diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
|
|
index 2b65fb30d76..3de36a7d673 100644
|
|
--- a/source3/smbd/smb2_reply.c
|
|
+++ b/source3/smbd/smb2_reply.c
|
|
@@ -2122,23 +2122,22 @@ uint64_t get_lock_offset(const uint8_t *data, int data_offset,
|
|
return offset;
|
|
}
|
|
|
|
-struct smbd_do_unlocking_state {
|
|
- struct files_struct *fsp;
|
|
- uint16_t num_ulocks;
|
|
- struct smbd_lock_element *ulocks;
|
|
- NTSTATUS status;
|
|
-};
|
|
-
|
|
-static void smbd_do_unlocking_fn(
|
|
- struct share_mode_lock *lck,
|
|
- void *private_data)
|
|
+static void smbd_do_unlocking_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
{
|
|
- struct smbd_do_unlocking_state *state = private_data;
|
|
- struct files_struct *fsp = state->fsp;
|
|
+ struct smbd_do_locks_state *state = private_data;
|
|
+ struct files_struct *fsp = brl_fsp(br_lck);
|
|
uint16_t i;
|
|
|
|
- for (i = 0; i < state->num_ulocks; i++) {
|
|
- struct smbd_lock_element *e = &state->ulocks[i];
|
|
+ /*
|
|
+ * The caller has checked fsp->fsp_flags.can_lock and lp_locking so
|
|
+ * br_lck has to be there!
|
|
+ */
|
|
+ SMB_ASSERT(br_lck != NULL);
|
|
+
|
|
+ for (i = 0; i < state->num_locks; i++) {
|
|
+ struct smbd_lock_element *e = &state->locks[i];
|
|
|
|
DBG_DEBUG("unlock start=%"PRIu64", len=%"PRIu64" for "
|
|
"pid %"PRIu64", file %s\n",
|
|
@@ -2154,7 +2153,7 @@ static void smbd_do_unlocking_fn(
|
|
}
|
|
|
|
state->status = do_unlock(
|
|
- fsp, e->smblctx, e->count, e->offset, e->lock_flav);
|
|
+ br_lck, e->smblctx, e->count, e->offset, e->lock_flav);
|
|
|
|
DBG_DEBUG("do_unlock returned %s\n",
|
|
nt_errstr(state->status));
|
|
@@ -2172,20 +2171,30 @@ NTSTATUS smbd_do_unlocking(struct smb_request *req,
|
|
uint16_t num_ulocks,
|
|
struct smbd_lock_element *ulocks)
|
|
{
|
|
- struct smbd_do_unlocking_state state = {
|
|
- .fsp = fsp,
|
|
- .num_ulocks = num_ulocks,
|
|
- .ulocks = ulocks,
|
|
+ struct smbd_do_locks_state state = {
|
|
+ .num_locks = num_ulocks,
|
|
+ .locks = ulocks,
|
|
};
|
|
NTSTATUS status;
|
|
|
|
DBG_NOTICE("%s num_ulocks=%"PRIu16"\n", fsp_fnum_dbg(fsp), num_ulocks);
|
|
|
|
- status = share_mode_do_locked_vfs_allowed(
|
|
- fsp->file_id, smbd_do_unlocking_fn, &state);
|
|
+ if (!fsp->fsp_flags.can_lock) {
|
|
+ if (fsp->fsp_flags.is_directory) {
|
|
+ return NT_STATUS_INVALID_DEVICE_REQUEST;
|
|
+ }
|
|
+ return NT_STATUS_INVALID_HANDLE;
|
|
+ }
|
|
+
|
|
+ if (!lp_locking(fsp->conn->params)) {
|
|
+ return NT_STATUS_OK;
|
|
+ }
|
|
|
|
+ status = share_mode_do_locked_brl(fsp,
|
|
+ smbd_do_unlocking_fn,
|
|
+ &state);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- DBG_DEBUG("share_mode_do_locked_vfs_allowed failed: %s\n",
|
|
+ DBG_DEBUG("share_mode_do_locked_brl failed: %s\n",
|
|
nt_errstr(status));
|
|
return status;
|
|
}
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 45211424de82b03e187369286034b7c49136ba5f Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Wed, 8 Jan 2025 12:51:37 +0100
|
|
Subject: [PATCH 17/24] s3/brlock: remove brl_get_locks_for_locking()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 0c4c430c50e15d591a0d871a5f3e59e8be0d0a83)
|
|
---
|
|
source3/locking/brlock.c | 19 -------------------
|
|
source3/locking/proto.h | 4 ----
|
|
2 files changed, 23 deletions(-)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index 0e58339b108..b9decbc9e2a 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -1733,25 +1733,6 @@ struct byte_range_lock *brl_get_locks(TALLOC_CTX *mem_ctx, files_struct *fsp)
|
|
return br_lck;
|
|
}
|
|
|
|
-struct byte_range_lock *brl_get_locks_for_locking(TALLOC_CTX *mem_ctx,
|
|
- files_struct *fsp,
|
|
- TALLOC_CTX *req_mem_ctx,
|
|
- const struct GUID *req_guid)
|
|
-{
|
|
- struct byte_range_lock *br_lck = NULL;
|
|
-
|
|
- br_lck = brl_get_locks(mem_ctx, fsp);
|
|
- if (br_lck == NULL) {
|
|
- return NULL;
|
|
- }
|
|
- SMB_ASSERT(req_mem_ctx != NULL);
|
|
- br_lck->req_mem_ctx = req_mem_ctx;
|
|
- SMB_ASSERT(req_guid != NULL);
|
|
- br_lck->req_guid = req_guid;
|
|
-
|
|
- return br_lck;
|
|
-}
|
|
-
|
|
struct brl_get_locks_readonly_state {
|
|
TALLOC_CTX *mem_ctx;
|
|
struct byte_range_lock **br_lock;
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index e332abf34ec..44b43c1b1e2 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -83,10 +83,6 @@ int brl_forall(void (*fn)(struct file_id id, struct server_id pid,
|
|
br_off start, br_off size,
|
|
void *private_data),
|
|
void *private_data);
|
|
-struct byte_range_lock *brl_get_locks_for_locking(TALLOC_CTX *mem_ctx,
|
|
- files_struct *fsp,
|
|
- TALLOC_CTX *req_mem_ctx,
|
|
- const struct GUID *req_guid);
|
|
struct share_mode_lock;
|
|
typedef void (*share_mode_do_locked_brl_fn_t)(
|
|
struct share_mode_lock *lck,
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From ef4e89916360c8d7f2372c8508c8a79dfd995c47 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Mon, 27 Jan 2025 15:22:26 +0100
|
|
Subject: [PATCH 18/24] smbd: call locking_close_file() while still holding a
|
|
glock on the locking.tdb record
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 4d680b6c17ee7674b9686aec2b69038f89e1989a)
|
|
---
|
|
source3/smbd/close.c | 26 +++++++++++++++++++-------
|
|
1 file changed, 19 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
|
|
index 1b027a319a4..964c3530e8d 100644
|
|
--- a/source3/smbd/close.c
|
|
+++ b/source3/smbd/close.c
|
|
@@ -303,6 +303,17 @@ static void close_share_mode_lock_prepare(struct share_mode_lock *lck,
|
|
*/
|
|
*keep_locked = false;
|
|
|
|
+ if (fsp->current_lock_count > 0) {
|
|
+ /*
|
|
+ * Remove the byte-range locks under the glock
|
|
+ */
|
|
+ *keep_locked = true;
|
|
+ }
|
|
+
|
|
+ if (fh_get_refcount(fsp->fh) > 1) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
if (fsp->oplock_type != NO_OPLOCK) {
|
|
ok = remove_share_oplock(lck, fsp);
|
|
if (!ok) {
|
|
@@ -453,6 +464,12 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
|
|
return status;
|
|
}
|
|
|
|
+ locking_close_file(fsp, close_type);
|
|
+
|
|
+ if (fh_get_refcount(fsp->fh) > 1) {
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
/* Remove the oplock before potentially deleting the file. */
|
|
if (fsp->oplock_type != NO_OPLOCK) {
|
|
release_file_oplock(fsp);
|
|
@@ -890,13 +907,8 @@ static NTSTATUS close_normal_file(struct smb_request *req, files_struct *fsp,
|
|
the same handle we only have one share mode. Ensure we only remove
|
|
the share mode on the last close. */
|
|
|
|
- if (fh_get_refcount(fsp->fh) == 1) {
|
|
- /* Should we return on error here... ? */
|
|
- tmp = close_remove_share_mode(fsp, close_type);
|
|
- status = ntstatus_keeperror(status, tmp);
|
|
- }
|
|
-
|
|
- locking_close_file(fsp, close_type);
|
|
+ tmp = close_remove_share_mode(fsp, close_type);
|
|
+ status = ntstatus_keeperror(status, tmp);
|
|
|
|
/*
|
|
* Ensure pending modtime is set before closing underlying fd.
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 96d3bacbd967b355c91bc1d9e583edb1cdd3bd19 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Thu, 30 Jan 2025 17:35:26 +0100
|
|
Subject: [PATCH 19/24] s3/locking: prepare brl_locktest() for upgradable
|
|
read-only locks
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 8f9387ceb5c94c7db92ab342e33c64b858c301b1)
|
|
---
|
|
source3/locking/brlock.c | 5 +++--
|
|
source3/locking/locking.c | 4 ++--
|
|
source3/locking/proto.h | 3 ++-
|
|
3 files changed, 7 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index b9decbc9e2a..92621c41577 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -1192,7 +1192,8 @@ bool brl_unlock(struct byte_range_lock *br_lck,
|
|
****************************************************************************/
|
|
|
|
bool brl_locktest(struct byte_range_lock *br_lck,
|
|
- const struct lock_struct *rw_probe)
|
|
+ const struct lock_struct *rw_probe,
|
|
+ bool upgradable)
|
|
{
|
|
bool ret = True;
|
|
unsigned int i;
|
|
@@ -1205,7 +1206,7 @@ bool brl_locktest(struct byte_range_lock *br_lck,
|
|
* Our own locks don't conflict.
|
|
*/
|
|
if (brl_conflict_other(&locks[i], rw_probe)) {
|
|
- if (br_lck->record == NULL) {
|
|
+ if (!upgradable) {
|
|
/* readonly */
|
|
return false;
|
|
}
|
|
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
|
|
index ffb89378cb5..993d3a96591 100644
|
|
--- a/source3/locking/locking.c
|
|
+++ b/source3/locking/locking.c
|
|
@@ -145,7 +145,7 @@ bool strict_lock_check_default(files_struct *fsp, struct lock_struct *plock)
|
|
if (!br_lck) {
|
|
return true;
|
|
}
|
|
- ret = brl_locktest(br_lck, plock);
|
|
+ ret = brl_locktest(br_lck, plock, false);
|
|
|
|
if (!ret) {
|
|
/*
|
|
@@ -156,7 +156,7 @@ bool strict_lock_check_default(files_struct *fsp, struct lock_struct *plock)
|
|
if (br_lck == NULL) {
|
|
return true;
|
|
}
|
|
- ret = brl_locktest(br_lck, plock);
|
|
+ ret = brl_locktest(br_lck, plock, true);
|
|
TALLOC_FREE(br_lck);
|
|
}
|
|
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index 44b43c1b1e2..44808171f1a 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -66,7 +66,8 @@ bool brl_unlock(struct byte_range_lock *br_lck,
|
|
bool brl_unlock_windows_default(struct byte_range_lock *br_lck,
|
|
const struct lock_struct *plock);
|
|
bool brl_locktest(struct byte_range_lock *br_lck,
|
|
- const struct lock_struct *rw_probe);
|
|
+ const struct lock_struct *rw_probe,
|
|
+ bool upgradable);
|
|
NTSTATUS brl_lockquery(struct byte_range_lock *br_lck,
|
|
uint64_t *psmblctx,
|
|
struct server_id pid,
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From b88988bcc9ce1fa0b8152e0eb89cb496f675fbc1 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Wed, 2 Apr 2025 12:43:15 +0200
|
|
Subject: [PATCH 20/24] smbd: check can_lock in strict_lock_check_default()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 678f28c1af7c160ffdcb0e4baa0a7d4b9906f2e5)
|
|
---
|
|
source3/locking/locking.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
|
|
index 993d3a96591..ce2ccaccd11 100644
|
|
--- a/source3/locking/locking.c
|
|
+++ b/source3/locking/locking.c
|
|
@@ -117,7 +117,10 @@ bool strict_lock_check_default(files_struct *fsp, struct lock_struct *plock)
|
|
return True;
|
|
}
|
|
|
|
- if (!lp_locking(fsp->conn->params) || !strict_locking) {
|
|
+ if (!lp_locking(fsp->conn->params) ||
|
|
+ !strict_locking ||
|
|
+ !fsp->fsp_flags.can_lock)
|
|
+ {
|
|
return True;
|
|
}
|
|
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From e5d8f12b8ecfcd52ec8dc32147b1f2c6d8115c37 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Thu, 30 Jan 2025 07:40:32 +0100
|
|
Subject: [PATCH 21/24] smbd: use share_mode_do_locked_brl() in
|
|
strict_lock_check_default()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 56bb20c87a733ab8f7efedd881ea0ecaf51b2ba8)
|
|
---
|
|
source3/locking/locking.c | 43 +++++++++++++++++++++++++++++++++------
|
|
1 file changed, 37 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
|
|
index ce2ccaccd11..ddaa5405f02 100644
|
|
--- a/source3/locking/locking.c
|
|
+++ b/source3/locking/locking.c
|
|
@@ -107,10 +107,32 @@ void init_strict_lock_struct(files_struct *fsp,
|
|
};
|
|
}
|
|
|
|
+struct strict_lock_check_state {
|
|
+ bool ret;
|
|
+ files_struct *fsp;
|
|
+ struct lock_struct *plock;
|
|
+};
|
|
+
|
|
+static void strict_lock_check_default_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
+{
|
|
+ struct strict_lock_check_state *state = private_data;
|
|
+
|
|
+ /*
|
|
+ * The caller has checked fsp->fsp_flags.can_lock and lp_locking so
|
|
+ * br_lck has to be there!
|
|
+ */
|
|
+ SMB_ASSERT(br_lck != NULL);
|
|
+
|
|
+ state->ret = brl_locktest(br_lck, state->plock, true);
|
|
+}
|
|
+
|
|
bool strict_lock_check_default(files_struct *fsp, struct lock_struct *plock)
|
|
{
|
|
struct byte_range_lock *br_lck;
|
|
int strict_locking = lp_strict_locking(fsp->conn->params);
|
|
+ NTSTATUS status;
|
|
bool ret = False;
|
|
|
|
if (plock->size == 0) {
|
|
@@ -149,18 +171,27 @@ bool strict_lock_check_default(files_struct *fsp, struct lock_struct *plock)
|
|
return true;
|
|
}
|
|
ret = brl_locktest(br_lck, plock, false);
|
|
-
|
|
if (!ret) {
|
|
/*
|
|
* We got a lock conflict. Retry with rw locks to enable
|
|
* autocleanup. This is the slow path anyway.
|
|
*/
|
|
- br_lck = brl_get_locks(talloc_tos(), fsp);
|
|
- if (br_lck == NULL) {
|
|
- return true;
|
|
+
|
|
+ struct strict_lock_check_state state =
|
|
+ (struct strict_lock_check_state) {
|
|
+ .fsp = fsp,
|
|
+ .plock = plock,
|
|
+ };
|
|
+
|
|
+ status = share_mode_do_locked_brl(fsp,
|
|
+ strict_lock_check_default_fn,
|
|
+ &state);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("share_mode_do_locked_brl [%s] failed: %s\n",
|
|
+ fsp_str_dbg(fsp), nt_errstr(status));
|
|
+ state.ret = false;
|
|
}
|
|
- ret = brl_locktest(br_lck, plock, true);
|
|
- TALLOC_FREE(br_lck);
|
|
+ ret = state.ret;
|
|
}
|
|
|
|
DBG_DEBUG("flavour = %s brl start=%" PRIu64 " "
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From c26eded8448722126d73f3113da6b27378185475 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Tue, 28 Jan 2025 11:19:05 +0100
|
|
Subject: [PATCH 22/24] smbd: use share_mode_do_locked_brl() in
|
|
vfs_default_durable_disconnect()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(backported from commit 393379fc9c726eb781fd1bfb3a70ea2802739aff)
|
|
[slow@samba.org: conflict due to removed delayed write time handling]
|
|
---
|
|
source3/locking/brlock.c | 14 +----
|
|
source3/locking/proto.h | 9 ++-
|
|
source3/smbd/durable.c | 117 ++++++++++++++++++++++++---------------
|
|
3 files changed, 82 insertions(+), 58 deletions(-)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index 92621c41577..4dcae87691b 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -1368,14 +1368,14 @@ void brl_close_fnum(struct byte_range_lock *br_lck)
|
|
}
|
|
}
|
|
|
|
-bool brl_mark_disconnected(struct files_struct *fsp)
|
|
+bool brl_mark_disconnected(struct files_struct *fsp,
|
|
+ struct byte_range_lock *br_lck)
|
|
{
|
|
uint32_t tid = fsp->conn->cnum;
|
|
uint64_t smblctx;
|
|
uint64_t fnum = fsp->fnum;
|
|
unsigned int i;
|
|
struct server_id self = messaging_server_id(fsp->conn->sconn->msg_ctx);
|
|
- struct byte_range_lock *br_lck = NULL;
|
|
|
|
if (fsp->op == NULL) {
|
|
return false;
|
|
@@ -1391,11 +1391,6 @@ bool brl_mark_disconnected(struct files_struct *fsp)
|
|
return true;
|
|
}
|
|
|
|
- br_lck = brl_get_locks(talloc_tos(), fsp);
|
|
- if (br_lck == NULL) {
|
|
- return false;
|
|
- }
|
|
-
|
|
for (i=0; i < br_lck->num_locks; i++) {
|
|
struct lock_struct *lock = &br_lck->lock_data[i];
|
|
|
|
@@ -1405,22 +1400,18 @@ bool brl_mark_disconnected(struct files_struct *fsp)
|
|
*/
|
|
|
|
if (lock->context.smblctx != smblctx) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (lock->context.tid != tid) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (!server_id_equal(&lock->context.pid, &self)) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (lock->fnum != fnum) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
@@ -1430,7 +1421,6 @@ bool brl_mark_disconnected(struct files_struct *fsp)
|
|
}
|
|
|
|
br_lck->modified = true;
|
|
- TALLOC_FREE(br_lck);
|
|
return true;
|
|
}
|
|
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index 44808171f1a..d3b4e02bc26 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -75,7 +75,14 @@ NTSTATUS brl_lockquery(struct byte_range_lock *br_lck,
|
|
br_off *psize,
|
|
enum brl_type *plock_type,
|
|
enum brl_flavour lock_flav);
|
|
-bool brl_mark_disconnected(struct files_struct *fsp);
|
|
+
|
|
+struct brl_connectstate {
|
|
+ bool ok;
|
|
+ struct files_struct *fsp;
|
|
+};
|
|
+
|
|
+bool brl_mark_disconnected(struct files_struct *fsp,
|
|
+ struct byte_range_lock *br_lck);
|
|
bool brl_reconnect_disconnected(struct files_struct *fsp);
|
|
void brl_close_fnum(struct byte_range_lock *br_lck);
|
|
int brl_forall(void (*fn)(struct file_id id, struct server_id pid,
|
|
diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
|
|
index bd0c9f58e24..d315cb21ccc 100644
|
|
--- a/source3/smbd/durable.c
|
|
+++ b/source3/smbd/durable.c
|
|
@@ -133,6 +133,63 @@ NTSTATUS vfs_default_durable_cookie(struct files_struct *fsp,
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
+struct durable_disconnect_state {
|
|
+ NTSTATUS status;
|
|
+ struct files_struct *fsp;
|
|
+};
|
|
+
|
|
+static void default_durable_disconnect_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
+{
|
|
+ struct durable_disconnect_state *state = private_data;
|
|
+ struct files_struct *fsp = state->fsp;
|
|
+ struct smb_file_time ft;
|
|
+ bool ok;
|
|
+
|
|
+ /* Ensure any pending write time updates are done. */
|
|
+ if (fsp->update_write_time_event) {
|
|
+ fsp_flush_write_time_update(fsp);
|
|
+ }
|
|
+
|
|
+
|
|
+ init_smb_file_time(&ft);
|
|
+
|
|
+ if (fsp->fsp_flags.write_time_forced) {
|
|
+ NTTIME mtime = share_mode_changed_write_time(lck);
|
|
+ ft.mtime = nt_time_to_full_timespec(mtime);
|
|
+ } else if (fsp->fsp_flags.update_write_time_on_close) {
|
|
+ if (is_omit_timespec(&fsp->close_write_time)) {
|
|
+ ft.mtime = timespec_current();
|
|
+ } else {
|
|
+ ft.mtime = fsp->close_write_time;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!is_omit_timespec(&ft.mtime)) {
|
|
+ round_timespec(fsp->conn->ts_res, &ft.mtime);
|
|
+ file_ntimes(fsp->conn, fsp, &ft);
|
|
+ }
|
|
+
|
|
+ ok = mark_share_mode_disconnected(lck, fsp);
|
|
+ if (!ok) {
|
|
+ state->status = NT_STATUS_UNSUCCESSFUL;
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (br_lck == NULL) {
|
|
+ state->status = NT_STATUS_OK;
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ ok = brl_mark_disconnected(fsp, br_lck);
|
|
+ if (!ok) {
|
|
+ state->status = NT_STATUS_UNSUCCESSFUL;
|
|
+ return;
|
|
+ }
|
|
+ state->status = NT_STATUS_OK;
|
|
+}
|
|
+
|
|
NTSTATUS vfs_default_durable_disconnect(struct files_struct *fsp,
|
|
const DATA_BLOB old_cookie,
|
|
TALLOC_CTX *mem_ctx,
|
|
@@ -143,8 +200,7 @@ NTSTATUS vfs_default_durable_disconnect(struct files_struct *fsp,
|
|
enum ndr_err_code ndr_err;
|
|
struct vfs_default_durable_cookie cookie;
|
|
DATA_BLOB new_cookie_blob = data_blob_null;
|
|
- struct share_mode_lock *lck;
|
|
- bool ok;
|
|
+ struct durable_disconnect_state state;
|
|
|
|
*new_cookie = data_blob_null;
|
|
|
|
@@ -198,52 +254,23 @@ NTSTATUS vfs_default_durable_disconnect(struct files_struct *fsp,
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
- /* Ensure any pending write time updates are done. */
|
|
- if (fsp->update_write_time_event) {
|
|
- fsp_flush_write_time_update(fsp);
|
|
- }
|
|
+ state = (struct durable_disconnect_state) {
|
|
+ .fsp = fsp,
|
|
+ };
|
|
|
|
- /*
|
|
- * The above checks are done in mark_share_mode_disconnected() too
|
|
- * but we want to avoid getting the lock if possible
|
|
- */
|
|
- lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
|
|
- if (lck != NULL) {
|
|
- struct smb_file_time ft;
|
|
-
|
|
- init_smb_file_time(&ft);
|
|
-
|
|
- if (fsp->fsp_flags.write_time_forced) {
|
|
- NTTIME mtime = share_mode_changed_write_time(lck);
|
|
- ft.mtime = nt_time_to_full_timespec(mtime);
|
|
- } else if (fsp->fsp_flags.update_write_time_on_close) {
|
|
- if (is_omit_timespec(&fsp->close_write_time)) {
|
|
- ft.mtime = timespec_current();
|
|
- } else {
|
|
- ft.mtime = fsp->close_write_time;
|
|
- }
|
|
- }
|
|
-
|
|
- if (!is_omit_timespec(&ft.mtime)) {
|
|
- round_timespec(conn->ts_res, &ft.mtime);
|
|
- file_ntimes(conn, fsp, &ft);
|
|
- }
|
|
-
|
|
- ok = mark_share_mode_disconnected(lck, fsp);
|
|
- if (!ok) {
|
|
- TALLOC_FREE(lck);
|
|
- }
|
|
- }
|
|
- if (lck != NULL) {
|
|
- ok = brl_mark_disconnected(fsp);
|
|
- if (!ok) {
|
|
- TALLOC_FREE(lck);
|
|
- }
|
|
+ status = share_mode_do_locked_brl(fsp,
|
|
+ default_durable_disconnect_fn,
|
|
+ &state);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("share_mode_do_locked_brl [%s] failed: %s\n",
|
|
+ fsp_str_dbg(fsp), nt_errstr(status));
|
|
+ return status;
|
|
}
|
|
- if (lck == NULL) {
|
|
- return NT_STATUS_NOT_SUPPORTED;
|
|
+ if (!NT_STATUS_IS_OK(state.status)) {
|
|
+ DBG_ERR("default_durable_disconnect_fn [%s] failed: %s\n",
|
|
+ fsp_str_dbg(fsp), nt_errstr(state.status));
|
|
+ return state.status;
|
|
}
|
|
- TALLOC_FREE(lck);
|
|
|
|
status = vfs_stat_fsp(fsp);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 33afc50416b09f2c025975fd7a98686f046005ae Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Wed, 2 Apr 2025 14:52:03 +0200
|
|
Subject: [PATCH 23/24] smbd: use share_mode_do_locked_brl() in
|
|
vfs_default_durable_reconnect()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(backported from commit dc03a06ffcc79d0818ae4a36fe3f2df705144138)
|
|
[slow@samba.org: conflict due to removed delayed write time handling]
|
|
[slow@samba.org: conflict due to filename_convert_dirfsp_rel()]
|
|
---
|
|
source3/locking/brlock.c | 15 +-
|
|
source3/locking/proto.h | 3 +-
|
|
source3/smbd/durable.c | 439 ++++++++++++++++++++-------------------
|
|
3 files changed, 234 insertions(+), 223 deletions(-)
|
|
|
|
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
|
|
index 4dcae87691b..edc5c34ebc3 100644
|
|
--- a/source3/locking/brlock.c
|
|
+++ b/source3/locking/brlock.c
|
|
@@ -1424,14 +1424,14 @@ bool brl_mark_disconnected(struct files_struct *fsp,
|
|
return true;
|
|
}
|
|
|
|
-bool brl_reconnect_disconnected(struct files_struct *fsp)
|
|
+bool brl_reconnect_disconnected(struct files_struct *fsp,
|
|
+ struct byte_range_lock *br_lck)
|
|
{
|
|
uint32_t tid = fsp->conn->cnum;
|
|
uint64_t smblctx;
|
|
uint64_t fnum = fsp->fnum;
|
|
unsigned int i;
|
|
struct server_id self = messaging_server_id(fsp->conn->sconn->msg_ctx);
|
|
- struct byte_range_lock *br_lck = NULL;
|
|
|
|
if (fsp->op == NULL) {
|
|
return false;
|
|
@@ -1449,13 +1449,7 @@ bool brl_reconnect_disconnected(struct files_struct *fsp)
|
|
* them instead.
|
|
*/
|
|
|
|
- br_lck = brl_get_locks(talloc_tos(), fsp);
|
|
- if (br_lck == NULL) {
|
|
- return false;
|
|
- }
|
|
-
|
|
if (br_lck->num_locks == 0) {
|
|
- TALLOC_FREE(br_lck);
|
|
return true;
|
|
}
|
|
|
|
@@ -1468,22 +1462,18 @@ bool brl_reconnect_disconnected(struct files_struct *fsp)
|
|
*/
|
|
|
|
if (lock->context.smblctx != smblctx) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (lock->context.tid != TID_FIELD_INVALID) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (!server_id_is_disconnected(&lock->context.pid)) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
if (lock->fnum != FNUM_FIELD_INVALID) {
|
|
- TALLOC_FREE(br_lck);
|
|
return false;
|
|
}
|
|
|
|
@@ -1494,7 +1484,6 @@ bool brl_reconnect_disconnected(struct files_struct *fsp)
|
|
|
|
fsp->current_lock_count = br_lck->num_locks;
|
|
br_lck->modified = true;
|
|
- TALLOC_FREE(br_lck);
|
|
return true;
|
|
}
|
|
|
|
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
|
|
index d3b4e02bc26..37d382833fc 100644
|
|
--- a/source3/locking/proto.h
|
|
+++ b/source3/locking/proto.h
|
|
@@ -83,7 +83,8 @@ struct brl_connectstate {
|
|
|
|
bool brl_mark_disconnected(struct files_struct *fsp,
|
|
struct byte_range_lock *br_lck);
|
|
-bool brl_reconnect_disconnected(struct files_struct *fsp);
|
|
+bool brl_reconnect_disconnected(struct files_struct *fsp,
|
|
+ struct byte_range_lock *br_lck);
|
|
void brl_close_fnum(struct byte_range_lock *br_lck);
|
|
int brl_forall(void (*fn)(struct file_id id, struct server_id pid,
|
|
enum brl_type lock_type,
|
|
diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
|
|
index d315cb21ccc..82777d3b81b 100644
|
|
--- a/source3/smbd/durable.c
|
|
+++ b/source3/smbd/durable.c
|
|
@@ -563,121 +563,42 @@ static bool durable_reconnect_fn(
|
|
return false; /* Look at potential other entries */
|
|
}
|
|
|
|
-NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
- struct smb_request *smb1req,
|
|
- struct smbXsrv_open *op,
|
|
- const DATA_BLOB old_cookie,
|
|
- TALLOC_CTX *mem_ctx,
|
|
- files_struct **result,
|
|
- DATA_BLOB *new_cookie)
|
|
+struct vfs_default_durable_reconnect_state {
|
|
+ NTSTATUS status;
|
|
+ TALLOC_CTX *mem_ctx;
|
|
+ struct smb_request *smb1req;
|
|
+ struct smbXsrv_open *op;
|
|
+ struct vfs_default_durable_cookie cookie;
|
|
+ struct files_struct *fsp;
|
|
+ DATA_BLOB new_cookie_blob;
|
|
+};
|
|
+
|
|
+static void vfs_default_durable_reconnect_fn(struct share_mode_lock *lck,
|
|
+ struct byte_range_lock *br_lck,
|
|
+ void *private_data)
|
|
{
|
|
+ struct vfs_default_durable_reconnect_state *state = private_data;
|
|
const struct loadparm_substitution *lp_sub =
|
|
loadparm_s3_global_substitution();
|
|
- struct share_mode_lock *lck;
|
|
+ struct files_struct *fsp = state->fsp;
|
|
struct share_mode_entry e = { .pid = { .pid = 0, }};
|
|
- struct durable_reconnect_state rstate = { .op = op, .e = &e, };
|
|
- struct files_struct *fsp = NULL;
|
|
- NTSTATUS status;
|
|
- bool ok;
|
|
- int ret;
|
|
+ struct durable_reconnect_state rstate = { .op = state->op, .e = &e, };
|
|
struct vfs_open_how how = { .flags = 0, };
|
|
struct file_id file_id;
|
|
- struct smb_filename *smb_fname = NULL;
|
|
- enum ndr_err_code ndr_err;
|
|
- struct vfs_default_durable_cookie cookie;
|
|
- DATA_BLOB new_cookie_blob = data_blob_null;
|
|
bool have_share_mode_entry = false;
|
|
-
|
|
- *result = NULL;
|
|
- *new_cookie = data_blob_null;
|
|
-
|
|
- if (!lp_durable_handles(SNUM(conn))) {
|
|
- return NT_STATUS_NOT_SUPPORTED;
|
|
- }
|
|
-
|
|
- /*
|
|
- * the checks for kernel oplocks
|
|
- * and similar things are done
|
|
- * in the vfs_default_durable_cookie()
|
|
- * call below.
|
|
- */
|
|
-
|
|
- ndr_err = ndr_pull_struct_blob_all(
|
|
- &old_cookie,
|
|
- talloc_tos(),
|
|
- &cookie,
|
|
- (ndr_pull_flags_fn_t)ndr_pull_vfs_default_durable_cookie);
|
|
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
- status = ndr_map_error2ntstatus(ndr_err);
|
|
- return status;
|
|
- }
|
|
-
|
|
- if (strcmp(cookie.magic, VFS_DEFAULT_DURABLE_COOKIE_MAGIC) != 0) {
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
- }
|
|
-
|
|
- if (cookie.version != VFS_DEFAULT_DURABLE_COOKIE_VERSION) {
|
|
- return NT_STATUS_INVALID_PARAMETER;
|
|
- }
|
|
-
|
|
- if (!cookie.allow_reconnect) {
|
|
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- }
|
|
-
|
|
- if (strcmp(cookie.servicepath, conn->connectpath) != 0) {
|
|
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- }
|
|
-
|
|
- /* Create an smb_filename with stream_name == NULL. */
|
|
- smb_fname = synthetic_smb_fname(talloc_tos(),
|
|
- cookie.base_name,
|
|
- NULL,
|
|
- NULL,
|
|
- 0,
|
|
- 0);
|
|
- if (smb_fname == NULL) {
|
|
- return NT_STATUS_NO_MEMORY;
|
|
- }
|
|
-
|
|
- ret = SMB_VFS_LSTAT(conn, smb_fname);
|
|
- if (ret == -1) {
|
|
- status = map_nt_error_from_unix_common(errno);
|
|
- DEBUG(1, ("Unable to lstat stream: %s => %s\n",
|
|
- smb_fname_str_dbg(smb_fname),
|
|
- nt_errstr(status)));
|
|
- return status;
|
|
- }
|
|
-
|
|
- if (!S_ISREG(smb_fname->st.st_ex_mode)) {
|
|
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- }
|
|
-
|
|
- file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
|
|
- if (!file_id_equal(&cookie.id, &file_id)) {
|
|
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- }
|
|
-
|
|
- /*
|
|
- * 1. check entry in locking.tdb
|
|
- */
|
|
-
|
|
- lck = get_existing_share_mode_lock(mem_ctx, file_id);
|
|
- if (lck == NULL) {
|
|
- DEBUG(5, ("vfs_default_durable_reconnect: share-mode lock "
|
|
- "not obtained from db\n"));
|
|
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- }
|
|
+ int ret;
|
|
+ bool ok;
|
|
|
|
ok = share_mode_forall_entries(lck, durable_reconnect_fn, &rstate);
|
|
if (!ok) {
|
|
DBG_WARNING("share_mode_forall_entries failed\n");
|
|
- status = NT_STATUS_INTERNAL_DB_ERROR;
|
|
+ state->status = NT_STATUS_INTERNAL_DB_ERROR;
|
|
goto fail;
|
|
}
|
|
|
|
if (e.pid.pid == 0) {
|
|
DBG_WARNING("Did not find a unique valid share mode entry\n");
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
@@ -685,69 +606,36 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
DEBUG(5, ("vfs_default_durable_reconnect: denying durable "
|
|
"reconnect for handle that was not marked "
|
|
"disconnected (e.g. smbd or cluster node died)\n"));
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
- if (e.share_file_id != op->global->open_persistent_id) {
|
|
+ if (e.share_file_id != state->op->global->open_persistent_id) {
|
|
DBG_INFO("denying durable "
|
|
"share_file_id changed %"PRIu64" != %"PRIu64" "
|
|
"(e.g. another client had opened the file)\n",
|
|
e.share_file_id,
|
|
- op->global->open_persistent_id);
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->op->global->open_persistent_id);
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
if ((e.access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) &&
|
|
- !CAN_WRITE(conn))
|
|
+ !CAN_WRITE(fsp->conn))
|
|
{
|
|
DEBUG(5, ("vfs_default_durable_reconnect: denying durable "
|
|
"share[%s] is not writeable anymore\n",
|
|
- lp_servicename(talloc_tos(), lp_sub, SNUM(conn))));
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
- goto fail;
|
|
- }
|
|
-
|
|
- /*
|
|
- * 2. proceed with opening file
|
|
- */
|
|
-
|
|
- status = fsp_new(conn, conn, &fsp);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DEBUG(0, ("vfs_default_durable_reconnect: failed to create "
|
|
- "new fsp: %s\n", nt_errstr(status)));
|
|
+ lp_servicename(talloc_tos(), lp_sub, SNUM(fsp->conn))));
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
fh_set_private_options(fsp->fh, e.private_options);
|
|
- fsp->file_id = file_id;
|
|
- fsp->file_pid = smb1req->smbpid;
|
|
- fsp->vuid = smb1req->vuid;
|
|
fsp->open_time = e.time;
|
|
fsp->access_mask = e.access_mask;
|
|
fsp->fsp_flags.can_read = ((fsp->access_mask & FILE_READ_DATA) != 0);
|
|
fsp->fsp_flags.can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
|
|
- fsp->fnum = op->local_id;
|
|
- fsp_set_gen_id(fsp);
|
|
|
|
- /*
|
|
- * TODO:
|
|
- * Do we need to store the modified flag in the DB?
|
|
- */
|
|
- fsp->fsp_flags.modified = false;
|
|
- /*
|
|
- * no durables for directories
|
|
- */
|
|
- fsp->fsp_flags.is_directory = false;
|
|
- /*
|
|
- * For normal files, can_lock == !is_directory
|
|
- */
|
|
- fsp->fsp_flags.can_lock = true;
|
|
- /*
|
|
- * We do not support aio write behind for smb2
|
|
- */
|
|
- fsp->fsp_flags.aio_write_behind = false;
|
|
fsp->oplock_type = e.op_type;
|
|
|
|
if (fsp->oplock_type == LEASE_OPLOCK) {
|
|
@@ -760,21 +648,21 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
*/
|
|
if (!GUID_equal(fsp_client_guid(fsp),
|
|
&e.client_guid)) {
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
- status = leases_db_get(
|
|
+ state->status = leases_db_get(
|
|
&e.client_guid,
|
|
&e.lease_key,
|
|
- &file_id,
|
|
+ &fsp->file_id,
|
|
¤t_state, /* current_state */
|
|
NULL, /* breaking */
|
|
NULL, /* breaking_to_requested */
|
|
NULL, /* breaking_to_required */
|
|
&lease_version, /* lease_version */
|
|
&epoch); /* epoch */
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
+ if (!NT_STATUS_IS_OK(state->status)) {
|
|
goto fail;
|
|
}
|
|
|
|
@@ -785,53 +673,46 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
lease_version,
|
|
epoch);
|
|
if (fsp->lease == NULL) {
|
|
- status = NT_STATUS_NO_MEMORY;
|
|
+ state->status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
- fsp->initial_allocation_size = cookie.initial_allocation_size;
|
|
- fh_set_position_information(fsp->fh, cookie.position_information);
|
|
+ fsp->initial_allocation_size = state->cookie.initial_allocation_size;
|
|
+ fh_set_position_information(fsp->fh, state->cookie.position_information);
|
|
fsp->fsp_flags.update_write_time_triggered =
|
|
- cookie.update_write_time_triggered;
|
|
+ state->cookie.update_write_time_triggered;
|
|
fsp->fsp_flags.update_write_time_on_close =
|
|
- cookie.update_write_time_on_close;
|
|
- fsp->fsp_flags.write_time_forced = cookie.write_time_forced;
|
|
+ state->cookie.update_write_time_on_close;
|
|
+ fsp->fsp_flags.write_time_forced = state->cookie.write_time_forced;
|
|
fsp->close_write_time = nt_time_to_full_timespec(
|
|
- cookie.close_write_time);
|
|
+ state->cookie.close_write_time);
|
|
|
|
- status = fsp_set_smb_fname(fsp, smb_fname);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DEBUG(0, ("vfs_default_durable_reconnect: "
|
|
- "fsp_set_smb_fname failed: %s\n",
|
|
- nt_errstr(status)));
|
|
- goto fail;
|
|
- }
|
|
-
|
|
- op->compat = fsp;
|
|
- fsp->op = op;
|
|
+ state->op->compat = fsp;
|
|
+ fsp->op = state->op;
|
|
|
|
ok = reset_share_mode_entry(
|
|
lck,
|
|
e.pid,
|
|
e.share_file_id,
|
|
- messaging_server_id(conn->sconn->msg_ctx),
|
|
- smb1req->mid,
|
|
+ messaging_server_id(fsp->conn->sconn->msg_ctx),
|
|
+ state->smb1req->mid,
|
|
fh_get_gen_id(fsp->fh));
|
|
if (!ok) {
|
|
DBG_DEBUG("Could not set new share_mode_entry values\n");
|
|
- status = NT_STATUS_INTERNAL_ERROR;
|
|
+ state->status = NT_STATUS_INTERNAL_ERROR;
|
|
goto fail;
|
|
}
|
|
have_share_mode_entry = true;
|
|
|
|
- ok = brl_reconnect_disconnected(fsp);
|
|
- if (!ok) {
|
|
- status = NT_STATUS_INTERNAL_ERROR;
|
|
- DEBUG(1, ("vfs_default_durable_reconnect: "
|
|
- "failed to reopen brlocks: %s\n",
|
|
- nt_errstr(status)));
|
|
- goto fail;
|
|
+ if (br_lck != NULL) {
|
|
+ ok = brl_reconnect_disconnected(fsp, br_lck);
|
|
+ if (!ok) {
|
|
+ state->status = NT_STATUS_INTERNAL_ERROR;
|
|
+ DBG_ERR("failed to reopen brlocks: %s\n",
|
|
+ nt_errstr(state->status));
|
|
+ goto fail;
|
|
+ }
|
|
}
|
|
|
|
/*
|
|
@@ -845,10 +726,9 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
how.flags = O_RDONLY;
|
|
}
|
|
|
|
- status = fd_openat(conn->cwd_fsp, fsp->fsp_name, fsp, &how);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DEBUG(1, ("vfs_default_durable_reconnect: failed to open "
|
|
- "file: %s\n", nt_errstr(status)));
|
|
+ state->status = fd_openat(fsp->conn->cwd_fsp, fsp->fsp_name, fsp, &how);
|
|
+ if (!NT_STATUS_IS_OK(state->status)) {
|
|
+ DBG_ERR("failed to open file: %s\n", nt_errstr(state->status));
|
|
goto fail;
|
|
}
|
|
|
|
@@ -863,70 +743,66 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
|
|
ret = SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st);
|
|
if (ret == -1) {
|
|
- status = map_nt_error_from_unix_common(errno);
|
|
- DEBUG(1, ("Unable to fstat stream: %s => %s\n",
|
|
- smb_fname_str_dbg(smb_fname),
|
|
- nt_errstr(status)));
|
|
+ state->status = map_nt_error_from_unix_common(errno);
|
|
+ DBG_ERR("Unable to fstat stream: %s => %s\n",
|
|
+ fsp_str_dbg(fsp),
|
|
+ nt_errstr(state->status));
|
|
goto fail;
|
|
}
|
|
|
|
if (!S_ISREG(fsp->fsp_name->st.st_ex_mode)) {
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
- file_id = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st);
|
|
- if (!file_id_equal(&cookie.id, &file_id)) {
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ file_id = vfs_file_id_from_sbuf(fsp->conn, &fsp->fsp_name->st);
|
|
+ if (!file_id_equal(&state->cookie.id, &file_id)) {
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
(void)fdos_mode(fsp);
|
|
|
|
- ok = vfs_default_durable_reconnect_check_stat(&cookie.stat_info,
|
|
+ ok = vfs_default_durable_reconnect_check_stat(&state->cookie.stat_info,
|
|
&fsp->fsp_name->st,
|
|
fsp_str_dbg(fsp));
|
|
if (!ok) {
|
|
- status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ state->status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
goto fail;
|
|
}
|
|
|
|
- status = set_file_oplock(fsp);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
+ state->status = set_file_oplock(fsp);
|
|
+ if (!NT_STATUS_IS_OK(state->status)) {
|
|
goto fail;
|
|
}
|
|
|
|
- status = vfs_default_durable_cookie(fsp, mem_ctx, &new_cookie_blob);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DEBUG(1, ("vfs_default_durable_reconnect: "
|
|
- "vfs_default_durable_cookie - %s\n",
|
|
- nt_errstr(status)));
|
|
+ state->status = vfs_default_durable_cookie(fsp,
|
|
+ state->mem_ctx,
|
|
+ &state->new_cookie_blob);
|
|
+ if (!NT_STATUS_IS_OK(state->status)) {
|
|
+ DBG_ERR("vfs_default_durable_cookie - %s\n",
|
|
+ nt_errstr(state->status));
|
|
goto fail;
|
|
}
|
|
|
|
- smb1req->chain_fsp = fsp;
|
|
- smb1req->smb2req->compat_chain_fsp = fsp;
|
|
-
|
|
- DEBUG(10, ("vfs_default_durable_reconnect: opened file '%s'\n",
|
|
- fsp_str_dbg(fsp)));
|
|
+ state->smb1req->chain_fsp = fsp;
|
|
+ state->smb1req->smb2req->compat_chain_fsp = fsp;
|
|
|
|
- TALLOC_FREE(lck);
|
|
+ DBG_DEBUG("opened file '%s'\n", fsp_str_dbg(fsp));
|
|
|
|
fsp->fsp_flags.is_fsa = true;
|
|
|
|
- *result = fsp;
|
|
- *new_cookie = new_cookie_blob;
|
|
-
|
|
- return NT_STATUS_OK;
|
|
+ state->status = NT_STATUS_OK;
|
|
+ return;
|
|
|
|
fail:
|
|
- if (fsp != NULL && have_share_mode_entry) {
|
|
+ if (have_share_mode_entry) {
|
|
/*
|
|
* Something is screwed up, delete the sharemode entry.
|
|
*/
|
|
del_share_mode(lck, fsp);
|
|
}
|
|
- if (fsp != NULL && fsp_get_pathref_fd(fsp) != -1) {
|
|
+ if (fsp_get_pathref_fd(fsp) != -1) {
|
|
NTSTATUS close_status;
|
|
close_status = fd_close(fsp);
|
|
if (!NT_STATUS_IS_OK(close_status)) {
|
|
@@ -934,11 +810,156 @@ fail:
|
|
nt_errstr(close_status));
|
|
}
|
|
}
|
|
- TALLOC_FREE(lck);
|
|
- if (fsp != NULL) {
|
|
- op->compat = NULL;
|
|
- fsp->op = NULL;
|
|
- file_free(smb1req, fsp);
|
|
+ state->op->compat = NULL;
|
|
+ fsp->op = NULL;
|
|
+}
|
|
+
|
|
+NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
|
|
+ struct smb_request *smb1req,
|
|
+ struct smbXsrv_open *op,
|
|
+ const DATA_BLOB old_cookie,
|
|
+ TALLOC_CTX *mem_ctx,
|
|
+ files_struct **result,
|
|
+ DATA_BLOB *new_cookie)
|
|
+{
|
|
+ struct vfs_default_durable_reconnect_state state;
|
|
+ struct smb_filename *smb_fname = NULL;
|
|
+ struct file_id file_id;
|
|
+ NTSTATUS status;
|
|
+ enum ndr_err_code ndr_err;
|
|
+ int ret;
|
|
+
|
|
+ *result = NULL;
|
|
+ *new_cookie = data_blob_null;
|
|
+
|
|
+ if (!lp_durable_handles(SNUM(conn))) {
|
|
+ return NT_STATUS_NOT_SUPPORTED;
|
|
+ }
|
|
+
|
|
+ state = (struct vfs_default_durable_reconnect_state) {
|
|
+ .mem_ctx = mem_ctx,
|
|
+ .smb1req = smb1req,
|
|
+ .op = op,
|
|
+ };
|
|
+
|
|
+ /*
|
|
+ * the checks for kernel oplocks
|
|
+ * and similar things are done
|
|
+ * in the vfs_default_durable_cookie()
|
|
+ * call below.
|
|
+ */
|
|
+
|
|
+ ndr_err = ndr_pull_struct_blob_all(
|
|
+ &old_cookie,
|
|
+ talloc_tos(),
|
|
+ &state.cookie,
|
|
+ (ndr_pull_flags_fn_t)ndr_pull_vfs_default_durable_cookie);
|
|
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
+ status = ndr_map_error2ntstatus(ndr_err);
|
|
+ return status;
|
|
}
|
|
- return status;
|
|
+
|
|
+ if (strcmp(state.cookie.magic, VFS_DEFAULT_DURABLE_COOKIE_MAGIC) != 0) {
|
|
+ return NT_STATUS_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (state.cookie.version != VFS_DEFAULT_DURABLE_COOKIE_VERSION) {
|
|
+ return NT_STATUS_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (!state.cookie.allow_reconnect) {
|
|
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ }
|
|
+
|
|
+ if (strcmp(state.cookie.servicepath, conn->connectpath) != 0) {
|
|
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ }
|
|
+
|
|
+ /* Create an smb_filename with stream_name == NULL. */
|
|
+ smb_fname = synthetic_smb_fname(talloc_tos(),
|
|
+ state.cookie.base_name,
|
|
+ NULL,
|
|
+ NULL,
|
|
+ 0,
|
|
+ 0);
|
|
+ if (smb_fname == NULL) {
|
|
+ return NT_STATUS_NO_MEMORY;
|
|
+ }
|
|
+
|
|
+ ret = SMB_VFS_LSTAT(conn, smb_fname);
|
|
+ if (ret == -1) {
|
|
+ status = map_nt_error_from_unix_common(errno);
|
|
+ DEBUG(1, ("Unable to lstat stream: %s => %s\n",
|
|
+ smb_fname_str_dbg(smb_fname),
|
|
+ nt_errstr(status)));
|
|
+ return status;
|
|
+ }
|
|
+ if (!S_ISREG(smb_fname->st.st_ex_mode)) {
|
|
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ }
|
|
+
|
|
+ file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
|
|
+ if (!file_id_equal(&state.cookie.id, &file_id)) {
|
|
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
+ }
|
|
+
|
|
+ status = fsp_new(conn, conn, &state.fsp);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("failed to create new fsp: %s\n",
|
|
+ nt_errstr(status));
|
|
+ return status;
|
|
+ }
|
|
+ state.fsp->file_id = file_id;
|
|
+ state.fsp->file_pid = smb1req->smbpid;
|
|
+ state.fsp->vuid = smb1req->vuid;
|
|
+ state.fsp->fnum = op->local_id;
|
|
+ fsp_set_gen_id(state.fsp);
|
|
+
|
|
+ status = fsp_set_smb_fname(state.fsp, smb_fname);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("fsp_set_smb_fname failed: %s\n",
|
|
+ nt_errstr(status));
|
|
+ file_free(smb1req, state.fsp);
|
|
+ return status;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * TODO:
|
|
+ * Do we need to store the modified flag in the DB?
|
|
+ */
|
|
+ state.fsp->fsp_flags.modified = false;
|
|
+ /*
|
|
+ * no durables for directories
|
|
+ */
|
|
+ state.fsp->fsp_flags.is_directory = false;
|
|
+ /*
|
|
+ * For normal files, can_lock == !is_directory
|
|
+ */
|
|
+ state.fsp->fsp_flags.can_lock = true;
|
|
+ /*
|
|
+ * We do not support aio write behind for smb2
|
|
+ */
|
|
+ state.fsp->fsp_flags.aio_write_behind = false;
|
|
+
|
|
+ status = share_mode_do_locked_brl(state.fsp,
|
|
+ vfs_default_durable_reconnect_fn,
|
|
+ &state);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("share_mode_do_locked_brl [%s] failed: %s\n",
|
|
+ smb_fname_str_dbg(smb_fname), nt_errstr(status));
|
|
+ file_free(smb1req, state.fsp);
|
|
+ return status;
|
|
+ }
|
|
+ if (!NT_STATUS_IS_OK(state.status)) {
|
|
+ DBG_ERR("default_durable_reconnect_fn [%s] failed: %s\n",
|
|
+ smb_fname_str_dbg(smb_fname),
|
|
+ nt_errstr(state.status));
|
|
+ file_free(smb1req, state.fsp);
|
|
+ return state.status;
|
|
+ }
|
|
+
|
|
+ *result = state.fsp;
|
|
+ *new_cookie = state.new_cookie_blob;
|
|
+
|
|
+ return NT_STATUS_OK;
|
|
}
|
|
--
|
|
2.49.0
|
|
|
|
|
|
From 810c9268742b761d3e32aedb624d343bdf51d467 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Tue, 28 Jan 2025 14:48:39 +0100
|
|
Subject: [PATCH 24/24] s3:rpc_server/srvsvc: use brl_get_locks_readonly()
|
|
instead of brl_get_locks()
|
|
|
|
No need to keep the record locked longer then needed.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit c36cc2b6720a2cfe54ce52a500dc499418e27e34)
|
|
---
|
|
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 12 +++++++++---
|
|
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
|
|
index 1129576f751..b19baf9e625 100644
|
|
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
|
|
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
|
|
@@ -192,17 +192,23 @@ static WERROR net_enum_files(TALLOC_CTX *ctx,
|
|
/* need to count the number of locks on a file */
|
|
|
|
for (i=0; i<(*ctr3)->count; i++) {
|
|
- struct files_struct fsp = { .file_id = f_enum_cnt.fids[i], };
|
|
+ struct files_struct *fsp = NULL;
|
|
struct byte_range_lock *brl = NULL;
|
|
|
|
- brl = brl_get_locks(ctx, &fsp);
|
|
+ fsp = talloc_zero(talloc_tos(), struct files_struct);
|
|
+ if (fsp == NULL) {
|
|
+ return WERR_NOT_ENOUGH_MEMORY;
|
|
+ }
|
|
+ fsp->file_id = f_enum_cnt.fids[i];
|
|
+
|
|
+ brl = brl_get_locks_readonly(fsp);
|
|
if (brl == NULL) {
|
|
continue;
|
|
}
|
|
|
|
(*ctr3)->array[i].num_locks = brl_num_locks(brl);
|
|
-
|
|
TALLOC_FREE(brl);
|
|
+ TALLOC_FREE(fsp);
|
|
}
|
|
|
|
return WERR_OK;
|
|
--
|
|
2.49.0
|
|
|