[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.20] 28 commits: VERSION: Bump version up to Samba 4.20.0rc2...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Thu Feb 15 20:27:53 GMT 2024
Michael Tokarev pushed to branch upstream_4.20 at Debian Samba Team / samba
Commits:
7908c00d by Jule Anger at 2024-01-29T17:31:31+01:00
VERSION: Bump version up to Samba 4.20.0rc2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
9e946a8d by Andreas Schneider at 2024-02-05T12:58:13+00:00
python:gp: Fix logging with gp
This allows enabling INFO level logging with: `samba-gpupdate -d3`
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889)
- - - - -
59365287 by Anoop C S at 2024-02-05T14:05:01+00:00
docs-xml: Build and install man page for wspsearch
Commit 49b6137f7c2244aeb3cf9b65fc9d46fcf0b8dc55 switched the default
to install `wspsearch` client from False to True but missed building
and installing the corresponding man page. Therefore adding wspsearch.1
to the list of man pages to be built and installed by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15565
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Tue Jan 30 14:38:58 UTC 2024 on atb-devel-224
(cherry picked from commit a48f8ae30775bb2dc07768c3df88968800f51470)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Mon Feb 5 14:05:01 UTC 2024 on atb-devel-224
- - - - -
daf5b5f5 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest:ndr_pack: rename SD tests with object ACEs
We are looking at an optimisation for non-object ACEs, which
are more common, but these tests are overwhelmed by object
(OA) ACEs.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit d5371f6bcd2fe991d08fcf2006ce62e6a7449ae9)
- - - - -
66fa6885 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest: ndr_pack_performance gets more SD types
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit e802611743a9b899c18d6eeaa0a46323b676c296)
- - - - -
7f0bdf2b by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest:ndr_pack: slightly reduce python overhead
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit d25fe2447b553087f6285c80907ca5d0debcd827)
- - - - -
1287f182 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest:ndr_pack_performance: remove irrelevant imports, options
This includes removing the ANCIENT_SAMBA switch for pre-4.3, as
nobody cares anymore and many tests would not run correctly anyway.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit ceb5389260c4469a8f03ee884325ca981c18a36a)
- - - - -
14edd0fd by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest:ndr_pack: use a valid dummy SID
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 2f68545087f25e5d4c7a7742d99527c7ebbd02ab)
- - - - -
fb49ce47 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest:ndr_pack: spin in do_nothing for a while
The idea was to get a less jittery idea of the underlying noise, but
it is still almost instant. This I suppose is useful in indicating
that this much of the test has very little overhead.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 93e6ea4cff2cb6bd084db27139addeea06945ea5)
- - - - -
b5289d66 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
perftest: ndr_pack runs in none environment
This is worth changing, because having a server running in the
background can only add noise to the results.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 5fa663766548eac2cc5932ae03d03b79ad1751b5)
- - - - -
f8014cae by Douglas Bagnall at 2024-02-12T10:53:13+00:00
pidl: calculate subcontext_size only once per pull
For security_ace_coda in security.idl, the sub-context size
involves a slightly non-trivial function call which returns a constant
value.
In all other cases, a constant expression is used, and this makes
no difference.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 9811762775b28e16035afb2c319b55c4bf3699d3)
- - - - -
8787185a by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: shift ndr_pull_security_ace to manual code
This was manual until commit c73034cf7c4392f5d3505319948bc84634c20fa5
(a few months ago).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 1e6a876c2cc4b3b54895dde879492e756bb9b963)
- - - - -
c9974e62 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: short-circuit ace coda if no bytes left
The overwhelmingly common case is that there are no bytes left, and
regardless of the ACE type we want to store an empty blob.
We know the blob will be empty if there are no bytes, so we don't need
to allocate a sub-ndr and tokens list and so forth.
This can save almost half the time of a security descriptor pull.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit ac0c8ee01ea624e9c486251da2132710c2a43ddc)
- - - - -
e4cf11b1 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: make security_ace push manual
This will allow some optimisations; in this commit we just copy the
code.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit dc08e7924c2e359afeb4b86f306868cad00189a0)
- - - - -
e61d4476 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: ACE push avoids no-op coda pushes
We don't expect an ordinary ACE to have a non-empty coda, and we don't
really want to push it if it does, but for this patch we still will.
This will not change the data on the wire.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit ee1b8ae04b10306c059174a5b4b637b080fe23fd)
- - - - -
5d0d17a9 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: skip talloc when pulling empty DATA_BLOB
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit c2673b02a7a51761e8b6631eb0c0e7062cbbed7b)
- - - - -
d4547daf by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: mark invalid pull ndr_flags as unlikely
This might have little effect, but sometimes we see primitives like
ndr_pull_uint32() taking a few percent of the CPU time, and this is in
all those functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 4face258dee93dcd01dce71fcb7448b285ff4860)
- - - - -
5c0f6a20 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: do not push ACE->coda.ignored blob
From 1e80221b2340de5ef5e2a17f10511bbc2c041163 (2008) until
c73034cf7c4392f5d3505319948bc84634c20fa5 (conditional ACEs, etc, 2023)
we had a manual ndr_pull_security_ace() that would discard trailing
bytes, which are those bytes that we now call the coda. The ACE types
that we handled then are those that end up with a coda.ignored data
blob.
With this we effectively restore the long-standing behaviour in the
event that we push and pull an ACE -- though now we discard the
ignored bytes on push rather than pull.
This change is not because the trailing bytes caused any problems (as
far as is known), but because it is much faster to not do the push.
It may be that such ACEs no longer occur.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 2a60ec98409b161cfeb4b51414ba61feb26c01b9)
- - - - -
276e67fe by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: avoid object ACE pull overhead for non-object ACE
When an ACE is not an object ACE, which is common, setting the switch
value and attempting the object ACE GUID pull is just going to do
nothing, and we know that ahead of time. By noticing that we can save
a bit of time on a common operation.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit fce4d51eb492a6fc807c6849cd4bd65ca7714509)
- - - - -
48084786 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: avoid object ACE push overhead for non-object ACE
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit ecb5da3e49283ca3a03dea81d22db4a081e192e4)
- - - - -
0f81aec9 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: ndr_push_security_ace: calculate coda size once
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit a72c198921f64f2502f543c7158762c64cb3074e)
- - - - -
7f338d61 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
ndr: ignore trailing bytes in ndr_pull_security_ace()
This returns the behaviour with ordinary ACEs to where it was with 4.19.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit 0c1f421c107be3156b3f1db75aced24a1bca3d2f)
- - - - -
8e8b8fc0 by Douglas Bagnall at 2024-02-12T10:53:13+00:00
WHATSNEW: note "acl_claims evaluation" smb.conf option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
4872b0ab by Douglas Bagnall at 2024-02-12T10:53:13+00:00
WHATSNEW: Add some information about new conditional aces feature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
f8dfce94 by Andrew Bartlett at 2024-02-12T11:55:51+00:00
WHATSNEW: Explain new AD DC Claims, authentication policies and Silos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Mon Feb 12 11:55:51 UTC 2024 on atb-devel-224
- - - - -
f06a06b7 by Jule Anger at 2024-02-12T14:01:59+01:00
WHATSNEW: Add release notes for Samba 4.20.0rc2.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
0167b75a by Jule Anger at 2024-02-12T14:04:39+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc2 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
6d67fdfc by Michael Tokarev at 2024-02-15T23:01:37+03:00
New upstream version 4.20.0~rc2+dfsg
- - - - -
11 changed files:
- VERSION
- WHATSNEW.txt
- docs-xml/wscript_build
- librpc/idl/security.idl
- librpc/ndr/libndr.h
- librpc/ndr/ndr_basic.c
- librpc/ndr/ndr_sec_helper.c
- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
- python/samba/gp/util/logging.py
- selftest/perf_tests.py
- source4/dsdb/tests/python/ndr_pack_performance.py
Changes:
=====================================
VERSION
=====================================
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
=====================================
WHATSNEW.txt
=====================================
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first release candidate of Samba 4.20. This is *not*
+This is the second release candidate of Samba 4.20. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -108,6 +108,90 @@ New options added are:
and all files/directories below.
- '--restore savefile' Restores the stored DACLS to files in directory
+Samba-tool extensions for AD Claims, Authentication Policies and Silos
+----------------------------------------------------------------------
+
+samba-tool now allows users to be associated with claims. In the
+Samba AD DC, claims derive from Active Directory attributes mapped
+into specific names. These claims can be used in rules, which are
+conditional ACEs in a security descriptor, that decide if a user is
+restricted by an authentication policy.
+
+samba-tool also allows the creation and management of authentication
+policies, which are rules about where a user may authenticate from,
+if NTLM is permitted, and what services a user may authenticate to.
+
+Finally, support is added for the creation and management of
+authentication silos, which are helpful in defining network boundaries
+by grouping users and the services they connect to.
+
+Please note: The command line syntax for these tools is not final, and
+may change before the next release, as we gain user feedback. The
+syntax will be locked in once Samba offers 2016 AD Functional Level as
+a default.
+
+AD DC support for Authentication Silos and Authentication Policies
+------------------------------------------------------------------
+
+The Samba AD DC now also honours any existing claims, authentication
+policy and authentication silo configuration previously created (eg
+from an import of a Microsoft AD), as well as new configurations
+created with samba-tool. The use of Microsoft's Powershell based
+client tools is not expected to work.
+
+To use this feature, the functional level must be set to 2012_R2 or
+later with:
+
+ ad dc functional level = 2016
+
+in the smb.conf.
+
+The smb.conf file on each DC must have 'ad dc functional level = 2016'
+set to have the partially complete feature available. This will also,
+at first startup, update the server's own AD entry with the configured
+functional level.
+
+For new domains, add these parameters to 'samba-tool provision'
+
+--option="ad dc functional level = 2016" --function-level=2016
+
+The second option, setting the overall domain functional level
+indicates that all DCs should be at this functional level.
+
+To raise the domain functional level of an existing domain, after
+updating the smb.conf and restarting Samba run
+samba-tool domain schemaupgrade --schema=2019
+samba-tool domain functionalprep --function-level=2016
+samba-tool domain level raise --domain-level=2016 --forest-level=2016
+
+This support is still new, so is not enabled by default in this
+release. The above instructions are set at 2016, which while not
+complete, matches what our testing environment validates.
+
+Conditional ACEs and Resource Attribute ACEs
+--------------------------------------------
+
+Ordinary Access Control Entries (ACEs) unconditionally allow or deny
+access to a given user or group. Conditional ACEs have an additional
+section that describes conditions under which the ACE applies. If the
+conditional expression is true, the ACE works like an ordinary ACE,
+otherwise it is ignored. The condition terms can refer to claims,
+group memberships, and attributes on the object itself. These
+attributes are described in Resource Attribute ACEs that occur in the
+object's System Access Control List (SACL). Conditional ACEs are
+described in Microsoft documentation.
+
+Conditional ACE evaluation is controlled by the "acl claims
+evaluation" smb.conf option. The default value is "AD DC only" which
+enables them in AD DC settings. The other option is "never", which
+disables them altogether. There is currently no option to enable them
+on the file server (this is likely to change in future releases).
+
+The Security Descriptor Definition Language has extensions for
+conditional ACEs and resource attribute ACEs; these are now supported
+by Samba.
+
+
REMOVED FEATURES
================
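Review bot: the functional-level requirement in this hunk is inconsistent: "the functional level must be set to 2012_R2 or later" is immediately followed by an example of `ad dc functional level = 2016`, a paragraph saying each DC "must have 'ad dc functional level = 2016'", and schemaupgrade/functionalprep/level raise commands pinned at 2016. State one minimum, and if 2012_R2 really is enough for the DC-side claims/policy/silo support, say which parts need 2016. Minor wording: "eg" should be "e.g." and "Powershell based" should be "PowerShell-based".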
@@ -127,6 +211,20 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
smb3 unix extensions Per share -
+ acl claims evaluation new AD DC only
+
+
+CHANGES SINCE 4.20.0rc1
+=======================
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 15574: Performance regression for NDR parsing of security descriptors.
+
+o Anoop C S <anoopcs at samba.org>
+ * BUG 15565: Build and install man page for wspsearch client utility.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15558: samba-gpupdate logging doesn't work.
KNOWN ISSUES
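Review bot: the CHANGES SINCE 4.20.0rc1 entry for BUG 15574 describes only a performance regression, but the series behind it also changes what goes on the wire: trailing bytes in an ordinary ACE's coda.ignored blob are now dropped on push, so pull-then-push of such an ACE is no longer byte-preserving. A one-line mention here would save administrators who diff descriptors across versions from a surprise.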
=====================================
docs-xml/wscript_build
=====================================
@@ -54,6 +54,7 @@ manpages='''
manpages/wbinfo.1
manpages/winbindd.8
manpages/samba-log-parser.1
+ manpages/wspsearch.1
'''
pam_winbind_manpages = '''
=====================================
librpc/idl/security.idl
=====================================
@@ -715,7 +715,7 @@ interface security
[default][flag(NDR_REMAINING)] DATA_BLOB ignored;
} security_ace_coda;
- typedef [public,gensize,nosize] struct {
+ typedef [public,gensize,nosize,nopush,nopull] struct {
security_ace_type type; /* SEC_ACE_TYPE_* */
security_ace_flags flags; /* SEC_ACE_FLAG_* */
[value(ndr_size_security_ace(r,ndr->flags))] uint16 size;
=====================================
librpc/ndr/libndr.h
=====================================
@@ -367,7 +367,7 @@ enum ndr_compression_alg {
};
#define NDR_PULL_CHECK_FLAGS(ndr, ndr_flags) do { \
- if ((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS)) { \
+ if (unlikely((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS))) { \
return ndr_pull_error(ndr, NDR_ERR_FLAGS, "Invalid pull struct ndr_flags 0x%"PRI_NDR_FLAGS_TYPE, ndr_flags); \
} \
} while (0)
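Review bot: `unlikely()` is now expanded in every generated pull function through NDR_PULL_CHECK_FLAGS, so libndr.h must itself include the header that defines `likely`/`unlikely`; if it currently relies on includers having that macro visible, out-of-tree consumers of this public header will fail to compile after this line.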
=====================================
librpc/ndr/ndr_basic.c
=====================================
@@ -1453,6 +1453,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_DATA_BLOB(struct ndr_pull *ndr, ndr_flags_ty
} else {
NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &length));
}
+ if (length == 0) {
+ /* skip the talloc for an empty blob */
+ blob->data = NULL;
+ blob->length = 0;
+ return NDR_ERR_SUCCESS;
+ }
NDR_PULL_NEED_BYTES(ndr, length);
*blob = data_blob_talloc(ndr->current_mem_ctx, ndr->data+ndr->offset, length);
ndr->offset += length;
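Review bot: the early return changes the representation of an empty blob from a zero-length talloc allocation (non-NULL `data`) to `data = NULL`. Callers that distinguish "absent" from "present but empty" by testing `blob.data != NULL` will now see the former for every zero-length pull; please confirm no consumer of ndr_pull_DATA_BLOB relies on that distinction, or note the change in the commit message.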
=====================================
librpc/ndr/ndr_sec_helper.c
=====================================
@@ -64,7 +64,11 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
} else if (ace->type == SEC_ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE) {
ret += ndr_size_security_ace_coda(&ace->coda, ace->type, flags);
} else {
- ret += ace->coda.ignored.length;
+ /*
+ * Normal ACEs have a coda.ignored blob that is always or
+ * almost always empty. We aren't going to push it (it is
+ * ignored), so we don't add that length to the size.
+ */
}
/* round up to a multiple of 4 (MS-DTYP 2.4.4.1) */
ret = (ret + 3ULL) & ~3ULL;
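Review bot: the comment in the new else branch explains why coda.ignored.length is omitted, but not its consequence: ndr_size_security_ace() now disagrees with the on-wire size of an ACE that was pulled with trailing bytes, so a pull/push round trip is no longer byte-preserving for such ACEs. Spell that out here, since this function also supplies the `size` field written by the push, and consider a DEBUG-level message when ace->coda.ignored.length is non-zero so dropped bytes are at least observable.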
@@ -75,6 +79,107 @@ size_t ndr_size_security_ace(const struct security_ace *ace, libndr_flags flags)
return ret;
}
+
+static inline enum ndr_err_code ndr_maybe_pull_security_ace_object_ctr(struct ndr_pull *ndr,
+ ndr_flags_type ndr_flags,
+ struct security_ace *r)
+{
+ /*
+ * If this is not an object ACE (as is usually common),
+ * ndr_pull_security_ace_object_ctr() will do nothing.
+ *
+ * By avoiding calling the function in that case, we avoid some
+ * tallocing and ndr token busywork.
+ */
+ bool is_object = sec_ace_object(r->type);
+ if (is_object) {
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, is_object));
+ NDR_CHECK(ndr_pull_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+_PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct security_ace *r)
+{
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ ssize_t sub_size;
+ NDR_CHECK(ndr_pull_align(ndr, 5));
+ NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
+ NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
+ NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+ sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
+ if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+ r->coda.ignored.data = NULL;
+ r->coda.ignored.length = 0;
+ } else {
+ struct ndr_pull *_ndr_coda;
+ NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
+ NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, &r->coda, r->type));
+ NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+ NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_coda, 0, sub_size));
+ }
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+static inline enum ndr_err_code ndr_maybe_push_security_ace_object_ctr(struct ndr_push *ndr,
+ ndr_flags_type ndr_flags,
+ const struct security_ace *r)
+{
+ /*
+ * ndr_push_security_ace_object_ctr() does nothing (except tallocing
+ * and ndr_token fiddling) unless the ACE is an object ACE, which is
+ * usually very unlikely.
+ */
+ bool is_object = sec_ace_object(r->type);
+ if (is_object) {
+ NDR_CHECK(ndr_push_set_switch_value(ndr, &r->object, is_object));
+ NDR_CHECK(ndr_push_security_ace_object_ctr(ndr, ndr_flags, &r->object));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_push_security_ace(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct security_ace *r)
+{
+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 5));
+ NDR_CHECK(ndr_push_security_ace_type(ndr, NDR_SCALARS, r->type));
+ NDR_CHECK(ndr_push_security_ace_flags(ndr, NDR_SCALARS, r->flags));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, ndr_size_security_ace(r, ndr->flags)));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->access_mask));
+ NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_SCALARS, r));
+ NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+ if (sec_ace_has_extra_blob(r->type)) {
+ struct ndr_push *_ndr_coda;
+ size_t coda_size = ndr_subcontext_size_of_ace_coda(
+ r,
+ ndr_size_security_ace(r, ndr->flags),
+ ndr->flags);
+ NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_coda, 0, coda_size));
+ NDR_CHECK(ndr_push_set_switch_value(_ndr_coda, &r->coda, r->type));
+ NDR_CHECK(ndr_push_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
+ NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_coda, 0, coda_size));
+ }
+ NDR_CHECK(ndr_push_trailer_align(ndr, 5));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_maybe_push_security_ace_object_ctr(ndr, NDR_BUFFERS, r));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
/*
* An ACE coda can't be bigger than the space allowed for by
* ace->size, so we need to check this from the context of the ACE.
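Review bot: in ndr_pull_security_ace() `sub_size` is an `ssize_t` but is only tested with `sub_size == 0`; if ndr_subcontext_size_of_ace_coda() can return a negative value when the coda does not fit in r->size (the comment below says this is where that is checked), the negative result falls into the subcontext branch and is passed to ndr_pull_subcontext_start() as a size. An explicit `if (sub_size < 0) return ndr_pull_error(...)` before the branch would make the error path unambiguous. Separately, in ndr_push_security_ace() the `size_t` result of ndr_size_security_ace() is pushed through ndr_push_uint16() with no range check, so an oversized ACE silently truncates its `size` field; check the value fits before pushing, and compute it once rather than calling ndr_size_security_ace() again for coda_size.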
=====================================
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
=====================================
@@ -603,7 +603,8 @@ sub ParseSubcontextPullStart($$$$$)
$self->pidl("{");
$self->indent;
$self->pidl("struct ndr_pull *$subndr;");
- $self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+ $self->pidl("ssize_t sub_size = $subcontext_size;");
+ $self->pidl("NDR_CHECK(ndr_pull_subcontext_start($ndr, &$subndr, $l->{HEADER_SIZE}, sub_size));");
if (defined $l->{COMPRESSION}) {
$subndr = $self->ParseCompressionPullStart($e, $l, $subndr, $env);
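Review bot: the generated `ssize_t sub_size` is declared in the brace block opened by ParseSubcontextPullStart and consumed in ParseSubcontextPullEnd, so the two Perl subs are now coupled by a fixed C identifier that must stay in the same scope; a short comment in both subs naming that dependency would help the next editor. Nested subcontexts will each declare their own `sub_size`, which is correct but shadows the outer one and will trip -Wshadow builds. Also, when `$subcontext_size` is an unsigned expression, assigning it to `ssize_t` adds a sign conversion that some warning levels flag.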
@@ -622,7 +623,7 @@ sub ParseSubcontextPullEnd($$$$$)
$self->ParseCompressionPullEnd($e, $l, $subndr, $env);
}
- $self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, $subcontext_size));");
+ $self->pidl("NDR_CHECK(ndr_pull_subcontext_end($ndr, $subndr, $l->{HEADER_SIZE}, sub_size));");
$self->deindent;
$self->pidl("}");
}
=====================================
python/samba/gp/util/logging.py
=====================================
@@ -23,9 +23,10 @@ import gettext
import random
import sys
-logger = logging.getLogger()
+logger = logging.getLogger("gp")
+
+
def logger_init(name, log_level):
- logger = logging.getLogger(name)
logger.addHandler(logging.StreamHandler(sys.stdout))
logger.setLevel(logging.CRITICAL)
if log_level == 1:
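Review bot: with the module-level `logger` now fixed to "gp", the `name` parameter of logger_init() is no longer used; either drop it (updating callers) or document why it is kept for API compatibility. Note also that `logger.addHandler(...)` runs on every call, so a second logger_init() on the same process attaches a duplicate StreamHandler and emits each line twice; guard with a check on `logger.handlers`.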
=====================================
selftest/perf_tests.py
=====================================
@@ -26,8 +26,8 @@ plantestsuite_loadlist("samba4.ldap.ad_dc_performance.python(ad_dc_ntvfs)",
'--workgroup=$DOMAIN',
'$LOADLIST', '$LISTOPT'])
-plantestsuite_loadlist("samba4.ndr_pack_performance.python(ad_dc_ntvfs)",
- "ad_dc_ntvfs",
+plantestsuite_loadlist("samba4.ndr_pack_performance.python",
+ "none",
[python, os.path.join(samba4srcdir,
"dsdb/tests/python/ndr_pack_performance.py"),
'$SERVER', '-U"$USERNAME%$PASSWORD"',
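Review bot: the suite now runs in the "none" environment, but the command line still passes '$SERVER' and '-U"$USERNAME%$PASSWORD"', and the ndr_pack_performance.py hunk in this same push removes all option and credential parsing. Those arguments are dead (and may be empty in "none"); drop them so the invocation matches what the script accepts.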
=====================================
source4/dsdb/tests/python/ndr_pack_performance.py
=====================================
@@ -4,10 +4,7 @@ import optparse
import sys
sys.path.insert(0, 'bin/python')
-import os
import samba
-import samba.getopt as options
-import random
import gzip
# We try to use the test infrastructure of Samba 4.3+, but if it
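Review bot: the hunk header shows `import optparse` still at the top of the file, but this push removes the OptionParser and all option groups, leaving optparse unused alongside the `os`, `options` and `random` imports that are being deleted here; remove it in the same commit.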
@@ -16,45 +13,13 @@ import gzip
#
# Don't copy this horror into ordinary tests -- it is special for
# performance tests that want to apply to old versions.
-try:
- from samba.tests.subunitrun import SubunitOptions, TestProgram
- ANCIENT_SAMBA = False
-except ImportError:
- ANCIENT_SAMBA = True
- samba.ensure_external_module("testtools", "testtools")
- samba.ensure_external_module("subunit", "subunit/python")
- from subunit.run import SubunitTestRunner
- import unittest
+
+from samba.tests.subunitrun import TestProgram
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba.dcerpc import drsuapi
-parser = optparse.OptionParser("ndr_pack_performance.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-if not ANCIENT_SAMBA:
- subunitopts = SubunitOptions(parser)
- parser.add_option_group(subunitopts)
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-random.seed(1)
-
BIG_SD_SDDL = ''.join(
"""O:S-1-5-21-3328325300-3937145445-4190589019-512G:S-1-5-2
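Review bot: the comment kept in context above this hunk ("We try to use the test infrastructure of Samba 4.3+ ... Don't copy this horror into ordinary tests -- it is special for performance tests that want to apply to old versions") describes exactly the ANCIENT_SAMBA try/except that the hunk deletes, so it is now stale; remove or rewrite it to match the plain `from samba.tests.subunitrun import TestProgram` import.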
@@ -130,6 +95,23 @@ IOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa0030
0aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0d
e6-11d0-a285-00aa003049e2;ED)""".split())
+
+CONDITIONAL_ACE_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
+ '(@USER.ad://ext/AuthenticationSilo == "siloname"))')
+
+NON_OBJECT_SDDL = (
+ "O:S-1-5-21-2212615479-2695158682-2101375468-512"
+ "G:S-1-5-21-2212615479-2695158682-2101375468-513"
+ "D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+ "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
+ "(A;OICIIO;FA;;;CO)"
+ "(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
+ "(A;OICI;FA;;;SY)"
+ "(A;OICI;0x1200a9;;;AU)"
+ "(A;OICI;0x1200a9;;;ED)")
+
+
+
# set SCALE = 100 for normal test, or 1 for testing the test.
SCALE = 100
@@ -144,57 +126,82 @@ class UserTests(samba.tests.TestCase):
return f.read()
def get_desc(self, sddl):
- dummy_sid = security.dom_sid("S-2-0-0")
+ dummy_sid = security.dom_sid("S-1-2-3")
return security.descriptor.from_sddl(sddl, dummy_sid)
def get_blob(self, sddl):
return ndr_pack(self.get_desc(sddl))
- def test_00_00_do_nothing(self):
+ def test_00_00_do_nothing(self, cycles=10000):
# this gives us an idea of the overhead
- pass
+ for i in range(SCALE * cycles):
+ pass
def _test_pack(self, unpacked, cycles=10000):
+ pack = unpacked.__ndr_pack__
for i in range(SCALE * cycles):
- ndr_pack(unpacked)
+ pack()
def _test_unpack(self, blob, cycles=10000, cls=security.descriptor):
for i in range(SCALE * cycles):
- ndr_unpack(cls, blob)
+ cls().__ndr_unpack__(blob)
def _test_pack_unpack(self, desc, cycles=5000, cls=security.descriptor):
blob2 = ndr_pack(desc)
-
for i in range(SCALE * cycles):
blob = ndr_pack(desc)
desc = ndr_unpack(cls, blob)
self.assertEqual(blob, blob2)
- def test_pack_big_sd(self):
+ def test_pack_big_sd_with_object_aces(self):
unpacked = self.get_desc(BIG_SD_SDDL)
self._test_pack(unpacked)
- def test_unpack_big_sd(self):
+ def test_unpack_big_sd_with_object_aces(self):
blob = self.get_blob(BIG_SD_SDDL)
self._test_unpack(blob)
- def test_pack_unpack_big_sd(self):
+ def test_pack_unpack_big_sd_with_object_aces(self):
unpacked = self.get_desc(BIG_SD_SDDL)
self._test_pack_unpack(unpacked)
- def test_pack_little_sd(self):
+ def test_pack_little_sd_with_object_aces(self):
unpacked = self.get_desc(LITTLE_SD_SDDL)
self._test_pack(unpacked)
- def test_unpack_little_sd(self):
+ def test_unpack_little_sd_with_object_aces(self):
blob = self.get_blob(LITTLE_SD_SDDL)
self._test_unpack(blob)
- def test_pack_unpack_little_sd(self):
+ def test_pack_unpack_little_sd_with_object_aces(self):
unpacked = self.get_desc(LITTLE_SD_SDDL)
self._test_pack_unpack(unpacked)
+ def test_pack_conditional_ace_sd(self):
+ unpacked = self.get_desc(CONDITIONAL_ACE_SDDL)
+ self._test_pack(unpacked)
+
+ def test_unpack_conditional_ace_sd(self):
+ blob = self.get_blob(CONDITIONAL_ACE_SDDL)
+ self._test_unpack(blob)
+
+ def test_pack_unpack_conditional_ace_sd(self):
+ unpacked = self.get_desc(CONDITIONAL_ACE_SDDL)
+ self._test_pack_unpack(unpacked)
+
+ def test_pack_non_object_sd(self):
+ unpacked = self.get_desc(NON_OBJECT_SDDL)
+ self._test_pack(unpacked)
+
+ def test_unpack_non_object_sd(self):
+ blob = self.get_blob(NON_OBJECT_SDDL)
+ self._test_unpack(blob)
+
+ def test_pack_unpack_non_object_sd(self):
+ unpacked = self.get_desc(NON_OBJECT_SDDL)
+ self._test_pack_unpack(unpacked)
+
def test_unpack_repl_sample(self):
blob = self.get_file_blob('testdata/replication-ndrpack-example.gz')
self._test_unpack(blob, cycles=20, cls=drsuapi.DsGetNCChangesCtr6)
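Review bot: `_test_unpack` now does `cls().__ndr_unpack__(blob)` inside the loop, so each iteration also pays for constructing a fresh `cls` object; that allocation is now part of the measured time for the unpack tests, which partly offsets the intent of the `pack = unpacked.__ndr_pack__` hoist in `_test_pack`. If the object is cheap to reuse, construct it once before the loop; otherwise note in a comment that construction cost is included.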
@@ -205,18 +212,4 @@ class UserTests(samba.tests.TestCase):
self._test_pack(desc, cycles=20)
-if "://" not in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-
-if ANCIENT_SAMBA:
- runner = SubunitTestRunner()
- if not runner.run(unittest.TestLoader().loadTestsFromTestCase(
- UserTests)).wasSuccessful():
- sys.exit(1)
- sys.exit(0)
-else:
- TestProgram(module=__name__, opts=subunitopts)
+TestProgram(module=__name__)
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/629deed6571f57716ee99715991006b02bbfe36e...6d67fdfc5f7f17d909f5a3bfca465b1a0a4ac644