24 files changed, 222 insertions, 135 deletions
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index e74e3f5b3b..466c4bf129 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -38,6 +38,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) char *pserver = NULL; bool connected_ok = False; struct named_mutex *mutex = NULL; + NTSTATUS status; if (!(cli = cli_initialise())) return NULL; @@ -49,7 +50,6 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) p = pserver; while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) { - NTSTATUS status; desthost = talloc_sub_basic(mem_ctx, current_user_info.smb_name, @@ -112,9 +112,12 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) DEBUG(3,("got session\n")); - if (!cli_negprot(cli)) { + status = cli_negprot(cli); + + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(mutex); - DEBUG(1,("%s rejected the negprot\n",desthost)); + DEBUG(1, ("%s rejected the negprot: %s\n", + desthost, nt_errstr(status))); cli_shutdown(cli); return NULL; } diff --git a/source3/include/proto.h b/source3/include/proto.h index 5e2b823d64..212bbf0df7 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -2364,8 +2364,12 @@ bool cli_ulogoff(struct cli_state *cli); bool cli_send_tconX(struct cli_state *cli, const char *share, const char *dev, const char *pass, int passlen); bool cli_tdis(struct cli_state *cli); -void cli_negprot_send(struct cli_state *cli); -bool cli_negprot(struct cli_state *cli); +void cli_negprot_sendsync(struct cli_state *cli); +NTSTATUS cli_negprot(struct cli_state *cli); +struct async_req *cli_negprot_send(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct cli_state *cli); +NTSTATUS cli_negprot_recv(struct async_req *req); bool cli_session_request(struct cli_state *cli, struct nmb_name *calling, struct nmb_name *called); NTSTATUS cli_connect(struct cli_state *cli, diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 125345fccb..b5287774f5 100644 
--- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1206,7 +1206,7 @@ bool cli_tdis(struct cli_state *cli) Send a negprot command. ****************************************************************************/ -void cli_negprot_send(struct cli_state *cli) +void cli_negprot_sendsync(struct cli_state *cli) { char *p; int numprots; 
@@ -1241,75 +1241,89 @@ void cli_negprot_send(struct cli_state *cli) Send a negprot command. ****************************************************************************/ -bool cli_negprot(struct cli_state *cli) +struct async_req *cli_negprot_send(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct cli_state *cli) { - char *p; + struct async_req *result; + uint8_t *bytes = NULL; int numprots; - int plength; if (cli->protocol < PROTOCOL_NT1) cli->use_spnego = False; - memset(cli->outbuf,'\0',smb_size); - - plength = 0; - /* setup the protocol strings */ for (numprots=0; numprots < ARRAY_SIZE(prots); numprots++) { + uint8_t c = 2; if (prots[numprots].prot > cli->protocol) { break; } - plength += strlen(prots[numprots].name)+2; - } - - cli_set_message(cli->outbuf,0,plength,True); - - p = smb_buf(cli->outbuf); - for (numprots=0; numprots < ARRAY_SIZE(prots); numprots++) { - if (prots[numprots].prot > cli->protocol) { - break; + bytes = (uint8_t *)talloc_append_blob( + talloc_tos(), bytes, data_blob_const(&c, sizeof(c))); + if (bytes == NULL) { + return NULL; + } + bytes = smb_bytes_push_str(bytes, false, prots[numprots].name); + if (bytes == NULL) { + return NULL; } - *p++ = 2; - p += clistr_push(cli, p, prots[numprots].name, -1, STR_TERMINATE); } - SCVAL(cli->outbuf,smb_com,SMBnegprot); - cli_setup_packet(cli); + result = cli_request_send(mem_ctx, ev, cli, SMBnegprot, 0, 0, NULL, + talloc_get_size(bytes), bytes); + TALLOC_FREE(bytes); + return result; +} - SCVAL(smb_buf(cli->outbuf),0,2); +NTSTATUS cli_negprot_recv(struct async_req *req) +{ + struct cli_request *cli_req = talloc_get_type_abort( + req->private_data, struct cli_request); + struct cli_state *cli = cli_req->cli; + uint8_t wct; + uint16_t *vwv; + uint16_t num_bytes; + uint8_t *bytes; + NTSTATUS status; + uint16_t protnum; - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; + if (async_req_is_error(req, &status)) { + return status; + } - show_msg(cli->inbuf); + status = 
cli_pull_reply(req, &wct, &vwv, &num_bytes, &bytes); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + protnum = SVAL(vwv, 0); - if (cli_is_error(cli) || - ((int)SVAL(cli->inbuf,smb_vwv0) >= numprots)) { - return(False); + if ((protnum >= ARRAY_SIZE(prots)) + || (prots[protnum].prot > cli_req->cli->protocol)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; } - cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; + cli->protocol = prots[protnum].prot; if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) { DEBUG(0,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } if (cli->protocol >= PROTOCOL_NT1) { struct timespec ts; /* NT protocol */ - cli->sec_mode = CVAL(cli->inbuf,smb_vwv1); - cli->max_mux = SVAL(cli->inbuf, smb_vwv1+1); - cli->max_xmit = IVAL(cli->inbuf,smb_vwv3+1); - cli->sesskey = IVAL(cli->inbuf,smb_vwv7+1); - cli->serverzone = SVALS(cli->inbuf,smb_vwv15+1); + cli->sec_mode = CVAL(vwv + 1, 0); + cli->max_mux = SVAL(vwv + 1, 1); + cli->max_xmit = IVAL(vwv + 3, 1); + cli->sesskey = IVAL(vwv + 7, 1); + cli->serverzone = SVALS(vwv + 15, 1); cli->serverzone *= 60; /* this time arrives in real GMT */ - ts = interpret_long_date(cli->inbuf+smb_vwv11+1); + ts = interpret_long_date(((char *)(vwv+11))+1); cli->servertime = ts.tv_sec; - cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); - cli->capabilities = IVAL(cli->inbuf,smb_vwv9+1); + cli->secblob = data_blob(bytes, num_bytes); + cli->capabilities = IVAL(vwv + 9, 1); if (cli->capabilities & CAP_RAW_MODE) { cli->readbraw_supported = True; cli->writebraw_supported = True; 
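Review bot: `cli_negprot_recv()` takes `wct` from `cli_pull_reply()` but never checks it before indexing `vwv`: `SVAL(vwv, 0)` needs at least one word, and the NT1 branch reads as far as `SVALS(vwv + 15, 1)`, which needs 17 words. The word count comes from the server's reply, so a short or malformed negprot response would be parsed past the end of the parameter block unless `cli_pull_reply()` enforces a minimum, which is not visible here. I would add `if (wct < 1) return NT_STATUS_INVALID_NETWORK_RESPONSE;` before the `protnum` read and the same return for `wct < 17` at the top of the NT1 branch. The LANMAN branch in the `@@ -1357,17 +1372,18 @@` hunk has the same gap (it reads through `vwv + 10`, so it needs at least 11 words). The function body continues past this hunk.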
@@ -1317,9 +1331,10 @@ bool cli_negprot(struct cli_state *cli) /* work out if they sent us a workgroup */ if (!(cli->capabilities & CAP_EXTENDED_SECURITY) && smb_buflen(cli->inbuf) > 8) { - clistr_pull(cli, cli->server_domain, - smb_buf(cli->inbuf)+8, sizeof(cli->server_domain), - smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); + clistr_pull(cli, cli->server_domain, + bytes+8, sizeof(cli->server_domain), + num_bytes-8, + STR_UNICODE|STR_NOALIGN); } /* @@ -1331,7 +1346,7 @@ bool cli_negprot(struct cli_state *cli) /* Fail if server says signing is mandatory and we don't want to support it. */ if (!cli->sign_info.allow_smb_signing) { DEBUG(0,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } cli->sign_info.negotiated_smb_signing = True; cli->sign_info.mandatory_signing = True; @@ -1339,7 +1354,7 @@ bool cli_negprot(struct cli_state *cli) /* Fail if client says signing is mandatory and the server doesn't support it. */ if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) { DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } cli->sign_info.negotiated_smb_signing = True; cli->sign_info.mandatory_signing = True; 
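Review bot: The guard on the workgroup pull still tests `smb_buflen(cli->inbuf) > 8`, while the call now reads from `bytes+8` with length `num_bytes-8`, so the length that is checked is no longer the length that is used. If `num_bytes` is below 8, `num_bytes-8` goes negative after integer promotion and `bytes+8` points past the reply data; how `clistr_pull()` treats a negative source length is not visible in this hunk. The condition should test the same value that is consumed: `&& num_bytes > 8) {`. The enclosing function starts and ends outside this hunk.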
@@ -1357,17 +1372,18 @@ bool cli_negprot(struct cli_state *cli) } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->use_spnego = False; - cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); - cli->max_xmit = SVAL(cli->inbuf,smb_vwv2); - cli->max_mux = SVAL(cli->inbuf, smb_vwv3); - cli->sesskey = IVAL(cli->inbuf,smb_vwv6); - cli->serverzone = SVALS(cli->inbuf,smb_vwv10); + cli->sec_mode = SVAL(vwv + 1, 0); + cli->max_xmit = SVAL(vwv + 2, 0); + cli->max_mux = SVAL(vwv + 3, 0); + cli->sesskey = IVAL(vwv + 6, 0); + cli->serverzone = SVALS(vwv + 10, 0); cli->serverzone *= 60; /* this time is converted to GMT by make_unix_date */ - cli->servertime = cli_make_unix_date(cli,cli->inbuf+smb_vwv8); - cli->readbraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x1) != 0); - cli->writebraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x2) != 0); - cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); + cli->servertime = cli_make_unix_date( + cli, (char *)(vwv + 8)); + cli->readbraw_supported = ((SVAL(vwv + 5, 0) & 0x1) != 0); + cli->writebraw_supported = ((SVAL(vwv + 5, 0) & 0x2) != 0); + cli->secblob = data_blob(bytes, num_bytes); } else { /* the old core protocol */ cli->use_spnego = False; 
@@ -1381,7 +1397,42 @@ bool cli_negprot(struct cli_state *cli) if (getenv("CLI_FORCE_ASCII")) cli->capabilities &= ~CAP_UNICODE; - return True; + return NT_STATUS_OK; +} + +NTSTATUS cli_negprot(struct cli_state *cli) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct event_context *ev; + struct async_req *req; + NTSTATUS status = NT_STATUS_NO_MEMORY; + + if (cli->fd_event != NULL) { + /* + * Can't use sync call while an async call is in flight + */ + cli_set_error(cli, NT_STATUS_INVALID_PARAMETER); + goto fail; + } + + ev = event_context_init(frame); + if (ev == NULL) { + goto fail; + } + + req = cli_negprot_send(frame, ev, cli); + if (req == NULL) { + goto fail; + } + + while (req->state < ASYNC_REQ_DONE) { + event_loop_once(ev); + } + + status = cli_negprot_recv(req); + fail: + TALLOC_FREE(frame); + return status; } /**************************************************************************** @@ -1667,12 +1718,9 @@ again: cli->fallback_after_kerberos = true; } - if (!cli_negprot(cli)) { - DEBUG(1,("failed negprot\n")); - nt_status = cli_nt_error(cli); - if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_UNSUCCESSFUL; - } + nt_status = cli_negprot(cli); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("failed negprot: %s\n", nt_errstr(nt_status))); cli_shutdown(cli); return nt_status; } diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index f0ac39fed0..4597e63c98 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c @@ -195,8 +195,11 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx, DEBUG(4,(" session request ok\n")); - if (!cli_negprot(c)) { - d_printf("protocol negotiation failed\n"); + status = cli_negprot(c); + + if (!NT_STATUS_IS_OK(status)) { + d_printf("protocol negotiation failed: %s\n", + nt_errstr(status)); cli_shutdown(c); return NULL; } diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index 5e37871deb..f4714346d1 100644 --- a/source3/libsmb/libsmb_server.c 
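Review bot: In the new synchronous `cli_negprot()`, the `cli->fd_event != NULL` branch records `NT_STATUS_INVALID_PARAMETER` with `cli_set_error()` but jumps to `fail` with `status` still at its initial `NT_STATUS_NO_MEMORY`, so callers that now print `nt_errstr(status)` report an out-of-memory error for what is an API misuse. Setting `status = NT_STATUS_INVALID_PARAMETER;` before that `goto fail` keeps the return value and the recorded error in agreement. Separately, the `while (req->state < ASYNC_REQ_DONE)` loop ignores the result of `event_loop_once(ev)`; if that call can fail without advancing the request, the loop would not terminate, so its return value should be checked and mapped to an error status.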
+++ b/source3/libsmb/libsmb_server.c @@ -433,7 +433,9 @@ again: DEBUG(4,(" session request ok\n")); - if (!cli_negprot(c)) { + status = cli_negprot(c); + + if (!NT_STATUS_IS_OK(status)) { cli_shutdown(c); errno = ETIMEDOUT; return NULL; diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index 4c76234e0c..2746a4681e 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -71,10 +71,12 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam cli->protocol = PROTOCOL_NT1; - if (!cli_negprot(cli)) { + result = cli_negprot(cli); + + if (!NT_STATUS_IS_OK(result)) { asprintf(err_str, "machine %s rejected the negotiate " "protocol. Error was : %s.\n", - remote_machine, cli_errstr(cli) ); + remote_machine, nt_errstr(result)); result = cli_nt_error(cli); cli_shutdown(cli); return result; diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index 915f73233d..9cb887ae51 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -740,6 +740,7 @@ static NTSTATUS fset_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp, psd = nc_psd; } +#if 0 if ((security_info_sent & DACL_SECURITY_INFORMATION) && psd->dacl != NULL && (psd->type & (SE_DESC_DACL_AUTO_INHERITED| @@ -755,6 +756,7 @@ static NTSTATUS fset_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp, } psd = new_psd; } +#endif if (DEBUGLEVEL >= 10) { DEBUG(10,("fset_nt_acl_tdb: storing tdb sd for file %s\n", diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 2edb441741..3c8f241ad9 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -579,6 +579,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, psd = nc_psd; } +#if 0 if ((security_info_sent & DACL_SECURITY_INFORMATION) && psd->dacl != NULL && (psd->type & (SE_DESC_DACL_AUTO_INHERITED| 
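Review bot: In `remote_password_change()` the context line `result = cli_nt_error(cli);` still runs after the new `result = cli_negprot(cli);`, so the status that was just formatted into `err_str` is overwritten before it is returned. Several of the new failure paths in `cli_negprot_recv()` (`NT_STATUS_INVALID_NETWORK_RESPONSE`, and `NT_STATUS_ACCESS_DENIED` for the signing checks) are returned directly and do not visibly set an error on `cli`, so `cli_nt_error(cli)` may not reflect them and the caller could receive a status that disagrees with the message, possibly a success code. Dropping the `result = cli_nt_error(cli);` line lets the function return the negprot status as-is. The function starts and ends outside this hunk.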
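Review bot: The `#if 0` added in `fset_nt_acl_tdb()` compiles out the branch that handled `DACL_SECURITY_INFORMATION` together with the auto-inherited type flags and ended in `psd = new_psd;`, and nothing in the hunk says why or for how long. This changes which security descriptor gets stored, so the reason belongs next to the code: a comment such as `/* Disabled: <reason, bug reference>; re-enable once <condition>. */` above the `#if 0`, or removal of the block if it is dead for good. The same unexplained `#if 0`/`#endif` pair is added to `fset_nt_acl_xattr()` in `vfs_acl_xattr.c`. Both functions extend beyond their hunks, so whether `new_psd` is still used elsewhere is not visible here.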
@@ -594,6 +595,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, } psd = new_psd; } +#endif if (DEBUGLEVEL >= 10) { DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n", diff --git a/source3/nmbd/nmbd_synclists.c b/source3/nmbd/nmbd_synclists.c index 5a2f5c46b4..9e09060f27 100644 --- a/source3/nmbd/nmbd_synclists.c +++ b/source3/nmbd/nmbd_synclists.c @@ -100,7 +100,8 @@ static void sync_child(char *name, int nm_type, return; } - if (!cli_negprot(cli)) { + status = cli_negprot(cli); + if (!NT_STATUS_IS_OK(status)) { cli_shutdown(cli); return; } diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c index c98d11426d..261d8fd670 100644 --- a/source3/smbd/oplock.c +++ b/source3/smbd/oplock.c @@ -821,10 +821,33 @@ void release_level_2_oplocks_on_change(files_struct *fsp) share_mode_entry_to_message(msg, share_entry); - messaging_send_buf(smbd_messaging_context(), share_entry->pid, - MSG_SMB_ASYNC_LEVEL2_BREAK, - (uint8 *)msg, - MSG_SMB_SHARE_MODE_ENTRY_SIZE); + /* + * Deal with a race condition when breaking level2 + * oplocks. Don't send all the messages and release + * the lock, this allows someone else to come in and + * get a level2 lock before any of the messages are + * processed, and thus miss getting a break message. + * Ensure at least one entry (the one we're breaking) + * is processed immediately under the lock and becomes + * set as NO_OPLOCK to stop any waiter getting a level2. + * Bugid #5980. + */ + + if (procid_is_me(&share_entry->pid)) { + DATA_BLOB blob = data_blob_const(msg, + MSG_SMB_SHARE_MODE_ENTRY_SIZE); + process_oplock_async_level2_break_message(smbd_messaging_context(), + NULL, + MSG_SMB_ASYNC_LEVEL2_BREAK, + share_entry->pid, + &blob); + } else { + messaging_send_buf(smbd_messaging_context(), + share_entry->pid, + MSG_SMB_ASYNC_LEVEL2_BREAK, + (uint8 *)msg, + MSG_SMB_SHARE_MODE_ENTRY_SIZE); + } } /* We let the message receivers handle removing the oplock state 
diff --git a/source3/torture/locktest.c b/source3/torture/locktest.c index 247c9abcc1..1bff95f4f3 100644 --- a/source3/torture/locktest.c +++ b/source3/torture/locktest.c @@ -212,8 +212,10 @@ static struct cli_state *connect_one(char *share, int snum) DEBUG(4,(" session request ok\n")); - if (!cli_negprot(c)) { - DEBUG(0,("protocol negotiation failed\n")); + status = cli_negprot(c); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("protocol negotiation failed: %s\n", + nt_errstr(status))); cli_shutdown(c); return NULL; } diff --git a/source3/torture/masktest.c b/source3/torture/masktest.c index 8fea15877f..2c3bda1d43 100644 --- a/source3/torture/masktest.c +++ b/source3/torture/masktest.c @@ -212,8 +212,10 @@ static struct cli_state *connect_one(char *share) DEBUG(4,(" session request ok\n")); - if (!cli_negprot(c)) { - DEBUG(0,("protocol negotiation failed\n")); + status = cli_negprot(c); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("protocol negotiation failed: %s\n", + nt_errstr(status))); cli_shutdown(c); return NULL; } diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 382b3b65eb..5584c22a8f 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -2346,7 +2346,7 @@ static bool run_negprot_nowait(int dummy) } for (i=0;i<50000;i++) { - cli_negprot_send(cli); + cli_negprot_sendsync(cli); } if (!torture_close_connection(cli)) { @@ -4726,6 +4726,7 @@ static bool run_error_map_extract(int dummy) { static struct cli_state *c_dos; static struct cli_state *c_nt; + NTSTATUS status; uint32 error; @@ -4744,8 +4745,11 @@ static bool run_error_map_extract(int dummy) { c_nt->use_spnego = False; - if (!cli_negprot(c_nt)) { - printf("%s rejected the NT-error negprot (%s)\n",host, cli_errstr(c_nt)); + status = cli_negprot(c_nt); + + if (!NT_STATUS_IS_OK(status)) { + printf("%s rejected the NT-error negprot (%s)\n", host, + nt_errstr(status)); cli_shutdown(c_nt); return False; } 
@@ -4765,8 +4769,10 @@ static bool run_error_map_extract(int dummy) { c_dos->use_spnego = False; c_dos->force_dos_errors = True; - if (!cli_negprot(c_dos)) { - printf("%s rejected the DOS-error negprot (%s)\n",host, cli_errstr(c_dos)); + status = cli_negprot(c_dos); + if (!NT_STATUS_IS_OK(status)) { + printf("%s rejected the DOS-error negprot (%s)\n", host, + nt_errstr(status)); cli_shutdown(c_dos); return False; } @@ -4839,9 +4845,10 @@ static bool run_sesssetup_bench(int dummy) return false; } - if (!cli_negprot(c)) { + status = cli_negprot(c); + if (!NT_STATUS_IS_OK(status)) { printf("%s rejected the NT-error negprot (%s)\n", host, - cli_errstr(c)); + nt_errstr(status)); cli_shutdown(c); return false; } diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index f69d3f9012..5c83b590c1 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6326,7 +6326,8 @@ bool net_rpc_check(struct net_context *c, unsigned flags) if (!attempt_netbios_session_request(&cli, global_myname(), server_name, &server_ss)) goto done; - if (!cli_negprot(cli)) + status = cli_negprot(cli); + if (!NT_STATUS_IS_OK(status)) goto done; if (cli->protocol < PROTOCOL_NT1) goto done; diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c index f569538fac..8be9ed922c 100644 --- a/source3/utils/net_time.c +++ b/source3/utils/net_time.c @@ -51,8 +51,10 @@ static time_t cli_servertime(const char *host, struct sockaddr_storage *pss, int fprintf(stderr,"Session request failed\n"); goto done; } - if (!cli_negprot(cli)) { - fprintf(stderr,"Protocol negotiation failed\n"); + status = cli_negprot(cli); + if (!NT_STATUS_IS_OK(status)) { + fprintf(stderr, "Protocol negotiation failed: %s\n", + nt_errstr(status)); goto done; } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 5f592fc6b7..3135b6a2a3 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -831,9 +831,10 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain, cli_setup_signing_state(*cli, Undefined); - if (!cli_negprot(*cli)) { - DEBUG(1, ("cli_negprot failed\n")); - result = NT_STATUS_UNSUCCESSFUL; + result = cli_negprot(*cli); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result))); goto done; } diff --git a/source4/libcli/auth/smbencrypt.c b/source4/libcli/auth/smbencrypt.c index b902dddb0f..bbb363e0dd 100644 --- a/source4/libcli/auth/smbencrypt.c +++ b/source4/libcli/auth/smbencrypt.c @@ -585,7 +585,7 @@ bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx, *new_pass = data_blob_talloc(mem_ctx, &in_buffer[512 - byte_len], byte_len); - if (!*new_pass->data) { + if (!new_pass->data) { return false; } diff --git a/source4/ntvfs/sysdep/sys_notify.c b/source4/ntvfs/sysdep/sys_notify.c index a27386bb13..117d16d20a 100644 --- a/source4/ntvfs/sysdep/sys_notify.c +++ b/source4/ntvfs/sysdep/sys_notify.c @@ -25,7 +25,7 @@ #include "includes.h" #include "system/filesys.h" #include "ntvfs/sysdep/sys_notify.h" -#include "lib/events/events.h" +#include "../lib/tevent/tevent.h" #include "../lib/util/dlinklist.h" #include "param/param.h" diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index b81f618a48..3711ed7bab 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -830,6 +830,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, message("Setting up sam.ldb AD schema") setup_add_ldif(samdb, setup_path("schema.ldif"), {"SCHEMADN": names.schemadn}) + setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), + {"SCHEMADN": names.schemadn}) message("Setting up sam.ldb configuration data") setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { 
diff --git a/source4/setup/ad-schema/MS-AD_Schema_Attributes_v20080618.txt b/source4/setup/ad-schema/MS-AD_Schema_Attributes_v20080618.txt index 324a5bf3f9..743e1d0abe 100644 --- a/source4/setup/ad-schema/MS-AD_Schema_Attributes_v20080618.txt +++ b/source4/setup/ad-schema/MS-AD_Schema_Attributes_v20080618.txt @@ -1654,7 +1654,6 @@ searchFlags: 0 rangeLower: 1
rangeUpper: 512
mapiID: 35943
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Employee-Type
@@ -1669,7 +1668,6 @@ searchFlags: fCOPY rangeLower: 1
rangeUpper: 256
mapiID: 35945
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Enabled
@@ -1756,7 +1754,6 @@ searchFlags: 0 mapiID: 32935
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-
systemOnly: TRUE
cn: Extended-Class-Info
@@ -2722,8 +2719,6 @@ mapiID: 14857 isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT
-systemFlags: 0
-
cn: Address-Home
ldapDisplayName: homePostalAddress
attributeId: 1.2.840.113556.1.2.617
@@ -2737,7 +2732,6 @@ rangeLower: 1 rangeUpper: 4096
attributeSecurityGuid: 77b5b886-944a-11d1-aebd-0000f80367c1
mapiID: 14941
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: host
@@ -2978,8 +2972,6 @@ mapiID: 32959 systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-searchFlags: 0
-
cn: IpHostNumber
ldapDisplayName: ipHostNumber
attributeId: 1.3.6.1.1.1.1.19
@@ -6280,7 +6272,7 @@ isSingleValued: TRUE systemOnly: FALSE
searchFlags: 0
rangeLower: 0
-schemaIdGuid:: 421f889a-472e-4fe4-8eb9-e1d0bc6071b2
+schemaIdGuid: 421f889a-472e-4fe4-8eb9-e1d0bc6071b2
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
@@ -6294,7 +6286,7 @@ systemOnly: FALSE searchFlags: 0
rangeLower: 0
rangeUpper: 65535
-schemaIdGuid:: b8c8c35e-4a19-4a95-99d0-69fe4446286f
+schemaIdGuid: b8c8c35e-4a19-4a95-99d0-69fe4446286f
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
@@ -6307,7 +6299,7 @@ isSingleValued: TRUE systemOnly: FALSE
searchFlags: 0
rangeLower: 0
-schemaIdGuid:: b05bda89-76af-468a-b892-1be55558ecc8
+schemaIdGuid: b05bda89-76af-468a-b892-1be55558ecc8
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
@@ -6717,7 +6709,7 @@ omSyntax: 1 isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
-schemaIdGuid:: 75ccdd8f-af6c-4487-bb4b-69e4d38a959c
+schemaIdGuid: 75ccdd8f-af6c-4487-bb4b-69e4d38a959c
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
@@ -7032,6 +7024,7 @@ schemaFlagsEx: FLAG_ATTR_IS_CRITICAL cn: ms-DS-Resultant-PSO
ldapDisplayName: msDS-ResultantPSO
+attributeId: 1.2.840.113556.1.4.2022
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
@@ -7494,7 +7487,7 @@ attributeSyntax: 2.5.5.10 omSyntax: 4
isSingleValued: TRUE
rangeUpper: 102400
-schemaIdGuid: 1fd55ea8-88a7-47dc-8129-0daa-97186a54
+schemaIdGuid: 1fd55ea8-88a7-47dc-8129-0daa97186a54
searchFlags: fRODCFilteredAttribute | fCONFIDENTIAL | fCOPY |fPRESERVEONDELETE
systemFlags: FLAG_SCHEMA_BASE_OBJECT
@@ -7522,7 +7515,6 @@ systemFlags: FLAG_SCHEMA_BASE_OBJECT cn: ms-FVE-VolumeGuid
ldapDisplayName: msFVE-VolumeGuid
-attributeId: 1.2.840.113556.1.4.1965
attributeId: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
@@ -8425,8 +8417,6 @@ rangeUpper: 128 isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
-systemFlags: FLAG_SCHEMA_BASE_OBJECT
-
cn: MSMQ-Version
ldapDisplayName: mSMQVersion
attributeId: 1.2.840.113556.1.4.942
@@ -12196,7 +12186,6 @@ systemOnly: TRUE searchFlags: 0
linkID: 101
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_NOT_REPLICATED
-
isSingleValued: TRUE
cn: Repl-Interval
@@ -12224,8 +12213,6 @@ isMemberOfPartialAttributeSet: TRUE systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_IS_OPERATIONAL |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER | FLAG_ATTR_NOT_REPLICATED
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER | FLAG_ATTR_NOT_REPLICATED
-
cn: Repl-Topology-Stay-Of-Execution
ldapDisplayName: replTopologyStayOfExecution
attributeId: 1.2.840.113556.1.4.677
@@ -12872,7 +12859,6 @@ searchFlags: 0 rangeLower: 1
rangeUpper: 64
mapiID: 33072
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Next-Level-Store
@@ -12929,7 +12915,6 @@ searchFlags: 0 linkID: 95
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_NOT_REPLICATED
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-
isSingleValued: TRUE
cn: Server-Role
@@ -12942,7 +12927,6 @@ schemaIdGuid: bf967a33-0de6-11d0-a285-00aa003049e2 systemOnly: FALSE
searchFlags: 0
attributeSecurityGuid: b8119fd0-04f6-4762-ab7a-4986c76b3f9a
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Server-State
@@ -13235,7 +13219,6 @@ attributeSecurityGuid: 59ba2f42-79a2-11d0-9020-00c04fc2d3cf isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-
systemOnly: TRUE
cn: Signature-Algorithms
@@ -13339,7 +13322,6 @@ isSingleValued: FALSE schemaIdGuid: 1be8f17c-a9ff-11d0-afe2-00c04fd930c9
systemOnly: FALSE
searchFlags: 0
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Surname
@@ -14442,7 +14424,6 @@ rangeUpper: 32768 attributeSecurityGuid: 77b5b886-944a-11d1-aebd-0000f80367c1
mapiID: 14960
isMemberOfPartialAttributeSet: TRUE
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: User-Workstations
@@ -14580,8 +14561,6 @@ isMemberOfPartialAttributeSet: TRUE systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_IS_OPERATIONAL |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
-
cn: Version-Number
ldapDisplayName: versionNumber
attributeId: 1.2.840.113556.1.4.141
@@ -14708,8 +14687,6 @@ isMemberOfPartialAttributeSet: TRUE systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-systemFlags: FLAG_SCHEMA_BASE_OBJECT
-
cn: Organization-Name
ldapDisplayName: o
attributeId: 2.5.4.10
@@ -14892,7 +14869,6 @@ mapiID: 32807 isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT |FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
-
systemOnly: FALSE
cn: Object-Version
@@ -14971,7 +14947,6 @@ isSingleValued: TRUE schemaIdGuid: 07383076-91df-11d1-aebc-0000f80367c1
systemOnly: FALSE
searchFlags: 0
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: OMT-Indx-Guid
@@ -15099,7 +15074,6 @@ isSingleValued: TRUE schemaIdGuid: 0738307b-91df-11d1-aebc-0000f80367c1
systemOnly: FALSE
searchFlags: 0
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: organizationalStatus
@@ -15244,7 +15218,6 @@ isSingleValued: TRUE schemaIdGuid: 0738307a-91df-11d1-aebc-0000f80367c1
systemOnly: FALSE
searchFlags: 0
-
systemFlags: FLAG_SCHEMA_BASE_OBJECT
cn: Phone-Office-Other
diff --git a/source4/setup/ad-schema/MS-AD_Schema_Classes_v20080618.txt b/source4/setup/ad-schema/MS-AD_Schema_Classes_v20080618.txt index cd784edfc3..e2655d57da 100644 --- a/source4/setup/ad-schema/MS-AD_Schema_Classes_v20080618.txt +++ b/source4/setup/ad-schema/MS-AD_Schema_Classes_v20080618.txt @@ -277,20 +277,20 @@ subClassOf: top systemMustContain: msDS-MaximumPasswordAge, msDS-MinimumPasswordAge,msDS-MinimumPasswordLength, msDS-PasswordComplexityEnabled,msDS-LockoutObservationWindow, msDS-LockoutDuration,msDS-LockoutThreshold, msDS-PasswordReversibleEncryptionEnabled,msDS-PasswordSettingsPrecedence, msDS-PasswordHistoryLength
systemMayContain: msDS-PSOAppliesTo
systemPossSuperiors: msDS-PasswordSettingsContainer
-schemaIdGuid:: 3bcd9db8-f84b-451c-952f-6c52b81f9ec6
+schemaIdGuid: 3bcd9db8-f84b-451c-952f-6c52b81f9ec6
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,<RootDomainDN>
systemFlags: FLAG_SCHEMA_BASE_OBJECT
-cn: ms-DS-Password-Settings
+cn: ms-DS-Password-Settings-Container
ldapDisplayName: msDS-PasswordSettingsContainer
governsId: 1.2.840.113556.1.5.256
objectClassCategory: 1
rdnAttId: cn
subClassOf: top
systemPossSuperiors: Container
-schemaIdGuid:: 5b06b06a-4cf3-44c0-bd16-43bc10a987da
+schemaIdGuid: 5b06b06a-4cf3-44c0-bd16-43bc10a987da
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Password-Settings-Container,CN=Schema,CN=Configuration,<RootDomainDN>
diff --git a/source4/setup/aggregate_schema.ldif b/source4/setup/aggregate_schema.ldif new file mode 100644 index 0000000000..2726704719 --- /dev/null +++ b/source4/setup/aggregate_schema.ldif @@ -0,0 +1,3 @@ +dn: CN=Aggregate,${SCHEMADN} +objectClass: top +objectClass: subSchema diff --git a/source4/setup/prefixMap.txt b/source4/setup/prefixMap.txt index 8ba9b9531c..267098000b 100644 --- a/source4/setup/prefixMap.txt +++ b/source4/setup/prefixMap.txt @@ -30,5 +30,12 @@ 29:1.3.6.1.4.1.250.1 30:1.2.840.113549.1.9 31:0.9.2342.19200300.100.4 -32:1.3.6.1.4.1.7165.4.1 -33:1.3.6.1.4.1.7165.4.2 +32:1.2.840.113556.1.6.23 +33:1.2.840.113556.1.6.18.1 +34:1.2.840.113556.1.6.18.2 +35:1.2.840.113556.1.6.13.3 +36:1.2.840.113556.1.6.13.4 +37:1.3.6.1.1.1.1 +38:1.3.6.1.1.1.2 +39:1.3.6.1.4.1.7165.4.1 +40:1.3.6.1.4.1.7165.4.2 diff --git a/source4/setup/schema.ldif b/source4/setup/schema.ldif index 40ef709ac3..56eb7ce0c0 100644 --- a/source4/setup/schema.ldif +++ b/source4/setup/schema.ldif @@ -10373,6 +10373,3 @@ systemFlags: 16 defaultHidingValue: TRUE defaultObjectCategory: CN=Group-Policy-Container,${SCHEMADN} -dn: CN=Aggregate,${SCHEMADN} -objectClass: top -objectClass: subSchema |
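Review bot: In `prefixMap.txt` the existing indices 32 and 33 are reassigned to `1.2.840.113556.1.6.23` and `1.2.840.113556.1.6.18.1`, and the two `1.3.6.1.4.1.7165.4.x` prefixes they used to name move to 39 and 40. If any already-provisioned database stores identifiers encoded against the old index values, those would now resolve to a different OID prefix; whether that applies depends on how the map is consumed, which this diff does not show. Appending the seven new prefixes as 34–40 and leaving 32 and 33 unchanged would avoid the renumbering. If the order has to match a reference map, a sentence in the commit message about re-provisioning would cover it.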