The Samba-Bugzilla – Attachment 16185 Details for
Bug 14465
idmap_ad does not deal properly with a RFC4511 section 4.4.1 response
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for 4.11
bug-14465-4.11.txt (text/plain), 42.52 KB, created by
Volker Lendecke
on 2020-08-25 19:59:53 UTC
(
hide
)
Description:
Patch for 4.11
Filename:
MIME Type:
Creator:
Volker Lendecke
Created:
2020-08-25 19:59:53 UTC
Size:
42.52 KB
patch
obsolete
>From de692970345c7b7e47b9d6bb8f6dfae70c44aecb Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 12 Aug 2020 15:48:01 +0200 >Subject: [PATCH 01/14] build: Wrap a long line > >There will be another entry in the next commit > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit c8c2f8ba73324ba43ccef9f6d1c0c726d7ec0d25) >--- > source4/torture/wscript_build | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > >diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build >index 573710d9180f..ea7653454890 100644 >--- a/source4/torture/wscript_build >+++ b/source4/torture/wscript_build >@@ -253,7 +253,17 @@ bld.SAMBA_MODULE('TORTURE_UNIX', > > > bld.SAMBA_MODULE('TORTURE_LDAP', >- source='ldap/common.c ldap/basic.c ldap/schema.c ldap/uptodatevector.c ldap/cldap.c ldap/netlogon.c ldap/cldapbench.c ldap/ldap_sort.c ldap/nested_search.c', >+ source=''' >+ ldap/common.c >+ ldap/basic.c >+ ldap/schema.c >+ ldap/uptodatevector.c >+ ldap/cldap.c >+ ldap/netlogon.c >+ ldap/cldapbench.c >+ ldap/ldap_sort.c >+ ldap/nested_search.c >+ ''', > subsystem='smbtorture', > deps='cli-ldap cli_cldap samdb popt POPT_CREDENTIALS torture ldbsamba', > internal_module=True, >-- >2.20.1 > > >From 1fa9f78d6336c493510067f78f55006fef59947d Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 12 Aug 2020 15:50:58 +0200 >Subject: [PATCH 02/14] torture: Test ldap session expiry > >LDAP connections should time out when the kerberos ticket used to authenticate >expires. Windows does this with a RFC4511 section 4.4.1 message (that as of >August 2020 is encoded not according to the RFC) followed by a TCP disconnect. > >ldb sees the section 4.4.1 as a protocol violation and returns >LDB_ERR_PROTOCOL_ERROR. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 35c4bb0b0c55a65490fe199edb1a534548104e95) >--- > selftest/knownfail.d/ldap | 1 + > source4/selftest/tests.py | 7 +- > source4/torture/ldap/common.c | 2 + > source4/torture/ldap/session_expiry.c | 121 ++++++++++++++++++++++++++ > source4/torture/wscript_build | 1 + > 5 files changed, 131 insertions(+), 1 deletion(-) > create mode 100644 source4/torture/ldap/session_expiry.c > >diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap >index 0331d3687d41..21c1aca7e6e7 100644 >--- a/selftest/knownfail.d/ldap >+++ b/selftest/knownfail.d/ldap >@@ -1,3 +1,4 @@ > # the attributes too long test returns the wrong error > ^samba4.ldap.python.+test_attribute_ranges_too_long > samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes >+^samba4.ldap.session-expiry.session-expiry\(ad_dc_default\) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 73f273d00452..c819a61418ff 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -152,7 +152,12 @@ for options in ['-U"$USERNAME%$PASSWORD"']: > "%s/test_ldb.sh ldapi $PREFIX_ABS/ad_dc_ntvfs/private/ldapi %s" % (bbdir, options)) > > for t in smbtorture4_testsuites("ldap."): >- plansmbtorture4testsuite(t, "ad_dc_default", '-U"$USERNAME%$PASSWORD" //$SERVER_IP/_none_') >+ if t == "ldap.session-expiry": >+ # This requires kerberos and thus the server name >+ plansmbtorture4testsuite( >+ t, "ad_dc_default", '-U"$USERNAME%$PASSWORD" //$DC_SERVER/_none_') >+ else: >+ plansmbtorture4testsuite(t, "ad_dc_default", '-U"$USERNAME%$PASSWORD" //$SERVER_IP/_none_') > > for t in smbtorture4_testsuites("dsdb."): > plansmbtorture4testsuite(t, "ad_dc:local", "localhost") >diff --git a/source4/torture/ldap/common.c b/source4/torture/ldap/common.c >index 9482e0392bcc..d16f611fa771 100644 >--- a/source4/torture/ldap/common.c >+++ b/source4/torture/ldap/common.c >@@ -124,6 +124,8 @@ NTSTATUS torture_ldap_init(TALLOC_CTX *ctx) > torture_suite_add_simple_test(suite, "schema", torture_ldap_schema); > torture_suite_add_simple_test(suite, "uptodatevector", torture_ldap_uptodatevector); > torture_suite_add_simple_test(suite, "nested-search", test_ldap_nested_search); >+ torture_suite_add_simple_test( >+ suite, "session-expiry", torture_ldap_session_expiry); > > suite->description = talloc_strdup(suite, "LDAP and CLDAP tests"); > >diff --git a/source4/torture/ldap/session_expiry.c b/source4/torture/ldap/session_expiry.c >new file mode 100644 >index 000000000000..35dda439b17f >--- /dev/null >+++ b/source4/torture/ldap/session_expiry.c >@@ -0,0 +1,121 @@ >+/* >+ * Unix SMB/CIFS implementation. >+ * >+ * Test LDB attribute functions >+ * >+ * Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008-2009 >+ * Copyright (C) Matthieu Patou <mat@matws.net> 2009 >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program. If not, see <http://www.gnu.org/licenses/>. >+ */ >+ >+#include "includes.h" >+#include "lib/events/events.h" >+#include <ldb.h> >+#include <ldb_errors.h> >+#include "ldb_wrap.h" >+#include "param/param.h" >+#include "lib/cmdline/popt_common.h" >+#include "auth/credentials/credentials.h" >+#include "libcli/ldap/ldap_client.h" >+#include "torture/smbtorture.h" >+#include "torture/ldap/proto.h" >+ >+bool torture_ldap_session_expiry(struct torture_context *torture) >+{ >+ const char *host = torture_setting_string(torture, "host", NULL); >+ struct cli_credentials *credentials = popt_get_cmdline_credentials(); >+ struct ldb_context *ldb = NULL; >+ const char *url = NULL; >+ bool ret = false; >+ bool ok; >+ struct ldb_dn *rootdn = NULL; >+ struct ldb_result *result = NULL; >+ int rc = LDB_SUCCESS; >+ >+ /* >+ * Further down we request a ticket lifetime of 4 >+ * seconds. Give the server 10 seconds for this to kick in >+ */ >+ const struct timeval endtime = timeval_current_ofs(10, 0); >+ >+ url = talloc_asprintf(torture, "ldap://%s/", host); >+ torture_assert_goto( >+ torture, url!=NULL, ret, fail, "talloc_asprintf failed"); >+ >+ cli_credentials_set_kerberos_state( >+ credentials, CRED_MUST_USE_KERBEROS); >+ >+ ok = lpcfg_set_option( >+ torture->lp_ctx, "gensec_gssapi:requested_life_time=4"); >+ torture_assert_goto( >+ torture, ok, ret, fail, "lpcfg_set_option failed"); >+ >+ ldb = ldb_wrap_connect( >+ torture, >+ torture->ev, >+ torture->lp_ctx, >+ url, >+ NULL, >+ credentials, >+ 0); >+ torture_assert_goto( >+ torture, ldb!=NULL, ret, fail, "ldb_wrap_connect failed"); >+ >+ rootdn = ldb_dn_new(ldb, ldb, NULL); >+ torture_assert_goto( >+ torture, rootdn!=NULL, ret, fail, "ldb_dn_new failed"); >+ >+ rc = ldb_search( >+ ldb, /* ldb */ >+ ldb, /* mem_ctx */ >+ &result, /* result */ >+ rootdn, /* base */ >+ LDB_SCOPE_BASE, /* scope */ >+ NULL, /* attrs */ >+ "(objectclass=*)"); /* exp_fmt */ >+ torture_assert_goto( >+ torture, rc==LDB_SUCCESS, ret, fail, "1st ldb_search failed"); >+ >+ do { >+ smb_msleep(1000); >+ >+ rc = ldb_search( >+ ldb, /* ldb */ >+ ldb, /* mem_ctx */ >+ &result, /* result */ >+ rootdn, /* base */ >+ LDB_SCOPE_BASE, /* scope */ >+ NULL, /* attrs */ >+ "(objectclass=*)"); /* exp_fmt */ >+ printf("ldb_search returned %s\n", ldb_strerror(rc)); >+ TALLOC_FREE(result); >+ >+ if (rc != LDB_SUCCESS) { >+ break; >+ } >+ } while (!timeval_expired(&endtime)); >+ >+ torture_assert_goto( >+ torture, >+ rc==LDB_ERR_PROTOCOL_ERROR, >+ ret, >+ fail, >+ "expected LDB_ERR_PROTOCOL_ERROR after 4 seconds"); >+ >+ ret = true; >+fail: >+ TALLOC_FREE(ldb); >+ return ret; >+} >diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build >index ea7653454890..9149d24ac118 100644 >--- a/source4/torture/wscript_build >+++ b/source4/torture/wscript_build >@@ -263,6 +263,7 @@ bld.SAMBA_MODULE('TORTURE_LDAP', > ldap/cldapbench.c > ldap/ldap_sort.c > ldap/nested_search.c >+ ldap/session_expiry.c > ''', > subsystem='smbtorture', > deps='cli-ldap cli_cldap samdb popt POPT_CREDENTIALS torture ldbsamba', >-- >2.20.1 > > >From 2f68ee4d44ff03d8c100063be963b1c86bbccd23 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 7 Aug 2020 13:40:58 +0200 >Subject: [PATCH 03/14] ldap_server: Add the krb5 expiry to conn->limits > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 77f72fb01faba45babfe6080f805361492ce49e5) >--- > source4/ldap_server/ldap_bind.c | 15 +++++++++++++++ > source4/ldap_server/ldap_server.c | 4 ++++ > source4/ldap_server/ldap_server.h | 1 + > 3 files changed, 20 insertions(+) > >diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c >index 5cddecd79be4..54493d040fff 100644 >--- a/source4/ldap_server/ldap_bind.c >+++ b/source4/ldap_server/ldap_bind.c >@@ -29,6 +29,7 @@ > #include "auth/gensec/gensec_tstream.h" > #include "param/param.h" > #include "../lib/util/tevent_ntstatus.h" >+#include "lib/util/time_basic.h" > > static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx, > HRESULT hresult, >@@ -483,6 +484,7 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq) > const char *errstr = NULL; > char *ldb_errstring = NULL; > DATA_BLOB output = data_blob_null; >+ NTTIME expire_time_nt; > > status = gensec_update_recv(subreq, call, &output); > TALLOC_FREE(subreq); >@@ -602,6 +604,19 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq) > goto do_reply; > } > >+ expire_time_nt = gensec_expire_time(conn->gensec); >+ if (expire_time_nt != GENSEC_EXPIRE_TIME_INFINITY) { >+ struct timeval_buf buf; >+ >+ nttime_to_timeval(&conn->limits.expire_time, expire_time_nt); >+ >+ DBG_DEBUG("Setting connection expire_time to %s\n", >+ timeval_str_buf(&conn->limits.expire_time, >+ false, >+ true, >+ &buf)); >+ } >+ > if (context != NULL) { > const void *ptr = NULL; > >diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c >index a9b162b284e6..3a37ddbcaf95 100644 >--- a/source4/ldap_server/ldap_server.c >+++ b/source4/ldap_server/ldap_server.c >@@ -47,6 +47,7 @@ > #include "../lib/util/tevent_ntstatus.h" > #include "../libcli/util/tstream.h" > #include "libds/common/roles.h" >+#include "lib/util/time.h" > > static void ldapsrv_terminate_connection_done(struct tevent_req *subreq); > >@@ -178,6 +179,9 @@ static int ldapsrv_load_limits(struct ldapsrv_connection *conn) > conn->limits.max_page_size = 1000; > conn->limits.max_notifications = 5; > conn->limits.search_timeout = 120; >+ conn->limits.expire_time = (struct timeval) { >+ .tv_sec = get_time_t_max(), >+ }; > > > tmp_ctx = talloc_new(conn); >diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h >index e1efe8a49438..74c19fd2fbc4 100644 >--- a/source4/ldap_server/ldap_server.h >+++ b/source4/ldap_server/ldap_server.h >@@ -61,6 +61,7 @@ struct ldapsrv_connection { > int max_notifications; > int search_timeout; > struct timeval endtime; >+ struct timeval expire_time; /* Krb5 ticket expiry */ > const char *reason; > } limits; > >-- >2.20.1 > > >From 0d88075111f02c29f40c138698bfd221027de2fa Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 10 Aug 2020 16:24:04 +0200 >Subject: [PATCH 04/14] ldap_server: Terminate LDAP connections on krb ticket > expiry > >See RFC4511 section 4.4.1 and > >https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html > >for details: Windows terminates LDAP connections when the krb5 ticket >expires, Samba should do the same. This patch slightly deviates from >Windows behaviour by sending a LDAP exop response with msgid 0 that is >ASN1-encoded conforming to RFC4511. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit eb72f887b0bf91c050fd5d911f58a1b3ff9b8bcc) >--- > selftest/knownfail.d/ldap | 1 - > source4/ldap_server/ldap_backend.c | 37 ++++++++++++++++++ > source4/ldap_server/ldap_server.c | 62 ++++++++++++++++++++++++++++++ > source4/ldap_server/ldap_server.h | 1 + > 4 files changed, 100 insertions(+), 1 deletion(-) > >diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap >index 21c1aca7e6e7..0331d3687d41 100644 >--- a/selftest/knownfail.d/ldap >+++ b/selftest/knownfail.d/ldap >@@ -1,4 +1,3 @@ > # the attributes too long test returns the wrong error > ^samba4.ldap.python.+test_attribute_ranges_too_long > samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes >-^samba4.ldap.session-expiry.session-expiry\(ad_dc_default\) >diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c >index bf724335a250..2839082daefd 100644 >--- a/source4/ldap_server/ldap_backend.c >+++ b/source4/ldap_server/ldap_backend.c >@@ -1384,11 +1384,48 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call) > return NT_STATUS_OK; > } > >+static NTSTATUS ldapsrv_expired(struct ldapsrv_call *call) >+{ >+ struct ldapsrv_reply *reply = NULL; >+ struct ldap_ExtendedResponse *r = NULL; >+ >+ DBG_DEBUG("Sending connection expired message\n"); >+ >+ reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse); >+ if (reply == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ /* >+ * According to RFC4511 section 4.4.1 this has a msgid of 0 >+ */ >+ reply->msg->messageid = 0; >+ >+ r = &reply->msg->r.ExtendedResponse; >+ r->response.resultcode = LDB_ERR_UNAVAILABLE; >+ r->response.errormessage = "The server has timed out this connection"; >+ r->oid = "1.3.6.1.4.1.1466.20036"; /* see rfc4511 section 4.4.1 */ >+ >+ ldapsrv_queue_reply(call, reply); >+ return NT_STATUS_OK; >+} >+ > NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call) > { > unsigned int i; > struct ldap_message *msg = call->request; >+ struct ldapsrv_connection *conn = call->conn; > NTSTATUS status; >+ bool expired; >+ >+ expired = timeval_expired(&conn->limits.expire_time); >+ if (expired) { >+ status = ldapsrv_expired(call); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ return NT_STATUS_NETWORK_SESSION_EXPIRED; >+ } > > /* Check for undecoded critical extensions */ > for (i=0; msg->controls && msg->controls[i]; i++) { >diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c >index 3a37ddbcaf95..fd2309b7ce3b 100644 >--- a/source4/ldap_server/ldap_server.c >+++ b/source4/ldap_server/ldap_server.c >@@ -69,6 +69,7 @@ static void ldapsrv_terminate_connection(struct ldapsrv_connection *conn, > > tevent_queue_stop(conn->sockets.send_queue); > TALLOC_FREE(conn->sockets.read_req); >+ TALLOC_FREE(conn->deferred_expire_disconnect); > if (conn->active_call) { > tevent_req_cancel(conn->active_call); > conn->active_call = NULL; >@@ -1016,16 +1017,62 @@ static struct tevent_req *ldapsrv_process_call_send(TALLOC_CTX *mem_ctx, > return req; > } > >+static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq); >+ > static void ldapsrv_process_call_trigger(struct tevent_req *req, > void *private_data) > { > struct ldapsrv_process_call_state *state = > tevent_req_data(req, > struct ldapsrv_process_call_state); >+ struct ldapsrv_connection *conn = state->call->conn; > NTSTATUS status; > >+ if (conn->deferred_expire_disconnect != NULL) { >+ /* >+ * Just drop this on the floor >+ */ >+ tevent_req_done(req); >+ return; >+ } >+ > /* make the call */ > status = ldapsrv_do_call(state->call); >+ >+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) { >+ /* >+ * For testing purposes, defer the TCP disconnect >+ * after having sent the msgid 0 >+ * 1.3.6.1.4.1.1466.20036 exop response. LDAP clients >+ * should not wait for the TCP connection to close but >+ * handle this packet equivalent to a TCP >+ * disconnect. This delay enables testing both cases >+ * in LDAP client libraries. >+ */ >+ >+ int defer_msec = lpcfg_parm_int( >+ conn->lp_ctx, >+ NULL, >+ "ldap_server", >+ "delay_expire_disconnect", >+ 0); >+ >+ conn->deferred_expire_disconnect = tevent_wakeup_send( >+ conn, >+ conn->connection->event.ctx, >+ timeval_current_ofs_msec(defer_msec)); >+ if (tevent_req_nomem(conn->deferred_expire_disconnect, req)) { >+ return; >+ } >+ tevent_req_set_callback( >+ conn->deferred_expire_disconnect, >+ ldapsrv_disconnect_ticket_expired, >+ conn); >+ >+ tevent_req_done(req); >+ return; >+ } >+ > if (!NT_STATUS_IS_OK(status)) { > tevent_req_nterror(req, status); > return; >@@ -1034,6 +1081,21 @@ static void ldapsrv_process_call_trigger(struct tevent_req *req, > tevent_req_done(req); > } > >+static void ldapsrv_disconnect_ticket_expired(struct tevent_req *subreq) >+{ >+ struct ldapsrv_connection *conn = tevent_req_callback_data( >+ subreq, struct ldapsrv_connection); >+ bool ok; >+ >+ ok = tevent_wakeup_recv(subreq); >+ TALLOC_FREE(subreq); >+ if (!ok) { >+ DBG_WARNING("tevent_wakeup_recv failed\n"); >+ } >+ conn->deferred_expire_disconnect = NULL; >+ ldapsrv_terminate_connection(conn, "network session expired"); >+} >+ > static NTSTATUS ldapsrv_process_call_recv(struct tevent_req *req) > { > NTSTATUS status; >diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h >index 74c19fd2fbc4..c94bd914b9b7 100644 >--- a/source4/ldap_server/ldap_server.h >+++ b/source4/ldap_server/ldap_server.h >@@ -66,6 +66,7 @@ struct ldapsrv_connection { > } limits; > > struct tevent_req *active_call; >+ struct tevent_req *deferred_expire_disconnect; > > struct ldapsrv_call *pending_calls; > }; >-- >2.20.1 > > >From 815af91887a60da0867fa5c574a064ac3a4e9a22 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 16:16:12 +0200 >Subject: [PATCH 05/14] tldap: Only free() ld->pending if "req" is part of it > >Best reviewed with "git show -U10". We need to check that "req" is >actually the last request that is being freed before freeing the whole >array. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit b85dbc9ccf80d8c19aff33c1da83954e5d6a37ef) >--- > source3/lib/tldap.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index bf5fc05d785e..9da0e0c086e6 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -492,11 +492,6 @@ static void tldap_msg_unset_pending(struct tevent_req *req) > > tevent_req_set_cleanup_fn(req, NULL); > >- if (num_pending == 1) { >- TALLOC_FREE(ld->pending); >- return; >- } >- > for (i=0; i<num_pending; i++) { > if (req == ld->pending[i]) { > break; >@@ -511,6 +506,11 @@ static void tldap_msg_unset_pending(struct tevent_req *req) > return; > } > >+ if (num_pending == 1) { >+ TALLOC_FREE(ld->pending); >+ return; >+ } >+ > /* > * Remove ourselves from the cli->pending array > */ >-- >2.20.1 > > >From d34b4fbdd6b0e5bbab123285d593924496eb42a4 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 16:54:34 +0200 >Subject: [PATCH 06/14] tldap: Fix tldap_msg_received() > >The callback of "req" might have destroyed "ld", we can't reference >this anymore after calling tevent_req_done(req). Defer calling the >callbacks, which also means that the callbacks can't have added >anything to ld->pending. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit f816ccb8f4d212fe7f6bf36f90cbb9297c899786) >--- > source3/lib/tldap.c | 10 +--------- > 1 file changed, 1 insertion(+), 9 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 9da0e0c086e6..9274db126c46 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -677,21 +677,13 @@ static void tldap_msg_received(struct tevent_req *subreq) > tldap_msg_unset_pending(req); > num_pending = talloc_array_length(ld->pending); > >+ tevent_req_defer_callback(req, state->ev); > tevent_req_done(req); > > done: > if (num_pending == 0) { > return; > } >- if (talloc_array_length(ld->pending) > num_pending) { >- /* >- * The callback functions called from tevent_req_done() above >- * have put something on the pending queue. We don't have to >- * trigger the read_ldap_send(), tldap_msg_set_pending() has >- * done it for us already. >- */ >- return; >- } > > state = tevent_req_data(ld->pending[0], struct tldap_msg_state); > subreq = read_ldap_send(ld->pending, state->ev, ld->conn); >-- >2.20.1 > > >From 20788ea6c50b4355c20ad3c82d0313df0a05df1b Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 17 Aug 2020 21:59:48 +0200 >Subject: [PATCH 07/14] tldap: Always remove ourselves from ld->pending at > cleanup time > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 14f6d1996ec38620b1c05a3b6c0e26dd21801fac) >--- > source3/lib/tldap.c | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 9274db126c46..09f8446677d7 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -529,14 +529,7 @@ static void tldap_msg_unset_pending(struct tevent_req *req) > static void tldap_msg_cleanup(struct tevent_req *req, > enum tevent_req_state req_state) > { >- switch (req_state) { >- case TEVENT_REQ_USER_ERROR: >- case TEVENT_REQ_RECEIVED: >- tldap_msg_unset_pending(req); >- return; >- default: >- return; >- } >+ tldap_msg_unset_pending(req); > } > > static bool tldap_msg_set_pending(struct tevent_req *req) >-- >2.20.1 > > >From c5c6a361459dd84bdc4d05ae999365e69fd84ff6 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 17:14:14 +0200 >Subject: [PATCH 08/14] tldap: Maintain the ldap read request in tldap_context > >Required for proper connection rundown, we need to TALLOC_FREE() the >read request before shutting down the tstream > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit cb852c9dc0d0fa1d3e7473082ad6b460106b314b) >--- > source3/lib/tldap.c | 17 +++++++++-------- > 1 file changed, 9 insertions(+), 8 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 09f8446677d7..3bf58d0df3e6 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -87,6 +87,7 @@ struct tldap_context { > int msgid; > struct tevent_queue *outgoing; > struct tevent_req **pending; >+ struct tevent_req *read_req; > > /* For the sync wrappers we need something like get_last_error... */ > struct tldap_message *last_msg; >@@ -539,7 +540,6 @@ static bool tldap_msg_set_pending(struct tevent_req *req) > struct tldap_context *ld; > struct tevent_req **pending; > int num_pending; >- struct tevent_req *subreq; > > ld = state->ld; > num_pending = tldap_pending_reqs(ld); >@@ -553,7 +553,7 @@ static bool tldap_msg_set_pending(struct tevent_req *req) > ld->pending = pending; > tevent_req_set_cleanup_fn(req, tldap_msg_cleanup); > >- if (num_pending > 0) { >+ if (ld->read_req != NULL) { > return true; > } > >@@ -561,12 +561,12 @@ static bool tldap_msg_set_pending(struct tevent_req *req) > * We're the first one, add the read_ldap request that waits for the > * answer from the server > */ >- subreq = read_ldap_send(ld->pending, state->ev, ld->conn); >- if (subreq == NULL) { >+ ld->read_req = read_ldap_send(ld->pending, state->ev, ld->conn); >+ if (ld->read_req == NULL) { > tldap_msg_unset_pending(req); > return false; > } >- tevent_req_set_callback(subreq, tldap_msg_received, ld); >+ tevent_req_set_callback(ld->read_req, tldap_msg_received, ld); > return true; > } > >@@ -619,6 +619,7 @@ static void tldap_msg_received(struct tevent_req *subreq) > > received = read_ldap_recv(subreq, talloc_tos(), &inbuf, &err); > TALLOC_FREE(subreq); >+ ld->read_req = NULL; > if (received == -1) { > ld->server_down = true; > status = TLDAP_SERVER_DOWN; >@@ -679,12 +680,12 @@ static void tldap_msg_received(struct tevent_req *subreq) > } > > state = tevent_req_data(ld->pending[0], struct tldap_msg_state); >- subreq = read_ldap_send(ld->pending, state->ev, ld->conn); >- if (subreq == NULL) { >+ ld->read_req = read_ldap_send(ld->pending, state->ev, ld->conn); >+ if (ld->read_req == NULL) { > status = TLDAP_NO_MEMORY; > goto fail; > } >- tevent_req_set_callback(subreq, tldap_msg_received, ld); >+ tevent_req_set_callback(ld->read_req, tldap_msg_received, ld); > return; > > fail: >-- >2.20.1 > > >From 194bdd78f5b353743bf3f70e7833663b389c9797 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 17:30:22 +0200 >Subject: [PATCH 09/14] tldap: Centralize connection rundown on error > >Whenever send or recv return -1, we have to cancel all pending >requests and our transport stream is no longer usable: Discard it upon >such an error. > >To avoid duplicate state, tldap_connection_ok() now looks at whether >we have a tstream_context around. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit f745f5b12560dbcb7be6f3ffb3bc10704c87149c) >--- > source3/lib/tldap.c | 72 +++++++++++++++++++++++++++++++++++++-------- > 1 file changed, 60 insertions(+), 12 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 3bf58d0df3e6..de9f0c70ff11 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -83,7 +83,6 @@ struct tldap_ctx_attribute { > struct tldap_context { > int ld_version; > struct tstream_context *conn; >- bool server_down; > int msgid; > struct tevent_queue *outgoing; > struct tevent_req **pending; >@@ -186,10 +185,22 @@ struct tldap_context *tldap_context_create(TALLOC_CTX *mem_ctx, int fd) > > bool tldap_connection_ok(struct tldap_context *ld) > { >+ int ret; >+ > if (ld == NULL) { > return false; > } >- return !ld->server_down; >+ >+ if (ld->conn == NULL) { >+ return false; >+ } >+ >+ ret = tstream_pending_bytes(ld->conn); >+ if (ret == -1) { >+ return false; >+ } >+ >+ return true; > } > > static size_t tldap_pending_reqs(struct tldap_context *ld) >@@ -425,6 +436,43 @@ static bool tldap_push_controls(struct asn1_data *data, > return asn1_pop_tag(data); /* ASN1_CONTEXT(0) */ > } > >+#define tldap_context_disconnect(ld, status) \ >+ _tldap_context_disconnect(ld, status, __location__) >+ >+static void _tldap_context_disconnect(struct tldap_context *ld, >+ TLDAPRC status, >+ const char *location) >+{ >+ if (ld->conn == NULL) { >+ /* >+ * We don't need to tldap_debug() on >+ * a potential 2nd run. >+ * >+ * The rest of the function would just >+ * be a noop for the 2nd run anyway. >+ */ >+ return; >+ } >+ >+ tldap_debug(ld, TLDAP_DEBUG_WARNING, >+ "tldap_context_disconnect: %s at %s\n", >+ tldap_rc2string(status), >+ location); >+ tevent_queue_stop(ld->outgoing); >+ TALLOC_FREE(ld->read_req); >+ TALLOC_FREE(ld->conn); >+ >+ while (talloc_array_length(ld->pending) > 0) { >+ struct tevent_req *req = NULL; >+ struct tldap_msg_state *state = NULL; >+ >+ req = ld->pending[0]; >+ state = tevent_req_data(req, struct tldap_msg_state); >+ tevent_req_defer_callback(req, state->ev); >+ tevent_req_ldap_error(req, status); >+ } >+} >+ > static void tldap_msg_sent(struct tevent_req *subreq); > static void tldap_msg_received(struct tevent_req *subreq); > >@@ -438,6 +486,7 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, > struct tevent_req *req, *subreq; > struct tldap_msg_state *state; > DATA_BLOB blob; >+ bool ok; > > tldap_debug(ld, TLDAP_DEBUG_TRACE, "tldap_msg_send: sending msg %d\n", > id); >@@ -450,7 +499,8 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, > state->ev = ev; > state->id = id; > >- if (state->ld->server_down) { >+ ok = tldap_connection_ok(ld); >+ if (!ok) { > tevent_req_ldap_error(req, TLDAP_SERVER_DOWN); > return tevent_req_post(req, ev); > } >@@ -582,7 +632,7 @@ static void tldap_msg_sent(struct tevent_req *subreq) > nwritten = tstream_writev_queue_recv(subreq, &err); > TALLOC_FREE(subreq); > if (nwritten == -1) { >- state->ld->server_down = true; >+ tldap_context_disconnect(state->ld, TLDAP_SERVER_DOWN); > tevent_req_ldap_error(req, TLDAP_SERVER_DOWN); > return; > } >@@ -612,7 +662,7 @@ static void tldap_msg_received(struct tevent_req *subreq) > ssize_t received; > size_t num_pending; > int i, err; >- TLDAPRC status; >+ TLDAPRC status = TLDAP_PROTOCOL_ERROR; > int id; > uint8_t type; > bool ok; >@@ -621,13 +671,16 @@ static void tldap_msg_received(struct tevent_req *subreq) > TALLOC_FREE(subreq); > ld->read_req = NULL; > if (received == -1) { >- ld->server_down = true; > status = TLDAP_SERVER_DOWN; > goto fail; > } > > data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH); > if (data == NULL) { >+ /* >+ * We have to disconnect all, we can't tell which of >+ * the requests this reply is for. >+ */ > status = TLDAP_NO_MEMORY; > goto fail; > } >@@ -689,12 +742,7 @@ static void tldap_msg_received(struct tevent_req *subreq) > return; > > fail: >- while (talloc_array_length(ld->pending) > 0) { >- req = ld->pending[0]; >- state = tevent_req_data(req, struct tldap_msg_state); >- tevent_req_defer_callback(req, state->ev); >- tevent_req_ldap_error(req, status); >- } >+ tldap_context_disconnect(ld, status); > } > > static TLDAPRC tldap_msg_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, >-- >2.20.1 > > >From df8feb164a6e044e76f417a4209f4636e3688332 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 17:44:42 +0200 >Subject: [PATCH 10/14] tldap: Make sure all requests are cancelled on rundown > >Put messages into the ld->pending array before sending them out, not >after they have been sent. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 2a2a6b27cccb2409d321c7e03feb8baa047d1bf4) >--- > source3/lib/tldap.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index de9f0c70ff11..52012ab9a55e 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -29,6 +29,7 @@ > #include "../lib/util/tevent_unix.h" > > static TLDAPRC tldap_simple_recv(struct tevent_req *req); >+static bool tldap_msg_set_pending(struct tevent_req *req); > > #define TEVENT_TLDAP_RC_MAGIC (0x87bcd26e) > >@@ -521,6 +522,11 @@ static struct tevent_req *tldap_msg_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >+ if (!tldap_msg_set_pending(req)) { >+ tevent_req_oom(req); >+ return tevent_req_post(req, ev);; >+ } >+ > state->iov.iov_base = (void *)blob.data; > state->iov.iov_len = blob.length; > >@@ -633,12 +639,6 @@ static void tldap_msg_sent(struct tevent_req *subreq) > TALLOC_FREE(subreq); > if (nwritten == -1) { > tldap_context_disconnect(state->ld, TLDAP_SERVER_DOWN); >- tevent_req_ldap_error(req, TLDAP_SERVER_DOWN); >- return; >- } >- >- if (!tldap_msg_set_pending(req)) { >- tevent_req_oom(req); > return; > } > } >-- >2.20.1 > > >From 4257dae23207f8930f17880c68fe7f71c274944d Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 12 Aug 2020 13:26:18 +0200 >Subject: [PATCH 11/14] tldap: Add PRINTF_ATTRIBUTE declaration to > tldap_debug() > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit a2b281bed022c04427ef478529462ff84fe42908) >--- > source3/lib/tldap.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 52012ab9a55e..af6959ee895a 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -133,6 +133,11 @@ void tldap_set_debug(struct tldap_context *ld, > ld->log_private = log_private; > } > >+static void tldap_debug( >+ struct tldap_context *ld, >+ enum tldap_debug_level level, >+ const char *fmt, ...) PRINTF_ATTRIBUTE(3,4); >+ > static void tldap_debug(struct tldap_context *ld, > enum tldap_debug_level level, > const char *fmt, ...) >-- >2.20.1 > > >From f6f623cfa7e6e3c52d533b3e34bd385cd214cd6e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 11 Aug 2020 18:24:39 +0200 >Subject: [PATCH 12/14] idmap_ad: Pass tldap debug messages on to DEBUG() > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 7af2df01dff62d6d9ca572f320ef60dea41d6064) >--- > source3/winbindd/idmap_ad.c | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > >diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c >index 6d879cdf4d7b..3bfeeee2d74b 100644 >--- a/source3/winbindd/idmap_ad.c >+++ b/source3/winbindd/idmap_ad.c >@@ -254,6 +254,41 @@ static TLDAPRC get_posix_schema_names(struct tldap_context *ld, > return TLDAP_SUCCESS; > } > >+static void idmap_ad_tldap_debug(void *log_private, >+ enum tldap_debug_level level, >+ const char *fmt, >+ va_list ap) >+{ >+ int samba_level = -1; >+ >+ switch (level) { >+ case TLDAP_DEBUG_FATAL: >+ samba_level = DBGLVL_ERR; >+ break; >+ case TLDAP_DEBUG_ERROR: >+ samba_level = DBGLVL_ERR; >+ break; >+ case TLDAP_DEBUG_WARNING: >+ samba_level = DBGLVL_WARNING; >+ break; >+ case TLDAP_DEBUG_TRACE: >+ samba_level = DBGLVL_DEBUG; >+ break; >+ } >+ >+ if (CHECK_DEBUGLVL(samba_level)) { >+ char *s = NULL; >+ int ret; >+ >+ ret = vasprintf(&s, fmt, ap); >+ if (ret == -1) { >+ return; >+ } >+ DEBUG(samba_level, ("idmap_ad_tldap: %s", s)); >+ free(s); >+ } >+} >+ > static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, > const char *domname, > struct tldap_context **pld) >@@ -307,6 +342,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, > TALLOC_FREE(dcinfo); > return NT_STATUS_NO_MEMORY; > } >+ tldap_set_debug(ld, idmap_ad_tldap_debug, NULL); > > /* > * Here we use or own machine account as >-- >2.20.1 > > >From 7fffedae3c6d9c427b8c0868af1811882e5c0d5c Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 13 Aug 2020 14:59:58 +0200 >Subject: [PATCH 13/14] test: Test winbind idmap_ad ticket expiry behaviour > >We need to make sure that winbind's idmap_ad deals fine with an >expired krb ticket used to connect to AD via LDAP. In a customer >situation we have seen the RFC4511 section 4.4.1 unsolicited ldap exop >response coming through, but the TCP disconnect that Windows seems to >do after that did not make it. Winbind deals fine with a TCP >disconnect, but right now it does not handle just the section 4.4.1 >response properly: It completely hangs. > >This test requests a ticket valid for 5 seconds and makes the LDAP >server postpone the TCP disconnect after the ticket expiry for 10 >seconds. The tests that winbind reacts to the ticket expiry exop >response by making sure in this situation the wbinfo call running into >the issue takes less than 8 seconds. If it did not look at the expiry >exop response, it would take more than 10 seconds. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit a4ecd112e7754ab25bcae749594952a28c4c8905) >--- > nsswitch/tests/test_ticket_expiry.sh | 74 ++++++++++++++++++++++++++++ > selftest/knownfail.d/ticket_expiry | 1 + > selftest/target/Samba3.pm | 1 + > selftest/target/Samba4.pm | 6 ++- > source3/selftest/tests.py | 5 ++ > 5 files changed, 86 insertions(+), 1 deletion(-) > create mode 100755 nsswitch/tests/test_ticket_expiry.sh > create mode 100644 selftest/knownfail.d/ticket_expiry > >diff --git a/nsswitch/tests/test_ticket_expiry.sh b/nsswitch/tests/test_ticket_expiry.sh >new file mode 100755 >index 000000000000..3b98b0fe87af >--- /dev/null >+++ b/nsswitch/tests/test_ticket_expiry.sh >@@ -0,0 +1,74 @@ >+#!/bin/sh >+# Test winbind ad backend behaviour when the kerberos ticket expires >+ >+if [ $# -ne 1 ]; then >+ echo Usage: $0 DOMAIN >+ exit 1 >+fi >+ >+DOMAIN="$1" >+ >+wbinfo="$VALGRIND $BINDIR/wbinfo" >+net="$VALGRIND $BINDIR/net" >+ >+failed=0 >+ >+. `dirname $0`/../../testprogs/blackbox/subunit.sh >+ >+DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") >+if [ $? -ne 0 ] ; then >+ echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad" >+ exit 1 >+fi >+ADMINS_SID="$DOMAIN_SID-512" >+ >+# Previous tests might have put in a mapping >+$net cache del IDMAP/SID2XID/"$ADMINS_SID" >+ >+# Trigger a winbind ad connection with a 5-second ticket lifetime, >+# see the smb.conf for the ad_member_idmap_ad environment we're in >+# >+# We expect failure here because there are no mappings in AD. In this >+# test we are only interested in the winbind LDAP connection as such, >+# we don't really care whether idmap_ad works fine. This is done in >+# different tests. And a negative lookup also triggers the LDAP >+# connection. >+ >+testit_expect_failure "Deleting0 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || >+ failed=$(expr $failed + 1) >+ >+testit_expect_failure "Expecting failure1, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" || >+ failed=$(expr $failed + 1) >+ >+testit "Deleting1 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || >+ failed=$(expr $failed + 1) >+ >+# allow our kerberos ticket to expire >+testit "Sleeping for 6 seconds" sleep 6 || failed=$(expr $failed + 1) >+ >+# Try again, check how long it took to recover from ticket expiry >+# >+# On the LDAP connection two things happen: First we get an >+# unsolicited exop response telling us the network session was >+# abandoned, and secondly the LDAP server will kill the TCP >+# connection. Our ldap server is configured to defer the TCP >+# disconnect by 10 seconds. We need to make sure that winbind already >+# reacts to the unsolicited exop reply, discarding the connection. The >+# only way is to make sure the following wbinfo does not take too >+# long. >+ >+# We need to do the test command in this funny way as on gitlab we're >+# using the bash builtin >+ >+START=$(date +%s) >+testit_expect_failure "Expecting failure2, no mapping in AD" $wbinfo --sid-to-gid "$ADMINS_SID" || >+ failed=$(expr $failed + 1) >+END=$(date +%s) >+DURATION=$(expr $END - $START) >+testit "timeout DURATION[$DURATION] < 8" test "$DURATION" -le 8 || >+ failed=$(expr $failed + 1) >+ >+testit "Deleting2 IDMAP/SID2XID/$ADMINS_SID" $net cache del IDMAP/SID2XID/"$ADMINS_SID" || >+ failed=$(expr $failed + 1) >+ >+exit $failed >diff --git a/selftest/knownfail.d/ticket_expiry b/selftest/knownfail.d/ticket_expiry >new file mode 100644 >index 000000000000..04e508a9f8e6 >--- /dev/null >+++ b/selftest/knownfail.d/ticket_expiry >@@ -0,0 +1 @@ >+idmap_ad.ticket_expiry.timeout.DURATION.*\(ad_member_idmap_ad:local\) >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index a15979199f0b..c22c567cd654 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -728,6 +728,7 @@ sub setup_ad_member_idmap_ad > idmap config $dcvars->{DOMAIN} : range = 2000000-2999999 > idmap config $dcvars->{TRUST_DOMAIN} : backend = ad > idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 >+ gensec_gssapi:requested_life_time = 5 > "; > > my $ret = $self->provision($prefix, $dcvars->{DOMAIN}, >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index a599099c59db..4758a5513d14 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1709,7 +1709,11 @@ sub provision_fl2008r2dc($$$) > my ($self, $prefix, $dcvars) = @_; > > print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n"; >- my $extra_conf_options = "ldap server require strong auth = no"; >+ my $extra_conf_options = " >+ ldap server require strong auth = no >+ # delay by 10 seconds, 10^7 usecs >+ ldap_server:delay_expire_disconnect = 10000 >+"; > my $extra_provision_options = ["--use-ntvfs", "--base-schema=2008_R2"]; > my $ret = $self->provision($prefix, > "domain controller", >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 817fc783062a..430a7e327f2a 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -719,6 +719,11 @@ for t in tests: > plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') > plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD') > >+plantestsuite( >+ "idmap_ad.ticket_expiry", >+ "ad_member_idmap_ad:local", >+ [os.path.join(samba3srcdir, "../nsswitch/tests/test_ticket_expiry.sh"), >+ '$DOMAIN']) > > test = 'rpc.lsa.lookupsids' > auth_options = ["", "ntlm", "spnego", "spnego,ntlm", "spnego,smb1", "spnego,smb2"] >-- >2.20.1 > > >From c5e3fd2bacd39aafb8c42617bba396f0b48324e8 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 11 Aug 2020 18:09:14 +0200 >Subject: [PATCH 14/14] tldap: Receiving "msgid == 0" means the connection is > dead > >We never use msgid=0, see tldap_next_msgid(). RFC4511 section 4.4.1 >says that the unsolicited disconnect response uses msgid 0. We don't >parse this message, which supposedly is an extended response: Windows >up to 2019 sends an extended response in an ASN.1 encoding that does >not match RFC4511. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Volker Lendecke <vl@samba.org> >Autobuild-Date(master): Fri Aug 21 20:37:25 UTC 2020 on sn-devel-184 > >(cherry picked from commit ccaf661f7c75717341140e3fbfb2a48f96ea952c) >--- > selftest/knownfail.d/ticket_expiry | 1 - > source3/lib/tldap.c | 11 +++++++++++ > 2 files changed, 11 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/ticket_expiry > >diff --git a/selftest/knownfail.d/ticket_expiry b/selftest/knownfail.d/ticket_expiry >deleted file mode 100644 >index 04e508a9f8e6..000000000000 >--- a/selftest/knownfail.d/ticket_expiry >+++ /dev/null >@@ -1 +0,0 @@ >-idmap_ad.ticket_expiry.timeout.DURATION.*\(ad_member_idmap_ad:local\) >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index af6959ee895a..0e39a3077285 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -704,6 +704,17 @@ static void tldap_msg_received(struct tevent_req *subreq) > tldap_debug(ld, TLDAP_DEBUG_TRACE, "tldap_msg_received: got msg %d " > "type %d\n", id, (int)type); > >+ if (id == 0) { >+ tldap_debug( >+ ld, >+ TLDAP_DEBUG_WARNING, >+ "tldap_msg_received: got msgid 0 of " >+ "type %"PRIu8", disconnecting\n", >+ type); >+ tldap_context_disconnect(ld, TLDAP_SERVER_DOWN); >+ return; >+ } >+ > num_pending = talloc_array_length(ld->pending); > > for (i=0; i<num_pending; i++) { >-- >2.20.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
cs
:
review+
vl
:
ci-passed+
Actions:
View
Attachments on
bug 14465
:
16183
|
16184
| 16185