Christof Schmitt | 1 Jul 21:04 2016

[PATCH] gensec: Change log level for message when obtaining PAC from gss_get_name_attribute failed

From f561450f92d5b614be51e11bcf52aabb1d26dcad Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs <at>>
Date: Fri, 1 Jul 2016 11:52:15 -0700
Subject: [PATCH] gensec: Change log level for message when obtaining PAC from
 gss_get_name_attribute failed

This is the second part for the issue from commit 8bb4fccd. A KDC that
does not return a PAC first triggers this message, then the "resorting
to local user lookup" one. Change the log level for the "obtaining PAC
via GSSAPI gss_get_name_attribute" message as well to avoid spamming the
logs during normal usage. While changing this message, also remove the
discard_const since it is no longer required.

Signed-off-by: Christof Schmitt <cs <at>>
 auth/kerberos/gssapi_pac.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 685d0ec..8bbd19c 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
 <at>  <at>  -112,12 +112,10  <at>  <at>  NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 		&pac_buffer, &pac_display_buffer, &more);

 	if (gss_maj != 0) {
-		DEBUG(0, ("obtaining PAC via GSSAPI gss_get_name_attribute failed: %s\n",
-			  gssapi_error_string(mem_ctx,
-					      gss_maj,
-					      gss_min,
(Continue reading)

Jeremy Allison | 1 Jul 20:25 2016

Re: [PATCH] Remove fcntl calls in tdb

On Fri, Jul 01, 2016 at 09:22:54AM +1200, Bob Campbell wrote:
> Hi Jeremy,
> A patch for this is attached. We've put an extra return under where it
> calls tdb_increment_seqnum_nonblock; I think this is the correct behavior.
> Thanks.

LGTM. Ralph, are you OK with this also ?

> From 675c775ed01fe089e7f5a8fb75ec53b6d8cc50de Mon Sep 17 00:00:00 2001
> From: Bob Campbell <bobcampbell <at>>
> Date: Thu, 30 Jun 2016 09:51:23 +1200
> Subject: [PATCH] tdb: avoid many fcntl calls when incrementing seqnum
> Signed-off-by: Bob Campbell <bobcampbell <at>>
> Signed-off-by: Garming Sam <garming <at>>
> Pair-programmed-with: Garming Sam <garming <at>>
> ---
>  lib/tdb/common/tdb.c | 5 +++++
>  1 file changed, 5 insertions(+)
> diff --git a/lib/tdb/common/tdb.c b/lib/tdb/common/tdb.c
> index 9885d8c..dd93680 100644
> --- a/lib/tdb/common/tdb.c
> +++ b/lib/tdb/common/tdb.c
>  <at>  <at>  -59,6 +59,11  <at>  <at>  static void tdb_increment_seqnum(struct tdb_context *tdb)
>  		return;
>  	}
(Continue reading)

Steve French | 1 Jul 17:23 2016

ctdb getdbmap doesn't include registry.tdb

How do you tell ctdb to manage registry.tdb?

In a test system, I just ran "ctdb getdbmap" I noticed that
registry.tdb was not included in the list, although 17 others are (see
below).  smb.conf does have include = registry, and net conf list
shows a few config parms.  Presumably the registry.tdb needs to be
upgraded to be clustered, perhaps the problem is caused if any
registry commands (net conf) are issued prior to starting ctdb?

# ctdb getdbmap

Number of databases:17

dbid:0x5bcfcbd7 name:printer_list.tdb path:/var/lib/ctdb/printer_list.tdb.0

dbid:0x66f71b8c name:smbXsrv_open_global.tdb

dbid:0x3ef19640 name:passdb.tdb
path:/var/lib/ctdb/persistent/passdb.tdb.0 PERSISTENT

dbid:0x2ca251cf name:account_policy.tdb
path:/var/lib/ctdb/persistent/account_policy.tdb.0 PERSISTENT

dbid:0xa1413774 name:group_mapping.tdb
path:/var/lib/ctdb/persistent/group_mapping.tdb.0 PERSISTENT

dbid:0xc3078fba name:share_info.tdb
path:/var/lib/ctdb/persistent/share_info.tdb.0 PERSISTENT

(Continue reading)

Richard Sharpe | 1 Jul 06:12 2016

Patch: testprogs/blackbox: Improve the net ads dns register tests ...

Hi folks,

The attached patch improves the test somewhat by adding tests for
unprivileged users to ensure that they can add new names to the domain
but cannot update names they do not own.

Please review and push if appropriate.


Richard Sharpe
Richard Sharpe | 30 Jun 17:16 2016

net ads dns register against Samba DC allows what appears to be ordinary users to add DNS names?

Hi folks,

Using ldbmodify I managed to modify the userAccountControl field of
the user I added and then used it to to try to add a DNS name.

Imagine my surprise when I found that an ordinary user can add DNS addresses.

I am pretty sure that Windows does not allow that.

The samAccountType for the account was 805306368.

Is there a bug in the Samba DC code there?


Richard Sharpe

Richard Sharpe | 30 Jun 15:55 2016

net user claims to accept a -f flag but it is mistaken it seems and creates a disabled account

Hi folks,

I have been attempting to use net user add ... to create an account
for my last net ads dns test, but the account is created disabled and
cannot be used.

What is an alternative way to create an account in the domain or how
can I get rid of the disabled flag from the account using some command
line tool from a domain member?


Richard Sharpe

Uri Simchoni | 30 Jun 11:18 2016

[PATCH] selftest: add tests for member join + kerberos


The attached patch set adds domain join tests with Kerberos (net ads
join -k). It also shifts the test env for the test from ad_member to
ad_dc, because:

1. It's more appropriate - the member server plays no part in this test
(I believe Andrew pointed that out when the test was initially added)

2. "net ads join -k" fails under the ad_member testenv. This testenv
uses the ntfvs file server on the DC side. It seems like after the
successful join, there's an attempt to verify the join, which involves
netlogon RPC over NP using machine account. The request to open the pipe
fails if the session had been setup with Kerberos (the Create request
for "netlogon" on the IPC$ share). I decided not to invest time in what
seems to be an ntvfs server bug (after all, this works against Windows
and against our AD with smbd as file server). If someone thinks I made
the wrong choice I'll dig some more.

Review & push appreciated.
From c105b7b09d26b53511ef06329b2f8b56949cedc4 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri <at>>
Date: Thu, 30 Jun 2016 11:55:20 +0300
Subject: [PATCH] selftest: add test for domain join + kerberos-only auth

Add "net ads join/leave -k" tests to the net_ads test suite.
(Continue reading)

Garming Sam | 30 Jun 02:48 2016

[PATCH] Enable Samba KCC for 4.5


I propose that we should enable the python samba KCC for 4.5. For any
reasonably sized domain, the fully connected topology where every DC
talks to every DC causes quite a big performance hit. One domain we
encountered which uses the new KCC, appeared to have large replication
pulses when just a lone DC was introduced briefly with the old KCC and
subsequently crippled the domain. The new KCC, unlike the old one
actually obeys site link restrictions and most of the improvement comes
from the intersite replication code I wrote when I worked on this

We're still aware of shortcomings and are hoping to do a bit more work
to possibly address some of them or at least investigate them, but many
of those cases are when DCs are down or missing or when links slowly
accumulate over time. In the case of link accumulation, it would still
take a long time before it got as worse as the original KCC however and
it should be easily fixed by wiping all connections from the domain and
rebuilding from scratch. The trouble is not the fear of over-connecting
domains, but under-connecting them and failing to get replication
changes to everybody. So far, the domains we have observed have failed
to demonstrate any noticeable issues and we know of people running it
without any major issues.

In domains where it might fail to work, at worst they can turn on the
old KCC and get the old replication topology. But for larger domains, it
seems a necessary change, and even an accidental mix of the two KCC can
do some real damage.

(Continue reading)

Bob Campbell | 30 Jun 01:53 2016

[PATCH] Remove fcntl calls in tdb

Hi all,

This patch removes a bunch of needless fcntl calls upon incrementing
seqnum in TDB when there is already a transaction lock held. This was
done as a result of trying to improve provisioning time. Although it
doesn't actually reduce the time noticeably, it does remove some of the
noise in strace so that we could look at what other system calls were
taking lots of time.

We've managed to improve provision times significantly by shifting
operations into transactions, which we will hopefully get into the tree

Günther Deschner | 29 Jun 15:05 2016

[PATCH] move netlogon_samlogon_response to idl


this allows to easily dump mailslot replies/cldap 'netlogon' replies
with ndrdump.

Please review & push,


Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner <at>
Samba Team                              gd <at>

Richard Sharpe | 29 Jun 04:08 2016

Client's credentials have been revoked trying to use an account I added during a self test

Hi folks,

I am trying to add this code to the net ads dns tests:

   # This should be an expect_failure test ...
   testit "Adding an unprivileged user" $VALGRIND $net_tool user add
$failed + 1`
   testit "unprivileged users should not be able to add a DNS entry"
$VALGRIND $net_tool ads dns register funnyname2.$REALM
-U$UNPRIVUSER%$UNPRIVPASS && failed=`expr $failed + 1`

The command to add the user succeeds, but the command to try to add
the dns NAM fails with this error:

samba4.blackbox.net_ads_dns(ad_member:local).unprivileged users should
not be able to add a DNS entry(ad_member:local)
REASON: Exception: Exception: kerberos_kinit_password
unprivuser <at> SAMBA.EXAMPLE.COM failed: Clients credentials have been

Why does that happen in the self test environment?


(Continue reading)