[Pkg-samba-maint] [Git][samba-team/samba][stretch] 185 commits: VERSION: Bump version up to 4.5.13...

Mathieu Parent gitlab at salsa.debian.org
Sun Dec 30 06:45:45 GMT 2018


Mathieu Parent pushed to branch stretch at Debian Samba Team / samba


Commits:
3de773ef by Stefan Metzmacher at 2017-07-12T11:41:23Z
VERSION: Bump version up to 4.5.13...

and re-enable GIT_SNAPSHOTS.

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
911e3abd by Ralph Boehme at 2017-07-13T08:51:16Z
s3/smbd: let non_widelink_open() chdir() to directories directly

If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
directly, not to the parent directory.

The security check in check_reduced_name() will continue to work, but
this fixes the case of an open() for a previous version of a
subdirectory that contains snapshopt.

Eg:

[share]
    path = /shares/test
    vfs objects = shadow_copy2
    shadow:snapdir = .snapshots
    shadow:snapdirseverywhere = yes

Directory tree with fake snapshots:

$ tree -a /shares/test/
/shares/test/
├── dir
│   ├── file
│   └── .snapshots
│       └── @GMT-2017.07.04-04.30.12
│           └── file
├── dir2
│   └── file
├── file
├── .snapshots
│   └── @GMT-2001.01.01-00.00.00
│       ├── dir2
│       │   └── file
│       └── file
└── testfsctl.dat

./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b886a9443d49f6e27fa3863d87c9e24d12e62874)

- - - - -
2cae38b0 by Ralph Boehme at 2017-07-13T08:51:16Z
selftest: add a test for accessing previous version of directories with snapdirseverywhere

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Sat Jul  8 00:33:51 CEST 2017 on sn-devel-144

(cherry picked from commit cc9ba98c08665e0ed6927fd81fa43a7bb7842e45)

- - - - -
82f9cbab by Stefan Metzmacher at 2017-07-13T08:51:16Z
s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()

The result is only used temporary and should not be leaked on a long term
memory context as 'conn'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 77cbced5d2f8bf65c8d02f5edfaba8cbad519d08)

- - - - -
3a491cd6 by Stefan Metzmacher at 2017-07-13T08:51:17Z
krb5_wrap: add smb_krb5_free_data_contents() compat define (for v4-5)

4.6 and higher have renamed kerberos_free_data_contents() into
smb_krb5_free_data_contents() in commit
e8632e2af50588dd47dc00fb72e85a398c844622.

But here we don't want to backport that commit,
while making it easy to backports patches from master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
941aaa99 by Günther Deschner at 2017-07-13T08:51:17Z
werror: replace WERR_SETUP_NOT_JOINED with WERR_NERR_SETUPNOTJOINED in source3/libnet/libnet_join.c

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
(cherry picked from commit 3bb394f3d62aaeda5c71cf1d508a7b67fd6e742d)

- - - - -
0c8ae836 by Stefan Metzmacher at 2017-07-13T08:51:17Z
pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 81bbfb010599b65308aca89cc50532372ca4cb00)

- - - - -
7b3bfd5d by Stefan Metzmacher at 2017-07-13T08:51:17Z
librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags

The range included the unused (1<<14) before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 91d8272e8604b5d87bcc0ce365b553bc760c8ed3)

- - - - -
9bbacf57 by Stefan Metzmacher at 2017-07-13T08:51:17Z
librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 32aa3a199dfd61eb5982e158008964b4747599b8)

- - - - -
899c0d5e by Stefan Metzmacher at 2017-07-13T08:51:17Z
idl_types.h: add NDR_SECRET shortcut

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 969ab12c56cd12dcc0e63e9b662397c1604a0cc0)

- - - - -
208c7719 by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:librpc: let NDR_SECRETS depend on NDR_SECURITY

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4260b52a399667bcdbaa375a20952237ff68449c)

- - - - -
88abba9f by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libads: remove unused kerberos_secrets_store_salting_principal()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c56043a94a10c76a220ce3c7eb7cb8cf2e992cab)

- - - - -
5b962527 by Stefan Metzmacher at 2017-07-13T08:51:17Z
krb5_wrap: add smb_krb5_salt_principal()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5df46700cfb0a15fec2d366e12728cd497188741)

- - - - -
cef8c677 by Stefan Metzmacher at 2017-07-13T08:51:17Z
krb5_wrap: add smb_krb5_salt_principal2data()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ec2da944d304852d76137e8f9d234462bc807c6b)

- - - - -
77980add by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join: remove dead code from libnet_join_connect_ads()

username[strlen(username)] is *always* '\0'!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5958c6790fbceb39065353c07fe25f74ddf09ef0)

- - - - -
35b6d50c by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 826223cc8d36871c2bcb37fe23241f1dbe99a0db)

- - - - -
d68b34ba by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 03e455f5a815ce2134e216dc28929646a964384f)

- - - - -
f18c0caf by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join: remember the domain_guid for AD domains

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fc2bad0cf34fca5e65fba7e036acf1d8c61f05c0)

- - - - -
18cd9780 by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3b13e4d2d0f73c6374ffdae57528cd1a7f333792)

- - - - -
9d818ce2 by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 549c9d9a07d3002442cbbb7a90d0a7fef4a92bff)

- - - - -
4765cb4c by Stefan Metzmacher at 2017-07-13T08:51:17Z
s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()

We should separate the calculation and the storing steps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0c65d5f41023076fd201c3a179df77dd615cdb01)

- - - - -
7110ea36 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0ab7944a2b00df4aa155a239c86f97e4e731b864)

- - - - -
a2102896 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libnet_join: call do_JoinConfig() after we did remote changes on the server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 559de1e7236fd4a38f2a1f9980216db95d0430ce)

- - - - -
00a2ce6f by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()

We should not store the secrets before we did all remote changes
(except the optional dns updates).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a922e01baeccedc3ffc8a893f1d6072bb203220f)

- - - - -
87b27a5b by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 7d2eea39112fd69d2b710181b23301562efea387)

- - - - -
0f4d1818 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback

The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 487b4717b58a6f1ba913708ce8419145b7f4fac8)

- - - - -
2ef7d5ab by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libads: provide a simpler kerberos_fetch_salt_princ() function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5fe939e32cdaf7bb5b6dac67e7b0118ce65846be)

- - - - -
0aa6bfde by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1d1cf9792f9227e65857c85ff66a961331e3c16e)

- - - - -
aa2f79be by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libnet: make use of kerberos_secrets_fetch_salt_princ()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 51ae7b42d4d52016b39b79447a3e28d473e676cb)

- - - - -
24478a55 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b0928a2687a9ffe92ebdce7b5252781d62e7e02d)

- - - - -
701361c6 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac)

- - - - -
fd161f15 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c

These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 504b446d8dc7410ad63eba9d214e9cf271cf3b2f)

- - - - -
de0f7301 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: rework des_salt_key() to take the realm as argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 072dd87e639d7dbfc583ede5ddf6559d9d433b8b)

- - - - -
ec6b9392 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: split out a domain_guid_keystr() function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d37e30cef7906b7b2b14351ad81d0d884811557b)

- - - - -
0a363257 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: add some const to secrets_store_domain_guid()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 99013685a1114829579e420df3625ed79eb7ee94)

- - - - -
f30adda2 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4e37d7805b345d80ca6e8a598e39fc81f72a27ce)

- - - - -
f5dc61c9 by Stefan Metzmacher at 2017-07-13T08:51:18Z
s3:secrets: rename secrets_delete() to secrets_delete_entry()

secrets_delete_entry() fails if the key doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit cd1e888773c4fd3db63ce38a496fc3d54eb8e021)

- - - - -
1bbefc1c by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fde4af1c329655d7ef3f55727632b3f026a3ea73)

- - - - -
96319f6d by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c5ded1123797b2bd152b0989e24eba7cae6a5792)

- - - - -
fdbf0dee by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 45eea321a6faa6db1c9c706a27527cc0766dc831)

- - - - -
a920733c by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5b95cb74e7b2838d228f9773c0e20982b81d1e7d)

- - - - -
04384a47 by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5bc2764fe517748c03a57b61f2f7ef889c92825d)

- - - - -
64b39196 by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit cf8a4646fe71a974b6a5ee13ae7d7751a5a0adc9)

- - - - -
3c3765fb by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit dfaadc81925e313901c9b30cd98a4b4fd2404f9d)

- - - - -
9afd00e7 by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()

We just want all values to be removed at the end, it doesn't matter
if they didn't existed before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit bfe35abc1fb15e70a99fa74d064051a1ad541ed0)

- - - - -
c1d6f18d by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:trusts_util: pass dcname to trust_pw_change()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1421abfc733247a6b71eefd819dfeae7151a6d78)

- - - - -
09461fe4 by Stefan Metzmacher at 2017-07-13T08:51:19Z
libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()

This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.

We allow up to 4 hashes (next, current, old, older).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ddd7ac68ccae8b4df6c6a65b3dad20e21924f538)

- - - - -
0c7de3ca by Stefan Metzmacher at 2017-07-13T08:51:19Z
libcli/auth: add const to set_pw_in_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1b48c8515ed8fd29204c82cc47f958f4636cd494)

- - - - -
399945b4 by Stefan Metzmacher at 2017-07-13T08:51:19Z
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0f5945a06df4bef501ca5085c621294057007225)

- - - - -
1e5489d9 by Stefan Metzmacher at 2017-07-13T08:51:19Z
s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()

Even in the case where only the password is known to the server, we should
try to leave a valid authentication behind.

We have better ways to indentify which password worked than only using
the current one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d60404b032eca5384d889352f52b9b129861b4af)

- - - - -
e635a4fb by Stefan Metzmacher at 2017-07-13T08:51:19Z
lsa.idl: make lsa_DnsDomainInfo [public]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ea0798881a7aaf5897a3a3806149536d3d54fc3b)

- - - - -
19addd11 by Stefan Metzmacher at 2017-07-13T08:51:20Z
netlogon.idl: make netr_TrustFlags [public]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 60274475332dafdfb829a7c086ea09cd9ed00540)

- - - - -
4d666520 by Stefan Metzmacher at 2017-07-13T08:51:20Z
netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 28ac10503476de3c000b3deee2c1f67e0b305578)

- - - - -
97b72e3f by Stefan Metzmacher at 2017-07-13T08:51:20Z
secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts

This blob will be store in secrets.tdb. It makes it possible to store much
more useful details about the workstation trust.

The key feature that that triggered this change is the ability
to store details for the next password change before doing
the remote change. This will allow us to recover from failures.

While being there I also thought about possible new features,
which we may implement in the near future.

We also store the raw UTF16 like cleartext buffer as well as derived
keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
This will allow us to avoid recalculating the keys for an in memory
keytab in future.

I also added pointer to an optional lsa_ForestTrustInformation structure,
which might be useful to implement multi-tenancy in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a59c9cba31a801d90db06b767cfd44776f4ede77)

- - - - -
f3da2954 by Stefan Metzmacher at 2017-07-13T08:51:20Z
s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials

We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.

We keep storing the legacy values:
 SECRETS/SID/
 SECRETS/DOMGUID/
 SECRETS/MACHINE_LAST_CHANGE_TIME/
 SECRETS/MACHINE_PASSWORD/
 SECRETS/MACHINE_PASSWORD.PREV/
 SECRETS/SALTING_PRINCIPAL/DES/

This allows downgrades to older Samba versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5f0038fba612afd7fc15b7ab321df979891170d8)

- - - - -
d9a23941 by Stefan Metzmacher at 2017-07-13T08:51:20Z
net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c7c17d9f503d6037aa8ed0bd7ab7cf52f5f28382)

- - - - -
75a05ad5 by Stefan Metzmacher at 2017-07-13T08:51:20Z
s3:libnet: make use of secrets_store_JoinCtx()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c3ad8be5d5192070c599350d6ab28c064206b6cf)

- - - - -
ab5109fd by Stefan Metzmacher at 2017-07-13T08:51:20Z
s3:trusts_util: make use the workstation password change more robust

We use secrets_{prepare,failed,defer,finish}_password_change() to make
the process more robust.

Even if we just just verified the current password with the DC
it can still happen that the remote password change will fail.

If a server has the RefusePasswordChange=1 under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.

This results in a successful local change, but a failing remote change,
which means the domain membership is broken (as we don't fallback to
the previous password for ntlmssp nor kerberos yet).

An (at least Samba) RODC will also reject a password change,
see https://bugzilla.samba.org/show_bug.cgi?id=12773.

Even with this change we still have open problems, e.g. if the password was
changed, but we didn't get the servers response. In order to fix that we need
to use only netlogon and lsa over unprotected transports, just using schannel
authentication (which supports the fallback to the old password).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 40c42af11fda062fef9df96a9b5ae3e02709f07c)

- - - - -
7d86014e by Stefan Metzmacher at 2017-07-13T08:51:20Z
net: make use of secrets_*_password_change() for "net changesecretpw"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3)

- - - - -
ad1e456f by Stefan Metzmacher at 2017-07-13T08:51:20Z
s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b874dc90c91dd41c35e99bf7c4fe04220465edca)

- - - - -
6c728cc3 by Stefan Metzmacher at 2017-07-13T08:51:20Z
s3:secrets: remove unused secrets_store_[prev_]machine_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit f513c20ee04fe896900c99ae804753d445414d7d)

- - - - -
65120599 by Stefan Metzmacher at 2017-07-13T13:03:29Z
selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join

Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 9530284383f252efd64bfdf138579964c6500eba)

Autobuild-User(v4-5-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-5-test): Thu Jul 13 15:03:29 CEST 2017 on sn-devel-144

- - - - -
35cba471 by Günther Deschner at 2017-07-24T00:25:21Z
vfs_fruit: add fruit:model = <modelname> parametric option

fruit:model = iMac
fruit:model = MacBook
fruit:model = MacPro
fruit:model = Xserve

will all display a different icon inside Finder.

Formerly, we used "Samba" which resulted in a "?" icon in Finder, with
the new default "MacSamba" we appear with a computer box icon at least.

Guenther

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12840

Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Jul 12 03:17:57 CEST 2017 on sn-devel-144

(cherry picked from commit 259e1706e3206b215e136ea9d5beef4c9e3fcdee)

- - - - -
dbb28145 by Ralph Boehme at 2017-07-24T00:25:21Z
vfs_fruit: don't use MS NFS ACEs with Windows clients

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12897

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Thu Jul 13 22:21:08 CEST 2017 on sn-devel-144

(cherry picked from commit df0db9d8f893f9245c6289200303b94a6e2d48d0)

- - - - -
56593285 by Ralph Boehme at 2017-07-24T00:25:21Z
s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12910

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7f4e7cfd1b0bd917395c631a1a8195fffd13bbad)

- - - - -
5d740e45 by Thomas Jarosch at 2017-07-24T04:24:58Z
s3: libsmb: Fix use-after-free when accessing pointer *p.

talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927

Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144

(cherry picked from commit 890137cffedcaf88a9ff808c01335ee14fcfd8da)

Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Mon Jul 24 06:24:58 CEST 2017 on sn-devel-144

- - - - -
cfa8c189 by Jeremy Allison at 2017-07-25T03:32:52Z
s3: smbd: Fix a read after free if a chained SMB1 call goes async.

Reported to the Samba Team by Yihan Lian <lianyihan at 360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!

smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5fe76a5474823ed7602938a07c9c43226a7882a3)

Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Tue Jul 25 05:32:53 CEST 2017 on sn-devel-144

- - - - -
3475d11f by David Disseldorp at 2017-07-25T13:53:04Z
vfs_ceph: fix cephwrap_chdir()

When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911

Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144

(cherry picked from commit 1dcacff083019810e207a3d123a81fe32d9dde1a)

Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Tue Jul 25 15:53:04 CEST 2017 on sn-devel-144

- - - - -
9792ec26 by Jeremy Allison at 2017-08-14T08:50:09Z
s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2 to match SMB1.

SMB1 uses attr == 0 to clear all attributes
on a file (end up with FILE_ATTRIBUTE_NORMAL),
and attr == FILE_ATTRIBUTE_NORMAL to mean ignore
request attribute change.

SMB2 uses exactly the reverse. Unfortunately as the
cli_setatr() ABI is exposed inside libsmbclient,
we must make the SMB2 cli_smb2_setatr() call
export the same ABI as the SMB1 cli_setatr()
which calls it. This means reversing the sense
of the requested attr argument if it's zero
or FILE_ATTRIBUTE_NORMAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12899

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
(cherry picked from commit f1cc79a46d56bda99c392d491d88479cd6427a32)

- - - - -
5b3f0317 by Ralph Boehme at 2017-08-14T08:50:10Z
s3/smbd: handling of failed DOS attributes reading

Only fall back to using UNIX modes if we get NOT_IMPLEMENTED. This is
exactly what we already do when setting DOS attributes.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit 9de1411d9e7c7ac3da544345d4dea7fd73dff01b)

- - - - -
c493d8e6 by Ralph Boehme at 2017-08-14T08:50:10Z
s3/smbd: handle EACCES when fetching DOS attributes from xattr

When trying to fetch the DOS attributes xattr via SMB_VFS_GETXATTR() if
the filesystem doesn't grant read access to the file the xattr read
request fails with EACCESS.

But according to MS-FSA 2.1.5.1.2.1 "Algorithm to Check Access to an
Existing File" FILE_LIST_DIRECTORY on a directory implies
FILE_READ_ATTRIBUTES for directory entries.

So if the user can open the parent directory for reading this implies
FILE_LIST_DIRECTORY and we can safely call SMB_VFS_GETXATTR() as root,
ensuring we can read the DOS attributes xattr.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(backported from commit c54fcb7cbd0de244eed4134e877da6e9c16e7aab)

- - - - -
ad113e07 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_gpfs: handle EACCES when fetching DOS attributes from xattr

When trying to fetch the DOS attributes via gpfswrap_get_winattrs_path()
if the filesystem doesn't grant READ_ATTR to the file the function fails
with EACCESS.

But according to MS-FSA 2.1.5.1.2.1 "Algorithm to Check Access to an
Existing File" FILE_LIST_DIRECTORY on a directory implies
FILE_READ_ATTRIBUTES for directory entries.

So if the user can open the parent directory for reading this implies
FILE_LIST_DIRECTORY and we can safely call gpfswrap_get_winattrs_path()
with DAC_OVERRIDE_CAPABILITY.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug  9 01:21:14 CEST 2017 on sn-devel-144

(cherry picked from commit 62d73f5b936550d623ef4f31c7438ac3c90105b9)

- - - - -
bfa7ac0a by Jeremy Allison at 2017-08-14T08:50:10Z
s3: libsmbclient: Fix cli_setpathinfo_basic() to treat mode == -1 as no change.

This is only called from SMBC_setatr(), so bring it into line with
the specification for that function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12913

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 812006fa8f26004609901b0ddef1c3ed05eff35e)

- - - - -
a6f4924b by Jeremy Allison at 2017-08-14T08:50:10Z
s3: libsmb: Add cli_smb2_setpathinfo(), to be called by cli_setpathinfo_basic().

Fix to prevent libsmbclient from accidently making SMB1 calls inside an SMB2
connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12913

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 2a15c70603bb23a68a2e3de0b00bfd98508f78e0)

- - - - -
57f129b4 by Jeremy Allison at 2017-08-14T08:50:10Z
s3: libsmb: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().

This removes duplicate code paths and ensures we have only one
function calling the underlying smb2cli_set_info() for setting
info levels by path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12913

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b1e5b894b089433e59c96915a27559d179bdb6c5)

- - - - -
715e1c91 by Jeremy Allison at 2017-08-14T08:50:10Z
s3: torture: Add a test for cli_setpathinfo_basic() to smbtorture3.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12913

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bfa07323590357542eb06ad5faa2dc5a5736e3f1)

- - - - -
da22be91 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: invalidate stat info if xattr was not found

We stat the basefile so we leave valid stat info from the base file
behind, even though the xattr for the stream was not there.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit ec32f33ea6d50d9cb504400c3ef1e78643502e1a)

- - - - -
c6422830 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: remove all uses of fd, use name based functions

We don't really need an fd in this module, all calls to the VFS xattr
API can just use the name based versions.

This paves the way for removing the open of the basefile in
streams_xattr_open() in a later commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit ea906bb476516c05e7cbda478afd32acb443c03e)

- - - - -
10b04e9b by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: remove fsp argument from get_xattr_size()

Still in the process of changing all handle based operations to use path
based operations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit 4cc59e6d011cd3804499ba82bb4071973aa9d494)

- - - - -
62c97196 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: always pass NULL as fsp arg to get_ea_value()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit 0ed3075ee7edfecde7455a2c64e9df882828343b)

- - - - -
f7e96aed by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: implement all missing handle based VFS functions

Implement all missing handle based VFS function. If the call is on a
named stream, implement the appropriate action for the VFS function, in
most cases a no-op.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit 9647af6bec62c9f61d541aad4a9b8f25fd5bc627)

- - - - -
38d8b62d by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_streams_xattr: return a fake fd in streams_xattr_open()

The final step in changing vfs_streams_xattr to not call open() on the
basefile anymore. Instead, we just return a fake file fd based on
dup'ing a pipe fd. Previous commits ensured all calls to VFS API
functions use pathname based versions to do their work.

This ensures we don't trigger kernel oplock breaks for client "open
stream" requests when needlessly opening the basefile.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 0a8559d4c9e4fc73c30a06b5f45f3b870afe4439)

- - - - -
c03af9fc by Ralph Boehme at 2017-08-14T08:50:10Z
s4/torture: reproducer for kernel oplocks issue with streams

test_smb2_kernel_oplocks3() wouldn't have failed without the patches,
I'm just adding it to have at least one test that tests with 2
clients. All other tests use just one client.

test_smb2_kernel_oplocks4() is the reproducer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
(backported from commit a334fff8a8c779704ee04ae784024efb67a6e9c9)

- - - - -
12c818b6 by Ralph Boehme at 2017-08-14T08:50:10Z
s4/torture: additional tests for kernel-oplocks

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
(backported from commit bbc225de83e7b0e5eaeb1b843532d1f0fca91a3c)

- - - - -
d6c99162 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_fruit: use path based setxattr call in ad_fset()

This allows later commits to remove opening of the basefile which
conflict with "kernel oplocks = yes".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit aff6fc49f4ac244aef162200a37bd846719e1e4f)

- - - - -
379dbb5f by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_fruit: don't open basefile in ad_open() and simplify API

We never need an fd on the basefile when operating on the metadata, as
we can always use path based syscalls. Opening the basefile conflicts
with "kernel oplocks" so just don't do it.

Additional changes:

- remove the adouble_type_t argument to ad_open(), the type is passed
  and set when allocating a struct adouble with ad_alloc()

- additionally pass an optional fsp to ad_open() (so the caller can pass
  NULL). With this change we can move the fd inheritance from fsp to ad
  into ad_open() itself where it belongs and remove it from the caller
  ad_fget()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
(backported from commit e92a39255e66f655e2758f0a71a01eaf258cf711)

- - - - -
b559efc4 by Ralph Boehme at 2017-08-14T08:50:10Z
vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk()

Do not open the basefile, that conflict with "kernel oplocks = yes". We
just return a fake file fd based on dup'ing a pipe fd and ensure all VFS
functions that go through vfs_fruit and work on the metadata stream can
deal with it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit 7583ee6e1c558067e4c7a7351085fcc0e4240366)

- - - - -
2339d4bc by Ralph Boehme at 2017-08-14T12:52:17Z
vfs_fruit: factor out common code from ad_get() and ad_fget()

As a result of the previous changes ad_get() and ad_fget() do completey
the same, so factor out the common code to a new helper function. No
change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Aug  9 22:33:36 CEST 2017 on sn-devel-144

(backported from commit d55c27abc5a7357f740c7065bbe12e7f36b57125)

Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Mon Aug 14 14:52:17 CEST 2017 on sn-devel-144

- - - - -
0247ece5 by Karolin Seeger at 2017-08-30T10:32:10Z
WHATSNEW: Add release notes for Samba 4.5.13.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
3c9bc040 by Karolin Seeger at 2017-08-30T10:32:45Z
VERSION: Disable GIT_SNAPSHOTS for the 4.5.13 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
5c645ed6 by Karolin Seeger at 2017-08-30T10:33:20Z
VERSION: Bump version up to 4.5.14...

and re-enable GIT_SNAPSHOTS.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
f14a94b5 by Stefan Metzmacher at 2017-09-04T09:34:04Z
CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED

This is an addition to the fixes for CVE-2015-5296.

It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
f82c2354 by Stefan Metzmacher at 2017-09-04T09:34:29Z
CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
5d296e6e by Stefan Metzmacher at 2017-09-04T09:34:43Z
CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()

It's important that we use a signed connection to get the GPOs!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
dc24ef0f by Stefan Metzmacher at 2017-09-04T09:34:58Z
CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
f30ea844 by Stefan Metzmacher at 2017-09-04T09:35:11Z
CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
609e6b09 by Stefan Metzmacher at 2017-09-04T09:35:31Z
CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

With forced encryption or required signing we should also don't fallback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
282a1d12 by Stefan Metzmacher at 2017-09-04T09:35:59Z
CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
157f2a70 by Stefan Metzmacher at 2017-09-04T09:36:11Z
CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

This will keep enforced encryption across dfs referrals.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a43b36f5 by Jeremy Allison at 2017-09-12T03:31:54Z
CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
b5178cb0 by Stefan Metzmacher at 2017-09-12T03:31:54Z
selftest: make samba3.blackbox.smbclient_s3.*follow.symlinks.*no as flapping

This is fixed in master and 4.7. For the backports we can just ignore
failures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12914

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
bb90fee8 by Karolin Seeger at 2017-09-13T16:39:40Z
WHATSNEW: Add release notes for Samba 4.5.14.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
f261c9a5 by Karolin Seeger at 2017-09-13T16:42:04Z
VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
cea68b69 by Mathieu Parent at 2017-09-19T14:54:31Z
Patches for CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163

- - - - -
34f93fcb by Mathieu Parent at 2017-09-19T15:52:28Z
Adapt patches to 4.5.8

See 0d0d9820531aca17a5300f4e4eb47f07a999aaca

- - - - -
29a501b8 by Stefan Metzmacher at 2017-09-19T15:52:29Z
CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED

This is an addition to the fixes for CVE-2015-5296.

It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
354e2263 by Stefan Metzmacher at 2017-09-19T15:52:29Z
CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a85975ed by Stefan Metzmacher at 2017-09-19T15:52:30Z
CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()

It's important that we use a signed connection to get the GPOs!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
27701be2 by Stefan Metzmacher at 2017-09-19T15:52:31Z
CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
ee72f46b by Stefan Metzmacher at 2017-09-19T15:52:31Z
CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
58ea302c by Stefan Metzmacher at 2017-09-19T15:52:32Z
CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

With forced encryption or required signing we should also don't fallback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
38c98c74 by Stefan Metzmacher at 2017-09-19T15:52:32Z
CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
17b3e3af by Stefan Metzmacher at 2017-09-19T15:52:33Z
CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

This will keep enforced encryption across dfs referrals.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3f357e45 by Jeremy Allison at 2017-09-19T15:52:33Z
CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
612c5902 by Mathieu Parent at 2017-09-19T19:56:35Z
Release 2:4.5.8+dfsg-2+deb9u2

- - - - -
21811ac6 by Karolin Seeger at 2017-11-17T11:04:37Z
VERSION: Bump version up to 4.5.15...

and re-enable GIT_SNAPSHOTS.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
c28d9227 by Gary Lockyer at 2017-11-17T11:04:37Z
blackbox tests: method to check specific exit codes

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 74ebcf6dfc84b6aab6838fa99e12808eb6b913d9)

- - - - -
bd200ea5 by Joe Guo at 2017-11-17T11:04:37Z
python: use communicate to fix Popen deadlock

`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144

(cherry picked from commit 5dc773a5b00834c7a53130a73a48f49048bd55e8)

Autobuild-User(v4-5-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-5-test): Tue Nov 14 14:35:22 CET 2017 on sn-devel-144

- - - - -
007f5b54 by Jeremy Allison at 2017-11-17T11:04:37Z
s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746

When setting up the chain, always use 'next->' variables
not the 'req->' one.

Bug discovered by 连一汉 <lianyihan at 360.cn>

CVE-2017-14746

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
c1a22e59 by Jeremy Allison at 2017-11-17T11:04:37Z
s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

Ensure we zero out unused grown area.

CVE-2017-15275

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
d7526d66 by Karolin Seeger at 2017-11-17T11:04:37Z
WHATSNEW: Add release notes for Samba 4.5.15.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
f3338154 by Karolin Seeger at 2017-11-17T11:13:04Z
VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
d9778067 by Mathieu Parent at 2018-03-05T13:33:55Z
Rebaselined stretch-security from stretch

- - - - -
fbe5e359 by Jeremy Allison at 2018-03-05T13:40:27Z
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
121b8640 by Mathieu Parent at 2018-03-05T14:33:26Z
Patch for CVE-2018-1050: "Codenomicon crashes in spoolss server code"

- - - - -
f8f11248 by Ralph Boehme at 2018-03-05T14:33:26Z
CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete

Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
ef60d6a9 by Ralph Boehme at 2018-03-05T14:33:27Z
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
ff0f0cc1 by Ralph Boehme at 2018-03-05T14:33:27Z
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
e47fb74e by Ralph Boehme at 2018-03-05T14:33:27Z
CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
9a04ea99 by Ralph Boehme at 2018-03-05T14:33:28Z
CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
1dc0d1ca by Ralph Boehme at 2018-03-05T14:33:28Z
CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d79dba9d by Ralph Boehme at 2018-03-05T14:33:29Z
CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
5387ee93 by Ralph Boehme at 2018-03-05T14:33:29Z
CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
272f8577 by Ralph Boehme at 2018-03-05T14:33:29Z
CVE-2018-1057: s4/dsdb: correctly detect password resets

This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
9bdeb028 by Ralph Boehme at 2018-03-05T14:33:30Z
CVE-2018-1057: s4:dsdb/acl: run password checking only once

This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
4f41ee25 by Ralph Boehme at 2018-03-05T14:33:30Z
CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
2455be1c by Ralph Boehme at 2018-03-05T14:33:30Z
CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID

This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
022068fc by Ralph Boehme at 2018-03-05T14:33:31Z
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control

This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
10d58b44 by Mathieu Parent at 2018-03-05T14:33:31Z
Patches for CVE-2018-1057: "Unprivileged user can change any user (and admin) password"

- - - - -
218e3c0b by Mathieu Parent at 2018-03-05T14:33:31Z
Release 2:4.5.12+dfsg-2+deb9u2

- - - - -
f3ec20fd by Karolin Seeger at 2018-03-12T12:01:25Z
VERSION: Bump version up to 4.5.16.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 8376a89e40b82c0b4b365b8daf155159f59945cb)

- - - - -
64b6a9f6 by Karolin Seeger at 2018-03-12T12:02:04Z
VERSION: Re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
dff5d439 by Jeremy Allison at 2018-03-12T12:06:09Z
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
e5774640 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete

Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7eabe3d4 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
abf925c2 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d552abe8 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
99f46aab by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
6d5caffb by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
54c363e0 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
6c980a03 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
67fa44aa by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4/dsdb: correctly detect password resets

This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
bb43ab08 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: run password checking only once

This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
4adcba5f by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
e5b8c81d by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID

This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
36639815 by Ralph Boehme at 2018-03-12T12:06:14Z
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control

This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3e0aa758 by Karolin Seeger at 2018-03-12T12:09:35Z
WHATSNEW: Add release notes for Samba 4.6.16.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
4b43ad87 by Karolin Seeger at 2018-03-12T12:10:30Z
VERSION: Disable GIT_SNAPSHOT for the 4.6.16 release.

CVE-2018-1050 (Denial of Service Attack on external print server.)
CVE-2018-1057 (Authenticated users can change other users' password.)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
fc0672f3 by Tim Beale at 2018-11-21T19:14:08Z
CVE-2018-10919 security: Move object-specific access checks into separate function

Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.

This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
4a8682ff by Tim Beale at 2018-11-21T19:14:08Z
CVE-2018-10919 security: Add more comments to the object-specific access checks

Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
d4cf4119 by Tim Beale at 2018-11-21T19:14:08Z
CVE-2018-10919 tests: Add tests for guessing confidential attributes

Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.

The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
  user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
  access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls

These tests all pass when run against a Windows Dc and all fail against
a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
f2d392cd by Tim Beale at 2018-11-21T19:14:09Z
CVE-2018-10919 tests: Add test case for object visibility with limited rights

Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.

All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).

This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.

This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
0150c9bf by Gary Lockyer at 2018-11-21T19:14:09Z
CVE-2018-10919 tests: test ldap searches for non-existent attributes.

It is perfectly legal to search LDAP for an attribute that is not part
of the schema.  That part of the query should simply not match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
90729bcc by Tim Beale at 2018-11-21T19:14:09Z
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights

An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
81f55cce by Tim Beale at 2018-11-21T19:14:09Z
CVE-2018-10919 acl_read: Split access_mask logic out into helper function

So we can re-use the same logic laster for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
d67483e1 by Tim Beale at 2018-11-21T19:14:09Z
CVE-2018-10919 acl_read: Small refactor to aclread_callback()

Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
2b713d01 by Tim Beale at 2018-11-21T19:14:10Z
CVE-2018-10919 acl_read: Flip the logic in the dirsync check

This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
a4930079 by Tim Beale at 2018-11-21T19:14:10Z
CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches

A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.

Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.

To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.

Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
  suppresses the result as long as the replPropertyMetaData attribute is
  removed). However, there doesn't appear to be any test that highlights
  that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
  searches like 'objectClass=*', even though we don't have Read Property
  access rights for the objectClass attribute. The logic that Windows
  uses does not appear to be clearly documented, so I've made a best
  guess that seems to mirror Windows behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
df536fff by Tim Beale at 2018-11-21T19:14:10Z
CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case

The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.

The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
  hangs around for deleted objcts. Because the attributes now persist
  across test case runs, I've used a different attribute to normal.
  (Technically, the dirsync search expressions are now specific enough
  that the regular attribute could be used, but it would make things
  quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
  now more complicated. Currently dirsync adds an extra-filter to the
  '!' searches to exclude deleted objects, i.e. samaccountname matches
  the test-objects AND the object is not deleted. We now extend this to
  include deleted objects with lastKnownParent equal to the test OU.
  The search expression matches either case so that we can use the same
  expression throughout the test (regardless of whether the object is
  deleted yet or not).

This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
ffd8797d by Jeremy Allison at 2018-11-21T19:14:10Z
libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
		listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
52175a07 by Jeremy Allison at 2018-11-21T19:14:10Z
libsmb: Harden smbc_readdir_internal() against returns from malicious servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
		listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
55634757 by Salvatore Bonaccorso at 2018-11-21T19:14:11Z
Import Debian changes 2:4.5.12+dfsg-2+deb9u3

samba (2:4.5.12+dfsg-2+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Confidential attribute disclosure from the AD LDAP server (CVE-2018-10919)
  * Insufficient input validation on client directory listing in libsmbclient
    (CVE-2018-10858)

- - - - -
bed48072 by Aaron Haslett at 2018-11-23T21:58:45Z
CVE-2018-14629 dns: CNAME loop prevention using counter

Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.

(backport to Samba 4.5)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

- - - - -
07f588bf by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Wait for port for 15 seconds

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 668e4e4a436756d73d64790fd0a7e79fa4769ffe)

- - - - -
12d46bca by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Check that the subprocess is still living

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ad3b3e978ebf0692580166f9deba0368a922362d)

- - - - -
2a5f1343 by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Fail out with an assertion instead OOB error

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Tue Sep  6 15:41:54 CEST 2016 on sn-devel-144

(cherry picked from commit 451907739cc14717c12875b88fbbe63a53e9cbec)

- - - - -
70eb7ecc by Andrew Bartlett at 2018-11-23T21:58:46Z
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal

In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.

This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
24906f1c by Andrew Bartlett at 2018-11-23T21:58:47Z
CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
229dae30 by Garming Sam at 2018-11-23T21:58:47Z
CVE-2018-16851 ldap_server: Check ret before manipulating blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4d0080e0 by Mathieu Parent at 2018-11-23T21:58:47Z
Add patches for previous fixes

- - - - -
9014cb54 by Mathieu Parent at 2018-11-23T21:58:47Z
Release 2:4.5.12+dfsg-2+deb9u4 to stretch-security

- - - - -
1ed75f6f by Mathieu Parent at 2018-12-29T20:58:06Z
New upstream version 4.5.16+dfsg
- - - - -
ff9d3587 by Mathieu Parent at 2018-12-29T21:01:09Z
Merge tag 'upstream/4.5.16+dfsg' into stretch

Upstream version 4.5.16+dfsg

- - - - -
5b2a9c94 by Mathieu Parent at 2018-12-29T21:19:07Z
Preparare 2:4.5.16+dfsg-1

- - - - -
2dcb0d32 by Mathieu Parent at 2018-12-29T21:39:23Z
Drop merged patches

- - - - -


21 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-statistics.7.html
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb-tunables.7.html
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.1.html
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.7.html
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_diagnostics.1.html
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd.1.html
- ctdb/doc/ctdbd.conf.5
- ctdb/doc/ctdbd.conf.5.html
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ctdbd_wrapper.1.html
- ctdb/doc/ltdbtool.1
- ctdb/doc/ltdbtool.1.html
- ctdb/doc/onnode.1


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/6b982e98dd4f8fd189ff82fcb21706462810472d...2dcb0d3216ba74f7e22f4f4b1ec1595f568c8d07

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/6b982e98dd4f8fd189ff82fcb21706462810472d...2dcb0d3216ba74f7e22f4f4b1ec1595f568c8d07
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20181230/90872224/attachment-0001.html>


More information about the Pkg-samba-maint mailing list