[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.9] 89 commits: VERSION: Bump version up to 4.9.12...
Mathieu Parent
gitlab at salsa.debian.org
Tue Sep 3 21:24:47 BST 2019
Mathieu Parent pushed to branch upstream_4.9 at Debian Samba Team / samba
Commits:
63547807 by Karolin Seeger at 2019-07-03T11:44:04Z
VERSION: Bump version up to 4.9.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
88a60f59 by Karolin Seeger at 2019-07-08T11:43:57Z
WHATSNEW: Fix typo.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
3bcaef67 by Stefan Metzmacher at 2019-07-08T11:43:57Z
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
- - - - -
a47fd552 by Stefan Metzmacher at 2019-07-08T11:43:57Z
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)
- - - - -
948b60d2 by Stefan Metzmacher at 2019-07-08T11:43:57Z
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
- - - - -
00dbe9ff by Tim Beale at 2019-07-08T11:43:58Z
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)
- - - - -
e126fdaa by Michael Adam at 2019-07-08T11:43:58Z
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)
- - - - -
ea481544 by Michael Adam at 2019-07-08T11:43:58Z
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
(cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)
- - - - -
f7a5adf0 by Tim Beale at 2019-07-08T16:24:31Z
s4/libnet: Fix joining a Windows pre-2008R2 DC
>From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
- - - - -
bdc11a6b by Stefan Metzmacher at 2019-08-08T07:32:20Z
lib/util: fix call to dbghdrclass() for DEBUGC()
dbghdrclass() sets the global 'current_msg_class' and for that
DEBUGC() should pass the given dbgc_class instead of the per file
DBGC_CLASS.
This is important with the new per class logfile with:
log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(similar to commit bb0ffbf38cb1955c9e400003add680eabcf706a6)
- - - - -
9af7a1cc by Stefan Metzmacher at 2019-08-08T07:32:20Z
lib/util: remove unused prototypes in debug.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d98a971247450d494c581c5454e6c270ad1b6880)
- - - - -
4fd604b1 by Stefan Metzmacher at 2019-08-08T07:32:20Z
dbcheck: fallback to the default tombstoneLifetime of 180 days
If a domain was provisioned by Windows 2000 this value is missing in the
database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184
(cherry picked from commit 2ef79a4c1d695a3e498b142810a1317d85b9b6da)
- - - - -
d9b747c0 by Stefan Metzmacher at 2019-08-08T07:32:20Z
s4:torture: add local.ndr.dnsp tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 9a0c3a475f29138c0c49e0d22cf52ab45178d16b)
- - - - -
b5956912 by Stefan Metzmacher at 2019-08-08T07:32:20Z
dnsp.idl: fix dnsp_ip4_array definition
In future we should use ipv4address, but that would result in a much
larger change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 6d958af0b4cb6fd45cfda0298243859b3b043c6f)
- - - - -
8ce25bdb by Stefan Metzmacher at 2019-08-08T07:32:21Z
dnsp.idl: fix the dnsp_dns_addr_array definition
The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):
AddrArray: ARRAY(3)
AddrArray: struct dnsp_dns_addr
family : 0x0002 (2)
port : 0x0035 (53)
ipv4 : 172.31.99.33
ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 6fc7cc15048673d109042d7b40684ed63eb4ff9e)
- - - - -
043675f3 by Stefan Metzmacher at 2019-08-08T07:32:21Z
dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184
(cherry picked from commit aa2a3d95098231f48d7c308881bf66418164111e)
- - - - -
cf5002e0 by Björn Baumbach at 2019-08-08T07:32:21Z
s4:torture:fsmo.py: test role transfers of dns partitions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5e000a8487d788dd196980b77ec7299c8be74abf)
- - - - -
6b9d7481 by Stefan Metzmacher at 2019-08-08T07:32:21Z
samba-tool: fix replication after dns partition fsmo role transfer
The new role owner need to replicate from the old role owner.
Before we told the old role owner to replicate from itself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)
- - - - -
8fb77c2d by Björn Baumbach at 2019-08-08T07:32:21Z
s4:torture:fsmo.py: remove unused 'net_cmd' variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0fbb013bef886e425602fdbbef14a4029719818f)
- - - - -
f1eeb8e6 by Stefan Metzmacher at 2019-08-08T07:32:21Z
samba-tool: use only one LDAP modify for dns partition fsmo role transfer
We should not risk that we end with no role owner.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 6a2e3a15585086bcceb18283216978a2fcb30da3)
- - - - -
db44860c by Björn Baumbach at 2019-08-08T07:32:21Z
samba-tool: add 'import samba.drs_utils' to fsmo.py
On some systems we're seeing this:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
except samba.drs_utils.drsException as e:
E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)
While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.
There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184
(cherry picked from commit 320a5c5425e6ced18b1a9bf19b4f361ee16821ed)
- - - - -
97727eef by Ralph Boehme at 2019-08-08T07:32:21Z
vfs_catia: pass stat info to synthetic_smb_fname()
This doesn't cause visible damage in vanilla Samba, but would affect downstream
consumers that add additional fields to struct smb_filename.
For the same reason there's no test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015
RN: Ensure vfs_catia passes stat info to stacked VFS modules
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ae6dd4853e3e651f6e56ce735bcb0a2264857385)
- - - - -
de909ff8 by Rafael David Tinoco at 2019-08-08T07:32:21Z
ctdb-config: depend on /etc/ctdb/nodes file
CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.
Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty
Signed-off-by: Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit c5803507df7def388edcd5b6cbfee30cd217b536)
- - - - -
9daacf18 by Ralph Boehme at 2019-08-08T07:32:21Z
Revert "s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper"
This reverts commit e186d6a06b1b300256a2cb4138f0532d518d0597.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 0bd10a48e4c08d1eb3a20e79d952b3c0f12be46a)
- - - - -
116c4a79 by Ralph Boehme at 2019-08-08T07:32:21Z
Revert "s3:messages: allow messaging_filtered_read_send() to use wrapper tevent_context"
This reverts commit 2b05f1098187e00166649c8ea7c63e6901b9d242.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit e2a5272ac6831b407a0c51bb8615252ec68be6a8)
- - - - -
a4ad9d6e by Ralph Boehme at 2019-08-08T07:32:22Z
Revert "s3:messages: allow messaging_dgm_ref() to use wrapper tevent_context"
This reverts commit 9dc332060cf5f249ea887dbc60ec7a39b6f91120.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 26107832cd9d200fb171ef1f991d7ef5478cac18)
- - - - -
5a3fa183 by Ralph Boehme at 2019-08-08T07:32:22Z
Revert "s3:messages: allow messaging_{dgm,ctdb}_register_tevent_context() to use wrapper tevent_context"
This reverts commit 660cf86639753edaa7a7a21a5b5ae207ae7d4260.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 1c3676f3aa9c1564eb140a24ced5ee72b859b87f)
- - - - -
2627724e by Ralph Boehme at 2019-08-08T11:20:26Z
Revert "s3:messages: protect against usage of wrapper tevent_context objects for messaging"
This reverts commit 7f2afc20e1b6397c364a98d1be006377c95e4665.
See the discussion in
https://lists.samba.org/archive/samba-technical/2018-December/131731.html
for the reasoning behind this revert.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 2a62a98f5c7107f2f83c0bfc2892243d83e2c88a)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Thu Aug 8 11:20:26 UTC 2019 on sn-devel-144
- - - - -
4fd7914e by Alexander Bokovoy at 2019-08-16T09:47:28Z
torture/rpc/lsa: allow testing different lookup levels
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
- - - - -
d89fc30d by Alexander Bokovoy at 2019-08-16T09:47:28Z
lookup_name: allow own domain lookup when flags == 0
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000004c-0000-0000-455d-3018575c0000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x000a (10)
size : 0x000c (12)
string : *
string : 'XS\ab'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
[0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
lookup_name: flags = 0x00
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
- - - - -
bf5ac945 by Alexander Bokovoy at 2019-08-16T14:18:35Z
smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Fri Aug 16 14:18:35 UTC 2019 on sn-devel-144
- - - - -
c7e98332 by Michael Adam at 2019-08-26T10:23:23Z
vfs:glusterfs_fuse: ensure fileids are constant across nodes
Instead of adding a new gluster-specific mode to the fileid module,
this patches provides a fileid algorithm as part of the glusterfs_fuse
vfs module. This can not be configured further, simply adding the
glusterfs_fuse vfs module to the vfs objects configuration will enable
the new fileid mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184
- - - - -
3aa131b5 by Michael Adam at 2019-08-26T10:23:23Z
vfs:glusterfs_fuse: build only if we have setmntent()
FreeBSD and other platforms that don't have setmntent() and friends can
not compile this module. This patch lets changes the build to only
compile this module if the setmntent() function is found.
This is the a follow-up fix to the actual fix for bug #13972.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184
- - - - -
1c43f6b1 by Isaac Boukris at 2019-08-26T10:23:24Z
selftest: remote_pac: s/s2u4self/s4u2self/g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 60afe949c3e664f81c9b0db9c54f701aa2874a5e)
- - - - -
c20f77fe by Isaac Boukris at 2019-08-26T10:23:24Z
selftest: check for PrimaryGroupId in DC returned group array
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)
- - - - -
1784a664 by Isaac Boukris at 2019-08-26T10:23:24Z
Add PrimaryGroupId to group array in DC response
This is a simplified version of the original patch by:
Felix Botner <botner at univention.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
(cherry picked from commit 2ae75184fcb5dc90602aeef113d4c13540073324)
- - - - -
d2b711ae by Volker Lendecke at 2019-08-26T10:23:24Z
vfs: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 59f29acb2cd947d2f594a5af3d73d0cbe8298d92)
- - - - -
0af50d85 by Christof Schmitt at 2019-08-26T10:23:24Z
Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
This reverts commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.
That patch broke the case with ID_TYPE_BOTH where a file is owned by a
group (e.g. using autorid and having a file owned by
BUILTIN\Administrators). In this case, the ACE entry for the group gets
mapped a to a user ACL entry and the group no longer has access (as in
the user's token the group is not mapped to a uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 42bd3a72a2525aa8a918f4bf7067b30ce8e0e197)
- - - - -
1db5a290 by Christof Schmitt at 2019-08-26T10:23:24Z
nfs4_acls: Remove fsp from smbacl4_win2nfs4
Only the information whether the ACL is for a file or a directory is
required. Replacing the fsp with a flag is clearer and allows for unit
testing of the mapping functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a06486bb110d04a90b66a0bca4b1b600ef3c0ebf)
- - - - -
c84bdb31 by Christof Schmitt at 2019-08-26T10:23:24Z
selftest: Start implementing unit test for nfs4_acls
Existing smbtorture tests set and query ACLs through SMB, only working
with the DACLs in the Security Descriptors, but never check the NFSv4
ACL representation. This patch introduces a unit test to verify the
mapping between between Security Descriptors and NFSv4 ACLs. As the
mapping code queries id mappings, the id mapping cache is first primed
with the mappings used by the tests and those mappings are removed again
during teardown.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8fb906a1860452a320c79ac87917a97303729c19)
- - - - -
ee47f743 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add tests for mapping of empty ACLs
This is a fairly simple test that ensures the mapping of empty ACLs
(without any ACL entries) is always done the same way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 00f494b25f4e1d1aecf6191523e30f20a90b1e4f)
- - - - -
7f1c567a by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add tests for mapping of ACL types
Add testcases for mapping the type field (ALLOW or DENY) between NFSv4
ACLs and security descriptors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit dd5934797526ebb4c6f3027a809401dad3abf701)
- - - - -
d142e46a by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
Add testcase for the mapping of inheritance flags when mapping from a
NFSv4 ACL to a DACL in the security descriptor. The mapping is different
between files and directories, as some inheritance flags should never be
present for files. Some defined flags like SUCCESSFUL_ACCESS are also
not mapped at this point, also verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 16eb61a900c6749c2554d635ce2dd903f5de1704)
- - - - -
0aadba93 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
Add testcase for the mapping of inheritance flags from the DACL in the
security descriptor to the NFSv4 ACL. The mapping is different for files
and directories as some inheritance flags should not be present for
files. Also other flags are not mapped at all, verify this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bccd2612761e26ee2514935d56927b2c0c000859)
- - - - -
f431a1b7 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
Add testcase for mapping permissions from the NFSv4 ACL to DACL in the
security descriptor. The mapping is simple as each permission bit exists
on both sides.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6)
- - - - -
c9650274 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
Add testcase for mapping the permission flags from the DACL in the
Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as
the same permission bits exist for Security Descriptors and NFSv4 ACLs.
In addition, the code also maps from the generic DACL permissions to a
set of NFSv4 permissions, also verify this mapping.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e4840e680744bd860beedeb5123704c3c0d6a4d7)
- - - - -
f900a6e1 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
In addition to entries for users and groups, NFSv4 ACLs have the concept
of entries for "special" entries. Only the "owner", "group" and
"everyone" entries are currently used in the ACL mapping.
Add a testcase that verifies the mapping from NFSv4 "special" entries to
the DACL in the security descriptor. Verify that only "owner", "group"
and "everyone" are mapped and all other "special" entries are ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f86148948c7f89307a34e31f6ddede6923149d34)
- - - - -
f0581b94 by Christof Schmitt at 2019-08-26T10:23:25Z
test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
Add testcase for mapping from entries in the DACL security descriptor to
"special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
ignored, as there is no meaningful mapping for this entry. Verify that
SID entries matching the owner or group are mapped to "special owner"
or "special group", but only if no inheritance flags are used. "special
owner" and "special group" with inheritance flags have the meaning of
CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1f1fa5bde2c76636c1beec39c21067b252ea10be)
- - - - -
e8f8c4c8 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
with inheritance flag in the security descriptor to NFSv4 "special
owner" and "special group" entries. This is the correct mapping for
these entries as inheriting "special owner" and "special group" grants
permissions to the actual owner and owning group of the new file or
directory, similar to what CREATOR entries do.
The other side is that CREATOR entries without any inheritance flags do
not make sense, so these are not mapped to NFSv4 ACL entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)
- - - - -
79f9a501 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
Add testcase for mapping from NFSv4 ACL entries for "special owner" and
"special group" to DACL entries in the security descriptor. Each NFSv4
entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR
GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR
entry and an additional explicit entry granting permission on the
current object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1)
- - - - -
b21c3f38 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for 'map full control' option
"map full control" when enabled adds the DELETE_CHILD permission, when
all other permissions are present. This allows Windows clients to
display the "FULL CONTROL" permissions.
Add a testcase that verifies this mapping when mapping from NFSv4 ACL to
the DACL in the security descriptor. Also verify that switching the
option off disables this behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 30677df4dac4ebfcf4e3198db33f14be37948197)
- - - - -
5b130cc4 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for acedup settings
The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the
setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries
are either merged, ignored or rejected. Add a testcase that has
duplicate ACL entries and verify the expected behavior for all possible
settings of the nfs4:acedup option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9671bf2b9f055012057620207624aa2f4ea6833e)
- - - - -
92d2e243 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for matching DACL entries for acedup
The NFSv4 mapping code has a config option nfs4:acedup for the mapping
path from DACLs to NFSv4 ACLs. Part of this codepath is detecting
duplicate ACL entries. Add a testcase with different ACL entries and
verify that only exactly matching entries are detected as duplicates and
treated accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f55cdf42a14f314102f2e13cb06d4db48c08ad4b)
- - - - -
f6427639 by Christof Schmitt at 2019-08-26T10:23:26Z
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the DACL in the
security descriptor to the NFSv4 ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ae06d96eb59722154d30e21949f9dba4f2f0bc6)
- - - - -
c5da1d66 by Christof Schmitt at 2019-08-26T10:23:27Z
test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
The mapping code between NFSv4 ACLs and security descriptors still has
the deprecated config setting "nfs4:mode = special". This should not be
used as it has security problems: All entries matching owner or group
are mapped to "special owner" or "special group", which can change its
meaning when being inherited to a new file or directory with different
owner and owning group.
This mode should eventually be removed, but as long as it still exists
add testcases to verify the expected behavior. This patch adds the
testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the
DACL in the security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 829c5ea99685c0629fd67ed0528897534ff35b36)
- - - - -
8ad87b9a by Christof Schmitt at 2019-08-26T10:23:27Z
test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from NFSv4 ACL entries to
DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 86480410aec1d2331c65826a13f909492165a291)
- - - - -
9ba27632 by Christof Schmitt at 2019-08-26T10:23:27Z
test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
aware whether a particular entry is for a user or a group. The
underlying assumption then is that is should not matter, as both the ACL
mapping maps everything to NFSv4 ACL group entries and the user's token
will contain gid entries for the groups.
Add a testcase to verify that when mapping from DACLS to NFSv4 ACL
entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 38331b00521ef764893a74add01758f14567d901)
- - - - -
d50b5fc5 by Christof Schmitt at 2019-08-26T10:23:27Z
nfs4_acls: Use sids_to_unixids to lookup uid or gid
This is the newer API to lookup id mappings and will make it easier to
add to the IDMAP_TYPE_BOTH case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d9a2ff559e1ad953141b1118a9e370496f1f61fa)
- - - - -
2493a9f8 by Christof Schmitt at 2019-08-26T10:23:27Z
nfs4_acls: Use switch/case for checking idmap type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f198a0867e71f248d4887ab0b6f2832123b16d11)
- - - - -
10266805 by Christof Schmitt at 2019-08-26T10:23:27Z
nfs4_acls: Use correct type when checking ownerGID
uid and gid are members of the same union so this makes no difference,
but for type correctness and readability use the gid to check for
ownerGID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3b3d722ce579c19c7b08d06a3adea275537545dc)
- - - - -
ff1cee15 by Christof Schmitt at 2019-08-26T10:23:27Z
nfs4_acls: Add helper function for checking INHERIT flags.
This avoids some code duplication. Do not make this static, as it will
be used in a later patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmit <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 336e8668c1cc3682cb3c198eb6dc49baf522a79a)
- - - - -
966916da by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Add missing braces in smbacl4_win2nfs4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ba73d2363d93a376ba4947963c9de45a7e683f02)
- - - - -
8c8f09c3 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
This is only used for logging of a rejected ACL, but does not provide
additional useful information. Remove it to simplify the function a bit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 44790721e4f2c6ee6f46de7ac88123ce1a9f6e39)
- - - - -
02a5fbd0 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Move smbacl4_MergeIgnoreReject function
This static function will be called earlier in later patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3499d97463110f042415d917160bc2743805a544)
- - - - -
7555f121 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit abb58b17599bd3f9a06037e208dcc5033c7fdd8b)
- - - - -
596a4e4d by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
Logging flags in case they do not match seems unnecessary. Other log
messages should show the flags as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ab0003ffc098247c3ee3962d7061f2af5a2d00e)
- - - - -
d297f347 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Remove redundant pointer variable
The previous patch introduced a pointer to a local variable to reduce
the amount of lines changed. Remove that pointer and adjust all usage
accordingly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit aa4644193635d846c2e08e8c1e7b512e8009c2ef)
- - - - -
657f79f8 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
In order to have the file system reflect the owner permissions in the
POSIX modebits, create a second entry for the user. This will be mapped
to the "special owner" entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b796119e2df38d1935064556934dd10da6f3d339)
- - - - -
b4b61724 by Christof Schmitt at 2019-08-26T10:23:28Z
nfs4_acls: Rename smbacl4_fill_ace4 function
As this function now maps the ACE and also adds it to the NFSv4 ACE,
change the name to better describe its behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 169812943de23cf2752289c63331d786b0b063bd)
- - - - -
1f10af9f by Christof Schmitt at 2019-08-26T10:23:29Z
nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
mapping back to a DACL, there should be no additional entry. Add a loop
that will check and remove entries that are exact duplicates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9c88602128592ddad537bf70cbe3c51f0b2cebe5)
- - - - -
c5d46911 by Christof Schmitt at 2019-08-26T10:23:29Z
nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
The previous patch introduced merging of duplicates on the mapping path
from NFS4 ACL entries to DACL entries. Add a testcase to verify the
expected behavior of this codepath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1a137a2f20c2f159c5feaef230a2b85bb9fb23b5)
- - - - -
548cc518 by Christof Schmitt at 2019-08-26T10:23:29Z
nfs4_acls: Use correct owner information for ACL after owner change
After a chown, the cached stat data is obviously no longer valid. The
code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
a local buffer for the stat data. So later checks of the stat buffer
under the fsp->fsp_name->st would still see the old information.
Fix this by removing the local stat buffer and always update the one
under fsp->fsp_name->st.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 86f7af84f04b06ed96b30f936ace92aa0937be06)
- - - - -
b3560baa by Christof Schmitt at 2019-08-26T10:23:29Z
vfs_gpfs: Remove merge_writeappend parameter
All supported GPFS versions now support setting WRITE and APPEND in the
ACLs independently. Remove this now unused parameter to simplify the
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0aca678fcf1788a76cf0ff11399211c795aa7d2f)
- - - - -
bba26e38 by Christof Schmitt at 2019-08-26T10:23:29Z
docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8bd79ecc37376dbaa35606f9c2777653eb3d55e3)
- - - - -
fe990205 by Christof Schmitt at 2019-08-26T10:23:29Z
vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
This is not functional change. It cleans up the code a bit and makes
expanding this codepath in a later patch easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit fbf3a090a9ec94262b2924461cc1d6336af9919c)
- - - - -
0cb08a23 by Christof Schmitt at 2019-08-26T10:23:29Z
vfs_gpfs: Implement special case for denying owner access to ACL
In GPFS, it is not possible to deny ACL or attribute access through a
SPECIAL_OWNER entry. The best that can be done is mapping this to a
named user entry, as this one can at least be stored in an ACL. The same
cannot be done for inheriting SPECIAL_OWNER entries, as these represent
CREATOR OWNER entries, and the limitation of not being able to deny
owner access to ACL or attributes remains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c1770ed96fd3137f45d584ba9328333d5505e3af)
- - - - -
dcff563d by Anoop C S at 2019-08-26T13:26:08Z
vfs_glusterfs: Enable profiling for file system operations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093
Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Mon Aug 26 13:26:08 UTC 2019 on sn-devel-144
- - - - -
1205c5cb by Karolin Seeger at 2019-08-27T08:14:30Z
WHATSNEW: Add release notes for Samba 4.9.12.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
53d19bf5 by Karolin Seeger at 2019-08-27T08:14:50Z
VERSION: Diable GIT_SNAPSHOT for the 4.9.12 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
674ef369 by Karolin Seeger at 2019-08-28T07:39:14Z
VERSION: Bump version up to 4.9.13...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
4772adbe by Jeremy Allison at 2019-08-28T07:39:46Z
CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
Will be called on elsewhere on successful impersonation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
5604883d by Stefan Metzmacher at 2019-08-28T07:39:46Z
CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
We should not leave current_user.done_chdir as true if we didn't call
chdir_current_service() with success.
This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
chdir_current_service() worked once on one share but later failed on another
share.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
104557f2 by Stefan Metzmacher at 2019-08-28T07:39:46Z
CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
1305693d by Stefan Metzmacher at 2019-08-28T07:39:46Z
CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
The next patch will otherwise break the fsrvp related tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c9852875 by Stefan Metzmacher at 2019-08-28T07:39:46Z
CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
8e2c37bd by Stefan Metzmacher at 2019-08-28T07:39:46Z
CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
This makes sure we always call chdir_current_service() even
when we still impersonated the user. Which is important
in order to run the SMB* request within the correct working directory
and only if the user has permissions to enter that directory.
It makes sure we always update conn->lastused_count
in chdir_current_service() for each request.
Note that vfs_ChDir() (called from chdir_current_service())
maintains its own cache and avoids calling SMB_VFS_CHDIR()
if possible.
It means we still avoid syscalls if we get a multiple requests
for the same session/tcon tuple.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
514743b2 by Karolin Seeger at 2019-08-28T07:44:22Z
WHATSNEW: Add release notes for Samba 4.9.13.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
CVE-2019-10197 [SECURITY][EMBARGOED] permissions check deny can allow user to
escape from the share.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
1acf30ac by Karolin Seeger at 2019-08-28T07:45:38Z
VERSION: Disable GIT_SNAPSHOT for the 4.9.13 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
- - - - -
93257106 by Mathieu Parent at 2019-09-03T19:07:03Z
New upstream version 4.9.13+dfsg
- - - - -
30 changed files:
- VERSION
- WHATSNEW.txt
- auth/auth_sam_reply.c
- ctdb/config/ctdb.service
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- docs-xml/manpages/vfs_glusterfs_fuse.8.xml
- docs-xml/manpages/vfs_gpfs.8.xml
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/findsmb.1
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/8bad427e91365049b12a676286299c4871f3460f...932571068ed2d1977cceeeb5e9869bd802d1d034
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/8bad427e91365049b12a676286299c4871f3460f...932571068ed2d1977cceeeb5e9869bd802d1d034
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20190903/7244efb9/attachment-0001.html>
More information about the Pkg-samba-maint
mailing list