[Pkg-samba-maint] [Git][samba-team/samba][experimental] 1851 commits: VERSION: Bump version up to 4.18.0pre1...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Fri Jan 20 18:30:54 GMT 2023
Michael Tokarev pushed to branch experimental at Debian Samba Team / samba
Commits:
f5faafb5 by Jule Anger at 2022-08-08T16:22:13+02:00
VERSION: Bump version up to 4.18.0pre1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
4292cfa4 by Jule Anger at 2022-08-08T16:24:21+02:00
WHATSNEW: Start release notes for Samba 4.18.0pre1.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
751b2b85 by Jule Anger at 2022-08-08T15:51:44+00:00
ldb: change the version to 2.7.0 for Samba 4.18
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Mon Aug 8 15:51:44 UTC 2022 on sn-devel-184
- - - - -
cb8518e1 by Pavel Filipenský at 2022-08-08T18:06:37+00:00
s3:include: Fix trailing whitespaces in secrets.h
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d6490bdc by Pavel Filipenský at 2022-08-08T19:03:08+00:00
s3:passdb: Remove unused function secrets_fetch_trust_account_password()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 8 19:03:08 UTC 2022 on sn-devel-184
- - - - -
b1b513ee by Volker Lendecke at 2022-08-09T19:07:29+00:00
smbd: Use dirfsp where we have it
One reference to conn->cwd_fsp less, makes "mkdir" look less ugly in
strace.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4d015b4b by Volker Lendecke at 2022-08-09T20:04:26+00:00
smbstatus: Fix the 32-bit build on FreeBSD
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 9 20:04:26 UTC 2022 on sn-devel-184
- - - - -
19f73f19 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_ldb.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_ldb.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c44289ce by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_ldb_simple.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_ldb_simple.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
81f16949 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_net_ads.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_net_ads.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
865531f9 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_net_ads_dns.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_net_ads_dns.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
8a4a8b7a by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_net_ads_fips.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_net_ads_fips.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
a43a7e78 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_net_offline.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_net_offline.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
7403de7e by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_net_rpc_user.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_net_rpc_user.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
0a4eb5d8 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_offline_logon.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_offline_logon.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c7d01342 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_old_enctypes.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_old_enctypes.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
8490449f by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_password_settings.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_password_settings.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
9d1a2552 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_pdbtest.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_pdbtest.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c253c99d by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_pkinit_pac.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_pkinit_pac.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
6e300ccd by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_pkinit_simple.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_pkinit_simple.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
ef9dc727 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_primary_group.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_primary_group.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4627320e by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_rpcclient_schannel.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_rpcclient_schannel.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
f1ebc2d7 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_s4u_heimdal.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
eff28db8 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_samba-tool_ntacl.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_samba-tool_ntacl.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
dae369f4 by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_samba_upgradedns.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_samba_upgradedns.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
2d64eafa by Andreas Schneider at 2022-08-10T09:22:30+00:00
testprogs: Reformat test_smbtorture_test_names.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_smbtorture_test_names.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
854a45ca by Andreas Schneider at 2022-08-10T10:21:48+00:00
testprogs: Reformat test_special_group.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_special_group.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Aug 10 10:21:48 UTC 2022 on sn-devel-184
- - - - -
12d67003 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_trust_ntlm.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_trust_ntlm.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
eced0939 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_trust_token.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_trust_token.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
8c65813c by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_trust_user_account.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_trust_user_account.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
138e7f05 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_trust_utils.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_trust_utils.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
34322c49 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_weak_crypto.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_weak_crypto.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4973baf6 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_weak_crypto_server.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_weak_crypto_server.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
1c89bdb6 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_weak_disable_ntlmssp_ldap.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
022f5aa7 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat test_wintest.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_wintest.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c1325fc1 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat tombstones-expunge.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/tombstones-expunge.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
db8849ea by Andreas Schneider at 2022-08-10T13:17:31+00:00
testprogs: Reformat upgradeprovision-oldrelease.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/upgradeprovision-oldrelease.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
bb2e0622 by Andreas Schneider at 2022-08-10T13:17:31+00:00
testsuite: Reformat shell scripts
shfmt -f testsuite/ | xargs shfmt -w -p -i 0 -fn
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
042141ef by Andreas Schneider at 2022-08-10T14:14:04+00:00
third_party: Reformat shell scripts
shfmt -w -p -i 0 -fn third_party/update.sh
shfmt -w -p -i 0 -fn third_party/waf/update.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Aug 10 14:14:04 UTC 2022 on sn-devel-184
- - - - -
0d3995ce by Ralph Boehme at 2022-08-10T15:32:35+00:00
smdb: use fsp_is_alternate_stream() in open_file()
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
b26dc252 by Ralph Boehme at 2022-08-10T15:32:35+00:00
vfs_xattr_tdb: move close_xattr_db()
This just makes the diff of the next commit smaller and easier to digest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
451ad315 by Ralph Boehme at 2022-08-10T15:32:35+00:00
vfs_xattr_tdb: add a module config
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
92e0045d by Ralph Boehme at 2022-08-10T15:32:35+00:00
vfs_xattr_tdb: add "xattr_tdb:ignore_user_xattr" option
Allows passing on "user." xattr to the backend. This can be useful for testing
specific aspects of operation on streams when "streams_xattr" is configured as
stream filesystem backend.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
23bc760e by Ralph Boehme at 2022-08-10T15:32:35+00:00
CI: add a test trying to delete a stream on a pathref ("stat open") handle
When using vfs_streams_xattr, for a pathref handle of a stream the system fd
will be a fake fd created by pipe() in vfs_fake_fd().
For the following callchain we wrongly pass a stream fsp to
SMB_VFS_FGET_NT_ACL():
SMB_VFS_CREATE_FILE(..., "file:stream", ...)
=> open_file():
if (open_fd):
-> taking the else branch:
-> smbd_check_access_rights_fsp(stream_fsp)
-> SMB_VFS_FGET_NT_ACL(stream_fsp)
This is obviously wrong and can lead to strange permission errors when using
vfs_acl_xattr:
in vfs_acl_xattr we will try to read the stored ACL by calling
fgetxattr(fake-fd) which of course faild with EBADF. Now unfortunately the
vfs_acl_xattr code ignores the specific error and handles this as if there was
no ACL stored and subsequently runs the code to synthesize a default ACL
according to the setting of "acl:default acl style".
As the correct access check for streams has already been carried out by calling
check_base_file_access() from create_file_unixpath(), the above problem is not
a security issue: it can only lead to "decreased" permissions resulting in
unexpected ACCESS_DENIED errors.
The fix is obviously going to be calling
smbd_check_access_rights_fsp(stream_fsp->base_fsp).
This test verifies that deleting a file works when the stored NT ACL grants
DELETE_FILE while the basic POSIX permissions (used in the acl_xattr fallback
code) do not.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
c949e4b2 by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: use metadata_fsp() with SMB_VFS_FGET_NT_ACL()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
4ab29e2a by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: use metadata_fsp() with SMB_VFS_FSET_NT_ACL()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
03b9ce84 by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: use metadata_fsp() with SMB_VFS_FGET_DOS_ATTRIBUTES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
55e55804 by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: use metadata_fsp() with SMB_VFS_FSET_DOS_ATTRIBUTES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
3af8f8e8 by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: ignore request to set the SPARSE attribute on streams
As per MS-FSA 2.1.1.5 this is a per stream attribute, but our backends don't
support it in a consistent way, therefor just pretend success and ignore the
request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
06555c6b by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: use metadata_fsp() in get_acl_group_bits()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f0299abf by Ralph Boehme at 2022-08-10T15:32:35+00:00
smbd: skip access checks for stat-opens on streams in open_file()
For streams, access is already checked in create_file_unixpath() by
check_base_file_access().
We already skip the access check in this function when doing an IO open of a
file, see above in open_file(), also skip it for "stat opens".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
51243e38 by Ralph Boehme at 2022-08-10T15:32:35+00:00
vfs_streams_xattr: restrict which fcntl's are allowed on streams
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
fc45fcfd by Ralph Boehme at 2022-08-10T16:32:35+00:00
vfs_default: assert all passed in fsp's and names are non-stream type
Enforce fsp is a non-stream one in as many VFS operations as possible in
vfs_default. We really need an assert here instead of returning an error, as
otherwise he can have very hard to diagnose bugs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Aug 10 16:32:35 UTC 2022 on sn-devel-184
- - - - -
60ce54c3 by Pavel Filipenský at 2022-08-11T05:39:30+00:00
s3:passdb: Remove upgrade support of samba-2.2 style ldap password
It was introduced in 2002. Probably we no longer need to support
password upgrade from samba-2.2.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
1b470aaa by Pavel Filipenský at 2022-08-11T06:34:56+00:00
s3:passdb: Consolidate error checking in fetch_ldap_pw()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Aug 11 06:34:56 UTC 2022 on sn-devel-184
- - - - -
8c7e8c5f by Stefan Metzmacher at 2022-08-11T18:28:36+00:00
s3:include: remove unused update_stat_ex_file_id() prototype
It was removed by commit 643da37fd139413651a6198fb0f6e550f7de6584
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a0a97d27 by Stefan Metzmacher at 2022-08-11T18:28:36+00:00
smbd: avoid calling SMB_VFS_FGET_NT_ACL() if do_not_check_mask already covers all
This is inspired by 0d4cb5a641e1fea2d369bdc66470a580321366c2,
which avoids SMB_VFS_FGET_NT_ACL() for the root user again.
Opens with just FILE_READ_ATTRIBUTES are very common, so it's worth
optimizing for it.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cd01f513 by Stefan Metzmacher at 2022-08-11T18:28:36+00:00
s3:g_lock: use TDB_VOLATILE to avoid fcntl locks
This improves 'time smbtorture3 //foo/bar -U% local-g-lock-ping-pong -o 50000000'
from ~1.400.000 to ~3.400.000 operations per second any a testsystem.
As we also use TDB_VOLATILE for locking.tdb, this is a much more
realistic test now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
72caffbe by Stefan Metzmacher at 2022-08-11T18:28:36+00:00
s4:param: add --option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4" support...
We already handle this in the source3/libsmb code, but it's good to
have this also for torture tests.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8ee783c4 by Stefan Metzmacher at 2022-08-11T18:28:36+00:00
s4:torture/smb2: teach smb2.bench.path-contention-shared about --option="torture:qdepth=4"
This can now test more than one open/close loop per connection.
time smbtorture //127.0.0.1/m -Uroot%test \
smb2.create.bench-path-contention-shared \
--option='torture:bench_path=' \
--option="torture:timelimit=60" \
--option="torture:nprocs=1" \
--option="torture:qdepth=4"
The default is still 1, but it's very useful for tests.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
23988f19 by Stefan Metzmacher at 2022-08-11T19:23:37+00:00
s4:torture/smb2: add smb2.bench.echo
This test calls SMB2_Echo in a loop per connection.
For 4 connections with 2 parallel loops use this:
time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.echo \
--option="torture:timelimit=600" \
--option="torture:nprocs=1" \
--option="torture:qdepth=2"
Sometimes the bottleneck is the smbtorture process.
In order to bring the smbd process to 100% cpu, you can use
'--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"'
and run multiple instances of the test at the same time,
which both talk to the same smbd process.
This is a very useful test to show how many requests are possible
at the raw SMB2 layer.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 11 19:23:37 UTC 2022 on sn-devel-184
- - - - -
2818fd69 by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Fix cosmetic bug logging pathnames from Linux kernel clients using SMB1 DFS calls.
The Linux kernel SMB1 client has a bug - it sends
DFS pathnames as:
\\server\share\path
instead of:
\server\share\path
Causing us to mis-parse server,share,remaining_path here
and jump into 'goto local_path' at 'share\path' instead
of 'path'.
This doesn't cause an error as the limits on share names
are similar to those on pathnames.
parse_dfs_path() which we call before filename parsing
copes with this by calling trim_char on the leading '\'
characters before processing.
Do the same here so logging of pathnames looks better.
How did I find this ? Lots and lots of manual
testing with the Linux kernel client to make
sure all the recent changes haven't broken Linux
SMB1/2/3 DFS :-).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
bcba5502 by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Add new function check_path_syntax_smb2_msdfs() for SMB2 MSDFS paths.
#ifdef'ed out as static and not yet used.
We can't just call check_path_syntax() on these as
they are of the form hostname\share[\extrapath]
(where [\extrapath] is optional).
hostname here can be an IPv6 ':' separated address,
which check_path_syntax() fails on due to the streamname
processing.
NB. This also has to cope with out existing (broken)
libsmbclient libraries that sometimes set the DFS
flag and then send a local pathname. Cope by just
calling the normal check_path_syntax() on the
whole pathname in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7bd7fa0a by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Add helper function check_path_syntax_smb2().
Not yet used, but uses check_path_syntax_smb2_msdfs()
so remove the #ifdef's around that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4fafc341 by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: In smbd_smb2_create_send() call the helper function check_path_syntax_smb2().
Previously for DFS names we were skipping this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a2a097fc by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Make sure we have identical check_path_syntax logic in smbd_smb2_create_durable_lease_check(), as for smb2_create.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0a4a27ce by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Ensure smb2_file_rename_information() uses the SMB2 pathname parsers, not the SMB1 parsers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2df8a8ab by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Add TALLOC_CTX * parameter to parse_dfs_path().
Not yet used. Preparing to remove 'struct dfs_path'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
f92711f0 by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Remove use of 'struct dfs_path'. Not needed for a (hostname, servicename, path) tuple.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6c83c674 by Jeremy Allison at 2022-08-12T18:19:30+00:00
s3: smbd: Remove definition of struct dfs_path.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4f5d02f8 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Add helper function msdfs_servicename_matches_connection().
Not yet used so commented out.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
c0a1d7c7 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Use helper function msdfs_servicename_matches_connection() in parse_dfs_path().
Replaces ugly complex logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a3c9eb79 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Use helper function msdfs_servicename_matches_connection() in dfs_redirect().
Replaces ugly complex logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
245d07ab by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Add dfs_filename_convert(). Simple wrapper around parse_dfs_path().
Not yet used.
This is what we will use to replace dfs_redirect() in the filename
conversion code. Keep as a wrapper for now as we might want to
add some error checking around the 'hostname' and 'service'
returns.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
da625e4a by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: In get referred_path(), make sure check_path_syntax() is called on returned reqpath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a92f4f7a by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: In get create_junction(), make sure check_path_syntax() is called on returned reqpath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b5f68095 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Allow openat_pathref_dirfsp_nosymlink() to return NT_STATUS_PATH_NOT_COVERED for a DFS link on a DFS share.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
07ef9e30 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: In filename_convert_dirfsp_nosymlink(), allow a NT_STATUS_PATH_NOT_COVERED error to be returned.
openat_pathref_dirfsp_nosymlink() can now return NT_STATUS_PATH_NOT_COVERED.
Don't convert this automatically into NT_STATUS_OBJECT_PATH_NOT_FOUND..
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d80bedc3 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: In filename_convert_dirfsp_nosymlink(), cope with an MS-DFS link as the terminal component.
If the terminal component was an MSDFS link, openat_pathref_fsp_case_insensitive() will
return NT_STATUS_OBJECT_NAME_NOT_FOUND with a VALID_STAT of a symlink.
If this is the case, check if we actually found a terminal MS-DFS link
at the end of the pathname and return NT_STATUS_PATH_NOT_COVERED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
fcf19d91 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Remove call to dfs_redirect() from filename_convert_smb1_search_path().
Use dfs_filename_convert() instead. Code is now much simpler.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d20b60c3 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Remove call to dfs_redirect() from filename_convert_dirfsp_nosymlink().
Use dfs_filename_convert() instead. There are now no more callers of dfs_redirect().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6b1224b2 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Remove dfs_redirect().
A moment of silence please.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
22d4f625 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Add new version of dfs_path_lookup() that uses filename_convert_dirfsp().
Commented out as not yet used but it's easier to see the
new logic this way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
88e8bfec by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Switch get_referred_path() over to use the new dfs_path_lookup().
New function doesn't need a TWRP argument and returns NT_STATUS_OK
on successful redirect, not NT_STATUS_PATH_NOT_COVERED.
Comment out the old dfs_path_lookup().
There are now no more users of unix_convert().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
cc638c25 by Jeremy Allison at 2022-08-12T18:19:31+00:00
s3: smbd: Remove the old dfs_path_lookup() code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
78e4aac7 by Jeremy Allison at 2022-08-12T19:18:25+00:00
s3: smbd: Remove unix_convert() and associated functions.
All code now uses filename_convert_dirfsp() for race-free
filename conversion.
Best viewed with:
$ git show --patience
----------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| |
| unix_convert |
| |
| |
| 9th August |
| 2022 |
| |
| |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///\/|_)_______
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 12 19:18:25 UTC 2022 on sn-devel-184
- - - - -
4a702cdd by Andreas Schneider at 2022-08-12T20:48:31+00:00
s3:util: Initialize json_object structures so we can call json_free()
CID 1507863
CID 1507865
CID 1507866
CID 1507867
CID 1507868
CID 1507869
CID 1507870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15140
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a38fad29 by Andreas Schneider at 2022-08-12T21:50:23+00:00
s3:utils: Fix NULL check
CID 1507864
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15140
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 12 21:50:23 UTC 2022 on sn-devel-184
- - - - -
085f1485 by Stefan Metzmacher at 2022-08-15T15:03:36+00:00
s3:tests: add a lot more tests to test_symlink_traversal_smb2.sh
We now also test more path components checking the difference between
OBJECT_NAME_NOT_FOUND and OBJECT_PATH_NOT_FOUND.
We also test with symlinks within the path instead of only checking
symlinks as final path components (at least for the dirfsp part).
This ensures the following commits won't introduce regressions
when adding the openat2(RESOLVE_NO_SYMLINK) optimization.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
2b51bad7 by Stefan Metzmacher at 2022-08-15T15:03:36+00:00
wafsamba: allow cflags for CHECK_TYPE[_IN]()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
cea9451f by Stefan Metzmacher at 2022-08-15T15:03:36+00:00
vfs_io_uring: hide a possible definition of struct open_how in liburing/compat.h
liburing.h will include liburing/compat.h, which either includes
linux/openat2.h or defines struct open_how itself.
This will help with the following changes, which will provide
openat2() via libreplace's system/filesys.h, either including
linux/openat2.h or defining open_how ourself.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
2369d083 by Stefan Metzmacher at 2022-08-15T15:03:36+00:00
vfs_btrfs: fix include order, includes.h or replace.h should be first
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
ce804b78 by Stefan Metzmacher at 2022-08-15T15:03:36+00:00
lib/replace: add a replacement for openat2() that returns ENOSYS
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
37ba6df1 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
lib/replace: always include <sys/syscall.h> in replace.c if available
It will be used for openat2() soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
b89001e9 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
lib/replace: use syscall(__NR_openat2) if available
There's no glibc wrapper for openat2() yet, so we need
to use syscall(__NR_openat2) ourself.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f7618dd3 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
lib/replace: add fallback defines for __NR_openat2
sys/syscall.h might be older than the runtime kernel.
If the kernel has support for openat2() we should
try to use if anyway.
The callers have to deal with ENOSYS anyway,
so there's no difference if we get that from syscall(__NR_openat2)
or directly from rep_openat2().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
ae1a84f7 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
lib/replace: let DISABLE_OPATH also undef __NR_openat2
The reason for DISABLE_OPATH is to simulate a non-linux
system, so we should not use openat2() either.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f7dc2755 by Volker Lendecke at 2022-08-15T15:03:37+00:00
vfs: define VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
This will allow us to make use of openat2(RESOLVE_NO_SYMLINKS) soon.
The caller should check if connection_struct.open_how_resolve contains
VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS before using it, this avoids waisting
cpu time. But even then the caller must be prepared to handle -1/ENOSYS.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
17484d06 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
s3:smbd: let openat_pathref_dirfsp_nosymlink() do a verification loop against . and .. first
I guess we should catch NT_STATUS_OBJECT_NAME_INVALID first,
currently the check is already done in check_path_syntax*,
but we may remove it in future.
But the most important reason for this is the
openat2(RESOLVE_NO_SYMLINK) optimization, which will
be introduced in the following commits.
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
35b99c87 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
s3:smbd: let openat_pathref_dirfsp_nosymlink() handle ELOOP similar to ENOTDIR
This is no likely to happen as we use O_NOFOLLOW with O_DIRECTORY,
but it's better to be prepared...
This will be more important in the upcoming openat2(RESOLVE_NO_SYMLINK)
case, but we should be consitent...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
d6653067 by Volker Lendecke at 2022-08-15T15:03:37+00:00
s3:smbd: let openat_pathref_dirfsp_nosymlink() try VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS first
This will reduce the amount of syscalls and the related cost drastically
for long path names.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
8544f449 by Stefan Metzmacher at 2022-08-15T15:03:37+00:00
vfs_default: prepare O_PATH usage with openat2()
When O_PATH is specified in flags, flag bits other than O_CLOEXEC,
O_DIRECTORY, and O_NOFOLLOW are ignored.
In preparation to use openat2(), which gives an error instead of
ignoring flags, we better remove unexpected flags, callers typically
pass O_RDONLY and O_NONBLOCK.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
4708ba2f by Volker Lendecke at 2022-08-15T15:03:37+00:00
vfs_default: Use openat2(RESOLVE_NO_SYMLINKS) if available
This improves the following test:
time smbtorture //127.0.0.1/m -Uroot%test \
smb2.create.bench-path-contention-shared \
--option='torture:bench_path=Apps\1\2\3\4\5\6\7\8\9\10' \
--option="torture:timelimit=600" \
--option="torture:nprocs=1"
From:
open[num/s=14186,avslat=0.000044,minlat=0.000042,maxlat=0.000079]
close[num/s=14185,avslat=0.000027,minlat=0.000025,maxlat=0.000057]
to:
open[num/s=16917,avslat=0.000038,minlat=0.000035,maxlat=0.000340]
close[num/s=16916,avslat=0.000020,minlat=0.000019,maxlat=0.000104]
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
076c22fb by Stefan Metzmacher at 2022-08-15T16:00:26+00:00
selftest/Samba3: let nt4_dc* use vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=no
We should always test the code path without openat2 being available,
even if the kernel supports it.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Aug 15 16:00:26 UTC 2022 on sn-devel-184
- - - - -
c6933673 by Jeremy Allison at 2022-08-16T07:33:36+00:00
s3: tests: Add samba3.blackbox.test_veto_files.
Shows we currently don't look at smb.conf veto files parameter
when opening a file or directory. Checks multi-component paths.
Also checks veto files that might be hidden behind a mangled
name.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
1c293060 by Jeremy Allison at 2022-08-16T07:33:36+00:00
s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink().
Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component.
Note IS_VETO_PATH only looks at the last component, so we must
do it during the directory walk on each component.
Note, we also have to check after a call to get_real_filename_at()
as it may have demangled the client sent name into a filesystem
name that matches the "veto files" parameter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
1654eae1 by Jeremy Allison at 2022-08-16T08:26:54+00:00
s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive().
Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for final component.
Note we have to call the check before each call to
openat_pathref_fsp(), as each call may be using a
different filesystem name. The first name is the
one passed into openat_pathref_fsp_case_insensitive()
by the caller, the second one is a name retrieved from
get_real_filename_cache_key(), and the third one is the name
retrieved from get_real_filename_at(). The last two
calls may have demangled the client given name into
a veto'ed path on the filesystem.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Aug 16 08:26:54 UTC 2022 on sn-devel-184
- - - - -
5adf0512 by Stefan Metzmacher at 2022-08-16T10:54:30+00:00
s3:vfs.h: add comment about VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
55b3bcc3 by Stefan Metzmacher at 2022-08-16T11:51:36+00:00
s3:vfs.h: change SMB_VFS_INTERFACE_VERSION to 48 for 4.18
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Aug 16 11:51:36 UTC 2022 on sn-devel-184
- - - - -
4b91702a by Jule Anger at 2022-08-16T14:11:32+00:00
s3:tests: let smbstatus json tests fail if jq is not installed
Signed-off-by: Jule Anger <janger at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ddbf1b29 by Jule Anger at 2022-08-16T15:04:54+00:00
manpages: add smbstatus option --json with sample output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15147
Signed-off-by: Jule Anger <janger at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Aug 16 15:04:54 UTC 2022 on sn-devel-184
- - - - -
563a2c8d by Andreas Schneider at 2022-08-17T06:13:35+00:00
waf: Fix SO version number of libsamba-errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15141
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
- - - - -
123f1c07 by Christian Ambach at 2022-08-17T07:14:21+00:00
s3:utils remove documentation of -l as alias for --long
This was removed in 94fc9ca4c506468ab1907d501c0964d67b9d963c, so remove it from
the usage output and manpage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15145
Signed-off-by: Christian Ambach <ambi at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Aug 17 07:14:21 UTC 2022 on sn-devel-184
- - - - -
0bdfb5a5 by Jeremy Allison at 2022-08-17T08:59:34+00:00
s3/smbd: Use after free when iterating smbd_server_connection->connections
In SMB2 smbd_smb2_tree_connect() we create a new conn struct
inside make_connection_smb2() then move the ownership to tcon using:
tcon->compat = talloc_move(tcon, &compat_conn);
so the lifetime of tcon->compat is tied directly to tcon.
Inside smbXsrv_tcon_disconnect() we have:
908 ok = chdir_current_service(tcon->compat);
909 if (!ok) {
910 status = NT_STATUS_INTERNAL_ERROR;
911 DEBUG(0, ("smbXsrv_tcon_disconnect(0x%08x, '%s'): "
912 "chdir_current_service() failed: %s\n",
913 tcon->global->tcon_global_id,
914 tcon->global->share_name,
915 nt_errstr(status)));
916 tcon->compat = NULL;
917 return status;
918 }
919
920 close_cnum(tcon->compat, vuid);
921 tcon->compat = NULL;
If chdir_current_service(tcon->compat) fails, we return status without ever having
called close_cnum(tcon->compat, vuid), leaving the conn pointer left in the linked
list sconn->connections.
The caller frees tcon and (by ownership) tcon->compat, still leaving the
freed tcon->compat pointer on the sconn->connections linked list.
When deadtime_fn() fires and walks the sconn->connections list it
indirects this freed pointer. We must call close_cnum() on error also.
Valgrind trace from Noel Power <noel.power at suse.com> is:
==6432== Invalid read of size 8
==6432== at 0x52CED3A: conn_lastused_update (conn_idle.c:38)
==6432== by 0x52CEDB1: conn_idle_all (conn_idle.c:54)
==6432== by 0x5329971: deadtime_fn (smb2_process.c:1566)
==6432== by 0x5DA2339: smbd_idle_event_handler (util_event.c:45)
==6432== by 0x685F2F8: tevent_common_invoke_timer_handler (tevent_timed.c:376)
==6432== Address 0x19074b88 is 232 bytes inside a block of size 328 free'd
==6432== at 0x4C3451B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B38521: _tc_free_internal (talloc.c:1222)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B385C5: _talloc_free_internal (talloc.c:1248)
==6432== by 0x5B3988D: _talloc_free (talloc.c:1792)
==6432== by 0x5349B22: smbd_smb2_flush_send_queue (smb2_server.c:4828)
==6432== Block was alloc'd at
==6432== at 0x4C332EF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B378D9: __talloc_with_prefix (talloc.c:783)
==6432== by 0x5B37A73: __talloc (talloc.c:825)
==6432== by 0x5B37E0C: _talloc_named_const (talloc.c:982)
==6432== by 0x5B3A8ED: _talloc_zero (talloc.c:2421)
==6432== by 0x539873A: conn_new (conn.c:70)
==6432== by 0x532D692: make_connection_smb2 (smb2_service.c:909)
==6432== by 0x5352B5E: smbd_smb2_tree_connect (smb2_tcon.c:344)
https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
f92bacbe by Jeremy Allison at 2022-08-17T09:54:06+00:00
s3/smbd: Use after free when iterating smbd_server_connection->connections
Change conn_free() to just use a destructor. We now
catch any other places where we may have forgetten to
call conn_free() - it's implicit on talloc_free(conn).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Based on code from Noel Power <noel.power at suse.com>.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed Aug 17 09:54:06 UTC 2022 on sn-devel-184
- - - - -
5ae4a624 by Andreas Schneider at 2022-08-17T10:08:35+00:00
bootstrap: Install ShellCheck and shfmt
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
b696ae1b by Andreas Schneider at 2022-08-17T10:08:35+00:00
script: Add script to run shellcheck on shell scripts
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
665db976 by Andreas Schneider at 2022-08-17T10:08:35+00:00
s3:script: Fix variable asignment in test_dfree_command.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
95947788 by Andreas Schneider at 2022-08-17T10:08:35+00:00
testprogs: Fix variable asignment in test_wintest.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
0461fa13 by Andreas Schneider at 2022-08-17T10:08:35+00:00
examples: Fix shellcheck error in get_next_oid
examples/LDAP/get_next_oid:6:4: error: Remove spaces around += to assign
(or quote '+=' if literal). [SC2285]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
fe33eaba by Andreas Schneider at 2022-08-17T10:08:35+00:00
examples: Remove trailing spaces in VampireDriversFunctions
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c3823ff3 by Andreas Schneider at 2022-08-17T10:08:35+00:00
examples: Fix shellcheck error in VampireDriversFunctions
examples/printing/VampireDriversFunctions:183:24: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
72f16b63 by Andreas Schneider at 2022-08-17T10:08:35+00:00
nsswitch: Fix shellcheck errors in test_rfc2307_mapping.sh
nsswitch/tests/test_rfc2307_mapping.sh:65:139: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
233a0cd6 by Andreas Schneider at 2022-08-17T10:08:35+00:00
lib:fuzzing: Fix shellcheck errors in build_samba.sh
lib/fuzzing/oss-fuzz/build_samba.sh:24:27: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
e4371a4c by Andreas Schneider at 2022-08-17T11:03:54+00:00
release-script: Fix shellcheck errors
./release-scripts/build-docs:4:7: error: Double quote array expansions
to avoid re-splitting elements. [SC2068]
Same error for the other scripts.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Aug 17 11:03:54 UTC 2022 on sn-devel-184
- - - - -
9203d171 by Jeremy Allison at 2022-08-18T13:07:34+00:00
s3: smbd: Add "enum file_close_type close_type" parameter to close_cnum().
Not yet used, but needed so we can differentiate between
SHUTDOWN_CLOSE and ERROR_CLOSE in smbXsrv_tcon_disconnect()
if we fail to chdir. In that case we want to close the fd,
but not run any delete-on-close actions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
7005a635 by Jeremy Allison at 2022-08-18T13:07:34+00:00
s3: smbd: Add "enum file_close_type close_type" parameter to file_close_conn().
Not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
cf5f7b14 by Jeremy Allison at 2022-08-18T14:10:18+00:00
s3: smbd: Plumb close_type parameter through close_file_in_loop(), file_close_conn()
Allows close_file_in_loop() to differentiate between SHUTDOWN_CLOSE
(previously it only used this close type) and ERROR_CLOSE - called
on error from smbXsrv_tcon_disconnect() in the error path. In that
case we want to close the fd, but not run any delete-on-close actions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra at samba.org>
Reivewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Thu Aug 18 14:10:18 UTC 2022 on sn-devel-184
- - - - -
7592aad4 by Stefan Metzmacher at 2022-08-18T18:45:34+00:00
s3:smbd: share_mode_flags_set() takes SMB2_LEASE_* values
We currently only ever pass SMB2_LEASE_READ and both
have the same value of 0x1, so for now it's only cosmetic,
but that will change soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
9e5ff607 by Stefan Metzmacher at 2022-08-18T18:45:34+00:00
s4:torture/smb2: add smb2.lease.v[1,2]_bug_15148
This demonstrates the bug that happens with a
write to a file handle holding an R lease,
while there are other openers without any lease.
When one of the other openers writes to the file,
the R lease of the only lease holder isn't broken to NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
96e2a827 by Stefan Metzmacher at 2022-08-18T19:41:33+00:00
s3:smbd: only clear LEASE_READ if there's no read lease is left
If contend_level2_oplocks_begin_default() skips break it's
own lease, we should not clear SHARE_MODE_LEASE_READ
in share_mode_data->flags.
Otherwise that lease won't see any lease break notifications
for writes from other clients (file handles not using the same lease
key).
So we need to count the number existing read leases (including
the one with the same lease key) in order to know it's
safe to clear SMB2_LEASE_READ/SHARE_MODE_LEASE_READ.
Otherwise the next run (likely from another client)
will get the wrong result from file_has_read_lease().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 18 19:41:33 UTC 2022 on sn-devel-184
- - - - -
b954d181 by Volker Lendecke at 2022-08-19T11:42:38+00:00
vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
gpfs_set_times as of August 2020 stores 32-bit unsigned tv_sec. We
should not silently garble time stamps but reject the attempt to set
an out-of-range timestamp.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
- - - - -
06f35eda by Volker Lendecke at 2022-08-19T12:43:06+00:00
lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Aug 19 12:43:06 UTC 2022 on sn-devel-184
- - - - -
bf1dd1a1 by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
lib/util: add unlikely() to SMB_ASSERT()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bb3dddcd by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:g_lock: add some const to the shared array passed via g_lock_dump*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c75de325 by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:g_lock: avoid useless talloc_array(0) in g_lock_dump()
In the common case we don't have any shared lock holders,
so there's no need to allocate memory for the empty array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0fbca175 by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:smbd: only run validate_oplock_types() with smbd:validate_oplock_types = yes
This is really expensive as share_mode_forall_entries() is currently
doing a talloc_memdup() of the whole record...
This is mainly used to avoid regressions, so only
use smbd:validate_oplock_types = yes in make test,
but skip it for production.
This improves the following test:
time smbtorture //127.0.0.1/m -Uroot%test \
smb2.create.bench-path-contention-shared \
--option='torture:bench_path=file.dat' \
--option="torture:timelimit=60" \
--option="torture:nprocs=256" \
--option="torture:qdepth=1"
From:
open[num/s=8852,avslat=0.014999,minlat=0.000042,maxlat=0.054600]
close[num/s=8850,avslat=0.014136,minlat=0.000025,maxlat=0.054537]
to:
open[num/s=11377,avslat=0.012075,minlat=0.000041,maxlat=0.054107]
close[num/s=11375,avslat=0.010594,minlat=0.000023,maxlat=0.053620]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8b3b3166 by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:locking: pass lease_key explicitly to set_share_mode()
We should avoid accessing fsp->lease if possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bf8f2258 by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:locking: move get_existing_share_mode_lock() to share_mode_lock.[ch]
This should be where get_share_mode_lock() is located.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
76da56aa by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:smbd: inline fsp_lease_type_is_exclusive() logic into contend_level2_oplocks_begin_default
SMB2_LEASE_WRITE is the indication for an exclusive lease,
the fact that a SMB2_LEASE_WRITE can't exists without
SMB2_LEASE_READ is not important here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
60ae7a5a by Stefan Metzmacher at 2022-08-19T18:41:34+00:00
s3:smbd: lease_match_break_fn() only needs leases_db_get() once
get_lease_type() will just call leases_db_get() again...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d4f18f99 by Stefan Metzmacher at 2022-08-19T19:39:18+00:00
s3:smbd: let delay_for_oplock_fn() only call leases_db_get() once
get_lease_type() will just call leases_db_get() again for leases,
so only call it for oplocks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 19 19:39:18 UTC 2022 on sn-devel-184
- - - - -
b5848d39 by Ralph Boehme at 2022-08-22T08:02:35+00:00
smbtorture: rename smb2.streams.attributes to smb2.streams.attributes1
A subsequent commit adds another streams test named "attributes2", this change
avoids matching the new testname with the existing knownfail entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
e74b10e1 by Ralph Boehme at 2022-08-22T08:02:35+00:00
smbtorture: add test smb2.stream.attributes2
Specifically torture the creation date is the same for the file and its streams.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
3f7d8db9 by Ralph Boehme at 2022-08-22T08:02:35+00:00
smbd: add and use vfs_fget_dos_attributes()
Commit d71ef1365cdde47aeb3465699181656b0655fa04 caused a regression where the
creation date on streams wasn't updated anymore on the stream fsp.
By adding a simple wrapper vfs_fget_dos_attributes() that takes care of
- passing only the base_fsp to the VFS, so the VFS can be completely agnostic of
all the streams related complexity like fake fds,
- propagating any updated btime from the base_fsp->fsp_name to the
stream_fsp->fsp_name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
968a5ae8 by Ralph Boehme at 2022-08-22T08:02:36+00:00
smbd: directly pass fsp to SMB_VFS_FGETXATTR() in fget_ea_dos_attribute()
We're now consistently passing the base_fsp to SMB_VFS_FSET_DOS_ATTRIBUTES(), so
we don't need to check for a stream_fsp here anymore.
Additionally vfs_default will assert a non-stream fsp inside
vfswrap_fgetxattr(), so in case any caller wrongly passes a stream fsp, this is
caught in vfs_default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
40d4912d by Joseph Sutton at 2022-08-22T08:02:36+00:00
libcli/smb: Ensure we call tevent_req_nterror() on failure
Commit 3594c3ae202688fd8aae5f7f5e20464cb23feea9 added a NULL check for
'inhdr', but it meant we didn't always call tevent_req_nterror() when we
should.
Now we handle connection errors. We now also set an error status if the
NULL check fails.
I noticed this when an ECONNRESET error from a server refusing SMB1
wasn't handled, and the client subsequently hung in epoll_wait().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
75e03ea0 by Joseph Sutton at 2022-08-22T09:03:29+00:00
libcli/smb: Set error status if 'iov' pointer is NULL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Aug 22 09:03:29 UTC 2022 on sn-devel-184
- - - - -
4b87e58f by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in mksyms.sh
source3/script/mksyms.sh:33:19: error: Double quote array expansions to
avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
3f080f7d by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in dlopen.sh
source3/script/tests/dlopen.sh:51:12: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
8c23b829 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_dfree_command.sh
source3/script/tests/test_dfree_command.sh:38:59: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
249b8e8a by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_dfree_quota.sh
source3/script/tests/test_dfree_quota.sh:125:65: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
8b359fa4 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_net_cred_change.sh
source3/script/tests/test_net_cred_change.sh:13:64: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4c02eb4d by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_net_lookup.sh
source3/script/tests/test_net_lookup.sh:37:9: error: Remove spaces
around = to assign (or use [ ] to compare, or quote '=' if literal).
[SC2283]
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
6f65ecfe by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_net_registry_check.sh
source3/script/tests/test_net_registry_check.sh:33:32: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4edb4d97 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_net_registry_roundtrip.sh
source3/script/tests/test_net_registry_roundtrip.sh:51:2: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
source3/script/tests/test_net_registry_roundtrip.sh:55:16: error:
Argument mixes string and array. Use * or separate argument. [SC2145]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4abfa262 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_preserve_case.sh
source3/script/tests/test_preserve_case.sh:42:59: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
ae67e068 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_rpcclient_samlogon.sh
source3/script/tests/test_rpcclient_samlogon.sh:17:114: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
47eacce8 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_smbclient_s3.sh
source3/script/tests/test_smbclient_s3.sh:270:5: error: Couldn't parse
this test expression. Fix to allow more checks. [SC1073]
source3/script/tests/test_smbclient_s3.sh:270:11: error: Expected test
to end here (don't wrap commands in []/[[]]). Fix any mentioned problems
and try again. [SC1072]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
a8b19ebf by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_smbspool.sh
test_smbspool.sh:124:24: error: Couldn't parse this test expression. Fix
to allow more checks. [SC1073]
test_smbspool.sh:124:44: error: If grouping expressions inside [..], use
\( ..\). [SC1026]
test_smbspool.sh:124:46: error: Expected test to end here (don't wrap
commands in []/[[]]). Fix any mentioned problems and try again. [SC1072]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
25e9a74e by Andreas Schneider at 2022-08-22T14:20:36+00:00
s3:script: Fix shellcheck errors in test_smbstatus.sh
test_smbstatus.sh:78:22: error: Use braces when expanding arrays, e.g.
${array[idx]} (or ${var}[.. to quiet). [SC1087]
test_smbstatus.sh:135:22: error: Use braces when expanding arrays, e.g.
${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
a82301d5 by Andreas Schneider at 2022-08-22T14:20:36+00:00
testprogs: Fix shellcheck errors in common_test_fns.inc
common_test_fns.inc:13:64: error: Double quote array expansions to avoid
re-splitting elements. [SC2068]
common_test_fns.inc:32:64: error: Double quote array expansions to avoid
re-splitting elements. [SC2068]
common_test_fns.inc:53:64: error: Double quote array expansions to avoid
re-splitting elements. [SC2068]
common_test_fns.inc:80:64: error: Double quote array expansions to avoid
re-splitting elements. [SC2068]
common_test_fns.inc:106:61: error: Double quote array expansions to
avoid re-splitting elements. [SC2068]
common_test_fns.inc:110:32: error: Double quote array expansions to
avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
866b8dcb by Andreas Schneider at 2022-08-22T14:20:36+00:00
s4:client: Fix shellcheck errors in test_smbclient.sh
source4/client/tests/test_smbclient.sh:31:99: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
source4/client/tests/test_smbclient.sh:41:116: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
source4/client/tests/test_smbclient.sh:43:94: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
d85a2dbf by Andreas Schneider at 2022-08-22T14:20:36+00:00
s4:script: Fix shellcheck errors in find_unused_options.sh
source4/script/find_unused_options.sh:20:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/script/find_unused_options.sh:30:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4b2f4189 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s4:selftest: Fix shellcheck errors in test_w2k3.sh
source4/selftest/test_w2k3.sh:40:67: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/selftest/test_w2k3.sh:46:66: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/selftest/test_w2k3.sh:48:66: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
6c287142 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s4:selftest: Fix shellcheck errors in wintest_2k3_dc.sh
source4/selftest/win/wintest_2k3_dc.sh:57:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/selftest/win/wintest_2k3_dc.sh:62:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/selftest/win/wintest_2k3_dc.sh:85:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
source4/selftest/win/wintest_2k3_dc.sh:101:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
b1e80d02 by Andreas Schneider at 2022-08-22T14:20:36+00:00
s4:setup: Fix shellcheck errors in provision_fileperms.sh
source4/setup/tests/provision_fileperms.sh:27:14: error: Iterating over
ls output is fragile. Use globs. [SC2045]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
b7a024e4 by Andreas Schneider at 2022-08-22T15:15:11+00:00
s4:selftest: Fix shellcheck errors in wintest_net.sh
source4/selftest/win/wintest_net.sh:57:27: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Mon Aug 22 15:15:11 UTC 2022 on sn-devel-184
- - - - -
8c1c63aa by Andreas Schneider at 2022-08-22T20:35:36+00:00
s4:selftest: Fix shellcheck errors in wintest_rpc.sh
source4/selftest/win/wintest_rpc.sh:61:27: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
7a89d22b by Andreas Schneider at 2022-08-22T20:35:36+00:00
s4:torture: Fix shellcheck errors in test_gentest.sh
source4/torture/tests/test_gentest.sh:31:235: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
0618bd8a by Andreas Schneider at 2022-08-22T20:35:36+00:00
s4:tortue: Fix shellcheck errors in test_locktest.sh
source4/torture/tests/test_locktest.sh:26:137: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
cbf1f890 by Andreas Schneider at 2022-08-22T20:35:36+00:00
s4:torture: Fix shellcheck errors in test_masktest.sh
source4/torture/tests/test_masktest.sh:26:117: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4b19bbaa by Andreas Schneider at 2022-08-22T20:35:36+00:00
s4:utils: Fix shellcheck errors in test_samba_tool.sh
source4/utils/tests/test_samba_tool.sh:38:110: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
447e6b92 by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in dbcheck-oldrelease.sh
testprogs/blackbox/dbcheck-oldrelease.sh:249:95: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:304:166: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:316:128: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:325:145: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:398:197: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:420:97: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:428:134: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:438:122: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:446:146: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:455:134: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:474:146: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/dbcheck-oldrelease.sh:483:134: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
5dd28ade by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_chgdcpass.sh
testprogs/blackbox/test_chgdcpass.sh:48:79: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_chgdcpass.sh:49:74: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
edf04332 by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_export_keytab_heimdal.sh
testprogs/blackbox/test_export_keytab_heimdal.sh:65:79: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:67:102: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:69:113: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:72:158: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:74:169: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:77:147: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:79:165: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:82:178: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_heimdal.sh:112:80: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
e4a4ce9c by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_export_keytab_mit.sh
testprogs/blackbox/test_export_keytab_mit.sh:45:47: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:92:98: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:94:106: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:97:117: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:100:166: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:102:177: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:105:155: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:107:173: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_export_keytab_mit.sh:132:94: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4ce5d8df by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_kinit_mit.sh
testprogs/blackbox/test_kinit_mit.sh:54:62: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:110:107: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:114:126: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:128:126: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:130:154: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:132:118: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:164:195: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:201:154: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:263:122: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_mit.sh:301:116: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
4aa50e72 by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_kinit_trusts_heimdal.sh
testprogs/blackbox/test_kinit_trusts_heimdal.sh:80:114: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
391d0cf6 by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_kinit_heimdal.sh
testprogs/blackbox/test_kinit_heimdal.sh:83:107: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:87:126: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:101:126: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:103:154: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:105:112: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:118:195: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:145:154: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:217:122: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_heimdal.sh:251:116: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
1e4ea99e by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_kinit_trusts_mit.sh
testprogs/blackbox/test_kinit_trusts_mit.sh:55:63: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_kinit_trusts_mit.sh:109:106: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
d9ebb77c by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_kpasswd_heimdal.sh
testprogs/blackbox/test_kpasswd_heimdal.sh:46:57: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
150cbc0f by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_password_settings.sh
testprogs/blackbox/test_password_settings.sh:48:57: error: Double quote
array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
cd24e2df by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellchecks errors in test_pdbtest.sh
testprogs/blackbox/test_pdbtest.sh:61:53: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:73:157: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:76:79: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:78:92: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:80:79: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:90:79: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:92:75: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:96:73: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:100:99: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:104:89: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:111:125: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_pdbtest.sh:115:70: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
355f6206 by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_weak_crypto_server.sh
testprogs/blackbox/test_weak_crypto_server.sh:59:65: error: Use braces
when expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet).
[SC1087]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
c4ba21bc by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in test_wintest.sh
testprogs/blackbox/test_wintest.sh:15:97: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/test_wintest.sh:40:31: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
f12aa54b by Andreas Schneider at 2022-08-22T20:35:36+00:00
testprogs: Fix shellcheck errors in upgradeprovision-oldrelease.sh
testprogs/blackbox/upgradeprovision-oldrelease.sh:134:103: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/upgradeprovision-oldrelease.sh:140:117: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/upgradeprovision-oldrelease.sh:145:105: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/upgradeprovision-oldrelease.sh:151:122: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/upgradeprovision-oldrelease.sh:156:110: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
testprogs/blackbox/upgradeprovision-oldrelease.sh:162:134: error: Double
quote array expansions to avoid re-splitting elements. [SC2068]
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
339e78f2 by Andreas Schneider at 2022-08-22T21:30:09+00:00
gitlab-ci: Add a shellcheck runner
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Mon Aug 22 21:30:09 UTC 2022 on sn-devel-184
- - - - -
66e40690 by Ralph Boehme at 2022-08-23T11:52:29+00:00
s4/libcli/smb2: avoid using smb2_composite_setpathinfo() in smb2_util_setatr()
smb2_composite_setpathinfo() uses SEC_FLAG_MAXIMUM_ALLOWED which can
have unwanted side effects like breaking oplocks if the effective access
includes [READ|WRITE]_DATA.
For changing the DOS attributes we only need SEC_FILE_WRITE_ATTRIBUTE. With this
change test_smb2_oplock_batch25() doesn't trigger an oplock break anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9b2d2815 by Ralph Boehme at 2022-08-23T11:52:29+00:00
smbtorture: check required access for SMB2-GETINFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
6d493a9d by Ralph Boehme at 2022-08-23T12:54:08+00:00
smbd: implement access checks for SMB2-GETINFO as per MS-SMB2 3.3.5.20.1
The spec lists the following as requiring special access:
- for requiring FILE_READ_ATTRIBUTES:
FileBasicInformation
FileAllInformation
FileNetworkOpenInformation
FileAttributeTagInformation
- for requiring FILE_READ_EA:
FileFullEaInformation
All other infolevels are unrestricted.
We ignore the IPC related infolevels:
FilePipeInformation
FilePipeLocalInformation
FilePipeRemoteInformation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
RN: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Aug 23 12:54:08 UTC 2022 on sn-devel-184
- - - - -
672ec613 by Joseph Sutton at 2022-08-25T12:59:29+00:00
schema_samba4.ldif: Allocate previously added OIDs
DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added
to source4/dsdb/samdb/samdb.h in commit
c2ab1f4696fa3f52918a126d0b37993a07f68bcb.
DSDB_EXTENDED_SCHEMA_LOAD was added in commit
1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
f99fb9aa by Joseph Sutton at 2022-08-25T13:55:47+00:00
python:tests: Allocate OID range for testing to avoid collisions
sid_strings.py used the same OID range as ldap_schema.py, which
occasionally led to test failures when the same OID was generated twice.
Using a different range, and making use of the expected RID if we have
it, should reduce the likelihood of collisions.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Aug 25 13:55:47 UTC 2022 on sn-devel-184
- - - - -
b88e7322 by Martin Schwenke at 2022-08-25T15:22:36+00:00
ctdb-tests: Reformat script using shfmt -w -p -i 0 -fn
Whitespace changes only.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
42aedc62 by Martin Schwenke at 2022-08-25T15:22:36+00:00
ctdb-tests: Fix typos
These lines are just wrong:
try_command_on_node -v $test_node "ip addr show to ${test_node}"
if -n "$out"; then
The 2nd variable referenced should be $test_ip. The 2nd line causes
"-n: command not found" because it is missing [] test command
brackets.
Both typos would probably make the test pass unconditionally.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
ff4935d1 by Martin Schwenke at 2022-08-25T15:22:36+00:00
ctdb-tests: Simplify IP address checking
Use a new function and wait_until() to simplify.
get_test_ip_mask_and_iface() not needed here because
select_test_node_and_ips() sets $test_ip, and neither $mask nor $iface
is used.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
a0e0fde0 by Martin Schwenke at 2022-08-25T16:15:45+00:00
ctdb-tests: Avoid shellcheck warnings
Mostly
SC2086: Double quote to prevent globbing and word splitting.
Use ctdb_onnode() where it simplifies code. No behaviour changes
intended.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Thu Aug 25 16:15:45 UTC 2022 on sn-devel-184
- - - - -
989aa441 by Joseph Sutton at 2022-08-25T17:01:31+00:00
s3:tests: Create test directory and file prior to revoking permissions
If 'chmod 0' is performed first, then we won't have the required
permissions for the subsequent 'mkdir' and 'touch', and they will fail.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9fa6ab22 by Joseph Sutton at 2022-08-25T17:56:31+00:00
s3:tests: Transfer test files into temporary directory
The presence of these two files is causing 'check-clean-tree' to fail.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 25 17:56:31 UTC 2022 on sn-devel-184
- - - - -
f641abfc by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:libads: Fix trailing whitespaces in util.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
c9c120da by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:libsmb: Fix trailing whitespaces in trusts_util.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
fa29eed6 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
lib:util: Add BURN_FREE() and BURN_FREE_STR()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
85643803 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
lib:replace: Add macro BURN_STR() to zero memory of a string
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
8de68574 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
lib:util: Zero memory in generate_random_machine_password()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4df98ed0 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:libads: Zero memory in ads_change_trust_account_password()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
988077c3 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:libsmb: Zero memory in trust_pw_change()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b6dde7d3 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory using BURN_FREE() in secrets_fetch_trust_account_password_legacy() and secrets_fetch_domain_info1_by_key()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ca3c9fa0 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory using BURN_FREE_STR() in secrets_fetch_or_upgrade_domain_info()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ad9044a1 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory using BURN_FREE_STR() in get_trust_pw_hash2()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
0d7e34a6 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero password in secrets_{fetch,store}_trusted_domain_password()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
04d4bc54 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3: Zero memory of idmap_fetch_secret() users
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2706fdae by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:lib: Fix trailing whitespaces in smbldap.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2357f6e2 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Fix trailing whitespaces in pdb_ldap.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
84d5e156 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero password in fetch_ldap_pw()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
3151e760 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero password in fetch_ldap_pw() callers
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
02f66758 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Fix whitespaces in pdb_get_set.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
035e2021 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory for plaintext_pw from 'struct samu'
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ccae2a4a by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:auth: Zero memory in sam_password_ok()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
12478c24 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: s/BURN_PTR_SIZE/BURN_STR/ in samu_destroy()
This makes sure that strlen(user->plaintext_pw) is not called twice.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
003854a4 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory in pdb_set_plaintext_passwd()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
1772a057 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero memory in pdb_set_pw_history()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
8941c748 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:net: Fix trailing whitespace in net.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
5b647513 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero password in secrets_fetch_ipc_userpass()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2578eb3b by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Fix possible memory leak in secrets_fetch_ipc_userpass()
If domain or username are empty strings (""), we need to free them.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
83dc061f by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:net: Zero password in secrets_fetch_ipc_userpass() callers
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4b2df80e by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:afs: Zero memory for afs_keyfile
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
28a3d511 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
lib:krb5: Change memset() to BURN_PTR_SIZE()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ebfc1672 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero local memory in secrets_fetch()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
01c0ab19 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero local memory in secrets_domain_info_kerberos_keys()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
da2c7232 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero secrets_domain_info1_password created via secrets_fetch()
Zero out these members of struct secrets_domain_info1_password:
DATA_BLOB cleartext_blob;
struct samr_Password nt_hash;
struct secrets_domain_info1_kerberos_key *keys;
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
79754f04 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero secrets_domain_info1_password created via secrets_domain_info_password_create()
Zero out these members of struct secrets_domain_info1_password:
DATA_BLOB cleartext_blob;
struct samr_Password nt_hash;
struct secrets_domain_info1_kerberos_key *keys;
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
9c2ffef0 by Pavel Filipenský at 2022-08-26T07:59:32+00:00
s3:passdb: Zero sensitive memory in lsa_secret_{set/get}_common()
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
9aa52bb3 by Douglas Bagnall at 2022-08-26T07:59:32+00:00
pytest/segfault: abort for generate_random_bytes(-1)
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
333e1efa by Douglas Bagnall at 2022-08-26T07:59:32+00:00
pyglue: check talloc buffer for random bytes
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b7b4d6da by Douglas Bagnall at 2022-08-26T07:59:32+00:00
pyglue: generate_random_bytes/str accept positive numbers only
We aren't yet able to generate negative numbers of random bytes.
Instead a request for -n bytes is implicitly converted into one for
SIZE_MAX - n bytes, which is typically very large. Memory exhaustion
seems a likely outcome.
With this patch callers will see a ValueError.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4f902dba by Douglas Bagnall at 2022-08-26T07:59:32+00:00
pyglue: generate_random_[machine]_password: reject negative numbers
Other range errors (e.g. min > max) are caught in the wrapped
functions which returns EINVAL, so we don't recapitulate that logic
(see next commit though).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
fa3f0499 by Douglas Bagnall at 2022-08-26T08:59:28+00:00
pyglue:generate_random_[machine]_password: ValueError for bad values
The actual range is 14 to 255 for machine passwords, and there is a
min <= max check for both.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Aug 26 08:59:28 UTC 2022 on sn-devel-184
- - - - -
5f51fa9c by Anoop C S at 2022-08-26T16:31:37+00:00
vfs_glusterfs: Accept fsp with const qualifier
This is in preparation to avoid any `const` qualifier being discarded
warning with future changes to various *_at() calls which has `const
file_struct` arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3425fa0d by Anoop C S at 2022-08-26T16:31:37+00:00
source3/wscript: Detect glusterfs-api with *at() calls support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
184a9913 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_openat() for SMB_VFS_OPENAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
56c4aab1 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_mkdirat() for SMB_VFS_MKDIRAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2b721ff2 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_renameat() for SMB_VFS_RENAMEAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2fa71202 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_unlinkat() for SMB_VFS_UNLINKAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b2746eb5 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_symlinkat() for SMB_VFS_SYMLINKAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
58b6cdab by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_readlinkat() for SMB_VFS_READLINKAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
21654af5 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_linkat() for SMB_VFS_LINKAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a4235200 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_mknodat() for SMB_VFS_MKNODAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
310a9080 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_symlinkat() for SMB_VFS_CREATE_DFS_PATHAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
55548d74 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_readlinkat() for SMB_VFS_READ_DFS_PATHAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
65f4c4e3 by Anoop C S at 2022-08-26T16:31:38+00:00
vfs_glusterfs: Use glfs_fgetxattr() for SMB_VFS_GET_REAL_FILENAME_AT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b7c460b9 by Anoop C S at 2022-08-26T17:33:15+00:00
vfs_glusterfs: Implement SMB_VFS_FSTATAT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15157
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 26 17:33:15 UTC 2022 on sn-devel-184
- - - - -
9a133602 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmbclient: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f05b529b by Volker Lendecke at 2022-08-26T18:54:37+00:00
smbd: Adapt a call to setup_dfs_referral() to README.Coding
Makes it easier to handle in a debugger
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
281b00a2 by Volker Lendecke at 2022-08-26T18:54:37+00:00
vfs: Fix a copy&paste error
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3aa9d05e by Volker Lendecke at 2022-08-26T18:54:37+00:00
dfs_server: Fix typos
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7fe12e79 by Volker Lendecke at 2022-08-26T18:54:37+00:00
lib: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
df4c3f0f by Volker Lendecke at 2022-08-26T18:54:37+00:00
smbd: Save a line with tevent_req_nomem()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
556e1a5e by Volker Lendecke at 2022-08-26T18:54:37+00:00
examples: Make libsmbclient samples look a *bit* less ugly
Remove trailing whitespace, indent to tabs. Yes, this introduces long
lines, but makes review with "git show -w" trivial.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7c26512b by Volker Lendecke at 2022-08-26T18:54:37+00:00
smbd: Adapt np_[read|write]_send() to more recent tevent_req conventions
We usually don't do "goto post_status;" anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c53d8659 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Slightly simplify SMBC_parse_path()
Don't manually duplicate the talloc_strndup() functionality
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b93c2d5b by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6a74546a by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Tab-indent SMBC_module_[init|terminate]()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4df36cd1 by Volker Lendecke at 2022-08-26T18:54:37+00:00
examples: A tiny bit of README.Coding for teststat.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c047c660 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Move static strings to the .text segment
We don't need to copy these to the stack, this saves 200 bytes of .text
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9fca3007 by Volker Lendecke at 2022-08-26T18:54:37+00:00
smbd: Modernize DBG statements in open_fake_file()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1025349a by Volker Lendecke at 2022-08-26T18:54:37+00:00
lib: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7b96948e by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Add tevent_req_received() to cli_posix_readlink_recv()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ba70eb48 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Save a few lines in cli_unix_extensions_version()
This is more recent style for sync wrappers
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
767eb334 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Correctly return ioctl error from cli_readlink()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ffc9072f by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Remove map_fnum_to_smb2_handle() from cli_smb2_getatr()
Not used
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
05267304 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Remove map_fnum_to_smb2_handle() from cli_smb2_qpathinfo2()
Not used
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c31df02c by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Remove unused code
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f3b2c2b5 by Volker Lendecke at 2022-08-26T18:54:37+00:00
libsmb: Remove cli_full_connection_creds_sess_start()
This contained very simple tevent_req logic, hiding that confused the
code for me when reading. Also, this change saves 3 lines...
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a4f9f7c8 by Volker Lendecke at 2022-08-26T18:54:38+00:00
libsmb: Introduce helper var to cli_tree_connect_*_done()
README.Coding, makes it easier to debug
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4ddd277c by Volker Lendecke at 2022-08-26T19:54:03+00:00
smbXcli: Pass negotiate contexts through smbXcli_negprot_send/recv
We already don't allow setting max_credits in the sync wrapper, so
omit the contexts there as well.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 26 19:54:03 UTC 2022 on sn-devel-184
- - - - -
78ef185a by Ralph Boehme at 2022-08-28T19:59:28+00:00
smbd: add missing check for IPC share for TRANS2_GET_DFS_REFERRAL
Cf MS-CIFS 3.3.5.58.11.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
06750a96 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Add a new function parse_dfs_path_strict().
#ifdef'ed out as not yet used. This will replace
parse_dfs_path() for all client sent names via
DFS RPC calls and for SMB_VFS_GET_DFS_REFERRALS().
The paths sent in these calls are guaranteed
to be of canonical form:
\SERVER\share\pathname.
Both for SMB1 and SMB2+ so we can be more strict
when parsing them.
Checks DFS path starts with separator.
Checks hostname is ours.
Ensures servicename (share) is sent, and
if so, terminates the name or is followed by
\pathname.
Errors out if any checks fail.
Reserve parse_dfs_path() for DFS names sent
via "ordinary" SMB 1/2/3 calls where we must
be more lenient in parsing.
Note parse_dfs_path_strict() does not have
bool allow_broken_path or 'struct connection_struct'
as it will not be called from places that use
these.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b6afd481 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: In dfs_filename_convert(), don't ask for hostname, sharename and then just free them.
Wastes a talloc/free.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
88e92049 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Add a comment explaing why dfs_filename_convert() must continue to use parse_dfs_path().
libsmbclient libraries will always set the FLAGS2_DFS_PATHNAMES
bit when talking to a DFS share, but don't always canonicalize
the incoming pathname to a DFS one (see the code for cli_list()
that puts a non-DFS pathname into SMB2trans2_FindFirst for
example). This is a problem in our client libraries for both
SMB1 and SMB2+
As we still must cope with these older clients we must
keep the lenient parsing for DFS filenames sent over SMB1/2/3.
A future task - change the use of parse_dfs_path() in
dfs_filename_convert() to parse_dfs_path_strict() for SMB2
only and then try and get all our torture tests to pass.
This is not an easy fix (and would still break old clients
out there as well :-( ).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6869e015 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Change get_referred_path() to use parse_dfs_path_strict().
Remove #ifdef's around parse_dfs_path_strict() as we're
now using it.
Note we no longer use allow_broken_path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e4045bd7 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Change create_junction() to use parse_dfs_path_strict().
Note we no longer use allow_broken_path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b33787fb by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: In create_junction() remove hostname check. parse_dfs_path_strict() already does this.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2780509a by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: In create_junction() don't read hostname from parse_dfs_path_strict().
It isn't used anymore inside create_junction().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
9d65f1c2 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Remove unneeded NULL check inside msdfs_servicename_matches_connection().
This is now only called from is from parse_dfs_path(),
and for that we know conn is non-NULL.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
32f6eb2e by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Remove allow_broken_path from get_referred_path() and it's callers.
It no longer looks at this bool, we must already have a
canonicalized path here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
63e569a4 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Remove allow_broken_path from create_junction().
We no longer look at it, we know we must have a canonicalized
DFS path here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5f0efdfe by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Now parse_dfs_path() is only called from dfs_filename_convert() replace allow_broken_path with an SMB1 check.
dfs_filename_convert() always sets allow_broken_path = !smb2,
so just move this bool inside of parse_dfs_path().
We can now remove allow_broken_path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
3c18b278 by Jeremy Allison at 2022-08-28T19:59:28+00:00
s3: smbd: Remove allow_broken_path parameter from parse_dfs_path().
Nothing now looks at it.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0d5016fb by Jeremy Allison at 2022-08-28T20:58:57+00:00
s3: smbd: parse_dfs_path() - Fix comment explaining where this is called from and with what kind of path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sun Aug 28 20:58:57 UTC 2022 on sn-devel-184
- - - - -
12e0c579 by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbtorture: close handle and delete file in tree_base()
Otherwise the session might still be around with the open handle when the next
test starts and then fails to delete the testfile.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c73d666e by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbtorture: turn maximum_allowed test into a test suite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e3d883c0 by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbtorture: add a test opening a READ-ONLY file with SEC_FLAG_MAXIMUM_ALLOWED
Passes against Windows, currently fails against Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
RN: Requesting maximum allowed permission of file with DOS read-only attribute results in access denied error
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5ed188e4 by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbd: remove const from smb_fname arg of set_ea_dos_attribute()
We need to update the btime of fsp->fsp_name->st.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9da1e7a4 by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbd: update smb_fname->st btime with the rounded value with NTTIME granularity
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
169d8fe4 by Ralph Boehme at 2022-08-29T17:22:32+00:00
smbd: cache DOS attributes in struct smb_filename.cached_dos_attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
77231941 by Ralph Boehme at 2022-08-29T18:20:19+00:00
smbd: fix opening a READ-ONLY file with SEC_FLAG_MAXIMUM_ALLOWED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14215
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 29 18:20:20 UTC 2022 on sn-devel-184
- - - - -
e4929866 by Jeremy Allison at 2022-08-30T17:10:33+00:00
s3: torture: Add a comprehensive SMB2 DFS path torture tester.
Passes fully against Windows.
This shows that DFS paths on Windows on SMB2 must
be of the form:
SERVER\SHARE\PATH
but the actual contents of the strings SERVER and
SHARE don't need to match the given server or share.
The algorithm the Windows server uses is the following:
Look for a '\\' character, and assign anything before
that to the SERVER component. The characters in this
component are not checked for validity.
Look for a second '\\' character and assign anything
between the first and second '\\' characters to the
SHARE component. The characters in the share component
are checked for validity, but only ':' is flagged as
an illegal sharename character despite what:
[MS-FSCC] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/dc9978d7-6299-4c5a-a22d-a039cdc716ea
says.
Anything after the second '\\' character is assigned
to the PATH component and becomes the share-relative
path.
If there aren't two '\\' characters it removes
everything and ends up with the empty string as
the share relative path.
To give some examples, the following pathnames all map
to the directory at the root of the DFS share:
SERVER\SHARE
SERVER
""
ANY\NAME
ANY
::::\NAME
the name:
SERVER\:
is illegal (sharename contains ':') and the name:
ANY\NAME\file
maps to a share-relative pathname of "file",
despite "ANY" not being the server name, and
"NAME" not being the DFS share name we are
connected to.
Adds a knownfail for smbd as our current code
in parse_dfs_path() is completely incorrect
here and tries to map "incorrect" DFS names
into local paths. I will work on fixing this
later, but we should be able to remove parse_dfs_path()
entirely and move the DFS pathname logic before
the call to filename_convert_dirfsp() in the
same way Volker suggested and was able to achieve
for extract_snapshot_token() and the @GMT pathname
processing.
Also proves the "target" paths for SMB2_SETINFO
rename and hardlink must *not* be DFS-paths.
Next I will work on a torture tester for SMB1
DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reivewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 30 17:10:33 UTC 2022 on sn-devel-184
- - - - -
1788b59b by Noel Power at 2022-08-31T15:07:31+00:00
s3/winbindd: Fix bad access to sid array (with debug level >= info)
==6436== at 0xA85F95B: dom_sid_string_buf (dom_sid.c:444)
==6436== by 0xA85FBF2: dom_sid_str_buf (dom_sid.c:515)
==6436== by 0x17EDF8: wb_lookupusergroups_recv (wb_lookupusergroups.c:115)
==6436== by 0x17F964: wb_gettoken_gotgroups (wb_gettoken.c:123)
==6436== by 0x56AD332: _tevent_req_notify_callback (tevent_req.c:141)
==6436== by 0x56AD493: tevent_req_finish (tevent_req.c:193)
==6436== by 0x56AD5C0: tevent_req_trigger (tevent_req.c:250)
==6436== by 0x56AC119: tevent_common_invoke_immediate_handler (tevent_immediate.c:190)
==6436== by 0x56AC268: tevent_common_loop_immediate (tevent_immediate.c:236)
==6436== by 0x56B678A: epoll_event_loop_once (tevent_epoll.c:919)
==6436== by 0x56B31C3: std_event_loop_once (tevent_standard.c:110)
==6436== by 0x56AA621: _tevent_loop_once (tevent.c:825)
==6436==
==6436== Invalid read of size 1
==6436== at 0xA85F95B: dom_sid_string_buf (dom_sid.c:444)
==6436== by 0xA85FBF2: dom_sid_str_buf (dom_sid.c:515)
==6436== by 0x17EDF8: wb_lookupusergroups_recv (wb_lookupusergroups.c:115)
==6436== by 0x17F964: wb_gettoken_gotgroups (wb_gettoken.c:123)
==6436== by 0x56AD332: _tevent_req_notify_callback (tevent_req.c:141)
==6436== by 0x56AD493: tevent_req_finish (tevent_req.c:193)
==6436== by 0x56AD5C0: tevent_req_trigger (tevent_req.c:250)
==6436== by 0x56AC119: tevent_common_invoke_immediate_handler (tevent_immediate.c:190)
==6436== by 0x56AC268: tevent_common_loop_immediate (tevent_immediate.c:236)
==6436== by 0x56B678A: epoll_event_loop_once (tevent_epoll.c:919)
==6436== by 0x56B31C3: std_event_loop_once (tevent_standard.c:110)
==6436== by 0x56AA621: _tevent_loop_once (tevent.c:825)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15160
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Aug 31 15:07:31 UTC 2022 on sn-devel-184
- - - - -
43811868 by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbd: Introduce "conn" helper var in smbd_smb2_create_after_exec()
Will be used more in the future
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
efc81874 by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbd: Convert smb2_posix_cc_info() to use an existing blob
Less malloc
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d7e92879 by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbd: Convert store_smb2_posix_info() to use an existing blob
Less malloc
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ae5dc52d by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbXcli: Detect the SMB311 posix negotiate context
The server will only return this if the client requested in via
smbXcli_negprot_send()'s in_ctx parameter. This adds knowledge about
SMB2_CREATE_TAG_POSIX to smbXcli_base.c with a function to query
it. The alternative would have been to detect this in the caller, but
this would have meant that we also would need a
smbXcli_conn_set_have_posix() function or something similar.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2711521b by Volker Lendecke at 2022-09-02T13:31:38+00:00
libsmb: Allow to request SMB311 posix in source3/libsmb
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b9eff7b9 by Volker Lendecke at 2022-09-02T13:31:38+00:00
pylibsmb: Allow requesting Posix extensions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0bd31c71 by Volker Lendecke at 2022-09-02T13:31:38+00:00
pylibsmb: Add "have_posix" function
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0f75963c by Volker Lendecke at 2022-09-02T13:31:38+00:00
param: Add "smb3 unix extensions"
Only available in DEVELOPER builds. Adding now to get some testing
step by step done.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
887facd3 by Volker Lendecke at 2022-09-02T13:31:38+00:00
tests: Add smb3 posix negotiate tests
Make sure we do and don't announce posix depending on "smb3 unix
extensions" parameter
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5d95de06 by Volker Lendecke at 2022-09-02T13:31:38+00:00
libsmb: Allow smb2 neg ctx in cli_full_connection_creds_send()
Will be used to test smb3 posix contexts
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b833431b by Volker Lendecke at 2022-09-02T13:31:38+00:00
pylibsmb: Allow passing negotiate contexts
Pass in a list of tuples with (type, bytes)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
51f99b7f by Volker Lendecke at 2022-09-02T13:31:38+00:00
tests: Test invalid smb3 unix negotiate contexts
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
68ba3021 by Volker Lendecke at 2022-09-02T13:31:38+00:00
pylibsmb: Add smb2 create tag strings
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
cb0381dd by Volker Lendecke at 2022-09-02T13:31:38+00:00
pylibsmb: Add create_ex()
This is an extension of the create() function allowing smb2 create
contexts to be passed back and forth and also returning the
smb_create_returns. A new function seemed necessary for me because we
need to return not just the fnum. So I chose a 3-tuple, see the test
for an example how to use this.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
95657d40 by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbd: Introduce helper var in smbd_smb2_create_fetch_create_ctx()
xconn will be used in another place soon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
eaaa7425 by Volker Lendecke at 2022-09-02T13:31:38+00:00
smbd: Handle SMB2_CREATE_TAG_POSIX at the smb2 layer
We're not doing anything with this yet, this is just to provide a test
counterpart. Protected by -DDEVELOPER and "smb3 unix extensions = yes"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a5156649 by Volker Lendecke at 2022-09-02T14:31:25+00:00
tests: Test basic handling of SMB2_CREATE_TAG_POSIX
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Sep 2 14:31:25 UTC 2022 on sn-devel-184
- - - - -
3dcdab86 by Ralph Boehme at 2022-09-02T15:00:36+00:00
smbtorture: add a test trying to create a stream on share without streams support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
201e1969 by Ralph Boehme at 2022-09-02T15:00:36+00:00
smbd: return NT_STATUS_OBJECT_NAME_INVALID if a share doesn't support streams
This is what a Windows server returns. Tested with a share residing on a FAT
formatted drive, a Windows filesystem that doesn't support streams.
Combinations tested:
file::$DATA
file:stream
file:stream:$DATA
All three fail with NT_STATUS_OBJECT_NAME_INVALID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
3a37e415 by Volker Lendecke at 2022-09-02T15:56:56+00:00
smbd: Catch streams on non-stream shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Sep 2 15:56:56 UTC 2022 on sn-devel-184
- - - - -
a8ed2441 by Jeremy Allison at 2022-09-02T16:42:34+00:00
s3: torture: Add a comprehensive SMB1 DFS path torture tester.
smbtorture3 test is: SMB1-DFS-PATHS
Tests open, and then all 4 methods of renaming/hardlinking
files:
1). SMBmv
2). SMBtrans2 SETPATHINFO
3). SMBtrans2 SETFILEINFO
4). SMBntrename
Also added a test for SMB1findfirst.
smbtorture3 test is: SMB1-DFS-SEARCH-PATHS.
What this shows is that Windows strips off the
SMB1findfirst mask *before* calling the DFS path
parser (smbd currently does not).
Added so we know how to fix the server code to match Windows
behavior in parsing DFS paths in different calls going forward.
Passes fully against Windows. Adds knownfails for smbd.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
- - - - -
2643b7b5 by Saurabh Singh at 2022-09-02T17:40:00+00:00
Cleanup and bug fixes in vxfs vfs code.
1) Added debug messages in lib_vxfs.c for get, set and list attr functions
2) Removed vxfs_clearwxattr_fd and vxfs_clearwxattr_path code since it is no longer required now.
3) Replaced strcasecmp with vxfs_strcasecmp
4) Changed vxfs_fset_xattr to retain security.NTACL attribute
5) Fixed deny permissions not retained for a file created on CIFS share in vxfs_set_xattr
Signed-off-by: Saurabh Singh <saurabh.singh at veritas.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep 2 17:40:00 UTC 2022 on sn-devel-184
- - - - -
3fd18a0d by Stefan Metzmacher at 2022-09-02T20:02:29+00:00
s3:tests: let test_smbXsrv_client_dead_rec.sh cleanup the correct files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0efcfaa4 by Stefan Metzmacher at 2022-09-02T20:02:29+00:00
s3:tests: add test_smbXsrv_client_cross_node.sh
This demonstrates that a client-guid connected to ctdb node 0
caused a connection with the same client-guid to be rejected by
ctdb node 1. Node 1 rejects the SMB2 Negotiate with
NT_STATUS_NOT_SUPPORTED, because passing the multi-channel connection
to a different node is not supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
21ef01e7 by Stefan Metzmacher at 2022-09-02T20:02:29+00:00
smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8591d942 by Stefan Metzmacher at 2022-09-02T20:59:15+00:00
smbXsrv_client: notify a different node to drop a connection by client guid.
If a client disconnected all its interfaces and reconnects when
the come back, it will likely start from any ip address returned
dns, which means it can try to connect to a different ctdb node.
The old node may not have noticed the disconnect and still holds
the client_guid based smbd.
Up unil now the new node returned NT_STATUS_NOT_SUPPORTED to
the SMB2 Negotiate request, as messaging_send_iov[_from]() will
return -1/ENOSYS if a file descriptor os passed to a process on
a different node.
Now we tell the other node to teardown all client connections
belonging to the client-guid.
Note that this is not authenticated, but if an attacker can
capture the client-guid, he can also inject TCP resets anyway,
to get the same effect.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep 2 20:59:15 UTC 2022 on sn-devel-184
- - - - -
aa9f3a2d by Andrew Walker at 2022-09-06T20:10:17+00:00
nsswitch:libwbclient - fix leak in wbcCtxPingDc2
Memory allocated for response is never freed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15164
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 6 20:10:17 UTC 2022 on sn-devel-184
- - - - -
2359741b by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest: add file removal helpers for TestCaseInTempDir
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:
try:
shutil.rmtree(os.path.join(self.tempdir, "a"))
os.remove(os.path.join(self.tempdir, "b"))
shutil.rmtree(os.path.join(self.tempdir, "c"))
except Exception:
pass
where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with
self.rm_files('b')
self.rm_dirs('a', 'c')
the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.
If on the other hand, we have
self.rm_files('b', must_exist=True)
self.rm_dirs('a', 'c')
then the FileNotFoundError causes a failure (not an error).
We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
85bc1552 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/downgradedatabase: use TestCaseInTempDir.rm_files
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
4e3dabad by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samdb_api: use TestCaseInTempDir.rm_files
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
7455c53f by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/join: use TestCaseInTempDir.rm_files/dirs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
251360d6 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
3f0aab45 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
24f7d714 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
0a5298f0 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytests: move ValidNetbiosNameTests to samba.tests.netbios
These were the only tests in __init__.py.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
98f5332b by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest: SambaToolCmdTest allows easier StringIO replacement
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
d9443fad by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samba-tool visualize: fix docstring
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e7d78400 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest samba-tool visualize: extend colour tests for $NO_COLOR
As described at https://no-color.org/, the NO_COLOR environment
variable is a widely used defacto-ish standard for asking for no
colour. If someone goes
NO_COLOR=whatever samba-tool ...
we want to assume they want no ANSI colour codes, as if they had used
--color=no. But first we want to test that, so here we are.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
6ced3d21 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool visualize: respect $NO_COLOR
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
6160e956 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool visualize: remove py2 compat for colour calculations
io.StringIO has .isatty(); the old cStringIO did not,
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
664653b8 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
pytest/samba-tool visualize: test '--color' aliases
By convention, 'tty' is a common alias for 'auto', 'always' and
'force' mean 'yes', and 'never' means no. It seems 'never; and
'always' are more common than 'yes' and 'no'.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
37f92c6c by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool visualise: expand set of --color switches
To match convention, and elsewhere.
We can't easily use colour.is_colour_wanted() because we could (via
--output) be intending to write to a file that isn't open yet, so we
have no .isatty() to query.
Also, because --color-scheme implies --color (as documented in
--help), it trumps most 'auto' checks, but not NO_COLOR.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
a45c76b5 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
python/colour: helper functions to read all signs
The accepted hints are presumably arguments to --color.
We follow the behaviour of `ls` in what we accept.
`git` is stricter, accepting only {always,never,auto}.
`grep` is looser accepting mixed case variants.
historically we have used {yes,no,auto}.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
ade31017 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
py/samba/logger: respect NO_COLOR env variable
As per https://no-color.org/
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
eefc0304 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool: respect NO_COLOR env variable and --color options
This allows the NO_COLOR environment variable and --color=never to
work for samba-tool commands that use this method. So far that means
some parts of drs showrepl.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
7d178ab9 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
s4/tests/samba-tool drs showrepl: use vars for common strings
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
c61e8cde by Douglas Bagnall at 2022-09-06T21:12:36+00:00
s4/tests/samba-tool drs showrepl: test NO_COLOR and --color variants
"--color variants" meaning --color=always instead of --color=yes, etc.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
62fe118e by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool: reduce repetitious jargon on credentials failure
We already print the following due to DBG_ERR()s:
cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such file or directory
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldap://10.53.57.30' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
We don't *really* need to follow that with:
ERROR(ldb): LDAP connection to ldap://10.53.57.30 failed - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
rather we can say:
Bad username or password.
Also, we don't really need to print a traceback, which we seem to do
for some commands and not others.
Maybe *sometimes* "bad username or password" might be technically
incorrect (e.g. --simple-bind-dn), but in those cases the user is
already behaving strangely, and they will still see the
LDAP_INVALID_CREDENTIALS twice. Kerberos failures don't come this way..
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9608
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ca753591 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool: avoid traceback for options errors
What option? None yet, but see the next two commits.
We use a local reference to optparse.OptionValueError, to save typing
and make the eventual switch to argparse easier.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
604832b8 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
py/getopt: improve messages for bad --debug arg
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c2178d87 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
py/getopt: improve messages for bad --realm
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
11376474 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
py/getopt: allow --option arguments to contain '='
smb.conf lines can have = on the right hand side. For example, in
st/ad_dc/etc/smb.conf we have 3 examples, including:
gpo update command = python3 source4/scripting/bin/samba-gpupdate [...] --target=Computer
If we tried to provide the same line via --option, it would split on
both '=', and the set value would end at '--target'.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
90780936 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool: avoid traceback for NT_STATUS_NETWORK_UNREACHABLE
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f580c8b0 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool: do not force a traceback on CommandError
When a CommandError has an 'inner exception', we have been printing
drowning out the error message with a long traceback of the exception
we tried to catch.
People who really want to see tracebacks can use -d3.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
98e85fc6 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain provision: better message if tdbbackup missing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12893
Reported-by: Jeff Sadowski <jeff.sadowski at gmail.com>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b1b5ead by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dbcheck: improve --help for --reset-well-known-acls
This option is for updating from pre-4.0.4 when something went wrong
with ACLs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9872
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c824ad8d by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain: fix error string for account lockout duration
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
26b86bc5 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: add a wrapper for better error messages
This will help turn simple common errors into CommandError messages.
At this stage, no messages are intercepted.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e931104d by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: use DnsConnWrapper widely
This covers all the cases where there are no existing CommandError
messages, and no other uses of the dns_conn (i.e., not cmd_update).
Forthcoming commits will introduce default messages for these.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9e774fc1 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: catch DS_UNAVAILABLE errors as CommandErrors
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
47684f57 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: catch ZONE_ALREADY_EXISTS errors as CommandErrors
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1ae4738a by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: RECORD_DOES_NOT_EXIST errors as CommandErrors
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
36241042 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: NAME_DOES_NOT_EXIST errors; add docstring
In practice, these always refer to zones.
We're adding the docstring now, because it made no sense when
default_messages was empty.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
633872c7 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: zonedelete uses DnsConnWrapper messages
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
bee727a5 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: query uses DnsConnWrapper messages
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
38ccbf46 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: add uses DnsConnWrapper messages
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
99d48c85 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: delete uses DnsConnWrapper messages
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ca82806f by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: update_record uses DnsConnWrapper
The special thing about this one is the dns_conn is also used in the
dns_record_match() library function, which wants a real dns
connection.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2aa5b56b by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: use DnsconnWrapper in zonecreate
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fbd815c1 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool dns: catch werror.WERR_ACCESS_DENIED
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4959d07b by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool ldapcmp: use ValueError, not Exception
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c26a8f6a by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool ldapcmp: use shorter names in cmp_attrs
This simplifies a fix in the next commit.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b13c121f by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool ldapcmp: do not assume common attributes
This has caused numerous reports of
ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
File /usr/lib/python3/dist-packages/samba/netcmd/__init__.py, line 185, in _run
return self.run(*args, **kwargs)
File /usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py, line 957, in run
if b1.diff(b2):
File /usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py, line 781, in diff
if object1 == object2:
File /usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py, line 549, in __eq__
return self.cmp_attrs(other)
File /usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py, line 590, in cmp_attrs
if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):
because other does not have attribute 'x'.
It is better to assume other.attributes[x] is None, which will compare
as unequal to whatever self.attributes[x] is, showing up as a diff
rather than a crash.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
960ae819 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool ldapcmp: use CommandError, not assertion
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2cdafb94 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool ldapcmp: use CommandError on auth failure
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6d401526 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain: helper function for domain level names
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0363879d by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain show: use level_to_string()
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
bcc9f7f3 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain show: report level 2016
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5af823a7 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain: expand string_version_to_constant range
This won't actually have any effect yet -- the new values are
inaccessible in the place it is used because the range is limited by
the --function-level option config.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8b17b2a5 by Douglas Bagnall at 2022-09-06T21:12:36+00:00
samba-tool domain: add string_to_level() helper
Reverse transform of level_to_string(), obviously.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
84002281 by Douglas Bagnall at 2022-09-06T22:07:23+00:00
samba-tool domain: use string_to_level helper()
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Tue Sep 6 22:07:23 UTC 2022 on sn-devel-184
- - - - -
8df9fdc5 by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pytest: samba-tool ntacl should report errors better
We want `samba-tool ntacl sysvolreset` and `samba-tool ntacl
sysvolcheck` to fail when the Policies folder is not in place, but not
to produce an inscrutable stacktrace.
https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a64839bc by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pytest: posixacl getntacl should raise OSError
Not TypeError, which is supposed to be about Python data types. This
way we get to check/see an errno and strerror, and will allow us to
set the filename which will be useful for some errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dfc92d29 by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pybindings: xattr_native raises OSError not TypeError
Most likely it is a bad filename or attribute, not the wrong type of
argument.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a5eeed52 by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pysmbd: avoid leaks in get_nt_acl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1b4938c3 by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pysmbd: get_nt_acl() raises FileNotFoundError if appropriate
rather than an NTStatusError, which is harder to decipher, and which
carries less information (namely, not the name of the problematic
file).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dc9f29e5 by Douglas Bagnall at 2022-09-07T05:01:37+00:00
pysmbd: set_nt_acl() can raise FileNotFoundError
rather than an NTStatusError, which is harder to decipher, and which
carries less information (namely, not the name of the problematic file).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5a4b050f by Douglas Bagnall at 2022-09-07T06:02:20+00:00
samba-tool ntacl: better messages for missing files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Sep 7 06:02:20 UTC 2022 on sn-devel-184
- - - - -
c3855fb6 by Volker Lendecke at 2022-09-07T18:40:28+00:00
smbd: Save a few lines by using tevent_req_nterror()'s retval
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2ae7ad97 by Volker Lendecke at 2022-09-07T18:40:28+00:00
librpc: Simplify ndr_size_dom_sid28()
all_zero() treats a NULL pointer as true.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9d432f3c by Volker Lendecke at 2022-09-07T18:40:28+00:00
librpc: Simplify ndr_size_dom_sid28()
Don't duplicate the calculation
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9aca11a7 by Volker Lendecke at 2022-09-07T18:40:28+00:00
ldb: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
47e2df56 by Volker Lendecke at 2022-09-07T18:40:28+00:00
ldb: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f14a4527 by Volker Lendecke at 2022-09-07T18:40:28+00:00
smbtorture3: Avoid an "else"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d74a5a7c by Volker Lendecke at 2022-09-07T18:40:28+00:00
smbd: Shorten long lines
This code is young enough to justify a README.Coding patch, at least
IMO.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5a4098ae by Volker Lendecke at 2022-09-07T18:40:28+00:00
smbd: Remove unused variables
ReadDirName happily takes NULL for "sbuf"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
04e127d9 by Volker Lendecke at 2022-09-07T18:40:28+00:00
torture3: Remove an unused variable
ReadDirName happily takes NULL for "sbuf"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4a54e3f2 by Volker Lendecke at 2022-09-07T18:40:28+00:00
smbd: Remove an unused variable
ReadDirName happily takes NULL for "sbuf"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f1050f5b by Volker Lendecke at 2022-09-07T18:40:28+00:00
torture3: Pass NULL to ReadDirName
Do the necessary fstat manually
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1dc8a996 by Volker Lendecke at 2022-09-07T18:40:28+00:00
ntlm_auth: Remove an unused #include
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c2e235ef by Andrew Walker at 2022-09-07T19:40:17+00:00
s3:modules - fix read of uninitialized memory
For loop accesses entry->next after entry
has been removed from list in glfs_clear_preopened().
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 7 19:40:17 UTC 2022 on sn-devel-184
- - - - -
ab6b9465 by Stefan Metzmacher at 2022-09-08T07:16:36+00:00
s3:libads: split out ads_fill_cldap_reply() out of ads_try_connect()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
8132edf1 by Stefan Metzmacher at 2022-09-08T08:12:46+00:00
s3:libads: let cldap_ping_list() use cldap_multi_netlogon()
We have a list of ip addresses, so we can request them
all together under a single timeout, instead of asking
each ip with it's own timeout.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Sep 8 08:12:46 UTC 2022 on sn-devel-184
- - - - -
8b403ab7 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: do not crash on unimplemented .run()
The run() method is always called with arguments, so it crashes before
the NotImplementedError() is ever reached. That's OK, but this is better.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9ec0863f by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: separate ._run() from command resolution
Prior to this commit, in super-commands, the first half of the _run()
is resolving what sub-command to run, and the second half is working
out what to print if that failed. Some issues with that are:
* it looks a little bit complicated.
* the tests can't use the tool's resolution code, because it runs
immediately, while the tests first want to fiddle with self.outf
and so on.
* it makes it harder to subclass and override the resolution code, so
instead we do strange things like where we subclass dict as in
main.py.
So we split it into ._resolve() and ._run().
There are a few tests that break. We mark these as flapping, rather
than knownfail, so as to avoid going into extremely fine-grain filters
for tests that will be fixed within a few commits.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ed787869 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: more conventional usage of parser.parse_args
By default parse_args will use sys.argv[1:], which is to say the
command-line without the command name. We have always fed it the
equivalent of sys.argv, then trimmed the command off the result. That
was a bit silly.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
304ac5bb by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: _resolve() can set outf, errf
We catch output in outf and errf for testing, which we currently do
with
cmd.outf = self.stringIO()
cmd.errf = self.stringIO()
on the final resolved commands. But this does not catch the output of
the super-commands, of which we normally expect none. Using
supercmd._resolve(*args, outf=self.stringIO(), errf=self.stringIO())
will redirect output all the way up the chain.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
153ad8fc by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: command that has exception, shows exception
This will make a difference to the string printed in the cases that
call self.usage(), resulting in more specified usage for the
sub-command. It would also matter if the samba-tool sub-command had a
different .show_command_error() or .errf, but I don't think that
happens.
Note: usually command._run() will have caught and shown the exception,
returning -1.
We also rename away 'cmd' so we don't again imagine it is the command
we are running.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5247c87c by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: add a convenience function that does it all
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c41887d9 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest/netcmd: fix for new samba-tool api
In this case we are skipping _resolve().
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
202182e0 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest/samba_dnsupdate: fix using samba-tool function
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8b23ef30 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest/password-lockout: fix using samba_tool function
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a1c615f8 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest/samba-tool: entry function follows too logic
To further align the logic of the tool and the tests, we use
the same logic in the test function as in samba-tool. In
effect, this means the function is even less likely to raise
an exception, rahter printing it out and returning an error code.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4bfcd16a by Douglas Bagnall at 2022-09-08T22:34:36+00:00
samba-tool: binary uses samba_tool function
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
273797d8 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest: samba-tool: coalesce run*cmd functions
We have had three different functions for resolving samba-tool commands,
depending on whether they are nested 1, 2, or n deep (where n could also
be 1 or 2). This API evolved around a separation of sub-command names and
options, so that the Command that was eventually found could be given the
right outf and errf.
Now we can just use the same outf and errf for all levels, and we can not
care about this distinction.
All these functions are now synonyms, and we keep them all for now for
backward-compatibility.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
09888694 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
make runcmd, runsubcmd, exact aliases
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b5013634 by Douglas Bagnall at 2022-09-08T22:34:36+00:00
pytest samba-tool forest: use runcmd
This is an example/test to show how runsublevelcmd() converts into
runcmd() whilst ensuring it works.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b475e020 by Andreas Schneider at 2022-09-08T22:34:36+00:00
s4:gensec: Do not link subsystems against dlopen() modules!
This is not a shared library. This only worked because we use
'--as-needed' as linker option.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b9018d3 by Andreas Schneider at 2022-09-08T22:34:36+00:00
waf: Do not use as-needed if we build with Address Sanitizer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
08dda9ce by Andreas Schneider at 2022-09-08T22:34:36+00:00
selftest: Remove tailing whitspaces in selftest.pl
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1591d7bd by Andreas Schneider at 2022-09-08T22:34:36+00:00
selftest: Fix address sanitizer with python3
==9542==AddressSanitizer: failed to intercept 'crypt'
==9542==AddressSanitizer: failed to intercept 'crypt_r'
[..]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7ffcec4bf3c0 sp 0x7ffcec4beb58 T0)
==29768==Hint: pc points to the zero page.
==29768==The signal is caused by a READ memory access.
==29768==Hint: address points to the zero page.
#0 0x0 (<unknown module>)
#1 0x7f052cca4129 in crypt_crypt_impl /usr/src/debug/python310-core-3.10.6-3.1.x86_64/Modules/_cryptmodule.c:44
We would need to build python without --as-needed as we can't so that
we need to preload the library to avoid a segfault.
See also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7800097a by Andreas Schneider at 2022-09-08T22:34:36+00:00
selftest: Create asan_options variable
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a88bb04c by Andreas Schneider at 2022-09-08T22:34:36+00:00
selftest: Add Address Sanitizer suppressions
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
761ce8cf by Andreas Schneider at 2022-09-08T23:34:15+00:00
s4:kdc: Set kerberos debug class for kdc service
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 8 23:34:15 UTC 2022 on sn-devel-184
- - - - -
e5345549 by Joseph Sutton at 2022-09-09T00:14:38+00:00
claims.idl: Add claim type definitions
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
88c9e2af by Joseph Sutton at 2022-09-09T00:14:38+00:00
krb5pac.idl: Add definitions for claims PAC buffers
The PAC device info definition comes from [MS-PAC] 2.12.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
20082340 by Joseph Sutton at 2022-09-09T00:14:38+00:00
tests/krb5: Add function for creating claims
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fa90633b by Joseph Sutton at 2022-09-09T00:14:38+00:00
tests/krb5: Add xpress (de)compression functions
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6170d46c by Joseph Sutton at 2022-09-09T00:14:38+00:00
tests/krb5: Check claims buffers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8b8a2680 by Joseph Sutton at 2022-09-09T00:14:38+00:00
tests/krb5: Allow specifying sname for getting service ticket
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dadd3223 by Joseph Sutton at 2022-09-09T01:11:05+00:00
tests/krb5: Add claims tests
Based on tests originally written by Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Sep 9 01:11:05 UTC 2022 on sn-devel-184
- - - - -
3ce1d2fd by Michael Tokarev at 2022-09-12T02:29:32+00:00
Fix spelling mistakes.
Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 12 02:29:32 UTC 2022 on sn-devel-184
- - - - -
534b88de by Björn Jacke at 2022-09-12T02:30:36+00:00
docs-xml: some fixes and updates for ea and acl docs in smb.conf
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
66289ab6 by Andreas Schneider at 2022-09-12T03:27:55+00:00
s4:kdc: Set Kerberos debug class for all KDC files
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184
- - - - -
15f464a3 by Jeremy Allison at 2022-09-12T15:21:30+00:00
s3: smbtorture3: Fix invalid tests for file identity.
The test SMB1-DFS-PATHS was using the file ino number
to check for file identity, fetching it using cli_qfileinfo_basic().
This works for SMB2, but the info level used by this for SMB1
(SMB_QUERY_FILE_ALL_INFO) doesn't return the ino number, so
all comparisons were succeeding as zero.
Change to using crtime (create time) for identity comparison
instead. This fix is mostly a rename of ino -> crtime, with
some changes around the tests and printf on error, but it
is easier to do in one go.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
c9a71e07 by Jeremy Allison at 2022-09-12T16:21:23+00:00
s3: smbtorture: In run_smb1_dfs_paths() ensure we're actually reading and testing crtimes from the filesystem.
Ensures crtime of the root of the share and a newly created
file crtime are different. Should help avoid mistakes like the
error fixed by the previous commit.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Sep 12 16:21:23 UTC 2022 on sn-devel-184
- - - - -
6932ccf3 by Joseph Sutton at 2022-09-12T23:07:37+00:00
s3:rpc_server: Fix typo in error message
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f9850c77 by Joseph Sutton at 2022-09-12T23:07:37+00:00
lib:crypto: Zero auth_tag array in encryption test
If samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt() does not fill the
array completely, we may be comparing uninitialised bytes.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
03f0e4d5 by Joseph Sutton at 2022-09-12T23:07:37+00:00
s4:torture: Zero samr_UserInfo union in password set test
If init_samr_CryptPasswordAES() does not fill the
u.info31.password.auth_data array completely, we may be comparing
uninitialised bytes.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cec59b82 by Joseph Sutton at 2022-09-12T23:07:37+00:00
lib:crypto: Check for overflow before filling pauth_tag array
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
121e439e by Joseph Sutton at 2022-09-12T23:07:37+00:00
lib:crypto: Use constant time memory comparison to check HMAC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b27a67af by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data with DES
This lets us access single-DES from Python. This function is used in a
following commit for encrypting an NT hash to obtain the verifier for a
SAMR password change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
17b8d164 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4
This lets us access MD4, which might not be available in hashlib, from
Python. This function is used in a following commit for hashing a
password to obtain the verifier for a SAMR password change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4bb9d85f by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 lib:crypto: Add Python functions for AES SAMR password change
These functions allow us to perform key derivation and AES256 encryption
in Python. They will be used in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
91e2e561 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 tests/krb5: Add tests for password lockout race
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
439f96a2 by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.
This ensures we can re-search on the DN via the embedded GUID,
which in in turn rename-proof.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2087b0cd by Gary Lockyer at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out
samdb_result_msds_LockoutObservationWindow() is split out of
samdb_result_effective_badPwdCount()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
40871724 by Gary Lockyer at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
To ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically,
without always opening a transaction, we will need to make a note
of all bad and successful passwords in a side-DB outside the
transaction lock.
This provides the functions needed for that and hooks them in
(future commits will handle errors and use the results).
Based on patches by Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
7b8e32ef by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Reread the user record if a bad password is noticed..
As is, this is pointless, as we need a transaction to make this
any less of a race, but this provides the steps towards that goal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
d6cf245b by Gary Lockyer at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
cmocka unit tests for the authsam_reread_user_logon_data in
source4/auth/sam.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
336e303c by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
This is more specific than NT_STATUS_UNSUCCESSFUL, and for the SAMR
password change, matches the result the call to samdb_result_passwords()
would give.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
de4cc0a3 by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4 auth: make bad password count increment atomic
Ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically.
Use bad password indicator (in a distinct TDB) to determine if to open a transaction
We open a transaction when we have seen the hint that this user
has recorded a bad password. This allows us to avoid always
needing one, while not missing a possible lockout.
We also go back and get a transation if we did not take out
one out but we chose to do a write (eg for lastLogonTimestamp)
Based on patches by Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4a9e0fdc by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b954acfd by Gary Lockyer at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Return only the result message and free the surrounding result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
55147335 by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
authsam_calculate_lastlogon_sync_interval() is split out of authsam_update_lastlogon_timestamp()
Based on work by Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
71218103 by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
By bringing this function inline it can then be split out in a
subsequent commit.
Based on work by Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b5f78b7b by Andrew Bartlett at 2022-09-12T23:07:37+00:00
CVE-2021-20251 auth4: Avoid reading the database twice by precaculating some variables
These variables are not important to protect against a race with
and a double-read can easily be avoided by moving them up the file
a little.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
d8a862cb by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in
preference to NT_STATUS_WRONG_PASSWORD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a65147a9 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
Previously, there was a gap between calling dsdb_update_bad_pwd_count()
and dsdb_module_modify() where no transaction was in effect. Another
process could slip in and modify badPwdCount, only for our update to
immediately overwrite it. Doing the update inside the transaction will
help for the following commit when we make it atomic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
96479747 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
We reread the account details inside the transaction in case the account
has been locked out in the meantime. If it has, we return the
appropriate error code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2b593c34 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
This simplifies the code for the following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b1e74089 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.
Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
bdfc9d96 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4:kdc: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a268a1a0 by Joseph Sutton at 2022-09-12T23:07:37+00:00
CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
268ea7be by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
This may return an error if we find the account is locked out.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8587734b by Jeremy Allison at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s3: ensure bad password count atomic updates
The bad password count is supposed to limit the number of failed login
attempt a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts. This is especially
bad on constrained or overcommitted hardware.
To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.
Discovered by Nathaniel W. Turner.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
65c473d4 by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change
The bad password count is supposed to limit the number of failed login
attempt a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts. This is especially
bad on constrained or overcommitted hardware.
To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.
Derived from a similar patch to source3/auth/check_samsec.c by
Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
03a50d8f by Joseph Sutton at 2022-09-12T23:07:38+00:00
lib:util: Check memset_s() error code in talloc_keep_secret_destructor()
Panic if memset_s() fails.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6edf88f5 by Joseph Sutton at 2022-09-12T23:07:38+00:00
libcli:auth: Keep passwords from convert_string_talloc() secret
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1258746b by Joseph Sutton at 2022-09-12T23:07:38+00:00
s3:rpc_server: Use BURN_STR() to zero password
This ensures these calls are not optimised away.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fabbea25 by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.
This ensures we can re-search on the DN via the embedded GUID,
which in in turn rename-proof.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f74f92ae by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s4-rpc_server: Use user privileges for SAMR password change
We don't (and shouldn't) need system prvileges to perform the password
change, so drop to the privileges of the user by setting
DSDB_SESSION_INFO. We need to reuse the same sam_ctx: creating a new one
with only user privileges would not work, because any database
modifications would be blocked by the transaction taken out on the
original context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fcabcb32 by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
Now the initial account search is performed under the transaction,
ensuring the overall password change is atomic. We set DSDB_SESSION_INFO
to drop our privileges to those of the user before we perform the actual
password change, and restore them afterwards if we need to update the
bad password count.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7981cba8 by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
All of its callers, where necessary, take out a transaction covering the
entire password set or change operation, so a transaction is no longer
needed here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1d869a2a by Joseph Sutton at 2022-09-12T23:07:38+00:00
CVE-2021-20251 s3:rpc_server: Split change_oem_password() call out of samr_set_password_aes()
Now samr_set_password_aes() just returns the new password in a similar
manner to check_oem_password(). This simplifies the logic for the
following change to recheck whether the account is locked out, and to
update the bad password count.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8ae0c38d by Joseph Sutton at 2022-09-13T00:08:07+00:00
CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR AES password change
The bad password count is supposed to limit the number of failed login
attempt a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts. This is especially
bad on constrained or overcommitted hardware.
To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.
We also update the bad password count if the password is wrong, which we
did not previously do.
Derived from a similar patch to source3/auth/check_samsec.c by
Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 13 00:08:07 UTC 2022 on sn-devel-184
- - - - -
84e44cff by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add a new test SMB2-NON-DFS-SHARE.
This one is tricky. It sends SMB2 DFS pathnames to a non-DFS
share, and sets the SMB2 flag FLAGS2_DFS_PATHNAMES in the SMB2
packet.
Windows will have non of it and (correctly) treats the pathnames
as local paths (they're going to a non-DFS share). Samba fails.
This proves the server looks as the share DFS capability to
override the flag in the SMB2 packet.
Passes against Windows. Added knownfail for Samba.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
ddc88e5c by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add an SMB1 operations torture tester.
Only tests SMB1unlink for now, but I will add other operations
later.
smbtorture3 test is: SMB1-DFS-OPERATIONS.
Passes fully against Windows. Adds knownfail for smbd.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
2eb561f0 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_mkdir() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
f7b06ea3 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_rmdir() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
18bdcd85 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_ntcreatex() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
4e8e78e2 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_nttrans_create() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
ad472f77 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_openx() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
f1475e64 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_open() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
cc3d76d8 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_create() DFS test to run_smb1_dfs_operations().
Tests SMBcreate and SMBmknew.
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
243433bd by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_getatr() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
5cbb8abc by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_setatr() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
7b5955dc by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_chkpath() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off--by: Noel Power <npower at samba.org>
- - - - -
85dc30f9 by Jeremy Allison at 2022-09-14T17:33:37+00:00
s3: smbtorture3: Add test_smb1_ctemp() DFS test to run_smb1_dfs_operations().
NB. This passes against Windows, but SMBctemp is broken on a Windows DFS
share and always returns NT_STATUS_FILE_IS_A_DIRECTORY.
When we fix the Samba server to correctly process DFS
pathnames we'll have to change this test to understand
it's running against smbd and modify the expected behavior
to match a working server.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
95bd776d by Jeremy Allison at 2022-09-14T18:37:06+00:00
s3: smbtorture3: Add test_smb1_qpathinfo() DFS test to run_smb1_dfs_operations().
Passes against Windows.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 14 18:37:06 UTC 2022 on sn-devel-184
- - - - -
a213a371 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Add missing memory allocation fail checks in cli_ntcreate1_send().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
c7749103 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Add missing memory allocation fail check in cli_openx_create().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
dfd7c6ca by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Cleanup - remove unused fname_src parameter from cli_dfs_target_check().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
c3c71649 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Add pair cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Wraps cli_state_save_tcon()//cli_state_restore_tcon() but
also returns cli->sharename.
We are going to replace all uses of cli_state_save_tcon()/cli_state_restore_tcon()
so we also save/restore the cli->share for DFS purposes.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviwed-by: Noel Power <npower at samba.org>
- - - - -
73fde1fb by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_lsa_lookup_sid() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
83dab423 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_lsa_lookup_name() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
fcf09027 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_check_msdfs_proxy() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
cf02ed2f by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: torture: In run_smb2_basic(), replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
d116a079 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: torture: In run_tcon_test() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Also fix a comment in run_uid_regression_test().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
fddade45 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: utils: In show_userlist() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
4e3ea1b2 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: smbcacls: In cli_lsa_lookup_domain_sid(), replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
There are now no more external users of cli_state_save_tcon()/cli_state_restore_tcon()
so we can make them static.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
ad97a97b by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Make cli_state_save_tcon()/cli_state_restore_tcon() static.
There are no external callers.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
070b73e3 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_list_old_send(), push state->mask into the packet, not just mask.
This doesn't matter right now, but it will when I
add DFS path awareness to cli_list().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
26b4a695 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Add cli_dfs_is_already_full_path() function.
Returns true if it's already a fully qualified DFS path.
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
dd9cdfb3 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: For SMB2 opens on a DFS share, convert to a DFS path if not already done.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
c98d165e by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Add smb1_dfs_share_path() to convert a name into a DFS path if needed.
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
4a9458d0 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Fix SMB1 cli_list_trans_send() (SMBtrans2:TRANSACT2_FINDFIRST) to cope with DFS paths.
See smbtorture3: SMB1-DFS-SEARCH-PATHS: test_smb1_findfirst_path
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
d9f0d924 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Fix SMB1 cli_list_old_send() to cope with DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
3c2a31b4 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Fix cli_resolve_path() to cope with DFS paths passed in as well as local paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
f34fad61 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: smbcacls: Now cli_resolve_path() and cli_list() can handle DFS names we no longer need local_cli_resolve_path().
Remove local_cli_resolve_path(). No more special treatment for DFS names in smbcacls.
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Noel Power <noel.power at suse.com>
- - - - -
2d28696e by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: Make cli_setpathinfo_send() (SMBtrans2: TRANSACT2_SETPATHINFO) DFS path aware.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
4da3c724 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for DFS source pathname.
smbtorture3: SMB1-DFS-PATHS: test_smb1_mv() shows
SMBmv uses DFS for src and dst.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
44bf2bc8 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for DFS dst pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_mv().
Remove the old code that stripped a DFS name from the
destination filename, and go through smb1_dfs_share_path()
as we did for fname_src in the last commit.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
f1765c9c by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_ntrename_internal_send() (SMBntrename) check for DFS source pathname.
smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_rename() shows
SMBntrename uses DFS for src and dst.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
73a6e2b1 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_ntrename_internal_send() (SMBntrename) check for DFS dst pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_rename().
and smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_hardlink().
Remove the old code that stripped a DFS name from the
destination filename, and go through smb1_dfs_share_path()
as we did for fname_src in the last commit.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
e2efea7d by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_unlink_send() (SMBunlink) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_unlink() shows
SMBunlink uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
47cf519e by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_mkdir_send() (SMBmkdir) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_mkdir() shows
SMBmkdir uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
8561eaa0 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_rmdir_send() (SMBrmdir) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_rmdir() shows
SMBrmdir uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
198869af by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_ntcreate1_send() (SMBntcreateX) check for DFS pathname..
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_ntcreatex() shows
SMBntcreateX uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
ab125722 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_nttrans_create_send() (SMBnttrans:NT_TRANSACT_CREATE) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_nttrans_create() shows
SMBnttrans:NT_TRANSACT_CREATE uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
b58cee42 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_openx_create() (SMBopenX) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_openx() shows
SMBopenX uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
75339aec by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_getatr_send() (SMBgetatr) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_getatr() shows
SMBgetatr uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
a53c049c by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_setatr_send() (SMBsetatr) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_setatr() shows
SMBsetatr uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
6a82167f by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_chkpath_send() (SMBcheckpath) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_chkpath() shows
SMBcheckpath uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
5c083e8b by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_ctemp_send() (SMBctemp) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_ctemp() shows
SMBctemp uses DFS paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
adc4a1b2 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_set_ea_path() (SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
fa7e6899 by Jeremy Allison at 2022-09-15T18:43:32+00:00
s3: libsmb: In cli_qpathinfo_send() (SMBtrans2:TRANSACT2_QPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_qpathinfo()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
b4455f04 by Jeremy Allison at 2022-09-15T19:44:00+00:00
s3: libsmb: In cli_posix_open_internal_send() (SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 15 19:44:00 UTC 2022 on sn-devel-184
- - - - -
cbbf3fd7 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4:tests/sec_descriptor: Add missing security descriptor modify
The variable sub_sddl1 previously went unused, so this call to
modify_sd_on_dn() was presumably intended to go here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
890d2c5c by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 python:tests: Ensure that access checks don't succeed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0af5706b by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29
These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cc709077 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 pydsdb: Add dsHeuristics constant definitions
We want to be able to use these values in Python tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2563f852 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 pydsdb: Add AD schema GUID constants
This helps reduce the profusion of magic constant values in Python
tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c2761a47 by Nadezhda Ivanova at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4-acl: Test Create Child permission should not allow full write to all attributes
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch includes tests for the proposed change of behavior.
test_add_c3 and c4 pass, because mandatory attributes can still be
set, and in the old behavior SD permissions were irrelevant
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0e1d8929 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720: s4-acl: Move definition of acl_check_self_membership()
This allows us to make use of it in acl_add().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
08187833 by Nadezhda Ivanova at 2022-09-16T02:32:36+00:00
CVE-2020-25720: s4-acl: Change behavior of Create Children check
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6dc6ca56 by Nadezhda Ivanova at 2022-09-16T02:32:36+00:00
CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior
Test using non-priviledged accounts now need to make sure they have
WP access on the prvided attributes, or Write-DACL
Some test create organizational units with a specific SD, and those now
need the user to have WD or else they give errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
72b8e982 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to check file access rights
se_access_check() will be changed in a following commit to remove the
implicit WRITE_DAC right that comes with being the owner of an object.
We want to keep this implicit right for file access, and by using
se_file_access_check() we can preserve the existing behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5073d599 by Nadezhda Ivanova at 2022-09-16T02:32:36+00:00
CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
acc9999a by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless all rights are granted
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
95fe9659 by Joseph Sutton at 2022-09-16T02:32:36+00:00
CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security descriptors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cc64ea24 by Andrew Bartlett at 2022-09-16T03:31:42+00:00
CVE-2020-25720 s4:dsdb/descriptor: explain lack of dSHeuristics check
It is strange that sDRightsEffective pays no attention to the
dSHeuristics flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Sep 16 03:31:42 UTC 2022 on sn-devel-184
- - - - -
517f09eb by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-scripts: Drop assumption that there are VLANs with no '@'
VLAN configuration on Linux often uses a convention of naming a VLAN
on <iface> with VLAN ID <tag> as <iface>.<tag>. To be able to monitor
the underlying interface, the original 10.interface code naively
simply stripped off the '.' and everything after (i.e. ".*", as a glob
pattern).
Some users do not use the above convention. A VLAN can be named
without including the underlying interface, but still with a
tag (e.g. vlan<tag> - the word "vlan" following by the tag) or, more
generally, perhaps without a tag (e.g. <vlan> - an arbitrary name).
The ip(8) command lists a VLAN as <vlan>@<iface>. The underlying
interface can be found by stripping everything up to and including an
'@' (i.e. "*@").
Commit bc71251433ce618c95c674d7cbe75b01a94adad9 added support for
stripping "*@". However, on suspicion, it kept support for the case
where there is no '@', falling back to stripping ".*". If ip(8) ever
did this then it was a long time ago - it has been printing a format
including '@' since at least 2004.
Stripping ".*" interferes with interesting administrative decisions,
like having '.' in interface names.
So, drop the fallback to stripping ".*" because it appears to be
unnecessary and can cause inconvenience.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
67e0ca5e by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-tests: Reformat script with "shfmt -w -p -i 0 -fn"
As per current Samba convention.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
ef921bdb by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-tests: Avoid ShellCheck warnings
Although this is a test stub, it is complicated enough to encourage
ShellCheck cleanliness.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
5abaec49 by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-tests: Implement "ip -brief link show" in ip stub
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
a31fb7e5 by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-scripts: Simplify determination of real interface
This can now be made trivial.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
4ee0abae by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-tests: Avoid shellcheck warnings in remaining test stubs
A small amount of effort...
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
0e388a19 by Martin Schwenke at 2022-09-16T03:36:32+00:00
ctdb-tests: Include eventscript stub commands in shellcheck test
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
4f5b4bd9 by Martin Schwenke at 2022-09-16T04:35:09+00:00
ctdb-tests: Reformat remaining test stubs with "shfmt -w -p -i 0 -fn"
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Fri Sep 16 04:35:09 UTC 2022 on sn-devel-184
- - - - -
7af1326a by Douglas Bagnall at 2022-09-16T05:46:35+00:00
samba-tool: simplify and clarify SuperCommand._run() a little
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
eab89c8e by Douglas Bagnall at 2022-09-16T05:46:35+00:00
pytest/password_lockout: be less verbose by default
leaving the carefully constructed verbosity there for whoever choses
to switch it on.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1f60e881 by Douglas Bagnall at 2022-09-16T05:46:35+00:00
libaddns: remove duplicate declaration
Also declared on line 257, exactly the same.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9983ea0e by Douglas Bagnall at 2022-09-16T05:46:35+00:00
s4/server: stop suggesting ntvfs in error message
I am not sure about the rpc proxy.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
53f6dbe0 by Douglas Bagnall at 2022-09-16T05:46:35+00:00
ldb: ldb_build_search_req() check for a talloc failure
The failure in question would have to be a `talloc_strdup(dn, "")` in
ldb_dn_from_ldb_val().
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3119349a by Douglas Bagnall at 2022-09-16T05:46:36+00:00
libcli/auth/proto.h: remove unneeded path details.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4f30d06a by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytest: samba-tool visualize: fix filename
Overwriting the other file was harmless but misleading.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4c623356 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
py:colour: colour_if_wanted() returns the result
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5dd4696f by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool: make --color a general option
We don't put --color into options.SambaOptions because we can't handle
the 'auto' case in the options module without knowing whether or not
self.outf is a tty, and a) this might not be resolved and b) is fiddly
to pass through.
The .use_colour class flag allows samba-tool subcommands to avoid having
--color, and is *also* useful in the short term for visualise and drs
commands to avoid having this --color clobber their own bespoke versions
(temporarily, during the transition).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
baf7c5c5 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool: save --color choice for subcommands
In particular, visualize needs it to decide colour for an output
file that may or may not be stdout, so it needs to make its own
decision for that file.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7d4387d1 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool drs showrepl: use global --color option
This changes the default from --color=no to --color=auto.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c0d0c136 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool: --color=auto looks at stderr and stdout
More often than not we are using colour in stderr, but are deciding
based on stdout's tty-ness. This patch changes to use both, and will
affect the following situation:
samba-tool 2>/tmp/errors # used to be colour, now not.
of course, if you want colour, you can always
samba-tool --color=yes 2>/tmp/errors
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
adf8b8b4 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
py:colour: is_colour_wanted() can take filenames
We need this for `samba-tool visualize -o -` which means output to
stdout, and which has always had a tty test for colour. Rather than
continue to duplicate the full logic there, we can reuse this.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
07cbb10d by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool visualise: use global --color
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a64e6c96 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool visualize: simplify --color-scheme calculations
If you ask for a --color-scheme, you are implicitly asking for --color.
That was documented in --help, but not followed here.
Now --color=no --color-scheme=ansi will use colour for the graph, but not
for other output. This might be useful when the graph is going to a
different place than everything else (`-o foo.txt > bar.txt`).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b350a9c3 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool: write ERROR in red if colour is wanted
Often we'll write something like
ERROR: Unable to find user "potato"
which can get lost in the jumble of other output. With this patch, we
colour the word "ERROR" red but not the rest of the string, unless it is
determined that colour is not wanted (due to one of --color=never,
NO_COLOR=1, output is not a tty).
We choose to redden the word "ERROR" only to maintain legibility in the
actual message, while hopefully increasing the noticeability of the line.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ed72ec76 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
samba-tool: no stack trace on missing ldb tdb
Now, in a testenv, if you forget to use '-s st/ad_dc/etc/smb.conf',
you only see this:
$ bin/samba-tool user rename dsadsa
ldb: Unable to open tdb '$HERE/st/client/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '$HERE/st/client/private/secrets.ldb' with backend 'tdb': Unable to open tdb '$HERE/st/client/private/secrets.ldb': No such file or directory
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open $HERE/st/client/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ltdb: tdb($HERE/st/client/private/sam.ldb): tdb_open_ex: could not open file $HERE/st/client/private/sam.ldb: No such file or directory
Unable to open tdb '$HERE/st/client/private/sam.ldb': No such file or directory
Failed to connect to 'tdb://$HERE/st/client/private/sam.ldb' with backend 'tdb': Unable to open tdb '$HERE/st/client/private/sam.ldb': No such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb '$HERE/st/client/private/sam.ldb': No such file or directory
rather than all that AND a stack trace.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2775d6b5 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytest: samba-tool visualize: improve a message
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3c5cb278 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests: remove backwards compat workaround for python 2.6
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b1ff59fb by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests:s4/drs/ridalloc_exop: avoid unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7f9fedd7 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests:s4/drs/linked_attributes_drs: avoid unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7283fed0 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests:s4/drs/repl_rodc: avoid unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1cf48a58 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests:s4/drs/repl_move: avoid unused and star imports
Found the names using something like:
flake8 repl_move.py | \
grep -oP "(?<=F405 ')[\w.]+" /tmp/repl_move | sort | uniq
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
884f1052 by Douglas Bagnall at 2022-09-16T05:46:36+00:00
pytests:s4/drs/getnc_schema: avoid unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3e95c677 by Douglas Bagnall at 2022-09-16T06:47:43+00:00
pytests:s4/dsdb/passwords: avoid unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Sep 16 06:47:43 UTC 2022 on sn-devel-184
- - - - -
9ef2f734 by Andreas Schneider at 2022-09-16T20:30:31+00:00
s3:auth: Flush the GETPWSID in memory cache for NTLM auth
Example valgrind output:
==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F4C7: main (in /usr/sbin/winbindd)
You can find one for each string in pdb_copy_sam_account(), in total
this already has 67 MB in total for this valgrind run.
pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
- - - - -
e1ca4e28 by Volker Lendecke at 2022-09-17T04:15:35+00:00
vfs: Add dirfsp to connectpath_fn()
So far we only call CONNECTPATH on full paths. In the future, we'll
have a call that will not have converted a relative path to absolute
just for efficiency reasons. To give shadow_copy2 the chance to still
find the snapshot directory, pass the dirfsp down to it.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fbc17c41 by Volker Lendecke at 2022-09-17T04:15:35+00:00
shadow_copy2: Use dirfsp for connectpath
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dbf93c9e by Volker Lendecke at 2022-09-17T04:15:35+00:00
shadow_copy2: Use dirfsp if it's around
Not used yet, and the "if" around dirfsp!=NULL will go away in a later
patch.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b4445ef9 by Volker Lendecke at 2022-09-17T04:15:35+00:00
smbd: Slightly simplify non_widelink_open()
Avoid the "is_share_root" boolean: One special case less to take care
of further down and in callers: Sanitize the relative name so that it
can never contain a path separator
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1bf0289b by Volker Lendecke at 2022-09-17T04:15:35+00:00
smbd: Make readlink_talloc() public
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2c8935cf by Volker Lendecke at 2022-09-17T04:15:35+00:00
smbd: Rewrite non_widelink_open()
The previous implementation relied on recursion into
non_widelink_open() via process_symlink_open(). The latter used
readlink() to just make sure that the opened file is actually a
symlink.
This implementation now relies on a fstat/fstatat on failure to open a
file, removing a little complexity deciphering error codes
correctly. It also relies on reading the symlink in user space,
turning the recursion into a loop.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f3350bff by Volker Lendecke at 2022-09-17T04:15:35+00:00
smbd: Remove non_widelink_open() support code
process_symlink_open() and check_reduced_name() are no longer used,
non_widelink_open() was the only user of both.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6e5d79ff by Volker Lendecke at 2022-09-17T05:15:04+00:00
shadow_copy2: Remove an intermediate if-statement
Now we always pass in a dirfsp from our only caller
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 17 05:15:04 UTC 2022 on sn-devel-184
- - - - -
318eb65c by Douglas Bagnall at 2022-09-19T06:10:36+00:00
py/dbchecker: dbcheck prints bits of colour if asked
Prefixes like ERROR, WARNING, and INFO are given interpretive colours.
This won't change anything until samba-tool decides to ask for colour,
which, who knows, might even be in the next commit.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2b039eb8 by Douglas Bagnall at 2022-09-19T06:10:36+00:00
samba-tool dbcheck: use colour if wanted
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d71258b4 by Douglas Bagnall at 2022-09-19T06:10:36+00:00
dbcheck: do not crash on empty DN
we had
$ bin/samba-tool dbcheck -H st/rpc_proxy/private/sam.ldb
Checking 202 objects
ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
File "/home/douglasb/src/samba/bin/python/samba/netcmd/__init__.py", line 230, in _run
return self.run(*args, **kwargs)
File "/home/douglasb/src/samba/bin/python/samba/netcmd/dbcheck.py", line 173, in run
error_count = chk.check_database(DN=DN, scope=search_scope,
File "/home/douglasb/src/samba/bin/python/samba/dbchecker.py", line 255, in check_database
error_count += self.check_object(object.dn, requested_attrs=attrs)
File "/home/douglasb/src/samba/bin/python/samba/dbchecker.py", line 2616, in check_object
expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Now we have:
$ bin/samba-tool dbcheck -H st/rpc_proxy/private/sam.ldb
Checking 202 objects
ERROR: could not handle parent DN '': skipping RDN checks
Please use --fix to fix these errors
Checked 202 objects (1 errors)
which is still not really right, since --fix won't help.
(same with st/s4member/private/sam.ldb).
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
10bcf2bb by Douglas Bagnall at 2022-09-19T06:10:36+00:00
dbcheck: don't recommend --fix for errors we can't fix
and/or won't fix.
I think there are others that should be here.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
98c7af03 by Douglas Bagnall at 2022-09-19T06:10:36+00:00
py/dbcheck: improve 'please --fix' message
The dbcheck module is used in places other than samba-tool (backup,
provision) where the old 'use --fix' message made no sense. Also,
now that we're not necessarily claiming to fix all errors, we say
how many we think we can.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dad0c9a5 by Douglas Bagnall at 2022-09-19T06:10:36+00:00
docs/man/samba-tool explain --color
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
063976fc by Douglas Bagnall at 2022-09-19T07:14:31+00:00
WHATSNEW: samba-tool: fewer tracebacks, more colour
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 19 07:14:31 UTC 2022 on sn-devel-184
- - - - -
68d20326 by Volker Lendecke at 2022-09-19T17:23:31+00:00
libsmb: Use tevent_req_nterror()'s retval
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e4d8dc79 by Volker Lendecke at 2022-09-19T17:23:31+00:00
vfs: Avoid a talloc in vfswrap_parent_pathname()
We copy smb_fname_in->base_name just to overwrite it again
immediately. Expand synthetic_smb_fname() here.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3b344f50 by Volker Lendecke at 2022-09-19T17:23:31+00:00
vfs: Simplify vfswrap_parent_pathname()
We don't really need a talloc_stackframe() here
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cb6d2a91 by Volker Lendecke at 2022-09-19T17:23:31+00:00
registry3: Remove some unused functions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f41c7ea8 by Volker Lendecke at 2022-09-19T17:23:31+00:00
registry3: Move registry_value_cmp() to its only user
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
724dcb14 by Volker Lendecke at 2022-09-19T17:23:31+00:00
source3: A few whitespace fixes
review with git sh -w
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
26bfffc6 by Volker Lendecke at 2022-09-19T17:23:31+00:00
shadow_copy2: Avoid a few ZERO_STRUCT()s
Give the compiler more hints what's going on
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9d5f4563 by Volker Lendecke at 2022-09-19T17:23:31+00:00
shadow_copy2: Don't implicitly return memory off talloc_tos()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
46f4d645 by Volker Lendecke at 2022-09-19T17:23:31+00:00
smbd: Use PATH_MAX as symlink target buffer
We use that instead of the arbitrary 4k in open.c as well
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b7359c52 by Volker Lendecke at 2022-09-19T17:23:31+00:00
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e343d24d by Volker Lendecke at 2022-09-19T17:23:31+00:00
streams_xattr: Avoid a talloc_strdup
We can print a short string with %.*s, no talloc_strdup()
and *stype='\0' required.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f0108015 by Volker Lendecke at 2022-09-19T17:23:31+00:00
vfs: Simplify xattr_tdb_mkdirat()
We have the dirfsp and the relative name. And with fstatat we don't
need the full pathname anymore.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bfe07fda by Volker Lendecke at 2022-09-19T17:23:31+00:00
lib: Move extract_snapshot_token() to util_path.c
Make it available to replace clistr_is_previous_version_path() in
libsmb/
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6a3da608 by Volker Lendecke at 2022-09-19T17:23:31+00:00
lib: Add separator argument to find_snapshot_token()
We'll use the logic for \ based strings next
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
36c5f31d by Volker Lendecke at 2022-09-19T18:21:56+00:00
libsmb: Use find_snapshot_token() for clistr_is_previous_version_path()
Dedup that string parsing logic
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 19 18:21:56 UTC 2022 on sn-devel-184
- - - - -
7014475f by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:torture: fix strict aliasing warnings in cmd_vfs.c
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fb2776f7 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:locking: remove unused NO_LOCKING_COUNT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
50188fb4 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:locking: let reset_share_mode_entry() report errors to the caller
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15166
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9b815ab6 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:smbd: let lease_match() call TALLOC_FREE(lck); on error
We ignore the error from share_mode_forall_leases(), but
we still need to cleanup the share_mode_lock we are holding...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3ef56747 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:g_lock: fix error handling in g_lock_watch_data_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15167
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
170a4812 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:smbd: let smbXsrv_{session,tcon,open}_global.tdb use TDB_VOLATILE
This avoids using fcntl() locks for dbwrap_delete()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bd088b46 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:open_files.idl: add share_mode_entry_op_type
This makes it easier to read log files...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d8de42c1 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:locking: log all locking_tdb_data_{get,fetch}() errors at level 0
These should never fail without notice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c61a375f by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:locking: log all g_lock_writev_data() errors at level 0
These should never fail without notice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3e577508 by Stefan Metzmacher at 2022-09-20T00:34:34+00:00
s3:locking: let fsp_update_share_mode_flags() log all errors at level 0
These should never fail without notice, share_mode_do_locked() should
never fail with NT_STATUS_NOT_FOUND for an existing fsp.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e12c3b56 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: log g_lock_locks() error at level 0
These should never fail without notice...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b19e5063 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: log add locking_tdb_data_store() errors at level 0
These should never fail without notice...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dd4a94ec by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: log g_lock_dump() error in locking_tdb_data_fetch() at level 0
This should never fail without notice...
Note we already checked for NT_STATUS_NOT_FOUND before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f0e0c0af by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let set_delete_on_close_lck() log errors and panic
Most of the calls in set_delete_on_close_lck() are checked with
asserts, so do panic in all situation where things go wrong in an
unexpected way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ca2dce31 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let share_mode_forall_leases() log all errors at level 0
These should never fail without notice...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
96fe4239 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: log all share_mode_forall_entries() errors at level 0
These should never fail without notice...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e1d1b340 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: change some debug messages to level unless we got NT_STATUS_NOT_FOUND
NT_STATUS_NOT_FOUND is not a real error in most cases so we should keep
it on level 10, but all other errors should never be without notice...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5bba79d6 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: introduce share_mode_data->not_stored
share_mode_data->fresh was very similar, but only set
and never used.
Now we remember 'not_stored' instead, the 'not_' is easier
as ndr_pull sets [skip] elements to 0.
We use this as indication to move the value to
memcache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
703a4ff5 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: split out share_mode_data_ltdb_store()
This will allow us to use it in other places too
and we'll avoid to storing multiple times.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
db78fe13 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let share_mode_forall_entries() call TALLOC_FREE(ltdb)
We should free ltdb as soon as possible...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f4e0a6fe by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: replace locking_tdb_data_store() with share_mode_data_ltdb_store()
This means we flush share_mode_data at the same time...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
65715e34 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: move fsp_update_share_mode_flags* related functions further down
It will soon need to use 'struct locking_tdb_data'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6ab4457b by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: just use g_lock_dump() for fsp_update_share_mode_flags()
We don't need to protect this with g_lock_lock/g_lock_unlock
as we just want the current flags, we're still protected by the
dbwrap layer lock.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e7cf1b07 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: move locking related vfs functions to smbd/vfs.c
This allows us to make VFS_FIND local to smbd/vfs.c in the
next step.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
641bfc59 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: move VFS_FIND() to smbd/vfs.c
It's only used there...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f2fdeb17 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: add helpers to deny vfs calls in some sections
Code denying vfs calls can do:
{
struct smb_vfs_deny_state vfs_deny = {};
smb_vfs_deny_push(&vfs_deny);
VFS calls are not allowed here...
smb_vfs_deny_pop(&vfs_deny);
}
This will allow us to safely run some code under a
tdb chainlock later...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
aa7df0fb by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: add smb_vfs_assert_allowed() to kernel oplock code
Kernel oplocks can block in the same way vfs operations can do.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f971a4ae by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add share_mode_do_locked_vfs_{denied,allowed}()
These function will add an abstraction to protect
a function that is not allowed to call vfs functions
or allow vfs functions to be called.
Currently these are implemented similar,
but we'll optimize them in the next commits.
The idea is that share_mode_do_locked_vfs_denied()
will be able to run fast enough in order to run
under a tdb chainlock (just a pthread mutex).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7c6113de by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: protect smbd_do_unlocking() with share_mode_do_locked_vfs_allowed()
share_mode_do_locked() will be make static soon.
Here we just want to avoid concurrent access to brlock.tdb
in order to maintain the lock order, we're not interested in the
locking.tdb content at all, expect that there's at least one
entry and we want to wake potential watchers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0d5a9603 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: protect do_lock() with share_mode_do_locked_vfs_allowed()
share_mode_do_locked() will be make static soon.
Here we just want to avoid concurrent access to brlock.tdb
in order to maintain the lock order, we're not interested in the
locking.tdb content at all, expect that there's at least one
entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7e2ec6ee by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make share_mode_do_locked() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b508c5a0 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let share_mode_wakeup_waiters() use share_mode_do_locked_vfs_denied()
This allows us get rid of the otherwise unused share_mode_do_locked().
It means we only have one code path that handles the g_lock handling.
This looks like a performance degradation, but all callers of
share_mode_wakeup_waiters() already took the share_mode_lock,
so we only increment the refcount. Note the additional
talloc(mem_ctx, struct share_mode_lock) will be optimized away
in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b6789ff1 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add share_mode_lock_access_private_data()
In future we should avoid dereference 'struct share_mode_lock'
as much as possible.
This will also allow us to load struct share_mode_data
only if required in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4d697278 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let rename_share_filename_state maintain a struct share_mode_data pointer
We only need to access lck->data once...
This will simplify further changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
357adc2f by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_lock_access_private_data() in rename_share_filename()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d42bb5d8 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add share_mode_lock_file_id()
This will simplify some (mostly debug) code soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
45253acc by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let remove_lease_if_stale() use share_mode_lock_file_id()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7d982e85 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let reset_delete_on_close_lck() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2e7ccb72 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let set_delete_on_close_lck() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c5334b0d by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let get_delete_on_close_token() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ee78d948 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let is_delete_on_close_set() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e018c634 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let set_sticky_write_time() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
db0e6732 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let set_write_time() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
faf9388e by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let get_share_mode_write_time() use share_mode_lock_access_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
557323ca by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add and use share_mode_lock_assert_private_data()
We should avoid dereference 'struct share_mode_lock' as much as possible.
In some places we just rely on share_mode_lock_access_private_data()
to work, if needed the caller should already check it's result...
Note that share_mode_lock_assert_private_data() can't fail up to
now, but we want to change that in future and only load it on
demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
eef0c8e2 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_lock_file_id() in share_mode_watch_send()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f63b9b53 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_lock_access_private_data() in share_mode_forall_entries()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e6ef5474 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: pass struct share_mode_data to share_mode_entry_do()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
06e2aa3c by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_lock_access_private_data() in reset_share_mode_entry()
We should avoid dereference 'struct share_mode_lock' as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8979311c by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make 'struct share_mode_lock' private to share_mode_lock.c
There are no callers left dereferencing it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
47f1d936 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: move get_existing_share_mode_lock() into setup_poll_open()
This will simplify the next steps...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c5c7a377 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: let setup_poll_open() use share_mode_do_locked_vfs_denied()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
432272a7 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add share_mode_set_{changed,old}_write_time() helpers
These will be used in future to call them unter an existing share mode
lock...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bb7d7656 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of new share_mode_set_{changed,old}_write_time() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c8458f23 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let set_delete_on_close() use share_mode_do_locked_vfs_denied()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
42f96d29 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: let lease_match() use share_mode_do_locked_vfs_denied()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1198e8c0 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_do_locked_vfs_denied() in file_has_open_streams()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2474b063 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_do_locked_vfs_denied() in set_write_time()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b9edf3c6 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: make use of share_mode_do_locked_vfs_denied() in set_sticky_write_time()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1288989f by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: let update_write_time_on_close() use share_mode_{old,changed}_write_time()
We're already holding a share_mode_lock, so we can use it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b80bc630 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: let update_write_time_on_close() use share_mode_do_locked_vfs_denied()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0fbd1254 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smb2_trans2: make use of share_mode_do_locked_vfs_allowed() in smb_posix_unlink()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ca9014d0 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: move from uint8_t share_mode_lock_key_data[] to struct file_id
This will allow us to have better debug messages and will also make
further changes easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0b94695e by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: remove static_share_mode_data_refcount
The effective value of share_mode_lock_key_refcount
is 'share_mode_lock_key_refcount + static_share_mode_data_refcount',
which is quite confusing.
This complexity is not needed and we can just use
share_mode_lock_key_refcount.
This will also simplify further changes.
Review with: git show -U15 -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
977498d3 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: split out get_share_mode_lock_internal()
This detaches the logic from the talloc(mem_ctx, struct share_mode_lock).
In future we will have cases where we use a stack variable instead,
which will be much cheaper.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a2f6f96a by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: split out put_share_mode_lock_internal()
This pairs with get_share_mode_lock_internal() and will allow us
to use a struct share_mode_lock stack variable in future,
which will be much cheaper.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d7f42946 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: let _share_mode_do_locked_vfs_* use get/put_share_mode_lock_internal
This avoids calling talloc(mem_ctx, struct share_mode_lock)
and uses stack variables instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c1ec8310 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:dbwrap_watch: let dbwrap_watched_watch_skip_alerting() also clear the selected watcher
If a watcher was already selected for a wakeup notification reset it...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3829acc4 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:dbwrap_watch: add dbwrap_watched_watch_reset_alerting() helper
This can be used if the decision of using dbwrap_watched_watch_skip_alerting()
needs to be reverted...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6f2ce1fd by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:dbwrap_watch: add dbwrap_watched_watch_force_alerting()
This is useful when we want to wakeup the next watcher
without modifying the record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3c26ee84 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
lib/dbwrap: allow dbwrap_merge_dbufs() to update an existing buffer
This will be useful in future...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3a517413 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: reorder the logic in g_lock_lock_simple_fn()
First we fully check if we'll get the lock
and then store the lock.
This is not change in behavior, but it will simplify further changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a75194d4 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add g_lock_lock_cb_state infrastructure
This prepares some helper functions in order to
allow callers of g_lock_lock() to pass in a callback function
that will run under the tdb chainlock when G_LOCK_WRITE was granted.
The idea is that the callers callback function would only be allowed
to run these new helper functions, while all key based function are
not to be allowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d19fa657 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add g_lock_ctx->busy and assert it to false
This prepares some helper functions in order to
allow callers of g_lock_lock() to pass in a callback function
that will run under the tdb chainlock when G_LOCK_WRITE was granted.
The idea is that the callers callback function would run with
g_lock_ctx->busy == true and all key based function are not be allowed
during the execution of the callback function. Only the
g_lock_lock_cb_state based helper function are allowed to be used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7cac6eb5 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: remove redundant code in g_lock_trylock()
g_lock_cleanup_shared() handles lck.num_shared == 0 just fine...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6bda6891 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: reorder the logic in g_lock_trylock()
We now have only one code path that stores the fully
granted lock.
This is not change in behavior, but it will simplify further
changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
63291ea5 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add callback function to g_lock_trylock()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
01c629a4 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add callback function to g_lock_lock_simple_fn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
37c9600f by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add callback function to g_lock_lock_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
17e496c6 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:g_lock: add callback function to g_lock_lock()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b971a21a by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add current_share_mode_glck helper functions
We'll soon make use of callback functions passed to g_lock_lock(),
during these callback function we'll only be allowed to
call 'g_lock_lock_cb_state' based functions.
Given that nesting of share_mode call, we need to
make it transparent to the callers and the detail
that we optimize using g_lock_lock() callbacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cba16925 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: optimize share_mode_do_locked_vfs_denied() with g_lock_lock callback
It means that in callers function will run under a single tdb chainlock,
which means callers from the outside will never see the record being
locked at g_lock level, as the g_lock is only held in memory.
within the single tdb chainlock. As a result we'll very unlikely hit
the case where we need to wait for a g_lock using the dbwrap_watch
logic.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
775dc007 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:locking: add share_mode_entry_prepare_{lock,unlock}() infrastructure
When adding or deleting share mode entries elements, we typically
have a pattern like this:
1. get the g_lock via get_[existing_]share_mode_lock()
2. do some checking of the existing record
3. add/delete a share_mode_entry to the record
4. do some vfs operations still protected by the g_lock
5. (optional) cleanup of the record on failure
6. release the g_lock
We can optimize this to:
- Run 1-3. under a tdb chainlock
- Only protect vfs operations with the g_lock
if a new file was created/will be deleted
- Regrab the g_lock for a cleanup.
The new share_mode_entry_prepare_lock()
allows the caller to run a function within a tdb chainlock
similar to share_mode_do_locked_vfs_denied() where vfs calls are denied
and the execution is done within a tdb chainlock.
But the callback function is allowed to decide if it wants to
keep the lock at the g_lock layer on return.
The decision is kept in struct share_mode_entry_prepare_state,
which is then passed to share_mode_entry_prepare_unlock()
with an optional callback to do some cleanup under the
still existing g_lock or a regrabed g_lock.
In the ideal case the callback function passed to
share_mode_entry_prepare_lock() is able to decide that
it can drop the g_lock and the share_mode_entry_prepare_unlock().
gets a NULL callback as there's nothing to cleanup.
In this case share_mode_entry_prepare_unlock() is a noop.
This will allow us to avoid fallbacks to the dbwrap_watch based
waiting for the g_lock in the SMB2 Create and Close code paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
150308d1 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: add more detailed debugging to delay_for_oplock()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0796c5de by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: move grant_fsp_lease()/set_file_oplock() out of delay_for_oplocks()
It means delay_for_oplocks() is no longer asking for kernel oplocks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
aae504cd by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: move grant_fsp_lease()/set_file_oplock() out of handle_share_mode_lease()
The aim is to call set_file_oplock() after set_share_mode(), so that we
only ask for kernel oplocks after set_share_mode().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4d06aa15 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: call grant_fsp_lease() after set_share_mode()
This means we don't have to call remove_lease_if_stale() if
set_share_mode() fails. It's easier to cleanup the share mode entry.
And it makes the code flow easier to the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0bfdae92 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: call set_file_oplock() after set_share_mode()
The important part is the call to get a kernel oplock is deferred
until after set_share_mode(). The goal is to get the code
between get_share_mode_lock() and set_share_mode() free of any
blocking operation.
As we were optimistic to get the oplock that was asked for,
we need to remove_share_oplock() in order to set NO_OPLOCK
also in the share_mode entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0a8619c8 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: prepare delay_for_oplock() for directories
We don't support directory leases yet, so it should be
an noop for now.
The point is that we want to call
delay_for_oplock(oplock_request=NO_OPLOCK)
for directories soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9e619f53 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: also call handle_share_mode_lease for directories
It means we call open_mode_check() now only via handle_share_mode_lease()
and the fact that we never grant any directory leases (yet), means
that delay_for_oplocks() avoids the share_mode_forall_entries() loop.
This is a way into supporting directory leases, but that's not
the point for this commit, the point is that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
26669613 by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: split out check_and_store_share_mode()
This shows that the code in open_file_ntcreate() and
open_directory() is basically the same now, which
simplifies things a lot.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a4dd4d5f by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: maintain all SHARE_MODE_LEASE_* flags not only _READ
Remember SMB2 Create is the only was to upgrade a lease.
The strategy is that opening of a file will always result
in storing the total lease bits.
But we're lazy clearing the flags on close.
We'll only clear them by traversing all entries when
we break a NONE or when opening a new handle.
We don't do any decision on SHARE_MODE_LEASE_{HANDLE,WRITE},
maybe we'll do in future, but at least it should be much more
sane for debugging now!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
387f126d by Stefan Metzmacher at 2022-09-20T00:34:35+00:00
s3:smbd: remove static from release_file_oplock()
It will be used in close.c in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
095da847 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: let close_directory() hold the lock during delete_all_streams/rmdir_internals
Now that we're using g_lock, it doesn't mean we're holding a tdb
chainlock.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ce868b09 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: improve !delete_file logic in close_remove_share_mode()
This makes it much easier to understand the logic (at least for me).
It will make the following changes easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dab7df93 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: let close_directory() use the same delete_dir logic as close_remove_share_mode()
This will make further changes simpler.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b0082076 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: remove one indentation level in close_directory()
We now use a goto done in order to skip the deletion part.
This means the code flow is now almost idential compared to
close_remove_share_mode().
It prepares to split common code to be shared by
close_remove_share_mode() and close_directory().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ac811f6f by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: let close_directory() only change the user if needed
The logic is now similar to close_remove_share_mode().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0f02f68f by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: avoid remove_oplock() in close_remove_share_mode()
This inlines remove_oplock() into close_remove_share_mode() and
calls remove_share_oplock() and release_file_oplock() directly.
The idea is that we'll soon call remove_share_oplock()
under a tdb chainlock, while release_file_oplock() needs to be called outside.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f9ea7839 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: split out some generic code from close_remove_share_mode()
close_share_mode_lock_prepare() will operates on share_mode_lock
in order to check if the object needs to be deleted or if
we can remove the share_mode_entry directly.
close_share_mode_lock_cleanup() will finish after the object
has been deleted.
We can reuse these function in close_directory() soon and
in the end we'll avoid get_existing_share_mode_lock()
and call them via share_mode_entry_prepare_{lock,unlock}(),
so that they can run under a tdb chainlock.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d04b6e9d by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: make use of close_share_mode_lock_{prepare,cleanup}() in close_directory()
It's good to have this in common as close_remove_share_mode()
and in the end we'll avoid get_existing_share_mode_lock()
and call them via share_mode_entry_prepare_{lock,unlock}(),
so that they can run under a tdb chainlock.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1ae7e47a by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: make use of share_mode_entry_prepare_{lock_del,unlock}() in close_{remove_share_mode,directory}()
This gives a nice speed up...
The following test with 256 commections all looping with open/close
on the same inode (share root) is improved drastically:
smbtorture //127.0.0.1/m -Uroot%test smb2.bench.path-contention-shared \
--option='torture:bench_path=' \
--option="torture:timelimit=60" \
--option="torture:nprocs=256" \
--option="torture:qdepth=1"
>From some like this:
open[num/s=11536,avslat=0.011450,minlat=0.000039,maxlat=0.052707]
close[num/s=11534,avslat=0.010878,minlat=0.000022,maxlat=0.052342]
to:
open[num/s=13225,avslat=0.010504,minlat=0.000042,maxlat=0.054023]
close[num/s=13223,avslat=0.008971,minlat=0.000022,maxlat=0.053838]
But this is only half of the solution, the next commits will
add a similar optimization to the open code, at the end we'll
perform like we did in Samba 4.12:
open[num/s=37680,avslat=0.003471,minlat=0.000040,maxlat=0.061411]
close[num/s=37678,avslat=0.003440,minlat=0.000022,maxlat=0.051536]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
12f6c129 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: let open_file_ntcreate() calculate info = FILE_WAS_* before get_share_mode_lock()
This will simplify further changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
680c7907 by Stefan Metzmacher at 2022-09-20T00:34:36+00:00
s3:smbd: make use of share_mode_entry_prepare_{lock_add,unlock}() in open_{file_ntcreate,directory}()
This gives a nice speed up...
The following test with 256 commections all looping with open/close
on the same inode (share root) is improved drastically:
smbtorture //127.0.0.1/m -Uroot%test smb2.bench.path-contention-shared \
--option='torture:bench_path=' \
--option="torture:timelimit=60" \
--option="torture:nprocs=256" \
--option="torture:qdepth=1"
>From something like this:
open[num/s=11536,avslat=0.011450,minlat=0.000039,maxlat=0.052707]
close[num/s=11534,avslat=0.010878,minlat=0.000022,maxlat=0.052342]
(only this commit with the close part reverted) to:
open[num/s=12722,avslat=0.009548,minlat=0.000051,maxlat=0.054338]
close[num/s=12720,avslat=0.010701,minlat=0.000033,maxlat=0.054372]
(with both patches) to:
open[num/s=37680,avslat=0.003471,minlat=0.000040,maxlat=0.061411]
close[num/s=37678,avslat=0.003440,minlat=0.000022,maxlat=0.051536]
So we are finally perform similar like we did in Samba 4.12,
which resulted in:
open[num/s=36846,avslat=0.003574,minlat=0.000043,maxlat=0.020378]
close[num/s=36844,avslat=0.003552,minlat=0.000026,maxlat=0.020321]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3b6255b5 by Stefan Metzmacher at 2022-09-20T01:34:55+00:00
s3:locking: remove unused get_share_mode_lock()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 20 01:34:55 UTC 2022 on sn-devel-184
- - - - -
a83e9ca6 by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-build: Use pcap-config when available
The build currently fails on AIX, which can't find the pcap headers
because they're installed in a non-standard place. However, there is
a pcap-config script available.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
d1543d5c by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-build: Add --enable-pcap configure option
This forces the use pcap for packet capture on Linux.
It appears that using a raw socket for capture does not work with
infiniband - pcap support for that to come.
Don't (yet?) change the default capture method to pcap. On some
platforms (e.g. my personal Intel NUC, running Debian testing), pcap
is much less reliable than the raw socket. However, pcap seems fine
on most other platforms.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
c522f4f6 by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Move a misplaced comment
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
ad445abe by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Do not use raw socket when ENABLE_PCAP is defined
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
8b54587b by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Fix a warning in the pcap code
[173/416] Compiling ctdb/common/system_socket.c
../../common/system_socket.c: In function ‘ctdb_sys_read_tcp_packet’:
../../common/system_socket.c:1016:15: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
1016 | eth = (struct ether_header *)buffer;
| ^
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
40380a80 by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Stop a pcap-related crash on error
errbuf can't be NULL. Might as well use it.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
075414dc by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Use pcap_get_selectable_fd()
This is preferred because it will fail for devices that do not support
epoll_wait() and similar.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
33a80c1d by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Improve/add debug
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
5dd964aa by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-tools: Improve/add debug
In particular, knowing the reason fetching the packet fails can help
with debugging unsupported protocols in the pcap code.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
3bf20300 by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Add packet type detection to pcap-based capture
The current code will almost certainly generate ENOMSG for
non-ethernet packets, even for ethernet packets when the "any"
interface is used.
pcap_datalink(3PCAP) says:
Do NOT assume that the packets for a given capture or ``savefile``
will have any given link-layer header type, such as DLT_EN10MB for
Ethernet. For example, the "any" device on Linux will have a
link-layer header type of DLT_LINUX_SLL or DLT_LINUX_SLL2 even if
all devices on the sys‐ tem at the time the "any" device is opened
have some other data link type, such as DLT_EN10MB for Ethernet.
So, pcap_datalink() must be used.
Detect pcap packet types that are supported (currently only ethernet)
in the open code. There is no use continuing if the read code can't
parse packets. The pattern of using switch statements supports future
addition of other packet types.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
e5541a7e by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Support "any" interface for pcap-based capture
This uses Linux cooked capture link-layer headers. See:
https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
The header type needs to be checked to ensure the protocol
type (i.e. ether type, for the protocols we might be interested in) is
meaningful. The size of the header needs to be known so it can be
skipped, allowing the IP header to be found and parsed.
It would be possible to define support for DLT_LINUX_SLL2 if it is
missing. However, if a platform is missing support in the header file
then it is almost certainly missing in the run-time library too.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
9f7d69a0 by Martin Schwenke at 2022-09-20T10:43:37+00:00
ctdb-common: Support IB in pcap-based capture
Add simple support for IPoIB via DLT_LINUX_SLL and DLT_LINUX_SLL2.
This seems to work, even when an IB interface is specified.
If this is later found to be insufficient, support for DLT_IPOIB can
be implemented. See https://www.tcpdump.org/linktypes.html for a
starting point.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
- - - - -
d9dda4b7 by Martin Schwenke at 2022-09-20T11:42:16+00:00
ctdb-scripts: Add debugging variable CTDB_KILLTCP_DEBUGLEVEL
To debug ctdb_killtcp failures, add
CTDB_KILLTCP_DEBUGLEVEL=DEBUG
to script.options.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue Sep 20 11:42:16 UTC 2022 on sn-devel-184
- - - - -
f6b391e0 by Volker Lendecke at 2022-09-23T06:50:17+00:00
vfs_gpfs: Protect against timestamps before the Unix epoch
In addition to b954d181cd2 we should also protect against timestamps
before the epoch.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Sep 23 06:50:17 UTC 2022 on sn-devel-184
- - - - -
b600b0c8 by Jeremy Allison at 2022-09-23T09:51:20+00:00
s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
The function smbd_server_connection_terminate_done() does not free subreq
which is allocated in smbXsrv_connection_shutdown_send, this can be a
memory leakage if multi-channel is enabled.
Suggested fix by haihua yang <hhyangdev at gmail.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15174
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Sep 23 09:51:20 UTC 2022 on sn-devel-184
- - - - -
7efe673f by Christian Merten at 2022-09-27T16:46:35+00:00
libcli security_descriptor: Add function to delete a given ace from a security descriptor
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1a9aac53 by Christian Merten at 2022-09-27T16:46:35+00:00
libcli security_descriptor: Compare object type and inherited object type when comparing ACEs
Fixed security_ace_equal returning true, despite differing object type, by checking (inherited) object type
of both ACEs is equal.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6501e4f0 by Christian Merten at 2022-09-27T16:46:35+00:00
libcli security/sddl: Make sddl_encode_ace visible
Removed static flag from sddl_encode_ace and added to headers.
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Christian Merten <christian at merten.dev>
- - - - -
84a54d2f by Christian Merten at 2022-09-27T16:46:35+00:00
librpc ndr/py_security: Export ACE deletion functions to python
Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
security descriptor class to python.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b0f494c1 by Christian Merten at 2022-09-27T16:46:35+00:00
librpc ndr/py_security: Export security_ace_equal as richcmp to python
Patched security_ace with a richcmp function given by
security_ace_equal.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
80cf4c86 by Christian Merten at 2022-09-27T16:46:35+00:00
librpc ndr/py_security: Export sddl_encode_ace to python
Added sddl_encode_ace as new method as_sddl to security_ace class in python.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1bd08133 by Christian Merten at 2022-09-27T16:46:35+00:00
samba-tool dsacl: Add subcommand to delete ACEs
A new subcommand has been added to samba-tool dsacl to delete one or multiple ACEs from the security
descriptor of an object.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
492d3316 by Christian Merten at 2022-09-27T16:46:35+00:00
samba-tool dsacl: Add unit tests for delete subcommand
Two unit tests for the new samba-tool dsacl delete command have been added.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c9902b05 by Christian Merten at 2022-09-27T16:46:35+00:00
samba-tool dsacl: Create helper functions to remove code duplication
Make multiple methods of dsacl command classes separate helper functions to avoid code duplication.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dff58819 by Christian Merten at 2022-09-27T16:46:35+00:00
samba-tool dsacl: Create common superclass for dsacl commands
Created a base class for dsacl commands providing print_acl and some fixed command line options to
reduce code duplication.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
42b88992 by Christian Merten at 2022-09-27T16:46:35+00:00
samba-tool dsacl: Add get and delete subcommand to samba-tool dsacl man section
Added get and delete subcommands to the man section of samba-tool dsacl.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
50eb747c by Christian Merten at 2022-09-27T16:46:35+00:00
python security: Add unit tests for comparing ACEs and exporting as SDDL
Added two unit tests for the python functions to compare ACEs and to
export an ACE as SDDL.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d89400b6 by Christian Merten at 2022-09-27T17:46:22+00:00
samba-tool dsacl: Add additional unit test for delete subcommand
Added one more unit test to the delete subcommand. This test adds
two ACEs, deletes one of them and checks if the right one was deleted
and the other one stayed the same.
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 27 17:46:22 UTC 2022 on sn-devel-184
- - - - -
f3dc1a42 by Jeremy Allison at 2022-09-28T18:36:35+00:00
s3: torture: Fix test SMB2-DFS-PATHS to pass against Windows server 2022.
There is only one difference between Windows 2022 and Windows 2008.
Opening an empty ("") DFS path succeeds in opening the share
root on Windows 2008 but fails with NT_STATUS_INVALID_PARAMETER
on Windows 2022. Allow the test to cope with both.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
- - - - -
318da783 by Jeremy Allison at 2022-09-28T19:34:29+00:00
s3: smbtorture3: Add new SMB2-DFS-SHARE-NON-DFS-PATH test.
Uses non-DFS names and DFS-names against a DFS share, shows that Windows
looks correctly at the DFS flag when SMB2 requests are
made on a DFS share. Passes against Windows 2022.
Mark as knownfail for smbd.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed Sep 28 19:34:29 UTC 2022 on sn-devel-184
- - - - -
d257c760 by Volker Lendecke at 2022-10-03T20:03:32+00:00
vfs: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4b3bfbaf by Volker Lendecke at 2022-10-03T20:03:32+00:00
torture3: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
25bb94e0 by Volker Lendecke at 2022-10-03T20:03:32+00:00
python: whitespace fixes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
36bd73e8 by Volker Lendecke at 2022-10-03T20:03:32+00:00
smbXcli: Align smb2cli_req_create() with tevent_req conventions
We don't return NULL if tevent_req_create() succeeded, and elsewhere
in this function we already pass tevent_req_nterror or
tevent_req_nomem (via set_endtime).
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4388ba47 by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Centralize the SMB2 protocol check
Instead of checking protocol correctness in every highlevel routine,
we should rely on the lowerlevel one in smbXcli_base.c to give the
INVALID_PARAMETER error return when running on SMB1
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
50b13868 by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Add cli_smb2_fsctl_send/recv
Slightly refactor the symlink operations later based on this
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dccc060b by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Add cli_fsctl_send/recv
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
aaacbd0f by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Convert cli_readlink() to cli_fsctl_send/recv
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
091ce9c5 by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Remove unused cli_smb2_get_reparse_point_fnum_send/recv
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3d2d066c by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Convert cli_symlink to cli_fsctl
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f471b2c7 by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Remove unused cli_smb2_set_reparse_point_fnum_send/recv
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3804161d by Volker Lendecke at 2022-10-03T20:03:32+00:00
libsmb: Fix the smbclient readlink command
We use cli_smb2_qpathinfo_basic() for cli_resolve_path() before
calling cli_readlink(). This fails as it never tries with
FILE_OPEN_REPARSE_POINT, so we never get to the point where we
actually can issue the FSCTL_GET_REPARSE_POINT.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a91fa70a by Joseph Sutton at 2022-10-03T21:05:31+00:00
tevent: Fix flag clearing
We presumably meant to clear this bit, rather than clearing all bits
other than it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Oct 3 21:05:31 UTC 2022 on sn-devel-184
- - - - -
62b42624 by Andrew Bartlett at 2022-10-04T02:48:37+00:00
selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
The chgdcpass environment will emulate older verions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fails to support DRSUAPI_DRS_GET_TGT.
This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
7ff743d6 by Andrew Bartlett at 2022-10-04T02:48:37+00:00
selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
314bc44f by Andrew Bartlett at 2022-10-04T02:48:37+00:00
s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
This emulates older verions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.
This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
b0bbc94d by Andrew Bartlett at 2022-10-04T02:48:37+00:00
selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
The chgdcpass server now emulates older verions of Samba that
fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.
We now show this is in effect by the fact that tests now fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
483c48f5 by Andrew Bartlett at 2022-10-04T02:48:37+00:00
s4-libnet: Add messages to object count mismatch failures
This helps explain these better than WERR_GEN_FAILURE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
bff2bc9c by Andrew Bartlett at 2022-10-04T02:48:37+00:00
python-drs: Add client-side debug and fallback for GET_ANC
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
6a5d03e2 by Nikola Radovanovic at 2022-10-04T02:48:37+00:00
samba-tool: Use authentication file to pass credentials
In order not to pass credentials in clear-text directly over command line, this is a patch to store username/password/domain in a file and use it during domain join for example.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15031
Signed-off-by: Nikola Radovanovic <radovanovic.extern at univention.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
37406b9d by Douglas Bagnall at 2022-10-04T03:48:43+00:00
CVE-2007-4559 python: ensure sanity in our tarfiles
Python's tarfile module is not very careful about paths that step out
of the target directory. We can be a bit better at little cost.
This was reported in 2007[1], and has recently been publicised [2, for
example].
We were informed of this bug in December 2021 by Luis Alberto López
Alvar, but decided then that there were no circumstances under which
this was a security concern. That is, if you can alter the backup
files, you can already do worse things. But there is a case to guard
against an administrator being tricked into trying to restore a file
that isn't based on a real backup.
[1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559
[2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 4 03:48:43 UTC 2022 on sn-devel-184
- - - - -
ab7b1642 by Joseph Sutton at 2022-10-05T04:23:32+00:00
selftest: Simplify krb5 test environments
We don't need the local configuration here.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8f3cbf30 by Joseph Sutton at 2022-10-05T04:23:32+00:00
pdb_samba_dsdb: Handle dsdb_search_one() errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0c19fca3 by Joseph Sutton at 2022-10-05T04:23:32+00:00
python/samba: Fix typos in error messages
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a68428a9 by Joseph Sutton at 2022-10-05T04:23:32+00:00
pyldb: Have functions operating on DNs raise LdbError
The return codes of these functions are not often checked. Throwing an
exception ensures we won't continue blindly on if DN manipulation fails.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
12677ff6 by Joseph Sutton at 2022-10-05T04:23:32+00:00
python: Handle LdbError thrown from functions operating on DNs
None of these functions can return False now. Instead we must catch the
LdbError if we want to perform further error handling.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0c784808 by Joseph Sutton at 2022-10-05T04:23:32+00:00
tests/krb5: Make use of client_opts for TGS-REQs
Previously we would ignore 'client_opts' and always use the same user
and machine accounts for TGS-REQs. Use 'client_opts' and add a new
'armor_opts' parameter for specifying options of the armoring account.
Furthermore, our test-specific ticket caching is no longer of use, for
get_tgt() and get_service_ticket() now implement ticket caching. Remove
it and eliminate the possibility of mistakenly using stale tickets.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ccbce565 by Joseph Sutton at 2022-10-05T04:23:32+00:00
tests/krb5: Add create_ccache_with_ticket()
This function returns a ccache containing a previously obtained ticket.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d2c5a297 by Joseph Sutton at 2022-10-05T04:23:32+00:00
s4-auth: Add missing newlines to log messages
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
01b6c87c by Joseph Sutton at 2022-10-05T04:23:32+00:00
lib:krb5_wrap: Use case-sensitive comparison against 'krbtgt'
This matches the other comparisons against krbtgt, kadmin, etc., which
are all case-sensitive.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c52f5ee8 by Joseph Sutton at 2022-10-05T04:23:32+00:00
lib:crypto: Change error return to SMB_ASSERT()
Getting an HMAC too long to fit our array is a programming error. It
should always be 64 bytes exactly.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
35206497 by Joseph Sutton at 2022-10-05T04:23:32+00:00
pyldb: Fix tests going unused
These tests are redeclared later and so are never used. Give them new
names so that they will be run again.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
90c371d6 by Joseph Sutton at 2022-10-05T04:23:32+00:00
pytest: samba-tool: Fix undefined escape sequence
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
de23fd66 by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Fix section links
These are not valid smbconfoptions, so we end up with dangling links.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e9f4528d by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Fix reference to obsolete 'lock spin count' parameter
We should not create a dangling link.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
728fabea by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Remove references to obsolete 'write cache size' parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
112e43fc by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Fix reference to 'read only' parameter
It should be 'read only', not 'read-only'.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2a26dd3a by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Fix reference to 'wide links' parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
534bc646 by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Fix references to 'encrypt passwords' parameter
It should be 'encrypt passwords', not 'encrypted passwords'.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ffdf0177 by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: 'security = auto' is now the default parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2344af97 by Joseph Sutton at 2022-10-05T04:23:32+00:00
docs-xml: Remove reference to invalid 'user' parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b346a369 by Joseph Sutton at 2022-10-05T04:23:33+00:00
docs-xml: Remove nested calls to translate()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
27a2ee0d by Joseph Sutton at 2022-10-05T04:23:33+00:00
dbcheck: Fix truncation of warning messages
We are stripping off one too many characters.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
84796220 by Joseph Sutton at 2022-10-05T04:23:33+00:00
lib:krb5_wrap: Add helper functions to make krb5_data structure
These will be used in following commits.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f86404b7 by Joseph Sutton at 2022-10-05T04:23:33+00:00
s4:kdc: Refactor samba_make_krb5_pac()
This function is longwinded and needlessly allocates intermediary
buffers. Simplify it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d4ce0a0e by Joseph Sutton at 2022-10-05T04:23:33+00:00
s4:kdc: Make use of smb_krb5_data_from_blob() helper function
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b32a3d71 by Joseph Sutton at 2022-10-05T04:23:33+00:00
s4:kdc: Don't copy data for empty PAC buffer
Heimdal's 'data->length > 0' assertion in krb5_pac_add_buffer() is gone
as of f33f73f82fb2d5d96928ce5910e2d0d939c2ff57, so we no longer need to
specify a non-zero length.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3ad0fa69 by Joseph Sutton at 2022-10-05T05:23:50+00:00
pyldb: Fix typos in function names
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Oct 5 05:23:50 UTC 2022 on sn-devel-184
- - - - -
9a8bc67f by Anoop C S at 2022-10-06T08:34:56+00:00
vfs_glusterfs: Remove special handling of O_CREAT flag
Special handling of O_CREAT flag in SMB_VFS_OPENAT code path was the
only option to ensure correctness due to a bug in libgfapi as detailed
in issue #3838[1] from GlusterFS upstream. This has been fixed recently
so that O_CREAT is handled correctly within glfs_openat() enbaling us to
remove the corresponding special case from vfs_gluster_openat().
[1] https://github.com/gluster/glusterfs/issues/3838
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct 6 08:34:56 UTC 2022 on sn-devel-184
- - - - -
688be017 by Volker Lendecke at 2022-10-06T15:10:20+00:00
ctdb: Fix a use-after-free in run_proc
If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:
==495196== Invalid read of size 8
==495196== at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196== by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196== by 0x4890F41: _talloc_free (talloc.c:1792)
==495196== by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196== by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196== by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196== by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196== by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196== by 0x4890F41: _talloc_free (talloc.c:1792)
==495196== by 0x10DE62: main (run_proc_test.c:86)
==495196== Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196== at 0x48399AB: free (vg_replace_malloc.c:538)
==495196== by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196== by 0x4890F41: _talloc_free (talloc.c:1792)
==495196== by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196== by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196== by 0x4890F41: _talloc_free (talloc.c:1792)
==495196== by 0x10DE62: main (run_proc_test.c:86)
==495196== Block was alloc'd at
==495196== at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196== by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196== by 0x488EC73: __talloc (talloc.c:825)
==495196== by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196== by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196== by 0x10C8F2: proc_new (run_proc.c:61)
==495196== by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196== by 0x10DDF6: main (run_proc_test.c:79)
This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().
This is an attempt at a quick fix, I believe we should convert
run_proc_context->plist into an array of tevent_req's, so that we can
properly TALLOC_FREE() according to the "natural" hierarchy and not
just pull an arbitrary thread out of that heap.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Oct 6 15:10:20 UTC 2022 on sn-devel-184
- - - - -
1b8a8732 by Jeremy Allison at 2022-10-06T22:03:35+00:00
s4: smbtorture: Add fsync_resource_fork test to fruit tests.
This shows we currently hang when sending an SMB2_OP_FLUSH on
an AFP_Resource fork.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
- - - - -
35c637f2 by Jeremy Allison at 2022-10-06T22:03:35+00:00
s3: VFS: fruit. Implement fsync_send()/fsync_recv().
For type == ADOUBLE_META, fio->fake_fd is true so
writes are already synchronous, just call tevent_req_post().
For type == ADOUBLE_RSRC we know we are configured
with FRUIT_RSRC_ADFILE (because fruit_must_handle_aio_stream()
returned true), so we can just call SMB_VFS_NEXT_FSYNC_SEND()
after replacing fsp with fio->ad_fsp.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
- - - - -
a7fba3ff by Ralph Boehme at 2022-10-06T22:03:35+00:00
vfs_fruit: add missing calls to tevent_req_received()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
- - - - -
0bf8d136 by Björn Jacke at 2022-10-06T23:04:51+00:00
docs-xml: some fixes to acl parameter documentation
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Oct 6 23:04:51 UTC 2022 on sn-devel-184
- - - - -
8cbd9e63 by Anoop C S at 2022-10-12T11:46:36+00:00
vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use dirfsp->fsp_name->base_name
for glfs_getxattr() and return the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6a6bd1a0 by Anoop C S at 2022-10-12T11:46:36+00:00
vfs_glusterfs: Do not use glfs_fgetxattr() for SMB_VFS_GET_REAL_FILENAME_AT
glfs_fgetxattr() or generally fgetxattr() will return EBADF as dirfsp
here is a pathref fsp. GlusterFS client log had following entries
indicating the error:
W [MSGID: 114031] [client-rpc-fops_v2.c:993:client4_0_fgetxattr_cbk] \
0-vol-client-0: remote operation failed. [{errno=9}, {error=Bad file descriptor}]
Therefore use glfs_getxattr() only for implementing get_real_filename_at
logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7af4bfe8 by Anoop C S at 2022-10-12T11:46:36+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
Fallback mechanism was missing in vfs_gluster_fgetxattr() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_flistxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
cc397175 by Anoop C S at 2022-10-12T12:48:50+00:00
vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use fsp->fsp_name->base_name and
return directory stream obtained from glfs_opendir().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Oct 12 12:48:50 UTC 2022 on sn-devel-184
- - - - -
636ec45c by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed
If we hit a race, when a client disconnects the connection after the initial
SMB2 Negotiate request, before the connection is completely passed to
process serving the given client guid, the temporary smbd which accepted the
new connection may already detected the disconnect and exitted before
the long term smbd servicing the client guid was able to send the
MSG_SMBXSRV_CONNECTION_PASSED message.
The result was a log message like this:
smbXsrv_client_connection_pass_loop: smb2srv_client_connection_passed() failed => NT_STATUS_OBJECT_NAME_NOT_FOUND
and all connections belonging to the client guid were dropped,
because we called exit_server_cleanly().
Now we ignore NT_STATUS_OBJECT_NAME_NOT_FOUND from
smb2srv_client_connection_passed() and let the normal
event loop detect the broken connection, so that only
that connection is terminated (not the whole smbd process).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
acb3d821 by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()
DBG_WARNING() already adds the function name as prefix.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
56c597bc by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
dbwrap_watched_watch_send() should typically be the last thing to call
before the db record is unlocked, as it's not that easy to undo.
In future we want to recover from smb2srv_client_connection_{pass,drop}()
returning NT_STATUS_OBJECT_NAME_NOT_FOUND and it would add complexity if
would need to undo dbwrap_watched_watch_send() at that point.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
8c8d8cf0 by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed
This will simplify the following changes...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5d66d5b8 by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
If we get NT_STATUS_OBJECT_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
we should just keep the connection and overwrite the stale record in
smbXsrv_client_global.tdb. It's basically a race with serverid_exists()
and a process that doesn't cleanly teardown.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5d91ecf0 by Anoop C S at 2022-10-13T12:30:37+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES
Fallback mechanism was missing in vfs_gluster_fntimes() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_fgetxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a120fb1c by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
s4:messaging: add imessaging_init_discard_incoming()
We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.
With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
32df5e49 by Stefan Metzmacher at 2022-10-13T12:30:37+00:00
s3:auth_samba4: make use of imessaging_init_discard_incoming()
Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
266bcedc by Stefan Metzmacher at 2022-10-13T13:32:30+00:00
s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184
- - - - -
d26d3d9b by Noel Power at 2022-10-14T12:37:29+00:00
s3/rpcclient: Duplicate string returned from poptGetArg
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==4407== Invalid read of size 1
==4407== at 0x146263: main (rpcclient.c:1262)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x14627D: main (rpcclient.c:1263)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 8
==4407== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ff003fc8 by Noel Power at 2022-10-14T12:37:29+00:00
s3/param: Fix use after free with popt-1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==5325== Invalid read of size 1
==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
31d3d10b by Noel Power at 2022-10-14T12:37:29+00:00
s3/utils: Add missing poptFreeContext
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e82699fc by Noel Power at 2022-10-14T12:37:29+00:00
s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==5914== Invalid read of size 1
==5914== at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
==5914== by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
==5914== by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
==5914== by 0x10DED1: print_user_info (pdbedit.c:372)
==5914== by 0x111413: main (pdbedit.c:1324)
==5914== Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
==5914== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914== by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x1113E6: main (pdbedit.c:1323)
==5914== Block was alloc'd at
==5914== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914== by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x110AE5: main (pdbedit.c:1137)
==5914==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4b15d8c2 by Noel Power at 2022-10-14T12:37:29+00:00
s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==6055== Command: ./bin/testparm /etc/samba/smb.conf
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
Load smb config files from /etc/samba/smb.conf
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7e0e3f47 by Noel Power at 2022-10-14T13:38:55+00:00
s4/lib/registry: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357== at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357== by 0x4861432: reg_diff_load (patchfile.c:345)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184
- - - - -
0671d91a by Jeremy Allison at 2022-10-14T17:00:35+00:00
s3: VFS: vfs_full_audit. Remove SMB_VFS_OP_FSYNC, it no longer exists in sync form.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
fbcaecab by Volker Lendecke at 2022-10-14T17:00:35+00:00
full_audit: whitespace fixes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6dcf8d76 by Volker Lendecke at 2022-10-14T17:58:56+00:00
vfs-docs: Fix the list of full_audit operations
I got this list with
modified source3/modules/test_vfs_full_audit.c
@@ -34,6 +34,7 @@ static void test_full_audit_array(void **state)
for (i=0; i<SMB_VFS_OP_LAST; i++) {
assert_non_null(vfs_op_names[i].name);
assert_int_equal(vfs_op_names[i].type, i);
+ fprintf(stderr, "%s\n", vfs_op_names[i].name);
}
}
which *should* be part of a script to fix
docs-xml/manpages/vfs_full_audit.8.xml
every time after a VFS change. I can't focus on the scripting right
now, so just fix it manually.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 14 17:58:56 UTC 2022 on sn-devel-184
- - - - -
19eb88bc by Noel Power at 2022-10-17T18:46:29+00:00
s3/param: Check return of talloc_strdup
followup to commit ff003fc87b8164610dfd6572347c05308c4b2fd7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
972127da by Noel Power at 2022-10-17T18:46:29+00:00
s3/utils: Check return of talloc_strdup
followup to e82699fcca3716d9ed0450263fd83f948de8ffbe
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0326549a by Noel Power at 2022-10-17T19:49:36+00:00
s3/utils: check result of talloc_strdup
follow to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184
- - - - -
9eda4328 by Jeremy Allison at 2022-10-18T23:20:37+00:00
s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
- - - - -
fd0c01da by Jeremy Allison at 2022-10-19T00:13:56+00:00
s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file..
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct 19 00:13:56 UTC 2022 on sn-devel-184
- - - - -
f0fb8b95 by Andrew Bartlett at 2022-10-19T16:14:36+00:00
lib/tsocket: Add tests for loop on EAGAIN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9950efd8 by Stefan Metzmacher at 2022-10-19T16:14:36+00:00
lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
This will be used on its own soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
29a65da6 by Stefan Metzmacher at 2022-10-19T16:14:36+00:00
lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
This also returns an error if we got TCP_FIN from the peer,
which is only reported by an explicit POLLRDHUP check.
Also on FreeBSD getsockopt(fd, SOL_SOCKET, SO_ERROR) fetches
and resets the error, so a 2nd call no longer returns an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4c7e2b9b by Stefan Metzmacher at 2022-10-19T16:14:36+00:00
lib/tsocket: remember the first error as tstream_bsd->error
If we found that the connection is broken, there's no point
in trying to use it anymore, so just return the first error we detected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e232ba94 by Stefan Metzmacher at 2022-10-19T16:14:36+00:00
lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
There were some reports that strace output an LDAP server socket is in
CLOSE_WAIT state, returning EAGAIN for writev over and over (after a call to
epoll() each time).
In the tstream_bsd code the problem happens when we have a pending
writev_send, while there's no readv_send pending. In that case
we still ask for TEVENT_FD_READ in order to notice connection errors
early, so we try to call writev even if the socket doesn't report TEVENT_FD_WRITE.
And there are situations where we do that over and over again.
It happens like this with a Linux kernel:
tcp_fin() has this:
struct tcp_sock *tp = tcp_sk(sk);
inet_csk_schedule_ack(sk);
sk->sk_shutdown |= RCV_SHUTDOWN;
sock_set_flag(sk, SOCK_DONE);
switch (sk->sk_state) {
case TCP_SYN_RECV:
case TCP_ESTABLISHED:
/* Move to CLOSE_WAIT */
tcp_set_state(sk, TCP_CLOSE_WAIT);
inet_csk_enter_pingpong_mode(sk);
break;
It means RCV_SHUTDOWN gets set as well as TCP_CLOSE_WAIT, but
sk->sk_err is not changed to indicate an error.
tcp_sendmsg_locked has this:
...
err = -EPIPE;
if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
goto do_error;
while (msg_data_left(msg)) {
int copy = 0;
skb = tcp_write_queue_tail(sk);
if (skb)
copy = size_goal - skb->len;
if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) {
bool first_skb;
new_segment:
if (!sk_stream_memory_free(sk))
goto wait_for_space;
...
wait_for_space:
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
if (copied)
tcp_push(sk, flags & ~MSG_MORE, mss_now,
TCP_NAGLE_PUSH, size_goal);
err = sk_stream_wait_memory(sk, &timeo);
if (err != 0)
goto do_error;
It means if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) doesn't
hit as we only have RCV_SHUTDOWN and sk_stream_wait_memory returns
-EAGAIN.
tcp_poll has this:
if (sk->sk_shutdown & RCV_SHUTDOWN)
mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
So we'll get EPOLLIN | EPOLLRDNORM | EPOLLRDHUP triggering
TEVENT_FD_READ and writev/sendmsg keeps getting EAGAIN.
So we need to always clear TEVENT_FD_READ if we don't
have readable handler in order to avoid burning cpu.
But we turn it on again after a timeout of 1 second
in order to monitor the error state of the connection.
And now that our tsocket_bsd_error() helper checks for POLLRDHUP,
we can check if the socket is in an error state before calling the
writable handler when TEVENT_FD_READ was reported.
Only on error we'll call the writable handler, which will pick
the error without calling writev().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
eb2f3526 by Stefan Metzmacher at 2022-10-19T17:13:39+00:00
s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
If the client is not able to receive the results within connections idle
time, then we should treat it as dead. It's value is 15 minutes (900 s)
by default.
In order to limit that further an admin can use 'socket options'
and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT
to useful values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184
- - - - -
67811e12 by Joseph Sutton at 2022-10-20T03:59:37+00:00
tests/krb5: Add test requesting a service ticket expiring post-2038
Windows 11 22H2 performs such requests, with year 9999.
The test fails with KDC_ERR_BAD_INTEGRITY on older
Heimdal versions, which are unable to verify a checksum
over the modified request body (due to a re-encoding failure).
REF: https://github.com/heimdal/heimdal/issues/1011
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
50cbdecf by Joseph Sutton at 2022-10-20T05:00:23+00:00
tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
- - - - -
ed35f40d by Joseph Sutton at 2022-10-21T03:57:33+00:00
krb5: Add compatability for krb5_const_pac type
This allows this type to be used in Samba in the future for
both Kerberos implementations
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
2ccb69e0 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-kdc: Fix typo in MIT glue
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
549f3f85 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-kdc: Correct MIT talloc ctx names
The name of the context looks like it should match the name of the
function, but doesn't quite.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
349c5794 by Joseph Sutton at 2022-10-21T03:57:33+00:00
librpc/ndr: Fix incorrect error string in SID parser
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
2b331c67 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-auth: Fix typo in erberos_pac_to_user_info_dc()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
1b550258 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-auth: Mention correct PAC buffer in error msg
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
fb171809 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Rename user_attrs to attrs to avoid conflict and add static const
This now local and static const list was otherwise a duplicate symbol
shadowing with the global user_attrs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
16b7c1f3 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Make tdo_attrs static const
This follows the same with 'attrs' in the previous commit.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
cc38a614 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Use a raw python string to avoid creating and invalid escape sequence
While the invalid escape sequence worked and was passed to the LDB
layer for it's use, linting tools will complain so we should not do
this. We don't want to get caught out when a future python version
becomes more strict.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
f5ed2936 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: remove unused Python variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
f7d94c67 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Use Python 'del' rather than assigning over with None
This is the clearer way to trigger the destruction of this variable
and so the LDB connection under it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
7ec569b3 by Joseph Sutton at 2022-10-21T03:57:33+00:00
libcli/security: Fix function header comments in SID handling
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
16746593 by Joseph Sutton at 2022-10-21T03:57:33+00:00
libcli/security: Make null_sid static const, not just const
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
31eb2986 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s3-utils: Fix typo in error message in net groupmap
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
0042ace3 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Remove unused import in token_group python test
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
81c23aa0 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: simplify conditional in python token_group test
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
1716efc0 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-dsdb: Remove unused variables in token_group python test
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
19895c93 by Joseph Sutton at 2022-10-21T03:57:33+00:00
ldb: don't call comparison() directly in LDB_TYPESAFE_QSORT
The result is not used, it is only part of the macro to gain
type-checking.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
ca6cb0c6 by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4-join: Fix typos in recent GET_ANC patch set
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
e131450b by Joseph Sutton at 2022-10-21T03:57:33+00:00
testprogs: fix CVE reference in kpassed test
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
6b7fd9bb by Joseph Sutton at 2022-10-21T03:57:33+00:00
docs: Fix double-word in "inherit owner" manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14034
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
a4212081 by Joseph Sutton at 2022-10-21T03:57:33+00:00
docs: Fix double-word in "prefork backoff increment"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14034
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
6231c09f by Joseph Sutton at 2022-10-21T03:57:33+00:00
samba-tool: Fix double-word in samba-tool domain passwordsettings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14034
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
a2ba0fa3 by Joseph Sutton at 2022-10-21T03:57:33+00:00
python: Use list comprehension in string_to_byte_array()
Samba is now a mature user of Python and can cope with a
list comprehension from time to time.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
12b53e0d by Joseph Sutton at 2022-10-21T03:57:33+00:00
python: Fix invalid escape by using a raw string
These escapes are meant for the regular expression engine
not the string parser.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
a503162e by Joseph Sutton at 2022-10-21T03:57:33+00:00
python: Remove unused imports in auth_log tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
f50e0c3c by Joseph Sutton at 2022-10-21T03:57:33+00:00
s4:gensec Avoid memory leak in error case in gensec_gssapi
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- - - - -
37831c9e by Joseph Sutton at 2022-10-21T04:53:47+00:00
docs-xml: Fix outdated comment in documentation
This was written prior to the release of Windows Vista and later
versions.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Fri Oct 21 04:53:47 UTC 2022 on sn-devel-184
- - - - -
211a6a63 by David Mulder at 2022-10-21T17:47:37+00:00
winbind: Fix potential memory leak in winbind gpupdate
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
284afec2 by David Mulder at 2022-10-21T18:48:18+00:00
winbind: Enforce user group policy when enabled
This only enforces user group policy at logon.
We should also enforce this policy every 90 to
120 minutes, but a logoff will need to cancel the
timer and we cannot have multiple timers if there
are multiple sessions for the same user.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184
- - - - -
5c627988 by Christof Schmitt at 2022-10-24T15:43:35+00:00
vfs_gpfs: Remove support for old GPFS without DACL_PROTECTED support
GPFS 3.5 introduced support for storing the DACL_PROTECTED flag as part
of the ACL. That version has long been superceded. Remove this now
unused codepath.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15211
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
da663b5d by Christof Schmitt at 2022-10-24T16:41:03+00:00
vfs_gpfs: Remove documentation for removed gpfs:refuse_dacl_protected option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15211
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Bjoern Jacke <bjacke at samba.org>
Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Mon Oct 24 16:41:03 UTC 2022 on sn-devel-184
- - - - -
e3ebda8c by Andreas Schneider at 2022-10-25T09:34:33+00:00
s3:librpc: Improve GSE error message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
- - - - -
16335412 by Andreas Schneider at 2022-10-25T09:34:33+00:00
s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
- - - - -
30ca92a8 by Andreas Schneider at 2022-10-25T09:34:33+00:00
s4:libnet: If we successfully changed the password we are done
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
- - - - -
416bf5a4 by Noel Power at 2022-10-25T09:34:33+00:00
s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
prior to this commit return of samdb_set_password_aes was set to
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
otherwise (and in this case can be partially responsible for failures
in test samba.tests.auth_log_pass_change (with later gnutls)
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
0b562285 by Jule Anger at 2022-10-25T11:47:31+02:00
VERSION: Bump version up to Samba 4.17.3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
ce7c418c by Noel Power at 2022-10-25T10:30:59+00:00
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184
- - - - -
cd48f2da by Joseph Sutton at 2022-10-25T10:31:33+00:00
CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ec456766 by Joseph Sutton at 2022-10-25T10:31:33+00:00
CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c8e85295 by Joseph Sutton at 2022-10-25T10:31:33+00:00
CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
16120b73 by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dffc997a by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ad9d1690 by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ba60f647 by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
841b6ddc by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2d0ad4ed by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d12bd2cd by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2671f995 by Joseph Sutton at 2022-10-25T10:31:34+00:00
CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
dc650bde by Volker Lendecke at 2022-10-25T10:31:34+00:00
CVE-2022-3592 smbd: No empty path components in openat_pathref_dirfsp_nosymlink()
Upper layers must have filtered this, everything else is a bug
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
c770b787 by Volker Lendecke at 2022-10-25T10:31:34+00:00
CVE-2022-3592 torture3: Show that our symlink traversal checks are insecure
This test shows that we don't properly check whether symlink targets
are inside the exported share. Linking to <share-root>a/etc makes us
loop back into filename_convert_dirfsp_nosymlink() with /etc as a
directory name.
On Linux systems with openat2(RESOLVE_NO_SYMLINKS) we pass "/etc"
directly into that call after some checks for "."/".." as invalid file
name components. "/etc" is okay for openat2(), but this test must also
succeed on systems without RESOLVE_NO_SYMLINKS (sn-devel-184 for
example). On systems without RESOLVE_NO_SYMLINKS split up the path
"/etc" into path components, in this case "" and "etc". So we pass ""
down to openat(), which correctly fails with ENOENT.
Summary: Only with RESOLVE_NO_SYMLINKS we're hit by bug 15207, and
this test shows by expecting CONNECTION_DISCONNECTED that we violate
the internal assumption of empty path components with an unexpected
symlink target, making it testable on systems with and without
RESOLVE_NO_SYMLINKS.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
fbc0feec by Volker Lendecke at 2022-10-25T10:31:34+00:00
CVE-2022-3592 lib: lib/util/fault.h requires _SAMBA_DEBUG_H for SMB_ASSERT()
fault.h has:
which leads to SMB_ASSERT not being defined when you include
samba_util.h (and thus fault.h) before debug.h.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
d905dbdd by Volker Lendecke at 2022-10-25T10:31:34+00:00
CVE-2022-3592 lib: Move subdir_of() to source3/lib/util_path.c
Make it available for other components
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
d385058c by Volker Lendecke at 2022-10-25T11:27:02+00:00
CVE-2022-3592 smbd: Slightly simplify filename_convert_dirfsp()
subdir_of() calculates the share-relative rest for us, don't do the
strlen(connectpath) calculation twice. subdir_of() also checks that
the target properly ends on a directory. With just strncmp a symlink
to x->/aa/etc would qualify as in share /a, so a "get x/passwd" leads to a
pretty unfortunate result. This is the proper fix for bug 15207, so we
need to change the expected error code to OBJECT_PATH_NOT_FOUND
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Oct 25 11:27:02 UTC 2022 on sn-devel-184
- - - - -
42069152 by David Mulder at 2022-10-25T14:25:36+00:00
gpo: Test to ensure startup scripts don't crash w/out params
Startup scripts were failing to execute when no
parameters were provided to the script.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15212
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4f63c128 by David Mulder at 2022-10-25T15:21:08+00:00
gpo: Fix startup scripts to not fail w/out params
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15212
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Tue Oct 25 15:21:08 UTC 2022 on sn-devel-184
- - - - -
0a66c739 by Philipp Gesang at 2022-10-25T16:25:40+00:00
s3-lib: restore truncating behavior of push_ascii_nstring()
Some users of push_ascii_nstring() (notably name_to_unstring())
expect the output to be truncated if it would exceed the size of
an nstring after conversion. However this broke in 2011 due to
commit d546adeab5 ("Change convert_string_internal() and
convert_string_error() to bool return"). This patch restores the
old behavior.
The issue can be observed in syslog after setting the
``workgroup`` to a 16+ characters long string which triggers a
DEBUG() message:
Oct 17 11:28:45 dev nmbd[11716]: name_to_nstring: workgroup name 0123456789ABCDEF0123456789ABCDEF is too long. Truncating to
Signed-off-by: Philipp Gesang <philipp.gesang at intra2net.com>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Oct 25 16:25:40 UTC 2022 on sn-devel-184
- - - - -
1cc68d33 by Michael Tokarev at 2022-10-25T20:13:14+03:00
d/rules: stop dh_installpam from installing samba.pam to the samba package (#1022775, #1022776)
- - - - -
ce709ba2 by Michael Tokarev at 2022-10-25T20:14:28+03:00
update changelog; upload 4.16.6+dfsg-3 to unstable
- - - - -
53c8b81c by Michael Tokarev at 2022-10-26T19:42:11+03:00
poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse (#1022826)
This is become an issue with popt-1.9, https://bugzilla.samba.org/show_bug.cgi?id=15205
These patches are included in 4.17 already.
- - - - -
2bd73416 by Michael Tokarev at 2022-10-26T20:10:49+03:00
update changelog; upload 4.16.6+dfsg-4 to unstable
- - - - -
e1b48965 by Michael Tokarev at 2022-10-26T21:17:21+03:00
d/rules: install pam.d/samba with mode 0644, not 0755
- - - - -
3bd08ed7 by Michael Tokarev at 2022-10-26T21:34:15+03:00
d/source/lintian-overrides: ctdb/doc/*.html actually has sources
- - - - -
7cffc007 by Michael Tokarev at 2022-10-26T21:34:20+03:00
d/source/lintian-overrides: very-long-line-length-in-source-file *
- - - - -
d207aadc by Michael Tokarev at 2022-10-26T21:56:58+03:00
d/*.lintian-overrides: update some overrides for new lintian
- - - - -
f4891f0f by Michael Tokarev at 2022-10-26T21:57:14+03:00
d/libpam-winbind.lintian-overrides: +spare-manual-page pam_winbind.8
- - - - -
fba998ee by Michael Tokarev at 2022-10-26T21:57:14+03:00
move samba:idmap_script.8.gz and samba-libs:idmap_rfc2307.8.gz to winbind
- - - - -
52e8ac77 by Michael Tokarev at 2022-10-26T22:46:56+03:00
d/winbind.lintian-overrides: +spare-manual-page winbind_krb5_locator.8
- - - - -
d22d7147 by Michael Tokarev at 2022-10-26T22:46:59+03:00
d/libldb2.lintian-overrides: +package-contains-empty-directory .../ldb/modules/ldb/
- - - - -
b9515e54 by Michael Tokarev at 2022-10-26T22:46:59+03:00
d/source/lintian-overrides: +debian-control-has-unusual-field-spacing Breaks
- - - - -
e40fdc39 by Michael Tokarev at 2022-10-26T22:47:13+03:00
d/*.lintian-overrides: +hardening-no-fortify-functions for some simple shared libs
- - - - -
dcf3cc45 by Michael Tokarev at 2022-10-26T22:48:59+03:00
update changelog; upload 4.16.6+dfsg-5 to unstable
- - - - -
8e7da40f by Michael Tokarev at 2022-10-27T12:28:40+03:00
d/samba.lintian-overrides: *docs-outside-share-doc usr/share/samba/setup/
Keep schema and its specification in the same place
- - - - -
1ea5e5d2 by Michael Tokarev at 2022-10-27T12:34:26+03:00
d/rules: use the right dir for dh_shlibdeps -l
dpkg-shlibdeps (and dh_shlibdeps) uses -ldir as a path
*within package install directories* (like, debian/$pkg/),
not as absolute path on the build host. It searches all
debian/$pkg/$dir for the libraries, in order to know the
package where this library resides. It was used incorrectly
in the past as ${CURDIR}/debian/tmp/usr/lib/samba/, it should
have been /usr/lib/samba instead.
- - - - -
e943a405 by Michael Tokarev at 2022-10-27T14:19:20+03:00
rewrite shlibs/symbols-generating file
Replace debian/make_shlibs file with an entirely new debian/genshlibs file
which uses different approach to deal with samba shared libs.
See comments in d/genshlibs for all the details.
This makes whole shlibs/symbols generation much cleaner and 10x faster.
- - - - -
9e04ca16 by Michael Tokarev at 2022-10-27T14:19:21+03:00
debian/libnss-winbind.triggers: activate ldconfig trigger
- - - - -
c481fd31 by Michael Tokarev at 2022-10-27T14:19:21+03:00
add debian/samba-libs.symbols with libsmbldap library
and adjust d/samba-libs.lintian-overrides:
+shared-library-symbols-not-tracked *
- - - - -
8eacffb2 by Michael Tokarev at 2022-10-27T14:19:21+03:00
d/samba.examples: do not install smbadduser: csh considered harmful
- - - - -
87c4cc60 by Michael Tokarev at 2022-10-27T14:30:41+03:00
d/rules: remove long-unused commented-out override_dh_perl-arch
- - - - -
e95e8cca by Michael Tokarev at 2022-10-27T15:00:33+03:00
update chanelog
- - - - -
f388e03f by Michael Tokarev at 2022-10-27T16:59:27+03:00
d/genshlibs: add the forgotten mkdir for d/$pkg/DEBIAN
- - - - -
c15308c1 by Michael Tokarev at 2022-10-27T16:59:27+03:00
remove static/fixed branding d/patches/VERSION.patch
- - - - -
0aee7382 by Michael Tokarev at 2022-10-27T16:59:27+03:00
d/rules: implement dynamic branding of VERSION file based on dpkg-vendor
- - - - -
d70bdef6 by Michael Tokarev at 2022-10-27T17:00:16+03:00
d/rules: simplify package interdependency checking
- - - - -
d0ec0b5b by Michael Tokarev at 2022-10-27T17:33:22+03:00
d/rules: add a lot more interpackage dependency checks
- - - - -
ea1f53fc by David Mulder at 2022-10-27T18:18:36+00:00
winbind: Fix user gpupdate called with NULL smb.conf
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8b55dabf by David Mulder at 2022-10-27T18:18:36+00:00
winbind: Add smbconf fallback for gpupdate_callback
We should use the configfile specified, but also
fallback if none is specified.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
80856941 by Volker Lendecke at 2022-10-27T18:18:36+00:00
smbd: Remove a comment left by copy&paste
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
801731b6 by Volker Lendecke at 2022-10-27T18:18:36+00:00
smbd: Remove "link_depth" parameter from non_widelink_open()
We don't recurse anymore but loop inside.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6404c3f6 by Volker Lendecke at 2022-10-27T18:18:36+00:00
smbd: Cut long lines
This is recent enough to justify just a README.Coding formatting change
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f3eeb922 by Volker Lendecke at 2022-10-27T18:18:36+00:00
torture3: Fix an error message
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
653bcbc1 by Volker Lendecke at 2022-10-27T18:18:36+00:00
gensec: Align an integer type
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
12a556bd by Volker Lendecke at 2022-10-27T18:18:36+00:00
lib: Remove two unused macros
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a91ff509 by Volker Lendecke at 2022-10-27T18:18:36+00:00
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
53d1b188 by Volker Lendecke at 2022-10-27T18:18:36+00:00
pyrpc4: Simplify py_ndr_syntax_id() with GUID_buf_string()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e287dfe9 by Volker Lendecke at 2022-10-27T18:18:36+00:00
librpc: Add a pair of {}
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b0d321f8 by Volker Lendecke at 2022-10-27T18:18:36+00:00
librpc: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8971f2ae by Volker Lendecke at 2022-10-27T18:18:36+00:00
librpc: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
167bc2cf by Volker Lendecke at 2022-10-27T18:18:36+00:00
librpc: Avoid an else
With an early return; we don't need the "else"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
eaf38a44 by Volker Lendecke at 2022-10-27T18:18:36+00:00
lib: Avoid an #include includes.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
23ba1dab by Volker Lendecke at 2022-10-27T18:18:36+00:00
lib: Avoid an #include includes.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
15f958d7 by Volker Lendecke at 2022-10-27T18:18:36+00:00
rpc_server: Remove an unneeded #include
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6d334fe2 by Volker Lendecke at 2022-10-27T18:18:36+00:00
ntvfs: Remove orphans from 2006
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
51e65fa9 by Volker Lendecke at 2022-10-27T18:18:36+00:00
lib: Whitespace fixes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4638eeba by Volker Lendecke at 2022-10-27T18:18:36+00:00
tests: Rename python/samba/tests/libsmb.py
samba/libsmb.py will become a common file to do the library
initialization for our tests. We already have two copies in
smb3unix.py and libsmb.py, and there might be more soon.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6be2d465 by Volker Lendecke at 2022-10-27T18:18:36+00:00
tests: Factor out libsmb environment setup
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ab2c3859 by Volker Lendecke at 2022-10-27T18:18:36+00:00
tests: Use samba.tests.libsmb.LibsmbTests in libsmb-basic.py
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9d4ac46e by Volker Lendecke at 2022-10-27T18:18:36+00:00
tests: Use samba.tests.libsmb.LibsmbTests in smb3unix.py
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fa7ad454 by Volker Lendecke at 2022-10-27T18:18:36+00:00
smbd: Apply some const to a variable that's never changed
Probably doesn't do much in compiled code, but looks cleaner to me
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6d552b1e by Volker Lendecke at 2022-10-27T18:18:36+00:00
pylibsmb: Simplify py_cli_create_contexts()
Py_BuildValue() can create tuples.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7e29e70f by Volker Lendecke at 2022-10-27T18:18:36+00:00
pylibsmb: Simplify py_cli_create_returns()
Py_BuildValue() can create dictionaries.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
80dc3bc2 by Andreas Schneider at 2022-10-27T18:18:36+00:00
s3:param: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
81f4335d by Andreas Schneider at 2022-10-27T18:18:36+00:00
s3:client: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b787692b by Andreas Schneider at 2022-10-27T18:18:36+00:00
s3:utils: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0e8949bd by Andreas Schneider at 2022-10-27T18:18:36+00:00
wafsamba: Add -Werror=old-style-definition
See https://fedoraproject.org/wiki/Changes/PortingToModernC
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3de61dc6 by Andreas Schneider at 2022-10-27T18:18:36+00:00
wafsamba: Add -Werror=implicit-int
https://fedoraproject.org/wiki/Changes/PortingToModernC
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ae86c620 by Andreas Schneider at 2022-10-27T18:18:36+00:00
lib:replace: Fix trailing whitespace in wscript
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6f1a9ef2 by Andreas Schneider at 2022-10-27T19:11:30+00:00
lib:replace: Require bool from C99
https://fedoraproject.org/wiki/Changes/PortingToModernC
We define True to true from stdbool.h and the same for false. So we
don't have to do a cleanup now.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Oct 27 19:11:30 UTC 2022 on sn-devel-184
- - - - -
39cf93c7 by Samuel Cabrero at 2022-10-27T21:14:43+00:00
bootstrap: Update to openSUSE 15.4
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b7ea69bd by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_add_entry()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7958e18b by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_seek_and_delete_old_entries()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
173b6f6e by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
lib/krb5_wrap: document the enctype argument of smb_krb5_kt_seek_and_delete_old_entries()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3881a440 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
s3:libads: ads_keytab_flush() doesn't need a valid kvno
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
956c6562 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3dd26cb4 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
s3:libads: add ads_keytab_delete_entry()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
17779a68 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
s3:util: add 'net ads keytab delete'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
dd0984c7 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
testprogs/blackbox: let test_net_ads.sh consistently use the tmp WORKDIR
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
797b38f5 by Stefan Metzmacher at 2022-10-27T21:14:43+00:00
testprogs/blackbox: fix prinicple => principal in test_net_ads.sh
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8c94bbba by Stefan Metzmacher at 2022-10-27T22:14:53+00:00
testprogs/blackbox: add 'net ads keytab delete' tests to test_net_ads.sh
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Oct 27 22:14:53 UTC 2022 on sn-devel-184
- - - - -
34c6db64 by Daniel Kobras at 2022-10-28T06:24:30+00:00
s3: smbd: Consistently map EAs to user namespace
Samba has always been mapping Windows EAs to the 'user' namespace on the
POSIX side. However, in the opposite direction, the mapping would also map
other user-readable POSIX EA namespaces to Windows EAs, only stripping the
'user' namespace prefix, and passing all other EA names verbatim.
This means any POSIX EA 'other.foo' collides with 'user.other.foo' on the
Windows side, hence the mapping of non-user namespaces is unreliable.
Also, copy operations via Windows would rename an existing POSIX EA
'other.foo' in the source file to 'user.other.foo' in the destination. The
'user' namespace, however, may not be enabled on the underlying filesystem,
leading to subtle failure modes like the ones reported in eg.
<https://bugzilla.samba.org/show_bug.cgi?id=15186>
Fix the issues by restricting the mapping to the 'user' POSIX EA namespace
consistently for either direction.
Link: https://lists.samba.org/archive/samba-technical/2022-September/137634.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Michael Weiser <michael.weiser at atos.net>
Tested-by: Michael Weiser <michael.weiser at atos.net>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
69273c3a by Daniel Kobras at 2022-10-28T07:24:18+00:00
docs-xml: ea support option restricted to user ns
Update documentation to match current behavior.
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Oct 28 07:24:18 UTC 2022 on sn-devel-184
- - - - -
ffc59fe0 by David Mulder at 2022-10-28T13:43:59+00:00
smbd: Correct store_smb2_posix_info size check
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Oct 28 13:43:59 UTC 2022 on sn-devel-184
- - - - -
a665bf05 by Michael Tokarev at 2022-10-29T08:25:32+03:00
d/NEWS: merge it into d/samba.NEWS
The single d/NEWS (which is copied into *every* package) entry
was about removal of swat, a tool to manage smb.conf for samba.
It is only relevant for the samba binary package, it is not
interesting for all other packages.
It is old news anyway (almost 10 years old). At least we have
several lintian warnings removed now (out of 750+ due to mips*
executable stack).
- - - - -
05ab8738 by Michael Tokarev at 2022-10-29T08:29:15+03:00
update changelog; upload 4.16.6+dfsg-6 to unstable
- - - - -
edd64ec7 by Michael Tokarev at 2022-10-30T14:04:54+03:00
d/changelog: start of 4.17
- - - - -
ca7f7402 by Michael Tokarev at 2022-10-30T14:05:04+03:00
update upstream version number
- - - - -
829a79a8 by Michael Tokarev at 2022-10-30T16:01:39+03:00
Update upstream source from tag 'upstream/4.17.2+dfsg'
Update to upstream version '4.17.2+dfsg'
with Debian dir ca7f74022da37513229a6297015ce4d85ca6bb35
- - - - -
44bbcda8 by Michael Tokarev at 2022-10-30T16:03:51+03:00
remove poptGetArg-misuse-fixes-1022826.diff (applied upstream)
This reverts commit 53c8b81c6b8a53b72fc42f57d966d075cb5ad9a4.
- - - - -
0a19f9d4 by Michael Tokarev at 2022-10-30T16:04:39+03:00
remove dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch
This reverts commit f53483a5169218edd534e5fb4dc3b89419159bc8
the change is included in 4.17.
- - - - -
d52a197b by Michael Tokarev at 2022-10-30T16:05:01+03:00
removed: spelling.patch (partially applied upstream) weak-crypto-allowed-clarify.diff (applied upstream)
- - - - -
4eae5b37 by Michael Tokarev at 2022-10-30T16:05:07+03:00
+spelling.patch: a few more spelling fixes
- - - - -
8f3964b9 by Michael Tokarev at 2022-10-30T16:05:11+03:00
refresh: ctdb-create-piddir.patch
- - - - -
cf3610bd by Michael Tokarev at 2022-10-30T16:05:17+03:00
refresh: fix-nfs-service-name-to-nfs-kernel-server.patch
- - - - -
9cd71611 by Michael Tokarev at 2022-10-30T16:05:24+03:00
d/control: update minimum versions for talloc/tevent/tdb
- - - - -
e97223c2 by Michael Tokarev at 2022-10-30T16:05:28+03:00
d/rules: do not install ctdb.service, it is installed by upstream now
- - - - -
640e810e by Michael Tokarev at 2022-10-30T16:05:34+03:00
d/ctdb.install: do not install ctdb_wrapper (not used anymore)
- - - - -
731622e2 by Michael Tokarev at 2022-10-30T16:05:37+03:00
d/libldb2.symbols, d/d/python3-ldb.symbols.in: add new versions: 2.6.0 2.6.1
- - - - -
b5af5497 by Michael Tokarev at 2022-10-30T16:05:43+03:00
d/libldb2.symbols: mark symbols added in 2.5.2 as added in 2.6.1, remove 2.5.1 & 2.5.2 versions
- - - - -
440b9c9c by Michael Tokarev at 2022-10-30T16:05:46+03:00
d/python3-ldb.symbols.in: remove 2.5.1 & 2.5.2 versions
- - - - -
2a433707 by Michael Tokarev at 2022-10-30T16:05:53+03:00
move libpac-samba4.so.0 from samba to samba-libs (#1021450)
- - - - -
b9ce9fee by Michael Tokarev at 2022-10-30T16:05:58+03:00
d/rules: as of 4.17, no need to explicitly build intermediate targets anymore
- - - - -
d25aa7e1 by Michael Tokarev at 2022-10-30T16:06:03+03:00
d/rules: remove now-unused ${WAFv} macro
- - - - -
cba45ee0 by Michael Tokarev at 2022-10-30T16:22:16+03:00
update changelog; upload 4.17.2+dfsg-1 to experimental
- - - - -
3f665c23 by Michael Tokarev at 2022-10-30T16:22:42+03:00
update changelog; upload 4.17.2+dfsg-2 to experimental
- - - - -
fc0d8801 by Michael Tokarev at 2022-10-30T16:23:49+03:00
d/changelog: include entries from 4.17.x experimental branch
- - - - -
55307373 by Michael Tokarev at 2022-10-30T16:53:06+03:00
d/samba-libs.lintian-overrides: update package-name-doesnt-match-sonames to match all libs
- - - - -
2d1c8533 by Michael Tokarev at 2022-10-30T17:01:44+03:00
update changelog; upload 4.17.2+dfsg-3 to unstable
also mention closing of #1021022 by 4.17.0+dfsg-1
- - - - -
29edf6ca by Michael Tokarev at 2022-10-31T09:14:10+03:00
d/control: stop suggesting smbldap-tools
The package is orphan in Debian, seems to be removed/dead upstream too.
Samba these days comes with its own internal ldap server, it is unclear
if it ever work with external ldap.
- - - - -
dcac415e by Andrew Bartlett at 2022-10-31T09:05:10+00:00
lib/tsocket: Add tests for loop on EAGAIN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f0fb8b9508346aed50528216fd959a9b1a941409)
- - - - -
8a4ef3d9 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
This will be used on its own soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9950efd83e1a4b5e711f1d36fefa8a5d5e8b2410)
- - - - -
5c051d38 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
This also returns an error if we got TCP_FIN from the peer,
which is only reported by an explicit POLLRDHUP check.
Also on FreeBSD getsockopt(fd, SOL_SOCKET, SO_ERROR) fetches
and resets the error, so a 2nd call no longer returns an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 29a65da63d730ecead1e7d4a81a76dd1c8c179ea)
- - - - -
419986dc by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: remember the first error as tstream_bsd->error
If we found that the connection is broken, there's no point
in trying to use it anymore, so just return the first error we detected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4c7e2b9b60de5d02bb3f69effe7eddbf466a6155)
- - - - -
b615bf43 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
There were some reports that strace output an LDAP server socket is in
CLOSE_WAIT state, returning EAGAIN for writev over and over (after a call to
epoll() each time).
In the tstream_bsd code the problem happens when we have a pending
writev_send, while there's no readv_send pending. In that case
we still ask for TEVENT_FD_READ in order to notice connection errors
early, so we try to call writev even if the socket doesn't report TEVENT_FD_WRITE.
And there are situations where we do that over and over again.
It happens like this with a Linux kernel:
tcp_fin() has this:
struct tcp_sock *tp = tcp_sk(sk);
inet_csk_schedule_ack(sk);
sk->sk_shutdown |= RCV_SHUTDOWN;
sock_set_flag(sk, SOCK_DONE);
switch (sk->sk_state) {
case TCP_SYN_RECV:
case TCP_ESTABLISHED:
/* Move to CLOSE_WAIT */
tcp_set_state(sk, TCP_CLOSE_WAIT);
inet_csk_enter_pingpong_mode(sk);
break;
It means RCV_SHUTDOWN gets set as well as TCP_CLOSE_WAIT, but
sk->sk_err is not changed to indicate an error.
tcp_sendmsg_locked has this:
...
err = -EPIPE;
if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
goto do_error;
while (msg_data_left(msg)) {
int copy = 0;
skb = tcp_write_queue_tail(sk);
if (skb)
copy = size_goal - skb->len;
if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) {
bool first_skb;
new_segment:
if (!sk_stream_memory_free(sk))
goto wait_for_space;
...
wait_for_space:
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
if (copied)
tcp_push(sk, flags & ~MSG_MORE, mss_now,
TCP_NAGLE_PUSH, size_goal);
err = sk_stream_wait_memory(sk, &timeo);
if (err != 0)
goto do_error;
It means if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) doesn't
hit as we only have RCV_SHUTDOWN and sk_stream_wait_memory returns
-EAGAIN.
tcp_poll has this:
if (sk->sk_shutdown & RCV_SHUTDOWN)
mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
So we'll get EPOLLIN | EPOLLRDNORM | EPOLLRDHUP triggering
TEVENT_FD_READ and writev/sendmsg keeps getting EAGAIN.
So we need to always clear TEVENT_FD_READ if we don't
have readable handler in order to avoid burning cpu.
But we turn it on again after a timeout of 1 second
in order to monitor the error state of the connection.
And now that our tsocket_bsd_error() helper checks for POLLRDHUP,
we can check if the socket is in an error state before calling the
writable handler when TEVENT_FD_READ was reported.
Only on error we'll call the writable handler, which will pick
the error without calling writev().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e232ba946f00aac39d67197d9939bc923814479c)
- - - - -
743a56e5 by Stefan Metzmacher at 2022-10-31T09:05:10+00:00
s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
If the client is not able to receive the results within connections idle
time, then we should treat it as dead. It's value is 15 minutes (900 s)
by default.
In order to limit that further an admin can use 'socket options'
and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT
to useful values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184
(cherry picked from commit eb2f3526032803f34c88ef1619a832a741f71910)
- - - - -
c59f9c33 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s3:librpc: Improve GSE error message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit e3ebda8c6ae6e0c202e2b11a65b98b4f247ae4db)
- - - - -
d26e2da3 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit 16335412ff312ecb330f7890bd3e94117a5fa6ff)
- - - - -
c57b3d37 by Andreas Schneider at 2022-10-31T09:05:10+00:00
s4:libnet: If we successfully changed the password we are done
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit 30ca92a8164e1c3a76cdb798ee997d27621a5abb)
- - - - -
e84108f3 by Noel Power at 2022-10-31T09:05:10+00:00
s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
prior to this commit return of samdb_set_password_aes was set to
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
otherwise (and in this case can be partially responsible for failures
in test samba.tests.auth_log_pass_change (with later gnutls)
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 416bf5a41827a4e486215bfc8e47abc570c6e899)
- - - - -
057f60cc by Noel Power at 2022-10-31T10:08:34+00:00
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ce7c418ca4f8f82e61a9a02a6589ab1c4df51d63)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Oct 31 10:08:34 UTC 2022 on sn-devel-184
- - - - -
f4507b39 by Daniel Kobras at 2022-10-31T21:06:12+00:00
s3: smbd: Consistently map EAs to user namespace
Samba has always been mapping Windows EAs to the 'user' namespace on the
POSIX side. However, in the opposite direction, the mapping would also map
other user-readable POSIX EA namespaces to Windows EAs, only stripping the
'user' namespace prefix, and passing all other EA names verbatim.
This means any POSIX EA 'other.foo' collides with 'user.other.foo' on the
Windows side, hence the mapping of non-user namespaces is unreliable.
Also, copy operations via Windows would rename an existing POSIX EA
'other.foo' in the source file to 'user.other.foo' in the destination. The
'user' namespace, however, may not be enabled on the underlying filesystem,
leading to subtle failure modes like the ones reported in eg.
<https://bugzilla.samba.org/show_bug.cgi?id=15186>
Fix the issues by restricting the mapping to the 'user' POSIX EA namespace
consistently for either direction.
Link: https://lists.samba.org/archive/samba-technical/2022-September/137634.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Michael Weiser <michael.weiser at atos.net>
Tested-by: Michael Weiser <michael.weiser at atos.net>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 34c6db64c2ff62673f8df218487cda4139c10843)
- - - - -
5c32c822 by Daniel Kobras at 2022-10-31T22:03:46+00:00
docs-xml: ea support option restricted to user ns
Update documentation to match current behavior.
Signed-off-by: Daniel Kobras <kobras at puzzle-itc.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Oct 28 07:24:18 UTC 2022 on sn-devel-184
(cherry picked from commit 69273c3a836ede97c7fde74e2f1fdc84e92ec86f)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Oct 31 22:03:46 UTC 2022 on sn-devel-184
- - - - -
7917e5ba by Michael Tokarev at 2022-11-01T10:28:06+03:00
d/control: samba-libs breaks bullseye sssd-ad (#1013259)
- - - - -
4de7afad by Michael Tokarev at 2022-11-01T11:48:53+03:00
d/samba-libs.install: be more explicit about sonames of public libs to catch soname changes (#1013259)
(and add comments)
- - - - -
ee3616a9 by Michael Tokarev at 2022-11-01T12:19:24+03:00
libndr-debug-level-compat.diff, libndr-revert-so3.diff: revert libndr.so.2->3 soname bump (#1013259)
During samba 4.17 development, a simple debugging helper in libndr
has been changed, which resulted in soname bump (from 2 to 3). But
it was really trivial to provide compatibility symbol for the old
users of this library. Do this now, and instead of changing
soversion from 2.0.0 to 3.0.0, change it to 2.0.1 instead.
- - - - -
9b3ffa57 by Michael Tokarev at 2022-11-01T12:52:27+03:00
d/samba-libs.symbols: add symbols for libndr.so.2
- - - - -
6a414e5b by Michael Tokarev at 2022-11-01T13:24:41+03:00
d/control: reformat comment
- - - - -
83bf4cd7 by Michael Tokarev at 2022-11-01T13:24:41+03:00
update changelog; upload 4.17.2+dfsg-4 to unstable
- - - - -
419b799a by Michael Tokarev at 2022-11-01T17:29:17+03:00
d/control: bump version of broken-by-samba-libs sssd and add more affected sssd packages
Bump version to the one in ubuntu jammy since it is also affected by
libndr.so.1=>.2 bump.
Add sssd-ipa (due to libsss_ipa.so linked with libndr)
and sssd-ad-common (sssd_pac linked with libndr) to Breaks.
- - - - -
74636dfe by Jeremy Allison at 2022-11-01T17:32:30+00:00
s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 for success, should return zero).
Add torture test to show smbc_getxattr() should return -1 on
failure, 0 on success.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
bdbb38d1 by Jeremy Allison at 2022-11-01T18:31:22+00:00
s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 1 18:31:22 UTC 2022 on sn-devel-184
- - - - -
6353f9e9 by Andrew Bartlett at 2022-11-02T04:23:34+00:00
Add Heimdal test file test_base.c to bi-directional encoding ignore list
Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test data
that triggers our LTR and RTL detection code.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
074e9284 by Joseph Sutton at 2022-11-02T04:23:34+00:00
third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ab4c7bda by Volker Lendecke at 2022-11-02T04:23:34+00:00
heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ef28247f by Andrew Bartlett at 2022-11-02T04:23:34+00:00
third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
This commit won't compile on it's own, as we need to fix the build system
to cope in the next commit.
The purpose of this commit is to update to a new lorikeet-heimdal tree
that includes the previous two patches and is rebased on a current
Heimdal master snapshot.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
bf446bcf by Joseph Sutton at 2022-11-02T05:21:29+00:00
third_party/heimdal_build: Update fallthrough macro for switch statements
This is an adaptation to Heimdal:
commit 133f5174820b34e2a12c3f3412bf554cae2ee22f
Author: Daria Phoebe Brashear <dariaphoebe at auristor.com>
Date: Fri Sep 16 09:57:24 2022 -0400
rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Nov 2 05:21:29 UTC 2022 on sn-devel-184
- - - - -
61cc6192 by Michael Tokarev at 2022-11-02T09:35:07+03:00
update changelog; upload 4.17.2+dfsg-5 to unstable
- - - - -
fee5f480 by Michael Tokarev at 2022-11-02T10:45:12+03:00
d/control: fix comment
- - - - -
6aed8265 by Michael Tokarev at 2022-11-02T10:45:42+03:00
update changelog; upload 4.17.2+dfsg-6 to unstable
- - - - -
22e1aa95 by Michael Tokarev at 2022-11-02T14:37:15+03:00
Revert "libndr-debug-level-compat.diff, libndr-revert-so3.diff: revert libndr.so.2->3 soname bump (#1013259)"
This reverts commit ee3616a98bdb5a75ed8eee25a58d4ec582c31e56.
Upstream samba does not want to change this, so we'll do it the other way.
- - - - -
429ed1da by Michael Tokarev at 2022-11-02T18:31:05+03:00
revert libndr.so.2 changes and just provide a compat symlink for it
Upstream does not want to revert their - completely unwarranted -
libndr.so.2=>.3 soname bump, despite provided patches. So, in order
to stay compatible and eliminate possible further issues, revert the
revert, and provide the compatibility symlink at the filesystem level
since new libndr.so.3 is comletely compatible with libndr.so.2 besides
this internal ndr_print_debug() symbol (which is actually not used by
anything).
- - - - -
94b4e9dd by Michael Tokarev at 2022-11-02T18:31:07+03:00
d/samba-libs.links: add comments describing libndr.so.N issue
- - - - -
b7259b99 by Michael Tokarev at 2022-11-02T18:31:07+03:00
d/samba-libs.links: add libndr.so.1 compat symlink too
- - - - -
85604fe7 by Michael Tokarev at 2022-11-02T18:31:07+03:00
d/control: unbreak bullseye/jammy sssd-ad-common, sssd-ad, sssd-ipa by samba-libs once libndr.so.1 compat link is here
- - - - -
483afa1e by Michael Tokarev at 2022-11-02T18:31:07+03:00
update changelog
- - - - -
ed8dfaa1 by Michael Tokarev at 2022-11-02T20:44:07+03:00
update changelog; upload 4.17.2+dfsg7 to unstable
- - - - -
382745a7 by Michael Tokarev at 2022-11-02T21:48:38+03:00
d/rules: do not explicitly enable quotas on non-linux
The idea is to explicitly enable everything interesting on linux,
but let ./configure to figure it out on other OSes. If quota will
be supported on Hurd one day, it will be enabled automatically there.
- - - - -
fbc99573 by Michael Tokarev at 2022-11-02T21:49:44+03:00
d/rules: no need to disable systemd on non-linux, let ./configure to figure it
- - - - -
b3292b54 by vporpo at 2022-11-02T22:47:10+00:00
smbget: Adds a rate limiting option --limit-rate in KB/s
This patch implements a very simple rate limiter. It works by pausing the main
download loop whenever the bytes transferred are more than what we would get
with if it were transferred at the rate set by the user.
Please note that this may reduce the blocksize if the limit is too small.
Signed-off-by: Vasileios Porpodas <v.porpodas at gmail.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 2 22:47:10 UTC 2022 on sn-devel-184
- - - - -
1eb07efc by Michael Tokarev at 2022-11-03T14:50:05+03:00
d/winbind.postinst: switch addgroup => groupadd and eliminate getent
This fixes piuparts failure. Apparently some other package dropped
adduser dependency and winbind package started failing.
Apparently adduser is not needed: addgroup does the same but easier,
its --force mode combines a check for group existance and group
creation if it doesn't exist.
- - - - -
24258d59 by Michael Tokarev at 2022-11-03T14:52:13+03:00
d/samba.postinst: switch addgroup => groupadd and eliminate getent
- - - - -
a3e8d554 by Michael Tokarev at 2022-11-03T14:58:53+03:00
d/smb.conf: use useradd in example create user script too
- - - - -
1907d4f1 by Michael Tokarev at 2022-11-03T15:05:16+03:00
update changelog; upload 4.17.2+dfsg-8 to unstable
- - - - -
0814ad1e by Michael Tokarev at 2022-11-04T12:53:45+03:00
hurd-compat.patch: some minor compatibility tweaks for hurd
- - - - -
f5d77cb6 by Pavel Filipenský at 2022-11-04T10:06:28+00:00
s3:winbind: Avoid unnecessary locking in wb_parent_idmap_setup_send()
A function in tevent environment can span over several context loop iterations.
Every iteration 'unschedules' the current code and a different functions can
access not yet fully initialized structures.
A locking is used to avoid this. In tevent, we use tevent queues as a locking
mechanism. Every function trying to access lock protected data, puts itself to
a queue. The function must remove itself from the queue only after the complete
work is done.
A good coding practise is to lock only the smallest code path and not to use the
locking if not needed.
wb_parent_idmap_setup_send() uses queue "wb_parent_idmap_config_queue" for:
- testing if the setup is ready
- setting up all idmap domains
But "testing if the setup is ready" can be coded as an atomic operation without
needing a lock.
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Nov 4 10:06:28 UTC 2022 on sn-devel-184
- - - - -
2d880b95 by Michael Tokarev at 2022-11-04T13:21:47+03:00
d/rules: ceph is linux-only like glusterfs; combine linux features into single block
- - - - -
7e982421 by Michael Tokarev at 2022-11-04T13:37:29+03:00
d/rules: add another conditional, with_snapper
snapper vfs module is another linux-only feature
which is enabled in source3/wscript on linux.
When doing shlibdeps run, check if we're building
with_snapper
- - - - -
d119a30e by Michael Tokarev at 2022-11-04T13:42:08+03:00
d/rules: consolidate iflinux linux-specific blocks into one
- - - - -
853a4ecd by David Mulder at 2022-11-04T18:08:29+00:00
gp: Move GNOME admx templates
waf fails to install the templates if there is a
space in the name.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1eb2f1cc by David Mulder at 2022-11-04T18:08:29+00:00
gpo: Install the GNOME Settings admx templates
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
635b1adf by David Mulder at 2022-11-04T19:09:09+00:00
gpo: GPME doesn't permit nesting of admx categories in builtin
The gnome settings were nested within a builtin
admx category, which GPME does not permit. This
was hiding the GNOME settings anytime windows
admx templates were present.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Nov 4 19:09:09 UTC 2022 on sn-devel-184
- - - - -
4908bdfa by Michael Tokarev at 2022-11-05T18:00:34+03:00
d/rules: support "terse" build option for non-verbose build
- - - - -
b8d09810 by Michael Tokarev at 2022-11-06T20:00:22+03:00
d/rules: remove third_party/heimdal/lib/gssapi/gssapi.h (#1013205)
https://lists.samba.org/archive/samba-technical/2022-November/137788.html
This fixes the <gssapi/gssapi.h> vs -I search path mess, fixes ftbfs on sparc64
- - - - -
50f3bbb8 by Michael Tokarev at 2022-11-06T20:13:40+03:00
update changelog; upload 4.17.2+dfsg-9 to unstable
- - - - -
721cfe94 by Volker Lendecke at 2022-11-07T21:57:33+00:00
torture3: Fix a copy&paste error and a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8b4a3c12 by Volker Lendecke at 2022-11-07T21:57:33+00:00
torture3: Run the "hidenewfiles" test against SMB2
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e8848a3e by Volker Lendecke at 2022-11-07T21:57:33+00:00
torture: Show that "hide new files timeout" also hides directories
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
be1431a8 by Volker Lendecke at 2022-11-07T22:58:33+00:00
smbd: Don't hide directories with "hide new files timeout"
The intention of this option was to hide *files*. Before this patch we
also hide directories where new files are dropped.
This is a change in behaviour, but I think this option is niche enough
to justify not adding another parameter that we then need to test. If
workflows break with this change and people depend on directories also
to be hidden, we can still add the additional option value required.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Nov 7 22:58:33 UTC 2022 on sn-devel-184
- - - - -
77bb72d6 by Joseph Sutton at 2022-11-08T02:39:37+00:00
build: Remove unused dependencies
We don't need to include these any more, and removing them allows us to
simplify the build system for system Heimdal builds.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a3ee0ce2 by Joseph Sutton at 2022-11-08T02:39:37+00:00
wscript: Correctly determine dependencies for system Heimdal build
Previously, the call to CHECK_BUNDLED_SYSTEM() in
check_system_heimdal_lib() could have us pick up MIT Kerberos headers
when we should only be using system Heimdal headers. Now, we just
perform an explicit check for the functions we require, which should
avoid any use of the MIT libraries.
We also remove some library checks for Heimdal components that we don't
use directly, restricting the checks to only the functions we need.
Finally, we no longer need to recurse into third_party/heimdal_build
when performing a system Heimdal build.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6fe69922 by Joseph Sutton at 2022-11-08T02:39:37+00:00
wafsamba: Have CHECK_C_PROTOTYPE() pass through 'lib' into CHECK_CODE()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7d3416e8 by Joseph Sutton at 2022-11-08T02:39:37+00:00
krb5: Detect support for krb5_const_pac type
We can't unconditionally assume (as we did in
third_party/heimdal_build/wscript_configure) that Heimdal has this type,
since we may have an older system Heimdal that lacks it. We must also
check whether krb5_pac_get_buffer() is usable with krb5_const_pac, and
declare krb5_const_pac as a non-const typedef if not.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
aa62775e by Joseph Sutton at 2022-11-08T02:39:37+00:00
s4-auth: Make PAC parameters const
These functions have no need to modify the PACs passed in, and this
change permits us to operate on const PACs in the KDC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
03250eef by Stefan Metzmacher at 2022-11-08T02:39:37+00:00
s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac()
This allows us to add claims blobs to the PAC once we have the ability
to create them.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f96fbe6e by Stefan Metzmacher at 2022-11-08T02:39:37+00:00
s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs()
The blob will be empty until we properly support claims.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
bdbe5c5a by Stefan Metzmacher at 2022-11-08T02:39:37+00:00
s4:kdc: add initial support for compound claims
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
0161d375 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Remove unused copy-and-paste remnant
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
90f39b69 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Remember to pass in expected_groups parameter
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6674f675 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Fix bits_to_etypes() to not fail on Resource SID compression bit
It's not an encryption type bit, so we should ignore it here.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3a13e3b6 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Allow creating groups with a specified type
This will be useful for testing the handling of Domain-Local groups.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
29723765 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Allow adding multiple members to a group
As well as passing in a single 'str', we can now choose to pass a
collection of member DN strings.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f59f6968 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Allow creating accounts without Resource SID compression support
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5a613db6 by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Add (un)expected group parameters to get_service_ticket() and get_tgt()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
8556576d by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Overhaul PAC logon info group checking
We can now verify attributes of SIDs and the PAC locations in which SIDs
are placed. We also gain the ability to assert that no SIDs are present
in the PAC other than the ones we expect.
We lighten somewhat the requirement that no duplicates are present among
the SIDs, as such a situation may arise even with Windows, especially if
group types are changed. For example, if a Universal group containing a
user is changed to a Domain-Local group in between an AS-REQ and a
TGS-REQ, the group's SID will be added to the PAC once for each request.
We only verify that there are no exact duplicates (SID, attributes, and
PAC location all being identical).
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
53f9ac4b by Joseph Sutton at 2022-11-08T02:39:37+00:00
tests/krb5: Allow checking domain SID in PAC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
612eeff2 by Joseph Sutton at 2022-11-08T03:37:37+00:00
tests/krb5: Add tests of PAC group handling
In which we make AS and TGS requests and verify the SIDs we expect are
returned in the PAC.
Example command to test against Windows Server 2019 functional level
2016 with FAST enabled:
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \
DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \
PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \
SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \
TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Nov 8 03:37:37 UTC 2022 on sn-devel-184
- - - - -
159054c3 by Joseph Sutton at 2022-11-08T08:21:19+00:00
third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 074e92849715ed3485703cfbba3771d405e4e78a)
- - - - -
b1cf93f7 by Volker Lendecke at 2022-11-08T08:21:19+00:00
heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a)
- - - - -
2803e76f by Volker Lendecke at 2022-11-08T09:23:52+00:00
smbd: Fix Bug 15221
In 4.17 process_symlink_open() will replace smb_fname_rel->base_name with the
link target relative to the share root. So if the link target ends up in a
subdirectory of a share, we put a target including a slash into the memcache.
Later access will trust the stat cache, passing the target directly to
openat_pathref_fsp() which will panic if it gets a real dirfsp and a relname
with a slash.
Name mangling is not required: Accessing a symlink pointing at a subdirectory
at least 2 levels deep in the share with a wrong upper/lower case combination
reproduces it.
This patch is really a workaround. The "real" fix would be to backport the
patches removing process_symlink_open() from master, but this is a bigger
change.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15221
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Tue Nov 8 09:23:52 UTC 2022 on sn-devel-184
- - - - -
30308137 by David Mulder at 2022-11-08T22:33:37+00:00
gp: Ignore crontab -l error, since it means empty
We should not fail when crontab -l errors, this
just means the crontab is empty.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 8 22:33:37 UTC 2022 on sn-devel-184
- - - - -
2fb7ac84 by Michael Tokarev at 2022-11-09T09:54:48+03:00
d/rules: stop stripping +dfsg suffix from ldb version, it makes no sense
..but it makes the same version string to be found everywhere
- - - - -
76adda9d by Stefan Metzmacher at 2022-11-09T11:18:02+00:00
lib/replace: fix memory leak in snprintf replacements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15230
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Nov 9 11:18:02 UTC 2022 on sn-devel-184
- - - - -
75d1f7a1 by Michael Tokarev at 2022-11-09T21:48:38+03:00
d/control: declare dependency on password (for groupadd in postinst) for winbind and samba (#1023759)
- - - - -
10537a89 by Jeremy Allison at 2022-11-09T20:34:07+00:00
s4: libcli: Ignore errors when getting A records after fetching AAAA records.
The target may only be available over IPv6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 9 20:34:07 UTC 2022 on sn-devel-184
- - - - -
4a68d43b by Andreas Schneider at 2022-11-09T23:15:07+00:00
third_party: Update nss_wrapper to version 1.1.13
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 9 23:15:07 UTC 2022 on sn-devel-184
- - - - -
12edd038 by Volker Lendecke at 2022-11-10T07:27:31+00:00
smbd: Some whitespace fixes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d9c4f94e by Volker Lendecke at 2022-11-10T07:27:31+00:00
smbd: Add "server addresses" parameter
This is a per-share parameter to limit share visibility and
accessibility to specific server IP addresses.
This can be used to limit the visibility and accessibility of shares
on different subnets offered by the server.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9321a533 by Volker Lendecke at 2022-11-10T07:27:31+00:00
lib: Add lp_allow_local_address()
Helper function for listing and accessing shares
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
23167a4d by Volker Lendecke at 2022-11-10T07:27:31+00:00
smbd: Implement "server addresses" for tree connect
Only allow share connections if the server address matches
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
e2448125 by Volker Lendecke at 2022-11-10T07:27:31+00:00
srvsvc: Only list shares in "server addresses"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
55feb593 by Volker Lendecke at 2022-11-10T07:27:31+00:00
testprogs: Add testit_grep_count() helper
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
f9a3a6b4 by Volker Lendecke at 2022-11-10T07:27:31+00:00
testprogs: Fix testit_expect_failure_grep()
Callers expect success (i.e. retval==0) if grep failed with non-zero
error status.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
09e9dd57 by Volker Lendecke at 2022-11-10T08:23:14+00:00
torture: Test the "server addresses" parameter
Thanks to Metze for the hint that all file servers already listen on 2
addressess -- V4 and V6 :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Nov 10 08:23:14 UTC 2022 on sn-devel-184
- - - - -
f2367b87 by Michael Tokarev at 2022-11-10T14:03:15+03:00
d/control: mark libufing-dev build dep with <!pkg.samba.nouring>
This makes it much easier to build samba packages on older distributions
where liburing does not exist (eg ubuntu focal)
- - - - -
9e40de8c by Michael Tokarev at 2022-11-10T15:56:26+03:00
d/rules: parametrise list of packages to omit (on ubuntu-i386) with ${omit-pkgs}
- - - - -
9be6aa6a by Michael Tokarev at 2022-11-10T16:03:47+03:00
d/rules: use variables in a more consistent way
- - - - -
08c8f439 by Michael Tokarev at 2022-11-10T16:03:51+03:00
enable pkg.samba.mitkrb5 build profile to build with system mit-kerberos5
- enable libkrb5-dev build dependency (>= 1.19.0),
- remove third_party/heimdal out of the way just in case
- (and move it back in "clean" target),
- add extra options to configure -- --with-system-mitkrb5,
- enable --with-experimental-mit-ad-dc,
- remove heimdal libraries from samba-libs.install (and a few other *.install)
(with <!mitkrb5> mark)
- adds few more files to winbind.install and samba.install
(with <mitkrb5> mark)
For now, all package names are the same no matter if the profile has been
enabled or not, but packages from different builds are obviously not
compatible with each other.
- - - - -
b089d4b2 by Michael Tokarev at 2022-11-10T16:08:20+03:00
for mitkrb5 build profile, add "mitkrb5" version suffix to certain packages
Having two builds of samba package, one with mitkrb5 profile and one without,
various packages from two builds are not compatible with each other, --
for example, samba built with mitkrb5 can not be used with samba-libs built
without mitkrb5 and vise versa. Add "mitkrb5" suffix to version of various
packages with direct =$version dependencies between each other, so that the
correct dependencies will be picked up.
This might be automated perhaps - everything which depends on samba-libs
with exact version should be marked with that version suffix.
- - - - -
3ad8e8d4 by David Mulder at 2022-11-12T00:34:34+00:00
gp: Password and Kerberos policies fail on unknown key
If unrecognized keys are set in the GptTmpl.inf,
the extensions would fail to apply.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2ea3adfd by David Mulder at 2022-11-12T01:34:17+00:00
gp: Test that Password and Kerberos policies fail on unknown key
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Nov 12 01:34:17 UTC 2022 on sn-devel-184
- - - - -
04f8f4aa by Michael Tokarev at 2022-11-13T17:16:38+03:00
d/rules: fix missing ldb:Depends for mitkrb5 case (and fix ifneq)
- - - - -
f65d34a9 by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: always define rados:Depends & vfsmods:Depends substvars
- - - - -
608658b3 by Michael Tokarev at 2022-11-13T17:25:15+03:00
unwrap-getresgid-typo.patch (https://bugzilla.samba.org/show_bug.cgi?id=15227)
(for the testsuite only)
- - - - -
4f37b118 by Michael Tokarev at 2022-11-13T17:25:15+03:00
nsswitch-pam-data-time_t.patch (https://bugzilla.samba.org/show_bug.cgi?id=15224)
- - - - -
5ba5b862 by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/control: tdb-tools and lmdb-utils packages are also needed for tests (commented out for now)
- - - - -
71fe244a by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: update knownfail tests
- - - - -
5925f01a by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: use single ${config-args} variable and move it a bit
- - - - -
3b0292d9 by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: make ${build-pkgs} non-recursively-expanding (minor)
- - - - -
a8d780a4 by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: little optimisations
- - - - -
0472e4bd by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: stop exporting buildflags, export compiler options when needed
We used to have DPKG_EXPORT_BUILDFLAGS=1, which means all buildflag
variables are exported to all commands make(1) run. But make(1)
evaluates each exported variable before running any external command,
so it had to run dpkg-buildflags once for *every* exported buildflag -
when not run under dpkg-buildpackage (which exports them all before
running ./debian/rules). This leads to a noticeable and annoying delay
each time running ./debian/rules manually to debug stuff. But samba
build system uses CFLAGS et al just once when configuring stuff, so
there is no reason to export all these variables for any command run
from d/rules *except* the configure step (two of them). Specify
CPPFLAGS, CFLAGS and LDFLAGS="${LDFLAGS} directly in there.
This speeds up plain d/rules invocations dramatically.
- - - - -
42f666e5 by Michael Tokarev at 2022-11-13T17:25:15+03:00
d/rules: some more little optimisations for variables and expansion
- - - - -
75deb9d8 by Michael Tokarev at 2022-11-13T17:25:16+03:00
update changelog
- - - - -
5d845fec by Joseph Sutton at 2022-11-13T15:38:16+01:00
CVE-2022-42898 third_party/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Heavily edited by committer Nico Williams <nico at twosigma.com>, original by
Joseph Sutton <josephsutton at catalyst.net.nz>.
Signed-off-by: Nico Williams <nico at twosigma.com>
[jsutton at samba.org Zero-initialised header_size in krb5_pac_parse() to
avoid a maybe-uninitialized error; added a missing check for ret == 0]
- - - - -
5e5de5df by Jule Anger at 2022-11-13T18:42:53+01:00
WHATSNEW: Add release notes for Samba 4.17.3.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
d9e0a10a by Michael Tokarev at 2022-11-14T10:46:33+03:00
do not check for smb.conf (errors) in samba-common-bin.postinst
The checks there has been introduced as a solution for #816301,
the problem was that samba restart failed during upgrade if
obsolete parameters were set in smb.conf. The check served
no purpose though, since the result is still the same: the
upgrade fails and no other (non-samba) packages are upgraded.
The only good outcome was a message printed about what's
wrong, instead of it being hidden in the logs when the failure
is during restart.
Now, there's also #616075, which says samba upgrade failure
should not prevent other packages from upgrading.
The right thing to do - in my opinion - is to let samba to check
the configuration, do not fail if samba restart failed (this
way other packages can still be upgraded), but display more
verbose error messages about the failures/errors if any.
With systemd it is easier to find, at least.
Remove the smb.conf check from samba-common-bin.postinst,
but add mkdir /run/samba to other .postinst scripts where
[samba-tool] testparam is being used to remove its useless
warning about missing /run/samba.
- - - - -
abc4495e by Jeremy Allison at 2022-11-14T17:13:36+00:00
s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fa4eba13 by Jeremy Allison at 2022-11-14T18:13:31+00:00
s3: smbd: Always use metadata_fsp() when processing fsctls.
Currently all fsctls we implement need the base fsp, not
an alternate data stream fsp. We may revisit this later
if we implement fsctls that operate on an ADS.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Walker <awalker at ixsystems.com>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Nov 14 18:13:31 UTC 2022 on sn-devel-184
- - - - -
096a323a by David Mulder at 2022-11-15T01:08:38+00:00
gp: Fix startup scripts add args
The args for the command could not be parsed
because samba-tool detects the '-' and thinks its
part of the samba-tool command.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3bee89c1 by David Mulder at 2022-11-15T01:08:38+00:00
gp: startup scripts add clarify 'args' option
Make sure it is clear how to specify args for the
command, and that multiple args can be passed
wrapped in quotes.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f04f205d by David Mulder at 2022-11-15T01:08:38+00:00
gp: startup scripts list enclude newline in output
The output for listing startup scripts wasn't
clear because there was no newline between
entries.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4321be51 by David Mulder at 2022-11-15T01:08:38+00:00
gp: Fix startup scripts list not fail with empty args
This fixes the startup scripts list command to
not fail when the parameters variable is empty.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
15696da0 by David Mulder at 2022-11-15T02:09:45+00:00
gp: Fix startup scripts add not always set runonce
The runonce is always being set because neither
True nor False is ever None.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 15 02:09:45 UTC 2022 on sn-devel-184
- - - - -
212ebbf7 by Jule Anger at 2022-11-15T08:05:46+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.3 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
e6c17f18 by Michael Tokarev at 2022-11-15T18:59:29+03:00
d/rules: more knownfail tests tweaks
- - - - -
23eb1eea by Michael Tokarev at 2022-11-15T19:03:17+03:00
New upstream version 4.17.3+dfsg
- - - - -
95fd24c3 by Michael Tokarev at 2022-11-15T19:04:16+03:00
Update upstream source from tag 'upstream/4.17.3+dfsg'
Update to upstream version '4.17.3+dfsg'
with Debian dir 7bf67646720324fb04dfbbdee8bdd796df7a670e
- - - - -
120f7790 by Jule Anger at 2022-11-15T17:13:45+01:00
Merge tag 'samba-4.17.3' into v4-17-test
samba: tag release samba-4.17.3
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
3e1f07b1 by Jule Anger at 2022-11-15T17:14:48+01:00
VERSION: Bump version up to Samba 4.17.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
756c2337 by Michael Tokarev at 2022-11-15T19:16:55+03:00
d/rules: comment out knownfail for schannel_anon_setpw for now
- - - - -
d3b3f7a8 by Michael Tokarev at 2022-11-15T19:21:49+03:00
d/rules: add ntvfs.cifs.ntlm.base.unlink.unlink(rpc_proxy) to knownfails
- - - - -
04169605 by Michael Tokarev at 2022-11-15T19:26:28+03:00
update changelog; upload 4.17.3+dfsg-1 to unstable
- - - - -
434f461e by Joseph Sutton at 2022-11-15T17:02:52+00:00
CVE-2022-42898 third_party/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Heavily edited by committer Nico Williams <nico at twosigma.com>, original by
Joseph Sutton <josephsutton at catalyst.net.nz>.
Signed-off-by: Nico Williams <nico at twosigma.com>
[jsutton at samba.org Zero-initialised header_size in krb5_pac_parse() to
avoid a maybe-uninitialized error; added a missing check for ret == 0]
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Nov 15 17:02:52 UTC 2022 on sn-devel-184
- - - - -
f0ca9546 by Jeremy Allison at 2022-11-16T06:00:56+00:00
s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
Can easily be seen by doing make test TESTS=fruit
and looking in st/nt4_dc/smbd_test.log.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Nov 16 06:00:56 UTC 2022 on sn-devel-184
- - - - -
0fd7b13e by Noel Power at 2022-11-16T09:58:44+00:00
s4:lib:tls: Don't negotiate session resumption with session tickets
tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.
This is needed because some servers (at least elasticsearch) wait till
they get 'Finished' messgage from the client before sending the
"New Ticket" message.
Without this patch what typcially happens is when the application code
sends data it then tries to read the response, but, instead of the
response to the request it actually recieves the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic e.g.
tstream_tls_readv_send
->tstream_tls_readv_crypt_next
->tstream_tls_retry_read
->gnutls_record_recv
instead of the core gnutls routines.
This results in the response processing failing due to the
currently 'unexpected' New Ticket message.
In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.
Signed-off-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184
- - - - -
7cb50405 by Jeremy Allison at 2022-11-16T15:09:45+00:00
nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184
- - - - -
ebaafb23 by Andreas Schneider at 2022-11-16T16:29:30+00:00
gitlab-ci: Update Fedora to version 37
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 16:29:30 UTC 2022 on sn-devel-184
- - - - -
f6284877 by Noel Power at 2022-11-16T19:29:21+00:00
nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184
- - - - -
17a110c1 by Jeremy Allison at 2022-11-17T04:58:28+00:00
s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE
compound. Internally the flush goes async and
we free the req, then we process the close.
When the flush completes it tries to access
already freed data.
Found using the Apple MacOSX client at SNIA SDC 2022.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6f149dfd by Jeremy Allison at 2022-11-17T04:58:28+00:00
s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH
compound if we immediately close the file afterward.
Internally the flushes go async and we free the req, then
we process the close. When the flushes complete they try to access
already freed data.
Extra test which will allow me to test when the final
component (flush) of the compound goes async and returns
NT_STATUS_PENDING.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e668c3a8 by Jeremy Allison at 2022-11-17T04:58:28+00:00
s3: smbd: Add utility function smbd_smb2_is_last_in_compound().
Not yet used. Returns true if we're processing the last SMB2 request in a
compound.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
26adf334 by Jeremy Allison at 2022-11-17T05:55:42+00:00
s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but the last operation in the list.
Async read and write go synchronous in the same case,
so do the same here.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Nov 17 05:55:42 UTC 2022 on sn-devel-184
- - - - -
ce3d27a9 by Andreas Schneider at 2022-11-18T18:17:28+00:00
s3:tests: Add substitution test for include directive
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
c213ead8 by Andreas Schneider at 2022-11-18T18:17:28+00:00
s3:tests: Add substitution test for listing shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f03665bb by Andreas Schneider at 2022-11-18T19:17:31+00:00
s3:rpc_server: Fix include directive substitution when enumerating shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Nov 18 19:17:31 UTC 2022 on sn-devel-184
- - - - -
d37272a2 by Michael Tokarev at 2022-11-21T20:41:36+03:00
fruit-disable-useless-size_t-overflow-check.patch (#974868)
- - - - -
8cd4aa4e by Michael Tokarev at 2022-11-21T20:41:36+03:00
CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
Fix regression on 32bit systems:
https://bugzilla.samba.org/show_bug.cgi?id=15203
- - - - -
244eeced by Michael Tokarev at 2022-11-21T20:42:11+03:00
update changelog; upload 4.17.3+dfsg-2 to unstable
- - - - -
4c2b4188 by David Mulder at 2022-11-21T21:01:30+00:00
gp: Test that samba-tool gpo manage lists gpme sudoers
The file format for storing the sudo rules
changed in samba-tool, but these can still be
added via the GPME. We should still include them
here.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cc0c784d by David Mulder at 2022-11-21T21:01:30+00:00
gp: Make samba-tool gpo manage sudoers list backward compatible
Ensure `samba-tool gpo manage sudoers list` is
backward compatible with the GPME sudo rules.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d0c4aebb by David Mulder at 2022-11-21T21:01:30+00:00
gp: Test that samba-tool gpo manage removes gpme sudoers
The file format for storing the sudo rules
changed in samba-tool, but these can still be
added via the GPME. We should still include them
here.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8d0d79ba by David Mulder at 2022-11-21T21:01:30+00:00
gp: Make samba-tool gpo manage sudoers remove backward compatible
Ensure `samba-tool gpo manage sudoers remove` is
backward compatible with the GPME sudo rules.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9f6cf276 by David Mulder at 2022-11-21T21:01:31+00:00
gp: samba-tool manage gpo access add don't fail w/out upn
The search response for the user could possibly
not include a upn (this happens with Administrator
for example).
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ca5f8072 by David Mulder at 2022-11-21T21:01:31+00:00
gp: PAM Access should implicitly deny ALL w/ allow
If an allow entry is specified, the PAM Access
CSE should implicitly deny ALL (everyone other
than the explicit allow entries).
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
59b5abbe by David Mulder at 2022-11-21T22:05:01+00:00
gp: Test PAM Access with DENY_ALL
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Nov 21 22:05:01 UTC 2022 on sn-devel-184
- - - - -
9735498f by Volker Lendecke at 2022-11-22T18:27:33+00:00
pam_winbind: Fix a memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9dddb9a2 by Volker Lendecke at 2022-11-22T18:27:33+00:00
lib: Make lib/util/iov_buf.h self-contained
We need "struct iovec", which comes in via sys/uio.h, incuded by
system/filesys.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0789dd69 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libcli: Make "attr_strs" static
This saves 70 bytes of .text, we don't need this on the stack.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cb6d9e7b by Volker Lendecke at 2022-11-22T18:27:33+00:00
idl: Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b7d4b8ea by Volker Lendecke at 2022-11-22T18:27:33+00:00
lib: Whitespace fixes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
71789c7f by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add template code
I've looked this up in my samples too often :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b4c45dec by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Fix removing a rogue reparse point
If you set a reparse point for which Windows server does not have a
handler, it returns NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED when you
later open it without FILE_OPEN_REPARSE_POINT.
See the discussion thread starting with
https://lists.samba.org/archive/cifs-protocol/2022-November/003888.html
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fdb7e91d by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Fix cli_smb2_fsctl_recv()
Untested code is broken code... data_blob_talloc() returns a NULL blob
for NULL/0 input.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c3d65f10 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Fix cli_fsctl()
Untested code is broken code. Found while testing symlinks over SMB1.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b7fd2cf5 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Add "DOMAIN" to authentication creds
If you want to create symlinks on Windows using reparse points, you
need to authenticate as local administrator, just "administrator" is
not enough. So this is required to run some tests against Windows.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f71bdfba by Volker Lendecke at 2022-11-22T18:27:33+00:00
tests: Fix an incorrect comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c14b8dc0 by Volker Lendecke at 2022-11-22T18:27:33+00:00
smbd: Factor out safe_symlink_target_path()
Small refactoring to make filename_convert_dirfsp() itself a bit
shorter using a subroutine.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9e07a818 by Volker Lendecke at 2022-11-22T18:27:33+00:00
smbd: Pass error_context_count through smbd_smb2_request_error_ex()
See [MS-SMB2] 2.2.2: This field MUST be set to 0 for SMB dialects
other than 3.1.1. For the SMB dialect 3.1.1, if this field is nonzero,
the ErrorData field MUST be formatted as a variable-length array of
SMB2 ERROR Context structures containing ErrorContextCount entries.
Not used right now yet, but once we start to return STOPPED_ON_SYMLINK properly
this is required.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f2c0f118 by Volker Lendecke at 2022-11-22T18:27:33+00:00
smbd: Pass unparsed_path_length to symlink_reparse_buffer_marshall()
[MS-FSCC] 2.1.2.4 Symbolic Link Reparse Data Buffer lists this field
as reserved, but [MS-SMB2] 2.2.2.2.1 Symbolic Link Error Response is
the exact same format with the reserved field as UnparsedPathLength.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3fbd4b27 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Keep name_utf16 around in smb2cli_create()
This is needed to pass up the "unparsed" part of the smb2 symlink
error response in unix charset form.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
218baae2 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Parse the smb2 symlink error response in smb2cli_create()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0c419b8a by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Return symlink error struct from smb2cli_create_recv()
Looks larger than it is, this just adds a parameter and while there
adapts long lines to README.Coding
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
18d6334c by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Pass symlink error up through cli_smb2_create_fnum_recv()
Not passing through the sync wrapper yet. Not needed right now, and
it's simple to add if required.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
37784b86 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Pass symlink error to create_ex exception
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
98a627b9 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add smb1_posix() to request smb1 posix extensions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7d133943 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add smb1_readlink()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
68a4be1e by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add smb1_symlink()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
99730a59 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add create options
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d79566c7 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add fsctl()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e7516fa9 by Volker Lendecke at 2022-11-22T18:27:33+00:00
libsmb: Factor out reparse_buffer_marshall from symlink_reparse_buffer_marshall()
Make it easier to play with reparse points
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7f63e98b by Volker Lendecke at 2022-11-22T18:27:33+00:00
libcli: Add python wappers to reparse_symlink.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5907dff3 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add FSCTL codes
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c33f3a38 by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add CreateDisposition values
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c58c826e by Volker Lendecke at 2022-11-22T18:27:33+00:00
pylibsmb: Add protocol()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
45091feb by Volker Lendecke at 2022-11-22T18:27:33+00:00
tests: Start testing reparsepoints
This still all fails, but if you run them against Windows they work.
How to run:
PYTHONPATH=bin/python \
LOCAL_PATH=/tmp \
SMB1_SHARE=share \
SMB2_SHARE=share \
SHARENAME=share \
SERVER_IP=<server-ip> \
DOMAIN=<your-domain> \
USERNAME=Administrator \
PASSWORD=<your-password> \
SMB_CONF_PATH=/usr/local/samba/etc/smb.conf \
SERVERCONFFILE="$SMB_CONF_PATH" \
python3 -m samba.subunit.run samba.tests.reparsepoints
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2e3e27f7 by Volker Lendecke at 2022-11-22T18:27:33+00:00
tests: Add nosymlinks_smb1allow share
The next commits will create symlinks via posix extensions to test the
smb2 symlink error return. Creating posix symlinks is not allowed with
follow symlinks = no, but it's currently our only way to create
symlinks over SMB. This could go away once we can create symlinks via
reparse points.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
09f8d4ac by Volker Lendecke at 2022-11-22T19:25:34+00:00
tests: Start testing smb2 symlink error returns
This still all fails, but if you run them against Windows they work.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 22 19:25:34 UTC 2022 on sn-devel-184
- - - - -
e3207e6c by Stefan Metzmacher at 2022-11-23T12:44:16+00:00
lib/replace: fix memory leak in snprintf replacements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15230
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Nov 9 11:18:02 UTC 2022 on sn-devel-184
(cherry picked from commit 76adda9d2fea9f93f4cf97536db5c0be6deeb98c)
- - - - -
560805be by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:tests: Add substitution test for include directive
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(backported from commit ce3d27a9f5a98b4680af5fb5a595b0e7e94f8c30)
- - - - -
969df454 by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:tests: Add substitution test for listing shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit c213ead8c4c1b5287294a67e65f271fbb0b922b2)
- - - - -
2c1b9574 by Andreas Schneider at 2022-11-23T12:44:16+00:00
s3:rpc_server: Fix include directive substitution when enumerating shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f)
- - - - -
2ce1a1ec by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use dirfsp->fsp_name->base_name
for glfs_getxattr() and return the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8cbd9e63724d80c06565d0c90bd107166dfd9bbe)
- - - - -
d904e80e by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Do not use glfs_fgetxattr() for SMB_VFS_GET_REAL_FILENAME_AT
glfs_fgetxattr() or generally fgetxattr() will return EBADF as dirfsp
here is a pathref fsp. GlusterFS client log had following entries
indicating the error:
W [MSGID: 114031] [client-rpc-fops_v2.c:993:client4_0_fgetxattr_cbk] \
0-vol-client-0: remote operation failed. [{errno=9}, {error=Bad file descriptor}]
Therefore use glfs_getxattr() only for implementing get_real_filename_at
logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 6a6bd1a0530424def64d2d462b54e4c1f4f9bebb)
- - - - -
9f307955 by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
Fallback mechanism was missing in vfs_gluster_fgetxattr() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_flistxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7af4bfe8285714c137b6347b17305c9cd0702bdd)
- - - - -
4a3dcb32 by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
It was unnecessary to construct full directory path as "dir/." which is
same as "dir". We could just directly use fsp->fsp_name->base_name and
return directory stream obtained from glfs_opendir().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Oct 12 12:48:50 UTC 2022 on sn-devel-184
(cherry picked from commit cc397175cb9a1b06f268ecf6b3d62f621947cbba)
- - - - -
9dbbce3f by Anoop C S at 2022-11-23T12:44:16+00:00
vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES
Fallback mechanism was missing in vfs_gluster_fntimes() for path based
call. Therefore adding a similar mechanism as seen with other calls like
vfs_gluster_fsetxattr, vfs_gluster_fgetxattr etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15198
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 5d91ecf01dce95400da5d6ac181144df1e32ca35)
- - - - -
d7e34c8b by Jeremy Allison at 2022-11-23T12:44:16+00:00
nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184
(cherry picked from commit 7cb50405515298b75dcc512633fb3877045aabc6)
- - - - -
50fd29d8 by Noel Power at 2022-11-23T13:56:46+00:00
nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184
(cherry picked from commit f6284877ce07fc5ddf4f4e2d824013b645d6e12c)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Nov 23 13:56:47 UTC 2022 on sn-devel-184
- - - - -
c37b4d79 by Stefan Metzmacher at 2022-11-23T16:22:55+00:00
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Nov 23 16:22:55 UTC 2022 on sn-devel-184
- - - - -
f738842a by Andrew Bartlett at 2022-11-24T11:01:37+00:00
tests: Replace OpenSSL MD4 invocation with a python3 call
This will allow the test to pass on Ubuntu 22.04 which has MD4 disabled
in OpenSSL by default.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
3dbe8fd6 by Andrew Bartlett at 2022-11-24T11:01:37+00:00
bootstrap: Spelling fix in bootstrap from Michael Tokarev
This could not previously be included as all changes require a full image rebuild
as they change the SHA1 hash.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
2dcd8369 by Joseph Sutton at 2022-11-24T11:01:37+00:00
bootstrap: Remove duplicate line from CentOS 8 powertools install
This was missed in 136ec5bc01e2648bae34a1158f923fbf5a86d561 when
we moved to CentOS 8 stream.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
1414269d by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
73ec7253 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
s4:messaging: add irpc_bh_do_ndr_print() in order to debug irpc calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
44192d5f by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
s4:kdc: make sure reset_bad_password_netlogon() stops subreq before return
We pass the stack variable 'req' to dcerpc_winbind_SendToSam_r_send(),
so we need to make sure the runtime of the subreq in not longer
than the stack variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4c2e1d62 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
s3:locking: relax __SHARE_MODE_LOCK_SPACE check for 32bit platforms
sizeof(struct share_mode_lock) is only 28 bytes instead of 32 bytes
on 32bit systems...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
6dddb268 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
lib/replace: let rep_openat2() inject O_LARGEFILE as needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15251
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
838f6207 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
third_party: Update socket_wrapper to version 1.3.5
This injects O_LARGEFILE as needed.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
dce639f8 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9ba10b97 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
selftest: samba-ktest-mit also needs $ENV{KRB5RCACHETYPE} = "none"
We need to pass --mitkrb5 to selftest.pl in all cases we use
system mit kerberos not only when we also test the kdc.
We can't use a replay cache in selftest verifies the stat.st_uid
against getuid().
BTW: while debugging this on ubuntu 22.04 I exported
KRB5_TRACE="/dev/stderr", which means we get tracing into
the servers log file and into selftest_prefix/subunit for the client...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
98c1e357 by Stefan Metzmacher at 2022-11-24T11:01:37+00:00
selftest: add --default-ldb-backend option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
95676825 by Stefan Metzmacher at 2022-11-24T12:05:26+00:00
gitlab-ci: do some basic testing on ubuntu1804-32bit
For now we allow build warnings and only do some basic testing.
We also ignore timestamp related problems, as well as some charset
failures.
Over time we should try to address the situation by not allowing warnings
and verify if expected failures are harmless or not.
But it's already much better then having no 32bit testing at all!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Nov 24 12:05:26 UTC 2022 on sn-devel-184
- - - - -
3b9ccfa4 by Ralph Boehme at 2022-11-24T16:39:12+00:00
net: use correct printf format, fi3_id is an uint32_t
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Nov 24 16:39:12 UTC 2022 on sn-devel-184
- - - - -
c8bf9495 by Stefan Metzmacher at 2022-11-25T06:07:32+00:00
vfs: fix the build of nfs4acl_xattr_ without rpc/xdr.h support
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Nov 25 06:07:32 UTC 2022 on sn-devel-184
- - - - -
fdb19ce8 by Ralph Boehme at 2022-11-28T09:19:33+00:00
torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
535a08df by Ralph Boehme at 2022-11-28T10:14:12+00:00
smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
Cf MS-FSA 2.1.5.14.2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 28 10:14:12 UTC 2022 on sn-devel-184
- - - - -
72004f8f by Jeremy Allison at 2022-11-29T10:26:37+00:00
s3: smbd: Add SMB2_FILE_POSIX_INFORMATION getinfo info level (100 on the wire).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
2c1a02d6 by Jeremy Allison at 2022-11-29T10:26:37+00:00
smbd: Plumb SMB2_FIND_POSIX_INFORMATION through the directory reading code.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
99de8d7c by David Mulder at 2022-11-29T10:26:37+00:00
libsmb: Make info_level configurable in dir listing
This was hard coded to SMB2_FIND_ID_BOTH_DIRECTORY_INFO
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
28478799 by David Mulder at 2022-11-29T10:26:37+00:00
libsmb: Allow listing with posix context
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
7c2f08d5 by David Mulder at 2022-11-29T10:26:37+00:00
tests/s3: Test SMB2_FIND_POSIX_INFORMATION dir query
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
08226d6c by David Mulder at 2022-11-29T10:26:37+00:00
smbd: Implement SMB2_FILE_POSIX_INFORMATION in smbd_marshall_dir_entry
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f0e11374 by David Mulder at 2022-11-29T10:26:37+00:00
tests/s3: Test reserved chars in posix filename
Disabled because we don't handle posix paths
correctly yet.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f481cd4a by David Mulder at 2022-11-29T10:26:37+00:00
libcli: Add client support for SMB2_FILE_POSIX_INFORMATION
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
160173ee by David Mulder at 2022-11-29T10:26:37+00:00
tests/s3: Test delete on close with SMB3 posix
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
09c8426b by David Mulder at 2022-11-29T10:26:37+00:00
tests/s3: Test case sensitive open with SMB3 posix
Disabled because we don't handle posix paths
correctly yet.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
a73d9032 by David Mulder at 2022-11-29T10:26:37+00:00
tests/s3: Test file/dir permissions with SMB3 posix
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
bdb98c83 by David Mulder at 2022-11-29T10:26:37+00:00
smbd: Implement SMB2_FS_POSIX_INFORMATION_INTERNAL
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
d0ad452f by David Mulder at 2022-11-29T10:26:38+00:00
s3: smbd: store_smb2_posix_info hide info for '..'
When receiving a query for '..', hide the owner
and group sids, the inode, and the dev id.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
bbc82a5d by David Mulder at 2022-11-29T10:26:38+00:00
s3: Test that store_smb2_posix_info hides info for '..'
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
357bafe6 by Volker Lendecke at 2022-11-29T11:23:58+00:00
smbd: Allow POSIX getinfo levels for smb3 unix extensions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Nov 29 11:23:58 UTC 2022 on sn-devel-184
- - - - -
49b40a13 by Andreas Schneider at 2022-12-01T15:03:19+00:00
s4:torture: Fix segfault in multichannel test
The timer for the timeout_cb() handler was created on a memory context
which doesn't get freed, so the timer was still valid when running
the next test and fired there. It was then writing into random memory
leading to segfaults.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Dec 1 15:03:19 UTC 2022 on sn-devel-184
- - - - -
f5b2ae58 by Jeremy Allison at 2022-12-01T15:04:58+00:00
s3: tests: Change smb2.compound_async to run against share aio_delay_inject instead of tmp.
It doesn't hurt the fsync compound async tests, and we need this for
the next commits to ensure smb2_read/smb2_write compound tests take
longer than 500ms so can be sure the last read/write in the compound
will go async.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
48b12f11 by Jeremy Allison at 2022-12-01T15:04:58+00:00
s4: torture: Tweak the compound padding basefile test to send 3 reads instead of 2, and check the middle read padding.
The protocol allows the last read in a related compound to be split
off and possibly go async (and smbd soon will do this). If the
last read is split off, then the padding is different. By sending
3 reads and checking the padding on the 2nd read, we cope with
the smbd change and are still correctly checking the padding
on a compound related read.
Do this for the base filename compound padding test.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
fc6c76e6 by Jeremy Allison at 2022-12-01T15:04:58+00:00
s4: torture: Tweak the compound padding streamfile test to send 3 reads instead of 2, and check the middle read padding.
The protocol allows the last read in a related compound to be split
off and possibly go async (and smbd soon will do this). If the
last read is split off, then the padding is different. By sending
3 reads and checking the padding on the 2nd read, we cope with
the smbd change and are still correctly checking the padding
on a compound related read.
Do this for the stream filename compound padding test.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ffd9b94f by Jeremy Allison at 2022-12-01T15:04:58+00:00
s4: torture: Add compound_async.write_write test to show we don't go async on the last write in a compound.
Add knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
088b8a1e by Jeremy Allison at 2022-12-01T15:04:58+00:00
s4: torture: Add compound_async.read_read test to show we don't go async on the last read in a compound.
Add knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0bb48107 by Jeremy Allison at 2022-12-01T15:04:58+00:00
s3: smbd: Fix schedule_aio_smb2_write() to allow the last write in a compound to go async.
Remove knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
39df9f4a by Jeremy Allison at 2022-12-01T16:04:07+00:00
s3: smbd: Fix schedule_smb2_aio_read() to allow the last read in a compound to go async.
Remove knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Dec 1 16:04:07 UTC 2022 on sn-devel-184
- - - - -
23e3c41d by Michael Tokarev at 2022-12-01T21:17:44+03:00
d/control: winbind should depend on the same binary:Version of libwbclient
Without this dependency, shlib:Depends asks for libwbclient0 >= 2:4.5.0+dfsg,
but that one used different wbclient <=> winbind protocol, so any wbinfo
run resulted in something like
failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
Thank you Stefan Weichinger for the patience while finding this one!
- - - - -
32b93eda by Michael Tokarev at 2022-12-01T22:35:54+03:00
libnss-winbind: add postinst/postrm scripts to add/remove nsswitch.conf entry
Theres dh-sequence-installnss in bookworm+, but it mjt dislikes
that one, - it is trivial to do that in plain sed.
- - - - -
136ad597 by Michael Tokarev at 2022-12-01T22:40:13+03:00
update changelog; upload 4.17.3+dfsg-3 to unstable
- - - - -
4e18e923 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
util: add stable sort functions
Sometimes (e.g. in lzxpress Huffman encoding, and in some of our
tests: c.f. https://lists.samba.org/archive/samba-technical/2018-March/126010.html)
we want a stable sort algorithm (meaning one that retains the previous
order of items that compare equal).
The GNU libc qsort() is *usually* stable, in that it first tries to
use a mergesort but reverts to quicksort if the necessary allocations
fail. That has led Samba developers to unthinkingly assume qsort() is
stable which is not the case on many platforms, and might not always
be on GNU/Linuxes either.
This adds four functions. stable_sort() sorts an array, and requires
an auxiliary working array of the same size. stable_sort_talloc()
takes a talloc context so it ca create a working array and call
stable_sort(). stable_sort_r() takes an opaque context blob that gets
passed to the compare function, like qsort_r() and ldb_qsort(). And
stable_sort_talloc_r() rounds out the quadrant.
These are LGPL so that the can be used in ldb, which has problems with
unstable sort.
The tests are borrowed and extended from test_ldb_qsort.c.
When sorting non-trivial structs this is roughly as fast as GNU qsort,
but GNU qsort has optimisations for small items, using direct
assignments of rather than memcpy where the size allows the item to be
cast as some kind of int.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e24efb88 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
fuzz: add fuzzers for stable_sort
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
f6cda06d by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: move lzxpress_plain test into tests/
We are going to add more tests for lib/compression, and they can't all
be called "testsuite.c".
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
7cff3ce2 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
test/source_chars: ignore testdata/compression
We are going to have all kinds of rubbish there.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
bd35feaf by Douglas Bagnall at 2022-12-01T22:56:39+00:00
testdata: add test vectors for LZ77+Huffman [de-]compression
Some of the decompressed files were found via fuzzing, some are public
domain texts, and some are designed to test one aspect or another of
the format. For example, some aspects of Huffman tree creation can
only be tested when there is an extreme imbalance in the frequency of
symbols.
See the README for what files are where.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
f86035c6 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: add LZ77 + Huffman decompression
This format is described in [MS-XCA] 2.1 and 2.2, with exegesis in
many posts on the cifs-protocol list[1].
The two public functions are:
ssize_t lzxpress_huffman_decompress(const uint8_t *input,
size_t input_size,
uint8_t *output,
size_t output_size);
uint8_t *lzxpress_huffman_decompress_talloc(TALLOC_CTX *mem_ctx,
const uint8_t *input_bytes,
size_t input_size,
size_t output_size);
In both cases the caller needs to know the *exact* decompressed size,
which is essential for decompression. The _talloc version allocates
the buffer for you, and uses the talloc context to allocate a 128k
working buffer. THe non-talloc function will allocate the working
buffer on the stack.
This compression format gives better compression for messages of
several kilobytes than the "plain" LXZPRESS compression, but is
probably a bit slower to decompress and is certainly worse for very
short messages, having a fixed 256 byte overhead for the first Huffman
table.
Experiments show decompression rates between 20 and 500 MB per second,
depending on the compression ratio and data size, on an i5-1135G7 with
no compiler optimisations.
This compression format is used in AD claims and in SMB, but that
doesn't happen with this commit.
I will not try to describe LZ77 or Huffman encoding here. Don't expect
an answer in MS-XCA either; instead read the code and/or Wikipedia.
[1] Much of that starts here:
https://lists.samba.org/archive/cifs-protocol/2022-October/
but there's more earlier, particularly in June/July 2020, when
Aurélien Aptel was working on an implementation that ended up in
Wireshark.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
d4e3f0c8 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: LZ77 + Huffman compression
This compresses files as described in MS-XCA 2.2, and as decompressed
by the decompressor in the previous commit.
As with the decompressor, there are two public functions -- one that
uses a talloc context, and one that uses pre-allocated memory. The
compressor requires a tightly bound amount of auxillary memory
(>220kB) in a few different buffers, which is all gathered together in
the public struct lzxhuff_compressor_mem. An instantiated but not
initialised copy of this struct is required by the non-talloc
function; it can be used over and over again.
Our compression speed is about the same as the decompression speed
(between 20 and 500 MB/s on this laptop, depending on the data), and
our compression ratio is very similar to that of Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
955214ef by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression/lzhuff: add debug flag to skip LZ77
Encoding without LZ77 matches is valid, and it is useful for isolating
bugs.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
77048aaa by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: debug routines for lzxpress-huffman
If you need to see a Huffman tree (and sometimes you do), set
DEBUG_HUFFMAN_TREE to true at the top of lzxpress_huffman.c, and run:
make bin/test_lzx_huffman && bin/test_lzx_huffman
Actually, that will show you hundreds of trees, and you'll be glad of
that if you are ever trying to understand this.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e7959850 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression/tests: add lzhuffman timer functions
With LZXHUFF_DEBUG_VERBOSE set, we measure the compression and
decompression rate relative to the decompressed size.
On reasonably long strings on my laptop, compiled with -O0, it turns
out to between 20 and 500 MB/s, both ways, depending on the complexity
of the string. Very short strings are of course dominated by overhead.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
cda3c1a2 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
fuzz: add fuzz_lzxpress_huffman_decompress
Most strings will not successfully decompress, which is OK. What we
care about of course is memory safety.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
307aded6 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
fuzz: add fuzz_lzxpress_huffman_compress
This differs from fuzz_lzxpress_huffman_round_trip (next commit) in
that the output buffer might be too small for the compressed data, in
which case we want to see an error and not a crash.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e58e9935 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
fuzz: add fuzz_lzxpress_huffman_round_trip
This compresses some data, decompresses it, and asserts that the
result is identical to the original string.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
bce33816 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: add a debug script to describe headers
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
dadecede by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: helper script to make unbalanced data
Huffman tree re-quantisation and perhaps other code paths are only
triggered by pathological data like this.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
7804570a by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: script to test 3 byte hash
Compression uses a 3 byte hash remember LZ77 matches in a 14-bit table.
This script runs the hash over all 16M combinations, then again over
all ASCII combinations, counting collisions to find hot-spots.
If you think you have a better hash, you are probably right, but you
should try it here -- alter h() -- before committing to it. This one is
literally the first one I thought of.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
6a7c0ca2 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: Windows utility to generate test vectors
If compiled on Windows using Cygwin, MSYS2, or similar, this will output
compressed versions of files exactly as specified by MZ-XCA, if the
following conditions are met:
1. The file > 300 bytes.
2. The compressed file is smaller than the decompressed file.
Otherwise it returns the data unchanged. Without warning; that's just
how the API works.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
1a3d8da7 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: test util to generate fuzzing seeds
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e5f9deed by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression: add test scripts README
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
1f0aea77 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
selftest: be less confident in commending st/summary
st/summary is useless. If you'll find anything, it'll be in st/subunit.
However, in case *something* useful ever ends up there we still mention it.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
c2db7fda by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/comression: convert test_lzxpress_plain to cmocka
Mainly so I can go
make bin/test_lzxpress_plain && bin/test_lzxpress_plain
valgrind bin/test_lzxpress_plain
rr bin/test_lzxpress_plain
rr replay
in a tight loop.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
9589f528 by Douglas Bagnall at 2022-12-01T22:56:39+00:00
lib/compression/lzx-plain: relax size requirements on long file
We are going to change from a slow exact match algorithm to a fast
heuristic search that will not always get the same results as the
exhaustive search.
To be precise, a million zeros will compress to 112 rather than 93 bytes.
We don't insist on an exact size, because that is not an issue here.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
ce7ea07d by Douglas Bagnall at 2022-12-01T22:56:40+00:00
testdata: move compression examples to re-use with lzxpress plain
Everything that is in testdata/compression/lzxpress-huffman/ can also
be used for lzxpress plain tests, which is something we really need.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
c0f28d71 by Douglas Bagnall at 2022-12-01T22:56:40+00:00
lib/compression: add test data for lzxpress plain compression
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e4066b2b by Douglas Bagnall at 2022-12-01T22:56:40+00:00
lib/compression: more tests for lzxpress plain compression
These are based on (i.e. copied and pasted from) the LZ77 + Huffman
tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
fb35cf29 by Douglas Bagnall at 2022-12-01T22:56:40+00:00
lib/compression/lzxpress compression: use a write context struct
This will make it possible to move encoding operations into helper
functions, which will make it easier to restructure the code to use a
hash table for faster matching.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
caa643e3 by Douglas Bagnall at 2022-12-01T22:56:40+00:00
lib/compression/lzxpress: shift encoding into helper functions
This makes it easier to rework the encoding decision to depend on a
hash table match rather than the current exhaustive search.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
d9c19254 by Douglas Bagnall at 2022-12-02T00:00:04+00:00
lib/compression/lzxpress: fix our slow compression
This uses the same hash table method as lzxpress_huffman, though the
code can't be directly reused as the sizes of the offsets is
different, and there is not a block processing step here.
This will worsen the compression ratio compared to the exhaustive
search we previously used, though we still perform better than
Windows. To put numbers on it, the test files used to compress to 0.91
of Windows' compression size, and now they compress to 0.96.
On the other hand this is many orders of magnitude faster. It is
difficult to say exactly how much faster -- while the testsuite time
has only improved 200-fold (from 7 minutes to 2 seconds), most of the
remaining 2 seconds is used in data generation and management, not
compression. OSSFuzz consistently finds new vectors that time out
after a minute; on these we'll see nearly an order of magnitude of
orders of magnitude inprovement.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Fri Dec 2 00:00:04 UTC 2022 on sn-devel-184
- - - - -
1f3826a7 by Christof Schmitt at 2022-12-02T07:00:31+00:00
posix_acls: Remove redundant call to save mode
The same assignment is already done earlier, and nothing is changed in
between.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
eeb8a66b by Christof Schmitt at 2022-12-02T07:00:31+00:00
posix_acl: Move chown checks to new function
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
bfb4b368 by Christof Schmitt at 2022-12-02T07:00:31+00:00
nfs4_acls: Call chown_if_needed function to remove duplicate code
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
154a0613 by Christof Schmitt at 2022-12-02T07:00:31+00:00
posix_acls: Make try_chown and unpack_nt_owners static
These functions are now only called from check_chown in posix_acls.c
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
1d37c641 by Michael Tokarev at 2022-12-02T10:34:22+03:00
fix typo in fruit patch
- - - - -
d5e13a3b by Michael Tokarev at 2022-12-02T10:34:22+03:00
create samba-ad-provision package with contents of /usr/share/samba/setup
- - - - -
ed8adfa9 by Michael Tokarev at 2022-12-02T10:55:47+03:00
samba-ad-provision.lintian-overrides: license files
- - - - -
cffe96ef by Christof Schmitt at 2022-12-02T08:02:13+00:00
nfs4_acl: Add comment for setting ACL as root
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Dec 2 08:02:13 UTC 2022 on sn-devel-184
- - - - -
de6ef497 by Michael Tokarev at 2022-12-02T11:59:23+03:00
d/control: samba breaks older samba-ad-provision to ensure the latter is fresh enough
- - - - -
45f39d43 by Michael Tokarev at 2022-12-02T11:59:32+03:00
print meaningful error message if samba-ad-provision is not installed
- - - - -
788634a5 by Michael Tokarev at 2022-12-02T14:12:02+03:00
print meaningful error message if python3-markdown is not installed
- - - - -
fe488e50 by Michael Tokarev at 2022-12-02T14:12:02+03:00
a few more spelling fixes
- - - - -
c3026ded by Michael Tokarev at 2022-12-02T14:12:02+03:00
d/patches/spelling.patch: add DEP-3 description
- - - - -
4848658f by Michael Tokarev at 2022-12-02T14:12:02+03:00
mark d/patches/heimdal-rfc3454 with Forwaded: not-needed
- - - - -
2423a6f9 by Michael Tokarev at 2022-12-02T14:12:02+03:00
ctdb: move rundir from /var/run to /run
- - - - -
1fa738c1 by Michael Tokarev at 2022-12-02T14:15:34+03:00
d/libnss-winbind.{postinst,postrm}: add #DEBHELPER# tokens
- - - - -
f7d093f3 by Michael Tokarev at 2022-12-02T14:17:49+03:00
d/samba.lintian-overrides: remove mentions of /var/spool/samba (moved to /var/tmp/)
- - - - -
a451fa5e by Andreas Schneider at 2022-12-04T09:12:30+00:00
lib:compression: Initialize variables
lib/compression/tests/test_lzx_huffman.c: In function ‘test_lzxpress_huffman_overlong_matches’:
lib/compression/tests/test_lzx_huffman.c:1013:35: error: ‘j’ may be used uninitialized [-Werror=maybe-uninitialized]
1013 | assert_int_equal(score, i * j);
| ^
lib/compression/tests/test_lzx_huffman.c:979:19: note: ‘j’ was declared here
979 | size_t i, j;
| ^
lib/compression/tests/test_lzx_huffman.c: In function ‘test_lzxpress_huffman_overlong_matches_abc’:
lib/compression/tests/test_lzx_huffman.c:1059:39: error: ‘k’ may be used uninitialized [-Werror=maybe-uninitialized]
1059 | assert_int_equal(score, i * j * k);
| ^
lib/compression/tests/test_lzx_huffman.c:1020:22: note: ‘k’ was declared here
1020 | size_t i, j, k;
| ^
lib/compression/tests/test_lzx_huffman.c:1059:35: error: ‘j’ may be used uninitialized [-Werror=maybe-uninitialized]
1059 | assert_int_equal(score, i * j * k);
| ^
lib/compression/tests/test_lzx_huffman.c:1020:19: note: ‘j’ was declared here
1020 | size_t i, j, k;
| ^
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Sun Dec 4 09:12:30 UTC 2022 on sn-devel-184
- - - - -
db20e088 by Michael Tokarev at 2022-12-05T08:34:27+03:00
create samba-ad-dc metapackage
- - - - -
c0d7642a by Andreas Schneider at 2022-12-05T07:19:35+00:00
testprogs: If built against system db use the system tools in test_primary_group.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
4b9d1b36 by Andreas Schneider at 2022-12-05T07:19:35+00:00
testprogs: If built against system db use the system tools in test_trust_token.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
9a97e54f by Andreas Schneider at 2022-12-05T07:19:35+00:00
testprogs: If built against system db use the system tools in test_net_ads_dns.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
7d8347e8 by Andreas Schneider at 2022-12-05T07:19:35+00:00
testprogs: If built against system db use the system tools in ldapcmp_restoredc.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
5f2565f0 by Andreas Schneider at 2022-12-05T08:22:29+00:00
testprogs: Do not run tests if undump.sh is not available
We don't include source4/selftest/provisions/ in source tarballs!
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Dec 5 08:22:29 UTC 2022 on sn-devel-184
- - - - -
5ea3a15b by Mikhail Novosyolov at 2022-12-05T08:37:34+00:00
manpages: samba-dcerpcd: fix typo (add missing space)
Signed-off-by: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
a019803d by Ralph Boehme at 2022-12-05T09:26:17+00:00
torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fdb19ce8aa189f6cfbd2d1fd7ed6fe809ba93cf3)
- - - - -
b97d31ab by Andreas Schneider at 2022-12-05T09:36:40+00:00
nsswitch:tests: Use ldb(modify|search) from the system
If Samba is built against the system libldb, use the system tools.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Dec 5 09:36:40 UTC 2022 on sn-devel-184
- - - - -
404ca2b6 by Ralph Boehme at 2022-12-05T10:23:58+00:00
smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
Cf MS-FSA 2.1.5.14.2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 28 10:14:12 UTC 2022 on sn-devel-184
(cherry picked from commit 535a08dfc4c045d7b0c0ed335f76b5d560dd7bbd)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Dec 5 10:23:58 UTC 2022 on sn-devel-184
- - - - -
48fcc191 by Michael Tokarev at 2022-12-05T14:38:52+03:00
d/samba-libs.lintian-overrides: fix heimdal override to be understood by old lintian too, so the package can be uploaded
- - - - -
aa6c7b6a by Michael Tokarev at 2022-12-05T14:40:23+03:00
update changelog; upload 4.17.3+dfsg-4 to unstable (with new packages)
- - - - -
ef8c8ac5 by Andreas Schneider at 2022-12-05T12:05:24+00:00
s3:utils: Fix stack smashing in net offlinejoin
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8
==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
#0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
#1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
#2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
#3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
#4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
#5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
#6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Dec 5 12:05:24 UTC 2022 on sn-devel-184
- - - - -
7fe3fab6 by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: IO_REPARSE_TAG_NOT_HANDLED is acceptable for unlink
This happens when a path has an unknown reparse point in the middle
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
62302849 by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Show that a directory with a reparse point can't be populated
Works against Windows 2016
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
73233bc3 by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Show that we can write to a reparse point file
Works against Windows 2016
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
f10f259e by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Fix use of self.assertRaises()
The with statement creates a new variable. I thought it opens a block
where "e" is only valid in that block. But instead it runs the whole
thing, expecting an exception somewhere. Learning python....
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
7239d756 by Volker Lendecke at 2022-12-05T15:06:32+00:00
lib: Add symlink trust flags from dochelp
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
ec86c377 by Volker Lendecke at 2022-12-05T15:06:32+00:00
pylibsmb: Add symlink flags
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
b58f5f33 by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Ignore symlink trusts flags in symlink error returns
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
96580c8e by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Try setting a 0-sized reparse point
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
0996ccdb by Volker Lendecke at 2022-12-05T15:06:32+00:00
tests: Test error codes for SET_REPARSE_POINT
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
- - - - -
a1a0a711 by Volker Lendecke at 2022-12-05T15:06:32+00:00
smbd: Slightly simplify smb_posix_unlink()
We did check VALID_STAT() above.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4be2569c by Volker Lendecke at 2022-12-05T15:06:32+00:00
smbd: Fix a comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
f1713102 by Volker Lendecke at 2022-12-05T15:06:32+00:00
libsmb: Make readlink issue posix_readlink
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
a7f4ed09 by Volker Lendecke at 2022-12-05T15:06:32+00:00
smbclient: Use cli_readlink
Make smbclient's readlink command also work for SMB2 reparse style
symlink.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
71772c48 by Volker Lendecke at 2022-12-05T15:06:32+00:00
libsmb: Remove sync cli_posix_readlink() wrapper
cli_readlink() now covers smb1 posix extensions as well
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
453f846e by Volker Lendecke at 2022-12-05T15:06:32+00:00
smbd: No dfs_filename_convert() in filename_convert_smb1_search_path()
We further down call filename_convert_dirfsp(), which also has this
call. No need to copy that code here as well.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
f31fb6e1 by Volker Lendecke at 2022-12-05T15:06:32+00:00
smbd: Simplify readlink_talloc()
SMB_VFS_READLINKAT() just looks at the basename, we can avoid the
relname being talloc'ed
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
6ea1af28 by Volker Lendecke at 2022-12-05T16:06:51+00:00
smbd: Simplify symlink_target_below_conn()
readlink_talloc() deals exactly the same way with a NULL relname
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Dec 5 16:06:51 UTC 2022 on sn-devel-184
- - - - -
9925a0fc by Michael Tokarev at 2022-12-06T09:54:14+03:00
d/salsa-ci.yml: instead of allowing blhc to (always) fail, disable it
- - - - -
f3a76346 by Michael Tokarev at 2022-12-06T09:54:51+03:00
d/salsa-ci.yml: disable crossbuild-arm64 test (samba does not cross-build)
- - - - -
0a8c83c9 by Michael Tokarev at 2022-12-06T10:55:46+03:00
d/salsa-ci.yml: reprotest is now fixed
- - - - -
f569f2c1 by Noel Power at 2022-12-06T10:38:56+00:00
python/samba: use s3 param samba config parsing
follup to commit: b4d7540bb4798e6801accf34a26fc0f2636bdd1f
fix another instance to use s3 config parsing which is more
forgiving (e.g. include directives that point to non existing
files are ignored)
Signed-off-by: Noel Power <npower at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Dec 6 10:38:56 UTC 2022 on sn-devel-184
- - - - -
0c2146eb by Anoop C S at 2022-12-06T11:39:16+00:00
lib/compression: Include missing stat header file
<sys/stat.h> was missing from compression library tests which resulted
in the following compile time error:
../../lib/compression/tests/test_lzx_huffman.c: In function
‘datablob_from_file’:
../../lib/compression/tests/test_lzx_huffman.c:383:21: error:
storage size of ‘s’ isn’t known
383 | struct stat s;
| ^
../../lib/compression/tests/test_lzx_huffman.c:389:15: warning:
implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]
389 | ret = fstat(fileno(fh), &s);
| ^~~~~
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Dec 6 11:39:16 UTC 2022 on sn-devel-184
- - - - -
c258b48d by Andreas Schneider at 2022-12-06T12:39:53+00:00
s3:utils: Fix stack smashing in net offlinejoin
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8
==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
#0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
#1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
#2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
#3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
#4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
#5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
#6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit ef8c8ac54cdf75ca4333223c1f3e580e31efca92)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Tue Dec 6 12:39:53 UTC 2022 on sn-devel-184
- - - - -
5a029159 by Andrew Bartlett at 2022-12-06T12:40:35+00:00
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
A new file will shorlty fail as it is binary input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
68fc909a by Nicolas Williams at 2022-12-06T13:41:05+00:00
CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184
- - - - -
7b90f5c8 by Andrew Bartlett at 2022-12-06T15:06:10+00:00
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
A new file will shorlty fail as it is binary input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5a02915913a2410904886e186ada90a36492571f)
- - - - -
7bb1180c by Nicolas Williams at 2022-12-06T16:03:55+00:00
CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184
(cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Tue Dec 6 16:03:55 UTC 2022 on sn-devel-184
- - - - -
9e9c5c14 by Volker Lendecke at 2022-12-06T22:37:30+00:00
smbd: Centralize error handling in smbd_smb2_create_after_exec()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
99480c50 by Volker Lendecke at 2022-12-06T23:37:52+00:00
smbd: Close the opened file in smbd_smb2_create_after_exec() error case
smbd_smb2_create_after_exec() is only called when the file has
successfully been opened. When this fails in the middle, we can't
leave the fsp around. Hard to test with current code, but with reparse
point handling we'll have a reproducable case soon.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Dec 6 23:37:52 UTC 2022 on sn-devel-184
- - - - -
47110d7e by Michael Tokarev at 2022-12-07T13:05:11+03:00
d/genshlibs: sort shlibs files to make build reproducible
- - - - -
9986fd39 by Michael Tokarev at 2022-12-08T14:28:16+03:00
d/autodeps.py, d/library-equivalents: remove
- - - - -
70e8da42 by Pavel Filipenský at 2022-12-08T16:06:48+00:00
s3:libads: Fix debug message
652c8ce1 has introduced talloc_move() which zeroes kdc_str
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Dec 8 16:06:48 UTC 2022 on sn-devel-184
- - - - -
67042d95 by Sushmita Bhattacharya at 2022-12-09T23:11:37+00:00
Fix memleak in _nss_winbind_initgroups_dyn
Free the response at the end of _nss_winbind_initgroups_dyn
Signed-off-by: Sushmita Bhattacharya <sushmita.bhattacharya at oracle.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d1dd3f3d by Ralph Boehme at 2022-12-09T23:11:37+00:00
smbd: factor out reference_smb_fname_fsp_link() from parent_pathref()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7f20625f by Ralph Boehme at 2022-12-09T23:11:37+00:00
smbd: use reference_smb_fname_fsp_link() in rename_internals_fsp()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0226e0c3 by Ralph Boehme at 2022-12-09T23:11:37+00:00
smbd: add fsp_search_ask_sharemode() and fsp_getinfo_ask_sharemode()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f0e0fc17 by Ralph Boehme at 2022-12-09T23:11:37+00:00
smbd: use fsp_search_ask_sharemode() and fsp_getinfo_ask_sharemode()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
46ac8daa by Ralph Boehme at 2022-12-09T23:11:37+00:00
smbd: use fsp_getinfo_ask_sharemode() in open_file_ntcreate()
Note: this is a behaviour change in the non-default case when the user
has disabled "getinfo ask sharemode".
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a9c6a329 by Stefan Metzmacher at 2022-12-09T23:11:37+00:00
s3:locking: re-add saved_errno handling to fd_close_posix()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
19a01749 by Ralph Boehme at 2022-12-09T23:11:38+00:00
s3/locking: Revert "s3:locking: Remove dead code"
This reverts commit de493a3e3b5b8d54f62c45072e27f2fefd4af43a:
s3:locking: Remove dead code
Found by Coverity.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
dbwrap_do_locked() correctly returns saved_errno which is a possible
errno returned by close() inside fd_close_posix_fn().
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
aa8b0ef8 by Ralph Boehme at 2022-12-09T23:11:38+00:00
smbd: debug in smbd_smb2_close_send()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0db39fad by Ralph Boehme at 2022-12-09T23:11:38+00:00
g_lock: check for zero timeout in g_lock_lock()
If the record is already locked check if the requested timeout is zero
and fail directly with NT_STATUS_LOCK_NOT_GRANTED.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6cc866b5 by Ralph Boehme at 2022-12-09T23:11:38+00:00
smbd: introduce 'delete_on_close' helper variables
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8ccbbbd4 by Stefan Metzmacher at 2022-12-09T23:11:38+00:00
s3:locking: split out del_share_mode_open_id()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8a2c763d by Ralph Boehme at 2022-12-09T23:11:38+00:00
lib/cmdline/tests: add missing includes
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
09a844c6 by Ralph Boehme at 2022-12-09T23:11:38+00:00
vfs_zfsacl: remove unused function
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
043ce404 by Ralph Boehme at 2022-12-09T23:11:38+00:00
vfs_zfsacl: fix mixed declaration and code error
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fba4b290 by Ralph Boehme at 2022-12-09T23:11:38+00:00
s4:torture: remove remaining checks if alloc_size is 0 on empty files
commit 55b2f247f9ba56516efba52481418966a777343e already remove a few of these,
but a few remained.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9e1c2fed by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: add another simple DOS attributes test
- create file with ARCHIVE
- open file with ARCHIVE+HIDDEN+...
- check DOS attrs are still only ARCHIVE from the initial create
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c0be0b68 by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: increase find buffer to 1 MB in multiple_smb2_search()
This is used by performance tests that don't want to measure network latency but
fileserver IO latency.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cac95c3b by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: print duration of smb2.dir.test_large_files
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6c997c7f by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: add another large directory enumeration performance test
This one renames one file per iteration and can also be used to torture any
directory caching the server may employ.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8d58174c by Ralph Boehme at 2022-12-09T23:11:38+00:00
lib/torture: fix tctx arg usage in torture_assert_nttime_equal() macro
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6e1f58ab by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: add a test veryfing timestamps across rename
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3ece2cb8 by Ralph Boehme at 2022-12-09T23:11:38+00:00
smbd: remove oplock paranoia check from file_find_dif()
Since 4.16 stat opens will have a real fd, the only case where currently the fd
can still be -1 is a POSIX request on a symlink.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0fa7c3f7 by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: add an interactive test that works out maximum name and path lenghts
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
08997ac1 by Ralph Boehme at 2022-12-09T23:11:38+00:00
torture: convert mangling test to a suite
More tests to come...
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4bb3e4df by Ralph Boehme at 2022-12-10T00:07:09+00:00
torture: test that a find with a mangled name works
This was spawned by https://bugzilla.samba.org/show_bug.cgi?id=13472 back
then. Samba implement this correctly, just add this test found in the attic.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Dec 10 00:07:09 UTC 2022 on sn-devel-184
- - - - -
8578a24c by Stefan Metzmacher at 2022-12-12T13:39:00+00:00
CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1414269dccfd7cb831889cc92df35920b034457c)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Mon Dec 12 13:39:00 UTC 2022 on sn-devel-184
- - - - -
c8a37a24 by Volker Lendecke at 2022-12-12T21:16:33+00:00
smbd: Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6d365777 by Volker Lendecke at 2022-12-12T21:16:33+00:00
nsswitch: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1625dc4b by Volker Lendecke at 2022-12-12T21:16:33+00:00
tsocket: Fix the build on FreeBSD
FreeBSD does not have TCP_USER_TIMEOUT
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f30f5dd2 by Volker Lendecke at 2022-12-12T21:16:33+00:00
smbd: Simplify is_visible_fsp()
We don't need the wrapping if-statement, we check for the individual
flags. The compiler should be smart enough so that this is not a
difference in execution speed.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
080ded09 by Volker Lendecke at 2022-12-12T21:16:33+00:00
cldap_server: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f9c982b5 by Volker Lendecke at 2022-12-12T21:16:33+00:00
smbd: Simplify dos_mode_msdfs()
Use ISDOT[DOT]
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3f7c6467 by Volker Lendecke at 2022-12-12T21:16:33+00:00
lib: Remove fstring_sub() that was used just once
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0b070db6 by Volker Lendecke at 2022-12-12T21:16:33+00:00
lib: Remove unused octal_string()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
06408707 by Volker Lendecke at 2022-12-12T21:16:33+00:00
vfs: Remove an unnecessary if statement
get_local_machine_name() already does exactly this
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
46ce8a47 by Volker Lendecke at 2022-12-12T21:16:33+00:00
lib: Make substitute.c's "remote_proto" static
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8cc0489c by Volker Lendecke at 2022-12-12T21:16:33+00:00
lib: Add get_current_user_info_domain()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5d82af05 by Volker Lendecke at 2022-12-12T22:14:20+00:00
smbd: Remove a few "extern userdom_struct current_user_info"
get_current_username() returns current_user_info.smb_name
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Dec 12 22:14:20 UTC 2022 on sn-devel-184
- - - - -
5259926d by Douglas Bagnall at 2022-12-13T07:45:20+00:00
s4/torture/smb2: avoid possibly closing undefined handle
>From OSS-Fuzz compilation:
Step #3 - "compile-honggfuzz-address-x86_64": ../../source4/torture/smb2/dir.c:1456:2: error: variable 'dir_handle' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
Step #3 - "compile-honggfuzz-address-x86_64": torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
Step #3 - "compile-honggfuzz-address-x86_64": ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step #3 - "compile-honggfuzz-address-x86_64": ../../lib/torture/torture.h:748:3: note: expanded from macro 'torture_assert_ntstatus_ok_goto'
Step #3 - "compile-honggfuzz-address-x86_64": torture_assert_ntstatus_equal_goto(torture_ctx,expr,NT_STATUS_OK,ret,label,cmt)
Step #3 - "compile-honggfuzz-address-x86_64": ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step #3 - "compile-honggfuzz-address-x86_64": ../../lib/torture/torture.h:316:6: note: expanded from macro 'torture_assert_ntstatus_equal_goto'
Step #3 - "compile-honggfuzz-address-x86_64": if (!NT_STATUS_EQUAL(__got, __expected)) { \
Step #3 - "compile-honggfuzz-address-x86_64": ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step #3 - "compile-honggfuzz-address-x86_64": ../../source4/torture/smb2/dir.c:1582:24: note: uninitialized use occurs here
Step #3 - "compile-honggfuzz-address-x86_64": smb2_util_close(tree, dir_handle);
Step #3 - "compile-honggfuzz-address-x86_64": ^~~~~~~~~~
Step #3 - "compile-honggfuzz-address-x86_64": ../../source4/torture/smb2/dir.c:1456:2: note: remove the 'if' if its condition is always false
Step #3 - "compile-honggfuzz-address-x86_64": torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
Step #3 - "compile-honggfuzz-address-x86_64": ^
Step #3 - "compile-honggfuzz-address-x86_64": ../../lib/torture/torture.h:748:3: note: expanded from macro 'torture_assert_ntstatus_ok_goto'
Step #3 - "compile-honggfuzz-address-x86_64": torture_assert_ntstatus_equal_goto(torture_ctx,expr,NT_STATUS_OK,ret,label,cmt)
Step #3 - "compile-honggfuzz-address-x86_64": ^
Step #3 - "compile-honggfuzz-address-x86_64": ../../lib/torture/torture.h:316:2: note: expanded from macro 'torture_assert_ntstatus_equal_goto'
Step #3 - "compile-honggfuzz-address-x86_64": if (!NT_STATUS_EQUAL(__got, __expected)) { \
Step #3 - "compile-honggfuzz-address-x86_64": ^
Step #3 - "compile-honggfuzz-address-x86_64": ../../source4/torture/smb2/dir.c:1434:2: note: variable 'dir_handle' is declared here
Step #3 - "compile-honggfuzz-address-x86_64": struct smb2_handle dir_handle;
Step #3 - "compile-honggfuzz-address-x86_64": ^
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Dec 13 07:45:20 UTC 2022 on sn-devel-184
- - - - -
22128c71 by Andrew Bartlett at 2022-12-13T13:07:29+00:00
selftest: make filter-subunit much more efficient for large knownfail lists
By compiling the knownfail lists ahead of time we change a 20min test
into a 90sec test.
This could be improved further by combining this into a single regular expression,
but this is enough for now. The 'reason' is thankfully not used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
8ec62694 by Ralph Boehme at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
830e865b by Ralph Boehme at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
992f39a2 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7e7adf86 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
1fdf1d55 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d60828f6 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
1c6c1129 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e060ea5b by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7baabbe9 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0e6a2ba8 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ec62151a by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
16ee03ef by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
63c96ea6 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
cfd55a22 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b6339fd1 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4c7f8479 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
c8e53394 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b09f51ee by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
69b36541 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
bd429d02 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2ad302b4 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
43df4be3 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7ae37358 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
f43dc4f0 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
68950745 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7732a4b0 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
3c57608e by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b3ed90a0 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
f964c0c3 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 testparm: warn about server/client schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4d540473 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
a4f6f51c by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
c0c25cc0 by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0248907e by Stefan Metzmacher at 2022-12-13T13:07:29+00:00
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
c7cd6889 by Andrew Bartlett at 2022-12-13T13:07:29+00:00
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
50e075d2 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e0a91ddd by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
177334c0 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
538315a2 by Andrew Bartlett at 2022-12-13T13:07:29+00:00
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
a50a2be6 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d861d4eb by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
ee18bc29 by Andrew Bartlett at 2022-12-13T13:07:29+00:00
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d6b3d68e by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 third_party/heimdal: Fix error message typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b155b22 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
08664686 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a7a0b9ad by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
371d7e63 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
44802c46 by Joseph Sutton at 2022-12-13T13:07:29+00:00
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
975e43fc by Andrew Bartlett at 2022-12-13T13:07:30+00:00
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
4bb50c86 by Joseph Sutton at 2022-12-13T13:07:30+00:00
CVE-2022-37966 kdc: Assume trust objects support AES by default
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
6b46b764 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9da028c4 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a80f8e1b by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
This will never fail as we already require a version that supports aes,
but this makes it clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c9b10ee3 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2bd27955 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1a36c348 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f3fe1f2c by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
16b805c8 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a683507e by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
40b47c19 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:libnet: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4cedaa64 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b7260c89 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
621b8c39 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d7ea197e by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f1c5fa28 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
For now this is only for debugging in order to see
DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
9e69289b by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
271cd82c by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4ebbe7e4 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e0f89b7b by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d8fd6a22 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f434a30e by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
77bd3258 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c7c57620 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1dfa9168 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 python:tests/krb5: test much more etype combinations
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fde745ec by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7504a4d6 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
This is not squashed in order to allow easier backports...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fa64f8fa by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
36d0a495 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cca3c024 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d1999c15 by Stefan Metzmacher at 2022-12-13T13:07:30+00:00
CVE-2022-37966 samba-tool: add 'domain trust modify' command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
987cba90 by Stefan Metzmacher at 2022-12-13T14:06:14+00:00
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
- - - - -
19c82c19 by Ralph Boehme at 2022-12-14T01:38:29+00:00
lib/util: add process_set_title()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
14571c5c by Ralph Boehme at 2022-12-14T01:38:29+00:00
smbd: prepare smbd for calling setproctitle()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
969e0627 by Ralph Boehme at 2022-12-14T01:38:29+00:00
lib/util: use process_set_title() in tfork()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
1b62dfa6 by Ralph Boehme at 2022-12-14T01:38:29+00:00
s4/samba: use process_set_title()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
096295a6 by Ralph Boehme at 2022-12-14T01:38:29+00:00
winbindd: Use process_set_title() instead of setproctitle()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
62cc0bba by Ralph Boehme at 2022-12-14T01:38:29+00:00
smbd: explicitly call process_set_title()
Currently setting the shortname is achieved via the final arg to
smbd_reinit_after_fork(), but I'm going to remove that arg soon.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
38ba7d14 by Ralph Boehme at 2022-12-14T01:38:29+00:00
smbd: remove process shortname arg from smbd_reinit_after_fork()
All callers already do this explicitly by calling process_set_title().
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fc57b88e by Ralph Boehme at 2022-12-14T01:38:29+00:00
smbd: remove process shortname arg from reinit_after_fork()
All callers pass NULL anyway, so it isn't used anymore.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5955dc1e by Ralph Boehme at 2022-12-14T02:47:24+00:00
smbd: set long process name of smbd child processes to "smbd: <CLIENT IP>"
The resulting process listings, depending on the format chosen for the process
name, show the relevant smbd processes like this:
$ ps faxo pid,uid,comm | egrep "\_.*smbd" | grep -v grep
1690322 0 \_ smbd
1690326 0 \_ smbd-notifyd
1690327 0 \_ smbd-cleanupd
1690337 0 \_ smbd[::1]
$ ps faxo pid,uid,args | egrep "\_.*smbd" | grep -v grep
1690322 0 \_ ./bin/smbd -D
1690326 0 \_ smbd: notifyd
1690327 0 \_ smbd: cleanupd
1690337 0 \_ smbd: client [::1]
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 14 02:47:24 UTC 2022 on sn-devel-184
- - - - -
7870e82c by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ccb5bafe by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Move talloc_asprintf_addbuf() to talloc
I wanted to use this in debug.c, but this would have meant to pollute
debug's deps with a lot of stuff. Also, looking through uses of
talloc_asprint_append(), very many of those don't do NULL checks
properly and could benefit from the _addbuf() flavor. We can add a
vasprintf variant later if the need shows up.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
101396ab by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in debug.c
Slightly simplify debug_list_class_names_and_levels()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2c7766c2 by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in str_list_join()
This adds intermediate NULL checks via talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c692b5c9 by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in str_list_join_shell()
This adds proper NULL checks via talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bcdbe6ef by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in ldif_write_prefixMap()
The first call of talloc_asprintf_append() did not have a NULL check.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fe8895c8 by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in print_socket_options()
With the proper NULL checks we don't need the stackframe,
use a passed in context instead.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ffba59b5 by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in ldb_module_call_chain()
This was exactly what talloc_asprintf_addbuf() does.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cbcf7f0d by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Use talloc_asprintf_addbuf() in rdn_name_add()
Add implicit NULL checks
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c86112fe by Volker Lendecke at 2022-12-14T04:32:34+00:00
dns_server: Use talloc_asprintf_addbuf() in b9_format()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6b6f8deb by Volker Lendecke at 2022-12-14T04:32:34+00:00
libcldap: Save lines in cldap_netlogon_create_filter() with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fa8a657b by Volker Lendecke at 2022-12-14T04:32:34+00:00
auth4: Save lines with talloc_asprintf_addbuf() in authsam_domain_group_filter()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f25b6de7 by Volker Lendecke at 2022-12-14T04:32:34+00:00
winbind: Save an intermediate NULL check with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4156d37d by Volker Lendecke at 2022-12-14T04:32:34+00:00
winbind: Save lines with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
300ad4ff by Volker Lendecke at 2022-12-14T04:32:34+00:00
lib: Save intermediate NULL checks with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ac78cb71 by Volker Lendecke at 2022-12-14T05:29:51+00:00
libads: Save intermediate NULL checks with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 14 05:29:51 UTC 2022 on sn-devel-184
- - - - -
fd50943b by Andrew Bartlett at 2022-12-14T11:39:16+00:00
selftest: make filter-subunit much more efficient for large knownfail lists
By compiling the knownfail lists ahead of time we change a 20min test
into a 90sec test.
This could be improved further by combining this into a single regular expression,
but this is enough for now. The 'reason' is thankfully not used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 22128c718cadd34af892df102bd52df6a6b03303)
- - - - -
121c471b by Ralph Boehme at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
- - - - -
810b57b1 by Ralph Boehme at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
- - - - -
d39c3729 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
- - - - -
285ecad0 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
- - - - -
6c7aa761 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
- - - - -
ff5f2c81 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
- - - - -
15253c4d by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
- - - - -
b04f9cd9 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
- - - - -
93566433 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
- - - - -
911874a9 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
- - - - -
a31898e1 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
- - - - -
4d143e92 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
- - - - -
a656f2a3 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
- - - - -
84d53540 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
- - - - -
07518e76 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
- - - - -
eb1f1c37 by Stefan Metzmacher at 2022-12-14T11:39:16+00:00
CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
- - - - -
f6976639 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
- - - - -
c9193510 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
- - - - -
277bd2c6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
- - - - -
2cb10f96 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
- - - - -
1d2e938a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
- - - - -
f0cdff38 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
- - - - -
ff1c42ee by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
- - - - -
cf649bf2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
- - - - -
de639278 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
- - - - -
65d8624c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
- - - - -
8f7d77ec by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
- - - - -
e5e03583 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
- - - - -
0d4f8c70 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 testparm: warn about server/client schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
- - - - -
f4d487bd by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
- - - - -
523f9aa7 by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:param: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9166254b by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:client: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c5eda69a by Andreas Schneider at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:utils: Fix old-style function definition
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
fea5bde5 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d08d54c9 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
- - - - -
9fa6585a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)
- - - - -
362de019 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
- - - - -
91dcb8d0 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
- - - - -
4870b9c8 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
[jsutton at samba.org Adapted to 4.17 version of function]
- - - - -
649854b0 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton at samba.org Adapted to 4.17 version of function taking different
parameters]
- - - - -
15835e21 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
[jsutton at samba.org Fixed conflicts in usage.py, knownfails, tests.py]
- - - - -
6ff9fc58 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
[jsutton at samba.org Fixed knownfail conflicts]
- - - - -
25918f9c by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
[jsutton at samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
- - - - -
3d276a19 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
- - - - -
ac8a4665 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
- - - - -
350a2e5f by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 third_party/heimdal: Fix error message typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
- - - - -
42150ff9 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
- - - - -
d8cef2fa by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
- - - - -
123b3c05 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)
- - - - -
64bfe0ef by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
[jsutton at samba.org Removed unneeded fast_tests.py change, added
non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
tests.py]
- - - - -
3d85ff9d by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
- - - - -
71e538e7 by Andrew Bartlett at 2022-12-14T11:39:17+00:00
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
[jsutton at samba.org Fixed knownfail conflicts]
- - - - -
82f3c287 by Joseph Sutton at 2022-12-14T11:39:17+00:00
CVE-2022-37966 kdc: Assume trust objects support AES by default
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
- - - - -
5f885420 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)
- - - - -
4ad0303e by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)
- - - - -
425dc5a2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 system_mitkrb5: require support for aes enctypes
This will never fail as we already require a version that supports aes,
but this makes it clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
- - - - -
91680bf6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)
- - - - -
d022b9fa by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
- - - - -
b1052934 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
- - - - -
e2e29876 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
- - - - -
c894010a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)
- - - - -
edccbf1a by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)
- - - - -
8b9e670c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:libnet: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)
- - - - -
96fcd2b2 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
- - - - -
e741eac0 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
- - - - -
ceda758d by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
- - - - -
42c12b8c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
- - - - -
d7efa582 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
For now this is only for debugging in order to see
DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
- - - - -
bf27c7ba by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
- - - - -
9c106afa by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)
- - - - -
bf633c58 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
- - - - -
6a4531ad by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
- - - - -
0f63356c by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
- - - - -
d1b65794 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
- - - - -
afc05bec by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
- - - - -
c642bd9f by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
- - - - -
82739352 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 python:tests/krb5: test much more etype combinations
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
- - - - -
2d1f56c6 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
- - - - -
91be2dbb by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
This is not squashed in order to allow easier backports...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
- - - - -
428aa9b0 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
- - - - -
17db5768 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
- - - - -
dd4832f1 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
- - - - -
701c9885 by Stefan Metzmacher at 2022-12-14T11:39:17+00:00
CVE-2022-37966 samba-tool: add 'domain trust modify' command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
- - - - -
5048d63c by Stefan Metzmacher at 2022-12-14T12:40:42+00:00
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
(similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Wed Dec 14 12:40:42 UTC 2022 on sn-devel-184
- - - - -
53d55836 by Stefan Metzmacher at 2022-12-14T12:41:35+00:00
s4:libnet: fix error string for failing samr_ChangePasswordUser4()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
- - - - -
eb5df255 by Stefan Metzmacher at 2022-12-14T13:35:20+00:00
s4:libnet: correctly handle gnutls_pbkdf2() errors
We should not ignore the error nor should we map
GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD,
instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places
in the same file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184
- - - - -
77fb5b47 by Stefan Metzmacher at 2022-12-14T13:44:17+00:00
s4:libnet: fix error string for failing samr_ChangePasswordUser4()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
(cherry picked from commit 53d558365161be1793dad78ebcce877c732f2419)
- - - - -
1c7d60ee by Stefan Metzmacher at 2022-12-14T14:46:02+00:00
s4:libnet: correctly handle gnutls_pbkdf2() errors
We should not ignore the error nor should we map
GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD,
instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places
in the same file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Björn Baumbach <bbaumbach at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184
(cherry picked from commit eb5df255faea7326a7b85c1e7ce5a66119a27c3a)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-17-test): Wed Dec 14 14:46:02 UTC 2022 on sn-devel-184
- - - - -
49fdf8f9 by Volker Lendecke at 2022-12-14T22:54:29+00:00
smbd: Make set_current_case_sensitive() static
This is a SMB1-only thing
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d4848111 by Volker Lendecke at 2022-12-14T22:54:29+00:00
smbd: Slightly simplify set_current_case_sensitive()
Assert this isn't called from SMB2
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b94fd422 by Volker Lendecke at 2022-12-14T22:54:29+00:00
smbd: Slightly simplify set_current_case_sensitive()
Remove a global cache of calculating case sensivity. The calculation
is really simple: It only references a bool per-share parameter and a
global variable. I really doubt there is any measurable benefit from
this cache, and if there was, I don't care if SMB1 gets a tiny bit
slower in response to reduced global state.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d04db4a5 by Volker Lendecke at 2022-12-14T22:54:29+00:00
vfs: Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c12518a9 by Volker Lendecke at 2022-12-14T22:54:29+00:00
smbd: Remove source3/smbd/statcache.c
After I found that nobody calls stat_cache_add() anymore, there was no
reason to keep the rest of statcache.c.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
194f6661 by David Mulder at 2022-12-14T22:54:29+00:00
gp: Fix Firewalld RSoP output skipping Zones
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ecfa4e19 by David Mulder at 2022-12-14T22:54:29+00:00
gp: Fix GNOME Settings writing unreadable user profile
This file must be readable by all users,
otherwise the policy doesn't get read or applied.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
773659ba by Andreas Schneider at 2022-12-14T22:54:29+00:00
testprogs: Use new kerberos options for ldb and samba-tool in test_kinit_mit.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bc5e8ba9 by Andreas Schneider at 2022-12-14T22:54:29+00:00
testprogs: Use new kerberos options for samba-tool in test_export_keytab_mit.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
897f08f7 by Andreas Schneider at 2022-12-14T23:56:50+00:00
testprogs: Use new kerberos options for samba-tool in test_kpasswd_mit.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 14 23:56:50 UTC 2022 on sn-devel-184
- - - - -
612c8da0 by Volker Lendecke at 2022-12-15T10:34:34+00:00
tests: Show that in smb1 posix we don't treat dirs as case sensitive
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
17bbd6ec by Volker Lendecke at 2022-12-15T11:30:04+00:00
smbd: Add "posix" flag to openat_pathref_dirfsp_nosymlink()
Don't do the get_real_filename() retry if we're in posix context of if
the connection is case sensitive.
The whole concept of case sensivity blows my brain. In SMB1 without
posix extensions it's a per-request thing. In SMB2 without posix
extensions this should just depend on "case sensitive = yes/no", and
in future SMB2 posix extensions this will become a per-request thing
again, depending on the existence of the posix create context.
Then there are other semantics that are attached to posix-ness, which
have nothing to do with case sensivity. See for example merge request
2819 and bug 8776, or commit f0e1137425f. Also see
check_path_syntax_internal().
This patch uses the same flags as openat_pathref_fsp_case_insensitive()
does, but I am 100% certain this is wrong in a subtle way.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Dec 15 11:30:04 UTC 2022 on sn-devel-184
- - - - -
f676c903 by Jule Anger at 2022-12-15T17:05:11+01:00
WHATSNEW: Add release notes for Samba 4.17.4.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
ab48448c by Jule Anger at 2022-12-15T17:05:36+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
3aa49021 by Michael Tokarev at 2022-12-15T19:43:32+03:00
New upstream version 4.17.4+dfsg
- - - - -
76eb8daa by Michael Tokarev at 2022-12-15T19:44:05+03:00
Update upstream source from tag 'upstream/4.17.4+dfsg'
Update to upstream version '4.17.4+dfsg'
with Debian dir 40d56574171d59db23cf49dc40129f61b65b987e
- - - - -
30a9ca7d by Michael Tokarev at 2022-12-15T19:59:10+03:00
d/changelog: start 4.17.4
- - - - -
60368564 by Michael Tokarev at 2022-12-15T20:29:52+03:00
mention other bugs fixed by 4.17.4 (from WHATSNEW.txt)
- - - - -
bd6b1563 by Michael Tokarev at 2022-12-15T22:06:22+03:00
removed nsswitch-pam-data-time_t.patch
- - - - -
b5a8d45a by Michael Tokarev at 2022-12-15T22:06:22+03:00
removed CVE-2022-42898-lib-krb5-fix-_krb5_get_int64-on-32bit.patch
- - - - -
959c88bd by Michael Tokarev at 2022-12-15T22:06:34+03:00
update changelog; upload 4.17.4+dfsg-1 to unstable
- - - - -
7fcbae4e by Volker Lendecke at 2022-12-15T21:52:34+00:00
libsmb: Don't mess up pathnames in cli_smb2_create_fnum_send()
Master-only bug introduced with dd9cdfb3b14: smb2_dfs_share_path() can
change the length of fname, and if it happens that the original length
hits a \ in the enlarged filename, we cut it off.
Found by accident, this really made me scratch my head when looking at
traces :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c26f7fcc by Volker Lendecke at 2022-12-15T21:52:34+00:00
smbd: Fix a debug message
This used to be openat_pathref_nostream() at some point back
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
88848bc0 by Volker Lendecke at 2022-12-15T21:52:34+00:00
smbd: Use direct struct initialization, avoid explicit ZERO_STRUCT()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e2ccd822 by Volker Lendecke at 2022-12-15T21:52:34+00:00
smbd: Remove a pointless NULL check from readlink_talloc()
We should never call this without the place to put the target in.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bb94ec26 by Volker Lendecke at 2022-12-15T21:52:34+00:00
tdb: Move 160 bytes from R/W data segment to R/O text
The linker has to relocate the pointers in the array at startup, save
that. I know we have bigger .data blobs, but every bit counts :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
148b86b2 by Volker Lendecke at 2022-12-15T21:52:34+00:00
lib: Align an integer type
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c5bc9f73 by Volker Lendecke at 2022-12-15T21:52:34+00:00
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ddbb8f19 by Volker Lendecke at 2022-12-15T22:51:06+00:00
lib: Move 448 bytes from R/W data segment to R/O text
The linker has to relocate the pointers in the array at startup, save
that. I know we have bigger .data blobs, but every bit counts :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 15 22:51:06 UTC 2022 on sn-devel-184
- - - - -
9189bd9c by Andrew Bartlett at 2022-12-16T07:41:38+00:00
build: Convert winexe to use enabled= in wscript
This also allows --without-winexe to stop building the .exe files even if
the compilers are present on the system.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15264
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Dec 16 07:41:38 UTC 2022 on sn-devel-184
- - - - -
96d68c6b by Volker Lendecke at 2022-12-16T07:42:38+00:00
libsmb: Make a r/w copy of fname in cli_smb2_create_fnum_send()
We're messing with this in 2 places in this routine and have to make a
copy in both places. Make this writable, so we don't have to make a
copy further down.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fdc6449a by Jeremy Allison at 2022-12-16T07:42:38+00:00
s3: smbd: Make extract_snapshot_token() a wrapper for extract_snapshot_token_internal().
Allows us to pass in path separator from a new function without
changing existing calling code.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
157a79f0 by Jeremy Allison at 2022-12-16T07:42:38+00:00
s3: lib: Add new clistr_smb2_extract_snapshot_token() function.
Strips @GMT from client pathnames for SMB2 (uses '\\' separator).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
c64c8af6 by Jeremy Allison at 2022-12-16T07:42:38+00:00
libsmb: Use clistr_smb2_extract_snapshot_token() in cli_smb2_create_fnum_send()
Now that fname is writable, we can avoid a bit of complexity with
clistr_smb2_extract_snapshot_token()
Signed-off-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
833cb4cb by Volker Lendecke at 2022-12-16T07:42:38+00:00
libsmb: Slightly simplify cli_smb2_create_fnum_send()
We can now write to fname directly.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
89828c64 by Volker Lendecke at 2022-12-16T08:42:18+00:00
libsmb: Simplify clistr_is_previous_version_path()
Nobody looks at the out params anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Dec 16 08:42:18 UTC 2022 on sn-devel-184
- - - - -
39e8489d by Günther Deschner at 2022-12-16T20:38:32+00:00
s3-librpc: add ads.idl and convert ads_struct to talloc.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f7cc00f7 by Günther Deschner at 2022-12-16T20:38:32+00:00
s3-librpc: use nbt_server_type in ads.idl
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
07617a34 by Günther Deschner at 2022-12-16T21:35:45+00:00
s4-auth: fix sam test binary ntstatus include path
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Dec 16 21:35:45 UTC 2022 on sn-devel-184
- - - - -
27507b60 by Michael Tokarev at 2022-12-19T16:38:19+03:00
samba-ad-provision breaks samba <4.17.4+dfsg-2 (#1026387); upload 4.17.4+dfsg-2 to unstable
- - - - -
87fddbad by Stefan Metzmacher at 2022-12-19T16:40:15+00:00
smbd/locking: make use of the same tdb hash_size and flags for all SMB related tdb's
It's good to have a consistent set of hash_size/flags for all aspects of
an open file handle. Currently we're using 4 databases:
smbXsrv_open_global.tdb, leases.tdb, locking.tdb and brlock.tdb.
While at it also crank up the hashsize if the smbXsrv_tcon and smbXsrv_session
TDBs. The default TDB hash size is insanely small and disk space is cheap these
days, by going with the much larger hash size we get O(1) lookup instead of O(n)
for moderate to large loads with a few thousand objects.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Dec 19 16:40:15 UTC 2022 on sn-devel-184
- - - - -
80c0b416 by Andrew at 2022-12-19T20:41:15+00:00
rpc_server:srvsvc - retrieve share ACL via root context
share_info.tdb has permissions of 0o600 and so we need
to become_root() prior to retrieving the security info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184
- - - - -
6f77b376 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression/huffman: avoid semi-defined behaviour in decompress
We had
output[output_pos - distance];
where output_pos and distance are size_t and distance can be greater
than output_pos (because it refers to a place in the previous block).
The underflow is defined, leading to a big number, and when
sizeof(size_t) == sizeof(*uint8_t) the subsequent overflow works as
expected. But if size_t is smaller than a pointer, bad things will
happen.
This was found by OSSFuzz with
'UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1'.
Credit to OSSFuzz.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e7489be7 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
fuzz: fix lzxpress plain round-trip fuzzer
The 'compressed' string can be about 9/8 the size of the decompressed
string, but we didn't allow enough memory in the fuzz target for that..
Then when it failed, we didn't check.
Credit to OSSFuzz.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
27af27f9 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression/huffman: tighten bit_len checks (fix SUSE -O3 build)
The struct write_context bit_len attribute is always between 0 and 31,
but if the next patches are applied without this, SUSE GCC -O3 will
worry thusly:
../../lib/compression/lzxpress_huffman.c: In function
‘lzxpress_huffman_compress’:
../../lib/compression/lzxpress_huffman.c:953:5: error: assuming signed
overflow does not occur when simplifying conditional to constant
[-Werror=strict-overflow]
if (wc->bit_len > 16) {
^
cc1: all warnings being treated as errors
Inspection tell us that the invariant holds. Nevertheless, we can
safely use an unsigned type and insist that over- or under- flow is
bad.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d6a67908 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression/huffman: check again for invalid codes (CID 1517302)
We know that code is non-zero, because it comes from the combination of
the intermediate representation and the symbol tables that were generated
at the same time. But Coverity doesn't know that, and it thinks we could
be doing undefined things in the subsequent shift.
CID 1517302: Integer handling issues (BAD_SHIFT)
In expression "1 << code_bit_len", shifting by a negative amount has
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b99e0e93 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression/tests: calm the static analysts (CID: numerous)
None of our test vectors are 18446744073709551615 bytes long, which
means we can know an `expected_length == returned_length` check will
catch the case where the compression function returns -1 for error. We
know that, but Coverity doesn't.
It's the same thing over and over again, in two different patterns:
>>> CID 1517301: Memory - corruptions (OVERRUN)
>>> Calling "memcmp" with "original.data" and "original.length" is
suspicious because of the very large index, 18446744073709551615. The index
may be due to a negative parameter being interpreted as unsigned.
393 if (original.length != decomp_written ||
394 memcmp(decompressed.data,
395 original.data,
396 original.length) != 0) {
397 debug_message("\033[1;31mgot %zd, expected %zu\033[0m\n",
398 decomp_written,
*** CID 1517299: Memory - corruptions (OVERRUN)
/lib/compression/tests/test_lzxpress_plain.c: 296 in
test_lzxpress_plain_decompress_more_compressed_files()
290 debug_start_timer();
291 written = lzxpress_decompress(p.compressed.data,
292 p.compressed.length,
293 dest,
294 p.decompressed.length);
295 debug_end_timer("decompress", p.decompressed.length);
>>> CID 1517299: Memory - corruptions (OVERRUN)
>>> Calling "memcmp" with "p.decompressed.data" and
"p.decompressed.length" is suspicious because of the very large index,
18446744073709551615. The index may be due to a negative parameter being
interpreted as unsigned.
296 if (written == p.decompressed.length &&
297 memcmp(dest, p.decompressed.data, p.decompressed.length)
== 0) {
298 debug_message("\033[1;32mdecompressed %s!
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
baba440f by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression tests: avoid div by zero in failure (CID 1517297)
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6b4d94c9 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression: fix sign extension of long matches (CID 1517275)
Very long matches would be written instead as very very long matches.
We can't in fact hit this because we have a MAX_MATCH_LENGTH defined
as 64M, but if we could, it might make certain 2GB+ strings impossible
to compress.
CID 1517275 (#1 of 1): Unintended sign extension
(SIGN_EXTENSION)sign_extension: Suspicious implicit sign extension:
intermediate[i + 2UL] with type uint16_t (16 bits, unsigned) is
promoted in intermediate[i + 2UL] << 16 to type int (32 bits, signed),
then sign-extended to type unsigned long (64 bits, unsigned). If
intermediate[i + 2UL] << 16 is greater than 0x7FFFFFFF, the upper bits
of the result will all be 1.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
628f14c1 by Douglas Bagnall at 2022-12-19T22:32:35+00:00
compression/huffman: double check distance in matches (CID 1517278)
Because we just wrote the intermediate representation to have no zero
distances, we can be sure it doesn't, but Coverity doesn't know. If
distance is zero, `bitlen_nonzero_16(distance)` would be bad.
CID 1517278 (#1 of 1): Bad bit shift operation
(BAD_SHIFT)41. large_shift: In expression 1 << code_dist, left
shifting by more than 31 bits has undefined behavior. The shift
amount, code_dist, is 65535.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
44a44005 by Douglas Bagnall at 2022-12-19T23:29:04+00:00
compression/huffman: debug function bails upon disaster (CID 1517261)
We shouldn't get a node with a zero code, and there's probably nothing
to do but stop.
CID 1517261 (#1-2 of 2): Bad bit shift operation
(BAD_SHIFT)11. negative_shift: In expression j >> offset - k,
shifting by a negative amount has undefined behavior. The shift
amount, offset - k, is -3.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Dec 19 23:29:04 UTC 2022 on sn-devel-184
- - - - -
5c25e262 by Ralph Boehme at 2022-12-20T01:32:07+00:00
tests: add a Python test for case insensitive access
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Dec 20 01:32:07 UTC 2022 on sn-devel-184
- - - - -
393ec15b by Michael Tokarev at 2022-12-20T08:41:22+03:00
d/control: change version of samba which samba-ad-provisioning Breaks to where provisioning was split out
- - - - -
0dc5f807 by Andreas Schneider at 2022-12-20T05:56:35+00:00
s4:torture: Fix stack variable used out of scope in test_devmode_set_level()
==12122==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fff494dd900 at pc 0x7fdaebea71e3 bp 0x7fff494dd430 sp 0x7fff494dd428
READ of size 4 at 0x7fff494dd900 thread T0
#0 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo8 librpc/gen_ndr/ndr_spoolss.c:8618
#1 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo librpc/gen_ndr/ndr_spoolss.c:8796
#2 0x7fdaebea7482 in ndr_push_spoolss_SetPrinterInfoCtr librpc/gen_ndr/ndr_spoolss.c:9163
#3 0x7fdaebea7580 in ndr_push_spoolss_SetPrinter librpc/gen_ndr/ndr_spoolss.c:27000
#4 0x7fdaee3e1b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416
#5 0x7fdaee3e2132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553
#6 0x7fdaecb103fd in dcerpc_spoolss_SetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1722
#7 0x559a7294c2f1 in test_SetPrinter ../../source4/torture/rpc/spoolss.c:1293
#8 0x559a7297b4d4 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2126
#9 0x559a7299cfa1 in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2344
#10 0x559a7299cfa1 in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2489
#11 0x559a7299cfa1 in test_printer_dm ../../source4/torture/rpc/spoolss.c:9083
#12 0x7fdaeda9867d in wrap_test_with_simple_test ../../lib/torture/torture.c:808
#13 0x7fdaeda9a40b in internal_torture_run_test ../../lib/torture/torture.c:516
#14 0x7fdaeda9a87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581
#15 0x7fdaeda9aeb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435
#16 0x559a72b51668 in run_matching ../../source4/torture/smbtorture.c:95
#17 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105
#18 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105
#19 0x559a72b523ef in torture_run_named_tests ../../source4/torture/smbtorture.c:172
#20 0x559a72b563eb in main ../../source4/torture/smbtorture.c:750
#21 0x7fdaea42c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#22 0x7fdaea42c678 in __libc_start_main_impl ../csu/libc-start.c:381
#23 0x559a72755824 in _start ../sysdeps/x86_64/start.S:115
Address 0x7fff494dd900 is located in stack of thread T0 at offset 32 in frame
#0 0x559a7297b111 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2090
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
34ae731b by Andreas Schneider at 2022-12-20T05:56:35+00:00
s4:torture: Pass the dcerpc struct 'q' for GetPrinter down to the macro
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e3c9bea0 by Andreas Schneider at 2022-12-20T05:56:35+00:00
s4:torture: Pass the dcerpc struct 's' for SetPrinter down to the macro
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
57ff5a33 by Andreas Schneider at 2022-12-20T06:55:45+00:00
s4:torture: Fix stack variable used out of scope in test_devicemode_full()
==17828==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc37790230 at pc 0x7fc37e2a3a11 bp 0x7ffc3778fec0 sp 0x7ffc3778feb8
READ of size 16 at 0x7ffc37790230 thread T0
#0 0x7fc37e2a3a10 in ndr_push_spoolss_GetPrinter librpc/gen_ndr/ndr_spoolss.c:27123
#1 0x7fc380629b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416
#2 0x7fc38062a132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553
#3 0x7fc37ed113c9 in dcerpc_spoolss_GetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1947
#4 0x5570ba6c4d03 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2249
#5 0x5570ba6e61ea in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2384
#6 0x5570ba6e61ea in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2488
#7 0x5570ba6e61ea in test_printer_dm ../../source4/torture/rpc/spoolss.c:9082
#8 0x7fc37fc7b67d in wrap_test_with_simple_test ../../lib/torture/torture.c:808
#9 0x7fc37fc7d40b in internal_torture_run_test ../../lib/torture/torture.c:516
#10 0x7fc37fc7d87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581
#11 0x7fc37fc7deb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435
#12 0x5570ba89a65d in run_matching ../../source4/torture/smbtorture.c:95
#13 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105
#14 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105
#15 0x5570ba89b3e4 in torture_run_named_tests ../../source4/torture/smbtorture.c:172
#16 0x5570ba89f3e0 in main ../../source4/torture/smbtorture.c:750
#17 0x7fc37c62c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#18 0x7fc37c62c678 in __libc_start_main_impl ../csu/libc-start.c:381
#19 0x5570ba49e824 in _start ../sysdeps/x86_64/start.S:115
Address 0x7ffc37790230 is located in stack of thread T0 at offset 160 in frame
#0 0x5570ba6c4562 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2186
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Dec 20 06:55:45 UTC 2022 on sn-devel-184
- - - - -
5b192889 by Andrew Walker at 2022-12-20T18:49:54+00:00
s3:params:lp_do_section - protect against NULL deref
iServiceIndex may indicate an empty slot in the ServicePtrs
array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex])
may trigger a NULL deref and crash. Skipping the check
here will cause a scan of the array in add_a_service() and the
NULL slot will be used safely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184
- - - - -
57152819 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Implement appliers for monitoring policy changes
This is currently a significant drawback of Samba
Group Policy. CSEs MUST be aware of policy changes
such as modification, removal, etc. This is a
complex process, and is easy to mess up. Here I
add 'appliers' (the first being for files), which
handle the complexty transparently to ensure this
is done correctly.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
3f710589 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Symlink CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
50f4c3d4 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify PAM Access CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
81dbcae9 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify OpenSSH CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
2953329b by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Sudoers CSEs to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
64f4930d by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Files CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f3e24a32 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Machine Scripts CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fb512e06 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify GNOME Settings CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f20ca1a7 by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Startup Scripts CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
acdc7fbe by David Mulder at 2022-12-21T02:04:36+00:00
gp: Modify Centrify Crontab compatible CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f36542b5 by David Mulder at 2022-12-21T02:04:37+00:00
gp: Modify Cert Auto Enroll CSE to use new applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5037d402 by David Mulder at 2022-12-21T02:04:37+00:00
gp: Modify Chromium CSE to use new files applier
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d170d8cf by David Mulder at 2022-12-21T02:04:37+00:00
gp: Test that files are re-created if manually removed
Currently applied files which are manually
removed do not get re-applied.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e6156b13 by David Mulder at 2022-12-21T02:04:37+00:00
gp: Re-create files if manually removed
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6710c50f by David Mulder at 2022-12-21T02:04:37+00:00
gp: Ensure policy changes don't leave files behind
This test exercises the gp_file_applier and
ensures that when a policy is modified, no old
policy is left behind.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
74598eee by David Mulder at 2022-12-21T02:04:37+00:00
gp: Enable gpupdate output when testing
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
c435c105 by David Mulder at 2022-12-21T02:04:37+00:00
gp: Fix rsop when final value isn't a str
The output must be a string value, or it will
crash. Chromium policies output integers, which
was causing the parser to crash.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0a1778cd by David Mulder at 2022-12-21T02:04:37+00:00
gp: Ensure rsop is tested for every CSE
A bug cropped up in the rsop that was causing a
crash because this wasn't being tested.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
94b70d1e by David Mulder at 2022-12-21T03:05:46+00:00
gp: Don't hide managed/recommended directories
Making these variables hidden prevents the parent
class gp_chromium_ext from reading them when
subclassed in gp_chrome_ext. This caused the
chrome policies to be installed in the chromium
directories.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 21 03:05:46 UTC 2022 on sn-devel-184
- - - - -
2e496efe by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: do an early exit in cm_open_connection()
Best viewed with git show -w. No change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ccb6b754 by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: simplify find_new_dc()
Remove the dcname and pss args from find_new_dc(). The caller passes in the
domain anyway, so let's fill in domain->dcname and domain->dcaddr directly.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7315c5f4 by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: simplify cm_open_connection()
Simplify to retry logic: if cm_prepare_connection() succeeded just exit the
retry loop, only if it failed check the "retry" variable.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0fcf0012 by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: More simplification of cm_open_connection()
This basically moves the functionality to connect the socket to the currently
preferred DC to a new helper function connect_preferred_dc() that is called from
the renamed function find_new_dc().
find_dc() now either returns a connected to the preferred DC or a new DC until
all possible DCs are exhausted and cm_open_connection() can just call find_dc()
to get a connected socket and pass it to cm_prepare_connection().
While at it reorder the args of find_dc() and make the only real out arg "fd"
the last one.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
4a74748d by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: Add force_dc to bypass cached connection and DC lookup
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
eb1d1f19 by Ralph Boehme at 2022-12-21T19:10:35+00:00
winbindd: add dcname arg to ChangeMachineAccount request
Existing callers will pass an empty string, later a new caller will pass an
explicit DC name taken from the wbinfo command line.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
682216aa by Ralph Boehme at 2022-12-21T19:10:35+00:00
libwbclient: add wbc[Ctx]ChangeTrustCredentialsAt()
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
52cdf1d9 by Ralph Boehme at 2022-12-21T19:10:35+00:00
wbinfo: Add --change-secret-at=dcname
Add WHATSNEW.txt entry and update wbinfo man page.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b9070130 by Ralph Boehme at 2022-12-21T19:10:35+00:00
CI: join ad_member_s3_join to vampire_dc
Currently ad_member_s3_join is only used for testing samba-tool join and that'll
work just fine being joined to vampire_dc instead of ad_dc.
vampire_dc is an additional DC in the SAMBADOMAIN "started" by ad_dc_ntvfs, so
by joining ad_member_s3_join to the SAMBADOMAIN, it is member of a domain with
more then one DC.
Subsequently I'll add a test that needs such an environment.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6ec24883 by Ralph Boehme at 2022-12-21T20:05:59+00:00
CI: add a test for wbinfo --change-secret-at=DC
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 21 20:05:59 UTC 2022 on sn-devel-184
- - - - -
429bf5ce by Andreas Schneider at 2022-12-21T21:28:42+00:00
third_party: Update resolv_wrapper to version 1.1.8
res_randomid() is marked as deprecated in newer glibc.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 21 21:28:42 UTC 2022 on sn-devel-184
- - - - -
a4ba6fa4 by Andreas Schneider at 2022-12-22T09:45:37+00:00
autobuild: Don't use deprecated distutils
The distutils package was deprecated in Python 3.10 by PEP 632.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0d196126 by Andreas Schneider at 2022-12-22T09:45:37+00:00
s3:script: Improve test_chdir_cache.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
9c707b4b by Andreas Schneider at 2022-12-22T10:52:31+00:00
s3:client: Fix a use-after-free issue in smbclient
Detected by
make test TESTS="samba3.blackbox.chdir-cache"
with an optimized build or with AddressSanitizer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Dec 22 10:52:31 UTC 2022 on sn-devel-184
- - - - -
41249302 by Douglas Bagnall at 2022-12-22T19:50:33+00:00
lib/compression: add simple python bindings
There are four functions, allowing compression and decompression in
the two formats we support so far. The functions will accept bytes or
unicode strings which are treated as utf-8.
The LZ77+Huffman decompression algorithm requires an exact target
length to decompress, so this is mandatory.
The plain decompression algorithm does not need an exact length, but
you can provide one to help it know how much space to allocate. As
currently written, you can provide a short length and it will often
succeed in decompressing to a different shorter string.
These bindings are intended to make ad-hoc investigation easier, not
for production use. This is reflected in the guesses about output size
that plain_decompress() makes if you don't supply one -- either they
are stupidly wasteful or ridiculously insufficient, depending on
whether or not you were trying to decompress a 20MB string.
>>> a = '12345678'
>>> import compression
>>> b = compression.huffman_compress(a)
>>> b
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #....
>>> len(b)
262
>>> c = compression.huffman_decompress(b, len(a))
>>> c
b'12345678' # note, c is bytes, a is str
>>> a
'12345678'
>>> d = compression.plain_compress(a)
>>> d
b'\xff\xff\xff\x0012345678'
>>> compression.plain_decompress(d) # no size specified, guesses
b'12345678'
>>> compression.plain_decompress(d,5)
b'12345'
>>> compression.plain_decompress(d,0) # 0 for auto
b'12345678'
>>> compression.plain_decompress(d,1)
b'1'
>>> compression.plain_decompress(a,444)
Traceback (most recent call last):
compression.CompressionError: unable to decompress data into a buffer of 444 bytes.
>>> compression.plain_decompress(b,444)
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #...
That last one decompresses the Huffman compressed file with the plain
compressor; pretty much any string is valid for plain decompression.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
918a71f2 by Volker Lendecke at 2022-12-22T19:50:33+00:00
smbd: Print the file name in reparse point functions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
f70b3832 by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Rename "ctx" to the more common "mem_ctx" in reparse functions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b20e95fb by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Implement SET_REPARSE_POINT buffer size checks
Partially survives
samba.tests.reparsepoints.ReparsePoints.test_create_reparse
NTTRANS-FSCTL needs changing: Windows 2016 returns INVALID_BUFFER_SIZE
instead of our NOT_A_REPARSE_POINT. This is not the whole story, but
this smbtorture3 change makes autobuild survive.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6e89a16d by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Reduce indentation in ucf_flags_from_smb_request()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
aff8b4fd by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Simplify filename_convert_dirfsp_nosymlink()
Factor out the symlink-case into a more obvious if-statement with less
indentation.
Review with git show -b
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
70b515be by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Simplify filename_convert_dirfsp_nosymlink()
Avoid a nested if, the "&&" is easier to understand for me.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
636daef0 by Volker Lendecke at 2022-12-22T19:50:34+00:00
smbd: Hide the SMB1 posix symlink behaviour behind UCF_LCOMP_LNK_OK
This will be used in the future to also open symlinks as reparse
points, so this won't be specific to only SMB1 posix extensions.
I have tried to avoid additional flags for several weeks by making
openat_pathref_fsp or other flavors of this to always open fsp's with
symlink O_PATH opens, because I think NT_STATUS_OBJECT_NAME_NOT_FOUND
with a valid stat is a really bad and racy way to express that we just
hit a symlink, but I miserably failed. Adding additional flags (another one
will follow) is wrong, but I don't see another way right now.
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
c515a5b2 by Volker Lendecke at 2022-12-22T20:46:53+00:00
smbd: Make send_trans2_replies() static
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 22 20:46:53 UTC 2022 on sn-devel-184
- - - - -
14751e91 by Andreas Schneider at 2022-12-23T13:23:29+00:00
lib:ldb: Fix trailing whitespaces in common/attrib_handlers.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c8e3873e by Andreas Schneider at 2022-12-23T13:23:29+00:00
lib:ldb: Fix trailing whitespaces in common/ldb_utf8.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
78ca66a1 by Andreas Schneider at 2022-12-23T13:23:29+00:00
lib:ldb: Remove trailing white spaces in ldb_private.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
a8f6fa03 by Andreas Schneider at 2022-12-23T13:23:29+00:00
lib:ldb: Add ldb_ascii_toupper()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
24275cd8 by Andreas Schneider at 2022-12-23T13:23:29+00:00
lib:ldb: Use ldb_ascii_toupper() for case folding
For example there are at least two locales (tr_TR and az_AZ) in glibc
having dotless i transformation different from Latin scripts and GUID
versus Guid comparison would be different there (attribute name would
not match in the test).
See also
https://en.wikipedia.org/wiki/Dotted_and_dotless_I
https://lists.samba.org/archive/samba-technical/2019-December/134659.html
This fixes: LC_ALL=tr_TR.UTF-8 make test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
0c931fb3 by Andreas Schneider at 2022-12-23T14:17:31+00:00
waf: Run python tests also with tr_TR locale
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Dec 23 14:17:31 UTC 2022 on sn-devel-184
- - - - -
9a32c808 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Fix remove_directory()
common_test_fns.inc: line 121: [: too many arguments
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
e5910d28 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Add system_or_builddir_binary()
This should be used if we use a system or builddir binary.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
0aa24330 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for dbcheck and runtime tests
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
ee11fafc by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for dbcheck-oldrelease
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
4981cb45 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for demote-saveddb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
2cfe2664 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for functionalprep
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
e6ab157f by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for ldapcmp_restoredc
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
68471100 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for renamedc
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
6b7e5059 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_client_kerberos
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c9ca0f79 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_kinit_heimdal
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
fa5cba8f by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_kinit_mit
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
7baa3e13 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_ktpass
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c11f1912 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_ldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
d891e590 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_ldb_simple
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
376ca5a1 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_net_ads
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
535bc5dc by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_net_ads_dns
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c6cd1263 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_old_enctypes
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
56b97238 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_pkinit_pac
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
605155f2 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_pkinit_simple
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
7c46c79a by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_primary_group
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
1106ef71 by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_special_group
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
39468deb by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for test_trust_token
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
40eeec0f by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for tombstones-expunge
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
eb6f74bd by Andreas Schneider at 2022-12-23T14:35:31+00:00
testprogs: Use system_or_builddir_binary() for upgradeprovision-oldrelease
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
5bed51fc by Andreas Schneider at 2022-12-23T14:35:31+00:00
nsswitch:tests: Use system_or_builddir_binary() for test_rfc2307_mapping
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
11be7d80 by Andreas Schneider at 2022-12-23T14:35:31+00:00
python:tests: Use system ldbsearch if we build with system libldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
9ac8dac6 by Andreas Schneider at 2022-12-23T14:35:31+00:00
python:tests: Use system ldbdump if we build with system ldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
6b4cc4cc by Andreas Schneider at 2022-12-23T14:35:31+00:00
python:tests: Use system ldbsearch if we built against system libldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
08be04bb by Andreas Schneider at 2022-12-23T15:31:31+00:00
s4:setup:tests: Use system ldbdump if we build with system ldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Dec 23 15:31:31 UTC 2022 on sn-devel-184
- - - - -
6d44dcf0 by Michael Tokarev at 2022-12-23T19:08:20+03:00
rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch
fix access-based share enum (broken since 4.16)
https://bugzilla.samba.org/show_bug.cgi?id=15265
- - - - -
5fa5d1d4 by Michael Tokarev at 2022-12-25T18:15:54+03:00
+reload-registry-shares-after-reloading-services.patch
https://bugzilla.samba.org/show_bug.cgi?id=15266
- - - - -
a00c7395 by Stefan Metzmacher at 2022-12-29T20:12:28+00:00
selftest: add samba3.blackbox.registry_share
This demonstrates the regression introduced by
f03665bb7e8ea97699062630f2aa1bac4c5dfc7f, where
registry shares are no longer listed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Walker <awalker at ixsystems.com>
- - - - -
f2855310 by Stefan Metzmacher at 2022-12-29T21:14:02+00:00
s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.
This fixes a regression in commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f
The use of reload_services() has a lot of side effects, e.g. reopen of
log files and other things, which are only useful in smbd, but not in rpcd_classic.
It was also unloading the user and registry shares we loaded a few lines
above.
We need to do all (re-)loading as root, otherwise we won't be able
to read root only smb.conf files, access registry shares, ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Walker <awalker at ixsystems.com>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184
- - - - -
a6136b88 by Stefan Metzmacher at 2023-01-01T00:24:02+00:00
Happy New Year 2023!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sun Jan 1 00:24:02 UTC 2023 on sn-devel-184
- - - - -
01cdc5e0 by Andrew Walker at 2023-01-02T14:27:23+00:00
lib/replace - add extra check to bsd_attr_list
The FreeBSD extattr API may return success and truncated
namelist. We need to check for this in bsd_attr_list to
ensure that we don't accidentally read off the end of the
buffer. In the case of a truncated value, the pascal
strings for attr names will reflect the lengths as if
the value were not truncated. For example:
`58DosStrea`
In case of short read we now set error to ERANGE and
fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Jan 2 14:27:23 UTC 2023 on sn-devel-184
- - - - -
acfc1d7c by Michael Tokarev at 2023-01-02T17:58:01+03:00
d/samba.postinst: move /var/spool/samba => /var/tmp handling to before restart (#DEBHELPER#)
- - - - -
6cb63640 by Michael Tokarev at 2023-01-02T22:28:58+03:00
d/samba.postinst: fix /var/spool/samba => /var/tmp handling
1. Fix the "obvious" smb.conf cases automatically, instead of just warning
(in smb.conf only)
2. Do not restrict just to [printers] section (path= setting could have
been replicated to other sections too).
3. Check for the same path in include files too
(check whole testparam -s output)
4. Allow for subdirs of /var/spool/samba too, just in case
5. Handle upgrades from recent versions as well, to fix removal
of the spool dir while other sections are still referring to it
- - - - -
a04b5a27 by Michael Tokarev at 2023-01-02T22:29:41+03:00
create common script to check if the service is configured in smb.conf
Create /usr/share/samba/is-configured which looks at smb.conf
and decides if a given service should be run or not.
Use this script in ExecCondition= in systemd service units.
- - - - -
49f59ddf by Michael Tokarev at 2023-01-02T22:30:03+03:00
d/samba.postinst: stop masking systemd services
These are now auto-serviced by /usr/share/samba/is-configured.
Unmask everything masked instead.
- - - - -
0de846ea by Michael Tokarev at 2023-01-02T22:30:03+03:00
d/winbind.postinst: stop masking winbind service
These are now auto-serviced by /usr/share/samba/is-configured.
Unmask everything masked instead.
- - - - -
7203462f by Michael Tokarev at 2023-01-02T22:30:03+03:00
d/winbind.postinst: only touch /var/lib/samba/winbindd_privileged at install time
It should be possible to modify the group ownership and permissions
for this directory after install, do not fix it on upgrades.
- - - - -
49840434 by Michael Tokarev at 2023-01-02T22:30:03+03:00
samba init scripts: use check-service-run too to determine if the service should run
and while at it, stop making /run/samba dir (it is created automatically)
- - - - -
d54a0b57 by Michael Tokarev at 2023-01-02T22:30:03+03:00
Big cleanup for the init scripts
rewrite SysV init scripts:
- make them consistent with a common skeleton
- use log_end_msg consistently
- do not exit prematurely, script exit code will be from the last command
- stop the right process based on the executable, not only on the pidfile
- use is-configured script in a consistent way
- implement reload command for winbind
- read SMBDOPTIONS/NMBDOPTIONS/WINBINDOPTIONS/SAMBAOPTIONS from /etc/default/samba
if exists, the same way as is done in systemd service files
(in addition to WINBINDD_OPTS read from /etc/default/winbind)
- - - - -
4805f09f by Michael Tokarev at 2023-01-02T22:30:03+03:00
d/samba.postinst: simplify usershare dir handling a bit
- - - - -
f86223fb by Michael Tokarev at 2023-01-03T10:45:32+03:00
refresh reload-registry-shares-after-reloading-services.patch (samba bug 15266)
- - - - -
0dfe1f4b by Michael Tokarev at 2023-01-03T11:02:08+03:00
remove addition+deletion of selftest/knownfail.d/registry_share in previous patch
- - - - -
4afe11f4 by Michael Tokarev at 2023-01-03T11:05:16+03:00
d/samba.postinst: make warning messages more explicit
- - - - -
a73c045a by Michael Tokarev at 2023-01-03T11:05:16+03:00
update changelog; upload 4.17.4+dfsg-3 to unstable
- - - - -
d99d14cb by Jeremy Allison at 2023-01-04T06:50:37+00:00
s3: smbtorture: Add SMB2-DFS-FILENAME-LEADING-BACKSLASH test.
Shows that we fail to cope with MacOSX clients that send a
(or more than one) leading '\\' character for an SMB2 DFS pathname.
I missed this in earlier tests as Windows, Linux, and
libsmbclient clients do NOT send a leading backslash
for SMB2 DFS paths. Only MacOSX (sigh:-).
Passes against Windows. Adds a knownfail for smbd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15277
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
c9a6e242 by Jeremy Allison at 2023-01-04T07:46:06+00:00
s3: smbd: Strip any leading '\\' characters if the SMB2 DFS flag is set.
MacOS clients send SMB2 DFS pathnames as \server\share\file\name.
Ensure smbd can cope with this by stipping any leading '\\'
characters from an SMB2 packet with the DFS flag set.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15277
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jan 4 07:46:06 UTC 2023 on sn-devel-184
- - - - -
6619b16f by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Fix setfileinfo profiling
This ran under setpathinfo profiling
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
f72572ff by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Simplify call_trans2setfilepathinfo()
Move the file/path specific preparations to the respective callers.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5f38f236 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Factor out handle_trans2setfilepathinfo_result()
This will be lifted up in the next patches. We can also remove the
REALLOC of *pparams, for this we only ever send 2 NULL bytes that we
stack-allocate now.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
3b76bc96 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Remove call_trans2setfilepathinfo()
What's left was just a simple wrapper around smbd_do_setfilepathinfo()
and handle_trans2setfilepathinfo_result()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d66dc816 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Fix qfileinfo profiling
This ran under qpathinfo profiling
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5f7d16db by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Simplify call_trans2qfilepathinfo()
Move the file/path specific preparations to the respective callers.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
bad8aa10 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Factor out handle_trans2qfilepathinfo_result()
The error handling will be used in other places.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
58287995 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Make store_file_unix_basic[_info2] public
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
38b15fad by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move smb_posix_open() to smb1_trans2.c
Most of this is direct cut&paste without reformatting.
Don't pass SMB_POSIX_PATH_OPEN through smbd_do_setfilepathinfo(),
directly handle it in call_trans2setpathinfo() where we know we have a
path.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
bcc621a6 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Make smb_set_file_disposition_info() public
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
cabef724 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move smb_posix_unlink() to smb1_trans2.c
Most of this is direct cut&paste without reformatting.
Don't pass SMB_POSIX_PATH_UNLINK through smbd_do_setfilepathinfo(),
directly handle it in call_trans2setpathinfo() where we know we have a
path.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5273c1da by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move smb_set_file_unix_link() to smb1_trans2.c
Most of this is direct cut&paste without reformatting.
Don't pass SMB_SET_FILE_UNIX_LINK through smbd_do_setfilepathinfo(),
directly handle it in call_trans2setpathinfo() where we know we have a
path.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2cef6fcd by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move smb_set_file_unix_hlink() to smb1_trans2.c
Most of this is direct cut&paste without reformatting.
Don't pass SMB_SET_FILE_UNIX_HLINK through smbd_do_setfilepathinfo(),
directly handle it in call_trans2setpathinfo() where we know we have a
path.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
765f9bcf by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move handling smb_set_posix_lock() to smb1_trans2.c
Most of this is direct cut&paste without reformatting.
Don't pass SMB_SET_POSIX_LOCK through smbd_do_setfilepathinfo(),
directly handle it in call_trans2setfileinfo() where we know we have a
fsp.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
1c21fc72 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Make smb_set_file_size() public
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
483aa414 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Make map_info2_flags_to_sbuf() public
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
2be0e68e by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move SMB_SET_FILE_UNIX_[BASIC|INFO2] to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ad453a38 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Remove two variables never set after initialization
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
e53988cd by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Handle SMB_QUERY_POSIX_LOCK() in call_trans2qfileinfo()
smbd_do_qfilepathinfo() does not use the lock data anymore, we can
pass NULL/0 now.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
b0dfee96 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: smbd_do_qfilepathinfo() does not need lock_data anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
19c41395 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Make get_posix_fsp() public
This will go static again soon.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
4f69b76f by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move smb_set_posix_acl() to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
65fc2b10 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Remove an unnecessary if-statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
0cfea607 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Remove an unnecessary if-statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
01e14e0f by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move SMB_QUERY_FILE_UNIX_[BASIC|INFO2] to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
6fc64f53 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move SMB_QUERY_POSIX_ACL to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
f48e2489 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move get_posix_fsp() to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
71610e36 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Move SMB_QUERY_FILE_UNIX_LINK to smb1_trans2.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7a21dc75 by Volker Lendecke at 2023-01-04T08:54:32+00:00
torture: Fix whitespace
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
852ce99e by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Remove duplicate/unused #defines
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
eb0e911c by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Shorten a few lines
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d4f47d4b by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Modernize a DBG statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
ecdb225a by Volker Lendecke at 2023-01-04T08:54:32+00:00
pylibsmb: Get reparse tag when listing directories
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
8000c188 by Volker Lendecke at 2023-01-04T08:54:32+00:00
pylibsmb: Add reparse tag definitions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
dc98e564 by Volker Lendecke at 2023-01-04T08:54:32+00:00
smbd: Factor out get_dirent_ea_size()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
9636b40b by Volker Lendecke at 2023-01-04T09:48:37+00:00
smbd: Use get_dirent_ea_size() also for BOTH_DIRECTORY_INFO
This is a bit more involved as readdir_attr_data needs to be looked
at. The meaning of this if-statements should be the same though,
readdir_attr_data can only be non-NULL if we don't have a reparse
point around. See the beginning of smbd_marshall_dir_entry().
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jan 4 09:48:37 UTC 2023 on sn-devel-184
- - - - -
73e7d373 by Ralph Boehme at 2023-01-05T11:33:37+00:00
libreplace: update comment on __thread support
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
29a99e5e by Ralph Boehme at 2023-01-05T11:33:37+00:00
libreplace: require TLS support if pthread support is available
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
347f7549 by Ralph Boehme at 2023-01-05T11:33:37+00:00
nsswitch/stress-nss-libwbclient: also test after fork
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
ae4a06f4 by Ralph Boehme at 2023-01-05T11:33:37+00:00
nsswitch: prepare for removing global locking by using TLS
Switch to using TLS for all global variables. No change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
642a4452 by Ralph Boehme at 2023-01-05T11:33:37+00:00
nsswitch: leverage TLS if available in favour over global locking
The global locking can lead to deadlocks when using nscd: when processing the
first request in winbind, when we know we call into code that will recurse into
winbind we call winbind_off() which sets an environment variable which is later
checked here in the nsswitch module.
But with nscd in the stack, we don't see the env variable in nsswitch, so when
we try to acquire the global lock again, it is already locked and we deadlock.
By using a thread specific winbindd_context, plus a few other thread local global
variables, we don't need a global lock anymore.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
316b8fa4 by Ralph Boehme at 2023-01-05T12:34:35+00:00
nsswitch: remove winbind_nss_mutex
We're now thread-safe by using TLS, so the global lock isn't needed anymore.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Jan 5 12:34:35 UTC 2023 on sn-devel-184
- - - - -
c1be6549 by Volker Lendecke at 2023-01-05T17:04:34+00:00
smbd: Fix CID 1518902 Use after free
The SMB_REALLOC macro properly deals with failure to realloc, so
overwriting the target variable is correct here.
Signed-off-by: Volker Lendecke <vl at samba.org>
- - - - -
17e9758b by Volker Lendecke at 2023-01-05T17:04:34+00:00
smbd: Fix CID 1518901 Logically dead code
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
dd863762 by Volker Lendecke at 2023-01-05T18:00:17+00:00
smbd: Fix indentation
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Jan 5 18:00:17 UTC 2023 on sn-devel-184
- - - - -
c29c487c by Andreas Schneider at 2023-01-06T14:02:35+00:00
third_party: Update waf to version 2.0.25
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
0d096931 by Stefan Metzmacher at 2023-01-06T14:02:35+00:00
s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
7545e2c7 by Ralph Boehme at 2023-01-06T15:04:46+00:00
nsswitch: avoid calling pthread_getspecific() on an uninitialized key
Found by ASAN:
$ bin/stress-nss-libwbclient
...
==1639426==ERROR: AddressSanitizer: unknown-crash on address 0x7f3907d85000 at pc 0x7f3907d649fb bp 0x7ffc6545f5b0 sp 0x7ffc6545f5a8
READ of size 4 at 0x7f3907d85000 thread T0
#0 0x7f3907d649fa in winbind_close_sock ../../nsswitch/wb_common.c:220
#1 0x7f3907d65866 in winbind_destructor ../../nsswitch/wb_common.c:246
#2 0x7f3907da5d3d in _dl_fini /usr/src/debug/glibc-2.35-20.fc36.x86_64/elf/dl-fini.c:142
#3 0x7f3907241044 in __run_exit_handlers (/lib64/libc.so.6+0x41044)
#4 0x7f39072411bf in exit (/lib64/libc.so.6+0x411bf)
#5 0x7f3907229516 in __libc_start_call_main (/lib64/libc.so.6+0x29516)
#6 0x7f39072295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8)
#7 0x56236a2042b4 in _start (/data/git/samba/scratch3/bin/default/nsswitch/stress-nss-libwbclient+0x22b4)
Address 0x7f3907d85000 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: unknown-crash ../../nsswitch/wb_common.c:220 in winbind_close_sock
The pthread key in wb_global_ctx.key is only initialized if
wb_thread_ctx_initialize() is called via get_wb_global_ctx() -> get_wb_thread_ctx().
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Jan 6 15:04:46 UTC 2023 on sn-devel-184
- - - - -
75db84b1 by Florian Weimer at 2023-01-09T10:43:37+00:00
buildtools/wafsamba: Avoid calling lib_func without a prototype
This is a backport of commit f4c0a750d4adebcf2342a44e85f04526c34
("WAF: Fix detection of linker features")
to buildtools/wafsamba/samba_conftests.py. It fixes the check for
rpath support with compilers in strict C99 mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15281
Signed-off-by: Florian Weimer <fweimer at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d0ee9d5a by Florian Weimer at 2023-01-09T10:43:37+00:00
source3/wscript: Fix detection of major/minor macros
These macros are only available via <sys/sysmacros.h> as of glibc
commit e16deca62e16f645213dffd4ecd1153c37765f17 ("[BZ #19239] Don't
include sys/sysmacros.h from sys/types.h."), which went into
glibc 2.28.
This is different from the usual C99 cleanups because it changes
the configure check result with existing compilers that usually
accept implicit function declarations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15281
Signed-off-by: Florian Weimer <fweimer at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7779050a by Florian Weimer at 2023-01-09T11:46:35+00:00
source3/wscript: Remove implicit int and implicit function declarations
This should fix the remaining C89isms in these configure checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15281
Signed-off-by: Florian Weimer <fweimer at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jan 9 11:46:35 UTC 2023 on sn-devel-184
- - - - -
8141eae4 by Samuel Cabrero at 2023-01-09T14:23:35+00:00
CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
3cd18690 by Samuel Cabrero at 2023-01-09T14:23:35+00:00
CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
d9e6b490 by Samuel Cabrero at 2023-01-09T14:23:35+00:00
CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
121e7b0e by Samuel Cabrero at 2023-01-09T14:23:36+00:00
CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
Will be used later by s3 netlogon server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
25300d35 by Samuel Cabrero at 2023-01-09T14:23:36+00:00
CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
After s3 and s4 rpc servers merge we can avoid duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ca07f434 by Samuel Cabrero at 2023-01-09T14:23:36+00:00
CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
a0b97e26 by Samuel Cabrero at 2023-01-09T14:23:36+00:00
CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
By default we'll now require schannel connections with privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
02fba22b by Samuel Cabrero at 2023-01-09T14:23:36+00:00
CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server..
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
56837f3d by Samuel Cabrero at 2023-01-09T15:17:14+00:00
CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
After s3 and s4 rpc servers merge the loadparm_context is available in
the dcesrv_context structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jan 9 15:17:14 UTC 2023 on sn-devel-184
- - - - -
158314e0 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Make get_safe_[[SI]VAL|ptr] static to smb1_lanman.c
SMB1-specific, only used there.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
6907db5c by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Make map_share_mode_to_deny_mode() static to smbstatus
At some point in the future this might disappear, we should really not
show DOS share modes in smbstatus. Maybe this can't be changed though..
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
7ee474d9 by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Move tab_depth() to reg_parse_prs.c
Wow, I did not know we still use prs_struct...
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
14f761ec by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Remove unused smb_mkstemp prototype
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
e0fc8466 by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Move 16 bytes to readonly .text segment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
db25f0a0 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Move bytes from r/w data to r/o text section
Even const arrays of const strings need to be relocated at startup time.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ea7abdc1 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Avoid explicit ZERO_STRUCT()
Saves a few bytes of .text
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
9d7c7357 by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Add tdb_data_dbg()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
88191630 by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Use tdb_data_dbg() where appropriate
This changes the talloc hierarchy for a few callers, but as
talloc_tos() was initially designed exactly for this purpose (printing
SIDs in DEBUG), it should be okay.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
0c709cb6 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Use talloc_tos() for pushing smbXsrv_open_globalB
Use the toplevel talloc pool
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
fdca0558 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Remove a "can't happen" NULL check
This should really not happen, crashing would be the right response.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
a71288e8 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Remove smbXsrv_open->db_rec
This was only referenced in smbXsrv_open_close, but it was never
assigned anything but NULL.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
43f041de by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Add "starting_id" to idr_get_new_random()
To be used in smbXsrv_open.c, for this we need a lower bound.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
bac26568 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Simplify smbXsrv_open_set_replay_cache() with a struct assignment
Use a direct struct assignment instead of a function call
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
743df900 by Volker Lendecke at 2023-01-10T00:28:37+00:00
smbd: Simplify smbXsrv_open_set_replay_cache() with dbwrap_store_bystring()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
b73ecb28 by Volker Lendecke at 2023-01-10T00:28:37+00:00
lib: Remove idtree from samba_util.h
No need to recompile the world when only a few files need this.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
8ee20346 by Volker Lendecke at 2023-01-10T01:23:38+00:00
smbd: Use an idtree for local IDs
Volatile file handle IDs are purely per-process, in fact we used a
dbwrap_rbt for this. To get a unique ID we however have the
specialized idtree data structure, we don't need to repeat the
allocation algorithm that already exists there.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 10 01:23:38 UTC 2023 on sn-devel-184
- - - - -
01bd234f by Joseph Sutton at 2023-01-10T20:22:32+00:00
lib/talloc: Zero-initialise chunk pointers
Ensuring pointers are always initialised avoids compilation errors with
FORTIFY_SOURCE=2.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
cbe6fb38 by Joseph Sutton at 2023-01-10T20:22:32+00:00
lib/tfork: Don't overwrite 'ret' in cleanup phase
The cleanup phase of tfork_create() saves errno prior to calling
functions that might modify it, with the intention of restoring it
afterwards. However, the value of 'ret' is accidentally overwritten. It
will always be equal to 0, and hence errno will not be restored.
Fix this by introducing a new variable, ret2, for calling functions in
the cleanup phase.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
5aafff0a by Joseph Sutton at 2023-01-10T20:22:32+00:00
s4:rpc_server/dnsserver: Zero-initialise pointers
Ensuring pointers are always initialised simplifies the code and avoids
compilation errors with FORTIFY_SOURCE=2.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
ae6e76c0 by Joseph Sutton at 2023-01-10T20:22:32+00:00
lib/compression: Fix length check
Put the division on the correct side of the inequality.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
- - - - -
d7bab36a by Joseph Sutton at 2023-01-10T21:18:01+00:00
tests/krb5: Use Python bindings for LZ77+Huffman compression
We can now remove our existing decompression implementation in Python.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 10 21:18:01 UTC 2023 on sn-devel-184
- - - - -
55f4ac65 by Jeremy Allison at 2023-01-11T07:13:29+00:00
s3: smbd: SMB1 check_fsp_open() implicitly calls reply_nterror(.., NT_STATUS_INVALID_HANDLE) on error so don't duplicate in reply_close().
We'd end up sending 2 SMB1 error packets in this case.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
2fe95f6a by Jeremy Allison at 2023-01-11T07:13:29+00:00
s3: smbd: Ensure check_fsp_ntquota_handle() doesn't send SMB1 error packets.
check_fsp_ntquota_handle() is called from SMB2 codepaths as
well as from SMB1. Even in the SMB1 cases the callers of
check_fsp_ntquota_handle() handle sendng the error packet when
check_fsp_ntquota_handle returns false so on a 'return false'
we'd end up sending an error packet twice.
The SMB2 callers of check_fsp_ntquota_handle()
already check that fsp is valid, so there's
no danger of us sending an SMB1 error packet
over the SMB2 stream (so I'm not classing
this as a bug to be back-ported).
Fix check_fsp_ntquota_handle() by inlineing
the check_fsp_open() functionality without
the reply_nterror() calls.
This will allow the next commit to move check_fsp_open()
with the implicit reply_nterror() and also check_fsp()
(which calls check_fsp_open()) into the SMB1 smb1_reply.c
file as SMB1-only code.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
7ffa732d by Jeremy Allison at 2023-01-11T08:17:04+00:00
s3: smbd: Move check_fsp_open() and check_fsp() to smb1_reply.c
As these functions can implicitly call reply_nterror(..., NT_STATUS_INVALID_HANDLE)
they should never be available to SMB2 code paths.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jan 11 08:17:04 UTC 2023 on sn-devel-184
- - - - -
de5d31f4 by Jones Syue at 2023-01-11T17:08:10+00:00
s3:smbstatus: go to cmdline_messaging_context_free
If the locking.tdb is not found,
(for example, fresh new installed samba server is not running yet)
smbstatus utility would exit earlier,
and lock files are left behind in the directory 'msg.sock' and 'msg.lock'.
Consider that a script to run smbstatus utility in a loop,
this might result in used space slowly growing-up on the underlying filesystem.
Since the samba server is not running yet,
there is no cleanupd daemon could delete these files to reclaim space.
Supposed to use 'ret = 0; goto done;' instead of exit(0),
this would go through the cmdline_messaging_context_free() which deletes
the lock files in the directory msg.sock and msg.lock before smbstatus
utility is exiting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15282
Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jan 11 17:08:10 UTC 2023 on sn-devel-184
- - - - -
98d84192 by Jones Syue at 2023-01-12T11:40:19+00:00
s3:utils:mdsearch go to cmdline_messaging_context_free
mdsearch utility would exit earlier with failure in several cases like:
a. samba server is not running yet,
[~] # mdsearch -Uuser%password1 ${server} Public '*=="Samba"'
main: Cannot connect to server: NT_STATUS_CONNECTION_REFUSED
b. spotlight backend service is not ready yet,
[~] # mdsearch -Uuser%password1 ${server} Public '*=="Samba"'
Failed to connect mdssvc
c. mdsearch utility paramters is not as expecred,
[~] # mdsearch -Uuser%password1 ${server} share_not_exist '*=="Samba"'
mdscli_search failed
And in the mean while once mdsearch utility exit earlier with failure,
the lock files are left behind in the directory 'msg.sock' and 'msg.lock'.
If a script to run mdsearch utility in a loop,
this might result in used space slowly growing-up on underlying filesystem.
Supposed to add a new label 'fail_free_messaging',
make it go through the cmdline_messaging_context_free() which deletes the
lock files in the directory msg.sock and msg.lock before mdsearch utility
is exiting with failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15284
Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Jan 12 11:40:19 UTC 2023 on sn-devel-184
- - - - -
6dcbea9e by Volker Lendecke at 2023-01-12T15:38:30+00:00
build: Don't compile source3/lib/util_sd.c four times
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
3a458a81 by Volker Lendecke at 2023-01-12T15:38:30+00:00
lib: Use talloc_asprintf_addbuf() in print_ace_flags()
Simplifies code.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
d278fe4a by Volker Lendecke at 2023-01-12T15:38:30+00:00
lib: Fix out-of-bounds access in print_ace_flags()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
425aaf6f by Volker Lendecke at 2023-01-12T16:41:07+00:00
lib: Fix a use-after-free in "net vfs getntacl"
Don't hang "sd" off "fsp", which is free'ed before printing
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Jan 12 16:41:07 UTC 2023 on sn-devel-184
- - - - -
1421969b by Ralph Boehme at 2023-01-13T01:13:01+00:00
CI: add a test for @GMT mask in SMB1 find
Without FLAGS2_REPARSE_PATH a path containing an @GMT token can be used to
create a file including the @GMT token in the name and a directory list will
also return the file as result. Verified against Windows. Samba behaves exactly
the same.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Jan 13 01:13:01 UTC 2023 on sn-devel-184
- - - - -
c844bff3 by Jeremy Allison at 2023-01-13T07:34:35+00:00
selftest: Show vfs_virusscanner crashes when traversing a 2-level directory tree.
Modify check_infected_read() test to use a 2-level deep
directory.
We must have vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
set on the virusscanner share as otherwise the openat flag
shortcut defeats the test.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15283
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
3d3d01cd by Jeremy Allison at 2023-01-13T08:33:47+00:00
s3: smbd: Tweak openat_pathref_dirfsp_nosymlink() to NULL out fsp->fsp_name after calling fd_close() on intermediate directories, rather than before.
vfs_virusfilter expects a non-NULL fsp->fsp_name to use for printing debugs
(it always indirects fsp->fsp_name). vfs_fruit also does the same, so would
also crash in fruit_close() with 'debug level = 10' and vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
set (we don't test with that which is why we haven't noticed
this before).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15283
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Jan 13 08:33:47 UTC 2023 on sn-devel-184
- - - - -
86fde916 by Björn Baumbach at 2023-01-17T17:21:38+00:00
auth/creds: fix a typo in a comment
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
5a017b11 by Björn Baumbach at 2023-01-17T17:21:38+00:00
samba-tool domain: fix a typo in samba-tool passwordsettings option description
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
1289575a by Björn Baumbach at 2023-01-17T17:21:38+00:00
s3/libsmb: fix a typo in parameter description
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
8fbadada by Björn Baumbach at 2023-01-17T18:23:18+00:00
lib/tsocket: fix a typo in the tsocket guide doc
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Björn Baumbach <bb at sernet.de>
Autobuild-Date(master): Tue Jan 17 18:23:18 UTC 2023 on sn-devel-184
- - - - -
d55880d9 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Slightly simplify smb2srv_open_recreate()
This moves the bit-fiddling right next to the check we do,
"global_zeros" was only used for this one purpose and its assignment
was a few lines away.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
b88db811 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Remove smbXsrv_open_global_destructor()
This did not do much.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
a39a3400 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Slightly simplify smbXsrv_open_create()
Move allocation of smbXsrv_open_global0 out of
smbXsrv_open_global_allocate()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
6deee159 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Remove unused smbXsrv_open_global_key_to_id()
This isn't exactly rocket science we would need to keep around
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
824b5417 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Directly initialize key in smbXsrv_open_global_fetch_locked()
Don't leave the key.dptr pointer uninitialized
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
c6f1e3a6 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Make smbXsrv_open_global_id_to_key() a bit more type-safe
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
99de0cf6 by Volker Lendecke at 2023-01-18T11:49:38+00:00
smbd: Modernize DBG statements in smbXsrv_open_global_store()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
35ee3e02 by Volker Lendecke at 2023-01-18T11:49:38+00:00
ctdb: Fix the build on FreeBSD
"basename" is define in libgen.h included from system/dir.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
77110bc9 by Stefan Metzmacher at 2023-01-18T11:49:38+00:00
third_party: Update socket_wrapper to version 1.4.0
The key feature is support for sendmmsg and recvmmsg,
which is required by modern libuv versions, e.g.
nsupdate -g makes use of libuv, so we need this for samba.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
25aa870f by Stefan Metzmacher at 2023-01-18T12:47:48+00:00
third_party: Update uid_wrapper to version 1.3.0
This is mainly needed in order to have some interaction
with socket_wrapper 1.4.0 regarding the implementation
of syscall().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jan 18 12:47:48 UTC 2023 on sn-devel-184
- - - - -
7105554c by Stefan Metzmacher at 2023-01-18T14:17:23+00:00
bootstrap: Update to Ubuntu 22.04 as base default OS
We'll try to move autobuild to ubuntu 22.04 soon.
Note we leave ubuntu 18.04 for the coverage and 32bit builds
for now. As well as 20.04 for samba-fuzz.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jan 18 14:17:23 UTC 2023 on atb-devel-224
- - - - -
5224ed98 by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
talloc: version 2.4.0
* Add talloc_asprintf_addbuf()
* Support python 3.12
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
eab796a4 by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tdb: version 1.4.8
* Support python 3.12
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
a92150ed by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
s4:lib/events: let s4_event_context_init() use samba_tevent_context_init()
This is no real change, but it makes sure we only have to
change samba_tevent_context_init() in future in order to
distribute the change to all places.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
96e4be0a by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
lib/util: install a tevent_abort callback using smb_panic()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f6a6d917 by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: use samba_tevent_set_debug() in testsuite.c
Note testsuite.c is only used in Samba's smbtorture as
'smbtorture //a/b local.event'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
77c828e1 by Pavel Filipenský at 2023-01-18T16:26:36+00:00
tevent: Fix trailing whitespaces in tevent.c
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
eb05fe87 by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: remove unused tevent_liboop.c
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
620ad8af by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: remove unused register_backend() from python bindings
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
147a317b by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: remove solaris port backend
There's no way to verify changes we would have to do tevent_port.c,
as we don't have access to a solaris build machine.
So better use the poll backend instead. In performance critical code
we typically don't deal with a lot of file descriptors so the impact
should be fairly minimal.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
ab49d9ee by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: allow the "standard" backend to be overloaded
We'll export tevent_find_ops_byname() soon and will allow
the context_init() function of backends to find that standard ops
and hand over to standard_ops->context_init().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
07251f56 by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: expose tevent_find_ops_byname() to callers
This makes it more flexible and allow a caller to overload
a tevent backend. Which will be used by Samba in order to
glue in io_uring support.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
c5d5ebb6 by Pavel Filipenský at 2023-01-18T16:26:36+00:00
tevent: Call depth tracking
The change to lib/tevent/ABI/tevent-0.13.0.sigs will be reverted
in the commit for the 0.14.0 release...
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
3c6d28eb by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
tevent: version 0.14.0
- Support python 3.12
- remove solaris port backend (it's not maintainable)
- make tevent_find_ops_byname() available for callers.
- allow the "standard" backend to be overloaded
- add interface for request/subrequest call depth tracking:
- tevent_thread_call_depth_activate
- tevent_thread_call_depth_deactivate
- tevent_thread_call_depth_start
- tevent_thread_call_depth_stop
- tevent_thread_call_depth_reset_from_req
Note the changes to ABI/tevent-0.13.0.sigs only
revert the temporary changes made there...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
- - - - -
f972b1ea by Stefan Metzmacher at 2023-01-18T16:26:36+00:00
ldb: version 2.7.0
* Support python 3.12
* Have python functions operating on DNs raise LdbError
* don't call comparison() directly in LDB_TYPESAFE_QSORT
* Use ldb_ascii_toupper() for case folding to support
tr_TR.UTF-8 and other dotless i locales,
see https://bugzilla.samba.org/show_bug.cgi?id=15248
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
0c9b310e by Jule Anger at 2023-01-18T16:26:36+00:00
WHATSNEW: Up to Samba 4.18.0rc1.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
fbba9a24 by Jule Anger at 2023-01-18T16:26:36+00:00
VERSION: Disable GIT_SNAPSHOT for the Samba 4.18.0rc1 release.
Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
48350c06 by Michael Tokarev at 2023-01-20T19:57:07+03:00
prepare for 4.18
- - - - -
c4676f28 by Michael Tokarev at 2023-01-20T19:57:17+03:00
New upstream version 4.18.0~rc1+dfsg
- - - - -
aa079a80 by Michael Tokarev at 2023-01-20T19:57:53+03:00
Update upstream source from tag 'upstream/4.18.0_rc1+dfsg'
Update to upstream version '4.18.0~rc1+dfsg'
with Debian dir 2ea7d5c398f3a4434911b7754ff40a5ce19d6c5e
- - - - -
11a33987 by Michael Tokarev at 2023-01-20T20:00:09+03:00
d/control: bump talloc/tdb/tevent build-deps
- - - - -
3daf9a63 by Michael Tokarev at 2023-01-20T20:41:35+03:00
hurd-compat.patch: refresh
- - - - -
68eef0fb by Michael Tokarev at 2023-01-20T20:59:58+03:00
spelling.patch: refresh, just two hunks left for now
- - - - -
898d2459 by Michael Tokarev at 2023-01-20T21:01:09+03:00
spelling.patch: one more spelling fix (Controler)
- - - - -
063f9f0e by Michael Tokarev at 2023-01-20T21:02:15+03:00
spelling.patch: one more spelling fix (proces)
- - - - -
ce79ae89 by Michael Tokarev at 2023-01-20T21:26:19+03:00
add heimdal-spelling.patch
- - - - -
b8f7e683 by Michael Tokarev at 2023-01-20T21:27:15+03:00
unwrap-getresgid-typo.patch: remove, not needed
- - - - -
5ec895cc by Michael Tokarev at 2023-01-20T21:27:17+03:00
remove: reload-registry-shares-after-reloading-services.patch rpc_server_srvsvc-retrieve_share_ACL_via_root_context.patch
- - - - -
954d14d9 by Michael Tokarev at 2023-01-20T21:27:17+03:00
d/libwbclient0.symbols: add wbcChangeTrustCredentialsAt wbcCtxChangeTrustCredentialsAt and the new version
- - - - -
f16031b9 by Michael Tokarev at 2023-01-20T21:27:17+03:00
d/libldb2.symbols, python3-ldb.symbols.in: ad the new version
- - - - -
dcfddc47 by Michael Tokarev at 2023-01-20T21:27:17+03:00
d/samba-libs.install: add new internal library libstable-sort-samba4.so.0
- - - - -
c1e6f69d by Michael Tokarev at 2023-01-20T21:27:17+03:00
d/gbp.conf: unignore branch (gbp import-orig does fun stuff if it is set, too easy to forget)
- - - - -
b8bb4fe9 by Michael Tokarev at 2023-01-20T21:30:04+03:00
update changelog
- - - - -
30 changed files:
- .gitlab-ci-main.yml
- VERSION
- WHATSNEW.txt
- auth/credentials/credentials_cmdline.c
- auth/kerberos/wscript_build
- bootstrap/.gitlab-ci.yml
- bootstrap/config.py
- bootstrap/generated-dists/Vagrantfile
- bootstrap/generated-dists/centos8s/bootstrap.sh
- bootstrap/generated-dists/f36mit120/Dockerfile → bootstrap/generated-dists/f37mit120/Dockerfile
- bootstrap/generated-dists/f36mit120/bootstrap.sh → bootstrap/generated-dists/f37mit120/bootstrap.sh
- bootstrap/generated-dists/f36mit120/locale.sh → bootstrap/generated-dists/f37mit120/locale.sh
- bootstrap/generated-dists/fedora36/packages.yml → bootstrap/generated-dists/f37mit120/packages.yml
- bootstrap/generated-dists/fedora36/Dockerfile → bootstrap/generated-dists/fedora37/Dockerfile
- bootstrap/generated-dists/fedora36/bootstrap.sh → bootstrap/generated-dists/fedora37/bootstrap.sh
- bootstrap/generated-dists/fedora36/locale.sh → bootstrap/generated-dists/fedora37/locale.sh
- bootstrap/generated-dists/f36mit120/packages.yml → bootstrap/generated-dists/fedora37/packages.yml
- bootstrap/generated-dists/opensuse153/Dockerfile → bootstrap/generated-dists/opensuse154/Dockerfile
- bootstrap/generated-dists/opensuse153/bootstrap.sh → bootstrap/generated-dists/opensuse154/bootstrap.sh
- bootstrap/generated-dists/opensuse153/locale.sh → bootstrap/generated-dists/opensuse154/locale.sh
- bootstrap/generated-dists/opensuse153/packages.yml → bootstrap/generated-dists/opensuse154/packages.yml
- + bootstrap/generated-dists/ubuntu1804-32bit/Dockerfile
- + bootstrap/generated-dists/ubuntu1804-32bit/bootstrap.sh
- + bootstrap/generated-dists/ubuntu1804-32bit/locale.sh
- + bootstrap/generated-dists/ubuntu1804-32bit/packages.yml
- + bootstrap/generated-dists/ubuntu2204/Dockerfile
- + bootstrap/generated-dists/ubuntu2204/bootstrap.sh
- + bootstrap/generated-dists/ubuntu2204/locale.sh
- + bootstrap/generated-dists/ubuntu2204/packages.yml
- bootstrap/sha1sum.txt
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/483c3757c36e34ee805fa551347e109fa606650b...b8bb4fe98a9c8055e224e9c646d41d001e191dbf
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/483c3757c36e34ee805fa551347e109fa606650b...b8bb4fe98a9c8055e224e9c646d41d001e191dbf
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20230120/d9b7fc54/attachment-0001.htm>
More information about the Pkg-samba-maint
mailing list